@varnav
Last active February 25, 2022 18:50
Docker bare metal basics
Misc:
apt install mc fail2ban htop openvpn git iotop lsof
Add to /etc/sysctl.d/70-bufferbloat.conf
net.core.default_qdisc=fq
net.ipv4.tcp_fastopen=3
net.ipv4.tcp_ecn=1
net.ipv4.tcp_sack=1
net.ipv4.tcp_dsack=1
printf '#!/bin/sh\ndocker system prune -a -f\n' > /etc/cron.weekly/docker_cleanup
chmod +x /etc/cron.weekly/docker_cleanup   # run-parts only executes files that have a shebang and the exec bit
Firewall:
apt install ufw
ufw allow ssh
ufw allow from 10.0.0.0/8
ufw enable
ufw status verbose
Docker installation:
apt install apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
add-apt-repository "deb [arch=$(dpkg --print-architecture)] https://download.docker.com/linux/ubuntu bionic stable"
apt-cache policy docker-ce
apt install docker-ce
echo '{"icc": false}' > /etc/docker/daemon.json
systemctl restart docker
systemctl status docker
Portainer (Docker GUI):
mkdir /opt/portainer-certs
cd /opt/portainer-certs
openssl ecparam -genkey -name secp384r1 -out portainer.key   # or an RSA key instead: openssl genrsa -out portainer.key 2048
openssl req -new -x509 -sha256 -key portainer.key -out portainer.crt -days 3650
ufw allow 443/tcp
docker run -d -p 443:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data -v /opt/portainer-certs:/certs --restart unless-stopped --security-opt no-new-privileges --name portainer portainer/portainer --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key
Docker security audit:
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sh docker-bench-security.sh
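A small follow-up check, added here as an example and not part of this gist or of docker-bench-security: it reads a daemon.json and `docker inspect` output and reports on the settings applied above (icc off, no-new-privileges, the docker.sock bind mount, ports published on all interfaces). Both inputs are constructed samples mirroring the commands above; on a real host feed it the contents of /etc/docker/daemon.json and the output of `docker inspect portainer`.

```python
import json

# Constructed sample of the /etc/docker/daemon.json written above.
SAMPLE_DAEMON_JSON = '{"icc": false}'

# Constructed, abbreviated `docker inspect portainer` output mirroring the
# `docker run` line above (not captured from a real host).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/portainer",
    "HostConfig": {
        "SecurityOpt": ["no-new-privileges"],
        "Privileged": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                  "portainer_data:/data",
                  "/opt/portainer-certs:/certs"],
        "PortBindings": {"9000/tcp": [{"HostIp": "", "HostPort": "443"}]},
    },
}])

def audit_daemon(daemon_json):
    """Findings for the daemon config; an empty list means nothing to report."""
    cfg = json.loads(daemon_json)
    findings = []
    if cfg.get("icc", True):  # Docker's default is icc=true
        findings.append("icc enabled: containers on the default bridge can reach each other")
    return findings

def audit_containers(inspect_json):
    """Map container name -> findings, from `docker inspect` JSON."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c["HostConfig"]
        findings = []
        # Docker reports the flag as "no-new-privileges" or "no-new-privileges:true"
        if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
            findings.append("missing --security-opt no-new-privileges")
        if hc.get("Privileged"):
            findings.append("runs --privileged")
        for bind in hc.get("Binds") or []:
            if bind.split(":")[0] == "/var/run/docker.sock":
                findings.append("docker.sock bind-mounted: container controls the Docker daemon")
        for port, hosts in (hc.get("PortBindings") or {}).items():
            for h in hosts:
                if h.get("HostIp", "") in ("", "0.0.0.0"):
                    findings.append(f"{port} published on all interfaces as host port {h['HostPort']}")
        report[c["Name"].lstrip("/")] = findings
    return report
```

For the sample above the daemon check is clean, while the container report lists the docker.sock mount and the port published on all interfaces, both of which this gist relies on (Portainer needs the socket, ufw fronts the port).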
Host performance monitoring:
ufw allow 19999/tcp
bash <(curl -Ss https://my-netdata.io/kickstart.sh)
systemctl start netdata
Disk space usage:
du -h /opt | sort -hr
docker system df -v