Chapter 12 Linux Containers
12.1. Linux Containers Using Docker Technology
Red Hat Enterprise Linux Atomic Host 7.1.4 includes the following updates:
- Firewalld is now supported for docker containers. If firewalld is running on the system, the rules will be added via the firewalld passthrough. If firewalld is reloaded, the configuration will be re-applied.
- Docker now mounts the cgroup information specific to a container under the /sys/fs/cgroup directory. Some applications make decisions based on the amount of resources available to them. For example, a Java Virtual Machine (JVM) would want to check how much memory is available to it so it can allocate a large enough pool to improve its performance. This allows applications to discover the maximum amount of memory available to the container, by reading
- The docker run command now emits a warning message if you are using devicemapper on a loopback device. It is strongly recommended to use the dm.thinpooldev option as a storage option for a production environment. Do not use loopback in a production environment.
- You can now run containers in systemd mode with the --init=systemd flag. If you are running a container with systemd as PID 1, this flag turns on all systemd features to allow it to run in a non-privileged container. Set container_uuid as an environment variable to pass to systemd what to store in the /etc/machine-id file. This file links the journald within the container to the external log. Mount host directories into a container so that systemd does not require privileges, then mount the journal directory from the host into the container. If you run journald within the container, the host journalctl utility will be able to display the content. Mount the /run directory as a tmpfs. The /sys/fs/cgroup directory is then automatically mounted read-only into a container if --systemd is specified. The proper signal is sent to systemd when running in systemd mode.
- The search experience within containers using the docker search command has been improved:
- You can now prepend indices to search results.
- You can prefix a remote name with a registry name.
- You can shorten the index name if it is not an IP address.
- The --no-index option has been added to avoid listing index names.
- The sorting of entries when the index is preserved has been changed: You can sort by
- The sorting of entries when the index is omitted has been changed: You can sort by
- You can now expose configured registry list using the Docker info API.
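The cgroup note above describes how an application such as a JVM can size its memory pool from the limit Docker exposes under /sys/fs/cgroup. The following POSIX shell script is an added example and not part of the Red Hat release notes: it reads the standard cgroup interface files (memory/memory.limit_in_bytes for cgroup v1, memory.max for cgroup v2; these file names are the kernel's, assumed here rather than taken from the page), normalises the two "no limit" encodings, and derives a heap budget from the result. The cgroup root is a parameter so the functions can be exercised against a constructed directory tree instead of a live container.

```shell
#!/bin/sh
# Added example (not from the release notes): discover the memory limit that
# applies to a container from the cgroup files Docker mounts under
# /sys/fs/cgroup, then size a heap budget from it the way a JVM-style
# allocator would. Assumption: cgroup v1 memory controller, with a cgroup v2
# (unified hierarchy) fallback; file names are the standard kernel ones.

# cgroup_mem_limit [CGROUP_ROOT]
#   Prints the effective memory limit in bytes, or "unlimited" when no cgroup
#   limit is set. CGROUP_ROOT defaults to /sys/fs/cgroup and is a parameter so
#   the function can be tested against a constructed directory.
cgroup_mem_limit() {
    root="${1:-/sys/fs/cgroup}"
    v1="$root/memory/memory.limit_in_bytes"   # cgroup v1 memory controller
    v2="$root/memory.max"                      # cgroup v2 unified hierarchy
    if [ -r "$v1" ]; then
        limit=$(cat "$v1")
        # cgroup v1 reports "no limit" as a very large page-rounded number
        # (9223372036854771712 on 64-bit kernels), not as a keyword.
        if [ "$limit" -ge 9223372036854771712 ] 2>/dev/null; then
            echo unlimited
        else
            echo "$limit"
        fi
    elif [ -r "$v2" ]; then
        limit=$(cat "$v2")
        # cgroup v2 reports "no limit" as the literal string "max".
        if [ "$limit" = max ]; then
            echo unlimited
        else
            echo "$limit"
        fi
    else
        echo "no cgroup memory controller found under $root" >&2
        return 1
    fi
}

# heap_budget CGROUP_ROOT PERCENT
#   Prints PERCENT of the container memory limit in bytes, leaving the rest for
#   the runtime and the rest of the process; prints "unlimited" when the cgroup
#   imposes no limit, so the caller can fall back to host-based sizing.
heap_budget() {
    limit=$(cgroup_mem_limit "$1") || return 1
    if [ "$limit" = unlimited ]; then
        echo unlimited
    else
        echo $(( $limit * $2 / 100 ))
    fi
}
```

Inside a container started with a memory limit, `heap_budget /sys/fs/cgroup 75` prints three quarters of that limit; without a limit it prints "unlimited", which an application should treat as "consult the host" rather than "allocate freely".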
Red Hat Enterprise Linux Atomic Host 7.1.3 includes the following updates:
- docker-storage-setup now relies on the Logical Volume Manager (LVM) to extend thin pools automatically. By default, 60% of the free space in the volume group is used for a thin pool, and it is grown automatically by LVM. When the thin pool is 60% full, it is grown by 20%.
- A default configuration file for docker-storage-setup is now in /usr/lib/docker-storage-setup/docker-storage-setup. You can override the settings in this file by editing the
- Support for passing raw block devices to the docker service for creating a thin pool has been removed. Now the docker-storage-setup service creates an LVM thin pool and passes it to docker.
- The chunk size for thin pools has been increased from 64K to 512K.
- By default, the partition table for the root user is not grown. You can change this behavior by setting the GROWPART=true option in the
- A thin pool is now set up with the skip_block_zeroing feature. This means that when a new block is provisioned in the pool, it is not zeroed. This is done for performance reasons. You can change this behavior by running:
lvchange --zero y thin-pool
- By default, docker storage using the devicemapper graphdriver runs on loopback devices. It is strongly recommended to not use this setup, as it is not production ready. A warning message is displayed to warn the user about this. The user has the option to suppress this warning by passing this storage flag
- Updates related to handling storage on Docker-formatted containers:
- NFS Volume Plugins validated with SELinux have been added. This includes using the NFS Volume Plugin to NFS Mount GlusterFS.
- Persistent volume support validated for the NFS volume plugin only has been added.
- Local storage (HostPath volume plugin) validated with SELinux has been added. (requires workaround described in the docs)
- iSCSI Volume Plugins validated with SELinux have been added.
- GCEPersistentDisk Volume Plugins validated with SELinux have been added. (requires workaround described in the docs)
Red Hat Enterprise Linux Atomic Host 7.1.2 includes the following updates:
- A completely re-architected Registry and a new Registry API, supported by Docker 1.6, that significantly enhance image pull performance and reliability.
- A new logging driver API, which allows you to send container logs to other systems, has been added to the docker utility. The --log-driver option has been added to the docker run command and takes three values: a JSON file (json-file), syslog, or none. The none option can be used with applications whose verbose logs are non-essential.
- Dockerfile instructions can now be used when committing and importing. This also adds the ability to make changes to running images without having to re-build the entire image. The --change option (for both commit and import) lets you specify standard changes to be applied to the new image. These are expressed in the Dockerfile syntax and used to modify the image.
- This release adds support for custom cgroups. Using the --cgroup-parent flag, you can pass a specific cgroup to run a container in. This allows you to create and manage cgroups on your own. You can define custom resources for those cgroups and put containers under a common parent group.
- With this update, you can now specify the default ulimit settings for all containers when configuring the Docker daemon. For example, the daemon can be started with defaults for the nproc and nofile limits:
docker -d --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200
A single container can still override a daemon default with the --ulimit option of docker run:
docker run -d --ulimit nproc=2048:4096 httpd
- The ability to block registries with the
- Support for searching multiple registries at once.
- Pushing local images to a public registry requires confirmation.
- Short names are resolved locally against a list of registries configured in an order, with the docker.io registry last. This way, pulling is always done with a fully qualified name.
Red Hat Enterprise Linux Atomic Host 7.1.1 includes the following updates:
- IPv6 support: Support is available for globally routed and local link addresses.
- Read-only containers: This option is used to restrict applications in a container from being able to write to the entire file system.
- Statistics API and endpoint: Statistics on live CPU, memory, network IO and block IO can now be streamed from containers.
- The docker build -f docker_file command, to specify a file other than Dockerfile to be used by docker build.
- The ability to specify additional registries to use for unqualified pulls and searches. Prior to this an unqualified name was only searched in the public Docker Hub.
- The ability to block communication with certain registries with the --block-registry=<registry> flag. This includes the ability to block the public Docker Hub and the ability to block all but specified registries.
- Confirmation is required to push to a public registry.
- All repositories are now fully qualified when listed. The output of docker images lists the source registry name for all images pulled. The output of docker search shows the source registry name for all results.