The change in question is the one made within a system-protected file, for which the container had to be launched in privileged mode. That change does survive container restarts though, but it does not seem to get carried over to the target image of “docker commit”.
Details
The docker commit
command is supposed to persist the complete current state of the file-system of a container (whether running or stopped) and create an image with those contents, which, as a layer, is based on the same image as the said container was launched from. In one particular case, this isn’t working.
Here are steps to reproduce it:
1 - This launches a container based on public "alpine", runs in in privileged mode, because it has to change a system-protected setting (tcp_keepalive_time, from the default 7200 to 300):
docker run --name alpine-tcp -it --privileged --sysctl "net.ipv4.tcp_keepalive_time=300" --entrypoint sh alpine:latest
-
At this point, a shell is presented, and it’s easy to verify the above change:
cat /proc/sys/net/ipv4/tcp_keepalive_time
. -
If you were to launch this image without
--sysctl "net.ipv4.tcp_keepalive_time=300"
argument, and then execute thiscat
command, you’d get7200
(instead of 300), which is the default (irrelevant, but it’s a value expressed in seconds, equivalent to 2 hours. -
Other changes can be made, to demonstrate that
docker commit
does carry those over; e.g:
touch myfile
adduser test
2 - This command dumps the content of the above created alpine-tcp
container into an image, creating one named local/alpine:optimized-tcp
:
docker commit alpine-tcp local/alpine:optimized-tcp
3 - This launches another container based on the newly created local/alpine:optimized-tcp
image:
docker run --name alpine-tcp-copy -it --rm --entrypoint sh local/alpine:optimized-tcp
- This new container should now contain all changes created within
alpine-tcp
container; verify:
ls myfile
id testuser
cat /proc/sys/net/ipv4/tcp_keepalive_time
However, the “keepalive” change prints the default value of 7200, whereas 300 is expected. Why would docker-commit skip this, and is there a work-around? Even though the change is over a specially protected file, it can obviously be read, as the interactive command proves.
Thank you.