Docker
Docker is a utility to pack, ship and run any application as a lightweight container.
Contents
- 1 Installation
- 2 Configuration
- 3 Images
- 4 Remove Docker and images
- 5 Useful tips
- 6 Troubleshooting
- 6.1 docker0 Bridge gets no IP / no internet access in containers
- 6.2 Default number of allowed processes/threads too low
- 6.3 Error initializing graphdriver: devmapper
- 6.4 Failed to create some/path/to/file: No space left on device
- 6.5 Invalid cross-device link in kernel 4.19.1
- 6.6 CPUACCT missing in docker with Linux-ck
- 6.7 Docker-machine fails to create virtual machines using the virtualbox driver
- 7 See also
Installation
Install the docker package or, for the development version, the docker-git (AUR) package. Next start and enable `docker.service` and verify operation:
# docker info
Note that starting the docker service may fail if you have an active VPN connection due to IP conflicts between the VPN and Docker's bridge and overlay networks. If this is the case, try disconnecting the VPN before starting the docker service. You may reconnect the VPN immediately afterwards. You can also try to deconflict the networks.
If you want to be able to run docker as a regular user, add your user to the `docker` user group. Keep in mind that this is equivalent to giving that user root: anyone who can talk to the daemon socket can start a container with the host filesystem bind-mounted and read or modify anything on it, so only grant the group to users you would also trust with sudo.
Configuration
Storage driver
The docker storage driver (or graph driver) has a huge impact on performance. Its job is to store the layers of container images efficiently: when several images share a layer, only one copy of that layer uses disk space. The compatibility option, `devicemapper`, offers suboptimal performance, which is outright terrible on rotating disks. Additionally, `devicemapper` is not recommended in production.
As Arch Linux ships new kernels, there is no point using the compatibility option. A good, modern choice is `overlay2`.
To see the current storage driver, run:
# docker info | head
Modern docker installations should already use `overlay2` by default.
To set your own choice of storage driver, edit `/etc/docker/daemon.json` (create it if it does not exist):
/etc/docker/daemon.json
{
  "storage-driver": "overlay2"
}
Afterwards, restart docker.
Further information on options is available in the user guide. For more information about options in `daemon.json`, see the dockerd documentation.
Remote API
To open the Remote API on port 4243 manually, run:
# /usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
The `-H tcp://0.0.0.0:4243` part opens the Remote API on every interface; the `-H unix:///var/run/docker.sock` part keeps the Unix socket so the host can still be driven from a terminal.
Be aware that the Remote API carries no authentication of its own: whoever can reach the port can start a container as root with the host's filesystem bind-mounted, which is root on the host. A plain `tcp://0.0.0.0` listener therefore hands root to every machine that can route to it. Expose it only with TLS client-certificate verification (`--tlsverify` together with `--tlscacert`, `--tlscert` and `--tlskey`, conventionally on port 2376) or keep it firewalled to trusted hosts.
Remote API with systemd
To start the remote API with the docker daemon, create a drop-in snippet with the following content:
/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
Daemon socket configuration
The docker daemon listens on a Unix socket by default. To additionally listen on a TCP port, create a drop-in snippet for `docker.socket` with the following content (the Unix socket stays active, since systemd adds the new `ListenStream=` to the existing one rather than replacing it):
/etc/systemd/system/docker.socket.d/socket.conf
[Socket]
ListenStream=0.0.0.0:2375
Port 2375 is the conventional plaintext API port. Like a `tcp://` listener passed to dockerd it carries no authentication, so anyone who can reach it gets root on the host; do not expose it beyond trusted hosts without TLS client verification on the daemon.
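The two procedures above (a `-H tcp://` listener on dockerd and a `ListenStream=` on docker.socket) both put the unauthenticated API on the network. The following is an added example, not code from this page or from the Docker project: a POSIX sh check that classifies a dockerd command line, optionally together with a docker.socket `ListenStream=` value, as safe only when no TCP listener exists or every one is paired with `--tlsverify`. The sample command lines and the certificate paths under /etc/docker are constructed for the example; the `--live` mode reads the real units through systemctl.

```shell
#!/bin/sh
# Added example, not taken from the Arch wiki page or from the Docker project:
# classify how the Docker API is exposed. A tcp:// listener given to dockerd
# with -H, or a host:port ListenStream= in docker.socket, publishes the API on
# the network; without --tlsverify, anyone who can reach it is root on the host.

# $1: dockerd command line (for example the ExecStart= of docker.service)
# $2: optional ListenStream= value from docker.socket; empty when not set
# Returns 0 when no network listener exists or every one is covered by
# --tlsverify, 1 when the API is reachable over TCP without client certificates.
docker_api_is_safe() {
    cmd=$1
    listen=${2:-}
    exposed=0
    case "$cmd" in
        *tcp://*) exposed=1 ;;      # -H tcp://... on the daemon itself
    esac
    case "$listen" in
        ''|/*) ;;                   # no override, or a unix socket path
        *) exposed=1 ;;             # host:port such as 0.0.0.0:2375
    esac
    if [ "$exposed" -eq 0 ]; then
        return 0
    fi
    case "$cmd" in
        *--tlsverify*) return 0 ;;  # TLS with client certificate verification
    esac
    return 1
}

# Check the live units through systemctl (only meaningful on a systemd host;
# run with --live). systemctl cat includes drop-ins, so overrides are seen.
audit_running_daemon() {
    exec_line=$(systemctl show docker.service --property=ExecStart --value 2>/dev/null)
    listen_line=$(systemctl cat docker.socket 2>/dev/null \
        | sed -n 's/^ListenStream=//p' | grep -v '^/' | head -n 1)
    if docker_api_is_safe "$exec_line" "$listen_line"; then
        echo "OK: Docker API is not reachable over plain TCP"
    else
        echo "WEAK: Docker API reachable over TCP without --tlsverify" >&2
        return 1
    fi
}

# Constructed sample command lines (not from a real host): the page's drop-in
# as written, and a hardened variant using TLS client verification on the
# conventional TLS port 2376. The certificate paths are assumptions.
WEAK_EXEC='/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'
HARDENED_EXEC='/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock'

for line in "$WEAK_EXEC" "$HARDENED_EXEC"; do
    if docker_api_is_safe "$line"; then
        echo "OK:   $line"
    else
        echo "WEAK: $line"
    fi
done
if [ "${1:-}" = "--live" ]; then
    audit_running_daemon
fi
```

A `tcp://127.0.0.1` listener is flagged as well: it still lets every local user, not only members of the docker group, reach the daemon as root.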
Proxies
Proxy configuration is broken down into two parts. First is the host configuration of the Docker daemon, second is the configuration required for your containers to see your proxy.
Proxy configuration
Create a drop-in snippet with the following content:
/etc/systemd/system/docker.service.d/proxy.conf
[Service]
Environment="HTTP_PROXY=192.168.1.1:8080"
Environment="HTTPS_PROXY=192.168.1.1:8080"
Here `192.168.1.1` is your proxy server; do not use `127.0.0.1`. After reloading the systemd manager configuration and restarting docker.service, verify that the configuration has been loaded:
# systemctl show docker --property Environment
Environment=HTTP_PROXY=192.168.1.1:8080 HTTPS_PROXY=192.168.1.1:8080
Container configuration
The settings in the `docker.service` file will not translate into containers. To achieve this you must set `ENV` variables in your `Dockerfile`, thus:
FROM base/archlinux
ENV http_proxy="http://192.168.1.1:3128"
ENV https_proxy="https://192.168.1.1:3128"
Docker provides detailed information on configuration via `ENV` within a Dockerfile. Two caveats: an `ENV` value is stored in the image metadata and is visible to anyone who can inspect or pull the image, so never embed proxy credentials this way; and unless the proxy itself terminates TLS, `https_proxy` is normally given an `http://` URL as well, since the variable names the proxy's protocol rather than the destination's.
Configuring DNS
By default, docker will make `resolv.conf` in the container match `/etc/resolv.conf` on the host machine, filtering out local addresses (e.g. `127.0.0.1`). If this yields an empty file, then Google DNS servers are used. If you are using a service like dnsmasq to provide name resolution, you may need to add an entry to `/etc/resolv.conf` for docker's network interface so that it is not filtered out.
Running Docker with a manually-defined network on systemd-networkd
If you manually configure your network using systemd-networkd version 220 or higher, containers you start with Docker may be unable to access your network. Beginning with version 220, the forwarding setting for a given network (`net.ipv4.conf.<interface>.forwarding`) defaults to off. This setting prevents IP forwarding. It also conflicts with Docker, which enables the `net.ipv4.conf.all.forwarding` setting within a container.
A workaround is to edit the `<interface>.network` file in `/etc/systemd/network/` on the Docker host, adding `IPForward=kernel`:
/etc/systemd/network/<interface>.network
[Network]
...
IPForward=kernel
...
This configuration allows IP forwarding from the container as expected.
Images location
By default, docker images are located at `/var/lib/docker`. They can be moved to another partition. First, stop `docker.service`.
If you have run docker images, make sure that nothing below `/var/lib/docker` is still mounted (container and overlay mounts must be gone). Once that is done, move the directory from `/var/lib/docker` to the target destination, preserving ownership, permissions and extended attributes, which the storage drivers rely on.
Then add a drop-in snippet for `docker.service`, adding the `-g` parameter to the `ExecStart` (`-g` is the legacy spelling of `--data-root`, which current dockerd versions accept as well):
/etc/systemd/system/docker.service.d/docker-storage.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -g /path/to/new/location/docker -H fd://
Reload the systemd manager configuration, start `docker.service` again and confirm with `docker info` that the Docker Root Dir line now shows the new location before deleting the old directory.
Insecure registries
If you decide to use a self-signed certificate for your private registry, Docker will refuse to use it until you declare that you trust it. The quick way is a drop-in snippet for `docker.service` that adds the `--insecure-registry` parameter to `dockerd`:
/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry my.registry.name:5000
Be aware that `--insecure-registry` does more than accept one self-signed certificate: it disables certificate verification for that registry entirely and falls back to plain HTTP if TLS fails, so anyone on the network path can serve you a tampered image. The safer option for a self-signed registry is to install its CA certificate as `/etc/docker/certs.d/my.registry.name:5000/ca.crt`, which makes the daemon trust that CA for that registry only and keeps verification switched on.
Images
Arch Linux
The following command pulls the archlinux/base x86_64 image. This is a stripped down version of Arch core without network, etc.
# docker pull archlinux/base
See also README.md.
For a full Arch base, clone the repo from above and build your own image.
$ git clone https://github.com/archlinux/archlinux-docker.git
Edit the `packages` file so it only contains 'base'. Then run:
# make docker-image
Debian
The following command pulls the debian x86_64 image.
# docker pull debian
Manually
Build Debian image with debootstrap:
# mkdir jessie-chroot
# debootstrap jessie ./jessie-chroot http://http.debian.net/debian/
# cd jessie-chroot
# tar cpf - . | docker import - debian
# docker run -t -i --rm debian /bin/bash
Remove Docker and images
To remove Docker entirely, follow the steps below:
Check for running containers:
# docker ps
List all containers on the host, including stopped ones, for deletion:
# docker ps -a
Stop a running container:
# docker stop <CONTAINER ID>
Kill a container that does not stop:
# docker kill <CONTAINER ID>
Delete each container listed, by ID:
# docker rm <CONTAINER ID>
List all Docker images:
# docker images
Delete each image, by ID:
# docker rmi <IMAGE ID>
Delete all Docker data (purge the directory). Stop `docker.service` and `docker.socket` first, and note that this also destroys every named volume stored under it:
# rm -R /var/lib/docker
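The steps above combined into one script, as an added example that is not from this page: it removes containers and images from ID lists instead of one copy-pasted ID at a time, refuses to delete the data directory while docker.service or docker.socket is still active, and only performs the teardown when called with `--really-remove`. The `DOCKER` variable is a convention of this example so the docker client can be replaced by a wrapper or a stub; no real host is required to exercise the counting functions.

```shell
#!/bin/sh
# Added example, not taken from the Arch wiki page: the removal steps above as
# one script. Containers and images are handled from ID lists rather than one
# copy-pasted ID at a time, the data directory is only deleted once both docker
# units are stopped, and nothing destructive runs unless --really-remove is given.
# DOCKER is a convention of this example so the client can be swapped for a
# wrapper or a stub.
DOCKER=${DOCKER:-docker}

# Stop and delete every container, running or not; prints the number removed.
purge_containers() {
    ids=$($DOCKER ps -aq)
    n=0
    for id in $ids; do
        $DOCKER stop "$id" >/dev/null      # no-op for already exited containers
        $DOCKER rm -f "$id" >/dev/null
        n=$((n + 1))
    done
    echo "$n"
}

# Delete every image; -q repeats an ID once per tag, hence the sort -u.
# Prints the number of distinct images removed.
purge_images() {
    ids=$($DOCKER images -q | sort -u)
    n=0
    for id in $ids; do
        $DOCKER rmi -f "$id" >/dev/null    # -f drops all tags of the image
        n=$((n + 1))
    done
    echo "$n"
}

# The destructive step: the directory also holds every named volume. Refuse to
# run while docker.service or docker.socket could still be writing to it.
purge_data() {
    root=${1:-/var/lib/docker}
    if systemctl is-active --quiet docker.service || systemctl is-active --quiet docker.socket; then
        echo "docker.service or docker.socket is still active; stop them first" >&2
        return 1
    fi
    rm -rf -- "$root"
}

if [ "${1:-}" = "--really-remove" ]; then
    echo "containers removed: $(purge_containers)"
    echo "images removed:     $(purge_images)"
    systemctl stop docker.service docker.socket
    purge_data /var/lib/docker && echo "removed /var/lib/docker"
fi
```

Run it as root with `--really-remove` only after the `docker ps -a` and `docker images` listings above show nothing you still need; without that flag the script defines the functions and exits.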
Useful tips
To grab the IP address of a running container:
$ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container-name OR id>
172.17.0.37
For each running container, the name and corresponding IP address can be listed for use in `/etc/hosts`:
#!/usr/bin/env sh
# One "IP name" line per running container. A container attached to several
# networks prints its addresses concatenated, as the range template above does.
for ID in $(docker ps -q); do
    IP=$(docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$ID")
    NAME=$(docker inspect --format='{{.Name}}' "$ID" | sed 's|^/||')   # inspect reports "/name"
    printf "%s %s\n" "$IP" "$NAME"
done
Troubleshooting
docker0 Bridge gets no IP / no internet access in containers
Docker enables IP forwarding by itself, but by default systemd-networkd overrides the respective sysctl setting. Set `IPForward=yes` in the network profile. See Internet sharing#Enable packet forwarding for details.
You may also need to restart `docker.service` each time you restart `systemd-networkd.service` or `iptables.service`, because the sysctl and iptables rules Docker set up for the bridge do not survive those restarts.
Default number of allowed processes/threads too low
If you run into error messages like
# e.g. Java
java.lang.OutOfMemoryError: unable to create new native thread
# e.g. C, bash, ...
fork failed: Resource temporarily unavailable
then you might need to adjust the number of processes allowed by systemd. The default (`DefaultTasksMax=` in `system.conf`, historically 500) is pretty small for running several docker containers. Edit the `docker.service` with the following snippet:
# systemctl edit docker.service
[Service]
TasksMax=infinity
Error initializing graphdriver: devmapper
If systemctl fails to start docker and provides an error:
Error starting daemon: error initializing graphdriver: devmapper: Device docker-8:2-915035-pool is not a thin pool
Then, try the following steps to resolve the error. Stop the service, back up `/var/lib/docker/` (if desired), remove the contents of `/var/lib/docker/` (this discards all images, containers and volumes, which is why the backup matters), and try to start the service. See the open GitHub issue for details.
Failed to create some/path/to/file: No space left on device
If you are getting an error message like this:
ERROR: Failed to create some/path/to/file: No space left on device
when building or running a Docker image, even though you do have enough disk space available, make sure:
- Tmpfs is disabled or has enough memory allocated. Docker might be trying to write files into `/tmp` but fails due to restrictions in memory usage and not disk space.
- If you are using XFS, you might want to remove the `noquota` mount option from the relevant entries in `/etc/fstab` (usually where `/tmp` and/or `/var/lib/docker` reside). Refer to Disk quota for more information, especially if you plan on using and resizing the `overlay2` Docker storage driver.
- XFS quota mount options (`uquota`, `gquota`, `prjquota`, etc.) fail during re-mount of the file system. To enable quota for the root file system, the mount option must be passed to the initramfs as the kernel parameter `rootflags=`. Subsequently, it should not be listed among the mount options in `/etc/fstab` for the root (`/`) filesystem.
Invalid cross-device link in kernel 4.19.1
If commands like dpkg fail to run in docker, e.g:
dpkg: error: error creating new backup file '/var/lib/dpkg/status-old': Invalid cross-device link
Either add the `overlay.metacopy=N` kernel parameter or downgrade to 4.18.x until this issue is resolved. More info in the Arch forum.
CPUACCT missing in docker with Linux-ck
In newer versions of Linux-ck (some experienced it with 4.19; with 4.20 it seems general), a change to MuQSS disables the `CONFIG_CGROUP_CPUACCT` kernel option, which makes some docker usage (`run` or `build`) produce the following error:
$ docker run --rm hello-world
docker: Error response from daemon: unable to find "cpuacct" in controller set: unknown.
This error does not seem to affect the docker daemon, just containers. Read more on Linux-ck#CPUACCT missing in docker.
Docker-machine fails to create virtual machines using the virtualbox driver
In case docker-machine fails to create the VMs using the virtualbox driver, with the following:
VBoxManage: error: VBoxNetAdpCtl: Error while adding new interface: failed to open /dev/vboxnetctl: No such file or directory
Simply reload the VirtualBox kernel modules via the CLI with `vboxreload`.