Install Docker, Docker-Compose, Portainer & Nginx on CentOS 8 & Ubuntu 20.04

This post summarizes all the installation steps to take a new CentOS 8 system and get Docker, Docker-Compose and Portainer installed. Nginx will also be installed and configured as a reverse proxy for Portainer, with a custom domain managed by Cloudflare. Certbot will be installed in the Nginx container to enable HTTPS for Portainer's web interface.

The steps are the same for CentOS 7 and for Debian-based releases.

For Arm-based architecture, here is the post to install Docker /Docker-Compose:



System Update

Check System Public IP:

[[email protected] ~]# curl https://ip.51sec.org/api
132.145.100.226

Update CentOS 8 system to latest:

 [[email protected] ~]# yum upgrade -y && yum update -y

Update Ubuntu 20.04 system to latest:

 [[email protected] ~]# apt update -y && apt upgrade -y

Install NodeQuery Monitor Agent

Add a new server to your NodeQuery account, or select Reinstall, to get the code for agent installation.


[[email protected] ~]# wget -N https://raw.github.com/nodequery/nq-agent/master/nq-install.sh && bash nq-install.sh Zb8Ge0oBFXvx24SM6YgfpH

SWAP Size change

Depending on your VPS's default configuration, you may need to increase the swap size. On small-memory VPSes (less than 2GB) this dramatically improves the stability of your services.

[[email protected] ~]# free
              total        used        free      shared  buff/cache   available
Mem:         823684      258292      120892        1904      444500      553072
Swap:       8388604        8532     8380072


Check the post "Change SWAP Size to Improve Low Memory Cloud VM Reliability" for how to change your swap size.

Basic command: 
wget https://raw.githubusercontent.com/51sec/swap/main/swap.sh && bash swap.sh

Install Docker and Docker Compose

Install Docker on CentOS 8:

curl -sSL https://get.docker.com/ | sh 
systemctl start docker 
systemctl enable docker

Install Docker on Ubuntu 20.04:

#Ubuntu 20.04
sudo apt install docker.io

Install Docker Compose on CentOS 8:
Important: Check the latest version of docker-compose at https://docs.docker.com/compose/release-notes/ and then modify the following command with the latest version number. (I got 1.29.2 for this installation)


curl -L "https://get.daocloud.io/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
ln -s /usr/local/bin/docker-compose /usr/bin/docker-compose
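
The commands above download the docker-compose binary from a download mirror and make it executable as root without checking its integrity. The following is an added example, not part of the original post: it installs the binary only when its SHA-256 digest matches a checksum file in sha256sum format. The function names and the checksum source (the official release page) are assumptions.

```bash
#!/usr/bin/env bash
# Added example: install a downloaded binary only if its SHA-256 digest
# matches the one listed in a checksum file ("<digest>  <filename>").

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# expected_digest SUMFILE NAME -> prints the digest listed for NAME
# (a leading "*" on the file name, sha256sum's binary-mode marker, is ignored)
expected_digest() {
    awk -v name="$2" '{ f = $2; sub(/^\*/, "", f) }
                      f == name { print tolower($1); exit }' "$1"
}

# verified_install BINARY SUMFILE NAME DEST
# Copies BINARY to DEST with mode 0755 only when the digests match.
# Returns 1 and installs nothing if the digest is missing or different.
verified_install() {
    vi_want="$(expected_digest "$2" "$3")"
    vi_got="$(sha256_of "$1")"
    if [ -z "$vi_want" ]; then
        echo "no digest listed for $3 in $2" >&2
        return 1
    fi
    if [ "$vi_want" != "$vi_got" ]; then
        echo "digest mismatch for $3: want $vi_want, got $vi_got" >&2
        return 1
    fi
    install -m 0755 "$1" "$4"
}

# Usage on the host (both URLs are placeholders, not taken from the post):
#   name="docker-compose-$(uname -s)-$(uname -m)"
#   curl -fsSL -o "/tmp/$name"        "<binary URL>"
#   curl -fsSL -o "/tmp/$name.sha256" "<checksum URL from the official release page>"
#   verified_install "/tmp/$name" "/tmp/$name.sha256" "$name" /usr/local/bin/docker-compose
```

Fetch the checksum file from the official release page rather than from the same mirror as the binary, otherwise a tampered mirror can serve a matching pair.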
Install Docker Compose on Ubuntu 20.04:

#Ubuntu 20.04
sudo apt install docker-compose

Check Version:

[[email protected] ~]# /usr/local/bin/docker-compose version
docker-compose version 1.29.2, build 5becea4c
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

[[email protected] ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.6
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        370c289
 Built:             Fri Apr  9 22:44:36 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.6
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd2
  Built:            Fri Apr  9 22:43:02 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
[[email protected] ~]#

Install Portainer

Please make sure ports 80, 443 and 9000 are open on your VPS's firewall. We can close 9000 later.

[[email protected] ~]# docker volume create portainer_data
portainer_data
[[email protected] ~]# docker run -d -p 9000:9000 --name portainer --restart always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest
Unable to find image 'portainer/portainer-ce:latest' locally
latest: Pulling from portainer/portainer-ce
94cfa856b2b1: Pull complete
49d59ee0881a: Pull complete
f220caeff793: Pull complete
Digest: sha256:67e3edef02ba465d18663cd273cc24ec2764b27686ea5afbe8f392317a70ed72
Status: Downloaded newer image for portainer/portainer-ce:latest
d0ff883b063156b5929a8999593d38837501e6c16ffcefcbefb221ebe0301a32
[[email protected] ~]#

Verify Portainer from Internet by visiting http://<VPS's Public IP>:9000


Install Nginx using Portainer


From the Portainer portal, click the App Templates menu, then choose the Nginx template to deploy:


Make sure you map port 80 and port 443 as shown below:



Now you should get your Nginx page from http://<VPS's public ip>




Configure Nginx as Reverse Proxy 

In this section, Nginx is configured as a reverse proxy that forwards all traffic for portainer1.51sec.eu.org on ports 80 and 443 to the Portainer container. Connect to the Nginx container's console from the Portainer portal, or with the command docker exec -it nginx /bin/bash (or docker exec -it nginx sh).

[email protected]:/# apt update && apt install nano -y
nano /etc/nginx/conf.d/portainer.conf


server {
    listen       80;
    server_name  portainer1.51sec.eu.org;

    location / {
        # Portainer's web UI is published on port 9000 by the docker run command above
        proxy_pass         http://172.31.23.170:9000;
        proxy_http_version 1.1;
        proxy_read_timeout 300;
        # Pass WebSocket upgrades through to Portainer
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Real-PORT $remote_port;
    }
}

service nginx restart

Visit http://portainer1.51sec.eu.org in a Google Chrome Incognito window to verify the access and configuration.

Enable Https for Nginx

Connect to the Nginx container's console from the Portainer portal, or with the command: docker exec -it nginx /bin/bash


apt update
apt install certbot python-certbot-nginx
certbot --nginx


[email protected]:/# certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: portainer1.51sec.eu.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for portainer1.51sec.eu.org
2021/05/24 19:49:48 [notice] 1330#1330: signal process started
Waiting for verification...
Cleaning up challenges
2021/05/24 19:49:53 [notice] 1332#1332: signal process started
Deploying Certificate to VirtualHost /etc/nginx/conf.d/portainer.conf
2021/05/24 19:49:56 [notice] 1334#1334: signal process started

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://portainer1.51sec.eu.org

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=portainer1.51sec.eu.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/portainer1.51sec.eu.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/portainer1.51sec.eu.org/privkey.pem
   Your cert will expire on 2021-08-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[email protected]:/# 

After this step, both HTTP and HTTPS should work for your Portainer site.



Custom Bridge Network


Create a new bridge network and join your containers to it. Containers on the same bridge network can reach each other directly by name.





Join your Docker containers to the newly created bridge network.

The containers can then use each other's names to reach one another. After this, we can close port 9000 on the firewall.




[email protected]:/# ping portainer
PING portainer (172.20.20.3) 56(84) bytes of data.
64 bytes from portainer.mybridge (172.20.20.3): icmp_seq=1 ttl=64 time=0.104 ms
64 bytes from portainer.mybridge (172.20.20.3): icmp_seq=2 ttl=64 time=0.080 ms
64 bytes from portainer.mybridge (172.20.20.3): icmp_seq=3 ttl=64 time=0.081 ms
64 bytes from portainer.mybridge (172.20.20.3): icmp_seq=4 ttl=64 time=0.079 ms
^C
--- portainer ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 53ms
rtt min/avg/max/mdev = 0.079/0.086/0.104/0.010 ms
[email protected]:/# 


nano /etc/nginx/conf.d/portainer.conf

server {
    listen       80;
    server_name  portainer1.51sec.eu.org;

    location / {
        # Container name resolves on the shared bridge network; 9000 is Portainer's web UI port
        proxy_pass         http://portainer:9000;
        proxy_http_version 1.1;
        proxy_read_timeout 300;
        # Pass WebSocket upgrades through to Portainer
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Real-PORT $remote_port;
    }
}
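
Closing port 9000 on the firewall is worth pairing with a check of what the containers still publish: a port started with -p 9000:9000 stays bound on the host, through Docker's own iptables rules, until the container is recreated without it. The following is an added example, not part of the original post: it reads docker ps output and lists ports published on all interfaces. The function names and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: list container ports that are published on every host
# interface. Input is one line per container, as produced by:
#   docker ps --format '{{.Names}}|{{.Ports}}'

# exposed_ports: stdin -> "name hostport" for each port bound to 0.0.0.0 or ::
exposed_ports() {
    awk -F '|' '{
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            arrow = index(maps[i], "->")
            if (arrow == 0) continue                   # exposed by the image, not published
            host = substr(maps[i], 1, arrow - 1)       # e.g. 0.0.0.0:9000
            port = host; sub(/^.*:/, "", port)         # text after the last colon
            addr = substr(host, 1, length(host) - length(port) - 1)
            if (addr != "0.0.0.0" && addr != "::" && addr != "[::]") continue
            if (!seen[$1 " " port]++) print $1, port   # IPv4 and IPv6 entries collapse
        }
    }'
}

# is_published NAME PORT: succeeds if NAME still publishes PORT on all interfaces
is_published() {
    exposed_ports | grep -qxF "$1 $2"
}

# Constructed sample output (not captured from the post's host).
# BEFORE: Portainer started with -p 9000:9000, as in the docker run command above.
BEFORE='portainer|8000/tcp, 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp
nginx|0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp'
# AFTER: Portainer recreated without -p and reached only through Nginx.
AFTER='portainer|8000/tcp, 9000/tcp
nginx|0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp'

echo "before:"; printf '%s\n' "$BEFORE" | exposed_ports
echo "after:";  printf '%s\n' "$AFTER"  | exposed_ports
```

On the host, run docker ps --format '{{.Names}}|{{.Ports}}' | exposed_ports; only Nginx's 80 and 443 should be listed once Portainer is no longer published.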


Install Network Utilities in Container

Most of the time, a Docker image does not include the network utilities that help you troubleshoot network connectivity, such as ping, ifconfig, traceroute and telnet. You might want to install them yourself.


[email protected]:/# cat /etc/*-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
[email protected]:/# 



[email protected]:/# apt-get update
[email protected]:/# apt-get install iputils-ping
[email protected]:/# apt-get install telnet
[email protected]:/# apt-get install traceroute
[email protected]:/# apt-get install net-tools

Note: net-tools includes the ifconfig and netstat commands.

