Address feedback from @jamtur01.

Docker-DCO-1.1-Signed-off-by: Andy Rothfusz <github@developersupport.net> (github: metalivedev)
2014-01-28 17:32:05 -08:00 · 2014-01-28 17:32:05 -08:00 · f3a032f27b
parent 07c4eda46a
commit f3a032f27b
2 changed files with 173 additions and 113 deletions
--- a/docs/sources/articles/runmetrics.rst
+++ b/docs/sources/articles/runmetrics.rst
@ -37,8 +37,8 @@ To figure out where your control groups are mounted, you can run:
 .. _run_findpid:
-Ennumerating Cgroups
+Enumerating Cgroups
--------------------
+-------------------
 You can look into ``/proc/cgroups`` to see the different control group
 subsystems known to the system, the hierarchy they belong to, and how
@ -71,7 +71,7 @@ container, take a look at ``/sys/fs/cgroup/memory/lxc/<longid>/``.
 Metrics from Cgroups: Memory, CPU, Block IO
 -------------------------------------------
-For each subsystem (memory, cpu, and block i/o), you will find one or
+For each subsystem (memory, CPU, and block I/O), you will find one or
 more pseudo-files containing statistics.
 Memory Metrics: ``memory.stat``
@ -79,7 +79,7 @@ Memory Metrics: ``memory.stat``
 Memory metrics are found in the "memory" cgroup. Note that the memory
 control group adds a little overhead, because it does very
-fine-grained accounting of the memory usage on your system. Therefore,
+fine-grained accounting of the memory usage on your host. Therefore,
 many distros chose to not enable it by default. Generally, to enable
 it, all you have to do is to add some kernel command-line parameters:
 ``cgroup_enable=memory swapaccount=1``.
@ -133,7 +133,7 @@ creation of the cgroup; this number can never decrease).
 cache 
  the amount of memory used by the processes of this control group
  that can be associated precisely with a block on a block
-  device. When you read and write files from and to disk, this amount
+  device. When you read from and write to files on disk, this amount
  will increase. This will be the case if you use "conventional" I/O
  (``open``, ``read``, ``write`` syscalls) as well as mapped files
  (with ``mmap``). It also accounts for the memory used by ``tmpfs``
@ -148,17 +148,11 @@ mapped_file
  control group. It doesn't give you information about *how much*
  memory is used; it rather tells you *how* it is used.
 pgpgin and pgpgout
  correspond to *charging events*. Each time a page is "charged"
  (=added to the accounting) to a cgroup, pgpgin increases. When a
  page is "uncharged" (=no longer "billed" to a cgroup), pgpgout
  increases.
 pgfault and pgmajfault 
  indicate the number of times that a process of the cgroup triggered
  a "page fault" and a "major fault", respectively. A page fault
  happens when a process accesses a part of its virtual memory space
-  which is inexistent or protected. The former can happen if the
+  which is nonexistent or protected. The former can happen if the
  process is buggy and tries to access an invalid address (it will
  then be sent a ``SIGSEGV`` signal, typically killing it with the
  famous ``Segmentation fault`` message). The latter can happen when
@ -237,7 +231,7 @@ the processes were in direct control of the CPU (i.e. executing
 process code), and ``system`` is the time during which the CPU was
 executing system calls on behalf of those processes.
-Those times are expressed in ticks of 1/100th of second. Actually,
+Those times are expressed in ticks of 1/100th of a second. Actually,
 they are expressed in "user jiffies". There are ``USER_HZ``
 *"jiffies"* per second, and on x86 systems, ``USER_HZ`` is 100. This
 used to map exactly to the number of scheduler "ticks" per second; but
@ -383,11 +377,11 @@ pseudo-files. (Symlinks are accepted.)
 In other words, to execute a command within the network namespace of a
 container, we need to:
-* find out the PID of any process within the container that we want to
+* Find out the PID of any process within the container that we want to
  investigate;
-* create a symlink from ``/var/run/netns/<somename>`` to
+* Create a symlink from ``/var/run/netns/<somename>`` to
  ``/proc/<thepid>/ns/net``
-* execute ``ip netns exec <somename> ....``
+* Execute ``ip netns exec <somename> ....``
 Please review :ref:`run_findpid` to learn how to find the cgroup of a
 pprocess running in the container of which you want to measure network
--- a/docs/sources/reference/run.rst
+++ b/docs/sources/reference/run.rst
@ -21,6 +21,7 @@ Every one of the :ref:`example_list` shows running containers, and so
 here we try to give more in-depth guidance.
 .. contents:: Table of Contents
   :depth: 2
 .. _run_running:
@ -37,24 +38,33 @@ To learn how to interpret the types of ``[OPTIONS]``, see
 The list of ``[OPTIONS]`` breaks down into two groups: 
-* options that define the runtime behavior or environment, and 
+1. Settings exclusive to operators, including:
 * options that override image defaults. 
-Since image defaults usually get set in :ref:`Dockerfiles
+   * Detached or Foreground running,
-<dockerbuilder>` (though they could also be set at :ref:`cli_commit`
+   * Container Identification,
-time too), we will group the runtime options here by their related
+   * Network settings, and
-Dockerfile commands so that it is easier to see how to override image
+   * Runtime Constraints on CPU and Memory
-defaults and set new behavior.
+   * Privileges and LXC Configuration
-We'll start, though, with the options that are unique to ``docker
+2. Setting shared between operators and developers, where operators
-run``, the options which define the runtime behavior or the container
+   can override defaults developers set in images at build time.
 environment.
-.. note:: The runtime operator always has final control over the
+Together, the ``docker run [OPTIONS]`` give complete control over
-   behavior of a Docker container.
+runtime behavior to the operator, allowing them to override all
 defaults set by the developer during ``docker build`` and nearly all
 the defaults set by the Docker runtime itself.
-Detached or Foreground
+Operator Exclusive Options
-======================
+==========================
 Only the operator (the person executing ``docker run``) can set the
 following options.
 .. contents::
   :local:
 Detached vs Foreground
 ----------------------
 When starting a Docker container, you must first decide if you want to
 run the container in the background in a "detached" mode or in the
@ -65,7 +75,7 @@ default foreground mode::
 Detached (-d)
 .............
-In detached mode (``-d=true`` or just ``-d``), all IO should be done
+In detached mode (``-d=true`` or just ``-d``), all I/O should be done
 through network connections or shared volumes because the container is
 no longer listening to the commandline where you executed ``docker
 run``. You can reattach to a detached container with ``docker``
@ -82,22 +92,68 @@ error. It can even pretend to be a TTY (this is what most commandline
 executables expect) and pass along signals. All of that is
 configurable::
-   -a=[]          : Attach to stdin, stdout and/or stderr
+   -a=[]          : Attach to ``stdin``, ``stdout`` and/or ``stderr``
   -t=false       : Allocate a pseudo-tty
   -sig-proxy=true: Proxify all received signal to the process (even in non-tty mode)
-   -i=false       : Keep stdin open even if not attached
+   -i=false       : Keep STDIN open even if not attached
 If you do not specify ``-a`` then Docker will `attach everything
 (stdin,stdout,stderr)
-<https://github.com/dotcloud/docker/blob/master/commands.go#L1797>`_. You
+<https://github.com/dotcloud/docker/blob/75a7f4d90cde0295bcfb7213004abce8d4779b75/commands.go#L1797>`_. You
-can specify which of the three standard streams (stdin, stdout,
+can specify to which of the three standard streams (``stdin``, ``stdout``,
-stderr) you'd like to connect between your  instead, as in::
+``stderr``) you'd like to connect instead, as in::
   docker run -a stdin -a stdout -i -t ubuntu /bin/bash
 For interactive processes (like a shell) you will typically want a tty
-as well as persistent standard in, so you'll use ``-i -t`` together in
+as well as persistent standard input (``stdin``), so you'll use ``-i
-most interactive cases.
+-t`` together in most interactive cases.
 Container Identification
 ------------------------
 Name (-name)
 ............
 The operator can identify a container in three ways:
 * UUID long identifier ("f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778")
 * UUID short identifier ("f78375b1c487")
 * Name ("evil_ptolemy")
 The UUID identifiers come from the Docker daemon, and if you do not
 assign a name to the container with ``-name`` then the daemon will
 also generate a random string name too. The name can become a handy
 way to add meaning to a container since you can use this name when
 defining :ref:`links <working_with_links_names>` (or any other place
 you need to identify a container). This works for both background and
 foreground Docker containers.
 PID Equivalent
 ..............
 And finally, to help with automation, you can have Docker write the
 container ID out to a file of your choosing. This is similar to how
 some programs might write out their process ID to a file (you've seen
 them as PID files)::
      -cidfile="": Write the container ID to the file
 Network Settings
 ----------------
 ::
   -n=true   : Enable networking for this container
   -dns=[]   : Set custom dns servers for the container
 By default, all containers have networking enabled and they can make
 any outgoing connections. The operator can completely disable
 networking with ``docker run -n`` which disables all incoming and outgoing
 networking. In cases like this, you would perform I/O through files or
 STDIN/STDOUT only.
 Your container will use the same DNS servers as the host by default,
 but you can override this with ``-dns``.
 Clean Up (-rm)
 --------------
@ -112,57 +168,84 @@ the container exits**, you can add the ``-rm`` flag::
   -rm=false: Automatically remove the container when it exits (incompatible with -d)
 Name (-name)
 ============
-The operator can identify a container in three ways:
+Runtime Constraints on CPU and Memory
 -------------------------------------
-* UUID long identifier ("f78375b1c487e03c9438c729345e54db9d20cfa2ac1fc3494b6eb60872e74778")
+The operator can also adjust the performance parameters of the container::
 * UUID short identifier ("f78375b1c487")
 * name ("evil_ptolemy")
-The UUID identifiers come from the Docker daemon, and if you do not
+   -m="": Memory limit (format: <number><optional unit>, where unit = b, k, m or g)
-assign a name to the container with ``-name`` then the daemon will
+   -c=0 : CPU shares (relative weight)
 also generate a random string name too. The name can become a handy
 way to add meaning to a container since you can use this name when
 defining :ref:`links <working_with_links_names>` (or any other place
 you need to identify a container). This works for both background and
 foreground Docker containers.
-PID Equivalent
+The operator can constrain the memory available to a container easily
-==============
+with ``docker run -m``. If the host supports swap memory, then the
 ``-m`` memory setting can be larger than physical RAM.
-And finally, to help with automation, you can have Docker write the
+Similarly the operator can increase the priority of this container
-container id out to a file of your choosing. This is similar to how
+with the ``-c`` option. By default, all containers run at the same
-some programs might write out their process ID to a file (you've seen
+priority and get the same proportion of CPU cycles, but you can tell
-them as .pid files)::
+the kernel to give more shares of CPU time to one or more containers
 when you start them via Docker.
-      -cidfile="": Write the container ID to the file
+Runtime Privilege and LXC Configuration
 ---------------------------------------
-Overriding Dockerfile Image Defaults
+::
-====================================
+
   -privileged=false: Give extended privileges to this container
   -lxc-conf=[]: Add custom lxc options -lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"
 By default, Docker containers are "unprivileged" and cannot, for
 example, run a Docker daemon inside a Docker container. This is
 because by default a container is not allowed to access any devices,
 but a "privileged" container is given access to all devices (see
 lxc-template.go_ and documentation on `cgroups devices
 <https://www.kernel.org/doc/Documentation/cgroups/devices.txt>`_).
 When the operator executes ``docker run -privileged``, Docker will
 enable to access to all devices on the host as well as set some
 configuration in AppArmor to allow the container nearly all the same
 access to the host as processes running outside containers on the
 host. Additional information about running with ``-privileged`` is
 available on the `Docker Blog
 <http://blog.docker.io/2013/09/docker-can-now-run-within-docker/>`_.
 An operator can also specify LXC options using one or more
 ``-lxc-conf`` parameters. These can be new parameters or override
 existing parameters from the lxc-template.go_. Note that in the
 future, a given host's Docker daemon may not use LXC, so this is an
 implementation-specific configuration meant for operators already
 familiar with using LXC directly.
 .. _lxc-template.go: https://github.com/dotcloud/docker/blob/master/execdriver/lxc/lxc_template.go
 Overriding ``Dockerfile`` Image Defaults
 ========================================
 When a developer builds an image from a :ref:`Dockerfile
 <dockerbuilder>` or when she commits it, the developer can set a
 number of default parameters that take effect when the image starts up
 as a container.
-Four of the Dockerfile commands cannot be overridden at runtime:
+Four of the ``Dockerfile`` commands cannot be overridden at runtime:
 ``FROM, MAINTAINER, RUN``, and ``ADD``. Everything else has a
 corresponding override in ``docker run``. We'll go through what the
-developer might have set in each Dockerfile instruction and how the
+developer might have set in each ``Dockerfile`` instruction and how the
 operator can override that setting.
 .. contents::
   :local:
-CMD
+CMD (Default Command or Options)
-...
+--------------------------------
-Remember the optional ``COMMAND`` in the Docker commandline::
+Recall the optional ``COMMAND`` in the Docker commandline::
  docker run [OPTIONS] IMAGE[:TAG] [COMMAND] [ARG...]
 This command is optional because the person who created the ``IMAGE``
-may have already provided a default ``COMMAND`` using the Dockerfile
+may have already provided a default ``COMMAND`` using the ``Dockerfile``
 ``CMD``. As the operator (the person running a container from the
 image), you can override that ``CMD`` just by specifying a new
 ``COMMAND``.
@ -171,22 +254,22 @@ If the image also specifies an ``ENTRYPOINT`` then the ``CMD`` or
 ``COMMAND`` get appended as arguments to the ``ENTRYPOINT``.
-ENTRYPOINT
+ENTRYPOINT (Default Command to Execute at Runtime
-..........
+-------------------------------------------------
 ::
   -entrypoint="": Overwrite the default entrypoint set by the image
-The ENTRYPOINT of an image is similar to a COMMAND because it
+The ENTRYPOINT of an image is similar to a ``COMMAND`` because it
 specifies what executable to run when the container starts, but it is
-(purposely) more difficult to override. The ENTRYPOINT gives a
+(purposely) more difficult to override. The ``ENTRYPOINT`` gives a
 container its default nature or behavior, so that when you set an
-ENTRYPOINT you can run the container *as if it were that binary*,
+``ENTRYPOINT`` you can run the container *as if it were that binary*,
 complete with default options, and you can pass in more options via
-the COMMAND. But, sometimes an operator may want to run something else
+the ``COMMAND``. But, sometimes an operator may want to run something else
-inside the container, so you can override the default ENTRYPOINT at
+inside the container, so you can override the default ``ENTRYPOINT`` at
-runtime by using a string to specify the new ENTRYPOINT. Here is an
+runtime by using a string to specify the new ``ENTRYPOINT``. Here is an
 example of how to run a shell in a container that has been set up to
 automatically run something else (like ``/usr/bin/redis-server``)::
@ -198,16 +281,14 @@ or two examples of how to pass more parameters to that ENTRYPOINT::
  docker run -i -t -entrypoint /usr/bin/redis-cli example/redis --help
-EXPOSE (``run`` Networking Options)
+EXPOSE (Incoming Ports)
-...................................
+-----------------------
-The *Dockerfile* doesn't give much control over networking, only
+The ``Dockerfile`` doesn't give much control over networking, only
-providing the EXPOSE instruction to give a hint to the operator about
+providing the ``EXPOSE`` instruction to give a hint to the operator
-what incoming ports might provide services. At runtime, however,
+about what incoming ports might provide services. The following
-Docker provides a number of ``run`` options related to networking::
+options work with or override the ``Dockerfile``'s exposed defaults::
   -n=true   : Enable networking for this container
   -dns=[]   : Set custom dns servers for the container
   -expose=[]: Expose a port from the container 
               without publishing it to your host
   -P=false  : Publish all exposed ports to the host interfaces
@ -217,25 +298,16 @@ Docker provides a number of ``run`` options related to networking::
               (use 'docker port' to see the actual mapping)
   -link=""  : Add link to another container (name:alias)
 By default, all containers have networking enabled and they can make
 any outgoing connections. The operator can completely disable
 networking with ``run -n`` which disables all incoming and outgoing
 networking. In cases like this, you would perform IO through files or
 stdin/stdout only.
 Your container will use the same DNS servers as the host by default,
 but you can override this with ``-dns``.
 As mentioned previously, ``EXPOSE`` (and ``-expose``) make a port
 available **in** a container for incoming connections. The port number
 on the inside of the container (where the service listens) does not
 need to be the same number as the port exposed on the outside of the
 container (where clients connect), so inside the container you might
 have an HTTP service listening on port 80 (and so you ``EXPOSE 80`` in
-the Dockerfile), but outside the container the port might be 42800.
+the ``Dockerfile``), but outside the container the port might be 42800.
 To help a new client container reach the server container's internal
-port operator ``-expose'd`` by the operator or ``EXPOSE'd`` by the
+port operator ``-expose``'d by the operator or ``EXPOSE``'d by the
 developer, the operator has three choices: start the server container
 with ``-P`` or ``-p,`` or start the client container with ``-link``.
@ -250,10 +322,10 @@ networking interface. Docker will set some environment variables in
 the client container to help indicate which interface and port to use.
 ENV (Environment Variables)
-...........................
+---------------------------
 The operator can **set any environment variable** in the container by
-using one or more ``-e``, even overriding those already defined by the
+using one or more ``-e`` flags, even overriding those already defined by the
 developer with a Dockefile ``ENV``::
   $ docker run -e "deep=purple" -rm ubuntu /bin/bash -c export
@ -287,7 +359,9 @@ container. Let's imagine we have a container running Redis::
   2014/01/25 00:55:38 Error: No public port '6379' published for 4241164edf6f
-Yet we can get information about the redis container's exposed ports with ``-link``. Choose an alias that will form a valid environment variable!
+Yet we can get information about the Redis container's exposed ports
 with ``-link``. Choose an alias that will form a valid environment
 variable!
 ::
@ -312,7 +386,7 @@ And we can use that information to connect from another container as a client::
   172.17.0.32:6379>
 VOLUME (Shared Filesystems)
-...........................
+---------------------------
 ::
@ -322,32 +396,24 @@ VOLUME (Shared Filesystems)
 The volumes commands are complex enough to have their own
 documentation in section :ref:`volume_def`. A developer can define one
-or more VOLUMEs associated with an image, but only the operator can
+or more ``VOLUME``\s associated with an image, but only the operator can
 give access from one container to another (or from a container to a
 volume mounted on the host).
 USER
-....
+----
-::
+The default user within a container is ``root`` (id = 0), but if the
 developer created additional users, those are accessible too. The
 developer can set a default user to run the first process with the
 ``Dockerfile USER`` command, but the operator can override it ::
   -u="": Username or UID
 WORKDIR
-.......
+-------
-::
+The default working directory for running binaries within a container is the root directory (``/``), but the developer can set a different default with the ``Dockerfile WORKDIR`` command. The operator can override this with::
   -w="": Working directory inside the container
 Performance
 ===========
 The operator can also adjust the performance parameters of the container::
   -c=0 : CPU shares (relative weight)
   -m="": Memory limit (format: <number><optional unit>, where unit = b, k, m or g)
   -lxc-conf=[]: Add custom lxc options -lxc-conf="lxc.cgroup.cpuset.cpus = 0,1"
   -privileged=false: Give extended privileges to this container