notes.neulen.net

Docker

Mar 16, 20255 min read

Warning

Never add credentials or other sensitive information into an image. Check out Handling of credentials for more information.

Info

If you are setting up containers that use Docker commands inside itself you have to mount /var/run/docker.sock. This is for instance the case for the docker inside docker or dind containers and all containers that have to execute docker commands like Portainer.

Cheatsheet

To create an image with a Dockerfile the following command can be used:

sudo docker build -t <target_image_name> .

To start a container via Docker Compose use:

sudo docker compose up

To log in to the shell for a specific container use:

docker exec -it <mycontainer> bash

To run a Docker container and go into CLI directly:

docker run -it --entrypoint /bin/bash <mycontainer>

To run a container indefinetly use a command that will run forever. For instance:

docker run <container_name> sleep infinity

Troubleshooting

Problem with mounting file / folder into container

If following Problem occurs, you either did try to mount a folder or a non existing file to a container. Or the container volume is somehow bugged.

Error

Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting “<host_path>” to rootfs at “<container_path>”: mount <host_path>:<container_path> (via /proc/self/fd/6), flags: 0x5000: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

Thus, first check if the host file is actually available:

cat <host_path>

If that command returns the proper file content you can try to prune the container and its volumes using:

docker container prune
docker volume prune

Install Docker

Fedora

Source: docker.com

First add the docker repository to dnf:

sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo

Now install the latest Docker version:

sudo dnf install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Start Docker and check if it is running using the Hello World container:

sudo systemctl start docker
sudo docker run hello-world

Debian

Source docker.com

First update your current software and get all dependencies:

sudo apt-get update
sudo apt-get install ca-certificates curl gnupg

Add Dockers official GPG key:

sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg

Install the Docker repository:

echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Update the apt package index:

sudo apt-get update

Now install the latest version of the Docker Engine and test the Hello World container:

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
sudo docker run hello-world

Docker post install tasks

Source: https://docs.docker.com/engine/install/linux-postinstall/

Add a specific user to the Docker group for Docker command execution without sudo like follows. First create the docker group if not already automatically added during install:

sudo groupadd docker

Now add the target user to the docker group:

sudo usermod -aG docker <username>

Source: https://docs.docker.com/config/containers/logging/syslog/ Set up a syslog to get Docker logs by adding a file called daemon.json in the folder /etc/docker/ and add a configuration like this:

{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "udp://1.2.3.4:1111"
  }
}

Handling of credentials

Source: https://youtu.be/m3RWcI7cpzk?si=ZCjmS1VPw-0g3JIX

Credentiels should never be added to a Docker image. Images should always be a quasi static state of an application which is not configured specific to the usecase yet. All usecase specific information should be added as environment variable or via configuration files and mounts during runtime. This can be done for instance with a Docker compose setup.

Always keep credentials and other sensitive information local and safe. Only mount them if necessary with suitable access rights.

Creating images

When creating images it is important to keep in mind how many layers are created and which files are stored within the image. It is most of the time not necessary to let cache files stay inside the image. To remove caches after the installation of necessary software a few examples are shown below:

pip cache purge
rm /var/Cache/*
apt-get clean

If there are many layers created by the Dockerfile while creating the image it can be helpful to use the option --squash. This option will try to identify redundant layers and it tries to consolidate them so that the image itself can be build faster.

				# Containers and SSH

To use SSH within containers either to connect to remote machines, or to host a SSH-Service on the container itself the respective packages have to be installed and started. Starting those services is not trivial since containers normally do not have init processes that start those services. How to do that is explained in the following reference:

Installation & Start of SSH-Services

Info

The SSH-Server and Client services require different packages. Take care to install the correct ones when setting up SSH on fresh machines.

SSH-Server

The SSH-Server service is needed to be able to connect to the respective machine from remote ones. The installation and start of the service is done using the following commands.

Warning

When setting up the authorized_keys file make sure that the file has the right owner and permissions!

It is suggested to set the permissions to 600 via chmod and place it in the users or root folder .ssh. The current users folder should be at ~/.ssh, i.e. /home/<username>/.ssh. The folder for the root user should be at /root/.ssh. Only consider using the root user of it is not possible otherwise.

Fedora

Install the SSH-Server service via:

sudo dnf install openssh-server

Run the service like follows if you are on a standard Linux machine:

sudo systemctl start sshd

However if sshd should be run in a container systemctl is most likely not available since containers do not have a init process. In this case run the sshd service manually. The attached & will cause this process to be run in the background so that the command line can still be used for further commands.

/usr/sbin/sshd -D &

Debian

Install the SSH-Server service via:

sudo apt-get install openssh-server

Run the service like follows if you are on a standard Linux machine:

sudo systemctl start sshd

However if sshd should be run in a container systemctl is most likely not available since containers do not have a init process. In this case run the sshd service manually. The attached & will cause this process to be run in the background so that the command line can still be used for further commands.

/usr/sbin/sshd -D &

SSH-Client Service

The SSH-Client service is needed to connect from the respective machine to remote machines. Install the tool like follows.

Fedora

Install the SSH-Client service via:

sudo dnf install openssh-clients

SSHD configuration

To set up a safe initial configuration of the SSHD_config file use the following sed commands that will alter the most important settings.

Warning

Make sure public keys are deployed on the machine you are configuring and you can access it via those keys. Check out the section Setup for more information.

Otherwise you will not be able to login again after setting the following tighter login rules.

It will

  • allow public key authentication,
  • disallow password authentication,
  • disallow empty passwords,
  • set maximum authorities to three,
  • disallow root login.

These are the commands:

sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
sed -i 's/#MaxAuthTries 6/MaxAuthTries 3/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
Link to original

Pushing images to a registry

Source: docker.com

When pushing Docker images to a registry via docker image push Docker requires the connection to be TLS encrypted. This can be a problem when private registries are used within a private network and if this registry shall not be available to the public internet. Thus, this registry can not obtain a TLS certificate from a trusted authority such as Lets Encrypt.

To overcome this problem the /etc/docker/daemon.json file can be adjusted to allow some insecure registries. Just add the following to the file if it was empty:

{
  "insecure-registries" : ["<url_or_ip_to_registry>:<port_of_registry>"]
}

Info

The /etc/docker/daemon.json has to be adjusted on the host machine not in a container that might be pushing / pulling to / from a registry! Thats because a container will always have to use the docker.sock of the host machine if it runs docker specific tasks.

Post install tasks for Docker Container

Create new user for the container

User Management

Create a new user

Create new user with the following command. Use the option -m to also create a home folder.

sudo useradd -m <username>

Verify that the user was created with this command:

sudo id <username>

Add a password for that user:

sudo passwd <username>
Link to original

Update the container

dnf update

Install packages that you need

dnf install -y <your_package>

Install for instance:

Set up automatic security updates

Set up automatic security updates

To set up automatic securoty updates on a server for instance use the following commands.

Fedora

On Fedora install the following package:

dnf install dnf-automatic

Then edit the file /etc/dnf/automatic.conf with your preferred configuration. But make sure to set upgrade_type to security and apply_updates to yes. Then enable the corresponding service:

systemctl enable --now dnf-automatic.timer

Debian

On Debian install the following package:

apt install unattended-upgrades

Then edit the file /etc/apt/apt.conf.d/50unattended-upgrades with your preferred configuration. You will have to uncomment all packages you want to update automatically. Then enable the corresponding service:

systemctl enable --now unattended-upgrades
Link to original

Graph View

Backlinks