2 Docker Open Source Engine Installation
2.1 General Preparation
Prepare the host as described below. Before installing any Docker-related packages, you need to enable the container module:
Starting with Docker Open Source Engine 1.12, container orchestration is an integral part of the Docker Open Source Engine. Even though this feature is available in SLES 12 SP1 and SP2, it is not supported and is only a technical preview. Use Kubernetes for Docker container orchestration; for details, refer to the Kubernetes documentation.
Start YaST, and select › . Click to open the add-on dialog.
Select and click .
From the list of available extensions and modules, select and click .
The containers module and its repositories will be added to your system.
If you use Subscription Management Tool, update the list of repositories on the SMT server.
The Container Module can also be added with the following command:
sudo SUSEConnect -p sle-module-containers/12/x86_64 -r ''
Note about the SUSEConnect syntax: the -r '' flag is required to avoid a known limitation of SUSEConnect.
Install the docker package:
sudo zypper install docker
To automatically start the Docker service at boot time:
sudo systemctl enable docker.service
This also automatically enables docker.socket.
If you will use Portus with an SSL-secured registry, open the /etc/sysconfig/docker file, search for the parameter DOCKER_OPTS and add --insecure-registry ADDRESS_OF_YOUR_REGISTRY, which lets the daemon contact that registry without verifying its TLS certificate. In a production environment using the SSL-secured registry with Portus, instead add the CA certificates to the directory /etc/docker/certs.d/<registry address> and copy the CA certificates to the system trust store:
sudo cp CA /etc/pki/trust/anchors/ && sudo update-ca-certificates
Start the Docker service:
sudo systemctl start docker.service
This also automatically starts docker.socket.
The Docker daemon listens on a local socket which is accessible only by the root user and by the members of the docker group. The docker group is automatically created at package installation time. To allow a certain user to connect to the local Docker daemon, use the following command:
sudo /usr/sbin/usermod -aG docker USERNAME
The user can communicate with the local Docker daemon at the next login.
2.2 Networking
If you want your containers to be able to access the external network, you must enable the IPv4 ip_forward rule. This can be done using YaST by browsing to the › › menu and ensuring Enable IPv4 Forwarding is checked.
This option cannot be changed when networking is handled by the Network Manager. In such cases the /etc/sysconfig/SuSEfirewall2 file needs to be edited manually to ensure the FW_ROUTE flag is set to yes:
FW_ROUTE="yes"
2.2.1 Networking Limitations on Power Architecture
Currently Docker networking has two limitations on the POWER architecture.
The first limitation is about iptables. SLE 12 machines cannot run Docker Open Source Engine with the iptables support enabled. An update of the kernel is going to solve this issue. In the meantime the docker package for POWER has iptables support disabled via a dedicated directive inside of /etc/sysconfig/docker.
As a result of this limitation, Docker containers will not have access to the outer network. A possible workaround is to share the same network namespace between the host and the containers. This however reduces the isolation of the containers. The network namespace of the host can be shared on a per-container basis by adding --net=host to the docker run command.
SLE 12 SP1 hosts are not affected by this limitation but, given they use the same SLE 12 package, they will have iptables support disabled. This can be changed by removing the -iptables=false setting inside of /etc/sysconfig/docker.
The second limitation is about network isolation between the containers and the host. Currently it is not possible to prevent containers from probing or accessing arbitrary ports of each other.
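As an added example that is not part of the SUSE documentation, the following POSIX shell functions audit the DOCKER_OPTS line of an /etc/sysconfig/docker file for the two settings this chapter touches: registries listed under --insecure-registry, which the daemon contacts without verifying their TLS certificate and which production setups should replace with a CA under /etc/docker/certs.d/<registry address>, and the -iptables=false directive that leaves POWER containers without outside network access. The function names, the optional certs_dir argument and the sample file content are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the SUSE documentation: audit DOCKER_OPTS in a
# sysconfig file. Usage: audit_docker_sysconfig /etc/sysconfig/docker [certs_dir]

# Print the (last) DOCKER_OPTS value with the surrounding quotes stripped.
docker_opts() {
    sed -n 's/^DOCKER_OPTS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | tail -n 1
}

# Print every registry the daemon is told to reach without TLS verification,
# accepting both "--insecure-registry ADDR" and "--insecure-registry=ADDR".
insecure_registries() {
    docker_opts "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "--insecure-registry" && i < NF) print $(i + 1)
            else if (index($i, "--insecure-registry=") == 1) print substr($i, 21)
        }
    }'
}

# Succeed when the POWER package's directive (-iptables=false or --iptables=false) is set.
iptables_disabled() {
    docker_opts "$1" | tr ' ' '\n' | grep -Eq '^--?iptables=false$'
}

# Report findings; return 1 when any insecure registry is configured.
# certs_dir defaults to the CA location the documentation uses.
audit_docker_sysconfig() {
    file=$1
    certs_dir=${2:-/etc/docker/certs.d}
    status=0
    for reg in $(insecure_registries "$file"); do
        if [ -d "$certs_dir/$reg" ]; then
            echo "WARN: $reg has a CA directory under $certs_dir but is still listed as insecure; drop --insecure-registry"
        else
            echo "WARN: $reg is used without TLS verification; for production add its CA under $certs_dir/$reg"
        fi
        status=1
    done
    if iptables_disabled "$file"; then
        echo "INFO: iptables support is disabled; containers need --net=host to reach the outer network"
    fi
    return $status
}

# Demo on a constructed sample file standing in for /etc/sysconfig/docker.
SAMPLE=$(mktemp)
printf 'DOCKER_OPTS="--insecure-registry registry.example.test:5000 -iptables=false"\n' > "$SAMPLE"
audit_docker_sysconfig "$SAMPLE" || echo "audit finished with findings"
rm -f "$SAMPLE"
```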