Container install

Running under Docker

If you want to run calico/node under Docker, you can use calicoctl node run command. It automatically pre-initializes the etcd database (which the other installation methods do not). See the calicoctl node run guide for details. This container packages up the core Calico components to provide both Calico networking and network policy.

ETCD_ENDPOINTS=http://<ETCD_IP>:<ETCD_PORT> ./calicoctl node run --node-image=calico/node:v3.10.3

Note: Add the ETCD_ENDPOINTS Env and replace <ETCD_IP>:<ETCD_PORT> with your etcd configuration when etcd isn’t running locally.

Create a start-up script

Felix should be started at boot time by your init system and the init system must be configured to restart Felix if it stops. Felix relies on that behavior for certain configuration changes. This section describes how to run calico/node as a Docker container.

Note: We include examples for systemd, but the commands can be applied to other init daemons such as upstart.

Included here is an EnvironmentFile that defines the environment variables for Calico and a sample systemd service file that uses the environment file and starts the calico/node image as a service.

calico.env - the EnvironmentFile:


Be sure to update this environment file as necessary, such as modifying ETCD_ENDPOINTS to point at the correct etcd cluster endpoints.

Note: The ETCD_CA_CERT_FILE, ETCD_CERT_FILE, and ETCD_KEY_FILE environment variables are required when using etcd with SSL/TLS. The values here are standard values for a non-SSL version of etcd, but you can use this template to define your SSL values if desired.

If CALICO_NODENAME is blank, the compute server hostname will be used to identify the Calico node.

If CALICO_IP or CALICO_IP6 are left blank, Calico will use the currently configured values for the next hop IP addresses for this node—these can be configured through the node resource. If no next hop addresses have been configured, Calico will automatically determine an IPv4 next hop address by querying the host interfaces (and it will configure this value in the node resource). You may set CALICO_IP to autodetect to force auto-detection of IP address every time the node starts. If you set IP addresses through these environments it will reconfigure any values currently set through the node resource.

If CALICO_AS is left blank, Calico will use the currently configured value for the AS Number for the node BGP client—this can be configured through the node resource. If no value is set, Calico will inherit the AS Number from the global default value. If you set a value through this environment it will reconfigure any value currently set through the node resource.

The CALICO_NETWORKING_BACKEND defaults to use BIRD as the routing daemon. This may also be set to none (if routing is handled by an alternative mechanism).

systemd service example

calico-node.service - the systemd service:


ExecStartPre=-/usr/bin/docker rm -f calico-node
ExecStart=/usr/bin/docker run --net=host --privileged \
 --name=calico-node \
 -e IP=${CALICO_IP} \
 -e IP6=${CALICO_IP6} \
 -e AS=${CALICO_AS} \
 -v /var/log/calico:/var/log/calico \
 -v /run/docker/plugins:/run/docker/plugins \
 -v /lib/modules:/lib/modules \
 -v /var/run/calico:/var/run/calico \

ExecStop=-/usr/bin/docker stop calico-node



The systemd service above does the following on start:

  • Confirm Docker is installed under the [Unit] section
  • Get environment variables from the environment file above
  • Remove existing calico/node container (if it exists)
  • Start calico/node

The script will also stop the calico/node container when the service is stopped.

Note: Depending on how you’ve installed Docker, the name of the Docker service under the [Unit] section may be different (such as docker-engine.service). Be sure to check this before starting the service.