Signed-off-by: Simei He <hesimei@zju.edu.cn>
| ... | ... |
@@ -121,8 +121,23 @@ Finally, several networking options can only be provided when calling |
| 121 | 121 |
* `-P` or `--publish-all=true|false` — see |
| 122 | 122 |
[Binding container ports](#binding-ports) |
| 123 | 123 |
|
| 124 |
-The following sections tackle all of the above topics in an order that |
|
| 125 |
-moves roughly from simplest to most complex. |
|
| 124 |
+To supply networking options to the Docker server at startup, use the |
|
| 125 |
+`DOCKER_OPTS` in the Docker upstart configuration file. For Ubuntu, edit the |
|
| 126 |
+variable in `/etc/default/docker` and `/etc/sysconfig/docker` for Centos. |
|
| 127 |
+ |
|
| 128 |
+The following example illustrates how to configure Docker on Ubuntu to recognize a |
|
| 129 |
+newly build bridge. Edit the `/etc/default/docker` file: |
|
| 130 |
+ |
|
| 131 |
+ $ echo 'DOCKER_OPTS="-b=bridge0"' >> /etc/default/docker |
|
| 132 |
+ |
|
| 133 |
+Then, restart the Docker server. |
|
| 134 |
+ |
|
| 135 |
+ $ sudo service docker start |
|
| 136 |
+ |
|
| 137 |
+For additional information on bridges, see [building your own |
|
| 138 |
+bridge](#building-your-own-bridge) later on this page. |
|
| 139 |
+ |
|
| 140 |
+The following sections tackle all of the above topics in an order that we can move roughly from simplest to most complex. |
|
| 126 | 141 |
|
| 127 | 142 |
## Configuring DNS |
| 128 | 143 |
|
| ... | ... |
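Review bot: In the added Ubuntu example, `$ echo 'DOCKER_OPTS="-b=bridge0"' >> /etc/default/docker` is shown at an unprivileged prompt, where the redirect into a root-owned file fails. Because it appends a second `DOCKER_OPTS=` assignment to a file read as shell variable assignments, the last one wins, so options a reader already set there (such as the `--icc=false` discussed further down) would be dropped without notice. Suggest telling the reader to edit the existing line, or showing a privileged append such as `echo ... | sudo tee -a /etc/default/docker` together with a reminder to merge existing options. The text says "restart the Docker server" but the command is `sudo service docker start`; use `restart`. Smaller points: "newly build" should be "newly built", "Centos" should be "CentOS", the sentence naming both files reads as if Ubuntu users edit both, and the reworded last sentence ("in an order that we can move roughly") is harder to read than the one it replaces.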
@@ -296,8 +311,7 @@ system level, by two factors. |
| 296 | 296 |
policy to `DROP` if `--icc=false`. |
| 297 | 297 |
|
| 298 | 298 |
It is a strategic question whether to leave `--icc=true` or change it to |
| 299 |
-`--icc=false` (on Ubuntu, by editing the `DOCKER_OPTS` variable in |
|
| 300 |
-`/etc/default/docker` and restarting the Docker server) so that |
|
| 299 |
+`--icc=false` so that |
|
| 301 | 300 |
`iptables` will protect other containers — and the main host — from |
| 302 | 301 |
having arbitrary ports probed or accessed by a container that gets |
| 303 | 302 |
compromised. |
| ... | ... |
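Review bot: With the parenthetical removed, the `--icc=false` sentence no longer says that this is a server startup option or that the server has to be restarted for it to take effect, which matters here because the paragraph is about containing a compromised container. Suggest keeping a short pointer to the `DOCKER_OPTS` paragraph added in the first hunk rather than dropping the instruction entirely, and reflowing the new line, which now holds only four words, into the following one.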
@@ -426,8 +440,7 @@ you can use either `-p IP:host_port:container_port` or `-p IP::port` to |
| 426 | 426 |
specify the external interface for one particular binding. |
| 427 | 427 |
|
| 428 | 428 |
Or if you always want Docker port forwards to bind to one specific IP |
| 429 |
-address, you can edit your system-wide Docker server settings (on |
|
| 430 |
-Ubuntu, by editing `DOCKER_OPTS` in `/etc/default/docker`) and add the |
|
| 429 |
+address, you can edit your system-wide Docker server settings and add the |
|
| 431 | 430 |
option `--ip=IP_ADDRESS`. Remember to restart your Docker server after |
| 432 | 431 |
editing this setting. |
| 433 | 432 |
|
| ... | ... |
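Review bot: "edit your system-wide Docker server settings" no longer tells the reader where those settings live, and the startup paragraph this patch adds in the first hunk has no heading or anchor to link to. Suggest giving that paragraph a heading and linking to it from this sentence so the `--ip=IP_ADDRESS` instruction stays actionable on both Ubuntu and CentOS.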
@@ -692,9 +705,6 @@ options are configurable at server startup: |
| 692 | 692 |
|
| 693 | 693 |
* `--mtu=BYTES` — override the maximum packet length on `docker0`. |
| 694 | 694 |
|
| 695 |
-On Ubuntu you would add these to the `DOCKER_OPTS` setting in |
|
| 696 |
-`/etc/default/docker` on your Docker host and restarting the Docker |
|
| 697 |
-service. |
|
| 698 | 695 |
|
| 699 | 696 |
Once you have one or more containers up and running, you can confirm |
| 700 | 697 |
that Docker has properly connected them to the `docker0` bridge by |
| ... | ... |
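Review bot: Removing the three lines between the two blank context lines leaves consecutive blank lines before "Once you have one or more containers up and running"; drop one of them. The list above is introduced as options "configurable at server startup", so a link to the new `DOCKER_OPTS` paragraph here would replace what the deleted sentence told readers about where to set `--mtu=BYTES` and the other options.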
@@ -2195,6 +2195,8 @@ available in the default container, you can set these using the `--ulimit` flag. |
| 2195 | 2195 |
> If you do not provide a `hard limit`, the `soft limit` will be used for both |
| 2196 | 2196 |
values. If no `ulimits` are set, they will be inherited from the default `ulimits` |
| 2197 | 2197 |
set on the daemon. |
| 2198 |
+> `as` option is disabled for now. In other words, the following script is not supported: |
|
| 2199 |
+> `$docker run -it --ulimit as=1024 fedora /bin/bash` |
|
| 2198 | 2200 |
|
| 2199 | 2201 |
## save |
| 2200 | 2202 |
|
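Review bot: The added note says the `as` option is "disabled for now" but not what happens when it is passed: whether `docker run` rejects `--ulimit as=1024` with an error or accepts it without applying the limit. State which, since a reader relying on an address-space limit needs to know it is not enforced. The two new `>` lines follow the existing quote without a blank `>` line between them, so they will render as part of the same paragraph as "set on the daemon."; "script" should be "command"; and `$docker run` needs a space after the prompt. This hunk is unrelated to the networking changes in the rest of the patch and would be easier to review as its own commit.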