Applies to SUSE Linux Enterprise Server 15

2 Docker Open Source Engine Installation

2.1 General Preparation

Prepare the host as described below. Before installing any Docker-related packages, you need to enable the container module:

Note: Built-in Docker Orchestration Support

Starting with Docker Open Source Engine 1.12, container orchestration is an integral part of Docker Open Source Engine. Although this feature is available in SUSE Linux Enterprise Server, it is not supported by SUSE and is provided only as a technical preview. Use Kubernetes for Docker container orchestration; for details, refer to the Kubernetes documentation.

Procedure 2.1: Enabling the Container Module Using YaST
  1. Start YaST, and select Software › Software Repositories.

  2. Click Add to open the add-on dialog.

  3. Select Extensions and Modules from Registration Server and click Next.

  4. From the list of available extensions and modules, select Container Module 15 x86_64 and click Next.

    The containers module and its repositories will be added to your system.

  5. If you use Repository Mirroring Tool, update the list of repositories on the RMT server.

Procedure 2.2: Enabling the Container Module Using SUSEConnect
  • The Container Module can also be added with the following command:

    tux > sudo SUSEConnect -p sle-module-containers/15.GA/x86_64 -r ''
    Note: SUSEConnect Syntax

    The -r '' flag is required to avoid a known limitation of SUSEConnect.

Procedure 2.3: Installing and Setting Up Docker Open Source Engine
  1. Install the docker package:

    tux > sudo zypper install docker
  2. To automatically start the Docker service at boot time:

    tux > sudo systemctl enable docker.service

    As a consequence, docker.socket is enabled automatically as well.

  3. If you use Portus with an SSL-secured registry, open the /etc/sysconfig/docker file, search for the parameter DOCKER_OPTS, and add --insecure-registry ADDRESS_OF_YOUR_REGISTRY.

  4. In a production environment with an SSL-secured registry and Portus, add the CA certificates to the directory /etc/docker/certs.d/REGISTRY_ADDRESS and also copy them into the system trust store (update-ca-certificates must run as root, hence the second sudo):

    tux > sudo cp CA /etc/pki/trust/anchors/ && sudo update-ca-certificates
  5. Start the Docker service:

    tux > sudo systemctl start docker.service

    This starts docker.socket automatically as well.

The Docker daemon listens on a local socket which is accessible only by the root user and by the members of the docker group. The docker group is automatically created at package installation time. To allow a certain user to connect to the local Docker daemon, use the following command:

tux > sudo /usr/sbin/usermod -aG docker USERNAME

The user can communicate with the local Docker daemon upon their next login.
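The two settings from Procedure 2.3 that most affect the host's security posture are the --insecure-registry entries in DOCKER_OPTS (each one is a registry the daemon will talk to without TLS verification, so it belongs only in a test setup, never alongside the certs.d CA approach in production) and the membership of the docker group (anyone who can use the socket can start a privileged container, so the group is effectively root-equivalent). The following POSIX shell helpers audit both; they are an added example, not part of the SUSE documentation or the docker package. Every function takes a file path, so it can be pointed at constructed sample files for testing and at /etc/sysconfig/docker, /etc/docker/certs.d and /etc/group on a real host:

```shell
#!/bin/sh
# Added audit helpers (not from the SUSE documentation) for the daemon
# options and socket access configured in Procedure 2.3.

# Extract the value of the last DOCKER_OPTS= assignment in a sysconfig file,
# with the surrounding quotes removed. Commented-out lines are ignored.
docker_opts() {
    sed -n 's/^DOCKER_OPTS=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print every registry passed via --insecure-registry, one per line.
# Both spellings are handled: "--insecure-registry ADDR" (as in the procedure
# above) and "--insecure-registry=ADDR". Each hit should be reviewed, since
# the daemon will use plain HTTP or skip TLS verification for that registry.
insecure_registries() {
    expect_addr=0
    for word in $(docker_opts "$1"); do
        if [ "$expect_addr" = 1 ]; then
            printf '%s\n' "$word"
            expect_addr=0
            continue
        fi
        case $word in
            --insecure-registry=*) printf '%s\n' "${word#--insecure-registry=}" ;;
            --insecure-registry)   expect_addr=1 ;;
        esac
    done
}

# Return 0 when at least one *.crt file exists under CERTS_BASE/REGISTRY,
# i.e. the production-style CA trust from step 4 is in place for that registry.
# Usage: registry_has_ca /etc/docker/certs.d registry.example.test:5000
registry_has_ca() {
    certs_base=$1
    registry=$2
    set -- "$certs_base/$registry"/*.crt   # glob stays literal if nothing matches
    [ -f "$1" ]
}

# Print the members of the docker group, one per line, from an /etc/group
# style file (name:password:gid:member1,member2). Treat this list like the
# list of users allowed to become root.
docker_group_members() {
    awk -F: '$1 == "docker" { gsub(",", "\n", $4); print $4 }' "$1"
}

# Human-readable summary combining the checks above.
# Usage: docker_access_report /etc/sysconfig/docker /etc/docker/certs.d /etc/group
docker_access_report() {
    sysconfig_file=$1
    certs_base=$2
    group_file=$3
    echo "docker group members:"
    docker_group_members "$group_file" | sed 's/^/  /'
    echo "insecure registries:"
    for reg in $(insecure_registries "$sysconfig_file"); do
        if registry_has_ca "$certs_base" "$reg"; then
            echo "  $reg (CA present in certs.d; --insecure-registry is redundant here)"
        else
            echo "  $reg (no CA in certs.d: TLS verification is off for this registry)"
        fi
    done
}
```

On a live host, `docker_access_report /etc/sysconfig/docker /etc/docker/certs.d /etc/group` prints the report; an empty "insecure registries" section and a short, deliberate docker group list is the expected production state.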

2.2 Networking

If you want your containers to be able to access the external network, you must enable IPv4 forwarding (the ip_forward kernel setting). In YaST, go to System › Network Settings › Routing and make sure Enable IPv4 Forwarding is checked.

This option cannot be changed when networking is handled by NetworkManager. In that case you must configure firewalld to enable IPv4 masquerading, either from the command line or with the graphical firewall-config tool. By default, the external zone has masquerading enabled.

You may add masquerading to any zone with firewall-cmd:

tux > sudo firewall-cmd --zone=containers --add-masquerade

When you are satisfied that this is operating correctly, make it permanent:

tux > sudo firewall-cmd --runtime-to-permanent

In the firewall-config interface, look for the Masquerade tab to enable and disable masquerading.

See Chapter 16 of the Security and Hardening Guide for more information on firewalld.

2.2.1 Networking Limitations on Power Architecture

Docker networking currently has two limitations on the POWER architecture.

The first limitation concerns iptables. SLE machines cannot run Docker Open Source Engine with iptables support enabled. A kernel update will solve this issue; in the meantime, the docker package for POWER has iptables support disabled via a dedicated directive in /etc/sysconfig/docker.

As a result of this limitation, Docker containers will not have access to the outer network. A possible workaround is to share the same network namespace between the host and the containers; this, however, reduces the isolation of the containers.

The network namespace of the host can be shared on a per-container basis by adding --net=host to the docker run command.

Note: iptables Support on SUSE Linux Enterprise Server

SUSE Linux Enterprise Server hosts are not affected by this limitation, but they may have iptables support disabled. This can be changed by removing the --iptables=false setting in /etc/sysconfig/docker.

The second limitation concerns network isolation between the containers and the host. Currently it is not possible to prevent containers from probing or accessing arbitrary ports of each other.
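Before the first container that needs outside connectivity is started, it is worth verifying the three networking prerequisites from this section together: IPv4 forwarding in the running kernel, masquerading in the firewalld zone used for containers, and whether the daemon runs with --iptables=false (in which case it will not create its own NAT and forwarding rules, so containers lack external access and are not isolated from each other by the firewall). The helpers below are an added example, not part of the SUSE documentation or of Docker or firewalld. Each takes a file path: the ip_forward value as exposed under /proc, a saved copy of `firewall-cmd --zone=ZONE --list-all` output (firewalld prints the setting as a "masquerade: yes" or "masquerade: no" line), and the sysconfig file. The zone name "containers" and the sample outputs in the usage are constructed:

```shell
#!/bin/sh
# Added verification helpers (not from the SUSE documentation) for the
# container networking prerequisites in Section 2.2 and the --iptables=false
# note in Section 2.2.1. Every function takes a file path so it can be run
# against constructed sample files as well as the live host.

# Return 0 when IPv4 forwarding is on. Reading /proc reflects the running
# kernel, not just what a configuration file says should happen at boot.
# Usage: ipv4_forwarding_enabled /proc/sys/net/ipv4/ip_forward
ipv4_forwarding_enabled() {
    [ "$(cat "$1")" = 1 ]
}

# Return 0 when a saved 'firewall-cmd --zone=ZONE --list-all' report shows
# masquerading on for that zone.
# Usage: firewall-cmd --zone=containers --list-all > /tmp/zone.txt
#        zone_masquerade_enabled /tmp/zone.txt
zone_masquerade_enabled() {
    grep -q '^[[:space:]]*masquerade:[[:space:]]*yes' "$1"
}

# Return 0 when DOCKER_OPTS in the given sysconfig file disables the daemon's
# iptables management. The substring match also catches the single-dash
# spelling "-iptables=false" that older daemons accept.
# Usage: docker_iptables_disabled /etc/sysconfig/docker
docker_iptables_disabled() {
    sed -n 's/^DOCKER_OPTS=//p' "$1" | tail -n 1 | grep -q -- 'iptables=false'
}

# One-line-per-check summary; every line reads "<check>: ok" or
# "<check>: DISABLED ..." so it can be grepped from a provisioning script.
# Usage: network_readiness_report /proc/sys/net/ipv4/ip_forward /tmp/zone.txt /etc/sysconfig/docker
network_readiness_report() {
    fwd_file=$1
    zone_file=$2
    sysconfig_file=$3
    if ipv4_forwarding_enabled "$fwd_file"; then
        echo "ipv4_forward: ok"
    else
        echo "ipv4_forward: DISABLED (containers cannot reach the external network)"
    fi
    if zone_masquerade_enabled "$zone_file"; then
        echo "masquerade: ok"
    else
        echo "masquerade: DISABLED (run firewall-cmd --zone=ZONE --add-masquerade)"
    fi
    if docker_iptables_disabled "$sysconfig_file"; then
        echo "docker_iptables: DISABLED (no external access, no firewall isolation between containers)"
    else
        echo "docker_iptables: ok"
    fi
}
```

A host whose report shows three "ok" lines meets the prerequisites described above; any "DISABLED" line names the section of this chapter that fixes it.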

2.3 Updates

All updates to the docker package are marked as interactive (that is, no automatic updates) to avoid accidental updates breaking running container workloads. In general, we recommend stopping all running containers before applying an update to Docker Open Source Engine.

To avoid the potential for data loss, we do not recommend having workloads rely on containers being startable after an update to Docker Open Source Engine. Although it is technically possible to keep containers running during an update via the --live-restore option, experience has shown that such updates can introduce regressions. SUSE does not support this feature.
