Setting up Docker CE

tested on slackware current (aug 2021)

Overall requirements

XFS or EXT4 is required for OverlayFS2 though XFS has an advantage: you can specify a max file-system size for the container. You need to enable quota for that matter.

mkfs.xfs /dev/nvme0n1p3
vi /etc/fstab

/dev/nvme0n1p3  /docker xfs defaults,noatime,nodiratime,prjquota 0 2

mkdir /docker/
touch /docker/XFS_NOT_MOUNTED
mount /docker/
#rm -rf /var/lib/docker/
ln -s ../../docker /var/lib/docker

Installation

    slackpkg search iptables
    slackpkg search git-2
    slackpkg search procps-ng
    slackpkg search xz
    ls -lF /proc/cgroups

    curl https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh > check-config.sh
    chmod +x check-config.sh
    ./check-config.sh

grab the latest Docker CE release as binaries

rel=20.10.10
wget https://download.docker.com/linux/static/stable/x86_64/docker-$rel.tgz
    tar xzf docker-$rel.tgz
ls -lF /usr/local/bin/
    cp -i docker/* /usr/local/bin/

note it is also available on github as release tag.

#git clone https://github.com/docker/docker-ce.git

see alternate host install for other systems

Sysprep

make the docker commands available to some user

grep docker /etc/group
grep docker /etc/passwd

groupadd -g 331 docker
usermod -aG docker OPERATOR

Setup

we define bridge rather than bridge IP as it sets both gateway and cidr. we want instances to survive daemon down-time and even a host system reboot, hence we enable live-restore. and we’re giving a try to no-new-privileges.

vi /etc/docker/daemon.json # new file

{
    "bridge":               "br0",
    "data-root":        "/docker",
    "debug":        false,
    "exec-opts": [
                "native.cgroupdriver=cgroupfs"
    ],
    "ip-masq":      false,
    "iptables":     false,
    "ip6tables":        false,
    "live-restore":     true,
    "log-level":        "warn",
    "no-new-privileges":    true,
    "storage-driver":   "overlay2",
    "storage-opts": [
                "overlay2.size=5G"
    ]
}

moar options

# "bip": "",
# "dns": [],
# "dns-search": [],
# "hosts": [],
# "ipv6": false,

by default you get an hosts file with instance’s IP only and same resolv.conf as on the host.

Ready to go

enable at boot-time

vi /etc/rc.d/rc.inet1

brctl addbr br0
brctl addif br0 eth1
ifconfig br0 10.0.0.254/16 up

vi /etc/rc.d/rc.local

PATH=$PATH:/usr/local/bin:/usr/local/sbin

sysctl -w net.ipv4.ip_forward=1
echo starting dockerd
dockerd >> /var/log/dockerd.log 2>&1 &
pgrep -a dockerd

vi /etc/rc.d/rc.local_shutdown

echo -n killing dockerd...
pkill dockerd && echo done || echo FAIL

status

pgrep -a docker
ls -lF /var/run/docker.sock
brctl show br0

reload

pgrep -a dockerd
kill -HUP PID-HERE

Acceptance

xfs prjquota

as user

docker run -d --name devuan --hostname devuan --workdir /root pbraun9/devuan

docker exec -ti devuan /bin/bash

df -h

live restore

we could not validate that running instances come back after a reboot. the best we’ve got is a come back after killing and starting the docker daemon again.

Operations

you can now operate your Docker host

as user

newgrp docker
docker images -a
docker ps -a
docker pull pbraun9/devuan
docker pull pbraun9/devuan-svr4

see ops-image and ops

Troubleshooting

failed to start containerd: exec: "containerd": executable file not found in $PATH

==> add PATH into rc.local

Resources

install

Install Docker Engine from binaries https://docs.docker.com/engine/install/binaries/

Post-installation steps for Linux https://docs.docker.com/engine/install/linux-postinstall/

daemon options

dockerd https://docs.docker.com/engine/reference/commandline/dockerd/

Configure and troubleshoot the Docker daemon https://docs.docker.com/config/daemon/

Daemon user namespace options🔗 https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-user-namespace-options

Set ulimits in container (–ulimit)🔗 https://docs.docker.com/engine/reference/commandline/run/#set-ulimits-in-container---ulimit

Enable IPv6 support https://docs.docker.com/config/daemon/ipv6/

How to run dockerd in the background without logs https://stackoverflow.com/questions/54852529/how-to-run-dockerd-in-the-background-without-logs

Local File logging driver https://docs.docker.com/config/containers/logging/local/

storage xfs

How to Enable Disk Quotas on an XFS File System https://www.thegeekdiary.com/how-to-enable-disk-quotas-on-an-xfs-file-system/

Docker Per-Container Disk Quota on Bind Mounted Volumes https://stackoverflow.com/questions/57248180/docker-per-container-disk-quota-on-bind-mounted-volumes

Storage quota per container - overlay2 backed by xfs https://forums.docker.com/t/storage-quota-per-container-overlay2-backed-by-xfs/37653

Docker Container Size Quota https://reece.tech/posts/docker-container-size-quota/

storage misc

About storage drivers https://docs.docker.com/storage/storagedriver/

Docker storage drivers https://docs.docker.com/storage/storagedriver/select-storage-driver/

Use the OverlayFS storage driver https://docs.docker.com/storage/storagedriver/overlayfs-driver/

Storage Drivers in Docker: A Deep Dive https://integratedcode.us/2016/08/30/storage-drivers-in-docker-a-deep-dive/

Docker Issues and Tips (aufs/overlay/btrfs..) https://github.com/AkihiroSuda/issues-docker

BTRFS vs OverlayFS https://www.reddit.com/r/docker/comments/5m4yhi/btrfs_vs_overlayfs/

storage advanced

how to clean up docker overlay directory? https://stackoverflow.com/questions/31712266/how-to-clean-up-docker-overlay-directory

security

Isolate containers with a user namespace https://docs.docker.com/engine/security/userns-remap/

Run the Docker daemon as a non-root user (Rootless mode) https://docs.docker.com/engine/security/rootless/

User privileges in Docker containers https://medium.com/jobteaser-dev-team/docker-user-best-practices-a8d2ca5205f4

Understanding root inside and outside a container https://www.redhat.com/en/blog/understanding-root-inside-and-outside-container

Running Docker Containers as ROOT: https://dockerlabs.collabnix.com/security/Running-Containers-as-ROOT.html

live restore

Keep containers alive during daemon downtime https://docs.docker.com/config/containers/live-restore/


HOME | GUIDES | LECTURES | LAB | SMTP HEALTH | HTML5
Copyright © 2022 Pierre-Philipp Braun