Notice
Docker (HOW-TO)
This thread also has a how-to guide on how to install Docker on ClearOS 7.x. Please scroll down for the how-to.
Link to how-to post in this thread.
Hi,
Out of curiosity has anyone already fiddled with docker on ClearOS 7.1 Community?
Edit Saturday, 5 March 2016: Here is some information from the Docker site:
What is Docker?
Docker containers wrap up a piece of software in a complete filesystem that contains everything it needs to run: code, runtime, system tools, system libraries – anything you can install on a server. This guarantees that it will always run the same, regardless of the environment it is running in.
How is this different from virtual machines?
Hypervisor:
Docker:
Edit Monday, 7 March 2016: Note: Docker is coming to ClearOS
Edit Friday, 25 March 2016: The original Docker topic can be found HERE. This was a feature request for ClearVM. I started this topic with the question of whether someone had already fiddled with Docker on ClearOS Community. Later I started an investigation into how to install Docker on ClearOS Community; you can find this information in this thread. One thing I can say: Docker is really awesome!!!
Accepted Answer
@Marcel
Currently working on planning to get Docker to run on ClearOS and then ClearVM. Here is a projected Roadmap specifically focusing on ClearVM.
NOTE: We are currently looking to update the ClearVM installer and then the integrations between ClearOS and ClearVM.
Thank you for all you do and your patience as new chapter(s) are opening.
Responses (72)
-
Accepted Answer
Nick Howitt wrote:
You can't really disable the firewall. It is too integrated in ClearOS. You may be able to hack the start up file, /usr/lib/systemd/system/firewall.service, but the file will get updated every time the firewall updates. Alternatively you could override the file by creating an overriding file somewhere in /etc/systemd/system, but you'll have to google it.
I have done something else:
In the files /usr/libexec/firewall/exec-stop.sh and exec-start.sh I commented out the lines with firewall_stop and firewall_start.
So the command does nothing when systemctl restart firewall is called...
For me that is fine, as I just have to remember to execute those commands when the server restarts... -
Accepted Answer
You can't really disable the firewall. It is too integrated in ClearOS. You may be able to hack the start up file, /usr/lib/systemd/system/firewall.service, but the file will get updated every time the firewall updates. Alternatively you could override the file by creating an overriding file somewhere in /etc/systemd/system, but you'll have to google it. -
Accepted Answer
I have a question: I have the Firewall disabled in my ClearOS because I don't need it, my ClearOS Server is in a safe environment and the firewall is provided by a dedicated hardware firewall.
I've installed docker and everything is running fine until iptables are reloaded somehow and all the docker rules are cleared. I then have to restart docker to let it create all the rules.
But why? How can I disable the reload and the clearing of the iptable rules by ClearOS? -
Accepted Answer
Docker and ClearOS7 with a firewall do not play well together. For your container you need to start docker at the command line then snapshot the firewall (both the filter and nat tables). Then flip "DOCKER_NETWORK_OPTIONS='--iptables=false'" to true and start your container. Then snapshot the firewall again. Then do a diff of the firewall snapshots. All the extra rules you need to add by hand, but I take a short cut and don't add a bunch of individual port rules if I can do it for a whole IP. Then edit the following to make your required rules work permanently:
#!/bin/bash
function get_firewall_rules()
{
    ${IPTABLES} -nv --line-numbers -t $1 -L $2 | grep $ClearglassIF | awk '{ print $1 }' | sort -rn
}
function delete_firewall_rules()
{
    for chain in $2; do
        RULE_IDS=$(get_firewall_rules $1 $2)
        [ -z "$RULE_IDS" ] && continue
        for rule_id in $RULE_IDS; do
            ${IPTABLES} -t $1 -D $2 ${rule_id}
        done
    done
}
function clear_stale_rules()
{
    # filter table
    table='filter'
    CHAINS="INPUT FORWARD OUTPUT DOCKER DOCKER-ISOLATION"
    for chain in $CHAINS; do
        delete_firewall_rules ${table} ${chain}
    done
    # nat table
    table='nat'
    CHAINS="POSTROUTING DOCKER"
    for chain in $CHAINS; do
        delete_firewall_rules ${table} ${chain}
    done
}
# Check firewall flag
#--------------------
RUN_HOOK='yes'
if [ -e /etc/clearos/docker.conf ]; then
    CHECK=$(grep -i '^enable_firewall[[:space:]]*=[[:space:]]*no' /etc/clearos/docker.conf 2>/dev/null)
    if [ -n "$CHECK" ]; then
        RUN_HOOK='no'
    fi
fi
# Firewall hook
#--------------
if [ "$RUN_HOOK" == 'yes' ]; then
    # Check the state file exists; if not, initialise the file/parameter
    CHECK=$(grep '^clearglass_interface' /var/clearos/clearglass_community/clearglass.state 2>/dev/null)
    if [ -z "$CHECK" ]; then
        echo 'clearglass_interface = ' >> /var/clearos/clearglass_community/clearglass.state
    fi
    # Check if $IPTABLES is set. This allows the program to run outside control of the firewall.
    # i.e on Clearglass start. If running under firewall control, rules would already be cleared
    #-------------------------------------------------------------------------------------------
    if [ -z "$IPTABLES" ] ; then
        IPTABLES='/usr/sbin/iptables -w'
        FW_PROTO='ipv4'
        ClearglassIF=$(grep '^clearglass_interface' /var/clearos/clearglass_community/clearglass.state | awk '{ print $3 }')
        if [ -n "$ClearglassIF" ]; then
            clear_stale_rules
        fi
    fi
    # This will bail if the script runs as part of the firewall restart and is not ipv4
    if [ "$FW_PROTO" != 'ipv4' ]; then
        return 0
    fi
    sed -i -e 's/^clearglass_interface.*/clearglass_interface = /g' /var/clearos/clearglass_community/clearglass.state
    # Now only run if Clearglass is running
    #--------------------------------------
    ps aux | grep clearglass | grep python > /dev/null
    if [ $? -eq 0 ]; then
        # Loop for MaxAttempts retries at 1s interval waiting for the interface to appear
        #--------------------------------------------------------------------------------
        MaxAttempts=60
        counter=1
        while [ $counter -le $MaxAttempts ]; do
            ClearglassNetworkID=$(/usr/bin/docker inspect 'clearglass_ui_1' --format '{{ .NetworkSettings.Networks.clearglass_default.NetworkID }}' 2>/dev/null)
            NewClearglassIF=$(echo 'br-'${ClearglassNetworkID:0:12})
            if [ ${#NewClearglassIF} -ne 15 ]; then
                ((counter++))
                sleep 1
            else
                # Interface is up. Now add firewall rules
                #----------------------------------------
                ClearglassNetwork=$(ip route | grep $NewClearglassIF | awk '{ print $1 }')
                ${IPTABLES} -A INPUT -i $NewClearglassIF -j ACCEPT
                ${IPTABLES} -A FORWARD -o $NewClearglassIF -j DOCKER
                ${IPTABLES} -A FORWARD -i $NewClearglassIF -j ACCEPT
                ${IPTABLES} -A OUTPUT -o $NewClearglassIF -j ACCEPT
                ${IPTABLES} -A DOCKER-ISOLATION -i $NewClearglassIF -o docker0 -j DROP
                ${IPTABLES} -A DOCKER-ISOLATION -i docker0 -o $NewClearglassIF -j DROP
                ${IPTABLES} -A POSTROUTING -t nat ! -o $NewClearglassIF -s $ClearglassNetwork -j MASQUERADE
                ${IPTABLES} -A DOCKER -t nat -i $NewClearglassIF -j RETURN
                sed -i -e "s/^clearglass_interface.*/clearglass_interface = $NewClearglassIF/g" /var/clearos/clearglass_community/clearglass.state
                logger -t ClearGLASS "Interface came up in $counter seconds."
                break
            fi
        done
        if [ ${#NewClearglassIF} -ne 15 ]; then
            logger -t ClearGLASS "Interface not up in $MaxAttempts seconds. Consider raising MaxAttempts in /etc/clearos/firewall.d/20-clearglass"
        fi
    fi
fi
This is the clearglass firewall script. It can be massively simplified as in section 13 here if you're happy to accept some approximations. Save the file in /etc/clearos/firewall.d with name starting with a number > 10. Remember to flip back the earlier preference you changed.
PiHole may be an issue because of how dnsmasq is integrated into ClearOS. I don't think it is easy to make pihole bind to a different port as it would be simple to make dnsmasq then use pihole. As an alternative you could force dnsmasq to bind to a different port allowing pihole to bind to 53. -
Accepted Answer
Hi,
I just found this post as I was trying to set up a Pi-hole container under ClearOS 7 (my gateway) to save a raspberry for some other testing.
I changed the dnsmasq 53 port to another one as I do not intend to use ClearOS dns.
I faced the iptables 'refreshing' rules that totally wipe out the docker rules.
I tried to create a service for docker to start after all ClearOS services but with no luck.
What is the latest on docker support for Clearos?
Is the only workaround still to disable iptable under docker and then build the rules manually? Do you do that in the iptable-local file manually or via the GUI interface?
Thanks -
Accepted Answer
Reading this post, still running into an issue with network bridges. All tips from Nick and Marcel are in place except additional routing.
My situation: Base host is ClearOS 7 up-to-date which also runs virtualbox 6. Within Virtualbox I have multiple ClearOS images running, all for a different purpose. This way I can experiment and backup each individual machine. Very handy in my opinion.
Currently experimenting with docker in a ClearOS guest (via Virtualbox) which is hosted on ClearOS. Everything in the guest is working as desired and the docker app (home-assistant) is running without clear problems but without a bridge to the guest machine (and therefore not accessible in house via the local network).
Goal is to access a service via 192.168.1.60:8123 which runs inside the docker
My current output
[root@HomeAssistant ~]# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
inet6 fe80::42:c6ff:fe13:a913 prefixlen 64 scopeid 0x20<link>
ether 02:42:c6:13:a9:13 txqueuelen 0 (Ethernet)
RX packets 1 bytes 76 (76.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3 bytes 266 (266.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.60 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::a00:27ff:fe38:23b5 prefixlen 64 scopeid 0x20<link>
ether 08:00:27:38:23:b5 txqueuelen 1000 (Ethernet)
RX packets 464269 bytes 53550456 (51.0 MiB)
RX errors 0 dropped 64688 overruns 0 frame 0
TX packets 1824 bytes 218623 (213.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
/etc/sysconfig/network-scripts/ifcfg-docker0
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"
#/etc/sysconfig/docker-network
# DOCKER_NETWORK_OPTIONS=
[root@homeassistant ~]# docker network list
NETWORK ID NAME DRIVER SCOPE
6ffb64e7a8f5 bridge bridge local
7fd540cf9587 host host local
c2b714bc3985 none null local
[root@homeassistant ~]# docker inspect 6ffb64e7a8f5 7fd540cf9587 c2b714bc3985
[
{
"Name": "bridge",
"Id": "6ffb64e7a8f50f7a07609cae340a0d5637de46b7e63ed3b9aaf5d16ebe93feaa",
"Created": "2019-09-05T09:21:35.492594968-04:00",
"Scope": "local",
"Driver": "bridge",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": [
{
"Subnet": "172.17.0.0/16",
"Gateway": "172.17.0.1"
}
]
},
"Internal": false,
"Attachable": false,
"Containers": {},
"Options": {
"com.docker.network.bridge.default_bridge": "true",
"com.docker.network.bridge.enable_icc": "true",
"com.docker.network.bridge.enable_ip_masquerade": "true",
"com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
"com.docker.network.bridge.name": "docker0",
"com.docker.network.driver.mtu": "1500"
},
"Labels": {}
},
{
"Name": "host",
"Id": "7fd540cf95871450915b183027f6a19cc536eb2389f55519657798a18b8ab0e2",
"Created": "2019-09-05T07:50:55.669692505-04:00",
"Scope": "local",
"Driver": "host",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": []
},
"Internal": false,
"Attachable": false,
"Containers": {
"8f1baedbf1dfb865bb66b9f63b99da049c936681fdf9bc7ad288778257e40668": {
"Name": "home-assistant",
"EndpointID": "d506bed287d16ac981b68adfff57a9d768f6dccb56bd46f089db71ceeb117047",
"MacAddress": "",
"IPv4Address": "",
"IPv6Address": ""
}
},
"Options": {},
"Labels": {}
},
{
"Name": "none",
"Id": "c2b714bc3985468e254dd07f36d65fbb54a486265004bdd3cf22a50adc8025a1",
"Created": "2019-09-05T07:50:55.645840665-04:00",
"Scope": "local",
"Driver": "null",
"EnableIPv6": false,
"IPAM": {
"Driver": "default",
"Options": null,
"Config": []
},
"Internal": false,
"Attachable": false,
"Containers": {},
"Options": {},
"Labels": {}
}
]
Any idea what is causing this ? -
Accepted Answer
To find docker container IPs, try section 11 in this post. For a permanent firewall see section 12 in the same post. Don't be tempted to use a custom firewall rule for a couple of reasons:
1 - Custom rules are run before 10-docker so the DOCKER chain will not exist when your custom rule is added causing it to fail.
2 - The Custom Firewall rules do not allow a "!" for the moment. There is a patch just going through at the moment to allow it, but see 1 which is the most important. -
Accepted Answer
The containers can communicate with each other!
What I did is what nick suggested, and I made snapshots of the different states. I did this with:
iptables -nvL
iptables -nvL -t nat
So I found the IP addresses of the containers.
172.17.0.2
172.17.0.3
I made a rule:
iptables -A DOCKER -t nat ! -i docker0 -d 172.17.0.2 -j DNAT --to-destination 172.17.0.3
So the container with IP address 172.17.0.2 can now communicate with the container with IP address 172.17.0.3. If I use IP address 172.17.0.3 to connect to in the webapp everything works.
I'm not finished yet I still have to make it permanent so the rules survive a reboot. -
Accepted Answer
For the firewall:
iptables -nvL
iptables -nvL -t nat
I'd be particularly curious with the DOCKER-ISOLATION chain.
I'd suggest:
rebooting (with the docker0 interface)
snapshot the firewall
start docker with iptables enabled
snapshot the firewall
start your containers, each time snapshotting the firewall
look for the differences in the firewalls between each stage.
I'm not going to be able to do much for a few days now, I'm afraid. -
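The snapshot-and-diff procedure suggested in the posts above, as an added example that is not part of the original thread: it compares two iptables-save dumps (used here instead of iptables -nvL, whose packet counters change between snapshots) and prints the rules Docker added as $IPTABLES lines for a file in /etc/clearos/firewall.d. The function names, file names and sample snapshots are constructed for illustration.

```shell
#!/bin/bash
# Added example: turn two iptables-save snapshots into firewall.d hook lines.

# Reduce an iptables-save dump to "<table> <rule>" lines, dropping everything
# that differs between snapshots without being a rule (timestamps, counters).
normalise() {
    awk '
        /^#/      { next }                                   # timestamp comments
        /^\*/     { table = substr($0, 2); next }            # "*nat" starts a table
        /^COMMIT/ { next }
        /^:/      { split(substr($0, 2), f, " ")             # ":CHAIN POLICY [pkts:bytes]"
                    if (f[2] == "-") print table " -N " f[1] # user-defined chains only
                    next }
        /^\[/     { sub(/^\[[0-9]+:[0-9]+\] /, "") }         # counters from iptables-save -c
        /^-A /    { print table " " $0 }
    ' "$1"
}

# Print the normalised lines present in the second snapshot but not the first,
# keeping the order of the second snapshot (rule order matters in iptables).
added_rules() {
    _before_tmp=$(mktemp) || return 1
    normalise "$1" > "$_before_tmp"
    normalise "$2" | grep -Fxv -f "$_before_tmp" || true   # no additions is not an error
    rm -f "$_before_tmp"
}

# Rewrite "<table> <rule>" as a line for a firewall.d hook, which is run with
# $IPTABLES already set by the firewall (as in the ClearGLASS script).
hook_lines() {
    added_rules "$1" "$2" | while read -r table rest; do
        printf '%s -t %s %s\n' '$IPTABLES' "$table" "$rest"
    done
}

# Constructed sample snapshots: before Docker starts, and after it has started
# with its own iptables handling switched on.
write_samples() {
    cat > "$1/before.rules" <<'EOF'
# Generated by iptables-save (constructed sample, before)
*nat
:PREROUTING ACCEPT [10:800]
:POSTROUTING ACCEPT [4:240]
-A POSTROUTING -o enp0s3 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [90:7000]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
# Generated by iptables-save (constructed sample, after)
*nat
:PREROUTING ACCEPT [55:4100]
:POSTROUTING ACCEPT [9:540]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -o enp0s3 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [140:9900]
:DOCKER - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed snapshots; on a real host the two files would come
# from "iptables-save > before.rules" and "iptables-save > after.rules".
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
hook_lines "$demo_dir/before.rules" "$demo_dir/after.rules"
rm -rf "$demo_dir"
```

The output still needs reviewing before it goes into a firewall.d file: -N fails if an earlier hook such as 10-docker already created the chain, and -A appends after whatever rules the firewall has loaded by then.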
Accepted Answer
You mean commenting out "DOCKER_NETWORK_OPTIONS='--iptables=false'"? The "iptables='false'" part was missing in my "docker-network" file. So that was already the case. If I add "DOCKER_NETWORK_OPTIONS='--iptables=false'" then I can't connect to the Docker containers via the web browser anymore. I tried different options, also rebuilding and restarting my containers. Also rebooted the server to be sure.
Can you give me a hint how to check the firewall rules? Not an expert here. -
Accepted Answer
Mine is:
# /etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS='--iptables=false'
Commenting it out then starting docker meant I got the iptables rules which I could then emulate manually.
I'm afraid I don't have a lot of knowledge of docker. Just what I've learned from playing with the samba container and what I've heard about the ClearGLASS set up. -
Accepted Answer
Nick Howitt wrote:
OK. Some misinformation there. I've found my notes and have pointed you in the wrong direction. Try instead /etc/sysconfig/docker-network. Just comment out the line to enable auto-generation of the rules.
Setting up docker0 only helps a boot condition. If you restart the firewall after starting docker the effect is the same but not so clean.
OK, these are the two lines I have in "docker-network".
#/etc/sysconfig/docker-network
DOCKER_NETWORK_OPTIONS=
-
Accepted Answer
If I do a Docker inspect of a container I see it uses the Docker interface:
"SandboxKey": "/var/run/docker/netns/1eca0661c6e7",
"SecondaryIPAddresses": null,
"SecondaryIPv6Addresses": null,
"EndpointID": "f0b77db9e738adf9477f3e2246a40bb7f03cf73b1ac4d3ffa97f1767f7c146cf",
"Gateway": "172.17.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"MacAddress": "xx:xx:xx:xx:xx:xx",
"Networks": {
"bridge": {
"IPAMConfig": null,
"Links": null,
"Aliases": null,
"NetworkID": "eb526cd22646bc270899ffb9797e05d27f6e9425a14b53b71682aa8863e0667f",
"EndpointID": "f0b77db9e738adf9477f3e2246a40bb7f03cf73b1ac4d3ffa97f1767f7c146cf",
"Gateway": "172.17.0.1",
"IPAddress": "172.17.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"MacAddress": "xx:xx:xx:xx:xx:xx" -
Accepted Answer
OK. Some misinformation there. I've found my notes and have pointed you in the wrong direction. Try instead /etc/sysconfig/docker-network. Just comment out the line to enable auto-generation of the rules.
Setting up docker0 only helps a boot condition. If you restart the firewall after starting docker the effect is the same but not so clean. -
Accepted Answer
but I believe iptables is disabled for docker in the ClearOS installation
What do you mean? ClearOS servers with Docker installations have no iptables active? Let's hope not. I expect that I do misunderstand you.
see /etc/clearos/docker.conf
I don't have that file.
Also, until you start docker, there is no docker0 interface. There is a bug request for this which you can do yourself.
I tried this, but Docker containers still can't communicate with each other. The interface is created though:
4: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 0a:be:e4:b2:60:14 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::f4c0:90ff:fe6e:6a2d/64 scope link
valid_lft forever preferred_lft forever
-
Accepted Answer
Iptables is a big issue with docker. I'd need to do a fresh installation to check, but I believe iptables is disabled for docker in the ClearOS installation - see /etc/clearos/docker.conf. Also, until you start docker, there is no docker0 interface. There is a bug request for this which you can do yourself. Just create a file /etc/sysconfig/network-scripts/ifcfg-docker0 and in it put:
DEVICE=docker0
TYPE="Bridge"
ONBOOT="yes"
USERCTL="no"
BOOTPROTO="none"
Then the interface is there at boot and docker will take control of it when it starts.
The problem with iptables is more serious. ClearOS, when it restarts the firewall wipes iptables and it does not recreate the docker container rules. If iptables is turned on in docker, docker containers will do that only if restarted and this is not optimal.
As docker is only on ClearOS for ClearGLASS, there is a /etc/clearos/firewall.d/10-docker file (from app-docker) which runs on firewall restart which creates all the firewall rules needed by docker and the ClearGLASS containers. Really this needs to be split into docker rules and ClearGLASS rules.
What I did for Samba in Docker (see this post) was to flip the /etc/clearos/docker.conf parameter and observe the firewall rules the samba container set up, then emulate them in my own /etc/clearos/firewall.d/11-docker-samba file, so they would be recreated every time the firewall reloaded. Then I flipped the /etc/clearos/docker.conf parameter off again.
As a slight shortcut, the samba container rules were very detailed with lots of rules for individual ports. I just combined them into a single rule for the docker internal IP.
It is also worth reading the thread I linked to, as docker tries to choose a free /16 subnet to work with, but does not always get it right and you can get IP clashes.
[edit]
You may also want to check the DOCKER-ISOLATION rules set up by /etc/clearos/firewall.d/10-docker as they could be working against you if you've got any br-* interfaces from your containers.
[/edit] -
Accepted Answer
What I notice is that Docker containers can't communicate with each other. I think the reason is that we are using Docker on a gateway distro. So the problem is iptables? Is there a way to check if iptables is the problem? I'm not an iptables expert.
I strongly advise everyone to use Docker from the ClearOS repo!
yum install docker
-
Accepted Answer
Nick Howitt wrote:
Docker is now in the ClearOS repos so a simple:
yum install docker
should work. The only thing is that this is version 1.13.1-53.git774336d and is the latest official version for RHEL/Centos. If it gets hung up on installation for the same reason, libcgroup is available from clearos-centos or centos-verified so perhaps add:
--enablerepo=clearos-centos
to your yum command. If you permanently enable clearos-centos (which is OK), you should also permanently enable clearos-centos-updates.
You've cut your command line, but it looks like you are trying to install DockerCE which should also work (Peter Baldwin has it installed). Apply the same fix for libcgroup.
Thanks! It was actually totally my fault in the end. I thought I'd finished the installation, but had neglected to finish the setup by logging into the web interface and registering. Doh! -
Accepted Answer
Docker is now in the ClearOS repos so a simple:
yum install docker
should work. The only thing is that this is version 1.13.1-53.git774336d and is the latest official version for RHEL/Centos. If it gets hung up on installation for the same reason, libcgroup is available from clearos-centos or centos-verified so perhaps add:
--enablerepo=clearos-centos
to your yum command. If you permanently enable clearos-centos (which is OK), you should also permanently enable clearos-centos-updates.
You've cut your command line, but it looks like you are trying to install DockerCE which should also work (Peter Baldwin has it installed). Apply the same fix for libcgroup. -
Accepted Answer
Hi. I've followed this guide successfully a couple of times, but came to do so again yesterday and it failed with the following output:
Loaded plugins: clearcenter-marketplace, fastestmirror
ClearCenter Marketplace: fetching repositories...
ClearCenter Marketplace: System not registered. Code: 3
Loading mirror speeds from cached hostfile
* clearos: mirror1-newyork.clearos.com
* clearos-centos-sclo-rh: download1.clearsdn.com
* clearos-contribs: mirror1-newyork.clearos.com
* clearos-fast-updates: download1.clearsdn.com
* clearos-infra: mirror1-newyork.clearos.com
* clearos-updates: mirror1-newyork.clearos.com
dockerrepo | 2.9 kB 00:00
Package docker-engine is obsoleted by docker-ce, trying to install docker-ce-18.06.0.ce-3.el7.x86_64 instead
Resolving Dependencies
--> Running transaction check
---> Package docker-ce.x86_64 0:18.06.0.ce-3.el7 will be installed
--> Processing Dependency: container-selinux >= 2.9 for package: docker-ce-18.06.0.ce-3.el7.x86_64
--> Processing Dependency: libcgroup for package: docker-ce-18.06.0.ce-3.el7.x86_64
--> Processing Dependency: libltdl.so.7()(64bit) for package: docker-ce-18.06.0.ce-3.el7.x86_64
--> Running transaction check
---> Package container-selinux.noarch 2:2.42-1.gitad8f0f7.el7 will be installed
--> Processing Dependency: policycoreutils-python for package: 2:container-selinux-2.42-1.gitad8f0f7.el7.noarch
---> Package docker-ce.x86_64 0:18.06.0.ce-3.el7 will be installed
--> Processing Dependency: libcgroup for package: docker-ce-18.06.0.ce-3.el7.x86_64
--> Processing Dependency: libltdl.so.7()(64bit) for package: docker-ce-18.06.0.ce-3.el7.x86_64
--> Finished Dependency Resolution
Error: Package: docker-ce-18.06.0.ce-3.el7.x86_64 (docker-ce-stable)
Requires: libltdl.so.7()(64bit)
Error: Package: docker-ce-18.06.0.ce-3.el7.x86_64 (docker-ce-stable)
Requires: libcgroup
Error: Package: 2:container-selinux-2.42-1.gitad8f0f7.el7.noarch (clearos-updates)
Requires: policycoreutils-python
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest
Any idea what the problem might be? Thanks -
Accepted Answer
Jonathan Dumont wrote:
Hi everyone;
I try to find the HowTo Docker on ClearOS
and everything point here
but I just see a thread of discussion about how it will be great
and nothing look like a how to
such as
yum install docker ...
so Docker on ClearOS is working or not ?
which kind of issue is the most common ?
...
Regards!
Jonathan
Hi,
When you go to the bottom of the page you see a "Load more replies" button. Tick this and you can scroll down to the how-to. -
Accepted Answer
Hi everyone;
I try to find the HowTo Docker on ClearOS
and everything point here
but I just see a thread of discussion about how it will be great
and nothing look like a how to
such as
yum install docker ...
so Docker on ClearOS is working or not ?
which kind of issue is the most common ?
...
Regards!
Jonathan -
Accepted Answer
Marcel van Leeuwen wrote:
This thread also has a how-to guide on how to install Docker on ClearOS 7.x. Please scroll down for the how-to.
Hi, please excuse me if I overlooked it, it's very late here in California and I'm probably sleep typing, but where is the 'how-to guide how to install Docker on ClearOS'? I've read this post and your other post about Docker many MANY times tonight looking for that guide/link and I can't seem to find it. I want to install ClearOS but I must have Docker compatibility also. As interesting as ClearOS seems, no Docker is an instant deal breaker for me as pretty much all my work/hobby stuff is exclusively Docker images and Containers. Since it appears that Docker engine has been solved by the fine folks here, are there any plans for Docker Compose and Docker Swarm or any other Docker container orchestration?
Sorry to bother you with such a silly question about the link to the guide, any help/replies would be a huge help. -
Accepted Answer
T wrote:
systemd-nspawn is a major part of the future of systemd and I'd love to see a comparison between system resource usage of Docker vs nspawn. This is relevant as ClearOS will often be deployed as a router or a server on a LAN, and routers / servers don't want to be wasting what little grunt they've got on a containerisation system: all that grunt should be available to the services (containers) themselves.
It looks like I have more research to do! -
Accepted Answer
Peter Baldwin wrote:
Fantastic - thanks for providing concrete examples of what I'd mentioned - that makes it easier for people to see real-world advantages and also provides test cases to show progress accomplished by containerisation.
T wrote:
Using a Container for a process has security advantages (as previously mentioned) but also it makes dependencies much cleaner. Rather than filling up your bare-metal installation with libraries only used by one or two processes, you can set up your bare-metal installation to only run the Containerisation system. Then each container can have the specific libraries it needs to run its process. This way you never have to try to resolve conflicts where Tool A requires Library v0.11 and Tool B requires Library v0.12 and you can't have both installed at the same time. Just put them in separate containers and they won't even know the other exists.
Though not relevant with Plex or Transmission, a lot of LAMP-based apps have different MySQL/PHP/Python requirements, and we're seeing more "nginx vs Apache" conflicts as well. Containers solve that versioning/conflict problem.
Marcel van Leeuwen wrote:
One thing I have to mention of LXC is that you can give containers an IP address...
That's the bare necessity for a container, no matter what system is implementing it. It allows the container's firewall to have only the port(s) relevant to its service open, simplifying maintenance.
systemd-networkd provides host-only, inter-container, and/or LAN-accessible IP address(es) for systemd-nspawn containers.
systemd-networkd is documented here: https://wiki.archlinux.org/index.php/systemd-networkd
systemd-nspawn is documented here: https://wiki.archlinux.org/index.php/Systemd-nspawn
systemd-nspawn is ready to go in RHEL/CentOS/etc. -like systems; here's an example on the latest Fedora 24: https://fedoramagazine.org/container-technologies-fedora-systemd-nspawn/
systemd-nspawn is also able to run converted Docker containers - something that's important because Docker doesn't like working with systemd particularly when a service relies on starting up multiple containers (eg mySQL and Apache):
the root cause of the conflict is that the Docker daemon is designed to take over a lot of the functions that systemd also performs for Linux.
Where this breaks down, however, is when services running as containers depend on other containerized services.
Systemd allows defining cgroup limits in the initialization files, so that you can define resource profiles for services when they start. With Docker, though, this runs afoul of the client-server model again. The systemd cgroup settings affect only the client; they do not affect the daemon process, where the container is actually running. Instead, each one inherits the cgroup settings of the Docker daemon.
Docker logs also didn't work with systemd's journald. Logging of container output was local to each container, which would cause all logs to be automatically erased whenever a container was deleted. This was a major failing in the eyes of security auditors.
Nspawn continues to be something the systemd team are actively growing and improving: systemd-importd "can download container images in tar, raw, qcow2 or dkr formats, and make them available locally in /var/lib/machines, so that they can run as nspawn containers"; can run in user namespace and overlay filesystems; management of CPU shares and other resources; machinectl pull-tar for downloading prepackaged containers; additional and arbitrarily-named virtual Ethernet links between the host and the container; container-specific private UID/GID range for security and on-demand inter-container networks; mkosi generates a new raw OS image of a fresh distribution installation; GPT/EFI representation improved and containers inherit /etc/resolv.conf; etc. etc.
systemd-nspawn is a major part of the future of systemd and I'd love to see a comparison between system resource usage of Docker vs nspawn. This is relevant as ClearOS will often be deployed as a router or a server on a LAN, and routers / servers don't want to be wasting what little grunt they've got on a containerisation system: all that grunt should be available to the services (containers) themselves. -
Accepted Answer
Hi Marcel,
Marcel van Leeuwen wrote:
I've searched the Docker site and found some documentation on how to build a Docker container. Also found a how-to on Digital Ocean. Which how-to do you use?
I'm still in the reading and learning stage... wild stuff. A developer over at Tiki Wiki did a proof of concept with Docker and ClearOS. He went as far as creating:
- A ClearOS Docker app
- Two apps via Docker containers: Openfire and MariaDB
The fact the Openfire and MariaDB are running in containers is seamless! I think I'll take a crack at creating a Docker image along with integrating an "official" docker image of some kind. -
Accepted Answer
I've searched the Docker site and found some documentation on how to build a Docker container. Also found a how-to on Digital Ocean. Which how-to do you use? -
Accepted Answer
Hey Nick,
Nick Howitt wrote:
I have not read up on it, but what are the advantages of running Plex or Transmission in Docker compared to natively (like now)?
Though not relevant with Plex or Transmission, a lot of LAMP-based apps have different MySQL/PHP/Python requirements, and we're seeing more "nginx vs Apache" conflicts as well. Containers solve that versioning/conflict problem. -
Accepted Answer
Michael Proper wrote:
Would recommend we take a hard look at all of these before locking a default direction:
1) Kubernetes - https://kubernetes.io/
2) Google Container Engine - https://cloud.google.com/container-engine/
3) Docker - https://www.docker.com/
Feel free to add to the Tech Talk Agenda if needed.
Thank you all in advance!
I'm only a bit familiar with Docker and LXC. I tested Proxmox for a while and Proxmox uses LXC for containerisation. unRAID uses Docker. I will check out the sites you linked. -
Accepted Answer
Michael Proper wrote:
Would recommend we take a hard look at all of these before locking a default direction:
Well this thread is specifically about Docker which is why I think the majority of the focus is (rightly) on Docker here. Using a Container for a process has security advantages (as previously mentioned) but also it makes dependencies much cleaner. Rather than filling up your bare-metal installation with libraries only used by one or two processes, you can set up your bare-metal installation to only run the Containerisation system. Then each container can have the specific libraries it needs to run its process. This way you never have to try to resolve conflicts where Tool A requires Library v0.11 and Tool B requires Library v0.12 and you can't have both installed at the same time. Just put them in separate containers and they won't even know the other exists.
But if you're willing to consider other (superior) Containerisation technologies, you can't go wrong with systemd-nspawn. It's baked into systemd so is migratable between CentOS, Ubuntu, etc. etc. everything that uses systemd. If /var/lib/machines is ZFS or BTRFS it's trivial to make filesystem snapshots of container states, etc. It's much more mature than Docker and far less complex to set up and use. "Rocket" (or "rkt") is a small, recent tool for interfacing with it, but don't judge nspawn by Rocket: nspawn is the way forward for as long as systemd will reign. -
Accepted Answer
Would recommend we take a hard look at all of these before locking a default direction:
1) Kubernetes - https://kubernetes.io/
2) Google Container Engine - https://cloud.google.com/container-engine/
3) Docker - https://www.docker.com/
Feel free to add to the Tech Talk Agenda if needed.
Thank you all in advance! -
Accepted Answer
Marcel van Leeuwen wrote:
Interesting idea to create Docker containers for ClearOS specifically. I must say the idea also crossed my mind. Is it an idea to collaborate on creating Docker containers? I like the idea of creating Docker containers for the ClearOS community. What do you think?
I'm up for it! Did you have a particular app in mind? -
Accepted Answer
Peter Baldwin wrote:
Hi Marcel,
Marcel van Leeuwen wrote:
On unRAID Docker is working really well. The config files of the container app are outside of the container. So updating your container is really easy. I'm not sure what you're referring to. Updating a Docker container is just pulling in the new Docker container, but I think I don't understand you correctly.
I was looking at Docker from the perspective of creating Docker containers for ClearOS, for example a ZoneMinder app. That will require quite a bit of development to make sure updated containers are created when security updates come along. I can see that security discipline is lacking with many docker images out there.
From the perspective of having Docker installed and available on ClearOS, that's fairly straightforward. Sorry for the confusion!
Hi Peter,
Interesting idea to create Docker containers for ClearOS specifically. I must say the idea also crossed my mind. Is it an idea to collaborate on creating Docker containers? I like the idea of creating Docker containers for the ClearOS community. What do you think?
btw no need to apologise. -
Accepted Answer
Hi Marcel,
Marcel van Leeuwen wrote:
On unRAID Docker is working really well. The config files of the container app are outside of the container. So updating your container is really easy. I'm not sure what you're referring to. Updating a Docker container is just pulling in the new Docker container, but I think I don't understand you correctly.
I was looking at Docker from the perspective of creating Docker containers for ClearOS, for example a ZoneMinder app. That will require quite a bit of development to make sure updated containers are created when security updates come along. I can see that security discipline is lacking with many docker images out there.
From the perspective of having Docker installed and available on ClearOS, that's fairly straightforward. Sorry for the confusion! -
Accepted Answer
On unRAID Docker is working really well. The config files of the container app are outside of the container. So updating your container is really easy. I'm not sure what you're referring to. Updating a Docker container is just pulling in the new Docker container, but I think I don't understand you correctly. -
Accepted Answer
Marcel van Leeuwen wrote:
Do you have a good feeling to overcome these problems?
The de facto way to handle updates is to have the target application bundled with a base image (barebones OS). Every time there's an update required in the OS, the base image is updated and the new Docker application image is generated. That's all good, but that process would need to be automated and tested in a sane way. -
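The rebuild trigger described in the post above can be checked mechanically: an application image is stale when its leading layers no longer match the current base image. A sketch of that check, added here as an example (not code from the thread or from ClearOS); the layer digests are constructed placeholders and the function names are hypothetical:

```shell
#!/bin/sh
# Added example. Layer lists are newline-separated digests, oldest layer first,
# as printed by:
#   docker image inspect --format '{{range .RootFS.Layers}}{{println .}}{{end}}' IMAGE

# layers_of IMAGE: live lookup (needs a Docker daemon; not used by the demo below).
layers_of() {
    docker image inspect --format '{{range .RootFS.Layers}}{{println .}}{{end}}' "$1"
}

# is_built_on BASE_LAYERS APP_LAYERS
# Succeeds when the app image starts with exactly the base image's layers.
is_built_on() {
    base=$(printf '%s\n' "$1" | grep .) || return 1   # empty base: cannot decide
    n=$(printf '%s\n' "$base" | wc -l | tr -d ' ')
    app_head=$(printf '%s\n' "$2" | grep . | head -n "$n")
    [ "$base" = "$app_head" ]
}

# rebuild_status BASE_LAYERS APP_LAYERS: prints "current" or "rebuild".
rebuild_status() {
    if is_built_on "$1" "$2"; then echo current; else echo rebuild; fi
}

# --- constructed sample data (placeholder digests, not real images) ---
OLD_BASE='sha256:aaaa
sha256:bbbb'
NEW_BASE='sha256:aaaa
sha256:cccc'          # base republished after a security update
APP='sha256:aaaa
sha256:bbbb
sha256:dddd'          # application layer built on top of OLD_BASE

echo "app vs old base: $(rebuild_status "$OLD_BASE" "$APP")"
echo "app vs new base: $(rebuild_status "$NEW_BASE" "$APP")"
```

Against live images, pass `"$(layers_of BASE)"` and `"$(layers_of APP)"` as the two arguments.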
Accepted Answer
Paul wrote:
Out of interest on Clearos 6.x I have docker installed
[root@fs1 ~]# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d/1.7.1
OS/Arch (server): linux/amd64
[root@fs1 ~]#
Not really using it for anything yet. Was more to play around with
[root@fs1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
cantino/huginn latest 6e2872acb625 2 weeks ago 876.8 MB
ubuntu latest 594b6e305389 7 weeks ago 122 MB
uifd/ui-for-docker latest f17d9cd5f5a1 11 weeks ago 7.391 MB
[root@fs1 ~]#
Thanks for sharing this with us Paul! So it's possible to install Docker on ClearOS 6.x. That is good news for the 6.x users. -
Accepted Answer
Out of interest on Clearos 6.x I have docker installed
[root@fs1 ~]# docker version
Client version: 1.7.1
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 786b29d/1.7.1
OS/Arch (client): linux/amd64
Server version: 1.7.1
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 786b29d/1.7.1
OS/Arch (server): linux/amd64
[root@fs1 ~]#
Not really using it for anything yet. Was more to play around with
[root@fs1 ~]# docker images
REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE
cantino/huginn latest 6e2872acb625 2 weeks ago 876.8 MB
ubuntu latest 594b6e305389 7 weeks ago 122 MB
uifd/ui-for-docker latest f17d9cd5f5a1 11 weeks ago 7.391 MB
[root@fs1 ~]#
-
Accepted Answer
Hi Peter, Thanks for the reply!
I'd really like to see faster development, but I understand ClearCenter is limited on developers. Also there are of course priorities. So just thumbs up for what you guys are doing.
The Netify app sounds really interesting! I'll watch out for that app.
I sold my Synology boxes and I'm using an unRAID server for the time being. unRAID is using Docker and KVM. It's working really well. I want to use ClearOS again and I'm investigating if I can use snapRAID for some redundancy on ClearOS. Also, like I mentioned in this thread, I experiment a bit with Docker on ClearOS. Not sure when I make the move back but maybe this summer vacation is a good timing. -
Accepted Answer
Marcel van Leeuwen wrote:
That's a shame. Only two weeks after your last post on that thread you started this one, and yet that thread has great Google results placement already! I'll add a link to it so that some people find this follow-on thread.
T wrote:
Is this thread mainly a continuation of your original thread on this topic?
To be honest I forgot about that thread. -
Accepted Answer
T wrote:
Is this thread mainly a continuation of your original thread on this topic?
To be honest I forgot about that thread.
Peter Baldwin wrote:
Hi Marcel,
I haven't played around with Docker in quite some time and haven't tried Rocket yet. I was tempted to deploy a Docker-based backend for a new networking monitoring app that is coming to ClearOS, but Docker just felt a little too bleeding edge. I'll have to take another look soon!
Docker is really awesome or must I say containers are awesome! This is a real cool feature for ClearOS but you devs already agreed on that. I haven't tried Rocket either. I had read that Rocket is different from Docker. I'm not sure what the differences are. Google time I guess!!! Oh and I'd really like to hear your experience when you've tried it. -
Accepted Answer
Okay, clear thank you!
At the moment I'm figuring out what I want. I have no dedicated hardware for a ClearOS server. Just deleted my ClearOS test VM because the server it was running on is for the moment my main storage box. I'm considering selling the Synology that I have used for storage since 2013. I'm going to set up a new ClearOS 7.2 test VM so I can fiddle a bit. -
Accepted Answer
Marcel van Leeuwen wrote:
Michael Proper wrote:
@Marcel
Currently working on planning to get Docker to run on ClearOS and then ClearVM. Here is a projected Roadmap specifically focusing on ClearVM.
NOTE: We are currently looking to update the ClearVM installer and then the integrations between ClearOS and ClearVM.
Thank you for all you do and your patience as new chapter(s) are opening.
Just planning or are the devs already working on the code? If the latter applies then I fiddle a bit further with Docker.
Fiddle a bit further as we are focused on the ClearVM installer currently and this will not impact anything regarding the Docker topic. -
Accepted Answer
Michael Proper wrote:
@Marcel
Currently working on planning to get Docker to run on ClearOS and then ClearVM. Here is a projected Roadmap specifically focusing on ClearVM.
NOTE: We are currently looking to update the ClearVM installer and then the integrations between ClearOS and ClearVM.
Thank you for all you do and your patience as new chapter(s) are opening.
Just planning or are the devs already working on the code? If the latter applies then I fiddle a bit further with Docker. -
Accepted Answer
Michael Proper wrote:
@Marcel - Thank you for caring about the ClearOS Community and for your years of dedication! Know many folks are working hard to serve the Community while balancing building better Products. Currently engaging in constructive interactions only and specifically when we have material advancements to report.
Thank you for the kind words. I always used ClearOS with pleasure
Of course that is understandable. Rome was not built in a day either; this also applies to ClearOS and other ClearCenter products. Software development takes time.
Appreciate you helping to improve the Community morale when and where possible.
Okay, I'll try, but I'd love to see more devs on the forums. I think this is essential for the forums. Maybe the unofficial moderators (Nick, Tony, Tim, me, are there more?) have to discuss in a topic how to proceed further. How to get a positive buzz in the forums...
Something else: I don't know if you have noticed this in another topic, but is it possible to get a preview button next to the reply button so the person posting can check his post before the post goes live (I do not know if the forum software has the capability)? -
Accepted Answer
@Marcel - Thank you for caring about the ClearOS Community and for your years of dedication! Know many folks are working hard to serve the Community while balancing building better Products. Currently engaging in constructive interactions only and specifically when we have material advancements to report.
Appreciate you helping to improve the Community morale when and where possible. -
Accepted Answer
I didn't expect an answer. I posted several times in the ClearVM forums asking for an update. Now boom, 15 minutes after I posted. I suppose at that time there was nothing new to report...
I'm surprised Docker is coming to ClearOS, and integration of ClearVM and ClearOS is new to me. Very awesome news!
Michael, thank you for sharing this with us. If you ask my opinion you should do that a lot more: tell the community what is going on behind the scenes.
I want to do a lot more! Maybe I'm a bit frustrated at the moment with this community and how things are going, but I care about this community.... -
Accepted Answer
So let's install a container. I want to start with Transmission. I've chosen the Transmission Docker container of Timhaak.
Let's pull the Docker image
docker pull timhaak/transmission
Output:
Using default tag: latest
latest: Pulling from timhaak/transmission
203137e8afd5: Pull complete
2ff1bbbe9310: Pull complete
933ae2486129: Pull complete
a3ed95caeb02: Pull complete
034aa1c3a6d2: Pull complete
984bc5ae85b6: Pull complete
720635f94c7e: Pull complete
23361b0d8c86: Pull complete
fcbe723cf60a: Pull complete
e7740d5b3ca8: Pull complete
Digest: sha256:6488d2e615475afdc0aba9b2def2e20cc46fdcb5c4366e7bffe96c889789af68
Status: Downloaded newer image for timhaak/transmission:latest
We can check if the image is downloaded with:
docker images
Output:
REPOSITORY TAG IMAGE ID CREATED SIZE
timhaak/transmission latest 01bbfd5d4ab8 9 hours ago 355.2 MB
hello-world latest 690ed74de00f 5 months ago 960 B
So now let's see the command how to start the container:
docker run -d -v /var/flexshare/shares/transmission/watch:/watch -v /var/flexshare/shares/transmission/complete-downloads:/downloads -v /var/flexshare/shares/transmission/incomplete-downloads:/incomplete -v /usr/docker/appdata/transmission:/config -p 45555:45555 -p 9091:9091 -e USERNAME=user -e PASSWORD=transmission timhaak/transmission
We run the container in daemon mode with "-d". You see some mappings that begin with "-v": the directories inside the container are mapped to flexshares outside it. Of course you have to create the flexshares. Also you have to create a directory appdata so the config of Transmission is stored outside of the container. Then we have some port mappings beginning with "-p". We set the user and password with "-e".
Let's run the container!
Now check with:
docker ps
Output:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
86fcbc4412bb timhaak/transmission "/start.sh" 13 minutes ago Up 13 minutes 0.0.0.0:9091->9091/tcp, 0.0.0.0:45555->45555/tcp stoic_snyder
You can access the container with the ip-address of your ClearOS server and port number "9091".
http://IpAddressClearosServer:9091
-
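The `docker ps` output above shows `0.0.0.0:` in the PORTS column, which means each port is published on every host interface, not only the LAN side. The following added example (not part of the original post; the `lan_only` and `db` rows and the address 192.168.1.1 are constructed) lists such mappings so they can be re-published on one address, for example with `-p 192.168.1.1:9091:9091`.

```shell
#!/bin/sh
# Added example: flag container ports published on all host interfaces.
# Input on stdin: lines of "NAME<TAB>PORTS", as produced by
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# Output: one line "NAME HOSTPORT/PROTO" per mapping bound to 0.0.0.0 or ::.

wide_open_ports() {
    awk -F'\t' '
    {
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            # Published mappings contain "->"; exposed-only ports do not.
            if (m !~ /->/) continue
            split(m, side, "->")
            host = side[1]
            proto = side[2]; sub(/^.*\//, "", proto)
            # Bind address is everything before the last colon.
            addr = host; sub(/:[0-9-]+$/, "", addr)
            port = host; sub(/^.*:/, "", port)
            if (addr == "0.0.0.0" || addr == "::" || addr == "[::]")
                print $1, port "/" proto
        }
    }'
}

# Constructed sample. The first two rows mirror docker ps output shown in this
# thread; the LAN-only bind and the unpublished port are made up for contrast.
sample_ps() {
    printf 'stoic_snyder\t0.0.0.0:9091->9091/tcp, 0.0.0.0:45555->45555/tcp\n'
    printf 'nzbget\t0.0.0.0:6789->6789/tcp\n'
    printf 'lan_only\t192.168.1.1:8080->80/tcp\n'
    printf 'db\t3306/tcp\n'
}

# Demo on the sample; on a live host pipe the docker ps command above instead.
sample_ps | wide_open_ports
```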
Accepted Answer
Install Docker on ClearOS 7.x
***Important please try this first in a VM***
Docker needs at least kernel version:
3.10.0-229.el7.x86_64
My VM of ClearOS 7.2 Community has:
uname -r
3.10.0-327.10.1.v7.x86_64
Make sure ClearOS is updated
yum update
Copy and paste the following:
sudo tee /etc/yum.repos.d/docker.repo <<-'EOF'
[dockerrepo]
name=Docker Repository
baseurl=https://yum.dockerproject.org/repo/main/centos/7/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
EOF
Install Docker:
yum install docker-engine
Packages being installed
Dependencies Resolved
===========================================================================================================================================================================================================
Package Arch Version Repository Size
===========================================================================================================================================================================================================
Installing:
docker-engine x86_64 17.03.0.ce-1.el7.centos dockerrepo 19 M
Installing for dependencies:
audit-libs-python x86_64 2.6.5-3.el7_3.1 clearos-centos-verified 70 k
checkpolicy x86_64 2.5-4.el7 clearos-centos-verified 290 k
docker-engine-selinux noarch 17.03.0.ce-1.el7.centos dockerrepo 28 k
libcgroup x86_64 0.41-11.el7 clearos-centos-verified 65 k
libseccomp x86_64 2.3.1-2.el7 clearos-centos-verified 56 k
libsemanage-python x86_64 2.5-5.1.el7_3 clearos-centos-verified 104 k
policycoreutils-python x86_64 2.5-11.el7_3 clearos-centos-verified 445 k
python-IPy noarch 0.75-6.el7 clearos-centos-verified 32 k
setools-libs x86_64 3.3.8-1.1.el7 clearos-centos-verified 612 k
Transaction Summary
===========================================================================================================================================================================================================
Install 1 Package (+9 Dependent packages)
Total download size: 20 M
Installed size: 70 M
Is this ok [y/d/N]:
Start Docker:
service docker start
Verify that Docker is installed and running.
docker version
[root@localhost /]# docker version
Client:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:23:11 2016
OS/Arch: linux/amd64
Server:
Version: 1.11.2
API version: 1.23
Go version: go1.5.4
Git commit: b9f10c9
Built: Wed Jun 1 21:23:11 2016
OS/Arch: linux/amd64
Start Docker at boot
systemctl enable docker
Run/install the "hello-world" container (Docker first checks whether hello-world is installed. If not, it downloads and installs the container).
docker run hello-world
Output:
Hello from Docker.
This message shows that your installation appears to be working correctly.
To generate this message, Docker took the following steps:
1. The Docker client contacted the Docker daemon.
2. The Docker daemon pulled the "hello-world" image from the Docker Hub.
3. The Docker daemon created a new container from that image which runs the
executable that produces the output you are currently reading.
4. The Docker daemon streamed that output to the Docker client, which sent it
to your terminal.
To try something more ambitious, you can run an Ubuntu container with:
$ docker run -it ubuntu bash
Share images, automate workflows, and more with a free Docker Hub account:
https://hub.docker.com
For more examples and ideas, visit:
https://docs.docker.com/userguide/
You can also check if the docker image has downloaded with:
docker images
Output:
REPOSITORY TAG IMAGE ID CREATED SIZE
hello-world latest 690ed74de00f 5 months ago 960 B
You can also check for running containers with:
docker ps
[root@gandalf completed]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
daecb2648b28 linuxserver/nzbget "/init" 23 minutes ago Up 23 minutes 0.0.0.0:6789->6789/tcp nzbget
You see that NZBGet is running on my ClearOS server.