
How to Configure Docker on Linux Server – (Step-by-Step Guide 2026)

To configure Docker on a Linux server, install the Docker Engine from the official repository, add your user to the docker group, enable Docker to start on boot, and harden the daemon via /etc/docker/daemon.json. Then set up networking, logging, and Docker Compose for multi-container apps, followed by ongoing updates, monitoring, and cleanup.

In this step-by-step guide, you’ll learn how to configure Docker on a Linux server the right way for 2026 and beyond. We’ll cover installation on Ubuntu/Debian and RHEL-based distros, secure daemon settings, user permissions, networking, Docker Compose, logging, metrics, and real-world best practices used in hosting environments.

What You’ll Need (Prerequisites)

  • A Linux server (Ubuntu 22.04/24.04+, Debian 12+, or RHEL/CentOS/AlmaLinux/Rocky 8/9+)
  • sudo privileges (or root)
  • Outbound internet access to Docker’s repositories
  • Open ports for your apps (e.g., 80/443 for web)
  • Basic familiarity with the Linux CLI


Step 1: Install Docker on Linux (2026-Ready)

The safest method is to use the official Docker repositories so you get current, signed packages: docker-ce (Engine), docker-ce-cli, containerd.io, and the Docker Compose plugin.

Ubuntu/Debian

sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg lsb-release

# Add Docker’s official GPG key and repo
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/$(. /etc/os-release && echo $ID)/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/$(. /etc/os-release && echo $ID) \
  $(. /etc/os-release && echo $VERSION_CODENAME) stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

RHEL/CentOS/AlmaLinux/Rocky

sudo dnf -y install ca-certificates curl gnupg2
sudo dnf -y install dnf-plugins-core
sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

sudo dnf -y install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# Start and enable Docker
sudo systemctl enable --now docker

Verify the Installation

sudo systemctl status docker
docker --version
docker compose version
sudo docker run --rm hello-world

Step 2: Post-Install Setup (Non-Root User, Autostart)

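By default, Docker commands require sudo. To run the docker CLI without sudo, add your user to the docker group and enable Docker on boot. The daemon still runs as root and acts on behalf of anyone in that group, so docker group membership is equivalent to root on the host; grant it only to accounts you would trust with sudo.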

# Add your user to the docker group
sudo usermod -aG docker $USER
# Log out and back in (or run newgrp docker) to apply

# Enable on boot and start now
sudo systemctl enable --now docker

If you still see “permission denied,” ensure your session is refreshed (reboot or re-login) and verify with docker ps.

Step 3: Secure and Tune the Docker Daemon

Harden the daemon via /etc/docker/daemon.json. Configure logging, cgroups, storage, and security features that reduce risk in production environments.

Create or Edit /etc/docker/daemon.json

sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json > /dev/null << 'EOF'
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "storage-driver": "overlay2",
  "exec-opts": ["native.cgroupdriver=systemd"],
  "live-restore": true,
  "userns-remap": "default",
  "no-new-privileges": true,
  "default-address-pools": [
    {"base":"10.10.0.0/16","size":24}
  ]
}
EOF

# Restart and validate
sudo systemctl restart docker
docker info | grep -E 'Cgroup|Storage Driver|Logging Driver'

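Highlights: log rotation prevents disk bloat; overlay2 is the modern storage driver; the systemd cgroup driver aligns with current Linux defaults; live-restore limits container downtime during daemon upgrades; user namespace remapping maps root inside a container to an unprivileged UID on the host, which reduces container privilege risks; no-new-privileges stops container processes from gaining privileges through setuid or setgid binaries; default-address-pools avoids network overlap in multi-bridge setups. Note that turning on userns-remap on a host that already runs containers hides the existing images and containers, because Docker switches to a separate data directory for the remapped user, and containers that need --network=host or --pid=host must opt out with --userns=host.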

Optional: Rootless Docker (Extra Isolation)

# Install rootless prerequisites
sudo apt-get install -y uidmap dbus-user-session  # Debian/Ubuntu
# or: sudo dnf -y install shadow-utils

dockerd-rootless-setuptool.sh install
systemctl --user enable --now docker
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock

docker info | grep Rootless

Rootless mode improves security by removing root privileges from the Engine, though some networking features may be limited. Use it for multi-tenant environments or strict compliance needs.

Firewall Rules (UFW or firewalld)

# UFW examples
sudo ufw allow 22/tcp
sudo ufw allow 80,443/tcp
sudo ufw enable
sudo ufw status

# firewalld examples
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

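Docker manages its own iptables rules, and traffic to published container ports is forwarded through Docker's chains rather than the INPUT rules that UFW manages, so a port published with -p can be reachable even when the host firewall does not allow it. Always test your firewall with running containers to ensure traffic flows as intended; to restrict published ports, add rules to the DOCKER-USER chain or publish on a specific address (for example -p 127.0.0.1:8080:80).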

Step 4: Docker Networking Basics (Bridges and Custom Networks)

By default, Docker uses the bridge network (docker0). For production, create user-defined bridge networks per app stack for predictable IP ranges, DNS-based service discovery, and easier policy control.

# Create a custom bridge network with a fixed subnet
docker network create --driver bridge \
  --subnet 10.10.10.0/24 --gateway 10.10.10.1 \
  app_net

# Attach containers to this network
docker run -d --name web --network app_net -p 80:80 nginx:alpine
docker run -d --name api --network app_net myorg/api:latest

The default-address-pools setting in daemon.json ensures Docker auto-allocates non-overlapping subnets, which is useful on hosts running multiple custom networks.

Step 5: Docker Compose v2 (Plugin)

Compose simplifies multi-container apps. Starting with modern releases, docker compose is a plugin (no separate Python binary). Test with docker compose version, then deploy a simple stack. Example: a production-ready WordPress and MariaDB stack for a small site.

mkdir -p ~/stacks/wordpress && cd ~/stacks/wordpress
cat > docker-compose.yml << 'YAML'
services:
  db:
    image: mariadb:11
    environment:
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wpuser
      # Placeholder credentials: replace before deploying and keep them out of version control
      MYSQL_PASSWORD: strong_db_pass
      MYSQL_ROOT_PASSWORD: stronger_root_pass
    volumes:
      - db_data:/var/lib/mysql
    networks:
      - wp_net
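    healthcheck:
      # mariadb:11 images no longer ship mysqladmin; healthcheck.sh is the script bundled with the image
      test: ["CMD","healthcheck.sh","--connect","--innodb_initialized"]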
      interval: 10s
      retries: 5

  wordpress:
    image: wordpress:php8.2-fpm
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wpuser
      WORDPRESS_DB_PASSWORD: strong_db_pass
      WORDPRESS_DB_NAME: wordpress
    volumes:
      - wp_data:/var/www/html
    depends_on:
      db:
        condition: service_healthy
    networks:
      - wp_net

  nginx:
    image: nginx:alpine
    volumes:
      - wp_data:/var/www/html:ro
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
    ports:
      - "80:80"
      - "443:443"
    depends_on:
      - wordpress
    networks:
      - wp_net

volumes:
  db_data:
  wp_data:

networks:
  wp_net:
    driver: bridge
YAML

# Bring the stack up
docker compose up -d
docker compose ps

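The stack expects ./nginx.conf to exist next to the Compose file before you run docker compose up: if the path is missing, Docker creates an empty directory there and NGINX fails to start. Because the wordpress image is the PHP-FPM variant, that configuration must pass PHP requests to wordpress:9000 over FastCGI. Replace the placeholder passwords, add TLS to NGINX, and tune PHP-FPM for best performance. For higher availability, consider an external managed database and object storage.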

Step 6: Logging, Metrics, and Cleanup

Effective operations require log rotation, metrics scraping, and routine image/container cleanup.

  • Logs: You enabled the json-file driver with rotation. Inspect a container's output with docker logs <container>.
  • Metrics: Expose cAdvisor or use Docker’s events API. For Prometheus, add node_exporter and cadvisor to your compose stack.
  • Cleanup: Periodically reclaim space.

# Remove stopped containers, dangling images, unused networks
docker system prune -f
# More aggressive: also removes every unused image and unused volumes
docker system prune -a --volumes -f

# Check space usage
docker system df

Step 7: Optional — Secure Remote API (TLS)

Avoid binding the Docker API to 0.0.0.0 without TLS. If you need remote management, enable TCP with certificates and firewall restrictions. SSH tunneling is often simpler and safer.

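# Example daemon.json additions (use real cert paths and client certs)
# On systemd hosts the packaged docker.service may already pass -H fd:// on the
# command line; setting "hosts" here as well stops dockerd from starting until
# a systemd drop-in removes that flag from ExecStart.
{
  "hosts": ["fd://","tcp://0.0.0.0:2376"],
  "tls": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "tlsverify": true
}
# Then restrict 2376 at the firewall to trusted IPs only.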
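
A check for the Step 3 and Step 7 settings, as an added example that is not part of the original guide: it reads a daemon.json document and reports missing hardening keys and TCP listeners that lack mutual TLS. The sample configurations are constructed from the values shown above, the port-2375 case is a constructed weak configuration, and the function name and finding texts are illustrative.

```python
import json

# Constructed samples: the Step 3 settings, the Step 7 additions, and a weak config.
STEP3 = {"log-driver": "json-file", "log-opts": {"max-size": "10m", "max-file": "3"},
         "userns-remap": "default", "no-new-privileges": True, "live-restore": True}
STEP7 = {"hosts": ["fd://", "tcp://0.0.0.0:2376"], "tls": True, "tlsverify": True,
         "tlscacert": "/etc/docker/certs/ca.pem",
         "tlscert": "/etc/docker/certs/server-cert.pem",
         "tlskey": "/etc/docker/certs/server-key.pem"}
WEAK = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(text):
    """Return findings for the text of a daemon.json file (empty list = clean)."""
    cfg = json.loads(text)  # malformed JSON raises here; dockerd would not start on it either
    findings = []
    if not cfg.get("userns-remap"):
        findings.append("userns-remap unset: root in a container is root on the host")
    if cfg.get("no-new-privileges") is not True:
        findings.append("no-new-privileges off: setuid binaries can raise privileges")
    # json-file is the default driver when log-driver is not set
    if cfg.get("log-driver", "json-file") == "json-file" and \
            "max-size" not in cfg.get("log-opts", {}):
        findings.append("json-file logs have no max-size: unbounded disk use")
    mutual_tls = cfg.get("tlsverify") is True and all(cfg.get(k) for k in TLS_KEYS)
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # fd:// and unix:// sockets are local only
        bind = host[len("tcp://"):].rsplit(":", 1)[0]
        if not mutual_tls:
            findings.append(f"{host}: API reachable without client-certificate checks")
        elif bind in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: TLS on, but bound to all interfaces; firewall it")
    return findings


if __name__ == "__main__":
    samples = (("step3", STEP3), ("step3+step7", {**STEP3, **STEP7}), ("weak", WEAK))
    for name, cfg in samples:
        print(name, audit_daemon_config(json.dumps(cfg)) or "clean")
```

To audit a real host, pass the contents of /etc/docker/daemon.json to audit_daemon_config before restarting the daemon.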

Troubleshooting and Common Errors

  • Permission denied (dial unix /var/run/docker.sock): Add user to docker, re-login, confirm with groups.
  • cgroup v2 issues: Ensure systemd cgroup driver is set (exec-opts) and system has unified cgroup hierarchy enabled (modern distros do).
  • Out of disk space: Verify log rotation, clean old images (docker image prune -a), move Docker data-root to a larger disk.
  • Port conflicts: Use docker ps to find bound ports; re-map with -p host:container or change NGINX listen ports.
  • Network overlap: Use default-address-pools to avoid 172.17.0.0/16 collisions or define custom subnets per network.

Real-World Best Practices from Hosting Experience

  • Pin image versions (e.g., nginx:1.27-alpine) to avoid surprise upgrades; schedule maintenance windows for updates.
  • Enable Docker Content Trust (export DOCKER_CONTENT_TRUST=1) and scan images with your CI to reduce supply-chain risk.
  • Use healthchecks in Compose so reverse proxies don’t route to unhealthy containers.
  • Separate state: Keep databases on managed services or dedicated volumes/snapshots for easy backup and restore.
  • Private registry and cache: Use a private registry or registry mirror to speed up pulls and control provenance.
  • Least privilege: Use non-root container users where possible and read-only root filesystems for stateless services.
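
To check a stack against the practices above (pinned tags, least privilege), plus the literal passwords and published ports in the Step 5 file, this added example, which is not part of the original guide, lints the JSON produced by docker compose config --format json. The sample input is constructed, the hardened service is hypothetical, and the tag check is a heuristic (no tag, latest, or no version digits).

```python
import json
import re

SECRET_KEY = re.compile(r"PASSWORD|SECRET|TOKEN", re.I)

# Constructed sample shaped like `docker compose config --format json` output;
# "hardened" is a hypothetical service added for contrast.
SAMPLE = json.dumps({"services": {
    "db": {"image": "mariadb:11",
           "environment": {"MYSQL_DATABASE": "wordpress",
                           "MYSQL_PASSWORD": "strong_db_pass"}},
    "nginx": {"image": "nginx:alpine",
              "ports": [{"target": 80, "published": "80", "protocol": "tcp"}]},
    "api": {"image": "myorg/api:latest"},
    "hardened": {"image": "nginx:1.27-alpine", "user": "101", "read_only": True,
                 "ports": [{"target": 8080, "published": "8080",
                            "host_ip": "127.0.0.1"}]},
}})


def floating_tag(image):
    """Heuristic: True for no tag, 'latest', or a tag without version digits."""
    if "@sha256:" in image:
        return False  # pinned by digest
    name = image.rsplit("/", 1)[-1]  # drop any registry host:port prefix
    tag = name.split(":", 1)[1] if ":" in name else ""
    return tag in ("", "latest") or not re.search(r"\d", tag)


def lint_compose(config_json):
    """Return sorted (service, finding) pairs for a resolved Compose model."""
    out = []
    for name, svc in json.loads(config_json).get("services", {}).items():
        if "image" in svc and floating_tag(svc["image"]):
            out.append((name, "floating image tag"))
        for key, val in (svc.get("environment") or {}).items():
            if SECRET_KEY.search(key) and val:
                out.append((name, f"literal secret in environment: {key}"))
        for port in svc.get("ports") or []:
            if not port.get("host_ip"):
                out.append((name, f"port {port.get('published')} published on all interfaces"))
        if not svc.get("user"):
            out.append((name, "no user set: runs as the image default, often root"))
    return sorted(out)


if __name__ == "__main__":
    for service, finding in lint_compose(SAMPLE):
        print(f"{service}: {finding}")
```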

When to Choose a Managed VPS for Docker

If you’re deploying revenue-critical apps, a reliable infrastructure partner matters. At YouStable, our NVMe-powered VPS plans, dedicated firewalls, DDoS protection, and snapshot backups give Docker workloads the performance and resilience they deserve. You focus on containers; we’ll handle the platform stability and 24×7 support.

FAQs: Configure Docker on Linux Server

Is Docker free to use on Linux?

Yes. Docker Engine Community Edition (CE) is free and open-source. For enterprise support, consider Docker subscriptions or a managed platform. Most small to mid-sized teams run Docker CE on Linux without cost.

How do I install Docker on Ubuntu 22.04 or 24.04?

Add Docker’s official GPG key and repository, then install docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin, and docker-compose-plugin via apt. The commands above under “Ubuntu/Debian” are 2026-ready and follow current best practices.

How do I run Docker without sudo?

Add your user to the docker group with sudo usermod -aG docker $USER, then log out and back in (or run newgrp docker). Verify with docker ps. For even stronger isolation, consider rootless Docker.

What are the most important security settings for Docker?

Enable log rotation, userns-remap, no-new-privileges, and live-restore. Avoid exposing the remote API without TLS. Run containers as non-root when possible, and keep hosts patched. Use firewall rules and minimal images (alpine or distroless) to reduce attack surface.

Docker or Podman for 2026?

Both are mature and OCI-compliant. Docker remains popular for Compose-based workflows and broad ecosystem support. Podman offers daemonless operation and tight SELinux integration on RHEL-based systems. Choose based on tooling, workflows, and team familiarity.

Conclusion

With the steps above, you can confidently configure Docker on a Linux server for production. Harden the daemon, define clean networks, adopt Compose for multi-service apps, and automate updates, backups, and monitoring. When you’re ready to scale, a YouStable VPS provides the performance and reliability your containers need.

Prahlad Prajapati

Prahlad is a web hosting specialist and SEO-focused organic growth expert from India. Active in the digital space since 2019, he helps people grow their websites through clean, sustainable strategies. Passionate about learning and adapting fast, he believes small details create big success. Discover his insights on web hosting and SEO to elevate your online presence.
