This simplifies `dockerd-rootless.sh` by removing the workaround for
`CDI: Error associated with spec file /etc/cdi: failed to monitor for changes: permission denied`.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
In rootless mode, the Engine needs to call the rootless port driver to
know which IP address it should bind to inside of its network namespace.
The slirp4netns port driver doesn't support binding to IPv6 addresses, so
we need to detect that before listening on the port.
Before commit 201968cc0, this wasn't a problem because the Engine was
binding the port, then calling the rootless port driver to learn whether the
proto/IP family was supported, and listening on the port if so.
Starting with that commit, the Engine does bind + listen in one go, and
then calls the port driver — this is too late. Fix the bug by checking
if the port driver supports the PortBindingReq, and only allocate the
port if so.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
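The ordering the fix restores, as an added example that is not moby's own code: the Engine consults the port driver about the requested proto/IP family first and only binds and listens when the driver says it can forward that binding. `PortBindingReq`, `PortDriver` and the two toy drivers are hypothetical simplifications (the real request type carries more fields); the IPv4-only driver stands in for slirp4netns.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// PortBindingReq is a simplified stand-in for the request the Engine sends
// to a rootless port driver (hypothetical shape; field names are assumptions).
type PortBindingReq struct {
	Proto  string // only "tcp" is exercised here
	HostIP net.IP
	Port   int // 0 lets the OS pick a free port
}

// PortDriver is a hypothetical interface modelling the capability query.
type PortDriver interface {
	Supports(req PortBindingReq) bool
}

// slirp4netnsDriver models a driver that can only forward IPv4 bindings.
type slirp4netnsDriver struct{}

func (slirp4netnsDriver) Supports(req PortBindingReq) bool {
	return req.HostIP.To4() != nil
}

// rootlesskitDriver models a driver that forwards both IP families.
type rootlesskitDriver struct{}

func (rootlesskitDriver) Supports(PortBindingReq) bool { return true }

var ErrUnsupportedBinding = errors.New("port driver does not support this proto/IP family")

// allocatePort follows the fixed ordering: consult the driver first and
// only bind+listen when the binding is supported. Asking after the listen
// is too late, because by then the socket is already bound and the caller
// would have to unwind it.
func allocatePort(d PortDriver, req PortBindingReq) (net.Listener, error) {
	if !d.Supports(req) {
		return nil, fmt.Errorf("%w: %s %s", ErrUnsupportedBinding, req.Proto, req.HostIP)
	}
	addr := net.JoinHostPort(req.HostIP.String(), fmt.Sprint(req.Port))
	return net.Listen(req.Proto, addr)
}

func main() {
	for _, d := range []PortDriver{slirp4netnsDriver{}, rootlesskitDriver{}} {
		for _, ip := range []string{"127.0.0.1", "::1"} {
			l, err := allocatePort(d, PortBindingReq{Proto: "tcp", HostIP: net.ParseIP(ip)})
			if err != nil {
				fmt.Printf("%T %s: refused: %v\n", d, ip, err)
				continue
			}
			fmt.Printf("%T %s: listening on %s\n", d, ip, l.Addr())
			l.Close()
		}
	}
}
```

With the IPv4-only driver the `::1` request is refused before any socket is created, which is the point: no port is consumed for a binding that can never be forwarded.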
During a network disconnect, log rather than returning an error
if it's not possible to set up a new gateway.
This restores the behaviour from before commit 53390f8 ("Put
clearNetworkResources() inline in its only caller"). It's not
ideal, but by the time new gateways are selected the old
endpoint has been disconnected - and nothing puts things back.
Until that's cleaned up, a broken state is inevitable, but
letting endpoint deletion complete means the container can
be restarted or re-connected to the network without a zombie
endpoint causing further issues.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Throw an error if the containerd snapshotter is enabled on Windows but
containerd has not been configured. This fixes a panic in this case when
trying to use an uninitialized client.
Signed-off-by: Derek McGowan <derek@mcg.dev>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
When the endpoint providing a container's default gateway
is removed, there's no need to select a new gateway if the
container is being removed.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Call resolvconf.UserModified() in sandbox.setupDNS() to check if
resolv.conf was manually modified before regenerating it during
container restart for non-host network modes.
Signed-off-by: zhangguanzhang <zhangguanzhang@qq.com>
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
When ep.needResolver() is true, sb.startResolver() calls sb.rebuildDNS()
which doesn't update the resolv.conf hash file.
Subsequent calls to sb.updateDNS() (which is only called by
populateNetworkResourcesOS) won't have any effect since it'll compare
the hash file and consider that the file was manually modified.
Make this explicit by gating the call to updateDNS() on !needResolver().
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
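Both of the resolv.conf changes above hinge on the same mechanism: the daemon records a hash of the file it generated and later compares it against the file on disk to decide whether a user edited it. The following is an added example of that mechanism, not moby's `resolvconf` package; the `<path>.hash` sidecar layout and the function names are assumptions. `writeWithoutHash` reproduces the failure mode described in the second message: a code path that rewrites the file but does not refresh the hash makes every later check read as "manually modified".

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// hashOf fingerprints the content the daemon last generated.
func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// hashPath is the assumed sidecar location for the recorded hash.
func hashPath(resolvConf string) string { return resolvConf + ".hash" }

// writeGenerated writes resolv.conf and records the hash of exactly the
// bytes written, so a later comparison can tell "ours" from "edited".
func writeGenerated(path string, content []byte) error {
	if err := os.WriteFile(path, content, 0o644); err != nil {
		return err
	}
	return os.WriteFile(hashPath(path), []byte(hashOf(content)), 0o644)
}

// writeWithoutHash models a code path that rewrites the file but forgets
// to refresh the hash: the next userModified check reports "modified"
// even though no user touched the file.
func writeWithoutHash(path string, content []byte) error {
	return os.WriteFile(path, content, 0o644)
}

// userModified reports whether the on-disk file differs from what was last
// recorded as generated. A missing hash file is treated as modified: when
// provenance is unknown, the safe default is not to clobber the file.
func userModified(path string) (bool, error) {
	cur, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	recorded, err := os.ReadFile(hashPath(path))
	if errors.Is(err, os.ErrNotExist) {
		return true, nil
	}
	if err != nil {
		return false, err
	}
	return string(recorded) != hashOf(cur), nil
}

// regenerate mirrors the restart path: rewrite resolv.conf only when it is
// absent or still the daemon's own output. Reports whether it wrote.
func regenerate(path string, content []byte) (bool, error) {
	mod, err := userModified(path)
	switch {
	case errors.Is(err, os.ErrNotExist):
		// no resolv.conf yet: nothing to preserve
	case err != nil:
		return false, err
	case mod:
		return false, nil
	}
	return true, writeGenerated(path, content)
}

func main() {
	dir, err := os.MkdirTemp("", "resolvconf-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	p := filepath.Join(dir, "resolv.conf")

	generated := []byte("nameserver 127.0.0.11\noptions ndots:0\n") // constructed sample
	_ = writeGenerated(p, generated)
	mod, _ := userModified(p)
	fmt.Println("fresh generated file modified?", mod) // false

	_ = writeWithoutHash(p, []byte("nameserver 9.9.9.9\n")) // simulated user edit
	wrote, _ := regenerate(p, generated)
	fmt.Println("regenerate clobbered the user edit?", wrote) // false
}
```

The conservative default matters for the bug described above: once a rewrite skips the hash update, `userModified` can no longer distinguish the daemon's own output from a user edit, so every subsequent `regenerate` becomes a no-op until something refreshes the hash.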
Make the DiscoverNew switch only responsible for asserting the correct
data type, and push the conversion logic into the setKeys and updateKeys
methods.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Also:
- remove the hostConfig param from Daemon.createContainerVolumesOS.
- rename var container -> ctr
Signed-off-by: Rob Murray <rob.murray@docker.com>
The container's constructor, Daemon.newContainer, already has
hostConfig and can just assign it directly.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Call registerMountPoints after the rest of the container's
configuration has been set up.
This will make it possible to call an NRI plugin with the
container's config, allowing it to adjust the mounts in that
config, before it's used to find volumes etc.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Daemon.createContainerOSSpecificSettings adds container config for
the OS, and creates volumes. Split those two things.
This will make it possible to call an NRI plugin after the config
is complete, before volumes are created - so the NRI plugin can
adjust a full set of config, including volumes.
Signed-off-by: Rob Murray <rob.murray@docker.com>
The call from Daemon.create -> Daemon.setHostConfig acquired
container.Lock, but didn't need to because the container is
newly created and solely owned by the caller. The call from
Daemon.restore did not acquire the lock.
Signed-off-by: Rob Murray <rob.murray@docker.com>
If a container is using a docker_gwbridge endpoint as its gateway,
when it's connected to another network that provides a gateway, the
docker_gwbridge endpoint is removed when that endpoint is added (in
a recursive nightmare).
So, the "before" gateway for the container has been removed
before the new gateway is updateExternalConnectivity'd.
Don't pass the old gateway to updateExternalConnectivity in that
case, because the network driver's already forgotten about it.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Export trace spans from the github.com/microsoft/hcsshim module, which
is instrumented with OpenCensus, to the daemon's OpenTelemetry exporter
to provide more visibility into Windows container lifecycle operations.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Commit a8b9eff90 removed a call to Network.updateSvcRecord from
Network.createEndpoint on the grounds that:
> all callers of Network.createEndpoint follow up with an Endpoint.Join,
> which also sets up the DNS entry.
However, the original call in Network.createEndpoint was gated by:
```
if !n.getController().isSwarmNode() || n.Scope() != scope.Swarm || !n.driverIsMultihost() {
	n.updateSvcRecord(context.WithoutCancel(ctx), ep, true)
}
```
whereas the call in Endpoint.sbJoin() (invoked by Endpoint.Join()) is
gated by:
```
if !n.getController().isAgent() {
	if !n.getController().isSwarmNode() || n.Scope() != scope.Swarm || !n.driverIsMultihost() {
		n.updateSvcRecord(context.WithoutCancel(ctx), ep, true)
	}
}
```
As a result, once a node has joined a Swarm cluster, no DNS entries are
created for non-swarm-scoped networks.
Change the condition used by `sbJoin` to match the original condition
used in `createEndpoint`.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
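To see exactly which states the extra `isAgent()` guard silenced, the two quoted conditions can be reduced to predicates over the four booleans they depend on and compared across all sixteen combinations. This is an added example, not libnetwork code; the `state` struct and function names are assumptions, and `shared` is the inner condition both call sites quote above.

```go
package main

import "fmt"

// state captures the four booleans the two quoted conditions depend on.
type state struct {
	isAgent     bool // n.getController().isAgent()
	isSwarmNode bool // n.getController().isSwarmNode()
	swarmScope  bool // n.Scope() == scope.Swarm
	multihost   bool // n.driverIsMultihost()
}

// shared is the inner condition present at both call sites.
func shared(s state) bool { return !s.isSwarmNode || !s.swarmScope || !s.multihost }

// createEndpointGate is the gate that used to live in Network.createEndpoint.
func createEndpointGate(s state) bool { return shared(s) }

// sbJoinGateBefore is Endpoint.sbJoin's gate before the fix.
func sbJoinGateBefore(s state) bool { return !s.isAgent && shared(s) }

// sbJoinGateAfter is the gate after aligning sbJoin with createEndpoint.
func sbJoinGateAfter(s state) bool { return shared(s) }

// allStates enumerates the 16 combinations of the four inputs.
func allStates() []state {
	var out []state
	for i := 0; i < 16; i++ {
		out = append(out, state{
			isAgent:     i&1 != 0,
			isSwarmNode: i&2 != 0,
			swarmScope:  i&4 != 0,
			multihost:   i&8 != 0,
		})
	}
	return out
}

// divergence returns the states where gate disagrees with createEndpointGate,
// i.e. where a service record that createEndpoint used to add is skipped.
func divergence(gate func(state) bool) []state {
	var out []state
	for _, s := range allStates() {
		if gate(s) != createEndpointGate(s) {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	for _, s := range divergence(sbJoinGateBefore) {
		fmt.Printf("before fix, no svc record for %+v\n", s)
	}
	fmt.Println("after fix, diverging states:", len(divergence(sbJoinGateAfter)))
}
```

The pre-fix gate diverges in every state where `isAgent` is true and the shared condition holds; the case the message describes (agent running, network not swarm-scoped) is one of them. The post-fix gate diverges nowhere.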
The priority order for determining image store choice was incorrect when
a prior graphdriver existed.
The issue occurred because the prior graphdriver check happened after
processing explicit driver configuration, effectively ignoring user
intent when prior state existed.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Updates docker pull to pull related attestation manifest and
any signatures for that manifest in cosign referrer objects.
These objects are transferred with the image when running
docker save and docker load and can be used to identify
the image in future updates.
Push is not updated atm as the current push semantics
in containerd mode do not have correct immutability
guaranteed and don't work with image indexes.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
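Locating the related objects the pull now fetches starts with the image index. BuildKit marks an attestation manifest in the index with the `vnd.docker.reference.type: attestation-manifest` annotation and points it at the image manifest it attests via `vnd.docker.reference.digest`; cosign signatures are discovered through the referrers API, with the distribution-spec 1.1 fallback tag `<alg>-<hex>` and cosign's own `<alg>-<hex>.sig` tag as the legacy locations. The block below is an added example, not moby's or containerd's code: it parses a constructed index, pairs attestation manifests with their image manifests, and derives the fallback tags. It goes slightly beyond the message by covering the tag-based fallbacks as well as the referrers annotations; the sample digests are computed from placeholder strings.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Platform, Descriptor and Index are a minimal subset of the OCI image spec types.
type Platform struct {
	Architecture string `json:"architecture"`
	OS           string `json:"os"`
}

type Descriptor struct {
	MediaType   string            `json:"mediaType"`
	Digest      string            `json:"digest"`
	Size        int64             `json:"size"`
	Platform    *Platform         `json:"platform,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

type Index struct {
	SchemaVersion int          `json:"schemaVersion"`
	MediaType     string       `json:"mediaType"`
	Manifests     []Descriptor `json:"manifests"`
}

// BuildKit marks attestation manifests in an index with these annotations.
const (
	annRefType      = "vnd.docker.reference.type"
	annRefDigest    = "vnd.docker.reference.digest"
	attestationType = "attestation-manifest"
)

func parseIndex(b []byte) (Index, error) {
	var idx Index
	err := json.Unmarshal(b, &idx)
	return idx, err
}

func isAttestation(d Descriptor) bool { return d.Annotations[annRefType] == attestationType }

// imageManifests returns the runnable image manifests (everything that is not an attestation).
func imageManifests(idx Index) []Descriptor {
	var out []Descriptor
	for _, d := range idx.Manifests {
		if !isAttestation(d) {
			out = append(out, d)
		}
	}
	return out
}

// attestationsFor returns the attestation manifests that reference imageDigest.
func attestationsFor(idx Index, imageDigest string) []Descriptor {
	var out []Descriptor
	for _, d := range idx.Manifests {
		if isAttestation(d) && d.Annotations[annRefDigest] == imageDigest {
			out = append(out, d)
		}
	}
	return out
}

// referrersTag is the distribution-spec 1.1 fallback tag ("<alg>-<hex>") a client
// lists when the registry does not implement the referrers API.
func referrersTag(digest string) string { return strings.Replace(digest, ":", "-", 1) }

// cosignSignatureTag is cosign's tag-based location for a manifest's signature.
func cosignSignatureTag(digest string) string { return referrersTag(digest) + ".sig" }

// digestOf builds a well-formed digest from placeholder bytes; the sample index
// below is constructed for this example, not pulled from a registry.
func digestOf(s string) string {
	sum := sha256.Sum256([]byte(s))
	return "sha256:" + hex.EncodeToString(sum[:])
}

func sampleIndexJSON() []byte {
	const manifestMT = "application/vnd.oci.image.manifest.v1+json"
	amd64 := digestOf("manifest-amd64")
	idx := Index{SchemaVersion: 2, MediaType: "application/vnd.oci.image.index.v1+json", Manifests: []Descriptor{
		{MediaType: manifestMT, Digest: amd64, Size: 1, Platform: &Platform{Architecture: "amd64", OS: "linux"}},
		{MediaType: manifestMT, Digest: digestOf("manifest-arm64"), Size: 1, Platform: &Platform{Architecture: "arm64", OS: "linux"}},
		// BuildKit emits attestation manifests with platform unknown/unknown.
		{MediaType: manifestMT, Digest: digestOf("attestation-amd64"), Size: 1,
			Platform:    &Platform{Architecture: "unknown", OS: "unknown"},
			Annotations: map[string]string{annRefType: attestationType, annRefDigest: amd64}},
	}}
	b, _ := json.Marshal(idx)
	return b
}

func main() {
	idx, err := parseIndex(sampleIndexJSON())
	if err != nil {
		panic(err)
	}
	for _, img := range imageManifests(idx) {
		fmt.Printf("%s/%s %s\n", img.Platform.OS, img.Platform.Architecture, img.Digest)
		for _, att := range attestationsFor(idx, img.Digest) {
			fmt.Printf("  attestation %s\n", att.Digest)
		}
		fmt.Printf("  referrers tag %s, cosign sig tag %s\n", referrersTag(img.Digest), cosignSignatureTag(img.Digest))
	}
}
```

A client that saves or loads the image alongside these objects needs all three lookups: the attestation descriptors come from the index itself, while signatures must be resolved per image manifest digest through the referrers API or its tag fallback.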
The image exporter wrapper was unconditionally setting `unpack=true` for
all build exports, preventing users from controlling this behavior
through buildkit's output image exporter option.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>