kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #2712 from makinacorpus/master

Browse source 
Do not drop sys_boot
This commit is contained in:
Victor Vieux 2013-11-15 10:33:41 -08:00
commit ad96d5ff04
3 changed files with 12 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

1
AUTHORS
View file

@ -120,6 +120,7 @@ Marko Mikulicic <mmikulicic@gmail.com>
Markus Fix <lispmeister@gmail.com> Markus Fix <lispmeister@gmail.com>
Martin Redmond <martin@tinychat.com> Martin Redmond <martin@tinychat.com>
Matt Apperson <me@mattapperson.com> Matt Apperson <me@mattapperson.com>
Mathieu Le Marec - Pasquet <kiorky@cryptelium.net>
Matt Bachmann <bachmann.matt@gmail.com> Matt Bachmann <bachmann.matt@gmail.com>
Matthew Mueller <mattmuelle@gmail.com> Matthew Mueller <mattmuelle@gmail.com>
Maxim Treskin <zerthurd@gmail.com> Maxim Treskin <zerthurd@gmail.com>

10
docs/sources/installation/kernel.rst
View file

@ -25,6 +25,7 @@ If you cannot or do not want to use the "official" kernels,
here is some technical background about the features (both optional and here is some technical background about the features (both optional and
mandatory) that docker needs to run successfully. mandatory) that docker needs to run successfully.
Linux version 3.8 or above Linux version 3.8 or above
-------------------------- --------------------------
@ -39,6 +40,15 @@ The symptoms include:
- kernel crash causing the machine to freeze for a few minutes, or even - kernel crash causing the machine to freeze for a few minutes, or even
completely. completely.
Additionally, kernels prior 3.4 did not implement ``reboot_pid_ns``,
which means that the ``reboot()`` syscall could reboot the host machine,
instead of terminating the container. To work around that problem,
LXC userland tools (since version 0.8) automatically drop the ``SYS_BOOT``
capability when necessary. Still, if you run a pre-3.4 kernel with pre-0.8
LXC tools, be aware that containers can reboot the whole host! This is
not something that Docker wants to address in the short term, since you
shouldn't use kernels prior 3.8 with Docker anyway.
While it is still possible to use older kernels for development, it is While it is still possible to use older kernels for development, it is
really not advised to do so. really not advised to do so.

2
lxc_template.go
View file

@ -120,7 +120,7 @@ lxc.aa_profile = unconfined
# (Note: 'lxc.cap.keep' is coming soon and should replace this under the # (Note: 'lxc.cap.keep' is coming soon and should replace this under the
# security principle 'deny all unless explicitly permitted', see # security principle 'deny all unless explicitly permitted', see
# http://sourceforge.net/mailarchive/message.php?msg_id=31054627 ) # http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
{{end}} {{end}}
# limits # limits