Make a Docker Host Fast and Easy with VMware ESXi and Photon OS 3

If you’re an up-and-coming tech startup like Taxnexus, you can’t afford to spend all your money on AWS doing devops.

Are you dumping into the AWS Money Pit?

The next time you get stuck with a $500 AWS surprise because someone was really trying to make things work better, think about building a devops playground on-prem or at a local colocation facility.

Move some of your Docker workload over to a bare-metal setup using VMware ESXi, the oldest free, commercial hypervisor. Just imagine all the cheap cores at your disposal with a new AMD Ryzen-based server! And, by using Photon OS as an ESXi-optimized host OS, you get the best performance and super-simple, built-in Docker support.

Let’s get started!

Install VMware ESXi and Photon OS

Hit your new VMware ESXi host on HTTP to access the management tools
  1. Set up your server hardware with as many cores and as much memory and fast storage as you can afford. Check this article for more on free ESXi limitations.
  2. Set up ESXi on the local console.
  3. Install your new server in a private network available to your workstations, and then open the management web page to reach the VMware Host Client.
  4. Download the Photon OS 3 ISO from the VMware GitHub repo. These instructions are for the ISO version only; do not use the OVA version.
  5. Upload your ISO to a folder in your VMware datastore.
  6. Create a new VMware virtual machine from the ISO.
  7. Install Photon OS 3 as your first Docker host. Be sure to name your new server!

Now we get to the tricky stuff that kind of makes Photon a pain, because it comes up secure and lacking in network niceties. I use Photon as a single root user, so that requires some additional setup to get remote SSH working properly.

  1. Set up static IP
  2. Allow external hosts to ping
  3. Enable remote root login
  4. Start and Enable Docker

Set Up Static IP

Access the virtual console in the VMware Host Client and log into your new VM using the root password specified during setup.

To change the IP address from DHCP to static…

# Edit network config file
vi /etc/systemd/network/

For a host with IP, DNS and gateway at, and in a “mydomain.local” DNS zone change the file to this:



Make sure the file permissions are correct, restart networking, and check that the new IP is active.

# set up security, restart networking and show interfaces
chmod 644 /etc/systemd/network/
systemctl restart systemd-networkd

Set Up External Ping

If you’re like me, then you like to know when your servers are up by having them send back a reply to an ICMP Echo request. Here are the steps for that:

# change and save iptables
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables-save >/etc/systemd/scripts/ip4save

Enable Remote Root Login

The ssh daemon does not allow for remote root login by default. If you are OK with not creating special system users, then you need to enable root login by changing “PermitRootLogin no” to “PermitRootLogin yes” in the daemon config file.

# edit ssh daemon config
vi /etc/ssh/sshd_config

# search for "PermitRootLogin no"
# located at line 125
# change it to this
PermitRootLogin yes

# restart sshd
systemctl restart sshd
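
A check for the setting changed above, as an added example that is not part of the original post: it reports which PermitRootLogin value sshd will use, since sshd keeps the first value it reads and a later edit can be silently ignored. The function names and the sample config are constructed for illustration; prohibit-password is the OpenSSH value that keeps a root-only workflow while refusing password logins.

```shell
#!/bin/sh
# Added example, not from the original post: report the PermitRootLogin value
# sshd will apply from a config file. Rules modelled: keywords are
# case-insensitive, the first value read wins, Match blocks are conditional.
# Include files are not followed; `sshd -T` prints the authoritative result.

effective_root_login() {
    # $1 = path to an sshd_config-style file
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }          # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }   # OpenSSH default
    ' "$1"
}

# Map the effective value to what it means for remote root access.
root_login_exposure() {
    case $(effective_root_login "$1") in
        yes) echo "root-with-password" ;;
        prohibit-password|without-password) echo "root-with-key-only" ;;
        forced-commands-only) echo "root-forced-commands-only" ;;
        no) echo "root-disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample: the edit from the post sits near the end of the file,
# but an earlier line already set the keyword, so the edit has no effect.
write_sample_config() {
    printf '%s\n' 'Port 22' 'permitrootlogin prohibit-password' \
        '#PermitRootLogin no' 'PermitRootLogin yes' \
        'Match Address 192.0.2.0/24' '    PermitRootLogin yes' > "$1"
}
```

Run root_login_exposure /etc/ssh/sshd_config on the Photon host after the edit to confirm the change took effect.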

Start and Enable Docker

The real glory of this procedure is that Docker comes pre-installed in Photon OS, so you avoid all that mess.

# update to latest docker version
yum update -y
# start docker for the first time
systemctl start docker
# enable docker to start automatically
systemctl enable docker
# check that it is working
docker info
docker run hello-world

That’s All Folks!

Remember you only get 8 cores per VM in the free version of ESXi, so spread out your workload across multiple VMs to get started.

My next project on Photon is to try out their Kubernetes installation, which is supposedly a one-liner. Let me know if you get that going!

Make a Docker Lab With Linux, Mac and Windows

Here’s a quickie realization for folks like me who naively figured it would be easy to integrate my Windows and Mac VS Code users with Docker. This realization resulted in me building a bare-metal Linux box to make everything work a lot easier for our Docker lab.

Docker Is Easy, Usually

It’s easy for most engineers to use Docker if you are working on one platform. If you’re working exclusively in Windows, MacOS or Linux, then you’re probably not going to hit the speed bump I’m about to describe.

This advice will resonate for IT pros who need to integrate Docker into an enterprise with Mac and Windows developers.

Ignore The Windows Docker Strategy

Sometimes I get led astray in my devops studies because I am lured into a vendor strategy.

I see a shiny object that makes me feel better. I am like a fish chasing a lure because this newfangled vendor strategy promises me things will be glorious once I buy into the strategy. What really happens is that I get hooked on the vendor’s offering.

If you are working with Node, PHP, or Golang to build a cloud app, then you should know that the Windows Docker strategy is crap.

This is the good way to make a Docker Lab

The containerization “strategy” announced by Docker and Microsoft in 2017 is a good example of vendors luring in IT pros with talk of nirvana. Here is that strategy in a nutshell: if you want to run Windows servers within a Docker container, that is now possible. You still need Hyper-V running underneath Docker on a Windows 2016 server, so whatever.

Hopefully this little realization will save someone else the time and bother I wasted going down a few rabbit holes.

Linux Rules Devops

As it is with all things devops, it is always best to go back to mother, i.e. Linux.

After studying the Docker documentation and tuning my network, I realized that I needed Docker to run on a dedicated Linux platform. If I told my Docker clients that DOCKER_HOST was the Linux server, I figured I might have a solution that worked! SPOILER ALERT — It does and it’s spectacular.

Here’s the real zinger that got me to set up a dedicated server. The documentation on setting up networks and exposing containers is for Linux. The Docker networking instructions give solutions using iptables in Linux.

Set Up Your Docker Lab Server

Take note that I am using an open, unauthenticated port on the Docker server for control communication, which Docker does not recommend. You can implement TLS security on your ports to tighten things up if needed.

I went with a bare metal Linux installation for a couple of reasons. First, Docker involves the use of virtualization technology, and it’s always best to avoid nesting virtualizations. Also, just about any spare PC will do for this lab setup. Even a five-year-old desktop with a 120 GB SSD will be an awesome Linux lab server. 

I only spent an hour sitting in the lab setting up my new server. I used the latest LTS version of Ubuntu, but several Linux distros may be used for your Docker Linux host. If you use another distro, then check for distribution-specific instructions for how to open Docker port 2375.

To set up a simple Mac and Windows Docker lab without security, follow these instructions.

  1. Start with a working VS Code installation on Mac and Windows.
  2. Install Docker locally on both Mac and Windows developer workstations.
  3. Integrate VS Code with Docker on Mac and Windows. Make sure you have the Docker extension installed and working properly.
  4. Prepare a bare-metal server from the distribution ISO with Ubuntu Server 18.04 LTS.
  5. Assign the server a fixed, private IP, such as
  6. Remove AppArmor on the Linux server to improve performance.
  7. Follow these instructions to install Docker-CE.
  8. To open up port 2375 update the following system files and reboot your server (source). 
# File: /etc/default/docker
# Use DOCKER_OPTS to modify the daemon startup options.
DOCKER_OPTS="tcp:// -H unix:///var/run/docker.sock"

# File: /lib/systemd/system/docker.service
## Add EnvironmentFile + add "$DOCKER_OPTS" at end of ExecStart
## After change exec "systemctl daemon-reload"
EnvironmentFile=-/etc/default/docker
ExecStart=/usr/bin/dockerd -H fd:// $DOCKER_OPTS
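
The TLS option mentioned at the start of this section, as an added example that is not part of the original post: a lab CA issues one server and one client certificate so the daemon can listen on 2376 with --tlsverify instead of plaintext 2375, where anyone who can reach the port controls the daemon. The host name docker-lab.example, the output directory and the certificate subject names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. docker-lab.example, the output
# directory and the certificate subject names are placeholders (assumptions).

make_docker_tls() {
    dir=$1 host=$2
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077   # private keys readable by their owner only
        # Explicit config, so the result does not depend on the system openssl.cnf.
        printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
            'x509_extensions=ca' '[dn]' 'CN=unused' \
            '[ca]' 'basicConstraints=critical,CA:TRUE' \
            'keyUsage=critical,keyCertSign,cRLSign' \
            '[srv]' "subjectAltName=DNS:$host" 'extendedKeyUsage=serverAuth' \
            '[cli]' 'extendedKeyUsage=clientAuth' > lab.cnf
        # 1. Lab CA: the daemon trusts only client certificates it has signed.
        openssl req -x509 -config lab.cnf -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=docker-lab-ca" -keyout ca-key.pem -out ca.pem || exit 1
        # 2. Server certificate: the SAN must match the name used in DOCKER_HOST.
        openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$host" -keyout server-key.pem -out server.csr || exit 1
        openssl x509 -req -in server.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -days 365 -extfile lab.cnf -extensions srv \
            -out server-cert.pem || exit 1
        # 3. Client certificate: the docker CLI expects ca.pem, cert.pem, key.pem.
        openssl req -new -config lab.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=lab-client" -keyout key.pem -out client.csr || exit 1
        openssl x509 -req -in client.csr -CA ca.pem -CAkey ca-key.pem \
            -CAcreateserial -days 365 -extfile lab.cnf -extensions cli \
            -out cert.pem || exit 1
        rm -f server.csr client.csr lab.cnf
    )
}

# Succeeds only if both certificates chain to the lab CA with the right usage.
verify_docker_tls() {
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server-cert.pem" >/dev/null 2>&1 &&
        openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/cert.pem" >/dev/null 2>&1
}

# Daemon flags that replace the plaintext tcp listener:
#   dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem \
#       --tlskey=server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
# Client side, with ca.pem, cert.pem and key.pem copied to ~/.docker:
#   export DOCKER_HOST=tcp://docker-lab.example:2376 DOCKER_TLS_VERIFY=1
```

Keep ca-key.pem off the Docker host once the certificates are issued; whoever holds it can mint new client certificates.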

Update Mac and Windows Environments

Start configuring your clients by adding the following line to your .zshrc and .bashrc files on the Mac:

export DOCKER_HOST=tcp://

On Windows, go into the System control panel, Advanced Settings, Environment Variables and add the following:


If you are using Windows Subsystem for Linux (WSL), and you use Docker with WSL, then add the export statement to your .zshrc and .bashrc files too.

Restart VS Code and any terminal or shell programs you have running. Launch a new shell and test it with docker info. You should see Ubuntu 18.04 OS listed in the output.


First, double-check the export statements and Environment Variable settings in your client environments. Make sure you have the “:2375” on the end.

If you have doubts about whether you have successfully opened up port 2375 on your Linux server, check the port manually. First, make sure you have telnet installed on your Windows, Mac or WSL. Issue this telnet command to see if the port on host is open.

$ telnet 2375

If the port is open, then telnet will continue to run and you will need to quit it with CTRL-C or CTRL-]. If the port is not open, then you will get a “connection refused” error message.

Celebration Time!

After installing your new host, disable the Docker daemons running on Mac and Windows. The Docker CLI works without the local servers running.

Now it’s time to bask in the glory of your conquest. Run into the next office and claim victory!

Start a PHP 7.2 Slim Project on Ubuntu 18.04

I use Slim, a lightweight PHP framework for creating HTTP applications and APIs using “routes.”

Here’s my formula for deploying my Slim app on Ubuntu 18.04 with PHP 7.2. This has worked on GCP and AWS, as well as my own hosted cluster.

Please note that I will be working with a raw sudo terminal session, so I will omit the use of sudo from these instructions.

One Fresh LAMP Image, Please

Let us start with a fresh installation of Ubuntu 18.04.

# important!
apt update
apt -y upgrade

I like using tasksel to install LAMP (Apache, MySQL and PHP). tasksel is the menu you encounter when installing Ubuntu from an ISO. If I am installing on a cloud service, I don’t get the opportunity to use this menu, so I have to install it manually.

apt install -y tasksel
# Launch the menu
tasksel
# Scroll down to LAMP Server
# Hit Spacebar to select
# Tab to the OK button and hit Enter

After I install MySQL, I always secure it.

mysql_secure_installation
# Follow the prompts and accept all security recommendations

Use Certbot for Free SSL

Hooray for Certbot and Let’s Encrypt! Now it only takes a few minutes to configure Apache with SSL certificates.

Configure Public Domain Names

Super-important first step: assign a domain name you control to the public IP address of your hosted Ubuntu instance. The public clouds give you a public IP when you set up a new instance. Use that IP address to set up DNS A records for your host.

For example, if I have a domain called, and I want a host to be called and, and I want to work as well, and my public-facing IP address is, then I need these A records in my DNS zone file:

@    14400  IN  A
api  14400  IN  A
www  14400  IN  A

Use Certbot to Install Let’s Encrypt Certificates

Start by installing Certbot and accepting the license terms.

add-apt-repository ppa:certbot/certbot
# Hit Enter to accept the terms
apt install -y python-certbot-apache

Run the certbot command as shown, entering all of your domain names. Enter your email address for identification and sign up for the newsletter! Pick the option to automatically redirect your HTTP traffic to HTTPS.

certbot --apache -d -d -d
# Enter your email address
# Pick the option to redirect HTTP to HTTPS

Install PHP Modules and Composer

Slim uses the popular Composer module management system for PHP. I need a few PHP modules to get Composer to work with my Slim projects.

apt install -y composer zip php-curl php-xml php-mbstring php-zip

Load Project Files

For day-to-day work on a PHP/Slim project, I use a regular, unprivileged user account. I set up a new account with the adduser command. The username vern is just an example; select any username you want.

adduser vern
# Select a strong password
# Complete the "Full Name" field
# Hit Enter for the remaining prompts

Now, I need to impersonate the new user and load the project files from GitHub (or wherever I have my repository) into the project directory. After that I bring in all the dependent modules by running Composer.

In this example, I start a new Slim project called myproject using the Slim Skeleton repository.

cd ~vern
su vern
git clone myproject
cd myproject
composer install

The last step in developer account preparation is to give Apache ownership of the log directory. Change vern to your developer account name.

chown www-data:www-data /home/vern/myproject/logs

Configure Apache for Slim

Edit the Apache SSL configuration file that was generated by Certbot:

vi /etc/apache2/sites-enabled/000-default-le-ssl.conf

The contents should look like this.

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

Change the DocumentRoot directive to point to the project’s public directory.

DocumentRoot /home/vern/myproject/public

Add the following <Directory> directive before the </VirtualHost> tag.

<Directory "/home/vern/myproject/public">
   Options Indexes FollowSymLinks MultiViews
   AllowOverride all
   Require all granted
   <IfModule mod_rewrite.c>
     RewriteEngine on
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteRule ^(.*)$ index.php?_url=/$1 [QSA,L]
   </IfModule>
</Directory>

Finally, your 000-default-le-ssl.conf file should look like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /home/vern/myproject/public
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
Include /etc/letsencrypt/options-ssl-apache.conf
<Directory "/home/vern/myproject/public">
   Options Indexes FollowSymLinks MultiViews
   AllowOverride all
   Require all granted
   <IfModule mod_rewrite.c>
     RewriteEngine on
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteRule ^(.*)$ index.php?_url=/$1 [QSA,L]
   </IfModule>
</Directory>
</VirtualHost>
</IfModule>

Save and restart Apache.

apache2ctl restart

Bask In The Glory!

Fire up your browser and go to and you should see the Slim default page.