When there is an error unmounting a local volume, it is still possible
to call `Remove()` on the volume causing removal of the mounted
resources which is generally not desirable.
This ensures that resources are unmounted before attempting removal.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit db3576f8a0)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fixes issues where the underlying filesystem may be disconnected and
attempting to unmount may cause a hang.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit acbfe6bc56)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
The previous implementation would error out with "Unexpected EOF" which
was caused by an underlying "array index out-of-bounds" error.
The root cause was deleting items from the same array that was being
iterated over. The iteration was unaware that the array size had
changed, resulting in an error.
The new implementation builds a new array instead of mutating a copy of
the old one.
Fixes: #32744
Signed-off-by: Dave Tucker <dt@docker.com>
Revendors swarmkit with a change that fixes a rare segfault that can
occur when following logs on a brand new service with bad bind mount
options.
Fixesdocker/swarmkit#2147
Signed-off-by: Drew Erny <drew.erny@docker.com>
The source of a tag operation is allowed to be a 64-character hex
string. This means it should use ParseAnyReference for validation
instead of ParseNormalizedNamed.
This fixes a regression that happened in 17.04.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 4a0704cdbd)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
bash-completion script for 'docker build --network' calls
__docker_plugins, the correct name for this function is
__docker_plugins_bundled.
Closes#32588
Signed-off-by: Corey Farrell <git@cfware.com>
(cherry picked from commit eede2056fe)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Implements the following new CLI features:
- service logs is no longer experimental
- service logs also accepts task IDs
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 47615c9b9b)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
In some cases, if a user specifies `-f` when disabling a plugin mounts
can still exist on the plugin rootfs.
This can cause problems during upgrade where the rootfs is removed and
may cause data loss.
To resolve this, ensure the rootfs is unmounted
before performing an upgrade.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 83f44d232d)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Since the certificate may be renewed multiple times, this check is
necessary.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 2b5ef9bfef)
Also fixed some examples of using `docker build` to clarify that the
positional argument is a directory, not a file.
Also fixed some terminology. Dockerfiles contain instructions, not directives or
commands.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
When a container was being destroyed was possible to have
flows in conntrack left behind on the host.
If a flow is present into the conntrack table, the packet
processing will skip the POSTROUTING table of iptables and
will use the information in conntrack to do the translation.
For this reason is possible that long lived flows created
towards a container that is destroyed, will actually affect
new flows incoming to the host, creating erroneous conditions
where traffic cannot reach new containers.
The fix takes care of cleaning them up when a container is
destroyed.
The test of this commit is actually reproducing the condition
where an UDP flow is established towards a container that is then
destroyed. The test verifies that the flow established is gone
after the container is destroyed.
Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Return dockerfile from parseDockerfile and pass the dockerfile nodes
as an arg
Strip unused arg from builder.NewBuilder.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
If no fields related to an update config or restart policy are
specified, these structs should not be created as part of the service,
to avoid hardcoding the current defaults.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This adds a new parameter insertDefaults to /services/{id}. When this is
set, an empty field (such as UpdateConfig) will be populated with
default values in the API response. Make "service inspect" use this, so
that empty fields do not result in missing information when inspecting a
service.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Service logs API is now stable. Service logs now support all features,
except retrieving details provided to the log driver.
Signed-off-by: Drew Erny <drew.erny@docker.com>
Logging plugins use the same HTTP interface as other plugins for basic
command operations meanwhile actual logging operations are handled (on
Unix) via a fifo.
The plugin interface looks like so:
```go
type loggingPlugin interface {
StartLogging(fifoPath string, loggingContext Context) error
StopLogging(fifoPath)
```
This means a plugin must implement `LoggingDriver.StartLogging` and
`LoggingDriver.StopLogging` endpoints and be able to consume the passed
in fifo.
Logs are sent via stream encoder to the fifo encoded with protobuf.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- Moved DefaultInitBinary from daemon/daemon.go to
daemon/config/config.go since it's a daemon config and is referred in
config package files.
- Added condition in GetInitPath to check for any explicitly configured
DefaultInitBinary. If not, the default value of DefaultInitBinary is
returned.
- Changed all references of DefaultInitBinary to refer to the variable
from new location.
- Added TestCommonUnixGetInitPath to test for the various values of
GetInitPath.
Fixes#32314
Signed-off-by: Sunny Gogoi <indiasuny000@gmail.com>
This is the non-deprecated field, and the one that can be changed in a
service update.
Since old daemon versions don't allow migrating from one field to the
other, make this conditional on the API version.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Resolve networks IDs on the client side.
Avoid filling in deprecated Spec.Networks field.
Sort networks in the TaskSpec for update stability.
Add an integration test for changing service networks.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
- Defined "normalized" type for Credential Spec and SELinux
- Added --credential-spec to docker service create & update
- SELinux is API only at the time
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Paths resolving to c:\ or c:\windows are forbidden
Replaced the obscure (and non-working) regex with a simple case
insensitive comparison to the black listed paths (we should forbid c:\,
c:\windows but not d:\)
Also, add a test ensuring paths are case insensitive on windows
Also, made sure existing multi-staged build tests pass on windows
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
Invalid version strings for the init (tini)
binary were still accepted, which lead to (e.g.)
"hello world"
Being used as "vhello world"
This makes the version parsing slightly stricter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ubuntu 17.04 will be released soon http://releases.ubuntu.com/zesty/
Note that this is a short-term release, so will
EOL (and removed again) in 9 months
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Refactor container logs system to make communicating log messages
internally much simpler. Move responsibility for marshalling log
messages into the REST server. Support TTY logs. Pave the way for fixing
the ambiguous bytestream format. Pave the way for fixing details.
Signed-off-by: Drew Erny <drew.erny@docker.com>
This parameter controls the order of operations when rolling out an
update task. Either the old task is stopped before starting the new one,
or the new task is started first, and the running tasks will briefly
overlap.
This commit adds Rollout to the API, and --update-order / --rollback-order
flags to the CLI.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fix tries to address the issue raised in 31032 where it was
not possible to specify `--cpus` for `docker update`.
This fix adds `--cpus` support for `docker update`. In case both
`--cpus` and `--cpu-period/--cpu-quota` have been specified,
an error will be returned.
Related docs has been updated.
Integration tests have been added.
This fix fixes 31032.
This fix is related to 27921, 27958.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29999 where it was not
possible to mask these items (like important non-removable stuff)
from `docker system prune`.
This fix adds `label` and `label!` field for `--filter` in `system prune`,
so that it is possible to selectively prune items like:
```
$ docker container prune --filter label=foo
$ docker container prune --filter label!=bar
```
Additional unit tests and integration tests have been added.
This fix fixes 29999.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fixes https://github.com/docker/docker/issues/32400
We were already actually vendoring from github.com/ijc25/Gotty in order to
pickup github.com/Nvveen/Gotty#1. github.com/ijc25/Gotty#master now contains
merges of both of those upstream PRs.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Allowing the retries to go up to 10 causes the test to always
hit the check against ensuring the retry wait went up to 15 seconds.
Additionally we have the max download attempts in the code set to
5. This change did not protect against using this test to expose
a problem in the underlying code. Remove checks for retry since
there may be additional requests before the upload.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Unless we are adding or removing environment variables, their order
shouldn't be changed. This makes it look like the service's TaskSpec has
changed relative to the old version of the service, and containers need
to be redeployed.
The existing code always rebuilds the list of environment variables by
converting them to a map and back, but there's no reason to do this if
no environment variables are being added.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This commit adds a hidden placeholder of `.Self` for
`docker node ls --format` so that if the node is the same
as the current docker daemon, then a `*` is outputed.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the comment https://github.com/docker/docker/pull/30376#discussion_r97465334
where it was not possible to specify `--format` for `docker node ls`. The `--format` flag
is a quite useful flag that could be used in many places such as completion.
This fix implements `--format` for `docker node ls` and add `nodesFormat` in config.json
so that it is possible to specify the output when `docker node ls` is invoked.
Related documentations have been updated.
A set of unit tests have been added.
This fix is related to #30376.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
That way we can get stack dump earlier if there is something that
locks the daemon during start/restore phase.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When running "make install" in a build container,
docker is not installed the first time it's
run, causing these errors to appear;
$ make install
hack/make/.detect-daemon-osarch: line 11: docker: command not found
hack/make/.detect-daemon-osarch: line 11: docker: command not found
hack/make/.detect-daemon-osarch: line 11: docker: command not found
hack/make/.detect-daemon-osarch: line 11: docker: command not found
KEEPBUNDLE=1 hack/make.sh install-binary
This patch checks if docker exists, and if not
just continues silently :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Refactored the API to more easily accept new endpoints. Added REST,
client, and CLI endpoints for getting logs from a specific task. All
that is needed after this commit to enable arbitrary service log
selectors is a REST endpoint and handler.
Task logs can be retrieved by putting in a task ID at the CLI instead of
a service ID.
Signed-off-by: Drew Erny <drew.erny@docker.com>
This fix is related to 30232 wherw `docker service ls`
does not show `PORTS` information like `docker service ps`.
This fix adds `PORTS` fields for services that publish
ports in ingress mode.
Additional unit tests cases have been updated.
This fix is related to 30232.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
These integration tests were basically testing if a
decent error message was printed when attempting
to remove a running, paused, or restarting container.
Moving these tests to a unit-test to make the tests
not flaky (especially on the "restarting" container
test).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change "service create" and "service update" to wait until the creation
or update finishes, when --detach=false is specified. Show progress bars
for the overall operation and for each individual task (when there are a
small enough number of tasks), unless "-q" / "--quiet" is specified.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Test used to check whether ulimits applied by docker are in effect by
setting up nproc. However, in some environments (e.g. inside Virtuozzo
Containers), number of processes is higher and testcase fails. Hence, we
instead change testcase to check ulimits by setting nofile limit instead
of nproc.
Signed-off-by: Vitaly Ostrosablin <vostrosablin@virtuozzo.com>
This allows graphdrivers to declare that they can reproduce the original
diff stream for a layer. If they do so, the layer store will not use
tar-split processing, but will still verify the digest on layer export.
This makes it easier to experiment with non-default diff formats.
Signed-off-by: Alfred Landrum <alfred.landrum@docker.com>
None of the daemon flags use a constant for the
flag name.
This patch removes the constant for consistency
Also removes a FIXME, that was now in the wrong
location, and added a long time ago in
353b7c8ec7,
without a lot of context (and probably no longer really relevant).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The generated "changelog" was not removed
before re-generating, causing the changelog
to be added twice on repeated runs of "make rpm"
(when bind-mounting the local source).
As a result, rpms failed to build, because
the resulting file had entries in non-chronological
order.
This change removes the generated file
before re-generating, and adds the file
to .gitignore, to prevent it from
accidentally being added to source control.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Currently these fields are included in the response JSON with zero
values. It's better not to include them if the information is
unavailable (for example, on a worker node).
This turns Cluster into a pointer so that it can be left out.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This test doesn't clean the folder where it stores it's config (and
the trust folder), and thus, it fails if we run it more than
once (could also affect other tests at some point).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Add some required command operators to the `cli` package, and update
some tests to use this package, in order to remove a few functions
from `docker_utils_test.go`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Even though the flag `--api-enable-cors` is deprecated in favor of
`--api-cors-header`. Using only `--api-cors-header` does not enable
CORS.
Make changes to 'cmd/dockerd/daemon.go' to enable cors if either of
the above flags is set.
Signed-off-by: Karthik Nayak <Karthik.188@gmail.com>
When sending a bad URL in the fromSrc parameter using cURL
the response will have status code 200 while it should have 404
or 500 (depends on the error).
This commit addresses this problem in the following ways:
* Before, `src` was parsed using url.Parse and if the
returned `url.Scheme` was empty it was set to 'http'
and `url.Host` was set to `src`.
This is bad because if `src` was 'web.com/tars/image1.tar'
The `url.String()` returns 'web.com%2Ftars%2Fimage1.tar`
which will cause the daemon to fail downloading the file
* Before writing the "Downloading" message, the image
is attempted to be downloaded and if there is no error
the "Downloading" message is sent.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
"Giving THE developer...." -> "to express all THEIR application's.."
A developer is single.
"Their" refers to plural (multiple developers).
So, adjusted to plural ("developers") so that the two will match.
* The alternative would be to use "his / her" but that leads to gender reference issues, so the former alternative works better
Signed-off-by: Jonathan Saring <yoni@cocycles.com>
If a container is dead or marked for removal, the json log
file could have been removed, so docker logs will return
`<id>-json.log: no such file or directory`.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
While restoring plugins during daemon restart, some plugins can fail to
respond to net.Dial. These plugins should be explicitly set to disabled,
else they will retain their original state of enabled, which is
incorrect.
Tested with a plugin that fails to restart and observed that the state
was set to disabled.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
This fix tries to address the request in 31324 by adding
`--filter scope=swarm|local` for `docker network ls`.
As `docker network ls` has a `SCOPE` column by default,
it is natural to add the support of `--filter scope=swarm|local`.
This fix adds the `scope=swarm|local` support for
`docker network ls --filter`.
Related docs has been updated.
Additional unit test cases have been added.
This fix fixes 31324.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Use type assertion to error out if the type isn't the right one
instead of panic as before this change.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Fixes#30841. The "filter" section had the wrong header size, which
caused sections following it to have the wrong indentation in the
right-side table of contents.
Signed-off-by: Greg Pflaum <gpflaum@users.noreply.github.com>
Notary switched to vendor a while ago, so make that change here. Change
is consistent with all other dockerfiles.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
When the daemon is configured to run with an authorization-plugin and if
the plugin is disabled, the daemon continues to send API requests to the
plugin and expect it to respond. But the plugin has been disabled. As a
result, all API requests are blocked. Fix this behavior by removing the
disabled plugin from the authz middleware chain.
Tested using riyaz/authz-no-volume-plugin and observed that after
disabling the plugin, API request/response is functional.
Fixes#31836
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Embedding DockerVersion in plugin config when the plugin is created,
enables users to do a docker plugin inspect and know which version
the plugin was built on. This is helpful in cases where users are
running a new plugin on older docker releases and confused at
unexpected behavior.
By embedding DockerVersion in the config, we claim that there's no
guarantee that if the plugin config's DockerVersion is greater that
the version of the docker engine the plugin is executed against, the
plugin will work as expected.
For example, lets say:
- in 17.03, a plugin was released as johndoe/foo:v1
- in 17.05, the plugin uses the new ipchost config setting and author
publishes johndoe/foo:v2
In this case, johndoe/foo:v2 was built on 17.05 using ipchost, but is
running on docker-engine version 17.03. Since 17.05 > 17.03, there's
no guarantee that the plugin will work as expected. Ofcourse, if the
plugin did not use newly added config settings (ipchost in this case)
in 17.05, it would work fine in 17.03.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
It is just an alias type and make the code a little bit more complex
and hard to use from outside `compose` package.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
"docker node ps" behaves strangely outside swarm mode:
$ docker node ps
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
Error: No such node:
It should explain that the node is not a swarm manager.
The reason this happens is that the argument to "docker node ps" defaults
to "self". The first thing the command does is try to resolve "self" to
a node ID using the /info endpoint. If there is no node ID, it tries to
use the empty string as an ID, and tries to GET /nodes/, which is not a
valid endpoint.
Change the command to check if the node ID is present in the /info
response. If it isn't, a swarm API endpoint can supply a useful error
message.
Also, avoid printing the column headers if the only following text is an
error.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Tested using global-net-plugin-ipc which sets PidHost in config.json.
Plugins might need access to host pid namespace. Add support for that.
Tested using aragunathan/global-net-plugin-ipc which sets "pidhost" in
config.json. Observed using `readlink /proc/self/ns/pid` that plugin and
host have the same ns.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Plugins might need access to host ipc namespace. A good usecase is
a volume plugin running iscsi multipath commands that need access to
host kernel locks.
Tested with a custom plugin (aragunathan/global-net-plugin-full) that's
built with `"ipchost" : true` in config.json. Observed using
`readlink /proc/self/ns/ipc` that plugin and host have the same ns.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Removes the build-args from the image history if they are in the
BuiltinAllowedBuildArgs map unless they are explicitly defined in an ARG
instruction.
Signed-off-by: Dave Tucker <dt@docker.com>
The `reference` filter is documented in the file, but is not present
in the list of available filters.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This patch makes sure that containers in the created-stated are
counted as stopped containers. Otherwise if you create a container,
don't run it and type: "docker rm ", followed by pressing tab in zsh, it won't show up.
Signed-off-by: Nikolas Garofil <nikolas.garofil@uantwerpen.be>
Signed-off-by: Nikolas Garofil <nikolas@garofil.be>
`docker node update` accepts only one node.
Before this change, bash completion would complete additional nodes.
Signed-off-by: Harald Albers <github@albersweb.de>
If a caller specifies an SELinux type or MCS Label and still wants to
share an IPC Namespace or the host namespace, we should allow them.
Currently we are ignoring the label specification if ipcmod=container
or pidmode=host.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
TestPluginTrustedInstall revealed a race in the plugin shutdown logic,
where the exit channel signal was sent even before the propagated mounts
were unmounted. If the same plugin was enabled, it would try to setup
propagated mounts *before* it was unmounted resulting in errors.
This change fixes the behavior by waiting until the unmount completes on
disable before marking the plugin as disabled.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
This type is only used by CLI code. It duplicates SecretReference in the
types/swarm package. Change the CLI code to use that type instead.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
when i was using:
docker search --automated -s 3 nginx
told me:
Flag --automated has been deprecated, use --filter=automated=true instead
Flag --stars has been deprecated, use --filter=stars=3 instead
and when i use:
docker search --filter=automated=true --filter=stars=3 nginx
told me:
Error response from daemon: Invalid filter 'automated'
and i found out that the correct command should be:
docker search --filter=is-automated=true --filter=stars=3 nginx
Signed-off-by: Pure White <daniel48@126.com>
This more (in spirit) mimics the handler usage in net/http/pprof.
It also makes sure that any new profiles that are added are
automatically supported (e.g. `mutex` profiles in go1.8).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The current error-handling only checked for version annotations
on the subcommand itself, but did not check the top-level command.
This patch always traverses the command path (parents), and
prints an error if the command is not supported.
Before this change:
$ docker service
Usage: docker service COMMAND
Manage services
Options:
--help Print usage
Commands:
create Create a new service
inspect Display detailed information on one or more services
ls List services
ps List the tasks of one or more services
rm Remove one or more services
scale Scale one or multiple replicated services
update Update a service
Run 'docker service COMMAND --help' for more information on a command.
$ docker service ls
ID NAME MODE REPLICAS IMAGE
After this change:
$ DOCKER_API_VERSION=1.12 docker service
docker service requires API version 1.24, but the Docker daemon API version is 1.12
$ DOCKER_API_VERSION=1.12 docker service ls
docker service ls requires API version 1.24, but the Docker daemon API version is 1.12
$ DOCKER_API_VERSION=1.24 docker plugin --help
docker plugin requires API version 1.25, but the Docker daemon API version is 1.24
$ DOCKER_API_VERSION=1.25 docker plugin upgrade --help
docker plugin upgrade requires API version 1.26, but the Docker daemon API version is 1.25
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix#31350
As we can see in `daemon.Images()`, there is a gap between
`allImages = daemon.imageStore.Map()` and `l, err :=
daemon.layerStore.Get(layerID)`, so images which still exist when we hit
`allImages = daemon.imageStore.Map()` may have already been deleted when we hit
`l, err := daemon.layerStore.Get(layerID)`.
```
if danglingOnly {
allImages = daemon.imageStore.Heads()
} else {
allImages = daemon.imageStore.Map()
}
...
for id, img := range allImages {
...
layerID := img.RootFS.ChainID()
var size int64
if layerID != "" {
l, err := daemon.layerStore.Get(layerID)
if err != nil {
return nil, err
}
```
Signed-off-by: Yuanhong Peng <pengyuanhong@huawei.com>
This fix tries to address the request in 31325 by adding
`--filter mode=global|replicated` to `docker service ls`.
As `docker service ls` has a `MODE` column by default, it is natural
to support `--filter mode=global|replicated` for `docker service ls`.
There are multiple ways to address the issue. One way is to pass
the filter of mode to SwarmKit, another way is to process the filter
of mode in the daemon.
This fix process the filter in the daemon.
Related docs has been updated.
An integration test has been added.
This fix fixes 31325.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fixes an issue preventing containerd from starting if the state
directory didn't exist already.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Starting with docker 1.10, docker no longer uses
/etc/hosts for service discovery, but uses an
embedded DNS server. This patch removes a reference
to the old (pre 1.10) behavior.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cpu.rt_runtime
PR https://github.com/docker/docker/pull/23430 introduced a couple more
flags including `--cpu-rt-runtime` to the docker daemon. It appears
recent changes or merge issues may have broken this. It currently does
not take the cgroup mount point into account when determining the cgroup
files to write values to. This breaks docker setting its own
`cpu.rt_runtime` for the daemon. This also means containers aren't able
to set theirs.
Also, the cgroups.FindCgroupMountpointAndRoot returns back a mount point
that includes the cgroup of the currently running container when docker
is run inside a docker container. this breaks the `--cpu-rt-runtime`
flag when running docker in docker. A fix has been placed here, but
potentially could be pulled up into libcontainer if this is a better
place for it.
Signed-off-by: Erik St. Martin <alakriti@gmail.com>
Load from env should only happen if the value is unset.
Extract a buildEnvironment function and revert some changes to tests.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
For an environment variable defined in the yaml without value,
the value needs to be propagated from the client, as in Docker Compose.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
- bash completion for `docker service create --placement-pref`
- bash completion for `docker service update --placement-pref-{add,rm}`
Signed-off-by: Harald Albers <github@albersweb.de>
When 567ef8e785 ("daemon: switch to 'ensure' workflow for AppArmor
profiles") was merged, it didn't correctly handle the exec path if
AppArmor profiles were deleted. Fix this by duplicating the
ensureDefaultApparmorProfile code in the exec code.
Fixes: 567ef8e785 ("daemon: switch to 'ensure' workflow for AppArmor profiles")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This change adds the ability to do --tail and --since on docker service
logs. It wires up the API endpoints to each other and fixes some older
bugs. It adds integration tests for these new features.
Signed-off-by: Drew Erny <drew.erny@docker.com>
Right now getting logs from a service with an attached TTY does not
work. The behavior was undefined and caused the command to hang and
strange messages to occur in the daemon logs.
This returns errors, both deep in the swarmkit adapter (to guard against
undefined behavior, which is Bad) and in the daemon (to tell users that
the thing they're asking for is not possible).
Signed-off-by: Drew Erny <drew.erny@docker.com>
This include ensure that containerd GRPC healthcheck service is
register before the restore process is done as this can take a while.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
In https://github.com/torvalds/linux/commit/5ca3726 (released in v4.7-rc1) the
content of the `cpuacct.usage_percpu` file in sysfs was changed to include both
online and offline cpus. This broke the arithmetic in the stats helpers used by
`docker stats`, since it was using the length of the PerCPUUsage array as a
proxy for the number of online CPUs.
Add current number of online CPUs to types.StatsJSON and use it in the
calculation.
Keep a fallback to `len(v.CPUStats.CPUUsage.PercpuUsage)` so this code
continues to work when talking to an older daemon. An old client talking to a
new daemon will ignore the new field and behave as before.
Fixes#28941.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Changed per requested review to refactor to make it more logic clear.
Current output for "docker top <contianer-id> m" option,eg:
root@b2c7ec58399d:/go/src/github.com/docker/docker# docker top 755d5871ec45 am
PID TTY STAT TIME COMMAND
148 pts/0 - 0:00 bash
- - Ss+ 0:00 -
fixing issue:#30580
Signed-off-by: catinthesky <yaozaiyong@hotmail.com>
The response would never reach the client because it was being
redeclared in the current scope.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Running the rm command on a paused/restarting container
will give an error message saying the container is running
which is incorrect.
To fix that, the error message will have the correct
container state and a procedure to remove it accordingly.
Notice: docker-py was bumped to:
4a08d04aef0595322e1b5ac7c52f28a931da85a5
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Since it was introduced no reports were made and lsof seems to cause
issues on some systems.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
The description claims the directive is appearing after a comment but
the sample Dockerfile has the directive appear after an instruction.
Changed the ordering of the lines to match the example's description.
Signed-off-by: Remy Suen <remy.suen@gmail.com>
The cgo in `meminfo_solaris.go` initializes variables in for loops, and
therefore requires a `-std=c99` `CFLAG` in order to compile (at least on
modern SmartOS).
Signed-off-by: James Nugent <james@jen20.com>
- Align output. Previously, output would end up unaligned because of
longer task names (e.g. web.1 vs web.10)
- Truncate task IDs and add a --no-trunc option
- Added a --no-ids option to remove IDs altogether
- Got rid of the generic ID Resolver as we need more customization.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Some small changes to get the examples so that they run without error for me.
Improve consistency of presentation of the examples.
Fix some typos
Signed-off-by: kevinfeyrer <kevin.feyrer@btinternet.com>
Update vlan-networks.md
Restore "ip" accidentally removed
Signed-off-by: kevinfeyrer <kevin.feyrer@btinternet.com>
Update vlan-networks.md
Change prompt from container "$$" to host "$"
Signed-off-by: kevinfeyrer <kevin.feyrer@btinternet.com>
Update vlan-networks.md
Some changes suggested by cpuguy83 and thaJeztah
Signed-off-by: kevinfeyrer <kevin.feyrer@btinternet.com>
In the docker config.json, if `psFormat` or `imagesFormat` is set to a
non-standard format, it breaks autocompletion.
This fixes the issue by using a custom format.
Signed-off-by: Chris Gibson <chris@chrisg.io>
* run latest vndr so as to collect more LICENSE files
* remove unused packages
* vendor github.com/philhofer/fwd with LICENSE.md (MIT)
* vendor github.com/bsphere/le_go with LICENSE (MIT)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
The current behavior is for dockerd to fail to start if the swarm
component can't be started for some reason. This can be difficult to
debug remotely because the daemon won't be running at all, so it's not
possible to hit endpoints like /info to see what's going on. It's also
very difficult to recover from the situation, since commands like
"docker swarm leave" are unavailable.
Change the behavior to allow startup to proceed.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Because the plugins in dockerhub aren't multi-arch, they will
fail on non x86-64 platforms. Comment this test out like we do with
the others.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
When pinning by digest, the registry might be slow or unresponsive. This
could cause the context to already be expired by the time UpdateService
or CreateService is called. We want digest pinning to be a best-effort
operation, so it's problematic if a slow or misbehaving registry
prevents the service operation from completing. Replace the context
after communicating with the registry, so we have a fresh timeout for
the gRPC call.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
99.9% of use case for request call are using daemonHost. This makes it
default and adds a `request.DoOnHost` function to be able to specify
the host for specific, more complex use cases.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In more recent versions of Cobra, `--help` parsing is done before
anything else resulting in TestDaemonCommand not actually passing. I'm
actually unsure if this test ever passed since it appears that !daemon
is not being run as part of the test suite.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Server-side rollback can take advantage of the rollback-specific update
parameters, instead of being treated as a normal update that happens to
go back to a previous version of the spec.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When moving the clean function there, this check was not ported and
generated some errors on the CI. `deleteContainer` now fail if any
error but the clean function won't if "no such container" (because of
some races -_-).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Signed-off-by: John Howard <jhoward@microsoft.com>
This ensures that any compute processes in HCS are cleanedup
during daemon restore. Note Windows cannot (currently) reconnect
to containers on restore.
Previously building with seccomp disabled would cause build failures
because of a mismatch in the type signatures of DefaultProfile().
Signed-off-by: Aleksa Sarai <asarai@suse.de>
These Markdown files are now embedded in a YAML
file for templating in the documentation, and
these special markers are no longer needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds 'consistency' mode flags to the mount command line argument.
Initially, the valid 'consistency' flags are 'consistent', 'cached',
'delegated', and 'default'.
Signed-off-by: David Sheets <dsheets@docker.com>
Signed-off-by: Jeremy Yallop <yallop@docker.com>
When using `docker volume rm -f`, all errors were ignored,
and volumes where Purged, even if they were still in
use by a container.
As a result, repeated calls to `docker volume rm -f`
actually removed the volume.
The `-f` option was implemented to ignore errors
in case a volume was already removed out-of-band
by a volume driver plugin.
This patch changes the remove function to not
ignore "volume in use" errors if `-f` is used.
Other errors are still ignored as before.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
when doing devices.cancelDeferredRemoval, the device could have been removed
and return ErrEnxio, but it continue to check if it is need to do suspend.
doSuspend := devinfo != nil && devinfo.Exists != 0 uses a devinfo which is
get before devices.cancelDeferredRemoval(baseInfo), it is outdate, the device
has been removed and there is no need to do suspend. If do suspend it will return
devicemapper: Error running deviceSuspend dm_task_run failed.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Until the plugins are multi-arch plugins, or built on runtime,
skip these tests like we do with the remainder of the plugin tests.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Without this fix the error the client might see is:
target is unknown
which wasn't helpful to me when I saw this today. With this fix I
now see:
MediaType is unknown: 'text/html'
which helped me track down the issue to the registry I was talking to.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Per request for more debug info on how the engine deals with
multi-platform "manifest list" images, this adds information about the
manifest list entries and whether it found an os/arch match, and the
digest of the match.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
`request.SockRequestRaw` is deprecated, let's use appropriate methods
for those. This is a first pass, `SockRequest` still needs to be removed.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
… in order to remove duplication.
Each time we update a cluster object, we do some common
operations (lock, verify it's on a manager, get the request context,
and the update). This introduce a method and refactor few
update/remove method that allows to duplicate less code.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Both method are trying to detach the container from a cluster
network. The code is exactly the same, this removes the duplication.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Some methods need to get a container *and* validate some conditon on
these (is the container running, …). The CheckContainer allows
to do that and helps remove some duplication.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
endpointSpecFromGRPC and endpointFromGRPC do the exact same thing for
endpoint{,Spec}.Ports, let's extract that to a method.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When a plugin fails to start, we still incorrectly mark it as enabled.
This change verifies that we can dial to the plugin socket to confirm that
the plugin is functional and only then mark the plugin as enabled. Also,
dont delete the plugin on install, if only the enable fails.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
This commit adds contrib/integration-cli-on-swarm/integration-cli-on-swarm.sh,
which enables IT to be running in parallel, using Swarm-mode and Funker.
Please refer to contrib/integration-cli-on-swarm/README.md
The test takes almost 5 to 6 minutes, with 10 n1-standard-4 GCE instances.
$ ./contrib/integration-cli-on-swarm/integration-cli-on-swarm.sh --push-worker-image example.gcr.io/foo/bar --replicas 30 --shuffle
2016/12/29 08:32:15 Loaded 1618 tests (30 chunks)
2016/12/29 08:32:15 Executing 30 chunks in parallel, against "integration-cli-worker"
2016/12/29 08:32:15 Executing chunk 0 (contains 54 test filters)
..
2016/12/29 08:34:34 Finished chunk 28 [1/30] with 54 test filters in 2m19.098068003s, code=0.
2016/12/29 08:34:38 Finished chunk 12 [2/30] with 54 test filters in 2m23.088569511s, code=0.
2016/12/29 08:34:48 Finished chunk 10 [3/30] with 54 test filters in 2m33.880679079s, code=0.
2016/12/29 08:34:54 Finished chunk 20 [4/30] with 54 test filters in 2m39.973747028s, code=0.
2016/12/29 08:35:11 Finished chunk 18 [5/30] with 54 test filters in 2m56.28384361s, code=0.
2016/12/29 08:35:11 Finished chunk 29 [6/30] with 52 test filters in 2m56.54047088s, code=0.
2016/12/29 08:35:15 Finished chunk 1 [7/30] with 54 test filters in 3m0.285044426s, code=0.
2016/12/29 08:35:22 Finished chunk 6 [8/30] with 54 test filters in 3m7.211775338s, code=0.
2016/12/29 08:35:24 Finished chunk 25 [9/30] with 54 test filters in 3m9.938413009s, code=0.
2016/12/29 08:35:30 Finished chunk 27 [10/30] with 54 test filters in 3m15.219834368s, code=0.
2016/12/29 08:35:36 Finished chunk 9 [11/30] with 54 test filters in 3m21.615434162s, code=0.
2016/12/29 08:35:41 Finished chunk 13 [12/30] with 54 test filters in 3m26.576907401s, code=0.
2016/12/29 08:35:45 Finished chunk 17 [13/30] with 54 test filters in 3m30.290752537s, code=0.
2016/12/29 08:35:53 Finished chunk 2 [14/30] with 54 test filters in 3m38.148423321s, code=0.
2016/12/29 08:35:55 Finished chunk 24 [15/30] with 54 test filters in 3m40.09669137s, code=0.
2016/12/29 08:35:57 Finished chunk 8 [16/30] with 54 test filters in 3m42.299945108s, code=0.
2016/12/29 08:35:57 Finished chunk 22 [17/30] with 54 test filters in 3m42.946558809s, code=0.
2016/12/29 08:35:59 Finished chunk 23 [18/30] with 54 test filters in 3m44.232557165s, code=0.
2016/12/29 08:36:02 Finished chunk 3 [19/30] with 54 test filters in 3m47.112051358s, code=0.
2016/12/29 08:36:11 Finished chunk 15 [20/30] with 54 test filters in 3m56.340656645s, code=0.
2016/12/29 08:36:11 Finished chunk 11 [21/30] with 54 test filters in 3m56.882401231s, code=0.
2016/12/29 08:36:22 Finished chunk 19 [22/30] with 54 test filters in 4m7.551093516s, code=0.
2016/12/29 08:36:23 Finished chunk 21 [23/30] with 54 test filters in 4m8.221093446s, code=0.
2016/12/29 08:36:25 Finished chunk 16 [24/30] with 54 test filters in 4m10.450451705s, code=0.
2016/12/29 08:36:27 Finished chunk 5 [25/30] with 54 test filters in 4m12.162272692s, code=0.
2016/12/29 08:36:28 Finished chunk 14 [26/30] with 54 test filters in 4m13.977801031s, code=0.
2016/12/29 08:36:29 Finished chunk 0 [27/30] with 54 test filters in 4m14.34086812s, code=0.
2016/12/29 08:36:49 Finished chunk 26 [28/30] with 54 test filters in 4m34.437085539s, code=0.
2016/12/29 08:37:14 Finished chunk 7 [29/30] with 54 test filters in 4m59.22902721s, code=0.
2016/12/29 08:37:20 Finished chunk 4 [30/30] with 54 test filters in 5m5.103469214s, code=0.
2016/12/29 08:37:20 Executed 30 chunks in 5m5.104379119s. PASS: 30, FAIL: 0.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
A phrase from the "Text files" section in build.md was incorrectly duplicated under the "Tarball contexts" section.
Signed-off-by: Peter Jaffe <pjaffe@nevo.com>
This adds support for placement preferences in Swarm services.
- Convert PlacementPreferences between GRPC API and HTTP API
- Add --placement-pref, --placement-pref-add and --placement-pref-rm to CLI
- Add support for placement preferences in service inspect --pretty
- Add integration test
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Fallback errors are not an error, but an
informational message.
This changes those errors to be logged
as "Info" instead of "Error".
After this patch, debug logs look like this;
DEBU[0050] Calling GET /_ping
DEBU[0050] Calling POST /v1.27/images/create?fromImage=localhost%3A5000%2Ffoo&tag=latest
DEBU[0050] Trying to pull localhost:5000/foo from https://localhost:5000 v2
WARN[0050] Error getting v2 registry: Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client
INFO[0050] Attempting next endpoint for pull after error: Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client
DEBU[0050] Trying to pull localhost:5000/foo from http://localhost:5000 v2
INFO[0050] Attempting next endpoint for pull after error: manifest unknown: manifest unknown
DEBU[0050] Trying to pull localhost:5000/foo from https://localhost:5000 v1
DEBU[0050] attempting v1 ping for registry endpoint https://localhost:5000/v1/
DEBU[0050] Fallback from error: Get https://localhost:5000/v1/_ping: http: server gave HTTP response to HTTPS client
INFO[0050] Attempting next endpoint for pull after error: Get https://localhost:5000/v1/_ping: http: server gave HTTP response to HTTPS client
DEBU[0050] Trying to pull localhost:5000/foo from http://localhost:5000 v1
DEBU[0050] [registry] Calling GET http://localhost:5000/v1/repositories/foo/images
ERRO[0050] Not continuing with pull after error: Error: image foo:latest not found
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, doing service logs was just tossing the stream
selectors and always using the default (both streams). This change adds
a check for which streams the user wants and only includes those.
Fixes#31306
Signed-off-by: Drew Erny <drew.erny@docker.com>
The overlay(2) drivers were moved up in the list of storage drivers,
and are known to have problems if the backing filesystem does not
support d_type.
Commit 2e20e63da2 added a warning,
which is logged in the daemon logs, however, many users do not
check those logs, and may overlook this warning.
This patch adds the same warning to the output of `docker info`
so that the warning is more easily found.
In addition, the output of warnings printed by `docker info` is
optimized, by;
- moving all warnings to the _end_ of the output, instead of
mixing them with the regular output
- wrapping the storage-driver warnings, so that they are more
easily readable
Example output with this patch applied
============================================
devicemapper using loopback devices:
...
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: devicemapper: usage of loopback devices is strongly discouraged for production use.
Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
overlay2 on xfs without d_type support;
...
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: overlay2: the backing xfs filesystem is formatted without d_type support, which leads to incorrect behavior.
Reformat the filesystem with ftype=1 to enable d_type support.
Running without d_type support will not be supported in future releases.
WARNING: bridge-nf-call-iptables is disabled
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Added 'golint', 'yamllint', and 'swagger'
- Fixed man/Dockerfile.aarch64 by bootstrapping Go 1.7.5
Signed-off-by: Boris Pruessmann <boris@pruessmann.org>
I found that sometimes tasks would end up in a rejected state when
trying to update them quickly. The problem was that Shutdown could fail
if called before the container was started. Instead of returning an
error in this case, Shutdown should succeed. This allows tasks to
progress to the "shutdown" state as expected.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Make sure that the cursor value returned by followJournal() is the last
of the values returned by its goroutine's calls to drainJournal() by
waiting for it, rather than returning a value that may be superceded by
another if we're singalling the goroutine that it should exit by closing
a pipe.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This fix is an attempt to improve the documentation of
`Version` usage for Swarm API in Swagger docs.
As is shown in the docs updates, `Version` field in Swarm
API is a way to ensure safe concurrency and determinism
so that multiple updates to the same swarm related objects
(Node, Service, etc) will not unintentially overwrite each other.
This fix fixes 29448.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 25696 where
it was not possible to specify `--stop-signal` for `docker service create`
and `docker service update`, in order to use special signal to stop
the container.
This fix adds `--stop-signal` and update the `StopSignal` in `Config`
through `service create` and `service update`.
Related docs has been updated.
Integration test has been added.
This fix fixes 25696.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Adding debian-jessie as output for running make deb on aarch64. Also
update GO_VERSION to 1.8 to fix issues with incorrect pagesize.-
Signed-off-by: Boris Pruessmann <boris@pruessmann.org>
This fix tries to address the issue in 31179 where
secrets fields is missing for `docker service create`
or `docker service update`.
This fix adds Secrets for `ContainerSpec` in Swagger docs.
This fix fixes 31179.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
PR #31197 made me think I needed to add more text explaing why
BuildArgs needs to be a *string instead of string.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This fix adds the missing fields of `Hostname`, `OpenStdin`,
`Hosts`, `Groups`, and `Healthcheck` to `ContainerSpec`.
This fix also moves the `Label` in `ContainerSpec` to align with
the definition order.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updates the `docs/api/version-history.md`
for `ReadOnly` parameter, which is now available in
`POST /services/create` and `POST /services/(id or name)/update`.
This fix is a follow up to 30162.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This test was failing if after the busybox image switched to a
single layer.
The test fails because it alters the data of an empty layer and
relies on a side effect of another empty layer not being skipped
on pull to pass.
(The original patch was provided by Tonis Tiigi)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds Yong Tang as a maintainer for
docker/docker, as was proposed and
voted on the maintainers mailinglist.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to update the SwarmKit from
ed384f3b3957f65e3111bd020f9815f3d4296fa2
to
6bc357e9c5f0ac2cdf801898a43d08c260b4d5d0
The following is the list of docker related changes:
1. Took long time for Docker Swarm service turn desired state from Ready to Running (Issue #28291)
2. Native Swarm in 1.12 - panic: runtime error: index out of range (Issue #25608)
3. Global mode target replicas keep increasing (Issue #30854)
4. Creating service with publish mode=host and without published port crashes swarm manager (Issue #30938)
5. Define signals used to stop containers for updates (Issue #25696) (PR #30754)
This fix fixes#28291, #25608, #30854, #30938.
This fix is required by PR #30754.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- otherwise the attachment task will stay in store and
consume IP addresses and there is no way to remove it.
Signed-off-by: Alessandro Boch <aboch@docker.com>
If you remove an image with digest+tag, it will fail because it wont
find it in the reference store (where digest+tag -> digest). Let's
make sure we do the same in ImageDelete, stripping the tag if
digest+tag are present.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This loop is not ever going to return since it's never actually setting
the `err` var except on the first iteration.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
This fixes https://github.com/docker/docker/issues/30278 where
there is a race condition in HCS for RS1 and RS2 builds, and enumeration
of compute systems can return access is denied if a silo is being
torn down in the kernel while HCS is attempting to enumerate them.
Propagation type changes must be done as a separate call, in the
same way as read only bind mounts.
To fix this:
1. Ensure propagation type change flags aren't included in other calls.
2. Apply propagation type change in a separate call.
Also:
* Make it clear which parameters are ignored by passing them as empty.
* Add tests to ensure Mount options are applied correctly.
Fixes#30415
Signed-off-by: Steven Hartland <steven.hartland@multiplay.co.uk>
Previously, `docker logs` (and by extension, `docker service logs`) had
an error in the way they returned errors that occurred after a stream
had already been started. Specifically, the errors were added verbatim
to the HTTP response, which caused StdCopy to fail with an esoteric
error. This change updates StdCopy to accept errors from the source
stream and then return those errors when copying to the destination
stream.
Signed-off-by: Drew Erny <drew.erny@docker.com>
This fix is based on:
https://github.com/docker/docker/issues/29936#issuecomment-277494885
Currently the insecure registry is only checked to see if it contains
scheme (`http(s)://`) or not. No fully validation is done and this
caused many confusions like in #29936.
This fix tries to address the issue.
This fix adds additional validation so that an insecure registry
is validated to make sure it is in `host:port` format where host
could be IPv4/IPv6 or a host name, and port could be an integer
between 0-65535.
Additional unit tests have been added.
This fix is related to #29936.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updates docker/distribution to b38e5838b7b2f2ad48e06ec4b500011976080621
from 545102ea07aa9796f189d82f606b7c27d7aa3ed3
Changes related to docker issue:
1. Validate insecure registry (`--insecure-registry`) values (30746)
This fix is related to 30746.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This is especially important for distributions like NixOS where `/bin/bash` doesn't exist, or for MacOS users who've installed a newer version of Bash than the one that comes with their OS.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This fix adds `Attachable` property for network object
in the documentation of Swagger API docs
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix ignore some functions in the Go template when header is
redendered, so that `--format "{{truncate .ID 1}}"` will still
be able to redener the header correctly.
Additional test cases have been added to the unit test.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is an attempt to address
https://github.com/docker/docker/pull/28213#issuecomment-273840405
Currently when specify table format with table `--format "table {{.ID}}..."`,
the delimiter in the header section of the table is always `"\t"`.
That is actually different from the content of the table as the delimiter
could be anything (or even contatenated with `.`, for example):
```
$ docker service ps web --format 'table {{.Name}}.{{.ID}}' --no-trunc
NAME ID
web.1.inyhxhvjcijl0hdbu8lgrwwh7
\_ web.1.p9m4kx2srjqmfms4igam0uqlb
```
This fix is an attampt to address the skewness of the table when delimiter
is not `"\t"`.
The basic idea is that, when header consists of `table` key, the header section
will be redendered the same way as content section. A map mapping each
placeholder name to the HEADER entry name is used for the context of the header.
Unit tests have been updated and added to cover the changes.
This fix is related to #28313.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is the follow up of the last commit.
In this fix:
1. If any of the parents of a command has tags, then this command's
`Args` (Args validation func) will be wrapped up. The warpped up func
will check to see if the feature is supported or not. If it is not supported,
then a not supported message is generated instead.
This fix is related to 28626.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address several issues raised in 28626 where
run against a non-experimental daemon may not generate correct
error message:
1. Incorrect flags were not checked against the supported features:
```
$ docker stack --nonsense
unknown flag: --nonsense
```
2. Subcommands were not checked against the supported features:
```
$ docker stack ls
Error response from daemon: This node is not a swarm manager...
```
This fix address the above mentioned issues by:
1. Add a pre-check for FlagErrorFunc
2. Recursively check if a feature is supported for cmd and its parents.
This fix fixes 28626.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 27189 where
it is not possible to support configured formatting stored in
config.json.
Since `--format` was not supported in `docker service ps`,
the flag `--format` has also been added in this fix.
This fix
1. Add `--format` to `docker service ps`
2. Add `tasksFormat` to config.json
3. Add `--format` to `docker stack ps`
4. Add `--format` to `docker node ps`
The related docs has been updated.
An integration test has been added.
This fix fixes 27189.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
With the switchover to the unified reference package, AddReference no
longer does the right thing when passed a reference that has both a
digest and a tag. It would put both the digest in the tag in the
reference stored in the repositories.json file, which isn't the right
format, and would mean that neither "docker run" nor docker services
could locate the image. This meant that a simple "docker service create"
command like "docker service create --name foo busybox top" would create
a service that immediately went into a restart loop, because it couldn't
use the image that had been pulled.
Fix AddReference to strip out the tag when both a tag and digest are
specified. We do this because we don't necessarily want to overwrite the
tag - when both a digest and tag are specified, the tag is only
advisory.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Sockets interface has been updated to take in a the group
id as an integer rather than a string.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
When `docker stats` stopped containers, client will get empty stats data,
this commit will gurantee client always get "Name" and "ID" field, so
that it can format with `ID` and `Name` fields successfully.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Command name should be a H1
Only Description, Examples, and Related Commands should be H2
Changed 'Related information' heading to 'Related commands' since 99% it is only linking commands
Added some examples where relevant
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
This fix updates SwarmKit to ed384f3b3957f65e3111bd020f9815f3d4296fa2.
Notable changes since last update (3ca4775ba4a5519e2225c3337c7db8901ec39d26):
1. Fix duplicated ports allocation with restarted swarm. (Docker issue #29247)
2. Topology-aware scheduling (Docker PR #30725)
Docker issue #29247 was labeled 1.13.1, though it is advised that
related SwarmKit changes only to be merged to master
(based on the feedback https://github.com/docker/swarmkit/pull/1802#issuecomment-274143500)
This fix fixes#29247 (master only).
This fix is related to #30725.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Add a daily job to randomly assign pull requests which have been opened
for more than two weeks.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
This also moves some cli specific in `cmd/dockerd` as it does not
really belong to the `daemon/config` package.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This commit fixes panic when execute stats command:
* use --format {{.Name}} with --all when there're exited containers.
* use --format {{.Name}} while stating exited container.
The root cause is when stating an exited container, the result from the
api didn't contain the Name and ID field, which will make format
process panic.
Panic log is like this:
```
panic: runtime error: slice bounds out of range [recovered]
panic: runtime error: slice bounds out of range
goroutine 1 [running]:
panic(0xb20f80, 0xc420014110)
/usr/local/go/src/runtime/panic.go:500 +0x1a1
text/template.errRecover(0xc4201773e8)
/usr/local/go/src/text/template/exec.go:140 +0x2ad
panic(0xb20f80, 0xc420014110)
/usr/local/go/src/runtime/panic.go:458 +0x243
github.com/docker/docker/cli/command/formatter.(*containerStatsContext).Name(0xc420430160,
0x0, 0x0)
/go/src/github.com/docker/docker/cli/command/formatter/stats.go:148
+0x86
reflect.Value.call(0xb9a3a0, 0xc420430160, 0x2213, 0xbe3657, 0x4,
0x11bc9f8, 0x0, 0x0, 0x4d75b3, 0x1198940, ...)
/usr/local/go/src/reflect/value.go:434 +0x5c8
reflect.Value.Call(0xb9a3a0, 0xc420430160, 0x2213, 0x11bc9f8, 0x0, 0x0,
0xc420424028, 0xb, 0xb)
/usr/local/go/src/reflect/value.go:302 +0xa4
text/template.(*state).evalCall(0xc420177368, 0xb9a3a0, 0xc420430160,
0x16, 0xb9a3a0, 0xc420430160, 0x2213, 0x1178fa0, 0xc4203ea330,
0xc4203de283, ...)
/usr/local/go/src/text/template/exec.go:658 +0x530
```
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix is partially based on comment
https://github.com/docker/docker/issues/30242#issuecomment-273517205
Currently, `docker network inspect` relies on `FindNetwork()` which
does not take into consideration that multiple networks with the same
name might exist.
This fix propose to return `docker network inspect` in a similiar
fashion like other commands:
1. Lookup full ID
2. Lookup full name
3. Lookup partial ID
If multiple networks exist, an error will be returned.
NOTE: this fix is not a complete fix for the issue raised in
https://github.com/docker/docker/issues/30242#issuecomment-273517205
where SwarmKit is unable to update when multiple networks with the same
name exit.
To fix that issue requires multiple places when `FindNetwork()` is called.
Because of the impact of changing `FindNetwork()`, this fix focus on
the issue in `docker network inspect`.
A separate PR will be created to address
https://github.com/docker/docker/issues/30242#issuecomment-273517205
An integration test has been added.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Remove forked reference package. Use normalized named values
everywhere and familiar functions to convert back to familiar
strings for UX and storage compatibility.
Enforce that the source repository in the distribution metadata
is always a normalized string, ignore invalid values which are not.
Update distribution tests to use normalized values.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This commit adds support for expanded ports in Compose loader,
and add several unit tests for loading expanded port format.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit adds expanded port syntax to Compose schema and types
so that it is possible to have
```
ports:
- mode: host
target: 80
published: 9005
```
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the issue raised in 21845. The issue with 21845
is that if multiple `--volumes-from` with the same destination has been
specified, then one volume will be overridden by the other. This will mess
up with volumes reference and prevent the overridden volume from
being removed at the end.
Issue 21845 was observed with `docker-compose` though it is possible to
emulate the same behavior with `docker` alone:
```
$ cat Dockerfile
FROM busybox
VOLUME ["/tmp/data"]
$ docker build -t vimage .
$ docker run --name=data1 vimage true
$ docker run --name=data2 vimage true
$ docker run --name=app --volumes-from=data1 --volumes-from=data2 -d busybox top
$ docker rm -f -v $(docker ps -aq)
$ docker volume ls
$ docker volume rm ...
```
NOTE: Second case:
```
$ cat Dockerfile
FROM busybox
VOLUME ["/tmp/data"]
$ docker build -t vimage .
$ docker run --name=data1 vimage true
$ docker run --name=data2 vimage true
$ docker run --name=app --volumes-from=data1 --volumes-from=data2 -v /tmp/data:/tmp/data -d busybox top
$ docker rm -f -v $(docker ps -aq)
$ docker volume ls
$ docker volume rm ...
```
NOTE: Third case: Combination of --volumes-from and `HostConfig.Mounts` (API only)
This fix tries to address the issue by return an error if duplicate
mount points was used with `--volumes-from`.
An integration test has been added.
This fix fixes 21845.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
We ignored errors for simple syntax in `PortOpt` (missed that in the
previous migration of this code). This make sure we don't ignore
`nat.Parse` errors.
Test has been migrate too (errors are not exactly the same as before
though -_-)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
- libnetwork controller Networks() already returns
a copy list. Also Networks() correctly skips any
network which ahs already been marked for deletion
while getNetworks implementation bypass this.
Signed-off-by: Alessandro Boch <aboch@docker.com>
Fixes manpages for p and z by downloading a specific version
of go instead of relying on the distro version.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
While it is important to not create controllers for an invalid task,
certain properties should only be checked immediately before use. Early
host validation of mounts prevents resolution of the task Executor when
the mounts are not relevant to execution flow. In this case, we have a
check for the existence of a bind mount path in a creation function that
prevents a task controller from being resolved. Such early validation
prevents one from interacting directly with a controller and result in
unnecessary error reporting.
In accordance with the above, we move the validation of the existence of
host bind mount paths to the `Controller.Start` phase. We also call
these "checks", as they are valid mounts but reference non-existent
paths.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This adjusts `command.PromptForConfirmation` in `cli/command/utils.go` to use `bufio`'s `ReadLine` rather than using `fmt.Fscan` for reading input, which makes `<Enter>` properly accept the default value of "No" as one would expect.
This new code actually came from `cli/command/plugin/install.go`'s `acceptPrivileges` function, which I've also refactored here to use `command.PromptForConfirmation` as it should.
Additionally, this updates `cli/command/plugin/upgrade.go`'s `runUpgrade` function to use `command.PromptForConfirmation` for further consistency.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
`NetworksPrune()` is designed to ignore errors
encountered during removal of networks, and only
print them as warnings.
However, the last error encountered was returned
by the function, resulting in the prune command
to be reported as "failing" wheras it did not.
In addition, in situations where a network
failed to be removed, the networks that
_were_ succesfully removed were not reported
back.
This patch changes the function to not return
the error, and to return the list of networks
that were succesfully removed at all times.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix is an attempt to fix issue raised in #28005 where
`docker stats` on Windows shows Linux headers if there is
no containers in stats.
The reason for the issue is that, in case there is no container,
a header is faked in:
https://github.com/docker/docker/blob/v1.13.0/cli/command/formatter/formatter.go#L74-L78
which does not know OS type information (as OS was stored with container stat entries)
This fix tries to fix the issue by moving OS type information
to stats context (instead of individual container stats entry).
Additional unit tests have been added.
This fix fixes#28005.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29975 where
it was not possible to specify `attachable` flag for networks
in compose format.
NOTE: Compose format aleady supports `labels` in networks.
This fix adds the support of `attachable` for compose v3.1 format.
Additiona unit tests have been updated and added.
This fix fixes 29975.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Signed-off-by: Lewis Daly <lewisdaly@me.com>
Updated uid/gid reference to be more canonical - and signed commit
Signed-off-by: Lewis Daly <lewisdaly@me.com>
Editorial suggestion
I tried my hand at rewriting this a bit for readability. Can you please verify that the facts are correct, especially about the permission changes? You can feel free to squash my commit with yours so that it's signed. You'll need to pull the change from your fork to work on it locally.
Editorial suggestion
I tried my hand at rewriting this a bit for readability. Can you please verify that the facts are correct, especially about the permission changes? You can feel free to squash my commit with yours so that it's signed. You'll need to pull the change from your fork to work on it locally.
Docker 1.13 and up allows a client to communicate
with older daemons. As a result, flags may be
present that are not supported by the older daemon.
The client already _hides_ flags that are not
supported yet, but this doesn't present users
from using those flags.
This change shows an error if a flag is used
that is not supported by the daemon (either
based on the API version, or because experimental
features are not enabled).
Note that for some options, a check is already
in place in the API client. For those
options, this is just a minor enhancement
to more clearly indicate which _flag_ is
not supported.
Before this change;
DOCKER_API_VERSION=1.24 docker run -d --stop-timeout=30 busybox top
mjfyt3qpvnq0iwmun3sjwth9i
echo -e "FROM busybox\nRUN echo foo > bar" | DOCKER_API_VERSION=1.24 docker build --squash -
"squash" requires API version 1.25, but the Docker server is version 1.24
After this change;
DOCKER_API_VERSION=1.24 docker run -d --stop-timeout=30 busybox top
"--stop-timeout" requires API version 1.25, but the Docker daemon is version 1.24
echo -e "FROM busybox\nRUN echo foo > bar" | DOCKER_API_VERSION=1.24 docker build --squash -
"--squash" requires API version 1.25, but the Docker daemon is version 1.24
echo -e "FROM busybox\nRUN echo foo > bar" | docker build --squash -
"--squash" is only supported on a Docker daemon with experimental features enabled
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This persists the "propagated mount" for plugins outside the main
rootfs. This enables `docker plugin upgrade` to not remove potentially
important data during upgrade rather than forcing plugin authors to hard
code a host path to persist data to.
Also migrates old plugins that have a propagated mount which is in the
rootfs on daemon startup.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This allows a plugin to be upgraded without requiring to
uninstall/reinstall a plugin.
Since plugin resources (e.g. volumes) are tied to a plugin ID, this is
important to ensure resources aren't lost.
The plugin must be disabled while upgrading (errors out if enabled).
This does not add any convenience flags for automatically
disabling/re-enabling the plugin during before/after upgrade.
Since an upgrade may change requested permissions, the user is required
to accept permissions just like `docker plugin install`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This should go some way to unblocking a solution to #18797, #18385 etc by
removing the current rather restrictive constraints on help text length.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
$ git log --oneline dabebe21bf79..9ff6c6923cff
9ff6c69 Add FlagSet.FlagUsagesWrapped(cols) which wraps to the given column (#105)
a9a634f Add BoolSlice and UintSlice flag types. (#111)
a232f6d Merge pull request #102 from bogem/redundant
5126803 Merge pull request #110 from hardikbagdi/master
230dccf add badges to README.md
c431975 Merge pull request #107 from xilabao/add-user-supplied-func-when-parse
271ea0e Make command line parsing available outside pflag
25f8b5b Merge pull request #109 from SinghamXiao/master
1fcda0c too many arguments
5ccb023 Remove Go 1.5 from Travis
86d3545 Clean up code
I am interested in 9ff6c69 for a followup.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Pulling all the endpoints is a very resource heavy operation especially
for Global-scoped networks with a backing KVStore. Such heavy operations
can be fetched for individual network inspect. These are unneccessary
for a simple network list operation.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
RFC 5424 (https://tools.ietf.org/html/rfc5424#section-6.2) requires that
STRUCTURED-DATA be present, either as NILVALUE (-) or as one or more
SD-ELEMENT items. Because Docker doesn't ever create any SD-ELEMENT items,
the format should output the NILVALUE instead. This resolves parsing issues
in various RFC 5424-compliant syslog servers.
Signed-off-by: Mark Parker <godefroi@gmail.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
Working directory processing was handled differently for Hyper-V and Windows-Server containers, as annotated in the builder documentation (updated in this PR). For Hyper-V containers, the working directory set by WORKDIR was not created. This PR makes Hyper-V containers work the same as Windows Server containers (and the same as Linux).
Example (only applies to Hyper-V containers, so not reproducible under CI environment)
Dockerfile:
FROM microsoft/nanoserver
WORKDIR c:\installer
ENV GOROOT=c:\installer
ADD go.exe .
RUN go --help
Running on Windows Server 2016, using docker master without this change, but with daemon set to --exec-opt isolation=hyperv as it would be for Client operating systems.
PS E:\go\src\github.com\docker\docker> dockerd -g c:\control --exec-opt isolation=hyperv
time="2017-02-01T15:48:09.657286100-08:00" level=info msg="Windows default isolation mode: hyperv"
time="2017-02-01T15:48:09.662720900-08:00" level=info msg="[graphdriver] using prior storage driver: windowsfilter"
time="2017-02-01T15:48:10.011588000-08:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
time="2017-02-01T15:48:10.016655800-08:00" level=info msg="Loading containers: start."
time="2017-02-01T15:48:10.460820000-08:00" level=info msg="Loading containers: done."
time="2017-02-01T15:48:10.509859600-08:00" level=info msg="Daemon has completed initialization"
time="2017-02-01T15:48:10.509859600-08:00" level=info msg="Docker daemon" commit=3c64061 graphdriver=windowsfilter version=1.14.0-dev
First with no explicit isolation:
PS E:\docker\build\unifyworkdir> docker build --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> 7e0f41d08204
Removing intermediate container 236c7802042a
Step 3/5 : ENV GOROOT c:\installer
---> Running in 8ea5237183c1
---> 394b70435261
Removing intermediate container 8ea5237183c1
Step 4/5 : ADD go.exe .
---> e47401a1745c
Removing intermediate container 88dcc28e74b1
Step 5/5 : RUN go --help
---> Running in efe90e1b6b8b
container efe90e1b6b8b76586abc5c1dc0e2797b75adc26517c48733d90651e767c8463b encountered an error during CreateProcess: failure in a Windows system call: The directory name is invalid. (0x10b) extra info: {"ApplicationName":"","CommandLine":"cmd /S /C go --help","User":"","WorkingDirectory":"C:\\installer","Environment":{"GOROOT":"c:\\installer"},"EmulateConsole":false,"CreateStdInPipe":true,"CreateStdOutPipe":true,"CreateStdErrPipe":true,"ConsoleSize":[0,0]}
PS E:\docker\build\unifyworkdir>
Then forcing process isolation:
PS E:\docker\build\unifyworkdir> docker build --isolation=process --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> 350c955980c8
Removing intermediate container 8339c1e9250c
Step 3/5 : ENV GOROOT c:\installer
---> Running in bde511c5e3e0
---> b8820063b5b6
Removing intermediate container bde511c5e3e0
Step 4/5 : ADD go.exe .
---> e4ac32f8902b
Removing intermediate container d586e8492eda
Step 5/5 : RUN go --help
---> Running in 9e1aa235af5f
Cannot mkdir: C:\installer is not a directory
PS E:\docker\build\unifyworkdir>
Now compare the same results after this PR. Again, first with no explicit isolation (defaulting to Hyper-V containers as that's what the daemon it set to) - note it now succeeds 😄
PS E:\docker\build\unifyworkdir> docker build --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> 4f319f301c69
Removing intermediate container 61b9c0b1ff6f
Step 3/5 : ENV GOROOT c:\installer
---> Running in c464a1d612d8
---> 96a26ab9a7b5
Removing intermediate container c464a1d612d8
Step 4/5 : ADD go.exe .
---> 0290d61faf57
Removing intermediate container dc5a085fffe3
Step 5/5 : RUN go --help
---> Running in 60bd56042ff8
Go is a tool for managing Go source code.
Usage:
go command [arguments]
The commands are:
build compile packages and dependencies
clean remove object files
doc show documentation for package or symbol
env print Go environment information
fix run go tool fix on packages
fmt run gofmt on package sources
generate generate Go files by processing source
get download and install packages and dependencies
install compile and install packages and dependencies
list list packages
run compile and run Go program
test test packages
tool run specified go tool
version print Go version
vet run go tool vet on packages
Use "go help [command]" for more information about a command.
Additional help topics:
c calling between Go and C
buildmode description of build modes
filetype file types
gopath GOPATH environment variable
environment environment variables
importpath import path syntax
packages description of package lists
testflag description of testing flags
testfunc description of testing functions
Use "go help [topic]" for more information about that topic.
The command 'cmd /S /C go --help' returned a non-zero code: 2
And the same with forcing process isolation. Also works 😄
PS E:\docker\build\unifyworkdir> docker build --isolation=process --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> f423b9cc3e78
Removing intermediate container 41330c88893d
Step 3/5 : ENV GOROOT c:\installer
---> Running in 0b99a2d7bf19
---> e051144bf8ec
Removing intermediate container 0b99a2d7bf19
Step 4/5 : ADD go.exe .
---> 7072e32b7c37
Removing intermediate container a7a97aa37fd1
Step 5/5 : RUN go --help
---> Running in 7097438a54e5
Go is a tool for managing Go source code.
Usage:
go command [arguments]
The commands are:
build compile packages and dependencies
clean remove object files
doc show documentation for package or symbol
env print Go environment information
fix run go tool fix on packages
fmt run gofmt on package sources
generate generate Go files by processing source
get download and install packages and dependencies
install compile and install packages and dependencies
list list packages
run compile and run Go program
test test packages
tool run specified go tool
version print Go version
vet run go tool vet on packages
Use "go help [command]" for more information about a command.
Additional help topics:
c calling between Go and C
buildmode description of build modes
filetype file types
gopath GOPATH environment variable
environment environment variables
importpath import path syntax
packages description of package lists
testflag description of testing flags
testfunc description of testing functions
Use "go help [topic]" for more information about that topic.
The command 'cmd /S /C go --help' returned a non-zero code: 2
PS E:\docker\build\unifyworkdir>
After running the test suite with the race detector enabled I found
these gems that need to be fixed.
This is just round one, sadly lost my test results after I built the
binary to test this... (whoops)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This reduces allocs and bytes used per log entry significantly as well
as some improvement to time per log operation.
Each log driver, however, must put messages back in the pool once they
are finished with the message.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This allows the user to set a logging mode to "blocking" (default), or
"non-blocking", which uses the ring buffer as a proxy to the real log
driver.
This allows a container to never be blocked on stdio at the cost of
dropping log messages.
Introduces 2 new log-opts that works for all drivers, `log-mode` and
`log-size`. `log-mode` takes a value of "blocking", or "non-blocking"
I chose not to implement this as a bool since it is difficult to
determine if the mode was set to false vs just not set... especially
difficult when merging the default daemon config with the container config.
`log-size` takes a size string, e.g. `2MB`, which sets the max size
of the ring buffer. When the max size is reached, it will start
dropping log messages.
```
BenchmarkRingLoggerThroughputNoReceiver-8 2000000000 36.2 ns/op 856.35 MB/s 0 B/op 0 allocs/op
BenchmarkRingLoggerThroughputWithReceiverDelay0-8 300000000 156 ns/op 198.48 MB/s 32 B/op 0 allocs/op
BenchmarkRingLoggerThroughputConsumeDelay1-8 2000000000 36.1 ns/op 857.80 MB/s 0 B/op 0 allocs/op
BenchmarkRingLoggerThroughputConsumeDelay10-8 1000000000 36.2 ns/op 856.53 MB/s 0 B/op 0 allocs/op
BenchmarkRingLoggerThroughputConsumeDelay50-8 2000000000 34.7 ns/op 894.65 MB/s 0 B/op 0 allocs/op
BenchmarkRingLoggerThroughputConsumeDelay100-8 2000000000 35.1 ns/op 883.91 MB/s 0 B/op 0 allocs/op
BenchmarkRingLoggerThroughputConsumeDelay300-8 1000000000 35.9 ns/op 863.90 MB/s 0 B/op 0 allocs/op
BenchmarkRingLoggerThroughputConsumeDelay500-8 2000000000 35.8 ns/op 866.88 MB/s 0 B/op 0 allocs/op
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to improve the display of `docker service ls`
and adds `--format` flag to `docker service ls`.
In addition to `--format` flag, several other improvement:
1. Updates `docker stacks service`.
2. Adds `servicesFormat` to config file.
Related docs has been updated.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 28176 where
text frame was used in websocket attach endpoint. In case
the data send out contains non utf8 data, the connection
will be closed in certain browsers, e.g., Safari.
This fix address the issue by change `PayloadType` to `BinaryFrame`.
This fix is tested manually with Safari. The docker daemon is inside a Linux Virtual Machine.
Create a container with:
```
docker run -itd --name websocket busybox sh -c "while true; do echo -e 'he\\xc3\\x28o'; sleep 5; done"
```
Use the following url (172.16.66.128:2375 is the tcp address of the daemon):
```
file:///websocket.html?url=ws://172.16.66.128:2375/v1.25/containers/websocket/attach/ws?logs=1&stderr=1&stdout=1&stream=1&stdin=1
```
and the following html:
```
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Websocket</title>
<script type="text/javascript">
function DockerWebSocket() {
if ("WebSocket" in window) {
console.log("WebSocket is supported by Browser...")
// Remove '?url=' prefix
url = window.location.search.replace(/^(\?url=)/,"");
console.log("URL ["+url+"]...");
var ws = new WebSocket(url);
ws.onopen = function() {
console.log("Connection is opened...");
};
ws.onclose = function() {
console.log("Connection is closed...");
};
ws.onmessage = function (e) {
if (typeof e.data === "string") {
alert("WebSocket received text message ["+e.data+"]!")
} else {
console.log("Message is received...")
var blobReader = new FileReader();
blobReader.onload = function(event) {
console.log(JSON.stringify(blobReader.result))
};
blobReader.readAsText(e.data)
console.log("Message complete...")
}
};
} else {
alert("WebSocket is not supported by Browser!");
}
}
</script>
</head>
<body>
<div>
<a href="javascript:DockerWebSocket()">Run DockerWebSocket</a>
</div>
</body>
</html>
```
This fix fixes 28176.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the discussion in 28199 about using
`truncate` to replace `--no-trunc`.
As part of the fix, a new function `truncate` has been
added for Go templates so that it is possible to use
```
docker stack services --format "{{truncate .ID 5}}: {{.Mode}} {{.Replicas}}"
```
to show truncated ID.
A unit test has been added.
This fix is related to 28199.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29972 where
it was not possible to specify `--read-only` for `docker service create`
and `docker service update`, in order to have the container's root file
system to be read only.
This fix adds `--read-only` and update the `ReadonlyRootfs` in `HostConfig`
through `service create` and `service update`.
Related docs has been updated.
Integration test has been added.
This fix fixes 29972.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
gofmt'd
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
change the function name to something more adequate and changed the behaviour to show empty value on an apparmor disabled system.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
go fmt
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
This fix updates SwarmKit to 78ae345f449ac69aa741c762df7e5f0020f70275
(from 037b4913929019d44bc927870bf2d92ce9ca261f)
The following issues in docker are related
- Can not update service in host publish mode (#30199) (fixed)
- Add `ReadonlyRootfs` in ContainerSpec for `--read-only` (#29972) (needed)
- Explicitly disallow network pluginv1 creation in swarm mode
(See discussion in docker/swarmkit/pull/1899, docker/swarmkit/pull/1894,
and docker/docker/pull/30332#issuecomment-274277948)
This fix fixes#30199
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
These are arm variants with different argument ordering because of
register alignment requirements.
fix#30516
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fix tries to address the issue raised in 30178 where
service healthcheck is `{}` in remote API will result in
dns resolve failue.
The reason was that when service healthcheck is `{}`,
service binding was not done.
This fix fixes the issue.
An integration test has been added.
This fix fixes 30178.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The following command fails when the target directory does not exist.
$ sudo make install DOCKER_MAKE_INSTALL_PREFIX=/opt/docker AUTO_GOPATH=1
KEEPBUNDLE=1 hack/make.sh install-binary
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#
---> Making bundle: install-binary (in bundles/1.14.0-dev/install-binary)
Installing docker to /opt/docker/bin/
cp: cannot create regular file '/opt/docker/bin/': No such file or directory
make: *** [Makefile:119: install] Error 1
The patch installs the target directory before copying any binaries.
$ sudo make install DOCKER_MAKE_INSTALL_PREFIX=/opt/docker AUTO_GOPATH=1
KEEPBUNDLE=1 hack/make.sh install-binary
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#
---> Making bundle: install-binary (in bundles/1.14.0-dev/install-binary)
Installing docker to /opt/docker/bin/
Installing dockerd to /opt/docker/bin/
Installing docker-runc to /opt/docker/bin/
Installing docker-containerd to /opt/docker/bin/
Installing docker-containerd-ctr to /opt/docker/bin/
Installing docker-containerd-shim to /opt/docker/bin/
Installing docker-proxy to /opt/docker/bin/
Installing docker-init to /opt/docker/bin/
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
The original Compose config loading used the `compose` tag, which
was replaced by mapstructure. Some fields were left on the old tag. This
commit removes the old tag and uses types and mapstructure.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This fix tries to address the enhancement proposal raised in
27178 for filtering based on published or exposed ports of
`docker ps --filter`.
In this fix, two filter options, `publish` and `expose` have
been added to take either `<port>[/<protocol>]` or `<from>-<to>[/<protocol>]`
and filtering on containers.
An integration test has been added to cover the changes.
This fix fixes 27178.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix made several updates:
1. Update opts.MemBytes so that default value will not show up.
The reason is that in case a default value is decided by daemon,
instead of client, we actually want to not show default value.
2. Move `docker run/create/build` to use opts.MemBytes for `--shm-size`
This is to bring consistency between daemon and docker run
3. docs updates.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix fixes issue raised in 29492 where it was not
possible to specify a default `--default-shm-size` in daemon
configuration for each `docker run``.
The flag `--default-shm-size` which is reloadable, has been
added to the daemon configuation.
Related docs has been updated.
This fix fixes 29492.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29344 where it was
not possible to create log group for awslogs (CloudWatch) on-demand.
Log group has to be created explicitly before container is running.
This behavior is inconsistent with AWS logs agent where log groups
are always created as needed.
There were several concerns previously (See comments in 19617 and 29344):
1. There is a limit of 500 log groups/account/region so resource might
be exhausted if there is any typo or incorrect region.
2. Logs are generated for every container so CreateLogGroup (or equally,
DescribeLogGroups) might be called every time, which is redundant and
potentially surprising.
3. CreateLogStream and CreateLogGroup have different IAM policies.
This fix addresses the issue by add `--log-opt awslogs-create-group`
which by default is `false`. It requires user to explicitly request
that log groups be created as needed.
Related unit test has been updated. And tests have also been done
manually in AWS.
This fix fixes 29334.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is a follow up for comment:
https://github.com/docker/docker/pull/28896#issuecomment-265392703
Currently secret name or ID prefix resolving is done at the client
side, which means different behavior of API and CMD.
This fix moves the resolving from client to daemon, with exactly the
same rule:
- Full ID
- Full Name
- Partial ID (prefix)
All existing tests should pass.
This fix is related to #288896, #28884 and may be related to #29125.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix adds `--filter capability=[volumedriver|authz]` to `docker plugin ls`.
The related docs has been updated.
An integration test has been added.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix adds `--filter enabled=true` to `docker plugin ls`,
as was specified in 28624.
The related API and docs has been updated.
An integration test has been added.
This fix fixes 28624.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- When the node leaves the cluster, if any user run
container(s) is connected to the swarm network,
then daemon needs to detach the container(s) and
remove the network.
Signed-off-by: Alessandro Boch <aboch@docker.com>
`docker plugin ls` now has `--format`, so there is no more need for
postprocessing raw `docker plugin ls` output with `awk` any more.
This will make generation of plugin lists robust against changes
in `docker plugin ls` output.
Signed-off-by: Harald Albers <github@albersweb.de>
This introduce a new `--device-cgroup-rule` flag that allow a user to
add one or more entry to the container cgroup device `devices.allow`
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This fix tries to address the issue raised in 30242 where the `Scope`
field always changed to `swarm` in the ouput of `docker network ls/inspect`
when duplicate networks name exist.
The reason for the issue was that `buildNetworkResource()` use network name
(which may not be unique) to check for the scope.
This fix fixes the issue by always use network ID in `buildNetworkResource()`.
A test has been added. The test fails before the fix and passes after the fix.
This fix fixes 30242.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In the journald log driver, attempt to drain the journal 1 more time
after being told to stop following the log. Due to a possible race
condition, sometimes data is written to the journal at almost the same
time the log watch is closed, and depending on the order of operations,
sometimes you miss the last journal entry.
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
Docker special-cases build-contexts starting with `github.com`, and
treats them as remote URLs.
Because of this special treatment, local build contexts in a directory
named "github.com" are ignored by `docker build`.
This patch changes the way the build-context is detected and first
checks if a local path with the given name exists before considering
it to be a remote URL.
Before this change;
$ mkdir -p github.com/foo/bar && echo -e "FROM scratch\nLABEL iam=local" > github.com/foo/bar/Dockerfile
$ docker build -t dont-ignore-me github.com/foo/bar
Username for 'https://github.com':
After this change;
$ mkdir -p github.com/foo/bar && echo -e "FROM scratch\nLABEL iam=local" > github.com/foo/bar/Dockerfile
$ docker build -t dont-ignore-me github.com/foo/bar
Sending build context to Docker daemon 2.048 kB
Step 1/2 : FROM scratch
--->
Step 2/2 : LABEL iam local
---> Using cache
---> ae2c603fe970
Successfully built ae2c603fe970
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When a plugin has an activation error, it was not being checked in the
`waitActive` loop. This means it will just wait forever for a manifest
to be populated even though it may never come.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- export DOCKER_GITCOMMIT in the Makefile
- prioritize DOCKER_GITCOMMIT against the `git` command in
`./hack/make.sh`
- Also add `integration-cli/bundles` to gitignore (it's generated when
using integration-cli shell)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
to make goreportcard a bit happier
https://goreportcard.com/report/github.com/docker/docker
also found that `TestCpToErrDstParentNotExists()` was
partially broken, because a `runDockerCp()` was inadvertently
removed in f26a31e80c
`TestDaemonRestartSaveContainerExitCode()` didn't verify
the actual _Error_ message, so added that to the test,
and updated the test to take into account that the
"experimental" CI enables `--init` on containers.
`TestVolumeCLICreateOptionConflict()` only checked
for an error to occur, but didn't validate if the
error was due to conflicting options.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update swarmkit to 037b491.
As swarmkit switched to a newer gRPC version, this also involves
updating Docker's vendored gRPC, which in turn requires updating
containerd to a new version that has protobufs generated against this
gRPC version.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When Size was reverted to be equal to VirtualSize, the df command
formatter was not correctly updated to account for the change.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This fix tries to fix the issue in 30279 where `docker ps --format`
fails if `.Label` has args. For example:
```
docker ps --format '{{.ID}}\t{{.Names}}\t{{.Label "some.label"}}'
```
The reason for the failure is that during the preprocessing phase
to detect the existance of `.Size`, the `listOptionsProcessor`
does not has a method of `Label(name string) string`.
This results in the failure of
```
template: :1:24: executing "" at <.Label>: Label is not a method but has arguments
```
This fix fixes the issue by adding needed method of `Label(name string) string`.
This fix fixes 30279.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
`copyEscapable` is a copy/paste of io.Copy with some added handling for
checking for the attach escape sequence.
This removes the copy/paste and uses `io.Copy` directly. To be able to
do this, it now implements an `io.Reader` which proxies to the main
reader but looks for the escape sequence.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This cleans up attach a little bit, and moves it out of the container
package.
Really `AttachStream` is a method on `*stream.Config`, so moved if from
a package level function to one bound to `Config`.
In addition, uses a config struct rather than passing around tons and
tons of arguments.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Commit ed13c3abfb added flags
for Docker Content Trust. Depending on the `verify` boolean,
the message is "Skip image verification", or "Skip image signing".
"Signing" is intended for `docker push` / `docker plugin push`.
During the migration to Cobra, this boolean got flipped for
`docker push` (9640e3a451),
causing `docker push` to show the incorrect flag description.
This patch changes the flags to use the correct description
for `docker push`, and `docker plugin push`.
To prevent this confusion in future, the boolean argument
is removed, and a `AddTrustSigningFlags()` function is added.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address the enhancement discussed in 28735 to add
`--format` for the output of `docker plugin ls`.
This fix
1. Add `--format` and `--quiet` flags to `docker plugin ls`
2. Convert the current implementation to use `formatter`, consistent with
other docker list commands.
3. Add `pluginsFormat` for config.json.
Related docs has been updated.
Several unit tests have been added to cover the changes.
This fix is related to 28708 and 28735.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
There was no validation for `docker run --tmpfs foo`.
In this PR, only two obvious rules are implemented:
- path must be absolute
- path must not be "/"
We should add more rules carefully.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This is necessary for swarmkit to support cluster wide plugins, such as
globally scoped network plugins.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Use resolving to repo info as the split point between the
legitimate reference package and forked reference package.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
As noted by #30083, the new strict checking of mediatypes misses some
cases where earlier bugs caused nonstandard mediatypes to be stored in
manifests. Two of the known cases are text/html and application/json,
which were returned by certain registries and stored by earlier versions
of Docker. Add special cases for text/html and application/json.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
How to test (it should not print `{}`, and just returns JSON with the actual data):
$ docker images --format '{{json .}}'
$ docker container stats --format '{{json .}}'
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Adds suggestions to where you can install docker in the case
that the install script fails to install because of the architecture
not being officially supported.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Docker has several capabilities enabled by default and some not.
It seems natural to follow this distinction in --cap-add and
--cap-drop.
Signed-off-by: Harald Albers <github@albersweb.de>
This drops support for migrations from pre-1.10 Docker versions, which
should be done via an external tool or an intermediate upgrade.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit addresses 2 issues:
1. in `tailfile()` if somehow the `logWatcher.Msg` were to become full and the watcher closed before space was made into it, we were getting stuck there forever since we were not checking for the watcher getting closed
2. when servicing `docker logs`, if the command was cancelled we were not closing the watcher (and hence notifying it to stop copying data)
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Expand the contributing doc to include tips for successful PRs and
guidance on commit messages. This should help contributers to have
better position PRs that are more likely to be merged.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
There is an issue with the ports leaking to other tests.
This is a workaround until the actual problem is addressed.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Linux supports many obsolete address families, which are usually available in
common distro kernels, but they are less likely to be properly audited and
may have security issues
This blocks all socket families in the socket (and socketcall where applicable) syscall
except
- AF_UNIX - Unix domain sockets
- AF_INET - IPv4
- AF_INET6 - IPv6
- AF_NETLINK - Netlink sockets for communicating with the ekrnel
- AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW
All other socket families are blocked, including Appletalk (native, not
over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally
be used in containers, etc.
Note that users can of course provide a profile per container or in the daemon
config if they have unusual use cases that require these.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Find one escaped go vet error:
```
$ cd pkg/httputils/
$ go vet .
httputils_test.go:28: arg response for printf verb %q of wrong type:
*net/http.Response
```
You can also find it with
```
$ go vet github.com/docker/docker/pkg/httputils/
```
or
```
$ go vet ./...
```
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
- Remove deprecated buildImage* functions
- Rename buildImageNew to buildImage
- Use *check.C in fakeContext* setup and in getIdByName
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The Docker Captains are going to assist in our
triage process! \o/ \o/
This change adds the captains to the maintainers
file as a curator.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add missing "${DOCKER_BUILD_ARGS}" for building rpm with `docker build`,
this is quite important when running `make rpm` behind http proxy.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
After https://github.com/docker/docker/pull/28926, if saving multiple images
which have common layers at same time, the common layers can't share in the tar archive
because the hash ID changes because of the Create time. The Create time is used for
pre v1.9 which treat each layer as a image and make no sense for after v1.10.
To make the hash ID consistent and keep the image save from >1.10 working properly
on pre v1.9, using a constant Create time `time.Unix(0,0)`.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Use quoted form of container name and container id to improve copy-paste avoiding the extra `.` that slips into the clipboard
Signed-off-by: Jorge Marin <chipironcin@users.noreply.github.com>
Docker 1.13 moves the `--rm` flag to the daemon,
through an AutoRemove option in HostConfig.
When using API 1.24 and under, AutoRemove should not be
used, even if the daemon is version 1.13 or above and
"supports" this feature.
This patch fixes a situation where an 1.13 client,
talking to an 1.13 daemon, but using the 1.24 API
version, still set the AutoRemove property.
As a result, both the client _and_ the daemon
were attempting to remove the container, resulting
in an error:
ERRO[0000] error removing container: Error response from daemon:
removal of container ce0976ad22495c7cbe9487752ea32721a282164862db036b2f3377bd07461c3a
is already in progress
In addition, the validation of conflicting options
is moved from `docker run` to `opts.parse()`, so
that conflicting options are also detected when
running `docker create` and `docker start` separately.
To resolve the issue, the `AutoRemove` option is now
always set to `false` both by the client and the
daemon, if API version 1.24 or under is used.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While investigating 29936 I noticed one potential issue
in `LoadInsecureRegistries`.
The implementation of the func assumes that the format
of insecure registry should be `host:port` if not CIDR.
However, it is very common that user may incorrectly
provide a registry with a scheme (e.g, `http://myregistry.com:5000`)
Such a registry format with a scheme will cause docker pull to
always try https endpoint.
The reason is that the func of `isSecureIndex()` actually will
check for the map of the index server for `myregistry.com:5000`
while the insecure registry only has a record of `http://myregistry.com:5000`.
As a consequence, docker assumes that `myregistry.com:5000` is not
a insecure registry and will go ahead with https endpoint.
This fix addresses the issue by error out insecure registries with scheme.
A unit test has been added.
This fix is related to 29936.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
c54b717 caused a regression for pluginv1 on Windows, where extraneous
backslashes were added to BasePath of the plugin. For pluginv1 on windows,
BasePath() should return an empty string, since the plugin is fully aware
of the mount path. Also, unlike Linux where all paths are relative to "/",
Windows paths are dependent on system drives and mapped drives.
Fixes#30148
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
This fix catches the case where there is a single container port
and a dynamic host port and will fail out gracefully
Example docker-compose.yml snippet:
port:
ports:
- "8091-8093:8091"
- "80:8080"
Signed-off-by: Tony Abboud <tdabboud@hotmail.com>
Changes a couple of generate scripts so that the architecture
gets the go version from its own Dockerfile. This should cover a
rare case where the go version might have to be different from
the x86 Dockerfile.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Instead of a timeout the context is cancelled on error to ensure
proper cleanup of the associated fifos' goroutines.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Issue #30082 demonstrated that their is possible confusion with the "/."
where the tailing "." can appear to be merely punctuation within the
document rather than a highly pertinent part of `SRC_PATH`.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Commit b717de5153
changed the name of the "size" argument to
"virtualSize", as the "VirtualSize" field
was re-used for calculating the size of all
layers _not_ used by other images.
be20dc15af reverted
the change in calculation, but did not change
the argument name back to "size".
This changes the name back to its original
name, because since the introduction of the
content-addressable store in docker 1.10,
there no longer is a "virtual" size, so
"size" is a better name for this argument.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch fixed below 4 types of code line
1. Remove unnecessary variable assignment
2. Use variables declaration instead of explicit initial zero value
3. Change variable name to underbar when variable not used
4. Add erro check and return for ignored error
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
* Depending on the host configuration between the docker engine and the remote host we wish to mount using sshfs, a password may be required.
* Confirmed syntax for optional parameter with @vieux
* Verified change works as desired with engine running on Ubuntu host and mounting a volume from a file system on a Mac.
Signed-off-by: David Williamson <david.williamson@docker.com>
If you created containers from pre-OCI docker (e.g. docker-1.10.x)
upgrade may fail when restarting containers if the new docker daemon
has `--default-runtime` set.
In Fedora, we ship docker 1.12.6 with:
```
--default-runtime=oci
--add-runtime oci=/usr/libexec/docker/docker-runc-current
```
That way we don't rely on `docker-runc` being in `$PATH`.
The issue is, on upgrade from docker 1.10.3 without this patch, the
default runtime in `daemon/start_linux.go` is unconditionally set to
`runc=docker-runc` without honoring the `--default-runtime` flag set in
the docker daemon.
Reproducer:
- (1.10.3) `docker run -d -p 5000:5000 --restart=always --name registry
registry:2`
- upgrade to docker 1.12.6 (1.11.x has likely the same issue)
- the registry container fails to restart on upgrade with the following
log message `error="exec: \"docker-runc\": executable file not
found in $PATH: \"\""`
That error comes from the fact that we're setting the runtime in the
container's HostConfig to `runc` where instead we should have honored
the `--default-runtime` flag (in our case that's set to `oci`).
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This test checks to make sure both v1.12 and v1.13 client against v1.13 daemon get correct `Size` after the fix.
This test is related to 30027.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Join a few tests in one when it makes sense (reduce the number of
container run and thus the overall time of the suites)
- Remove some duplication on several tests
- Remove some unused methods
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The prune PR changed the meaning of the file to mean "space on disk
only unique to this image", this PR revert this change.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
When storeLayer.Parent returns the parent layer, it needs to use the same logic as Get where it wraps in a describablyStoreLayer if the layer is describable. Otherwise, on Windows, this can result in pushing the foreign layers, which is not supposed to be allowed.
This fixes https://github.com/docker/docker/issues/30080.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
This fix tries to address the issue raised in 29946 where
listing networks from API will return `null` if the result of
network filter is empty.
The reason for the issue was that inside the `filterNetworks()`,
the return value was initialized as `nil`:
```
var typeNet []types.NetworkResource
```
This is inconsistent with other places where return value was
initialized with `[]`
```
displayNet := []types.NetworkResource{}
```
This fix addresses the issue by changing `typeNet` to `[]` as well.
This fix fixes 29946.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix adds a new flag `--availability` to `swarm join`.
Related documentation has been updated.
An integration test has been added.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24596 where it was not
possible to join as manager only (`--availability=drain`).
This fix adds a new flag `--availability` to `swarm join`.
Related documentation has been updated.
An integration test has been added.
NOTE: Additional pull request for swarmkit and engine-api will
be created separately.
This fix fixes 24596.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Currently local volumes and other volumes that support SELinux do
not get labeled correctly. This patch will allow a user to specify
:Z or :z when mounting a volume and have it fix the label of the newly
created volume.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
- Make sure we use the correct network name for external ones.
- Make the default network overridable and only creates networks that
are used by services — so that default network is only created if a
service doesn't declare a network.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue raised in docker/docker-29730
where a service with multiple published ports mapping to the same target
port (e.g., `--publish 5000:80 --publish 5001:80`) can't be allocated.
The reason for the issue is that, `getPortConfigKey` is used for both
allocated ports and configured (may or may not be allocated) ports.
However, `getPortConfigKey` will not take into consideration the
`PublishedPort` field, which actually could be different for different
allocated ports.
This fix saves a map of `portKey:portNum:portState`, instead of currently
used `portKey:portState` so that multiple published ports could be processed.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
At the "Build image from Dockerfile" section in the API docs
the Content-Type header is missing.
In addition, some parts in the code are still setting the
Content-Type header to application/tar while it was changed
to application/x-tar since 16th September 2015.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
This reverts commit 105bc63295,
which (although correct), resulted in a backward incompatible
change.
We can re-implement this in future, after this changes goes
through a deprecation cycle
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Start work on adding unit tests to our cli code in order to have to
write less costly integration test.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
* Unlike other methods in truncindex, Iterate was not locking before
using the Trie, making it potentially race e.g. Delete could result in
setting a child to nil, while Iterate dereferenced that node
while walking the Trie.
Signed-off-by: Petar Petrov <pppepito86@gmail.com>
commit 56f77d5ade
added support for cpu-rt-period and cpu-rt-runtime,
but always initialized the cgroup path, even if not
used.
As a result, containers failed to start on a
read-only filesystem.
This patch only creates the cgroup path if
one of these options is set.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit 9322636c89
temporarily switched to a fork of go-memdb, because
a pull request that was needed was not yet merged
upstream.
this pull request was merged, so we can un-fork
this dependency.
this change does not bump the dependency, and
only un-forks. bumping the dependency should
be done in a separate change, if needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The keyserver infrastructure is unreliable, and just adds another point
of failure without adding any security. Instead, commit the key used at
build time for ZFS to the repo, and inline our signing key into the
install script rather than just its fingerprint.
fix#28510fix#13555
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
The `digest` data type, used throughout docker for image verification
and identity, has been broken out into `opencontainers/go-digest`. This
PR updates the dependencies and moves uses over to the new type.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
The base selinux policies on centos/rhel/oraclelinux have all been
updated in a way that conflicts with the policies we install with
`docker-engine-selinux`. This patch fixes these conflicts.
In addition, removes special cases for old/unsupported versions of
fedora in our selinux package, and change to use a single minimum
version for the selinux base policy package, as this is the minimum
version required to use our selinux policy package.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
In the event that the docker daemon is managed by systemd and spontaneously
dies the default service configuration does not have docker restart. For people
who just want to install and start docker then never worry about whether docker
is running a better default may be to restart the service on a failure.
Signed-off-by: Ryan Abrams <rdabrams@gmail.com>
`plugins.GetAll()` was not locking the plugin map when checking if a
plugin exists, this can cause a race and potentially a panic if another
goroutine is trying to load a plugin into the map at the same time.
Also fixes a race during activation where a plugin inserts itself into
the plugin map but does not check if something else is already there.
This is already checked before trying to activate the plugin, however
the map lock is not held for this entire period, so other plugins may be
loaded during this time.
To fix, before inserting the plugin into the map, check if one with the
same name already exists and use that instead.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This test checks for the substring "foo" in the "secret ls" output. This
is a valid base36 substring and can sometimes show up by chance:
docker_cli_secret_create_test.go:86:
c.Assert(out, checker.Not(checker.Contains), name)
... obtained string = "" +
... "ID NAME CREATED UPDATED\n" +
... "ob8y4t4feuz8pn5h6vla9oxoz stefoo7e268ozqfupi9s4se9q Less than a second ago Less than a second ago\n"
... substring string = "foo"
Change the secret name to test_secret, matching other tests. Underscores
can't appear in base36 so this name is safe to grep for.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Vendor the latest official logrus release instead of a custom fork
(which now happens to be identical to the fork).
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
I often get complains that container removal failed and users got following
error message.
"Driver devicemapper failed to remove root filesystem 18a69ba82aaf7a039ce7d44156215012d703001643079775190ac7dd6c6acf56:Device is Busy"
This error message talks about container id but does not give any info
about which particular device id is busy. Most likely device is mounted
in some other mount namespace and if one knows the device id, they
can try to do some debugging figuring which process and which mount
namespace is keeping the device busy and how did we reach that stage.
Without that information, it becomes almost impossible to debug the
problem.
So to improve the debuggability, when device removal fails, also return
device id in error message. Now new message looks as follows.
"Driver devicemapper failed to remove root filesystem 18a69ba82aaf7a039ce7d44156215012d703001643079775190ac7dd6c6acf56: Failed to remove device dbc15bdf9994a17c613d8ef9e924f3cffbf67f91e4f709295c901ad628377991:Device is Busy"
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This fix tries to address the issue raised in 29810
where btrfs subvolume removal failed when docker
is in an unprivileged lxc container. The failure
was caused by `Failed to rescan btrfs quota` with
`operation not permitted`.
However, if disk quota is not enabled, there is no
need to run a btrfs rescan at the first place.
This fix checks for `quotaEnabled` and only run btrfs
rescan if `quotaEnabled` is true.
This fix fixes 29810.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to add a placeholder `.CreatedAt` for Go
format template in `docker network ls --format`.
While working on 29226, I noticed that it is not possible to
display network's creation time in `docker network ls`, with or
without `--format`.
We are able to find the timestamp through `docker network inspect` though.
However, as we allows networks to be pruned based on the timestamp
(see 29226), showing the timestamp in `docker network ls --format`
would be much useful now.
This fix adds the `.CreatedAt` placeholder for `docker network ls --format`.
The default output was not changed for `docker network ls --format`.
A test case for unit tests has been added.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is a follow up for comment
https://github.com/docker/docker/pull/28535#issuecomment-263215225
This fix provides `--filter until=<timestamp>` for `docker container/image prune`.
This fix adds `--filter until=<timestamp>` to `docker container/image prune`
so that it is possible to specify a timestamp and prune those containers/images
that are earlier than the timestamp.
Related docs has been updated
Several integration tests have been added to cover changes.
This fix fixes#28497.
This fix is related to #28535.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This makes the test a bit more robust to change and is a bit cleaner.
As implemented before this commit, we have two named plugins pointing to
the same http service. If the daemon makes any unexpected calls to the
plugin (e.g. during startup) we'll get more counts on the event counter
than expected since the daemon sees 2 plugins.
Found this while working on #29877 which broke this test originally (but
is no longer using V1 plugins, so is this is no longer broken there) and
took some time to debug what was going on.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
returned in "docker info". Currently info endpoint isnt using the
GetAllByCap, but relies on existing networks to get the plugin names.
This causes a basic issue when it comes to global network plugins which
swarm-mode relies on, wherein swarmkit will not be able to schedule the
network on the worker nodes due to the filtering logic.
In order to break this chicken & egg issue, we must start to use the
GetAllManagedPluginsByCap. We are unable to use GetAllByCap due to
various issues with Plugin-V1's lazy loading approach causing issues
especially during daemon restarts (which uses SystemInfo)
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Go style calls for mixed caps instead of all caps:
https://golang.org/doc/effective_go.html#mixed-caps
Change LOOKUP, ACQUIRE, and RELEASE to Lookup, Acquire, and Release.
This vendors a fork of libnetwork for now, to deal with a cyclic
dependency issue. The change will be upstream to libnetwork once this is
merged.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
When building a Dockerfile from a Windows client on a Linux daemon, a
"security warning" is printed
on stderr. Having this warning printed on stderr makes it difficult to
distinguish a failed build from one that's succeeding, and the only way to
suppress the warning is through the -q option, which also suppresses every
output. This change prints the warning on stdout, instead of stderr, to
resolve this situation.
- Use the word letter rather than character to refer to letters ;) when trying to specify that only letters and numbers can be used, and not ANY character...
- Small corrections
Fixes#29821
Signed-off-by: Timothy Hobbs <timothy@hobbs.cz>
The goal is to remove function from `docker_utils.go` and setup
simple, one-responsability package that can be well tested ; and to
ease writing request.
This moves all the calls to `sockRequest` (and similar methods) to
their counterpart in the `request` package.
This introduce `request.Do` to write easier request (with functional
argument to easily augment the request) with some pre-defined function
for the most used http method (i.e. `request.Get`, `request.Post` and
`request.Delete`).
Few of the `sockRequest` call have been moved to `request.Do` (and
`Get`, etc.) to showcase the usage of the package. There is still a
whole lot to do.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
If the container is not found when removing, it means it's already not
there anymore, so it's safe to ignore. This should reduce a bit some
`TearDown` flakyness..
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
- `TestRunMountReadOnlyDevShm` and `TestRunHostnameInHostMode` needs
`NotUserNamespace` requirement as these are known limitation of
userns.
- `TestBuildWorkdirCmd` should use a preload image (`busybox`) instead
of one that require network access.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This extract what was in registry_test.go and
registry_mock_test.go. This also move `RegistryHosting`
requirement to `registry.Hosting`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When using both `--secret-rm` and `--secret-add` on `docker service update`,
`--secret-rm` was always performed last. This made it impossible to update
a secret that was already in use on a service (for example, to change
it's permissions, or mount-location inside the container).
This patch changes the order in which `rm` and `add` are performed,
allowing updating a secret in a single `docker service update`.
Before this change, the `rm` was always performed "last", so the secret
was always removed:
$ echo "foo" | docker secret create foo -f -
foo
$ docker service create --name myservice --secret foo nginx:alpine
62xjcr9sr0c2hvepdzqrn3ssn
$ docker service update --secret-rm foo --secret-add source=foo,target=foo2 myservice
myservice
$ docker service inspect --format '{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}' myservice | jq .
null
After this change, the `rm` is performed _first_, allowing users to
update a secret without updating the service _twice_;
$ echo "foo" | docker secret create foo -f -
1bllmvw3a1yaq3eixqw3f7bjl
$ docker service create --name myservice --secret foo nginx:alpine
lr6s3uoggli1x0hab78glpcxo
$ docker service update --secret-rm foo --secret-add source=foo,target=foo2 myservice
myservice
$ docker service inspect --format '{{ json .Spec.TaskTemplate.ContainerSpec.Secrets }}' myservice | jq .
[
{
"File": {
"Name": "foo2",
"UID": "0",
"GID": "0",
"Mode": 292
},
"SecretID": "tn9qiblgnuuut11eufquw5dev",
"SecretName": "foo"
}
]
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `DOCKER_HIDE_LEGACY_COMMANDS` environment
variable was added in a7c8bcac2b
but not documented.
This adds the variable to the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit a77f2450c7 switched `docker run`
to use the `pflags` package. Due to this change, the usage output for
the `--blkio-weight-device` and `--device-*` flags changed and now
showed `weighted-device`, and `throttled-device` as value type. As a
result, the output of `docker run --help` became a lot wider.
This patch changes the output to show `list` instead, which is
consistent with other options that allow to be set multiple times.
Output before this change;
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Run a command in a new container
Options:
--blkio-weight uint16 Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
--blkio-weight-device weighted-device Block IO weight (relative device weight) (default [])
--device list Add a host device to the container (default [])
--device-read-bps throttled-device Limit read rate (bytes per second) from a device (default [])
--device-read-iops throttled-device Limit read rate (IO per second) from a device (default [])
--device-write-bps throttled-device Limit write rate (bytes per second) to a device (default [])
--device-write-iops throttled-device Limit write rate (IO per second) to a device (default [])
-w, --workdir string Working directory inside the container
Output after this change;
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Run a command in a new container
Options:
--blkio-weight uint16 Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
--blkio-weight-device list Block IO weight (relative device weight) (default [])
--device list Add a host device to the container (default [])
--device-read-bps list Limit read rate (bytes per second) from a device (default [])
--device-read-iops list Limit read rate (IO per second) from a device (default [])
--device-write-bps list Limit write rate (bytes per second) to a device (default [])
--device-write-iops list Limit write rate (IO per second) to a device (default [])
-w, --workdir string Working directory inside the container
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Because "tty" is closed in s.d.Stop() for "--raw-logs=false" test,
we need to open another pair of pty before test "--raw-logs=true"
option.
This patch fix#29772.
Signed-off-by: Jiuyue Ma <majiuyue@huawei.com>
I was seeing this for windowsRS1 testing:
17:20:36 ----------------------------------------------------------------------
17:20:36 FAIL: docker_cli_restart_test.go:31: DockerSuite.TestRestartRunningContainer
17:20:36
17:20:36 docker_cli_restart_test.go:39:
17:20:36 c.Assert(out, checker.Equals, "foobar\n")
17:20:36 ... obtained string = ""
17:20:36 ... expected string = "foobar\n"
17:20:36
17:20:59
17:20:59 ----------------------------------------------------------------------
and I think its because there's a delay between the time the container is
started and the 'echo' is actually run. This gives it up to 10 seconds
to do the 'echo' before giving up.
/cc @jhowardmsft
Signed-off-by: Doug Davis <dug@us.ibm.com>
Fix#29344
If HOME is not set, the gcplogs logging driver will call os/user.Current() via oauth2/google.
However, in static binary, os/user.Current() leads to segfault due to a glibc issue that won't be fixed
in a short term. (golang/go#13470, https://sourceware.org/bugzilla/show_bug.cgi?id=19341)
So we forcibly set HOME so as to avoid call to os/user/Current().
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Call daemon.Mount will increase the refcount of mounted path,
for those previous running containers, `Mount` call will make
the refcount to 2. see
https://github.com/docker/docker/blob/v1.13.0-rc4/daemon/graphdriver/counter.go#L38
```
if !m.check {
m.check = true
if c.checker.IsMounted(path) {
m.count++
}
}
m.count++
```
graphdrive could restore on reboot after #22541, call
daemon.Mount to resore the graphdriver is not necessary.
And call `daemon.Mount` on restorting will mount all the containers
mounted layer even if it was stop.
This fix call Mount and then Unmount to get `BaseFs`
Signed-off-by: Lei Jitang <leijitang@huawei.com>
This fix is a follow up based on comment:
and a follow up to:
https://github.com/docker/docker/pull/29222#issuecomment-268908937
As #28789 has been merged in, it is possible for `docker plugin inspect`
to search based on Name or ID Prefix. However, ID-based
`docker plugin enable/disable/rm/set` are still not possible.
This fix addes test for `docker plugin enable/disable/rm/set` to search based on:
- Full ID
- Full Name
- Partial ID (prefix)
The actual fix is done in #29487.
This fix is a follow up of #28789 and #29487.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Move *one-shot* (one use) function where it is actually used (easier
to know what's going on).
- Remove `pullImageIfNotExist` function as it might be an artifact
from way back. We don't need it as we already have frozen/loaded
image of busybox.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
- Make it possible to define a shorter waiting time of httputils
- Make a small hack to reduce the waiting time on distribution/xfer
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When a plugin is activated, and then `plugins.Handle` is called to
register a new handler for a given plugin type, a deadlock occurs when
for anything which calls `waitActive`, including `Get`, and `GetAll`.
This happens because `Handle()` is setting `activated` to `false` to
ensure that plugin handlers are run on next activation.
Maybe these handlers should be called immediately for any plugins which
are already registered... but to preserve the existing behavior while
fixing the deadlock, track if handlers have been run on plugins and
reset when a new handler is registered.
The simplest way to reproduce the deadlock with Docker is to add a `-v
/foo` to the test container created for the external graphdriver tests.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to fix 29667 where image's `CMD` is modified
after `WORKDIR` in Dockerfile.
The value of `b.runConfig.Cmd` was modified in the processing
of `WORKDIR`, in order to fix 28902. However, the same
`b.runConfig.Cmd` is passed to `commit()`.
This fix restored the `b.runConfig.Cmd` before `commit()`
the image for `WORKDIR`.
A test has been added.
This fix fixes 29667.
This fix is related to 28902, 28909, 28514.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In #28507 and #28885, `docker service/node ps -a` has been removed so that
information about slots are show up even without `-a` flag.
The output of `docker stack ps` reused the same output as `docker service/node ps`.
However, the `-a` was still there. It might make sense to remove `docker stack ps -a`
as well to bring consistency with `docker service/node ps`.
This fix is related to #28507, #28885, and #25983.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This change does some minor cleanups in the
cli/command/container package;
- sort imports
- replace `fmt.Fprintf()` with `fmt.Fprintln()` if no formatting is used
- replace `fmt.Errorf()` with `errors.New()` if no formatting is used
- remove some redundant `else`'s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
… or could be in `opts` package. Having `runconfig/opts` and `opts`
doesn't really make sense and make it difficult to know where to put
some code.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Move plugins to shared distribution stack with images.
Create immutable plugin config that matches schema2 requirements.
Ensure data being pushed is same as pulled/created.
Store distribution artifacts in a blobstore.
Run init layer setup for every plugin start.
Fix breakouts from unsafe file accesses.
Add support for `docker plugin install --alias`
Uses normalized references for default names to avoid collisions when using default hosts/tags.
Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
When plugins have a positive refcount, they were not allowed to be
removed. However, plugins could still be disabled when volumes
referenced it and containers using them were running.
This change fixes that by enforcing plugin refcount during disable.
A "force" disable option is also added to ignore reference refcounting.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This fix tries to address issue raised in 25228 to support
multiple service IDs on `docker service ps`.
Multiple IDs are allowed with `docker service ps ...`, and
related documentation has been updated.
A test has been added to cover the changes.
This fix fixes 25228.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The current GetAll handles both V2 and legacy plugins. Also due to the
nature of V1 plugins, it also loads them. This causes problems when
loading is not required. Hence adding an independent API that will
return only the plugins that are loaded using v2 mangaed plugins.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
bolt k/v pairs are only valid for the life of a transaction.
This means the memory that the k/v pair is referencing may be invalid if
it is accessed outside of the transaction.
This can potentially cause a panic.
For reference: https://godoc.org/github.com/boltdb/bolt#hdr-Caveats
To fix this issue, unmarshal the stored data into volume meta before
closing the transaction.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to fix the issue in 29619 where
labels passed from `build --labels` are not sorted.
As a result, if multiple labels have been passed,
each `docker build --labels A=A --labels B=B --labels C=C`
will generate different layers.
This fix fixes the issue by sort the Labels before
they are concatenated to `LABEL ...`.
A unit test has been added to cover the changes
This fix fixes 29619.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Some words such as "swarm" and "apparmor" were recognized as "arm".
So remove "arm" from the list at the moment.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Change the `State` field of the `/containers/json` remote API response to lowercase.
This change involves docs/api/v1.23.md and docs/api/v1.24.md
Signed-off-by: Anran Qiao <anran.qiao@daocloud.io>
This fix is a follow up for comment:
https://github.com/docker/docker/pull/29186/files#r91277345
While #29186 addresses the issue of `docker inspect <unknown object>`
on Windows, it actually makes `docker plugin inspect <unknown object>`
out `object not found` on Windows as well. This is actually misleading
as plugin is not supported on Windows.
This fix reverted the change in #29186 while at the same time,
checks `not supported` in `docker inspect <unknown object>` so that
- `docker plugin inspect <unknown object>` returns `not supported` on Windows
- `docker inspect <unknown object>` returns `not found` on Windows
This fix is related to #29186 and #29185.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29291 where
the output of `--replicas` in `service create/update`:
```
--replicas uint Number of tasks (default none)
```
is misleading. User might incorrectly assume the number of replicas
would be `0` (`none`) by default, while the actual default is `1`.
The issue comes from the fact that some of the default values are
from daemon and it is not possible for client to find out the default
value.
In this case, it might be better to just simply not displaying `(default none)`.
This fix returns "" for `Uint64Opt` so that `(default none)` is hidden.
In addition to `--replicas`, this fix also changes
`--restart-delay`, `--restart-max-attempts`, `--stop-grace-period`,
`--health-interval`, `--health-timeout`, and `--restart-window`
in a similiar fashion.
New Output:
```
--health-interval duration Time between running the check (ns|us|ms|s|m|h)
--health-timeout duration Maximum time to allow one check to run (ns|us|ms|s|m|h)
...
--replicas uint Number of tasks
...
--restart-delay duration Delay between restart attempts (ns|us|ms|s|m|h)
--restart-max-attempts uint Maximum number of restarts before giving up
--restart-window duration Window used to evaluate the restart policy (ns|us|ms|s|m|h)
...
--stop-grace-period duration Time to wait before force killing a container (ns|us|ms|s|m|h)
```
The docs has been updated. Note the docs for help output of `service create/update`
is out of sync with the current master. This fix replace with the update-to-date
help output.
This fix fixes 29291.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Sets a kernel requirement for for `TestGraphdriverPlugin` since the
graphdriver being used is overlay2.. and also makes sure to skip the
kernel check in the actual graphdriver since we may be able to detect
kernels with backported support for overlay2 style mounts a bit more
freely in the test code.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Move configurations into a single file.
Abstract download manager in pull config.
Add supports for schema2 only and schema2 type checking.
Add interface for providing push layers.
Abstract image store to generically handle configurations.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Manifest builder allows setting the configuration type
for the manifest being build. Additionally the default
type has been renamed to reflect it is an image type.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
The `docker logs` command performed a
client-side check if the container's
logging driver was supported.
Now that we allow the client to connect
to both "older" and "newer" daemon versions,
this check is best done daemon-side.
This patch remove the check on the client
side, and leaves validation to the daemon,
which should be the source of truth.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
… and given where it was used, it should be quicker to create an empty
folder instead of passing potentially a big context with unrelated file.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
criu 2.8 and 2.9 contain various fixes,
so updating the version in the Dockerfile
to match the newer version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The current validation only checked for the
number of elements in the volume-spec, however,
did not validate if the elements were empty.
Because of this, an empty volume-spec (""),
or volume spec only containing separators ("::")
would not be invalidated.
This adds a simple check for empty elements in
the volume-spec, and returns an error if
the spec is invalid.
A unit-test is also added to verify the behavior.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the `convertVolumeToMount()` function did not take
anonymous volumes into account when converting
volume specifications to bind-mounts.
this resulted in the conversion to try to
look up an empty "source" volume, which
lead to an error;
undefined volume:
this patch distinguishes "anonymous"
volumes from bind-mounts and named-volumes,
and skips further processing if no source
is defined (i.e. the volume is "anonymous").
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While looking into `docker stats <c1> <c2> ...` I noticed that
the error output is quite long, especially if there are multiple errors:
```sh
ubuntu@ubuntu:~/docker$ docker stats nofound
: Error response from daemon: No such container: nofound
ubuntu@ubuntu:~/docker$ docker stats nofound foo bar
: Error response from daemon: No such container: nofound, : Error response from daemon: No such container: foo, : Error response from daemon: No such container: bar
```
There are several issues,
1. There is an extra `: ` at the beginning. That is because if container is not found,
the name will not be available from the daemon.
2. Multiple errors are concatenated with `, ` which will be quite long.
This fix:
1. Only prient out the error from daemon.
2. Multiple errors are printed out line by line.
Below is the new output:
```sh
ubuntu@ubuntu:~/docker$ docker stats nofound
Error response from daemon: No such container: nofound
ubuntu@ubuntu:~/docker$ docker stats nofound foo bar
Error response from daemon: No such container: nofound
Error response from daemon: No such container: foo
Error response from daemon: No such container: bar
```
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the issue raised in 29486 where interrupted
`docker build` leaves some tmp files in `/var/lib/docker/tmp`.
With tmp file name prefixed with `/var/lib/docker/tmp/docker-builderXXXXXX`.
The reason for the issue is that in `MakeTarSumContext()`:
```
if err := chrootarchive.Untar(sum, root, nil); err != nil {
return nil, err
}
```
the `err` is shadowed and caused the clean up function in `defer func()`
not being called.
This fix fixes the issue.
This fix is tested manually, as was specified in 29486:
```
rm -rf /var/lib/docker/tmp
mkdir repro && cd repro
fallocate -l 300M bigfile
cat > Dockerfile <<EOF
FROM scratch
COPY ./bigfile /
EOF
docker build .
{Cancel}
ls -la /var/lib/docker/tmp
```
This fix fixes 29486.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
check to see if the node is part of a swarm, and if so, if it is unlocked first.
If neither of these are true, abort the command.
Signed-off-by: Ying Li <ying.li@docker.com>
Previously, it was comparing against the driver name passed in by the
caller. This could lead to subtle issues when using plugins, like
"plugin" vs. "plugin:latest".
Also, remove "conflict:" prefix to improve the error message.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Ensures all known volumes (known b/c they are persisted to disk) have
their volume drivers refcounted properly.
In testing this, I found an issue with `--live-restore` (required since
currently the provided volume plugin doesn't keep state on restart)
where restorted plugins did not have a plugin client loaded causing a
panic when trying to use the plugin.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
In cases where there is high latency (ie, not-local network)
`waitExitOrRemoved` was not receiving events for short-lived containers.
This caused the client to hang while waiting for a notification that the
container has stopped.
This happens because `client.Events()` returns immediately and spins a
goroutine up to process events. The problem here is it returns before
the request to the events endpoint is even made.
Even without high-latency issues, there is no guarantee that the
goroutine is even scheduled by the time the function returns.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
the "docker swarm leave" command description
mentioned that the command can only be used
for workers, however, the command can also
be used for managers (using the `-f` / `--force`
option).
this patch removes the "(workers only)" part
of the command description.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
By using `make CONTAINER_NAME=docker-dev shell` you're able to name
the docker-dev container to what you want. The idea behind it is by
knowing the name of your dev container you can automate easily some
thing using `docker exec` later.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix is a follow up to #29365. In #29365 a bug was fixed for
`docker exec -u user` after live restore by remounting.
However, #29365 will prevent containers from restored if mount failed.
In this fix, containers will be restored even if mount in that step failed.
Some functionalities might be missing (like `docker exec -u user`) but
at least it is possible to do certain operations like stop/restart/delete.
This fix is related to #29365.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
"docker service" can also refer to an init system's service named docker
This would prevent labeling e.g. systemd related issues to swarm.
Signed-off-by: Tibor Vass <tibor@docker.com>
Previously, it doesn't allow creating such a network:
e.g.
$ docker network inspect -f '{{.Id}}' ingress
84xh9knigj6zyt00u31e26nj3
$ docker network create 84
Error response from daemon: network with name 84 already exists
Fix#27866
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
With commit ee59f25c2d we changed from
gcc-go to golang 1.7. By switching to debian we can reduce the base
layer from 1.4 GB to around 130 MB.
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Fixes a case where removing the plugin from disk would
fail silently. Also moves pluginStore remove after we
remove from disk, so 'docker plugin ls' doesn't isn't
empty in case it errors out.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Much easier than the previous method of copying over to the docs
repository and generating the docs.
And, as @cpuguy83 pointed out, that actually didn't work
because the PR that adds Swagger docs isn't merged yet. Oopsy.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
In #29071, we made the tags the correct name for generating types,
at the expense of the menu in the documentation looking good.
ReDoc now has support for tag display names
( https://github.com/Rebilly/ReDoc/pull/152 ), so we can assign
a more human-friendly name to the menu items.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
… to flood a little bit less the integration cli output. Now use any
testing framework that has a LogF function.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue raised in 29342 where
`docker exec -u` after docker daemon restart returns an error:
```
unable to find user test: no matching entries in passwd file
```
The reason was that `container.BaseFS` is not present after restart.
This fix adds the `daemon.Mount` during the restore to bring up the
`container.BaseFS`.
An integration test has been added to cover the changes.
This fix fixes 29342.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fixes an issue when starting the daemon with live-restore
where previously it was not set, plugins are not running.
Fixes an issue when starting the daemon with live-restore, the plugin
client (for interacting with the plugins HTTP interface) is not set,
causing a panic when the plugin is called.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The top-level `docker inspect` command could return
an error if the nodes Swarm certificates were expired.
In situations where the user did not explicitly
ask for an object-type (`--type=foo`), we should
ignore these errors, and consider them equal to
"node is not a swarm manager".
This change makes `docker inspect` ignore these
errors if no type was specified.
As a further optimization, the "swarm status"
result is now stored in a variable, so that
other swarm-specific API calls can be skipped.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address the issue raised in 28581 and 28927
where it is not possible to create a secret from a file (only
through STDIN).
This fix add a flag `--file` to `docker secret create` so that
it is possible to create a secret from a file with:
```
docker secret create --file secret.in secret.name
```
or
```
echo TEST | docker secret create --file - secret.name
```
Related docs has been updated.
An integration test has been added to cover the changes.
This fix fixes 28581.
This fix is related to 28927.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24352. Previously,
when `docker swarm update` has no flags, the output is
```
Swarm updated.
```
even though nothing was updated. This could be misleading for
users.
This fix tries to address the issue by adding a `PreRunE` function
in the command so that in case no flag is provided (`cmd.Flags().NFlag() == 0`),
the usage will be outputed instead.
An integration has been added to cover the changes.
This fix fixes 24352.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
commit bbd2018ee1
changed the output format of `docker service ps`.
this patch updates the reference docs
to match the updated output format.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The success of the win2lin CI before was really "by chance" on the
DockerDaemonSuite : the DockerDaemonSuite was panicking when starting
the daemon on the first non-skipped test.The suite panicked but as
the error returned from `StartWithBusybox` was nil, the test kept
going and was OK because the client had all the correct environment
variables set up to discuss with the remote daemon.
Then, as the suite panicked, no more test attached on the
DockerDaemonSuite ran (that's why on win2lin, `DockerDaemonSuite` was
only composed by 5 tests !). The really bad thing is, we didn't get
any report of the panic on the suite (go-check hiding something
somewhere).
As DockerDaemonSuite needs to run test on the same host as it's
running, this adds a `SameHostDaemon` requirement to the Suite.
This changes also make sure `TestRestartContainerWithRestartPolicy`
does left weirdies behind it.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Due to the test plugins being architecture specific, these
tests fail to start the plugin (even though they don't fail yet)
Temporary fix until we can build architecture specific test
plugins.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
… to make sure it doesn't fail. It also introduce StartWithError,
StopWithError and RestartWithError in case we care about the
error (and want the error to happen).
This removes the need to check for error and make the intent more
clear : I want a deamon with busybox loaded on it — if an error occur
it should fail the test, but it's not the test code that has the
responsability to check that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
`--publish-add 8081:81 --publish-add 8082:82 --publish-rm 80
--publish-rm 81/tcp --publish-rm 82/tcp` would thus result in 81 and
82 to be published.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to fix the issue raised in 29044 where
the IPAM options is missing in swarm network mode
after the service is deployed. Before the service
is deployed, the IPAM options is available.
The reason for the issue is that, before service is
deployed, `network inspect` is querying the swarm and
obtained the correct information.
However, after service is deployed, swarm executor
does not pass the IPAM options to the backend (daemon).
Also after service is deployed, `network inspect` is
actually querying the local daemon for information.
At this time the network information with missing IPAM
options is returned.
This fix fixes the issue by updating the swarm network
allocator and swarm executor.
A separate PR for swarmkit will be opened.
An integration test has been added to cover the change.
This fix fixes 29044.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Adds 2 new methods to v2 plugin `Acquire` and `Release` which allow
refcounting directly at the plugin level instead of just the store.
Since a graphdriver is initialized exactly once, and is really managed
by a separate object, it didn't really seem right to call
`getter.Get()` to refcount graphdriver plugins.
On shutdown it was particularly weird where we'd either need to keep a
driver reference in daemon, or keep a reference to the pluggin getter in
the layer store, and even then still store extra details on if the
graphdriver is a plugin or not.
Instead the plugin proxy itself will handle calling the neccessary
refcounting methods directly on the plugin object.
Also adds a new interface in `plugingetter` to account for these new
functions which are not going to be implemented by v1 plugins.
Changes terms `plugingetter.CREATE` and `plugingetter.REMOVE` to
`ACQUIRE` and `RELEASE` respectively, which seems to be better
adjectives for what we're doing.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix updates swarmkit to 5a6df4b07d83e6dbd72e39e354c325dc9b91850f.
This fix is needed by #29074 (docker PR) and is related to
docker/swarmkit#1789 (swarmkit PR) and #29044
This fix may be needed for 1.13.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Legacy plugins expect host-relative paths (such as for Volume.Mount).
However, a containerized plugin cannot respond with a host-relative
path. Therefore, this commit modifies new volume plugins' paths in Mount
and List to prepend the container's rootfs path.
This introduces a new PropagatedMount field in the Plugin Config.
When it is set for volume plugins, RootfsPropagation is set to rshared
and the path specified by PropagatedMount is bind-mounted with rshared
prior to launching the container. This is so that the daemon code can
access the paths returned by the plugin from the host mount namespace.
Signed-off-by: Tibor Vass <tibor@docker.com>
go 1.7.4 introduced official go ppc64le binaries, so use those
instead of using older versions of go and building from src.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This fix fixes a couple of incorrect version strings in swagger.yaml
`v1.25` should be `v1.26`. This applies to 1.14 version only.
Also checked 1.13rc and it is fine.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This reverts 26103. 26103 was trying to make it so that if someone did:
docker build --build-arg FOO .
and FOO wasn't set as an env var then it would pick-up FOO from the
Dockerfile's ARG cmd. However, it went too far and removed the ability
to specify a build arg w/o any value. Meaning it required the --build-arg
param to always be in the form "name=value", and not just "name".
This PR does the right fix - it allows just "name" and it'll grab the value
from the env vars if set. If "name" isn't set in the env then it still needs
to send "name" to the server so that a warning can be printed about an
unused --build-arg. And this is why buildArgs in the options is now a
*string instead of just a string - 'nil' == mentioned but no value.
Closes#29084
Signed-off-by: Doug Davis <dug@us.ibm.com>
- Display the ID column
- Do not append the task ID in the name column
- (NEW): Truncate task IDs, unless --no-trunc is specified
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This removes some very old vestigial code that really should have been
removed during the content addressability transition. It implements
something called "reference" but it behaves differently from the actual
reference package. This was only used by client-side content trust code,
and is relatively easy to extricate.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Otherwise, while using test-integration-shell, it runs the tests using
the previously compiled test binary.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In certain cases (unattended upgrades), system services can disable
loaded AppArmor profiles. However, since /etc being read-only is a
supported setup we cannot just write a copy of the profile to
/etc/apparmor.d.
Instead, dynamically load the docker-default AppArmor profile if a
container is started with that profile set. This code will short-cut if
the profile is already loaded.
Fixes: 2f7596aaef ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
v2/Plugin struct had fields that were
- purely used by the manager.
- unsafely exposed without proper locking.
This change fixes this, by moving relevant fields to the manager as well
as making remaining fields as private and providing proper accessors for
them.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This fix tries to address the issue raised on 29185 where
`docker inspect <unknown object>` on Windows will return:
```
Error response from daemon: plugins are not supported on this platform
```
The reason was that in case `--type` is not specified, `docker inspect`
will iterate through different types `container`, `image`, `network`,
`plugin` etc. The `plugin` object is the last type to check.
However, as `plugin` is not supported on Windows yet, the error message
is not very informative for `plugins are not supported on this platform`.
This fix tries to fix the issue by return a `not found` error on unsupported
platforms as well.
An integration test has been added to cover the changes for Windows/Linux.
This fix fixes 29185.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29129 where
"--hostname" not working when running in "--net=host" for
`docker run`.
The fix fixes the issue by not resetting the `container.Config.Hostname`
if the `Hostname` has already been assigned through `--hostname`.
An integration test has been added to cover the changes.
This fix fixes 29129.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Some containers were being built (`docker build`) without
the DOCKER_BUILD_ARGS variable, which was causing some
issues because of the lack of network proxy configuration.
Fixes#29132
Signed-off-by: Luiz Svoboda <luizek@gmail.com>
The test ensures that `docker run --read-only -v /var/empty:/dev/shm:ro`
makes /dev/shm read-only
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Changes the default when incremental build is enabled to use named
volumes instead of bindmounts.
The reason for this is, on Mac/Windows the bind mounts will go over the
shared fs, which is incredibly slow and itself uses lots of CPU.
Makes an incremental build on OSX go from ~40s to 10s.
To get the old behavior, can set `PKGCACHE_DIR=.go-pkg-cache`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The current implementation of getRefs is a bit fragile. It returns a
slice to callers without copying its contents, and assumes the contents
will not be modified elsewhere.
Also, the current implementation of Dereference requires copying the
slice of references, excluding the one we wish to remove.
To improve both of these things, change refs to be a map of maps.
Deleting an item becomes trivial, and returning a slice of references
necessitates copying from the map.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
test.main was unexpectedly created under docker/integration-cli/bundles/VERSION/test-integration-cli directory.
This commit moves test.main to docker/bundles/VERSION/test-integration-cli.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
With this change we can run a Docker build in QEMU and build ARM or ARM64 binaries directly on an Intel build machine. This feature already supports building with Docker4Mac (Beta31). So it's easy for a developer to compile and test the Docker binaries locally on his dev machine w/o the need of the target hardware. Another use case would be to run builds on a clound CI like Travis to get an instant feedback loop for PR's, all on a common Intel platform w/o the need to set up the CI system on the target hardware.
Usage: build static Docker binaries for ARM 32-bit
```
DOCKER_ENGINE_OSARCH="linux/arm" make binary
```
Usage: build static Docker binaries for ARM64 aka AARCH64
```
DOCKER_ENGINE_OSARCH="linux/arm64" make binary
```
Signed-off-by: Dieter Reuter <dieter.reuter@me.com>
This fix tries to address the issue in 28884 where
it is possible to mask the secret ID by name.
The reason was that searching a secret is based on name.
However, searching a secret should be done based on:
- Full ID
- Full Name
- Partial ID (prefix)
This fix addresses the issue by changing related implementation
in `getCliRequestedSecretIDs()`
An integration test has been added to cover the changes.
This fix fixes 28884
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix convert DanglingOnly in ImagesPruneConfig to Filters,
so that it is possible to maintain API compatibility in the future.
Several integration tests have been added to cover changes.
This fix is related to 28497.
A follow up to this PR will be done once this PR is merged.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the enhancement proposed in 28708 to display
ID field for the output of `docker plugin ls`.
This fix add `ID` field to the output of `docker plugin ls`
Related docs has been updated.
This fix fixes 28708.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the proposal raised in 28946
to support plugins in `docker inspect`.
The command `docker inspect` already supports
"container", "image", "node", "network", "service", "volume", "task".
However, `--type plugin` is not supported yet at the moment.
This fix address this issue by adding the support of `--type plugin`
for `docker inspect`.
An additional integration test has been added to cover the changes.
This fix fixes 28946.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This is required to make the type generation put things in the
correct directory, but unfortunately makes the names in the
documentation menu look a bit crap.
I think the best solution would be to add a `x-display-name`
extension to tags to determine how the tags show up in the menu,
rather than it depend on the name of the tag. I shall do this in
a follow-up PR - for now, let's fix the breakage.
Fixes#29045
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
This make it more consistent with the other image builds and allow to
build manpages behind a proxy for example.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
.dockerignore pattern of **/.foo incorrectly matched **/bar.foo
because **/.foo was getting converted into a .*\.foo regex
instead of (.*/)*\.foo
Closes#29014
Signed-off-by: Doug Davis <dug@us.ibm.com>
the restart policy validation was moved from
the client to the daemon in 94e95e4711
As part of that change, retry-counts < 1
were marked as "invalid".
However, the default is 0 (unlimited), causing
docker run -d --restart=on-failure nginx
To fail.
This changes the validation to only invalidate
retry-counts < 0.
A test was added, and other tests renamed
to allow running just these tests :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This pins the version of go-swagger used, because
the results generated by different versions
can differ quite a bit (tested between 0.7.2 - 0.7.4),
and can cause CI / validation to fail.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When UpdateStatus was not present, the empty values of the timestamps
would be present:
"UpdateStatus": {
"StartedAt": "0001-01-01T00:00:00Z",
"CompletedAt": "0001-01-01T00:00:00Z"
}
To fix this, make the timestamps pointers, so they can be set to nil
when they should not be shown.
Also make UpdateStatus itself a pointer, so an empty object does not
show up when there is no UpdateStatus.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fix tries to address the issue raised in discussion of
PR 28735 where it was not possible to manage plugin based on
plugin ID. Previously it was not possible to invoke
`docker plugin inspect` with a plugin ID (or ID prefix).
This fix updates the implementation of `docker plugin inspect`
so that it is possbile to search based on a plugin name, or a
plugin ID. A short format of plugin ID (prefix) is also possible,
as long as there is no ambiguity.
Previously the check of `docker plugin inspect` was mostly done
on the client side. This could potentially cause inconsistency
between API and CMD. This fix move all the checks to daemon side
so that API and CMD will be consistent.
An integration test has been added to cover the changes.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upon each container create I'm seeing these warning **every** time in the
daemon output:
```
WARN[0002] Your kernel does not support swap memory limit
WARN[0002] Your kernel does not support cgroup rt period
WARN[0002] Your kernel does not support cgroup rt runtime
```
Showing them for each container.create() fills up the logs and encourages
people to ignore the output being generated - which means its less likely
they'll see real issues when they happen. In short, I don't think we
need to show these warnings more than once, so let's only show these
warnings at daemon start-up time.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Fix issue where out-of-band deletions and then a `docker volume create`
on the same driver caused volume to not be re-created in the driver but
return as created since it was stored in the cache.
Previous fix only worked if the driver names did not match.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When building a manifest during a push operation, all layers must have
an associated descriptor. If a layer is missing a descriptor, that leads
to a panic.
A break inside a switch in layerAlreadyExists meant to break from the
loop surrounding the switch, but instead breaks from the switch. This
causes the loop to continue, and can overwrite the descriptor with an
empty one, leading to the panic.
Also, fix layerAlreadyExists not to abort the push when a speculative
stat on a candidate layer digest fails with an error. This could happen
in situations like a potential cross-repository mount where the user
does not have permission to access the source repository.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This ensures that graphdriver plugins can properly cleanup on daemon
exit.
Also prevents errors during shutdown when it tries to send the plugin a
`Cleanup()` request but ultimately times out since it's already been
shutdown.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Modified newV1DependencyImage and generateDependencyImages not to return
errors instead of always return nil.
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
This fix is a follow up to the comment:
https://github.com/docker/docker/pull/28717#discussion_r90040589
Currently, the collision checking is done at the last step `Add()` of
plugin creation. However, at this stage the context such as plugin
directories have already been creation. In case of name collision,
rollback is needed which could be expensive.
This fix performs the check at the beginning of CreateFromContext using
GetByName. In this way, collision fails fast and no context creation
or rollback is needed.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Allows replacing of the default httpredir.debian.org in /etc/apt/sources.list
with a user-specified mirror. This will (hopefully) fix CI apt issues.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
If, using the API, a user submits an init request with a spec that has a
name other than "default", the engine will rename the "default" cluster
object. Some parts of swarmkit depend on having a cluster object named
"default". Reject any specs that use other names.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
If a swarm service is created using an image ID, it's useless to try to
pull this reference or resolve it to a manifest digest. Avoid doing this
when a fully qualified image ID is given.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
A plugin has an `ExitChan` channel which is used to signal the exit of
the plugin process. In a recent change, the initialization was
incorrectly moved to the daemon Shutdown path.
Fix this by initializing the channel during plugin enable.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This fix tries to fix the issue raised in 28684:
1. Duplicate plugin create with the same name will override the old plugin reference
2. In case an error happens in the middle of the plugin creation, plugin directories
in `/var/lib/docker/plugins` are not cleaned up.
This fix update the plugin store so that `Add()` will return an error if a plugin
with the same name already exist.
This fix also will clean up the directory in `/var/lib/docker/plugins` in case
an error happens in the middle of the plugin creation.
This fix fixes 28684.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
`docker stack config` command does not exists anymore, removing it
from the command reference documentation.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In case when docker was not running init script stop was returning value <> 0.
Due to this fact it was impossible to uninstall the docker-engine if the docker service was stopped.
Signed-off-by: Cyprian Gracz <cyprian.gracz@micro-jumbo.eu>
Fixed message logging
Signed-off-by: Cyprian Gracz <cyprian.gracz@micro-jumbo.eu>
- Consistent naming (plural, etc)
- Add section descriptions
- Add docs in swagger.yaml about how to maintain them
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
Jekyll automatically adds titles based on the title of the page,
so this was causing duplicate titles.
Also, made all the headings the correct level.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
Currently the help output of `docker network ls --filter` is:
```
Options:
-f, --filter value Provide filter values (i.e. 'dangling=true') (default [])
...
```
This caused confusion as only the following filters are supported at the moment:
- `driver`
- `type`
- `name`
- `id`
- `label`
This fix update the help output of `docker network ls --filter` and `network_ls.md`.
The `dangling=true` description has been replace to:
```
Options:
-f, --filter filter Provide filter values (i.e. 'driver=bridge')
...
```
This fix fixes 28786.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The error didn't hint at how to resolve it. Google auto-suggest
also implies that people have been Googling this error.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
Chosing LEGACY_VSYSCALL_NONE (over NATIVE or EMULATE) will mean that binaries
using eglibc <= 2.13 will not run (segfault).
Fixes#28705.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
This fix tries to address the issue raised in 28769 where
checkpoint name was not checked before passing to containerd.
As a result, it was possible to use a special checkpoint name
to get outside of the container's directory.
This fix add restriction `[a-zA-Z0-9][a-zA-Z0-9_.-]+` (`RestrictedNamePattern`).
This is the same as container name restriction.
This fix fixes 28769.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fedora 25 was released today, and the official
image will be available soon.
This removes the temporary override, so that
we can build using the official image.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This updates secret inspect to support inspect by ID in addition to name
as well as inspecting multiple secrets. This also cleans up the
help text for consistency.
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Instead of converting nicely typed service mounts into untyped `Binds`
when creating containers, use the new `Mounts` API which is a 1-1
mapping between service mounts and container mounts.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
See: https://github.com/docker/docker.github.io/pull/606
Also:
- Add missing redirects to API reference pages
- Remove v1.25 and 1.26, because they are being replaced with
swagger generated docs.
- Remove all other docs which aren't reference material, because
this can live in docker/docker.github.io
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
For previous versions of Docker, `--rm` was handled client side, as such
there was no support in the daemon for it.
Now it is handled daemon side, but we still need to handle the case of a
newer client talking to an older daemon.
Falls back to client-side removal when the daemon does not support it.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
In the plugin manifest, Capabilities has been moved to
Linux.Capabilities to avoid confusion with Interface.Types[i].Capability
A DeviceCreation boolean has also been added to the manifest. This could
be changed in the future to be specific to a major number.
Signed-off-by: Tibor Vass <tibor@docker.com>
SetupTest could fail creating a Daemon object (eg, out of space when
creating daemon root dir). In such a case, TearDownTest fails when
accessing the daemon object. This commit adds the required nil check.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Adds section about the hub deprecating the v1 protocol.
Adds note about intent to disable by default and remove support.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
network is `nil` if the following case:
```
services:
foo:
image: nginx
networks:
mynetwork:
```
It's a valid compose so we should not panic.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The "--no-trunc" option toggles between showing/hiding
digests.
This updates the reference to show this difference.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If env var "DOCKER_API_VERSION" is specified by user, we'll set
`cli.manualOverride`, before this, this field is always true due to
wrong logic.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Currently the plugin initialization is too late for a loaded v2 plugin
to be usable as a graph driver.
This moves the initialization up before we create the graph driver.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
the service definition uses the format as defined
in http://man7.org/linux/man-pages/man5/hosts.5.html
(IP_address canonical_hostname [aliases...])
This format is the _reverse_ of the format used in
the container API.
Commit f32869d956
inadvertently used the incorrect order.
This fixes the order, and correctly sets it to;
IP-Address hostname
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Modify the service update and create APIs to return optional warning
messages as part of the response. Populate these messages with an
informative reason when digest resolution fails.
This is a small API change, but significantly improves the UX. The user
can now get immediate feedback when they've specified a nonexistent
image or unreachable registry.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
DEVPTS_MULTIPLE_INSTANCES is no longer an option, it is always set, so
do not check for this post 4.8.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Why? Most of the time I end up needing an editor when in `make shell`.
Spent much time doing `apt-get update && apt-get install vim`.
Since we're already installing vim-common anyway...
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Instead of not adding experimental routes at all, fail with an explicit
message if the daemon is not running in experimental mode.
Added the `router.Experimental` which does this automatically.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
use secret store interface instead of embedded secret data into container
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
When swarm-mode is disabled, we need to return an error indicating this.
406 was chosen for the "Not Acceptable" verbiage, but this code has
specific semantics in relation to the `Accept` header, which aren't
applicable here.
We now use a 503 for this case. While it is not a perfect match, it does
make it clear that the particular "service" (read: API endpoint) is not
available. The body of the message provides the user with enough
information to take action on it by enabling swarm-mode and ensuring the
service is available.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
For some reason, `go vet` and `go fmt` validate does not capture
several issues.
The following was the output of `go vet`:
```
ubuntu@ubuntu:~/docker$ go vet ./... 2>&1 | grep -v ^vendor | grep -v '^exit status 1$'
cli/command/formatter/container_test.go:393: possible formatting directive in Log call
volume/volume_test.go:257: arg mp.RW for printf verb %s of wrong type: bool
```
The following was the output of `go fmt -s`:
```
ubuntu@ubuntu:~/docker$ gofmt -s -l . | grep -v ^vendor
cli/command/stack/list.go
daemon/commit.go
```
Fixed above issues with `go vet` and `go fmt -s`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Error code resolution is powered by string matching. Not the greatest
thing in the world and I hope no one is proud of this code, but it
works. However, because a map is used, the iteration order of the map is
random, such that if an error matches two of the snippets, it may return
a different error code depending on the seed of the hashmap. This change
converts it to use a slice instead.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This fix tries to fix the crash caused by `docker service inspect --pretty`,
by performing necessary nil pointer check.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
It doesn't make sense to use omitempty here. 0 is a meaningful value and
it's different from the default. If someone sets Parallelism to 0, we
want to show that Parallelism is 0, not hide the field.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
During error cases, we dont cleanup correctly. This commit takes care
of removing the plugin, if there are errors after the pull passed. It
also shuts down the plugin, if there are errors after the plugin in the
enable path.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Move some of the optional parameters of CreateRWLayer() in a struct
called CreateRWLayerOpts. This will make it easy to add more options
arguments without having to change signature of CreateRWLayer().
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This fix is an attempt to address the issue raised in 28339. In
`docker ps`, the formatter needs to expose all fields of `types.Container`
to `preProcessor` so that template could be executed.
This direct exposing is unreliable and could cause issues as user may incorrectly
assume all fields in `types.Container` will be available for templating.
However, the purpose of `preProcessor` is to only find out if `.Size`
is defined (so that opts.size could be set accordingly).
This fix defines `preProcessor` as `map[string]bool` with a func `Size()`.
In this way, any unknown fields will be ignored.
This fix adds several test cases to the existing `TestBuildContainerListOptions`.
This fix fixes 28339.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Cli initialization pings back to remote API and
creates a deadlock if socket is already being
listened by systemd.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
There is no need to populate device id during unregisterDevice(). Nobody
makes use of this information. We just need to remove file associated
with device and that file is looked up using the hash and not the
device id which is used for thin pool operations.
So get rid of device id argument to unregisterDevice().
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Dump stack dumps to exec root instead of daemon root.
When no path is provided to the stack dumper, such is the case with
SIGQUIT, dump to stderr.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix fixes error messages for `--cpus` from daemon.
When `docker run` takes `--cpus`, it will translate into NanoCPUs
and pass the value to daemon. The `NanoCPU` is not visible to the user.
The error message generated from daemon used 'NanoCPU' which may cause
some confusion to the user.
This fix fixes this issue by returning the error in CPUs instead.
This fix fixes 28456.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Daemon still does validation and errors out on incorrect options.
Fixes an issue where non-Linux clients attempting to pass tmpfs options
on `docker run` to a Linux daemon will incorrectly error out.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This speeds up docker build time drastically. It still possible to
disable this by setting `DOCKER_INCREMENTAL_BUILD` to `0` (and this is
what should be done on the CI).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When inspecting a container, `NetworkSettings` contains top-level
information about the default ("bridge") network;
`EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`,
`IPAddress`, `IPPrefixLen`, `IPv6Gateway`, and `MacAddress`.
These properties are deprecated in favor of per-network properties in
`NetworkSettings.Networks`. These properties were already "deprecated" in
docker 1.9, but kept around for backward compatibility.
Refer to [#17538](https://github.com/docker/docker/pull/17538) for further
information.
This officially deprecates these properties, and marks them
for removal in 1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Quite a few changes, as it seems like previous wrapping was done
manually, so it's all over the place.
As noted in #28424
Signed-off-by: Jonathan Boulle <jonathanboulle@gmail.com>
`StreamConfig` carries with it a dep on libcontainerd, which is used by
other projects, but libcontainerd doesn't compile on all platforms, so
move it to `github.com/docker/docker/container/stream`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
change reading order from beginning at the end to beginning at a buffer start
added intergration tests for boundary cases
Removed whitespace
Signed-off-by: Shayne Wang <shaynexwang@gmail.com>
In 28186, `dns-options-add/rm` has been changed to `dns-option-add/rm`
in `docker service create/update`, for the purpose of consistency.
This fix updates bash completion to remove extra `s`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updates docs for `docker info` for most recent changes.
It also made several chagnes:
1. Replace 0.12.0-dev to 0.13.0 for api docs v1.24.
2. Replace 0.13.0-dev to 0.13.0 for api docs v1.25
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
It is not required to have version prefix for all the remote
APIs. Though there are still quite a few example requests
in api docs that does not have the version prefix.
This fix update the remote api docs to address this issue.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
A recent PR added `(ns|us|ms|s|m|h)` to the descriptions of some
duration options, but not all. Add it to the remaining options for
consistency.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This seems clearer to me and avoids a miniscule amount of string formatting.
I have deliberately not changed the tests here to avoid the possibility of
changing both wrongly.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
Although our use of ANSI codes here is rather simple it is generally good
practice to use terminfo in order to be portable to different terminal
emulators.
Vendor github.com/Nvveen/Gotty (actually my fork with a fix, see
https://github.com/Nvveen/Gotty/pull/1) and use that to parse the terminfo
files.
Note that "\e]2K" (clear entire line) is not covered by terminfo. We can
achieve the same end by first clearing from begining of line to cursor
(el1="\e]1K") and then clearing from cursor to end of line (el="\e]k").
Test suite has been updated and forces (either directly or by setting $TERM to
something highly unlikely to exist) the use of the non-terminfo fallbacks which
retains the same output behaviour as previously. This is preferable even to
relying on a well-known and relatively static terminfo (like vt102) since even
that in principal might have different terminfo encodings.
In case terminfo is not available at all for $TERM or doesn't expose the
specific capabilities which we use then fall back to the previous manual
escapes, with the exception that we avoid "\e]2K" as discussed above.
Tested with a manual docker pull with rxvt-unicode ($TERM=rxvt-unicode), xterm
($TERM=xterm), mlterm ($TERM=mlterm) and aterm ($TERM=kterm).
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
When logging the failure of a case which involves control characters add line
feeds and spacing such that the expected and actual strings are aligned in the
same columns making comparisons easier.
Turns:
jsonmessage_test.go:156: Expected "\x1b[2K\rstatus 1 B\r", got "\x1b[1K\x1b[K\rstatus 1 B\r"
Into:
jsonmessage_test.go:156:
Expected "\x1b[2K\rstatus 1 B\r"
got "\x1b[1K\x1b[K\rstatus 1 B\r"
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
The majority already did so, but a few used %v.
Compared with %v using %q escapes any control characters ensuring they are
visible in the logs (otherwise they can cause scrolling and overwriting etc).
The %q formatter also includes the surrounding "s making the manual use of []
to wrap/delimit the %v output unnecessary.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
All images in the default registry (AKA docker.io, index.docker.io, and
registry-1.docker.io) are available via the v2 protocol, so there's no
reason to use the v1 protocol. Disabling it prevents useless fallbacks.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
In case, a container is restarting indefinitely running
"docker stats --no-stream <restarting_container>" is suspended.
To fix this, the daemon makes sure the container is either not
running or restarting if `--no-stream` is set to true and if so
returns an empty stats.
Should fix#27772.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
The install script currently includes some
distros that we don't actually have packages
for.
For these distros, the script currently
performs step to install Docker from
the distro's repository.
This patch removes those distros from
the install script, because we have no
control over these packages, and cannot
provide support for them.
Installing docker anyway will give the
false impression that they installed
a package from our repository (but they
didn't), and that they need to contact
us for support.
It's better to tell people that we don't
install in that case, and refer them to
the installation documentation, or the
documentation of their distro.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We first added error to not allow overlay with selinux enabled. Then later
we removed it as kernel was getting close to get the support. But this
means user does not get meaningful message on old kernels.
This patch introduces a warning (Instead of error). Difference is that it
dynamically tries to detect if underlying kernel supports overlayfs with
selinux or not. And if it does not, it warns.
It will not warn if it detects that kernel supports overlayfs with selinux.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2016-10-04 15:35:56 -04:00
2469 changed files with 199009 additions and 234016 deletions
@@ -5,9 +5,331 @@ information on the list of deprecated flags and APIs please have a look at
https://docs.docker.com/engine/deprecated/ where target removal dates can also
be found.
## 1.13.0 (2016-12-08)
## 17.05.0-ce (2017-05-04)
### Builder
+ Add multi-stage build support [#31257](https://github.com/docker/docker/pull/31257) [#32063](https://github.com/docker/docker/pull/32063)
+ Allow using build-time args (`ARG`) in `FROM` [#31352](https://github.com/docker/docker/pull/31352)
+ Add an option for specifying build target [#32496](https://github.com/docker/docker/pull/32496)
* Accept `-f -` to read Dockerfile from `stdin`, but use local context for building [#31236](https://github.com/docker/docker/pull/31236)
* The values of default build time arguments (e.g `HTTP_PROXY`) are no longer displayed in docker image history unless a corresponding `ARG` instruction is written in the Dockerfile. [#31584](https://github.com/docker/docker/pull/31584)
- Fix setting command if a custom shell is used in a parent image [#32236](https://github.com/docker/docker/pull/32236)
- Fix `docker build --label` when the label includes single quotes and a space [#31750](https://github.com/docker/docker/pull/31750)
### Client
* Add `--mount` flag to `docker run` and `docker create` [#32251](https://github.com/docker/docker/pull/32251)
* Add `--type=secret` to `docker inspect` [#32124](https://github.com/docker/docker/pull/32124)
* Add `--format` option to `docker secret ls` [#31552](https://github.com/docker/docker/pull/31552)
* Add `--filter` option to `docker secret ls` [#30810](https://github.com/docker/docker/pull/30810)
* Add `--filter scope=<swarm|local>` to `docker network ls` [#31529](https://github.com/docker/docker/pull/31529)
* Add `--cpus` support to `docker update` [#31148](https://github.com/docker/docker/pull/31148)
* Add label filter to `docker system prune` and other `prune` commands [#30740](https://github.com/docker/docker/pull/30740)
*`docker stack rm` now accepts multiple stacks as input [#32110](https://github.com/docker/docker/pull/32110)
* Improve `docker version --format` option when the client has downgraded the API version [#31022](https://github.com/docker/docker/pull/31022)
* Prompt when using an encrypted client certificate to connect to a docker daemon [#31364](https://github.com/docker/docker/pull/31364)
* Display created tags on successful `docker build` [#32077](https://github.com/docker/docker/pull/32077)
+ Add support for building docker debs for Ubuntu 17.04 Zesty on amd64 [#32435](https://github.com/docker/docker/pull/32435)
### Daemon
- Fix `--api-cors-header` being ignored if `--api-enable-cors` is not set [#32174](https://github.com/docker/docker/pull/32174)
- Cleanup docker tmp dir on start [#31741](https://github.com/docker/docker/pull/31741)
- Deprecate `--graph` flag in favor or `--data-root` [#28696](https://github.com/docker/docker/pull/28696)
### Logging
+ Add support for logging driver plugins [#28403](https://github.com/docker/docker/pull/28403)
* Add support for showing logs of individual tasks to `docker service logs`, and add `/task/{id}/logs` REST endpoint [#32015](https://github.com/docker/docker/pull/32015)
* Add `--log-opt env-regex` option to match environment variables using a regular expression [#27565](https://github.com/docker/docker/pull/27565)
### Networking
+ Allow user to replace, and customize the ingress network [#31714](https://github.com/docker/docker/pull/31714)
- Fix UDP traffic in containers not working after the container is restarted [#32505](https://github.com/docker/docker/pull/32505)
- Fix files being written to `/var/lib/docker` if a different data-root is set [#32505](https://github.com/docker/docker/pull/32505)
### Runtime
- Ensure health probe is stopped when a container exits [#32274](https://github.com/docker/docker/pull/32274)
### Swarm Mode
+ Add update/rollback order for services (`--update-order` / `--rollback-order`) [#30261](https://github.com/docker/docker/pull/30261)
+ Add support for synchronous `service create` and `service update` [#31144](https://github.com/docker/docker/pull/31144)
+ Add support for "grace periods" on healthchecks through the `HEALTHCHECK --start-period` and `--health-start-period` flag to
`docker service create`, `docker service update`, `docker create`, and `docker run` to support containers with an initial startup
time [#28938](https://github.com/docker/docker/pull/28938)
*`docker service create` now omits fields that are not specified by the user, when possible. This will allow defaults to be applied inside the manager [#32284](https://github.com/docker/docker/pull/32284)
*`docker service inspect` now shows default values for fields that are not specified by the user [#32284](https://github.com/docker/docker/pull/32284)
* Move `docker service logs` out of experimental [#32462](https://github.com/docker/docker/pull/32462)
* Add support for Credential Spec and SELinux to services to the API [#32339](https://github.com/docker/docker/pull/32339)
* Add `--entrypoint` flag to `docker service create` and `docker service update` [#29228](https://github.com/docker/docker/pull/29228)
* Add `--network-add` and `--network-rm` to `docker service update` [#32062](https://github.com/docker/docker/pull/32062)
* Add `--credential-spec` flag to `docker service create` and `docker service update` [#32339](https://github.com/docker/docker/pull/32339)
* Add `--filter mode=<global|replicated>` to `docker service ls` [#31538](https://github.com/docker/docker/pull/31538)
* Resolve network IDs on the client side, instead of in the daemon when creating services [#32062](https://github.com/docker/docker/pull/32062)
* Add `--format` option to `docker node ls` [#30424](https://github.com/docker/docker/pull/30424)
* Add `--prune` option to `docker stack deploy` to remove services that are no longer defined in the docker-compose file [#31302](https://github.com/docker/docker/pull/31302)
* Add `PORTS` column for `docker service ls` when using `ingress` mode [#30813](https://github.com/docker/docker/pull/30813)
- Fix unnescessary re-deploying of tasks when environment-variables are used [#32364](https://github.com/docker/docker/pull/32364)
- Fix `docker stack deploy` not supporting `endpoint_mode` when deploying from a docker compose file [#32333](https://github.com/docker/docker/pull/32333)
- Proceed with startup if cluster component cannot be created to allow recovering from a broken swarm setup [#31631](https://github.com/docker/docker/pull/31631)
### Security
* Allow setting SELinux type or MCS labels when using `--ipc=container:` or `--ipc=host` [#30652](https://github.com/docker/docker/pull/30652)
### Deprecation
- Deprecate `--api-enable-cors` daemon flag. This flag was marked deprecated in Docker 1.6.0 but not listed in deprecated features [#32352](https://github.com/docker/docker/pull/32352)
- Remove Ubuntu 12.04 (Precise Pangolin) as supported platform. Ubuntu 12.04 is EOL, and no longer receives updates [#32520](https://github.com/docker/docker/pull/32520)
## 17.04.0-ce (2017-04-05)
### Builder
* Disable container logging for build containers [#29552](https://github.com/docker/docker/pull/29552)
* Fix use of `**/` in `.dockerignore` [#29043](https://github.com/docker/docker/pull/29043)
### Client
+ Sort `docker stack ls` by name [#31085](https://github.com/docker/docker/pull/31085)
+ Flags for specifying bind mount consistency [#31047](https://github.com/docker/docker/pull/31047)
* Output of docker CLI --help is now wrapped to the terminal width [#28751](https://github.com/docker/docker/pull/28751)
* Suppress image digest in docker ps [#30848](https://github.com/docker/docker/pull/30848)
* Hide command options that are related to Windows [#30788](https://github.com/docker/docker/pull/30788)
* Fix `docker plugin install` prompt to accept "enter" for the "N" default [#30769](https://github.com/docker/docker/pull/30769)
+ Add `truncate` function for Go templates [#30484](https://github.com/docker/docker/pull/30484)
* Support expanded syntax of ports in `stack deploy` [#30476](https://github.com/docker/docker/pull/30476)
* Support expanded syntax of mounts in `stack deploy` [#30597](https://github.com/docker/docker/pull/30597) [#31795](https://github.com/docker/docker/pull/31795)
+ Add `--add-host` for docker build [#30383](https://github.com/docker/docker/pull/30383)
+ Add `.CreatedAt` placeholder for `docker network ls --format` [#29900](https://github.com/docker/docker/pull/29900)
* Update order of `--secret-rm` and `--secret-add` [#29802](https://github.com/docker/docker/pull/29802)
+ Add `--filter enabled=true` for `docker plugin ls` [#28627](https://github.com/docker/docker/pull/28627)
+ Add `--format` to `docker service ls` [#28199](https://github.com/docker/docker/pull/28199)
+ Add `publish` and `expose` filter for `docker ps --filter` [#27557](https://github.com/docker/docker/pull/27557)
* Support multiple service IDs on `docker service ps` [#25234](https://github.com/docker/docker/pull/25234)
+ Allow swarm join with `--availability=drain` [#24993](https://github.com/docker/docker/pull/24993)
* Docker inspect now shows "docker-default" when AppArmor is enabled and no other profile was defined [#27083](https://github.com/docker/docker/pull/27083)
### Logging
+ Implement optional ring buffer for container logs [#28762](https://github.com/docker/docker/pull/28762)
+ Add `--log-opt awslogs-create-group=<true|false>` for awslogs (CloudWatch) to support creation of log groups as needed [#29504](https://github.com/docker/docker/pull/29504)
- Fix segfault when using the gcplogs logging driver with a "static" binary [#29478](https://github.com/docker/docker/pull/29478)
### Networking
* Check parameter `--ip`, `--ip6` and `--link-local-ip` in `docker network connect` [#30807](https://github.com/docker/docker/pull/30807)
+ Added support for `dns-search` [#30117](https://github.com/docker/docker/pull/30117)
+ Added --verbose option for docker network inspect to show task details from all swarm nodes [#31710](https://github.com/docker/docker/pull/31710)
* Clear stale datapath encryption states when joining the cluster [docker/libnetwork#1354](https://github.com/docker/libnetwork/pull/1354)
+ Ensure iptables initialization only happens once [docker/libnetwork#1676](https://github.com/docker/libnetwork/pull/1676)
* Fix bad order of iptables filter rules [docker/libnetwork#961](https://github.com/docker/libnetwork/pull/961)
+ Add anonymous container alias to service record on attachable network [docker/libnetwork#1651](https://github.com/docker/libnetwork/pull/1651)
+ Support for `com.docker.network.container_interface_prefix` driver label [docker/libnetwork#1667](https://github.com/docker/libnetwork/pull/1667)
+ Improve network list performance by omitting network details that are not used [#30673](https://github.com/docker/docker/pull/30673)
### Runtime
* Handle paused container when restoring without live-restore set [#31704](https://github.com/docker/docker/pull/31704)
- Do not allow sub second in healthcheck options in Dockerfile [#31177](https://github.com/docker/docker/pull/31177)
* Support name and id prefix in `secret update` [#30856](https://github.com/docker/docker/pull/30856)
* Use binary frame for websocket attach endpoint [#30460](https://github.com/docker/docker/pull/30460)
* Fix linux mount calls not applying propagation type changes [#30416](https://github.com/docker/docker/pull/30416)
* Fix ExecIds leak on failed `exec -i` [#30340](https://github.com/docker/docker/pull/30340)
* Prune named but untagged images if `danglingOnly=true` [#30330](https://github.com/docker/docker/pull/30330)
+ Add daemon flag to set `no_new_priv` as default for unprivileged containers [#29984](https://github.com/docker/docker/pull/29984)
+ Automatic service rollback on failure [#31108](https://github.com/docker/docker/pull/31108)
+ Worker and manager on the same node are now connected through a UNIX socket [docker/swarmkit#1828](https://github.com/docker/swarmkit/pull/1828), [docker/swarmkit#1850](https://github.com/docker/swarmkit/pull/1850), [docker/swarmkit#1851](https://github.com/docker/swarmkit/pull/1851)
* Improve raft transport package [docker/swarmkit#1748](https://github.com/docker/swarmkit/pull/1748)
* No automatic manager shutdown on demotion/removal [docker/swarmkit#1829](https://github.com/docker/swarmkit/pull/1829)
* Use TransferLeadership to make leader demotion safer [docker/swarmkit#1939](https://github.com/docker/swarmkit/pull/1939)
* Decrease default monitoring period [docker/swarmkit#1967](https://github.com/docker/swarmkit/pull/1967)
+ Add Service logs formatting [#31672](https://github.com/docker/docker/pull/31672)
* Fix service logs API to be able to specify stream [#31313](https://github.com/docker/docker/pull/31313)
+ Add `--stop-signal` for `service create` and `service update` [#30754](https://github.com/docker/docker/pull/30754)
+ Add `--read-only` for `service create` and `service update` [#30162](https://github.com/docker/docker/pull/30162)
+ Renew the context after communicating with the registry [#31586](https://github.com/docker/docker/pull/31586)
+ (experimental) Add `--tail` and `--since` options to `docker service logs` [#31500](https://github.com/docker/docker/pull/31500)
+ (experimental) Add `--no-task-ids` and `--no-trunc` options to `docker service logs` [#31672](https://github.com/docker/docker/pull/31672)
### Windows
* Block pulling Windows images on non-Windows daemons [#29001](https://github.com/docker/docker/pull/29001)
## 17.03.1-ce (2017-03-27)
### Remote API (v1.27) & Client
* Fix autoremove on older api [#31692](https://github.com/docker/docker/pull/31692)
* Fix default network customization for a stack [#31258](https://github.com/docker/docker/pull/31258/)
* Correct CPU usage calculation in presence of offline CPUs and newer Linux [#31802](https://github.com/docker/docker/pull/31802)
* Fix issue where service healthcheck is `{}` in remote API [#30197](https://github.com/docker/docker/pull/30197)
### Runtime
* Update runc to 54296cf40ad8143b62dbcaa1d90e520a2136ddfe [#31666](https://github.com/docker/docker/pull/31666)
* Update containerd to 4ab9917febca54791c5f071a9d1f404867857fcc [#31662](https://github.com/docker/docker/pull/31662) [#31852](https://github.com/docker/docker/pull/31852)
* Register healtcheck service before calling restore() [docker/containerd#609](https://github.com/docker/containerd/pull/609)
* Fix `docker exec` not working after unattended upgrades that reload apparmor profiles [#31773](https://github.com/docker/docker/pull/31773)
* Fix unmounting layer without merge dir with Overlay2 [#31069](https://github.com/docker/docker/pull/31069)
* Do not ignore "volume in use" errors when force-delete [#31450](https://github.com/docker/docker/pull/31450)
### Swarm Mode
* Update swarmkit to 17756457ad6dc4d8a639a1f0b7a85d1b65a617bb [#31807](https://github.com/docker/docker/pull/31807)
* Scheduler now correctly considers tasks which have been assigned to a node but aren't yet running [docker/swarmkit#1980](https://github.com/docker/swarmkit/pull/1980)
* Allow removal of a network when only dead tasks reference it [docker/swarmkit#2018](https://github.com/docker/swarmkit/pull/2018)
* Retry failed network allocations less aggressively [docker/swarmkit#2021](https://github.com/docker/swarmkit/pull/2021)
* Avoid network allocation for tasks that are no longer running [docker/swarmkit#2017](https://github.com/docker/swarmkit/pull/2017)
* Cleanup HCS on restore [#31503](https://github.com/docker/docker/pull/31503)
## 17.03.0-ce (2017-03-01)
**IMPORTANT**: Starting with this release, Docker is on a monthly release cycle and uses a
new YY.MM versioning scheme to reflect this. Two channels are available: monthly and quarterly.
Any given monthly release will only receive security and bugfixes until the next monthly
release is available. Quarterly releases receive security and bugfixes for 4 months after
initial release. This release includes bugfixes for 1.13.1 but
there are no major feature additions and the API version stays the same.
Upgrading from Docker 1.13.1 to 17.03.0 is expected to be simple and low-risk.
### Client
* Fix panic in `docker stats --format` [#30776](https://github.com/docker/docker/pull/30776)
### Contrib
* Update various `bash` and `zsh` completion scripts [#30823](https://github.com/docker/docker/pull/30823), [#30945](https://github.com/docker/docker/pull/30945) and more...
* Fix bug on overlay encryption keys rotation in cross-datacenter swarm [#30727](https://github.com/docker/docker/pull/30727)
* Fix side effect panic in overlay encryption and network control plane communication failure ("No installed keys could decrypt the message") on frequent swarm leader re-election [#25608](https://github.com/docker/docker/pull/25608)
* Several fixes around system responsiveness and datapath programming when using overlay network with external kv-store [docker/libnetwork#1639](https://github.com/docker/libnetwork/pull/1639), [docker/libnetwork#1632](https://github.com/docker/libnetwork/pull/1632) and more...
* Release the network attachment on allocation failure [#31073](https://github.com/docker/docker/pull/31073)
* Fix port allocation when multiple published ports map to the same target port [docker/swarmkit#1835](https://github.com/docker/swarmkit/pull/1835)
### Runtime
* Fix a deadlock in docker logs [#30223](https://github.com/docker/docker/pull/30223)
* Fix cpu spin waiting for log write events [#31070](https://github.com/docker/docker/pull/31070)
* Fix a possible crash when using journald [#31231](https://github.com/docker/docker/pull/31231) [#31263](https://github.com/docker/docker/pull/31263)
* Fix a panic on close of nil channel [#31274](https://github.com/docker/docker/pull/31274)
* Fix duplicate mount point for `--volumes-from` in `docker run` [#29563](https://github.com/docker/docker/pull/29563)
* Fix `--cache-from` does not cache last step [#31189](https://github.com/docker/docker/pull/31189)
### Swarm Mode
* Shutdown leaks an error when the container was never started [#31279](https://github.com/docker/docker/pull/31279)
* Fix possibility of tasks getting stuck in the "NEW" state during a leader failover [docker/swarmkit#1938](https://github.com/docker/swarmkit/pull/1938)
* Fix extraneous task creations for global services that led to confusing replica counts in `docker service ls` [docker/swarmkit#1957](https://github.com/docker/swarmkit/pull/1957)
* Fix problem that made rolling updates slow when `task-history-limit` was set to 1 [docker/swarmkit#1948](https://github.com/docker/swarmkit/pull/1948)
* Restart tasks elsewhere, if appropriate, when they are shut down as a result of nodes no longer satisfying constraints [docker/swarmkit#1958](https://github.com/docker/swarmkit/pull/1958)
* (experimental)
## 1.13.1 (2017-02-08)
**IMPORTANT**: On Linux distributions where `devicemapper` was the default storage driver,
the `overlay2`, or `overlay` is now used by default (if the kernel supports it).
To use devicemapper, you can manually configure the storage driver to use through
the `--storage-driver` daemon option, or by setting "storage-driver" in the `daemon.json`
configuration file.
**IMPORTANT**: In Docker 1.13, the managed plugin api changed, as compared to the experimental
version introduced in Docker 1.12. You must **uninstall** plugins which you installed with Docker 1.12
_before_ upgrading to Docker 1.13. You can uninstall plugins using the `docker plugin rm` command.
If you have already upgraded to Docker 1.13 without uninstalling
previously-installed plugins, you may see this message when the Docker daemon
starts:
Error starting daemon: json: cannot unmarshal string into Go value of type types.PluginEnv
To manually remove all plugins and resolve this problem, take the following steps:
2. Restart Docker. Verify that the Docker daemon starts with no errors.
3. Reinstall your plugins.
### Builder
+ Add capability to specify images used as a cache source on build. These images do not need to have local parent chain and can be pulled from other registries [#26839](https://github.com/docker/docker/pull/26839)
+ (experimental) Add option to squash image layers to the FROM image after successful builds [#22641](https://github.com/docker/docker/pull/22641)
* Fix dockerfile parser with empty line after escape [#24725](https://github.com/docker/docker/pull/24725)
@@ -18,15 +340,20 @@ be found.
- Fix image layer inconsistencies when using the overlay storage driver [#27209](https://github.com/docker/docker/pull/27209)
* Unused build-args are now allowed. A warning is presented instead of an error and failed build [#27412](https://github.com/docker/docker/pull/27412)
- Fix builder cache issue on Windows [#27805](https://github.com/docker/docker/pull/27805)
+ Allow `USER` in builder on Windows [#28415](https://github.com/docker/docker/pull/28415)
+ Handle env case-insensitive on Windows [#28725](https://github.com/docker/docker/pull/28725)
### Contrib
+ Add support for building docker debs for Ubuntu Xenial on PPC64 [#23438](https://github.com/docker/docker/pull/23438)
+ Add support for building docker debs for Ubuntu Xenial on s390x [#26104](https://github.com/docker/docker/pull/26104)
+ Add support for building docker debs for Ubuntu 16.04 Xenial on PPC64LE [#23438](https://github.com/docker/docker/pull/23438)
+ Add support for building docker debs for Ubuntu 16.04 Xenial on s390x [#26104](https://github.com/docker/docker/pull/26104)
+ Add support for building docker debs for Ubuntu 16.10 Yakkety Yak on PPC64LE [#28046](https://github.com/docker/docker/pull/28046)
- Add RPM builder for VMWare Photon OS [#24116](https://github.com/docker/docker/pull/24116)
+ Add shell completions to tgz [#27735](https://github.com/docker/docker/pull/27735)
* Update the install script to allow using the mirror in China [#27005](https://github.com/docker/docker/pull/27005)
+ Add DEB builder for Ubuntu 16.10 Yakkety Yak [#27993](https://github.com/docker/docker/pull/27993)
+ Add RPM builder for Fedora 25 [#28222](https://github.com/docker/docker/pull/28222)
+ Add `make deb` support for aarch64 [#27625](https://github.com/docker/docker/pull/27625)
### Distribution
@@ -52,11 +379,14 @@ be found.
+ Unix socket support for fluentd [#26088](https://github.com/docker/docker/pull/26088)
* Enable fluentd logging driver on Windows [#28189](https://github.com/docker/docker/pull/28189)
- Sanitize docker labels when used as journald field names [#23725](https://github.com/docker/docker/pull/23725)
- Fix an issue where `docker logs --tail` returned less lines than expected [#28203](https://github.com/docker/docker/pull/28203)
- Splunk Logging Driver: performance and reliability improvements [#26207](https://github.com/docker/docker/pull/26207)
- Splunk Logging Driver: configurable formats and skip for verifying connection [#25786](https://github.com/docker/docker/pull/25786)
### Networking
+ Add `--attachable` network support to enable `docker run` to work in swarm-mode overlay network [#25962](https://github.com/docker/docker/pull/25962)
+ Add support for host port PublishMode in services using the `--port` option in `docker service create` [#27917](https://github.com/docker/docker/pull/27917)
+ Add support for host port PublishMode in services using the `--publish` option in `docker service create` [#27917](https://github.com/docker/docker/pull/27917) and [#28943](https://github.com/docker/docker/pull/28943)
+ Add support for Windows server 2016 overlay network driver (requires upcoming ws2016 update) [#28182](https://github.com/docker/docker/pull/28182)
* Change the default `FORWARD` policy to `DROP` [#28257](https://github.com/docker/docker/pull/28257)
+ Add support for specifying static IP addresses for predefined network on windows [#22208](https://github.com/docker/docker/pull/22208)
+ Add a new `is-task` ps filter [#24411](https://github.com/docker/docker/pull/24411)
+ Add `--env-file` flag to `docker create service` [#24844](https://github.com/docker/docker/pull/24844)
+ Add `--env-file` flag to `docker service create` [#24844](https://github.com/docker/docker/pull/24844)
+ Add `--format` on `docker stats` [#24987](https://github.com/docker/docker/pull/24987)
+ Make `docker node ps` default to `self` in swarm node [#25214](https://github.com/docker/docker/pull/25214)
+ Add `--group` in `docker service create` [#25317](https://github.com/docker/docker/pull/25317)
+ Add `--no-trunc` to service/node/stack ps output [#25337(https://github.com/docker/docker/pull/25337)
+ Add `--no-trunc` to service/node/stack ps output [#25337](https://github.com/docker/docker/pull/25337)
+ Add Logs to `ContainerAttachOptions` so go clients can request to retrieve container logs as part of the attach process [#26718](https://github.com/docker/docker/pull/26718)
+ Allow client to talk to an older server [#27745](https://github.com/docker/docker/pull/27745)
* Inform user client-side that a container removal is in progress [#26074](https://github.com/docker/docker/pull/26074)
+ Add `Isolation` to the /info endpoint [#26255](https://github.com/docker/docker/pull/26255)
+ Add `userns` to the /info endpoint [#27840](https://github.com/docker/docker/pull/27840)
- Do not allow more than one mode be requested at once in the services endpoint [#26643](https://github.com/docker/docker/pull/26643)
+ Add `--mount` flag to `docker create` and `docker run` [#26825](https://github.com/docker/docker/pull/26825)[#28150](https://github.com/docker/docker/pull/28150)
+ Add capability to /containers/create API to specify mounts in a more granular and safer way [#22373](https://github.com/docker/docker/pull/22373)
+ Add `--format` flag to `network ls` and `volume ls` [#23475](https://github.com/docker/docker/pull/23475)
* Allow the top-level `docker inspect` command to inspect any kind of resource [#23614](https://github.com/docker/docker/pull/23614)
+ Add --cpus flag to control cpu resources for `docker run` and `docker create`, and add `NanoCPUs` to `HostConfig` [#27958](https://github.com/docker/docker/pull/27958)
- Allow unsetting the `--entrypoint` in `docker run` or `docker create` [#23718](https://github.com/docker/docker/pull/23718)
* Restructure CLI commands by adding `docker image` and `docker container` commands for more consistency [#26025](https://github.com/docker/docker/pull/26025)
- Remove `COMMAND` column from `service ls` output [#28029](https://github.com/docker/docker/pull/28029)
@@ -132,7 +463,7 @@ be found.
- Fix a race condition between device deferred removal and resume device, when using the devicemapper graphdriver [#23497](https://github.com/docker/docker/pull/23497)
- Add `docker stats` support in Windows [#25737](https://github.com/docker/docker/pull/25737)
- Allow using `--pid=host` and `--net=host` when `--userns=host` [#25771](https://github.com/docker/docker/pull/25771)
+ Add support for templating service options (hostname, mounts, and environment variables) [#28025](https://github.com/docker/docker/pull/28025)
* Display the endpoint mode in the output of `docker service inspect --pretty` [#26906](https://github.com/docker/docker/pull/26906)
* Make `docker service ps` output more bearable by shortening service IDs in task names [#28088](https://github.com/docker/docker/pull/28088)
*`docker node ps` now defaults to the current node [#25214](https://github.com/docker/docker/pull/25214)
+ Add `-a`/`--all` flags to `docker service ps` and `docker node ps` to show all results [#25983](https://github.com/docker/docker/pull/25983)
* Make`docker node ps` default to the current node [#25214](https://github.com/docker/docker/pull/25214)
+ Add `--dns`, -`-dns-opt`, and `--dns-search` to service create. [#27567](https://github.com/docker/docker/pull/27567)
+ Add `--force` to `docker service update` [#27596](https://github.com/docker/docker/pull/27596)
+ Add `--health-*` and `--no-healthcheck` flags to `docker service create` and `docker service update` [#27369](https://github.com/docker/docker/pull/27369)
+ Add `-q` to `docker service ps` [#27654](https://github.com/docker/docker/pull/27654)
* Display number of global services in `docker service ls` [#27710](https://github.com/docker/docker/pull/27710)
- Remove `--name` flag from `docker service update`. This flag is only functional on `docker service create`, so was removed from the `update` command [#26988](https://github.com/docker/docker/pull/26988)
- Fix worker nodes failing to recover because of transient networking issues [#26646](https://github.com/docker/docker/issues/26646)
* Add support for health aware load balancing and DNS records [#27279](https://github.com/docker/docker/pull/27279)
* Add `--hostname` to `docker service create` [#27857](https://github.com/docker/docker/pull/27857)
- Add `--tty` flag to `docker service create`/`update` [#28076](https://github.com/docker/docker/pull/28076)
+ Add `--hostname` to `docker service create` [#27857](https://github.com/docker/docker/pull/27857)
+ Add `--host` to `docker service create`, and `--host-add`, `--host-rm` to `docker service update` [#28031](https://github.com/docker/docker/pull/28031)
+ Add `--tty` flag to `docker service create`/`update` [#28076](https://github.com/docker/docker/pull/28076)
* Autodetect, store, and expose node IP address as seen by the manager [#27910](https://github.com/docker/docker/pull/27910)
* Encryption at rest of manager keys and raft data [#27967](https://github.com/docker/docker/pull/27967)
+ Add `--update-max-failure-ratio`, `--update-monitor` and `--rollback` flags to `docker service update` [#26421](https://github.com/docker/docker/pull/26421)
- Fix an issue with address autodiscovery on `docker swarm init` running inside a container [#26457](https://github.com/docker/docker/pull/26457)
+ (experimental) Add `docker service logs` command to view logs for a service [#28089](https://github.com/docker/docker/pull/28089)
- Pin images by digest for `docker service create` and `update` [#28173](https://github.com/docker/docker/pull/28173)
- Add short (`-f`) flag for `docker node rm --force` and `docker swarm leave --force` [#28196](https://github.com/docker/docker/pull/28196)
+ Don't repull image if pinned by digest [#28265](https://github.com/docker/docker/pull/28265)
+ swarm-mode support for indows [#27838](https://github.com/docker/docker/pull/27838)
+ Pin images by digest for `docker service create` and `update` [#28173](https://github.com/docker/docker/pull/28173)
* Add short (`-f`) flag for `docker node rm --force` and `docker swarm leave --force` [#28196](https://github.com/docker/docker/pull/28196)
+ Add options to customize Raft snapshots (`--max-snapshots`, `--snapshot-interval`) [#27997](https://github.com/docker/docker/pull/27997)
- Don't repull image if pinned by digest [#28265](https://github.com/docker/docker/pull/28265)
+ Swarm-mode support for Windows [#27838](https://github.com/docker/docker/pull/27838)
+ Allow hostname to be updated on service [#28771](https://github.com/docker/docker/pull/28771)
+ Support v2 plugins [#29433](https://github.com/docker/docker/pull/29433)
+ Add content trust for services [#29469](https://github.com/docker/docker/pull/29469)
### Volume
+ Add support for labels on volumes [#25628](https://github.com/docker/docker/pull/21567)
+ Add support for labels on volumes [#21270](https://github.com/docker/docker/pull/21270)
+ Add support for filtering volumes by label [#25628](https://github.com/docker/docker/pull/25628)
* Add a `--force` flag in `docker volume rm` to forcefully purge the data of the volume that has already been deleted [#23436](https://github.com/docker/docker/pull/23436)
* Enhance `docker volume inspect` to show all options used when creating the volume [#26671](https://github.com/docker/docker/pull/26671)
@@ -186,16 +523,242 @@ be found.
- Fix selinux labeling of volumes shared in a container [#23024](https://github.com/docker/docker/pull/23024)
- Prohibit `/sys/firmware/**` from being accessed with apparmor [#26618](https://github.com/docker/docker/pull/26618)
### DEPRECATION
### Deprecation
- Marked the `docker daemon` command as deprecated. The daemon is moved to a separate binary (`dockerd`), and should be used instead [#26834](https://github.com/docker/docker/pull/26834)
- Deprecate unversioned API endpoints [#28208](https://github.com/docker/docker/pull/28208)
- Remove Ubuntu 15.10 (Wily Werewolf) as supported platform. Ubuntu 15.10 is EOL, and no longer receives updates [#27042](https://github.com/docker/docker/pull/27042)
- Remove Fedora 22 as supported platform. Fedora 22 is EOL, and no longer receives updates [#27432](https://github.com/docker/docker/pull/27432)
- Remove Fedora 23 as supported platform. Fedora 23 is EOL, and no longer receives updates [#29455](https://github.com/docker/docker/pull/29455)
- Deprecate the `repo:shortid` syntax on `docker pull` [#27207](https://github.com/docker/docker/pull/27207)
- Deprecate backing filesystem without d_type for overlay/overlay2 storage drivers [#27433](https://github.com/docker/docker/pull/27433)
- Deprecate MAINTAINER in Dockerfile [#25466](https://github.com/docker/docker/pull/25466)
- Deprecated filter param for endpoint `/images/json` [#27872](https://github.com/docker/docker/pull/27872)
- Deprecate backing filesystem without `d_type` for overlay and overlay2 storage drivers [#27433](https://github.com/docker/docker/pull/27433)
- Deprecate `MAINTAINER` in Dockerfile [#25466](https://github.com/docker/docker/pull/25466)
- Deprecate `filter` param for endpoint `/images/json` [#27872](https://github.com/docker/docker/pull/27872)
default "bridge" network: failed to parse pool request
for address space "LocalDefault" pool " subpool ":
could not find an available, non-overlapping IPv6 address
pool among the defaults to assign to the network
```
To resolve this error, either remove the `--ipv6` flag (to preserve the same
behavior as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the
value of the `--fixed-cidr-v6` flag.
In a similar way, if you specify the `--ipv6` flag when creating a network
with the default IPAM driver, without providing an IPv6 `--subnet`, network
creation will fail with the following message:
```none
Error response from daemon: failed to parse pool request for address space
"LocalDefault" pool "" subpool "": could not find an
available, non-overlapping IPv6 address pool among
the defaults to assign to the network
```
To resolve this, either remove the `--ipv6` flag (to preserve the same behavior
as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the value of the
`--subnet` flag.
The network network creation will instead succeed if you use an external IPAM driver
which supports automatic allocation of IPv6 subnets.
### Runtime
- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)
### Networking
- Fix panic in docker network ls when a network was created with `--ipv6` and no ipv6 `--subnet` in older docker versions [#29416](https://github.com/docker/docker/pull/29416)
### Contrib
- Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)
## 1.12.4 (2016-12-12)
**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
upgrading from an older version of docker, the upgrade process may not
automatically install the updated version of the unit file, or fail to start
the docker service if;
- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
Starting the docker service will produce an error:
Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
or
no sockets found via socket activation: make sure the service was started by systemd.
To resolve this:
- Backup the current version of the unit file, and replace the file with the
[version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
After making those changes, run `sudo systemctl daemon-reload`, and `sudo
systemctl restart docker` to reload changes and (re)start the docker daemon.
### Runtime
- Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083)
- Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050)
- Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050)
- Run "dnf upgrade" before installing in fedora [#29150](https://github.com/docker/docker/pull/29150)
- Add build-date back to RPM packages [#29150](https://github.com/docker/docker/pull/29150)
- deb package filename changed to include distro to distinguish between distro code names [#27829](https://github.com/docker/docker/pull/27829)
## 1.12.3 (2016-10-26)
@@ -583,8 +1146,9 @@ installing docker, please make sure to update them accordingly.
- Windows: Enable auto-creation of host-path to match Linux [#22094](https://github.com/docker/docker/pull/22094)
### DEPRECATION
* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed
### Deprecation
* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed
to `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` respectively [#22574](https://github.com/docker/docker/pull/22574)
* Remove deprecated `syslog-tag`, `gelf-tag`, `fluentd-tag` log option in favor of the more generic `tag` one [#22620](https://github.com/docker/docker/pull/22620)
* Remove deprecated feature of passing HostConfig at API container start [#22570](https://github.com/docker/docker/pull/22570)
@@ -755,7 +1319,7 @@ installing docker, please make sure to update them accordingly.
- Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716))
- Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692))
- Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677))
- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
Docker 1.9, but was decided to be too much of a backward-incompatible change, so it was decided to keep the feature.
+ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
+ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
@@ -1120,7 +1684,7 @@ that allows to add build-time environment variables (#15182)
# This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
# The volume will be cleaned up when the container is removed due to `--rm`.
# Note that `BIND_DIR` will already be set to `bundles` if `DOCKER_HOST` is not set (see above BIND_DIR line), in such case this will do nothing since `DOCKER_MOUNT` will already be set.
This directory contains code pertaining to the Docker API:
# Working on the Engine API
- Used by the docker client when communicating with the docker daemon
The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.
- Used by third party tools wishing to interface with the docker daemon
It consists of various components in this repository:
-`api/swagger.yaml` A Swagger definition of the API.
-`api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/docker/docker/issues/27919) for progress on this.
-`cli/` The command-line client.
-`client/` The Go client used by the command-line client. It can also be used by third-party Go programs.
-`daemon/` The daemon, which serves the API.
##Swagger definition
The API is defined by the [Swagger](http://swagger.io/specification/) definition in `api/swagger.yaml`. This definition can be used to:
1. To automatically generate documentation.
2. To automatically generate the Go server and client. (A work-in-progress.)
3. Provide a machine readable version of the API for introspecting what it can do, automatically generating clients for other languages, etc.
## Updating the API documentation
The API documentation is generated entirely from `api/swagger.yaml`. If you make updates to the API, you'll need to edit this file to represent the change in the documentation.
The file is split into two main sections:
-`definitions`, which defines re-usable objects used in requests and responses
-`paths`, which defines the API endpoints (and some inline objects which don't need to be reusable)
To make an edit, first look for the endpoint you want to edit under `paths`, then make the required edits. Endpoints may reference reusable objects with `$ref`, which can be found in the `definitions` section.
There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/docker/docker/issues/27919)
`swagger.yaml` is validated by `hack/validate/swagger` to ensure it is a valid Swagger definition. This is useful for when you are making edits to ensure you are doing the right thing.
## Viewing the API documentation
When you make edits to `swagger.yaml`, you may want to check the generated API documentation to ensure it renders correctly.
Run `make swagger-docs` and a preview will be running at `http://localhost`. Some of the styling may be incorrect, but you'll be able to ensure that it is generating the correct documentation.
The production documentation is generated by vendoring `swagger.yaml` into [docker/docker.github.io](https://github.com/docker/docker.github.io).
errExperimentalFeature=errors.New("This experimental feature is disabled by default. Start the Docker daemon with --experimental in order to enable it.")
)
// ExperimentalRoute defines an experimental API route that can be enabled or disabled.
typeExperimentalRouteinterface{
Route
Enable()
Disable()
}
// experimentalRoute defines an experimental API route that can be enabled or disabled.
@@ -18,18 +19,43 @@ type ContainerAttachConfig struct {
Streambool
DetachKeysstring
// Used to signify that streams are multiplexed and therefore need a StdWriter to encode stdout/sderr messages accordingly.
// Used to signify that streams are multiplexed and therefore need a StdWriter to encode stdout/stderr messages accordingly.
// TODO @cpuguy83: This shouldn't be needed. It was only added so that http and websocket endpoints can use the same function, and the websocket function was not using a stdwriter prior to this change...
// HOWEVER, the websocket endpoint is using a single stream and SHOULD be encoded with stdout/stderr as is done for HTTP since it is still just a single stream.
// Since such a change is an API change unrelated to the current changeset we'll keep it as is here and change separately.
MuxStreamsbool
}
// ContainerLogsConfig holds configs for logging operations. Exists
// for users of the backend to to pass it a logging configuration.
typeContainerLogsConfigstruct{
types.ContainerLogsOptions
OutStreamio.Writer
// LogMessage is datastructure that represents piece of output produced by some
// container. The Line member is a slice of an array whose contents can be
// changed after a log driver's Log() method returns.
// changes to this struct need to be reflect in the reset method in
// daemon/logger/logger.go
typeLogMessagestruct{
Line[]byte
Sourcestring
Timestamptime.Time
AttrsLogAttributes
Partialbool
// Err is an error associated with a message. Completeness of a message
// with Err is not expected, tho it may be partially complete (fields may
// be missing, gibberish, or nil)
Errerror
}
// LogAttributes is used to hold the extra attributes available in the log message
// Primarily used for converting the map type to string and sorting.
typeLogAttributesmap[string]string
// LogSelector is a list of services and tasks that should be returned as part
// of a log stream. It is similar to swarmapi.LogSelector, with the difference
// that the names don't have to be resolved to IDs; this is mostly to avoid
// accidents later where a swarmapi LogSelector might have been incorrectly
// used verbatim (and to avoid the handler having to import swarmapi types)
typeLogSelectorstruct{
Services[]string
Tasks[]string
}
// ContainerStatsConfig holds information for configuring the runtime
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
