Docker

Installation

Convenience Script

Install Docker using the script directly
curl -fsSL https://get.docker.com | bash
Add user to docker group
usermod -aG docker $USER

nicholas-fedor/watchtower

watchtower docs

Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially.

$ docker run --detach \
    --name watchtower \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    nickfedor/watchtower

services:
  watchtower:
    image: nickfedor/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    environment:
      WATCHTOWER_SCHEDULE: "0 0 3 * * *"

Remote Docker Socket

Securely exposes Docker Daemon over TCP

This technique exposes the Docker Daemon for monitoring by tools like UptimeKuma and Portainer without putting the raw socket on the network: a socket proxy allows only selected API endpoints, listens on loopback only, and the monitoring client reaches it through an SSH tunnel.

sequenceDiagram
    participant Client
    Client->>Client: Connects to 127.0.0.1:42375 (local tunnel)
    create participant SSH
    Client->>SSH: systemd starts SSH tunnel
    participant RemoteHost
    SSH->>RemoteHost: SSH forwards to 127.0.0.1:2375
    RemoteHost->>RemoteHost: dockeruser receives forwarded connection
    create participant Docker
    RemoteHost->>Docker: Forwards to Docker socket
    Docker->>Docker: Authorizes and processes Docker API request
    destroy Docker
    Docker->>RemoteHost: Sends Docker API response
    RemoteHost->>SSH: Returns response through SSH tunnel
    destroy SSH
    SSH->>Client: Forwards response to client

Socket Proxy

Tecnativa / docker-socket-proxy

docker-compose.yml on remote host
services:
  docker-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:latest # (1)!
    restart: unless-stopped
    ports:
      - "127.0.0.1:2375:2375" # (2)!
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # (3)!
    environment:
      - CONTAINERS=1
      - INFO=1
      - PING=1
  1. Uses the GitHub container registry as recommended.
  2. Only accessible over the loopback device.
  3. The proxy itself needs the socket, so it is mounted read-only into the container.
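The compose file above binds the proxy to loopback and enables only the read-only CONTAINERS, INFO and PING sections. As an added example (not from this page or from Tecnativa), the POSIX shell script below lints a compose file for exactly those two properties before it is deployed; it assumes the page's layout (mappings listed under `ports:`, environment in `- KEY=1` list form, IPv4 addresses) and treats the docker-socket-proxy sections POST, EXEC, BUILD, COMMIT, ALLOW_START, ALLOW_STOP and ALLOW_RESTARTS as the write-capable ones.

```shell
#!/bin/sh
# Added example: lint a docker-socket-proxy compose file (not page code).
set -eu

# Print each IPv4 mapping under "ports:" that is not bound to 127.0.0.1
# (an unqualified "2375:2375" listens on every interface).
# Returns 1 if any such mapping exists, 0 otherwise.
non_loopback_ports() {
    awk '
        /^[ \t]*ports:/ { inports = 1; next }
        inports && /^[ \t]*-[ \t]*"?[0-9.:]+"?[ \t]*(#.*)?$/ {
            m = $0
            sub(/^[ \t]*-[ \t]*"?/, "", m)      # strip "- " and opening quote
            sub(/"?[ \t]*(#.*)?$/, "", m)       # strip closing quote, comment
            if (m !~ /^127\.0\.0\.1:/) { print m; bad = 1 }
            next
        }
        inports && !/^[ \t]*-/ { inports = 0 }  # left the ports list
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# docker-socket-proxy sections that let a client change daemon state
# (assumed list); the page enables only CONTAINERS, INFO and PING.
WRITE_SECTIONS="POST EXEC BUILD COMMIT ALLOW_START ALLOW_STOP ALLOW_RESTARTS"

# Print each write-capable section enabled as "- KEY=1" (list form only,
# as on this page). Returns 1 if any is enabled, 0 otherwise.
enabled_write_sections() {
    found=0
    for s in $WRITE_SECTIONS; do
        if grep -Eq "^[[:space:]]*-[[:space:]]*$s=1[[:space:]]*(#.*)?$" "$1"; then
            echo "$s"; found=1
        fi
    done
    return $found
}

# Run both checks on one compose file; returns 0 only if both pass.
lint_proxy_compose() {
    rc=0
    if ! ports=$(non_loopback_ports "$1"); then
        echo "$1: port mapping not bound to loopback: $ports"; rc=1
    fi
    if ! secs=$(enabled_write_sections "$1"); then
        echo "$1: write-capable proxy sections enabled: $secs"; rc=1
    fi
    return $rc
}

# Usage: sh lint-proxy.sh docker-compose.yml
[ $# -eq 0 ] || lint_proxy_compose "$1"
```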

Proxy User

This snippet creates a user dockeruser that cannot log in (its shell is nologin, which blocks interactive sessions while SSH port forwarding with -N still works), but still has access to the exposed socket proxy. It ends with opening the authorized_keys file, so paste in the public key of the connecting system and close the file with Ctrl+S, Ctrl+X.

Create dockeruser
useradd -m -s /usr/sbin/nologin dockeruser && \
mkdir -p /home/dockeruser/.ssh && \
chmod 700 /home/dockeruser/.ssh && \
touch /home/dockeruser/.ssh/authorized_keys && \
chmod 600 /home/dockeruser/.ssh/authorized_keys && \
chown -R dockeruser:dockeruser /home/dockeruser/.ssh && \
nano /home/dockeruser/.ssh/authorized_keys
Test dockeruser
sudo -u dockeruser curl -sS http://localhost:2375/version | jq .

SSH Tunnel

Set up the SSH tunnel