https://wiki.archlinux.org/api.php?action=feedcontributions&user=Ainv&feedformat=atomArchWiki - User contributions [en]2024-03-29T07:11:41ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Docker&diff=432095Docker2016-04-21T17:00:16Z<p>Ainv: Added [Service] directive to drop-in</p>
<hr />
<div>[[Category:Virtualization]]<br />
[[ja:Docker]]<br />
[[ru:Docker]]<br />
[[zh-tw:Docker]]<br />
{{Related articles start}}<br />
{{Related|systemd-nspawn}}<br />
{{Related|Linux Containers}}<br />
{{Related|Lxc-systemd}}<br />
{{Related|Vagrant}}<br />
{{Related articles end}}<br />
[http://www.docker.io Docker] is a utility to pack, ship and run any application as a lightweight container.<br />
<br />
== Installation ==<br />
<br />
{{Note|Docker doesn't support i686. [https://github.com/docker/docker/issues/136]}}<br />
<br />
[[Install]] the {{Pkg|docker}} package or, for the development version, the {{Aur|docker-git}} package. You may need to reboot. Next [[start]] and enable {{ic|docker.service}} and verify operation:<br />
<br />
# docker info<br />
<br />
If you want to be able to run docker as a regular user, add yourself to the docker group:<br />
<br />
{{Warning| Anyone added to the 'docker' group is root equivalent. More information [https://github.com/docker/docker/issues/9976 here] and [http://docs.docker.com/engine/articles/security/ here].}}<br />
<br />
# gpasswd -a ''user'' docker<br />
<br />
Then re-login, or, to make your current session aware of the new group without logging out, use:<br />
<br />
$ newgrp docker<br />
<br />
== Configuration ==<br />
=== Opening Remote API ===<br />
<br />
To open the Remote API on port {{ic|4243}} manually:<br />
<br />
# docker daemon -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock<br />
<br />
{{ic|-H tcp://0.0.0.0:4243}} opens the Remote API on every network interface. Without TLS, anyone who can reach this port has the same root-equivalent access as a member of the docker group (see the warning under [[#Installation]]), so only expose it on trusted networks.<br />
<br />
{{ic|-H unix:///var/run/docker.sock}} keeps the local Unix socket, so the {{ic|docker}} client on the host machine still works from a terminal.<br />
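As an added example (not part of this article and not Docker's own tooling), the following shell script audits the two exposure points just described: it parses a daemon command line for {{ic|-H tcp://}} listeners and reports them when {{ic|--tlsverify}} is absent, and it lists the members of the docker group. The command line and the {{ic|/etc/group}} excerpt are constructed inline so the script runs offline; on a real host, paste the {{ic|ExecStart}} line shown by {{ic|systemctl cat docker}} and the contents of {{ic|/etc/group}}.<br />

```shell
#!/bin/sh
# Added example for this article, not Docker's or the ArchWiki's own tooling:
# audit how reachable the daemon is. Both inputs below are constructed.

# Constructed: the daemon command line shown in this section.
EXECSTART_SAMPLE='/usr/bin/docker daemon -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock'

# Constructed: an /etc/group excerpt with two members in the docker group.
GROUP_SAMPLE='root:x:0:
wheel:x:10:alice
docker:x:998:alice,bob'

# Print each tcp:// address passed with -H, one per line.
tcp_listeners() {
    # $1: daemon command line
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "-H" && $0 ~ /^tcp:\/\// { print }
        { prev = $0 }'
}

# Succeed (exit 0) when the daemon has a tcp:// listener and no --tlsverify,
# i.e. when anyone who can reach that port controls the daemon; fail otherwise.
tcp_without_tlsverify() {
    # $1: daemon command line
    [ -n "$(tcp_listeners "$1")" ] || return 1
    case " $1 " in
        *" --tlsverify"*) return 1 ;;
    esac
    return 0
}

# Print the comma-separated member list of the docker group.
docker_group_members() {
    # $1: contents of /etc/group
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# Human-readable summary of both checks.
audit_report() {
    # $1: daemon command line, $2: contents of /etc/group
    if tcp_without_tlsverify "$1"; then
        echo "WARNING: TCP listener(s) without --tlsverify: $(tcp_listeners "$1" | tr '\n' ' ')"
    else
        echo "OK: no TCP listener without --tlsverify"
    fi
    echo "docker group members (root-equivalent): $(docker_group_members "$2")"
}

audit_report "$EXECSTART_SAMPLE" "$GROUP_SAMPLE"
```

The script only recognises the {{ic|tcp://}} form of {{ic|-H}} used on this page; a bare {{ic|host:port}} argument would need a second pattern.<br />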
<br />
=== Proxies ===<br />
<br />
Proxy configuration has two parts: the host-side configuration of the Docker daemon, and the configuration required for your containers to see the proxy.<br />
<br />
==== Daemon Proxy Configuration ====<br />
<br />
One approach is to copy {{ic|/usr/lib/systemd/system/docker.service}} to {{ic|/etc/systemd/system/docker.service}} and edit the copy, where {{ic|http_proxy}} is your proxy server and {{ic|-g <path>}} is your docker home (the path defaults to {{ic|/var/lib/docker}}). The drop-in approach described next keeps the packaged unit file untouched.<br />
<br />
First, create a systemd drop-in directory for the docker service: {{ic|mkdir /etc/systemd/system/docker.service.d}}<br />
<br />
Now create a file called {{ic|/etc/systemd/system/docker.service.d/http-proxy.conf}} that adds the {{ic|HTTP_PROXY}} environment variable:<br />
<br />
[Service]<br />
Environment="HTTP_PROXY=192.168.1.1"<br />
<br />
{{Note|This assumes {{ic|192.168.1.1}} is your proxy server; do not use {{ic|127.0.0.1}}.}}<br />
<br />
Flush changes:<br />
{{ic|sudo systemctl daemon-reload}}<br />
<br />
Verify that the configuration has been loaded:<br />
<br />
sudo systemctl show docker --property Environment<br />
Environment=HTTP_PROXY=192.168.1.1<br />
<br />
Restart Docker:<br />
{{ic|sudo systemctl restart docker}}<br />
<br />
==== Container Configuration ====<br />
<br />
The settings in the {{ic|docker.service}} file are not passed into containers. To set a proxy inside a container, set {{ic|ENV}} variables in your {{ic|Dockerfile}} thus:<br />
<br />
FROM base/archlinux<br />
ENV http_proxy="<nowiki>http://192.168.1.1:3128</nowiki>"<br />
ENV https_proxy="<nowiki>https://192.168.1.1:3128</nowiki>"<br />
<br />
[https://docs.docker.com/reference/builder/#env Docker] provides detailed information on configuration via {{ic|ENV}} within a Dockerfile.<br />
<br />
=== Daemon Socket Configuration ===<br />
<br />
The ''docker'' daemon listens on a [[Wikipedia:Unix domain socket|Unix socket]] by default. To listen on a TCP port instead, edit {{ic|/etc/systemd/system/docker.socket}}, where {{ic|ListenStream}} gives the address and port; {{ic|0.0.0.0}} makes the socket reachable on every interface:<br />
<br />
[Socket]<br />
ListenStream=0.0.0.0:2375<br />
<br />
=== Configuring DNS ===<br />
<br />
By default, docker makes {{ic|resolv.conf}} in the container match {{ic|resolv.conf}} on the host, filtering out local addresses (e.g. {{ic|127.0.0.1}}). If this yields an empty file, Google's DNS servers are used as the default. If you use a service like dnsmasq to provide name resolution, you need to add an entry to your {{ic|resolv.conf}} for docker's network interface so that it is not filtered out.<br />
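To make that failure mode concrete, here is an added example (not Docker's code, but a simplified model of the rule described above, covering nameserver lines only): it drops loopback nameservers and falls back to Google's {{ic|8.8.8.8}} and {{ic|8.8.4.4}} when none remain, which is exactly what happens on a host whose only resolver is dnsmasq on {{ic|127.0.0.1}}. The two host {{ic|resolv.conf}} contents are constructed, and {{ic|172.17.0.1}} is only assumed as the docker0 address.<br />

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page and not Docker's own code:
# a simplified model of how the container's resolv.conf is derived from the
# host's. Rule modelled: keep the host's nameserver lines, drop loopback
# (127.x.x.x) ones, and fall back to Google's resolvers when nothing is left.
# Real Docker handles more cases (search/options lines, IPv6); this is enough
# to show why a dnsmasq-only host ends up with external DNS in containers.

container_resolv_conf() {
    # $1: contents of the host's /etc/resolv.conf
    kept=$(printf '%s\n' "$1" | awk '$1 == "nameserver" && $2 !~ /^127\./ { print }')
    if [ -z "$kept" ]; then
        # nothing survived the loopback filter: Docker's documented default
        printf 'nameserver 8.8.8.8\nnameserver 8.8.4.4\n'
    else
        printf '%s\n' "$kept"
    fi
}

# Constructed host file: dnsmasq listening on loopback only.
HOST_DNSMASQ='# dnsmasq on the host
nameserver 127.0.0.1'

# Constructed host file: dnsmasq also reachable on the docker0 address
# (172.17.0.1 is an assumed value; check "ip addr show docker0" on your host).
HOST_WITH_BRIDGE='nameserver 127.0.0.1
nameserver 172.17.0.1'

echo "--- loopback-only host gives the container:"
container_resolv_conf "$HOST_DNSMASQ"
echo "--- host with a docker0 entry gives the container:"
container_resolv_conf "$HOST_WITH_BRIDGE"
```

The second sample is the fix the paragraph recommends: once the host's {{ic|resolv.conf}} also lists the address dnsmasq has on docker's interface, that line survives the filter and containers keep using the local resolver.<br />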
<br />
=== Images location ===<br />
<br />
By default, docker images are located at {{ic|/var/lib/docker}}. They can be moved to another partition.<br />
First, [[stop]] {{ic|docker.service}}.<br />
<br />
If containers have been run, make sure all their filesystems are fully unmounted. Once that is done, move the contents of {{ic|/var/lib/docker}} to the target location.<br />
<br />
Then add a [[Drop-in snippet]] for the {{ic|docker.service}}, adding the {{ic|-g}} parameter to the {{ic|ExecStart}}:<br />
<br />
{{hc|/etc/systemd/system/docker.service.d/imagelocation.conf|2=<br />
[Service]<br />
ExecStart= <br />
ExecStart=/usr/bin/docker daemon -g ''/path/to/new/location/docker'' -H fd://}}<br />
<br />
Finally, [[reload]] configuration and [[start]] {{ic|docker.service}} again.<br />
<br />
== Docker 0.9.0 -- 1.2.x and LXC ==<br />
<br />
Since version 0.9.0 Docker starts containers through its own library, ''libcontainer'', without relying on LXC.<br />
<br />
The lxc exec driver and the {{ic|-lxc-conf}} option may also be removed in the near future. [https://github.com/docker/docker/pull/5797]<br />
<br />
Hence, by default you cannot use {{ic|lxc-attach}} with containers managed by Docker 0.9.0+. To allow it, the Docker daemon has to run with {{ic|-e lxc}} as an argument.<br />
<br />
You can create a file named {{ic|lxc.conf}} under {{ic|/etc/systemd/system/docker.service.d/}} with the following contents:<br />
<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/docker -d -e lxc<br />
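The drop-ins in this article (the proxy snippet, the image-location snippet and the {{ic|lxc.conf}} above) share two easy mistakes: leaving out the {{ic|[Service]}} header, in which case systemd ignores the setting as an assignment outside any section, and overriding {{ic|ExecStart}} without first clearing it with an empty {{ic|1=ExecStart=}} line, in which case the service has two {{ic|ExecStart}} lines and systemd refuses to start it. The following added lint script (not part of this page and not a systemd tool) checks a drop-in's text for both; the three sample snippets are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: lint a systemd drop-in snippet
# for the two mistakes that silently break the docker.service drop-ins shown
# in this article. Findings go to stdout; exit status 0 means clean.

lint_dropin() {
    # $1: drop-in file contents
    printf '%s\n' "$1" | awk '
        /^[ \t]*$/ || /^[ \t]*[#;]/ { next }      # skip blank lines and comments
        /^\[.*\]$/ { section = $0; next }        # remember the current section
        section == "" { print "setting outside any section: " $0; bad = 1; next }
        /^ExecStart=[ \t]*$/ { reset = 1; next } # empty ExecStart= clears the list
        /^ExecStart=/ && section == "[Service]" && !reset {
            print "ExecStart= override without a preceding empty ExecStart= line"; bad = 1
        }
        END { exit bad }'
}

# Constructed: a proxy drop-in missing its [Service] header.
NO_SECTION_SAMPLE='Environment="HTTP_PROXY=192.168.1.1"'

# Constructed: a correct image-location drop-in (path is a placeholder).
GOOD_SAMPLE='[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -g /path/to/new/location/docker -H fd://'

# Constructed: the same override without clearing ExecStart= first.
DOUBLE_EXEC_SAMPLE='[Service]
ExecStart=/usr/bin/docker daemon -g /path/to/new/location/docker -H fd://'

for name in NO_SECTION_SAMPLE GOOD_SAMPLE DOUBLE_EXEC_SAMPLE; do
    eval "snippet=\$$name"
    if lint_dropin "$snippet"; then
        echo "$name: clean"
    else
        echo "$name: problems found"
    fi
done
```

To check a real file, pass its contents: {{ic|lint_dropin "$(cat /etc/systemd/system/docker.service.d/imagelocation.conf)"}}. A trailing space after {{ic|1=ExecStart=}}, as in the snippet under [[#Images location]], is accepted as an empty reset line.<br />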
<br />
== Images ==<br />
=== Arch Linux ===<br />
==== x86_64 ====<br />
The following command pulls the [https://hub.docker.com/r/base/archlinux/ base/archlinux] x86_64 image.<br />
<br />
# docker pull base/archlinux<br />
<br />
==== i686 ====<br />
The default Arch Linux image in the Docker Registry is for x86_64 only; an i686 image must be built manually.<br />
<br />
==== Build Image ====<br />
To build an image yourself, open the [https://registry.hub.docker.com/u/base/archlinux/ docker base/archlinux registry] page and click the {{ic|mkimage-arch.sh}} link to download {{ic|mkimage-arch.sh}} and {{ic|mkimage-arch-pacman.conf}} as raw files into the same directory. Next, make the script executable and run it:<br />
<br />
$ chmod +x mkimage-arch.sh<br />
$ cp /etc/pacman.conf ./mkimage-arch-pacman.conf # or get a pacman.conf from somewhere else<br />
$ ./mkimage-arch.sh<br />
# docker run -t -i --rm archlinux /bin/bash # try it<br />
<br />
For slow network connections or CPU, the build timeout can be extended: <br />
$ sed -i 's/timeout 60/timeout 120/' mkimage-arch.sh<br />
<br />
=== Debian ===<br />
<br />
Build Debian image with {{Pkg|debootstrap}}:<br />
<br />
# mkdir wheezy-chroot<br />
# debootstrap wheezy ./wheezy-chroot http://http.debian.net/debian/<br />
# cd wheezy-chroot<br />
# tar cpf - . | docker import - debian<br />
# docker run -t -i --rm debian /bin/bash<br />
<br />
== Arch Linux image with snapshot repository ==<br />
Arch Linux on Docker can become problematic when multiple images are created and updated over time, each ending up with different package versions. To keep Docker containers on consistent package versions, a [https://registry.hub.docker.com/u/pritunl/archlinux/ Docker image with a snapshot repository] is available. This allows installing new packages from the official repository as it was on the day the snapshot was created.<br />
<br />
$ docker pull pritunl/archlinux:latest<br />
$ docker run --rm -t -i pritunl/archlinux:latest /bin/bash<br />
<br />
== Useful tips ==<br />
<br />
To grab the IP address of a running container:<br />
<br />
{{hc|<nowiki>$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' <container-name OR id> </nowiki>|<br />
172.17.0.37}}<br />
<br />
== Troubleshooting ==<br />
<br />
=== Docker info errors out ===<br />
<br />
If running {{ic|docker info}} gives an error that looks like this:<br />
<br />
FATA[0000] Get http:///var/run/docker.sock/v1.17/info: read unix /var/run/docker.sock: connection reset by peer. Are you trying to connect to a TLS-enabled daemon without TLS? <br />
<br />
then you might not have the {{ic|bridge}} module loaded. You can check for it by running {{ic|lsmod | grep bridge}}. If it is not loaded, you can try to load it with {{ic|modprobe}} or simply reboot (a reboot might be required if you have upgraded your kernel recently without rebooting and the bridge module was built for the more recent kernel.)<br />
<br />
See [https://github.com/docker/docker/issues/6853 this issue on GitHub for more information].<br />
<br />
=== Deleting Docker Images in a BTRFS Filesystem ===<br />
Deleting docker images in a [[btrfs]] filesystem leaves the images in {{ic|/var/lib/docker/btrfs/subvolumes/}} with a size of 0. When you try to delete this you get a permission error.<br />
# docker rm bab4ff309870<br />
# rm -Rf /var/lib/docker/btrfs/subvolumes/*<br />
rm: cannot remove '/var/lib/docker/btrfs/subvolumes/85122f1472a76b7519ed0095637d8501f1d456787be1a87f2e9e02792c4200ab': Operation not permitted<br />
<br />
This happens because Docker's btrfs storage driver creates a btrfs subvolume for each image, and subvolumes cannot be removed with {{ic|rm}}. The correct command to delete them is:<br />
# btrfs subvolume delete /var/lib/docker/btrfs/subvolumes/85122f1472a76b7519ed0095637d8501f1d456787be1a87f2e9e02792c4200ab<br />
<br />
=== docker0 Bridge gets no IP / no internet access in containers ===<br />
<br />
Docker enables IP forwarding by itself, but by default systemd overrides the respective sysctl setting. The following disables this override (for all interfaces):<br />
<br />
# cat > /etc/systemd/network/ipforward.network <<EOF<br />
[Network]<br />
IPForward=ipv4<br />
EOF<br />
<br />
# cat > /etc/sysctl.d/99-docker.conf <<EOF<br />
net.ipv4.ip_forward = 1<br />
EOF<br />
<br />
# sysctl -w net.ipv4.ip_forward=1<br />
<br />
Finally [[restart]] the {{ic|systemd-networkd}} and {{ic|docker}} services.<br />
<br />
=== docker complains about no loopback devices ===<br />
<br />
If starting the docker service fails and {{ic|journalctl}} says that no loopback device can be found, try following the steps outlined in [[TrueCrypt#Failed_to_set_up_a_loop_device|TrueCrypt's troubleshooting section]]. In particular, if you've upgraded the kernel since last rebooting, you just need to reboot.<br />
<br />
=== Default number of allowed processes/threads too low ===<br />
<br />
If you run into error messages like<br />
<br />
# e.g. Java<br />
java.lang.OutOfMemoryError: unable to create new native thread<br />
# e.g. C, bash, ...<br />
fork failed: Resource temporarily unavailable<br />
<br />
then you may need to raise the number of tasks systemd allows for the service. The default (see {{ic|system.conf}}) is 500, which is quite small for running several docker containers. Create a drop-in file for the service:<br />
<br />
# mkdir /etc/systemd/system/docker.service.d<br />
# cat > /etc/systemd/system/docker.service.d/tasks.conf <<EOF<br />
[Service]<br />
TasksMax=infinity<br />
EOF<br />
# systemctl daemon-reload<br />
# systemctl restart docker.service<br />
<br />
== See also ==<br />
<br />
* [https://docs.docker.com/installation/archlinux/ Arch Linux on docs.docker.com]<br />
* [http://opensource.com/business/14/7/docker-security-selinux Are Docker containers really secure?] — opensource.com</div>Ainv