Getting Docker running on cPanel or CloudLinux cPanel

We've had some requests from clients on how they can effectively use some of the extra server resources on their powerful cPanel servers. The majority have asked how they can get Docker working as well. After some testing in our development environment and almost a month in production, we have come up with a guide that will allow you to get Docker installed on a server running cPanel without damaging cPanel. Keep in mind these are very advanced topics. If you are a NetZilla client and wish to have this done on your server, please just ask support; they would be happy to get it done for you, usually free of charge.

This works with either CloudLinux cPanel servers or normal cPanel servers. On CloudLinux you will have an extra step or two.

If you're running CloudLinux, you first need to enable the /etc/yum.repos.d/centos-extras.repo repository so you can install the required dependencies for Docker. After the install you can disable it again. There are various ways to enable and disable a repo, but if you're unsure, simply edit the file and change enabled from 0 to 1.

We would suggest making a docker folder in your home directory (/home/docker in the configuration below) if the majority of your server space is located in that partition.

Once you've done that, create the file /etc/docker/daemon.json with the following contents:


{
  "iptables": false,
  "log-driver": "json-file",
  "graph": "/home/docker",
  "log-opts": {
    "max-size": "10m",
    "max-file": "2"
  }
}

This does two things. It makes sure that Docker's data is built and stored in that home folder, so it doesn't conflict with the space requirements of cPanel or CloudLinux, and it makes sure that Docker doesn't modify iptables, so cPHulk, csf and other programs aren't interrupted.

Next you will want to actually install Docker. The best way to do that is to use the following commands. The first installs Docker. The second enables and starts it, then double-checks that Docker is actually running and enabled on boot.


curl -sSL https://get.docker.com/ | sh
systemctl enable docker && systemctl start docker && systemctl status docker

If you are running csf, you should create a csfpost.sh containing the following:


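#!/bin/sh

echo "[DOCKER] Setting up FW rules."

# Create the DOCKER chain in the filter table
iptables -N DOCKER
# NAT traffic leaving the default bridge subnet for outside networks
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Let replies to established connections back in to containers
iptables -t filter -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Let containers reach networks outside the bridge
iptables -t filter -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
# Let containers on the bridge talk to each other
iptables -t filter -A FORWARD -i docker0 -o docker0 -j ACCEPT

echo "[DOCKER] Done."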

If you do all of the above, Docker will run without interfering with cPanel or CloudLinux. There are a few gotchas:

  1. Some Docker images won't work properly. For example, the Alpine version of the Java SDK will not work on CloudLinux but will work on normal cPanel.
  2. None of your Docker containers can be run as persistent services automatically, meaning you have to manually configure them into the firewall and make sure that they don't conflict with any cPanel processes or systems. This is only for advanced users.
  3. Because cPanel requires SELinux to be disabled, there are some inherent risks to running Docker containers, depending on your kernel and Docker-specific settings. This should not be a server you offload Jenkins builds to, or use for some other service where unknown or unauthorized images might be run, as it could pose a security risk.
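
A check you can run after a csf restart, added here as an example and not part of the original guide: it compares iptables-save output against the rules from the csfpost.sh above and flags signs that Docker is managing iptables despite the daemon.json setting. The function names and the sample dump are constructed for illustration; DOCKER-USER and DOCKER-ISOLATION are the chains dockerd creates when it manages iptables itself.

```sh
#!/bin/sh
# Added example, not the article's code. Function names are hypothetical.

# Rules the article's csfpost.sh installs, in the form iptables-save prints them.
EXPECTED_RULES=':DOCKER -
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT'

# Read iptables-save output on stdin, print each absent rule, return how many are missing.
missing_fw_rules() {
    dump=$(cat)
    missing=0
    while IFS= read -r rule; do
        if ! printf '%s\n' "$dump" | grep -qF -- "$rule"; then
            printf 'MISSING: %s\n' "$rule"
            missing=$((missing + 1))
        fi
    done <<EOF
$EXPECTED_RULES
EOF
    return "$missing"
}

# Succeed if the dump on stdin has chains dockerd creates when it manages iptables itself.
docker_manages_iptables() {
    grep -qE '^:DOCKER-(USER|ISOLATION)'
}

# Constructed sample: csf was restarted but the MASQUERADE rule is not loaded.
sample_dump() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
COMMIT
EOF
}

# Demo on the sample; on a live server run: iptables-save | missing_fw_rules
sample_dump | missing_fw_rules || echo "$? expected rule(s) not loaded"
```

The match is not table-aware: it only checks that each rule line appears somewhere in the dump.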