How do I install Docker Community Edition on Silverblue?

Haha, it’s fine, I just still find that a bit insane.

If you want to try to work around it, maybe you could remove runc manually via rpm-ostree override remove runc and then try installing Docker? Maybe pin your deployment first so you can revert to it easily if this breaks things too much.

I tried this last night. Override-removing runc requires uninstalling fedora-toolbox and override-removing buildah and podman. After doing that, sudo rpm-ostree install docker-ce docker-ce-cli started, but threw an error.

Is this a configuration that should work? I haven’t tried it on plain Fedora 29; I know Docker CE works there but don’t know if there are dependency conflicts with buildah and podman.

Welp, that’s a bit more complicated than I anticipated. What was the error?

$ sudo rpm-ostree install docker-ce docker-ce-cli
Checking out tree b71c645... done
Enabled rpm-md repositories: docker-ce-stable fedora updates
rpm-md repo 'docker-ce-stable' (cached); generated: 2019-02-11T15:25:08Z
rpm-md repo 'fedora' (cached); generated: 2018-10-24T22:20:15Z
rpm-md repo 'updates' (cached); generated: 2019-02-19T06:14:15Z
Importing rpm-md... done
Resolving dependencies... done
Will download: 4 packages (53.1 MB)
Downloading from 'docker-ce-stable'... done
Downloading from 'fedora'... done
Importing packages... done
Applying 3 overrides and 204 overlays
Processing packages... done
Running pre scripts... done
Running post scripts... done
error: Running %post for docker-ce: Executing bwrap(/bin/sh): Child process killed by signal 2; run `journalctl -t 'rpm-ostree('` for more information
$ journalctl -t 'rpm-ostree('
-- Logs begin at Wed 2019-01-30 20:34:03 PST, end at Tue 2019-02-19 21:46:27 PST. --
Feb 19 02:11:43 Silverblue rpm-ostree([2596]: failed to link /var/lib/docker-engine/distribution_based_e>
-- Reboot --
Feb 19 21:45:39 Silverblue rpm-ostree([2596]: failed to link /var/lib/docker-engine/distribution_based_e>
lines 1-4/4 (END)

Ack rpm-ostree may not like /var/lib, or it could be update-alternatives, as I believe the issue is with this like of the rpm spec, maybe try using rpmrebuild to remove it?

Could you use moby-engine (which is now being packaged in Fedora) instead of docker-ce?

I’ve not tried it myself, but it seems that docker-ce is built from moby, so maybe it is an alternative?

1 Like

Just out of curiosity: would it be possible to run Docker inside a Podman container? I know it’s possible to run Docker inside a Docker container, so this should be theoretically possible, too.

1 Like

I think I tried that - the “Docker in Docker (dind)” image is what I tried, but I don’t remember whether the host was Fedora Docker or podman. There was some kind of error and I gave up. Really, I’m looking for something supportable and supported here. I’ll try the Moby Engine thing.

Clearly removing fedora-toolbox, buildah and podman as a consequence of replacing runc is not what anyone intends. It’s annoying that F29 ships with this really old Docker version. Installing Docker CE on vanilla Fedora 29 is easy, but then it doesn’t come with buildah and podman so no dependency conflicts.

I ended up giving up on the latest Docker CE and fixing the issues with the stock Docker 1.13 that’s in the rpm-ostree repo. It would be really preferable if Podman and Docker CE could live happily side-by-side on the same system without package dependencies getting in each other’s way. Also, running Docker inside Podman seems like a highly undesirable workaround to me.

moby-engine works! It looks like it’s slightly older than the upstream docker-ce but that’s OK.

$ docker --version
Docker version 18.06.0-dev, build 0ffa825
1 Like

moby-engine works alongside fedora-toolbox, podman and buildah just fine.

Interesting! Looks like a good solution, however even after some Googling I still don’t fully understand the demarcation between Moby and Docker. What’s in Docker CE that is not provided by the Moby engine?

Docker in Docker, for the curious:

And Docker in Podman (see ~jpetazzo/Using Docker-in-Docker for your CI or testing environment? Think twice.:

$ sudo podman run -it --rm --privileged --volume /var/run/docker.sock:/var/run/docker.sock $ sudo podman run -it --rm --privileged --volume /var/run/docker.sock:/var/run/docker.sock docker
/ # docker ps -a
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                                     NAMES
b4633148c948        dpage/pgadmin4:latest   "/"         17 minutes ago      Up 17 minutes       80/tcp, 443/tcp,>8686/tcp   pgadmin4
d92b53508cc1        rstatsp:latest          "/bin/sh -c 'service…"   17 minutes ago      Up 17 minutes       80/tcp, 443/tcp,>8004/tcp   rstats
d966280c0ace        postgis:latest          "docker-entrypoint.s…"   17 minutes ago      Up 17 minutes>5432/tcp                    postgis

The containers were started via moby-engine Docker on the Silverblue host. This stuff is probably insecure as all-get-out but it does give me the ability to start a container from inside a container, which is what I want to do for a certain use case.

FWIW it’s a bit different, but depending on your use case you maybe use systemd-nspawn / systemd-machined containers, which are more like a full system with isolated networking + a separate systemd instance running inside.

The use case is I have RStudio Server running in a container and I want to be able to run Docker inside that container. I have it working except for some network routing things I need to configure somehow.

The way I understand it, Moby is the open source project from which Docker is built from. So you are able to pull the Moby code, compile it yourself, and run it. Whereas, Docker CE is a packaged version of the Moby code that you can install on your hosts.

I found the image in this post, showing how the code goes from Moby -> Docker CE -> Docker EE to be helpful in understanding:

Additionally, the pull quote from Solomon Hykes mentioned there gave some context:

“Docker [the company] uses the Moby Project as an open R&D lab”

Ah so running Moby in stead of Docker CE is fine for development workloads and would get us a more up-to-date “docker” engine than using the regular docker package in the F29 RPM repository. It’s Docker CE, just not branded that way. At least, I can’t figure out what Docker is adding to Moby that makes Docker CE more that what Moby is.

For now this is a very acceptable workaround, but it would still be desirable to be able to install Podman and Docker CE together on the same machine without version conflicts on shared libraries!

I’m not a lawyer, but I believe there are legal reasons why Fedora is unable to package and distribute Docker CE themselves. So moby-engine is the closest thing that will be offered.

Not sure that’s true given that docker is currently in the F29 RPM repo, all be it an older version. Anyway that’s not the main issue here. I meant it would be nice if there is a way for Podman and Docker CE can be installed simultaneously. That they can coexist on the same Silverblue computer. Also when Docker CE is provided through Docker’s own RPM repo. I know that’s a big ask given that Fedora is not responsible for Docker’s packaging for their own repo, but I’m hoping Fedora could package the its libraries that overlap (like RunC) in such a way that they won’t conflict anymore.

Again not a lawyer, but I seem to recall that some of the agreements about repackaging Docker changed after the introduction of Moby. The version of Docker (1.13) that is provided by Fedora was the last version that was available before the change to Moby.

Anyways, I’m not sure the best path for a co-existence between Docker CE + podman. Since the big difference seems to be with runc, the two projects would somehow have to agree to use the same version. Or radically change how one or the other is packaged.

You could try filing an issue on the upstream podman repo, but I wouldn’t be too optimistic about them trying to co-exist with Docker CE.