Chapter 12. Linux Containers
12.1. Linux Containers Using Docker Technology
Red Hat Enterprise Linux Atomic Host 7.1.4 includes the following updates:
The docker packages have been upgraded to upstream version 1.7.1, which contains various improvements over version 1.7, which in turn contains significant changes from version 1.6 included in Red Hat Enterprise Linux Atomic Host 7.1.3. See the following change log for the full list of fixes and features between version 1.6 and 1.7.1: https://github.com/docker/docker/blob/master/CHANGELOG.md. Additionally, Red Hat Enterprise Linux Atomic Host 7.1.4 includes the following changes:
- Firewalld is now supported for docker containers. If firewalld is running on the system, the rules will be added via the firewalld passthrough. If firewalld is reloaded, the configuration will be re-applied.
- Docker now mounts the cgroup information specific to a container under the /sys/fs/cgroup directory. Some applications make decisions based on the amount of resources available to them. For example, a Java Virtual Machine (JVM) wants to check how much memory is available to it so that it can allocate a large enough pool to improve its performance. This allows applications to discover the maximum amount of memory available to the container by reading /sys/fs/cgroup/memory.
- The docker run command now emits a warning message if you are using device mapper on a loopback device. It is strongly recommended to use the dm.thinpooldev option as a storage option for a production environment. Do not use loopback in a production environment.
- You can now run containers in systemd mode with the --init=systemd flag. If you are running a container with systemd as PID 1, this flag turns on all systemd features to allow it to run in a non-privileged container. Set container_uuid as an environment variable to pass to systemd what to store in the /etc/machine-id file. This file links the journald within the container to the external log. Mount host directories into a container so that systemd does not require privileges, then mount the journal directory from the host into the container. If you run journald within the container, the host journalctl utility will be able to display the content. Mount the /run directory as a tmpfs. Then automatically mount the /sys/fs/cgroup directory as read-only into a container if --systemd is specified. Send the proper signal to systemd when running in systemd mode.
- The search experience within containers using the docker search command has been improved:
  - You can now prepend indices to search results.
  - You can prefix a remote name with a registry name.
  - You can shorten the index name if it is not an IP address.
  - The --no-index option has been added to avoid listing index names.
  - The sorting of entries when the index is preserved has been changed: you can sort by index_name, star_count, registry_name, name and description.
  - The sorting of entries when the index is omitted has been changed: you can sort by registry_name, star_count, name and description.
- You can now expose the configured registry list using the Docker info API.
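The cgroup discovery described above has one edge case worth handling: the cgroup v1 memory controller reports "no limit" as a very large number rather than an error, so an application that reads the file naively will try to size itself for far more memory than the host has. The following POSIX sh script is an added example, not part of these release notes or of Docker; it assumes the cgroup v1 file layout (memory.limit_in_bytes under /sys/fs/cgroup/memory) and takes the directory as a parameter so the logic can be exercised against a constructed tree. The host RAM figure and the sample limits are constructed values.

```shell
#!/bin/sh
# Added example (not from the Red Hat release notes): discover the memory a
# container is allowed through the cgroup v1 memory controller that Docker
# mounts under /sys/fs/cgroup, and derive a JVM-style heap size from it.
# Assumption: cgroup v1 layout, i.e. $DIR/memory.limit_in_bytes exists.

# cgroup v1 reports "no limit" as a number close to 2^63, not as an error,
# so anything above this threshold is treated as "use the host figure".
NO_LIMIT_THRESHOLD=$((1 << 62))

# container_mem_limit DIR HOST_MEM_BYTES
# Prints the usable memory in bytes: the cgroup limit if one is set,
# otherwise the host figure passed in. Returns 1 if the file is unusable.
container_mem_limit() {
    dir=$1
    host_mem=$2
    f="$dir/memory.limit_in_bytes"
    [ -r "$f" ] || return 1
    limit=$(cat "$f")
    case "$limit" in
        ''|*[!0-9]*) return 1 ;;   # not a plain integer: treat as unreadable
    esac
    if [ "$limit" -ge "$NO_LIMIT_THRESHOLD" ]; then
        echo "$host_mem"
    else
        echo "$limit"
    fi
}

# heap_size_mb DIR HOST_MEM_BYTES
# A JVM-style sizing decision: use 75% of what the container may use.
heap_size_mb() {
    mem=$(container_mem_limit "$1" "$2") || return 1
    echo $(( mem / 4 * 3 / 1024 / 1024 ))
}

# make_sample LIMIT: constructed stand-in for /sys/fs/cgroup/memory
make_sample() {
    d=$(mktemp -d)
    echo "$1" > "$d/memory.limit_in_bytes"
    echo "$d"
}

# Demo on constructed trees (the host RAM figure is constructed too)
HOST_RAM=17179869184                              # 16 GiB
limited=$(make_sample 536870912)                  # 512 MiB cgroup limit
unlimited=$(make_sample 9223372036854771712)      # cgroup v1 "no limit" value
echo "512 MiB limit   -> heap $(heap_size_mb "$limited" "$HOST_RAM") MiB"
echo "no cgroup limit -> heap $(heap_size_mb "$unlimited" "$HOST_RAM") MiB"
rm -rf "$limited" "$unlimited"
```

Inside a real container the call would be heap_size_mb /sys/fs/cgroup/memory "$(awk '/MemTotal/ {print $2*1024}' /proc/meminfo)"; the point of the threshold check is that the unlimited case falls back to the host figure instead of a 2^63 sentinel.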
Red Hat Enterprise Linux Atomic Host 7.1.3 includes the following updates:
- docker-storage-setup
  - docker-storage-setup now relies on the Logical Volume Manager (LVM) to extend thin pools automatically. By default, 60% of the free space in the volume group is used for a thin pool and it is grown automatically by LVM. When the thin pool is 60% full, it is grown by 20%.
  - A default configuration file for docker-storage-setup is now in /usr/lib/docker-storage-setup/docker-storage-setup. You can override the settings in this file by editing the /etc/sysconfig/docker-storage-setup file.
  - Support for passing raw block devices to the docker service for creating a thin pool has been removed. Now the docker-storage-setup service creates an LVM thin pool and passes it to docker.
  - The chunk size for thin pools has been increased from 64K to 512K.
  - By default, the partition table for the root user is not grown. You can change this behavior by setting the GROWPART=true option in the /etc/sysconfig/docker-storage-setup file.
  - A thin pool is now set up with the skip_block_zeroing feature. This means that when a new block is provisioned in the pool, it is not zeroed. This is done for performance reasons. You can change this behavior by using the --zero option: lvchange --zero y thin-pool
  - By default, docker storage using the devicemapper graphdriver runs on loopback devices. It is strongly recommended not to use this setup, as it is not production ready. A warning message is displayed to warn the user about this. The user can suppress this warning by passing the storage flag dm.no_warn_on_loop_devices=true.
- Updates related to handling storage on Docker-formatted containers:
- NFS Volume Plugins validated with SELinux have been added. This includes using the NFS Volume Plugin to NFS Mount GlusterFS.
- Persistent volume support validated for the NFS volume plugin only has been added.
- Local storage (HostPath volume plugin) validated with SELinux has been added. (requires workaround described in the docs)
- iSCSI Volume Plugins validated with SELinux have been added.
- GCEPersistentDisk Volume Plugins validated with SELinux have been added. (requires workaround described in the docs)
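Both the 7.1.4 note on the docker run warning and the 7.1.3 note on loopback devices say the same thing: devicemapper on loopback is not production ready, and the warning can be silenced. A host audit wants to detect the setup regardless of whether the warning was suppressed. The POSIX sh script below is an added example, not part of these release notes or of Docker. It assumes two things that are not stated on this page: that docker info for the devicemapper driver prints "Data loop file:" / "Metadata loop file:" lines (and "Data file: /dev/loopN") when loop devices are in use, and that docker-storage-setup writes a DOCKER_STORAGE_OPTIONS line into /etc/sysconfig/docker-storage. The sample outputs embedded in the script are constructed in that shape, not captured from a host.

```shell
#!/bin/sh
# Added example, not from the Red Hat release notes and not docker's code.
# Two checks a host audit could run to catch the loopback device-mapper
# setup the notes warn about. Both read text from stdin so they can be run
# against constructed samples as well as real command output.
# Assumptions: `docker info` line shapes and the DOCKER_STORAGE_OPTIONS
# variable in /etc/sysconfig/docker-storage (written by docker-storage-setup).

# uses_loopback: exit 0 if `docker info` text on stdin shows devicemapper
# backed by loop devices, 1 otherwise.
uses_loopback() {
    grep -Eq '^ *(Data|Metadata) loop file:|^ *(Data|Metadata) file: */dev/loop[0-9]'
}

# storage_opts_status: read a docker-storage file on stdin and print one of
#   thinpool          - dm.thinpooldev is configured (the recommended setup)
#   loopback          - no thin pool configured, devicemapper falls back to loop
#   loopback-silenced - no thin pool AND the warning was suppressed
storage_opts_status() {
    opts=$(grep '^DOCKER_STORAGE_OPTIONS=' | tail -n 1)
    case "$opts" in
        *dm.thinpooldev=*)                 echo thinpool ;;
        *dm.no_warn_on_loop_devices=true*) echo loopback-silenced ;;
        *)                                 echo loopback ;;
    esac
}

# Constructed samples (shape only; not captured from a real host)
INFO_LOOP='Storage Driver: devicemapper
 Pool Name: docker-253:0-1234-pool
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata'

INFO_POOL='Storage Driver: devicemapper
 Pool Name: atomicos-docker--pool
 Pool Blocksize: 524.3 kB
 Backing Filesystem: xfs'

CONF_POOL='DOCKER_STORAGE_OPTIONS=--storage-opt dm.fs=xfs --storage-opt dm.thinpooldev=/dev/mapper/atomicos-docker--pool'
CONF_SILENCED='DOCKER_STORAGE_OPTIONS=--storage-opt dm.no_warn_on_loop_devices=true'
CONF_EMPTY='DOCKER_STORAGE_OPTIONS='

# Demo over the constructed samples
check_info_sample() {
    if printf '%s\n' "$1" | uses_loopback; then
        echo "$2: LOOPBACK (not production ready)"
    else
        echo "$2: thin pool"
    fi
}
check_info_sample "$INFO_LOOP" "info-loop"
check_info_sample "$INFO_POOL" "info-pool"
for c in "$CONF_POOL" "$CONF_SILENCED" "$CONF_EMPTY"; do
    printf '%s: %s\n' "$c" "$(printf '%s\n' "$c" | storage_opts_status)"
done
```

On a real host the same functions are fed with docker info | uses_loopback and storage_opts_status < /etc/sysconfig/docker-storage. The loopback-silenced state deserves a separate alert: suppressing the warning removes the only signal the daemon itself gives about the problem.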
Red Hat Enterprise Linux Atomic Host 7.1.2 includes the following updates:
- docker-1.6.0-11.el7
  - A completely re-architected Registry and a new Registry API supported by Docker 1.6, which significantly enhance image pull performance and reliability.
  - A new logging driver API, which allows you to send container logs to other systems, has been added to the docker utility. The --log-driver option has been added to the docker run command and it takes three sub-options: a JSON file, syslog, or none. The none option can be used with applications with verbose logs that are non-essential.
  - Dockerfile instructions can now be used when committing and importing. This also adds the ability to make changes to running images without having to re-build the entire image. The commit --change and import --change options allow you to specify standard changes to be applied to the new image. These are expressed in the Dockerfile syntax and used to modify the image.
  - This release adds support for custom cgroups. Using the --cgroup-parent flag, you can pass a specific cgroup to run a container in. This allows you to create and manage cgroups on your own. You can define custom resources for those cgroups and put containers under a common parent group.
  - With this update, you can now specify the default ulimit settings for all containers when configuring the Docker daemon. For example:
      docker -d --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200
      docker run -d --ulimit nproc=2048:4096 httpd
  - The ability to block registries with the --block-registry flag.
  - Support for searching multiple registries at once.
  - Pushing local images to a public registry requires confirmation.
  - Short names are resolved locally against a list of registries configured in an order, with the docker.io registry last. This way, pulling is always done with a fully qualified name.
Red Hat Enterprise Linux Atomic Host 7.1.1 includes the following updates:
- docker-1.5.0-28.el7
  - IPv6 support: support is available for globally routed and link-local addresses.
  - Read-only containers: this option is used to restrict applications in a container from being able to write to the entire file system.
  - Statistics API and endpoint: statistics on live CPU, memory, network I/O and block I/O can now be streamed from containers.
  - The docker build -f docker_file command to specify a file other than Dockerfile to be used by docker build.
  - The ability to specify additional registries to use for unqualified pulls and searches. Prior to this, an unqualified name was only searched in the public Docker Hub.
  - The ability to block communication with certain registries with the --block-registry=<registry> flag. This includes the ability to block the public Docker Hub and the ability to block all but specified registries.
  - Confirmation is required to push to a public registry.
  - All repositories are now fully qualified when listed. The output of docker images lists the source registry name for all images pulled. The output of docker search shows the source registry name for all results.
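The 7.1.2 and 7.1.1 notes together describe a name resolution policy: an unqualified name is tried against the configured registries in order with docker.io last, a blocked registry is never contacted, and a name that already carries a registry is used as-is. The POSIX sh script below is an added example that models that policy; it is not docker's code and not part of these release notes. It assumes that a name counts as "qualified" when its first path component looks like a host (contains "." or ":" or is "localhost"), which is the convention Docker uses to tell a registry from a namespace, and it represents the registry list and block list as space-separated variables standing in for the daemon flags. All registry names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the Red Hat release notes and not docker's code:
# a model of short-name resolution with an ordered registry list, docker.io
# last, and a block list that is honoured for qualified names too.
# Assumption: "qualified" means the first path component looks like a host.

PUBLIC_REGISTRY=docker.io

# first_component NAME -> the text before the first '/'
first_component() { printf '%s\n' "${1%%/*}"; }

# is_qualified NAME -> 0 if NAME already names a registry
is_qualified() {
    case "$1" in */*) ;; *) return 1 ;; esac
    case "$(first_component "$1")" in
        localhost|*.*|*:*) return 0 ;;
        *)                 return 1 ;;   # e.g. "team/app": a namespace
    esac
}

# is_blocked REGISTRY BLOCKLIST -> 0 if REGISTRY appears in the block list
is_blocked() {
    for b in $2; do [ "$b" = "$1" ] && return 0; done
    return 1
}

# resolve_pull NAME REGISTRIES BLOCKLIST
# Prints the fully qualified names to try, one per line, in order.
# Returns 1 when no registry may be contacted for this name.
resolve_pull() {
    name=$1; regs=$2; blocked=$3
    if is_qualified "$name"; then
        is_blocked "$(first_component "$name")" "$blocked" && return 1
        printf '%s\n' "$name"
        return 0
    fi
    # configured registries in their order, with docker.io forced to the end
    ordered=''
    for r in $regs; do [ "$r" = "$PUBLIC_REGISTRY" ] || ordered="$ordered $r"; done
    found=1
    for r in $ordered $PUBLIC_REGISTRY; do
        is_blocked "$r" "$blocked" && continue
        printf '%s/%s\n' "$r" "$name"
        found=0
    done
    return $found
}

# Demo with constructed registry names
REGS='registry.example.com:5000 mirror.example.com'
BLOCK='docker.io'
echo "--- unqualified 'httpd', docker.io blocked:"
resolve_pull httpd "$REGS" "$BLOCK" || echo "(no registry allowed)"
echo "--- qualified 'docker.io/library/httpd', docker.io blocked:"
resolve_pull docker.io/library/httpd "$REGS" "$BLOCK" || echo "(refused: registry blocked)"
```

The second demo call is the case that matters for policy: blocking the public registry is only meaningful if a fully qualified reference to it is refused as well, otherwise a Dockerfile can route around the block simply by spelling out docker.io.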
For more information, see Get Started with Docker Formatted Container Images on Red Hat Systems.