If an admin mounts all file systems as -rshared (Default on RHEL and Fedora)
we see a scaling problem as the number of container increase.
Basically every new container needs to have it new mounts in /var/lib/docker
shared to all other containers, this ends up with us only able to scale to
around 100 containers, before the system slows down.
By simply bind mounting /var/lib/docker on its and then setting it private,
the scaling issue goes away.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 792bb41e524615486ef8266b7bf4804b4fe178f1
Component: engine
docker will run the process(es) within the container with an SELinux label and will label
all of the content within the container with mount label. Any temporary file systems
created within the container need to be mounted with the same mount label.
The user can override the process label by specifying
-Z With a string of space separated options.
-Z "user=unconfined_u role=unconfined_r type=unconfined_t level=s0"
Would cause the process label to run with unconfined_u:unconfined_r:unconfined_t:s0"
By default the processes will run execute within the container as svirt_lxc_net_t.
All of the content in the container as svirt_sandbox_file_t.
The process mcs level is based of the PID of the docker process that is creating the container.
If you run the container in --priv mode, the labeling will be disabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 4c4356692580afb3971094e322aea64abe0e2500
Component: engine
Add a --dns-search parameter and a DnsSearch
configuration field for specifying dns search
domains.
Docker-DCO-1.1-Signed-off-by: Daniel Norberg <daniel.norberg@gmail.com> (github: danielnorberg)
Upstream-commit: fbfac21ed4de550ce72d993810dc07a2c4877a88
Component: engine
Default to the same build behavior, but allow a go build tag to disable
building of the btrfs graphdriver
go build -tags no_btrfs' ...
$ go build
$ objdump -S docker | grep btrfs | wc -l
194
$ go build -tags no_btrfs
$ objdump -S docker | grep btrfs | wc -l
1
# that is a comment ;-)
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
Upstream-commit: 85a62d9b779bfb351e159f38c2fc95900a0532cd
Component: engine
Enable build tags for all the graphdrivers to be excludable.
As an example:
```
$ go build
$ ls -l docker
-rwxr-xr-x 1 vbatts vbatts 18400158 Mar 14 14:22 docker*
$ go build -tags "exclude_graphdriver_aufs exclude_graphdriver_vfs exclude_graphdriver_devicemapper"
$ ls -l docker
-rwxr-xr-x 1 vbatts vbatts 17467068 Mar 14 14:22 docker*
```
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
Upstream-commit: 670ce98c60dbac1d46a59bd69bd20b569f4794f1
Component: engine
Since we're not not mounting anything but the base filesystem outside
the container we no longer need the separate bind mount at
/var/lib/docker/container/$id/root in order to see the base filesystem
without extra mounts. So, we drop this and mount (again) the container
root directly at the real basefs mountpoint.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: bf1b27dfcc6c4e049706d7d104e1abc5c330815d
Component: engine
This moves the bind mounts like /.dockerinit, /etc/hostname, volumes,
etc into the container namespace, by setting them up using lxc.
This is useful to avoid littering the global namespace with a lot of
mounts that are internal to each container and are not generally
needed on the outside. In particular, it seems that having a lot of
mounts is problematic wrt scaling to a lot of containers on systems
where the root filesystem is mounted --rshared.
Note that the "private" option is only supported by the native driver, as
lxc doesn't support setting this. This is not a huge problem, but it does
mean that some mounts are unnecessarily shared inside the container if you're
using the lxc driver.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 6c266c4b42eeabe2d433a994753d86637fe52a0b
Component: engine
This can't be in execdriver (dependency loop) but should not be
hardcoded inside runtime.go either. So we put it in a subpackage.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 07c35b41a5a93f31111d47afcb1e6d2926b492a0
Component: engine
