Tools: Complete Guide to Install and Secure Docker on Ubuntu 26.04 Bare Metal

Go beyond basic installations. Learn to fix the massive UFW firewall flaw, configure NVIDIA GPUs, and deploy Coolify on your dedicated server.

The Standard for 2026 Cloud Architecture

Deploying Docker directly on an Ubuntu 26.04 Bare Metal Server is the most efficient way to build a private cloud. By skipping heavy hypervisors like Proxmox or VMware, your containers interact directly with the Linux Kernel. This grants your applications absolute hardware utilization and near-native performance.

However, most online guides instruct you to install the outdated Ubuntu packages and leave your server dangerously exposed to the public internet. In this technical guide, we will use the official Docker repository, secure the daemon against the infamous UFW bypass vulnerability, and prepare the server for intensive AI workloads using NVIDIA GPUs.

Step 1: System Preparation and Cleanup

Log into your iRexta Dedicated Server via SSH. Before installing the latest version, you must remove any unofficial or conflicting Docker packages that might have been pre-installed with the OS.

Step 2: Install Official Docker Engine

To guarantee you receive the latest security patches, you must add the official Docker repository to your Ubuntu 26.04 APT sources.

Step 4: The Secure Network Rule (Fixing UFW Bypass)

This is a critical security concept for bare metal servers. Docker automatically modifies the host's iptables rules to route network traffic. This means that if you use UFW to block a specific port, but a Docker container exposes that same port, Docker will punch a hole straight through your firewall.

Many outdated guides suggest setting "iptables": false in the Docker daemon configuration. Do not do this. Disabling iptables breaks container networking, NAT, and bridge networks entirely.

The enterprise standard is to enforce localhost binding. Whenever you run a container or write a docker-compose file, never expose ports to the public interface. Always bind them strictly to your local loopback address.

Once bound to localhost, your container is completely hidden from the outside world.
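A check for the localhost-binding rule above, as an added example that is not part of the original guide: the function reads the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and reports every published port that is not bound to a loopback address. The function name and the container names are assumptions, and the sample output is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit running containers for
# published ports that are reachable from outside the host.
#
# Input on stdin: one "<name><TAB><ports>" line per container, as printed by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: "<name><TAB><binding>" for every binding that is not on loopback.
# Exit status: 1 if any such binding was found, 0 otherwise.
audit_published_ports() {
    awk -F '\t' '
    {
        n = split($2, entries, /, */)
        for (i = 1; i <= n; i++) {
            e = entries[i]
            arrow = index(e, "->")
            # "80/tcp" with no "->" is only EXPOSEd, not published on the host.
            if (arrow == 0) continue
            host = substr(e, 1, arrow - 1)
            # 127.0.0.0/8 and [::1] are only reachable from the host itself.
            if (host ~ /^127\./ || host ~ /^\[::1\]:/) continue
            # Anything else (0.0.0.0, [::], a LAN or public IP) is published
            # through the rules Docker writes itself, regardless of UFW.
            printf "%s\t%s\n", $1, e
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample of `docker ps` output (hypothetical container names).
SAMPLE_PS_OUTPUT=$(printf '%s\t%s\n' \
    'web-public' '0.0.0.0:8080->80/tcp, [::]:8080->80/tcp' \
    'web-local'  '127.0.0.1:8081->80/tcp' \
    'db'         '5432/tcp' \
    'cache'      '[::1]:6379->6379/tcp')

# Run against the sample; on a real host, pipe the docker ps command in instead.
printf '%s\n' "$SAMPLE_PS_OUTPUT" | audit_published_ports ||
    echo "WARNING: non-loopback bindings found" >&2
```

The non-zero exit status makes the function usable as a gate in a cron job or deployment script.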
You then use a reverse proxy like Nginx, Traefik, or Coolify listening on standard web ports (which UFW securely controls) to route traffic into your containers.

Step 5: Install NVIDIA Container Toolkit

If your iRexta Bare Metal Server is equipped with Enterprise GPUs like the NVIDIA L40S or H200, you must install the NVIDIA Container Toolkit. This bridge allows your Docker containers to bypass virtualization and directly access the physical PCIe lanes for maximum AI inference speed.

Step 6: Deploy Coolify (The Modern Stack)

Now that your foundation is rock solid, you do not need to manage containers manually. Coolify is an open-source platform that turns your Ubuntu 26.04 server into a private Vercel or Heroku alternative.

Conclusion

Your Ubuntu 26.04 environment is now running the latest Docker Engine. With published ports bound to localhost, it is protected against the UFW bypass vulnerability, fully optimized for NVIDIA AI hardware, and managed by a modern orchestration interface. This is the exact blueprint used by senior system architects.

Ready to deploy intensive workloads? Explore iRexta High-Performance Bare Metal Servers.


Step 1 commands (system preparation and cleanup):

```bash
# Update the system package index
sudo apt update && sudo apt upgrade -y

# Remove conflicting legacy packages
sudo apt remove docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc
```

Step 2 commands (install the official Docker Engine):

```bash
# Install prerequisite packages
sudo apt install ca-certificates curl -y

# Download and add Docker official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to APT sources
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Update index and install Docker CE
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin -y
```

Step 3: Enable Rootless Execution

By default, running Docker commands requires root privileges. This is a security risk for daily operations. Add your current user to the docker group to execute commands without sudo. Keep in mind that members of the docker group effectively have root access to the host, so add only trusted accounts.

```bash
# Add your user to the docker group
sudo usermod -aG docker "$USER"

# Apply the new group membership immediately
newgrp docker

# Test the installation
docker run hello-world
```


Step 4 examples (localhost binding):

```bash
# ❌ DANGEROUS: Exposes port 8080 directly to the public internet bypassing UFW
docker run -p 8080:80 nginx

# ✅ SECURE: Binds port 8080 only to localhost
docker run -p 127.0.0.1:8080:80 nginx
```

Secure Docker Compose example:

```yaml
services:
  web:
    image: nginx
    ports:
      - "127.0.0.1:8080:80"
```

Step 5 commands (NVIDIA Container Toolkit):

```bash
# Add NVIDIA package repositories
curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | sudo gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg
curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
  sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
  sudo tee /etc/apt/sources.list.d/nvidia-container-toolkit.list

# Install the toolkit
sudo apt update
sudo apt install -y nvidia-container-toolkit

# Configure the Docker runtime
sudo nvidia-ctk runtime configure --runtime=docker
sudo systemctl restart docker
```

Step 6 command (Coolify):

```bash
# Run the official Coolify installation script
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | bash
```