There are two ways to install and upgrade Mirantis Container Runtime on Red Hat Enterprise Linux:
To install MCR, you first need to go to repos.mirantis.com to obtain the URL for the static repository that
contains the MCR software for the desired RHEL version (henceforth referred to
here as <MCR-RHEL-URL>
.)
Mirantis Container Runtime supports Red Hat Enterprise Linux 64-bit,
versions 7.4 and higher running on x86_64
. See the Compatibility Matrix
for specific details.
On Red Hat Enterprise Linux, Mirantis Container Runtime supports the
overlay2
storage driver. The following limitations apply:
selinux
is enabled, the overlay2
storage driver is
supported on RHEL 7.4 or higher.selinux
is disabled, overlay2
is supported on RHEL 7.2 or higher
with kernel version 3.10.0-693 and higher.Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.
With Mirantis Container Runtime Basic license for versions 18.03 and later, Docker provides FIPS 140-2 support in RHEL 7.3, 7.4 and 7.5. This includes a FIPS supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is also automatically enabled in the Docker engine. If FIPS support is not already enabled in your RHEL implementation, visit the Red Hat Product Documentation for instructions on how to enable it.
To verify the FIPS-140-2 module is enabled in the Linux kernel, confirm
the file /proc/sys/crypto/fips_enabled
contains 1
.
$ cat /proc/sys/crypto/fips_enabled
1
Note
FIPS is only supported in Mirantis Container Runtime. MKE and MSR currently do not have support for FIPS-140-2.
You can override FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode. Note, this does not change FIPS 140-2 mode on the system. To override the FIPS 140-2 mode, follow ths steps below.
Create a file called
/etc/systemd/system/docker.service.d/fips-module.conf
. Add the
following:
[Service]
Environment="DOCKER_FIPS=1"
Reload the Docker configuration to systemd.
$ sudo systemctl daemon-reload
Restart the Docker service as root.
$ sudo systemctl restart docker
To confirm Docker is running with FIPS-140-2 enabled, run the
docker info
command.
docker info --format {{.SecurityOptions}}
[name=selinux name=fips]
If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance.
To disable FIPS 140-2 in Docker but not the operating system, set the
value DOCKER_FIPS=0
in the
/etc/systemd/system/docker.service.d/fips-module.conf
.
Reload the Docker configuration to systemd.
$ sudo systemctl daemon-reload
Restart the Docker service as root.
$ sudo systemctl restart docker
The Mirantis Container Runtime package is called docker-ee
. Older
versions were called docker
or docker-engine
. Uninstall all
older versions and associated dependencies. The contents of
/var/lib/docker/
are preserved, including images, containers,
volumes, and networks.
$ sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
The advantage of using a repository from which to install Mirantis Container Runtime (or any software) is that it provides a certain level of automation. RPM-based distributions such as Red Hat Enterprise Linux, use a tool called YUM that work with your repositories to manage dependencies and provide automatic updates.
Disable SELinux before installing Mirantis Container Runtime 17.06.xx on IBM Z systems
There is currently
no support for selinux
on IBM Z systems. If you attempt > to install
or upgrade Mirantis Container Runtime on an IBM Z system with >
selinux
enabled, an error is thrown that the container-selinux
package is > not found. Disable selinux
before installing or
upgrading Docker on IBM Z. > IBM Z systems are supported on Docker
Engine - Enterprise versions 17.06.xx > only.
You only need to set up the repository once, after which you can install Mirantis Container Runtime from the repo and repeatedly upgrade as necessary.
Install the latest patch release, or go to the next step to install a specific version:
$ sudo yum -y install docker-ee docker-ee-cli containerd.io
If prompted to accept the GPG key, verify that the fingerprint matches
77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9
, and if so, accept it.
To install a specific version of Mirantis Container Runtime (recommended in production), list versions and install:
List and sort the versions available in your repo. This example sorts results by version number, highest to lowest, and is truncated:
$ sudo yum list docker-ee --showduplicates | sort -r
docker-ee.x86_64 19.03.ee.2-1.el7.rhel docker-ee-stable-18.09
The list returned depends on which repositories you enabled, and is
specific to your version of Red Hat Enterprise Linux (indicated by
.el7
in this example).
Install a specific version by its fully qualified package name,
which is the package name (docker-ee
) plus the version string
(2nd column) starting at the first colon (:
), up to the first
hyphen, separated by a hyphen (-
). For example,
docker-ee-18.09.1
.
$ sudo yum -y install docker-ee-<VERSION_STRING> docker-ee-cli-<VERSION_STRING> containerd.io
For example, if you want to install the 18.09 version run the following:
sudo yum-config-manager --enable docker-ee-stable-18.09
Docker is installed but not started. The docker
group is created,
but no users are added to the group.
Start Docker:
Note
If using devicemapper
, ensure it is properly configured before
starting Docker.
$ sudo systemctl start docker
Verify that Mirantis Container Runtime is installed correctly by
running the hello-world
image. This command downloads a test
image, runs it in a container, prints an informational message, and
exits:
$ sudo docker run hello-world
Mirantis Container Runtime is installed and running. Use sudo
to
run Docker commands.
To manually install Docker Enterprise, download the
.rpm
file for your release. You need to
download a new file each time you want to upgrade Docker Enterprise.
yum -y upgrade
instead of yum -y install
, and point to
the new file.Uninstall the Mirantis Container Runtime package:
$ sudo yum -y remove docker-ee
Delete all images, containers, and volumes (because these are not automatically removed from your host):
$ sudo rm -rf /var/lib/docker
Delete other Docker related resources:
$ sudo rm -rf /run/docker
$ sudo rm -rf /var/run/docker
$ sudo rm -rf /etc/docker
If desired, remove the devicemapper
thin pool and reformat the
block devices that were part of it.
Note
You must delete any edited configuration files manually.