Is there a possibility to change container restart policy using podman? We can set policy during creating container podman run --restart always, but how to change it when the container is created?
Using docker we have docker update command which allows us to do so. Unfortunately there is no podman update command. Can it be done? Or do I need to create a new container?
when using podman you should create a systemd service that will manage podman container.
create systemd file "/etc/systemd/system/containername.service"
[Unit]
Description=your container
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a containername
ExecStop=/usr/bin/podman stop -t 2 containername
[Install]
WantedBy=local.target
run command:
systemctl daemon-reload
enable service to start at boot
systemctl enable containername.service
restart service
systemctl restart containername.service
You can also add some other restart systemd parameters like:
RestartSec (Configures the time to sleep before restarting a service), StartLimitInterval (seconds service is it not permitted to start any more), StartLimitBurst
for more details check man pages: "man systemd.service"
I cannot connect to internet from pods. My kubernetes cluster is behind proxy.
I have already set /env/environment and /etc/systemd/system/docker.service.d/http_proxy.conf, and confirmed that environment variables(http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY, no_proxy, NO_PROXY) are correct.
But in the pod, when I tried echo $http_proxy, answer is empty. I also tried curl -I https://rubygems.org but it returned curl: (6) Could not resolve host: rubygems.org.
So I think pod doesn't receive environment values correctly or there is something I forget to do what I should do. How should I do to solve it?
I tried to export http_proxy=http://xx.xx.xxx.xxx:xxxx; export https_proxy=....
After that, I tried again curl -I https://rubygems.org and I can received header with 200.
What I see is that you have wrong proxy.conf name.
As per official documention the name should be /etc/systemd/system/docker.service.d/http-proxy.confand not /etc/systemd/system/docker.service.d/http_proxy.conf.
Next you add proxies, reload daemon and restart docker, as mentioned in provided in comments another answer
/etc/systemd/system/docker.service.d/http_proxy.conf:
Content:
[Service]
Environment="HTTP_PROXY=http://x.x.x:xxxx"
Environment="HTTPS_PROXY=http://x.x.x.x:xxxx"
# systemctl daemon-reload
# systemctl restart docker
Or, as per #mk_ska answer you can
add http_proxy setting to your Docker machine in order to forward
packets from the nested Pod container through the target proxy server.
For Ubuntu based operating system:
Add export http_proxy='http://:' record to the file
/etc/default/docker
For Centos based operating system:
Add export http_proxy='http://:' record to the file
/etc/sysconfig/docker
Afterwards restart Docker service.
Above will set proxy for all containers what will be used by docker engine
We can use the command docker images to list the Docker images we have on local host.
Now I want to get the same information from a remote server by sending an HTTP GET request in Firefox or Chrome. Does Docker provide some REST API to do this?
I did a lot of search. For example:
Examples using the Docker Engine SDKs and Docker API
It provides a way something like this:
curl --unix-socket /var/run/docker.sock http:/v1.24/containers/json
I know a little about Unix sockets, and I don't think this is what I want. The URL (http:/v1.24/containers/json) is so weird and don't even have a server name in it. I don't think it can work on a remote server. (It does work on a local server.)
Is there any official documentation that Docker provides on this topic?
You need to expose the Docker daemon on a port.
You can configure the Docker daemon to listen to multiple sockets at the same time using multiple -H options:
listen using the default Unix socket, and on two specific IP addresses on this host.
$ sudo dockerd -H unix:///var/run/docker.sock -H tcp://192.168.59.106 -H tcp://10.10.10.2
The Docker client will honor the DOCKER_HOST environment variable to set the -H flag for the client. Use one of the following commands:
https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option
You need to do this by creating a systemd dropin:
mkdir -p /etc/systemd/system/docker.service.d/
cat > /etc/systemd/system/docker.service.d/10_docker.conf <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// -H tcp://0.0.0.0:2376
EOF
Then reload and restart Docker:
systemctl daemon-reload
systemctl restart docker
Note: this way you would be exposing your host and you shouldn't do it this way in production. Please read more about this on the link I shared earlier.
I've created a kubenetes cluster on my Mac with docker-machine, following the documentation here:
http://kubernetes.io/docs/getting-started-guides/docker/
I can access the normal api from inside the instance on 127.0.0.1:8080, but I want to access it externally from my macbook. I know there is a secure port :6443, but I'm unsure how to set up the credentials to access this port.
There are lots of instructions on how to do it on custom installs of kubernetes, but I don't know how to do it inside the docker containers I'm running.
Likely, you will want to use Virtual Box's port forwarding capabilities. An example from the documentation:
VBoxManage modifyvm "MyVM" --natpf1 "k8srule,tcp,,6443,,6443"
This forwards port 6443 on all hosts interfaces to port 6443 of the guest. Port forwarding can also be configured through the VirtualBox UI.
It's like a workaround but most of the time, I think KubeOnDocker setup is for developper that don't need the credentials mecanism :
When you start the KubeOnDocker, --config=/etc/kubernetes/manifests point to master.json. If you look the apiserver start command, you will see that --insecure-bind-address is 127.0.0.1. If you use --config=/etc/kubernetes/manifests-multi it will point to master-multi.json, --insecure-bind-address will be 0.0.0.0 and the apiserver will be accessible from everywhere.
Note that you will need to start etcd with manifests-multi.
# Not tested start
docker run \
-d \
--net=host \
gcr.io/google_containers/etcd:2.2.1 \
/usr/local/bin/etcd \
--listen-client-urls=http://127.0.0.1:4001 \
--advertise-client-urls=http://127.0.0.1:4001 \
--data-dir=/var/etcd/data
I need to set docker to listen to tcp://0.0.0.0/4243 on my host machine running amazon linux (centos). All the documentation I have seen has told me to run the following command
echo DOCKER_OPTS="-H=tcp://127.0.0.1:4243" >> /etc/default/docker
Which will write the correct docker_opts to /etc/default/docker. I've done this, but when I restart docker it does not listen to 127.0.0.1
I can make docker run correctly by typing
sudo /usr/bin/docker -H tcp://0.0.0.0:4243 -d &
That works, but I want the default option to be listening on tcp://0.0.0.0:4243 without having to specify it every time.
It seems that docker is completely ignoring my /etc/default/docker file so the settings are being ignored. I also tried writing the file to /etc/default/docker.io and /etc/default/docker-io (didn't really expect much to happen)
I need to be able to start docker with just
service docker start
or it will cause issues in my current deployment playbook.
Any thoughts on what I can do to set DOCKER_OPTS and not have to do it every time I restart docker?
In RHEL7, instead of modifying your docker.service unit file, you can also just edit your /etc/sysconfig/docker file:
# /etc/sysconfig/docker
# Modify these options if you want to change the way the docker daemon runs
OPTIONS=--selinux-enabled -H unix:///var/run/docker.sock -H tcp://0.0.0.0:4243
and then restart your docker service.
To me, this is more reliable than modifying the service script.
For CentOS 7 (RHEL 7):
Find the systemd docker.service unit file. Mine is located at: /usr/lib/systemd/system/docker.service
In this file, edit the line in the [Service] section beginning with ExecStart=. Add the "-H tcp://0.0.0.0:4243" into the line. (notice there's no "=" between the -H and the IP address as in your example DOCKER_OPTS line above.)
On my system, the entire contents of docker.service then looks like:
[Unit]
Description=Docker Application Container Engine
Documentation=http://docs.docker.com
After=network.target docker.socket
Requires=docker.socket
[Service]
Type=notify
EnvironmentFile=-/etc/sysconfig/docker
ExecStart=/usr/bin/docker -d -H tcp://127.0.0.1:4243 -H fd:// $OPTIONS
LimitNOFILE=1048576
LimitNPROC=1048576
[Install]
Also=docker.socket
(I only need Docker to listen on the loopback, instead of all IP addresses.)
After making this edit to the systemd unit file and restarting the Docker service via systemctl restart docker, I see the following process:
root 8574 0.0 0.2 321708 10564 ? Ssl 00:42 0:00 /usr/bin/docker -d -H tcp://127.0.0.1:4243 -H fd:// --selinux-enabled
As you can see, it does now listen on the configured TCP address, and will persist over reboots and service stop/starts.
I cannot believe how many answers there are for this. So here is another one for:
CentOS 7.3
Docker Version = 17.03.1-ce, API Version = 1.27
This answer is built upon an unbelievable playing around combination of this answer and this one and this one.
sudo vim /usr/lib/systemd/system/docker.service
insert " -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"
sudo systemctl daemon-reload //refresh your file changes above
sudo systemctl restart docker
netstat -l | grep 4243 //verify port is open
connect to your docker host from somewhere, like Jenkins Docker Plugin, i.e. tcp://[server_ip]:4243
Editing /etc/docker/daemon.json seems to be the new, supported way.
With Docker 1.7.1 on CentOS 7 neither modifying /usr/lib/systemd/system/docker.service or /etc/sysconfig/docker worked for me. It seems that in systemd sets up the socket, so in order to change the group you have to edit SocketGroup in /usr/lib/systemd/system/docker.socket
[Unit]
Description=Docker Socket for the API
PartOf=docker.service
[Socket]
ListenStream=/var/run/docker.sock
SocketMode=0660
SocketUser=root
SocketGroup=jenkins
[Install]
WantedBy=sockets.target
I Think on CentOS, you can try setting the options as below in the file /etc/sysconfig/docker
other_args="-H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock"
Then restart the docker and try checking if the port is opening using
netstat -plt | grep 4243
This should list if listening
I needed to change the default bridge interface docker0 to use my own bridge interface br0 and putting the following content in that file solved my issue:
CentOS 7.2 and docker 1.10.3
/usr/lib/systemd/system/docker.service.d/docker.conf
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon --bridge=br0 -H fd://
and of course the following need to be performed after:
sudo systemctl daemon-reload
sudo systemctl restart docker
ip link del docker0
It worked for me when I followed how its shown in the posts above with drop-in replacement files in: /etc/systemd/system/docker.service.d
I am working on centos 7.
I just want to add insecure-registry in docker config file then I changed "DOCKER_OPTS=--insecure-registry=...." in /etc/sysconfig/docker while it did not work.
While I saw a INSECURE_REGISTRY in the config so I changed this variable and it WORKS!
So I guess DOCKER_OPTS does not work here!
But it worked on my unbuntu 14!
It is really frustrating when using docker!
Based on https://docs.docker.com/engine/admin/configuring/
sudo mkdir /etc/systemd/system/docker.service.d
sudo vi /etc/systemd/system/docker.service.d/docker.conf
[Service]
ExecStart=
ExecStart=/usr/bin/docker daemon -H fd:// -D -H tcp://127.0.0.1:4243
sudo systemctl daemon-reload
sudo systemctl restart docker
1、edit /usr/lib/systemd/system/docker.service to add two param in the service section:
# vim /usr/lib/systemd/system/docker.service
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
2、reload the configuration,and then restart docker。
# systemctl daemon-reload
# systemctl restart docker
3、to check for success, see if the return the following response。
# ps -ef|grep docker
root 26208 1 0 23:51 ? 00:00:00 /usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
reference from Expose the Docker Remote API on Centos 7?
I believe things have changed now, this answer by Brian Ogden had worked for me earlier but didn't work on my environment today, probably with the updated versions of the docker, kernel, and OS.
CentOS 7.4.1708 (on AWS)
Docker 17.03.2-ce
API 1.27
This is what worked after few hit and trials. I could not find it documented anywhere.
In file /etc/systemd/system/docker.service.d/execstart.conf, replace the last ExecStart (there are two) with below
ExecStart=/usr/bin/dockerd --graph=/var/lib/docker --storage-driver=overlay -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
Now, my files looks like this
# cat /etc/systemd/system/docker.service.d/execstart.conf
[Service]
Restart=always
StartLimitInterval=0
RestartSec=15
ExecStartPre=-/sbin/ip link del docker0
ExecStart=
ExecStart=/usr/bin/dockerd --graph=/var/lib/docker --storage-driver=overlay -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
#
Once, the above file is changed just the run the below command to activate the changes.
# systemctl daemon-reload && systemctl stop docker && rm -f /var/run/docker.sock && systemctl start docker
To verify if everything is working fine, you can run any (or all) of below commands
# systemctl status docker.service | grep tcp
├─21812 /usr/bin/dockerd --graph=/var/lib/docker --storage-driver=overlay -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
#
# netstat -an | grep 4243
tcp6 0 0 :::4243 :::* LISTEN
#
# ps aux | grep [4]243
root 21812 1.0 0.8 1017512 67876 ? Ssl 15:11 0:06 /usr/bin/dockerd --graph=/var/lib/docker --storage-driver=overlay -H tcp://0.0.0.0:4243 -H unix:///var/run/docker.sock
#
# docker -H :4243 info