Estimated reading time: 15 minutes
This section contains optional procedures for configuring Linux hosts to workbetter with Docker.
Nov 19, 2020 doug@fedora-server28 Documents$ sudo dnf -y install podman (Obviously use yum or apt-get or whatever your distro uses to install and manage software.) If you're ready to go all-in with podman, you can add alias docker=podman. That means that your Linux system will always invoke podman, even if you type docker out of habit.
Manage Docker as a non-root user
- BetterCAP is containerized using Alpine Linux - a security-oriented, lightweight Linux distribution based on musl libc and busybox. The resulting Docker image is relatively small and easy to manage the dependencies. Since it is using a multi-stage build, a Docker version greater than 17.05 is required.
- Install docker-distribution: To install the docker-distribution package you must have enabled the rhel-7-server-extras-rpms repository (as described earlier). They you can install the package as follows: # yum install -y docker-distribution.
The Docker daemon binds to a Unix socket instead of a TCP port. By defaultthat Unix socket is owned by the user root
and other users can only access itusing sudo
. The Docker daemon always runs as the root
user.
If you don’t want to preface the docker
command with sudo
, create a Unixgroup called docker
and add users to it. When the Docker daemon starts, itcreates a Unix socket accessible by members of the docker
group.
Warning
The docker
group grants privileges equivalent to the root
user. For details on how this impacts security in your system, seeDocker Daemon Attack Surface.
Note:
To run Docker without root privileges, seeRun the Docker daemon as a non-root user (Rootless mode).
To create the docker
group and add your user:
Create the
docker
group.Add your user to the
docker
group.Log out and log back in so that your group membership is re-evaluated.
If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.
On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.
On Linux, you can also run the following command to activate the changes to groups:
Verify that you can run
docker
commands withoutsudo
.This command downloads a test image and runs it in a container. When thecontainer runs, it prints an informational message and exits.
If you initially ran Docker CLI commands using
sudo
before addingyour user to thedocker
group, you may see the following error,which indicates that your~/.docker/
directory was created withincorrect permissions due to thesudo
commands.To fix this problem, either remove the
~/.docker/
directory(it is recreated automatically, but any custom settingsare lost), or change its ownership and permissions using thefollowing commands:
Configure Docker to start on boot
Most current Linux distributions (RHEL, CentOS, Fedora, Debian, Ubuntu 16.04 andhigher) use systemd
to manage which services start when the systemboots. On Debian and Ubuntu, the Docker service is configured to start on bootby default. To automatically start Docker and Containerd on boot for otherdistros, use the commands below:
To disable this behavior, use disable
instead.
If you need to add an HTTP Proxy, set a different directory or partition for theDocker runtime files, or make other customizations, seecustomize your systemd Docker daemon options.
Use a different storage engine
For information about the different storage engines, seeStorage drivers.The default storage engine and the list of supported storage engines depend onyour host’s Linux distribution and available kernel drivers.
Configure default logging driver
Docker provides the capability tocollect and view log data from all containers running on a host via a series oflogging drivers. The default logging driver, json-file
, writes log data toJSON-formatted files on the host filesystem. Over time, these log files expandin size, leading to potential exhaustion of disk resources.
To alleviate such issues, either configure the json-file
logging driver toenable log rotation, use analternative logging driversuch as the “local” logging driverthat performs log rotation by default, or use a logging driver that sendslogs to a remote logging aggregator.
Configure where the Docker daemon listens for connections
By default, the Docker daemon listens for connections on a UNIX socket to acceptrequests from local clients. It is possible to allow Docker to accept requestsfrom remote hosts by configuring it to listen on an IP address and port as wellas the UNIX socket. For more detailed information on this configuration optiontake a look at “Bind Docker to another host/port or a unix socket” section ofthe Docker CLI Reference article.
Secure your connection
Before configuring Docker to accept connections from remote hosts it is critically important that youunderstand the security implications of opening docker to the network. If steps are not taken to secure the connection, it is possible for remote non-root users to gain root access on the host. For more information on how to use TLS certificates to secure this connection, check this article on how to protect the Docker daemon socket.
Configuring Docker to accept remote connections can be done with the docker.service
systemd unit file for Linux distributions using systemd, such as recent versionsof RedHat, CentOS, Ubuntu and SLES, or with the daemon.json
file which isrecommended for Linux distributions that do not use systemd.
systemd vs daemon.json
Configuring Docker to listen for connections using both the systemd
unit file and the daemon.json
file causes a conflict that prevents Docker from starting.
Configuring remote access with systemd
unit file
Use the command
sudo systemctl edit docker.service
to open an override file fordocker.service
in a text editor.Add or modify the following lines, substituting your own values.
Save the file.
Reload the
systemctl
configuration.Restart Docker.
Check to see whether the change was honored by reviewing the output of
netstat
to confirmdockerd
is listening on the configured port.
Configuring remote access with daemon.json
Set the
hosts
array in the/etc/docker/daemon.json
to connect to the UNIX socket and an IP address, as follows:Restart Docker.
Check to see whether the change was honored by reviewing the output of
netstat
to confirmdockerd
is listening on the configured port.
Enable IPv6 on the Docker daemon
To enable IPv6 on the Docker daemon, seeEnable IPv6 support.
Troubleshooting
Kernel compatibility
Docker cannot run correctly if your kernel is older than version 3.10 or if itis missing some modules. To check kernel compatibility, you can download andrun the check-config.sh
script.
The script only works on Linux, not macOS.
Cannot connect to the Docker daemon
If you see an error such as the following, your Docker client may be configuredto connect to a Docker daemon on a different host, and that host may not bereachable.
To see which host your client is configured to connect to, check the value ofthe DOCKER_HOST
variable in your environment.
If this command returns a value, the Docker client is set to connect to aDocker daemon running on that host. If it is unset, the Docker client is set toconnect to the Docker daemon running on the local host. If it is set in error,use the following command to unset it:
You may need to edit your environment in files such as ~/.bashrc
or~/.profile
to prevent the DOCKER_HOST
variable from being seterroneously.
If DOCKER_HOST
is set as intended, verify that the Docker daemon is runningon the remote host and that a firewall or network outage is not preventing youfrom connecting.
IP forwarding problems
If you manually configure your network using systemd-network
with systemd
version 219 or higher, Docker containers may not be able to access your network.Beginning with systemd
version 220, the forwarding setting for a given network(net.ipv4.conf.<interface>.forwarding
) defaults to off. This settingprevents IP forwarding. It also conflicts with Docker’s behavior of enablingthe net.ipv4.conf.all.forwarding
setting within containers.
Docker Install On Redhat 8
To work around this on RHEL, CentOS, or Fedora, edit the <interface>.network
file in /usr/lib/systemd/network/
on your Docker host(ex: /usr/lib/systemd/network/80-container-host0.network
) and add thefollowing block within the [Network]
section.
This configuration allows IP forwarding from the container as expected.
DNS resolver found in resolv.conf and containers can't use it
Linux systems which use a GUI often have a network manager running, which uses adnsmasq
instance running on a loopback address such as 127.0.0.1
or127.0.1.1
to cache DNS requests, and adds this entry to/etc/resolv.conf
. The dnsmasq
service speeds upDNS look-ups and also provides DHCP services. This configuration does not workwithin a Docker container which has its own network namespace, becausethe Docker container resolves loopback addresses such as 127.0.0.1
toitself, and it is very unlikely to be running a DNS server on its ownloopback address.
If Docker detects that no DNS server referenced in /etc/resolv.conf
is a fullyfunctional DNS server, the following warning occurs and Docker uses the publicDNS servers provided by Google at 8.8.8.8
and 8.8.4.4
for DNS resolution.
If you see this warning, first check to see if you use dnsmasq
:
If your container needs to resolve hosts which are internal to your network, thepublic nameservers are not adequate. You have two choices:
- You can specify a DNS server for Docker to use, or
- You can disable
dnsmasq
in NetworkManager. If you do this, NetworkManageradds your true DNS nameserver to/etc/resolv.conf
, but you lose thepossible benefits ofdnsmasq
.
You only need to use one of these methods.
Specify DNS servers for Docker
The default location of the configuration file is /etc/docker/daemon.json
. Youcan change the location of the configuration file using the --config-file
daemon flag. The documentation below assumes the configuration file is locatedat /etc/docker/daemon.json
.
Create or edit the Docker daemon configuration file, which defaults to
/etc/docker/daemon.json
file, which controls the Docker daemonconfiguration.Add a
dns
key with one or more IP addresses as values. If the file hasexisting contents, you only need to add or edit thedns
line.If your internal DNS server cannot resolve public IP addresses, include atleast one DNS server which can, so that you can connect to Docker Hub and sothat your containers can resolve internet domain names.
Save and close the file.
Restart the Docker daemon.
Verify that Docker can resolve external IP addresses by trying to pull animage:
If necessary, verify that Docker containers can resolve an internal hostnameby pinging it.
Disable dnsmasq
Ubuntu
If you prefer not to change the Docker daemon’s configuration to use a specificIP address, follow these instructions to disable dnsmasq
in NetworkManager.
Edit the
/etc/NetworkManager/NetworkManager.conf
file.Comment out the
dns=dnsmasq
line by adding a#
character to the beginningof the line.Save and close the file.
Restart both NetworkManager and Docker. As an alternative, you can rebootyour system.
RHEL, CentOS, or Fedora
To disable dnsmasq
on RHEL, CentOS, or Fedora:
Disable the
dnsmasq
service:Configure the DNS servers manually using theRed Hat documentation.
Allow access to the remote API through a firewall
If you run a firewall on the same host as you run Docker and you want to accessthe Docker Remote API from another host and remote access is enabled, you needto configure your firewall to allow incoming connections on the Docker port,which defaults to 2376
if TLS encrypted transport is enabled or 2375
otherwise.
Two common firewall daemons areUFW (Uncomplicated Firewall) (oftenused for Ubuntu systems) and firewalld (often usedfor RPM-based systems). Consult the documentation for your OS and firewall, butthe following information might help you get started. These options are fairlypermissive and you may want to use a different configuration that locks yoursystem down more.
UFW: Set
DEFAULT_FORWARD_POLICY='ACCEPT'
in your configuration.firewalld: Add rules similar to the following to your policy (one forincoming requests and one for outgoing requests). Be sure the interface namesand chain names are correct.
Your kernel does not support cgroup swap limit capabilities
On Ubuntu or Debian hosts, You may see messages similar to the following whenworking with an image.
This warning does not occur on RPM-based systems, which enable thesecapabilities by default.
If you don’t need these capabilities, you can ignore the warning. You can enablethese capabilities on Ubuntu or Debian by following these instructions. Memoryand swap accounting incur an overhead of about 1% of the total available memoryand a 10% overall performance degradation, even if Docker is not running.
Log into the Ubuntu or Debian host as a user with
sudo
privileges.Edit the
/etc/default/grub
file. Add or edit theGRUB_CMDLINE_LINUX
lineto add the following two key-value pairs:Save and close the file.
Update GRUB.
If your GRUB configuration file has incorrect syntax, an error occurs.In this case, repeat steps 2 and 3.
The changes take effect when the system is rebooted.
Docker Installation On Redhat
Next steps
- Take a look at the Get started training modules to learn how to build an image and run it as a containerized application.
- Review the topics in Develop with Docker to learn how to build new applications using Docker.