docs/install/linux/docker-ee/rhel.md

description: Instructions for installing Docker EE on RHEL
keywords: requirements, installation, rhel, rpm, install, uninstall, upgrade, update
redirect_from: /engine/installation/rhel/, /installation/rhel/, /engine/installation/linux/rhel/, /engine/installation/linux/docker-ee/rhel/
title: Get Docker EE for Red Hat Enterprise Linux

{% assign linux-dist = "rhel" %} {% assign linux-dist-cap = "RHEL" %} {% assign linux-dist-url-slug = "rhel" %} {% assign linux-dist-long = "Red Hat Enterprise Linux" %} {% assign package-format = "RPM" %} {% assign gpg-fingerprint = "77FE DA13 1A83 1D29 A418 D3E8 99E5 FF2E 7668 2BC9" %}

{% include ee-linux-install-reuse.md section="ee-install-intro" %}

Prerequisites

This section lists what you need to consider before installing Docker EE. Items that require action are explained below.

  • Use {{ linux-dist-cap }} 64-bit 7.1 and higher on x86_64, s390x, or ppc64le (not ppc64).
  • Use storage driver overlay2 or devicemapper (direct-lvm mode in production).
  • Find the URL for your Docker EE repo at Docker Hub.
  • Uninstall old versions of Docker.
  • Remove old Docker repos from /etc/yum.repos.d/.
  • Disable SELinux on s390x (IBM Z) systems before install/upgrade.

Architectures and storage drivers

Docker EE supports {{ linux-dist-long }} 64-bit, versions 7.1 and higher (7.1, 7.2, 7.3, 7.4, 7.5), running on one of the following architectures: x86_64, s390x (IBM Z), or ppc64le (IBM Power, little endian format). To confirm that you have ppc64le (and not ppc64), run uname -m.

Little endian format only

On IBM Power systems, Docker EE only supports little endian format, ppc64le, even though {{ linux-dist-cap }} 7 ships both big and little endian versions.

On {{ linux-dist-long }}, Docker EE supports the overlay2 and devicemapper storage drivers. In Docker EE 17.06.2-ee-5 and higher, overlay2 is the recommended storage driver. The following limitations apply:

  • OverlayFS: If SELinux is enabled, the overlay2 storage driver is supported on {{ linux-dist-cap }} 7.4 or higher. If SELinux is disabled, overlay2 is supported on {{ linux-dist-cap }} 7.2 or higher with kernel version 3.10.0-693 and higher.

  • Device Mapper: On production systems using devicemapper, you must use direct-lvm mode, which requires one or more dedicated block devices. Fast storage such as solid-state media (SSD) is recommended. Do not start Docker until devicemapper is properly configured as described in the storage guide.

FIPS 140-2 cryptographic module support

Federal Information Processing Standards (FIPS) Publication 140-2 is a United States Federal security requirement for cryptographic modules.

With Docker EE Basic license for versions 18.03 and later, Docker provides FIPS 140-2 support in RHEL 7.3, 7.4 and 7.5. This includes a FIPS supported cryptographic module. If the RHEL implementation already has FIPS support enabled, FIPS is automatically enabled in the Docker engine.

To verify the FIPS-140-2 module is enabled in the Linux kernel, confirm the file /proc/sys/crypto/fips_enabled contains 1.

$ cat /proc/sys/crypto/fips_enabled
1

NOTE: FIPS is only supported in the Docker EE engine. UCP and DTR currently do not have support for FIPS-140-2.

To enable FIPS 140-2 compliance on a system that is not in FIPS 140-2 mode, do the following:

Create a file called /etc/systemd/system/docker.service.d/fips-module.conf. It needs to contain the following:

[Service]
Environment="DOCKER_FIPS=1"

Reload the systemd configuration so that it picks up the Docker drop-in file.

$ sudo systemctl daemon-reload

Restart the Docker service as root.

$ sudo systemctl restart docker

To confirm Docker is running with FIPS-140-2 enabled, run the docker info command:

{% raw %}

$ docker info --format '{{.SecurityOptions}}'
[name=selinux name=fips]

{% endraw %}

Disabling FIPS-140-2

If the system has the FIPS 140-2 cryptographic module installed on the operating system, it is possible to disable FIPS-140-2 compliance.

To disable FIPS 140-2 in Docker but not in the operating system, set the value DOCKER_FIPS=0 in /etc/systemd/system/docker.service.d/fips-module.conf.

Reload the systemd configuration so that it picks up the changed drop-in file.

$ sudo systemctl daemon-reload

Restart the Docker service as root.

$ sudo systemctl restart docker
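
The enable and disable procedures above leave FIPS state in three places: the kernel flag, the DOCKER_FIPS drop-in, and the security options the engine reports. The script below is an added example, not part of the original Docker documentation, that compares the three and flags an engine that does not match, for instance when the drop-in was edited but the daemon was not reloaded and restarted. The function names are hypothetical, and the third argument to audit_fips is the output of the docker info command shown earlier.

```bash
#!/usr/bin/env bash
# Added example: cross-check kernel, drop-in and engine FIPS state.
# Function names are hypothetical; default paths are the ones named on this page.

# Print 1 if the kernel flag file contains 1, otherwise 0.
kernel_fips() {
    local f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(tr -d '[:space:]' < "$f")" = "1" ] && echo 1 || echo 0
}

# Print the DOCKER_FIPS value from the systemd drop-in (1 or 0), or "unset".
# systemd lets a later Environment= assignment override an earlier one,
# so the last matching line wins.
dropin_fips() {
    local f="${1:-/etc/systemd/system/docker.service.d/fips-module.conf}" v
    [ -r "$f" ] || { echo unset; return; }
    v=$(sed -n 's/^[[:space:]]*Environment="\{0,1\}DOCKER_FIPS=\([01]\)"\{0,1\}[[:space:]]*$/\1/p' "$f" | tail -n 1)
    echo "${v:-unset}"
}

# Print 1 if the engine's SecurityOptions string lists name=fips, otherwise 0.
engine_fips() {
    case "$1" in *name=fips*) echo 1 ;; *) echo 0 ;; esac
}

# State the engine should report: an explicit DOCKER_FIPS value decides,
# otherwise the engine follows the kernel.
expected_fips() {
    case "$2" in
        1|0) echo "$2" ;;
        *)   echo "$1" ;;
    esac
}

# audit_fips KERNEL_FLAG_FILE DROPIN_FILE SECURITY_OPTIONS_OUTPUT
# Returns non-zero when the running engine disagrees with the configuration.
audit_fips() {
    local k d e want
    k=$(kernel_fips "$1"); d=$(dropin_fips "$2"); e=$(engine_fips "$3")
    want=$(expected_fips "$k" "$d")
    if [ "$e" = "$want" ]; then
        echo "OK kernel=$k dropin=$d engine=$e"
    else
        echo "MISMATCH kernel=$k dropin=$d engine=$e expected=$want"
        return 1
    fi
}
```

A MISMATCH result after editing the drop-in usually means the daemon-reload and restart steps have not been run yet.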

Find your Docker EE repo URL

{% include ee-linux-install-reuse.md section="find-ee-repo-url" %}

Uninstall old Docker versions

The Docker EE package is called docker-ee. Older versions were called docker or docker-engine. Uninstall all older versions and associated dependencies. The contents of /var/lib/docker/ are preserved, including images, containers, volumes, and networks.

$ sudo yum remove docker \
                  docker-client \
                  docker-client-latest \
                  docker-common \
                  docker-latest \
                  docker-latest-logrotate \
                  docker-logrotate \
                  docker-selinux \
                  docker-engine-selinux \
                  docker-engine \
                  docker-ce

Repo install and upgrade

{% include ee-linux-install-reuse.md section="using-yum-repo" %}

{% capture selinux-warning %}

Disable SELinux before installing Docker EE on IBM Z systems

There is currently no support for selinux on IBM Z systems. If you attempt to install or upgrade Docker EE on an IBM Z system with selinux enabled, an error is thrown that the container-selinux package is not found. Disable selinux before installing or upgrading Docker on IBM Z. {:.warning} {% endcapture %} {{ selinux-warning }}

Set up the repository

{% include ee-linux-install-reuse.md section="set-up-yum-repo" %}

Install from the repository

{% include ee-linux-install-reuse.md section="install-using-yum-repo" %}

Upgrade from the repository

{% include ee-linux-install-reuse.md section="upgrade-using-yum-repo" %}

Package install and upgrade

{% include ee-linux-install-reuse.md section="package-installation" %}

{{ selinux-warning }}

Install with a package

{% include ee-linux-install-reuse.md section="install-using-yum-package" %}

Upgrade with a package

{% include ee-linux-install-reuse.md section="upgrade-using-yum-package" %}

Uninstall Docker EE

{% include ee-linux-install-reuse.md section="yum-uninstall" %}

Next steps

{% include ee-linux-install-reuse.md section="linux-install-nextsteps" %}