Applies to SUSE Linux Enterprise Server 12 SP5

2 Docker Open Source Engine Installation

2.1 General Preparation

Prepare the host as described below. Before installing any Docker-related packages, you need to enable the container module:

Note: Built-in Docker Orchestration Support

Starting with Docker Open Source Engine 1.12, container orchestration (swarm mode) is an integral part of the Docker Open Source Engine. Even though this feature is available in SLES 12 SP1 and SLES 12 SP2, it is not supported and is only a technical preview. Use Kubernetes for Docker container orchestration; for details refer to the Kubernetes documentation.

Procedure 2.1: Enabling the Container Module Using YaST
  1. Start YaST, and select Software ›  Software Repositories.

  2. Click Add to open the add-on dialog.

  3. Select Extensions and Modules from Registration Server and click Next.

  4. From the list of available extensions and modules, select Container Module 12 x86_64 and click Next.

    The Container Module and its repositories are added to your system.

  5. If you use Subscription Management Tool, update the list of repositories on the SMT server.

Procedure 2.2: Enabling the Container Module Using SUSEConnect
  • The Container Module can also be added with the following command:

    $ sudo SUSEConnect -p sle-module-containers/12/x86_64 -r ''

    Note: SUSEConnect syntax

    The -r '' flag is required to work around a known limitation of SUSEConnect.

Procedure 2.3: Installing and Setting Up Docker Open Source Engine
  1. Install the docker package:

    sudo zypper install docker
  2. To automatically start the Docker service at boot time:

    sudo systemctl enable docker.service

    This automatically enables docker.socket as well.

  3. If you use Portus with an SSL secured registry whose certificate the host does not trust yet (for example a self-signed certificate on a test system), open the /etc/sysconfig/docker file, search for the parameter DOCKER_OPTS and add --insecure-registry ADDRESS_OF_YOUR_REGISTRY. This makes the Docker daemon accept an unverified certificate, or fall back to plain HTTP, for that registry only. Use it for testing only; in production, trust the registry CA as described in the next step instead.

  4. In the production environment, when using the SSL secured registry with Portus, place the CA certificate that signed the registry certificate in the directory /etc/docker/certs.d/<registry address> under the file name ca.crt (the name Docker looks for), and also add it to the system trust store, where CA is the path to the CA certificate file:

        sudo cp CA /etc/pki/trust/anchors/ && sudo update-ca-certificates
  5. Start the Docker service:

    sudo systemctl start docker.service

    This automatically starts docker.socket as well.

The Docker daemon listens on a local Unix socket (/var/run/docker.sock) which is accessible only by the root user and by the members of the docker group. The docker group is automatically created at package installation time. To allow a certain user to connect to the local Docker daemon, use the following command:

sudo /usr/sbin/usermod -aG docker USERNAME

The user can communicate with the local Docker daemon after the next login. Keep in mind that anyone who can talk to the daemon can start a container that bind-mounts the host file system and runs as root inside it, so membership of the docker group is equivalent to root access on the host. Grant it only to users you would also give sudo rights.
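The helpers below are an added example; they are not part of the SUSE documentation or of the docker package. They cover the two security-relevant points of Procedure 2.3 and of the docker group paragraph above: installing a registry CA for one registry under /etc/docker/certs.d instead of resorting to --insecure-registry, listing any --insecure-registry entries left in DOCKER_OPTS, and listing who is in the docker group. Every function takes a root directory as its first argument, assumed to be "/" on a real host; for testing it can be a scratch directory with the same layout (etc/sysconfig/docker, etc/docker/certs.d and etc/group underneath it). The CA certificate content used in testing is constructed, not a real certificate.

```bash
#!/bin/bash
# Added example; not part of the SUSE documentation or of the docker package.
# Every function takes ROOT as its first argument: "/" on a real host, or a
# scratch directory with the same layout (<root>/etc/sysconfig/docker,
# <root>/etc/docker/certs.d, <root>/etc/group) for testing.

# Install CA_FILE as the trust anchor Docker uses for REGISTRY only.
# Docker looks for <root>/etc/docker/certs.d/<host[:port]>/ca.crt; the file
# name ca.crt is fixed and the directory name must match the registry address
# exactly as it appears in image references.
install_registry_ca() {
    local root="$1" registry="$2" ca_file="$3"
    case "$registry" in
        ""|*://*|*/*)
            echo "registry must be host[:port], got '$registry'" >&2
            return 1 ;;
    esac
    [ -f "$ca_file" ] || { echo "CA file not found: $ca_file" >&2; return 1; }
    # Accept only a PEM certificate, so a private key cannot be copied into
    # a world-readable directory by mistake.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca_file" || {
        echo "$ca_file is not a PEM certificate" >&2
        return 1
    }
    local dir="$root/etc/docker/certs.d/$registry"
    mkdir -p "$dir" && cp "$ca_file" "$dir/ca.crt" && chmod 0644 "$dir/ca.crt"
}

# Print every registry that DOCKER_OPTS in <root>/etc/sysconfig/docker marks
# as --insecure-registry, one per line; return 1 when there is none.
# Such a registry is reached over plain HTTP or with an unverified
# certificate, so on a production host this list should be empty.
insecure_registries() {
    local f="$1/etc/sysconfig/docker"
    [ -f "$f" ] || return 1
    grep -E '^[[:space:]]*DOCKER_OPTS=' "$f" \
        | grep -oE -e "--insecure-registry[= ]+[^ \"']+" \
        | sed -E 's/^--insecure-registry[= ]+//' \
        | grep .
}

# Print the members of the docker group from <root>/etc/group, one per line.
# Each of them can run a container that bind-mounts / from the host, which is
# root-equivalent, so review this list the way you review sudoers.
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1/etc/group"
}
```

On a real host, source the file and run for example `install_registry_ca / registry.example.com:5000 /path/to/ca.pem`, then `insecure_registries /` and `docker_group_members /` as a post-install check; a non-empty insecure registry list or an unexpected group member is what should be fixed before the host goes into production.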

2.2 Networking

If you want your containers to be able to access the external network, you must enable IPv4 forwarding (the net.ipv4.ip_forward sysctl). This can be done using YaST by browsing to System › Network Settings › Routing and ensuring Enable IPv4 Forwarding is checked.

This option cannot be changed in YaST when networking is handled by NetworkManager. In such cases the /etc/sysconfig/SuSEfirewall2 file needs to be edited manually to ensure the FW_ROUTE flag is set to yes:

FW_ROUTE="yes"
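As an added example (not part of the SUSE documentation), the check below reports whether the host will actually forward container traffic. The live sysctl value and the persisted FW_ROUTE setting can disagree, for instance when the YaST change did not take effect because NetworkManager manages the network, so both are read. The functions take a root directory as argument, assumed to be "/" on a real host with the SLES 12 file layout (proc/sys/net/ipv4/ip_forward and etc/sysconfig/SuSEfirewall2 underneath it), which also lets them run against a scratch tree.

```bash
#!/bin/bash
# Added example; not part of the SUSE documentation. ROOT is "/" on a real
# host or a scratch directory with the same layout for testing.

# Value currently active in the kernel (1 = forwarding on); 0 if unreadable.
ip_forward_value() {
    cat "$1/proc/sys/net/ipv4/ip_forward" 2>/dev/null || echo 0
}

# Persisted SuSEfirewall2 setting: prints yes or no, ignoring comment lines
# and accepting quoted or unquoted values; an unset value counts as no.
fw_route_value() {
    local v
    v=$(sed -nE "s/^[[:space:]]*FW_ROUTE=[\"']?([A-Za-z]*)[\"']?.*/\\1/p" \
            "$1/etc/sysconfig/SuSEfirewall2" 2>/dev/null | tail -n 1)
    echo "${v:-no}" | tr 'A-Z' 'a-z'
}

# Return 0 when both the live sysctl and the persisted firewall setting allow
# forwarding; otherwise print what has to be fixed and return 1.
forwarding_ok() {
    local rc=0
    [ "$(ip_forward_value "$1")" = 1 ] || {
        echo "net.ipv4.ip_forward is 0: run 'sysctl -w net.ipv4.ip_forward=1' or enable it in YaST"
        rc=1
    }
    [ "$(fw_route_value "$1")" = yes ] || {
        echo "FW_ROUTE is not \"yes\" in /etc/sysconfig/SuSEfirewall2"
        rc=1
    }
    return $rc
}
```

Run `forwarding_ok /` after the YaST or SuSEfirewall2 change and again after a reboot; a host that passes only before the reboot has the setting active but not persisted.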

2.2.1 Networking Limitations on Power Architecture

Currently Docker networking has two limitations on the POWER architecture.

The first limitation concerns iptables. SLE 12 machines cannot run Docker Open Source Engine with iptables support enabled. A kernel update will resolve this issue. In the meantime the docker package for POWER has iptables support disabled via a dedicated directive inside /etc/sysconfig/docker.

As a result of this limitation, Docker containers will not have access to the outer network. A possible workaround is to share the network namespace of the host with the containers. This however reduces the isolation of the containers: such a container sees all host interfaces and can bind any host port.

The network namespace of the host can be shared on a per-container basis by adding --net=host to the docker run command.

Note: iptables support on SLE 12 SP1

SLE 12 SP1 hosts are not affected by this limitation but, given they use the same SLE 12 package, they will have iptables support disabled. This can be changed by removing the iptables=false setting (written as --iptables=false or -iptables=false) inside /etc/sysconfig/docker.

The second limitation is about network isolation between the containers and the host. Currently it is not possible to prevent containers from probing or accessing arbitrary ports of each other.
