This way, you don't have to specify the ":latest" tag for some command
and not for others
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit cb321e82db)
This changes `docker swarm help` to be consistent with capitals
and removes full stops.
Before:
```
Commands:
init Initialize a Swarm.
join Join a Swarm as a node and/or manager.
update update the Swarm.
leave Leave a Swarm.
inspect Inspect the Swarm
```
After:
```
Commands:
init Initialize a Swarm
join Join a Swarm as a node and/or manager
update Update the Swarm
leave Leave a Swarm
inspect Inspect the Swarm
```
Signed-off-by: Anil Madhavapeddy <anil@docker.com>
(cherry picked from commit 0ec78739ac)
This ensures that:
- The in-memory plugin store is populated with all the plugins
- Plugins which were active before daemon restart are active after.
This utilizes the liverestore feature when available, otherwise it
manually starts the plugin.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit dfd9187305)
When a repository has a tag and digests, show tag for each digest value.
Do not duplicate rows for the same image name with both tag and digest.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit 79eada3814)
The security infomation has already been added to `GET /info` in #21172.
However, it is not part of the output of `docker info` yet.
This fix adds the security information to `docker info`.
Additional tests has been added to cover changes.
This fix fixes#23500. This fix is related to #20909, #21172.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit eee20b564f)
We added docs about ecryptfs check but not in code side.
Also refactor code to make it clean.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
(cherry picked from commit 136323b043)
To provide users a view of service status, list the number of running
task over the requested number of replicas.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit b86cb293ec)
Change the kill mode to process so that systemd does not kill container
processes when the daemon is shutdown but only the docker daemon
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit db435f526a)
Instructions for installing the static binaries
has changed, so updated the instructions.
The comment on top already requires the steps
to be executed as root, so removing the 'sudo'
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e233c8dd72)
The test was waiting for the container to exit after failing its
healthcheck. However, we no longer automatically terminate containers,
so this waited instead for the container to time-out by itself.
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
(cherry picked from commit 18a59bb869)
The `--update-parallelism` flaag should default to 0, which is
interpreted by the backend as unlimited. In other words, by default all
services should update simultaneously.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
(cherry picked from commit f22d0174f3)
Do not gate with CAP_IPC_LOCK as unprivileged use is now
allowed in Linux. This returns it to how it was in 1.11.
Fixes#23587
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit bdf01cf5de)
This fixes an issue with hanging tests due to store.
Fixes#23560
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit e927df7b4b)
updated link to faqs/troubleshoot to point to new location /toolbox
fixed docker-for-mac link error
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
(cherry picked from commit 1d80f8ca19)
fixing links after moving surfacing tutorials
fixing more links for the newly located tutorials
WIP: merging 3 getting started tutorials into one to cover all platforms, added new files
fixing broken images and links in 3-in-1 getting started, re-wrote story flow, linked to Toolbox, d4mac,d4win
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
(cherry picked from commit 0254c12e1e)
Removes the leader column from node ls and shows whether a node is the
leader in the manager status column instead.
Signed-off-by: Drew Erny <drew.erny@docker.com>
(cherry picked from commit 4104c1dc13)
Make `--dispatcher-heartbeat-period` a duration in `docker swarm
update`, allowing to express the value as "5s", "1h", etc.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
With the rolling update there can be a possibility
that the container count matches the update has
completely finished yet.
The actual bug for the flakiness was fixed with the
swarmkit update.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This patch introduces a new experimental engine-level plugin management
with a new API and command line. Plugins can be distributed via a Docker
registry, and their lifecycle is managed by the engine.
This makes plugins a first-class construct.
For more background, have a look at issue #20363.
Documentation is in a separate commit. If you want to understand how the
new plugin system works, you can start by reading the documentation.
Note: backwards compatibility with existing plugins is maintained,
albeit they won't benefit from the advantages of the new system.
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Symlinks are currently not getting cleaned up when removing layers since only the root directory is removed.
On remove, read the link file and remove the associated link from the link directory.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Diff apply is sometimes producing a different change list causing the tests to fail.
Overlay has a known issue calculating diffs of files which occur within the same second they were created.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
As described in our ROADMAP.md, introduce new Swarm management commands
to call to the corresponding API endpoints.
This PR is fully backward compatible (joining a Swarm is an optional
feature of the Engine, and existing commands are not impacted).
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
As described in our ROADMAP.md, introduce new Swarm management API
endpoints relying on swarmkit to deploy services. It currently vendors
docker/engine-api changes.
This PR is fully backward compatible (joining a Swarm is an optional
feature of the Engine, and existing commands are not impacted).
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Add a dependency to `docker/swarmkit` in preparation for adding
first-class Swarm-wide service management inside the Docker Engine as
described in our ROADMAP.md.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This flags enables full support of daemonless containers in docker. It
ensures that docker does not stop containers on shutdown or restore and
properly reconnects to the container when restarted.
This is not the default because of backwards compat but should be the
desired outcome for people running containers in prod.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
fixing links after moving surfacing tutorials
fixing more links for the newly located tutorials
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
the instructions by providing a single compose file that runs the notary server, registry,
and a docker-in-docker trust sandbox.
Signed-off-by: cyli <cyli@twistedmatrix.com>
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
Added explanation for the example with image's digest ( as per @thaJeztah 's comment
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
Wrapped to ~80 chars
Signed-off-by: Shoubhik Bose <sbose78@gmail.com>
fix some formatting issues and consistency;
- Change capitalization (Query Parameters -> Query parameters, Json -> JSON)
- Make Query/JSON parameters and Status codes headings bold
- Fix indentation of some code blocks
- Fix headings (H2 -> H1), although all headings should be shifted the other way
round ;-)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to fix logrus formatting by adding `f` to the end of
`logrus.[Error|Warn|Debug|Fatal|Panic|Info](` when formatting string
is present but the function `logrus.[Error|Warn|Debug|Fatal|Panic|Info](`
is used (incorrectly).
This fix is related to #23459, and is a follow up of #23461.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.
This fix fixes#23459.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This change adjusts the calling pattern for servcing containers to use waiting on the process instead of expecting start to block. This is safer, as it avoids timeouts in the start code path for the potentially expensive update operation.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
When pivot_root fails we need to unmount the bind mounted path we
previously mounted in preparation for pivot_root.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
We have to wait until runc version (RUNC_COMMIT) is bumped.
Otherwise we get the following error:
oci runtime error: string SCMP_ARCH_S390 is not a valid
arch for seccomp
Fixes: bf2a577c13 ("Enable seccomp for s390x")
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Also moves some common stuff around :
- `api/client/registry.go` for registry related
method (`ElectAuthServer`, …)
- `api/client/credentials.go` to interact with credentials
Migrate logout command to cobra
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
There might be other (valid) reasons for setxattr(2) to fail, so only
ignore it when it's a not supported error (ENOTSUP). Otherwise, bail.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
The script failed if an empty volume is used
to generate the repo. This adds the directory
if missing.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
from a docker push output digest.DigestRegexp.FindString(output) does
not retrive the sha256: prefixed digest but just a string - in many
cases it's the registry host. The checks in the code are completely
wrong then. Fix this by using the DigestRegexp from the
distribution/reference package which correctly retrieves the digest
from the output.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker commit` to use spf13/cobra
NOTE: `RequiresMinMaxArgs()` has been renamed to `RequiresRangeArgs()`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
fixed broken links created from Engine Overview update by adding missing topic to daemon reference page and updating the hrefs in the api pages
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
the order in which disconnect takes place is undetermined,
so don't check for the full name
this test was passing due to a previous bug, that
always returned the same network-name.
this bug was recently fixed in 148bcda329
(pull request 23375), exposing this test to be
flaky.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
installation for man-8 was added in 1514b499f0
(pull-request 23236), but had a typo in a path,
causing generation of the RPM's to fail.
This fixes the path
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
During a `docker load` there are times when nothing is printed
to the screen, leaving the user with no idea whether something happened.
When something *is* printed, often its just something like:
```
1834950e52ce: Loading layer 1.311 MB/1.311 MB
5f70bf18a086: Loading layer 1.024 kB/1.024 kB
```
which isn't necessarily the same as the image IDs.
This PR will either show:
- all of the tags for the image, or
- all of the image IDs if there are no tags
Sample output:
```
$ docker load -i busybox.tar
Loaded image: busybox:latest
$ docker load -i a.tar
Loaded image ID: sha256:47bcc53f74dc94b1920f0b34f6036096526296767650f223433fe65c35f149eb
```
IOW, show the human-friendly stuff first and then only if there are no tags
default back to the image IDs, so they have something to work with.
For me this this is needed because I have lots of images and after a
recent `docker load` I had no idea what image I just imported and had a
hard time figuring it out. This should fix that by telling the user
which images they just imported.
I'll add tests once there's agreement that we want this change.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Adds a new overlay driver which uses multiple lower directories to create the union fs.
Additionally it uses symlinks and relative mount paths to allow a depth of 128 and stay within the mount page size limit.
Diffs and done directly over a single directory allowing diffs to be done efficiently and without the need fo the naive diff driver.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This bumps containerd to cf554d59dd96e459544748290eb9167f4bcde509 and
includes various fixes and updates the grpc package and types generated
for use.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker tag` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker version` to use spf13/cobra
NOTE: Most of the commands like `run`, `images` etc. goes to packages of
`container`, `image`, `network`, etc. Didn't find a good place for
`docker version` so just use the package `client` for now.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker images` to use spf13/cobra
NOTE: As part of this fix, a new function `RequiresMaxArgs()`
has been defined in `cli/required.go`. This func returns an
error if there is not at most max args
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This adds support for filtering by network ID, to be
consistent with other filter options.
Note that only *full* matches are returned; this is
consistent with other filters (e.g. volume), that
also return full matches only.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change the test back to what it was before
e83dad090a
And added an extra test-case to check the
output if an incorrect number of arguments
is passed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Any command that expects extra flags after positional args needs to set flags.SetInterspersed(false).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix fixed a couple of typos in the docs of `docker attach`:
docs/reference/commandline/attach.md
man/docker-attach.1.md
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
If Windows updates are being applied via a RUN command in a docker build, the build will not stop if there was a failure in postRunProcessing. To enable this behavior, we explicitly set the exit code of the container to a failure if postRunProcessing fails during servicing container step. For completeness, also avoid running servicing operation if the original exit code of the container is non-zero so that original failure exit code does not get overwritten.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker rename` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker pause` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker history` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker top` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker port` to use spf13/cobra
Note: As part of this fix, a new function `RequiresMinMaxArgs(min int, max int)`
has been added in cli/required.go. This function restrict the args
to be at least min and at most max.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fixes some Markup and formatting
issues in the network documentation;
- wrap text to 80 chars
- add missing language hints for code examples
- add missing line continuations (\)
- update USAGE output for Cobra
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
To implement seccomp for s390x the following changes are required:
1) seccomp_default: Add s390 compat mode
On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
compat mode. Therefore add this information to arches().
2) seccomp_default: Use correct flags parameter for sys_clone on s390x
On s390x the second parameter for the clone system call is the flags
parameter. On all other architectures it is the first one.
See kernel code kernel/fork.c:
#elif defined(CONFIG_CLONE_BACKWARDS2)
SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
int __user *, parent_tidptr,
So fix the docker default seccomp rule and check for the second
parameter on s390/s390x.
3) seccomp_default: Add s390 specific syscalls
For s390 we currently have three additional system calls that should
be added to the seccomp whitelist:
- Other architectures can read/write unprivileged from/to PCI MMIO memory.
On s390 the instructions are privileged and therefore we need system
calls for that purpose:
* s390_pci_mmio_write()
* s390_pci_mmio_read()
- Runtime instrumentation:
* s390_runtime_instr()
4) test_integration: Do not run seccomp default profile test on s390x
The generated profile that we check in is for amd64 and i386
architectures and does not work correctly on s390x.
See also: 75385dc216 ("Do not run the seccomp tests that use
default.json on non x86 architectures")
5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker wait` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Migrates network command and subcommands (connect, create, disconnect,
inspect, list and remove) to spf13/cobra
- Create a RequiredExactArgs helper function for command that require an
exact number of arguments.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
e.g.
```
$ docker run -i --restart always busybox sh
pwd
/
exit 11
<...hang...>
```
This is because Attach(daemon side) and Run(client side) both hangs on
WaitStop, if container is restarted too quickly, wait won't have chance
to get exit signal.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Currently `start` will hide some errors and throw a consolidated error,
which will make it hard to debug because developer can't find the
original error.
This commit allow daemon to log original errors first.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker unpause` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker logs` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker diff` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix fixes a couple of typos in docker attach docs:
docs/reference/commandline/attach.md
man/docker-attach.1.md
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This is similar to network scopes where a volume can either be `local`
or `global`. A `global` volume is one that exists across the entire
cluster where as a `local` volume exists on a single engine.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Testing for the number of commands in `help` output doesn't seem to
contribute much to the quality of the project, and adds additional
burden for the developer to update.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker stop` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fix a bug in the vendor helpers that took packages
that started with github.com/docker/docker like if
they were from within the project.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The error message changed from
remote error: bad certificate
To
remote error: tls: bad certificate
In Go 1.7, so just checking for "bad certificate"
to make this test work on both Go 1.6 and 1.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Move container options into a struct so that tests should pass.
Remove unused FlagSet arg from Parse
Disable interspersed args on docker run
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This fix addresses an issue where including the `{{.Size}}` format
field in conjunction with `docker ps --format`, without the `--size`
flag, would not correctly display the size of containers.
This is done by doing a check on the custom format string, and setting
the size flag on the options struct if the field is found. This struct
gets passed to the engine API which then generates the correct query.
An integration test is included which runs `docker ps --format "table
{{.Size}}"` without `--size`, and checks that the returned output is
not `0 B`.
Fixes#21991
As suggested by @cpuguy83, a parser is implemented to process the format
string as a template, and then traverses the template tree to determine
if `.Size` was called.
This was then reworked by making use of template execution with a
pre-processor struct that will set the `--size` option if the template
calls for the field.
The pre-processor now also sets a boolean in the context passed to the
writer. There is an integration test for this that calls `docker ps
--size --format "{{.Size}}"` and then checks that `size: {{.Size}}` is
not appended, as it would with previous behavior.
Finally, a change was made to the formatter to not automatically
add a `{{.Size}}` if a custom format is provided.
Signed-off-by: Paulo Ribeiro <paigr.io@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This endpoint has been deprecated since 1.8. Return an error starting
from this API version (1.24) in order to make sure it's not used for the
next API version and so that we can remove it some times later.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address issues related to #23221 where Dockerignore
may consists of UTF-8 BOM. This likely happens when Notepad
tries to save a file as UTF-8 in Windows.
This fix skips the UTF-8 BOM bytes from the beginning of the
Dockerignore if exists.
Additional tests has been added to cover the changes in this fix.
This fix is related to #23221 (UTF-8 BOM in Dockerfile).
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Before, the TCP handshake had to time out (approx 30s) before
this test completed. If you use a hostname that doesn't resolve,
then it fails faster.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
This fix tries to address issues in #23221 where Dockerfile
may consists of UTF-8 BOM. This likely happens when Notepad
tries to save a file as UTF-8 in Windows.
This fix skips the UTF-8 BOM bytes from the beginning of the
Dockerfile if exists.
Additional tests has been added to cover the changes in this
fix.
This fix fixes#23221.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This installs docker and dockerd to `$DOCKER_MAKE_INSTALL_PREFIX/bin`, which
defaults to `/usr/local/bin`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If we attach to a running container and stream is closed afterwards, we
can never be sure if the container is stopped or detached. Adding a new
type of `detach` event can explicitly notify client that container is
detached, so client will know that there's no need to wait for its exit
code and it can move forward to next step now.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to address several issues in deprecated.md:
1. For deprecated and removal versions, some include link reference
to the release tag but some does not point to the release tag. This
fix adds the missing links as long as the version is <= 1.12.
2. Technically, 1.12 is not released yet so the link to 1.12 does
not exist yet. However, at the time 1.12 is released this
deprecated.md doc should have been part of the release as well.
There is a circular dependency. This fix adds 1.12 for now.
3. `HostConfig at API container start` has already been removed
by #22570 so this fix changes `Target For Removal In Release: v1.12`
to `Removed In Release: v1.12`.
4. `Docker search 'automated' and 'stars' options` has not been removed
yet so this fix changes `Removed In Release: v1.14` to
`Target For Removal In Release: v1.14`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in #23055.
Currently `docker search` result caps at 25 and there is
no way to allow getting more results (if exist).
This fix adds the flag `--limit` so that it is possible
to return more results from the `docker search`.
Related documentation has been updated.
Additional tests have been added to cover the changes.
This fix fixes#23055.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in #20083 where
comment is not supported in `.dockerignore`.
This fix updated the processing of `.dockerignore` so that any
lines starting with `#` are ignored, which is similiar to the
behavior of `.gitignore`.
Related documentation has been updated.
Additional tests have been added to cover the changes.
This fix fixes#20083.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR adds support for user-defined health-check probes for Docker
containers. It adds a `HEALTHCHECK` instruction to the Dockerfile syntax plus
some corresponding "docker run" options. It can be used with a restart policy
to automatically restart a container if the check fails.
The `HEALTHCHECK` instruction has two forms:
* `HEALTHCHECK [OPTIONS] CMD command` (check container health by running a command inside the container)
* `HEALTHCHECK NONE` (disable any healthcheck inherited from the base image)
The `HEALTHCHECK` instruction tells Docker how to test a container to check that
it is still working. This can detect cases such as a web server that is stuck in
an infinite loop and unable to handle new connections, even though the server
process is still running.
When a container has a healthcheck specified, it has a _health status_ in
addition to its normal status. This status is initially `starting`. Whenever a
health check passes, it becomes `healthy` (whatever state it was previously in).
After a certain number of consecutive failures, it becomes `unhealthy`.
The options that can appear before `CMD` are:
* `--interval=DURATION` (default: `30s`)
* `--timeout=DURATION` (default: `30s`)
* `--retries=N` (default: `1`)
The health check will first run **interval** seconds after the container is
started, and then again **interval** seconds after each previous check completes.
If a single run of the check takes longer than **timeout** seconds then the check
is considered to have failed.
It takes **retries** consecutive failures of the health check for the container
to be considered `unhealthy`.
There can only be one `HEALTHCHECK` instruction in a Dockerfile. If you list
more than one then only the last `HEALTHCHECK` will take effect.
The command after the `CMD` keyword can be either a shell command (e.g. `HEALTHCHECK
CMD /bin/check-running`) or an _exec_ array (as with other Dockerfile commands;
see e.g. `ENTRYPOINT` for details).
The command's exit status indicates the health status of the container.
The possible values are:
- 0: success - the container is healthy and ready for use
- 1: unhealthy - the container is not working correctly
- 2: starting - the container is not ready for use yet, but is working correctly
If the probe returns 2 ("starting") when the container has already moved out of the
"starting" state then it is treated as "unhealthy" instead.
For example, to check every five minutes or so that a web-server is able to
serve the site's main page within three seconds:
HEALTHCHECK --interval=5m --timeout=3s \
CMD curl -f http://localhost/ || exit 1
To help debug failing probes, any output text (UTF-8 encoded) that the command writes
on stdout or stderr will be stored in the health status and can be queried with
`docker inspect`. Such output should be kept short (only the first 4096 bytes
are stored currently).
When the health status of a container changes, a `health_status` event is
generated with the new status. The health status is also displayed in the
`docker ps` output.
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When told to read additional attributes from logs that we've sent to the
journal, pull out all of the non-trusted, non-user fields that we didn't
hard-code ourselves. More of PR#20726 and PR#21889.
When reading entries in the journald log reader, set the time zone on
timestamps that we read to UTC, so that we send UTC values to the client
instead of values that are local to whatever timezone dockerd happens to
be running in.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
In order to be consistent on creation of volumes for bind mounts
we need to create the source directory if it does not exist and the
user specified he wants it relabeled.
Can not do this lower down the stack, since we are not passing in the
mode fields.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
The -f flag on docker tag has been deprecated in docker 1.10 and
is expected to be removed in docker 1.12.
This fix removed the -f flag on docker tag and also updated
deprecated.md.
NOTE: A separate pull request for engine-api has been opened to
cover the related changes.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updates engine-api to 6facb3f3c38717b8f618dcedc4c8ce20d1bfc61e.
This fix is related to #23090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This does a minor cleanup of the logging driver
documentation;
- Add a table-header to the driver-options
table.
- Add language hints to code-blocks to
prevent incorrect highlighting
- Wrap some code examples so that they
fit in the default layout
- Wrap text to 80-chars
- Fix ordering in menu
- Some minor rewording
We should still create separate pages
for all available drivers (for example,
json-file, syslog, and GELF don't have
their own configuration page)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the llvm apt repo was removed and finding the exact rev of the llvm
toolchain that worked perfecting in our dockerfile is a problem.
We looked at the reasons why we were using this version of clang and it
appears to be this compiler warning.
`was built for newer OSX version (10.11) than being linked
(10.6)`
When you look at the dockerfile this makes sense.
```
ENV OSX_SDK MacOSX10.11.sdk
ENV OSX_CROSS_COMMIT 8aa9b71a394905e6c5f4b59e2b97b87a004658a4
RUN set -x \
&& export OSXCROSS_PATH="/osxcross" \
&& git clone https://github.com/tpoechtrager/osxcross.git $OSXCROSS_PATH \
&& ( cd $OSXCROSS_PATH && git checkout -q $OSX_CROSS_COMMIT) \
&& curl -sSL https://s3.dockerproject.org/darwin/v2/${OSX_SDK}.tar.xz -o "${OSXCROSS_PATH}/tarballs/${OSX_SDK}.tar.xz" \
&& UNATTENDED=yes OSX_VERSION_MIN=10.6 ${OSXCROSS_PATH}/build.sh
ENV PATH /osxcross/target/bin:$PATH
```
We are basically using the 10.11 sdk but linking to 10.6 as the
min version so this warning should be expected.
Also the docs on the osxcross project require clan 3.2+, not 3.8.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Log drivers are instantiated on a per-container basis, and passed the
container ID (along with other information) when they're initialized.
Drivers that care about that value are caching the value that they're
passed when they're initialized and using it in favor of the value
contained in Message structures that are passed to them, so the field in
Messages is unused, so we remove it.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
device Base should not exists on failure:
--- FAIL: TestDevmapperCreateBase (0.06s)
graphtest_unix.go:122: stat
/tmp/docker-graphtest-079240530/devicemapper/mnt/Base/rootfs/a subdir:
no such file or directory
--- FAIL: TestDevmapperCreateSnap (0.00s)
graphtest_unix.go:219: devmapper: device Base already
exists.
it should be:
--- FAIL: TestDevmapperCreateBase (0.25s)
graphtest_unix.go:122: stat
/tmp/docker-graphtest-828994195/devicemapper/mnt/Base/rootfs/a subdir:
no such file or directory
--- FAIL: TestDevmapperCreateSnap (0.13s)
graphtest_unix.go:122: stat
/tmp/docker-graphtest-828994195/devicemapper/mnt/Snap/rootfs/a subdir:
no such file or directory
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Fixes#23031
If a profile is explicitly passed but the system is not built with seccomp support,
error out rather than just running without a profile at all as we would previously.
Behaviour is unchanged if no profile is specified or unconfined is specified.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Pull request #22840 and commit 40b21745cc ("Upgrade to golang 1.6.2")
introduces gcc 6.1 for Dockerfile.gccgo and Dockerfile.ppc64le.
So do this also for s390x and use "s390x/gcc:6.1" as base image.
In addition to this use "GO15VENDOREXPERIMENT=0" for notary build
as a workaround for:
* golang/go#15814
* golang/go#15628
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
When a partial ID or name is used in `docker ps` filters, today the
entire list of containers is walked even though there are shorter paths
to acquiring the subset of containers that match the ID or name. Also,
container's locks are used during this walk, causing increased lock
contention on a busy daemon.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
This fix tries to fix build errors caused by updating
aws-sdk-go to v1.1.30.
This fix fixes#22961.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to update aws-sdk-go to v1.1.30.
The following dependencies has been added:
github.com/go-ini/ini 060d7da055ba6ec5ea7a31f116332fe5efa04ce0
github.com/jmespath/go-jmespath 0b12d6b521d83fc7f755e7cfc1b1fbdd35a01a74
Note: the commits matches v1.1.30 of aws-sdk-go.
The following dependency has been removed
github.com/vaughan0/go-ini a98ad7ee00ec53921f08832bc06ecf7fd600e6a1
This fix fixes#22961.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The Seccomp tests ran 11 tests in parallel and this appears to be
hitting some sort of bug on CI. Splitting into two tests means that
I can no longer repeoduce the failure on the slow laptop where I could
reproduce the failures before.
Obviously this does not fix the underlying issue, which I will
continue to investigate, but not having the tests failing a lot
before the freeze for 1.12 would be rather helpful.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
1) docker create / run / start: this would create a snapshot device and mounts it onto the filesystem.
So the first time GET operation is called. it will create the rootfs directory and return the path to rootfs
2) Now when I do docker commit. It will call the GET operation second time. This time the refcount will check
that the count > 1 (count=2). so the rootfs already exists, it will just return the path to rootfs.
Earlier it was just returning the mp: /var/lib/docker/devicemapper/mnt/{ID} and hence the inconsistent paths error.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
This environment variable is no longer
needed in Go 1.6 (as it's not the default).
Removed this environment variable from
all Dockerfiles except the Dockerfile.s390x,
which is still using gcc 5.3 (Go 1.5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix fixes an error in documentation (dockerd.md). In the
example given by dockerd.md, the option `cluster-store-opts`
is assigned with an array but this option can only be assigned
as a map.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in #22420. When
`--tmpfs` is specified with `/tmp`, the default value is
`rw,nosuid,nodev,noexec,relatime,size=65536k`. When `--tmpfs`
is specified with `/tmp:rw`, then the value changed to
`rw,nosuid,nodev,noexec,relatime`.
The reason for such an inconsistency is because docker tries
to add `size=65536k` option only when user provides no option.
This fix tries to address this issue by always pre-progating
`size=65536k` along with `rw,nosuid,nodev,noexec,relatime`.
If user provides a different value (e.g., `size=8192k`), it
will override the `size=65536k` anyway since the combined
options will be parsed and merged to remove any duplicates.
Additional test cases have been added to cover the changes
in this fix.
This fix fixes#22420.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Since 1.9, the following short variant options have been
deprecated in favor of their long variants:
`docker run -c (--cpu-shares)`
`docker build -c (--cpu-shares)`
`docker create -c (--cpu-shares)`
`docker update -c (--cpu-shares)`
However, `-c` is still widely used and is considered as
a convenient option for swarm (see #16271).
This fix undeprecated the command line short
variant options of `-c` and updated the deprecated.md.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Updated documents markdown file on Debian installation.
Added details on the fact that backports are necessary on Wheezy as discussed in issue #16878
Signed-off-by: George Hafiz <george@hafiz.uk>
Updating `integration-cli/daemon.go` to use `dockerd` instead of `docker
daemon` to start up the daemon.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
SELinux labeling should be disabled when using --privileged mode
/etc/hosts, /etc/resolv.conf, /etc/hostname should not be relabeled if they
are volume mounted into the container.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
In #22554 I aligned seccomp and capabilities, however the case of
the chown calls and CAP_CHOWN was less clearcut, as these are
simple calls that the capabilities will block if they are not
allowed. They are needed when no new privileges is not set in
order to allow docker to call chown before the container is
started, so there was a workaround but this did not include
all the chown syscalls, and Arm was failing on some seccomp
tests because it was using a different syscall from just the
fchown that was allowed in this case. It is simpler to just
allow all the chown calls in the default seccomp profile and
let the capabilities subsystem block them.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
A previous change added a TTY fixup for stdin on older Windows versions to
work around a Windows issue with backspace/delete behavior. This change
used the OS version to determine whether to activate the behavior.
However, the Windows bug is actually in the image, not the OS, so it
should have used the image's OS version.
This ensures that a Server TP5 container running on Windows 10 will have
reasonable console behavior.
Signed-off-by: John Starks <jostarks@microsoft.com>
Add support for two now filter on the `images` command : `before` and
`since`. They work the same as the one on the `ps` command but for
images.
$ docker images --filter before=myimage
# display all images older than myimage
$ docker images --filter since=myimage
# display all images younger than myimage
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This works around golang/go#15286 by explicitly loading shell32.dll at
load time, ensuring that syscall can load it dynamically during process
startup.
Signed-off-by: John Starks <jostarks@microsoft.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fix tries to address the issue raised in #21976 and allows
the options of `--add-host` and `--net=host` to work at the same time.
The documentation has been updated and additional tests have been
added to cover this change.
This fix fixes#21976.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The generated profile that we check in is for amd64 and i386 architectures
and does not work correctly on arm as it is missing required syscalls,
and also specifies the architectures that are supported. It works on
ppc64le at the moment but better to skip the test as it is likely to
break in future.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fix tries to address the issue raised in #21976 and allows
the options of `--dns`, `--dns-search`, `--dns-opt` and `--net=host`
to work at the same time.
The documentation has been updated and additional tests have been
added to cover this change.
This fix fixes#21976.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fixes the test by loading in the architecture specific busybox
image when the test daemon starts.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
The mount check is now done by the FSChecker. This function is no longer needed and shouldn't be called.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Currently, using a custom detach key with an invalid sequence, eats a
part of the sequence, making it weird and difficult to enter some key
sequence.
This fixes by keeping the input read when trying to see if it's the key
sequence or not, and "writing" then is the key sequence is not the right
one, preserving the initial input.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
… and refactor a little bit some daemon on the way.
- Move `SearchRegistryForImages` to a new file (`daemon/search.go`) as
`daemon.go` is getting pretty big.
- `registry.Service` is now an interface (allowing us to decouple it a
little bit and thus unit test easily).
- Add some unit test for `SearchRegistryForImages`.
- Use UniqueExactMatch for search filters
- And use empty restore id for now in client.ContainerStart.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In order to do this, allow the socketcall syscall in the default
seccomp profile. This is a multiplexing syscall for the socket
operations, which is becoming obsolete gradually, but it is used
in some architectures. libseccomp has special handling for it for
x86 where it is common, so we did not need it in the profile,
but does not have any handling for ppc64le. It turns out that the
Debian images we use for tests do use the socketcall, while the
newer images such as Ubuntu 16.04 do not. Enabling this does no
harm as we allow all the socket operations anyway, and we allow
the similar ipc call for similar reasons already.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fix tries to cover the issue raised in #22463 by adding
filter for events emitted by docker daemon so that user could
utilize filter to receive events of interest.
Documentations have been updated for this fix.
Additional tests have been added to cover the changes in this fix.
This fix fixes#22463.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to cover the issue raised in #22463 by emitting
events for docker daemon so that user could be notified by
scenarios like config reload, etc.
This fix adds the `daemon reload`, and events for docker daemon.
Additional tests have been added to cover the changes in this fix.
This fix fixes#22463.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
It appears that on some systems apparmor gets in the way of libc.so.6
shared library being loaded - which means the ping fails.
To get around this if we run ping under `/lib64/ld-linux-x86-64.so.2`
then it works. So we only do this for linux and only if the first attempt
fails. If this 2nd attempt fails then we'll show the original error to
the user for debugging.
Also s/Output/CombinedOutput/ to help debugging in the future. It didn't
show the real error msg.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This was not changed when the additional tests were added.
It may be the reason for occasional test failures.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Check for the rootDir first because the mergeDir may not exist if root
is present.
Also fix unmounting in the defer to make sure it does not have a
refcount.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
For things that we can check if they are mounted by using their fsmagic
we should use that and for others do it the slow way.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This test is not applicable anymore now that containers are not stopped
when the daemon is restored.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
For me when I run the test I see:
```
Downloading from http://nourl/bad
Importing 283 B
Untar re-exec error: exit status 1: output: unexpected EOF
```
and nothing about "dial tcp" so it appears that the output is
system dependent and therefore we can't really check it. I think
checking for non-zero exit code is sufficient so I'm removing this
string check.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Using golang 1.6, is it now possible to ignore SIGPIPE events on
stdout/stderr. Previous versions of the golang library cached 10
events and then killed the process receiving the events.
systemd-journald sends SIGPIPE events when jounald is restarted and
the target of the unit file writes to stdout/stderr. Docker logs to stdout/stderr.
This patch silently ignores all SIGPIPE events.
Signed-off-by: Jhon Honce <jhonce@redhat.com>
Rework memoryStore so that filters and apply run
on a cloned list of containers after the lock has
been released. This avoids possible deadlocks when
these filter/apply callbacks take locks for a
container.
Fixes#22732
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
similar to the changes made in a4192471cd,
clean the branch-name before using it as a tag-name
for the image that's built.
this also changes the "image name" for docs images
being built from "docs-base" to "docker-docs", to
be in line with the main Makefile
before this change:
/usr/bin/make -C docs docs
docker build -t "docs-base:docs/slashes" .
invalid value "docs-base:docs/slashes" for flag -t: Error parsing reference: "docs-base:docs/slashes" is not a valid repository/tag
See 'docker build --help'.
make[1]: *** [docs-build] Error 125
make: *** [docs] Error 2
after this change:
/usr/bin/make -C docs docs
docker build -t "docker-docs:docs-slashes" .
Sending build context to Docker daemon 9.165 MB
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
hack/vendor.sh can now accept command line arguments
`./hack/vendor.sh github.com/docker/engine-api` will revendor only the
engine-api dependency.
`./hack/vendor.sh github.com/docker/engine-api v0.3.3` will vendor only
engine-api at the specified tag/commit.
`./hack/vendor.sh git github.com/docker/engine-api v0.3.3` is the same
but specifies the VCS for cases where the VCS is something else than git
`./hack/vendor.sh git golang.org/x/sys
eb2c74142fd19a79b3f237334c7384d5167b1b46
https://github.com/golang/sys.git` will vendor only golang.org/x/sys
downloading from the specified URL
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Add link to valid image name and tag formats in referenced files
- Per review comments, updated docs to remove reference to `USERNAME` and
`REGISTRYHOST`.
- Per review comment, removed links from man page.
- Per review comment, added and updated examples on `docker tag`
Signed-off-by: Subhajit Ghosh <isubuz.g@gmail.com>
Make better default usage on context.Context on the `api/client` package
to share the context (it is useless if not shared, which was the case
for a lot of commands).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In Windows containers in TP5, DEL is interpreted as the delete key, but
Linux generally interprets it as backspace. This prevents backspace from
working when using a Linux terminal or the native console terminal
emulation in Windows.
To work around this, translate DEL to BS in Windows containers stdin when
TTY is enabled. Do this only for builds that do not have the fix in
Windows itself.
Signed-off-by: John Starks <jostarks@microsoft.com>
Initially this checks the kernel's maxkeys setting which is
low in some older distribution kernels, such that only 200 containers
can be created, reported in #22865.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Automatic translation of MLS labels is currently not
supported, so should not be documented as an example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The filtering is made server-side, and the following filters are
supported:
* is-official (boolean)
* is-automated (boolean)
* has-stars (integer)
Signed-off-by: Fabrizio Soppelsa <fsoppelsa@mirantis.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Now supports setting a containers storage size when using zfs as the
storage engine. By passing in `--storage-opt size=<size>`, the created
container's storage size will be limited to the given size. Note that
the way zfs works, the given specified storage size will be given in
addition to the base container size.
Example:
The node image reports a size of `671M` from `df -h` when started.
Setting `--storage-opt size=2G` will result in a drive the size of
`671M` + `2G`, `2.7G` in total. Available space will be `2.0G`.
The storage size is achieved by setting the zfs option `quota` to the
given size on the zfs volume.
Signed-off-by: Ken Herner <kherner@progress.com>
Containers using the host network stack (--net=host)
are not affected by "ip-forwarding" being disabled,
so there's not need to show a warning.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This includes a fix to soft database corruption that would cause Docker
to fail to start if the daemon died in the middle of a transaction
write.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
CONFIG_MEMCG_KMEM is removed since 4.6, it's accounted by default
since 4.6, so it's merged to CONFIG_MEMCG.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
The LXC built-in exec driver has been deprecated in 1.8 and
further removed in 1.10, yet in deprecated.md it still shows:
```
Target For Removal In Release: v1.10
```
This fix changes the above to `Removed In Release:`.
In addition, lxc-conf flag and API fields have already been
removed in 1.10 as well so the related description has also been
updated in this fix.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This commit is a follow up of the last commit:
Vendor engine-api to allow docker daemon reload event.
After vendor/engine-api has been updated, the following
unit test fails:
```
--- FAIL: TestRestartPolicy (0.00s)
hostconfig_test.go:177: RestartPolicy.IsNone for { 0} should have been false but was true
```
The reason for the above failed unit test is that pull request:
https://github.com/docker/engine-api/pull/200
updated behavior of the restart policy and makes restartpolicy.IsNone
return true if restart policy name is `""`. As a result, the above
mentioned unit test fails.
This fix fixes the inconsistency of the unit test so that `TestRestartPolicy`
could pass again.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updated the vendored engine-api to version
e374c4fb5b121a8fd4295ec5eb91a8068c6304f4, which defines a new event
type of `DaemonEventType`. The purpose is to allow emitting`
`daemon reload` event as is raised in #22463.
This fix is related to #22463 and #22590.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This improves reliability by doing parsing of potentially untrusted data
in a separate process. It opens the door for further security improvements
if we can lock down the reexec-ed process. It also improves import
performance by only taking the backup and restore privileges once, for the
whole process.
Signed-off-by: John Starks <jostarks@microsoft.com>
This fixes a variety of small bugs in layer handling and adds a new API
for acquiring privileges for the whole process.
Fixes#22404 (but only for new images -- existing images will need to be
re-pushed).
Signed-off-by: John Starks <jostarks@microsoft.com>
This fix tries to address the issue raised in #22358 where syslog's
message tag always starts with `docker/` and can not be removed
by changing the log tag templates.
The issue is that syslog driver hardcodes `path.Base(os.Args[0])`
as the prefix, which is the binary file name of the daemon (`dockerd`).
This could be an issue for certain situations (e.g., #22358) where
user may prefer not to have a dedicated prefix in syslog messages.
There is no way to override this behavior in the current verison of
the docker.
This fix tries to address this issue without making changes in the
default behavior of the syslog driver. An additional
`{{.DaemonName}}` has been introduced in the syslog tag. This is
assigned as the `docker` when daemon starts. The default log tag
template has also been changed from
`path.Base(os.Args[0]) + "/{{.ID}}"` to `{{.DaemonName}}/{{.ID}}`.
Therefore, there is no behavior changes when log-tag is not provided.
In order to be consistent, the default log tag for fluentd has been
changed from `docker.{{.ID}}` to `{{DaemonName}}.{{.ID}}` as well.
The documentation for log-tag has been updated to reflect this change.
Additional test cases have been added to cover changes in this fix.
This fix fixes#22358.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Removing the call to Shutdown from within Signal in order to rely on waitExit handling the exit of the process.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
The image spec in image/spec/v1.md is quite a bit out of date. Not only
is it missing the changes that went into 1.10 for content
addressability, but it has inaccuracies that date back further, such as
mentioning storing tarsum in the image configuration.
This commit creates image/spec/v1.1.md which brings the specification up
to date. It discusses content addressability, new fields in the image
configuration, the repository/tag grammar, and the current mechanism for
exporting an image.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fix tries to address issues raised in #20936 and #22443
where `docker pull` or `docker push` fails because of the
concurrent connection failing.
Currently, the number of maximum concurrent connections is
controlled by `maxDownloadConcurrency` and `maxUploadConcurrency`
which are hardcoded to 3 and 5 respectively. Therefore, in
situations where network connections don't support multiple
downloads/uploads, failures may encounter for `docker push`
or `docker pull`.
This fix tries changes `maxDownloadConcurrency` and
`maxUploadConcurrency` to adjustable by passing
`--max-concurrent-uploads` and `--max-concurrent-downloads` to
`docker daemon` command.
The documentation related to docker daemon has been updated.
Additional test case have been added to cover the changes in this fix.
This fix fixes#20936. This fix fixes#22443.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
It includes a small improvement, we hit test timeout sometimes
for some reason, print out the timed out case would be very
helpful.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
the 'modify_ldt' was listed as "blocked by default",
but was whitelisted in 13a9d4e899
this updates the documentation to reflect this
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This gives discovery a chance to initialize, particularly if the K/V
store being used is in a container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The old command line options have been deprecated in 1.8.0 and
eventually removed in 1.10.0 through PR #17724, though the
deprecated.md still shows `Target For Removal In Release`.
This fix updates the deprecated.md and changes
`Target For Removal In Release` to `Removed In Release`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.
While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.
It also cleans up some architecture specific system calls to be
only selected when needed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Add the swapMemorySupport requirement to all tests related to the OOM killer. The --memory option has the subtle side effect of defaulting --memory-swap to double the value of --memory. The OOM killer doesn't kick in until the container exhausts memory+swap, and so without the memory swap cgroup the tests will timeout due to swap being effectively unlimited.
Document the default behavior of --memory-swap in the docker run man page.
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
use a consistent approach for checking if the
backing filesystem is compatible with the
storage driver.
also add an error-message for the AUFS driver if
an incompatible combination is found.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since 1.9, driver specific log tag options
`syslog-tag`
`gelf-tag`
`fluentd-tag`
have been deprecated in favor of the generic tag
option which is standard across different logging
drivers.
This fix removed the deprecated driver specific
log tag options of `syslog-tag`, `gelf-tag`,
`fluentd-tag` for 1.12 and updated the docs.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The path we're trying to remove doesn't exist after a successful
chroot+chdir because a / is only appended after pivot_root is
successful and so we can't cleanup anymore with the old path.
Also fix leaking .pivot_root dirs under /var/lib/docker/tmp/docker-builder*
on error.
Fix https://github.com/docker/docker/issues/22587
Introduced by https://github.com/docker/docker/pull/22506
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Since 1.9, Docker Content Trust Offline key has been renamed to
Root key and the Tagging key has been renamed to Repository key.
The corresponding environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE`
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE`
have also been deprecated and renamed to
`DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`
`DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`
This fix removed the deprecated ENV passphrase variables for
1.12 and updated the docs.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The colon separator(`:`) of `--security-opt` flag was deprecated
in 1.11.0. However, the subtitle in deprecated docs is missing
so it is placed under the same subtitle as the deprecated `-e` and
`--email` flags.
This fix adds the missing subtitle in deprecated docs.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The jsonlog logger currently allows specifying envs and labels that
should be propagated to the log message, however there has been no way
to read that back.
This adds a new API option to enable inserting these attrs back to the
log reader.
With timestamps, this looks like so:
```
92016-04-08T15:28:09.835913720Z foo=bar,hello=world hello
```
The extra attrs are comma separated before the log message but after
timestamps.
Without timestaps it looks like so:
```
foo=bar,hello=world hello
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Add description for "process" labels to the reviewing
documentation. Also changed some headings from h1 -> h2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Auto-creation of host-paths has been un-deprecated,
so to have feature-parity between Linux and Windows,
this feature should also be present on Windows.
This enables auto-creation on Windows.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the documentations says that you can drop "a file" into the
`docker.service.d` directory, but does not note that the file must end
with `.conf` in order to be recognized by systemd. This can lead to
some [confusion][] if readers are not previously familiar with
systemd.
[confusion]: https://botbot.me/freenode/docker/2016-05-06/?msg=65605541&page=11
Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
- Update now returns only an error
- NewNotaryRepository now takes a trustpinning configuration - we will provide an empty one for now.
Signed-off-by: cyli <cyli@twistedmatrix.com>
This updates the supervisor example documentation
to use an up-to-date version of Ubuntu.
Also reduced the use of "royal We", and tweaked some
language.
Finally, added some language hints for code-highlighting.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The uek kernel needs to be install first in order to get the correct
btrfs tools version.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This fixes one issue with Docker running under a grsec kernel, which
denies chmod and mknod under chroot.
Note, if pivot_root fails it will still fallback to chroot.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently on kernels booted without the "cgroup_enable=memory" kernel
parameter the testcase TestApiStatsContainerGetMemoryLimit fails with:
FAIL: docker_api_stats_test.go:231: TestApiStatsContainerGetMemoryLimit.pN52_github_com_docker_docker_integration_cli.DockerSuite
docker_api_stats_test.go:256:
c.Assert(fmt.Sprintf("%d", v.MemoryStats.Limit), checker.Equals, fmt.Sprintf("%d", info.MemTotal))
... obtained string = "0"
... expected string = "33759145984"
Fix this and skip the testcase if the kernel does not support cgroup memory
limit. In that case the output would be:
SKIP: docker_api_stats_test.go:231:
TestApiStatsContainerGetMemoryLimit.pN52_github_com_docker_docker_integration_cli.DockerSuite
(Test requires an environment that supports cgroup memory limit.)
ChangeLog:
----------
v4: Move TestApiStatsContainerGetMemoryLimit to docker_api_stats_unix_test.go
v3: Use existing "memoryLimitSupport" from requirements_unix.go
v2: Move check to requirements.go
Fixes#22477
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
See https://www.debian.org/News/2016/20160425 and https://wiki.debian.org/LTS/Using for more details.
> For Debian 7 "Wheezy" LTS there will be no requirement to add a separate wheezy-lts suite to your sources.list any more. In fact you will not notice the switch to LTS because after the official security support by the Debian Security Team ends, security updates will be provided via security.debian.org 's wheezy/updates.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
dotCloud no longer exists, and since this part of the
readme is refering to "where it all started", replaced
the link with an archive link around the time that
Docker was publicly announced.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to addess the issue in #21956 where `docker inspect`
will overwrite the log config options with default option even when
the `--log-driver` is not empty and `--log-opt` is empty. In this
situation, `docker inspect` and `docker run` is different.
With the introduction of #21153, the `HostConfig` will always have
the correct log-driver and log-opt values.
However, the previous processing of `docker inspect` was not updated
after the change in #21153. This results in the incorrect behavior.
This fix addresses this issue by updating `docker inspect` to conform
to #21153 so the the behavior of `docker inspect` and `docker run` is
consistent.
A integration test has been added to cover this fix.
This fix fixes#21956. This fix is related to #21153.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
An environment variable cannot directly be used as a bash array, this
patch loops through all the IFS separated value (which default to
space) instead.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
When `psFormat` is used in the docker client config json, if the output
is non-standard it breaks some of the completion handling for
containers.
This fixes that by ensuring that calls to `ps` use the default/standard
formatting by calling `docker ps --format 'table'`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This adds support for reloading the docker daemon
(SIGHIUP) so that changes in '/etc/docker/daemon.json'
can be loaded at runtime by reloading the service
through systemd ('systemctl reload docker')
Before this change, systemd would output an error
that "reloading" is not supported for the docker
service;
systemctl reload docker
Failed to reload docker.service: Job type reload is not applicable for unit docker.service.
After this change, the docker daemon can be reloaded
through 'systemctl reload docker', which reloads
the configuration;
journalctl -f -u docker.service
May 02 03:49:20 testing systemd[1]: Reloading Docker Application Container Engine.
May 02 03:49:20 testing docker[28496]: time="2016-05-02T03:49:20.143964103-04:00" level=info msg="Got signal to reload configuration, reloading from: /etc/docker/daemon.json"
May 02 03:49:20 testing systemd[1]: Reloaded Docker Application Container Engine.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- added an image-link to the contributors guide
- added a link to forums.docker.com
- removed link to the docker-user Google Group, which is no longer in use
- remove the "Issue Report Template", because we now have a template for this on GitHub
- remove reference to the old "Docker-DCO-1.1-Signed-off-by" sign-off
- changed some none-https links to https
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We need to have labels applied even if a container is running in privileged
mode. On an tightly locked down SELinux system, this will cause running
without labels will cause SELinux to block privileged mode containers.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This flag can be set on disk if the daemon were to crash or error out
while trying to remove container in which case subsequent tries to
delete the container would all fail.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
before:
```
$ time docker --help
real 0m0.177s
user 0m0.000s
sys 0m0.040s
```
after:
```
$ time docker --help
real 0m0.010s
user 0m0.000s
sys 0m0.000s
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
the events API was rewritten in 723be0a332,
but the example response in the documentation doesn't reflect the actual output
this fixes the example response
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- [x] Update man page description
- [x] Update man page sample output to something more current
Tested with: `TESTFLAGS='-check.f DockerSuite.TestInfoEnsureSucceeds*'
make test-integration-cli`
Signed-off-by: Lucas Chan <lucas-github@lucaschan.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This add a new filter to 'docker network ls'
to allow filtering by driver-name.
Contrary to "ID" and "name" filters, this
filter only supports an *exact* match.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This generates an ID string for calls to Mount/Unmount, allowing drivers
to differentiate between two callers of `Mount` and `Unmount`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When exec a non-exist command, it should print a newline at last.
Currently:
```
$ docker exec -ti f5f703ea2c0a144 bash
rpc error: code = 2 desc = "oci runtime error: exec failed: exec:
\"bash\": executable file not found in $PATH"$
```
Signed-off-by: Feng Yan <fy2462@gmail.com>
TestBuildNotVerboseFailure use a non-exist image busybox1,
it requires network connection to access to Dockerhub, skip
this test if there is no network.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
The runc compile currently fails on s390x:
Step 35 : RUN set -x && export GOPATH="$(mktemp -d)" && git clone
https://github.com/opencontainers/runc.git
"$GOPATH/src/github.com/opencontainers/runc" && cd
"$GOPATH/src/github.com/opencontainers/runc" && git checkout -q
"$RUNC_COMMIT" && make static BUILDTAGS="seccomp apparmor selinux" &&
cp runc /usr/local/bin/docker-runc
[snip]
# github.com/seccomp/libseccomp-golang
Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp.go:25:22:
fatal error: seccomp.h: No such file or directory
// #include <seccomp.h>
The problem is that the installed libseccomp version in trusty is too old.
Fix this and install version 2.3.0 of libseccomp like it is done in the
x86 Dockerfile.
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Remove function `WaitRunning` because it's actually not necessary, also
remove wait channel for state "running" to avoid mixed use of the state
wait channel.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This adds support for Windows dockerd to run as a Windows service, managed
by the service control manager. The log is written to the Windows event
log (and can be viewed in the event viewer or in PowerShell). If there is
a Go panic, the stack is written to a file panic.log in the Docker root.
Signed-off-by: John Starks <jostarks@microsoft.com>
"TestRestartContainerwithRestartPolicy" contains some codes that could be
flaky, it's supposed to be fixed in #22256.
This commit removes unnecessary code, make the test case cleaner.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This change enables the workflow of finishing installing Windows OS updates in the container after it has completed running, via a special servicing container.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Use sockets.DialerFromEnvironment, as is done in other places,
to transparently support SOCKS proxy config from ALL_PROXY
environment variable.
Requires the *engine* have the ALL_PROXY env var set, which
doesn't seem ideal. Maybe it should be a CLI option somehow?
Only tested with push and a v2 registry so far. I'm happy to look
further into testing more broadly, but I wanted to get feedback on
the general idea first.
Signed-off-by: Brett Higgins <brhiggins@arbor.net>
This fix tries to address the issue raised in #22271 where
relative symlinks don't work with --device argument.
Previously, the symlinks in --device was implemneted (#20684)
with `os.Readlink()` which does not resolve if the linked
target is a relative path. In this fix, `filepath.EvalSymlinks()`
has been used which will reolve correctly with relative
paths.
An additional test case has been added to the existing
`TestRunDeviceSymlink` to cover changes in this fix.
This fix is related to #13840 and #20684, #22271.
This fix fixes#22271.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
commit 20a038eca6 changed
daemon configuration reloading to check if a value
was actually set, however, it checked for the wrong
property ("label" instead of "labels"), which resulted
in the labels only to be loaded from daemon.json if both
a "label" -and- a "labels" property was present.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change adds file version information to docker.exe and dockerd.exe by
adding a Windows version resource with the windres tool.
This change adds a dependency to binutils-mingw-w64 on Linux, but removes
a dependency on rsrc. Most Windows build environments should already have
windres if they have gcc (which is necessary to build dockerd).
Signed-off-by: John Starks <jostarks@microsoft.com>
This fix tries to address the inconsistency in #22036 where labels
set on the command line will not override labels specified in
Dockerfile, but will override labels inherited from `FROM` images.
The fix add a LABEL with command line options at the end of the
processed Dockerfile so that command line options labels always
override the LABEL in Dockerfiles (or through `FROM`).
An integration test has been added for test cases specified in #22036.
This fix fixes#22036.
NOTE: Some changes are from #22266 (@tiborvass).
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue in #22244 where the remote
API `/auth` will not set the default value of `serveraddress`
if not provided. This behavior happens after only in 1.11.0
and is a regression as in 1.10.3 `serveraddress` will be assigned
with `IndexServer` if no value is provided.
The default value `IndexServer` is assigned to `serveraddress` if
no value provided in this fix.
An integration test `TestAuthApi` has been added to cover this change
This fix fixes#22244.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Restore the 1.10 logic that will reset the restart manager's timeout or
backoff delay if a container executes longer than 10s reguardless of
exit status or policy.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
With gcc 5 version 1.4.2 of go is included. This version does not support
go's "native vendoring" which is needed to build notary since git commit
51dc1747e4ab5 ("Move the godeps workspace to the vendor directory to be
compliant with Go 1.6").
As a workaround create a symlink "vendor/src" that points to "vendor/".
This allows to compile notary with gcc 5.
Closes#22007
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
This avoid an extra bind mount within /var/run/docker/libcontainerd
This should resolve situations where a container having the host
/var/run bound prevents other containers from being cleanly removed
(e.g. #21969).
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
For each language, if there is one library which is clearly the
best or most active, I've removed the other libraries so users
aren't mislead.
I've removed the web UIs because they're not really client
libraries.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
Add a proxy to support 'docker daemon'
Fix configFile option, and remove a test that is no longer relevant.
Remove daemon build tag.
Remove DOCKER_CLIENTONLY from build scripts.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Change docker-daemon to dockerd.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This functionality has been fixed by
7bca932182 but then it has been broken
again by a793564b25 and finally refixed
here.
Basically the functionality was to prompt for login when trying to pull
from the official docker hub.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
There was an error in validation logic before, should use period
instead of quota, and also add check for negative
number here, if not with that, it would had cpu.cfs_period_us: invalid argument
which is not good for users.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
These syscalls are already blocked by the default capabilities:
mlock mlock2 mlockall require CAP_IPC_LOCK
vhangup requires CAP_SYS_TTY_CONFIG
There is therefore no reason to allow them in the default profile
as they cannot be used anyway.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This makes sure fsdiff doesn't try to unmount things that shouldn't be.
**Note**: This is intended as a temporary solution to have as minor a
change as possible for 1.11.1. A bigger change will be required in order
to support container re-attach.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Right now there is no way to know what's the minimum free space threshold
daemon is applying. It would be good to export it through docker info and
then user knows what's the current value. Also this could be useful to
higher level management tools which can look at this value and setup their
own internal thresholds for image garbage collection etc.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This fix tries to fix the http panics caused by container deletion
with empty names in #22210.
The issue was because when an empty string was passed, `GetByName()`
tried to access the first element of the name string without checking
the length. A length check has been added.
A test case for #22210 has been added.
This fix fixes#22210.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Leslie B. Lamport is an American computer scientist. Lamport is
best known for his seminal work in distributed systems and as the
initial developer of the document preparation system LaTeX.
Maria Gaetana Agnesi was an Italian mathematician, philosopher,
theologian and humanitarian. She was the first woman to write a
mathematics handbook and the first woman appointed as a Mathematics
Professor at a University.
Signed-off-by: Ali Dehghani <ali.dehghani.g@gmail.com>
when it is passed with bad arguments and no arguments. This patch would divide the total number of commands into five sets and runs them in parallel.
Test time is improved from around 9 seconds to around 3 seconds
Signed-off-by: Sainath Grandhi <sainath.grandhi@intel.com>
Why? Because the `mount` here will sometimes fail when run in
`debian:jessie`, which is what the environrment hosting the test suite
is running if run from the `Makefile`.
Also, why the heck not containerize it, all the things.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Docker 1.5 and older is no longer supported by Docker Hub,
so there's not much need to document the API for those
versions.
Documentation is still available on GitHub, and through
the older versions of the documentation for those
that really need it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to fix issues mentioned in #22100 for incorrect
description of remote API's container creation params.
Several issues have been fixed:
1. CPU and memory related params (e.g., `MemorySwap`, `CpuShares`, etc.)
were incorrectly placed under the top level instead of under the HostConfig.
(v1.18-v1.24)
2. The param `Cpuset` has been deprecated but was never removed.
(v1.18-v1.24)
3. The param `PidsLimit` was not added even though the description
has been added.
(v1.23-v1.24)
This fix fixes#22100
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
pidfile.New() was opening a file in /proc to determine if the owning
process still exists. Use syscall.OpenProcess() on Windows instead.
Other OSes may also need to be updated here.
Signed-off-by: John Starks <jostarks@microsoft.com>
People have reported following issue with overlay
$ docker run -ti --name=foo -v /dev/:/dev fedora bash
$ docker cp foo:/bin/bash /tmp
$ exit container
Upon container exit, /dev/pts gets unmounted too. This happens because
docker cp volume mounts get propagated to /run/docker/libcontainer/....
and when container exits, it must be tearing down mount point under
/run/docker/libcontainerd/... and as these are "shared" mounts it
propagates events to /dev/pts and it gets unmounted too.
One way to solve this problem is to make sure "docker cp" volume mounts
don't become visible under /run/docker/libcontainerd/..
Here are more details of what is actually happening.
Make overlay home directory (/var/lib/docker/overlay) private mount when
docker starts and unmount it when docker stops. Following is the reason
to do it.
In fedora and some other distributions / is "shared". That means when
docker creates a container and mounts it root in /var/lib/docker/overlay/...
that mount point is "shared".
Looks like after that containerd/runc bind mounts that rootfs into
/runc/docker/libcontainerd/container-id/rootfs. And this puts both source
and destination mounts points in shared group and they both are setup
to propagate mount events to each other.
Later when "docker cp" is run it sets up container volumes under
/var/lib/dokcer/overlay/container-id/... And all these mounts propagate
to /runc/docker/libcontainerd/... Now mountVolumes() makes these new
mount points private but by that time propagation already has happened
and private only takes affect when unmount happens.
So to stop this propagation of volumes by docker cp, make
/var/lib/docker/overlay a private mount point. That means when a container
rootfs is created, that mount point will be private too (it will inherit
property from parent). And that means when bind mount happens in /runc/
dir, overlay mount point will not propagate mounts to /runc/.
Other graphdrivers like devicemapper are already doing it and they don't
face this issue.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
link feature in docker0 bridge by default provides short-id as a
container alias. With built-in SD feature, providing a container
short-id as a network alias will fill that gap.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Fixes#22030
Because the publisher uses this same value to all the
stats endpoints we need to make a copy of this as soon as we get it so
that we can make our modifications without it affecting others.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This patch did following:
1) Make filter check logic same as `docker ps ` filters
Right now docker container logic work as following:
when same filter used like below:
-f name=jack -f name=tom
it would get all containers name is jack or tom(it is or logic)
when different filter used like below:
-f name=jack -f id=7d1
it would get all containers name is jack and id contains 7d1(it is and logic)
It would make sense in many user cases, but it did lack of compliate filter cases,
like "I want to get containers name is jack or id=7d1", it could work around use
(get id=7d1 containers' name and get name=jack containers, and then construct the
final containers, they could be done in user side use shell or rest API)
2) Fix one network filter bug which could include duplicate result
when use -f name= -f id=, it would get duplicate results
3) Make id filter same as container id filter, which means match any string.
not use prefix match.
It is for consistent match logic
Closes: #21417
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
RPC connection closing error will be reported every time we shutdown
daemon, this error is expected, so we should remove this error to avoid
confusion to user.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
For context: https://github.com/golang/go/issues/15286
This commit downloads go1.5.3 in addition to go1.5.4 in order to
workaround the issue.
It is not expected to do a Docker release without a proper fix, however
this should help unblock Docker development on Windows TP5.
Signed-off-by: Tibor Vass <tibor@docker.com>
Docker 1.11 added a feature to set labels on volumes,
networks and images (during build), but these changes
were not documented in the API documentation.
This adds the new features to the documentation.
Also fixes some minor formatting, and options that
were not used in the examples.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "registry" query-param was in added 10c0e99037,
and removed in docker 0.5.0 via 66a9d06d9f.
Aparently, it was never removed from the documentation,
and included in all versions of the API docs.
This removes it from the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `Status` field is a `map[string]interface{}` which allows the driver to pass
back low-level details about the underlying volume.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
People have reported following problem.
- docker run -ti --name=foo -v /dev/:/dev/ fedora bash
- docker cp foo:/bin/bash /tmp
Once the cp operation is complete, it unmounted /dev/pts on the host. /dev/pts
is a submount of /dev/. This is completely unexpected. Following is the
reson for this behavior.
containerArchivePath() call mountVolumes() which goes through all the mounts
points of a container and mounts them in daemon mount namespace in
/var/lib/docker/devicemapper/mnt/<containerid>/rootfs dir. And once we have
extracted the data required, these are unmounted using UnmountVolumes().
Mounts are done using recursive bind (rbind). And these are unmounted using
lazy mount option on top level mount. (detachMounted()). That means if there
are submounts under top level mounts, these mount events will propagate and
they were "shared" mounts with host, it will unmount the submount on host
as well.
For example, try following.
- Prepare a parent and child mount point.
$ mkdir /root/foo
$ mount --bind /root/foo /root/foo
$ mount --make-rshared /root/foo
- Prepare a child mount
$ mkdir /root/foo/foo1
$ mount --bind /root/foo/foo1 /root/foo/foo1
- Bind mount foo at bar
$ mkdir /root/bar
$ mount --rbind /root/foo /root/bar
- Now lazy unmount /root/bar and it will unmount /root/foo/foo1 as well.
$ umount -l /root/bar
This is not unintended. We just wanted to unmount /root/bar and anything
underneath but did not have intentions of unmounting anything on source.
So far this was not a problem as docker daemon was running in a seprate
mount namespace where all propagation was "slave". That means any unmounts
in docker daemon namespace did not propagate to host namespace.
But now we are running docker daemon in host namespace so that it is possible
to mount some volumes "shared" with container. So that if container mounts
something it propagates to host namespace as well.
Given mountVolumes() seems to be doing only temporary mounts to read some
data, there does not seem to be a need to mount these shared/slave. Just
mount these private so that on unmount, nothing propagates and does not
have unintended consequences.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This test was flaky on ppc64le, where the average time to close was
around 1 second. This bumps that timeout to 60 seconds which should be
plently.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Running on kernel versions older than 3.10 has not been
supported for a while (as it's known to be unstable).
With the containerd integration, this has become more
apparent, because kernels < 3.4 don't support PR_SET_CHILD_SUBREAPER,
which is required for containerd-shim to run.
Change the previous "warning" to a "fatal" error, so
that we refuse to start.
There's still an escape-hatch for users by setting
"DOCKER_NOWARN_KERNEL_VERSION=1" so that they can
run "at their own risk".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Auto-creation of non-existing host directories
is no longer deprecated (9d5c26bed2),
so this warning is no longer relevant.
This removes the deprecation warning.
Also removes the "system" package here, because it's only used
on non-Windows, so basically just called os.MkdirAll()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Using new methods from engine-api, that make it clearer which element is
required when consuming the API.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
If contaner start fail of (say) "command not found", the container
actually didn't start at all, we shouldn't log start and die event for
it, because that doesnt actually happen.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Don't throw "restartmanager canceled" error for no restart policy container
and add the container id to the warning message if a container has restart policy
and has been canceled.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
If a build context tar has path names of the form 'x/./y', they will be
stored in this unnormalized form internally by tarsum. When the builder
walks the untarred directory tree and queries hashes for each relative
path, it will query paths of the form 'x/y', and they will not be found.
To correct this, have tarsum normalize path names by calling Clean.
Add a test to detect this caching false positive.
Fixes#21715
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This change allow to filter events that happened in the past
without waiting for future events. Example:
docker events --since -1h --until -30m
Signed-off-by: David Calavera <david.calavera@gmail.com>
Distro packagers will often use the tarball to build a package and have
the build script for the package in git. To avoid that the docker build
script picks up the git commit from the distro repo we also check for a
directory named .git before check for -unsupported builds.
Signed-off-by: Natanael Copa <natanael.copa@docker.com>
This feature was added after the 1.11 code-freeze,
so will be part of the 1.12 release. Moving it to the
right API version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some fixes in the changelog were not regressions
since 1.10.x, but only present in 1.11 release candidates
so don't need to be mentioned for the release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 99589731ac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this patch, containers are silently removed from the stats list
on error. This patch instead will display `--` for all fields for the
container that had the error, allowing it to recover from errors.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
In TP5, Hyper-V containers need all image files ACLed so that the virtual
machine process can access them. This was fixed post-TP5 in Windows, but
for TP5 we need to explicitly add these ACLs.
Signed-off-by: John Starks <jostarks@microsoft.com>
* Fix closing strings in graphdriver plugin documentation
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
* Fix documenation for Err type in graphdriver plugins
Fix https://github.com/docker/go-plugins-helpers/issues/24
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
* Add missing MountLabel argument in graphdriver plugin documentation
The real `Create` seems also to take more arguments (the `storageOpt`) which
are not exposed to the plugin API (yet?).
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
* Add missing CreateReadWrite in graphdriver plugin documentation
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
Copy edit the content
Updates to existing material
Adding mbentley's comments
Updating with last minute comments
Update with Seb's comments
Signed-off-by: Mary Anthony <mary@docker.com>
Binaries are now distributed as a '.tgz' or '.zip'
archive, and contain multiple binaries for Linux.
This updates the instructions for 1.11.
Also mention that the Windows 64-bit binary
actually can be used as a daemon. Given that
this is still in beta, no instructions were
added for *running* a daemon on Windows.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The documentation already says the cache miss happens only at `ARG`
variable usage, not declaration, but there is a very common implicit
usage: `RUN`, which this commit documents even more, improving on #21790.
Also, use `definition` instead of `declaration`: it's the same thing, and
`definition` is already used in this documentation, contrary to
`declaration`.
Also, distinguish between "instructions" and "variables defined by `ARG`
instructions".
Signed-off-by: Thomas Riccardi <riccardi@systran.fr>
Implements a `CachedPath` function on the volume plugin adapter that we
call from the volume list function instead of `Path.
If a driver does not implement `CachedPath` it will just call `Path`.
Also makes sure we store the path on Mount and remove the path on
Unmount.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This patch will allow users to specify namespace specific "kernel parameters"
for running inside of a container.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Since there are other users of pkg/listeners, it doesn't make sense to
contain Docker-specific semantics and warnings inside it. To that end,
move the scary warning about -tlsverify and the libnetwork port
allocation code to CmdDaemon (where they belong). This helps massively
reduce the dependency tree for users of pkg/listeners.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
@nwt noticed that the media type specified in the config section of a
schema2 manifest is application/octet-stream, instead of the correct
value application/vnd.docker.container.image.v1+json.
This brings in https://github.com/docker/distribution/pull/1622 to fix
this.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Newly created containers which are not started yet should not list
when "exited=0" filter is used with "ps -a"
Signed-off-by: Boynux <boynux@gmail.com>
This change supports the importing of layers that contain utility VM
images. This is necessary to support Hyper-V containers running on a
non-centrally-managed image.
Signed-off-by: John Starks <jostarks@microsoft.com>
This improves getting the source for the binaries that are compiled on
the system so that they can be copied into the bundles output.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
If aufs is already modprobe'd but we are in a user namespace, the
aufs driver will happily load but then get eperm when it actually tries
to do something. So detect that condition.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This makes separating middlewares from the core api easier.
As an example, the authorization middleware is moved to
it's own package.
Initialize all static middlewares when the server is created, reducing
allocations every time a route is wrapper with the middlewares.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Currently if you restart docker daemon, all the containers with restart
policy `on-failure` regardless of its `RestartCount` will be started,
this will make daemon cost more extra time for restart.
This commit will stop these containers to do unnecessary start on
daemon's restart.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to fix the issue in #21848 where `docker stats` will not correctly
display the container stats in case the container reuse another container's
network stack.
The issue is that when `stats` is performed, the daemon will check for container
network setting's `SandboxID`. Unfortunately, for containers that reuse another
container's network stack (`NetworkMode.IsConnected()`), SandboxID is not assigned.
Therefore, the daemon thinks the id is invalid and remote API will never return.
This fix tries to resolve the SandboxID by iterating through connected containers
and identify the appropriate SandboxID.
A test case for `stats` remote API has been added to check if `stats` will return
within the timeout.
This fix fixes#21848.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the incorrect request json body for
`/containers/create` in remote API docs.
When using the example json request for `/containers/create`, there are two
errors:
(1). `invalid character '"' after object key:value pair`
This is because a `,` is missing after `"Volumes": {}`
This issue exists in v1.20-v1.24
(2). `Invalid --security-opt: ""`
This is becasue in `"SecurityOpt": [""]` line, an empty string
`""` is passed yet `""` is not a valid `SecurityOpt`. Either no string,
or a valid string (e.g., "no-new-privileges") could be used.
This issue exists in v1.15-v1.24
This fix updates the docs and correct the above two issues.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Now that we are checking if the image and host have the same architectures
via #21272, this value should be null so that the test passes on non-x86
machines
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This fix tries to fix the discrepancy between `docker stats` and
`docker run` where `docker run` uses RAMInBytes for all memory
related inputs but `docker stats` uses HumanSize for all memory
related outputs.
To be consistent, `docker stats` needs to use BytesSize for all
memory related outputs to conform to RAMInBytes in `docker run`.
This fix addresses this issue. As BytesSize is used, the test
cases needs to be adjusted to match `KiB/MiB/GiB` instead of
`KB/MB/GB`.
The documentation has also been updated.
This fix fixes#21765.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
When user try to restart a restarting container, docker client report
error: "container is already active", and container will be stopped
instead be restarted which is seriously wrong.
What's more critical is that when user try to start this container
again, it will always fail.
This error can also be reproduced with a `docker stop`+`docker start`.
And this commit will fix the bug.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to fix the discrepancy between API and CLI on hostname
validation. Previously, the hostname validation was handled at the
CLI interface in runconfig/opts/parse.go and return an error if the
hostname is invalid. However, if an end user use the remote API to
pass the hostname, the error will not be returned immediately.
Instead the error will only be thrown out when the container creation
fails. This creates behavior discrepancy between API and CLI.
In this fix, the hostname validation was moved to
verifyContainerSettings so the behavior will be the same for API and
CLI.
After the change, since CLI does not handle the hostname validation
any more, the previous unit tests about hostname validation on CLI
in runconfig/opts/parse_test.go has to be updated as well because
there is no validation at this stage. All those unit tests are moved
to integration test TestRunTooLongHostname so that the hostname
validation is still properly covered as before.
Note: Since the hostname validation moved to API, the error message
changes from `invalid hostname format for --hostname:` to
`invalid hostname format:` as well because `--hostname` is passed
to CLI only.
This fix fixes#21595.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to add an additional syslog-format of `rfc5424micro` which follows
the same as rfc5424 except that it use microsecond resolution for timestamp. The
purpose is to solve the issue raised in #21793 where log events might lose its
ordering if happens on the same second.
The timestamp field in rfc5424 is derived from rfc3339, though the maximium
resolution is limited to "TIME-SECFRAC" which is 6 (microsecond resolution).
The appropriate documentation (`docs/admin/logging/overview.md`) has been updated
to reflect the change in this fix.
This fix adds a unit test to cover the newly introduced format.
This fix fixes#21793.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
When container is automatically restarted based on restart policy,
docker events can't get "start" event but only get "die" event, this is
not consistent with previous behavior. This commit will add "start"
event back.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This adds support to the Windows graph driver for ApplyDiff on a base
layer. It also adds support for hard links, which are needed because the
Windows base layers double in size without hard link support.
Signed-off-by: John Starks <jostarks@microsoft.com>
These changes add support for importing base layers and change the tar
metadata for Windows layers to better match the intent of the tar format.
Signed-off-by: John Starks <jostarks@microsoft.com>
Previously, Windows only supported running with a OS-managed base image.
With this change, Windows supports normal, Linux-like layered images, too.
Signed-off-by: John Starks <jostarks@microsoft.com>
Fixes an issue that prevents nano server images from loading properly. Also updates logic for custom image loading to avoid preventing daemon start because an image failed to load.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
For test that should be exclusively run only in regular daemon builds
and not in the experimental version, add a requirement.
Verified using TestCleanupMountsAfterDaemonKill.
- On regular daemon, the test ran.
- On experimental daemon, the test skipped.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Temporarily include a fork of golang/net package
that includes a performance patch. Measured performance
gain is ~60ms for every `docker run` command.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Since we can't use the TasksMax value in the docker.service
file by default, we can uncomment it at buildtime.
See docker/docker/pull/21491 for some background.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Overlay tests were failing when /var/tmp was an overlay mount with a misleading message.
Now overlay tests will be skipped when attempting to be run on overlay.
Tests will now use the TMPDIR environment variable instead of only /var/tmp
Fixes#21686
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
On aufs, auplink is run before the Unmount. Irrespective of the
result, we proceed to issue a Unmount syscall. In which case,
demote erros on auplink to warning.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This should not have been in init() as it causes these lookups to happen
in all reexecs of the Docker binary. The only time it needs to be
resolved is when a user is added, which is extremely rare.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Since the layer store was introduced, the level above the graphdriver
now differentiates between read/write and read-only layers. This
distinction is useful for graphdrivers that need to take special steps
when creating a layer based on whether it is read-only or not.
Adding this parameter allows the graphdrivers to differentiate, which
in the case of the Windows graphdriver, removes our dependence on parsing
the id of the parent for "-init" in order to infer this information.
This will also set the stage for unblocking some of the layer store
unit tests in the next preview build of Windows.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
This else case was lost in the migration from native execdriver to OCI
implementation via runc. There is no need to have external setkey when
--net=host.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Kernel has no limit for memory reservation, but in different
kernel versions, the default behavior is different.
On kernel 3.13,
docker run --rm --memory-reservation 1k busybox cat /sys/fs/cgroup/memory/memory.soft_limit_in_bytes
the output would be 4096, but on kernel 4.1, the output is 0.
Since we have minimum limit for memory and kernel memory, we
can have this limit for memory reservation as well, to make
the behavior consistent.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Creates a `fixedBuffer` type that is used to encapsulate functionality
for reading/writing from the underlying byte slices.
Uses lazily-loaded set of sync.Pools for storing buffers that are no
longer needed so they can be re-used.
```
benchmark old ns/op new ns/op delta
BenchmarkBytesPipeWrite-8 138469 48985 -64.62%
BenchmarkBytesPipeRead-8 130922 56601 -56.77%
benchmark old allocs new allocs delta
BenchmarkBytesPipeWrite-8 18 8 -55.56%
BenchmarkBytesPipeRead-8 0 0 +0.00%
benchmark old bytes new bytes delta
BenchmarkBytesPipeWrite-8 66903 1649 -97.54%
BenchmarkBytesPipeRead-8 0 1 +Inf%
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This vendors in new spec/runc that supports
setting readonly and masked paths in the
configuration. Using this allows us to make an
exception for `—-privileged`.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
These fields are needed to specify the exact version of Windows that an
image can run on. They may be useful for other platforms in the future.
This also changes image.store.Create to validate that the loaded image is
supported on the current machine. This change affects Linux as well, since
it now validates the architecture and OS fields.
Signed-off-by: John Starks <jostarks@microsoft.com>
The prior error message caused confusion. If a user attempts to push an
image up to a registry, but they misspelled (or forgot to properly tag
their image) they would see the message 'Repository does not exist', which
is not very clear and causes some to think that there might be a problem
with the registry or connectivity to it, when the problem was simply just
that an image with that tag specified does not exist locally.
Signed-off-by: Dave MacDonald <mindlapse@gmail.com>
This fix tries to address the issue mentioned in Docker Remote API where
the examples for creating a container (`POST /containers/create`) with
volumes were incorrect. In the previous remote API document, the `Mounts`
fields was used for volume creation yet since v1.20 `Volumes` should be
used.
This fix fixes#21335.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
btrfs-progs-4.5 introduces device delete by devid
for this reason btrfs_ioctl_vol_args_v2's name was encapsulated
in a union
this patch is for setting btrfs_ioctl_vol_args_v2's name
using a C function in order to preserve compatibility
with all btrfs-progs versions
Signed-off-by: Julio Montes <imc.coder@gmail.com>
Now that listeners is no longer an internal of the client, make it less
Docker-specific (despite there still being some open questions as how to
deal with some of the warnings that listeners has to emit). We should
move as much of the Docker-specific stuff (especially the port
allocation) to docker/ where it belongs (or maybe pass a check function).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
This code will be used in containerd and is quite useful in general to
people who want a nice way of creating listeners from proto://address
arguments (even supporting socket activation). Separate it out from
docker/ so people can use it much more easily.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Fixed some http status codes and decreased site-order for docker_remote_api_v1.24.md to appear in the right order in the menu
Signed-off-by: Robin Naundorf <r.naundorf@fh-muenster.de>
Close could be called twice on a temporary download file, which could
have bad side effects.
This fixes the problem by setting to ld.tmpFile to nil when the download
completes sucessfully. Then the call to ld.Close will have no effect,
and only the download manager will close the temporary file when it's
done extracting the layer from it. ld.Close will be responsible for
closing the file if we hit the retry limit and there is still a partial
download present.
Fixes#21675
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Get was calling getReference without layerL held. This meant writes to
the references map could race. Such races are dangerous because they can
corrupt the map and crash the process.
Fixes#21616Fixes#21674
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
- Refactor generic and path based cleanup functions into a single function.
- Include aufs and zfs mounts in the mounts cleanup.
- Containers that receive exit event on restore don't require manual cleanup.
- Make missing sandbox id message a warning because currently sandboxes are always cleared on startup. libnetwork#975
- Don't unmount volumes for containers that don't have base path. Shouldn't be needed after #21372
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Also modify an integration test that hardcoded the error string so it
uses the exported error variable from libcontainer/user.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Auto-creation of host-directories was marked deprecated in
Docker 1.9, but was decided to be too much of an backward-incompatible
change, so it was decided to keep the feature.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes Windows behavior consistent with Linux -- the entry point must
be an executable, not an executable and set of arguments.
Signed-off-by: John Starks <jostarks@microsoft.com>
Existing tests assume that the entrypoint in a docker run command will be
split into multiple arguments, which is inconsistent with Linux. Fix the
tests depending on this behavior.
Signed-off-by: John Starks <jostarks@microsoft.com>
Its useful to have containerd logs as part of docker.
Containerd metrics are too chatty, so set interval to 0.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Following the discussion in #21556, adding a short description of the
default user authentication mechanism (without requiring authentication
plugins)
Signed-off-by: Liron Levin <liron@twistlock.com>
This pull request added a `SecurityOptions` field in the `GET /info`
output to show if there is `apparmor`, `seccomp`, or `selinux` suport.
The API changes are updated in the documentation and the update in
`GET /info` is covered by the test case in `TestInfoApi`.
This pull request fixes#20909.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This pull request tries to diagnosis and fix the flaky test of
TestRunAttachFailedNoLeak. The test failed several times in
Docker CI but is very difficult to repeat even in CI.
This pull request first try to repeat the issue at the Jenkins
server with some diagnosis message added to the output in case
the test fails again.
Since the added ouputs will only be invoked when test fails,
it will not add any unnecessary content in normal situations.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updated documentations to add the `Warnings` fields in
`GET /volumes` API.
The `Warnings` has been part of the `GET /volumes` API response
since Docker 1.10 (v1.21). However, the `Warnings` field is not
in the documentation so there are some confusions (See #21606).
This fix updated the related documentations in v1.22, v1.23, and
v1.24 and added this field to the API.
This fix is related to #21605.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This includes fixes for;
- outputing errors for missing seccomp options on seccomp versions < 2.3
- cap set apply EPERM errors on ARM systems
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix unmount issues in the daemon crash and restart lifecycle, w.r.t
graph drivers. This change sets a live container RWLayer's activity
count to 1, so that the RWLayer is aware of the mount. Note that
containerd has experimental support for restore live containers.
Added/updated corresponding tests.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
runc expects a systemd cgroupsPath to be in slice:scopePrefix:containerName
format and the "--systemd-cgroup" option to be set. Update docker accordingly.
Fixes 21475
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Currently the directory inside of the tgz files is /usr/local/bin
and this is causing some confusion, and problems with people who already
have stuff in those directories. This commit changes the directory
to /docker to help remove the confusion.
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
Completion of these options was not handled consistently.
Now all such options immediatly complete with =false appended.
Signed-off-by: Harald Albers <github@albersweb.de>
The current error message is "Error: image [name] not found". This makes
sense from the perspective of the v1 pull, since we found the repository
doesn't exist over the v1 protocol. However, in the vast majority of
cases, this error will be produced by fallback situations, where we
first try to pull the tag with the v2 protocol, and then fall back the
v1 protocol, which probably isn't even supported by the server.
Including the tag in the error message makes a lot more sense since the
actual repository may exist on v2, but not the tag.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
It was suggested to me that documentation for "docker pull" and "docker
push" should reference "docker login", to make clearer how to specify
credentials for a push or pull operation. Add a note to the manual pages
and reference documentation explaining how registry credentials are
managed.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Despite the current issue with unix sockets and golang, I'm bumping this back up to 1.6.
Go <1.6 has major compatibility issues on ppc64* including not supporting dynamic binding,
so we would have to go back to gccgo, which is worse in a lot of other categories. Ultimately for us,
the amount of people affected by this issue isn't worth switching compilers.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This PR updates vendored engine-api to e37a82dfcea64559ca6a581776253c01d83357d9
in order to support `SecurityOptions` in `Info`.
See #20909, #21172 for details related to `SecurityOptions`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Currently Docker authorization framework does not use any user
information, which already available in the Docker context for TLS
connection.
The purpose of this CR is to complete the existing authz work by adding
the basic client certificate details (SUBJECT_NAME) and authentication
method (TLS) to the authz request.
We think this should be the default behavior when no extended
authorization module is specified (currently WIP under #20883).
Signed-off-by: Liron Levin <liron@twistlock.com>
`TEST_REPEAT=n` runs the test suite again n times or
until the first failure without doing building and
daemon setup. Useful for debugging flaky tests.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Avoids allocations and copying by using a buffer pool for intermediate
writes.
```
benchmark old ns/op new ns/op delta
BenchmarkWrite-8 996 175 -82.43%
benchmark old MB/s new MB/s speedup
BenchmarkWrite-8 4414.48 25069.46 5.68x
benchmark old allocs new allocs delta
BenchmarkWrite-8 2 0 -100.00%
benchmark old bytes new bytes delta
BenchmarkWrite-8 4616 0 -100.00%
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Add some missing dependencies in the Dockerfile:
- apt-utils for apt-ftparchive.conf
- bsdmainutils for our use of the column command in
hack/make/generate-index-listing
We also ensure that the docker daemon is started before calling
release-deb or release-rpm, since .detect-daemon-osarch, which is sourced
in each of them, requires the daemon to be running.
This commit also gets completely rid of s3cmd and fixes references to
AWS_* environment variables (changing from AWS_ACCESS_KEY to
AWS_ACCESS_KEY_ID and AWS_SECRET_KEY to AWS_SECRET_ACCESS_KEY) in order
to please awscli. Also AWS_DEFAULT_REGION is now important to specify,
the default has been set to the region used by get.docker.com and
test.docker.com.
Signed-off-by: Tibor Vass <tibor@docker.com>
* build-essential is needed by `make`
* libapparmor-dev is needed by runc
* seccomp is needed by runc
* Go is neeeded by runc
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
In this way, we can restore the Terminal as soon as possible once the hijacked
connection end. This not only fix weird output if cli enable -D, but also
remove duplicate code.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
This change include filter `name` and `driver`,
and also update related docs to reflect that filters usage.
Closes: #21243
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
These are the changes required due to the new binaries that containerd introduced.
The rpm, and deb packages now include 5 binaries.
docker, containerd, containerd-shim, ctr, and runc
The tar files also include all 5 binaries.
Signed-off-by: Ken Cochrane <KenCochrane@gmail.com>
.bashrc was removed in 29fbc9cc1d
but is still needed. It serves as a hook to customize the build environment.
Signed-off-by: Harald Albers <github@albersweb.de>
This fix tries to fix issues encountered when running a container with a hostname
that is longer than HOST_NAME_MAX(64).
Previously, `could not synchronise with container process` was generated as the
length of the regex check was missing.
This fix covers the length check so that a hostname that is longer than
HOST_NAME_MAX(64) will be given a correct error message.
Several unit tests cases and additional integration test cases are added as well.
This fix closes#21445.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The server configuration already keeps the current version
if the daemon. This patch changes the middleware logic
to use it rather than using the global value.
This removes the dockerversion package dependency from the api.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Following a journal log almost always requires a descriptor to be
allocated. In cases where we're running out of descriptors, this means
we might get stuck while attempting to start following the journal, at a
point where it's too late to report it to the client and clean up
easily. The journal reading context will cache the value once it's
allocated, so here we move the check earlier, so that we can detect a
problem when we can still report it cleanly.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
When we set up to start following a journal, if we get error results
from sd_journal_get_fd() or sd_journal_get_events() that prevent us from
following the journal, report the error instead of just mysteriously
failing.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
Contains fixes for:
- pid.max fix that is causing hang on network stats test.
- fix for early stdin close containerd-shim
- better logging for `could not synchronise with container process`
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Instead of implementing refcounts at each graphdriver, implement this in
the layer package which is what the engine actually interacts with now.
This means interacting directly with the graphdriver is no longer
explicitly safe with regard to Get/Put calls being refcounted.
In addition, with the containerd, layers may still be mounted after
a daemon restart since we will no longer explicitly kill containers when
we shutdown or startup engine.
Because of this ref counts would need to be repopulated.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When a plugin is first found, it is loaded into the available plugins
even though it's not activated yet.
If activation fails it is taken out of the list.
While it is in the list, other callers may see it and try to check it's
manifest. If it is not fully activated yet, the manifest will be nil and
cause a panic.
This is especially problematic for drivers that are down and have not
been activated yet.
We could just not load the plugin into the available list until it's
fully active, however that will just cause multiple of the same plugin
to attemp to be loaded.
We could check if the manifest is nil and return early (instead of
panicing on a nil manifest), but this will cause a 2nd caller to receive
a response while the first caller is still waiting, which can be
awkward.
This change uses a condition variable to handle activation (instead of
sync.Once). If the plugin is not activated, callers will all wait until
it is activated and receive a broadcast from the condition variable
signaling that it's ok to proceed, in which case we'll check if their
was an error in activation and proceed accordingly.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to fix Docker core dumps when removing network with special
characters. The issue is from the fact that when docker client tries to
pass the command to API, the networkID is not escaped in case of special
characters. This also means other commands (not just `docker network rm`)
may face the same issue (e.g., `docker network connect`).
This fix adds the URL path escape to properly handle it. In addition, an
integration test for network create and delete is added to cover the cases
in #21401.
This fix fixes#21401.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit f8dc5562d0)
Signed-off-by: David Calavera <david.calavera@gmail.com>
Removes the seccomp buildtag when building runc.
Because seccomp isn't currently being built, this would cause
the build to fail.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Since certain filesystems don't support extended attributes, ignore
errors produced (emitting a warning) when attempting to apply extended
attributes to file.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Allow --net=container and --ipc=container tests to run when user
namespaces are enabled.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Items starting with `DEPRECATE` are important deprecation notices. For more
information on the list of deprecated flags and APIs please have a look at
https://docs.docker.com/misc/deprecated/ where target removal dates can also
https://docs.docker.com/engine/deprecated/ where target removal dates can also
be found.
## 1.12.0 (2016-07-14)
### Builder
+ New `HEALTHCHECK` Dockerfile instruction to support user-defined healthchecks [#23218](https://github.com/docker/docker/pull/23218)
+ New `SHELL` Dockerfile instruction to specify the default shell when using the shell form for commands in a Dockerfile [#22489](https://github.com/docker/docker/pull/22489)
+ Add `#escape=` Dockerfile directive to support platform-specific parsing of file paths in Dockerfile [#22268](https://github.com/docker/docker/pull/22268)
+ Add support for comments in `.dockerignore` [#23111](https://github.com/docker/docker/pull/23111)
* Support for UTF-8 in Dockerfiles [#23372](https://github.com/docker/docker/pull/23372)
* Skip UTF-8 BOM bytes from `Dockerfile` and `.dockerignore` if exist [#23234](https://github.com/docker/docker/pull/23234)
* Windows: support for `ARG` to match Linux [#22508](https://github.com/docker/docker/pull/22508)
- Fix error message when building using a daemon with the bridge network disabled [#22932](https://github.com/docker/docker/pull/22932)
### Contrib
* Enable seccomp for Centos 7 and Oracle Linux 7 [#22344](https://github.com/docker/docker/pull/22344)
- Remove MountFlags in systemd unit to allow shared mount propagation [#22806](https://github.com/docker/docker/pull/22806)
### Distribution
+ Add `--max-concurrent-downloads` and `--max-concurrent-uploads` daemon flags useful for situations where network connections don't support multiple downloads/uploads [#22445](https://github.com/docker/docker/pull/22445)
* Registry operations now honor the `ALL_PROXY` environment variable [#22316](https://github.com/docker/docker/pull/22316)
* Provide more information to the user on `docker load` [#23377](https://github.com/docker/docker/pull/23377)
### Logging
+ Syslog logging driver now supports DGRAM sockets [#21613](https://github.com/docker/docker/pull/21613)
+ Add `--details` option to `docker logs` to also display log tags [#21889](https://github.com/docker/docker/pull/21889)
+ Enable syslog logger to have access to env and labels [#21724](https://github.com/docker/docker/pull/21724)
+ An additional syslog-format option `rfc5424micro` to allow microsecond resolution in syslog timestamp [#21844](https://github.com/docker/docker/pull/21844)
* Inherit the daemon log options when creating containers [#21153](https://github.com/docker/docker/pull/21153)
* Remove `docker/` prefix from log messages tag and replace it with `{{.DaemonName}}` so that users have the option of changing the prefix [#22384](https://github.com/docker/docker/pull/22384)
### Networking
+ Built-in Virtual-IP based internal and ingress load-balancing using IPVS [#23361](https://github.com/docker/docker/pull/23361)
+ Secured multi-host overlay networking using encrypted control-plane and Data-plane [#23361](https://github.com/docker/docker/pull/23361)
+ MacVlan driver is out of experimental [#23524](https://github.com/docker/docker/pull/23524)
+ Add `driver` filter to `network ls` [#22319](https://github.com/docker/docker/pull/22319)
+ Adding `network` filter to `docker ps --filter` [#23300](https://github.com/docker/docker/pull/23300)
+ Add `--link-local-ip` flag to `create`, `run` and `network connect` to specify a container's link-local address [#23415](https://github.com/docker/docker/pull/23415)
+ Add network label filter support [#21495](https://github.com/docker/docker/pull/21495)
* Removed dependency on external KV-Store for Overlay networking in Swarm-Mode [#23361](https://github.com/docker/docker/pull/23361)
* Add container's short-id as default network alias [#21901](https://github.com/docker/docker/pull/21901)
*`run` options `--dns` and `--net=host` are no longer mutually exclusive [#22408](https://github.com/docker/docker/pull/22408)
- Fix DNS issue when renaming containers with generated names [#22716](https://github.com/docker/docker/pull/22716)
- Allow both `network inspect -f {{.Id}}` and `network inspect -f {{.ID}}` to address inconsistency with inspect output [#23226](https://github.com/docker/docker/pull/23226)
### Plugins (experimental)
+ New `plugin` command to manager plugins with `install`, `enable`, `disable`, `rm`, `inspect`, `set` subcommands [#23446](https://github.com/docker/docker/pull/23446)
### Remote API (v1.24) & Client
+ Split the binary into two: `docker` (client) and `dockerd` (daemon) [#20639](https://github.com/docker/docker/pull/20639)
+ Add `before` and `since` filters to `docker images --filter` [#22908](https://github.com/docker/docker/pull/22908)
+ Add `--limit` option to `docker search` [#23107](https://github.com/docker/docker/pull/23107)
+ Add `--filter` option to `docker search` [#22369](https://github.com/docker/docker/pull/22369)
+ Add security options to `docker info` output [#21172](https://github.com/docker/docker/pull/21172) [#23520](https://github.com/docker/docker/pull/23520)
+ Add insecure registries to `docker info` output [#20410](https://github.com/docker/docker/pull/20410)
+ Extend Docker authorization with TLS user information [#21556](https://github.com/docker/docker/pull/21556)
+ devicemapper: expose Mininum Thin Pool Free Space through `docker info` [#21945](https://github.com/docker/docker/pull/21945)
* API now returns a JSON object when an error occurs making it more consistent [#22880](https://github.com/docker/docker/pull/22880)
- Prevent `docker run -i --restart` from hanging on exit [#22777](https://github.com/docker/docker/pull/22777)
- Fix API/CLI discrepancy on hostname validation [#21641](https://github.com/docker/docker/pull/21641)
- Fix discrepancy in the format of sizes in `stats` from HumanSize to BytesSize [#21773](https://github.com/docker/docker/pull/21773)
- authz: when request is denied return forbbiden exit code (403) [#22448](https://github.com/docker/docker/pull/22448)
### Runtime
+ Add `--live-restore` daemon flag to keep containers running when daemon shuts down, and regain control on startup [#23213](https://github.com/docker/docker/pull/23213)
+ Ability to add OCI-compatible runtimes (via `--add-runtime` daemon flag) and select one with `--runtime` on `create` and `run` [#22983](https://github.com/docker/docker/pull/22983)
+ New `overlay2` graphdriver for Linux 4.0+ with multiple lower directory support [#22126](https://github.com/docker/docker/pull/22126)
+ New load/save image events [#22137](https://github.com/docker/docker/pull/22137)
+ Add support for reloading daemon configuration through systemd [#22446](https://github.com/docker/docker/pull/22446)
+ Add disk quota support for btrfs [#19651](https://github.com/docker/docker/pull/19651)
+ Add disk quota support for zfs [#21946](https://github.com/docker/docker/pull/21946)
+ Add support for `docker run --pid=container:<id>` [#22481](https://github.com/docker/docker/pull/22481)
+ Align default seccomp profile with selected capabilities [#22554](https://github.com/docker/docker/pull/22554)
+ Add a `daemon reload` event when the daemon reloads its configuration [#22590](https://github.com/docker/docker/pull/22590)
+ Add `trace` capability in the pprof profiler to show execution traces in binary form [#22715](https://github.com/docker/docker/pull/22715)
+ Add a `detach` event [#22898](https://github.com/docker/docker/pull/22898)
+ Add support for setting sysctls with `--sysctl` [#19265](https://github.com/docker/docker/pull/19265)
+ Add `--storage-opt` flag to `create` and `run` allowing to set `size` on devicemapper [#19367](https://github.com/docker/docker/pull/19367)
* Undeprecate the `-c` short alias of `--cpu-shares` on `run`, `build`, `create`, `update` [#22621](https://github.com/docker/docker/pull/22621)
* Prevent from using aufs and overlay graphdrivers on an eCryptfs mount [#23121](https://github.com/docker/docker/pull/23121)
- Fix issues with tmpfs mount ordering [#22329](https://github.com/docker/docker/pull/22329)
- Created containers are no longer listed on `docker ps -a -f exited=0` [#21947](https://github.com/docker/docker/pull/21947)
- Fix an issue where containers are stuck in a "Removal In Progress" state [#22423](https://github.com/docker/docker/pull/22423)
- Fix bug that was returning an HTTP 500 instead of a 400 when not specifying a command on run/create [#22762](https://github.com/docker/docker/pull/22762)
- Fix bug with `--detach-keys` whereby input matching a prefix of the detach key was not preserved [#22943](https://github.com/docker/docker/pull/22943)
- SELinux labeling is now disabled when using `--privileged` mode [#22993](https://github.com/docker/docker/pull/22993)
- If volume-mounted into a container, `/etc/hosts`, `/etc/resolv.conf`, `/etc/hostname` are no longer SELinux-relabeled [#22993](https://github.com/docker/docker/pull/22993)
- Fix inconsistency in `--tmpfs` behavior regarding mount options [#22438](https://github.com/docker/docker/pull/22438)
- Fix an issue where daemon hangs at startup [#23148](https://github.com/docker/docker/pull/23148)
- Ignore SIGPIPE events to prevent journald restarts to crash docker in some cases [#22460](https://github.com/docker/docker/pull/22460)
- Containers are not removed from stats list on error [#20835](https://github.com/docker/docker/pull/20835)
- Fix `on-failure` restart policy when daemon restarts [#20853](https://github.com/docker/docker/pull/20853)
- Fix an issue with `stats` when a container is using another container's network [#21904](https://github.com/docker/docker/pull/21904)
### Swarm Mode
+ New `swarm` command to manage swarms with `init`, `join`, `leave`, `update` subcommands [#23361](https://github.com/docker/docker/pull/23361)
+ New `service` command to manage swarm-wide services with `create`, `inspect`, `update`, `remove`, `tasks` subcommands [#23361](https://github.com/docker/docker/pull/23361)
+ New `node` command to manage nodes with `accept`, `promote`, `demote`, `inspect`, `update`, `tasks`, `ls` and `rm` subcommands [#23361](https://github.com/docker/docker/pull/23361)
+ (experimental) New `stack` and `deploy` commands to manage and deploy multi-service applications [#23522](https://github.com/docker/docker/pull/23522)
### Volume
+ Add support for local and global volume scopes (analogous to network scopes) [#22077](https://github.com/docker/docker/pull/22077)
+ Allow volume drivers to provide a `Status` field [#21006](https://github.com/docker/docker/pull/21006)
+ Add name/driver filter support for volume [#21361](https://github.com/docker/docker/pull/21361)
* Mount/Unmount operations now receives an opaque ID to allow volume drivers to differentiate between two callers [#21015](https://github.com/docker/docker/pull/21015)
- Fix issue preventing to remove a volume in a corner case [#22103](https://github.com/docker/docker/pull/22103)
- Windows: Enable auto-creation of host-path to match Linux [#22094](https://github.com/docker/docker/pull/22094)
### DEPRECATION
* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed
to `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` respectively [#22574](https://github.com/docker/docker/pull/22574)
* Remove deprecated `syslog-tag`, `gelf-tag`, `fluentd-tag` log option in favor of the more generic `tag` one [#22620](https://github.com/docker/docker/pull/22620)
* Remove deprecated feature of passing HostConfig at API container start [#22570](https://github.com/docker/docker/pull/22570)
* Remove deprecated `-f`/`--force` flag on docker tag [#23090](https://github.com/docker/docker/pull/23090)
* Remove deprecated `docker ps` flags `--since` and `--before` [#22138](https://github.com/docker/docker/pull/22138)
* Deprecate the old 3-args form of `docker import` [#23273](https://github.com/docker/docker/pull/23273)
## 1.11.2 (2016-05-31)
### Networking
- Fix a stale endpoint issue on overlay networks during ungraceful restart ([#23015](https://github.com/docker/docker/pull/23015))
- Fix an issue where the wrong port could be reported by `docker inspect/ps/port` ([#22997](https://github.com/docker/docker/pull/22997))
### Runtime
- Fix a potential panic when running `docker build` ([#23032](https://github.com/docker/docker/pull/23032))
- Fix interpretation of `--user` parameter ([#22998](https://github.com/docker/docker/pull/22998))
- Fix a bug preventing container statistics to be correctly reported ([#22955](https://github.com/docker/docker/pull/22955))
- Fix an issue preventing container to be restarted after daemon restart ([#22947](https://github.com/docker/docker/pull/22947))
- Fix issues when running 32 bit binaries on Ubuntu 16.04 ([#22922](https://github.com/docker/docker/pull/22922))
- Fix a possible deadlock on image deletion and container attach ([#22918](https://github.com/docker/docker/pull/22918))
- Fix an issue where containers fail to start after a daemon restart if they depend on a containerized cluster store ([#22561](https://github.com/docker/docker/pull/22561))
- Fix an issue causing `docker ps` to hang on CentOS when using devicemapper ([#22168](https://github.com/docker/docker/pull/22168), [#23067](https://github.com/docker/docker/pull/23067))
- Fix a bug preventing to `docker exec` into a container when using devicemapper ([#22168](https://github.com/docker/docker/pull/22168), [#23067](https://github.com/docker/docker/pull/23067))
## 1.11.1 (2016-04-26)
### Distribution
- Fix schema2 manifest media type to be of type `application/vnd.docker.container.image.v1+json` ([#21949](https://github.com/docker/docker/pull/21949))
### Documentation
+ Add missing API documentation for changes introduced with 1.11.0 ([#22048](https://github.com/docker/docker/pull/22048))
### Builder
* Append label passed to `docker build` as arguments as an implicit `LABEL` command at the end of the processed `Dockerfile` ([#22184](https://github.com/docker/docker/pull/22184))
### Networking
- Fix a panic that would occur when forwarding DNS query ([#22261](https://github.com/docker/docker/pull/22261))
- Fix an issue where OS threads could end up within an incorrect network namespace when using user defined networks ([#22261](https://github.com/docker/docker/pull/22261))
### Runtime
- Fix a bug preventing labels configuration to be reloaded via the config file ([#22299](https://github.com/docker/docker/pull/22299))
- Fix a regression where container mounting `/var/run` would prevent other containers from being removed ([#22256](https://github.com/docker/docker/pull/22256))
- Fix an issue where it would be impossible to update both `memory-swap` and `memory` value together ([#22255](https://github.com/docker/docker/pull/22255))
- Fix a regression from 1.11.0 where the `/auth` endpoint would not initialize `serveraddress` if it is not provided ([#22254](https://github.com/docker/docker/pull/22254))
- Add missing cleanup of container temporary files when cancelling a schedule restart ([#22237](https://github.com/docker/docker/pull/22237))
- Remove scary error message when no restart policy is specified ([#21993](https://github.com/docker/docker/pull/21993))
- Fix a panic that would occur when the plugins were activated via the json spec ([#22191](https://github.com/docker/docker/pull/22191))
- Fix restart backoff logic to correctly reset delay if container ran for at least 10secs ([#22125](https://github.com/docker/docker/pull/22125))
- Remove error message when a container restart get cancelled ([#22123](https://github.com/docker/docker/pull/22123))
- Fix an issue where `docker` would not correctly clean up after `docker exec` ([#22121](https://github.com/docker/docker/pull/22121))
- Fix a panic that could occur when serving concurrent `docker stats` commands ([#22120](https://github.com/docker/docker/pull/22120))`
- Revert deprecation of non-existent host directories auto-creation ([#22065](https://github.com/docker/docker/pull/22065))
- Hide misleading rpc error on daemon shutdown ([#22058](https://github.com/docker/docker/pull/22058))
## 1.11.0 (2016-04-13)
**IMPORTANT**: With Docker 1.11, a Linux docker installation is now made of 4 binaries (`docker`, [`docker-containerd`](https://github.com/docker/containerd), [`docker-containerd-shim`](https://github.com/docker/containerd) and [`docker-runc`](https://github.com/opencontainers/runc)). If you have scripts relying on docker being a single static binaries, please make sure to update them. Interaction with the daemon stay the same otherwise, the usage of the other binaries should be transparent. A Windows docker installation remains a single binary, `docker.exe`.
### Builder
- Fix a bug where Docker would not use the correct uid/gid when processing the `WORKDIR` command ([#21033](https://github.com/docker/docker/pull/21033))
- Fix a bug where copy operations with userns would not use the proper uid/gid ([#20782](https://github.com/docker/docker/pull/20782), [#21162](https://github.com/docker/docker/pull/21162))
### Client
* Usage of the `:` separator for security option has been deprecated. `=` should be used instead ([#21232](https://github.com/docker/docker/pull/21232))
+ The client user agent is now passed to the registry on `pull`, `build`, `push`, `login` and `search` operations ([#21306](https://github.com/docker/docker/pull/21306), [#21373](https://github.com/docker/docker/pull/21373))
* Allow setting the Domainname and Hostname separately through the API ([#20200](https://github.com/docker/docker/pull/20200))
* Docker info will now warn users if it can not detect the kernel version or the operating system ([#21128](https://github.com/docker/docker/pull/21128))
- Fix an issue where `docker stats --no-stream` output could be all 0s ([#20803](https://github.com/docker/docker/pull/20803))
- Fix a bug where some newly started container would not appear in a running `docker stats` command ([#20792](https://github.com/docker/docker/pull/20792))
* Post processing is no longer enabled for linux-cgo terminals ([#20587](https://github.com/docker/docker/pull/20587))
- Values to `--hostname` are now refused if they do not comply with [RFC1123](https://tools.ietf.org/html/rfc1123) ([#20566](https://github.com/docker/docker/pull/20566))
+ Docker learned how to use a SOCKS proxy ([#20366](https://github.com/docker/docker/pull/20366), [#18373](https://github.com/docker/docker/pull/18373))
+ Docker now supports external credential stores ([#20107](https://github.com/docker/docker/pull/20107))
*`docker ps` now supports displaying the list of volumes mounted inside a container ([#20017](https://github.com/docker/docker/pull/20017))
*`docker info` now also reports Docker's root directory location ([#19986](https://github.com/docker/docker/pull/19986))
- Docker now prohibits login in with an empty username (spaces are trimmed) ([#19806](https://github.com/docker/docker/pull/19806))
* Docker events attributes are now sorted by key ([#19761](https://github.com/docker/docker/pull/19761))
*`docker ps` no longer shows exported port for stopped containers ([#19483](https://github.com/docker/docker/pull/19483))
- Docker now cleans after itself if a save/export command fails ([#17849](https://github.com/docker/docker/pull/17849))
* Docker load learned how to display a progress bar ([#17329](https://github.com/docker/docker/pull/17329), [#120078](https://github.com/docker/docker/pull/20078))
### Distribution
- Fix a panic that occurred when pulling an image with 0 layers ([#21222](https://github.com/docker/docker/pull/21222))
- Fix a panic that could occur on error while pushing to a registry with a misconfigured token service ([#21212](https://github.com/docker/docker/pull/21212))
+ All first-level delegation roles are now signed when doing a trusted push ([#21046](https://github.com/docker/docker/pull/21046))
+ OAuth support for registries was added ([#20970](https://github.com/docker/docker/pull/20970))
*`docker login` now handles token using the implementation found in [docker/distribution](https://github.com/docker/distribution) ([#20832](https://github.com/docker/docker/pull/20832))
*`docker login` will no longer prompt for an email ([#20565](https://github.com/docker/docker/pull/20565))
* Docker will now fallback to registry V1 if no basic auth credentials are available ([#20241](https://github.com/docker/docker/pull/20241))
* Docker will now try to resume layer download where it left off after a network error/timeout ([#19840](https://github.com/docker/docker/pull/19840))
- Fix generated manifest mediaType when pushing cross-repository ([#19509](https://github.com/docker/docker/pull/19509))
- Fix docker requesting additional push credentials when pulling an image if Content Trust is enabled ([#20382](https://github.com/docker/docker/pull/20382))
### Logging
- Fix a race in the journald log driver ([#21311](https://github.com/docker/docker/pull/21311))
* Docker syslog driver now uses the RFC-5424 format when emitting logs ([#20121](https://github.com/docker/docker/pull/20121))
* Docker GELF log driver now allows to specify the compression algorithm and level via the `gelf-compression-type` and `gelf-compression-level` options ([#19831](https://github.com/docker/docker/pull/19831))
* Docker daemon learned to output uncolorized logs via the `--raw-logs` options ([#19794](https://github.com/docker/docker/pull/19794))
+ Docker, on Windows platform, now includes an ETW (Event Tracing in Windows) logging driver named `etwlogs` ([#19689](https://github.com/docker/docker/pull/19689))
* Journald log driver learned how to handle tags ([#19564](https://github.com/docker/docker/pull/19564))
+ The fluentd log driver learned the following options: `fluentd-address`, `fluentd-buffer-limit`, `fluentd-retry-wait`, `fluentd-max-retries` and `fluentd-async-connect` ([#19439](https://github.com/docker/docker/pull/19439))
+ Docker learned to send log to Google Cloud via the new `gcplogs` logging driver. ([#18766](https://github.com/docker/docker/pull/18766))
### Misc
+ When saving linked images together with `docker save` a subsequent `docker load` will correctly restore their parent/child relationship ([#21385](https://github.com/docker/docker/pull/21385))
+ Support for building the Docker cli for OpenBSD was added ([#21325](https://github.com/docker/docker/pull/21325))
+ Labels can now be applied at network, volume and image creation ([#21270](https://github.com/docker/docker/pull/21270))
* The `dockremap` is now created as a system user ([#21266](https://github.com/docker/docker/pull/21266))
- Fix a few response body leaks ([#21258](https://github.com/docker/docker/pull/21258))
- Docker, when run as a service with systemd, will now properly manage its processes cgroups ([#20633](https://github.com/docker/docker/pull/20633))
*`docker info` now reports the value of cgroup KernelMemory or emits a warning if it is not supported ([#20863](https://github.com/docker/docker/pull/20863))
*`docker info` now also reports the cgroup driver in use ([#20388](https://github.com/docker/docker/pull/20388))
* Docker completion is now available on PowerShell ([#19894](https://github.com/docker/docker/pull/19894))
*`dockerinit` is no more ([#19490](https://github.com/docker/docker/pull/19490),[#19851](https://github.com/docker/docker/pull/19851))
+ Support for building Docker on arm64 was added ([#19013](https://github.com/docker/docker/pull/19013))
+ Experimental support for building docker.exe in a native Windows Docker installation ([#18348](https://github.com/docker/docker/pull/18348))
### Networking
- Fix panic if a node is forcibly removed from the cluster ([#21671](https://github.com/docker/docker/pull/21671))
- Fix "error creating vxlan interface" when starting a container in a Swarm cluster ([#21671](https://github.com/docker/docker/pull/21671))
*`docker network inspect` will now report all endpoints whether they have an active container or not ([#21160](https://github.com/docker/docker/pull/21160))
+ Experimental support for the MacVlan and IPVlan network drivers has been added ([#21122](https://github.com/docker/docker/pull/21122))
* Output of `docker network ls` is now sorted by network name ([#20383](https://github.com/docker/docker/pull/20383))
- Fix a bug where Docker would allow a network to be created with the reserved `default` name ([#19431](https://github.com/docker/docker/pull/19431))
*`docker network inspect` returns whether a network is internal or not ([#19357](https://github.com/docker/docker/pull/19357))
+ Control IPv6 via explicit option when creating a network (`docker network create --ipv6`). This shows up as a new `EnableIPv6` field in `docker network inspect` ([#17513](https://github.com/docker/docker/pull/17513))
* Support for AAAA Records (aka IPv6 Service Discovery) in embedded DNS Server ([#21396](https://github.com/docker/docker/pull/21396))
- Fix to not forward docker domain IPv6 queries to external servers ([#21396](https://github.com/docker/docker/pull/21396))
* Multiple A/AAAA records from embedded DNS Server for DNS Round robin ([#21019](https://github.com/docker/docker/pull/21019))
- Fix endpoint count inconsistency after an ungraceful dameon restart ([#21261](https://github.com/docker/docker/pull/21261))
- Move the ownership of exposed ports and port-mapping options from Endpoint to Sandbox ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed a bug which prevents docker reload when host is configured with ipv6.disable=1 ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed bug in iptables.Exists() logic [#21019](https://github.com/docker/docker/pull/21019)
- Fixed a Veth interface leak when using overlay network ([#21019](https://github.com/docker/docker/pull/21019))
- Fixed a bug which prevents docker reload after a network delete during shutdown ([#20214](https://github.com/docker/docker/pull/20214))
- Make sure iptables chains are recreated on firewalld reload ([#20419](https://github.com/docker/docker/pull/20419))
- Allow to pass global datastore during config reload ([#20419](https://github.com/docker/docker/pull/20419))
- For anonymous containers use the alias name for IP to name mapping, ie:DNS PTR record ([#21019](https://github.com/docker/docker/pull/21019))
- Fix a panic when deleting an entry from /etc/hosts file ([#21019](https://github.com/docker/docker/pull/21019))
- Source the forwarded DNS queries from the container net namespace ([#21019](https://github.com/docker/docker/pull/21019))
- Fix to retain the network internal mode config for bridge networks on daemon reload ([#21780] (https://github.com/docker/docker/pull/21780))
- Fix to retain IPAM driver option configs on daemon reload ([#21914] (https://github.com/docker/docker/pull/21914))
### Plugins
- Fix a file descriptor leak that would occur every time plugins were enumerated ([#20686](https://github.com/docker/docker/pull/20686))
- Fix an issue where Authz plugin would corrupt the payload body when faced with a large amount of data ([#20602](https://github.com/docker/docker/pull/20602))
### Runtime
- Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716))
- Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692))
- Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677))
- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
Docker 1.9, but was decided to be too much of a backward-incompatible change, so it was decided to keep the feature.
+ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
+ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
+ Docker Windows gained a minimal `top` implementation ([#21354](https://github.com/docker/docker/pull/21354))
* Docker learned to report the faulty exe when a container cannot be started due to its condition ([#21345](https://github.com/docker/docker/pull/21345))
* Docker with device mapper will now refuse to run if `udev sync` is not available ([#21097](https://github.com/docker/docker/pull/21097))
- Fix a bug where Docker would not validate the config file upon configuration reload ([#21089](https://github.com/docker/docker/pull/21089))
- Fix a hang that would happen on attach if initial start was to fail ([#21048](https://github.com/docker/docker/pull/21048))
- Fix an issue where registry service options in the daemon configuration file were not properly taken into account ([#21045](https://github.com/docker/docker/pull/21045))
- Fix a race between the exec and resize operations ([#21022](https://github.com/docker/docker/pull/21022))
- Fix an issue where nanoseconds were not correctly taken in account when filtering Docker events ([#21013](https://github.com/docker/docker/pull/21013))
- Fix the handling of Docker command when passed a 64 bytes id ([#21002](https://github.com/docker/docker/pull/21002))
* Docker will now return a `204` (i.e http.StatusNoContent) code when it successfully deleted a network ([#20977](https://github.com/docker/docker/pull/20977))
- Fix a bug where the daemon would wait indefinitely in case the process it was about to killed had already exited on its own ([#20967](https://github.com/docker/docker/pull/20967)
* The devmapper driver learned the `dm.min_free_space` option. If the mapped device free space reaches the passed value, new device creation will be prohibited. ([#20786](https://github.com/docker/docker/pull/20786))
+ Docker can now prevent processes in container to gain new privileges via the `--security-opt=no-new-privileges` flag ([#20727](https://github.com/docker/docker/pull/20727))
- Starting a container with the `--device` option will now correctly resolves symlinks ([#20684](https://github.com/docker/docker/pull/20684))
+ Docker now relies on [`containerd`](https://github.com/docker/containerd) and [`runc`](https://github.com/opencontainers/runc) to spawn containers. ([#20662](https://github.com/docker/docker/pull/20662))
- Fix docker configuration reloading to only alter value present in the given config file ([#20604](https://github.com/docker/docker/pull/20604))
+ Docker now allows setting a container hostname via the `--hostname` flag when `--net=host` ([#20177](https://github.com/docker/docker/pull/20177))
+ Docker now allows executing privileged container while running with `--userns-remap` if both `--privileged` and the new `--userns=host` flag are specified ([#20111](https://github.com/docker/docker/pull/20111))
- Fix Docker not cleaning up correctly old containers upon restarting after a crash ([#19679](https://github.com/docker/docker/pull/19679))
* Docker will now error out if it doesn't recognize a configuration key within the config file ([#19517](https://github.com/docker/docker/pull/19517))
- Fix container loading, on daemon startup, when they depends on a plugin running within a container ([#19500](https://github.com/docker/docker/pull/19500))
*`docker update` learned how to change a container restart policy ([#19116](https://github.com/docker/docker/pull/19116))
*`docker inspect` now also returns a new `State` field containing the container state in a human readable way (i.e. one of `created`, `restarting`, `running`, `paused`, `exited` or `dead`)([#18966](https://github.com/docker/docker/pull/18966))
+ Docker learned to limit the number of active pids (i.e. processes) within the container via the `pids-limit` flags. NOTE: This requires `CGROUP_PIDS=y` to be in the kernel configuration. ([#18697](https://github.com/docker/docker/pull/18697))
-`docker load` now has a `--quiet` option to suppress the load output ([#20078](https://github.com/docker/docker/pull/20078))
- Fix a bug in neighbor discovery for IPv6 peers ([#20842](https://github.com/docker/docker/pull/20842))
- Fix a panic during cleanup if a container was started with invalid options ([#21802](https://github.com/docker/docker/pull/21802))
- Fix a situation where a container cannot be stopped if the terminal is closed ([#21840](https://github.com/docker/docker/pull/21840))
### Security
* Object with the `pcp_pmcd_t` selinux type were given management access to `/var/lib/docker(/.*)?` ([#21370](https://github.com/docker/docker/pull/21370))
*`restart_syscall`, `copy_file_range`, `mlock2` joined the list of allowed calls in the default seccomp profile ([#21117](https://github.com/docker/docker/pull/21117), [#21262](https://github.com/docker/docker/pull/21262))
*`send`, `recv` and `x32` were added to the list of allowed syscalls and arch in the default seccomp profile ([#19432](https://github.com/docker/docker/pull/19432))
* Docker Content Trust now requests the server to perform snapshot signing ([#21046](https://github.com/docker/docker/pull/21046))
* Support for using YubiKeys for Content Trust signing has been moved out of experimental ([#21591](https://github.com/docker/docker/pull/21591))
### Volumes
* Output of `docker volume ls` is now sorted by volume name ([#20389](https://github.com/docker/docker/pull/20389))
* Local volumes can now accept options similar to the unix `mount` tool ([#20262](https://github.com/docker/docker/pull/20262))
- Fix an issue where one letter directory name could not be used as source for volumes ([#21106](https://github.com/docker/docker/pull/21106))
+ `docker run -v` now accepts a new flag `nocopy`. This tells the runtime not to copy the container path content into the volume (which is the default behavior) ([#21223](https://github.com/docker/docker/pull/21223))
## 1.10.3 (2016-03-10)
### Runtime
@@ -25,9 +362,9 @@ be found.
### Security
- Fix linux32 emulation to fail during docker build [#20672](https://github.com/docker/docker/pull/20672)
- Fix linux32 emulation to fail during docker build [#20672](https://github.com/docker/docker/pull/20672)
It was due to the `personality` syscall being blocked by the default seccomp profile.
- Fix Oracle XE 10g failing to start in a container [#20981](https://github.com/docker/docker/pull/20981)
- Fix Oracle XE 10g failing to start in a container [#20981](https://github.com/docker/docker/pull/20981)
It was due to the `ipc` syscall being blocked by the default seccomp profile.
- Fix user namespaces not working on Linux From Scratch [#20685](https://github.com/docker/docker/pull/20685)
- Fix issue preventing daemon to start if userns is enabled and the `subuid` or `subgid` files contain comments [#20725](https://github.com/docker/docker/pull/20725)
@@ -113,7 +450,7 @@ Engine 1.10 migrator can be found on Docker Hub: https://hub.docker.com/r/docker
+ Add `--tmpfs` flag to `docker run` to create a tmpfs mount in a container [#13587](https://github.com/docker/docker/pull/13587)
+ Add `--format` flag to `docker images` command [#17692](https://github.com/docker/docker/pull/17692)
+ Allow to set daemon configuration in a file and hot-reload it with the `SIGHUP` signal [#18587](https://github.com/docker/docker/pull/18587)
+ Updated docker events to include more meta-data and event types [#18888](https://github.com/docker/docker/pull/18888)
+ Updated docker events to include more meta-data and event types [#18888](https://github.com/docker/docker/pull/18888)
This change is backward compatible in the API, but not on the CLI.
+ Add `--blkio-weight-device` flag to `docker run` [#13959](https://github.com/docker/docker/pull/13959)
+ Add `--device-read-bps` and `--device-write-bps` flags to `docker run` [#14466](https://github.com/docker/docker/pull/14466)
@@ -148,18 +485,18 @@ Engine 1.10 migrator can be found on Docker Hub: https://hub.docker.com/r/docker
+ Add support for custom seccomp profiles in `--security-opt` [#17989](https://github.com/docker/docker/pull/17989)
+ Add `--authorization-plugin` flag to `daemon` to customize ACLs [#15365](https://github.com/docker/docker/pull/15365)
+ Docker Content Trust now supports the ability to read and write user delegations [#18887](https://github.com/docker/docker/pull/18887)
This is an optional, opt-in feature that requires the explicit use of the Notary command-line utility in order to be enabled.
+ Docker Content Trust now supports the ability to read and write user delegations [#18887](https://github.com/docker/docker/pull/18887)
This is an optional, opt-in feature that requires the explicit use of the Notary command-line utility in order to be enabled.
Enabling delegation support in a specific repository will break the ability of Docker 1.9 and 1.8 to pull from that repository, if content trust is enabled.
* Allow SELinux to run in a container when using the BTRFS storage driver [#16452](https://github.com/docker/docker/pull/16452)
### Distribution
* Use content-addressable storage for images and layers [#17924](https://github.com/docker/docker/pull/17924)
Note that a migration is performed the first time docker is run; it can take a significant amount of time depending on the number of images and containers present.
Images no longer depend on the parent chain but contain a list of layer references.
* Use content-addressable storage for images and layers [#17924](https://github.com/docker/docker/pull/17924)
Note that a migration is performed the first time docker is run; it can take a significant amount of time depending on the number of images and containers present.
Images no longer depend on the parent chain but contain a list of layer references.
`docker load`/`docker save` tarballs now also contain content-addressable image configurations.
For more information: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
For more information: https://github.com/docker/docker/wiki/Engine-v1.10.0-content-addressability-migration
* Add support for the new [manifest format ("schema2")](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md) [#18785](https://github.com/docker/docker/pull/18785)
* Lots of improvements for push and pull: performance++, retries on failed downloads, cancelling on client disconnect [#18353](https://github.com/docker/docker/pull/18353), [#18418](https://github.com/docker/docker/pull/18418), [#19109](https://github.com/docker/docker/pull/19109), [#18353](https://github.com/docker/docker/pull/18353)
Read our <a href="https://docs.docker.com/opensource/get-help/#irc-quickstart" target="_blank">IRC quickstart guide</a> for an easy way to get started.
flAuthor:=cmd.String([]string{"a","-author"},"","Author (e.g., \"John Hannibal Smith <hannibal@a-team.com>\")")
flChanges:=opts.NewListOpts(nil)
cmd.Var(&flChanges,[]string{"c","-change"},"Apply Dockerfile instruction to the created image")
// FIXME: --run is deprecated, it will be replaced with inline Dockerfile commands.
flConfig:=cmd.String([]string{"#-run"},"","This option is deprecated and will be removed in a future version in favor of inline Dockerfile-compatible commands")
cmd.Require(flag.Max,2)
cmd.Require(flag.Min,1)
cmd.ParseFlags(args,true)
var(
name=cmd.Arg(0)
repositoryAndTag=cmd.Arg(1)
repositoryNamestring
tagstring
)
//Check if the given image name can be resolved
ifrepositoryAndTag!=""{
ref,err:=reference.ParseNamed(repositoryAndTag)
iferr!=nil{
returnerr
}
repositoryName=ref.Name()
switchx:=ref.(type){
casereference.Canonical:
returnerrors.New("cannot commit to digest reference")
flags.StringVarP(&opts.author,"author","a","","Author (e.g., \"John Hannibal Smith <hannibal@a-team.com>\")")
opts.changes=dockeropts.NewListOpts(nil)
flags.VarP(&opts.changes,"change","c","Apply Dockerfile instruction to the created image")
// FIXME: --run is deprecated, it will be replaced with inline Dockerfile commands.
flags.StringVar(&opts.config,"run","","This option is deprecated and will be removed in a future version in favor of inline Dockerfile-compatible commands")
flags.MarkDeprecated("run","it will be replaced with inline Dockerfile commands.")
fmt.Fprintln(cli.err,`SECURITY WARNING: You are building a Docker image from Windows against a non-Windows Docker host. All files and directories added to build context will have '-rwxr-xr-x' permissions. It is recommended to double check and reset permissions for sensitive files and directories.`)
fmt.Fprintln(dockerCli.Err(),`SECURITY WARNING: You are building a Docker image from Windows against a non-Windows Docker host. All files and directories added to build context will have '-rwxr-xr-x' permissions. It is recommended to double check and reset permissions for sensitive files and directories.`)
}
// Everything worked so if -q was provided the output from the daemon
// should be just the image ID and we'll print that to stdout.
if*suppressOutput{
fmt.Fprintf(cli.out,"%s",buildBuff)
ifoptions.quiet{
fmt.Fprintf(dockerCli.Out(),"%s",buildBuff)
}
ifisTrusted(){
ifclient.IsTrusted(){
// Since the build was successful, now we must tag any of the resolved
// CmdImport creates an empty filesystem image, imports the contents of the tarball into the image, and optionally tags the image.
//
// The URL argument is the address of a tarball (.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) file or a path to local file relative to docker client. If the URL is '-', then the tar file is read from STDIN.
// CmdLogin logs in a user to a Docker registry service.
//
// If no server is specified, the user will be logged into or registered to the registry's index server.
//
// Usage: docker login SERVER
func(cli*DockerCli)CmdLogin(args...string)error{
cmd:=Cli.Subcmd("login",[]string{"[SERVER]"},Cli.DockerCommands["login"].Description+".\nIf no server is specified, the default is defined by the daemon.",true)
// if this is a defauly registry (docker hub), then display the following message.
fmt.Fprintln(cli.out,"Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
// CmdLogout logs a user out from a Docker registry.
//
// If no server is specified, the user will be logged out from the registry's index server.
//
// Usage: docker logout [SERVER]
func(cli*DockerCli)CmdLogout(args...string)error{
cmd:=Cli.Subcmd("logout",[]string{"[SERVER]"},Cli.DockerCommands["logout"].Description+".\nIf no server is specified, the default is defined by the daemon.",true)
cmd.Require(flag.Max,1)
cmd.ParseFlags(args,true)
varserverAddressstring
iflen(cmd.Args())>0{
serverAddress=cmd.Arg(0)
}else{
serverAddress=cli.electAuthServer()
}
// check if we're logged in based on the records in the config file
// which means it couldn't have user/pass cause they may be in the creds store
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
