Type type was defined before the API had a definition fro the exec-inspect
response. When a type definition was added in [moby@2a34207], the definition
was moved from the backend to the API, and the backend type implemented as
an alias.
Technically, we could keep a _concrete_ type for the backend, and handle
conversion to the corresponding API type in the router, but currently,
this would likely only add extra complexity.
We could still opt for doing so when the backend requires additional fields
or changes that should not be reflected in the API response.
[moby@2a34207]: 2a342079c6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This type was introduced in [moby@3f9f231], at which type no API response
types were defined, and the [`containerRouter.getExecByID`] would return
the daemon's internal [`exec.Config`] type from [`backend.ContainerExecInspect`].
Tracing back history about the discrepancy between the type used by the client
and the actual response type; commit [moby@2a34207] added the missing type in
the API, which was documented as part of the API swagger definition since the
start ([moby@0243936]), and updated in [moby@74cb739], so we can't use the
reduced struct as response type.
[moby@3f9f231]: 3f9f23114f
[moby@2a34207]: 2a342079c6
[`containerRouter.getExecByID`]: 3f9f23114f/api/server/router/container/exec.go (L18-L25)
[`backend.ContainerExecInspect`]: 3f9f23114f/api/server/router/container/backend.go (L18)
[`exec.Config`]: 3f9f23114f/daemon/exec/exec.go (L13-L31)
[moby@0243936]: 0243936d92
[moby@74cb739]: 74cb739766
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This option is no longer supported by runc, and is deprecated in the kernel.
We removed support for this feature from all API versions, so it's better
to also amend the docs for older API versions.
[kernel v5.4]: https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
kernel-memory limits are not supported in cgroups v2, and were obsoleted in
[kernel v5.4], producing a `ENOTSUP` in kernel v5.16. Support for this option
was removed in runc and other runtimes, as various LTS kernels contained a
broken implementation, resulting in unpredictable behavior.
We deprecated this option in [moby@b8ca7de], producing a warning when used,
and actively ignore the option since [moby@0798f5f].
Given that setting this option had no effect in most situations, we should
just remove this option instead of continuing to handle it with the expectation
that a runtime may still support it.
Note that we still support RHEL 8 (kernel 4.18) and RHEL 9 (kernel 5.14). We
no longer build packages for Ubuntu 20.04 (kernel 5.4) and Debian Bullseye 11
(kernel 5.10), which still have an LTS / ESM programme, but for those it would
only impact situations where a runtime is used that still supports it, and
an old API version was used.
[kernel v5.4]: https://github.com/torvalds/linux/commit/0158115f702b0ba208ab0
[moby@b8ca7de]: b8ca7de823
[moby@0798f5f]: 0798f5f5cf
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This introduces a `WithMinimumAPIVersion` RouteWrapper to configure the
minimum API version required for a route. It produces a 400 (Invalid Request)
error when accessing the endpoint on API versions lower than the given version.
Note that technically, it should produce a 404 ("not found") error,
as the endpoint should be considered "non-existing" on such API versions,
but 404 status-codes are used in business logic for various endpoints.
This patch allows removal of corresponding API-version checks from the client,
and other implementation of clients for the API. While the produced error message
is slightly more "technical", these situations should be rare and only happen
when the API version of the client is explicitly overridden, or a client was
implemented with a fixed API version (potentially missing version checks).
Before this patch, these errors were produced by the client:
DOCKER_API_VERSION=v1.24 docker container prune -f
docker container prune requires API version 1.25, but the Docker daemon API version is 1.24
With this patch applied, the error is returned by the daemon:
DOCKER_API_VERSION=v1.24 docker container prune -f
Error response from daemon: POST /containers/prune requires minimum API version 1.25
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Windows test workflow jobs were missing the dependency on the
`validate-dco` job so they ran regardless whether the DCO check passed
or not.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The format for filters changed in 93d1dd8036
(docker v1.10 / API v1.22). As part of that implementation, the daemon
would parse the new format, and fall back to parsing the old format if
this failed. This fallback was not based on API version, so any version
of the API released since would continue to accept both the legacy and
curent format.
For the client, the change in format caused a regression when connecting
to an older daemon; a `ToParamWithVersion` utility was introduced in
[docker/engine-api@81388f0] to produce the old format when the client was
connected to a docker v1.9 or older daemon, using an old API version.
Given that any version of docker 1.10 or above would support both formats,
regardless of the API version used, and API v1.22 is no longer supported,
it should be safe to assume we can drop the version-specific format in the
client. Even if the client would be using API v1.22 (or older), the format
would only be necessary for an actual docker v1.9 daemon, which would be
very unlikely, and a daemon that's 9 Years old.
[docker/engine-api@81388f0]: 81388f00dd
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
On docker 1.12 (API v1.24) and older, the `SecurityOptions` field of the
`/info` response would only list names of the security options that are
enabled in the daemon. API v1.25 added additional information to this
information. Initially, this included a change to return the information
in structured format (b237189e6c), which
was a backward-incompatible change, so an alternative format was introduced
in 514ca09426 to used a string-slice, but
prefixing options with `name=`, followed by the name of the security-options
and any config options related to it as `key[=<value>]` pairs.
On current API versions:
curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.51/info' | jq .SecurityOptions
[
"name=seccomp,profile=builtin",
"name=cgroupns"
]
On API version v1.24:
curl -s --unix-socket /var/run/docker.sock 'http://localhost/v1.24/info' | jq .SecurityOptions
[
"seccomp",
"cgroupns"
]
The Docker CLI unconditionally handles either format when presenting the
information; for backward-compatibility, it contains fallback code to handle
cases where no `name=` prefix is present, but this logic is not based on
API version.
Given that any current version of the CLI is handling either format, and
versions of the CLI that did not have this handling are at least 9 Years
old (and long EOL), removing the old format is unlikely to be causing
issues and we can remove this special handling, and return the information
in the current format.
If we consider this information to be relevant for clients, we should
ultimately consider making it available in a more structured format as
was the original intent of b237189e6c.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- move api/types/container.ExecOptions to the client
- rename api/types/container.ExecOptions to ExecCreateRequest
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- move api/types/container.ExecStartOptions to the client
- move api/types/container.ExecAttachOptions to the client
- rename api/types/container.ExecStartOptions to ExecStartRequest
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
daemon versions before v18.09 (API v1.39) returned a magic `<unknown>` value
for the `KernelVersion` and `OperatingSystem` if these values were not set.
Commit e6e8ab50fa removed this magic values,
but kept a fallback for old versions of the CLI that expected this value to
be pre-formatted this way. Given that this change was over 7 Years ago, and
never was a strict contract of the API, we can remove this fallback. Current
versions of the CLI properly handle presentation, so this would only impact
EOL versions of the CLI.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Update changelog to include mention of the new fields added
in 3f86797d3f.
- Update changelog to mention removal of the deprecated fields
in b092c8ca64
- Sync v1.52 swagger docs with the current version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When running:
docker network create --ipv6 b46
docker run --rm -ti \
--network name=b46,driver-opt=com.docker.network.endpoint.sysctls=net.ipv6.conf.IFNAME.disable_ipv6=1 \
busybox
IPv6 is enabled in the container and the network, so an IPv6 address
will be allocated for the endpoint.
But, when the sysctl is applied, the IPv6 address will be removed
from the interface ... so, no unsolicited neighbour advertisement
should be (or can be) sent and, the endpoint should not be treated
as dual-stack when selecting a gateway endpoint and, if it is
selected as the gateway endpoint, setting up an IPv6 route via the
network will fail.
So, if the IPv6 address disappears after sysctls have been applied,
release the address and remove it from the endpoint's config.
Signed-off-by: Rob Murray <rob.murray@docker.com>
And move the Endpoint.populateNetworkResources code into the
all-platforms part of the Sandbox method.
Signed-off-by: Rob Murray <rob.murray@docker.com>
DNS is set up when the endpoint is joined to a network.
It was added in commit 4850c5f (Avoid duplicate entries in
/etc/hosts) then simplified in bcca214 (libnetwork: open-code
updating svc records) and seems to be related to setting up a
name on a swarm node that isn't running the container with the
endpoint.
But, all callers of Network.createEndpoint follow up with an
Endpoint.Join, which also sets up the DNS entry. Those callers are:
Network.createLoadBalancerSandbox
Network.CreateEndpoint
- called by Daemon.connectToNetwork
- called by Sandbox.setupDefaultGateway
- called by builder-net/executor.go: iface.init
None of them bail out before the Join for a Swarm case.
So, it looks like enough has changed that the createEndpoint code is
no longer needed (it predates the internal DNS server) ... remove it.
Signed-off-by: Rob Murray <rob.murray@docker.com>
When the SetKey hook is used (by a build container) it's called after
Endpoint.sbJoin, which will have called Sandbox.populateNetworkResources
to set up address, routes, sysctls and so on - but it's not able to do
any config until the osSbox exists. So, Sandbox.populateNetworkResources
is called again by SetKey to finish that config.
But, that means the rest of Endpoint.sbJoin has already happened before
the osSbox existed - it will have configured DNS, /etc/hosts, gateways
and so on before anything was set up for the OS.
So, if the osSbox configuration isn't applied as expected (for example,
a sysctl disables IPv6 on the endpoint), that sbJoin configuration is
incorrect.
To avoid unnecessary config+cleanup in thoses cases - delay the config
currently done by sbJoin until the osSbox exists.
Signed-off-by: Rob Murray <rob.murray@docker.com>
This option was deprecated in Docker 27.0 through 7ea9acc97f,
and removed in 28.0 through ae96ce866f.
The field was kept to provide a user-friendly error when used; this
patch removes the field altogether.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When Windows reboots, it removes HNS networks. They're restored
from Docker's store (unlike after a daemon restart, where Docker
networks are restored from HNS networks).
When that happens, preserve the driver-opt that reports the HNS
network name when that happens.
Signed-off-by: Rob Murray <rob.murray@docker.com>
After creating a new network, inspect shows that there's no value
for option "com.docker.network.windowsshim.networkname". After
restarting the daemon, it shows up with the docker network name
(not the HNS network name, which defaults to the docker network's
id).
Creating the network with "-o com.docker.network.windowsshim.networkname"
sets the HNS network name, and it shows up in inspect. Until the
daemon is restarted, then it shows the docker network name.
So - set the option value to the HNS network name on creation (the id
if no name is given), and on restore after restart use the name
reported by HNS.
Signed-off-by: Rob Murray <rob.murray@docker.com>
When ipvlan in "l2" mode is given no '--gateway' option, an
address is allocated from IPAM and a default route is set up
via that gateway. But, the gateway address is not assigned to
anything in the Docker ipvlan network - it must be external,
and IPAM shouldn't try to guess it.
So ...
- always disable IPAM gateway address allocation for ipvlan-l2
- tell libnet to assume the endpoint has a gateway instead
- update the Join code to allow for no configured gateway
- always disable 'docker_gwbridge' connection for ipvlan
networks, so it's not hooked up when there is no gateway
address.
Signed-off-by: Rob Murray <rob.murray@docker.com>
When macvlan is given no '--gateway' option, an address is
allocated from IPAM and a default route is set up via that
gateway. But, the gateway address is not assigned to anything
in the Docker macvlan network - it must be external, and
IPAM shouldn't try to guess it.
When IPv6 auto-configuration is enabled in the network the
macvlan is connected to, the macvlan driver races against it
to set up the gateway. When autoconfig wins, container creation
fails because the default route already exists.
So ...
- disable IPAM gateway address allocation for macvlan
- update the Join code to allow for no configured gateway
- always disable 'docker_gwbridge' connection for macvlan
networks, so it's not hooked up when there is no gateway
address.
Libnet assumes an endpoint with no statically configured default
gateway or route does not provide external connectivity. So, it
disables external DNS access, and will not select the endpoint
as gateway for containers. So, where an IPAM allocated gateway
address would have been assigned before, tell libnet to assume
there will be an auto-configured gateway.
Signed-off-by: Rob Murray <rob.murray@docker.com>
This field was deprecated in 0c182d4d57,
which should be included in a 28.x release, but we don't need to carry
it in the new module.
We should also considering duplicating the `ExecOptions` type as a client
option, and renaming it to `ExecCreateRequest`, so that we can decouple
client options from the shape of the request.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was deprecated in 83f8f4efd7,
and the package is internal to the daemon, so we can remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was deprecated in 54a556a5ef,
and the package is now internal to the daemon, so we can remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Complete the removal of the deprecated network structs by dropping the
remaining references in daemon code.
Signed-off-by: Cory Snider <csnider@mirantis.com>
