上QQ阅读APP看书，第一时间看更新

Docker Engine

Docker Desktop is great for developing with containers on Windows 10. For production environments where you have a headless server with no UI, you install Docker Engine to run as a background Windows Service using a PowerShell module.

On a new installation of Windows Server 2019 Core, use the sconfig tool to install all the latest Windows updates, and then run these PowerShell commands to install the Docker Engine and Docker CLI:

Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
Install-Package -Name docker -ProviderName DockerMsftProvider

This will configure the server with the necessary Windows features, install Docker, and set it up to run as a Windows service. Depending on how many Windows updates were installed, you may need to reboot the server:

Restart-Computer -Force

When the server is online, confirm that Docker is running with docker version, and then run a container from the sample image for this chapter:

docker container run dockeronwindows/ch01-whale:2e

You can update your server when a new version of Docker Engine is released by repeating the Install command, and adding the -Update flag:

Install-Package -Name docker -ProviderName DockerMsftProvider -Update

I use this configuration for some of my environments – running Windows Server 2019 Core in a lightweight VM that only has Docker installed. You can use Docker on the server by connecting with Remote Desktop, or you can configure the Docker Engine to allow remote connections, which lets you manage Docker containers on your server using docker commands on your laptop. This is a more advanced setup, but it does give you secure remote access.

It's best to set up the Docker Engine so that communication with the client is secured using TLS, the same encryption technique used by HTTPS. Clients can only connect if they have the right TLS certificates to authenticate with the service. You can set this up by running these PowerShell commands inside the VM, supplying the VM's external IP address:

$ipAddress = '<vm-ip-address>'

mkdir -p C:\certs\client

docker container run --rm `
 --env SERVER_NAME=$(hostname) `
 --env IP_ADDRESSES=127.0.0.1,$ipAddress `
 --volume 'C:\ProgramData\docker:C:\ProgramData\docker' `
 --volume 'C:\certs\client:C:\Users\ContainerAdministrator\.docker' `
 dockeronwindows/ch01-dockertls:2e

Restart-Service docker

Don't worry too much about what this command is doing. Over the next few chapters, you'll get a good understanding of all these Docker options. I'm using a Docker image based on one from Stefan Scherer, who is a Microsoft MVP and Docker Captain. The image has a script that secures the Docker Engine with TLS certificates. You can read more details on Stefan's blog at https://stefanscherer.github.io.

When this command completes, it will have configured the Docker Engine API to allow only secure remote connections and will also have created the certificates that the client needs to use to connect. Copy these certificates from C:\certs\client on the VM onto the machine where you want to use the Docker client.

On the client machine, you can set environment variables to point the Docker client to use a remote Docker service. These commands will set up a remote connection to the VM (assuming you have used the same path for the certificate files on the client), as follows:

$ipAddress = '<vm-ip-address>'

$env:DOCKER_HOST='tcp://$($ipAddress):2376'
$env:DOCKER_TLS_VERIFY='1'
$env:DOCKER_CERT_PATH='C:\certs\client'

You can use this approach to securely connect to any remote Docker Engine. If you don't have access to Windows 10 or Windows Server 2019, you can create a VM on the cloud and connect to it using the same commands.