Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add support for setting sysctls 

This patch will allow users to specify namespace specific "kernel parameters"
for running inside of a container.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This commit is contained in:
Dan Walsh 2016-03-29 08:24:28 -04:00 committed by Tibor Vass
parent 8850c4ab6e
commit a60c612a04
6 changed files with 80 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
contrib/completion/bash/docker
View File

@ -1671,6 +1671,7 @@ _docker_run() {
--shm-size --shm-size
--stop-signal --stop-signal
--tmpfs --tmpfs
--sysctl
--ulimit --ulimit
--user -u --user -u
--userns --userns

1
contrib/completion/zsh/_docker
View File

@ -644,6 +644,7 @@ __docker_subcommand() {
"($help)--privileged[Give extended privileges to this container]" "($help)--privileged[Give extended privileges to this container]"
"($help)--read-only[Mount the container's root filesystem as read only]" "($help)--read-only[Mount the container's root filesystem as read only]"
"($help)*--security-opt=[Security options]:security option: " "($help)*--security-opt=[Security options]:security option: "
"($help)*--sysctl=-[sysctl options]:sysctl: "
"($help -t --tty)"{-t,--tty}"[Allocate a pseudo-tty]" "($help -t --tty)"{-t,--tty}"[Allocate a pseudo-tty]"
"($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users" "($help -u --user)"{-u=,--user=}"[Username or UID]:user:_users"
"($help)--tmpfs[mount tmpfs]" "($help)--tmpfs[mount tmpfs]"

1
docs/reference/commandline/create.md
View File

@ -82,6 +82,7 @@ Creates a new container.
--stop-signal="SIGTERM" Signal to stop a container --stop-signal="SIGTERM" Signal to stop a container
--shm-size=[] Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. --shm-size=[] Size of `/dev/shm`. The format is `<number><unit>`. `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`.
--storage-opt=[] Set storage driver options per container --storage-opt=[] Set storage driver options per container
--sysctl[=*[]*]] Configure namespaced kernel parameters at runtime
-t, --tty Allocate a pseudo-TTY -t, --tty Allocate a pseudo-TTY
-u, --user="" Username or UID -u, --user="" Username or UID
--userns="" Container user namespace --userns="" Container user namespace

28
docs/reference/commandline/run.md
View File

@ -84,6 +84,7 @@ parent = "smn_cli"
--sig-proxy=true Proxy received signals to the process --sig-proxy=true Proxy received signals to the process
--stop-signal="SIGTERM" Signal to stop a container --stop-signal="SIGTERM" Signal to stop a container
--storage-opt=[] Set storage driver options per container --storage-opt=[] Set storage driver options per container
--sysctl[=*[]*]] Configure namespaced kernel parameters at runtime
-t, --tty Allocate a pseudo-TTY -t, --tty Allocate a pseudo-TTY
-u, --user="" Username or UID (format: <name|uid>[:<group|gid>]) -u, --user="" Username or UID (format: <name|uid>[:<group|gid>])
--userns="" Container user namespace --userns="" Container user namespace
@ -620,3 +621,30 @@ If you have set the `--exec-opt isolation=hyperv` option on the Docker `daemon`,
$ docker run -d --isolation default busybox top $ docker run -d --isolation default busybox top
$ docker run -d --isolation hyperv busybox top $ docker run -d --isolation hyperv busybox top
``` ```
### Configure namespaced kernel parameters (sysctls) at runtime
The `--sysctl` sets namespaced kernel parameters (sysctls) in the
container. For example, to turn on IP forwarding in the containers
network namespace, run this command:
$ docker run --sysctl net.ipv4.ip_forward=1 someimage
> **Note**: Not all sysctls are namespaced. docker does not support changing sysctls
> inside of a container that also modify the host system. As the kernel
> evolves we expect to see more sysctls become namespaced.
#### Currently supported sysctls
`IPC Namespace`:
kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
Sysctls beginning with fs.mqueue.*
If you use the `--ipc=host` option these sysctls will not be allowed.
`Network Namespace`:
Sysctls beginning with net.*
If you use the `--net=host` option using these sysctls will not be allowed.

16
man/docker-create.1.md
View File

@ -67,6 +67,7 @@ docker-create - Create a new container
[**--storage-opt**[=*[]*]] [**--storage-opt**[=*[]*]]
[**--stop-signal**[=*SIGNAL*]] [**--stop-signal**[=*SIGNAL*]]
[**--shm-size**[=*[]*]] [**--shm-size**[=*[]*]]
[**--sysctl**[=*[]*]]
[**-t**|**--tty**] [**-t**|**--tty**]
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]] [**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
[**-u**|**--user**[=*USER*]] [**-u**|**--user**[=*USER*]]
@ -336,6 +337,21 @@ unit, `b` is used. Set LIMIT to `-1` to enable unlimited swap.
**--stop-signal**=*SIGTERM* **--stop-signal**=*SIGTERM*
Signal to stop a container. Default is SIGTERM. Signal to stop a container. Default is SIGTERM.
**--sysctl**=SYSCTL
Configure namespaced kernel parameters at runtime
IPC Namespace - current sysctls allowed:
kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
Sysctls beginning with fs.mqueue.*
Note: if you use --ipc=host using these sysctls will not be allowed.
Network Namespace - current sysctls allowed:
Sysctls beginning with net.*
Note: if you use --net=host using these sysctls will not be allowed.
**-t**, **--tty**=*true*|*false* **-t**, **--tty**=*true*|*false*
Allocate a pseudo-TTY. The default is *false*. Allocate a pseudo-TTY. The default is *false*.

33
man/docker-run.1.md
View File

@ -71,6 +71,7 @@ docker-run - Run a command in a new container
[**--stop-signal**[=*SIGNAL*]] [**--stop-signal**[=*SIGNAL*]]
[**--shm-size**[=*[]*]] [**--shm-size**[=*[]*]]
[**--sig-proxy**[=*true*]] [**--sig-proxy**[=*true*]]
[**--sysctl**[=*[]*]]
[**-t**|**--tty**] [**-t**|**--tty**]
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]] [**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
[**-u**|**--user**[=*USER*]] [**-u**|**--user**[=*USER*]]
@ -492,6 +493,21 @@ its root filesystem mounted as read only prohibiting any writes.
`number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes). `number` must be greater than `0`. Unit is optional and can be `b` (bytes), `k` (kilobytes), `m`(megabytes), or `g` (gigabytes).
If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`. If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses `64m`.
**--sysctl**=SYSCTL
Configure namespaced kernel parameters at runtime
IPC Namespace - current sysctls allowed:
kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced
Sysctls beginning with fs.mqueue.*
If you use the `--ipc=host` option these sysctls will not be allowed.
Network Namespace - current sysctls allowed:
Sysctls beginning with net.*
If you use the `--net=host` option these sysctls will not be allowed.
**--sig-proxy**=*true*|*false* **--sig-proxy**=*true*|*false*
Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*. Proxy received signals to the process (non-TTY mode only). SIGCHLD, SIGSTOP, and SIGKILL are not proxied. The default is *true*.
@ -955,6 +971,23 @@ $ docker run -d --isolation default busybox top
$ docker run -d --isolation hyperv busybox top $ docker run -d --isolation hyperv busybox top
``` ```
## Setting Namespaced Kernel Parameters (Sysctls)
The `--sysctl` sets namespaced kernel parameters (sysctls) in the
container. For example, to turn on IP forwarding in the containers
network namespace, run this command:
$ docker run --sysctl net.ipv4.ip_forward=1 someimage
Note:
Not all sysctls are namespaced. docker does not support changing sysctls
inside of a container that also modify the host system. As the kernel
evolves we expect to see more sysctls become namespaced.
See the definition of the `--sysctl` option above for the current list of
supported sysctls.
# HISTORY # HISTORY
April 2014, Originally compiled by William Henry (whenry at redhat dot com) April 2014, Originally compiled by William Henry (whenry at redhat dot com)
based on docker.com source material and internal work. based on docker.com source material and internal work.