
Docker

Installation

Convenience Script

Install Docker using the script directly
curl -fsSL https://get.docker.com | bash

Rootless access

Users in the docker group can run the docker CLI without sudo. Because the daemon runs as root, membership in this group is equivalent to root access on the host, so grant it only to accounts you would trust with root; the new group takes effect at the next login.

sudo usermod -aG docker $USER

Daemon Config

Long-running containers can produce extremely large log files.

Use the json-file log driver with size limits so the logs are rotated and capped.

/etc/docker/daemon.json
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}

Remote Docker Socket

Securely exposes Docker Daemon over TCP

This technique exposes the Docker daemon for monitoring by tools such as UptimeKuma and Portainer without opening the API to the network: the proxy listens on loopback only and the connection is carried over an SSH tunnel.

sequenceDiagram
    participant Client
    Client->>Client: Connects to 127.0.0.1:42375 (local tunnel)
    create participant SSH
    Client->>SSH: systemd starts SSH tunnel
    participant RemoteHost
    SSH->>RemoteHost: SSH forwards to 127.0.0.1:2375
    RemoteHost->>RemoteHost: dockeruser receives forwarded connection
    create participant Docker
    RemoteHost->>Docker: Forwards to Docker socket
    Docker->>Docker: Authorizes and processes Docker API request
    destroy Docker
    Docker->>RemoteHost: Sends Docker API response
    RemoteHost->>SSH: Returns response through SSH tunnel
    destroy SSH
    SSH->>Client: Forwards response to client

Socket Proxy

Tecnativa / docker-socket-proxy

docker-compose.yml on remote host
services:
  docker-proxy:
    image: ghcr.io/tecnativa/docker-socket-proxy:latest # (1)!
    restart: unless-stopped
    ports:
      - "127.0.0.1:2375:2375" # (2)!
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro # (3)!
    environment:
      - CONTAINERS=1
      - INFO=1
      - PING=1
  1. Uses the GitHub container registry as recommended.
  2. Only accessible over the loopback device.
  3. Obviously the proxy needs access to the socket itself.

Proxy User

This snippet creates a user dockeruser that cannot log in to a shell but can still forward connections to the exposed socket proxy. It ends by opening the authorized_keys file: paste in the public key of the connecting system, then save and close the file.

Create dockeruser
useradd -m -s /usr/sbin/nologin dockeruser && \
mkdir -p /home/dockeruser/.ssh && \
chmod 700 /home/dockeruser/.ssh && \
touch /home/dockeruser/.ssh/authorized_keys && \
chmod 600 /home/dockeruser/.ssh/authorized_keys && \
chown -R dockeruser:dockeruser /home/dockeruser/.ssh && \
nano /home/dockeruser/.ssh/authorized_keys
Test dockeruser
sudo -u dockeruser curl -sS http://localhost:2375/version | jq .
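The curl test above only shows that an allowed endpoint answers. The following added script (not part of this page or the docker-socket-proxy project) extends that check into an ACL audit: it probes the proxy through the tunnel and compares each HTTP status with the policy implied by CONTAINERS=1, INFO=1 and PING=1 plus the proxy's documented defaults (VERSION, PING and EVENTS enabled, POST disabled). It assumes the tunnel or proxy is reachable at 127.0.0.1:2375.

```python
"""Audit the docker-socket-proxy ACL against the policy the compose file intends."""
import http.client

PROXY_HOST, PROXY_PORT = "127.0.0.1", 2375  # assumption: local end of the tunnel

# (method, path) -> whether the proxy should let the request reach dockerd.
# Read-only sections enabled in the compose environment are allowed; every
# section not enabled, and every non-GET request while POST=0, must be denied.
EXPECTED_POLICY = {
    ("GET", "/version"): True,              # VERSION defaults to 1
    ("GET", "/_ping"): True,                # PING=1
    ("GET", "/info"): True,                 # INFO=1
    ("GET", "/containers/json"): True,      # CONTAINERS=1
    ("GET", "/images/json"): False,         # IMAGES not enabled
    ("GET", "/secrets"): False,             # SECRETS not enabled
    ("POST", "/containers/create"): False,  # POST=0 blocks all writes
    ("POST", "/containers/prune"): False,
}


def is_allowed(status: int) -> bool:
    """The proxy (HAProxy) answers 403 for denied requests; anything else reached dockerd."""
    return status != 403


def probe(method: str, path: str) -> int:
    """Send one request through the tunnel and return the HTTP status code."""
    conn = http.client.HTTPConnection(PROXY_HOST, PROXY_PORT, timeout=5)
    try:
        body = "{}" if method == "POST" else None
        conn.request(method, path, body=body, headers={"Content-Type": "application/json"})
        return conn.getresponse().status
    finally:
        conn.close()


def policy_violations(observed: dict) -> list:
    """Return (method, path, status) for each probe whose outcome contradicts the policy."""
    return [(m, p, s) for (m, p), s in observed.items()
            if is_allowed(s) != EXPECTED_POLICY[(m, p)]]


def audit() -> list:
    """Probe every endpoint in the policy table and report mismatches."""
    observed = {key: probe(*key) for key in EXPECTED_POLICY}
    return policy_violations(observed)


if __name__ == "__main__":
    mismatches = audit()
    for method, path, status in mismatches:
        print(f"MISMATCH {method} {path} -> HTTP {status}")
    raise SystemExit(1 if mismatches else 0)
```

A non-empty mismatch list means the proxy grants more (or less) than the compose environment intends, for example a write endpoint answering something other than 403.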

SSH Tunnel

Set up the SSH tunnel