Docker/Moby configuration

[mskarbek]

As briefly discussed in PR#26 moby-engine is shipped with no configuration which means that we get default logging/cgroup drivers. IMO this is suboptimal. I agree with @rhatdan that FCOS shouldn't enable Moby by default or ship own configuration for it, but despite the fact that we should encourage usage of other tools with current situation we can't expect that everyone will jump right into the podman/cri-o and because of that I would propose to work with moby-engine package maintainer on a more sensible default configuration.

[bgilbert]

👍 to a reasonable default configuration.

Continuing the discussion from coreos/fedora-coreos-config#26, why should we not make docker socket-activated? Socket activation doesn't start the daemon or consume meaningful resources unless something actually wants to talk to it, at which point they transparently get a working docker. What's the downside?

[dustymabe]

why should we not make docker socket-activated?

This is mostly from my experience in the past. For example, if I accidentally ever ran the docker command on the machine storage would get configured; we configured storage using a docker-storage-setup script in the past that was tied to docker service startup in systemd. In general I just think it would be better to not be able to accidentally start a heavyweight daemon. In the past when there was no other viable alternative for running containers then having docker start by default made sense. Since there are now other options I don't think it's good to make it so easy to start the heavyweight daemon.

[cgwalters]

For example, if I accidentally ever ran the docker command on the machine storage would get configured

Though this won't happen with FCOS anymore.

(I don't have a really strong opinion on the socket activated docker issue though)

[bgilbert]

Conversely, in an OS specifically intended for running containers, users may expect that the docker command will work correctly without additional configuration. I'm concerned about adding a speed bump for new users who are accustomed to docker or who are following a guide written for a different environment.

[dustymabe]

Though this won't happen with FCOS anymore.

agree, so maybe my concern isn't as valid. I'm fine with socket activation if that is what people prefer.

[dustymabe]

ok so can we enumerate the changes that we want to make to the package so that we can get this implemented?

• enable socket activation
• change logging driver to what?
• change cgroup driver to what?

[mskarbek]

I have created new PR in moby-engine package repo: https://src.fedoraproject.org/rpms/moby-engine/pull-request/1
To sum up:

• logging driver: journald
• cgroup driver: systemd
• enabled SELinux

Temporary repo: https://copr.fedorainfracloud.org/coprs/mskarbek/moby-engine/

[dustymabe]

thanks @mskarbek - that PR has been merged.

After a quick scan of the PR I don't see anything specific to socket activation. Was that enabled?

I think socket activation is the only open question left that is stopping us from closing out this issue.

[mskarbek]

No, I didn't add socket activation in that PR. This should be a separate change (a little controversial), I didn't want to block those more obvious ones by pushing them together.

[dustymabe]

No prob. I think in the conversation we had earlier in this issue we resolved to have it enabled. Would you want to add a PR for that?

[dustymabe]

the request for docker socket activation was opened by @dm0- and implemented here: https://src.fedoraproject.org/rpms/fedora-release/pull-request/50# for rawhide/f30 - closing out this ticket now.