Michael Crosby
34c05c58c8
Mount /dev in tmpfs for privileged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-20 22:51:24 +00:00
Alexander Larsson
fcf2e9a910
native driver: Add required capabilities
We need SETFCAP to be able to mark files as having caps, which is
heavily used by fedora.
See https://github.com/dotcloud/docker/issues/5928
We also need SETPCAP, for instance systemd needs this to set caps
on its children.
Both of these are safe in the sense that they can never ever
result in a process with a capability not in the bounding set of the
container.
We also add NET_BIND_SERVICE caps, to be able to bind to ports lower
than 1024.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-05-20 11:31:39 +02:00
Victor Marmol
0abad3ae22
Don't drop CAP_FOWNER in the container. Also sorts the list of allowed
capabilities.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-19 16:52:39 +00:00
Victor Marmol
92614928ce
Make libcontainer's CapabilitiesMask into a []string (Capabilities).
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-17 00:44:10 +00:00
Victor Marmol
01d10d6f13
Merge pull request #5810 from vmarmol/drop-caps
Change libcontainer to drop all capabilities by default.
2014-05-16 11:51:41 -07:00
Victor Marmol
9d6875d19d
Change libcontainer to drop all capabilities by default. Only keeps
those that were specified in the config. This commit also explicitly
adds a set of capabilities that we were silently not dropping and were
assumed by the tests.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
2014-05-16 00:57:58 +00:00
Michael Crosby
3b7a19def6
Move cgroups package into libcontainer
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-14 15:21:44 -07:00
Michael Crosby
db5f6b4aa0
Improve libcontainer namespace and cap format
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-05 12:34:21 -07:00
Eiichi Tsukata
cac0cea03f
drop CAP_SYSLOG capability
Kernel capabilities for privileged syslog operations are currently split into
CAP_SYS_ADMIN and CAP_SYSLOG since the following commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11
This patch drops CAP_SYSLOG to prevent containers from messing with
host's syslog (e.g. `dmesg -c` clears up host's printk ring buffer).
Closes #5491
Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata <devel@etsukata.com> (github: Etsukata)
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-01 11:43:55 -07:00
Guillaume J. Charmes
813cebc64f
Merge branch 'master' into load-profile
Conflicts:
daemon/execdriver/native/create.go
daemon/execdriver/native/driver.go
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-21 10:32:13 -07:00
Alexander Larsson
359b7df5d2
Rename runtime/* to daemon/*
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-17 14:43:01 -07:00