Docker
Docker Networking
#Create Network
docker network create \
--driver=bridge \
--subnet=172.28.0.0/16 \
--ip-range=172.28.5.0/24 \
--gateway=172.28.5.254 \
br0
docker network create djlabs_default --subnet=172.28.0.0/16
#smaller subnet
docker network create djlabs_4 --subnet=172.28.4.0/24
docker network create djlabs_default
docker network ls
docker network inspect djlabs_default
#Docker compose
#insert at the end of the docker compose, line up with services
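services:
  # ... existing service definitions go here, unchanged ...
networks:
  # attach this project's default network to the externally created
  # djlabs_default network (docker network create djlabs_default)
  default:
    external:
      name: djlabs_default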
#Delete Network
docker network rm my-network
brctl show
bridge name bridge id STP enabled interfaces
br-8501bbb1f17b 8000.0242f1d62f7d no
br0 8000.3417ebbb7e6e no eno1
vnet0
docker0 8000.024251c6e2f7 no
virbr0 8000.525400616906 yes
#extras
docker inspect <container-name>
docker exec -it <container_id> <command>
--
ps -ef | grep 88
sudo kill 875
netstat -anp | grep :53
Quick Nginx Web Server
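version: '3'
services:
  nginx:
    container_name: webtest
    image: nginx:latest
    volumes:
      # bind-mount the directory that holds index.html onto nginx's docroot;
      # appending ':ro' (as the proxy examples later in these notes do) keeps
      # the container from modifying the host copy
      - '<path/to/local/index.html>:/usr/share/nginx/html'
    ports:
      # HOST:CONTAINER pairs are quoted so YAML keeps them as strings
      - '80:80'
      - '443:443'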
Guacamole
git clone "https://github.com/boschkundendienst/guacamole-docker-compose.git"
cd guacamole-docker-compose
./prepare.sh
docker-compose up -d
You can use your own certificates by placing the private key in nginx/ssl/self-ssl.key and the cert in nginx/ssl/self.cert
### wrong DNS server
The simple fix seems to be to create a new config file, for instance 03-pihole-dhcp-dns-fix.conf, in the folder that is mapped to the /etc/dnsmasq.d folder in the container, with this content (adapt the IP to your needs):
dhcp-option=option:dns-server,<your host IP>
ref;
https://github.com/boschkundendienst/guacamole-docker-compose
Docker notes
#show port numbers
docker port container-name
#Stop all docker containers
docker kill $(docker ps -q)
Upload to docker hub
docker login
docker tag smtp-proxy:v1 donamato/smtp-proxy:latest
docker push donamato/smtp-proxy:latest
Docker Test Apps
https://github.com/f5devcentral/f5-demo-httpd
https://hub.docker.com/r/swaggerapi/petstore
https://github.com/dotronglong/faker
# intentionally vulnerable training apps; -p 80:80 publishes on every host
# interface, so run them on an isolated lab network (see the networking
# section above) or bind to loopback only with -p 127.0.0.1:80:80
docker run --rm -it -p 80:80 vulnerables/web-dvwa
docker run --rm -p 3000:3000 bkimminich/juice-shop
docker run --name hackazon -d -p 80:80 bepsoccer/all-in-one-hackazon
https://github.com/ravikalla/online-bank
docker run --rm -it -d -p 88:80 yeasy/simple-web:latest
---
docker pull webgoat/webgoat-7.1
docker run -p 8080:8080 -t webgoat/webgoat-7.1
From <https://hub.docker.com/r/webgoat/webgoat-7.1/>
https://hub.docker.com/r/webgoat/webgoat-8.0/
docker pull webgoat/webgoat-8.0
docker run -p 8080:8080 -t webgoat/webgoat-8.0
From <https://hub.docker.com/r/webgoat/webgoat-8.0/>
http://192.168.70.70:8080/WebGoat/login
User - create new user
WebGoat walk through!
http://shubhamhacker.blogspot.com/2018/02/walkthrough-hello-guys-this-is-shubham.html
----
Great test app
https://hub.docker.com/r/rawmind/web-test
docker pull rawmind/web-test
docker run -d -p 86:8080 rawmind/web-test
----------------
FILE UPLOAD SERVER FOR CHECK VIRUSES
docker build -t uploader .
From <https://github.com/peebles/cloud-file-upload>
https://hub.docker.com/r/linuxserver/photoshow/
docker pull linuxserver/photoshow
From <https://hub.docker.com/r/linuxserver/photoshow/>
docker pull alterway/docker-image-gallery
docker pull mayth/simple-upload-server
--------------------------------
docker run -d -p 8581:80 donamato/red
https://github.com/0xn3va/cheat-sheets/tree/main/Web%20Application
WireGuard
#Docker Compose
---
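version: "2.1"
services:
  wireguard:
    image: lscr.io/linuxserver/wireguard
    container_name: wireguard
    # NET_ADMIN is needed to create the tunnel interface. SYS_MODULE plus the
    # /lib/modules mount below let the container load the host's wireguard
    # kernel module, which is a host-level privilege - presumably unnecessary
    # once the host already has the module loaded (verify against the image docs).
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - SERVERURL=wireguard.domain.com  # optional: server ip or hostname
      - SERVERPORT=51820  # optional: server port, can be changed
      - PEERS=1  # optional
      - PEERDNS=auto  # optional: DNS for the connecting peers
      # optional: internal subnet for the wireguard server and peers (only
      # change it if it clashes); used in server mode
      - INTERNAL_SUBNET=10.13.13.0
      # optional: the IPs/ranges the peers can reach through the VPN. Default is
      # '0.0.0.0/0, ::0/0', which routes ALL peer traffic through the tunnel.
      # For split tunnelling, list only the ranges that should use the tunnel
      # plus the server's own WG address, such as 10.13.13.1.
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - /path/to/appdata/config:/config
      - /lib/modules:/lib/modules
    ports:
      - "51820:51820/udp"
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped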
#To monitor the logs of the container in realtime:
docker logs -f wireguard
#Peer QR codes
To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: docker exec -it wireguard /app/show-peer 1 4 5 or docker exec -it wireguard /app/show-peer myPC myPhone myTablet (Keep in mind that the QR codes are also stored as PNGs in the config folder).
Portainer
### portainer ###
# mounting /var/run/docker.sock gives the container full control of the docker
# daemon (root-equivalent on the host); expose port 9000 on a trusted network only
docker run --name lab-portainer -d -p 9000:9000 --restart always -v /var/run/docker.sock:/var/run/docker.sock -v /home/fplabs/portainer/data:/data portainer/portainer
### portainer agent###
# the agent also gets the docker socket, so whoever can reach port 9001
# controls this host's containers; restrict it to the portainer server
docker run -d -p 9001:9001 --name portainer_agent --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v /home/fplabs/portainer/data:/var/lib/docker/volumes portainer/agent
Nginx reverse proxy docker-compose
Example
#create a directory for the config files.
mkdir -p /dockerlab/labproxy
cd /dockerlab/labproxy
#Create docker compose file
nano docker-compose.yml
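version: '3'
services:
  nginx:
    container_name: labproxy
    image: nginx:latest
    volumes:
      # nginx config is mounted read-only so the container cannot alter it
      - /dockerlab/labproxy/conf.d:/etc/nginx/conf.d:ro
    ports:
      - '80:80'
      - '443:443'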
----
#Simple reverse proxy config
mkdir /dockerlab/labproxy/conf.d
cd /dockerlab/labproxy/conf.d
nano proxy1.conf
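# plain-HTTP reverse proxy: forwards web2.fplabs.com to a backend on port 8082
server {
    server_name web2.fplabs.com;
    listen 80;
    location / {
        proxy_pass http://192.168.101.50:8082;
    }
}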
#Simple load balancing
nano proxy1.conf
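# round-robin load balancing across two backends on the same host
upstream lb_fplab {
    server 192.168.101.50:8080;
    server 192.168.101.50:8082;
}
server {
    listen 80;
    server_name web1.fplabs.com;
    location / {
        # proxy to the upstream group by its name
        proxy_pass http://lb_fplab;
    }
}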
#add persistence (sticky sessions)
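# sticky sessions: ip_hash is an upstream-context directive, so it belongs
# inside the upstream block, where it pins each client IP to one backend
upstream lb_fplab {
    ip_hash;
    server 192.168.101.50:8080;
    server 192.168.101.50:8082;
}
server {
    listen 80;
    server_name web1.fplabs.com;
    location / {
        proxy_pass http://lb_fplab;
    }
}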
#add ssl offload
# TLS termination (fragment): the location / { proxy_pass ... } part and the
# closing brace are omitted in these notes; see the proxy examples above and below
server {
server_name zoltan.dc1.fullproxylabs.com;
listen 443 ssl;
# certificate and private key live inside the bind-mounted conf.d directory
ssl_certificate /etc/nginx/conf.d/certs/cert2.pem;
ssl_certificate_key /etc/nginx/conf.d/certs/privkey2.pem;
-----------------------------------------------------------------
Default Server - Catch all
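# catch-all TLS front end for several names, proxied to an upstream that also speaks TLS
server {
    server_name zoltan.dc1.fullproxylabs.com cloud.dc1.fullproxylabs.com dump.dc1.fullproxylabs.com dropbox.fullproxylabs.com dropbox.cloudlab.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/dc1.fullproxylabs.com/cert3.pem;
    ssl_certificate_key /etc/nginx/conf.d/dc1.fullproxylabs.com/privkey3.pem;
    location / {
        # nginx does not verify the upstream certificate unless proxy_ssl_verify is enabled
        proxy_pass https://zoltan.home:4443;
        # stream large transfers straight through instead of buffering them to disk
        proxy_max_temp_file_size 0;
        proxy_buffering off;
        # 0 removes the request body size limit, so any limit has to be enforced upstream
        client_max_body_size 0;
        proxy_set_header Host $host;
    }
}
# every other *.dc1.fullproxylabs.com name is redirected (301) to the plain-http
# fullproxy.com site, so the client leaves TLS after this hop
server {
    server_name *.dc1.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/dc1.fullproxylabs.com/cert3.pem;
    ssl_certificate_key /etc/nginx/conf.d/dc1.fullproxylabs.com/privkey3.pem;
    location / {
        rewrite ^/(.*)$ http://fullproxy.com/$1 permanent;
    }
}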
WebServer and Reverse Proxy
Docker compose file
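version: '3'
services:
  nginx:
    container_name: cloudproxy
    image: nginx:latest
    volumes:
      # config and static pages are both mounted read-only
      - /home/ubuntu/dockerlab/cloudproxy/conf.d:/etc/nginx/conf.d:ro
      - /home/ubuntu/dockerlab/cloudproxy/pages:/etc/nginx/html:ro
    ports:
      - '80:80'
      - '443:443'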
sample conf.d file
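# static site served over TLS straight from the bind-mounted pages directory
server {
    server_name site1.sorry.fullproxylabs.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/cloud_lab_certs/cert.pem;
    ssl_certificate_key /etc/nginx/conf.d/cloud_lab_certs/privkey.pem;
    location / {
        root html/site1/;  # this refers to pages folder then site1
    }
}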
Duo Auth Proxy
# hardened run: read-only root filesystem, all capabilities dropped except
# setgid/setuid (presumably so the proxy can switch to its service user -
# verify against the image docs), config bind-mounted read-only, and only
# the two RADIUS UDP ports published
docker run -d \
--name duoauthproxy \
-p 1812:1812/udp \
-p 18120:18120/udp \
-v /your/path/conf:/opt/duoauthproxy/conf:ro \
--read-only \
--cap-drop=all \
--cap-add=setgid \
--cap-add=setuid \
jumanjiman/duoauthproxy:latest
##If there are any errors on build- do the following
Create this file in /your/path/conf/authproxy.cfg and add some dummy config
; placeholder AD section so the proxy starts; replace every value before real use
[ad_client]
host=1.2.3.4
service_account_username=duoservice
; dummy value - the real service account password must not be kept in these notes
service_account_password=password1
search_dn=DC=example,DC=com
security_group_dn=CN=DuoVPNUsers,OU=Groups,DC=example,DC=com
Create the path and dummy crt file /your/path/conf/conf/ca-bundle.crt
**https://duo.com/docs/authproxy-reference#configuration
**https://duo.com/docs/f5bigip#install-the-duo-authentication-proxy
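[duo_only_client]

; RADIUS front end for the F5 BIG-IP; ikey/skey/api_host are the integration
; values from the Duo admin panel (placeholders here)
[radius_server_iframe]
type=f5_bigip
ikey=DIXXXXXXXXXXXXXXXXXX
skey=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
api_host=api-XXXXXXXX.duosecurity.com
; F5 IP - the RADIUS client allowed to talk to this proxy
radius_ip_1=5.6.7.8
; shared secret with the F5; keep the real one out of these notes
radius_secret_1=radiussecret1
client=duo_only_client
port=1812
; safe = fail open: primary auth is accepted if the Duo service is unreachable
failmode=safe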
Install Docker Ubuntu 20.04
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common
# adds Docker's signing key to the system-wide apt trust store; on newer
# releases apt-key is deprecated in favour of a keyring referenced via signed-by
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce
# membership of the docker group is root-equivalent on the host (the socket lets
# a member start privileged containers); takes effect at the next login
sudo usermod -aG docker ${USER}
Add Docker compose
sudo apt install docker-compose
Docker images disappear
If Docker images disappear after a restart, run the following command:
sudo systemctl restart docker.service
OpenSpeedtest
This docker image contains the same application running at http://openspeedtest.com. This can run offline! So you can use it to test your Local Area Network or put it on a server to test your line speed to that server. Currently optimized to test speeds up to 1~2 Gbps. You can change the values and files inside this docker image to test even faster connections.
docker run --restart=unless-stopped --name=openspeedtest -d -p 80:8080 openspeedtest/latest
Home Assistant
# --net=host shares the host's network namespace, so every port the app
# listens on is open on the host directly (no -p mapping applies)
docker run -d --restart=always --name="home-assistant" -v /home/donald/homeass:/config -v /etc/localtime:/etc/localtime:ro --net=host homeassistant/home-assistant:stable
---
*add usb zigbee
ls -l /dev/serial/by-id
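version: '3'
services:
  homeassistant:
    container_name: home-assistant
    image: homeassistant/home-assistant:stable
    volumes:
      - /hass/config:/config
      - /etc/localtime:/etc/localtime:ro
      - /dev/serial/by-id:/dev/serial/by-id
    devices:
      # the zigbee USB stick; find its stable path with `ls -l /dev/serial/by-id`
      - /dev/ttyACM0:/dev/ttyACM0
    environment:
      - TZ=Europe/London
    ports:
      # with network_mode: host the container shares the host's network
      # namespace, so this mapping has no effect (8123 is reachable directly)
      - '8123:8123'
    restart: always
    network_mode: host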
sudo docker-compose up -d --build homeassistant
USB ref;https://community.home-assistant.io/t/zigbee-config-docker-access-to-usb-stick/226567
Simple Website
Step 1 - Create a Directory for the Website
Make sure that you have your HTML files already in the current directory.
Step 2 - Create a file called Dockerfile
Place the following contents into the Dockerfile
# minimal static-site image: nginx on alpine with the build context as the docroot
FROM nginx:alpine
# copies everything in the current directory, so build from a directory
# that holds only the site files
COPY . /usr/share/nginx/html
Step 3 - Build the Docker Image for the HTML Server
Run the following command:
docker build -t html-server-image:v1 .
You can confirm that this has worked by running the command:
docker images
And it should show you output something like this:
Step 4 - Run the Docker Container
Run the following command to run the HTML container server:
docker run -d -p 80:80 html-server-image:v1
??
# extra Dockerfile line when a custom server config is wanted (the default.conf below)
COPY ./default.conf /etc/nginx/conf.d/default.conf
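# default.conf: serve the docroot with directory listings turned on
server {
    listen 80;
    location / {
        # autoindex shows every file name in the directory to any visitor;
        # leave it off unless browsing the listing is the point of the site
        autoindex on;
    }
}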
**************** OR ****************************************
<!doctype html>
<html lang="en">
<!-- minimal index.html for the site-content directory that the docker run
     line below bind-mounts into nginx's docroot -->
<head>
<meta charset="utf-8">
<title>Docker Nginx</title>
</head>
<body>
<h2>Hello from Nginx Server 1</h2>
</body>
</html>
docker run -it --rm -d -p 8080:80 --name web -v ~/site-content:/usr/share/nginx/html nginx
Pi-Hole Docker
sudo nano docker-compose.yml
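version: "3"
# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      # DNS (tcp/udp), DHCP (udp) and the admin web UI, published on every host interface
      - "53:53/tcp"
      - "53:53/udp"
      - "67:67/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      TZ: 'Europe/London'
      # admin UI password; a literal here is visible in `docker inspect`
      # output, so a value from an env file or secret is safer
      WEBPASSWORD: 'password123'
    # Volumes store your data between container upgrades
    volumes:
      - './etc-pihole/:/etc/pihole/'
      - './etc-dnsmasq.d/:/etc/dnsmasq.d/'
    # Recommended but not required (DHCP needs NET_ADMIN)
    # https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    cap_add:
      - NET_ADMIN
    restart: unless-stopped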
---------------------------------------------
docker-compose up -d
docker-compose up --detach
-------
Installing on Ubuntu
Modern releases of Ubuntu (17.10+) include systemd-resolved which is configured by default to implement a caching DNS stub resolver. This will prevent pi-hole from listening on port 53. The stub resolver should be disabled with:
sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
This will not change the nameserver settings, which point to the stub resolver thus preventing DNS resolution.
Change the /etc/resolv.conf symlink to point to /run/systemd/resolve/resolv.conf,
which is automatically updated to follow the system's netplan:
sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
After making these changes, you should restart systemd-resolved using:
systemctl restart systemd-resolved
Once pi-hole is installed, you'll want to configure your clients to use it (see here). If you used the symlink above, your docker host will either use whatever is served by DHCP, or whatever static setting you've configured. If you want to explicitly set your docker host's nameservers you can edit the netplan(s) found at /etc/netplan, then run sudo netplan apply. Example netplan:
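network:
  version: 2
  ethernets:
    ens160:
      dhcp4: true
      dhcp4-overrides:
        # keep the DHCP lease but ignore the DNS servers it hands out
        use-dns: false
      nameservers:
        # resolve through the local pi-hole container instead
        addresses: [127.0.0.1]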
Note that it is also possible to disable systemd-resolved entirely. However, this can cause problems with name resolution in vpns (see bug report). It also disables the functionality of netplan since systemd-resolved is used as the default renderer (see man netplan). If you choose to disable the service, you will need to manually set the nameservers, for example by creating a new /etc/resolv.conf.
Users of older Ubuntu releases (circa 17.04) will need to disable dnsmasq.
--------------
1. List the default network set-up for the virtual machines
# virsh net-list
Name State Autostart Persistent
----------------------------------------------------------
default active yes yes
2. Destroy the network default.
# virsh net-destroy default
Network default destroyed
3. Permanently remove the default virtual network from the configuration.
# virsh net-undefine default
Network default has been undefined
4. The interface virbr0 is now gone. You can verify it in the ifconfig or ip command output.
# ifconfig virbr0
virbr0: error fetching interface information: Device not found
--------
update pihole
docker-compose pull pihole
docker-compose up -d pihole
stop using port 53 on host machine
systemctl stop systemd-resolved
systemctl disable systemd-resolved
REF;https://hub.docker.com/r/pihole/pihole
My NextCloud Setup
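# private network shared by the two containers; they reach each other by name
docker network create nextcloud-net
# database container. Passwords are masked in these notes; passing them with
# -e leaves them in shell history and `docker inspect`. -p 3306:3306 publishes
# MariaDB on every host interface - nextcloud reaches it over nextcloud-net, so
# the mapping is only needed if something on the host must talk to the DB.
docker create \
--name=mariadb-nextcloud \
-e PUID=1000 \
-e PGID=1000 \
-e MYSQL_ROOT_PASSWORD=h*********** \
-e TZ=Europe/London \
-e MYSQL_DATABASE=nextcloud-db \
-e MYSQL_USER=admin \
-e MYSQL_PASSWORD=h************ \
-p 3306:3306 \
-v /nextcloudDB:/config \
--network nextcloud-net \
--restart unless-stopped \
linuxserver/mariadb
# application container; only the HTTPS port is published (8443 on the host)
docker create \
--name=nextcloud \
-e PUID=1000 \
-e PGID=1000 \
-e TZ=Europe/London \
-p 8443:443 \
-v /nextcloud/config:/config \
-v /nextcloud/data:/data \
--network nextcloud-net \
--restart unless-stopped \
linuxserver/nextcloud
docker start nextcloud mariadb-nextcloud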
#notes
remember to create the directories for the various data files, e.g. -v /nextcloudDB:/config, -v /nextcloud/config:/config and -v /nextcloud/data:/data
during nextcloud setup choose mariadb with the details above with hostname mariadb-nextcloud:3306
Trusted Domains
this is on the local host - /nextcloud/config/www/nextcloud/config/config.php
Nextcloud - Compose
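version: '2'
services:
  nextcloud:
    container_name: nextcloud2
    restart: unless-stopped
    image: linuxserver/nextcloud
    ports:
      - '9443:443'
      - '9080:80'
    volumes:
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/config:/config
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/data:/data
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/apps:/apps
    environment:
      PUID: '1000'
      PGID: '1000'
      TZ: Europe/London
    depends_on:
      - db
  db:
    container_name: maria-db2
    restart: unless-stopped
    image: linuxserver/mariadb
    # no ports: entry, so the database is reachable only from containers on
    # the compose network (by service or container name)
    environment:
      # credentials are plain literals in this file; rotate them and prefer
      # an env_file or secret for anything beyond a lab
      MYSQL_ROOT_PASSWORD: qwerty@nextcloud2
      MYSQL_DATABASE: nextcloud2-db
      MYSQL_USER: admin
      MYSQL_PASSWORD: qwerty@nextcloud2
      PUID: '1000'
      PGID: '1000'
      TZ: Europe/London
    volumes:
      - /mnt/lvm-vg2-mount/dockerlab/nextcloud2/mariadb2:/var/lib/mysql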
--------------------------------------------------------------------------
alternate install
ref; https://gist.github.com/ichiTechs/83e228fa1e6c83543623a1bf06f3eb32
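# NextCloud with MariaDB/MySQL
#
# Access via "http://localhost:80" (or "http://$(docker-machine ip):80" if using docker-machine)
#
# During initial NextCloud setup, select "Storage & database" --> "Configure the database" --> "MySQL/MariaDB"
# Database user: nextcloud
# Database password: nextcloud
# Database name: ncdb
# Database host: replace "localhost" with "maria-db", the same name as the database container name.
#
#
# The reason for the more refined data persistence in the volumes is because if you were to
# use just '/var/www/html' then every time you would want/need to update/upgrade
# NextCloud you would have to go into the volume on the host machine and delete 'version.php'
#
version: '2'
services:
  nextcloud:
    container_name: nextcloud
    restart: unless-stopped
    # untagged, so it resolves to nextcloud:latest; pin a tag for predictable upgrades
    image: nextcloud
    ports:
      - '80:80'
    volumes:
      - /containers/cloud/nextcloud/apps:/var/www/html/apps
      - /containers/cloud/nextcloud/config:/var/www/html/config
      - /containers/cloud/nextcloud/data:/var/www/html/data
    depends_on:
      - db
  db:
    container_name: maria-db
    restart: unless-stopped
    image: mariadb
    environment:
      # example credentials matching the header above; replace them before
      # any use outside a throwaway lab
      MYSQL_ROOT_PASSWORD: root
      MYSQL_DATABASE: ncdb
      MYSQL_USER: nextcloud
      MYSQL_PASSWORD: nextcloud
    volumes:
      - /containers/cloud/mariadb:/var/lib/mysql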
------------------------------------------------------------------
#Trusted Sources Example
nano /mnt/lvm-vg2-mount/dockerlab/nextcloud/config/www/nextcloud/config/config.php
#Edit this
# host names / IPs (with port where used) that Nextcloud will accept in the
# Host header; requests for any other name are refused as untrusted
'trusted_domains' =>
array (
0 => 'zoltan.home:4443',
1 => '192.168.100.125:4443',
2 => 'cloud.dc1.fullproxylabs.com',
3 => 'zoltan.dc1.fullproxylabs.com',
# the closing "),"" of the array is omitted in these notes
#Edit this for external url !
'overwrite.cli.url' => 'https://cloud.dc1.fullproxylabs.com',
# SCAN
docker exec nextcloud sudo -u abc php /config/www/nextcloud/occ files:scan --all
docker exec nextcloud sudo -u abc php /config/www/nextcloud/occ files:scan --path="donald/files"
# issues
https://autoize.com/nextcloud-performance-troubleshooting/
#change upload size
nano /mnt/lvm-vg2-mount/dockerlab/nextcloud2/config/php/php-local.ini
# add this
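; raise the PHP limits so large uploads are not cut off (times in seconds)
max_execution_time = 3600
max_input_time = 3600
upload_max_filesize = 10G
post_max_size = 10G
; 0 disables output buffering
output_buffering = 0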
Squid Proxy
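# fragment: appears to be a single service entry, to be placed under the
# top-level services: key of a compose file
Squid:
  image: sameersbn/squid:3.5.27-2
  ports:
    - "3128:3128"
  volumes:
    # cache directory persisted on the host
    - /srv/docker/squid/cache:/var/spool/squid
  restart: always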
PLEX
---
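version: "2.1"
services:
  plex:
    image: ghcr.io/linuxserver/plex
    container_name: plex
    # shares the host network namespace, so no ports: mapping is needed and
    # every port plex listens on is open on the host directly
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - VERSION=docker
      - UMASK_SET=022  # optional
      - PLEX_CLAIM=  # optional, left empty here
    volumes:
      - /path/to/library:/config
      - /path/to/tvseries:/tv
      - /path/to/movies:/movies
    restart: unless-stopped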
UPDATE
Update all images: docker-compose pull
or update a single image: docker-compose pull plex
Let compose update all containers as necessary: docker-compose up -d
or update a single container: docker-compose up -d plex
You can also remove the old dangling images: docker image prune
Zabbix
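version: '3'
services:
  zabbix-app:
    image: "zabbix/zabbix-appliance:latest"
    ports:
      - "8081:80"
      - "10051:10051"
    environment:
      - PHP_TZ=Europe/London
      - ZBX_HOSTNAME=zabbix-app
      - ZBX_SERVER_HOST=zabbix-app
    volumes:
      # host bind mount for the database files
      - /home/donald/dockerlab/zabbix/zapp-db:/var/lib/mysql
    # legacy links: entry; services on the same compose network already
    # resolve each other by name
    links:
      - zabbix-agent
  zabbix-agent:
    image: "zabbix/zabbix-agent:latest"
    environment:
      - ZBX_HOSTNAME=zabbix-agent
      - ZBX_SERVER_HOST=zabbix-app
# read as the top-level volumes key: declares a named volume that no service
# above uses (zabbix-app mounts a host path instead)
volumes:
  zapp-db: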
ref;https://codingkata.tardate.com/infrastructure/zabbix/dockerized/
Docker-compose update
docker-compose pull <servicename>
docker-compose up -d <servicename>
#example
docker-compose pull pihole
docker-compose up -d pihole
RemoteSpark
example setup
# -v with a single file: the host file must exist before the run, otherwise
# docker creates a directory of that name instead (hence the note below)
docker run --name remotespark8380 -d -p 8380:80 -v /home/donald/dockerlab/remotespark/gateway.conf:/usr/local/bin/SparkGateway/gateway.conf simonkowallik/remotespark:latest
#remember to create an empty gateway.conf
#enter docker cli
docker exec -it remotespark8380 /bin/ash
#config
#login
#SSL config
add config ?????