Install and Secure Docker on Ubuntu 26.04 Bare Metal

Nyra Amsi

Go beyond basic installations. Learn to fix the massive UFW firewall flaw, configure NVIDIA GPUs, and deploy Coolify on your dedicated server.

The Standard for 2026 Cloud Architecture

Deploying Docker directly on an Ubuntu 26.04 Bare Metal Server is the most efficient way to build a private cloud. By skipping heavy hypervisors like Proxmox or VMware, your containers interact directly with the Linux Kernel. This grants your applications absolute hardware utilization and near-native performance.

However, most online guides instruct you to install the outdated Ubuntu packages and leave your server dangerously exposed to the public internet. In this technical guide, we will use the official Docker repository, secure the daemon against the infamous UFW bypass vulnerability, and prepare the server for intensive AI workloads using NVIDIA GPUs.


Step 1: System Preparation and Cleanup

Log into your iRexta Dedicated Server via SSH. Before installing the latest version, you must remove any unofficial or conflicting Docker packages that might have been pre-installed with the OS.

```bash
# Update the system package index
sudo apt update && sudo apt upgrade -y

# Remove conflicting legacy packages
sudo apt remove docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc
```

Step 2: Install Official Docker Engine

To guarantee you receive the latest security patches, you must add the official Docker repository to your Ubuntu 26.04 APT sources.

```bash
# Install prerequisite packages
sudo apt install ca-certificates curl -y

# Download and add Docker official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to APT sources
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Update index and install Docker CE
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
```

Step 3: Enable Rootless Execution

By default, running Docker commands requires root privileges, which is inconvenient and risky for daily operations. Adding your user to the docker group lets you run Docker commands without sudo. Note that this is not Docker's rootless mode: the daemon still runs as root, and membership in the docker group is effectively root-equivalent on the host (a member can mount the host filesystem into a container), so grant it only to trusted administrative accounts.

```bash
# Add your user to the docker group
sudo usermod -aG docker $USER

# Apply the new group membership immediately
newgrp docker

# Test the installation
docker run hello-world
```

Step 4: The Secure Network Rule (Fixing UFW Bypass)

This is a critical security concept for bare metal servers. Docker automatically alters Linux iptables to route network traffic. This means if you use UFW to block a specific port, but a Docker container exposes that same port, Docker will punch a hole straight through your firewall.

Many outdated guides suggest setting iptables to false in the Docker daemon configuration (/etc/docker/daemon.json). Do not do this. Disabling iptables breaks container networking, NAT, and bridge networks entirely. The enterprise standard is to enforce localhost binding.

Whenever you run a container or write a docker-compose file, never expose ports to the public interface. Always bind them strictly to your local loopback address.

```bash
# ❌ DANGEROUS: Exposes port 8080 directly to the public internet bypassing UFW
docker run -p 8080:80 nginx

# ✅ SECURE: Binds port 8080 only to localhost
docker run -p 127.0.0.1:8080:80 nginx
```
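As an added example that is not part of the original article: the same rule can be made the daemon-wide default, so that a -p 8080:80 that omits the address still binds to 127.0.0.1 instead of 0.0.0.0. The ip key in /etc/docker/daemon.json sets the default host address for published ports; restart the daemon (sudo systemctl restart docker) after editing it.

```json
{
  "ip": "127.0.0.1"
}
```

This only changes the default. An explicit -p 0.0.0.0:8080:80 still overrides it, and iptables stays enabled, so container networking, NAT and bridge networks keep working. Treat it as a safety net behind the per-container rule, not a replacement for checking what each container actually publishes.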

Secure Docker Compose Example:

```yaml
services:
  web:
    image: nginx
    ports:
      - "127.0.0.1:8080:80"
```

Once bound to localhost, your container is completely hidden from the outside world. You then use a Reverse Proxy like Nginx, Traefik, or Coolify listening on standard web ports (which UFW securely controls) to route traffic into your containers.
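To check that rule against what is actually running on the host, here is an added example (not from the original article) that audits the published ports of running containers and flags any binding that is not on a loopback address. It reads the output of docker ps --format '{{.Names}}\t{{.Ports}}' on stdin; the sample output embedded in the script is constructed so that it runs offline, and the assumed format of the Ports column is the one Docker prints (host:port->port/proto, comma separated).

```shell
#!/bin/sh
# Added example: flag container ports published on non-loopback addresses.
# Input format is the output of: docker ps --format '{{.Names}}\t{{.Ports}}'
# e.g. "api<TAB>0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp"

TAB=$(printf '\t')

# Constructed sample of `docker ps` output (not captured from a real host).
SAMPLE_PS_OUTPUT=$(printf '%s\n' \
  "web${TAB}127.0.0.1:8080->80/tcp" \
  "api${TAB}0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp" \
  "db${TAB}5432/tcp" \
  "cache${TAB}127.0.0.1:6379->6379/tcp, [::1]:6379->6379/tcp" \
  "admin${TAB}10.0.0.5:9000->9000/tcp")

# Reads "<name><TAB><ports>" lines on stdin and prints "<name> <binding>" for
# each published port whose host address is not loopback. Prints nothing when
# every published port is bound to 127.0.0.1 / [::1].
audit_port_bindings() {
  while IFS="$TAB" read -r name ports; do
    [ -n "$name" ] || continue
    # Docker separates multiple bindings with ", "; handle one per line.
    printf '%s\n' "$ports" | tr ',' '\n' | while read -r binding; do
      case "$binding" in
        *'->'*) ;;        # published to the host: <hostaddr>:<port>-><port>/proto
        *) continue ;;    # container-internal only, not reachable via the host NIC
      esac
      hostaddr="${binding%%->*}"   # 0.0.0.0:3000  or  [::]:3000
      hostip="${hostaddr%:*}"      # 0.0.0.0       or  [::]
      case "$hostip" in
        127.*|'[::1]') ;;          # loopback: only a reverse proxy on this host can reach it
        *) printf '%s %s\n' "$name" "$binding" ;;   # anything else bypasses UFW
      esac
    done
  done
}

# Run the audit over the constructed sample. On a live host, pipe the real
# `docker ps --format '{{.Names}}\t{{.Ports}}'` output into audit_port_bindings instead.
audit_sample() {
  printf '%s\n' "$SAMPLE_PS_OUTPUT" | audit_port_bindings
}

audit_sample
```

Run on the sample, the script reports the api container (published on 0.0.0.0 and [::]) and the admin container (published on a LAN address), while web, cache and the unpublished db port stay silent. Any line it prints is a port that UFW is not protecting; the fix is to rewrite that port mapping with the 127.0.0.1: prefix shown above. A useful habit is to run it from cron or a CI step after every deploy.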


Step 5: Install NVIDIA Container Toolkit

If your iRexta Bare Metal Server is equipped with Enterprise GPUs like the NVIDIA L40S or H200, you must install the toolkit. This bridge allows your Docker containers to bypass virtualization and directly access the physical PCIe lanes for maximum AI inference speed.

```bash
# Add NVIDIA package repositories
curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg

curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
  sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
  sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list

# Install the toolkit
sudo apt update
sudo apt install -y nvidia-container-toolkit

# Configure the Docker runtime
sudo nvidia-ctk runtime configure --runtime=docker
sudo systemctl restart docker
```

Step 6: Deploy Coolify (The Modern Stack)

Now that your foundation is rock solid, you do not need to manage containers manually. Coolify is an open-source platform that turns your Ubuntu 26.04 server into a private Vercel or Heroku alternative.

```bash
# Run the official Coolify installation script
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
```

Piping a remote script straight into bash executes whatever the CDN serves at that moment. On a production server, download the script first, read it, and then run it.

Conclusion

Your Ubuntu 26.04 environment is now running the latest Docker Engine. As long as every published port stays bound to localhost, it is no longer exposed to the UFW bypass, it is fully optimized for NVIDIA AI hardware, and it is managed by a modern orchestration interface. This is the exact blueprint used by senior system architects.

Ready to deploy intensive workloads? Explore iRexta High-Performance Bare Metal Servers.