How to add capabilities to the LXC container - lxc

I found that to run a blocked system call (like ptrace) inside an LXC container,
the capabilities need to be added. How exactly can capabilities be added to the LXC container?

You can use lxc.keep.cap or lxc.drop.cap in the container config. See man 7 capabilities and the /usr/share/lxc/config/*.conf files.
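As an added example (not code from the question or the answer above): the config keys as documented in lxc.container.conf(5) are lxc.cap.drop and lxc.cap.keep (use one or the other, not both), and an lxc.cap.drop line with an empty value clears any drop list inherited from an included common config. The script below emits such a config fragment and decodes a CapEff/CapBnd mask as printed in /proc/<pid>/status, using the bit numbering from linux/capability.h, so you can check from inside the container whether cap_sys_ptrace actually survived. The masks and status file in the test are constructed. One caveat: a seccomp profile applied to the container can reject the ptrace syscall regardless of capabilities, so check both when a call is still blocked.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the lxc.cap.drop / lxc.cap.keep
# keys of lxc.container.conf(5) and the bit numbering of <linux/capability.h>.

# Capability names in bit order (bit 0 = cap_chown ... bit 40 = cap_checkpoint_restore).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# lxc_cap_drop_config NAME... : print config lines that first clear any inherited
# drop list (an empty value resets it) and then drop exactly the listed capabilities.
lxc_cap_drop_config() {
    printf 'lxc.cap.drop =\nlxc.cap.drop = %s\n' "$*"
}

# cap_bit NAME : print the bit index of a capability; fail if the name is unknown.
cap_bit() {
    i=0
    for n in $CAP_NAMES; do
        [ "$n" = "$1" ] && { echo "$i"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# has_cap MASKHEX NAME : succeed if the capability's bit is set in the hex mask.
has_cap() {
    bit=$(cap_bit "$2") || return 2
    [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# decode_caps MASKHEX : list, in bit order, the capability names set in the mask.
decode_caps() {
    i=0; out=""
    for n in $CAP_NAMES; do
        [ $(( (0x$1 >> $i) & 1 )) -eq 1 ] && out="$out $n"
        i=$((i + 1))
    done
    echo "${out# }"
}

# status_mask FIELD [STATUSFILE] : read CapEff, CapBnd, ... from /proc/<pid>/status.
status_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# Usage inside the container:
#   has_cap "$(status_mask CapBnd)" sys_ptrace && echo "sys_ptrace is in the bounding set"
#   decode_caps "$(status_mask CapEff)"
```

Check CapBnd as well as CapEff: a capability missing from the bounding set cannot be regained by any exec inside the container, which is what lxc.cap.drop arranges.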

Related

The docker service update/create commands have an option to add the --read-only flag to make the root file system read-only. Is there any option to remove it?

I have created a docker swarm service with --read-only mode, which makes the container's root file system read-only. Now I just want to remove the read-only option of the running container. All the other existing options should be kept intact.
The docker service update command has many options to make the service flexible, like --constraint-add, --constraint-rm, --env-add, --env-rm, --mount-add, --mount-rm etc.
Is there any way to remove the previously added read-only flag?

Is it possible to use environment variables inside the docker daemon configuration file

Background:
We are using the registry_mirrors & insecure_registries options in the docker daemon.json file. We would like to stop hard-coding the location of the mirrors.
Question
Is it possible to use an env variable inside daemon.json? So instead of writing the IP X.Y.Z.W:PORT one would write ${REPO1}. Hopefully it will be possible to change the REPO1 var without restarting the daemon.
Remarks
The solution must allow changing the repo location without restarting the daemon.
EDIT
It is not possible to use the following inside daemon.json:
1. ${VAR_NAME}
Possible workaround
Use a custom hostname and redefine it in /etc/hosts. This allows changing the repo IP without restarting the daemon, but it does not allow changing the port or the protocol.
Possible workaround 2
Some options can be reconfigured when the daemon is running without requiring a restart of the process. We use the SIGHUP signal in Linux to reload, and a global event in Windows with the key Global\docker-daemon-config-$PID. The options can be modified in the configuration file but will still be checked for conflicts with the provided flags. The daemon fails to reconfigure itself if there are conflicts, but it won't stop execution. (source)
So one can edit the registry and run sudo systemctl reload docker or sudo kill -SIGHUP $(pidof dockerd). This restarts neither the existing containers nor the daemon itself.
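As an added example (not code from the post above): a small script that renders daemon.json for a set of mirrors and reloads the daemon the way workaround 2 describes. It uses the documented key spellings registry-mirrors and insecure-registries (both are on the daemon's reloadable list), and it only lists a mirror under insecure-registries when its URL is plain http://, because that key disables TLS verification for the registry named and should never be applied to a mirror that is actually served over HTTPS. The mirror URLs in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the documented daemon.json keys
# registry-mirrors and insecure-registries and a systemd unit named docker.

# render_daemon_json MIRROR_URL... : print a daemon.json listing the mirrors; only
# plain-http mirrors are added to insecure-registries (as host:port), because that
# key turns off TLS verification for whatever it names.
render_daemon_json() {
    mirrors=""; insecure=""
    for m in "$@"; do
        mirrors="$mirrors${mirrors:+, }\"$m\""
        case $m in
            http://*)
                hp=${m#http://}; hp=${hp%%/*}
                insecure="$insecure${insecure:+, }\"$hp\"" ;;
        esac
    done
    printf '{\n  "registry-mirrors": [%s],\n  "insecure-registries": [%s]\n}\n' \
        "$mirrors" "$insecure"
}

# reload_dockerd : make a running dockerd re-read daemon.json without restarting it
# or its containers; prefer the systemd reload, fall back to SIGHUP on the pid.
reload_dockerd() {
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet docker; then
        systemctl reload docker
    else
        kill -HUP "$(pidof dockerd)"
    fi
}

# Usage (as root):
#   render_daemon_json http://10.0.0.5:5000 > /etc/docker/daemon.json && reload_dockerd
#   docker info --format '{{json .RegistryConfig.Mirrors}}'   # confirm the new value
```

If the reload produces no change, check the daemon log: a key that conflicts with a flag on the dockerd command line is rejected at reload time, as the quoted documentation says, while the daemon keeps running with the old value.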

Automatically restart process on crash in an Ubuntu docker container

I have a process in an Ubuntu docker container. If it crashes, I want to restart it automatically.
What is the best way to go about it?
I checked systemd (which is the normal Linux method) but docker doesn't support it. inittab is also deprecated.
Docker offers such functionality; all you have to do is define a restart policy for the container.
You should choose one of the available policies (no, always, on-failure, unless-stopped) and adjust your docker run command accordingly.
From docs:
To configure the restart policy for a container, use the --restart flag when using the docker run command
For your case, choose one of always or on-failure.
Note: The above is valid only if the process you have mentioned is the container's entrypoint.
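As an added example (not code from the answer above): a validator for the --restart values the answer lists (including the on-failure:<max-retries> form), an entrypoint that execs the real program so that its exit status becomes the container's exit status, which is what the note about the entrypoint comes down to, and a wrapper that starts the container and reads back the policy docker recorded. The container name and image in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes docker run/inspect and the
# policy names no, always, unless-stopped, on-failure[:N] documented for --restart.

# restart_policy_ok VALUE : succeed if VALUE is a policy docker accepts.
restart_policy_ok() {
    case $1 in
        no|always|unless-stopped|on-failure) return 0 ;;
        on-failure:[0-9]*)
            n=${1#on-failure:}
            case $n in *[!0-9]*) return 1 ;; esac
            return 0 ;;
        *) return 1 ;;
    esac
}

# entrypoint_script : print an entrypoint that execs the program instead of forking
# it, so the program is the container's main process and a crash (non-zero exit)
# is what on-failure reacts to. A wrapper that merely runs the program as a child
# and exits 0 would hide the crash from the restart policy.
entrypoint_script() {
    cat <<'EOF'
#!/bin/sh
set -e
exec "$@"
EOF
}

# run_restarting POLICY NAME IMAGE CMD... : start a container with the policy.
run_restarting() {
    policy=$1; name=$2; image=$3; shift 3
    restart_policy_ok "$policy" || { echo "bad restart policy: $policy" >&2; return 2; }
    docker run -d --name "$name" --restart "$policy" "$image" "$@"
}

# show_policy NAME : print name:max-retries as recorded in the container's HostConfig.
show_policy() {
    docker inspect -f '{{.HostConfig.RestartPolicy.Name}}:{{.HostConfig.RestartPolicy.MaximumRetryCount}}' "$1"
}

# Usage: run_restarting on-failure:5 myapp myimage:latest ./server && show_policy myapp
```

Use on-failure with a retry cap rather than always for a process that may be crashing because of bad input: an unbounded restart loop on a fault a remote peer can trigger is an easy denial of service.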

How do I add device flags to an existing docker container?

The (already created and tailored) docker container, which is on a Tegra TX2 host, was created with the privileged flag.
I want to add devices from my Tegra TX2 host to the container, but 'docker run --device=...' would create a new container. How can I do this?
Regards
docker update is what you would use if you want to update the configuration of a container. Unfortunately there is no way to add a new device without recreating the container.
For more information on what can be updated check the documentation.
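As an added example (not code from the answer above): since docker update cannot add a device, the practical route is to recreate the container with the extra --device, carrying over the fields you need. The script below reads the image and command back with docker inspect, keeps the old container under a .old name until you have verified the new one, and validates the host[:container[:perms]] device spec first. Only image and command are carried over here; ports, volumes and environment would need the same treatment. One caveat worth checking before doing any of this: a container started with --privileged already has the host's device nodes under /dev and no device-cgroup restriction, so for the questioner's privileged container the device is normally reachable already; --device is the way to hand a single device to a non-privileged container, which is the least-privilege option.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes docker inspect/stop/rename/run
# and the --device syntax host-path[:container-path[:rwm]].

# device_spec_ok SPEC : accept an absolute host path, optionally followed by a
# container path and a permission string made only of r, w and m.
device_spec_ok() {
    host=${1%%:*}
    rest=${1#"$host"}; rest=${rest#:}
    [ -n "$host" ] && [ "${host#/}" != "$host" ] || return 1
    case $rest in
        "") return 0 ;;
        *:*)
            perms=${rest##*:}
            case $perms in "") return 1 ;; *[!rwm]*) return 1 ;; esac
            return 0 ;;
        *) return 0 ;;
    esac
}

# recreate_with_device NAME DEVSPEC : stop NAME, keep it as NAME.old, and start a
# new NAME from the same image and command with DEVSPEC added.
# Limitation: the command is re-split on whitespace, so arguments containing spaces
# are not preserved.
recreate_with_device() {
    name=$1; dev=$2
    device_spec_ok "$dev" || { echo "bad --device spec: $dev" >&2; return 2; }
    image=$(docker inspect -f '{{.Config.Image}}' "$name") || return 1
    cmd=$(docker inspect -f '{{join .Config.Cmd " "}}' "$name") || return 1
    docker stop "$name" >/dev/null && docker rename "$name" "$name.old" || return 1
    docker run -d --name "$name" --device "$dev" "$image" $cmd
}

# Usage: recreate_with_device mycontainer /dev/video0:/dev/video0:rw
#        (verify, then: docker rm mycontainer.old)
```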

Editing Docker container FS using Atom/Sublime-Text?

I'm running OSX and Docker with the help of boot2docker.
From my understanding boot2docker is a lightweight linux distro that is running the docker containers. I have some Ubuntu containers that I use to run and test projects that should specifically run well on Linux.
However every small code change from my host text editor of choice, requires me to re-build image and re-run the container. Run the app and confirm that the change I made didn't break something.
Is there a way for me to open a Docker container FS folder in a text editor from my host machine? (a.k.a Remote edit?)
Have any of you guys done this? Any ideas will be awesome. I am thinking about setting up SFTP or SSHD in the Docker container, but I would like your opinion.
What I often do is, in development, mount the source code of the application to its usual place in a volume. Then, I set the command (or entrypoint) of the container to a script that launches it in "development mode" (for example, by using nodemon for a node.js application, setting RAILS_ENV=development in Rails, and so on).
Volumes do work on Mac OS X (and I assume Windows) under boot2docker or docker-machine, with the caveat that you need to be working somewhere beneath your home directory.
For a concrete example, here's a repository that I set this up in. The ingredients:
script/dev is my "dev-mode" entrypoint. It launches the main application under nodemon.
When I launch the container, I mount the source directory into the container as a volume and set script/dev as the command. (I'm using docker-compose here to launch and link in an upstream dependency, so I can do everything in one command.)
With those two things in place, I can run docker-compose up, make a source change in whatever editor I choose on my host, save the file, and the service within the container auto-reloads to bring my changes into effect. Presto!
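As an added example (not code from the answer above, and not its repository): the same bind-mount approach done with plain docker run, with a check for the caveat the answer mentions that under boot2docker or docker-machine the mounted path must lie beneath your home directory, since that is the only tree the VM shares with the host. The image, mount point and command in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes docker run with -v bind mounts
# and that boot2docker/docker-machine shares only the home directory into the VM.

# under_home PATH [HOME] : succeed if PATH is HOME or lies beneath it (a real prefix
# match on path components, so /Users/melon is not "under" /Users/me).
under_home() {
    p=$1; h=${2:-$HOME}
    h=${h%/}
    [ "$p" = "$h" ] || [ "${p#"$h"/}" != "$p" ]
}

# dev_run IMAGE SRC CMD... : bind-mount SRC at /app and run CMD there, so edits made
# on the host show up in the container immediately and a dev-mode process such as
# nodemon can reload them.
dev_run() {
    image=$1; src=$2; shift 2
    src=$(cd "$src" && pwd) || return 2
    under_home "$src" || { echo "$src is not under $HOME; the boot2docker VM cannot see it" >&2; return 2; }
    docker run --rm -it -v "$src:/app" -w /app "$image" "$@"
}

# Usage: dev_run node:18 ./myapp npx nodemon server.js
```

The mount gives the container write access to your source tree, and on a native Linux host the container's root writes files there as root. Adding --user "$(id -u):$(id -g)" to the docker run line keeps new files owned by you; under boot2docker the VM's own uid mapping applies instead.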
