Deploying NGINX and NGINX Plus with Docker

F5 NGINX Plus, the high‑performance application delivery platform, load balancer, and web server, is available as the Docker container.

Prerequisites

  • TheDocker Engine command-line tool

  • for NGINX Plus:

    • the JSON Web Token (JWT) fromMyF5 customer portal
    • thenginx-repo.crt andnginx-repo.key files fromMyF5 customer portal
    • your private Docker registry is configured and running

  • for NGINX Open Source:Docker Hub account

Use official NGINX Plus Docker images

Since NGINX Plus NGINX PlusRelease 31 you can get an NGINX Plus image from the official NGINX Plus Docker registry and upload it to your private registry.

The NGINX Plus Docker registry is available athttps://private-registry.nginx.com/v2/.

The registry contains the following image types:

  • NGINX Plus:
    https://private-registry.nginx.com/v2/nginx-plus/base

  • Unprivileged installation of NGINX Plus:
    https://private-registry.nginx.com/v2/nginx-plus/rootless-base

  • NGINX Plus bundled withNGINX Agent:
    https://private-registry.nginx.com/v2/nginx-plus/agent

  • Unprivileged installation of NGINX Plus and NGINX Agent:
    https://private-registry.nginx.com/v2/nginx-plus/rootless-agent

The images can be targeted for a particular operating system and NGINX Plus release using tags.

Tags for operating systems

Operating systemBasic OS tagTag examples
Alpine (x86_64, aarch64)alpiner33-alpine,r33-alpine-3.20
Debian (x86_64, aarch64)debianr33-debian,r33-debian-bookworm
Red Hat Enterprise Linux (x86_64, aarch64)ubir33-ubi,r33-ubi-9,r33-ubi-9-20240624
Operating systemBasic OS tagTag examples
Alpine (x86_64, aarch64)alpiner33-alpine,r33-alpine-3.20
Debian (x86_64, aarch64)debianr33-debian,r33-debian-bookworm
Red Hat Enterprise Linux (x86_64, aarch64)ubir33-ubi,r33-ubi-9,r33-ubi-9-20240624

Tags for NGINX Plus versions

The NGINX Plus registry contains images for the two most recent versions of NGINX Plus. The basic operating system tag returns the latest version of NGINX Plus built for the latest version of this operating system.

Example:nginx-plus-r33-ubi-9,nginx-plus-r32-alpine-3.19.
nginx-plus-r33-ubi-9,nginx-plus-r32-alpine-3.19.

The image may contain a particular version of NGINX Plus or contain a bundle of NGINX Plus and NGINX Agent, and can be targeted for a specific architecture.

List all tags

For a complete tag list for NGINX Plus bundled with NGINX Agent images, use the command:

curl https://private-registry.nginx.com/v2/nginx-plus/<nginxplus-image-type>/tags/list --key <nginx-repo.key> --cert <nginx-repo.crt>| jq
curl https://private-registry.nginx.com/v2/nginx-plus/<nginxplus-image-type>/tags/list --key <nginx-repo.key> --cert <nginx-repo.crt>| jq

where:

  • the<nginxplus-image-type> is the location of images in NGINX Plus private registry:

    • base is NGINX Plus only
    • rootless-base is NGINX Plus run fromnginx user
    • agent is NGINX Plus along with NGINX Agent in a single image
    • rootless-agent is NGINX Plus with NGINX Agent both run fromnginx user
    • modules is NGINX Plus dynamic modules

  • the<nginx-repo.key> is a local path to your client key from MyF5, for example,/etc/ssl/nginx/nginx-repo-x12345.key

  • the<nginx-repo.crt> is a local path to your client certificate from MyF5, for example,/etc/ssl/nginx/nginx-repo-x12345.crt

  • thejq command is used to format the JSON output for easier reading and requires thejq JSON processor to be installed.

Download the JSON Web Token or NGINX Plus certificate and key

Before you get a container image, you should provide the JSON Web Token file or SSL certificate and private key files provided with your NGINX Plus subscription. These files grant access to the package repository from which the script will download the NGINX Plus package:

  1. Log in toMyF5.
  2. Go toMy Products & Plans > Subscriptions to see your active subscriptions.
  3. Find your NGINX products or services subscription, and select theSubscription ID for details.
  4. Download theJSON Web Token from the subscription page.
  1. Log in to theMyF5 customer portal.
  2. Go toMy Products and Plans >Subscriptions.
  3. Select the product subscription.
  4. Download theSSL Certificate andPrivate Key files.

Set up Docker for NGINX Plus container registry

Set up Docker to communicate with the NGINX Container Registry located atprivate-registry.nginx.com.

Open the JSON Web Token file previously downloaded fromMyF5 customer portal (for example,nginx-repo-12345abc.jwt) and copy its contents.

Log in to the docker registry using the contents of the JSON Web Token file:

docker login private-registry.nginx.com --username=<output_of_jwt_token> --password=none
docker login private-registry.nginx.com --username=<output_of_jwt_token> --password=none

Create a directory and copy your certificate and key to this directory:

shell
mkdir -p /etc/docker/certs.d/private-registry.nginx.comcp <path-to-your-nginx-repo.crt> /etc/docker/certs.d/private-registry.nginx.com/client.certcp <path-to-your-nginx-repo.key> /etc/docker/certs.d/private-registry.nginx.com/client.key
mkdir -p /etc/docker/certs.d/private-registry.nginx.comcp <path-to-your-nginx-repo.crt> /etc/docker/certs.d/private-registry.nginx.com/client.certcp <path-to-your-nginx-repo.key> /etc/docker/certs.d/private-registry.nginx.com/client.key

The steps provided are for Linux. For Mac or Windows, see theDocker for Mac orDocker for Windows documentation. For more details on Docker Engine security, you can refer to theDocker Engine Security documentation.

Log in to the docker registry:

docker login private-registry.nginx.com
docker login private-registry.nginx.com

Pull the image

Next, pull the image you need fromprivate-registry.nginx.com.

To pull an image, replace<version-tag> with the specific NGINX Plus version or the NGINX Plus version and OS version you need.

For NGINX Plus, run:

docker pull private-registry.nginx.com/nginx-plus/base:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/base:<version-tag>

For NGINX Plus with NGINX Agent version 2, run:

docker pull private-registry.nginx.com/nginx-plus/agent:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/agent:<version-tag>

For NGINX Plus with NGINX Agent version 3, run:

docker pull private-registry.nginx.com/nginx-plus/agentv3:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/agentv3:<version-tag>

For NGINX Plus installed fromnginx user (rootless installation), run:

docker pull private-registry.nginx.com/nginx-plus/rootless-base:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/rootless-base:<version-tag>

For NGINX Plus with NGINX Agent version 2 installed fromnginx user (rootless installation), run:

docker pull private-registry.nginx.com/nginx-plus/rootless-agent:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/rootless-agent:<version-tag>

For NGINX Plus with NGINX Agent version 3 installed fromnginx user (rootless installation), run:

docker pull private-registry.nginx.com/nginx-plus/rootless-agentv3:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/rootless-agentv3:<version-tag>

For NGINX modules, run:

docker pull private-registry.nginx.com/nginx-plus/modules:<version-tag>
docker pull private-registry.nginx.com/nginx-plus/modules:<version-tag>
Protect sensitive data

To protect your system and data, follow these security practices:

  1. JWTs: Treat JSON Web Tokens (JWTs) as sensitive data. Store them securely and delete them after use to prevent unauthorized access.

  2. Shell history: Commands with JWTs or passwords are saved in plain text in your shell history. After running such commands, clear the history to protect credentials. For example:

    • Edit your shell history file (such as ~/.bash_history or ~/.zsh_history) to remove specific commands.
    • Usehistory -c to clear all shell history in bash or zsh.
Protect sensitive data

To protect your system and data, follow these security practices:

  1. JWTs: Treat JSON Web Tokens (JWTs) as sensitive data. Store them securely and delete them after use to prevent unauthorized access.

  2. Shell history: Commands with JWTs or passwords are saved in plain text in your shell history. After running such commands, clear the history to protect credentials. For example:

    • Edit your shell history file (such as ~/.bash_history or ~/.zsh_history) to remove specific commands.
    • Usehistory -c to clear all shell history in bash or zsh.

Push the image to your private registry

After pulling the image, tag it and upload it to your private registry.

Note: Never upload your NGINX Plus images to a public repository such as Docker Hub. Doing so violates your license agreement.

Log in to your private registry:

docker login <my-docker-registry>
docker login <my-docker-registry>

Tag and push the image. Replace<my-docker-registry> with your registry’s path and<version-tag> with the your NGINX Plus version and/or OS version:

docker tag private-registry.nginx.com/nginx-plus/base:<version-tag> <my-docker-registry>/nginx-plus/base:<version-tag>
docker tag private-registry.nginx.com/nginx-plus/base:<version-tag> <my-docker-registry>/nginx-plus/base:<version-tag>
docker push <my-docker-registry>/nginx-plus/base:<version-tag>
docker push <my-docker-registry>/nginx-plus/base:<version-tag>

Run the NGINX Plus container

Note: Starting fromNGINX Plus Release 33, the JWT file is required for each NGINX Plus instance. For more information, seeAbout Subscription Licenses.
Starting fromNGINX Plus Release 33, the JWT file is required for each NGINX Plus instance. For more information, seeAbout Subscription Licenses.

To start the Docker container with NGINX Plus, you will need to pass your JWT license file namedlicense.jwt as theNGINX_LICENSE_JWT environment variable. If the license file needs to be located in a non-default directory, specify its full path using theNGINX_LICENSE_PATH variable (default path:/etc/nginx/license.jwt).

To start the Docker container with NGINX Plus only:

sh
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--restart=always\--runtime=runc\-d <YOUR_REGISTRY>/nginx-plus/base:<VERSION_TAG>
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--restart=always\--runtime=runc\-d <YOUR_REGISTRY>/nginx-plus/base:<VERSION_TAG>

To start the Docker container with NGINX Plus and NGINX Agent,you will need to additionally pass the NGINX One data plane key as theNGINX_AGENT_SERVER_TOKEN environment variable. For more information, seeCreate and manage data plane keys:

sh
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--env=NGINX_AGENT_SERVER_GRPCPORT=443\--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com\--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY"\--env=NGINX_AGENT_TLS_ENABLE=true\--restart=always\--runtime=runc\-d <YOUR_REGISTRY>/nginx-plus/agent:<VERSION_TAG>
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--env=NGINX_AGENT_SERVER_GRPCPORT=443\--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com\--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY"\--env=NGINX_AGENT_TLS_ENABLE=true\--restart=always\--runtime=runc\-d <YOUR_REGISTRY>/nginx-plus/agent:<VERSION_TAG>

where:

  • NGINX_LICENSE_JWT is your JWT license file from MyF5. The file name should belicense.jwt.
  • NGINX_AGENT_SERVER_GRPCPORT sets a GRPC port used by NGINX Agent to communicate with NGINX Instance Manager.
  • NGINX_AGENT_SERVER_HOST sets the domain name or IP address of NGINX Instance Manager. Note that for production environments it is not recommended to expose NGINX Instance Manager to public networks.
  • NGINX_AGENT_SERVER_TOKEN sets NGINX One data plane key. SeeCreate and manage data plane keys for details.
  • NGINX_AGENT_TLS_ENABLE enables mutual TLS, server-side TLS, or insecure mode (not recommended for production environments). SeeEncrypt communication for details.
  • YOUR_REGISTRY is the path to your private registry.
  • VERSION_TAG is the tag assigned when pushing to your registry.

Example:

To start the Docker Container with NGINX Plus and NGINX Agent on Debian or Ubuntu:

sh
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--env=NGINX_AGENT_SERVER_GRPCPORT=443\--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com\--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY"\--env=NGINX_AGENT_TLS_ENABLE=true\--restart=always\--runtime=runc\-d private-registry.nginx.com/nginx-plus/agent:debian
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--env=NGINX_AGENT_SERVER_GRPCPORT=443\--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com\--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY"\--env=NGINX_AGENT_TLS_ENABLE=true\--restart=always\--runtime=runc\-d private-registry.nginx.com/nginx-plus/agent:debian

To start the Docker Container with NGINX Plus and NGINX Agent on Debian or Ubuntu:

sh
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--env=NGINX_AGENT_SERVER_GRPCPORT=443\--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com\--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY"\--env=NGINX_AGENT_TLS_ENABLE=true\--restart=always\--runtime=runc\-d private-registry.nginx.com/nginx-plus/agent:debian
sudo docker run\--env=NGINX_LICENSE_JWT=$(cat license.jwt)\--env=NGINX_AGENT_SERVER_GRPCPORT=443\--env=NGINX_AGENT_SERVER_HOST=agent.connect.nginx.com\--env=NGINX_AGENT_SERVER_TOKEN="YOUR_NGINX_ONE_DATA_PLANE_KEY"\--env=NGINX_AGENT_TLS_ENABLE=true\--restart=always\--runtime=runc\-d private-registry.nginx.com/nginx-plus/agent:debian

Using NGINX Open Source Docker Images

You can create an NGINX instance in a Docker container using the NGINX Open Source image from the Docker Hub.

  1. Launch an instance of NGINX running in a container and using the default NGINX configuration with the following command:

    docker run --name mynginx1 -p 80:80 -d nginx
    docker run --name mynginx1 -p 80:80 -d nginx

    where:

    • mynginx1 is the name of the created container based on the NGINX image

    • the-d option specifies that the container runs in detached mode: the container continues to run until stopped but does not respond to commands run on the command line.

    • the-p option tells Docker to map the ports exposed in the container by the NGINX image (port80) to the specified port on the Docker host. The first parameter specifies the port in the Docker host, the second parameter is mapped to the port exposed in the container

    The command returns the long form of the container ID:fcd1fb01b14557c7c9d991238f2558ae2704d129cf9fb97bb4fadf673a58580d. This form of ID is used in the name of log files.

  2. Verify that the container was created and is running with thedocker ps command:

    shell
    $ docker psCONTAINER ID  IMAGE         COMMAND               CREATED         STATUS        ...fcd1fb01b145  nginx:latest"nginx -g 'daemon of  16 seconds ago  Up 15 seconds ...    ... PORTS              NAMES    ... 0.0.0.0:80->80/tcp mynginx1
    $ docker psCONTAINER ID  IMAGE         COMMAND               CREATED         STATUS        ...fcd1fb01b145  nginx:latest"nginx -g 'daemon of  16 seconds ago  Up 15 seconds ...    ... PORTS              NAMES    ... 0.0.0.0:80->80/tcp mynginx1

This command also allows viewing the port mappings set in the previous step: thePORTS field in the output reports that port80 on the Docker host is mapped to port80 in the container.

Creating custom NGINX Plus Docker Image

As NGINX Plus is a commercial offering, NGINX Plus Docker images are not available at Docker Hub, so first you will need to create an NGINX Plus Docker image.

Note: Never upload your NGINX Plus images to a public repository such as Docker Hub. Doing so violates your license agreement.

To generate a custom NGINX Plus image:

  1. Create the Docker build context, or a Dockerfile, for example:

  2. As with NGINX Open Source, default NGINX Plus image has the same default settings:

    • access and error logs are linked to the Docker log collector
    • no volumes are specified: a Dockerfile can be used to create base images from which you can create new images with volumes specified, or volumes can be specified manually:
    dockerfile
    VOLUME /usr/share/nginx/htmlVOLUME /etc/nginx
    VOLUME /usr/share/nginx/htmlVOLUME /etc/nginx
    • no files are copied from the Docker host as a container is created: you can addCOPY definitions to each Dockerfile, or the image you create can be used as the basis for another image

  3. Log in toMyF5 Customer Portal and download yournginx-repo.crt andnginx-repo.key files. For a trial of NGINX Plus, the files are provided with your trial package.

  4. Copy the files to the directory where the Dockerfile is located.

  5. Create a Docker image, for example,nginxplus (note the final period in the command).

    docker build  --no-cache --secretid=nginx-key,src=nginx-repo.key --secretid=nginx-crt,src=nginx-repo.crt -t nginxplus .
    docker build  --no-cache --secretid=nginx-key,src=nginx-repo.key --secretid=nginx-crt,src=nginx-repo.crt -t nginxplus .

    The--no-cache option tells Docker to build the image from scratch and ensures the installation of the latest version of NGINX Plus. If the Dockerfile was previously used to build an image without the--no-cache option, the new image uses the version of NGINX Plus from the previously built image from the Docker cache.

  6. Verify that thenginxplus image was created successfully with thedocker images command:

    shell
    $ docker images nginxplusREPOSITORY  TAG     IMAGE ID      CREATED        SIZEnginxplus   latest  ef2bf65931cf6 seconds ago  91.2 MB
    $ docker images nginxplusREPOSITORY  TAG     IMAGE ID      CREATED        SIZEnginxplus   latest  ef2bf65931cf6 seconds ago  91.2 MB

  7. Create a container based on this image, for example,mynginxplus container:

    docker run --name mynginxplus -p 80:80 -d nginxplus
    docker run --name mynginxplus -p 80:80 -d nginxplus

  8. Verify that themynginxplus container is up and running with thedocker ps command:

    shell
    $ docker psCONTAINER ID  IMAGE             COMMAND               CREATED         STATUS        ...eb7be9f439db  nginxplus:latest"nginx -g 'daemon of  1 minute ago    Up 15 seconds ...    ... PORTS              NAMES    ... 0.0.0.0:80->80/tcp mynginxplus
    $ docker psCONTAINER ID  IMAGE             COMMAND               CREATED         STATUS        ...eb7be9f439db  nginxplus:latest"nginx -g 'daemon of  1 minute ago    Up 15 seconds ...    ... PORTS              NAMES    ... 0.0.0.0:80->80/tcp mynginxplus

NGINX Plus containers are controlled and managed in the same way as NGINX Open Source containers.

Managing Content and Configuration Files

Content served by NGINX and NGINX configuration files can be managed in several ways:

  • files are maintained on the Docker host
  • files are copied from the Docker host to a container
  • files are maintained in the container

Maintaining Content and Configuration Files on the Docker Host

When the container is created, you can mount a local directory on the Docker host to a directory in the container. The NGINX image uses the default NGINX configuration, which uses/usr/share/nginx/html as the container’s root directory and puts configuration files in/etc/nginx. For a Docker host with content in the local directory/var/www and configuration files in/var/nginx/conf, run the command:

shell
docker run --name mynginx2\   --mounttype=bind,source=/var/www,target=/usr/share/nginx/html,readonly\   --mounttype=bind,source=/var/nginx/conf,target=/etc/nginx/conf,readonly\   -p 80:80\   -d nginxplus
docker run --name mynginx2\   --mounttype=bind,source=/var/www,target=/usr/share/nginx/html,readonly\   --mounttype=bind,source=/var/nginx/conf,target=/etc/nginx/conf,readonly\   -p 80:80\   -d nginxplus

Any change made to the files in the local directories/var/www and /var/nginx/conf on the Docker host are reflected in the directories/usr/share/nginx/html and/etc/nginx in the container. Thereadonly option means these directories can be changed only on the Docker host, not from within the container.

Copy content and configuration files from the Docker host

Docker can copy the content and configuration files from a local directory on the Docker host during container creation. Once a container is created, the files are maintained by creating a new container when files change or by modifying the files in the container.

A simple way to copy the files is to create a Dockerfile with commands that are run during generation of a new Docker image based on the NGINX image. For the file‑copy (COPY) commands in the Dockerfile, the local directory path is relative to the build context where the Dockerfile is located.

Let’s assume that the content directory iscontent and the directory for configuration files isconf, both subdirectories of the directory where the Dockerfile is located. The NGINX image has the default NGINX configuration files, includingdefault.conf, in the/etc/nginx/conf.d directory. To use the configuration files from the Docker host only, delete the default files with theRUN command:

dockerfile
FROM nginxRUN rm /etc/nginx/conf.d/default.confCOPY content /usr/share/nginx/htmlCOPY conf /etc/nginx
FROM nginxRUN rm /etc/nginx/conf.d/default.confCOPY content /usr/share/nginx/htmlCOPY conf /etc/nginx

Create NGINX image by running the command from the directory where the Dockerfile is located. The period (“.”) at the end of the command defines the current directory as the build context, which contains the Dockerfile and the directories to be copied:

docker build -t mynginx_image1 .
docker build -t mynginx_image1 .

Create a containermynginx3 based on themynginx_image1 image:

docker run --name mynginx3 -p 80:80 -d mynginx_image1
docker run --name mynginx3 -p 80:80 -d mynginx_image1

To make changes to the files in the container, use a helper container as described in the next section.

Maintain content and configuration files in the container

As SSH cannot be used to access the NGINX container, to edit the content or configuration files directly you need to create a helper container that has shell access. For the helper container to have access to the files, create a new image that has the proper Docker data volumes defined for the image:

  1. Copy nginx content and configuration files and define the volume for the image with the Dockerfile:

    dockerfile
    FROM nginxCOPY content /usr/share/nginx/htmlCOPY conf /etc/nginxVOLUME /usr/share/nginx/htmlVOLUME /etc/nginx
    FROM nginxCOPY content /usr/share/nginx/htmlCOPY conf /etc/nginxVOLUME /usr/share/nginx/htmlVOLUME /etc/nginx

  2. Create the new NGINX image by running the following command:

    docker build -t mynginx_image2 .
    docker build -t mynginx_image2 .

  3. Create an NGINX containermynginx4 based on themynginx_image2 image:

    docker run --name mynginx4 -p 80:80 -d mynginx_image2
    docker run --name mynginx4 -p 80:80 -d mynginx_image2

  4. Start a helper containermynginx4_files that has a shell, providing access the content and configuration directories of themynginx4 container we just created:

    shell
    $ docker run -i -t --volumes-from mynginx4 --name mynginx4_files debian /bin/bashroot@b1cbbad63dd1:/#
    $ docker run -i -t --volumes-from mynginx4 --name mynginx4_files debian /bin/bashroot@b1cbbad63dd1:/#

    where:

    • the newmynginx4_files helper container runs in the foreground with a persistent standard input (the-i option) and a tty (the-t option). All volumes defined inmynginx4 are mounted as local directories in the helper container.
    • thedebian argument means that the helper container uses the Debian image from Docker Hub. Because the NGINX image also uses Debian, it is most efficient to use Debian for the helper container, rather than having Docker load another operating system
    • the/bin/bash argument means that the bash shell runs in the helper container, presenting a shell prompt that you can use to modify files as needed

To start and stop the container, run the commands:

shell
docker start mynginx4_filesdocker stop mynginx4_files
docker start mynginx4_filesdocker stop mynginx4_files

To exit the shell but leave the container running, pressCtrl+p followed byCtrl+q. To regain shell access to a running container, run this command:

docker attach mynginx4_files
docker attach mynginx4_files

To exit the shell and terminate the container, run theexit command.

Manage logging

You can use default logging or customize logging.

Use default logging

By default, the NGINX image is configured to send NGINXaccess log anderror log to the Docker log collector. This is done by linking them tostdout andstderr: all messages from both logs are then written to the file/var/lib/docker/containers/container-ID/container-ID-json.log on the Docker host. The container‑ID is the long‑form ID returned when youcreate a container. To display the long form ID, run the command:

docker inspect --format'{{ .Id }}' container-name
docker inspect --format'{{ .Id }}' container-name

You can use both the Docker command line and the Docker Engine API to extract the log messages.

To extract log messages from the command line, run the command:

docker logs container-name
docker logs container-name

To extract log messages using the Docker Remote API, send aGET request using the Docker Unix sock:

curl --unix-sock /var/run/docker-sock http://localhost/containers/container-name/logs?stdout=1&stderr=1
curl --unix-sock /var/run/docker-sock http://localhost/containers/container-name/logs?stdout=1&stderr=1

To include only access log messages in the output, include onlystdout=1. To limit the output to error log messages, include onlystderr=1. For other available options, seeGet container logs section of theDocker Engine API documentation.

Use customized logging

If you want to configure logging differently for certain configuration blocks (such asserver {} andlocation {}), define a Docker volume for the directory in which to store the log files in the container, create a helper container to access the log files, and use any logging tools. To implement this, create a new image that contains the volume or volumes for the logging files.

For example, to configure NGINX to store log files in/var/log/nginx/log, add aVOLUME definition for this directory to the Dockerfile (provided that content and configuration Files aremanaged in the container):

dockerfile
FROM nginxCOPY content /usr/share/nginx/htmlCOPY conf /etc/nginxVOLUME /var/log/nginx/log
FROM nginxCOPY content /usr/share/nginx/htmlCOPY conf /etc/nginxVOLUME /var/log/nginx/log

Then you cancreate an image and use it to create an NGINX container and a helper container that have access to the logging directory. The helper container can have any desired logging tools installed.

Control NGINX

Since there is no direct access to the command line of the NGINX container, NGINX commands cannot be sent to a container directly. Instead,signals can be sent to a container via Dockerkill command.

To reload the NGINX configuration, send theHUP signal to Docker:

dockerkill -s HUP container-name
dockerkill -s HUP container-name

To restart NGINX, run this command to restart the container:

docker restart container-name
docker restart container-name