This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| docker [2025/06/01 17:12] – [Compose files] admin | docker [2026/04/08 22:19] (current) – admin | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Docker ====== | ====== Docker ====== | ||
| + | ===== Removal ===== | ||
| + | |||
| + | Back up all volumes | ||
| + | |||
| + | for d in */; do tar -czf " | ||
| + | |||
| + | Remove all of docker and start again | ||
| + | |||
| + | sudo systemctl stop docker | ||
| + | sudo apt-get purge -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin | ||
| + | sudo rm -rf / | ||
| + | sudo rm -rf / | ||
| + | sudo rm -rf /etc/docker | ||
| + | sudo apt-get autoremove -y | ||
| + | |||
| + | ===== Fresh install ===== | ||
| + | |||
| + | Then reinstall via Docker' | ||
| + | |||
| + | curl -fsSL https:// | ||
| + | |||
| + | That script installs the latest stable Docker CE with all plugins. After that, add your user to the docker group if needed: | ||
| + | |||
| + | sudo usermod -aG docker sean | ||
| + | |||
| + | Then re-enable your services: | ||
| + | |||
| + | sudo systemctl enable --now docker | ||
| + | sudo systemctl enable --now hawser | ||
| + | |||
| + | ===== Enable SSL/TLS connection ===== | ||
| + | |||
| + | ==== Generate a CA, server, and client certificate/ | ||
| + | |||
| + | 1. Create a working directory | ||
| + | |||
| + | mkdir -p ~/ | ||
| + | |||
| + | 2. Generate the CA private key | ||
| + | |||
| + | openssl genrsa -aes256 -out ca-key.pem 4096 | ||
| + | |||
| + | 3. Generate the CA certificate | ||
| + | |||
| + | openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem | ||
| + | |||
| + | You'll be prompted for a passphrase and subject info (Country, CN, etc.). | ||
| + | |||
| + | 4. Generate the server private key | ||
| + | |||
| + | openssl genrsa -out server-key.pem 4096 | ||
| + | |||
| + | 5. Generate the server CSR (Certificate Signing Request) | ||
| + | |||
| + | openssl req -subj "/ | ||
| + | |||
| + | Replace < | ||
| + | |||
| + | 6. Create a SANs (Subject Alternative Names) extension file | ||
| + | |||
| + | echo subjectAltName = DNS:< | ||
| + | echo extendedKeyUsage = serverAuth >> extfile.cnf | ||
| + | |||
| + | Add all hostnames/ | ||
| + | |||
| + | 7. Sign the server certificate with the CA | ||
| + | |||
| + | openssl x509 -req -days 365 -sha256 \ | ||
| + | -in server.csr -CA ca.pem -CAkey ca-key.pem \ | ||
| + | -CAcreateserial -out server-cert.pem -extfile extfile.cnf | ||
| + | |||
| + | 8. Generate the client private key | ||
| + | |||
| + | openssl genrsa -out key.pem 4096 | ||
| + | |||
| + | 9. Generate the client CSR | ||
| + | |||
| + | openssl req -subj '/ | ||
| + | |||
| + | 10. Create a client extension file | ||
| + | |||
| + | echo extendedKeyUsage = clientAuth > extfile-client.cnf | ||
| + | |||
| + | 11. Sign the client certificate with the CA | ||
| + | |||
| + | openssl x509 -req -days 365 -sha256 \ | ||
| + | -in client.csr -CA ca.pem -CAkey ca-key.pem \ | ||
| + | -CAcreateserial -out cert.pem -extfile extfile-client.cnf | ||
| + | |||
| + | 12. Clean up CSRs and extension files, lock down permissions | ||
| + | |||
| + | rm -f client.csr server.csr extfile.cnf extfile-client.cnf | ||
| + | chmod 0400 ca-key.pem key.pem server-key.pem | ||
| + | chmod 0444 ca.pem server-cert.pem cert.pem | ||
| + | |||
| + | After this you'll have: | ||
| + | |||
| + | ┌──────────────────────────────────┬───────────────────────────────────────────────────┐ | ||
| + | │ | ||
| + | ├──────────────────────────────────┼───────────────────────────────────────────────────┤ | ||
| + | │ ca.pem | ||
| + | ├──────────────────────────────────┼───────────────────────────────────────────────────┤ | ||
| + | │ server-cert.pem / server-key.pem │ Server certificate and key │ | ||
| + | ├──────────────────────────────────┼───────────────────────────────────────────────────┤ | ||
| + | │ cert.pem / key.pem | ||
| + | └──────────────────────────────────┴───────────────────────────────────────────────────┘ | ||
| + | |||
| + | ==== Configure / | ||
| + | |||
| + | 1. Copy server certs to a permanent location | ||
| + | |||
| + | sudo mkdir -p / | ||
| + | sudo cp ~/ | ||
| + | sudo cp ~/ | ||
| + | sudo cp ~/ | ||
| + | sudo chmod 0444 / | ||
| + | sudo chmod 0400 / | ||
| + | |||
| + | 2. Create or edit / | ||
| + | |||
| + | sudo tee / | ||
| + | { | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | " | ||
| + | } | ||
| + | EOF | ||
| + | |||
| + | - " | ||
| + | - " | ||
| + | - Port 2376 is the standard TLS Docker port (2375 is unencrypted) | ||
| + | |||
| + | 3. Handle the hosts conflict with systemd (WSL/Linux) | ||
| + | |||
| + | If Docker is managed by systemd, the -H flag in the service file conflicts with hosts in daemon.json. Override it: | ||
| + | |||
| + | sudo mkdir -p / | ||
| + | sudo tee / | ||
| + | [Service] | ||
| + | ExecStart= | ||
| + | ExecStart=/ | ||
| + | EOF | ||
| + | |||
| + | Enable systemd in WSL2 (recommended). | ||
| + | |||
| + | Edit / | ||
| + | |||
| + | sudo tee / | ||
| + | [boot] | ||
| + | systemd=true | ||
| + | EOF | ||
| + | |||
| + | 4. Reload and restart Docker | ||
| + | |||
| + | sudo systemctl daemon-reload | ||
| + | sudo systemctl restart docker | ||
| + | |||
| + | 5. Verify Docker is listening on port 2376 | ||
| + | |||
| + | sudo ss -tlnp | grep 2376 | ||
| + | |||
| + | You should see dockerd bound to 0.0.0.0: | ||
| + | |||
| ===== Portainer ===== | ===== Portainer ===== | ||
| ==== Upgrade Portainer ==== | ==== Upgrade Portainer ==== | ||
| Line 85: | Line 251: | ||
| ===== Compose files ===== | ===== Compose files ===== | ||
| [[Cacti]] | [[Cacti]] | ||
| + | |||
| [[Portainer Agent]] | [[Portainer Agent]] | ||
| ===== References ===== | ===== References ===== | ||