How to install Docker on AWS EC2 instance with AMI (CE/EE Update)

What is the current way of installing Docker on an AWS EC2 instance running the AMI? There has been an announcement of Docker Enterprise Edition and now I want to know if anything has changed. Until now, I have been using yum install docker and do get a Docker versioned at 1.12.6, build 7392c3b/1.12.6 right now (3/3/2017). However, the Docker repository on GitHub tells me that there are already newer releases.

I remember the official Docker (package) repository having a package named docker-engine replacing docker some time ago and now they seem to split the package up into docker-ce and docker-ee, where e.g. "Docker Community Edition (Docker CE) is not supported on Red Hat Enterprise Linux." [Source]

So is or will it still be correct to use the above to get the latest stable Docker version on EC2 instances running the AMI or do I need to pull the package from somewhere else (and if so which one, CE or EE)?

The hardest part of figuring all of this out was the container-selinux requirement. Just find the latest version in http://mirror.centos.org/centos/7/extras/x86_64/Packages/ and install that first. In addition, EC2 instances may not have a proper entropy generator, so haveged may need to be installed.

The rest is taken from https://docs.docker.com/install/linux/docker-ce/centos/ with the addition of haveged and firewalld. All these have to be done as root so sudo appropriately.

yum install -q -y http://mirror.centos.org/centos/7/extras/x86_64/Packages/container-selinux-2.42-1.gitad8f0f7.el7.noarch.rpm
yum install -q -y http://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/h/haveged-1.9.1-1.el7.x86_64.rpm
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum install -q -y firewalld docker-ce
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --add-port=2377/tcp --permanent
firewall-cmd --add-port=2376/tcp --permanent
firewall-cmd --add-port=7946/tcp --permanent
firewall-cmd --add-port=7946/udp --permanent
firewall-cmd --add-port=4789/udp --permanent
firewall-cmd --zone=public --permanent --add-masquerade
firewall-cmd --reload
systemctl enable haveged
systemctl start haveged
systemctl enable docker
systemctl start docker
setenforce 1

Enable SELinux by modifying /etc/sysconfig/selinux to be

SELINUX=enforcing
SELINUXTYPE=targeted

Then reboot your instance by issuing shutdown -r now

Executing sudo docker version should yield as of the time of this posting...

Client:
 Version:       18.03.0-ce
 API version:   1.37
 Go version:    go1.9.4
 Git commit:    0520e24
 Built:         Wed Mar 21 23:09:15 2018
 OS/Arch:       linux/amd64
 Experimental:  false
 Orchestrator:  swarm

Server:
 Engine:
  Version:      18.03.0-ce
  API version:  1.37 (minimum version 1.12)
  Go version:   go1.9.4
  Git commit:   0520e24
  Built:        Wed Mar 21 23:13:03 2018
  OS/Arch:      linux/amd64
  Experimental: false
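
A post-install check for the steps in the answer above, as an added example that is not part of the original post: it reads the SELinux config text and the output of `firewall-cmd --list-ports` and reports whether the config says enforcing and whether exactly the ports the answer opens are open. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the state the answer's commands should leave behind.
# Ports the answer opens with firewall-cmd --add-port.
REQUIRED_PORTS="2376/tcp 2377/tcp 4789/udp 7946/tcp 7946/udp"

# Read SELinux config text on stdin; print the effective SELINUX= value.
# Commented-out lines and SELINUXTYPE= are ignored; the last assignment wins.
selinux_mode() {
  mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' | tail -n 1)
  echo "${mode:-unset}"
}

# $1 = output of `firewall-cmd --list-ports`; print required ports not open.
missing_ports() {
  open=" $(echo $1) "          # collapse newlines/tabs to single spaces
  missing=""
  for p in $REQUIRED_PORTS; do
    case "$open" in *" $p "*) ;; *) missing="$missing $p" ;; esac
  done
  echo "${missing# }"
}

# $1 = same output; print open ports the answer never asked for.
extra_ports() {
  extra=""
  for p in $1; do
    case " $REQUIRED_PORTS " in *" $p "*) ;; *) extra="$extra $p" ;; esac
  done
  echo "${extra# }"
}

# $1 = SELinux config text, $2 = list-ports output; non-zero on any FAIL.
audit() {
  rc=0
  m=$(printf '%s\n' "$1" | selinux_mode)
  [ "$m" = "enforcing" ] || { echo "FAIL: SELINUX=$m in config"; rc=1; }
  m=$(missing_ports "$2")
  [ -z "$m" ] || { echo "FAIL: required ports closed: $m"; rc=1; }
  m=$(extra_ports "$2")
  [ -z "$m" ] || echo "WARN: ports open beyond the list: $m"
  return $rc
}

# Constructed sample input: 4789/udp was never added, 8080/tcp was left open.
SAMPLE_CONF='# constructed copy of /etc/sysconfig/selinux
SELINUX=enforcing
SELINUXTYPE=targeted'
SAMPLE_PORTS='2377/tcp 2376/tcp 7946/tcp 7946/udp 8080/tcp'
audit "$SAMPLE_CONF" "$SAMPLE_PORTS" || echo "audit failed"
```

On a host, call it as `audit "$(cat /etc/sysconfig/selinux)" "$(firewall-cmd --list-ports)"`. The config file only describes the mode applied at boot; `getenforce` reports the mode currently in effect.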

Per https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html

The current Amazon ECS-optimized AMI (amzn-ami-2017.09.j-amazon-ecs-optimized) consists of:

  • The latest minimal version of the Amazon Linux AMI
  • The latest version of the Amazon ECS container agent (1.17.2)
  • The recommended version of Docker for the latest Amazon ECS container agent (17.12.0-ce)
  • The latest version of the ecs-init package to run and monitor the Amazon ECS agent (1.17.2-1)

You can see the history at https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-ami-versions.html

In addition to my previous answer: if you use Terraform, I have also created a Terraform module that can be used to create a Docker Swarm.

https://registry.terraform.io/modules/trajano/swarm-aws/docker

The difference between the approach I had taken previously and the approach I am presently taking with the Terraform module is that I now utilize the AWS-provided Docker packages. This does not include the full docker-compose and whatnot, but you don't normally require those packages on a server.

Because I am using the one Amazon had provided, it is no longer the latest 18.09 version but the 18.06 version. However, the setup is simpler and I don't have to play catch-up with container-selinux.

The only external dependency I use is EPEL to get haveged because you still need a good random source for some applications.

I also relied on the AWS security groups rather than explicitly setting up firewalld and used the SELinux setting that is defaulted in the AMI image.

Did you read the AWS documentation on how to install Docker standard? If so what part of it didn’t work, or what issues didn’t it address? Creating a container image for use on Amazon ECS - Amazon Elastic Container Service

I suppose Amazon will update it when they get around to it. Though you know of course that nobody should be using Amazon Linux for anything.

The question is whether I can continue to do it like this. As already mentioned, it’ll install Docker version 1.12 for me, which is already one if not more minor version updates behind the latest stable release (1.13, before CE/EE), and I wonder if this is due to the usual repository update delay or because the guide and package are simply outdated, which would require some replacement work done by me (e.g. somehow getting Docker from their own repository?). Also, concerning the latest EE announcement, which might change something…

Running what AMI?

If that is the real solution to this problem, this does make me a little sad. However, thanks for the hint; I haven’t had enough experience with EC2 yet to reach this conclusion by myself. I always thought it’s best to use the AMI because it is (or should be) the most updated and adapted image concerning the EC2 virtualization.

The packages are all updated, the kernel. However, I do find Ubuntu much easier for software installation and general support; there are few Amazon Linux resources, so difficult things are made even more difficult.

@MichaelHampton Amazon Linux is fine for ECS usage. It’s pre-configured for ECS usage, and the underlying OS doesn’t matter much in that case.

@MichaelHampton, nobody should be using Amazon Linux for anything so what AMI do you propose then, sir?