How to install and configure Docker-ce/Moby Engine on Fedora 32

Although Red Hat has developed podman and buildah, its own tools to work with containers, which come with some important advantages like a daemonless architecture, you may want to continue using the original Docker software on Fedora. In this tutorial we will explore the options available on the latest release of the distribution, and we will see how to apply the fixes needed for Docker to work correctly.

In this tutorial you will learn:

  • How to install moby-engine
  • How to install docker-ce
  • How to apply the workarounds needed to make Docker run correctly on Fedora 32

Software Requirements and Conventions Used

Software Requirements and Linux Command Line Conventions

Category | Requirements, Conventions or Software Version Used
System | Fedora 32
Software | No specific software is needed to follow this tutorial
Other | Root permissions to perform administrative tasks
Conventions | # – requires given linux commands to be executed with root privileges, either directly as the root user or by use of the sudo command; $ – requires given linux commands to be executed as a regular non-privileged user

Moby-engine vs Docker-ce

There are two ways we can obtain docker on Fedora 32: we can install the “docker” package from the official distribution repositories, or add the docker-ce ones and install the needed packages from there. If we choose the first option, the moby-engine package will be installed on our distribution instead of the actual docker release. If we choose the second one, we will obtain the latest release of the community edition of the “official” docker-engine.

What is the difference between the two? “Moby” is an “upstream” open-source project created by docker in order to easily distribute and divide its codebase into multiple components. The software we obtain by installing moby-engine directly from the official Fedora repository is packaged by the distribution on the basis of this upstream project, while docker-ce (and also docker-ee – Enterprise Edition) is the product created by the docker project on the same base. Both are released under an open source license and are freely available.

In this tutorial we will see how to perform the installation of docker-ce or moby-engine, and we will also see how to apply the fixes needed to make docker work correctly on the latest version of Fedora.

Installing moby-engine from the official repositories

Installing moby-engine is the easiest and quickest way to work with containers using the docker client-server architecture on the distribution. All we have to do is use dnf, the Fedora package manager, and run the following command:

$ sudo dnf install docker
Last metadata expiration check: 1:38:14 ago on Sun 03 May 2020 02:22:22 PM CEST.
Dependencies resolved.
================================================================================
 Package             Arch     Version                           Repo       Size
================================================================================
Installing:
 moby-engine         x86_64   19.03.8-1.ce.gitafacb8b.fc32      fedora     51 M
Installing dependencies:
 container-selinux   noarch   2:2.132.0-1.fc32                  updates    48 k
 containerd          x86_64   1.3.3-1.fc32                      updates    32 M
 libbsd              x86_64   0.10.0-2.fc32                     fedora    106 k
 libnet              x86_64   1.1.6-19.fc32                     fedora     64 k
 runc                x86_64   2:1.0.0-144.dev.gite6555cc.fc32   fedora    2.7 M
Installing weak dependencies:
 criu                x86_64   3.13-5.fc32                       fedora    492 k

Transaction Summary
================================================================================
Install  7 Packages

Total download size: 86 M
Installed size: 314 M
Is this ok [y/N]:


As you can see, even though we specified docker as the package name, moby-engine version 19.03.8-1.ce.gitafacb8b.fc32 will actually be installed, together with its dependencies.

Installing docker-ce

Docker community edition (ce) is the “official” Docker version, which, as we said before, is based on the moby project. Installing it on Fedora 32 requires more steps. If you previously installed the version of docker available from the Fedora repositories (moby-engine), please be sure to uninstall it by running the following command:

$ sudo dnf autoremove docker

If you previously built some images or created containers or volumes, don’t worry: they will be preserved.

Once we are sure previously installed packages are removed from our system, we can add the docker-ce repository to our distribution software sources, so we can stay up to date with future releases. The first thing we have to do is to download the docker-ce.repo file:

$ curl -O https://download.docker.com/linux/fedora/docker-ce.repo

If we open the file with our favorite text editor, we can see that the section relative to docker-ce-stable is marked as enabled:

[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg

When dnf parses the .repo file, the $releasever variable is expanded, as its name suggests, to the distribution release version, in this case 32. Since at the moment of writing there is not a docker-ce repository explicitly dedicated to Fedora 32, we have to substitute this variable with a static value, 31, the previous Fedora release. We can easily perform the change using the sed command:

# Be sure to use single quotes!
$ sed -i 's/$releasever/31/g' docker-ce.repo

With the command above we substituted every occurrence of $releasever in the file with 31. For the command to work correctly the substitution pattern must be enclosed in single quotes as we did above (or the $ character must be escaped).

As you can see, only the stable branch of the repository is enabled by default (enabled=1). I suggest leaving it this way, unless you have some specific requirement.
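
As an added example (not part of the original tutorial or of Docker's packaging), the script below performs the same $releasever substitution and then checks that every enabled section of the edited file still has gpgcheck=1, an HTTPS baseurl and a gpgkey, before the file is handed to dnf. The function names, the sample file and its example-weak section are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: pin and audit a .repo file.

# pin_releasever FILE VERSION: replace every literal $releasever in FILE.
pin_releasever() {
    case $2 in ''|*[!0-9]*) echo "version must be numeric" >&2; return 2 ;; esac
    # Single quotes stop the shell expanding $releasever; in a basic regex
    # a "$" that is not at the end of the pattern is a literal dollar sign.
    sed -i 's/$releasever/'"$2"'/g' "$1"
}

# audit_repo FILE: print one line per problem found in a section that dnf
# would use (enabled=1 or no enabled key); return non-zero if any is found.
audit_repo() {
    awk -F= '
        function check() {
            if (sec == "" || en != "1") return
            if (gpg != "1")                  { print sec ": gpgcheck is not 1";           bad = 1 }
            if (url !~ /^https:\/\//)        { print sec ": baseurl is not https";        bad = 1 }
            if (key !~ /^(https|file):\/\//) { print sec ": gpgkey is not https or file"; bad = 1 }
            if (url ~ /\$releasever/)        { print sec ": releasever is not pinned";    bad = 1 }
        }
        /^\[/            { check(); sec = $0; en = "1"; gpg = url = key = ""; next }
        $1 == "enabled"  { en  = $2 }
        $1 == "gpgcheck" { gpg = $2 }
        $1 == "baseurl"  { url = $2 }
        $1 == "gpgkey"   { key = $2 }
        END              { check(); exit bad + 0 }
    ' "$1"
}

# Constructed sample: the stable section shown above, plus a made-up
# section (example-weak) carrying the settings the audit should reject.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/$releasever/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg

[example-weak]
baseurl=http://mirror.example/fedora/31/$basearch/stable
enabled=1
gpgcheck=0
EOF
pin_releasever "$sample" 31
audit_repo "$sample" || echo "audit failed: do not install this file"
```

On the real file, run audit_repo docker-ce.repo after the sed step and move the file to /etc/yum.repos.d only if it prints nothing.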

To make dnf use the docker-ce repository, we must move the .repo file to the /etc/yum.repos.d directory:

$ sudo mv docker-ce.repo /etc/yum.repos.d/

At this point we can issue the following command to install the docker-ce packages we need:

$ sudo dnf install docker-ce docker-ce-cli containerd.io
Docker CE Stable - x86_64                                                                          17 kB/s | 8.9 kB     00:00
Dependencies resolved.
==================================================================================================================================
 Package                           Architecture           Version                          Repository                        Size
==================================================================================================================================
Installing:
 containerd.io                     x86_64                 1.2.13-3.1.fc31                  docker-ce-stable                  23 M
 docker-ce                         x86_64                 3:19.03.8-3.fc31                 docker-ce-stable                  23 M
 docker-ce-cli                     x86_64                 1:19.03.8-3.fc31                 docker-ce-stable                  39 M
Installing dependencies:
 container-selinux                 noarch                 2:2.132.0-1.fc32                 updates                           48 k
 libcgroup                         x86_64                 0.42.2-1.fc32                    fedora                            68 k

Transaction Summary
==================================================================================================================================
Install  5 Packages

Total download size: 85 M
Installed size: 363 M
Is this ok [y/N]:

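Confirm the installation to proceed. You will also be prompted to accept the GPG key of the newly added repository; compare the fingerprint dnf displays with the one published in Docker's installation documentation before accepting it.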

Start the docker daemon

Whether we installed docker-ce from the dedicated repository or moby-engine, once the packages are installed we need to start the docker daemon to actually work with containers, and optionally have it launched automatically at boot. To perform both operations we can use the systemctl command and run:

$ sudo systemctl enable --now docker

At this point we have docker-ce or moby-engine installed on our system, and the daemon running. There are however some adjustments we need to perform for docker to work correctly on our distribution.

Enable backward-compatibility for cgroups

Since Fedora 31, the distribution sponsored by Red Hat has switched to cgroup v2 (Control Groups) by default. Cgroups is a mechanism included in the Linux kernel, used to organize processes hierarchically and distribute resources accordingly. Docker doesn’t yet support version 2 of cgroups, therefore we must disable it. To do so, we must pass the systemd.unified_cgroup_hierarchy=0 parameter to the kernel at boot. With administrative privileges, open the /etc/default/grub file. Its content should be similar to this:

GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_DISABLE_RECOVERY="true"
GRUB_ENABLE_BLSCFG=true

In the GRUB_CMDLINE_LINUX line, we just need to add the parameter we mentioned above, so that it looks this way:

GRUB_CMDLINE_LINUX="rhgb quiet systemd.unified_cgroup_hierarchy=0"

Once done, save the modified file and rebuild the grub configuration:

$ sudo grub2-mkconfig -o /boot/grub2/grub.cfg

To make the changes effective, we need to reboot the machine.
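
An added example (not from the original tutorial): the GRUB edit described above, done idempotently on a file passed as an argument, with two checks to run after the reboot. The function names and the sample file are constructed for illustration; the presence of cgroup.controllers at the mount point is used as the marker for the unified (v2) hierarchy.

```bash
#!/usr/bin/env bash
# Added example, not from the original tutorial: idempotent GRUB edit and
# post-reboot checks for the cgroup layout.

# add_kernel_arg FILE ARG: append ARG to GRUB_CMDLINE_LINUX in FILE unless
# it is already there. Returns 1 if FILE has no such quoted variable.
add_kernel_arg() {
    gk_line=$(grep -m1 '^GRUB_CMDLINE_LINUX="' "$1") || return 1
    gk_val=${gk_line#GRUB_CMDLINE_LINUX=\"}   # drop the variable name
    gk_val=${gk_val%%\"*}                     # drop the closing quote
    case " $gk_val " in *" $2 "*) return 0 ;; esac   # already present
    cp -p "$1" "$1.bak"                       # keep a copy to roll back to
    sed -i "s|^\(GRUB_CMDLINE_LINUX=\".*\)\"|\1 $2\"|" "$1"
}

# cgroup_mode [ROOT]: the unified (v2) hierarchy exposes cgroup.controllers
# at its mount point; the v1 and hybrid layouts do not.
cgroup_mode() {
    if [ -f "${1:-/sys/fs/cgroup}/cgroup.controllers" ]; then echo v2; else echo v1; fi
}

# cmdline_has ARG [FILE]: was the running kernel booted with ARG?
cmdline_has() {
    case " $(cat "${2:-/proc/cmdline}" 2>/dev/null) " in *" $1 "*) return 0 ;; esac
    return 1
}

# Constructed sample: a copy of some /etc/default/grub lines shown above.
grub=$(mktemp)
cat > "$grub" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_CMDLINE_LINUX="rhgb quiet"
GRUB_ENABLE_BLSCFG=true
EOF
arg=systemd.unified_cgroup_hierarchy=0
add_kernel_arg "$grub" "$arg"
add_kernel_arg "$grub" "$arg"      # second run changes nothing
grep '^GRUB_CMDLINE_LINUX' "$grub"
echo "this host currently uses cgroup $(cgroup_mode)"
cmdline_has "$arg" || echo "kernel was not booted with $arg"
```

On a real system, run add_kernel_arg as root against /etc/default/grub, rebuild the grub configuration as shown above, and after the reboot expect cgroup_mode to print v1.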



Fix dns not working inside docker

Let’s now try to run a very simple container based on the official busybox image. We use it to run a very simple ping command on www.google.com. This is the result:

$ sudo docker run --rm -it busybox ping -c 3 www.google.com
ping: bad address 'www.google.com'

As you can see, an error is generated. The ping command complains about www.google.com being a bad address, but this actually happens because dns resolution doesn’t work inside the container. Why does this happen? When docker runs, it needs to perform some firewall adjustments and use IP masquerading. This behavior is blocked by firewalld, the default firewall manager installed on Fedora. The easiest way to solve the problem is to explicitly add the docker0 interface to the trusted firewall zone. Keep in mind that the trusted zone accepts all incoming connections, so firewalld will no longer filter traffic from containers attached to docker0 to services on the host. We can make the change via the firewall-cmd utility:

$ sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0 && sudo firewall-cmd --reload

At this point, if we retry the ping command via the busybox-based container, it should work correctly:

$ sudo docker run --rm -it busybox ping -c 3 www.google.com
PING www.google.com (216.58.198.36): 56 data bytes
64 bytes from 216.58.198.36: seq=0 ttl=51 time=31.559 ms
64 bytes from 216.58.198.36: seq=1 ttl=51 time=30.417 ms
64 bytes from 216.58.198.36: seq=2 ttl=51 time=30.154 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 30.154/30.710/31.559 ms

Conclusions

In this tutorial we learned the difference between moby-engine and docker-ce and we learned how to install them on Fedora 32. We also saw how to apply the two fixes needed to run Docker correctly on the distribution. After reading this article you should hopefully have a working setup.