DEV Community

Lulu
Lulu

Posted on

Optimizing Docker for High Security: Combining Docker and SafeLine

Docker is an open-source application container engine built with Go and follows the Apache 2.0 protocol. It enables developers to package their applications and dependencies into lightweight, portable containers. These containers can be deployed on any popular Linux machine, offering a form of lightweight virtualization. Each container operates in complete isolation (similar to iPhone apps), and most importantly, the performance overhead is minimal.

Docker Installation

Here's how to install Docker on CentOS:

1.Install Docker Image

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun
Enter fullscreen mode Exit fullscreen mode

2.Set Up Stable Repositories

sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
Enter fullscreen mode Exit fullscreen mode

3.Install Required Packages

sudo yum install -y yum-utils device-mapper-persistent-data lvm2
Enter fullscreen mode Exit fullscreen mode

4.Remove Old Docker Versions (if any)

yum remove docker docker-client docker-common docker-latest docker-engine
Enter fullscreen mode Exit fullscreen mode

5.List Available Docker Versions

yum list docker-ce --showduplicates | sort -r
Enter fullscreen mode Exit fullscreen mode

6.Install Selected Version (e.g., 19.03.13)

yum install docker-ce-19.03.13 docker-ce-cli-19.03.13 containerd.io
Enter fullscreen mode Exit fullscreen mode

7.Alternatively, Install the Latest Version

yum -y install docker-ce
Enter fullscreen mode Exit fullscreen mode

8.Start and Enable Docker

systemctl start docker
systemctl enable docker
Enter fullscreen mode Exit fullscreen mode

Optimization

When deploying services, it’s best to tune the system for minimal service disruption. Below are some optimizations to improve Docker's performance.

Step 1: Directory Migration

# Stop Docker service
systemctl stop docker

# Create new directory for Docker data
mkdir -p /home/jamelli/docker/data/lib

# Copy existing Docker data to the new directory
rsync -r -avz /var/lib/docker /home/jamelli/docker/data/lib
Enter fullscreen mode Exit fullscreen mode

Step 2: Configure Docker to Use New Directory

cat <<EOF > /etc/systemd/system/docker.service.d/devicemapper.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --graph=/home/jamelli/docker/data/lib/docker
EOF

# Reload and restart Docker
systemctl daemon-reload
systemctl restart docker
Enter fullscreen mode Exit fullscreen mode

Log Optimization

To manage log file size and avoid excessive disk usage, configure log rotation:

cat <<EOF > /etc/docker/daemon.json
{
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "100m",
        "max-file": "3"
    }
}
EOF
Enter fullscreen mode Exit fullscreen mode

Disk Optimization

Use these commands to clean up unused containers, volumes, and images:

docker system df
docker system prune
docker system prune -a
Enter fullscreen mode Exit fullscreen mode

To check detailed disk usage:

docker system df -v
Enter fullscreen mode Exit fullscreen mode

Docker Commands You Should Know

  • docker system df: Check Docker’s memory usage
  • docker image: View Docker image contents
  • docker info: Get Docker system information
  • docker stats: View container resource usage (CPU, memory)
  • docker logs --tail=10 -f <container-name>: View container logs in real-time

SafeLine WAF Integration

Now that Docker is installed and optimized, you can further secure your infrastructure by deploying SafeLine WAF, a powerful and free web application firewall. Here's how to install SafeLine on your Dockerized system:

1.Install SafeLine

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"
Enter fullscreen mode Exit fullscreen mode

2.Access SafeLine
After installation, open port 9443 on your firewall to access the SafeLine management interface:

# Open port 9443
firewall-cmd --zone=public --add-port=9443/tcp --permanent
firewall-cmd --reload
Enter fullscreen mode Exit fullscreen mode

Then, access SafeLine at:

https://<your-server-ip>:9443/
Enter fullscreen mode Exit fullscreen mode

3.Protect Your Web Apps
With SafeLine, your Dockerized applications will be protected against common attacks like SQL injections, XSS, and DDoS threats. SafeLine’s traffic processing engine, built on Nginx, ensures that your applications are secure while maintaining high performance.

Solving Common Docker Issues

When pulling Docker images, if you encounter the following error:

Error response from daemon: net/http: TLS handshake timeout
Enter fullscreen mode Exit fullscreen mode

You can resolve this by adding a Docker mirror:

sudo vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
Enter fullscreen mode Exit fullscreen mode

Then reload and restart Docker:

systemctl daemon-reload
systemctl restart docker
Enter fullscreen mode Exit fullscreen mode

Top comments (0)