Docker: Installation
Install Docker and Ubuntu
Docker Engine is available on a variety of Linux platforms, on macOS and Windows 10 through Docker Desktop, and as a static binary installation. This document describes the Ubuntu installation steps; for other operating systems, follow this link: https://docs.docker.com/engine/install/.
To get started with Docker Engine on Ubuntu, make sure you meet the prerequisites, then install Docker.
Prerequisites
To install Docker Engine, you need the 64-bit version of one of these Ubuntu versions:
- Ubuntu Hirsute 21.04
- Ubuntu Groovy 20.10
- Ubuntu Focal 20.04 (LTS)
- Ubuntu Bionic 18.04 (LTS)
Docker Engine is supported on x86_64 (or amd64), armhf, arm64, and s390x architectures.
You can install Docker Engine in different ways, depending on your needs. Most users set up Docker’s repositories and install from them, for ease of installation and upgrade tasks. This is the recommended approach.
Install Docker repository
Before you install Docker Engine for the first time on a new host machine, you need to set up the Docker repository. After setting up the Docker repository, install and update Docker from the repository.
Set up the repository
- Update the apt package index and install packages to allow apt to use a repository over HTTPS:
$ sudo apt-get update
$ sudo apt-get install \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release
- Add Docker's official GPG key:
$ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
- Use the following command to set up the stable repository:
Note: The $(lsb_release -cs) sub-command below returns the codename of your Ubuntu release, such as xenial. On a derivative such as Linux Mint, you might need to replace $(lsb_release -cs) with the codename of your parent Ubuntu release. For example, if you are using Linux Mint Tessa, you could use bionic. Docker does not offer any guarantees on untested and unsupported Ubuntu distributions.
$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
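As an added example (not part of the page or of Docker's own documentation), the following POSIX shell functions derive the codename the repository line needs, handling the Linux Mint case from the note above by preferring the UBUNTU_CODENAME field of /etc/os-release over the distribution's own codename, and then build the signed-by apt line. The os-release content below is a constructed sample, not read from a real system.

```shell
# Constructed sample of /etc/os-release as a Linux Mint 19.1 "Tessa" system
# presents it: its own codename is "tessa", its parent Ubuntu release is bionic.
SAMPLE_MINT_OS_RELEASE='NAME="Linux Mint"
VERSION="19.1 (Tessa)"
ID=linuxmint
ID_LIKE=ubuntu
VERSION_CODENAME=tessa
UBUNTU_CODENAME=bionic'

# docker_repo_codename FILE: print the Ubuntu codename the Docker repository
# should be set up with. Derivatives such as Mint carry their parent release in
# UBUNTU_CODENAME, so that field wins over VERSION_CODENAME (which is what
# lsb_release -cs reports on Mint). Fails if neither field is present.
docker_repo_codename() {
  name=$(sed -n 's/^UBUNTU_CODENAME=//p' "$1" | tr -d '"')
  [ -n "$name" ] || name=$(sed -n 's/^VERSION_CODENAME=//p' "$1" | tr -d '"')
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# docker_apt_line ARCH CODENAME: the sources.list.d entry, pinned with signed-by
# so that only the dearmored Docker key in that keyring can sign this repository.
docker_apt_line() {
  printf 'deb [arch=%s signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu %s stable\n' "$1" "$2"
}

# Demonstration on the constructed sample (real use: docker_repo_codename /etc/os-release)
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MINT_OS_RELEASE" > "$tmp"
docker_apt_line "$(dpkg --print-architecture 2>/dev/null || echo amd64)" "$(docker_repo_codename "$tmp")"
rm -f "$tmp"
```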
Install Docker Engine
- Update the apt package index, and install the latest version of Docker Engine and containerd, or go to the next step to install a specific version:
$ sudo apt-get update
$ sudo apt-get install docker-ce docker-ce-cli containerd.io
- To install a specific version of Docker Engine, list the available versions in the repo, then select and install:
i. List the versions available in your repo:
$ apt-cache madison docker-ce
ii. Install a specific version using the version string from the second column, for example, 5:18.09.1~3-0~ubuntu-xenial:
$ sudo apt-get install docker-ce=<VERSION_STRING> docker-ce-cli=<VERSION_STRING> containerd.io
iii. Verify that Docker Engine is installed correctly by running the hello-world image:
$ sudo docker run hello-world
For more information, see the Docker Engine installation documentation for Ubuntu.
Protect the Docker daemon socket
By default, Docker runs through a non-networked UNIX socket. It can also optionally communicate using SSH or a TLS (HTTPS) socket.
Use TLS (HTTPS) to protect the Docker daemon socket
- The client machine must have Docker Engine installed to use this configuration type.
- If you need Docker to be reachable through HTTPS rather than SSH in a safe manner, you can enable TLS (HTTPS).
In daemon mode, Docker only allows connections from clients authenticated by a certificate signed by that CA. In client mode, it only connects to servers with a certificate signed by that CA.
- Create a CA, server, and client keys with OpenSSL. First, on the Docker daemon's host machine, generate CA private and public keys:
$ openssl genrsa -aes256 -out ca-key.pem 4096
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Provide all required fields. For the Common Name field, provide the hostname (on Ubuntu, run $ hostname --fqdn to get it).
- Now that you have a CA, you can create a server key and certificate signing request (CSR). Make sure that "Common Name" matches the hostname you use to connect to Docker:
$ openssl genrsa -out server-key.pem 4096
Note: Replace all instances of $HOST in the following example with the DNS name of your Docker daemon's host, or set HOST with the command $ export HOST=10.10.10.10 (host IP address or DNS name).
$ openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
- Next, sign the public key with our CA. Since TLS connections can be made through an IP address as well as a DNS name, the IP addresses need to be specified when creating the certificate. For example, to allow connections using 10.10.10.10 and 127.0.0.1:
$ echo subjectAltName = DNS:$HOST,IP:10.10.10.10,IP:127.0.0.1 >> extfile.cnf
- Set the Docker daemon key's extended usage attributes to be used only for server authentication:
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
- Now, generate the signed certificate:
$ openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
- For client authentication, create a client key and certificate signing request:
Note: For simplicity of the next couple of steps, you may perform this step on the Docker daemon's host machine as well.
$ openssl genrsa -out key.pem 4096
$ openssl req -subj '/CN=client' -new -key key.pem -out client.csr
- To make the key suitable for client authentication, create a new extensions config file:
$ echo extendedKeyUsage = clientAuth > extfile-client.cnf
- Now, generate the signed certificate:
$ openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
- After generating cert.pem and server-cert.pem you can safely remove the two certificate signing requests and extensions config files:
$ rm -v client.csr server.csr extfile.cnf extfile-client.cnf
- To protect your keys from accidental damage, remove their write permissions. To make them only readable by you, change file modes as follows:
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
Certificates can be world-readable, but you might want to remove write access to prevent accidental damage:
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
- Now you can make the Docker daemon only accept connections from clients providing a certificate trusted by your CA:
$ dockerd \
--tlsverify \
--tlscacert=ca.pem \
--tlscert=server-cert.pem \
--tlskey=server-key.pem \
-H=0.0.0.0:2376
To configure Docker to accept remote connections using the docker.service systemd unit file, as on Linux distributions such as recent versions of RedHat, CentOS, Ubuntu, and SLES, complete the following steps:
i. Use the command $ sudo systemctl edit docker.service to open an override file for docker.service in a text editor.
ii. Add or modify the following lines, substituting your own values.
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem
iii. Save the file.
iv. Reload the systemctl configuration.
$ sudo systemctl daemon-reload
v. Restart Docker.
$ sudo systemctl restart docker.service
For more information, see the Docker documentation on configuring remote access with a systemd unit file.
- To connect to Docker and validate its certificate, copy your client key (key.pem), client certificate (cert.pem) and trusted CA certificate (ca.pem) to the client machine and provide these files in the Docker plugin configuration steps.
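As an added example (not the page's or Docker's own code), the following POSIX shell functions run the certificate steps above non-interactively and then check the properties the daemon depends on: both leaf certificates chain to the CA with the extendedKeyUsage for their role, the client certificate is rejected in the server role, and the server certificate's SAN carries the name and IP clients will connect with. The daemon name, IP and directory are constructed values, and the keys are unencrypted 2048-bit ones so the run is quick; that is an assumption of this example, not the page's 4096-bit passphrase-protected CA key.

```shell
set -e
# make_docker_tls_pki DIR HOST IP: the CA, server and client steps above, run
# non-interactively inside DIR. The parenthesised body runs in a subshell so the
# cd does not leak. Assumption: unencrypted 2048-bit keys so the run is short;
# a real daemon should keep the page's 4096-bit, passphrase-protected CA key.
make_docker_tls_pki() (
  cd "$1" || exit 1
  host="$2"; ip="$3"
  openssl genrsa -out ca-key.pem 2048 2>/dev/null
  openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj '/CN=docker-ca' -out ca.pem
  # server: CN and SAN must carry every name and IP a client may pass to -H
  openssl genrsa -out server-key.pem 2048 2>/dev/null
  openssl req -subj "/CN=$host" -sha256 -new -key server-key.pem -out server.csr
  printf 'subjectAltName = DNS:%s,IP:%s,IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
    "$host" "$ip" > extfile.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf
  # client: clientAuth only, so this cert can never be presented as a daemon
  openssl genrsa -out key.pem 2048 2>/dev/null
  openssl req -subj '/CN=client' -new -key key.pem -out client.csr
  echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile extfile-client.cnf
  rm -f client.csr server.csr extfile.cnf extfile-client.cnf
  chmod 0400 ca-key.pem key.pem server-key.pem
  chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_docker_tls_pki DIR HOST IP: non-zero unless the files satisfy what
# dockerd --tlsverify and a verifying client actually check.
verify_docker_tls_pki() {
  d="$1"
  # each leaf chains to the CA and carries the EKU for its role
  openssl verify -purpose sslserver -CAfile "$d/ca.pem" "$d/server-cert.pem" >/dev/null || return 1
  openssl verify -purpose sslclient -CAfile "$d/ca.pem" "$d/cert.pem" >/dev/null || return 1
  # the client cert must be rejected in the server role
  if openssl verify -purpose sslserver -CAfile "$d/ca.pem" "$d/cert.pem" >/dev/null 2>&1; then
    echo 'client cert is acceptable as a server cert: wrong extendedKeyUsage' >&2; return 1
  fi
  # SAN must list the name and IP clients connect with, or hostname checks fail
  case "$(openssl x509 -in "$d/server-cert.pem" -noout -text)" in
    *"DNS:$2"*"IP Address:$3"*) return 0 ;;
    *) echo "server cert SAN lacks $2 / $3" >&2; return 1 ;;
  esac
}

# Demonstration with constructed values; use your daemon's DNS name and IP
dir=$(mktemp -d)
make_docker_tls_pki "$dir" docker.example.test 10.10.10.10
verify_docker_tls_pki "$dir" docker.example.test 10.10.10.10 && echo "PKI in $dir verified"
```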
Secure by default
If you want to secure your Docker client connections by default, move the files to the .docker directory in your home directory and set the DOCKER_HOST and DOCKER_TLS_VERIFY variables as well. You then do not need to provide the certificates and the Docker host URI to the Docker plugin for the connection.
For Ubuntu:
$ export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1
For more information, see: https://docs.docker.com/engine/security/protect-access/#use-tls-https-to-protect-the-docker-daemon-socket
SSH Configurations
- To use an SSH connection, the daemon must be listening on its UNIX socket. By default, the Docker daemon listens for connections on a UNIX socket to accept requests from local clients.
Note: To connect using this configuration type, there is no need to install Docker Engine on the client side.
- Provide the server name (public IP address), port, username and password.
- You can also use both configuration types. In that case, start the Docker daemon with the following command:
$ dockerd \
--tlsverify \
--tlscacert=ca.pem \
--tlscert=server-cert.pem \
--tlskey=server-key.pem \
-H unix:///var/run/docker.sock \
-H=0.0.0.0:2376