Docker Community Forums

Docker-ce on CentOS 8

Hi @xrobau

In RHEL8 you have the concept of modularity
https://dnf.readthedocs.io/en/latest/modularity.html

Module streams can distribute packages with lower versions than available in the repositories available to the operating system. To make such packages available for installs and upgrades, the non-modular packages are filtered out when they match by name with modular packages from any existing stream.

What is happening here is that containerd packages are “providing” runc but are non-modular, and RHEL8 also has a runc package that is modular.
Before modular packages (RHEL7), if you install containerd, then install podman, podman will use containerd's runc, so you might have a weird bug. Now dnf prevents that, but without a good error message.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1756473

Also, CentOS 8 ships with iptables v1.8.x (nf_tables), and not iptables v1.8.x (legacy), i.e. the iptables binary talks to the nf_tables kernel part and not x_tables.
Some distros like Debian switched to iptables (nf_tables) but you can still switch to legacy. In CentOS 8 you don’t have the option.
My speculation is that Red Hat doesn't want to support x_tables for 10 more years and wants to be able to ship improvements based on nf_tables.

Didn't know you are the devs.

I’m looking at SuSE or even Ubuntu to run as docker host for a cloud production env. Can’t wait forever either. Might as well start looking when to jump ship. :\

Lucky you that Ubuntu is an option for you. My company's policies allow either RHEL or SuSE…

If you read the documentation, RHEL 7 is the first and most well documented way of running Docker, and Docker CE. There’s no REASON to update to RHEL 8 right now. Stick on 7. It’s supported until at least 2024.

When libnetwork is updated to support nft-based firewalld, and libsolv is fixed to not incorrectly exclude some versions of containerd, you’ll be able to upgrade fine.

Thank you for your input. Though, it is not really up to me what our patch management policies govern and if/when they will force our OS-level managed machines to be updated to RHEL8. At least RHEL 7.7 finally appeared in the compatibility matrix for EE3.0.

I understand your sentiment when policies are in the way. 2024 is around the corner for an enterprise. Knowing that our junk will run smoothly on CentOS 8 would give peace of mind to the engineers who have to implement it. Making changes to the codebase as early as possible makes shipping it less chaotic.
Godspeed!

Looks like we have to wait for the devs to figure out nftables and modularity.

Is enabling masquerade for the firewall zone the way forward with this?

For this to work, I had to enable masquerading. It looked like dockerd already did this through iptables, but apparently this needs to be specifically enabled for the firewall zone for iptables masquerading to work.