People have reported the following issue with overlay
$ docker run -ti --name=foo -v /dev/:/dev fedora bash
$ docker cp foo:/bin/bash /tmp
$ exit container
Upon container exit, /dev/pts gets unmounted too. This happens because
docker cp volume mounts get propagated to /run/docker/libcontainerd/....
and when the container exits, it must be tearing down the mount point under
/run/docker/libcontainerd/... and as these are "shared" mounts it
propagates events to /dev/pts and it gets unmounted too.
One way to solve this problem is to make sure "docker cp" volume mounts
don't become visible under /run/docker/libcontainerd/..
Here are more details of what is actually happening.
Make the overlay home directory (/var/lib/docker/overlay) a private mount when
docker starts and unmount it when docker stops. The following is the reason
to do it.
In Fedora and some other distributions / is "shared". That means when
docker creates a container and mounts its root in /var/lib/docker/overlay/...
that mount point is "shared".
Looks like after that containerd/runc bind mounts that rootfs into
/run/docker/libcontainerd/container-id/rootfs. And this puts both source
and destination mount points in a shared group and they both are set up
to propagate mount events to each other.
Later when "docker cp" is run it sets up container volumes under
/var/lib/docker/overlay/container-id/... And all these mounts propagate
to /run/docker/libcontainerd/... Now mountVolumes() makes these new
mount points private but by that time propagation has already happened
and private only takes effect when unmount happens.
So to stop this propagation of volumes by docker cp, make
/var/lib/docker/overlay a private mount point. That means when a container
rootfs is created, that mount point will be private too (it will inherit
the property from its parent). And that means when the bind mount happens in the /run/
dir, the overlay mount point will not propagate mounts to /run/.
Other graphdrivers like devicemapper are already doing it and they don't
face this issue.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
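To check on a host whether the condition this commit describes is present, here is an added example in POSIX shell; it is not part of the commit or of Docker itself. It parses mountinfo (the same data as /proc/self/mountinfo) and reports each mount's propagation type, so you can verify whether /var/lib/docker/overlay is a private mount and list which mounts under a prefix are still shared; make_private performs the bind-onto-itself plus --make-private step the commit describes. The two mountinfo samples are constructed by me, the container id abc123 and the exact path layout under /run/docker/libcontainerd are assumptions, and the function names are my own.

```shell
#!/bin/sh
# Added example (not Docker code): inspect mount propagation from mountinfo.
# /proc/<pid>/mountinfo has one mount per line:
#   id parent major:minor root mountpoint opts [optional fields...] - fstype source superopts
# The optional fields carry propagation: "shared:N", "master:N" (slave), "unbindable".
# A mount with none of them is private. The kernel escapes spaces in paths as \040;
# this example does not unescape them.

# Constructed sample of a host BEFORE the fix: / is shared, /var/lib/docker/overlay is a
# plain directory (not a mount point), so a container rootfs mounted there inherits "shared".
SAMPLE_BEFORE="${TMPDIR:-/tmp}/mountinfo.before.$$"
cat > "$SAMPLE_BEFORE" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
26 22 0:20 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620
41 22 0:35 / /var/lib/docker/overlay/abc123/merged rw,relatime shared:7 - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
EOF

# Constructed sample AFTER the fix: the overlay home is bind-mounted onto itself and made
# private, so the container rootfs under it is private too; the bind mount runc/containerd
# made under /run/docker/libcontainerd (assumed path) carries its own propagation flags.
SAMPLE_AFTER="${TMPDIR:-/tmp}/mountinfo.after.$$"
cat > "$SAMPLE_AFTER" <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
25 22 0:6 / /dev rw,nosuid shared:2 - devtmpfs devtmpfs rw,size=4096k
26 25 0:20 / /dev/pts rw,nosuid,noexec,relatime shared:3 - devpts devpts rw,gid=5,mode=620
40 22 8:1 /var/lib/docker/overlay /var/lib/docker/overlay rw,relatime - ext4 /dev/sda1 rw
41 40 0:35 / /var/lib/docker/overlay/abc123/merged rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
50 22 0:35 / /run/docker/libcontainerd/abc123/rootfs rw,relatime shared:9 master:3 - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w
EOF
trap 'rm -f "$SAMPLE_BEFORE" "$SAMPLE_AFTER"' EXIT

# mount_propagation MOUNTINFO MOUNTPOINT
# Prints shared | slave | shared-slave | unbindable | private for the topmost mount at
# MOUNTPOINT (stacked mounts appear in order, so the last matching line wins).
# Exits 1 when nothing is mounted there.
mount_propagation() {
  awk -v mp="$2" '
    $5 == mp {
      shared = 0; slave = 0; unbind = 0
      for (i = 7; i <= NF && $i != "-"; i++) {
        if ($i ~ /^shared:/) shared = 1
        else if ($i ~ /^master:/) slave = 1
        else if ($i == "unbindable") unbind = 1
      }
      if (unbind) result = "unbindable"
      else if (shared && slave) result = "shared-slave"
      else if (shared) result = "shared"
      else if (slave) result = "slave"
      else result = "private"
      found = 1
    }
    END {
      if (!found) exit 1
      print result
    }
  ' "$1"
}

# shared_mounts_under MOUNTINFO PREFIX: print every mount point starting with PREFIX
# that is in a shared peer group (the ones that would propagate events elsewhere).
shared_mounts_under() {
  awk -v prefix="$2" '
    index($5, prefix) == 1 {
      for (i = 7; i <= NF && $i != "-"; i++)
        if ($i ~ /^shared:/) { print $5; break }
    }' "$1"
}

# overlay_home_is_private MOUNTINFO: succeeds only if /var/lib/docker/overlay is itself
# a mount point and private, i.e. the state the commit establishes at daemon start.
overlay_home_is_private() {
  [ "$(mount_propagation "$1" /var/lib/docker/overlay)" = private ]
}

# make_private DIR: the remediation described in the commit, to run as root on a live
# host. A plain directory has no propagation flags, so bind it onto itself first.
make_private() {
  mount --bind "$1" "$1" && mount --make-private "$1"
}

# Stand-alone use: compare the two constructed samples. On a real host, pass
# /proc/self/mountinfo instead of a sample file.
for f in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
  echo "== $f"
  for mp in / /dev/pts /var/lib/docker/overlay /var/lib/docker/overlay/abc123/merged; do
    printf '%-45s %s\n' "$mp" "$(mount_propagation "$f" "$mp" || echo '(not a mount point)')"
  done
  overlay_home_is_private "$f" && echo "overlay home is private" || echo "overlay home is NOT private"
done
```

The check a packager or operator wants is overlay_home_is_private against /proc/self/mountinfo of the docker daemon's mount namespace; a shared result for the container's merged directory is the inherited-from-/ state the commit removes.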
Distro packagers will often use the tarball to build a package and have
the build script for the package in git. To avoid the docker build
script picking up the git commit from the distro repo we also check for a
directory named .git before checking for -unsupported builds.
Signed-off-by: Natanael Copa <natanael.copa@docker.com>
This feature was added after the 1.11 code-freeze,
so will be part of the 1.12 release. Moving it to the
right API version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 2535db86781f2731024c945ecabd59199de0c727)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some fixes in the changelog were not regressions
since 1.10.x, but only present in 1.11 release candidates
so don't need to be mentioned for the release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 99589731ac1e5d901436e6d0d8c03e9eddb5cccc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
hardware signing was put back to experimental due to packaging issues
(https://github.com/docker/docker/pull/21499)
add missing "--quiet" option for docker load
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 32a5308237858cc5b7bcac16cc16286fc7996a9b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: John Howard <jhoward@microsoft.com>
(cherry picked from commit 76489af40f40385b3fd9f0a669fdc8cf3640e188)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In TP5, Hyper-V containers need all image files ACLed so that the virtual
machine process can access them. This was fixed post-TP5 in Windows, but
for TP5 we need to explicitly add these ACLs.
Signed-off-by: John Starks <jostarks@microsoft.com>
* Fix closing strings in graphdriver plugin documentation
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
* Fix documentation for Err type in graphdriver plugins
Fix https://github.com/docker/go-plugins-helpers/issues/24
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
* Add missing MountLabel argument in graphdriver plugin documentation
The real `Create` seems also to take more arguments (the `storageOpt`) which
are not exposed to the plugin API (yet?).
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
* Add missing CreateReadWrite in graphdriver plugin documentation
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
Copy edit the content
Updates to existing material
Adding mbentley's comments
Updating with last minute comments
Update with Seb's comments
Signed-off-by: Mary Anthony <mary@docker.com>
Binaries are now distributed as a '.tgz' or '.zip'
archive, and contain multiple binaries for Linux.
This updates the instructions for 1.11.
Also mention that the Windows 64-bit binary
actually can be used as a daemon. Given that
this is still in beta, no instructions were
added for *running* a daemon on Windows.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The documentation already says the cache miss happens only at `ARG`
variable usage, not declaration, but there is a very common implicit
usage: `RUN`, which this commit documents even more, improving on #21790.
Also, use `definition` instead of `declaration`: it's the same thing, and
`definition` is already used in this documentation, contrary to
`declaration`.
Also, distinguish between "instructions" and "variables defined by `ARG`
instructions".
Signed-off-by: Thomas Riccardi <riccardi@systran.fr>