2024-07-21
K8S Load Docker Image

first of all, you can build the docker image and push it to a registry:

docker login                                                                  # authenticate to the target registry first
docker build -t <username>/<imagename>:<tag> -f <dockerfile> <resource_path>
docker push <username>/<imagename>:<tag>

you can push to docker.io or to the local registry that microk8s provides (enable it with microk8s enable registry).

https://microk8s.io/docs/registry-built-in

# for microk8s the registry address is localhost:32000
# the built-in registry speaks plain http; docker allows that for 127.0.0.0/8 by default,
# pushing from another host needs it listed under "insecure-registries" in daemon.json or tls in front
docker tag <imagename> <registry_addr>/<imagename>
docker push <registry_addr>/<imagename>

you can also build the image directly inside minikube's own container runtime, so no push is needed:

minikube image build -t <imagename> -f <dockerfile_path> <resource_path>


to load an image exported with docker save <image>:<tag> -o <image_filepath> into the cluster's image store:

# ref: https://minikube.sigs.k8s.io/docs/commands/image/
# an imported image without a tag shows up as :latest, and the kubelet then defaults
# imagePullPolicy to Always and tries to pull it from a registry anyway;
# tag the imported image, or set imagePullPolicy: Never in the pod spec
# ref: https://iximiuz.com/en/posts/kubernetes-kind-load-docker-image/
minikube image load <image_filepath>/<docker_image_name>   # takes a tarball path or an image name from the local docker daemon
microk8s images import <image_filepath>
microk8s ctr image import <image_filepath>
k3s ctr image import <image_filepath>

https://blog.scottlowe.org/2020/01/25/manually-loading-container-images-with-containerd/

https://docs.k3s.io/installation/registry-mirror#pushing-images
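The tag and imagePullPolicy rule from the comments above, as an added example that is not part of the original post: a small shell helper that derives the policy the kubelet would apply to an image reference (assumed rule, taken from the Kubernetes defaulting logic: a missing tag or the tag "latest" defaults to Always, anything else, including a digest-only reference, to IfNotPresent) and emits a Pod spec pinned to imagePullPolicy: Never for a side-loaded image. The function names and the pod name are placeholders.

```sh
# Added example, not from the original post: check a side-loaded image
# reference and emit a Pod spec that pins imagePullPolicy: Never.
# Assumed rule (Kubernetes defaulting logic): a missing tag or the tag
# "latest" defaults to Always, anything else, including a digest-only
# reference, to IfNotPresent.

# Print the tag of an image reference; "latest" when none is given,
# empty for a digest-pinned reference. Registry ports (localhost:32000/app)
# are handled by looking only at the part after the last slash.
image_tag() {
  ref=$1
  case $ref in *@*) echo ""; return 0 ;; esac
  last=${ref##*/}
  case $last in
    *:*) echo "${last##*:}" ;;
    *)   echo "latest" ;;
  esac
}

# The imagePullPolicy the kubelet applies when the manifest omits it.
default_pull_policy() {
  if [ "$(image_tag "$1")" = "latest" ]; then
    echo "Always"
  else
    echo "IfNotPresent"
  fi
}

# Refuse references that would default to Always: with the policy pinned
# to Never they run, but the moment someone drops that line the kubelet
# starts pulling whatever the registry serves under :latest.
check_sideload_ref() {
  if [ "$(default_pull_policy "$1")" = "Always" ]; then
    echo "refusing '$1': untagged or :latest, tag the imported image first" >&2
    return 1
  fi
  return 0
}

# Minimal Pod manifest for an image that exists only in the node's image store.
pod_manifest() {
  check_sideload_ref "$2" || return 1
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  containers:
  - name: $1
    image: $2
    imagePullPolicy: Never
EOF
}

# usage: pod_manifest demo localhost:32000/demo:v1 | kubectl apply -f -
```

With imagePullPolicy: Never the kubelet never contacts a registry, so a missing or mistagged import fails fast with ErrImageNeverPull instead of silently pulling a different image from docker.io.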


alternatively, configure the cluster to use docker as its container runtime, so images built by the local docker daemon are visible to the kubelet without any import step:

https://github.com/canonical/microk8s/issues/287

https://docs.k3s.io/advanced#using-docker-as-the-container-runtime


2024-07-04
Keep Docker Container Running

docker run -d <image_name> tail -f /dev/null   # blocks forever without burning cpu
docker run -d <image_name> sleep infinity       # same, needs a sleep that accepts "infinity" (coreutils)
docker run -dt <image_name>                     # only works if the image's default command is a shell, which then waits on the allocated tty
docker run -dt <image_name> cat                 # cat blocks reading from the tty
docker run -d <image_name> nc -l -p <port>      # opens a listener; flag syntax differs between netcat variants, and an extra open port is extra attack surface, so prefer sleep


2024-03-30
Hacker Virtual Machines, Containers

on termux you use proot-distro to install kali and blackarch linux.

install it with pkg install proot-distro (pkg wraps apt on termux).


use podman instead of docker here: no gpu passthrough is needed, it runs rootless without a daemon, and pulling was faster in practice.

recent podman versions refuse unqualified (short) image names unless unqualified-search-registries is set in registries.conf, so give the registry explicitly when searching and pulling:

podman search docker.io/kali
podman pull docker.io/kalilinux/kali-rolling


if you want to run network scanners like nmap, the container needs specific capabilities: raw-socket scans (nmap -sS, ping sweeps) need CAP_NET_RAW, and changing interfaces or routes needs CAP_NET_ADMIN. add exactly those rather than --privileged:

# NET_RAW for raw sockets, NET_ADMIN for interface/route changes; no --privileged
podman run --cap-add=NET_RAW --cap-add=NET_ADMIN --rm -it docker.io/parrotsec/security


metasploitable2 and parrot linux also have docker images; more cybersecurity/ctf related images can be found with this search engine query:

site:github.com cybersecurity docker images

https://github.com/VaultSEC/osint

https://github.com/PberAcademy/Dockerimages


on ubuntu you use docker to pull the kali and blackarch linux images; the latest builds are pushed to docker hub.

sudo docker pull kalilinux/kali-rolling
# the kali-rolling image is minimal and does not contain the tool packages
# run inside the container: apt update && apt install -y kali-linux-headless
sudo docker pull blackarchlinux/blackarch


it is always recommended to update and upgrade the blackarch installation right after pulling it, since the published image lags the repositories.


2023-10-05
Force To Use Docker Mirror Instead Of Pulling From Docker.Io

even after configuring /etc/docker/daemon.json like this (you still need to do this):

{
  "registry-mirrors": ["https://mirror.baidubce.com"]
}

it is still not fully working: registry-mirrors only tells dockerd to try the mirror first for docker.io images, and when the mirror is slow or fails it silently falls back to docker.io. to force the mirror, pull the image by its explicit mirror address (sudo -E keeps your proxy environment variables):

sudo -E docker pull mirror.baidubce.com/significantgravitas/auto-gpt
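The two naming rules discussed above (podman's fully-qualified image names in the container post, and forcing a pull through the mirror's explicit address here), as an added example that is not from the original post: a shell helper that qualifies a short image name the way podman's short-name resolution does (assumed rule: a first path component containing "." or ":" or equal to "localhost" is a registry; otherwise docker.io is prepended, and a bare name gets the "library/" namespace), rewrites docker.io references onto a mirror host, and refuses references that are not digest-pinned. The mirror host mirror.example.invalid is a placeholder, not a real endpoint.

```sh
# Added example, not from the original post: qualify short image names,
# rewrite docker.io references onto a mirror, and insist on digest pinning.
# Assumed short-name rule: a first path component containing "." or ":"
# or equal to "localhost" is a registry; otherwise docker.io is prepended,
# and a bare name (no slash) also gets the "library/" namespace.
MIRROR=${MIRROR:-mirror.example.invalid}   # placeholder mirror host, not a real endpoint

# Print the fully-qualified form of an image reference.
qualify_image() {
  ref=$1
  case $ref in
    */*) first=${ref%%/*} ;;
    *)   first= ;;
  esac
  case $first in
    localhost|*.*|*:*) echo "$ref" ;;                      # already names a registry
    "")                echo "docker.io/library/$ref" ;;    # bare name, e.g. alpine:3.19
    *)                 echo "docker.io/$ref" ;;            # user/name, e.g. kalilinux/kali-rolling
  esac
}

# Rewrite a docker.io reference so the pull goes to the mirror explicitly.
# Other registries (ghcr.io, localhost:32000, ...) are returned unchanged,
# which matches registry-mirrors: it only ever applies to docker.io.
mirror_ref() {
  full=$(qualify_image "$1")
  case $full in
    docker.io/*) echo "$MIRROR/${full#docker.io/}" ;;
    *)           echo "$full" ;;
  esac
}

# A mirror is a third party in the supply chain: the only proof that you got
# the upstream bytes is the content digest, so refuse tag-only references.
require_digest() {
  case $1 in
    *@sha256:[0-9a-f]*) return 0 ;;
    *) echo "not digest-pinned: $1" >&2; return 1 ;;
  esac
}

# usage: ref=$(mirror_ref 'library/alpine@sha256:<digest>') && require_digest "$ref" && docker pull "$ref"
```

Pulling by digest through the mirror also removes the ambiguity the post complains about: a tag can resolve differently on the mirror and on docker.io, a digest cannot.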


2023-07-30
Setting Docker Container Storage Quota With Overlay And Different Storage Drivers

Docker container storage quota

--storage-opt is supported only for overlay over xfs with the 'pquota' mount option (this is the error dockerd prints otherwise).

point data-root in /etc/docker/daemon.json at a directory on that xfs filesystem.

edit /etc/fstab and add the xfs block device on a new line with the pquota option (find its uuid using blkid), then mount it and restart docker.

docker run --storage-opt size=10M --rm -it alpine

when using devicemapper, the size must be greater than the base device size (dm.basesize, 10G by default):

docker run --storage-opt size=11G --rm -it alpine

the btrfs, zfs and vfs (not a union filesystem, only for testing) storage drivers also support the size option; to use one of them, move data-root onto the matching filesystem and set storage-driver accordingly.


2022-12-11
Docker Usage Issues

use slim toolkit (docker-slim) to shrink docker image size.


with iptables, you can constrain container network access through the DOCKER-USER chain, which docker evaluates in FORWARD before its own rules and leaves alone on restart:

sudo iptables -I DOCKER-USER -d <ip_range> -j DROP

it breaks things if you drop all local ip ranges: DOCKER-USER sees packets in both directions, so such a rule also drops replies to published ports and traffic between containers on the bridge. put a RETURN rule for ESTABLISHED,RELATED connections first and scope the drops with -s to the container subnet you actually want to isolate.


to use a proxy server provided by the host, set the proxy environment variables when starting the container (this only covers programs that honour them):

docker run -e http_proxy=<proxy_addr> -e https_proxy=<proxy_addr> -e all_proxy=<proxy_addr> -e no_proxy=<bypass_addrs> <image_name>

or better, use tun2proxy (linux only), which routes all of the container's traffic through the proxy at the network layer, so programs that ignore the proxy environment variables are covered too.

run the tun2proxy container:

docker run -d -v /dev/net/tun:/dev/net/tun --sysctl net.ipv6.conf.default.disable_ipv6=0 --cap-add NET_ADMIN --name tun2proxy tun2proxy --proxy <proto>://[username[:password]@]host:port

then share its network namespace, so the container is forced through the proxy:

docker run -it --network "container:tun2proxy" <image_name>[:tag]


with docker for mac, the following names resolve from inside a container to the host and the gateway:

  • host.docker.internal

  • gateway.docker.internal

for podman:

  • host.containers.internal

  • gateway.containers.internal


latest docker mirror:

https://zhuanlan.zhihu.com/p/704011584


to log into mysql with an empty password and make root reachable remotely (lab use only: this exposes a passwordless superuser on every interface; on anything reachable by others create a dedicated user with a password and a restricted host instead, and note that MySQL 8 no longer accepts IDENTIFIED BY inside GRANT, the user has to be created with CREATE USER first):

mysql -uroot --password= -e "grant all privileges on *.* to root@'%' identified by '' with grant option; commit;"

create a volume and mount it into the container, because data written to a container's writable layer is lost when the container is removed (which docker run --rm does as soon as it exits); a named volume survives.

docker volume create <volume_name>
docker run -it -d --rm -v <volume_name>:<container_mountpoint> --name <container_name> <image_name>
docker volume inspect <volume_name>   # shows the driver and the mountpoint on the host

when using mindsdb, package installs are painfully slow because of poor pypi connectivity; point pip at a mirror.

set pip index url globally:

pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple

or pass it as an environment variable (pip reads PIP_INDEX_URL):

docker run -it -d -e PIP_INDEX_URL=https://pypi.tuna.tsinghua.edu.cn/simple --name <container_name> <image_name>

to save a container's state as an image, use docker commit <container_name> <image_name>[:image_tag].

keep in mind that docker commit captures the container's filesystem changes (plus image metadata such as CMD and ENV); it does not record run-time settings like port bindings, volumes or networks, which have to be passed again on the next docker run. docker export and docker import do not help here either: export writes a flat filesystem tarball with no metadata at all, so it loses even the CMD and ENV that commit keeps. read the old container's run-time configuration with docker inspect when recreating it.

when publishing ports, docker binds to 0.0.0.0 by default (unless the daemon's "ip" option says otherwise), so an explicit host ip is normally not the fix, but it can be given: docker run -p 0.0.0.0:<host_port>:<container_port> <rest_commands>. be aware that 0.0.0.0 exposes the port on every interface, and docker's own iptables rules bypass host firewalls such as ufw, so bind to 127.0.0.1 unless outside access is intended.

the real culprit here was the proxy (fastgithub): disable the http proxy to reach the container again, or add rules in clash so that requests to localhost and the local subnets bypass the proxy.

to change port bindings or other settings that were given at docker run time, edit the PortBindings section of hostconfig.json in /var/lib/docker/containers/<container_id>. stop the container first, edit the file, then start it again. tutorial

this did not seem to work. the reason is that dockerd keeps the container config in memory and rewrites the file, so the edit only sticks if the docker daemon itself (not just the container) is stopped while editing; otherwise recreate the container with docker rm and a fresh docker run.

"PortBindings": {
  "80/tcp": [
    {
      "HostPort": "8080"
    }
  ]
}

containers can only reach each other when they share a network. on a user-defined network docker assigns each container a unique ip automatically and its built-in dns resolves container names, so a static --ip is only needed when something outside must know the address in advance. tutorial

create a network (pick a subnet that does not overlap anything shown in ip addr / ifconfig, and watch the subnet mask):

docker network create --subnet=172.18.0.0/16 <network_name>

start a container on that network (the --ip must lie inside the subnet, and must not be the gateway, which is the first usable address by default, nor an address some other container already has):

docker run --rm -d -it --net <network_name> --ip <ipaddress> --name <container_name> <image_name>

to check what ip the container got:

docker inspect <container_id/container_name> | grep IPAddress

now the host can reach the container's ip directly, without port mappings (on linux the host routes to the bridge; docker desktop on mac and windows does not expose the bridge network to the host, so this does not apply there).
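Two points on this page call for the same arithmetic, so one added example covers both: choosing a subnet for docker network create that does not collide with the host's interfaces (this section), and scoping the DOCKER-USER drop rules from the iptables note above to that subnet while keeping established traffic alive. This is example code, not from the original post: plain POSIX sh, IPv4 only. The interface list in SAMPLE_ADDRS is constructed sample output of ip -o -4 addr, and 172.19.0.0/16 and the RFC1918 ranges are assumed placeholders, not values from a real host.

```sh
# Added example, not from the original post: subnet overlap check for
# "docker network create" plus DOCKER-USER egress rules scoped to that
# subnet. IPv4 only, plain sh arithmetic. Sample data is constructed.

# Constructed sample of "ip -o -4 addr" output.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global eth0
3: docker0    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
4: wg0    inet 172.18.0.2/24 scope global wg0'

CONTAINER_NET=172.19.0.0/16                        # assumed isolated network
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

ip_to_int() {                       # 192.168.1.23 -> 3232235799
  a=${1%%.*}; r=${1#*.}
  b=${r%%.*}; r=${r#*.}
  c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

netmask() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }

cidr_parts() {                      # a.b.c.d/n -> "<network as int> n"
  m=$(netmask "${1#*/}"); ipi=$(ip_to_int "${1%/*}")
  echo "$(( ipi & m )) ${1#*/}"
}

ip_in_cidr() {                      # ip_in_cidr 172.18.0.5 172.18.0.0/16
  set -- "$(ip_to_int "$1")" $(cidr_parts "$2")
  m=$(netmask "$3")
  [ $(( $1 & m )) -eq "$2" ]
}

cidr_overlap() {                    # true if the two CIDRs share any address
  set -- $(cidr_parts "$1") $(cidr_parts "$2")
  if [ "$2" -lt "$4" ]; then m=$(netmask "$2"); else m=$(netmask "$4"); fi
  [ $(( $1 & m )) -eq $(( $3 & m )) ]
}

interface_cidrs() {                 # the addr/len column of "ip -o -4 addr"
  printf '%s\n' "$1" | while read -r idx dev fam cidr rest; do echo "$cidr"; done
}

# First 172.<n>.0.0/16, n starting at $2, that overlaps no interface address.
pick_free_subnet() {
  addrs=$1 n=$2
  while [ "$n" -le 31 ]; do
    cand=172.$n.0.0/16 busy=0
    for a in $(interface_cidrs "$addrs"); do
      cidr_overlap "$cand" "$a" && busy=1
    done
    [ "$busy" -eq 0 ] && { echo "$cand"; return 0; }
    n=$((n + 1))
  done
  return 1
}

# iptables -I inserts at the top, so rules are printed in reverse of the order
# they are evaluated in: the ESTABLISHED,RELATED RETURN must end up first, or
# replies to published ports and in-flight downloads get dropped as well.
egress_rules() {
  net=$1; shift
  for dst in "$@"; do echo "iptables -I DOCKER-USER -s $net -d $dst -j DROP"; done
  echo "iptables -I DOCKER-USER -s $net -d $net -j RETURN"
  echo "iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
}

# What the chain above does with one packet: verdict <src> <dst> <ctstate>.
verdict() {
  [ "$3" = ESTABLISHED ] && { echo RETURN; return 0; }
  ip_in_cidr "$1" "$CONTAINER_NET" || { echo RETURN; return 0; }  # not our net
  ip_in_cidr "$2" "$CONTAINER_NET" && { echo RETURN; return 0; }  # same net
  for p in $PRIVATE_RANGES; do
    ip_in_cidr "$2" "$p" && { echo DROP; return 0; }
  done
  echo RETURN                     # public destination: left to later rules
}

# usage: egress_rules "$(pick_free_subnet "$(ip -o -4 addr)" 17)" $PRIVATE_RANGES
```

On the sample host 172.17/16 (docker0) and 172.18/16 (the wireguard /24 lives inside it) are taken, so the first free candidate is 172.19.0.0/16; the verdict function shows why the unscoped "drop all private ranges" rule from the earlier note felt broken: without the RETURN for established connections, a reply packet from 192.168.1.10 back into the container subnet hits the same DROP.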
