Following #22729, enable to dynamically reload/remove the daemon
authorization plugins (via standard reloading mechanism).
https://docs.docker.com/engine/reference/commandline/daemon/#daemon-
configuration-file
Daemon must store a reference to the authorization middleware to refresh
the plugin on configuration changes.
Signed-off-by: Liron Levin <liron@twistlock.com>
this change improves the instructions for
swarm join-token and swarm init;
- only print the join-token command for workers
instead of for both managers and workers, to
prevent users from copying the wrong command.
An extra line is added to explain how to obtain
the manager token.
- print a message that a token was rotated
sucesfully if '--rotate' is used.
- add some extra white-space before / after
the join commands, to make copy/pasting
easier.
this change also does some refactoring of join-token;
- move flagname-constants together with other constants
- use variables for selected role ("worker" / "manager")
to prevent checking for them multiple times, and to
keep the "worker" / "manager" sting centralized
- add an extra blank line after "join-token" instructions
this makes it easier to copy, and cleans up the
code a tiny bit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In `docker service create/update`, flag `--user` actually supports
`uid:gid` (same as `docker run`). However, this is not reflected
in the help and documentation yet.
This fix updates docs in `docker service create/update` to change
the description to `Username or UID (format: <name|uid>[:<group|gid>])`.
The help message output has also been updated.
This fix is related to 25304.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Rather than conflict with the unexposed task model, change the names of
the object-oriented task display to `docker <object> ps`. The command
works identically to `docker service tasks`. This change is superficial.
This provides a more sensical docker experience while not trampling on
the task model that may be introduced as a top-level command at a later
date.
The following is an example of the display using `docker service ps`
with a service named `condescending_cori`:
```
$ docker service ps condescending_cori
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 13 minutes ago Running 6c6d232a5d0e
```
The following shows the output for the node on which the command is
running:
```console
$ docker node ps self
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
b1tpbi43k1ibevg2e94bmqo0s mad_kalam.1 mad_kalam apline Accepted 2 seconds ago Accepted 6c6d232a5d0e
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 12 minutes ago Running 6c6d232a5d0e
4x609m5o0qyn0kgpzvf0ad8x5 furious_davinci.1 furious_davinci redis Running 32 minutes ago Running 6c6d232a5d0e
```
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Swarm mode makes it possible through the API to set labels to containers
but not through command line. This tries to fix it.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Instead reserve exit code 2 to be future proof, document that it should
not be used. Implementation-wise, it is considered as unhealthy, but
users should not rely on this as it may change in the future.
Signed-off-by: Tibor Vass <tibor@docker.com>
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Hostnames are not supported for now because libnetwork can't use them
for overlay networking yet.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Update documentation to account for the changes in #24952.
docs/swarm/swarm-tutorial/rolling-update.md doesn't need any changes,
but the CLI reference pages should show the current help text.
drain-node.md no longer needs to specify --update-parallelism 1 in its
example.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
f5e1f6f6880391a5a3399023cf93a3c48502e57d replaced "secrets"
with "join tokens", which also removed the "auto-accept"
policy.
This removes some remaining references to those features.
Note that there are other references, but those
are already addressed in another pull request.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
this improves the formatting, and code-highlighting
of the `docker ps` reference page, and wraps sentences
to 80 chars
also adds single quotes around the formatting
example for labels.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds documentation for "--log-driver" and "--log-opt"
for services.
Also updated the API docs to include the new
options, and generated a more complete JSON
example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the output/response slightly changed in
340964db1c8f161a2ad156023eb47dcc93bf804b,
and `:latest` is no longer required for
various actions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This renames the '--bundle' flag for docker (stack) deploy
to be consistent with 'docker build'.
Note that there's no shorthand '-f' added for now,
because this may be confusing on 'docker stack config',
which also takes a file, and for which we may want to
have a '--format' flag in future.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
this removes a copy/pasta whoopsie on my side,
introduced in de64324109d2694b1525e62b5c0072267282a36c
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds the `--live-restore` option to the documentation.
Also synched usage description in the documentation
with the actual description, and re-phrased some
flag descriptions to be a bit more consistent.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- the constraint expression needs to be quoted
- add an actual redis container to run so the command line works
Signed-off-by: Anil Madhavapeddy <anil@docker.com>
The change to runc in https://github.com/opencontainers/runc/pull/789
was not documented previously. Also say what this affects and clean
up layout of initial table as there was some miscolouration of the
continuation lines.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Using tabs here seems to cause copy/paste problems in some terminals.
Using spaces is safer.
Fixes#24609
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This adds an `--oom-score-adjust` flag to the daemon so that the value
provided can be set for the docker daemon's process. The default value
for the flag is -500. This will allow the docker daemon to have a
less chance of being killed before containers do. The default value for
processes is 0 with a min/max of -1000/1000.
-500 is a good middle ground because it is less than the default for
most processes and still not -1000 which basically means never kill this
process in an OOM condition on the host machine. The only processes on
my machine that have a score less than -500 are dbus at -900 and sshd
and xfce( my window manager ) at -1000. I don't think docker should be
set lower, by default, than dbus or sshd so that is why I chose -500.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add a `--network` flag which replaces `--net` without deprecating it
yet. The `--net` flag remains hidden and supported.
Add a `--network-alias` flag which replaces `--net-alias` without deprecating
it yet. The `--net-alias` flag remains hidden and supported.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
Looks like there's issues with sourceforge project
pages. Given that sourceforge isn't really what
it used to be, trying to find alternative URLs
where possible.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "none" option was not added to the documentation.
This adds an example, and adds additional information
on manually accepting or rejecting a node.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add option to skip kernel check for older kernels which have been patched to support multiple lower directories in overlayfs.
Fixes#24023
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Kernel memory is not allowed to be updated if container is
running, it's not actually a precise kernel limitation.
Before kernel version 4.6, kernel memory will not be accounted
until kernel memory limit is set, if a container created with
kernel memory initialized, kernel memory is accounted as soon
as process created in container, so kernel memory limit update
is allowed afterward. If kernel memory is not initialized,
kernel memory consumed by processes in container will not be
accounted, so we can't update the limit because the account
will be wrong.
So update kernel memory of a running container with kernel memory
initialized is allowed, we should soften the limitation by docker.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
- Update ps with `--last` flag
- Update commands with current output
- Make sure hugo does not detect the wrong language
- Update usage for `tag` command to be more coherent with the other ones
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.
This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.
`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.
Closes#23785
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
In #24159, the title field of `docker node ls` has been
changed from NAME to HOSTNAME. However, in the docs the
NAMEs are still used for the output of `docker node ls`.
This fix updates docs so that NAME field is changed to
HOSTNAME for all `docker node ls`.
This fix is related to #24159 and #24090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The --auto-accept documentation currently says that both worker and
manager nodes are automatically accepted by default. Correct it.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
For consistency with other filters (such as
"is-official"), this renames the desired_state
filter to "desired-state".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The reason why the issue occurs is because sh parses the first argument after -c as the whole script to execute.
Everything after isn't executed as one might expect.
When working on the 'fix' I found out the same fix is also done in commit 2af7c5cfe24b4c8e931f751979b5e69e20ba77e2, except only for one occurrence.
Signed-off-by: Serhat Gülçiçek <serhat+signoff@equil.nl>
Make `--dispatcher-heartbeat-period` a duration in `docker swarm
update`, allowing to express the value as "5s", "1h", etc.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
fixing links after moving surfacing tutorials
fixing more links for the newly located tutorials
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
Added explanation for the example with image's digest ( as per @thaJeztah 's comment
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
Wrapped to ~80 chars
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
fixed broken links created from Engine Overview update by adding missing topic to daemon reference page and updating the hrefs in the api pages
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
This fixes some Markup and formatting
issues in the network documentation;
- wrap text to 80 chars
- add missing language hints for code examples
- add missing line continuations (\)
- update USAGE output for Cobra
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds support for filtering by network ID, to be
consistent with other filter options.
Note that only *full* matches are returned; this is
consistent with other filters (e.g. volume), that
also return full matches only.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix fixed a couple of typos in the docs of `docker attach`:
docs/reference/commandline/attach.md
man/docker-attach.1.md
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix fixes a couple of typos in docker attach docs:
docs/reference/commandline/attach.md
man/docker-attach.1.md
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in #23055.
Currently `docker search` result caps at 25 and there is
no way to allow getting more results (if exist).
This fix adds the flag `--limit` so that it is possible
to return more results from the `docker search`.
Related documentation has been updated.
Additional tests have been added to cover the changes.
This fix fixes#23055.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in #20083 where
comment is not supported in `.dockerignore`.
This fix updated the processing of `.dockerignore` so that any
lines starting with `#` are ignored, which is similiar to the
behavior of `.gitignore`.
Related documentation has been updated.
Additional tests have been added to cover the changes.
This fix fixes#20083.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR adds support for user-defined health-check probes for Docker
containers. It adds a `HEALTHCHECK` instruction to the Dockerfile syntax plus
some corresponding "docker run" options. It can be used with a restart policy
to automatically restart a container if the check fails.
The `HEALTHCHECK` instruction has two forms:
* `HEALTHCHECK [OPTIONS] CMD command` (check container health by running a command inside the container)
* `HEALTHCHECK NONE` (disable any healthcheck inherited from the base image)
The `HEALTHCHECK` instruction tells Docker how to test a container to check that
it is still working. This can detect cases such as a web server that is stuck in
an infinite loop and unable to handle new connections, even though the server
process is still running.
When a container has a healthcheck specified, it has a _health status_ in
addition to its normal status. This status is initially `starting`. Whenever a
health check passes, it becomes `healthy` (whatever state it was previously in).
After a certain number of consecutive failures, it becomes `unhealthy`.
The options that can appear before `CMD` are:
* `--interval=DURATION` (default: `30s`)
* `--timeout=DURATION` (default: `30s`)
* `--retries=N` (default: `1`)
The health check will first run **interval** seconds after the container is
started, and then again **interval** seconds after each previous check completes.
If a single run of the check takes longer than **timeout** seconds then the check
is considered to have failed.
It takes **retries** consecutive failures of the health check for the container
to be considered `unhealthy`.
There can only be one `HEALTHCHECK` instruction in a Dockerfile. If you list
more than one then only the last `HEALTHCHECK` will take effect.
The command after the `CMD` keyword can be either a shell command (e.g. `HEALTHCHECK
CMD /bin/check-running`) or an _exec_ array (as with other Dockerfile commands;
see e.g. `ENTRYPOINT` for details).
The command's exit status indicates the health status of the container.
The possible values are:
- 0: success - the container is healthy and ready for use
- 1: unhealthy - the container is not working correctly
- 2: starting - the container is not ready for use yet, but is working correctly
If the probe returns 2 ("starting") when the container has already moved out of the
"starting" state then it is treated as "unhealthy" instead.
For example, to check every five minutes or so that a web-server is able to
serve the site's main page within three seconds:
HEALTHCHECK --interval=5m --timeout=3s \
CMD curl -f http://localhost/ || exit 1
To help debug failing probes, any output text (UTF-8 encoded) that the command writes
on stdout or stderr will be stored in the health status and can be queried with
`docker inspect`. Such output should be kept short (only the first 4096 bytes
are stored currently).
When the health status of a container changes, a `health_status` event is
generated with the new status. The health status is also displayed in the
`docker ps` output.
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix fixes an error in documentation (dockerd.md). In the
example given by dockerd.md, the option `cluster-store-opts`
is assigned with an array but this option can only be assigned
as a map.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Add support for two now filter on the `images` command : `before` and
`since`. They work the same as the one on the `ps` command but for
images.
$ docker images --filter before=myimage
# display all images older than myimage
$ docker images --filter since=myimage
# display all images younger than myimage
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue raised in #21976 and allows
the options of `--add-host` and `--net=host` to work at the same time.
The documentation has been updated and additional tests have been
added to cover this change.
This fix fixes#21976.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in #21976 and allows
the options of `--dns`, `--dns-search`, `--dns-opt` and `--net=host`
to work at the same time.
The documentation has been updated and additional tests have been
added to cover this change.
This fix fixes#21976.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to cover the issue raised in #22463 by adding
filter for events emitted by docker daemon so that user could
utilize filter to receive events of interest.
Documentations have been updated for this fix.
Additional tests have been added to cover the changes in this fix.
This fix fixes#22463.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to cover the issue raised in #22463 by emitting
events for docker daemon so that user could be notified by
scenarios like config reload, etc.
This fix adds the `daemon reload`, and events for docker daemon.
Additional tests have been added to cover the changes in this fix.
This fix fixes#22463.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Add link to valid image name and tag formats in referenced files
- Per review comments, updated docs to remove reference to `USERNAME` and
`REGISTRYHOST`.
- Per review comment, removed links from man page.
- Per review comment, added and updated examples on `docker tag`
Signed-off-by: Subhajit Ghosh <isubuz.g@gmail.com>
The filtering is made server-side, and the following filters are
supported:
* is-official (boolean)
* is-automated (boolean)
* has-stars (integer)
Signed-off-by: Fabrizio Soppelsa <fsoppelsa@mirantis.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Automatic translation of MLS labels is currently not
supported, so should not be documented as an example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.
While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.
It also cleans up some architecture specific system calls to be
only selected when needed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Replace Note with a new secion, reduce characters in
per line in 80. Add statement suggested by
https://github.com/thaJeztah
Signed-off-by: Lin Lu <doraalin@163.com>
This fix tries to address issues raised in #20936 and #22443
where `docker pull` or `docker push` fails because of the
concurrent connection failing.
Currently, the number of maximum concurrent connections is
controlled by `maxDownloadConcurrency` and `maxUploadConcurrency`
which are hardcoded to 3 and 5 respectively. Therefore, in
situations where network connections don't support multiple
downloads/uploads, failures may encounter for `docker push`
or `docker pull`.
This fix tries changes `maxDownloadConcurrency` and
`maxUploadConcurrency` to adjustable by passing
`--max-concurrent-uploads` and `--max-concurrent-downloads` to
`docker daemon` command.
The documentation related to docker daemon has been updated.
Additional test case have been added to cover the changes in this fix.
This fix fixes#20936. This fix fixes#22443.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The 'Unix Signals' (https://en.wikipedia.org/wiki/Unix_signal#Handling_signals) wiki explains that:
> 'There are two signals which cannot be intercepted and handled: SIGKILL and SIGSTOP.'
Signed-off-by: kevinmeredith <kevin.m.meredith@gmail.com>
The jsonlog logger currently allows specifying envs and labels that
should be propagated to the log message, however there has been no way
to read that back.
This adds a new API option to enable inserting these attrs back to the
log reader.
With timestamps, this looks like so:
```
92016-04-08T15:28:09.835913720Z foo=bar,hello=world hello
```
The extra attrs are comma separated before the log message but after
timestamps.
Without timestaps it looks like so:
```
foo=bar,hello=world hello
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- [x] Update man page description
- [x] Update man page sample output to something more current
Tested with: `TESTFLAGS='-check.f DockerSuite.TestInfoEnsureSucceeds*'
make test-integration-cli`
Signed-off-by: Lucas Chan <lucas-github@lucaschan.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This add a new filter to 'docker network ls'
to allow filtering by driver-name.
Contrary to "ID" and "name" filters, this
filter only supports an *exact* match.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch did following:
1) Make filter check logic same as `docker ps ` filters
Right now docker container logic work as following:
when same filter used like below:
-f name=jack -f name=tom
it would get all containers name is jack or tom(it is or logic)
when different filter used like below:
-f name=jack -f id=7d1
it would get all containers name is jack and id contains 7d1(it is and logic)
It would make sense in many user cases, but it did lack of compliate filter cases,
like "I want to get containers name is jack or id=7d1", it could work around use
(get id=7d1 containers' name and get name=jack containers, and then construct the
final containers, they could be done in user side use shell or rest API)
2) Fix one network filter bug which could include duplicate result
when use -f name= -f id=, it would get duplicate results
3) Make id filter same as container id filter, which means match any string.
not use prefix match.
It is for consistent match logic
Closes: #21417
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
The `Status` field is a `map[string]interface{}` which allows the driver to pass
back low-level details about the underlying volume.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This patch will allow users to specify namespace specific "kernel parameters"
for running inside of a container.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Copy edit the content
Updates to existing material
Adding mbentley's comments
Updating with last minute comments
Update with Seb's comments
Signed-off-by: Mary Anthony <mary@docker.com>
The documentation already says the cache miss happens only at `ARG`
variable usage, not declaration, but there is a very common implicit
usage: `RUN`, which this commit documents even more, improving on #21790.
Also, use `definition` instead of `declaration`: it's the same thing, and
`definition` is already used in this documentation, contrary to
`declaration`.
Also, distinguish between "instructions" and "variables defined by `ARG`
instructions".
Signed-off-by: Thomas Riccardi <riccardi@systran.fr>
This fix tries to fix the discrepancy between `docker stats` and
`docker run` where `docker run` uses RAMInBytes for all memory
related inputs but `docker stats` uses HumanSize for all memory
related outputs.
To be consistent, `docker stats` needs to use BytesSize for all
memory related outputs to conform to RAMInBytes in `docker run`.
This fix addresses this issue. As BytesSize is used, the test
cases needs to be adjusted to match `KiB/MiB/GiB` instead of
`KB/MB/GB`.
The documentation has also been updated.
This fix fixes#21765.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Auto-creation of host-directories was marked deprecated in
Docker 1.9, but was decided to be too much of an backward-incompatible
change, so it was decided to keep the feature.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
runc expects a systemd cgroupsPath to be in slice:scopePrefix:containerName
format and the "--systemd-cgroup" option to be set. Update docker accordingly.
Fixes 21475
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
It was suggested to me that documentation for "docker pull" and "docker
push" should reference "docker login", to make clearer how to specify
credentials for a push or pull operation. Add a note to the manual pages
and reference documentation explaining how registry credentials are
managed.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This change include filter `name` and `driver`,
and also update related docs to reflect that filters usage.
Closes: #21243
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Now that the namespace sharing code via runc is vendored with the
containerd changes, we can disable the restrictions on container to
container net and IPC namespace sharing when the daemon has user
namespaces enabled.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This allows a user to specify explicitly to enable
automatic copying of data from the container path to the volume path.
This does not change the default behavior of automatically copying, but
does allow a user to disable it at runtime.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The form "Save an images" is not correct.
Either "Save an image" or "Save images" work, but since
the save commands accepts multiple images, I chose the
latter.
Fixed in all places where I could grep "Save an image(s)".
Signed-off-by: Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The old examples no longer worked due to changes in
the client and Docker Hub.
This updates the "docker pull" documentation and
adds more examples and explanation of the features.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker creates a UTS namespace by default, even with --net=host, so it
is reasonable to let the user set the hostname. Note that --hostname is
forbidden if the user specifies --uts=host.
Closes#12076
Signed-off-by: Jason Heiss <jheiss@aput.net>
Once thin pool gets full, bad things can happen. Especially in case of xfs
it is possible that xfs keeps on retrying IO infinitely (for certain kind
of IO) and container hangs.
One way to mitigate the problem is that once thin pool is about to get full,
start failing some of the docker operations like pulling new images or
creation of new containers. That way user will get warning ahead of time
and can try to rectify it by creating more free space in thin pool. This
can be done either by deleting existing images/containers or by adding more
free space to thin pool.
This patch adds a new option dm.min_free_space to devicemapper graph
driver. Say one specifies dm.min_free_space=10%. This means atleast
10% of data and metadata blocks should be free in pool before new device
creation is allowed, otherwise operation will fail.
By default min_free_space is 10%. User can change it by specifying
dm.min_free_space=X% on command line. A value of 0% will disable the
check.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Following #19995 and #17409 this PR enables skipping userns re-mapping
when creating a container (or when executing a command). Thus, enabling
privileged containers running side by side with userns remapped
containers.
The feature is enabled by specifying ```--userns:host```, which will not
remapped the user if userns are applied. If this flag is not specified,
the existing behavior (which blocks specific privileged operation)
remains.
Signed-off-by: Liron Levin <liron@twistlock.com>
Update unit test and documentation to handle the new case where Username
is set to <token> to indicate an identity token is involved.
Change the "Password" field in communications with the credential helper
to "Secret" to make clear it has a more generic purpose.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Prior to this change, the "docker network inspect" contains only the
endpoints that have active local container. This excludes all the remote
and stale endpoints. By including all the endpoints, it makes debugging
much simpler and also allows the user to cleanup any stale endpoints
using "docker network disconnect -f {network} {endpoint-name}".
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Allows users to submit options similar to the `mount` command when
creating a volume with the `local` volume driver.
For example:
```go
$ docker volume create -d local --opt type=nfs --opt device=myNfsServer:/data --opt o=noatime,nosuid
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Move the note more up, to prevent people from starting
the daemon with --userns-remap before touching the files.
Also clarify that these steps must be done *before* enabling
userns-remap and starting the daemon.
Also fixed some minor Markup formatting issues.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This removes the email prompt when you use docker login, and also removes the ability to register via the docker cli. Docker login, will strictly be used for logging into a registry server.
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
This change implements communication with an external credentials store,
ala git-credential-helper. The client falls back the plain text store,
what we're currently using, if there is no remote store configured.
It shells out to helper program when a credential store is
configured. Those programs can be implemented with any language as long as they
follow the convention to pass arguments and information.
There is an implementation for the OS X keychain in https://github.com/calavera/docker-credential-helpers.
That package also provides basic structure to create other helpers.
Signed-off-by: David Calavera <david.calavera@gmail.com>
There are five options 'debug' 'labels' 'cluster-store' 'cluster-store-opts'
and 'cluster-advertise' that can be reconfigured, configure any of these
options should not affect other options which may have configured in flags.
But this is not true, for example, I start a daemon with -D to enable the
debugging, and after a while, I want reconfigure the 'label', so I add a file
'/etc/docker/daemon.json' with content '"labels":["test"]' and send SIGHUP to daemon
to reconfigure the daemon, it work, but the debugging of the daemon is also diabled.
I don't think this is a expeted behaviour.
This patch also have some minor refactor of reconfiguration of cluster-advertiser.
Enable user to reconfigure cluster-advertiser without cluster-store in config file
since cluster-store could also be already set in flag, and we only want to reconfigure
the cluster-advertiser.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
- Allow to filter containers by volume with `--filter volume=name` and `filter volume=/dest`.
- Show their names in the list with the custom format `{{ .Mounts }}`.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Add `--restart` flag for `update` command, so we can change restart
policy for a container no matter it's running or stopped.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
- It reverts fa163f5619bb01cabca1c21 plus a small change
in order to allow passing the global scope datastore
to libnetwork after damon boot.
Signed-off-by: Alessandro Boch <aboch@docker.com>
In new content addressable model, image no longer
have virtual size column, it is now 'size'. So we
need to update related docs about them.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Fixing the links
Updating with Seb's comments
Adding weight
Fixing the engine aliases
Updating after Arun pushed
Removing empty file
Signed-off-by: Mary Anthony <mary@docker.com>
This makes it so when calling `docker run --rm`, or `docker rm -v`, only
volumes specified without a name, e.g. `docker run -v /foo` instead of
`docker run -v awesome:/foo` are removed.
Note that all volumes are named, some are named by the user, some get a
generated name. This is specifically about how the volume was specified
on `run`, assuming that if the user specified it with a name they expect
it to persist after the container is cleaned up.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- Return an error if any of the keys don't match valid flags.
- Fix an issue ignoring merged values as named values.
- Fix tlsverify configuration key.
- Fix bug in mflag to avoid panics when one of the flag set doesn't have any flag.
Signed-off-by: David Calavera <david.calavera@gmail.com>
It is possible to invoke `docker ps -f status=dead`, but the
documentation for docker-ps does not mention `dead` as a valid option.
This commit fixes that.
Signed-off-by: Kareem Khazem <karkhaz@karkhaz.com>
The description "set `-1` to disable swap" is wrong, `build`,
`create` and `run` already fixed, we need to fix `update` as well.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
The path here should be absolute, else it would
deem it as volume name.
Also link to release page to contain static binary,
the old link not work, because it is just used to
install docker in os distro, it can not be used
as static binary directly.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
The example is not right in parameter, and also
one command is same as first one, it should be typo
before, we should use 'rw' as example for that.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
* If user doesn't specify the subnets to create a network, it will pick
subnets from inside preferred pool. This PR aims to inspect these subnets info
* Add integration tests for docker inspect the subnets.
* docker-py project is already synchronized.
* jenkins checks depend on https://github.com/docker/docker-py/pull/888
Fixes issue #18626
Signed-off-by: Wen Cheng Ma <wenchma@cn.ibm.com>
Read configuration after flags making this the priority:
1- Apply configuration from file.
2- Apply configuration from flags.
Reload configuration when a signal is received, USR2 in Linux:
- Reload router if the debug configuration changes.
- Reload daemon labels.
- Reload cluster discovery.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Signed-off-by: Mary Anthony <mary@docker.com>
Updaing and slight re-arrangement of security information
Signed-off-by: Mary Anthony <mary@docker.com>
Updating security files
Signed-off-by: Mary Anthony <mary@docker.com>
Updating links to the security documentation
Signed-off-by: Mary Anthony <mary@docker.com>
removing some extra spaces
Signed-off-by: Mary Anthony <mary@docker.com>
Correcting spelling
Signed-off-by: Mary Anthony <mary@docker.com>
docker's network disconnect api now supports `Force` option which can be
used to force cleanup an endpoint from any host in the cluster.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Instead of just showing the number of containers this patch will
show the number of running, paused and stopped containers as well.
Signed-off-by: Kim Eik <kim@heldig.org>
(cherry picked from commit a9804ab1cb117a132cbf460067d55f5146d50956)
When pulling an image with content trust enabled, two references are
created: a digest reference and a tag reference. Deleting by tag
wouldn't actually remove the image, because the digest reference keeps
it alive.
This change modifies the rmi logic so that digest references don't keep
an image alive. If the last tag referencing a given image is deleted,
any digest references to it will be removed as well, so the image can
actually get deleted. This fixes the usability problem with deletions
when content trust is in use, so something like "docker pull busybox;
docker rmi busybox" will work as expected.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Remove the experimental docs for user namespaces and add similar content
to the `docker daemon` command documentation.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
the discovery without the key being already there in the store or
created beforehand and implicitely by a 'swarm join'.
Signed-off-by: Alexandre Beslic <abronan@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
This PR allows to configure the discovery path using the
--discovery-opt flag (with "kv.path=path/to/nodes"). We
can point to "docker/nodes" and use the docker discovery.
If docker instances are advertising to the cluster using
the `--cluster-advertise` flag, the swarm join command
becomes unnecessary.
Signed-off-by: Alexandre Beslic <abronan@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
The existing example didn't illustrate how to
install strace in the container. In addition,
the rhel7 image used is no longer public (and maintained)
so not a good image to use in the example.
This updates the example to use htop (strace is
not working without disabling apparmor for the container)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Implement configurable detach keys (for `attach`, exec`, `run` and
`start`) using the client-side configuration
- Adds a `--detach-keys` flag to `attach`, `exec`, `run` and `start`
commands.
- Adds a new configuration field (in `~/.docker/config.json`) to
configure the default escape keys for docker client.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
It's used for updating properties of one or more containers, we only
support resource configs for now. It can be extended in the future.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Add filter support for `network ls` to hide predefined network,
then user can use "docker network rm `docker network ls -f type=custom`"
to delete a bundle of userdefined networks.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Right now, the quiet (-q, --quiet) flag ignores the output
generated from within the container.
However, it ought to be quiet in a way that all kind
of diagnostic output should be ignored, unless the build
process fails.
This patch makes the quiet flag behave in the following way:
1. If the build process succeeds, stdout contains the image ID
and stderr is empty.
2. If the build process fails, stdout is empty and stderr
has the error message and the diagnostic output of that process.
If the quiet flag is not set, then everything goes to stdout
and error messages, if there are any, go to stderr.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
add a note around restart policies only working in detached mode
Signed-off-by: Aidan Feldman <aidan.feldman@gmail.com>
Update restart description with Mary's comments.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Allow passing mount propagation option shared, slave, or private as volume
property.
For example.
docker run -ti -v /root/mnt-source:/root/mnt-dest:slave fedora bash
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Closing the HTTP connection requesting a push or pull will cancel the
push or pull. This behavior also applies to the CLI.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fixes markdown formatting, and formatting of tables;
- Our markdown engine doesn't support spanning rows, so
re-wrapped table contents.
- Added a CSS-styles to prevent "code" blocks in tables
from wrapping
- The "logging drivers" table didn't have a header
- Aligned table borders in source code for better readability.
- Standardize on using `-it` in stead of -i -t or -ti
- Some markup issues
- Some minor textual fixups
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
libcontainer v0.0.4 introduces setting `/proc/self/oom_score_adj` to
better tune oom killing preferences for container process. This patch
simply integrates OomScoreAdj libcontainer's config option and adjust
the cli with this new option.
Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
It will Tar up contents of child directory onto tmpfs if mounted over
This patch will use the new PreMount and PostMount hooks to "tar"
up the contents of the base image on top of tmpfs mount points.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Closes#9798
@maintainers please note that this is a change to the UX. We no longer
require the -f flag on `docker tag` to move a tag from an existing image.
However, this does make us more consistent across our commands,
see https://github.com/docker/docker/issues/9798 for the history.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Docker daemon uses kv-store as the host-discovery backend.
Discovery module tracks the liveness of a node through a simple
keepalive mechanism. The keepalive mechanism depends on every
node performing heartbeat by registering itself with the discovery
module (via KV-Store Put operation). And for every Put operation,
the discovery module in all other nodes will receive a Watch
notification. That keeps the node alive.
Any node that fails to register itself within the TTL timer is
considered dead and removed from the discovery database.
The default timer (heartbeat = 20 seconds & ttl = 60 seconds)
works fine for small clusters. But for large clusters, these
default timers are extremely aggressive and that causes high CPU
& most of the processing is spent managing the node discovery
and that impacts normal daemon operation.
Hence we need a way to make the discovery ttl and heartbeat
configurable. As the cluster size grows, the user can change
these timers to make sure the daemon scales.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Plugin drivers were added to docker info in
https://github.com/docker/docker/pull/17300
but not added to the example output in the online
docs.
Also fixed mixed tabs/spaces in the API documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit enhance `docker network rm` command to allow user to delete
multi networks at the same time.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Fixes#16555
Original docker `cp` always copy symbol link itself instead of target,
now we provide '-L' option to allow docker to follow symbol link to real
target.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
* This commit will mark --before and --since as deprecated, but leave their behavior
unchanged until they are removed, then re-implement them as options for --filter.
* And update the related docs.
* Update the integration tests.
Fixes issue #17716
Signed-off-by: Wen Cheng Ma <wenchma@cn.ibm.com>
- Optional "--shm-size=" was added to the sub-command(run, create,and build).
- The size of /dev/shm in the container can be changed
when container is made.
- Being able to specify is a numerical value that applies number,
b, k, m, and g.
- The default value is 64MB, when this option is not set.
- It deals with both native and lxc drivers.
Signed-off-by: NIWA Hideyuki <niwa.hiedyuki@jp.fujitsu.com>
Our implementation of systemd cgroups is mixture of systemd api and
plain filesystem api. It's hard to keep it up to date with systemd and
it already contains some nasty bugs with new versions. Ideally it should
be replaced with some daemon flag which will allow to set parent systemd
slice.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
devmapper uses xfs by default now. So include xfsprogs in build
environment. Also update docs to reflect the new default.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This patch adds the ability to run `docker stats` w/o arguments and get
statistics for all running containers by default. Also add a new
`--all` flag to list statistics for all containers (like `docker ps`).
New running containers are added to the list as they show up also.
Add integration tests for this new behavior.
Docs updated accordingly. Fix missing stuff in man/commandline
reference for `docker stats`.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
The LXC driver was deprecated in Docker 1.8.
Following the deprecation rules, we can remove a deprecated feature
after two major releases. LXC won't be supported anymore starting on Docker 1.10.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The purpose of this PR is for users to distinguish Docker errors from
contained command errors.
This PR modifies 'docker run' exit codes to follow the chroot standard
for exit codes.
Exit status:
125 if 'docker run' itself fails
126 if contained command cannot be invoked
127 if contained command cannot be found
the exit status otherwise
Signed-off-by: Sally O'Malley <somalley@redhat.com>
- the /etc/hosts read caveat due to dynamic update
- information about docker_gwbridge
- Carries and closes#17654
- Updating with last change by Madhu
- Updating with the IPAM api 1.22
Signed-off-by: Mary Anthony <mary@docker.com>
Removing old networking.md
Updating dockernetworks.md with images
Adding information on network plugins
Adding blurb about links to docker networking
Updating the working documentation
Adding Overlay Getting Started
Downplaying links by removing refs/examples, adding refs/examples for network.
Updating getting started to reflect networks not links
Pulling out old network material
Updating per discussion with Madhu to add Default docs section
Updating with bridge default
Fix bad merge
Updating with new cluster-advertise behavior
Update working and NetworkSettings examples
Correcting example for default bridge discovery behavior
Entering comments
Fixing broken Markdown Syntax
Updating with comments
Updating all the links
Signed-off-by: Mary Anthony <mary@docker.com>
Added Note to show users that signals will not propagate to the container if the preferred exec form isn't used.
Signed-off-by: Eric Rosenberg <ehaydenr@gmail.com>
Adding Related information blocks
Final first draft pass: ready for review
Review comments
Entering comments from the gang
Updating connect to include paused
Signed-off-by: Mary Anthony <mary@docker.com>
This fixes the indentation of the storage driver
options list.
Also wraps/reformats some examples to prevent
horizontal scrollbars on the rendered HTML
Fixes#17140
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Refactor so that the Host flag validation doesn't destroy the user's input,
and then post process the flags when we know the TLS options
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
GitHub flavored markdown is now supported for links and images. Also, ran LinkChecker and FileResolver. Yay!
Fixes from Spider check
Output for docker/docker now goes into engine directory
Signed-off-by: Mary Anthony <mary@docker.com>
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
cleaning up docker run -v documentation for man and web reference guide
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
This leverages recent additions to libkv enabling client
authentication via TLS so the discovery back-end can be locked
down with mutual TLS. Example usage:
docker daemon [other args] \
--cluster-advertise 192.168.122.168:2376 \
--cluster-store etcd://192.168.122.168:2379 \
--cluster-store-opt kv.cacertfile=/path/to/ca.pem \
--cluster-store-opt kv.certfile=/path/to/cert.pem \
--cluster-store-opt kv.keyfile=/path/to/key.pem
Signed-off-by: Daniel Hiltgen <daniel.hiltgen@docker.com>