From 65120e88518d33de002a2ae5d501660bbc89d790 Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Tue, 1 Dec 2015 13:39:34 -0500
Subject: [PATCH] This patch adds --tmpfs as a option for mounting tmpfs on directories
It will Tar up contents of child directory onto tmpfs if mounted over
This patch will use the new PreMount and PostMount hooks to "tar" up the contents of the base image on top of tmpfs mount points.
Signed-off-by: Dan Walsh
---
 contrib/completion/bash/docker | 3 ++-
 contrib/completion/fish/docker.fish | 1 +
 contrib/completion/zsh/_docker | 1 +
 docs/reference/commandline/run.md | 8 ++++++++
 docs/reference/run.md | 8 ++++++++
 man/docker-create.1.md | 15 +++++++++++++++
 man/docker-run.1.md | 28 ++++++++++++++++++++++++++++
 7 files changed, 63 insertions(+), 1 deletion(-)
diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
index f2648f70c0..ced3724e53 100644
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@@ -1394,6 +1394,7 @@ _docker_run() {
 --restart
 --security-opt
 --stop-signal
+ --tmpfs
 --ulimit
 --user -u
 --uts
@@ -1443,7 +1444,7 @@ _docker_run() {
 _filedir
 return
 ;;
- --device|--volume|-v)
+ --device|--tmpfs|--volume|-v)
 case "$cur" in
 *:*)
 # TODO somehow do _filedir for stuff inside the image, if it's already specified (which is also somewhat difficult to determine)
diff --git a/contrib/completion/fish/docker.fish b/contrib/completion/fish/docker.fish
index 04a1844388..33abfd0d37 100644
--- a/contrib/completion/fish/docker.fish
+++ b/contrib/completion/fish/docker.fish
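Review bot: Routing `--tmpfs` through the `--device|--volume|-v)` arm in the second hunk gives it completion shaped for a host path, which does not fit its argument: per the docs added in this same commit the value is `container-dir[:options]`, so the text after the colon is a comma-separated mount option list rather than the in-image path the `*:*)` TODO comment talks about, and the text before the colon is a container path for which host-side `_filedir` results are at best the same loose approximation `-v /container` already relies on. The remainder of this `case` arm is outside the hunk, so I cannot see what the non-colon branch does. A cleaner shape would be a separate `--tmpfs)` arm that completes the documented option keywords (`rw`, `noexec`, `nosuid`, `nodev`, `size=`, `mode=`) after the colon and keeps the existing behaviour before it; short of that, the shared arm deserves a comment such as `# --tmpfs takes container-dir[:mount-options]; the *:*) TODO below does not apply to it`.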
@@ -339,6 +339,7 @@ complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l sig-proxy -d 'P
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l stop-signal -d 'Signal to kill a container'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s t -l tty -d 'Allocate a pseudo-TTY'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s u -l user -d 'Username or UID'
+complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l tmpfs -d 'Mount tmpfs on a directory'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s v -l volume -d 'Bind mount a volume (e.g., from the host: -v /host:/container, from Docker: -v /container)'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -l volumes-from -d 'Mount volumes from the specified container(s)'
 complete -c docker -A -f -n '__fish_seen_subcommand_from run' -s w -l workdir -d 'Working directory inside the container'
diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker
index 91eb563584..cde026b7eb 100644
--- a/contrib/completion/zsh/_docker
+++ b/contrib/completion/zsh/_docker
@@ -491,6 +491,7 @@ __docker_subcommand() {
 "($help)*--security-opt=[Security options]:security option: "
 "($help -t --tty)"{-t,--tty}"[Allocate a pseudo-tty]"
 "($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users"
+ "($help)--tmpfs[mount tmpfs] "
 "($help)*-v[Bind mount a volume]:volume: "
 "($help)--volume-driver=[Optional volume driver for the container]:volume driver:(local)"
 "($help)*--volumes-from=[Mount volumes from the specified container]:volume: "
diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md
index 56f5bab25b..87cef35445 100644
--- a/docs/reference/commandline/run.md
+++ b/docs/reference/commandline/run.md
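Review bot: The new `-l tmpfs` entry is inserted between `-l user` and `-l volume`, while the surrounding `run` completions are kept in option order (`stop-signal`, `tty`, `user`, `volume`, `volumes-from`, `workdir`); it belongs between the `-l stop-signal` and `-l tty` lines. Since the synopsis added elsewhere in this commit shows the flag takes `CONTAINER-DIR[:]`, the description could also hint at the expected value, e.g. `-d 'Mount tmpfs on a directory (container-dir[:options])'`.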
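Review bot: The spec `"($help)--tmpfs[mount tmpfs] "` declares neither an argument nor repeatability, so `_arguments` will treat `--tmpfs` as a bare flag, complete other options where the mount spec should go, and offer it only once, although the synopsis added in this same commit (`--tmpfs=[]`, `CONTAINER-DIR[:]`) makes it a list-valued option like the neighbouring `*--security-opt=` and `*-v` entries. The trailing space inside the quotes is also stray. Following the file's own convention the line would read `"($help)*--tmpfs=[Mount tmpfs on a directory]:tmpfs mount: "`, and in the sorted order used here it belongs before the `-t --tty` entry rather than after `--user`.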
@@ -153,6 +153,14 @@ flag exists to allow special use-cases, like running Docker within Docker.
 The `-w` lets the command being executed inside directory given, here `/path/to/dir/`. If the path does not exists it is created inside the container.
+### mount tmpfs (--tmpfs)
+
+ $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
+
+ The --tmpfs flag mounts a tmpfs into the container with the rw,noexec,nosuid,size=65536k options.
+
+ Underlying content from the /run in the my_image image is copied into tmpfs.
+
 ### Mount volume (-v, --read-only)
 $ docker run -v `pwd`:`pwd` -w `pwd` -i -t ubuntu pwd
diff --git a/docs/reference/run.md b/docs/reference/run.md
index e9b3a85aaa..b40888bf6d 100644
--- a/docs/reference/run.md
+++ b/docs/reference/run.md
@@ -1298,6 +1298,14 @@ above, or already defined by the developer with a Dockerfile `ENV`:
 Similarly the operator can set the **hostname** with `-h`.
+### TMPFS (mount tmpfs filesystems)
+
+ --tmpfs=[]: Create a tmpfs mount with: container-dir[:], where the options are identical to the Linux `mount -t tmpfs -o` command.
+
+ Underlying content from the "container-dir" is copied into tmpfs.
+
+ $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
+
 ### VOLUME (shared filesystems)
 -v=[]: Create a bind mount with: [host-src:]container-dest[:], where
diff --git a/man/docker-create.1.md b/man/docker-create.1.md
index bd143639e4..dc6891da62 100644
--- a/man/docker-create.1.md
+++ b/man/docker-create.1.md
@@ -57,6 +57,7 @@ docker-create - Create a new container
 [**--stop-signal**[=*SIGNAL*]]
 [**--shm-size**[=*[]*]]
 [**-t**|**--tty**[=*false*]]
+[**--tmpfs**[=*[CONTAINER-DIR[:]*]]
 [**-u**|**--user**[=*USER*]]
 [**--ulimit**[=*[]*]]
 [**--uts**[=*[]*]]
@@ -271,6 +272,20 @@ This value should always larger than **-m**, so you should always use this with
 **-t**, **--tty**=*true*|*false*
 Allocate a pseudo-TTY. The default is *false*.
+**--tmpfs**=[] Create a tmpfs mount
+
+ Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
+
+ $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
+
+ This command mounts a `tmpfs` at `/tmp` within the container. The mount copies
+the underlying content of `my_image` into `/tmp`. For example if there was a
+directory `/tmp/content` in the base image, docker will copy this directory and
+all of its content on top of the tmpfs mounted on `/tmp`. The supported mount
+options are the same as the Linux default `mount` flags. If you do not specify
+any options, the systems uses the following options:
+`rw,noexec,nosuid,nodev,size=65536k`.
+
 **-u**, **--user**=""
 Username or UID
diff --git a/man/docker-run.1.md b/man/docker-run.1.md
index 03eb1b66c0..7c56790f9f 100644
--- a/man/docker-run.1.md
+++ b/man/docker-run.1.md
@@ -60,6 +60,7 @@ docker-run - Run a command in a new container
 [**--shm-size**[=*[]*]]
 [**--sig-proxy**[=*true*]]
 [**-t**|**--tty**[=*false*]]
+[**--tmpfs**[=*[CONTAINER-DIR[:]*]]
 [**-u**|**--user**[=*USER*]]
 [**-v**|**--volume**[=*[]*]]
 [**--ulimit**[=*[]*]]
@@ -436,6 +437,20 @@ interactive shell. The default is false.
 The **-t** option is incompatible with a redirection of the docker client standard input.
+**--tmpfs**=[] Create a tmpfs mount
+
+ Mount a temporary filesystem (`tmpfs`) mount into a container, for example:
+
+ $ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image
+
+ This command mounts a `tmpfs` at `/tmp` within the container. The mount copies
+the underlying content of `my_image` into `/tmp`. For example if there was a
+directory `/tmp/content` in the base image, docker will copy this directory and
+all of its content on top of the tmpfs mounted on `/tmp`. The supported mount
+options are the same as the Linux default `mount` flags. If you do not specify
+any options, the systems uses the following options:
+`rw,noexec,nosuid,nodev,size=65536k`.
+
 **-u**, **--user**=""
 Sets the username or UID used and optionally the groupname or GID for the specified command.
@@ -552,6 +567,19 @@ the exit codes follow the `chroot` standard, see below:
 # EXAMPLES
+## Running container in read-only mode
+
+During container image development, containers often need to write to the image
+content. Installing packages into /usr, for example. In production,
+applications seldom need to write to the image. Container applications write
+to volumes if they need to write to file systems at all. Applications can be
+made more secure by running them in read-only mode using the --read-only switch.
+This protects the containers image from modification. Read only containers may
+still need to write temporary data. The best way to handle this is to mount
+tmpfs directories on /run and /tmp.
+
+ # docker run --read-only --tmpfs /run --tmpfs /tmp -i -t fedora /bin/bash
+
 ## Exposing log messages from the container to the host's log
 If you want messages that are logged in your container to show up in the host's