Docker group membership is more dangerous than sudo

The Docker daemon typically runs under the root account, so access to Docker commands effectively grants full root power. By design, this allows easy access as root to the host filesystem. Unfortunately, it also makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized app to do so.

Docker has no equivalent to sudo's password check, so an arbitrary-code-execution exploit against a user in the docker group effectively grants the attacker root access. Therefore, the safer choice is to never add a user account — even your own — to the docker group, so that Docker commands can only be used via sudo.

If Docker running at root level is an unacceptable security risk, consider running in "rootless mode" instead.

See also "Docker daemon attack surface" in the upstream documentation for more details.
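The following audit helper is added here and is not taken from the Debian wiki page. It checks the state this section recommends: whether any account is in the docker group (and so has root-equivalent access with no password check) and, on a live host, which group owns the daemon socket. It runs offline on a constructed sample in /etc/group format; the group name docker and the socket path /var/run/docker.sock are the standard defaults and the only assumptions.

```shell
#!/bin/sh
# Added audit helper (not part of the Debian wiki page): reports accounts that
# hold password-free root-equivalent access through the docker group.

# Print the comma-separated member field of group $1, reading entries in
# /etc/group format from standard input.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }'
}

# Succeed only when group $1 (read from stdin) has no supplementary members,
# which is the state the page recommends for "docker".
group_is_empty() {
    [ -z "$(group_members "$1")" ]
}

# Constructed sample in /etc/group format so the script runs offline;
# on a real host feed it /etc/group instead (see audit_host below).
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
docker:x:998:alice,bob'

# Report on group data supplied on stdin.
audit_group_data() {
    members=$(group_members docker)
    if [ -n "$members" ]; then
        echo "WARNING: root-equivalent access with no password check via docker group: $members"
    else
        echo "OK: docker group has no members; Docker is only usable through sudo"
    fi
}

# Run the same audit against the live host and show who can reach the socket.
audit_host() {
    audit_group_data </etc/group
    if [ -S /var/run/docker.sock ]; then
        ls -l /var/run/docker.sock
    fi
}

printf '%s\n' "$SAMPLE_GROUP" | audit_group_data
```

Replace the final line with `audit_host` to run it against the host you are administering.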

Request for help!

Need your help with Docker packaging.

See #908868-RFH: docker.io -- Linux container runtime

Docker manages lightweight process containers. docker.io is Debian's package to use Docker, and docker-ce is the equivalent package provided by upstream.

Official ready-made images from Docker Hub

Docker Hub hosts official Debian images. In Docker terminology, an "image" is an object that you can download and reuse to instantiate new containers.

To build and run a container from a Debian image as quickly as possible, run:

 # Install Docker, if you haven't already
 $ sudo apt-get install docker.io

 # Create a Debian Stable container and launch a bash shell inside it.
 # Refer to the official Debian page on Docker Hub for alternative tags to "stable".
 $ sudo docker run -it --rm --name deb-stable debian:stable /bin/bash

 root@0cf9a333ad8b:/#

 # Press Ctrl+P followed by Ctrl+Q to detach from the container without stopping it.

 # List running containers (from the host)
 $ sudo docker ps

 # Example output from the docker ps command:
 CONTAINER ID   IMAGE           COMMAND       CREATED          STATUS         PORTS   NAMES
 0cf9a333ad8b   debian:stable   "/bin/bash"   28 minutes ago   Up 2 minutes           deb-stable

 # Reconnect to a running container
 $ sudo docker attach <Container ID>
 # So, for example,
 $ sudo docker attach 0cf9a333ad8b

 root@0cf9a333ad8b:/#

Docker stores its working files under /var/lib/docker/, but stay out of this directory: manage its contents only through docker commands, never by editing it directly.

Manual base image creation

The official images are minimal and appropriate for most containers. If you want to roll your own image from scratch, note that the official images are built with the Debuerreotype build system (package debuerreotype); refer to Debuerreotype's documentation for building your own images.

For alternatives to debuerreotype, see Tools to create a build system. For other ways to bootstrap a system, see System Build Tools.

Running services inside Docker containers

The relevance and accuracy of this documentation needs review and verification. A lot of it looks very old.

See archived https://www.debian-administration.org/article/698/Automating_the_creation_of_docker_images for a description of how to automate image creation for services running Debian, which describes a way to ensure services will be started properly by runit inside the containers.

You may also be interested in the Debian adaptation of baseimage-docker made by obergix, which also uses runit to control services run inside a container.

John Goerzen has a set of Debian images which feature a full standard init system, cron, SMTP server, etc. in about 11MB of RAM. These are available for jessie, stretch, buster and sid, and are further discussed in a blog post.

See http://sfxpt.wordpress.com/2013/11/17/debianubuntu-package-developing-with-docker-continued/ for a more classical approach to the problem by sharing directories between the host and packaging containers.
