Get Mirantis Container Runtime for Red Hat Linux

Get Mirantis Container Runtime for Red Hat Linux

There are two ways to install and upgrade Mirantis Container Runtime on Red Hat Enterprise Linux:

  • YUM repository: Set up a Docker repository and install Mirantis Container Runtime from it. This is the recommended approach because installation and upgrades are managed with YUM and easier to do.
  • RPM package: Download the RPM package, install it manually, and manage upgrades manually. This is useful when installing Mirantis Container Runtime on air-gapped systems with no access to the internet.

Prerequisites

To install MCR, you first need to go to repos.mirantis.com to obtain the URL for the static repository that contains the MCR software for the desired RHEL version (henceforth referred to here as <MCR-RHEL-URL>.)

Architectures and storage drivers

Mirantis Container Runtime supports Red Hat Enterprise Linux 64-bit, versions 7.4 and higher running on x86_64. See the Compatibility Matrix for specific details.

On Red Hat Enterprise Linux, Mirantis Container Runtime supports the overlay2 storage driver. The following limitations apply:

  • OverlayFS: If selinux is enabled, the overlay2 storage driver is supported on RHEL 7.4 or higher.
  • If selinux is disabled, overlay2 is supported on RHEL 7.2 or higher with kernel version 3.10.0-693 and higher.

FIPS 140-2 cryptographic module support

Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.

With Mirantis Container Runtime Basic license for versions 18.03 and later, Docker provides FIPS 140-2 support in RHEL 7.3, 7.4 and 7.5. This includes a FIPS supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is also automatically enabled in the Docker engine. If FIPS support is not already enabled in your RHEL implementation, visit the Red Hat Product Documentation for instructions on how to enable it.

To verify the FIPS-140-2 module is enabled in the Linux kernel, confirm the file /proc/sys/crypto/fips_enabled contains 1.

$ cat /proc/sys/crypto/fips_enabled
1

Note

FIPS is only supported in Mirantis Container Runtime. MKE and MSR currently do not have support for FIPS-140-2.

You can override FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode. Note, this does not change FIPS 140-2 mode on the system. To override the FIPS 140-2 mode, follow ths steps below.

Create a file called /etc/systemd/system/docker.service.d/fips-module.conf. Add the following:

[Service]
Environment="DOCKER_FIPS=1"

Reload the Docker configuration to systemd.

$ sudo systemctl daemon-reload

Restart the Docker service as root.

$ sudo systemctl restart docker

To confirm Docker is running with FIPS-140-2 enabled, run the docker info command.

docker info --format {{.SecurityOptions}}
[name=selinux name=fips]

Disabling FIPS-140-2

If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance.

To disable FIPS 140-2 in Docker but not the operating system, set the value DOCKER_FIPS=0 in the /etc/systemd/system/docker.service.d/fips-module.conf.

Reload the Docker configuration to systemd.

$ sudo systemctl daemon-reload

Restart the Docker service as root.

$ sudo systemctl restart docker

Uninstall old Docker versions

The Mirantis Container Runtime package is called docker-ee. Older versions were called docker or docker-engine. Uninstall all older versions and associated dependencies. The contents of /var/lib/docker/ are preserved, including images, containers, volumes, and networks.

$ sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-selinux \
                  docker-engine-selinux \
                  docker-engine

Repo install and upgrade

The advantage of using a repository from which to install Mirantis Container Runtime (or any software) is that it provides a certain level of automation. RPM-based distributions such as Red Hat Enterprise Linux, use a tool called YUM that work with your repositories to manage dependencies and provide automatic updates.

Disable SELinux before installing Mirantis Container Runtime 17.06.xx on IBM Z systems

There is currently no support for selinux on IBM Z systems. If you attempt > to install or upgrade Mirantis Container Runtime on an IBM Z system with > selinux enabled, an error is thrown that the container-selinux package is > not found. Disable selinux before installing or upgrading Docker on IBM Z. > IBM Z systems are supported on Docker Engine - Enterprise versions 17.06.xx > only.

Set up the repository

You only need to set up the repository once, after which you can install Mirantis Container Runtime from the repo and repeatedly upgrade as necessary.

  1. Remove existing Docker repositories from /etc/yum.repos.d/:

    $ sudo rm /etc/yum.repos.d/docker*.repo
      
  2. Temporarily store the URL (that you copied above) in an environment variable. Replace <DOCKER-EE-URL> with your URL in the following command. This variable assignment does not persist when the session ends:

    $ export DOCKERURL="<DOCKER-EE-URL>"
      
  3. Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:

    $ sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
      

    Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 7 or 8, but you can also use the more specific minor version, starting from 7.2.

    $ sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
      
  4. Install required packages: yum-utils provides the yum-config-manager utility, and device-mapper-persistent-data and lvm2 are required by the devicemapper storage driver:

    $ sudo yum install -y yum-utils \
      device-mapper-persistent-data \
      lvm2
      
  5. Enable the extras RHEL repository. This ensures access to the container-selinux package required by docker-ee.

    The repository can differ per your architecture and cloud provider, so review the options in this step before running:

    For all architectures except IBM Power:

    $ sudo yum-config-manager --enable rhel-7-server-extras-rpms
      

    For IBM Power only (little endian):

    $ sudo yum-config-manager --enable extras
      $ sudo subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
      $ sudo yum makecache fast
      $ sudo yum -y install container-selinux
      

    Depending on cloud provider, you may also need to enable another repository:

    For AWS (where REGION is a literal, and does not represent the region your machine is running in):

    $ sudo yum-config-manager --enable rhui-REGION-rhel-server-extras
      

    For Azure:

    $ sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms
      
  6. Add the Mirantis Container Runtime stable repository:

    $ sudo -E yum-config-manager \
         --add-repo \
         "$DOCKERURL/rhel/docker-ee.repo"
      
  1. Remove existing Docker repositories from /etc/yum.repos.d/:

    $ sudo rm /etc/yum.repos.d/docker*.repo
      
  2. Temporarily store the URL (that you copied above) in an environment variable. Replace <DOCKER-EE-URL> with your URL in the following command. This variable assignment does not persist when the session ends:

    $ export DOCKERURL="<DOCKER-EE-URL>"
      
  3. Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:

    $ sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
      

    Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 8, but you can also use the more specific minor version.

    $ sudo sh -c 'echo "8" > /etc/yum/vars/dockerosversion'
      
  4. Install required packages: yum-utils provides the yum-config-manager utility, and device-mapper-persistent-data and lvm2 are required by the devicemapper storage driver:

    $ sudo yum install -y yum-utils \
      device-mapper-persistent-data \
      lvm2
      
  5. Add the Mirantis Container Runtime stable repository:

    $ sudo -E yum-config-manager \
         --add-repo \
         "$DOCKERURL/rhel/docker-ee.repo"
      

Install from the repository

  1. Install the latest patch release, or go to the next step to install a specific version:

    $ sudo yum -y install docker-ee docker-ee-cli containerd.io
    

    If prompted to accept the GPG key, verify that the fingerprint matches 77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9, and if so, accept it.

  2. To install a specific version of Mirantis Container Runtime (recommended in production), list versions and install:

    1. List and sort the versions available in your repo. This example sorts results by version number, highest to lowest, and is truncated:

      $ sudo yum list docker-ee  --showduplicates | sort -r
      
      docker-ee.x86_64      19.03.ee.2-1.el7.rhel      docker-ee-stable-18.09
      

      The list returned depends on which repositories you enabled, and is specific to your version of Red Hat Enterprise Linux (indicated by .el7 in this example).

    2. Install a specific version by its fully qualified package name, which is the package name (docker-ee) plus the version string (2nd column) starting at the first colon (:), up to the first hyphen, separated by a hyphen (-). For example, docker-ee-18.09.1.

      $ sudo yum -y install docker-ee-<VERSION_STRING> docker-ee-cli-<VERSION_STRING> containerd.io
      

      For example, if you want to install the 18.09 version run the following:

      sudo yum-config-manager --enable docker-ee-stable-18.09
      

      Docker is installed but not started. The docker group is created, but no users are added to the group.

  3. Start Docker:

    Note

    If using devicemapper, ensure it is properly configured before starting Docker.

    $ sudo systemctl start docker
    
  4. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    $ sudo docker run hello-world
    

    Mirantis Container Runtime is installed and running. Use sudo to run Docker commands.

Upgrade from the repository

  1. Add the new repository.
  2. Follow the installation instructions and install a new version.

Package install and upgrade

To manually install Docker Enterprise, download the .rpm file for your release. You need to download a new file each time you want to upgrade Docker Enterprise.

Install with a package

  1. Enable the extras RHEL repository. This ensures access to the container-selinux package which is required by docker-ee:

    $ sudo yum-config-manager --enable rhel-7-server-extras-rpms
      

    Alternately, obtain that package manually from Red Hat. There is no way to publicly browse this repository.

  2. Go to the Mirantis Container Runtime repository URL associated with your trial or subscription in your browser. Go to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.

    If you have trouble with selinux using the packages under the 7 directory, try choosing the version-specific directory instead, such as 7.3.

  3. Install Docker Enterprise, changing the path below to the path where you downloaded the Docker package.

    $ sudo yum install /path/to/package.rpm
      

    Docker is installed but not started. The docker group is created, but no users are added to the group.

  4. Start Docker:

    If using devicemapper, ensure it is properly configured before starting Docker.

    $ sudo systemctl start docker
      
  5. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    $ sudo docker run hello-world
      

    Mirantis Container Runtime is installed and running. Use sudo to run Docker commands.

  1. Go to the Mirantis Container Runtime repository URL associated with your trial or subscription in your browser. Go to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.

    If you have trouble with selinux using the packages under the 8 directory, try choosing the version-specific directory instead.

  2. Install Docker Enterprise, changing the path below to the path where you downloaded the Docker package.

    $ sudo yum install /path/to/package.rpm
      

    Docker is installed but not started. The docker group is created, but no users are added to the group.

  3. Start Docker:

    If using devicemapper, ensure it is properly configured before starting Docker.

    $ sudo systemctl start docker
      
  4. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    $ sudo docker run hello-world
      

    Mirantis Container Runtime is installed and running. Use sudo to run Docker commands.

Upgrade with a package

  1. Download the newer package file.
  2. Repeat the installation procedure, using yum -y upgrade instead of yum -y install, and point to the new file.

Uninstall Mirantis Container Runtime

  1. Uninstall the Mirantis Container Runtime package:

    $ sudo yum -y remove docker-ee
    
  2. Delete all images, containers, and volumes (because these are not automatically removed from your host):

    $ sudo rm -rf /var/lib/docker
    
  3. Delete other Docker related resources:

    $ sudo rm -rf /run/docker
    $ sudo rm -rf /var/run/docker
    $ sudo rm -rf /etc/docker
    
  4. If desired, remove the devicemapper thin pool and reformat the block devices that were part of it.

Note

You must delete any edited configuration files manually.

Next steps