Commit Graph

109 Commits

Author SHA1 Message Date
9916ceda76 Add support for ambient capabilities
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.

Previously there was no way to give containers not running as root
capabilities in a useful way.

Fix #8460

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 856a50e733
Component: cli
2017-06-02 00:10:13 +00:00
3fc85d0d86 Remove extra paren in run --link docs
Signed-off-by: Josh Bodah <jb3689@yahoo.com>
Upstream-commit: 622f3bf19f
Component: cli
2017-06-02 00:10:10 +00:00
2e5d081e78 clean up the run.md in reference
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
Upstream-commit: 2ff594515f
Component: cli
2017-06-02 00:10:07 +00:00
4271b8612c Fixes #25918 - Changed --permissive to --privileged.
Signed-off-by: Rich Moyse <rich@moyse.us>
Upstream-commit: 463d68bde9
Component: cli
2017-06-02 00:10:07 +00:00
a722d87773 Split list of capabilities into those added by default and those not
The documentation was a bit unhelpful as to what are the default
capabilities, so split.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: ff474eb300
Component: cli
2017-06-02 00:10:05 +00:00
d17acd563f Update documentation for entrypoint unset with docker run/create
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 68ea0dc2d0
Component: cli
2017-06-02 00:10:04 +00:00
4fc52bf5bf Add note about --entrypoint overriding default command
Signed-off-by: Aanand Prasad <aanand.prasad@gmail.com>
Upstream-commit: 897dc90656
Component: cli
2017-06-02 00:10:02 +00:00
c05d80f923 Document --oom-score-adj flag in docker run
This was only mentioned in docker create documentation.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 6a983cc502
Component: cli
2017-06-02 00:07:51 +00:00
12ad3a866c Expand the documentation of "no-new-privileges"
The change to runc in https://github.com/opencontainers/runc/pull/789
was not documented previously. Also say what this affects and clean
up layout of initial table as there was some miscolouration of the
continuation lines.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 8bc84934fb
Component: cli
2017-06-02 00:07:50 +00:00
d1c6ce2e15 Rename --net to --network
Add a `--network` flag which replaces `--net` without deprecating it
yet. The `--net` flag remains hidden and supported.

Add a `--network-alias` flag which replaces `--net-alias` without deprecating
it yet. The `--net-alias` flag remains hidden and supported.

Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
Upstream-commit: 253a5f4ea2
Component: cli
2017-06-02 00:07:50 +00:00
6e77acb1af Allow user to specify container's link-local addresses
Signed-off-by: Alessandro Boch <aboch@docker.com>
Upstream-commit: 987e5e6d8a
Component: cli
2017-06-02 00:07:44 +00:00
e1cb76e0ab surfacing Learn by example topics to top level of Docker Engine docs
fixing links after moving surfacing tutorials

fixing more links for the newly located tutorials

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Upstream-commit: d3b7a2779e
Component: cli
2017-06-02 00:07:43 +00:00
abc876a868 Added example for using image digest in the docker run command
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>

Added explanation for the example with image's digest (as per @thaJeztah's comment)

Signed-off-by: Shoubhik Bose <sbose78@gmail.com>

Wrapped to ~80 chars

Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
Upstream-commit: 0a0bb19a33
Component: cli
2017-06-02 00:07:43 +00:00
4231660e73 Add support for user-defined healthchecks
This PR adds support for user-defined health-check probes for Docker
containers. It adds a `HEALTHCHECK` instruction to the Dockerfile syntax plus
some corresponding "docker run" options. It can be used with a restart policy
to automatically restart a container if the check fails.

The `HEALTHCHECK` instruction has two forms:

* `HEALTHCHECK [OPTIONS] CMD command` (check container health by running a command inside the container)
* `HEALTHCHECK NONE` (disable any healthcheck inherited from the base image)

The `HEALTHCHECK` instruction tells Docker how to test a container to check that
it is still working. This can detect cases such as a web server that is stuck in
an infinite loop and unable to handle new connections, even though the server
process is still running.

When a container has a healthcheck specified, it has a _health status_ in
addition to its normal status. This status is initially `starting`. Whenever a
health check passes, it becomes `healthy` (whatever state it was previously in).
After a certain number of consecutive failures, it becomes `unhealthy`.

The options that can appear before `CMD` are:

* `--interval=DURATION` (default: `30s`)
* `--timeout=DURATION` (default: `30s`)
* `--retries=N` (default: `1`)

The health check will first run **interval** seconds after the container is
started, and then again **interval** seconds after each previous check completes.

If a single run of the check takes longer than **timeout** seconds then the check
is considered to have failed.

It takes **retries** consecutive failures of the health check for the container
to be considered `unhealthy`.

There can only be one `HEALTHCHECK` instruction in a Dockerfile. If you list
more than one then only the last `HEALTHCHECK` will take effect.

The command after the `CMD` keyword can be either a shell command (e.g. `HEALTHCHECK
CMD /bin/check-running`) or an _exec_ array (as with other Dockerfile commands;
see e.g. `ENTRYPOINT` for details).

The command's exit status indicates the health status of the container.
The possible values are:

- 0: success - the container is healthy and ready for use
- 1: unhealthy - the container is not working correctly
- 2: starting - the container is not ready for use yet, but is working correctly

If the probe returns 2 ("starting") when the container has already moved out of the
"starting" state then it is treated as "unhealthy" instead.

For example, to check every five minutes or so that a web-server is able to
serve the site's main page within three seconds:

    HEALTHCHECK --interval=5m --timeout=3s \
      CMD curl -f http://localhost/ || exit 1

To help debug failing probes, any output text (UTF-8 encoded) that the command writes
on stdout or stderr will be stored in the health status and can be queried with
`docker inspect`. Such output should be kept short (only the first 4096 bytes
are stored currently).

When the health status of a container changes, a `health_status` event is
generated with the new status. The health status is also displayed in the
`docker ps` output.

Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 51ddea93a2
Component: cli
2017-06-02 00:07:41 +00:00
711901f473 The options --add-host and --net=host should not be mutually exclusive.
This fix tries to address the issue raised in #21976 and allows
the options of `--add-host` and `--net=host` to work at the same time.

The documentation has been updated and additional tests have been
added to cover this change.

This fix fixes #21976.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: d1aaf129f2
Component: cli
2017-06-02 00:07:40 +00:00
41d05e62cc The options --dns, --dns-search, --dns-opt and --net=host should not be mutually exclusive.
This fix tries to address the issue raised in #21976 and allows
the options of `--dns`, `--dns-search`, `--dns-opt` and `--net=host`
to work at the same time.

The documentation has been updated and additional tests have been
added to cover this change.

This fix fixes #21976.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: f17fb53f53
Component: cli
2017-06-02 00:07:40 +00:00
1571188650 remove duplicated text
Signed-off-by: Michael Friis <friism@gmail.com>
Upstream-commit: 3cc96bb891
Component: cli
2017-06-02 00:07:39 +00:00
db8fde32b9 Remove MLS example from SELinux example in run reference
Automatic translation of MLS labels is currently not
supported, so should not be documented as an example.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 563b5dab54
Component: cli
2017-06-02 00:07:39 +00:00
8cac76883e Align default seccomp profile with selected capabilities
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, e.g. to allow ptrace with --cap-add sys_ptrace, they still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.

While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.

It also cleans up some architecture specific system calls to be
only selected when needed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: ba8f5cfbb8
Component: cli
2017-06-02 00:07:39 +00:00
53b32800ef Add support for --pid=container:<id>
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Upstream-commit: 637048e176
Component: cli
2017-06-02 00:07:39 +00:00
6777871c09 from inheritted to inherited
Signed-off-by: Yuan Sun <sunyuan3@huawei.com>
Upstream-commit: d16947629c
Component: cli
2017-06-02 00:07:37 +00:00
96321e2038 Remove unnecessary double-double quotes
Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: fe09131526
Component: cli
2017-06-02 00:07:37 +00:00
ef2cb7e662 remove "the" in docs.
Signed-off-by: Yuan Sun <sunyuan3@huawei.com>
Upstream-commit: 7d3bb7a6d0
Component: cli
2017-06-02 00:07:37 +00:00
a1deb91f73 update cgroup link in doc of run
Signed-off-by: Hao Zhang <21521210@zju.edu.cn>
Upstream-commit: 64ba15e3a3
Component: cli
2017-06-02 00:07:37 +00:00
b337b8e4b2 docs: add note about MAC addresses not being unique
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: d192f97acc
Component: cli
2017-06-02 00:07:36 +00:00
30f948a78a Fix the old exit status example
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Upstream-commit: 6a5870dcfa
Component: cli
2017-06-02 00:07:36 +00:00
f2eeb16b6e Fix deprecated format for security-opt
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Upstream-commit: a8a29fe7f5
Component: cli
2017-06-02 00:07:35 +00:00
546f96b8fb Correct the description of --group-add in run.md
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Upstream-commit: 42dfcc1d2a
Component: cli
2017-06-02 00:07:35 +00:00
80aebaf272 Un-deprecate auto-creation of host directories for mounts
Auto-creation of host-directories was marked deprecated in
Docker 1.9, but was decided to be too much of a backward-incompatible
change, so it was decided to keep the feature.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 0a13b2a1ce
Component: cli
2017-06-02 00:07:35 +00:00
c5e162c9a0 Add explicit flags for volume cp/no-cp
This allows a user to specify explicitly to enable
automatic copying of data from the container path to the volume path.
This does not change the default behavior of automatically copying, but
does allow a user to disable it at runtime.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: eba678647b
Component: cli
2017-06-02 00:07:32 +00:00
4728023c9a Consolidate security options to use = as separator.
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: a7364b3743
Component: cli
2017-06-02 00:07:32 +00:00
54da3984d3 Fix documentation on --security-opt seccomp
Missing documentation and man pages on seccomp options.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Upstream-commit: 2d0316cb43
Component: cli
2017-06-02 00:07:32 +00:00
a81a386a03 Fix typo
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Upstream-commit: d219111855
Component: cli
2017-06-02 00:07:32 +00:00
3f4a780a92 Allow --hostname with --net=host
Docker creates a UTS namespace by default, even with --net=host, so it
is reasonable to let the user set the hostname. Note that --hostname is
forbidden if the user specifies --uts=host.

Closes #12076
Signed-off-by: Jason Heiss <jheiss@aput.net>
Upstream-commit: 6bcb137d2f
Component: cli
2017-06-02 00:07:32 +00:00
b21975d5e4 Add support for NoNewPrivileges in docker
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Add tests for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Update documentation for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Upstream-commit: d3f632156e
Component: cli
2017-06-02 00:07:31 +00:00
c2ad27ed2c update cap-add docs for seccomp
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: 91d0d25ee4
Component: cli
2017-06-02 00:07:28 +00:00
6fd29bd537 Improve usage details on overriding USER command in Docker run reference page
Signed-off-by: Sian Lerk Lau <kiawin@gmail.com>
Upstream-commit: 7c85fb1665
Component: cli
2017-06-02 00:07:28 +00:00
23eff15228 Remove "--group-add dbus" from busybox example (no dbus group in busybox anymore)
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: a015293ff7
Component: cli
2017-06-02 00:07:28 +00:00
cce394556a Fix docs for tmpfs (pr 19688)
Underlying files are no longer copied to the tmpfs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: d4fd7fd13b
Component: cli
2017-06-02 00:07:27 +00:00
b82ff962b6 Creating Engine specific menu
Fixing the links
Updating with Seb's comments
Adding weight
Fixing the engine aliases
Updating after Arun pushed
Removing empty file

Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: 7910f01804
Component: cli
2017-06-02 00:07:26 +00:00
22f6c54f1d Add note about mount propagation on systemd
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 88fa05ccb4
Component: cli
2017-06-02 00:07:26 +00:00
ee198d09c4 On container rm, don't remove named mountpoints
This makes it so when calling `docker run --rm`, or `docker rm -v`, only
volumes specified without a name, e.g. `docker run -v /foo` instead of
`docker run -v awesome:/foo` are removed.

Note that all volumes are named, some are named by the user, some get a
generated name. This is specifically about how the volume was specified
on `run`, assuming that if the user specified it with a name they expect
it to persist after the container is cleaned up.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 8de6a3fc71
Component: cli
2017-06-02 00:07:26 +00:00
e1b3e37e5c Correcting overlay -> bridge driver in run.md
Correcting `overlay` -> `bridge` driver in run.md to match the preceding paragraph.

Signed-off-by: Jasmine Hegman <jasmine@jhegman.com>
Upstream-commit: 6495ac0c5f
Component: cli
2017-06-02 00:07:25 +00:00
732a628e72 Network scoped alias support
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: 46db31de0a
Component: cli
2017-06-02 00:07:24 +00:00
0570aaed74 Add missing documentation for static IP options
Signed-off-by: Alessandro Boch <aboch@docker.com>
Upstream-commit: d3aa590eec
Component: cli
2017-06-02 00:07:23 +00:00
26855c6072 Docs update for link functionality in user-defined networks
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: bf03439e68
Component: cli
2017-06-02 00:07:23 +00:00
6778fba09c Allow user to choose the IP address for the container
Signed-off-by: Alessandro Boch <aboch@docker.com>
Upstream-commit: 0a3c040a07
Component: cli
2017-06-02 00:07:22 +00:00
a8ec34a0cc Fix pid=host example in documentation
The existing example didn't illustrate how to
install strace in the container. In addition,
the rhel7 image used is no longer public (and maintained)
so not a good image to use in the example.

This updates the example to use htop (strace is
not working without disabling apparmor for the container)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 31ad32c879
Component: cli
2017-06-02 00:07:22 +00:00
001436e214 remove =false from options that default to false in the docs
This re-aligns the docs with what the cmd line now does.

Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: 421578fbd4
Component: cli
2017-06-02 00:07:21 +00:00
7b918f92d1 Add support for blkio read/write iops device
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
Upstream-commit: 499d634f32
Component: cli
2017-06-02 00:07:21 +00:00