582 Commits

Author SHA1 Message Date
Sebastiaan van Stijn
6b4dfb0135 integration-cli: migrate TestPostContainersCreateShmSizeXXX to integration
Some of these tests were making assumptions about the daemon's internals
by using `config.DefaultShmSize` from the daemon config package.

Rewrite them to start a daemon with a custom default, and verify the
tests to use that default.

This migrates the following tests from integration-cli to integration;

- `DockerAPISuite.TestPostContainersCreateShmSizeNegative`
- `DockerAPISuite.TestPostContainersCreateShmSizeHostConfigOmitted`
- `DockerAPISuite.TestPostContainersCreateShmSizeOmitted`
- `DockerAPISuite.TestPostContainersCreateWithShmSize`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-26 20:52:00 +02:00
Sebastiaan van Stijn
ca1c5ee08f pkg/stringid: move to daemon, and provide copy in client
The stringid package is used in many places; while it's trivial
to implement a similar utility, let's just provide it as a utility
package in the client, removing the daemon-specific logic.

For integration tests, I opted to use the implementation in the
client, as those should ideally not make assumptions about
the daemon implementation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-25 13:39:32 +02:00
Derek McGowan
c74ba95583 Move oci to daemon/pkg/oci
Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-07-24 12:11:19 -07:00
Muhammad Daffa Dinaya
6e7a2c830d Add Health attribute on the docker ps command
Signed-off-by: Muhammad Daffa Dinaya <muhammaddaffadinaya@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-21 22:57:03 +02:00
Sebastiaan van Stijn
20d594fb79 deprecate pkg/stdcopy, move to api/stdcopy
The stdcopy package is used to produce and read multiplexed streams for
"attach" and "logs". It is used both by the API server (to produce), and
the client (to read / de-multiplex).

Move it to the api package, so that it can be included in the api module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-21 21:41:39 +02:00
Derek McGowan
c47afd41c8 Create github.com/moby/moby/client module
Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-07-21 09:30:26 -07:00
Derek McGowan
afd6487b2e Create github.com/moby/moby/api module
Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-07-21 09:30:05 -07:00
Derek McGowan
04f5276267 Move volume to daemon/volume
Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-07-15 10:44:44 -07:00
Paweł Gronowski
649256a269 Merge pull request #50387 from thaJeztah/flaky_TestRemoveContainerWithVolume
integration/container: fix flaky TestRemoveContainerWithVolume
2025-07-14 16:14:44 +02:00
Sebastiaan van Stijn
fd8fec18cd integration/container: XFAIL flaky TestExecResize on Windows
This test is failing frequently (50%) on Windows;

    === FAIL: github.com/docker/docker/integration/container TestExecResize/success (0.01s)
        exec_test.go:144: assertion failed: error is not nil: Error response from daemon: NotFound: exec: '9c19c467436132df24d8b606b0c462b1110dacfbbd13b63e5b42579eda76d7fc' in task: '7d1f371218285a0c653ae77024a1ab3f5d61a5d097c651ddf7df97364fafb454' not found: not found

Let's keep the test, but log the failure and skip on Windows.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-13 15:13:16 +02:00
Sebastiaan van Stijn
d6c90dcb87 integration/container: fix flaky TestRemoveContainerWithVolume
This test depended on the container to die after running the `true` command,
but this condition failed frequently on Windows 2025.

    === Failed
    === FAIL: github.com/docker/docker/integration/container TestRemoveContainerWithVolume (32.68s)
        remove_test.go:61: timeout hit after 10s: waiting for container State.Status to be 'exited', currently 'running'

While this may be revealing an actual issue (and we should have a test for
that), it's irrelevant for this test, which;

- creates and starts a container with an anonymous volume
- verifies the anonymous volume was created
- removes the container
- verifies the anonymous volume was removed

We can force-remove the container to kill, and remove it; we probably
could've sufficed with "container create" (without starting), but it's
good to add extra coverage, in case running the container impacts whether
we're able to remove the volume.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-12 15:58:27 +02:00
Sebastiaan van Stijn
dde698a2e8 integration/container: add basic test for ContainerInspectWithRaw
Make sure we have basic coverage for this function; integration-cli may
have additional tests covering this as well.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-11 15:00:19 +02:00
Sebastiaan van Stijn
a5e3f39770 integration/container: avoid ContainerInspectWithRaw with "size"
These tests didn't use the raw output, and didn't use the size.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-11 13:01:56 +02:00
Sebastiaan van Stijn
88b67eb2fc integration/container: cleanup TestCreateWithCustomReadonlyPaths
- Use ContainerInspect instead of manually unmarshaling the raw JSON
- Explicitly stop the container instead of polling for it to die
- Add test for privileged containers
- Use subtests and run parallel

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-11 12:51:54 +02:00
Sebastiaan van Stijn
bd091c1a9d integration/container: cleanup TestCreateWithCustomMaskedPaths
- Use ContainerInspect instead of manually unmarshaling the raw JSON
- Explicitly stop the container instead of polling for it to die
- Use subtests and run parallel

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-07-11 12:51:30 +02:00
Derek McGowan
5419eb1efc Move container to daemon/container
Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-06-27 14:27:21 -07:00
Sebastiaan van Stijn
53475e1adf integration/container: TestCreateByImageID: minor improvements
- Assert that we're not using empty IDs
- stringid.TruncateID already truncates algorithm, so we can just feed
  it the full id
- Fail early on error, and skip asserting the `resp.ID` to reduce some
  noise;

    === FAIL: github.com/docker/docker/integration/container TestCreateByImageID/image_short-ID (60.33s)
        create_test.go:134: assertion failed: resp.ID is ""
        create_test.go:135: assertion failed: error is not nil: error during connect: Post "http://%2F%2F.%2Fpipe%2Fdocker_engine/v1.48/containers/create": EOF

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-06-23 12:19:44 +02:00
Sebastiaan van Stijn
0c182d4d57 api/types/container: deprecate ExecOptions.Detach
This field was added in 5130fe5d38, which
added it for use as intermediate struct when parsing CLI flags (through
`runconfig.ParseExec`) in c786a8ee5e.

Commit 9d9dff3d0d rewrote the CLI to use
Cobra, and as part of this introduced a separate `execOptions` type in
`api/client/container`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-06-17 12:38:33 +02:00
Matthieu MOREL
6d737371b8 fix comparison rule from errorlint
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2025-06-13 08:26:56 +00:00
Sebastiaan van Stijn
d3d20b9195 integration-cli: TestCopyFromContainerPathIsNotDir: adjust for win 2025
It looks like the error returned by Windows changed in Windows 2025; before
Windows 2025, this produced a `ERROR_INVALID_NAME`;

    The filename, directory name, or volume label syntax is incorrect.

But Windows 2025 produces a `ERROR_DIRECTORY` ("The directory name is invalid."):

    CreateFile \\\\?\\Volume{d9f06b05-0405-418b-b3e5-4fede64f3cdc}\\windows\\system32\\drivers\\etc\\hosts\\: The directory name is invalid.

Docs; https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499-

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-06-12 15:18:17 +02:00
Sebastiaan van Stijn
4970333621 integration: remove // import comments
These comments were added to enforce using the correct import path for
our packages ("github.com/docker/docker", not "github.com/moby/moby").
However, when working in go module mode (not GOPATH / vendor), they have
no effect, so their impact is limited.

Remove these imports in preparation of migrating our code to become an
actual go module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-05-30 15:59:14 +02:00
Matthieu MOREL
14852fcd82 integration: replace uses of errdefs package
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2025-05-28 05:39:50 +00:00
Sebastiaan van Stijn
3d1e4d9002 api/types: move build-related types to api/types/build
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-05-19 09:30:27 +02:00
Sebastiaan van Stijn
bb7dbaafcd api/types: move BuildResult to api/types/build.Result
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-05-17 00:39:09 +02:00
Paweł Gronowski
9095698a5c daemon: Discover devices and include in system info
Add ability for the device driver to implement a device discovery
mechanism and expose discovered devices in the `docker info` output.

Currently it's only implemented for CDI devices.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-05-16 17:03:29 +02:00
Paweł Gronowski
4cecce03f6 daemon: Enable CDI by default
CDI will now be enabled by default unless opted-out by setting `cdi`
feature to `false`.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-05-15 22:13:19 +02:00
Sebastiaan van Stijn
3bbdda696d use container.ContainerState consts in tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-05-13 15:03:34 +02:00
Sebastiaan van Stijn
9b19172c7f Merge pull request #49868 from thaJeztah/exec_validate_user
docker exec: fail early on exec create if specified user doesn't exist
2025-05-09 17:00:50 +02:00
Matthieu MOREL
27bf320a72 fix(ST1017): Don’t use Yoda conditions
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
2025-05-01 14:17:59 +02:00
Rob Murray
8d5177b229 Merge pull request #49876 from thaJeztah/pseudo_type_healthstatus
api/types/container: define HealthStatus "pseudo" type
2025-04-28 13:43:50 +01:00
Sebastiaan van Stijn
1e4bb14bcd api/types/container: define HealthStatus "pseudo" type
It currently is an alias for string, but may become a distinct type in future.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-26 15:26:26 +02:00
Sebastiaan van Stijn
c690e0076a use consts for health-status in tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-26 15:05:26 +02:00
Sebastiaan van Stijn
b54a038bec docker exec: fail early on exec create if specified user doesn't exist
Before this patch, an error would be produced when starting the exec,
but the CLI would wait for the exec to complete, timing out after 10
seconds (default). With this change, an error is returned immediately
when creating the exec.

Note that "technically" this check may have some TOCTOU issues, because
'/etc/passwd' and '/etc/groups' may be mutated by the container in between
creating the exec and starting it.

This is very likely a corner-case, but something we can consider changing
in future (either allow creating an invalid exec, and checking before
starting, or checking both before create and before start).

With this patch:

    printf 'FROM alpine\nRUN rm -f /etc/group' | docker build -t nogroup -
    ID=$(docker run -dit nogroup)

    time docker exec -u 0:root $ID echo hello
    Error response from daemon: unable to find group root: no matching entries in group file

    real	0m0.014s
    user	0m0.010s
    sys	0m0.003s

    # numeric uid/gid (should not require lookup);
    time docker exec -u 0:0 $ID echo hello
    hello

    real	0m0.059s
    user	0m0.007s
    sys	0m0.008s

    # no user specified (should not require lookup);
    time docker exec $ID echo hello
    hello

    real	0m0.057s
    user	0m0.013s
    sys	0m0.008s

    docker rm -fv $ID

    # container that does have a valid /etc/groups

    ID=$(docker run -dit alpine)
    time docker exec -u 0:root $ID echo hello
    hello

    real	0m0.063s
    user	0m0.010s
    sys	0m0.009s

    # non-existing user or group
    time docker exec -u 0:blabla $ID echo hello
    Error response from daemon: unable to find group blabla: no matching entries in group file

    real	0m0.013s
    user	0m0.004s
    sys	0m0.009s

    docker rm -fv $ID

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-25 15:24:00 +02:00
Sebastiaan van Stijn
eede75c9d4 testing: remove some defer cleanup in favor of test.Cleanup()
gotest.tools v3.0.1 and up support Go's native test.Cleanup(), which
means that manually calling the cleanup functions in a defer is no
longer needed.

Some of these could probably be replaced by Go's native `t.TempDir()`,
but keeping that for a follow-up exercise.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-04-19 16:35:24 +02:00
Paweł Gronowski
c49ce64514 integration/TestStopContainerWithTimeout: Attempt to fix flakiness
Temporarily remove Parallel.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-04-14 12:31:52 +02:00
Derek McGowan
d0154d3e59 Update to use github.com/moby/go-archive
Update use of idtools to moby/user for archive and other deprecated uses

Signed-off-by: Derek McGowan <derek@mcg.dev>
2025-04-08 17:35:05 -07:00
Paweł Gronowski
ac34bd9bda integration/container: Remove Parallel from TestWait*
It seems to help with the flakiness in the CI.
However, I can't reproduce the flakiness locally.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-03-13 18:09:32 +01:00
Paweł Gronowski
dd7f9f08d8 integration/container: Increase stop timeout for TestWaitRestartedContainer
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-03-13 18:09:29 +01:00
Rob Murray
97c397112a Merge pull request #49560 from ctalledo/mask-thermal-interrupt-info
Mask Linux thermal interrupt info in /proc and /sys.
2025-03-13 15:16:34 +00:00
Paweł Gronowski
64b72a8db1 Merge pull request #49365 from ctalledo/47581-fix
Improve performance of daemon.Containers()
2025-03-12 18:28:55 +00:00
Sebastiaan van Stijn
a8f14e06d6 Improve performance of daemon.Containers().
Improve performance of function daemon.Containers() (used by docker ps) to
mitigate a latency increase when running large number of containers using the
containerd image store.

We do this by refactoring daemon.Containers() to collect info for containers in
parallel, rather than sequentially, using up to log2(N) worker threads. This
improves the performance from O(N) to O(log2(N)), where N is the number of
containers.

To verify correctness, this commit adds unit and integration tests.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
2025-03-12 09:59:52 -07:00
Cesar Talledo
a3fef5debc Mask Linux thermal interrupt info in /proc and /sys.
On Linux, mask "/proc/interrupts" and "/sys/devices/system/cpu/cpu<x>/thermal_throttle"
inside containers by default. Privileged containers or containers started
with --security-opt="systempaths=unconfined" are not affected.

Mitigates potential Thermal Side-Channel Vulnerability Exploit
(https://github.com/moby/moby/security/advisories/GHSA-6fw5-f8r9-fgfm).

Also: improve integration test TestCreateWithCustomMaskedPaths() to ensure
default masked paths don't apply to privileged containers.

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
2025-03-10 17:18:10 -07:00
Paweł Gronowski
2124706447 integration: Increase timeouts in TestStopContainerWithTimeout
To reduce flakiness

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-03-10 17:04:33 +01:00
Paweł Gronowski
946bf70f89 integration: Deduplicate TestStopContainerWithTimeout
The test had 2 almost identical separate implementations (Linux and
Windows). The Windows one was skipped anyway.
Make one test that covers all test cases.

The test still needs to be fixed for Windows, so don't unskip it yet.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-03-10 17:04:29 +01:00
Cesar Talledo
c9f53d506a Merge ps_test.go into list_test.go.
Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
2025-03-06 10:42:07 -08:00
Paweł Gronowski
6abe6a910a integration/container: adjust "gotest.tools/v3/assert/cmp" import alias
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-03-03 19:11:42 +01:00
Sebastiaan van Stijn
60782e6d39 container: fix some errors on Windows
While going through some logs from CI, I noticed this log-entry on Windows,
produced as part of a test;

    2025-02-25T03:23:17.6584227Z [Error] Handler for POST /v1.48/containers/b47b1e632188426d6d42a4be04f9a3cc1eca40cfed9536d277011052af0b04f5/update returned error: Cannot update container b47b1e632188426d6d42a4be04f9a3cc1eca40cfed9536d277011052af0b04f5: Restart policy cannot be updated because AutoRemove is enabled for the container

While updating is an error for the user, it's not an error in the daemon,
so we should return the correct error-type (and avoid logging it as an
error in daemon logs).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2025-02-25 17:53:25 +01:00
Jonathan A. Sternberg
927e07e46e API: add Platform (OS and Architecture) to /containers/json
Adds platform information to containers (for `docker ps`).

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
2025-02-13 14:52:21 -06:00
Paweł Gronowski
a096045678 all: Replace deprecated ImageInspectWithRaw usage
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2025-02-06 13:31:48 +01:00
Sebastiaan van Stijn
433e9a50ce Merge pull request #48828 from vbatts/cgroups-rw
daemon/&container/: enable `--security-opt writable-cgroups=true|false` as an option
2025-01-23 20:41:08 +01:00