Root-Server Tutorial

ROOT-SERVER TUTORIAL

Installing Docker CE on Ubuntu 20.04 with docker-compose, Portainer and ufw

Learn how to set up Docker CE on Ubuntu 20.04 with docker-compose and Portainer for better management. Includes ufw configuration instructions for additional security.

Author:

Marcel Aust

Last updated:

04/11/2021

Introduction

This tutorial explains how to install Docker CE on Ubuntu 20.04. With this tutorial, you will learn how to install and configure Docker on Ubuntu to use it with many different apps and services. Also, this tutorial describes how to use Docker with ufw and additionally install and set up docker-compose and Portainer. You should have a basic understanding of Linux and shell commands. A fresh install of Ubuntu 20.04 (may also work with other versions) is required.

This tutorial is based on the official tutorial provided by docker with a few extra notes and additions.

Requirements

Docker can be used on nearly any root or vServer. netcup's server architecture is amd64. You need to be root and/or have sudo privileges to install packages.

Step 1 - Preparation

We will install Docker by using Ubuntu's APT package manager. To fetch the latest package database, use:

sudo apt-get update

To add a custom package repository for Docker, we need a few apt tools that you may not have installed yet. Use the following command to install them:

sudo apt-get install \
    ca-certificates \
    curl \
    gnupg \
    lsb-release

If there are multiple packages or dependencies to be installed, the installer might ask for your confirmation. Press y and ENTER when asked:

The following NEW packages will be installed:
  ....
0 upgraded, 64 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.5 MB of archives.
After this operation, 51.6 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Step 2 - Add custom repository and install Docker

Step 2.1 - Add custom apt repository

Docker gets shipped by a custom apt package repository hosted by the Docker organization. This provides newer and more frequently updated versions of docker-ce.

At first you need to add Docker's PGP key. To do this, execute the following command:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

After adding the key file, we need to add the new repository. To do this, type:

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

To fetch all available packages from the newly added repository, run the following command again:

sudo apt-get update

Step 2.2 - Install Docker

To finally install the Docker package, run:

sudo apt-get install docker-ce docker-ce-cli containerd.io

Step 2.3 - Test if Docker is working

To test if Docker is working, you can fetch the "hello world" image and start it by using:

sudo docker run --rm hello-world

Step 3 - Set up ufw so Docker doesn't bypass firewall rules (optional)

If you're using ufw as an iptables frontend/firewall for your server, you should be cautious with Docker's iptables modifications, as Docker will bypass the rules defined with ufw. To fix this, we have to modify a specific ufw config file. This part is based on the ufw-docker Github repository tutorial.

To check if your server is using ufw, run the following command:

sudo ufw status

Check if the reported status is active. The expected result should be similar to this:

Status: active

To                         Action      From
--                         ------      ----
...                         ...         ...

If your server shows an "inactive" state, ufw is not enabled for your server. If you want to enable it, see Step 3.1

Step 3.1 - Enable ufw (optional)

Important: When enabling ufw and not adding a rule for SSH, you might lose connectivity to your server. Make sure to add an appropriate rule for allowing SSH traffic on port 22 by using the following command:

sudo ufw allow ssh

You can also add this rule by using netcup's web console feature found inside your server control panel.

To enable ufw in case it's not yet enabled, you can run:

sudo ufw enable

Step 3.2 - Set up ufw config

Use an editor of your choice to edit the configuration file at /etc/ufw/after.rules (e.g. sudo nano /etc/ufw/after.rules). Add the following to the end of the file and save it:

## BEGIN UFW AND DOCKER
*filter
:ufw-user-forward - [0:0]
:ufw-docker-logging-deny - [0:0]
:DOCKER-USER - [0:0]
-A DOCKER-USER -j ufw-user-forward

-A DOCKER-USER -j RETURN -s 10.0.0.0/8
-A DOCKER-USER -j RETURN -s 172.16.0.0/12
-A DOCKER-USER -j RETURN -s 192.168.0.0/16

-A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN

-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8
-A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12

-A DOCKER-USER -j RETURN

-A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] "
-A ufw-docker-logging-deny -j DROP

COMMIT
## END UFW AND DOCKER

After saving the modifications, restart the server to have the changes take effect.

sudo reboot

Step 3.3 - Using ufw to open ports

If you want to publish a port from your containers, use the following command:

This command publishes port 80 from any container's local port. Replace 80 with your custom ports for TCP communication. To use the UDP Protocol, replace proto tcp with proto udp.

ufw route allow proto tcp from any to any port 80

If you have multiple containers using the same port, you can specify the container by its private (internal) IP:

ufw route allow proto tcp from any to 172.17.0.2 port 80

Please note: The port used at the end of this command is the internal port of the container! You don't have to expose it to the host.

Step 3.4 - Using the ufw-docker tool for easier setup

Instead of performing the above manual steps to install/configure ufw, you can use a handy script provided by the authors of the ufw-docker repository.

To install the tool, run the following command:

sudo wget -O /usr/local/bin/ufw-docker \
  https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
sudo chmod +x /usr/local/bin/ufw-docker

To automatically apply the ufw after.rules change, run:

sudo ufw-docker install

To publish a container port, use the command:

sudo ufw-docker allow <CONTAINER_NAME> <PORT>

To display further information and help, use the command:

sudo ufw-docker help

Step 4 - Add your user to 'docker' group to use Docker without sudo (optional)

If you wish to use Docker with your regular user without using sudo all the time, you can add your user to the "docker" group. Please bear in mind that other users might exploit Docker to gain root access to your host machine!

To add your user to the "docker" group, run:

## Create the docker group in case it does not yet exist
sudo groupadd docker
## Add your user to the docker group
sudo usermod -aG docker $USER

You need to log out and log back in to have the changes take effect.

To test if this step was successful, you can run the following command again without sudo:

docker run --rm hello-world

Step 5 - Install docker-compose (optional)

When using apps/services that depend on multiple containers/images you can use docker-compose for easier setup/maintenance. This part is based on the official documentation for docker-compose. To install docker-compose, run the following commands:

sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose

Step 6 - Install Portainer (optional)

Portainer is a software for managing Docker containers with a handy web UI. Additional information can be found in the official documentation.

Portainer itself gets shipped as a Docker image. To install it, simply create a new volume and run the container.

docker volume create portainer_data
docker run -d -p 9443:9443 --name portainer \
    --restart=always \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data \
    portainer/portainer-ce:latest

If you use the ufw modification, you need to add port 9443 to make it reachable:

sudo ufw-docker allow portainer 9443

You can now reach Portainer via your web browser by opening URL: https://<YOURSERVER>:9443.

Note: By default, Portainer is using a self-signed certificate. Therefore, a warning may appear when you open the web panel for the first time.

Conclusion

Installing Docker is just the base for many different applications and use cases. For example, you can install "mailcow-dockerized" or other software that uses it. By using nginx as a reverse proxy inside Docker or on your host machine, you can have multiple webservices listen on the same port with different domain names/paths.

License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicence, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Contributor's Certificate of Origin

By making a contribution to this project, I certify that:

  1. The contribution was created in whole or in part by me and I have the right to submit it under the license indicated in the file; or

  2. The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same license (unless I am permitted to submit under a different license), as indicated in the file; or

  3. The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.

  4. I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the license(s) involved.

Published 04/11/2021 by Marcel Aust

Submit your tutorial

Get 60€ netcup vouchers for every published tutorial.