Difference between revisions of "Docker inside CT"

From OpenVZ Virtuozzo Containers Wiki
Latest revision as of 06:55, 22 May 2017

Since OpenVZ kernel 042stab105.4 it is possible to run Docker inside containers. This article describes how.
This page is applicable for OpenVZ 6 (for Virtuozzo 7 see here).

Prerequisites

  • Kernel 042stab105.4 or later version
  • Kernel modules tun, veth and bridge loaded on the host (not required since vzctl 4.9, which loads them automatically)

Container creation and tuning

  • Create a CentOS 7 container with enough disk space (the vfs storage driver, the only one that works here, keeps a full copy of every image layer, so Docker images need far more space than on a host with an overlay driver):
vzctl create $veid --ostemplate centos-7-x86_64 --diskspace 20G
  • Turn on the bridge feature so that Docker can create its bridged network (docker0) inside the container:
vzctl set $veid --features bridge:on --save
  • Set up veth-based networking for the container (the default venet device is a layer 3 point-to-point interface and cannot be bridged):
vzctl set $veid --netif_add eth0 --save
  • Allow all iptables modules to be used in the container (Docker needs the nat table for published ports; note that this grants the container the full netfilter module set, not only the filter table):
vzctl set $veid --netfilter full --save
  • Enable tun device access for the container:
vzctl set $veid --devnodes net/tun:rw --save
  • Configure custom cgroups in systemd:
systemd reads /proc/cgroups and mounts every controller enabled there as its own hierarchy. It does not know that inside an OpenVZ container only the combined hierarchies freezer,devices and cpu,cpuacct,cpuset can be mounted, not freezer, cpu and so on separately, so it has to be told to join them:
vzctl mount $veid
echo "JoinControllers=cpu,cpuacct,cpuset freezer,devices" >> /vz/root/$veid/etc/systemd/system.conf
  • Start the container:
vzctl start $veid
  • If you use Debian Wheezy for your CT, which does not use systemd, mount the two joined hierarchies by hand instead (inside the container, after it has started):
mount -t tmpfs tmpfs /sys/fs/cgroup
mkdir /sys/fs/cgroup/freezer,devices
mount -t cgroup cgroup /sys/fs/cgroup/freezer,devices -o freezer,devices
mkdir /sys/fs/cgroup/cpu,cpuacct,cpuset
mount -t cgroup cgroup /sys/fs/cgroup/cpu,cpuacct,cpuset -o cpu,cpuacct,cpuset
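The host-side steps above as one script, added here as an example and not taken from the OpenVZ wiki: it runs the vzctl commands (or only prints them with DRY_RUN=1), writes the JoinControllers line only once even if re-run, and adds a check for inside the started container that verifies the controllers really are mounted as the two joined hierarchies the kernel permits. The VEID 101 in the usage comments, the container root being mounted at /vz/root/$veid after vzctl mount, and the SAMPLE_MOUNTS lines standing in for a real /proc/mounts are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki): the host-side steps above as one
# script, plus a cgroup check for inside the container. Assumptions: the
# CT's root is mounted at /vz/root/$veid after "vzctl mount", and the
# constructed SAMPLE_MOUNTS below stands in for a real /proc/mounts.

# run CMD...: execute a host command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# join_controllers CONF: add the JoinControllers line to a systemd
# system.conf only if it is not there yet (a plain "echo >>" repeated on a
# re-run would leave duplicate lines).
join_controllers() {
    grep -q '^JoinControllers=' "$1" 2>/dev/null ||
        echo 'JoinControllers=cpu,cpuacct,cpuset freezer,devices' >> "$1"
}

# prepare_ct VEID [DISK]: create and tune the container as described above.
prepare_ct() {
    veid=$1
    disk=${2:-20G}
    run vzctl create "$veid" --ostemplate centos-7-x86_64 --diskspace "$disk"
    run vzctl set "$veid" --features bridge:on --save    # lets Docker create docker0
    run vzctl set "$veid" --netif_add eth0 --save         # veth, bridgeable unlike venet
    run vzctl set "$veid" --netfilter full --save         # nat table for -p port publishing
    run vzctl set "$veid" --devnodes net/tun:rw --save
    run vzctl mount "$veid"
    run join_controllers "/vz/root/$veid/etc/systemd/system.conf"
    run vzctl start "$veid"
}

# check_cgroups [MOUNTS]: succeeds only if cpu, cpuacct and cpuset share one
# cgroup mount and freezer and devices share another, which is the layout
# the OpenVZ 6 kernel allows inside a CT. Reads /proc/mounts by default,
# a file, or "-" for stdin.
check_cgroups() {
    awk '$3 == "cgroup" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) at[opt[i]] = $2   # controller -> mount point
         }
         END {
            ok = at["cpu"] != "" && at["cpu"] == at["cpuacct"] && at["cpu"] == at["cpuset"] &&
                 at["freezer"] != "" && at["freezer"] == at["devices"]
            exit !ok
         }' "${1:-/proc/mounts}"
}

# Constructed sample of the two cgroup mounts expected inside a tuned CT
# (the kernel prints the controller names in its own order; only membership
# and a shared mount point matter here).
SAMPLE_MOUNTS='cgroup /sys/fs/cgroup/cpu,cpuacct,cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/freezer,devices cgroup rw,nosuid,nodev,noexec,relatime,freezer,devices 0 0'

check_sample() { printf '%s\n' "$SAMPLE_MOUNTS" | check_cgroups -; }

case "${1:-}" in
    prepare) prepare_ct "$2" "$3" ;;   # on the host:   sh docker-ct.sh prepare 101
    check)   check_cgroups ;;          # inside the CT: sh docker-ct.sh check
esac
```

Run the prepare step on the host and the check step inside the container once it is up; if the check fails on a systemd template, the JoinControllers line did not take effect and systemd has mounted the controllers separately, which is exactly the state Docker then fails in.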

Prepare Docker in container

These steps are to be performed inside the container.

  • Install Docker:
yum -y install docker-io
  • Start the Docker daemon with the vfs storage driver (see Limitations; vfs is the only graph driver that works in a CT):
dockerd -s vfs
The dockerd binary exists only from Docker 1.12 onwards; with Docker 1.10 and older, the versions that actually run on this kernel, the daemon is the docker binary itself:
docker -d -s vfs
For a daemon managed by the init system, change the OPTIONS line in /etc/sysconfig/docker to:
OPTIONS='--selinux-enabled -s vfs'
and then:
service docker start
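A small helper for the sysconfig step above, added here as an example and not from the OpenVZ wiki or the Docker project: it sets the OPTIONS line without leaving a second OPTIONS= line behind on re-runs, and reads the driver the running daemon reports back from docker info, so a wrong setting is noticed before the first image pull fills the disk with a non-working driver. The sysconfig-style OPTIONS= line and the "Storage Driver:" line format of docker info in the 1.x series are assumptions; SAMPLE_INFO is constructed, not captured from a real daemon.

```shell
#!/bin/sh
# Added example (not from the OpenVZ wiki): make the vfs driver setting in
# /etc/sysconfig/docker idempotent and confirm from "docker info" that the
# running daemon really uses it. Assumptions: a sysconfig-style OPTIONS=
# line, and the "Storage Driver:" line of docker info in the 1.x series;
# SAMPLE_INFO below is constructed, not captured from a real daemon.

# set_docker_storage [FILE]: replace an existing OPTIONS= line, or add one,
# so the daemon is started with --selinux-enabled -s vfs.
set_docker_storage() {
    f=${1:-/etc/sysconfig/docker}
    opts="OPTIONS='--selinux-enabled -s vfs'"
    if grep -q '^OPTIONS=' "$f" 2>/dev/null; then
        sed "s|^OPTIONS=.*|$opts|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        echo "$opts" >> "$f"
    fi
}

# storage_driver [INFO]: print the storage driver the daemon reports; reads
# the live "docker info" by default, a saved copy from a file, or "-" for stdin.
storage_driver() {
    case "${1:-}" in
        "") docker info 2>/dev/null ;;
        -)  cat ;;
        *)  cat "$1" ;;
    esac | sed -n 's/^ *Storage Driver: *//p'
}

# Constructed sample of "docker info" output after a successful start.
SAMPLE_INFO='Containers: 0
Images: 0
Storage Driver: vfs
Execution Driver: native-0.2
Kernel Version: 2.6.32-042stab105.4'

check_sample_driver() { printf '%s\n' "$SAMPLE_INFO" | storage_driver -; }

# Typical use inside the CT: apply the setting, restart, verify.
#   set_docker_storage && service docker restart && [ "$(storage_driver)" = vfs ]
```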

Example usage

Wordpress

Use Docker to start Wordpress (official, standard way).

  • Start the MySQL container (the root password here is a placeholder; use a real secret):
docker run --name test-mysql -e MYSQL_ROOT_PASSWORD=123 -d mysql
  • Start Wordpress, linked to it:
docker run --name test-wordpress --link test-mysql:mysql -p 8080:80 -d wordpress
  • Access the Wordpress server by the container's IP address on port 8080 (the port is published on every interface of the CT, so anyone who can reach the CT's IP can also reach the Wordpress installer until setup is completed):
    http://container_ip:8080

Limitations

  • Only "vfs" Docker graph driver is currently supported
  • Checkpointing and live migration of a container with Docker containers inside is not supported
  • Bridges cannot be created inside Docker containers running inside OpenVZ container
  • Only works with docker versions 1.10 or older. Newer versions will return an error: "Your Linux kernel version 2.6.32-042stab123.2 is not supported for running docker. Please upgrade your kernel to 3.10.0 or newer." (i.e. switch to Virtuozzo 7 or later)

See also

  • Docker inside CT demo video: http://www.youtube.com/watch?v=rh4oPpLtdYc