Created
October 11, 2020 00:26
-
-
Save VadimBrodsky/57cf690d5be427591d142a3bb1672e56 to your computer and use it in GitHub Desktop.
docker server
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Add user | |
| # https://www.digitalocean.com/community/tutorials/how-to-create-a-new-sudo-enabled-user-on-ubuntu-20-04-quickstart | |
| adduser vadim | |
| usermod -aG sudo vadim | |
| # Copy over the keys | |
| # https://askubuntu.com/questions/1218023/copying-ssh-key-from-root-to-another-user-on-same-machine | |
| sudo cp /root/.ssh/authorized_keys /home/$USER/.ssh/authorized_keys | |
| sudo chown -R $USER:$USER /home/$USER/.ssh | |
| sudo chmod 600 /home/$USER/.ssh/authorized_keys | |
| # Disable ssh access for root | |
| # https://www.cyberciti.biz/faq/howto-limit-what-users-can-log-onto-system-via-ssh/ | |
| vi /etc/ssh/sshd_config | |
| PermitRootLogin no | |
| AllowUsers vadim | |
| sudo rm /root/.ssh/authorized_keys | |
| service ssh restart | |
| # Install portainer | |
| docker swarm init --advertise-address IP | |
| docker volume create portainer_data | |
| docker run -d -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce | |
| # Dont allow docker to modify iptables | |
| # https://www.mkubaczyk.com/2017/09/05/force-docker-not-bypass-ufw-rules-ubuntu-16-04/ | |
| echo "{ | |
| \"iptables\": false | |
| }" > /etc/docker/daemon.json | |
| sed -i -e 's/DEFAULT_FORWARD_POLICY="DROP"/DEFAULT_FORWARD_POLICY="ACCEPT"/g' /etc/default/ufw | |
| ufw reload | |
| # Docker has the IP of 172.17.0.1 (can be found easily with ifconfig for docker0 interface), we run | |
| iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE | |
| # Firewall | |
| sudo ufw default deny incoming | |
| sudo ufw default allow outgoing | |
| sudo ufw allow ssh | |
| sudo ufw allow http | |
| sudo ufw allow https | |
| sudo allow 9000 | |
| sudo ufw enable |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment