Docker Permissions

References: Man Page, Install Docker Tutorial, Docker Containers Can Do Too Much

Your containers can do too much. Look at the capabilities a container can end up holding. This is essentially the full Linux capability set, which is what a --privileged container receives:

- SYS_ADMIN
- NET_ADMIN
- NET_RAW
- FOWNER
- SETGID
- SETUID
- CHOWN
- AUDIT_CONTROL
- AUDIT_READ
- AUDIT_WRITE
- BLOCK_SUSPEND
- BPF
- CHECKPOINT_RESTORE
- DAC_READ_SEARCH
- DAC_OVERRIDE
- FSETID
- IPC_LOCK
- KILL
- LEASE
- LINUX_IMMUTABLE
- MAC_ADMIN
- MAC_OVERRIDE
- MKNOD
- NET_BIND_SERVICE
- NET_BROADCAST
- PERFMON
- SETFCAP
- SETPCAP
- SYS_BOOT
- SYS_CHROOT
- SYS_NICE
- SYS_PACCT
- SYS_PTRACE
- SYS_RAWIO
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- SYSLOG
- WAKE_ALARM

A default (unprivileged) container gets a smaller, fixed subset: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, NET_RAW, SETFCAP, SETGID, SETPCAP, SETUID and SYS_CHROOT. Even that should clearly be limited. Containers share the host kernel, which is how they cut down on overhead, so every capability a container keeps is one that code running inside it can use against the host. Granting unnecessary capabilities violates the security principle of least privilege. So, how to go about it? ...
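As an added example (not code from the post), here is a small audit that makes least-privilege slips visible before a compose file is deployed. It reports, per service, whether the service is privileged, mounts the Docker socket (root-equivalent on the host), drops all capabilities, and sets no-new-privileges. It assumes the conventional 2-space indentation (services at 2 spaces, service keys at 4, list items at 6) and no tabs; the sample compose file it runs on is constructed inline.

```shell
#!/bin/sh
# Added example (not from the post): report privilege-related settings per
# service in a compose file. Assumes 2-space indentation, no tabs.

audit_compose() {
  awk '
    /^services:/ { in_services = 1; next }
    /^[A-Za-z]/  { in_services = 0 }
    in_services && /^  [^ ]/ {            # a line like "  name:" starts a service
      svc = $0; sub(/^  /, "", svc); sub(/:.*/, "", svc)
      order[++n] = svc; key = ""
      next
    }
    in_services && svc != "" {
      if ($0 ~ /^    [A-Za-z_]+:/) {     # "    key:" tells us which list follows
        key = $0; sub(/^ */, "", key); sub(/:.*/, "", key)
      }
      if ($0 ~ /privileged:[ ]*true/)  flag[svc] = flag[svc] " privileged"
      if ($0 ~ /docker\.sock/)         flag[svc] = flag[svc] " docker.sock"
      if (key == "cap_drop" && $0 ~ /^ *- *ALL *$/) dropall[svc] = 1
      if ($0 ~ /no-new-privileges:true/)             nnp[svc] = 1
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]; f = flag[s]
        if (!dropall[s]) f = f " no-cap_drop-ALL"
        if (!nnp[s])     f = f " no-no-new-privileges"
        if (f == "")     f = " ok"
        print s ":" f
      }
    }
  ' "$1"
}

# Constructed sample: a hardened web server, a management tool with the
# Docker socket mounted, and a privileged build helper.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
services:
  nginx:
    image: nginx
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./html:/usr/share/nginx/html:ro
  portainer:
    image: portainer/portainer-ce:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  builder:
    image: alpine
    privileged: true
networks:
  tor_network:
EOF

audit_compose "$SAMPLE"
```

Run it against your own file with `audit_compose compose.yaml`; anything other than `ok` on a line is a service to look at. A docker.sock mount is flagged even with every other control in place, because the socket alone is enough to start a privileged container on the host.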

April 12, 2026 · welcome-2themachine

Dockhand

References: TechHut Dockhand, Dockhand Documentation

Setup

Docker Compose:

    services:
      dockhand:
        image: fnsys/dockhand:latest
        container_name: dockhand
        restart: unless-stopped
        ports:
          - "3000:3000"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - ./data:/app/data
          - /home/mechanicus/Code/compose:/mnt/compose

Notes: using a separate data directory instead of a named volume makes the container easier to manage and transfer if necessary. Mounting /var/run/docker.sock gives the container full control of the Docker daemon, which is root-equivalent on the host, so anyone who can log in to Dockhand on port 3000 effectively has root on the machine.

Adding Environments

My preferred method is to use the hawser connector:

    docker run -d --name hawser --restart unless-stopped \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v /home/mechanicus/code/docker-compose/:/mnt/compose \
      -p 2376:2376 -e TOKEN=[SECURE TOKEN] \
      ghcr.io/finsys/hawser:latest

Note: include the location of the compose files for easier management. ...

February 4, 2026 · welcome-2themachine

Tor Site

Directory Setup

Set up the files and directories:

    mkdir -p tor-site/keys tor-site/html tor-site/logs
    touch tor-site/torrc

Set permissions:

    chmod 700 tor-site/keys
    chmod 700 tor-site/logs
    sudo chown root:root tor-site/keys tor-site/logs

A directory needs the execute bit to be entered, so 600 on the logs directory would stop nginx from creating its log files there; 700 keeps it private to the owner. Tor refuses to start if the hidden service directory is readable by group or other, so keys must stay at 700.

Content Setup

Add the files for your website to the tor-site/html folder. Example:

    <!DOCTYPE html>
    <html>
    <body>
    <h1>Hello from the Onion Router!</h1>
    <p>This site is hosted inside Docker.</p>
    </body>
    </html>

Docker Setup

[[Install Docker]]

Docker Compose File

compose.yaml:

    services:
      nginx:
        container_name: nginx
        image: nginx
        cap_drop:
          - ALL
        cap_add:
          - CHOWN
          - SETGID
          - SETUID
        volumes:
          - ./html:/usr/share/nginx/html:ro
          - ./logs:/var/log/nginx
        networks:
          - tor_network
      tor:
        container_name: tor
        volumes:
          - ./torrc:/etc/tor/torrc:ro
          - ./keys:/var/lib/tor/hidden_service/
        image: alpine:latest
        entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - ALL
        cap_add:
          - NET_BIND_SERVICE
        networks:
          - tor_network
        depends_on:
          - nginx
    networks:
      tor_network:

- nginx is the name of your web server container. This matters for the torrc file: Docker's embedded DNS resolves container names on a user-defined network, so tor reaches the web server by that name.
- :ro mounts the volume read-only.
- networks: tor_network puts both containers on a user-defined bridge network. No ports are published, so nginx is reachable only from containers on that network (tor); the tor container still reaches the Tor relays through the bridge's outbound NAT.
- security_opt: no-new-privileges:true prevents processes in the container from gaining privileges through setuid/setgid binaries or file capabilities.
- cap_drop: ALL removes all of the default Linux capabilities granted to a container.
- cap_add: NET_BIND_SERVICE adds back only the ability to bind ports below 1024. Tor does not bind a privileged port in this configuration (it only connects out and listens on its default SocksPort), so this can be dropped as well.
- The entrypoint installs tor with apk on every start, so the package is fetched fresh each time the container is recreated; building a small image with tor preinstalled avoids that.

See Docker Permissions.

Create torrc:

    # Standard Tor config
    DataDirectory /var/lib/tor

    # Define the Hidden Service
    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80 nginx:80

Note: the name nginx must match the container_name of your web server in compose.yaml (see Docker Setup above).

Notes: Did you know you can make a custom tor site name? See the Named Tor Site.

The docker service setup (Dockhand / Portainer):

    services:
      nginx:
        container_name: nginx
        image: nginx
        volumes:
          - /home/mechanicus/code/tor-site/html:/usr/share/nginx/html:ro
          - /home/mechanicus/code/tor-site/logs:/var/log/nginx
        networks:
          - tor_network
        deploy:
          mode: replicated
          replicas: 1
          labels:
            - "com.centurylinklabs.watchtower.enable=true"
            - "shepherd.autodeploy=true"
      tor:
        container_name: tor
        volumes:
          - /home/mechanicus/code/tor-site/torrc:/etc/tor/torrc:ro
          - /home/mechanicus/code/tor-site/keys:/var/lib/tor/hidden_service/
        image: alpine:latest
        entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - ALL
        cap_add:
          - NET_BIND_SERVICE
        networks:
          - tor_network
        depends_on:
          - nginx
        deploy:
          mode: replicated
          replicas: 1
          labels:
            - "com.centurylinklabs.watchtower.enable=true"
            - "shepherd.autodeploy=true"
    networks:
      tor_network:

The Shepherd label is written as shepherd.autodeploy=true (key shepherd.autodeploy, value true); a list entry of the form label=shepherd.autodeploy=true would set a label whose key is literally "label" and never match the label=shepherd.autodeploy filter. This copy of the nginx service also omits the cap_drop/cap_add settings from the compose file above; carry them over.
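As an added example (not part of the post), the following preflight script checks the three things in this setup that fail silently or only at container start: the keys directory permissions tor insists on, the execute bit nginx needs on the logs directory, and that the host named in torrc's HiddenServicePort really is a container_name in compose.yaml. The fixtures it runs on are constructed in temporary directories; the path layout mirrors the tor-site directory above.

```shell
#!/bin/sh
# Added example (not from the post): preflight checks for the tor-site layout
# before `docker compose up`. Checks that the keys directory is private (tor
# refuses a HiddenServiceDir readable by group or other), that the logs
# directory has the execute bit (otherwise nginx cannot create files in it),
# and that the host in torrc's HiddenServicePort matches a container_name in
# compose.yaml (Docker's DNS resolves that name on the user-defined network).

preflight_tor_site() {
  dir=$1; rc=0
  if [ ! -d "$dir/keys" ]; then
    echo "FAIL: $dir/keys is missing"; rc=1
  else
    # columns 5-10 of ls -ld are the group and other permission bits
    mode=$(ls -ld "$dir/keys" | cut -c5-10)
    if [ "$mode" != "------" ]; then
      echo "FAIL: $dir/keys is group/other accessible ($mode); chmod 700 it"; rc=1
    fi
  fi
  if [ ! -x "$dir/logs" ]; then
    echo "FAIL: $dir/logs cannot be entered; chmod 700 it"; rc=1
  fi
  target=$(awk '$1 == "HiddenServicePort" { split($3, a, ":"); print a[1] }' "$dir/torrc")
  if [ -z "$target" ]; then
    echo "FAIL: no HiddenServicePort in $dir/torrc"; rc=1
  elif ! grep -Eq "^ *container_name: *$target *$" "$dir/compose.yaml"; then
    echo "FAIL: torrc forwards to '$target' but compose.yaml has no container_name: $target"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: $dir passes all checks"
  return "$rc"
}

# Constructed fixtures: a correct layout, and one with a world-readable keys
# directory and a torrc that names a container that does not exist.
make_site() {
  d=$(mktemp -d)
  mkdir -p "$d/keys" "$d/html" "$d/logs"
  chmod 700 "$d/keys" "$d/logs"
  printf 'DataDirectory /var/lib/tor\nHiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 %s:80\n' "$1" > "$d/torrc"
  printf 'services:\n  nginx:\n    container_name: nginx\n    image: nginx\n' > "$d/compose.yaml"
  echo "$d"
}
GOOD=$(make_site nginx)
BAD=$(make_site web); chmod 755 "$BAD/keys"

preflight_tor_site "$GOOD"
preflight_tor_site "$BAD" || true
```

Run `preflight_tor_site tor-site` from the directory that holds the post's layout; the exit status is non-zero on any failure, so it fits in a script ahead of `docker compose up`.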

December 13, 2025 · welcome-2themachine

Building Docker Containers

References: Install Docker, Install Docker Tutorial

Setup Buildx Environment

    docker buildx create \
      --name container-builder \
      --driver docker-container \
      --bootstrap --use

Build the Container

    docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
      -t [repository]/[containername]:[tag] . --push

The -t flag sets the image name and tag, . tells Docker where the build context is (where the Dockerfile is located), and --push sends the result to the Docker Hub repository.

Tag a Docker Container

    docker tag [name]:[tag] [new-name]:[new-tag]

Save and Transfer a Docker Container

    docker save -o [name] [name]:[tag]
    rsync -P [name] [target]:[location]
    docker load -i [name]

August 31, 2025 · welcome-2themachine

Install Docker

References

Docker Setup: Debian Based

    # Add Docker's official GPG key:
    sudo apt-get update
    sudo apt-get install ca-certificates curl
    sudo install -m 0755 -d /etc/apt/keyrings
    sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc

    # Add the repository to Apt sources:
    echo \
      "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
      $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
      sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt-get update
    sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

These are the Ubuntu URLs. On Debian itself, replace linux/ubuntu with linux/debian in both the key URL and the repository line; the VERSION_CODENAME read from /etc/os-release must be one Docker publishes for that channel, which is why derivatives such as Linux Mint need their parent distribution's codename instead.

Setup: Arch Based

    # Pamac (manjaro)
    sudo pamac install docker docker-compose
    # Arch
    sudo pacman -Syu docker docker-compose

Enable the docker service ...
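As an added example (not from the post), this function builds the Apt source line from an os-release file and picks the debian or ubuntu channel from its ID field instead of hard-coding linux/ubuntu. It uses the keyring path the steps above create; the os-release samples it runs on are constructed inline and abridged from the real files.

```shell
#!/bin/sh
# Added example (not from the post): derive Docker's Apt source line from an
# os-release file. Only debian and ubuntu are accepted; derivatives carry a
# VERSION_CODENAME that Docker does not publish, so they are rejected rather
# than guessed.

docker_apt_source() {
  osrel=$1; arch=$2
  id=$(sed -n 's/^ID=//p' "$osrel" | tr -d '"')
  codename=$(sed -n 's/^VERSION_CODENAME=//p' "$osrel" | tr -d '"')
  case "$id" in
    debian|ubuntu) ;;
    *) echo "unsupported ID '$id': use the parent distribution's codename" >&2; return 1 ;;
  esac
  if [ -z "$codename" ]; then
    echo "no VERSION_CODENAME in $osrel" >&2; return 1
  fi
  printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/%s %s stable\n' \
    "$arch" "$id" "$codename"
}

# Constructed os-release samples (abridged).
DEB=$(mktemp); UBU=$(mktemp); MINT=$(mktemp)
printf 'ID=debian\nVERSION_CODENAME=bookworm\n' > "$DEB"
printf 'ID=ubuntu\nID_LIKE=debian\nVERSION_CODENAME=noble\n' > "$UBU"
printf 'ID=linuxmint\nID_LIKE="ubuntu debian"\nVERSION_CODENAME=wilma\nUBUNTU_CODENAME=noble\n' > "$MINT"

docker_apt_source "$DEB" amd64
docker_apt_source "$UBU" arm64
docker_apt_source "$MINT" amd64 || echo "(derivative rejected, as intended)"
```

On a real host call it as `docker_apt_source /etc/os-release "$(dpkg --print-architecture)"` and pipe the output through `sudo tee /etc/apt/sources.list.d/docker.list`; the GPG key URL follows the same pattern, https://download.docker.com/linux/<id>/gpg.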

August 31, 2025 · welcome-2themachine

Kasm Workspaces

References: Kasm Documentation, Kasm System Requirements, Kasm GPU Install

Prerequisites: Install Docker Tutorial, Swap Space

Installation

NOTE: check for the latest version.

    cd /tmp
    curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.18.1.tar.gz
    tar -xf kasm_release_1.18.1.tar.gz
    sudo bash kasm_release/install.sh --accept-eula --swap-size 8192

GPU Setup

The Nvidia container setup instructions and the standard GPU driver installation threw an error: nvidia runtime not found. The script on Kasm's site worked:

    #!/bin/bash
    # Check for NVIDIA cards
    if ! lspci | grep -i nvidia > /dev/null; then
        echo "No NVIDIA GPU detected"
        exit 0
    fi

    add-apt-repository -y ppa:graphics-drivers/ppa
    curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
      && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
        sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
        sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list
    apt update
    apt install -y ubuntu-drivers-common

    # Run ubuntu-drivers and capture the output
    DRIVER_OUTPUT=$(ubuntu-drivers list 2>/dev/null)

    # Extract server driver versions using grep and regex
    # Pattern looks for nvidia-driver-XXX-server
    SERVER_VERSIONS=$(echo "$DRIVER_OUTPUT" | grep -o 'nvidia-driver-[0-9]\+-server' | grep -o '[0-9]\+' | sort -n)

    # Check if any server versions were found
    if [ -z "$SERVER_VERSIONS" ]; then
        echo "Error: No NVIDIA server driver versions found." >&2
        exit 1
    fi

    # Find the highest version number
    LATEST_VERSION=$(echo "$SERVER_VERSIONS" | tail -n 1)

    # Validate that the version is numeric
    if ! [[ "$LATEST_VERSION" =~ ^[0-9]+$ ]]; then
        echo "Error: Invalid version number: $LATEST_VERSION" >&2
        exit 2
    fi

    # Output only the version number
    echo "Latest version is: $LATEST_VERSION"
    ubuntu-drivers install "nvidia:$LATEST_VERSION-server"
    apt install -y "nvidia-utils-$LATEST_VERSION-server"

    # Install NVIDIA toolkit + configure for docker
    apt-get install -y nvidia-container-toolkit
    nvidia-ctk runtime configure --runtime=docker

The script calls add-apt-repository and apt without sudo, so it expects to run as root; the sudo prefixes on the keyring lines are then redundant.

Egress Setup: NordVPN

- Get service credentials for the VPN (available on the VPN dashboard).
- Download the desired OpenVPN configuration files (available on the VPN dashboard).
- On the Kasm Administrator dashboard, select Egress (Infrastructure > Egress).
- Add the egress provider, configure the VPN type, and add the egress gateways.
- On the Workspaces > Workspace page, select the workspace that should use the VPN, click edit, and add the egress provider on the Egress tab.
- On the Egress Credentials tab, add the service credentials for the VPN.

August 31, 2025 · welcome-2themachine

Portainer

Description

Portainer is a web-based Docker management interface for managing containers, networks, and volumes. It provides a simple and intuitive way to view and interact with your Docker environment.

Installation

Install Docker, then create the volume that holds the Portainer server database:

    docker volume create portainer_data

Download and install Portainer-CE:

    docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always \
      -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data \
      portainer/portainer-ce:latest

Mounting /var/run/docker.sock gives Portainer full control of the Docker daemon, which is root on the host, so treat a Portainer admin login as a host root credential.

Things I've Learned

- To set the container's name in the yaml file, use the container_name: variable.
- If a stack cannot be deleted, it's likely because the stack's directory under /var/lib/docker/volumes/portainer_data/_data/compose is missing. You'll have to recreate that numbered directory and a docker-compose.yml inside it in order to delete the stack.
- After setup, remove the 8000 port binding (it is the Edge agent port and is only needed if you use Edge agents). The name portainer is still taken by the running container, so remove it first; the data stays in the portainer_data volume:

    docker rm -f portainer
    docker run -d -p 9443:9443 --name portainer --restart=always \
      -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data \
      portainer/portainer-ce:latest

See also: Setup automatic updates with [[Watchtower]] or [[Shepherd]].

References: Portainer-CE, Container Names

June 20, 2025 · welcome-2themachine

Shepherd

References: Shepherd Docker Compose Examples, Shepherd Github, Shepherd on hub.docker.com

About

Shepherd is a Docker swarm service for automatically updating your services whenever their base image is refreshed.

Variables

- The default check interval is every 5 minutes. Change it with the SLEEP_TIME variable.
- Control which services aren't updated with the IGNORELIST_SERVICES variable. Ignored services are given as a space separated list of service names.
- As an alternative to ignoring, use FILTER_SERVICES to specify which services you want updated. It takes a docker service ls filter; with label=shepherd.autodeploy, services opt in by carrying a label whose key is shepherd.autodeploy.
- Notifications can be enabled through the apprise microservice and the APPRISE_SIDECAR_URL variable.
- Set the timezone with the TZ variable. Do not put quotation marks around the timezone.
- Clean up old images with IMAGE_AUTOCLEAN_LIMIT; the value is the number of old images to keep.

Setup: Docker Compose

    version: "3"
    services:
      app:
        image: containrrr/shepherd
        environment:
          APPRISE_SIDECAR_URL: notify:5000
          TZ: Pacific/Honolulu
          IMAGE_AUTOCLEAN_LIMIT: 2
          SLEEP_TIME: '360m'
          FILTER_SERVICES: "label=shepherd.autodeploy"
          VERBOSE: 'true'
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        networks:
          - notification
        deploy:
          placement:
            constraints:
              - node.role == manager
      notify:
        image: mazzolino/apprise-microservice:latest
        environment:
          NOTIFICATION_URLS: discord:[add your URL here]
        networks:
          - notification
    networks:
      notification:

Docker Run

    docker service create --name shepherd --constraint "node.role==manager" \
      --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock,ro \
      containrrr/shepherd

Notes:

- Notifications run through the apprise microservice, which is built on Apprise. The format for Discord notifications is discord://webhook_id/webhook_token or discord://avatar@webhook_id/webhook_token.
- The ro on the socket mount only makes the mount point read-only; connecting to the socket still works, and the API gives Shepherd full control of the swarm. The manager-node constraint is required because only managers can update services.

July 6, 2024 · welcome-2themachine

Watchtower

References: Watchtower Docs, Watchtower Notifications, Watchtower Configuration - smarthomebeginner, Watchtower Docker Compose Examples, All Arguments, A Good Reddit Thread, A Tutorial

Setup

Docker Compose:

    version: "3"
    services:
      watchtower:
        image: nickfedor/watchtower
        container_name: watchtower
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
        environment:
          # - WATCHTOWER_LABEL_ENABLE=true
          - WATCHTOWER_NOTIFICATIONS=shoutrrr
          - WATCHTOWER_NOTIFICATION_URL=discord:[add discord url]
          - WATCHTOWER_POLL_INTERVAL=21600
          - WATCHTOWER_CLEANUP=true
        # labels:
        #   - "com.centurylinklabs.watchtower.enable=true"
        command: homepage portainer
        hostname: watchtower
        restart: unless-stopped
        deploy:
          mode: global

Docker Run:

    docker run -d --name watchtower \
      --volume /var/run/docker.sock:/var/run/docker.sock \
      containrrr/watchtower [NAMES OF THE CONTAINERS TO UPDATE]

Notes

- Watchtower does not work with docker swarms; for that use case see Shepherd.
- The container names passed as command arguments are the only ones Watchtower updates; with no names it watches every container it can see. Uncommenting WATCHTOWER_LABEL_ENABLE and the enable label switches to opting containers in by label instead.
- The compose file pulls nickfedor/watchtower (a maintained fork) while the run command pulls containrrr/watchtower; use one image consistently. Either way the container holds the Docker socket, so it has full control of the daemon.

July 6, 2024 · welcome-2themachine

Cloudflare Tunnel

Links: dash.cloudflare.com, one.dash.cloudflare.com

Installing the service

Ubuntu

    curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && \
      sudo dpkg -i cloudflared.deb && \
      sudo cloudflared service install [TUNNEL KEY]

Red Hat

    curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm && \
      sudo yum localinstall -y cloudflared.rpm && \
      sudo cloudflared service install [TUNNEL KEY]

Docker

    docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [TUNNEL KEY]

Docker Compose

    version: "3.8"
    services:
      cloudflared:
        image: cloudflare/cloudflared:latest
        restart: unless-stopped
        command: tunnel run
        network_mode: host
        environment:
          - "TUNNEL_TOKEN=[TUNNEL KEY]"
        deploy:
          mode: global
          placement:
            constraints: [node.platform.os == linux]

The tunnel token is a credential: anyone holding it can run a connector for your tunnel, so keep it out of committed compose files (an env file or a secret store is the usual home for it).

Cloudflare as a Docker Sidecar

Cloudflare can serve ports from other docker containers without exposing the container ports on the host device. See the compose example below: ...

July 4, 2024 · welcome-2themachine