How to Set Up a Docker Environment on PowerPC Servers Running RHEL7 LE

If you are looking to set up an on-premise docker environment on PowerPC servers running RHEL LE, then this guide should be of some help.

There are two basic components required for an on-prem docker environment – docker engine and private docker registry.

While there are commercial on-prem options for a docker registry, like Docker Trusted Registry, Artifactory, etc., in this article we’ll deploy our own registry using the open-source docker registry code.

Let us now jump to the actual setup instructions.

Step-1 Setup docker engine on RHEL 7.1 LE

There are currently two options for getting docker on RHEL 7.1 LE. Download a pre-built docker binary for RHEL 7.1 LE by following the instructions mentioned here. Or, build docker from source on RHEL 7.1 LE.

The primary toolchain for building Go programs on the Power platform is GCC-GO. It is available from GCC version 5 onwards. While GCC 5 is not shipped by default with RHEL 7.1 LE, one can download the IBM Advance Toolchain (AT) package to get the pre-built binaries, or build GCC from source.

We’ll take the easy approach of downloading the IBM AT package and using the pre-built binaries.
Here is a script to install AT 9.0 on RHEL 7.1 LE:

#!/bin/bash
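# The repository and its GPG key are both fetched over plain FTP, so gpgcheck=1
# only helps if the imported key is confirmed against a trusted source.
cat <<EOF >/etc/yum.repos.d/at9_0.repo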
[at9.0]
name=Advance Toolchain Unicamp FTP
baseurl=ftp://ftp.unicamp.br/pub/linuxpatch/toolchain/at/redhat/RHEL7
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=ftp://ftp.unicamp.br/pub/linuxpatch/toolchain/at/redhat/RHEL7/gpg-pubkey-6976a827-5164221b
EOF

yum install -y advance-toolchain-at9.0-runtime \
               advance-toolchain-at9.0-devel \
               advance-toolchain-at9.0-perf \
               advance-toolchain-at9.0-mcore-libs

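# Single quotes keep $PATH literal, so it is expanded at login time rather than
# frozen to the value it has while this script runs.
echo 'export PATH=/opt/at9.0/bin:/opt/at9.0/sbin:$PATH' >> /etc/profile.d/at9.sh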
source /etc/profile.d/at9.sh
/opt/at9.0/sbin/ldconfig

Once the Go toolchain is installed, the next step is to build docker. As of this writing, the latest upstream docker doesn’t build as-is on RHEL 7.1 LE due to some work-in-progress patches related to libseccomp. Some minor changes are required for building docker. To make it easier for anyone to build docker on RHEL LE, I have automated the entire process. The patches required are in my github tree and can be viewed here.

Here is a sample script to automate the process.

#!/bin/bash
#Script to build docker on RHEL 7 LE (ppc64le) platforms using Advanced Toolchain
#Ensure AT9.0 is installed and PATH set appropriately
#Accepts one optional parameter [build_dir] 
dir=${1}
BUILD_DIR=${dir:-/docker_bld_ppc64}
SRC='https://github.com/docker/docker.git'
COMMIT_ID=611dbd8957581fa451a4103259100a5e2d115b8c

#Install required dependencies
yum groupinstall -y "Development Tools"
yum install -y patch sqlite-devel wget git btrfs-progs-devel device-mapper-devel

#Cleanup existing build and install directories
rm -fr "${BUILD_DIR}"

#Create temp dir for building
mkdir -p ${BUILD_DIR}

#Set GOPATH
GO_BASE_PATH="${BUILD_DIR}/go/src/github.com/docker/"
mkdir -p ${GO_BASE_PATH}
export AUTO_GOPATH=1

#Download docker source
cd ${GO_BASE_PATH}
git clone ${SRC}
cd docker
git checkout -b ppc64le ${COMMIT_ID}

#Patch and build the docker source on RHEL 7.1 LE
#-f makes curl fail on an HTTP error instead of piping an error page into patch
curl -fsSL https://github.com/bpradipt/docker/commit/567c796fba113bca56b4ebf82be93d813e21f0f2.patch | patch -p1
sed -i.bkp 's/-ldl/-ldl -lpthread -lsystemd-journal/g' hack/make/gccgo
./hack/make.sh dyngccgo
mv ./hack/make/gccgo.bkp ./hack/make/gccgo

On a successful build, the docker binary will be available under bundles/latest/dyngccgo/.
You can build a static binary as well.
All the scripts used in this article can be downloaded from my GitHub tree.
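
The build script above pipes the downloaded patch straight into patch, so whatever the URL returns is applied to the source tree. As an added example (not part of the original scripts), the following functions download the patch to a file and apply it only after its SHA-256 matches a value recorded when the patch was reviewed; the function names, the /tmp path and the PATCH_SHA256 placeholder are assumptions.

```sh
# Added example: fetch, verify, then apply. Not from the original article.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED
# Returns 0 on a match, 1 on a mismatch, 2 if FILE does not exist.
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    [ "$(sha256_of "$1")" = "$2" ] && return 0
    echo "checksum mismatch for $1" >&2
    return 1
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Downloads over HTTPS only, into a temp file. DEST is created only after the
# digest matches, so a failed or tampered download never reaches patch.
fetch_verified() {
    fv_tmp=$(mktemp) || return 2
    if curl -fsSL --proto '=https' -o "$fv_tmp" "$1" &&
       verify_sha256 "$fv_tmp" "$2"; then
        mv "$fv_tmp" "$3"
    else
        rm -f "$fv_tmp"
        return 1
    fi
}

# Usage in the build script, from inside the docker source directory.
# PATCH_SHA256 is a placeholder: record the real digest after reviewing the patch.
#
# PATCH_URL=https://github.com/bpradipt/docker/commit/567c796fba113bca56b4ebf82be93d813e21f0f2.patch
# PATCH_SHA256='<sha256 of the reviewed patch>'
# fetch_verified "$PATCH_URL" "$PATCH_SHA256" /tmp/ppc64le.patch &&
#     patch -p1 --dry-run < /tmp/ppc64le.patch &&
#     patch -p1 < /tmp/ppc64le.patch
```

The git checkout in the same script is already pinned to a full commit ID, which gives the docker source the same kind of protection.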

Step-2: Build and run latest V2 registry on RHEL 7.1 LE.
Do this on a RHEL 7.1 LE system that will act as the registry server and has sufficient storage to keep all the images.

The following script builds the registry code on RHEL 7.1 LE.

#!/bin/bash
#Script to build registry on Power
#Requires Go compiler to be available in the PATH
#build_registry.sh [dynamic|static]
build_type=${1}
BUILD_TYPE=${build_type:-dynamic}
SRC="https://github.com/docker/distribution.git"
COMMIT_ID=ece8e132bf6585815fdd00990f6215122c58fb3f
CUR_DIR=`pwd`
INSTALL_DIR="${CUR_DIR}/go.bld"
BIN_DIR="${CUR_DIR}/go.bld/bin"
mkdir -p ${BIN_DIR}
GOPATH_BASE="${INSTALL_DIR}/src/github.com/docker"
mkdir -p ${GOPATH_BASE}
cd ${GOPATH_BASE}
git clone ${SRC} 
cd distribution
git checkout -q ${COMMIT_ID}
export GOPATH="${GOPATH_BASE}/distribution/Godeps/_workspace:${INSTALL_DIR}:${GOPATH}"
if [ "${BUILD_TYPE}" == "static" ]
then
    BUILDFLAGS="-static -lnetgo"
else
    BUILDFLAGS=""
fi
go build -gccgoflags "${BUILDFLAGS}" -o ${BIN_DIR}/registry ./cmd/registry

#To use the registry you need to copy the file cmd/registry/config-example.yml as config.yml, edit it as appropriate and run it 
#./registry ./config.yml
cp ./cmd/registry/config-example.yml ${BIN_DIR}/config.yml

The registry binary and configuration file will be under ~/go.bld/bin.

Step-3: Run the registry
The default storage location for images is /var/lib/registry and the default port is 5000. If you plan to change any of these options, edit the config.yml as appropriate.

# mkdir -p /var/lib/registry
# cd ~/go.bld/bin
# ./registry ./config.yml

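This will start the registry server on port 5000.
Configure the docker daemon to use the new registry. You need to use the ‘insecure-registry’ option while starting the daemon. With this option the daemon accepts plain HTTP or an unverified certificate from that registry; the optional TLS section below removes the need for it. For example, if the IP of the registry server is 192.168.122.20, then the command will be: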

docker -d --insecure-registry 192.168.122.20:5000

(Optional) Securing the registry using TLS
Detailed instructions are available in the official registry documentation here.

# mkdir /certs
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout /certs/domain.key -x509 -days 365 -out /certs/domain.crt
Generating a 4096 bit RSA private key
..........................................................................................++
...........++
writing new private key to '/certs/domain.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Karnataka
Locality Name (eg, city) []:Bangalore
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Own Startup
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:rhel71ledockreg1
Email Address []:admin@myownstartup.com

Start the registry, specifying the location of the certificate and the key:

# REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt REGISTRY_HTTP_TLS_KEY=/certs/domain.key ./registry ./config.yml

On the docker host, with domain.crt copied over from the registry server, do this:

# mkdir -p /etc/docker/certs.d/rhel71ledockreg1:5001/
# cp domain.crt /etc/docker/certs.d/rhel71ledockreg1:5001/ca.crt
# cp domain.crt /etc/pki/ca-trust/source/anchors/rhel71ledockreg1.crt
# update-ca-trust
# service docker restart
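
Before domain.crt is copied to the docker hosts, it is worth confirming that it names the registry host, is not about to expire, and pairs with domain.key. The following is an added example, not part of the official registry documentation or the original article; the function names and the 30-day default are assumptions, and the -checkhost option needs OpenSSL 1.0.2 or newer.

```sh
# Added example: pre-flight checks for the registry certificate and key.

# cert_matches_host CERT HOST -> 0 if CERT is valid for HOST.
# OpenSSL checks the subjectAltName entries and falls back to the Common Name.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# key_matches_cert CERT KEY -> 0 if KEY holds the private half of CERT's key
key_matches_cert() {
    kmc_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    kmc_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$kmc_cert" ] && [ "$kmc_cert" = "$kmc_key" ]
}

# check_registry_cert CERT KEY HOST [MIN_DAYS]
# Prints one line per failed check and returns the number of failures.
check_registry_cert() {
    crc_fail=0
    crc_days=${4:-30}
    cert_matches_host "$1" "$3" ||
        { echo "FAIL: certificate does not name $3"; crc_fail=$((crc_fail + 1)); }
    openssl x509 -in "$1" -noout -checkend $((crc_days * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within $crc_days days"; crc_fail=$((crc_fail + 1)); }
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: key does not belong to certificate"; crc_fail=$((crc_fail + 1)); }
    # The key was written with -nodes (unencrypted), so file mode is its only guard.
    case $(stat -c %a "$2" 2>/dev/null) in
        600|400) ;;
        *) echo "FAIL: $2 should be mode 600 or 400"; crc_fail=$((crc_fail + 1)) ;;
    esac
    return "$crc_fail"
}

# Usage on the registry server, with the paths and host name used above:
# check_registry_cert /certs/domain.crt /certs/domain.key rhel71ledockreg1
```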

If you are looking to set up a secure, TLS-enabled private registry with HTTP authentication, then please have a look at the following article for instructions.

Pradipta Kumar Banerjee

I'm a Cloud and Linux/ OpenSource enthusiast, with 16 years of industry experience at IBM. You can find more details about me here - Linkedin
