Debian 10 with Docker

Home » Computer Articles » Linux » Debian 10 with Docker
June 22, 2020 Linux No Comments

Debian 10 setup to become a Docker host server

Download and setup Debian 10 the way you want it.  

 

Disable some not needed services.

# systemctl list-units -t service
# systemctl list-unit-files --state=enabled --no-pager
# systemctl stop nfs-common.service
# systemctl disable nfs-common.service
# systemctl stop rpcbind.service
# systemctl disable rpcbind.service
# systemctl stop exim4
# systemctl disable exim4
# systemctl stop rpcbind.service
# systemctl disable rpcbind.service
# systemctl stop nfs-common
# systemctl disable nfs-common
# systemctl stop nfs-client.target
# systemctl disable nfs-client.target
# systemctl stop remote-fs.target
# systemctl disable remote-fs.target

 

Iptables setup

# mkdir /etc/iptables
# nano /etc/iptables/iptables.conf

*filter
# all our chains with their default actions
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]

# first flush all chains that we will touch to have a clean setup
-F INPUT
-F DOCKER-USER
-F FILTERS

# accept local loopback traffic and if you want it also ping otherwise remove
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
# the important part, go to chain FILTERS
-A INPUT -j FILTERS

# when something comes into the external interface to the FORWARD chain
# (which will first put it into the DOCKER-USER chain), also use chain FILTERS
-A DOCKER-USER -i eth0 -j FILTERS

# our firewall rules go here, I allowed ping
# first accept all packets for ESTABLISHED and RELATED connection states
-A FILTERS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -m conntrack --ctstate INVALID -j DROP

# now all our firewall rules that will apply to our host listening to ports
# as well as Docker hosts listening, just some examples
-A FILTERS -m conntrack --ctstate NEW -s 192.168.10.200/32 -m tcp -p tcp --dport 22 -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FILTERS -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A FILTERS -j DROP

COMMIT
nano /etc/iptables/ip6tables.conf
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

-F INPUT
-F FORWARD
-F OUTPUT

-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m conntrack --ctstate NEW -m tcp -p tcp --dport 443 -j ACCEPT

COMMIT
# nano /etc/systemd/system/iptables.service
[Unit]
Description=Restore iptables firewall rules
Before=network-pre.target

[Service]
Type=oneshot
ExecStartPre=/sbin/ip6tables-restore -n /etc/iptables/ip6tables.conf
ExecStart=/sbin/iptables-restore -n /etc/iptables/iptables.conf

[Install]
WantedBy=multi-user.target

Enable new firewall setup

# systemctl daemon-reload
# systemctl start iptables.service
# systemctl enable iptables.service
# systemctl status iptables.service

 

Search for packages.

# apt-cache search docker

Once you have a package name, you can get more detailed information on the package using the apt-cache show and apt-cache showpkg commands.

# apt-cache show docker-ce
# apt-cache showpkg docker-ce

 

Update the system to the latest version.

# apt update
# apt upgrade

 

After the upgrade is done, you can remove unnecessary packages.

# apt-get autoremove

 

Reboot to updated system

# reboot

 

After the system comes back up, login in and check the Debian version.

# cat /etc/debian_version
# uname -a

 

From docker documentation.

Ref: https://docs.docker.com/install/linux/docker-ce/debian/

# apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common htop
# curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
# apt-key fingerprint 0EBFCD88
# add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
# apt-get update
# apt-get install docker-ce docker-ce-cli containerd.io -y
# docker run hello-world

 

Setup docker

# nano /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet elevator=noop swapaccount=1" or another scheduler deadline or cfq, On VMware noop seems to perform well.
# update-grub2

 

Putting some settings on Docker

# nano /etc/docker/daemon.json
{
"storage-driver": "overlay2",
"live-restore": true,
"ipv6": false
}

 

Control startup of Docker

# nano /lib/systemd/system/docker.service
ExecStart=/usr/bin/docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock (For production server on the internet)
systemctl reload docker or reboot

 

Check status of Docker

# systemctl status docker

 

Cleanup after all updates etc.

# rm -rf /usr/share/man/?? && rm -rf /usr/share/man/??_*

 

Add some more settings to sysctl.conf

# nano sysctl.conf
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_max_syn_backlog = 8096

  You should now have a running docker host. Now it's time to start playing with containers.

Share This:

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.