Docker

Replace Watchtower with WUD: Build a Controlled Docker Auto-Update Plan

Replace Watchtower with WUD: Build a Controlled Docker Auto-Update Plan WUD (What’s Up Docker) services: wud: image: getwud/wud:latest container_name: wud restart: unless-stopped ports: - "3000:3000" volumes: - /var/run/docker.sock:/var/run/docker.sock - ./store:/store environment: - TZ=Asia/Shanghai # Local Docker watcher - WUD_WATCHER_LOCAL_SOCKET=/var/run/docker.sock # Key: do not watch any containers by default - WUD_WATCHER_LOCAL_WATCHBYDEFAULT=false # Scan every 12 hours - WUD_WATCHER_LOCAL_CRON=0 */12 * * * # Auto update + prune old images after update - WUD_TRIGGER_DOCKER_AUTO_PRUNE=true # Equivalent to `watchtower --cleanup` Monitor only (no auto update) labels: - "wud.watch=true" Appears in the WUD UI Shows update hints Does not auto-restart Monitor + auto update (Watchtower equivalent) labels: - "wud.watch=true" - "wud.trigger.include=docker.auto"

Sunday, January 11, 2026 Read

Docker Containers Can't Access the Internet? NAT Configuration Guide for nftables

Docker Containers Can’t Access the Internet? NAT Configuration Guide for nftables

Wednesday, September 3, 2025 Read

Use LinuxServer.io Docker Images to Turn Desktop Apps into Web Apps

Use LinuxServer.io Docker Images to Turn Desktop Apps into Web Apps LinuxServer.io Official Site

Friday, August 1, 2025 Read

Gluetun: Route Docker Containers Through a VPN, Disconnect on No Network

Gluetun: Route Docker Containers Through a VPN, Disconnect on No Network Gluetun OpenVPN services: gluetun: image: qmcgaw/gluetun container_name: gluetun restart: unless-stopped cap_add: - NET_ADMIN devices: - /dev/net/tun:/dev/net/tun ports: - 8888:8888/tcp # HTTP proxy - 8388:8388/tcp # Shadowsocks - 8388:8388/udp # Shadowsocks volumes: - /home/user/gluetun:/gluetun environment: # Fill in based on your VPN provider's OpenVPN config - VPN_SERVICE_PROVIDER=protonvpn - VPN_TYPE=openvpn - OPENVPN_USER= # OpenVPN username - OPENVPN_PASSWORD= # OpenVPN password - SERVER_COUNTRIES=United Kingdom # Set server country, separated by commas networks: # (Optional) fixed IP for the Gluetun container network: ipv4_address: 172.27.0.5 networks: # (Optional) fixed IP for the Gluetun container network: driver: bridge ipam: config: - subnet: 172.27.0.0/16 gateway: 172.27.0.5 WireGuard services: gluetun: image: qmcgaw/gluetun container_name: gluetun restart: unless-stopped cap_add: - NET_ADMIN devices: - /dev/net/tun:/dev/net/tun ports: - 8888:8888/tcp # HTTP proxy - 8388:8388/tcp # Shadowsocks - 8388:8388/udp # Shadowsocks volumes: - /home/user/gluetun:/gluetun environment: - VPN_SERVICE_PROVIDER=protonvpn # Fill in based on your VPN provider's WireGuard config - VPN_TYPE=wireguard - WIREGUARD_PRESHARED_KEY= # Preshared key - WIREGUARD_PRIVATE_KEY= # Private key - WIREGUARD_ADDRESSES= # Set IPv4 and IPv6 addresses, separated by commas - SERVER_COUNTRIES=United Kingdom # Set server country, separated by commas networks: # (Optional) fixed IP for the Gluetun container network: ipv4_address: 172.27.0.5 networks: # (Optional) fixed IP for the Gluetun container network: driver: bridge ipam: config: - subnet: 172.27.0.0/16 gateway: 172.27.0.5 Let containers use Gluetun’s VPN connection If the service and Gluetun are in the same docker-compose, add network mode: network_mode: “service:gluetun” If the service is in a different docker-compose from Gluetun, add network_mode: “container:gluetun” Open Gluetun’s docker-compose file and re-add the service ports you need (e.g. 8080) Start Gluetun first, then start services that should use Gluetun’s VPN connection The container’s public IP should match the VPN server you selected

Friday, August 1, 2025 Read

Build a Private Object Storage with Traefik v3 and MinIO in Docker

Build a Private Object Storage with Traefik v3 and MinIO in Docker https://github.com/soulteary/traefik-minio-example.git Best Practices for Traefik 3 in Docker: Quick Start

Tuesday, August 6, 2024 Read

Container security fundamentals

Container security fundamentals: Exploring containers as processes Container security fundamentals part 2: Isolation & namespaces Container security fundamentals part 3: Capabilities Container security fundamentals part 4: Cgroups Container security fundamentals part 5: AppArmor and SELinux Container security fundamentals part 6: seccomp

Wednesday, October 4, 2023 Read

Faster Multi-Platform Builds: Dockerfile Cross-Compilation Guide

Faster Multi-Platform Builds: Dockerfile Cross-Compilation Guide method docker buildx create --use FROM --platform=linux/amd64 debian / FROM --platform=$BUILDPLATFORM debian variables BUILDPLATFORM — matches the current machine. (e.g. linux/amd64) BUILDOS — os component of BUILDPLATFORM, e.g. linux BUILDARCH — e.g. amd64, arm64, riscv64 BUILDVARIANT — used to set ARM variant, e.g. v7 TARGETPLATFORM — The value set with --platform flag on build TARGETOS - OS component from --platform, e.g. linux TARGETARCH - Architecture from --platform, e.g. arm64 TARGETVARIANT example before FROM golang:1.17-alpine AS build WORKDIR /src COPY . . RUN go build -o /out/myapp . FROM alpine COPY --from=build /out/myapp /bin after FROM --platform=$BUILDPLATFORM golang:1.17-alpine AS build WORKDIR /src ARG TARGETOS TARGETARCH RUN --mount=target=. \ --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg \ GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/myapp . FROM alpine COPY --from=build /out/myapp /bin

Monday, September 4, 2023 Read

Elasticsearch Study Notes

Elasticsearch Study Notes Install the Chinese analyzer plugin docker exec -it elasticsearch bash $ elasticsearch-plugin install https://github.com/medcl/elasticsearch-analysis-ik/releases/download/v8.4.1/elasticsearch-analysis-ik-8.4.1.zip Dev Tools The content field is text. Use ik_max_word for indexing and ik_smart for searching. The former generates as many tokens as possible, while the latter generates coarser-grained tokens. PUT /words { "mappings": { "properties": { "content": { "type": "text", "analyzer": "ik_max_word", "search_analyzer": "ik_smart" }, "age": { "type": "integer", "index": false } } } } { "acknowledged": true, "shards_acknowledged": true, "index": "words" }

Thursday, October 6, 2022 Read

Build a Lightweight Docker Image for Your Go App? | IT Man

Build a Lightweight Docker Image for Your Go App? | IT Man go build # default $ go build -o test1 main.go $ du -sh test1 14M test1 # You can add `-ldflags "-s -w"` during compilation to reduce the binary size by stripping some link and debug info. Details: # -a: force rebuilding all dependencies # -s: drop symbol table info; stack traces in panic will lose file/line info # -w: drop DWARF debug info; you cannot debug with gdb # If you don't need the symbol table, you can just use "-s" # Note: it is not recommended to use -w and -s together $ go build -ldflags "-s -w" -o test2 main.go $ du -sh test2 11M test2 upx(brew/yum install upx) $ upx test2 Ultimate Packer for eXecutables Copyright (C) 1996 - 2020 UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020 File size Ratio Format Name -------------------- ------ ----------- ----------- 11490768 -> 4063248 35.36% macho/amd64 test2 Packed 1 file. $ upx --brute test2 $ du -sh test2 4.6M test2 UPX compression options

Monday, July 25, 2022 Read

Docker Introduction

Docker Concept VM vs Container VM - Base on OS Container - Base on Application (Linux Kernel: Namespace and Cgroup) Client to Server Docker daemon - containerd, docker-containerd-shim, docker-runc Docker client - cli command docker cli -> docker daemon -> containerd -> runc -> namespace & cgroup Image Snapshots Container Read-Only processes on image Hub / Registry Store images References Docker —— 從入門到實踐 docker docs Docker commands Dockerfile ARG dist="/tmp/password" ARG projectDir="/password" FROM golang:1.16-alpine3.14 AS builder RUN apk add build-base upx ARG dist ARG projectDir WORKDIR ${projectDir} COPY . . RUN go build -trimpath -o main cmd/main.go RUN upx -9 -o ${dist} main FROM scratch ARG dist ENV TZ=Asia/Taipei COPY --from=builder ${dist} /usr/local/bin/password Dockerfile1 FROM alpine CMD ["nc","-l","12345"] Dockerfile2 FROM alpine CMD ["echo","DOCKER"] docker build command docker build . -t program docker build . -f Dockerfile -t test_mysql docker build . -t hello:v1.1 --build-arg dist=/tmp/hello --build-arg projectDir=/hello docker build . docker/status echo -e "${GREEN}Before build${RESET}" docker image ls docker build . -f docker/Dockerfile1 -t test1 docker build . -f docker/Dockerfile2 -t test2 docker image . docker/status echo -e "${GREEN}After build${RESET}" docker image ls docker run AND rm . docker/status echo -e "${GREEN}Run container1${RESET}" docker run -d --name container1 test1 echo -e "${GREEN}Run container2${RESET}" docker run -d --name container2 test2 echo -e "${GREEN}List alive containers${RESET}" docker ps echo -e "${GREEN}List all containers${RESET}" docker ps -a echo -e "${GREEN}Remove alive container${RESET}" docker rm -f container1 echo -e "${GREEN}List all containers${RESET}" docker ps -a echo -e "${GREEN}Remove exit container${RESET}" docker rm container2 echo -e "${GREEN}List all containers${RESET}" docker ps -a docker pull AND rmi . docker/status echo -e "${GREEN}List all image${RESET}" docker image ls echo -e "${GREEN}Pull alpine image${RESET}" docker pull alpine echo -e "${GREEN}List all image${RESET}" docker image ls docker rmi . docker/status echo -e "${GREEN}Remove alpine image${RESET}" docker rmi alpine echo -e "${GREEN}List all image${RESET}" docker image ls prune docker system prune -f --volumes docker history . docker/status echo -e "${GREEN}History of test1${RESET}" docker history test1 echo -e "${GREEN}History of mysql:8${RESET}" docker history mysql:8 Docker remote Edit service file # /lib/systemd/system/docker.service ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 Restart service systemctl daemon-reload systemctl restart docker Specify DOCKER_HOST . docker/status echo -e "${GREEN}List images on 192.168.185.9${RESET}" DOCKER_HOST=192.168.185.9:2375 docker images Docker-compose version: "3" services: svn: image: zeyanlin/svn environment: - LDAP_HOSTS=${LDAP_HOSTS} - LDAP_BASE_DN=${LDAP_BASE_DN} - LDAP_BIND_DN=${LDAP_BIND_DN} - LDAP_ADMIN_PASS=${LDAP_ADMIN_PASS} ports: - 8000:80 - 3690:3690 depends_on: - ldap ldap: image: zeyanlin/openldap environment: - LDAP_DOMAIN=${LDAP_DOMAIN} - LDAP_ADMIN_PASS=${LDAP_ADMIN_PASS} ports: - 389:389 - 636:636 php: image: zeyanlin/phpldapadmin environment: - LDAP_HOSTS=${LDAP_HOSTS} ports: - 80:80 depends_on: - ldap Env LDAP_HOSTS=ldap LDAP_DOMAIN="knowhow.fun" LDAP_BASE_DN="dc=knowhow,dc=fun" LDAP_BIND_DN="cn=admin" LDAP_ADMIN_PASS="123qwe"

Friday, September 17, 2021 Read

Docker Security Best Practices: Cheat Sheet

Docker Security Best Practices: Cheat Sheet Image Security Use Trusted Images Unprivileged User FROM base_image RUN addgroup -S appgroup && adduser -S appuser -G appgroup USER appuser User ID Namespace Segregate namespaces to prevent container privilege escalation from affecting the host. To mitigate this risk, configure your host and the Docker daemon to use a separate namespace with the --userns-remap option. Container Runtime Security Forbid New Privileges For enhanced security, it is recommended to explicitly forbid the addition of new privileges after container creation using this option: --security-opt=no-new-privileges.

Friday, August 20, 2021 Read

docker-compose yaml problem

issue # ./docker-compose up -d Creating network "gogs_default" with the default driver Creating gogs_mysql_1 ... done Creating gogs_gogs_1 ... error ERROR: for gogs_gogs_1 Cannot create container for service gogs: invalid port specification: "133342" ERROR: for gogs Cannot create container for service gogs: invalid port specification: "133342" ERROR: Encountered errors while bringing up the project. services: gogs: ports: - 2222:22 YAML supports so-called “base-60 floating-point numbers,” which is useful for time calculations. Therefore, 2222:22 is interpreted as 2222 * 60 + 22, which is 133342.

Monday, July 19, 2021 Read