3.3. Setting Up Docker

Once Virtuozzo Storage is installed and configured, you need to install Docker on every cluster node. Depending on your needs, you may want to install a specific Docker edition:

  • If you want to use Docker Swarm, do the following:

    1. Set up Swarm alongside Docker Community Edition (CE). Make sure to open the specified ports on each cluster node.
    2. Add all the servers in your Virtuozzo Storage cluster to your Docker Swarm cluster as explained here.
  • If you need the commercial Universal Control Plane (UCP) in addition to Swarm, do the following:

    1. Open the required ports on each cluster node. See Configuring Firewall for Docker UCP.
    2. Install Docker Datacenter (DDC) based on Docker Enterprise Edition (EE).
    3. Once Docker UCP is deployed, make sure you add all the servers in your Virtuozzo Storage cluster to your Docker Swarm cluster via the Add Node screen in the Nodes menu in the UCP web interface.

As a result of following these steps, you should have:

  • A Docker Swarm cluster sharing the nodes with Virtuozzo Storage,
  • Docker UCP (in case you have followed the Docker UCP installation instructions).

Important

Do not install Docker with yum, as the version available in the default repositories is obsolete and does not support the required functionality (e.g., the docker volume command).

3.3.1. Configuring Firewall for Docker UCP

Before installing Docker UCP on a Virtuozzo Storage node, open the required ports through the firewalld direct interface by adding rules to the /etc/firewalld/direct.xml file (create the file if it does not exist).

On the controller node, make sure /etc/firewalld/direct.xml contains these lines:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 443</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2375</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2376</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m udp -p udp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m udp -p udp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 12376:12390</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 443</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2375</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2376</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m udp -p udp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m udp -p udp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 12376:12390</rule>
</direct>

On worker nodes, make sure /etc/firewalld/direct.xml contains these lines:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 443</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2375</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2376</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m udp -p udp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m udp -p udp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 12376</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 443</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2375</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 2376</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m udp -p udp -j ACCEPT --dport 4789</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m udp -p udp -j ACCEPT --dport 7946</rule>
  <rule priority="0" table="filter" ipv="ipv6" chain="INPUT">-m tcp -p tcp -j ACCEPT --dport 12376</rule>
</direct>

Having created or edited the files, reload the firewall service on each node to apply changes:

# firewall-cmd --reload
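
The following check is an added example, not part of the original guide or of Virtuozzo's tooling. It compares a node's direct.xml against the controller and worker port lists above, reporting missing or extra rules and any rule that accepts TCP 2375 (the conventional unencrypted Docker Engine API port) without a source match. The function names, finding labels and sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Port lists copied from the controller and worker listings on this page.
COMMON = {("tcp", "443"), ("tcp", "2375"), ("tcp", "2376"), ("tcp", "4789"),
          ("tcp", "7946"), ("udp", "4789"), ("udp", "7946")}
EXPECTED = {"controller": COMMON | {("tcp", "12376:12390")},
            "worker": COMMON | {("tcp", "12376")}}
# 2375 is the conventional unencrypted Docker Engine API port (2376 is TLS).
PLAINTEXT_API = ("tcp", "2375")

# Constructed sample: an IPv4-only worker file that lacks the 12376 rule.
SAMPLE = ('<?xml version="1.0" encoding="utf-8"?>\n<direct>\n' + "".join(
    f'  <rule priority="0" table="filter" ipv="ipv4" chain="INPUT">'
    f'-m {p} -p {p} -j ACCEPT --dport {d}</rule>\n' for p, d in sorted(COMMON)
) + "</direct>\n")


def _opt(args, flag):
    """Return the value following an iptables flag, or None if absent."""
    return args[args.index(flag) + 1] if flag in args[:-1] else None


def parse_rules(xml_text):
    """Return {ipv: {(proto, dport): has_source_match}} for INPUT ACCEPT rules."""
    found = {}
    for rule in ET.fromstring(xml_text.encode("utf-8")).iter("rule"):
        args = (rule.text or "").split()
        proto, dport = _opt(args, "-p"), _opt(args, "--dport")
        if rule.get("chain") == "INPUT" and "ACCEPT" in args and proto and dport:
            restricted = "-s" in args or "--source" in args
            found.setdefault(rule.get("ipv"), {})[(proto, dport)] = restricted
    return found


def audit(xml_text, role):
    """List deviations from the page's port list for 'controller' or 'worker'."""
    findings, rules = [], parse_rules(xml_text)
    for ipv in ("ipv4", "ipv6"):
        present = rules.get(ipv, {})
        findings += [(ipv, "missing", k) for k in sorted(EXPECTED[role] - set(present))]
        findings += [(ipv, "unexpected", k) for k in sorted(set(present) - EXPECTED[role])]
        if present.get(PLAINTEXT_API) is False:  # rule exists, no source match
            findings.append((ipv, "plaintext-api-any-source", PLAINTEXT_API))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, "worker"):
        print(*finding)
```

To check a real node, pass the contents of /etc/firewalld/direct.xml and the node's role to audit().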

After configuring the firewall, proceed to install Docker UCP.