Restart docker container in privileged mode

I have a docker container that is not coping with the load.

I need to increase the value in /proc/sys/net/core/somaxconn but I'm unable to do so because the container is not running in privileged mode.

Since creating the docker file, there have been several tweaks to the nginx and php configurations.

Is it possible to restart the container with privileged mode without losing the configuration changes I've already made?


Solution 1:

The container configuration is in /var/lib/docker/containers/<id>/hostconfig.json - you can edit it and restart your container, but docker shouldn't be running when you edit it.

# docker run -ti --name test fedora:25 /bin/bash
# echo 512 > /proc/sys/net/core/somaxconn   # in docker
bash: /proc/sys/net/core/somaxconn: Read-only file system
# exit # exit docker, back to host
# systemctl stop docker # or stop it with whatever service manager you're using

# cd /var/lib/docker/containers/b48fcbce0ab29749160e5677e3e9fe07cc704b47e84f7978fa74584f6d9d3c40/
# cp hostconfig.json{,.bak}
# cat hostconfig.json.bak | jq '.Privileged=true' | jq '.SecurityOpt=["label=disable"]' > hostconfig.json

# systemctl start docker
# docker start test
test
# docker exec -ti test /bin/bash
# echo 512 > /proc/sys/net/core/somaxconn   # in docker, now works

This will of course shut down all containers while you're making the changes.
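As an added example (not part of the answer above), the following Python script does the same hostconfig.json edit the answer performs with jq, keeps the .bak copy and writes the file atomically, and then audits the result for settings that widen the container's privileges. The sample hostconfig.json is constructed and trimmed; the path and the check on PidMode/NetworkMode/IpcMode are assumptions added here, not something the answer states.

```python
"""Patch and audit a stopped container's hostconfig.json.

Assumption: dockerd is stopped before patch_hostconfig() runs, as the answer
says; the daemon rewrites hostconfig.json when a container stops and would
overwrite a live edit.
"""
import json
import os
import shutil
import tempfile


def patch_hostconfig(path):
    """Set Privileged=true and SecurityOpt=["label=disable"], mirroring the
    jq pipeline in the answer. Keeps a <path>.bak copy and replaces the file
    atomically so an interrupted write cannot leave a half-written config."""
    shutil.copyfile(path, path + ".bak")
    with open(path) as f:
        cfg = json.load(f)
    cfg["Privileged"] = True
    cfg["SecurityOpt"] = ["label=disable"]
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(cfg, f)
    os.replace(tmp, path)
    return cfg


def audit_hostconfig(path):
    """Return findings for privilege-widening settings in a hostconfig.json.
    Useful after the fact to see which containers on a host were hand-edited
    into privileged mode and never moved back into compose/Dockerfile config."""
    with open(path) as f:
        cfg = json.load(f)
    findings = []
    if cfg.get("Privileged"):
        findings.append("Privileged=true: all capabilities and raw device access")
    if "label=disable" in (cfg.get("SecurityOpt") or []):
        findings.append("SecurityOpt label=disable: SELinux/AppArmor confinement off")
    # Assumed keys: these are the namespace-sharing fields in hostconfig.json.
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if cfg.get(key) == "host":
            findings.append("%s=host: shares the host namespace" % key)
    return findings


# Constructed, trimmed sample of a default (non-privileged) hostconfig.json.
SAMPLE_HOSTCONFIG = {
    "Binds": None,
    "NetworkMode": "default",
    "RestartPolicy": {"Name": "no", "MaximumRetryCount": 0},
    "Privileged": False,
    "SecurityOpt": None,
    "PidMode": "",
    "IpcMode": "private",
    "CapAdd": None,
    "CapDrop": None,
}


def run_demo():
    """Write the sample into a temp dir, audit, patch, audit again."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "hostconfig.json")
    with open(path, "w") as f:
        json.dump(SAMPLE_HOSTCONFIG, f)
    before = audit_hostconfig(path)
    patched = patch_hostconfig(path)
    after = audit_hostconfig(path)
    with open(path + ".bak") as f:
        backup = json.load(f)
    shutil.rmtree(workdir)
    return {"before": before, "patched": patched, "after": after, "backup": backup}


if __name__ == "__main__":
    result = run_demo()
    print("findings before:", result["before"])
    print("findings after: ", result["after"])
```

Two practical notes. The audit function is the more useful half for a defender: a privileged container that was switched on this way leaves no trace in the image or compose file, so scanning /var/lib/docker/containers/*/hostconfig.json is how you find it later. And if the only setting you need is net.core.somaxconn, Docker can apply a single namespaced sysctl without privileged mode at all (docker run --sysctl net.core.somaxconn=512, or a sysctls: entry in docker-compose.yml), which keeps the change in version-controlled config and avoids giving the container every capability and raw device access.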

Solution 2:

No, and you should not be configuring containers directly. Doing so results in an environment that's difficult to maintain (which you've found). Include your configuration in your docker-compose.yml, an attached volume, or the Dockerfile, as appropriate. That allows you to update the container by replacing it.

For reference, the only settings docker lets you update on a running container are the following:

$ docker update --help

Usage:  docker update [OPTIONS] CONTAINER [CONTAINER...]

Update configuration of one or more containers

Options:
      --blkio-weight uint16        Block IO (relative weight), between 10
                                   and 1000, or 0 to disable (default 0)
      --cpu-period int             Limit CPU CFS (Completely Fair Scheduler)
                                   period
      --cpu-quota int              Limit CPU CFS (Completely Fair Scheduler)
                                   quota
      --cpu-rt-period int          Limit the CPU real-time period in microseconds
      --cpu-rt-runtime int         Limit the CPU real-time runtime in
                                   microseconds
  -c, --cpu-shares int             CPU shares (relative weight)
      --cpus decimal               Number of CPUs
      --cpuset-cpus string         CPUs in which to allow execution (0-3, 0,1)
      --cpuset-mems string         MEMs in which to allow execution (0-3, 0,1)
      --help                       Print usage
      --kernel-memory bytes        Kernel memory limit
  -m, --memory bytes               Memory limit
      --memory-reservation bytes   Memory soft limit
      --memory-swap bytes          Swap limit equal to memory plus swap:
                                   '-1' to enable unlimited swap
      --restart string             Restart policy to apply when a container exits