Docker

From ArchWiki
Revision as of 22:06, 8 August 2015 by Masterslave (talk | contribs) (Skype: recommending docker for security purposes is misleading at best, see http://opensource.com/business/14/7/docker-security-selinux)
Jump to: navigation, search

Docker is a utility to pack, ship and run any application as a lightweight container.

Installation

Install the docker package or, for the i686 architecture, the docker-gitAUR package. Next enable docker.service and verify operation:

# docker info

If you want to be able to run docker as a regular user, add yourself to the docker group:

# gpasswd -a user docker

Then re-login or to make your current user session aware of this new group, you can use:

$ newgrp docker

Configuration

Proxies

Proxy configuration is broken down into two. First is the host configuration of the Docker daemon, second is the configuration required for your container to see your proxy.

Daemon Proxy Configuration

Copy /usr/lib/systemd/system/docker.service to /etc/systemd/system/docker.service. Then edit /etc/systemd/system/docker.service, where http_proxy is your proxy server and -g <path> is your docker home. The path defaults to /var/lib/docker.

[Service]
Environment="http_proxy=192.168.1.1:3128"
Note: This assumes 192.168.1.1 is your proxy server, do not use 127.0.0.1.

Container Configuration

The settings in the docker.service file will not translate into containers. To achieve this you must set ENV variables in your Dockerfile thus:

 FROM base/archlinux
 ENV http_proxy="http://192.168.1.1:3128"
 ENV https_proxy="https://192.168.1.1:3128"

Docker provide detailed information on configuration via ENV within a Dockerfile.

Daemon Socket Configuration

The docker daemon listens to a Unix socket by default. To listen on a specified port instead, edit /etc/systemd/system/docker.socket, where ListenStream is the used port:

[Socket]
ListenStream=0.0.0.0:2375

Docker 0.9.0 -- 1.2.x and LXC

Since version 0.9.0 Docker provides a new way to start containers without relying on a LXC library called libcontainer.

The lxc exec driver and the -lxc-conf option may also be removed in the near future, [1]

Hence, you will not be able to use lxc-attach with containers managed by Docker 0.9.0+ by default. It is required to make Docker daemon run with -e lxc as an argument.

You can create a file named lxc.conf under /etc/systemd/system/docker.service.d/ with the following contents:

[Service]
ExecStart=
ExecStart=/usr/bin/docker -d -e lxc

Images

Arch Linux

x86_64

The following command pulls x86_64 Images.

# docker pull base/archlinux

i686

The default Arch Linux image in Docker Registry is for x86_64 only. i686 image must be built manually.

Build Image

Instead, check docker base/archlinux registry and click the mkimage-arch.sh link to download mkimage-arch.sh and mkimage-arch-pacman.conf to the same directory as raw files. Next, make the script executable and run it:

$ chmod +x mkimage-arch.sh
$ cp /etc/pacman.conf ./mkimage-arch-pacman.conf # or get a pacman.conf from somewhere else
$ LC_ALL=C ./mkimage-arch.sh # LC_ALL=C because the script parses the console output
# docker run -t -i --rm archlinux /bin/bash # try it

For slow network connections or CPU, the build timeout can be extended:

$ sed -i 's/timeout 60/timeout 120/' mkimage-arch.sh

Debian

Build Debian image with debootstrapAUR from the AUR:

# mkdir wheezy-chroot
# debootstrap wheezy ./wheezy-chroot http://http.debian.net/debian/
# cd wheezy-chroot
# tar cpf - . | docker import - debian
# docker run -t -i --rm debian /bin/bash

ArchLinux image with snapshot repository

Archlinux on Docker can become problematic when multiple images are created and updated each having different package versions. To keep Docker containers with consistent package versions a Docker image with a snapshot repository is available. This allows installing new packages from the official repository as it was on the day that the snapshot was created.

$ docker pull pritunl/archlinux:latest
$ docker run --rm -t -i pritunl/archlinux:latest /bin/bash

Useful tips

To grab the IP address of a running container:

$ docker inspect --format '{{ .NetworkSettings.IPAddress }}' <container-name OR id> 
172.17.0.37

Troubleshooting

Docker info errors out

If running docker info gives an error that looks like this:

 FATA[0000] Get http:///var/run/docker.sock/v1.17/info: read unix /var/run/docker.sock: connection reset by peer. Are you trying to connect to a TLS-enabled daemon without TLS? 


then you might not have the bridge module loaded. You can check for it by running lsmod . If it isn't loaded, you can try to load it with modprobe or simply reboot (a reboot might be required if you have upgraded your kernel recently without rebooting and the bridge module was built for the more recent kernel.)

See this issue on GitHub for more information.

See also