With the release of Fedora 32, regular users of Docker have been confronted by a small challenge. At the time of writing, Docker is not supported on Fedora 32. There are alternatives, like Podman and Buildah, but for many existing users, now might not be the best time to switch. As such, this article can help you set up your Docker environment on Fedora 32.
NOTE: A more recent article covering Docker and Fedora 34/35 is now available.
Step 0: Removing conflicts
This step is for any user upgrading from Fedora 30 or 31. If this is a fresh installation of Fedora 32, you can move on to step 1.
To remove docker and all its related components:
sudo dnf remove docker-*
sudo dnf config-manager --disable docker-*
Step 1: System preparation
With the last two versions of Fedora, the operating system has moved to two new technologies: CGroups and NFTables for the firewall. While the details of these new technologies are beyond the scope of this tutorial, it’s a sad fact that Docker doesn’t support them yet. As such, you’ll have to make some changes to facilitate Docker on Fedora.
Enable old CGroups
The previous implementation of CGroups is still supported and it can be enabled using the following command.
sudo grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
Whitelist docker in firewall
To allow Docker to have network access, two commands are needed.
sudo firewall-cmd --permanent --zone=trusted --add-interface=docker0
sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-masquerade
The first command adds the Docker interface (docker0) to the trusted zone, which allows Docker to make remote connections. The second command allows Docker to make local connections. This is particularly useful when multiple Docker containers are used as a development environment.
Step 2: Installing Moby
Moby is the open-source, white label version of Docker. It’s based on the same code but it does not carry the trademark. It’s included in the main Fedora repository, which makes it easy to install.
sudo dnf install moby-engine docker-compose
This installs moby-engine, docker-compose, containerd and some other related libraries. Once installed, you’ll have to enable the system-wide daemon to run docker.
sudo systemctl enable docker
Step 3: Restart and test
To ensure that all systems and settings are properly processed, you’ll now have to reboot your machine.
sudo systemctl reboot
After that, you can validate your installation using the Docker hello-world package.
sudo docker run hello-world
You are then greeted by the message “Hello from Docker!”, unless something went wrong.
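To confirm after the reboot that the settings from steps 1 and 2 are actually in effect, the checks can be scripted. This is an added example, not part of the original article; the function names and the --check switch are hypothetical, and it assumes that a cgroups v1 hierarchy shows /sys/fs/cgroup as tmpfs while the unified v2 hierarchy shows cgroup2fs.

```sh
#!/bin/sh
# Added example: post-reboot checks for the settings made in steps 1 to 3.

# Map the filesystem type mounted at /sys/fs/cgroup to a cgroup version.
cgroup_mode() {
    case "$1" in
        cgroup2fs) echo v2 ;;      # unified hierarchy
        tmpfs)     echo v1 ;;      # legacy or hybrid hierarchy
        *)         echo unknown ;;
    esac
}

# Succeed when a kernel command line carries the argument set with grubby.
cmdline_forces_v1() {
    case " $1 " in
        *" systemd.unified_cgroup_hierarchy=0 "*) return 0 ;;
    esac
    return 1
}

# Print every interface in the given space-separated list that is not docker0.
unexpected_trusted() {
    for ifc in $1; do
        [ "$ifc" = docker0 ] || echo "$ifc"
    done
}

check_host() {
    rc=0
    cmdline_forces_v1 "$(cat /proc/cmdline)" ||
        { echo "FAIL: kernel argument not active"; rc=1; }
    [ "$(cgroup_mode "$(stat -fc %T /sys/fs/cgroup)")" = v1 ] ||
        { echo "FAIL: cgroup v1 hierarchy not mounted"; rc=1; }
    firewall-cmd --permanent --zone=trusted --query-interface=docker0 >/dev/null ||
        { echo "FAIL: docker0 not in trusted zone"; rc=1; }
    firewall-cmd --permanent --zone=FedoraWorkstation --query-masquerade >/dev/null ||
        { echo "FAIL: masquerade not enabled"; rc=1; }
    systemctl is-enabled --quiet docker ||
        { echo "FAIL: docker service not enabled"; rc=1; }
    # The trusted zone accepts all traffic, so nothing else should be in it.
    extra=$(unexpected_trusted "$(firewall-cmd --permanent --zone=trusted --list-interfaces)")
    [ -z "$extra" ] || { echo "WARN: also trusted: $extra"; rc=1; }
    return $rc
}

# Run the live checks only when asked, e.g. `sudo sh check.sh --check`.
if [ "${1:-}" = "--check" ]; then check_host; fi
```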
Running as admin
Optionally, you can now also add your user to the group account of Docker, so that you can start docker images without typing sudo.
sudo groupadd docker
sudo usermod -aG docker $USER
Log out and log in again for the change to take effect. If the thought of running containers with administrator privileges concerns you, then you should look into Podman.
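Access to the Docker socket is access to a daemon that runs as root, so it is worth knowing who holds it. The following added example (not from the original article; the function names and the --audit switch are hypothetical) lists the members of the docker group and any named ACL entries with effective write permission on /var/run/docker.sock.

```sh
#!/bin/sh
# Added example: list who can reach the root-owned Docker daemon via its socket.

SOCK=/var/run/docker.sock

# Members from one `getent group` line (name:passwd:gid:user1,user2).
group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' '\n' | sed '/^$/d'
}

# Named users/groups with effective write permission in `getfacl` output.
# Connecting to a Unix socket requires write permission on the socket file.
acl_writers() {
    printf '%s\n' "$1" | awk -F: '
        /^(user|group):[^:]+:/ {
            perms = $3
            # getfacl appends "#effective:" when the mask limits an entry
            if (match($0, /#effective:/)) perms = substr($0, RSTART + 11)
            if (perms ~ /w/) print $1 ":" $2
        }'
}

audit_socket() {
    echo "socket owner, group and mode: $(stat -c '%U:%G %a' "$SOCK")"
    echo "docker group members:"
    group_members "$(getent group docker)"
    echo "ACL entries with write access:"
    acl_writers "$(getfacl -p "$SOCK" 2>/dev/null)"
}

# Run against the live system only when asked, e.g. `sudo sh audit.sh --audit`.
if [ "${1:-}" = "--audit" ]; then audit_socket; fi
```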
In summary
From this point on, Docker will work how you’re used to, including docker-compose and all docker-related tools. Don’t forget to check out the official documentation which can help you in many cases where something isn’t quite right.
The current state of Docker on Fedora 32 is not ideal. The lack of an official package might bother some, and there is an issue upstream where this is discussed. The missing support for both CGroups and NFTables is more technical, but you can check their progress in their public issues.
These instructions should allow you to continue working like nothing has happened. If this has not satisfied your needs, don’t forget to address your technical issues at the Moby or Docker GitHub pages, or take a look at Podman which might prove more robust in the long-term future.
Vincent Rubiolo
Hi there and thanks for the article, a useful summary of the various threads lying around which will benefit a lot of people moving to Fedora 32!
Just a note that w.r.t. cgroups, it’s the move to cgroupsv2 which is a problem for Docker and which requires moving back to cgroupsv1.
The Red Hat Enable Sysadmin site did a great article about this when Fedora 31 was released: https://www.redhat.com/sysadmin/fedora-31-control-group-v2, I can only recommend it.
Ricky Zhang
I confirmed this is the exact problem starting from Fedora 31.
Christian Groove
Podman is a wonderful replacement for the unsafe docker. I used it to run my accounting software, in a container that is executed as a non-root service under a technical user and a customized selinux config.
Guus
It would be interesting to know why you find docker unsafe. Do you have a link to a document that explains this?
P.S. I am currently not a user of docker, neither of podman. But I do want to understand the technologies behind both and I would like to know why pod is safe and docker is not.
Stephen Snow
One of the reasons Podman was created was to facilitate the use of rootless containers, or containers without root privileges on the host. Docker requires the Docker Daemon which runs as root. That is the fundamental difference.
Mark
I prefer docker to podman from an admin and disk space point of view. With the docker daemon you have a single point to view all running containers that may impact your system plus all the images are stored in one place. Plus while ‘docker stats’ is not that accurate you do get an idea of what impact each container is having.
With podman and users building and running containers as they see fit, plus each user having their own images and container overlays in their home directory structure, on a multi-user system it is a waste of disk space and there is no easy overview of what containers are running.
From a system admin viewpoint Podman should be used only on single user developer workstations, not on a multi-user server.
Stephen Snow
I would think that the added security of Podman would have been a plus from the Sys Admin POV. Podman is part of a trio of software for managing containers and images: buildah, podman, and skopeo.
shy
There are certain things everyone should know about Docker:
https://github.com/docker/for-linux/issues/477
Mehdi
But, podman also gives a root shell when you run a container (using run -ti) with it. How is that rootless? Would you please explain?
Stephen Snow
Hello @Mehdi,
When a user starts podman using the run command and the -ti options, they are running a container in their own namespace, which should be specified in /etc/subuid. The -ti just tells the podman run command it is a tty(-t) and interactive(-i). While you can be “root” within the container since you are the owner of the namespace used when the container is run, the container is rootless on your system.
Olivier
To me all the unsafe is here :
and dockerd run as root. You can access host through volume and do what you want, such as change root password on the host…
kayke
You can use this command, which is a little bit safer than usermod:
sudo setfacl --modify user:$USER:rw /var/run/docker.sock
shy
Podman development is progressing. There is podman-compose to replace docker-compose https://github.com/containers/podman-compose/
XWIKI runs on podman using podman-compose https://forum.xwiki.org/t/xwiki-docker-images-run-on-podman/6869
Pi-hole runs on podman using podman-compose https://discourse.pi-hole.net/t/pi-hole-runs-on-podman/34719
Alejandro
Awesome, this is exactly what I mentioned in previous comment! Will have a look 😀
Daniel
Thank you! I was missing an article to point this out.
Yogesh Sharma
Following can also help
sudo dnf install podman-docker
Description : This package installs a script named docker that emulates the Docker CLI by executes podman commands, it also creates links between all Docker CLI man pages and podman.
Alejandro
Nice article, I struggled to find an article a few months back when I moved to Fedora 32 regarding the state of Docker. Or one that actually worked for me, anyway. I decided to start investing time in Podman*, which I love, although for some reason -probably me- not all the same commands I had for docker worked.
Slightly off-topic, I wish Podman had a gender neutral name.
Einer
Hmmmm ….. is “Alejandro” a “gender neutral name”? …….. Maybe you should change it ……..
(Podman == Pod Manager … looks pretty “gender neutral” to me ..)
Alberto Patino
podmanwoman or podwomanman or podwo(man)^2 maybe
John
What’s wrong with the name Podman?
Alan
PodMan is a gender neutral name. The man stands for manager not male.
W T Costa
There is also a question of the docker network and the firewallD. I managed to make it work by adding the docker0 network to the default group.
But I’m a user of another distribution (‘de’ …) and I’m still getting started with Fedora.
Can anyone recommend a good tutorial, even a simple one, for FirewallD?
Sebastiaan Franken
I’ve found the firewalld man page to be a good starting point. Also, the firewalld website (firewalld [dot] org) has quite a bit of info!
Stephane
Heads up, this worked but completely broke my libvirtd virtual machine.. Something about python-nftables failing.
I had to revert all the steps to boot the VM again… I will probably have to use podman instead of docker.
Esteban
Check to make sure the bridges don’t overlap. It’s happened to me.
drakkai
I’m using the docker repo for F31 on F32 without problems.
[docker-ce-stable]
name=Docker CE Stable - $basearch
baseurl=https://download.docker.com/linux/fedora/31/$basearch/stable
enabled=1
gpgcheck=1
gpgkey=https://download.docker.com/linux/fedora/gpg
Elad
How is this working ? 🙂
Bruno
Same for me. The fedora 31 Docker repo works fine in Fedora 32.
Fortunately I also don’t use firewalld but ufw, so I didn’t have to change anything in the Firewall also 😉
Great article,
Tomasz Gąsior
For me, reverting firewalld backend from nftables to iptables worked better than changing firewalld settings.
Mark
Yes, as far as I am aware docker-ce runs without any issues. While I don’t use it on Fedora I run it on CentOS8 which is also cgroups2 without any issues.
Sergey
https://www.redhat.com/en/blog/world-domination-cgroups-rhel-8-welcome-cgroups-v2
RHEL 8 ships with cgroups v1 as the default.
Heiko Loewe
Hi,
awesome article.
But what about Nvidia integration. I found nothing on github how to install the nvidia-docker-plugin with moby.
Heiko
vic
This is sad. I loved using older Fedora, due to RedHat heritage.
Due to Docker issues, I’m starting to look at PopOS.
Trung LE
I am not a big fan of moby and love to switch to podman if possible. I wish one day commercial support for podman would get on par with docker.
Btw, if people start running into issue with libvirt after installing moby-engine, check this https://bugzilla.redhat.com/show_bug.cgi?id=1829090
Anonymous
Thanks for the guide, this publication rocks! Zsh users here will need to quote “docker-*” in the first two commands to avoid expansion.
sudo dnf remove 'docker-*'
sudo dnf config-manager --disable 'docker-*'
Tim Hughes
This breaks vagrant-libvirt integration with the following error:
To fix I deleted everything under
and then reinstall firewalld
sudo dnf reinstall -y firewalld
restarted firewalld and libvirt
sudo systemctl restart libvirtd
Hubbs
This has completely broken libvirtd VM networking. The VMs can not access the Internet. The docker rules prevent libvirtd from putting the proper firewall rules in place. If VMs need to access the Internet, I need to restart firewalld and libvirtd. In turn, my docker containers will fail. Podman is useless because the work flow at my employer, where no one else is using a linux box, requires the ability to manipulate docker containers that podman doesn’t support now or doesn’t easily support.