7 Setting up Docker Open Source Engine
7.1 Preparing the host
Prepare the host as described below. Before installing any Docker-related packages, you need to enable the Containers Module:
Starting with Docker Open Source Engine 1.12, container orchestration is now an integral part of Docker Open Source Engine. Even though this feature is available in SUSE Linux Enterprise Server 15 SP4, it is not supported by SUSE and is only provided as a technology preview. Use K8S for container orchestration. For details, refer to the Kubernetes documentation.
7.1.1 Installing and configuring Docker Open Source Engine
Install the docker package:
> sudo zypper install docker
To automatically start the Docker service at boot time:
> sudo systemctl enable docker.service
This also enables docker.socket.
Open the /etc/sysconfig/docker file. Search for the parameter DOCKER_OPTS and add --insecure-registry ADDRESS_OF_YOUR_REGISTRY to it.
Add CA certificates to the directory /etc/docker/certs.d/REGISTRY_ADDRESS:
> sudo cp CA /etc/pki/trust/anchors/
Copy the CA certificates to your system:
> sudo update-ca-certificates
Start the Docker service:
> sudo systemctl start docker.service
This also starts docker.socket.
The Docker daemon listens on a local socket accessible only by the root user and by the members of the docker group. The docker group is automatically created during package installation.
To allow a certain user to connect to the local Docker daemon, use the following command:
> sudo /usr/sbin/usermod -aG docker USERNAME
This allows the user to communicate with the local Docker daemon. Because anyone who can talk to the daemon can start privileged containers and bind-mount host paths, membership in the docker group is effectively equivalent to root access on the host, so grant it only to users you would trust with root.
7.2 Configuring the network
To give the containers access to the external network, enable IPv4 forwarding (the net.ipv4.ip_forward sysctl).
7.2.1 How Docker Open Source Engine interacts with iptables
To learn more about how containers interact with each other and the system firewall, see the Docker documentation.
It is also possible to prevent Docker Open Source Engine from manipulating iptables. See the Docker documentation.
7.3 Storage drivers
Docker Open Source Engine supports different storage drivers:
vfs: This driver is automatically used when the Docker host file system does not support copy-on-write. This driver is simpler than the others listed and does not leverage certain advantages of Docker Open Source Engine such as shared layers. It is a reliable but slow driver.
devicemapper: This driver relies on the device-mapper thin provisioning module. It supports copy-on-write, so it leverages all the advantages of Docker Open Source Engine.
btrfs: This driver relies on Btrfs to provide all the features required by Docker Open Source Engine. To use this driver, the /var/lib/docker directory must be on a Btrfs file system.
From SUSE Linux Enterprise Server 12 onward, the Btrfs file system is used by default, which forces Docker Open Source Engine to use the btrfs driver.
It is possible to specify which driver to use by changing the value of the DOCKER_OPTS variable defined in the /etc/sysconfig/docker file. This can be done either manually or using YaST by browsing to the System > /etc/sysconfig Editor > System > Management > DOCKER_OPTS menu and entering the -s STORAGE_DRIVER string.
For example, to force the usage of the devicemapper driver, enter the following text:
DOCKER_OPTS="-s devicemapper"
/var/lib/docker
It is recommended to mount /var/lib/docker on a separate partition or volume. In case of file system corruption, this would leave the operating system running Docker Open Source Engine unaffected.
If you choose the Btrfs file system for /var/lib/docker, it is strongly recommended to create a subvolume for it. This ensures that the directory is excluded from file system snapshots. If you do not exclude /var/lib/docker from snapshots, the file system will likely run out of disk space soon after you start deploying containers. In addition, a rollback to a previous snapshot will also reset the Docker database and images. For more information, see https://documentation.suse.com/sles/html/SLES-all/cha-snapper.html#sec-snapper-setup-customizing-new-subvolume.
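As an added example that is not SUSE's code or part of this guide, the following bash script audits the settings from Section 7.1.1 and Section 7.3: it reads DOCKER_OPTS from a sysconfig file, reports the forced storage driver and any --insecure-registry entries (registries the daemon would use without TLS verification), and checks whether /var/lib/docker is its own mount point in a /proc/mounts-style table. It runs against a constructed sysconfig file and mount table; on a real host you would point the functions at /etc/sysconfig/docker and /proc/mounts.

```bash
#!/bin/bash
# Added example (not SUSE's code): audit the settings this chapter
# discusses, using a constructed sysconfig file and mount table.
set -u

# Value of DOCKER_OPTS in a sysconfig file (last assignment wins,
# surrounding quotes stripped); empty when the variable is unset.
docker_opts() {
  sed -n 's/^DOCKER_OPTS=\(.*\)$/\1/p' "$1" | tail -n 1 | tr -d "\"'"
}
# Storage driver forced with -s, or "default" when none is set.
storage_driver() {
  local drv
  drv=$(docker_opts "$1" | grep -oE '(^| )-s [^ ]+' | awk '{print $2}')
  echo "${drv:-default}"
}
# Registries the daemon would use without TLS verification.
insecure_registries() {
  docker_opts "$1" | grep -oE -- '--insecure-registry[ =][^ ]+' |
    awk -F'[ =]' '{print $2}'
}
# Returns 0 when DIR ($2) is its own mount point in a /proc/mounts-style table ($1).
is_separate_mount() {
  awk -v d="$2" '$2 == d { found = 1 } END { exit !found }' "$1"
}

# Write constructed sample input (not taken from a real host) into DIR.
write_samples() {
  cat > "$1/docker" <<'EOF'
DOCKER_OPTS="-s btrfs --insecure-registry registry.example.internal:5000"
EOF
  printf '%s\n' \
    '/dev/sda2 / btrfs rw,relatime,subvol=/@ 0 0' \
    '/dev/sda2 /var/lib/docker btrfs rw,relatime,subvol=/@/var/lib/docker 0 0' \
    > "$1/mounts"
}

tmp=$(mktemp -d)
write_samples "$tmp"
echo "storage driver: $(storage_driver "$tmp/docker")"
for r in $(insecure_registries "$tmp/docker"); do
  echo "WARNING: registry $r is used without TLS verification"
done
is_separate_mount "$tmp/mounts" /var/lib/docker ||
  echo "WARNING: /var/lib/docker shares the root file system"
rm -rf "$tmp"
```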
7.4 Updates
All updates to the docker package are marked as interactive (that is, no automatic updates) to avoid accidental updates that can break running container workloads. We recommend stopping all running containers before applying an update to Docker Open Source Engine.
To avoid data loss, we do not recommend having workloads rely on containers being able to start after an update to Docker Open Source Engine. Although it is technically possible to keep containers running during an update via the --live-restore option, experience has shown that such updates can introduce regressions. SUSE does not support this feature.