Install Docker CE on Rocky Linux 10/9 and AlmaLinux 10/9

Docker on RHEL-family distros has always had a few quirks. The repos are different, Podman ships by default, and SELinux is enforcing. This guide covers a clean Docker CE installation on Rocky Linux 10/9 and AlmaLinux 10/9, with SELinux left exactly where it belongs: enforcing.

Original content from computingforgeeks.com - post 64195

The steps cover adding the official Docker repository, installing Docker CE with Compose, running containers as a non-root user, and handling the kernel module gotcha that trips up Rocky 10 minimal installs. If you’re coming from CentOS 7 or 8, the repo paths and DNF syntax have changed.

Tested April 2026 on Rocky Linux 10.1, Docker CE 29.4.0, Docker Compose v5.1.1, SELinux enforcing

Prerequisites

Before starting, confirm the following:

  • Rocky Linux 10/9 or AlmaLinux 10/9 (64-bit, minimal or server install)
  • A user account with sudo privileges
  • Internet access to reach Docker’s package repository
  • Tested on: Rocky Linux 10.1 (kernel 6.12.0-124.45.1.el10_1.x86_64), Docker CE 29.4.0

Fix Missing Kernel Modules (Rocky 10 Minimal)

This catches most people off guard. Rocky Linux 10 minimal and cloud images do not include kernel-modules-extra by default. Without it, Docker fails to start because iptables cannot load the xt_addrtype module. Handle this before installing Docker.

sudo dnf install -y kernel-modules-extra
sudo reboot

After the system comes back up, verify the kernel module loads cleanly:

modprobe xt_addrtype

No output means success. If you skip this step on a minimal install, Docker will fail with the error below.

Error: “iptables failed: Warning: Extension addrtype revision 0 not supported, missing kernel module?”

This error appears in journalctl -u docker when Docker tries to set up its network bridge on a system missing xt_addrtype. The fix is installing kernel-modules-extra and rebooting, as shown above. On Rocky/AlmaLinux 9, this package is usually pre-installed, so the issue primarily affects version 10 minimal and cloud images.

Remove Old Docker Packages

Clean out any pre-installed Docker or Podman packages that conflict with Docker CE:

sudo dnf remove docker docker-client docker-client-latest docker-common docker-latest docker-logrotate docker-engine podman runc

If none of these are installed, DNF will report “No packages marked for removal” and exit cleanly. That’s fine.

Add the Docker CE Repository

Docker publishes separate repos for RHEL and CentOS. Rocky/AlmaLinux 10 uses the rhel repo path, while version 9 uses the centos path.

Rocky/AlmaLinux 10 (DNF5):

sudo dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo

Rocky/AlmaLinux 9 (DNF4):

sudo dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

Both versions use the --add-repo flag, but the underlying DNF command is different. Rocky 10 ships DNF5, which is a complete rewrite of the package manager. Rocky 9 uses the older DNF4. The flag happens to be the same for repo management, but other subcommands have changed syntax.
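The two version-specific points so far (the xt_addrtype kernel module and the repo path) can be checked before anything is installed. The script below is an added example, not part of the original guide; the function names are hypothetical, and the only facts it encodes are the repo URLs and the kernel-modules-extra fix given above.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.

# Print the Docker CE repo URL for an os-release file (default: /etc/os-release).
# Mapping as given in this guide: major version 10 -> rhel, 9 -> centos.
docker_repo_url() {
    local file="${1:-/etc/os-release}" id version major
    # Read ID and VERSION_ID without sourcing the file into this shell.
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    version=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
    major="${version%%.*}"
    case "$id" in
        rocky|almalinux) ;;
        *) echo "unsupported distribution: ${id:-unknown}" >&2; return 1 ;;
    esac
    case "$major" in
        10) echo "https://download.docker.com/linux/rhel/docker-ce.repo" ;;
        9)  echo "https://download.docker.com/linux/centos/docker-ce.repo" ;;
        *)  echo "unsupported major version: ${major:-unknown}" >&2; return 1 ;;
    esac
}

# Succeed if xt_addrtype is loaded, built into the kernel, or present as a
# module file. Both paths are parameters so the check can be run on test data.
xt_addrtype_available() {
    local moddir="${1:-/lib/modules/$(uname -r)}" loaded="${2:-/proc/modules}"
    grep -q '^xt_addrtype ' "$loaded" 2>/dev/null && return 0
    grep -qs '/xt_addrtype\.ko' "$moddir/modules.builtin" && return 0
    find "$moddir" -name 'xt_addrtype.ko*' 2>/dev/null | grep -q .
}

# Report what to do on this host; prints the repo command instead of running it.
preflight() {
    local url
    url=$(docker_repo_url) || return 1
    if ! xt_addrtype_available; then
        echo "xt_addrtype not found: install kernel-modules-extra and reboot first"
    fi
    echo "sudo dnf config-manager --add-repo $url"
}
```

Source the file and run preflight on the target host; it changes nothing and only prints its findings.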

Install Docker CE

Install the Docker engine along with the CLI tools, containerd, Buildx, and the Compose plugin:

sudo dnf install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

DNF pulls in all required dependencies automatically. On a fresh system, expect around 100 MB of packages.

Start and Enable Docker

Enable the service so it starts on boot, and start it immediately:

sudo systemctl enable --now docker

Check the service status:

systemctl status docker

The output should show active (running):

● docker.service - Docker Application Container Engine
     Loaded: loaded (/usr/lib/systemd/system/docker.service; enabled; preset: disabled)
     Active: active (running) since Tue 2026-04-08 09:12:34 UTC; 5s ago
   Main PID: 2847 (dockerd)
      Tasks: 10
     Memory: 42.3M
     CGroup: /system.slice/docker.service
             └─2847 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock

Verify the Installation

Confirm Docker and Compose versions:

docker --version

Output:

Docker version 29.4.0, build a1de4e3

Check the Compose plugin:

docker compose version

You should see:

Docker Compose version v5.1.1

For detailed system information including storage driver and cgroup version:

sudo docker info | grep -E "Storage|Cgroup|Kernel|Operating"

On Rocky Linux 10.1:

 Storage Driver: overlayfs
 Cgroup Driver: systemd
 Cgroup Version: 2
 Kernel Version: 6.12.0-124.45.1.el10_1.x86_64
 Operating System: Rocky Linux 10.1 (Red Quartz)

Run the Hello World Container

Pull and run the test image:

sudo docker run hello-world

Docker pulls the image from Docker Hub and runs it. The output confirms everything is working:

Unable to find image 'hello-world:latest' locally
latest: Pulling from library/hello-world
e6590344b1a5: Pull complete
Digest: sha256:c41088499908a59aae30a67e05a5b8e4d542c2a3fc2cf92e8a8e1e9e5e9e36b7
Status: Downloaded newer image for hello-world:latest

Hello from Docker!
This message shows that your installation appears to be working correctly.

SELinux and Docker

Rocky Linux and AlmaLinux run SELinux in enforcing mode by default. Docker works with SELinux out of the box on these distributions. Containers run under the container_t SELinux context automatically, so there is nothing extra to configure.

Verify SELinux is enforcing:

getenforce

Output:

Enforcing

Never disable SELinux to make Docker work. If you encounter AVC denials, check the audit log with ausearch -m avc -ts recent and apply targeted fixes using setsebool or semanage rather than switching to permissive mode.
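To decide which targeted fix is needed, it helps to reduce the audit records to the distinct denials that actually involve containers. The filter below is an added example, not part of the original guide; the function names are hypothetical and the audit lines are constructed samples.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.

# Constructed sample audit records: three container_t denials, one unrelated
# httpd_t denial and one SYSCALL record that must both be ignored.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1775639554.101:412): avc:  denied  { read } for  pid=3120 comm="nginx" name="index.html" dev="dm-0" ino=2101 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1775639555.207:415): avc:  denied  { read } for  pid=3120 comm="nginx" name="logo.png" dev="dm-0" ino=2102 scontext=system_u:system_r:container_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1775639560.330:421): avc:  denied  { write } for  pid=3188 comm="redis-server" name="data" dev="dm-0" ino=2200 scontext=system_u:system_r:container_t:s0:c56,c78 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1775639570.001:430): avc:  denied  { name_bind } for  pid=901 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1775639554.101:412): arch=c000003e syscall=257 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:container_t:s0:c12,c34
EOF
}

# Read audit records on stdin and print "count comm permission tclass target_type"
# for every denial whose source type is container_t, most frequent first.
summarize_container_avc() {
    awk '
    /avc: +denied/ {
        perm = comm = stype = ttype = tclass = ""
        # The denied permission set sits between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }   # user:role:type:level
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == "container_t") seen[comm " " perm " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -rn
}

# Demo on the constructed records above.
sample_audit_lines | summarize_container_avc
```

On a real host, pipe the output of sudo ausearch -m avc -ts recent into summarize_container_avc instead of the sample data.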

Run Docker as a Non-Root User

By default, Docker commands require sudo. To allow your regular user account to run Docker commands directly, add the user to the docker group:

sudo usermod -aG docker $USER

Log out and back in (or run newgrp docker) for the group membership to take effect. Then test without sudo:

docker run hello-world

Be aware that any user in the docker group effectively has root-level access to the host through container mounts. Only add trusted users.
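Because docker group membership is equivalent to root on the host, it is worth reviewing who holds it. The check below is an added example, not part of the original guide; the function name is hypothetical, and it reads the local group and passwd files only (accounts from a directory service would need getent instead).

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function name is hypothetical.

# List accounts that belong to the docker group.
# Arguments: group(5) file and passwd(5) file; defaults are the system files.
docker_group_users() {
    local group_file="${1:-/etc/group}" passwd_file="${2:-/etc/passwd}" gid
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 0   # no docker group on this host, nothing to list
    {
        # Supplementary members: comma-separated 4th field of the docker entry.
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the docker GID are not in that list,
        # so look them up in the passwd file as well.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Run against the local files, or against two files given as arguments.
docker_group_users "$@"
```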

Test Docker Compose with Nginx and Redis

Create a project directory and a Compose file to verify multi-container orchestration works:

mkdir ~/compose-test && cd ~/compose-test

Create the Compose file:

cat > docker-compose.yml

Paste the following configuration:

services:
  web:
    image: nginx:alpine
    ports:
      - "8080:80"
  cache:
    image: redis:alpine

Press Ctrl+D to save the file. Start both containers in detached mode:

docker compose up -d

Both containers should start and show an Up status:

docker compose ps

Output confirms both services are running:

NAME                    IMAGE          COMMAND                  SERVICE   CREATED          STATUS          PORTS
compose-test-cache-1    redis:alpine   "docker-entrypoint.s…"   cache     12 seconds ago   Up 11 seconds   6379/tcp
compose-test-web-1      nginx:alpine   "/docker-entrypoint.…"   web       12 seconds ago   Up 11 seconds   0.0.0.0:8080->80/tcp

Test the Nginx container:

curl http://localhost:8080

You should see the default Nginx welcome page HTML. Clean up when done:

docker compose down

Configure Firewall for Container Ports

If firewalld is running (it is on most Rocky/AlmaLinux installs), you need to open ports for any containers you want accessible from outside the host. Docker manipulates iptables directly, but firewalld can interfere. For example, to expose port 8080:

sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload

Verify the port is open:

sudo firewall-cmd --list-ports

In production, consider using a dedicated Docker zone in firewalld or the docker0 interface binding to control traffic more precisely.

Differences Between Rocky/AlmaLinux 10 and 9

If you manage both versions, these are the key differences for Docker installations:

Item                   Rocky/AlmaLinux 10                 Rocky/AlmaLinux 9
DNF version            DNF5                               DNF4
Docker repo URL        docker.com/linux/rhel/             docker.com/linux/centos/
Kernel                 6.12.x                             5.14.x
kernel-modules-extra   Must install manually on minimal   Usually pre-installed
Cgroup version         v2 (default)                       v2 (default)
SELinux                Enforcing (default)                Enforcing (default)

The installation commands are identical once the correct repository is added. The kernel-modules-extra issue is the only real gotcha specific to version 10.

Uninstall Docker CE

To remove Docker CE completely:

sudo systemctl stop docker
sudo dnf remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Images, containers, volumes, and custom configurations are stored in /var/lib/docker and are not removed by the package manager. Delete them manually if you want a clean slate:

sudo rm -rf /var/lib/docker
sudo rm -rf /var/lib/containerd
