The `docker create` command shares most (all) of its options with `docker run`,
which uses `docker create` under the hood. The `docker create` reference docs
already referred users to the `docker run` sections for details, but some
flags were only documented on the `docker create` page.
This patch:
- moves those flags from the `docker create` to the `docker run` page
- does some minor rephrasing and touch-ups.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These options were added in 22cd418967,
but did not update the documentation.
Signed-off-by: Chee Hau Lim <cheehau.lim@mobimeo.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Explicitly mention flags and environment variables that were removed, to
make the deprecation more discoverable.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove mentions of which options are supported by Kubernetes.
Note that there's some filters remaining that were marked as "not supported
by swarm": those filters need to be checked if this is accurate (and if so,
those filters must be removed).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Removes the flags that have been deprecated or removed;
- --default-stack-orchestrator
- --kubernetes
- --kubeconfig
- --namespace
- --orchestrator
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I didn't see where in the page that `--privileged` mode adds all capabilities.
I think this page once did contain that information. I got it from a Stack Overflow answer that seems to have copied from an earlier version of this same document.
> Full container capabilities (--privileged)
>
> The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
https://stackoverflow.com/a/36441605/111424
Signed-off-by: Iain Samuel McLean Elder <iain@isme.es>
- expand a bit on what's happening
- clarify start of deprecation of the classic builder
- show examples of error and warning
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext
From https://go-review.googlesource.com/c/go/+/264159
> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.
This feature allowed using an encrypted private key with a supplied password,
but did not provide additional security as the encryption is known to be broken,
and the key is sitting next to the password in the filesystem. Users are recommended
to decrypt the private key, and store it un-encrypted to continue using it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change the order of received/written and sent/read in NET I/O and BLOCK I/O description reflect the order in I/O (Input/Output).
From example above:
CONTAINER NAME: awesome_brattain
BLOCK I/O: 147kB / 0B
awesome_brattain has written 147kB and read 0B
Signed-off-by: Tomas Bäckman <larstomas@gmail.com>
Ubuntu version references were a mixture of 14.04 (in descriptions) and 20.04 (in example code). Updated description references to 20.04 to match example code.
Signed-off-by: Mike Dalton <mikedalton@github.com>
Commit 9bd3a7c029
(docker 17.04 and up) added a maximum timeout of 1 minute to the
restart timeout.
This patch updates the documentation to match the current behavior.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The DefaultStopSignal const has been deprecated, because the daemon already
handles a default value. The current code did not actually send the default
value unless the flag was set, which also made the flag description incorrect,
because in that case, the _daemon's_ default would be used, which could
potentially be different as was specified here.
This patch removes the default value from the flag, leaving it to the daemon
to set a default.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The /go/ redirects are now defined in the docs repository, so the one
we defined here can be removed.
Also adds a missing redirect for an old URL to the main CLI page.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This replaces the use of bash where suitable, to allow easier copy/pasting
of shell examples without copying the prompt or process output.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- make sure the target directory is created if missing
- add support for custom ID's in headings through `<a>` tags (e.g.
`<a name=heading2></a>`). This allows use of custom anchors that
work both on GitHub (GFM doesn't support extended MarkDown), and
in Jekyll (which does).
- add code to cleanup markdown for use in our docs:
- remove absolute URLs to https://docs.docker.com
- remove tabs in MarkDown, and convert them to 4 spaces. This
prevents the YAML conversion from switching between "short"
and "long" syntax. Tabs in code examples also don't always
work well, so using spaces doesn't hurt for that.
- refactor some code for readability, and to be less "hacky" (still
lots to be improved though)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext
From https://go-review.googlesource.com/c/go/+/264159
> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Support for ALL_PROXY as default build-arg was added recently in
buildkit and the classic builder.
This patch adds the `ALL_PROXY` environment variable to the list of
configurable proxy variables, and updates the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This link worked on GitHub, but was broken on docs.docker.com, so
replacing with a regular link directly to the docs instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Jekyll doesn't work well with markdown links that are wrapped, so changing
the link to be on a single line.
While at it, also added/changed some code-hints.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
More improvements can be made, but this makes a start on cleaning up
this page:
- Reorganise configuration file options into sections
- Use tables for related options to make them easier to find
- Add warning about the config file's possibility to contain sensitive information
- Some MarkDown touch-ups (use "console" code-hint to assist copy/paste)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is mostly a copy of the equivalent `docker secret` commands,
which uses the same mechanisms behind the hood (hence, are 90% the
same).
We can make further refinements to these docs, but this gives us
a starting point.
Adding these documents, because there were some links pointing to
these pages in the docs, but there was no markdown file to link to
on GitHub.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- rename "experimental" to "labs"
- rephrase recommendation for picking a version
- clarify that the "labs" channel provides a superset of the "stable" channel.
- remove "External implementation features" section, because it overlapped
with the "syntax" section.
- removed `:latest` from the "stable" channel (generally not recommended)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- update some examples to show the BuildKit output
- remove some wording about "images" being used for the build cache
- add a link to the `--cache-from` section
- added a link to "scanning your image with `docker scan`"
- updated link to "push your image"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use "console" for code-hints, to make process output distinguishable
from the commands that are executed
- use a consistent prompt for powershell examples
- minor changes in wording around "build context" to reduce confusion
with `docker context`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These options are available in Docker 20.10 and up, but were
previously only available in Docker EE, and not documented.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Updates the stop.md doc to mention that the stop signal can be changed, either with the Dockerfile or via `docker run --stop-signal`. This is a real gotcha if you're not familiar with this feature and build a container that extends a container that uses `STOPSIGNAL`.
Signed-off-by: Christopher Vermilion <christopher.vermilion@gmail.com>
recommend using `docker container prune`, but show an example on
how to combine commands with a bit more context and warnings
about portability/compatibility.
Thanks to Charlie Arehart to do the initial work on this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some new drivers were added to the "docker run" section to make the documentation more up to date.
Signed-off-by: d.alvarez <david.alvarez@flyeralarm.com>
These options were deprecated and removed in the Linux kernel v5.0 and up in;
- f382fb0bce
- fb5772cbfe
- 23aa16489c
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker Engine v20.10 and up includes optimizations to verify if images in the
local image cache need updating before pulling, preventing the Docker Engine
from making unnecessary API requests. These optimizations require the container
image registry to conform to the Open Container Initiative Distribution Specification
(https://github.com/opencontainers/distribution-spec).
While most registries conform to the specification, we encountered some registries
to be non-compliant, resulting in `docker pull` to fail.
As a temporary solution, Docker Engine v20.10 includes a fallback mechanism to
allow `docker pull` to be functional when using a non-compliant registry. A
warning message is printed in this situation:
WARNING Failed to pull manifest by the resolved digest. This registry does not
appear to conform to the distribution registry specification; falling back to
pull by tag. This fallback is DEPRECATED, and will be removed in a future
release.
The fallback is added to allow users to either migrate their images to a compliant
registry, or for these registries to become compliant.
Note that this fallback only addresses failures on `docker pull`. Other commands,
such as `docker stack deploy`, or pulling images with `containerd` will continue
to fail.
Given that other functionality is still broken with these registries, we consider
this fallback a _temporary_ solution, and will remove the fallback in an upcoming
major release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like the YAML conversion doesn't like lines starting with `[`, and
causing it to use the "compact" formatting in the generated YAML.
This patch un-wraps these lines to prevent this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
To create this, I ran every JSON document through `jq -S` (which sorts the keys and consistently pretty-prints the result in a format which matches the majority of documents in this file).
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Docker v17.07 introduced an experimental `--stream` flag on `docker build` which
allowed the build-context to be incrementally sent to the daemon, instead of
unconditionally sending the whole build-context.
This functionality has been reimplemented as part of BuildKit, which uses streaming
by default and the `--stream` option will be ignored when using the classic builder,
printing a deprecation warning instead.
Users that want to use this feature are encouraged to enable BuildKit by setting
the `DOCKER_BUILDKIT=1` environment variable or through the daemon or CLI configuration
files.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The experimental feature to run Linux containers on Windows (LCOW) was introduced
as a technical preview in Docker 17.09. While many enhancements were made after
its introduction, the feature never reached completeness, and development has
now stopped in favor of running docker natively on Linux in WSL2.
Developers that need to run Linux workloads on a Windows host are encouraged
to use Docker Desktop with WSL2 instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The CLI disabled experimental features by default, requiring users
to set a configuration option to enable them.
Disabling experimental features was a request from Enterprise users
that did not want experimental features to be accessible.
We are changing this policy, and now enable experimental features
by default. Experimental features may still change and/or removed,
and will be highlighted in the documentation and "usage" output.
For example, the `docker manifest inspect --help` output now shows:
EXPERIMENTAL:
docker manifest inspect is an experimental feature.
Experimental features provide early access to product functionality. These features
may change between releases without warning or can be removed entirely from a future
release. Learn more about experimental features: https://docs.docker.com/go/experimental/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some deprecations are ammended during a major (YY.MM) release, to
inform users as early as possible about deprecations. Removing the
minor version from this overview clarifies that features are
marked deprecated during which major release's lifecycle.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If a file contains trailing whitespace, the YAML generator uses a
compact format, which is hard to read.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Dockerfile `ENV` instruction allows values to be set using either `ENV name=value`
or `ENV name value`. The latter (`ENV name value`) form can be ambiguous, for example,
the following defines a single env-variable (`ONE`) with value `"TWO= THREE=world"`,
but may have intended to be setting three env-vars:
ENV ONE TWO= THREE=world
This format also does not allow setting multiple environment-variables in a single
`ENV` line in the Dockerfile.
Use of the `ENV name value` syntax is discouraged, and may be removed in a future
release. Users are encouraged to update their Dockerfiles to use the `ENV name=value`
syntax, for example:
ENV ONE="" TWO="" THREE="world"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `ENV key value` form can be ambiguous, for example, the following defines
a single env-variable (`ONE`) with value `"TWO= THREE=world"`:
ENV ONE TWO= THREE=world
While we cannot deprecate/remove that syntax (as it would break existing
Dockerfiles), we should reduce exposure of the format in our examples.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When creating and updating services, we need to avoid unneeded service churn.
The interaction of separate lists to "add" and "drop" capabilities, a special
("ALL") capability, as well as a "relaxed" format for accepted capabilities
(case-insensitive, `CAP_` prefix optional) make this rather involved.
This patch updates how we handle `--cap-add` / `--cap-drop` when _creating_ as
well as _updating_, with the following rules/assumptions applied:
- both existing (service spec) and new (values passed through flags or in
the compose-file) are normalized and de-duplicated before use.
- the special "ALL" capability is equivalent to "all capabilities" and taken
into account when normalizing capabilities. Combining "ALL" capabilities
and other capabilities is therefore equivalent to just specifying "ALL".
- adding capabilities takes precedence over dropping, which means that if
a capability is both set to be "dropped" and to be "added", it is removed
from the list to "drop".
- the final lists should be sorted and normalized to reduce service churn
- no validation of capabilities is handled by the client. Validation is
delegated to the daemon/server.
When deploying a service using a docker-compose file, the docker-compose file
is *mostly* handled as being "declarative". However, many of the issues outlined
above also apply to compose-files, so similar handling is applied to compose
files as well to prevent service churn.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>