We need SETFCAP to be able to mark files as having caps, which is
heavily used by fedora.
See https://github.com/dotcloud/docker/issues/5928

We also need SETPCAP, for instance systemd needs this to set caps
on its children.

Both of these are safe in the sense that they can never ever
result in a process with a capability not in the bounding set of the
container.

We also add NET_BIND_SERVICE caps, to be able to bind to ports lower
than 1024.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: fcf2e9a9107c6c9aebaf63ce044f636333e7eed8
Component: engine

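The invariant stated in that commit (a process can never hold a capability outside the container's bounding set) can be checked from inside a container by reading the Cap* lines of /proc/self/status. The following is an added example, not code from the Docker project: it decodes those hex masks (the status text below is a constructed sample, not real output) and lists any capability held in the inheritable, permitted or effective sets that is missing from CapBnd.

```python
# Added example: decode Linux capability masks as printed in /proc/<pid>/status
# and verify that Inh/Prm/Eff never exceed the bounding set (CapBnd).

# Bit numbers from <linux/capability.h>; subset relevant to this change.
CAP_BITS = {
    "CAP_SETPCAP": 8,
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_SYS_ADMIN": 21,
    "CAP_MKNOD": 27,
    "CAP_SETFCAP": 31,
}

# Constructed sample of the Cap* lines from /proc/self/status (not real output).
# Bounding set = SETPCAP | NET_BIND_SERVICE | MKNOD | SETFCAP = 0x88000500.
STATUS_OK = """\
CapInh:\t0000000000000000
CapPrm:\t0000000088000500
CapEff:\t0000000088000500
CapBnd:\t0000000088000500
"""

# Same bounding set, but CapEff also carries CAP_SYS_ADMIN (bit 21): violates the invariant.
STATUS_BAD = STATUS_OK.replace("CapEff:\t0000000088000500", "CapEff:\t0000000088200500")


def parse_status_caps(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from /proc/<pid>/status text."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            name, _, value = line.partition(":")
            caps[name.strip()] = int(value.strip(), 16)
    return caps


def has_cap(mask, cap_name):
    """True if the named capability bit is set in the mask."""
    return bool((mask >> CAP_BITS[cap_name]) & 1)


def caps_outside_bounding(caps):
    """Known capabilities present in Inh/Prm/Eff but absent from CapBnd (expected: none)."""
    bnd = caps["CapBnd"]
    leaked = set()
    for key in ("CapInh", "CapPrm", "CapEff"):
        extra = caps.get(key, 0) & ~bnd  # bits set here but cleared in CapBnd
        leaked.update(n for n, bit in CAP_BITS.items() if (extra >> bit) & 1)
    return sorted(leaked)
```

On a live system, feed `open("/proc/self/status").read()` to `parse_status_caps` instead of the sample text.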
Without this any container startup fails:

2014/05/20 09:20:36 setup mount namespace copy additional dev nodes mknod fuse operation not permitted

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 602950435056baa939f428223b6d3ff26ca5403d
Component: engine

This changes the test TestBuildWithInaccessibleFilesInContext to not
add the user 'unprivilegeduser' and add it via the Dockerfile instead.

Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 599cb12bb8aa13aa2f1be940dd8de4c9d3a06959
Component: engine

Fixes #5849

If the host system does not have fuse enabled in the kernel config we
will ignore the is not exist errors when trying to copy the device node
from the host system into the container.

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Upstream-commit: a87bcefb8bf0cee47bf114a46fc33708ce843208
Component: engine

Some applications want to write to /proc. For instance:

docker run -it centos groupadd foo

Gives: groupadd: failure while writing changes to /etc/group

And strace reveals why:

open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)

I've looked at what other systems do, and systemd-nspawn makes /proc read-write
and /proc/sys readonly, while lxc allows "proc:mixed" which does the same,
plus it makes /proc/sysrq-trigger also readonly.

The latter seems like a prudent idea, so we follow lxc proc:mixed.

Additionally we make /proc/irq and /proc/bus readonly, as these seem to let
you control various hardware things.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 68493e2f7f9cb8303302e1098e3293b521ace243
Component: engine

Tee hangs when `go test` exits with a non-zero code.

Fixes #5672

Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
Upstream-commit: 7cd1e482309e944522d3506f8e15eeb3ab7fb796
Component: engine

For issue #5658 this rewrite of the networking page explains what every
single option (unless I missed one!) does both for the Docker server and
also the Docker client when submitting a "docker run". I somehow
thought that, when I was done, there would be a lot more about setting
up topologies like I did for my Foundations of Python Network
Programming network of Docker containers. More about making routers and
firewalls that NAT and so forth. But, at least for this draft, I think
that setting up subnets and setting up point-to-point links is most of
what Docker users will need unless they are doing something exotic.
We can always expand later.

Docker-DCO-1.1-Signed-off-by: Brandon Rhodes <brandon@rhodesmill.org> (github: brandon-rhodes)

Improve networking.md documentation per @jamtur01

Besides catching some typos and awkward sentences, @jamtur01 had several
more thorough changes to suggest:

* He illustrated the correct way to delimit "Note" paragraphs in
  Docker documentation.
* He helped point out where I was presuming an Ubuntu host running
  Docker, so that I could re-word those sections to be specific that
  the advice only applied to Ubuntu (these mostly related to how to
  set server-wide options and restart the server).
* He is happy to have "Ethernet" capitalized even where Linux
  documentation would render it with an ugly lower-case first letter.

Docker-DCO-1.1-Signed-off-by: Brandon Rhodes <brandon@rhodesmill.org> (github: brandon-rhodes)

Improve networking.md per ideas from @SvenDowideit

A response to a bit of further discussion of pull request #5884.

Upstream-commit: ca9c35cdf772ddb121447b3877dbcf8caa4c5cdb
Component: engine

Rearrange docker version output so that server output matches client
output

Docker-DCO-1.1-Signed-off-by: Jonathan McCrohan <jmccrohan@gmail.com> (github: jmccrohan)
Upstream-commit: 82712ed67ef9c189ccc8837ef8469272c91f6fcf
Component: engine