ArchWiki - User contributions [en] (feed generated 2024-03-29T07:19:22Z by MediaWiki 1.41.0). Contribution by The Xperience to Docker, revision of 2019-06-12T12:40:21Z, https://wiki.archlinux.org/index.php?title=Docker&diff=575256. Edit summary: Added another fixing approach for having no internet in docker containers
<hr />
<div>[[Category:Virtualization]]<br />
[[Category:Sandboxing]]<br />
[[ja:Docker]]<br />
[[ru:Docker]]<br />
[[zh-hant:Docker]]<br />
[[zh-hans:Docker]]<br />
{{Related articles start}}<br />
{{Related|systemd-nspawn}}<br />
{{Related|Linux Containers}}<br />
{{Related|Vagrant}}<br />
{{Related articles end}}<br />
[[Wikipedia:Docker (software)|Docker]] is a utility to pack, ship and run any application as a lightweight container.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|docker}} package or, for the development version, the {{Aur|docker-git}} package. Next [[start]] and enable {{ic|docker.service}} and verify operation:<br />
<br />
# docker info<br />
<br />
Note that starting the docker service may fail if you have an active VPN connection due to IP conflicts between the VPN and Docker's bridge and overlay networks. If this is the case, try disconnecting the VPN before starting the docker service. You may reconnect the VPN immediately afterwards. [https://stackoverflow.com/questions/45692255/how-make-openvpn-work-with-docker You can also try to deconflict the networks.]<br />
<br />
If you want to be able to run docker as a regular user, add your user to the {{ic|docker}} [[user group]].<br />
<br />
{{Warning|Anyone added to the {{ic|docker}} group is root equivalent. More information [https://github.com/docker/docker/issues/9976 here] and [https://docs.docker.com/engine/security/security/ here].}}<br />
<br />
== Configuration ==<br />
<br />
=== Storage driver ===<br />
<br />
The docker storage driver (or graph driver) has a huge impact on performance. Its job is to store layers of container images efficiently, that is, when several images share a layer, only one copy of that layer uses disk space. The compatibility option, {{ic|devicemapper}}, offers suboptimal performance, which is outright terrible on rotating disks. Additionally, {{ic|devicemapper}} is not recommended in production.<br />
<br />
As Arch Linux ships recent kernels, there is no point in using the compatibility option. A good, modern choice is {{ic|overlay2}}.<br />
<br />
To see the current storage driver, run {{ic|# docker info {{!}} head}}; modern docker installations should already use {{ic|overlay2}} by default.<br />
<br />
To set your own choice of storage driver, edit {{ic|/etc/docker/daemon.json}} (create it if it does not exist):<br />
{{hc|/etc/docker/daemon.json|2=<br />
{<br />
"storage-driver": "overlay2"<br />
}<br />
}}<br />
<br />
Afterwards, [[restart]] docker.<br />
<br />
Further information on options is available on the [https://docs.docker.com/engine/userguide/storagedriver/selectadriver/ user guide].<br />
For more information about options in {{ic|daemon.json}} see [https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file dockerd documentation].<br />
<br />
=== Remote API ===<br />
<br />
To open the Remote API to port {{ic|4243}} manually, run:<br />
<br />
# /usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock<br />
<br />
The {{ic|-H tcp://0.0.0.0:4243}} part opens the Remote API on every interface of the host.<br />
<br />
The {{ic|-H unix:///var/run/docker.sock}} part keeps the local Unix socket for access from the host's terminal.<br />
<br />
==== Remote API with systemd ====<br />
<br />
To start the remote API with the docker daemon, create a [[Drop-in snippet]] with the following content:<br />
<br />
{{hc|/etc/systemd/system/docker.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock<br />
}}<br />
<br />
=== Daemon socket configuration ===<br />
<br />
The ''docker'' daemon listens to a [[Wikipedia:Unix domain socket|Unix socket]] by default. To listen on a specified port instead, create a [[Drop-in snippet]] with the following content:<br />
<br />
{{hc|/etc/systemd/system/docker.socket.d/socket.conf|2=<br />
[Socket]<br />
ListenStream=0.0.0.0:2375<br />
}}<br />
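Both the {{ic|-H tcp://0.0.0.0:4243}} drop-in above and a {{ic|ListenStream=0.0.0.0:2375}} socket unit expose the daemon's API to the network, and whoever can reach that port is as root-equivalent as a member of the {{ic|docker}} group (see the warning under [[#Installation]]). The following script is an added example and not part of this article or of Docker; it classifies each drop-in in a directory by how the API is exposed and flags plain-TCP listeners. The sample files it writes to a temporary directory are constructed, and the {{ic|/etc/docker/*.pem}} paths in the TLS sample are placeholders. On a real host point it at {{ic|/etc/systemd/system/docker.service.d}} and {{ic|docker.socket.d}}.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page. Audits systemd drop-ins for
# Docker API listeners reachable over TCP. Files, paths and contents below are
# constructed samples.

# Classify one drop-in:
#   local      no TCP listener, only the Unix socket
#   tcp-tls    -H tcp://... together with --tlsverify (client certificates required)
#   tcp-plain  -H tcp://... with no TLS at all: reachable clients are root-equivalent
#   socket-tcp ListenStream=host:port in a socket unit; TLS flags cannot live in a
#              socket unit, so dockerd's own ExecStart must carry --tlsverify
classify_dropin() {
    file=$1
    if grep -Eq '^ListenStream=.*:[0-9]+' "$file"; then
        echo socket-tcp
    elif grep -Eq -- '-H[ =]tcp://' "$file"; then
        if grep -q -- '--tlsverify' "$file"; then echo tcp-tls; else echo tcp-plain; fi
    else
        echo local
    fi
}

# Print one line per *.conf file in DIR; return 1 if any listener needs attention.
audit_docker_dropins() {
    dir=$1
    rc=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        kind=$(classify_dropin "$f")
        case $kind in
            tcp-plain)  echo "UNPROTECTED $f: Docker API on plain TCP"; rc=1 ;;
            socket-tcp) echo "CHECK $f: socket-activated TCP listener, confirm dockerd runs with --tlsverify"; rc=1 ;;
            *)          echo "ok ($kind) $f" ;;
        esac
    done
    return $rc
}

# Constructed samples mirroring the snippets in this article.
dropin_demo=$(mktemp -d)
cat > "$dropin_demo/override.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
EOF
# TLS variant: 2376 is the conventional TLS port; the .pem paths are placeholders.
cat > "$dropin_demo/tls.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
EOF
cat > "$dropin_demo/socket.conf" <<'EOF'
[Socket]
ListenStream=0.0.0.0:2375
EOF
audit_docker_dropins "$dropin_demo" || echo "at least one listener needs attention"
```

The check is deliberately per file: a socket unit can only say that a TCP port is open, so it is always reported for review, and the corresponding service drop-in decides whether that port is protected.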
<br />
=== Proxies ===<br />
<br />
Proxy configuration has two parts: first the host configuration of the Docker daemon, second the configuration required for your container to see your proxy.<br />
<br />
==== Proxy configuration ====<br />
<br />
Create a [[Drop-in snippet]] with the following content:<br />
{{hc|/etc/systemd/system/docker.service.d/proxy.conf|2=<br />
[Service]<br />
Environment="HTTP_PROXY=192.168.1.1:8080"<br />
Environment="HTTPS_PROXY=192.168.1.1:8080"<br />
}}<br />
<br />
{{Note|This assumes {{ic|192.168.1.1}} is your proxy server, do not use {{ic|127.0.0.1}}.}}<br />
<br />
Verify that the configuration has been loaded:<br />
<br />
{{hc|# systemctl show docker --property Environment|2=<br />
Environment=HTTP_PROXY=192.168.1.1:8080 HTTPS_PROXY=192.168.1.1:8080<br />
}}<br />
<br />
==== Container configuration ====<br />
<br />
The settings in the {{ic|docker.service}} file will not translate into containers. To achieve this you must set {{ic|ENV}} variables in your {{ic|Dockerfile}} thus:<br />
<br />
FROM base/archlinux<br />
ENV http_proxy="<nowiki>http://192.168.1.1:3128</nowiki>"<br />
ENV https_proxy="<nowiki>https://192.168.1.1:3128</nowiki>"<br />
<br />
[https://docs.docker.com/engine/reference/builder/#env Docker] provides detailed information on configuration via {{ic|ENV}} within a Dockerfile.<br />
<br />
=== Configuring DNS ===<br />
<br />
By default, docker will make {{ic|resolv.conf}} in the container match {{ic|/etc/resolv.conf}} on the host machine, filtering out local addresses (e.g. {{ic|127.0.0.1}}). If this yields an empty file, then [https://developers.google.com/speed/public-dns/ Google DNS servers] are used. If you are using a service like [[dnsmasq]] to provide name resolution, you may need to add an entry to the {{ic|/etc/resolv.conf}} for docker's network interface so that it is not filtered out.<br />
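To see what a container would receive before starting one, the following script is an added example (not code from this article or from Docker) that reproduces the filtering step described above on a copy of {{ic|resolv.conf}}. It assumes that only loopback addresses ({{ic|127.0.0.0/8}} and {{ic|::1}}) count as local, which is a simplification of docker's real filter, and the two sample files it writes are constructed; {{ic|172.17.0.1}} stands for the address of the {{ic|docker0}} interface on which a local [[dnsmasq]] would additionally have to listen.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page. Shows which nameserver
# entries survive docker's local-address filter and whether the fallback to
# Google DNS would kick in. Sample files below are constructed.

# Print the nameserver addresses that would survive the filter.
# Assumption: only 127.0.0.0/8 and ::1 are treated as local.
container_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# Report the outcome: surviving servers (exit 0) or the fallback case (exit 1).
check_resolv() {
    servers=$(container_nameservers "$1")
    if [ -z "$servers" ]; then
        echo "no usable nameserver left; containers would fall back to Google DNS"
        return 1
    fi
    echo "$servers"
}

dns_demo=$(mktemp -d)
# Host running dnsmasq on loopback only: every entry is filtered out.
printf 'nameserver 127.0.0.1\n' > "$dns_demo/loopback.conf"
# Host whose dnsmasq also answers on docker0 (172.17.0.1): that entry survives.
printf 'nameserver 127.0.0.1\nnameserver 172.17.0.1\nsearch example.lan\n' > "$dns_demo/docker0.conf"

check_resolv "$dns_demo/loopback.conf" || true
check_resolv "$dns_demo/docker0.conf"
```

If the first case matches your host, add the {{ic|docker0}} address to {{ic|/etc/resolv.conf}} and make sure the resolver actually listens on it, otherwise name resolution in containers silently leaves the host.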
<br />
=== Running Docker with a manually-defined network on systemd-networkd ===<br />
<br />
If you manually configure your network using [[systemd-networkd]] version '''220 or higher''', containers you start with Docker may be unable to access your network. Beginning with version 220, the forwarding setting for a given network ({{ic|net.ipv4.conf.<interface>.forwarding}}) defaults to {{ic|off}}. This setting prevents IP forwarding. It also conflicts with Docker, which enables the {{ic|net.ipv4.conf.all.forwarding}} setting within a container.<br />
<br />
A workaround is to edit the {{ic|<interface>.network}} file in {{ic|/etc/systemd/network/}}, adding {{ic|1=IPForward=kernel}} on the Docker host:<br />
<br />
{{hc|/etc/systemd/network/<interface>.network|2=<br />
[Network]<br />
...<br />
IPForward=kernel<br />
...}}<br />
<br />
This configuration allows IP forwarding from the container as expected.<br />
<br />
=== Images location ===<br />
<br />
By default, docker images are located at {{ic|/var/lib/docker}}. They can be moved to another partition.<br />
First, [[stop]] {{ic|docker.service}}.<br />
<br />
If you have run containers from the images, make sure all image layers are completely unmounted. Once that is done, you may move the contents of {{ic|/var/lib/docker}} to the target destination.<br />
<br />
Then add a [[Drop-in snippet]] for the {{ic|docker.service}}, adding the {{ic|-g}} parameter to the {{ic|ExecStart}}:<br />
<br />
{{hc|/etc/systemd/system/docker.service.d/docker-storage.conf|2=<br />
[Service]<br />
ExecStart= <br />
ExecStart=/usr/bin/dockerd -g ''/path/to/new/location/docker'' -H fd://}}<br />
<br />
=== Insecure registries ===<br />
<br />
If you decide to use a self-signed certificate for your private registry, Docker will refuse to use it until you declare that you trust it.<br />
Add a [[Drop-in snippet]] for {{ic|docker.service}}, adding the {{ic|--insecure-registry}} parameter to {{ic|dockerd}}:<br />
{{hc|/etc/systemd/system/docker.service.d/override.conf|2=<br />
[Service]<br />
ExecStart=<br />
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry my.registry.name:5000<br />
}}<br />
<br />
== Images ==<br />
=== Arch Linux ===<br />
The following command pulls the [https://hub.docker.com/r/archlinux/base/ archlinux/base] x86_64 image. This is a stripped-down version of the Arch core without network, etc.<br />
<br />
# docker pull archlinux/base<br />
<br />
See also [https://github.com/archlinux/archlinux-docker/blob/master/README.md README.md].<br />
<br />
For a full Arch base, clone the repo from above and build your own image.<br />
<br />
$ git clone https://github.com/archlinux/archlinux-docker.git<br />
<br />
Edit the {{ic|packages}} file so it only contains 'base'. Then run: <br />
<br />
# make docker-image<br />
<br />
=== Debian ===<br />
The following command pulls the [https://hub.docker.com/r/_/debian/ debian] x86_64 image.<br />
<br />
# docker pull debian<br />
<br />
==== Manually ====<br />
Build Debian image with {{Pkg|debootstrap}}:<br />
<br />
# mkdir jessie-chroot<br />
# debootstrap jessie ./jessie-chroot http://http.debian.net/debian/<br />
# cd jessie-chroot<br />
# tar cpf - . | docker import - debian<br />
# docker run -t -i --rm debian /bin/bash<br />
<br />
== Remove Docker and images ==<br />
<br />
In case you want to remove Docker entirely you can do this by following the steps below:<br />
<br />
{{Note|Do not just copy paste those commands without making sure you know what you are doing.}}<br />
<br />
Check for running containers:<br />
<br />
# docker ps<br />
<br />
List all containers running on the host for deletion:<br />
<br />
# docker ps -a<br />
<br />
Stop a running container:<br />
<br />
# docker stop <CONTAINER ID><br />
<br />
Kill a container that is still running:<br />
<br />
# docker kill <CONTAINER ID><br />
<br />
Delete all containers listed by ID:<br />
<br />
# docker rm <CONTAINER ID><br />
<br />
List all Docker images:<br />
<br />
# docker images<br />
<br />
Delete all images by ID:<br />
<br />
# docker rmi <IMAGE ID><br />
<br />
Delete all images, containers, volumes, and networks that are not associated with a container (dangling):<br />
<br />
# docker system prune<br />
<br />
To additionally remove any stopped containers and all unused images (not just dangling ones), add the {{ic|-a}} flag to the command:<br />
<br />
# docker system prune -a<br />
<br />
Delete all Docker data (purge directory):<br />
<br />
{{Accuracy|Doing {{ic|# rm -R /var/lib/docker}} will leave behind the btrfs subvolumes of the removed containers}}<br />
<br />
# rm -R /var/lib/docker<br />
<br />
== Useful tips ==<br />
<br />
To grab the IP address of a running container:<br />
<br />
{{hc|<nowiki>$ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container-name OR id> </nowiki>|<br />
172.17.0.37}}<br />
<br />
For each running container, the name and corresponding IP address can be listed for use in {{ic|/etc/hosts}}:<br />
<br />
{{bc|#!/usr/bin/env sh<br />
<nowiki># docker ps -q already prints one container ID per line<br />
for ID in $(docker ps -q); do<br />
IP=$(docker inspect --format="{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}" "$ID")<br />
# .Name carries a leading slash; strip it so the result is usable in /etc/hosts<br />
NAME=$(docker inspect --format="{{.Name}}" "$ID" | sed 's|^/||')<br />
printf "%s %s\n" "$IP" "$NAME"<br />
done</nowiki>}}<br />
<br />
== Troubleshooting ==<br />
=== docker0 Bridge gets no IP / no internet access in containers ===<br />
<br />
Docker enables IP forwarding by itself, but by default [[systemd-networkd]] overrides the respective sysctl setting. Set {{ic|1=IPForward=yes}} in the network profile. See [[Internet sharing#Enable packet forwarding]] for details.<br />
<br />
{{Note|You may need to [[restart]] {{ic|docker.service}} each time you [[restart]] {{ic|systemd-networkd.service}} or {{ic|iptables.service}}}}<br />
<br />
{{Note|Also be aware that [[nftables]] may block docker connections by default. Use {{ic|nft list ruleset}} to check for blocking rules. {{ic|nft flush chain inet filter forward}} removes all forwarding rules temporarily. Edit {{ic|/etc/nftables.conf}} to make changes permanent. Remember to [[restart]] {{ic|nftables.service}} to reload rules from the config file.}}<br />
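This section and [[#Running Docker with a manually-defined network on systemd-networkd]] come down to the same sysctl, so the first thing to verify is which interfaces actually have forwarding enabled. The following script is an added example and not part of this article; it assumes the directory layout of {{ic|/proc/sys/net/ipv4/conf}} (one {{ic|forwarding}} file per interface) and, so that it runs anywhere, builds a constructed copy of that tree in a temporary directory instead of reading the live one. Call {{ic|forwarding_disabled}} without an argument to check the real host.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page. Lists interfaces whose IPv4
# forwarding sysctl is off; the tree under the temporary directory is constructed.

# Print "iface forwarding=0" for every interface with forwarding disabled.
# Returns 0 when every interface forwards, 1 when at least one does not.
# Default root is the live sysctl tree; pass another directory to test a copy.
forwarding_disabled() {
    root=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for f in "$root"/*/forwarding; do
        [ -r "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        if [ "$(cat "$f")" != "1" ]; then
            echo "$iface forwarding=0"
            rc=1
        fi
    done
    return $rc
}

# Constructed tree: docker enabled forwarding on "all" and docker0, but the
# uplink eth0 keeps the systemd-networkd default of off.
fw_demo=$(mktemp -d)
for iface in all default eth0 docker0; do mkdir -p "$fw_demo/$iface"; done
echo 1 > "$fw_demo/all/forwarding"
echo 0 > "$fw_demo/default/forwarding"
echo 0 > "$fw_demo/eth0/forwarding"
echo 1 > "$fw_demo/docker0/forwarding"

forwarding_disabled "$fw_demo" || echo "set IPForward=yes in the .network file of the interfaces listed above, then restart systemd-networkd and docker"
```

Because {{ic|net.ipv4.conf.all.forwarding}} alone is not enough when the per-interface value is off, the per-interface check is what tells you which {{ic|.network}} profile needs the setting.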
<br />
=== Default number of allowed processes/threads too low ===<br />
<br />
If you run into error messages like<br />
<br />
# e.g. Java<br />
java.lang.OutOfMemoryError: unable to create new native thread<br />
# e.g. C, bash, ...<br />
fork failed: Resource temporarily unavailable<br />
<br />
then you might need to adjust the number of processes allowed by systemd. The default is 500 (see {{ic|system.conf}}), which is pretty small for running several docker containers. [[Edit]] the {{ic|docker.service}} with the following snippet:<br />
<br />
{{hc|# systemctl edit docker.service|2=<br />
[Service]<br />
TasksMax=infinity<br />
}}<br />
<br />
=== Error initializing graphdriver: devmapper ===<br />
<br />
If ''systemctl'' fails to start docker and provides an error:<br />
<br />
Error starting daemon: error initializing graphdriver: devmapper: Device docker-8:2-915035-pool is not a thin pool<br />
<br />
Then, try the following steps to resolve the error. Stop the service, back up {{ic|/var/lib/docker/}} (if desired), remove the contents of {{ic|/var/lib/docker/}}, and try to start the service. See the open [https://github.com/docker/docker/issues/21304 GitHub issue] for details.<br />
<br />
=== Failed to create some/path/to/file: No space left on device ===<br />
If you are getting an error message like this:<br />
<br />
ERROR: Failed to create some/path/to/file: No space left on device<br />
<br />
when building or running a Docker image, even though you do have enough disk space available, make sure:<br />
<br />
* [[Tmpfs]] is disabled or has enough memory allocation. Docker might be trying to write files into {{ic|/tmp}} but fails due to restrictions in memory usage and not disk space.<br />
* If you are using [[XFS]], you might want to remove the {{ic|noquota}} mount option from the relevant entries in {{ic|/etc/fstab}} (usually where {{ic|/tmp}} and/or {{ic|/var/lib/docker}} reside). Refer to [[Disk quota]] for more information, especially if you plan on using and resizing the {{ic|overlay2}} Docker storage driver.<br />
* XFS quota mount options ({{ic|uquota}}, {{ic|gquota}}, {{ic|prjquota}}, etc.) fail during re-mount of the file system. To enable quota for root file system, the mount option must be passed to initramfs as a [[kernel parameter]] {{ic|1=rootflags=}}. Subsequently, it should not be listed among mount options in {{ic|/etc/fstab}} for the root ({{ic|/}}) filesystem.<br />
<br />
{{Note|There are some differences of XFS Quota compared to standard Linux [[Disk quota]], [http://inai.de/linux/adm_quota] may be worth reading.}}<br />
<br />
=== Invalid cross-device link in kernel 4.19.1 ===<br />
<br />
If commands like ''dpkg'' fail to run in docker, e.g:<br />
<br />
dpkg: error: error creating new backup file '/var/lib/dpkg/status-old': Invalid cross-device link<br />
<br />
Either add an {{ic|1=overlay.metacopy=N}} [[kernel parameter]] or downgrade to 4.18.x until [https://github.com/docker/for-linux/issues/480 this issue] is resolved. More info in the [https://bbs.archlinux.org/viewtopic.php?id=241866 Arch forum].<br />
<br />
=== CPUACCT missing in docker with Linux-ck ===<br />
<br />
In newer versions of [[Linux-ck]] ([https://aur.archlinux.org/packages/linux-ck#comment-677316 some users experienced it] with 4.19; with 4.20 it seems general), a change to MuQSS disables the {{ic|CONFIG_CGROUP_CPUACCT}} kernel option, which makes ''some'' docker usage ({{ic|run}} or {{ic|build}}) produce the following error:<br />
<br />
{{hc|$ docker run --rm hello-world|docker: Error response from daemon: unable to find "cpuacct" in controller set: unknown.}}<br />
<br />
This error does not seem to affect the docker daemon, just containers. Read more on [[Linux-ck#CPUACCT missing in docker]].<br />
<br />
=== Docker-machine fails to create virtual machines using the virtualbox driver ===<br />
<br />
In case docker-machine fails to create the VMs using the virtualbox driver, with the following:<br />
<br />
VBoxManage: error: VBoxNetAdpCtl: Error while adding new interface: failed to open /dev/vboxnetctl: No such file or directory<br />
<br />
Simply reload VirtualBox from the command line with {{ic|vboxreload}}.<br />
<br />
=== Starting Docker breaks KVM bridged networking ===<br />
<br />
This is a [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865975 known issue]. You can use the following workaround:<br />
<br />
{{hc|/etc/docker/daemon.json|2=<br />
{<br />
"iptables": false<br />
}<br />
}}<br />
<br />
== See also ==<br />
<br />
* [https://www.docker.com Official website]<br />
* [https://docs.docker.com/engine/installation/linux/archlinux/ Arch Linux on docs.docker.com]<br />
* [http://opensource.com/business/14/7/docker-security-selinux Are Docker containers really secure?] — opensource.com</div>