Usage of loopback devices is strongly discouraged

2019-01-30 05:05发布

问题:

I want to test docker in my CentOS 7.1 box, I got this warning:

[root@docker1 ~]# docker run busybox /bin/echo Hello Docker
Usage of loopback devices is strongly discouraged for production use. Either use `--storage-opt dm.thinpooldev` or use `--storage-opt dm.no_warn_on_loop_devices=true` to suppress this warning.
Hello Docker

I want to know the reason and how to suppress this warning.

The CentOS instance is running in virtualbox created by vagrant.

回答1:

The warning message occurs because your Docker storage configuration is using a "loopback device" -- a virtual block device such as /dev/loop0 that is actually backed by a file on your filesystem. This was never meant as anything more than a quick hack to get Docker up and running quickly as a proof of concept.

You don't want to suppress the warning; you want to fix your storage configuration such that the warning is no longer issued. The easiest way to do this is to assign some local disk space for use by Docker's devicemapper storage driver and use that.

If you're using LVM and have some free space available on your volume group, this is relatively easy. For example, to give docker 100G of space, first create a data and metadata volume:

# lvcreate -n docker-data -L 100G /dev/my-vg
# lvcreate -n docker-metadata -L1G /dev/my-vg

And then configure Docker to use this space by editing /etc/sysconfig/docker-storage to look like:

DOCKER_STORAGE_OPTIONS=-s devicemapper --storage-opt dm.datadev=/dev/my-vg/docker-data --storage-opt dm.metadatadev=/dev/my-vg/docker-metadata

If you're not using LVM or don't have free space available on your VG, you could expose some other block device (e.g., a spare disk or partition) to Docker in a similar fashion.

There are some interesting notes on this topic here.



回答2:

Thanks. This was driving me crazy. I thought bash was outputting this message. I was about to submit a bug against bash. Unfortunately, none of the options presented are viable on a laptop or such where disk is fully utilized. Here is my answer for that scenario.

Here is what I used in the /etc/sysconfig/docker-storage on my laptop:

DOCKER_STORAGE_OPTIONS="--storage-opt dm.no_warn_on_loop_devices=true"

Note: I had to restart the docker service for this to have an effect. On Fedora the command for that is:

systemctl stop docker
systemctl start docker

There is also just a restart command (systemctl restart docker), but it is a good idea to check to make sure stop really worked before starting again.

If you don't mind disabling SELinux in your containers, another option is to use overlay. Here is a link that describes that fully:

http://www.projectatomic.io/blog/2015/06/notes-on-fedora-centos-and-docker-storage-drivers/

In summary for /etc/sysconfig/docker:

OPTIONS='--selinux-enabled=false --log-driver=journald'

and for /etc/sysconfig/docker-storage:

DOCKER_STORAGE_OPTIONS=-s overlay

When you change a storage type, restarting docker will destroy your complete image and container store. You may as well everything up in the /var/lib/docker folder when doing this:

systemctl stop docker
rm -rf /var/lib/docker
dnf reinstall docker
systemctl start docker

In RHEL 6.6 any user with docker access can access my private keys, and run applications as root with the most trivial of hacks via volumes. SELinux is the one thing that prevents that in Fedora and RHEL 7. That said, it is not clear how much of the additional RHEL 7 security comes from SELinux outside the container and how much inside the container...

Generally, loopback devices are fine for instances where the limit of 100GB maximum and a slightly reduced performance are not a problem. The only issue I can find is the docker store can be corrupt if you have a disk full error while running... That can probably be avoided with quotas, or other simple solutions.

However, for a production instance it is definitely worth the time and effort to set this up correctly.

100G may excessive for your production instance. Containers and images are fairly small. Many organizations are running docker containers within VM's as an additional measure of security and isolation. If so, you might have a fairly small number of containers running per VM. In which case even 10G might be sufficient.

One final note. Even if you are using direct lvm, you probable want a additional filesystem for /var/lib/docker. The reason is the command "docker load" will create an uncompressed version of the images being loaded in this folder before adding it to the data store. So if you are trying to keep it small and light then explore options other than direct lvm.



回答3:

@Igor Ganapolsky Feb and @Mincă Daniel Andrei

Check this:

systemctl edit docker --full

If directive EnvironmentFile is not listed in [Service] block, then no luck (I also have this problem on Centos7), but you can extend standard systemd unit like this:

systemctl edit docker EnvironmentFile=-/etc/sysconfig/docker ExecStart= ExecStart=/usr/bin/dockerd $OPTIONS

And create a file /etc/sysconfig/docker with content:

OPTIONS="-s overlay --storage-opt dm.no_warn_on_loop_devices=true"