mirror of https://github.com/docker/cli.git
Allow net and IPC namespaces to be shared when userns=on
Now that the namespace sharing code via runc is vendored with the containerd changes, we can disable the restrictions on container to container net and IPC namespace sharing when the daemon has user namespaces enabled.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This commit is contained in:
parent
eba678647b
commit
0926303632
@ -792,11 +792,9 @@ The following standard Docker features are currently incompatible when
running a Docker daemon with user namespaces enabled:
running a Docker daemon with user namespaces enabled:
- sharing PID or NET namespaces with the host (`--pid=host` or `--net=host`)
- sharing PID or NET namespaces with the host (`--pid=host` or `--net=host`)
- sharing a network namespace with an existing container (`--net=container:*other*`)
- sharing an IPC namespace with an existing container (`--ipc=container:*other*`)
- A `--readonly` container filesystem (this is a Linux kernel restriction against remounting with modified flags of a currently mounted filesystem when inside a user namespace)
- A `--readonly` container filesystem (this is a Linux kernel restriction against remounting with modified flags of a currently mounted filesystem when inside a user namespace)
- external (volume or graph) drivers which are unaware/incapable of using daemon user mappings
- external (volume or graph) drivers which are unaware/incapable of using daemon user mappings
- Using `--privileged` mode flag on `docker run`
- Using `--privileged` mode flag on `docker run` (unless also specifying `--userns=host`)
In general, user namespaces are an advanced feature and will require
In general, user namespaces are an advanced feature and will require
coordination with other capabilities. For example, if volumes are mounted from
coordination with other capabilities. For example, if volumes are mounted from
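Review bot: the change to the `--privileged` bullet (old: "Using `--privileged` mode flag on `docker run`"; new: "... (unless also specifying `--userns=host`)") is not covered by the commit message, which only describes lifting the container-to-container net and IPC namespace sharing restrictions that the two removed bullets (`--net=container:*other*`, `--ipc=container:*other*`) document. Either mention the `--privileged` documentation change in the commit message or split it into its own commit. The new parenthetical also reads as if `--privileged` can now coexist with user-namespace remapping; consider wording it so it is clear that `--userns=host` runs that container without the daemon's user-namespace remapping, which is why the incompatibility no longer applies to it, for example: "Using `--privileged` mode flag on `docker run` (unless the container is also run with `--userns=host`, which disables user-namespace remapping for that container)".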