6

I have a docker container that is not coping with the load.

I need to increase the value in /proc/sys/net/core/somaxconn but I'm unable to do so because the container is not running in privileged mode.

Since creating the docker file, there have been several tweaks to the nginx and php configurations.

Is it possible to restart the container with privileged mode without losing the configuration changes I've already made?

Asa Carter

3 Answers

7

The container configuration is in /var/lib/docker/containers/<id>/hostconfig.json - you can edit it and restart your container, but docker shouldn't be running when you edit it.

# docker run -ti --name test fedora:25 /bin/bash
# echo 512 > /proc/sys/net/core/somaxconn   # in docker
bash: /proc/sys/net/core/somaxconn: Read-only file system
# exit # exit docker, back to host
# systemctl stop docker # or stop it with whatever servicemanager you're using

# cd /var/lib/docker/containers/b48fcbce0ab29749160e5677e3e9fe07cc704b47e84f7978fa74584f6d9d3c40/
# cp hostconfig.json{,.bak}
# cat hostconfig.json.bak | jq '.Privileged=true' | jq '.SecurityOpt=["label=disable"]' > hostconfig.json

# systemctl start docker
# docker start test
test
# docker exec -ti test /bin/bash
# echo 512 > /proc/sys/net/core/somaxconn   # in docker, now works

This will of course shut down all containers while you're making the changes.

unilynx
  • I've enabled privileged mode in the host config and restarted. After restarting, sysctl is still not writable. – Asa Carter Jul 11 '17 at 07:44
  • Looks like docker caches and overwrites hostconfig.json on startup if you keep it running. Did a fuller test, but still another good reason not to actually do it :-) – unilynx Jul 11 '17 at 08:10
  • I didn't see that update and ended up removing the container and running it again in Privileged mode. Good to know for the future.. – Asa Carter Jul 11 '17 at 12:51
1

No, and you should not be configuring containers directly. Doing so results in an environment that's difficult to maintain (which you've found). Include your configuration in your docker-compose.yml, an attached volume, or the Dockerfile, as appropriate. That allows you to update the container by replacing it.

For reference, the only settings docker lets you update on a running container are the following:

$ docker update --help

Usage:  docker update [OPTIONS] CONTAINER [CONTAINER...]

Update configuration of one or more containers

Options:
      --blkio-weight uint16        Block IO (relative weight), between 10
                                   and 1000, or 0 to disable (default 0)
      --cpu-period int             Limit CPU CFS (Completely Fair Scheduler)
                                   period
      --cpu-quota int              Limit CPU CFS (Completely Fair Scheduler)
                                   quota
      --cpu-rt-period int          Limit the CPU real-time period in microseconds
      --cpu-rt-runtime int         Limit the CPU real-time runtime in
                                   microseconds
  -c, --cpu-shares int             CPU shares (relative weight)
      --cpus decimal               Number of CPUs
      --cpuset-cpus string         CPUs in which to allow execution (0-3, 0,1)
      --cpuset-mems string         MEMs in which to allow execution (0-3, 0,1)
      --help                       Print usage
      --kernel-memory bytes        Kernel memory limit
  -m, --memory bytes               Memory limit
      --memory-reservation bytes   Memory soft limit
      --memory-swap bytes          Swap limit equal to memory plus swap:
                                   '-1' to enable unlimited swap
      --restart string             Restart policy to apply when a container exits
BMitch
0
ID=$(docker run -it --name ubuntu -d ubuntu 2>&1|tee|tail -1)
docker inspect --format='{{.HostConfig.Privileged}}' $(docker container ls -q)
# false   :(
systemctl stop docker
DIR="/var/lib/docker/containers/$ID"
ls $DIR/hostconfig.json
cp $DIR/hostconfig.json{,.bak}
cat $DIR/hostconfig.json.bak | jq '.Privileged=true' | jq '.SecurityOpt=["label=disable"]' > $DIR/hostconfig.json
systemctl start docker
docker start ubuntu
docker inspect --format='{{.HostConfig.Privileged}}' $(docker container ls -q)
# true :)
#
# remove
docker stop ubuntu;docker rm ubuntu;docker image rm ubuntu
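
The hostconfig.json edits in the answers above leave a container running with `Privileged=true` and `label=disable`, which is easy to forget about afterwards. As an added example (not code from any of the answers), this Python audit walks the same /var/lib/docker/containers/<id>/hostconfig.json files and reports containers with those settings; the function names, the leftover `.bak` check and the sample directory tree are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def audit_hostconfigs(root="/var/lib/docker/containers"):
    """Return {container_id: [findings]} for containers whose stored
    hostconfig.json relaxes isolation the way the edits above do."""
    findings = {}
    for cfg in sorted(Path(root).glob("*/hostconfig.json")):
        cid = cfg.parent.name
        try:
            hc = json.loads(cfg.read_text())
        except (OSError, ValueError) as exc:
            findings[cid] = [f"unreadable: {exc.__class__.__name__}"]
            continue
        if not isinstance(hc, dict):
            findings[cid] = ["unreadable: not a JSON object"]
            continue
        issues = []
        if hc.get("Privileged") is True:
            issues.append("Privileged=true")
        # SecurityOpt is null when unset, otherwise a list of strings
        for opt in hc.get("SecurityOpt") or []:
            if opt == "label=disable":
                issues.append("SecurityOpt label=disable")
        # `cp hostconfig.json{,.bak}` leaves this file behind after a hand edit
        if (cfg.parent / "hostconfig.json.bak").exists():
            issues.append("hostconfig.json.bak present (hand-edited?)")
        if issues:
            findings[cid] = issues
    return findings


def demo():
    """Run the audit over a constructed directory tree (sample data)."""
    samples = {
        "aaa111": {"Privileged": False, "SecurityOpt": None},
        "bbb222": {"Privileged": True, "SecurityOpt": ["label=disable"]},
    }
    with tempfile.TemporaryDirectory() as root:
        for cid, hc in samples.items():
            cdir = Path(root, cid)
            cdir.mkdir()
            (cdir / "hostconfig.json").write_text(json.dumps(hc))
        Path(root, "bbb222", "hostconfig.json.bak").write_text("{}")
        return audit_hostconfigs(root)


if __name__ == "__main__":
    for cid, issues in demo().items():
        print(cid, "->", ", ".join(issues))
```

Run against the real directory, this needs root on the host and reads whatever is on disk; `docker inspect --format='{{.HostConfig.Privileged}}'` shows what the daemon itself has loaded.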