On Thu, 2016-11-03 at 13:00 -0700, John Roberts wrote:
> Getting Docker working on CentOS itself was the challenge. There are
> two issues to address with Docker on CentOS/Fedora distributions:
> There may be issues with Redhat's default configuration of storage
> for their native Docker distributions. Perhaps the problem has been
> solved, but when I set up our system, the two solutions appeared to
> be
The devicemapper driver used to be the default, and they provide a
special oneshot service (run by default) to set up a logical volume for
it automatically. If you still want to use it (it may or may not still
be the fastest approach), all you need to do is leave enough space on a
volume group and everything works out-of-the-box.
Today however you don't need to do anything: the latest version of the
'docker' package uses overlayfs2 by default. This is backed by the
filesystem, not a block device, so no configuration necessary. I reckon
the 'docker-latest' package defaults to it as well.
> Accept Redhat's default Docker storage configuration and possible
> problems under heavy load. This was the approach we took, mainly
> because ours is a research use and we don't anticipate the sorts of
> system load that cause problems for Docker on Redhat in the default
> configuration.
This wasn't so much a default as a fallback so you could at least test
Docker even if you didn't leave it enough space for it to store its
image layers on the VG. It simply created loopback block devices backed
by files on the filesystem. The levels of indirection are numerous
(fs->loop->fs->vol as opposed to fs->vol) and it really isn't
recommended.
> Docker likes working with iptables and does not play well with
> firewalld. I tried working with a hybrid system, keeping firewalld
> and fixing things when Docker would break it, but I eventually turned
> off firewalld and reverted to using iptables.
It used to be that you had to make sure you started Docker after
firewalld, and although it was set up that way by default and I never
experienced any issues in the past, even that doesn't seem to be true
anymore (and indeed they stopped documenting it). I've just tested
restarting firewalld in a sandbox and everything seems to work fine
(container published ports are still accessible).
tl;dr I recommend using the latest point release. Everything has been
working seamlessly for us (at multiple production sites) so far. YMMV.
Best regards,
--
Thibault Nélis <t...@osimis.io>
Osimis
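An added example, not part of the mail above and not Osimis' or Docker's own code: two checks a practitioner would run on a CentOS/RHEL Docker host after reading this thread. The first classifies the storage driver from the text of `docker info`, distinguishing overlay2, devicemapper on a real thin pool (direct-lvm) and the loopback-file fallback the reply warns against. The second reads `iptables -S DOCKER` and confirms an ACCEPT rule for a published TCP port still exists, which is how you would verify that a firewalld restart did not flush Docker's chain. The sample outputs are constructed to resemble Docker 1.12-era output so the script runs offline; the port number 8042 and the pool names are assumptions for the sample.

```shell
#!/bin/sh
# Added example (not from the original mail): sanity checks for a
# CentOS/RHEL Docker host, driven by the text of `docker info` and
# `iptables -S DOCKER`. The sample outputs below are constructed to
# resemble Docker 1.12-era output so the script runs offline; on a
# real host pipe the live commands into the functions instead.

# classify_storage: read `docker info` text on stdin and print one of
#   overlay2           filesystem-backed, nothing to configure
#   devicemapper-lvm   devicemapper on a real block device (direct-lvm)
#   devicemapper-loop  devicemapper on loopback files, the fallback to avoid
#   unknown            no "Storage Driver:" line found
classify_storage() {
    info=$(cat)
    driver=$(printf '%s\n' "$info" | sed -n 's/^ *Storage Driver: *//p' | head -n 1)
    case "$driver" in
        '') echo unknown ;;
        devicemapper)
            # The loopback fallback reports "Data loop file:" entries and
            # /dev/loopN data/metadata devices; direct-lvm reports neither.
            if printf '%s\n' "$info" | grep -Eq '^ *(Data loop file:|Data file: */dev/loop)'; then
                echo devicemapper-loop
            else
                echo devicemapper-lvm
            fi ;;
        *) echo "$driver" ;;
    esac
}

# port_published PORT: read `iptables -S DOCKER` (filter table) on stdin
# and succeed if an ACCEPT rule for TCP port PORT is present. A firewalld
# restart that flushed the DOCKER chain makes this fail for every port.
port_published() {
    grep -Eq -- "-A DOCKER .*-p tcp .*--dport $1 .*-j ACCEPT"
}

# Constructed samples (not captured from a real host).
DM_LOOP_INFO='Storage Driver: devicemapper
 Pool Name: docker-253:0-1234-pool
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata'

DM_LVM_INFO='Storage Driver: devicemapper
 Pool Name: docker-thinpool
 Pool Blocksize: 524.3 kB
 Data file:
 Metadata file:'

OVERLAY2_INFO='Storage Driver: overlay2
 Backing Filesystem: xfs'

DOCKER_CHAIN='-N DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8042 -j ACCEPT'

DOCKER_CHAIN_FLUSHED='-N DOCKER'

# Usage on a live host:
#   docker info 2>/dev/null | classify_storage
#   iptables -S DOCKER | port_published 8042 && echo "8042 still published"
printf 'loopback sample:  %s\n' "$(printf '%s\n' "$DM_LOOP_INFO" | classify_storage)"
printf 'direct-lvm sample: %s\n' "$(printf '%s\n' "$DM_LVM_INFO" | classify_storage)"
printf 'overlay2 sample:   %s\n' "$(printf '%s\n' "$OVERLAY2_INFO" | classify_storage)"
if printf '%s\n' "$DOCKER_CHAIN" | port_published 8042; then
    echo "port 8042: rule present"
fi
if ! printf '%s\n' "$DOCKER_CHAIN_FLUSHED" | port_published 8042; then
    echo "port 8042: rule missing (DOCKER chain flushed?)"
fi
```

If the first check reports devicemapper-loop, the remedy the reply describes is either to leave free space in the volume group for the oneshot setup service or to select overlay2 explicitly (for example `"storage-driver": "overlay2"` in /etc/docker/daemon.json); note that switching drivers makes images stored under the old driver invisible, so plan to re-pull them.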