Install Mirantis Container Runtime for Red Hat Enterprise Linux

There are two ways to install and upgrade Mirantis Container Runtime (MCR).

  • YUM repository: Set up a Docker repository and install Mirantis Container Runtime from it. This is the recommended approach because installation and upgrades are managed with YUM and easier to do.

  • RPM package: Download the RPM package, install it manually, and manage upgrades manually. This is useful when installing Mirantis Container Runtime on air-gapped systems with no access to the internet.

Prerequisites

Perform all prerequisites as required prior to installing MCR on Red Hat Enterprise Linux.

Architectures and storage drivers

Mirantis Container Runtime supports Red Hat Enterprise Linux 64-bit, versions 7.4 and higher running on x86_64. See the compatibility-matrix for specific details.

On Red Hat Enterprise Linux, Mirantis Container Runtime supports the overlay2 storage driver. The following limitations apply:

  • OverlayFS: If selinux is enabled, the overlay2 storage driver is supported on RHEL 7.4 or higher.

  • If selinux is disabled, overlay2 is supported on RHEL 7.2 or higher with kernel version 3.10.0-693 and higher.

FIPS 140-2 cryptographic module support

Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.

With Mirantis Container Runtime license for versions 20.10.x, Mirantis provides FIPS 140-2 support in RHEL 7.x, 8.x, and 9.x (as per the MCR 20.10 Compatibility Matrix). This includes a FIPS supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is also automatically enabled in MCR. If FIPS support is not already enabled in your RHEL implementation, see the Red Hat Product Documentation for instructions on how to enable it.

To verify the FIPS 140-2 module is enabled in the Linux kernel, confirm the file /proc/sys/crypto/fips_enabled contains 1.

cat /proc/sys/crypto/fips_enabled
1

Note

FIPS is only supported in Mirantis Container Runtime. MKE and MSR currently do not have support for FIPS 140-2.

You can override FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode. Note, this does not change FIPS 140-2 mode on the system. To override the FIPS 140-2 mode, follow ths steps below.

Create a file called /etc/systemd/system/docker.service.d/fips-module.conf. Add the following:

[Service]
Environment="DOCKER_FIPS=1"

Reload the Docker configuration to systemd.

sudo systemctl daemon-reload

Restart the Docker service as root.

sudo systemctl restart docker

To confirm Docker is running with FIPS 140-2 enabled, run the docker info command.

Disabling FIPS 140-2

If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS 140-2 compliance.

To disable FIPS 140-2 in Docker but not the operating system, set the value DOCKER_FIPS=0 in the /etc/systemd/system/docker.service.d/fips-module.conf.

Reload the Docker configuration to systemd.

sudo systemctl daemon-reload

Restart the Docker service as root.

sudo systemctl restart docker

Uninstall old Docker versions

The Mirantis Container Runtime package is called docker-ee. Older versions were called docker or docker-engine. Uninstall all older versions and associated dependencies. The contents of /var/lib/docker/ are preserved, including images, containers, volumes, and networks.

sudo yum remove docker \
                docker-client \
                docker-client-latest \
                docker-common \
                docker-latest \
                docker-latest-logrotate \
                docker-logrotate \
                docker-selinux \
                docker-engine-selinux \
                docker-engine

Repo install and upgrade

The advantage of using a repository from which to install Mirantis Container Runtime (or any software) is that it provides a certain level of automation. RPM-based distributions such as Red Hat Enterprise Linux, use a tool called YUM that work with your repositories to manage dependencies and provide automatic updates.

Set up the repository

You only need to set up the repository once, after which you can install Mirantis Container Runtime from the repo and repeatedly upgrade as necessary.

  1. Remove existing Docker repositories from /etc/yum.repos.d/:

    sudo rm /etc/yum.repos.d/docker*.repo
    
  2. Temporarily store https://repos.mirantis.com in an environment variable. This variable assignment does not persist when the session ends:

    export DOCKERURL="https://repos.mirantis.com"
    
  3. Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:

    sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
    

    Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 7, 8, or 9 but you can also use the more specific minor version, starting from 7.2.

    sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
    
  4. Install the yum-utils that provides the yum-config-manager utility.

    sudo yum install -y yum-utils
    
  5. Enable the extras RHEL repository. This ensures access to the container-selinux package required by docker-ee.

    The repository can differ per your architecture and cloud provider, so review the options in this step before running:

    For all architectures except IBM Power:

    sudo yum-config-manager --enable rhel-7-server-extras-rpms
    

    For IBM Power only (little endian):

    sudo yum-config-manager --enable extras
      sudo subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
      sudo yum makecache fast
      sudo yum -y install container-selinux
    

    Depending on cloud provider, you may also need to enable another repository:

    For AWS:

    sudo yum-config-manager --enable rhel-7-server-rhui-extras-rpms
    

    For Azure:

    sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms
    

    Add the Mirantis Container Runtime stable repository:

    sudo -E yum-config-manager \
         --add-repo \
         "$DOCKERURL/rhel/docker-ee.repo"
    
  1. Remove existing Docker repositories from /etc/yum.repos.d/:

    sudo rm /etc/yum.repos.d/docker*.repo
    
  2. Temporarily store https://repos.mirantis.com in an environment variable. This variable assignment does not persist when the session ends:

    export DOCKERURL="https://repos.mirantis.com"
    
  3. Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:

    sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
    

    Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 8, but you can also use the more specific minor version.

    sudo sh -c 'echo "8" > /etc/yum/vars/dockerosversion'
    
  4. Install the yum-utils that provides the yum-config-manager utility:

    sudo yum install -y yum-utils
    
  5. Add the Mirantis Container Runtime stable repository:

    sudo -E yum-config-manager \
      --add-repo \
      "$DOCKERURL/rhel/docker-ee.repo"
    
  1. Remove existing Docker repositories from /etc/yum.repos.d/:

    sudo rm /etc/yum.repos.d/docker*.repo
    
  2. Temporarily store https://repos.mirantis.com in an environment variable. This variable assignment does not persist when the session ends:

    export DOCKERURL="https://repos.mirantis.com"
    
  3. Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:

    sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
    

    Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 9, but you can also use the more specific minor version.

    sudo sh -c 'echo "9" > /etc/yum/vars/dockerosversion'
    
  4. Install the yum-utils that provides the yum-config-manager utility:

    sudo yum install -y yum-utils
    
  5. Add the Mirantis Container Runtime stable repository:

    sudo -E yum-config-manager \
      --add-repo \
      "$DOCKERURL/rhel/docker-ee.repo"
    

Install from the repository

  1. Install the latest patch release, or go to the next step to install a specific version:

    MCR 20.10.12 and later

    Requires the addition of the docker-ee-rootless-extras package.

    sudo yum -y install docker-ee docker-ee-cli \
    docker-ee-rootless-extras containerd.io
    

    Note

    MCR nodes in rootless mode cannot currently be a member of an MKE cluster.

    MCR 20.10.11 and before

    sudo yum -y install docker-ee docker-ee-cli containerd.io
    

    If prompted to accept the GPG key, verify that the fingerprint matches 77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9, and if so, accept it.

  2. To install a specific version of Mirantis Container Runtime (recommended in production), list versions and install:

    1. List and sort the versions available in your repo. This example sorts results by version number, highest to lowest, and is truncated:

      sudo yum list docker-ee  --showduplicates | sort -r
      
      docker-ee.x86_64      20.10.ee.2-1.el7.rhel      docker-ee-stable-18.09
      

      The list returned depends on which repositories you enabled, and is specific to your version of Red Hat Enterprise Linux (indicated by .el7 in this example).

    2. Install a specific version by its fully qualified package name, which is the package name (docker-ee) plus the version string (2nd column) starting at the first colon (:), up to the first hyphen, separated by a hyphen (-). For example, docker-ee-20.10.9.

      sudo yum -y install docker-ee-<VERSION_STRING> docker-ee-cli-<VERSION_STRING> containerd.io
      

      Note

      MCR 20.10.12 and later requires the addition of the docker-ee-rootless-extras package:

      sudo yum -y install docker-ee-<VERSION_STRING> \
      docker-ee-cli-<VERSION_STRING> \
      docker-ee-rootless-extras-<VERSION_STRING> containerd.io
      

      Be aware that MCR nodes in rootless mode cannot currently be a member of an MKE cluster.

    Docker is installed but not started. The docker group is created, but no users are added to the group.

  3. Start Docker:

    sudo systemctl start docker
    
  4. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    sudo docker run hello-world
    

Mirantis Container Runtime is installed and running. Use sudo to run Docker commands.

Upgrade from the repository

  1. Add the new repository.

  2. Follow the installation instructions and install a new version.

Package install and upgrade

To manually install Mirantis Container Runtime, download the .rpm file for your release. You need to download a new file each time you want to upgrade.

Install with a package

  1. Enable the extras RHEL repository. This ensures access to the container-selinux package which is required by docker-ee:

    sudo yum-config-manager --enable rhel-7-server-extras-rpms
    

    Alternately, obtain that package manually from Red Hat. There is no way to publicly browse this repository.

  2. Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.

    If you have trouble with selinux using the packages under the 7 directory, try choosing the version-specific directory instead, such as 7.3.

  3. Install MCR, changing the path below to the path where you downloaded the Docker package.

    sudo yum install <path_to_downloaded_rhel_package_.rpm>
    

    Docker is installed but not started. The docker group is created, but no users are added to the group.

  4. Start Docker:

    sudo systemctl start docker
    
  5. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    sudo docker run hello-world
    

    Mirantis Container Runtime is now installed and running. Make sure to use sudo to run Docker commands (refer to the Docker documentation for Linux postinstall for information on how to allow non-privileged users to run Docker commands.

  1. Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.

    If you have trouble with selinux using the packages under the 8 directory, try choosing the version-specific directory instead.

  2. Install Mirantis Container Runtime, changing the path below to the path where you downloaded the Docker package.

    sudo yum install <path_to_downloaded_rhel_package_.rpm>
    

    Docker is installed but not started. The docker group is created, but no users are added to the group.

  3. Start Docker:

    sudo systemctl start docker
    
  4. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    sudo docker run hello-world
    

    Mirantis Container Runtime is now installed and running. Make sure to use sudo to run Docker commands (refer to the Docker documentation for Linux postinstall for information on how to allow non-privileged users to run Docker commands.

  1. Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.

    If you have trouble with selinux using the packages under the 9 directory, try choosing the version-specific directory instead.

  2. Install Mirantis Container Runtime, changing the path below to the path where you downloaded the Docker package.

    sudo yum install <path_to_downloaded_rhel_package_.rpm>
    

    Docker is installed but not started. The docker group is created, but no users are added to the group.

  3. Start Docker:

    sudo systemctl start docker
    
  4. Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:

    sudo docker run hello-world
    

    Mirantis Container Runtime is now installed and running. Make sure to use sudo to run Docker commands (refer to the Docker documentation for Linux postinstall for information on how to allow non-privileged users to run Docker commands.

Upgrade with a package

  1. Download the newer package file.

  2. Repeat the installation procedure, using yum -y upgrade instead of yum -y install, and point to the new file.

Enable MCR Telemetry

By default, MCR automatically records and transmits data to Mirantis for monitoring and analysis purposes. The data collected provides the Mirantis Customer Success Organization with information that helps us to better understand the operational use of MCR by our customers. It also provides key feedback in the form of product usage statistics, which enable our product teams to enhance Mirantis products and services.

To disable the telemetry function, set features.telemetry to false in your /etc/docker/daemon.json file. Change the setting to true to re-enable telemetry.

{"features":{"telemetry": false}}

Caution

To send the telemetry, verify that dockerd can resolve api.segment.io and create a TCP (HTTPS) connection on port 443.

Run MCR as a non-root user (Rootless mode)

Note

MCR nodes in rootless mode cannot belong to a MKE cluster.

For information on rootless mode installation and configuration, refer to the Docker documentation Run the Docker daemon as a non-root user (Rootless mode).

Uninstall Mirantis Container Runtime

  1. Uninstall the Mirantis Container Runtime package:

    sudo yum -y remove docker-ee
    
  2. Delete all images, containers, and volumes (because these are not automatically removed from your host):

    sudo rm -rf /var/lib/docker
    
  3. Delete other Docker related resources:

    sudo rm -rf /run/docker
    sudo rm -rf /var/run/docker
    sudo rm -rf /etc/docker
    
  4. You must delete any edited configuration files manually.