Offer the ability to enable hairpin NAT on a per-network basis, while
keeping it disabled by default as it is unsupported by older kernels.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
When running under child subreaper mode, it's useful for nsenter to be able to
reap child processes. We have seen cases where spawned user processes weren't
reaped properly (https://github.com/creationix/nvm/issues/650).
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
This is to support being able to DNAT/MASQ traffic from a container back into itself (dotcloud/docker#4442)
Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer)
The root problem this fixes is that the docker daemon uses DefaultDependencies
for all of its scopes which means that the containers get killed by
systemd before the docker daemon is notified to shutdown. This means
that a docker run in a service file won't get ordered properly on
shutdown! This has affected many CoreOS users and is documented in
systemd as so:
"Unless DefaultDependencies=false is used, scope units will implicitly
have dependencies of type Conflicts= and Before= on shutdown.target."
Unfortunately, systemd didn't allow setting DefaultDependencies=false on
transient units until today:
systemd-run --scope --property="DefaultDependencies=false" /usr/bin/sleep 50000
Unknown assignment DefaultDependencies=false.
Failed to create message: Invalid argument
Fixed here:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=261420ba2a20305ad271b6f5f380aa74c5c9dd50
Discussion with systemd upstream:
http://lists.freedesktop.org/archives/systemd-devel/2014-December/026313.html
http://lists.freedesktop.org/archives/systemd-devel/2015-February/027890.html
Tested with docker and systemd master as of today and it works for me.
Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
The gocapability package uses /proc/PID/status to get the bounding set.
If a container uses a pidns without a mntns, it sees /proc from the host
namespace, but the process doesn't know its own pid in that namespace.
In this case it can use /proc/self/status, which is always the right one.
Signed-off-by: Andrew Vagin <avagin@openvz.org>
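As an added illustration of the point made in the commit above (this is example code written here, not code from the commit, from libcontainer or from the gocapability package), the following Go program reads the capability bounding set the way the message recommends: from /proc/self/status rather than /proc/<pid>/status, so it does not depend on the process knowing its own pid in the pid namespace that owns the /proc mount. The function names parseCapBnd, boundingSetSelf and hasCap, the two capability constants, and the status text used in main are all assumptions of this example; the status text is constructed, not captured from a real system.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// parseCapBnd extracts the capability bounding set from the text of a
// /proc/<pid>/status file. The kernel prints it as a line of the form
// "CapBnd:\t<16 hex digits>", one bit per capability number.
func parseCapBnd(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapBnd:") {
			continue
		}
		hexval := strings.TrimSpace(strings.TrimPrefix(line, "CapBnd:"))
		return strconv.ParseUint(hexval, 16, 64)
	}
	if err := sc.Err(); err != nil {
		return 0, err
	}
	return 0, errors.New("CapBnd line not found in status text")
}

// boundingSetSelf returns the bounding set of the calling process.
// It deliberately opens /proc/self/status instead of
// fmt.Sprintf("/proc/%d/status", os.Getpid()): when the caller sits in a
// new pid namespace but still sees the host's /proc, os.Getpid() returns
// the pid inside the new namespace, which names a different (or no)
// process in the host's /proc. The kernel resolves "self" to the caller
// in the namespace of the mount, so that path is always the right one.
func boundingSetSelf() (uint64, error) {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		return 0, err
	}
	return parseCapBnd(string(data))
}

// hasCap reports whether capability number n is present in set.
func hasCap(set uint64, n uint) bool {
	return n < 64 && set&(uint64(1)<<n) != 0
}

// Capability numbers from <linux/capability.h> used in the demo below.
const (
	capNetBindService = 10 // CAP_NET_BIND_SERVICE
	capSysAdmin       = 21 // CAP_SYS_ADMIN
)

func main() {
	// Constructed sample: the CapBnd line of a process whose bounding set
	// was restricted to the lower 32 capability bits a container runtime
	// typically keeps (assumed value, not read from a live system).
	sample := "Name:\tsleep\nCapInh:\t0000000000000000\nCapBnd:\t00000000a80425fb\n"
	set, err := parseCapBnd(sample)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("sample bounding set: %#x\n", set)
	fmt.Println("CAP_NET_BIND_SERVICE:", hasCap(set, capNetBindService))
	fmt.Println("CAP_SYS_ADMIN:       ", hasCap(set, capSysAdmin))

	// Live read of our own bounding set; only works on Linux with /proc mounted.
	if live, err := boundingSetSelf(); err == nil {
		fmt.Printf("this process: %#x (CAP_SYS_ADMIN=%v)\n", live, hasCap(live, capSysAdmin))
	} else {
		fmt.Println("could not read /proc/self/status:", err)
	}
}
```

parseCapBnd is kept separate from the file read so the parsing can be exercised on constructed status text; only boundingSetSelf touches the kernel, and it is the one place where the /proc/self versus /proc/<pid> choice matters.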
This removes a few unused methods from the container interface and types
parameters such as os.Signal and WaitStatus.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Change the various config structs into one package and have a flatter
structure for easier use.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>