Type '/' to Search

»Docker Engine

Terraform Enterprise requires at least one of the following Docker Engine configurations, in order of preference:

  1. 20.10.x with runc v1.0.0-rc93 or greater (19.03.x is also supported).
  2. 20.10.x with libseccomp 2.4.4 or greater.
  3. 20.10.x using a modified libseccomp profile (19.03.x is also supported).

If you are installing on RHEL7, you can use Docker Engine 1.13.1 from the Extra Packages for Enterprise Linux (EPEL) repository, with a modified libseccomp profile.

On a first install of Terraform Enterprise (online install), Docker can be automatically installed with all necessary dependancies. Upgrades to Terraform Enterprise will not automatically upgrade Docker. Docker should be regularly updated to ensure stability and security.

Note: If you install Docker manually, Terraform Enterprise is not capable of verifying the Docker Engine configuration automatically.

»Docker Engine With a Compatible runc Version

  1. Install Docker Engine 20.10.x for your operating system.

  2. Install the latest version of containerd for your operating system.

    On Debian/Ubuntu:

    sudo apt install containerd

    sudo apt install containerd

    On RHEL/CentOS:

    sudo yum install containerd.io

    sudo yum install containerd.io

  3. Confirm that the installed containerd version is 1.4.9, 1.5.5, or greater.

    containerd --version

    containerd --version

  4. Confirm that the installed runc version is v1.0.0-rc93 or greater:

    runc --version

    runc --version

  5. If your Docker Engine and runc versions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 2.

»Docker Engine With a Compatible libseccomp Version

Note: These instructions should only be used if your operating system does not meet the requirements detailed in Docker Engine With a Compatible runc Version.

  1. Install Docker Engine 20.10.x for your operating system.

  2. Install the latest version of libseccomp for your operating system.

    On Debian/Ubuntu:

    sudo apt install libseccomp2

    sudo apt install libseccomp2

    On RHEL/CentOS:

    sudo yum install libseccomp

    sudo yum install libseccomp

  3. Confirm that the installed libseccomp version is 2.4.4 or greater.

    runc --version

    runc --version

  4. If your Docker Engine and libseccomp versions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 3.

»Docker Engine Using a Modified libseccomp Profile

Note: These instructions should only be used if your operating system does not meet the requirements detailed in either Docker Engine With a Compatible runc Version or Docker Engine With a Compatible libseccomp Version.

  1. Install Docker Engine 20.10.x, or 1.13.1 (RHEL v7 only), for your operating system.

  2. Check if the file /etc/docker/seccomp.json exists. If it does, proceed to step 4.

  3. Download the default moby libseccomp profile and save it to the file /etc/docker/seccomp.json.

    sudo curl -L -o /etc/docker/seccomp.json \
  https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json

    sudo curl -L -o /etc/docker/seccomp.json \
  https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json

  4. In the /etc/docker/seccomp.json file, change "defaultAction": "SCMP_ACT_ERRNO", to "defaultAction": "SCMP_ACT_TRACE",.

    sudo sed -i 's/"defaultAction":\s*"SCMP_ACT_ERRNO"/"defaultAction": "SCMP_ACT_TRACE"/1' /etc/docker/seccomp.json

    sudo sed -i 's/"defaultAction":\s*"SCMP_ACT_ERRNO"/"defaultAction": "SCMP_ACT_TRACE"/1' /etc/docker/seccomp.json

    Docker Engine 1.13.1 (RHEL only): After modifying the /etc/docker/seccomp.json file, proceed to step 8.

  5. Create a drop-in systemd unit file for the docker systemd service.

    sudo cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service

    sudo cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service

  6. Edit the drop-in /etc/systemd/system/docker.service systemd unit file and modify the line starting with ExecStart= to include the option --seccomp-profile=/etc/docker/seccomp.json.

    For example, the following line:

    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES

    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES

    Would become:

    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES

    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES

  7. Reload the systemd daemon.

    sudo systemctl daemon-reload

    sudo systemctl daemon-reload

  8. Restart Docker Engine.

    sudo systemctl restart docker

    sudo systemctl restart docker