Terraform
Docker Engine
Terraform Enterprise requires at least one of the following Docker Engine configurations, in order of preference:
- 20.10.x with
runcv1.0.0-rc93 or greater (19.03.x is also supported). - 20.10.x with
libseccomp2.4.4 or greater. - 20.10.x using a modified
libseccompprofile (19.03.x is also supported).
If you are installing on RHEL7, you can use Docker Engine 1.13.1 from the Extra Packages for Enterprise Linux (EPEL) repository, with a modified libseccomp profile.
On a first install of Terraform Enterprise (online install), Docker can be automatically installed with all necessary dependancies. Upgrades to Terraform Enterprise will not automatically upgrade Docker. Docker should be regularly updated to ensure stability and security.
Note: If you install Docker manually, Terraform Enterprise is not capable of verifying the Docker Engine configuration automatically.
Docker Engine With a Compatible runc Version
Install Docker Engine 20.10.x for your operating system.
Install the latest version of
containerdfor your operating system.On Debian/Ubuntu:
sudo apt install containerdOn RHEL/CentOS:
sudo yum install containerd.ioConfirm that the installed
containerdversion is 1.4.9, 1.5.5, or greater.containerd --versionConfirm that the installed
runcversion is v1.0.0-rc93 or greater:runc --versionIf your Docker Engine and
runcversions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 2.
Docker Engine With a Compatible libseccomp Version
Note: These instructions should only be used if your operating system does not meet the requirements detailed in Docker Engine With a Compatible runc Version.
Install Docker Engine 20.10.x for your operating system.
Install the latest version of
libseccompfor your operating system.On Debian/Ubuntu:
sudo apt install libseccomp2On RHEL/CentOS:
sudo yum install libseccompConfirm that the installed
libseccompversion is 2.4.4 or greater.runc --versionIf your Docker Engine and
libseccompversions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 3.
Docker Engine Using a Modified libseccomp Profile
Note: These instructions should only be used if your operating system does not meet the requirements detailed in either Docker Engine With a Compatible runc Version or Docker Engine With a Compatible libseccomp Version.
Install Docker Engine 20.10.x, or 1.13.1 (RHEL v7 only), for your operating system.
Check if the file
/etc/docker/seccomp.jsonexists. If it does, proceed to step 4.Download the default moby
libseccompprofile and save it to the file/etc/docker/seccomp.json.sudo curl -L -o /etc/docker/seccomp.json \ https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.jsonIn the
/etc/docker/seccomp.jsonfile, change"defaultAction": "SCMP_ACT_ERRNO",to"defaultAction": "SCMP_ACT_TRACE",.sudo sed -i 's/"defaultAction":\s*"SCMP_ACT_ERRNO"/"defaultAction": "SCMP_ACT_TRACE"/1' /etc/docker/seccomp.jsonDocker Engine 1.13.1 (RHEL only): After modifying the
/etc/docker/seccomp.jsonfile, proceed to step 8.Create a drop-in systemd unit file for the
dockersystemd service.sudo cp /lib/systemd/system/docker.service /etc/systemd/system/docker.serviceEdit the drop-in
/etc/systemd/system/docker.servicesystemd unit file and modify the line starting withExecStart=to include the option--seccomp-profile=/etc/docker/seccomp.json.For example, the following line:
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMESWould become:
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --seccomp-profile=/etc/docker/seccomp.json $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMESReload the systemd daemon.
sudo systemctl daemon-reloadRestart Docker Engine.
sudo systemctl restart docker