From 6ee8cf85c5dd0de7b516ca647c1c57a94d1bb560 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 1 Jun 2017 17:05:42 +0200 Subject: [PATCH 1/8] Update deprecated.md for removal of --email flag Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 43239f62bedc4721d27744d21c122622988bb3ae) Signed-off-by: Tibor Vass --- docs/deprecated.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/deprecated.md b/docs/deprecated.md index 7e0bfc0a60..e1e7e12645 100644 --- a/docs/deprecated.md +++ b/docs/deprecated.md @@ -138,7 +138,7 @@ on all subcommands (due to it conflicting with, e.g. `-h` / `--hostname` on ### `-e` and `--email` flags on `docker login` **Deprecated In Release: [v1.11.0](https://github.com/docker/docker/releases/tag/v1.11.0)** -**Target For Removal In Release: v17.06** +**Removed In Release: [v17.06](https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce)** The docker login command is removing the ability to automatically register for an account with the target registry if the given username doesn't exist. Due to this change, the email flag is no longer required, and will be deprecated. From 7955683eb27e161a159cb464f1f17b27bcc09002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?T=C3=B5nis=20Tiigi?= Date: Thu, 20 Apr 2017 20:11:26 -0700 Subject: [PATCH 2/8] Merge pull request #32684 from scjane/patch-3 Update builder.md (cherry picked from commit 831066337743fc29ff122fce51afe44b8b3b3ba9) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit bc66821abbcf50c721ce9b8f52b339fda102d389) Signed-off-by: Tibor Vass --- docs/reference/builder.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference/builder.md b/docs/reference/builder.md index 2571511b64..502e41dfbb 100644 --- a/docs/reference/builder.md +++ b/docs/reference/builder.md 
@@ -94,8 +94,8 @@ instructions. Whenever possible, Docker will re-use the intermediate images (cache), to accelerate the `docker build` process significantly. This is indicated by the `Using cache` message in the console output. -(For more information, see the [Build cache section](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#/build-cache)) in the -`Dockerfile` best practices guide: +(For more information, see the [Build cache section](https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/#build-cache) in the +`Dockerfile` best practices guide): $ docker build -t svendowideit/ambassador . Sending build context to Docker daemon 15.36 kB From b1738f45059b60945dc97f4d53cc9f4e2814a3e1 Mon Sep 17 00:00:00 2001 From: Vincent Demeester Date: Wed, 26 Apr 2017 15:30:09 +0200 Subject: [PATCH 3/8] Merge pull request #32724 from PatrickLang/patricklang-win-memory Adding more on -m and --memory (cherry picked from commit c3fbca106552f2dadcb89510ff87945b50f36419) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit b4047a849bd3018f8a8eabf34613a4fca57f818e) Signed-off-by: Tibor Vass --- docs/reference/commandline/run.md | 35 +++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md index ecb676dc20..2216319415 100644 --- a/docs/reference/commandline/run.md +++ b/docs/reference/commandline/run.md 
@@ -745,6 +745,41 @@ PS C:\> docker run -d --isolation default microsoft/nanoserver powershell echo h PS C:\> docker run -d --isolation hyperv microsoft/nanoserver powershell echo hyperv ``` +### Specify hard limits on memory available to containers (-m, --memory) + +These parameters always set an upper limit on the memory available to the container. On Linux, this +is set on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`. + +On Windows, this will affect containers differently depending on what type of isolation is used. + +- With `process` isolation, Windows will report the full memory of the host system, not the limit to applications running inside the container + ```powershell + docker run -it -m 2GB --isolation=process microsoft/nanoserver powershell Get-ComputerInfo *memory* + + CsTotalPhysicalMemory : 17064509440 + CsPhyicallyInstalledMemory : 16777216 + OsTotalVisibleMemorySize : 16664560 + OsFreePhysicalMemory : 14646720 + OsTotalVirtualMemorySize : 19154928 + OsFreeVirtualMemory : 17197440 + OsInUseVirtualMemory : 1957488 + OsMaxProcessMemorySize : 137438953344 + ``` +- With `hyperv` isolation, Windows will create a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory." + ```powershell + docker run -it -m 2GB --isolation=hyperv microsoft/nanoserver powershell Get-ComputerInfo *memory* + + CsTotalPhysicalMemory : 2683355136 + CsPhyicallyInstalledMemory : + OsTotalVisibleMemorySize : 2620464 + OsFreePhysicalMemory : 2306552 + OsTotalVirtualMemorySize : 2620464 + OsFreeVirtualMemory : 2356692 + OsInUseVirtualMemory : 263772 + OsMaxProcessMemorySize : 137438953344 + ``` + + ### Configure namespaced kernel parameters (sysctls) at runtime The `--sysctl` sets namespaced kernel parameters (sysctls) in the From 5bf86c198488c7f78f2ffd05a8a2441f719d3b98 Mon Sep 17 00:00:00 2001 
From: Sebastiaan van Stijn Date: Tue, 25 Apr 2017 10:18:16 -0700 Subject: [PATCH 4/8] Merge pull request #32735 from bhavin192/patch-1 Add note about host-dir in VOLUME (cherry picked from commit f2fff9d913a8ab0436dd56033189a7c3713a59a2) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 8fd6547fc3eb67e7efa7efb007ae6a4494cd2bb3) Signed-off-by: Tibor Vass --- docs/reference/builder.md | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/docs/reference/builder.md b/docs/reference/builder.md index 502e41dfbb..f8ef9cf56b 100644 --- a/docs/reference/builder.md +++ b/docs/reference/builder.md 
@@ -1281,18 +1281,28 @@ This Dockerfile results in an image that causes `docker run`, to create a new mount point at `/myvol` and copy the `greeting` file into the newly created volume. -> **Note**: -> When using Windows-based containers, the destination of a volume inside the -> container must be one of: a non-existing or empty directory; or a drive other -> than C:. +### Notes about specifying volumes -> **Note**: -> If any build steps change the data within the volume after it has been -> declared, those changes will be discarded. +Keep the following things in mind about volumes in the `Dockerfile`. -> **Note**: -> The list is parsed as a JSON array, which means that -> you must use double-quotes (") around words not single-quotes ('). +- **Volumes on Windows-based containers**: When using Windows-based containers, + the destination of a volume inside the container must be one of: + + - a non-existing or empty directory + - a drive other than `C:` + +- **Changing the volume from within the Dockerfile**: If any build steps change the + data within the volume after it has been declared, those changes will be discarded. + +- **JSON formatting**: The list is parsed as a JSON array. + You must enclose words with double quotes (`"`)rather than single quotes (`'`). + +- **The host directory is declared at container run-time**: The host directory + (the mountpoint) is, by its nature, host-dependent. This is to preserve image + portability. since a given host directory can't be guaranteed to be available + on all hosts.For this reason, you can't mount a host directory from + within the Dockerfile. The `VOLUME` instruction does not support specifying a `host-dir` + parameter. You must specify the mountpoint when you create or run the container. ## USER From 8247a36058932059dd9e8aac82b1a7f426197b32 Mon Sep 17 00:00:00 2001 
From: Brian Goff Date: Mon, 24 Apr 2017 08:53:30 -0400 Subject: [PATCH 5/8] Merge pull request #32791 from djalal/patch-1 fix typo (cherry picked from commit 32a52716b964373b4ac464052e73ea5da79856c6) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit fcbd93f52032593cc71b298c00a46fd354356650) Signed-off-by: Tibor Vass --- docs/reference/commandline/node_ls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/commandline/node_ls.md b/docs/reference/commandline/node_ls.md index 224642c2e5..2f9c2becdf 100644 --- a/docs/reference/commandline/node_ls.md +++ b/docs/reference/commandline/node_ls.md @@ -89,7 +89,7 @@ ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS 1bcef6utixb0l0ca7gxuivsj0 swarm-worker2 Ready Active ``` -#### membersip +#### membership The `membership` filter matches nodes based on the presence of a `membership` and a value `accepted` or `pending`. From ba4dcadcaa2bdd99c96b289c2443396e4b992391 Mon Sep 17 00:00:00 2001 From: Doug Davis Date: Fri, 28 Apr 2017 18:39:52 -0400 Subject: [PATCH 6/8] Merge pull request #32804 from bbodenmiller/patch-1 remove extra word (cherry picked from commit 9db03bd8cdad3c8804105cb5794ebad5e728f48f) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 3eaec0071c3ce1b7201e37859afe5bcb78d4f215) Signed-off-by: Tibor Vass --- docs/reference/run.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/run.md b/docs/reference/run.md index b209343b58..817c20c969 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md 
@@ -1123,7 +1123,7 @@ by default a container is not allowed to access any devices, but a the documentation on [cgroups devices](https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt)). When the operator executes `docker run --privileged`, Docker will enable -to access to all devices on the host as well as set some configuration +access to all devices on the host as well as set some configuration in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with `--privileged` is available on the From 8b11d46ecdb82f6eded069d1a005e05bbbee62f2 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 8 Jun 2017 01:09:45 +0200 Subject: [PATCH 7/8] Merge pull request #33572 from hsluoyz/patch-1 Add Casbin plugin to the list of Authorization plugins in docs. (cherry picked from commit 220831d541bfe9bf566c1038773198d431560dd3) Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 0ad3e3294e74f443130b5e1fb1ef6b31f4f92366) Signed-off-by: Tibor Vass --- docs/extend/legacy_plugins.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/extend/legacy_plugins.md b/docs/extend/legacy_plugins.md index 68bba59f46..dc77743b86 100644 --- a/docs/extend/legacy_plugins.md +++ b/docs/extend/legacy_plugins.md 
@@ -87,8 +87,9 @@ Plugin Plugin | Description ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ - [Twistlock AuthZ Broker](https://github.com/twistlock/authz) | A basic extendable authorization plugin that runs directly on the host or inside a container. This plugin allows you to define user policies that it evaluates during authorization. Basic authorization is provided if Docker daemon is started with the --tlsverify flag (username is extracted from the certificate common name). - [HBM plugin](https://github.com/kassisol/hbm) | An authorization plugin that prevents from executing commands with certains parameters. +[Casbin AuthZ Plugin](https://github.com/casbin/casbin-authz-plugin) | An authorization plugin based on [Casbin](https://github.com/casbin/casbin), which supports access control models like ACL, RBAC, ABAC. The access control model can be customized. The policy can be persisted into file or DB. +[HBM plugin](https://github.com/kassisol/hbm) | An authorization plugin that prevents from executing commands with certains parameters. +[Twistlock AuthZ Broker](https://github.com/twistlock/authz) | A basic extendable authorization plugin that runs directly on the host or inside a container. This plugin allows you to define user policies that it evaluates during authorization. Basic authorization is provided if Docker daemon is started with the --tlsverify flag (username is extracted from the certificate common name). ## Troubleshooting a plugin From ee1bbab62093f8a2fa4e365c0884d5bf8898354a Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Sun, 11 Jun 2017 14:47:23 +0200 Subject: [PATCH 8/8] Update docs, completion scripts for disable-legacy-registry 
Signed-off-by: Sebastiaan van Stijn (cherry picked from commit 2b8f0eef7338f37104464154ba65aef7db3b9703) Signed-off-by: Tibor Vass --- contrib/completion/zsh/_docker | 2 +- docs/deprecated.md | 2 +- docs/reference/commandline/dockerd.md | 15 +++++++++++++-- man/dockerd.8.md | 2 +- 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker index 0860907839..4b0c1e25c7 100644 --- a/contrib/completion/zsh/_docker +++ b/contrib/completion/zsh/_docker @@ -2620,7 +2620,7 @@ __docker_subcommand() { "($help)--default-gateway-v6[Container default gateway IPv6 address]:IPv6 address: " \ "($help)--default-shm-size=[Default shm size for containers]:size:" \ "($help)*--default-ulimit=[Default ulimits for containers]:ulimit: " \ - "($help)--disable-legacy-registry[Disable contacting legacy registries]" \ + "($help)--disable-legacy-registry[Disable contacting legacy registries (default true)]" \ "($help)*--dns=[DNS server to use]:DNS: " \ "($help)*--dns-opt=[DNS options to use]:DNS option: " \ "($help)*--dns-search=[DNS search domains to use]:DNS search: " \ diff --git a/docs/deprecated.md b/docs/deprecated.md index e1e7e12645..9905994b73 100644 --- a/docs/deprecated.md +++ b/docs/deprecated.md @@ -292,7 +292,7 @@ of the `--changes` flag that allows to pass `Dockerfile` commands. **Target For Removal In Release: v17.12** -Version 1.9 adds a flag (`--disable-legacy-registry=false`) which prevents the +Version 1.8.3 added a flag (`--disable-legacy-registry=false`) which prevents the docker daemon from `pull`, `push`, and `login` operations against v1 registries. Though enabled by default, this signals the intent to deprecate the v1 protocol. diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md index 93774c841b..ef6bcd3831 100644 --- a/docs/reference/commandline/dockerd.md +++ b/docs/reference/commandline/dockerd.md 
@@ -42,7 +42,7 @@ Options: --default-gateway-v6 ip Container default gateway IPv6 address --default-runtime string Default OCI runtime for containers (default "runc") --default-ulimit ulimit Default ulimits for containers (default []) - --disable-legacy-registry Disable contacting legacy registries + --disable-legacy-registry Disable contacting legacy registries (default true) --dns list DNS server to use (default []) --dns-opt list DNS options to use (default []) --dns-search list DNS search domains to use (default []) @@ -901,7 +901,18 @@ system's list of trusted CAs instead of enabling `--insecure-registry`. ##### Legacy Registries -Enabling `--disable-legacy-registry` forces a docker daemon to only interact with registries which support the V2 protocol. Specifically, the daemon will not attempt `push`, `pull` and `login` to v1 registries. The exception to this is `search` which can still be performed on v1 registries. +Operations against registries supporting only the legacy v1 protocol are +disabled by default. Specifically, the daemon will not attempt `push`, +`pull` and `login` to v1 registries. The exception to this is `search` +which can still be performed on v1 registries. + +Add `"disable-legacy-registry":false` to the [daemon configuration +file](#daemon-configuration-file), or set the +`--disable-legacy-registry=false` flag, if you need to interact with +registries that have not yet migrated to the v2 protocol. + +Interaction v1 registries will no longer be supported in Docker v17.12, +and the `disable-legacy-registry` configuration option will be removed. #### Running a Docker daemon behind an HTTPS_PROXY diff --git a/man/dockerd.8.md b/man/dockerd.8.md index a4e079074f..e9d7e68739 100644 --- a/man/dockerd.8.md +++ b/man/dockerd.8.md 
@@ -192,7 +192,7 @@ $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-ru Default ulimits for containers. **--disable-legacy-registry**=*true*|*false* - Disable contacting legacy registries + Disable contacting legacy registries. Default is `true`. **--dns**="" Force Docker to use specific DNS servers
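Review bot: In PATCH 1/8 (docs/deprecated.md), the unchanged paragraph directly under the changed heading line still says "the email flag is no longer required, and will be deprecated", which is stale now that the heading reads "Removed In Release: v17.06". Suggest rewording it to the past tense so the entry is self-consistent, e.g. "the `--email` flag was deprecated in v1.11.0 and removed in v17.06".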
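Review bot: In PATCH 3/8 (docs/reference/commandline/run.md), the `process` isolation bullet says Windows "will report the full memory of the host system, not the limit" but never states that the `-m` limit is still enforced, so a reader of that bullet alone may conclude the flag is ignored under process isolation. The section opener already says the parameters "always set an upper limit", so suggest repeating that in the bullet, e.g. "The limit is still enforced; an application that sizes its heap or cache from the reported total can exceed it." Minor: the opening sentence "These parameters always set an upper limit" would read better as "This flag always sets an upper limit", since `-m` and `--memory` are one option.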
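Review bot: In PATCH 4/8 (docs/reference/builder.md), the new bullets contain three typographical errors that should be fixed before merge: `(`"`)rather than single quotes` is missing a space before "rather"; `portability. since a given host directory` has a lowercase "since" after a full stop (either join the sentences or capitalise); and `on all hosts.For this reason` is missing a space after the full stop.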
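Review bot: In PATCH 7/8 (docs/extend/legacy_plugins.md), the HBM row is being removed and re-added to reorder the table, so this is the moment to fix the pre-existing typo it carries: "prevents from executing commands with certains parameters" should read "prevents executing commands with certain parameters". Also note that the commit message only mentions adding Casbin; a line saying the rows were alphabetised would explain why the Twistlock row moves.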
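Review bot: In PATCH 8/8, the docs/deprecated.md hunk is internally inconsistent: the changed line says "a flag (`--disable-legacy-registry=false`) which prevents the docker daemon from `pull`, `push`, and `login` operations against v1 registries", but per the dockerd.md hunk in this same patch `=false` is the value that re-enables v1 access, so the sentence should cite `--disable-legacy-registry` (or `=true`). The unchanged context "Though enabled by default" also no longer matches the new default of `true` introduced here; suggest adding a sentence such as "Since v17.06 the flag defaults to `true`, so v1 `push`, `pull` and `login` are disabled unless explicitly re-enabled with `--disable-legacy-registry=false`."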
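Review bot: In PATCH 8/8, the docs/reference/commandline/dockerd.md "Legacy Registries" hunk has a missing word: "Interaction v1 registries will no longer be supported in Docker v17.12" should read "Interaction with v1 registries ...". Otherwise the paragraph correctly tells users to pass `--disable-legacy-registry=false` rather than the bare flag, which matters because with the new `(default true)` shown in the options listing the bare `--disable-legacy-registry` is now a no-op.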