【翻译-Docker】Post-installation steps for Linux

来源【Post-installation steps for Linux】

Post-installation steps for Linux

Estimated reading time: 11 minutes

This section contains optional procedures for configuring Linux hosts to work better with Docker.

Linux安装后的步骤
估计阅读时间：！1分钟
本节包含配置Linux主机能与Docker更好工作的可选程序。

Manage Docker as a non-root user

The docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The docker daemon always runs as the rootuser.

If you don’t want to use sudo when you use the docker command, create a Unix group called docker and add users to it. When the docker daemon starts, it makes the ownership of the Unix socket read/writable by the docker group.

Warning: The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

Docker守护进程绑定到一个Unix套接字而不是TCP端口。默认情况下Unix套接字是由root用户拥有，其他用户只能使用sudo来访问它。Docker守护进程总是以root用户运行。
当你使用docker命令时不想用sudo，创建一个叫docker的Unix组，并把用户添加进去。当docker守护进程启动时，它使得Unix套接字可读写的所有权由docker组启用。
警告：docker组授予的权限等同与root用户，详细关于这会如何影响你系统安全，请参考Docker Daemon Attack Surface。

To create the docker group and add your user:

1. Create the docker group.

   $ sudo groupadd docker
   

2. Add your user to the docker group.

   $ sudo usermod -aG docker $USER
   

3. Log out and log back in so that your group membership is re-evaluated.

   If testing on a virtual machine, it may be necessary to restart the virtual machine for changes to take effect.

   On a desktop Linux environment such as X Windows, log out of your session completely and then log back in.

4. Verify that you can run docker commands without sudo.

   $ docker run hello-world
   

   This command downloads a test image and runs it in a container. When the container runs, it prints an informational message and exits.

Configure Docker to start on boot

Most current Linux distributions (RHEL, CentOS, Fedora, Ubuntu 16.04 and higher) use systemd to manage which services start when the system boots. Ubuntu 14.10 and below use upstart.

配置Docker启动
最新的Linux发行版（RHEL, CentOS, Fedora, Ubuntu 16.04以及更高版本）使用systemd 来管理当系统启动时哪个服务启动。Ubuntu 14.10和低版本的使用upstart

systemd

$ sudo systemctl enable docker

To disable this behavior, use disable instead.

$ sudo systemctl disable docker

If you need to add an HTTP Proxy, set a different directory or partition for the Docker runtime files, or make other customizations, see customize your systemd Docker daemon options.

如果你需要添加HTTP代理，为Docker运行时文件设置不同的目录和分区，或者使用其他自定义，查看自定义你的systemd Docker守护进程选项。

upstart

Docker is automatically configured to start on boot using upstart. To disable this behavior, use the following command:

$ echo manual | sudo tee /etc/init/docker.override

chkconfig

$ sudo chkconfig docker on

Use a different storage engine

For information about the different storage engines, see Storage drivers. The default storage engine and the list of supported storage engines depend on your host’s Linux distribution and available kernel drivers.

Troubleshooting

Kernel compatibility

Docker will not run correctly if your kernel is older than version 3.10 or if it is missing some modules. To check kernel compatibility, you can download and run the check-compatibility.sh script.

使用不同的存储引擎
关于不同存储引擎的信息，请查看存储驱动程序。默认的存储引擎和支持的存储引擎列表依赖于你 Linux主机的发行版和可用的内核引擎。
故障排查
内核兼容
如果你的内核老于3.10版本或者缺少一些模块，Docker将不能正常运行。为了检查内核兼容性，你可以下载并运行脚本check-compatibility.sh

$ curl https://raw.githubusercontent.com/docker/docker/master/contrib/check-config.sh > check-config.sh

$ bash ./check-config.sh

The script will only work on Linux, not macOS.

Cannot connect to the Docker daemon

If you see an error such as the following, your Docker client may be configured to connect to a Docker daemon on a different host, and that host may not be reachable.

如果你看多如下错误，你的Docker客户端可能被配置连接到了不同主机的守护进程，而该主机不可访问。

Cannot connect to the Docker daemon. Is 'docker daemon' running on this host?

To see which host your client is configured to connect to, check the value of the DOCKER_HOST variable in your environment.

$ env | grep DOCKER_HOST

If this command returns a value, the Docker client is set to connect to a Docker daemon running on that host. If it is unset, the Docker client is set to connect to the Docker daemon running on the local host. If it is set in error, use the following command to unset it:

如果这条命令返回一个值，Docker客户端将被设置为连接到那台主机的Docker守护进程。如果没有设置，Docker客户端被设置为连接到本地主机的Docker守护进程。如果设置错误，请使用下面命令取消设置：

$ unset DOCKER_HOST

You may need to edit your environment in files such as ~/.bashrc or ~/.profile to prevent the DOCKER_HOST variable from being set erroneously.

If DOCKER_HOST is set as intended, verify that the Docker daemon is running on the remote host and that a firewall or network outage is not preventing you from connecting.

IP forwarding problems

If you manually configure your network using systemd-network with systemd version 219 or higher, Docker containers may be unable to access your network. Beginning with systemd version 220, the forwarding setting for a given network (net.ipv4.conf.<interface>.forwarding) defaults to off. This setting prevents IP forwarding. It also conflicts with Docker’s behavior of enabling the net.ipv4.conf.all.forwarding setting within containers.

To work around this on RHEL, CentOS, or Fedora, edit the <interface>.network file in /usr/lib/systemd/network/ on your Docker host (ex: /usr/lib/systemd/network/80-container-host0.network) and add the following block within the [Network]section.

[Network]
...
IPForward=kernel
# OR
IPForward=true
...

This configuration allows IP forwarding from the container as expected.

DNS resolver found in resolv.conf and containers can't use it

Linux systems which use a GUI often have a network manager running, which uses a dnsmasq instance running on a loopback address such as 127.0.0.1 or 127.0.1.1 to cache DNS requests, and adds this entry to /etc/resolv.conf. The dnsmasq service speeds up DNS look-ups and also provides DHCP services. This configuration will not work within a Docker container which has its own network namespace, because the Docker container resolves loopback addresses such as 127.0.0.1 to itself, and it is very unlikely to be running a DNS server on its own loopback address.

If Docker detects that no DNS server referenced in /etc/resolv.conf is a fully functional DNS server, the following warning occurs and Docker uses the public DNS servers provided by Google at 8.8.8.8 and 8.8.4.4 for DNS resolution.

容器不能使用resolv.conf中的DNS解析器
使用GUI的Linux系统通常有一个运行的网络管理员，使用dnsmasq实例运行在回环地址上，比如127.0.0.1或者127.0.1.1以缓存DNS请求，并把这个条目加到 /etc/resolv.conf。dnsmasq 服务需要加快DNS查找并提供DHCP服务。这个配置不会对有自己网络命名空间的Docker容器生效，因为Docker容器可以自己解决类似127.0.0.1这样的回环地址，并且不太会在自己的回环地址上运行DNS服务。
如果Docker检测到没有引用DNS服务的/etc/resolv.conf是一个功能完整的DNS服务，将会触发如下警告，并且Docker会使用 Google提供的公共DNS服务8.8.8.8和8.8.4.4用于DNS解析。

WARNING: Local (127.0.0.1) DNS resolver found in resolv.conf and containers
can't use it. Using default external servers : [8.8.8.8 8.8.4.4]

If you see this warning, first check to see if you use dnsmasq:

$ ps aux |grep dnsmasq

If your container needs to resolve hosts which are internal to your network, the public nameservers will not be adequate. You have two choices:

• You can specify a DNS server for Docker to use, or
• You can disable dnsmasq in NetworkManager. If you do this, NetworkManager will add your true DNS nameserver to /etc/resolv.conf, but you will lose the possible benefits of dnsmasq.

You only need to use one of these methods.

Specify DNS servers for Docker

The default location of the configuration file is /etc/docker/daemon.json. You can change the location of the configuration file using the --config-file daemon flag. The documentation below assumes the configuration file is located at /etc/docker/daemon.json.

1. Create or edit the Docker daemon configuration file, which defaults to /etc/docker/daemon.json file, which controls the Docker daemon configuration.

   $ sudo nano /etc/docker/daemon.json
   

2. Add a dns key with one or more IP addresses as values. If the file has existing contents, you only need to add or edit the dns line.

   {
   	"dns": ["8.8.8.8", "8.8.4.4"]
   }

   If your internal DNS server cannot resolve public IP addresses, include at least one DNS server which can, so that you can connect to Docker Hub and so that your containers can resolve internet domain names.

   Save and close the file.

3. Restart the Docker daemon.

   $ sudo service docker restart
   

4. Verify that Docker can resolve external IP addresses by trying to pull an image:

   $ docker pull hello-world
   

5. If necessary, verify that Docker containers can resolve an internal hostname by pinging it.

   $ docker run --rm -it alpine ping -c4 <my_internal_host>
   
   PING google.com (192.168.1.2): 56 data bytes
   64 bytes from 192.168.1.2: seq=0 ttl=41 time=7.597 ms
   64 bytes from 192.168.1.2: seq=1 ttl=41 time=7.635 ms
   64 bytes from 192.168.1.2: seq=2 ttl=41 time=7.660 ms
   64 bytes from 192.168.1.2: seq=3 ttl=41 time=7.677 ms
   

DISABLE DNSMASQ

Ubuntu

If you prefer not to change the Docker daemon’s configuration to use a specific IP address, follow these instructions to disable dnsmasq in NetworkManager.

1. Edit the /etc/NetworkManager/NetworkManager.conf file.

2. Comment out the dns=dnsmasq line by adding a # character to the beginning of the line.

   # dns=dnsmasq
   

   Save and close the file.

3. Restart both NetworkManager and Docker. As an alternative, you can reboot your system.

   $ sudo restart network-manager
   $ sudo restart docker
   

RHEL, CentOS, or Fedora

To disable dnsmasq on RHEL, CentOS, or Fedora:

1. Disable the dnsmasq service:

   $ sudo service dnsmasq stop
   
   $ sudo systemctl disable dnsmasq
   

2. Configure the DNS servers manually using the Red Hat documentation.

Allow access to the remote API through a firewall

If you run a firewall on the same host as you run Docker and you want to access the Docker Remote API from another host and remote access is enabled, you need to configure your firewall to allow incoming connections on the Docker port, which defaults to 2376 if TLS encrypted transport is enabled or 2375 otherwise.

SPECIFIC INSTRUCTIONS FOR UFW

UFW (Uncomplicated Firewall) drops all forwarding traffic and all incoming traffic by default. If you want to access the Docker Remote API from another host and you have enabled remote access, you need to configure UFW to allow incoming connections on the Docker port, which defaults to 2376 if TLS encrypted transport is enabled or 2375 otherwise. By default, Docker runs without TLS enabled. If you do not use TLS, you are strongly discouraged from allowing access to the Docker Remote API from remote hosts, to prevent remote privilege-escalation attacks.

To configure UFW and allow incoming connections on the Docker port:

1. Verify that UFW is enabled.

   $ sudo ufw status
   

   If ufw is not enabled, the remaining steps will not be helpful.

2. Edit the UFW configuration file, which is usually /etc/default/ufw or /etc/sysconfig/ufw. Set the DEFAULT_FORWARD_POLICY policy to ACCEPT.

   DEFAULT_FORWARD_POLICY="ACCEPT"
   

   Save and close the file.

3. If you need to enable access to the Docker Remote API from external hosts and understand the security implications (see the section before this procedure), then configure UFW to allow incoming connections on the Docker port, which is 2375 if you do not use TLS, and 2376 if you do.

   $ sudo ufw allow 2376/tcp
   

4. Reload UFW.

   $ sudo ufw reload
   

Your kernel does not support cgroup swap limit capabilities

On Ubuntu or Debian hosts, You may see messages similar to the following when working with an image.

WARNING: Your kernel does not support swap limit capabilities. Limitation discarded.

This warning does not occur on RPM-based systems, which enable these capabilities by default.

If you don’t need these capabilities, you can ignore the warning. You can enable these capabilities on Ubuntu or Debian by following these instructions. Memory and swap accounting incur an overhead of about 1% of the total available memory and a 10% overall performance degradation, even if Docker is not running.

1. Log into the Ubuntu or Debian host as a user with sudo privileges.

2. Edit the /etc/default/grub file. Add or edit the GRUB_CMDLINE_LINUX line to add the following two key-value pairs:

   GRUB_CMDLINE_LINUX="cgroup_enable=memory swapaccount=1"
   

   Save and close the file.

3. Update GRUB.

   $ sudo update-grub
   

   If your GRUB configuration file has incorrect syntax, an error will occur. In this case, repeat steps 3 and 4.

   The changes will take effect when the system is rebooted.

Next steps

• Continue with the User Guide.

Docker, Docker documentation, requirements, apt, installation, ubuntu, install, uninstall, upgrade, update

---

1. daemon，守护神，进程守护

2. ownership ，所有权，所有制

3. equivalent ，相等的，等效的，n.当量[化]

4. Log out and log back in，注销和重新登录

5. membership，会员资格，全体成员

6. evaluate，评价，评估

7. system boots，系统引导

8. partition，划分，分区

10. customization，定制，自定义

11. correctly，正确的。correct，合适的，改正，纠错

12. compatibility，兼容性

13. intended，预期的，已订婚者。

14. intend，vt/vi. 计划，怀有某种意图。intent，n. 意图，目的；adj. 专心的

15. outage，断供（多指电力）

16. forwarding setting，转发设置。forwarding，促进，转寄。 setting，n. 环境，装置；v. 安排

17. work around，解决，绕过

18. speed up，加速

19. look-ups ，查找

20. adequate，足够的，适当的

21. specify，指定，明确提出。 specific，具体的，明确的，特性

22. documentation ，文档，参考资料

23. instructions，操作指南，指令

24. disable，使无能力，使伤残

25. transport，运输

26. discouraged，沮丧的。discourage，劝阻，使气馁

27. privilege-escalation，特权，扩大，特权提升

28.  incur ，招致，引起

29. overhead of ，开销。overhead，头顶的；天花板，经费；在楼上

30. overall，全部的

31. degradation，退化，堕落

32. syntax，语法