note: this repository also doubles as my dotfiles for client machines, which means it includes configs for graphical stuff that aren't used by the docker container itself
credits to @lukesmithxyz for the .emoji
file
I've been experimenting with using a Dockerfile as a whole system config for a headless environment that I ssh into for daily non-graphical workflow like coding, building and deploying stuff, managing files, transcoding videos, basically anything that I do from the terminal
note that this setup is not meant to be safe from malware or attackers that managed to get into the container. its purpose is simply to avoid polluting the host system with software I install and containing any mistakes I might make so it's much harder to accidentally break the host
I made it so you can modify the Dockerfile and the startup script from within the container and rebuild and reboot it by killing sshd as root
you might ask, why not simply persist most of the rootfs and mount it to a container? well, I like keeping my system clean and often times when experimenting with new software I make a mess, or slowly pile up garbage. using a Dockerfile as my whole system config ensures that I can always go back to a clean state as the only thing I'm persisting at the moment is my home and a few files I symlink to rootfs
so far it's quite neat, so these are my dotfiles for my current setup
if you're not me you'll want to customize the software installed in
the Dockerfile, replace my username with yours (must match the host
machine) and edit the mounts and devices in once.sh
also, once.sh
binds ssh to port 22 but you most likely already have
ssh running on this port on your host machines so either change your
host ssh port or edit the port there to, for example,
--publish 2222:22
for 2222
now you can either start ./run.sh
in a screen or tmux session or
create a service that runs once.sh
as your user and restarts it when
it dies, for example on systemd it would be:
[Unit]
Description=(docker) memevault
[Service]
Type=simple
ExecStart=/home/loli/memevault/once.sh
ExecStop=/usr/bin/docker rm -f memevault
Restart=always
User=loli
Group=loli
[Install]
WantedBy=multi-user.target
which you would put in /etc/systemd/system/memevault.service
,
enable with systemctl enable memevault
and start with
systemctl start memevault
once the container is up and running, you can ssh into it on the port you
specified in once.sh
you can deploy this on a headless server and remotely ssh into it. this is especially good when you have a rock stable system like centOS and want to work or play with cutting edge software on the same machine without polluting the host environment or spinning up a virtual machine
- edit ~/Dockerfile and add your install commands at the bottom before
EXPOSE 22
to maximize rebuild speed (previous layers won't need to be rebuilt) - test your commands in the shell to make sure they won't fail, otherwise the container will not come up and you'll have to ssh into the host to fix the error
sudo killall sshd
- wait for the ssh to come back up with your changes applied. this should not take much longer than the execution time of the commands you added
you can apply the same procedure with once.sh, but you need to be extra careful here because this script is executed by the host, so you could potentially pollute your home folder on the host if you make mistakes