
docker | Cheatsheet

Docker is a container runtime that sets up isolated development or runtime environments without modifying the base operating system. Containers are not virtual machines: they are ordinary processes isolated with kernel namespaces and resource-limited with cgroups, sharing the host kernel, which makes them faster and lighter than full hardware virtualization.


Because every container shares the host kernel, a container that triggers a kernel panic panics the host, and a kernel exploit launched from inside a container runs with host-kernel privileges. The kernel built below is therefore the isolation boundary: keep it patched, and enable the namespace, seccomp and LSM options that the compatibility check lists under "Optional Features", since those are what confine a container beyond plain namespaces.

# General setup  --->
>    [*] POSIX Message Queues
>    -*- Control Group support  --->
>        [*]   Memory controller 
>        [*]     Swap controller
>        [*]       Swap controller enabled by default
>        [*]   IO controller
>        [ ]     IO controller debugging
>        [*]   CPU controller  --->
>              [*]   Group scheduling for SCHED_OTHER
>              [*]     CPU bandwidth provisioning for FAIR_GROUP_SCHED
>              [*]   Group scheduling for SCHED_RR/FIFO
>        [*]   PIDs controller
>        [*]   Freezer controller
>        [*]   HugeTLB controller
>        [*]   Cpuset controller
>        [*]     Include legacy /proc/<pid>/cpuset file
>        [*]   Device controller
>        [*]   Simple CPU accounting controller
>        [*]   Perf controller
>        [ ]   Example controller 
>    -*- Namespaces support
>        [*]   UTS namespace
>        -*-   IPC namespace
>        [*]   User namespace
>        [*]   PID Namespaces
>        -*-   Network namespace

# -*- Enable the block layer  --->
>    [*]   Block layer bio throttling support

# -*- IO Schedulers  --->
>    [*]   CFQ IO scheduler (removed in Linux 5.0; on newer kernels select the BFQ I/O scheduler with BFQ hierarchical scheduling support instead)
>        [*]   CFQ Group Scheduling support

# [*] Networking support  --->
>      Networking options  --->
>        [*] Network packet filtering framework (Netfilter)  --->
>            [*] Advanced netfilter configuration
>            [*]  Bridged IP/ARP packets filtering
>                Core Netfilter Configuration  --->
>                  <*> Netfilter connection tracking support 
>                  *** Xtables matches ***
>                  <*>   "addrtype" address type match support
>                  <*>   "conntrack" connection tracking match support
>                  <M>   "ipvs" match support
>            <M> IP virtual server support  --->
>                  *** IPVS transport protocol load balancing support ***
>                  [*]   TCP load balancing support
>                  [*]   UDP load balancing support
>                  *** IPVS scheduler ***
>                  <M>   round-robin scheduling
>                  [*]   Netfilter connection tracking
>                IP: Netfilter Configuration  --->
>                  <*> IPv4 connection tracking support (required for NAT)
>                  <*> IP tables support (required for filtering/masq/NAT)
>                  <*>   Packet filtering
>                  <*>   IPv4 NAT
>                  <*>     MASQUERADE target support
>                  <*>   iptables NAT support  
>                  <*>     MASQUERADE target support
>                  <*>     NETMAP target support
>                  <*>     REDIRECT target support
>        <*> 802.1d Ethernet Bridging
>        [*] QoS and/or fair queueing  ---> 
>            <*>   Control Group Classifier
>        [*] L3 Master device support
>        [*] Network priority cgroup
>        -*- Network classid cgroup

# Device Drivers  --->
>    [*] Multiple devices driver support (RAID and LVM)  --->
>        <*>   Device mapper support
>        <*>     Thin provisioning target
>    [*] Network device support  --->
>        [*]   Network core driver support
>        <M>     Dummy net driver support
>        <M>     MAC-VLAN support
>        <M>     IP-VLAN support
>        <M>     Virtual eXtensible Local Area Network (VXLAN)
>        <*>     Virtual ethernet pair device
>    Character devices  --->
>        -*- Enable TTY
>        -*-   Unix98 PTY support
>        [*]     Support multiple instances of devpts (option appears if you are using systemd)

# File systems  --->
>    <*> Overlay filesystem support 
>    Pseudo filesystems  --->
>        [*] HugeTLB file system support

# Security options  --->
>    [*] Enable access key retention support
>    [*]   Enable register of persistent per-UID keyrings
>    <M>   ENCRYPTED KEYS
>    [*]   Diffie-Hellman operations on retained keys

Compatibility check

Docker ships contrib/check-config.sh, which reads the kernel config from /proc/config.gz (present only when CONFIG_IKCONFIG_PROC is set) and otherwise searches the usual locations such as /boot/config-$(uname -r) and /usr/src/linux/.config; the warning on the first line below is that fallback, not a problem. Anything under "Generally Necessary" must be present or dockerd will not start. "Optional Features" is where the hardening lives: CONFIG_USER_NS for userns-remap, CONFIG_SECCOMP_FILTER for the default seccomp profile, CONFIG_CGROUP_PIDS for --pids-limit, and an LSM (AppArmor is enabled here, SELinux is missing).

wuseman@localhost ~ $ /usr/share/docker/contrib/check-config.sh
warning: /proc/config.gz does not exist, searching other paths for kernel config ...
info: reading kernel config from /usr/src/linux/.config ...

Generally Necessary:
- cgroup hierarchy: properly mounted [/sys/fs/cgroup]
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled
- CONFIG_BRIDGE: enabled
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MARK: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled
- CONFIG_POSIX_MQUEUE: enabled
- CONFIG_CGROUP_BPF: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_SECCOMP_FILTER: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_MEMCG_SWAP: missing
    (cgroup swap accounting is currently enabled)
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: enabled
- CONFIG_NET_CLS_CGROUP: enabled
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_SECURITY_SELINUX: missing
- CONFIG_SECURITY_APPARMOR: enabled
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
    - CONFIG_BRIDGE_VLAN_FILTERING: enabled
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled
      - CONFIG_CRYPTO_GCM: enabled
      - CONFIG_CRYPTO_SEQIV: enabled
      - CONFIG_CRYPTO_GHASH: enabled
      - CONFIG_XFRM: enabled
      - CONFIG_XFRM_USER: enabled
      - CONFIG_XFRM_ALGO: enabled
      - CONFIG_INET_ESP: enabled (as module)
  - "ipvlan":
    - CONFIG_IPVLAN: enabled (as module)
  - "macvlan":
    - CONFIG_MACVLAN: enabled (as module)
    - CONFIG_DUMMY: enabled (as module)
  - "ftp,tftp client in container":
    - CONFIG_NF_NAT_FTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_FTP: enabled (as module)
    - CONFIG_NF_NAT_TFTP: enabled (as module)
    - CONFIG_NF_CONNTRACK_TFTP: enabled (as module)
- Storage Drivers:
  - "aufs":
    - CONFIG_AUFS_FS: missing
  - "btrfs":
    - CONFIG_BTRFS_FS: missing
    - CONFIG_BTRFS_FS_POSIX_ACL: missing
  - "devicemapper":
    - CONFIG_BLK_DEV_DM: enabled
    - CONFIG_DM_THIN_PROVISIONING: enabled (as module)
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled
  - "zfs":
    - /dev/zfs: missing
    - zfs command: missing
    - zpool command: missing

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

wuseman@localhost ~ $ 
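As an added example (not Docker's own contrib/check-config.sh, whose output is shown above), the following POSIX shell script shows what that check is actually doing: it locates a kernel config, decompresses it if needed, and reports each option as enabled, module or missing, failing only when a required option is absent. The option lists are a subset of the script's "Generally Necessary" set plus the hardening entries from "Optional Features"; the search order in find_kernel_config is an assumption modelled on the real script, and the .config at the bottom is constructed for offline demonstration, not a real kernel's.

```shell
#!/bin/sh
# Added example: a minimal POSIX-sh re-implementation of the core of Docker's
# contrib/check-config.sh (not Docker's script). Reads a kernel config, plain or
# gzipped, and reports each option as enabled / module / missing.

# Subset of the "Generally Necessary" list and the hardening-relevant "Optional
# Features" from the check-config.sh output; trimmed, not exhaustive.
REQUIRED="CONFIG_NAMESPACES CONFIG_NET_NS CONFIG_PID_NS CONFIG_IPC_NS CONFIG_UTS_NS
CONFIG_CGROUPS CONFIG_CGROUP_DEVICE CONFIG_CGROUP_FREEZER CONFIG_MEMCG CONFIG_VETH
CONFIG_BRIDGE CONFIG_NF_NAT CONFIG_IP_NF_FILTER CONFIG_POSIX_MQUEUE CONFIG_OVERLAY_FS"
HARDENING="CONFIG_USER_NS CONFIG_SECCOMP CONFIG_SECCOMP_FILTER CONFIG_CGROUP_PIDS
CONFIG_SECURITY_APPARMOR CONFIG_SECURITY_SELINUX"

# Assumed search order, modelled on check-config.sh: running kernel first, then build tree.
find_kernel_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)" /usr/src/linux/.config; do
        [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Emit the config text, transparently decompressing *.gz.
read_config() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat  "$1" ;;
    esac
}

# check_option <config> <CONFIG_FOO>: prints enabled | module | missing.
# A "# CONFIG_FOO is not set" line does not match either pattern, so it reports missing.
check_option() {
    if read_config "$1" | grep -q "^$2=y\$"; then
        echo enabled
    elif read_config "$1" | grep -q "^$2=m\$"; then
        echo module
    else
        echo missing
    fi
}

# check_config <config>: prints a report; exit status 1 if any REQUIRED option is
# missing (a module counts as present, as in check-config.sh). HARDENING gaps only warn.
check_config() {
    _cfg=$1; _rc=0
    echo "Generally Necessary:"
    for o in $REQUIRED; do
        s=$(check_option "$_cfg" "$o")
        echo "- $o: $s"
        [ "$s" = missing ] && _rc=1
    done
    echo "Hardening (userns remap, seccomp profile, LSM confinement, PID limits):"
    for o in $HARDENING; do
        s=$(check_option "$_cfg" "$o")
        echo "- $o: $s"
    done
    return $_rc
}

# Constructed sample config for offline use; not a real kernel's .config.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_IPC_NS=y
CONFIG_UTS_NS=y
CONFIG_USER_NS=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_PIDS=y
CONFIG_MEMCG=y
CONFIG_VETH=y
CONFIG_BRIDGE=y
CONFIG_NF_NAT=y
CONFIG_IP_NF_FILTER=y
CONFIG_POSIX_MQUEUE=y
CONFIG_OVERLAY_FS=y
CONFIG_VXLAN=m
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_APPARMOR=y
# CONFIG_SECURITY_SELINUX is not set
EOF

check_config "$SAMPLE_CFG"   # sample: every required option present, SELinux missing

# On a real host, run the same check against the running kernel's config.
if real=$(find_kernel_config); then
    echo "== $real =="
    check_config "$real" || echo "!! a required option is missing; dockerd will not start"
fi
```

To check a kernel that is built but not yet booted, pass /usr/src/linux/.config to check_config directly. A module result is reported as present, as check-config.sh does, but it only helps if make modules_install actually installed that module for the kernel you boot.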

Kernel

Compile kernel (several of the options above are built as modules, so make modules_install is not optional)

cd /usr/src/linux
make -j5
make modules_install
make install

Generate grub.cfg

Mount the boot partition (/dev/sda2 on this host; substitute your own) and regenerate the GRUB configuration so the new kernel is picked up:

mount -v -t vfat /dev/sda2 /boot
grub-mkconfig -o /boot/grub/grub.cfg
reboot