Docker
The default, production-ready runtime. Each replica is a container on a per-namespace bridge network. All three health-check types (tcp / http / command), container metrics, labels, registry credentials, and a live event stream for sub-second crash detection.
Prerequisites
A running Docker daemon and access to its socket (/var/run/docker.sock). That's it.
Enable it
Runtimes are opt-in, so add this under the [server] table in ~/.config/kemeter/ring/config.toml:
[server.runtime.docker] enabled = true # host = "unix:///var/run/docker.sock" # default; override for a remote daemon # use_host_registry_auth = true # allow deployments to pull with the host's docker login # host_registry_config = "/home/deploy/.docker/config.json" # pin the file if the daemon runs as another user
If enabled = true but the daemon is unreachable, Ring logs a warning and skips Docker (the node still starts if another runtime is usable).
Deploy
# web.yaml deployments: web: name: web namespace: production runtime: docker image: "nginx:latest" replicas: 3 ports: - { published: 8080, target: 80 } health_checks: - type: http port: 80 path: / interval: 10s timeout: 5s threshold: 3 on_failure: restart
ring apply -f web.yaml
Good to know
- Per-namespace networking. Each namespace gets its own bridge network (
ring_<namespace>), so containers in the same namespace reach each other by name. - Event-driven crash detection. Ring listens to the Docker event stream, so a crash is noticed sub-second (the other runtimes detect crashes on the scheduler tick instead).
- Full feature set. Everything in the manifest reference works on Docker, the baseline the other runtimes are compared against.
- Registry auth from the host. Already
docker login-ed on the host? Setuse_host_registry_auth = truehere, thenconfig.use_host_auth: trueon the deployment, to pull private images without putting the secret in the manifest. See manifestconfig. - Registry auth from an encrypted Secret. The portable alternative: store credentials in a
Secretand reference it withconfig.image_pull_secret. See deploy with secrets.
See also
- Runtimes overview: pick a runtime
- Podman: the rootless, daemonless alternative
- Manifest reference