Some applications want to write to /proc. For instance:
    docker run -it centos groupadd foo
Gives: groupadd: failure while writing changes to /etc/group
And strace reveals why:
    open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)
I've looked at what other systems do, and systemd-nspawn makes /proc read-write
and /proc/sys readonly, while lxc allows "proc:mixed" which does the same,
plus it makes /proc/sysrq-trigger also readonly.
The latter seems like a prudent idea, so we follow lxc proc:mixed.
Additionally we make /proc/irq and /proc/bus, as these seem to let
you control various hardware things.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 68493e2f7f9cb8303302e1098e3293b521ace243
Component: engine
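
A check for the layout the commit message above describes, as an added example that is not part of the commit or of Docker's own code: it reads text in /proc/self/mountinfo format and lists which of the named paths are still writable. The sample input is constructed, and treating /proc/irq and /proc/bus as meant to be read-only is an assumption drawn from context.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Paths the commit message singles out (read-only is assumed for irq and bus).
var guarded = []string{"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus"}

// Constructed sample in /proc/self/mountinfo format, not captured from a real
// container: /proc is read-write and /proc/bus has no read-only mount over it.
const sampleMountinfo = `72 60 0:45 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
73 72 0:45 /sys /proc/sys ro,relatime - proc proc rw
74 72 0:45 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
75 72 0:45 /irq /proc/irq ro,relatime - proc proc rw`

// writableGuarded returns the guarded paths that are still writable according
// to the per-mount options (field 6) of each mountinfo line.
func writableGuarded(mountinfo string) []string {
	opts := map[string]string{} // mount point -> options; a later mount on the same point wins
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		if f := strings.Fields(sc.Text()); len(f) >= 6 {
			opts[f[4]] = f[5]
		}
	}
	var writable []string
	for _, p := range guarded {
		o, ok := opts[p]
		if !ok {
			o = opts["/proc"] // no dedicated mount: the path inherits /proc's own flags
		}
		// Match "ro" only as a whole option, not as part of another flag name.
		if !strings.Contains(","+o+",", ",ro,") {
			writable = append(writable, p)
		}
	}
	return writable
}

func main() {
	fmt.Println("still writable:", writableGuarded(sampleMountinfo))
}
```

Inside a container, the contents of /proc/self/mountinfo can be passed to writableGuarded in place of the sample.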
For issue #5658 this rewrite of the networking page explains what every
single option (unless I missed one!) does both for the Docker server and
also the Docker client when submitting a "docker run". I somehow
thought that, when I was done, there would be a lot more about setting
up topologies like I did for my Foundations of Python Network
Programming network of Docker containers. More about making routers and
firewalls that NAT and so forth. But, at least for this draft, I think
that setting up subnets and setting up point-to-point links is most of
what Docker users will need unless they are doing something exotic.
We can always expand later.
Docker-DCO-1.1-Signed-off-by: Brandon Rhodes <brandon@rhodesmill.org> (github: brandon-rhodes)
Improve networking.md documentation per @jamtur01
Besides catching some typos and awkward sentences, @jamtur01 had several
more thorough changes to suggest:
* He illustrated the correct way to delimit "Note" paragraphs in
Docker documentation.
* He helped point out where I was presuming an Ubuntu host running
Docker, so that I could re-word those sections to be specific that
the advice only applied to Ubuntu (these mostly related to how to
set server-wide options and restart the server).
* He is happy to have "Ethernet" capitalized even where Linux
documentation would render it with an ugly lower-case first letter.
Docker-DCO-1.1-Signed-off-by: Brandon Rhodes <brandon@rhodesmill.org> (github: brandon-rhodes)
Improve networking.md per ideas from @SvenDowideit
A response to a bit of further discussion of pull request #5884.
Upstream-commit: ca9c35cdf772ddb121447b3877dbcf8caa4c5cdb
Component: engine
Rearrange docker version output so that server output matches client
output
Docker-DCO-1.1-Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com> (github: jmccrohan)
Upstream-commit: 82712ed67ef9c189ccc8837ef8469272c91f6fcf
Component: engine
Note, this text is just copied from sysinit.go
See Issue #5873
Docker-DCO-1.1-Signed-off-by: Timothy <timothyhobbs@seznam.cz> (github: https://github.com/timthelion)
Upstream-commit: f9728de7a3a5bca5db800edf17d8bc3b39358b77
Component: engine
This improves the TestBuildSixtySteps test by switching from busybox to
scratch and simply adding a file.
This lowers the execution time of that test from 20 seconds to 5
seconds.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 58c11ee0a8be74562b0e6f88ee000afdf9ddf025
Component: engine
@vmarmol has made the fix upstream for not failing if the capability
being dropped is returned as invalid from the syscall, which is the case
when the capability is not supported on the host.
This is a blocker presently for RHEL6.5 on CAP_SYSLOG. We have patched
around this in our RPM for the time being, but this is the proper fix.
See also https://github.com/dotcloud/docker/pull/5810
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
Upstream-commit: 4bf03a0fac48a06298afa149d4339245736810b6
Component: engine
Make libcontainer's CapabilitiesMask into a []string (Capabilities). + add support for CAP_FOWNER
Upstream-commit: cc84dd09676623961ef8dd2d7a415e10323ef9c3
Component: engine
After removal, the User-Agent shows in the log like this:
[debug] http.go:160 https://index.docker.io/v1/repositories/busybox/images --
HEADERS: map[User-Agent:[docker/0.11.1-dev go/go1.2.2 git-commit/8887e00-dirty kernel/3.14.3-n1 os/linux arch/amd64]]
The code also moved all validation work into validVersion,
to keep the main logic clean.
Docker-DCO-1.1-Signed-off-by: Derek <crq@kernel.org> (github: crquan)
Upstream-commit: 42734394b0ec238c88bc3ef09454df411b8f3776
Component: engine
This commit makes the Docker cli client use ValidateContextDirectory
before attempting to create a tarball out of the context. This ensures
we avoid errors such as "unexpected EOF" during the upload of the
context.
This check is done before uploading any data and can save time and
bandwidth for remote Docker daemons.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 33d5b38d62f48edcadbe239595e242300f3ecd27
Component: engine