Editor – The NGINX Plus Dockerfiles for Debian and Alpine Linux were updated in December 2022 to correspond to the latest NGINX Plus release and versions of those operating system distributions. The Dockerfiles and instructions use Docker secrets to pass license information when building an NGINX Plus image.
Docker is an open platform for building, shipping, and running distributed applications as containers (lightweight, standalone, executable packages of software that include everything needed to run an application). Containers can in turn be deployed and orchestrated by container orchestration platforms such as Kubernetes. (In addition to the Docker container technology discussed in this blog, NGINX provides F5 NGINX Ingress Controller in NGINX Open Source‑based and NGINX Plus-based versions; for NGINX Plus subscribers, support is included at no extra cost.)
As software applications, NGINX Open Source and F5 NGINX Plus are great use cases for Docker, and we publish an NGINX Open Source image on Docker Hub, the repository of Docker images. This post explains how to:
- Deploy NGINX Open Source using the image from Docker Hub
- Manage NGINX in the container (connecting to, configuring, logging, reloading, and restarting)
- Deploy NGINX Plus using a Docker image you create
Introduction
The Docker open platform includes the Docker Engine – the open source runtime that builds, runs, and orchestrates containers – and Docker Hub, a hosted service where Dockerized applications are distributed, shared, and collaborated on by the entire development community or within the confines of a specific organization.
Docker containers enable developers to focus their efforts on application “content” by separating applications from the constraints of infrastructure. Dockerized applications are instantly portable to any infrastructure – laptop, bare‑metal server, VM, or cloud – making them modular components that can be readily assembled and reassembled into fully featured distributed applications and continuously innovated on in real time.
For more information about Docker, see Why Docker? or the full Docker documentation.
Using the NGINX Open Source Docker Image
You can create an NGINX instance in a Docker container using the NGINX Open Source image from Docker Hub.
Let’s start with a very simple example. To launch an instance of NGINX running in a container and using the default NGINX configuration, run this command:
# docker run --name mynginx1 -p 80:80 -d nginx
fcd1fb01b14557c7c9d991238f2558ae2704d129cf9fb97bb4fadf673a58580d
This command creates a container named mynginx1 based on the NGINX image. The command returns the long form of the container ID, which is used in the name of log files; see Managing Logging.
The -p
option tells Docker to map the port exposed in the container by the NGINX image – port 80 – to the specified port on the Docker host. The first parameter specifies the port in the Docker host, while the second parameter is mapped to the port exposed in the container.
The -d
option specifies that the container runs in detached mode, which means that it continues to run until stopped but does not respond to commands run on the command line. In the next section we explain how to interact with the container.
To verify that the container was created and is running, and to see the port mappings, we run docker
ps
. (We’ve split the output across multiple lines here to make it easier to read.)
# docker ps
CONTAINER ID IMAGE COMMAND CREATED ...
fcd1fb01b145 nginx:latest "nginx -g 'daemon of 16 seconds ago ...
... STATUS PORTS NAMES
... Up 15 seconds 0.0.0.0:80->80/tcp mynginx1
The PORTS
field in the output reports that port 80 on the Docker host is mapped to port 80 in the container. Another way to verify that NGINX is running is to make an HTTP request to that port. The code for the default NGINX welcome page appears:
# curl http://localhost
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully
installed and working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="https://www.nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
Working with the NGINX Docker Container
So now we have a working NGINX Docker container, but how do we manage the content and the NGINX configuration? And what about logging?
A Note About SSH
It is common to enable SSH access to NGINX instances, but the NGINX image does not have OpenSSH installed, because Docker containers are generally intended to be for a single purpose (in this case running NGINX). Instead we’ll use other methods supported by Docker.
As an alternative to the commands in Managing Content and Configuration Files below, you can run the following command to open an interactive shell to a running NGINX container (instead of starting an SSH session). However, we recommend this only for advanced users.
-
On Alpine Linux systems:
# docker exec -it <NGINX_container_ID> sh
-
On Debian systems:
# docker exec -it <NGINX_container_ID> bash
Managing Content and Configuration Files
There are several ways you can manage both the content served by NGINX and the NGINX configuration files. Here we cover a few of the options.
Option 1 – Maintain the Content and Configuration on the Docker Host
When the container is created we can tell Docker to mount a local directory on the Docker host to a directory in the container. The NGINX image uses the default NGINX configuration, which uses /usr/share/nginx/html as the container’s root directory and puts configuration files in /etc/nginx. For a Docker host with content in the local directory /var/www and configuration files in /var/nginx/conf, run this command (which appears on multiple lines here only for legibility):
# docker run --name mynginx2 --mount type=bind source=/var/www,target=/usr/share/nginx/html,readonly --mount type=bind,source=/var/nginx/conf,target=/etc/nginx/conf,readonly -p 80:80 -d nginx
Now any change made to the files in the local directories /var/www and /var/nginx/conf on the Docker host are reflected in the directories /usr/share/nginx/html and /etc/nginx in the container. The readonly
option means these directories can be changed only on the Docker host, not from within the container.
Option 2 – Copy Files from the Docker Host
Another option is to have Docker copy the content and configuration files from a local directory on the Docker host during container creation. Once a container is created, the files are maintained by creating a new container when files change or by modifying the files in the container. A simple way to copy the files is to create a Dockerfile with commands that are run during generation of a new Docker image based on the NGINX image from Docker Hub. For the file‑copy (COPY
) commands in the Dockerfile, the local directory path is relative to the build context where the Dockerfile is located.
In our example, the content is in the content directory and the configuration files are in the conf directory, both subdirectories of the directory where the Dockerfile is located. The NGINX image includes default NGINX configuration files named /etc/nginx/nginx.conf and /etc/nginx/conf.d/default.conf. Because we instead want to use the configuration files from the host, we include a RUN
command that deletes the default files:
FROM nginx
RUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY content /usr/share/nginx/html
COPY conf /etc/nginx
We create our own NGINX image by running the following command from the directory where the Dockerfile is located. Note the period (“.”) at the end of the command. It defines the current directory as the build context, which contains the Dockerfile and the directories to be copied.
# docker build -t mynginx_image1 .
Now we run this command to create a container called mynginx3 based on the mynginx_image1 image:
# docker run --name mynginx3 -p 80:80 -d mynginx_image1
If we want to make changes to the files in the container, we use a helper container as described in Option 3.
Option 3 – Maintain Files in the Container
As mentioned in A Note About SSH, we can’t use SSH to access the NGINX container, so if we want to edit the content or configuration files directly we have to create a helper container that has shell access. For the helper container to have access to the files, we must create a new image that has the proper Docker data volumes defined for the image. Assuming we want to copy files as in Option 2 while also defining volumes, we use the following Dockerfile:
FROM nginx
RUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY content /usr/share/nginx/html
COPY conf /etc/nginx
VOLUME /usr/share/nginx/html
VOLUME /etc/nginx
We then create the new NGINX image by running the following command (again note the final period):
# docker build -t mynginx_image2 .
Now we run this command to create an NGINX container (mynginx4) based on the mynginx_image2 image:
# docker run --name mynginx4 -p 80:80 -d mynginx_image2
We then run the following command to start a helper container mynginx4_files that has a shell, enabling us to access the content and configuration directories of the mynginx4 container we just created:
# docker run -i -t --volumes-from mynginx4 --name mynginx4_files debian /bin/bash
root@b1cbbad63dd1:/#
The new mynginx4_files helper container runs in the foreground with a persistent standard input (the -i
option) and a tty (the -t
option). All volumes defined in mynginx4 are mounted as local directories in the helper container.
The debian
argument means that the helper container uses the Debian image from Docker Hub. Because the NGINX image also uses Debian (and all of our examples so far use the NGINX image), it is most efficient to use Debian for the helper container, rather than having Docker load another operating system.
The /bin/bash
argument means that the bash
shell runs in the helper container, presenting a shell prompt that you can use to modify files as needed.
To start and stop the container, run the following commands:
# docker start mynginx4_files
# docker stop mynginx4_files
To exit the shell but leave the container running, press Ctrl+p
followed by Ctrl+q
. To regain shell access to a running container, run this command:
# docker attach mynginx4_files
To exit the shell and terminate the container, run the exit
command.
Managing Logging
You can configure either default or customized logging.
Using Default Logging
The NGINX image is configured to send the main NGINX access and error logs to the Docker log collector by default. This is done by linking them to stdout
and stderr
respectively; all messages from both logs are then written to the file /var/lib/docker/containers/<container_ID>/<container_ID>-json.log on the Docker host, where <container_ID> is the long‑form ID returned when you create a container. For the initial container we created in Using the NGINX Open Source Docker Image, for example, it is fcd1fb01b14557c7c9d991238f2558ae2704d129cf9fb97bb4fadf673a58580d.
To retrieve the container ID for an existing container, run this command, where <container_name>
is the value set by the --name
parameter when the container is created (for the container ID above, for example, it is mynginx1):
# docker inspect --format '{{ .Id }}' <container_name>
Although you can view the logs by opening the <container_ID>-json.log file directly, it is usually easier to run this command:
# docker logs <container_name>
You can use also the Docker Engine API to extract the log messages, by issuing a GET
request against the Docker Unix socket. This command returns both the access log (represented by stdout=1
) and the error log (stderr=1
), but you can request them singly as well:
# curl --unix-socket /var/run/docker-sock http://localhost/containers/<container_name>/logs?stdout=1&stderr=1
To learn about other query parameters, see the Docker Engine API documentation (search for “Get container logs” on that page).
Using Customized Logging
If you want to implement another method of log collection, or if you want to configure logging differently in certain configuration blocks (such as server{}
and location{}
), define a Docker volume for the directory or directories in which to store the log files in the container, create a helper container to access the log files, and use whatever logging tools you like. To implement this, create a new image that contains the volume or volumes for the logging files.
For example, to configure NGINX to store log files in /var/log/nginx/log, we can start with the Dockerfile from Option 3 and simply add a VOLUME
definition for this directory:
FROM nginx
RUN rm /etc/nginx/nginx.conf /etc/nginx/conf.d/default.conf
COPY content /usr/share/nginx/html
COPY conf /etc/nginx
VOLUME /var/log/nginx/log
We can then create an image as described above and use it to create an NGINX container and a helper container that have access to the logging directory. The helper container can have any desired logging tools installed.
Controlling NGINX
Since we do not have direct access to the command line of the NGINX container, we cannot use the nginx
command to control NGINX. Fortunately we can use signals to control NGINX, and Docker provides the kill
command for sending signals to a container.
To reload the NGINX configuration, run this command:
# docker kill -s HUP <container_name>
To restart NGINX, run this command to restart the container:
# docker restart <container_name>
Deploying NGINX Plus with Docker
So far we have discussed Docker for NGINX Open Source, but you can also use it with the commercial product, NGINX Plus. The difference is you first need to create an NGINX Plus image, because as a commercial offering NGINX Plus is not available at Docker Hub. Fortunately, this is quite easy to do.
Note: Never upload your NGINX Plus images to a public repository such as Docker Hub. Doing so violates your license agreement.
Creating a Docker Image of NGINX Plus
To generate an NGINX Plus image, first create a Dockerfile. The examples we provide here use Debian 11 (Bullseye) and Alpine Linux 3.17 as the base Docker images. Before you can create the NGINX Plus Docker image, you have to download your version of the nginx-repo.crt and nginx-repo.key files. NGINX Plus customers can find them at the customer portal; if you are doing a free trial of NGINX Plus, they were provided with your trial package. Copy the files to the directory where the Dockerfile is located (the Docker build context).
As with NGINX Open Source, by default the NGINX Plus access and error logs are linked to the Docker log collector. No volumes are specified, but you can add them if desired, or each Dockerfile can be used to create base images from which you can create new images with volumes specified, as described previously.
We purposely do not specify an NGINX Plus version in the sample Dockerfiles, so that you don’t have to edit the file when you update to a new release of NGINX Plus. We have, however, included commented versions of the relevant instructions for you to uncomment if you want to make the file version‑specific.
Similarly, we’ve included instructions (commented out) that install official dynamic modules for NGINX Plus.
By default, no files are copied from the Docker host as a container is created. You can add COPY
definitions to each Dockerfile, or the image you create can be used as the basis for another image as described above.
NGINX Plus Dockerfile (Debian 11)
Failed loading gist https://gist.github.com/36e97fc87efb5cf0039978c8e41a34b5.json: timeout
NGINX Plus Dockerfile (Alpine Linux 3.17)
Failed loading gist https://gist.github.com/36e97fc87efb5cf0039978c8e41a34b5.json: timeout
Creating the NGINX Plus Image
With the Dockerfile, nginx-repo.crt, and nginx-repo.key files in the same directory, run the following command there to create a Docker image called nginxplus (as before, note the final period):
# DOCKER_BUILDKIT=1 docker build --no-cache -t nginxplus --secret id=nginx-crt,src=</path/to/your/nginx-repo.crt> --secret id=nginx-key,src=</path/to/your/nginx-repo.key> .
The DOCKER_BUILDKIT=1
flag indicates that we are using Docker BuildKit to build the image, as required when including the --secret
option which is discussed below.
The --no-cache
option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus. If the Dockerfile was previously used to build an image and you omit the --no-cache
option, the new image uses the version of NGINX Plus from the Docker cache. (As noted, we purposely do not specify an NGINX Plus version in the Dockerfile so that the file does not need to change at every new release of NGINX Plus.) Omit the --no-cache
option if it’s acceptable to use the NGINX Plus version from the previously built image.
The --secret
option passes the certificate and key for your NGINX Plus license to the Docker build context without risking exposure of the data or having the data persist between Docker build layers. The values of the id
arguments cannot be changed without altering the base Dockerfile, but you need to set the src
arguments to the path to your NGINX Plus certificate and key files (the same directory where you are building the Docker image if you followed the previous instructions).
Output like the following from the docker
images
nginxplus
command indicates that the image was created successfully:
# docker images nginxplus
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
nginxplus latest ef2bf65931cf 6 seconds ago 91.2 MB
To create a container named mynginxplus based on this image, run this command:
# docker run --name mynginxplus -p 80:80 -d nginxplus
You can control and manage NGINX Plus containers in the same way as NGINX Open Source containers.
Summary
NGINX, NGINX Plus, and Docker work extremely well together. Whether you use the NGINX Open Source image from Docker Hub or create your own NGINX Plus image, you can easily spin up new instances of NGINX and NGINX Plus in Docker containers and deploy them in your Kubernetes environment. You can also easily create new Docker images from the base images, making your containers even easier to control and manage. Make sure that all NGINX Plus instances running in your Docker containers are covered by your subscription. For details, please contact the NGINX sales team.
There is much more to Docker than we have been able to cover in this article. For more information, download our free O’Reilly eBook – Container Networking: From Docker to Kubernetes – or check out www.docker.com.