Step 2 in the Linux setup for the ServiceNow® headless browser for Automated Test Framework.
Role required: admin on your ServiceNow® instance and local administrator on the host machine.
Complete step 1: Generate certificates for headless browser setup for Linux
Procedure
- Configure Docker to use the certificates you generated in Step 1.
- Find or create the /etc/docker/daemon.json file.
- Add the following properties to the daemon.json file. Be sure to replace the placeholder paths with the correct paths to your certificates. To learn more, see https://docs.docker.com/config/daemon/#configure-the-docker-daemon.
- Configure Docker to expose the remote API on a port (port 2376 is recommended). On Linux distributions that use systemd, such as recent versions of RedHat, CentOS, Ubuntu and SLES, you can configure Docker to accept remote connections in the docker.service systemd unit file; on distributions that do not use systemd, use the daemon.json file instead.
If using systemd (systemctl):
- Use the command
sudo systemctl edit docker.service
to open an override file for docker.service in a text editor.
- Add or modify the following lines, substituting your own values.
- Save the file.
- Reload the systemctl configuration.
sudo systemctl daemon-reload
- Restart Docker.
sudo systemctl restart docker.service
If not using systemd:
- Set the hosts array in /etc/docker/daemon.json so that the daemon listens on the UNIX socket and a TCP address, as follows (the value must be valid JSON, with double quotes):
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]}
Set hosts in only one place: dockerd refuses to start if hosts is given both in daemon.json and as a -H flag in the systemd unit's ExecStart.
- Restart Docker.
- To enable Docker access from the command line, add the certificate authority certificate and the client key pair to the .docker directory. Copy the CA certificate (ca.pem), the client private key (be sure to name it key.pem) and the client certificate (be sure to name it cert.pem).
- Copy certificates to the docker home directory.
mkdir -pv ~/.docker
cp ca.pem ~/.docker
cp client-key.pem ~/.docker/key.pem
cp client-cert.pem ~/.docker/cert.pem
- Set DOCKER_HOST and DOCKER_TLS_VERIFY environment variables for your user:
- Use the command
The default Docker config works, but some additional settings improve the overall experience with Docker. We will create a JSON config file with optimized options for the Docker Daemon, install bash completion for the Docker CLI commands with one line, and increase security. But first things first.
Docker / Docker Compose installation
Please refer to the official Docker installation docs to install Docker on your specific system. To install Docker Compose, you can simply execute the following command, which downloads Docker Compose 1.11 and makes it executable. Make sure you are root, otherwise you get a permission denied error. Docker Compose simplifies multi-container apps: it is a tool for defining and running multi-container Docker applications and maintains a logical definition of a distributed application. You can then deploy this stack to your Docker Swarm cluster with docker stack deploy --compose-file=docker-compose.yml my_stack. But this is another great story.
Docker Daemon configuration
You can modify the Docker Daemon configuration to improve overall performance and make it more robust. The storage filesystem driver in particular is a key component. We will use the overlay2 storage driver, which requires Linux kernel >= 4.0 and Docker >= 1.12, so make sure it is available on your system. There are also security features, such as user namespaces, that should be enabled.
Let's activate our own configuration file by running this command.
Warning: Your current Docker configuration will be overwritten.
There is no way to move data from one storage driver to another, so all your existing Docker containers and images will no longer be available. You can delete everything before switching with the command docker system prune to save some disk space. This is optional of course, and you can switch back by restoring your previous storage driver. Fasten your seatbelts and take off.
Create the file /etc/docker/daemon.json and put the following lines there. You find an excellent explanation of each configuration flag here. In short, we use the storage driver overlay2, enable JSON log files with log rotation and enable user namespaces. userns-remap uses a UID and GID, both 1000 on my system. You can check these values for your user by executing the command id.
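As an added example (not code from the ServiceNow procedure or from the blog post), this Python script audits a daemon.json body for the settings both sections describe: TLS client verification on any tcp:// listener, the overlay2 storage driver, bounded json-file logs and userns-remap. The two inputs are constructed; the certificate paths and the 10m/3 log limits are assumed values.

```python
import json

# Constructed sample inputs (added here, not from the page's author). The first
# is the page's own daemon.json fragment as printed; the second combines the TLS
# settings from the procedure above with the overlay2, log-rotation and
# userns-remap settings from the blog post. Certificate paths are assumed.
WEAK_CONFIG = "{ 'hosts': ['tcp://0.0.0.0:2376']}"
HARDENED_CONFIG = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "storage-driver": "overlay2",
  "log-driver": "json-file",
  "log-opts": {"max-size": "10m", "max-file": "3"},
  "userns-remap": "1000:1000"
}"""


def audit_daemon_json(text):
    """Return a list of findings for a daemon.json body; an empty list passes."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # dockerd refuses to start on invalid JSON; single quotes are the usual cause.
        return ["invalid JSON: %s at column %d" % (exc.msg, exc.colno)]
    findings = []
    if any(h.startswith("tcp://") for h in cfg.get("hosts", [])):
        # A TCP listener without TLS client verification is unauthenticated root on the host.
        if cfg.get("tlsverify") is not True:
            findings.append("tcp host configured without tlsverify")
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append("tcp host configured but %s is missing" % key)
    if cfg.get("storage-driver") != "overlay2":
        findings.append("storage-driver is not overlay2")
    # The daemon default is json-file with no rotation, so a missing log-driver is unbounded too.
    log_opts = cfg.get("log-opts", {})
    if cfg.get("log-driver", "json-file") == "json-file" and "max-size" not in log_opts:
        findings.append("json-file logging without max-size (unbounded log growth)")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set (container root == host root)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_json(text) or ["ok"])
```

Run it against your own /etc/docker/daemon.json before restarting the daemon; the page's single-quoted fragment is reported as invalid JSON rather than as a TLS finding, because dockerd would never load it.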
Docker CLI Bash completion
Did you know that Docker also comes with bash completion? This is really helpful. Make sure you are root, otherwise you get a permission denied error. The following command downloads the bash completion file for the currently installed Docker version. You should also run this command after each Docker update.
Bash completion is also available for Docker Compose, which makes things easier. The following command downloads the bash completion file for the currently installed Docker Compose version. You should also run this command after each Docker Compose update.
Now it's time to restart the Docker service with sudo service docker restart (Ubuntu); docker info should then report the new settings. The bash completion will be available once you reopen your terminal. Let me know if you have other Docker config improvements.
Conclusion
This blog post has shown how to configure and optimize the Docker Daemon configuration. The Docker Daemon now performs better thanks to the overlay2 storage driver and is more robust thanks to user namespaces. The CLI bash completion for Docker and Docker Compose is very handy too.