These Markdown files are now embedded in a YAML
file for templating in the documentation, and
these special markers are no longer needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7e3169f26d)
Command name should be a H1
Only Description, Examples, and Related Commands should be H2
Changed 'Related information' heading to 'Related commands' since 99% it is only linking commands
Added some examples where relevant
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
(cherry picked from commit 52df69f00d)
Add zsh completion for missing 'docker plugin' commands and options
(cherry picked from commit da9a162301)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
fix status-code for "locked" swarm and "certificate expired"
(cherry picked from commit 6486924f0b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Windows: Retry workaround for RS1/RS2 compute system enumeration
(cherry picked from commit 7761c69e23)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- otherwise the attachment task will stay in store and
consume IP addresses and there is no way to remove it.
Signed-off-by: Alessandro Boch <aboch@docker.com>
add status code 404 for plugin api endpoint enable and disable
(cherry picked from commit 0113128b2a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
API: Delete container can return 409, but that isn't documented.
(cherry picked from commit 86f962a4a8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes manpages for p and z by downloading a specific version
of go instead of relying on the distro version.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit 5bec1b6864)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
While it is important to not create controllers for an invalid task,
certain properties should only be checked immediately before use. Early
host validation of mounts prevents resolution of the task Executor when
the mounts are not relevant to execution flow. In this case, we have a
check for the existence of a bind mount path in a creation function that
prevents a task controller from being resolved. Such early validation
prevents one from interacting directly with a controller and result in
unnecessary error reporting.
In accordance with the above, we move the validation of the existence of
host bind mount paths to the `Controller.Start` phase. We also call
these "checks", as they are valid mounts but reference non-existent
paths.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit 92899ffac8)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This persists the "propagated mount" for plugins outside the main
rootfs. This enables `docker plugin upgrade` to not remove potentially
important data during upgrade rather than forcing plugin authors to hard
code a host path to persist data to.
Also migrates old plugins that have a propagated mount which is in the
rootfs on daemon startup.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e8307b868d)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This allows a plugin to be upgraded without requiring to
uninstall/reinstall a plugin.
Since plugin resources (e.g. volumes) are tied to a plugin ID, this is
important to ensure resources aren't lost.
The plugin must be disabled while upgrading (errors out if enabled).
This does not add any convenience flags for automatically
disabling/re-enabling the plugin during before/after upgrade.
Since an upgrade may change requested permissions, the user is required
to accept permissions just like `docker plugin install`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 03c6949739)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to address the issue raised in 29291 where
the output of `--replicas` in `service create/update`:
```
--replicas uint Number of tasks (default none)
```
is misleading. User might incorrectly assume the number of replicas
would be `0` (`none`) by default, while the actual default is `1`.
The issue comes from the fact that some of the default values are
from daemon and it is not possible for client to find out the default
value.
In this case, it might be better to just simply not displaying `(default none)`.
This fix returns "" for `Uint64Opt` so that `(default none)` is hidden.
In addition to `--replicas`, this fix also changes
`--restart-delay`, `--restart-max-attempts`, `--stop-grace-period`,
`--health-interval`, `--health-timeout`, and `--restart-window`
in a similiar fashion.
New Output:
```
--health-interval duration Time between running the check (ns|us|ms|s|m|h)
--health-timeout duration Maximum time to allow one check to run (ns|us|ms|s|m|h)
...
--replicas uint Number of tasks
...
--restart-delay duration Delay between restart attempts (ns|us|ms|s|m|h)
--restart-max-attempts uint Maximum number of restarts before giving up
--restart-window duration Window used to evaluate the restart policy (ns|us|ms|s|m|h)
...
--stop-grace-period duration Time to wait before force killing a container (ns|us|ms|s|m|h)
```
The docs has been updated. Note the docs for help output of `service create/update`
is out of sync with the current master. This fix replace with the update-to-date
help output.
This fix fixes 29291.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit acc93db32b)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Signed-off-by: John Howard <jhoward@microsoft.com>
Working directory processing was handled differently for Hyper-V and Windows-Server containers, as annotated in the builder documentation (updated in this PR). For Hyper-V containers, the working directory set by WORKDIR was not created. This PR makes Hyper-V containers work the same as Windows Server containers (and the same as Linux).
Example (only applies to Hyper-V containers, so not reproducible under CI environment)
Dockerfile:
FROM microsoft/nanoserver
WORKDIR c:\installer
ENV GOROOT=c:\installer
ADD go.exe .
RUN go --help
Running on Windows Server 2016, using docker master without this change, but with daemon set to --exec-opt isolation=hyperv as it would be for Client operating systems.
PS E:\go\src\github.com\docker\docker> dockerd -g c:\control --exec-opt isolation=hyperv
time="2017-02-01T15:48:09.657286100-08:00" level=info msg="Windows default isolation mode: hyperv"
time="2017-02-01T15:48:09.662720900-08:00" level=info msg="[graphdriver] using prior storage driver: windowsfilter"
time="2017-02-01T15:48:10.011588000-08:00" level=info msg="Graph migration to content-addressability took 0.00 seconds"
time="2017-02-01T15:48:10.016655800-08:00" level=info msg="Loading containers: start."
time="2017-02-01T15:48:10.460820000-08:00" level=info msg="Loading containers: done."
time="2017-02-01T15:48:10.509859600-08:00" level=info msg="Daemon has completed initialization"
time="2017-02-01T15:48:10.509859600-08:00" level=info msg="Docker daemon" commit=3c64061 graphdriver=windowsfilter version=1.14.0-dev
First with no explicit isolation:
PS E:\docker\build\unifyworkdir> docker build --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> 7e0f41d08204
Removing intermediate container 236c7802042a
Step 3/5 : ENV GOROOT c:\installer
---> Running in 8ea5237183c1
---> 394b70435261
Removing intermediate container 8ea5237183c1
Step 4/5 : ADD go.exe .
---> e47401a1745c
Removing intermediate container 88dcc28e74b1
Step 5/5 : RUN go --help
---> Running in efe90e1b6b8b
container efe90e1b6b8b76586abc5c1dc0e2797b75adc26517c48733d90651e767c8463b encountered an error during CreateProcess: failure in a Windows system call: The directory name is invalid. (0x10b) extra info: {"ApplicationName":"","CommandLine":"cmd /S /C go --help","User":"","WorkingDirectory":"C:\\installer","Environment":{"GOROOT":"c:\\installer"},"EmulateConsole":false,"CreateStdInPipe":true,"CreateStdOutPipe":true,"CreateStdErrPipe":true,"ConsoleSize":[0,0]}
PS E:\docker\build\unifyworkdir>
Then forcing process isolation:
PS E:\docker\build\unifyworkdir> docker build --isolation=process --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> 350c955980c8
Removing intermediate container 8339c1e9250c
Step 3/5 : ENV GOROOT c:\installer
---> Running in bde511c5e3e0
---> b8820063b5b6
Removing intermediate container bde511c5e3e0
Step 4/5 : ADD go.exe .
---> e4ac32f8902b
Removing intermediate container d586e8492eda
Step 5/5 : RUN go --help
---> Running in 9e1aa235af5f
Cannot mkdir: C:\installer is not a directory
PS E:\docker\build\unifyworkdir>
Now compare the same results after this PR. Again, first with no explicit isolation (defaulting to Hyper-V containers as that's what the daemon it set to) - note it now succeeds 😄
PS E:\docker\build\unifyworkdir> docker build --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> 4f319f301c69
Removing intermediate container 61b9c0b1ff6f
Step 3/5 : ENV GOROOT c:\installer
---> Running in c464a1d612d8
---> 96a26ab9a7b5
Removing intermediate container c464a1d612d8
Step 4/5 : ADD go.exe .
---> 0290d61faf57
Removing intermediate container dc5a085fffe3
Step 5/5 : RUN go --help
---> Running in 60bd56042ff8
Go is a tool for managing Go source code.
Usage:
go command [arguments]
The commands are:
build compile packages and dependencies
clean remove object files
doc show documentation for package or symbol
env print Go environment information
fix run go tool fix on packages
fmt run gofmt on package sources
generate generate Go files by processing source
get download and install packages and dependencies
install compile and install packages and dependencies
list list packages
run compile and run Go program
test test packages
tool run specified go tool
version print Go version
vet run go tool vet on packages
Use "go help [command]" for more information about a command.
Additional help topics:
c calling between Go and C
buildmode description of build modes
filetype file types
gopath GOPATH environment variable
environment environment variables
importpath import path syntax
packages description of package lists
testflag description of testing flags
testfunc description of testing functions
Use "go help [topic]" for more information about that topic.
The command 'cmd /S /C go --help' returned a non-zero code: 2
And the same with forcing process isolation. Also works 😄
PS E:\docker\build\unifyworkdir> docker build --isolation=process --no-cache .
Sending build context to Docker daemon 10.1 MB
Step 1/5 : FROM microsoft/nanoserver
---> 89b8556cb9ca
Step 2/5 : WORKDIR c:\installer
---> f423b9cc3e78
Removing intermediate container 41330c88893d
Step 3/5 : ENV GOROOT c:\installer
---> Running in 0b99a2d7bf19
---> e051144bf8ec
Removing intermediate container 0b99a2d7bf19
Step 4/5 : ADD go.exe .
---> 7072e32b7c37
Removing intermediate container a7a97aa37fd1
Step 5/5 : RUN go --help
---> Running in 7097438a54e5
Go is a tool for managing Go source code.
Usage:
go command [arguments]
The commands are:
build compile packages and dependencies
clean remove object files
doc show documentation for package or symbol
env print Go environment information
fix run go tool fix on packages
fmt run gofmt on package sources
generate generate Go files by processing source
get download and install packages and dependencies
install compile and install packages and dependencies
list list packages
run compile and run Go program
test test packages
tool run specified go tool
version print Go version
vet run go tool vet on packages
Use "go help [command]" for more information about a command.
Additional help topics:
c calling between Go and C
buildmode description of build modes
filetype file types
gopath GOPATH environment variable
environment environment variables
importpath import path syntax
packages description of package lists
testflag description of testing flags
testfunc description of testing functions
Use "go help [topic]" for more information about that topic.
The command 'cmd /S /C go --help' returned a non-zero code: 2
PS E:\docker\build\unifyworkdir>
(cherry picked from commit f42033ba94)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This bumps RunC and libcontainer to fix a regression
in 1.13 that caused SELinux labels to not be
applied correctly.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix cherry-pick SwarmKit update to 0af40501a9cc98cd3e9425d2e4246dd3eff5526e
for branch 1.13.x. The following has been added:
- [docker/swarmkit#1909]: raft: Disable address change detection
- [docker/swarmkit#1910]: Fix issue in service update of published ports in host mode
This fix fixes#30199 in docker.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
cherry pick #30545
These are arm variants with different argument ordering because of
register alignment requirements.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
The `DOCKER_HIDE_LEGACY_COMMANDS` environment
variable was added in a7c8bcac2b
but not documented.
This adds the variable to the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2ef82fd237)
Signed-off-by: Victor Vieux <vieux@docker.com>
- When the node leaves the cluster, if any user run
container(s) is connected to the swarm network,
then daemon needs to detach the container(s) and
remove the network.
Signed-off-by: Alessandro Boch <aboch@docker.com>
(cherry picked from commit 3cedca5d53)
Signed-off-by: Victor Vieux <vieux@docker.com>
Using source, the following error is made:
invalid field in secret request: src
Signed-off-by: Michael Irwin <mikesir87@gmail.com>
(cherry picked from commit 9250117d58)
Signed-off-by: Victor Vieux <vieux@docker.com>
This patch adds a "src" alias for `--secret`
to be consistent with `--mount`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 950658bbb6)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to address the issue raised in 30242 where the `Scope`
field always changed to `swarm` in the ouput of `docker network ls/inspect`
when duplicate networks name exist.
The reason for the issue was that `buildNetworkResource()` use network name
(which may not be unique) to check for the scope.
This fix fixes the issue by always use network ID in `buildNetworkResource()`.
A test has been added. The test fails before the fix and passes after the fix.
This fix fixes 30242.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 05a831a775)
Signed-off-by: Victor Vieux <vieux@docker.com>
go 1.7.4 introduced official go ppc64le binaries, so use those
instead of using older versions of go and building from src.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit 62ab6809bd)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to fix the issue in 30279 where `docker ps --format`
fails if `.Label` has args. For example:
```
docker ps --format '{{.ID}}\t{{.Names}}\t{{.Label "some.label"}}'
```
The reason for the failure is that during the preprocessing phase
to detect the existance of `.Size`, the `listOptionsProcessor`
does not has a method of `Label(name string) string`.
This results in the failure of
```
template: :1:24: executing "" at <.Label>: Label is not a method but has arguments
```
This fix fixes the issue by adding needed method of `Label(name string) string`.
This fix fixes 30279.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 2cd4ba1e56)
Signed-off-by: Victor Vieux <vieux@docker.com>
When a plugin has an activation error, it was not being checked in the
`waitActive` loop. This means it will just wait forever for a manifest
to be populated even though it may never come.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit f2d384fca6)
Signed-off-by: Victor Vieux <vieux@docker.com>
commit 56f77d5ade
added support for cpu-rt-period and cpu-rt-runtime,
but always initialized the cgroup path, even if not
used.
As a result, containers failed to start on a
read-only filesystem.
This patch only creates the cgroup path if
one of these options is set.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f285d5b3e8)
Signed-off-by: Victor Vieux <vieux@docker.com>
Upon each container create I'm seeing these warning **every** time in the
daemon output:
```
WARN[0002] Your kernel does not support swap memory limit
WARN[0002] Your kernel does not support cgroup rt period
WARN[0002] Your kernel does not support cgroup rt runtime
```
Showing them for each container.create() fills up the logs and encourages
people to ignore the output being generated - which means its less likely
they'll see real issues when they happen. In short, I don't think we
need to show these warnings more than once, so let's only show these
warnings at daemon start-up time.
Signed-off-by: Doug Davis <dug@us.ibm.com>
(cherry picked from commit ff42a2eb41)
Signed-off-by: Victor Vieux <vieux@docker.com>
c54b717 caused a regression for pluginv1 on Windows, where extraneous
backslashes were added to BasePath of the plugin. For pluginv1 on windows,
BasePath() should return an empty string, since the plugin is fully aware
of the mount path. Also, unlike Linux where all paths are relative to "/",
Windows paths are dependent on system drives and mapped drives.
Fixes#30148
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
(cherry picked from commit 0ef21eb0e3)
Signed-off-by: Victor Vieux <vieux@docker.com>
The top-level `docker inspect` command could return
an error if the nodes Swarm certificates were expired.
In situations where the user did not explicitly
ask for an object-type (`--type=foo`), we should
ignore these errors, and consider them equal to
"node is not a swarm manager".
This change makes `docker inspect` ignore these
errors if no type was specified.
As a further optimization, the "swarm status"
result is now stored in a variable, so that
other swarm-specific API calls can be skipped.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 66cf4cc7f7)
Signed-off-by: Victor Vieux <vieux@docker.com>
Instead of a timeout the context is cancelled on error to ensure
proper cleanup of the associated fifos' goroutines.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit c178700a04)
Signed-off-by: Victor Vieux <vieux@docker.com>
As noted by #30083, the new strict checking of mediatypes misses some
cases where earlier bugs caused nonstandard mediatypes to be stored in
manifests. Two of the known cases are text/html and application/json,
which were returned by certain registries and stored by earlier versions
of Docker. Add special cases for text/html and application/json.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit a215e15cb1)
Signed-off-by: Victor Vieux <vieux@docker.com>
When Size was reverted to be equal to VirtualSize, the df command
formatter was not correctly updated to account for the change.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit dcc1b4baf6)
Signed-off-by: Victor Vieux <vieux@docker.com>
This is necessary for swarmkit to support cluster wide plugins, such as
globally scoped network plugins.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
This test checks to make sure both v1.12 and v1.13 client against v1.13 daemon get correct `Size` after the fix.
This test is related to 30027.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit d9451f1c8c)
Signed-off-by: Victor Vieux <vieux@docker.com>
The prune PR changed the meaning of the file to mean "space on disk
only unique to this image", this PR revert this change.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit be20dc15af)
Signed-off-by: Victor Vieux <vieux@docker.com>
When storeLayer.Parent returns the parent layer, it needs to use the same logic as Get where it wraps in a describablyStoreLayer if the layer is describable. Otherwise, on Windows, this can result in pushing the foreign layers, which is not supposed to be allowed.
This fixes https://github.com/docker/docker/issues/30080.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
(cherry picked from commit d14b7212ad)
Signed-off-by: Victor Vieux <vieux@docker.com>
This reverts commit 105bc63295,
which (although correct), resulted in a backward incompatible
change.
We can re-implement this in future, after this changes
goes through a deprecation cycle
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit 9322636c89
temporarily switched to a fork of go-memdb, because
a pull request that was needed was not yet merged
upstream.
this pull request was merged, so we can un-fork
this dependency.
this change does not bump the dependency, and
only un-forks. bumping the dependency should
be done in a separate change, if needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5f057f6350)
Signed-off-by: Victor Vieux <vieux@docker.com>
Vendor the latest official logrus release instead of a custom fork
(which now happens to be identical to the fork).
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 11df2db538)
Signed-off-by: Victor Vieux <vieux@docker.com>
- default network is only created if needed
- it's possible to override default network configuration
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The base selinux policies on centos/rhel/oraclelinux have all been
updated in a way that conflicts with the policies we install with
`docker-engine-selinux`. This patch fixes these conflicts.
In addition, removes special cases for old/unsupported versions of
fedora in our selinux package, and change to use a single minimum
version for the selinux base policy package, as this is the minimum
version required to use our selinux policy package.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ec9a05e5e2)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`plugins.GetAll()` was not locking the plugin map when checking if a
plugin exists, this can cause a race and potentially a panic if another
goroutine is trying to load a plugin into the map at the same time.
Also fixes a race during activation where a plugin inserts itself into
the plugin map but does not check if something else is already there.
This is already checked before trying to activate the plugin, however
the map lock is not held for this entire period, so other plugins may be
loaded during this time.
To fix, before inserting the plugin into the map, check if one with the
same name already exists and use that instead.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 21fcbb39b7)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Call daemon.Mount will increase the refcount of mounted path,
for those previous running containers, `Mount` call will make
the refcount to 2. see
https://github.com/docker/docker/blob/v1.13.0-rc4/daemon/graphdriver/counter.go#L38
```
if !m.check {
m.check = true
if c.checker.IsMounted(path) {
m.count++
}
}
m.count++
```
graphdrive could restore on reboot after #22541, call
daemon.Mount to resore the graphdriver is not necessary.
And call `daemon.Mount` on restorting will mount all the containers
mounted layer even if it was stop.
This fix call Mount and then Unmount to get `BaseFs`
Signed-off-by: Lei Jitang <leijitang@huawei.com>
This fix is a follow up to #29365. In #29365 a bug was fixed for
`docker exec -u user` after live restore by remounting.
However, #29365 will prevent containers from restored if mount failed.
In this fix, containers will be restored even if mount in that step failed.
Some functionalities might be missing (like `docker exec -u user`) but
at least it is possible to do certain operations like stop/restart/delete.
This fix is related to #29365.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 3003ae1d8b)
returned in "docker info". Currently info endpoint isnt using the
GetAllByCap, but relies on existing networks to get the plugin names.
This causes a basic issue when it comes to global network plugins which
swarm-mode relies on, wherein swarmkit will not be able to schedule the
network on the worker nodes due to the filtering logic.
In order to break this chicken & egg issue, we must start to use the
GetAllManagedPluginsByCap. We are unable to use GetAllByCap due to
various issues with Plugin-V1's lazy loading approach causing issues
especially during daemon restarts (which uses SystemInfo)
Signed-off-by: Madhu Venugopal <madhu@docker.com>
When a plugin is activated, and then `plugins.Handle` is called to
register a new handler for a given plugin type, a deadlock occurs when
for anything which calls `waitActive`, including `Get`, and `GetAll`.
This happens because `Handle()` is setting `activated` to `false` to
ensure that plugin handlers are run on next activation.
Maybe these handlers should be called immediately for any plugins which
are already registered... but to preserve the existing behavior while
fixing the deadlock, track if handlers have been run on plugins and
reset when a new handler is registered.
The simplest way to reproduce the deadlock with Docker is to add a `-v
/foo` to the test container created for the external graphdriver tests.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 2938dce794)
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue raised in 28581 and 28927
where it is not possible to create a secret from a file (only
through STDIN).
This fix add a flag `--file` to `docker secret create` so that
it is possible to create a secret from a file with:
```
docker secret create --file secret.in secret.name
```
or
```
echo TEST | docker secret create --file - secret.name
```
Related docs has been updated.
An integration test has been added to cover the changes.
This fix fixes 28581.
This fix is related to 28927.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit c6f0b7f448)
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In #28507 and #28885, `docker service/node ps -a` has been removed so that
information about slots are show up even without `-a` flag.
The output of `docker stack ps` reused the same output as `docker service/node ps`.
However, the `-a` was still there. It might make sense to remove `docker stack ps -a`
as well to bring consistency with `docker service/node ps`.
This fix is related to #28507, #28885, and #25983.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 9155e14e77)
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In cases where there is high latency (ie, not-local network)
`waitExitOrRemoved` was not receiving events for short-lived containers.
This caused the client to hang while waiting for a notification that the
container has stopped.
This happens because `client.Events()` returns immediately and spins a
goroutine up to process events. The problem here is it returns before
the request to the events endpoint is even made.
Even without high-latency issues, there is no guarantee that the
goroutine is even scheduled by the time the function returns.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 47585996bf)
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to fix 29667 where image's `CMD` is modified
after `WORKDIR` in Dockerfile.
The value of `b.runConfig.Cmd` was modified in the processing
of `WORKDIR`, in order to fix 28902. However, the same
`b.runConfig.Cmd` is passed to `commit()`.
This fix restored the `b.runConfig.Cmd` before `commit()`
the image for `WORKDIR`.
A test has been added.
This fix fixes 29667.
This fix is related to 28902, 28909, 28514.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 0836023847)
Signed-off-by: Victor Vieux <vieux@docker.com>
`docker plugin enable` and `docker plugin disable` only
accept one plugin.
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 390effdd11)
Signed-off-by: Victor Vieux <vieux@docker.com>
bolt k/v pairs are only valid for the life of a transaction.
This means the memory that the k/v pair is referencing may be invalid if
it is accessed outside of the transaction.
This can potentially cause a panic.
For reference: https://godoc.org/github.com/boltdb/bolt#hdr-Caveats
To fix this issue, unmarshal the stored data into volume meta before
closing the transaction.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 4876a9047e)
Signed-off-by: Victor Vieux <vieux@docker.com>
The current GetAll handles both V2 and legacy plugins. Also due to the
nature of V1 plugins, it also loads them. This causes problems when
loading is not required. Hence adding an independent API that will
return only the plugins that are loaded using v2 mangaed plugins.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
The current validation only checked for the
number of elements in the volume-spec, however,
did not validate if the elements were empty.
Because of this, an empty volume-spec (""),
or volume spec only containing separators ("::")
would not be invalidated.
This adds a simple check for empty elements in
the volume-spec, and returns an error if
the spec is invalid.
A unit-test is also added to verify the behavior.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the `convertVolumeToMount()` function did not take
anonymous volumes into account when converting
volume specifications to bind-mounts.
this resulted in the conversion to try to
look up an empty "source" volume, which
lead to an error;
undefined volume:
this patch distinguishes "anonymous"
volumes from bind-mounts and named-volumes,
and skips further processing if no source
is defined (i.e. the volume is "anonymous").
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Move plugins to shared distribution stack with images.
Create immutable plugin config that matches schema2 requirements.
Ensure data being pushed is same as pulled/created.
Store distribution artifacts in a blobstore.
Run init layer setup for every plugin start.
Fix breakouts from unsafe file accesses.
Add support for `docker plugin install --alias`
Uses normalized references for default names to avoid collisions when using default hosts/tags.
Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
(cherry picked from commit 3d86b0c79b)
Move configurations into a single file.
Abstract download manager in pull config.
Add supports for schema2 only and schema2 type checking.
Add interface for providing push layers.
Abstract image store to generically handle configurations.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
(cherry picked from commit 3c7676a057)
Manifest builder allows setting the configuration type
for the manifest being build. Additionally the default
type has been renamed to reflect it is an image type.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
(cherry picked from commit 61ac7c4bf8)
When plugins have a positive refcount, they were not allowed to be
removed. However, plugins could still be disabled when volumes
referenced it and containers using them were running.
This change fixes that by enforcing plugin refcount during disable.
A "force" disable option is also added to ignore reference refcounting.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 8cb2229cd1)
This fix is a follow up for comment:
https://github.com/docker/docker/pull/29186/files#r91277345
While #29186 addresses the issue of `docker inspect <unknown object>`
on Windows, it actually makes `docker plugin inspect <unknown object>`
out `object not found` on Windows as well. This is actually misleading
as plugin is not supported on Windows.
This fix reverted the change in #29186 while at the same time,
checks `not supported` in `docker inspect <unknown object>` so that
- `docker plugin inspect <unknown object>` returns `not supported` on Windows
- `docker inspect <unknown object>` returns `not found` on Windows
This fix is related to #29186 and #29185.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 0b3c10ac4d)
This fix is a follow up to the comment:
https://github.com/docker/docker/pull/28717#discussion_r90040589
Currently, the collision checking is done at the last step `Add()` of
plugin creation. However, at this stage the context such as plugin
directories have already been creation. In case of name collision,
rollback is needed which could be expensive.
This fix performs the check at the beginning of CreateFromContext using
GetByName. In this way, collision fails fast and no context creation
or rollback is needed.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 52405a9b58)
Previously, it was comparing against the driver name passed in by the
caller. This could lead to subtle issues when using plugins, like
"plugin" vs. "plugin:latest".
Also, remove "conflict:" prefix to improve the error message.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit a854cf262336e5625ec06e8e12e8ebc1500ce656)
Ensures all known volumes (known b/c they are persisted to disk) have
their volume drivers refcounted properly.
In testing this, I found an issue with `--live-restore` (required since
currently the provided volume plugin doesn't keep state on restart)
where restorted plugins did not have a plugin client loaded causing a
panic when trying to use the plugin.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 6ef1060cd0)
Signed-off-by: Victor Vieux <vieux@docker.com>
Previously, it doesn't allow creating such a network:
e.g.
$ docker network inspect -f '{{.Id}}' ingress
84xh9knigj6zyt00u31e26nj3
$ docker network create 84
Error response from daemon: network with name 84 already exists
Fix#27866
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
(cherry picked from commit edfbc3b876)
Signed-off-by: Victor Vieux <vieux@docker.com>
the "docker swarm leave" command description
mentioned that the command can only be used
for workers, however, the command can also
be used for managers (using the `-f` / `--force`
option).
this patch removes the "(workers only)" part
of the command description.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f89eee5d9d)
Signed-off-by: Victor Vieux <vieux@docker.com>
Also enables `PropagatedMount` for graphdrivers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 500210475f)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to address the issue raised in 24352. Previously,
when `docker swarm update` has no flags, the output is
```
Swarm updated.
```
even though nothing was updated. This could be misleading for
users.
This fix tries to address the issue by adding a `PreRunE` function
in the command so that in case no flag is provided (`cmd.Flags().NFlag() == 0`),
the usage will be outputed instead.
An integration has been added to cover the changes.
This fix fixes 24352.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 5aa5a1cb00)
Signed-off-by: Victor Vieux <vieux@docker.com>
Fixes a case where removing the plugin from disk would
fail silently. Also moves pluginStore remove after we
remove from disk, so 'docker plugin ls' doesn't isn't
empty in case it errors out.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit fb11164c4f)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to address the issue raised in 29342 where
`docker exec -u` after docker daemon restart returns an error:
```
unable to find user test: no matching entries in passwd file
```
The reason was that `container.BaseFS` is not present after restart.
This fix adds the `daemon.Mount` during the restore to bring up the
`container.BaseFS`.
An integration test has been added to cover the changes.
This fix fixes 29342.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 7feb2a17e4)
Signed-off-by: Victor Vieux <vieux@docker.com>
Implement notary-based digest lookup in the client when
DOCKER_CONTENT_TRUST=1.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit d4d6f8c0d0)
Split these into cli/trust so that other commands can make use of them.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 4b8c79f25e)
This removes some very old vestigial code that really should have been
removed during the content addressability transition. It implements
something called "reference" but it behaves differently from the actual
reference package. This was only used by client-side content trust code,
and is relatively easy to extricate.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit d91ed88365)
`--publish-add 8081:81 --publish-add 8082:82 --publish-rm 80
--publish-rm 81/tcp --publish-rm 82/tcp` would thus result in 81 and
82 to be published.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In #29071, we made the tags the correct name for generating types,
at the expense of the menu in the documentation looking good.
ReDoc now has support for tag display names
( https://github.com/Rebilly/ReDoc/pull/152 ), so we can assign
a more human-friendly name to the menu items.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit 0caa6c218c)
Signed-off-by: Victor Vieux <vieux@docker.com>
Adds 2 new methods to v2 plugin `Acquire` and `Release` which allow
refcounting directly at the plugin level instead of just the store.
Since a graphdriver is initialized exactly once, and is really managed
by a separate object, it didn't really seem right to call
`getter.Get()` to refcount graphdriver plugins.
On shutdown it was particularly weird where we'd either need to keep a
driver reference in daemon, or keep a reference to the pluggin getter in
the layer store, and even then still store extra details on if the
graphdriver is a plugin or not.
Instead the plugin proxy itself will handle calling the neccessary
refcounting methods directly on the plugin object.
Also adds a new interface in `plugingetter` to account for these new
functions which are not going to be implemented by v1 plugins.
Changes terms `plugingetter.CREATE` and `plugingetter.REMOVE` to
`ACQUIRE` and `RELEASE` respectively, which seems to be better
adjectives for what we're doing.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit f29bbd16f5)
Signed-off-by: Victor Vieux <vieux@docker.com>
Fixes an issue when starting the daemon with live-restore
where previously it was not set, plugins are not running.
Fixes an issue when starting the daemon with live-restore, the plugin
client (for interacting with the plugins HTTP interface) is not set,
causing a panic when the plugin is called.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit cb6633175c)
Signed-off-by: Victor Vieux <vieux@docker.com>
commit bbd2018ee1
changed the output format of `docker service ps`.
this patch updates the reference docs
to match the updated output format.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5902fa3384)
Signed-off-by: Victor Vieux <vieux@docker.com>
When inspecting a container, `NetworkSettings` contains top-level
information about the default ("bridge") network;
`EndpointID`, `Gateway`, `GlobalIPv6Address`, `GlobalIPv6PrefixLen`,
`IPAddress`, `IPPrefixLen`, `IPv6Gateway`, and `MacAddress`.
These properties are deprecated in favor of per-network properties in
`NetworkSettings.Networks`. These properties were already "deprecated" in
docker 1.9, but kept around for backward compatibility.
Refer to [#17538](https://github.com/docker/docker/pull/17538) for further
information.
This officially deprecates these properties, and marks them
for removal in 1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae6f09b29c)
Signed-off-by: Victor Vieux <vieux@docker.com>
Due to the test plugins being architecture specific, these
tests fail to start the plugin (even though they don't fail yet)
Temporary fix until we can build architecture specific test
plugins.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit ebff8c79a3)
Signed-off-by: Victor Vieux <vieux@docker.com>
In certain cases (unattended upgrades), system services can disable
loaded AppArmor profiles. However, since /etc being read-only is a
supported setup we cannot just write a copy of the profile to
/etc/apparmor.d.
Instead, dynamically load the docker-default AppArmor profile if a
container is started with that profile set. This code will short-cut if
the profile is already loaded.
Fixes: 2f7596aaef ("apparmor: do not save profile to /etc/apparmor.d")
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 567ef8e785)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to fix the issue raised in 29044 where
the IPAM options is missing in swarm network mode
after the service is deployed. Before the service
is deployed, the IPAM options is available.
The reason for the issue is that, before service is
deployed, `network inspect` is querying the swarm and
obtained the correct information.
However, after service is deployed, swarm executor
does not pass the IPAM options to the backend (daemon).
Also after service is deployed, `network inspect` is
actually querying the local daemon for information.
At this time the network information with missing IPAM
options is returned.
This fix fixes the issue by updating the swarm network
allocator and swarm executor.
A separate PR for swarmkit will be opened.
An integration test has been added to cover the change.
This fix fixes 29044.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 4d958e99c1)
Signed-off-by: Victor Vieux <vieux@docker.com>
- Display the ID column
- Do not append the task ID in the name column
- (NEW): Truncate task IDs, unless --no-trunc is specified
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
(cherry picked from commit bbd2018ee1)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix update swarmkit to b5f07ce49c66d2f5feee83998b23d4c905b78155
The following changes have been included:
- Fix missing IPAM options in swarm network mode (docker/swarmkit#1789)
The above PR is related to docker PR #29074 and docker issue #29044.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 29129 where
"--hostname" not working when running in "--net=host" for
`docker run`.
The fix fixes the issue by not resetting the `container.Config.Hostname`
if the `Hostname` has already been assigned through `--hostname`.
An integration test has been added to cover the changes.
This fix fixes 29129.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit b0a7b0120f)
Signed-off-by: Victor Vieux <vieux@docker.com>
This reverts 26103. 26103 was trying to make it so that if someone did:
docker build --build-arg FOO .
and FOO wasn't set as an env var then it would pick-up FOO from the
Dockerfile's ARG cmd. However, it went too far and removed the ability
to specify a build arg w/o any value. Meaning it required the --build-arg
param to always be in the form "name=value", and not just "name".
This PR does the right fix - it allows just "name" and it'll grab the value
from the env vars if set. If "name" isn't set in the env then it still needs
to send "name" to the server so that a warning can be printed about an
unused --build-arg. And this is why buildArgs in the options is now a
*string instead of just a string - 'nil' == mentioned but no value.
Closes#29084
Signed-off-by: Doug Davis <dug@us.ibm.com>
(cherry picked from commit cdb8ea90b0)
Signed-off-by: Victor Vieux <vieux@docker.com>
The install script currently includes some
distros that we don't actually have packages
for.
For these distros, the script currently
performs step to install Docker from
the distro's repository.
This patch removes those distros from
the install script, because we have no
control over these packages, and cannot
provide support for them.
Installing docker anyway will give the
false impression that they installed
a package from our repository (but they
didn't), and that they need to contact
us for support.
It's better to tell people that we don't
install in that case, and refer them to
the installation documentation, or the
documentation of their distro.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 29b98b6ee6)
Signed-off-by: Victor Vieux <vieux@docker.com>
Legacy plugins expect host-relative paths (such as for Volume.Mount).
However, a containerized plugin cannot respond with a host-relative
path. Therefore, this commit modifies new volume plugins' paths in Mount
and List to prepend the container's rootfs path.
This introduces a new PropagatedMount field in the Plugin Config.
When it is set for volume plugins, RootfsPropagation is set to rshared
and the path specified by PropagatedMount is bind-mounted with rshared
prior to launching the container. This is so that the daemon code can
access the paths returned by the plugin from the host mount namespace.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit c54b717caf)
Signed-off-by: Victor Vieux <vieux@docker.com>
v2/Plugin struct had fields that were
- purely used by the manager.
- unsafely exposed without proper locking.
This change fixes this, by moving relevant fields to the manager as well
as making remaining fields as private and providing proper accessors for
them.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit b35490a8ba)
Signed-off-by: Victor Vieux <vieux@docker.com>
It provides an ASLR-bypassing target with usable ROP gadgets.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
(cherry picked from commit 49dcce7ba0)
Signed-off-by: Victor Vieux <vieux@docker.com>
Distribution client change for class in resource
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit d1f5e0f7a6)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to address the issue raised on 29185 where
`docker inspect <unknown object>` on Windows will return:
```
Error response from daemon: plugins are not supported on this platform
```
The reason was that in case `--type` is not specified, `docker inspect`
will iterate through different types `container`, `image`, `network`,
`plugin` etc. The `plugin` object is the last type to check.
However, as `plugin` is not supported on Windows yet, the error message
is not very informative for `plugins are not supported on this platform`.
This fix tries to fix the issue by return a `not found` error on unsupported
platforms as well.
An integration test has been added to cover the changes for Windows/Linux.
This fix fixes 29185.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 88fcdb0a82)
Signed-off-by: Victor Vieux <vieux@docker.com>
Logging configuration was completely ignore when deploy a compose file
to swarm. This fixes it.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 806cc1e0f8)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to address the issue in 28884 where
it is possible to mask the secret ID by name.
The reason was that searching a secret is based on name.
However, searching a secret should be done based on:
- Full ID
- Full Name
- Partial ID (prefix)
This fix addresses the issue by changing related implementation
in `getCliRequestedSecretIDs()`
An integration test has been added to cover the changes.
This fix fixes 28884
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 3638ca4d14)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix convert DanglingOnly in ImagesPruneConfig to Filters,
so that it is possible to maintain API compatibility in the future.
Several integration tests have been added to cover changes.
This fix is related to 28497.
A follow up to this PR will be done once this PR is merged.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit a6be56b54e)
Signed-off-by: Victor Vieux <vieux@docker.com>
Validation is still done by swarmkit on the service side.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit ef39256dfb)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix tries to address the proposal raised in 28946
to support plugins in `docker inspect`.
The command `docker inspect` already supports
"container", "image", "node", "network", "service", "volume", "task".
However, `--type plugin` is not supported yet at the moment.
This fix address this issue by adding the support of `--type plugin`
for `docker inspect`.
An additional integration test has been added to cover the changes.
This fix fixes 28946.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 90bb2cdb9f)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix tries to address the enhancement proposed in 28708 to display
ID field for the output of `docker plugin ls`.
This fix add `ID` field to the output of `docker plugin ls`
Related docs has been updated.
This fix fixes 28708.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 8a226ed643)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Fix issue where out-of-band deletions and then a `docker volume create`
on the same driver caused volume to not be re-created in the driver but
return as created since it was stored in the cache.
Previous fix only worked if the driver names did not match.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit d8ce4a6e10)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This is required to make the type generation put things in the
correct directory, but unfortunately makes the names in the
documentation menu look a bit crap.
I think the best solution would be to add a `x-display-name`
extension to tags to determine how the tags show up in the menu,
rather than it depend on the name of the tag. I shall do this in
a follow-up PR - for now, let's fix the breakage.
Fixes#29045
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit 30a9249e15)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This pins the version of go-swagger used, because
the results generated by different versions
can differ quite a bit (tested between 0.7.2 - 0.7.4),
and can cause CI / validation to fail.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ba20c3e65e)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
the restart policy validation was moved from
the client to the daemon in 94e95e4711
As part of that change, retry-counts < 1
were marked as "invalid".
However, the default is 0 (unlimited), causing
docker run -d --restart=on-failure nginx
To fail.
This changes the validation to only invalidate
retry-counts < 0.
A test was added, and other tests renamed
to allow running just these tests :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9db5d649ae)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix tries to address the issue raised in discussion of
PR 28735 where it was not possible to manage plugin based on
plugin ID. Previously it was not possible to invoke
`docker plugin inspect` with a plugin ID (or ID prefix).
This fix updates the implementation of `docker plugin inspect`
so that it is possbile to search based on a plugin name, or a
plugin ID. A short format of plugin ID (prefix) is also possible,
as long as there is no ambiguity.
Previously the check of `docker plugin inspect` was mostly done
on the client side. This could potentially cause inconsistency
between API and CMD. This fix move all the checks to daemon side
so that API and CMD will be consistent.
An integration test has been added to cover the changes.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 0ce6e070f7)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
- Consistent naming (plural, etc)
- Add section descriptions
- Add docs in swagger.yaml about how to maintain them
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit 2aea9ad56b)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Jekyll automatically adds titles based on the title of the page,
so this was causing duplicate titles.
Also, made all the headings the correct level.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit d9b109b807)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This ensures that graphdriver plugins can properly cleanup on daemon
exit.
Also prevents errors during shutdown when it tries to send the plugin a
`Cleanup()` request but ultimately times out since it's already been
shutdown.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 4b400ecc4d)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
When building a manifest during a push operation, all layers must have
an associated descriptor. If a layer is missing a descriptor, that leads
to a panic.
A break inside a switch in layerAlreadyExists meant to break from the
loop surrounding the switch, but instead breaks from the switch. This
causes the loop to continue, and can overwrite the descriptor with an
empty one, leading to the panic.
Also, fix layerAlreadyExists not to abort the push when a speculative
stat on a candidate layer digest fails with an error. This could happen
in situations like a potential cross-repository mount where the user
does not have permission to access the source repository.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit e0702e9f37)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Allows replacing of the default httpredir.debian.org in /etc/apt/sources.list
with a user-specified mirror. This will (hopefully) fix CI apt issues.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit 150a519a0b)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
If a swarm service is created using an image ID, it's useless to try to
pull this reference or resolve it to a manifest digest. Avoid doing this
when a fully qualified image ID is given.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 089842c4b4)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
If the network is marked as external, don't use the namespace on
it. Otherwise, it's not found.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 6fff845409)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Dump stack dumps to exec root instead of daemon root.
When no path is provided to the stack dumper, such is the case with
SIGQUIT, dump to stderr.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 0bd720b28d)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
If, using the API, a user submits an init request with a spec that has a
name other than "default", the engine will rename the "default" cluster
object. Some parts of swarmkit depend on having a cluster object named
"default". Reject any specs that use other names.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 9dba9e3248)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Make sure current client code can talk for ImageList can still talk to
older daemon.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit c6e31454ba)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
A plugin has an `ExitChan` channel which is used to signal the exit of
the plugin process. In a recent change, the initialization was
incorrectly moved to the daemon Shutdown path.
Fix this by initializing the channel during plugin enable.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 890a98ceed)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix tries to fix the issue raised in 28684:
1. Duplicate plugin create with the same name will override the old plugin reference
2. In case an error happens in the middle of the plugin creation, plugin directories
in `/var/lib/docker/plugins` are not cleaned up.
This fix update the plugin store so that `Add()` will return an error if a plugin
with the same name already exist.
This fix also will clean up the directory in `/var/lib/docker/plugins` in case
an error happens in the middle of the plugin creation.
This fix fixes 28684.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 662d456928)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
`docker stack config` command does not exists anymore, removing it
from the command reference documentation.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 3f98871a19)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
The error didn't hint at how to resolve it. Google auto-suggest
also implies that people have been Googling this error.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit 70acb89fa2)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Chosing LEGACY_VSYSCALL_NONE (over NATIVE or EMULATE) will mean that binaries
using eglibc <= 2.13 will not run (segfault).
Fixes#28705.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
(cherry picked from commit 163db04452)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Currently the help output of `docker network ls --filter` is:
```
Options:
-f, --filter value Provide filter values (i.e. 'dangling=true') (default [])
...
```
This caused confusion as only the following filters are supported at the moment:
- `driver`
- `type`
- `name`
- `id`
- `label`
This fix update the help output of `docker network ls --filter` and `network_ls.md`.
The `dangling=true` description has been replace to:
```
Options:
-f, --filter filter Provide filter values (i.e. 'driver=bridge')
...
```
This fix fixes 28786.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 2510f254ee)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix tries to address the issue raised in 28769 where
checkpoint name was not checked before passing to containerd.
As a result, it was possible to use a special checkpoint name
to get outside of the container's directory.
This fix add restriction `[a-zA-Z0-9][a-zA-Z0-9_.-]+` (`RestrictedNamePattern`).
This is the same as container name restriction.
This fix fixes 28769.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit c90ec05175)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Mainly adding requirements on Network or NotUserNamespace to make it pass.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit eb5fe064cf)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This updates secret inspect to support inspect by ID in addition to name
as well as inspecting multiple secrets. This also cleans up the
help text for consistency.
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
(cherry picked from commit 70d2cefd51)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Fedora 25 was released today, and the official
image will be available soon.
This removes the temporary override, so that
we can build using the official image.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 545a2f009e)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
- Tidied up copy
- API version is now mandatory
- Links to previous API versions
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit c97f67dbab)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
See: https://github.com/docker/docker.github.io/pull/606
Also:
- Add missing redirects to API reference pages
- Remove v1.25 and 1.26, because they are being replaced with
swagger generated docs.
- Remove all other docs which aren't reference material, because
this can live in docker/docker.github.io
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
(cherry picked from commit 993854f58f)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Document and link to the concurrent uploads/downloads daemon option.
Signed-off-by: Jacob Tomlinson <jacob@tom.linson.uk>
(cherry picked from commit b303381a4d)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
In the plugin manifest, Capabilities has been moved to
Linux.Capabilities to avoid confusion with Interface.Types[i].Capability
A DeviceCreation boolean has also been added to the manifest. This could
be changed in the future to be specific to a major number.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 9f239281b1)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Instead of converting nicely typed service mounts into untyped `Binds`
when creating containers, use the new `Mounts` API which is a 1-1
mapping between service mounts and container mounts.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 821aeb6a6f)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fixes services networks list to be ignored when loading.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 01b70a95c9)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
For previous versions of Docker, `--rm` was handled client side, as such
there was no support in the daemon for it.
Now it is handled daemon side, but we still need to handle the case of a
newer client talking to an older daemon.
Falls back to client-side removal when the daemon does not support it.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit f4bb8c51de)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
The "--no-trunc" option toggles between showing/hiding
digests.
This updates the reference to show this difference.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 90993640f0)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
A recent PR added `(ns|us|ms|s|m|h)` to the descriptions of some
duration options, but not all. Add it to the remaining options for
consistency.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 32b12a28fc)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
network is `nil` if the following case:
```
services:
foo:
image: nginx
networks:
mynetwork:
```
It's a valid compose so we should not panic.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 158388ef8d)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
If env var "DOCKER_API_VERSION" is specified by user, we'll set
`cli.manualOverride`, before this, this field is always true due to
wrong logic.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
(cherry picked from commit 4d54d30477)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Adds section about the hub deprecating the v1 protocol.
Adds note about intent to disable by default and remove support.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit c8f826f407)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
`docker stack deploy` now supports a composefile v3 format that have a
healthcheck.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 3bd64de7a9)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
In case, a container is restarting indefinitely running
"docker stats --no-stream <restarting_container>" is suspended.
To fix this, the daemon makes sure the container is either not
running or restarting if `--no-stream` is set to true and if so
returns an empty stats.
Should fix#27772.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
(cherry picked from commit 786a95493d)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Currently the plugin initialization is too late for a loaded v2 plugin
to be usable as a graph driver.
This moves the initialization up before we create the graph driver.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 020b051dfb)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Instead of not adding experimental routes at all, fail with an explicit
message if the daemon is not running in experimental mode.
Added the `router.Experimental` which does this automatically.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
(cherry picked from commit 3976a33c1a)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
… for healthcheck. It make the code a little cleaner and more
future/usage proof.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 5f81cf11f6)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
the service definition uses the format as defined
in http://man7.org/linux/man-pages/man5/hosts.5.html
(IP_address canonical_hostname [aliases...])
This format is the _reverse_ of the format used in
the container API.
Commit f32869d956
inadvertently used the incorrect order.
This fixes the order, and correctly sets it to;
IP-Address hostname
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f1b9df9172)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
For some reason, `go vet` and `go fmt` validate does not capture
several issues.
The following was the output of `go vet`:
```
ubuntu@ubuntu:~/docker$ go vet ./... 2>&1 | grep -v ^vendor | grep -v '^exit status 1$'
cli/command/formatter/container_test.go:393: possible formatting directive in Log call
volume/volume_test.go:257: arg mp.RW for printf verb %s of wrong type: bool
```
The following was the output of `go fmt -s`:
```
ubuntu@ubuntu:~/docker$ gofmt -s -l . | grep -v ^vendor
cli/command/stack/list.go
daemon/commit.go
```
Fixed above issues with `go vet` and `go fmt -s`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit ace786e9d5)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Modify the service update and create APIs to return optional warning
messages as part of the response. Populate these messages with an
informative reason when digest resolution fails.
This is a small API change, but significantly improves the UX. The user
can now get immediate feedback when they've specified a nonexistent
image or unreachable registry.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 948e60691e)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
When swarm-mode is disabled, we need to return an error indicating this.
406 was chosen for the "Not Acceptable" verbiage, but this code has
specific semantics in relation to the `Accept` header, which aren't
applicable here.
We now use a 503 for this case. While it is not a perfect match, it does
make it clear that the particular "service" (read: API endpoint) is not
available. The body of the message provides the user with enough
information to take action on it by enabling swarm-mode and ensuring the
service is available.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit 1d90d76048)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix is an attempt to address the issue raised in 28339. In
`docker ps`, the formatter needs to expose all fields of `types.Container`
to `preProcessor` so that template could be executed.
This direct exposing is unreliable and could cause issues as user may incorrectly
assume all fields in `types.Container` will be available for templating.
However, the purpose of `preProcessor` is to only find out if `.Size`
is defined (so that opts.size could be set accordingly).
This fix defines `preProcessor` as `map[string]bool` with a func `Size()`.
In this way, any unknown fields will be ignored.
This fix adds several test cases to the existing `TestBuildContainerListOptions`.
This fix fixes 28339.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 312cc7eebd)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix fixes error messages for `--cpus` from daemon.
When `docker run` takes `--cpus`, it will translate into NanoCPUs
and pass the value to daemon. The `NanoCPU` is not visible to the user.
The error message generated from daemon used 'NanoCPU' which may cause
some confusion to the user.
This fix fixes this issue by returning the error in CPUs instead.
This fix fixes 28456.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit d22ac2f3a0)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
During error cases, we dont cleanup correctly. This commit takes care
of removing the plugin, if there are errors after the pull passed. It
also shuts down the plugin, if there are errors after the plugin in the
enable path.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 1144f8f1d4)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
It doesn't make sense to use omitempty here. 0 is a meaningful value and
it's different from the default. If someone sets Parallelism to 0, we
want to show that Parallelism is 0, not hide the field.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit d8b8b12994)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
This fix tries to fix the crash caused by `docker service inspect --pretty`,
by performing necessary nil pointer check.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit b6857e91c1)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Error code resolution is powered by string matching. Not the greatest
thing in the world and I hope no one is proud of this code, but it
works. However, because a map is used, the iteration order of the map is
random, such that if an error matches two of the snippets, it may return
a different error code depending on the seed of the hashmap. This change
converts it to use a slice instead.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit 3484e02590)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
DEVPTS_MULTIPLE_INSTANCES is no longer an option, it is always set, so
do not check for this post 4.8.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 228ee16df3)
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
Cli initialization pings back to remote API and
creates a deadlock if socket is already being
listened by systemd.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
All images in the default registry (AKA docker.io, index.docker.io, and
registry-1.docker.io) are available via the v2 protocol, so there's no
reason to use the v1 protocol. Disabling it prevents useless fallbacks.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
Daemon still does validation and errors out on incorrect options.
Fixes an issue where non-Linux clients attempting to pass tmpfs options
on `docker run` to a Linux daemon will incorrectly error out.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
It is not required to have version prefix for all the remote
APIs. Though there are still quite a few example requests
in api docs that does not have the version prefix.
This fix update the remote api docs to address this issue.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix updates docs for `docker info` for most recent changes.
It also made several chagnes:
1. Replace 0.12.0-dev to 0.13.0 for api docs v1.24.
2. Replace 0.13.0-dev to 0.13.0 for api docs v1.25
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Quite a few changes, as it seems like previous wrapping was done
manually, so it's all over the place.
As noted in #28424
Signed-off-by: Jonathan Boulle <jonathanboulle@gmail.com>
In 28186, `dns-options-add/rm` has been changed to `dns-option-add/rm`
in `docker service create/update`, for the purpose of consistency.
This fix updates bash completion to remove extra `s`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
`StreamConfig` carries with it a dep on libcontainerd, which is used by
other projects, but libcontainerd doesn't compile on all platforms, so
move it to `github.com/docker/docker/container/stream`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
change reading order from beginning at the end to beginning at a buffer start
added intergration tests for boundary cases
Removed whitespace
Signed-off-by: Shayne Wang <shaynexwang@gmail.com>
As is specified in 28018, it would be useful to know the manager's addresses
even in a worker node. This is especially useful when there are many
worker nodes in a big cluster.
The information is available in `info.Swarm.RemoteManagers`.
This fix add the information of `Manager Addresses` to the output
of `docker info`, to explicitly show it.
A test has been added for this fix.
This fix fixes 28018.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
… for `docker images`.
This deprecates the `filter` param for the `/images` endpoint and make a
new filter called `reference` to replace it. It does change the CLI
side (still possible to do `docker images busybox:musl`) but changes the
cli code to use the filter instead (so that `docker images --filter
busybox:musl` and `docker images busybox:musl` act the same).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Translate pull errors to provide a more consistent and user friendly
error message.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
If the image reference in the spec uses a digest, and an image with that
digest already exists locally, avoid an unnecessary repull.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Naivediff fails when layers are created directly on top of
each other. Other graphdrivers which use naivediff already
skip these tests. Until naivediff is fixed, skip with overlay2
when running tests on a kernel which causes naivediff fallback.
Fix applydiff to never use the naivediff size when not applying
changes with naivediff.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This change incorporates feedback from @thaJeztah in the PR that added
the autolock flag. It changes the descriptions to be different for
"swarm init" and "swarm update" so that the boolean nature so that the
purpose of the flag in both contexts is clearer.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This is a temporary version for building
Fedora 25. Fedora 25 will be released during
code-freeze, and is currently in beta, so no
official images are available yet.
Current release date is scheduled for 2016-11-15
https://fedoraproject.org/wiki/Releases/25/Schedule
Once released, the image will be updated for
GA
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes#22564
When an error occurs on mount, there should not be any call later to
unmount. This can throw off refcounting in the underlying driver
unexpectedly.
Consider these two cases:
```
$ docker run -v foo:/bar busybox true
```
```
$ docker run -v foo:/bar -w /foo busybox true
```
In the first case, if mounting `foo` fails, the volume driver will not
get a call to unmount (this is the incorrect behavior).
In the second case, the volume driver will not get a call to unmount
(correct behavior).
This occurs because in the first case, `/bar` does not exist in the
container, and as such there is no call to `volume.Mount()` during the
`create` phase. It will error out during the `start` phase.
In the second case `/bar` is created before dealing with the volume
because of the `-w`. Because of this, when the volume is being setup
docker will try to copy the image path contents in the volume, in which
case it will attempt to mount the volume and fail. This happens during
the `create` phase. This makes it so the container will not be created
(or at least fully created) and the user gets the error on `create`
instead of `start`. The error handling is different in these two phases.
Changed to only send `unmount` if the volume is mounted.
While investigating the cause of the reported issue I found some odd
behavior in unmount calls so I've cleaned those up a bit here as well.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to address 27902 by adding a flag `--host`
to `docker service create` and `--host-add/--host-rm` to
`docker service update`, so that it is possible to
specify extra `host:ip` settings in `/etc/hosts`.
This fix adds `Hosts` in swarmkit's `ContainerSpec` so that it
is possible to specify extra hosts during service creation.
Related docs has been updated.
An integration test has been added.
This fix fixes 27902.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The ANSI escape codes \e[0A (cursor up 0 lines) and \e[0B (cursor down 0 lines)
are not well defined and are treated differently by different terminals. In
particular xterm treats 0 as a missing parameter and therefore defaults to 1,
whereas rxvt-unicode treats these escapes as a request to move 0 lines.
However the use of these codes is unnecessary and were really just hiding the
fact that we were not correctly computing diff when adding a new line. Having
added the new line to the ids map and output the corresponding \n we need to
then calculate a correct diff of 1 rather than leaving it as the default 0
(which xterm then interprets as 1). The fix is to pull the diff calculation out
of the else case and to always do it.
With this in place we can then avoid outputting escapes for moving 0 lines.
Actually diff should never be 0 to start with any more, but check to be safe.
This fixes corruption of `docker pull` seen with rxvt-unicode (and likely other
terminals in that family) seen in #28111. Tested with rxvt-unicode
($TERM=rxvt-unicode), xterm ($TERM=xterm), mlterm ($TERM=mlterm) and aterm
($TERM=kterm).
The test cases have been updated to match the new behaviour.
Signed-off-by: Ian Campbell <ian.campbell@docker.com>
- Neither swarm init or swarm update should take an unlock key
- Add an autolock flag to turn on autolock
- Make the necessary docker api changes
- Add SwarmGetUnlockKey API call and use it when turning on autolock
- Add swarm unlock-key subcommand
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Fixes two tests that tested containers restart policy without
actually having a restart policy
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Fixes a race condition in the kill tests where the container
would be killed but inspected before it's state changed. Fixes
this by waiting for a state change instead.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
When running on a kernel which is not patched for the copy up bug
overlay2 will use the naive diff driver.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This allows for easy extension of adding more parameters to existing
parameters list. Otherwise adding a single parameter changes code
at so many places.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This fix is a follow up to #27567 based on:
https://github.com/docker/docker/pull/27567#issuecomment-259295055
In #27567, `--dns-options` has been added to `service create/update`,
together with `--dns` and `--dns-search`. The `--dns-opt` was used
in `docker run`.
This fix add `--dns-option` (not `--dns-options`) to `docker run/create`, and hide
`--dns-opt`. It is still possible to use `--dns-opt` with
`docker run/create`, though it will not show up in help output.
This fix change `--dns-options`to --dns-option` for `docker service create`
and `docker service update`.
This fix also updates the docs and bash/zsh completion scripts.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The changelog is auto generated and the comment in the generate.sh
script is a lie, these should not be in alphabetical order but
in chronological order.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
- use Filters instead of Filter for secret list
- UID, GID -> string
- getSecrets -> getSecretsByName
- updated test case for secrets with better source
- use golang.org/x/context instead of context
- for grpc conversion allocate with make
- check for nil with task.Spec.GetContainer()
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
- use /secrets for swarm secret create route
- do not specify omitempty for secret and secret reference
- simplify lookup for secret ids
- do not use pointer for secret grpc conversion
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
- fix lint issues
- use errors pkg for wrapping errors
- cleanup on error when setting up secrets mount
- fix erroneous import
- remove unneeded switch for secret reference mode
- return single mount for secrets instead of slice
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
See #21157 for more details.
In a future version of Docker, providing a version to API calls
will be mandatory. An implementation of this is in #27801.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
This fix is based on the comment:
https://github.com/docker/docker/pull/28147#discussion_r86996347
Previously the output string of the `DurationOpt` is `duration-ptr`
and `Uint64Opt` is `uint64-ptr`. While it is clear to developers,
for a normal user `-ptr` might not be very informative.
On the other hand, the default value of `DurationOpt` and `Uint64Opt`
has already been quite informative: `none`. That means if no flag
provided, the value will be treated as none.
(like a ptr with nil as the default)
For that reason this fix removes the `-ptr`.
Also, the output in the docs of `service create` has been quite
out-of-sync with the true output. So this fix updates the docs
to have the most up-to-date help output of `service create --help`.
This fix is related to #28147.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Refactored to move resolution code into the idresolver
- Made `ps` output more bearable by shortening service IDs in task names
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
This fix adds `--dns-add`, `--dns-rm`, `--dns-opt-add`, `--dns-opt-rm`,
`--dns-search-add` and `--dns-search-rm` to `service update`.
An integration test and a unit test have been added to cover the changes in this fix.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the issue raised in 24391 about allowing
custom DNS settings to service definition.
This fix adds `DNSConfig` (`Nameservers`, `Options`, `Search`) to
service definition, as well as `--dns`, `--dns-opt`, and `dns-search`
to `service create`.
An integration test has been added to cover the changes in this fix.
This fix fixes 24391.
A PR in swarmkit will be created separately.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
There is no reason to duplicate efforts and tini is well built and
better than grimes. It is a much stronger option for the default init
and @krallin has done a great job maintaining it and helping make
changes so that it will work with Docker.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add the following options to "swarm init" and "swarm update":
- --max-snapshots: Retain this many old Raft snapshots in addition
to the latest one
- --snapshot-interval: Number of log entries between Raft snapshots
These options already existed in SwarmKit and the Docker API but were
never exposed in the CLI. I'm adding them here to fix this oversight.
--max-snapshots may be useful for debugging purposes and more
conservative users who want to store rolling backups of old versions of
the Raft state.
--snapshot-interval is most useful for performance tuning. The default
value of 10000 may not be ideal for some setups.
There is also a LogEntriesForSlowFollowers option that is not exposed. I
decided not to expose it along with these others because I don't think
it's generally useful (and I'm not sure what I would call the CLI flag).
But if people want, I can expose it for the sake of completeness.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
We clean up the journald logger with these four changes.
1. Make field array static
2. Make function name more appropriate
3. Initialize the file descriptors only once
4. Avoid copying the journald cursor
Point 4 is the most significant change: instead of treating the journald
cursor like a Go string we use it as a raw C.char pointer. That way we
avoid the copying by the C.CString and C.GoString functions.
Signed-off-by: Silvan Jegen <s.jegen@gmail.com>
This version:
- properly follow context cancellation on Start and Exec
- add support for Solaris
- ensure exec exit events are always seen before init's
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This remove a dependency on `go-check` (and more) when using
`pkg/idtools`. `pkg/integration` should never be called from any other
package then `integration`.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix is based on the comment in
https://github.com/docker/docker/pull/27567#discussion_r86910604
Basically, in the help output of `docker service update`, the `--xxx-add`
flags typically have plural forms while `--xxx-rm` flags have singular
forms.
This fix updates the help output for consistency.
This fix also updates the related docs in `service_update.md`.
The help output in `service_update.md` has been quite out-of-sync
with the actual output so this fix replaces the output with the
most up-to-date output.
This fix is related to #27567.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
update cobra and use Tags
Signed-off-by: Victor Vieux <vieux@docker.com>
allow client to talk to an older server
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix revendor swarmkit to 29950a4e9912178cadb72abc5a445e3a857cb2b0.
This fix is related to 28031.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to add `--tty` to `docker service create/update`. As was
specified in 25644, `TTY` flag has been added to SwarmKit and is
already vendored.
This fix add `--tty` to `docker service create/update`.
Related document has been updated.
Additional integration tests has been added.
This fix fixes 25644.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- yamllint to ensure it is a valid YAML file
- go-swagger validate to ensure it is a valid swagger file
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
- Some objects were missing `type: "object"`
- Some examples had invalid null values (go-swagger validation
doesn't support x-nullable, so they have just been removed)
- ImageSummary example was out of date
- Removed timeNano because YAML interprets it as a float, not
a long (sigh)
- Tidy up archive errors
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
Fixes a bug where a test would fail due to jq syntax
not being supported on all versions. Changes the syntax
to an equivalent way also supported on older versions.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This fix is part of the fix for issue 25099. In 25099, if an env
has a empty name, then `docker run` will throw out an error:
```
ubuntu@ubuntu:~/docker$ docker run -e =A busybox true
docker: Error response from daemon: invalid header field value "oci runtime error:
container_linux.go:247: starting container process caused \"process_linux.go:295:
setting oom score for ready process caused \\\"write /proc/83582/oom_score_adj:
invalid argument\\\"\"\n".
```
This fix validates the Env in the container spec before it is sent
to containerd/runc.
Integration tests have been created to cover the changes.
This fix is part of fix for 25099 (not complete yet, non-utf case
may require a fix in `runc`).
This fix is related to 25300.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Ubuntu 16.10 has been released http://releases.ubuntu.com/yakkety/
Note that this is a short-term release, so will
EOL (and removed again) in 9 months
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
PR 24978 adds hint of of progress to the output of `docker build`
for 1.13, in the format of
```
Step 1/5 ...
...
Step 2/5 ...
...
```
Though some of the docs hasn't been updated.
This fix did a grep in docs and updated the related places.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Remove the following comment in pullV2Tag:
// NOTE: not using TagService.Get, since it uses HEAD requests
// against the manifests endpoint, which are not supported by
// all registry versions.
This is actually not an issue, because TagService.Get does a fallback to
GET if HEAD fails. It has done this ever since TagService was added to
the distribution API, so this comment was probably based on an early
version of TagService before it was merged, or was always a
misunderstanding.
However, we continue to use ManifestService.Get instead because it
saves a round trip. The manifest can be retrieved directly instead of
resolving the digest first.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.
Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.
Test for #27590
Update runc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fix tries to address the proposal raised in 27921 and add
`--cpus` flag for `docker run/create`.
Basically, `--cpus` will allow user to specify a number (possibly partial)
about how many CPUs the container will use. For example, on a 2-CPU system
`--cpus 1.5` means the container will take 75% (1.5/2) of the CPU share.
This fix adds a `NanoCPUs` field to `HostConfig` since swarmkit alreay
have a concept of NanoCPUs for tasks. The `--cpus` flag will translate
the number into reused `NanoCPUs` to be consistent.
This fix adds integration tests to cover the changes.
Related docs (`docker run` and Remote APIs) have been updated.
This fix fixes 27921.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The validate-lint script excludes any package names that match
api/types. However, the only subpackage that appears to cause issues is
api/types/container (due to stuttering names). Tighten the filtering so
that other code inside api/types is validated.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When a container is attached to an "--attachable" network, it strictly
forms the attacherKey using either the network-id or network-name
because at the time of attachment, the daemon may not have the network
downloaded locally from the manager. Hence, when the NetworkDettach is
called, it should use either network-name or network-id. This fix
addresses the missing network-id based dettachment case.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Allow each script to run directly without the hack/make.sh wrapper. These
scripts do not produce artifacts and do not benefit from the "bundles"
framework.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
In some cases, attempting to `docker cp` to a container's volume dir
would fail due to the volume mounts not existing after performing a
bind-mount on the container path prior to doing a pivot_root.
This does not seem to be effecting all systems, but was found to be a
problem on centos.
The solution is to use an `rbind` rather than `bind` so that any
existing mounts are carried over.
The `MakePrivate` on `path` is no longer neccessary since we are already
doing `MakeRPrivate` on `/`.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The short description should be kept short. Spanning on several lines is
a bit ugly. A user can still get more information in the manual or we
can expand the long description instead if we want (there is currently
none).
This reverts a bit of #26683.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Updates the ppc64le `make deb` trusty download link to be
consistent with the other Dockerfiles. Also minor clarification
to how we install go.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
When a conflict is found in the volume cache, check with the driver if
that volume still actually exists.
If the volume doesn't exist, purge it from the cache and allow the
create to happen.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Manager now auto-detects the address that an agent connects to the cluster
from and stores it. This is useful for many kinds of internal cluster
management tools.
Signed-off-by: Drew Erny <drew.erny@docker.com>
This adds support to display names or id of container instead of what
was provided in the request.
This keeps the default behavior (`docker stats byname` will display
`byname` in the `CONTAINER` colmun and `docker stats byid` will display
the id in the `CONTAINER` column) but adds two new format directive.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The PowerShell completion script was outdated,
and removed from this repository in
65fdbf0210.
A more up to date implementation can be found
here; https://github.com/samneirinck/posh-docker
Removing this script from the tgz
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Although primarily a human readable script, it is quite useful
to return success or failure from this script so it can be used
as a basic test.
Fail if any check fails, including some that are optional,
other than the storage driver tests, where only one needs to
succeed, so the system has at least one workable storage driver.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
The overlay2 change ensures that the correct path is used to resolve the
symlink. The current code will not fail since the symlinks are always given
a value of "../id/diff" which ends up ignoring the incorrect "link" value.
Fix this code so it doesn't cause unexpected errors in the future if the
symlink changes.
The layerstore cleanup ensures that the empty layer returns a tar stream if
the provided parent is empty. Any value other than empty still returns an
error since the empty layer has no parent. Currently empty layer is not
used anywhere that TarStreamFrom is used but could break in the future if
this function is called.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
diff:
```patch
diff --git a/Makefile b/Makefile
index 0b2b063..70df01b 100644
--- a/Makefile
+++ b/Makefile
@@ -1,3 +1,4 @@
+GIT_VERSION := $(shell git describe --abbrev=40 --long --dirty --always --tags)
all:
- gcc -O2 -o init -static grimes.c
+ gcc -O2 -DVERSION=\"$(GIT_VERSION)\" -o init -static grimes.c
diff --git a/grimes.c b/grimes.c
index d0f836b..ffeea98 100644
--- a/grimes.c
+++ b/grimes.c
@@ -29,7 +29,7 @@ typedef struct reaper_t {
} reaper_t;
// reaper_new initializes the reaper with the provided process.
-// it also sets up the signal handlers and child handlers for restore
+// it also sets up the signal handlers and child handlers for restore
// when the child is execed
int reaper_new(reaper_t * reaper, process_t * process)
{
@@ -57,7 +57,7 @@ int reaper_new(reaper_t * reaper, process_t * process)
return 0;
}
-// reaper_exit closes the reaper's signalfd and exits with the
+// reaper_exit closes the reaper's signalfd and exits with the
// child's exit status
void reaper_exit(reaper_t * reaper, int status)
{
@@ -68,11 +68,11 @@ void reaper_exit(reaper_t * reaper, int status)
exit(WEXITSTATUS(status));
}
-// reaper_reap reaps any dead processes. If the process that is reaped
+// reaper_reap reaps any dead processes. If the process that is reaped
// is the child process that we spawned get its exit status and exit this program
int reaper_reap(reaper_t * reaper)
{
- int status, child_exited, child_status = 0;
+ int status = 0, child_exited = 0, child_status = 0;
for (;;) {
pid_t pid = waitpid(-1, &status, WNOHANG);
switch (pid) {
@@ -140,6 +140,12 @@ int main(int argc, char **argv)
{
process_t process;
reaper_t reaper;
+
+ if (argc == 2 && !strcmp(argv[1], "--version")) {
+ printf("grimes version %s\n", VERSION);
+ exit(0);
+ }
+
if (reaper_new(&reaper, &process) != 0) {
bail("initialize reaper %s", strerror(errno));
}
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
When trying to attach to swarm scope network for an unmanaged container
sometimes even if attaching to network succeeds, we may not find the
network because some other container which was using the network went
down and removed the network. So if it is not found, try to detach and
reattach to re-download the network from the manager.
Fixes#26588
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
This fix tries to address the issue raised in 27969 where
duplicate identical bind mounts for `docker run` caused additional volumes
to be created.
The reason was that in `runconfig`, if duplicate identical bind mounts
have been specified, the `copts.volumes.Delete(bind)` will not truly
delete the second entry from the slice. (Only the first entry is deleted).
This fix fixes the issue.
An integration test has been added to cover the changes
This fix fixes 27969.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Previously, when the graphdir was a root of a mountpoint, we would not
be able to cleanup the graphdir, as the script would umount in case
target dir is a mount itself
```/etc/mtab
/dev/xvdc1 /var/lib/docker btrfs
```
When running the script, the graphdir would be unmounted and it would
remove a (possibly) empty folder.
```
Nuking /var/lib/docker ...
(if this is wrong, press Ctrl+C NOW!)
+ sleep 10
+ umount -f /var/lib/docker
+ rm -rf /var/lib/docker
```
This PR includes the necessary changes to nuke the folder on this
scenario, including when the graphdir is a btrfs mount iself.
Signed-off-by: Bruno Tavares <btavare@thoughtworks.com>
RWLayers do not implement the tar stream from, moved the
definition to Layer instead of TarStreamer
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Allow built images to be squash to scratch.
Squashing does not destroy any images or layers, and preserves the
build cache.
Introduce a new CLI argument --squash to docker build
Introduce a new param to the build API endpoint `squash`
Once the build is complete, docker creates a new image loading the diffs
from each layer into a single new layer and references all the parent's
layers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
These features were originally scheduled
for removal in docker 1.13, but we changed
our deprecation policy to keep features
for three releases instead of two.
This updates the deprecation version
to match the deprecation policy.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In file `api/types/client.go`, some of the "*Options{}" structs own a
`Filters` field while some else have the name of `Filter`, this commit
will rename all `Filter` to `Filters` for consistency. Also `Filters`
is consistent with API with format `/xxx?filters=xxx`, that's why
`Filters` is the right name.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Now that overlay has matured, using
overlay is a better choice than devicemapper
on loopback devices.
This change promotes overlay in the
priority list. It also adds the
overlay2 graphdriver to the list
because overlay2 (if supported)
should be preferred over overlay.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds Akihiro as a maintainer for
docker/docker, as was proposed and
voted on the maintainers mailinglist.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.
Fixed issue #23459
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
Since the plugin APIs have not changed for local-scoped network drivers
between plugin-v1 and v2, a simple test to validate the bootstrapping
and network creation APIs would suffice.
Any network driver specific API validations are handled independent of
plugin v1 or v2 format.
Using a sample v2 network plugin :
https://github.com/mavenugo/test-docker-netplugin/
Signed-off-by: Madhu Venugopal <madhu@docker.com>
As is seem in the comment of `normaliseWorkdir` for windows:
```
...
// WORKDIR c:\\foo --> C:\foo
// WORKDIR \\foo --> C:\foo
...
```
However, this is not the case in the current implementation because
`filepath.FromSlash` is used and `FromSlash` does not replace multiple
separator with a single one (`file.Clean` does).
So `normaliseWorkdir` does not truly normalize workdir.
This fix changes the implementation of `normaliseWorkdir` and use
`filepath.Clean` instead of `filepath.FromSlash`.
Additional test cases have been added to the unit test.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The current check for uname -m just looks for *64 which hits a lot
more cases than it should (mips for ex), and ignores a few that it shouldn't.
This check will run the install script if on a supported architecture
(x86_64 or amd64) or an unofficial one with a docker repository
(armv6l or armv7l) and will give a more accurate error on an unofficial
64-bit architecture that isn't in the docker repository.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
To load an image from a tar file, you can specify
the tar file in the -i/--input option:
docker load -i image_1.tar
or using stdin:
docker load < image_1.tar
cat image_1.tat | docker load
If the image file isn't given the `docker load`
command gets stuck.
To avoid that, the load makes sure the CLI input is
not a terminal or the `--input` option was set.
If not then an error message is shown.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
When a container is run on a --attachable network, the endpoint
configs passed by the user were incorrectly overwritten.
Copy the relevant configs instead of overwriting the entire configs.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Just to help the next time someone goes looking for it while debugging.
Like @jhowardmsft and I did while looking at #27545.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Commit dd28ded711
brought in new networking features and API, but
did not document the available IPAM options.
This adds a description of those options.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If user namespaces is enabled on the daemon, reveal that via docker info
by adding "userns" to the list of security options reported by the
info endpoint.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
When processing the --userns-remap flag, add the
capability to call out to `getent` if the user and
group information is not found via local file
parsing code already in libcontainer/user.
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
* change workdir for accessing install-binaries.sh
* use other gopath for binaries to preserve sources
* add sources of proxy and grimes to rpc spec
* use dynamic proxy with -linkmode external in deb and rpm
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
It seems that `max-concurrent-downloads` and `max-concurrent-uploads`
are supported in Windows for `config.json`. Though that was not
mentioned in the docs for dockerd.md.
This fix adds the following to the example `config.json` file for Windows:
```
"max-concurrent-downloads": 3,
"max-concurrent-uploads": 5,
```
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
--group-add was used for specifying groups for both service create
and service update. For create it was confusing since we don't have
an existing set of groups. Instead I added --group to create, and
moved --group-add to service update only, like --group-rm
This deals with issue 27646
Signed-off-by: Lily Guo <lily.guo@docker.com>
Update flag documentation
Specify that --group, --group-add and --groupd-rm refers to
supplementary user groups
Signed-off-by: Lily Guo <lily.guo@docker.com>
Fix docs for groups and update completion scripts
Signed-off-by: Lily Guo <lily.guo@docker.com>
When converting an opaque directory always keep the original
directory tar entry to ensure directory is created with correct
permissions on restore.
Closes#27298
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Right now we do have a problem to store the .debs for raspbian-jessie and
debian-jessie distro version for armhf arch. Both .debs have the same filename
so we have to include the distro version, too.
Signed-off-by: Dieter Reuter <dieter.reuter@me.com>
As for `ps`, `images`, `network ls` and `volume ls`, this makes it
possible to define a custom default format.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When daemon fails to load an authz plugin, it should be removed from
the plugin list. Else the plugin is retried on every request and
response, resulting in undesired behavior (eg. daemon panic)
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
A HealthConfig entry was added to the ContainerSpec associated with the
service being created or updated.
Signed-off-by: Cezar Sa Espinola <cezarsa@gmail.com>
fmt package formats an error by calling its Error() method.
This results in recursion. Fix this. Also remove dead code.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Many distributions now use ext4 to provide ext2 and ext3 support,
so do not warn about possibly missing ext3 support if the config
option is used.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Fixes#27779
Currently `followLogs` can get into a deadlock if we receive an inotify
IN_MODIFY event while we are trying to close the `fileWatcher`. This is
due to the fact that closing the `fileWatcher` happens in the same block
as consumes events from the `fileWatcher`. We are trying to run
`fileWatcher.Close`, which is waiting for an IN_IGNORE event to come in
over inotify to confirm the watch was been removed. But, because an
IN_MODIFY event has appeared after `Close` was entered but before the
IN_IGNORE, the broadcast never comes. The IN_MODIFY cannot be consumed
as the events channel is unbuffered and the only `select` that reads
from it is busy waiting for the IN_IGNORE event.
In order to try and fix this race condition I've moved the removal of
the `fileWatcher` out to a separate go block that waits for a signal to
close, removes the watcher and then signals to the previous selects on
the close signal.
This has introduced a `fileWatcher.Remove` in the final case, but if we
try and remove a watcher that does not exist it will just return an
error saying so. We are not doing any checking on the return of `Remove`
so this shouldn't cause any side-effects.
Signed-off-by: Tom Booth <tombooth@gmail.com>
It's leftover from #20342 . We used to need this so we
can use armv6 binaries as bootstrap to build golang.
Now it's not needed.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Make it possible to use health_status, exec_start and exec_create as
is in event filter. This way, using `health_status` as filter will allow
to get all health_status events (healthy, unhealthy, …) instead of
having to us all combination (`health_status: healthy`, `health_status:
unhealthy`, …). Same goes for `exec_start` and `exec_create`.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue in 24712 and add
`--env-file` file to `docker create service`.
Related documentation has been updated.
An additional integration has been added.
This fix fixes 24712.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the bug reported by #24693 where an empty
line after escape will not be stopped by the parser.
This fix addresses this issue by stop the parser from continue
with an empty line after escape.
An additional integration test has been added.
This fix fixes#24693.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This adds a metrics packages that creates additional metrics. Add the
metrics endpoint to the docker api server under `/metrics`.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add metrics to daemon package
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
api: use standard way for metrics route
Also add "type" query parameter
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Convert timers to ms
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The --name flag was inadvertently added to
docker service update, but is not supported,
as it has various side-effects (e.g., existing
tasks are not renamed).
This removes the flag from the service update
command.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address the issue raised in 26341
where multiple addresses in a bridge may cause `--fixed-cidr`
to not have the correct addresses.
The issue is that `netutils.ElectInterfaceAddresses(bridgeName)`
only returns the first IPv4 address.
This fix (together with the PR created in libnetwork )
changes `ElectInterfaceAddresses()` and `addresses()`
so that all IPv4 addresses are returned. This will allow the
possibility of selectively choose the address needed.
In `daemon_unix.go`, bridge address is chosen by comparing with
the `--fixed-cidr` first, thus resolve the issue in 26341.
This fix is tested manually, as is described in 26341:
```
brctl addbr cbr0
ip addr add 10.111.111.111/20 dev cbr0 label cbr0:main
ip addr add 10.222.222.222/12 dev cbr0 label cbr0:docker
ip link set cbr0 up
docker daemon --bridge=cbr0 --iptables=false --ip-masq=false --fixed-cidr=10.222.222.222/24
docker run --rm busybox ip route get 8.8.8.8 | grep -Po 'src.*'
src 10.222.222.0
```
This fix fixes 26341.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
`golint` had the following issue when linting this file:
```
daemon/logger/jsonfilelog/read.go:116:10: should omit type io.Reader
from declaration of var rdr; it will be inferred from the right-hand
side
```
In order to keep it happy changing it to an indirect assignment will
still maintain the same functionality.
Signed-off-by: Tom Booth <tombooth@gmail.com>
containers may specify these cgroup values at runtime. This will allow
processes to change their priority to real-time within the container
when CONFIG_RT_GROUP_SCHED is enabled in the kernel. See #22380.
Also added sanity checks for the new --cpu-rt-runtime and --cpu-rt-period
flags to ensure that that the kernel supports these features and that
runtime is not greater than period.
Daemon will support a --cpu-rt-runtime flag to initialize the parent
cgroup on startup, this prevents the administrator from alotting runtime
to docker after each restart.
There are additional checks that could be added but maybe too far? Check
parent cgroups to ensure values are <= parent, inspecting rtprio ulimit
and issuing a warning.
Signed-off-by: Erik St. Martin <alakriti@gmail.com>
Even after a slew of PRs, this still wasn't quite right. Now, we ensure
the task name is calculared in one place in the executor, as least.
We'll have to follow this up once the `api/naming` package from SwarmKit
lands.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This fix tries to address the issue raised in 26179 where an env file
with non-ascii or utf8 bytes will crash on windows platform.
The issue is two-fold:
- Windows will adds a BOM mark at the begining with Notepad as the editor
- Non-utf8 bytes can not be handled by env file parser.
This fix removes utf8 BOM marker if exists so that utf8 encoded env file
could be processed.
This fix also returns an error (instead of a runtime CreateProcess crash)
if env file contains non-utf8 bytes, thus giving users better experiences.
Additional test cases has been added in unit tests.
This fix fixes 26179.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This means we can vendor libnetwork without special casing, and
it is built the same way as the other external binaries.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
In #23614 `docker inspect` was semantically enhanced to inspect "everything".
Therefore moving its logic to `_docker_container_inspect` was not correct.
This commit moves it back to its original top-level location (`_docker_inspect`)
so that it can be called by `_docker_{container,image}_inspect` and others (will
be added in follow-up PRs).
Parameterization was added in order to get caller-specific behavior.
Signed-off-by: Harald Albers <github@albersweb.de>
`docker network prune` prunes unused networks, including overlay ones.
`docker system prune` also prunes unused networks.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
The following sentences (introduced in v1.11 via #21160) were misleading for Swarm mode services (>= v1.12)
For networks backed by multi-host network driver, such as Overlay,
this command also shows the container endpoints in other hosts in the
cluster. These endpoints are represented as "ep-{endpoint-id}" in the output.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
A recent change fixed integration tests to use "API" in test names
instead of "Api". A new test was added in a PR opened before this
change, and didn't benefit from the cleanup. Fix its name.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fix tries to address the issue raised in 27695 where
duplicate `nat` and `null` has been listed in `docker info`
for Windows.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Currently, there's no way to restart the tasks of a service without
making an actual change to the service. This leads to us giving awkward
workarounds as in
https://github.com/docker/docker.github.io/pull/178/files, where we tell
people to scale a service up and down to restore balance, or make
unnecessary changes to trigger a restart.
This change adds a --force option to "docker service update", which
forces the service to be updated even if no changes require that.
Since rolling update parameters are respected, the user can use
"docker service --force" to do a rolling restart. For example, the
following is supported:
docker service update --force --update-parallelism 2 \
--update-delay 5s myservice
Since the default value of --update-parallelism is 1, the default
behavior is to restart the service one task at a time.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
cURL 7.50 changed the validation for URL's
when using socket connections. cURL 7.4x
did not expect a hostname, whereas cURL
7.5x and above _requires_ a hostname.
See https://github.com/curl/curl/issues/936
This updates the example to take both
versions into account, because cURL 7.4x
is still widely used by distros.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `archive` package defines aliases for `io.ReadCloser` and
`io.Reader`. These don't seem to provide an benefit other than type
decoration. Per this change, several unnecessary type cases were
removed.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
If parent of the destination path is shared, this
path will be unmounted from the parent ns even if
the path itself is private.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Passing {{.Networks}} to the format parameter will prompt ps to
display all the networks the container is connected to.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This fix tries to address the issue raised in 25545 where
volume options at the creation time is not showed up
in `docker volume inspect`.
This fix adds the field `Options` in `Volume` type and
persist the options in volume db so that `volume inspect`
could display the options.
This fix adds a couple of test cases to cover the changes.
This fix fixes 25545.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Keeping the current behavior for exec, i.e., inheriting
variables from main process. New variables will be added
to current ones. If there's already a variable with that
name it will be overwritten.
Example of usage: docker exec -it -e TERM=vt100 <container> top
Closes#24355.
Signed-off-by: Jonh Wendell <jonh.wendell@redhat.com>
Go can falsely report a larger page size than supported,
causing overlay2 mount arguments to be truncated. When overlay2
detects the mount arguments have hit the page limit, it will
switch to using relative paths. If this limit is smaller than
the actual page size there is no behavioral problems, but if it
is larger mounts can fail for images with many layers.
Closes#27384
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This vendors a fork of logrus with fixes to deal with errors generated
by the github.com/pkg/errors package. Without these fixes, the errors
are mishandled when passed to WithError:
- When printing to a terminal (colors enabled), stack traces are
included in the error fields on a log line.
- When printing to a file (or with colors disabled), the error value is
missing entirely.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This adds support for two enhancements to swarm service rolling updates:
- Failure thresholds: In Docker 1.12, a service update could be set up
to either pause or continue after a single failure occurs. This adds
an --update-max-failure-ratio flag that controls how many tasks need to
fail to update for the update as a whole to be considered a failure. A
counterpart flag, --update-monitor, controls how long to monitor each
task for a failure after starting it during the update.
- Rollback flag: service update --rollback reverts the service to its
previous version. If a service update encounters task failures, or
fails to function properly for some other reason, the user can roll back
the update.
SwarmKit also has the ability to roll back updates automatically after
hitting the failure thresholds, but we've decided not to expose this in
the Docker API/CLI for now, favoring a workflow where the decision to
roll back is always made by an admin. Depending on user feedback, we may
add a "rollback" option to --update-failure-action in the future.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This version is across all plugin types and it versions the actual RPC
API between the daemon and the plugin.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This fix tries to add a daemon config parameter `--shutdown-timeout`
that specifies the timeout value to stop containers gracefully
(before SIGKILL). The default value is 15s.
The `--shutdown-timeout` parameter is added to daemon options and
config file. It will also be updated during daemon reload.
Additional test cases have been added to cover the change.
This fix fixes#22471.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24392 where
labels with duplicate keys exist in `docker info`, which
contradicts with the specifications in the docs.
The reason for duplicate keys is that labels are stored as
slice of strings in the format of `A=B` (and the input/output).
This fix tries to address this issue by checking conflict
labels when daemon started, and remove duplicate labels (K-V).
The existing `/info` API has not been changed.
An additional integration test has been added to cover the
changes in this fix.
This fix fixes 24392.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fixes a regression bug not to connect the destination node twice or more.
That regression was brought by v1.2.0, and it also makes many goroutines for
first reconnection (these will finish after first reconnection established).
Signed-off-by: Satoshi Tagomori <tagomoris@gmail.com>
This fix tries to add a flag `--stop-timeout` to specify the timeout value
(in seconds) for the container to stop before SIGKILL is issued. If stop timeout
is not specified then the default timeout (10s) is used.
Additional test cases have been added to cover the change.
This fix is related to #22471. Another pull request will add `--shutdown-timeout`
to daemon for #22471.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In kernel version >= v4.5 the project quota ioctl definitions
have been made public via the include/uapi/linux/fs.h API, so
that ext4 could use the same API.
Avoid re-defining the ioctl API if it is already defined in fs.h.
Signed-off-by: Amir Goldstein <amir73il@aquasec.com>
As of https://github.com/docker/swarmkit/pull/1607, swarmkit honors
global network plugins while allocating network resources.
This IT covers the e2e integration between libnetwork, swarmkit and
docker engine to support global network-plugins for swarm-mode
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Currently the plugins pkg allows a single handler. This assumption
breaks down if there are mutiple listeners to a plugin of a certain
Manifest such as NetworkDriver or IpamDriver when swarm-mode is enabled.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Unfortunately, `(f)` aka `(ps:\n:)` flag will not create an array when
there is only one line. The subsequent use of indexes will then affect
the string. This leads to `docker rmi <tab>` to complete on the header
line instead of nothing.
Therefore, for each use of `(f)`, we ensure that we have an extra new
line to be sure we get an array.
Credit to @povesteam for the original report and fix in #27373.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Fedora 22 reached end of life on July 19th, and
will no longer receive updates;
https://fedoramagazine.org/fedora-22-end-of-life-2016-july/
With the recent release of Fedora 24, Fedora 22 will officially enter End Of
Life (EOL) status on July 19th, 2016. After July 19th, all packages in the
Fedora 22 repositories will no longer receive security, bugfix, or enhancement
updates, and no new packages will be added to the Fedora 22 collection.
Upgrading to Fedora 23 or Fedora 24 before July 19th 2016 is highly recommended
for all users still running Fedora 22.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 9bd8a9b66b
added KernelMemory to the API, but forgot
to include this in the API changelog.
This adds the missing entry in the API
changelog.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was added in e41de3e631,
but can be a bit confusing due to the "outer" brackets
being for JSON, and the "inner" brackets to indicate
optional values.
During review of that change, this alternative
format was suggested.
Updating the example to use the format that was discussed
during review :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to fix an incorrect `WARNING` output in `docker run/create`:
```
ubuntu@ubuntu:~/docker$ docker run -d --cpu-percent 80 busybox top
WARNING: %s does not support CPU percent. Percent discarded.
WARNING: linux
e963d1108e455e7f8f57626ca1305b5f1999e46025d2865b9a21fc8abc51a546
```
The reason was that in `daemon/daemon_unix.go`, the warning string
was not combined with `fmt.Sprintf` before appended to the output.
This fix fixes this issue.
This fix has been manually tested and verified:
```
ubuntu@ubuntu:~/docker$ docker run -d --cpu-percent 80 busybox top
WARNING: linux does not support CPU percent. Percent discarded.
fcf53f79d389235bae846d3d40804834659ac025edbc0d075ed91841a8e4c740
```
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
On Raspbian and Debian Jessie for ARMv7 (aka armhf), the builtags for runc
were missing. These buildtags should include 'apparmor' and 'selinux'.
Signed-off-by: Jean-Christophe Berthon <huygens@berthon.eu>
TestBuildLabelsOverride was consistently failing due to "Windows does not support FROM scratch" error
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
- some function signatures have changed - use the new ones
- re-generate the notary delegation key certs, since notary doesn't allow SHA1
- fix some error message mapping because now if a root rotation fails to validate trusted operations will fail
Signed-off-by: cyli <cyli@twistedmatrix.com>
Some frontmatter such as the weights, menu stuff, etc is no longer used
'draft=true' becomes 'published: false'
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
This fix tries to address the issue raised in 25855 where the command
`docker deploy` can only accept a STACK without extension of `.dab`.
In other words, `docker deploy hellojavaee.dab` gives an error:
```
Bundle hellojavaee.dab.dab not found. Specify the path with --file
```
This fix updates the way namespace STACK is taken so that in case
`STACK.dab` is provided with `docker deploy`:
```
$ docker deploy STACK.dab
```
The `STACK` is used as namespace (instead of `STACK.dab`).
NOTE: This fix will only allows `.dab` extension in namespace, because
it is not possible to have a namespace with `.` in the middle. In other
words, a namespace `hello.java.ee` will not work anyway (whether the file
`hello.java.ee` exists or not).
An additional integration test has been added to cover the changes.
This fix fixes 25855.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is related to 27049 and 27047. For `--label` flag, if string slice is
used (like 27047), then quote can not be used in command and will result in
an error :
```
line 1, column 14: bare " in non-quoted-field
```
The issue 27047 has been fixed by 27049.
Recently I found out that both `docker network create --label` and `docker volume create --label`
still use string slice and will return the same error when quotes are used.
This fix fixes `docker network create --label` and `docker volume create --label`
by using `ListOpt` (as 27049) as well.
This fix has been tested and verified manually.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
On typical x86_64 machines, /sys/firmware can contain SMBIOS and ACPI tables.
There is no need to expose the directory to containers.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
The code that handles waiting for the servicing container to complete correctly grabs the exit code and logs a failure, but doesn't return that failure to the caller, mistakenly causing servicing operations to look successful when they really failed during processing.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
The docker client has historically used Transport.TLSClientConfig to set
the scheme for the API client. A recent moved the resolution to use the
http.Transport directly, rather than save the TLSClientConfig state on a
client struct. This caused issues when mutliple calls made with a single
client would have this field set in the http package on pre-1.7
installations. This fix detects the presence of the TLSClientConfig once
and sets the scheme accordingly.
We still don't know why this issue doesn't happen with Go 1.7 but it
must be more deterministic in the newer version.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
In 27294, `Size` and `RefCount` has been wrapped into `UsageData`
and is only exposed in `GET system/df`. Though the docs was not
updated in `docker_remote_api_v1.25.md`.
This fix updates the docs to refect the changes for `UsageData`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This information was added in
1efc940e6f,
but removed again in
a271eaeba2
to make the help-output fit in a 80-chars
terminal.
This adds the available options again
in the help output, and updates the CLI
reference documentation to match actual
output.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The formatter.ContainerStats struct exposes its Mutex.
This is a bad design and should be fixed.
To fix that, I separated the statistics
attributes from ContainerStats to StatsEntry and
hid the mutex. Notice that the mutex protects both
the `err` field and the statistics attributes.
Then, implemented SetStatistics, SetError, GetStatistics
and GetError to avoid races.
Moreover, to make this less granular, I decided to
replace the read-write mutex with the regular mutex and
to pass a StatsEntry slice to formatter.ContainerStatsWrite
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.
Previously there was no way to allow containers not running as root
capabilities in a useful way.
Fix#8460
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
- Tightened up copy in README
- Make example in README a bit simpler
- Update README to point at GoDoc
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
This fixes an issue when wait4 returns a 0 return status causing the
reaping loop to continue to run.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Apparently, Debian stretch does not come with gpg installed by
default. This patch ensures that gpg is installed.
Signed-off-by: Tibor Vass <tibor@docker.com>
This performs a similar check to the `"ConEmuANSI"` check that was recently
added to enable arrow keys navigation in docker container terminals.
Signed-off-by: Josh Wilson <josh.wilson@fivestars.com>
After building docker from the git repo, you can run
```
./contrib/mac-install-bundle.sh install
```
and this will tell Docker for Mac to look for a bundle at the current
path to run instead of the built in version of Docker. This will persist
until you do a factory reset or run
```
./contrib/mac-install-bundle.sh undo
```
A factory reset is advised to reset as a development Docker may break your
install.
The path must be a path that is shared with Docker for Mac so that the VM
can find it - nothing is installed into the image.
This is in `contrib/` as it is a best effort attempt to make it easier for
Docker for Mac users to test master or pull requests. If it breaks anything
a factory reset is your friend.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
During the recent OCI changes, I mistakenly thought LayerFolderPath is only needed for Windows Server containers (isolation=process) and not for Hyper-V Containers, but it turns out it is also required for servicing containers used to finish installing updates. Since the servicing containers need to reuse the container's create options, this change makes it so that LayerFolderPath is always filled in for all containers as part of constructing the create options.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
plugingetter is indepedent of docker/docker packages, so it can be
moved to pkg. This is also necessary for authorization plugins (part of
pkg) to use pluginv2. The original path at plugin/getter will be
eventually removed, when external repos (eg. libnetwork) update their
import paths.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
While look at #27039 I noticed that we allow for whitespace after
the continuation char (\\) which is wrong. It needs to be the very
last char in the line.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This appears to be missing. NAT (via iptables) is required in order to
setup Docker networking.
Signed-off-by: Charlie Drage <charlie@charliedrage.com>
This update adds support for non-base layers that have utility VM updates
and hard links. This is necessary to support Microsoft-released layers
with servicing updates.
Signed-off-by: John Starks <jostarks@microsoft.com>
Signed-off-by: Sean Rodman <srodman7689@gmail.com>
Updated the check for the permission error to use os.IsPermission instead of checking the error string. Also, changed the PermissionDenied method to just a new error.
Fixed a typo in client/request.go
Fixed Error name as specified by Pull request builder output.
Worked on making changes to the permissiondenied error.
Fixed typo
Signed-off-by: Sean Rodman <srodman7689@gmail.com>
Updated error message as requested.
Fixed the error as requested
Signed-off-by: Sean Rodman <srodman7689@gmail.com>
When sending a build context to a remote server it may be
(significantly) advantageous to compress the build context. This commit
adds support for gz compression when constructing a build context
using a command like "docker build --compress ."
Signed-off-by: Paul Kehrer <paul.l.kehrer@gmail.com>
As is specified in 26964, it is possible to specify
a filter based on the node name or node ID.
This fix updates the related docs for that.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
restart-condition for services from "on_failure" to "on-failure".
Since GRPC does not support dashes in properties, this change
added a conversion when _setting_ the restart-condition.
However, when inspecting a service, no conversion took place
from the internal GRPC value, resulting in "on_failure" to
be shown.
This change updates the conversion to fix this, and removes
a "hack" that was previously used for this, now using a
Switch to compare to actual types.
Before this change:
docker service create --name web --restart-condition=on-failure nginx:alpine
docker service inspect --format '{{ json .Spec.TaskTemplate.RestartPolicy }}' web
{"Condition":"on_failure","MaxAttempts":0}
Afer this change:
docker service create --name web --restart-condition=on-failure nginx:alpine
docker service inspect --format '{{ json .Spec.TaskTemplate.RestartPolicy }}' web
{"Condition":"on-failure","MaxAttempts":0}
Signed-off-by: Kay Yan <kay.yan@daocloud.io>
No substantial code change.
- Api --> API
- Cli --> CLI
- Http, Https --> HTTP, HTTPS
- Id --> ID
- Uid,Gid,Pid --> UID,PID,PID
- Ipam --> IPAM
- Tls --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)
Didn't touch in this commit:
- Git: because it is officially "Git": https://git-scm.com/
- Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
- Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This fix tries to address the issue raised in 27021 where
HTML strings like (`&, >, <, etc`) in environmental variables
are escaped for JSON output for `docker inspect`. For example,
`TEST_ENV="soanni&rtr"` has been escaped to `TEST_ENV="soanni\u0026rtr"`
This fix disabled HTML escaping with `SetEscapeHTML`, which is available
since golang 1.7.0. This changes will be applied to all JSON output
that utilize `httputils.WriteJSON`.
An integration test has been added to cover the changes.
This fix fixes 27021.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fixes#26823
Fixes an issue where apparmor was not loaded into the kernel, because
apparmor_parser was being called incorrectly.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
- What I did
While building docker from source, to get the dependencies installed had done make build, then had got this error.
- How I did it
In the DockerFIle, instead using space a tab was put, which when was done make build the next line was getting combined and was unable to install the package.
image
image
Refer the below Hex View of the earlier file.
image
- How to verify it
After fixing, changing tab to space, built from source to install dependencies and was success
- Description for the changelog
Fixing Issue #27035
Signed-off-by: Rojin George itsmerojin@gmail.com
Signed-off-by: rojingeorge <itsmerojin@gmail.com>
Microsoft will be distributing non-base layers that have utility VM image
updates. Update libcontainerd to use the top-most utility VM image that is
available in the image chain when launching Hyper-V-isolated container.
Signed-off-by: John Starks <jostarks@microsoft.com>
These new endpoints request the daemon to delete all resources
considered "unused" in their respective category:
- all stopped containers
- all volumes not attached to any containers
- images with no associated containers
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Those data include:
- size of data shared with other images
- size of data unique to a given image
- how many containers are using a given image
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Classify blobs into three categories based on size.
Use a very limited number of mount attempts and no existence check for
small blobs. Use more attempts for bigger blobs.
Also remember blob associations during layer existence check.
Blob digests are now checked in the target repository from newest to
latest. If the blob exists and the metadata entry does not, it will be
created. If the blob is not found, the metadata entry will be removed.
Signed-off-by: Michal Minář <miminar@redhat.com>
Don't fallback back immediately to blob upload if the cross-repo mount
fails and layer upload is initiated by registry.
Instead cancel the upload and re-try cross-repo mount from different
source repository before doing full re-upload.
Signed-off-by: Michal Minář <miminar@redhat.com>
to avoid unnecessary blob re-uploads.
Cross repository mount from particular repo will most probably fail if
the user pushing to the registry is not the same as the one who pulled
or pushed to the source repo.
This PR attempts first to cross-repo mount from the source repositories
associated with the pusher's auth config. Then it falls back to other
repositories sorted from the most similar to the target repo to the
least.
It also prevents metadata deletion in cases where cross-repo mount fails
and the auth config hashes differ.
Signed-off-by: Michal Minář <miminar@redhat.com>
This fix updates docs for `service ps` as now the TASK ID part has been
removed.
Also, this fix fixes several incorrect sample output.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Under the convoluted code path for the transport configuration,
TLSConfig was being set even though the socket type is unix. This caused
other code detecting the TLSConfig to assume https, rather than using
the http scheme. This led to a situation where if `DOCKER_CERT_PATH` is
set, unix sockets start reverting to https. There is other odd behavior
from go-connections that is also reproduced here.
For the most part, we try to reproduce the side-effecting behavior from
go-connections to retain the current docker behavior. This whole mess
needs to ripped out and fixed, as this pile spaghetti is unnacceptable.
This code is way to convoluted for an http client. We'll need to fix
this but the Go API will break to do it.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Pulls in fix for tar split disassembly incorrectly storing the padding
at the end of the file, leading to a hash difference on the
re-assembled tar archive.
Closes#26434
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This fix tries to address the issue raised in 24958 where previously
`docker swarm init` will automatically fill in all the default value
(instead of letting swarmkit to handle the default).
This fix update the `swarm init` so that initial value are passed only
when a flag change has been detected.
This fix fixes 24958.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue related to 24108 and 24790, and
also the case from 24620#issuecomment-233715656
The reason for the failure case in the above mentioned issues is that
currently Task names are actually indexed by Service Name
(`e.ServiceAnnotations.Name`)
To fix it, a pull request in swarmkit (swarmkit/pull/1193) has been
opened separately.
This fix adds the integration tests for the above mentioned issues.
Swarmkit revendoring is needed to completely fix the issues.
This fix fixes 24108.
This fix fixes 24790.
This fix is related to 24620.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The AUTHORS file should be updated before
each release, and updated using only the
commits that are in the release branch.
This adds updating the file to the release
checklist.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit d2bc5d6276 added
a setupInitLayer() for all platforms, but did not
add a placeholder for Solaris.
This adds the missing placeholder.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When calling the /networks/ endpoint with a trailing
slash, the default network was returned.
This changes the endpoint to return the list of networks
instead (same response as `/networks` without trailing
slash).
Also updated the description for GetNetworkByName to
explain that the "default" network is returned if
no name or id is provided.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Currently, if the service mode is not "global", this code assumes that
Replicated is non-nil. This assumption may not be true in the future.
Instead of making the assumption, explicitly check that Replicated is
non-nil before using it.
Similarly, for limits and reservations, enclose methods that read from
Limits and Reservations within checks that those fields are non-nil.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This commit revendor swarmkit to 7b202f058db2f3a7d41351a56e5ef720c9b5a45d
to improve error message for removing pre-defined (e.g., `ingress`) network.
This commit is related to 24538.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24538
where the error message is unclear when removing pre-defined networks:
```
docker network rm ingress
Error response from daemon: rpc error: code = 7 desc = 4vlxuzpk8bxdsxpyvkxluol5g is a pre-defined network and cannot be removed
```
This fix improve the error message so that if network's name is specified
in the `RemoveNetwork`, then error message will contain the name and the ID
(instead of just an ID):
```
docker network rm ingress
Error response from daemon: rpc error: code = 7 desc = ingress (4vlxuzpk8bxdsxpyvkxluol5g) is a pre-defined network and cannot be removed
```
An integration test has been added to cover the changes.
This fix fixes 24538.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Found a couple of places where pretty low level errors were never being
wrapped with any sort of context.
For example, if you try to create a local volume using some bad mount
options, the kernel will return `invalid argument` when we try to mount
it at container start.
What would happen is a user would `docker run` with this volume and get
an error like `Error response from daemon: invalid argument`.
This uses github.com/pkg/errors to provide some context to the error
message without masking the original error.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Fixes certain node management issues when a daemon is restarted or fails
or leaves and joins a swarm.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
To use a deferred func to overwrite the returned error requires using
the 'named' error. So reuse err, instead of pipelineError. Also, the old
pipelineError will never be nil, since its executed before the error can
be set.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
"VolumeDriver.Mount" is being called on container start.
Make the symmetric call on container stop.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
The Windows BCD store for the utility VM is mutated during layer import,
which causes failures in docker save. Back up the BCD store and related
log files so that save has access to their original contents.
Fixes#25893.
Signed-off-by: John Starks <jostarks@microsoft.com>
The daemon is in a separate (dockerd) binary
since docker 1.12, so should no longer be
used.
This marks the command as deprecated, and
adds it to the deprecated features list.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "user" feature was added in docker 1.7.0, and
"privileged" feature was added in docker 1.9.0
only contained CLI docs.
This adds the missing API docs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit updates documentation and change log to include
the preliminary validation of the dockerfile before instructions
in dockerfile is run one-by-one.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The bundles dir used to be automatically made a volume if BINDDIR was
not set.
The `PKGCACHE_*` stuff was added recently which gets added to
`DOCKER_MOUNT`. This breaks the case where someone wants to use the
package cache (DOCKER_INCREMENTAL_BINARY is enabled) but has not
specified a bind dir but needs the bundles dir made a volume.
Moves the package cache handling to after the bundles dir is made a
volume.
Before this patch, if you have `DOCKER_GRAPHDRIVER` set to anything
other than vfs, the tests in the daemon suite (and swarm suite, and
registry suite) will fail to run since they cannot startup a daemon
(except for speicifc cases where <driver> over <driver> is possible,
like devmapper).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Allow passing --storage-opt size=X to docker create/run commands
for the `overlay2` graphriver.
The size option is only available if the backing fs is xfs that is
mounted with the `pquota` mount option.
The user can pass any size less then the backing fs size.
Signed-off-by: Amir Goldstein <amir73il@aquasec.com>
This class implements XFS project quota controls
for setting quota limits on a newly created directory.
It currently supports the legacy XFS specific ioctls.
Using this class, quota limits per container can be set
by directory based storage drivers (e.g. overlay), when
backing storage is XFS mounted with 'pquota' mount option.
TODO: use generic quota control ioctl FS_IOC_FS{GET,SET}XATTR
for both xfs/ext4 for kernel version >= v4.5
Signed-off-by: Amir Goldstein <amir73il@aquasec.com>
Signed-off-by: albam.c <albam.c@navercorp.com>
A few points of work:
- Took the topic out of the left-hand nav and made it
reachable from the User guide intro
- Condensed the topic's contents, presenting only conceptual
info and pointing instead to the command-line references
for each type of object
- Added brief information about the `LABELS` keyword to the
Dockerfile reference
A big part of the point is to establish a pattern of
thinking and use around how Docker uses labels and what they
mean in different contexts.
Signed-off-by: Misty Stanley-Jones <misty@docker.com>
init layer is read/write layer and not read only layer. Following commit
introduced new graph driver method CreateReadWrite.
ef5bfad Adding readOnly parameter to graphdriver Create method
So far only windows seem to be differentiating between above two methods.
Making this change to make sure -init layer calls right method so that
we don't have surprises in future.
Windows does not need init layer. This patch also gets rid of creation of
init layer on windows.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
New grpc uses failfast by default, but that code was written with other
default in mind, so just preserve it for now.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
As part of making graphdrivers support pluginv2, a PluginGetter
interface was necessary for cleaner separation and avoiding import
cycles.
This commit creates a PluginGetter interface and makes pluginStore
implement it. Then the pluginStore object is created in the daemon
(rather than by the plugin manager) and passed to plugin init as
well as to the different subsystems (eg. graphdrivers, volumedrivers).
A side effect of this change was that some code was moved out of
experimental. This is good, since plugin support will be stable soon.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
TestBuildApiDockerFileRemote has been consistently failing (EPERM) on the host
with #26618, which prohibits /sys/firmware from being accessed using apparmor.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This renames `MaximumIOps` to `IOMaximumBandwidth`,
and `MaximumIOBps` to `IOMaximumIOps` to match
the actual code.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix race condition issue to solve an issue about "panic: runtime error: invalid memory address or nil pointer dereference".
This fix stabilize Docker daemon under the situation of communication problem with Fluentd processes.
Signed-off-by: Satoshi Tagomori <tagomoris@gmail.com>
This removes the SetStoppedLocking, and
SetRestartingLocking functions, which
were not used anywhere.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds a small C binary for fighting zombies. It is mounted under
`/dev/init` and is prepended to the args specified by the user. You
enable it via a daemon flag, `dockerd --init`, as it is disable by
default for backwards compat.
You can also override the daemon option or specify this on a per
container basis with `docker run --init=true|false`.
You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.
```c
int main(int argc, char ** argv) {
pid_t pid = fork();
if (pid == 0) {
pid = fork();
if (pid == 0) {
exit(0);
}
sleep(3);
exit(0);
}
printf("got pid %d and exited\n", pid);
sleep(20);
}
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
On container start, volume mounts are setup which should include
invoking "VolumeDriver.Mount" to setup necessary mounts. This was
missing for Windows containers. Fix that.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Allows the user to use `pretty` as the format string.
This enables users to put custom format options into their CLI config
just like is supported for `docker ps` and `docker images`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
These installation procedures are very similar, so
synchronized these docs and removed some differences.
Also;
- updated markdown, added language-hints where possible
- replaced "service docker start" with "systemctl start"
- replaced "chkconfig docker on" with "systemctl enable"
- added "systemctl enable" to the list of steps for
installation, because most people want to have docker
started automatically (and overlooked this step).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This package doesn't really seem to do anything of real interest.
Removing it and replacing with a few helper functions. Most of this was
maintaining a fork of ctxhttp to support a mock that was unnecessary.
We could probably do with a further refactor of the client interface.
There is a lot of confusion of between transport, http layer and
application layer that makes for some awkward code. This change
improves the situation to the point where no breaking changes are
introduced.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
The regex used to describe the max-file and max-size logging options for
the json-file logger were incorrect. The regexes would only match a
single character (a digit or a literal +). Instead the regexes should
match 1 or more digits.
The character class for the units of the max-size also included a pipe
which meant that the regex would match 1| instead of only matching 1m,
1k, and 1g.
Signed-off-by: Steven Erenst <stevenerenst@gmail.com>
Better formatting for usage template.
Group commands in usage to management/operation commands.
Remove the word Docker from the description of management commands.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Although the example is just for illustrational
purposes, many users are now switching to
Ubuntu 16.04 as the "default" version for Ubuntu,
so updating the example for those that use
this example as a starting point.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This synchronizes changes between API versions, and:
- applies e0a552504e to
older versions of the documentation
- applies a2a0a03e2b to
API version 1.25
- syncs some minor differences
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was added in fc7b904dce,
but some parts of the documentation ended up in the
wrong API version, and was overlooked during
review :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The documentation contained some outdated information
on these endpoints.
This change fixes those parts of the documentation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I always forget which one is which. Now, I can't forget. This is
probably in the docs somewhere but now it's handy at a glance.
Signed-off-by: Drew Erny <drew.erny@docker.com>
Because we standardize on using a non-privileged
prompt (`$`) instead of `#`, replacing the
examples to use `sudo` instead to indicate
this has to be run as root.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "format" example got lost during the
rewrite of the documentation for Cobra. This
restores the missing example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
ProgressReader outputs progress information every 500 KB. This could be
excessive if something is being transfered at a fast rate. Rate-limit
progress output to 10 per second.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This adds a direct link to the event chart image
so that the full-resolution image can be "zoomed"
in to.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix fixes a couple of issues in Get Started docs' Step Four:
1. `Sending build context to Docker daemon 158.8 MB` should be
`Sending build context to Docker daemon 2.048 kB` as there is only
one Dockerfile for context.
2. There are only 3 steps altogether in stead of 4 steps as
`RUN apt-get -y update && apt-get install -y fortunes` is one step.
So `Step 3 : RUN apt-get install -y fortunes` should be removed and
`Step 4 : CMD /usr/games/fortune -a | cowsay` should be changed to
`Step 3 : CMD /usr/games/fortune -a | cowsay`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Test is testing that a user can disconnect from the default network
before it is started (#26220).
This test does not need to use `--rm`, which is never aken into account
since the container is never started.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
These docs were outdated, and not actively
maintained. Also, there are no official packages
available for this distribution, so better to
remove it from the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add errexit to mkimage-yum bash script to abort early. This to prevent
disaster when mktemp fails and leave $target variable empty.
Signed-off-by: Carl Loa Odin <carlodin@gmail.com>
This fix tries to address the issue raised in 26453 where bad syntax
on dockerfile is not checked before building, thus user has to wait
before seeing error in dockerfile.
This fix fixes the issue by evaluating all the instructions and check
syntax before dockerfile is invoked actually.
All existing tests pass.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The swarm scope network connected containers with autostart enabled
there was a dependency problem with the cluster to be initialized before
we can autostart them. With the current container restart code happening
before cluster init, these containers were not getting autostarted
properly. Added a fix to delay the container start of those containers
which has atleast one swarm scope endpoint to until after the cluster is
initialized.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
`Mounts` allows users to specify in a much safer way the volumes they
want to use in the container.
This replaces `Binds` and `Volumes`, which both still exist, but
`Mounts` and `Binds`/`Volumes` are exclussive.
The CLI will continue to use `Binds` and `Volumes` due to concerns with
parsing the volume specs on the client side and cross-platform support
(for now).
The new API follows exactly the services mount API.
Example usage of `Mounts`:
```
$ curl -XPOST localhost:2375/containers/create -d '{
"Image": "alpine:latest",
"HostConfig": {
"Mounts": [{
"Type": "Volume",
"Target": "/foo"
},{
"Type": "bind",
"Source": "/var/run/docker.sock",
"Target": "/var/run/docker.sock",
},{
"Type": "volume",
"Name": "important_data",
"Target": "/var/data",
"ReadOnly": true,
"VolumeOptions": {
"DriverConfig": {
Name: "awesomeStorage",
Options: {"size": "10m"},
Labels: {"some":"label"}
}
}]
}
}'
```
There are currently 2 types of mounts:
- **bind**: Paths on the host that get mounted into the
container. Paths must exist prior to creating the container.
- **volume**: Volumes that persist after the
container is removed.
Not all fields are available in each type, and validation is done to
ensure these fields aren't mixed up between types.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.
Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
When `docker inspect` is invoked, it is possible to pass a flag of
`-s` for container types to display size information. If `-s` is used
for non-container types then a warning `WARNING: --size ignored for volume`
will show up.
However, currently `WARNING: --size ignored for volume` will show up even
when `-s` is not passed to `docker inspect` for non-container types.
This fix fixes this issue by checking if `-s` has been passed or not (`getSize`).
Also, since image inspect does not support `-s`, `IsSizeSupported` has been changed
to false for images.
This fix is tested manually.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Triaging issues has become a little challenging since the meat
of the information is below a large amount of unstructured
command line output. These changes add a description and move
the reproduction and expected/received results above the
unstructured output.
This should help for initial triaging, as well as self-triaging.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
A test failed expecting 200, but received -1, which is an err rc,
not an HTTP status code, so move these checks up.
Also log the output an not just check for a nil err.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
When the `-t` flag is passed on exec make sure to add the TERM env var
to mirror the expected configuration from run.
Fixes#9299
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
New driver options:
- `splunk-gzip` - gzip compress all requests to Splunk HEC
(enabled by default)
- `splunk-gzip-level` - change compression level.
Messages are sent in batches by 1000, with frequency of 5 seconds.
Maximum buffer is 10,000 events. If HEC will not be available, Splunk
Logging Driver will keep retrying while it can hold messages in buffer.
Added unit tests for driver.
Signed-off-by: Denis Gladkikh <denis@gladkikh.email>
With this patch and Docker PR 25883 ("Add a Dockerfile for generating
manpages on s390x") "make deb" creates the following packages for s390x:
# cd bundles/1.13.0-dev/build-deb/
# find .
.
./ubuntu-xenial
./ubuntu-xenial/docker-engine_1.13.0~dev~git20160823.161729.0.2693af4-0~xenial_s390x.deb
./ubuntu-xenial/docker-engine_1.13.0~dev~git20160823.161729.0.2693af4-0~xenial.dsc
./ubuntu-xenial/docker-engine_1.13.0~dev~git20160823.161729.0.2693af4-0~xenial_s390x.changes
./ubuntu-xenial/Dockerfile.build
./ubuntu-xenial/docker-engine_1.13.0~dev~git20160823.161729.0.2693af4-0~xenial.tar.gz
./docker.log
./test.log
Package "docker-engine_1.13.0~dev~git20160823.161729.0.2693af4-0~xenial_s390x.deb"
could be successfully installed on a s390x Ubuntu system:
# cat /etc/issue
Ubuntu 16.04.1 LTS \n \l
# dpkg -i docker-engine_1.13.0~dev~git20160823.161729.0.2693af4-0~xenial_s390x.deb
...
Installing new version of config file /etc/init.d/docker ...
Installing new version of config file /etc/init/docker.conf ...
Processing triggers for systemd (229-4ubuntu7) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for man-db (2.7.5-1) ...
# docker version
Client:
Version: 1.13.0-dev
API version: 1.25
Go version: go1.7
Git commit: 2693af4-unsupported
Built: Wed Aug 24 11:41:13 2016
OS/Arch: linux/s390x
Server:
...
The s390x "generate.sh" is a modified version of "ppc64le/generate.sh".
We removed seccomp for s390x because we need at least libseccomp version
2.3.1 which is not provided by Ubuntu Xenial.
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
daemon/events/testutils: rename eventstestutils to testutils
volume/testutils: rename volumetestutils to testutils
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
The indexing of steps in the output of `docker build` starts with `Step 1`.
However, there are several places in the docs that start with `Step 0`.
This fix addresses the issue and changes `Step 0` to `Step 1` (and subsequent steps).
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The "Stream details" sections are currently a part of the Status codes list.
This change moves them out to the same level as other surrounding sections.
Use () for a paramaters
Remove query param from end point heading
Signed-off-by: Matt Hoyle <matt@deployable.co>
- So that swarm init will still work w/o specifying the advertise
address when the daemon is running inside a container
Signed-off-by: Alessandro Boch <aboch@docker.com>
The restriction is no longer necessary given changes at the runc layer
related to mount options of the rootfs. Also cleaned up the docs on
restrictions left for userns enabled mode. Re-enabled tests related to
--read-only when testing a userns-enabled daemon in integration-cli.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This fix tries to address the issue raised in 26300. Previously
`docker images` will use `HumanSize()` to display the size which
has a fixed precision of 4 (thus 3 fractional digits). This
could be problematic in certain languages (e.g. , German, see
26300) as `.` may be interpreted as thousands-separator in number.
This fix use `CustomSize()` instead and limit the precision to 3
(thus 2 fractional digits).
This fix has been tested manually.
This fix fixes 26300.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Instead of reformatting error from the request action, we wrap it,
allowing the cause to be recovered. This is important for consumers that
need to be able to detect context errors, such as `Cancelled` and
`DeadlineExceeded`.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
We finally have a s390x binary tarball for go on "storage.googleapis.com".
So use this instead of bootstrapping with gccgo.
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
This fix tries to fix 26326 where `docker inspect` will not show
ulimit even when daemon default ulimit has been set.
This fix merge the HostConfig's ulimit with daemon default in
`docker inspect`, so that when daemon is started with `default-ulimit`
and HostConfig's ulimit is not set, `docker inspect` will output
the daemon default.
An integration test has been added to cover the changes.
This fix fixes 26326.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR adds support for running regular containers to be connected to
swarm mode multi-host network so that:
- containers connected to the same network across the cluster can
discover and connect to each other.
- Get access to services(and their associated loadbalancers)
connected to the same network
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
- Fixes#25325
- Fixes certain issues with workers leaving swarm and rejoining
- Adds cluster provider interface methods to support docker run on
overlay in swarm mode.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
moves ensure-frozen-images to go
moves ensure-syscall-test to go
moves ensure-nnp-test to go
moves ensure-httpserver to go
Also makes some of the fixtures load only for the required tests.
This makes sure that fixtures that won't be needed for a test run such as
`make TESTFLAGS='-check.f Swarm' test-integration-cli` (for example)
aren't loaded... like the syscall tests.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Adds a new task runtime to support network attachmemt for plain old
docker containers so that they can participate multi-host networks and
get access to services.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
We just introduced a new tunable dm.xfs_nospace_max_retries. But this tunable
will work only on new kernels where xfs supports this feature. On older
kernels xfs does not allow tuning this behavior.
There are two issues. First one is that if xfsSetNospaceRetries() fails,
it returns error but leaves the device activated and mounted. We should
be unmounting the device and deactivate it before returning.
Second issue is, if docker is started on older kernel, with
dm.xfs_nospace_max_retries specified, then docker will silently ignore the
fact that /sys file to tweak this behavior is not present and will continue.
But I think it might be better to fail container creation/start if kernel
does not support this feature.
This patch fixes it. After this patch, user will get an error like following
when container is run.
# docker run -ti fedora bash
docker: Error response from daemon: devmapper: user specified daemon option dm.xfs_nospace_max_retries but it does not seem to be supported on this system :open /sys/fs/xfs/dm-5/error/metadata/ENOSPC/max_retries: no such file or directory.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Passses down BUILD_APT_MIRROR to the docker env.
Ensures BUILD_APT_MIRROR is used when building debs, but only when the
consuming `Dockerfile` actually uses it, otherwise it will cause the
build to fail (e.g. on Ubuntu builds we aren't using APT_MIRROR).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Adds a new bundle `verify-integration-tests` which pre-compiles a test
binary for the integration tests.
This makes sure that the integration tests will actually compile before
doing other tasks which take much longer, such as building dockerd and
loading test fixtures.
When it comes time to actually run the tests, the pre-compiled binary
will be used so it doesn't have to compile the tests a 2nd time.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Fixes#24805
Changes test daemon id generation from using time.Now().UnixNano() to using
stringid. This is because of a go bug (fixed upstream for 1.8) on ppc64le
and s390x where time.Now().UnixNano() would not return nanosecond precision,
so initializing consecutive daemons sometimes would result in them having
the same id.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Legacy plugins (aka pluginv1) calls in libnetwork are replaced with
calls using the new plugin model (aka pluginv2). pkg/plugins is still
used for managing the http client connections to the plugin.
This commit makes the necessary changes in docker/docker. Part 2 will
will take care of the libnetwork changes.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This was removed in a clean-up
(060f4ae617) but should not have been.
Fixes issues with volumes when upgrading from pre-1.7.0 daemons.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The `--rm` flag has been part of the `docker create` and
related docs in `docs/reference/commandline/create.md`
already includes the `--rm` flag. However, man page
`man/docker-create.1.md` has not adds the `--rm` flag yet.
This fix adds the description of `--rm` flag to
`man/docker-create.1.md`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
As is raised in 26312, in `docker network ls`, the help output was
mistaken to `volume names`:
```
-q, --quiet Only display volume names
```
This fix changes the help output to:
```
-q, --quiet Only display network IDs
```
This fix also updates the documentation in:
`docs/reference/commandline/network_ls.md`
This fix fixes 26312.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This makes sure that:
1. Already existing directories are left untouched
2. Newly created directories are chowned to the correct root UID/GID in case of user namespaces
3. All parent directories still get created with host root UID/GID
Fix#21738
Signed-off-by: Antonis Kalipetis <akalipetis@gmail.com>
Fix issue where environment variables with embedded equals signs were
being dropped and not passed to the container.
Fixes#26178.
Signed-off-by: Matt Richardson <matt.richardson@octopus.com>
This fix tries to address the issue raised in 26220 where
disconnecting a container from network does not work if
the network id (instead of network name) has been specified.
The issue was that internally when trying to disconnecting
a contaienr fromt the network, the originally passed network
name or id has been used.
This fix uses the resolved network name (e.g., `bridge`).
An integration test has been added to cover the changes.
This fix fixes 26220.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue in 26173 where `docker import -c`
with quoted flags returns an error.
The issue was that in `api/client/image/import.go` the flag
`--change/-c` was handled by `StringSliceVarP` which does not handle
the quote well.
The similiar issue was enountered for 23309 (`docker commit`).
This fix takes the same approach as 23309 where `StringSliceVarP`
was replaced with `VarP` and `opts.ListOpts`.
An integration test has been added to cover the changes.
This fix fixes 26173.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Instead of having the misconfigured token server test
fail after maxing out retries, only retry a few times
then return an error which will not retry.
Referenced by #19425
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
It makes systemd integration less intrusive, notably needed for
docker machine (cf. https://github.com/docker/machine/pull/3605).
The default storage driver would now be devicemapper, until the
deb package is updated.
Signed-off-by: Bilal Amarni <bilal.amarni@gmail.com>
Now that gccgo isn't supported, change the ppc64le dockerfile base image
from a debian:jessie based + gccgo image to a debian:jessie + golang image.
Also includes a go path change to be more consistent across Dockerfiles.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
When xfs filesystem is being used on top of thin pool, xfs can get ENOSPC
errors from thin pool when thin pool is full. As of now xfs retries the
IO and keeps on retrying and does not give up. This can result in container
application being stuck for a very long time. In fact I have seen instances
of unkillable processes. So that means once thin pool is full and process
gets stuck, container can't be stopped/killed either and only option left
seems to be power recycle of the box.
In another instance, writer did not block but failed after a while. But
when I tried to exit/stop the container, unmounting xfs hanged and only
thing I could do was power cycle the machine.
Now upstream kernel has committed patches where it allows user space to
customize user space behavior in case of errors. One of the knobs is
max_retries, which specifies how many times an IO should be retried
when ENOSPC is encountered.
This patch sets provides a tunable knob (dm.xfs_nospace_max_retries) so
that user can specify value for max_retries and tune xfs behavior. If
one sets this value to 0, xfs will not retry IO when ENOSPC error is
encountered. It will instead give up and shutdown filesystem.
This knob can be useful if one is running into unkillable
processes/containers issue on top of xfs.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
On join, remote addresses are supposed to be detected by the manager
that receives the join request. However, the daemon is interfering with
this by automatically detecting an advertise address and specifying that
to the remote manager. Fix this so that an advertise address is only
specified while joining a cluster if one was given by the user.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
We attached the JSON flag to the wrong AST node, causing Docker to treat
the exec form ["binary", "arg"] as if the shell form "binary arg" had
been used. This failed if "ls" was not present.
Added a test to detect this.
Fixes#26174
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
Before:
$ docker update --cpu-period
Status: flag needs an argument: --cpu-period
See 'docker update --help'., Code: 125
After:
$ docker update --cpu-period
flag needs an argument: --cpu-period
See 'docker update --help'.
Also remove flagErrorFunc function which isn't needed anymore.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fix tries to address the issue raised in comment:
https://github.com/docker/docker/pull/25943#discussion_r76843081
Previously, the validation for `ip6` is done by checking ParseIP().To16().
However, in case an IPv4 address or an IPv4-mapped Ipv6 address has been
provided, the validation will pass (should fail).
This fix first check if `--ip6` is passed with a valid IP address and returns
error for invalid IP addresses. It then check if an IPv4 or IPv4-mapped Ipv6
address is passed, and return error accordingly.
This fix adds two more cases in the tests. One for IPv4 address passed to `--ip6`
and another for Ipv4-mapped IPv6 address passed to `--ip6`. In both cases,
without this fix the validation will pass through.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is a follow-up of 26154. I did a grep on `integration-cli` and
found out that there are several tests in `docker_cli_daemon_test.go`
that still use `NewDaemon` instread of `DockerDaemonSuite`.
This fix changes related tests from DockerSuite to DockerDaemonSuite in
`docker_cli_daemon_test.go`.
With this fix, now `NewDaemon` is only called from `SetUpTest` on
various DockerXXXSuite. That should help maintain the test code base.
This fix is related to the comments in:
26115
24533.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to add the registry mirrors information in the output
of `docker info`.
In our active deployment, we use registry mirrors to help speeding
up the `docker pull`. In the current output of `docker info`,
registry mirrors is not present though it is available in `/info` API.
I think it makes sense to add the registry mirrors to `docker info`,
similiar to insecure registries.
This fix adds the registry mirrors to the output of `docker info`:
```
Registry Mirrors:
https://192.168.1.2/http://registry.mirror.com:5000/
```
An integration test has been added to cover the changes.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
DOCKER_BUILD_APT_MIRROR
This allows passthrough of other options like HTTP_PROXY from
DOCKER_BUILD_ARGS to work on all builds (for example,
ensure-syscall-test) when APT_MIRROR is set.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to address the issue raised in 26090 where
remote API `POST /services/(id or name)/update` cannot
use `name` to update. This is not consistent with the
documentation of the remote API.
This fix fixes this issue by performing a lookup with `getService`
in case `name` instead of `id` is used in API.
This fix adds an integration test to cover the changes.
This fix fixes 26090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
As explained in the test comment itself, the error message may vary on
different platform.
This patch adds another condition found while testing w/o network
access on RHEL based distros (Fedora, RHEL, CentOS).
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fix tries to address the issue raised in 25304 to support
`--group-add` and `--group-rm` in `docker service create`.
This fix adds `--group-add` to `docker service create` and `docker service update`,
adds `--group-rm` to `docker service update`.
This fix updates docs for `docker service create` and `docker service update`:
1. Add `--group-add` to `docker service create` and `docker service update`
2. Add `--group-rm` to `docker service update`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Split plugin package into `store` and `v2/plugin`. Now the functionality
is clearly delineated:
- Manager: Manages the global state of the plugin sub-system.
- PluginStore: Manages a collection of plugins (in memory and on-disk)
- Plugin: Manages the single plugin unit.
This also facilitates splitting the global PluginManager lock into:
- PluginManager lock to protect global states.
- PluginStore lock to protect store states.
- Plugin lock to protect individual plugin states.
Importing "github.com/docker/docker/plugin/store" will provide access
to plugins and has lesser dependencies when compared to importing the
original monolithic `plugin package`.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
There are cases such as migrating from classic overlay network to the
swarm-mode networking (without kv-store), such a mechanism to allow
disconnecting a container even when a network isnt available will be
useful.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
updated d4mac, d4win clarification per Charles's comments
copyedits and streamline wording
fixed links
streamlined, fixed line wraps
incorporated more review comments
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
incorporated more review comments
incorporated more edit comments and fixed line wraps
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
There can be a race between getting the container ids for matches and
getting the actual container. This makes sure that we check that the
container returned by `Get` is non-nil before adding it to the list of
matches.
Fixes#25991
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
`TestDaemonDiscoveryBackendConfigReload` was doing some wierd things
with files, creating a file (directly in `./integration-cli`), removing
it, then creating a new file.
This is just weird, so fixed it to use a single file, file will go into
a temp dir so it doesn't pollute integration-cli.
It was also blindly sending a SIGHUP to the daemon process then sleeping
for 3 seconds. This is racey, and slow.
Change this to look for the daemon-reload event in the event stream.
Reload logic is moved to a separate function and blocks (w/ a timeout)
waiting for the reload event to fire.
Runtime of the test is now ~0.5s on my machine, where as it was a
minimum of 3s due to the `time.Sleep` before.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to fix the issue raised in 25863 where `--ip` value
is not validated for `docker create`. As a result, the IP address
passed by `--ip` is not used for `docker create` (ignored silently).
This fix adds validation in the daemon so that `--ip` and `--ip6`
are properly validated for `docker create`.
An integration test has been added to cover the changes.
This fix fixes 25863.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Since 20848 has been merged and both `docker create` and
`docker run` share the same `runconfig` parser, now both
`docker run` and `docker create` allow to specify the
`--rm` flag. However, docs for `docker create` has not
been udpated yet.
This fix updates docs for `docker create` so that `--rm`
flag has been included.
This fix is related to 20848 and 25577.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
handleLegacy is a flag to indicate whether daemon is supporting legacy
plugins. When the time comes to remove support for legacy plugins,
flipping this bool is all that will be needed to remove legacy plugin
support. This can be a global variable rather than be embedded in the
manager, thereby cleaning up code.
Also rename to allowV1PluginsFallback for clarity.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This may take some time, but start by pointing people at
LABEL instead.
MAINTAINER predates general LABEL and has basically no tooling,
only allows a single item to be added, and is has been
unofficially deprecated for some time, with many images not
including it, but we have never specifically said that it
should be replaced by LABEL as a better more generic metadata
solution.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Support args to RunCommand
Fix docker help text test.
Fix for ipv6 tests.
Fix TLSverify option.
Fix TestDaemonDiscoveryBackendConfigReload
Use tempfile for another test.
Restore missing flag.
Fix tests for removal of shlex.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Also consolidate the leftover packages under cli.
Remove pkg/mflag.
Make manpage generation work with new cobra layout.
Remove remaining mflag and fix tests after rebase with master.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Cleanup cobra integration
Update windows files for cobra and pflags
Cleanup SetupRootcmd, and remove unnecessary SetFlagErrorFunc.
Use cobra command traversal
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Currently start command will invoke getExitCode - which is based on
Inspect API - to get returned exit code after container exits.
There's two race conditions here:
if container is started with Restart Policy, there's chance that the
container is restarted quickly before it calls getExitCode, under such
circumstance, the exit code is wrong.
if container is started with --rm, it's possible that container is
removed before getExitCode, in this situation, you can't get correct
exit code either.
Replace getExitCode with waitExitOrRemoved can solve this problem.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
docker is trying to set system.posix_acl_access but using BTRFS this fails if
CONFIG_BTRFS_FS_POSIX_ACL is not activated.
Signed-off-by: Andrei Gherzan <andrei@resin.io>
Warn the user and fail daemon start if the graphdir path has any
elements which will deny access to the remapped root uid/gid.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
No user of GetNetworkDriverList needs to access the map by key.
The only user of GetNetworkDriverList is in docker info and with a map
the network list is always flipping because loop is not deterministic.
Fix this by returning a string slice which instead is.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fix tries to address the issue raised in 25927 where
the HTTP headers have been chaged when AUthZ plugin is in
place.
This issue is that in `FlushAll` (`pkg/authorization/response.go`),
the headers have been written (with `WriteHeader`) before all the
headers have bee copied.
This fix fixes the issue by placing `WriteHeader` after.
A test has been added to cover the changes.`
This fix fixes 25927
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue in 25000 where `docker stats`
will not show network stats with `NetworkDisabled=true`.
The `NetworkDisabled=true` could be either invoked through
remote API, or through `docker daemon -b none`.
The issue was that when `NetworkDisabled=true` either by API or
by daemon config, there is no SandboxKey for container so an error
will be returned.
This fix fixes this issue by skipping obtaining SandboxKey if
`NetworkDisabled=true`.
Additional test has bee added to cover the changes.
This fix fixes 25000.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fix delete containers and make sure it prints errors correctly.
Rename Result.Fails to Result.Assert()
Create a constant for the default expected.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Remove some run functions and replace them with the unified run command.
Remove DockerCmdWithStdoutStderr
Remove many duplicate runCommand functions.
Also add dockerCmdWithResult()
Allow Result.Assert() to ignore the error message if an exit status is expected.
Fix race in DockerSuite.TestDockerInspectMultipleNetwork
Fix flaky test DockerSuite.TestRunInteractiveWithRestartPolicy
Signed-off-by: Daniel Nephin <dnephin@docker.com>
if there is no cookie set in dm task, or flag DM_UDEV_DISABLE_LIBRARY_FALLBACK
is cleared for a DM_DEV_REMOVE task, libdevmapper will fallback to clean up the
symlink under /dev/mapper by itself, no matter the device removal is executed
immediately or deferred by the kernel.In some cases, the removal is deferred by the
kernel, while the symlink is deleted directly by libdevmapper, when docker tries to
activate the device again, the deferred removal will be canceld, but the symlink will
not show up again, so docker's attempt to mount the device by the symlink will fail,
and it will eventually leads to a `docker start/diff` error.
Fixes#24671
Signed-off-by: Ji.Zhilong <zhilongji@gmail.com>
With golang version 1.7 the s390x architecture is officially supported.
To be in sync with the other architectures now switch also for s390x
from gccgo 6.1 to golang:
- golang: build and install to /usr/src/go
* Download golang-1.7 sources
* Bootstrap with gccgo 6.1
- go lint: Sync GO_LINT_COMMIT with other Dockerfiles
- notary: Remove GO15VENDOREXPERIMENT and softlink hack
With this patch the current CI on s390x completes with:
- OK: 1375 passed, 43 skipped
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
TMPDIR was changed to DOCKER_TMPDIR in pull request 7113 but the file still asks user to set TMPDIR.
I am new to docker and wasted sometime this morning because of this.
I am using docker version 1.12.1 on ubuntu server 14.04
Signed-off-by: Neyazul Haque <nuhaque@gmail.com>
In the common case where the user is using /var/lib/docker and
an image with less than 60 layers, forking is not needed. Calculate
whether absolute paths can be used and avoid forking to mount in
those cases.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Plugin discovery on Windows is not possible using named pipes. However,
it is possible using spec file (tcp based). This adds Windows specific
paths for discovery.
Fixes#23605
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
It makes little sense to have swarm related code into the daemon
package. This refactor the `daemon` and `cluster` package to remove
`ListContainersForNode` from the daemon.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Right now docker puts swarm's control socket into the docker root dir
(e.g. /var/lib/docker).
This can cause some nasty issues with path length being > 108
characters, especially in our CI environment.
Since we already have some other state going in the daemon's exec root
(libcontainerd and libnetwork), I think it makes sense to move the
control socket to this location, especially since there are other unix
sockets being created here by docker so it must always be at a path that
works.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This flag has been deprecated in version below 1.10 so it's safe to
remove now, according to our deprecation policy.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue in raised #23367 where an out-of-band
volume driver deletion leaves some data in docker. This prevent the
reuse of deleted volume names (by out-of-band volume driver like flocker).
This fix adds a `--force` field in `docker volume rm` to forcefully purge
the data of the volume that has already been deleted.
Related documentations have been updated.
This fix is tested manually with flocker, as is specified in #23367.
An integration test has also been added for the scenario described.
This fix fixes#23367.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In `man/Dockerfile` we are specifying a tagged version of glide to
checkout, but never actually checking it out.
This checks out the requested version before building.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When the daemon is started, it looks at all the volumes and checks to
see if any of them have mount options persisted to disk, and loads them
from disk if it does.
In some cases a volume will be created with an empty map causing the
options file to be persisted and volume options set to a non-nil value
on daemon restart... this causes problems later when the driver checks
for a non-nil value to determine if it should try and mount with the
persisted volume options.
Ensures 2 things:
1. Instead of only checking nilness for the opts map, use `len` to make
sure it is not an empty map, which we don't really need to persit.
2. An empty (or nulled) opts.json will not inadvertnatly set volume
options on daemon restart.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Fix#24803 as this had been failing sometimes.
As the parallel tests are probably genuine failures, and
had already been cut down, I will re-create these specifically
as a parallel execution test with no seccomp to make the
cause clearer.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
this improves the error message if a user tries to
create a volume with a single-character name:
Before this change:
docker volume create --name a
Error response from daemon: create a: "a" includes invalid characters for a local volume name, only "[a-zA-Z0-9][a-zA-Z0-9_.-]" are allowed
After this change:
docker volume create --name a
Error response from daemon: create a: volume name is too short, names should be at least two alphanumeric characters
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This feature was added in docker 1.8, through
7491f9a9c1.
However, the API docs ended up in the wrong
API version (1.19 instead of 1.20), so were
never included in future API docs.
Also, the CLI docs got lost during splitting
up the cli.md docs into separate files;
561bfb268d
This moves the API docs to the correct
versions, and restores the CLI documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add sentece to RUN, CMD, and ENTRYPOINT exec sections making it clear
that it is the shell doing the environment variable expansion.
Signed-off-by: David Dooling <dooling@gmail.com>
`--log-opt splunk-format=inline|json|raw` allows to change how logging
driver sends data to Splunk, where
`inline` - default value, format used before, message is injected as a
line in JSON payload
`json` - driver will try to parse each line as a JSON object and embed it
inside of the JSON payload
`raw` - driver will send Raw payload instead of JSON, tag and attributes
will be prefixed before the message
`--log-opt splunk-verify-connection=true|false` - allows to skip
verification for Splunk Url
Signed-off-by: Denis Gladkikh <denis@gladkikh.email>
fixes#25766
If a container's AutoRemove is enabled, client will wait until it's
removed after container exits, this is implemented based on "destroy"
event.
Currently an "AutoRemove" container will report "destroy" event to
notify a hanging client to exit before all volumes are removed, this is
wrong, we should wait container until everything is cleaned up.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Image inspect doesn't have a "size" query parameter.
The client sent this (when doing `docker inspect --size`),
but was unused in the daemon.
This removes the unused parameter, and a test that
didn't actually test anything.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Dockerfile parser does not subsitute ENV variables in any form of
the ENTRYPOINT command. Any substitution, if done, is done by the shell
when the command is executed.
Signed-off-by: David Dooling <dooling@gmail.com>
Several other places in the document it states that when using the shell
form of ENTRYPOINT, CMD and command line arguments are ignored. That is
accurate, this table was not. It is now.
Signed-off-by: David Dooling <dooling@gmail.com>
"--restart" and "--rm" are conflict options, if a container is started
with AutoRemove flag, we should forbid the update action for its Restart
Policy.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to address the issue raised in 25661 where verbose
"Sending build context" messages were not suppressed in non tty (e.g. log file)
sencarios.
This fix suppress the "Sending build context" message (other than the last one)
if the output is not a tty. The last update of the "Sending build context"
message is still sent to the output.
This fix has been tested manually:
```
docker build -t tmp . > build.log
```
The output is (only one "Sending build context"):
```
Sending build context to Docker daemon 249.4 MB
Step 1 : FROM busybox
---> 2b8fd9751c4c
Step 2 : RUN echo 'test'
---> Using cache
---> 7db298b6c493
Successfully built 7db298b6c493
```
This fix fixes 25661.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Fixes a SNAT issue in loadbalancer when multiple networks are involved
- Fixes an issue with SRV query forwarding in DNS
- Fixes a map race
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
The main intent of handling plugin exit is for graceful shutdown
of plugins during daemon shutdown. So avoid plugin lookup during
plugin exits caused by other reasons (eg. force remove)
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
There exists a race in container servicing on Windows where, during normal operation, the container will begin to shut itself down while docker calls shutdown explicitly. If the former succeeds just as the latter is attempting to communicate with the container to request the shutdown, an error comes back that can cause the servicing to incorrectly register as a failure. Instead, we just wait for the servicing container to shutdown on it's own, using a reasonable timeout to allow for merging in the updates.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Fixes a race where the log reader would get events for both an actual
rotation as we from fsnotify (`fsnotify.Rename`).
This issue becomes extremely apparent when rotations are fast, for
example:
```
$ docker run -d --name test --log-opt max-size=1 --log-opt max-file=2
busybox sh -c 'while true; do echo hello; usleep 100000; done'
```
With this change the log reader for jsonlogs can handle rotations that
happen as above.
Instead of listening for both fs events AND rotation events
simultaneously, potentially meaning we see 2 rotations for only a single
rotation due to channel buffering, only listen for fs events (like
`Rename`) and then wait to be notified about rotation by the logger.
This makes sure that we don't see 2 rotations for 1, and that we don't
start trying to read until the logger is actually ready for us to.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This example was added in b0b2f979c7,
but got lost during splitting up the cli.md docs into separate files;
561bfb268d
This restores the missing example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The service create/update endpoints support
passing registry-authentication information,
but this was not documented.
This adds the missing information about passing
a X-Registry-Auth header.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The namespace unshare+pivot root is not possible when running inside a
user namespace, so fallback to the original "real" chroot code.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
If we are running in a user namespace, don't try to mknod as
it won't be allowed. libcontainer will bind-mount the host's
devices over files in the container anyway, so it's not needed.
The chrootarchive package does a chroot (without mounting /proc) before
its work, so we cannot check /proc/self/uid_map when we need to. So
compute it in advance and pass it along with the tar options.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
The export command operates on containers, not images, so it should be listed under the container commands, not the image commands.
Signed-off-by: David Lechner <david@lechnology.com>
This device is not required by the OCI spec.
The rationale for this was linked to docker/docker#2393
So a non functional /dev/fuse was created, and actual fuse use still is
required to add the device explicitly. However even old versions of the JVM
on Ubuntu 12.04 no longer require the fuse package, and this is all not
needed.
See also https://github.com/opencontainers/runc/pull/983 although this
change alone stops the fuse device being created.
Tested and does not change actual ability to use fuse.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Commit 353af0b3ec updated
the `/image/load` endpoint to consistendly return
JSON, but did not update the associated documentation.
This updates the example response in the documentation
to match the actual response.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These flags were not supported (daemon returns an error), and it was an
oversight. They were not present in completion scripts.
Signed-off-by: Tibor Vass <tibor@docker.com>
This brings in a much newer version of etcd/raft.
An unrelated change in swarmkit should fix some problems with
integration tests on ARM.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Volumes and other content created under a bind mount should be
recursively propagated using rshared, not shared. This could be
the reason for EBUSY during removal. Override options with rbind,
rshared and see if CI errors are fixed.
May fix#25511
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
During image pulls on docker service create, logs will only show status
updates and updates every 1 second on long-running actions like
downloading and extracting. Adds golang.org/x/time/rate as dependency.
Ports docker/swarmkit#1352 to docker/docker.
Signed-off-by: Drew Erny <drew.erny@docker.com>
/proc/timer_list seems to leak information about the host. Here is
an example from a busybox container running on docker+kubernetes.
# cat /proc/timer_list | grep -i -e kube
<ffff8800b8cc3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2497
<ffff880129ac3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3478
<ffff8800b1b77db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3470
<ffff8800bb6abdb0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2499
Signed-Off-By: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
This patch allows to only release the packages that were built and are
present under the bundles/ directory instead of assuming packages exist
for all distros enumerated in the contrib/builder/ directory.
It also now adds support for armhf architecture for apt repositories.
Signed-off-by: Tibor Vass <tibor@docker.com>
Since we added labels for volume, it is desired to have
filter support label for volume
Closes: #21416
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Remove checks that prevent overlay and SELinux from working together.
Fixes are arriving in the 4.9 kernel.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
This patch implements an Ellipsis utility to
append an ellipsis (...) when truncating
strings in output.
It also fixes the existing Truncate() utility
to be compatible with unicode/multibyte characters.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address the issue raised in 25375 where
`service update --publish-add` returns an error if the exact
same value is repeated (idempotent).
This fix use a map to filter out repeated port configs so
that `--publish-add` does not error out.
An integration test has been added.
This fix fixes 25375.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Docker 1.12 ships with an updated unit file on RPM
based distros. Users that have local modifications
to the unit file, or have a drop-in file installed
may not automatically get the updated unit file,
or get an error when starting docker.
This adds a warning to the changelog, and instructions
on how to resolve the issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
added the firewalld.service symbol in the After line docker
will always start after firewalld, thus eliminating the issue
of firewall blocking all mapped traffic.
Signed-off-by: Ramon Brooker <Ramon.Brooker@imaginecommunications.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "since" query parameter can be *useful*
for polling (in combination with "until"), but
doesn't actualy stop the endpoint from streaming
events.
This patch updates the description to better
clarify that "since" does not make the endpoint
non-streaming.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With the latest OL7.2, selinux policy that is shipped
might not be the latest for it to work or build with
selinux policy for docker-1.12.
To be able to achieve that here is what is done:
1. Added systemd_machined policy which is part of systemd.
2. Temporarily comment out unconfined_typebounds because the
current OL7's selinux doesn't have unconfineduser selinux policy,
to include this will be too much. Will revisit this once we have
updated the selinux policy.
Fixes: #24612
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
This fix updates docs so that log-opts takes map (`{}`) instead
of `[]`, as is defined in the impmenetation (`map[string]string`)
This fix fixes 22311.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Use `OnTimeout` callback on test timeouts to trigger a stack dump for
running daemons. This will help analyze stuck tests.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Only open_by_handle_at requires CAP_DAC_READ_SEARCH.
This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
New codes introduced a new method to wait container's exit code and
removal via Events API, but it specified a "since" filter based on
client side clock, which sometimes isn't synced up with daemon's clock,
hence leads the client to hang on waiting container's exit status.
This commit brings the Events call before start, and removes the time
filter, so that it can catch daemon events correctly without care of the
clock issue.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to address the issue raised in 25529 wehre the
image/load API returns `application/json` for quiet=0 and
`text/plain` for quite=1.
This fix makes the change so that `application/json` is returned
for both quiet=0 and quite=1.
This fix has been tested manually.
This fix fixes 25529.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In cases there are failures in task start, swarmkit might be trying to
restart the task again in the same node which might keep failing. This
creates a race where when a failed task is getting removed it might
remove the associated network while another task for the same service
or a different service but connected to the same network is proceeding
with starting the container knowing that the network is still
present. Fix this by reacting to `ErrNoSuchNetwork` error during
container start by trying to recreate the managed networks. If they
have been removed it will be recreated. If they are already present
nothing bad will happen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Fixes case where shutdown occurs before content is synced to disked
on layer creation. This case can leave the layer store in an bad
state and require manual recovery. This change ensures all files
are synced to disk before a layer is committed. Any shutdown that
occurs will only cause the layer to not show up but will allow it to
be repulled or recreated without error.
Added generic io logic to ioutils package to abstract it out of
the layer store package.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
commit 41d580c7a6 added
"Joined at" to the output of node inspect,
but I forgot that docs changes are needed.
This change updates the example output
of node inspect in the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Progress reporting during image load was added
in 415dd86886, but
the corresponding query-parameter was not documented
in the API docs.
This updates the API docs, and adds a response example
both with quiet enabled and disabled.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Without a content-type header, Go uses a max post size
of 10 megabytes, which makes loading images fail
if they're larger than 10 megabytes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address the issue in 25404 where updating environmental
variable in `service update --env-add` will not work.
The issue is because `--env-add` will only append the env, not update if
the same env already exist.
This fix tracks the env variable with a map and update if the variable
is the same.
An integration test has been added.
This fix fixes 25404.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This change allows btrfs subvolumes to be found in additional system
configurations. The old logic failed to correctly identify subvolumes
when the root fs was mounted as a subvolume that was not the btrfs
filesystem root.
Signed-off-by: Adam Mills <adam@armills.info>
The error message suggests you need one argument even when you
have provided one. Suggest having another argument.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Unlike `docker run -v..`, `docker service create --mount`
does not allow bind-mounting non-existing host paths.
This adds validation for the specified `source`, and
produces an error if the path is not found on the
host.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this, container's auto-removal after exit is done in a goroutine,
this commit will get ContainerRm out of the goroutine.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
If AutoRemove is set, wait until client get `destroy` events, or get
`detach` events that implies container is detached but not stopped.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
`--rm` is a client side flag which caused lots of problems:
1. if client lost connection to daemon, including client crash or be
killed, there's no way to clean garbage container.
2. if docker stop a `--rm` container, this container won't be
autoremoved.
3. if docker daemon restart, container is also left over.
4. bug: `docker run --rm busybox fakecmd` will exit without cleanup.
In a word, client side `--rm` flag isn't sufficient for garbage
collection. Move the `--rm` flag to daemon will be more reasonable.
What this commit do is:
1. implement a `--rm` on daemon side, adding one flag `AutoRemove` into
HostConfig.
2. Allow `run --rm -d`, no conflicting `--rm` and `-d` any more,
auto-remove can work on detach mode.
3. `docker restart` a `--rm` container will succeed, the container won't
be autoremoved.
This commit will help a lot for daemon to do garbage collection for
temporary containers.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
The memory should always be smaller than memoryswap,
we should error out with message that user know how
to do rather than just an invalid argument error if
user update the memory limit bigger than already set
memory swap.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
When running a `make manpages` the image `docker-manpage-dev` will be build and started to create
the man pages. But the container will not be deleted afterwards. So I propose to start it with
`docker run --rm ...`, otherwise we'll collect some trash.
```
$ docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
e3d9f721d862 docker-manpage-dev "man/generate.sh" 19 minutes ago Exited (0) 16 minutes ago berserk_jang
5738a23fb682 docker-manpage-dev "man/generate.sh" 9 hours ago Exited (0) 9 hours ago boring_bartik
15490b5e63f7 docker-manpage-dev "man/generate.sh" 10 hours ago Exited (0) 10 hours ago lonely_joliot
```
Signed-off-by: Dieter Reuter <dieter.reuter@me.com>
This fix tries to address the issue raised in #23498 to allow unset
`--entrypoint` in `docker run` or `docker create`.
This fix checks the flag `--entrypoint` and, in case `--entrypoint=` (`""`)
is passed, unset the Entrypoint during the container run.
Additional integration tests have been created to cover changes in this fix.
This fix fixes#23498.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
As of now promoting (or demoting) a node that has its role
left unchanged will always print a successful message.
This PR fixes the issue by matching the behavior on swarmkit's
swarmctl command and printing a message when desired role is
the current role of the node.
As a result this also avoids calling update when it is not
necessary.
Signed-off-by: Alexandre Beslic <alexandre.beslic@gmail.com>
This fix tries to address the issue raised in #23528 where
docker labels caused journald log error because journald
has special requirements on field names.
This fix addresses this issue by sanitize the labels per
requirements of journald.
Additional unit tests have been added to cover the changes.
This fix fixes#23528.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Interactive integration testing is useful when you're developing new tests, or
making changes to cli code.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This fix tries to address the issue raised in 25374 where the
output of `docker ps --filter` is in random order and
not deterministic.
This fix sorts the list of containers by creation time so that the
output is deterministic.
An integration test has been added.
This fix fixes 25374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.
The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.
The fedora policy is from commit
4a6ce94da5
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
- Create container.go and image.go for specific context code
- Keep common code in formatter.go and custom.go
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
These changes update the example output for `docker service ps` in the
swarm tutorial's rolling update and node draining sections to match that
produced by 1.12.0: shutdown tasks are listed and the column order and
naming has changed.
Signed-off-by: Ilkka Laukkanen <ilkka@ilkka.io>
This test is already covered in the individual graph driver tests and it
adds 15s to the test run without adding value. The original idea was to
test max number of layers, this is fulfilled by the graph drivers.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
As discussed on the maintainers mailinglist,
and during a maintainers review session;
We've recently made changes to the Dockerfile
syntax (e.g., `HEALTHCHECK`, `SHELL`), so
mentioning the Dockerfile syntax as a frozen
feature is no longer accurate.
Removing it from frozen features does NOT
automatically state an intent to make big
changes to the syntax; making changes
to the syntax are important decisions and
should never be taken lightly.
This change is just to indicate that we
can *accept* changes if they are meaningful,
and we're confident they can be made.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `--user`/`-u` of the `docker create` is the same as
`docker run`, which could take either `uid` or `uid:gid`
format. However, the description in the man page of `docker create`
is missing and may cause some confusions (comared with `docker run`).
This fix updates the man page of `docker create` so that it is
consistent with the man page of `docker run`.
This fix is related to 25304.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
There were couple issues in the previous version of this Dockerfile
1. [MongoDB manual](https://docs.mongodb.com/manual/tutorial/install-mongodb-on-ubuntu/) uses 3.2 repo version as of July'16.
2. Command `# lsb_release -sc` doesn't work out of box, because of `bash: lsb_release: command not found`.
Signed-off-by: Maxim Fedchyshyn <sevmax@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Printing off networks as part of --pretty was missing a newline, causing
the next thing printed to be concatenated onto the end of the line.
Added an empty println after all networks are printed.
Signed-off-by: Drew Erny <drew.erny@docker.com>
this change improves the instructions for
swarm join-token and swarm init;
- only print the join-token command for workers
instead of for both managers and workers, to
prevent users from copying the wrong command.
An extra line is added to explain how to obtain
the manager token.
- print a message that a token was rotated
sucesfully if '--rotate' is used.
- add some extra white-space before / after
the join commands, to make copy/pasting
easier.
this change also does some refactoring of join-token;
- move flagname-constants together with other constants
- use variables for selected role ("worker" / "manager")
to prevent checking for them multiple times, and to
keep the "worker" / "manager" sting centralized
- add an extra blank line after "join-token" instructions
this makes it easier to copy, and cleans up the
code a tiny bit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Problem Description:
An example scenario that involves deferred removal
1. A new base image gets created (e.g. 'docker load -i'). The base device is activated and
mounted at some point in time during image creation.
2. While image creation is in progress, a privileged container is started
from another image and the host's mount name space is shared with this
container ('docker run --privileged -v /:/host').
3. Image creation completes and the base device gets unmounted. However,
as the privileged container still holds a reference on the base image
mount point, the base device cannot be removed right away. So it gets
flagged for deferred removal.
4. Next, the privileged container terminates and thus its reference to the
base image mount point gets released. The base device (which is flagged
for deferred removal) may now be cleaned up by the device-mapper. This
opens up an opportunity for a race between a 'kworker' thread (executing
the do_deferred_remove() function) and the Docker daemon (executing the
CreateSnapDevice() function).
This PR cancel the deferred removal, if the device is marked for it. And reschedule the
deferred removal later after the device is resumed successfully.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
In `docker service create/update`, flag `--user` actually supports
`uid:gid` (same as `docker run`). However, this is not reflected
in the help and documentation yet.
This fix updates docs in `docker service create/update` to change
the description to `Username or UID (format: <name|uid>[:<group|gid>])`.
The help message output has also been updated.
This fix is related to 25304.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fixes: #25073
Update kernel memory on running containers without initialized
is forbidden only on kernel version older than 4.6.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This is intended as a minor fix for 1.12.1 so that task creation doesn't
do unexpected things when the user supplies erroneous paths.
In particular, because we're currently using hostConfig.Binds to setup
mounts, if a user uses an absolute path for a volume mount source, or a
non-absolute path for a bind mount source, the engine will do the
opposite of what the user requested since all absolute paths are
treated as binds and all non-absolute paths are treated as named
volumes.
Fixes#25253
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
On daemon restart the local volume driver will read options that it
persisted to disk, however it was reading an incorrect path, causing
volume options to be silently ignored after a daemon restart.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This is a minor fix that tries to replace `"workdir"` with const in `service create`.
Since `"workdir"` is the only string not defined as const in `func addServiceFlags()`,
I think it makes sense to replace `"workdir"` with a const to be consistent.
The flag `"workdir"` in `service update` has also been replaced.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Unfortunately, combining a job as CTO and maintaining
Docker is too much to combine, so David asked to be
moved to the alumni section.
Thanks for all the awesome work on Docker!
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to improve error messages when IP address
autodetection fails, as is specified in 25141.
Previously, error messages only indicate that multiple IPs
exist when autodetection fails. In this fix, if one
interface consists of multiple addresses or multiple
interfaces consist of addresses, the error messages output
the address names and interface names so that end user could
take notice.
This fix is verified manually.
When multiple addresses exist on multiple interfaces:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses on different
interfaces (192.168.186.128 on ens33 and 192.168.100.199 on eth10)
- specify one with --advertise-addr
```
When multiple addresses exist on single interface:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses
on interface ens33 (192.168.186.128 and 192.168.55.199)
- specify one with --advertise-addr
```
This fix fixes 25141.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Since 24237 has been merged, it is not necessary to require network
for swarm integration tests (`integration-cli/docker_api_swarm_test.go`)
any more.
This fix removes testRequires(c, Network) from swarm integration
tests.
This fix could be verified by disable networking, and all related
tests pass.
This fix is related to 24547, 24490, 24237.
This fix fixes 24547.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 25195 where external
CA configurations are not present in `docker info`.
This fix adds the output of external CAs in `docker info` in swarm
mode.
The test is done manually with:
```
docker run -p 8888:8888 -e CXFSSL_ADDRESS=0.0.0.0 -d fabric8/cfssl
docker swarm init --external-ca protocol=cfssl,url=http://172.17.0.2:8888
```
The `docker info` output:
```
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot interval: 10000
Heartbeat tick: 1
Election tick: 3
Dispatcher:
Heartbeat period: 5 seconds
CA configuration:
Expiry duration: 3 months
External CAs:
cfssl: https://172.17.0.2:8888
```
This fix fixes 25195.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Using the environment variable here also has the advantage that it can be copied and pasted directly in a terminal and it will work.
Signed-off-by: David Lechner <david@lechnology.com>
Windows base layers are no longer the special "layers+base" type, so we can remove all the special handling for that.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
On Ubuntu and Debian there is a sysctl which allows to block
clone(CLONE_NEWUSER) via "sysctl kernel.unprivileged_userns_clone=0"
for unprivileged users that do not have CAP_SYS_ADMIN.
See: https://lists.ubuntu.com/archives/kernel-team/2016-January/067926.html
The DockerSuite.TestRunSeccompUnconfinedCloneUserns testcase fails if
"kernel.unprivileged_userns_clone" is set to 0:
docker_cli_run_unix_test.go:1040:
c.Fatalf("expected clone userns with --security-opt seccomp=unconfined
to succeed, got %s: %v", out, err)
... Error: expected clone userns with --security-opt seccomp=unconfined
to succeed, got clone failed: Operation not permitted
: exit status 1
So add a check and skip the testcase if kernel.unprivileged_userns_clone is 0.
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
A kernel may support any of these, but an admin may have unmounted
certain cgroups, so let's include that possibility in the error so
as to avoid users thinking they have a kernel issue.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Currently, the counter only shows tasks on READY nodes. It's more
correct to also count nodes in the other states except DOWN, because
the tasks assocated with those nodes are still assumed to be running for
orchestration purposes. One example of when this could matter is during
a leader failover when agents are in the process of reconnecting.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When there is no event for the container it can happen because of a
crash and the container state on the persistent disk will have a
mismatch between what was in `/run` ( machine crash ).
This situation will create an unkillable container in docker because
containerd does not see it and it is not running but docker thinks it is
and you cannot tell it anything different.
This fixes the issue by checking if containerd has the container running
if we do not have an event instead of just returning.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Instead of using the bundles dir, which may be mounted in and ultimately
break if using b2d/d4mac/d4win. This makes it much easier to collect
test daemon logs and more natural for use d4mac/d4win users to run tests.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
join-tokens are not needed for this endpoint, and should not be as part
of /info
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit d8f3b3f006)
Rather than conflict with the unexposed task model, change the names of
the object-oriented task display to `docker <object> ps`. The command
works identically to `docker service tasks`. This change is superficial.
This provides a more sensical docker experience while not trampling on
the task model that may be introduced as a top-level command at a later
date.
The following is an example of the display using `docker service ps`
with a service named `condescending_cori`:
```
$ docker service ps condescending_cori
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 13 minutes ago Running 6c6d232a5d0e
```
The following shows the output for the node on which the command is
running:
```console
$ docker node ps self
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
b1tpbi43k1ibevg2e94bmqo0s mad_kalam.1 mad_kalam apline Accepted 2 seconds ago Accepted 6c6d232a5d0e
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 12 minutes ago Running 6c6d232a5d0e
4x609m5o0qyn0kgpzvf0ad8x5 furious_davinci.1 furious_davinci redis Running 32 minutes ago Running 6c6d232a5d0e
```
Signed-off-by: Stephen J Day <stephen.day@docker.com>
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.
This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.
There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
These links were temporarily changed, because the
docs were published before the 1.12.0 tag was
available.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
this brings back the trailing whitespace in "runmetrics",
that were there intentially to force a line-break
also removes a duplicate redirect, that was present
on two pages
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ensure convergence before moving on with testing leader election
conditions. This reduce the flakiness of this test when run in different
environments.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
If no restart delay is specified for a swarm service, the default
restart delay is 5 seconds. This is a reasonable value for actual
deployments - one example of where it's useful is that if a bad image is
specified, the orchestrator will wait 5 seconds between attempts to
restart it instead of restarting it in a tight loop.
In integration tests, this 5 second delay is dead time. The tests run
faster if the delay is reduced. Set it to 100 ms to avoid the waste of
time.
This appears to speed up a few tests:
DockerSwarmSuite.TestApiSwarmForceNewCluster 37.241s -> 34.323s
DockerSwarmSuite.TestApiSwarmRestartCluster 22.038s -> 15.545s
DockerSwarmSuite.TestApiSwarmServicesMultipleAgents 24.456s -> 19.853s
DockerSwarmSuite.TestApiSwarmServicesStateReporting 19.240s -> 10.049s
...a small step towards making the Swarm integration tests run in a
reasonable amount of time.
Also, change the update delay for the rolling update test from 8 seconds
to 4 seconds, which should be sufficient to differentiate between
batches of updated tasks. This reduces the runtime for
DockerSwarmSuite.TestApiSwarmServicesUpdate from 28s to 20s.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This is an attempt to fix the flaky test of TestSwarmNodeTaskListFilter in 25029.
Basically this fix adds a check to wait until 3 containers has already up,
before processing `node tasks ...`.
This might fix 25029.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24881 where
the stack name is not visable when inspecting containers
deployed through stacks.
This fix adds `labelNamespace` (`com.docker.stack.namespace`)
to containers at the client side so that the stack name label
will show up after containers are deployed.
This fix is tested manually:
- Build the binary with `make DOCKER_EXPERIMENTAL=1`
- Create a bundle file and deploy with the `docker stack deploy`
- Verify that `com.docker.stack.namespace` has been
set properly by checking contaners with `docker inspect <ContainerID>`
This fix fixes 24881.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In `TestApiSwarmRestartCluster`, it's calling `checkClusterHealth`.
`checkClusterHealth` calls `d.info()`, which will return an error if
there is no cluster leader... problem is `checkClusterHealth` is doing a
nil error assertion w/o giving any time for a leader to be elected.
This moves the `d.info()` call into a `waitAndAssert` using the default
reconciliation timeout.
It also moves some other checks into a `waitAndAssert` to give the
cluster enough time to come back up.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`TestParseWords` needs to use the `tokenEscape` for one of the test
cases, but `tokenEscape` was not being set unless tests ran in a
specific order.
This sets a default value for `tokenEscape`... `\`... so that tests that
rely on this global are not affected by test ordering.
This is the simplest fix for these cases. Ideally the token should not
be set as a global but rather passed down, which is a much larger
change.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
With digests being added by default, all images have multiple references.
The check for whether force is required to remove the reference should use the new check for single reference which accounts for digest references.
This change restores pre-1.12 behavior and ensures images are not accidentally left dangling while a container is running.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
When updating values in the spec according to CLI flags, don't write
into the existing pointers. They may be nil. Instead, update them to
point to the new value we're writing.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Context cancellations were previously causing `Prepare` to fail
completely on re-entrant calls. To prevent this, we filtered out cancels
and deadline errors. While this allowed the service to proceed without
errors, it had the possibility of interrupting long pulls, causing the
pull to happen twice.
This PR forks the context of the pull to match the lifetime of
`Controller`, ensuring that for each task, the pull is only performed
once. It also ensures that multiple calls to `Prepare` are re-entrant,
ensuring that the pull resumes from its original position.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Remove the swarm inspect command and use docker info instead to display
swarm information if the current node is a manager.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
When using encrypted vxlan network, some of the xfrm states are left
stale. This fix also filters out self advertise-addr rules.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Swarm mode makes it possible through the API to set labels to containers
but not through command line. This tries to fix it.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Ensure that cancellation of a pull propagates rather than continuing to
container creation. This ensures that the `Prepare` method is properly
re-entrant.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Instead reserve exit code 2 to be future proof, document that it should
not be used. Implementation-wise, it is considered as unhealthy, but
users should not rely on this as it may change in the future.
Signed-off-by: Tibor Vass <tibor@docker.com>
Relative paths are now calculated from a base path rather than from the file path, which gets treated like a directory.
Symlinks will now properly point to the file as "../<layer dir>/layer.tar" rather the incorrect "../../<layer dir>/layer.tar".
Fixes#24951
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
There is no example bundlefile in the documentation
so a bundlefile example has been added. This should
help in case user don't want to search inside the
source code.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This adds a guide with recommendations on how to setup
Managers and keep the Swarm cluster healthy.
Signed-off-by: Alexandre Beslic <alexandre.beslic@gmail.com>
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Truncated dir name can't give any useful information, print whole dir
name will.
Bad debug log is like this:
```
DEBU[2449] aufs error unmounting /var/lib/doc: no such file or directory
```
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
There's existing code to generate these
kind of errors, so make the errors added
in commit cc493a52a4
less DRY.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit cc493a52a4 added
a constraint to network connect/disconnect operations
on "Swarm scoped" networks.
This adds those errors to the API documentation. Also
changes the error to lowercase for consistency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Swarm handles service updates quite differently and also it doesnt
support worker driver network operations. Hence prevent containers from
connecting to swarm scoped networks
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Hostnames are not supported for now because libnetwork can't use them
for overlay networking yet.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fix tries to address the issue raised in 24912 where docker
build only consists of the current step without overall total steps.
This fix adds the overall total steps so that end user could follow
the progress of the docker build.
An additonal test has been added to cover the changes.
This fix fixes 24912.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Update documentation to account for the changes in #24952.
docs/swarm/swarm-tutorial/rolling-update.md doesn't need any changes,
but the CLI reference pages should show the current help text.
drain-node.md no longer needs to specify --update-parallelism 1 in its
example.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
SetConsoleMode() on input handles appears to remember invalid bits that
were set, causing problems for other programs (such as xcopy.exe) trying
to set the console mode after docker.exe has exited. Always restore
the input console mode on set failure.
Signed-off-by: John Starks <jostarks@microsoft.com>
When updates happen, the current behavior is to kill all running
instances and dispatch new tasks. Common use cases for container updates
involve small numbers of containers, meaning the app will go down on
most updates. Setting parallelism to 1 ensures that at most one task
will go down during the update. Services with higher replica counts can
increase this number accordingly to meet their needs.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
f5e1f6f688 replaced "secrets"
with "join tokens", which also removed the "auto-accept"
policy.
This removes some remaining references to those features.
Note that there are other references, but those
are already addressed in another pull request.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This renames the `rotate_xxx` flags to camelBack, for
consistency with other API query-params, such as
`detachKeys`, `noOverwriteDirNonDir`, and `fromImage`.
Also makes this flag accept a wider range of boolean
values ("0", "1", "true", "false"), and throw an error
if an invalid value is passed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was preventing the "exit" event to be correctly processed during
the restore process without live-restore enabled.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Swarm join has been changed in f5e1f6f688,
removing various options and the "node accept" command.
This removes the removed options from the completion
scripts.
NOTE: a new command ("docker swarm join-token") was
also added, but is not part of this commit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In 24823, `swarm join` has been updated to take a `--token`
flag and flag `--manager` has been removed. Though in errNoManager()
the error message still use the old description.
This fix update the error message in errNoManager() and conforms
to the current available flags.
This fix is related to 24823.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Tasks will display all tasks (`-a` is the default and was removed)
- Nest tasks to help display history
- Display task errors inline
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Simplifies the mount option usage by providing common aliases for
`source` and `target`. The default mount type is now volume.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When #24648 was merged, only the main Dockerfile was updated with the
new containerd commit, this commit brings the other Dockerfile up to
speed.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
this improves the formatting, and code-highlighting
of the `docker ps` reference page, and wraps sentences
to 80 chars
also adds single quotes around the formatting
example for labels.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
these values were changed to lowercase in
690cb2d08c,
but not changed accordingly in docker/docker.
this changes the mounttypes to lowercase
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes the hard coded restriction for non-linux platforms to v2 registries. Previously, the check was above the flag parsing, which would overwrite the hard coded value and prevent correct operation. This change also removes the related daemon flag from Windows to avoid confusion, as it has no meaning when the value is going to always be hard coded to true.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
`volume-driver-opt` was too verbose for its own existence and the sanity
of those in the vicinity. The much better, sleeker `volume-opt` replaces
it. 7 bytes and a case of carpal tunnel syndrome are saved!
Signed-off-by: Stephen J Day <stephen.day@docker.com>
the output/response slightly changed in
340964db1c,
and `:latest` is no longer required for
various actions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit update swarmkit to 9ee5fc3b8db5de8c8593a57bc45fc178f74ceee1.
This is part of step to fix#24270.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is an extension to last commit to expand the partial
filter to node and task searches.
Additional integration tests have been added to cover the changes.
This fix fixes 24270.
This fix fixes 24112.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This renames the '--bundle' flag for docker (stack) deploy
to be consistent with 'docker build'.
Note that there's no shorthand '-f' added for now,
because this may be confusing on 'docker stack config',
which also takes a file, and for which we may want to
have a '--format' flag in future.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds documentation for "--log-driver" and "--log-opt"
for services.
Also updated the API docs to include the new
options, and generated a more complete JSON
example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This slightly simplifies TruncateID() by only
trimming the string if needed.
Also improved unit-tests for this package;
- Add a test for GenerateNonCryptoID()
- Add a test for shortening a sha-256 ID
- Make TestShortenId() more "unit", by using a fixed string, instead of calling GenerateRandomID()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes#23981
The selinux issue we are seeing in the report is related to the socket
file for docker and nothing else. By removing the socket docker starts
up correctly.
However, there is another motivation for removing socket activation from
docker's systemd files and that is because when you have daemons running
with --restart always whenever you have a host reboot those daemons
will not be started again because the docker daemon is not started by
systemd until a request comes into the docker API.
Leave it for deb based systems because everything is working correctly
for both socket activation and starting normally at boot.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This fix tries to address the issue raised in 24270 where it was
not possible to have a partial name match when list services
with name filter.
This fix updates swarmkit and allows prefix search when name is
provided as the filter for listing services.
An additional integration test is added to cover the changes.
This fix fixes 24270.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Legacy plugin model maintained a map of plugins. This is
not used by the new model. Using this map in the new model
causes incorrect lookup of plugins. This change uses adds
a plugin to the map only if its legacy.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
This removes the logic to automatically
add [OPTIONS] to the usage output.
The current logic was broken if a command
only has deprecated or hidden flags, and
in many cases put the [OPTIONS] in the
wrong location.
Requiring the usage string to be set
manually gives more predictable results,
and shouldn't require much to maintain.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The error message;
unable to delete .... (must be forced) - image is referenced in one or more repositories
Looks to be incorrect
Given the following images:
docker images | grep 2d36b1c0ea40
registry 2 2d36b1c0ea40 7 weeks ago 171.2 MB
registry 2.4.1 2d36b1c0ea40 7 weeks ago 171.2 MB
Removing the image by *id* fails:
docker rmi 2d36b1c0ea40
Error response from daemon: conflict: unable to delete 2d36b1c0ea40 (must be forced) - image is referenced in one or more repositories
However, after untagging one image:
docker rmi registry:2
Untagged: registry:2
Removing the image works:
docker rmi 2d36b1c0ea40
Untagged: registry:2.4.1
Deleted: sha256:2d36b1c0ea40159adc8b36f7563f1d7a6d443384fe2611e8b393c1cb3ae2e6ad
Deleted: sha256:7abfddbf4e61927307b6646010845eeb7513ecc6541f33ea6103b2493e36aa4e
Deleted: sha256:f512d7699dbb2994fe15d30ee1d404e57b58c3c310617b4471db649680b4cfa0
Deleted: sha256:7291e34714908270aeda93f1dc681485f9734d41314e2fdc6c11f32ffa782a21
Deleted: sha256:548f6562929484f3d78267e4b1e31dcfeb9f303059668888b4423ce5501c7fbc
Deleted: sha256:afe56b46629e6d8e0bfc36fed13395a7cfa2bd83b58bb489976ef13553eff20b
Deleted: sha256:cf0c3bd5d6a0a14ebf96cc7d3df79a37774a70f3086273e09da71a86fe74fec2
Deleted: sha256:c5fdaf8b055f544d0211043e687905315c3a0b71c1c08df07e473dd0a30e43c8
docker images | grep 2d36b1c0ea40
<empty>
This changes the error message to reflect that behavior
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
following the announcement;
https://groups.google.com/forum/m/#!topic/golang-announce/7JTsd70ZAT0
> [security] Go 1.6.3 and Go 1.7rc2 pre-announcement
>
> Hello gophers,
> We plan to issue Go 1.6.3 and Go 1.7rc2 on Monday July 18 at approximately 2am UTC.
> These are minor release to fix a security issue.
>
> Following our policy at https://golang.org/security, this is the pre-announcement of those releases.
>
> Because we are so late in the release cycle for Go 1.7, we will not issue a minor release of Go 1.5.
> Additionally, we plan to issue Go 1.7rc3 later next week, which will include any changes between 1.7rc1 and tip.
>
> Cheers,
> Chris on behalf of the Go team
**Note:**
the man/Dockerfile is not yet updated, because
the official image for Go 1.6.2 has not yet
been updated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use module name logrus instead of log.
Use logrus.[Error|Warn|Debug|Fatal|Panic|Info]f instead of w/o f
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
This version introduces the following:
- uses nanosecond timestamps for event
- ensure events are sent once their effect is "live"
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
In API docs, `CPU` and `Memory` were used for resource settings on
services. The actual settings should be `NanoCPUs` and `MemoryBytes`.
This fix address the inconsistent fields between API docs and actual
settings.
This fix fixes#24058.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The none-https url results in a redirect
to https://support.oracle.com/epmos/faces/MosIndex.jspx?......
which our link-checker didn't like.
The https link looks to be a direct link,
and not resulting in a redirect, so updating the URL.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds log driver support for service creation and update. Add flags
`--log-driver` and `--log-opt` to match `docker run`. Log drivers are
configured per service.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This adds the `--live-restore` option to the documentation.
Also synched usage description in the documentation
with the actual description, and re-phrased some
flag descriptions to be a bit more consistent.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Unix sockets are limited to 108 bytes. As a result, we need to be
careful in not using exec-root as the parent directory for pluginID
(which is already 64 bytes), since it can result in socket path names
longer than 108 bytes. Use /tmp instead. Before this change, setting:
- dockerd --exec-root=/go/src/github.com/do passes
- dockerd --exec-root=/go/src/github.com/doc fails
After this change, there's no failure.
Also, write a volume plugins test to verify that the plugins socket
responds.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Make sure that the users enable both the socket and service for docker
as part of the default install instructions. If both are not enabled
docker will not start at boot and restart containers.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(and set $exec to dockerd instead)
This ensures end users do not need to make any configuration changes
due to the rename from docker to dockerd in version 1.12.
Signed-off-by: Paul Furtado <pfurtado@hubspot.com>
- the constraint expression needs to be quoted
- add an actual redis container to run so the command line works
Signed-off-by: Anil Madhavapeddy <anil@docker.com>
Using tabs here seems to cause copy/paste problems in some terminals.
Using spaces is safer.
Fixes#24609
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Updates the v1 search endpoint to also support v2 auth when an identity token is given.
Only search v1 endpoint is supported since there is not v2 search currently defined to replace it.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
improve help text for service update remove flags
implement proper merge update of placement flag
more code re-use in update functions using a toRemove set.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
There is a not-insignificant performance overhead for all containers (if
containerd is a child of Docker, which is the current setup) if rlimits are
set on the main Docker daemon process (because the limits
propogate to all children).
We recommend using cgroups to do container-local accounting.
This applies the change added in 8db61095a3
to other init scripts.
Note that nfile cannot be set to unlimited, and the limit
is hardcoded to 1048576 (2^20) , see:
http://stackoverflow.com/a/1213069/1811501
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
At the moment docker's deprecation policy is 2 release cycles by
default, which is around 5 months. This may not be enough for
production environment and there is a need to extend the
deprecation cycle to 3 releases (see #24494).
This fix updates the docs/deprecated.md and extend the deprecation
cycle to 3 releases.
This fix is related to #24494 and #24534.
This fix fixes#24534.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The output uses tabs, but those don't
translate well to the rendered output in
the docs, so replacing the tabs with spaces.
Also updates the output, because REPLICATED,
and SPREAD are no longer all-caps in the
actual output.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds an `--oom-score-adjust` flag to the daemon so that the value
provided can be set for the docker daemon's process. The default value
for the flag is -500. This will allow the docker daemon to have a
less chance of being killed before containers do. The default value for
processes is 0 with a min/max of -1000/1000.
-500 is a good middle ground because it is less than the default for
most processes and still not -1000 which basically means never kill this
process in an OOM condition on the host machine. The only processes on
my machine that have a score less than -500 are dbus at -900 and sshd
and xfce( my window manager ) at -1000. I don't think docker should be
set lower, by default, than dbus or sshd so that is why I chose -500.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
the executiondriver property was removed in
880484992c, but docs
were only updated for the 1.25 API, not for 1.24
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The original sed placement was creating packages with an
"unsupported" tag in the package name.
Fixes#24197
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
The "none" option was not added to the documentation.
This adds an example, and adds additional information
on manually accepting or rejecting a node.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add a `--network` flag which replaces `--net` without deprecating it
yet. The `--net` flag remains hidden and supported.
Add a `--network-alias` flag which replaces `--net-alias` without deprecating
it yet. The `--net-alias` flag remains hidden and supported.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
Looks like there's issues with sourceforge project
pages. Given that sourceforge isn't really what
it used to be, trying to find alternative URLs
where possible.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Flatten the list of `docker run` flags and group them loosely by
category (general purpose, security, networking, ...).
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
Kernel memory is not allowed to be updated if container is
running, it's not actually a precise kernel limitation.
Before kernel version 4.6, kernel memory will not be accounted
until kernel memory limit is set, if a container created with
kernel memory initialized, kernel memory is accounted as soon
as process created in container, so kernel memory limit update
is allowed afterward. If kernel memory is not initialized,
kernel memory consumed by processes in container will not be
accounted, so we can't update the limit because the account
will be wrong.
So update kernel memory of a running container with kernel memory
initialized is allowed, we should soften the limitation by docker.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
If the remote registry responds with a NAME_UNKNOWN error, treat this as
a fatal error and don't retry the push.
Tested against an ECR registry.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
The `--pid` flag was added in Docker 1.5.0, but the
API changes were not documented. In Docker 1.12.0,
`--pid=container:<name|id>` was added as an additional
option, but also undocumented.
This adds the missing API documentation for this
option.
Also see commits
47e3da848f (for 1.5.0), and
ebeb5a0422 (for 1.12.0).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add option to skip kernel check for older kernels which have been patched to support multiple lower directories in overlayfs.
Fixes#24023
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
For any operation that involves netwoks (other than network create),
swarmkit expects the target as network-id. Service upate was using
network-name as the target and that caused the issue.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This fix tries to address the issue raised in #24374 where
`docker info` outputs seccomp support in Ubuntu 14.04 but
the seccomp wass not actually supported.
The issue is that in the current docker implementation, seccomp
support is only checked against the kernel by inspect CONFIG_SECCOMP
and CONFIG_SECCOMP_FILTER. However, seccomp might not be enabled
when building docker (through golang build flag).
This fix adds a supportSeccomp boolean variable. The supportSeccomp
is only set to true when seccomp is enabled when building docker.
This fix fixes#24374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
`make run` allows you to fire up a daemon (in a container) just using
the existing built binaries. This allows for more rapid iteration
instead of dealing with firing up a shell just to start the daemon.
By default the daemon will listen on port 2375 on the default network
interface.
If a port forward is required to access the daemon, the user can set
`make DOCKER_PORT=2375 run` to get a port forward on a random port with
the daemon listening on port 2375, or `make DOCKER_PORT=2375:2375 run`
to get a daemon running with port 2375 forwarded to the daemon running
on 2375.
Note that the daemon is automatically configured to listen on whatever
port is set for the container side of the `DOCKER_PORT` port spec.
When running on docker4mac, the user must do the following:
```
$ make BINDDIR=. DOCKER_PORT=2375 run
```
This makes sure the binaries are loaded in the container and a port is
forwarded, since it is currently impossible to route traffic from the
mac directly to a container IP.
To get a fresh binary:
```
$ make BINDDIR=. DOCKER_PORT=2375 binary run
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The archive is only available on docs.docker.com, and not
when doing a "make docs", so relative links will not resolve.
Making these links absolute, so that they always
point to the live "docs.docker.com" domain.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is now up to date with contents of 1.12 tgz
Also change usage to `dockerd` not `docker daemon`
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit add DUMMY and IPVLAN to check-config.sh
because they are need for ipvlan and macvlan network
driver.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Now that Windows base images can be loaded directly into docker via "docker load" of a specialized tar file (with docker pull support on the horizon) we no longer have need of the custom images code path that loads images from a shared central location. Removing that code and it's call points.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
- Update ps with `--last` flag
- Update commands with current output
- Make sure hugo does not detect the wrong language
- Update usage for `tag` command to be more coherent with the other ones
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This reduces memory usage with a lot of docker proxy processes.
On Docker for Mac we are currently carrying a patch to replace
the binary as we modify it to forward ports to the Mac rather
than the Linux VM, this allows us to simply replace this binary
in our packaging with one that has a compatible interface. This
patch does not provide an easy way to substitute a binary as
the interface is complex and there are few use cases, but where
needed this can be done.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
In #24159, the title field of `docker node ls` has been
changed from NAME to HOSTNAME. However, in the docs the
NAMEs are still used for the output of `docker node ls`.
This fix updates docs so that NAME field is changed to
HOSTNAME for all `docker node ls`.
This fix is related to #24159 and #24090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
In the API:
`Writable` changed to `ReadOnly`
`Populate` changed to `NoCopy`
Corresponding CLI options updated to:
`volume-writable` changed to `volume-readonly`
`volume-populate` changed to `volume-nocopy`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.
This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.
`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.
Closes#23785
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
In order to keep a little bit of "sanity" on the API side, validate
hostname only starting from v1.24 API version.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This is done in a hacky way as currently there is no better way.
Uses known implementation details about how tasks are scheduled to be
able to operate on the underlying container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Mike is going to help us with triaging issues,
so adding him to the curators list to make it
official.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The image spec did not match the regexp that validates tags. It
neglected to mention that period and dash characters are allowed in
tags, as long as they are not the first character. It also did not
mention the length limit for tags.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There is a not-insignificant performance overhead for all containers (if
containerd is a child of Docker, which is the current setup) if systemd
sets rlimits on the main Docker daemon process (because the limits
propogate to all children).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
schema1 manifests is not working on ARM64, we should skip integration-cli
tests for schema1 manifests on ARM64.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
British mathematician Andrew Wiles is notable for solving Fermat's LAst
Theorem. Florence Nightingale was the first female inducted into the
Royal Statistical Society. Thomas Alva Edison was a prolific inventor,
noted for inventing the incandescent light bulb, the phonograph and the
motion picture camera (among many other).
Signed-off-by: Shourya Sarcar <shourya.sarcar@gmail.com>
lowercase the output, to prevent "About" halfway,
and add "ago" to the output, as timestamps are always
in the past.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The --auto-accept documentation currently says that both worker and
manager nodes are automatically accepted by default. Correct it.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
error: line 89: Invalid version (epoch must be unsigned integer):
%{epoch}:1.12.0-0.3.rc3.fc24: Requires(pre): docker-engine-selinux >=
%%{epoch}:1.12.0-0.3.rc3.fc24
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
For consistency with other filters (such as
"is-official"), this renames the desired_state
filter to "desired-state".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Swarm was putting volume type mounts into the container config's
"Volumes" field, but really these need to go into "Binds".
"Volumes" is only for normal "-v /foo" volumes, not named volumes or
anything else.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to fix the issue raised in #24168 where
golang.org/x/sys causes s390x build failure.
This fix revendor golang.org/x/sys to removed the import
of "golang.org/x/sys/unix".
Note: The last commit removes the reference to
"golang.org/x/sys/unix".
This fix fixes#24168.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the issue raised in #24168 where
golang.org/x/sys causes s390x build failure.
This fix removed the import of "golang.org/x/sys/unix".
This fix fixes#24168.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
… on `docker node tasks` and `docker service tasks` commands.
This changes is mainly server-side (between engine api and
swarmkit). There is just a check in `api/client/service/tasks.go` to
handle the special *self* meaning.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
I think we doesn't provide dm.no_warn_on_loop_devices option
at all. I didn't found any code to handle this option.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
This fix tries to address an issue raised in #24090 where
the title field of `docker node ls` use NAME instead of
HOSTNAME. Yet the content of this field is actually
hostname.
The fix makes needed changes for the output of
`docker node ls`.
An additional test has been added to cover the change in
this fix.
This fix fixes#24090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
* Detect name conflicts on network creation
* Detect and prevent network connect/disconnect for managed containers
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Perform chmod before rename with the atomic file writer.
Ensure writeErr is set on short write and file is removed on write error.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
fixing install script for rhel7
fixing install script for rhel7
Signed-off-by: Adam Kunk <adam.kunk@tiaa-cref.org>
updates to fix install script for RHEL
fixing install script for rhel7
fixing install script for rhel7
Signed-off-by: Adam Kunk <adam.kunk@tiaa-cref.org>
Just like `docker service tasks`, we should add `desired_state` filters
only in case there is no provided filters.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Fix two test issues:
- pidof is not available in PATH on some Jenkins systems (rhel, centos)
Use kill -0 instead.
- Cleanup after plugin test. This is a stop gap fix. The right way to
fix this, is to shutdown the plugin on daemon shutdown path (except
for the live-restore case). This will be done in a follow up PR.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Part of #23998. Adds a daemon to this test, so that the
volume that's created is added to this test daemon's vol store
instead of the main test daemons.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
This will kill any left over containerd-shims to avoid the integration
script to stay stuck while it waits on them.
It will then causes CI to fail (even if all the tests succeeded).
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This fix tries to address issue raised in #23973 where the
`docker rename` does not update namedIndex and linkIndex,
thus resulting in failures when the linked containers are
referenced later on.
This fix updates the namedIndex and linkIndex during the
`docker rename` and fixes the issue.
An integration test has been added to cover the changes
in this fix.
This fix fixes#23973.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The libtrust keyfile which is used to set the "ID" property of a daemon must be generated or loaded on every startup.
If the process crashes during startup this could cause the file to be incomplete causing future startup errors.
Ensure that the file is written atomically to ensure the file is never in an incomplete state.
Fixes#23985
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This updates containerd to b93a33be39bc4ef0fb00bfcb79147a28c33d9d43
fixing the start sync issues.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This deprecates the shorthand '-h', because we don't mention it as an option,
and it conflicts with the 'docker create -h/--hostname' option, so cannot be
used for all commands consistently.
This also removes the (single-dash) '-help' option. The single-dash variant was
marked "deprecated" in version 1.5.0 (basically, since it was added in
a2b529ead2), but still kept around to
prevent '-help' being treated as '-h -e -l -p', causing confusing
warnings.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Most modern distros have the limit for the maximum root keys at 1000000
but some do not. Because we are creating a new key for each container
we need to bump this up as the older distros are having this limit at
200.
Using 1000000 as the limit because that is that most distros are setting
this to now. If someone has this value configured over that we do not
change it.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Always attempt to add digest even when tag already exists.
Ensure digest does not currently exist.
When image id is mismatched, output an error log.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Its a minor thing but the daemon's output looks like this when there are
no containers to load:
```
INFO[0001] Loading containers: start.
INFO[0001] Loading containers: done.
```
That blank line (or more correctly, the \n) is unnecessary when
there are no containers to load since there is no `.` printed
Signed-off-by: Doug Davis <dug@us.ibm.com>
This fix tries to fix wrong CPU count after CPU hot-plugging.
On windows, GetProcessAffinityMask has been used to probe the
number of CPUs in real time.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address issues raised in #23768 where the CPU count
is not updated after cpu ho-plugging.
This fix follows the suggestion from #23768 and replace go's `runtime.NumCPU()`
with `sysconf(_SC_NPROCESSORS_ONLN)` so that correct CPU count could
be obtained even after CPU hot-plugging.
This fix is tested manually, as is suggested in #23768.
This fix fixes#23768.
The NumCPU() in Linux is based on @wmark 's implementation.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The Windows TP5 image is not compatible with the Hyper-V isolated
container clone feature. Detect old images and pass a flag specifying that
clone should not be enabled.
Signed-off-by: John Starks <jostarks@microsoft.com>
When calling docker load on an image tar containing a compressed layer,
apply NewProgressReader to the compressed layer (whose size is known), not
the uncompressed stream. This fixes progress reporting to the client in
this case.
Signed-off-by: John Starks <jostarks@microsoft.com>
On stop there were multiple places that marked
`cluster.node` nil. Now stop waits for the node to
set itself nil.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This warning appears in the course of normal use of swarm mode. Since
it's meant more as an internal TODO than something which should be
exposed to a user, remove the log message.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
During the renaming of a container, no need to call `container.Lock()`
if `oldName == newName`.
This is a follow-up from #23360 (commit 88d1ee6c11)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Currently when overlay creates a whiteout file then the overlay2 layer is archived,
the correct tar header will be created for the whiteout file, but the tar logic will then attempt to open the file causing a failure.
When tar encounters such failures the file is skipped and excluded for the archive, causing the whiteout to be ignored.
By skipping the copy of empty files, no open attempt will be made on whiteout files.
Fixes#23863
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Always enable VT output emulation when starting the process so that
non-attaching commands can still output VT codes.
Also remove the version block for using the native console and just rely
on supported flags being present.
Signed-off-by: John Starks <jostarks@microsoft.com>
the previous fix changed the lsb_dist variable
too early. We only normalize to "centos"
for the repository-location, so changing
it just before that.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Due to the issue of go-md2man, a numbered list in `man docker login` was not rendered correctly.
a8f937e113
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This also moves the variable holding the default runtime name from the
engine-api repository into docker repository
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker update` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Previously, 'local.target' was used which is not going to work
out-of-the-box for lots of users.
The 'default.target' is the default unit systemd starts at bootup and
hence what most users would be expected to use.
Signed-off-by: Tadej Janež <tadej.j@nez.si>
If "docker logs" was used on an offline container, the logger is leaked, leaving it up to the finalizer to close the file handle, which could block removal of the container. Further, the json file logger could leak an open handle if the logs are read without follow due to an early return without a close. This change addresses both cases.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
The code for default port was already there but
it didn’t work because split function errored out
before. This should be the desired behavior that
matches daemon listen address with swarm listen
address.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
commit 79e1d3877a
updated the v1.25 API with changes in SwarmKit,
but these changes should apply to v1.24.
This updates the 1.24 API with the same changes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The docs are currently published from "master" for the RC,
so hiding v1.25 API, which is for docker 1.13
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The reason why the issue occurs is because sh parses the first argument after -c as the whole script to execute.
Everything after isn't executed as one might expect.
When working on the 'fix' I found out the same fix is also done in commit 2af7c5cfe2, except only for one occurrence.
Signed-off-by: Serhat Gülçiçek <serhat+signoff@equil.nl>
- don't indent code-blocks that use fences
- fixed some formatting
- wrapped long lines to 80-chars
- removed stray empty lines
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix fixes one of the Jenkins docs failure:
https://jenkins.dockerproject.org/job/docs-docker-pr/9754/
There are 7 errors. This fix addresses one:
`* link error: (in page engine/userguide/storagedriver/device-mapper-driver.md) ../../reference/commandline/dockerd/#storage-driver-options`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Other docker command always print "[OPTIONS]" right after `docker
COMMAND`, but `build` and `push` has inconsistent help message.
This commit will fix help information format.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to fix the issue raised in #23716 where `docker start`
causes an error of `No such container:` if the container has been
renamed before `docker start` returns.
The issue is that `docker start` use container name passed at the
beginning to check for exit code at the end of the `docker start`.
This fix addresses the issue by always use container's `ID` to get
the information during `docker start`.
Additional integration tests have been added to cover this fix.
This fix fixes#23716.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The completion for the new `docker service`, `docker swarm` and
`docker node` command families were partly added in non-alphabetical
order.
Signed-off-by: Harald Albers <github@albersweb.de>
Layer uploads are deduplicated by a "key" made up of the layer DiffID
and the repository name. The repository name being used to form this key
was a remote version of the name that didn't include the name of the
registry. Consequently, pushes of the same layer in a repository with
the same remote name to different registries would wrongly be
deduplicated.
Correct the key by using the full name of the repository, which includes
the registry hostname as well as the image's name.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Change `docker service update` to replace attributes of the target
service rather than augment them. One particular occurrence where the
previous behavior proved problematic is when trying to update a port
mapping: the merge semantics provided no way of removing published
ports, but strictly of adding more.
The utility merge* functions where renamed accordingly to update*.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
fixing links to d4mac and d4win
updates per @Sven and @theJeztah, fixing links, typos, menu definitions, etc.
updates per Sven's comments in the PR
removed duplicate line in tutorials menu.md
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Add integration test for removing by image id with tag and digest reference to the same repository.
Add integration test to ensure only tag to other repository remains after deleting tag with accompanying digest reference.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Updates the rmi code to treat canonical references as related to tagged references from the same repository during deletion.
Canonical references with a different repository name will be treated as separate references.
Updates the remove by ID logic to still remove an image if there is a single tag reference and only canonical references to the same repository remaining.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This changes `docker swarm help` to be consistent with capitals
and removes full stops.
Before:
```
Commands:
init Initialize a Swarm.
join Join a Swarm as a node and/or manager.
update update the Swarm.
leave Leave a Swarm.
inspect Inspect the Swarm
```
After:
```
Commands:
init Initialize a Swarm
join Join a Swarm as a node and/or manager
update Update the Swarm
leave Leave a Swarm
inspect Inspect the Swarm
```
Signed-off-by: Anil Madhavapeddy <anil@docker.com>
During a docker exec, if no TTY is specified, the code would still leave stdin open instead of closing it. This change adds handling for the execConfig TTY bool that mirrors what is already done for container config. (Updated this change to be Windows only.)
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Instructions for installing the static binaries
has changed, so updated the instructions.
The comment on top already requires the steps
to be executed as root, so removing the 'sudo'
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change the kill mode to process so that systemd does not kill container
processes when the daemon is shutdown but only the docker daemon
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The test was waiting for the container to exit after failing its
healthcheck. However, we no longer automatically terminate containers,
so this waited instead for the container to time-out by itself.
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
To provide users a view of service status, list the number of running
task over the requested number of replicas.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
The `--update-parallelism` flaag should default to 0, which is
interpreted by the backend as unlimited. In other words, by default all
services should update simultaneously.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
updated link to faqs/troubleshoot to point to new location /toolbox
fixed docker-for-mac link error
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Do not gate with CAP_IPC_LOCK as unprivileged use is now
allowed in Linux. This returns it to how it was in 1.11.
Fixes#23587
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This ensures that:
- The in-memory plugin store is populated with all the plugins
- Plugins which were active before daemon restart are active after.
This utilizes the liverestore feature when available, otherwise it
manually starts the plugin.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When a repository has a tag and digests, show tag for each digest value.
Do not duplicate rows for the same image name with both tag and digest.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
fixing links after moving surfacing tutorials
fixing more links for the newly located tutorials
WIP: merging 3 getting started tutorials into one to cover all platforms, added new files
fixing broken images and links in 3-in-1 getting started, re-wrote story flow, linked to Toolbox, d4mac,d4win
Signed-off-by: Victoria Bialas <victoria.bialas@docker.com>
Removes the leader column from node ls and shows whether a node is the
leader in the manager status column instead.
Signed-off-by: Drew Erny <drew.erny@docker.com>
The security infomation has already been added to `GET /info` in #21172.
However, it is not part of the output of `docker info` yet.
This fix adds the security information to `docker info`.
Additional tests has been added to cover changes.
This fix fixes#23500. This fix is related to #20909, #21172.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This change updates how we handle long lines of output from the
container. The previous logic used a bufio reader to read entire lines
of output from the container through an intermediate BytesPipe, and that
allowed the container to cause dockerd to consume an unconstrained
amount of memory as it attempted to collect a whole line of output, by
outputting data without newlines.
To avoid that, we replace the bufio reader with our own buffering scheme
that handles log lines up to 16k in length, breaking up anything longer
than that into multiple chunks. If we can dispense with noting this
detail properly at the end of output, we can switch from using
ReadBytes() to using ReadLine() instead. We add a field ("Partial") to
the log message structure to flag when we pass data to the log driver
that did not end with a newline.
The Line member of Message structures that we pass to log drivers is now
a slice into data which can be overwritten between calls to the log
driver's Log() method, so drivers which batch up Messages before
processing them need to take additional care: we add a function
(logger.CopyMessage()) that can be used to create a deep copy of a
Message structure, and modify the awslogs driver to use it.
We update the jsonfile log driver to append a "\n" to the data that it
logs to disk only when the Partial flag is false (it previously did so
unconditionally), to make its "logs" output correctly reproduce the data
as we received it.
Likewise, we modify the journald log driver to add a data field with
value CONTAINER_PARTIAL_MESSAGE=true to entries when the Partial flag is
true, and update its "logs" reader to refrain from appending a "\n" to
the data that it retrieves if it does not see this field/value pair (it
also previously did this unconditionally).
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
Right now, if we hit an error retrieving the exit code in HCS process.ExitCode, we return that 0 and that error. Golang convention says that if an error is returned the other values should not be used, but the caller of ExitCode in libcontainerd has to fall through if an error is received. Rather than return a success exit code in that failure case, we should return -1 to indicate a generic failure.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
As the #23387 comment, the temp fix for UT need to be improved
to make it test the expected behavior. So let's add it.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Add a benchmark for measuring how the logger.Copier implementation
handles logged lines of sizes ranging up from 64 bytes to 256KB.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
If there is multiple networks to connect to on container starting,
the order of these networks is random because we "range a map". But
the defautl network "bridge" should be connected first since only
"bridge" support link and we should have do some settings on sandbox
creation, and only the first connect will setting the sandbox.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2016-05-26 03:20:53 -04:00
4632 changed files with 439180 additions and 259804 deletions
@@ -5,6 +5,599 @@ information on the list of deprecated flags and APIs please have a look at
https://docs.docker.com/engine/deprecated/ where target removal dates can also
be found.
## 17.03.0-ce (2017-03-01)
### Client
* Fix panic in `docker stats --format`
### Contrib
* Update various `bash` and `zsh` completion scripts [#30823](https://github.com/docker/docker/pull/30823), [#30945](https://github.com/docker/docker/pull/30945) and more...
2. Restart Docker. Verify that the Docker daemon starts with no errors.
3. Reinstall your plugins.
### Builder
+ Add capability to specify images used as a cache source on build. These images do not need to have local parent chain and can be pulled from other registries [#26839](https://github.com/docker/docker/pull/26839)
+ (experimental) Add option to squash image layers to the FROM image after successful builds [#22641](https://github.com/docker/docker/pull/22641)
* Fix dockerfile parser with empty line after escape [#24725](https://github.com/docker/docker/pull/24725)
- Add step number on `docker build` [#24978](https://github.com/docker/docker/pull/24978)
+ Add support for compressing build context during image build [#25837](https://github.com/docker/docker/pull/25837)
+ add `--network` to `docker build` [#27702](https://github.com/docker/docker/pull/27702)
- Fix inconsistent behavior between `--label` flag on `docker build` and `docker run` [#26027](https://github.com/docker/docker/issues/26027)
- Fix image layer inconsistencies when using the overlay storage driver [#27209](https://github.com/docker/docker/pull/27209)
* Unused build-args are now allowed. A warning is presented instead of an error and failed build [#27412](https://github.com/docker/docker/pull/27412)
- Fix builder cache issue on Windows [#27805](https://github.com/docker/docker/pull/27805)
+ Allow `USER` in builder on Windows [#28415](https://github.com/docker/docker/pull/28415)
+ Handle env case-insensitive on Windows [#28725](https://github.com/docker/docker/pull/28725)
### Contrib
+ Add support for building docker debs for Ubuntu 16.04 Xenial on PPC64LE [#23438](https://github.com/docker/docker/pull/23438)
+ Add support for building docker debs for Ubuntu 16.04 Xenial on s390x [#26104](https://github.com/docker/docker/pull/26104)
+ Add support for building docker debs for Ubuntu 16.10 Yakkety Yak on PPC64LE [#28046](https://github.com/docker/docker/pull/28046)
- Add RPM builder for VMWare Photon OS [#24116](https://github.com/docker/docker/pull/24116)
+ Add shell completions to tgz [#27735](https://github.com/docker/docker/pull/27735)
* Update the install script to allow using the mirror in China [#27005](https://github.com/docker/docker/pull/27005)
+ Add DEB builder for Ubuntu 16.10 Yakkety Yak [#27993](https://github.com/docker/docker/pull/27993)
+ Add RPM builder for Fedora 25 [#28222](https://github.com/docker/docker/pull/28222)
+ Add `make deb` support for aarch64 [#27625](https://github.com/docker/docker/pull/27625)
### Distribution
* Update notary dependency to 0.4.2 (full changelogs [here](https://github.com/docker/notary/releases/tag/v0.4.2)) [#27074](https://github.com/docker/docker/pull/27074)
- Support for compilation on windows [docker/notary#970](https://github.com/docker/notary/pull/970)
- Improved error messages for client authentication errors [docker/notary#972](https://github.com/docker/notary/pull/972)
- Support for finding keys that are anywhere in the `~/.docker/trust/private` directory, not just under `~/.docker/trust/private/root_keys` or `~/.docker/trust/private/tuf_keys` [docker/notary#981](https://github.com/docker/notary/pull/981)
- Previously, on any error updating, the client would fall back on the cache. Now we only do so if there is a network error or if the server is unavailable or missing the TUF data. Invalid TUF data will cause the update to fail - for example if there was an invalid root rotation. [docker/notary#982](https://github.com/docker/notary/pull/982)
- Improve root validation and yubikey debug logging [docker/notary#858](https://github.com/docker/notary/pull/858) [docker/notary#891](https://github.com/docker/notary/pull/891)
- Warn if certificates for root or delegations are near expiry [docker/notary#802](https://github.com/docker/notary/pull/802)
- Warn if role metadata is near expiry [docker/notary#786](https://github.com/docker/notary/pull/786)
- Fix passphrase retrieval attempt counting and terminal detection [docker/notary#906](https://github.com/docker/notary/pull/906)
- Avoid unnecessary blob uploads when different users push same layers to authenticated registry [#26564](https://github.com/docker/docker/pull/26564)
* Allow external storage for registry credentials [#26354](https://github.com/docker/docker/pull/26354)
### Logging
* Standardize the default logging tag value in all logging drivers [#22911](https://github.com/docker/docker/pull/22911)
- Improve performance and memory use when logging of long log lines [#22982](https://github.com/docker/docker/pull/22982)
+ Enable syslog driver for windows [#25736](https://github.com/docker/docker/pull/25736)
+ Update of AWS log driver to support tags [#27707](https://github.com/docker/docker/pull/27707)
+ Unix socket support for fluentd [#26088](https://github.com/docker/docker/pull/26088)
* Enable fluentd logging driver on Windows [#28189](https://github.com/docker/docker/pull/28189)
- Sanitize docker labels when used as journald field names [#23725](https://github.com/docker/docker/pull/23725)
- Fix an issue where `docker logs --tail` returned less lines than expected [#28203](https://github.com/docker/docker/pull/28203)
- Splunk Logging Driver: performance and reliability improvements [#26207](https://github.com/docker/docker/pull/26207)
- Splunk Logging Driver: configurable formats and skip for verifying connection [#25786](https://github.com/docker/docker/pull/25786)
### Networking
+ Add `--attachable` network support to enable `docker run` to work in swarm-mode overlay network [#25962](https://github.com/docker/docker/pull/25962)
+ Add support for host port PublishMode in services using the `--publish` option in `docker service create` [#27917](https://github.com/docker/docker/pull/27917) and [#28943](https://github.com/docker/docker/pull/28943)
+ Add support for Windows server 2016 overlay network driver (requires upcoming ws2016 update) [#28182](https://github.com/docker/docker/pull/28182)
* Change the default `FORWARD` policy to `DROP` [#28257](https://github.com/docker/docker/pull/28257)
+ Add support for specifying static IP addresses for predefined network on windows [#22208](https://github.com/docker/docker/pull/22208)
- Fix `--publish` flag on `docker run` not working with IPv6 addresses [#27860](https://github.com/docker/docker/pull/27860)
- Fix inspect network show gateway with mask [#25564](https://github.com/docker/docker/pull/25564)
- Fix an issue where multiple addresses in a bridge may cause `--fixed-cidr` to not have the correct addresses [#26659](https://github.com/docker/docker/pull/26659)
+ Add creation timestamp to `docker network inspect` [#26130](https://github.com/docker/docker/pull/26130)
- Show peer nodes in `docker network inspect` for swarm overlay networks [#28078](https://github.com/docker/docker/pull/28078)
- Enable ping for service VIP address [#28019](https://github.com/docker/docker/pull/28019)
### Plugins
- Move plugins out of experimental [#28226](https://github.com/docker/docker/pull/28226)
- Add `--force` on `docker plugin remove` [#25096](https://github.com/docker/docker/pull/25096)
* Add support for dynamically reloading authorization plugins [#22770](https://github.com/docker/docker/pull/22770)
+ Add description in `docker plugin ls` [#25556](https://github.com/docker/docker/pull/25556)
+ Add `-f`/`--format` to `docker plugin inspect` [#25990](https://github.com/docker/docker/pull/25990)
+ Add a new `is-task` ps filter [#24411](https://github.com/docker/docker/pull/24411)
+ Add `--env-file` flag to `docker service create` [#24844](https://github.com/docker/docker/pull/24844)
+ Add `--format` on `docker stats` [#24987](https://github.com/docker/docker/pull/24987)
+ Make `docker node ps` default to `self` in swarm node [#25214](https://github.com/docker/docker/pull/25214)
+ Add `--group` in `docker service create` [#25317](https://github.com/docker/docker/pull/25317)
+ Add `--no-trunc` to service/node/stack ps output [#25337](https://github.com/docker/docker/pull/25337)
+ Add Logs to `ContainerAttachOptions` so go clients can request to retrieve container logs as part of the attach process [#26718](https://github.com/docker/docker/pull/26718)
+ Allow client to talk to an older server [#27745](https://github.com/docker/docker/pull/27745)
* Inform user client-side that a container removal is in progress [#26074](https://github.com/docker/docker/pull/26074)
+ Add `Isolation` to the /info endpoint [#26255](https://github.com/docker/docker/pull/26255)
+ Add `userns` to the /info endpoint [#27840](https://github.com/docker/docker/pull/27840)
- Do not allow more than one mode be requested at once in the services endpoint [#26643](https://github.com/docker/docker/pull/26643)
+ Add capability to /containers/create API to specify mounts in a more granular and safer way [#22373](https://github.com/docker/docker/pull/22373)
+ Add `--format` flag to `network ls` and `volume ls` [#23475](https://github.com/docker/docker/pull/23475)
* Allow the top-level `docker inspect` command to inspect any kind of resource [#23614](https://github.com/docker/docker/pull/23614)
+ Add --cpus flag to control cpu resources for `docker run` and `docker create`, and add `NanoCPUs` to `HostConfig` [#27958](https://github.com/docker/docker/pull/27958)
- Allow unsetting the `--entrypoint` in `docker run` or `docker create` [#23718](https://github.com/docker/docker/pull/23718)
* Restructure CLI commands by adding `docker image` and `docker container` commands for more consistency [#26025](https://github.com/docker/docker/pull/26025)
- Remove `COMMAND` column from `service ls` output [#28029](https://github.com/docker/docker/pull/28029)
+ Add `--format` to `docker events` [#26268](https://github.com/docker/docker/pull/26268)
* Allow specifying multiple nodes on `docker node ps` [#26299](https://github.com/docker/docker/pull/26299)
* Restrict fractional digits to 2 decimals in `docker images` output [#26303](https://github.com/docker/docker/pull/26303)
+ Add `--dns-option` to `docker run` [#28186](https://github.com/docker/docker/pull/28186)
+ Add Image ID to container commit event [#28128](https://github.com/docker/docker/pull/28128)
+ Add external binaries version to docker info [#27955](https://github.com/docker/docker/pull/27955)
+ Add information for `Manager Addresses` in the output of `docker info` [#28042](https://github.com/docker/docker/pull/28042)
+ Add a new reference filter for `docker images` [#27872](https://github.com/docker/docker/pull/27872)
### Runtime
+ Add `--experimental` daemon flag to enable experimental features, instead of shipping them in a separate build [#27223](https://github.com/docker/docker/pull/27223)
+ Add a `--shutdown-timeout` daemon flag to specify the default timeout (in seconds) to stop containers gracefully before daemon exit [#23036](https://github.com/docker/docker/pull/23036)
+ Add `--stop-timeout` to specify the timeout value (in seconds) for individual containers to stop [#22566](https://github.com/docker/docker/pull/22566)
+ Add a new daemon flag `--userland-proxy-path` to allow configuring the userland proxy instead of using the hardcoded `docker-proxy` from `$PATH` [#26882](https://github.com/docker/docker/pull/26882)
+ Add boolean flag `--init` on `dockerd` and on `docker run` to use [tini](https://github.com/krallin/tini) a zombie-reaping init process as PID 1 [#26061](https://github.com/docker/docker/pull/26061) [#28037](https://github.com/docker/docker/pull/28037)
+ Add a new daemon flag `--init-path` to allow configuring the path to the `docker-init` binary [#26941](https://github.com/docker/docker/pull/26941)
+ Add support for live reloading insecure registry in configuration [#22337](https://github.com/docker/docker/pull/22337)
+ Add support for storage-opt size on Windows daemons [#23391](https://github.com/docker/docker/pull/23391)
* Improve reliability of `docker run --rm` by moving it from the client to the daemon [#20848](https://github.com/docker/docker/pull/20848)
+ Add support for `--cpu-rt-period` and `--cpu-rt-runtime` flags, allowing containers to run real-time threads when `CONFIG_RT_GROUP_SCHED` is enabled in the kernel [#23430](https://github.com/docker/docker/pull/23430)
* Implement XFS quota for overlay2 [#24771](https://github.com/docker/docker/pull/24771)
- Fix partial/full filter issue in `service tasks --filter` [#24850](https://github.com/docker/docker/pull/24850)
- Allow engine to run inside a user namespace [#25672](https://github.com/docker/docker/pull/25672)
- Fix a race condition between device deferred removal and resume device, when using the devicemapper graphdriver [#23497](https://github.com/docker/docker/pull/23497)
- Add `docker stats` support in Windows [#25737](https://github.com/docker/docker/pull/25737)
- Allow using `--pid=host` and `--net=host` when `--userns=host` [#25771](https://github.com/docker/docker/pull/25771)
+ (experimental) Add metrics (Prometheus) output for basic `container`, `image`, and `daemon` operations [#25820](https://github.com/docker/docker/pull/25820)
- Fix issue in `docker stats` with `NetworkDisabled=true` [#25905](https://github.com/docker/docker/pull/25905)
+ Add `docker top` support in Windows [#25891](https://github.com/docker/docker/pull/25891)
+ Record pid of exec'd process [#27470](https://github.com/docker/docker/pull/27470)
+ Add support for looking up user/groups via `getent` [#27599](https://github.com/docker/docker/pull/27599)
+ Add new `docker system` command with `df` and `prune` subcommands for system resource management, as well as `docker {container,image,volume,network} prune` subcommands [#26108](https://github.com/docker/docker/pull/26108) [#27525](https://github.com/docker/docker/pull/27525) / [#27525](https://github.com/docker/docker/pull/27525)
- Fix an issue where containers could not be stopped or killed by setting xfs max_retries to 0 upon ENOSPC with devicemapper [#26212](https://github.com/docker/docker/pull/26212)
- Fix `docker cp` failing to copy to a container's volume dir on CentOS with devicemapper [#28047](https://github.com/docker/docker/pull/28047)
+ Add `--seccomp-profile` daemon flag to specify a path to a seccomp profile that overrides the default [#26276](https://github.com/docker/docker/pull/26276)
- Fix ulimits in `docker inspect` when `--default-ulimit` is set on daemon [#26405](https://github.com/docker/docker/pull/26405)
- Add workaround for overlay issues during build in older kernels [#28138](https://github.com/docker/docker/pull/28138)
+ Add `TERM` environment variable on `docker exec -t` [#26461](https://github.com/docker/docker/pull/26461)
* Honor a container’s `--stop-signal` setting upon `docker kill` [#26464](https://github.com/docker/docker/pull/26464)
+ Add support for templating service options (hostname, mounts, and environment variables) [#28025](https://github.com/docker/docker/pull/28025)
* Display the endpoint mode in the output of `docker service inspect --pretty` [#26906](https://github.com/docker/docker/pull/26906)
* Make `docker service ps` output more bearable by shortening service IDs in task names [#28088](https://github.com/docker/docker/pull/28088)
* Make `docker node ps` default to the current node [#25214](https://github.com/docker/docker/pull/25214)
+ Add `--dns`, -`-dns-opt`, and `--dns-search` to service create. [#27567](https://github.com/docker/docker/pull/27567)
+ Add `--force` to `docker service update` [#27596](https://github.com/docker/docker/pull/27596)
+ Add `--health-*` and `--no-healthcheck` flags to `docker service create` and `docker service update` [#27369](https://github.com/docker/docker/pull/27369)
+ Add `-q` to `docker service ps` [#27654](https://github.com/docker/docker/pull/27654)
* Display number of global services in `docker service ls` [#27710](https://github.com/docker/docker/pull/27710)
- Remove `--name` flag from `docker service update`. This flag is only functional on `docker service create`, so was removed from the `update` command [#26988](https://github.com/docker/docker/pull/26988)
- Fix worker nodes failing to recover because of transient networking issues [#26646](https://github.com/docker/docker/issues/26646)
* Add support for health aware load balancing and DNS records [#27279](https://github.com/docker/docker/pull/27279)
+ Add `--hostname` to `docker service create` [#27857](https://github.com/docker/docker/pull/27857)
+ Add `--host` to `docker service create`, and `--host-add`, `--host-rm` to `docker service update` [#28031](https://github.com/docker/docker/pull/28031)
+ Add `--tty` flag to `docker service create`/`update` [#28076](https://github.com/docker/docker/pull/28076)
* Autodetect, store, and expose node IP address as seen by the manager [#27910](https://github.com/docker/docker/pull/27910)
* Encryption at rest of manager keys and raft data [#27967](https://github.com/docker/docker/pull/27967)
+ Add `--update-max-failure-ratio`, `--update-monitor` and `--rollback` flags to `docker service update` [#26421](https://github.com/docker/docker/pull/26421)
- Fix an issue with address autodiscovery on `docker swarm init` running inside a container [#26457](https://github.com/docker/docker/pull/26457)
+ (experimental) Add `docker service logs` command to view logs for a service [#28089](https://github.com/docker/docker/pull/28089)
+ Pin images by digest for `docker service create` and `update` [#28173](https://github.com/docker/docker/pull/28173)
* Add short (`-f`) flag for `docker node rm --force` and `docker swarm leave --force` [#28196](https://github.com/docker/docker/pull/28196)
+ Add options to customize Raft snapshots (`--max-snapshots`, `--snapshot-interval`) [#27997](https://github.com/docker/docker/pull/27997)
- Don't repull image if pinned by digest [#28265](https://github.com/docker/docker/pull/28265)
+ Swarm-mode support for Windows [#27838](https://github.com/docker/docker/pull/27838)
+ Allow hostname to be updated on service [#28771](https://github.com/docker/docker/pull/28771)
+ Support v2 plugins [#29433](https://github.com/docker/docker/pull/29433)
+ Add content trust for services [#29469](https://github.com/docker/docker/pull/29469)
### Volume
+ Add support for labels on volumes [#21270](https://github.com/docker/docker/pull/21270)
+ Add support for filtering volumes by label [#25628](https://github.com/docker/docker/pull/25628)
* Add a `--force` flag in `docker volume rm` to forcefully purge the data of the volume that has already been deleted [#23436](https://github.com/docker/docker/pull/23436)
* Enhance `docker volume inspect` to show all options used when creating the volume [#26671](https://github.com/docker/docker/pull/26671)
* Add support for local NFS volumes to resolve hostnames [#27329](https://github.com/docker/docker/pull/27329)
### Security
- Fix selinux labeling of volumes shared in a container [#23024](https://github.com/docker/docker/pull/23024)
- Prohibit `/sys/firmware/**` from being accessed with apparmor [#26618](https://github.com/docker/docker/pull/26618)
### DEPRECATION
- Marked the `docker daemon` command as deprecated. The daemon is moved to a separate binary (`dockerd`), and should be used instead [#26834](https://github.com/docker/docker/pull/26834)
- Deprecate unversioned API endpoints [#28208](https://github.com/docker/docker/pull/28208)
- Remove Ubuntu 15.10 (Wily Werewolf) as supported platform. Ubuntu 15.10 is EOL, and no longer receives updates [#27042](https://github.com/docker/docker/pull/27042)
- Remove Fedora 22 as supported platform. Fedora 22 is EOL, and no longer receives updates [#27432](https://github.com/docker/docker/pull/27432)
- Remove Fedora 23 as supported platform. Fedora 23 is EOL, and no longer receives updates [#29455](https://github.com/docker/docker/pull/29455)
- Deprecate the `repo:shortid` syntax on `docker pull` [#27207](https://github.com/docker/docker/pull/27207)
- Deprecate backing filesystem without `d_type` for overlay and overlay2 storage drivers [#27433](https://github.com/docker/docker/pull/27433)
- Deprecate `MAINTAINER` in Dockerfile [#25466](https://github.com/docker/docker/pull/25466)
- Deprecate `filter` param for endpoint `/images/json` [#27872](https://github.com/docker/docker/pull/27872)
default "bridge" network: failed to parse pool request
for address space "LocalDefault" pool " subpool ":
could not find an available, non-overlapping IPv6 address
pool among the defaults to assign to the network
```
To resolve this error, either remove the `--ipv6` flag (to preserve the same
behavior as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the
value of the `--fixed-cidr-v6` flag.
In a similar way, if you specify the `--ipv6` flag when creating a network
with the default IPAM driver, without providing an IPv6 `--subnet`, network
creation will fail with the following message:
```none
Error response from daemon: failed to parse pool request for address space
"LocalDefault" pool "" subpool "": could not find an
available, non-overlapping IPv6 address pool among
the defaults to assign to the network
```
To resolve this, either remove the `--ipv6` flag (to preserve the same behavior
as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the value of the
`--subnet` flag.
The network network creation will instead succeed if you use an external IPAM driver
which supports automatic allocation of IPv6 subnets.
### Runtime
- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)
### Networking
- Fix panic in docker network ls when a network was created with `--ipv6` and no ipv6 `--subnet` in older docker versions [#29416](https://github.com/docker/docker/pull/29416)
### Contrib
- Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)
## 1.12.4 (2016-12-12)
**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
upgrading from an older version of docker, the upgrade process may not
automatically install the updated version of the unit file, or fail to start
the docker service if;
- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
Starting the docker service will produce an error:
Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
or
no sockets found via socket activation: make sure the service was started by systemd.
To resolve this:
- Backup the current version of the unit file, and replace the file with the
[version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
After making those changes, run `sudo systemctl daemon-reload`, and `sudo
systemctl restart docker` to reload changes and (re)start the docker daemon.
### Runtime
- Fix issue where volume metadata was not removed [#29083](https://github.com/docker/docker/pull/29083)
- Asynchronously close streams to prevent holding container lock [#29050](https://github.com/docker/docker/pull/29050)
- Fix selinux labels for newly created container volumes [#29050](https://github.com/docker/docker/pull/29050)
- Fix race in serializing sandbox to string [docker/libnetwork#1495](https://github.com/docker/libnetwork/pull/1495)
- Fix race during deletion [docker/libnetwork#1503](https://github.com/docker/libnetwork/pull/1503)
* Reset endpoint port info on connectivity revoke in bridge driver [docker/libnetwork#1504](https://github.com/docker/libnetwork/pull/1504)
- Fix a deadlock in networking code [docker/libnetwork#1507](https://github.com/docker/libnetwork/pull/1507)
- Fix a race in load balancer state [docker/libnetwork#1512](https://github.com/docker/libnetwork/pull/1512)
### Logging
* Update fluent-logger-golang to v1.2.1 [#27474](https://github.com/docker/docker/pull/27474)
### Contrib
* Update buildtags for armhf ubuntu-trusty [#27327](https://github.com/docker/docker/pull/27327)
* Add AppArmor to runc buildtags for armhf [#27421](https://github.com/docker/docker/pull/27421)
## 1.12.2 (2016-10-11)
**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
@@ -117,7 +710,7 @@ systemctl restart docker` to reload changes and (re)start the docker daemon.
- Fix issue preventing `service update --publish-add` to work as intended [#25428](https://github.com/docker/docker/pull/25428)
- Remove `service update --network-add` and `service update --network-rm` flags
because this feature is not yet implemented in 1.12, but was inadvertently added
to the client in 1.12.0 [#25646](https://github.com/docker/docker/pull/25646)
to the client in 1.12.0 [#25646](https://github.com/docker/docker/pull/25646)
### Contrib
@@ -325,7 +918,7 @@ installing docker, please make sure to update them accordingly.
### DEPRECATION
* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed
* Environment variables `DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE` and `DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE` have been renamed
to `DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE` and `DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE` respectively [#22574](https://github.com/docker/docker/pull/22574)
* Remove deprecated `syslog-tag`, `gelf-tag`, `fluentd-tag` log option in favor of the more generic `tag` one [#22620](https://github.com/docker/docker/pull/22620)
* Remove deprecated feature of passing HostConfig at API container start [#22570](https://github.com/docker/docker/pull/22570)
@@ -496,7 +1089,7 @@ installing docker, please make sure to update them accordingly.
- Fix a panic that could occur when cleanup after a container started with invalid parameters ([#21716](https://github.com/docker/docker/pull/21716))
- Fix a race with event timers stopping early ([#21692](https://github.com/docker/docker/pull/21692))
- Fix race conditions in the layer store, potentially corrupting the map and crashing the process ([#21677](https://github.com/docker/docker/pull/21677))
- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
- Un-deprecate auto-creation of host directories for mounts. This feature was marked deprecated in ([#21666](https://github.com/docker/docker/pull/21666))
Docker 1.9, but was decided to be too much of a backward-incompatible change, so it was decided to keep the feature.
+ It is now possible for containers to share the NET and IPC namespaces when `userns` is enabled ([#21383](https://github.com/docker/docker/pull/21383))
+ `docker inspect <image-id>` will now expose the rootfs layers ([#21370](https://github.com/docker/docker/pull/21370))
@@ -1220,7 +1813,7 @@ by another client (#15489)
#### Security
- Fix tar breakout vulnerability
* Extractions are now sandboxed chroot
- Security options are no longer comitted to images
- Security options are no longer committed to images
printf'diff --git a/src/runtime/sys_darwin_amd64.s b/src/runtime/sys_darwin_amd64.s\nindex e09b906..fa8ff2f 100644\n--- a/src/runtime/sys_darwin_amd64.s\n+++ b/src/runtime/sys_darwin_amd64.s\n@@ -157,6 +157,7 @@ systime:\n\t// Fall back to system call (usually first call in this thread).\n\tMOVQ\tSP, DI\n\tMOVQ\t$0, SI\n+\tMOVQ\t$0, DX // required as of Sierra; Issue 16570\n\tMOVL\t$(0x2000000+116), AX\n\tSYSCALL\n\tCMPQ\tAX, $0\n'| patch -p1 &&\
# env vars passed through directly to Docker's build scripts
# to allow things like `make KEEPBUNDLE=1 binary` easily
# `docs/sources/contributing/devenvironment.md ` and `project/PACKAGERS.md` have some limited documentation of some of these
# `project/PACKAGERS.md` have some limited documentation of some of these
DOCKER_ENVS:=\
-e BUILD_APT_MIRROR \
-e BUILDFLAGS \
-e KEEPBUNDLE \
-e DOCKER_BUILD_ARGS \
-e DOCKER_BUILD_GOGC \
-e DOCKER_BUILD_PKGS \
-e DOCKER_DEBUG \
@@ -20,12 +22,19 @@ DOCKER_ENVS := \
-e DOCKER_GITCOMMIT \
-e DOCKER_GRAPHDRIVER=$(DOCKER_GRAPHDRIVER)\
-e DOCKER_INCREMENTAL_BINARY \
-e DOCKER_PORT \
-e DOCKER_REMAP_ROOT \
-e DOCKER_STORAGE_OPTS \
-e DOCKER_USERLANDPROXY \
-e TESTDIRS \
-e TESTFLAGS \
-e TIMEOUT
-e TIMEOUT\
-e HTTP_PROXY \
-e HTTPS_PROXY \
-e NO_PROXY \
-e http_proxy \
-e https_proxy \
-e no_proxy
# note: we _cannot_ add "-e DOCKER_BUILDTAGS" here because even if it's unset in the shell, that would shadow the "ENV DOCKER_BUILDTAGS" set in our Dockerfile, which is very important for our official builds
# to allow `make BIND_DIR=. shell` or `make BIND_DIR= test`
# This allows the test suite to be able to run without worrying about the underlying fs used by the container running the daemon (e.g. aufs-on-aufs), so long as the host running the container is running a supported fs.
# The volume will be cleaned up when the container is removed due to `--rm`.
# Note that `BIND_DIR` will already be set to `bundles` if `DOCKER_HOST` is not set (see above BIND_DIR line), in such case this will do nothing since `DOCKER_MOUNT` will already be set.
Read our <a href="https://docs.docker.com/project/get-help/#irc-quickstart" target="_blank">IRC quickstart guide</a> for an easy way to get started.
Read our <a href="https://docs.docker.com/opensource/get-help/#/irc-quickstart" target="_blank">IRC quickstart guide</a> for an easy way to get started.
</td>
</tr>
<tr>
@@ -238,7 +238,7 @@ We are always open to suggestions on process improvements, and are always lookin
This directory contains code pertaining to the Docker API:
# Working on the Engine API
- Used by the docker client when communicating with the docker daemon
The Engine API is an HTTP API used by the command-line client to communicate with the daemon. It can also be used by third-party software to control the daemon.
- Used by third party tools wishing to interface with the docker daemon
It consists of various components in this repository:
-`api/swagger.yaml` A Swagger definition of the API.
-`api/types/` Types shared by both the client and server, representing various objects, options, responses, etc. Most are written manually, but some are automatically generated from the Swagger definition. See [#27919](https://github.com/docker/docker/issues/27919) for progress on this.
-`cli/` The command-line client.
-`client/` The Go client used by the command-line client. It can also be used by third-party Go programs.
-`daemon/` The daemon, which serves the API.
##Swagger definition
The API is defined by the [Swagger](http://swagger.io/specification/) definition in `api/swagger.yaml`. This definition can be used to:
1. To automatically generate documentation.
2. To automatically generate the Go server and client. (A work-in-progress.)
3. Provide a machine readable version of the API for introspecting what it can do, automatically generating clients for other languages, etc.
## Updating the API documentation
The API documentation is generated entirely from `api/swagger.yaml`. If you make updates to the API, you'll need to edit this file to represent the change in the documentation.
The file is split into two main sections:
-`definitions`, which defines re-usable objects used in requests and responses
-`paths`, which defines the API endpoints (and some inline objects which don't need to be reusable)
To make an edit, first look for the endpoint you want to edit under `paths`, then make the required edits. Endpoints may reference reusable objects with `$ref`, which can be found in the `definitions` section.
There is hopefully enough example material in the file for you to copy a similar pattern from elsewhere in the file (e.g. adding new fields or endpoints), but for the full reference, see the [Swagger specification](https://github.com/docker/docker/issues/27919)
`swagger.yaml` is validated by `hack/validate/swagger` to ensure it is a valid Swagger definition. This is useful for when you are making edits to ensure you are doing the right thing.
## Viewing the API documentation
When you make edits to `swagger.yaml`, you may want to check the generated API documentation to ensure it renders correctly.
All the documentation generation is done in the documentation repository, [docker/docker.github.io](https://github.com/docker/docker.github.io). The Swagger definition is vendored periodically into this repository, but you can manually copy over the Swagger definition to test changes.
Copy `api/swagger.yaml` in this repository to `engine/api/[VERSION_NUMBER]/swagger.yaml` in the documentation repository, overwriting what is already there. Then, run `docker-compose up` in the documentation repository and browse to [http://localhost:4000/engine/api/](http://localhost:4000/engine/api/) when it finishes rendering.
// Package client provides a command-line interface for Docker.
//
// Run "docker help SUBCOMMAND" or "docker SUBCOMMAND --help" to see more information on any Docker subcommand, including the full list of options supported for the subcommand.
// See https://docs.docker.com/installation/ for instructions on installing Docker.
flags.StringVarP(&opts.author,"author","a","","Author (e.g., \"John Hannibal Smith <hannibal@a-team.com>\")")
opts.changes=dockeropts.NewListOpts(nil)
flags.VarP(&opts.changes,"change","c","Apply Dockerfile instruction to the created image")
// FIXME: --run is deprecated, it will be replaced with inline Dockerfile commands.
flags.StringVar(&opts.config,"run","","This option is deprecated and will be removed in a future version in favor of inline Dockerfile-compatible commands")
flags.MarkDeprecated("run","it will be replaced with inline Dockerfile commands.")
fmt.Fprintln(dockerCli.Err(),`SECURITY WARNING: You are building a Docker image from Windows against a non-Windows Docker host. All files and directories added to build context will have '-rwxr-xr-x' permissions. It is recommended to double check and reset permissions for sensitive files and directories.`)
}
// Everything worked so if -q was provided the output from the daemon
// should be just the image ID and we'll print that to stdout.
ifoptions.quiet{
fmt.Fprintf(dockerCli.Out(),"%s",buildBuff)
}
ifclient.IsTrusted(){
// Since the build was successful, now we must tag any of the resolved
// print a warning if devicemapper is using a loopback file
ifpair[0]=="Data loop file"{
fmt.Fprintln(cli.err," WARNING: Usage of loopback devices is strongly discouraged for production use. Use `--storage-opt dm.thinpooldev` to specify a custom block storage device.")
// if this is a default registry (docker hub), then display the following message.
fmt.Fprintln(cli.out,"Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.")
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
