Commit Graph

219 Commits

Author SHA1 Message Date
Iain Samuel McLean Elder 8b408372f9 Describe privileged mode in terms of capabilities
I didn't see where in the page that `--privileged` mode adds all capabilities.

I think this page once did contain that information. I got it from a Stack Overflow answer that seems to have copied from an earlier version of this same document.

> Full container capabilities (--privileged)
>
> The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

https://stackoverflow.com/a/36441605/111424
Signed-off-by: Iain Samuel McLean Elder <iain@isme.es>
2022-02-08 14:58:25 +01:00
Peter Dave Hello 417f97605f Update most links in docs to use https by default
cc @thaJeztah docker/docker.github.io#13680

Signed-off-by: Peter Dave Hello <hsu@peterdavehello.org>
2021-10-15 15:04:36 +08:00
Sebastiaan van Stijn 47e5cfa9e9
docs: fix description of restart-delay to mention max (1 minute)
Commit 9bd3a7c029 (docker 17.04 and up) added a maximum timeout of 1 minute
to the restart timeout.

This patch updates the documentation to match the current behavior.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-22 17:55:45 +02:00
Sebastiaan van Stijn 47ba76afb1
docs: use "console" code-hint for shell examples
This replaces the use of bash where suitable, to allow easier copy/pasting
of shell examples without copying the prompt or process output.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-21 18:29:13 +02:00
Erik Humphrey 57e7680591
docs: Fix broken jump link
Signed-off-by: Erik Humphrey <erik.humphrey@carleton.ca>
2021-05-13 10:10:38 -04:00
Busindre 040210bfae Update the list of log drivers
Some new drivers were added to the "docker run" section to make the documentation more up to date.

Signed-off-by: d.alvarez <david.alvarez@flyeralarm.com>
2021-02-14 16:22:49 +01:00
DongGeon Lee 852fe05991 docs: Fix wrong variable name
Signed-off-by: LeeDongGeon <secmatth1996@gmail.com>
2021-01-23 19:04:15 +09:00
Sebastiaan van Stijn a4fb01f957
docs: add redirect for old reference URL
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-21 15:40:37 +01:00
Andres Leon Rangel dc287b9072
Long format for flag -w --workdir
Added Long format for the work directory option in docker run.

Signed-off-by: Andres LeonRangel <aleon1220@gmail.com>
2020-11-20 15:03:49 +13:00
Sebastiaan van Stijn 6a02a51c99
docs: remove some references to obsolete docker versions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-26 18:30:01 +01:00
Sebastiaan van Stijn 6065dccc98
Add docs and bash-completion for new Linux capabilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 16:22:43 +02:00
Sebastiaan van Stijn f19e31afe2
docs: add link to linux kernel source code for capabilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 16:22:41 +02:00
Sebastiaan van Stijn 72a357858c
docs: resize capabilities table
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 16:22:38 +02:00
Sebastiaan van Stijn 884a5ffbdf
docs: document CAP_AUDIT_READ
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:46:09 +02:00
Sebastiaan van Stijn 4e58c29513
docs: document optional "CAP_" prefix for capabilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:32:04 +02:00
Sebastiaan van Stijn 5bbdcd1c9d
docs: sort list of capabilities alphabetically
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:26:20 +02:00
Sebastiaan van Stijn 116c9a1f59
docs: fix links, and minor markdown touch-ups
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-30 00:17:28 +02:00
Sebastiaan van Stijn b73df4a231
docs/reference/run.md: touch-up markdown
- add code-fences with code-hints so that the right
  highlighting is applied
- reduced number of "notes", either by combining some,
  or by changing some to regular text.
- use tables for some option lists

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-19 17:52:38 +02:00
Sebastiaan van Stijn 5331358d3e
Fix PowerShell codehint for rouge
Rouge is case-sensitive, and only works with powershell
all lowercase.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 16:37:30 -07:00
Aleksa Sarai 647579068f
cli: add a separate --domainname flag
A while ago, Docker split the "Domainname" field out from the "Hostname"
field for the container configuration. There was no real user-visible
change associated with this (and under the hood "Domainname" was mostly
left unused from the command-line point of view). We now add this flag
in order to match other proposed changes to allow for setting the NIS
domainname of a container.

This also includes a fix for the --hostname parsing tests (they would
not error out if only one of .Hostname and .Domainname were incorrectly
set -- which is not correct).

Signed-off-by: Aleksa Sarai <asarai@suse.de>
2018-12-08 00:03:56 +11:00
Scott Brenner 50143cff12 Minor typo fix in run documentation
Quick syntax fix!

Signed-off-by: Scott Brenner <scott@scottbrenner.me>
2018-10-10 12:59:13 -07:00
Alex Mayer 2b0fdd0f17 Docs: Add Spaces Around Parenthesis Where Needed
Signed-off-by: Alex Mayer <amayer5125@gmail.com>
2018-09-28 17:40:22 -04:00
wyckster b59823c784
Fixed wrong apostrophe character
Changed unexpected Unicode character 0x1fbf GREEK PSILI that was standing in as an imposter for an apostrophe:  an _impostrophe_.

Signed-off-by: Chad Faragher <wyckster@hotmail.com>
2018-08-01 11:06:07 -04:00
taiji-tech 5119c4d8ef Update document links and title.
Signed-off-by: taiji-tech <csuhqg@foxmail.com>
2018-05-22 21:13:41 +08:00
David Beitey 8ca237054f Clarify behaviour of restart policy in run ref doc
This clarifies that the behaviour of `unless-stopped` will restart the container on daemon start.  This was implied before, but now the restart-on-daemon-start behaviour is mentioned directly.

Signed-off-by: David Beitey <david@davidjb.com>
2018-03-26 00:21:40 +10:00
Sebastiaan van Stijn e9ce688d6e
Docs touch-ups for "autoremove" and broken anchor
`--rm` moved to the daemon, so is now also supported
when combined with `-d`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-03-21 19:00:11 +01:00
T K Sourabh afcc78aae3 Corrected descriptions for MAC_ADMIN and MAC_OVERRIDE
The description for capabilities are mismatched for MAC_ADMIN and MAC_OVERRIDE.

Signed-off-by: T K Sourabh <sourabhtk37@gmail.com>
2017-12-21 16:06:32 +05:30
John Mulhausen 4a5db8d27e
Removing titles from md files
Signed-off-by: John Mulhausen <john@docker.com>
2017-10-13 15:24:06 -07:00
Misty Stanley-Jones 2801d382c6 Merge pull request #547 from rdxmb/small-change
small reference change
2017-10-05 11:56:33 -07:00
Frieder Bluemle 45c9b9b6c1
Fix GitHub spelling
Signed-off-by: Frieder Bluemle <frieder.bluemle@gmail.com>
2017-10-05 01:14:31 +08:00
Marc Bihlmaier 9490189cba small reference change
Signed-off-by: Marc Bihlmaier <marc.bihlmaier@reddoxx.com>
2017-09-22 10:49:30 +02:00
Tobias Gesellchen f8ed8d22c6 [docs] Fix typo in configration.
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
2017-09-10 23:12:29 +02:00
Vincent Demeester 8ebc03a71f Merge pull request #367 from kolyshkin/ipcmode
Introduce/document new IPC modes
2017-08-25 09:48:00 +02:00
Christophe Vidal 037029414d Dropped hyphen in bind mount where appropriate
Signed-off-by: Christophe Vidal <kriss@krizalys.com>
2017-08-19 21:14:48 +07:00
Kir Kolyshkin 9285db6752 Introduce/document new IPC modes
This builds (and depends) on https://github.com/moby/moby/pull/34087

Version 2:
 - remove --ipc argument validation (it is now done by daemon)
 - add/document 'none' value
 - docs/reference/run.md: add a table with better modes description
 - dockerd(8) typesetting fixes

Version 3:
 - remove ipc mode tests from cli/command/container/opts_test.go

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-08-05 17:49:53 -07:00
Kir Kolyshkin 6d85a4f5f8 Fix repo references in docs
Since CLI was moved to a separate repo, these references are incorrect.
Fixed with the help of sed script, verified manually.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-07-28 10:32:42 -07:00
Misty Stanley-Jones c63485b47d Clarify that you can use -d and --rm together now
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
2017-07-03 16:43:41 -07:00
Doug Davis ba4dcadcaa Merge pull request #32804 from bbodenmiller/patch-1
remove extra word
(cherry picked from commit 9db03bd8cdad3c8804105cb5794ebad5e728f48f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3eaec0071c3ce1b7201e37859afe5bcb78d4f215)
Signed-off-by: Tibor Vass <tibor@docker.com>
2017-06-14 02:48:46 +00:00
John V. Martinez a316bc3895 Improve documentation on the -e flag to the 'run' cli command. The ability to import the current value of an environment variable by simply naming the variable didn't seem to be documented anywhere. (see opts/env.go)
Signed-off-by: John V. Martinez <jvmatl@gmail.com>
2017-06-02 00:11:05 +00:00
Sebastiaan van Stijn 6a767c1711 fix confusing description of stdout/stdin pipe
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:11:05 +00:00
Elias Faxö c5071b94da Added start period option to health check.
Signed-off-by: Elias Faxö <elias.faxo@gmail.com>
2017-06-02 00:11:02 +00:00
Sebastiaan van Stijn afe91a5120 docs: remove outdated reference to updating /etc/hosts
Starting with docker 1.10, docker no longer uses
/etc/hosts for service discovery, but uses an
embedded DNS server. This patch removes a reference
to the old (pre 1.10) behavior.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:10:58 +00:00
Daniel Zhang 218740abc7 Add daemon flag to set no_new_priv as default for unprivileged containers.
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-06-02 00:10:55 +00:00
Nathan LeClaire b380c2eb63 Remove --init-path mention
Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>
2017-06-02 00:10:53 +00:00
Nathan LeClaire f571b363e6 Document --init flag for docker run
Signed-off-by: Nathan LeClaire <nathan.leclaire@gmail.com>
2017-06-02 00:10:53 +00:00
John Howard 8c24f5d5e7 Update run.md ENV docs
Signed-off-by: John Howard <jhoward@microsoft.com>
2017-06-02 00:10:49 +00:00
allencloud 175d21838a update docs about --oom-score-adj
Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-06-02 00:10:45 +00:00
Qinglan Peng 2d40fc55b8 fix some broken contents links
Signed-off-by: Qinglan Peng <qinglanpeng@zju.edu.cn>

fix-contents-links

Signed-off-by: Qinglan Peng <qinglanpeng@zju.edu.cn>
2017-06-02 00:10:44 +00:00
Yanqiang Miao e248501799 Fix some format errors
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>

update

Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
2017-06-02 00:10:42 +00:00
Yanqiang Miao 43a8f3b028 Fix a description of 'docker run [-a]'
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
2017-06-02 00:10:41 +00:00
Sebastiaan van Stijn f2573a87ed Revert reference docs for ambient capabilities
This feature was reverted for docker 1.13
in c5251f7116e3d9095a7169fc31bd170dff997c2e,
so removing the documentation as well.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:10:39 +00:00
Yong Tang ebacbb50ae Add `--dns-option` to `docker run` and hide `--dns-opt`
This fix is a follow up to #27567 based on:
https://github.com/docker/docker/pull/27567#issuecomment-259295055

In #27567, `--dns-options` has been added to `service create/update`,
together with `--dns` and `--dns-search`. The `--dns-opt` was used
in `docker run`.

This fix adds `--dns-option` (not `--dns-options`) to `docker run/create`, and hides
`--dns-opt`. It is still possible to use `--dns-opt` with
`docker run/create`, though it will not show up in help output.

This fix changes `--dns-options` to `--dns-option` for `docker service create`
and `docker service update`.

This fix also updates the docs and bash/zsh completion scripts.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-06-02 00:10:36 +00:00
Yong Tang d93d09acaa Add `--cpus` flag to control cpu resources
This fix tries to address the proposal raised in 27921 and add
`--cpus` flag for `docker run/create`.

Basically, `--cpus` will allow user to specify a number (possibly partial)
about how many CPUs the container will use. For example, on a 2-CPU system
`--cpus 1.5` means the container will take 75% (1.5/2) of the CPU share.

This fix adds a `NanoCPUs` field to `HostConfig` since swarmkit already
has a concept of NanoCPUs for tasks. The `--cpus` flag will translate
the number into reused `NanoCPUs` to be consistent.

This fix adds integration tests to cover the changes.

Related docs (`docker run` and Remote APIs) have been updated.

This fix fixes 27921.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-06-02 00:10:32 +00:00
Gaetan de Villele 572c6bb89a fix frontmatter keywords value type (string, instead of []string) in /docs/reference
Signed-off-by: Gaetan de Villele <gdevillele@gmail.com>
2017-06-02 00:10:31 +00:00
lixiaobing10051267 9b109cd9a7 fill all the rest invalid address because no related directory
Signed-off-by: lixiaobing10051267 <li.xiaobing1@zte.com.cn>
2017-06-02 00:10:30 +00:00
lixiaobing10051267 2603a9c1dd fill the complete address because of no userguide directory
Signed-off-by: lixiaobing10051267 <li.xiaobing1@zte.com.cn>
2017-06-02 00:10:30 +00:00
Erik St. Martin 42ef78911e Implementing support for --cpu-rt-period and --cpu-rt-runtime so that
containers may specify these cgroup values at runtime. This will allow
processes to change their priority to real-time within the container
when CONFIG_RT_GROUP_SCHED is enabled in the kernel. See #22380.

Also added sanity checks for the new --cpu-rt-runtime and --cpu-rt-period
flags to ensure that the kernel supports these features and that
runtime is not greater than period.

Daemon will support a --cpu-rt-runtime flag to initialize the parent
cgroup on startup, this prevents the administrator from alotting runtime
to docker after each restart.

There are additional checks that could be added but maybe too far? Check
parent cgroups to ensure values are <= parent, inspecting rtprio ulimit
and issuing a warning.

Signed-off-by: Erik St. Martin <alakriti@gmail.com>
2017-06-02 00:10:28 +00:00
Leo Gallucci 74e0f7857b Typo --ti and missing my_strace_docker_image
Signed-off-by: Leo Gallucci <leo.gallucci@zalando.de>
2017-06-02 00:10:28 +00:00
Misty Stanley-Jones 7f36c3a1a0 Sync docker/docker refs with files mistakenly edited in docker.github.io repo
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
2017-06-02 00:10:26 +00:00
Misty Stanley-Jones 2845676cc2 Convert Markdown frontmatter to YAML
Some frontmatter such as the weights, menu stuff, etc is no longer used
'draft=true' becomes 'published: false'

Signed-off-by: Misty Stanley-Jones <misty@docker.com>
2017-06-02 00:10:24 +00:00
Justin Cormack 856a50e733 Add support for ambient capabilities
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.

Previously there was no way to allow containers not running as root
capabilities in a useful way.

Fix #8460

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-02 00:10:13 +00:00
Josh Bodah 622f3bf19f Remove extra paren in `run --link` docs
Signed-off-by: Josh Bodah <jb3689@yahoo.com>
2017-06-02 00:10:10 +00:00
yuexiao-wang 2ff594515f clean up the run.md in reference
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2017-06-02 00:10:07 +00:00
Rich Moyse 463d68bde9 Fixes #25918 - Changed --permissive to --privileged.
Signed-off-by: Rich Moyse <rich@moyse.us>
2017-06-02 00:10:07 +00:00
Justin Cormack ff474eb300 Split list of capabilities into those added by default and those not
The documentation was a bit unhelpful as to what are the default
capabilities, so split.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-02 00:10:05 +00:00
Yong Tang 68ea0dc2d0 Update documentation for entrypoint unset with `docker run/create`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-06-02 00:10:04 +00:00
Aanand Prasad 897dc90656 Add note about --entrypoint overriding default command
Signed-off-by: Aanand Prasad <aanand.prasad@gmail.com>
2017-06-02 00:10:02 +00:00
Justin Cormack 6a983cc502 Document --oom-score-adj flag in docker run
This was only mentioned in docker create documentation.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-02 00:07:51 +00:00
Justin Cormack 8bc84934fb Expand the documentation of "no-new-privileges"
The change to runc in https://github.com/opencontainers/runc/pull/789
was not documented previously. Also say what this affects and clean
up layout of initial table as there was some miscolouration of the
continuation lines.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-02 00:07:50 +00:00
Arnaud Porterie (icecrime) 253a5f4ea2 Rename `--net` to `--network`
Add a `--network` flag which replaces `--net` without deprecating it
yet. The `--net` flag remains hidden and supported.

Add a `--network-alias` flag which replaces `--net-alias` without deprecating
it yet. The `--net-alias` flag remains hidden and supported.

Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
2017-06-02 00:07:50 +00:00
Alessandro Boch 987e5e6d8a Allow user to specify container's link-local addresses
Signed-off-by: Alessandro Boch <aboch@docker.com>
2017-06-02 00:07:44 +00:00
Victoria Bialas d3b7a2779e surfacing Learn by example topics to top level of Docker Engine docs
fixing links after moving surfacing tutorials

fixing more links for the newly located tutorials

Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
2017-06-02 00:07:43 +00:00
Shoubhik Bose 0a0bb19a33 Added example for using image digest in the docker run command
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>

Added explanation for the example with image's digest (as per @thaJeztah's comment)

Signed-off-by: Shoubhik Bose <sbose78@gmail.com>

Wrapped to ~80 chars

Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
2017-06-02 00:07:43 +00:00
Thomas Leonard 51ddea93a2 Add support for user-defined healthchecks
This PR adds support for user-defined health-check probes for Docker
containers. It adds a `HEALTHCHECK` instruction to the Dockerfile syntax plus
some corresponding "docker run" options. It can be used with a restart policy
to automatically restart a container if the check fails.

The `HEALTHCHECK` instruction has two forms:

* `HEALTHCHECK [OPTIONS] CMD command` (check container health by running a command inside the container)
* `HEALTHCHECK NONE` (disable any healthcheck inherited from the base image)

The `HEALTHCHECK` instruction tells Docker how to test a container to check that
it is still working. This can detect cases such as a web server that is stuck in
an infinite loop and unable to handle new connections, even though the server
process is still running.

When a container has a healthcheck specified, it has a _health status_ in
addition to its normal status. This status is initially `starting`. Whenever a
health check passes, it becomes `healthy` (whatever state it was previously in).
After a certain number of consecutive failures, it becomes `unhealthy`.

The options that can appear before `CMD` are:

* `--interval=DURATION` (default: `30s`)
* `--timeout=DURATION` (default: `30s`)
* `--retries=N` (default: `1`)

The health check will first run **interval** seconds after the container is
started, and then again **interval** seconds after each previous check completes.

If a single run of the check takes longer than **timeout** seconds then the check
is considered to have failed.

It takes **retries** consecutive failures of the health check for the container
to be considered `unhealthy`.

There can only be one `HEALTHCHECK` instruction in a Dockerfile. If you list
more than one then only the last `HEALTHCHECK` will take effect.

The command after the `CMD` keyword can be either a shell command (e.g. `HEALTHCHECK
CMD /bin/check-running`) or an _exec_ array (as with other Dockerfile commands;
see e.g. `ENTRYPOINT` for details).

The command's exit status indicates the health status of the container.
The possible values are:

- 0: success - the container is healthy and ready for use
- 1: unhealthy - the container is not working correctly
- 2: starting - the container is not ready for use yet, but is working correctly

If the probe returns 2 ("starting") when the container has already moved out of the
"starting" state then it is treated as "unhealthy" instead.

For example, to check every five minutes or so that a web-server is able to
serve the site's main page within three seconds:

    HEALTHCHECK --interval=5m --timeout=3s \
      CMD curl -f http://localhost/ || exit 1

To help debug failing probes, any output text (UTF-8 encoded) that the command writes
on stdout or stderr will be stored in the health status and can be queried with
`docker inspect`. Such output should be kept short (only the first 4096 bytes
are stored currently).

When the health status of a container changes, a `health_status` event is
generated with the new status. The health status is also displayed in the
`docker ps` output.

Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:41 +00:00
Yong Tang d1aaf129f2 The option --add-host and --net=host should not be mutually exclusive.
This fix tries to address the issue raised in #21976 and allows
the options of `--add-host` and `--net=host` to work at the same time.

The documentation has been updated and additional tests have been
added to cover this change.

This fix fixes #21976.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-06-02 00:07:40 +00:00
Yong Tang f17fb53f53 The option --dns, --dns-search, --dns-opt and --net=host should not be mutually exclusive.
This fix tries to address the issue raised in #21976 and allows
the options of `--dns`, `--dns-search`, `--dns-opt` and `--net=host`
to work at the same time.

The documentation has been updated and additional tests have been
added to cover this change.

This fix fixes #21976.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-06-02 00:07:40 +00:00
Michael Friis 3cc96bb891 remove duplicated text
Signed-off-by: Michael Friis <friism@gmail.com>
2017-06-02 00:07:39 +00:00
Sebastiaan van Stijn 563b5dab54 Remove MLS example from SELinux example in run reference
Automatic translation of MLS labels is currently not
supported, so should not be documented as an example.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:39 +00:00
Justin Cormack ba8f5cfbb8 Align default seccomp profile with selected capabilities
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.

While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.

It also cleans up some architecture specific system calls to be
only selected when needed.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-06-02 00:07:39 +00:00
Mrunal Patel 637048e176 Add support for --pid=container:<id>
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-06-02 00:07:39 +00:00
Yuan Sun d16947629c from inheritted to inherited
Signed-off-by: Yuan Sun <sunyuan3@huawei.com>
2017-06-02 00:07:37 +00:00
Doug Davis fe09131526 Remove unnecessary double-double quotes
Signed-off-by: Doug Davis <dug@us.ibm.com>
2017-06-02 00:07:37 +00:00
Yuan Sun 7d3bb7a6d0 remove "the" in docs.
Signed-off-by: Yuan Sun <sunyuan3@huawei.com>
2017-06-02 00:07:37 +00:00
Hao Zhang 64ba15e3a3 update cgroup link in doc of run
Signed-off-by: Hao Zhang <21521210@zju.edu.cn>
2017-06-02 00:07:37 +00:00
Sebastiaan van Stijn d192f97acc docs: add note about MAC addresses not being unique
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:36 +00:00
Kai Qiang Wu(Kennan) 6a5870dcfa Fix the old exit status example
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
2017-06-02 00:07:36 +00:00
Kai Qiang Wu(Kennan) a8a29fe7f5 Fix deprecated format for security-opt
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
2017-06-02 00:07:35 +00:00
Lei Jitang 42dfcc1d2a Correct the description of --group-add in run.md
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2017-06-02 00:07:35 +00:00
Sebastiaan van Stijn 0a13b2a1ce Un-deprecate auto-creation of host directories for mounts
Auto-creation of host-directories was marked deprecated in
Docker 1.9, but was decided to be too much of a backward-incompatible
change, so it was decided to keep the feature.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:35 +00:00
Brian Goff eba678647b Add explicit flags for volume cp/no-cp
This allows a user to specify explicitly to enable
automatic copying of data from the container path to the volume path.
This does not change the default behavior of automatically copying, but
does allow a user to disable it at runtime.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-06-02 00:07:32 +00:00
David Calavera a7364b3743 Consolidate security options to use `=` as separator.
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2017-06-02 00:07:32 +00:00
Dan Walsh 2d0316cb43 Fix documentation on --security-opt seccomp
Missing documentation and man pages on seccomp options.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-02 00:07:32 +00:00
Zhang Wei d219111855 Fix typo
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2017-06-02 00:07:32 +00:00
Jason Heiss 6bcb137d2f Allow --hostname with --net=host
Docker creates a UTS namespace by default, even with --net=host, so it
is reasonable to let the user set the hostname. Note that --hostname is
forbidden if the user specifies --uts=host.

Closes #12076
Signed-off-by: Jason Heiss <jheiss@aput.net>
2017-06-02 00:07:32 +00:00
Mrunal Patel d3f632156e Add support for NoNewPrivileges in docker
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Add tests for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Update documentation for no-new-privileges

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2017-06-02 00:07:31 +00:00
Jessica Frazelle 91d0d25ee4 update cap-add docs for seccomp
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2017-06-02 00:07:28 +00:00
Sian Lerk Lau 7c85fb1665 Improve usage details on overriding USER command in Docker run reference page
Signed-off-by: Sian Lerk Lau <kiawin@gmail.com>
2017-06-02 00:07:28 +00:00
Tianon Gravi a015293ff7 Remove "--group-add dbus" from busybox example (no dbus group in busybox anymore)
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2017-06-02 00:07:28 +00:00
Sebastiaan van Stijn d4fd7fd13b Fix docs for tmpfs (pr 19688)
Underlying files are no longer copied to the tmpfs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:27 +00:00
Mary Anthony 7910f01804 Creating Engine specific menu
Fixing the links
Updating with Seb's comments
Adding weight
Fixing the engine aliases
Updating after Arun pushed
Removing empty file

Signed-off-by: Mary Anthony <mary@docker.com>
2017-06-02 00:07:26 +00:00