Server Management
How to Install Docker and Docker Compose Securely
Docker packages applications into containers. This guide installs it from Docker's official apt repository with the GPG key verified, rather than piping a script from the internet into your shell. It also explains why docker group membership is effectively root access on the host.
Update and Install Prerequisites
Refresh the package index and install the tools needed to add a signed repository.
sudo apt update
sudo apt install -y ca-certificates curl gnupg
Add Docker's Official GPG Key
Download and install Docker's signing key into a dedicated keyring. This lets apt cryptographically verify every package, so you are not trusting an unauthenticated 'curl | sh' pipeline.
sudo install -m 0755 -d /etc/apt/keyrings
# Fetch Docker's GPG key and store it (ASCII-armored) in its own keyring file
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
Add the Official Docker Repository
Register the repo and pin it to the key you just installed via signed-by, so packages must be signed by Docker to be accepted.
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
Install Docker Engine and Compose Plugin
Install the engine, CLI, containerd, and the modern Compose plugin (run as 'docker compose', no separate binary needed).
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Verify the Installation
Run the hello-world image and check the Compose plugin version. Successful output confirms the daemon and image pulls work.
sudo docker run --rm hello-world   # downloads and runs a tiny test image, then removes it
docker compose version             # confirm the Compose plugin is present
Understand the docker Group, Then Add Your User
Anyone in the docker group can mount the host filesystem into a container and become root on the host. Treat docker group membership as equivalent to giving someone root. Only add trusted accounts.
# WARNING: members of the 'docker' group have effective root on this host.
sudo usermod -aG docker "$USER"
newgrp docker   # apply the new group in the current shell (or log out and back in)
# For untrusted or multi-tenant use, consider rootless mode instead:
# https://docs.docker.com/engine/security/rootless/
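A small audit for the two controls this guide relies on: the signed-by pin from the repository step and the docker group warning above. It is an added example, not part of the original guide; the function names unpinned_sources and docker_group_members are made up for illustration.

```sh
#!/bin/sh
# Added audit example (not from the original guide).
# Function names are hypothetical; file paths are parameters so the
# checks can also be pointed at copies or test fixtures.

# Print every active one-line "deb"/"deb-src" entry that is not pinned to
# an absolute keyring path with signed-by=, the way this guide pins it.
# Returns 0 when all entries are pinned, 1 otherwise.
unpinned_sources() {
    _bad=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            "deb "*|"deb-src "*) ;;    # active repository entry
            *) continue ;;             # comment, blank line, or other text
        esac
        case $_line in
            *\[*signed-by=/*\]*) ;;    # pinned to a keyring file
            *) printf '%s\n' "$_line"; _bad=1 ;;
        esac
    done < "$1"
    return "$_bad"
}

# Print the supplementary members of the docker group, one per line, from
# an /etc/group-format file. Accounts whose primary group is docker do not
# appear in this field; check the GID column of /etc/passwd for those.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Live check, run only when the file this guide creates is present.
SRC=/etc/apt/sources.list.d/docker.list
if [ -r "$SRC" ]; then
    if unpinned_sources "$SRC"; then
        echo "OK: every entry in $SRC is pinned with signed-by"
    else
        echo "WARNING: the entries above are not pinned with signed-by" >&2
    fi
    echo "Accounts with root-equivalent docker access:"
    docker_group_members /etc/group
fi
```

Every account it lists should be one you would also trust with sudo.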
Docker is installed from the official repository with its GPG key verified, the hello-world test passed, and you understand that docker group membership equals root on the host. For shared or higher-risk environments, run Docker in rootless mode and keep the engine patched.