Fixed some http status codes and decreased site-order for docker_remote_api_v1.24.md to appear in the right order in the menu
Signed-off-by: Robin Naundorf <r.naundorf@fh-muenster.de>
(cherry picked from commit 5d2f6b3ea3)
Close could be called twice on a temporary download file, which could
have bad side effects.
This fixes the problem by setting to ld.tmpFile to nil when the download
completes sucessfully. Then the call to ld.Close will have no effect,
and only the download manager will close the temporary file when it's
done extracting the layer from it. ld.Close will be responsible for
closing the file if we hit the retry limit and there is still a partial
download present.
Fixes#21675
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 930ae3dbcb)
Get was calling getReference without layerL held. This meant writes to
the references map could race. Such races are dangerous because they can
corrupt the map and crash the process.
Fixes#21616Fixes#21674
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 0538981c31)
- Refactor generic and path based cleanup functions into a single function.
- Include aufs and zfs mounts in the mounts cleanup.
- Containers that receive exit event on restore don't require manual cleanup.
- Make missing sandbox id message a warning because currently sandboxes are always cleared on startup. libnetwork#975
- Don't unmount volumes for containers that don't have base path. Shouldn't be needed after #21372
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 05cc737f54)
Fix unmount issues in the daemon crash and restart lifecycle, w.r.t
graph drivers. This change sets a live container RWLayer's activity
count to 1, so that the RWLayer is aware of the mount. Note that
containerd has experimental support for restore live containers.
Added/updated corresponding tests.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 511a70583f)
Its useful to have containerd logs as part of docker.
Containerd metrics are too chatty, so set interval to 0.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit d9c3b653c0)
Following a journal log almost always requires a descriptor to be
allocated. In cases where we're running out of descriptors, this means
we might get stuck while attempting to start following the journal, at a
point where it's too late to report it to the client and clean up
easily. The journal reading context will cache the value once it's
allocated, so here we move the check earlier, so that we can detect a
problem when we can still report it cleanly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
(cherry picked from commit ab62ecf393)
When we set up to start following a journal, if we get error results
from sd_journal_get_fd() or sd_journal_get_events() that prevent us from
following the journal, report the error instead of just mysteriously
failing.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
(cherry picked from commit 8d597d25a8)
Auto-creation of host-directories was marked deprecated in
Docker 1.9, but was decided to be too much of an backward-incompatible
change, so it was decided to keep the feature.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0f70f53826)
Currently the directory inside of the tgz files is /usr/local/bin
and this is causing some confusion, and problems with people who already
have stuff in those directories. This commit changes the directory
to /docker to help remove the confusion.
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
(cherry picked from commit 7df5b32834)
This includes fixes for;
- outputing errors for missing seccomp options on seccomp versions < 2.3
- cap set apply EPERM errors on ARM systems
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 752b31d3fe)
This fix updated documentations to add the `Warnings` fields in
`GET /volumes` API.
The `Warnings` has been part of the `GET /volumes` API response
since Docker 1.10 (v1.21). However, the `Warnings` field is not
in the documentation so there are some confusions (See #21606).
This fix updated the related documentations in v1.22, v1.23, and
v1.24 and added this field to the API.
This fix is related to #21605.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit d773927985)
runc expects a systemd cgroupsPath to be in slice:scopePrefix:containerName
format and the "--systemd-cgroup" option to be set. Update docker accordingly.
Fixes 21475
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 7ed3d265a4)
It was suggested to me that documentation for "docker pull" and "docker
push" should reference "docker login", to make clearer how to specify
credentials for a push or pull operation. Add a note to the manual pages
and reference documentation explaining how registry credentials are
managed.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit fb5ea0c0ef)
Completion of these options was not handled consistently.
Now all such options immediatly complete with =false appended.
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 39b9b63e36)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add some missing dependencies in the Dockerfile:
- apt-utils for apt-ftparchive.conf
- bsdmainutils for our use of the column command in
hack/make/generate-index-listing
We also ensure that the docker daemon is started before calling
release-deb or release-rpm, since .detect-daemon-osarch, which is sourced
in each of them, requires the daemon to be running.
This commit also gets completely rid of s3cmd and fixes references to
AWS_* environment variables (changing from AWS_ACCESS_KEY to
AWS_ACCESS_KEY_ID and AWS_SECRET_KEY to AWS_SECRET_ACCESS_KEY) in order
to please awscli. Also AWS_DEFAULT_REGION is now important to specify,
the default has been set to the region used by get.docker.com and
test.docker.com.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 996138bf8e)
This was done by making List not populate the cache.
fixes#21403
Signed-off-by: Viktor Stanchev <me@viktorstanchev.com>
(cherry picked from commit 800b9c5a26)
These are the changes required due to the new binaries that containerd introduced.
The rpm, and deb packages now include 5 binaries.
docker, containerd, containerd-shim, ctr, and runc
The tar files also include all 5 binaries.
Signed-off-by: Ken Cochrane <KenCochrane@gmail.com>
(cherry picked from commit bb66d7144f)
This fix tries to fix issues encountered when running a container with a hostname
that is longer than HOST_NAME_MAX(64).
Previously, `could not synchronise with container process` was generated as the
length of the regex check was missing.
This fix covers the length check so that a hostname that is longer than
HOST_NAME_MAX(64) will be given a correct error message.
Several unit tests cases and additional integration test cases are added as well.
This fix closes#21445.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit fa44b4e81e)
Contains fixes for:
- pid.max fix that is causing hang on network stats test.
- fix for early stdin close containerd-shim
- better logging for `could not synchronise with container process`
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 22d997b374)
Instead of implementing refcounts at each graphdriver, implement this in
the layer package which is what the engine actually interacts with now.
This means interacting directly with the graphdriver is no longer
explicitly safe with regard to Get/Put calls being refcounted.
In addition, with the containerd, layers may still be mounted after
a daemon restart since we will no longer explicitly kill containers when
we shutdown or startup engine.
Because of this ref counts would need to be repopulated.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 65d79e3e5e)
This fix tries to fix Docker core dumps when removing network with special
characters. The issue is from the fact that when docker client tries to
pass the command to API, the networkID is not escaped in case of special
characters. This also means other commands (not just `docker network rm`)
may face the same issue (e.g., `docker network connect`).
This fix adds the URL path escape to properly handle it. In addition, an
integration test for network create and delete is added to cover the cases
in #21401.
This fix fixes#21401.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit f8dc5562d0)
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit f154227608)
Removes the seccomp buildtag when building runc.
Because seccomp isn't currently being built, this would cause
the build to fail.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit 2caf09d37b)
When a plugin is first found, it is loaded into the available plugins
even though it's not activated yet.
If activation fails it is taken out of the list.
While it is in the list, other callers may see it and try to check it's
manifest. If it is not fully activated yet, the manifest will be nil and
cause a panic.
This is especially problematic for drivers that are down and have not
been activated yet.
We could just not load the plugin into the available list until it's
fully active, however that will just cause multiple of the same plugin
to attemp to be loaded.
We could check if the manifest is nil and return early (instead of
panicing on a nil manifest), but this will cause a 2nd caller to receive
a response while the first caller is still waiting, which can be
awkward.
This change uses a condition variable to handle activation (instead of
sync.Once). If the plugin is not activated, callers will all wait until
it is activated and receive a broadcast from the condition variable
signaling that it's ok to proceed, in which case we'll check if their
was an error in activation and proceed accordingly.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit baac2f4867)
The error message was changed from "unauthorized: access to the
requested resource is not authorized" to "unauthorized: authentication
required".
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
it's concurrent streams and should be synchronized before writing to response.
Otherwise there will be race in writing to *bufio.Writer in
net/http.response.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
This adds a function for copying containerd and other binaries as well
as adding a hash for those files.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Instead of implementing refcounts at each graphdriver, implement this in
the layer package which is what the engine actually interacts with now.
This means interacting directly with the graphdriver is no longer
explicitly safe with regard to Get/Put calls being refcounted.
In addition, with the containerd, layers may still be mounted after
a daemon restart since we will no longer explicitly kill containers when
we shutdown or startup engine.
Because of this ref counts would need to be repopulated.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Restores the correct parent chain relationship
between images on docker load if multiple images
have been saved.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Now that the namespace sharing code via runc is vendored with the
containerd changes, we can disable the restrictions on container to
container net and IPC namespace sharing when the daemon has user
namespaces enabled.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Not sure if this is the right setup given the containerd change but I need
to have the built version of the nested exes (containerd, runc...) available
to me after the build is completed so I'm always testing using the latest
versions. This PR will copy them into the same bundles dir so people can
them use them if they wish w/o having to build each separately.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This allows a user to specify explicitly to enable
automatic copying of data from the container path to the volume path.
This does not change the default behavior of automatically copying, but
does allow a user to disable it at runtime.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This adds support for the passthrough on build, push, login, and search.
Revamp the integration test to cover these cases and make it more
robust.
Use backticks instead of quoted strings for backslash-heavy string
contstands.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This cleans up some of the use of the filepoller which makes reading
significantly more robust and gives fewer changes to fallback to the
polling based watcher.
In a lot of cases, if the file was being rotated while we were adding it
to the watcher, it would return an error that the file doesn't exist and
would fallback.
In some cases this fallback could be triggered multiple times even if we
were already on the fallback/poll-based watcher.
It also fixes an open file leak caused by not closing files properly on
rotate, as well as not closing files that were read via the `tail`
function until after the log reader is completed.
Prior to the above changes, it was relatively simple to cause the log
reader to error out by having quick rotations, for example:
```
$ docker run --name test --log-opt max-size=10b --log-opt max-files=10
-d busybox sh -c 'while true; do usleep 500000; echo hello; done'
$ docker logs -f test
```
After these changes I can run this forever without error.
Another fix removes 2 `os.Stat` calls when rotating files. The stat
calls are not needed since we are just calling `os.Rename` anyway, which
will in turn also just produce the same error that `Stat` would.
These `Stat` calls were also quite expensive.
Removing these stat calls also seemed to resolve an issue causing slow
memory growth on the daemon.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The form "Save an images" is not correct.
Either "Save an image" or "Save images" work, but since
the save commands accepts multiple images, I chose the
latter.
Fixed in all places where I could grep "Save an image(s)".
Signed-off-by: Martin Mosegaard Amdisen <martin.amdisen@praqma.com>
OomScoreAjd is not part of `/info` output
Wrong field name `DiscoveryBackend` in API reference
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The issue comes from the implementation of volumeSplitN() where a
driver letter (`[a-zA-Z]:`) was assumed to follow either `:`, `/`,
or `\\`.
In Windows driver letter appears in two situations:
a. `^[a-zA-Z]:` (A colon followed by `^[a-zA-Z]:` is OK as colon is
the separator in volume option)
b. A string in the format like `\\?\C:\Windows\...` (UNC).
Therefore, a driver letter can only follow either a `:` or `\\`
This PR removes the condition of `/` before the driver letter so
that options like `-v /tmp/q:/foo` could be handled correctly. A
couple of tests has also been added.
This PR fixes#20122.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updates the Plugin API docs to cover the case of remote
plugins which could be deployed on a host different from the
docker host, through spec or json files.
This fix closes#20188.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
so that the user knows what's not in the container but should be.
Its not always easy for the user to know what exact command is being run
when the 'docker run' is embedded deep in something else, like a Makefile.
Saw this while dealing with the containerd migration.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Changes how the Engine interacts with Registry servers on image pull.
Previously, Engine sent a User-Agent string to the Registry server
that included only the Engine's version information. This commit
appends to that string the fields from the User-Agent sent by the
client (e.g., Compose) of the Engine. This allows Registry server
operators to understand what tools are actually generating pulls on
their registries.
Signed-off-by: Mike Goelzer <mgoelzer@docker.com>
In order to check that we can have the `ptrace` rule, we need to
actually calculate the version of apparmor_parser.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
ExecPath isn't used by anything, and the signal apparmor rule isn't used
because it refers to a peer that we don't ship.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
- Added a few more diagrams.
- Fixed typos and a few additional details.
- Moved experimental images to a new directory
in /experimental/images per @cpuguy83 suggestion.
Signed-off-by: Brent Salisbury <brent@docker.com>
Docker logs was only closing the logger when the HTTP response writer received a close notification, however in non-follow mode the writer never receives a close. This means that the daemon would leak the file handle to the log, preventing the container from being removed on Windows (file in use error). This change explicitly closes the log when the end of stream is hit.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Add a paragraph about how to force a stack trace dump to the daemon log.
This feature was added in Docker 1.9 I believe, but documentation was
never added.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This fix addressed the issue of test TestRestartStoppedContainer
in #21211. Inside the test, a `docker restart` command is
followed by a `docker logs` command. However, `docker restart`
returns immediately so there is no guarantee that `docker logs`
will wait until the restarted container completes the command
`echo foobar`.
This fix use the check of `{{.State.Running}} = false` to make
sure that the restarted container has already finished, before
invoking the `docker logs` command. The timeout is set to 20s
to make sure it passes WindowsTP4 check.
This fixes#21211.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
When following a journal-based log, it was possible for the worker
goroutine, which reads the journal using the journal context and sends
entry data down the message channel, to be scheduled after the function
which started it had returned. This could create problems, since the
invoking function was closing the journal context object and message
channel before it returned, which could trigger use-after-free segfaults
and write-to-closed-channel panics in the worker goroutine.
Make the cleanup in the invoking function conditional so that it's only
done when we're not following the logs, and if we are, that it's left to
the worker goroutine to close them.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
The journald log reader keeps a map of following readers so that it can
close them properly when the journald reader object itself is closed,
but it was possible for its worker goroutine to be scheduled so that the
worker attempted to remove a reader from the map before the reader had
been added to the map. This patch adds the item to the map before
starting the goroutine which is expected to eventually remove it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
This (the first tagged hcsshim release) fixes long-path bugs on
Windows TP5 that affect commit and save. These bugs were blocking
commit of Windows containers that had node.js installed.
Signed-off-by: John Starks <jostarks@microsoft.com>
All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The GCP logging driver is calling out to GCP cloud service on package
init.
This is regardless if you are using GCP logging or not.
This change makes this happen on the first invocation of a new GCP
logging driver instance instead.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The issue of the flaky test is because when the second container
starts, the first container in the detached mode may have only
been created and not yet entering the running state. So the
port 8000 might be used by the second container first.
This fix added a check to make sure the first container is already
in running state, before the second container is invoked.
This fix fixes#21247.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Change user/group creation to use flags to adduser/useradd to enforce it
being a system user. Use system user defaults that auto-create a
matching group. These changes allow us to remove all group creation
code, and in doing so we also removed the code that finds available uid,
gid integers and use post-creation query to gather the system-generated
uid and gid.
The only added complexity is that today distros don't auto-create
subordinate ID ranges for a new ID if it is a system ID, so we now need
to handle finding a free range and then calling the `usermod` tool to
add the ranges for that ID. Note that this requires the distro supports
the `-v` and `-w` flags on `usermod` for subordinate ID range additions.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.
The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration
The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fixes problems encountered when running with a remapped root (the
syscalls related to the metadata directory will fail under user
namespaces). Using 0711 rather than 0701 (which solved the problem
previously) fixes the issue.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
- cherry-pick from 1.10.3 branch: 0186f4d422
- add token service test suite
- add integration test (missing in 1.10.3 branch)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This relies on changes to go-winio to support CloseWrite() when the pipe
is in message mode. This fixes an issue where stdin is not properly closed
when there is no more input to docker run.
Signed-off-by: John Starks <jostarks@microsoft.com>
This revendor provides support for CloseWrite() in the npipe transport,
fixes a performance regression introduced in Go 1.6, and improves
npipe performance by allowing the pipe buffer size to be specified.
Signed-off-by: John Starks <jostarks@microsoft.com>
The old examples no longer worked due to changes in
the client and Docker Hub.
This updates the "docker pull" documentation and
adds more examples and explanation of the features.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test was checking that it received every progress update that was
produced. But delivery of these intermediate progress updates is not
guaranteed. A new update can overwrite the previous one if the previous
one hasn't been sent to the channel yet.
The call to t.Fatalf exited the current goroutine which was consuming
the channel, which caused a deadlock and eventual test timeout rather
than a proper failure message.
Failure seen here:
https://jenkins.dockerproject.org/job/Docker-PRs-experimental/16400/console
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
debhelper has changed the way it performs path validations and
building the deb package fails when it tries to compress the files.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The download manager assumed there was at least one layer involved in
all images. This can be false if the image is essentially a copy of
`scratch`.
Fix a nil pointer dereference that happened in this case. Add
integration tests that involve schema1 and schema2 manifests.
Fixes#21213
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
pkg/chrootarchive/diff_unix.go erroneously calls flush on stdout, which tries to read from stdout returning an error.
This has been fixed by removing the call and by modifying flush to return errors and checking for these errors on calls to flush.
Signed-off-by: Amit Krishnan <krish.amit@gmail.com>
this allows user to choose the compression type (i.e. gzip/zlib/none) using
--log-opt=gelf-compression-type=none or the compression level (-1..9) using
--log-opt=gelf-compression-level=0 for gelf driver.
Signed-off-by: Daniel Dao <dqminh@cloudflare.com>
Fixes: #21195
The current size of the debian image is 125.1 MB so I have updated the Markdown to say "under 150". Also removed "extremely" (minimal) as requested. Documentation built and tested using `make docs`.
Signed-off-by: Lucas Chan <lucas-github@lucaschan.com>
Either a single slash or localhost should be specified after http in the cURL URL, not http:// (double slash)
Signed-off-by: ohadschn <ohad188@gmail.com>
Now that we are using gc/go 1.6, update a few hashes as well
as actually building the notary binary
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
In TestJSONFormatProgress, the progress string was used for comparison.
However, the progress string (progress.String()) uses time.Now().UTC()
to generate the timeLeftBox which is not a fixed value and cannot be
compared reliably.
This PR fixes the issue by stripping the timeLeftBox field before doing
the comparison.
This PR fixes#21124.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Following #19995 and #17409 this PR enables skipping userns re-mapping
when creating a container (or when executing a command). Thus, enabling
privileged containers running side by side with userns remapped
containers.
The feature is enabled by specifying ```--userns:host```, which will not
remapped the user if userns are applied. If this flag is not specified,
the existing behavior (which blocks specific privileged operation)
remains.
Signed-off-by: Liron Levin <liron@twistlock.com>
- add test for pull from private registry with no credentials
- add test for push to docker hub with no credentials
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Signed-off-by: Antonio Murdaca <amurdaca@localhost.localdomain>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Prior to this change, the "docker network inspect" contains only the
endpoints that have active local container. This excludes all the remote
and stale endpoints. By including all the endpoints, it makes debugging
much simpler and also allows the user to cleanup any stale endpoints
using "docker network disconnect -f {network} {endpoint-name}".
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Updating Docker's documentation file docker configuration file on Windows hosts.
This is of importance for Windows users whom are utilizing the Docker Toolbox.
Signed-off-by: Liran Tal <liran.talh@gmail.com>
If the destination does not exist, it needs to be created with ownership
mapping to the remapped uid/gid ranges if user namespaces are enabled.
This fixes ADD operations, similar to the prior fixes for COPY and WORKDIR.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This page has been deleted from the Docker Cloud tutorials,
so adding redirects for the old locations.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This code was lost in a rebase in the PIDs cgroup merge, fix it so that
`docker stats` actually shows statistics from the PIDs cgroup.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
This PR adds the "notary" binary requirement for tests.
Previously, NotaryHosting was checking for the "notary-server"
binary under the name notaryBinary. This renames that reference to
notaryServerBinary, so that notaryBinary can rightly refer
to the actual "notary" binary.
Currently only one test actually uses the notary binary, so it's been
updated accordingly.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Resolves: #20113
Signed-off-by: Aditi Rajagopal <arajagopal@us.ibm.com>
Carry #20160
Tighten language
Updating with comments
Removing articles which is empty
Adding Brian's comments
Putting back what I took out
Signed-off-by: Mary Anthony <mary@docker.com>
Fixes a bug when the log output is empty.
The length of a slice containing an empty string is 1, not 0, so
the test fails to catch when the log is empty. Instead, take a look at
out, which is just a string.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This test for libdevmapper was always silently failing because the
linker never got the `-ldevmapper` information. Putting the flag last
corrects the test.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Fixes#20818
This syscall was blocked as there was some concern that it could be
used to bypass filtering of other syscall arguments. However none of the
potential syscalls where this could be an issue (poll, nanosleep,
clock_nanosleep, futex) are blocked in the default profile anyway.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Fixes#20550
This update to libseccomp supports the new versions of socket
system calls that can be called directly rather than via the
socketcall syscall in kernel versions 4.3 or later with new glibc.
Note this library version now supports s390x and ppc64le, so
seccomp can be potentially be enabled for these architectures now.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Instead of being split between three files, let's let `hack/make/.detect-daemon-osarch` be our single source of truth for multiarch detection/vars. Not only does it make it slightly easier to make sure we change everything properly when these bits have to change, but it also makes it so that all bits of `hack/make.sh` (especially `hack/make/.ensure-frozen-images`) work properly outside the context of the `Makefile` on all platforms.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Going forward, Docker won't use a different default registry on Windows.
This changes Windows to use the standard Docker Hub registry as the
default registry.
There is a plan in place to migrate existing images from the Windows
registry to Hub's normal registry, in advance of the 1.11 release. In
the mean time, images on the Windows registry can be accessed by
prefixing them with `registry-win-tp3.docker.io/`.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When I use `docker exec -ti test ls`, I got error:
```
ERRO[0035] Handler for POST /v1.23/exec/9677ecd7aa9de96f8e9e667519ff266ad26a5be80e80021a997fff6084ed6d75/resize returned error: bad file descriptor
```
It's because `POST /exec/<id>/start` and
`POST /exec/<id>/resize` are asynchronous, it is
possible that exec process finishes and ternimal
is closed before resize. Then `console.Fd()` will
get a large invalid number and we got the above
error.
Fix it by adding synchronization between exec and
resize.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
The version of sed on MacOS X is different then the one on linux. The mac version
requires a parameter for the inline (-i) flag, where this isn't required on linux.
On the mac it thinks the -e flag is the parameter, and it causes the vendoring script
to fail.
This fix adds an empty string '' as a parameter to sed, which works fine on both the
mac and linux versions.
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
Now what we provide dynamic binaries for all plaforms,
we shouldn't try to run docker without udev sync support.
This change changes the previous warning to an Error,
unless the user explicitly overrides the warning, in
which case they're at their own risk.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Attach can hang forever if there is no data to send. This PR adds notification
of Attach goroutine about container stop.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Docker creates a UTS namespace by default, even with --net=host, so it
is reasonable to let the user set the hostname. Note that --hostname is
forbidden if the user specifies --uts=host.
Closes#12076
Signed-off-by: Jason Heiss <jheiss@aput.net>
This change centralizes the template manipulation in a single package
and adds basic string functions to their execution.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Update unit test and documentation to handle the new case where Username
is set to <token> to indicate an identity token is involved.
Change the "Password" field in communications with the credential helper
to "Secret" to make clear it has a more generic purpose.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This mechanism exchanges basic auth credentials for an identity token.
The identity token is used going forward to request scoped-down tokens
to use for registry operations.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Use token handler options for initialization.
Update auth endpoint to set identity token in response.
Update credential store to match distribution interface changes.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Dump from 1.10.1 has this fields.
Signed-off-by: Kanstantsin Shautsou <kanstantsin.sha@gmail.com>
Close and carry #20377
Include David's request
Signed-off-by: Mary Anthony <mary@docker.com>
On redhat based distribution, checking that USER_NS is compiled in the
kernel is not sufficient, we also have to check that the feature as
been enabled.
With this commit, it is now done by checking the content of
`/sys/module/user_namespace/parameters/enable`.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Previously docker used obsolete rfc3164 syslog format for syslog. rfc3164 explicitly
uses semicolon as a separator between 'TAG' and 'Content' section of the log message.
Docker uses semicolon as a separator between image name and version tag.
When {{.ImageName}} was used as a tag expression and contained ":" syslog parser mistreated
"tag" part of the image name as syslog message body, which resulted in incorrect "syslogtag" been reported by syslog
daemon.
Use of rfc5424 log format partually fixes the issue as it does not use semicolon as a separator.
However using default rfc5424 syslog format itroduces backward incompatability because rsyslog template keyword %syslogtag%
is parsed differently. In rfc3164 it uses the "TAG" part reported before the "pid" part. In rfc5424 it uses "appname" part reported
before the pid part, while tag part is introduced by %msgid% part.
For more information on rsyslog configuration properties see: http://www.rsyslog.com/doc/master/configuration/properties.html
Added two options to specify logging in either rfc5424, rfc3164 format or unix format omitting hostname in order to keep backwards compatability with
previous versions.
Signed-off-by: Solganik Alexander <solganik@gmail.com>
Removed unnecessary RUN statements and combined some of the RUN statement into a single line.
The runtime performance is seen as follows:
pre-change:
PASS: docker_cli_build_test.go:3826: DockerSuite.TestBuildUsersAndGroups
63.074s
post-change:
PASS: docker_cli_build_test.go:3826: DockerSuite.TestBuildUsersAndGroups
49.698s
Signed-off-by: Anil Belur <askb23@gmail.com>
Correct creation of a non-existing WORKDIR during docker build to use
remapped root uid/gid on mkdir
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
I can reproduce this easily on one of my servers,
`docker exec -ti my_cont ls` will not print anything,
without `-t` it acts normally.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Fixes: #20709
As discussed in the issue, we need refine the message to
help user more understood, what happened for non-exist image.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
This fix tries to improve the time to run TestRunUnshareProc
in #19425.
In this fix goroutines are used to run test cases in parallel to
prevent the test from taking a long time to run.
As the majority of the execution time in the tests is from
multiple executions of 'docker run' and each of which takes
several seconds, parallel executions improve the test time.
Since each 'docker run' is independent, the purpose of the
test is not altered in this fix.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Once thin pool gets full, bad things can happen. Especially in case of xfs
it is possible that xfs keeps on retrying IO infinitely (for certain kind
of IO) and container hangs.
One way to mitigate the problem is that once thin pool is about to get full,
start failing some of the docker operations like pulling new images or
creation of new containers. That way user will get warning ahead of time
and can try to rectify it by creating more free space in thin pool. This
can be done either by deleting existing images/containers or by adding more
free space to thin pool.
This patch adds a new option dm.min_free_space to devicemapper graph
driver. Say one specifies dm.min_free_space=10%. This means atleast
10% of data and metadata blocks should be free in pool before new device
creation is allowed, otherwise operation will fail.
By default min_free_space is 10%. User can change it by specifying
dm.min_free_space=X% on command line. A value of 0% will disable the
check.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
The documentation for Docker 1.10.2 (API version 1.22) mentions under
the "Create a container"[1] section that `HostConfig.Binds` can be given
a "container path" which will automatically "create a new volume for the
container."
I interpreted this to mean it that the following two commands should
have the same net result:
# Create container with data volume via REST API
curl --unix-socket /var/run/docker.sock -XPOST \
http://localhost/containers/create \
-H"Content-Type: application/json" \
-d'{
"Image": "<image-id>",
...
"HostConfig": {
"Binds": [
"/some/data/volume"
]
}
}'
# Create container with data volume via CLI
docker create -v /some/data/volume <image-id> <command>
However, this turned out not the be the case, as the former would create
a mount with no source and no corresponding volume:
...
"Mounts": [
{
"Source": "",
"Destination": "/some/data/volume",
"Driver": "local",
"Mode": "",
"RW": true,
"Propagation": "rprivate"
}
],
...
"Config": {
...
"Volumes": null,
...
}
...whereas the latter would create a volume and mount it:
...
"Mounts": [
{
"Name": "9b38af46d6..."
"Source": "/var/lib/docker/volumes/9b38af46d6.../_data",
"Destination": "/some/data/volume",
"Driver": "local",
"Mode": "",
"RW": true,
"Propagation": ""
}
],
...
"Config": {
...
"Volumes": {
"/some/data/volume": {}
},
...
}
However, if you instead specify the data volume via the `Volumes` key,
then it works as expected, e.g.
curl --unix-socket /var/run/docker.sock -XPOST \
http://localhost/containers/create \
-H"Content-Type: application/json" \
-d'{
"Image": "...",
...
"Volumes": {"/some/data/volume": {}}
}'
...will create a data volume and mount it.
Thus the documentation is either incorrect, or this is a bug and the
ability to create a data volume via `HostConfig.Binds` does not
work as advertised for API version 1.22 (and likely others).
I concluded that the documentation was incorrect. Since I've only
verified this behavior for Docker 1.10.2, I updated the docs for
API versions 1.22 and 1.23, but this may apply to other versions as
well.
[1] https://docs.docker.com/engine/reference/api/docker_remote_api_v1.22/#create-a-container
Signed-off-by: Shane da Silva <shane@dasilva.io>
On 32 bit x86 this is a multiplexing syscall for the system V
ipc syscalls such as shmget, and so needs to be allowed for
shared memory access for 32 bit binaries.
Fixes#20733
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
`docker stats --no-stream` always print zero values.
```
$ docker stats --no-stream
CONTAINER CPU % MEM USAGE / LIMIT MEM %
NET I/O BLOCK I/O
7f4ef234ca8c 0.00% 0 B / 0 B 0.00%
0 B / 0 B 0 B / 0 B
f05bd18819aa 0.00% 0 B / 0 B 0.00%
0 B / 0 B 0 B / 0 B
```
This commit will let docker client wait until it gets correct stat
data before print it on screen.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fixes an issue that caused the client to hang forever if the
process died before the code arrived to exit the `Kill` function.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Fixes a bug where a file would be created and not deleted in
DockerSuite.TestDaemonDiscoveryBackendConfigReload
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
The issue is armv6 released binaries are used as a GOROOT_BOOTSTRAP.
This might work on arm64 platforms that support 32-bit mode.
However not all arm64 platforms support 32-bit mode. 32-bit mode
is optional for ARMv8. So use gccgo as bootstrap.
The build image is bumped to use ubuntu wily.
Signed-off-by: Vijaya Kumar K <vijayak@caviumnetworks.com>
Only register a container once it's successfully started. This avoids a
race condition where the daemon is killed while in the process of
calling `libcontainer.Container.Start`, and ends up killing -1.
There is a time window where the container `initProcess` is not set, and
its PID unknown. This commit fixes the race Engine side.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Check whether or not the file system type of a mountpoint is aufs
by calling statfs() instead of parsing mountinfo. This assumes
that aufs graph driver does not allow aufs as a backing file
system.
Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
This PR fix the DockerSuite.TestBuildDockerignoringWildDirs test
in #19425.
Instead of having multiple RUN instructions in Dockerfile for every
single directory tested, this PR tries to collapse multiple RUN
instructions into one RUN instruction in Dockerfile.
When a docker image is built, each RUN instruction in Dockerfile
will generate one layer in history. It takes considerable amount of
time to build many layers if there are many RUN instructions within
the Dockerfile. Collapsing into one RUN instruction not only speeds
up the execution significantly, it also conforms to the general
guideline of the Dockerfile reference.
Since the test (DockerSuite.TestBuildDockerignoringWildDirs) is
really about testing the docker build with ignoring wild
directories, the purpose of the test is not altered with this PR
fix.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Allows users to submit options similar to the `mount` command when
creating a volume with the `local` volume driver.
For example:
```go
$ docker volume create -d local --opt type=nfs --opt device=myNfsServer:/data --opt o=noatime,nosuid
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This PR fix the DockerHubPullSuite.TestPullNonExistingImage test
in #19425. The majority of the execution time in this test is
from multiple executions of 'docker pull', each of which takes
more than one second even though it tries to pull a non-existing
image.
Without changing the behavior of the 'docker pull' itself, this
fix tries to execute the 'docker pull' command in parallel in
order to speed up the execution of the overall test.
Since each 'docker pull' is independent, executions in parallel
should not alter the purpose of the test.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Closes#20470
Before this PR we used to scan the entire build context when there were
exclusions in the .dockerignore file (paths that started with !). Now we
only traverse into subdirs when one of the exclusions starts with that dir
path.
Signed-off-by: Doug Davis <dug@us.ibm.com>
As drivername maybe "" in hostconfig, so we should not
directly print dirvername with var drivername,
instead, we use the real driver name property to print it.
Fixes: #20900
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Previously, Windows layer diffs were written using a Windows-internal
format based on the BackupRead/BackupWrite Win32 APIs. This caused
problems with tar-split and tarsum and led to performance problems
in implementing methods such as DiffPath. It also was just an
unnecessary differentiation point between Windows and Linux.
With this change, Windows layer diffs look much more like their
Linux counterparts. They use AUFS-style whiteout files for files
that have been removed, and they encode all metadata directly in
the tar file.
This change only affects Windows post-TP4, since changes to the Windows
container storage APIs were necessary to make this possible.
Signed-off-by: John Starks <jostarks@microsoft.com>
This change adds "KernelMemory" to the /info endpoint and
shows a warning if KernelMemory is not supported by the kernel.
This makes it more consistent with the other memory-limit
options.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This PR fix the DockerSuite.TestBuildHistory test in #19425.
It changes the base image from busybox into 'minimalBaseImage()'
and changes the RUN in Dockerfile into LABEL, which greatly
reduces the executation time.
Since the test (DockerSuite.TestBuildHistory) is really about
testing docker history, not about RUN in Dockerfile, the
purpose of the test is not altered.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Make sure credentials are removed from the store at logout (not only
in the config file). Remove not needed error check and auth erasing
at login (auths aren't stored anywhere at that point).
Add regression test.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
docker build is broken because it sends to the daemon the full
cliconfig file which has only Email(s). This patch retrieves all auth
configs from the credentials store.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Move the note more up, to prevent people from starting
the daemon with --userns-remap before touching the files.
Also clarify that these steps must be done *before* enabling
userns-remap and starting the daemon.
Also fixed some minor Markup formatting issues.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This changes the default transport for Windows from unencrypted TCP to
npipe. This is similar to how Linux runs with the unix socket transport by
default.
Signed-off-by: John Starks <jostarks@microsoft.com>
Retries after v1 fallbacks were added in #20411. The test still appears
to be flaky. There are two potential problems. The initial pull was not
protected against pulling from v1, so it could be giving us a different
hello-world image to compare against. Also, after experiencing a v1
fallback, we need to restore the original image before doing the next
pull, because otherwise the "Image is up to date for hello-world:latest"
message will not show up as expected.
See #17214.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Further differentiate the APIEndpoint used with V2 with the endpoint type which is only used for v1 registry interactions
Rename Endpoint to V1Endpoint and remove version ambiguity
Use distribution token handler for login
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Concurrent uploads which share layers worked correctly as of #18353,
but unfortunately #18785 caused a regression. This PR removed the logic
that shares digests between different push sessions. This overlooked the
case where one session was waiting for another session to upload a
layer.
This commit adds back the ability to propagate this digest information,
using the distribution.Descriptor type because this is what is received
from stats and uploads, and also what is ultimately needed for building
the manifest.
Surprisingly, there was no test covering this case. This commit adds
one. It fails without the fix.
See recent comments on #9132.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This allows a graph driver to provide a custom FileGetter for tar-split
to use. Windows will use this to provide a more efficient implementation
in a follow-up change.
Signed-off-by: John Starks <jostarks@microsoft.com>
This allows the test suite to be able to run without worrying about
the underlying fs used by the container running the daemon (e.g.
aufs-on-aufs), so long as the host running the container is running a
supported fs.
The volume will be cleaned up when the container is removed due to
`--rm`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This test is often failing on remote daemons. We tried many approaches
to fix it but none worked. In order to make the CI more reliable, this
will skip the test when running against a remote daemon (e.g. win2lin).
Signed-off-by: Tibor Vass <tibor@docker.com>
These were left-overs from the now deprecated
and removed functionality to registrer a new account
through "docker login"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use of "Set ..." and "Specify ..." are removed in favor of directly
using nouns.
Also:
- add description for `run --isolation`
- reduce description of `run --shm-size`
- fix `daemon --bip` argument handling
Signed-off-by: Vincent Bernat <vincent@bernat.im>
* Remvoe integration test of TestDaemonStartWithDaemonCommand
* Rewrite as unit test
Related issue #19425
Signed-off-by: Wen Cheng Ma <wenchma@cn.ibm.com>
This removes the email prompt when you use docker login, and also removes the ability to register via the docker cli. Docker login, will strictly be used for logging into a registry server.
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
In situations where a client is called like `docker stats` with no
arguments or flags, if a container which was already created but not
started yet is then subsequently started it will not be added to the
stats list as expected.
Also splits some of the stats helpers to a separate file from the stats
CLI which is already quite long.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This change implements communication with an external credentials store,
ala git-credential-helper. The client falls back the plain text store,
what we're currently using, if there is no remote store configured.
It shells out to helper program when a credential store is
configured. Those programs can be implemented with any language as long as they
follow the convention to pass arguments and information.
There is an implementation for the OS X keychain in https://github.com/calavera/docker-credential-helpers.
That package also provides basic structure to create other helpers.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Corrected titles to use title case. Added link to default.json and some numerical detail. Changed example JSON to a portion of the actual default file, with the correct defaultAction.
Signed-off-by: Steven Iveson <steven.iveson@infinityworks.com>
During "COPY" or other tar unpack operations, a target/destination
parent dir might not exist and should be created with ownership of the
root in the right context (including remapped root when user namespaces
are enabled)
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Subscribe to events and monitor for new containers before the initial
listing of currently running containers.
This fixes a race where a new container could appear between the first
list call but before the client was subscribed to events, leading to a
container never appearing in the output of `docker stats`.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
* users don't have to create an google account for using the google groups. They
can simply email to e.g. "docker-user+subscribe@googlegroups.com" to
subscribe.
* since this behavior is not mentioned on the google group website, i think its
a good idea to explain this method here.
Signed-off-by: toogley <toogley@mailbox.org>
Unlike the untrusted push without an explicit tag will push all
tags for that repo, the trusted push would expect an explicit tag.
So that the code that attempts to do smart logic around signing multiple
tags should be removed.
Signed-off-by: Hu Keping <hukeping@huawei.com>
This improves on an earlier change by adding another keyserver and using a for loop instead of duplicating the command
Signed-off-by: Mike Dougherty <mike.dougherty@docker.com>
Stop using global variables as prefixes to inject the writer header.
That can cause issues when two writers set the length of the buffer in
the same header concurrently.
Stop Writing to the internal buffer twice for each write. This could
mess up with the ordering information is written.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Moving all strings to the errors package wasn't a good idea after all.
Our custom implementation of Go errors predates everything that's nice
and good about working with errors in Go. Take as an example what we
have to do to get an error message:
```go
func GetErrorMessage(err error) string {
switch err.(type) {
case errcode.Error:
e, _ := err.(errcode.Error)
return e.Message
case errcode.ErrorCode:
ec, _ := err.(errcode.ErrorCode)
return ec.Message()
default:
return err.Error()
}
}
```
This goes against every good practice for Go development. The language already provides a simple, intuitive and standard way to get error messages, that is calling the `Error()` method from an error. Reinventing the error interface is a mistake.
Our custom implementation also makes very hard to reason about errors, another nice thing about Go. I found several (>10) error declarations that we don't use anywhere. This is a clear sign about how little we know about the errors we return. I also found several error usages where the number of arguments was different than the parameters declared in the error, another clear example of how difficult is to reason about errors.
Moreover, our custom implementation didn't really make easier for people to return custom HTTP status code depending on the errors. Again, it's hard to reason about when to set custom codes and how. Take an example what we have to do to extract the message and status code from an error before returning a response from the API:
```go
switch err.(type) {
case errcode.ErrorCode:
daError, _ := err.(errcode.ErrorCode)
statusCode = daError.Descriptor().HTTPStatusCode
errMsg = daError.Message()
case errcode.Error:
// For reference, if you're looking for a particular error
// then you can do something like :
// import ( derr "github.com/docker/docker/errors" )
// if daError.ErrorCode() == derr.ErrorCodeNoSuchContainer { ... }
daError, _ := err.(errcode.Error)
statusCode = daError.ErrorCode().Descriptor().HTTPStatusCode
errMsg = daError.Message
default:
// This part of will be removed once we've
// converted everything over to use the errcode package
// FIXME: this is brittle and should not be necessary.
// If we need to differentiate between different possible error types,
// we should create appropriate error types with clearly defined meaning
errStr := strings.ToLower(err.Error())
for keyword, status := range map[string]int{
"not found": http.StatusNotFound,
"no such": http.StatusNotFound,
"bad parameter": http.StatusBadRequest,
"conflict": http.StatusConflict,
"impossible": http.StatusNotAcceptable,
"wrong login/password": http.StatusUnauthorized,
"hasn't been activated": http.StatusForbidden,
} {
if strings.Contains(errStr, keyword) {
statusCode = status
break
}
}
}
```
You can notice two things in that code:
1. We have to explain how errors work, because our implementation goes against how easy to use Go errors are.
2. At no moment we arrived to remove that `switch` statement that was the original reason to use our custom implementation.
This change removes all our status errors from the errors package and puts them back in their specific contexts.
IT puts the messages back with their contexts. That way, we know right away when errors used and how to generate their messages.
It uses custom interfaces to reason about errors. Errors that need to response with a custom status code MUST implementent this simple interface:
```go
type errorWithStatus interface {
HTTPErrorStatusCode() int
}
```
This interface is very straightforward to implement. It also preserves Go errors real behavior, getting the message is as simple as using the `Error()` method.
I included helper functions to generate errors that use custom status code in `errors/errors.go`.
By doing this, we remove the hard dependency we have eeverywhere to our custom errors package. Yes, you can use it as a helper to generate error, but it's still very easy to generate errors without it.
Please, read this fantastic blog post about errors in Go: http://dave.cheney.net/2014/12/24/inspecting-errors
Signed-off-by: David Calavera <david.calavera@gmail.com>
The execdriver pipes setup uses OS pipes with fds so that they can be
chown'ed to the remapped root user for proper access. Recent flakiness
in certain short-lived tests (usually via the "exec" path) reveals that
the copy routines are not completing before exit/tear-down.
This fix adds synchronization and proper closure such that these
routines exit successfully.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
We generally want to filter the personality(2) syscall, as it
allows disabling ASLR, and turning on some poorly supported
emulations that have been the target of CVEs. However the use
cases for reading the current value, setting the default
PER_LINUX personality, and setting PER_LINUX32 for 32 bit
emulation are fine.
See issue #20634
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Since Docker is already skipping newlines in /etc/sub{uid,gid},
this patch skips commented out lines - otherwise Docker fails to start.
Add unit test also.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This will allow us to have a windows-to-linux CI, where the linux host
can be anywhere, connecting with TLS.
Signed-off-by: Tibor Vass <tibor@docker.com>
We need to add delegate yes to docker's service file so that it can
manage the cgroups of the processes that it launches without systemd
interfering with them and moving the processes after it is reloaded.
```
Delegate=
Turns on delegation of further resource control partitioning to
processes of the unit. For unprivileged services (i.e. those
using the User= setting), this allows processes to create a
subhierarchy beneath its control group path. For privileged
services and scopes, this ensures the processes will have all
control group controllers enabled.
```
This is the proper fix for issue #20152
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Instead of using a process expansion to feed the right arguments to
docker to run on "mh-keystore", just moves up the next step which makes
"mh-keystore" the default target. This makes the guide a bit shorter and
easier to understand.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
This enhancement is to fix the wrong list results on
`docker ps` before and since filters specifying the non-running container.
Fixes issue #20431
Signed-off-by: Wen Cheng Ma <wenchma@cn.ibm.com>
Based on the discussion, we have changed the following:
1. Send body only if content-type is application/json (based on the
Docker official daemon REST specification, this is the provided for all
APIs that requires authorization.
2. Correctly verify that the msg body is smaller than max cap (this was
the actual bug). Fix includes UT.
3. Minor: Check content length > 0 (it was -1 for load, altough an
attacker can still modify this)
Signed-off-by: Liron Levin <liron@twistlock.com>
Because devices will be bind-mounted instead of using `mknod`, we need
to make sure the source exists and filter the list by only those whose
source is a valid path/current device entry.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Attempt layer mounts from up to 3 source repositories, possibly
falling back to a standard blob upload for cross repository pushes.
Addresses compatiblity issues with token servers which do not grant
multiple repository scopes, resulting in an authentication failure for
layer mounts, which would otherwise cause the push to terminate with an
error.
Signed-off-by: Brian Bland <brian.bland@docker.com>
There are five options 'debug' 'labels' 'cluster-store' 'cluster-store-opts'
and 'cluster-advertise' that can be reconfigured, configure any of these
options should not affect other options which may have configured in flags.
But this is not true, for example, I start a daemon with -D to enable the
debugging, and after a while, I want reconfigure the 'label', so I add a file
'/etc/docker/daemon.json' with content '"labels":["test"]' and send SIGHUP to daemon
to reconfigure the daemon, it work, but the debugging of the daemon is also diabled.
I don't think this is a expeted behaviour.
This patch also have some minor refactor of reconfiguration of cluster-advertiser.
Enable user to reconfigure cluster-advertiser without cluster-store in config file
since cluster-store could also be already set in flag, and we only want to reconfigure
the cluster-advertiser.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
In cases where the a plugin responds with both a null or empty volume
and a null or empty Err, the daemon would panic.
This is because we assumed the idiom if `err` is nil, then `v` must not
be but in reality the plugin may return whatever it wants and we want to
make sure it doesn't harm the daemon.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Just some suggested wording to update this page to take account of User Namespaces being available as of 1.10.
Signed-off-by: Rory McCune <rorym@mccune.org.uk>
Add a check in `check-config.sh` to see if we are running on a RHEL7 or
CentOS7 system, which may report that CONFIG_USERNS is OK/enabled, but
user namespaces still won't work because of the experimental feature
flag added by Redhat.
This will add a warning if it is actually disabled and notes what has to
be added to the grub/boot command line to enable it.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
The Releases file(s) and other bits for EOL-ed distros such as Ubuntu
Vivid should remain untouched when we are releasing debs.
However, few files in https://apt.dockerproject.org/repo/dists/ubuntu-vivid/
were being updated for the docker 1.10 release including the Release files.
This is due to apt-ftparchive generating index files for vivid as well,
due to the stale apt-ftparchive.conf
This change always creates config using suites in contrib/reprepro/suites.sh.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
If cgroup swap memory limit isn't enabled, then
the -m flag doesn't work and the container that is created for
both of these tests is very large. Because we are trying to run the
containers out of memory, this takes a very long time and causes the
tests to fail most of the time.
Follow-up to #17913
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
The container started with `-d` as part of the test requires a `waitRun`
to ensure it is actually running before attempting any other operation.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
When checking if we have the development files for libsystemd's journal
APIs, check for either 'libsystemd >= 209' and 'libsystemd-journal'. If
we find 'libsystemd', define the 'journald' tag, which defaults to using
the 'libsystemd.pc' file. If we find the older 'libsystemd-journal',
define both the 'journald' and 'journald_compat' tags, which causes the
'libsystemd-journal.pc' file to be consulted instead.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
- Allow to filter containers by volume with `--filter volume=name` and `filter volume=/dest`.
- Show their names in the list with the custom format `{{ .Mounts }}`.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Now that the various fixes are all committed, let's see if this gets
less flaky now.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Add `--restart` flag for `update` command, so we can change restart
policy for a container no matter it's running or stopped.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
The restarts in the authz plugin test suite seems to be causing
flakiness in CI, and can be avoided by separating the daemon start and
busybox image load.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
When the value for a configuration option in the file is `false`,
and the default value for a flag is `true`, we should not
take the value from the later as final value for the option,
because the user explicitly set `false`.
This change overrides the default value in the flagSet with
the value in the configuration file so we get the correct
result when we merge the two configurations together.
Signed-off-by: David Calavera <david.calavera@gmail.com>
This picks up the change for `Content-Type` which will help solve issues
with authz plugins.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
- Order the flow of the handlers more cleanly--read req, do actions,
write response.
- Add "always allowed" endpoints to handle `/_ping` and `/info` usage
from the test framework/daemon start/restart management
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
When execute `docker export -o path xxx` and path is a directory docker
has no privilege to write to, daemon will print lots of error logs that
most of them are duplicated and redundant.
This will remove unnecessary error logs and print only once.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This corrects `docker cp` behavior when user namespaces are enabled.
Instead of chown'ing copied-in files to real root (0,0), the code
queries for the remapped root uid & gid and sets the chown option
properly.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Since channel is getting a send instead of a close now, this can cause
random issues ranging through the list of channels if the channel is
unbuffered since the send may be blocked.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- It reverts fa163f5619 plus a small change
in order to allow passing the global scope datastore
to libnetwork after damon boot.
Signed-off-by: Alessandro Boch <aboch@docker.com>
There is a missing call to Close on the gzip.Writer that is used to
compress newly created tar-split files during layer migration. This can
result in corrupt tar-split files that later cause docker push and
docker save to fail. The Close call is necessary to flush buffered data
to the stream.
Fixes: #20104
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Seccomp is only *compiled* in binaries built for
distros that ship with seccomp 2.2.1 or higher,
and in the static binaries.
The static binaries are not really useful for
RHEL and CentOS, because devicemapper does
not work properly with the static binaries,
so static binaries is only an option for Ubuntu
and Debian.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows easier URL handling in code that uses APIEndpoint.
If we continued to store the URL unparsed, it would require redundant
parsing whenver we want to extract information from it. Also, parsing
the URL earlier should give improve validation.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When linking, position of `-l` flags is important since
they muse come _after_ any object files which uses symbols
from a specified library, that is due to --as-needed binutils
ld flag enabled by default
Signed-off-by: Maxim Ivanov <ivanov.maxim@gmail.com>
Sometimes transient network issues will cause
TestPullFromCentralRegistryImplicitRefParts to end up pulling with the
v1 protocol. This violates the assumptions behind the test. To make the
test more robust, allow a few retries if any pull ends up using the v1
protocol.
Fixes#17214
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
benchmark old ns/op new ns/op delta
BenchmarkPubSub-8 1036494796 1032443513 -0.39%
benchmark old allocs new allocs delta
BenchmarkPubSub-8 2467 1441 -41.59%
benchmark old bytes new bytes delta
BenchmarkPubSub-8 212216 187792 -11.51%
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Also changes missing storage layer for container
RWLayer to a soft failure.
Fixes#20147
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 2798d7a6a6)
This adds verification for getting layer data out
of layerstore. These failures should only be possible
if layer metadata files have been manually changed
of if something is wrong with tar-split algorithm.
Failing early makes sure we don’t upload invalid data
to the registries where it would fail after someone
tries to pull it.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit e29e580f7f)
It is not longer used by us, so hack/vendor.sh complains because it
removes unused files (but also complains about removing an entire
vendored project).
Signed-off-by: Aleksa Sarai <asarai@suse.com>
pkg/filenotify isn't used anymore and it causes problems with
hack/vendor.sh (nothing uses it, so hack/vendor.sh will remove the
vendored code).
Signed-off-by: Aleksa Sarai <asarai@suse.com>
Fixes: #20328
We sort network ls output with incresing order,
it may make output more easy to consume for users.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
If user specifies --read-only flag it should not effect /dev/mqueue.
This is causing SELinux issues in docker-1.10. --read-only blows up
on SELinux enabled machines. Mounting /dev/mqueue read/only would also
blow up any tool that was going to use /dev/mqueue.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
inotify event is trigged immediately there's data written to disk.
But at the time that the inotify event is received, the json line might
not fully saved to disk. If the json decoder tries to decode in such
case, an io.UnexpectedEOF will be trigged.
We used to retry for several times to mitigate the io.UnexpectedEOF error.
But there are still flaky tests caused by the partial log entries.
The daemon knows exactly when there are new log entries emitted. We can
use the pubsub package to notify all the log readers instead of inotify.
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
try to fix broken test. will squash once tests pass
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
Ubuntu ships apparmor_parser 2.9 erroniously as "2.8.95". Fix the
incorrect version check for >=2.8, when in fact 2.8 deosn't support the
required feature.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
Using {{if major}}{{if minor}} doesn't work as expected when the major
version changes. In addition, this didn't support patch levels (which is
necessary in some cases when distributions ship apparmor weirdly).
Signed-off-by: Aleksa Sarai <asarai@suse.com>
* Add network mode `none` to list of possible values for API version 1.15 - 1.23
* For API version 1.21 - 1.23 add explanation that any other value is taken as a custom network's name
Signed-off-by: Roland Huß <roland@jolokia.org>
Fixes broken-pipe issue when piping s3cmd to grep -q, by removing the -q
flag and redirecting to /dev/null instead.
Add net-tools for ifconfig, because some tests rely on ifconfig.
Harmonize all Dockerfiles in this direction.
Signed-off-by: Tibor Vass <tibor@docker.com>
With the --insecure-registry daemon option (or talking to a registry on
a local IP), the daemon will first try TLS, and then try plaintext if
something goes wrong with the push or pull. It doesn't make sense to try
plaintext if a HTTP request went through while using TLS. This commit
changes the logic to keep track of host/port combinations where a TLS
attempt managed to do at least one HTTP request (whether the response
code indicated success or not). If the host/port responded to a HTTP
using TLS, we won't try to make plaintext HTTP requests to it.
This will result in better error messages, which sometimes ended up
showing the result of the plaintext attempt, like this:
Error response from daemon: Get
http://myregistrydomain.com:5000/v2/: malformed HTTP response
"\x15\x03\x01\x00\x02\x02"
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Ideally I would love to just remove this check entirely because its
seems pretty useless. An old client talking to a new server isn't
an error condition, nor is it something to even worry about - its a normal
part of life. Flooding my screen (and logs) with a warning that isn't
something I (as an admin) need to be concerned about is silly and a
distraction when I need to look for real issues. If anything this should
be printed on the cli not the daemon since its the cli that needs to be
concerned, not the daemon.
However, since when you debug an issue it might be interesting to know the
client is old I decided to pull back a little and just change it from
a Warning to a Debug logrus call instead.
If others want it removed I still do that though :-)
Signed-off-by: Doug Davis <dug@us.ibm.com>
In Docker 1.10 and earlier, "docker build" can do a build FROM a private
repository that hasn't yet been pulled. This doesn't work on master. I
bisected this to https://github.com/docker/docker/pull/19414.
AuthConfigs is deserialized from the HTTP request, but not included in
the builder options.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
* Codified example container names
* Emphasised 'link' vs 'legacy link' (instead of using code markup)
* Add a missing ``` for a code example
Signed-off-by: Roland Huß <roland@jolokia.org>
Several improvements to error handling:
- Introduce ImageConfigPullError type, wrapping errors related to
downloading the image configuration blob in schema2. This allows for a
more descriptive error message to be seen by the end user.
- Change some logrus.Debugf calls that display errors to logrus.Errorf.
Add log lines in the push/pull fallback cases to make sure the errors
leading to the fallback are shown.
- Move error-related types and functions which are only used by the
distribution package out of the registry package.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
A few libnetwork integration tests require that the kernel be configured
with the "dummy" network interface and has the module loaded. However,
the dummy module is not available by default on arm images. This ensures
that it is built and loaded.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Progress toward being able to run integration-cli campaign using a
client hitting a remote host.
Most of these fixes imply flagging tests that assume they are running on
the same host than the Daemon. Also fixes the `contrib/httpserver` image
that couldn't run because of a dynamically linked Go binary inside the
busybox image.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
I was confused for the longest time on how to actually use and make requests against the remote API, so I think that it might help for those getting started with it to know how to actually test it out via curl. I added in parts on how to access the remote API via curl against the default unix socket, and also on how to configure the docker daemon to expose the API on a TCP port as well if desired.
Signed-off-by: Michelle Liu <michelle@michelleliu.io>
Fixes issues with layer remounting (e.g. a running container which then
has `docker cp` used to copy files in or out) by applying the same
refcounting implementation that exists in other graphdrivers like
overlay and aufs.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This fixes an issue where `docker run -v foo:/bar --volume-driver
<remote driver>` -> daemon restart -> `docker run -v foo:/bar` would
make a `local` volume after the restart instead of using the existing
volume from the remote driver.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
updated cloud install example per Olivier's comments, added better command examples
updates per @thaJeztah comments
fixed links per @theJeztah comments, renamed cloud.md to overview.md for better URL name
updates per @moxiegirl comments, added alias for renamed file, modified links, changed a title
fixed link errors
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
This PR makes restores the pre-Docker 1.10 behavior of allowing
uppercase characters in registry hostnames.
Note that this only applies to hostnames, not remote image names.
Previous versions also prohibited uppercase letters after the hostname,
but Docker 1.10 extended this to the hostname itself.
- Vendor updated docker/distribution.
- Add a check to "normalize" that rejects remote names with uppercase
letters.
- Add test cases to TestTagValidPrefixedRepo and
TestTagInvalidUnprefixedRepo
Fixes: #20056
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
It is difficult to gather information about docker volumes command
without a parent man page.
This man page attempts to explain docker volumes and then references
the command man pages.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This removes two tests on ppc64le.
There is an old bug with a syscall on power #8653, that causes
logrus to default to using logfmt. These two tests look for
logrus format specific strings, and fail if they don't see it.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Since we now automatically mount the mqueue device inside the
container (instead of bind mounting the one from the host), when
trying to start a container with --ipc=host, the mount will fail with
EPERM.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Currently, when running a container with --ipc=host, if /dev/mqueue is
a standard directory on the hos the daemon will bind mount it allowing
the container to create/modify files on the host.
This commit forces /dev/mqueue to always be of type mqueue except when
the user explicitely requested something to be bind mounted to
/dev/mqueue.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This feels like it's where it belongs and it makes it exported
again (which is needed for libcompose that was using it before 1.10).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Filters should not include stopped container if `-a` is not specified.
Right now, before and since filter are acting as --before and --since
deprecated flags. This commit is fixing that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Save was failing file integrity checksums due to bugs in both
Windows and Docker. This commit includes fixes to file time handling
in tarexport and system.chtimes that are necessary along with
the Windows platform fixes to correctly support save. With this
change, sysfile_backups for windowsfilter driver are no longer
needed, so that code is removed.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
This is done by moving the following types to api/types/config.go:
- ContainersConfig
- ContainerAttachWithLogsConfig
- ContainerWsAttachWithLogsConfig
- ContainerLogsConfig
- ContainerStatsConfig
Remove dependency on "version" package from types.ContainerStatsConfig.
Decouple the "container" router from the "daemon/exec" implementation.
* This is done by making daemon.ContainerExecInspect() return an interface{}
value. The same trick is already used by daemon.ContainerInspect().
Improve documentation for router packages.
Extract localRoute and router into separate files.
Move local.router to image.imageRouter.
Changes:
- Move local/image.go to image/image_routes.go.
- Move local/local.go to image/image.go
- Rename router to imageRouter.
- Simplify imports for image/image.go (remove alias for router package).
Merge router/local package into router package.
Decouple the "image" router from the actual daemon implementation.
Add Daemon.GetNetworkByID and Daemon.GetNetworkByName.
Decouple the "network" router from the actual daemon implementation.
This is done by replacing the daemon.NetworkByName constant with
an explicit GetNetworkByName method.
Remove the unused Daemon.GetNetwork method and the associated constants NetworkByID and NetworkByName.
Signed-off-by: Lukas Waslowski <cr7pt0gr4ph7@gmail.com>
Signed-off-by: David Calavera <david.calavera@gmail.com>
The obscure `case "${words[$cword-2]}$prev=" in` idiom is no
longer used for key specific completions in options with map values.
The `__docker_map_key_of_current_option()` function does a much
better job.
Signed-off-by: Harald Albers <github@albersweb.de>
This is a refactoring in preparation of cleaning up the handling
of key specific subcompletions.
The new `__docker_map_key_of_current_option()` function will be used
instead of the `__docker_map_key_of_current_option()` idiom in the
following commit.
As this function is very specific, checks using it should be executed
before those checking for `$prev`.
This commit just moves the checks without any modification.
Signed-off-by: Harald Albers <github@albersweb.de>
On migration 2 different images can end up with same
content addressable ID, meaning `SetParent` will be called
multiple times. Previous version did not clear the old
in-memory reference.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
To support the requirement of blocking the request after the daemon
responded the authorization plugin use a `response recorder` that replay
the response after the flow ends.
This commit adds support for commands that hijack the connection and
flushes data via the http.Flusher interface. This resolves the error
with the event endpoint.
Signed-off-by: Liron Levin <liron@twistlock.com>
Fix root directory of the mountpoint being owned by real root. This is
unique to ZFS because of the way file mountpoints are created using the
ZFS tooling, and the remapping that happens at layer unpack doesn't
impact this root (already created) holding directory for the layer.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
mqueue can not be mounted on the host os and then shared into the container.
There is only one mqueue per mount namespace, so current code ends up leaking
the /dev/mqueue from the host into ALL containers. Since SELinux changes the
label of the mqueue, only the last container is able to use the mqueue, all
other containers will get a permission denied. If you don't have SELinux protections
sharing of the /dev/mqueue allows one container to interact in potentially hostile
ways with other containers.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Bump both API and VERSION directly after the release
branch is created. All changes to master after that
are (by default) for the *next* release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
filepath.Clean converts filenames to filenames with native path
separators. Use ToSlash to normalize.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
For btrfs driver, in d.Create(), Get() of parentDir is called but not followed
by Put().
If we apply SElinux mount label, we need to mount btrfs subvolumes in d.Get(),
without a Put() would end up with a later Remove() failure on
"Device resourse is busy".
This calls the subvolume helper function directly in d.Create().
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
This PR adds support for using the DOCKER_BUILD_PKGS env var to
better help defining what packege to build. It also adds support
for the integration-daemon so we can run it as a bundle.
Signed-off-by: Paul Liljenberg <liljenberg.paul@gmail.com>
add directory test
Adds missing directory test. This helps verifying that
DOCKER_BUILD_PKGS is a directory and exists before continueing.
Signed-off-by: Paul Liljenberg <liljenberg.paul@gmail.com>
fix indent
Signed-off-by: Paul Liljenberg <liljenberg.paul@gmail.com>
This came in with the Windows CI work and I assume was meant for local
debug, but adds a bare printf line to the test output.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Fix error message for `--net container:b` and `--ipc container:b`,
container `b` is a restarting container.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
When the daemon shutdown ungracefully, it will left the running
containers' rootfs still be mounted. This will cause some error
when trying to remove the containers.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Avoid using the `/info` endpoint in the `login` and `logout` workflows
when the Registry endpoint is overriden by the user through the command
line.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
This is similar to the version in the registry package, but uses the
daemon's default index (as opposed to the default for the client's
platform) if using the "official index".
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This reverts commit 84b2162c1a.
The intent of this commit was to set an idle timeout on a HTTP
connection. If a read took more than 60 seconds to complete, or a write
took more than 60 seconds to complete, the connection would be
considered dead.
This doesn't work properly, because the HTTP internals apparently read
from the connection concurrently while writing. An upload that doesn't
complete in 60 seconds leads to a timeout.
Fixes#19967
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
duplicate dot in user namespaces error message:
$ docker run -ti --net=host ubuntu /bin/bash
docker: Error response from daemon: Cannot share the host or a
container's network namespace when user namespaces are enabled..
Signed-off-by: Liron Levin <liron@twistlock.com>
Currently some commands including `kill`, `pause`, `restart`, `rm`,
`rmi`, `stop`, `unpause`, `udpate`, `wait` will print a lot of error
message on client side, with a lot of redundant messages, this commit is
trying to remove the unuseful and redundant information for user.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
updated line on how to exit the container after the ping test - in my environment (Ubuntu 14.04.1, bash) ctrl-c does not work to exit the shell, and `exit` must be used instead.
Signed-off-by: Troy Denton <Troy.Denton@younessleeptechnologies.com>
In new content addressable model, image no longer
have virtual size column, it is now 'size'. So we
need to update related docs about them.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
After exec driver run, container lock is lost, so we should lock
container when changing its state to `restarting`
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This adds an npipe protocol option for Windows hosts, akin to unix
sockets for Linux hosts. This should become the default transport
for Windows, but this change does not yet do that.
It also does not add support for the client side yet since that
code is in engine-api, which will have to be revendored separately.
Signed-off-by: John Starks <jostarks@microsoft.com>
This update changes the way hcsshim invokes Windows DLLs to avoid races
with the garbage collector. It also now uses go-winio to access the
pipes used for communication with processes running in the container;
this reduces the number of threads used by docker.exe, improving
scalability.
Signed-off-by: John Starks <jostarks@microsoft.com>
Use a daemon-defined Registry URL for `docker login`. This allows a
Windows client interacting with a Linux daemon to properly use the
default Registry endpoint instead of the Windows specific one.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Currently, daemonbuilder package (part of daemon) implemented the
builder backend. However, it was a very thin wrapper around daemon
methods and caused an implementation dependency for api/server build
endpoint. api/server buildrouter should only know about the backend
implementing the /build API endpoint.
Removing daemonbuilder involved moving build specific methods to
respective files in the daemon, where they fit naturally.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Previously, this check only worked if no host was specified and was
hard coded to check for "/var/run/docker.sock"
This change generalizes that check and captures any specified socket
and waits for it to be created.
Caveat: This will only check the first socket specified, but it is an
improvement over none at all.
Fixes#185160
Signed-off-by: Andrew Guenther <guenther.andrew.j@gmail.com>
Most storage drivers call graphdriver.GetFSMagic(home),
it is more clean to easy to maintain. So btrfs need to
adopt such change.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
This is add support for #19559
We tried sort it in client side, and it sort follow go
sort : sorts a slice of strings in increasing order.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Updated documentation to reflect the new State property in the inspect remote api
Updated API changes for 1.23
Signed-off-by: Marius Gundersen <me@mariusgundersen.net>
Adding changes requested by @jamtur01 and wrapping to 80 chars
Adding typo fixes and replacing tabs with 4xspaces
Closes and fixes#19240
Updating with content addressable storage model changes
Signed-off-by: Nigel <nigelpoulton@hotmail.com>
SetMaxThreads from runtime/debug in Golang is called to set max threads
value to 90% of /proc/sys/kernel/threads-max
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
`Upload` already closes the reader returned by `compress` and the
progressreader passed into it, before returning. But even so, the
io.Copy inside compress' goroutine needs to attempt a read from the
progressreader to notice that it's closed, and this read has a side
effect of outputting a progress message. If this happens after `Upload`
returns, it can result in a write to a closed channel. Change `compress`
to return a channel that allows the caller to wait for its goroutine to
finish before freeing any resources connected to the reader that was
passed to it.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This PR moves the testRequires check from within setupRegistry
and setupNotary to when the Suite itself starts up.
This fixes a bug where testRequires() in setupRegistry() would
succeed and start registry, but testRequires() in setupNotary()
would fail. This immediately exits the goroutine with registry
still running.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
1. Replace raw `docker inspect -f xxx` with `inspectField`, to make code
cleaner and more consistent
2. assert the error in function `inspectField*` so we don't need to
assert the return value of it every time, this will make inspect easier.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
With this patch, the client blocks this type login, no sending
useless messages to daemon and registry. This saves lots of time.
Signed-off-by: Liu Hua <sdu.liu@huawei.com>
Right now in ubuntu section, instruction is not consistent
for sudo, so it is better to keep it style same.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
There is a weird behavior where we don't ask for a password
when the user you type in the prompt is the same you have configured
in the config file.
This is the source of many frustrations and also a bug.
If the authentication with a registry fails because the password
is incorrect, we won't ask for the password again with the current logic.
With this change, we also stop calling `CmdLogin` directly when
authentication fails. We don't need to parse flags from the cli or
setting up input destriptiors again, like the current behavior is doing.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Add `runSleepingContainer` and `runSleepingContainerInImage` helper
functions to factor out the way to run system-specific idle containers.
Define a sleeping container as command `top` in image `busybox` for
Unix and as command `sleep 60` in image `busybox` for Windows. Provide a
single point of code to update those.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
The restart container has already prepared the mountpoint, there is
no need to do that again. This can speed up the daemon start if
the restart container has a volume and the volume driver is not
available.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Remove the `-a` build flag and introduce `-i` in order to reuse
previously compiled dependencies.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Currently if we exec a restarting container, client will fail silently,
and daemon will print error that container can't be found which is not a
very meaningful prompt to user.
This commit will stop user from exec a restarting container and gives
more explicit error message.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Fixing the links
Updating with Seb's comments
Adding weight
Fixing the engine aliases
Updating after Arun pushed
Removing empty file
Signed-off-by: Mary Anthony <mary@docker.com>
Fixes#14203
This bump fixes the issue of having the container's pipes connection
reset by peer because of using the json.Encoder and having a \n added to
the output.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
We cannot rely on the tar command for this type of operation because tar
versions, flags, and functionality can very from distro to distro.
Since this is in the container execution path it is not safe to have
this as a dependency from dockers POV where the user cannot change the
fact that docker is adding these pre and post mount commands.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Otherwise, some operations can get stuck indefinitely when the remote
side is unresponsive.
Fixes#12823
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This will only trim off the last '-' separated token to be checked for
RC status. This allows including a 'cs#' token in the version string.
Signed-off-by: Mike Dougherty <mike.dougherty@docker.com>
daemon cache was getting the whole image map and then iterating through
it to find children. This information is already stored in the image
store.
Prior to this change building the docker repo with a full cache took 30
seconds.
After it takes between 15 seconds or less (As low as 9 seconds).
This is an improvement on docker 1.9.1 which hovered around 17 seconds.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
A watcher would output the current progress item when it was detached,
in case it missed that item earlier, which would leave the user seeing
some intermediate step of the operation. This commit changes it to only
output it on detach if it didn't already output the same item.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This removes all references to InitPath and InitSha1, as well as pulling
in a few other minor engine-api fixes.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
User call `Start` could with args, and the args could
contains `--storage-driver`, but in `Start`, it will add
`--storage-driver` even though user has specified `--storage-driver`
in args.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
While the documentation is very patchy on dockerinit, remove all
references in packaging documentation to the now purged dockerinit.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
dockerinit has been around for a very long time. It was originally used
as a way for us to do configuration for LXC containers once the
container had started. LXC is no longer supported, and /.dockerinit has
been dead code for quite a while. This removes all code and references
in code to dockerinit.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
https://github.com/docker/libnetwork/pull/810 provides the more complete
solution for moving the Port-mapping ownership away from endpoint and
into Sandbox. But, this PR makes the best use of existing libnetwork
design and get a step closer to the gaol.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Currently, the temporary file storing downloaded layer data is only
removed after a successful download or a digest verification error. A
transport-level error does not cause it to be removed. This is a
regression from 1.9 that could cause disk usage to grow until the Docker
daemon is restarted.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Also, add "libsystemd-journal-dev" to the explicit list (which is what prompted the change in how we install).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Things could go wrong if Watch was called after the last existing
watcher was released. The call to Watch would succeed even though it was
not really adding a watcher, and the corresponding call to Release would
close hasWatchers a second time.
The fix for this is twofold:
1. We allow transfers to gain new watchers after the watcher count has
touched zero. This means that the channel returned by Released should
not be closed until all watchers have been released AND the transfer is
no longer tracked by the transfer manager, meaning it won't be possible
for additional calls to Watch to race with closing the channel returned
by Released.
The Transfer interface has a new method called Close so the transfer can
know when the transfer manager no longer references it.
Remove the Cancel method. It's not used and should not be exported.
2. Even though (1) makes it possible to add watchers after all the
previous watchers have been released, we want to avoid doing this in
practice. A transfer that has had all its watchers released is in the
process of being cancelled, and attaching to one of these will never be
the correct behavior. Add a check if a watcher is attaching to a
cancelled transfer. In this case, wait for the transfer to be removed
from the map and try again. This will ensure correct behavior when a
watcher tries to attach during the race window.
Either (1) or (2) should be sufficient to fix the race involved here,
but the combination is the most correct approach. (1) fixes the
low-level plumbing to be resilient to the race condition, and (2) avoids
using it in a racy way.
Fixes#19606
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
- Fixesdocker/docker#19576
- Fixed embedded DNS to listen in TCP as well
- Fixed a race-condition in IPAM to choose non-overlapping subnet for concurrent requests
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This makes it so when calling `docker run --rm`, or `docker rm -v`, only
volumes specified without a name, e.g. `docker run -v /foo` instead of
`docker run -v awesome:/foo` are removed.
Note that all volumes are named, some are named by the user, some get a
generated name. This is specifically about how the volume was specified
on `run`, assuming that if the user specified it with a name they expect
it to persist after the container is cleaned up.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Replace `Tty` with `TTY` in all test case names so that we can run
a bundle of `TTY` related test cases with TESTFLAGS like
`-check.f TestExecTTY*`
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Resize by +1 when attaching to force redrawing.
Start monitoring window size after the attach begins instead of before. This way, you see the output
from the container without having to manually resize or hit enter. This makes attach consistent with
run and exec.
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
Use a back-compat struct to handle listing volumes for volumes we know
about (because, presumably, they are being used by a container) for
volume drivers which don't yet support `List`.
Adds a fall-back for the volume driver `Get` call, which will use
`Create` when the driver returns a `404` for `Get`. The old behavior was
to always use `Create` to get a volume reference.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
TestBuildEnvUsage2 was flagged in https://github.com/docker/docker/issues/19425
as one of the slowest integration tests. It's slow because it has some
comprehensive builder test cases that end up creating a lot of layers.
Even with a busybox base image, this can be expensive. It's not possible
to build "FROM scratch" because the test cases need the shell to ensure
environment variables are set correctly.
Some of the ENV and RUN statements can be combined. This causes fewer
layers to get created. Doing this produces a marginal improvement in the
runtime.
Before:
PASS: docker_cli_build_test.go:3956: DockerSuite.TestBuildEnvUsage2 43.619s
After:
PASS: docker_cli_build_test.go:3956: DockerSuite.TestBuildEnvUsage2 31.286s
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
While hack/make.sh checks for systemd headers using pkg-config, we
forgot to ensure that they were there in the images that we use for
building binaries for RPM-based distributions. Add the right packages
to the generate.sh that we use for them, and update the copies of the
generated files that we carry in the source tree.
Notes: Fedora, CentOS, and Oracle Linux put the pkg-config command in
the "pkgconfig" package, while OpenSUSE calls the package "pkg-config".
The systemd-devel package, like systemd, is not in Oracle Linux 6.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This is used in `hack/make.sh` for detecting various dependencies such as `libsystemd-journal` -- without this, our packages don't support pulling logs back out of journald. 😢
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Divide event matching into two functions, a matcher and
a processor. That way, the error handling doesn't call
the channel closing logic at all.
Signed-off-by: David Calavera <david.calavera@gmail.com>
To ensure we don't regress on bad --cgroup-parent paths, add some
integration tests that check that the host hasn't toppled (or suddently
started to create files in the host).
Signed-off-by: Aleksa Sarai <asarai@suse.com>
This fixes a security vulnerability in Docker, which can cause a DoS
under certain circumstances. This is from the hotfix branch, so the
vendored commit is actually bf899fef451956be4abd63de6d6141d9f9096a02 in
runc master.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
For the CS Engine we need to have an install script like OSS does, but
the locations are all different, as is the GPG key used. This is
accomplished here by slightly altering the script itself and adding a
simple 'sed' based bundle for make.sh.
This install script is used in to change the URLs instead of sed in
release.sh.
Signed-off-by: Mike Dougherty <mike.dougherty@docker.com>
- Return an error if any of the keys don't match valid flags.
- Fix an issue ignoring merged values as named values.
- Fix tlsverify configuration key.
- Fix bug in mflag to avoid panics when one of the flag set doesn't have any flag.
Signed-off-by: David Calavera <david.calavera@gmail.com>
It is possible to invoke `docker ps -f status=dead`, but the
documentation for docker-ps does not mention `dead` as a valid option.
This commit fixes that.
Signed-off-by: Kareem Khazem <karkhaz@karkhaz.com>
Another day, another revendor.
This revision of distribution is more tolerant of incorrect Content-Type
headers when fetching manifests.
Fixes#19526
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There was already a check that prevented protocol-level fallback in this
situation, but retries within a specific protocol will still happen.
This makes it take a long time for the pull to finally error out.
This fixes slowness in TestDaemonNoSpaceleftOnDeviceError, which used to
take a long time due to the backoff between retry attempts:
PASS: docker_cli_daemon_test.go:1868: DockerDaemonSuite.TestDaemonNoSpaceleftOnDeviceError 5.882s
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
The currently used idiom for handling key specific subcompletions
did not work here: behind `docker event -f type=network `, the completion
of networks triggered. The expected behaviour is not to complete
anything here.
In order to limit the scope of the corresponding PR, the new idiom is
currently only used in `docker events --filter`.
Signed-off-by: Harald Albers <github@albersweb.de>
The description "set `-1` to disable swap" is wrong, `build`,
`create` and `run` already fixed, we need to fix `update` as well.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
When authorization errors are returned by the token process the error will be wrapped in url.Error.
In order to check the underlying error for retry this error message should be unwrapped.
Unwrapping this error allows failure to push due to an unauthorized response to keep from retrying, possibly resulting in later 429 responses.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Fixes#19506
This fixes the issue of errors on create and the tty not being able to
be restored to its previous state because of a race where it was
in the hijack goroutine.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The daemon uses two similar filename extensions to identify different
kinds of certificates. ".crt" files are interpreted as CA certificates,
and ".cert" files are interprted as client certificates. If a CA
certificate is accidentally given the extension ".cert", it will lead to
the following error message:
Missing key ca.key for certificate ca.cert
To make this slightly less confusing, clarify the error message with a
note that CA certificates should use the extension ".crt".
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This helps ensure that only one thing is trying to intialize a plugin at
once while also keeping the global lock free during initialization.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- Set the daemon log level to what's set in the configuration.
- Enable TLS when TLSVerify is enabled.
Signed-off-by: David Calavera <david.calavera@gmail.com>
During daemon startup, all containers are registered before any are
started.
During container registration it was calling out to initialize volumes.
If the volume uses a plugin that is running in a container, this will
cause the restart of that container to fail since the plugin is not yet
running.
This also slowed down daemon startup since volume initialization was
happening sequentially, which can be slow (and is flat out slow since
initialization would fail but take 8 seconds for each volume to do it).
This fix holds off on volume initialization until after containers are
restarted and does the initialization in parallel.
The containers that are restarted will have thier volumes initialized
because they are being started. If any of these containers are using a
plugin they will just keep retrying to reach the plugin (up to the
timeout, which is 8seconds) until the container with the plugin is up
and running.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The path here should be absolute, else it would
deem it as volume name.
Also link to release page to contain static binary,
the old link not work, because it is just used to
install docker in os distro, it can not be used
as static binary directly.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
`daemon.execCommandGC`
The daemon object (grep execCommandGC) iterate over a map
(grep execCommands.Commands) in a goroutine.
Lock can't protect concurrency access in this case.
Exec command storage object should return a copy of commands instead.
Signed-off-by: Pei Su <sillyousu@gmail.com>
This hopefully makes DockerTrustSuite.SetUpTest
less flaky.
Increased the number of attempts to check
if Notary is available before giving up.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes#19400
Note that this introduces an incompatibility with Docker 1.10-rc1,
because the media type used for schema1 manifests has been corrected in
the upstream distribution code. Docker 1.10-rc1 won't be able to pull
old manifests from Registry 2.3-rc0 and up, but because of this vendor
update, Docker 1.10-rc2 won't have this problem.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Correctly passes the DOCKER_ENGINE_GOARCH env var
to the testing environment
Also fixes logic for skipping a test if on ARM.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Add continue when layer fails on store creation
Trim whitespace from layerstore files to keep trailing space from failing a layer load
Fixes#19449
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The example is not right in parameter, and also
one command is same as first one, it should be typo
before, we should use 'rw' as example for that.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Default is predefined network and is reserved, so we should stop user
from creating network with name `default`
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Revert the portions of #17617 that report all errors when a pull
falls back, and go back to just reporting the last error. This was nice
to have, but causes some UX issues because nonexistent images show
additional "unauthorized" errors.
Keep the part of the PR that handled ENOSPC, as this appears to work
even without tracking multiple errors.
Fixes#19419
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
this prevents the copier from sending messages in the buffer to the closed
driver. If the copied took longer than the timeout to drain the buffer, this
aborts the copier read loop and return back so we can cleanup resources
properly.
Signed-off-by: Daniel Dao <dqminh@cloudflare.com>
Currently builder.Backend is implemented by daemonbuilder.Docker{} for
the daemon. This registration happens in the API/server code. However,
this is too implementation specific. Ideally we should be able to specify
that docker daemon (or any other) is implementing the Backend and abstract
the implementation details. So we should remove package daemonbuilder
dependency in build_routes.go
With this change, daemonbuilder.Docker is nothing more than the daemon.
A follow on change will remove the daemonbuilder package and move relevant
methods under daemon, so that API only knows about the backend.
Also cleanup code in api/client/build.go. docker cli always performs build
context tar download for remoteURLs and sends an empty remoteContext. So
remove relevant dead code.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Fixes: #18890
This fix add same filter validation logic as images. We should
add such check to make sure filters work make sense to end-users
Right now, we keep old use 1 as filter, but in long term, it should
be have same interface checking as images, it could be improved in
other patches.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Issue was caused when exec is tarted, exits, then stated again.
In this case, `Close` is called twice, which closes a channel twice.
Changes execConfig.ExitCode to a pointer so we can test if the it has
been set or not.
This allows us to return early when the exec has already been run.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This results in a significant time savings during repeated builds (since we don't have to re-download gcc for every test run).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Currently the TestInspectApiContainerVolumeDriver is testing the
existence of a volume driver without specifing any volume driver.
This commit fixes that.
Signed-off-by: André Martins <aanm90@gmail.com>
ppc64le now installs the second registry used for
f11b6a2ab3
Also, removed notary until the change to go 1.5.1+
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
We always need proxy for build, so we always use "docker build"
command instead of "make build", but now for some reasons, we need
macro defined in Makefile, so it would be helpful if we can use
"make build" without touching Dockerfile.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
file to require the Unbreakable Enterprise Kernel Release 4 on both Oracle Linux 6
and Oracle Linux 7.
The UEK R4 provides the required kernel functionality for VxLAN support
required by Docker 1.9 and user namespace support required for 1.10+.
The build of Docker on Oracle Linux 6 requires some manipulation of the build
environment so that the CGO compiler uses the UEK R4 headers instead of the old
default kernel headers.
Signed-off-by: Avi Miller <avi.miller@oracle.com>
2016-01-08 08:09:47 +11:00
1605 changed files with 93556 additions and 39026 deletions
Items starting with `DEPRECATE` are important deprecation notices. For more
information on the list of deprecated flags and APIs please have a look at
https://docs.docker.com/misc/deprecated/ where target removal dates can also
https://docs.docker.com/engine/deprecated/ where target removal dates can also
be found.
## 1.11.0 (2016-04-12)
**IMPORTANT**: With Docker 1.11, a Linux docker installation is now made of 4 binaries (`docker`, [`docker-containerd`](https://github.com/docker/containerd), [`docker-containerd-shim`](https://github.com/docker/containerd) and [`docker-runc`](https://github.com/opencontainers/runc)). If you have scripts relying on docker being a single static binaries, please make sure to update them. Interaction with the daemon stay the same otherwise, the usage of the other binaries should be transparent. A Windows docker installation remains a single binary, `docker.exe`.
### Builder
- Fix a bug where Docker would not used the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033))
- Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162))
### Client
* Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232))
+ The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373))
* Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200))
* Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128))
- Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803))
- Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792))
* Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587))
- Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566))
+ Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373))
+ Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107))
*`docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017))
*`docker info` now also report Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986))
- Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806))
* Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761))
*`docker ps` no longer show exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483))
- Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849))
* Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078))
### Distribution
- Fix a panic that occurred when pulling an images with 0 layers ([#21222](https://github.com/docker/docker/pull/21222))
- Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212))
+ All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046))
+ OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970))
*`docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832))
*`docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565))
* Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241))
* Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840))
- Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509))
### Logging
- Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311))
* Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121))
* Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831))
* Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794))
+ Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689))
* Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564))
+ The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439))
+ Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766))
### Misc
+ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/c))
+ Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325))
+ Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270))
* The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266))
- Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258))
- Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633))
* Docker info now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863))
* Docker info now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388))
* Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894))
*`dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851))
+ Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013))
+ Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348))
### Networking
- Fix a bug where IPv6 addresses were not properly handled ([#20842](https://github.com/docker/docker/pull/20842))
*`docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160))
+ Experimental support for the MacVlan and IPVlan network drivers have been added ([#21122](https://github.com/docker/docker/pull/21122))
* Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383))
- Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431))
*`docker network inspect` now returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357))
+ Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513))
* Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server [#21396](https://github.com/docker/docker/pull/21396)
* Multiple A/AAAA records from embedded DNS Server for DNS Round robin [#21019](https://github.com/docker/docker/pull/21019)
### Plugins
- Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686))
- Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602))
### Runtime
+ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
+ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
+ Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354))
* Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345))
* Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097))
- Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089))
- Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048))
- Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045))
- Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022))
- Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013))
- Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002))
* Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977))
- Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967)
* The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786))
+ Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727))
- Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684))
+ Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662))
- Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604))
+ Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177))
+ Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111))
- Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679))
* Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517))
- Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500))
*`docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116))
*`docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966))
+ Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697))
-`docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078))
### Security
* Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370))
*`restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262))
*`send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432))
### Volumes
* Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389))
* Local volumes can now accepts options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262))
- Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106))
+ `docker run -v` now accepts a new flag `nocopy`. This tell the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223))
## 1.10.3 (2016-03-10)
### Runtime
- Fix Docker client exiting with an "Unrecognized input header" error [#20706](https://github.com/docker/docker/pull/20706)
- Fix Docker exiting if Exec is started with both `AttachStdin` and `Detach` [#20647](https://github.com/docker/docker/pull/20647)
### Distribution
- Fix a crash when pushing multiple images sharing the same layers to the same repository in parallel [#20831](https://github.com/docker/docker/pull/20831)
- Fix a panic when pushing images to a registry which uses a misconfigured token service [#21030](https://github.com/docker/docker/pull/21030)
### Plugin system
- Fix issue preventing volume plugins to start when SELinux is enabled [#20834](https://github.com/docker/docker/pull/20834)
- Prevent Docker from exiting if a volume plugin returns a null response for Get requests [#20682](https://github.com/docker/docker/pull/20682)
- Fix plugin system leaking file descriptors if a plugin has an error [#20680](https://github.com/docker/docker/pull/20680)
### Security
- Fix linux32 emulation to fail during docker build [#20672](https://github.com/docker/docker/pull/20672)
It was due to the `personality` syscall being blocked by the default seccomp profile.
- Fix Oracle XE 10g failing to start in a container [#20981](https://github.com/docker/docker/pull/20981)
It was due to the `ipc` syscall being blocked by the default seccomp profile.
- Fix user namespaces not working on Linux From Scratch [#20685](https://github.com/docker/docker/pull/20685)
- Fix issue preventing daemon to start if userns is enabled and the `subuid` or `subgid` files contain comments [#20725](https://github.com/docker/docker/pull/20725)
## 1.10.2 (2016-02-22)
### Runtime
- Prevent systemd from deleting containers' cgroups when its configuration is reloaded [#20518](https://github.com/docker/docker/pull/20518)
- Fix SELinux issues by disregarding `--read-only` when mounting `/dev/mqueue` [#20333](https://github.com/docker/docker/pull/20333)
- Fix chown permissions used during `docker cp` when userns is used [#20446](https://github.com/docker/docker/pull/20446)
- Fix configuration loading issue with all booleans defaulting to `true` [#20471](https://github.com/docker/docker/pull/20471)
- Fix occasional panic with `docker logs -f` [#20522](https://github.com/docker/docker/pull/20522)
### Distribution
- Keep layer reference if deletion failed to avoid a badly inconsistent state [#20513](https://github.com/docker/docker/pull/20513)
- Handle gracefully a corner case when canceling migration [#20372](https://github.com/docker/docker/pull/20372)
- Fix docker import on compressed data [#20367](https://github.com/docker/docker/pull/20367)
- Fix tar-split files corruption during migration that later cause docker push and docker save to fail [#20458](https://github.com/docker/docker/pull/20458)
### Networking
- Fix daemon crash if embedded DNS is sent garbage [#20510](https://github.com/docker/docker/pull/20510)
### Volumes
- Fix issue with multiple volume references with same name [#20381](https://github.com/docker/docker/pull/20381)
### Security
- Fix potential cache corruption and delegation conflict issues [#20523](https://github.com/docker/docker/pull/20523)
## 1.10.1 (2016-02-11)
### Runtime
* Do not stop daemon on migration hard failure [#20156](https://github.com/docker/docker/pull/20156)
- Fix various issues with migration to content-addressable images [#20058](https://github.com/docker/docker/pull/20058)
- Fix ZFS permission bug with user namespaces [#20045](https://github.com/docker/docker/pull/20045)
- Do not leak /dev/mqueue from the host to all containers, keep it container-specific [#19876](https://github.com/docker/docker/pull/19876) [#20133](https://github.com/docker/docker/pull/20133)
- Fix `docker ps --filter before=...` to not show stopped containers without providing `-a` flag [#20135](https://github.com/docker/docker/pull/20135)
### Security
- Fix issue preventing docker events to work properly with authorization plugin [#20002](https://github.com/docker/docker/pull/20002)
### Distribution
* Add additional verifications and prevent from uploading invalid data to registries [#20164](https://github.com/docker/docker/pull/20164)
- Fix embedded DNS for user-defined networks in the presence of firewalld [#20060](https://github.com/docker/docker/pull/20060)
- Fix issue where removing a network during shutdown left Docker inoperable [#20181](https://github.com/docker/docker/issues/20181) [#20235](https://github.com/docker/docker/issues/20235)
- Embedded DNS is now able to return compressed results [#20181](https://github.com/docker/docker/issues/20181)
- Fix port-mapping issue with `userland-proxy=false` [#20181](https://github.com/docker/docker/issues/20181)
### Logging
- Fix bug where tcp+tls protocol would be rejected [#20109](https://github.com/docker/docker/pull/20109)
### Volumes
- Fix issue whereby older volume drivers would not receive volume options [#19983](https://github.com/docker/docker/pull/19983)
### Misc
- Remove TasksMax from Docker systemd service [#20167](https://github.com/docker/docker/pull/20167)
## 1.10.0 (2016-02-04)
**IMPORTANT**: Docker 1.10 uses a new content-addressable storage for images and layers.
A migration is performed the first time docker is run, and can take a significant amount of time depending on the number of images present.
Refer to this page on the wiki for more information: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
We also released a cool migration utility that enables you to perform the migration before updating to reduce downtime.
Engine 1.10 migrator can be found on Docker Hub: https://hub.docker.com/r/docker/v1.10-migrator/
### Runtime
+ New `docker update` command that allows updating resource constraints on running containers [#15078](https://github.com/docker/docker/pull/15078)
+ Add `--tmpfs` flag to `docker run` to create a tmpfs mount in a container [#13587](https://github.com/docker/docker/pull/13587)
+ Add `--format` flag to `docker images` command [#17692](https://github.com/docker/docker/pull/17692)
+ Allow to set daemon configuration in a file and hot-reload it with the `SIGHUP` signal [#18587](https://github.com/docker/docker/pull/18587)
+ Updated docker events to include more meta-data and event types [#18888](https://github.com/docker/docker/pull/18888)
This change is backward compatible in the API, but not on the CLI.
+ Add `--blkio-weight-device` flag to `docker run` [#13959](https://github.com/docker/docker/pull/13959)
+ Add `--device-read-bps` and `--device-write-bps` flags to `docker run` [#14466](https://github.com/docker/docker/pull/14466)
+ Add `--device-read-iops` and `--device-write-iops` flags to `docker run` [#15879](https://github.com/docker/docker/pull/15879)
+ Add `--oom-score-adj` flag to `docker run` [#16277](https://github.com/docker/docker/pull/16277)
+ Add `--detach-keys` flag to `attach`, `run`, `start` and `exec` commands to override the default key sequence that detaches from a container [#15666](https://github.com/docker/docker/pull/15666)
+ Add `--shm-size` flag to `run`, `create` and `build` to set the size of `/dev/shm` [#16168](https://github.com/docker/docker/pull/16168)
+ Show the number of running, stopped, and paused containers in `docker info` [#19249](https://github.com/docker/docker/pull/19249)
+ Show the `OSType` and `Architecture` in `docker info` [#17478](https://github.com/docker/docker/pull/17478)
+ Add `--cgroup-parent` flag on `daemon` to set cgroup parent for all containers [#19062](https://github.com/docker/docker/pull/19062)
+ Add `-L` flag to docker cp to follow symlinks [#16613](https://github.com/docker/docker/pull/16613)
+ New `status=dead` filter for `docker ps` [#17908](https://github.com/docker/docker/pull/17908)
* Change `docker run` exit codes to distinguish between runtime and application errors [#14012](https://github.com/docker/docker/pull/14012)
* Enhance `docker events --since` and `--until` to support nanoseconds and timezones [#17495](https://github.com/docker/docker/pull/17495)
* Add `--all`/`-a` flag to `stats` to include both running and stopped containers [#16742](https://github.com/docker/docker/pull/16742)
* Change the default cgroup-driver to `cgroupfs` [#17704](https://github.com/docker/docker/pull/17704)
* Emit a "tag" event when tagging an image with `build -t` [#17115](https://github.com/docker/docker/pull/17115)
* Best effort for linked containers' start order when starting the daemon [#18208](https://github.com/docker/docker/pull/18208)
* Add ability to add multiple tags on `build` [#15780](https://github.com/docker/docker/pull/15780)
* Permit `OPTIONS` request against any url, thus fixing issue with CORS [#19569](https://github.com/docker/docker/pull/19569)
- Fix the `--quiet` flag on `docker build` to actually be quiet [#17428](https://github.com/docker/docker/pull/17428)
- Fix `docker images --filter dangling=false` to now show all non-dangling images [#19326](https://github.com/docker/docker/pull/19326)
- Fix race condition causing autorestart turning off on restart [#17629](https://github.com/docker/docker/pull/17629)
- Fix obscure bug preventing to start containers [#19751](https://github.com/docker/docker/pull/19751)
- Forbid `exec` during container restart [#19722](https://github.com/docker/docker/pull/19722)
- devicemapper: Increasing `--storage-opt dm.basesize` will now increase the base device size on daemon restart [#19123](https://github.com/docker/docker/pull/19123)
### Security
+ Add `--userns-remap` flag to `daemon` to support user namespaces (previously in experimental) [#19187](https://github.com/docker/docker/pull/19187)
+ Add support for custom seccomp profiles in `--security-opt` [#17989](https://github.com/docker/docker/pull/17989)
+ Add `--authorization-plugin` flag to `daemon` to customize ACLs [#15365](https://github.com/docker/docker/pull/15365)
+ Docker Content Trust now supports the ability to read and write user delegations [#18887](https://github.com/docker/docker/pull/18887)
This is an optional, opt-in feature that requires the explicit use of the Notary command-line utility in order to be enabled.
Enabling delegation support in a specific repository will break the ability of Docker 1.9 and 1.8 to pull from that repository, if content trust is enabled.
* Allow SELinux to run in a container when using the BTRFS storage driver [#16452](https://github.com/docker/docker/pull/16452)
### Distribution
* Use content-addressable storage for images and layers [#17924](https://github.com/docker/docker/pull/17924)
Note that a migration is performed the first time docker is run; it can take a significant amount of time depending on the number of images and containers present.
Images no longer depend on the parent chain but contain a list of layer references.
`docker load`/`docker save` tarballs now also contain content-addressable image configurations.
For more information: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
* Add support for the new [manifest format ("schema2")](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md) [#18785](https://github.com/docker/docker/pull/18785)
* Lots of improvements for push and pull: performance++, retries on failed downloads, cancelling on client disconnect [#18353](https://github.com/docker/docker/pull/18353), [#18418](https://github.com/docker/docker/pull/18418), [#19109](https://github.com/docker/docker/pull/19109), [#18353](https://github.com/docker/docker/pull/18353)
- Fix issue where docker could hang indefinitely waiting for a nonexistent process to pull an image [#19743](https://github.com/docker/docker/pull/19743)
### Networking
+ Use DNS-based discovery instead of `/etc/hosts` [#19198](https://github.com/docker/docker/pull/19198)
+ Support for network-scoped alias using `--net-alias` on `run` and `--alias` on `network connect` [#19242](https://github.com/docker/docker/pull/19242)
+ Add `--ip` and `--ip6` on `run` and `network connect` to support custom IP addresses for a container in a network [#19001](https://github.com/docker/docker/pull/19001)
+ Add `--ipam-opt` to `network create` for passing custom IPAM options [#17316](https://github.com/docker/docker/pull/17316)
+ Add `--internal` flag to `network create` to restrict external access to and from the network [#19276](https://github.com/docker/docker/pull/19276)
+ Add `kv.path` option to `--cluster-store-opt` [#19167](https://github.com/docker/docker/pull/19167)
+ Add `discovery.heartbeat` and `discovery.ttl` options to `--cluster-store-opt` to configure discovery TTL and heartbeat timer [#18204](https://github.com/docker/docker/pull/18204)
+ Add `--format` flag to `network inspect` [#17481](https://github.com/docker/docker/pull/17481)
+ Add `--link` to `network connect` to provide a container-local alias [#19229](https://github.com/docker/docker/pull/19229)
+ Support for Capability exchange with remote IPAM plugins [#18775](https://github.com/docker/docker/pull/18775)
+ Add `--force` to `network disconnect` to force container to be disconnected from network [#19317](https://github.com/docker/docker/pull/19317)
* Support for multi-host networking using built-in overlay driver for all engine supported kernels: 3.10+ [#18775](https://github.com/docker/docker/pull/18775)
*`--link` is now supported on `docker run` for containers in user-defined network [#19229](https://github.com/docker/docker/pull/19229)
* Include container names in `network inspect` [#17615](https://github.com/docker/docker/pull/17615)
* Include auto-generated subnets for user-defined networks in `network inspect` [#17316](https://github.com/docker/docker/pull/17316)
* Add `--filter` flag to `network ls` to hide predefined networks [#17782](https://github.com/docker/docker/pull/17782)
* Add support for network connect/disconnect to stopped containers [#18906](https://github.com/docker/docker/pull/18906)
* Add network ID to container inspect [#19323](https://github.com/docker/docker/pull/19323)
- Fix MTU issue where Docker would not start with two or more default routes [#18108](https://github.com/docker/docker/pull/18108)
- Fix duplicate IP address for containers [#18106](https://github.com/docker/docker/pull/18106)
- Fix issue preventing sometimes docker from creating the bridge network [#19338](https://github.com/docker/docker/pull/19338)
- Do not substitute 127.0.0.1 name server when using `--net=host` [#19573](https://github.com/docker/docker/pull/19573)
### Logging
+ New logging driver for Splunk [#16488](https://github.com/docker/docker/pull/16488)
+ Add support for syslog over TCP+TLS [#18998](https://github.com/docker/docker/pull/18998)
* Enhance `docker logs --since` and `--until` to support nanoseconds and time [#17495](https://github.com/docker/docker/pull/17495)
* Enhance AWS logs to auto-detect region [#16640](https://github.com/docker/docker/pull/16640)
### Volumes
+ Add support to set the mount propagation mode for a volume [#17034](https://github.com/docker/docker/pull/17034)
* Add `ls` and `inspect` endpoints to volume plugin API [#16534](https://github.com/docker/docker/pull/16534)
Existing plugins need to make use of these new APIs to satisfy users' expectation
For that, please use the new MIME type `application/vnd.docker.plugins.v1.2+json` [#19549](https://github.com/docker/docker/pull/19549)
- Fix data not being copied to named volumes [#19175](https://github.com/docker/docker/pull/19175)
- Fix issues preventing volume drivers from being containerized [#19500](https://github.com/docker/docker/pull/19500)
- Fix `docker volumes ls --dangling=false` to now show all non-dangling volumes [#19671](https://github.com/docker/docker/pull/19671)
- Do not remove named volumes on container removal [#19568](https://github.com/docker/docker/pull/19568)
- Allow external volume drivers to host anonymous volumes [#19190](https://github.com/docker/docker/pull/19190)
### Builder
+ Add support for `**` in `.dockerignore` to wildcard multiple levels of directories [#17090](https://github.com/docker/docker/pull/17090)
- Fix handling of UTF-8 characters in Dockerfiles [#17055](https://github.com/docker/docker/pull/17055)
- Fix permissions problem when reading from STDIN [#19283](https://github.com/docker/docker/pull/19283)
### Client
+ Add support for overriding the API version to use via an `DOCKER_API_VERSION` environment-variable [#15964](https://github.com/docker/docker/pull/15964)
- Fix a bug preventing Windows clients to log in to Docker Hub [#19891](https://github.com/docker/docker/pull/19891)
### Misc
* systemd: Set TasksMax in addition to LimitNPROC in systemd service file [#19391](https://github.com/docker/docker/pull/19391)
### Deprecations
* Remove LXC support. The LXC driver was deprecated in Docker 1.8, and has now been removed [#17700](https://github.com/docker/docker/pull/17700)
* Remove `--exec-driver` daemon flag, because it is no longer in use [#17700](https://github.com/docker/docker/pull/17700)
* Remove old deprecated single-dashed long CLI flags (such as `-rm`; use `--rm` instead) [#17724](https://github.com/docker/docker/pull/17724)
* Deprecate HostConfig at API container start [#17799](https://github.com/docker/docker/pull/17799)
* Deprecate docker packages for newly EOL'd Linux distributions: Fedora 21 and Ubuntu 15.04 (Vivid) [#18794](https://github.com/docker/docker/pull/18794), [#18809](https://github.com/docker/docker/pull/18809)
* Deprecate `-f` flag for docker tag [#18350](https://github.com/docker/docker/pull/18350)
## 1.9.1 (2015-11-21)
### Runtime
@@ -1636,7 +1993,7 @@ With the ongoing changes to the networking and execution subsystems of docker te
+ Containers can expose public UDP ports (eg, '-p 123/udp')
+ Optionally specify an exact public port (eg. '-p 80:4500')
* 'docker login' supports additional options
- Dont save a container`s hostname when committing an image.
- Don't save a container`s hostname when committing an image.
# This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
# The volume will be cleaned up when the container is removed due to `--rm`.
# Note that `BIND_DIR` will already be set to `bundles` if `DOCKER_HOST` is not set (see above BIND_DIR line), in such case this will do nothing since `DOCKER_MOUNT` will already be set.
// CmdLogin logs in or registers a user to a Docker registry service.
// CmdLogin logs in a user to a Docker registry service.
//
// If no server is specified, the user will be logged into or registered to the registry's index server.
//
// Usage: docker login SERVER
func(cli*DockerCli)CmdLogin(args...string)error{
cmd:=Cli.Subcmd("login",[]string{"[SERVER]"},Cli.DockerCommands["login"].Description+".\nIf no server is specified \""+registry.IndexServer+"\" is the default.",true)
cmd:=Cli.Subcmd("login",[]string{"[SERVER]"},Cli.DockerCommands["login"].Description+".\nIf no server is specified, the default is defined by the daemon.",true)
// if this is a defauly registry (docker hub), then display the following message.
fmt.Fprintln(cli.out,"Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
// CmdLogout logs a user out from a Docker registry.
@@ -14,25 +13,28 @@ import (
//
// Usage: docker logout [SERVER]
func(cli*DockerCli)CmdLogout(args...string)error{
cmd:=Cli.Subcmd("logout",[]string{"[SERVER]"},Cli.DockerCommands["logout"].Description+".\nIf no server is specified \""+registry.IndexServer+"\" is the default.",true)
cmd:=Cli.Subcmd("logout",[]string{"[SERVER]"},Cli.DockerCommands["logout"].Description+".\nIf no server is specified, the default is defined by the daemon.",true)
cmd.Require(flag.Max,1)
cmd.ParseFlags(args,true)
serverAddress:=registry.IndexServer
varserverAddressstring
iflen(cmd.Args())>0{
serverAddress=cmd.Arg(0)
}else{
serverAddress=cli.electAuthServer()
}
// check if we're logged in based on the records in the config file
// which means it couldn't have user/pass cause they may be in the creds store
fmt.Fprintf(cli.err,"[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE\n")
fmt.Fprintf(cli.err,"[DEPRECATED] The environment variable DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE has been deprecated and will be removed in v1.10. Please use DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE\n")
returnbadRequestError{fmt.Errorf("client is newer than server (client API version: %s, server API version: %s)",apiVersion,defaultVersion)}
}
ifapiVersion.LessThan(minVersion){
returnbadRequestError{fmt.Errorf("client version %s is too old. Minimum supported API version is %s, please upgrade your client to a newer version",apiVersion,minVersion)}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
