Docker Maintenance Guide

This guide will walk you through various tasks for maintaining Docker containers and images.

Installation Guide

Installing Docker Engine

On Ubuntu/Debian

bash
# Update package index
sudo apt-get update

# Install prerequisites
sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common

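# Add Docker's official GPG key to a dedicated keyring
# (apt-key is deprecated and would trust the key for every repository)
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Set up the stable repository, pinned to that key (on Debian, replace "ubuntu" with "debian" in both URLs)
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null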

# Install Docker Engine
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io

On CentOS/RHEL

bash
# Install prerequisites
sudo yum install -y yum-utils

# Add Docker repository
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# Install Docker Engine
sudo yum install -y docker-ce docker-ce-cli containerd.io

On macOS

bash
# Install using Homebrew
brew install --cask docker

On Windows

  1. Download Docker Desktop from Docker Hub
  2. Follow the installation wizard instructions

Installing Docker Compose

On Linux

bash
# Download the current stable release
sudo curl -L "https://github.com/docker/compose/releases/download/v2.20.3/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

# Apply executable permissions
sudo chmod +x /usr/local/bin/docker-compose

On macOS/Windows

Docker Compose is included with the Docker Desktop installation.

Setting Up Docker Swarm

bash
# Initialize swarm mode on manager node
docker swarm init --advertise-addr <MANAGER-IP>

# Join worker nodes (using the token provided by the init command)
docker swarm join --token <TOKEN> <MANAGER-IP>:2377

Troubleshooting Docker Installation

Fixing Duplicate Repository Warnings

If you encounter this warning:

W: Target CNF (stable/cnf/Commands-all) is configured multiple times in /etc/apt/sources.list.d/archive_uri-https_download_docker_com_linux_ubuntu-jammy.list:1 and /etc/apt/sources.list.d/docker.list:1

This means Docker's repository is configured in multiple files. To fix it:

bash
# First, examine the content of both files to ensure they contain the same repository
cat /etc/apt/sources.list.d/archive_uri-https_download_docker_com_linux_ubuntu-jammy.list
cat /etc/apt/sources.list.d/docker.list

# Remove one of the duplicate files (typically the longer-named one)
sudo rm /etc/apt/sources.list.d/archive_uri-https_download_docker_com_linux_ubuntu-jammy.list

# Update package lists to verify the warning is gone
sudo apt update

If you installed Docker using different methods (like both apt and the convenience script), this can happen. Always stick to one installation method to avoid conflicts.

Step 1: Log in to Docker Registry

To log in to a Docker registry, use the following command:

bash
docker login

You will be prompted to enter your Docker Hub username and password.

Step 2: List Docker Images

To list all Docker images on your local machine, use the following command:

bash
docker images

Step 3: List Docker Containers

To list all running Docker containers, use the following command:

bash
docker ps

To list all containers (running and stopped), use:

bash
docker ps -a

Step 4: Check Docker Sessions

To check active Docker sessions, use the following command:

bash
docker session ls

Step 5: Connect to a Docker Container

To connect to a Docker container interactively, use the following command:

bash
docker exec -it <container_id> /bin/bash

Replace <container_id> with the ID of the container you want to connect to.

To attach your terminal to the main process of a container that was started in detached mode, use:

bash
docker attach <container_id>

Step 6: Stop a Docker Container

To stop a running Docker container, use the following command:

bash
docker stop <container_id>

Step 7: Delete a Docker Container

To delete a stopped Docker container, use the following command:

bash
docker rm <container_id>

Step 8: Delete a Docker Image

To delete a Docker image, use the following command:

bash
docker rmi <image_id>

Step 9: Purge Orphan Images/Containers

To remove all stopped containers, use the following command:

bash
docker container prune

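To remove unused images, use the following command. By default it removes only dangling (untagged) images; add -a to remove every image that no container uses: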

bash
docker image prune

Step 10: Check Docker Logs

To check the logs of a Docker container, use the following command:

bash
docker logs <container_id>

Conclusion

You have successfully learned how to log in to the Docker registry, list images and containers, check sessions, connect to a Docker container interactively or detached, stop a container, delete a container, delete an image, purge orphan images/containers, and check logs. These tasks will help you maintain your Docker environment efficiently.

Security Best Practices

Docker Daemon Security

  1. Use TLS for Docker daemon communication
bash
# Generate the CA key and certificate (the server and client certificates
# referenced in daemon.json must be issued by this CA)
mkdir -p ~/.docker/certs
cd ~/.docker/certs
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

# Configure Docker daemon to use TLS
sudo nano /etc/docker/daemon.json

Add the following to daemon.json:

json
{
  "tls": true,
  "tlscacert": "/path/to/ca.pem",
  "tlscert": "/path/to/server-cert.pem",
  "tlskey": "/path/to/server-key.pem",
  "tlsverify": true
}
  2. Limit user access to Docker daemon
bash
# Add users to the docker group only when necessary:
# membership grants root-equivalent control of the host through the daemon
sudo usermod -aG docker <username>
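
The TLS item above generates only the CA, while daemon.json expects server-cert.pem and server-key.pem. As an added example (not part of the original guide), this script issues the server and client certificates as well and checks them; the hostname argument, the CN values and the unencrypted keys are assumptions made so that it runs unattended.

```bash
#!/usr/bin/env bash
# Added example. Keys are left unencrypted so the script runs without prompts;
# the guide's own CA key uses -aes256, which is preferable for a long-lived CA.

# make_docker_tls DIR HOSTNAME [BITS]: write ca.pem, server-cert.pem and
# server-key.pem (for daemon.json) plus cert.pem and key.pem (for the client).
make_docker_tls() (
  set -e
  dir="$1"; host="$2"; bits="${3:-4096}"
  umask 077                          # private keys are created owner-only
  mkdir -p "$dir"; cd "$dir"

  # 1. Certificate authority
  openssl genrsa -out ca-key.pem "$bits" 2>/dev/null
  openssl req -new -x509 -days 365 -sha256 -key ca-key.pem -subj "/CN=docker-ca" -out ca.pem

  # 2. Server certificate: the SAN must match the name clients connect to,
  #    and the EKU restricts the certificate to server authentication.
  openssl genrsa -out server-key.pem "$bits" 2>/dev/null
  openssl req -new -sha256 -key server-key.pem -subj "/CN=$host" -out server.csr
  printf 'subjectAltName=DNS:%s,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' "$host" > server.ext
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile server.ext -out server-cert.pem 2>/dev/null

  # 3. Client certificate: the EKU restricts it to client authentication.
  openssl genrsa -out key.pem "$bits" 2>/dev/null
  openssl req -new -sha256 -key key.pem -subj "/CN=docker-client" -out client.csr
  printf 'extendedKeyUsage=clientAuth\n' > client.ext
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile client.ext -out cert.pem 2>/dev/null

  rm -f server.csr client.csr server.ext client.ext
  chmod 0444 ca.pem server-cert.pem cert.pem
)

# verify_docker_tls DIR: succeed only if both certificates chain to the CA
# and are valid for their intended purpose.
verify_docker_tls() {
  openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server-cert.pem" >/dev/null 2>&1 &&
  openssl verify -CAfile "$1/ca.pem" -purpose sslclient "$1/cert.pem" >/dev/null 2>&1
}

# Usage: make_docker_tls ~/.docker/certs <daemon-hostname> && verify_docker_tls ~/.docker/certs
```

Point the "tlscacert", "tlscert" and "tlskey" entries in daemon.json at the generated ca.pem, server-cert.pem and server-key.pem, and keep ca-key.pem off the Docker host.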

Container Security

  1. Run containers with limited capabilities
bash
# Drop all capabilities and add only necessary ones
docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE your-container
  2. Use read-only filesystem when possible
bash
docker run --read-only your-container
  3. Set resource limits
bash
# --memory is a hard cap; --cpu-shares is only a relative weight under CPU contention
docker run --memory=512m --cpu-shares=512 your-container

Image Security

  1. Use official or verified images
  2. Regularly scan images for vulnerabilities
bash
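# Install trivy scanner (requires Aqua Security's apt repository to be configured first;
# trivy is not in the default Ubuntu/Debian repositories)
sudo apt-get install trivy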

# Scan an image
trivy image your-image:tag
  3. Use multi-stage builds to minimize image size
dockerfile
FROM node:14 AS build
WORKDIR /app
COPY package*.json ./
RUN npm install
COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=build /app/dist /usr/share/nginx/html

Docker Compose Security

Add security configurations to your docker-compose.yml:

yaml
version: '3'
services:
  webapp:
    image: myapp
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
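
To check running containers against the Container Security and Docker Compose Security settings above, the following added example (not from the original guide) audits `docker inspect` output. The pipe-delimited layout is a choice made here, and the container names and sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example. Input: one line per container, produced on a Docker host with
#   docker ps -q | xargs -r docker inspect --format \
#     '{{.Name}}|{{.HostConfig.Privileged}}|{{.HostConfig.ReadonlyRootfs}}|{{.HostConfig.CapDrop}}|{{.HostConfig.SecurityOpt}}|{{.HostConfig.Memory}}'

# audit_hardening: print one finding per missing setting; return 1 if any.
audit_hardening() {
  local rc=0 name priv ro capdrop secopt mem caps
  while IFS='|' read -r name priv ro capdrop secopt mem; do
    [ -n "$name" ] || continue
    if [ "$priv" = "true" ]; then echo "$name: runs privileged"; rc=1; fi
    if [ "$ro" != "true" ]; then echo "$name: root filesystem is writable"; rc=1; fi
    # CapDrop prints as a Go list, e.g. [ALL], or [] when nothing was dropped
    caps=$(printf '%s' "$capdrop" | tr -d '[]' | tr '[:lower:]' '[:upper:]')
    case " $caps " in
      *" ALL "*) ;;
      *) echo "$name: cap_drop does not include ALL"; rc=1 ;;
    esac
    case "$secopt" in
      *no-new-privileges:false*) echo "$name: no-new-privileges not set"; rc=1 ;;
      *no-new-privileges*) ;;
      *) echo "$name: no-new-privileges not set"; rc=1 ;;
    esac
    # Memory is reported in bytes; 0 means no limit
    if [ "${mem:-0}" = "0" ]; then echo "$name: no memory limit"; rc=1; fi
  done
  return "$rc"
}

# Constructed sample lines (not real output): one hardened, one default container.
SAMPLE_LINES='/webapp|false|true|[ALL]|[no-new-privileges:true]|536870912
/legacy|false|false|[]|[]|0'

printf '%s\n' "$SAMPLE_LINES" | audit_hardening || true
```

The non-zero return status makes the function usable as a gate in a scheduled job or CI step.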

Docker Swarm Security

bash
# Create encrypted networks for service communication
docker network create --opt encrypted --driver overlay secure-network

# Enable autolock to protect swarm encryption keys
docker swarm update --autolock=true

Remember to always keep Docker and all components updated to the latest versions to benefit from security patches:

bash
sudo apt-get update && sudo apt-get install --only-upgrade docker-ce docker-ce-cli containerd.io