This moves the bind mounts like /.dockerinit, /etc/hostname, volumes,
etc into the container namespace, by setting them up using lxc.
This is useful to avoid littering the global namespace with a lot of
mounts that are internal to each container and are not generally
needed on the outside. In particular, it seems that having a lot of
mounts is problematic wrt scaling to a lot of containers on systems
where the root filesystem is mounted --rshared.
Note that the "private" option is only supported by the native driver, as
lxc doesn't support setting this. This is not a huge problem, but it does
mean that some mounts are unnecessarily shared inside the container if you're
using the lxc driver.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Since these functions are indepenent of lxc, and could be used by
other drivers.
Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
If you are using jumbo frames the host side of the veth was being set to
1500. Docker would set the MTU of the container side of the veth to 9001.
This would lead to a situation in which the two sides of the veth had
different MTU sizes causing issues in network traffic.
Docker-DCO-1.1-Signed-off-by: Darren Shepherd <darren.s.shepherd@gmail.com> (github: ibuildthecloud)
With this capability set the container can e.g. change the ip address
of his devices to that of another container on the docker0 bridge. In
a quick test I was able to listen to a port on a different ip than the
one docker assigned me, but was not able to hijack an open port
redirection that another container had open. Maybe its possible with
some more knowledge of networking though.
Anyway, network setup is meant to be handled by docker, not the apps,
so I believe denying this is generally in the spirit of docker, and
it closes down potential security issues.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
If networking is disabled, but then pipework is used later to add nics, the network still doesn't function. Using flags=up for empty networking fixes this.
Docker-DCO-1.1-Signed-off-by: James DeFelice <james.defelice@ishisystems.com> (github: jdef)
This code only works for backends that directly spawn the child
via the Command. It will not work for the libvirt backend. So
we move this code into the individual backends that need it.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
If rootIsShared() is detected we apply the shell stuff to early, before
the real command and arguments are added to the parameters. This
means they get passed on to unshare rather than docker-init, breaking
docker on e.g. fedora like:
goroutine 1 [running]:
runtime.panic(0x678340, 0x9b3fd7)
/usr/lib64/golang/src/pkg/runtime/panic.c:266 +0xb6
github.com/dotcloud/docker/execdriver/lxc.func·001(0xc21000a1b0, 0xc21001eab0, 0x7fff24715faf)
/home/alex/vcs/go/src/github.com/dotcloud/docker/execdriver/lxc/driver.go:41 +0x525
github.com/dotcloud/docker/sysinit.executeProgram(0xc21000a1b0, 0xc21000a1b0, 0xa)
/home/alex/vcs/go/src/github.com/dotcloud/docker/sysinit/sysinit.go:34 +0xca
github.com/dotcloud/docker/sysinit.SysInit()
/home/alex/vcs/go/src/github.com/dotcloud/docker/sysinit/sysinit.go:88 +0x791
main.main()
/home/alex/vcs/go/src/github.com/dotcloud/docker/dockerinit/dockerinit.go:14 +0x1a
The fix is to construct the full params array before escaping it.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Use Resources to represent container limits rather than a cgroup specific field.
Docker-DCO-1.1-Signed-off-by: Paul Nasrat <pnasrat@gmail.com> (github: pnasrat)
Alexander Larsson
Guillaume J. Charmes
unclejack
Michael Crosby
Victor Vieux
Vincent Batts
Darren Shepherd
Guillaume J. Charmes
James DeFelice
Tianon Gravi
Chia-liang Kao
Paul Nasrat