Docker Community Forums

Docker-ce on CentOS 8

You have a statement. Your goal is achieved. Please feel free to go away and harass some other open source developers that aren’t dancing to your tune exactly.

Hi @xrobau

In RHEL8 you have the concept of modularity
https://dnf.readthedocs.io/en/latest/modularity.html

Module streams can distribute packages with lower versions than available in the repositories available to the operating system. To make such packages available for installs and upgrades, the non-modular packages are filtered out when they match by name with modular packages from any existing stream.

What is happening here is that containerd packages are “providing” runc but are non-modular, and RHEL8 also has a runc package that is modular.
Before modular packages (RHEL7), if you install containerd, then install podman, podman will use containerd’s runc, so you might have weird bugs. Now dnf prevents that, but without a good error message.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1756473

1 Like

Also, CentOS 8 ships with iptables v1.8.x (nf_tables), and not iptables v1.8.x (legacy), i.e. the iptables binary talks to the nf_tables kernel part and not x_tables.
Some distros like Debian switched to iptables (nf_tables), but you can still switch to legacy. In CentOS 8 you don’t have the option.
My speculation is that Red Hat doesn’t want to support x_tables for 10 more years and wants to be able to ship improvements based on nf_tables.

1 Like

Didn’t know you are the devs.

I’m looking at SuSE or even Ubuntu to run as docker host for a cloud production env. Can’t wait forever either. Might as well start looking when to jump ship. :\

Lucky you that Ubuntu is an option for you. My company’s policies allow either RHEL or SuSE…

If you read the documentation, RHEL 7 is the first and most well documented way of running Docker, and Docker CE. There’s no REASON to update to RHEL 8 right now. Stick on 7. It’s supported until at least 2024.

When libnetwork is updated to support nft-based firewalld, and libsolv is fixed to not incorrectly exclude some versions of containerd, you’ll be able to upgrade fine.

Thank you for your input. Though, it is not really up to me what our patch management policies govern and if/when they will force our OS-level managed machines to be updated to RHEL8. At least RHEL 7.7 finally appeared in the compatibility matrix for EE3.0.

I understand your sentiment when policies are in the way. 2024 is around the corner for an enterprise. Knowing that our junk will run smoothly on CentOS 8 would give peace of mind to the engineers who have to implement it. Making changes to the codebase as early as possible makes shipping it less chaotic.
Godspeed!

Looks like we have to wait for the devs to figure out nftables and modularity.

1 Like

Is enabling masquerade for the firewall zone the way forward with this?

For this to work, I had to enable masquerading. It looked like dockerd already did this through iptables, but apparently this needs to be specifically enabled for the firewall zone for iptables masquerading to work.

Hi everyone. Is there a tracker or something to track CentOS 8 release?

1 Like

Docker EE seems to have steps for RHEL 8.

Has anybody tried this out?

CentOS 8.1 and RHEL 8.2 Beta are out.

It is not working for me … giving the below error
Error
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 1:26:31 ago on Thu Jan 30 10:24:49 2020.
[MIRROR] download.docke: Curl error (6): Couldn’t resolve host name for https://download.docke/ [Could not resolve host: download.docke]
[FAILED] download.docke: Curl error (6): Couldn’t resolve host name for https://download.docke/ [Could not resolve host: download.docke]
Curl error (6): Couldn’t resolve host name for https://download.docke/ [Could not resolve host: download.docke]

Host https://download.docke/ does not exist. Check your command; it seems you are typing the wrong URL.

I get this on CentOS8

Downloading Packages:
[SKIPPED] libcgroup-0.41-19.el8.x86_64.rpm: Already downloaded
[SKIPPED] containerd.io-1.2.0-3.el7.x86_64.rpm: Already downloaded
[SKIPPED] docker-ce-18.09.1-3.el7.x86_64.rpm: Already downloaded
[SKIPPED] docker-ce-cli-19.03.7-3.el7.x86_64.rpm: Already downloaded
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing ‘dnf clean packages’.
Error: Transaction check error:
file /usr/share/man/man1/docker-attach.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-build.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-commit.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-container-prune.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-container.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-cp.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-create.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
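
To see at a glance which installed package blocks a transaction in output like the above, the conflict lines can be grouped by package pair. This is an added example, not posted by anyone in the thread; `summarize_conflicts` and `sample_conflicts` are names made up here. It also reports the dist tag of each side and whether the installed package carries a module release tag:

```shell
#!/bin/sh
# Added example (not from the thread). Function names are made up here.
# Reads dnf "Transaction check error" text on stdin and prints one line per
# (incoming package -> installed package) pair:
#   <files> <incoming> -> <installed> dist=<elN>-><elN> modular=<yes|no>
summarize_conflicts() {
    awk '
    function dist(nvra) {   # first "elN" token in the package string, else "?"
        return match(nvra, /el[0-9]+/) ? substr(nvra, RSTART, RLENGTH) : "?"
    }
    / from install of / && / conflicts with file from package / {
        new = $0; sub(/.* from install of /, "", new); sub(/ conflicts with .*/, "", new)
        old = $0; sub(/.* conflicts with file from package /, "", old)
        sub(/[ \t\r]+$/, "", old)
        n[new " -> " old]++
    }
    END {
        for (k in n) {
            split(k, p, " -> ")
            # Builds from a module stream carry ".module_elN" or ".module+elN" in the release.
            mod = (p[2] ~ /\.module[_+]el[0-9]/) ? "yes" : "no"
            printf "%d %s dist=%s->%s modular=%s\n", n[k], k, dist(p[1]), dist(p[2]), mod
        }
    }' | sort -rn
}

# Sample input: two of the conflict lines from the output posted above.
sample_conflicts() {
    cat <<'EOF'
Error: Transaction check error:
file /usr/share/man/man1/docker-attach.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
file /usr/share/man/man1/docker-build.1.gz from install of docker-ce-cli-1:19.03.7-3.el7.x86_64 conflicts with file from package podman-manpages-1.4.2-5.module_el8.1.0+237+63e26edc.noarch
EOF
}
```

Saved dnf output can be piped straight into `summarize_conflicts`; a `dist=el7->el8` result means an el7 build is being installed over a package built for el8.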

Thanks a lot!! Been trying for days now to get a “simple” docker container to run 2 web-apps on an httpd image with virtual hosting.
Not yet there, but getting closer :)

To get DNS resolution working, simply enable Masquerading.

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload

It seems RH is aware of the problem. At least they will provide a docker-firewalld package in the future.

https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables

This also contains a manual workaround using your own zone.
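
A read-only check for two points raised in this thread: which iptables backend is in use, and whether masquerading on a zone is both active and persistent after the `--permanent` / `--reload` pair above. This is an added example, not part of any post; the function names and the `--report` switch are made up here, and the default zone `public` is taken from the command in the thread.

```shell
#!/bin/sh
# Added example: read-only checks, nothing here changes firewall state.

# Classify the text printed by `iptables --version`.
# 1.8.x builds append "(nf_tables)" or "(legacy)"; older builds print no suffix.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        "iptables v"*)   echo unmarked ;;
        *)               echo unknown ;;
    esac
}

# Combine the runtime and permanent answers of `--query-masquerade` (yes/no).
# $1 = runtime answer, $2 = permanent answer
masquerade_state() {
    case "$1/$2" in
        yes/yes) echo active-and-persistent ;;
        yes/no)  echo runtime-only ;;     # lost on reload or reboot
        no/yes)  echo pending-reload ;;   # --permanent was given, --reload not yet run
        no/no)   echo disabled ;;
        *)       echo unknown ;;          # firewalld not running or not installed
    esac
}

# Print a short report for one zone (default: public, as in the thread).
report() {
    zone=${1:-public}
    ver=$(iptables --version 2>/dev/null || true)
    rt=$(firewall-cmd --zone="$zone" --query-masquerade 2>/dev/null || true)
    pm=$(firewall-cmd --permanent --zone="$zone" --query-masquerade 2>/dev/null || true)
    echo "iptables backend : $(iptables_backend "$ver")"
    echo "zone             : $zone"
    echo "masquerade       : $(masquerade_state "$rt" "$pm")"
    # Masquerade is a per-zone setting, so show which interfaces share the zone.
    echo "zone interfaces  : $(firewall-cmd --zone="$zone" --list-interfaces 2>/dev/null || true)"
}

# Run the live report only when asked: sh check.sh --report [zone]
if [ "${1:-}" = "--report" ]; then
    report "${2:-}"
fi
```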