Merge pull request #19265 from rhatdan/netsysctl

Add support for setting sysctls Upstream-commit: 988508a2b5aa18c04fd3db143b4e4f5f207ea15e Component: engine
2016-04-13 18:36:30 +02:00
parent 5f0157b8da 3b52ebb9ff
commit 2a0b94972b
12 changed files with 157 additions and 0 deletions
--- a/components/engine/docs/reference/commandline/create.md
+++ b/components/engine/docs/reference/commandline/create.md
@ -82,6 +82,7 @@ Creates a new container.
      --stop-signal="SIGTERM"       Signal to stop a container
      --shm-size=[]                 Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`.  Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`.
      --storage-opt=[]              Set storage driver options per container
+      --sysctl[=*[]*]]              Configure namespaced kernel parameters at runtime
      -t, --tty                     Allocate a pseudo-TTY
      -u, --user=""                 Username or UID
      --userns=""                   Container user namespace
--- a/components/engine/docs/reference/commandline/run.md
+++ b/components/engine/docs/reference/commandline/run.md
@ -84,6 +84,7 @@ parent = "smn_cli"
      --sig-proxy=true              Proxy received signals to the process
      --stop-signal="SIGTERM"       Signal to stop a container
      --storage-opt=[]              Set storage driver options per container
+      --sysctl[=*[]*]]              Configure namespaced kernel parameters at runtime
      -t, --tty                     Allocate a pseudo-TTY
      -u, --user=""                 Username or UID (format: <name|uid>[:<group|gid>])
      --userns=""                   Container user namespace
@ -620,3 +621,30 @@ If you have set the `--exec-opt isolation=hyperv` option on the Docker `daemon`,
 $ docker run -d --isolation default busybox top
 $ docker run -d --isolation hyperv busybox top
 ```
+
+### Configure namespaced kernel parameters (sysctls) at runtime
+
+The `--sysctl` sets namespaced kernel parameters (sysctls) in the
+container. For example, to turn on IP forwarding in the containers
+network namespace, run this command:
+
+    $ docker run --sysctl net.ipv4.ip_forward=1 someimage
+
+
+> **Note**: Not all sysctls are namespaced. docker does not support changing sysctls
+> inside of a container that also modify the host system. As the kernel 
+> evolves we expect to see more sysctls become namespaced.
+
+#### Currently supported sysctls
+
+  `IPC Namespace`:
+
+  kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
+  Sysctls beginning with fs.mqueue.*
+
+  If you use the `--ipc=host` option these sysctls will not be allowed.
+
+  `Network Namespace`:
+      Sysctls beginning with net.*
+
+  If you use the `--net=host` option using these sysctls will not be allowed.