Collection for Interesting Docker Images - NETSEC

Sunday, July 5, 2020

Collection for Interesting Docker Images

Sometimes, while browsing the internet, I come across interesting Docker images. I decided I had better save them somewhere before I forget them, hence this post. All of the containers below have been tested on Play with Docker.
  • Install Docker / Docker Compose
  • Matomo - Web analytics app
  • Shiori - a Simple Bookmarks Manager
  • A Simple PHP Web Proxy:miniProxy
  • Instantbox-Create a Web temp linux
  • Jellyfin - A Personal Media Server
  • Deploy a CentOS Container
  • HTML5-Based Speedtest to Your VPS
  • ServerStatus
  • NetData
  • ttyd - Share your terminal over the web
  • Yahei Php Probe
  • Grafana+InfluxDB for Monitoring
  • Ubuntu18.04 Xfce4 (VNC/noVNC)
  • Poste Mail Server
  • MediaWiki
  • WebSSH
  • Images Self Hosting Program - Chevereto
  • Baota Panel for VPS
Install Docker / Docker Compose

Install Docker
#CentOS 6
rpm -iUvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum update -y
yum -y install docker-io
service docker start
chkconfig docker on

#CentOS 7, Debian, Ubuntu
curl -sSL https://get.docker.com/ | sh
systemctl start docker
systemctl enable docker
 
For Ubuntu 20.04:

#Ubuntu 20.04
sudo apt install docker.io
sudo apt install docker-compose


Install Docker Compose
curl -L "https://get.daocloud.io/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

chmod +x /usr/local/bin/docker-compose


Console output from an Ubuntu 18 AWS Lightsail VPS:
bitnami@ip-172-26-0-136:~$ sudo -i
root@ip-172-26-0-136:~# curl -sSL https://get.docker.com/ | sh
# Executing docker install script, commit: 26ff363bcf3b3f5a00498ac43694bf1c7d9ce16c
+ sh -c apt-get update -qq >/dev/null
+ sh -c DEBIAN_FRONTEND=noninteractive apt-get install -y -qq apt-transport-https ca-certificates curl >/dev/null
+ sh -c curl -fsSL "https://download.docker.com/linux/ubuntu/gpg" | apt-key add -qq - >/dev/null
+ sh -c echo "deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable" > /etc/apt/sources.list.d/docker.list
+ sh -c apt-get update -qq >/dev/null
+ [ -n  ]
+ sh -c apt-get install -y -qq --no-install-recommends docker-ce >/dev/null
+ sh -c docker version
Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10
 Git commit:        48a66213fe
 Built:             Mon Jun 22 15:45:49 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.12
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.10
  Git commit:       48a66213fe
  Built:            Mon Jun 22 15:44:20 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.2.13
  GitCommit:        7ad184331fa3e55e52b890ea95e65ba581ae3429
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
If you would like to use Docker as a non-root user, you should now consider
adding your user to the "docker" group with something like:

  sudo usermod -aG docker your-user

Remember that you will have to log out and back in for this to take effect!

WARNING: Adding a user to the "docker" group will grant the ability to run
         containers which can be used to obtain root privileges on the
         docker host.
         Refer to https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface
         for more information.
root@ip-172-26-0-136:~# systemctl start docker
root@ip-172-26-0-136:~# systemctl enable docker
Synchronizing state of docker.service with SysV init with /lib/systemd/systemd-sysv-install...
Executing /lib/systemd/systemd-sysv-install enable docker

root@ip-172-26-0-136:~# exit
logout
bitnami@ip-172-26-0-136:~$ docker -v
Docker version 19.03.12, build 48a66213fe

bitnami@ip-172-26-0-136:~$ sudo -i
root@ip-172-26-0-136:~# curl -L "https://get.daocloud.io/docker/compose/releases/download/1.24.1/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   379  100   379    0     0    138      0  0:00:02  0:00:02 --:--:--   139
100   638  100   638    0     0    228      0  0:00:02  0:00:02 --:--:--   228
100 15.4M  100 15.4M    0     0  4631k      0  0:00:03  0:00:03 --:--:-- 32.3M
root@ip-172-26-0-136:~#
root@ip-172-26-0-136:~# chmod +x /usr/local/bin/docker-compose
root@ip-172-26-0-136:~# exit
logout

bitnami@ip-172-26-0-136:~$ docker-compose -v
docker-compose version 1.24.1, build 4667896b
bitnami@ip-172-26-0-136:~$
Or use Play with Docker online.

Another way to install Docker on Debian and Ubuntu:
curl -fsSL "https://download.docker.com/linux/debian/gpg" | apt-key add -
echo "deb [arch=amd64] https://download.docker.com/linux/debian stretch stable" > /etc/apt/sources.list.d/docker.list
apt-get update && apt-get install -y docker-ce

Matomo - Web analytics app

Matomo is a free and open source web analytics application that runs on a PHP/MySQL web server. It tracks online visits to one or more websites and displays reports on these visits for analysis.

Docker URL: https://github.com/crazy-max/docker-matomo

#Pull and run the Matomo image
docker run --restart=always -d --name matomo \
  -p 8000:8000 \
  -v ~/matomo/data:/data \
  crazymax/matomo

#Pull and run the MySQL image
docker run --restart=always --name mysqlmatomo -d \
  -p 3306:3306 \
  -e MYSQL_ROOT_PASSWORD=51sec123 \
  -e MYSQL_DATABASE=matomo \
  -e MYSQL_USER=matomo \
  -e MYSQL_PASSWORD=51sec123 \
  -v ~/matomo/mysql:/var/lib/mysql \
  mysql:5.6



Shiori - a Simple Bookmarks Manager

Shiori is a simple bookmarks manager written in Go, intended as a simple clone of Pocket. You can use it as a command-line application or as a web application. It is distributed as a single binary, which means it can be installed and used easily.

GitHub URL: https://github.com/go-shiori/shiori

docker run -d --name shiori --restart=always -p 8080:8080 -v ~/shiori:/srv/shiori radhifadlillah/shiori

After installation, visit http://ip:8080. The initial administrator username and password are shiori and gopher.



A Simple PHP Web Proxy: miniProxy

#Use an IP address to visit
docker run --name miniproxy -d \
  --restart=always \
  -p 80:80 \
  moerats/miniproxy

#Use a domain name to visit
docker run --name miniproxy -d \
  --restart=always \
  -p 80:80 \
  -p 443:443 \
  -e domain=www.moerats.com \
  moerats/miniproxy



Instantbox - Create a temporary Linux in the browser

Instantbox spins up temporary Linux systems with instant webshell access from any browser and currently supports various versions of Ubuntu, CentOS, Arch Linux, Debian, Fedora and Alpine.

https://github.com/instantbox/instantbox

Install Instantbox:

#The script will ask you for the IP, port and other settings
mkdir instantbox && cd $_
bash <(curl -sSL https://raw.githubusercontent.com/instantbox/instantbox/master/init.sh)
#Start the container
docker-compose up -d

By default it listens on ip:8888.


Jellyfin - A Personal Media Server

Similar to Plex and Emby.


Docker Installation:

docker run -d -p 8096:8096 -v /jellyfin/config:/config -v /jellyfin/media:/media jellyfin/jellyfin


Access ip:8096

You might need to fill in the ffmpeg path, which is usually /usr/bin. You can check the path by running 'which ffmpeg'.



Deploy a CentOS Container

Startup command:
docker run -d -p 2222:22 --name CentOS-Docker ilemonrain/centos-sshd
Parameter description:
-d: start in daemon (background) mode
-p 2222:22: host port 2222 is mapped to the container's port 22
--name CentOS-Docker: container name
ilemonrain/centos-sshd: image and version
Please expose the corresponding ports according to your actual needs.
More instructions:
#For different ports: -p 80:80 -p 53:53. For different protocols: -p 80:80/tcp -p 53:53/udp.

#ilemonrain/centos-sshd defaults to CentOS 6.9. If you need CentOS 7.4, change the tag at the end to ilemonrain/centos-sshd:7.4; other versions work the same way.

After deployment, the SSH login information is:
username: root
password: centos
Please change your SSH password immediately after a successful login to prevent brute-force attacks.


HTML5-Based Speedtest to Your VPS

Use the following command to run the image:
docker run [-t/-d] -p [6688]:80 ilemonrain/html5-speedtest:alpine
Detailed parameters:
-t: show logs after start; press Ctrl+C to move it to the background
-d: start the container in background (daemon) mode
-p 6688:80: map host port 6688 to container port 80
Example command:
docker run -d -p 6688:80 ilemonrain/html5-speedtest:alpine
Then open http://ip:6688.



ServerStatus


#Create folder
mkdir /home/ServerStatus
#get configuration file
cd /home/ServerStatus
wget --no-check-certificate https://raw.githubusercontent.com/91yun/ServerStatus/master/server/config.json
#create docker container sss
docker create --name=sss \
--restart=always \
-v /home/ServerStatus/config.json:/ServerStatus/server/config.json \
-p 3561:3561 \
-p 80:80 \
rongdede/serverstatus:server
docker start sss
http://<public ip>:80

More configuration details can be found on the GitHub site.





NetData

Netdata is distributed, real-time performance and health monitoring for systems and applications. It is a highly optimized monitoring agent you install on all your systems and containers.
Netdata provides unparalleled insights, in real time, into everything happening on the systems it runs on (including web servers, databases, applications), using highly interactive web dashboards. It can run autonomously, without any third-party components, or it can be integrated into existing monitoring toolchains (Prometheus, Graphite, OpenTSDB, Kafka, Grafana, etc).
Netdata is fast and efficient, designed to run permanently on all systems (physical and virtual servers, containers, IoT devices) without disrupting their core function.
Netdata is free, open-source software and it currently runs on Linux, FreeBSD and macOS.
docker run -d --name=netdata \
  -p 19999:19999 \
  -v /proc:/host/proc:ro \
  -v /sys:/host/sys:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  --cap-add SYS_PTRACE \
  --security-opt apparmor=unconfined \
  netdata/netdata
The above can be converted to docker-compose file for ease of management:
version: '3'
services:
  netdata:
    image: netdata/netdata
    hostname: example.com # set to fqdn of host
    ports:
      - 19999:19999
    cap_add:
      - SYS_PTRACE
    security_opt:
      - apparmor:unconfined
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro




ttyd - Share your terminal over the web

ttyd is a simple command-line tool for sharing your terminal over the web.

https://hub.docker.com/r/tsl0922/ttyd/

$ docker run --restart=always --name ttyd -d -p 7681:7681 tsl0922/ttyd
1e156c668714c78a00755a3533b2031e0af03b3b555526a300909a52babe6c5d
[node1] (local) [email protected] ~/ttyd/build



Yahei PHP Probe


  Used on Linux systems (not recommended for Windows).
  You can view the server's hard disk resources, memory usage, network card traffic, system load, server time and other information in real time, refreshing once every second.
  It also shows the server IP address, web server environment and PHP information.

GitHub Repository: https://github.com/malaohu/php-yahei-tz

Command line:
git clone https://github.com/malaohu/php-yahei-tz.git -b ibm_tz && mv php-yahei-tz/* ./

Run in docker:
docker run -d --name tz -p 80:80 malaohu/php-yahei-tz


Grafana+InfluxDB

Create a new docker-compose file:
mkdir -p /opt/pingmonitor && cd /opt/pingmonitor && nano docker-compose.yml
Write in the following configuration:
version: '3.5'

volumes: 
    grafana-data:
    influxdb-data:

services: 
    grafana:
        image: grafana/grafana
        container_name: grafana
        environment:
            - GF_AUTH_ANONYMOUS_ENABLED=true
        ports:
            - 3000:3000
        volumes:
            - grafana-data:/var/lib/grafana
        restart: unless-stopped

    influxdb:
        image: influxdb
        container_name: influxdb
        environment: 
            - INFLUXDB_HTTP_AUTH_ENABLED=true
            - INFLUXDB_DB=telegraf
            - INFLUXDB_ADMIN_USER=admin
            - INFLUXDB_ADMIN_PASSWORD=password
            - INFLUXDB_USER=telegraf
            - INFLUXDB_USER_PASSWORD=password
        ports:
            - 8086:8086
        volumes: 
            - influxdb-data:/var/lib/influxdb
        restart: unless-stopped
Notes:
1. GF_AUTH_ANONYMOUS_ENABLED makes it easy to share your dashboards publicly with others.
2. INFLUXDB_ADMIN_PASSWORD sets the account password for HTTP authentication.
3. INFLUXDB_USER_PASSWORD sets the password of the database user.
After confirming everything is correct, bring it up:
docker-compose up -d
Visit your IP:3000 to open Grafana. The default admin username and password are both admin. After logging in, add the data source:

https://itprosec.com/index.php/community/network/grafanainfluxdb%e5%9f%ba%e4%ba%8edocker%e6%90%ad%e5%bb%bavps%e4%b8%89%e7%bd%91%e7%9b%91%e6%8e%a7%e5%b9%b3%e5%8f%b0/


Ubuntu18.04 Xfce4 (VNC/noVNC)


mkdir -p /opt/ubuntu-xfce-vnc && cd /opt/ubuntu-xfce-vnc && nano docker-compose.yml
version: '3.5'

services:
    ubuntu-xfce-vnc:
        container_name: xfce
        image: imlala/ubuntu-xfce-vnc-novnc:latest
        shm_size: "1gb" # prevents Chromium from crashing at high resolutions
        ports:
            - 5900:5900
            - 6080:6080
        environment: 
            - VNC_PASSWD=51sec
            - GEOMETRY=1280x768
            - DEPTH=24
        volumes: 
            - ./Downloads:/root/Downloads
        restart: unless-stopped
1. 5900 is the TigerVNC service port, 6080 is the noVNC service port.
2. VNC_PASSWD= sets your VNC password.
3. GEOMETRY= is the screen resolution; 800×600, 1024×768 and the like can be adjusted as you wish.
4. DEPTH= is the color depth; 16/24/32 are available. The higher it is, the finer the picture, but it will also lag more on a poor network.
5. Files downloaded by Chromium/Deluge/qBittorrent/Transmission are saved under root/Downloads by default.
If everything looks fine, bring it up:
docker-compose up -d
Open your browser and visit VPSIP:6080 to see the noVNC interface; enter the password to access the desktop.




Poste - Mail Server

Since it is based on Docker, Poste can run on most Linux distributions. A running Poste uses about 800 MB of memory, so a VPS with 1 GB of memory or more is recommended.

Before starting the installation, it is recommended to set up some DNS records first. We need the following records (replace 51sec.org below with your own domain):


  1. 51sec.org. A Any_IP
  2. mx.51sec.org. A 88.88.88.88
  3. 51sec.org. MX mx.51sec.org. 10
  4. mail.51sec.org. CNAME mx.51sec.org.
  5. smtp.51sec.org. CNAME mx.51sec.org.
  6. imap.51sec.org. CNAME mx.51sec.org.
  7. 51sec.org. IN TXT "v=spf1 mx ~all"
  8. _dmarc.51sec.org. IN TXT "v=DMARC1; p=none; rua=mailto:[email protected]"
  9. 88.88.88.88 PTR mx.51sec.org

Items 4, 5, 6 and 8 are optional. Item 9 is the domain's PTR record, which needs to be set at your server provider.


Run the following command to install Poste.
docker run \
-p 25:25 \
-p 80:80 \
-p 110:110 \
-p 143:143 \
-p 443:443 \
-p 587:587 \
-p 993:993 \
-p 995:995 \
-v /etc/localtime:/etc/localtime:ro \
-v /srv/poste/data:/data \
--name "PosteServ" \
-h "mx.test.com" \
-t analogic/poste.io
If there are no errors, Poste should now be installed and running. The whole process takes only 2-3 minutes.
After Poste is installed, we can log in to mx.test.com to configure it. On first login, you will be prompted to set the server name and the administrator email and password,

More details: https://itprosec.com/index.php/community/related-forum/%e5%8d%81%e5%88%86%e9%92%9f%e9%83%a8%e7%bd%b2%e4%b8%80%e4%b8%aa%e5%9f%ba%e4%ba%8edocker%e7%9a%84%e9%82%ae%e4%bb%b6%e6%9c%8d%e5%8a%a1%e5%99%a8-poste/
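The DNS list above is the part of a Poste deployment that receiving mail servers actually check. The following script, an added example rather than code from the post or from Poste.io, checks a copy of those records for the points that decide deliverability: the MX target has an A record and a matching PTR, SPF is present exactly once and does not end in +all, and DMARC exists with a reporting address (the p=none policy from the list is flagged as monitor-only). The ZONE dict and the dmarc@example.org address are constructed.

```python
"""Check the DNS records listed above for a Poste.io mail host.

Added example, not code from the post or from Poste.io. ZONE is a constructed
copy of the post's nine records (88.88.88.88 is the post's placeholder IP and
the rua address is a placeholder); a real check would fill it from dig output."""
import re

# (name, record type) -> list of values, as in the list above.
ZONE = {
    ("mx.51sec.org", "A"): ["88.88.88.88"],
    ("51sec.org", "MX"): ["10 mx.51sec.org"],
    ("mail.51sec.org", "CNAME"): ["mx.51sec.org"],
    ("51sec.org", "TXT"): ["v=spf1 mx ~all"],
    ("_dmarc.51sec.org", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.org"],
    ("88.88.88.88", "PTR"): ["mx.51sec.org"],
}

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a {tag: value} dict."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)

def check_mail_dns(zone, domain):
    """Return a list of findings; an empty list means the zone looks deliverable."""
    findings = []
    mx_hosts = [v.split()[1] for v in zone.get((domain, "MX"), [])]
    if not mx_hosts:
        return [f"{domain}: no MX record, inbound mail has nowhere to go"]
    for host in mx_hosts:
        addrs = zone.get((host, "A"), [])
        if not addrs:  # an MX target must be an A/AAAA name, never a CNAME
            findings.append(f"MX {host}: no A record")
        for ip in addrs:  # forward-confirmed reverse DNS, checked by most receivers
            if host not in zone.get((ip, "PTR"), []):
                findings.append(f"{ip}: PTR does not point back to {host} (FCrDNS fails)")
    spf = [t for t in zone.get((domain, "TXT"), []) if t.startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"{domain}: expected exactly one SPF record, found {len(spf)}")
    elif re.search(r"\s\+?all$", spf[0]):  # '+all' / 'all' authorises every sender
        findings.append(f"{domain}: SPF ends in +all, which authorises any sender")
    dmarc = [t for t in zone.get(("_dmarc." + domain, "TXT"), []) if t.startswith("v=DMARC1")]
    if not dmarc:
        findings.append(f"_dmarc.{domain}: no DMARC record")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p", "none") == "none":
            findings.append(f"_dmarc.{domain}: p=none only reports; move to quarantine/reject once SPF/DKIM align")
        if not tags.get("rua", "").startswith("mailto:"):
            findings.append(f"_dmarc.{domain}: no rua address, so aggregate reports are lost")
    return findings
```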


MediaWiki

https://hub.docker.com/_/mediawiki

The basic pattern for starting a mediawiki instance is:
$ docker run --name some-mediawiki -d mediawiki
If you'd like to be able to access the instance from the host without the container's IP, standard port mappings can be used:
$ docker run --name some-mediawiki -p 8080:80 -d mediawiki
Then, access it via http://localhost:8080 or http://host-ip:8080 in a browser.


WebSSH

Docker Image: https://hub.docker.com/r/snsyzb/webssh
To start a container from this image:
$ docker run -d -p 8080:8080 snsyzb/webssh
The container will start a web application on port 8080, so you can visit your own web SSH client by opening localhost:8080 in your browser. Or you can use the command parameter in docker run to set the address and port:
$ docker run -d -p 10000:10000 snsyzb/webssh wssh --address=0.0.0.0 --port=10000
The command above starts a container listening on port 10000.





Chevereto

https://hub.docker.com/r/nmtan/chevereto/

Docker compose

version: '3'

services:
  db:
    image: mariadb
    volumes:
      - database:/var/lib/mysql:rw
    restart: always
    networks:
      - private
    environment:
      MYSQL_ROOT_PASSWORD: chevereto_root
      MYSQL_DATABASE: chevereto
      MYSQL_USER: chevereto
      MYSQL_PASSWORD: chevereto

  chevereto:
    depends_on:
      - db
    image: nmtan/chevereto
    restart: always
    networks:
      - private
    environment:
      CHEVERETO_DB_HOST: db
      CHEVERETO_DB_USERNAME: chevereto
      CHEVERETO_DB_PASSWORD: chevereto
      CHEVERETO_DB_NAME: chevereto
      CHEVERETO_DB_PREFIX: chv_
    volumes:
      - chevereto_images:/var/www/html/images:rw
    ports:
      - 8080:80

networks:
  private:
volumes:
  database:
  chevereto_images:

Once docker-compose.yaml is ready, run the following to start the service:

docker-compose up -d

Standalone

#Assumes a MySQL/MariaDB container named "mysql" is already running.
#The link alias must match CHEVERETO_DB_HOST, so the alias here is "db".
docker run -it --name chevereto -d \
    --link mysql:db \
    -p 80:80 \
    -v "$PWD/images":/var/www/html/images \
    -e "CHEVERETO_DB_HOST=db" \
    -e "CHEVERETO_DB_USERNAME=chevereto" \
    -e "CHEVERETO_DB_PASSWORD=chevereto" \
    -e "CHEVERETO_DB_NAME=chevereto" \
    -e "CHEVERETO_DB_PREFIX=chv_" \
    nmtan/chevereto
Reference: https://v3-docs.chevereto.com/setup/install.html#procedures


Baota Panel for VPS

From: https://github.com/pch18-docker/baota

After logging in through the web GUI on port 8888, you must bind a BaoTa website account before you can use the BaoTa panel. Unfortunately, it does not support phone numbers from other countries for registering a BaoTa account.

Run the Baota image in host network mode

docker run -tid --name baota --net=host --privileged=true --shm-size=1g --restart always -v ~/wwwroot:/www/wwwroot pch18/baota

It is recommended to start in host network mode as above: there is no need to configure port mappings, and all Baota panel ports are automatically exposed to the internet.
The normal bridge mode may prevent the website backend from getting the user's real IP address.

Run the Baota image in bridge network mode

If for some reason you cannot use host network mode (macOS and Windows do not support it), use the following command to run it in bridge network mode instead:

docker run -tid --name baota -p 80:80 -p 443:443 -p 8888:8888 -p 888:888 --privileged=true --shm-size=1g --restart always -v ~/wwwroot:/www/wwwroot pch18/baota

Login

  • Login address: http://{{panel-ip-address}}:8888
docker exec -it baota bash
The command above enters the Baota docker container. Type bt and choose options 5 and 6 to change the account username and password.
Press Ctrl+D to exit the container while keeping it running.
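Several of the run lines on this page trade isolation for convenience: netdata mounts docker.sock and disables AppArmor, Baota runs with --privileged and --net=host, and the Matomo MySQL container takes its root password on the command line. The following script, an added example that is not part of the original post or of any of these projects, flags those options in a docker run line; the three commands it checks are constructed copies from this page.

```python
"""Audit `docker run` lines for options that weaken host isolation.

Added example, not code from the post or from any project it lists. The
inputs below are constructed copies of three commands from this post."""
import shlex

# Options that take a separate value when not written as --opt=value.
OPTS_WITH_VALUE = {"-v", "--volume", "-e", "--env", "-p", "--publish",
                   "--cap-add", "--security-opt", "--net", "--network"}

# Constructed inputs: copies of commands from this post, one per entry.
COMMANDS = {
    "netdata": "docker run -d --name=netdata -p 19999:19999 -v /proc:/host/proc:ro "
               "-v /sys:/host/sys:ro -v /var/run/docker.sock:/var/run/docker.sock:ro "
               "--cap-add SYS_PTRACE --security-opt apparmor=unconfined netdata/netdata",
    "baota": "docker run -tid --name baota --net=host --privileged=true --shm-size=1g "
             "--restart always -v ~/wwwroot:/www/wwwroot pch18/baota",
    "mysqlmatomo": "docker run --restart=always --name mysqlmatomo -d -p 3306:3306 "
                   "-e MYSQL_ROOT_PASSWORD=51sec123 -e MYSQL_DATABASE=matomo mysql:5.6",
}

def parse_options(command):
    """Yield (option, value) pairs; flags and positional words get value None."""
    argv = shlex.split(command)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--") and "=" in arg:
            yield tuple(arg.split("=", 1))
        elif arg in OPTS_WITH_VALUE and i + 1 < len(argv):
            yield arg, argv[i + 1]
            i += 1
        else:
            yield arg, None
        i += 1

def audit(command):
    """Return the findings for one docker run line; an empty list means nothing flagged."""
    findings = []
    for opt, val in parse_options(command):
        if opt == "--privileged" and val in (None, "true"):
            findings.append("--privileged: all capabilities and host devices, no seccomp/AppArmor")
        elif opt in ("--net", "--network") and val == "host":
            findings.append("--net=host: shares the host network namespace, every port is exposed")
        elif opt in ("-v", "--volume") and val.startswith("/var/run/docker.sock:"):
            findings.append("docker.sock mounted: the container can drive the daemon, i.e. root on the host")
        elif opt == "--cap-add":
            findings.append(f"--cap-add {val}: capability beyond Docker's default set")
        elif opt == "--security-opt" and val.endswith("unconfined"):
            findings.append(f"--security-opt {val}: default confinement profile disabled")
        elif opt in ("-e", "--env") and "PASSWORD" in val.upper() and len(val.partition("=")[2]) < 12:
            findings.append(f"{val.partition('=')[0]}: short password on the command line (visible in ps/history)")
        elif opt in ("-p", "--publish") and len(val.split("/")[0].split(":")) == 2:
            findings.append(f"-p {val}: published on all interfaces; bind to 127.0.0.1 unless it must be public")
    return findings
```

Note that the :ro on the docker.sock mount only makes the filesystem node read-only; API calls through the socket still work, which is why it is flagged regardless.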



