

Docker: Установка и настройка


Метки: docker docker-compose pip dnf nftables

Установка

Debian

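# Remove distro-packaged Docker variants that conflict with docker-ce.
# `apt-get remove` exits non-zero for a package apt has never heard of
# (e.g. docker-doc on some releases); that is harmless here, so do not
# run this under `set -e`.
for pkg in docker.io docker-doc docker-compose podman-docker containerd runc; do
    apt-get -y remove "$pkg"
done
apt-get -y update
apt-get -y install ca-certificates curl gnupg
# Keep the vendor key in its own file and bind it to this repo with
# signed-by, instead of trusting it for every apt source on the host.
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
chmod a+r /etc/apt/keyrings/docker.gpg
# The key arrived over TLS only; pin it to the fingerprint Docker publishes
# at https://docs.docker.com/engine/install/debian/ before the repo is added
# (cross-check the value below against that page).
expected_fpr="9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
gpg --no-default-keyring --keyring /etc/apt/keyrings/docker.gpg --list-keys --with-colons \
    | grep -q "^fpr:.*:${expected_fpr}:" \
    || { echo "docker.gpg fingerprint mismatch, refusing to add the repo" >&2; exit 1; }
echo \
  "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" | \
  tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
# docker-compose-plugin added so the package set matches the Fedora section.
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin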

Fedora

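# Remove the distro/legacy Docker packages that conflict with docker-ce.
# `-y` matches the non-interactive install lines below.
dnf -y remove docker \
    docker-client \
    docker-client-latest \
    docker-common \
    docker-latest \
    docker-latest-logrotate \
    docker-logrotate \
    docker-selinux \
    docker-engine-selinux \
    docker-engine
dnf -y install dnf-plugins-core
# `addrepo --from-repofile` is the dnf5 form (Fedora 41+); on dnf4 the
# equivalent is `dnf config-manager --add-repo <url>`. The repo file is
# fetched over TLS; package signatures are then checked against the key
# the repo file declares (gpgcheck/gpgkey), so inspect it after download.
dnf config-manager addrepo \
--from-repofile https://download.docker.com/linux/fedora/docker-ce.repo
dnf install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# The daemon is not started or enabled by the package on Fedora; do that
# explicitly (systemctl enable --now docker) once the firewall below is in place.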

Настройка

nftables

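# Host firewall for Docker bridges, loaded with `nft -f`.
# NOTE(review): this hand-written ruleset only makes sense if the daemon does
# not manage iptables itself; otherwise Docker writes its own rules into the
# iptables-nft tables `ip filter`/`ip nat` in parallel with these. Confirm
# "iptables": false in /etc/docker/daemon.json.
table inet filter {
    # Per-published-port accept rules. The original jumped to DOCKER without
    # defining it, which nft rejects at load time (a jump target must exist in
    # the same table). Declare it here; empty means no port is published.
    chain DOCKER {
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
        ct state invalid drop comment "Drop invalid connections";
        ct state established,related accept comment "Accept traffic originated from us";

        # Default bridge. New connections INTO docker0 are dropped by policy,
        # so published ports on it need an explicit accept (and DNAT, see nat).
        # The "!= docker0" accept also covers br-* as egress, i.e. nothing here
        # isolates docker0 from user-defined networks the way Docker's
        # DOCKER-ISOLATION chains do; add drops before it if that matters.
        oifname "docker0" ct state related,established accept;
        iifname docker0 oifname != docker0 accept;
        iifname docker0 oifname docker0 accept;

        # User-defined networks (br-<id>): same shape, published ports via DOCKER.
        oifname "br-*" ct state related,established accept;
        oifname "br-*" jump DOCKER;
        iifname "br-*" oifname != "br-*" accept;
        iifname "br-*" oifname "br-*" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        policy accept;
        # SNAT for outbound container traffic. 172.16.0.0/12 covers Docker's
        # default address pools; adjust if default-address-pools was changed.
        # Traffic from docker0 egressing via a br-* bridge is not excluded and
        # is therefore masqueraded too. No prerouting/DNAT chain is defined, so
        # published ports need one added here (hook prerouting priority dstnat).
        oifname != "docker0" ip saddr 172.16.0.0/12 masquerade;
    }
}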
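# Alternative to the ruleset file above: append the same rules to the
# `ip filter` table that iptables-nft (and therefore the Docker daemon, when
# it manages iptables) maintains. The DOCKER chain must already exist in
# `ip filter` or the jump is rejected; the daemon creates it only when it
# manages iptables itself.
# Wildcard interface names are wrapped in single quotes so the shell passes
# the double quotes through to nft; with plain "br-*" the shell strips them
# and nft receives a bare br-* token.
nft add rule ip filter forward oifname docker0 ct state related,established accept
nft add rule ip filter forward iifname docker0 oifname != docker0 accept
nft add rule ip filter forward iifname docker0 oifname docker0 accept

nft add rule ip filter forward oifname '"br-*"' ct state related,established accept
nft add rule ip filter forward oifname '"br-*"' jump DOCKER
nft add rule ip filter forward iifname '"br-*"' oifname != '"br-*"' accept
nft add rule ip filter forward iifname '"br-*"' oifname '"br-*"' accept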