Difference between revisions of "Docker"

From ArchWiki
(Added a troubleshooting entry for a fairly common problem among XFS users and Docker. Why: it took me hours to debug and resolve.)
m (Arch Linux: correction)
 
(6 intermediate revisions by 4 users not shown)
Line 8: Line 8:
 
{{Related|Lxc-systemd}}
 
{{Related|Lxc-systemd}}
 
{{Related|Vagrant}}
 
{{Related|Vagrant}}
{{Related|Tmpfs}}
 
{{Related|Disk quota}}
 
{{Related|XFS}}
 
 
{{Related articles end}}
 
{{Related articles end}}
 
[https://www.docker.com Docker] is a utility to pack, ship and run any application as a lightweight container.
 
[https://www.docker.com Docker] is a utility to pack, ship and run any application as a lightweight container.
Line 151: Line 148:
 
== Images ==
 
== Images ==
 
=== Arch Linux ===
 
=== Arch Linux ===
The following command pulls the [https://hub.docker.com/r/archlinux/base/ archlinux/base] x86_64 image.
+
The following command pulls the [https://hub.docker.com/r/archlinux/base/ archlinux/base] x86_64 image. This is a stripped down version of Arch core without network, etc.
  
 
  # docker pull archlinux/base
 
  # docker pull archlinux/base
  
 
See also [https://github.com/archlinux/archlinux-docker/blob/master/README.md README.md].
 
See also [https://github.com/archlinux/archlinux-docker/blob/master/README.md README.md].
 +
 +
For a full Arch base, clone the repo from above and build your own image.
 +
 +
$ git clone https://github.com/archlinux/archlinux-docker.git
 +
 +
Edit the packages file so it only contains 'base'. Then run:
 +
 +
# make docker-image
  
 
=== Debian ===
 
=== Debian ===
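Review bot: the added build recipe clones the repository at whatever master happens to be and then runs `# make docker-image` as root, with no revision pinned and no word on what the Makefile does; suggest telling the reader to check out a tag or known commit and read the Makefile before building as root, and replacing "without network, etc." with a concrete statement of what the archlinux/base image lacks (the package list), since "etc." leaves the reader guessing what to add.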
Line 215: Line 220:
  
 
Delete all Docker data (purge directory):
 
Delete all Docker data (purge directory):
 +
 +
{{Accuracy|Doing # rm -R /var/lib/docker will left behind the btrfs subvolumes of the removed containers}}
  
 
  # rm -R /var/lib/docker
 
  # rm -R /var/lib/docker
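Review bot: the Accuracy template correctly flags that `# rm -R /var/lib/docker` leaves the btrfs subvolumes of removed containers behind, but the section still gives no fix: it should say to stop docker.service before removing the directory and, on btrfs, to delete the layer subvolumes with `btrfs subvolume delete` first, otherwise the `rm` fails part-way on older kernels. Also "will left behind" should read "will leave behind".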
Line 255: Line 262:
  
 
=== Failed to create some/path/to/file: No space left on device ===
 
=== Failed to create some/path/to/file: No space left on device ===
If you're getting an error message like this:
+
If you are getting an error message like this:
  
 
  ERROR: Failed to create some/path/to/file: No space left on device
 
  ERROR: Failed to create some/path/to/file: No space left on device
Line 261: Line 268:
 
when building or running a Docker image, even though you do have enough disk space available, make sure:
 
when building or running a Docker image, even though you do have enough disk space available, make sure:
  
- [[Tmpfs]] is disabled or has enough memory allocation. Docker might be trying to write files into {{ic|/tmp}} but fails due to restrictions in memory usage and not disk space.
+
* [[Tmpfs]] is disabled or has enough memory allocation. Docker might be trying to write files into {{ic|/tmp}} but fails due to restrictions in memory usage and not disk space.
 
+
* If you are using [[XFS]], you might want to remove the {{ic|noquota}} mount option from the relevant entries in {{ic|/etc/fstab}} (usually where {{ic|/tmp}} and/or {{ic|/var/lib/docker}} reside). Refer to [[Disk quota]] for more information, especially if you plan on using and resizing {{ic|overlay2}} Docker storage driver.
- If you're using [[XFS]], you might want to remove {{ic|noquota}} mount option from the relevant entries in {{ic|/etc/fstab}} (usually where {{ic|/tmp}} and/or {{ic|/var/lib/docker}} reside). Refer to [[Disk quota]] for more information, especially if you plan on using and resizing {{ic|overlay2}} Docker storage driver.
+
* XFS quota mount options ({{ic|uquota}}, {{ic|gquota}}, {{ic|prjquota}}, etc.) fail during re-mount of the file system. To enable quota for root file system, the mount option must be passed to initramfs as a [[kernel parameter]] {{ic|1=rootflags=}}. Subsequently, it should not be listed among mount options in {{ic|/etc/fstab}} for the root ({{ic|/}}) filesystem.
 
 
- XFS quota mount options ({{ic|uquota}}, {{ic|gquota}}, {{ic|prjquota}}, etc.) fail during re-mount of the file system. To enable quota for root file system, the mount option must be passed to initramfs as a [[kernel parameter]] {{ic|1=rootflags=}}. Subsequently, it should not be listed among mount options in {{ic|/etc/fstab}} for the root ({{ic|/}}) filesystem.
 
  
{{Note|There are some differences of XFS Quota compared to standard Linux [[Disk quota]], this article http://inai.de/linux/adm_quota may be worth reading.}}
+
{{Note|There are some differences of XFS Quota compared to standard Linux [[Disk quota]], [http://inai.de/linux/adm_quota] may be worth reading.}}
  
 
== See also ==
 
== See also ==
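Review bot: the second and third bullets only make sense together if the reader already knows that XFS rejects changes to quota mount options on remount; after telling them to remove `noquota` from /etc/fstab, say explicitly that `mount -o remount` will not apply it and the filesystem must be unmounted and mounted again (or the system rebooted). The bare `[http://inai.de/linux/adm_quota]` in the Note renders as "[1]"; give it link text so the reference survives copying.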

Latest revision as of 00:27, 23 April 2018

Docker is a utility to pack, ship and run any application as a lightweight container.

Installation

Install the docker package or, for the development version, the docker-git package from the AUR. Next start and enable docker.service and verify that the daemon answers:

# docker info

If you want to be able to run docker as a regular user, add yourself to the docker group.

Warning: Anyone added to the docker group is root equivalent: the group can talk to the daemon socket, and the daemon (which runs as root) will start a container with --privileged or with the host's root filesystem bind-mounted for whoever asks. Treat membership as passwordless sudo. More information here and here.
Note: As of linux 4.15.0-1 vsyscalls, which are required by certain programs in containers (such as apt-get), have been disabled by default in the kernel configuration. To enable them again, add the vsyscall=emulate kernel parameter. The vsyscall page is a legacy fixed-address mapping that was disabled for a reason, so enable emulation only if you actually need to run such old binaries. More information in FS#57336.

Configuration

Storage driver

The docker storage driver (or graph driver) has a large impact on performance. Its job is to store the layers of container images efficiently: when several images share a layer, only one copy of that layer uses disk space. The compatibility option, devicemapper, offers suboptimal performance, which is outright terrible on rotating disks, and is not recommended in production.

As Arch Linux ships new kernels, there is no point in using the compatibility option. A good, modern choice is overlay2.

To see the current storage driver, run # docker info | head and look at the Storage Driver line; a modern Docker installation should already use overlay2 by default.

To set your own choice of storage driver, create a Drop-in snippet and use -s option to dockerd (use systemctl edit docker):

/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -s overlay2

Note that the ExecStart= line is needed to drop inherited ExecStart.

Further information on options is available on the user guide.

Remote API

To open the Remote API on port 4243 manually, run:

# /usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock

The -H tcp://0.0.0.0:4243 part opens the Remote API on every interface; the -H unix:///var/run/docker.sock part keeps the local socket so the docker command on the host keeps working.

Warning: The API has no authentication of its own. Exposed like this, anyone who can reach port 4243 can run arbitrary commands as root on the host. Bind to 127.0.0.1 or a firewalled interface instead, or require client certificates with --tlsverify together with --tlscacert, --tlscert and --tlskey. By convention the TLS-protected API listens on 2376 and the plaintext one on 2375.

Remote API with systemd

To start the remote API with the docker daemon, create a Drop-in snippet with the following content:

/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock

Daemon socket configuration

The docker daemon listens on a Unix socket by default. To listen on a specified port instead, create a Drop-in snippet with the following content. Socket activation provides no TLS: a listener on 0.0.0.0:2375 gives anyone who can reach that port root-equivalent control of the host, so bind to 127.0.0.1 unless the port is firewalled.

/etc/systemd/system/docker.socket.d/socket.conf
[Socket]
ListenStream=0.0.0.0:2375
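The three snippets above (the manual dockerd invocation, the systemd override and the docker.socket drop-in) all end up exposing the same root-equivalent API; the script below is an added example, not code from the ArchWiki page or from Docker, that audits such a unit file or drop-in and fails if any TCP listener is reachable from beyond loopback without --tlsverify. It assumes that TCP listeners appear either as -H tcp://ADDR:PORT on a dockerd ExecStart= line or as ListenStream=ADDR:PORT in a socket drop-in, and that --tlsverify on the same ExecStart= line is what makes a TCP listener acceptable.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page or from Docker: audit a
# systemd unit or drop-in for Docker API listeners that expose the daemon
# (root-equivalent) over TCP without TLS. Assumptions: TCP listeners appear
# either as "-H tcp://ADDR:PORT" on a dockerd ExecStart= line (override.conf
# above) or as "ListenStream=ADDR:PORT" in a docker.socket drop-in
# (socket.conf above), and "--tlsverify" on the same ExecStart= line is the
# only thing that makes a TCP listener acceptable.

# Print one "ADDR:PORT MODE" line per TCP listener in FILE, MODE being
# "tls" or "insecure". Unix sockets and fd:// are skipped.
dockerd_tcp_listeners() {
    file=$1
    grep -E '^ExecStart=.*dockerd' "$file" | while IFS= read -r line; do
        case $line in
            *--tlsverify*) mode=tls ;;
            *)             mode=insecure ;;
        esac
        printf '%s\n' "$line" | grep -oE 'tcp://[^[:space:]]+' | sed 's#^tcp://##' |
            while IFS= read -r addr; do printf '%s %s\n' "$addr" "$mode"; done
    done
    # Socket activation never does TLS; a bare port means every interface.
    grep -E '^ListenStream=' "$file" | sed 's/^ListenStream=//' | grep -v '^/' |
        while IFS= read -r addr; do printf '%s insecure\n' "$addr"; done
}

# Succeed (0) only if every TCP listener in FILE is loopback-only or
# protected by --tlsverify; otherwise print the offenders and return 1.
dockerd_api_is_safe() {
    bad=$(dockerd_tcp_listeners "$1" | awk '
        $2 == "insecure" && $1 !~ /^(127\.[0-9.]+|localhost|\[::1\]):/ { print }')
    if [ -n "$bad" ]; then
        printf 'unauthenticated Docker API on: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}
```

Source the file and run dockerd_api_is_safe /etc/systemd/system/docker.service.d/override.conf (or the docker.socket drop-in); a non-zero exit with the offending ADDR:PORT on stderr means the daemon is, or will be after the next restart, reachable as root by anyone who can open that port.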

Proxies

Proxy configuration has two parts. The first is the host configuration of the Docker daemon, so that image pulls go through the proxy; the second is the configuration required for processes inside your container to see the proxy.

Proxy configuration

Create a Drop-in snippet with the following content:

/etc/systemd/system/docker.service.d/proxy.conf
[Service]
Environment="HTTP_PROXY=192.168.1.1:8080"
Environment="HTTPS_PROXY=192.168.1.1:8080"
Note: This assumes 192.168.1.1 is your proxy server, do not use 127.0.0.1.

Verify that the configuration has been loaded:

# systemctl show docker --property Environment
Environment=HTTP_PROXY=192.168.1.1:8080 HTTPS_PROXY=192.168.1.1:8080

Container configuration

The settings in the docker.service file do not propagate into containers. To achieve this you must set ENV variables in your Dockerfile thus:

FROM archlinux/base
ENV http_proxy="http://192.168.1.1:3128"
ENV https_proxy="http://192.168.1.1:3128"

The scheme in these URLs is the protocol used to talk to the proxy itself, so for an ordinary HTTP proxy both variables point at an http:// URL even though https_proxy governs HTTPS destinations. Note that ENV bakes the proxy address into the image metadata (it shows up in docker inspect and docker history and applies at run time wherever the image is used); if the proxy is only needed while building, pass it as a build argument (docker build --build-arg http_proxy=...) instead, which Docker treats specially and leaves out of the image history.

Docker provides detailed information on configuration via ENV within a Dockerfile.

Configuring DNS

By default, docker will make resolv.conf in the container match /etc/resolv.conf on the host machine, filtering out local addresses (e.g. 127.0.0.1). If this yields an empty file, then Google DNS servers are used. If you are using a service like dnsmasq to provide name resolution, you may need to add an entry to the /etc/resolv.conf for docker's network interface so that it is not filtered out.

Running Docker with a manually-defined network

If you manually configure your network using systemd-networkd version 220 or higher, containers you start with Docker may be unable to access your network. Beginning with version 220, the forwarding setting for a given network (net.ipv4.conf.<interface>.forwarding) defaults to off. This setting prevents IP forwarding. It also conflicts with Docker, which enables the net.ipv4.conf.all.forwarding setting for its containers.

To work around this, edit the <interface>.network file in /etc/systemd/network/ on your Docker host and add the following block:

/etc/systemd/network/<interface>.network
[Network]
...
IPForward=kernel
...

This configuration allows IP forwarding from the container as expected.

Images location

By default, docker images are located at /var/lib/docker. They can be moved to another partition. First, stop docker.service.

If containers have been run, make sure none of their layers are still mounted (check the output of mount for /var/lib/docker) before copying. Then move the contents of /var/lib/docker to the target destination, preserving ownership, permissions and extended attributes; overlay2 relies on them.

Then add a Drop-in snippet for docker.service, adding the --data-root parameter to the ExecStart:

/etc/systemd/system/docker.service.d/docker-storage.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --data-root=/path/to/new/location/docker -H fd://

Insecure registries

If you use a self-signed certificate for your private registry, Docker will refuse to talk to it until you tell it to. The blunt way is the --insecure-registry flag, which disables certificate verification for that registry and also permits falling back to plain HTTP, so anyone on the network path can serve you tampered images. Prefer placing the CA certificate (or the self-signed certificate itself) at /etc/docker/certs.d/my.registry.name:5000/ca.crt, which keeps verification on and adds a trust anchor for that one registry only. If you must use the flag, add a Drop-in snippet for docker.service, adding the --insecure-registry parameter to dockerd:

/etc/systemd/system/docker.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry my.registry.name:5000
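The safer alternative to the flag above, installing the registry's certificate under certs.d so that TLS verification stays on, as an added example that is not code from the ArchWiki page or from Docker. The certs.d layout (/etc/docker/certs.d/HOST:PORT/ca.crt) is Docker's own; the DOCKER_CERTS_D variable is an assumption of this script so it can be pointed at a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page or from Docker: trust a
# private registry's self-signed certificate without --insecure-registry.
# Docker looks for extra trust anchors in /etc/docker/certs.d/HOST:PORT/ca.crt,
# so verification stays on and only that one registry gains a trust anchor.
# DOCKER_CERTS_D is an assumption of this script (set it to a temporary
# directory to try it out); the certs.d layout is Docker's own.

# trust_registry_ca HOST:PORT CA.pem -> installs CA.pem as ca.crt for the registry
trust_registry_ca() {
    registry=$1     # exactly as written in image references, e.g. my.registry.name:5000
    ca_file=$2      # PEM file with the CA, or the registry's own self-signed certificate
    certs_d=${DOCKER_CERTS_D:-/etc/docker/certs.d}

    case $registry in
        ''|*/*|*' '*)
            printf 'registry must be HOST or HOST:PORT, got "%s"\n' "$registry" >&2
            return 2 ;;
    esac
    # Cheap sanity check; a deployment script would also parse the file with
    # openssl x509 -noout -in "$ca_file" and inspect subject and expiry.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null; then
        printf '"%s" is not a PEM certificate\n' "$ca_file" >&2
        return 2
    fi
    dest=$certs_d/$registry
    mkdir -p "$dest" || return 1
    # A CA certificate is public; the daemon runs as root and only reads it.
    cp "$ca_file" "$dest/ca.crt" && chmod 0644 "$dest/ca.crt"
}

# registry_ca_installed HOST:PORT -> 0 if a non-empty ca.crt exists for it
registry_ca_installed() {
    [ -s "${DOCKER_CERTS_D:-/etc/docker/certs.d}/$1/ca.crt" ]
}
```

Run trust_registry_ca my.registry.name:5000 /path/to/ca.pem as root, then docker pull my.registry.name:5000/image works with full certificate checking and no daemon flag. The registry name must match the host:port used in image references, since that is the directory Docker looks up.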

Images

Arch Linux

The following command pulls the archlinux/base x86_64 image. This is a stripped-down version of the Arch core system without networking tools, etc.

# docker pull archlinux/base

See also README.md.

For a full Arch base, clone the repo from above and build your own image.

$ git clone https://github.com/archlinux/archlinux-docker.git

Edit the packages file so it only contains 'base'. Then run:

# make docker-image

Debian

The following command pulls the debian x86_64 image.

# docker pull debian

Manually

Build Debian image with debootstrap:

# mkdir jessie-chroot
# debootstrap jessie ./jessie-chroot http://http.debian.net/debian/
# cd jessie-chroot
# tar cpf - . | docker import - debian
# docker run -t -i --rm debian /bin/bash

Arch Linux image with snapshot repository

Arch Linux on Docker can become problematic when multiple images are created and updated each having different package versions. To keep Docker containers with consistent package versions, an unofficial Docker image with a snapshot repository is available. This allows installing new packages from the official repository as it was on the day that the snapshot was created.

$ docker pull pritunl/archlinux:latest
$ docker run --rm -t -i pritunl/archlinux:latest /bin/bash

Alternatively, you could use Arch Linux Archive by freezing /etc/pacman.d/mirrorlist:

Server=https://archive.archlinux.org/repos/2020/01/02/$repo/os/$arch

Remove Docker and images

In case you want to remove Docker entirely you can do this by following the steps below:

Note: Do not just copy paste those commands without making sure you know what you are doing.

Check for running containers:

# docker ps

List all containers running on the host for deletion:

# docker ps -a

Stop a running container:

# docker stop <CONTAINER ID>

Killing still running containers:

# docker kill <CONTAINER ID>

Delete all containers listed by ID:

# docker rm <CONTAINER ID>

List all Docker images:

# docker images

Delete all images by ID:

# docker rmi <IMAGE ID>

Delete all Docker data (purge directory). Stop docker.service first, otherwise the daemon recreates files underneath you:

Note: The factual accuracy of this step is disputed: on btrfs, # rm -R /var/lib/docker leaves behind the btrfs subvolumes of the removed containers, which older kernels refuse to rmdir; delete them with btrfs subvolume delete before running rm. (Discuss in Talk:Docker)

# rm -R /var/lib/docker
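The removal steps above as one script, added here as an example that is not code from the ArchWiki page or from Docker. It keeps the order the steps imply (containers, then images, then the daemon, then the data directory) and handles the btrfs case the note above warns about by deleting the per-layer subvolumes before the rm. DOCKER_ROOT is an assumption of the script; /var/lib/docker is Docker's default, and the btrfs/subvolumes subdirectory is where Docker's btrfs storage driver keeps its layer subvolumes.

```shell
#!/bin/sh
# Added example, not code from the ArchWiki page or from Docker: the removal
# steps above as one script. Order matters: containers before images, the
# daemon stopped before the data directory is touched, and on btrfs the
# per-layer subvolumes under DOCKER_ROOT/btrfs/subvolumes deleted with
# btrfs(8) because older kernels refuse to rmdir a subvolume. DOCKER_ROOT is
# an assumption of this script; /var/lib/docker is Docker's default.

DOCKER_ROOT=${DOCKER_ROOT:-/var/lib/docker}

# Stop and delete every container, then every image. Fails if anything is
# left, so the caller never wipes data out from under a live daemon.
docker_remove_everything() {
    ids=$(docker ps -aq)
    if [ -n "$ids" ]; then
        # $ids is deliberately unquoted: one argument per container id
        docker stop $ids >/dev/null || docker kill $ids >/dev/null
        docker rm $ids >/dev/null || return 1
    fi
    images=$(docker images -q | sort -u)
    if [ -n "$images" ]; then
        docker rmi -f $images >/dev/null || return 1
    fi
    [ -z "$(docker ps -aq)" ] && [ -z "$(docker images -q)" ]
}

# Delete the btrfs subvolumes the btrfs storage driver created, if any.
docker_remove_btrfs_subvolumes() {
    subvols=$DOCKER_ROOT/btrfs/subvolumes
    [ -d "$subvols" ] || return 0
    for sv in "$subvols"/*/; do
        [ -d "$sv" ] || continue          # glob matched nothing
        btrfs subvolume delete "$sv" >/dev/null || return 1
    done
}

# docker_purge -> 0 when containers, images, the service and DOCKER_ROOT are gone
docker_purge() {
    docker_remove_everything || return 1
    systemctl stop docker.service docker.socket || return 1
    docker_remove_btrfs_subvolumes || return 1
    rm -r "$DOCKER_ROOT"
}
```

Source the file as root and call docker_purge; each stage returns non-zero and stops the script if something could not be removed, so a container that refuses to die or an image still referenced by another one leaves /var/lib/docker untouched rather than half-deleted.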

Useful tips

To grab the IP address of a running container:

$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' <container-name OR id> 
172.17.0.37

Troubleshooting

docker0 Bridge gets no IP / no internet access in containers

Docker enables IP forwarding by itself, but by default systemd-networkd overrides the respective sysctl setting. Set IPForward=yes in the network profile. See Internet sharing#Enable packet forwarding for details.

Default number of allowed processes/threads too low

If you run into error messages like

# e.g. Java
java.lang.OutOfMemoryError: unable to create new native thread
# e.g. C, bash, ...
fork failed: Resource temporarily unavailable

then you might need to raise the number of processes systemd allows the service. The default (DefaultTasksMax in system.conf) is small for a host running several Docker containers: 512 in the systemd versions that introduced the limit, a percentage of the kernel's pid_max in newer ones. Override it for docker.service with the following snippet. TasksMax=infinity removes the cap entirely; a large finite value keeps some protection against a runaway process.

# systemctl edit docker.service
[Service]
TasksMax=infinity

Error initializing graphdriver: devmapper

If systemctl fails to start docker and provides an error:

Error starting daemon: error initializing graphdriver: devmapper: Device docker-8:2-915035-pool is not a thin pool

Then, try the following steps to resolve the error. Stop the service, back up /var/lib/docker/ (if desired), remove the contents of /var/lib/docker/, and try to start the service. See the open GitHub issue for details.

Failed to create some/path/to/file: No space left on device

If you are getting an error message like this:

ERROR: Failed to create some/path/to/file: No space left on device

when building or running a Docker image, even though you do have enough disk space available, make sure:

  • Tmpfs is disabled or has enough memory allocation. Docker might be trying to write files into /tmp but fails due to restrictions in memory usage and not disk space.
  • If you are using XFS, you might want to remove the noquota mount option from the relevant entries in /etc/fstab (usually where /tmp and/or /var/lib/docker reside). Refer to Disk quota for more information, especially if you plan on using and resizing overlay2 Docker storage driver.
  • XFS quota mount options (uquota, gquota, prjquota, etc.) fail during re-mount of the file system. To enable quota for root file system, the mount option must be passed to initramfs as a kernel parameter rootflags=. Subsequently, it should not be listed among mount options in /etc/fstab for the root (/) filesystem.
Note: XFS quota differs in some respects from the standard Linux Disk quota; http://inai.de/linux/adm_quota may be worth reading.

See also