Docker Engine

Terraform Enterprise requires at least one of the following Docker Engine configurations, in order of preference:

1. 20.10.x with runc v1.0.0-rc93 or greater (19.03.x is also supported).
2. 20.10.x with libseccomp 2.4.4 or greater.
3. 20.10.x using a modified libseccomp profile (19.03.x is also supported).

If you are installing on RHEL7, you can use Docker Engine 1.13.1 from the Extra Packages for Enterprise Linux (EPEL) repository, with a modified libseccomp profile.

On a first install of Terraform Enterprise (online install), Docker can be automatically installed with all necessary dependancies. Upgrades to Terraform Enterprise will not automatically upgrade Docker. Docker should be regularly updated to ensure stability and security.

Docker Engine With a Compatible runc Version

1. Install Docker Engine 20.10.x for your operating system.

2. Install the latest version of containerd for your operating system.

   On Debian/Ubuntu:

   sudo apt install containerd
   

   Copy

   On RHEL/CentOS:

   sudo yum install containerd.io
   

   Copy

3. Confirm that the installed containerd version is 1.4.9, 1.5.5, or greater.

   containerd --version
   

   Copy

4. Confirm that the installed runc version is v1.0.0-rc93 or greater:

   runc --version
   

   Copy

5. If your Docker Engine and runc versions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 2.

Docker Engine With a Compatible libseccomp Version

1. Install Docker Engine 20.10.x for your operating system.

2. Install the latest version of libseccomp for your operating system.

   On Debian/Ubuntu:

   sudo apt install libseccomp2
   

   Copy

   On RHEL/CentOS:

   sudo yum install libseccomp
   

   Copy

3. Confirm that the installed libseccomp version is 2.4.4 or greater.

   runc --version
   

   Copy

4. If your Docker Engine and libseccomp versions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 3.

Docker Engine Using a Modified libseccomp Profile

1. Install Docker Engine 20.10.x, or 1.13.1 (RHEL v7 only), for your operating system.

2. Check if the file /etc/docker/seccomp.json exists. If it does, proceed to step 4.

3. Download the default moby libseccomp profile and save it to the file /etc/docker/seccomp.json.

   sudo curl -L -o /etc/docker/seccomp.json \
     https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json
   

   Copy

4. In the /etc/docker/seccomp.json file, change "defaultAction": "SCMP_ACT_ERRNO", to "defaultAction": "SCMP_ACT_TRACE",.

   sudo sed -i 's/"defaultAction":\s*"SCMP_ACT_ERRNO"/"defaultAction": "SCMP_ACT_TRACE"/1' /etc/docker/seccomp.json
   

   Copy

   Docker Engine 1.13.1 (RHEL only): After modifying the /etc/docker/seccomp.json file, proceed to step 8.

5. Create a drop-in systemd unit file for the docker systemd service.

   sudo cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service
   

   Copy

6. Edit the drop-in /etc/systemd/system/docker.service systemd unit file and modify the line starting with ExecStart= to include the option --seccomp-profile=/etc/docker/seccomp.json.

   For example, the following line:

   ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES
   

   Copy

   Would become:

   ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES
   

   Copy

7. Reload the systemd daemon.

   sudo systemctl daemon-reload
   

   Copy

8. Restart Docker Engine.

   sudo systemctl restart docker
   

   Copy