@refractalize
Last active April 18, 2016 15:27
Running Docker on RHEL 7

RPM repositories

subscription-manager repos --enable=rhel-7-server-extras-rpms
subscription-manager repos --enable=rhel-7-server-optional-rpms

Install

yum install docker

Startup options

Docker options are normally stored in /etc/sysconfig/docker.

If you want to add additional startup arguments to docker, edit this file:

# /etc/sysconfig/docker
other_args="..."

Place your arguments in the other_args setting, creating it if it doesn't exist.

However, other_args won't work on its own, since the service doesn't honour other_args by default. Edit /usr/lib/systemd/system/docker.service to add $other_args to the ExecStart setting:

[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.io
After=network.target

[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker -d --selinux-enabled $other_args
Restart=on-failure
LimitNOFILE=1048576
LimitNPROC=1048576

[Install]
WantedBy=multi-user.target

Volume Mapping Permissions

With --selinux-enabled I found mapping volumes didn't work, with docker not mapping the file permissions correctly.

Doing a docker run -ti -v /var/run/docker.sock:/docker.sock <image> ls -al /, would result in a listing like this:

ls: cannot access /docker.sock: Permission denied
total 8848
dr-xr-xr-x.  22 root root    4096 Jul  4 10:24 .
dr-xr-xr-x.  22 root root    4096 Jul  4 10:24 ..
-rwxr-xr-x.   1 root root       0 Jul  4 10:24 .dockerenv
-rwx------.   1 root root 8979137 Jul  4 08:44 .dockerinit
dr-xr-xr-x.   2 root root    4096 Jun  9 16:14 bin
drwxr-xr-x.   4 root root     360 Jul  4 10:24 dev
-??????????   ? ?    ?          ?            ? docker.sock
drwxr-xr-x.  40 root root    4096 Jul  4 10:24 etc
drwxr-xr-x.   2 root root    4096 Sep 23  2011 home
dr-xr-xr-x.   7 root root    4096 Jun  9 16:14 lib
dr-xr-xr-x.   5 root root    4096 Jun  9 16:14 lib64
drwx------.   2 root root    4096 Jun  9 16:10 lost+found
drwxr-xr-x.   2 root root    4096 Sep 23  2011 media
drwxr-xr-x.   2 root root    4096 Sep 23  2011 mnt
drwxr-xr-x.   2 root root    4096 Sep 23  2011 opt
dr-xr-xr-x. 118 root root       0 Jul  4 10:24 proc
dr-xr-x---.   2 root root    4096 Jun  9 16:14 root
drwxr-xr-x.   3 root root    4096 Jul  4 10:24 run
dr-xr-xr-x.   2 root root    4096 Jun  9 16:14 sbin
drwxr-xr-x.   3 root root    4096 Jun  9 16:14 selinux
drwxr-xr-x.   2 root root    4096 Sep 23  2011 srv
dr-xr-xr-x.  13 root root       0 Jul  4 09:42 sys
drwxrwxrwt.   2 root root    4096 Jun  9 16:14 tmp
drwxr-xr-x.  13 root root    4096 Jun  9 16:12 usr
drwxr-xr-x.  17 root root    4096 Jun  9 16:12 var

With the mapped volume looking like this:

-??????????   ? ?    ?          ?            ? docker.sock

Removing --selinux-enabled from /usr/lib/systemd/system/docker.service fixes this.

See Docker and SELinux.
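
Because --selinux-enabled can reach the daemon either from ExecStart or through other_args, it is worth checking the expanded command line after editing these files. The script below is an added example, not part of the gist; the function names and the constructed sample files (including the --icc=false value) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the gist): does docker.service still pass
# --selinux-enabled once EnvironmentFile variables such as other_args are
# expanded? Files are parsed, never sourced.

# effective_execstart UNIT [ROOT]: print ExecStart with $VAR / ${VAR} expanded.
# Assumes a single-line ExecStart, as in the unit shown on this page.
effective_execstart() {
    unit=$1; root=${2:-}
    envfile=$root$(sed -n 's/^EnvironmentFile=-\{0,1\}//p' "$unit" | head -n 1)
    [ -f "$envfile" ] || envfile=/dev/null   # "-" prefix: file is optional
    awk -v q="'" '
        # Literal substitution, so "&" or "\" in a value is not special.
        function expand(s, pat, rep,   out) {
            while (match(s, pat)) {
                out = out substr(s, 1, RSTART - 1) rep
                s = substr(s, RSTART + RLENGTH)
            }
            return out s
        }
        mode == "env" && /^[A-Za-z_][A-Za-z0-9_]*=/ {
            eq = index($0, "=")
            val = substr($0, eq + 1)
            gsub("^[\"" q "]|[\"" q "]$", "", val)   # strip surrounding quotes
            vars[substr($0, 1, eq - 1)] = val
        }
        mode == "unit" && /^ExecStart=/ {
            line = substr($0, 11)
            for (k in vars) {
                line = expand(line, "[$][{]" k "[}]", vars[k])
                line = expand(line, "[$]" k, vars[k])
            }
            print line
        }
    ' mode=env "$envfile" mode=unit "$unit"
}

# selinux_enabled UNIT [ROOT]: exit 0 if the daemon gets --selinux-enabled.
selinux_enabled() {
    effective_execstart "$@" | tr -s ' \t' '\n' |
        grep -qx -e '--selinux-enabled' -e '--selinux-enabled=true'
}

# Constructed sample: a unit that relies on other_args for the flag.
demo=$(mktemp -d)
mkdir -p "$demo/etc/sysconfig"
printf '%s\n' '[Service]' 'EnvironmentFile=-/etc/sysconfig/docker' \
    'ExecStart=/usr/bin/docker -d $other_args' > "$demo/docker.service"
printf '%s\n' 'other_args="--selinux-enabled --icc=false"' > "$demo/etc/sysconfig/docker"
selinux_enabled "$demo/docker.service" "$demo" && echo enabled || echo DISABLED
```

On a real host, call selinux_enabled /usr/lib/systemd/system/docker.service with no second argument so the EnvironmentFile path is read as written.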

@rhatdan

rhatdan commented Sep 12, 2014

You could have just run with a --privileged container.

@aCandidMind

Starting from Docker 1.7 (maybe even 1.6 on RHEL7/Fedora/CentOS) there is a much better option to fix volume mapping permissions than disabling SELinux: you can just append :z or :Z to the container path. See http://www.projectatomic.io/blog/2015/06/using-volumes-with-docker-can-cause-problems-with-selinux/