# Docker System Übersicht
docker system info
docker system df  # Disk Usage
docker system events --since '2025-01-01'
docker system prune # Cleanup

# Docker Daemon Konfiguration (/etc/docker/daemon.json)
{
  "data-root": "/var/lib/docker",
  "storage-driver": "overlay2",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  },
  "dns": ["8.8.8.8", "8.8.4.4"],
  "insecure-registries": [],
  "registry-mirrors": [],
  "live-restore": true,
  "userland-proxy": false,
  "icc": false,
  "userns-remap": "default"
}

# Container Runtime Hierarchie
docker info | grep -E "(Runtime|Storage Driver|Backing Filesystem)"

# Detaillierte Runtime Information
docker container inspect <container_id> | jq '.HostConfig'

# Repository Setup für Ubuntu/Debian
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Docker Engine Installation
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin

# Post-Installation Setup
sudo systemctl enable docker
sudo systemctl start docker

# Non-root Docker Access (Entwicklungsumgebung)
sudo usermod -aG docker $USER

# Systemd Service Override
sudo mkdir -p /etc/systemd/system/docker.service.d
sudo tee /etc/systemd/system/docker.service.d/override.conf << EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --log-level=warn
EOF

sudo systemctl daemon-reload
sudo systemctl restart docker

# Storage Driver Optimierung
sudo mkdir -p /etc/docker
sudo tee /etc/docker/daemon.json << EOF
{
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true"
  ],
  "data-root": "/opt/docker"
}
EOF

# Security Scanning
docker scout cves <image_name>
docker scan <image_name>

# Security Benchmarks
docker run --rm -it \
  --pid host \
  --userns host \
  --cap-add audit_control \
  -v /etc:/etc:ro \
  -v /var/lib:/var/lib:ro \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  aquasec/docker-bench-security

# User Namespace Setup für bessere Isolation
sudo tee -a /etc/subuid << EOF
dockremap:165536:65536
EOF

sudo tee -a /etc/subgid << EOF
dockremap:165536:65536
EOF

# Daemon Configuration Update
{
  "userns-remap": "dockremap"
}

# AppArmor Profile für Container
sudo tee /etc/apparmor.d/docker-default << EOF
#include <tunables/global>

profile docker-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  
  deny @{PROC}/* w,
  deny @{PROC}/sys/fs/** wklx,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  
  deny mount,
  deny /sys/[^f]*/** wklx,
  deny /sys/f[^s]*/** wklx,
  deny /sys/fs/[^c]*/** wklx,
  deny /sys/fs/c[^g]*/** wklx,
  deny /sys/fs/cg[^r]*/** wklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
}
EOF

sudo apparmor_parser -r /etc/apparmor.d/docker-default

# Privacy-by-Design Container
docker run -d \
  --name gdpr-compliant-app \
  --read-only \
  --tmpfs /tmp \
  --tmpfs /var/run \
  --security-opt no-new-privileges:true \
  --security-opt apparmor:docker-default \
  --cap-drop ALL \
  --cap-add NET_BIND_SERVICE \
  --user 1000:1000 \
  --memory 512m \
  --cpus 0.5 \
  --pids-limit 100 \
  nginx:alpine

# Multi-Stage Build für optimierte Images
cat << EOF > Dockerfile.optimized
# Build Stage
FROM node:18-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production

# Production Stage
FROM node:18-alpine AS production
RUN addgroup -g 1001 -S nodejs
RUN adduser -S nextjs -u 1001
WORKDIR /app
COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
COPY --chown=nextjs:nodejs . .
USER nextjs
EXPOSE 3000
CMD ["npm", "start"]
EOF

# Build optimized image
docker build -f Dockerfile.optimized -t app:optimized .

# Docker Compose für komplexe Setups
version: '3.8'
services:
  web:
    image: nginx:alpine
    ports:
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    depends_on:
      - app
    networks:
      - frontend
    deploy:
      replicas: 2
      resources:
        limits:
          memory: 128M
        reservations:
          memory: 64M
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

  app:
    build: .
    environment:
      - NODE_ENV=production
      - DATABASE_URL=postgresql://user:pass@db:5432/appdb
    networks:
      - frontend
      - backend
    volumes:
      - ./logs:/app/logs
    depends_on:
      db:
        condition: service_healthy

  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_DB: appdb
      POSTGRES_USER: user
      POSTGRES_PASSWORD: securepassword
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./init.sql:/docker-entrypoint-initdb.d/init.sql:ro
    networks:
      - backend
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U user -d appdb"]
      interval: 30s
      timeout: 10s
      retries: 5

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true

volumes:
  postgres_data:
    driver: local

# Erweiterte Health Checks
docker run -d \
  --name app-with-healthcheck \
  --health-cmd="curl -f http://localhost/health || exit 1" \
  --health-interval=30s \
  --health-timeout=10s \
  --health-retries=3 \
  --health-start-period=30s \
  myapp:latest

# Health Status Monitoring
docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
docker inspect --format='{{.State.Health.Status}}' app-with-healthcheck

# Prometheus + Grafana Setup
version: '3.8'
services:
  prometheus:
    image: prom/prometheus:latest
    ports:
      - "9090:9090"
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console_libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
      - '--storage.tsdb.retention.time=200h'
      - '--web.enable-lifecycle'

  node-exporter:
    image: prom/node-exporter:latest
    ports:
      - "9100:9100"
    volumes:
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      - /:/rootfs:ro
    command:
      - '--path.procfs=/host/proc'
      - '--path.sysfs=/host/sys'
      - '--collector.filesystem.ignored-mount-points=^/(sys|proc|dev|host|etc)($$|/)'

  cadvisor:
    image: gcr.io/cadvisor/cadvisor:latest
    ports:
      - "8080:8080"
    volumes:
      - /:/rootfs:ro
      - /var/run:/var/run:rw
      - /sys:/sys:ro
      - /var/lib/docker/:/var/lib/docker:ro
      - /dev/disk/:/dev/disk:ro

  grafana:
    image: grafana/grafana:latest
    ports:
      - "3000:3000"
    environment:
      - GF_SECURITY_ADMIN_USER=admin
      - GF_SECURITY_ADMIN_PASSWORD=admin123
    volumes:
      - grafana_data:/var/lib/grafana

volumes:
  prometheus_data:
  grafana_data:

# ELK Stack für Docker Logs
version: '3.8'
services:
  elasticsearch:
    image: elasticsearch:8.5.0
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
    volumes:
      - elasticsearch_data:/usr/share/elasticsearch/data
    ports:
      - "9200:9200"

  logstash:
    image: logstash:8.5.0
    volumes:
      - ./logstash.conf:/usr/share/logstash/pipeline/logstash.conf
    depends_on:
      - elasticsearch

  kibana:
    image: kibana:8.5.0
    ports:
      - "5601:5601"
    environment:
      - ELASTICSEARCH_HOSTS=http://elasticsearch:9200
    depends_on:
      - elasticsearch

  filebeat:
    image: elastic/filebeat:8.5.0
    user: root
    volumes:
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    depends_on:
      - elasticsearch

volumes:
  elasticsearch_data:

# Log Driver Konfiguration
{
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3",
    "compress": "true"
  }
}

# Structured Logging für Container
docker run -d \
  --name structured-logs \
  --log-driver json-file \
  --log-opt max-size=10m \
  --log-opt max-file=5 \
  --log-opt labels=env,version \
  --log-opt env=production \
  --label version=1.0.0 \
  myapp:latest

# Log Analysis Commands
docker logs --since="2025-01-01" --until="2025-01-02" container_name
docker logs --tail=100 --follow container_name
docker logs --timestamps container_name | grep ERROR

# Custom Bridge Network
docker network create \
  --driver bridge \
  --subnet=172.20.0.0/16 \
  --ip-range=172.20.240.0/20 \
  --gateway=172.20.0.1 \
  --opt com.docker.network.bridge.name=custom-bridge \
  --opt com.docker.network.bridge.enable_icc=false \
  --opt com.docker.network.bridge.enable_ip_masquerade=true \
  custom-network

# Overlay Network für Multi-Host
docker network create \
  --driver overlay \
  --subnet=10.0.9.0/24 \
  --gateway=10.0.9.1 \
  --attachable \
  multi-host-overlay

# Macvlan für Direct Hardware Access
docker network create \
  --driver macvlan \
  --subnet=192.168.1.0/24 \
  --gateway=192.168.1.1 \
  --opt parent=eth0 \
  macvlan-network

# Inter-Container Communication Control
docker network create \
  --driver bridge \
  --opt com.docker.network.bridge.enable_icc=false \
  isolated-network

# Port Exposure Best Practices
docker run -d \
  --name secure-web \
  --network isolated-network \
  -p 127.0.0.1:8080:80 \
  nginx:alpine

# Network Segmentation
docker network create frontend-network
docker network create backend-network
docker network create database-network

# Container mit mehreren Networks
docker run -d \
  --name app-server \
  --network frontend-network \
  myapp:latest

docker network connect backend-network app-server

# Named Volumes für persistente Daten
docker volume create \
  --driver local \
  --opt type=none \
  --opt o=bind \
  --opt device=/opt/docker-volumes/app-data \
  app-data-volume

# Volume mit Backup-Integration
docker volume create \
  --driver local \
  --opt type=nfs \
  --opt o=addr=192.168.1.100,rw \
  --opt device=:/path/to/nfs/share \
  nfs-backup-volume

# Volume Cleanup und Maintenance
docker volume prune --force
docker volume ls --filter dangling=true

# Overlay2 Performance Tuning
{
  "storage-driver": "overlay2",
  "storage-opts": [
    "overlay2.override_kernel_check=true",
    "overlay2.size=120G"
  ]
}

# Storage Monitoring
docker system df -v
du -sh /var/lib/docker/overlay2/*

# CPU und Memory Limits
docker run -d \
  --name resource-limited \
  --cpus="1.5" \
  --memory="512m" \
  --memory-swap="1g" \
  --memory-swappiness=10 \
  --oom-kill-disable=false \
  --restart=unless-stopped \
  myapp:latest

# System Resource Monitoring
docker stats --no-stream
docker container top <container_id>

# Multi-stage Build für minimale Images
FROM node:18-alpine AS dependencies
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production && npm cache clean --force

FROM node:18-alpine AS build
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM node:18-alpine AS runtime
RUN addgroup -g 1001 -S nodejs && \
    adduser -S nextjs -u 1001
WORKDIR /app
COPY --from=dependencies --chown=nextjs:nodejs /app/node_modules ./node_modules
COPY --from=build --chown=nextjs:nodejs /app/build ./build
COPY --chown=nextjs:nodejs package*.json ./
USER nextjs
EXPOSE 3000
CMD ["npm", "start"]

# Build Cache Management
docker builder prune --filter until=24h
docker image prune --filter until=72h

# Multi-platform Builds
docker buildx create --name multiarch --use
docker buildx build --platform linux/amd64,linux/arm64 -t myapp:multiarch .

# Volume Backup
docker run --rm \
  -v postgres_data:/source:ro \
  -v $(pwd)/backups:/backup \
  alpine \
  tar -czf /backup/postgres_backup_$(date +%Y%m%d_%H%M%S).tar.gz -C /source .

# Container Export/Import
docker export container_name > container_backup.tar
docker import container_backup.tar new_image:tag

# Image Save/Load
docker save myapp:latest | gzip > myapp_latest.tar.gz
gunzip -c myapp_latest.tar.gz | docker load

#!/bin/bash
# Docker Disaster Recovery Script

BACKUP_DIR="/opt/backups"
DATE=$(date +%Y%m%d_%H%M%S)

# Backup Volumes
for volume in $(docker volume ls -q); do
    echo "Backing up volume: $volume"
    docker run --rm \
        -v $volume:/source:ro \
        -v $BACKUP_DIR:/backup \
        alpine \
        tar -czf /backup/${volume}_${DATE}.tar.gz -C /source .
done

# Backup Images
echo "Backing up images..."
docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "<none>" | \
while read image; do
    safe_name=$(echo $image | tr '/:' '_-')
    docker save $image | gzip > $BACKUP_DIR/${safe_name}_${DATE}.tar.gz
done

# Cleanup old backups (keep 7 days)
find $BACKUP_DIR -name "*.tar.gz" -mtime +7 -delete

# Private Registry Setup
version: '3.8'
services:
  registry:
    image: registry:2
    ports:
      - "5000:5000"
    environment:
      REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY: /var/lib/registry
      REGISTRY_AUTH: htpasswd
      REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
      REGISTRY_AUTH_HTPASSWD_REALM: "Registry Realm"
    volumes:
      - registry_data:/var/lib/registry
      - ./auth:/auth:ro
      - ./certs:/certs:ro

  registry-ui:
    image: joxit/docker-registry-ui:latest
    ports:
      - "8080:80"
    environment:
      - REGISTRY_TITLE=Company Registry
      - REGISTRY_URL=http://registry:5000
      - DELETE_IMAGES=true
    depends_on:
      - registry

volumes:
  registry_data:

# GitLab CI Docker Integration
stages:
  - build
  - test
  - deploy

variables:
  DOCKER_DRIVER: overlay2
  DOCKER_TLS_CERTDIR: "/certs"

services:
  - docker:20.10.16-dind

before_script:
  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY

build:
  stage: build
  script:
    - docker build -t $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA .
    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA

test:
  stage: test
  script:
    - docker run --rm $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA npm test

deploy:
  stage: deploy
  script:
    - docker tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE:latest
    - docker push $CI_REGISTRY_IMAGE:latest
  only:
    - main

# Container Exit Codes Analysis
docker ps -a --format "table {{.Names}}\t{{.Status}}\t{{.Command}}"

# Container Resource Usage
docker stats --no-stream --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.BlockIO}}"

# Network Connectivity Issues
docker exec -it container_name ping google.com
docker exec -it container_name nslookup google.com
docker network inspect bridge

# Storage Issues
docker system df
df -h /var/lib/docker
du -sh /var/lib/docker/overlay2/* | sort -hr | head -10

# Container Process Debugging
docker exec -it container_name ps aux
docker exec -it container_name lsof -p 1
docker exec -it container_name netstat -tulpn

# Systemd Integration Debugging
systemctl status docker
journalctl -u docker.service --since today
journalctl -u docker.service -f

# Container Performance Profiling
docker exec -it container_name top
docker exec -it container_name iostat 1 5
docker exec -it container_name sar -u 1 5

# Resource Limit Testing
docker run -it --rm --memory=100m --cpus=0.5 stress:latest stress --vm 1 --vm-bytes 150M --vm-hang 1

# CIS Docker Benchmark Automation
#!/bin/bash

# 1. Host Configuration
echo "Checking host configuration..."
grep -q "docker" /etc/group || groupadd docker
usermod -aG docker jenkins

# 2. Docker Daemon Configuration
cat > /etc/docker/daemon.json << EOF
{
  "icc": false,
  "userns-remap": "default",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "seccomp-profile": "/etc/docker/seccomp.json",
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "tcp://localhost:514"
  }
}
EOF

# 3. Container Runtime Security
docker run --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --read-only \
  --tmpfs /tmp \
  myapp:latest

# DSGVO-konforme Container Deployment
version: '3.8'
services:
  gdpr-app:
    image: myapp:latest
    security_opt:
      - no-new-privileges:true
      - apparmor:docker-default
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    tmpfs:
      - /tmp
      - /var/run
    user: "1000:1000"
    environment:
      - DATA_RETENTION_DAYS=365
      - ENCRYPTION_ENABLED=true
      - AUDIT_LOGGING=true
    logging:
      driver: "syslog"
      options:
        tag: "gdpr-app"

# DSGVO Data Minimization
docker run --rm \
  -v data_volume:/data \
  alpine sh -c "find /data -type f -mtime +365 -delete"

# Audit Logging
{
  "log-driver": "syslog",
  "log-opts": {
    "syslog-address": "tcp://siem.company.de:514",
    "tag": "docker/{{.Name}}"
  }
}

# Resource Allocation Strategy
docker update --memory=512m --cpus=1.0 container_name

# Swarm Mode für High Availability
docker swarm init
docker service create --replicas=3 --name web nginx:alpine

# Zero-Trust Container Security
docker run -d \
  --name zero-trust-app \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --read-only \
  --user=1000:1000 \
  --network=none \
  myapp:latest