Add a --readonly flag to allow the container's root filesystem to be
mounted as readonly. This can be used in combination with volumes to
force a container's process to only write to locations that will be
persisted. This is useful in many cases where the admin controls where
they would like developers to write files and error on any other
locations.
Closes#7923Closes#8752
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 409407091a7282d0c4086b71e86397e2d089ba13
Component: engine
We want to be able to use container without the PID namespace. We basically
want containers that can manage the host os, which I call Super Privileged
Containers. We eventually would like to get to the point where the only
namespace we use is the MNT namespace to bring the Apps userspace with it.
By eliminating the PID namespace we can get better communication between the
host and the clients and potentially tools like strace and gdb become easier
to use. We also see tools like libvirtd running within a container telling
systemd to place a VM in a particular cgroup, we need to have communications of the PID.
I don't see us needing to share PID namespaces between containers, since this
is really what docker exec does.
So currently I see us just needing docker run --pid=host
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 23feaaa240853c0e7f9817f8c2d272dd1c93ac3f
Component: engine
Add a check to make sure Dockerfile is in the build context
Add docs and a testcase
Make -f relative to current dir, not build context
Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: eb3ea3b43c716ad727521a7d0bc20d7321bb0867
Component: engine
--help and help are successful commands so output should not go to error.
QE teams have requested this change, also users doing docker help | less
or docker run --help | less would expect this to work.
Usage statement should only be printed when the user asks for it.
Errors should print error message and then suggest the docker COMMAND --help
command to see usage information.
The current behaviour causes the user to have to search for the error message
and sometimes scrolls right off the screen. For example a error on a
"docker run" command is very difficult to diagnose.
Finally erros should always exit with a non 0 exit code, if the user
makes a CLI error.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: a2b529ead21e6ab9eafcb1b1d2437c725c43a06a
Component: engine
This patch fixes the indenting.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: bc1507dfce956846ba1515ccbfcd202c06aa995b
Component: engine
Forbid `docker run -t` with a redirected stdin (such as `echo test |
docker run -ti busybox cat`). Forbid `docker exec -t` with a redirected
stdin. Forbid `docker attach` with a redirect stdin toward a tty enabled
container.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Upstream-commit: 67e3ddb75ff27b8de0022e330413b4308ec5b010
Component: engine
I've re-jigged the run man page so that each option's text begins with the
cli's help text for that flag, and then ay subsequent lines in the man page
are carried forward.
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au> (github: SvenDowideit)
Upstream-commit: e01baa6be782320d3c0800697c882c2b919b202f
Component: engine
Documented --storage-opt=[] option in man page. Content taken from:
daemon/graphdriver/devmapper/README.md
Signed-off-by: Michal Minar <miminar@redhat.com>
Docker-DCO-1.1-Signed-off-by: Michal Minar <miminar@redhat.com> (github: SvenDowideit)
Upstream-commit: aa00ad47e243b41b863354e6360a5d3a46aa3212
Component: engine
Current description is misleading. It make an impression the --icc=false
prevents containers to talk with each other.
Signed-off-by: Michal Minar <miminar@redhat.com>
Docker-DCO-1.1-Signed-off-by: Michal Minar <miminar@redhat.com> (github: SvenDowideit)
Upstream-commit: a61a4a31882335020cfbffc49ffe274847a5c803
Component: engine
Synopsis is mentioning "NAME" while description is describing "REPOSITORY".
Signed-off-by: Tomas Tomecek <ttomecek@redhat.com>
Upstream-commit: 095027944f16205c1c75d47d2f60a7c1ac666bf1
Component: engine
Next steps, in another PR, would be:
- make all logging go through the logrus stuff
- I'd like to see if we can remove the env var stuff (like DEBUG) but we'll see
Closes#5198
Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: 2facc0467336a80f48c765dbdbd803055a431aa9
Component: engine
Signal proxy does work only in non-TTY mode (--tty=false). Man pages and
commands should not lie about it.
Signed-off-by: Michal Minar <miminar@redhat.com>
Upstream-commit: e71f241c4b8006f097e4c63f7b3ea28d4591ddee
Component: engine
Some workloads rely on IPC for communications with other processes. We
would like to split workloads between two container but still allow them
to communicate though shared IPC.
This patch mimics the --net code to allow --ipc=host to not split off
the IPC Namespace. ipc=container:CONTAINERID to share ipc between containers
If you share IPC between containers, then you need to make sure SELinux labels
match.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 497fc8876ede9924f61c0eee4dfadd71e5d9f537
Component: engine
PR 6720 introduce that use `--dns-search=.` will not set `search` in `/etc/resolv.conf`.
Signed-off-by: Huayi Zhang <irachex@gmail.com>
Upstream-commit: 36ffbd7acf60d15942c0591bb4fec498f021331e
Component: engine
Using repo tag in the status message for better usability, as per review comments
Added documentation and Changed code to print Status after downloads are complete
Addresses #2404
Signed-off-by: Srini Brahmaroutu <srbrahma@us.ibm.com>
Upstream-commit: ecff6303a366a5e8fd178b7baa1c64895a3a3622
Component: engine
Add --security-opts options to allow user to customize container labels and apparmor profile
Upstream-commit: d40ab6f1238c78ea84645e516f1f24d7991798b0
Component: engine
security-opts will allow you to customise the security subsystem.
For example the labeling system like SELinux will run on a container.
--security-opt="label:user:USER" : Set the label user for the container
--security-opt="label:role:ROLE" : Set the label role for the container
--security-opt="label:type:TYPE" : Set the label type for the container
--security-opt="label:level:LEVEL" : Set the label level for the container
--security-opt="label:disabled" : Turn off label confinement for the container
Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels. Genlabels interface is Depracated.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 87e732a0f3503517d7a66804bb9a7f74977347e5
Component: engine
docker-exec.md needs to be renamed in order to build man page.
Should be docker-exec.1.md
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 0a8fb80d99e41f2d8d05f593fd77018e26f4ee2c
Component: engine
Updated the documentation to to clarify random port mapping when using -...
Upstream-commit: 60f6b0299a11212f9562d7df0f126d517fd2d3a6
Component: engine
