HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
Terraform
Terraform Home

You are viewing documentation for version v202404-2. View latest version.

Docker Engine Requirements

Flexible Deployment Options is available now

Terraform Enterprise can now be run natively on Docker with Flexible Deployment Options. The Docker Flexible Deployment Option allows for a faster installation and startup time, reduction in resource requirements, improved security and supports Docker Compose.

Terraform Enterprise requires at least one of the following Docker Engine configurations, in order of preference:

  1. Docker Engine 24.x or 23.x
  2. Docker Engine 1.13.1 from the Extra Packages for Enterprise Linux (EPEL) repository using a modified libseccomp profile.

Docker v20.10 is only supported on Amazon Linux 2. Docker v20.10 is no longer receiving updates from Docker, including security updates. Customers using Amazon Linux 2 are encouraged to move to an operating system that supports Docker 23 or 24. In order run Docker v20.10, you will need one of the following:

  1. runc v1.0.0-rc93 or greater
  2. libseccomp 2.4.4 or greater
  3. A modified libseccomp profile

New online installations of Terraform Enterprise install a supported version of Docker Engine by default. Alternatively, you can install Docker Engine manually as long as you adhere to the above requirements.

Upgrades to Terraform Enterprise do not upgrade Docker Engine. It is your responsibility to keep Docker Engine up to date within these requirements to ensure stability and security.

Docker Compose Compatibility

Docker Engine comes prepackaged with Docker Compose and compatibility is assessed by meeting the Docker Engine requirements.
Docker 1.13.1 has a unique path for docker compose.

# Docker Engine 24.0
docker compose version

# Docker Engine 1.13.1
docker-compose version

Docker Compose should be accessible with the docker compose syntax. Modify your installation by renaming the docker compose binary to docker-compose and adjusting the path to the binary when installing Docker Engine 1.13.1.

Docker Engine With a Compatible runc Version

  1. Install a supported Docker Engine version.

  2. Install the latest version of containerd for your operating system.

    On Debian/Ubuntu:

    sudo apt install containerd

    On RHEL/CentOS:

    sudo yum install containerd.io

  3. Confirm that the installed containerd version is 1.4.9, 1.5.5, or greater.

    containerd --version

  4. Confirm that the installed runc version is v1.0.0-rc93 or greater:

    runc --version

  5. If your Docker Engine and runc versions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 2.

Docker Engine With a Compatible libseccomp Version

-> Note: These instructions should only be used if your operating system does not meet the requirements detailed in Docker Engine With a Compatible runc Version.

  1. Install a supported Docker Engine version.

  2. Install the latest version of libseccomp for your operating system.

    On Debian/Ubuntu:

    sudo apt install libseccomp2

    On RHEL/CentOS:

    sudo yum install libseccomp

  3. Confirm that the installed libseccomp version is 2.4.4 or greater.

    runc --version

  4. If your Docker Engine and libseccomp versions meet the requirements from previous steps, your system is properly configured. Otherwise, proceed to option 3.

Docker Engine Using a Modified libseccomp Profile

-> Note: These instructions should only be used if your operating system does not meet the requirements detailed in either Docker Engine With a Compatible runc Version or Docker Engine With a Compatible libseccomp Version.

  1. Install a supported Docker Engine version.

  2. Check if the file /etc/docker/seccomp.json exists. If it does, proceed to step 4.

  3. Download the default moby libseccomp profile and save it to the file /etc/docker/seccomp.json.

    sudo curl -L -o /etc/docker/seccomp.json \
  https://raw.githubusercontent.com/moby/moby/master/profiles/seccomp/default.json

  4. In the /etc/docker/seccomp.json file, change "defaultAction": "SCMP_ACT_ERRNO", to "defaultAction": "SCMP_ACT_TRACE",.

    sudo sed -i 's/"defaultAction":\s*"SCMP_ACT_ERRNO"/"defaultAction": "SCMP_ACT_TRACE"/1' /etc/docker/seccomp.json

    Docker Engine 1.13.1 (RHEL only): After modifying the /etc/docker/seccomp.json file, proceed to step 8.

  5. Create a drop-in systemd unit file for the docker systemd service.

    sudo cp /lib/systemd/system/docker.service /etc/systemd/system/docker.service

  6. Edit the drop-in /etc/systemd/system/docker.service systemd unit file and modify the line starting with ExecStart= to include the option --seccomp-profile=/etc/docker/seccomp.json.

    For example, the following line:

    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $OPTIONS $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES

    Would become:

    ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --seccomp-profile=/etc/docker/seccomp.json $OPTIONS   $DOCKER_STORAGE_OPTIONS $DOCKER_ADD_RUNTIMES

  7. Reload the systemd daemon.

    sudo systemctl daemon-reload

  8. Restart Docker Engine.

    sudo systemctl restart docker
Edit this page on GitHub