We need SETFCAP to be able to mark files as having caps, which is
heavily used by fedora.
See https://github.com/dotcloud/docker/issues/5928
We also need SETPCAP, for instance systemd needs this to set caps
on its children.
Both of these are safe in the sense that they can never ever
result in a process with a capability not in the bounding set of the
container.
We also add NET_BIND_SERVICE caps, to be able to bind to ports lower
than 1024.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Without this any container startup fails:
2014/05/20 09:20:36 setup mount namespace copy additional dev nodes mknod fuse operation not permitted
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
This changes the test TestBuildWithInaccessibleFilesInContext to not
add the user 'unprivilegeduser' and add it via the Dockerfile instead.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Fixes #5849
If the host system does not have fuse enabled in the kernel config we
will ignore the is not exist errors when trying to copy the device node
from the host system into the container.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Some applications want to write to /proc. For instance:
docker run -it centos groupadd foo
Gives: groupadd: failure while writing changes to /etc/group
And strace reveals why:
open("/proc/self/task/13/attr/fscreate", O_RDWR) = -1 EROFS (Read-only file system)
I've looked at what other systems do, and systemd-nspawn makes /proc read-write
and /proc/sys readonly, while lxc allows "proc:mixed" which does the same,
plus it makes /proc/sysrq-trigger also readonly.
The latter seems like a prudent idea, so we follow lxc proc:mixed.
Additionally we make /proc/irq and /proc/bus, as these seem to let
you control various hardware things.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
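An added audit helper, not part of the commit above or of Docker itself: it parses /proc/self/mountinfo and reports which of the proc:mixed expectations are not met (/proc read-write; /proc/sys, /proc/sysrq-trigger, /proc/irq and /proc/bus read-only, the last two assumed to be read-only as the message intends). The embedded mountinfo sample is constructed for the example and deliberately leaves /proc/bus writable.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// Sub-mounts that a proc:mixed style setup must expose read-only.
var readOnlyProcPaths = []string{"/proc/sys", "/proc/sysrq-trigger", "/proc/irq", "/proc/bus"}

// mountFlags parses mountinfo text into mount point -> per-mount options.
// mountinfo fields: id parent maj:min root mountpoint options ... - fstype source superopts
func mountFlags(mountinfo string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 {
			continue // malformed or blank line
		}
		out[f[4]] = f[5]
	}
	return out
}

func hasOpt(opts, want string) bool {
	for _, o := range strings.Split(opts, ",") {
		if o == want {
			return true
		}
	}
	return false
}

// checkProcMixed returns the paths that are missing or in the wrong mode.
func checkProcMixed(mountinfo string) []string {
	flags := mountFlags(mountinfo)
	var bad []string
	if opts, ok := flags["/proc"]; !ok || !hasOpt(opts, "rw") {
		bad = append(bad, "/proc")
	}
	for _, p := range readOnlyProcPaths {
		if opts, ok := flags[p]; !ok || !hasOpt(opts, "ro") {
			bad = append(bad, p)
		}
	}
	return bad
}

// Constructed sample: everything as expected except /proc/bus, which is still rw.
const sampleMountinfo = `27 20 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
28 27 0:4 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
29 27 0:4 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
30 27 0:4 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
31 27 0:4 /bus /proc/bus rw,nosuid,nodev,noexec,relatime - proc proc rw`

func main() {
	fmt.Println("sample, not hardened:", checkProcMixed(sampleMountinfo)) // [/proc/bus]
	if b, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		fmt.Println("this process, not hardened:", checkProcMixed(string(b)))
	}
}
```

Run it inside a container to see which of the sub-mounts are still writable there; an empty list means the layout matches the commit's intent.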
For issue #5658 this rewrite of the networking page explains what every
single option (unless I missed one!) does both for the Docker server and
also the Docker client when submitting a "docker run". I somehow
thought that, when I was done, there would be a lot more about setting
up topologies like I did for my Foundations of Python Network
Programming network of Docker containers. More about making routers and
firewalls that NAT and so forth. But, at least for this draft, I think
that setting up subnets and setting up point-to-point links is most of
what Docker users will need unless they are doing something exotic.
We can always expand later.
Docker-DCO-1.1-Signed-off-by: Brandon Rhodes <brandon@rhodesmill.org> (github: brandon-rhodes)
Improve networking.md documentation per @jamtur01
Besides catching some typos and awkward sentences, @jamtur01 had several
more thorough changes to suggest:
* He illustrated the correct way to delimit "Note" paragraphs in
Docker documentation.
* He helped point out where I was presuming an Ubuntu host running
Docker, so that I could re-word those sections to be specific that
the advice only applied to Ubuntu (these mostly related to how to
set server-wide options and restart the server).
* He is happy to have "Ethernet" capitalized even where Linux
documentation would render it with an ugly lower-case first letter.
Docker-DCO-1.1-Signed-off-by: Brandon Rhodes <brandon@rhodesmill.org> (github: brandon-rhodes)
Improve networking.md per ideas from @SvenDowideit
A response to a bit of further discussion of pull request #5884.