Although Red Hat has developed podman and buildah, its own tools for working with containers, which come with some important advantages such as a daemonless architecture, you may want to continue using the original Docker software on Fedora. In this tutorial we will explore the options available on the latest release of the distribution, and see how to apply the fixes needed for Docker to work correctly.
In this tutorial you will learn:
- How to install moby-engine
- How to install docker-ce
- How to apply the workarounds needed to make Docker run correctly on Fedora 32
Software Requirements and Conventions Used
|Category|Requirements, Conventions or Software Version Used|
|---|---|
|Software|No specific software is needed to follow this tutorial|
|Other|Root permissions to perform administrative tasks|
|Conventions|# – requires given linux commands to be executed with root privileges either directly as a root user or by use of|
||$ – requires given linux commands to be executed as a regular non-privileged user|
Moby-engine vs Docker-ce
There are two ways we can obtain docker on Fedora 32: we can install the “docker” package from the official distribution repositories, or add the docker-ce ones and install the needed packages from there. If we choose the first option, the moby-engine package will be installed on our distribution instead of the actual docker release. If we choose the second one, we will obtain the latest release of the community edition of the “official”
What is the difference between the two? “Moby” is an “upstream” open-source project created by docker to make it easier to distribute and divide its codebase into multiple components. The software we obtain by installing moby-engine directly from the official Fedora repository is packaged by the distribution on the basis of this upstream project, while docker-ce (and also docker-ee – Enterprise Edition) is the product created by the docker project on the same base. Both are released under an open source license and are freely available.
In this tutorial we will see how to perform the installation of moby-engine, and we will also see how to apply the fixes needed to make docker work correctly on the latest version of Fedora.
Installing moby-engine from the official repositories
Installing moby-engine is the easiest and quickest way to work with containers using the docker client-server architecture on the distribution. All we have to do is use dnf, the Fedora package manager, and run the following command:
$ sudo dnf install docker
Last metadata expiration check: 1:38:14 ago on Sun 03 May 2020 02:22:22 PM CEST.
Dependencies resolved.
================================================================================
 Package            Arch    Version                          Repo       Size
================================================================================
Installing:
 moby-engine        x86_64  19.03.8-1.ce.gitafacb8b.fc32     fedora     51 M
Installing dependencies:
 container-selinux  noarch  2:2.132.0-1.fc32                 updates    48 k
 containerd         x86_64  1.3.3-1.fc32                     updates    32 M
 libbsd             x86_64  0.10.0-2.fc32                    fedora    106 k
 libnet             x86_64  1.1.6-19.fc32                    fedora     64 k
 runc               x86_64  2:1.0.0-144.dev.gite6555cc.fc32  fedora    2.7 M
Installing weak dependencies:
 criu               x86_64  3.13-5.fc32                      fedora    492 k
Transaction Summary
================================================================================
Install  7 Packages
Total download size: 86 M
Installed size: 314 M
Is this ok [y/N]:
As you can see, even though we specified docker as the package, moby-engine 19.03.8-1.ce.gitafacb8b.fc32 will actually be installed, together with its dependencies.
Docker community edition (ce) is the “official” Docker version, which, as we said before, is based on the moby-project. Installing it on Fedora 32 requires more steps. If you previously installed the version of docker available from the Fedora repositories (moby-engine), please be sure to uninstall it by running the following command:
$ sudo dnf autoremove docker
If you previously built some images or created containers or volumes, don’t worry: they will be preserved.
Once we are sure previously installed packages are removed from our system, we can add the docker-ce repository to our distribution software sources, so we can stay up to date with future releases. The first thing we have to do is to download the
$ curl -O https://download.docker.com/linux/fedora/docker-ce.repo
If we open the file with our favorite text editor, we can see that the section relative to docker-ce-stable is marked as enabled:
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
When dnf parses the .repo file, the $releasever variable is expanded, as its name suggests, to the distribution release version, in this case 32. Since at the moment of writing there is not a docker-ce repository explicitly dedicated to Fedora 32, we have to substitute this variable with a static value, 31, the previous Fedora release. We can easily perform the change using the
# Be sure to use single quotes!
$ sed -i 's/$releasever/31/g' docker-ce.repo
With the command above we substituted every occurrence of $releasever in the file with 31. For the command to work correctly the substitution pattern must be enclosed in single quotes as we did above (or the $ character must be escaped).
As you can see, only the stable branch of the repository is enabled by default (enabled=1). I suggest leaving it this way, unless you have some specific requirement.
To make dnf use the docker-ce repository, we must move the .repo file to the
$ sudo mv docker-ce.repo /etc/yum.repos.d/
At this point we can issue the following command to install the docker-ce packages we need:
$ sudo dnf install docker-ce docker-ce-cli containerd.io
Docker CE Stable - x86_64                        17 kB/s | 8.9 kB     00:00
Dependencies resolved.
==================================================================================================================================
 Package                 Architecture     Version                  Repository             Size
==================================================================================================================================
Installing:
 containerd.io           x86_64           1.2.13-3.1.fc31          docker-ce-stable       23 M
 docker-ce               x86_64           3:19.03.8-3.fc31         docker-ce-stable       23 M
 docker-ce-cli           x86_64           1:19.03.8-3.fc31         docker-ce-stable       39 M
Installing dependencies:
 container-selinux       noarch           2:2.132.0-1.fc32         updates                48 k
 libcgroup               x86_64           0.42.2-1.fc32            fedora                 68 k
Transaction Summary
==================================================================================================================================
Install  5 Packages
Total download size: 85 M
Installed size: 363 M
Is this ok [y/N]:
Confirm the installation to proceed. You will also be prompted to accept the GPG key of the newly installed repository.
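A check worth running on the downloaded file before it is moved into /etc/yum.repos.d/, given here as an added example that is not part of the original tutorial. The function name check_repo and the sample files are assumptions; it flags any enabled section that lacks gpgcheck=1, uses a non-HTTPS baseurl or gpgkey, or still contains $releasever, which this page replaces with 31.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): lint a dnf .repo file.
# check_repo FILE prints one line per problem found in an enabled section
# and returns 0 only when no problem was found.
check_repo() {
  awk -F= '
    function report() {
      if (sec == "" || en != "1") return          # skip disabled sections
      if (gpg != "1")           { print sec ": gpgcheck is not 1"; bad++ }
      if (url !~ /^https:\/\//) { print sec ": baseurl is not https"; bad++ }
      if (key !~ /^https:\/\//) { print sec ": gpgkey is not https"; bad++ }
      if (url ~ /\$releasever/) { print sec ": $releasever was not replaced"; bad++ }
    }
    /^\[.*\]$/ { report(); sec = $0; en = gpg = url = key = ""; next }
    { k = $1; v = substr($0, length($1) + 2) }    # value = text after first "="
    k == "enabled"  { en = v }
    k == "gpgcheck" { gpg = v }
    k == "baseurl"  { url = v }
    k == "gpgkey"   { key = v }
    END { report(); exit (bad > 0) }
  ' "$1"
}

# Constructed samples: the stanza shown on this page after the sed step, and
# a deliberately weakened copy (signature checking off, plain http mirror).
demo_dir=$(mktemp -d)
cat > "$demo_dir/good.repo" <<'EOF'
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/31/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
EOF
sed -e 's/^gpgcheck=1/gpgcheck=0/' -e 's/^baseurl=https/baseurl=http/' \
  "$demo_dir/good.repo" > "$demo_dir/weak.repo"
check_repo "$demo_dir/good.repo" && echo "good.repo: ok"
check_repo "$demo_dir/weak.repo" || echo "weak.repo: rejected"
```

Sections with enabled=0 are ignored, so the other branches in the real docker-ce.repo do not produce findings unless they are switched on.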
Start the docker daemon
Whether we installed docker-ce from the dedicated repository or the moby-engine, once the packages are installed, to actually work with containers we need to start the docker daemon, and optionally have it launched automatically at boot. To perform both operations we can use the systemctl command and run:
$ sudo systemctl enable --now docker
At this point we have docker-ce or moby-engine installed on our system, and the daemon running. There are however some adjustments we need to perform for docker to work correctly on our distribution.
Enable backward-compatibility for cgroups
Since Fedora 31, the distribution sponsored by Red Hat has switched to cgroup v2 (Control Groups) by default. Cgroups are a mechanism included in the Linux kernel, used to organize processes hierarchically and distribute resources accordingly. Docker doesn’t yet support version 2 of cgroups, therefore we must disable it. To do so, we must pass the systemd.unified_cgroup_hierarchy=0 parameter to the kernel at boot. With administrative privileges, open the /etc/default/grub file. Its content should be similar to this:
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true
On the GRUB_CMDLINE_LINUX line, we just need to add the parameter we mentioned above, so that it looks this way:
GRUB_CMDLINE_LINUX="rhgb quiet systemd.unified_cgroup_hierarchy=0"
Once done, save the modified file and rebuild the grub configuration:
$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg
To make the changes effective, we need to reboot the machine.
Fix dns not working inside docker
Let’s now try to run a very simple container based on the official busybox image. We use it to run a very simple ping command on www.google.com. This is the result:
$ sudo docker run --rm -it busybox ping -c 3 www.google.com
ping: bad address 'www.google.com'
As you can see, an error is generated. The ping command complains about www.google.com being a bad address, but this actually happens because DNS resolution doesn’t work inside the container. Why does this happen? When docker runs, it needs to perform some firewall adjustments and use IP masquerading. This behavior is blocked by firewalld, the default firewall manager installed on Fedora. The easiest way to solve the problem is to explicitly add the docker0 interface to the trusted firewall zone. We can do it via the
$ sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0 && sudo firewall-cmd --reload
At this point, if we retry the ping command via the busybox-based container, it should work correctly:
$ sudo docker run --rm -it busybox ping -c 3 www.google.com
PING www.google.com (126.96.36.199): 56 data bytes
64 bytes from 188.8.131.52: seq=0 ttl=51 time=31.559 ms
64 bytes from 184.108.40.206: seq=1 ttl=51 time=30.417 ms
64 bytes from 220.127.116.11: seq=2 ttl=51 time=30.154 ms
--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 30.154/30.710/31.559 ms
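A way to confirm, after the reboot, that both workarounds are in the state this tutorial intends, given as an added example that is not part of the original article. The function name audit_host and the sample inputs are assumptions; because firewalld's trusted zone accepts all connections on the interfaces bound to it, the check also reports any interface other than docker0 found there.

```bash
#!/usr/bin/env bash
# Added example (not from the original tutorial): audit the two workarounds.
# audit_host CMDLINE CGROUP_FSTYPE TRUSTED_IFACES
#   CMDLINE         contents of /proc/cmdline
#   CGROUP_FSTYPE   output of: stat -fc %T /sys/fs/cgroup
#   TRUSTED_IFACES  output of: firewall-cmd --zone=trusted --list-interfaces
# Prints one finding per line and returns the number of findings.
audit_host() {
  local cmdline=$1 fstype=$2 ifaces=$3 n=0 seen=0 i
  case " $cmdline " in
    *" systemd.unified_cgroup_hierarchy=0 "*) ;;
    *) echo "kernel: systemd.unified_cgroup_hierarchy=0 is not on the command line"
       n=$((n + 1)) ;;
  esac
  case "$fstype" in
    tmpfs) ;;                      # cgroup v1 layout, what this page needs
    cgroup2fs) echo "cgroup: v2 unified hierarchy is still mounted"; n=$((n + 1)) ;;
    *) echo "cgroup: unexpected filesystem type '$fstype'"; n=$((n + 1)) ;;
  esac
  for i in $ifaces; do
    if [ "$i" = docker0 ]; then
      seen=1
    else
      echo "firewalld: $i is also in the trusted zone"; n=$((n + 1))
    fi
  done
  if [ "$seen" -ne 1 ]; then
    echo "firewalld: docker0 is not in the trusted zone"; n=$((n + 1))
  fi
  return "$n"
}

if [ "${1:-}" = "--live" ]; then
  # Read the real values from the running host (firewall-cmd may need root).
  audit_host "$(cat /proc/cmdline)" "$(stat -fc %T /sys/fs/cgroup)" \
             "$(firewall-cmd --zone=trusted --list-interfaces)"
else
  # Constructed inputs describing a host where both fixes are in place.
  audit_host "ro rhgb quiet systemd.unified_cgroup_hierarchy=0" tmpfs "docker0" \
    && echo "no findings"
fi
```

Run it with --live on the Fedora host to check the actual kernel command line, cgroup mount and trusted zone.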
In this tutorial we learned the difference between moby-engine and docker-ce, and we learned how to install them on Fedora 32. We also saw how to apply the two fixes needed to run Docker correctly on the distribution. After reading this article you should hopefully have a working setup.