As container adoption grows, Docker has become the de facto standard for packaging and running applications. But while it simplifies deployment, securing a Docker environment is often overlooked.
In this article, we’ll walk through how to:
- Install and optimize Docker on CentOS
- Reduce log and disk bloat
- Integrate SafeLine WAF to defend against application-layer attacks such as SQL injection, XSS, and bot-driven (Layer 7) floods
This step-by-step guide will help you build a performance-tuned and security-hardened Docker environment from the ground up.
Step 1: Install Docker on CentOS
There are two ways to get Docker running: the convenience script, or the docker-ce yum repository. The repository route is preferable on servers, because every package is GPG-checked and you can pin a version; the script is fine for a lab box as long as you read it before running it.
Option A: convenience script (with the Aliyun mirror). Download it to a file, inspect it, then run it; do not pipe a remote script straight into bash:
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sh get-docker.sh --mirror Aliyun
Option B: yum repository. The order below matters: yum-utils has to be installed before yum-config-manager exists.
- Remove older versions if installed:
yum remove docker docker-client docker-common docker-latest docker-engine
- Install required dependencies:
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
- Set up the Docker repo (fetch the repo file over HTTPS, not HTTP):
sudo yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
- List available versions:
yum list docker-ce --showduplicates | sort -r
- Install a specific version (19.03.13 is shown as an example; the 19.03 branch is end-of-life, so pin a currently supported release from the list):
yum install docker-ce-19.03.13 docker-ce-cli-19.03.13 containerd.io
- Or install the latest:
yum -y install docker-ce docker-ce-cli containerd.io
- Start and enable Docker:
systemctl start docker
systemctl enable docker
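The download-inspect-verify pattern for the convenience script, as an added example that is not from the article or from Docker: fetch get-docker.sh to a file, record its SHA-256 after you have read it, and only execute a file whose hash still matches. Docker does not publish a checksum for get.docker.com, so the pinned value is the one you recorded yourself; the function names and the installer.sh used for the self-test are this example's own.

```shell
#!/bin/sh
# Added example: run a downloaded installer only after its SHA-256 matches a value
# you pinned after reading it. Function names are this example's own, not Docker's.
set -eu

# Fetch to a file (never straight into bash); force HTTPS and a modern TLS version.
fetch_installer() {
  url="$1"; dest="$2"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
}

# Print the SHA-256 of a file (GNU coreutils, with the BSD/macOS fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Execute the script with any extra arguments (e.g. --mirror Aliyun) only if the
# hash matches; otherwise refuse and return 1 so a calling script stops.
run_verified() {
  file="$1"; expected="$2"; shift 2
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
    return 1
  fi
  sh "$file" "$@"
}

# Typical use (needs the network, so it is not executed here):
#   fetch_installer https://get.docker.com get-docker.sh
#   less get-docker.sh                    # read it, then pin its hash
#   PIN=$(sha256_of get-docker.sh)
#   run_verified get-docker.sh "$PIN" --mirror Aliyun
```

The value of the pin shows up on the next host or in automation: a re-downloaded script that differs from the copy you actually read will not execute, instead of silently installing something else.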
Step 2: Optimize Docker for Performance
Move Docker Data to a New Location
Docker keeps images, layers and volumes under /var/lib/docker. If the root filesystem is small or slow, move that directory to a dedicated disk (the path below is under /home; a separate volume is the better choice, and never an NFS share). Stop Docker first so the copy is consistent:
systemctl stop docker
mkdir -p /home/jamelli/docker/data/lib
rsync -avz /var/lib/docker /home/jamelli/docker/data/lib
(-a already implies -r; the copy lands in /home/jamelli/docker/data/lib/docker.)
A systemd drop-in that overrides ExecStart with --graph=<path> also works on old releases, but --graph was deprecated in favour of --data-root and removed in Docker 23.0, and an ExecStart override has to be maintained across package upgrades. Set the path in /etc/docker/daemon.json instead, and set it in one place only: dockerd refuses to start if the same option is given both as a flag and in the config file.
Configure Log Rotation
By default the json-file driver never rotates, so one chatty container can fill the disk. Put the log options in the same daemon.json. Note that cat <<EOF > replaces the whole file, so merge with any existing content rather than overwriting it:
cat <<EOF > /etc/docker/daemon.json
{
"data-root": "/home/jamelli/docker/data/lib/docker",
"log-driver": "json-file",
"log-opts": {
"max-size": "100m",
"max-file": "3"
}
}
EOF
systemctl restart docker
docker info | grep 'Docker Root Dir'
Two checks before calling this done. On CentOS with SELinux enforcing, give the new directory the same file context as /var/lib/docker, or containers fail with permission errors (semanage fcontext -a -e /var/lib/docker /home/jamelli/docker/data/lib/docker && restorecon -R /home/jamelli/docker/data/lib/docker; semanage comes from the policycoreutils-python-utils package). And log-opts apply only to containers created after the restart, so recreate existing ones and confirm with docker inspect -f '{{json .HostConfig.LogConfig}}' <container>. Once everything is verified, remove the old /var/lib/docker to reclaim the space.
Free Up Disk Space
docker system df shows what images, containers, volumes and build cache occupy; prune removes what is not in use:
docker system df
docker system prune
docker system prune -a
docker system df -v
Read the confirmation prompt before answering it. prune removes stopped containers, dangling images, unused networks and build cache; -a additionally removes every image not referenced by a running container, including base images you will have to pull again (from a third-party mirror, if one is configured). Volumes are left alone unless you pass --volumes. On a shared host, an age filter such as docker system prune --filter "until=24h" is safer than a blanket -a.
Step 3: Useful Docker Commands
Quick reference for monitoring and troubleshooting:
- docker system df: Check disk usage
- docker image ls: List images
- docker info: System summary (storage driver, data root, cgroup driver, registry mirrors)
- docker stats: View container CPU/memory usage
- docker logs --tail=10 -f <container>: Follow container logs
Step 4: Add SafeLine WAF for Real Protection
Docker makes apps portable, but it doesn't secure them. You still need protection against OWASP Top 10 threats, scanners, and automated attacks.
SafeLine WAF is an open source web application firewall that defends your services with minimal performance overhead.
Install SafeLine:
The vendor one-liner is curl -fsSLk ... | bash. Drop the -k: it disables certificate verification, so anyone on the network path could hand you a different installer. As with get-docker.sh, save the script and read it before running it:
curl -fsSL https://waf.chaitin.com/release/latest/setup.sh -o safeline-setup.sh
less safeline-setup.sh
bash safeline-setup.sh
Open SafeLine Dashboard:
The dashboard is an administrative console, so it should not be reachable from the whole internet. Opening 9443/tcp in the public zone is the bare minimum; on a server with a public address, limit the rule to your admin network or reach the dashboard over a VPN, and protect the admin account with a strong password.
firewall-cmd --zone=public --add-port=9443/tcp --permanent
firewall-cmd --reload
Then visit:
https://<your-server-ip>:9443/
One caveat: SafeLine itself runs as a set of containers, and ports published by Docker are handled in Docker's own iptables chains (DOCKER-USER and FORWARD), so a firewalld zone rule on the host does not necessarily filter them. If you need host-level filtering, add the rule to the DOCKER-USER chain or bind the port to a non-public address.
SafeLine offers semantic-based detection, protection against injection attacks, anti-bot mechanisms, and more. It is built on Nginx, so it sits in front of your containers as a reverse proxy, which is why it fits containerized deployments well.
Step 5: Fix TLS Timeout Issues When Pulling Images
If you encounter:
Error response from daemon: net/http: TLS handshake timeout
the daemon reached the registry but the TLS handshake did not complete in time, usually because the path to Docker Hub is slow or filtered. Do not work around it by disabling TLS verification; point the daemon at a closer mirror instead. Add the registry-mirrors key to /etc/docker/daemon.json, keeping the settings already in the file:
sudo vim /etc/docker/daemon.json
{
"registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}
Then restart the daemon (dockerd reads daemon.json on start; systemctl daemon-reload is only needed when unit files or drop-ins change):
systemctl restart docker
docker info | grep -A1 'Registry Mirrors'
A mirror is a new link in your software supply chain: every image you pull now comes through it. Use one you trust, keep the URL on HTTPS, and pin images by digest (docker pull image@sha256:<digest>) so a tampered or stale mirror cannot substitute content.
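A single consolidated daemon.json, as an added example that is not part of the article: it carries the data root and log rotation from Step 2 together with the registry mirror from Step 5, backs up any existing file instead of clobbering it the way cat <<EOF > does, syntax-checks the result when python3 is available, and refuses to proceed if a systemd drop-in already passes --graph or --data-root on the dockerd command line (dockerd exits when the same directive appears both as a flag and in the config file). The paths and mirror URL are the article's; the function names, the scratch-directory destination used for the self-test and the final apply step are this example's assumptions.

```shell
#!/bin/sh
# Added example: consolidate dockerd settings into one daemon.json safely.
# Function names and the apply step are this example's own, not from the article.
set -eu

# Return 0 if any drop-in under the given directory already sets the data root on
# the dockerd command line; combining that with daemon.json stops dockerd starting.
has_conflicting_dropin() {
  dropin_dir="$1"
  grep -qsE -- '--(graph|data-root)[ =]' "$dropin_dir"/*.conf 2>/dev/null
}

# Write daemon.json to $1 with data root $2 and registry mirror $3.
# An existing file is copied to a timestamped .bak first.
write_daemon_json() {
  dest="$1"; data_root="$2"; mirror="$3"
  mkdir -p "$(dirname "$dest")"
  if [ -f "$dest" ]; then
    cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S).$$"
  fi
  cat > "$dest" <<EOF
{
  "data-root": "$data_root",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "100m",
    "max-file": "3"
  },
  "registry-mirrors": ["$mirror"]
}
EOF
  # Syntax check before dockerd ever sees the file (skipped silently without python3).
  if command -v python3 >/dev/null 2>&1; then
    python3 -m json.tool "$dest" >/dev/null
  fi
}

# Number of backups sitting next to a daemon.json path.
backup_count() {
  ls "$1".bak.* 2>/dev/null | wc -l | tr -d ' '
}

# Apply on a real host (not executed here): refuse on conflict, write, restart.
# daemon.json changes need only a dockerd restart; daemon-reload is for unit files.
apply_docker_config() {
  if has_conflicting_dropin /etc/systemd/system/docker.service.d; then
    echo "remove --graph/--data-root from the systemd drop-in first" >&2
    return 1
  fi
  write_daemon_json /etc/docker/daemon.json \
    /home/jamelli/docker/data/lib/docker https://docker.mirrors.ustc.edu.cn
  systemctl restart docker
  docker info | grep -A1 -E 'Docker Root Dir|Registry Mirrors'
}
```

Keeping all daemon settings in one generated file, with a backup and a parse check, avoids the two failure modes a piecemeal edit invites: the second heredoc wiping out the first, and a data root declared twice that leaves dockerd down after the restart.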
Final Thoughts
A secure Docker deployment isn’t just about getting containers to run — it’s about building a system that performs well under load and defends itself against threats.
By combining best practices in system optimization with SafeLine WAF protection, you’re well on your way to a production-ready environment.
Join the SafeLine Community
If you continue to experience issues, feel free to contact SafeLine support for further assistance.