Add tmpfs as a valid volume source command. #13587
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
package native | ||
|
||
import ( | ||
"fmt" | ||
"os" | ||
"os/exec" | ||
"strings" | ||
|
||
"github.com/Sirupsen/logrus" | ||
"github.com/opencontainers/runc/libcontainer/configs" | ||
) | ||
|
||
func genTmpfsPremountCmd(tmpDir string, fullDest string, dest string) []configs.Command { | ||
var premount []configs.Command | ||
tarPath, err := exec.LookPath("tar") | ||
if err != nil { | ||
logrus.Warn("tar command is not available for tmpfs mount: %s", err) | ||
return premount | ||
} | ||
if _, err = exec.LookPath("rm"); err != nil { | ||
logrus.Warn("rm command is not available for tmpfs mount: %s", err) | ||
return premount | ||
} | ||
tarFile := fmt.Sprintf("%s/%s.tar", tmpDir, strings.Replace(dest, "/", "_", -1)) | ||
if _, err := os.Stat(fullDest); err == nil { | ||
premount = append(premount, configs.Command{ | ||
Path: tarPath, | ||
Args: []string{"-cf", tarFile, "-C", fullDest, "."}, | ||
}) | ||
} | ||
return premount | ||
} | ||
|
||
func genTmpfsPostmountCmd(tmpDir string, fullDest string, dest string) []configs.Command { | ||
var postmount []configs.Command | ||
tarPath, err := exec.LookPath("tar") | ||
if err != nil { | ||
return postmount | ||
} | ||
rmPath, err := exec.LookPath("rm") | ||
if err != nil { | ||
return postmount | ||
} | ||
if _, err := os.Stat(fullDest); os.IsNotExist(err) { | ||
return postmount | ||
} | ||
tarFile := fmt.Sprintf("%s/%s.tar", tmpDir, strings.Replace(dest, "/", "_", -1)) | ||
postmount = append(postmount, configs.Command{ | ||
Path: tarPath, | ||
Args: []string{"-xf", tarFile, "-C", fullDest, "."}, | ||
}) | ||
return append(postmount, configs.Command{ | ||
Path: rmPath, | ||
Args: []string{"-f", tarFile}, | ||
}) | ||
} |
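Review bot: The archive name in both functions is built as `strings.Replace(dest, "/", "_", -1)` under tmpDir, so two different destinations such as /a/b and /a_b map to the same tar file, and the path is predictable; a uniquely named file created under tmpDir would avoid one mount's content being extracted into another. The two `logrus.Warn("... %s", err)` calls in genTmpfsPremountCmd pass a format string to a non-formatting call and should be `logrus.Warnf`. The existence checks are also asymmetric: premount skips the archive on any `os.Stat` error, while postmount only returns early on `os.IsNotExist`, so another stat error leaves `tar -xf` running against an archive that was never written. genTmpfsPostmountCmd also returns silently when tar or rm is missing; a log line there would match the premount behaviour.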
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -1298,6 +1298,14 @@ above, or already defined by the developer with a Dockerfile `ENV`: | |
|
||
Similarly the operator can set the **hostname** with `-h`. | ||
|
||
### TMPFS (mount tmpfs filesystems) | ||
@rhatdan Thank you for the contribution. I think you need to update As for this, the break is a bit awkward. Also, I think it is important to point out where the
--tmpfs=[]: Create a tmpfs mount with: container-dir[:<options>], where the options are identical to the Linux `mount -t tmpfs -o` command.
Underlying content from the "container-dir" is copied into tmpfs.
$ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65k my_image
fixed |
||
|
||
--tmpfs=[]: Create a tmpfs mount with: container-dir[:<options>], where the options are identical to the Linux `mount -t tmpfs -o` command. | ||
|
||
Underlying content from the "container-dir" is copied into tmpfs. | ||
|
||
$ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image | ||
|
||
### VOLUME (shared filesystems) | ||
|
||
-v=[]: Create a bind mount with: [host-src:]container-dest[:<options>], where | ||
|
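Review bot: The TMPFS section never says which options apply when `--tmpfs` is given only a directory; the man page text in this same change lists `rw,noexec,nosuid,nodev,size=65536k` as the defaults, and that sentence should be repeated here so the two documents agree. The sentence "Underlying content from the "container-dir" is copied into tmpfs" should also say that the content comes from the image, as the man page wording does.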
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -59,6 +59,7 @@ docker-run - Run a command in a new container | |
[**--shm-size**[=*[]*]] | ||
[**--sig-proxy**[=*true*]] | ||
[**-t**|**--tty**[=*false*]] | ||
[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]] | ||
[**-u**|**--user**[=*USER*]] | ||
[**-v**|**--volume**[=*[]*]] | ||
[**--ulimit**[=*[]*]] | ||
|
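Review bot: The new synopsis entry `[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]` opens four square brackets and closes only three, so the optional group is left unterminated; `[**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]]*]]` balances it. The option heading added further down uses `**--tmpfs**=[]`, so pick one form and use it in both places.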
@@ -432,6 +433,20 @@ interactive shell. The default is false. | |
The **-t** option is incompatible with a redirection of the docker client | ||
standard input. | ||
|
||
**--tmpfs**=[] Create a tmpfs mount | ||
**--tmpfs**[=*[CONTAINER-DIR[:<OPTIONS>]*]]
Mount a temporary filesystem (tmpfs) mount within a container. For example,
`--tmpfs /tmp:rw,size=787448k,mode=1777` mounts a tmpfs at /tmp within the
container. The mount copies the underlying content into the /tmpfs). The
supported options are the same as the Linux default mount flags
`rw,noexec,nosuid,nodev,size=65536k`.
I went a little further on this. Mount a temporary filesystem (tmpfs) mount within a container. For example, |
||
|
||
Mount a temporary filesystem (`tmpfs`) mount into a container, for example: | ||
|
||
$ docker run -d --tmpfs /tmp:rw,size=787448k,mode=1777 my_image | ||
|
||
This command mounts a `tmpfs` at `/tmp` within the container. The mount copies | ||
the underlying content of `my_image` into `/tmp`. For example if there was a | ||
directory `/tmp/content` in the base image, docker will copy this directory and | ||
all of its content on top of the tmpfs mounted on `/tmp`. The supported mount | ||
options are the same as the Linux default `mount` flags. If you do not specify | ||
any options, the systems uses the following options: | ||
`rw,noexec,nosuid,nodev,size=65536k`. | ||
|
||
**-u**, **--user**="" | ||
Sets the username or UID used and optionally the groupname or GID for the specified command. | ||
|
||
|
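Review bot: The description says the defaults `rw,noexec,nosuid,nodev,size=65536k` apply "if you do not specify any options", but the example passes `rw,size=787448k,mode=1777` and the text does not say whether `noexec,nosuid,nodev` still apply in that case; state explicitly whether given options replace the defaults or are merged with them. "The systems uses" should read "the system uses", and "the Linux default `mount` flags" is vaguer than the `mount -t tmpfs -o` wording used in the run reference in this same change.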
@@ -548,6 +563,19 @@ the exit codes follow the `chroot` standard, see below: | |
|
||
# EXAMPLES | ||
|
||
## Running container in read-only mode | ||
|
||
During container image development, containers often need to write to the image | ||
content. Installing packages into /usr, for example. In production, | ||
applications seldom need to write to the image. Container applications write | ||
to volumes if they need to write to file systems at all. Applications can be | ||
made more secure by running them in read-only mode using the --read-only switch. | ||
This protects the containers image from modification. Read only containers may | ||
still need to write temporary data. The best way to handle this is to mount | ||
tmpfs directories on /run and /tmp. | ||
|
||
# docker run --read-only --tmpfs /run --tmpfs /tmp -i -t fedora /bin/bash | ||
|
||
## Exposing log messages from the container to the host's log | ||
|
||
If you want messages that are logged in your container to show up in the host's | ||
|
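Review bot: The example passes `--tmpfs /run --tmpfs /tmp` with no options, so per the option description added in this change both mounts get `rw,noexec,nosuid,nodev,size=65536k`; the paragraph should say that, since the size cap and `noexec` affect what the application can do in /tmp. Style points in the same paragraph: "containers image" should be "container's image", "Read only containers" should be "Read-only containers", "Installing packages into /usr, for example." is a fragment, and `--read-only` should be marked up like the other options on this page (`**--read-only**`).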
should be private
nvm, it's already abused in execdriver