Fedora 32 and Fedora 31 support for Docker #215

Closed
jennydaman opened this issue Jul 30, 2020 · 11 comments

@jennydaman
Contributor

jennydaman commented Jul 30, 2020

outdated information, please go to wiki

https://github.com/FNNDSC/ChRIS_ultron_backEnd/wiki/Fedora-32-Support-for-Docker

tl;dr I am suggesting that everyone trying to develop on Fedora should use a virtual machine.

Background

Fedora 30 (2019 April) was the last release of Fedora where Docker installation was (supposedly) seamless.

Fedora 31 (2019 October) uses cgroup version 2 [1], which broke containers. There is a workaround [2]. Fedora 31 is the last release which is officially supported by Docker [3].

Fedora 32 (2020 April) does not support Docker [4].

[1] https://www.redhat.com/sysadmin/fedora-31-control-group-v2
[2] https://fedoraproject.org/wiki/Common_F31_bugs#Docker_package_no_longer_available_and_will_not_run_by_default_.28due_to_switch_to_cgroups_v2.29
[3] https://docs.docker.com/engine/install/fedora/
[4] https://fedoramagazine.org/docker-and-fedora-32/

Many of our collaborators use Fedora 32.

SELinux

Relevant to Fedora, RHEL, CentOS.

According to man docker-run

Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By default, Docker does not change the labels set by the OS.

To change a label in the container context, you can add either of two suffixes :z or :Z to the volume mount. These suffixes tell Docker to relabel file objects on the shared volumes. The z option tells Docker that two containers share the volume content. As a result, Docker labels the content with a shared content label. Shared volume labels allow all containers to read/write content. The Z option tells Docker to label the content with a private unshared label. Only the current container can use a private volume.

I created a branch z-vol to demonstrate how this works.

Running ./make.sh on a Fedora

For the sake of showing how it is possible to run ChRIS on a Fedora machine with SELinux enabled, we will use a virtual machine.

Use Vagrant to provision a lightweight Fedora 31 VM and correctly install Docker.
https://docs.docker.com/engine/install/fedora/#install-docker-engine

Vagrant.configure("2") do |config|
  config.vm.box = "fedora/31-cloud-base"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "8096"
  end

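  config.vm.provision "shell", inline: <<-SHELL
    # docker-compose binary, pinned to release 1.26.2
    curl -L "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
    chmod +x /usr/local/bin/docker-compose
    # Docker Engine via the get.docker.com convenience script
    sh -c "$(curl -fsSL https://get.docker.com)"
    # Boot with cgroup v1 instead of Fedora 31's default cgroup v2 (takes effect after the reboot)
    grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
    systemctl enable docker
    # z-vol is the branch demonstrating SELinux volume labels
    git clone --branch z-vol https://github.com/FNNDSC/ChRIS_ultron_backEnd.git
  SHELL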
end

Create, provision, then reboot VM (required to set kernel cgroup option)

$ vagrant up && vagrant reload

Double check distro version and SELinux status

$ vagrant ssh -c 'cat /etc/fedora-release; getenforce'
Fedora release 31 (Thirty One)
Enforcing
Connection to 127.0.0.1 closed.

Start CUBE

$ vagrant ssh -c 'cd ChRIS_ultron_backEnd && sudo ./make.sh'

Result

Performing system checks...

System check identified no issues (3 silenced).
July 30, 2020 - 13:51:13
Django version 2.2.12, using settings 'config.settings.local'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.

Comments

For the insistent it is possible to use Fedora 32, see

I tried Fedora 30 but docker-compose did not work out of the box.

Fedora 31 broke Docker, then Fedora 32 broke Docker even more. It has been 3 months since the release of Fedora 32 and it seems like Docker inc. is choosing not to support Fedora 32. The easiest way for a developer on Fedora 32 to get started would be to not use Fedora. I am suggesting that developers try using virtual machines instead, akin to how Docker works on other incompatible platforms like Windows and Mac. As demonstrated above, using Vagrant involves only a few steps. Only instead of starting from fedora/31-cloud-base use anything else, like bento/debian-10.4. VM is less painful but less performant, which is okay for a development environment.

RedHat endorses moby or podman for running Docker containers on Fedora 32.
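
The `:z` / `:Z` behaviour quoted from `man docker-run` in the post above, as an added example that is not part of the thread or of the ChRIS repository: a checker that classifies `docker run -v` volume specs by their SELinux relabel option. The sample specs and the list of system directories are assumptions made for illustration; Docker's bind-mount documentation warns specifically against using `Z` on directories such as `/home` or `/usr`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): classify `docker run -v` specs by
# SELinux relabel option. All sample specs below are constructed.

# Prints: named | unlabeled | shared | private | risky-private
classify_mount() {
  local spec=$1 src rest opts="" opt label=unlabeled
  case $spec in *:*) ;; *) echo named; return ;; esac   # anonymous volume
  src=${spec%%:*}
  case $src in
    /*|.|..|./*|../*) ;;            # host path, so this is a bind mount
    *) echo named; return ;;        # named volume: Docker manages its labels
  esac
  rest=${spec#*:}                   # "dst" or "dst:opt,opt"
  case $rest in *:*) opts=${rest#*:} ;; esac
  local IFS=,
  for opt in $opts; do
    case $opt in
      z) label=shared ;;            # relabel so several containers may use it
      Z) label=private ;;           # relabel for this container only
    esac
  done
  [ "$src" = / ] || src=${src%/}
  if [ "$label" = private ]; then
    # Illustrative list (an assumption): a private relabel of a system
    # directory locks host services out of their own files.
    case $src in
      /|/home|/usr|/etc|/var|/boot|/root) label=risky-private ;;
    esac
  fi
  echo "$label"
}

# Prints a verdict per spec; returns 1 if any needs attention on an
# Enforcing host (unlabeled bind mount or risky private relabel).
audit_mounts() {
  local spec verdict rc=0
  for spec in "$@"; do
    verdict=$(classify_mount "$spec")
    printf '%-14s %s\n' "$verdict" "$spec"
    case $verdict in unlabeled|risky-private) rc=1 ;; esac
  done
  return $rc
}

audit_mounts ./app:/srv/app:z dbdata:/var/lib/db ./media:/srv/media \
  /usr:/host/usr:ro,Z || true
```
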

@jennydaman
Contributor Author

jennydaman commented Jul 30, 2020

Hands-off Vagrant Example

I expect this demo to work on Ubuntu, Arch Linux, Mac, Windows, Fedora, RHEL

Requirements: Vagrant and VirtualBox

Vagrant.configure("2") do |config|
  config.vm.box = "debian/buster64"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "8096"
  end

  config.vm.provision "shell", inline: <<-SHELL
    wget -qO /usr/local/bin/docker-compose "https://github.com/docker/compose/releases/download/1.26.2/docker-compose-$(uname -s)-$(uname -m)"
    chmod +x /usr/local/bin/docker-compose
    wget -qO /tmp/get-docker.sh https://get.docker.com
    sh /tmp/get-docker.sh > /dev/null 2>&1
    systemctl enable --now docker
  SHELL
end

Place Vagrantfile wherever ChRIS_ultron_backEnd was cloned to.

vagrant up && vagrant ssh -c 'cd /vagrant && sudo ./make.sh'

@rudolphpienaar
Member

Much appreciated @jennydaman !! This is great

@junaruga
Member

Great! Let me check it tomorrow.

@junaruga
Member

junaruga commented Jul 31, 2020

In my opinion, before deciding that everyone trying to develop on Fedora should use a virtual machine, I think we can still have time to fix the issues related to Docker or Fedora, if we are not urgent.

At least for me I could run the following Docker basic use case in Fedora 32 after fixing some issues. Now it is a good time to fix it.

$ docker run --rm -t docker.io/hello-world

Now here is another issue I am facing when running make.sh on Fedora 32. #214 (comment)
I believe if we can prepare the instructions or the script to check the preconditions including Fedora, we can run the current README.md steps practically as other platforms as well.

We do not want to increase complexity by making a specific workflow, right?

I am developing the script to check the pre-condition to make Fedora and other platforms users easier to check it.
https://gist.github.com/junaruga/7b306d4fcde470a2cffc6eee0ac0ad33

$ ./check_env.sh

@jennydaman
Contributor Author

better suited as a wiki page

https://github.com/FNNDSC/ChRIS_ultron_backEnd/wiki/Fedora-32-Support-for-Docker

@junaruga
Member

junaruga commented Aug 4, 2020

Why not merge the commit on z-vol branch to master branch?

@jennydaman
Contributor Author

You can make a PR if you want.

I did it as a proof-of-concept, to demonstrate an example. A PR should continue the discussion about the project's scope and to what extent we aim to offer seamless setup at the cost of feature creep.

@junaruga
Member

I succeeded in running make.sh on both docker-ce from the official Docker repository and moby from the official Fedora repository.

I documented the steps covering the use cases of both docker-ce and moby here.
https://github.com/junaruga/ChRIS_ultron_backEnd/wiki/Setup-Docker-on-Fedora-32

Shall we manage this document somewhere in this repository?

The ticket docker/for-linux#955 helped me to install those.

> tl;dr I am suggesting that everyone trying to develop on Fedora should use a virtual machine.

So, can I just disagree on this now?
If someone would develop against your suggestion without using the Fedora 31 VM on Fedora, what's the problem for you?

@jennydaman
Contributor Author

jennydaman commented Aug 12, 2020

My first comment above is obsolete, see the wiki...

> suggestion without using the Fedora 31 VM on Fedora

Actually I suggest against F31 VM, my suggestion was to avoid Fedora altogether: developers looking for a "quickstart" should use a Debian VM on any host OS. See https://github.com/FNNDSC/ChRIS_ultron_backEnd/wiki/Fedora-32-Support-for-Docker#hands-off-vagrant-example

I agree with you, nobody can argue with how it's more optimal to run containers on a container engine. Needless to say a VM introduces a lot of overhang. Yet, the documentation I have provided is for a developer who wants to get started in 5 minutes, not 5 days, and without needing to modify their system extensively. Nonetheless your research is useful because it's always good to have options.

docker-ce is not supported on Fedora 32, that was a decision made by the company Docker, inc. When things break I hope it is not our advice that users blame...

moby seems to work, getting it to run starting from a clean install took 4 commands.
https://github.com/FNNDSC/ChRIS_ultron_backEnd/wiki/Fedora-32-Support-for-Docker#minimal-setup
I did not have problems with --live-restore and moby, let me try that again...

@junaruga
Member

junaruga commented Aug 20, 2020

> I did not have problems with --live-restore and moby, let me try that again...

You might see some docker daemon command options by the following command in your Vagrant Fedora 31 VM.

$ ps -wwef | grep docker

In Fedora 32 using moby, we need one more step to allow docker connections in container by firewall-cmd commands too, as I wrote it on my working log document.

The reason is that the step is needed for firewalld using nftables as a backend, but not for firewalld using iptables as a backend. (Ref: docker/for-linux#955 (comment))

On Fedora 32 nftables is used as the backend by default, but on Fedora 31 iptables is used as the backend.
I think that that's the reason we do not need the one more step for Vagrant Fedora 31 VM.

Fedora 32

$ rpm -qf /etc/firewalld/firewalld.conf
firewalld-0.8.2-3.fc32.noarch
$ sudo grep ^FirewallBackend /etc/firewalld/firewalld.conf
FirewallBackend=nftables

Fedora 31

Checked by docker run --rm -it fedora:31 bash.

$ rpm -qf /etc/firewalld/firewalld.conf 
firewalld-0.7.5-2.fc31.noarch

There is no FirewallBackend item in firewalld.conf of the firewalld-0.7.5-2.fc31.

$ sudo grep ^FirewallBackend /etc/firewalld/firewalld.conf

As a reference, this change was merged on firewalld 0.6.0. But so far Fedora 31 firewalld enables iptables as a default setting applying this patch file, while Fedora 32 firewalld does not apply the patch.
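
The three host settings this thread keeps returning to (cgroup version, firewalld backend, SELinux mode) can be checked in one pass. The script below is an added example, not junaruga's check_env.sh and not part of the ChRIS repository; the function names are hypothetical, and the paths are parameters so that the checks can be run against constructed fixture files.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pre-flight checks for the three host
# settings discussed here. Paths are parameters so fixtures can be used.

# "v2" when the unified cgroup hierarchy is mounted (Fedora 31+), else "v1".
cgroup_mode() {
  if [ -f "${1:-/sys/fs/cgroup}/cgroup.controllers" ]; then
    echo v2
  else
    echo v1
  fi
}

# Value of FirewallBackend, or "unset" when the key or the file is absent
# (the thread shows Fedora 31's firewalld.conf has no such key).
firewalld_backend() {
  local conf=${1:-/etc/firewalld/firewalld.conf} val
  val=$(sed -n 's/^FirewallBackend=//p' "$conf" 2>/dev/null | tail -n 1) || true
  echo "${val:-unset}"
}

# SELinux mode from getenforce, or "unavailable" when the tool is missing.
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then getenforce; else echo unavailable; fi
}

# Usage: preflight [cgroup_root] [firewalld_conf] [selinux_mode_override]
# Prints one finding per line; exit status is the number of findings.
preflight() {
  local cg fw se n=0
  cg=$(cgroup_mode "${1:-}")
  fw=$(firewalld_backend "${2:-}")
  se=${3:-$(selinux_mode)}
  if [ "$cg" = v2 ]; then
    echo "cgroup v2: the thread's workaround boots with systemd.unified_cgroup_hierarchy=0"
    n=$((n + 1))
  fi
  if [ "$fw" = nftables ]; then
    echo "firewalld backend nftables: the thread reports an extra firewall-cmd step"
    n=$((n + 1))
  fi
  if [ "$se" = Enforcing ]; then
    echo "SELinux Enforcing: bind mounts need a :z or :Z suffix"
    n=$((n + 1))
  fi
  return "$n"
}

preflight || true
```
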

@junaruga
Member

Note: docker-ce is supporting Fedora 32. The official document is not updated yet.
Here is the comment from docker maintainer.
docker/for-linux#955 (comment)
