mirror of https://github.com/docker/cli.git
add doc
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
parent 6c10e6fe81
commit 1b9bc637e6
@ -55,7 +55,7 @@ following options.
|
||||||
- [Network Settings](#network-settings)
|
- [Network Settings](#network-settings)
|
||||||
- [Clean Up (--rm)](#clean-up-rm)
|
- [Clean Up (--rm)](#clean-up-rm)
|
||||||
- [Runtime Constraints on CPU and Memory](#runtime-constraints-on-cpu-and-memory)
|
- [Runtime Constraints on CPU and Memory](#runtime-constraints-on-cpu-and-memory)
|
||||||
- [Runtime Privilege and LXC Configuration](#runtime-privilege-and-lxc-configuration)
|
- [Runtime Privilege, Linux Capabilities, and LXC Configuration](#runtime-privilege-linux-capabilities-and-lxc-configuration)
|
||||||
|
|
||||||
## Detached vs Foreground
|
## Detached vs Foreground
|
||||||
|
|
||||||
|
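Review bot: the renamed TOC entry's anchor `#runtime-privilege-linux-capabilities-and-lxc-configuration` only works if it matches the slug the docs renderer derives from the new heading "Runtime Privilege, Linux Capabilities, and LXC Configuration" (commas dropped, spaces to hyphens, lower-cased); check the rendered page, since a mismatched anchor silently breaks the in-page link without any build error.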
@ -222,8 +222,10 @@ get the same proportion of CPU cycles, but you can tell the kernel to
|
||||||
give more shares of CPU time to one or more containers when you start
|
give more shares of CPU time to one or more containers when you start
|
||||||
them via Docker.
|
them via Docker.
|
||||||
|
|
||||||
## Runtime Privilege and LXC Configuration
|
## Runtime Privilege, Linux Capabilities, and LXC Configuration
|
||||||
|
|
||||||
|
--cap-add: Add Linux capabilities
|
||||||
|
--cap-drop: Drop Linux capabilities
|
||||||
--privileged=false: Give extended privileges to this container
|
--privileged=false: Give extended privileges to this container
|
||||||
--lxc-conf=[]: (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"
|
--lxc-conf=[]: (lxc exec-driver only) Add custom lxc options --lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"
|
||||||
|
|
||||||
|
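Review bot: the two new entries `--cap-add: Add Linux capabilities` and `--cap-drop: Drop Linux capabilities` do not follow the form used by the neighbouring options, which show the flag's default value (`--privileged=false`, `--lxc-conf=[]`); for consistency, and to signal that both flags take a list, write them as `--cap-add=[]: Add Linux capabilities` and `--cap-drop=[]: Drop Linux capabilities`.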
@ -242,6 +244,16 @@ host as processes running outside containers on the host. Additional
|
||||||
information about running with `--privileged` is available on the
|
information about running with `--privileged` is available on the
|
||||||
[Docker Blog](http://blog.docker.com/2013/09/docker-can-now-run-within-docker/).
|
[Docker Blog](http://blog.docker.com/2013/09/docker-can-now-run-within-docker/).
|
||||||
|
|
||||||
|
In addition to `--privileged` the operator can have fine grain control over the
|
||||||
|
capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default
|
||||||
|
list of capabilities that are kept. Both flags support the value `all`, so if the
|
||||||
|
operator wants to have all capabilities but `MKNOD` they could use:
|
||||||
|
|
||||||
|
$ docker run --cap-add=ALL --cap-drop=MKNOD ...
|
||||||
|
|
||||||
|
For interacting with the network stack, instead of using `--privileged` they
|
||||||
|
should use `--cap-add=NET_ADMIN` to modify the network interfaces.
|
||||||
|
|
||||||
If the Docker daemon was started using the `lxc` exec-driver
|
If the Docker daemon was started using the `lxc` exec-driver
|
||||||
(`docker -d --exec-driver=lxc`) then the operator can also specify LXC options
|
(`docker -d --exec-driver=lxc`) then the operator can also specify LXC options
|
||||||
using one or more `--lxc-conf` parameters. These can be new parameters or
|
using one or more `--lxc-conf` parameters. These can be new parameters or
|
||||||
|
|
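Review bot: "By default, Docker has a default list of capabilities that are kept" is redundant and never says which capabilities are in that list, which the reader needs in order to know what `--cap-drop=MKNOD` actually removes; name the default set here or link to where it is defined. The prose says both flags accept the value `all` while the example passes `ALL`, so use one spelling or state that matching is case-insensitive. Because the example starts from `--cap-add=ALL`, the `--cap-add=NET_ADMIN` sentence is a good place to also show the least-privilege direction, e.g. `--cap-drop=ALL --cap-add=NET_ADMIN`, so operators are not steered toward granting everything first. Also "fine grain control" should read "fine-grained control".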