Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add tests for mounting into /proc and /sys
These two locations should be prohibited from mounting volumes into
those destinations.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: f25bbedc85e8a99c1389dbe8f48436907ce24526
Component: engine
These files in /proc should not be able to be read as well
as written to.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: a7a51306b1459a67da3a9cbbe8c9f80d3950c084
Component: engine
We can use this to control block IO weight of a container.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: f133f11a7d25e6262558dd733afaa95ddd1c7aee
Component: engine
The lxc code here is doing the exact same thing on calling
execdriver.Terminate, so let's just use that.
Also removes some dead comments originally introduced
50144aeb42283848db730b936d6b5b6332ec6565 but no longer relevant since we
have restart policies.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 44cd599e29451647492b3a5341ba23252a69ca27
Component: engine
`lxc-stop` does not support sending arbitrary signals.
By default, `lxc-stop -n <id>` would send `SIGPWR`.
The lxc driver was always sending `lxc-stop -n <id> -k`, which always
sends `SIGKILL`. In this case `lxc-start` returns an exit code of `0`,
regardless of what the container actually exited with.
Because of this we must send signals directly to the process when we
can.
Also need to set quiet mode on `lxc-start` otherwise it reports an error
on `stderr` when the container exits cleanly (ie, we didn't SIGKILL it),
this error is picked up in the container logs... and isn't really an
error.
Also cleaned up some potential races for waitblocked test.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: d2c4ee37c6a4114b33a915b7dae6de70e27e7965
Component: engine
Make /etc/hosts, /etc/resolv.conf, /etc/hostname read only if --read-only enabled
Upstream-commit: 77266a67e0e1fc9ec2b026bf0a57a14188ec5224
Component: engine
The `--userland-proxy` daemon flag makes it possible to rely on hairpin
NAT and additional iptables routes instead of userland proxy for port
publishing and inter-container communication.
Usage of the userland proxy remains the default as hairpin NAT is
unsupported by older kernels.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Upstream-commit: f42348e18f73d1d775d77ac75bc96466aae56d7c
Component: engine
To help avoid version mismatches between libcontainer and Docker, this updates libcontainer to be the source of truth for which version of logrus the project is using. This should help avoid potential incompatibilities in the future, too. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: 80a895142e7101b44ff71910bb2da994b1cc4f5f
Component: engine
Adds a `stream` query param to the stats API which allows API users to
only collect one stats entry and disconnect instead of keeping the
connection alive to stream more stats.
Also adds a `--no-stream` flag to `docker stats` which does the same
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: f3023a93d1a0a96a7312de441a550c758ac0c17d
Component: engine
Add cgroup support for disable OOM killer.
Signed-off-by: Hu Keping <hukeping@huawei.com>
Upstream-commit: a4a924e1b6c50f0f02460489259d73468a6c282e
Component: engine
Right now devicemapper mounts thin device using online discards by default
and passes mount option "discard". Generally people discourage usage of
online discards as they can be a drain on performance. Instead it is
recommended to use fstrim once in a while to reclaim the space.
In case of containers, we recommend to keep data volumes separate. So
there might not be lot of rm, unlink operations going on and there might
not be lot of space being freed by containers. So it might not matter
much if we don't reclaim that free space in pool.
User can still pass mount option explicitly using dm.mountopt=discard to
enable discards if they would like to.
So this is more like setting the containers by default for better performance
instead of better space efficiency in pool. And user can change the behavior
if they don't like default behavior.
Reported-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Upstream-commit: 04adaaf1ee1688ff48cb8f541dcb80e965f45080
Component: engine
