Docker and Fedora 32

With the release of Fedora 32, regular users of Docker have been confronted by a small challenge. At the time of writing, Docker is not supported on Fedora 32. There are alternatives, like Podman and Buildah, but for many existing users, now might not be the best time to switch. As such, this article can help you set up your Docker environment on Fedora 32.

NOTE: A more recent article covering Docker and Fedora 34/35 is now available.

Step 0: Removing conflicts

This step is for any user upgrading from Fedora 30 or 31. If this is a fresh installation of Fedora 32, you can move on to step 1.

To remove docker and all its related components:

sudo dnf remove docker-*
sudo dnf config-manager --disable docker-*

Step 1: System preparation

With the last two versions of Fedora, the operating system has moved to two new technologies: CGroups and NFTables for the Firewall. While the details of these new technologies are beyond the scope of this tutorial, it’s a sad fact that Docker doesn’t support them yet. As such, you’ll have to make some changes to facilitate Docker on Fedora.

Enable old CGroups

The previous implementation of CGroups is still supported and it can be enabled using the following command.

sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"

Whitelist docker in firewall

To allow Docker to have network access, two commands are needed.

sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-masquerade

The first command will add the Docker interface to the trusted environment, which allows Docker to make remote connections. The second command will allow Docker to make local connections. This is particularly useful when multiple Docker containers are used as a development environment.

Step 2: Installing Moby

Moby is the open-source, white label version of Docker. It’s based on the same code but it does not carry the trademark. It’s included in the main Fedora repository, which makes it easy to install.

sudo dnf install moby-engine docker-compose

This installs moby-engine, docker-compose, containerd and some other related libraries. Once installed, you’ll have to enable the system-wide daemon to run docker.

sudo systemctl enable docker

Step 3: Restart and test

To ensure that all systems and settings are properly processed, you’ll now have to reboot your machine.

sudo systemctl reboot

After that, you can validate your installation using the Docker hello-world package.

sudo docker run hello-world

You are then greeted by the “Hello from Docker!” message, unless something went wrong.

Running as admin

Optionally, you can now also add your user to the group account of Docker, so that you can start docker images without typing sudo.

sudo groupadd docker
sudo usermod -aG docker $USER

Log out and log back in for the change to take effect. If the thought of running containers with administrator privileges concerns you, then you should look into Podman.
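
Membership of the docker group gives an account control of the Docker daemon, which runs as root, so it is worth knowing exactly who is in it. The following shell function is an added example, not part of the original article: it lists every account in the group, whether through the member list in /etc/group or as its primary group in /etc/passwd. The function name docker_group_users and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts that belong to a group (default: docker).
# Usage: docker_group_users [group-file] [passwd-file] [group-name]
docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-docker}

    # /etc/group line format: name:password:GID:member1,member2
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    if [ -z "$gid" ]; then
        echo "group '$group_name' not found in $group_file" >&2
        return 1
    fi

    {
        # Supplementary members: fourth field of the group line, comma separated.
        awk -F: -v g="$group_name" '
            $1 == g {
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }' "$group_file"
        # Accounts whose primary group (fourth passwd field) is this GID.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not taken from a real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
wheel:x:10:alice
docker:x:976:alice,bob
EOF
cat > "$sample_dir/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
svc-build:x:1002:976::/home/svc-build:/sbin/nologin
carol:x:1003:1003::/home/carol:/bin/bash
EOF

# Lists alice and bob (supplementary members) and svc-build (primary GID 976).
docker_group_users "$sample_dir/group" "$sample_dir/passwd"
```

Called without arguments, the function reads the system's own /etc/group and /etc/passwd.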

In summary

From this point on, Docker will work how you’re used to, including docker-compose and all docker-related tools. Don’t forget to check out the official documentation which can help you in many cases where something isn’t quite right.

The current state of Docker on Fedora 32 is not ideal. The lack of an official package might bother some, and there is an issue upstream where this is discussed. The missing support for both CGroups and NFTables is more technical, but you can check their progress in their public issues.

These instructions should allow you to continue working like nothing has happened. If this has not satisfied your needs, don’t forget to address your technical issues at the Moby or Docker GitHub pages, or take a look at Podman, which might prove more robust in the long-term future.


37 Comments

  1. Vincent Rubiolo

    Hi there and thanks for the article, a useful sumup of the various threads lying around which will benefit a lot of people moving to Fedora32!

    Just a note that w.r.t cgroups, it’s the move to cgroupsv2 which is a problem for Docker and which requires to move back to cgroupsv1.

    The Redhat Enable Sysadmin site did a great article about this when Fedora 31 was released: https://www.redhat.com/sysadmin/fedora-31-control-group-v2, I can only recommend it.

    • Ricky Zhang

      I confirmed this is the exact problem starting from Fedora 31.

  2. Christian Groove

    Podman is a wonderful replacement for the unsafe docker. I used it to run my accounting software, in a container that is executed as a non-root service under a technical user and a customized selinux config.

    • Guus

      It would be interesting to know why you find docker unsafe. Do you have a link to a document that explains this?

      P.S. I am currently not a user of docker, neither of podman. But I do want to understand the technologies behind both and I would like to know why pod is safe and docker is not.

      • One of the reasons Podman was created was to facilitate the use of rootless containers, or containers without root privileges on the host. Docker requires the Docker Daemon which runs as root. That is the fundamental difference.

        • Mark

          I prefer docker to podman from an admin and disk space point of view. With the docker daemon you have a single point to view all running containers that may impact your system plus all the images are stored in one place. Plus while ‘docker stats’ is not that accurate you do get an idea of what impact each container is having.
          With podman and users building and running containers as they see fit, plus each user having their own images and container overlays in their home directory structure, on a multi-user system it is a waste of disk space and no easy overview of what containers are running.
          From a system admin viewpoint Podman should be used only on single user developer workstations, not on a multi-user server.

        • Mehdi

          But, podman also gives a root shell when you run a container (using run -ti) with it. How is that rootless? Would you please explain?

          • Hello @Mehdi,
            When a user starts podman using the run command and the -ti options, they are running a container in their own namespace, which should be specified in /etc/subuid. The -ti just tells the podman run command it is a tty (-t) and interactive (-i). While you can be “root” within the container since you are the owner of the namespace used when the container is run, the container is rootless on your system.

      • Olivier

        To me all the unsafe is here :

        sudo usermod -aG docker $USER

        and dockerd run as root. You can access host through volume and do what you want, such as change root password on the host…

        • kayke

          You can use this command; it is a little bit safer than usermod:

          sudo setfacl --modify user:$USER:rw /var/run/docker.sock

  3. shy

    Podman development is progressing. There is podman-compose to replace docker-compose https://github.com/containers/podman-compose/

    XWIKI runs on podman using podman-compose https://forum.xwiki.org/t/xwiki-docker-images-run-on-podman/6869

    Pi-hole runs on podman using podman-compose https://discourse.pi-hole.net/t/pi-hole-runs-on-podman/34719

    • Alejandro

      Awesome, this is exactly what I mentioned in previous comment! Will have a look 😀

  4. Daniel

    Thank you! I was missing an article to point this out.

  5. Following can also help

    sudo dnf install podman-docker

    Description: This package installs a script named docker that emulates the Docker CLI by executing podman commands. It also creates links between all Docker CLI man pages and podman.

  6. Alejandro

    Nice article, I struggled to find an article a few months back when I moved to Fedora 32 regarding the state of Docker. Or one that actually worked for me, anyway. I decided to start investing time in Podman*, which I love, although for some reason -probably me- not all the same commands I had for docker worked.

    Slightly off-topic, I wish Podman had a gender neutral name.

    • Einer

      Hmmmm ….. is “Alejandro” a “gender neutral name”? …….. Maybe you should change it ……..

      (Podman == Pod Manager … looks pretty “gender neutral” to me ..)

    • John

      What’s wrong with the name Podman?

    • Alan

      PodMan is a gender neutral name. The man stands for manager not male.

  7. There is also a question of the docker network and the firewallD. I managed to make it work by adding the docker0 network to the default group.
    But I’m a user of another distribution (‘de’ …) and I’m still getting started with Fedora.
    Can anyone recommend a good tutorial on FirewallD, even a simple one?

    • Sebastiaan Franken

      I’ve found the firewalld man page to be a good starting point. Also, the firewalld website (firewalld [dot] org) has quite a bit of info!

  8. Stephane

    Heads up, this worked but completely broke my libvirtd virtual machine.. Something about python-nftables failing.

    I had to revert all the steps to boot the VM again… I will probably have to use podman instead of docker.

    • Esteban

      Check to make sure the bridges don’t overlap. It’s happened to me.

  9. drakkai

    I’m using the docker repo for F31 on F32 without problems.
    [docker-ce-stable]
    name=Docker CE Stable - $basearch
    baseurl=https://download.docker.com/linux/fedora/31/$basearch/stable
    enabled=1
    gpgcheck=1
    gpgkey=https://download.docker.com/linux/fedora/gpg

    • Elad

      How is this working ? 🙂

    • Bruno

      Same for me. The fedora 31 Docker repo works fine in Fedora 32.

      Fortunately I also don’t use firewalld but ufw, so I didn’t have to change anything in the Firewall also 😉

      Great article,

  10. For me, reverting firewalld backend from nftables to iptables worked better than changing firewalld settings.

  11. Mark

    Yes, as far as I am aware docker-ce runs without any issues. While I don’t use it on Fedora I run it on CentOS8 which is also cgroups2 without any issues.

  12. Heiko Loewe

    Hi,

    awesome article.
    But what about Nvidia integration. I found nothing on github how to install the nvidia-docker-plugin with moby.

    Heiko

  13. vic

    This is sad. I loved using older Fedora, due to RedHat heritage.
    Due to Docker issues, I’m starting to look at PopOS.

  14. Trung LE

    I am not a big fan of moby and love to switch to podman if possible. I wish one day commercial support for podman would get on par with docker.

    Btw, if people start running into issue with libvirt after installing moby-engine, check this https://bugzilla.redhat.com/show_bug.cgi?id=1829090

  15. Anonymous

    Thanks for the guide, this publication rocks! Zsh users here will need to quote “docker-*” in the first two commands to avoid expansion.

    sudo dnf remove 'docker-*'
    sudo dnf config-manager --disable 'docker-*'

  16. Tim Hughes

    This breaks vagrant-libvirt integration with the following error:

    Error while activating network: Call to virNetworkCreate failed: error from service: changeZoneOfInterface: COMMAND_FAILED: 'python-nftables' failed:

    To fix I deleted everything under

    /etc/firewalld

    and then reinstall firewalld

    sudo rm -rf /etc/firewalld
    sudo dnf reinstall -y firewalld

    restarted firewalld and libvirt

    sudo systemctl restart firewalld
    sudo systemctl restart libvirtd

  17. Hubbs

    This has completely broken libvirtd VM networking. The VMs can not access the Internet. The docker rules prevent libvirtd from putting the proper firewall rules in place. If VMs need to access the Internet, I need to restart firewalld and libvirtd. In turn, my docker containers will fail. Podman is useless because the work flow at my employer, where no one else is using a linux box, requires the ability to manipulate docker containers that podman doesn’t support now or doesn’t easily support.
