This tutorial explains how to install Docker CE on Ubuntu 20.04. With this tutorial, you will learn how to install and configure Docker on Ubuntu to use it with many different apps and services. Also, this tutorial describes how to use Docker with ufw and additionally install and set up docker-compose and Portainer. You should have a basic understanding of Linux and shell commands. A fresh install of Ubuntu 20.04 (may also work with other versions) is required.
This tutorial is based on the official tutorial provided by docker with a few extra notes and additions.
Docker can be used on nearly any root or vServer. netcup's server architecture is amd64. You need to be
root and/or have
sudo privileges to install packages.
We will install Docker by using Ubuntu's APT package manager. To fetch the latest package database, use:
sudo apt-get update
To add a custom package repository for Docker, we need a few apt tools that you may not have installed yet. Use the following command to install them:
sudo apt-get install \ ca-certificates \ curl \ gnupg \ lsb-release
If there are multiple packages or dependencies to be installed, the installer might ask for your confirmation. Press
y and ENTER when asked:
The following NEW packages will be installed: .... 0 upgraded, 64 newly installed, 0 to remove and 0 not upgraded. Need to get 13.5 MB of archives. After this operation, 51.6 MB of additional disk space will be used. Do you want to continue? [Y/n] y
Docker gets shipped by a custom apt package repository hosted by the Docker organization. This provides newer and more frequently updated versions of docker-ce.
At first you need to add Docker's PGP key. To do this, execute the following command:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
After adding the key file, we need to add the new repository. To do this, type:
echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \ $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
To fetch all available packages from the newly added repository, run the following command again:
sudo apt-get update
To finally install the Docker package, run:
sudo apt-get install docker-ce docker-ce-cli containerd.io
To test if Docker is working, you can fetch the "hello world" image and start it by using:
sudo docker run --rm hello-world
If you're using ufw as an iptables frontend/firewall for your server, you should be cautious with Docker's iptables modifications, as Docker will bypass the rules defined with ufw. To fix this, we have to modify a specific ufw config file. This part is based on the ufw-docker Github repository tutorial.
To check if your server is using ufw, run the following command:
sudo ufw status
Check if the reported status is
The expected result should be similar to this:
Status: active To Action From -- ------ ---- ... ... ...
If your server shows an "inactive" state, ufw is not enabled for your server. If you want to enable it, see Step 3.1
Important: When enabling ufw and not adding a rule for SSH, you might lose connectivity to your server. Make sure to add an appropriate rule for allowing SSH traffic on port
22by using the following command:
sudo ufw allow ssh
You can also add this rule by using netcup's web console feature found inside your server control panel.
To enable ufw in case it's not yet enabled, you can run:
sudo ufw enable
Use an editor of your choice to edit the configuration file at
sudo nano /etc/ufw/after.rules).
Add the following to the end of the file and save it:
## BEGIN UFW AND DOCKER *filter :ufw-user-forward - [0:0] :ufw-docker-logging-deny - [0:0] :DOCKER-USER - [0:0] -A DOCKER-USER -j ufw-user-forward -A DOCKER-USER -j RETURN -s 10.0.0.0/8 -A DOCKER-USER -j RETURN -s 172.16.0.0/12 -A DOCKER-USER -j RETURN -s 192.168.0.0/16 -A DOCKER-USER -p udp -m udp --sport 53 --dport 1024:65535 -j RETURN -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 192.168.0.0/16 -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 10.0.0.0/8 -A DOCKER-USER -j ufw-docker-logging-deny -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -d 172.16.0.0/12 -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 192.168.0.0/16 -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 10.0.0.0/8 -A DOCKER-USER -j ufw-docker-logging-deny -p udp -m udp --dport 0:32767 -d 172.16.0.0/12 -A DOCKER-USER -j RETURN -A ufw-docker-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW DOCKER BLOCK] " -A ufw-docker-logging-deny -j DROP COMMIT ## END UFW AND DOCKER
After saving the modifications, restart the server to have the changes take effect.
If you want to publish a port from your containers, use the following command:
This command publishes port 80 from any container's local port. Replace 80 with your custom ports for TCP communication. To use the UDP Protocol, replace
ufw route allow proto tcp from any to any port 80
If you have multiple containers using the same port, you can specify the container by its private (internal) IP:
ufw route allow proto tcp from any to 172.17.0.2 port 80
Please note: The port used at the end of this command is the internal port of the container! You don't have to expose it to the host.
Instead of performing the above manual steps to install/configure ufw, you can use a handy script provided by the authors of the ufw-docker repository.
To install the tool, run the following command:
sudo wget -O /usr/local/bin/ufw-docker \ https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker sudo chmod +x /usr/local/bin/ufw-docker
To automatically apply the ufw
after.rules change, run:
sudo ufw-docker install
To publish a container port, use the command:
sudo ufw-docker allow <CONTAINER_NAME> <PORT>
To display further information and help, use the command:
sudo ufw-docker help
If you wish to use Docker with your regular user without using
sudo all the time, you can add your user to the "docker" group.
Please bear in mind that other users might exploit Docker to gain root access to your host machine!
To add your user to the "docker" group, run:
## Create the docker group in case it does not yet exist sudo groupadd docker ## Add your user to the docker group sudo usermod -aG docker $USER
You need to log out and log back in to have the changes take effect.
To test if this step was successful, you can run the following command again without sudo:
docker run --rm hello-world
When using apps/services that depend on multiple containers/images you can use
docker-compose for easier setup/maintenance. This part is based on the official documentation for docker-compose.
To install docker-compose, run the following commands:
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose sudo chmod +x /usr/local/bin/docker-compose
Portainer is a software for managing Docker containers with a handy web UI. Additional information can be found in the official documentation.
Portainer itself gets shipped as a Docker image. To install it, simply create a new volume and run the container.
docker volume create portainer_data docker run -d -p 9443:9443 --name portainer \ --restart=always \ -v /var/run/docker.sock:/var/run/docker.sock \ -v portainer_data:/data \ portainer/portainer-ce:latest
If you use the ufw modification, you need to add port 9443 to make it reachable:
sudo ufw-docker allow portainer 9443
You can now reach Portainer via your web browser by opening URL:
Note: By default, Portainer is using a self-signed certificate. Therefore, a warning may appear when you open the web panel for the first time.
Installing Docker is just the base for many different applications and use cases. For example, you can install "mailcow-dockerized" or other software that uses it. By using nginx as a reverse proxy inside Docker or on your host machine, you can have multiple webservices listen on the same port with different domain names/paths.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicence, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
By making a contribution to this project, I certify that:
The contribution was created in whole or in part by me and I have the right to submit it under the license indicated in the file; or
The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same license (unless I am permitted to submit under a different license), as indicated in the file; or
The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the license(s) involved.