Offer the ability to enable hairpin NAT on a per network basis, while
keeping it disable by default as it is unsupported by older kernel.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
When running under child subreaper mode, it's useful for nsenter to be able to
reap child processes. We have seen cases where spawned user processes wasnt
reaped properly (https://github.com/creationix/nvm/issues/650)
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
This is to support being able to DNAT/MASQ traffic from a container back into itself (dotcloud/docker#4442)
Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer)
The root problem this fixes is the docker daemon uses DefaulDependencies
for all of its scopes which means that the containers get killed by
systemd before the docker daemon is notified to shutdown. This means
that a docker run in a service file won't get ordered properly on
shutdown! This has affected many CoreOS users and is documented in
systemd as so:
"Unless DefaultDependencies=false is used, scope units will implicitly
have dependencies of type Conflicts= and Before= on shutdown.target."
Unfortunately, systemd didn't allow setting DefaultDependencies=false on
transient units until today:
systemd-run --scope --property="DefaultDependencies=false" /usr/bin/sleep 50000
Unknown assignment DefaultDependencies=false.
Failed to create message: Invalid argument
Fixed here:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=261420ba2a20305ad271b6f5f380aa74c5c9dd50
Discussion with systemd upstream:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026313.htmlhttp://lists.freedesktop.org/archives/systemd-devel/2015-February/027890.html
Tested with docker and systemd master as of today and it work for me.
Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
The gocapability package uses /proc/PID/status to get a bounding set.
If a container uses pidns without mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in this namespace.
In this case it can use /proc/self/status, which is always the right one.
Signed-off-by: Andrew Vagin <avagin@openvz.org>
This removes a new unused methods from the container interface and types
parameters such as os.Signal and WaitStatus
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Change the various config structs into one package and have a flatter
structure for easier use.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Issue with cmd.Wait is that it is waiting for closing pipes and if we
have forked processes which inherited pipes from parent, then we need to
kill them to unblock cmd.Wait.
Should fixdocker/docker#10303
Now idea is next:
- cmd.Process.Wait for init process dead
- Kill remaining processes in cgroup (pipes closed as side effect)
- use cmd.Wait for waiting pipes flushed to client
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Currently nsexec() creates a proxy process to enter into a pid namespace.
It isn't good, because we need to proxy an exit code and signals.
We can use CLONE_PARENT to fork a process with the right parent.
Signed-off-by: Andrey Vagin <avagin@openvz.org>
The only place I could find where libcontainer tries to write to the
container's root FS is when setting up the pivot dir, to be used on
pivot_root(2).
This makes the pivot base dir configurable, so a read-only FS can be
used as root FS of containers. Users can then specify a writeable
subpath to be used as pivot inside the container.
Signed-off-by: Fabio Kung <fabio@heroku.com> (github: fabiokung)