Bumped version to 0.2.2

* vagrant: Use only one deb line in /etc/apt

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.2.2 (2012-05-03)
+ + Support for data volumes ('docker run -v=PATH')
+ + Share data volumes between containers ('docker run -volumes-from')
+ + Improved documentation
+ * Upgrade to Go 1.0.3
+ * Various upgrades to the dev environment for contributors
+
 ## 0.2.1 (2012-05-01)
  + 'docker commit -run' bundles a layer with default runtime options: command, ports etc. 
  * Improve install process on Vagrant

Makefile

@@ -38,14 +38,15 @@ $(DOCKER_BIN): $(DOCKER_DIR)
 
 $(DOCKER_DIR):
 	@mkdir -p $(dir $@)
-	@rm -f $@
-	@ln -sf $(CURDIR)/ $@
+	@if [ -h $@ ]; then rm -f $@; fi; ln -sf $(CURDIR)/ $@
 	@(cd $(DOCKER_MAIN); go get $(GO_OPTIONS))
 
 whichrelease:
 	echo $(RELEASE_VERSION)
 
 release: $(BINRELEASE)
+	s3cmd -P put $(BINRELEASE) s3://get.docker.io/builds/`uname -s`/`uname -m`/docker-$(RELEASE_VERSION).tgz
+
 srcrelease: $(SRCRELEASE)
 deps: $(DOCKER_DIR)
 
@@ -75,4 +76,7 @@ fmt:
 	@gofmt -s -l -w .
 
 hack:
-	cd $(CURDIR)/buildbot && vagrant up
+	cd $(CURDIR)/hack && vagrant up
+
+ssh-dev:
+	cd $(CURDIR)/hack && vagrant ssh

Vagrantfile

@@ -11,7 +11,7 @@ Vagrant::Config.run do |config|
   config.vm.box_url = BOX_URI
   # Add docker PPA key to the local repository and install docker
   pkg_cmd = "apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys #{PPA_KEY}; "
-  pkg_cmd << "echo 'deb http://ppa.launchpad.net/dotcloud/lxc-docker/ubuntu precise main' >>/etc/apt/sources.list; "
+  pkg_cmd << "echo 'deb http://ppa.launchpad.net/dotcloud/lxc-docker/ubuntu precise main' >/etc/apt/sources.list.d/lxc-docker.list; "
   pkg_cmd << "apt-get update -qq; apt-get install -q -y lxc-docker"
   if ARGV.include?("--provider=aws".downcase)
     # Add AUFS dependency to amazon's VM
@@ -50,12 +50,4 @@ Vagrant::VERSION >= "1.1.0" and Vagrant.configure("2") do |config|
     config.vm.box = BOX_NAME
     config.vm.box_url = BOX_URI
   end
-
-  config.vm.provider :vmware_fusion do |vm|
-    config.vm.box = "precise64"
-    config.vm.box_url = "http://files.vagrantup.com/precise64_vmware_fusion.box"
-    config.vm.provision :shell, :inline => <<-UPDATE
-      apt-get install -y linux-image-extra-3.2.0-29-virtual
-    UPDATE
-  end
 end

commands.go

@@ -10,6 +10,7 @@ import (
 	"log"
 	"net/http"
 	"net/url"
+	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
@@ -18,7 +19,7 @@ import (
 	"unicode"
 )
 
-const VERSION = "0.2.1"
+const VERSION = "0.2.2"
 
 var (
 	GIT_COMMIT string
@@ -400,7 +401,8 @@ func (srv *Server) CmdHistory(stdin io.ReadCloser, stdout io.Writer, args ...str
 }
 
 func (srv *Server) CmdRm(stdin io.ReadCloser, stdout io.Writer, args ...string) error {
-	cmd := rcli.Subcmd(stdout, "rm", "CONTAINER [CONTAINER...]", "Remove a container")
+	cmd := rcli.Subcmd(stdout, "rm", "[OPTIONS] CONTAINER [CONTAINER...]", "Remove a container")
+	v := cmd.Bool("v", false, "Remove the volumes associated to the container")
 	if err := cmd.Parse(args); err != nil {
 		return nil
 	}
@@ -408,15 +410,40 @@ func (srv *Server) CmdRm(stdin io.ReadCloser, stdout io.Writer, args ...string)
 		cmd.Usage()
 		return nil
 	}
+	volumes := make(map[string]struct{})
 	for _, name := range cmd.Args() {
 		container := srv.runtime.Get(name)
 		if container == nil {
 			return fmt.Errorf("No such container: %s", name)
 		}
+		// Store all the deleted containers volumes
+		for _, volumeId := range container.Volumes {
+			volumes[volumeId] = struct{}{}
+		}
 		if err := srv.runtime.Destroy(container); err != nil {
 			fmt.Fprintln(stdout, "Error destroying container "+name+": "+err.Error())
 		}
 	}
+	if *v {
+		// Retrieve all volumes from all remaining containers
+		usedVolumes := make(map[string]*Container)
+		for _, container := range srv.runtime.List() {
+			for _, containerVolumeId := range container.Volumes {
+				usedVolumes[containerVolumeId] = container
+			}
+		}
+
+		for volumeId := range volumes {
+			// If the requested volu
+			if c, exists := usedVolumes[volumeId]; exists {
+				fmt.Fprintf(stdout, "The volume %s is used by the container %s. Impossible to remove it. Skipping.\n", volumeId, c.Id)
+				continue
+			}
+			if err := srv.runtime.volumes.Delete(volumeId); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }
 
@@ -913,6 +940,25 @@ func (opts AttachOpts) Get(val string) bool {
 	return false
 }
 
+// PathOpts stores a unique set of absolute paths
+type PathOpts map[string]struct{}
+
+func NewPathOpts() PathOpts {
+	return make(PathOpts)
+}
+
+func (opts PathOpts) String() string {
+	return fmt.Sprintf("%v", map[string]struct{}(opts))
+}
+
+func (opts PathOpts) Set(val string) error {
+	if !filepath.IsAbs(val) {
+		return fmt.Errorf("%s is not an absolute path", val)
+	}
+	opts[filepath.Clean(val)] = struct{}{}
+	return nil
+}
+
 func (srv *Server) CmdTag(stdin io.ReadCloser, stdout io.Writer, args ...string) error {
 	cmd := rcli.Subcmd(stdout, "tag", "[OPTIONS] IMAGE REPOSITORY [TAG]", "Tag an image into a repository")
 	force := cmd.Bool("f", false, "Force")

container.go

@@ -48,6 +48,7 @@ type Container struct {
 	runtime *Runtime
 
 	waitLock chan struct{}
+	Volumes  map[string]string
 }
 
 type Config struct {
@@ -66,6 +67,8 @@ type Config struct {
 	Cmd          []string
 	Dns          []string
 	Image        string // Name of the image as it was passed by the operator (eg. could be symbolic)
+	Volumes      map[string]struct{}
+	VolumesFrom  string
 }
 
 func ParseRun(args []string, stdout io.Writer, capabilities *Capabilities) (*Config, error) {
@@ -97,6 +100,11 @@ func ParseRun(args []string, stdout io.Writer, capabilities *Capabilities) (*Con
 	var flDns ListOpts
 	cmd.Var(&flDns, "dns", "Set custom dns servers")
 
+	flVolumes := NewPathOpts()
+	cmd.Var(flVolumes, "v", "Attach a data volume")
+
+	flVolumesFrom := cmd.String("volumes-from", "", "Mount volumes from the specified container")
+
 	if err := cmd.Parse(args); err != nil {
 		return nil, err
 	}
@@ -136,6 +144,8 @@ func ParseRun(args []string, stdout io.Writer, capabilities *Capabilities) (*Con
 		Cmd:          runCmd,
 		Dns:          flDns,
 		Image:        image,
+		Volumes:      flVolumes,
+		VolumesFrom:  *flVolumesFrom,
 	}
 
 	if *flMemory > 0 && !capabilities.SwapLimit {
@@ -394,10 +404,40 @@ func (container *Container) Start() error {
 		log.Printf("WARNING: Your kernel does not support swap limit capabilities. Limitation discarded.\n")
 		container.Config.MemorySwap = -1
 	}
+	container.Volumes = make(map[string]string)
+
+	// Create the requested volumes volumes
+	for volPath := range container.Config.Volumes {
+		if c, err := container.runtime.volumes.Create(nil, container, "", "", nil); err != nil {
+			return err
+		} else {
+			if err := os.MkdirAll(path.Join(container.RootfsPath(), volPath), 0755); err != nil {
+				return nil
+			}
+			container.Volumes[volPath] = c.Id
+		}
+	}
+
+	if container.Config.VolumesFrom != "" {
+		c := container.runtime.Get(container.Config.VolumesFrom)
+		if c == nil {
+			return fmt.Errorf("Container %s not found. Impossible to mount its volumes", container.Id)
+		}
+		for volPath, id := range c.Volumes {
+			if _, exists := container.Volumes[volPath]; exists {
+				return fmt.Errorf("The requested volume %s overlap one of the volume of the container %s", volPath, c.Id)
+			}
+			if err := os.MkdirAll(path.Join(container.RootfsPath(), volPath), 0755); err != nil {
+				return nil
+			}
+			container.Volumes[volPath] = id
+		}
+	}
 
 	if err := container.generateLXCConfig(); err != nil {
 		return err
 	}
+
 	params := []string{
 		"-n", container.Id,
 		"-f", container.lxcConfigPath(),
@@ -456,6 +496,7 @@ func (container *Container) Start() error {
 
 	// Init the lock
 	container.waitLock = make(chan struct{})
+
 	container.ToDisk()
 	go container.monitor()
 	return nil
@@ -787,6 +828,22 @@ func (container *Container) RootfsPath() string {
 	return path.Join(container.root, "rootfs")
 }
 
+func (container *Container) GetVolumes() (map[string]string, error) {
+	ret := make(map[string]string)
+	for volPath, id := range container.Volumes {
+		volume, err := container.runtime.volumes.Get(id)
+		if err != nil {
+			return nil, err
+		}
+		root, err := volume.root()
+		if err != nil {
+			return nil, err
+		}
+		ret[volPath] = path.Join(root, "layer")
+	}
+	return ret, nil
+}
+
 func (container *Container) rwPath() string {
 	return path.Join(container.root, "rw")
 }

contrib/docker-build/docker-build

@@ -69,11 +69,14 @@ def insert(base, src, dst, author=None):
 	stdin.seek(0)
 	return run_and_commit(base, "cat > {0}; chmod +x {0}".format(dst), stdin=stdin, author=author)
 
-def push(base, dst, author=None):
+def add(base, src, dst, author=None):
 	print "PUSH to {} in {}".format(dst, base)
+	if src == ".":
+		tar = subprocess.Popen(["tar", "-c", "."], stdout=subprocess.PIPE).stdout
+	else:
+		tar = subprocess.Popen(["curl", src], stdout=subprocess.PIPE).stdout
 	if dst == "":
 		raise Exception("Missing argument to push")
-	tar = subprocess.Popen(["tar", "-c", "."], stdout=subprocess.PIPE).stdout
 	return run_and_commit(base, "mkdir -p '{0}' && tar -C '{0}' -x".format(dst), stdin=tar, author=author)
 
 def main():
@@ -104,8 +107,9 @@ def main():
 				steps.append(result)
 				base = result
 				print "===> " + base
-			elif op == "push":
-				result = push(base, param.strip(), author=maintainer)
+			elif op == "add":
+				src, dst = param.split("	", 1)
+				result = add(base, src, dst, author=maintainer)
 				steps.append(result)
 				base=result
 				print "===> " + base

docs/sources/commandline/command/commit.rst

@@ -9,3 +9,19 @@
     Create a new image from a container's changes
 
       -m="": Commit message
+      -author="": Author (eg. "John Hannibal Smith <hannibal@a-team.com>"
+      -run="": Config automatically applied when the image is run. "+`(ex: {"Cmd": ["cat", "/world"], "PortSpecs": ["22"]}')
+
+Full -run example::
+
+    {"Hostname": "",
+     "User": "",
+     "Memory": 0,
+     "MemorySwap": 0,
+     "PortSpecs": ["22", "80", "443"],
+     "Tty": true,
+     "OpenStdin": true,
+     "StdinOnce": true,
+     "Env": ["FOO=BAR", "FOO2=BAR2"],
+     "Cmd": ["cat", "-e", "/etc/resolv.conf"],
+     "Dns": ["8.8.8.8", "8.8.4.4"]}

docs/sources/commandline/command/run.rst

@@ -17,3 +17,5 @@
       -p=[]: Map a network port to the container
       -t=false: Allocate a pseudo-tty
       -u="": Username or UID
+      -d=[]: Set custom dns servers for the container
+      -v=[]: Creates a new volumes and mount it at the specified path. A container ID can be passed instead of a path in order to mount all volumes from the given container.

docs/sources/concepts/buildingblocks.rst

@@ -12,7 +12,7 @@ Images
 ------
 An original container image. These are stored on disk and are comparable with what you normally expect from a stopped virtual machine image. Images are stored (and retrieved from) repository
 
-Images are stored on your local file system under /var/lib/docker/images
+Images are stored on your local file system under /var/lib/docker/graph
 
 
 .. _containers:

docs/sources/examples/couchdb_data_volumes.rst

@@ -0,0 +1,53 @@
+:title: Sharing data between 2 couchdb databases
+:description: Sharing data between 2 couchdb databases
+:keywords: docker, example, package installation, networking, couchdb, data volumes
+
+.. _running_redis_service:
+
+Create a redis service
+======================
+
+.. include:: example_header.inc
+
+Here's an example of using data volumes to share the same data between 2 couchdb containers.
+This could be used for hot upgrades, testing different versions of couchdb on the same data, etc.
+
+Create first database
+---------------------
+
+Note that we're marking /var/lib/couchdb as a data volume.
+
+.. code-block:: bash
+
+    COUCH1=$(docker run -d -v /var/lib/couchdb shykes/couchdb:2013-05-03)
+
+Add data to the first database
+------------------------------
+
+We're assuming your docker host is reachable at `localhost`. If not, replace `localhost` with the public IP of your docker host.
+
+.. code-block:: bash
+
+    HOST=localhost
+    URL="http://$HOST:$(docker port $COUCH1 5984)/_utils/"
+    echo "Navigate to $URL in your browser, and use the couch interface to add data"
+
+Create second database
+----------------------
+
+This time, we're requesting shared access to $COUCH1's volumes.
+
+.. code-block:: bash
+
+    COUCH2=$(docker run -d -volumes-from $COUCH1) shykes/couchdb:2013-05-03)
+
+Browse data on the second database
+----------------------------------
+
+.. code-block:: bash
+
+    HOST=localhost
+    URL="http://$HOST:$(docker port $COUCH2 5984)/_utils/"
+    echo "Navigate to $URL in your browser. You should see the same data as in the first database!"
+
+Congratulations, you are running 2 Couchdb containers, completely isolated from each other *except* for their data.

docs/sources/examples/index.rst

@@ -18,3 +18,4 @@ Contents:
    python_web_app
    running_redis_service
    running_ssh_service
+   couchdb_data_volumes

docs/sources/index.rst

@@ -15,6 +15,7 @@ This documentation has the following resources:
    examples/index
    contributing/index
    commandline/index
+   registry/index
    faq
 
 

docs/sources/registry/api.rst

@@ -0,0 +1,464 @@
+===================
+Docker Registry API
+===================
+
+.. contents:: Table of Contents
+
+1. The 3 roles
+===============
+
+1.1 Index
+---------
+
+The Index is responsible for centralizing information about:
+- User accounts
+- Checksums of the images
+- Public namespaces
+
+The Index has different components:
+- Web UI
+- Meta-data store (comments, stars, list public repositories)
+- Authentication service
+- Tokenization
+
+The index is authoritative for those information.
+
+We expect that there will be only one instance of the index, run and managed by dotCloud.
+
+1.2 Registry
+------------
+- It stores the images and the graph for a set of repositories
+- It does not have user accounts data
+- It has no notion of user accounts or authorization
+- It delegates authentication and authorization to the Index Auth service using tokens
+- It supports different storage backends (S3, cloud files, local FS)
+- It doesn’t have a local database
+- It will be open-sourced at some point
+
+We expect that there will be multiple registries out there. To help to grasp the context, here are some examples of registries:
+
+- **sponsor registry**: such a registry is provided by a third-party hosting infrastructure as a convenience for their customers and the docker community as a whole. Its costs are supported by the third party, but the management and operation of the registry are supported by dotCloud. It features read/write access, and delegates authentication and authorization to the Index.
+- **mirror registry**: such a registry is provided by a third-party hosting infrastructure but is targeted at their customers only. Some mechanism (unspecified to date) ensures that public images are pulled from a sponsor registry to the mirror registry, to make sure that the customers of the third-party provider can “docker pull” those images locally.
+- **vendor registry**: such a registry is provided by a software vendor, who wants to distribute docker images. It would be operated and managed by the vendor. Only users authorized by the vendor would be able to get write access. Some images would be public (accessible for anyone), others private (accessible only for authorized users). Authentication and authorization would be delegated to the Index. The goal of vendor registries is to let someone do “docker pull basho/riak1.3” and automatically push from the vendor registry (instead of a sponsor registry); i.e. get all the convenience of a sponsor registry, while retaining control on the asset distribution.
+- **private registry**: such a registry is located behind a firewall, or protected by an additional security layer (HTTP authorization, SSL client-side certificates, IP address authorization...). The registry is operated by a private entity, outside of dotCloud’s control. It can optionally delegate additional authorization to the Index, but it is not mandatory.
+
+.. note::
+
+    Mirror registries and private registries which do not use the Index don’t even need to run the registry code. They can be implemented by any kind of transport implementing HTTP GET and PUT. Read-only registries can be powered by a simple static HTTP server. 
+
+.. note::
+
+    The latter implies that while HTTP is the protocol of choice for a registry, multiple schemes are possible (and in some cases, trivial):
+        - HTTP with GET (and PUT for read-write registries);
+        - local mount point;
+        - remote docker addressed through SSH.
+
+The latter would only require two new commands in docker, e.g. “registryget” and “registryput”, wrapping access to the local filesystem (and optionally doing consistency checks). Authentication and authorization are then delegated to SSH (e.g. with public keys).
+
+1.3 Docker
+----------
+
+On top of being a runtime for LXC, Docker is the Registry client. It supports:
+- Push / Pull on the registry
+- Client authentication on the Index
+
+2. Workflow
+===========
+
+2.1 Pull
+--------
+
+.. image:: /static_files/docker_pull_chart.png
+
+1. Contact the Index to know where I should download “samalba/busybox”
+2. Index replies:
+   a. “samalba/busybox” is on Registry A
+   b. here are the checksums for “samalba/busybox” (for all layers)
+   c. token
+3. Contact Registry A to receive the layers for “samalba/busybox” (all of them to the base image). Registry A is authoritative for “samalba/busybox” but keeps a copy of all inherited layers and serve them all from the same location.
+4. registry contacts index to verify if token/user is allowed to download images
+5. Index returns true/false lettings registry know if it should proceed or error out
+6. Get the payload for all layers
+
+It’s possible to run docker pull https://<registry>/repositories/samalba/busybox. In this case, docker bypasses the Index. However the security is not guaranteed (in case Registry A is corrupted) because there won’t be any checksum checks.
+
+Currently registry redirects to s3 urls for downloads, going forward all downloads need to be streamed through the registry. The Registry will then abstract the calls to S3 by a top-level class which implements sub-classes for S3 and local storage.
+
+Token is only returned when it is a private repo, public repos do not require tokens to be returned. The Registry will still contact the Index to make sure the pull is authorized (“is it ok to download this repos without a Token?”).
+
+API (pulling repository foo/bar):
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. (Docker -> Index) GET /v1/repositories/foo/bar/images
+    **Headers**:
+        Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+        X-Docker-Token: true
+    **Action**:
+        (looking up the foo/bar in db and gets images and checksums for that repo (all if no tag is specified, if tag, only checksums for those tags) see part 4.4.1)
+
+2. (Index -> Docker) HTTP 200 OK
+
+    **Headers**:
+        - Authorization: Token signature=123abc,repository=”foo/bar”,access=write
+        - X-Docker-Endpoints: registry.docker.io [, registry2.docker.io]
+    **Body**:
+        Jsonified checksums (see part 4.4.1)
+
+3. (Docker -> Registry) GET /v1/repositories/foo/bar/tags/latest
+    **Headers**: 
+        Authorization: Token signature=123abc,repository=”foo/bar”,access=write
+
+4. (Registry -> Index) GET /v1/repositories/foo/bar/images
+
+    **Headers**:
+        Authorization: Token signature=123abc,repository=”foo/bar”,access=read
+
+    **Body**:
+        <ids and checksums in payload>
+
+    **Action**:
+        ( Lookup token see if they have access to pull.)
+
+        If good: 
+            HTTP 200 OK
+            Index will invalidate the token
+        If bad: 
+            HTTP 401 Unauthorized
+
+5. (Docker -> Registry) GET /v1/images/928374982374/ancestry
+    **Action**:
+        (for each image id returned in the registry, fetch /json + /layer)
+
+.. note::
+
+    If someone makes a second request, then we will always give a new token, never reuse tokens.
+
+2.2 Push
+--------
+
+.. image:: /static_files/docker_push_chart.png
+
+1. Contact the index to allocate the repository name “samalba/busybox” (authentication required with user credentials)
+2. If authentication works and namespace available, “samalba/busybox” is allocated and a temporary token is returned (namespace is marked as initialized in index)
+3. Push the image on the registry (along with the token)
+4. Registry A contacts the Index to verify the token (token must corresponds to the repository name)
+5. Index validates the token. Registry A starts reading the stream pushed by docker and store the repository (with its images)
+6. docker contacts the index to give checksums for upload images
+
+.. note::
+
+    **It’s possible not to use the Index at all!** In this case, a deployed version of the Registry is deployed to store and serve images. Those images are not authentified and the security is not guaranteed.
+
+.. note::
+
+    **Index can be replaced!** For a private Registry deployed, a custom Index can be used to serve and validate token according to different policies.
+
+Docker computes the checksums and submit them to the Index at the end of the push. When a repository name does not have checksums on the Index, it means that the push is in progress (since checksums are submitted at the end).
+
+API (pushing repos foo/bar):
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+1. (Docker -> Index) PUT /v1/repositories/foo/bar/
+    **Headers**:
+        Authorization: Basic sdkjfskdjfhsdkjfh==
+        X-Docker-Token: true
+
+    **Action**::
+        - in index, we allocated a new repository, and set to initialized
+
+    **Body**::
+        (The body contains the list of images that are going to be pushed, with empty checksums. The checksums will be set at the end of the push)::
+
+        [{“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”}]
+
+2. (Index -> Docker) 200 Created
+    **Headers**:
+        - WWW-Authenticate: Token signature=123abc,repository=”foo/bar”,access=write
+        - X-Docker-Endpoints: registry.docker.io [, registry2.docker.io]
+
+3. (Docker -> Registry) PUT /v1/images/98765432_parent/json
+    **Headers**:
+        Authorization: Token signature=123abc,repository=”foo/bar”,access=write
+
+4. (Registry->Index) GET /v1/repositories/foo/bar/images
+    **Headers**:
+        Authorization: Token signature=123abc,repository=”foo/bar”,access=write
+    **Action**::
+        - Index: 
+            will invalidate the token.
+        - Registry: 
+            grants a session (if token is approved) and fetches the images id
+
+5. (Docker -> Registry) PUT /v1/images/98765432_parent/json
+    **Headers**::
+        - Authorization: Token signature=123abc,repository=”foo/bar”,access=write
+        - Cookie: (Cookie provided by the Registry)
+
+6. (Docker -> Registry) PUT /v1/images/98765432/json
+    **Headers**:
+        Cookie: (Cookie provided by the Registry)
+
+7. (Docker -> Registry) PUT /v1/images/98765432_parent/layer
+    **Headers**:
+        Cookie: (Cookie provided by the Registry)
+
+8. (Docker -> Registry) PUT /v1/images/98765432/layer
+    **Headers**:
+        X-Docker-Checksum: sha256:436745873465fdjkhdfjkgh
+
+9. (Docker -> Registry) PUT /v1/repositories/foo/bar/tags/latest
+    **Headers**:
+        Cookie: (Cookie provided by the Registry)
+    **Body**:
+        “98765432”
+
+10. (Docker -> Index) PUT /v1/repositories/foo/bar/images
+
+    **Headers**:
+        Authorization: Basic 123oislifjsldfj==
+        X-Docker-Endpoints: registry1.docker.io (no validation on this right now)
+
+    **Body**:
+        (The image, id’s, tags and checksums)
+
+        [{“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”, 
+        “checksum”: “b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087”}]
+
+    **Return** HTTP 204
+
+.. note::
+
+     If push fails and they need to start again, what happens in the index, there will already be a record for the namespace/name, but it will be initialized. Should we allow it, or mark as name already used? One edge case could be if someone pushes the same thing at the same time with two different shells.
+
+     If it's a retry on the Registry, Docker has a cookie (provided by the registry after token validation). So the Index won’t have to provide a new token.
+
+3. How to use the Registry in standalone mode
+=============================================
+
+The Index has two main purposes (along with its fancy social features):
+
+- Resolve short names (to avoid passing absolute URLs all the time)
+   - username/projectname -> https://registry.docker.io/users/<username>/repositories/<projectname>/
+   - team/projectname -> https://registry.docker.io/team/<team>/repositories/<projectname>/
+- Authenticate a user as a repos owner (for a central referenced repository)
+
+3.1 Without an Index
+--------------------
+Using the Registry without the Index can be useful to store the images on a private network without having to rely on an external entity controlled by dotCloud.
+
+In this case, the registry will be launched in a special mode (--standalone? --no-index?). In this mode, the only thing which changes is that Registry will never contact the Index to verify a token. It will be the Registry owner responsibility to authenticate the user who pushes (or even pulls) an image using any mechanism (HTTP auth, IP based, etc...).
+
+In this scenario, the Registry is responsible for the security in case of data corruption since the checksums are not delivered by a trusted entity.
+
+As hinted previously, a standalone registry can also be implemented by any HTTP server handling GET/PUT requests (or even only GET requests if no write access is necessary).
+
+3.2 With an Index
+-----------------
+
+The Index data needed by the Registry are simple:
+- Serve the checksums
+- Provide and authorize a Token
+
+In the scenario of a Registry running on a private network with the need of centralizing and authorizing, it’s easy to use a custom Index.
+
+The only challenge will be to tell Docker to contact (and trust) this custom Index. Docker will be configurable at some point to use a specific Index, it’ll be the private entity responsibility (basically the organization who uses Docker in a private environment) to maintain the Index and the Docker’s configuration among its consumers.
+
+4. The API
+==========
+
+The first version of the api is available here: https://github.com/jpetazzo/docker/blob/acd51ecea8f5d3c02b00a08176171c59442df8b3/docs/images-repositories-push-pull.md
+
+4.1 Images
+----------
+
+The format returned in the images is not defined here (for layer and json), basically because Registry stores exactly the same kind of information as Docker uses to manage them.
+
+The format of ancestry is a line-separated list of image ids, in age order. I.e. the image’s parent is on the last line, the parent of the parent on the next-to-last line, etc.; if the image has no parent, the file is empty.
+
+GET /v1/images/<image_id>/layer
+PUT /v1/images/<image_id>/layer
+GET /v1/images/<image_id>/json
+PUT /v1/images/<image_id>/json
+GET /v1/images/<image_id>/ancestry
+PUT /v1/images/<image_id>/ancestry
+
+4.2 Users
+---------
+
+4.2.1 Create a user (Index)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+POST /v1/users
+
+**Body**:
+    {"email": "sam@dotcloud.com", "password": "toto42", "username": "foobar"'}
+
+**Validation**:
+    - **username** : min 4 character, max 30 characters, all lowercase no special characters. 
+    - **password**: min 5 characters
+
+**Valid**: return HTTP 200
+
+Errors: HTTP 400 (we should create error codes for possible errors)
+- invalid json
+- missing field
+- wrong format (username, password, email, etc)
+- forbidden name
+- name already exists
+
+.. note::
+
+    A user account will be valid only if the email has been validated (a validation link is sent to the email address).
+
+4.2.2 Update a user (Index)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+PUT /v1/users/<username>
+
+**Body**:
+    {"password": "toto"}
+
+.. note::
+
+    We can also update email address, if they do, they will need to reverify their new email address.
+
+4.2.3 Login (Index)
+^^^^^^^^^^^^^^^^^^^
+Does nothing else but asking for a user authentication. Can be used to validate credentials. HTTP Basic Auth for now, maybe change in future.
+
+GET /v1/users
+
+**Return**:
+    - Valid: HTTP 200
+    - Invalid login: HTTP 401
+    - Account inactive: HTTP 403 Account is not Active
+
+4.3 Tags (Registry)
+-------------------
+
+The Registry does not know anything about users. Even though repositories are under usernames, it’s just a namespace for the registry. Allowing us to implement organizations or different namespaces per user later, without modifying the Registry’s API.
+
+4.3.1 Get all tags
+^^^^^^^^^^^^^^^^^^
+
+GET /v1/repositories/<namespace>/<repository_name>/tags
+
+**Return**: HTTP 200
+    {
+    "latest": "9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f",
+    “0.1.1”:  “b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087”
+    }
+
+4.3.2 Read the content of a tag (resolve the image id)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+GET /v1/repositories/<namespace>/<repo_name>/tags/<tag>
+
+**Return**:
+    "9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f"
+
+4.3.3 Delete a tag (registry)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+DELETE /v1/repositories/<namespace>/<repo_name>/tags/<tag>
+
+4.4 Images (Index)
+------------------
+
+For the Index to “resolve” the repository name to a Registry location, it uses the X-Docker-Endpoints header. In other terms, this requests always add a “X-Docker-Endpoints” to indicate the location of the registry which hosts this repository.
+
+4.4.1 Get the images
+^^^^^^^^^^^^^^^^^^^^^
+
+GET /v1/repositories/<namespace>/<repo_name>/images
+
+**Return**: HTTP 200
+    [{“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”, “checksum”: “md5:b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087”}]
+
+
+4.4.2 Add/update the images
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+You always add images, you never remove them.
+
+PUT /v1/repositories/<namespace>/<repo_name>/images
+
+**Body**:
+    [ {“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”, “checksum”: “sha256:b486531f9a779a0c17e3ed29dae8f12c4f9e89cc6f0bc3c38722009fe6857087”} ]
+    
+**Return** 204
+
+5. Chaining Registries
+======================
+
+It’s possible to chain Registries server for several reasons:
+- Load balancing
+- Delegate the next request to another server
+
+When a Registry is a reference for a repository, it should host the entire images chain in order to avoid breaking the chain during the download.
+
+The Index and Registry use this mechanism to redirect on one or the other.
+
+Example with an image download:
+On every request, a special header can be returned:
+
+X-Docker-Endpoints: server1,server2
+
+On the next request, the client will always pick a server from this list.
+
+6. Authentication & Authorization
+=================================
+
+6.1 On the Index
+-----------------
+
+The Index supports both “Basic” and “Token” challenges. Usually when there is a “401 Unauthorized”, the Index replies this::
+
+    401 Unauthorized
+    WWW-Authenticate: Basic realm="auth required",Token
+
+You have 3 options:
+
+1. Provide user credentials and ask for a token
+
+    **Header**:
+        - Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+        - X-Docker-Token: true
+
+    In this case, along with the 200 response, you’ll get a new token (if user auth is ok):
+
+    **Response**:
+        - 200 OK
+        - X-Docker-Token: Token signature=123abc,repository=”foo/bar”,access=read
+
+2. Provide user credentials only
+
+    **Header**:
+        Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
+
+3. Provide Token
+
+    **Header**:
+        Authorization: Token signature=123abc,repository=”foo/bar”,access=read
+
+6.2 On the Registry
+-------------------
+
+The Registry only supports the Token challenge::
+
+    401 Unauthorized
+    WWW-Authenticate: Token
+
+The only way is to provide a token on “401 Unauthorized” responses::
+
+    Authorization: Token signature=123abc,repository=”foo/bar”,access=read
+
+Usually, the Registry provides a Cookie when a Token verification succeeded. Every time the Registry passes a Cookie, you have to pass it back the same cookie.::
+
+    200 OK
+    Set-Cookie: session="wD/J7LqL5ctqw8haL10vgfhrb2Q=?foo=UydiYXInCnAxCi4=&timestamp=RjEzNjYzMTQ5NDcuNDc0NjQzCi4="; Path=/; HttpOnly
+
+Next request::
+
+    GET /(...)
+    Cookie: session="wD/J7LqL5ctqw8haL10vgfhrb2Q=?foo=UydiYXInCnAxCi4=&timestamp=RjEzNjYzMTQ5NDcuNDc0NjQzCi4="

docs/sources/registry/index.rst

@@ -0,0 +1,15 @@
+:title: docker Registry documentation
+:description: Documentation for docker Registry and Registry API
+:keywords: docker, registry, api, index
+
+
+
+Registry
+========
+
+Contents:
+
+.. toctree::
+   :maxdepth: 2
+
+   api

hack/README.md

@@ -1 +0,0 @@
-This directory contains material helpful for hacking on docker.

hack/README.rst

@@ -0,0 +1,27 @@
+This directory contains material helpful for hacking on docker.
+
+make hack
+=========
+
+Set up an Ubuntu 13.04 virtual machine for developers including kernel 3.8
+and buildbot. The environment is setup in a way that can be used through
+the usual go workflow and/or the root Makefile. You can either edit on
+your host, or inside the VM (using make ssh-dev) and run and test docker
+inside the VM.
+
+dependencies: vagrant, virtualbox packages and python package requests
+
+
+Buildbot
+~~~~~~~~
+
+Buildbot is a continuous integration system designed to automate the
+build/test cycle. By automatically rebuilding and testing the tree each time
+something has changed, build problems are pinpointed quickly, before other
+developers are inconvenienced by the failure.
+
+When running 'make hack' at the docker root directory, it spawns a virtual
+machine in the background running a buildbot instance and adds a git
+post-commit hook that automatically run docker tests for you.
+
+You can check your buildbot instance at http://192.168.33.21:8010/waterfall

hack/Vagrantfile

@@ -0,0 +1,35 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+BOX_NAME = "ubuntu-dev"
+BOX_URI = "http://cloud-images.ubuntu.com/raring/current/raring-server-cloudimg-vagrant-amd64-disk1.box"
+VM_IP = "192.168.33.21"
+USER = "vagrant"
+GOPATH = "/data/docker"
+DOCKER_PATH = "#{GOPATH}/src/github.com/dotcloud/docker"
+CFG_PATH = "#{DOCKER_PATH}/hack/environment"
+BUILDBOT_PATH = "/data/buildbot"
+
+Vagrant::Config.run do |config|
+  # Setup virtual machine box
+  config.vm.box = BOX_NAME
+  config.vm.box_url = BOX_URI
+  config.vm.share_folder "v-data", DOCKER_PATH, "#{File.dirname(__FILE__)}/.."
+  config.vm.network :hostonly, VM_IP
+  # Stop if deployment has been done
+  config.vm.provision :shell, :inline => "[ ! -f /usr/bin/git ]"
+  # Touch for makefile
+  pkg_cmd = "touch #{DOCKER_PATH}; "
+  # Install docker dependencies
+  pkg_cmd << "export DEBIAN_FRONTEND=noninteractive; apt-get -qq update; " \
+    "apt-get install -q -y lxc bsdtar git golang make linux-image-extra-3.8.0-19-generic; " \
+    "chown -R #{USER}.#{USER} #{GOPATH}; " \
+    "install -m 0664 #{CFG_PATH}/bash_profile /home/#{USER}/.bash_profile"
+  config.vm.provision :shell, :inline => pkg_cmd
+  # Deploy buildbot CI
+  pkg_cmd = "apt-get install -q -y python-dev python-pip supervisor; " \
+    "pip install -r #{CFG_PATH}/requirements.txt; " \
+    "chown #{USER}.#{USER} /data; cd /data; " \
+    "#{CFG_PATH}/setup.sh #{USER} #{GOPATH} #{DOCKER_PATH} #{CFG_PATH} #{BUILDBOT_PATH}"
+  config.vm.provision :shell, :inline => pkg_cmd
+end

hack/dockerbuilder/Dockerfile

@@ -1,17 +1,23 @@
 # This will build a container capable of producing an official binary build of docker and
 # uploading it to S3
+maintainer	Solomon Hykes <solomon@dotcloud.com>
 from	ubuntu:12.10
 run	apt-get update
 run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q s3cmd
+run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q curl
 # Packages required to checkout and build docker
-run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q golang
+run	curl -s -o /go.tar.gz https://go.googlecode.com/files/go1.0.3.linux-amd64.tar.gz
+run	tar -C /usr/local -xzf /go.tar.gz
+run	echo "export PATH=$PATH:/usr/local/go/bin" > /.bashrc
+run	echo "export PATH=$PATH:/usr/local/go/bin" > /.bash_profile
 run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q git
 run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q build-essential
 # Packages required to build an ubuntu package
 run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q debhelper
 run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q autotools-dev
 copy	fake_initctl	/usr/local/bin/initctl
-run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q devscripts
-copy	dockerbuilder	/usr/local/bin/dockerbuilder
-copy	s3cfg	/.s3cfg
-# run $img dockerbuilder $REVISION_OR_TAG $S3_ID $S3_KEY
+run	apt-get install -y -q devscripts
+add	.	/src
+run	cp /src/dockerbuilder /usr/local/bin/ && chmod +x /usr/local/bin/dockerbuilder
+run	cp /src/s3cfg /.s3cfg
+cmd	["dockerbuilder"]

hack/dockerbuilder/dockerbuilder

@@ -2,6 +2,8 @@
 set -x
 set -e
 
+export PATH=$PATH:/usr/local/go/bin
+
 PACKAGE=github.com/dotcloud/docker
 
 if [ $# -gt 1 ]; then
@@ -13,12 +15,10 @@ export REVISION=$1
 
 if [ -z "$AWS_ID" ]; then
 	echo "Warning: environment variable AWS_ID is not set. Won't upload to S3."
-	NO_S3=1
 fi
 
 if [ -z "$AWS_KEY" ]; then
 	echo "Warning: environment variable AWS_KEY is not set. Won't upload to S3."
-	NO_S3=1
 fi
 
 if [ -z "$GPG_KEY" ]; then
@@ -26,28 +26,15 @@ if [ -z "$GPG_KEY" ]; then
 	NO_UBUNTU=1
 fi
 
-if [ -z "$REVISION" ]; then
-	rm -fr docker-master
-	git clone https://github.com/dotcloud/docker docker-master
-	cd docker-master
-else 
-	rm -fr docker-$REVISION
-	git init docker-$REVISION
-	cd docker-$REVISION
-	git fetch -t https://github.com/dotcloud/docker $REVISION
-	git reset --hard FETCH_HEAD
-fi
-
+rm -fr docker-release
+git clone https://github.com/dotcloud/docker docker-release
+cd docker-release
 if [ -z "$REVISION" ]; then
 	make release
 else
 	make release RELEASE_VERSION=$REVISION
 fi
 
-if [ -z "$NO_S3" ]; then
-	s3cmd -P put docker-$REVISION.tgz s3://get.docker.io/builds/$(uname -s)/$(uname -m)/docker-$REVISION.tgz
-fi
-
 if [ -z "$NO_UBUNTU" ]; then
 	(cd packaging/ubuntu && make ubuntu)
 fi

hack/environment/README.rst

@@ -0,0 +1 @@
+Files used to setup the developer virtual machine

hack/environment/bash_profile

@@ -0,0 +1,19 @@
+# ~/.bash_profile : executed by the command interpreter for login shells.
+
+# if running bash
+if [ -n "$BASH_VERSION" ]; then
+    # include .bashrc if it exists
+    if [ -f "$HOME/.bashrc" ]; then
+        . "$HOME/.bashrc"
+    fi
+fi
+
+# set PATH so it includes user's private bin if it exists
+[ -d "$HOME/bin" ] && PATH="$HOME/bin:$PATH"
+
+docker=/data/docker/src/github.com/dotcloud/docker
+[ -d $docker ] && cd $docker
+
+export GOPATH=/data/docker
+export PATH=$PATH:$GOPATH/bin
+

hack/environment/master.cfg

@@ -13,8 +13,8 @@ TEST_USER = 'buildbot'  # Credential to authenticate build triggers
 TEST_PWD = 'docker'     # Credential to authenticate build triggers
 BUILDER_NAME = 'docker'
 BUILDPASSWORD = 'pass-docker'  # Credential to authenticate buildworkers
-DOCKER_PATH = '/data/docker'
-
+GOPATH = '/data/docker'
+DOCKER_PATH = '{0}/src/github.com/dotcloud/docker'.format(GOPATH)
 
 c = BuildmasterConfig = {}
 
@@ -28,10 +28,7 @@ c['slavePortnum'] = PORT_MASTER
 c['schedulers'] = [ForceScheduler(name='trigger',builderNames=[BUILDER_NAME])]
 
 # Docker test command
-test_cmd = """(
-    cd {0}/..; rm -rf docker-tmp; git clone docker docker-tmp;
-    cd docker-tmp; make test; exit_status=$?;
-    cd ..; rm -rf docker-tmp; exit $exit_status)""".format(DOCKER_PATH)
+test_cmd = "GOPATH={0} make -C {1} test".format(GOPATH,DOCKER_PATH)
 
 # Builder
 factory = BuildFactory()

hack/environment/requirements.txt

@@ -0,0 +1,6 @@
+sqlalchemy<=0.7.9
+sqlalchemy-migrate>=0.7.2
+buildbot==0.8.7p1
+buildbot_slave==0.8.7p1
+nose==1.2.1
+requests==1.1.0

hack/environment/setup.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Setup of buildbot configuration. Package installation is being done by
+# Vagrantfile
+# Dependencies: buildbot, buildbot-slave, supervisor
+
+USER=$1
+GOPATH=$2
+DOCKER_PATH=$3
+CFG_PATH=$4
+BUILDBOT_PATH=$5
+SLAVE_NAME="buildworker"
+SLAVE_SOCKET="localhost:9989"
+BUILDBOT_PWD="pass-docker"
+IP=$(sed -nE 's/VM_IP = "(.+)"/\1/p' ${DOCKER_PATH}/hack/Vagrantfile)
+export PATH="/bin:sbin:/usr/bin:/usr/sbin:/usr/local/bin"
+
+function run { su $USER -c "$1"; }
+
+# Exit if buildbot has already been installed
+[ -d "$BUILDBOT_PATH" ] && exit 0
+
+# Setup buildbot
+run "mkdir -p $BUILDBOT_PATH"
+cd $BUILDBOT_PATH
+run "buildbot create-master master"
+run "cp $CFG_PATH/master.cfg master"
+run "sed -i 's/localhost/$IP/' master/master.cfg"
+run "sed -i -E 's#(GOPATH = ).+#\1\"$GOPATH\"#' master/master.cfg"
+run "sed -i -E 's#(DOCKER_PATH = ).+#\1\"$DOCKER_PATH\"#' master/master.cfg"
+run "buildslave create-slave slave $SLAVE_SOCKET $SLAVE_NAME $BUILDBOT_PWD"
+
+# Allow buildbot subprocesses (docker tests) to properly run in containers,
+# in particular with docker -u
+run "sed -i 's/^umask = None/umask = 000/' slave/buildbot.tac"
+
+# Setup supervisor
+cp $CFG_PATH/buildbot.conf /etc/supervisor/conf.d/buildbot.conf
+sed -i -E "s/^chmod=0700.+/chmod=0770\nchown=root:$USER/" /etc/supervisor/supervisord.conf
+kill -HUP $(pgrep -f "/usr/bin/python /usr/bin/supervisord")
+
+# Add git hook
+cp $CFG_PATH/post-commit $DOCKER_PATH/.git/hooks
+sed -i "s/localhost/$IP/" $DOCKER_PATH/.git/hooks/post-commit
+

lxc_template.go

@@ -79,7 +79,11 @@ lxc.mount.entry = {{.SysInitPath}} {{$ROOTFS}}/sbin/init none bind,ro 0 0
 
 # In order to get a working DNS environment, mount bind (ro) the host's /etc/resolv.conf into the container
 lxc.mount.entry = {{.ResolvConfPath}} {{$ROOTFS}}/etc/resolv.conf none bind,ro 0 0
-
+{{if .Volumes}}
+{{range $virtualPath, $realPath := .GetVolumes}}
+lxc.mount.entry = {{$realPath}} {{$ROOTFS}}/{{$virtualPath}} none bind,rw 0 0
+{{end}}
+{{end}}
 
 # drop linux capabilities (apply mainly to the user root in the container)
 lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config

packaging/ubuntu/changelog

@@ -1,3 +1,12 @@
+lxc-docker (0.2.2-1) precise; urgency=low
+ - Support for data volumes ('docker run -v=PATH')
+ - Share data volumes between containers ('docker run -volumes-from')
+ - Improved documentation
+ - Upgrade to Go 1.0.3
+ - Various upgrades to the dev environment for contributors
+
+ -- dotCloud <ops@dotcloud.com>  Fri, 3 May 2013 00:00:00 -0700
+
 
 lxc-docker (0.2.1-1) precise; urgency=low
 

runtime.go

@@ -32,6 +32,7 @@ type Runtime struct {
 	capabilities   *Capabilities
 	kernelVersion  *KernelVersionInfo
 	autoRestart    bool
+	volumes        *Graph
 }
 
 var sysInitPath string
@@ -354,6 +355,27 @@ func (runtime *Runtime) restore() error {
 	return nil
 }
 
+func (runtime *Runtime) UpdateCapabilities(quiet bool) {
+	if cgroupMemoryMountpoint, err := FindCgroupMountpoint("memory"); err != nil {
+		if !quiet {
+			log.Printf("WARNING: %s\n", err)
+		}
+	} else {
+		_, err1 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.limit_in_bytes"))
+		_, err2 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.soft_limit_in_bytes"))
+		runtime.capabilities.MemoryLimit = err1 == nil && err2 == nil
+		if !runtime.capabilities.MemoryLimit && !quiet {
+			log.Printf("WARNING: Your kernel does not support cgroup memory limit.")
+		}
+
+		_, err = ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.memsw.limit_in_bytes"))
+		runtime.capabilities.SwapLimit = err == nil
+		if !runtime.capabilities.SwapLimit && !quiet {
+			log.Printf("WARNING: Your kernel does not support cgroup swap limit.")
+		}
+	}
+}
+
 // FIXME: harmonize with NewGraph()
 func NewRuntime(autoRestart bool) (*Runtime, error) {
 	runtime, err := NewRuntimeFromDirectory("/var/lib/docker", autoRestart)
@@ -369,23 +391,7 @@ func NewRuntime(autoRestart bool) (*Runtime, error) {
 			log.Printf("WARNING: You are running linux kernel version %s, which might be unstable running docker. Please upgrade your kernel to 3.8.0.", k.String())
 		}
 	}
-
-	if cgroupMemoryMountpoint, err := FindCgroupMountpoint("memory"); err != nil {
-		log.Printf("WARNING: %s\n", err)
-	} else {
-		_, err1 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.limit_in_bytes"))
-		_, err2 := ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.soft_limit_in_bytes"))
-		runtime.capabilities.MemoryLimit = err1 == nil && err2 == nil
-		if !runtime.capabilities.MemoryLimit {
-			log.Printf("WARNING: Your kernel does not support cgroup memory limit.")
-		}
-
-		_, err = ioutil.ReadFile(path.Join(cgroupMemoryMountpoint, "memory.memsw.limit_in_bytes"))
-		runtime.capabilities.SwapLimit = err == nil
-		if !runtime.capabilities.SwapLimit {
-			log.Printf("WARNING: Your kernel does not support cgroup swap limit.")
-		}
-	}
+	runtime.UpdateCapabilities(false)
 	return runtime, nil
 }
 
@@ -400,6 +406,10 @@ func NewRuntimeFromDirectory(root string, autoRestart bool) (*Runtime, error) {
 	if err != nil {
 		return nil, err
 	}
+	volumes, err := NewGraph(path.Join(root, "volumes"))
+	if err != nil {
+		return nil, err
+	}
 	repositories, err := NewTagStore(path.Join(root, "repositories"), g)
 	if err != nil {
 		return nil, fmt.Errorf("Couldn't create Tag store: %s", err)
@@ -427,6 +437,7 @@ func NewRuntimeFromDirectory(root string, autoRestart bool) (*Runtime, error) {
 		idIndex:        NewTruncIndex(),
 		capabilities:   &Capabilities{},
 		autoRestart:    autoRestart,
+		volumes:        volumes,
 	}
 
 	if err := runtime.restore(); err != nil {

runtime_test.go

@@ -93,7 +93,7 @@ func newTestRuntime() (*Runtime, error) {
 	if err != nil {
 		return nil, err
 	}
-
+	runtime.UpdateCapabilities(true)
 	return runtime, nil
 }