Article ID: 125115, created on Apr 3, 2015, last review on Jun 21, 2016

  • Applies to:
  • Virtuozzo 6.0
  • Virtuozzo containers for Linux

Starting from Update 9 (6.0.9-2806), Parallels Cloud Server supports running Docker inside containers.

This article explains how to configure Docker in a container and describes the known limitations.

Prerequisites

To run Docker inside a container, the following requirements must be met:

  • The server is running kernel 2.6.32-042stab105.4 or newer

    The following command displays the currently running kernel:

    [root@pcs ~]# uname -r
    2.6.32-042stab106.4
    
  • The veth and bridge kernel modules are loaded on the host

    The following command checks whether the modules are currently loaded (a loaded module is printed):

    [root@pcs ~]# lsmod | awk '$1=="veth" || $1=="bridge"'
    veth                    4866  0
    bridge                 85143  0
    
  • The container runs CentOS 7 or Fedora 21

We recommend installing Docker from the application template, since it performs most of the configuration steps automatically, including creating a modprobe script that loads the veth module on boot.
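The two host-side prerequisites (kernel revision and loaded modules) can be verified with a small script before touching any container. The script below is an added example and is not part of the article or of the product; it assumes the PCS kernel naming scheme shown above (2.6.32-042stabNNN.M) and the default minimum of 105.4 from the list above, and uses constructed lsmod output (not captured from a real node) for its self-check.

```shell
#!/bin/sh
# Added example, not from the KB article: check the host-side prerequisites from
# text input, so the same functions can be run against the live host or against
# output saved from another node.

# stab_ok "<uname -r output>" "<minimum stab revision, e.g. 105.4>"
# Returns 0 when the kernel is a 2.6.32-042stab kernel at or above the minimum.
stab_ok() {
    kernel="$1"; min="$2"
    case "$kernel" in
        2.6.32-042stab*) ;;              # anything else is not the PCS kernel at all
        *) return 1 ;;
    esac
    rev="${kernel#2.6.32-042stab}"       # e.g. "106.4" from "2.6.32-042stab106.4"
    rev_major="${rev%%[!0-9]*}"          # digits up to the first non-digit
    case "$rev" in
        *.*) rev_minor="${rev#*.}"; rev_minor="${rev_minor%%[!0-9]*}" ;;
        *)   rev_minor=0 ;;
    esac
    [ -n "$rev_major" ] || return 1
    [ -n "$rev_minor" ] || rev_minor=0
    min_major="${min%%.*}"; min_minor="${min#*.}"
    if [ "$rev_major" -gt "$min_major" ]; then return 0; fi
    if [ "$rev_major" -eq "$min_major" ] && [ "$rev_minor" -ge "$min_minor" ]; then return 0; fi
    return 1
}

# modules_loaded "<lsmod output>" module... -> 0 only when every named module is
# listed in the first column (the same test the article's awk one-liner performs).
modules_loaded() {
    lsmod_out="$1"; shift
    for m in "$@"; do
        printf '%s\n' "$lsmod_out" |
            awk -v m="$m" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' || return 1
    done
    return 0
}

# host_prereqs_ok [min] -> runs both checks against the live host.
host_prereqs_ok() {
    stab_ok "$(uname -r)" "${1:-105.4}" && modules_loaded "$(lsmod)" veth bridge
}

# Constructed sample lsmod output (not captured from a real node).
SAMPLE_LSMOD='Module                  Size  Used by
veth                    4866  0
bridge                 85143  0
stp                     2218  1 bridge'
SAMPLE_LSMOD_NO_VETH='Module                  Size  Used by
bridge                 85143  0
stp                     2218  1 bridge'

# Run with --live on a Hardware Node to check the running kernel and modules.
if [ "${1:-}" = "--live" ]; then
    if host_prereqs_ok; then
        echo "host prerequisites satisfied"
    else
        echo "host prerequisites NOT satisfied"
    fi
fi
```

The revision comparison is numeric on both parts, so 2.6.32-042stab106.4 passes a minimum of 105.4 while 104.9 does not; a kernel that is not a 2.6.32-042stab build at all is rejected outright rather than compared.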

Template Installation

  1. Create a CentOS 7 (or Fedora 21) container:

    [root@pcs ~]# vzctl create <CTID> --ostemplate centos-7-x86_64
    
  2. Set up bridged networking in the container:

    [root@pcs ~]# vzctl set <CTID> --netif_add eth0 --save
    [root@pcs ~]# vzctl set <CTID> --ifname eth0 --network <NetworkID> --ipadd <IP>/<Netmask> --gw <GatewayIP> --save
    
  3. Enable the bridge feature, allow all iptables modules (full netfilter) and expose the TUN device in the container:

    [root@pcs ~]# vzctl set <CTID> --features bridge:on --save
    [root@pcs ~]# vzctl set <CTID> --netfilter full --save
    [root@pcs ~]# vzctl set <CTID> --devnodes net/tun:rw --save
    
  4. Install the corresponding Docker application template on the Hardware Node:

    [root@pcs ~]# yum install docker-centos-7-x86_64-ez
    
  5. Install the Docker application template into the container:

    [root@pcs ~]# vzctl start <CTID>
    [root@pcs ~]# vzpkg install <CTID> docker
    

Manual Installation

  1. Create a CentOS 7 (or Fedora 21) container:

    [root@pcs ~]# vzctl create <CTID> --ostemplate centos-7-x86_64
    
  2. Set up bridged networking in the container:

    [root@pcs ~]# vzctl set <CTID> --netif_add eth0 --save
    [root@pcs ~]# vzctl set <CTID> --ifname eth0 --network <NetworkID> --ipadd <IP>/<Netmask> --gw <GatewayIP> --save
    
  3. Enable the bridge feature, allow all iptables modules (full netfilter) and expose the TUN device in the container:

    [root@pcs ~]# vzctl set <CTID> --features bridge:on --save
    [root@pcs ~]# vzctl set <CTID> --netfilter full --save
    [root@pcs ~]# vzctl set <CTID> --devnodes net/tun:rw --save
    
  4. Configure custom cgroups in systemd:

    systemd reads /proc/cgroups and mounts every cgroup controller enabled there. It is not aware of the container restriction that only the combined hierarchies freezer,devices and cpuacct,cpu,cpuset can be mounted inside a container; freezer, cpu and the other controllers cannot be mounted separately.

    Run the following commands to configure the cgroups correctly:

    [root@pcs ~]# vzctl mount <CTID>
    [root@pcs ~]# echo "JoinControllers=cpu,cpuacct,cpuset freezer,devices" >> /vz/root/<CTID>/etc/systemd/system.conf
    
  5. Load the veth module on the host:

    [root@pcs ~]# modprobe veth
    

    It is recommended to configure the server to load the veth module automatically on boot; refer to the corresponding documentation for details.

  6. Start the container:

    [root@pcs ~]# vzctl start <CTID>
    
  7. Prepare Docker in the container:

    These steps are to be performed inside the container.

    1. Install Docker:

      [root@docker ~]# yum -y install docker-io
      
    2. Start the docker daemon:

      [root@docker ~]# service docker start
      

Limitations

Running Docker inside a container has the following restrictions:

  • Only the vfs Docker graph driver is currently supported
  • Checkpointing and live migration of a container with Docker containers inside is not supported
  • Bridges cannot be created inside Docker containers that run inside a PCS container

Known Issues

This section lists known issues that can occur while configuring Docker:

  1. The docker service fails to start with an "inappropriate ioctl for device" error:

    [root@docker ~]# service docker start
    Redirecting to /bin/systemctl start  docker.service
    Job for docker.service failed. See 'systemctl status docker.service' and 'journalctl -xn' for details.
    [root@docker ~]# systemctl status docker.service
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled)
       Active: failed (Result: exit-code) since Fri 2015-04-03 17:24:05 NOVT; 9s ago
         Docs: http://docs.docker.com
      Process: 544 ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY (code=exited, status=1/FAILURE)
     Main PID: 544 (code=exited, status=1/FAILURE)
    
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="info" msg="+job serveapi(unix:///var/run/docker.sock)"
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="info" msg="+job init_networkdriver()"
    Apr 03 17:24:05 docker.host docker[544]: inappropriate ioctl for device
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="info" msg="-job init_networkdriver() = ERR (1)"
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="fatal" msg="inappropriate ioctl for device"
    [root@docker ~]#
    

    This error indicates that the bridge feature is not enabled for the container. To enable it, execute the following command:

    [root@pcs ~]# vzctl set <CTID> --features "bridge:on" --save
    

    Note: the container should be restarted afterwards.

  2. The docker service fails to start with an "Unable to enable network bridge NAT" error:

    [root@docker ~]# systemctl status docker.service
    docker.service - Docker Application Container Engine
       Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled)
       Active: failed (Result: exit-code) since Fri 2015-04-03 17:27:17 NOVT; 3s ago
         Docs: http://docs.docker.com
      Process: 445 ExecStart=/usr/bin/docker -d $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_NETWORK_OPTIONS $ADD_REGISTRY $BLOCK_REGISTRY $INSECURE_REGISTRY (code=exited, status=1/FAILURE)
     Main PID: 445 (code=exited, status=1/FAILURE)
    
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="info" msg="+job serveapi(unix:///var/run/docker.sock)"
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="info" msg="+job init_networkdriver()"
    Apr 03 17:24:05 docker.host docker[544]: inappropriate ioctl for device
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="info" msg="-job init_networkdriver() = ERR (1)"
    Apr 03 17:24:05 docker.host docker[544]: time="2015-04-03T17:24:05+06:00" level="fatal" msg="inappropriate ioctl for device"
    Apr 03 17:27:17 docker.host docker[445]: time="2015-04-03T17:27:17+06:00" level="info" msg="+job serveapi(unix:///var/run/docker.sock)"
    Apr 03 17:27:17 docker.host docker[445]: time="2015-04-03T17:27:17+06:00" level="info" msg="Listening for HTTP on unix (/var/run/docker.sock)"
    Apr 03 17:27:17 docker.host docker[445]: time="2015-04-03T17:27:17+06:00" level="info" msg="+job init_networkdriver()"
    Apr 03 17:27:17 docker.host docker[445]: Unable to enable network bridge NAT: iptables failed: iptables --wait -I POSTROUTING -t nat -s 172.17.42.1/16 ! -o doc...to insmod?)
    Apr 03 17:27:17 docker.host docker[445]: Perhaps iptables or your kernel needs to be upgraded.
    Apr 03 17:27:17 docker.host docker[445]: (exit status 3)
    Apr 03 17:27:17 docker.host docker[445]: time="2015-04-03T17:27:17+06:00" level="info" msg="-job init_networkdriver() = ERR (1)"
    Apr 03 17:27:17 docker.host docker[445]: time="2015-04-03T17:27:17+06:00" level="fatal" msg=" (exit status 3)"
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@docker ~]#
    

    This error occurs because the container cannot configure the NAT-related iptables rules, most likely because the container's netfilter parameter is not set to full. Use the following command to enable it:

    [root@pcs ~]# vzctl set <CTID> --netfilter full --save
    

    Note: the container should be restarted afterwards.

  3. A Docker container cannot be started and fails with a "mountpoint for devices not found" error:

    [root@docker ~]# docker run -i -t docker.io/centos "/bin/bash"
    FATA[0027] Error response from daemon: Cannot start container 384ecb8bd892ff2e0bb45b785ffbbf9243e2d62fa9380dcf1baa9374daf138c2: mountpoint for devices not found
    

    This error occurs because the cgroups are not configured properly, for example:

    [root@docker ~]# grep ^JoinControllers /etc/systemd/system.conf
    [root@docker ~]#
    

    The correct configuration (it is the only correct one):

    [root@docker ~]# grep ^JoinControllers /etc/systemd/system.conf
    JoinControllers=cpu,cpuacct,cpuset freezer,devices
    [root@docker ~]#
    

    To configure the cgroups, run the following commands inside the container:

    [root@docker ~]# echo "JoinControllers=cpu,cpuacct,cpuset freezer,devices" >> /etc/systemd/system.conf
    [root@docker ~]# service docker restart
    
  4. A Docker container cannot be started and fails with an "operation not supported" error:

    [root@docker ~]# docker run -i -t docker.io/centos "/bin/bash"
    FATA[0022] Error response from daemon: Cannot start container fa074c365b09d47050ff39d2ce9fc4af94b551a5fc33fbc1da6e8cdd52af003a: operation not supported
    [root@docker ~]#
    

    This error occurs when the veth module is not loaded on the host:

    [root@pcs ~]# lsmod | grep veth
    [root@pcs ~]#
    

    Load the module to allow the container to start (execute the command on the Hardware Node):

    [root@pcs ~]# modprobe veth
    

    It is recommended to configure the server to load the veth module automatically on boot; refer to the corresponding documentation for details.

  5. A Docker container cannot be started and fails with a "mountpoint for devices not found" error:

    [root@docker ~]# docker run -i -t docker.io/centos "/bin/bash"
    2015/03/26 19:01:20 Error response from daemon: Cannot start container 970299d4271782d5e1451f1204edd72eda3c506e2f0d02498821c0d9087f8066: mountpoint for devices not found
    

    This error can occur when the Hardware Node is not running a supported kernel. The kernel version should be 2.6.32-042stab106.4 or newer; reboot the host into a supported kernel to address the issue.

  6. Docker 1.8 or 1.9 cannot be started in a Virtuozzo 6 Update 10 container:

    [root@ct ~]# docker run -d -p 80 test/hello-world
    WARNING: Your kernel does not support memory swappiness capabilities, memory swappiness discarded.
    Error response from daemon: Cannot start container ID: unable to set hairpin mode on veth101 via netlink: address family not supported by protocol
    

    Docker 1.8 and 1.9 are not supported in Virtuozzo 6 Update 10; downgrade Docker to the supported version 1.7.1. For more information, see the following article:

127636 Cannot start Docker in container on Virtuozzo 6 update 10: address family not supported by protocol
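Known issues 1 to 3 above, and steps 2 to 4 of the manual installation, all come down to a handful of settings in two files: the container's vzctl configuration and the container's /etc/systemd/system.conf. The script below is an added example, not part of the article or the product, that maps those symptoms back to the setting that causes them. It assumes (the article does not state this) that the container configuration is stored at /etc/vz/conf/<CTID>.conf and records the vzctl settings as FEATURES="bridge:on", NETFILTER="full" and DEVNODES="net/tun:rw"; the sample file contents are constructed for the self-check, not captured from a real node. The veth module check for issue 4 is the modules_loaded function from the prerequisites example and is not repeated here.

```shell
#!/bin/sh
# Added example, not from the KB article: detect the configuration gaps behind
# Known Issues 1-3 from the text of the two files involved, so it can be run on a
# Hardware Node or against copies of the files taken from one.

# conf_value "<file contents>" KEY -> prints the value of the first KEY=... line,
# with surrounding double quotes stripped. Commented-out lines (#KEY=) do not match.
conf_value() {
    printf '%s\n' "$1" | awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); sub(/^"/, "", v); sub(/"$/, "", v); print v; exit }'
}

# Container configuration checks (assumed keys, see lead-in).
bridge_feature_on() {                       # Known Issue 1: "inappropriate ioctl for device"
    case "$(conf_value "$1" FEATURES)" in
        *bridge:on*) return 0 ;;
        *) return 1 ;;
    esac
}
netfilter_full() {                          # Known Issue 2: "Unable to enable network bridge NAT"
    [ "$(conf_value "$1" NETFILTER)" = "full" ]
}
tun_devnode_rw() {                          # manual installation step 3, --devnodes net/tun:rw
    case "$(conf_value "$1" DEVNODES)" in
        *net/tun:rw*) return 0 ;;
        *) return 1 ;;
    esac
}

# systemd check: the article states this exact line is the only correct one.
join_controllers_ok() {                     # Known Issue 3: "mountpoint for devices not found"
    [ "$(conf_value "$1" JoinControllers)" = "cpu,cpuacct,cpuset freezer,devices" ]
}

# diagnose "<ct conf>" "<system.conf>" -> prints one line per gap with the fix from
# the article, sets DIAG_PROBLEMS to the count, and returns that count (0 = all set).
diagnose() {
    ct_conf="$1"; sysd_conf="$2"; DIAG_PROBLEMS=0
    if ! bridge_feature_on "$ct_conf"; then
        echo "issue 1: bridge feature off   -> vzctl set <CTID> --features bridge:on --save"
        DIAG_PROBLEMS=$((DIAG_PROBLEMS + 1))
    fi
    if ! netfilter_full "$ct_conf"; then
        echo "issue 2: netfilter not full   -> vzctl set <CTID> --netfilter full --save"
        DIAG_PROBLEMS=$((DIAG_PROBLEMS + 1))
    fi
    if ! tun_devnode_rw "$ct_conf"; then
        echo "step 3:  net/tun not exposed  -> vzctl set <CTID> --devnodes net/tun:rw --save"
        DIAG_PROBLEMS=$((DIAG_PROBLEMS + 1))
    fi
    if ! join_controllers_ok "$sysd_conf"; then
        echo "issue 3: JoinControllers wrong -> echo 'JoinControllers=cpu,cpuacct,cpuset freezer,devices' >> /etc/systemd/system.conf"
        DIAG_PROBLEMS=$((DIAG_PROBLEMS + 1))
    fi
    return "$DIAG_PROBLEMS"
}

# Constructed sample files (not taken from a real node).
CT_CONF_OK='# constructed /etc/vz/conf/<CTID>.conf after manual installation steps 2-3
VE_ROOT="/vz/root/$VEID"
FEATURES="bridge:on"
NETFILTER="full"
DEVNODES="net/tun:rw"'
CT_CONF_BAD='# constructed: container created with defaults and never tuned
VE_ROOT="/vz/root/$VEID"
NETFILTER="stateless"'
SYSD_CONF_OK='[Manager]
#LogLevel=info
JoinControllers=cpu,cpuacct,cpuset freezer,devices'
SYSD_CONF_BAD='[Manager]
#JoinControllers=cpu,cpuacct net,netcls'

# Run with --live <CTID> on a Hardware Node; the container must be mounted
# (vzctl mount <CTID>) so that its system.conf is visible under /vz/root.
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    diagnose "$(cat "/etc/vz/conf/$2.conf")" "$(cat "/vz/root/$2/etc/systemd/system.conf")" \
        && echo "container $2: Docker-related settings are in place"
fi
```

Because conf_value only matches an uncommented KEY= line, a commented-out JoinControllers default in system.conf is reported as missing, which is the situation the article's grep in issue 3 illustrates; the fix strings printed are the article's own commands.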
