To enable SELinux for the Docker service, the Docker daemon must be started with the --selinux-enabled option. In the /etc/sysconfig/docker configuration file, add or correct the following line to enable SELinux support in the Docker daemon:
OPTIONS='--selinux-enabled'
If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux at all: container processes run unconfined, and SELinux provides no security separation between them. Enabling SELinux for the Docker service prevents an attacker or a rogue container from attacking the processes and content of other containers, and prevents a compromised container from taking over the host operating system.
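The following shell script is an added example, not part of this guide or of Docker itself: it checks whether the last active OPTIONS= assignment in a sysconfig file would start the daemon with SELinux enabled, and performs the "add or correct" step while keeping any other options on the line. The file path is passed as an argument, and the demo at the bottom runs against a constructed temporary copy rather than the real /etc/sysconfig/docker.

```shell
#!/bin/sh
# Added check/remediation for the OPTIONS= line in /etc/sysconfig/docker.
# Assumed: the file uses the shell-style OPTIONS='...' form shown above.

# Print the value of the last active (uncommented) OPTIONS= assignment,
# with the surrounding quotes removed. Prints nothing if there is none.
docker_options() {
    grep -E '^[[:space:]]*OPTIONS=' "$1" | tail -n 1 \
        | sed -E "s/^[[:space:]]*OPTIONS=//; s/^['\"]//; s/['\"][[:space:]]*$//"
}

# Return 0 only if the daemon would start with SELinux support enabled.
# A missing flag and "--selinux-enabled=false" both count as disabled.
docker_selinux_enabled() {
    case " $(docker_options "$1") " in
        *' --selinux-enabled '*|*' --selinux-enabled=true '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Add or correct the OPTIONS= line: drop any existing --selinux-enabled
# setting, then prepend the flag while keeping the other options intact.
# Appends a fresh line when the file has no OPTIONS= assignment at all.
docker_selinux_remediate() {
    file="$1"
    if grep -qE '^[[:space:]]*OPTIONS=' "$file"; then
        sed -E "/^[[:space:]]*OPTIONS=/{
            s/--selinux-enabled(=[^[:space:]'\"]*)?[[:space:]]*//g
            s/^([[:space:]]*OPTIONS=)(['\"]?)/\1\2--selinux-enabled /
            s/[[:space:]]+(['\"]?)[[:space:]]*$/\1/
        }" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf "OPTIONS='--selinux-enabled'\n" >> "$file"
    fi
}

# Demo on a constructed sysconfig file (not the real /etc/sysconfig/docker).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Modify these options if you want to change the way the docker daemon runs
#OPTIONS='--selinux-enabled'
OPTIONS='--selinux-enabled=false --log-driver=journald'
EOF
docker_selinux_enabled "$demo_file" && echo "compliant" || echo "NOT compliant"
docker_selinux_remediate "$demo_file"
docker_selinux_enabled "$demo_file" && echo "compliant after remediation" || echo "still NOT compliant"
cat "$demo_file"
rm -f "$demo_file"
```

The commented-out #OPTIONS line in the sample is ignored on purpose: only an active assignment affects how systemd starts the daemon.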
To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm rather than a loopback device as its storage backend. For setting up the LVM volumes and configuring Docker to use them, see the Docker Device Mapper Storage Documentation.
For production use of Docker, the device mapper storage driver backed by loopback devices is discouraged; the suggested configuration for the device mapper storage driver is direct-lvm. Choosing the right storage driver and backing filesystem is crucial to stability and performance.
The docker package provides the software necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation features of the kernel.
The docker package can be installed with the following command:
$ sudo yum install docker
To be able to run the docker service, the docker package has to be installed.
The docker service is commonly needed to create containers.
The docker service can be enabled with the following command:
$ sudo systemctl enable docker.service
To be able to find any problems caused by misconfiguration of the docker daemon or of running containers, the docker service has to be enabled.