There are two ways to install and upgrade :ref:`Docker Enterprise<docker-engine-enterprise> on Red Hat Enterprise Linux:
This section lists what you need to consider before installing Docker EE. Items that require action are explained below.
x86_64.overlay2 or devicemapper (direct-lvm
mode in production)./etc/yum.repos.d/.Docker EE supports Red Hat Enterprise Linux 64-bit,
versions 7.4 and higher running on x86_64.
On Red Hat Enterprise Linux, Docker EE supports storage drivers, overlay2
and devicemapper. In Docker EE 17.06.2-ee-5 and higher, overlay2 is the
recommended storage driver. The following limitations apply:
selinux is enabled, the
overlay2 storage driver is supported on RHEL 7.4
or higher. If selinux is disabled, overlay2 is supported on
RHEL 7.2 or higher with kernel version 3.10.0-693 and
higher.devicemapper, you must use direct-lvm mode, which requires
one or more dedicated block devices. Fast storage such as solid-state
media (SSD) is recommended.Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.
With Docker EE Basic license for versions 18.03 and later, Docker provides FIPS 140-2 support in RHEL 7.3, 7.4 and 7.5. This includes a FIPS supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is also automatically enabled in the Docker engine.
To verify the FIPS 140-2 module is enabled in the Linux kernel, confirm
the file /proc/sys/crypto/fips_enabled contains 1.
$ cat /proc/sys/crypto/fips_enabled
1
Note
FIPS is only supported in Docker Engine EE. UCP and DTR currently do not have support for FIPS 140-2.
To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, do the following:
Create a file called
/etc/systemd/system/docker.service.d/fips-module.conf. Add the
following:
[Service]
Environment="DOCKER_FIPS=1"
Reload the Docker configuration to systemd.
$ sudo systemctl daemon-reload
Restart the Docker service as root.
$ sudo systemctl restart docker
To confirm Docker is running with FIPS 140-2 enabled, run the
docker info command.
docker info --format {{.SecurityOptions}}
[name=selinux name=fips]
If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS 140-2 compliance.
To disable FIPS 140-2 in Docker but not the operating system, set the
value DOCKER_FIPS=0 in the
/etc/systemd/system/docker.service.d/fips-module.conf.
Reload the Docker configuration to systemd.
$ sudo systemctl daemon-reload
Restart the Docker service as root.
$ sudo systemctl restart docker
To install Docker Enterprise, you will need the URL of the Docker Enterprise repository associated with your trial or subscription:
You will use this URL in a later step to create a variable called,
DOCKERURL.
The Docker EE package is called docker-ee. Older
versions were called docker or docker-engine. Uninstall all
older versions and associated dependencies. The contents of
/var/lib/docker/ are preserved, including images, containers,
volumes, and networks.
$ sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
The advantage of using a repository from which to install Docker EE (or any software) is that it provides a certain level of automation. RPM-based distributions such as Red Hat Enterprise Linux, use a tool called YUM that work with your repositories to manage dependencies and provide automatic updates.
Disable SELinux before installing Docker EE 17.06.xx on IBM Z systems
There is currently
no support for selinux on IBM Z systems. If you attempt > to install
or upgrade Docker EE on an IBM Z system with >
selinux enabled, an error is thrown that the container-selinux
package is > not found. Disable selinux before installing or
upgrading Docker on IBM Z.
You only need to set up the repository once, after which you can install Docker EE from the repo and repeatedly upgrade as necessary.
Remove existing Docker repositories from /etc/yum.repos.d/:
$ sudo rm /etc/yum.repos.d/docker*.repo
Temporarily store the URL (that you copied above) in an environment variable. Replace <DOCKER-EE-URL> with your URL in the following command. This variable assignment does not persist when the session ends:
$ export DOCKERURL="<DOCKER-EE-URL>"
Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:
$ sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 7, but you can also use the more specific minor version, starting from 7.2.
$ sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
Install required packages: yum-utils provides the yum-config-manager utility, and device-mapper-persistent-data and lvm2 are required by the devicemapper storage driver:
$ sudo yum install -y yum-utils \
device-mapper-persistent-data \
lvm2
Enable the extras RHEL repository. This ensures access to the container-selinux package required by docker-ee.
The repository can differ per your architecture and cloud provider, so review the options in this step before running:
For all architectures except IBM Power:
$ sudo yum-config-manager --enable rhel-7-server-extras-rpms
For IBM Power only (little endian):
$ sudo yum-config-manager --enable extras
$ sudo subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
$ sudo yum makecache fast
$ sudo yum -y install container-selinux
Depending on cloud provider, you may also need to enable another repository:
For AWS (where REGION is a literal, and does not represent the region your machine is running in):
$ sudo yum-config-manager --enable rhui-REGION-rhel-server-extras
For Azure:
$ sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms
Add the Docker EE stable repository:
$ sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/rhel/docker-ee.repo"
Install the latest patch release, or go to the next step to install a specific version:
$ sudo yum -y install docker-ee docker-ee-cli containerd.io
If prompted to accept the GPG key, verify that the fingerprint matches
77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9, and if so, accept it.
To install a specific version of Docker EE (recommended in production), list versions and install:
List and sort the versions available in your repo. This example sorts results by version number, highest to lowest, and is truncated:
$ sudo yum list docker-ee --showduplicates | sort -r
docker-ee.x86_64 19.03.ee.2-1.el7.rhel docker-ee-stable-18.09
The list returned depends on which repositories you enabled, and is
specific to your version of Red Hat Enterprise Linux (indicated by
.el7 in this example).
Install a specific version by its fully qualified package name,
which is the package name (docker-ee) plus the version string
(2nd column) starting at the first colon (:), up to the first
hyphen, separated by a hyphen (-). For example,
docker-ee-18.09.1.
$ sudo yum -y install docker-ee-<VERSION_STRING> docker-ee-cli-<VERSION_STRING> containerd.io
For example, if you want to install the 18.09 version run the following:
sudo yum-config-manager --enable docker-ee-stable-18.09
Docker is installed but not started. The docker group is created,
but no users are added to the group.
Start Docker:
Note
If using devicemapper, ensure it is properly configured before
starting Docker.
$ sudo systemctl start docker
Verify that Docker EE is installed correctly by
running the hello-world image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
$ sudo docker run hello-world
Docker EE is installed and running. Use sudo to
run Docker commands.
To manually install Docker Enterprise, download the
.rpm file for your release. You need to
download a new file each time you want to upgrade Docker EE.
Disable SELinux before installing Docker EE on IBM Z systems
There is currently no support for selinux on IBM Z systems. If you
attempt to install or upgrade Docker EE on an IBM Z system with selinux
enabled, an error is thrown that the container-selinux package is not
found. Disable selinux before installing or upgrading Docker on IBM Z.
Enable the extras RHEL repository. This ensures access to the container-selinux package which is required by docker-ee:
$ sudo yum-config-manager --enable rhel-7-server-extras-rpms
Alternately, obtain that package manually from Red Hat. There is no way to publicly browse this repository.
Go to the Docker EE repository URL associated with your trial or subscription in your browser. Go to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.
Note
If you have trouble with selinux using the packages under the 7 directory, try choosing the version-specific directory instead, such as 7.3.
Install Docker EE, changing the path below to the path where you downloaded the Docker package.
$ sudo yum install /path/to/package.rpm
Docker is installed but not started. The docker group is created, but no users are added to the group.
Start Docker:
Note
If using devicemapper, ensure it is properly configured before starting Docker, per the storage guide.
$ sudo systemctl start docker
Verify that Docker EE is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:
$ sudo docker run hello-world
Docker EE is installed and running. Use sudo to run Docker commands. See Linux postinstall to allow non-privileged users to run Docker commands.
Uninstall the Docker EE package:
$ sudo yum -y remove docker-ee
Delete all images, containers, and volumes (because these are not automatically removed from your host):
$ sudo rm -rf /var/lib/docker
Delete other Docker related resources:
$ sudo rm -rf /run/docker
$ sudo rm -rf /var/run/docker
$ sudo rm -rf /etc/docker
If desired, remove the devicemapper thin pool and reformat the
block devices that were part of it.
Note
You must delete any edited configuration files manually.