All docker subcommands support `-h` as an alias for `--help`
unless they have `-h` aliased to something else like `docker run`,
which uses `-h` for `--hostname`.
`-h` is not included in the help messages of the commands, though.
It ist visible in
* reference: only in `docker daemon` reference,
see output of `grep -Rse --help=false docs`
* man pages: only in `docker` man page
see output of `grep -RF '**-h**' man`
For consistency reasons, this commit removes `-h` as an alias for
`--help` from the reference page, man page and the bash completion.
Signed-off-by: Harald Albers <github@albersweb.de>
This option was incorrectly ported to the new `daemon` subcommand
structure.
Beside the obvious effect that completion of `docker daemon --log-opt`
did not work, this also caused completion of `docker` and `docker xxx`
to fail on macs with
> bash: words: bad array subscript
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 18381faee6)
Conflicts:
contrib/completion/bash/docker
Updating netlink package to 4b5dce31de6d42af5bb9811c6d265472199e0fec
to fix certain wierd netlink issues seen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
(cherry picked from commit 7948b755c7)
Conflicts:
hack/vendor.sh
Docker ps default format should not take precedence over cli flags.
This happens effectively for other flags except `-q`.
We need to let the cli to set the format as table to print the
expected output with `-q`.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Fixes rare edge case of handling GNU LongLink and LongName entries.
Perf improvements. /dev/null writes were taking CPU time during docker
push. Thanks @LK4D4
Various cleanup too.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Removing references to regsitry 1.0, pointing to distribution
Updating links and title
Adding in comments
Signed-off-by: Mary Anthony <mary@docker.com>
(cherry picked from commit d550d729e1)
- started from Diogo's work
- updated after discussions with team
- Updating with new key names
- fixing weight
- adding in sandbox
- adding in gliffy for images
- backing out to old names for now
- Copy edit pass
- Entering comments from the content trust team
- Update name of branch and image name
- Removing the last diogo reference
- Updating with Seb's comments
Signed-off-by: Mary Anthony <mary@docker.com>
(cherry picked from commit 753bf40f15)
With systemd in version 219 IP forwarding should be forced in the interface configuration file.
Signed-off-by: yyekhlef <yyekhlef@gmail.com>
(cherry picked from commit 35aebdc803)
The documentation for Debian and Ubuntu explains how to enable memory
and swap accounting but doesn't explain why it is disabled in the first
place. The problem with those subsystems is that they incurs a
performance hit even when not used at all. Add this explanation.
The provided figure are quite vague. The memory overhead is easily
verifiable. It is for example cited in [RedHat documentation][]. For the
performance hit, maybe the performance is better now, but a few years
ago, it was said to be [between 6 and 15%][].
The goal is that people don't just enable memory accounting if they
don't have a use for it.
[RedHat documentation]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/sec-memory.html
[between 6 and 15%]: https://lwn.net/Articles/517562/
Signed-off-by: Vincent Bernat <vincent@bernat.im>
(cherry picked from commit 56b33e9f27)
Currently some notary tests change the system clock to check for expiration.
Skip these tests until the code can be refactored to not rely on updating the system clock.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit bf3c1e6a3a)
This patch splits LookupEndpoints into LookupPullEndpoints and
LookupPushEndpoints so that mirrors added with --registry-mirror are
skipped in the list returned by LookupPushEndpoints.
Fixes https://github.com/docker/distribution/issues/823
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit b899977ee2)
The process of pulling an image spawns a new goroutine for each layer in the
image manifest. If any of these downloads fail we would stop everything and
return the error, even though other goroutines would still be running and
writing output through a progress reader which is attached to an http response
writer. Since the request handler had already returned from the first error,
the http server panics when one of these download goroutines makes a write to
the response writer buffer.
This patch prevents this crash in the daemon http server by waiting for all of
the download goroutines to complete, even if one of them fails. Only then does
it return, terminating the request handler.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
(cherry picked from commit d80c4244d3)
Currently the service type is 'simple', the default, meaning that
docker.service is considered to be started straight after
spawning. This is incorrect as there is significant amount of time
between spawning and docker ready to accept connections on the passed
sockets. Docker does implement systemd socket activate and
notification protocol, and send the ready signal to systemd, once it
is ready. However for systemd to take those notifications into
account, the service file type should be set to notify.
Signed-off-by: Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
(cherry picked from commit d3e5179c29)
- Removing references to Boot2Docker replacing with Docker Machine
- Removing sudo warnings in instances where appropriate (no sudo in file)
- Updating with comments
Signed-off-by: Mary Anthony <mary@docker.com>
(cherry picked from commit cc375a1e48)
Fixes error continuing execution when the parsing fails.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 3d3db0d4af)
The custom configuration will also be used in docker invocations made
by the completion script itself, just like `-H`.
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit b898111d3a)
"Options:" listed when you run "docker --help" and "docker daemon
--help" do not match the options listed in "man/docker.1.md". This PR
makes 'docker --help', 'docker daemon --help' and 'man docker' consistent.
Also 2 typo fixes.
Signed-off-by: Sally O'Malley <somalley@redhat.com>
(cherry picked from commit f3bea61c80)
Integration tests were failing due to proc filter behavior
changes with new apparmor policies.
Also include the missing docker-unconfined policy resolving
potential startup errors. This policy is complain-only so
it should behave identically to the standard unconfined policy,
but will not apply system path-based policies within containers.
Signed-off-by: Eric Windisch <eric@windisch.us>
(cherry picked from commit 5832715052)
- Because of a bug, all the statically preallocated
bridge networks have /24 as network mask.
Signed-off-by: Alessandro Boch <aboch@docker.com>
(cherry picked from commit dab0447ae0)
We noticed a regression since the 1.7.1 patch after some refactoring. This
patch corrects the behavior and adds integration tests for modified manifest
and rootfs layer blobs.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
(cherry picked from commit de52a3bcaa)
Completion now filters the images and containers by given
`--type`.
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 69cde5a302)
Minor fixes:
* v1.19: GET /containers/(id)/logs - add missing '/'
* v1.18: Break up POST /containers/create and POST /containers/(id)/start into separate lines.
Signed-off-by: Charles Chan <charleswhchan@users.noreply.github.com>
(cherry picked from commit 084d464081)
Update UX to use aliases for root, snapshot, and target key
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit 6ce76cd9ed)
Use updated notary to pick up updates from security review
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit d594c6fcd8)
After tailing a file, if the number of lines requested is > the number
of lines in the file, this would cause a json unmarshalling error to
occur when we later try to go follow the file.
So brute force set it to the end if any tailing occurred.
There is potential that there could be some missing log messages if logs
are being written very quickly, however I was not able to make this
happen even with `while true; do echo hello; done`, so this is probably
acceptable.
While testing this I also found a panic in LogWatcher.Close can be
called twice due to a race. Fix channel close to only close when there
has been no signal to the channel.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit c57faa91e2)
Without this fix, `docker -l info ` would not complete the commands.
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit aab82c5c22)
It's a bit confusing: the "global options" are valid as "global options"
for all client commands (i.e. all but daemon).
Example: `docker --log-level info run`
For `docker daemon`, these "global options" are only valid as "command
options".
Example: `docker daemon --log-level info`
As command completion cannot tell which command the user is going to
type next, completion for the daemon command has to allow illegal
syntaxes like
`docker --log-level info daemon --log-level info`
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit e0dad9a153)
This patch fixes a bug where a user specifies a v1 mirror for
--registry-mirror and pull an image from the Hub.
It used to not fallback because of an unexpected error returned when
trying to JSON marshal nginx output.
We now ensure that any unexpected error falls back to the next endpoint
in the list.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit a21ba12f4e)
If I run two containers with the same network they share the same /etc/resolv.conf.
The current code changes the labels of the /etc/resolv.conf currently to the
private label which causes it to be unusable in the first container.
This patch changes the labels to a shared label if more then one container
will use the content.
Docker-DCO-1.1-Signed-off-by: Dan Walsh dwalsh@redhat.com (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
(cherry picked from commit 90b8cebda6)
[pkg/archive] Update archive/copy path handling
- Remove unused TarOptions.Name field.
- Add new TarOptions.RebaseNames field.
- Update some of the logic around path dir/base splitting.
- Update some of the logic behind archive entry name rebasing.
[api/types] Add LinkTarget field to PathStat
[daemon] Fix stat, archive, extract of symlinks
These operations *should* resolve symlinks that are in the path but if the
resource itself is a symlink then it *should not* be resolved. This patch
puts this logic into a common function `resolvePath` which resolves symlinks
of the path's dir in scope of the container rootfs but does not resolve the
final element of the path. Now archive, extract, and stat operations will
return symlinks if the path is indeed a symlink.
[api/client] Update cp path hanling
[docs/reference/api] Update description of stat
Add the linkTarget field to the header of the archive endpoint.
Remove path field.
[integration-cli] Fix/Add cp symlink test cases
Copying a symlink should do just that: copy the symlink NOT
copy the target of the symlink. Also, the resulting file from
the copy should have the name of the symlink NOT the name of
the target file.
Copying to a symlink should copy to the symlink target and not
modify the symlink itself.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
(cherry picked from commit 75f6929b44)
Fix#14915. Add unit test for #14915.
Thanks @runcom for the test case: when the client calls 1.18 api
version w/o hostconfig it results in a nil pointer dereference.
Signed-off-by: Stephen Rust <srust@blockbridge.com>
(cherry picked from commit c358a4cd35)
The 'deny ptrace' statement was supposed to only ignore
ptrace failures in the AUDIT log. However, ptrace was implicitly
allowed from unconfined processes (such as the docker daemon and
its integration tests) due to the abstractions/base include.
This rule narrows the definition such that it will only ignore
the failures originating inside of the container and will not
cause denials when the daemon or its tests ptrace inside processes.
Introduces positive and negative tests for ptrace /w apparmor.
Signed-off-by: Eric Windisch <eric@windisch.us>
(cherry picked from commit f5c388b35a)
Builds where the base images have been resolved to trusted digest
references will now be tagged with the original tag reference from
the Dockerfile on a successful build.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
(cherry picked from commit bb2e6c72d2)
The `ApplyDiff` function takes a tar archive stream that is
automagically decompressed later. This was causing a double
decompression, and when the layer was empty, that causes an early EOF.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
(cherry picked from commit 273f50c741)
In `ApplyLayer` and `Untar`, the stream is magically decompressed. Since
this is not able to be toggled, rather than break this ./pkg/ API, add
an `ApplyUncompressedLayer` and `UntarUncompressed` that does not
magically decompress the layer stream.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
(cherry picked from commit 56bf275e32)
Currently login and search do not load per registry certificates.
This is a regression caused by the last refactor since this was recently fixed.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit e863a07b89)
Return an error when the container is stopped only in api versions
equal or greater than 1.20 (docker 1.8).
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 621e3d8587)
So we marshal/unmarshal its value properly when it's empty.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 4e25d2982b)
The engine policy will now only complain
as a temporary measure to ensure we do not
cause breakages while users exercise this
policy.
This is NOT the policy for containers, but
for the newly-introduced policy for the
daemon itself.
Signed-off-by: Eric Windisch <eric@windisch.us>
(cherry picked from commit 6c887be769)
Implements the policies for the remaining binaries
called by the Docker engine and eliminates the
giant whitelisted 'all files' permission in favor
of granular whitelisting and child-specific policies.
It should be possible now to remove the 'file' permission,
but for the sake of keeping Docker unbroken, we'll try
to gradually tighten the policy.
Signed-off-by: Eric Windisch <eric@windisch.us>
(cherry picked from commit 8b2fcddcd2)
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.
A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.
Also introduces documentation for AppArmor.
Signed-off-by: Eric Windisch <eric@windisch.us>
(cherry picked from commit 3edc88f76d)
I think it was original intention, because even half of a comment was about
MaxInt32.
Fix#15038
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
(cherry picked from commit eb45602d2f)
Symbolic links in the context directory path are now evaluated.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
(cherry picked from commit 01d570ad30)
This version includes a fix that avoids checking against specific HTTP
status codes. The previous behavior violated the registry API spec.
Fixes#14975
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 091dbc1034)
In 1.6.2 we were decoding inspect API response into interface{}.
time.Time fields were JSON encoded as RFC3339Nano in the response
and when decoded into interface{} they were just strings so the inspect
template treated them as just strings.
From 1.7 we are decoding into types.ContainerJSON and when the template
gets executed it now gets a time.Time and it's formatted as
2015-07-22 05:02:38.091530369 +0000 UTC.
This patch brings back the old behavior by typing time.Time fields
as string so they gets formatted as they were encoded in JSON -- RCF3339Nano
Signed-off-by: Antonio Murdaca <runcom@linux.com>
(cherry picked from commit c9207bc0aa)
Update help line to allow 90 characters instead of 80
The trust flag pushes out the help description column wider, requiring more room to display help messages.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Clean up tests to remove duplicate code
Add tests which run pull and create in an isolated configuration directory.
Add build test for untrusted tag
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The Dockerfile is rewritten with images references on FROM
instructions resolved to trusted digests. The rewritten Dockerfile
is swapped with the original one during context upload.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Separated preparation of context and Dockerfile for
the various different methods of specifying them.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Added notary server to docker base image.
Created trust suite which runs trust server for running trusted commands.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Add a trusted flag to force the cli to resolve a tag into a digest via the notary trust library and pull by digest.
On push the flag the trust flag will indicate the digest and size of a manifest should be signed and push to a notary server.
If a tag is given, the cli will resolve the tag into a digest and pull by digest.
After pulling, if a tag is given the cli makes a request to tag the image.
Use certificate directory for notary requests
Read certificates using same logic used by daemon for registry requests.
Catch JSON syntax errors from Notary client
When an uncaught error occurs in Notary it may show up in Docker as a JSON syntax error, causing a confusing error message to the user.
Provide a generic error when a JSON syntax error occurs.
Catch expiration errors and wrap in additional context.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
* Add godoc documentation where it was missing
* Change identifier names that don't match Go style, such as INDEX_NAME
* Rename RegistryInfo to PingResult, which more accurately describes
what this structure is for. It also has the benefit of making the name
not stutter if used outside the package.
Updates #14756
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There is no option validation for "journald" log-driver, so it makes no
sense to fail in that case.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Based on the list containers with filters options it would seem that filtering containers with label `test=docker-java` could be done with `{"test":["docker-java"]}` which doesn't work
The options that work are `{"label":["test"]}` and `{"label":["test=docker-java"]}`
As seen in https://github.com/docker-java/docker-java/pull/262
Signed-off-by: Carlos Sanchez <carlos@apache.org>
A moratorium has been added to the road map to add a moratorium on adding
remote registry access to commands that don't already do so.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This patch creates a new cli package that allows to combine both client
and daemon commands (there is only one daemon command: docker daemon).
The `-d` and `--daemon` top-level flags are deprecated and a special
message is added to prompt the user to use `docker daemon`.
Providing top-level daemon-specific flags for client commands result
in an error message prompting the user to use `docker daemon`.
This patch does not break any old but correct usages.
This also makes `-d` and `--daemon` flags, as well as the `daemon`
command illegal in client-only binaries.
Signed-off-by: Tibor Vass <tibor@docker.com>
Currently the vendor script removes directories which do not have imported go packages, however this also ends up removing license files which may be other directories.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The header row was not being printed when "docker ps" was invoked without containers thanks to the new format support, and we instead received a single blank line.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Without this fix, `docker --log-opt ` would not complete anything
because the completions were driver specific.
Signed-off-by: Harald Albers <github@albersweb.de>
Without this fix, `docker --log-driver fluentd --log-opt fluentd-tag=b`
would complete `b` to `build`.
Completion of the commands has to be nailed to __docker_pos_first_nonflag
Signed-off-by: Harald Albers <github@albersweb.de>
pushV2Tag already deduplicates layers, but the scope of this
deduplication is only for a particular tag. If we are pushing all tags
in a repository, we may check layers several times. Fix this by moving
the layersSeen map from the pushV2Tag function to the v2Pusher struct.
In addition to avoiding some useless round-trips, this makes the "docker
push" output less confusing. It formerly could contain many repeated
lines like:
124e2127157f: Image already exists
124e2127157f: Image already exists
...
Add test coverage based on the "docker push" output: a hash should not
appear multiple times when pushing multiple tags.
Fixes#14873
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
By default, using go with package will only validate the go file for the
current platform (or at last misses file_windows.go for example). This
tries to fix that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
After removing the duplicate ROADMAP in a separate PR, a few other
issues were noted in README.md which are fixed here:
- the directory is project, not hack
- make.sh is no longer in the current dir since hack/ is not project/
anymore
- MAINTAINERS is no longer here as a markdown file, but is a TOML file
in the root of the project
- links were added to all files to make it easier to follow from here
to the appropriate location
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Wraps the engine itself with an AppArmor policy.
This restricts what may be done by applications
we call out to, such as 'xz'.
Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.
Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.
Signed-off-by: Eric Windisch <eric@windisch.us>
Prevent the docker daemon from mounting the created network files over
those provided by the user via -v command line option. This would otherwise
hide the one provide by the user.
The benefit of this is that a user can provide these network files using the
-v command line option and place them in a size-limited filesystem.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
The docker-py commit used in the standard `Dockerfile` is from Feb. 2015
and is out of date with the current API level and has fixes for things
like the new docker cli config location and registry v2 changes/API
responses as well.
Also pass "NOT_ON_HOST=true" to docker-py test suite so that tests
relying on direct HOST interaction (versus running in a container) are
skipped.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Re-add the docs from @calavera's PR to the moved cli cmd reference docs.
Fix gofmt and vet issues from carried commits
Add integration test for using format with --no-trunc and multi-names
Fix custom_test map order dependency on expected value check
Add docs to reference/commandline/ps.md
Remove "-F" flag option from original carried PR content
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
with the current duplication of code in the grap.go split-up, this puts
all assembly/disassembly logic into isolated functions
Signed-off-by: Vincent Batts <vbatts@redhat.com>
if there is a tar-data.json.gz present for an image layer, then use it
to create the tar archive, instead of the traditional graphdriver Diff.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Conflicts:
graph/graph.go
Preserve the entries from the tar archive for layers added to the graph.
With these entries and relative filesystem path, the tar archives can be
reassembled later.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
By using the 'unconfined' policy for privileged
containers, we have inherited the host's apparmor
policies, which really make no sense in the
context of the container's filesystem.
For instance, policies written against
the paths of binaries such as '/usr/sbin/tcpdump'
can be easily circumvented by moving the binary
within the container filesystem.
Fixes GH#5490
Signed-off-by: Eric Windisch <eric@windisch.us>
When we are creating a container, first we call into graph driver to take
snapshot of image and create root for container-init. Then we write some
files to it and call into graph driver again to create container root
from container-init as base.
Once we have written files to container-init root, we don't unmount it
before taking a snapshot of it. Looks like with XFS it leaves it in such
a state that when we mount the container root, it goes into log recovery
path.
Jul 22 10:24:54 vm2-f22 kernel: XFS (dm-6): Mounting V4 Filesystem
Jul 22 10:24:54 vm2-f22 kernel: XFS (dm-6): Starting recovery (logdev: internal)
Jul 22 10:24:54 vm2-f22 kernel: XFS (dm-6): Ending recovery (logdev: internal)
This should not be required. So let us unmount container-init before use
it as a base for container root and then XFS does not go into this
internal recovery path.
Somebody had raised this issue for ext4 sometime back and proposed the same
change. I had shot it down at that point of time. I think now time has
come for this change.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Fix the following warnings:
pkg/mount/mountinfo.go:5:6: type name will be used as mount.MountInfo by other packages, and that stutters; consider calling this Info
pkg/mount/mountinfo.go:7:2: struct field Id should be ID
Signed-off-by: Antonio Murdaca <runcom@linux.com>
It's introduced in
68ba5f0b69 (Execdriver implementation on new libcontainer API)
But I don't see reson why we need it.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Documented changes to API to enable new `docker cp` behavior.
Added documentation on `docker cp` usage and behavior.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
If a registry mirror is using TLS, ensure that certs for it
are picked up from /etc/docker/certs.d
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
Adds several integration tests for `docker cp` behavior with over a dozen
tests for each of:
container -> local
local -> container
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Supports copying things INTO a container from a local file or from a tar
archive read from stdin.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Adds http handlers for new API endpoints:
GET ContainersArchivePath
Return a Tar Archive of the contents at the specified location in a
container. Deprecates POST ContainersCopy. Use a HEAD request to stat
the resource.
PUT ContainersExtractToDir
Extract the Tar Archive from the request body to the directory at the
specified location inside a container.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
The only uses of RequestAuthorization and its associated functions were
removed in 19515a7ad8 ("Update graph to
use vendored distribution client for the v2 codepath")
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
The following methods will deprecate the Copy method and introduce
two new, well-behaved methods for creating a tar archive of a resource
in a container and for extracting a tar archive into a directory in a
container.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Adds TarResource and CopyTo functions to be used for creating
archives for use with the new `docker cp` behavior.
Adds multiple test cases for the CopyFrom and CopyTo
functions in the pkg/archive package.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Add golint to the Dockerfile, and a `validate-lint` task to the
Makefile. Currently, the linter will process a harcoded list of packages
that will expand as we fix more warnings. Eventually, the linter should
process all subpackages of the repo (excluding vendored code).
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
After merging mounting cgroups in container this tests doing wrong
checks. Cgroup paths could be prepended by other cgroups from host.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Fixes an issue with curly braces being escaped when they should not be.
This was particularly an issue in places where `--format '{{ ... }}'`
is used in the man docs.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
There are several bug reports on this error happening, and error is
not helpful unless you read the code. Google brings up removing
the repositories.btrfs file.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
* api/client/ps.go: Refactor CmdPs to use a fields list of
characters to determine which columns to print on `docker ps`
invocation.
This adds an ability for the docker command to print the columns of
output in arbitrary order.
Signed-off-by: Jeff Mickey <j@codemac.net>
Docker-DCO-1.1-Signed-off-by: Jeff Mickey <j@codemac.net>
- fully capitalize HTTP in HTTPHeaders
- comment for CONFIGFILE
- camelcase and privatize oldConfigfile, defaultIndexserver
- remove unused var errConfigFileMissing
- comments for methods and functions throughout
- external references to renamed variables changed
Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
This solves several problems that arise from the special treatment of
"=" in Bash.
The fix was required as some log drivers have options in a key=value
form. It also addresses the --option=value and the negated boolean syntax
(--boolean=false).
Note that this is not a general fix for these problems, it is limited to
the __docker_pos_first_nonflag function.
Signed-off-by: Harald Albers <github@albersweb.de>
The ZFS driver should raise proper errors when the ZFS utility is
missing or when there's no zfs partition active on the system. Raising the
proper errors make possible to silently ignore the ZFS storage
driver when no default storage driver is specified.
Previous to this commit it was no longer possible to start the
docker daemon in that way:
docker -d --storage-opt dm.loopdatasize=2GB
The above command resulted in an exit error because the ZFS driver
tried to use the storage options.
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
As suggested in https://github.com/docker/docker/pull/14004/files#r34022527
The concern there is we can't differentiate whether user explicitly
asked for an invalid value of -1 or he did not specify anything.
I don't think this would be a problem, because:
- like all other default values like zero, we can't differentiate
user specify it or not, most of which, zeros are also invalid, so
default is default, we show these default values in help info,
so users would know if they set value as default, it'll be like
they set nothing.
- we can't do this kind of string check in REST api request, so
it'll make the behave different from docker command and RESTapi.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Closes#14621
This one grew to be much more than I expected so here's the story... :-)
- when a bad port string (e.g. xxx80) is passed into container.create()
via the API it wasn't being checked until we tried to start the container.
- While starting the container we trid to parse 'xxx80' in nat.Int()
and would panic on the strconv.ParseUint(). We should (almost) never panic.
- In trying to remove the panic I decided to make it so that we, instead,
checked the string during the NewPort() constructor. This means that
I had to change all casts from 'string' to 'Port' to use NewPort() instead.
Which is a good thing anyway, people shouldn't assume they know the
internal format of types like that, in general.
- This meant I had to go and add error checks on all calls to NewPort().
To avoid changing the testcases too much I create newPortNoError() **JUST**
for the testcase uses where we know the port string is ok.
- After all of that I then went back and added a check during container.create()
to check the port string so we'll report the error as soon as we get the
data.
- If, somehow, the bad string does get into the metadata we will generate
an error during container.start() but I can't test for that because
the container.create() catches it now. But I did add a testcase for that.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Current default basesize is 10G. Change it to 100G. Reason being that for
some people 10G is turning out to be too small and we don't have capabilities
to grow it dyamically.
This is just overcommitting and no real space is allocated till container
actually writes data. And this is no different then fs based graphdrivers
where virtual size of a container root is unlimited.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
The check for the end of the loop was off by one which is why we saw
errors on the following inpsect() call instead of a timeout
Signed-off-by: Doug Davis <dug@us.ibm.com>
Replaced github.com/docker/libcontainer with
github.com/opencontainers/runc/libcontaier.
Also I moved AppArmor profile generation to docker.
Main idea of this update is to fix mounting cgroups inside containers.
After updating docker on CI we can even remove dind.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Check if there is a plugin socket first under `/run/docker/plugins/NAME.sock`.
If there is no socket for a plugin, check `/etc/docker/plugins/NAME.spec` and
`/usr/lib/docker/plugins/NAME.spec` for spec files.
Signed-off-by: David Calavera <david.calavera@gmail.com>
These will create the apt & yum repos for the deb/rpms generated by build-deb
and build-rpm.
Adds sign-repo script which signs the repo metadata with a gpg key.
Signed-off-by: Jessica Frazelle <princess@docker.com>
The pull request reviewing process and labeling strategy is described as
part of a dedicated file in `project/REVIEWING.md`: remove the existing
description from the `MAINTAINERS` file.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
If there's an error while unpacking the build context then we weren't erasing
the tmp dir created to persist the context.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Currently canonical name gets set to the local name and displayed in the errors.
Canonical name should be the unique and canonical name for an image.
Use docker.io as the canonical domain for images on the public registry.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
- Add fluentd logging driver to zsh completion #12876
- Add inspect --type flag to zsh completion #13187
- Respect -H option in zsh completion #13195
- Fix number of argument limit for pause and unpause in zsh completion
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
This PR adds recommendations in man pages to use only [a-z0-9-_.] when
naming and tagging images. The purpose of this is to add consistency
and to make image naming caps rules seem less arbitrary.
This PR addresses confusion with:
1. BaseImage:Tagged (not allowed)
2. baseimage:Tagged (allowed)
3. baseimage/tagged:V1 (allowed)
4. baseimage/Tagged:V1 (not allowed)
Signed-off-by: Sally O'Malley <somalley@redhat.com>
- Refactor opts.ValidatePath and add an opts.ValidateDevice
ValidePath will now accept : containerPath:mode, hostPath:containerPath:mode
and hostPath:containerPath.
ValidateDevice will have the same behavior as current.
- Refactor opts.ValidateEnv, opts.ParseEnvFile
Environment variables will now be validated with the following
definition :
> Environment variables set by the user must have a name consisting
> solely of alphabetics, numerics, and underscores - the first of
> which must not be numeric.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Memory swappiness option takes 0-100, and helps to tune swappiness
behavior per container.
For example, When a lower value of swappiness is chosen
the container will see minimum major faults. When no value is
specified for memory-swappiness in docker UI, it is inherited from
parent cgroup. (generally 60 unless it is changed).
Signed-off-by: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
For hybrid cloud, some ubuntu vm images doesn't have the directory
`/etc/apt/sources.list.d` which cause failure on creating
`/etc/apt/sources.list.d/docker.list`.
To fix this issue, create this directory first (if it doesn't exist).
Signed-off-by: Penghan Wang <ph.wang@daocloud.io>
The docker/distribution dependency was updated in the previous commit to allow
repository name components to only consist of a single letter. The unit tests
have been updated to cement this change.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Carry #11675
Aside from what #11675 says, to me a key usecase for this is to support
more than one Docker cli running at the same time but each may have its
own set of config files.
Signed-off-by: Doug Davis <dug@us.ibm.com>
`docker login` in 1.7 produces a config file in `~/docker/config.json`
instead of a `~/.dockercfg`.
Signed-off-by: Nate Brennand <nate.brennand@clever.com>
This is a follow-on to PR #14520.
PR #14520 is the quick fix to get the testing working again.
This PR makes sure that the list of execs associated with a container goes
from zero to one (as a new exec is run), then back to zero when the exec is
finished. However, we should be able to query the exec while the container
is still around, and even though the exec isn't listed in the container's
inspect data.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Libcontainer already supported mount container's own cgroup into
container, with this patch, we can see container's own cgroup info
in container.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
By adding this header AuthTransport will add Basic authentication to the request and allow 'docker search' results to include private images.
Signed-off-by: Matt Moore <mattmoor@google.com>
Now that we have ROADMAP.md in the root of the project, the outdated and
non-specific ROADMAP.md in project/ can be removed.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This takes the final removal for exec commands in two steps. The first
GC tick will mark the exec commands for removal and then the second tick
will remove the config from the daemon.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add a few links to the release output that the release captain can use to announce the release.
Signed-off-by: David Calavera <david.calavera@gmail.com>
It was missing some variants and 'maintainer' isn't actually supported.
Also sorted the list of allowed cmds in the code just to make it easier
to diff with the docs.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This adds an event loop for running a GC cleanup for exec command
references that are on the daemon. These cannot be cleaned up
immediately because processes may need to get the exit status of the
exec command but it should not grow out of bounds. The loop is set to a
default 5 minute interval to perform cleanup.
It should be safe to perform this cleanup because unless the clients are
remembering the exec id of the process they launched they can query for
the status and see that it has exited. If they don't save the exec id
they will have to do an inspect on the container for all exec instances
and anything that is not live inside that container will not be returned
in the container inspect.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This removes the exec config from the container after the command exits
so that dead exec commands are not displayed in the container inspect.
The commands are still kept on the daemon so that when you inspect the
exec command, not the container, you are still able to get it's exit
status.
This also changes the ProcessConfig to a pointer.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The ability to save and verify base device UUID (#13896) introduced a
situation where the initialization would panic when removing the device
returns EBUSY.
Functions `verifyBaseDeviceUUID` and `saveBaseDeviceUUID` now take the
lock on the `DeviceSet`, which solves the problem as `removeDevice`
assumes it owns the lock.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Often it happens that docker is not able to shutdown/remove the thin
pool it created because some device has leaked into some mount name
space. That means device is in use and that means pool can't be removed.
Docker will leave pool as it is and exit. Later when user starts the
docker, it finds pool is already there and docker uses it. But docker
does not know it is same pool which is using the loop devices. Now
docker thinks loop devices are not being used. That means it does not
display the data correctly in "docker info", giving user wrong information.
This patch tries to detect if loop devices as created by docker are
being used for pool and fills in the right details in "docker info".
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
With apologies (it wasn't clear from the contributing guidelines how this project feels about PRs for one or two word doc fixes).
Signed-off-by: Erik M. Bray <erik.m.bray@gmail.com>
Options for zfs storage driver were incorrectly placed
under 'exec driver options' header. Move the header to
the correct place.
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
The features Docker relies on are called "cgroups" and "namespaces",
so fix the language accordingly.
Also for cgroups, provide a link to Linux kernel documentation that
is more relevant (and deep) than the Wikipedia article.
Cc: Ankush Agarwal <ankushagarwal11@gmail.com>
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Vendoring libnetwork commit: 8fb0a8bc9e3166216ca3da2d0bb15332f6685745
- Fixes breakage in k/v store handling logic in experimental
- Adds back all the fixes that went in 1.7.1 to master
- Change VXLAN port in overlay driver to IANA assigned port
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Showing "$$ exit 13" caught my eye and wasn't correct.
While in there I also made it so the following paragraph didn't go past 80 chars
Signed-off-by: Doug Davis <dug@us.ibm.com>
Currently the layer array is initialized with the first layer then the first layer is appened to the layer list. Adding the first layer twice causes the layer to appear twice in the manifest, making a duplicate push and pull attempt occur.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
There is no reason to error out or not do what the user expects when -i
is specified on the cli. We should always attach to the stdin of the
container in this situation.
Closes#14390
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
It seems http://hub.docker.com is not accessible anymore, so switching
to https://hub.docker.com for testRequires(c, Network).
Adds a Timeout check on the TestRequirement to *panic* if there is a
timeout (fail fast).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Update the man page for 'docker commit' to make explicit the fact that
'commit' does not save data in volumes.
Addresses comments in #7583
Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
When using boot2docker through git bash, there is a nasty issue when trying to share a folder, due to how git bash parses the URIs. The issue is explained in [issue #12751](https://github.com/docker/docker/issues/12751) but needs more visibility in the docs.
Signed-off-by: Matthieu Larcher <github@ringabell.org>
One part of script relies on messages that are
output by some system tool. In non-en locale
those messages get localized which breaks the
script.
This patch enforces en locale for that system
tool.
Signed-off-by: Maxim Kulkin <maxim.kulkin@gmail.com>
Some devs might want to download the binary directly,
especially for systems where the install script does not
work.
Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
If a container is read-only, also set /proc, /sys,
& /dev to read-only. This should apply to both privileged and
unprivileged containers.
Note that when /dev is read-only, device files may still be
written to. This change will simply prevent the device paths
from being modified, or performing mknod of new devices within
the /dev path.
Tests are included for all cases. Also adds a test to ensure
that /dev/pts is always mounted read/write, even in the case of a
read-write rootfs. The kernel restricts writes here naturally and
bad things will happen if we mount it ro.
Signed-off-by: Eric Windisch <eric@windisch.us>
DeviceMapper must be explicitly selected because the Docker binary might not be linked to the right devmapper library.
With this change, Docker fails fast if the driver detection finds the devicemapper directory but the driver is not the default option.
The option `override_udev_sync_check` doesn't make sense anymore, since the user must be explicit to select devicemapper, so it's being removed.
Docker fails to use devicemapper only if Docker has been built statically unless the option was explicit.
Signed-off-by: David Calavera <david.calavera@gmail.com>
- Container networking statistics are no longer
retrievable from libcontainer after the introduction
of libnetwork. This change adds the missing code
for docker daemon to retireve the nw stats from
Endpoint.
Signed-off-by: Alessandro Boch <aboch@docker.com>
Add unit tests of the ParseEnvFile function. Test for:
* good file
* empty file
* non existent file
* badly formatted file
Signed-off-by: Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
Return an error value if bufio failed to properly read a token.
Avoids running a container with partial environment.
Fixes: #14266
Signed-off-by: Matthieu Hauglustaine <matt.hauglustaine@gmail.com>
libnetwork host, none and bridge driver initialization is incorrectly
disabled if the daemon flag --bridge=none. The expected behavior of
setting --bridge as none is to disable the bridge driver alone and let
all other modes to be operational.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
The link pointed to experimental.md, but that didn't exist. It looks like README.md was intended. Probably experimental.md was renamed.
Signed-off-by: Leen Besselink <github@consolejunkie.net>
By convention /pkg is safe to use from outside the docker tree, for example
if you're building a docker orchestrator.
/nat currently doesn't have any dependencies outside of /pkg, so it seems
reasonable to move it there.
This rename was performed with:
```
gomvpkg -vcs_mv_cmd="git mv {{.Src}} {{.Dst}}" \
-from github.com/docker/docker/nat \
-to github.com/docker/docker/pkg/nat
```
Signed-off-by: Peter Waller <p@pwaller.net>
The registry client's TLS configuration used the
default cipher list, including RC4. This change
copies the default cipher list from Golang 1.4 and
removes RC4 from that list. RC4 ciphers are considered
weak and vulnerable to a number of attacks.
Uses the tlsconfig package to define allowed ciphers.
Signed-off-by: Eric Windisch <eric@windisch.us>
cgroups and namespaces links are broken. They point to blog.dotcloud.com which is dead. Updating the links to point to informative pages.
Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
This adds a more meaningful error on the client side so the "bad
certificate" error coming from the TLS dial code has some context for
the user.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
During `(*Graph).Register, there was no protection on adding new layers
concurrently. In some cases, this resulted in corruption of a layer by creating
the directory but not the underlying data. This manifested in several different
IO errors reported in the client. This attempts to fix this by adding a mutex
by Image ID to protect the Register operation.
We do not completely understand the root cause of this corruption other than
the result is somehow tied to this particular function. This fix has been
confirmed to address the issue through testing.
Unfortunately, this fix does not address existing corruption. The user will
have to remove and re-pull the corrupt layer to stop the error from happening
in the future. This change only ensures that the layer will not become corrupt.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Export metadata for container and image in docker-inspect when overlay
graphdriver is in use. Right now it is done only for devicemapper graph
driver.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
- creating index which is overview of configuring logs
- linking to individual journald/fluent material
- leaving behind table and link to index in run
Signed-off-by: Mary Anthony <mary@docker.com>
When a container is started with `--net=host` with
a particular name and it is subsequently destroyed,
then all subsequent creations of the container with
the same name will fail. This is because in `--net=host`
the namespace is shared i.e the host namespace so
trying to destroy the host namespace by calling
`LeaveAll` will fail and the endpoint is left with
the dangling state. So the fix is, for this mode, do
not attempt to destroy the namespace but just cleanup
the endpoint state and return.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
The last "," should not shown up, otherwise you will get the error
back as below:
- invalid character '}' looking for beginning of object key string.
Signed-off-by: Hu Keping <hukeping@huawei.com>
With the 1.7 release, we introduced a change to how we store registry
credentials, but the build API endpoint did not expect a change in the format
of that file. This patch fixes this problem so that you can again pull private
images during `docker build`.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
The current documentation correctly states that dockerignore pattern
searches are non-recursive. However, the example given for Markdown
files seems to contradict this by saying that `*.md` will exclude *all*
Markdown files. This commit clarifies the situation by explicitly
specifying that `*.md` will only exclude files in the root directory of
the project.
Signed-off-by: Tim Wraight <tim.wraight@tangentlabs.co.uk>
With publish-service and default-network support, a container could be
connected to a user-defined network that is backed by any driver/plugin.
But if the user uses port mapping or expose commands, the expectation
for that container is to behave like existing bridge network.
Thanks to the Libnetwork's CNM model, containers can be connected
to the bridge network as a secondary network in addition to the
user-specified network.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Now that the default network mode is "default" and this mode is chosen
even if the mode is empty string, it is not correct to have builder
still pointing to "bridge" as default (though this is daemon default).
Signed-off-by: Madhu Venugopal <madhu@docker.com>
- brings in vxlan based native multihost networking
- added a daemon flag required by libkv for dist kv operations
- moved the daemon flags to experimental
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This commit makes use of the CNM model supported by LibNetwork and
provides an ability to let a container to publish a specified service.
Behind the scenes, if a service with the given name doesnt exist, it is
automatically created on appropriate network and attach the container.
Signed-off-by: Alessandro Boch <aboch@docker.com>
Signed-off-by: Madhu Venugopal <madhu@docker.com>
* `--compression=none` and `--no-compression` to disable compression.
* `--compression=auto` to use the default compression (enabled by default).
* `--compression=xz` to use xz compression (default compression).
* `--compression=gz` to use gzip compression.
Signed-off-by: Robin Schneider <ypid@riseup.net>
Today, endpoints implementing v2 cannot properly fallback to v1 because the underlying transport that deals with authentication (Basic / Token) doesn't get annotated.
This doesn't affect DockerHub because the DockerHub endpoint appears as 'https://index.docker.io/v1/' (in .dockercfg), and the 'v1' tricks this logic just long enough that the transport is always annotated for DockerHub accesses.
Signed-off-by: Matt Moore <mattmoor@google.com>
Just to make life easier on devs so they don't need to 'cd' into
the docs dir just to test their docs edits. This doesn't do anything
more than "cd docs && make docs" so that all of the smarts are still
in the docs's Makefile and not in docker's.
Signed-off-by: Doug Davis <dug@us.ibm.com>
The cleanup to sysinfo package introduced a regression.
If memory cgroup isn't supported and --memory is specified when
starting a container, we should return info instead of nil in
checkCgroupMem(), otherwise we'll access a nil pointer.
Signed-off-by: Zefan Li <lizefan@huawei.com>
These have both been updated to no longer include the empty "scratch" layer, and `hello-world` has a fix for http->https.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
By default, the cgroup setting in libcontainer's configs.Cgroup for
memory swappiness will default to 0, which is a valid choice for memory
swappiness, but that means by default every container's memory
swappiness will be set to zero instead of the default 60, which is
probably not what users are expecting.
When the swappiness UI PR comes into Docker, there will be docker run
controls to set this per container, but for now we want to make sure
*not* to change the default, as well as work around an older kernel
issue that refuses to allow it to be set when cgroup hiearchies are in
use.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This commit also brings in the ability to specify a default network and its
corresponding driver as daemon flags. This helps in existing clients to
make use of newer networking features provided by libnetwork.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
when trying to use docker without sudo and the DOCKER_HOST env var is set docker tries to connect to the specified host instead of using the unix socket.
Signed-off-by: Campbell Allen <campbell.allen@gmail.com>
Signed-off-by: Mary Anthony <mary@docker.com>
Upding sed, adding script to avoid redirects, remove mkdos
Signed-off-by: Mary Anthony <mary@docker.com>
Ignoring graphics with sed
Signed-off-by: Mary Anthony <mary@docker.com>
Fixing kitematic image
Signed-off-by: Mary Anthony <mary@docker.com>
Removing draft
Signed-off-by: Mary Anthony <mary@docker.com>
Fixing link
Signed-off-by: Mary Anthony <mary@docker.com>
removing from the menu
Signed-off-by: Mary Anthony <mary@docker.com>
Updatiing order of project material
Signed-off-by: Mary Anthony <mary@docker.com>
Removing from Regsitry v2 content per Olivier
Signed-off-by: Mary Anthony <mary@docker.com>
tweaking the touchup
Signed-off-by: Mary Anthony <mary@docker.com>
Removing include; only used four places; hugo global var replace
Signed-off-by: Mary Anthony <mary@docker.com>
Entering fixes from page-by-page
Signed-off-by: Mary Anthony <mary@docker.com>
I ran a single integration test and got an error that the file
/sys/module/apparmor/parameters/enabled doesn't exist. I don't have
apparmor installed. So, just check the file first to avoid a confusing
error.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
It is easy for one to use docker for a while, shut it down and restart
docker with different set of storage options for device mapper driver
which will effectively change the thin pool. That means any of the
metadata stored in /var/lib/docker/devicemapper/metadata/ is not valid
for the new pool and user will run into various kind of issues like
container not found in the pool etc.
Users think that their images or containers are lost but it might just
be the case of configuration issue. People might use wrong metadata
with wrong pool.
To detect such situations, save UUID of base image and once docker
starts later, query and compare the UUID of base image with the
stored one. If they don't match, fail the initialization with the
error that UUID failed to match.
That way user will be forced to cleanup /var/lib/docker/ directory
and start docker again.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
An inspection of the graph package showed this function to be way out of place.
It is only depended upon by the daemon code. The function prepares a top-level
readonly layer used to provide a consistent runtime environment for docker
images.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Working docs
Update after check
update to centos 7 after second test
Updating with hopefully correct urls
Adding thaJetzah's comments
Updating with the new images
Updating after a visual check
Signed-off-by: Mary Anthony <mary@docker.com>
Updating with comments
Signed-off-by: Mary Anthony <mary@docker.com>
DOCEKR_TLS_VERIFY was being ignored because we were just checking if the
`-tlsverify` flag was set, not the actual value, which is defaulted to
the value of `os.Getenv("DOCKER_TLS_VERIFY") != ""`
The problem that this specifically fixes is where the client has set the
`DOCKER_TLS_VERIFY` env var but is connecting to a daemon that is not
verifed.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
If no Mtu value is provided to the docker daemon, get the mtu from the
default route's interface. If there is no default route, default to a
mtu of 1500.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Tweaking for Hugo
Updating the Dockerfile with new sed; fix broken link on Kitematic
Fixing image pull for Dockerfile
Removing docs targets
Signed-off-by: Mary Anthony <mary@docker.com>
while wokring on another PR, I noticed that hack/vendor.sh was picking
up unrelated files. Maybe a previous update to the hack/vendor.sh failed
to run the script and push the vendor changes ?
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Currently digests are not stored on pull, causing a simple re-tag or re-push to send up all layers. Storing the digests on pull will allow subsequent pushes to the same repository to not push up content.
This does not address pushing content to a new repository. When content is pushed to a new repository, the digest will be recalculated. Since only one digest is currently stored, it may cause a new content push to the original repository.
Fixes#13883
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Export image/container metadata stored in graph driver. Right now 3 fields
DeviceId, DeviceSize and DeviceName are being exported from devicemapper.
Other graph drivers can export fields as they see fit.
This data can be used to mount the thin device outside of docker and tools
can look into image/container and do some kind of inspection.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This PR brings the vendored libnetwork code to
3be488927db8d719568917203deddd630a194564, which pulls in quite a few
fixes to support kvstore, windows daemon compilation fixes,
multi-network support for Bridge driver, etc...
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This helps ensure that `github.com/docker/docker/pkg/...` is actually safe to use in isolation (ie, doesn't import anything from `github.com/docker/docker` except other things from `pkg` or vendored dependencies).
Adding `github.com/docker/docker/utils` to the imports of `pkg/version/version.go`:
```
---> Making bundle: validate-pkg (in bundles/1.7.0-dev/validate-pkg)
These files import internal code: (either directly or indirectly)
- pkg/version/version.go imports github.com/docker/docker/autogen/dockerversion
- pkg/version/version.go imports github.com/docker/docker/utils
```
And then removing it again:
```
---> Making bundle: validate-pkg (in bundles/1.7.0-dev/validate-pkg)
Congratulations! "./pkg/..." is safely isolated from internal code.
```
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Eliminate any chance of race condition by replacing a call to sleep by a
call to top, and rely on test cleanup logic to have it exit cleanly.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
When cmd failed, log its ouput as string instead of byte array to prevent test
log like: [49 53 ....] exit status 1
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
Per @ewindisch, removing the CBC ciphers from the client preferred TLS
cipher suites. This will allow a future version of the server to also
remove the CBC ciphers from the accepted list.
This changes the server default to client + additional CBC cipher list,
and client default to the non-CBC ciphers.
Also, cipher order preference is modified so that best and highest-bit count
ciphers are most preferred.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
The main Dockerfile to was updated - this update brings the
sub-directory specific file inline with it.
Fixes#12866
Signed-off-by: Brian Exelbierd <bex@pobox.com>
Adding in other areas per comments
Updating with comments; equalizing generating man page info
Updating with duglin's comments
Doug is right here again;fixing.
Signed-off-by: Mary Anthony <mary@docker.com>
This is breaking various setups where the host's rootfs is mount shared
correctly and breaks live migration with bind mounts.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The "TestChangesWithChanges" case randomlly fails on my development
VM with the following errors:
```
--- FAIL: TestChangesWithChanges (0.00s)
changes_test.go:201: no change for expected change C /dir1/subfolder != A /dir1/subfolder/newFile
```
If I apply the following patch to changes_test.go, the test passes.
```diff
diff --git a/pkg/archive/changes_test.go b/pkg/archive/changes_test.go
index 290b2dd..ba1aca0 100644
--- a/pkg/archive/changes_test.go
+++ b/pkg/archive/changes_test.go
@@ -156,6 +156,7 @@ func TestChangesWithChanges(t *testing.T) {
}
defer os.RemoveAll(layer)
createSampleDir(t, layer)
+ time.Sleep(5 * time.Millisecond)
os.MkdirAll(path.Join(layer, "dir1/subfolder"), 0740)
// Let's modify modtime for dir1 to be sure it's the same for the two layer (to not having false positive)
```
It seems that if a file is created immediately after the directory is created,
the `archive.Changes` function could't recognize that the parent directory of
the new file is modified.
Perhaps the problem may reproduce on machines with low time precision?
I had successfully reproduced the failure on my development VM as well as
a VM on DigitalOcean.
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
no longer load hide critical code such as in .integration-daemon-{start,stop},
if this step failed, it will had logged the corresponding module before:
---> Making bundle: .integration-daemon-start (in bundles/1.7.0-dev/daemon-start)
which is nicer to debug.
This will make it also easier to execute a single tests in an interactive shell.
$ make shell
docker> . hack/make.sh binary .integration-daemon-start .integration-daemon-setup
docker> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
docker> go test github.com/docker/docker/integration-cli
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
This patch ensures no auth headers are set for v1 registries if there
was a 302 redirect.
This also ensures v2 does not use authTransport.
Signed-off-by: Tibor Vass <tibor@docker.com>
Minor tweak to the quoted/json form and made man page look like the Dockerfile
docs. W/o the `,` people may think there should be a space delimited list.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Build cache uses pgk/tarsum to get a digest of content which is
ADD'd or COPY'd during a build. The builder has always used v0 of
the tarsum algorithm which includes mtimes however since the whole
file is hashed anyway, the mtime doesn't really provide any extra
information about whether the file has changed and many version
control tools like Git strip mtime from files when they are cloned.
This patch updates the build subsystem to use v1 of Tarsum which
explicitly ignores mtime when calculating a digest. Now ADD and
COPY will result in a cache hit if only the mtime and not the file
contents have changed.
NOTE: Tarsum is NOT a meant to be a cryptographically secure hash
function. It is a best-effort approach to determining if two sets of
filesystem content are different.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Show how to use `systemctl show` and recommend against modifying
system unit files in `/usr` and `/lib`.
Fixes#13796.
Signed-off-by: Eric-Olivier Lamey <eo@lamey.me>
When the daemon is going down trigger immediate
garbage collection of libnetwork resources deleted
like namespace path since there will be no way to
remove them when the daemon restarts.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Update get and set functions to use digests.
Update push code to use the digest type instead of string
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Move graph related functions in image to graph package.
Consolidating graph functionality is the first step in refactoring graph into an image store model.
Subsequent refactors will involve breaking up graph into multiple types with a strongly defined interface.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The scratch image used to be a regular image, but as of
commit 8936789919 it is a
special case, and cannot be used with 'docker pull.'
Update this doc to reflect the new behavior and clear up
confusion surrounding this image.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Labels are metadata that apply to a particular resource: image,
container, maybe volumes and networks in the future. We shouldn't have
containers inherit from its image labels: they are not the same obejcts,
and labels cannot be interpreted in the way.
It remains possible to apply metadata to an image using the LABEL
Dockerfile instruction, to query them using `docker inspect <img>`, or
to filter images on them using `docker images --filter <key>=<value>`.
Fixes#13770.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
This patch creates a new `tlsconfig` package to handle creation of
secure-enough TLS configurations for clients and servers.
The package was created by refactoring TLS code in the client and the
daemon. After this patch, it is expected that all code creating TLS
configurations use this `tlsconfig` package for greater security,
consistency and readability.
On the server side, this fixes a bug where --tlsverify was not taken
into account. Now, if specified, it will require the client to
authenticate.
Signed-off-by: Tibor Vass <tibor@docker.com>
Previous versions of libcontainer allowed CpuShares that were greater
than the maximum or less than the minimum supported by the kernel, and
relied on the kernel to do the right thing. Newer libcontainer fails
after creating the container if the requested CpuShares is different
from what was actually created by the kernel, which breaks compatibility
with earlier Docker Remote API versions. This change explicitly adjusts
the requested CpuShares in API versions < 1.20.
Signed-off-by: Samuel Karp <skarp@amazon.com>
Remove reference to experimental releases as it is really a nightly
channel rather than a scheduled release.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
container.config.NetworkDisabled is set for both daemon's
DisableNetwork and --networking=false case. Hence using
this flag instead to fix#13725.
There is an existing integration-test to catch this issue,
but it is working for the wrong reasons.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
I added 301 redirects from dockerproject.com to dockerproject.org but may as
well make sure everything is updated anyways.
Signed-off-by: Jessica Frazelle <princess@docker.com>
This removes complexity of current implementation and makes the test
correct and assert the right things.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Fixes#13107. This change enables Go duration strings
computed relative to the client machine’s time to be used
as input parameters to `docker events --since/--until`
and `docker logs --since` arguments.
Added unit tests for pkg/timeutils.GetTimestamp as well.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
And removing unused code.
- tarsum.go :
NewTarSumHash could be non exported (for now)
NewTarSumForLabel is never used, except for the tests
- fileinfosums.go:
SortByPos is never used, except for the tests
- versionning.go:
GetVersions is never used, expect for the tests
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Refactoring in Docker 1.7 changed the behavior to add this header where as Docker <= 1.6 wouldn't emit this Header on a HTTP 302 redirect.
This closes#13649
Signed-off-by: Jeffrey van Gogh <jvg@google.com>
It should not print to STDOUT so that it only prints the debugTransport
output if there was an error in one of the registry tests.
Signed-off-by: Tibor Vass <tibor@docker.com>
Fix - Download button does not download
Users got confused when Kitematic is not being downloaded after clicking on the download button, and instead got brought to a screen to teach them how to download Kitematic.
The additional step caused a significant drop in Kitematic downloads. This pull request fixes the issue, to allow users to directly download Kitematic after clicking on the Download button.
Signed-off-by: Michael Chiang <michael.chiang@docker.com>
Move some calls to container.LogEvent down lower so that there's
less of a chance of them being missed. Also add a few more events
that appear to have been missed.
Added testcases for new events: commit, copy, resize, attach, rename, top
Signed-off-by: Doug Davis <dug@us.ibm.com>
Using "DEST" for our build artifacts inside individual bundlescripts was already well-established convention, but this officializes it by having `make.sh` itself set the variable and create the directory, also handling CYGWIN oddities in a single central place (instead of letting them spread outward from `hack/make/binary` like was definitely on their roadmap, whether they knew it or not; sneaky oddities).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Noticed that there were a few newlines in the middle of a \`...\` blocks that
made the text look funny when displayed in HTML.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Change CLI error msg because it was too specific and didn't make sense
when there were errors not related to inaccessible files.
Removed some log.Error() calls since they're not really errors we should
log. Returning the error will be enough.
Closes: #13417
Signed-off-by: Doug Davis <dug@us.ibm.com>
It is already possible to set labels at commit when using the API. But
it is not present in the API documentation. Added an integration test
too, to validate this work (and will be in the future).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Merge user specified devices correctly with default devices.
Otherwise the user specified devices end up without permissions.
Signed-off-by: David R. Jenni <david.r.jenni@gmail.com>
To ensure manifest integrity when pulling by digest, this changeset ensures
that not only the remote digest provided by the registry is verified but also
that the digest provided on the command line is checked, as well. If this check
fails, the pull is cancelled as with an error. Inspection also should that
while layers were being verified against their digests, the error was being
treated as tech preview image signing verification error. This, in fact, is not
a tech preview and opens up the docker daemon to man in the middle attacks that
can be avoided with the v2 registry protocol.
As a matter of cleanliness, the digest package from the distribution project
has been updated to latest version. There were some recent improvements in the
digest package.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This highlights `RUN`, `CMD`, and `ENTRYPOINT` lines using shell highlighting. It doesn't bother detecting the JSON forms, but that's OK because JSON arrays highlight pretty reasonably with shell highlights. :)
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Ubuntu Precise has a number of warts that made it non-trivial to add initially, but I've managed to work through some of them and come up with a working build. Two important parts to note are that it has neither the `btrfs` nor the `devicemapper` graphdriver backends since `btrfs-tools` and `libdevmapper-dev` in the precise repositories are too ancient for them to even compile.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
When using a scanner, log lines over 64K will crash the Copier with
bufio.ErrTooLong. Subsequently, the ioutils.bufReader will grow without
bound as the logs are no longer being flushed to disk.
Signed-off-by: Burke Libbey <burke.libbey@shopify.com>
This ensures that AppArmor, not other mechanisms used
by Docker or the kernel is restricting the mount.
Signed-off-by: Eric Windisch <eric@windisch.us>
This will now properly check whether /etc/init.d/docker or service docker is
invoking the script and respond to the user accordingly.
Signed-off-by: Steven Richards <steven@axiomzen.co>
daemon.Diff already implements mounting for naivegraphdriver and
aufs which does diffing on its owns does not need the container to be mounted.
So new filesystem driver should mount filesystems on their own if it is needed
to implement Diff(). This issue was reported by @kvasdopil while working on a
freebsd port, because freebsd does not allow mount an already mounted
filesystem. Also it saves some cycles for other operating systems as well.
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
I ran into a situation where I was trying:
`docker rmi busybox`
and it kept failing saying:
`could not find image: Prefix can't be empty`
While I have no idea how I got into this situation, it turns out this is
error message is from `daemon.canDeleteImage()`. In that func we loop over
all containers checking to see if they're using the image we're trying to
delete. In my case though, I had a container with no ImageID. So the code
would die tryig to find that image (hence the "Prefix can't be empty" err).
This would stop all processing despite the fact that the container we're
checking had nothing to do with 'busybox'.
My change logs the bad situation in the logs and then skips that container.
There's no reason to fail all `docker rmi ...` calls just because of one
bad container.
Will continue to try to figure out how I got a container w/o an ImageID
but as of now I have no idea, I didn't do anything but normal docker cli
commands.
Signed-off-by: Doug Davis <dug@us.ibm.com>
- 79 char line length (non-command).
- Consistent single space between sentences.
- Replace start of line tabs with spaces.
- Remove trailing white space.
- Consistent "**Note:**" style.
https://docs.docker.com/project/doc-style/#notes
- Replace the ``` sections with indented code.
Signed-off-by: Lloyd Dewolf <foolswisdom@gmail.com>
Fixes a regression from the volumes refactor where the vfs graphdriver
was setting labels for volumes to `s0` so that they can both be written
to by the container and shared with other containers.
When moving away from vfs this was never re-introduced.
Since this needs to happen regardless of volume driver, this is
implemented outside of the driver.
Fixes issue where `z` and `Z` labels are not set for bind-mounts.
Don't lock while creating volumes
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This patch is extending the qualifiers on the -v command to allow
an admin to tell the system to relabel, content. There might be a
need for something similar for changing the DAC Permissions.
Signed-off-by: Jessica Frazelle <princess@docker.com>
UnmountVolumes used to also unmount 'specialMounts' but it no longer does after
a recent refactor of volumes. This patch corrects this behavior to include
unmounting of `networkMounts` which replaces `specialMounts` (now dead code).
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
The v2 registry will act as a pull-through cache, and needs to be
handled differently by the client to the v1 registry mirror.
See docker/distribution#459 for details
Configuration
Only one v2 registry can be configured as a mirror. Acceptable configurations
in this chanage are: 0...n v1 mirrors or 1 v2 mirror. A mixture of v1 and v2
mirrors is considered an error.
Pull
If a v2 mirror is configured, all pulls are redirected to that mirror. The
mirror will serve the content locally or attempt a pull from the upstream mirror,
cache it locally, and then serve to the client.
Push
If an image is tagged to a mirror, it will be pushed to the mirror and be
stored locally there. Otherwise, images are pushed to the hub. This is
unchanged behavior.
Signed-off-by: Richard Scothern <richard.scothern@gmail.com>
Having the line break in the middle of a code span caused the line break to appear on the web site version, even though it doesn't appear in the preview.
The other two changes are just small grammar improvements.
Signed-off-by: don <donkirkby@gmail.com>
I'm fairly consistently seeing an error in
DockerSuite.TestContainerApiRestartNotimeoutParam:
docker_api_containers_test.go:969:
c.Assert(status, check.Equals, http.StatusNoContent)
... obtained int = 500
... expected int = 204
And in the daemon logs I see:
INFO[0003] Container 8cf77c20275586b36c5095613159cf73babf92ba42ed4a2954bd55dca6b08971 failed to exit within 0 seconds of SIGTERM - using the force
ERRO[0003] Handler for POST /containers/{name:.*}/restart returned error: Cannot restart container 8cf77c20275586b36c5095613159cf73babf92ba42ed4a2954bd55dca6b08971: [2] Container does not exist: container destroyed
ERRO[0003] HTTP Error err=Cannot restart container 8cf77c20275586b36c5095613159cf73babf92ba42ed4a2954bd55dca6b08971: [2] Container does not exist: container destroyed
statusCode=500
Note the "container destroyed" error message. This is being generatd by
the libcontainer code and bubbled up in container.Kill() as a result of the
call to `container.killPossiblyDeadProcess(9)` on line 439.
See the comment in the code, but what I think is going on is that because we
don't have any timeout on the Stop() call we immediate try to force things to
stop. And by the time we get into libcontainer code the process just finished
stopping due to the initial signal, so this secondary sig-9 fails due to the
container no longer running (ie. its 'destroyed').
Since we can't look for "container destroyed" to just ignore the error, because
some other driver might have different text, I opted to just ignore the error
and keep going - with the assumption that if it couldnt send a sig-9 to the
process then it MUST be because its already dead and not something else.
To reproduce this I just run:
curl -v -X POST http://127.0.0.1:2375/v1.19/containers/8cf77c20275586b36c5095613159cf73babf92ba42ed4a2954bd55dca6b08971/restart
a few times and then it fails with the HTTP 500.
Would like to hear some other ideas on to handle this since I'm not
thrilled with the proposed solution.
Signed-off-by: Doug Davis <dug@us.ibm.com>
* Don't AllocateNetwork when network is disabled
* Don't createNetwork in execdriver when network is disabled
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Continues 11858 by:
- Making sure the exit code is always zero when we ask for help
- Making sure the exit code isn't zero when we print help on error cases
- Making sure both short and long usage go to the same stream (stdout vs stderr)
- Making sure all docker commands support --help
- Test that all cmds send --help to stdout, exit code 0, show full usage, no blank lines at end
- Test that all cmds (that support it) show short usage on bad arg to stderr, no blank line at end
- Test that all cmds complain about a bad option, no blank line at end
- Test that docker (w/o subcmd) does the same stuff mentioned above properly
Signed-off-by: Doug Davis <dug@us.ibm.com>
We should let user create container even if the container he wants
join is not running, that check should be done at start time.
In this case, the running check is done by getIpcContainer() when
we start container.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
We already vendor distribution under ./vendor, but
because the GOPATH is /go:/go/src/github.com/.../vendor
Go will always compile the source code at /go not in ./vendor.
Apart from the fact that it is very inconvenient during
development, it was also a time-bomb: someone vendors a fix
from upstream distribution, but forgets to update
REGISTRY_COMMIT in the Dockerfile, and the binary doesn't get
the fix.
Signed-off-by: Tibor Vass <tibor@docker.com>
Sometimes container.cleanup() can be called from multiple paths
for the same container during error conditions from monitor and
regular startup path. So if the container network has been already
released do not try to release it again.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Signed-off-by: Mary Anthony <mary@docker.com>
Adding experimental features into the mix
Signed-off-by: Mary Anthony <mary@docker.com>
renaming file
Signed-off-by: Mary Anthony <mary@docker.com>
Because I just used it somewhere else and it would be nice if I didn't have to copy and paste the code.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The DOCKER_EXPERIMENTAL environment variable drives the activation of
the 'experimental' build tag.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Give Docker more time to kill containers before upstart kills Docker.
The default kill timeout is 5 seconds.
This will help decrease the chance of but not eliminate the chance of
orphaned container processes.
Signed-off-by: David Xia <dxia@spotify.com>
If a container was started with a non-root user the container
may not be able to resolve DNS names because of too restrictive
permission in the /etc/resolv.conf container file. This problem
is in how this file gets created in libnetwork and ths PR
attempts to fix the issue by vendoring in the libnetwork code
with the fix.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
As part of this some generic packages like iptables, etchosts and resolvconf
have also been moved to libnetwork. Even though they can still be
consumed in a generic fashion they will reside and be maintained
from within the libnetwork project.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
- Updated Dockerfile to satisfy libnetwork GOPATH requirements.
- Reworked daemon to allocate network resources using libnetwork.
- Reworked remove link code to also update network resources in libnetwork.
- Adjusted the exec driver command population to reflect libnetwork design.
- Adjusted the exec driver create command steps.
- Updated a few test cases to reflect the change in design.
- Removed the dns setup code from docker as resolv.conf is entirely managed
in libnetwork.
- Integrated with lxc exec driver.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
This stops us from erroneously adding "squeeze-lts" to "oldstable" which is now "wheezy", not "squeeze" (but "oldoldstable" _is_ squeeze, hence the new check on `/etc/debian_version` being `6.*` instead, and done as a `case` for the eventual addition of `wheezy-lts`, etc).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This patch removes the need for requestFactories and decorators
by implementing http.RoundTripper transports instead.
It refactors some challenging-to-read code.
NewSession now takes an *http.Client that can already have a
custom Transport, it will add its own auth transport by wrapping
it.
The idea is that callers of http.Client should not bother
setting custom headers for every handler but instead it should
be transparent to the callers of a same context.
This patch is needed for future refactorings of registry,
namely refactoring of the v1 client code.
Signed-off-by: Tibor Vass <tibor@docker.com>
Not 100% sure why our Windows test don't complain about some of these,
I'm guessing it because we have bash as part of some git package, but
either way we really shouldn't require bash to run our tests unless we
really need to - which in these cases we don't
Signed-off-by: Doug Davis <dug@us.ibm.com>
The intention of the user is to download a verified image if explicitly
pulling with a digest and falling back to v1 registry circumvents that
protection.
Signed-off-by: Nuutti Kotivuori <naked@iki.fi>
In cases where this is failing it's ok to have the test take extra time,
but we don't want it to fail because of some race/performance
differences between systems.
So make the timeout go to 30s and double the sleep time in between
checks so it's not pounding the daemon quite so fast.
Originally I couldn't make this test fail (pre-change), but changed
graphdrivers and saw a failure pretty quickly.
This change seems to smooth that out.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently check-config.sh just said enable or missing, when I used
a fresh kernel, made check-config.sh happy, still can't start
container. It take me days debuging kernel and Docker and finally
found it's because I enabled some CONFIGs as modules and never
loaded these modules.
So I think it's necessary to let check-config.sh told users which
configs are enabled as modules.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
when the daemon can't download the image from a `docker import` the
error message was lost due to 'err' being redefined with a block by
mistake. This removes the ":" from "... err := " which fixes it.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Fix for #13175.
This change allows user-input timestamps (e.g. to `docker events
--since/--until` or `docker logs --since` to be parsed using
standard RFC3339Nano layout in Go instead of the layout that parses
all timestamps into fixed-length strings (currently buggy).
User inputs need not to be complying to the internal format
(`RFC3339NanoFixed`) anyway.
Added test case for `events --since/--until` with all possible
timestamp input formats.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Prior to this patch, the response of
- GET /images/json
- GET /containers/json
- GET /images/(name)/history
display the Created Time as UNIX format which doesn't make sense.
These should be more readable as CLI command `docker inspect` shows.
Due to the case that an older client with a newer version daemon, we
need the version check for now.
Signed-off-by: Hu Keping <hukeping@huawei.com>
TestLogsSince used to rely on time synchronization and precision of
the timestamps. This change provides a less flaky alternative.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
- noplog driver pkg for '--log-driver=none' (null object pattern)
- centralized factory for log drivers (instead of case/switch)
- logging drivers registers themselves to factory upon import
(easy plug/unplug of drivers in daemon/logdrivers.go)
- daemon now doesn't start with an invalid log driver
- Name() method of loggers is actually now their cli names (made it useful)
- generalized Read() logic, made it unsupported except json-file (preserves
existing behavior)
Spotted some duplication code around processing of legacy json-file
format, didn't touch that and refactored in both places.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Previously the cache was only updated once on startup, because the graph
code only check for filesystems on startup. However this breaks the API as it
was supposed and so unit tests.
Fixes#13142
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Add handler for SIGUSR1 based on feedback regarding when to dump
goroutine stacks. This will also dump goroutine stack traces on SIGQUIT
followed by a hard-exit from the daemon.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Added --since argument to `docker logs` command. Accept unix
timestamps and shows logs only created after the specified date.
Default value is 0 and passing default value or not specifying
the value in the request causes parameter to be ignored (behavior
prior to this change).
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Previous fix used %q which incorrectly go-escaped things. For example:
```
RUN echoo A \& B C
```
would result in the user seeing:
```
INFO[0000] The command '/bin/sh -c echoo A \\& B\tC' returned a non-zero code: 127
```
Note the double-\ and the \t instead of a tab character
The testcase had to double escape things due to logrus getting in the way
but I'm going to fix that in another PR because its a change to the UX.
Signed-off-by: Doug Davis <dug@us.ibm.com>
If firewalld is not installed (or I suppose not running), firewalld was
producing an error in the daemon init logs, even though firewalld is not
required for iptables stuff to function.
The firewalld library code was also logging directly to logrus instead
of returning errors.
Moved logging code higher up in the stack and changed firewalld code to
return errors where appropriate.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
I believe this was failing because 'nc' wouldn't show the data
it received sometimes. So intead of looking for that data we now
look for the output of the echo that comes after the nc command
successfully runs
Signed-off-by: Doug Davis <dug@us.ibm.com>
Generation based on CAP_LAST_CAP, I hardcoded
capability.CAP_BLOCK_SUSPEND as last for systems which has no
/proc/sys/kernel/cap_last_cap
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
The docker graph call driver.Exists() on initialisation for each filesystem in
the graph. This results will results in a lot `zfs get all` commands. To reduce
this, retrieve all descend filesystem at startup and cache it for later checks
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
instead of let zfs automaticly mount datasets, mount them on demand using mount(2).
This speed up this graph driver in 2 ways:
- less zfs processes needed to start a container
- /proc/mounts get smaller, so zfs userspace tools has less to read (which can
a significant amount of data as the number of layer grows)
This ways it can be also ensured that the correct mountpoint is always used.
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Previously, we've taken advantage of the fact that libcontainer's `update-vendor.sh` is the same syntax as Docker's `vendor.sh` with some shell magic. This changes that to copy libcontainer's dependencies into this file explicitly so that we can scale to more projects with varying methods of vendoring (assuming they don't use import re-writing, which screws up everyone).
We'll need to stay diligent in making sure this list matches what's in libcontainer's `update-vendor.sh` (minus the not-required codegangsta/cli dep), but that's a fair trade-off for being able to scale our dependency model better (and track new discrete dependencies more directly).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Before this PR the list of commands that were printed for the help
text was statically put into the flags.Usage() function via main.init(). This
made it impossible to modify later on when we add new commands
via plugins.
This PR moves the list of commands (name & description) into a structure
that is sorted and printed dynamically by the Usage func. This will allow
the code to add to the list of commands after the init() func is done
but before the help text is printed for the user.
This just moves code around - it should have no UX impact at all.
Signed-off-by: Doug Davis <dug@us.ibm.com>
* daemon creation wasn't parallel to request buffering
* it was possible that empty volume will be created in
/var/run/docker.sock by some container
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add tests for mounting into /proc and /sys
These two locations should be prohibited from mounting volumes into
those destinations.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Also, `curl` is smart enough to see when the consumer of the pipe is going slow that it should slow down the transfer, so this gives a reasonable indication of extraction progress too.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This makes the "Buffering to disk" part of `docker push` 70% faster in
my use-case (having already applied #12833).
fsync'ing here serves no valuable purpose: if the drive's operation is
interrupted, so it the program's, and this archive has no value other
than the immediate and transient one.
Signed-off-by: Burke Libbey <burke.libbey@shopify.com>
The lxc code here is doing the exact same thing on calling
execdriver.Terminate, so let's just use that.
Also removes some dead comments originally introduced
50144aeb42 but no longer relevant since we
have restart policies.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fixes the part of #12996 that I forgot. 👼
This also fixes a minor path issue (there's no `libexec` in Debian), and fixes a minor bug with the `debVersion` parsing.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
To account for "/" not working in filenames, we replace it with "_" for our temporary files (that exist only to emulate Bash 4's associative arrays in Bash 3).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
`lxc-stop` does not support sending arbitrary signals.
By default, `lxc-stop -n <id>` would send `SIGPWR`.
The lxc driver was always sending `lxc-stop -n <id> -k`, which always
sends `SIGKILL`. In this case `lxc-start` returns an exit code of `0`,
regardless of what the container actually exited with.
Because of this we must send signals directly to the process when we
can.
Also need to set quiet mode on `lxc-start` otherwise it reports an error
on `stderr` when the container exits cleanly (ie, we didn't SIGKILL it),
this error is picked up in the container logs... and isn't really an
error.
Also cleaned up some potential races for waitblocked test.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When RUN returns with a non-zero return code it prints the command
that was executed as a Go []string:
```
INFO[0000] The command &{[/bin/sh -c noop a1 a2]} returned a non-zero code: 127
```
instead it should look like this:
```
INFO[0000] The command "/bin/sh -c noop a1 a2" returned a non-zero code: 127
```
Signed-off-by: Doug Davis <dug@us.ibm.com>
This fixes an issue where the build output for the "Steps" would look like:
```
Step 1: RUN echo hi echo hi
```
instead of
```
Step 1: RUN echo hi
```
Also, I noticed that there were no checks to make sure invalid Dockerfile
cmd flags were caught on cmds that didn't use cmd flags at all. They would
have been caught on the cmds that had flags, but cmds that didn't bother
to add a new code for flags would have just ignored them. So, I added
checks to each cmd to flag it.
Added testcases for issues.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This change adds a new docker-in-docker dynamic binary make target which
builds a centos container for creating the dynamically linked binary.
To use it, you first must create the static binary and then call the
dind-dynbinary target. You can call it like:
$ hack/make.sh binary dind-dynbinary rpm
This would then package the dynamic binary into the rpm after having
created it in the centos build container. Unfortunately with this approach
you can't create the rpms and the debs with the same command. They have to
be created separately otherwise the wrong version (static vs. dynamic) gets
packaged.
Various RPM fixes including:
- Adding missing RPM dependencies.
- Add sysconfig configuration files to the RPM.
- Add an epoch to silence the fpm warning.
- Remove unnecessary empty package.
Signed-off-by: Patrick Devine <patrick.devine@docker.com>
Signed-off-by: Chad Metcalf <chad@docker.com>
The `--userland-proxy` daemon flag makes it possible to rely on hairpin
NAT and additional iptables routes instead of userland proxy for port
publishing and inter-container communication.
Usage of the userland proxy remains the default as hairpin NAT is
unsupported by older kernels.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
To help avoid version mismatches between libcontainer and Docker, this updates libcontainer to be the source of truth for which version of logrus the project is using. This should help avoid potential incompatibilities in the future, too. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Adds a `stream` query param to the stats API which allows API users to
only collect one stats entry and disconnect instead of keeping the
connection alive to stream more stats.
Also adds a `--no-stream` flag to `docker stats` which does the same
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
Remove empty line after client.CmdInspect docstring
fix#12706
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
Remove empty line after client.CmdInspect docstring
fix#12706
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
See https://github.com/docker-library/docker/issues/2 for some of the context around this; essentially, we're looking to create an official `docker` image that includes the Docker CLI (and the dependencies necessary for easy Docker-in-Docker), but it makes sense to use the `docker` namespace for that image. The `docker-dev` official image is already builds of Docker's own `Dockerfile` (but specifically of releases), so this seemed like a good fit. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Turns out that `-f` on a file that's in `.dockerignore` actually does work. No idea why it wasn't when I was doing this before, but oh well! 🤘
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
With this, `docker pull deb<tab>` will show all `debian:*` tags, as before, but `docker pull -a deb<tab>` will complete directly to just `debian`. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Right now devicemapper mounts thin device using online discards by default
and passes mount option "discard". Generally people discourage usage of
online discards as they can be a drain on performance. Instead it is
recommended to use fstrim once in a while to reclaim the space.
In case of containers, we recommend to keep data volumes separate. So
there might not be lot of rm, unlink operations going on and there might
not be lot of space being freed by containers. So it might not matter
much if we don't reclaim that free space in pool.
User can still pass mount option explicitly using dm.mountopt=discard to
enable discards if they would like to.
So this is more like setting the containers by default for better performance
instead of better space efficiency in pool. And user can change the behavior
if they don't like default behavior.
Reported-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Minor thing but docker cp --help was:
Copy files/folders from a PATH on the container to a HOSTDIR on the host
running the command. Use '-' to write the data
as a tar file to STDOUT.
This changes it to:
Copy files/folders from a PATH on the container to a HOSTDIR on the host
running the command. Use '-' to write the data as a tar file to STDOUT.
The \n made the output look funky.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This patch modifies the journald log driver to store the container ID in
a field named CONTAINER_ID, rather than (ab)using the MESSAGE_ID field.
Additionally, this adds the CONTAINER_ID_FULL field containing the
complete container ID and CONTAINER_NAME, containing the container name.
When using the journald log driver, this permits you to see log messages
from a particular container like this:
# journalctl CONTAINER_ID=a9238443e193
Example output from "journalctl -o verbose" includes the following:
CONTAINER_ID=27aae7361e67
CONTAINER_ID_FULL=27aae7361e67e2b4d3864280acd2b80e78daf8ec73786d8b68f3afeeaabbd4c4
CONTAINER_NAME=web
Closes: #12864
Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
prioritize the ports with static mapping before dynamic mapping. This removes
the port conflicts when we allocate static port in the reserved range
together with dynamic ones.
When static port is allocated first, Docker will skip those when determining
free ports for dynamic ones.
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
We encountered a situation where concurrent invocations of the docker daemon on a machine with an older version of iptables led to nondeterministic errors related to simultaenous invocations of iptables.
While this is best resolved by upgrading iptables itself, the particular situation would have been avoided if the docker daemon simply took care not to concurrently invoke iptables. Of course, external processes could also cause iptables to fail in this way, but invoking docker in parallel seems like a pretty common case.
Signed-off-by: Aaron Davidson <aaron@databricks.com>
The `-N` option is not compatible with the `-O` option of wget (see the man page).
The example command now matches the example in the script on http://get.docker.com/.
Signed-off-by: Nik Nyby <nikolas@gnu.org>
This adds support for Dockerfile commands to have options - e.g:
COPY --user=john foo /tmp/
COPY --ignore-mtime foo /tmp/
Supports both booleans and strings.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Before, inspect cont1 cont2 shows:
[{
xxx
}
,{
xxx
}
]
After, it shows:
[
{
xxx
}
,{
xxx
}
]
Because `func (*Encoder) Encode` always followed by a newline character,
so it's difficult to put '}' and ']' one the same line.
To get symmetry, above is our choice.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
The existing page is focused on listing a set of requirements for
proposing a new repository. This information has become outdated and is
duplicated in the `docker-library/official-images` and
`docker-library/docs` GitHub repositories. This PR rewrites the
Official Repositories page to describe what they actually are, and
defers to GitHub/IRC for the subset of users that are interested in
contributing. I also removed the requirement to contact
partners@docker.com and made it optional to reduce the barrier to entry.
Signed-off-by: Peter Salvatore <peter@psftw.com>
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <princess@docker.com> (github: jfrazelle)
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <jess@docker.com> (github: jfrazelle)
docs: crop and optimize images
Cropped and optimized images.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <princess@docker.com> (github: jfrazelle)
Testing and updating the Windows material
Signed-off-by: Mary Anthony <mary@docker.com>
checkpoint
Signed-off-by: Mary Anthony <mary@docker.com>
Fitting the Windows specific material into the contributor guide
Signed-off-by: Mary Anthony <mary@docker.com>
Entering James comments
Signed-off-by: Mary Anthony <mary@docker.com>
If we tear through a few layers of abstraction, we can get at the inodes
contained in a directory without having to stat all the files. This
allows us to eliminate identical files much earlier in the changelist
generation process.
Signed-off-by: Burke Libbey <burke@libbey.me>
When a container has errors on removal, it gets flagged as dead.
If you `docker rm -f` a dead container the container is dereffed from
the daemon and doesn't show up on `docker ps` anymore... except that the
container JSON file may still be lingering around and becomes undead
when you restart the daemon.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
in https://docs.docker.com/articles/ambassador_pattern_linking/
svendowideit/ambassador images is from docker-ut built using this script
and uses socat but socat complains as follows
socat: error while loading shared libraries: libreadline.so.5: cannot open shared object file: No such file or directory
socat: error while loading shared libraries: libssl.so.1.0.0: cannot open shared object file: No such file or directory
socat: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
socat: error while loading shared libraries: libtinfo.so.5: cannot open shared object file: No such file or directory
/usr/lib/x86_64-linux-gnu/lib{crypto,ssl}.so* lib are symlinks so removing -P option from cp
adding libreadline.so and libtinfo.so
Signed-off-by: Jinsoo Park <cellpjs@gmail.com>
update libssl.so path
Signed-off-by: Jinsoo Park <cellpjs@gmail.com>
Remove mkimage-unittest.sh
Signed-off-by: Jinsoo Park <cellpjs@gmail.com>
ParseRestartPolicy is useful function for third party go programs to use
so that they can parse the restart policy in the same way that Docker
does
Signed-off-by: Darren Shepherd <darren@rancher.com>
statsCollector.publishers must be protected to prevent
modifications during the iteration in run().
Being locked for a long time is bad, so pairs of containers &
publishers (pointers) are copied to release the lock fast.
Signed-off-by: Anton Tiurin <noxiouz@yandex.ru>
This only happens with the old git http dumb protocol, but that's what we use in our integration tests.
We check the Content-Type header advertised in http requests to make sure the http transport is the git smart transport:
See this commit as a reference:
4656bf47fc
Signed-off-by: David Calavera <david.calavera@gmail.com>
Add tests on:
- changes.go
- archive.go
- wrap.go
Should fix#11603 as the coverage is now 81.2% on the ``pkg/archive``
package. There is still room for improvement though :).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Several parts of the codebase didn't use the correct path sanitisation
wrappers. Now that the wrappers have been exposed, use those.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
Due to the importance of path safety, the internal sanitisation wrappers
for volumes and containers should be exposed so other parts of Docker
can benefit from proper path sanitisation.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
Assuming that docker kill is trying to actually kill the container
is a mistake. If the container is not running we should report it
back to the caller as a error.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Regan McCooey <rmccooey27@aol.com> (github: rmccooey27)
Docker-DCO-1.1-Signed-off-by: Regan McCooey <rmccooey27@aol.com> (github: rhatdan)
If memory cgroup is mounted, memory limit is always supported,
no need to check if these files are exist.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This also moves `exec -i` test to _unix_test.go because it seems to need a
pty to reliably reproduce the behavior.
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
Since docker test suite is now using gocheck, ``defer
deleteContainer(…)`` is not needed anymore.
Fixes#12705
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
From the Bash manual's `set -e` description:
(https://www.gnu.org/software/bash/manual/bashref.html#index-set)
> Exit immediately if a pipeline (see Pipelines), which may consist of a
> single simple command (see Simple Commands), a list (see Lists), or a
> compound command (see Compound Commands) returns a non-zero status.
> The shell does not exit if the command that fails is part of the
> command list immediately following a while or until keyword, part of
> the test in an if statement, part of any command executed in a && or
> || list except the command following the final && or ||, any command
> in a pipeline but the last, or if the command’s return status is being
> inverted with !. If a compound command other than a subshell returns a
> non-zero status because a command failed while -e was being ignored,
> the shell does not exit.
Additionally, further down:
> If a compound command or shell function executes in a context where -e
> is being ignored, none of the commands executed within the compound
> command or function body will be affected by the -e setting, even if
> -e is set and a command returns a failure status. If a compound
> command or shell function sets -e while executing in a context where
> -e is ignored, that setting will not have any effect until the
> compound command or the command containing the function call
> completes.
Thus, the only way to have our `.integration-daemon-stop` script
actually run appropriately to clean up our daemon on test/script failure
is to use `trap ... EXIT`, which we traditionally avoid because it does
not have any stacking capabilities, but in this case is a reasonable
compromise because it's going to be the only script using it (for now,
at least; we can evaluate more complex solutions in the future if they
actually become necessary).
The alternatives were much less reasonable. One is to have the entire
complex chains in any script wanting to use `.integration-daemon-start`
/ `.integration-daemon-stop` be chained together with `&&` in an `if`
block, which is untenable. The other I could think of was taking the
body of these scripts out into separate scripts, essentially meaning
we'd need two files for each of these, which further complicates the
maintenance.
Add to that the fact that our `trap ... EXIT` is scoped to the enclosing
subshell (`( ... )`) and we're in even more reasonable territory with
this pattern.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
We need this, so client can get error from stream and not from status
code, which is already 200, because write to ResponseWriter was occured.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
When docker pull a non-existent repo, daemon will report "image xxx not found"
with an error code 500, which should be 404.
This commit add 404 "not found" mapping and refactor httpError function.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Currently `docker inspect -f` use json.Unmarshal() unmarshal
to interface, it will store all JSON numbers in float64, so
we use `docker inspect 4f0d73b75a0d | grep Memory` and
`docker inspect -f {{.HostConfig.Memory}} 4f0d73b75a0d` will
get different values.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
- Mount struct now called volumeMount
- Merged volume creation for each volume type (volumes-from, binds, normal
volumes) so this only happens in once place
- Simplified container copy of volumes (for when `docker cp` is a
volume)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Parse the history output to locate the size fields and check
whether they are the correct format or not. Use Column name SIZE
to mark start and end indices of the size fields
Fixes#12578
Signed-off-by: Ankush Agarwal <ankushagarwal11@gmail.com>
https://www.kali.org/ is a Debian derivative. This script completes
succesfully using the Debian install path
Signed-off-by: Andrew Martin <sublimino@gmail.com>
If device is being reactivated before it could go away and deferred
deactivation is scheduled on it, cancel it.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Deferred reove functionality was added to library later. So in old version
of library it did not report deferred_remove field.
Create a new function which also gets deferred_remove field and it will be
called only on newer version of library.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
If a device has been scheduled for deferred deactivation and container
is started again and we need to activate device again, we need to cancel
the deferred deactivation which is already scheduled on the device.
Create a method for the same.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
This will help with debugging as one could just do "docker info" and figure
out of deferred removal is enabled or not.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Provide a new command line knob dm.deferred_device_removal which will enable
deferred device deactivation if driver and library support it.
This patch also checks for library support and driver version.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
A lot of time device mapper devices leak across mount namespace which docker
does not know about and when docker tries to deactivate/delete device,
operation fails as device is open in some mount namespace.
Create a mechanism where one can defer the device deactivation/deletion
so that docker operation does not fail and device automatically goes
away when last reference to it is dropped.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
libdm started offering deferred remove functionality from version
1.02.89. As docker still builds against older libdm, define a tag
libdm_no_deferred_remove to determine whether we are compiling
against new libdm or older one and enable/disable deferred remove
functionality accordingly.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
When ever something vendor/ changes the go dependencies have to downloaded again,
which requires internet access and there for is potential slow. COPY and go install is much faster, while the git urls does not change not this often.
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Thanks to @dmcgowan for noticing.
Added a testcase to make sure Save() can create the dir and then
read from it.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Though I am not clear on the intent of the sentence if it means that existing data in the base image is copied into the new volume then the additions I propose make that more clear than the present language.
Signed-off-by: Kent Johnson <kentoj@gmail.com>
This PR does the following:
- migrated ~/.dockerfg to ~/.docker/config.json. The data is migrated
but the old file remains in case its needed
- moves the auth json in that fie into an "auth" property so we can add new
top-level properties w/o messing with the auth stuff
- adds support for an HttpHeaders property in ~/.docker/config.json
which adds these http headers to all msgs from the cli
In a follow-on PR I'll move the config file process out from under
"registry" since it not specific to that any more. I didn't do it here
because I wanted the diff to be smaller so people can make sure I didn't
break/miss any auth code during my edits.
Signed-off-by: Doug Davis <dug@us.ibm.com>
It is simplifies code and lead to next refactoring step, where daemon
will be incorporated to some structure which represents API.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.
With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].
Libvirt has been doing this for quite a long time now.
Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
Portmapper fortunatelly keeps list of mapped ports,
so we can easily recreate firewall rules on firewalld restart/reload
New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
When setting a bridge, basic firewall rules are created.
This is done at once during start, it's parametrized and nowhere
tracked so how can one know what and how to set it again when
there's been firewalld restart/reload ?
The only solution that came to my mind is using of closures [4],
i.e. I keep list of references to closures (anonymous functions
together with a referencing environment) and when there's firewalld
restart/reload I re-call them in the same order.
3) links/links.go - linking containers
Link is added in Enable() and removed in Disable().
In Enable() we add a callback function, which creates the link,
that's OK so far.
It'd be ideal if we could remove the same function from
the list in Disable(). Unfortunatelly that's not possible AFAICT,
because we don't know the reference to that function
at that moment, so we can only add a reference to function,
which removes the link. That means that after creating and
removing a link there are 2 functions in the list,
one adding and one removing the link and after
firewalld restart/reload both are called.
It works, but it's far from ideal.
[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Firewalld [1] is a firewall managing daemon with D-Bus interface.
What sort of problem are we trying to solve with this ?
Firewalld internally also executes iptables/ip6tables to change firewall settings.
It might happen on systems where both docker and firewalld are running
concurrently, that both of them try to call iptables at the same time.
The result is that the second one fails because the first one is holding a xtables lock.
One workaround is to use --wait/-w option in both
docker & firewalld when calling iptables.
It's already been done in both upstreams:
b315c380f4b3b451d6f8
But it'd still be better if docker used firewalld when it's running.
Other problem the firewalld support would solve is that
iptables/firewalld service's restart flushes all firewall rules
previously added by docker.
See next patch for possible solution.
This patch utilizes firewalld's D-Bus interface.
If firewalld is running, we call direct.passthrough() [2] method instead
of executing iptables directly.
direct.passthrough() takes the same arguments as iptables tool itself
and passes them through to iptables tool.
It might be better to use other methods, like direct.addChain and
direct.addRule [3] so it'd be more intergrated with firewalld, but
that'd make the patch much bigger.
If firewalld is not running, everything works as before.
[1] http://www.firewalld.org/
[2] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.passthrough
[3] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addChainhttps://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addRule
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Two main things
- Create a real struct Info for all of the data with the proper types
- Add test for REST API get info
Signed-off-by: Hu Keping <hukeping@huawei.com>
THe port tests in integration-cli tests just for the port-mapping as
seen by Docker daemon. But it doesn't perform a more indepth testing by
checking for the exposed port on the host.
This change helps to fill that gap.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Single value labels do not work in 1.6 and multi-label instructions only work when separated by non-EOL whitespace.
I also added an example snip from the inspect output with the labels that are included in this guide.
Signed-off-by: Jeff Nickoloff <jeff@allingeek.com>
- Compose teamhad forgotten some documentation
- Updated ENV for Distribution also
- Forgot one of the readability sections
Signed-off-by: Mary Anthony <mary@docker.com>
Changed method declaration. Fixed all calls to dockerCmd
method to reflect the change.
resolves#12355
Signed-off-by: bobby abbott <ttobbaybbob@gmail.com>
- sort inspect out
- update output fields
- format output
- add doc about go template
- other minor fix
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This patch changes two things
1. Set facility to LOG_DAEMON
2. Remove ": " from tag so that the tag + pid become a single column in
the log
Signed-off-by: Darren Shepherd <darren@rancher.com>
Without adding the user to the group you're going to hit nasty TLS errors. Figured I'd save the next guy the hassle.
Problem more accurately described here:
https://github.com/docker/docker/issues/5314
Signed-off-by: Jason Divock <jdivock@box.com>
sockRequest now makes the status code available in the returned
values. This helps avoid string checking for non-HttpStatusOK(=200)
yet successful error messages.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Check test correctness of untar by comparing destination with
source. For part 2, it checkes hashes of source and destination
files or the target files of symbolic links.
This is a supplement to the #11601 fix.
Signed-off-by: Yestin Sun <sunyi0804@gmail.com>
Instead of seeding/polluting the global random instance,
creating a local `rand.Random` instance which provides the same
level of randomness.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Before this, a storage driver would be defaulted to based on the
priority list, and only print a warning if there is state from other
drivers.
This meant a reordering of priority list would "break" users in an
upgrade of docker, such that there images in the prior driver's state
were now invisible.
With this change, prior state is scanned, and if present that driver is
preferred.
As such, we can reorder the priority list, and after an upgrade,
existing installs with prior drivers can have a contiguous experience,
while fresh installs may default to a driver in the new priority list.
Ref: https://github.com/docker/docker/pull/11962#issuecomment-88274858
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Everything else was gone from this file except these utils which are
being used in other files and can't yet be removed.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This test is already being skipped, and is also fully tested by
`TestRunContainerWithRmFlagExitCodeNotEqualToZero`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Megan Kostick <mkostick@us.ibm.com>
Alphabetize FSMagic list to make more human-readable.
Signed-off-by: Megan Kostick <mkostick@us.ibm.com>
Check whether the swap limit capabilities are disabled or not only when memory swap is set to greater than 0.
Signed-off-by: David Calavera <david.calavera@gmail.com>
This is a symlink to the latest "bundle" that was assembled. For example, if `VERSION` is currently `1.5.0-dev`, then `bundles/latest` will be a symlink to `bundles/1.5.0-dev` after an attempted build.
One interesting property of this is that after a successful `binary` build, we can `./bundles/latest/binary/docker -v` and get back something like `Docker version 1.5.0-dev, build 3ff6723-dirty`.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Testcase TestBuildResourceConstraintsAreUsed run build without
--no-cache, so if you run this test twice, it will fail the
second time.
TESTFLAGS='-v -run ^TestBuildResourceConstraintsAreUsed$' ./hack/make.sh binary test-integration-cli
[PASSED]
TESTFLAGS='-v -run ^TestBuildResourceConstraintsAreUsed$' ./hack/make.sh binary test-integration-cli
[FAIL]
Because we'll use cID to inspect field and will get empty cID
if we have cache.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
After finding our initial thinking on env. space versus arg list space
was wrong, we need to solve this by using a pipe between the caller and
child to marshall the (potentially very large) options array to the
archiver.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Updates most of the instances of HTTP urls in the engine's
comments. Does not account for any use in the code itself,
documentation, contrib, or project files.
Signed-off-by: Eric Windisch <eric@windisch.us>
using standard unix postfixes add unit test for display
also change doc for memory usage display change
for example GiB will be GB
Signed-off-by: Sun Jianbo <wonderflow@zju.edu.cn>
If an image has been tagged to multiple repos and tags, 'docker
rmi -f IMAGE_ID' will just untag one random repo instead of
untagging all and deleting the image. This patch implement
this. This commit is composed of:
*untag all names and delete the image
*add test to this feature
*modify commandline/cli.md to explain this
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
This provides an override for forcing the daemon to still attempt
running the devicemapper driver even when udev sync is not supported.
Intended to be a very clear impairment for those choosing to use it. If
udev sync is false, there will still be an error in the daemon logs,
even when the override is in place. The docs have an explicit WARNING.
Including link to the docs for users that encounter this daemon error
during an upgrade.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
As reported in #11294, the Docker daemon will execute contains it
shouldn't run in the event that a requested tag is present in an image's
ID. This leads to the wrong image being started up silently.
This change reduces the risk of such a collision by using the short ID
iff the actual revOrTag looks like a short ID (not that it necessarily
is).
Signed-off-by: Richard Burnison <rburnison@ebay.com>
This will assure that the install script will not
begin executing until after it has been downloaded should
it be utilized in a 'curl | bash' workflow.
Signed-off-by: Eric Windisch <eric@windisch.us>
This patch include the following fixs:
- fix image name error when docker ps
- fix docker events test failure: use the exact image name for filter
- fix docker build CI test failure due to "docker events" change
Because of change of daemon log behavior. Now we record
the exact Image name as you typed. So docker run -d busybux sh
and docker run -d busybox:latest are not the same in the log.
So it will affect the docker events. So change the related CI
Signed-off-by: Liu Hua <sdu.liu@huawei.com>
This also seemed to be checking the ordering of the events, which
doesn't seem like something we sould be interested in this particular
test.
Added check to make sure the filtered events have the expected ID's.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`TestInfoEnsureSucceeds` is supposed to check existence of all
expected fields that are going to be shown in `docker info` command.
If this list was complete, it could have helped catching the missing
`"Logging Driver:"` regression.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This flag is passed to the daemon CLI. In my opinion, "Container's
logging driver" is not accurate and refers to 'one container'.
Also the `syslog` driver was missing from the list. Having the list
of all logging drivers won't scale here (should be <80 chars per line)
and we have `rotation` driver coming up in the pipeline as well (gh11485).
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
When we tag an Image with several names and we run one of them,
The "create" job will log this event with
+job log(create, containerID, Imagename).
And the "Imagename" is always the first one (sorted). It is the
same to "start/stop/rm" jobs. So use the correct name instand.
This PR refer to #10479
Signed-off-by: Liu Hua <sdu.liu@huawei.com>
Preventing the test execution to pollute the deterministic runtime environment
by seeding the global rand.Random.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Check test correctness of untar by comparing destination with
source. For part one, it only compares the directories.
This is a supplement to the #11601 fix.
Signed-off-by: Yestin Sun <yestin.sun@polyera.com>
Corrected integer size passed to Windows
Corrected DisableEcho / SetRawTerminal to not modify state
Cleaned up and made routines more idiomatic
Corrected raw mode state bits
Removed duplicate IsTerminal
Corrected off-by-one error
Minor idiomatic change
Signed-off-by: Brendan Dixon <brendand@microsoft.com>
Updated Windows installation documentation with newest
screencasts and Chocolatey instructions to install windows
client CLI.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
registry/SearchResults was missing the "is_automated" field.
I added it back in.
Pull this 'table' removal one from the others because it fixed
a bug too
Signed-off-by: Doug Davis <dug@us.ibm.com>
* when no containers are returned, go test would then aborts with:
panic: runtime error: index out of range
Signed-off-by: Todd Whiteman <todd.whiteman@joyent.com>
Right now we try device removal at the interval of 10ms and keep on trying
till either device is removed or 10 seconds are over. That means if device
is busy, we will try 1000 times in those 10 seconds.
Sounds too high a frequency of deivce removal retrial. All the logs are
filled easily. I think it is a good idea to slow down a bit and retry at
the interval of 100ms instead of 10ms.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
During device removal, we are first waiting for device to close() in a tight
loop for 10 seconds. I am not sure why do we need it. First of all we come
here once the umount() is successful so device should be free. For some reason
of device is temporarily busy, then removeDevice() logic retries device removal
logic in a loop for 10 seconds and that should cover it. Can't see why one
more 10 seoncds loop is required before attempting device removal.
One loop should be able to cover all the temporary device busy conditions and
if condition is not temporary then 10 seconds loop is not going to help anyway.
So instead of two loops of 10 seconds each, I am converting it to a single
loop of 20 seconds. May be 10 second loop is good enough but for now I am
keeping it 20 seconds to avoid any regressions.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently in device removal path (device deactivation), we wait
for 10 seconds for devive to actually go away. waitRemove().
In current code this is not required. If dm removal task has completed
and one has done the wait on udev cookie, then device is gone and there
is no need to write another loop to wait for device removal.
This patch removes the waitRemove() which waits for 10 seconds after
device removal. This seems unnecessary.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
UdevWait() is deferred and takes uint cookie as an argument. As arguments
to deferred functions are calculated at the time of call, it is possible
that any update to cookie later by libdm are not taken into account when
UdevWait() is called. Hence use a pointer to uint as argument to UdevWait()
function.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
devmapper graph driver retries device removal 1000 times in case of failure
and if this fills up console with 1000 messages (when daemon is running in
debug mode). So remove these debug messages.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
There are issues with libdm logging. Right now if docker daemon is run
in debug mode, logging by libdm is too verbose. And if a device can't
be removed, thousands of messages fill the console and one can not see
what's going on.
This patch removes devicemapper.LogInitVerbose() call as that call will
only work if docker was not registering its own log handler with libdm.
For some reason docker registers one with libdm and libdm hands over
all the messages to docker (including debug ones). And now it is up to
devmapper backend to figure out which ones should go to console and
which ones should not.
So by default log only fatal messages from libdm. One can easily modify
the code to change it for debugging purposes.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
add a pair of accent mark around dockerfile commands
in docker-commit, as the same thing in docker-import.
Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
Some bullet lists didn't render as bullet-lists because
of a missing newline.
Also added missing "label" filter for `docker ps` and
slightly re-worded the header above the supported filters.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I have seen a lot of people try to do this and reach out to me on how to mount
/dev/snd because it is returning "not a device node". The docs imply you can
_just_ mount /dev/snd and that is not the case. This fixes that. It also allows
for coolness if you want to mount say /dev/usb.
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <hugs@docker.com> (github: jfrazelle)
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <princess@docker.com> (github: jfrazelle)
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <jess@docker.com> (github: jfrazelle)
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
When working with Go channels you must not set it to nil or else the
channel will block forever. It will not panic reading from a nil chan
but it blocks. The correct way to do this is to create the channel then
close it as the correct results to the caller will be returned.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Fixes: #11552
- scalable SVG
- uses colours from the rest of the page
- emphasizes that boot2docker is the ordinary Linux setup in a VM
- Add new graphic for architecture diagram
- Add windows boot2docker diagram
- Add windows diagram to documentation
- Remove old PNGs; replaced with SVGs
- Add redirects for new SVG versions of installation diagrams
Signed-off-by: Nick Irvine <nfirvine@nfirvine.com>
I can never get it to work for me when its just 3 seconds.
With this change it generates the OOM message around 17 seconds, but
I increased the timeout to 30 for people with slower machines
Signed-off-by: Doug Davis <dug@us.ibm.com>
This makes `registry.Service` a first class type and does not use jobs
to interact with this type.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Syslog was a heading-2, but should be heading-3;
changed the headings to heading-4 to match the
"network settings" section.
Also changed "Log driver" to "logging driver" for JSON.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Closing activationLock only if it's not closed already. This is needed
only because integration tests using docker code directly and doesn't
care about global state.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Update registry package to use the v2 registry api from distribution. Update interfaces to directly take in digests.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
It's about time to let folks not hit 'vfs', when 'overlay' is supported
on their kernel. Especially now that v3.18.y is a long-term kernel.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Currently the progress reader won't close properly by not setting the close size.
fixes#11849
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Api requesting port for daemon before init_networkdriver called.
Problem is that now initialization of api depends on initialization of
daemon and their intializations runs in parallel. Proper fix will be
just do it sequentially. For now I don't want refactor it, because it
can bring additional problems in 1.6.0.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Do not remove container if any of the resource could not be cleaned up. We
don't want to leak resources.
Two new states have been created. RemovalInProgress and Dead. Once container
is Dead, it can not be started/restarted. Dead container signifies the
container where we tried to remove it but removal failed. User now needs to
figure out what went wrong, corrent the situation and try cleanup again.
RemovalInProgress signifies that container is already being removed. Only
one removal can be in progress.
Also, do not allow start of a container if it is already dead or removal is
in progress.
Also extend existing force option (-f) to docker rm to not return an error
and remove container from user view even if resource cleanup failed.
This will allow a user to get back to old behavior where resources
might leak but atleast user will be able to make progress.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Docker does not know about our named cpuacct,cpu,cpuset cgroup
hierarchy with multiple subsystems in it. So to use them with docker
in integration-cli test TestRunWithCpuset inside docker container
we need to add symlinks to them in hack/dind script.
Example:
old version of parser will do:
cat /proc/1/cgroup
11:cpu,cpuacct,name=my_cpu_cpuacct:/
...
and create and mount this hierarchy to directory
/cgroup/cpu,cpuacct,name=my_cpu_cpuacct/
so docker cannot find it because it has strange name
in new parser directory will be same as on host
/cgroup/my_cpu_cpuacct
and have symlinks for docker to find it
/cgroup/cpu -> /cgroup/my_cpu_cpuacct
/cgroup/cpuacct -> /cgroup/my_cpu_cpuacct
in other case if where is no name
cat /proc/1/cgroup
11:cpu,cpuacct:/
...
mount will be same for both parsers
/cgroup/cpu,cpuacct
and new one will also create symlinks
/cgroup/cpu -> /cgroup/cpu,cpuacct
/cgroup/cpuacct -> /cgroup/cpu,cpuacct
Signed-off-by: Pavel Tikhomirov <ptikhomirov@parallels.com>
This has a few hacks in it but it ensures that the bridge driver does
not use global state in the mappers, atleast as much as possible at this
point without further refactoring. Some of the exported fields are
hacks to handle the daemon port mapping but this results in a much
cleaner approach and completely remove the global state from the mapper
and allocator.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Once the job has failed and is respawned, the status becomes `docker
respawn/post-start` after subsequent failures (as opposed to `docker
stop/post-start`), so the post-start script needs to take this into
account.
I could not find specific documentation on the job transitioning to the
`respawn/post-start` state, but this was observed on Ubuntu 14.04.2.
Signed-off-by: Lewis Marshall <lewis@lmars.net>
If job "acceptconnections" is called before "serveapi" the API Accept()
method will hang forever waiting for activation. This is due to the fact
that when "acceptconnections" ran the activation channel was nil.
Signed-off-by: Darren Shepherd <darren@rancher.com>
When buffering to file add support for compressing the tar contents. Since digest should be computed while writing buffer, include digest creation during buffer.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Installs and configures bash completion for Docker.
Note that bash completion still has to be initialized by a custom
.bashrc file.
Signed-off-by: Harald Albers <github@albersweb.de>
Generally, when using Remote API to push images there needs a http Header
X-Registry-Auth.
For compatibility if there was no authConfig header, everything will be
okay if a proper JSON-http-body was applied.
But when both X-Registry-Auth Header and the Body are missing, due to
the function of decode JSON, it will return an EOF error which was not
very clear to user.
So I think we can make the respone error be more nice.
Signed-off-by: Hu Keping <hukeping@huawei.com>
Boot2Docker experience is updated now that we have a Docker
client on Windows. Instead of running `boot2docker ssh`, users
can also use boot2docker on Windows Command Prompt (`cmd.exe`)
and PowerShell.
Updated documentation and screenshots, added a few details,
reorganized sections by importance, fixed a few errors.
Remaining: the video link in the Demonstration section needs
to be updated once I shoot a new video.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
dockerize-image tool takes a virtual disk image file
and creates a Docker image based on it. You can
specify a base Docker image to make this tool create
an image that will contain only filesystem diff
instead of full filesystem.
See tools usage for details.
Signed-off-by: Maxim Kulkin <maxim.kulkin@gmail.com>
These images was just sitting around and referenced from
nowhere, nor they seemed any useful.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
The git model uses `upstream master` to refer to the branch on
the remote repository, and `upstream/master` to refer to the
local cache of the upstream branch.
I did not explain the difference in the docs (that seemed a bit
excessive), but I did clarify the instructions so that it refers
to the correct concept in each place.
Signed-off-by: Katrina Owen <katrina.owen@gmail.com>
This change makes `monitorTtySize` work correctly on windows by polling
into win32 API to get terminal size (because there's no SIGWINCH on
windows) and send it to the engine over Remove API properly.
Average getttysize syscall takes around 30-40 ms on an average windows
machine as far as I can tell, therefore in a `for` loop, checking every
250ms if size has changed or not.
I'm not sure if there's a better way to do it on windows, if so,
somebody please send a link 'cause I could not find.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This change fixes a bug where stdout/stderr handles are not identified
correctly.
Previously we used to set the window size to fixed size to fit the default
tty size on the host (80x24). Now the attach/exec commands can correctly
get the terminal size from windows.
We still do not `monitorTtySize()` correctly on windows and update the tty
size on the host-side, in order to fix that we'll provide a
platform-specific `monitorTtySize` implementation in the future.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
We now advise people to configure docker group and
add to sudo. Mac shouldn't use sudo. Removed sudo
from command examples. Left in installation to be removed
in installation doc sweep -- removing requires finer
grain control.
Signed-off-by: Mary Anthony <mary@docker.com>
We now have instructions in our Unix installs about setting up
docker group to avoid sudo. Also, Mac/Windows shouldn't use
sudo. So, I've removed sudo from our examples and added a
section at the top reminding them that if they have to use
sudo to run docker they can change that.
Signed-off-by: Mary Anthony <mary@docker.com>
Set cpuset to "0" so that it works on single core machines.
W/o this (and set to "1") we'll see something like this error
when running:
System error: write /cgroup/cpuset/docker/66689499bbd08cd8dccc9b7bfd1d6b34e85d73ce8c84d3c69b5e91944322da60/docker/79d7c548b58c85c4cfad6cd01eb7c3b30db254d1014c496137edd93ddc528a6f/cpuset.cpus: invalid argument"
Signed-off-by: Doug Davis <dug@us.ibm.com>
This patch causes `The image you are pulling has been verified` status
message to be produced also when the repository is pulled for the first
time.
Signed-off-by: Michal Minar <miminar@redhat.com>
Since `dirperm1` requires a more recent aufs patch than many current OS release,
we cant remove #783 completely. This documents that docker will apply `dirperm1`
automatically for systems that support it
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
Automatically detect support for aufs `dirperm1` option and apply it.
`dirperm1` tells aufs to check the permission bits of the directory on the
topmost branch and ignore the permission bits on all lower branches.
It can be used to fix aufs' permission bug (i.e., upper layer having
broader mask than the lower layer).
More information about the bug can be found at https://github.com/docker/docker/issues/783
`dirperm1` man page is at: http://aufs.sourceforge.net/aufs3/man.html
Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com>
c79b9bab54 (Remove engine.Status and replace it with standard go error)
cause a regression that create container won't get any warnings, we still
need this to send useful informations to user.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
We removed it, because upstream removed it. But now it will be coming
back, so work with it either way.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
The validation script from #10681 is too pedantic, and does not handle
well situations like:
```
cat <<EOF # or <<-EOF
Whether the leading whitespace is stripped out or not by bash
it should still be considered as valid.
EOF
```
This reverts commit 4e65c1c319.
Signed-off-by: Tibor Vass <tibor@docker.com>
Having the list in one spot makes it easier for people to see what's
avaiable instead of having to scan all of the docs and extract the info.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Fixes#10958 by moving utils.daemon to pkg.pidfile.
Test cases were also added.
Updated the daemon to use the new pidfile.
Signed-off-by: Rick Wieman <git@rickw.nl>
Continuation of: #11660, working on issue #11626.
Wrapped portmapper global state into a struct. Now portallocator and
portmapper have no global state (except configuration, and a default
instance).
Unfortunately, removing the global default instances will break
```api/server/server.go:1539```, and ```daemon/daemon.go:832```, which
both call the global portallocator directly. Fixing that would be a much
bigger change, so for now, have postponed that.
Signed-off-by: Paul Bellamy <paul.a.bellamy@gmail.com>
For positerity (largely of packagers) lets leave around the generated
version files that happen during build.
They're already ignored in git, and recreated on every build.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
This disables recently added ANSI emulation feature in certain Windows
shells (like ConEmu) where ANSI output is emulated by default with builtin
functionality in the shell.
MSYS (mingw) runs in cmd.exe window and it doesn't support emulation.
Cygwin doesn't even pass terminal handles to docker.exe as far as I can
tell, stdin/stdout/stderr handles are behaving like non-TTY. Therefore not
even including that in the check.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
No longer add the body to the error when a 404 is received on get repository data.
closes#11510
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Link to new guide. Added a quickstart contributor guide for experienced people.
Converting narrative style to procedures for easier use. I think there is something missing in the
release publishing section...but it looks like it was missing in the original.
Updates per thaJeztah
Edits per Fred
Updating with comments from Sven
Signed-off-by: Mary Anthony <mary@docker.com>
Add the capability to cancel the build by disconnecting the client.
This adds a `cancelled` channel which is used to signal that a build
should halt. The build is halted by sending a Kill signal and noticing
that the cancellation channel is closed.
This first pass implementation does not allow cancellation during a
pull, but that will come in a subsequent PR.
* Add documentation of cancellation to cli and API
* Protect job cancellation with sync.Once
* Add TestBuildCancelationKillsSleep
* Add test case for build cancellation of RUN statements.
Signed-off-by: Peter Waller <p@pwaller.net>
Changes relevant for Docker since 0.6.6 are (most other changes are hooks and
options for formatters):
* Debugging color output changed to gray.
* Don't quote the number 9 when it's by it self (i.e. `omg=9` instead of
`omg="8"`, this was the case for all other numbers)
* Performance is better when running a high logging level with lots of low-level
logging.
* Minor internal refactoring and more tests.
Signed-off-by: Simon Eskildsen <sirup@sirupsen.com>
`TestBuildSpaces` is used to do string manipulation to redact timestamps
from compared cmd output. However it was assuming there is going to be
only one `time=".."` in the output --not the case on windows. Therefore
I wrote a regexp to redact all log timestamps.
Also the test used to have a copy/paste bug (see err1/err2). This fixes
that, too.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
With this Dockerfile
```
FROM ubuntu
ENV ABC=""
VOLUME $ABC
```
It builds ok but then at run time I get this error:
FATA[0002] Error response from daemon: Cannot start container 8902b4a7aaf5c4e4b11a38070d392db465fa97ad88c91c8b38dda5ab8149ccac: [8] System error: no such file or directory
Because the Volume config shows "" as the path. This PR checks for "" as
the path and stops it at build time.
Signed-off-by: Doug Davis <dug@us.ibm.com>
The problem is when I create container though REST api, set memory limit
in hostConfig, the memory limit didn't work. Because when we DecodeEnv,
we got hostConfig part of Env like this:
{"Binds":["/:/tmp"],"CpuShares":512,"CpusetCpus":"0,1","Devices":[],"Memory":1.6777216e+07,"MemorySwap":0}
And we cannot unmarshal number 1.6777216e+07 into Go value of type int64,
so we got 0.
We can fix this by setting Decoder as UseNumber().
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Resolved conflict in the following file:
docs/sources/installation/MAINTAINERS
File was deleted upstream and changed in this branch. Deleting the file in this branch as well.
Signed-off-by: Casey Bisson <casey.bisson@joyent.com>
This shows a warning message about adjusted file/directory permission bits
when the `docker build` cli command is executed on windows.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Pushing a v2 image layer has two steps:
- POST to get a new upload URL
- PUT to that upload URL
We were previously not checking the response code of
the POST request and the PUT would fail in weird ways.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
When pushing to the official registry, v2 push will be attempted first. If the v2 endpoint is unavailable, a push to v1 will occur. If a v2 push is started and failed, the push operation will fail. Pulling non-official images the official v2 registry is also enabled to pull the newly push images. When a pull of a v2 image fails, v1 will always be attempted.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
They say we should only use the BTRFS_LIB_VERSION
They will no longer support this since it had to be managed manually
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
container.
docker run -v /dev:/dev should stop mounting other default mounts in i
libcontainer otherwise directories and devices like /dev/ptx get mishandled.
We want to be able to run libvirtd for launching vms and it needs
access to the hosts /dev. This is a key componant of OpenStack.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
w/o this I would see:
```
unexpected file format for /proc/self/cgroup - ""
```
while running the cgroup tests
Signed-off-by: Doug Davis <dug@us.ibm.com>
Adding instructions that refers to the Microsoft Azure
documentation on creating Docker-ready Linux VMs on Azure
platform.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Thanks to @tiborvass's review of another PR it was noticed that
we didn't have a testcase to make sure the cache checking for LABEL
was being done properly. This adds a test for it.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This ensures that the libcontainer state is fully removed for a
container after it is terminated.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This addresses a subtle deadlock where an error during a copy prevented pipe
closure to propagate correctly. By closing down the read end of the pipe rather
than the write end, the waiting writer is properly signaled. A nice side-effect
of this change is that errors encountered by io.Copy are now propagated to the
verifier's Write method.
A test to ensure validation errors for unsupported digest types has been added,
as well.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Closes#10191
Allow `docker build` to set --cpu-shares, --cpuset, --memory,
--memory-swap for all containers created by the build.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently the http clients used by auth use the default tls config. The config needs to be updated to only support TLS1.0 and newer as well as respect registry insecure configuration.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Following bugs are fixed:
1.Handle out of bound cursor movements: vi in busybox sets cursor
to (999,999) expecting it to be set to right, bottom correctly.
2.Correctly determine redirected non-terminal file.
Signed-off-by: Sachin Joshi <sachin_jayant_joshi@hotmail.com>
The previous state assumed that the HOSTPATH argument referred to a
file. As clarified by moxiegirl in PR #11305, it is a directory.
Adjusted completion to reflect this.
Signed-off-by: Harald Albers <github@albersweb.de>
* fixes#10001
* test for global subnets <= 80
* test for global subnets > 80
* test link local allocations
* test duplicated addresses
* test regression from bug #11427
Signed-off-by: Christian Simon <simon@swine.de>
When docker push get response with unknown HTTP status, docker daemon
print:
"Error: Status XXX trying to push repository XXX: XXX"
But when docker pull meets response with unknown status code, it gives:
"HTTP code: XXX"
This commit helps docker pull print more detailed error info like push
does, so push and pull can behave consistently when error happens.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
$ docker run -ti --rm -m 300M --memory-swap=-1 ubuntu:14.04
WARNING: Your kernel does not support swap limit capabilities. Limitation discarded.
root@813aafc019d5:/#
When we disable memoryswap, it should not warning swap limit not support.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
When the deamon starts up with log level set to INFO it will show something
like this:
```
INFO[0000] Loading containers: start.
................................................................
INFO[0000] Loading containers: done.
```
where the dots represent containers in the system.
When you run with log level set to "error" it will still show the dots
w/o the "Loading..." lines before and after which looks really odd.
This PR will fix it so that the dots are only shown IFF the "Loading..."
lines are also shown
Signed-off-by: Doug Davis <dug@us.ibm.com>
The default for rlimit handling should be to inherit the rlimit of the
daemon unless explicitly set.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Currently the daemon will not stop on error because the serve API job is
blocking the channel wait for daemon init. A better way is to run the
blocking serve API job as a goroutine and make sure that error
notification gets back to the main daemon thread (using the already
existing channel) so that clean shutdown can occur on error.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
# The first commit's message is:
Updating Ubuntu installation to use wget; eliminating elo
Signed-off-by: Mary Anthony <mary.anthony@docker.com>
# This is the 2nd commit message:
Adding in James comments
Signed-off-by: Mary Anthony <mary@docker.com>
on overlay fs, the mtime of directories changes in a container where new
files are added in an upper layer (e.g. '/etc'). This flags the
directory as a change where there was none.
Closes#9874
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Add ability to refer to an image by repository name and digest using the
format repository@digest. Works for pull, push, run, build, and rmi.
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
Copied code from CmdSave into CmdExport. This should work, not an expert in the API calls being made. But it does make more sense to have a consistent export/save flag.
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
checkpoint before edits on the export functions
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
Added an --output flag to docker export and created tests.
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
White space cleanup.
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
Docker-DCO-1.1-Signed-off-by: Joseph Kern <jkern@semafour.net> (github: jfrazelle)
checkpoint before edits on the export functions
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
White space cleanup.
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
Added text to reflect a new output option for the export command.
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
Whitespace clean up
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
Added man page documentation for the new --output flag in export
Signed-off-by: Joseph Kern <joseph.a.kern@gmail.com>
- command.Commands was missing "Label"
- used the correct error string in dispatcher when LABEL has no args, otherwise
the test TestBuildMissingArgs will not work
- removed the premature error msg in line_parser that was blocking the
label() func in dispatcher from showing the err msg in previous bullet
- since LABEL uses the env parser it needs to be added to the replaceEnvAllowed
list so that proper quote processing will be done. Especially once
PR #10431 is merged.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Created a validation that detects all trailing whitespaces from every
text file that isn't *.go, *.md, vendor/*,
docs/theme/mkdocs/tipuesearch*
Removed trailing whitespaces from every text file except from vendor/*
builder/parser/testfiles*, docs/theme/mkdocs/tipuesearch* and *.md
Signed-off-by: André Martins <martins@noironetworks.com>
This makes APT be appropriately aggressive about removing packages it added due to `Recommends` or `Depends` if the packages they were added for are removed (even if other packages only have the softer `Suggests` relationship).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Windows client being official supported, publish Docker client Windows
binaries as part of the release.sh script.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Currently when registry error strings contain new line characters only the last line is displayed to the client. Quote the string to ensure the client can see the entire body value.
fixes#11346
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Currently when the registry ping is sent, it creates the request directly from http.NewRequest instead of from the http request factory. The request factory adds useful header information such as user agent which is needed by the registry.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This modifies iptables.Exists so that it must be called with an explicit
table and chain. This allows us (a) to generate an appropriate command
line for "iptables -C", which was not previously possible, and (b) it
allows us to limit our strings.Contains() search to just the table and
chain in question, preventing erroneous matches against unrelated rules.
Resolves#10781
Signed-off-by: Lars Kellogg-Stedman <lars@redhat.com>
It is implemented by intercepting and interpreting the output
escape sequence by calling win32 console apis.
In addition the input from win32 console is translated to linux keycodes
Signed-off-by: Sachin Joshi <sachin_jayant_joshi@hotmail.com>
After the new libcontainer API, the reexec.Self() output of the daemon
binary is used as the libcontainer factory InitPath. If it is relative,
it can't be found at container start time. This patch solves the
problem by making sure that we return a rooted/absolute path if a
relative path is used.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This requires that any environment where we wish to run the integration-cli tests includes both the `Dockerfile` and `curl`, which has been deemed an appropriate and acceptable trade-off.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
The STDOUT behavior of cp is not yet released in 1.50 so removed.
Also, tested against 1.5 all other behaviors and extended documentation to match.
Renamed HOSTPATH to HOSTDIR to give a self documenting name.
Adding back in the references to STDOUT
fix the command string
Entering Doug's comment re append and ~/tmp/foo in the glass
Adding in Doug's comments regarding PATHs and missing |-
Updating with James comments
Signed-off-by: Mary Anthony <mary@docker.com>
Update pull code to consider any layer download or new tag as an update.
Update hello-world frozen image to be explicitly tagged as frozen, to not interfere with pull tests. The hello-world is used by pull tests because of its small size and there is no other official image with such a size.
fixes#11383
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Instead of just printing a warning and going on, this will generate
an error and stop processing.
This used to be part of #10561 but I decided it might need its own
independent discussion/PR as to not derail #10561.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This also removes the now-defunct `*maintainer*.sh` scripts that don't work with the new TOML format, and moves a couple not-build-or-release-related scripts to `contrib/` instead.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Adds more documentation for labels and adds the label instruction to the
man-pages.
Also included is a document called "Labels - custom meta-data in Docker"
in the user-guide, this is still a work-in-progress I started to describe
the "namespaces" conventions, an example on storing structured data.
I ran a bit "out of steam" (writers block?) on that document, but kept
it in (for now), in case it still ends up useful.
The Remote API documentation changes will need to be moved to the
docker_remote_api_v1.18.md document when rebasing the whole PR.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Darren Shepherd <darren@rancher.com>
Save "LABEL" field in Dockerfile into image content.
This will allow a user to save user data into an image, which
can later be retrieved using:
docker inspect IMAGEID
I have copied this from the "Comment" handling in docker images.
We want to be able to add Name/Value data to an image to describe the image,
and then be able to use other tools to look at this data, to be able to do
security checks based on this data.
We are thinking about adding version names,
Perhaps listing the content of the dockerfile.
Descriptions of where the code came from etc.
This LABEL field should also be allowed to be specified in the
docker import --change LABEL:Name=Value
docker commit --change LABEL:Name=Value
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
See also https://bugs.gentoo.org/show_bug.cgi?id=536546:
```console
$ docker run learn/tutorial echo "hello world"
FATA[0001] Error response from daemon: Cannot start container 1d0c0ca5cc7f39a271ec40c1479a80bffb7190fab97392b3453a1fc0b2dc8e78: mountpoint for cpuset not found
```
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Unless `file` is wrapped with buffered reader, `fmt.Fscanf` will read
just one byte and terminate with `EOF`.
Signed-off-by: Michal Minar <miminar@redhat.com>
This uses a bit of on-disk state in our export directory to emulate our associative array for generating the "repositories" JSON file.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
In several cases graphdriver were just returning the low-level syscall
error and that was making it all the way up to the daemon logs and in
many cases was difficult to tell it was even coming from the graphdriver
at all.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
`docker rmi` output in docs/sources/reference/commandline/cli.md
is different from real scene. This commit fixes it.
Signed-off-by: Deng Guangxing <dengguangxing@huawei.com>
This adds two more tables to the run reference documentation.
- the list of 'modes' for Network settings is now a table.
- the "note" for `--net="host"` was moved from the list to the detailed
description.
- the 'options' for "Runtime constraints on CPU and memory" are
now a table
- slightly re-worded the description for "memory" options, e.g.
"It is not allowed..." was rewriten to "The *container* is not allowed..."
- fix example in "Runtime privilege, Linux capabilities, and LXC configuration"
being indented twice
- slightly reduced indenting in some `usage` output to be better readable.
- fixes a typo `/ets/hosts` -> `/etc/hosts`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As we started running CI machines on Azure cloud and Azure
doesn't have ICMP stack implemented by replacing
`ping 8.8.8.8` with `nslookup google.com`.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Fixes#11315
After rename occured the graphdb was updated but the container struct
was never commited back to disk, so on daemon restart it loads the old
name again.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fixes the `docker events`-related tests as they have been
failing due to clock skew between CI machine and test daemon on
some other machine (even 1-2 seconds of diff causes races as
we pass local time to --since/--until).
If we're running in same host, we keep using time.Now(), otherwise
we read the system time of the daemon from `/info` endpoint.
Fixes pretty much all events-related tests on windows CI.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Clear the cache for all files. Don't worry about what changed.
Move the docs release script back to the docker/docker repo, so we all can
easily watch the changes.
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <hugs@docker.com> (github: jfrazelle)
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <princess@docker.com> (github: jfrazelle)
In fact, it doesn't work as the bare `\` backslashes are now preserved
and therefore are not valid regex matches on any test, making it not run
any tests at all. I assume at some point there was a process in the
pipeline that needed escaping, but on master (for quite a while) this
has not worked.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
A minor thing, but I noticed that the "Reference" drop-down menu just
says "Command line". This was fine when we just had one command line,
but now there's also 'Compose command line' and I suspect we may add
others later. We should qualify the Docker one with the word "Docker"
in front
Signed-off-by: Doug Davis <dug@us.ibm.com>
FROM scratch
ADD echo /
RUN [ "echo" ]
will die with
exec: "/bin/sh": stat /bin/sh: no such file or directory
Signed-off-by: Doug Davis <dug@us.ibm.com>
delete unecessary blank after "[OPTIONS] "
and add a blank to the log between options and signature.
To make the code style consistency.
Signed-off-by: Zen Lin(Zhinan Lin) <linzhinan@huawei.com>
An earlier commit was causing docker windows CLI build to not to pick up
the shorthand form for home directory (`%USERPROFILE%`) shown in when
`docker --help` is executed.
Fixing that bug and making the if statement concise and clear.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This change enables `fakeGIT()` to use the new `fakeStorage`
server which is automatically starting a container on the remote test
daemon machine using the git repo directory (when requested).
Fixes the following tests:
- `TestBuildApiLowerDockerfile`
- `TestBuildApiBuildGitWithF`
- `TestBuildApiDoubleDockerfile` (skipped on windows: NTFS case-insensitive)
- `TestBuildFromGIT` (still needs local server)
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Cgroup resources are host dependent, they should be in hostConfig.
For backward compatibility, we just copy it to hostConfig, and leave it in
Config for now, so there is no regressions, but the right way to use this
throught json is to put it in HostConfig, like:
{
"Hostname": "",
...
"HostConfig": {
"CpuShares": 512,
"Memory": 314572800,
...
}
}
As we will add CpusetMems, CpusetCpus is definitely a better name, but some
users are already using Cpuset in their http APIs, we also make it compatible.
The main idea is keep using Cpuset in Config Struct, and make it has the same
value as CpusetCpus, but not always, some scenarios:
- Users use --cpuset in docker command, it can setup cpuset.cpus and can
get Cpuset field from docker inspect or other http API which will get
config info.
- Users use --cpuset-cpus in docker command, ditto.
- Users use Cpuset field in their http APIs, ditto.
- Users use CpusetCpus field in their http APIs, they won't get Cpuset field
in Config info, because by then, they should already know what happens
to Cpuset.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
This change adds daemon's system time as RFC3339Nano to the `/info` endpoint
and shows in a more readable format (UnixDate) in `docker -D info` output.
I will be using this to fix the clock skew between the remote test host and
the CI machines running `docker events`-related tests as they're using `--since`
and `--until` and the timestamps are not matching when daemon is not on the
same machine.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
We should warn users who use the `--dns` command line option to point
DNS to a localhost address, either IPv4 or IPv6. Unless they have
specifically set up the container as a DNS server or are using
--net=host (which is why this should be allowed, but warned on because
those are pretty unique cases) a localhost address as a resolver will
not reach what they might expect (e.g. expecting it will hit localhost
on the Docker daemon/host).
Added a test for the message, and fixed up tests to separate stdout and
stderr that were using `--dns=127.0.0.1` to test the options.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Thanks to @ahmetalpbalkan for noticing... we had an old check in this
testcase that no longer applied (due to stuff being removing recently).
However, while in there I added a check to make sure that the file referenced
by the query parameter isn't used at all.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Manifest is now generated during a v2 push, not relying on previously generated hashes. When pushing a layer, the hash is directly calculated from the tar contents which will be pushed. Computing the hash on push ensures that the hash contents always match what is seen by the registry. This also mitigates issues with tarsum differences and permits using pure SHA digests.
Additionally the new manifest function is moved to the unit tests since it is no longer called outside the tests.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This makes it much simpler to add new "frozen" images -- simply add them to the `Dockerfile` and in `hack/make/.ensure-frozen-images` and you're off to the races.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This also updates the comments at the top of the file to note that `-v /var/lib/docker` should be supplied for running `test-integration-cli` and that `hack/dind` is actually also required for `test-unit`.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
parser_test only needed the directory-names for
the tests to run. This replaces f.Readdir() with
f.Readdirnames() to only return the names.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When we run `docker login` we will be asked to input our username.
Prior to this PR, "userA" and " userA" will be considered as two
diferrent user, which is not right.
Signed-off-by: Hu Keping <hukeping@huawei.com>
Implemented a FakeStorage alternative that supports spinning
up a remote container on DOCKER_TEST_HOST to serve files over
an offline-compiled Go static web server image so that tests which
use URLs in Dockerfile can build them over at the daemon side.
`fakeStorage` function now automatically chooses if it should
use a local httptest.Server or a remote container.
This fixes the following tests when running against a remote
daemon:
- `TestBuildCacheADD`
- `TestBuildCopyWildcardNoFind`
- `TestBuildCopyWildcardCache`
- `TestBuildADDRemoteFileWithCache`
- `TestBuildADDRemoteFileWithoutCache`
- `TestBuildADDRemoteFileMTime`
- `TestBuildADDLocalAndRemoteFilesWithCache`
- `TestBuildADDLocalAndRemoteFilesWithoutCache`
- `TestBuildFromURLWithF`
- `TestBuildApiDockerFileRemote`
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This patch adds detail on how the host's `/etc/resolv.conf` file is
filtered when creating the copy for the container.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Previously on error either from the daemon or from the api it is just
exiting with exit status 1 but not performing a shutdown.
This can produce insconsistent state depending on where the error came
from.
This makes sure that before we exit on error that the engine gets fully
shutdown.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Read `/proc/sys/net/ipv4/ip_local_port_range` kernel parameter to obtain
ephemeral port range that now sets the boundaries of port allocator
which finds free host ports for those exported by containers.
Signed-off-by: Michal Minar <miminar@redhat.com>
This cleans up the recently added project docs and
fixes some minor issues.
- remove inline styles where possible
- add redirects for renamed/replaced documents
- add styles for GitHub labels to match the style on GitHub
- fix minor markdown issues causing some code-blocks
to be shown as text
- wrap the documents to 80-chars
- use 4 spaces in stead of tabs for identing and remove
trailing whitespace/redundant blank lines
- optimized 'gordon' image
NOTE:
This alternative commit/PR re-introduces some inline
styles because the docs/base image has not yet been
updated for the current docs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Windows CI fails to dial remote test host over tcp in the test cases where
we clear environment variables during `exec(dockerBinary, ...)` in the
absence of `SystemRoot` environment variable (typically points to `c:\windows`).
This fixes tests:
- `TestRunEnvironmentErase`
- `TestRunEnvironmentOverride`
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Private registries should support having images pushed with only a single name component (e.g. localhost:5000/myapp).
The public registry currently requires two name components, but this is already enforced in the registry code.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The call to io.Copy was not being checked for errors at a critical point in the
pull logic. This patch will log the error value if not nil.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
`TestCliProxyDisableProxyUnixSock` verifies that HTTP_PROXY env var is
used when DOCKER_HOST is not set and cli connects to `unix://...` by
default.
In the windows/darwin CLI CIs, daemon is on remote host and we always
connect via `tcp://`, therefore this test fails very straight. Skipping
this test to run only on "same host daemon" assumption.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
"docker create" for data containers should specify a dummy command to
avoid accidential "docker start" to cause unexpected data loss.
Signed-off-by: Hong Xu <hong@topbug.net>
TestRunCidFileCleanupIfEmpty fails on windows/mac because the test runs
the command `docker run scratch` and it gives the following error:
Unable to find image 'scratch:latest' locally
Pulling repository scratch
511136ea3c5a: Download complete
FATA[0004] 'scratch' is a reserved name
I am not entirely sure if this is a test issue or not but I had a quick
workaround by creating another image using `FROM scratch` and using that.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
They used single-quotes (') in the exec-form of onbuild run command
and things blew up. They asked to fix the man page to explain why.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
The tests end up overwriting the `dockerfile` with `Dockerfile` since
windows filesystems are case-insensitive. The following methods are
skipped:
- TestBuildRenamedDockerfile
- TestBuildFromMixedcaseDockerfile
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
daemon/volumes.go
This SetFileCon call made no sense, it was changing the labels of any
directory mounted into the containers SELinux label. If it came from me,
then I apologize since it is a huge bug.
The Volumes Mount code should optionally do this, but it should not always
happen, and should never happen on a --privileged container.
The change to
daemon/graphdriver/vfs/driver.go, is a simplification since this it not
a relabel, it is only a setting of the shared label for docker volumes.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Added link to original issue and clarified text so someone without any
background on the original issue can understand why the test exists.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
The overlay filesystem does not support inotify at this time. The
resolv.conf updater test was passing on overlay-based Jenkins because of
a fluke--because it was DIND, /etc/resolv.conf on the "host" was really
a bind-mounted resolv.conf from the outer container, which means a watch
directly on that file worked as it was not overlay backed. The new test
(from #10703) unmounts the bind-mounted copy to test create and modify
code-paths, which caused us to hit the issue.
This PR also adds a note to the docs about the lack of auto-update when
using the overlay storage driver.
See https://lkml.org/lkml/2012/2/28/223 for more info on inotify and
overlay.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
We could use EXPOSE ip:hostPort:containerPort,
but actually it did as EXPOSE ::containerPort
commit 2275c833 already warned user on daemon side.
This patch will print warning message on client side.
Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
This moves some information on restart-policies from
the "command line" page to "run reference".
Also fixes some minor typos and adds a "NOTE"
about --rm and --restart not allowed to be combined.
Also removes inline CSS styles from tables,
which will be styled by the stylesheet, and fixes
some minor MarkDown errors (`<` -> <)
depends on https://github.com/docker/docs-base/pull/1resolves#11069
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change modifies the chmod bits of build context archives built on
windows to preserve the execute bit and remove the r/w bits from
grp/others.
Also adjusted integ-cli tests to verify permissions based on the platform
the tests are running.
Fixes#11047.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
The original description has some mistakes and lack of many useful
information, I rewrite them to make it accurate and complete.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Closes#10807
Adds support for `dockerfile` ONLY when `Dockerfile` can't be found.
If we're building from a Dockerfile via stdin/URL then always download
it a `Dockerfile` and ignore the -f flag.
Signed-off-by: Doug Davis <dug@us.ibm.com>
and add a testcase to catch this in the future.
While in there I also:
- removed extra periods from the few options that had them (new test)
- made the --filter option consistent across all command
Signed-off-by: Doug Davis <dug@us.ibm.com>
This is the absolute bare minimum necessary to compile and test Docker -- this is going to be especially useful for testing and verifying assumptions.
With this, we can setup a Jenkins job that tests to ensure that all the work we do to make sure our build scripts and tests don't contain assumptions is not effort spent in vain.
This is important because this is the kind of bare-bones stock environment our packagers build in. Additionally, this verifies that our scripts will work reasonably on other platforms (such as Darwin and Windows) as well.
Assumptions existing tests make that currently fail:
- `registry-v2` exists as a binary in `$PATH` (FIXED IN #11005🎉)
- `unprivilegeduser` exists as a user in `/etc/passwd`
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This downloads a specific image ID of `busybox:latest` from the Hub directly (within the `Dockerfile`, ready for `docker load`) instead of grabbing the source from GitHub and doing a `docker build` at daemon start time. This ensures the test suite runs more consistently.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
If `.bashrc` exists at the root of the source tree, it will be used as the `~/.bashrc` inside the container.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
The document referenced https but was using the http port. I changed the
examples from https to http.
Also, fyi, when I tried accessing https using the correct 443 port, it
did not work. I have not investigated why. Port 80 worked fine.
For me:
jay-mac:.ssh jay$ docker port web
80/tcp -> 0.0.0.0:49153
443/tcp -> 0.0.0.0:49154
jay-mac:.ssh jay$ boot2docker ip
192.168.59.103
works: http://192.168.59.103:49153/
fails: https://192.168.59.103:49154/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Instead of applying it only for the final `chroot`, this adds a chroot helper function to apply it appropriately for every chroot, including making sure that we find `chroot` in our current host `PATH` in case it's in a strange place.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
when running in the chroot, it would be expected to have a Debian-ish environment,
most important the PATH variable. Otherwise the host PATH would be used which can wrong
for Debian, especially if the host is Arch (which doesn't have /bin, /sbin or /usr/sbin).
Signed-off-by: Damjan Georgievski <gdamjan@gmail.com>
Use `-it` combination in example instead of `-ti`, because this is how it used everywhere in examples.
Update dockerfile_best-practices.md
Fix typo in command name
Signed-off-by: Dmitry Gusev <dmitry.gusev@gmail.com>
If the tests are running outside a container (i.e.
executed without `make test`), we are using a `busybox`
pulled from Docker Hub (not jpatezzo's docker-busybox).
That one adds an extra
`PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin`
env var all the time and that messes the test `TestCommitChange`.
That's currently breaking the windows CI.
I'm keeping the same PATH here but making it explicit
so that it's always set and we verify what we set. It's actually the same
thing if I set `ENV PATH foo` here but I thought it may lead to some
problems hard to debug in the future.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Update the "Docker Remote API Client Libraries" documentation page to
include a reference to the Go-based docker-reg-client package.
Signed-off-by: Brian DeHamer <brian@dehamer.com>
Fixes: 10855
The example was actually incorrect for many situations, and also, now
that we have IPv6 we should not that the example is for IPv4 and note
how to find IPv6 addresses. Also, the device they want to connect to
could be the bridge, or main ethernet device, or some other device
name, so note that as well.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Some pull/push tests are launching `registry-v2`
binary which is compiled and installed if the tests
are running in-container through `make test-integration-cli`.
However, registry is not supported to run on non-linux
platforms and we can't really spin up any registry-v2
containers in the remote DOCKER_TEST_HOST at this point.
Just skipping those with the new TestRequirement called
`RegistryHosting`.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
`TestRunBindMounts` requires daemon to be on the same host.
Running this cli test on Linux is fair enough coverage for
this functionality and we can skip this for platforms where
daemon cannot run side-by-side with the cli for now.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Currently TestBuildRenamedDockerfile fails since passing
custom dockerfile paths like:
docker build -f dir/file .
fails on windows because those are unix paths. Instead, on
windows accept windows style paths like:
docker build -f dir\file .
and convert them to unix style paths using the helper we
have in `pkg/archive` so that daemon can correctly locate
the path in the context.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Use the new `runCommandPipelineWithOutput` helper to
remove bash dependency required for piping in
`TestSaveDirectoryPermissions`.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This type is produced on the server side and is a type safe struct that
can be encoded to json. It is consumed via the client.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Move the stats structs from the api/stats package into a new package
api/types that will contain all the api structs for docker's api request
and responses.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
In addition to config env, `commit` now will also accepts a `changes` env which
is a string contains new-line separated Dockerfile instructions.
`commit` will evaluate `changes` into `runconfig.Config` and merge it with
`config` env, and then finally commit a new image with the changed config
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: rhatdan)
Instead of building the actual image, `build_config` will serialize a subset of
dockerfile ast into *runconfig.Config
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Create container job could fail because a container specified with
`--volumes-from` does not exist. This error is not propagated to client
though. Instead it's recognized by higher levels as "image not found".
Client then tries to pull the image and launch the container again.
This patch changes the lower level error message so that it's not
recognized as "image not found" and thus it's propagated to client.
Signed-off-by: Michal Minar <miminar@redhat.com>
Phil has been very active across the repository for a few months now.
He has not only triaged issues but also contributed to features and bug
fixes and is a very active participant on the project.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
zsh completion is updated with the content of
felixr/docker-zsh-completion.
ef4a3fce0437 Update completion for `wait' as per 1.5.0
ace5aa9c1282 Add completion for `stats'
91f112834865 Update completion for `search' as per 1.5.0
a5e4febe4bf6 Update completion for `save' as per 1.5.0
1cdbdb18a384 Add completion for `rename'
2f004bb724b9 Update completion for `pull' as per 1.5.0
773b88e0885b Update completion for `logs' as per 1.5.0
c57e5d5c4551 Update completion for `load' to favor archive files
9af7d12b487e Update completion for `images` as per 1.5.0
0d59e66aff30 update completion for `exec' to complete on commands
46b6c66760d7 Update completion for `events' as per 1.5.0
307e0bdc4c34 Update completion for `commit' as per 1.5.0
c4b331f38cc4 Update completion for `build' as per 1.5.0
Also added myself in the `MAINTAINERS` file.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Some integration-cli tests assume daemon and cli are running
on the same machine and therefore they examine side effects
of executed docker commands on docker host by reading files
or running other sort of commands.
In case of windows/darwin CLI tests these provide little
or no value and should be OK to skip.
List of skipped tests:
- `TestContainerNetworkMode`
- `TestCpVolumePath`
- `TestCreateVolumesCreated`
- `TestBuildContextCleanup`
- `TestBuildContextCleanupFailedBuild`
- `TestLinksEtcHostsContentMatch`
- `TestRmContainerWithRemovedVolume`
- `TestRunModeIpcHost`
- `TestRunModeIpcContainer`
- `TestRunModePidHost`
- `TestRunNetHost`
- `TestRunDeallocatePortOnMissingIptablesRule`
- `TestRunPortInUse`
- `TestRunPortProxy`
- `TestRunMountOrdering`
- `TestRunModeHostname`
- `TestRunDnsDefaultOptions`
- `TestRunDnsOptionsBasedOnHostResolvConf`
- `TestRunResolvconfUpdater`
- `TestRunVolumesNotRecreatedOnStart`
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This way, we only leave around autogenerated files if the build fails (which is reasonable IMO, since that's when you'd need them for debugging the build failure).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This optimizes a number of images and removes a duplicate image.
Also consolidated images in the 'docker-hub' section.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1. Docker require to run before redis container run.
2. 'start' command can not accept more options like "run -e xx ..."
3. Remove wrong command 'Author='
Signed-off-by: Daniel YC Lin <dlin.tw@gmail>
Despite being wrong we are kinda calling our users dumb, I feel it is a bit
demeaning. As well as just wrong.
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <princess@docker.com> (github: jfrazelle)
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <hugs@docker.com> (github: jfrazelle)
Skip tests based on remote daemon's exec support (to exclude
these tests from `make test` ran in LXC case). Makes use of
`test_no_exec` build tag passed by build scripts.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Shout out to @estesp for the idea. Some use cases of
`readContainerFile` can be replaced with `docker exec $id cat $file`.
This helper method can eliminate the requirement that
host/cli should be on the same machine.
TestRunMutableNetworkFiles and TestRunResolvconfUpdater still
need to access the docker host filesystem as they modify
the file directly from there assuming cli and daemon are
on the same machine.
This fixes TestLinksUpdateOnRestart and TestLinksHostsFilesInject
for Windows CI.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
In its current form, if an error message has two trailing "\n" instead
of one, an empty line is resulted (see engine/job.go for an example of
such usages).
Skipping all trailing whitespaces will give a better error message.
Signed-off-by: Nghia Tran <nghia@google.com>
Some of the links in this document contained hard-wrapped URL portions, which causes Markdown to insert a literal URL encoded `\n` inside the link, thus breaking them.
Signed-off-by: Bradley Wright <brad@intranation.com>
This fixes a few misuses of `deleteAllContainers()` cleanup
method in integration-cli suite by moving call to the
beginning of the method and guaranteeing their execution
(including panics) with `defer`s.
Also added some forgotten cleanup calls while I'm at it.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
`docker build -q .` where Dockerfile contains a RUN cmd will hang on the
RUN. It waits for the output stream to close but because of -q we never
attached to the container and end up waiting forever.
The fact that no one noticed this tells me that people may not actually
use -q and if so I wonder if it would make sense to make -q work the may
it does for other commands (like `docker ps`) and make it so it only
shows the container ID at the end. A -q/quiet option that only hides the
container RUN output apparently isn't really that useful since no one is
using it. See: https://github.com/docker/docker/issues/4094
Signed-off-by: Doug Davis <dug@us.ibm.com>
TestBuildAddBadLinks used to build a path by
concenating unix-style forward slashes. Fixed that
by providing a windows-equivalent using `runtime.GOOS`.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Although this doesn't fix the test (os.Symlink is not yet
implemented for Windows), this prevents unix-style paths
from being passed to os.Symlink. Also makes code cleaner
for linux.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Skipping some of the tests closely tied to running in a
unix environment. Windows does not support chmod/chown
and this causes some tests to fail creating desired
behavior.
- `TestBuildWithInaccessibleFilesInContext`: uses chown/chmod
- `TestBuildDockerfileOutsideContext`: uses os.Symlink, not implemented on
windows
- `TestCpUnprivilegedUser`: uses chmod, and requires 'unprivilegeduser'
created by Dockerfile (and thus requires to run inside container)
- `TestBuildChownSingleFile`: uses chown
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
NetworkManager updates resolve.conf by replacing the current file
with an updated one. This change enables docker to listen for these
events.
Signed-off-by: Sami Wagiaalla <swagiaal@redhat.com>
The most obvious use case is when one wants to make sure as fast
as possible that a command is a valid Dockerfile command.
Signed-off-by: kargakis <kargakis@users.noreply.github.com>
This fixes `TestVolumesNoCopyData` for test execution on
windows by passing a unix-style path as volume even though
it's running on windows.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
estesp noticed that when $HOME is / the ~ substitutions messes up
becuase it tries to replace all paths that start with "/" with "~".
This fixes it so that it will only replace it when $HOME isn't "/".
Signed-off-by: Doug Davis <dug@us.ibm.com>
Fixes#10426
Because of the ability to easily overload the shell max argument list
length once the image count is several hundred, `docker load` will
start to fail because of this as it passes an excludes list of all
images in the graph. This patch uses an environment variable with the
json marshalled through it to get around the arg length limitation.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
`TestBuildRenamedDockerfile` tests hard-code unix-style
path building. Made use of `path/filepath` to make these
tests work on Windows as well.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Currently when containers are linked the alias name (e.g. from `--link
name:alias`) is added to the parent container's `/etc/hosts` with a
reference to the IP of the linked container. Some software requires
using the official hostname or node name in operations that need to
match on those values, and it is therefore helpful if the parent
container can refer to the child/link using those same values and still
access the same IP.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Fixes: #10701
Updates the IPv6 documentation and images to reflect the more modern
`ip -6` command set versus `route` and `ifconfig`. Also removes the
use of the special 2002: address range as that is reserved for 6to4
addressing, as well as use of any public address range and re-works the
switched routing example to use 3 subnets of the documentation IPv6
prefix range.
Also conformed all use of addresses to the same doc range per @MalteJ's
commit.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Signed-off-by: Malte Janduda <mail@janduda.net>
This makes use of `%USERPROFILE%` as a substitute for
`~` on Windows and prints shorter strings for default
cert paths etc.
Also removes string escaping/quotes around default
path values printed in `docker help` command as they
are not really necessary and adds double backslashes
(\\) on windows.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
In order to fit printed messages to fit 80 chars,
rewording messages for `-H` and `--tls` flags.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Since `cirros.tar.gz` only existed to test `docker import`'s display and
presence in `docker events`, we can instead just use `docker export`
piped directly to `docker import` to achieve the same goal without
another external dependency besides `busybox` (which we already have).
While I was at it, I updated `TestImportDisplay` to also test that the
imported image actually runs successfully as well (so we're testing the
full import round-trip).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Use `env -i` to very explicitly control exactly which environment variables leak into our tests. This enforces a clean separation of "build environment knobs" versus "test suite knobs".
This also includes a minor tweak to how we handle starting our integration daemon, especially to catch failure to start sooner than failing tests.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Mainly to make sure we don't treat the -f value as relative to the
root of the build context, but instead it must be relative to the current
dir.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Some of the `docker cp` tests were using `path/filepath` to
craft unix paths. This wouldn't work on Windows since filepath
is platform-dependent.
Moved code to `path` as much as possible and hacked away some
`path/filepath` functionality that doesn't exist in `path` pkg.
This fixes the following test cases:
- `TestCpGarbagePath`
- `TestCpRelativePath`
- `TestCpAbsoluteSymlink`
- `TestCpSymlinkComponent`
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This change enables TestRunSetMacAddress to run on windows
without `bash` dependency. Also `defer`red call of cleanup
method.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
The test case `TestImagesFilterWhiteSpaceTrimmingAndLowerCasingWorking`
fails based on time because it uses full `docker images` output and
value in the `CREATED` column turns from `A minute ago` to `2 minutes ago`
in the middle of execution and output comparison fails.
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
This removes `bash` dependency from save/load integration tests.
It used to call `/bin/bash -c 'c:\...\docker.exe'` which is not valid.
Also removed usage of tempdirs and temp files for saving/loading
repos. All are now done using in-memory pipes and buffers.
Created `runCommandPipelineWithOutput` helper to replace the
`/bin/bash -c 'a | b | c'` using pipes and returning output from
last command in the pipeline. This makes the code even shorter
and readable.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Currently pkg/archive stores nested windows files with
backslashes (e.g. `dir\`, `dir\file.txt`) and this causes
tar not being correctly extracted on Linux daemon.
This change assures we canonicalize all paths to unix
paths and add them to tar with that name independent of platform.
Fixes the following test cases for Windows CI:
- TestBuildAddFileWithWhitespace
- TestBuildCopyFileWithWhitespace
- TestBuildAddDirContentToRoot
- TestBuildAddDirContentToExistingDir
- TestBuildCopyDirContentToRoot
- TestBuildCopyDirContentToExistDir
- TestBuildDockerignore
- TestBuildEnvUsage
- TestBuildEnvUsage2
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
source /etc/bash_completion.d/docker.io was not working for me, since the file is called docker, not docker.io.
There might be versions with 'io' ending; star is general enough.
Signed-off-by: Ferenc Szabo <pragmaticfrank@gmail.com>
Or else we can violate array range boundaries in:
out = strings.Split(out, ":")[1]
and get runtime error.
We got this runtime error when run TestRunPortFromDockerRangeInUse
Somehow docker goes silently if it cannot publish port because
of no bridge.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@parallels.com>
Some tests in `docker_api_containers_test.go` assume the
docker daemon is running at the same machine as the cli
and uses `ioutil.TempDir` to create temp dirs and use them
in the test.
On windows ioutil.TempDir and os.TempDir would create win-style
paths and pass them to daemon. Instead, I hardcoded `/tmp/` and
generate some random path manually and allow daemon to create
the directory.
Fixes tests:
- TestContainerApiStartVolumeBinds
- TestContainerApiStartDupVolumeBinds
- TestVolumesFromHasPriority
Downside:
- Does not clean the temp dirs generated on the remote daemon
machine unless delete container deletes them.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
If DOCKER_CLIENTONLY is set for test-integration-cli, we don't set
the 'daemon' build tag. 'isRemoteDaemon' will help us skip such
tests without a need to move them to a separate file and accidentally
lose track of them.
Added `testRequires` function to skip tests based on predefined
conditions evaluated in runtime. This way we can easily extend test
requirements like:
testRequires(t, Networking, SameHostDaemon, Linux)
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
TestCliProxyDisableProxyUnixSock runs `docker info` by
clearing env however if the daemon is set up to run in a
different machine (e.g. Windows CI case) it does not make
use of DOCKER_TEST_HOST and tries to connect unix sock.
This fix injects DOCKER_HOST back to the test.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
A comment in https://github.com/docker/docker/issues/6354#issuecomment-74160215
brought to light that the "Managing Data in containers" section contained an
incorrect (or confusing) line;
"Volumes persist until no containers use them"
Which implies that volumes are automatically removed if they are no longer
referenced by a container.
This pull-request attempts to add some information explaining that volumes are
never automatically removed by Docker and adds some extra hints on working
with data volumes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For Windows, we run integration-cli with DOCKER_TEST_HOST env var b/c
daemon is on some remote machine. This keeps the DOCKER_HOST set by
bash scripts in the env.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Fixes TestRmiForceWithExistingContainers test to make it use
`busybox` image rather than /docker-busybox hardcoded path
and rebuilding image.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
TestEventsUntag requires a `timeout` command which does not
exist on OS X or Windows (in fact, windows has a totally different
timeout program and this test was accidentally using it).
- Created runCommandWithOutputForDuration.
This entirely replaces runDockerCommandWithTimeout and
removes dependency to `timeout` command.
- Made runDockerCommandWithTimeout reuse runDockerCommandForDuration.
TestEventsUntag works now on Windows.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Current uses of `makeRandomString` is to create really
long strings. In #10794, I used them to create nearly-unique
unix paths for the daemon. Although collions are harmless and
don't fail the tests, this prevents the same strings from being
created consistently in every run by seeding rand.Random.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
os.Exec("bash", "-c", dockerBinary) ends up making a call like
bash -c c:\...\docker.exe on windows msys shell, which does not work.
This test makes use of exec.Command.Stdin to pass image back to
docker import.
- Upside: fixes the test on windows
- Downside: cat/tee compatibility is no longer tested in this test case
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
It turns out the back-to-back `D`s here were tripping people up because visually, it looks like a typo. This renames the variable to `BIND_DIR`, but allows `BINDDIR` to continue working for backwards-compatibility.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Fixes newly introduced error flow from daemon.Get() in the link setup
code. Also added more detail to daemon.Get() comments for clarity.
Added test to test the bogus container link codepath.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Make the install script independent from the ubuntu keyserver by using
the sks-keyservers pool instead.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
TestBuildAddTarXz/TestBuildAddTarXzGz make exec calls like
'cd %SOME_TEMP_DIR%; xz test.gz' but this fails when called
from integration-cli tests (doesn't fail from msys or cmd shell).
It fails with error: "xz: test.tar: Cannot remove: Permission denied."
Proposing workaround of using the `xz --keep` argument since keeping
test.tar is harmless and it's already in os.TempDir().
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
TestGetContainersAttachWebsocket is currently broken on Windows CI tests
b/c it has hardcoded unix://var/run/docker.sock. This change makes use
of @icecrime's code in docker_utils and generalizes it with sockConn()
to provide a net.Conn by making use of DOCKER_TEST_HOST. Also fixes
the test.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
This fixes the build break in Jenkins Windows CI tests and
fixes TestInspectImage for Windows CLI.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
Makes sure the CLI does not use HTTP_PROXY when connecting to unix
socket.
Also adds some tests to make sure this functionality works as expected.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
d1e9d07c introduces a dependency to libcontainer and other daemon
related packages through builder package. The only thing test needs
is set of the Dockerfile commands. Extracting them to a separate
package.
This was causing CI tests to not to compile on non-Linux platforms.
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
subjectAltName=IP:x.x.x.x
this allows for connecting to the docker server from docker client
using the dns name OR using the IP address (lots of docker stuff
prefers IP addresses)
Signed-off-by: Greg Fausak <greg@tacodata.com>
pushV2Image() calls TarLayer() which returns an archive. One needs to
Close() the archive once done otherwise it will leave mounted devices
if devicemapper graph driver is being used.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
manifest code calls TarLayer() and gets archive. This archive needs to
be closed once caller is done using it to release the resrouces held
by archive. For the devicemapper graphdriver, archive keeps a device
mounted (device which is backing the layer). If archive.Close() is not
called, that device remains mounted and later deletion of device fails
leading to various other issues.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Fixes#9981
Allows a volume which was created by docker (ie, in
/var/lib/docker/vfs/dir) to be used as a Bind argument via the container
start API and overwrite an existing volume.
For example:
```bash
docker create -v /foo --name one
docker create -v /foo --name two
```
This allows the volume from `one` to be passed into the container start
API as a bind to `two`, and it will overwrite it.
This was possible before 7107898d5c
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The trust graph currently pulls the keys needed to verify official images. For non-official images this graph check is useless. To avoid hitting the key statement url when pulling from private v2 registries, restrict the check to official image pulls.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Pushing by image ID is not allowed in the Docker CLI and not supported by the registry. An unnamed image also cannot be pushed to a private registry, since no endpoint is specified and it will default to the hub. The hub also does not support this use case, therefore removing the code path is the best solution.
The ability to push a layer without a name is unsupported by the v2 registry.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
If you have a Dockefile with just:
FROM scratch
An error is generated but its never shown to the CLI. This PR fixes that.
Signed-off-by: Doug Davis <dug@us.ibm.com>
set LimitCORE=infinity to ensure complete core creation,
allows extraction of as much information as possible.
Thanks to Ulrich Obergfell <uobergfe@redhat.com>
and Jeremy Eder <jeder@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Fixes: #10655
As noted in the issue, bad format was being returned even if the format
was appropriate, but the IP was invalid. This adds a better error
message for when the IP address fails validation.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Handles missed comments in PR#10622 and adds an API test to validate
error returned properly for duplicate bind mounts for the same
container target path.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This allows us to use build tags in the code directly to include/exclude code based on our binary's "staticness".
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Right now its really hard for a newbie to find our Image specification
so I'm adding a link to it (and libcontainer's) to the main README.
I'm also trying to figure out how to add a link to it from the main docs
too but that's proving harder than I expected. I'll be working with Sven on
a subsequent PR to make that happen, but it might not happen until after 1.5
is out.
Signed-off-by: Doug Davis <dug@us.ibm.com>
`openssl req -new -x509 -text -key client.key -out client.cert` creates a self-sign certificate but not a certificate request.
Signed-off-by: Wei-Ting Kuo <waitingkuo0527@gmail.com>
We're hoping to add some new commands that don't have any args so this
PR will enable that by removing all of the hard-coded checks that require
commands to have at least one arg. It also adds some checks to each
command so we're consistent in the error message we get. Added a test
for this too.
We actually had this check in at least 3 different places (twice in the
parser and once in most cmds), this removes 2 of them (the parser ones).
Had to remove/modify some testcases because its now legal to have certain
commands w/o args - e.g. RUN. This was actually inconsistent because
we used to allow "RUN []" but not "RUN" even though they would generate
(almost) the same net result. Now we're consistent.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Applied multi parameters to pause and unpause.
Created a new test file dedicated for pause commands.
Created a new utility function to get a slice of paused containers.
Updated documentation
Signed-off-by: André Martins <martins@noironetworks.com>
Adding instructions to exit the test shell and a link to the user guide (as is done in the following sections for 12.04 and 13.04/10
Signed-off-by: Steven Koch <sjkoch@unm.edu>
I don't think that it was very useful feature in current implementation,
but when you have a lot of links - your daemon became unusable because
on first call of /containers global graphdb lock will be acquired and it
can take a lot of time: 30m for 15 containers linked to each other.
Links names can be seen with `--no-trunc`, but I think it's useless :)
Fixes#9967
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Addresses: #10618
Given that the user has no notification that they tried to bind mount
different directories on the same target in the container, this errors
out in that case, without changing the current code allowing for
--volumes-from to trump -v/VOLUME specifications.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
As I was reworking https://github.com/docker/docker/pull/9402 I realized
that the new testcase I just added that verified all help text is within
80 characters really should be smarter and ask "docker help" for the list
of commands to check instead of having a hard-coded list. This way
it will catch "docker execwait" automagically once #9402 is merged.
Signed-off-by: Doug Davis <dug@us.ibm.com>
sort changes found and exported.
Sorting the files before appending them to the tar archive
would mean a dependable ordering for types like hardlinks.
Also, combine sort logic used
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Per Erikh's suggestion at:
https://github.com/docker/docker/pull/9989#issuecomment-69832009
this PR will trim spaces in the parser to ensure that the user gets the same
results irrespetive of leading/trailing spaces.
Per @tiborvass's suggestion I added a test to make sure spaces in quotes
are not touched.
Signed-off-by: Doug Davis <dug@us.ibm.com>
We only accepted lower case proto: tcp, udp.
This patch will enable us to use upper case
of proto such as: EXPOSE 1234/TCP
Signed-off-by: Chen Hanxiao <chenhanxiao@cn.fujitsu.com>
Reflow change in commit 195f3a3f removed newlines in the config format.
This change reverts the sample config to the original formatting, which
matches the actual config format of a `awsconfig` file.
Signed-off-by: Katie McLaughlin <katie@glasnt.com>
Only show the verification message if all the tarsum checks pass and the image manifest is verified.
No longer return an error when a tarsum verification fails, just reset the verification flag.
Tarsum verification is less meaningful without a verified manifest and therefore it should not cause an error.
Updated the verified image test to pull an image which expected to have a verified manifest and contents.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Refactored getHomeDir in docker/docker to GetHomeDir in utils
pkg. Currently covers all use cases on the client-side.
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
Lxc images have /dev (devices). This creates a list with the /dev paths in the test.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Currently docker build is not passing HostConfig to daemon.Create.
this patch creates the default HostConfig and passes it to daemon.Create.
This will cause the SELinux labeling to turn on for docker build. Basically
it causes a SecurtyOpt field to be created. In the future this might also
allow us to use seccomp and UserNamespace with docker build.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This is sort of "revert" of #8415. There is some problems with using
logs:
* Non-live progressbars
* Races when you can try to get logs before it was written(there was
occasional errors in tests)
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
It didn't work on v2 anyways. And an image with a lot of aliases was slow to
fetch.
Docker-DCO-1.1-Signed-off-by: Jessie Frazelle <princess@docker.com> (github: jfrazelle)
On pull treat an unavailable v2 registry as a non-error fallback.
On push only show v2 error message in debug mode.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The -u/--user flag optionaly takes a group/gui. This change documents this behavior and specifies the complete format of the value.
Signed-off-by: Jeff Nickoloff <jeff@allingeek.com>
Added a missed semi-colon for consistency with other messages.
Signed-off-by: Jeff Nickoloff <jeff@allingeek.com>
No longer push to the official v2 registry when it is available. This allows pulling images from the v2 registry without defaulting push. Only pull official images from the v2 official registry.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Introduced in Docker v0.4.5 / Remove API v1.1 (#848), the remote
parameter of the API method POST /build allows to specify a buildable
remote URL (HTTPS, HTTP or Git).
Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
This modifies the "docker help" text so that it is no wider than 80 chars
and each description fits on one line. This will also try to use ~ when
possible
Added a test to make sure we don't go over 80 chars again.
Added a test to make sure we use ~
Applied rules/tests to all docker commands - not just main help text
Closes#10214
Signed-off-by: Doug Davis <dug@us.ibm.com>
Since the separator for extra host settings (for /etc/hosts in a
container) is a ":", the code that handles extra hosts needed to only
split on the first ":" to preserve IPv6 addresses which are passed via
the command line settings as well as stored in the JSON container
config.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This ensures that ca-certificates are installed and that they get
updated in case they were already installed.
Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
I noticed that while we have tests to make sure that people don't
specify a Dockerfile (via -f) that's outside of the build context
when using the docker cli, we don't check on the server side to make
sure that API users have the same check done. This would be a security
risk.
While in there I had to add a new util func for the tests to allow us to
send content to the server that isn't json encoded - in this case a tarball
Signed-off-by: Doug Davis <dug@us.ibm.com>
When calling stats on stopped container's print out zeros for all of the
values to populate the initial table. This signals to the user that the
operations completed and will not block.
Closes#10504
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
It's ambiguous to say that `ENV` is _functionally equivalent to prefixing the command with `<key>=<value>`_. `ENV` sets the environment for all future commands, but `RUN` can take chained commands like `RUN foo=bar bash -c 'echo $foo' && bash -c 'echo $foo $bar'`. Users with a solid understanding of `exec` may grok this without confusion, but less experienced users may need this distinction.
Signed-off-by: Michael A. Smith <msmith3@ebay.com>
Improve Environment Handling Descriptions
- Link `ENV` and `Environment Replacement`
- Improve side-effects of `ENV` text
- Rearrange avoiding side effects text
Signed-off-by: Michael A. Smith <msmith3@ebay.com>
The cmd.Lookup should be "-attach" and not "attach", as seen in
docker/docker/runconfig/parse.go
Signed-off-by: André Martins <martins@noironetworks.com>
This list is outdated. It could be updated instead of removed... but why should it be maintained? I do not see a reason.
Signed-off-by: João Bruni <contato@jbruni.com.br>
When requesting a token, the basic auth header is always being set even
if there is no username value. This patch corrects this and does not set
the basic auth header if the username is empty.
Also fixes an issue where pulling all tags from a v2 registry succeeds
when the image does not actually exist on the registry.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
When getting the URL from a v2 registry url builder, it does not
honor the scheme from the endpoint object and will cause an https
endpoint to return urls starting with http.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Wait for the local registry-v2 test instance to become available to
avoid random tests failures.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
The link to project/MAINTAINERS.md was broken, in
addition, /MAINTAINERS containers more relevant
information on the LGTM process and contains info
about maintainers of all subsystems.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The checksum is now being stored in a separate file beside the image
JSON file.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Fixes#10387
Without TCP keep-alive set on socket connections to the daemon, any
long-running container with std{out,err,in} attached that doesn't
read/write for a minute or longer will end in ECONNTIMEDOUT (depending
on network settings/OS defaults, etc.), leaving the docker client side
believing it is still waiting on data with no actual underlying socket
connection.
This patch turns on TCP keep-alive for the underlying TCP connection
for both TLS and standard HTTP hijacked daemon connections from the
docker client, with a keep-alive timeout of 30 seconds.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
While checksums are verified when a layer is pulled from v2 registries,
there are known issues where the checksum may change when the layer diff
is computed again. To avoid these issues, the checksum should no longer
be computed and stored until after it has been extracted to the docker
storage driver. The checksums are instead computed lazily before they
are pushed to a v2 registry.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Don't run docker in interactive mode in the archlinux container build script. Recent versions of Docker error out with "cannot enable tty mode on non tty input" when being run non-interactively (such as in a cron job, Jenkins build, etc.)
Signed-off-by: Jared Biel <jared.biel@bolderthinking.com>
The API documentation uses the "base" image in various
places. The "base" image is deprecated and it is no longer
possible to download this image.
This changes the API documentation to use "ubuntu" in stead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes the daemon's failure to start when setting --ipv6=true for
the first time without deleting `docker0` bridge from a prior use with
only IPv4 addressing.
The addition of the IPv6 bridge address is factored out into a separate
initialization routine which is called even if the bridge exists but no
IPv6 addresses are found.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Fixes a few typos in IPv6 addresses. Will make it easier for users who
actually try and copy/paste or use the example addresses directly.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Under certain cases, such as when putting a manifest or check for the existence
of a layer, the status code checks in session_v2.go were too narrow for their
purpose. In the case of putting a manifest, the handler only cares that an
error is not returned. Whether it is a 304 or 202 does not matter, as long as
the server reports success. Having the client only accept specific http codes
inhibits future protocol evolution.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
The build job will sometimes trigger a pull job when the base image
does not exist. Now that engine jobs properly close their output by default
the pull job would also close the build job's stdout in a cascading close
upon completion of the pull.
This patch corrects this by wrapping the `pull` job's stdout with a
nopCloseWriter which will not close the stdout of the `build` job.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Update fixes some rendering issues, including improperly escaping '$' in
blocks, and actual parsing of blockcode.
`ID=$(sudo docker run -d fedora /usr/bin/top -b)` was being converted to
`ID=do docker run -d fedora/usr/bin/top -b)`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The docs around COPY/ADD already mentioned that it will do a relative
copy/add based on WORKDIR, so that part is already ok. Just needed to
tweak the WORKDIR section since w/o mentioning COPY/ADD it can be misleading.
Noticed by @phemmer
Signed-off-by: Doug Davis <dug@us.ibm.com>
This revision is from docker_1.5 branch, because we don't want to
introduce user namespace in docker 1.5, but fix for --pid=host is
needed.
Fixes#10303
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
When unmarshaling the json response from the API in languages to a
dynamic object having the omitempty field tag on types such as float64
case the key to be omitted on 0.0 values. Various langages will
interpret this as a null when 0.0 is the actual value.
This patch removes the omitempty tags on fields that are not structs
where they can be safely omited.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
When calling delete on a bind-mount volume, the config file was bing
removed, but it was not actually being removed from the volume index.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Note: this deprecates the fine-grained, high-overlap cascading MAINTAINERS files,
and replaces them with a single top-level file, using a new structure:
* More coarse grained subsystems with dedicated teams of maintainers
* Core maintainers with a better-defined role and a wider scope (if it's
not in a subsystem, it's up to the core maintainers to figure it out)
* Architects
* Operators
This is work in progress, the goal is to start a conversation
Signed-off-by: Solomon Hykes <solomon@docker.com>
Signed-off-by: Erik Hollensbe <github@hollensbe.org>
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Signed-off-by: Tibor Vass <teabee89@gmail.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Before the V2 registry changes, images with no config could be pushed.
This change fixes a regression that made those images not able to be
pushed to a registry.
Signed-off-by: Euan Kemp <euank@euank.com>
The title `Image JSON Schema` was used as a header in the section
which describes the layout and fields of the image metadata JSON
file. It was pointed out that `JSON Schema` is its own term for
describing JSON in a machine-and-human-readable format, while the
word "Schema" in this context was used more generically to say that
the section is meant to be an example and outline of the Image JSON.
http://spacetelescope.github.io/understanding-json-schema/
This section now has the title `Image JSON Description` in order
to not cause this confusion.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Docker inspect can also be used on images, this patch fixed the
minor typo in file docker/flags.go and docs/man/docker.1.md
Signed-off-by: DiuDiugirl <sophia.wang@pku.edu.cn>
When progress reader closes it overwrites the progress line with the full progress bar, replaces the completed message.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Currently loading the trust key uses path instead of filepath. This creates problems on some operating systems such as Windows.
Fixes#10319
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Updates `image.StoreImage()` to always ensure that images
that are installed in Docker have a tarsum.v1 checksum.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
If stop/kill command hits a short window between process' exit and
container's cleanup, it will no longer fail with 'no such process'
error.
Resolves#10182
Signed-off-by: Michal Minar <miminar@redhat.com>
Since it can still be tested natively without this, this won't cause any harm while we fix the tests to actually work on Windows.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
* Adjust header to match _page_title
* Add instructions on deletion of CSRs and setting permissions
* Simplify some path expressions and commands
* Consqeuently use ~ instead of ${HOME}
* Precise formulation ('key' vs. 'public key')
* Fix wrong indentation of output of `openssl req`
* Use dash ('--') instead of minus ('-')
Remark on permissions:
It's not a problem to `chmod 0400` the private keys, because the
Docker daemon runs as root (can read the file anyway) and the Docker
client runs as user.
Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
Based on some feedback, when you have a container via the cli that you
are monitoring for stats, if you stop the container it will stay in the
display but report the last datapoint that was received.
This PR changes the display to zero out the values for containers where
an update has not been received within a specified duration, i.e. 2
seconds. This signals the user that the container has stopped as it
reports cpu and memory usage of 0.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since the Docker-Distribution-API-Version header value may contain multiple
space delimited versions as well as many instances of the header key, the
header value is now split on whitespace characters to iterate over all versions
that may be listed in one instance of the header.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Implementing the deamon flags the traditional way introduced even more
redundancy than usual because the same list of options with flags
had to be added twice.
This can be avoided by using variables in the case statements when
using the extglob shell option.
Signed-off-by: Harald Albers <github@albersweb.de>
This fixes various tests by checking for non zero exit code, accounting for lxc-specific base-diffs, and by removing lxc specific environment vars.
It also adds the --share-ipc option to lxc-start for shared ipc namespaces.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Update our "registry" install to use the included Godeps libraries so that it
doesn't require anything from our current source (hence moving it up for
better caching too)
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
v2 ping now checks for a Docker-Distribution-API-Version
header that identifies the endpoint as "registry/2.0"
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Due to the iptables package being `init`ed at start of the docker
runtime, this means the iptables --wait command listing all rules
is run, no matter if the command is simply "docker -h". It makes
more sense to both locate the iptables command and check for the
wait flag support at the time iptables is actually used, as it
may not be used at all if certain network support is off/configured
differently.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Some calls like json.Encoder.Encode mask the number of bytes written to
an io.Writer. The solution provides a wrapper io.Writer around the
actual io.Writer that allows multiple calls to Write to be considered as
one and allow access to this count.
Signed-off-by: Pierre Wacrenier <pierre.wacrenier@gmail.com>
Also, this decouples the emptyfs script from the busybox one -- they're now functionally separate thanks to the scratch no-op change. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
unshare the mount namespace of the docker daemon to avoid other pids
outside the daemon holding mount references of docker containers.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Fixes#9629#9768
A couple of issues:
1) Volume config is not restored if we couldn't find it with the graph
driver, but bind-mounts would never be found by the graph driver since
they aren't in that dir
2) container volumes were only being restored if they were found in the
volumes repo, but volumes created by old daemons wouldn't be in the
repo until the container is at least started.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This systemd.exec setting will construct a new mount namespace for the
docker daemon, and use slave shared-subtree mounts so that volume mounts
propogate correctly into containers.
By having an unshared mount namespace for the daemon it ensures that
mount references are not held by other pids outside of the docker
daemon. Frequently this can be seen in EBUSY or "device or resource
busy" errors.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
This is literally the only failing test on Go 1.3.3: 🎉
```
--- FAIL: TestBuildWithTabs (0.43 seconds)
docker_cli_build_test.go:4307: Missing tabs.
Got:["/bin/sh","-c","echo\u0009one\u0009\u0009two"]
Exp:["/bin/sh","-c","echo\tone\t\ttwo"]
```
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
The assumption is not true if user specifies an IP address other than
the first IP, in that case the first IP address is never allocated to
any container.
Signed-off-by: Hu Tao <hutao@cn.fujitsu.com>
Addresses #5811
This cleans up an error in the logic which removes localhost resolvers
from the host resolv.conf at container creation start time. Specifically
when the determination is made if any nameservers are left after
removing localhost resolvers, it was using a string match on the word
"nameserver", which could have been anywhere (including commented out)
leading to incorrect situations where no nameservers were left but the
default ones were not added.
This also adds some complexity to the regular expressions for finding
nameservers in general, as well as matching on localhost resolvers due
to the recent addition of IPv6 support. Because of IPv6 support now
available in the Docker daemon, the resolvconf code is now aware of
IPv6 enable/disable state and uses that for both filter/cleaning of
nameservers as well as adding default Google DNS (IPv4 only vs. IPv4
and IPv6 if IPv6 enabled). For all these changes, tests have been
added/strengthened to test these additional capabilities.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
DM_UDEV_DISABLE_LIBRARY_FALLBACK is disabled by most applications today
when using device-mapper, and ensuring that device-mapper is in sync
with udev. This flag instructs devicemapper to not fallback to creating
the device nodes itself. In the case of udev sync not being supported,
devicemapper will attempt to create the devices in a timely manner,
regardless of udev.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
when initializing the devmapper driver, attempt to sync udev and device
mapper. If udev sync is not supported, print a warning. Eventually we'll
likely bail here to avoid unpredictable behavior for users.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Since "go test" doesn't seem to support "-installsuffix" as quite the same perfect solution that "go build" is happy to let it be, let's just switch those crappy old "integration/" tests to use our separate static dockerinit binary so we don't have to worry about compiling the entire test harness statically. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
See #10141 for more info, but the main point of this is to make sure
that if you do "docker run -e FOO ..." that FOO from the current env
is passed into the container. This means that if there's a value, its
set. But it also means that if FOO isn't set then it should be unset in
the container too - even if it has to remove it from the env. So,
unset HOSTNAME
docker run -e HOSTNAME busybox env
should _NOT_ show HOSTNAME in the list at all
Closes#10141
Signed-off-by: Doug Davis <dug@us.ibm.com>
Set lxc.auto.mount = proc:mixed in unprivilged mode. This ensures that lxc mounts sys and proc/sysrq-trigger as readonly.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
To run shell(and not exit), lxc needs STDIN. Without STDIN open, it will exit 0.
Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Fixes#9709
In cases where the volumes-from container is removed and the consuming
container is restarted, docker was trying to re-apply volumes from that
now missing container, which is uneccessary since the volumes are
already applied.
Also cleaned up the volumes-from parsing function, which was doing way more than
it should have been.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Fixes#10129
Makes the .dockercfg more human parsable.
Also cleaned up the (technically) racey login test.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Sending capability ids instead of capability names ot LXC for --cap-add and --cap-drop.
Also fixed tests.
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
Fixes#9960
This adds the output of a "Backing Filesystem:" entry to `docker info`
to overlay, aufs, and devicemapper graphdrivers. The default list
includes a fairly complete list of common filesystem names from
linux/include/uapi/linux/magic.h, but if the backing filesystem is not
recognized, the code will simply show "<unknown>"
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Token cache prevents the need to get a new token for every registry interaction.
Since the tokens are short lived, the cache expires after only a minute.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The v2 session code will no longer update the indexEndpoint value, therefore it is not necessary to save and restore the value for use with v1.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
While the v2 pull operation is writing the body of the layer blob to disk
it now computes the tarsum checksum of the archive before extracting it to
the backend storage driver. If the checksum does not match that from the
image manifest an error is raised.
Also adds more debug logging to the pull operation and fixes existing test
cases which were failing. Adds a reverse lookup constructor to the tarsum
package so that you can get a tarsum object using a checksum label.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Because docker core cannot vendor non-master Go dependencies, we need to remove
dependencies on registry package. The definition of digest.Digest has been
changed to a string and the regular expressions have been ported from
docker-registry/common library.
We'll likely change this be dependent on the registry in the future when the
API stabilizies and use of the master branch becomes the norm.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This package, ported from next-generation docker regsitry, includes route and
error definitions. These facilitate compliant V2 client implementation. The
portions of the HTTP API that are included in this package are considered to be
locked down and should only be changed through a careful change proposal.
Descriptor definitions package layout may change without affecting API behavior
until the exported Go API is ready to be locked down.
When the new registry stabilizes and becomes the master branch, this package
can be vendored from the registry.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Registry authorization token is now taken from the response body rather than
the repsonse header.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
summary of changes:
registry/auth.go
- More logging around the login functions
- split Login() out to handle different code paths for v1 (unchanged logic)
and v2 (does not currently do account creation)
- handling for either basic or token based login attempts
registry/authchallenge.go
- New File
- credit to Brian Bland <brian.bland@docker.com> (github: BrianBland)
- handles parsing of WWW-Authenticate response headers
registry/endpoint.go
- EVEN MOAR LOGGING
- Many edits throught to make the coad less dense. Sparse code is more
readable code.
- slit Ping() out to handle different code paths for v1 (unchanged logic)
and v2.
- Updated Endpoint struct type to include an entry for authorization
challenges discovered during ping of a v2 registry.
- If registry endpoint version is unknown, v2 code path is first attempted,
then fallback to v1 upon failure.
registry/service.go
- STILL MOAR LOGGING
- simplified the logic around starting the 'auth' job.
registry/session.go
- updated use of a registry.Endpoint struct field.
registry/token.go
- New File
- Handles getting token from the parameters of a token auth challenge.
- Modified from function written by Brian Bland (see above credit).
registry/types.go
- Removed 'DefaultAPIVersion' in lieu of 'APIVersionUnknown = 0'`
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Make sure that as we build the CMD/ENTRYPOINT cache strings that we don't
treat ["echo","hi"] and ["echo hi"] as the same thing due to the fact that
we're just doing a strcat on the array.
Closes#10097
Signed-off-by: Doug Davis <dug@us.ibm.com>
The documentation on `docker export` doesn't mention that
data in volumes is not included in the export.
This adds a note that volumes are not part of the export
and refers to the "Backup, restore, or migrate data volumes"
to give the user some pointers.
Relates to https://github.com/docker/docker/issues/10095
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Under the restart policy "--restart=no", there is no record about it
in the information from docker inspect.
To keep it consistent around the three(maybe more in the future) restart
policies and distinguish with no restart policy specified cases, it's
worth to record it even though it is the default restart policy which
will not restart the container.
Signed-off-by: Hu Keping <hukeping@huawei.com>
Adjust builder to validate that JSON in Dockerfiles are arrays of strings and nothing else to match how we describe them to people (and what all our existing tests already assumed)
Tests no longer make the assumption that the daemon can be accessed
through unix:///var/run/docker.sock.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Add a --readonly flag to allow the container's root filesystem to be
mounted as readonly. This can be used in combination with volumes to
force a container's process to only write to locations that will be
persisted. This is useful in many cases where the admin controls where
they would like developers to write files and error on any other
locations.
Closes#7923Closes#8752
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
We want to be able to use container without the PID namespace. We basically
want containers that can manage the host os, which I call Super Privileged
Containers. We eventually would like to get to the point where the only
namespace we use is the MNT namespace to bring the Apps userspace with it.
By eliminating the PID namespace we can get better communication between the
host and the clients and potentially tools like strace and gdb become easier
to use. We also see tools like libvirtd running within a container telling
systemd to place a VM in a particular cgroup, we need to have communications of the PID.
I don't see us needing to share PID namespaces between containers, since this
is really what docker exec does.
So currently I see us just needing docker run --pid=host
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Fixes: #9860
Fixes: detach and attach tty mode
We never actually need to close container `stdin` after `stdout/stderr` finishes. We only need to close the `stdin` goroutine. In some cases this also means closing `stdin` but that is already controlled by the goroutine itself.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This refactors the starting work by the prior commits to make this safe
for access. A maximum of 5 worker go routines are started to lookup
images on the endpoint. Another go routine consumes the images that are
required to be pushed into a map for quick lookups. The map is required
because the pushing of the image json and layer have to be done in the
correct order or the registry will explode in fire.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
The "or rename" part was removed from the error-message,
because renaming wasn't possible at the time.
Now that https://github.com/docker/docker/pull/8570 is merged,
renaming existing containers is possible.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If an error message happens while parsing docker run or docker exec, the message
is not being printed out.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Since the failure count of container will increase by 1 every time it
exits successfully, the compare in function shouldRestart() will stop
container to restart by the last time.
Signed-off-by: Hu Keping <hukeping@huawei.com>
Many iterations have gone into documenting a v1 specification of Docker's Image
format.
v1 Image spec: clarify parent field
- metalivedev pointed out that the description was ambiguous, so I've removed
mention that it was randomly generated. It IS the ID of the parent image.
Updated v1 image specificatino documentation
- More complete details and deprication notifications for each field
in the JSON metadata of an image.
- Details on the format for packaging combined Image JSON + Filesystem
Changeset archives for all layers of an image.
Clarify description of an image "Layer" in v1 spec
Updated intro of image v1 spec
Updated image v1 spec after more review
- Removed description of "Image" from the terminology section. The entire
document is meant to serve this purpose.
- Updated the definition of "Image Filesystem Changeset".
- Clarified the level of randomness needed for generating image IDs.
- Updated the description of "Image Checksum".
- Added term descriptions for "Repository" and "Tag"
- Removed extraneous/implementation-specific fields from the Image JSON
example file and field descriptions:
- removed "container_config" and "docker_version" fields.
- Added missing "author" field example and description.
- Removed extraneous/implementation-specific fields from the "config" struct
example and description:
- removed "Hostname", "Domainname", "Cpuset", "AttachStdin", "AttachStdout",
"AttachStderr", "PortSpecs", "Tty", "OpenStdin", "StdinOnce", "Image",
"NetworkDisabled", and "OnBuild".
- Updated example Image JSON config with better example values for "Env",
"Cmd", "Volumes", "WorkingDir", "Entrypoint", "CpuShares", "Memory",
"MemorySwap", and "User".
- Added notices that any fields not specified are to be considered as
implementation specific and should be ignored my implementations which
are unable to interpret them.
- Updated example of creating layer filesystem changesets to use less formal
language.
- Listed more details in the section regarding extraction of a bundle of image
layers into the root filesystem of a container.
- Updated the closing mention of Docker as an evolving implementation.
More updates to the v1 image spec
- Added line wrapping after 80 columns per line to adhere to documentation
style guides, as pointed out by @jamtur01
- Removed references to any specific docker commands, updated a few descriptions
or drop repeated statements, as pointed out by @cpuguy83
Cleanup image v1 spec draft after fredlf comments
Address comments by mmdriley on v1 image spec
Improve description of image v1 spec 'config.User`
- Improves description of image v1 specification for the 'User' runtime
parameter after recomendations by tianon.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
There are a couple of drivers that swallow errors that may occur in
their Put() implementation.
This changes the signature of (*Driver).Put for all the drivers implemented.
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
to docs.master.dockerproject.com.
- Make the invaidation profile the bucket variable, not hard coded.
- Add no cache variable for settings cache to "no-cache"
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
This fixes the container start issue for containers which were started
on a daemon prior to the resolv.conf updater PR. The update code will
now safely ignore these containers (given they don't have a sha256 hash
to compare against) and will not attempt to update the resolv.conf
through their lifetime.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This refactors version number usage for several of our "download/install this exact version" bits so we have an easier time replacing the version numbers in Jenkins.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Presenly the "Data file:" shows either the loopback _file_ or the block device.
With this, the "Data file:" will always show the device, and if it is a
loopback, then there will additionally be a "Data loop file:".
(Same for "Metadata file:")
Signed-off-by: Vincent Batts <vbatts@redhat.com>
`uint64(buf.Type)` on i686 is ffffffff9123683e on i686 due to sign extension, so it cannot be compared with `FsMagic(0x9123683E)`
Signed-off-by: Andrii Melnykov <andy.melnikov@gmail.com>
Passing RepositoryInfo to ResolveAuthConfig, pullRepository, and pushRepository
Moving --registry-mirror configuration to registry config
Created resolve_repository job
Repo names with 'index.docker.io' or 'docker.io' are now synonymous with omitting an index name.
Adding test for RepositoryInfo
Adding tests for opts.StringSetOpts and registry.ValidateMirror
Fixing search term use of repoInfo
Adding integration tests for registry mirror configuration
Normalizing LookupImage image name to match LocalName parsing rules
Normalizing repository LocalName to avoid multiple references to an official image
Removing errorOut use in tests
Removing TODO comment
gofmt changes
golint comments cleanup. renaming RegistryOptions => registry.Options, and RegistryServiceConfig => registry.ServiceConfig
Splitting out builtins.Registry and registry.NewService calls
Stray whitespace cleanup
Moving integration tests for Mirrors and InsecureRegistries into TestNewIndexInfo unit test
Factoring out ValidateRepositoryName from NewRepositoryInfo
Removing unused IndexServerURL
Allowing json marshaling of ServiceConfig. Exposing ServiceConfig in /info
Switching to CamelCase for json marshaling
PR cleanup; removing 'Is' prefix from boolean members. Removing unneeded json tags.
Removing non-cleanup related fix for 'localhost:[port]' in splitReposName
Merge fixes for gh9735
Fixing integration test
Reapplying #9754
Adding comment on config.IndexConfigs use from isSecureIndex
Remove unused error return value from isSecureIndex
Signed-off-by: Don Kjer <don.kjer@gmail.com>
Adding back comment in isSecureIndex
Signed-off-by: Don Kjer <don.kjer@gmail.com>
Only modifies non-running containers resolv.conf bind mount, and only if
the container has an unmodified resolv.conf compared to its contents at
container start time (so we don't overwrite manual/automated changes
within the container runtime). For containers which are running when
the host resolv.conf changes, the update will only be applied to the
container version of resolv.conf when the container is "bounced" down
and back up (e.g. stop/start or restart)
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
It seems odd to have such an important API hidden under 'misc'.
While in there I noticed that during the "-f Dockerfile" PR I changed
the query param from f to dockerfile and missed this one spot in the docs.
Signed-off-by: Doug Davis <dug@us.ibm.com>
w/o this one-liner the v1.17 docs didn't appear in the Reference dropdown
and I would get a 404 when I tried to access
.../reference/api/docker_remote_api_v1.17/
Not sure if there are other spots that need to be fixed but this seemed to
fix it for me.
Signed-off-by: Doug Davis <dug@us.ibm.com>
The cli now doesn't echo the container ID when started using either -a
or -i. Also fixes `TestStartAttachCorrectExitCode` which incorrectly
called start with the result of wait rather than the container ID.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Add a check to make sure Dockerfile is in the build context
Add docs and a testcase
Make -f relative to current dir, not build context
Signed-off-by: Doug Davis <dug@us.ibm.com>
If .dockerignore mentions either then the client will send them to the
daemon but the daemon will erase them after the Dockerfile has been parsed
to simulate them never being sent in the first place.
an events test kept failing for me so I tried to fix that too
Closes#8330
Signed-off-by: Doug Davis <dug@us.ibm.com>
Usage string isn't printed anymore. User is adviced to see help instead
- according to coreutils standard.
Signed-off-by: Michal Minar <miminar@redhat.com>
Ignoring return value of ParseFlags leads to exit code 0 if bad
arguments are supplied. This patch makes sure that subcommands exit
with non-zero code in such a case.
Signed-off-by: Michal Minar <miminar@redhat.com>
* Do not log bad options error message twice, e.g.:
$ docker run --pouet
flag provided but not defined: --pouet
See 'docker run --help'.
2014/11/05 21:41:23 flag provided but not defined: --pouet
With this patch just the first two lines will be produced.
* Print 'docker' just once when run without a command, e.g.:
$ docker --hel
flag provided but not defined: --hel
See 'docker docker --help'.
Signed-off-by: Michal Minar <miminar@redhat.com>
--help and help are successful commands so output should not go to error.
QE teams have requested this change, also users doing docker help | less
or docker run --help | less would expect this to work.
Usage statement should only be printed when the user asks for it.
Errors should print error message and then suggest the docker COMMAND --help
command to see usage information.
The current behaviour causes the user to have to search for the error message
and sometimes scrolls right off the screen. For example a error on a
"docker run" command is very difficult to diagnose.
Finally erros should always exit with a non 0 exit code, if the user
makes a CLI error.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Function shouldRestart() checks the restart policy and records the
debug info and there should be two arguments in the log.Debugf().
Prior to the this patch, the logs were something like this:
- client: $ docker run --restart=on-failure:3 ubuntu /bin/sh -c 'exit 1'
- daemon: INFO[0168] ...
DEBU[0168] stopping restart of container %!s(int=3) because maximum
failure could of %!d(MISSING) has been reached
INFO[0086] ...
Btw, fix a spelling error in the same file:
- cotnainer -> container
----------------------------------------
Signed-off-by: Hu Keping <hukeping@huawei.com>
Also makes streamConfig Pipe methods not return error, since there was
no error for them to be able to return anyway.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This also adds more tests to help verify this, including unicode and nonprintable characters (hence the earlier commit switching to strconv.Quote).
As a bonus, this fixes a subtle bug where [] was turned into [""] and then turned back into [] (and thus [""] was impossible to actually round-trip correctly in a Dockerfile).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This is:
git format-patch -1 --stdout HEAD \
| patch -p1 docs/sources/reference/api/docker_remote_api_v1.*.md
Applying the changes I initially made on the docs for v1.15 to all
other versions led to acceptable results.
Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
Copyright notices must reflect the current year. This commit updates the listed year to 2015 with a starting year of 2013 from
a27b4b8cb8
Docker-DCO-1.1-Signed-off-by: Patrick Stapleton <github@gdi2290.com> (github: gdi2290)
Using --insecure is (you guessed it) *insecure* as the server side
certificate is not being validated. To offer the same degree of
security as invocations of the docker client in "Secure by default"
with cURL, the trusted CA certificate must be supplied.
Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
With -CAcreateserial the serial file will be automatically created
and initialized if it is missing.
Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
syscall.Unmount failed sometimes when user interrupted exporting,
for example a Ctrl-C, or pipe to commands which closed the pipe early,
like "docker export <container_name> | file -"; this syscall.Unmount
could sometimes return EBUSY and didn't actually umount the filesystem;
which would cause a following export command fail to mount;
change to lazy Unmount with MNT_DETACH can fix the problem, this is
the same behavior as in Shutdown;
```text
time="2015-01-03T21:27:26Z" level=error msg="Warning: error unmounting device
34a3e77cdbca17ceffd0636aee0415bb412996adb12360bfe2585ce30467fa8e: device or resource busy"
```
```
$ docker export thirsty_ardinghelli | file -
/dev/stdin: POSIX tar archive
time="2015-01-03T21:58:17Z" level=fatal msg="write /dev/stdout: broken pipe"
$ docker export thirsty_ardinghelli
time="2015-01-03T21:54:33Z" level=fatal msg="Error: thirsty_ardinghelli: Error getting container
34a3e77cdbca17ceffd0636aee0415bb412996adb12360bfe2585ce30467fa8e from driver devicemapper:
Error mounting '/dev/mapper/docker-253:0-3148372-34a3e77cdbca17ceffd0636aee0415bb412996adb12360bfe2585ce30467fa8e'
on '/var/lib/docker/devicemapper/mnt/34a3e77cdbca17ceffd0636aee0415bb412996adb12360bfe2585ce30467fa8e': device or resource busy"
```
Signed-off-by: Derek Che <drc@yahoo-inc.com>
Fixed:
* Invalid JSON
* Inconsistent spacing at colon
Expression for binary data streams (line 468 vs. 1474) remain inconsistent.
Could fix that too, if you like.
Signed-off-by: Lorenz Leutgeb <lorenz.leutgeb@gmail.com>
This introduces a sort order for options:
Arrange options sorted alphabetically by long name with the short
options immediately following their corresponding long form.
Signed-off-by: Harald Albers <github@albersweb.de>
Moves some information around, expanding information on
user namespaces, pull/load security, cap add/drop.
Also includes various grammar improvements and edits.
Signed-off-by: Eric Windisch <eric@windisch.us>
This way, we can embed the link/description lines directly in the array itself, conflicts between PRs to this section are minimized, new PRs are easier to review, and it's a lot easier to notice when people are missing a link/description (like the few that currently are).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This file is one APT creates to make sure we don't "autoremove" our currently in-use kernel, which doesn't really apply to debootstraps/Docker images that don't even have kernels installed.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This fixes the issue where an lxc.conf override of lxc.network.ipv4 was not being honored.
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
This commit contains changes for docker:
* user.GetGroupFile to user.GetGroupPath docker/libcontainer#301
* Add systemd support for OOM docker/libcontainer#307
* Support for custom namespaces docker/libcontainer#279, docker/libcontainer#312
* Fixes#9699docker/libcontainer#308
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
This changes the error message that is returned by the daemon when
a container-name already exists.
The old message suggests that containers can be renamed, which is
currently not possible.
To prevent confusion, the part "(or rename)" is removed from
the error-message.
Message before this change;
FATA[0000] Error response from daemon: Conflict, The name foobar is already assigned to 728ac36fb0ab. You have to delete (or rename) that container to be able to assign foobar to a container again.
Message after this change;
FATA[0000] Error response from daemon: Conflict. The name 'foobar' is already in use by container 728ac36fb0ab. You have to delete that container to be able to reuse that name.
Relates to: https://github.com/docker/docker/issues/3036
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
People might find it hard to find the newer/related Docker projects,
especially when they're just github issues. So, while I would have
preferred to have this at http://github.com/docker, I couldn't find
a doc to edit to make that happen, so this is the next best spot.
Signed-off-by: Doug Davis <dug@us.ibm.com>
If `--insecure-registry mydomain.com` was specified, it would match a registry at mydomain.com on any port.
This was accidentally added in #9735 and is now being reverted.
Signed-off-by: Tibor Vass <teabee89@gmail.com>
- move docker/docker-py clone to the Dockerfile
- put "integration test daemon startup" code in a separate file for both scripts to source
- add new test-docker-py Makefile target
- include "python-websocket" package in Dockerfile for running the tests
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Because the patch is not in 1.4, the v1.16 docs shouldn't have been
updated. Docs were promoted to v1.17 by #9742.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
There has been a lot of discussion (issues 4242 and 5262) about making
`FROM scratch` either a special case or making `FROM` optional, implying
starting from an empty file system.
This patch makes the build command `FROM scratch` special cased from now on
and if used does not pull/set the the initial layer of the build to the ancient
image ID (511136ea..) but instead marks the build as having no base image. The
next command in the dockerfile will create an image with a parent image ID of "".
This means every image ever can now use one fewer layer!
This also makes the image name `scratch` a reserved name by the TagStore. You
will not be able to tag an image with this name from now on. If any users
currently have an image tagged as `scratch`, they will still be able to use that
image, but will not be able to tag a new image with that name.
Goodbye '511136ea3c5a64f264b78b5433614aec563103b4d4702f3ba7d4d2698e22c158',
it was nice knowing you.
Fixes#4242
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
To avoid an expensive call to archive.ChangesDirs() which walks two directory
trees and compares every entry, archive.ApplyLayer() has been extended to
also return the size of the layer changes.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
This clones and run the integration tests for docker-py master as part
of the integration tests created on master. docker-py hits the api
directly and should be a good way to identify regressions in the api.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This commit is patch for following comment
// TODO: This method should return the errors instead of masking them and returning false
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
As we move forward on automating our pull request review process and
tooling these exceptions hurt more than they help. For consistency we
should not allow small patch exceptions for anything. The source of
truth going forward for DCO and builds are the official drone status on
each pull request.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Fixes#6647: Other upstart jobs that depend on docker by specifying
"start on started docker" would often start before the docker daemon was
ready, so they'd fail with "Cannot connect to the Docker daemon" or
"dial unix /var/run/docker.sock: no such file or directory".
This is because "docker -d" doesn't daemonize, it runs in the
foreground, so upstart can't know when the daemon is ready to receive
incoming connections. (Traditionally, a daemon will create all necessary
sockets and then fork to signal that it's ready; according to @tianon
this "isn't possible in Go"[1]. See also [2].)
Presumably this isn't a problem with systemd init with its socket
activation. The SysV init scripts may or may not suffer from this
problem but I have no motivation to fix them.
This commit adds a "post-start" stanza to the upstart configuration
that waits for the socket to be available. Upstart won't emit the
"started" event until the "post-start" script completes.[3]
Note that the system administrator might have specified a different path
for the socket, or a tcp socket instead, by customising
/etc/default/docker. In that case we don't try to figure out what the
new socket is, but at least we don't wait in vain for
/var/run/docker.sock to appear.
If the main script (`docker -d`) fails to start, the `initctl status
$UPSTART_JOB | grep -q "stop/"` line ensures that we don't loop forever.
I stole this idea from Steve Langasek.[4]
If for some reason we *still* end up in an infinite loop --I guess
`docker -d` must have hung-- then at least we'll be able to see the
"Waiting for /var/run/docker.sock" debug output in
/var/log/upstart/docker.log.
I considered using inotifywait instead of sleep, but it isn't worth
the complexity & the extra dependency.
[1] https://github.com/docker/docker/issues/6647#issuecomment-47001613
[2] https://code.google.com/p/go/issues/detail?id=227
[3] http://upstart.ubuntu.com/cookbook/#post-start
[4] https://lists.ubuntu.com/archives/upstart-devel/2013-April/002492.html
Signed-off-by: David Röthlisberger <david@rothlis.net>
This tests ensures that the content from a dir within a build is carried
over even if VOLUME for that dir is specified in the Dockerfile. This
test ensures this long standing functionality.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
_docker_run and _docker_create had only one differing line.
This refactoring features:
- direct completion for both commands to the same function
- factor out the common arguments, sort & format them nicely
- compute the argument for _docker_pos_first_nonflag.
Signed-off-by: Harald Albers <github@albersweb.de>
When we use the engine/env object we can run into a situation where
a string is passed in as the value but later on when we json serialize
the name/value pairs, because the string is made up of just numbers
it appears as an integer and not a string - meaning no quotes. This
can cause parsing issues for clients.
I tried to find all spots where we call env.Set() and the type of the
name being set might end up having a value that could look like an int
(like author). In those cases I switched it to use env.SetJson() instead
because that will wrap it in quotes.
One interesting thing to note about the testcase that I modified is that
the escaped quotes should have been there all along and we were incorrectly
letting it thru. If you look at the metadata stored for that resource you
can see the quotes were escaped and we lost them during the serialization
steps because of the env.Set() stuff. The use of env is probably not the
best way to do all of this.
Closes: #9602
Signed-off-by: Doug Davis <dug@us.ibm.com>
This test tests nothing because of error in cmd, where "echo 'should
fail'" passed as binary. Also this test directly contradicts
documentation and current daemon behavior.
Fixes#7826
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
When the user is not using the full has to retrieve a container it's
possible that we find conflicts with the ids of other containers.
At the moment it's just failing saying that it can not find a container,
but it doesn't say why. Adding a small log saying that duplicates where
found is going to help the user.
Closes#8098
Signed-off-by: Alex Gonzalez <agonzalezro@gmail.com>
Fixed a missing link and a few small formatting issues. Also deleted 1.3 notes as originally intended.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
This tests ensures that the content from a dir within a build is carried
over even if VOLUME for that dir is specified in the Dockerfile. This
test ensures this long standing functionality.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
He is unfortunately out of power and internet because of storms :(
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
This patch fixes the permission fixing code used by addContext, which
would not be responsible for Lchown-ing top-level directories added to a
destination that didn't exist prior to untar-ing the context.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
I was confused earlier when I did:
```
docker push localhost.localdomain:1234/foo
```
Because docker told me:
```
No such id: localhost.localdomain:1234/foo
```
I actually had buried in my mind the solution to this, but the error
message
confused me because I had recently had some fun trying to get the
registry
working and therefore thought it was telling me that I didn't have an
account
on the registry.
This pull request makes it unambiguous that the error is that the
specified
image is unknown.
/cc @cpuguy83
Docker-DCO-1.1-Signed-off-by: Peter Waller <p@pwaller.net> (github: pwaller)
Sometimes rm begins before process death, but Kill called already after
it, so we get error - no such process.
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
Incase of a 3xx redirect the var was being overshowed and ever changed
causing an infinite loop.
Fixes#9480
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Forbid `docker run -t` with a redirected stdin (such as `echo test |
docker run -ti busybox cat`). Forbid `docker exec -t` with a redirected
stdin. Forbid `docker attach` with a redirect stdin toward a tty enabled
container.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
This makes sure that we don't buffer in memory and that we also flush
stdin from diff as well as untar.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Copying the entire docker service file isn't necessary to add an
environment variable, instead use a drop-in configuration file. The nice
side-effect is that the user gets any vendor updates to the
docker.service file.
Signed-off-by: Brandon Philips <brandon.philips@coreos.com>
If two interrupts were fired really quickly interruptCount could have been incremented twice before the LoadUint32 making cleanup not being called at all.
Signed-off-by: Erik Dubbelboer <erik@dubbelboer.com>
This adds the docker daemon's root directory to docker info when running
in debug mode. This allows the user to view the root directory where
docker is writing and storing state.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Update the webhook JSON payloads to real ones,
and show there is a difference between an automated build webhook payload and a normal repo payload
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@docker.com> (github: SvenDowideit)
Signed-off-by: Sven Dowideit <SvenDowideit@docker.com>
Permissions after an ADD or COPY build instructions are now restricted
to the scope of files potentially modified by the operation rather than
the entire impacted tree.
Fixes#9401.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
I've re-jigged the run man page so that each option's text begins with the
cli's help text for that flag, and then ay subsequent lines in the man page
are carried forward.
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au> (github: SvenDowideit)
Right now 'docker build' will send:
Sending build context to Docker daemon
to stderr, instead of stdout. This PR fixes that.
I looked in the rest of api/client/commands.go for other cases
that might do this and only one jumped out at me:
https://github.com/docker/docker/blob/master/api/client/commands.go#L2202
but I think if I changed that to go to stdout then it'll mess people up
who are expecting just the container ID to be printed to the screen and
there is no --quiet type of flag we can check.
Closes#9404
Signed-off-by: Doug Davis <dug@us.ibm.com>
The installation guide for EC2 is outdated, as the current version of Amazon Linux (2014.09) is now Docker ready. No need to go through the manual route anymore. The official AMI has Docker packages in the repository now (this was the 'pre-release' option in the outdated instructions).
Docker-DCO-1.1-Signed-off-by: David Mat <david@davidmat.com> (github: davidmat)
The code no longer assumes a net.TCPConn underlying the HTTP connection
in order to close attached streams.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Another update to TarSum tests, this patch fixes an issue where
the benchmarks were generating archives incorrectly by not closing
the tarWriter.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
With 32ba6ab from #9261, TempArchive now closes the underlying file and
cleans it up as soon as the file's contents have been read. When pushing
an image, PushImageLayerRegistry attempts to call Close() on the layer,
which is a TempArchive that has already been closed. In this situation,
Close() returns an "invalid argument" error.
Add a Close method to TempArchive that does a no-op if the underlying
file has already been closed.
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
These two cases did not actually read the same content with each iteration
of the benchmark. After the first read, the buffer was consumed. This patch
corrects this by using a bytes.Reader and seeking to the beginning of the
buffer at the beginning of each iteration.
Unfortunately, this benchmark was not actually as fast as we believed. But
the new results do bring its results closer to those of the other benchmarks.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Use transaction logic during device deletion and do rollback if transaction
is not complete. Following is the sequence of events.
- Open transaction and save to metafile
- Delete device from pool
- Delete device metadata file from disk
- Close Transaction
If docker crashes without closing transaction then rollback will take
place upon next docker start.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Finally this patch uses the notion of transaction for device or snapshot
device creation.
Following is sequence of event.
- Open a trasaction and save details in a file.
- Create a new device/snapshot device
- If a new device id is used, refresh transaction with new device id details.
- Create device metadata file
- Close transaction.
If docker crashes anywhere in between without closing transaction, then
upon next start, docker will figure out that there was a pending transaction
and it will roll back transaction. That is it will do following.
- Delete Device from pool
- Delete device metadata file
- Remove transaction file to mark no transaction is pending.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Finally, we seem to have all the bits to keep track of all used device
Ids and find a free device Id to use when creating a new device. Start
using it.
Ideally we should completely move away from retry logic when pool returns
-EEXISTS. For now I have retained that logic and I simply output a warning.
When things are stable, we should be able to get rid of it.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Open code createDevice() and createSnapDevice() and move all the logic
in the caller.
This is a sheer code reorganization so that all device Id allocation
logic is in one function. That way in case of erros, one can easily
cleanup and mark device Id free again. (Later patches benefit from
it).
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Right now we are accessing devices.NextDeviceId directly and also
incrementing it at various places.
Instead provide a helper function which is responsile for
incrementing NextDeviceId and return next deviceId.
This is just code structuring. This will help later once we
convert this function to find a free device Id and it goes
through a bitmap of used/free device Ids.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
When docker starts, build a used/free Device Id map from the per
device meta files we already have. These meta files have the data
which device Ids are in use. Parse these files and mark device as
used in the map.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently devicemapper backend does not keep track of used device Ids in
the pool. It tries a device Id and if that device Id exists in pool, it
tries with a different Id and keeps on doing this in a loop till it succeeds.
This worked fine so far but now we are moving to transaction based
device creation and deletion. We will keep deviceId information in
transaction which will be rolled back if docker crashed before transaction
was complete.
If we store a deviceId in transaction and later figure out it already
existed in pool and docker crashed, then we will rollback and remove
that existing device Id from pool (which we should not have).
That means, we should know free device Id in pool in advance before
we put that device Id in transaction.
Hence this patch creates a bitmap (one bit each for a deviceId), and
sets the bit if device Id is used otherwise resets it. This patch
is just preparing the ground right now. Actual usage will follow
in later patches.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Right now setupBaseImage() uses deleteDevice() to delete uninitialized
base image while rest of the code uses DeleteDevice(). Change it and
use a common function everywhere for the sake of uniformity.
I can't see what harm can be done by doing little extra locking done
by DeleteDevice().
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Very soon we will have the notion of an open transaction and keep its
details in a metafile.
When a new transaction is opened, we allocate a new transaction Id,
do the device creation/deletion and then we will close the transaction.
I thought that OpenTransactionId better represents the semantics of
transaction Id associated with an open transaction instead of NewtransactionId.
This patch just does the renaming. No functionality change.
I have also introduced a structure "Transaction" which will keep all
the details associated with a transaction. Later patches will add more
fields in this structure.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently new transaction Id is created using allocateTransactionId()
function. This function takes NewTransactionId and bumps up by one
to create NewTransactionId.
I think ideally we should be bumping up devices.TransactionId by 1
to come up with NewTransactionId. Because idea is that devices.TransactionId
contains the current pool transaction Id and to come up with a new
transaction Id bump it up by one.
Current code is not wrong as we are keeping NewTransactionId and
TransactionId in sync. But it will be more direct if we look at
devices.TransactionId to come up with NewTransactionId. That way
we don't have to even initialize NewTransactionId during startup
as first time somebody wants to do a transaction, it will be
allocated fresh.
So simplify the code a bit. No functionality change.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently updatePoolTransactionId() checks if NewTransactionId and
TransactionId are not same only then update the transaction Id in pool. This
check is redundant. Currently we call updatePoolTransactionId() only from
two places and both of these first allocate a new transaction Id.
Also updatePoolTransactionId() should only be called after allocating
new transaction Id otherwise it does not make any sense.
Remove the redundant check and reduce confusion.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Create two new helper functions for device and snap device creation. These
functions will not only create the device and also register the device.
Again, makes the code structure better and keeps all transaction logic
contained to functions instead of spilling over into functions like
setupBaseImage or AddDevice().
Just the code reorganization. No functionality change.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently registerDevice() adds a device to in-memory table, saves metadata
and also updates the pool transaction ID.
Now move transaciton Id update out of registerDevice() and provide a new
function unregisterDevice() which does the reverse of registerDevice().
This will simplify some code down the line and make it more structured.
This is just code reorganization and should not change functionality.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently devicemapper CreateDevice and CreateSnapDevice keep on retrying
device creation till a suitable device id is found.
With new transaction mechanism we need to store device id in transaction
before it has been created.
So change the logic in such a way that caller decides the devices Id to
use. If that device Id is not available, caller bumps up the device Id
and retries.
That way caller can update transaciton too when it tries a new Id. Transaction
related patches will come later in the series.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
When we are deleting a device, we also delete associated metadata file. If
that file removal fails, we are adding back the device in in-memory
table. I really can't see what's the point. When next lookup takes place
it will be automatically loaded if need be. Remove that code.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Right now initMetaData() first queries the pool for current transaciton Id
and then it migrates the old metafile.
Move pool transaction Id query and file migration in separate functions
for better code reuse and organization.
Given we have removed device transaction Id dependency from saveMetaData(),
we don't have to query pool transaction Id before migrating files.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Right now saveMetaData() is kind of little overloaded function. It is
supposed to save file metadata to disk. But in addition if user has
bumped up NewTransactionId before calling saveMetaData(), then it will
also update the transaction ID in pool.
Keep saveMetaData() simple and let it just save the file. Any update
of pool transaction ID is done inline in the code which needs it.
Also create an helper function updatePoolTransactionId() to update pool
transaction Id.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Remove call to allocateTransactionId() during device removal. This seems to
be unnecessary and it is not clear what this call is doing.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Again, just because device transaction id is greater than pool transaction
id, it does not guarantee that device is in the pool. So do not check
of this during loading of device metadata.
Docker needs to deal with it. And device activation will fail when we try
to activate a device for whom metafile is present but there is no device
in the pool.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Current code is associating a transaction id with each device and if pool
transaction id is greater that value, then current code assumes that device
is there in pool.
Transaction id of pool is a mechanism so that during device creation and
removal one can define a transaction and during startup figure out if
transaction was complete or not. I think we are using transaction id
throughout the code little inappropriately.
For example, if a device is being deleted, it is possible that we deleted
the device from pool but before we could delete metafile docker crashed.
When docker comes back it will think that device is in the pool (due to
device transaction id being less than pool transaction id) but device
is not in the pool.
Similary, it could happen that some data in the pool is corrupted and
during pool repair some devices are lost (without docker knowing about
it). In that case tool pool transaction id will be higher than device
transaction id and there are no guaratees that device is actually in
the pool.
So move away from this model where we think that a device is in pool if pool
transaction id is greater than device transaction Id. Per device
transaction Id just says that after device creation this should be pool's
transaction Id and nothing more.
Transaction id is per pool property (as opposed to per device property) and
will be used internally to figure out if last transaction was complete or
not and recover from failure during docker startup.
If for some reason metafile is present but device is not in pool, then
device activation will fail later.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Documented --storage-opt=[] option in man page. Content taken from:
daemon/graphdriver/devmapper/README.md
Signed-off-by: Michal Minar <miminar@redhat.com>
Docker-DCO-1.1-Signed-off-by: Michal Minar <miminar@redhat.com> (github: SvenDowideit)
Current description is misleading. It make an impression the --icc=false
prevents containers to talk with each other.
Signed-off-by: Michal Minar <miminar@redhat.com>
Docker-DCO-1.1-Signed-off-by: Michal Minar <miminar@redhat.com> (github: SvenDowideit)
I noticed that 3 of the tarsum test cases had expected a tarsum with
a sha256 hash of
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
As I've been working with sha256 quite a bit lately, it struck me that
this is the initial digest value for sha256, which means that no data
was processed. However, these tests *do* process data. It turns out that
there was a bug in the test handling code which did not wait for tarsum
to end completely. This patch corrects these test cases.
I'm unaware of anywhere else in the code base where this would be an issue,
though we definitily need to look out in the future to ensure we are
completing tarsum reads (waiting for EOF).
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Since Linux 3.18-rc6, overlayfs has been renamed overlay.
This change was introduced by the following commit in linux.git:
ef94b1864d1ed5be54376404bb23d22ed0481feb ovl: rename filesystem type to "overlay"
Signed-off-by: Lénaïc Huard <lhuard@amadeus.com>
Properly CloseWrite() the client socket once done with stdin when using
TLS connection (this used to rely on an erroneous type assertion).
Fixes#8658.
Fixes#8642.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Signed-off-by: Michael Crosby <crosby.michael@gmail.com>
Sometimes other programs can bind on ports from our range, so we just
skip this ports on allocation.
Fixes#9293
Probably fixes#8714
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Prior to this patch, one would get the output of docker inspect xxx
as below:
user@server:/mnt$ docker inspect ubuntu
[{
"Architecture": "amd64",
...
"VirtualSize": 199257566
}
]user@server:/mnt$
The last ']' was on the same line with the prompt, i wonder if it is
really what we want it be, it is a little weird, so i add a '\n' to it.
Signed-off-by: Hu Keping <hukeping@huawei.com>
Updated the documentation to cover the installation of Docker on
openSUSE and on SUSE Linux Enterprise.
Docker-DCO-1.1-Signed-off-by: Flavio Castelli <fcastelli@suse.com> (github: flavio)
The documentation for EXPOSE seems to indicate, that EXPOSE is only relevant in
the context of links, which is not the case.
Signed-off-by: Jacob Atzen <jatzen@gmail.com>
Current implementation is comingling things that ought not be together.
There are _some_ similarities between parsing for the different proto
types, but they are more different than alike, making the code extremely
difficult to reason about.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Currently this content gets a system label and is not writable based on
SELinux controls. This patch will set the labels to the correct label.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
The -n and --networking options were removed because they are
unsupported.
Bash completion should not reveal the existence of otherwise
undocumented unsupported options.
Signed-off-by: Harald Albers <github@albersweb.de>
This reverts commit 967a42f116.
Signed-off-by: Tatsushi Inagaki <e29253@jp.ibm.com>
Roll back the change to fix the parameter of HumanSize from int64 to float64
This moves the IsGIT and IsURL functions out of the generic `utils`
package and into their own `urlutil` pkg.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Signed-off-by: Tibor Vass <teabee89@gmail.com>
Conflicts:
pkg/archive/archive.go
fixed conflict which git couldn't fix with the added BreakoutError
Conflicts:
pkg/archive/archive_test.go
fixed conflict in imports
These settings need to be in the HostConfig so that they are not
committed to an image and cannot introduce a security issue.
We can safely move this field from the Config to the HostConfig
without any regressions because these settings are consumed at container
created and used to populate fields on the Container struct. Because of
this, existing settings will be honored for containers already created
on a daemon with custom security settings and prevent values being
consumed via an Image.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Conflicts:
daemon/create.go
changing config to hostConfig was required to fix the
build
This ensures that ServerAddress is set, while previously it was getting
set after configFile.Configs.
Signed-off-by: Vaidas Jablonskis <jablonskis@gmail.com>
A lot of flags have been added on the output of `docker help`. Use a
more robust method to extract the list of available subcommands by
spotting the `Command:` line and the next blank line.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Adds pertitent information about what is expected in the json payload
and comments out unsupported (exec) features in runConfig.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The gist here is a reemphasizing of the explicitly "user mutable" bits by putting them first (and hopefully improving readability a little bit in the process).
Signed-off-by: Andrew Page <admwiggin@gmail.com>
I also needed to add a mflag.IsSet() function that allows you to check
to see if a certain flag was actually specified on the cmd line.
Per #9221 - also tweaked the docs to fix a typo.
Closes#9221
Signed-off-by: Doug Davis <dug@us.ibm.com>
If you execute
DEBUG=-g hack/make.sh dynbinary
Docker will be build with the debug info making it easier to use
cgdb or lightide to debug.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
still supports the old form: ENV name value
Also, fixed an issue with the parser where it would ignore lines
at the end of the Dockerfile that ended with \
Closes#2333
Signed-off-by: Doug Davis <dug@us.ibm.com>
This fixes the removal of TempArchives which can read with only one
read. Such archives weren't getting removed because EOF wasn't being
triggered.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Mark the daemon listening ports as allocated in the portallocator in
order to prevent containers from exposing this port themselves.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Now filter name is trimmed and lowercased before evaluation for case
insensitive and whitespace trimemd check.
Signed-off-by: Oh Jinkyun <tintypemolly@gmail.com>
This adds an integration test for checking that the network namespace
fds are the same when a container joins another container's network
namespace.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Fixes:
- link -H windows is not compatible with -linkmode external
- under Cygwin go does not play well with cygdrive type paths
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Common patterns:
- Multiple images were built with same name but only one cleanup.
- Containers were deleted after images.
- Images not removed after retagging.
Signed-off-by: Tõnis Tiigi <tonistiigi@gmail.com> (github: tonistiigi)
COPY/ADD just copies the contents of dirs, not dirs themselves.
This PR tries to clear that up in the docs.
Closes#8775
Signed-off-by: Doug Davis <dug@us.ibm.com>
Next steps, in another PR, would be:
- make all logging go through the logrus stuff
- I'd like to see if we can remove the env var stuff (like DEBUG) but we'll see
Closes#5198
Signed-off-by: Doug Davis <dug@us.ibm.com>
Currently we set up a cookie and upon failure not call UdevWait(). This
does not cleanup the cookie and associated semaphore and system will
soon max out on total number of semaphores.
To avoid this, call UdevWait() even in failure path which in turn will
cleanup associated semaphore.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Vincent Batts <vbatts@redhat.com>
used path package instead of path/filepath so that --volumes and
--device parameters to always validate paths as unix paths instead of
OS-dependent path convention
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
pkg/archive contains code both invoked from cli (cross platform) and
daemon (linux only) and Unix-specific dependencies break compilation on
Windows. We extracted those stat-related funcs into platform specific
implementations at pkg/system and added unit tests.
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
Some parts of pkg/archive is called on both client/daemon code. To get
it compiling on Windows, these funcs are extracted into files with
build tags.
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
TreeSize uses syscall.Stat_t which is not available on Windows.
It's called only on daemon path, therefore extracting it to daemon
with build tag 'daemon'
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
SIGCHLD and SIGWINCH used in api/client (cli code) are not
available on Windows. Extracting into separate files with build
tags.
Signed-off-by: Ahmet Alp Balkan <ahmetb@microsoft.com>
Fixes#8942
Current behavior is that volumes aren't initialized until start.
Volumes still need to be initialized on start since VolumesFrom and
Binds can be passed in as part of HostConfig on start, however anything
that's already been initialized will just be skipped as is the current
behavior.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Therer is a bug in the 'skip' decision when exporting a repository
(`docker save repo`)
Only the layers of the first image are included in the archive (the
layers of the next images are missing)
Signed-off-by: Anthony Baire <Anthony.Baire@irisa.fr>
Since the build uses ubuntu 14.04, which has an old btrfs, include the
buildtags needed for this old version to not break the build.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
I was trying to just build the Docker client but DOCKER_CLIENTONLY wasn't
getting passed thru from the shell to the container building docker.
So, this PR passes this var (via the -e option) on the docker run command
so we pick it up from the devs shell when running "make ...".
While in there I pulled all of the "-e" options into a new Makefile variable
so its easy to see just the list of env vars we pass along.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Fixes#1171Fixes#6465
Data passed to mount(2) is clipped to PAGE_SIZE if its bigger. Previous
implementation checked if error was returned and then started to append layers
one by one. But if the PAGE_SIZE clipping appeared in between the paths, in the
permission sections or in xino definition the call would not error and
remaining layers would just be skipped(or some other unknown situation).
This also optimizes system calls as it tries to mount as much as possible with
the first mount.
Signed-off-by: Tõnis Tiigi <tonistiigi@gmail.com> (github: tonistiigi)
this test checks if exposing a large number of ports in Dockerfile properly
saves the port in configs. We dont actually expose a VERY large number of ports
here because the result is the same and it increases the test time by a few
seconds
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Signal proxy does work only in non-TTY mode (--tty=false). Man pages and
commands should not lie about it.
Signed-off-by: Michal Minar <miminar@redhat.com>
Ideally lvm2 would be used to create/manage the thin-pool volume that is
then handed to docker to exclusively create/manage the thin and thin
snapshot volumes needed for it's containers. Managing the thin-pool
outside of docker makes for the most feature-rich method of having
docker utilize device mapper thin provisioning as the backing storage
for docker's containers. lvm2-based thin-pool management feature
highlights include: automatic or interactive thin-pool resize support,
dynamically change thin-pool features, automatic thinp metadata checking
when lvm2 activates the thin-pool, etc.
Docker will not activate/deactivate the specified thin-pool device but
it will exclusively manage/create thin and thin snapshot volumes in it.
Docker will not take ownership of the specified thin-pool device unless
it has 0 data blocks used and a transaction id of 0. This should help
guard against using a thin-pool that is already in use.
Also fix typos in setupBaseImage() relative to the thin volume type of
the base image.
Docker-DCO-1.1-Signed-off-by: Mike Snitzer <snitzer@redhat.com> (github: snitm)
Otherwise udev can unecessarily execute various rules (and issue
scanning IO, etc) against the thin-pool -- which can never be a
top-level device.
Docker-DCO-1.1-Signed-off-by: Mike Snitzer <snitzer@redhat.com> (github: snitm)
Some workloads rely on IPC for communications with other processes. We
would like to split workloads between two container but still allow them
to communicate though shared IPC.
This patch mimics the --net code to allow --ipc=host to not split off
the IPC Namespace. ipc=container:CONTAINERID to share ipc between containers
If you share IPC between containers, then you need to make sure SELinux labels
match.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Took care of some review comments from crosbymichael.
v2:
- Return "err = nil" if file deviceset-metadata file does not exist.
- Use json.Decoder() interface for loading deviceset metadata.
v3:
- Reverted back to json marshal interface in loadDeviceSetMetaData().
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Saving ports as `map[nat.Port]struct{}` directly has ordering issue which is
more replicatable where we expose a huge number of ports at the same time. As a
result, the cache will be burst whenever the map order is different from the
previous build.
This sorts the ports first and save them as a whitespace-separated list instead
of the map representation, so the order will always be consistent if the port
list isnt changed.
NOTICE: this will burst the old expose caches
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
changing order of EXPOSE ports should not invalidate the cache as the content
doesnt change
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Whenever a command arguments is formed by a large linked list, repeatedly
appending to arguments and displayed messages took a long time because go will
have to allocate/copy a lot of times.
This speeds up the allocation by preallocate arrays of correct size for args
and msg
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
I noticed a few things that were bugging me in the output
of the integration-cli tests.
- one of the tests used println to stdout so we had garage sent to the screen
- some of the test, in their final log message, didn't include the name of
the group/file e.g. daemon - run,iptables was just run,iptables
And yes, I noticed this because I'm anal :-) but also because we should keep
the output of the tests as clean as possible so its easy to spot it when
things go bad.
Signed-off-by: Doug Davis <dug@us.ibm.com>
This passed the --net=container:CONTINER_ID to lxc-start as --share-net
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
The Docker Governance Advisory Board (DGAB) met for the first time Tue 10/21/2014.
Among other topics, the DGAB reviewed and refreshed the Docker Project Statement of Direction.
(Sven added from the Pull Req #9055)
Docker-DCO-1.1-Signed-off-by: Scott Johnston <scott.johnston@docker.com> (github: j0hnst0n)
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
Current implementation is hard to reason about because of trying to mix
unix/tcp server implementations, even though they are quite different.
This cleans that up.
Also makes it possible to create and manage a new API server easily,
e.g. for adding an introspection socket to a container.
Built in such a way as to allow a non-HTTP server to work as well, such
as libchan.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Linking to the docs readme to help would-be contributors discover the style guide and docs contribution guidelines.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Running parseVolumesFromSpec on all VolumesFrom specs before initialize
any mounts endures that we don't leave container.Volumes in an
inconsistent (partially initialized) if one of out mount groups is not
available (e.g. the container we're trying to mount from does not
exist).
Keeping container.Volumes in a consistent state ensures that next time
we Start() the container, it'll run prepareVolumes() again.
The attached test demonstrates that when a container fails to start due
to a missing container specified in VolumesFrom, it "remembers" a Volume
that worked.
Fixes: #8726
Signed-off-by: Thomas Orozco <thomas@orozco.fr>
We might want to break it up into smaller pieces (eg. tools in one
place, documents in another) but let's worry about that later.
Signed-off-by: Solomon Hykes <solomon@docker.com>
Signed-off-by: Prasanna Gautam <prasannagautam@gmail.com>
I found that certain docker installations do not handle binding to the source directory quite right. Just writing it based on help from backjlack and tibor in IRC.
Since the containers can handle the out of memory kernel kills gracefully, docker
will only provide out of memory information as an additional metadata as part of
container status.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
This patch fixes the compilation errors in Docker due to changes in the
libcontainer/user API. There is no functionality change due to this
patch.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This patch updates the vendor'd libcontainer version, so that Docker can
take advantage of the updates to the `user` API.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
Removing Sonat from docs maintainers because he no longer has time to complete all the responsibilities. Many thanks to Sonat for his help.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
The current implementation of the Docker Hub returns a list of objects
containing the tag name and the layer id.
Docker-DCO-1.1-Signed-off-by: Vincent Giersch <vincent.giersch@ovh.net>
In previous patch I had introduce json:"-" tags to be on safer side to make
sure certain fields are not marshalled/unmarshalled. But struct fields
starting with small letter are not exported so they will not be marshalled
anyway. So remove json:"-" tags from there.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Lxc driver was throwing errors for mounts where the mount point does not exist in the container.
This adds a create=dir/file mount option to the lxc template, to alleviate this issue.
Docker-DCO-1.1-Signed-off-by: Abin Shahab <ashahab@altiscale.com> (github: ashahab-altiscale)
We removed the syncpipe package and replaced it with specific calls to
create a new *os.File from a specified fd passed to the process. This
reduced code and an extra object to manage the container's init
lifecycle.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
My pull request failed the build due to gofmat issues. I have run gofmt
on specified files and this commit fixes it.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Now, newly created/imported layers will have the checksum of
the layer diff computed and stored in the image json file.
For now, it is not an error if the computed checksum does not
match an existing checksum, only a warning message is logged. The
eventual goal is to use the checksums in the image JSON to verify
the integrity of the layer contents when doing `docker load` or
`docker pull`, and error out if it does not match.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Instead of only checking `Progress != nil` (which is always true because
the server sends `"progressDetail":{}` when it doesnt have the progress), we
also check if `Progress.String() != ""`, which should be sufficient to filter
out the progress data.
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
The way thin-pool right now is designed, user space is supposed to keep
track of what device ids have already been used. If user space tries to
create a new thin/snap device and device id has already been used, thin
pool retuns -EEXIST.
Upon receiving -EEXIST, current docker implementation simply tries the
NextDeviceId++ and keeps on doing this till it finds a free device id.
This approach has two issues.
- It is little suboptimal.
- If device id already exists, current kenrel implementation spits out
a messsage on console.
[17991.140135] device-mapper: thin: Creation of new snapshot 33 of device 3 failed.
Here kenrel is trying to tell user that device id 33 has already been used.
And this shows up for every device id docker tries till it reaches a point
where device ids are not used. So if there are thousands of container and
one is trying to create a new container after fresh docker start, expect
thousands of such warnings to flood console.
This patch saves the NextDeviceId in a file in
/var/lib/docker/devmapper/metadata/deviceset-metadata and reads it back
when docker starts. This way we don't retry lots of device ids which
have already been used.
There might be some device ids which are free but we will get back to them
once device numbers wrap around (24bit limit on device ids).
This patch should cut down on number of kernel warnings.
Notice that I am creating a deviceset metadata file which is a global file
for this pool. So down the line if we need to save more data we should be
able to do that.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
I was trying to save nextDeviceId to a file but it would not work and
json.Marshal() will do nothing. Then some search showed that I need to
make first letter of struct field capital, exporting this field and
now json.Marshal() works.
This is a preparatory patch for the next one.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Currently we save device metadata and have a helper function saveMetadata()
which converts data in json format as well as saves it to file. For
converting data in json format, one needs to know what is being saved.
Break this function down in two functions. One function only has file
write capability and takes in argument about byte array of json data.
Now this function does not have to know what data is being saved. It
only knows about a stream of json data is being saved to a file.
This allows me to reuse this function to save a different type of
metadata. In this case I am planning to save NextDeviceId so that
docker can use this device Id upon next restart. Otherwise docker
starts from 0 which is suboptimal.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
The current Dev version of TarSum includes hashing of extended
file attributes and omits inclusion of modified time headers.
I refactored the logic around the version differences to make it
more clear that the difference between versions is in how tar
headers are selected and ordered.
TarSum Version 1 is now declared with the new Dev version continuing
to track it.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
This removes the pull of the hello-world image from install.sh to
address privacy concerns.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Fixed the following errors:
1. Request(0) causes a dead loop when the map is full and map.last == BEGIN.
2. When map.last is the only available port (or ip), Request(0) returns ErrAllPortsAllocated (or ErrNoAvailableIPs). Exception is when map.last == BEGIN.
Signed-off-by: shuai-z <zs.broccoli@gmail.com>
This re-applies commit b39d02b with additional iptables rules to solve the issue with containers routing back into themselves.
The previous issue with this attempt was that the DNAT rule would send traffic back into the container it came from. When this happens you have 2 issues.
1) reverse path filtering. The container is going to see the traffic coming in from the outside and it's going to have a source address of itself. So reverse path filtering will kick in and drop the packet.
2) direct return mismatch. Assuming you turned reverse path filtering off, when the packet comes back in, it's goign to have a source address of itself, thus when the reply traffic is sent, it's going to have a source address of itself. But the original packet was sent to the host IP address, so the traffic will be dropped because it's coming from an address which the original traffic was not sent to (and likely with an incorrect port as well).
The solution to this is to masquerade the traffic when it gets routed back into the origin container. However for this to work you need to enable hairpin mode on the bridge port, otherwise the kernel will just drop the traffic.
The hairpin mode set is part of libcontainer, while the MASQ change is part of docker.
This reverts commit 63c303eecd.
Docker-DCO-1.1-Signed-off-by: Patrick Hemmer <patrick.hemmer@gmail.com> (github: phemmer)
The argument specified the json data to save to disk when registering
a new image into the image graph. If it is nil, then the given image
is serialized to json and that is written by default. This default
behavior is sufficient if the given image was originally deserialzed
from this jsonData to begin with which has always been the case.
Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
E.g. "docker foobar run" would have printed "Command not found:
foobar" and printed the help text for "run". It should instead
print the root help message for docker.
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
While working on the fix for #8330 I noticed a few things:
1 - the split() call for the .dockerignore process will generate a blank
"exclude". While this isn't causing an issue right now, I got worried
that in the future some code later on might interpret "" as something bad,
like "everything" or ".". So I added a check for an empty "exclude"
and skipped it
2 - if someone puts "foo" in their .dockerignore then we'll skip "foo".
However, if they put "./foo" then we won't due to the painfully
simplistic logic of go's filepath.Match algorithm. To help things
a little (and to treat ./Dockerfile just like Dockerfile) I added
code to filepath.Clean() each entry in .dockerignore. It should
result in the same semantic path but ensure that no matter how the
user expresses the path, we'll match it.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Reuse WORKDIR wording to specify that the USER instructions affect the
following RUN, CMD, and ENTRYPOINT instructions.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Since V2 registry does not yet implement mirrors, when mirrors are given automatically fallback to V1 without checking V2 first.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The note under the RUN header refers to the CMD instruction. It should refer to the RUN instruction instead.
Signed-off-by: Huu Nguyen <whoshuu@gmail.com>
- Removed some commands related to autocomplete/symlinks that don't seem to be required anymore on Ubuntu 14.04
- Fixed one minor typo ("see LINK _for_ details," not "see LINK details")
- Moved section "Giving non-root access" to top level, rather than being under Ubuntu 13 (the section isn't specific to Ubuntu 13, and even references Ubuntu 14).
Signed-off-by: Scott Walls <sawalls@umich.edu>
Fix issue with restoring the tag store and setting static configuration
from the daemon. i.e. the field on the TagStore struct must be made
internal or the json.Unmarshal in restore will overwrite the insecure
registries to be an empty struct.
Signed-off-by: Michael Crosby <michael@docker.com>
Conflicts:
graph/pull.go
graph/push.go
graph/tags.go
With current implementation there was a possibility
that /start responds quicker than /attach, meaning that
some output would be clipped.
Fixed so the implementation matches with `docker run`.
This also fixes the flaky test results for TestCreateEchoStdout.
Signed-off-by: Tõnis Tiigi <tonistiigi@gmail.com> (github: tonistiigi)
Fixes#8832
All stdio streams need to finish writing before the
connection can be closed.
Signed-off-by: Tõnis Tiigi <tonistiigi@gmail.com> (github: tonistiigi)
Update for changes in docker 1.2. Running the docker daemon with "-r=false" has been deprecated in favor of per-container restart policies.
Signed-off-by: wilsaj <wilson.andrew.j+github@gmail.com>
If we need to raise an error, make sure the internal state is clean, because
a successful driver.Get() may have its internal state changed (eg. counting,
or mounts), while callers will only do that after a succussful Mount().
Signed-off-by: shuai-z <zs.broccoli@gmail.com>
Includes changes to mkdocs yml and removes style info from docs Read Me, adding a link instead.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Conflicts:
docs/README.md
Revisions to style guide based on review.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
More Style Guide revisions based on review.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
A few more style guide copy edits
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
By default is a demo of file differences, but can be used to create a
tar of changes between an old and new path.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
In an effort to make layer content 'stable' between import
and export from two different graph drivers, we must resolve
an issue where AUFS produces metadata files in its layers
which other drivers explicitly ignore when importing.
The issue presents itself like this:
- Generate a layer using AUFS
- On commit of that container, the new stored layer contains
AUFS metadata files/dirs. The stored layer content has some
tarsum value: '1234567'
- `docker save` that image to a USB drive and `docker load`
into another docker engine instance which uses another
graph driver, say 'btrfs'
- On load, this graph driver explicitly ignores any AUFS metadata
that it encounters. The stored layer content now has some
different tarsum value: 'abcdefg'.
The only (apparent) useful aufs metadata to keep are the psuedo link
files located at `/.wh..wh.plink/`. Thes files hold information at the
RW layer about hard linked files between this layer and another layer.
The other graph drivers make sure to copy up these psuedo linked files
but I've tested out a few different situations and it seems that this
is unnecessary (In my test, AUFS already copies up the other hard linked
files to the RW layer).
This changeset adds explicit exclusion of the AUFS metadata files and
directories (NOTE: not the whiteout files!) on commit of a container
using the AUFS storage driver.
Also included is a change to the archive package. It now explicitly
ignores the root directory from being included in the resulting tar archive
for 2 reasons: 1) it's unnecessary. 2) It's another difference between
what other graph drivers produce when exporting a layer to a tar archive.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
This backend uses the overlayfs union filesystem for containers
plus hard link file sharing for images.
Each container/image can have a "root" subdirectory which is a plain
filesystem hierarchy, or they can use overlayfs.
If they use overlayfs there is a "upper" directory and a "lower-id"
file, as well as "merged" and "work" directories. The "upper"
directory has the upper layer of the overlay, and "lower-id" contains
the id of the parent whose "root" directory shall be used as the lower
layer in the overlay. The overlay itself is mounted in the "merged"
directory, and the "work" dir is needed for overlayfs to work.
When a overlay layer is created there are two cases, either the
parent has a "root" dir, then we start out with a empty "upper"
directory overlaid on the parents root. This is typically the
case with the init layer of a container which is based on an image.
If there is no "root" in the parent, we inherit the lower-id from
the parent and start by making a copy if the parents "upper" dir.
This is typically the case for a container layer which copies
its parent -init upper layer.
Additionally we also have a custom implementation of ApplyLayer
which makes a recursive copy of the parent "root" layer using
hardlinks to share file data, and then applies the layer on top
of that. This means all chile images share file (but not directory)
data with the parent.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
The vfs storage driver currently shells out to the `cp` binary on the host
system to perform an 'archive' copy of the base image to a new directory.
The archive option preserves the modified time of the files which are created
but there was an issue where it was unable to preserve the modified time of
copied symbolic links on some host systems with an outdated version of `cp`.
This change no longer relies on the host system implementation and instead
utilizes the `CopyWithTar` function found in `pkg/archive` which is used
to copy from source to destination directory using a Tar archive, which
should correctly preserve file attributes.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
This will allow us to use a common Git prefix check for both api/clients/commands.go and
builder/job.go. Previous prefix check in build from Git (in builder/jobs.go) ignored valid prefixes such as "git@", "http://" or "https://".
Signed-off-by: Lakshan Perera <lakshan@laktek.com>
Made a few tweaks to Dockerfile tutorial links and removed some cruft from the tutorial itself.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
If we first request port 49153 (BeginPortRange) explicitly, and later some time request the next free port (of same ip/proto) by calling RequestPort() with port number 0, we will again get 49153 returned, even if it's currently in use. Because findPort() blindly retured BeginPortRange the first run, without checking if it has already been taken.
Signed-off-by: shuai-z <zs.broccoli@gmail.com>
when a container failed to start, saves the error message into State.Error so
that it can be retrieved when calling `docker inspect` instead of having to
look at the log
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Never close attached stream before both stdout and stderr have written
all their buffered contents. Remove stdinCloser because it is not needed
any more as the stream is closed anyway after attach has finished.
Fixes#3631
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
Do not run containers in the background in the integration tests if you
depend on the run completing. It is better especially if you just want
to ensure that the run has completed with a `true` to just run in
foreground and use a known name for the container to query it after it
has stopped.
The failures can be reproduced on most machines by giving your dind
container one core and a cpushare.
docker run -c 200 --cpuset 0 -ti --rm --privileged -e
DOCKER_GRAPHDRIVER=vfs docker hack/make.sh binary test-integration-cli
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
As of 1.3 `docker ps` no longer shows links between containers.
This updates the documentation to reflect that change.
sudo docker docker inspect -f "{{ .HostConfig.Links }}" web
Signed-off-by: Philipp Weissensteiner <mail@philippweissensteiner.com>
graphdriver is not always specified when the log printed, because
it's provided in another thread. This patch will fix this.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
So far, it looks like the declarations are not used, and so its safer not to
confuse people into thinking they do something.
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@docker.com> (github: SvenDowideit)
Fixes#1992
Right now when you `docker cp` a path which is in a volume, the cp
itself works, however you end up getting files that are in the
container's fs rather than the files in the volume (which is not in the
container's fs).
This makes it so when you `docker cp` a path that is in a volume it
follows the volume to the real path on the host.
archive.go has been modified so that when you do `docker cp mydata:/foo
.`, and /foo is the volume, the outputed folder is called "foo" instead
of the volume ID (because we are telling it to tar up
`/var/lib/docker/vfs/dir/<some id>` and not "foo", but the user would be
expecting "foo", not the ID
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
We do this to prevent leakage of information, we don't want people
to be able to probe for existing content.
According to RFC 2616, "This status code (404) is commonly used when the server does not
wish to reveal exactly why the request has been refused, or when no other response i
is applicable."
https://www.ietf.org/rfc/rfc2616.txt
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request SHOULD NOT be repeated.
If the request method was not HEAD and the server wishes to make
public why the request has not been fulfilled, it SHOULD describe the
reason for the refusal in the entity. If the server does not wish to
make this information available to the client, the status code 404
(Not Found) can be used instead.
10.4.5 404 Not Found
The server has not found anything matching the Request-URI. No
indication is given of whether the condition is temporary or
permanent. The 410 (Gone) status code SHOULD be used if the server
knows, through some internally configurable mechanism, that an old
resource is permanently unavailable and has no forwarding address.
This status code is commonly used when the server does not wish to
reveal exactly why the request has been refused, or when no other
response is applicable.
When docker is running through its certificates, it should continue
trying with a new certificate even if it gets back a 404 error code.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
zsh completion is updated with the content of
felixr/docker-zsh-completion.
The major change since the last merge is the addition of
exec/create (but they were already present in the docker repository) as
well as pause/unpause/logout/events and the use of short/long options
when they are available. Some missing options were also added.
12f00abd7178 Add completion for `exec'
4e2faa075f9a Merge `run' and `create' commands.
34134de077de Add missing long/short options for most commands.
d09f62339ab5 Add completion for `pause' and `unpause'
e4754c3b3b9d Add completion for `logout'
e0935eb3d5d2 Add completion for `events'
dae353cb9afb Add completion for `create`
Docker-DCO-1.1-Signed-off-by: Vincent Bernat <vincent@bernat.im> (github: vincentbernat)
The Dockerfile Instruction to create the .vnc directory results in a failure :
-storepasswd failed for file: /root/.vnc/passwd
Signed-off-by: Madhu Venugopal <madhu@socketplane.io>
Use /etc/os-release to determine distro
Contents of /etc/os-release on Amazon Linux AMI 2014.09:
NAME="Amazon Linux AMI"
VERSION="2014.09"
ID="amzn"
ID_LIKE="rhel fedora"
VERSION_ID="2014.09"
PRETTY_NAME="Amazon Linux AMI 2014.09"
ANSI_COLOR="0;33"
CPE_NAME="cpe:/o:amazon:linux:2014.09:ga"
HOME_URL="http://aws.amazon.com/amazon-linux-ami/"
Signed-off-by: Amit Bakshi <ambakshi@gmail.com>
Signed-off-by: Jessica Frazelle <jess@docker.com>
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Added link for CVEs.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Fixed some URLs.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
Added link for CVEs.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
An initial start to migration of the API tests from integration to
the integration-cli model.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
(github: estesp)
Made it clear signed images is a preview feature and added a little more info about how the feature works.
Docker-DCO-1.1-Signed-off-by: Fred Lifton <fred.lifton@docker.com> (github: fredlf)
First off, sorry for the noise. This is a cleaner step of #8508
Found more of a root cause of the open file handles.
After more testing I found that the open file descriptors will still
occur for TCP:// connections to the daemon, causing client and/or daemon
to fail.
The issue was instantiating a new http.Transport on _ever_ client
request. So each instance held the prior connection alive, but was only
ever used once.
By moving it out to the initilization of DockerCli, we can now have
reuse of idled connections. Simplifies the garbage overhead of the
client too, though that's not usually a deal.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Failure to do this means that file capabilites are not preserved in the image.
Ping fails to work as a non-root user if cap_net_raw is capability is not set
Signed-off-by: Dan Griffin <dgriffin@peer1.com>
I didn't realize the commit required a Docker-DCO so it failed the travis-ci build. So I removed the commit from my forked repo. Now it looks like there is a pull request with no commit. So here it is again:
Needed to add '--releasever=/' flag to run yum groupinstall on Centos7 (didn't try on anything else). This snippet from yum man page explains why:
```
Note: You may also want to use the option --releasever=/ when creating the installroot as otherwise the $releasever value is taken from the rpmdb within the installroot (and thus. will be empty, before creation).
```
Docker-DCO-1.1-Signed-off-by: Matt Schurenko <matt.schurenko@gmail.com> (github: mschurenko)
2014-07-12 12:15:42 -07:00
2711 changed files with 392148 additions and 167061 deletions
# Note: right now we don't use go-specific features of travis.
# Later we might automate "go test" etc. (or do it inside a docker container...?)
language:go
go:
# This should match the version in the Dockerfile.
- 1.3.1
# Test against older versions too, just for a little extra retrocompat.
- 1.2
# Let us have pretty experimental Docker-based Travis workers.
# (These spin up much faster than the VM-based ones.)
sudo:false
# Disable the normal go build.
install:
- export DOCKER_BUILDTAGS='exclude_graphdriver_btrfs exclude_graphdriver_devicemapper'# btrfs and devicemapper fail to compile thanks to a couple missing headers (which we can't install thanks to "sudo: false")
- export AUTO_GOPATH=1
# some of Docker's unit tests don't work inside Travis (yet!), so we purge those test files for now
- rm -f daemon/graphdriver/btrfs/*_test.go# fails to compile (missing header)
- rm -f daemon/graphdriver/devmapper/*_test.go# fails to compile (missing header)
- rm -f daemon/execdriver/lxc/*_test.go# fails to run (missing "lxc-start")
- rm -f daemon/graphdriver/aufs/*_test.go# fails to run ("backing file system is unsupported for this graph driver")
- rm -f daemon/graphdriver/vfs/*_test.go# fails to run (not root, which these tests assume "/var/tmp/... no owned by uid 0")
- rm -f daemon/networkdriver/bridge/*_test.go# fails to run ("Failed to initialize network driver")
- rm -f graph/*_test.go# fails to run ("mkdir /tmp/docker-test.../vfs/dir/foo/etc/postgres: permission denied")
- rm -f pkg/mount/*_test.go# fails to run ("permission denied")
+ `commit --change` to apply specified Dockerfile instructions while committing the image
+ `import --change` to apply specified Dockerfile instructions while importing the image
+ Builds no longer continue in the background when canceled with CTRL-C
#### Client
+ Windows Support
#### Runtime
+ Container and image Labels
+ `--cgroup-parent` for specifying a parent cgroup to place container cgroup within
+ Logging drivers, `json-file`, `syslog`, or `none`
+ Pulling images by ID
+ `--ulimit` to set the ulimit on a container
+ `--default-ulimit` option on the daemon which applies to all created containers (and overwritten by `--ulimit` on run)
## 1.5.0 (2015-02-10)
#### Builder
+ Dockerfile to use for a given `docker build` can be specified with the `-f` flag
* Dockerfile and .dockerignore files can be themselves excluded as part of the .dockerignore file, thus preventing modifications to these files invalidating ADD or COPY instructions cache
* ADD and COPY instructions accept relative paths
* Dockerfile `FROM scratch` instruction is now interpreted as a no-base specifier
* Improve performance when exposing a large number of ports
#### Hack
+ Allow client-side only integration tests for Windows
* Include docker-py integration tests against Docker daemon as part of our test suites
#### Packaging
+ Support for the new version of the registry HTTP API
* Speed up `docker push` for images with a majority of already existing layers
- Fixed contacting a private registry through a proxy
#### Remote API
+ A new endpoint will stream live container resource metrics and can be accessed with the `docker stats` command
+ Containers can be renamed using the new `rename` endpoint and the associated `docker rename` command
* Container `inspect` endpoint show the ID of `exec` commands running in this container
* Container `inspect` endpoint show the number of times Docker auto-restarted the container
* New types of event can be streamed by the `events` endpoint: ‘OOM’ (container died with out of memory), ‘exec_create’, and ‘exec_start'
- Fixed returned string fields which hold numeric characters incorrectly omitting surrounding double quotes
#### Runtime
+ Docker daemon has full IPv6 support
+ The `docker run` command can take the `--pid=host` flag to use the host PID namespace, which makes it possible for example to debug host processes using containerized debugging tools
+ The `docker run` command can take the `--read-only` flag to make the container’s root filesystem mounted as readonly, which can be used in combination with volumes to force a container’s processes to only write to locations that will be persisted
+ Container total memory usage can be limited for `docker run` using the `—memory-swap` flag
* Major stability improvements for devicemapper storage driver
* Better integration with host system: containers will reflect changes to the host's `/etc/resolv.conf` file when restarted
* Better integration with host system: per-container iptable rules are moved to the DOCKER chain
- Fixed container exiting on out of memory to return an invalid exit code
#### Other
* The HTTP_PROXY, HTTPS_PROXY, and NO_PROXY environment variables are properly taken into account by the client when connecting to the Docker daemon
## 1.4.1 (2014-12-15)
#### Runtime
- Fix issue with volumes-from and bind mounts not being honored after create
## 1.4.0 (2014-12-11)
#### Notable Features since 1.3.0
+ Set key=value labels to the daemon (displayed in `docker info`), applied with
new `-label` daemon flag
+ Add support for `ENV` in Dockerfile of the form:
`ENV name=value name2=value2...`
+ New Overlayfs Storage Driver
+ `docker info` now returns an `ID` and `Name` field
+ Filter events by event name, container, or image
+ `docker cp` now supports copying from container volumes
- Fixed `docker tag`, so it honors `--force` when overriding a tag for existing
image.
## 1.3.3 (2014-12-11)
#### Security
@@ -46,7 +323,7 @@
#### Builder
- Fix escaping `$` for environment variables
- Fix issue with lowercase `onbuild` Dockerfile instruction
- Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
- Restrict environment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
## 1.3.0 (2014-10-14)
@@ -214,7 +491,7 @@
#### Hack
* Clean up "go test" output from "make test" to be much more readable/scannable.
* Excluse more "definitely not unit tested Go source code" directories from hack/make/test.
* Exclude more "definitely not unit tested Go source code" directories from hack/make/test.
+ Generate md5 and sha256 hashes when building, and upload them via hack/release.sh.
- Include contributed completions in Ubuntu PPA.
+ Add cli integration tests.
@@ -494,7 +771,7 @@ With the ongoing changes to the networking and execution subsystems of docker te
* The ADD instruction now supports caching, which avoids unnecessarily re-uploading the same source content again and again when it hasn’t changed
* The new ONBUILD instruction adds to your image a “trigger” instruction to be executed at a later time, when the image is used as the base for another build
* Docker now ships with an experimental storage driver which uses the BTRFS filesystem for copy-on-write
* Docker is officially supported on Mac OSX
* Docker is officially supported on Mac OSX
* The Docker daemon supports systemd socket activation
## 0.7.6 (2014-01-14)
@@ -548,12 +825,12 @@ With the ongoing changes to the networking and execution subsystems of docker te
- Fix ADD caching issue with . prefixed path
- Fix docker build on devicemapper by reverting sparse file tar option
- Fix issue with file caching and prevent wrong cache hit
* Use same error handling while unmarshalling CMD and ENTRYPOINT
* Use same error handling while unmarshalling CMD and ENTRYPOINT
#### Documentation
* Simplify and streamline Amazon Quickstart
* Install instructions use unprefixed fedora image
* Install instructions use unprefixed Fedora image
* Update instructions for mtu flag for Docker on GCE
+ Add Ubuntu Saucy to installation
- Fix for wrong version warning on master instead of latest
@@ -728,7 +1005,7 @@ With the ongoing changes to the networking and execution subsystems of docker te
* Improve unit tests
* The test suite now runs all tests even if one fails
* Refactor C in Go (Devmapper)
- Fix OSX compilation
- Fix OSX compilation
## 0.7.0 (2013-11-25)
@@ -746,7 +1023,7 @@ With the ongoing changes to the networking and execution subsystems of docker te
#### Runtime
* Improve stability, fixes some race conditons
* Improve stability, fixes some race conditions
* Skip the volumes mounted when deleting the volumes of container.
* Fix layer size computation: handle hard links correctly
# see https://git.fedorahosted.org/cgit/lvm2.git/refs/tags for release tags
# note: we don't use "git clone -b" above because it then spews big nasty warnings about 'detached HEAD' state that we can't silence as easily as we can silence them using "git checkout" directly
# Compile and install lvm2
RUNcd /usr/local/lvm2 && ./configure --enable-static_link && make device-mapper && make install_device-mapper
RUNcd /usr/local/lvm2 \
&& ./configure --enable-static_link \
&& make device-mapper \
&& make install_device-mapper
# see https://git.fedorahosted.org/cgit/lvm2.git/tree/INSTALL
# to allow `make BINDDIR=. shell` or `make BINDDIR= test`
# env vars passed through directly to Docker's build scripts
# to allow things like `make DOCKER_CLIENTONLY=1 binary` easily
# `docs/sources/contributing/devenvironment.md ` and `project/PACKAGERS.md` have some limited documentation of some of these
DOCKER_ENVS:=\
-e BUILDFLAGS \
-e DOCKER_CLIENTONLY \
-e DOCKER_DEBUG \
-e DOCKER_EXECDRIVER \
-e DOCKER_EXPERIMENTAL \
-e DOCKER_GRAPHDRIVER \
-e DOCKER_STORAGE_OPTS \
-e DOCKER_USERLANDPROXY \
-e TESTDIRS \
-e TESTFLAGS \
-e TIMEOUT
# note: we _cannot_ add "-e DOCKER_BUILDTAGS" here because even if it's unset in the shell, that would shadow the "ENV DOCKER_BUILDTAGS" set in our Dockerfile, which is very important for our official builds
# to allow `make BIND_DIR=. shell` or `make BIND_DIR= test`
# (default to no bind mount if DOCKER_HOST is set)
BINDDIR:=$(if$(DOCKER_HOST),,bundles)
# to allow `make DOCSPORT=9000 docs`
DOCSPORT:=8000
# note: BINDDIR is supported for backwards-compatibility here
fmt.Fprintln(cli.err,`SECURITY WARNING: You are building a Docker image from Windows against a non-Windows Docker host. All files and directories added to build context will have '-rwxr-xr-x' permissions. It is recommended to double check and reset permissions for sensitive files and directories.`)
// Package client provides a command-line interface for Docker.
//
// Run "docker help SUBCOMMAND" or "docker SUBCOMMAND --help" to see more information on any Docker subcommand, including the full list of options supported for the subcommand.
// See https://docs.docker.com/installation/ for instructions on installing Docker.
flAuthor:=cmd.String([]string{"a","#author","-author"},"","Author (e.g., \"John Hannibal Smith <hannibal@a-team.com>\")")
flChanges:=opts.NewListOpts(nil)
cmd.Var(&flChanges,[]string{"c","-change"},"Apply Dockerfile instruction to the created image")
// FIXME: --run is deprecated, it will be replaced with inline Dockerfile commands.
flConfig:=cmd.String([]string{"#run","#-run"},"","This option is deprecated and will be removed in a future version in favor of inline Dockerfile-compatible commands")
// CmdImport creates an empty filesystem image, imports the contents of the tarball into the image, and optionally tags the image.
//
// The URL argument is the address of a tarball (.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) file or a path to local file relative to docker client. If the URL is '-', then the tar file is read from STDIN.
cmd:=Cli.Subcmd("import",[]string{"file|URL|- [REPOSITORY[:TAG]]"},"Create an empty filesystem image and import the contents of the\ntarball (.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) into it, then\noptionally tag it.",true)
flChanges:=opts.NewListOpts(nil)
cmd.Var(&flChanges,[]string{"c","-change"},"Apply Dockerfile instruction to the created image")
cmd.Require(flag.Min,1)
cmd.ParseFlags(args,true)
var(
v=url.Values{}
src=cmd.Arg(0)
repository=cmd.Arg(1)
)
v.Set("fromSrc",src)
v.Set("repo",repository)
for_,change:=rangeflChanges.GetAll(){
v.Add("changes",change)
}
ifcmd.NArg()==3{
fmt.Fprintf(cli.err,"[DEPRECATED] The format 'file|URL|- [REPOSITORY [TAG]]' has been deprecated. Please use file|URL|- [REPOSITORY[:TAG]]\n")
// CmdLogin logs in or registers a user to a Docker registry service.
//
// If no server is specified, the user will be logged into or registered to the registry's index server.
//
// Usage: docker login SERVER
func(cli*DockerCli)CmdLogin(args...string)error{
cmd:=Cli.Subcmd("login",[]string{"[SERVER]"},"Register or log in to a Docker registry server, if no server is\nspecified \""+registry.IndexServer+"\" is the default.",true)
// CmdLogout logs a user out from a Docker registry.
//
// If no server is specified, the user will be logged out from the registry's index server.
//
// Usage: docker logout [SERVER]
func(cli*DockerCli)CmdLogout(args...string)error{
cmd:=Cli.Subcmd("logout",[]string{"[SERVER]"},"Log out from a Docker registry, if no server is\nspecified \""+registry.IndexServer+"\" is the default.",true)
// If a private port is specified, it also shows the public-facing port that is NATed to the private port.
//
// Usage: docker port CONTAINER [PRIVATE_PORT[/PROTO]]
func(cli*DockerCli)CmdPort(args...string)error{
cmd:=Cli.Subcmd("port",[]string{"CONTAINER [PRIVATE_PORT[/PROTO]]"},"List port mappings for the CONTAINER, or lookup the public-facing port that\nis NAT-ed to the PRIVATE_PORT",true)
// A running container is stopped by first sending SIGTERM and then SIGKILL if the container fails to stop within a grace period (the default is 10 seconds).
returnnil,resp.StatusCode,fmt.Errorf("Error: request returned %s for API route and version %s, check if the server supports the requested API version",http.StatusText(resp.StatusCode),req.URL)
}
returnnil,resp.StatusCode,fmt.Errorf("Error response from daemon: %s",bytes.TrimSpace(body))
returnserverResp,fmt.Errorf("Error: request returned %s for API route and version %s, check if the server supports the requested API version",http.StatusText(serverResp.statusCode),req.URL)
// Available version information is shown for: client Docker version, client API version, client Go version, client Git commit, client OS/Arch, server Docker version, server API version, server Go version, server Git commit, and server OS/Arch.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
