Browse code
Merge pull request #2712 from makinacorpus/master
| ... | ... |
@@ -120,6 +120,7 @@ Marko Mikulicic <mmikulicic@gmail.com> |
| 120 | 120 |
Markus Fix <lispmeister@gmail.com> |
| 121 | 121 |
Martin Redmond <martin@tinychat.com> |
| 122 | 122 |
Matt Apperson <me@mattapperson.com> |
| 123 |
+Mathieu Le Marec - Pasquet <kiorky@cryptelium.net> |
|
| 123 | 124 |
Matt Bachmann <bachmann.matt@gmail.com> |
| 124 | 125 |
Matthew Mueller <mattmuelle@gmail.com> |
| 125 | 126 |
Maxim Treskin <zerthurd@gmail.com> |
| ... | ... |
@@ -25,6 +25,7 @@ If you cannot or do not want to use the "official" kernels, |
| 25 | 25 |
here is some technical background about the features (both optional and |
| 26 | 26 |
mandatory) that docker needs to run successfully. |
| 27 | 27 |
|
| 28 |
+ |
|
| 28 | 29 |
Linux version 3.8 or above |
| 29 | 30 |
-------------------------- |
| 30 | 31 |
|
| ... | ... |
@@ -39,6 +40,15 @@ The symptoms include: |
| 39 | 39 |
- kernel crash causing the machine to freeze for a few minutes, or even |
| 40 | 40 |
completely. |
| 41 | 41 |
|
| 42 |
+Additionally, kernels prior 3.4 did not implement ``reboot_pid_ns``, |
|
| 43 |
+which means that the ``reboot()`` syscall could reboot the host machine, |
|
| 44 |
+instead of terminating the container. To work around that problem, |
|
| 45 |
+LXC userland tools (since version 0.8) automatically drop the ``SYS_BOOT`` |
|
| 46 |
+capability when necessary. Still, if you run a pre-3.4 kernel with pre-0.8 |
|
| 47 |
+LXC tools, be aware that containers can reboot the whole host! This is |
|
| 48 |
+not something that Docker wants to address in the short term, since you |
|
| 49 |
+shouldn't use kernels prior 3.8 with Docker anyway. |
|
| 50 |
+ |
|
| 42 | 51 |
While it is still possible to use older kernels for development, it is |
| 43 | 52 |
really not advised to do so. |
| 44 | 53 |
|
| ... | ... |
@@ -120,7 +120,7 @@ lxc.aa_profile = unconfined |
| 120 | 120 |
# (Note: 'lxc.cap.keep' is coming soon and should replace this under the |
| 121 | 121 |
# security principle 'deny all unless explicitly permitted', see |
| 122 | 122 |
# http://sourceforge.net/mailarchive/message.php?msg_id=31054627 ) |
| 123 |
-lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config |
|
| 123 |
+lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setpcap sys_admin sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config |
|
| 124 | 124 |
{{end}}
|
| 125 | 125 |
|
| 126 | 126 |
# limits |