Chapter 12. Linux Containers

12.1. Linux Containers Using Docker Technology

Red Hat Enterprise Linux Atomic Host 7.1.4 includes the following updates:

The docker packages have been upgraded to upstream version 1.7.1, which contains various improvements over version 1.7, which in turn contains significant changes from version 1.6, the version included in Red Hat Enterprise Linux Atomic Host 7.1.3. See the upstream change log for the full list of fixes and features between versions 1.6 and 1.7.1: https://github.com/docker/docker/blob/master/CHANGELOG.md. Additionally, Red Hat Enterprise Linux Atomic Host 7.1.4 includes the following changes:
    • Firewalld is now supported for docker containers. If firewalld is running on the system, docker's rules are added through the firewalld passthrough, and if firewalld is reloaded, the configuration is re-applied.
    • Docker now mounts the cgroup information specific to a container under the /sys/fs/cgroup directory inside the container. Some applications size themselves according to the resources available to them; for example, a Java Virtual Machine (JVM) checks how much memory is available so that it can allocate a large enough heap. With this change, applications can discover the maximum amount of memory available to the container by reading the files under /sys/fs/cgroup/memory.
    • The docker run command now emits a warning message if the devicemapper storage driver is backed by loopback devices. Use the dm.thinpooldev storage option to point docker at an LVM thin pool in a production environment; do not use loopback devices in production.
    • You can now run containers in systemd mode with the --init=systemd flag. If a container runs systemd as PID 1, this flag turns on the systemd-specific features that allow it to run in a non-privileged container:
      • Set the container_uuid environment variable to tell systemd what to store in the container's /etc/machine-id file. This file links the journald instance inside the container to the external journal.
      • Mount host directories into the container so that systemd does not require privileges, and mount the host's journal directory into the container. If journald runs inside the container, the host's journalctl utility can then display its content.
      • Mount the /run directory as a tmpfs.
      • The /sys/fs/cgroup directory is mounted read-only into the container automatically when --systemd is specified.
      • The proper signal is sent to systemd when a container running in systemd mode is stopped.
    • Searching registries with the docker search command has been improved:
      • Index names can now be prepended to search results.
      • A remote name can be prefixed with a registry name.
      • The index name can be shortened if it is not an IP address.
      • The --no-index option has been added to omit index names from the listing.
      • The sorting of entries when the index is preserved has changed: entries are sorted by index_name, star_count, registry_name, name and description.
      • The sorting of entries when the index is omitted has changed: entries are sorted by registry_name, star_count, name and description.
    • The configured registry list is now exposed through the docker info API.
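Reading the container's memory ceiling from the cgroup files described in the 7.1.4 notes above, as an added example that is not part of the release notes or of docker itself. It assumes the cgroup v1 layout docker 1.7.1 mounts (memory.limit_in_bytes under /sys/fs/cgroup/memory) and builds a constructed cgroup tree and meminfo in a temporary directory so that it runs outside a container; the container_mem_limit and demo_mem_limit function names are the example's own. The detail a pool-sizing application has to get right is that cgroup v1 reports "no limit" as a huge sentinel rather than 0, so the function falls back to the host's MemTotal in that case and whenever the cgroup limit exceeds physical memory.

```shell
#!/bin/sh
# Added example, not Red Hat's or docker's code: read the memory ceiling a
# containerised process should size itself against from the cgroup v1
# memory controller that docker 1.7.1 mounts under /sys/fs/cgroup inside
# the container. Function names are the example's own; the cgroup tree and
# meminfo used by demo_mem_limit are constructed in a temporary directory.
set -e

# cgroup v1 reports "no limit" as a page-rounded LONG_MAX, not as 0 or -1;
# an application that takes the value at face value would plan for ~8 EiB.
CGROUP_UNLIMITED=9223372036854771712

# usage: container_mem_limit CGROUP_MEMORY_DIR MEMINFO_FILE
# Prints the effective limit in bytes: the cgroup limit when one is set and
# smaller than physical memory, otherwise MemTotal from MEMINFO_FILE.
container_mem_limit() {
    local cgdir=$1 meminfo=$2 limit host_bytes
    limit=$(cat "$cgdir/memory.limit_in_bytes")
    host_bytes=$(( $(awk '/^MemTotal:/ {print $2}' "$meminfo") * 1024 ))
    if [ "$limit" -ge "$CGROUP_UNLIMITED" ] || [ "$limit" -gt "$host_bytes" ]; then
        echo "$host_bytes"
    else
        echo "$limit"
    fi
}

# Runs the check against a constructed cgroup tree; inside a real 7.1.4
# container use /sys/fs/cgroup/memory and /proc/meminfo directly.
demo_mem_limit() {
    local tmp
    tmp=$(mktemp -d)
    mkdir -p "$tmp/limited" "$tmp/unlimited"
    printf 'MemTotal:       16384000 kB\n' > "$tmp/meminfo"        # constructed 16 GB host
    printf '536870912\n' > "$tmp/limited/memory.limit_in_bytes"    # as set by docker run -m 512m
    printf '%s\n' "$CGROUP_UNLIMITED" > "$tmp/unlimited/memory.limit_in_bytes"
    echo "limited container:   $(container_mem_limit "$tmp/limited" "$tmp/meminfo") bytes"
    echo "unlimited container: $(container_mem_limit "$tmp/unlimited" "$tmp/meminfo") bytes"
    rm -rf "$tmp"
}

demo_mem_limit
```

Inside a container started with docker run -m 512m the first call reports 536870912; without -m the sentinel is replaced by the host's MemTotal, which is the number a JVM heap or connection pool should actually be sized from.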

Red Hat Enterprise Linux Atomic Host 7.1.3 includes the following updates:

  • docker-storage-setup
    • docker-storage-setup now relies on the Logical Volume Manager (LVM) to extend thin pools automatically. By default, 60% of the free space in the volume group is used for the thin pool, and LVM grows it automatically: when the thin pool is 60% full, it is grown by 20%.
    • A default configuration file for docker-storage-setup is now in /usr/lib/docker-storage-setup/docker-storage-setup. You can override the settings in this file by editing the /etc/sysconfig/docker-storage-setup file.
    • Support for passing raw block devices to the docker service for creating a thin pool has been removed. The docker-storage-setup service now creates the LVM thin pool itself and passes it to docker.
    • The chunk size for thin pools has been increased from 64K to 512K.
    • By default, the root disk partition is not grown. You can change this behavior by setting the GROWPART=true option in the /etc/sysconfig/docker-storage-setup file.
    • A thin pool is now set up with the skip_block_zeroing feature: when a new block is provisioned in the pool, it is not zeroed. This is done for performance reasons. You can re-enable zeroing with the --zero option of lvchange:
      lvchange --zero y thin-pool
    • By default, docker storage using the devicemapper graph driver runs on loopback devices. This setup is not production ready and is strongly discouraged, so a warning message is displayed to alert the user. The warning can be suppressed by passing the storage option dm.no_warn_on_loop_devices=true.
  • Updates related to handling storage for Docker-formatted containers:
    • The NFS volume plugin, validated with SELinux, has been added. This includes using the NFS volume plugin to NFS-mount GlusterFS.
    • Persistent volume support has been added, validated for the NFS volume plugin only.
    • Local storage (the HostPath volume plugin), validated with SELinux, has been added (requires the workaround described in the documentation).
    • The iSCSI volume plugin, validated with SELinux, has been added.
    • The GCEPersistentDisk volume plugin, validated with SELinux, has been added (requires the workaround described in the documentation).
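A check for the loopback setup that both the 7.1.4 docker run warning and the 7.1.3 devicemapper note above describe, as an added example that is neither Red Hat's nor docker's code. It parses the text docker info prints for the devicemapper driver (the Storage Driver, Data file and Metadata file fields that docker 1.6 and 1.7 print under the driver name); the two sample outputs are constructed to show a loopback-backed host beside a host whose pool was created by docker-storage-setup and handed to docker through dm.thinpooldev, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Red Hat's or docker's code: decide from `docker info`
# output whether the devicemapper driver is backed by loopback files (the
# setup the 7.1.4 warning and the 7.1.3 note reject for production) or by
# an LVM thin pool. The field names are those docker 1.6/1.7 print; the two
# sample outputs below are constructed for the example.
set -e

# usage: storage_backend_check < docker-info-output
# Prints "loopback" and returns 1 when the Data file or Metadata file is a
# /dev/loop* device, "thinpool" (status 0) for devicemapper without loop
# files, and "other" (status 0) for any other storage driver.
storage_backend_check() {
    local info driver loopfiles
    info=$(cat)
    driver=$(printf '%s\n' "$info" | awk -F': ' '/^Storage Driver:/ {print $2}')
    if [ "$driver" != devicemapper ]; then
        echo other
        return 0
    fi
    # With dm.thinpooldev both file fields are empty; with loopback they name
    # the loop devices attached to the sparse files under /var/lib/docker.
    loopfiles=$(printf '%s\n' "$info" \
        | awk -F': ' '/^ (Data|Metadata) file:/ && $2 ~ /^\/dev\/loop/ {print $2}')
    if [ -n "$loopfiles" ]; then
        echo loopback
        return 1
    fi
    echo thinpool
    return 0
}

# Constructed `docker info` excerpts: a default install on loop devices and
# a host whose pool came from docker-storage-setup.
LOOPBACK_INFO='Containers: 3
Images: 12
Storage Driver: devicemapper
 Pool Name: docker-253:0-1049025-pool
 Pool Blocksize: 65.54 kB
 Backing Filesystem: xfs
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data Space Used: 305.7 MB
 Data Space Total: 107.4 GB'

THINPOOL_INFO='Containers: 3
Images: 12
Storage Driver: devicemapper
 Pool Name: atomicos-docker--pool
 Pool Blocksize: 524.3 kB
 Backing Filesystem: xfs
 Data file:
 Metadata file:
 Data Space Used: 305.7 MB
 Data Space Total: 3.221 GB'

report() {   # usage: report LABEL "docker info text"
    local verdict
    verdict=$(printf '%s\n' "$2" | storage_backend_check) || true
    printf '%-15s %s\n' "$1:" "$verdict"
}
report "loopback host" "$LOOPBACK_INFO"
report "thin-pool host" "$THINPOOL_INFO"
```

On a real host run docker info | storage_backend_check; a loopback verdict means the pool should be rebuilt through docker-storage-setup (settings in /etc/sysconfig/docker-storage-setup) rather than the warning silenced with dm.no_warn_on_loop_devices=true.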

Red Hat Enterprise Linux Atomic Host 7.1.2 includes the following updates:

  • docker-1.6.0-11.el7
    • A completely re-architected registry and a new registry API, supported by Docker 1.6, significantly improve the performance and reliability of image pulls.
    • A new logging driver API, which allows you to send container logs to other systems, has been added to the docker utility. The --log-driver option has been added to the docker run command and accepts one of three values: json-file, syslog, or none. The none option is useful for applications with verbose, non-essential logs.
    • Dockerfile instructions can now be applied when committing and importing, which lets you change an image without rebuilding it entirely. The commit --change and import --change options let you specify standard changes, expressed in Dockerfile syntax, to be applied to the new image.
    • This release adds support for custom cgroups. With the --cgroup-parent flag, you can specify the cgroup in which a container runs. This lets you create and manage cgroups yourself, define custom resources for them, and place containers under a common parent group.
    • With this update, you can specify the default ulimit settings for all containers when configuring the Docker daemon. For example:
      docker -d --default-ulimit nproc=1024:2048
      This command sets a soft limit of 1024 and a hard limit of 2048 processes for all containers. You can pass this option multiple times for different ulimit values, for example:
      --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200
      These defaults can be overridden when creating a container:
      docker run -d --ulimit nproc=2048:4096 httpd
      This overrides the default nproc value passed to the daemon.
    • Registries can be blocked with the --block-registry flag.
    • Multiple registries can be searched at once.
    • Pushing local images to a public registry now requires confirmation.
    • Short names are resolved locally against an ordered list of configured registries, with the docker.io registry last, so that pulling is always done with a fully qualified name.

Red Hat Enterprise Linux Atomic Host 7.1.1 includes the following updates:

  • docker-1.5.0-28.el7
    • IPv6 support: support is available for globally routed and link-local addresses.
    • Read-only containers: this option restricts applications in a container from writing anywhere on the container file system.
    • Statistics API and endpoint: live CPU, memory, network I/O and block I/O statistics can now be streamed from containers.
    • The docker build -f docker_file option, which specifies a file other than Dockerfile for docker build to use.
    • The ability to specify additional registries to use for unqualified pulls and searches. Previously, an unqualified name was searched only in the public Docker Hub.
    • The ability to block communication with certain registries with the --block-registry=<registry> flag. This includes the ability to block the public Docker Hub and the ability to block all registries except the specified ones.
    • Confirmation is required to push to a public registry.
    • All repositories are now listed fully qualified. The output of docker images lists the source registry name for all images pulled, and the output of docker search shows the source registry name for all results.
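The registry resolution and blocking rules from the 7.1.2 and 7.1.1 notes (short names tried against the configured registries in order with docker.io last; --block-registry refusing named registries, or all registries except the configured ones), modelled as an added example that is not Red Hat's or docker's code. The resolution order is reproduced from the notes, not from the daemon's source; the flag name --add-registry for the configured list, the keyword all for --block-registry, and the registry hostnames are assumptions of the example, and the function names are its own. The heuristic for an already qualified name (first path component contains a dot or colon, or is localhost) is docker's usual one.

```shell
#!/bin/sh
# Added example, not Red Hat's or docker's code: model how the docker on
# Atomic Host resolves an image name typed by the user (7.1.2: short names
# are tried against the configured registries in order, docker.io last;
# 7.1.1: --block-registry refuses named registries, or "all" but the added
# ones). Rules come from the release notes; --add-registry, the "all"
# keyword and the hostnames below are assumptions of the example.
set -e

# usage: registry_blocked REGISTRY ADD_REGISTRIES BLOCK_REGISTRIES
# Returns 0 (blocked) when REGISTRY is named in BLOCK_REGISTRIES, or when
# BLOCK_REGISTRIES contains "all" and REGISTRY is not in ADD_REGISTRIES.
registry_blocked() {
    local reg=$1 add=$2 block=$3 b a
    for b in $block; do
        [ "$b" = "$reg" ] && return 0
        if [ "$b" = all ]; then
            for a in $add; do
                [ "$a" = "$reg" ] && return 1
            done
            return 0
        fi
    done
    return 1
}

# usage: resolve_image NAME ADD_REGISTRIES BLOCK_REGISTRIES
# Prints the fully qualified names the daemon would try, one per line and in
# order. An already qualified name (first component contains "." or ":" or
# is "localhost") is tried only at that registry. Returns 1 and prints
# nothing when every candidate is blocked, i.e. the pull must be refused.
resolve_image() {
    local name=$1 add=$2 block=$3 first candidates="" r n=0
    first=${name%%/*}
    if [ "$first" != "$name" ]; then
        case $first in
            *.*|*:*|localhost) candidates=$first; name=${name#*/} ;;
        esac
    fi
    [ -n "$candidates" ] || candidates="$add docker.io"
    for r in $candidates; do
        if registry_blocked "$r" "$add" "$block"; then
            continue
        fi
        printf '%s/%s\n' "$r" "$name"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# Constructed daemon configuration: two --add-registry values, in order.
ADD_REGISTRIES="registry.access.redhat.com registry.example.internal"

echo "== no blocking: unqualified rhel7/rhel =="
resolve_image rhel7/rhel "$ADD_REGISTRIES" ""
echo "== --block-registry docker.io =="
resolve_image rhel7/rhel "$ADD_REGISTRIES" docker.io
echo "== --block-registry all: only the added registries =="
resolve_image rhel7/rhel "$ADD_REGISTRIES" all
echo "== qualified pull from a blocked registry =="
resolve_image docker.io/library/nginx "$ADD_REGISTRIES" docker.io \
    || echo "(refused: docker.io is blocked)"
```

The last case is the one worth checking on a hardened host: blocking docker.io must refuse an explicitly qualified docker.io/... name as well as stop it being the fallback for short names, otherwise an unqualified name in a Dockerfile still reaches the public hub when none of the internal registries has the image.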