Docker - Getting Started Guide
Docker is a platform for running applications in isolated containers. Instead of installing software directly on the server, you package it with all its dependencies into a container that runs the same way everywhere. This server comes with Docker Engine, Docker Compose and Portainer - a web interface for managing containers without the command line.
Step 1 - Verify Portainer Works
Your server's IP address and root password are shown on the Server Details page in your client panel. Portainer starts automatically on first boot. Open your browser and go to:
https://your.server.ip:9443Your browser will show a security warning about the self-signed certificate - this is normal, proceed to the site. Set a password for the admin account (minimum 12 characters). After that you will see the Portainer dashboard where you can manage containers, deploy stacks and monitor your Docker environment.
If you placed the server behind a VyOS router on a private network, you can either configure port forwarding (port 22 for SSH, port 9443 for Portainer, plus any ports your containers expose) or connect over a VPN and reach the server on its private IP.
Portainer Timeout
For security, Portainer gives you 5 minutes to set the password after the container starts. If you see "Your Portainer instance timed out", connect via SSH and restart the container:
ssh root@your.server.ip
docker restart portainerThen open https://your.server.ip:9443 again and create your password.
Step 2 - Connect via SSH
For command-line Docker management, connect to your server:
ssh root@your.server.ipVerify Docker is running:
docker --version
docker compose version
docker run hello-worldIf you see "Hello from Docker!" - everything works.
Step 3 - Running Containers
Start a container from any image on Docker Hub:
# Run an Nginx web server on port 80
docker run -d --name webserver -p 80:80 nginx
# View running containers
docker ps
# Stop and remove the container
docker stop webserver
docker rm webserverStep 4 - Docker Compose
Compose lets you define multi-container apps in a YAML file. Example - Nginx plus MySQL:
mkdir ~/myapp && cd ~/myapp
cat > docker-compose.yml <<'EOF'
services:
web:
image: nginx:alpine
ports:
- "80:80"
volumes:
- ./html:/usr/share/nginx/html
depends_on:
- db
db:
image: mysql:8.0
environment:
MYSQL_ROOT_PASSWORD: changeme
MYSQL_DATABASE: myapp
volumes:
- db_data:/var/lib/mysql
volumes:
db_data:
EOF
docker compose up -dUseful Compose commands:
# View logs
docker compose logs -f
# Stop services
docker compose down
# Stop and remove volumes (deletes data!)
docker compose down -vPost-Installation
Disk Space
Docker images can use up disk space quickly. Keep an eye on it:
# Check overall disk usage
df -h /
# Check Docker-specific disk usage
docker system df
# Clean up unused images, containers and networks
docker system prune -aUpdates
To update Docker, Portainer and system packages:
# Update system packages and Docker
apt update && apt upgrade -y
# Update Portainer to the latest version
docker stop portainer
docker rm portainer
docker pull portainer/portainer-ce:latest
docker run -d --name portainer --restart=always \
-p 9443:9443 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v portainer_data:/data \
portainer/portainer-ce:latestFirewall
SSH (port 22) and Portainer (port 9443) are open by default. When you publish container ports (like -p 80:80), they become accessible from the internet.
Check which ports your containers expose:
docker ps --format "table {{.Names}}\t{{.Ports}}"Fail2Ban - Brute-Force Protection
Your server comes with Fail2Ban pre-configured to protect SSH from brute-force attacks.
| Rule | Max Attempts | Ban Duration |
|---|---|---|
| SSH | 5 failed logins | 10 minutes |
Useful commands:
# Check banned IPs
fail2ban-client status sshd
# Unban an IP
fail2ban-client set sshd unbanip 1.2.3.4If you accidentally lock yourself out, connect via VNC console in your client panel and unban your IP.
Service Management
Docker runs as a systemd service. Common commands:
# Check service status
systemctl status docker
# Restart Docker
systemctl restart docker
# View Docker logs
journalctl -u docker -fServer Credentials
The Portainer admin password is the one you set on first login at https://your.server.ip:9443. Docker itself has no separate credentials - access is controlled by the root user on the server.
Software Included
| Component | Version |
|---|---|
| Ubuntu | 24.04 LTS |
| Docker CE | 29.3.0 |
| Docker Compose | 5.1.0 |
| Docker Buildx | 0.31.1 |
| containerd | 2.2.2 |
| Portainer CE | 2.39.0 |
| Fail2Ban | 1.0.2 |
Troubleshooting
| Problem | Solution |
|---|---|
| Portainer shows "timed out" | Run docker restart portainer via SSH, then open https://IP:9443 again |
| Cannot connect to Docker daemon | Docker may not have started yet. Run systemctl start docker |
| Container can't access the internet | Restart Docker networking: systemctl restart docker |
| Port already in use | Check what's using it: ss -tlnp | grep :80 |
| No space left on device | Clean up: docker system prune -a and check with df -h / |
| Forgot Portainer admin password | Reset Portainer data: docker stop portainer && docker rm portainer && docker volume rm portainer_data, then recreate the container (see Updates section) |
| Blocked by Fail2Ban | Use VNC console in your client panel to unban your IP |
| Forgot root password | Use VNC console in your client panel to reset it |