How to Install Docker and PostgreSQL Securely on a Linux Server (A Production-Oriented Guide)
Source: Dev.to
Introduction
Running a database on a server is easy; keeping it secure is where most deployments fail. This guide shows how to:
- Install Docker correctly
- Harden Docker so that it does not weaken the server's security
- Run PostgreSQL in Docker without exposing it to the internet
- Access the database securely from your local machine
- Avoid common security pitfalls
It applies to single servers, side projects, SaaS MVPs, and production environments that value security over shortcuts.
Prerequisites
- Ubuntu 22.04 or 24.04
- A non-root admin user (for example `dev`) with `sudo` privileges
- SSH key-based login
- Firewall (UFW) enabled
Important: do not use `root` for day-to-day work.
Install Docker from the Official Repository
```bash
# Remove any old Docker packages
sudo apt remove -y docker docker-engine docker.io containerd runc
# Install prerequisites
sudo apt update
sudo apt install -y ca-certificates curl gnupg
# Set up Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | \
  sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add Docker's APT repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] \
  https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker Engine
sudo apt update
sudo apt install -y \
  docker-ce \
  docker-ce-cli \
  containerd.io \
  docker-buildx-plugin \
  docker-compose-plugin
```
Verify the installation:
```bash
sudo docker version
sudo docker run --rm hello-world
```
If you see “Hello from Docker!”, Docker is working.
Add Your User to the docker Group
```bash
sudo usermod -aG docker dev
```
Log out and back in (or `ssh dev@SERVER_IP`) and verify:
```bash
docker ps
```
⚠️ Warning: do not add application or service users to the `docker` group. Membership in that group is equivalent to root access on the host.
Harden Docker Daemon
Create or edit /etc/docker/daemon.json:
```bash
sudo nano /etc/docker/daemon.json
```
Paste the following configuration:
```json
{
  "icc": false,
  "live-restore": true,
  "no-new-privileges": true,
  "userns-remap": "default",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "3"
  }
}
```
Explanation
- `icc: false` – prevents containers from communicating with each other.
- `userns-remap: "default"` – maps container root to an unprivileged host user.
- `no-new-privileges: true` – blocks privilege escalation.
- Log options limit disk usage.
- `live-restore: true` – keeps containers running during Docker restarts.
Restart Docker and verify the user‑namespace remapping:
```bash
sudo systemctl restart docker
docker info | grep -i userns
```
Prepare a Docker Volume for PostgreSQL
```bash
docker volume create pgdata
```
Run PostgreSQL 18 in Docker
Note: PostgreSQL 18 stores data in `/var/lib/postgresql`. Do not mount `/var/lib/postgresql/data`.
```bash
docker run -d \
  --name postgres \
  --restart unless-stopped \
  -e POSTGRES_USER=appuser \
  -e POSTGRES_PASSWORD=STRONG_PASSWORD_HERE \
  -e POSTGRES_DB=appdb \
  -v pgdata:/var/lib/postgresql \
  -p 127.0.0.1:5432:5432 \
  postgres:18
```
- The database port is bound only to `127.0.0.1`, so it is not publicly exposed.
- Data is persisted in the `pgdata` volume.
- PostgreSQL runs as a non-root user inside the container.
Verify the Container
```bash
docker ps
docker logs postgres
```
You should see a line such as:
```
database system is ready to accept connections
```
Enter the database:
```bash
docker exec -it postgres psql -U appuser -d appdb
```
Inside psql:
```sql
SELECT version();
\q
```
Ensure the Port Is Not Exposed Publicly
```bash
ss -tulpn | grep 5432
```
Expected output:
```
127.0.0.1:5432
```
If you see `0.0.0.0:5432`, stop the container and fix the binding.
Check the firewall:
```bash
sudo ufw status
```
PostgreSQL should not appear in the list of allowed services.
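As an added example that is not part of the original post, the following script turns the daemon-hardening checks and this port check into a repeatable audit. The functions read captured command output from stdin, so they can run live on the server or offline against saved output; the script name and the `--live` flag are assumptions.

```bash
#!/bin/sh
# Post-install audit for the hardening applied in this guide. Added example,
# not part of the original post. Each check reads captured command output
# from stdin, so it can run live on the server or offline on saved output.
set -eu

# Pass: stdin is a daemon.json containing all four hardening settings above.
check_daemon_json() {
  json=$(cat)
  rc=0
  for kv in 'icc=false' 'no-new-privileges=true' 'userns-remap="default"' 'live-restore=true'; do
    key=${kv%%=*}; want=${kv#*=}
    if ! printf '%s\n' "$json" | grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*$want"; then
      echo "daemon.json: expected \"$key\": $want" >&2
      rc=1
    fi
  done
  return $rc
}

# Pass: every TCP listener on port $1 in `ss -tulpn` output (stdin) is bound
# to loopback (127.0.0.1 or [::1]); 0.0.0.0, [::] or * means public exposure.
check_port_binding() {
  port=$1
  exposed=$(awk -v p=":$port" '
    $2 == "LISTEN" && $5 ~ (p "$") {
      addr = $5; sub(/:[0-9]+$/, "", addr)
      if (addr != "127.0.0.1" && addr != "[::1]") print $5
    }')
  if [ -n "$exposed" ]; then
    echo "port $port is reachable on: $exposed" >&2
    return 1
  fi
  return 0
}

# Pass: `docker info` output (stdin) lists userns under Security Options.
check_userns() { grep -qi 'userns'; }

# Live run on the server: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
  check_daemon_json < /etc/docker/daemon.json
  ss -tulpn | check_port_binding 5432
  docker info 2>/dev/null | check_userns || { echo "userns-remap is not active" >&2; exit 1; }
  echo "audit passed"
fi
```

Any failed check prints the offending setting or listener to stderr and exits non-zero, so the script can be wired into a cron job or CI step.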
Secure Remote Access via SSH Tunnel
From your local machine, create an SSH tunnel that forwards the remote PostgreSQL port to your local machine:
```bash
ssh -N -L 5432:127.0.0.1:5432 dev@SERVER_IP
```
Leave this terminal open while you work.
Connect with Your Preferred Client
| Setting | Value |
|---|---|
| Host | 127.0.0.1 |
| Port | 5432 |
| User | appuser |
| Password | your password |
| Database | appdb |
Works with TablePlus, DBeaver, pgAdmin, psql, etc.
Summary
- Secure Docker installation using the official repository and hardened daemon defaults.
- PostgreSQL 18 runs in a container with a future‑safe layout and no public port exposure.
- SSH tunneling provides encrypted, private access to the database.
You don’t need Kubernetes or managed services to be secure—discipline and correct defaults are enough.
Next Steps (optional)
- Set up automatic backups for the `pgdata` volume.
- Add resource limits to the PostgreSQL container.
- Use `docker-compose` for reproducible deployments.
- Monitor disk usage and periodically audit exposed ports.
If you follow this guide, your server will be more secure than most production environments. Happy deploying 🚀