How to Install and Use Docker CE on Debian 9

Most of us are experienced with virtual machines under Virtualbox, VMware, xen and other technologies allowing us to run an OS (Operating System) within our real OS. The theory behind Docker is similar to the one behind virtual machines. A virtual machine allowed us to run different virtual servers within a single physical device allowing us to isolate services or applications (if a server fails the rest keeps working) and save resources (one hardware instead of many). Virtual machines were revolutionary for sysadmins as it is Docker now.

Docker allows us to isolate applications without need to include the environment or OS, which means, we can isolate a service like nginx without need to dedicate a whole operating system for it, without even dedicated libraries. Applications (images) are isolated within containers to be used and customized as explained in this tutorial.

Some Docker components:

  • dockerd: is the Docker daemon which manages
  • Docker Hub repositories: public repository hosting all containers shared by the community. You not always need to create a container, you can enjoy ready containers from the Docker Hub repositories.
  • Docker images vs Docker containers: A Docker image is the initial live software we’ll use within a container from which we can apply our changes (and create a new image including them if we want). We can not edit or change data within images but we can run them within containers and export a new image with the required customization.

Installing Docker

Before setting up Docker we need to make sure old versions are not installed, previously to Docker installation run:

apt remove docker docker-engine containerd runc

Then update repositories by running:

apt update

Let’s install packages to allow docker installation through https, execute:

apt install apt-transport-https ca-certificates curl gnupg2 software-properties-common

curl -fsSL | sudo apt-key add -

Now add Docker keys, type:

apt-key fingerprint 0EBFCD88

Now add Docker  repositories by running:

add-apt-repository "deb [arch=amd64]
$(lsb_release -cs) stable"

Update repositories by running:

apt update

As you see the Docker repository was added successfully. To install Docker execute:

apt install docker-ce docker-ce-cli

Press Y when requested to continue.

Run a simple instruction to check Docker was installed properly by running:

docker run hello-world

As you see the hello-world image wasn’t found locally therefore Docker CE will download it from the Docker Hub repositories. The test image shows the installation works properly and that the Docker daemon was contacted by the client.

Docker basic commands

docker start: start/run an existing container.
docker stop:
stop a started or running container.
docker build: Build a docker image.
docker run: Run commands within a Docker container.
docker search: search docker images within Docker Hub repositories.
docker pull: this command is used to pull images from the Docker Hubor other defined source.
docker commit: create a new container from an existing one including modifications.
docker ps: shows docker containers
docker image ls: shows Docker images.

Running Snort with Docker CE on Debian 9

For this example I will use a Snort IDS (Intrusion Detection System) container, To install the Snort container from the Docker Hub run:

docker pull linton/docker-snort

Give the container access to the network by running:

docker run -it --rm --net=host linton/docker-snort /bin/bash

Use vi to edit Snort rules, type:

vi /etc/snort/rules/local.rules

Now let’s add a rule to Snort which will report pings to our system, to check if it works properly.

Once vi was opened, press ALT+I to insert new content and add the following line:

alert icmp any any -> any any (msg:"Ping report works...";sid:1000004;)

Once the rule was added type “😡” to save and exit.

Now lets run:

snort -i enp2s0 -c /etc/snort/etc/snort/snort.conf -A console

Note: replace enp2s0 with your network device.

Now if you ping your device live alerts will prompt showing the rule we added. For more information on Snort you can check Configure Snort IDS and Create Rules and Snort Alerts.

To exit a container just run exit

If you want to list the available containers run:

docker ps -a

Creating a new image from a container

As said before a docker image is the original and immutable source of the software, while the container is it’s persistent version in which we can save modifications with the command commit. We will download an Ubuntu image, modify it and create a new one including our modification:

First to download the Ubuntu image run:

docker pull ubuntu

Once downloaded run it by typing:

docker run -i -t ubuntu /bin/bash

Create a file which will represent the modification by running:

touch modiciation
Then exit typing:

Check the container ID by running:

docker ps -a

Use the command docker commit and the container ID to create a new image from your modified container:

docker commit 6643124f4da8 modified-ubuntu

Note: replace 6643124f4da8 for your container ID.

Now let’s run the new image:

docker run -i -t modified-ubuntu

Check if our file remains there:


And as you see the changes are persistent, the file remains there.


Docker is great, not as an alternative but as main resource to replace virtual machines. While we can break our containers, we can’t break the system hosting it, installation, configuration and customization processes can be easily avoided by using this tool without need to clonate partitions or filesystems worrying about hardware compatibility.

Docker literally reduces the work from Gigabytes to MB and prevents a lot of problems associated with OS virtualization with advantages from developers to final users.

Thank you for following, keep following us for more tutorials and updates on Linux, networking and security.

About the author

David Adams

David Adams is a System Admin and writer that is focused on open source technologies, security software, and computer systems.