it-artikel:linux:how-to-install-and-configure-docker-on-ubuntu-server-20.04-and-similar
Page version 2022-08-31 12:30 (current) – created - external edit 127.0.0.1
====== How to install and configure Docker on UBUNTU Server 20.04 (and similar) ======

One can find "

These are my goals for this manual:

  * configure the Docker directory, where it puts its images, volumes, etc.
  * configure / limit Docker's log files (prevent them from going haywire)
  * how to provide additional (external) IP addresses to containers, so one can run additional network services like DNS, HTTPS etc. whose ports may already be IN USE by services on your Docker host (port collision, ports in use)
  * modify an iptables based host firewall to allow Docker containers access to the local network (LAN) and the internet


===== Installation and configuration: =====

Beside the Docker runtime itself I'm also going to install **docker-compose**, the manuals and additional "

  - Enter as user ROOT to remove any old Docker installation that may be around: <code>
aptitude install -y vim-syntax-docker
aptitude remove -y docker.io docker.io-doc docker-compose

# add Docker.com'
curl -fsSL https://

# add Docker.com'
add-apt-repository \
  "



# install docker-ce (community edition)
apt-get update
apt-get install \
  docker-ce \
  docker-ce-cli

</code>
  - Check if the systemd service is enabled, else enable the service so it starts at boot time:<code>

systemctl status docker

# prevent starting docker on boot
systemctl disable docker

# stop docker for now
systemctl stop docker

</code>
  - **DO NOT START DOCKER YET!** We need to configure the Docker daemon first to achieve the following:
    - Change the storage directory:
      - By default Docker will put everything (Containers,
    - Limit the logging behaviour of the daemon:
      - By default the Docker daemon is unlimited in its logging capabilities. Thus it is able to fill up gigabytes within seconds if something goes haywire. Better limit this to a more manageable size.
    - Prevent Docker from messing around with IP routing (IP forwarding) and iptables (firewalld / ipf) rules:
      - By default Docker tries to dynamically add and remove iptables rules/
  - To configure the Docker daemon we need a configuration file now. With UBUNTU 20.04 and the official Docker installation method there is none by default, so we prepare the storage and create a config file: <code>

# trash everything at the former (default) docker location and within /etc/
rm -rv /

# prepare new destination dir/drive
mkdir -vp /

# create configuration file for the Docker daemon:
cat << '
{
  "
  "
  "
  "
  "
  "
  "
  "
  }
}
EOF
</code>
  - Start the Docker service:<code>
systemctl start docker
</code>
  - Check if Docker is running:<code>
systemctl status docker

docker version

# pull and run a temporary
# container from the default
# docker registry on the
# interwebs
#
docker run --rm hello-world

# expect some hello world output

# clean up the hello-world remains:
#
docker image rm hello-world

</code>
  - At this point we are pretty much ready to spin up any Docker container we want... that is, until we want to run new network services as containers on a Docker host where we might already have similar services running, like an http/httpd web server on port 80 or 443, or a local DNS server on port 53. Docker won't let us spin up containers that collide with these TCP/UDP ports already in use. Now what?

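As an added example (not part of the original article, and not the daemon.json the author wrote, whose contents are not preserved above), here is a small shell helper that renders a daemon.json covering the three configuration goals of this section (custom storage directory, bounded json-file logging, no iptables / IP-forwarding changes by the daemon) and sanity-checks the file before the daemon is started. The storage path ''/srv/docker'' and the log limits are assumptions; the keys ''data-root'', ''log-driver'', ''log-opts'', ''iptables'' and ''ip-forward'' are documented Docker daemon options.

```shell
#!/bin/sh
# Added example, not from the original article.  Writes a daemon.json that
# implements: custom data-root, bounded json-file logs, and no iptables /
# ip_forward meddling by dockerd.  Path and log limits are assumptions.
set -eu

# write_daemon_json FILE DATA_ROOT
# Renders the configuration to FILE (creating the directory if needed).
write_daemon_json() {
    file=$1
    data_root=$2
    mkdir -p "$(dirname "$file")"
    cat > "$file" <<EOF
{
  "data-root": "$data_root",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "iptables": false,
  "ip-forward": false
}
EOF
}

# check_daemon_json FILE
# Returns 0 when every expected setting is present and braces balance,
# 1 otherwise.  Uses grep/tr only, so it works on a bare host before
# Docker (or jq) is installed.  dockerd refuses to start on broken JSON,
# so catching it here avoids a confusing "failed to start" later.
check_daemon_json() {
    f=$1
    [ -f "$f" ] || return 1
    grep -q '"data-root":' "$f" || return 1
    grep -q '"log-driver": "json-file"' "$f" || return 1
    grep -q '"max-size":' "$f" || return 1
    grep -q '"iptables": false' "$f" || return 1
    grep -q '"ip-forward": false' "$f" || return 1
    opens=$(tr -cd '{' < "$f" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$f" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# data_root_of FILE
# Prints the configured data-root.  After `systemctl start docker` compare
# it with: docker info --format '{{.DockerRootDir}}'
data_root_of() {
    sed -n 's/.*"data-root": *"\([^"]*\)".*/\1/p' "$1"
}

# Stand-alone use (as root, or with TARGET pointing somewhere writable):
#   DAEMON_JSON_DEMO=1 TARGET=/tmp/daemon.json sh thisfile.sh
if [ "${DAEMON_JSON_DEMO:-0}" = 1 ]; then
    TARGET=${TARGET:-/etc/docker/daemon.json}
    write_daemon_json "$TARGET" "${DATA_ROOT:-/srv/docker}"
    check_daemon_json "$TARGET" && echo "ok: data-root is $(data_root_of "$TARGET")"
fi
```

Note that ''"iptables": false'' also stops Docker from installing its own MASQUERADE and port-publishing rules, which is exactly why the firewall section at the end of this article becomes necessary.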
===== How to provide more IP addresses (external/

There are times and scenarios where you might run out of free ports or get port collisions between services running on your Docker host and your Docker containers. "

In my case the DNS port 53 (TCP+UDP) on my Docker host was occupied by a production DNS server. But I wanted to run "some 3rd party app" in a container which brings (and requires) its own DNS server on port 53. My goal was to run BOTH on the SAME HOST with the SAME PORT. So I simply needed another IP address I could bind the container to.

In these rare cases you might want to add more IP addresses to your Docker host, so you can separate things a bit better and bind containers and services to "

This is how I did it...

  - Configure multiple IP addresses on your Docker host's main (LAN) interface:
    - :!: **Watch the indentation! It's important with YAML files!**
    - In this example we are configuring 3 IPv4+IPv6 addresses on a bridge interface **br0** instead of on the physical network interface. Because we can.:<code>
cat << EOF > /
network:
  version: 2
  ethernets:
    enp1s0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      addresses:
        - 192.168.0.1/
        - 192.168.0.2/
        - 192.168.0.3/
        - fd00:
        - fd00:
        - fd00:
      dhcp4: false
      dhcp6: false
      interfaces:
        - enp1s0
      nameservers:
        addresses:
          - 192.168.0.1
          - ::1
        search:
          - lan
EOF
</code>
  - Apply/
  - Check the network interfaces and their assigned IP addresses:<
  - To run a Docker container using a specific alternative IP address and port you can do something like this now:<code>

docker run -ti --name nameYourContainer -p 192.168.0.2:

</code>

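Added example (my own helper, not from the original article): before publishing a container port on one of the extra addresses, check that the address really is configured on the bridge. A typo in ''-p'' would either fail the bind or, if the address part is dropped, publish the service on all host addresses including the one the production service already uses. The ''ip -o -4 addr show'' output below is a constructed sample matching the netplan configuration above; on a real host the functions read the live command output from stdin.

```shell
#!/bin/sh
# Added example, not from the original article.  Verifies that a host
# address exists on the bridge before building the `-p` mapping for it.
set -eu

# Constructed sample of `ip -o -4 addr show` for the br0 setup above
# (one primary and two secondary IPv4 addresses).  Real hosts: pipe the
# actual command output into the functions instead.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.0.1/24 brd 192.168.0.255 scope global br0\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.0.2/24 brd 192.168.0.255 scope global secondary br0\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.0.3/24 brd 192.168.0.255 scope global secondary br0\       valid_lft forever preferred_lft forever'

# host_addrs IFACE
# Reads `ip -o -4 addr show` output on stdin and prints the IPv4 addresses
# (without prefix length) configured on IFACE, one per line.
host_addrs() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" { sub(/\/.*/, "", $4); print $4 }'
}

# has_addr IFACE ADDR
# Exit 0 when ADDR is configured on IFACE (input on stdin as above).
has_addr() {
    host_addrs "$1" | grep -qxF "$2"
}

# publish_arg IFACE ADDR HOSTPORT CONTAINERPORT [PROTO]
# Prints the `-p ADDR:HOSTPORT:CONTAINERPORT/PROTO` argument for docker run,
# or fails (exit 1, prints nothing) when ADDR is not on IFACE.  Failing
# here beats letting docker bind the port to 0.0.0.0 by accident.
publish_arg() {
    ifc=$1; addr=$2; hport=$3; cport=$4; proto=${5:-tcp}
    has_addr "$ifc" "$addr" || return 1
    printf '%s %s:%s:%s/%s\n' -p "$addr" "$hport" "$cport" "$proto"
}

# Live usage on the Docker host (not executed here):
#   arg=$(ip -o -4 addr show | publish_arg br0 192.168.0.2 53 53 udp) \
#     && docker run -ti --name nameYourContainer $arg someimage
# -> arg is "-p 192.168.0.2:53:53/udp"
```

For a DNS service you need the mapping twice, once with ''udp'' and once with ''tcp''; each call is a separate ''publish_arg'' invocation with the same address.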
===== Allowing Docker containers to access local network and internet destinations while running an iptables based host firewall script on the Docker host: =====

Without any kind of host or network firewall in place, Docker containers are by default allowed to access anything on your local network (and the internet), and services running within containers can be accessed from your local network. That might be OK for you.

However...

If you run your Docker daemon on a host with some sort of host firewall (iptables, firewalld or similar), multiple network interfaces, routing plus IP masquerading/

Well... since this highly depends on the type of firewall/

In my case my Docker host was denying, rejecting and reporting any unexpected traffic or connection attempts on any network interface. Therefore I had to allow incoming traffic on the docker0 virtual network interface (bridge), as well as allowing forwarding/

The iptables commands shown are just examples and are totally ripped out of context. They are just to demo the crucial part which made it fly again for me. Depending on your firewall script the positions of the commands are crucial, of course.

<code>
...
iptables -I INPUT n -i docker0 -j ACCEPT -m comment --comment "
...
iptables -I FORWARD n -i docker0 -j ACCEPT -m comment --comment "
...
iptables -I FORWARD n -i $INTERNET-IF -o docker0 -m state --state RELATED,
...
</code>

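Added example (my own, not the author's firewall script): the three rule positions from the snippet above wrapped in a function, plus the source NAT rule that Docker normally installs itself but does not when daemon.json carries ''"iptables": false'', so the host firewall has to provide it. Interface names (''docker0'', ''eth0''), the bridge subnet ''172.17.0.0/16'' and the rule position are assumptions; ''DRY_RUN=1'' prints the commands instead of running them, which is how you can review the result before touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the original article.  Emits (or applies) the
# iptables rules a deny-by-default host firewall needs for Docker containers
# when the daemon is running with iptables=false and ip-forward=false.
set -eu

# ipt ARGS...
# Runs iptables, or prints the command line when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# check_ip_forward
# With "ip-forward": false in daemon.json the host itself must route;
# exit 0 when net.ipv4.ip_forward is already enabled.
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# docker_bridge_rules BRIDGE INTERNET_IF BRIDGE_NET [POS]
#   BRIDGE      docker bridge interface, e.g. docker0
#   INTERNET_IF interface holding the default route, e.g. eth0
#   BRIDGE_NET  container subnet, e.g. 172.17.0.0/16
#   POS         position inside INPUT/FORWARD; must land before the final
#               REJECT/DROP of your own script (default: 1, i.e. first)
docker_bridge_rules() {
    br=$1; inet_if=$2; net=$3; pos=${4:-1}
    # containers -> host (e.g. the host's DNS, published services)
    ipt -I INPUT "$pos" -i "$br" -j ACCEPT -m comment --comment "docker: $br to host"
    # containers -> LAN and internet through the host's routing table
    ipt -I FORWARD "$pos" -i "$br" -j ACCEPT -m comment --comment "docker: $br out"
    # only replies to container-initiated connections come back in from the internet side
    ipt -I FORWARD "$pos" -i "$inet_if" -o "$br" -m state --state RELATED,ESTABLISHED -j ACCEPT \
        -m comment --comment "docker: replies to $br"
    # source NAT for the container subnet; dockerd adds this itself unless iptables=false
    ipt -t nat -A POSTROUTING -s "$net" ! -o "$br" -j MASQUERADE -m comment --comment "docker: snat $net"
}

# Review the rules without applying them:
#   DOCKER_FW_DEMO=1 DRY_RUN=1 sh thisfile.sh
if [ "${DOCKER_FW_DEMO:-0}" = 1 ]; then
    check_ip_forward || echo "warning: net.ipv4.ip_forward is 0; containers will not be routed" >&2
    docker_bridge_rules docker0 eth0 172.17.0.0/16 1
fi
```

All three ''-I'' rules are inserted at the same position, so they end up in reverse order of insertion; since they all ACCEPT, their relative order does not matter, but all of them must sit above the chain's final REJECT/DROP. ''-m state'' is kept to match the article's snippet; newer iptables prefers the equivalent ''-m conntrack --ctstate''.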


----
{{tag>