Docker

Docker Networking


#Create Network

docker network create \
--driver=bridge \
--subnet=172.28.0.0/16 \
--ip-range=172.28.5.0/24 \
--gateway=172.28.5.254 \
br0


docker network create djlabs_default --subnet=172.28.0.0/16

#smaller subnet
docker network create djlabs_4 --subnet=172.28.4.0/24


docker network create djlabs_default

docker network ls

docker network inspect djlabs_default


#Docker compose

#insert at the end of the docker compose file, lined up with services

services:
  ~
  ~

networks:
  default:
    external:
      name: djlabs_default


#Delete Network


docker network rm my-network





brctl show

bridge name     bridge id           STP enabled  interfaces
br-8501bbb1f17b 8000.0242f1d62f7d   no
br0             8000.3417ebbb7e6e   no           eno1
                                                 vnet0
docker0         8000.024251c6e2f7   no
virbr0          8000.525400616906   yes
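The bridge listing above maps onto Docker networks. As an added example (not from the original notes), these shell functions relate a Docker network to the Linux bridge behind it and list what is attached to that bridge; they assume `docker` and `brctl` on the host, and the parser is exercised on a sample constructed from the output above.

```shell
#!/bin/sh
# Added example, not part of the original notes: relate a Docker network to the
# Linux bridge behind it and list what is plugged into that bridge. Assumes
# `docker` and `brctl` (bridge-utils) on the host; the parser works on plain
# text and is exercised below on a sample built from the brctl output above.

# Docker names the bridge of a user-defined network "br-" followed by the
# first 12 hex characters of the network ID (br-8501bbb1f17b above is one).
bridge_name_from_id() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# Live lookup, network name -> bridge name (needs docker).
bridge_for_network() {
    bridge_name_from_id "$(docker network inspect -f '{{.Id}}' "$1")"
}

# Print the interfaces attached to one bridge, space separated, given the text
# of `brctl show`. brctl lists a bridge's second and later interfaces on
# continuation lines that carry only the interface name (vnet0 under br0
# above), so the parser has to remember which bridge row it is inside.
bridge_ifaces() {
    # $1 = brctl show output, $2 = bridge name
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                    # header row
        NF == 0 { ifc = ""; next }          # blank line: nothing to attach
        NF >= 3 { cur = $1; ifc = $4 }      # bridge row: name id stp [iface]
        NF == 1 { ifc = $1 }                # continuation row: iface only
        cur == want && ifc != "" { out = out (out == "" ? "" : " ") ifc }
        END { print out }'
}

# Which bridge does a network use and what is attached to it? (needs docker)
report_network() {
    br=$(bridge_for_network "$1")
    printf '%s -> %s: %s\n' "$1" "$br" "$(bridge_ifaces "$(brctl show)" "$br")"
}

# Constructed sample in the shape of the brctl show output above.
SAMPLE_BRCTL='bridge name     bridge id           STP enabled  interfaces
br-8501bbb1f17b 8000.0242f1d62f7d   no
br0             8000.3417ebbb7e6e   no           eno1
                                                 vnet0
docker0         8000.024251c6e2f7   no
virbr0          8000.525400616906   yes'

# Usage: bridge_ifaces "$SAMPLE_BRCTL" br0    -> "eno1 vnet0"
#        report_network djlabs_default         (live, needs docker and brctl)
```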

#extras

docker inspect <container-name>

#open a shell inside a running container
docker exec -it <container_id> /bin/sh

--

ps -ef | grep 88

sudo kill 875


netstat -anp | grep :53



Quick Nginx Web Server


version: '3'
services:
  nginx:
    container_name: webtest
    image: nginx:latest
    volumes:
      # left side must be the local directory that holds index.html (a single file cannot be mounted over the html directory)
      - <path/to/local/html-dir>:/usr/share/nginx/html
    ports:
      - 80:80
      - 443:443


Guacamole

git clone "https://github.com/boschkundendienst/guacamole-docker-compose.git"

cd guacamole-docker-compose

./prepare.sh

docker-compose up -d



You can use your own certificates by placing the private key in nginx/ssl/self-ssl.key and the cert in nginx/ssl/self.cert


### wrong DNS server

The simple fix seems to be to create a new config file, for instance 03-pihole-dhcp-dns-fix.conf, in the folder that is mapped to the /etc/dnsmasq.d folder in the container, with this content (adapt the IP to your needs):

dhcp-option=option:dns-server,<your host IP>

ref;

https://github.com/boschkundendienst/guacamole-docker-compose


Docker notes


#show port numbers
docker port container-name

#Stop all docker containers
docker kill $(docker ps -q)

Upload to docker hub

docker login

docker tag smtp-proxy:v1 donamato/smtp-proxy:latest

docker push donamato/smtp-proxy:latest

Docker Test Apps


https://github.com/f5devcentral/f5-demo-httpd

https://hub.docker.com/r/swaggerapi/petstore

https://github.com/dotronglong/faker


docker run --rm -it -p 80:80 vulnerables/web-dvwa

docker run --rm -p 3000:3000 bkimminich/juice-shop

docker run --name hackazon -d -p 80:80 bepsoccer/all-in-one-hackazon

https://github.com/ravikalla/online-bank

docker run --rm -it -d -p 88:80 yeasy/simple-web:latest

---

docker pull webgoat/webgoat-7.1

docker run -p 8080:8080 -t webgoat/webgoat-7.1

From <https://hub.docker.com/r/webgoat/webgoat-7.1/>

https://hub.docker.com/r/webgoat/webgoat-8.0/

docker pull webgoat/webgoat-8.0

docker run -p 8080:8080 -t webgoat/webgoat-8.0

From <https://hub.docker.com/r/webgoat/webgoat-8.0/>

http://192.168.70.70:8080/WebGoat/login

User - create new user

WebGoat walk through!

http://shubhamhacker.blogspot.com/2018/02/walkthrough-hello-guys-this-is-shubham.html

----

Great test app

https://hub.docker.com/r/rawmind/web-test

docker pull rawmind/web-test

docker run -d -p 86:8080 rawmind/web-test

----------------

FILE UPLOAD SERVER FOR CHECKING VIRUSES

docker build -t uploader .

From <https://github.com/peebles/cloud-file-upload>

https://hub.docker.com/r/linuxserver/photoshow/

docker pull linuxserver/photoshow

From <https://hub.docker.com/r/linuxserver/photoshow/>


docker pull alterway/docker-image-gallery

docker pull mayth/simple-upload-server


--------------------------------

docker run -d -p 8581:80 donamato/red



https://github.com/0xn3va/cheat-sheets/tree/main/Web%20Application



WireGuard

#Docker Compose


---
version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERURL=wireguard.domain.com #optional server ip or hostname
      - SERVERPORT=51820 #optional server port can be changed
      - PEERS=1 #optional
      - PEERDNS=auto #optional DNS for the connecting peers
      - INTERNAL_SUBNET=10.13.13.0 #optional - internal subnet for the wireguard server and peers (only change if it clashes). Used in server mode.
      - ALLOWEDIPS=0.0.0.0/0 #optional - the IPs/ranges that the peers will be able to reach using the VPN connection. If not specified the default value is '0.0.0.0/0, ::0/0', which routes ALL traffic through the VPN. If you want split tunneling, set this to only the IPs you would like to use the tunnel for AND the server's WG ip, such as 10.13.13.1.
    volumes:
      - /path/to/appdata/config:/config
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped

#To monitor the logs of the container in realtime:
docker logs -f wireguard

#Peer QR codes

To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: docker exec -it wireguard /app/show-peer 1 4 5 or docker exec -it wireguard /app/show-peer myPC myPhone myTablet (Keep in mind that the QR codes are also stored as PNGs in the config folder).




Portainer

### portainer ###

docker run --name lab-portainer -d -p 9000:9000 --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /home/fplabs/portainer/data:/data portainer/portainer

### portainer agent###

docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /home/fplabs/portainer/data:/var/lib/docker/volumes portainer/agent

Nginx reverse proxy docker-compose

Example

#create a directory for the config files.

mkdir -p /dockerlab/labproxy

cd /dockerlab/labproxy

#Create docker compose file

nano docker-compose.yml

version: '3'
services:
  nginx:
    container_name: labproxy
    image: nginx:latest
    volumes:
      - /dockerlab/labproxy/conf.d:/etc/nginx/conf.d:ro
    ports:
      - 80:80
      - 443:443

----

#Simple reverse proxy config

mkdir /dockerlab/labproxy/conf.d

cd /dockerlab/labproxy/conf.d

nano proxy1.conf

server {
    server_name web2.fplabs.com;
    listen 80;
    location / {
        proxy_pass http://192.168.101.50:8082;
    }
}

#Simple load balancing

nano proxy1.conf

upstream lb_fplab {
    server 192.168.101.50:8080;
    server 192.168.101.50:8082;
}

server {
    listen 80;
    server_name web1.fplabs.com;
    location / {
        proxy_pass http://lb_fplab;
    }
}

#add persistence (ip_hash goes inside the upstream block; a client IP is then always sent to the same backend)

upstream lb_fplab {
    ip_hash;
    server 192.168.101.50:8080;
    server 192.168.101.50:8082;
}

server {
    listen 80;
    server_name web1.fplabs.com;
    location / {
        proxy_pass http://lb_fplab;
    }
}
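Putting the load-balancing and persistence snippets above together: as an added example (not from the original notes), this script generates the config with ip_hash in the right place, then tests and hot-reloads it inside the proxy container. It assumes the container name "labproxy" and the conf.d bind mount from the compose file above.

```shell
#!/bin/sh
# Added example, not part of the original notes: build the load-balancing
# config from the two snippets above, with ip_hash placed inside the upstream
# block (nginx rejects it in any other context), then test and hot-reload it
# in the running proxy container. Assumes the container name "labproxy" and
# the conf.d bind mount from the compose file above.

# gen_lb_conf <server_name> <upstream_name> "<host:port> ..." [sticky]
# sticky=1 adds ip_hash, so one client IP keeps landing on the same backend.
gen_lb_conf() {
    name=$1; up=$2; backends=$3; sticky=${4:-0}
    printf 'upstream %s {\n' "$up"
    [ "$sticky" = 1 ] && printf '    ip_hash;\n'
    for b in $backends; do
        printf '    server %s;\n' "$b"
    done
    printf '}\n\nserver {\n    listen 80;\n    server_name %s;\n' "$name"
    printf '    location / {\n        proxy_pass http://%s;\n    }\n}\n' "$up"
}

# Line number of the ip_hash directive in a config text, or 0 if absent.
# Line 2 means it directly follows the "upstream ... {" line, where it belongs.
ip_hash_line() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*ip_hash;/ { print NR; found = 1; exit }
                               END { if (!found) print 0 }'
}

# Write the config into the mounted conf.d, run nginx -t inside the container
# and reload only if it passes; a rejected file is removed again so the proxy
# cannot pick it up on its next restart.
deploy_conf() {
    # $1 = config text, $2 = file name under conf.d
    dir=/dockerlab/labproxy/conf.d
    printf '%s\n' "$1" > "$dir/$2"
    if docker exec labproxy nginx -t; then
        docker exec labproxy nginx -s reload
    else
        echo "nginx -t rejected $dir/$2, removing it" >&2
        rm -f "$dir/$2"
        return 1
    fi
}

# Usage (live):
# deploy_conf "$(gen_lb_conf web1.fplabs.com lb_fplab "192.168.101.50:8080 192.168.101.50:8082" 1)" proxy1.conf
```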

#add ssl offload (TLS terminates on nginx; the upstream still talks plain http)

server {
    server_name zoltan.dc1.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/certs/cert2.pem;
    ssl_certificate_key /etc/nginx/conf.d/certs/privkey2.pem;
    # add a location / { proxy_pass ...; } block as in the examples above
}


-----------------------------------------------------------------

Default Server - Catch all

server {
    server_name zoltan.dc1.fullproxylabs.com cloud.dc1.fullproxylabs.com dump.dc1.fullproxylabs.com dropbox.fullproxylabs.com dropbox.cloudlab.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/dc1.fullproxylabs.com/cert3.pem;
    ssl_certificate_key /etc/nginx/conf.d/dc1.fullproxylabs.com/privkey3.pem;
    location / {
        proxy_pass https://zoltan.home:4443;
        proxy_max_temp_file_size 0;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_set_header Host $host;
    }
}

server {
    server_name *.dc1.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/dc1.fullproxylabs.com/cert3.pem;
    ssl_certificate_key /etc/nginx/conf.d/dc1.fullproxylabs.com/privkey3.pem;
    location / {
        rewrite ^/(.*)$ http://fullproxy.com/$1 permanent;
    }
}





WebServer and Reverse Proxy

Docker compose file

version: '3'
services:
  nginx:
    container_name: cloudproxy
    image: nginx:latest
    volumes:
      - /home/ubuntu/dockerlab/cloudproxy/conf.d:/etc/nginx/conf.d:ro
      - /home/ubuntu/dockerlab/cloudproxy/pages:/etc/nginx/html:ro
    ports:
      - 80:80
      - 443:443


sample conf.d file

server {
    server_name site1.sorry.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/cloud_lab_certs/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/cloud_lab_certs/privkey.pem;
    location / {
        root html/site1/; # relative to the nginx prefix, i.e. the mounted pages folder, then site1
    }
}




Duo Auth Proxy

docker run -d \
  --name duoauthproxy \
  -p 1812:1812/udp \
  -p 18120:18120/udp \
  -v /your/path/conf:/opt/duoauthproxy/conf:ro \
  --read-only \
  --cap-drop=all \
  --cap-add=setgid \
  --cap-add=setuid \
  jumanjiman/duoauthproxy:latest

##If there are any errors on build, do the following

Create this file in /your/path/conf/authproxy.cfg and add some dummy config

[ad_client]
host=1.2.3.4
service_account_username=duoservice
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com


Create the path and dummy crt file /your/path/conf/conf/ca-bundle.crt


ref; https://duo.com/docs/authproxy-reference#configuration

ref; https://duo.com/docs/f5bigip#install-the-duo-authentication-proxy

[duo_only_client]

[radius_server_iframe]
type=f5_bigip
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; 5.6.7.8 = the F5 IP
radius_ip_1=5.6.7.8
radius_secret_1=radiussecret1
client=duo_only_client
port=1812
failmode=safe
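The Duo container above runs --read-only with --cap-drop=all, while the Portainer containers earlier on this page bind-mount /var/run/docker.sock, which gives the container full control of the Docker daemon. As an added example (not from the original notes), this script flags those settings across running containers; it assumes `docker` on the host, and the classifier is exercised on constructed sample lines.

```shell
#!/bin/sh
# Added example, not part of the original notes: flag container settings that
# matter for the two recipes above. The Duo container runs --read-only with
# --cap-drop=all; the Portainer containers bind-mount /var/run/docker.sock,
# which gives the container full control of the Docker daemon (and so of the
# host). Assumes `docker` on the host; the classifier works on plain text and
# is exercised below on constructed sample lines.

# One line per container from `docker inspect`, fields separated by "|":
# name|privileged|readonly-rootfs|capdrop|mount-sources
INSPECT_FMT='{{.Name}}|{{.HostConfig.Privileged}}|{{.HostConfig.ReadonlyRootfs}}|{{.HostConfig.CapDrop}}|{{range .Mounts}}{{.Source}} {{end}}'

# classify <name> <privileged> <readonly> <capdrop> <mounts>
# Prints one finding per line; no output means nothing to flag.
classify() {
    name=$1; priv=$2; ro=$3; capdrop=$4; mounts=$5
    [ "$priv" = true ] && echo "$name: runs --privileged"
    case " $mounts " in
        *" /var/run/docker.sock "*)
            echo "$name: mounts the Docker socket (control of the daemon = root on the host)" ;;
    esac
    [ "$ro" = true ] || echo "$name: writable root filesystem (consider --read-only)"
    printf '%s' "$capdrop" | grep -qi all || echo "$name: keeps default capabilities (consider --cap-drop=all)"
    return 0
}

# Split one inspect line and classify it; the leading "/" of .Name is dropped.
audit_line() {
    IFS='|' read -r name priv ro capdrop mounts <<EOF
$1
EOF
    classify "${name#/}" "$priv" "$ro" "$capdrop" "$mounts"
}

# Live run over every running container (needs docker).
audit_running() {
    ids=$(docker ps -q)
    [ -n "$ids" ] || return 0
    docker inspect -f "$INSPECT_FMT" $ids | while IFS= read -r line; do
        audit_line "$line"
    done
}

# Constructed sample lines in the INSPECT_FMT shape, modelled on the docker run
# commands for Duo and Portainer above (not captured from a real host).
SAMPLE_DUO='/duoauthproxy|false|true|[all]|/your/path/conf '
SAMPLE_PORTAINER='/lab-portainer|false|false|[]|/var/run/docker.sock /home/fplabs/portainer/data '

# Usage: audit_line "$SAMPLE_PORTAINER"   (three findings)   or   audit_running
```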





Install Docker Ubuntu 20.04

sudo apt update

sudo apt install apt-transport-https ca-certificates curl software-properties-common

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"

sudo apt update

sudo apt install docker-ce

sudo usermod -aG docker ${USER}


Add Docker compose

sudo apt install docker-compose


Docker images disappear


if docker images disappear after a restart just run the following command

sudo systemctl restart docker.service


OpenSpeedtest

This docker image contains the same application running at http://openspeedtest.com. It can run offline, so you can use it to test your Local Area Network, or put it on a server to test your line speed to that server. It is currently optimized to test speeds up to 1~2 Gbps; you can change the values and files inside the container to test even faster connections.

docker run --restart=unless-stopped --name=openspeedtest -d -p 80:8080 openspeedtest/latest


Home Assistant


docker run -d --restart=always --name="home-assistant" -v /home/donald/homeass:/config -v /etc/localtime:/etc/localtime:ro --net=host homeassistant/home-assistant:stable


---

*add usb zigbee

ls -l /dev/serial/by-id


version: '3'
services:
  homeassistant:
    container_name: home-assistant
    image: homeassistant/home-assistant:stable
    volumes:
      - /hass/config:/config
      - /etc/localtime:/etc/localtime:ro
      - /dev/serial/by-id:/dev/serial/by-id
    devices:
      - /dev/ttyACM0:/dev/ttyACM0
    environment:
      - TZ=Europe/London
    ports:
      - 8123:8123
    restart: always
    network_mode: host


sudo docker-compose up -d --build homeassistant


USB ref;https://community.home-assistant.io/t/zigbee-config-docker-access-to-usb-stick/226567


Simple Website


Step 1 - Create a Directory for the Website

Make sure that you have your HTML files already in the current directory.

Step 2 - Create a file called Dockerfile

Place the following contents into the Dockerfile

FROM nginx:alpine

COPY . /usr/share/nginx/html

Step 3 - Build the Docker Image for the HTML Server

Run the following command:

docker build -t html-server-image:v1 .

You can confirm that this has worked by running the command:

docker images

And it should show you output something like this:

Step 4 - Run the Docker Container

Run the following command to run the HTML container server:

docker run -d -p 80:80 html-server-image:v1


??

COPY ./default.conf /etc/nginx/conf.d/default.conf

server {
    listen 80;
    location / {
        autoindex on;
    }
}

**************** OR ****************************************


<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Docker Nginx</title>
</head>
<body>
  <h2>Hello from Nginx Server 1</h2>
</body>
</html>

docker run -it --rm -d -p 8080:80 --name web -v ~/site-content:/usr/share/nginx/html nginx


Pi-Hole Docker


sudo nano docker-compose.yml


version: "3"

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      TZ: 'Europe/London'
      WEBPASSWORD: 'password123'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped


---------------------------------------------

docker-compose up -d

docker-compose up --detach

-------

Installing on Ubuntu

Modern releases of Ubuntu (17.10+) include systemd-resolved which is configured by default to implement a caching DNS stub resolver. This will prevent pi-hole from listening on port 53. The stub resolver should be disabled with:

sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf

This will not change the nameserver settings, which still point to the (now disabled) stub resolver and would therefore break DNS resolution. Change the /etc/resolv.conf symlink to point to /run/systemd/resolve/resolv.conf, which is automatically updated to follow the system's netplan:

sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'

After making these changes, you should restart systemd-resolved using:

systemctl restart systemd-resolved

Once pi-hole is installed, you'll want to configure your clients to use it (see here). If you used the symlink above, your docker host will either use whatever is served by DHCP, or whatever static setting you've configured. If you want to explicitly set your docker host's nameservers you can edit the netplan(s) found at /etc/netplan, then run sudo netplan apply. Example netplan:

network:
  ethernets:
    ens160:
      dhcp4: true
      dhcp4-overrides:
        use-dns: false
      nameservers:
        addresses: [127.0.0.1]
  version: 2

Note that it is also possible to disable systemd-resolved entirely. However, this can cause problems with name resolution in VPNs (see bug report). It also disables the functionality of netplan, since systemd-resolved is used as the default renderer (see man netplan). If you choose to disable the service, you will need to set the nameservers manually, for example by creating a new /etc/resolv.conf.

Users of older Ubuntu releases (circa 17.04) will need to disable dnsmasq.
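The steps above fail silently if any of them is skipped (Pi-hole simply cannot bind port 53). As an added example (not from the original notes), these preflight checks verify each one; they assume an Ubuntu host with /etc/systemd/resolved.conf and the `ss` tool, and the text-processing functions are exercised on constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original notes: preflight checks for the
# systemd-resolved conflict described above, written as functions over text
# so they run on the real files (`preflight`) or on sample input. Assumes an
# Ubuntu host with /etc/systemd/resolved.conf and the `ss` tool.

# Is the stub listener on 127.0.0.53:53 still enabled? It is unless the file
# contains an uncommented DNSStubListener=no (a missing or commented-out line
# keeps the default, which is yes).
stub_listener_enabled() {
    # $1 = contents of resolved.conf
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DNSStubListener=no'; then
        echo no
    else
        echo yes
    fi
}

# The same edit the notes apply with sed, on text so the result can be checked.
disable_stub_listener() {
    printf '%s\n' "$1" | sed -E 's/^#?DNSStubListener=yes/DNSStubListener=no/'
}

# Given `ss -lntup` output, print the lines of sockets bound to port 53
# (empty output means the port is free for Pi-hole's 53/tcp and 53/udp).
port53_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 && $5 ~ /:53$/'
}

# Does /etc/resolv.conf point at the netplan-managed file, as set up above?
resolv_conf_ok() {
    [ "$(readlink /etc/resolv.conf)" = /run/systemd/resolve/resolv.conf ]
}

# Run all three checks on the live host; non-zero exit if anything blocks Pi-hole.
preflight() {
    rc=0
    if [ "$(stub_listener_enabled "$(cat /etc/systemd/resolved.conf)")" = yes ]; then
        echo "DNSStubListener is still enabled in /etc/systemd/resolved.conf" >&2; rc=1
    fi
    busy=$(port53_listeners "$(ss -lntup)")
    if [ -n "$busy" ]; then
        printf 'port 53 already in use:\n%s\n' "$busy" >&2; rc=1
    fi
    resolv_conf_ok || { echo "/etc/resolv.conf does not point at /run/systemd/resolve/resolv.conf" >&2; rc=1; }
    return $rc
}

# Constructed samples (not captured from a real host): a stock resolved.conf
# and ss output showing systemd-resolved holding 53/udp and 53/tcp.
SAMPLE_RESOLVED='[Resolve]
#DNS=
#DNSStubListener=yes'
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=12))
tcp   LISTEN 0      4096   127.0.0.53%lo:53  0.0.0.0:*         users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=800,fd=3))'
```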

--------------

1. List the default network set-up for the virtual machines

# virsh net-list
 Name      State    Autostart   Persistent
----------------------------------------------------------
 default   active   yes         yes

2. Destroy the network default.

# virsh net-destroy default
Network default destroyed

3. Permanently remove the default virtual network from the configuration.

# virsh net-undefine default
Network default has been undefined

4. The interface virbr0 is now gone. You can verify it in the ifconfig or ip command output.

# ifconfig virbr0
virbr0: error fetching interface information: Device not found


--------

update pihole

docker-compose pull pihole

docker-compose up -d pihole


stop using port 53 on host machine

systemctl stop systemd-resolved

systemctl disable systemd-resolved


REF;https://hub.docker.com/r/pihole/pihole


My NextCloud Setup


docker network create nextcloud-net

docker create \
  --name=mariadb-nextcloud \
  -e PUID=1000 \
  -e PGID=1000 \
  -e MYSQL_ROOT_PASSWORD=h*********** \
  -e TZ=Europe/London \
  -e MYSQL_DATABASE=nextcloud-db \
  -e MYSQL_USER=admin \
  -e MYSQL_PASSWORD=h************ \
  -p 3306:3306 \
  -v /nextcloudDB:/config \
  --network nextcloud-net \
  --restart unless-stopped \
  linuxserver/mariadb

docker create \
  --name=nextcloud \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/London \
  -p 8443:443 \
  -v /nextcloud/config:/config \
  -v /nextcloud/data:/data \
  --network nextcloud-net \
  --restart unless-stopped \
  linuxserver/nextcloud

docker start nextcloud mariadb-nextcloud

#notes

remember to create the directories for the various data files first, e.g. -v /nextcloudDB:/config, -v /nextcloud/config:/config and -v /nextcloud/data:/data

during nextcloud setup choose mariadb with the details above with hostname mariadb-nextcloud:3306

Trusted Domains

this is on the local host - /nextcloud/config/www/nextcloud/config/config.php


Nextcloud - Compose

version: '2'
services:
  nextcloud:
    container_name: nextcloud2
    restart: unless-stopped
    image: linuxserver/nextcloud
    ports:
      - 9443:443
      - 9080:80
    volumes:
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/config:/config
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/data:/data
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/apps:/apps
    environment:
      PUID: 1000
      PGID: 1000
      TZ: Europe/London
    depends_on:
      - db
  db:
    container_name: maria-db2
    restart: unless-stopped
    image: linuxserver/mariadb
    environment:
      MYSQL_ROOT_PASSWORD: qwerty@nextcloud2
      MYSQL_DATABASE: nextcloud2-db
      MYSQL_USER: admin
      MYSQL_PASSWORD: qwerty@nextcloud2
      PUID: 1000
      PGID: 1000
      TZ: Europe/London
    volumes:
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/mariadb2:/var/lib/mysql


--------------------------------------------------------------------------


alternate install

ref; https://gist.github.com/ichiTechs/83e228fa1e6c83543623a1bf06f3eb32

# NextCloud with MariaDB/MySQL
#
# Access via "http://localhost:80" (or "http://$(docker-machine ip):80" if using docker-machine)
#
# During initial NextCloud setup, select "Storage & database" --> "Configure the database" --> "MySQL/MariaDB"
# Database user: nextcloud
# Database password: nextcloud
# Database name: ncdb
# Database host: replace "localhost" with "maria-db", the same name as the database container name.
#
# The reason for the more refined data persistence in the volumes is that if you were to
# use just '/var/www/html' then every time you want/need to update/upgrade
# NextCloud you would have to go into the volume on the host machine and delete 'version.php'
#

version: '2'
services:
  nextcloud:
    container_name: nextcloud
    restart: unless-stopped
    image: nextcloud
    ports:
      - 80:80
    volumes:
      - /containers/cloud/nextcloud/apps:/var/www/html/apps
      - /containers/cloud/nextcloud/config:/var/www/html/config
      - /containers/cloud/nextcloud/data:/var/www/html/data
    depends_on:
      - db
  db:
    container_name: maria-db
    restart: unless-stopped
    image: mariadb
    environment:
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: ncdb
      MYSQL_USER: nextcloud
      MYSQL_PASSWORD: nextcloud
    volumes:
      - /containers/cloud/mariadb:/var/lib/mysql


------------------------------------------------------------------


#Trusted Sources Example

nano /mnt/lvm-vg2-mount/dockerlab/nextcloud/config/www/nextcloud/config/config.php


#Edit this

'trusted_domains' =>
  array (
    0 => 'zoltan.home:4443',
    1 => '192.168.100.125:4443',
    2 => 'cloud.dc1.fullproxylabs.com',
    3 => 'zoltan.dc1.fullproxylabs.com',
  ),

#Edit this for the external url !
'overwrite.cli.url' => 'https://cloud.dc1.fullproxylabs.com',


# SCAN

docker exec nextcloud sudo -u abc php /config/www/nextcloud/occ files:scan --all


docker exec nextcloud sudo -u abc php /config/www/nextcloud/occ files:scan --path="donald/files"


# issues

https://autoize.com/nextcloud-performance-troubleshooting/


#change upload size

nano /mnt/lvm-vg2-mount/dockerlab/nextcloud2/config/php/php-local.ini

# add this

max_execution_time = 3600
max_input_time = 3600
upload_max_filesize = 10G
post_max_size = 10G
output_buffering = 0





Squid Proxy

services:
  Squid:
    image: sameersbn/squid:3.5.27-2
    ports:
      - "3128:3128"
    volumes:
      - /srv/docker/squid/cache:/var/spool/squid
    restart: always


PLEX


---

version: "2.1"
services:
  plex:
    image: ghcr.io/linuxserver/plex
    container_name: plex
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - VERSION=docker
      - UMASK_SET=022 #optional
      - PLEX_CLAIM= #optional
    volumes:
      - /path/to/library:/config
      - /path/to/tvseries:/tv
      - /path/to/movies:/movies
    restart: unless-stopped


UPDATE

Update all images: docker-compose pull

or update a single image: docker-compose pull plex

Let compose update all containers as necessary: docker-compose up -d

or update a single container: docker-compose up -d plex

You can also remove the old dangling images: docker image prune


Zabbix

version: '3'
services:
  zabbix-app:
    image: "zabbix/zabbix-appliance:latest"
    ports:
      - "8081:80"
      - "10051:10051"
    environment:
      - PHP_TZ=Europe/London
      - ZBX_HOSTNAME=zabbix-app
      - ZBX_SERVER_HOST=zabbix-app
    volumes:
      - /home/donald/dockerlab/zabbix/zapp-db:/var/lib/mysql
    links:
      - zabbix-agent
  zabbix-agent:
    image: "zabbix/zabbix-agent:latest"
    environment:
      - ZBX_HOSTNAME=zabbix-agent
      - ZBX_SERVER_HOST=zabbix-app

volumes:
  zapp-db:


ref;https://codingkata.tardate.com/infrastructure/zabbix/dockerized/


Docker-compose update

docker-compose pull <servicename>

docker-compose up -d <servicename>


#example
docker-compose pull pihole

docker-compose up -d pihole

RemoteSpark

example setup

docker run --name remotespark8380 -d -p 8380:80 -v /home/donald/dockerlab/remotespark/gateway.conf:/usr/local/bin/SparkGateway/gateway.conf simonkowallik/remotespark:latest

#remember to create an empty gateway.conf

#enter docker cli

docker exec -it remotespark8380 /bin/ash


#config

http://x.x.x.x/config.html

#login

http://x.x.x.x/login.html


#SSL config

add config ?????