What is Docker
Docker is a powerful tool that allows us to build, run, and distribute applications by using containerization technology. Containers are lightweight, standalone, executable packages that include everything needed to run a piece of software, including the code, runtime, system tools, libraries, and settings. They are isolated from each other and the host system.
Install Docker Engine on Ubuntu
Before installing Docker on Ubuntu 20.04, make sure you meet the prerequisites.
Prerequisites
To install Docker Engine, you need the 64-bit version of one of these Ubuntu versions:
Ubuntu Mantic 23.10
Ubuntu Lunar 23.04
Ubuntu Jammy 22.04 (LTS)
Ubuntu Focal 20.04 (LTS)
Docker Engine for Ubuntu is compatible with x86_64 (or amd64), armhf, arm64, s390x, and ppc64le (ppc64el) architectures.
Before you can install Docker Engine, you need to uninstall any conflicting packages.
Distro maintainers provide unofficial distributions of Docker packages in APT. You must uninstall these packages before you can install the official version of Docker Engine.
The unofficial packages to uninstall are:
docker-compose
docker-compose-v2
docker-doc
podman-docker
Moreover, Docker Engine depends on containerd and runc. Docker Engine bundles these dependencies in a single package, containerd.io. If you have previously installed containerd or runc, uninstall them to avoid conflicts with the versions bundled with Docker Engine.
Install using the apt repository
Ensure that Ubuntu has the right version by running the following command:
lsb_release -a
Ensure that you do not have any conflicting packages by uninstalling old versions. Run the following command:
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do sudo apt-get remove $pkg; done
Images, containers, volumes, and networks stored in /var/lib/docker/ aren't automatically removed when you uninstall Docker. If you want to start with a clean installation and prefer to clean up any existing data, read the uninstall Docker Engine section.
Update the package database to get the latest versions of packages and their dependencies:
sudo apt-get update
Install packages that allow apt to use a repository over HTTPS:
sudo apt-get install ca-certificates curl gnupg
ca-certificates: contains a set of Certificate Authority (CA) certificates. These are what curl and apt use to check the TLS certificate of download.docker.com when the key and the packages are fetched over HTTPS; in other words, they establish that you are talking to the genuine server. The packages themselves are verified separately, with GPG, as described below.
curl: a command-line tool and library for transferring data with URLs. It's used for downloading files from the internet and can handle a variety of protocols, including HTTP, HTTPS, FTP, and more.
gnupg: stands for GNU Privacy Guard; it's a package for encrypting and signing data. It's used here primarily for handling the GPG key related to Docker.
Create a new directory named /etc/apt/keyrings with read, write, and execute permissions for the owner, and read and execute permissions for group members and other users:
sudo install -m 0755 -d /etc/apt/keyrings
Download the GPG key for the Docker repository from its website and save it as a binary keyring file in /etc/apt/keyrings, which APT can then use to verify the authenticity of Docker packages downloaded from the repository:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
curl -f makes curl exit with an error on an HTTP failure instead of piping an error page into gpg; -sS keeps it quiet except for errors, and -L follows redirects. gpg --dearmor converts the armored GPG key (ASCII text format) into binary format, and -o /etc/apt/keyrings/docker.gpg specifies the output file where the converted key should be saved.
This is a security step: when APT downloads packages from the Docker repository, it uses this GPG key to verify that the packages are authentic and haven't been tampered with. How the GPG key mechanism works is explained in the section below.
Change the file permissions of the Docker GPG key to be readable by all users:
sudo chmod a+r /etc/apt/keyrings/docker.gpg
Verify that the key you downloaded has the expected fingerprint. apt-key is deprecated on current Ubuntu releases and does not read /etc/apt/keyrings, so inspect the keyring file directly. Run:
gpg --no-default-keyring --keyring /etc/apt/keyrings/docker.gpg --fingerprint
Compare the printed fingerprint with the one published in Docker's documentation before continuing.
Add the Docker Repository to APT sources:
sudo add-apt-repository "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
The command above adds Docker's official APT repository to the list of sources from which packages can be installed. The signed-by option tells APT to accept this repository only when its Release file is signed by the key in /etc/apt/keyrings/docker.gpg; APT does not consult /etc/apt/keyrings on its own, so without signed-by it would report the repository as unsigned. On a machine that is not amd64, replace amd64 with the output of dpkg --print-architecture.
Update Package Database with Docker Packages.
sudo apt update
Now, install the latest version of Docker CE (Community Edition) using:
sudo apt install docker-ce
💡 We can install Docker either directly from Docker's official repository (docker-ce), which gives the latest version of Docker, or from Ubuntu's repository (docker.io), maintained by the Ubuntu community, which might not always be the latest version. In this hands-on, we install docker-ce.
Check if Docker is running:
sudo systemctl status docker
If Docker is running, you'll see an active (running) status in the output.
Add Your User to the Docker Group (Optional). By default, running the docker command requires administrator privileges. To run Docker commands as your non-root user, add your user to the docker group:
sudo usermod -aG docker ${USER}
Membership in the docker group is equivalent to root on the host, because any member can start a container that mounts the host filesystem, so grant it only to accounts you would also trust with sudo.
You'll need to log out and back in for this to take effect.
Test Docker. Run the hello-world image to test if Docker is correctly installed:
docker run hello-world
Configure Docker to Start on Boot (Optional). Enable Docker to start on boot with:
sudo systemctl enable docker
How GPG Works in Package Verification
Key Pair: GPG operates using a pair of keys:
Private Key: Known only to the key's owner, used for signing data.
Public Key: Distributed openly, used for verifying signatures.
Signing the Package:
The package maintainer (e.g., Docker) signs the package with their private GPG key before distributing it. The signature is produced by hashing the package content and signing that hash with the private key, so it acts as a digital fingerprint unique to that exact content.
The signing process doesn't encrypt the whole package; it just generates a signature based on the package's content.
Distributing the Public Key:
The maintainer also makes their public GPG key available, often on a website or in a public key server. This public key is what users will download and add to their keyring.
This public key can verify signatures made by the corresponding private key but can't be used to generate those signatures.
User Downloads the Package:
When a user downloads the package, they also receive the digital signature.
Verification Process:
On the user's side, the GPG tool uses the maintainer's public key to verify the signature attached to the package.
If the signature is valid, it ensures that the package hasn't been altered since it was signed, i.e., it's authentic and unmodified.
In an APT repository the maintainer's signature is actually on the Release file (InRelease or Release.gpg), which lists the hashes of the package indexes, and each index in turn lists the hash of every .deb it names. Verifying that one signature therefore covers every package the repository serves, because any change to a .deb breaks the chain of hashes leading back to the signed file.
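The part of APT's verification that follows the signature check, shown on a constructed toy repository (an added example, not part of the original post). Once gpg has confirmed the signature on the Release file, everything below it is a chain of SHA-256 hashes: Release commits to the Packages index, the index commits to each .deb. The files and the package name are made up here; the file layout and field names mirror a real repository, and only sha256sum and awk are needed, so it runs offline.

```shell
#!/bin/sh
# Added example: walk the Release -> Packages -> .deb hash chain that APT
# checks after the Release signature verifies. All files are constructed.

sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Build a toy repository under $1: one package, an index listing its hash,
# and a Release file listing the index's hash (Release is what gets signed).
make_toy_repo() {
    dir=$1
    mkdir -p "$dir/pool" "$dir/dists/stable"
    printf 'pretend this is a .deb\n' > "$dir/pool/docker-ce.deb"
    deb_size=$(wc -c < "$dir/pool/docker-ce.deb" | tr -d ' ')
    printf 'Package: docker-ce\nFilename: pool/docker-ce.deb\nSize: %s\nSHA256: %s\n' \
        "$deb_size" "$(sha256_of "$dir/pool/docker-ce.deb")" > "$dir/dists/stable/Packages"
    idx_size=$(wc -c < "$dir/dists/stable/Packages" | tr -d ' ')
    printf 'Suite: stable\nSHA256:\n %s %s Packages\n' \
        "$(sha256_of "$dir/dists/stable/Packages")" "$idx_size" > "$dir/dists/stable/Release"
}

# Link 1: does the (signed) Release file vouch for the Packages index?
index_hash_ok() {
    dir=$1
    expected=$(awk '$3 == "Packages" { print $1 }' "$dir/dists/stable/Release")
    [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$dir/dists/stable/Packages")" ]
}

# Link 2: does the Packages index vouch for the .deb it names for package $2?
package_hash_ok() {
    dir=$1
    idx=$dir/dists/stable/Packages
    file=$(awk -v p="$2" '$1 == "Package:" && $2 == p { f = 1 } f && $1 == "Filename:" { print $2; exit }' "$idx")
    expected=$(awk -v p="$2" '$1 == "Package:" && $2 == p { f = 1 } f && $1 == "SHA256:" { print $2; exit }' "$idx")
    [ -n "$file" ] && [ -n "$expected" ] && [ "$expected" = "$(sha256_of "$dir/$file")" ]
}

# Full walk. 0 only when every link holds.
verify_chain() {
    index_hash_ok "$1" && package_hash_ok "$1" "$2"
}

# Demonstration: a good repo passes, a modified .deb fails at link 2, and
# rewriting the index to cover for it fails at link 1 instead.
demo() {
    d=$(mktemp -d)
    make_toy_repo "$d"
    verify_chain "$d" docker-ce && echo "clean repo: chain holds"
    printf 'extra bytes\n' >> "$d/pool/docker-ce.deb"
    verify_chain "$d" docker-ce || echo "modified .deb: index no longer matches it"
    sed -i "s/^SHA256: .*/SHA256: $(sha256_of "$d/pool/docker-ce.deb")/" "$d/dists/stable/Packages"
    package_hash_ok "$d" docker-ce && echo "rewritten index matches the .deb ..."
    index_hash_ok "$d" || echo "... but the signed Release no longer matches the index"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The point of the chain is that an attacker who can replace files on a mirror has to forge the Release signature to get a modified .deb accepted; rewriting the unsigned index is not enough. Run the block with `--demo` to see each link fail in turn.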