Docker on Nobody's Home

Docker Permissions

Sun, 12 Apr 2026 00:00:00 +0000

References:

Docker Containers Can Do Too Much

Your containers can do too much. Look at all the capabilities a Docker container gets by default:

  - SYS_ADMIN
  - NET_ADMIN
  - NET_RAW
  - FOWNER
  - SETGID
  - SETUID
  - CHOWN
  - AUDIT_CONTROL
  - AUDIT_READ
  - AUDIT_WRITE
  - BLOCK_SUSPEND
  - BPF
  - CHECKPOINT_RESTORE
  - DAC_READ_SEARCH
  - DAC_OVERRIDE
  - FSETID
  - IPC_LOCK
  - KILL
  - LEASE
  - LINUX_IMMUTABLE
  - MAC_ADMIN
  - MAC_OVERRIDE
  - MKNOD
  - NET_ADMIN
  - NET_BIND_SERVICE
  - NET_BROADCAST
  - PERFMON
  - SETFCAP
  - SETPCAP
  - SYS_BOOT
  - SYS_CHROOT
  - SYS_NICE
  - SYS_PACCT
  - SYS_PTRACE
  - SYS_RAWIO
  - SYS_RESOURCE
  - SYS_TIME
  - SYS_TTY_CONFIG
  - SYSLOG
  - WAKE_ALARM

This should clearly be limited. Containers share functions of the host kernel, it’s how they cut down on overhead. Giving unecessary permissions violates the security principle of least privilege. So, how go about it?

Dockhand

Wed, 04 Feb 2026 00:00:00 +0000

References

Setup

Docker Compose:

services:
  dockhand:
    image: fnsys/dockhand:latest
    container_name: dockhand
    restart: unless-stopped
    ports:
      - "3000:3000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/app/data
      - /home/mechanicus/Code/compose:/mnt/compose

Notes: using a separate data directory instead of a volume mount will make the container easier to manage and transfer if necessary

Adding Environments

My preferred method is to use the hawser connector:

docker run -d --name hawser --restart unless-stopped \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /home/mechanicus/code/docker-compose/:/mnt/compose \
-p 2376:2376 -e TOKEN==[SECURE TOKEN] \
ghcr.io/finsys/hawser:latest

Note: Include the location of compose files for easier management

Tor Site

Sat, 13 Dec 2025 00:00:00 +0000

Directory Setup

Set up the files and directories:

mkdir -p tor-site/keys tor-site/html tor-site/logs
touch tor-site/torrc

Set permissions:

chmod 700 tor-site/keys 
chmod 600 tor-site/logs
sudo chown root:root tor-site/keys tor-site/logs

Content Setup

Add the files for your website into the tor-site/html folder: example:

<!DOCTYPE html>
<html>
<body>
    <h1>Hello from the Onion Router!</h1>
    <p>This site is hosted inside Docker.</p>
</body>
</html>

Docker Setup

[[Install Docker]] Docker Compose File compose.yaml

services:
  nginx:
    container_name: nginx
    image: nginx
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETGID
      - SETUID
    volumes:
      - ./html:/usr/share/nginx/html:ro
      - ./logs:/var/log/nginx
    networks:
      - tor_network
  tor:
    container_name: tor
    volumes:
      - ./torrc:/etc/tor/torrc:ro
      - ./keys:/var/lib/tor/hidden_service/
    image: alpine:latest
    entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    networks:
      - tor_network
    depends_on:
      - nginx

networks:
  tor_network:

nginx is the name of your web server container - this is important for the torrc file.
:ro sets the volume to read only
networks: tor_network means all the traffic stays inside the tor network
security_opt: - no-new-privileges:true prevents the user from running as root through setuid or setgid
cap_drop: -All removes all default Linux capabilities granted to a container
cap_add: - NET_BIND_SERVICE will allow tor to work with only the necessary capabilities
networks ensures that all traffic stays inside the docker network with a custom bridge tor_network to access the tor relays See Docker Permissions

Create `torrc`:

# Standard Tor config
DataDirectory /var/lib/tor

# Define the Hidden Service
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 nginx:80

note: the name nginx should be the same as you name your web server container in the compose.yaml (see [[#Docker Setup]]).

Notes:

Did you know you can make a custom tor site name? See the Named Tor Site.
The docker service setup: Dockhand Portainer


services:
  nginx:
    container_name: nginx
    image: nginx
    volumes:
      - /home/mechanicus/code/tor-site/html:/usr/share/nginx/html:ro
      - /home/mechanicus/code/tor-site/logs:/var/log/nginx
    networks:
      - tor_network
    deploy: 
      mode: replicated
      replicas: 1
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "label=shepherd.autodeploy=true"
  tor:
    container_name: tor
    volumes:
      - /home/mechanicus/code/tor-site/torrc:/etc/tor/torrc:ro
      - /home/mechanicus/code/tor-site/keys:/var/lib/tor/hidden_service/
    image: alpine:latest
    entrypoint: sh -c "apk add --no-cache tor && tor -f /etc/tor/torrc"
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    networks:
      - tor_network
    depends_on:
      - nginx
    deploy: 
      mode: replicated
      replicas: 1
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "label=shepherd.autodeploy=true"

networks:
  tor_network:

Building Docker Containers

Sun, 31 Aug 2025 00:00:00 +0000

Install Docker

Install Docker Tutorial

Setup Buildx Environment

docker buildx create \
  --name container-builder \
  --driver docker-container \
  --bootstrap --use

Build the Container

docker buildx build --platform linux/amd64,linux/arm64,linux/arm/v7 \
-t [repository]/[containername]:[tag] . --push

The -t flag sets the naming convention for the container, . tells docker where to build the container (where the Dockerfile is located), and --push sends it to the Docker Hub repository.

Tag a Docker Container

docker tag [name]:[tag] [new-name]:[new-tag]

Save and Transfer a Docker Container

docker save -o [name] [name]:[tag]

rsync -P [name] [target]:[location]

docker load -i [name]

Install Docker

Sun, 31 Aug 2025 00:00:00 +0000

References

Docker

Setup: Debian Based

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Setup: Arch Based

# Pamac (manjaro)
sudo pamac install docker docker-compose

# Arch
sudo pacman -Syu docker docker-compose

Enable the docker service

Kasm Workspaces

Sun, 31 Aug 2025 00:00:00 +0000

References

Kasm Documentation Kasm System Requirements Kasm GPU Install

Prerequisites

Install Docker Tutorial
Swap Space

Installation

NOTE: check for the latest version

cd /tmp
curl -O https://kasm-static-content.s3.amazonaws.com/kasm_release_1.18.1.tar.gz
tar -xf kasm_release_1.18.1.tar.gz
sudo bash kasm_release/install.sh --accept-eula --swap-size 8192

GPU Setup

The Nvidia container setup instructions, and standard GPU driver installation threw an error: nvidia runtime not found. The script on Kasm’s site worked.

#!/bin/bash

# Check for NVIDIA cards
if ! lspci | grep -i nvidia > /dev/null; then
    echo "No NVIDIA GPU detected"
    exit 0
fi

add-apt-repository -y ppa:graphics-drivers/ppa

curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
  && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
    sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
    sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list

apt update
apt install -y ubuntu-drivers-common

# Run ubuntu-drivers and capture the output
DRIVER_OUTPUT=$(ubuntu-drivers list 2>/dev/null)
# Extract server driver versions using grep and regex
# Pattern looks for nvidia-driver-XXX-server
SERVER_VERSIONS=$(echo "$DRIVER_OUTPUT" | grep -o 'nvidia-driver-[0-9]\+-server' | grep -o '[0-9]\+' | sort -n)
# Check if any server versions were found
if [ -z "$SERVER_VERSIONS" ]; then
    echo "Error: No NVIDIA server driver versions found." >&2
    exit 1
fi
# Find the highest version number
LATEST_VERSION=$(echo "$SERVER_VERSIONS" | tail -n 1)
# Validate that the version is numeric
if ! [[ "$LATEST_VERSION" =~ ^[0-9]+$ ]]; then
    echo "Error: Invalid version number: $LATEST_VERSION" >&2
    exit 2
fi
# Output only the version number
echo "Latest version is: $LATEST_VERSION"
ubuntu-drivers install "nvidia:$LATEST_VERSION-server"
apt install -y "nvidia-utils-$LATEST_VERSION-server"
# Install NVIDIA toolkit + configure for docker
apt-get install -y nvidia-container-toolkit
nvidia-ctk runtime configure --runtime=docker

Egress Setup: NordVPN

Get service credentials for the VPN: Available on the VPN dashboard
Download desired OpenVPN configuration files: Available on the VPN dashboard
On Kasm Administrator dashboard, select Egress (Infrastructure > Egress)
- Add the egress provider:
- Configure VPN type:
- Add egress gateways:
On the Workspaces > Workspace page, select the workspace to allow it to use the VPN, click edit and add the egress provider on the Egress tab.
On the Egress Credentials tab, add in the service credentials for the VPN

Portainer

Fri, 20 Jun 2025 00:00:00 +0000

Description

Portainer is a web-based Docker management interface that allows users to easily manage their Docker containers, networks, and volumes. It provides a simple and intuitive way to view and interact with your Docker environment.

Installation

Install Docker

Create the Portainer server database:

docker volume create portainer_data

Download and install Portainer-CE

docker run -d -p 8000:8000 -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

Things I’ve Learned

To update the container’s name in the yaml file, use the container_name: variable
If a stack is unable to be deleted, it’s likely because the /var/lib/docker/volumes/portiner_data/_data/compose file is missing. You’ll have to recreate that numbered file and a docker-compose.yml in the directory in order to delete the stack.
After Setup remove the 8000 port bind

docker run -d -p 9443:9443 --name portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

References

Portainer-CE Container Names

Shepherd

Sat, 06 Jul 2024 00:00:00 +0000

References:

About

Shepherd is a Docker swarm service for automatically updating your services whenever their base image is refreshed.

Variables

Default check time is every 5 minutes. Change this with the SLEEP_TIME variable.
Control which services aren’t updated with the IGNORELIST_SERVICES variable. Ignored services should be in a space separated list of service names.
As an alternative to ignore, use FILTER_SERVICES to specify which services you want updated.
Notifications can be enabled through the appraise micro service and the APPRISE_SIDECAR_URL variable.
Set the timezone with the TZ variable. Note, do not include quotations for the timezone.
Clean up old services with IMAGE_AUTOCLEAN_LIMIT, the variable set keeps that number of old images.

Setup:

Docker Compose

version: "3"

services:
  app:
    image: containrrr/shepherd
    environment:
      APPRISE_SIDECAR_URL: notify:5000
      TZ: Pacific/Honolulu
      IMAGE_AUTOCLEAN_LIMIT: 2
      SLEEP_TIME: '360m'
      FILTER_SERVICES: "label=shepherd.autodeploy"
      VERBOSE: 'true'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    networks:
      - notification
    deploy:
      placement:
        constraints:
          - node.role == manager

  notify:
    image: mazzolino/apprise-microservice:latest
    environment:
      NOTIFICATION_URLS: discord:[add your URL here]
    networks:
      - notification

networks:
  notification:

Docker Run

docker service create --name shepherd --constraint "node.role==manager" --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock,ro containrrr/shepherd

Notes:

Notifications runs through the apprise microservice which runs on Apprise. The format for discord notifications is: discord://webhook_id/webhook_token or discord://avatar@webhook_id/webhook_token.

Watchtower

Sat, 06 Jul 2024 00:00:00 +0000

References

Setup

Docker Compose:

version: "3"
services:
  watchtower:
    image: nickfedor/watchtower
    container_name: watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
#      - WATCHTOWER_LABEL_ENABLE=true 
      - WATCHTOWER_NOTIFICATIONS=shoutrrr
      - WATCHTOWER_NOTIFICATION_URL=discord:[add discord url]
      - WATCHTOWER_POLL_INTERVAL=21600
      - WATCHTOWER_CLEANUP=true
#    labels:
#      - "com.centurylinklabs.watchtower.enable=true"
    command: homepage portainer
    hostname: watchtower
    restart: unless-stopped
    deploy: 
      mode: global

Docker Run:

docker run -d --name watchtower --volume /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower [NAMES OF THE CONTAINERS TO UPDATE]

Notes

Watchtower does not work with docker swarms, for that use case see Shepherd.

Cloudflare Tunnel

Thu, 04 Jul 2024 00:00:00 +0000

Links

dash.cloudflare.com one.dash.cloudflare.com

Installing the service

Ubuntu

curl -L --output cloudflared.deb https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb && 

sudo dpkg -i cloudflared.deb && 

sudo cloudflared service install [TUNNEL KEY]

Red Hat

curl -L --output cloudflared.rpm https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-x86_64.rpm && 

sudo yum localinstall -y cloudflared.rpm && 

sudo cloudflared service install [TUNNEL KEY]

Docker

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token [TUNNEL KEY]

Docker Compose

version: "3.8"

services:
  cloudflared:
    image: cloudflare/cloudflared:latest
    restart: unless-stopped
    command: tunnel run
    network_mode: host
    environment:
      - "TUNNEL_TOKEN=[TUNNEL KEY]"
    deploy:
      mode: global
      placement:
        constraints: [node.platform.os == linux]

Cloudflare as a Docker Sidecar

Cloudflare can serve ports from other docker containers without actually exposing the container ports on the host device. See the compose example below:

Ollama Service

Wed, 03 Jul 2024 00:00:00 +0000

References

Ollama.com

Installation

curl -fsSL https://ollama.com/install.sh | sh

Useful Commands

sudo usermod -aG ollama $USER

ollama pull llama3 llama2-uncensored godegemma gemma dolphin-mistral

Service Configuration

[Unit]
Description=Ollama Service
After=network-online.target

[Service]
ExecStart=/usr/local/bin/ollama serve
User=ollama
Group=ollama
Restart=always
RestartSec=3
Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
Environment="OLLAMA_HOST=0.0.0.0"

[Install]
WantedBy=default.target

Useful Plugins

Obsidian: local gpt
Openweb-UI

Misc Information

Service runs on port 11433
By default service only listens on local host

Openweb-UI

Wed, 03 Jul 2024 00:00:00 +0000

References:

Open WebUI Open WebUI Troubleshooting Searxng Integration This is my error…

Setup

Main

docker run -d -p 8080:8080 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:main

Latest

docker run -d -p 8080:8080 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:latest

Docker Compose Yaml

version: "3"
services:
	open-webui:
		image: ghcr.io/open-webui/open-webui:latest
		container_name: open-webui
		volumes:
			- /home/mechanicus/open-webui:/app/backend/data
		restart: unless-stopped
		port:
			- "8080:8080"
		extra_hosts:
			- "host.docker.internal:host-gateway"

Updates

Pull the new image (make sure you pick main or latest based on your install)

docker pull ghcr.io/open-webui/open-webui:latest

Remove the old container

docker rm --force open-webui

Start the new container by rerunning the setup command

docker run -d -p 8080:8080 --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --restart always ghcr.io/open-webui/open-webui:latest

(Optional) Let [[Watchtower]] Do it

docker run -d --name watchtower --volume /var/run/docker.sock:/var/run/docker.sock containrrr/watchtower open-webui

Troubleshooting

Resetting the admin password on a local instance - generate a new password hash

htpasswd -bnBC 10 "" your-new-password | tr -d ':\n'

Change the password using a new docker container - replace HASH with the new password hash you just generated.

docker run --rm -v open-webui:/data alpine/socat EXEC:"bash -c 'apk add sqlite && echo UPDATE auth SET password='\''HASH'\'' WHERE email='\''admin@example.com'\''; | sqlite3 /data/webui.db'", STDIO

Data needs to be directly in the base folder for a mapped volume (Docker volumes use _data within a volume folder).
[[Searxng]] needs the following changes to searxng/settings.yml:

search:
	safe_search: 0
	autocomplete: ""
	default_lang: ""
	formats:
		- html
		- json

Docker on Nobody's Home

Docker Permissions

References:

Docker Containers Can Do Too Much

Dockhand

References

Setup

Docker Compose:

Adding Environments

Tor Site

Directory Setup

Content Setup

Docker Setup

Create torrc:

Notes:

Building Docker Containers

Install Docker

Setup Buildx Environment

Build the Container

Tag a Docker Container

Save and Transfer a Docker Container

Install Docker

References

Setup: Debian Based

Setup: Arch Based

Kasm Workspaces

References

Prerequisites

Installation

GPU Setup

Egress Setup: NordVPN

Portainer

Description

Installation

Things I’ve Learned

See also:

References

Shepherd

References:

About

Variables

Setup:

Notes:

Watchtower

References

Setup

Notes

Cloudflare Tunnel

Links

Installing the service

Ubuntu

Red Hat

Docker

Docker Compose

Cloudflare as a Docker Sidecar

Ollama Service

References

Installation

Useful Commands

Service Configuration

Useful Plugins

Misc Information

Openweb-UI

References:

Setup

Updates

Troubleshooting

Create `torrc`: