Install Mirantis Container Runtime for Red Hat Enterprise Linux
There are two ways to install and upgrade Mirantis Container Runtime (MCR).
YUM repository: Set up a Docker repository and install Mirantis Container Runtime from it. This is the recommended approach because installation and upgrades are managed with YUM and easier to do.
RPM package: Download the RPM package, install it manually, and manage upgrades manually. This is useful when installing Mirantis Container Runtime on air-gapped systems with no access to the internet.
Prerequisites
Perform all prerequisites as required prior to installing MCR on Red Hat Enterprise Linux.
Architectures and storage drivers
Mirantis Container Runtime supports Red Hat Enterprise Linux 64-bit, versions 7.4 and higher running on x86_64. See the compatibility-matrix for specific details.
On Red Hat Enterprise Linux, Mirantis Container Runtime supports the overlay2 storage driver. The following limitations apply:
OverlayFS: If selinux is enabled, the overlay2 storage driver is supported on RHEL 7.4 or higher. If selinux is disabled, overlay2 is supported on RHEL 7.2 or higher with kernel version 3.10.0-693 and higher.
FIPS 140-2 cryptographic module support
Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.
With a Mirantis Container Runtime license for versions 20.10.x, Mirantis provides FIPS 140-2 support in RHEL 7.x, 8.x, and 9.x (as per the MCR 20.10 Compatibility Matrix). This includes a FIPS-supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is also automatically enabled in MCR. If FIPS support is not already enabled in your RHEL implementation, see the Red Hat Product Documentation for instructions on how to enable it.
To verify the FIPS 140-2 module is enabled in the Linux kernel, confirm the file /proc/sys/crypto/fips_enabled contains 1.
cat /proc/sys/crypto/fips_enabled
1
Note
FIPS is only supported in Mirantis Container Runtime. MKE and MSR currently do not have support for FIPS 140-2.
You can override FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode. Note that this does not change FIPS 140-2 mode on the system. To override the FIPS 140-2 mode, follow the steps below.
Create a file called /etc/systemd/system/docker.service.d/fips-module.conf. Add the following:
[Service]
Environment="DOCKER_FIPS=1"
Reload the Docker configuration to systemd.
sudo systemctl daemon-reload
Restart the Docker service as root.
sudo systemctl restart docker
To confirm Docker is running with FIPS 140-2 enabled, run the docker info command.
Disabling FIPS 140-2
If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS 140-2 compliance.
To disable FIPS 140-2 in Docker but not the operating system, set the value DOCKER_FIPS=0 in the /etc/systemd/system/docker.service.d/fips-module.conf file.
Reload the Docker configuration to systemd.
sudo systemctl daemon-reload
Restart the Docker service as root.
sudo systemctl restart docker
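The kernel flag and the DOCKER_FIPS drop-in described above combine into one effective setting, which the following added example (not Mirantis code) reports for audit purposes. The function names and result labels are assumptions of this example, and it assumes one variable per Environment= line in the drop-in.

```sh
#!/bin/sh
# Added example: report which FIPS mode MCR is configured for, using the
# kernel flag and the systemd drop-in described on this page.

# Print the DOCKER_FIPS value (0 or 1) set in a drop-in file, or nothing.
# Comment lines never match; if the variable is set twice, the last one wins.
dropin_fips_value() {
    [ -r "$1" ] || return 0
    sed -n 's/^[[:space:]]*Environment="\{0,1\}DOCKER_FIPS=\([01]\)"\{0,1\}[[:space:]]*$/\1/p' "$1" |
        tail -n 1
}

# Usage: mcr_fips_state <fips_enabled file> <drop-in file>
# Prints one of: kernel | forced-on | forced-off | off
mcr_fips_state() {
    fips_kernel=0
    if [ -r "$1" ]; then fips_kernel=$(tr -d '[:space:]' < "$1"); fi
    fips_override=$(dropin_fips_value "$2")
    case "${fips_override}:${fips_kernel}" in
        0:1) echo "forced-off" ;;  # FIPS host, Docker opted out: flag in review
        0:*) echo "off" ;;
        1:1) echo "kernel" ;;      # override present but redundant
        1:*) echo "forced-on" ;;   # Docker in FIPS mode, host is not
        :1)  echo "kernel" ;;      # no override: MCR follows the host
        *)   echo "off" ;;
    esac
}

# Constructed sample: a FIPS host whose drop-in opts Docker out.
demo=$(mktemp -d)
echo 1 > "$demo/fips_enabled"
printf '[Service]\nEnvironment="DOCKER_FIPS=0"\n' > "$demo/fips-module.conf"
mcr_fips_state "$demo/fips_enabled" "$demo/fips-module.conf"   # forced-off
rm -rf "$demo"

# The real paths from this page; on a host without them the result is "off".
mcr_fips_state /proc/sys/crypto/fips_enabled \
    /etc/systemd/system/docker.service.d/fips-module.conf
```

The result describes configuration only; docker info remains the check for what the running daemon actually reports.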
Uninstall old Docker versions
The Mirantis Container Runtime package is called docker-ee. Older versions were called docker or docker-engine. Uninstall all older versions and associated dependencies. The contents of /var/lib/docker/ are preserved, including images, containers, volumes, and networks.
sudo yum remove docker \
docker-client \
docker-client-latest \
docker-common \
docker-latest \
docker-latest-logrotate \
docker-logrotate \
docker-selinux \
docker-engine-selinux \
docker-engine
Repo install and upgrade
The advantage of using a repository from which to install Mirantis Container Runtime (or any software) is that it provides a certain level of automation. RPM-based distributions, such as Red Hat Enterprise Linux, use a tool called YUM that works with your repositories to manage dependencies and provide automatic updates.
Set up the repository
You only need to set up the repository once, after which you can install Mirantis Container Runtime from the repo and repeatedly upgrade as necessary.
For RHEL 7:
Remove existing Docker repositories from /etc/yum.repos.d/:
sudo rm /etc/yum.repos.d/docker*.repo
Temporarily store https://repos.mirantis.com in an environment variable. This variable assignment does not persist when the session ends:
export DOCKERURL="https://repos.mirantis.com"
Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:
sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 7, 8, or 9, but you can also use the more specific minor version, starting from 7.2.
sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'
Install the yum-utils package, which provides the yum-config-manager utility.
sudo yum install -y yum-utils
Enable the extras RHEL repository. This ensures access to the container-selinux package required by docker-ee.
The repository can differ per your architecture and cloud provider, so review the options in this step before running:
For all architectures except IBM Power:
sudo yum-config-manager --enable rhel-7-server-extras-rpms
For IBM Power only (little endian):
sudo yum-config-manager --enable extras
sudo subscription-manager repos --enable=rhel-7-for-power-le-extras-rpms
sudo yum makecache fast
sudo yum -y install container-selinux
Depending on cloud provider, you may also need to enable another repository:
For AWS:
sudo yum-config-manager --enable rhel-7-server-rhui-extras-rpms
For Azure:
sudo yum-config-manager --enable rhui-rhel-7-server-rhui-extras-rpms
Add the Mirantis Container Runtime stable repository:
sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/rhel/docker-ee.repo"
For RHEL 8:
Remove existing Docker repositories from /etc/yum.repos.d/:
sudo rm /etc/yum.repos.d/docker*.repo
Temporarily store https://repos.mirantis.com in an environment variable. This variable assignment does not persist when the session ends:
export DOCKERURL="https://repos.mirantis.com"
Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:
sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 8, but you can also use the more specific minor version.
sudo sh -c 'echo "8" > /etc/yum/vars/dockerosversion'
Install the yum-utils package, which provides the yum-config-manager utility:
sudo yum install -y yum-utils
Add the Mirantis Container Runtime stable repository:
sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/rhel/docker-ee.repo"
For RHEL 9:
Remove existing Docker repositories from /etc/yum.repos.d/:
sudo rm /etc/yum.repos.d/docker*.repo
Temporarily store https://repos.mirantis.com in an environment variable. This variable assignment does not persist when the session ends:
export DOCKERURL="https://repos.mirantis.com"
Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:
sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'
Also, store your OS version string in /etc/yum/vars/dockerosversion. Most users should use 9, but you can also use the more specific minor version.
sudo sh -c 'echo "9" > /etc/yum/vars/dockerosversion'
Install the yum-utils package, which provides the yum-config-manager utility:
sudo yum install -y yum-utils
Add the Mirantis Container Runtime stable repository:
sudo -E yum-config-manager \
--add-repo \
"$DOCKERURL/rhel/docker-ee.repo"
Install from the repository
Install the latest patch release, or go to the next step to install a specific version:
MCR 20.10.12 and later
Requires the addition of the docker-ee-rootless-extras package.
sudo yum -y install docker-ee docker-ee-cli \
docker-ee-rootless-extras containerd.io
Note
MCR nodes in rootless mode cannot currently be a member of an MKE cluster.
MCR 20.10.11 and before
sudo yum -y install docker-ee docker-ee-cli containerd.io
If prompted to accept the GPG key, verify that the fingerprint matches 77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9, and if so, accept it.
To install a specific version of Mirantis Container Runtime (recommended in production), list versions and install:
List and sort the versions available in your repo. This example sorts results by version number, highest to lowest, and is truncated:
sudo yum list docker-ee --showduplicates | sort -r
docker-ee.x86_64 20.10.ee.2-1.el7.rhel docker-ee-stable-18.09
The list returned depends on which repositories you enabled, and is specific to your version of Red Hat Enterprise Linux (indicated by .el7 in this example).
Install a specific version by its fully qualified package name, which is the package name (docker-ee) plus the version string (2nd column) starting at the first colon (:), up to the first hyphen, separated by a hyphen (-). For example, docker-ee-20.10.9.
sudo yum -y install docker-ee-<VERSION_STRING> docker-ee-cli-<VERSION_STRING> containerd.io
Note
MCR 20.10.12 and later requires the addition of the docker-ee-rootless-extras package:
sudo yum -y install docker-ee-<VERSION_STRING> \
docker-ee-cli-<VERSION_STRING> \
docker-ee-rootless-extras-<VERSION_STRING> containerd.io
Be aware that MCR nodes in rootless mode cannot currently be a member of an MKE cluster.
Docker is installed but not started. The docker group is created, but no users are added to the group.
Start Docker:
sudo systemctl start docker
Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:
sudo docker run hello-world
Mirantis Container Runtime is installed and running. Use sudo to run Docker commands.
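The fingerprint comparison in the GPG key prompt step above can be scripted rather than done by eye. This is an added example, not part of the Mirantis documentation: the function names and the sample colon-format gpg output are constructed, and the key file you pass to gpg is whichever one you obtained for the repository.

```sh
#!/bin/sh
# Added example: compare a key's fingerprint with the one published on this
# page before trusting the key for package verification.

EXPECTED_FPR="77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9"   # from this page

# Strip whitespace and upper-case, so spaced and lower-case forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Read `gpg --with-colons` output on stdin and print the fingerprint of every
# primary key: the first fpr record after each pub record, field 10.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0 }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Usage: <gpg colon output> | fpr_matches "<expected fingerprint>"
# Succeeds only if the input holds exactly one primary key and it matches,
# so an extra key bundled into the same file is rejected too.
fpr_matches() {
    fm_found=$(primary_fprs)
    [ "$(printf '%s\n' "$fm_found" | grep -c .)" -eq 1 ] || return 1
    [ "$(normalize_fpr "$fm_found")" = "$(normalize_fpr "$1")" ]
}

# Constructed sample of colon-format output (dates, flags and subkey made up).
SAMPLE_OK='pub:-:4096:1:99E5FF2E76682BC9:1500000000:::-:::scESC:
fpr:::::::::77FEDA131A831D29A418D3E899E5FF2E76682BC9:
sub:-:4096:1:0123456789ABCDEF:1500000000::::::e:
fpr:::::::::0000000000000000000000000123456789ABCDEF:'

if printf '%s\n' "$SAMPLE_OK" | fpr_matches "$EXPECTED_FPR"; then
    echo "fingerprint matches"
else
    echo "fingerprint MISMATCH, do not accept the key" >&2
fi
```

On a real host, replace the sample with the output of gpg --show-keys --with-colons run on the key file (GnuPG 2.2 or later).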
Upgrade from the repository
Add the new repository.
Follow the installation instructions and install a new version.
Package install and upgrade
To manually install Mirantis Container Runtime, download the .rpm file for your release. You need to download a new file each time you want to upgrade.
Install with a package
For RHEL 7:
Enable the extras RHEL repository. This ensures access to the container-selinux package, which is required by docker-ee:
sudo yum-config-manager --enable rhel-7-server-extras-rpms
Alternatively, obtain that package manually from Red Hat. There is no way to publicly browse this repository.
Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 7 directory, try choosing the version-specific directory instead, such as 7.3.
Install MCR, changing the path below to the path where you downloaded the Docker package.
sudo yum install <path_to_downloaded_rhel_package_.rpm>
Docker is installed but not started. The docker group is created, but no users are added to the group.
Start Docker:
sudo systemctl start docker
Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:
sudo docker run hello-world
Mirantis Container Runtime is now installed and running. Make sure to use sudo to run Docker commands (refer to the Docker documentation for Linux postinstall for information on how to allow non-privileged users to run Docker commands).
For RHEL 8:
Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 8 directory, try choosing the version-specific directory instead.
Install Mirantis Container Runtime, changing the path below to the path where you downloaded the Docker package.
sudo yum install <path_to_downloaded_rhel_package_.rpm>
Docker is installed but not started. The docker group is created, but no users are added to the group.
Start Docker:
sudo systemctl start docker
Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:
sudo docker run hello-world
Mirantis Container Runtime is now installed and running. Make sure to use sudo to run Docker commands (refer to the Docker documentation for Linux postinstall for information on how to allow non-privileged users to run Docker commands).
For RHEL 9:
Go to repos.mirantis.com in your browser. Navigate to rhel/. Choose your Red Hat Enterprise Linux version, architecture, and Docker version. Download the .rpm file from the Packages directory.
If you have trouble with selinux using the packages under the 9 directory, try choosing the version-specific directory instead.
Install Mirantis Container Runtime, changing the path below to the path where you downloaded the Docker package.
sudo yum install <path_to_downloaded_rhel_package_.rpm>
Docker is installed but not started. The docker group is created, but no users are added to the group.
Start Docker:
sudo systemctl start docker
Verify that Mirantis Container Runtime is installed correctly by running the hello-world image. This command downloads a test image, runs it in a container, prints an informational message, and exits:
sudo docker run hello-world
Mirantis Container Runtime is now installed and running. Make sure to use sudo to run Docker commands (refer to the Docker documentation for Linux postinstall for information on how to allow non-privileged users to run Docker commands).
Upgrade with a package
Download the newer package file.
Repeat the installation procedure, using yum -y upgrade instead of yum -y install, and point to the new file.
Enable MCR Telemetry
By default, MCR automatically records and transmits data to Mirantis for monitoring and analysis purposes. The data collected provides the Mirantis Customer Success Organization with information that helps us to better understand the operational use of MCR by our customers. It also provides key feedback in the form of product usage statistics, which enable our product teams to enhance Mirantis products and services.
To disable the telemetry function, set features.telemetry to false in your /etc/docker/daemon.json file. Change the setting to true to re-enable telemetry.
{"features":{"telemetry": false}}
Caution
To send the telemetry, verify that dockerd can resolve api.segment.io and create a TCP (HTTPS) connection on port 443.
Run MCR as a non-root user (Rootless mode)
Note
MCR nodes in rootless mode cannot belong to an MKE cluster.
For information on rootless mode installation and configuration, refer to the Docker documentation Run the Docker daemon as a non-root user (Rootless mode).
Uninstall Mirantis Container Runtime
Uninstall the Mirantis Container Runtime package:
sudo yum -y remove docker-ee
Delete all images, containers, and volumes (because these are not automatically removed from your host):
sudo rm -rf /var/lib/docker
Delete other Docker related resources:
sudo rm -rf /run/docker
sudo rm -rf /var/run/docker
sudo rm -rf /etc/docker
You must delete any edited configuration files manually.