Commit Graph

73 Commits

Author SHA1 Message Date
511e7977ca The daemon.json storage-opts settings is actually a list.
Signed-off-by: Dimitry Andric <d.andric@activevideo.com>
Upstream-commit: 4b30db603b
Component: cli
2017-06-02 00:07:36 +00:00
fe09bbc92b Fixes #21701 devicemapper docs
Copy edit the content
Updates to existing material
Adding mbentley's comments
Updating with last minute comments
Update with Seb's comments

Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: 8850c4ab6e
Component: cli
2017-06-02 00:07:36 +00:00
8463c7f1fe When using systemd, pass expected cgroupsPath and cli options to runc.
runc expects a systemd cgroupsPath to be in slice:scopePrefix:containerName
format and the "--systemd-cgroup" option to be set. Update docker accordingly.

Fixes 21475

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Upstream-commit: 31c32956ca
Component: cli
2017-06-02 00:07:34 +00:00
1fbb3cd771 docs for docker daemon --containerd
Signed-off-by: Harald Albers <github@albersweb.de>
Upstream-commit: 85f983178b
Component: cli
2017-06-02 00:07:34 +00:00
6f538753fe fix wrong option name in dm.min_free_space examples
Signed-off-by: Harald Albers <github@albersweb.de>
Upstream-commit: 52ccec4cbc
Component: cli
2017-06-02 00:07:34 +00:00
952a037823 Remove unneeded references to execDriver
This includes:
 - updating the docs
 - removing dangling variables

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 4ffd1a9433
Component: cli
2017-06-02 00:07:33 +00:00
36ae54a3bd Allow net and IPC namespaces to be shared when userns=on
Now that the namespace sharing code via runc is vendored with the
containerd changes, we can disable the restrictions on container to
container net and IPC namespace sharing when the daemon has user
namespaces enabled.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Upstream-commit: 0926303632
Component: cli
2017-06-02 00:07:33 +00:00
542360c72a devmapper: Add a new option dm.min_free_space
Once thin pool gets full, bad things can happen. Especially in case of xfs
it is possible that xfs keeps on retrying IO infinitely (for certain kind
of IO) and container hangs. 

One way to mitigate the problem is that once thin pool is about to get full,
start failing some of the docker operations like pulling new images or
creation of new containers. That way user will get warning ahead of time
and can try to rectify it by creating more free space in thin pool. This
can be done either by deleting existing images/containers or by adding more
free space to thin pool.

This patch adds a new option dm.min_free_space to devicemapper graph
driver. Say one specifies dm.min_free_space=10%. This means at least
10% of data and metadata blocks should be free in pool before new device
creation is allowed, otherwise operation will fail.

By default min_free_space is 10%. User can change it by specifying
dm.min_free_space=X% on command line. A value of 0% will disable the
check.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Upstream-commit: 8db4ee005a
Component: cli
2017-06-02 00:07:32 +00:00
79c6da7676 Run privileged containers when userns are specified
Following #19995 and #17409 this PR enables skipping userns re-mapping
when creating a container (or when executing a command). Thus, enabling
privileged containers running side by side with userns remapped
containers.

The feature is enabled by specifying ```--userns:host```, which will not
remap the user if userns are applied. If this flag is not specified,
the existing behavior (which blocks specific privileged operation)
remains.

Signed-off-by: Liron Levin <liron@twistlock.com>
Upstream-commit: ce28fa45b0
Component: cli
2017-06-02 00:07:32 +00:00
8ea73cf204 Move registry service options to the daemon configuration.
Allowing to set their values in the daemon configuration file.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 02a1c138d0
Component: cli
2017-06-02 00:07:31 +00:00
319a8d610c docs: extend: plugins: mention the sdk + systemd socket activation
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: b20a425cd9
Component: cli
2017-06-02 00:07:31 +00:00
568347d926 docs: improve note for Fedora 22
Move the note more up, to prevent people from starting
the daemon with --userns-remap before touching the files.

Also clarify that these steps must be done *before* enabling
userns-remap and starting the daemon.

Also fixed some minor Markup formatting issues.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: ecd12ef145
Component: cli
2017-06-02 00:07:31 +00:00
a2a55aae3a Add docs for cgroup-parent of systemd cgroup
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: 119605fc24
Component: cli
2017-06-02 00:07:30 +00:00
9bd02d5271 Fix configuration reloading
There are five options 'debug' 'labels' 'cluster-store' 'cluster-store-opts'
and 'cluster-advertise' that can be reconfigured; configuring any of these
options should not affect other options which may have been configured in flags.
But this is not true. For example, I start a daemon with -D to enable the
debugging, and after a while, I want to reconfigure the 'label', so I add a file
'/etc/docker/daemon.json' with content '"labels":["test"]' and send SIGHUP to daemon
to reconfigure the daemon. It works, but the debugging of the daemon is also disabled.
I don't think this is an expected behaviour.
This patch also has some minor refactoring of the reconfiguration of cluster-advertiser.
Enable user to reconfigure cluster-advertiser without cluster-store in config file
since cluster-store could also be already set in flag, and we only want to reconfigure
the cluster-advertiser.

Signed-off-by: Lei Jitang <leijitang@huawei.com>
Upstream-commit: a0399720ce
Component: cli
2017-06-02 00:07:30 +00:00
d8bb3883b7 docs: reference: commandline: daemon: fedora 23+ has mapping files
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: 6f778ea663
Component: cli
2017-06-02 00:07:30 +00:00
bfaf3d9e3b Invoke ReloadConfiguration on network controller
- It reverts fa163f5619bb01cabca1c21 plus a small change
  in order to allow passing the global scope datastore
  to libnetwork after daemon boot.

Signed-off-by: Alessandro Boch <aboch@docker.com>
Upstream-commit: 15eb38dfb1
Component: cli
2017-06-02 00:07:29 +00:00
db47f91e5b fix common misspell
Signed-off-by: Victor Vieux <vieux@docker.com>
Upstream-commit: c30d9d2fff
Component: cli
2017-06-02 00:07:28 +00:00
c569643ac6 Allow disabling of colored Docker logs via daemon flag.
Signed-off-by: Vincent Woo <me@vincentwoo.com>
Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 1a10df30ce
Component: cli
2017-06-02 00:07:27 +00:00
92d585ccb5 change 'host:port' to host:port
Signed-off-by: Gang Qiao <qiaohai8866@gmail.com>
Upstream-commit: 235927da80
Component: cli
2017-06-02 00:07:27 +00:00
05d835a2f9 Remove cluster storage advertise from reload.
Because libnetwork won't really send container information to the new
storage anyways.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 045907a71c
Component: cli
2017-06-02 00:07:27 +00:00
7945d4aed1 Allow network configuration via daemon config file.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: d3f2c73453
Component: cli
2017-06-02 00:07:26 +00:00
d714ffc62b Fixing missing certs article; consolidating security material
Entering comments from reviewers
Updating with Derek's comments
Fixing bad links reported by build

Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: 32e9c9434a
Component: cli
2017-06-02 00:07:25 +00:00
d58b556f06 Make TLSOptions and LogConfig embedded structs.
That way the configuration file becomes flag, without extra keys.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 2ac86ababf
Component: cli
2017-06-02 00:07:25 +00:00
e50b50b8db Verify that the configuration keys in the file are valid.
- Return an error if any of the keys don't match valid flags.
- Fix an issue ignoring merged values as named values.
- Fix tlsverify configuration key.
- Fix bug in mflag to avoid panics when one of the flag set doesn't have any flag.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 9930f31f74
Component: cli
2017-06-02 00:07:25 +00:00
e138f9a8f1 Fixed typo in "/etc/subUid"
Signed-off-by: Azat Khuziyakhmetov <shadow_uz@mail.ru>
Upstream-commit: 7e208ef5d0
Component: cli
2017-06-02 00:07:25 +00:00
43dfce8417 Allow to set daemon and server configurations in a file.
Read configuration after flags making this the priority:

1- Apply configuration from file.
2- Apply configuration from flags.

Reload configuration when a signal is received, USR2 in Linux:

- Reload router if the debug configuration changes.
- Reload daemon labels.
- Reload cluster discovery.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: ad43730d0f
Component: cli
2017-06-02 00:07:24 +00:00
4e0c23bead daemon option (--storage-opt dm.basesize) for increasing the base device size on daemon restart
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
Upstream-commit: 1e83a27ca1
Component: cli
2017-06-02 00:07:23 +00:00
a73814be6f Rename authz to authorization for greater clarity
Signed-off-by: Tibor Vass <tibor@docker.com>
Upstream-commit: 7f6a7ed8d1
Component: cli
2017-06-02 00:07:23 +00:00
4c752f535e Add daemon documentation on user namespaces feature
Remove the experimental docs for user namespaces and add similar content
to the `docker daemon` command documentation.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Upstream-commit: 36960be45f
Component: cli
2017-06-02 00:07:23 +00:00
3ed7f4e30c Before that change, etcd and zookeeper would fail to instantiate
the discovery without the key being already there in the store or
created beforehand and implicitly by a 'swarm join'.

Signed-off-by: Alexandre Beslic <abronan@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>

This PR allows to configure the discovery path using the
--discovery-opt flag (with "kv.path=path/to/nodes"). We
can point to "docker/nodes" and use the docker discovery.

If docker instances are advertising to the cluster using
the `--cluster-advertise` flag, the swarm join command
becomes unnecessary.

Signed-off-by: Alexandre Beslic <abronan@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Upstream-commit: 06f084a8ec
Component: cli
2017-06-02 00:07:22 +00:00
c04863fa82 Choose default-cgroup parent by cgroup driver
It's "/docker" for cgroupfs and "system.slice" for systemd.

Fix #19140

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 6a6c99d7fe
Component: cli
2017-06-02 00:07:22 +00:00
c4bdac84f8 Add ability to set cgroup parent for all containers
Fix #18022

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 61295a1ec8
Component: cli
2017-06-02 00:07:22 +00:00
4377e8e7da Fix typo in daemon storage-driver docs
Signed-off-by: Thomas Swift <tgs242@gmail.com>
Upstream-commit: 2d406c4058
Component: cli
2017-06-02 00:07:21 +00:00
001436e214 remove =false from options that default to false in the docs
This re-aligns the docs with what the cmd line now does.

Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: 421578fbd4
Component: cli
2017-06-02 00:07:21 +00:00
cf2cd0632d Change authz plugin argument name
Signed-off-by: Liron Levin <liron@twistlock.com>
Upstream-commit: 53c1cb81c0
Component: cli
2017-06-02 00:07:20 +00:00
4c35bc9676 Fixing documentation comments by @thaJeztah
Signed-off-by: Dima Stopel <dima@twistlock.com>
Upstream-commit: a8a3c47ee5
Component: cli
2017-06-02 00:07:20 +00:00
dfdc43d2c4 Fixing documentation according to comments by @moxiegirl and @thaJeztah
Signed-off-by: Dima Stopel <dima@twistlock.com>
Upstream-commit: 00962f362b
Component: cli
2017-06-02 00:07:20 +00:00
83692c5c04 Adding authorization subsystem documentation
Signed-off-by: Dima Stopel <dima@twistlock.com>
Upstream-commit: 87f1223216
Component: cli
2017-06-02 00:07:20 +00:00
00c64032bc Add docs for option --isolation
Add docs for `run`/`create`/`build` command option `isolation`

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Upstream-commit: 67eea4d814
Component: cli
2017-06-02 00:07:18 +00:00
1ce2809f7f Make discovery ttl and heartbeat configurable
Docker daemon uses kv-store as the host-discovery backend.
Discovery module tracks the liveness of a node through a simple
keepalive mechanism.  The keepalive mechanism depends on every
node performing heartbeat by registering itself with the discovery
module (via KV-Store Put operation). And for every Put operation,
the discovery module in all other nodes will receive a Watch
notification. That keeps the node alive.
Any node that fails to register itself within the TTL timer is
considered dead and removed from the discovery database.

The default timer (heartbeat = 20 seconds & ttl = 60 seconds)
works fine for small clusters.  But for large clusters, these
default timers are extremely aggressive and that causes high CPU
& most of the processing is spent managing the node discovery
and that impacts normal daemon operation.

Hence we need a way to make the discovery ttl and heartbeat
configurable.  As the cluster size grows, the user can change
these timers to make sure the daemon scales.

Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: c072458308
Component: cli
2017-06-02 00:07:18 +00:00
fd7016c7a6 Use fs cgroups by default
Our implementation of systemd cgroups is mixture of systemd api and
plain filesystem api. It's hard to keep it up to date with systemd and
it already contains some nasty bugs with new versions. Ideally it should
be replaced with some daemon flag which will allow to set parent systemd
slice.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 941952972e
Component: cli
2017-06-02 00:07:17 +00:00
c6af22c130 Include xfsprogs in build environment.
devmapper uses xfs by default now. So include xfsprogs in build
environment. Also update docs to reflect the new default.

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Upstream-commit: 555f500ab4
Component: cli
2017-06-02 00:07:16 +00:00
50fbc6f6bd Remove exec-driver global daemon option.
Each platform has only a driver now.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: f9b805f16f
Component: cli
2017-06-02 00:07:15 +00:00
5ab60b10fd Remove LXC support.
The LXC driver was deprecated in Docker 1.8.
Following the deprecation rules, we can remove a deprecated feature
after two major releases. LXC won't be supported anymore starting on Docker 1.10.

Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: c5ed875bd9
Component: cli
2017-06-02 00:07:15 +00:00
8050e305f6 First pass at consolidating
Removing old networking.md
Updating dockernetworks.md with images
Adding information on network plugins
Adding blurb about links to docker networking
Updating the working documentation
Adding Overlay Getting Started
Downplaying links by removing refs/examples, adding refs/examples for network.
Updating getting started to reflect networks not links
Pulling out old network material
Updating per discussion with Madhu to add Default docs section
Updating with bridge default
Fix bad merge
Updating with new cluster-advertise behavior
Update working and NetworkSettings examples
Correcting example for default bridge discovery behavior
Entering comments
Fixing broken Markdown Syntax
Updating with comments
Updating all the links

Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: 02a859b9f3
Component: cli
2017-06-02 00:07:15 +00:00
565f5031db docs: fix storage driver options list
This fixes the indentation of the storage driver
options list.

Also wraps/reformats some examples to prevent
horizontal scrollbars on the rendered HTML

Fixes #17140

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 91e898094f
Component: cli
2017-06-02 00:07:13 +00:00
f6c311219b Document updates for cluster-store-opt
This updates the docs for the daemon based on the new cluster-store-opt
for TLS support.

Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>
Upstream-commit: f10d93f394
Component: cli
2017-06-02 00:07:12 +00:00
d4f3c46baf Enabled GitHub Flavored Markdown
GitHub flavored markdown is now supported for links and images. Also, ran LinkChecker and FileResolver. Yay!
Fixes from Spider check
Output for docker/docker now goes into engine directory

Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: e641a0f363
Component: cli
2017-06-02 00:07:12 +00:00
ccc6356be8 Add TLS support for discovery backend
This leverages recent additions to libkv enabling client
authentication via TLS so the discovery back-end can be locked
down with mutual TLS.  Example usage:

    docker daemon [other args] \
        --cluster-advertise 192.168.122.168:2376 \
        --cluster-store etcd://192.168.122.168:2379 \
        --cluster-store-opt kv.cacertfile=/path/to/ca.pem \
        --cluster-store-opt kv.certfile=/path/to/cert.pem \
        --cluster-store-opt kv.keyfile=/path/to/key.pem

Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>
Upstream-commit: 323fb21864
Component: cli
2017-06-02 00:07:11 +00:00
f33e7e36a6 Fixing issues in command ordering. Adding index.md
Adjust bullets
Entering Seb's comments

Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: d45666f869
Component: cli
2017-06-02 00:07:11 +00:00