How should I use docker? Is there some best practices guide?

Hi,
I would like to use Docker on my VPS server. I have already read the Getting started and Learning by example guides from the project website. I've done all the steps shown in the examples in a virtual machine on my PC. I really liked Docker's way of containerization. However, I don't know how my configuration should look.

Currently I host a few websites on my VPS - a web project written in PHP, a WordPress blog and a few static webpages.

I thought that I could run a container from the official nginx image and redirect its HTTP port to the VPS's TCP port 80. It would be used to host the static websites and work as a server-side proxy to forward the traffic to the PHP with Apache containers of my web project and WordPress blog. Should I create a Dockerfile and include the config inside my new nginx image, or should I just use the -v parameter to include my config from outside the image and run the container from the official nginx image? Is there some Docker best practices guide that I should follow here?

I planned to run my PHP web project with the official PHP and Apache image. The files inside the project are immutable, so I could create my own image with those files or link them from outside the container. Again, which way is better? This project also requires running a script every 5 minutes and another one every night. Should I use cron on my host server and start a container with PHP-CLI every 5 minutes, or install cron inside the container? Maybe there is some other, more elegant way of doing this with Docker?

The WordPress blog changes its files sometimes - after an upgrade, uploading new images, installing plugins or skins, and after changing its config (.htaccess and wp-config.php files). I can't place the WordPress files inside the image. I would need to use the -v parameter to link some directory from outside the container then.

And another question - where should I store the directories and configs that I include using the -v option? What should the access rights to those files be? Who should be their owner - root or docker? Should I add my user to the docker group on the production server?

Sorry for my English. Like you can see, it’s not my native language and I am still learning.

I’d “bake” everything into the image if possible. -v leads to nothing but pain if you don’t absolutely need it. There may be some cases where you might want that “instant” config update, but for a variety of reasons (reproducibility, auditability, etc.) creating a new image for each deploy is usually considered better practice. Especially with docker service “rolling update” feature introduced recently, deploying new images to a “service” is easier than ever before (you could run a few replicas of the service and have very little downtime on upgrade).

Ideally, you don’t – you should run your containers as an unprivileged user using USER. Probably you could listen on 8080 or something inside the containers (since this unprivileged user won’t be able to bind low ports by default) and then forward to 80 and/or 443 on your host using --publish.
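The two replies above (bake everything into the image; run as an unprivileged USER on a high port and --publish it onto 80) applied to the front-end nginx proxy from the question, as an added example that is not code from this thread or from the nginx project. The image name, the `conf.d/` and `sites/` directories in the build context, the nginx version tag and the `proxy_pass` target names are assumptions; the writable-path adjustments follow the same pattern the official nginx-unprivileged image variant uses.

```dockerfile
# Added example (not from the thread). Assumed build-context layout:
#   conf.d/default.conf  nginx server block containing "listen 8080;",
#                        "root /usr/share/nginx/html;" for the static sites and
#                        "location /app/ { proxy_pass http://phpapp:80; }"-style
#                        locations that forward to the PHP/Apache containers by name
#   sites/               the static websites
FROM nginx:1.25

# Bake config and static content into the image instead of mounting with -v:
# every deploy becomes a new, tagged, reviewable and reproducible image.
COPY conf.d/ /etc/nginx/conf.d/
COPY sites/  /usr/share/nginx/html/

# Drop root. The stock image starts the master as root so it can bind port 80;
# as the unprivileged "nginx" user we listen on 8080 (see conf.d/default.conf)
# and hand that user the few paths nginx and the entrypoint scripts write to.
RUN touch /var/run/nginx.pid \
 && chown -R nginx:nginx /var/run/nginx.pid /var/cache/nginx \
        /var/log/nginx /etc/nginx/conf.d
USER nginx
EXPOSE 8080

# Deploy: build a new image per release, tag it with the commit, and publish
# host port 80 onto container port 8080. Invoked through sudo rather than from
# a docker-group account, as the third reply recommends.
#   sudo docker build -t sites/front:$(git rev-parse --short HEAD) .
#   sudo docker run -d --name front --restart unless-stopped \
#        --publish 80:8080 sites/front:$(git rev-parse --short HEAD)
# Or, in swarm mode, as a replicated service so new images roll out one
# replica at a time:
#   sudo docker service create --name front --replicas 2 --publish 80:8080 \
#        --update-delay 10s sites/front:<tag>
#   sudo docker service update --image sites/front:<newtag> front
```

The backend containers the proxy forwards to need no --publish at all: they only have to be reachable on the same Docker network under the names used in `proxy_pass`, so the PHP/Apache images can keep listening on their own port inside the network while the host exposes only 80 and 443 through this image.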

Personally I would avoid docker group in production and invoke docker via sudo. It is a root privileged command after all. Even though I’m fairly sure having docker run behind sudo wouldn’t help with auditing (anyone able to use docker run could simply go wipe the history when done) you could at least have root privileges behind an additional user password.