Commit 00dfefa0 authored by: A amyMayun

merge container markdown files for easy reading

Parent 0065df62
# About This Document <a name="EN-US_TOPIC_0183674366"></a>
## Overview<a name="section4537382116410"></a>
The openEuler software package provides iSula, the basic platform for running containers.
iSula is the brand of Huawei's container technology solution. The word originally refers to a kind of ant, also known as the bullet ant because of its extremely painful sting, which has been compared to being shot. To the natives of the Amazon jungle in Central and South America, iSula is one of the most powerful insects in the world. Huawei named its container technology solution brand after this meaning.
The basic container platform iSula provides both the Docker engine and the lightweight container engine iSulad. You can select either of them as required.
In addition, the following container forms are provided for different application scenarios:
- Common containers applicable to most common scenarios
- Secure containers applicable to strong isolation and multi-tenant scenarios
- System containers applicable to scenarios where systemd is used to manage services
This document describes how to install and use the container engines and how to deploy and use containers in different forms.
## Intended Audience<a name="section4378592816410"></a>
This document is intended for openEuler users who need to install containers. You will find this document easier to follow if you:
- Are familiar with basic Linux operations.
- Have a basic understanding of containers.
## Symbol Conventions<a name="section133020216410"></a>
The symbols that may be found in this document are defined as follows.
<a name="table17522428316"></a>
<table><thead align="left"><tr id="row25221921314"><th class="cellrowborder" valign="top" width="20.580000000000002%" id="mcps1.1.3.1.1"><p id="p252214203118"><a name="p252214203118"></a><a name="p252214203118"></a><strong id="b2136615816410"><a name="b2136615816410"></a><a name="b2136615816410"></a>Symbol</strong></p>
</th>
<th class="cellrowborder" valign="top" width="79.42%" id="mcps1.1.3.1.2"><p id="p1352216215311"><a name="p1352216215311"></a><a name="p1352216215311"></a><strong id="b4522132153120"><a name="b4522132153120"></a><a name="b4522132153120"></a>Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="row20523729310"><td class="cellrowborder" valign="top" width="20.580000000000002%" headers="mcps1.1.3.1.1 "><p id="p9523172173116"><a name="p9523172173116"></a><a name="p9523172173116"></a><a name="image185230243117"></a><a name="image185230243117"></a><span><img class="" id="image185230243117" height="25.270000000000003" width="55.9265" src="figures/en-us_image_0221924926.png"></span></p>
</td>
<td class="cellrowborder" valign="top" width="79.42%" headers="mcps1.1.3.1.2 "><p id="p1052314233112"><a name="p1052314233112"></a><a name="p1052314233112"></a>Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.</p>
<p id="p125237214313"><a name="p125237214313"></a><a name="p125237214313"></a>NOTICE is used to address practices not related to personal injury.</p>
</td>
</tr>
<tr id="row1652315219312"><td class="cellrowborder" valign="top" width="20.580000000000002%" headers="mcps1.1.3.1.1 "><p id="p1552314223110"><a name="p1552314223110"></a><a name="p1552314223110"></a><a name="image1452315212316"></a><a name="image1452315212316"></a><span><img class="" id="image1452315212316" height="15.96" width="47.88" src="figures/en-us_image_0221924927.png"></span></p>
</td>
<td class="cellrowborder" valign="top" width="79.42%" headers="mcps1.1.3.1.2 "><p id="p952316210315"><a name="p952316210315"></a><a name="p952316210315"></a>Supplements the important information in the main text.</p>
<p id="p1952320210313"><a name="p1952320210313"></a><a name="p1952320210313"></a>NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.</p>
</td>
</tr>
</tbody>
</table>
# Adding a Pod to the CNI Network List<a name="EN-US_TOPIC_0184808074"></a>
If **--network-plugin=cni** is configured for iSulad and the default network plane is configured, a pod is automatically added to the default network plane when the pod is started. If additional network configurations are specified in the pod configuration, the pod is also added to those additional network planes when it is started.
**port\_mappings** in the pod configuration is also a network configuration item; it sets the port mapping of the pod. Port mapping is configured as follows:
```
"port_mappings": [
    {
        "protocol": 1,
        "container_port": 80,
        "host_port": 8080
    }
]
```
- **protocol**: protocol used for the mapping. The value can be **tcp** \(identified by 0\) or **udp** \(identified by 1\).
- **container\_port**: container port to be mapped.
- **host\_port**: host port that the container port is mapped to.
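The following added example (not iSulad code) parses a pod configuration's **port\_mappings** block as described above, turns the numeric protocol into its name and reports the two conditions a reviewer usually wants flagged: a host port below 1024 and the same host port/protocol pair mapped twice. The sample configuration is constructed; treating a missing **protocol** as **tcp** is an assumption of this example.

```python
"""Validate and normalise the ``port_mappings`` block of an iSulad pod
configuration.  Added example, not iSulad code; the sample JSON is
constructed and the protocol encoding (tcp=0, udp=1) follows the page.
"""
import json

PROTOCOLS = {0: "tcp", 1: "udp"}

# Constructed sample: the page's mapping plus a second entry on a low port.
SAMPLE_POD_CONFIG = json.dumps({
    "port_mappings": [
        {"protocol": 1, "container_port": 80, "host_port": 8080},
        {"protocol": 0, "container_port": 443, "host_port": 443},
    ]
})


def _check_port(value, field):
    """Ports must be integers in 1-65535 (bool is an int in Python, so exclude it)."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError(f"{field} must be an integer, got {value!r}")
    if not 1 <= value <= 65535:
        raise ValueError(f"{field} {value} is outside 1-65535")
    return value


def normalise_port_mappings(pod_config_json):
    """Return (mappings, warnings).

    mappings: one dict per entry with the numeric protocol replaced by its name.
    warnings: human-readable notes for a host port below 1024 (a privileged
    port on the host) and for a host port/protocol pair that appears twice
    (the second mapping would collide with the first).
    """
    cfg = json.loads(pod_config_json)
    raw = cfg.get("port_mappings", [])
    if not isinstance(raw, list):
        raise ValueError("port_mappings must be a list")

    mappings, warnings, seen = [], [], set()
    for i, entry in enumerate(raw):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {i}: must be an object")
        proto = entry.get("protocol", 0)  # assumption: missing protocol means tcp
        if proto not in PROTOCOLS:
            raise ValueError(f"entry {i}: unknown protocol {proto!r}")
        cport = _check_port(entry.get("container_port"), f"entry {i}: container_port")
        hport = _check_port(entry.get("host_port"), f"entry {i}: host_port")
        name = PROTOCOLS[proto]
        if (name, hport) in seen:
            warnings.append(f"entry {i}: {name}/{hport} on the host is mapped more than once")
        seen.add((name, hport))
        if hport < 1024:
            warnings.append(f"entry {i}: host_port {hport} is a privileged port")
        mappings.append({"protocol": name, "container_port": cport, "host_port": hport})
    return mappings, warnings
```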
# APIs<a name="EN-US_TOPIC_0184808156"></a>
Both iSulad and iSula provide hook APIs. The default hook configuration provided by iSulad applies to all containers. The hook APIs provided by iSula apply only to the container currently being created.
The default OCI hook configurations provided by iSulad are as follows:
- Set the configuration item **hook-spec** in the **/etc/isulad/daemon.json** configuration file to specify the path of the hook configuration file. Example: **"hook-spec": "/etc/default/isulad/hooks/default.json"**
- Use the **isulad --hook-spec** parameter to set the path of the hook configuration file.
The OCI hook configurations provided by iSula are as follows:
- **isula create --hook-spec**: specifies the path of the hook configuration file in JSON format.
- **isula run --hook-spec**: specifies the path of the hook configuration file in JSON format.
The configuration for **run** takes effect in the creation phase.
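As an added example (not iSulad code), the checker below validates a hook configuration file of the kind passed via **--hook-spec** before it is deployed. It assumes the file uses the OCI runtime spec hooks layout (**prestart**, **poststart** and **poststop** lists of objects with **path**, **args**, **env** and **timeout**); the sample document is constructed and contains two deliberate problems for the checker to find.

```python
"""Sanity-check a hook configuration file before it is given to
``isulad --hook-spec`` or ``isula run --hook-spec``.

Added example, not iSulad code.  Assumes the OCI runtime spec hooks layout
(stage -> list of {"path", "args", "env", "timeout"}); the sample is constructed.
"""
import json
import os

STAGES = ("prestart", "poststart", "poststop")

# Constructed sample: one hook per stage, with a relative path and a
# zero timeout planted for the checker to report.
SAMPLE_HOOK_SPEC = json.dumps({
    "prestart": [{"path": "/usr/local/bin/net-setup", "args": ["net-setup", "--pod"], "timeout": 5}],
    "poststart": [{"path": "bin/notify", "args": ["notify"]}],
    "poststop": [{"path": "/usr/local/bin/cleanup", "env": ["LOG=1"], "timeout": 0}],
})


def check_hook_spec(text):
    """Return a list of findings; an empty list means the spec is acceptable."""
    findings = []
    try:
        spec = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(spec, dict):
        return ["top level must be a JSON object"]
    for stage in spec:
        if stage not in STAGES:
            findings.append(f"unknown stage '{stage}'")
    for stage in STAGES:
        hooks = spec.get(stage, [])
        if not isinstance(hooks, list):
            findings.append(f"{stage}: must be a list")
            continue
        for i, hook in enumerate(hooks):
            where = f"{stage}[{i}]"
            if not isinstance(hook, dict):
                findings.append(f"{where}: must be an object")
                continue
            path = hook.get("path")
            if not isinstance(path, str) or not path:
                findings.append(f"{where}: missing path")
            elif not os.path.isabs(path):
                # Hook binaries are executed by the runtime on the host; a
                # relative path resolves against whatever cwd the daemon has.
                findings.append(f"{where}: path '{path}' is not absolute")
            elif os.path.normpath(path) != path:
                findings.append(f"{where}: path '{path}' is not normalised")
            for key in ("args", "env"):
                val = hook.get(key, [])
                if not isinstance(val, list) or not all(isinstance(v, str) for v in val):
                    findings.append(f"{where}: {key} must be a list of strings")
            if "timeout" in hook:
                t = hook["timeout"]
                if not isinstance(t, int) or isinstance(t, bool) or t <= 0:
                    findings.append(f"{where}: timeout must be a positive integer")
            else:
                findings.append(f"{where}: no timeout; a hung hook blocks the container lifecycle")
    return findings
```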
# Command Line Interface List<a name="EN-US_TOPIC_0184808036"></a>
## Appendix
- [Appendix](#appendix-1)
- [Command Line Interface List](#command-line-interface-list)
## Command Line Interface List
This section lists commands in system containers, which are different from those in common containers. For details about other commands, refer to sections related to the iSulad container engine or run the **isula _XXX_ --help** command.
<a name="en-us_topic_0182200851_table1661120132715"></a>
<table><thead align="left"><tr id="en-us_topic_0182200851_row106622062718"><th class="cellrowborder" valign="top" width="15.909999999999998%" id="mcps1.1.4.1.1"><p id="en-us_topic_0182200851_p66628072719"><a name="en-us_topic_0182200851_p66628072719"></a><a name="en-us_topic_0182200851_p66628072719"></a><strong id="en-us_topic_0182200851_b18161020581"><a name="en-us_topic_0182200851_b18161020581"></a><a name="en-us_topic_0182200851_b18161020581"></a>Command</strong></p>
</th>
<th class="cellrowborder" valign="top" width="20.96%" id="mcps1.1.4.1.2"><p id="en-us_topic_0182200851_p180520291382"><a name="en-us_topic_0182200851_p180520291382"></a><a name="en-us_topic_0182200851_p180520291382"></a>Parameters</p>
......
# APIs<a name="EN-US_TOPIC_0184808188"></a>
# Appendix
- [Appendix](#appendix-2)
- [configuration.toml](#configuration-toml)
- [APIs](#apis)
## configuration.toml
>![](public_sys-resources/icon-note.gif) **NOTE:**
>The value of each field in the **configuration.toml** file is subject to the **configuration.toml** file in the **kata-containers-**_version_**.rpm** package. You cannot set any field in the configuration file.
```
[hypervisor.qemu]
path: specifies the execution path of the virtualization QEMU.
kernel: specifies the execution path of the guest kernel.
initrd: specifies the guest initrd execution path.
image: specifies the execution path of the guest image (not applicable).
machine_type: specifies the emulated machine type. The value is virt for the ARM architecture and pc for the x86 architecture.
kernel_params: specifies the running parameters of the guest kernel.
firmware: specifies the firmware path. If this parameter is left blank, the default firmware is used.
machine_accelerators: specifies an accelerator.
default_vcpus: specifies the default number of vCPUs for each SB/VM.
default_maxvcpus: specifies the default maximum number of vCPUs for each SB/VM.
default_root_ports: specifies the default number of root ports for each SB/VM.
default_bridges: specifies the default number of bridges for each SB/VM.
default_memory: specifies the default memory size of each SB/VM. The default value is 1024 MiB.
memory_slots: specifies the number of memory slots for each SB/VM. The default value is 10.
memory_offset: specifies the memory offset. The default value is 0.
disable_block_device_use: disables the block device from being used by the rootfs of the container.
shared_fs: specifies the type of the shared file system. The default value is virtio-9p.
virtio_fs_daemon: specifies the path of the vhost-user-fs daemon process.
virtio_fs_cache_size: specifies the default size of the DAX cache.
virtio_fs_cache: specifies the cache mode.
block_device_driver: specifies the driver of a block device.
block_device_cache_set: specifies whether to set cache-related options for a block device. The default value is false.
block_device_cache_direct: specifies whether to enable O_DIRECT. The default value is false.
block_device_cache_noflush: specifies whether to ignore device update requests. The default value is false.
enable_iothreads: enables iothreads.
enable_mem_prealloc: enables VM RAM pre-allocation. The default value is false.
enable_hugepages: enables huge pages. The default value is false.
enable_swap: enables the swap function. The default value is false.
enable_debug: enables QEMU debugging. The default value is false.
disable_nesting_checks: disables nested check.
msize_9p = 8192: specifies the number of bytes transmitted in each 9p packet.
use_vsock: uses vsock to communicate directly with the agent (provided that vsock is supported). The default value is false.
hotplug_vfio_on_root_bus: enables the hot swap of the VFIO device on the root bus. The default value is false.
disable_vhost_net: disables vhost_net. The default value is false.
entropy_source: specifies the default entropy source.
guest_hook_path: specifies the binary path of the guest hook.
[factory]
enable_template: enables the VM template. The default value is false.
template_path: specifies the template path.
vm_cache_number: specifies the number of VM caches. The default value is 0.
vm_cache_endpoint: specifies the address of the Unix socket used by the VMCache. The default value is /var/run/kata-containers/cache.sock.
[proxy.kata]
path: specifies the kata-proxy running path.
enable_debug: enables proxy debugging. The default value is false.
[shim.kata]
path: specifies the running path of kata-shim.
enable_debug: enables shim debugging. The default value is false.
enable_tracing: enables shim opentracing.
[agent.kata]
enable_debug: enables the agent debugging function. The default value is false.
enable_tracing: enables the agent tracing function.
trace_mode: specifies the trace mode.
trace_type: specifies the trace type.
enable_blk_mount: enables guest mounting of the block device.
[netmon]
enable_netmon: enables network monitoring. The default value is false.
path: specifies the kata-netmon running path.
enable_debug: enables netmon debugging. The default value is false.
[runtime]
enable_debug: enables runtime debugging. The default value is false.
enable_cpu_memory_hotplug: enables CPU and memory hot swap. The default value is false.
internetworking_model: specifies the network interconnection mode between VMs and containers.
disable_guest_seccomp: disables the seccomp security mechanism in the guest application. The default value is true.
enable_tracing: enables runtime opentracing. The default value is false.
disable_new_netns: disables network namespace creation for the shim and hypervisor processes. The default value is false.
experimental: enables the experimental feature, which does not support user-defined configurations.
```
## APIs
**Table 1** Commands related to the kata-runtime network
......
# Appendix<a name="EN-US_TOPIC_0184808035"></a>
# Appendix<a name="EN-US_TOPIC_0184808186"></a>
# Application Scenarios<a name="EN-US_TOPIC_0184808168"></a>
This section describes how to use a secure container.
# Application Scenarios<a name="EN-US_TOPIC_0184808051"></a>
This section describes how to use the iSulad.
# attach<a name="EN-US_TOPIC_0184808239"></a>
Syntax: **docker attach \[**_options_**\]** _container_
Function: Attaches to a running container.
Parameter description:
**--no-stdin=false**: Does not attach any STDIN.
**--sig-proxy=true**: Proxies all signals of the container, except SIGCHLD, SIGKILL, and SIGSTOP.
Example:
```
$ sudo docker attach attach_test
root@2988b8658669:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
```
# Attach<a name="EN-US_TOPIC_0184808108"></a>
## Prototype<a name="en-us_topic_0183088054_section164301654155514"></a>
```
rpc Attach(AttachRequest) returns (AttachResponse) {}
```
## Description<a name="en-us_topic_0183088054_section729211519569"></a>
This API attaches to the init process of a container over gRPC: the client obtains a URL from the CRI server and then uses that URL to establish a persistent connection to the WebSocket server, through which it interacts with the container. Only containers whose runtime is of the LCR type are supported.
## Parameters<a name="en-us_topic_0183088054_section349492895613"></a>
<a name="en-us_topic_0183088054_table184320467318"></a>
<table><tbody><tr id="en-us_topic_0183088054_row78917461336"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p1089154617315"><a name="en-us_topic_0183088054_p1089154617315"></a><a name="en-us_topic_0183088054_p1089154617315"></a><strong id="en-us_topic_0183088054_b1145614180320"><a name="en-us_topic_0183088054_b1145614180320"></a><a name="en-us_topic_0183088054_b1145614180320"></a>Parameter</strong></p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p128984613319"><a name="en-us_topic_0183088054_p128984613319"></a><a name="en-us_topic_0183088054_p128984613319"></a><strong id="en-us_topic_0183088054_b7905112017323"><a name="en-us_topic_0183088054_b7905112017323"></a><a name="en-us_topic_0183088054_b7905112017323"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183088054_row10898461533"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p1253351115517"><a name="en-us_topic_0183088054_p1253351115517"></a><a name="en-us_topic_0183088054_p1253351115517"></a>string container_id</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p1189846434"><a name="en-us_topic_0183088054_p1189846434"></a><a name="en-us_topic_0183088054_p1189846434"></a>Container ID.</p>
</td>
</tr>
<tr id="en-us_topic_0183088054_row4812119101610"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p3218304144"><a name="en-us_topic_0183088054_p3218304144"></a><a name="en-us_topic_0183088054_p3218304144"></a>bool tty</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p1947314925616"><a name="en-us_topic_0183088054_p1947314925616"></a><a name="en-us_topic_0183088054_p1947314925616"></a>Whether to run the command in a TTY.</p>
</td>
</tr>
<tr id="en-us_topic_0183088054_row1569883411415"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p06982346147"><a name="en-us_topic_0183088054_p06982346147"></a><a name="en-us_topic_0183088054_p06982346147"></a>bool stdin</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p469919340142"><a name="en-us_topic_0183088054_p469919340142"></a><a name="en-us_topic_0183088054_p469919340142"></a>Whether to generate the standard input stream.</p>
</td>
</tr>
<tr id="en-us_topic_0183088054_row12135742161414"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p5135242161417"><a name="en-us_topic_0183088054_p5135242161417"></a><a name="en-us_topic_0183088054_p5135242161417"></a>bool stdout</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p1613584220142"><a name="en-us_topic_0183088054_p1613584220142"></a><a name="en-us_topic_0183088054_p1613584220142"></a>Whether to generate the standard output stream.</p>
</td>
</tr>
<tr id="en-us_topic_0183088054_row101281154171413"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p151281754181412"><a name="en-us_topic_0183088054_p151281754181412"></a><a name="en-us_topic_0183088054_p151281754181412"></a>bool stderr</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p51282542141"><a name="en-us_topic_0183088054_p51282542141"></a><a name="en-us_topic_0183088054_p51282542141"></a>Whether to generate the standard error output stream.</p>
</td>
</tr>
</tbody>
</table>
## Return Values<a name="en-us_topic_0183088054_section10495164611565"></a>
<a name="en-us_topic_0183088054_table15296551936"></a>
<table><tbody><tr id="en-us_topic_0183088054_row18741555834"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p197485518319"><a name="en-us_topic_0183088054_p197485518319"></a><a name="en-us_topic_0183088054_p197485518319"></a><strong id="en-us_topic_0183088054_b109921252323"><a name="en-us_topic_0183088054_b109921252323"></a><a name="en-us_topic_0183088054_b109921252323"></a>Return Value</strong></p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p374185520310"><a name="en-us_topic_0183088054_p374185520310"></a><a name="en-us_topic_0183088054_p374185520310"></a><strong id="en-us_topic_0183088054_b0887828183218"><a name="en-us_topic_0183088054_b0887828183218"></a><a name="en-us_topic_0183088054_b0887828183218"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183088054_row87419551317"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088054_p15574205011242"><a name="en-us_topic_0183088054_p15574205011242"></a><a name="en-us_topic_0183088054_p15574205011242"></a>string url</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088054_p103555206255"><a name="en-us_topic_0183088054_p103555206255"></a><a name="en-us_topic_0183088054_p103555206255"></a>Fully qualified URL of the attach streaming server.</p>
</td>
</tr>
</tbody>
</table>
# Attaching to a Container<a name="EN-US_TOPIC_0184808059"></a>
## Description<a name="en-us_topic_0183292667_section13350115135310"></a>
To attach standard input, standard output, and standard error of the current terminal to a running container, run the **isula attach** command. Only containers whose runtime is of the LCR type are supported.
## Usage<a name="en-us_topic_0183292667_section188811239165314"></a>
```
isula attach [OPTIONS] CONTAINER
```
## Parameters<a name="en-us_topic_0183292667_section4322824135919"></a>
The following table lists the parameters supported by the **attach** command.
**Table 1** Parameter description
<a name="en-us_topic_0183292667_table14752840142911"></a>
<table><thead align="left"><tr id="en-us_topic_0183292667_row1561315411186"><th class="cellrowborder" valign="top" width="17.333333333333336%" id="mcps1.2.4.1.1"><p id="en-us_topic_0183292667_p16197118172112"><a name="en-us_topic_0183292667_p16197118172112"></a><a name="en-us_topic_0183292667_p16197118172112"></a><strong id="en-us_topic_0183292667_b121981618182110"><a name="en-us_topic_0183292667_b121981618182110"></a><a name="en-us_topic_0183292667_b121981618182110"></a>Command</strong></p>
</th>
<th class="cellrowborder" valign="top" width="39.57575757575758%" id="mcps1.2.4.1.2"><p id="en-us_topic_0183292667_p131981218102117"><a name="en-us_topic_0183292667_p131981218102117"></a><a name="en-us_topic_0183292667_p131981218102117"></a>Parameter</p>
</th>
<th class="cellrowborder" valign="top" width="43.09090909090909%" id="mcps1.2.4.1.3"><p id="en-us_topic_0183292667_p7685132114311"><a name="en-us_topic_0183292667_p7685132114311"></a><a name="en-us_topic_0183292667_p7685132114311"></a><strong id="en-us_topic_0183292667_b238118331471"><a name="en-us_topic_0183292667_b238118331471"></a><a name="en-us_topic_0183292667_b238118331471"></a>Description</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0183292667_row378741121914"><td class="cellrowborder" rowspan="3" valign="top" width="17.333333333333336%" headers="mcps1.2.4.1.1 "><p id="en-us_topic_0183292667_p2788111171911"><a name="en-us_topic_0183292667_p2788111171911"></a><a name="en-us_topic_0183292667_p2788111171911"></a><strong id="en-us_topic_0183292667_b19827526183312"><a name="en-us_topic_0183292667_b19827526183312"></a><a name="en-us_topic_0183292667_b19827526183312"></a>attach</strong></p>
</td>
<td class="cellrowborder" valign="top" width="39.57575757575758%" headers="mcps1.2.4.1.2 "><p id="en-us_topic_0183292667_p440023182210"><a name="en-us_topic_0183292667_p440023182210"></a><a name="en-us_topic_0183292667_p440023182210"></a>--help</p>
</td>
<td class="cellrowborder" valign="top" width="43.09090909090909%" headers="mcps1.2.4.1.3 "><p id="en-us_topic_0183292667_p114002313226"><a name="en-us_topic_0183292667_p114002313226"></a><a name="en-us_topic_0183292667_p114002313226"></a>Displays help information.</p>
</td>
</tr>
<tr id="en-us_topic_0183292667_row159823516222"><td class="cellrowborder" valign="top" headers="mcps1.2.4.1.1 "><p id="en-us_topic_0183292667_p622945315220"><a name="en-us_topic_0183292667_p622945315220"></a><a name="en-us_topic_0183292667_p622945315220"></a>-H, --host</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.2.4.1.2 "><p id="en-us_topic_0183292667_p11229125362213"><a name="en-us_topic_0183292667_p11229125362213"></a><a name="en-us_topic_0183292667_p11229125362213"></a>Specifies the iSulad socket file path to be accessed.</p>
</td>
</tr>
<tr id="en-us_topic_0183292667_row14595112722316"><td class="cellrowborder" valign="top" headers="mcps1.2.4.1.1 "><p id="en-us_topic_0183292667_p17595162742311"><a name="en-us_topic_0183292667_p17595162742311"></a><a name="en-us_topic_0183292667_p17595162742311"></a>-D, --debug</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.2.4.1.2 "><p id="en-us_topic_0183292667_p1959513279236"><a name="en-us_topic_0183292667_p1959513279236"></a><a name="en-us_topic_0183292667_p1959513279236"></a>Enables the debug mode.</p>
</td>
</tr>
</tbody>
</table>
## Constraints<a name="en-us_topic_0183292667_section18811125219118"></a>
- For the native Docker, running the **attach** command will directly enter the container. For the iSulad container, you have to run the **attach** command and press **Enter** to enter the container.
## Example<a name="en-us_topic_0183292667_section1734193235916"></a>
Attach to a running container.
```
$ isula attach fd7376591a9c3d8ee9a14f5d2c2e5255b02cc44cddaabca82170efd4497510e1
/ #
/ #
```
# Audit Component<a name="EN-US_TOPIC_0184808204"></a>
You can configure audit for Docker. However, this configuration is not mandatory. For example:
```
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/sysconfig/docker -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker
-w /etc/docker/daemon.json -k docker
```
Configuring audit for Docker helps with auditing but has no substantial effect on defending against attacks. In addition, the audit configuration causes serious efficiency problems; for example, the system may not respond smoothly. Therefore, exercise caution in the production environment.
The following uses **-w /var/lib/docker -k docker** as an example to describe how to configure Docker audit.
```
[root@localhost signal]# cat /etc/audit/rules.d/audit.rules | grep docker
-w /var/lib/docker/ -k docker
[root@localhost signal]# auditctl -R /etc/audit/rules.d/audit.rules | grep docker
[root@localhost signal]# auditctl -l | grep docker
-w /var/lib/docker/ -p rwxa -k docker
```
>![](public_sys-resources/icon-note.gif) **NOTE:**
>**-p \[r|w|x|a\]** and **-w** are used together to monitor the read, write, execution, and attribute changes \(such as timestamp changes\) of the directory. In this case, any file or directory operation in the **/var/lib/docker** directory will be recorded in the **audit.log** file. As a result, too many logs will be recorded in the **audit.log** file, which severely affects the memory or CPU usage of auditd and, in turn, the OS. For example, logs similar to the following will be recorded in the **/var/log/audit/audit.log** file each time the **ls /var/lib/docker/containers** command is executed:
```
type=SYSCALL msg=audit(1517656451.457:8097): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1b955b0 a2=90800 a3=0 items=1 ppid=17821 pid=1925 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="docker"
type=CWD msg=audit(1517656451.457:8097): cwd="/root"
type=PATH msg=audit(1517656451.457:8097): item=0 name="/var/lib/docker/containers" inode=1049112 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:container_var_lib_t:s0 objtype=NORMAL
```
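The added example below (not part of the openEuler documentation or of auditd) groups raw audit records by event serial and summarises the events tagged with the **-k docker** key, which is the quickest way to see how noisy the watch rule above is before enabling it in production. The sample records are constructed after the excerpt above; the second event, its serial, pids and inodes are made up, and the expected-daemon list in `writes_by_unexpected_exe` is an assumption.

```python
"""Group auditd records by event and summarise the ones carrying key="docker".
Added example, not openEuler or auditd code; the log lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: the page's ls event plus a made-up dockerd event that
# creates a container config file under /var/lib/docker.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1517656451.457:8097): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1b955b0 a2=90800 a3=0 items=1 ppid=17821 pid=1925 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=4 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="docker"
type=CWD msg=audit(1517656451.457:8097): cwd="/root"
type=PATH msg=audit(1517656451.457:8097): item=0 name="/var/lib/docker/containers" inode=1049112 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:container_var_lib_t:s0 objtype=NORMAL
type=SYSCALL msg=audit(1517656460.100:8101): arch=c000003e syscall=257 success=yes exit=4 a0=ffffffffffffff9c a1=2a0 a2=241 a3=1b6 items=2 ppid=1 pid=2201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dockerd" exe="/usr/bin/dockerd" subj=system_u:system_r:container_runtime_t:s0 key="docker"
type=CWD msg=audit(1517656460.100:8101): cwd="/"
type=PATH msg=audit(1517656460.100:8101): item=0 name="/var/lib/docker/containers/abc123/" inode=1049200 dev=fd:00 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_var_lib_t:s0 objtype=PARENT
type=PATH msg=audit(1517656460.100:8101): item=1 name="/var/lib/docker/containers/abc123/config.v2.json" inode=1049201 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_var_lib_t:s0 objtype=CREATE
"""

# key=value pairs; the value is either a double-quoted string or a bare token
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one audit line into a dict of fields plus 'ts' and 'serial'."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _MSG_RE.search(line)
    if m is None:
        raise ValueError("not an audit record: " + line)
    fields["ts"], fields["serial"] = float(m.group(1)), int(m.group(2))
    return fields


def group_events(text):
    """Group records by serial: one dict per event holding the SYSCALL fields,
    the cwd, and the list of (name, objtype) pairs from its PATH records."""
    events = defaultdict(lambda: {"paths": [], "cwd": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev.update(rec)
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["cwd"]
        elif rec["type"] == "PATH":
            ev["paths"].append((rec["name"], rec.get("objtype")))
    return dict(events)


def summarise_key(text, key="docker"):
    """For events carrying `key`, return (rows, per_exe) where rows is a list
    of (serial, exe, auid, [paths]) and per_exe counts events per binary,
    the number that tells you how much log volume the watch rule produces."""
    rows, per_exe = [], defaultdict(int)
    for serial, ev in sorted(group_events(text).items()):
        if ev.get("key") != key:
            continue
        exe = ev.get("exe", "?")
        rows.append((serial, exe, ev.get("auid"), [p for p, _ in ev["paths"]]))
        per_exe[exe] += 1
    return rows, dict(per_exe)


def writes_by_unexpected_exe(text, expected=("/usr/bin/dockerd",)):
    """Serials of key="docker" events that CREATE or DELETE a path and were
    not produced by an expected daemon binary (assumed list), e.g. container
    state under /var/lib/docker being edited by hand."""
    hits = []
    for serial, ev in group_events(text).items():
        if ev.get("key") != "docker" or ev.get("exe") in expected:
            continue
        if any(t in ("CREATE", "DELETE") for _, t in ev["paths"]):
            hits.append(serial)
    return sorted(hits)
```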
  
# Basic Installation Configuration<a name="EN-US_TOPIC_0184808195"></a>
# capabilities Security Configuration<a name="EN-US_TOPIC_0184808150"></a>
# Check Rules<a name="EN-US_TOPIC_0184808139"></a>
# Checking the Container Health Status<a name="EN-US_TOPIC_0184808136"></a>
- [Checking the Container Health Status](#checking-the-container-health-status)
- [Scenarios](#scenarios-7)
- [Configuration Methods](#configuration-methods)
- [Check Rules](#check-rules)
- [Usage Restrictions](#usage-restrictions-8)
## Scenarios
In the production environment, bugs are inevitable in applications provided by developers or services provided by platforms. Therefore, a management system is indispensable for periodically checking and repairing applications. The container health check mechanism adds a user-defined health check function for containers. When a container is created, the **--health-cmd** option is configured so that commands are periodically executed in the container to monitor the health status of the container based on return values.
## Configuration Methods
Configurations during container startup:
```
isula run -itd --health-cmd "echo iSulad >> /tmp/health_check_file || exit 1" --health-interval 5m --health-timeout 3s --health-exit-on-unhealthy busybox bash
```
The configurable options are as follows:
- **--health-cmd**: This option is mandatory. If **0** is returned after a command is run in a container, the command execution succeeds. If a value other than **0** is returned, the command execution fails.
- **--health-interval**: interval between two consecutive command executions. The default value is **30s**. The value ranges from **1s** to the maximum value of Int64 \(unit: nanosecond\). If the input parameter is set to **0s**, the default value is used.
- **--health-timeout**: maximum duration for executing a single check command. If the execution times out, the command execution fails. The default value is **30s**. The value ranges from **1s** to the maximum value of Int64 \(unit: nanosecond\). If the input parameter is set to **0s**, the default value is used. Only containers whose runtime is of the LCR type are supported.
- **--health-start-period**: container initialization time. The default value is **0s**. The value ranges from **1s** to the maximum value of Int64 \(unit: nanosecond\).
- **--health-retries**: maximum number of retries for the health check. The default value is **3**. The maximum value is the maximum value of Int32.
- **--health-exit-on-unhealthy**: specifies whether to kill a container when it is unhealthy. The default value is **false**.
## Check Rules
1. After a container is started, the container status is **health:starting**.
2. After the period specified by **start-period**, the **cmd** command is periodically executed in the container at the interval specified by **interval**. That is, after the command is executed, the command will be executed again after the specified period.
3. If the **cmd** command is successfully executed within the time specified by **timeout** and the return value is **0**, the check is successful. Otherwise, the check fails. If the check is successful, the container status changes to **health:healthy**.
4. If the **cmd** command fails to be executed for the number of times specified by **retries**, the container status changes to **health:unhealthy**, and the container continues the health check.
5. When the container status is **health:unhealthy**, the container status changes to **health:healthy** if a check succeeds.
6. If **--exit-on-unhealthy** is set, and the container exits due to reasons other than being killed \(the returned exit code is **137**\), the health check takes effect only after the container is restarted.
7. When the **cmd** command execution is complete or times out, Docker daemon will record the start time, return value, and standard output of the check to the configuration file of the container. A maximum of five records can be recorded. In addition, the configuration file of the container stores health check parameters.
8. When the container is running, the health check status is written into the container configurations. You can run the **isula inspect** command to view the status.
```
"Health": {
"Status": "healthy",
"FailingStreak": 0,
"Log": [
{
"Start": "2018-03-07T07:44:15.481414707-05:00",
"End": "2018-03-07T07:44:15.556908311-05:00",
"ExitCode": 0,
"Output": ""
},
{
"Start": "2018-03-07T07:44:18.557297462-05:00",
"End": "2018-03-07T07:44:18.63035891-05:00",
"ExitCode": 0,
"Output": ""
},
......
}
```
## Usage Restrictions
- A maximum of five health check status records can be stored in a container. The last five records are saved.
- If health check parameters are set to **0** during container startup, the default values are used.
- After a container with configured health check parameters is started, if iSulad daemon exits, the health check is not executed. After iSulad daemon is restarted, the health status of the running container changes to **starting**. Afterwards, the check rules are the same as above.
- If the health check fails for the first time, the health status stays **starting**: it changes to **unhealthy** only after the number of retries specified by **--health-retries** is reached, or to **healthy** as soon as a check succeeds.
- The health check function of containers whose runtime is of the Open Container Initiative \(OCI\) type needs to be improved. Only containers whose runtime is of the LCR type are supported.
# CNI Network Configuration Description<a name="EN-US_TOPIC_0184808073"></a>
The CNI network configuration includes two types, both of which are in the .json file format.
- Single-network plane configuration file with the file name extension .conf or .json. For details about the configuration items, see [Table 1](cni-parameters.md#en-us_topic_0184347952_table425023335913) in the appendix.
- Multi-network plane configuration file with the file name extension .conflist. For details about the configuration items, see [Table 3](cni-parameters.md#en-us_topic_0184347952_table657910563105) in the appendix.
This diff has been collapsed.
# Command Reference<a name="EN-US_TOPIC_0184808236"></a>
# Command Reference
- [Command Reference](#command-reference)
- [Container Engine](#container-engine)
- [Container Management](#container-management-40)
- [Image Management](#image-management-43)
- [Statistics](#statistics)
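Review bot: the anchors `#container-management-40` and `#image-management-43` in the new table of contents carry the de-duplication suffix the renderer assigns when several headings share a name in the merged file; those numbers shift whenever a same-named section is added or reordered before them, so verify each link resolves after this merge and consider giving those headings explicit `<a name>` anchors (as the existing `# Command Reference<a name="EN-US_TOPIC_0184808236">` title does) so the table of contents does not depend on heading order.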
# commit<a name="EN-US_TOPIC_0184808240"></a>
Syntax: **docker commit \[**_options_**\]** _container_ **\[**_repository\[:tag\]_**\]**
Function: creates an image from a container.
Parameter description:
**-a**, **--author=""**: specifies an author.
**-m**, **--message=""**: specifies the commit message.
**-p**, **--pause=true**: pauses the container while it is being committed.
Example:
Run the following command to commit the container **test** as a new image **busybox:test**:
```
$ sudo docker commit test busybox:test
sha256:be4672959e8bd8a4291fbdd9e99be932912fe80b062fba3c9b16ee83720c33e1
$ sudo docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
busybox latest e02e811dd08f 2 years ago 1.09MB
```
# Common CNIs<a name="EN-US_TOPIC_0184808072"></a>
Common CNIs include CNI network configuration items in the CNI network configuration and pod configuration. These CNIs are visible to users.
- CNI network configuration items in the CNI network configuration refer to those used to specify the path of the CNI network configuration file, path of the binary file of the CNI network plug-in, and network mode. For details, see [Table 1](#en-us_topic_0183259146_table18221919589).
- CNI network configuration items in the pod configuration refer to those used to set the additional CNI network list to which the pod is added. By default, the pod is added only to the default CNI network plane. You can add the pod to multiple CNI network planes as required.
**Table 1** CNI network configuration items
<a name="en-us_topic_0183259146_table18221919589"></a>
<table><thead align="left"><tr id="en-us_topic_0183259146_row2225191085"><th class="cellrowborder" valign="top" width="30.826917308269174%" id="mcps1.2.5.1.1"><p id="en-us_topic_0183259146_p1022619489"><a name="en-us_topic_0183259146_p1022619489"></a><a name="en-us_topic_0183259146_p1022619489"></a><strong id="en-us_topic_0183259146_b842352706184423"><a name="en-us_topic_0183259146_b842352706184423"></a><a name="en-us_topic_0183259146_b842352706184423"></a>Function</strong></p>
</th>
<th class="cellrowborder" valign="top" width="16.328367163283673%" id="mcps1.2.5.1.2"><p id="en-us_topic_0183259146_p1022419587"><a name="en-us_topic_0183259146_p1022419587"></a><a name="en-us_topic_0183259146_p1022419587"></a>Command</p>
</th>
<th class="cellrowborder" valign="top" width="17.028297170282972%" id="mcps1.2.5.1.3"><p id="en-us_topic_0183259146_p3226192815"><a name="en-us_topic_0183259146_p3226192815"></a><a name="en-us_topic_0183259146_p3226192815"></a>Configuration File</p>
</th>
<th class="cellrowborder" valign="top" width="35.816418358164185%" id="mcps1.2.5.1.4"><p id="en-us_topic_0183259146_p1689202318912"><a name="en-us_topic_0183259146_p1689202318912"></a><a name="en-us_topic_0183259146_p1689202318912"></a>Description</p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0183259146_row822131914815"><td class="cellrowborder" valign="top" width="30.826917308269174%" headers="mcps1.2.5.1.1 "><p id="en-us_topic_0183259146_p62201919815"><a name="en-us_topic_0183259146_p62201919815"></a><a name="en-us_topic_0183259146_p62201919815"></a>Path of the binary file of the CNI network plug-in</p>
</td>
<td class="cellrowborder" valign="top" width="16.328367163283673%" headers="mcps1.2.5.1.2 "><p id="en-us_topic_0183259146_p15221919480"><a name="en-us_topic_0183259146_p15221919480"></a><a name="en-us_topic_0183259146_p15221919480"></a>--cni-bin-dir</p>
</td>
<td class="cellrowborder" valign="top" width="17.028297170282972%" headers="mcps1.2.5.1.3 "><p id="en-us_topic_0183259146_p112261910816"><a name="en-us_topic_0183259146_p112261910816"></a><a name="en-us_topic_0183259146_p112261910816"></a>"cni-bin-dir": "",</p>
</td>
<td class="cellrowborder" valign="top" width="35.816418358164185%" headers="mcps1.2.5.1.4 "><p id="en-us_topic_0183259146_p156897237917"><a name="en-us_topic_0183259146_p156897237917"></a><a name="en-us_topic_0183259146_p156897237917"></a>The default value is <strong id="en-us_topic_0183259146_b27602031133415"><a name="en-us_topic_0183259146_b27602031133415"></a><a name="en-us_topic_0183259146_b27602031133415"></a>/opt/cni/bin</strong>.</p>
</td>
</tr>
<tr id="en-us_topic_0183259146_row822719788"><td class="cellrowborder" valign="top" width="30.826917308269174%" headers="mcps1.2.5.1.1 "><p id="en-us_topic_0183259146_p16221519887"><a name="en-us_topic_0183259146_p16221519887"></a><a name="en-us_topic_0183259146_p16221519887"></a>Path of the CNI network configuration file</p>
</td>
<td class="cellrowborder" valign="top" width="16.328367163283673%" headers="mcps1.2.5.1.2 "><p id="en-us_topic_0183259146_p13221191487"><a name="en-us_topic_0183259146_p13221191487"></a><a name="en-us_topic_0183259146_p13221191487"></a>--cni-conf-dir</p>
</td>
<td class="cellrowborder" valign="top" width="17.028297170282972%" headers="mcps1.2.5.1.3 "><p id="en-us_topic_0183259146_p192251917811"><a name="en-us_topic_0183259146_p192251917811"></a><a name="en-us_topic_0183259146_p192251917811"></a>"cni-conf-dir": "",</p>
</td>
<td class="cellrowborder" valign="top" width="35.816418358164185%" headers="mcps1.2.5.1.4 "><p id="en-us_topic_0183259146_p4689023297"><a name="en-us_topic_0183259146_p4689023297"></a><a name="en-us_topic_0183259146_p4689023297"></a>The system traverses all files with the extension .conf, .conflist, or .json in the directory. The default value is <strong id="en-us_topic_0183259146_b837081743516"><a name="en-us_topic_0183259146_b837081743516"></a><a name="en-us_topic_0183259146_b837081743516"></a>/etc/cni/net.d</strong>.</p>
</td>
</tr>
<tr id="en-us_topic_0183259146_row192251915816"><td class="cellrowborder" valign="top" width="30.826917308269174%" headers="mcps1.2.5.1.1 "><p id="en-us_topic_0183259146_p42211193817"><a name="en-us_topic_0183259146_p42211193817"></a><a name="en-us_topic_0183259146_p42211193817"></a>Network mode</p>
</td>
<td class="cellrowborder" valign="top" width="16.328367163283673%" headers="mcps1.2.5.1.2 "><p id="en-us_topic_0183259146_p17221519484"><a name="en-us_topic_0183259146_p17221519484"></a><a name="en-us_topic_0183259146_p17221519484"></a>--network-plugin</p>
</td>
<td class="cellrowborder" valign="top" width="17.028297170282972%" headers="mcps1.2.5.1.3 "><p id="en-us_topic_0183259146_p1122131911812"><a name="en-us_topic_0183259146_p1122131911812"></a><a name="en-us_topic_0183259146_p1122131911812"></a>"network-plugin": "",</p>
</td>
<td class="cellrowborder" valign="top" width="35.816418358164185%" headers="mcps1.2.5.1.4 "><p id="en-us_topic_0183259146_p1268916231694"><a name="en-us_topic_0183259146_p1268916231694"></a><a name="en-us_topic_0183259146_p1268916231694"></a>Specifies the network plug-in. The value is an empty string by default, which means that no network configuration is available and the created sandbox has only the loopback NIC. Only CNI and the empty string are supported; any other value causes iSulad startup failure.</p>
</td>
</tr>
</tbody>
</table>
Additional CNI network configuration mode:
Add the network plane configuration item "network.alpha.kubernetes.io/network" to annotations in the pod configuration file.
The network plane is configured in JSON format, including:
- **name**: specifies the name of the CNI network plane.
- **interface**: specifies the name of a network interface.
The following is an example of the CNI network configuration method:
```
"annotations" : {
"network.alpha.kubernetes.io/network": "{\"name\": \"mynet\", \"interface\": \"eth1\"}"
}
```
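The annotation value above is a JSON object carried inside a JSON string, which is why the quotes are escaped in the pod configuration. The following added example (not part of the openEuler documentation or of iSulad) builds that annotation from a plane name and an interface name, renders it in the escaped form shown above, and parses it back with basic validation. The interface-name rule (at most 15 characters, no `/`, `:` or whitespace) is the Linux kernel limit and is an assumption added here; the page does not state it.

```python
import json
import re
from typing import Optional

NETWORK_ANNOTATION = "network.alpha.kubernetes.io/network"
# Linux interface names hold at most 15 characters (IFNAMSIZ - 1) and may not contain
# '/', ':' or whitespace; rejecting other values here keeps bad names away from the plug-in.
_IFNAME_RE = re.compile(r"^[^\s/:]{1,15}$")


def is_valid_interface_name(interface: str) -> bool:
    return bool(_IFNAME_RE.match(interface))


def build_network_annotation(name: str, interface: str) -> dict:
    """Return the annotations entry that attaches a pod to an additional CNI network plane.

    The value is serialized once here (object -> string); serializing the whole pod
    configuration afterwards escapes the inner quotes, as in the page's example.
    """
    if not name:
        raise ValueError("CNI network plane name must not be empty")
    if not is_valid_interface_name(interface):
        raise ValueError(f"invalid interface name: {interface!r}")
    return {NETWORK_ANNOTATION: json.dumps({"name": name, "interface": interface})}


def render_pod_annotations(name: str, interface: str) -> str:
    """Render the 'annotations' fragment as it appears in the pod configuration file."""
    return json.dumps({"annotations": build_network_annotation(name, interface)}, indent=4)


def parse_network_annotation(annotations: dict) -> Optional[dict]:
    """Extract and validate the additional network plane from pod annotations (None if absent)."""
    raw = annotations.get(NETWORK_ANNOTATION)
    if raw is None:
        return None
    try:
        spec = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"{NETWORK_ANNOTATION} is not valid JSON: {exc}") from exc
    if not isinstance(spec, dict) or not spec.get("name") or "interface" not in spec:
        raise ValueError(f"{NETWORK_ANNOTATION} must be an object with 'name' and 'interface'")
    if not is_valid_interface_name(str(spec["interface"])):
        raise ValueError(f"invalid interface name: {spec['interface']!r}")
    return {"name": spec["name"], "interface": spec["interface"]}


if __name__ == "__main__":
    print(render_pod_annotations("mynet", "eth1"))
```

Running the block prints the same fragment as the page's example, with the inner quotes escaped.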
# Configurable Cgroup Path<a name="EN-US_TOPIC_0184808020"></a>
# Configurable Cgroup Path
## Function Description<a name="en-us_topic_0182200835_section260316324238"></a>
- [Configurable Cgroup Path](#configurable-cgroup-path)
## Function Description
System containers provide the capabilities of isolating and reserving container resources on hosts. You can use the **--cgroup-parent** parameter to specify the cgroup directory used by a container to another directory, thereby flexibly allocating host resources. For example, if the cgroup parent path of containers A, B, and C is set to **/lxc/cgroup1**, and the cgroup parent path of containers D, E, and F is set to **/lxc/cgroup2**, the containers are divided into two groups through the cgroup paths, implementing resource isolation at the cgroup level.
## Parameter Description<a name="en-us_topic_0182200835_section9477144472316"></a>
## Parameter Description
<a name="en-us_topic_0182200835_table1869210387418"></a>
<table><thead align="left"><tr id="en-us_topic_0182200835_row1569373816419"><th class="cellrowborder" valign="top" width="21.09%" id="mcps1.1.4.1.1"><p id="en-us_topic_0182200835_p106936387415"><a name="en-us_topic_0182200835_p106936387415"></a><a name="en-us_topic_0182200835_p106936387415"></a><strong id="en-us_topic_0182200835_b925451112420"><a name="en-us_topic_0182200835_b925451112420"></a><a name="en-us_topic_0182200835_b925451112420"></a>Command</strong></p>
</th>
<th class="cellrowborder" valign="top" width="34.03%" id="mcps1.1.4.1.2"><p id="en-us_topic_0182200835_p15693173814112"><a name="en-us_topic_0182200835_p15693173814112"></a><a name="en-us_topic_0182200835_p15693173814112"></a>Parameter</p>
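Review bot: the replaced title and section headings drop their `<a name="EN-US_TOPIC_0184808020">` and `<a name="en-us_topic_0182200835_section...">` anchors, but cross-references in this document set still target anchors of exactly that form (for example `deployment-mode.md#EN-US_TOPIC_0184808043` in the ulimit section), so any existing link into this file by the old anchor now dangles; keep the `<a name>` on the new headings, or update the referring links in the same change.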
......@@ -46,12 +49,12 @@ In addition to specifying the cgroup parent path for a system container using co
</tbody>
</table>
## Constraints<a name="en-us_topic_0182200835_section948115902011"></a>
## Constraints
- If the **cgroup parent** parameter is set on both the daemon and client, the value specified on the client takes effect.
- If container A is started before container B, the cgroup parent path of container B is specified as the cgroup path of container A. When deleting a container, you need to delete container B and then container A. Otherwise, residual cgroup resources exist.
## Example<a name="en-us_topic_0182200835_section495911542237"></a>
## Example
Start a system container and specify the **--cgroup-parent** parameter.
......
# Configuration Methods<a name="EN-US_TOPIC_0184808138"></a>
Configurations during container startup:
```
isula run -itd --health-cmd "echo iSulad >> /tmp/health_check_file || exit 1" --health-interval 5m --health-timeout 3s --health-exit-on-unhealthy busybox bash
```
The configurable options are as follows:
- **--health-cmd**: This option is mandatory. If **0** is returned after a command is run in a container, the command execution succeeds. If a value other than **0** is returned, the command execution fails.
- **--health-interval**: interval between two consecutive command executions. The default value is **30s**. The value ranges from **1s** to the maximum value of Int64 \(unit: nanosecond\). If the input parameter is set to **0s**, the default value is used.
- **--health-timeout**: maximum duration for executing a single check command. If the execution times out, the command execution fails. The default value is **30s**. The value ranges from **1s** to the maximum value of Int64 \(unit: nanosecond\). If the input parameter is set to **0s**, the default value is used. Only containers whose runtime is of the LCR type are supported.
- **--health-start-period**: container initialization time. The default value is **0s**. The value ranges from **1s** to the maximum value of Int64 \(unit: nanosecond\).
- **--health-retries**: maximum number of retries for the health check. The default value is **3**. The maximum value is the maximum value of Int32.
- **--health-exit-on-unhealthy**: specifies whether to kill a container when it is unhealthy. The default value is **false**.
# configuration.toml<a name="EN-US_TOPIC_0184808187"></a>
>![](public_sys-resources/icon-note.gif) **NOTE:**
>The value of each field in the **configuration.toml** file is subject to the **configuration.toml** file in the **kata-containers-<**_version_**\>.rpm package**. You cannot set any field in the configuration file.
```
[hypervisor.qemu]
path: specifies the path of the QEMU executable.
kernel: specifies the path of the guest kernel.
initrd: specifies the path of the guest initrd.
image: specifies the path of the guest image (not applicable).
machine_type: specifies the emulated machine type. The value is virt for the ARM architecture and pc for the x86 architecture.
kernel_params: specifies the running parameters of the guest kernel.
firmware: specifies the firmware path. If this parameter is left blank, the default firmware is used.
machine_accelerators: specifies an accelerator.
default_vcpus: specifies the default number of vCPUs for each SB/VM.
default_maxvcpus: specifies the default maximum number of vCPUs for each SB/VM.
default_root_ports: specifies the default number of root ports for each SB/VM.
default_bridges: specifies the default number of bridges for each SB/VM.
default_memory: specifies the default memory size of each SB/VM. The default value is 1024 MiB.
memory_slots: specifies the number of memory slots for each SB/VM. The default value is 10.
memory_offset: specifies the memory offset. The default value is 0.
disable_block_device_use: disables the block device from being used by the rootfs of the container.
shared_fs: specifies the type of the shared file system. The default value is virtio-9p.
virtio_fs_daemon: specifies the path of the vhost-user-fs daemon process.
virtio_fs_cache_size: specifies the default size of the DAX cache.
virtio_fs_cache: specifies the cache mode.
block_device_driver: specifies the driver of a block device.
block_device_cache_set: specifies whether to set cache-related options for a block device. The default value is false.
block_device_cache_direct: specifies whether to enable O_DIRECT. The default value is false.
block_device_cache_noflush: specifies whether to ignore device update requests. The default value is false.
enable_iothreads: enables iothreads.
enable_mem_prealloc: enables VM RAM pre-allocation. The default value is false.
enable_hugepages: enables huge pages. The default value is false.
enable_swap: enables the swap function. The default value is false.
enable_debug: enables QEMU debugging. The default value is false.
disable_nesting_checks: disables the nested virtualization check.
msize_9p = 8192: specifies the number of bytes transmitted in each 9p packet.
use_vsock: uses vsock to communicate directly with the agent (requires vsock support). The default value is false.
hotplug_vfio_on_root_bus: enables hot plug of VFIO devices on the root bus. The default value is false.
disable_vhost_net: disables vhost_net. The default value is false.
entropy_source: specifies the default entropy source.
guest_hook_path: specifies the binary path of the guest hook.
[factory]
enable_template: enables the VM template. The default value is false.
template_path: specifies the template path.
vm_cache_number: specifies the number of VM caches. The default value is 0.
vm_cache_endpoint: specifies the address of the Unix socket used by the VMCache. The default value is /var/run/kata-containers/cache.sock.
[proxy.kata]
path: specifies the kata-proxy running path.
enable_debug: enables proxy debugging. The default value is false.
[shim.kata]
path: specifies the running path of kata-shim.
enable_debug: enables shim debugging. The default value is false.
enable_tracing: enables shim opentracing.
[agent.kata]
enable_debug: enables the agent debugging function. The default value is false.
enable_tracing: enables the agent tracing function.
trace_mode: specifies the trace mode.
trace_type: specifies the trace type.
enable_blk_mount: enables guest mounting of the block device.
[netmon]
enable_netmon: enables network monitoring. The default value is false.
path: specifies the kata-netmon running path.
enable_debug: enables netmon debugging. The default value is false.
[runtime]
enable_debug: enables runtime debugging. The default value is false.
enable_cpu_memory_hotplug: enables CPU and memory hot plug. The default value is false.
internetworking_model: specifies the network interconnection mode between VMs and containers.
disable_guest_seccomp: disables the seccomp security mechanism for the guest application. The default value is true.
enable_tracing: enables runtime opentracing. The default value is false.
disable_new_netns: disables network namespace creation for the shim and hypervisor processes. The default value is false.
experimental: enables the experimental feature, which does not support user-defined configurations.
```
# Configuring Health Check During Container Creation<a name="EN-US_TOPIC_0184808228"></a>
Docker provides the user-defined health check function for containers. You can configure the **HEALTHCHECK CMD** option in the Dockerfile, or configure the **--health-cmd** option when a container is created so that commands are periodically executed in the container to monitor the health status of the container based on return values.
## Configuration Methods<a name="en-us_topic_0182302402_section20733184718277"></a>
- Add the following configurations to the Dockerfile file:
```
HEALTHCHECK --interval=5m --timeout=3s --health-exit-on-unhealthy=true \
CMD curl -f http://localhost/ || exit 1
```
The configurable options are as follows:
1. **--interval=DURATION**: interval between two consecutive command executions. The default value is **30s**. After a container is started, the first check is performed after the interval time.
2. **--timeout=DURATION**: maximum duration for executing a single check command. If the execution times out, the command execution fails. The default value is **30s**.
3. **--start-period=DURATION**: container initialization period. The default value is **0s**. Checks are also run during this period, but failures during it are not counted toward the maximum number of retries. If a check succeeds during initialization, the container is considered started, and all subsequent consecutive failures are counted toward the maximum number of retries.
4. **--retries=N**: maximum number of retries for the health check. The default value is **3**.
5. **--health-exit-on-unhealthy=BOOLEAN**: whether to kill a container when it is unhealthy. The default value is **false**.
6. **CMD**: This option is mandatory. If **0** is returned after a command is run in a container, the command execution succeeds. If a value other than **0** is returned, the command execution fails.
After **HEALTHCHECK** is configured, related configurations are written into the image configurations during image creation. You can run the **docker inspect** command to view the configurations. For example:
```
"Healthcheck": {
"Test": [
"CMD-SHELL",
"/test.sh"
]
},
```
- Configurations during container creation:
```
docker run -itd --health-cmd "curl -f http://localhost/ || exit 1" --health-interval 5m --health-timeout 3s --health-exit-on-unhealthy centos bash
```
The configurable options are as follows:
1. **--health-cmd**: This option is mandatory. If **0** is returned after a command is run in a container, the command execution succeeds. If a value other than **0** is returned, the command execution fails.
2. **--health-interval**: interval between two consecutive command executions. The default value is **30s**. The upper limit of the value is the maximum value of Int64 \(unit: nanosecond\).
3. **--health-timeout**: maximum duration for executing a single check command. If the execution times out, the command execution fails. The default value is **30s**. The upper limit of the value is the maximum value of Int64 \(unit: nanosecond\).
4. **--health-start-period**: container initialization time. The default value is **0s**. The upper limit of the value is the maximum value of Int64 \(unit: nanosecond\).
5. **--health-retries**: maximum number of retries for the health check. The default value is **3**. The maximum value is the maximum value of Int32.
6. **--health-exit-on-unhealthy**: specifies whether to kill a container when it is unhealthy. The default value is **false**.
After the container is started, the **HEALTHCHECK** configurations are written into the container configurations. You can run the **docker inspect** command to view the configurations. For example:
```
"Healthcheck": {
"Test": [
"CMD-SHELL",
"/test.sh"
]
},
```
## Check Rules<a name="en-us_topic_0182302402_section11838258122711"></a>
1. After a container is started, the container status is **health:starting**.
2. After the period specified by **start-period**, the **cmd** command is periodically executed in the container at the interval specified by **interval**. That is, after the command is executed, the command will be executed again after the specified period.
3. If the **cmd** command is successfully executed within the time specified by **timeout** and the return value is **0**, the check is successful. Otherwise, the check fails. If the check is successful, the container status changes to **health:healthy**.
4. If the **cmd** command fails to be executed for the number of times specified by **retries**, the container status changes to **health:unhealthy**, and the container continues the health check.
5. When the container status is **health:unhealthy**, the container status changes to **health:healthy** if a check succeeds.
6. If **--health-exit-on-unhealthy** is set, and the container exits due to reasons other than being killed \(the returned exit code is **137**\), the health check takes effect only after the container is restarted.
7. When the **cmd** command execution is complete or times out, Docker daemon will record the start time, return value, and standard output of the check to the configuration file of the container. A maximum of five latest records can be recorded. In addition, the configuration file of the container stores health check parameters.
Run the **docker ps** command to view the container status.
```
[root@bac shm]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
7de2228674a2 testimg "bash" About an hour ago Up About an hour (unhealthy) cocky_davinci
```
When the container is running, the health check status is written into the container configurations. You can run the **docker inspect** command to view the configurations.
```
"Health": {
"Status": "healthy",
"FailingStreak": 0,
"Log": [
{
"Start": "2018-03-07T07:44:15.481414707-05:00",
"End": "2018-03-07T07:44:15.556908311-05:00",
"ExitCode": 0,
"Output": ""
},
{
"Start": "2018-03-07T07:44:18.557297462-05:00",
"End": "2018-03-07T07:44:18.63035891-05:00",
"ExitCode": 0,
"Output": ""
},
......
}
```
>![](public_sys-resources/icon-note.gif) **NOTE:**
>- A maximum of five health check status records can be stored in a container. The last five records are saved.
>- Only one health check configuration item can take effect in a container at a time. The later items configured in the Dockerfile will overwrite the earlier ones. Configurations during container creation will overwrite those in images.
>- In the Dockerfile, you can set **HEALTHCHECK NONE** to cancel the health check configuration in a referenced image. When running a container, you can set **--no-healthcheck** to cancel the health check configuration in an image. Do not configure the health check and **--no-healthcheck** parameters at the same time during the startup.
>- After a container with configured health check parameters is started, if Docker daemon exits, the health check is not executed. After Docker daemon is restarted, the container health status changes to **starting**. Afterwards, the check rules are the same as above.
>- If health check parameters are set to **0** during container image creation, the default values are used.
>- If health check parameters are set to **0** during container startup, the default values are used.
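The check rules above (and the identical rules and usage restrictions in the iSulad health check section earlier on this page) describe a small state machine: **starting**, then **healthy** on any successful check, **unhealthy** after `retries` consecutive failures once the start period is over, back to **healthy** on the next success, and an optional kill with exit code 137. The following added example (written for this page; it is not Docker's or iSulad's code) implements those rules over a scripted sequence of check results so the transitions, the start-period exemption, timeouts and the five-record log cap can be checked offline. Assumptions not stated on the page: durations are in seconds rather than nanoseconds, the first check runs one interval after start, and a timed-out check is recorded with the constructed exit code `-1`.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

MAX_LOG_RECORDS = 5      # both engines keep only the last five check records
EXIT_CODE_KILLED = 137   # exit code of a container killed by --health-exit-on-unhealthy
TIMEOUT_EXIT_CODE = -1   # constructed marker for a timed-out check; the page gives no value


@dataclass
class HealthConfig:
    """The --health-* options, in seconds (defaults as stated on the page)."""
    interval: float = 30.0
    timeout: float = 30.0
    start_period: float = 0.0
    retries: int = 3
    exit_on_unhealthy: bool = False


@dataclass
class CheckRecord:
    start: float
    end: float
    exit_code: int
    output: str


@dataclass
class HealthState:
    status: str = "starting"                     # starting -> healthy / unhealthy
    failing_streak: int = 0
    log: List[CheckRecord] = field(default_factory=list)
    container_exit_code: Optional[int] = None    # set once the container is killed


# A check runner returns (exit_code, output, duration_in_seconds) for the check started at `now`.
CheckRunner = Callable[[float], Tuple[int, str, float]]


class HealthMonitor:
    def __init__(self, cfg: HealthConfig, run_check: CheckRunner, started_at: float = 0.0):
        self.cfg, self.run_check, self.started_at = cfg, run_check, started_at
        self.state = HealthState()
        self.next_check_at = started_at + cfg.interval   # first check one interval after start

    def tick(self, now: float) -> str:
        """Run the check due at `now`, apply the check rules and return the new status."""
        st, cfg = self.state, self.cfg
        if st.container_exit_code is not None:
            return st.status                              # a killed container is not checked again
        exit_code, output, duration = self.run_check(now)
        timed_out = duration > cfg.timeout
        # Rule 7: record start time, return value and output; keep only the last five.
        st.log.append(CheckRecord(start=now, end=now + min(duration, cfg.timeout),
                                  exit_code=TIMEOUT_EXIT_CODE if timed_out else exit_code,
                                  output="check timed out" if timed_out else output))
        del st.log[:-MAX_LOG_RECORDS]
        ok = not timed_out and exit_code == 0            # Rule 3: finished in time and returned 0
        in_start_period = st.status == "starting" and now - self.started_at < cfg.start_period
        if ok:
            st.status, st.failing_streak = "healthy", 0   # Rules 3 and 5: any success -> healthy
        elif not in_start_period:                         # start-period failures are not counted
            st.failing_streak += 1
            if st.failing_streak >= cfg.retries:          # Rule 4: `retries` consecutive failures
                st.status = "unhealthy"
                if cfg.exit_on_unhealthy:
                    st.container_exit_code = EXIT_CODE_KILLED
        self.next_check_at = now + cfg.interval           # Rule 2: reschedule one interval later
        return st.status


def simulate(cfg: HealthConfig, results: List[Tuple[int, float]], started_at: float = 0.0) -> HealthMonitor:
    """Drive a monitor through scripted (exit_code, duration) check results, one per interval."""
    queue = list(results)

    def scripted(now: float) -> Tuple[int, str, float]:
        code, duration = queue.pop(0)
        return code, f"constructed output, exit={code}", duration

    mon = HealthMonitor(cfg, scripted, started_at)
    while queue and mon.state.container_exit_code is None:
        mon.tick(mon.next_check_at)
    return mon


if __name__ == "__main__":
    # Same shape as the page's example: interval 5m, timeout 3s, kill the container when unhealthy.
    cfg = HealthConfig(interval=300, timeout=3, retries=3, exit_on_unhealthy=True)
    mon = simulate(cfg, [(0, 0.1), (1, 0.1), (1, 0.1), (1, 0.1)])
    print(mon.state.status, mon.state.failing_streak, mon.state.container_exit_code)
```

The `simulate` helper stops as soon as the container is killed, which mirrors the "killed containers are not checked again" behaviour; a real engine would also stop scheduling checks when the daemon exits and re-enter **starting** after a daemon restart, as the restrictions above describe.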
# Configuring Networking for a Secure Container<a name="EN-US_TOPIC_0216616133"></a>
# Configuring Networking for a Secure Container
## TAP-based Network Support<a name="en-us_topic_0182219836_section25241548181515"></a>
- [Configuring Networking for a Secure Container](#configuring-networking-for-a-secure-container)
## TAP-based Network Support
The secure container technology is implemented based on QEMU VMs. For a physical machine system, a secure container is equivalent to a VM. Therefore, the secure container may connect the VM to an external network in the Neutron network by using the test access point \(TAP\) technology. You do not need to pay attention to TAP device creation and bridging. You only need to hot add the specified TAP device \(with an existing host\) to the VM in the pause container and update the NIC information.
......@@ -33,7 +36,7 @@ Related commands are as follows:
The fields in the JSON file are described as follows:
<a name="en-us_topic_0182219836_table19254101817513"></a>
<table><thead align="left"><tr id="en-us_topic_0182219836_row1254161815116"><th class="cellrowborder" valign="top" width="20.14%" id="mcps1.1.4.1.1"><p id="en-us_topic_0182219836_p1254171865115"><a name="en-us_topic_0182219836_p1254171865115"></a><a name="en-us_topic_0182219836_p1254171865115"></a>Field</p>
</th>
<th class="cellrowborder" valign="top" width="20.68%" id="mcps1.1.4.1.2"><p id="en-us_topic_0182219836_p5437983523"><a name="en-us_topic_0182219836_p5437983523"></a><a name="en-us_topic_0182219836_p5437983523"></a>Mandatory/Optional</p>
......@@ -260,9 +263,9 @@ Related commands are as follows:
The preceding are common commands. For details about the command line interfaces, see [APIs](apis-32.md#EN-US_TOPIC_0184808188).
The preceding are common commands. For details about the command line interfaces, see [APIs](#apis-32.md#EN-US_TOPIC_0184808188).
## Kata IPVS Subsystem<a name="en-us_topic_0182219836_section135961247151620"></a>
## Kata IPVS Subsystem
The secure container provides an API for adding the **ipvs** command and setting the IPVS rule for the container. The functions include adding, editing, and deleting virtual services, adding, editing, and deleting real servers, querying IPVS service information, setting connection timeout, clearing the system connection cache, and importing rules in batches.
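Review bot: the new link target `#apis-32.md#EN-US_TOPIC_0184808188` contains two `#` characters, so it is a same-page fragment named `apis-32.md#EN-US_TOPIC_0184808188` rather than a link into `apis-32.md`, and it will not resolve; if the APIs section now lives in this merged file, link to its heading anchor alone (`#EN-US_TOPIC_0184808188`), otherwise keep the original `apis-32.md#EN-US_TOPIC_0184808188` form.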
......@@ -338,6 +341,6 @@ The secure container provides an API for adding the **ipvs** command and setti
>1. Each container supports a maximum of 20000 iptables rules \(5000 services and three servers/services\). Both add-service and add-server are rules.
>2. Before importing rules in batches, you need to clear existing rules.
>3. No concurrent test scenario exists.
>4. The preceding are common commands. For details about the command line interfaces, see [APIs](apis-32.md#EN-US_TOPIC_0184808188).
>4. The preceding are common commands. For details about the command line interfaces, see [APIs](#apis-32.md#EN-US_TOPIC_0184808188).
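Review bot: same malformed target as in the earlier hunk, `#apis-32.md#EN-US_TOPIC_0184808188` with a doubled `#`; use either the in-page anchor `#EN-US_TOPIC_0184808188` or the file link `apis-32.md#EN-US_TOPIC_0184808188`, and apply the same fix to both occurrences so the two references stay consistent.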
# Configuring the Docker Engine<a name="EN-US_TOPIC_0184808166"></a>
To enable the Docker engine to support kata-runtime, perform the following steps to configure the Docker engine:
1. Ensure that all software packages \(**docker-engine** and **kata-containers**\) have been installed in the environment.
2. Stop the Docker engine.
```
systemctl stop docker
```
3. Modify the configuration file **/etc/docker/daemon.json** of the Docker engine and add the following configuration:
```
{
"runtimes": {
"kata-runtime": {
"path": "/usr/bin/kata-runtime",
"runtimeArgs": [
"--kata-config",
"/usr/share/defaults/kata-containers/configuration.toml"
]
}
}
}
```
4. Restart the Docker engine.
```
systemctl start docker
```
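Step 3 says to add the **runtimes** entry to **/etc/docker/daemon.json**, and on a host that already has a daemon.json (log driver, storage options, registry mirrors) simply overwriting the file silently drops those settings. The following added example (not part of the openEuler documentation or of Docker) merges the kata-runtime entry from step 3 into existing daemon.json content, preserving other keys and other runtimes, and offers a check that the entry is present with an absolute binary path. The function names and the idea of merging rather than replacing are this example's own.

```python
import json

# The runtime entry from step 3, exactly as shown on the page.
KATA_RUNTIME = {
    "path": "/usr/bin/kata-runtime",
    "runtimeArgs": ["--kata-config", "/usr/share/defaults/kata-containers/configuration.toml"],
}


def register_kata_runtime(daemon_json_text: str, name: str = "kata-runtime") -> str:
    """Return daemon.json content with the kata runtime merged in.

    Existing top-level keys and other runtimes are preserved; an existing runtime
    entry with the same name is replaced. An empty file is treated as '{}'.
    """
    config = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    runtimes = config.setdefault("runtimes", {})
    if not isinstance(runtimes, dict):
        raise ValueError("'runtimes' must be a JSON object")
    runtimes[name] = dict(KATA_RUNTIME)
    return json.dumps(config, indent=4) + "\n"


def runtime_registered(daemon_json_text: str, name: str = "kata-runtime") -> bool:
    """True if the runtime is configured with an absolute binary path (no PATH lookup)."""
    try:
        runtimes = json.loads(daemon_json_text).get("runtimes", {})
    except (json.JSONDecodeError, AttributeError):
        return False
    entry = runtimes.get(name) if isinstance(runtimes, dict) else None
    return isinstance(entry, dict) and str(entry.get("path", "")).startswith("/")


if __name__ == "__main__":
    # Constructed sample of a pre-existing daemon.json; a real run would read /etc/docker/daemon.json.
    existing = '{"log-driver": "json-file", "registry-mirrors": ["https://mirror.example.invalid"]}'
    print(register_kata_runtime(existing))
```

In practice, read the current file, pass its text through `register_kata_runtime`, write the result back, and then carry out step 4; a daemon.json that does not parse as a JSON object prevents the Docker engine from starting, which is what the `ValueError` cases guard against.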
# Configuring the ulimit Value in a Container<a name="EN-US_TOPIC_0184808085"></a>
## Description<a name="en-us_topic_0183316275_section13350115135310"></a>
You can use parameters to control the resources for executed programs.
## Usage<a name="en-us_topic_0183316275_section188811239165314"></a>
Set the **--ulimit** parameter when creating or running a container, or configure the parameter on the daemon to control the resources for executed programs in the container.
## Parameters<a name="en-us_topic_0183316275_section204328722112"></a>
Use either of the following methods to configure ulimit:
1. When running the **isula create/run** command, use **--ulimit <type\>=<soft\>\[:<hard\>\]** to control the resources of the executed shell program.
<a name="en-us_topic_0183316275_table192755843616"></a>
<table><thead align="left"><tr id="en-us_topic_0183316275_row1927175818360"><th class="cellrowborder" valign="top" width="25%" id="mcps1.1.5.1.1"><p id="en-us_topic_0183316275_p2027105863611"><a name="en-us_topic_0183316275_p2027105863611"></a><a name="en-us_topic_0183316275_p2027105863611"></a><strong id="en-us_topic_0183316275_b122755815363"><a name="en-us_topic_0183316275_b122755815363"></a><a name="en-us_topic_0183316275_b122755815363"></a>Parameter</strong></p>
</th>
<th class="cellrowborder" valign="top" width="25%" id="mcps1.1.5.1.2"><p id="en-us_topic_0183316275_p92717581368"><a name="en-us_topic_0183316275_p92717581368"></a><a name="en-us_topic_0183316275_p92717581368"></a><strong id="en-us_topic_0183316275_b15271058103614"><a name="en-us_topic_0183316275_b15271058103614"></a><a name="en-us_topic_0183316275_b15271058103614"></a>Description</strong></p>
</th>
<th class="cellrowborder" valign="top" width="25%" id="mcps1.1.5.1.3"><p id="en-us_topic_0183316275_p162711588364"><a name="en-us_topic_0183316275_p162711588364"></a><a name="en-us_topic_0183316275_p162711588364"></a>Value Range</p>
</th>
<th class="cellrowborder" valign="top" width="25%" id="mcps1.1.5.1.4"><p id="en-us_topic_0183316275_p152715819368"><a name="en-us_topic_0183316275_p152715819368"></a><a name="en-us_topic_0183316275_p152715819368"></a>Mandatory or Not</p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0183316275_row5282058193614"><td class="cellrowborder" valign="top" width="25%" headers="mcps1.1.5.1.1 "><p id="en-us_topic_0183316275_p02895810364"><a name="en-us_topic_0183316275_p02895810364"></a><a name="en-us_topic_0183316275_p02895810364"></a>--ulimit</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.1.5.1.2 "><p id="en-us_topic_0183316275_p2288589368"><a name="en-us_topic_0183316275_p2288589368"></a><a name="en-us_topic_0183316275_p2288589368"></a>Limits the resources of the executed shell program.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.1.5.1.3 "><p id="en-us_topic_0183316275_p113155510143"><a name="en-us_topic_0183316275_p113155510143"></a><a name="en-us_topic_0183316275_p113155510143"></a>64-bit integer. The value of the soft limit must be less than or equal to that of the hard limit. If only the soft limit is specified, the hard limit is set equal to the soft limit. Some types of resources do not support negative numbers. For details, see the following table.</p>
</td>
<td class="cellrowborder" valign="top" width="25%" headers="mcps1.1.5.1.4 "><p id="en-us_topic_0183316275_p128558163611"><a name="en-us_topic_0183316275_p128558163611"></a><a name="en-us_topic_0183316275_p128558163611"></a>No</p>
</td>
</tr>
</tbody>
</table>
2. Use daemon parameters or configuration files.
For details, see --default-ulimits in [Deployment Mode](deployment-mode.md#EN-US_TOPIC_0184808043).
**--ulimit** can limit the following types of resources:
<a name="en-us_topic_0183316275_table107744812507"></a>
<table><thead align="left"><tr id="en-us_topic_0183316275_row1277419815508"><th class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.1.4.1.1"><p id="en-us_topic_0183316275_p2774681505"><a name="en-us_topic_0183316275_p2774681505"></a><a name="en-us_topic_0183316275_p2774681505"></a><strong id="en-us_topic_0183316275_b1777458105010"><a name="en-us_topic_0183316275_b1777458105010"></a><a name="en-us_topic_0183316275_b1777458105010"></a>Type</strong></p>
</th>
<th class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.1.4.1.2"><p id="en-us_topic_0183316275_p6774168185013"><a name="en-us_topic_0183316275_p6774168185013"></a><a name="en-us_topic_0183316275_p6774168185013"></a><strong id="en-us_topic_0183316275_b157749817506"><a name="en-us_topic_0183316275_b157749817506"></a><a name="en-us_topic_0183316275_b157749817506"></a>Description</strong></p>
</th>
<th class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.1.4.1.3"><p id="en-us_topic_0183316275_p10774983500"><a name="en-us_topic_0183316275_p10774983500"></a><a name="en-us_topic_0183316275_p10774983500"></a>Value Range</p>
</th>
</tr>
</thead>
<tbody><tr id="en-us_topic_0183316275_row677516855018"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p177518155011"><a name="en-us_topic_0183316275_p177518155011"></a><a name="en-us_topic_0183316275_p177518155011"></a>core</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p1977548165019"><a name="en-us_topic_0183316275_p1977548165019"></a><a name="en-us_topic_0183316275_p1977548165019"></a>limits the core file size (KB)</p>
</td>
<td class="cellrowborder" rowspan="14" valign="top" width="33.33333333333333%" headers="mcps1.1.4.1.3 "><p id="en-us_topic_0183316275_p1577516855011"><a name="en-us_topic_0183316275_p1577516855011"></a><a name="en-us_topic_0183316275_p1577516855011"></a>64-bit integer, without unit. The value can be 0 or a negative number. The value -1 indicates no limit. Other negative numbers are forcibly converted into a large positive integer.</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row38865448572"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p128837446571"><a name="en-us_topic_0183316275_p128837446571"></a><a name="en-us_topic_0183316275_p128837446571"></a>cpu</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p24819486261"><a name="en-us_topic_0183316275_p24819486261"></a><a name="en-us_topic_0183316275_p24819486261"></a>max CPU time (MIN)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row18167105285716"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p7165205217570"><a name="en-us_topic_0183316275_p7165205217570"></a><a name="en-us_topic_0183316275_p7165205217570"></a>data</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p216335710265"><a name="en-us_topic_0183316275_p216335710265"></a><a name="en-us_topic_0183316275_p216335710265"></a>max data size (KB)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row58218531574"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p68201953145714"><a name="en-us_topic_0183316275_p68201953145714"></a><a name="en-us_topic_0183316275_p68201953145714"></a>fsize</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p1541711817270"><a name="en-us_topic_0183316275_p1541711817270"></a><a name="en-us_topic_0183316275_p1541711817270"></a>maximum filesize (KB)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row13444185518573"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p244205517578"><a name="en-us_topic_0183316275_p244205517578"></a><a name="en-us_topic_0183316275_p244205517578"></a>locks</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p6620718182710"><a name="en-us_topic_0183316275_p6620718182710"></a><a name="en-us_topic_0183316275_p6620718182710"></a>max number of file locks the user can hold</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row4246175712575"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p1324485745719"><a name="en-us_topic_0183316275_p1324485745719"></a><a name="en-us_topic_0183316275_p1324485745719"></a>memlock</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p224415785717"><a name="en-us_topic_0183316275_p224415785717"></a><a name="en-us_topic_0183316275_p224415785717"></a>max locked-in-memory address space (KB)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row3759820162420"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p177551620192416"><a name="en-us_topic_0183316275_p177551620192416"></a><a name="en-us_topic_0183316275_p177551620192416"></a>msgqueue</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p0755220122413"><a name="en-us_topic_0183316275_p0755220122413"></a><a name="en-us_topic_0183316275_p0755220122413"></a>max memory used by POSIX message queues (bytes)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row584929152411"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p7811329152419"><a name="en-us_topic_0183316275_p7811329152419"></a><a name="en-us_topic_0183316275_p7811329152419"></a>nice</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p151801412182815"><a name="en-us_topic_0183316275_p151801412182815"></a><a name="en-us_topic_0183316275_p151801412182815"></a>nice priority</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row2387203192415"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p015081417259"><a name="en-us_topic_0183316275_p015081417259"></a><a name="en-us_topic_0183316275_p015081417259"></a>nproc</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p1454164112283"><a name="en-us_topic_0183316275_p1454164112283"></a><a name="en-us_topic_0183316275_p1454164112283"></a>max number of processes</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row510363316245"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p1210193311244"><a name="en-us_topic_0183316275_p1210193311244"></a><a name="en-us_topic_0183316275_p1210193311244"></a>rss</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p1330124872810"><a name="en-us_topic_0183316275_p1330124872810"></a><a name="en-us_topic_0183316275_p1330124872810"></a>max resident set size (KB)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row10182634162415"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p71806346245"><a name="en-us_topic_0183316275_p71806346245"></a><a name="en-us_topic_0183316275_p71806346245"></a>rtprio</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p8180153492410"><a name="en-us_topic_0183316275_p8180153492410"></a><a name="en-us_topic_0183316275_p8180153492410"></a>max realtime priority</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row731643517244"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p331311358242"><a name="en-us_topic_0183316275_p331311358242"></a><a name="en-us_topic_0183316275_p331311358242"></a>rttime</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p375422114613"><a name="en-us_topic_0183316275_p375422114613"></a><a name="en-us_topic_0183316275_p375422114613"></a>realtime timeout</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row189151636172412"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p791383610241"><a name="en-us_topic_0183316275_p791383610241"></a><a name="en-us_topic_0183316275_p791383610241"></a>sigpending</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p12730126203111"><a name="en-us_topic_0183316275_p12730126203111"></a><a name="en-us_topic_0183316275_p12730126203111"></a>max number of pending signals</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row163861238152414"><td class="cellrowborder" valign="top" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p23846383242"><a name="en-us_topic_0183316275_p23846383242"></a><a name="en-us_topic_0183316275_p23846383242"></a>stack</p>
</td>
<td class="cellrowborder" valign="top" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p19713835143120"><a name="en-us_topic_0183316275_p19713835143120"></a><a name="en-us_topic_0183316275_p19713835143120"></a>max stack size (KB)</p>
</td>
</tr>
<tr id="en-us_topic_0183316275_row144841516818"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.1.4.1.1 "><p id="en-us_topic_0183316275_p47292201381"><a name="en-us_topic_0183316275_p47292201381"></a><a name="en-us_topic_0183316275_p47292201381"></a>nofile</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.1.4.1.2 "><p id="en-us_topic_0183316275_p972982017813"><a name="en-us_topic_0183316275_p972982017813"></a><a name="en-us_topic_0183316275_p972982017813"></a>max number of open file descriptors</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.1.4.1.3 "><p id="en-us_topic_0183316275_p77290204817"><a name="en-us_topic_0183316275_p77290204817"></a><a name="en-us_topic_0183316275_p77290204817"></a>64-bit integer, without unit. The value cannot be negative. A negative number is forcibly converted to a large positive number. In addition, "Operation not permitted" is displayed during the setting.</p>
</td>
</tr>
</tbody>
</table>
## Example<a name="en-us_topic_0183316275_section1734193235916"></a>
When creating or running a container, add **--ulimit <type\>=<soft\>\[:<hard\>\]**. For example:
```
isula create/run -tid --ulimit nofile=1024:2048 busybox sh
```
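The following shell function, added here as an illustration and not part of iSulad, checks a **--ulimit** argument against the rules in the two tables above before it is passed to **isula create/run**: supported type names, the <soft>[:<hard>] form with the hard limit defaulting to the soft limit, soft less than or equal to hard with -1 meaning no limit, and the ban on negative values for **nofile** (other negative values except -1 are rejected rather than being silently converted into a large positive limit).

```bash
# Validates one --ulimit <type>=<soft>[:<hard>] argument as described in the tables above.
# On success it prints "<type> <soft> <hard>"; on failure it prints a reason to stderr
# and returns 1. Added example; not code from the iSulad project.
is_int64() {
  # optional leading '-' followed by one or more digits
  case ${1#-} in ''|*[!0-9]*) return 1 ;; esac
}

validate_ulimit() {
  local spec="$1" type rest soft hard v
  case $spec in
    *=*) type=${spec%%=*}; rest=${spec#*=} ;;
    *)   echo "ulimit '$spec': expected <type>=<soft>[:<hard>]" >&2; return 1 ;;
  esac
  # resource types listed in the second table
  case $type in
    core|cpu|data|fsize|locks|memlock|msgqueue|nice|nproc|rss|rtprio|rttime|sigpending|stack|nofile) ;;
    *) echo "ulimit '$spec': unsupported type '$type'" >&2; return 1 ;;
  esac
  case $rest in
    *:*) soft=${rest%%:*}; hard=${rest#*:} ;;
    *)   soft=$rest; hard=$rest ;;          # only soft given: hard = soft
  esac
  for v in "$soft" "$hard"; do
    if ! is_int64 "$v"; then
      echo "ulimit '$spec': '$v' is not a 64-bit integer" >&2; return 1
    fi
    # nofile must not be negative at all; for other types only -1 (no limit) is meaningful,
    # any other negative value would be turned into a huge positive limit by iSulad.
    if [ "$v" -lt 0 ] && { [ "$type" = nofile ] || [ "$v" -ne -1 ]; }; then
      echo "ulimit '$spec': negative value '$v' not allowed for $type" >&2; return 1
    fi
  done
  # -1 means "no limit": an unlimited soft value with a finite hard value, or soft > hard,
  # violates the soft <= hard rule.
  if [ "$hard" -ne -1 ]; then
    if [ "$soft" -eq -1 ] || [ "$soft" -gt "$hard" ]; then
      echo "ulimit '$spec': soft limit $soft exceeds hard limit $hard" >&2; return 1
    fi
  fi
  echo "$type $soft $hard"
}
```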
## **Constraints**<a name="en-us_topic_0183316275_section346363019141"></a>
The ulimit cannot be configured in both the **daemon.json** file and the **/etc/sysconfig/iSulad** file \(or the iSulad command line\) at the same time. Otherwise, an error is reported when iSulad is started.
# Configuring TLS Authentication and Enabling Remote Access<a name="EN-US_TOPIC_0184808049"></a>
## Description<a name="en-us_topic_0183092517_section142111513104513"></a>
iSulad is designed in client/server \(C/S\) mode. By default, the iSulad daemon process listens only on the local **/var/run/isulad.sock** socket, so containers can be operated only from the local iSula client on the same host. To allow iSula to access containers remotely, the iSulad daemon must listen on a remote access port over TCP/IP. If that listener is configured simply as **tcp://ip:port**, however, any host that can reach the port can communicate with iSulad by running **isula -H tcp://**_remote server IP address_**:port**, which is a security risk. Therefore, it is recommended that the more secure Transport Layer Security \(TLS\) be used for remote access.
## Generating TLS Certificate<a name="en-us_topic_0183092517_section992244212139"></a>
- Example of generating a plaintext private key and certificate
```
#!/bin/bash
set -e
echo -n "Enter pass phrase:"
read -r password
echo -n "Enter public network ip:"
read -r publicip
echo -n "Enter host:"
read -r HOST
echo " => Using hostname: $publicip, You MUST connect to iSulad using this host!"
mkdir -p "$HOME/.iSulad"
cd "$HOME/.iSulad"
rm -rf "$HOME/.iSulad"/*
echo " => Generating CA key"
# Only the CA key is encrypted with the pass phrase (-aes256); the server and client keys are written in plaintext.
openssl genrsa -passout pass:"$password" -aes256 -out ca-key.pem 4096
echo " => Generating CA certificate"
openssl req -passin pass:"$password" -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem -subj "/C=CN/ST=zhejiang/L=hangzhou/O=Huawei/OU=iSulad/CN=iSulad@huawei.com"
echo " => Generating server key"
openssl genrsa -out server-key.pem 4096
echo " => Generating server CSR"
openssl req -subj "/CN=$HOST" -sha256 -new -key server-key.pem -out server.csr
# The server certificate is valid for the host name and for both IP addresses a client may connect to.
echo "subjectAltName = DNS:$HOST,IP:$publicip,IP:127.0.0.1" >> extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
echo " => Signing server CSR with CA"
openssl x509 -req -passin pass:"$password" -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
echo " => Generating client key"
openssl genrsa -out key.pem 4096
echo " => Generating client CSR"
openssl req -subj '/CN=client' -new -key key.pem -out client.csr
echo " => Creating extended key usage"
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
echo " => Signing client CSR with CA"
openssl x509 -req -passin pass:"$password" -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile-client.cnf
rm -v client.csr server.csr extfile.cnf extfile-client.cnf
# Private keys are readable by the owner only; certificates are public.
chmod -v 0400 ca-key.pem key.pem server-key.pem
chmod -v 0444 ca.pem server-cert.pem cert.pem
```
- Example of generating an encrypted private key and certificate request file
```
#!/bin/bash
set -e
DAYS=365   # validity period, in days, of the CA, server and client certificates
echo -n "Enter public network ip:"
read -r publicip
echo -n "Enter pass phrase:"
read -r password
# remove certificates from previous execution.
rm -f *.pem *.srl *.csr *.cnf
# generate CA private and public keys
echo 01 > ca.srl
openssl genrsa -aes256 -out ca-key.pem -passout pass:"$password" 2048
openssl req -subj '/C=CN/ST=zhejiang/L=hangzhou/O=Huawei/OU=iSulad/CN=iSulad@huawei.com' -new -x509 -days "$DAYS" -passin pass:"$password" -key ca-key.pem -out ca.pem
# create a server key and certificate signing request (CSR); the key is encrypted with the same pass phrase
openssl genrsa -aes256 -out server-key.pem -passout pass:"$password" 2048
openssl req -new -key server-key.pem -out server.csr -passin pass:"$password" -subj '/CN=iSulad'
echo "subjectAltName = DNS:iSulad,IP:${publicip},IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
# sign the server key with our CA (the serial number comes from ca.srl created above)
openssl x509 -req -days "$DAYS" -passin pass:"$password" -in server.csr -CA ca.pem -CAkey ca-key.pem -out server-cert.pem -extfile extfile.cnf
# create a client key and certificate signing request (CSR)
openssl genrsa -aes256 -out key.pem -passout pass:"$password" 2048
openssl req -subj '/CN=client' -new -key key.pem -out client.csr -passin pass:"$password"
# create an extensions config file and sign
echo "extendedKeyUsage = clientAuth" > extfile.cnf
openssl x509 -req -days "$DAYS" -passin pass:"$password" -in client.csr -CA ca.pem -CAkey ca-key.pem -out cert.pem -extfile extfile.cnf
# remove the passphrase from the client and server key so that iSulad and iSula can load them unattended
openssl rsa -in server-key.pem -out server-key.pem -passin pass:"$password"
openssl rsa -in key.pem -out key.pem -passin pass:"$password"
# remove generated files that are no longer required (the CA key is discarded too, so no further certificates can be issued from this CA)
rm -f ca-key.pem ca.srl client.csr extfile.cnf server.csr
```
## APIs<a name="en-us_topic_0183092517_section6889142610137"></a>
```
{
    "tls": true,
    "tls-verify": true,
    "tls-config": {
        "CAFile": "/root/.iSulad/ca.pem",
        "CertFile": "/root/.iSulad/server-cert.pem",
        "KeyFile": "/root/.iSulad/server-key.pem"
    }
}
```
## Restrictions<a name="en-us_topic_0183092517_section4153102261410"></a>
The server supports the following modes:
- Mode 1 \(client verified\): tlsverify, tlscacert, tlscert, tlskey
- Mode 2 \(client not verified\): tls, tlscert, tlskey
The client supports the following modes:
- Mode 1 \(verify the identity based on the client certificate, and verify the server based on the specified CA\): tlsverify, tlscacert, tlscert, tlskey
- Mode 2 \(server verified\): tlsverify, tlscacert
Mode 1 is used for the server, and mode 2 for the client if the two-way authentication mode is used for communication.
Mode 2 is used for the server and the client if the unidirectional authentication mode is used for communication.
>![](public_sys-resources/icon-notice.gif) **NOTICE:**
>- If RPM is used for installation, the server configuration can be modified in the **/etc/isulad/daemon.json** and **/etc/sysconfig/iSulad** files.
>- Two-way authentication is recommended as it is more secure than no authentication or unidirectional authentication.
>- gRPC open-source component logs are not taken over by iSulad. To view gRPC logs, set the environment variables **GRPC\_VERBOSITY** and **GRPC\_TRACE** as required.
## Example<a name="en-us_topic_0183092517_section953765812481"></a>
On the server:
```
isulad -H=tcp://0.0.0.0:2376 --tlsverify --tlscacert ~/.iSulad/ca.pem --tlscert ~/.iSulad/server-cert.pem --tlskey ~/.iSulad/server-key.pem
```
On the client:
```
isula version -H=tcp://$HOSTIP:2376 --tlsverify --tlscacert ~/.iSulad/ca.pem --tlscert ~/.iSulad/cert.pem --tlskey ~/.iSulad/key.pem
```
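As an added pre-flight check that is not part of the openEuler documentation or the iSulad project, the following shell function maps a server or client flag set to the modes listed under Restrictions, refuses a **tcp://** endpoint that carries no TLS flag at all (the unauthenticated exposure described above), and checks that private key files keep the 0400 (or 0600) mode set by the generation scripts. The flag names and file layout are those used on this page; the GNU **stat -c** invocation assumes a Linux host.

```bash
# Pre-flight check for iSulad (server) or iSula (client) TLS flags. Added example, not
# project code. Usage: check_isulad_tls server|client [flags as passed to isulad/isula]
# Prints the documented mode that the flags match, or returns non-zero with a reason.
check_isulad_tls() {
  local role="$1" tls=0 tlsverify=0 cacert='' cert='' key='' host='' f mode
  shift
  while [ $# -gt 0 ]; do
    case $1 in
      --tls)       tls=1 ;;
      --tlsverify) tlsverify=1 ;;
      --tlscacert) cacert=$2; shift ;;
      --tlscert)   cert=$2; shift ;;
      --tlskey)    key=$2; shift ;;
      -H=*)        host=${1#-H=} ;;
      -H)          host=$2; shift ;;
      *)           ;;   # other iSulad/iSula options are not relevant to this check
    esac
    shift
  done
  # A tcp:// endpoint without any TLS flag is reachable by every host that can route to it.
  case $host in
    tcp://*)
      if [ "$tls" = 0 ] && [ "$tlsverify" = 0 ]; then
        echo "refusing plain TCP endpoint $host: add --tls or --tlsverify" >&2; return 1
      fi ;;
  esac
  # Every referenced certificate must exist; the private key must not be group/world readable.
  for f in "$cacert" "$cert"; do
    if [ -n "$f" ] && [ ! -r "$f" ]; then
      echo "certificate file not found: $f" >&2; return 1
    fi
  done
  if [ -n "$key" ]; then
    if [ ! -r "$key" ]; then
      echo "key file not found: $key" >&2; return 1
    fi
    mode=$(stat -c '%a' "$key")
    case $mode in
      400|600) ;;
      *) echo "key file $key must be mode 0400 (or 0600), found $mode" >&2; return 1 ;;
    esac
  fi
  # Match the flag set against the modes documented under Restrictions.
  case $role in
    server)
      if [ "$tlsverify" = 1 ] && [ -n "$cacert" ] && [ -n "$cert" ] && [ -n "$key" ]; then
        echo "server mode 1 (client verified)"
      elif [ "$tlsverify" = 0 ] && [ "$tls" = 1 ] && [ -n "$cert" ] && [ -n "$key" ]; then
        echo "server mode 2 (client not verified)"
      else
        echo "server flags match neither documented mode" >&2; return 1
      fi ;;
    client)
      if [ "$tlsverify" = 1 ] && [ -n "$cacert" ] && [ -n "$cert" ] && [ -n "$key" ]; then
        echo "client mode 1 (mutual authentication)"
      elif [ "$tlsverify" = 1 ] && [ -n "$cacert" ] && [ -z "$cert" ] && [ -z "$key" ]; then
        echo "client mode 2 (server verified)"
      else
        echo "client flags match neither documented mode" >&2; return 1
      fi ;;
    *) echo "role must be server or client" >&2; return 2 ;;
  esac
}
```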
# Constraints<a name="EN-US_TOPIC_0184808120"></a>
1. If **log\_directory** is configured in the **PodSandboxConfig** parameter when a sandbox is created, **log\_path** must be specified in **ContainerConfig** when all containers that belong to the sandbox are created. Otherwise, the containers may not be started or deleted by using the CRI.
The actual value of **LOGPATH** of containers is **log\_directory/log\_path**. If **log\_path** is not set, the final value of **LOGPATH** is changed to **log\_directory**.
- If the path does not exist, iSulad will create a soft link pointing to the actual path of container logs when starting a container. Then **log\_directory** becomes a soft link. There are two cases:
1. In the first case, if **log\_path** is not configured for the other containers in the sandbox either, **log\_directory** is deleted and re-created to point to **log\_path** of the newly started container. As a result, the logs of the first started container point to the logs of the later started container.
2. In the second case, if **log\_path** is configured for other containers in the sandbox, the value of **LOGPATH** of the container is **log\_directory/log\_path**. Because **log\_directory** is a soft link, the creation fails when **log\_directory/log\_path** is used as the soft link to point to the actual path of container logs.
- If the path exists, iSulad will attempt to delete the path \(non-recursive\) when starting a container. If the path is a folder path containing content, the deletion fails. As a result, the soft link fails to be created, the container fails to be started, and the same error occurs when the container is going to be deleted.
2. If **log\_directory** is configured in the **PodSandboxConfig** parameter when a sandbox is created, and **log\_path** is specified in **ContainerConfig** when a container is created, the final value of **LOGPATH** is **log\_directory/log\_path**. iSulad does not recursively create **LOGPATH**. Therefore, you must ensure that **dirname\(LOGPATH\)** exists, that is, the parent directory of the final log file path exists.
3. If **log\_directory** is configured in the **PodSandboxConfig** parameter when a sandbox is created, and the same **log\_path** is specified in **ContainerConfig** when multiple containers are created, or if containers in different sandboxes point to the same **LOGPATH**, the latest container log path will overwrite the previous path after the containers are started successfully.
4. If the image content in the remote registry changes and the original image is stored in the local host, the name and tag of the original image are changed to **none** when you call the CRI Pull image API to download the image again.
An example is as follows:
Locally stored images:
```
IMAGE                                        TAG       IMAGE ID        SIZE
rnd-dockerhub.huawei.com/pproxyisulad/test   latest    99e59f495ffaa   753kB
```
After the **rnd-dockerhub.huawei.com/pproxyisulad/test:latest** image in the remote registry is updated and downloaded again:
```
IMAGE                                        TAG       IMAGE ID        SIZE
<none>                                       <none>    99e59f495ffaa   753kB
rnd-dockerhub.huawei.com/pproxyisulad/test   latest    d8233ab899d41   1.42MB
```
Run the **isula images** command. The value of **REF** is displayed as **-**.
```
REF                                                 IMAGE ID        CREATED               SIZE
rnd-dockerhub.huawei.com/pproxyisulad/test:latest   d8233ab899d41   2019-02-14 19:19:37   1.42MB
-                                                   99e59f495ffaa   2016-05-04 02:26:41   753kB
```
# Constraints<a name="EN-US_TOPIC_0184808047"></a>
- In high concurrency scenarios \(for example, 200 containers started concurrently\), the memory management mechanism of glibc may cause memory holes and a large virtual memory footprint \(for example, 10 GB\). This is a limitation of glibc memory management under high concurrency, not a memory leak, so the memory consumption does not increase infinitely. You can set **MALLOC\_ARENA\_MAX** to reduce the virtual memory consumption and speed up the release of physical memory. However, this environment variable degrades the iSulad concurrency performance, so set it based on the site requirements.
To balance performance and memory usage, set **MALLOC\_ARENA\_MAX** to 4. \(The iSulad performance on the ARM64 server is affected by less than 10%.\)
Configuration method:
1. To start iSulad manually, run **export MALLOC\_ARENA\_MAX=4** and then start iSulad.
2. If systemd manages iSulad, add **MALLOC\_ARENA\_MAX=4** to the **/etc/sysconfig/iSulad** file.
- Precautions for specifying the daemon running directories
Take **--root** as an example. When **/new/path/** is specified as the new daemon root directory and **/new/path/** already contains a file or directory whose name conflicts with one required by iSulad \(for example, **engines** or **mnt**\), iSulad may update the attributes of that existing directory or file, including its owner and permissions.
Therefore, be aware of the impact that re-specifying the various running directories and files has on their attributes. You are advised to give iSulad a new, empty directory or file to avoid the attribute changes and security issues that such conflicts cause.
- Log file management:
>![](public_sys-resources/icon-notice.gif) **NOTICE:**
>Log function interconnection: iSulad logs are managed by systemd \(as the iSulad process itself is\) and then forwarded to rsyslogd. By default, rsyslog rate-limits log writing. To lift the limit, add the configuration item **$imjournalRatelimitInterval 0** to the **/etc/rsyslog.conf** file and restart the rsyslogd service.
- Restrictions on command line parameter parsing
When the iSulad command line interface is used, the parameter parsing mode differs slightly from that of Docker. For a flag that takes a value, regardless of whether the long or short form is used, only the string after the first space following the flag, or the string after an equal sign \(=\) directly attached to the flag, is treated as the flag's value. The details are as follows:
1. When short flags are used, each character in the string attached to the hyphen \(-\) is treated as a separate short flag. If the string contains an equal sign \(=\), the string after the equal sign is treated as the value of the short flag immediately before it.
**isula run -du=root busybox** is equivalent to **isula run -du root busybox**, **isula run -d -u=root busybox**, and **isula run -d -u root busybox**. **isula run -du:root** reports an error because **-:** is not a valid short flag. **isula run -du root busybox** is also equivalent to **isula run -ud root busybox**, but that form is not recommended because it may cause semantic confusion.
2. When a long flag is used, the string attached to **--** is treated as the long flag. If the string contains an equal sign \(=\), the part before the equal sign is the long flag and the part after it is the value.
```
isula run --user=root busybox
```
or
```
isula run --user root busybox
```
- After an iSulad container is started, you cannot run the **isula run -i/-t/-ti** and **isula attach/exec** commands as a non-root user.
- When iSulad connects to an OCI container, only kata-runtime can be used to start the OCI container.
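To make the short-flag rule from the parsing constraint above concrete, the following shell function emulates it for a single cluster such as **-du=root** (an added illustration, not iSulad's own parser). Which flags are boolean (d, i, t) and which take a value (u, e) is an assumption made for the demo.

```bash
# Emulates isula's short-flag cluster parsing as described in the constraints above.
# $1: the cluster argument (e.g. -du=root); $2: the following command-line argument, consumed
# only when a value-taking flag has no "=<value>" attached (as in "-du root").
# Prints one line per flag ("d", "u=root"); an invalid character such as ':' in "-du:root"
# is reported and the function returns 1. Flag sets are demo assumptions, not iSulad's.
parse_short_cluster() {
  local cluster="${1#-}" next="$2" value='' has_eq=0 ch
  case $cluster in
    *=*) value=${cluster#*=}; cluster=${cluster%%=*}; has_eq=1 ;;
  esac
  if [ -z "$cluster" ]; then
    echo "empty short-flag cluster" >&2; return 1
  fi
  while [ -n "$cluster" ]; do
    ch=${cluster%"${cluster#?}"}   # first remaining character
    cluster=${cluster#?}           # drop it
    case $ch in
      d|i|t)
        # boolean flag: an attached "=value" would belong to it only if it is the last
        # character, and a boolean flag cannot take a value
        if [ "$has_eq" = 1 ] && [ -z "$cluster" ]; then
          echo "-$ch does not take a value" >&2; return 1
        fi
        echo "$ch" ;;
      u|e)
        if [ "$has_eq" = 1 ] && [ -z "$cluster" ]; then
          echo "$ch=$value"            # "=value" belongs to the last flag in the cluster
        elif [ -n "$next" ]; then
          echo "$ch=$next"; next=''    # otherwise the following argument is the value
        else
          echo "-$ch requires a value" >&2; return 1
        fi ;;
      *) echo "-$ch is not a valid short flag" >&2; return 1 ;;
    esac
  done
}
```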
# Container Engine<a name="EN-US_TOPIC_0184808237"></a>
Docker daemon is a system process that resides in the background. Before you run a docker subcommand, start Docker daemon.
# ContainerStats<a name="EN-US_TOPIC_0184808110"></a>
## Prototype<a name="en-us_topic_0183088056_section164301654155514"></a>
```
rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {}
```
## Description<a name="en-us_topic_0183088056_section729211519569"></a>
This API is used to return information about resources occupied by a container. Only containers whose runtime is of the LCR type are supported.
## Parameters<a name="en-us_topic_0183088056_section349492895613"></a>
<a name="en-us_topic_0183088056_table184320467318"></a>
<table><tbody><tr id="en-us_topic_0183088056_row78917461336"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088056_p1089154617315"><a name="en-us_topic_0183088056_p1089154617315"></a><a name="en-us_topic_0183088056_p1089154617315"></a><strong id="en-us_topic_0183088056_b1299984153312"><a name="en-us_topic_0183088056_b1299984153312"></a><a name="en-us_topic_0183088056_b1299984153312"></a>Parameter</strong></p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088056_p128984613319"><a name="en-us_topic_0183088056_p128984613319"></a><a name="en-us_topic_0183088056_p128984613319"></a><strong id="en-us_topic_0183088056_b349515718331"><a name="en-us_topic_0183088056_b349515718331"></a><a name="en-us_topic_0183088056_b349515718331"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183088056_row10898461533"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088056_p759712497119"><a name="en-us_topic_0183088056_p759712497119"></a><a name="en-us_topic_0183088056_p759712497119"></a>string container_id</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088056_p1189846434"><a name="en-us_topic_0183088056_p1189846434"></a><a name="en-us_topic_0183088056_p1189846434"></a>Container ID.</p>
</td>
</tr>
</tbody>
</table>
## Return Values<a name="en-us_topic_0183088056_section10495164611565"></a>
<a name="en-us_topic_0183088056_table15296551936"></a>
<table><tbody><tr id="en-us_topic_0183088056_row18741555834"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088056_p197485518319"><a name="en-us_topic_0183088056_p197485518319"></a><a name="en-us_topic_0183088056_p197485518319"></a><strong id="en-us_topic_0183088056_b14824203215330"><a name="en-us_topic_0183088056_b14824203215330"></a><a name="en-us_topic_0183088056_b14824203215330"></a>Return Value</strong></p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088056_p374185520310"><a name="en-us_topic_0183088056_p374185520310"></a><a name="en-us_topic_0183088056_p374185520310"></a><strong id="en-us_topic_0183088056_b18656113519336"><a name="en-us_topic_0183088056_b18656113519336"></a><a name="en-us_topic_0183088056_b18656113519336"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183088056_row87419551317"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088056_p3465158518"><a name="en-us_topic_0183088056_p3465158518"></a><a name="en-us_topic_0183088056_p3465158518"></a><a href="apis.md#en-us_topic_0182207110_li55689514215">ContainerStats</a> stats</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088056_p14745551137"><a name="en-us_topic_0183088056_p14745551137"></a><a name="en-us_topic_0183088056_p14745551137"></a>Container information. Note: Disks and inodes support only the query of containers started by OCI images.</p>
</td>
</tr>
</tbody>
</table>
# ContainerStatus<a name="EN-US_TOPIC_0184808104"></a>
## Prototype<a name="en-us_topic_0183088050_section164301654155514"></a>
```
rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {}
```
## Description<a name="en-us_topic_0183088050_section729211519569"></a>
This API is used to return the container status information. If the container does not exist, an error will be returned.
## Parameters<a name="en-us_topic_0183088050_section349492895613"></a>
<a name="en-us_topic_0183088050_table184320467318"></a>
<table><tbody><tr id="en-us_topic_0183088050_row78917461336"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088050_p1089154617315"><a name="en-us_topic_0183088050_p1089154617315"></a><a name="en-us_topic_0183088050_p1089154617315"></a><strong id="en-us_topic_0183088050_b10433175315277"><a name="en-us_topic_0183088050_b10433175315277"></a><a name="en-us_topic_0183088050_b10433175315277"></a>Parameter</strong></p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088050_p128984613319"><a name="en-us_topic_0183088050_p128984613319"></a><a name="en-us_topic_0183088050_p128984613319"></a><strong id="en-us_topic_0183088050_b295315557278"><a name="en-us_topic_0183088050_b295315557278"></a><a name="en-us_topic_0183088050_b295315557278"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183088050_row10898461533"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088050_p1019112316015"><a name="en-us_topic_0183088050_p1019112316015"></a><a name="en-us_topic_0183088050_p1019112316015"></a>string container_id</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088050_p1189846434"><a name="en-us_topic_0183088050_p1189846434"></a><a name="en-us_topic_0183088050_p1189846434"></a>Container ID.</p>
</td>
</tr>
<tr id="en-us_topic_0183088050_row134851364619"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088050_p956148114812"><a name="en-us_topic_0183088050_p956148114812"></a><a name="en-us_topic_0183088050_p956148114812"></a>bool verbose</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088050_p155615864815"><a name="en-us_topic_0183088050_p155615864815"></a><a name="en-us_topic_0183088050_p155615864815"></a>Whether to display additional information about the sandbox. This parameter does not take effect now.</p>
</td>
</tr>
</tbody>
</table>
## Return Values<a name="en-us_topic_0183088050_section10495164611565"></a>
<a name="en-us_topic_0183088050_table15296551936"></a>
<table><tbody><tr id="en-us_topic_0183088050_row18741555834"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088050_p197485518319"><a name="en-us_topic_0183088050_p197485518319"></a><a name="en-us_topic_0183088050_p197485518319"></a><strong id="en-us_topic_0183088050_b87305415283"><a name="en-us_topic_0183088050_b87305415283"></a><a name="en-us_topic_0183088050_b87305415283"></a>Return Value</strong></p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088050_p374185520310"><a name="en-us_topic_0183088050_p374185520310"></a><a name="en-us_topic_0183088050_p374185520310"></a><strong id="en-us_topic_0183088050_b194651461282"><a name="en-us_topic_0183088050_b194651461282"></a><a name="en-us_topic_0183088050_b194651461282"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183088050_row87419551317"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088050_p157445512318"><a name="en-us_topic_0183088050_p157445512318"></a><a name="en-us_topic_0183088050_p157445512318"></a><a href="apis.md#en-us_topic_0182207110_li1234063113301">ContainerStatus</a> status</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088050_p14745551137"><a name="en-us_topic_0183088050_p14745551137"></a><a name="en-us_topic_0183088050_p14745551137"></a>Container status information.</p>
</td>
</tr>
<tr id="en-us_topic_0183088050_row27545518311"><td class="cellrowborder" valign="top" width="39.54%"><p id="en-us_topic_0183088050_p953212217505"><a name="en-us_topic_0183088050_p953212217505"></a><a name="en-us_topic_0183088050_p953212217505"></a>map&lt;string, string&gt; info</p>
</td>
<td class="cellrowborder" valign="top" width="60.46%"><p id="en-us_topic_0183088050_p47512557310"><a name="en-us_topic_0183088050_p47512557310"></a><a name="en-us_topic_0183088050_p47512557310"></a>Additional information about the sandbox. The key can be any string, and the value is a JSON character string. The information can be any debugging content. When <strong id="en-us_topic_0183088050_b33801996615"><a name="en-us_topic_0183088050_b33801996615"></a><a name="en-us_topic_0183088050_b33801996615"></a>verbose</strong> is set to <strong id="en-us_topic_0183088050_b203801491961"><a name="en-us_topic_0183088050_b203801491961"></a><a name="en-us_topic_0183088050_b203801491961"></a>true</strong>, <strong id="en-us_topic_0183088050_b103811492068"><a name="en-us_topic_0183088050_b103811492068"></a><a name="en-us_topic_0183088050_b103811492068"></a>info</strong> cannot be empty. This parameter does not take effect now.</p>
</td>
</tr>
</tbody>
</table>
# Copying Data Between a Container and a Host<a name="EN-US_TOPIC_0184808069"></a>
## Description<a name="en-us_topic_0183385750_section13350115135310"></a>
To copy data between a host and a container, run the **isula cp** command. Only containers whose runtime is of the LCR type are supported.
## Usage<a name="en-us_topic_0183385750_section188811239165314"></a>
```
isula cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH
isula cp [OPTIONS] SRC_PATH CONTAINER:DEST_PATH
```
## Parameters<a name="en-us_topic_0183385750_section4322824135919"></a>
The following table lists the parameters supported by the **cp** command.
**Table 1** Parameter description
<a name="en-us_topic_0183385750_table45852013111514"></a>
<table><tbody><tr id="en-us_topic_0183385750_row1790211601513"><td class="cellrowborder" valign="top" width="17.333333333333336%"><p id="en-us_topic_0183385750_p7179821161516"><a name="en-us_topic_0183385750_p7179821161516"></a><a name="en-us_topic_0183385750_p7179821161516"></a><strong id="en-us_topic_0183385750_b91798219151"><a name="en-us_topic_0183385750_b91798219151"></a><a name="en-us_topic_0183385750_b91798219151"></a>Command</strong></p>
</td>
<td class="cellrowborder" valign="top" width="39.57575757575758%"><p id="en-us_topic_0183385750_p15179121111511"><a name="en-us_topic_0183385750_p15179121111511"></a><a name="en-us_topic_0183385750_p15179121111511"></a>Parameter</p>
</td>
<td class="cellrowborder" valign="top" width="43.09090909090909%"><p id="en-us_topic_0183385750_p10180152151511"><a name="en-us_topic_0183385750_p10180152151511"></a><a name="en-us_topic_0183385750_p10180152151511"></a><strong id="en-us_topic_0183385750_b718015216152"><a name="en-us_topic_0183385750_b718015216152"></a><a name="en-us_topic_0183385750_b718015216152"></a>Description</strong></p>
</td>
</tr>
<tr id="en-us_topic_0183385750_row89859561117"><td class="cellrowborder" valign="top" width="17.333333333333336%"><p id="en-us_topic_0183385750_p69851856411"><a name="en-us_topic_0183385750_p69851856411"></a><a name="en-us_topic_0183385750_p69851856411"></a><strong id="en-us_topic_0183385750_b192299211024"><a name="en-us_topic_0183385750_b192299211024"></a><a name="en-us_topic_0183385750_b192299211024"></a>cp</strong></p>
</td>
<td class="cellrowborder" valign="top" width="39.57575757575758%"><p id="en-us_topic_0183385750_p549293210212"><a name="en-us_topic_0183385750_p549293210212"></a><a name="en-us_topic_0183385750_p549293210212"></a>-H, --host</p>
</td>
<td class="cellrowborder" valign="top" width="43.09090909090909%"><p id="en-us_topic_0183385750_p1049213321528"><a name="en-us_topic_0183385750_p1049213321528"></a><a name="en-us_topic_0183385750_p1049213321528"></a>Specifies the iSulad socket file path to be accessed.</p>
</td>
</tr>
</tbody>
</table>
## Constraints<a name="en-us_topic_0183385750_section18811125219118"></a>
- When iSulad copies files, note that the **/etc/hostname**, **/etc/resolv.conf**, and **/etc/hosts** files, as well as the mounts specified by the **--volume** and **--mount** parameters, are not mounted when the copy is performed. Therefore, the original files in the image, not the files in the running container, are copied.
```
[root@localhost tmp]# isula cp b330e9be717a:/etc/hostname /tmp/hostname
[root@localhost tmp]# cat /tmp/hostname
[root@localhost tmp]#
```
- When unpacking the copied data, iSulad does not check the type of the file or folder that is about to be overwritten in the file system; it simply overwrites it. Therefore, if the source is a folder, a file with the same name is forcibly replaced by the folder, and if the source is a file, a folder with the same name is forcibly replaced by the file.
```
[root@localhost tmp]# rm -rf /tmp/test_file_to_dir && mkdir /tmp/test_file_to_dir
[root@localhost tmp]# isula exec b330e9be717a /bin/sh -c "rm -rf /tmp/test_file_to_dir && touch /tmp/test_file_to_dir"
[root@localhost tmp]# isula cp b330e9be717a:/tmp/test_file_to_dir /tmp
[root@localhost tmp]# ls -al /tmp | grep test_file_to_dir
-rw-r----- 1 root root 0 Apr 26 09:59 test_file_to_dir
```
- iSulad freezes the container during the copy process and restores the container after the copy is complete.
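The two constraints above can be guarded against on the host before the copy is issued. The following helper is an added example, not code from the openEuler documentation or from iSulad; the function names are hypothetical, and it assumes the container-side type can be read with `isula exec ... stat`.

```shell
#!/bin/sh
# Added example (not part of the openEuler docs or iSulad): host-side guard
# rails for "isula cp", covering the two documented pitfalls:
#   1. /etc/hostname, /etc/resolv.conf and /etc/hosts are read from the image
#      layer, not from the running container.
#   2. Unpacking overwrites a file with a directory (or vice versa) unchecked.
# Helper names are hypothetical; only safe_cp_from_container needs isula.

# Returns 0 when the in-container path is one of the files that isula cp
# reads from the image rather than the live container.
is_image_only_path() {
    case "$1" in
        /etc/hostname|/etc/resolv.conf|/etc/hosts) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a host path as "file", "directory" or "missing".
host_path_type() {
    if [ -d "$1" ]; then echo directory
    elif [ -e "$1" ]; then echo file
    else echo missing
    fi
}

# Returns 0 when writing an object of type $1 ("file"/"directory") to host
# path $2 would silently replace an object of the other type, 1 otherwise.
would_clobber_type() {
    src_type=$1
    dst_type=$(host_path_type "$2")
    [ "$dst_type" != missing ] && [ "$dst_type" != "$src_type" ]
}

# Wrapper: warn on image-only sources and refuse a copy that would change
# the type of an existing host entry. Assumes, as in the docs' example, that
# a copy into an existing host directory lands at DST/basename(SRC).
safe_cp_from_container() {
    container=$1; src=$2; dst=$3
    if is_image_only_path "$src"; then
        echo "warning: $src is copied from the image, not the live container" >&2
    fi
    # "stat -c %F" prints "regular file"/"directory"; normalise to our words.
    src_type=$(isula exec "$container" stat -c %F "$src" 2>/dev/null |
        sed 's/regular.*/file/')
    target=$dst
    [ -d "$dst" ] && target="$dst/$(basename "$src")"
    if would_clobber_type "$src_type" "$target"; then
        echo "refusing: $target is a $(host_path_type "$target"), source is a $src_type" >&2
        return 1
    fi
    isula cp "$container:$src" "$dst"
}
```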
## Example<a name="en-us_topic_0183385750_section1734193235916"></a>
Copy the **/test/host** directory on the host to the **/test** directory on container 21fac8bb9ea8.
```
isula cp /test/host 21fac8bb9ea8:/test
```
Copy the **/www** directory on container 21fac8bb9ea8 to the **/tmp** directory on the host.
```
isula cp 21fac8bb9ea8:/www /tmp/
```
# cp<a name="EN-US_TOPIC_0184808241"></a>
Syntax:
```
docker cp [options] container:src_path dest_path|-
docker cp [options] src_path|- container:dest_path
```
Function: Copies a file or folder from a path in a container to a path on the host, or copies a file or folder from the host to the container.
Precautions: The **docker cp** command does not support the copy of files in virtual file systems such as **/proc**, **/sys**, **/dev**, and **/tmp** in the container and files in the file systems mounted by users in the container.
Parameter description:
**-a**, **--archive**: Sets the owner of the file copied to the container to the **container** user \(**--user**\).
**-L**, **--follow-link**: Parses and traces the symbolic link of a file.
Example:
Run the following command to copy the **/test** directory in the registry container to the **/home/**_aaa_ directory on the host:
```
$ sudo docker cp registry:/test /home/aaa
```
# Daemon Network Configuration<a name="EN-US_TOPIC_0184808198"></a>
- After the network segment of the docker0 bridge is specified by using the **--bip** parameter on Docker daemon, if the **--bip** parameter is deleted during the next Docker daemon restart, the docker0 bridge uses the previous value of **--bip**, even if the docker0 bridge is deleted before the restart. The reason is that Docker saves the network configuration and restores the previous configuration by default during the next restart.
- When running the **docker network create** command to concurrently create networks, you can create two networks with the same name. The reason is that Docker networks are distinguished by IDs. The name is only an alias that is easy to identify and may not be unique.
- In the Docker bridge network mode, a Docker container communicates externally through NAT on the host. When Docker daemon starts a Docker container, a docker-proxy process is started for each port mapped on the host to proxy access to that port. It is recommended that you map only the necessary ports when using userland-proxy, to reduce the resources consumed by docker-proxy port mapping.
# Deployment Configuration<a name="EN-US_TOPIC_0184808165"></a>
# Deployment Configuration<a name="EN-US_TOPIC_0184808042"></a>