Differences

This shows you the differences between two versions of the page.

--- kvm_and_docker_on_one_host [2019/07/26 14:07] – herwarth
+++ kvm_and_docker_on_one_host [2020/04/12 09:10] (current) – [ZFS] herwarth
@@ Line 171: / Line 171: @@
   apt install docker.io
   systemctl enable docker
+We need docker-compose and are going to install it via pip
+  apt install python3-pip
+Now install docker-compose
+  pip3 install docker-compose
 =====Configure=====
 Docker is using iptables to mitigate traffic between containers. Because we are using VLANs with bridges, we do not want Docker to intervene network traffic.
@@ Line 178: / Line 183: @@
 }
 </code>
-  systemctl restart docker
+When we stop docker to manipulate iptables it will not add the masquerade rule to the docker0 bridge. We need this iptables rule to make docker build work again. So first we are going to add the iptables rule manually. Find out which subnet is connected to docker0
+  ip a s docker0
+<code>
+: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
+    link/ether 02:42:b5:d4:a8:53 brd ff:ff:ff:ff:ff:ff
+    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
+       valid_lft forever preferred_lft forever
+    inet6 fe80::42:b5ff:fed4:a853/64 scope link
+       valid_lft forever preferred_lft forever
+</code>
+In this case the subnet is 172.17.0.0/16. Add the rule
+  iptables -t nat -A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
+Now we have the rule added. Make it persistent. First install iptables-persistent
+  apt install iptables-persistent
+It will tell you it created rules in: /etc/iptables/rules.v4 and /etc/iptables/rules.v6.
+Check the rules.v4 file for the masquerade rule
+  cat /etc/iptables/rules.v4
+<code>
+# Generated by iptables-save v1.6.1 on Fri Jul 26 18:19:47 2019
+*nat
+:PREROUTING ACCEPT [468:72707]
+:INPUT ACCEPT [22:10893]
+:OUTPUT ACCEPT [8:601]
+:POSTROUTING ACCEPT [8:601]
+-A POSTROUTING -s 172.17.0.0/16 -j MASQUERADE
+COMMIT
+# Completed on Fri Jul 26 18:19:47 2019
+# Generated by iptables-save v1.6.1 on Fri Jul 26 18:19:47 2019
+*filter
+:INPUT ACCEPT [2328:191223]
+:FORWARD ACCEPT [3836:8412380]
+:OUTPUT ACCEPT [1473:233542]
+:DOCKER-USER - [0:0]
+-A FORWARD -j DOCKER-USER
+-A DOCKER-USER -j RETURN
+COMMIT
+# Completed on Fri Jul 26 18:19:47 2019
+</code>
+====ZFS====
+When you have a ZFS pool you want to use for storage
+<code>
+systemctl stop docker
+rm -rf /var/lib/docker
+zfs create -o mountpoint=/var/lib/docker data/docker
+</code>
+<code - /etc/docker/daemon.json>
+{
+  "storage-driver": "zfs",
+  "iptables": false
+}
+</code>
+<code>
+systemctl start docker
+</code>
+Check with docker info
+<code>docker info</code>
+<code>
+Client:
+ Debug Mode: false
+Server:
+ Containers: 0
+  Running: 0
+  Paused: 0
+  Stopped: 0
+ Images: 0
+ Server Version: 19.03.8
+ Storage Driver: zfs
+  Zpool: data
+  Zpool Health: ONLINE
+  Parent Dataset: data/docker
+  Space Used By Parent: 98304
+  Space Available: 965292744704
+  Parent Quota: no
+  Compression: off
+.
+.
+.
+</code>
 ====Networks====
 In our example we are not going to use containers in the routed subnet bridge called internet
@@ Line 190: / Line 276: @@
 docker network create -d macvlan --subnet=x.x.2.0/24 --gateway=x.x.2.1 --ip-range=x.x.2.128/28 --subnet=x:x:x:2::/64 --gateway=x:x:x:2::1 --ip-range=x:x:x:2::128/124 -o parent=mgmt --ipv6 mgmt
 </code>
+Check it
+  docker network ls
+<code>
+NETWORK ID          NAME                DRIVER              SCOPE
+ae8a5b99638        bridge              bridge              local
+edcbcc28b        dmz                 macvlan             local
+d5b0706837        host                host                local
+cb04700d3481        local               macvlan             local
+b0bdff0a6d53        mgmt                macvlan             local
+e38274915        none                null                local
+</code>
+{{tag>linux}}

User Tools

Site Tools

Differences

Page Tools