======Docker host on CentOS 7======
=====Base installation=====
* minimal install
* disable kdump
* do not configure network
* no security policy
* create own partition layout, choose LVM
* create 512MB /boot
* create a 4GB swap LV, rename the volume group from cl to rootvg and give all remaining disk space to LVM
* do not hand all space to the root filesystem. I chose 16GB for / and left the rest unallocated.
* choose ext4 for all filesystems. I do not believe in XFS as Red Hat does.
=====Configure network=====
# remove old interface config
nmcli con del eno1
nmcli con del eno2
====Teaming====
I am going to use VLANs on top of a team of two network interfaces; VLAN interfaces are easy to hand to OpenStack. This is the configuration for one server:
# create team device
nmcli con add type team con-name team0 ifname team0 config '{"runner": {"name": "lacp"}}'
# add NICs to team
nmcli con add type team-slave con-name team0-uplink1 ifname eno1 master team0
nmcli con add type team-slave con-name team0-uplink2 ifname eno2 master team0
# bring up team
nmcli con up team0-uplink1
nmcli con up team0-uplink2
# verify team0 ports
ip link
teamnl team0 ports
teamdctl team0 state
# disable ip addresses on team interface
nmcli con mod team0 ipv4.method disabled
nmcli con mod team0 ipv6.method ignore
# finally bring up team0
nmcli con up team0
====Bonding (alternative to teaming)====
If you prefer a bond to a team, create it as follows instead; the VLAN devices in the next section then use dev bond0 rather than dev team0.
nmcli con add type bond con-name bond0 ifname bond0 mode 802.3ad
# disable IP on bond0 interface
nmcli c mod bond0 ipv4.method disabled
nmcli c mod bond0 ipv6.method link-local
# add slaves
nmcli con add type bond-slave ifname eno1 master bond0
nmcli con add type bond-slave ifname eno2 master bond0
====VLAN====
# create vlan devices
nmcli con add type vlan con-name vlan2 dev team0 id 2 connection.interface-name vlan2
nmcli con add type vlan con-name vlan11 dev team0 id 11 connection.interface-name vlan11
# no ip addresses on vlan11: it is handed to openstack as the external network
nmcli con mod vlan11 ipv4.method disabled
nmcli con mod vlan11 ipv6.method link-local
# ipv4 on vlan2
nmcli con mod vlan2 ipv4.method manual ipv4.addresses 172.16.2.12/24 ipv4.gateway 172.16.2.1 ipv4.dns 172.16.2.21,208.67.222.222 ipv4.dns-search mngt.bh.helux.nl
# ipv6 on vlan2
nmcli con mod vlan2 ipv6.method manual ipv6.addresses 2a02:22a0:bbb7:402::12/64 ipv6.gateway 2a02:22a0:bbb7:402::1 ipv6.dns 2620:0:ccc::2
# set hostname
hostnamectl set-hostname hp1.mngt.bh.helux.nl
=====Configure firewalld=====
Use my [[firewalld-zones-centos7|Using firewalld to create zones with subnets on CentOS 7]] howto to create the zones and rules.
=====Configure disks=====
We create a dedicated LV for /var/lib/docker so that container images and layers cannot fill the root filesystem.
lvcreate -L16G -n docker rootvg
mkdir /var/lib/docker
mkfs.ext4 -m0 /dev/rootvg/docker
The disk is an SSD, so noatime,discard is added to the mount options in /etc/fstab. Setting discard on swap seems unstable, so swap keeps the defaults.
/dev/mapper/rootvg-root / ext4 defaults,noatime,discard 1 1
UUID=0b76534c-06fd-4428-97fc-9cd937c1d875 /boot ext4 defaults,noatime,discard 1 2
/dev/mapper/rootvg-swap swap swap defaults 0 0
/dev/mapper/rootvg-docker /var/lib/docker ext4 defaults,noatime,discard 1 2
mount -o remount /
mount -o remount /boot
mount /var/lib/docker
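As an added check (not part of the original howto): before rebooting, verify that the fstab you just edited really carries the entries and mount options above. The mountpoints and options in the audit function are the ones from this page; the parser itself only assumes standard fstab syntax.

```shell
#!/bin/sh
# Added example, not from the original page: verify fstab entries before a reboot.
# usage: sh check-fstab.sh /etc/fstab
# check_fstab <fstab-file> <mountpoint> <expected-fstype> <required-opt1,opt2,...>
# prints one line per problem and returns 1; returns 0 when the entry is complete.

# Print the fstab line for a mountpoint (comments and short lines ignored).
fstab_entry() {
    awk -v mp="$2" '/^[[:space:]]*#/ { next } NF >= 4 && $2 == mp { print; exit }' "$1"
}

check_fstab() {
    file="$1"; mp="$2"; want_fs="$3"; want_opts="$4"
    line=$(fstab_entry "$file" "$mp")
    if [ -z "$line" ]; then
        echo "$mp: no fstab entry"
        return 1
    fi
    # Split the entry into its fields: device mountpoint fstype options dump pass
    set -- $line
    fs="$3"; opts="$4"; rc=0
    if [ "$fs" != "$want_fs" ]; then
        echo "$mp: filesystem is $fs, expected $want_fs"
        rc=1
    fi
    # Every required option must appear in the comma-separated option list.
    for o in $(printf '%s' "$want_opts" | tr ',' ' '); do
        case ",$opts," in
            *",$o,"*) ;;
            *) echo "$mp: missing mount option $o"; rc=1 ;;
        esac
    done
    return $rc
}

# The three ext4 filesystems this howto mounts with noatime,discard.
audit_docker_host() {
    f="$1"; rc=0
    check_fstab "$f" /               ext4 noatime,discard || rc=1
    check_fstab "$f" /boot           ext4 noatime,discard || rc=1
    check_fstab "$f" /var/lib/docker ext4 noatime,discard || rc=1
    return $rc
}

if [ $# -gt 0 ]; then
    audit_docker_host "$1"
fi
```

Run it against /etc/fstab after editing and again after a reboot against /proc/mounts (same column layout) to confirm the options actually took effect.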
=====Configure Chrony=====
yum -y install chrony
systemctl enable chronyd
I use my own NTP reference clock. In /etc/chrony.conf, comment out the CentOS pool servers and add the local one:
...
#server 0.centos.pool.ntp.org iburst
#server 1.centos.pool.ntp.org iburst
#server 2.centos.pool.ntp.org iburst
#server 3.centos.pool.ntp.org iburst
server 172.16.2.250 iburst
...
systemctl restart chronyd
=====Repositories and yum config=====
Add EPEL and the official Docker repository. Keep gpgcheck enabled so yum verifies package signatures; the gpgkey URL is the one Docker documented for this repository.
yum -y install epel-release
Create a repo file (e.g. /etc/yum.repos.d/docker.repo):
[docker]
name=Docker for Enterprise Linux 7 - $basearch
baseurl=https://yum.dockerproject.org/repo/main/centos/7/
enabled=1
gpgcheck=1
gpgkey=https://yum.dockerproject.org/gpg
Limit the number of installed kernels in /etc/yum.conf:
...
installonly_limit=2
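A repo section with gpgcheck=0 lets yum install whatever the mirror (or anyone between you and it) serves, so it is worth auditing all repo files once before the first yum update. The following is an added example, not part of the page or of Docker's documentation: it walks the .repo files in a directory and reports every section that disables signature checking, never sets it, or enables it without a gpgkey. The directory path is a parameter; the sample repo file in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: find yum repo sections that skip
# GPG verification.
# usage: sh audit-repos.sh /etc/yum.repos.d

# Print one line per offending section in a single .repo file:
#   <file>:<section>: <reason>
audit_repo_file() {
    awk -v file="$1" '
        function flush() {
            if (sec == "") return
            if (gpgcheck == "0")
                printf "%s:%s: gpgcheck=0 (signatures not verified)\n", file, sec
            else if (gpgcheck == "")
                printf "%s:%s: gpgcheck not set\n", file, sec
            else if (gpgkey == "")
                printf "%s:%s: gpgcheck=1 but no gpgkey\n", file, sec
        }
        # [section] header: report the previous section, start a new one
        /^[[:space:]]*\[.*][[:space:]]*$/ {
            flush()
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/][[:space:]]*$/, "", sec)
            gpgcheck = ""; gpgkey = ""
            next
        }
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); gpgcheck = v
        }
        /^[[:space:]]*gpgkey[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v); gpgkey = v
        }
        END { flush() }
    ' "$1"
}

# Audit every .repo file in a directory. Returns 0 when all sections verify
# signatures, 1 otherwise (findings are printed).
audit_repo_dir() {
    dir="$1"; findings=""
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        out=$(audit_repo_file "$f")
        if [ -n "$out" ]; then
            findings="$findings$out
"
        fi
    done
    if [ -n "$findings" ]; then
        printf '%s' "$findings"
        return 1
    fi
    return 0
}

if [ $# -gt 0 ]; then
    audit_repo_dir "$1"
fi
```

A section that merely omits gpgcheck inherits the value from /etc/yum.conf, which is why the script reports it rather than guessing; fix it explicitly in the repo file.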
=====Packages=====
Install some useful tools
yum -y install net-tools wget bind-utils deltarpm bash-completion yum-plugin-remove-with-leaves yum-utils
Update everything
yum -y update
Install docker
yum -y install docker-engine python-docker-py
Docker drop-in required by Kolla, which needs the daemon to run with shared mount propagation:
# Create the drop-in unit directory for docker.service
mkdir -p /etc/systemd/system/docker.service.d
# Create the drop-in unit file
tee /etc/systemd/system/docker.service.d/kolla.conf <<-'EOF'
[Service]
MountFlags=shared
EOF
systemctl daemon-reload
systemctl enable docker
systemctl restart docker
=====Root CA certificate to communicate with the Docker repository=====
On each node I trust my own root CA. The certificate is fetched over plain HTTP here, so compare its fingerprint with a value obtained out of band before trusting it.
update-ca-trust force-enable
cd /etc/pki/ca-trust/source/anchors
curl http://ldap.mngt.bh.helux.nl/cacert.pem -o HeluxCA.pem
update-ca-trust extract
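A root CA downloaded over plain HTTP can be swapped on the wire, and whoever controls that file can then forge certificates for every TLS service the node talks to. The following is an added example, not the page's own procedure: it fetches the certificate to a temporary file, compares its SHA-256 fingerprint with one supplied on the command line (obtained out of band, e.g. from the CA host's console), and only then installs it as a trust anchor. The URL, anchor file name and fingerprint are passed as arguments and are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: install a CA anchor only after its
# SHA-256 fingerprint matches an out-of-band value.
# usage: sh install-ca.sh http://ldap.mngt.bh.helux.nl/cacert.pem <sha256-fingerprint> HeluxCA.pem
# (URL and anchor name are the page's; the fingerprint is whatever your CA shows)

# Print the SHA-256 fingerprint of a PEM certificate as 64 upper-case hex digits
# without colons, so values pasted in either style compare equal.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Compare a certificate with an expected fingerprint (case and colons ignored).
# Returns 0 on match, 1 on mismatch or unreadable certificate.
verify_ca_fingerprint() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    have=$(cert_fingerprint "$1")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Fetch, verify, install as anchor, rebuild the trust store.
# install_ca_anchor <url> <expected-fingerprint> <anchor-file-name>
install_ca_anchor() {
    tmp=$(mktemp)
    if ! curl -fsS "$1" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_ca_fingerprint "$tmp" "$2"; then
        echo "fingerprint mismatch for $1, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0644 "$tmp" "/etc/pki/ca-trust/source/anchors/$3"
    rm -f "$tmp"
    update-ca-trust extract
}

if [ $# -eq 3 ]; then
    install_ca_anchor "$1" "$2" "$3"
fi
```

The same verify_ca_fingerprint check can be run later against /etc/pki/ca-trust/source/anchors/HeluxCA.pem to confirm the anchor on a node has not been replaced.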
=====Reboot and remove old kernel=====
reboot
package-cleanup --oldkernels --count=1
{{tag>centos}}