# Containers

## Articles

| Name | Comments |
| --- | --- |
| Docker CheatSheet | |
| Everything you need to know about containers | |
| A container networking overview | |
| My Docker Cheat Sheet | |
| Docker Networking Deep Dive | |

## Projects

| Name | Comments |
| --- | --- |
| awesome-docker | |

## Books

| Name | Comments |
| --- | --- |
| Docker Deep Dive | |

## Tools

| Name | Description |
| --- | --- |
| dive | "A tool for exploring a docker image, layer content, ..." |
| trivy | "A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI." |

## Production Best Practices

- Secure communication between daemon and clients using TLS

## Cheatsheet

- Stop and remove all containers: `podman container stop $(podman container ls -aq) && podman container rm $(podman container ls -aq)`
- Run container with bash shell: `podman run -ti ubuntu:latest /bin/bash`
- Check how many containers are running: `podman info`
- Cleanup everything: `podman system prune -a -f`

### Images

- List images: `podman image ls`
- Pull latest ubuntu image: `podman image pull ubuntu:latest`

### Security

- Secure communication between client and server (one CA, a server certificate restricted to `serverAuth`, a client certificate restricted to `clientAuth`):

```bash
# On CA node
openssl genrsa -aes256 -out ca-k.pem 4096
openssl req -new -x509 -days 730 -key ca-k.pem -sha256 -out ca.pem

# Daemon (server) key and CSR
openssl genrsa -out daemon-key.pem 4096
openssl req -subj "/CN=daemon.host.address" -sha256 -new -key daemon-key.pem -out daemon.csr
# Server extensions: the SAN must list every hostname/IP clients will connect to
# (overwrite file.conf rather than append, so no stale lines from an earlier run survive)
cat << EOF > file.conf
subjectAltName = DNS:daemon.host.address,IP:X.X.X.X
extendedKeyUsage = serverAuth
EOF
openssl x509 -req -days 730 -sha256 -in daemon.csr -CA ca.pem -CAkey ca-k.pem -CAcreateserial -out daemon-cert.pem -extfile file.conf

# Client key and CSR; clientAuth only, so this certificate cannot be used to impersonate the daemon
openssl genrsa -out client-key.pem 4096
openssl req -subj '/CN=client.address' -new -key client-key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > file.conf
openssl x509 -req -days 730 -sha256 -in client.csr -CA ca.pem -CAkey ca-k.pem -CAcreateserial -out client-cert.pem -extfile file.conf

# Private keys readable only by their owner, certificates world-readable
chmod 0400 ca-k.pem client-key.pem daemon-key.pem && chmod -v 0444 ca.pem client-cert.pem daemon-cert.pem

# On daemon host put ca.pem, daemon-cert.pem and daemon-key.pem in ~/.docker
# On client host put ca.pem, client-cert.pem and client-key.pem in ~/.docker
```
- Enable TLS

Put the following in `/etc/docker/daemon.json`. `tlscert` and `tlskey` must point at the files copied to the daemon host in the previous step (`daemon-cert.pem` and `daemon-key.pem`); with `tlsverify` set, the daemon rejects any client that does not present a certificate signed by the CA in `tlscacert`. If `dockerd` is started by a systemd unit that already passes `-H` (the Debian/Ubuntu packages use `-H fd://`), remove that flag from the unit, otherwise the daemon refuses to start because `hosts` is configured both as a flag and in the file.

```json
{
  "hosts": ["tcp://node3:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/home/ubuntu/.docker/ca.pem",
  "tlscert": "/home/ubuntu/.docker/daemon-cert.pem",
  "tlskey": "/home/ubuntu/.docker/daemon-key.pem"
}
```
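The certificate procedure above, run end to end and then checked, as an added example that is not the cheatsheet's own script. It assumes only the OpenSSL command-line tool; the hostname `daemon.example.internal` and IP `127.0.0.1` are constructed placeholders, the keys are 2048-bit and the CA key is left unencrypted so the script runs unattended (the page's 4096-bit keys and AES-encrypted CA key are the better choice for a real deployment). The `verify_docker_tls_pki` function is the part worth keeping: `openssl verify -purpose` confirms that each certificate chains to the CA and is accepted only for the role it was issued for, which is exactly what the two `extendedKeyUsage` lines buy you.

```shell
#!/bin/sh
# Added example (not from the original page): builds the CA / daemon / client
# PKI described in the cheatsheet and checks it before anything is deployed.
# Assumptions: openssl CLI available; hostname/IP are constructed placeholders;
# 2048-bit keys and an unencrypted CA key so the script runs non-interactively.

# make_docker_tls_pki DIR HOSTNAME IP
make_docker_tls_pki() {
    dir="$1"; host="$2"; ip="$3"
    mkdir -p "$dir"

    # CA: self-signed, valid 730 days as on the page
    openssl genrsa -out "$dir/ca-k.pem" 2048 2>/dev/null
    openssl req -new -x509 -days 730 -sha256 -key "$dir/ca-k.pem" \
        -subj "/CN=Docker demo CA" -out "$dir/ca.pem"

    # Daemon (server) certificate: the SAN must list every name/IP clients will dial
    openssl genrsa -out "$dir/daemon-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/daemon-key.pem" -subj "/CN=$host" -out "$dir/daemon.csr"
    printf 'subjectAltName = DNS:%s,IP:%s\nextendedKeyUsage = serverAuth\n' "$host" "$ip" > "$dir/server.conf"
    openssl x509 -req -days 730 -sha256 -in "$dir/daemon.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-k.pem" \
        -CAcreateserial -extfile "$dir/server.conf" -out "$dir/daemon-cert.pem" 2>/dev/null

    # Client certificate: clientAuth only, so it can never stand up a fake daemon
    openssl genrsa -out "$dir/client-key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/client-key.pem" -subj "/CN=client" -out "$dir/client.csr"
    printf 'extendedKeyUsage = clientAuth\n' > "$dir/client.conf"
    openssl x509 -req -days 730 -sha256 -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-k.pem" \
        -CAcreateserial -extfile "$dir/client.conf" -out "$dir/client-cert.pem" 2>/dev/null

    # Private keys owner-read-only, certificates world-readable (same as the page's chmod line)
    chmod 0400 "$dir/ca-k.pem" "$dir/client-key.pem" "$dir/daemon-key.pem"
    chmod 0444 "$dir/ca.pem" "$dir/client-cert.pem" "$dir/daemon-cert.pem"
}

# verify_docker_tls_pki DIR HOSTNAME -> exit status 0 if the PKI is consistent, 1 otherwise
verify_docker_tls_pki() {
    dir="$1"; host="$2"
    # Each certificate chains to the CA and carries the extendedKeyUsage for its role
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/daemon-cert.pem" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/client-cert.pem" >/dev/null 2>&1 || return 1
    # Cross-use must be rejected: a leaked client cert is useless as a server cert, and vice versa
    openssl verify -CAfile "$dir/ca.pem" -purpose sslserver "$dir/client-cert.pem" >/dev/null 2>&1 && return 1
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/daemon-cert.pem" >/dev/null 2>&1 && return 1
    # The daemon cert must name the host in its SAN, or --tlsverify clients will refuse it
    openssl x509 -in "$dir/daemon-cert.pem" -noout -text | grep -q "DNS:$host" || return 1
    # Private keys must not be group- or world-readable (GNU stat first, BSD stat as fallback)
    for k in ca-k.pem daemon-key.pem client-key.pem; do
        mode=$(stat -c %a "$dir/$k" 2>/dev/null || stat -f %Lp "$dir/$k")
        [ "$mode" = "400" ] || return 1
    done
    return 0
}

# Usage: sh docker-tls-pki.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_docker_tls_pki "$work" daemon.example.internal 127.0.0.1
    if verify_docker_tls_pki "$work" daemon.example.internal; then
        echo "PKI OK in $work: copy ca.pem + daemon-*.pem to the daemon host, ca.pem + client-*.pem to the client"
    else
        echo "PKI check FAILED" >&2
        exit 1
    fi
fi
```

On the client side, the generated files are used either explicitly (`docker --tlsverify --tlscacert=ca.pem --tlscert=client-cert.pem --tlskey=client-key.pem -H tcp://daemon.host.address:2376 version`) or implicitly by copying them into `~/.docker` as `ca.pem`, `cert.pem` and `key.pem` and exporting `DOCKER_TLS_VERIFY=1` and `DOCKER_HOST=tcp://daemon.host.address:2376`; the `cert.pem`/`key.pem` names are what the Docker client looks for by default, which is a different convention from the `daemon-cert.pem`/`daemon-key.pem` names that belong in `daemon.json`.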