Docker inside CT
Latest revision as of 06:55, 22 May 2017
Since OpenVZ kernel 042stab105.4 it is possible to run Docker inside containers. This article describes how.
This page is applicable for OpenVZ 6 (for Virtuozzo 7 see here).
Prerequisites
- Kernel 042stab105.4 or later
- Kernel modules tun, veth and bridge loaded on the host (not required since vzctl 4.9, which loads them automatically)
Container creation and tuning
- Create a CentOS 7 container with enough disk space:
vzctl create $veid --ostemplate centos-7-x86_64 --diskspace 20G
- Turn on the bridge feature so Docker can create its bridged network:
vzctl set $veid --features bridge:on --save
- Set up veth-based networking for the container:
vzctl set $veid --netif_add eth0 --save
- Allow all iptables modules to be used in the container:
vzctl set $veid --netfilter full --save
- Enable tun device access for the container:
vzctl set $veid --devnodes net/tun:rw --save
- Configure custom cgroups in systemd:
- systemd reads /proc/cgroups and mounts every cgroup controller enabled there, but it does not know about the container restriction: only the joined hierarchies freezer,devices and cpu,cpuacct,cpuset can be mounted inside a container; freezer, cpu etc. cannot be mounted separately.
vzctl mount $veid
echo "JoinControllers=cpu,cpuacct,cpuset freezer,devices" >> /vz/root/$veid/etc/systemd/system.conf
- Start the container:
vzctl start $veid
- If you use Debian Wheezy for your CT, which does not support systemd, you can run:
mount -t tmpfs tmpfs /sys/fs/cgroup
mkdir /sys/fs/cgroup/freezer,devices
mount -t cgroup cgroup /sys/fs/cgroup/freezer,devices -o freezer,devices
mkdir /sys/fs/cgroup/cpu,cpuacct,cpuset
mount -t cgroup cgroup /sys/fs/cgroup/cpu,cpuacct,cpuset/ -o cpu,cpuacct,cpuset
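The host-side steps above collected into one script, as an added example that is not from the OpenVZ wiki. It runs the page's vzctl commands for one CTID in order, rejects a non-numeric CTID before anything reaches vzctl, and appends the JoinControllers line only if no such setting is present yet, so re-running it does not pile up duplicates the way a plain `>>` does. The script name, the `DRY_RUN` and `VZ_ROOT` variables and the `setup` subcommand are assumptions of this example; /vz/root and the vzctl flags are the ones the page uses.

```shell
#!/bin/sh
# Added example, not from the OpenVZ wiki: runs the host-side steps above for
# one CT in order, validating the CTID first and appending the JoinControllers
# line only once so re-running the script is safe. Assumes the vzctl flags
# used on this page and /vz/root as the CT root (override with VZ_ROOT).
set -eu

VZ_ROOT="${VZ_ROOT:-/vz/root}"
JOIN_LINE='JoinControllers=cpu,cpuacct,cpuset freezer,devices'

# A CTID must be a positive integer (0 is the host itself). Anything else is
# rejected before it reaches vzctl: an empty $veid would otherwise turn
# "$VZ_ROOT/$veid/etc/systemd/system.conf" into a path on the host.
valid_veid() {
    case "$1" in
        ''|*[!0-9]*|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the vzctl commands for CTID $1, one per line, in the order the page
# gives them, so the operator can review the exact commands before they run.
ct_commands() {
    cat <<EOF
vzctl create $1 --ostemplate centos-7-x86_64 --diskspace 20G
vzctl set $1 --features bridge:on --save
vzctl set $1 --netif_add eth0 --save
vzctl set $1 --netfilter full --save
vzctl set $1 --devnodes net/tun:rw --save
EOF
}

# Append JOIN_LINE to the systemd system.conf at $1 unless a JoinControllers=
# setting is already there; the page's plain '>>' adds a new line on every run.
ensure_join_controllers() {
    if ! grep -q '^JoinControllers=' "$1" 2>/dev/null; then
        printf '%s\n' "$JOIN_LINE" >> "$1"
    fi
}

# Create and tune CT $1. With DRY_RUN=1 the commands are only printed.
setup_container() {
    veid="$1"
    valid_veid "$veid" || { echo "invalid CTID: '$veid'" >&2; return 1; }
    ct_commands "$veid" | while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${DRY_RUN:-0}" = 1 ] || $cmd || exit 1
    done
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    vzctl mount "$veid"
    ensure_join_controllers "$VZ_ROOT/$veid/etc/systemd/system.conf"
    vzctl start "$veid"
}

# Usage on the host:  sh setup_docker_ct.sh setup <CTID>
case "${1:-}" in
    setup) setup_container "${2:?CTID required}" ;;
esac
```

Run it first with `DRY_RUN=1` to see the exact command list for the CTID; only the real run mounts the CT, edits system.conf and starts it.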
Prepare Docker in container
These steps are to be performed inside the container.
- Install Docker:
yum -y install docker-io
- Start the docker daemon with the vfs graph driver:
dockerd -s vfs
Alternatively, change the OPTIONS line in /etc/sysconfig/docker to:
OPTIONS='--selinux-enabled -s vfs'
and start the service:
service docker start
Example usage
Wordpress
Use Docker to start WordPress (the official, standard way).
- Start the MySQL container:
docker run --name test-mysql -e MYSQL_ROOT_PASSWORD=123 -d mysql
- Start WordPress, linked to it:
docker run --name test-wordpress --link test-mysql:mysql -p 8080:80 -d wordpress
- Access the WordPress server at the container's IP on port 8080:
http://container_ip:8080
Limitations
- Only the "vfs" Docker graph driver is currently supported
- Checkpointing and live migration of a container with Docker containers inside is not supported
- Bridges cannot be created inside Docker containers running inside an OpenVZ container
- Only works with Docker versions 1.10 or older. Newer versions return an error: "Your Linux kernel version 2.6.32-042stab123.2 is not supported for running docker. Please upgrade your kernel to 3.10.0 or newer." (i.e. switch to Virtuozzo 7 or later)
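A pre-flight script for the inside-CT side, added here as an example that is not from the OpenVZ wiki. Before `dockerd -s vfs` is started it checks that what is actually mounted under /sys/fs/cgroup is the pair of joined hierarchies the JoinControllers step (or the manual Wheezy mounts) should produce, that the tun node granted with `--devnodes net/tun:rw` is visible, and that the installed Docker is 1.10 or older as the Limitations section requires. The mount tables in `sample_mounts` are constructed, the script name and `preflight` subcommand are assumptions, and the version parsing assumes `docker --version` prints "Docker version X.Y.Z, build ...".

```shell
#!/bin/sh
# Added example, not from the OpenVZ wiki: checks to run inside the CT before
# "dockerd -s vfs". It verifies the joined cgroup hierarchies, the tun node
# and the Docker <= 1.10 limitation. File paths are parameters so the checks
# run against constructed samples as well as the live /proc/mounts.
set -eu

# Constructed /proc/mounts samples (not captured from a real CT). "good" has
# the two joined hierarchies the JoinControllers setting produces; "bad" has
# the per-controller mounts an unconfigured systemd would try to create.
sample_mounts() {
    case "$1" in
    good) cat <<'EOF'
proc /proc proc rw,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct,cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/freezer,devices cgroup rw,nosuid,nodev,noexec,relatime,devices,freezer 0 0
EOF
    ;;
    bad) cat <<'EOF'
proc /proc proc rw,relatime 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct,cpuset cgroup rw,relatime,cpuset,cpu,cpuacct 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,freezer 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,relatime,devices 0 0
EOF
    ;;
    esac
}

# Normalise a comma-separated option list to a sorted "a,b,c," string with
# the generic mount flags removed, so controller order does not matter.
sorted_set() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -Evx 'rw|ro|nosuid|nodev|noexec|relatime' | sort | tr '\n' ','
}

# Succeed if a cgroup mount in table $1 carries exactly the controllers in $2.
has_hierarchy() {
    want=$(sorted_set "$2")
    while read -r _dev _mnt fstype opts _rest; do
        [ "$fstype" = cgroup ] || continue
        [ "$(sorted_set "$opts")" = "$want" ] && return 0
    done < "$1"
    return 1
}

# Both joined hierarchies must be present; a lone "freezer" or "devices" mount
# means the JoinControllers line was not picked up (or the CT was not restarted).
check_cgroup_mounts() {
    has_hierarchy "$1" cpu,cpuacct,cpuset && has_hierarchy "$1" freezer,devices
}

# Docker newer than 1.10 refuses the 2.6.32-based OpenVZ 6 kernel (see
# Limitations), so accept only major.minor <= 1.10.
docker_version_supported() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -le 10 ]; then return 0; fi
    return 1
}

# The tun node at $1 only exists in the CT after the host ran
# "vzctl set $veid --devnodes net/tun:rw --save" and the CT was restarted.
check_tun_device() {
    [ -c "$1" ]
}

# Run every check against the live system and print one hint per failure.
preflight() {
    rc=0
    check_cgroup_mounts /proc/mounts ||
        { echo "cgroups are not joined as cpu,cpuacct,cpuset + freezer,devices (check JoinControllers)" >&2; rc=1; }
    check_tun_device /dev/net/tun ||
        { echo "/dev/net/tun is missing (grant it on the host with --devnodes net/tun:rw)" >&2; rc=1; }
    # Assumes the "Docker version X.Y.Z, build ..." output format.
    ver=$(docker --version 2>/dev/null | sed 's/^Docker version \([0-9.]*\).*/\1/')
    [ -n "$ver" ] && docker_version_supported "$ver" ||
        { echo "docker version '${ver:-not installed}' is not usable on OpenVZ 6 (need 1.10 or older)" >&2; rc=1; }
    return $rc
}

# Usage inside the CT:  sh docker_preflight.sh preflight && dockerd -s vfs
case "${1:-}" in
    preflight) preflight ;;
esac
```

Each failure points back at the host-side step that produces the missing piece, which is usually faster than reading the daemon's own error after `dockerd -s vfs` fails to start.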