Do not run the seccomp tests that use default.json on non x86 architectures
Upstream-commit: 4d376e9cc265c098c7faf03d0e75c1164cbf24e0
Component: engine
Add support for two now filter on the `images` command : `before` and
`since`. They work the same as the one on the `ps` command but for
images.
$ docker images --filter before=myimage
# display all images older than myimage
$ docker images --filter since=myimage
# display all images younger than myimage
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 750e16f57c0121aa8cdad1763f0bb6e54b8c6d75
Component: engine
This fix tries to address the issue raised in #21976 and allows
the options of `--add-host` and `--net=host` to work at the same time.
The documentation has been updated and additional tests have been
added to cover this change.
This fix fixes#21976.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 90bd41a74d57080711678bffa2bc4371020ee3a5
Component: engine
The generated profile that we check in is for amd64 and i386 architectures
and does not work correctly on arm as it is missing required syscalls,
and also specifies the architectures that are supported. It works on
ppc64le at the moment but better to skip the test as it is likely to
break in future.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 75385dc216e784d24535326376352de03eaeb059
Component: engine
This fix tries to address the issue raised in #21976 and allows
the options of `--dns`, `--dns-search`, `--dns-opt` and `--net=host`
to work at the same time.
The documentation has been updated and additional tests have been
added to cover this change.
This fix fixes#21976.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 23821fe5867427fa36c265bc994b1a2c3cf9b21f
Component: engine
Fixes the test by loading in the architecture specific busybox
image when the test daemon starts.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: 7832e2ae82ae56e9719c6930b054f643285a79b3
Component: engine
Currently, using a custom detach key with an invalid sequence, eats a
part of the sequence, making it weird and difficult to enter some key
sequence.
This fixes by keeping the input read when trying to see if it's the key
sequence or not, and "writing" then is the key sequence is not the right
one, preserving the initial input.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 0fb6190243d6101f96283e487cd4911142a05483
Component: engine
This fix tries to cover the issue raised in #22463 by adding
filter for events emitted by docker daemon so that user could
utilize filter to receive events of interest.
Documentations have been updated for this fix.
Additional tests have been added to cover the changes in this fix.
This fix fixes#22463.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 62014aaf9abeb4256cb66e7ae06bfdf5a77d1140
Component: engine
This fix tries to cover the issue raised in #22463 by emitting
events for docker daemon so that user could be notified by
scenarios like config reload, etc.
This fix adds the `daemon reload`, and events for docker daemon.
Additional tests have been added to cover the changes in this fix.
This fix fixes#22463.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 382c152a73dfa1d771334ffbe79759c5c3596144
Component: engine
It appears that on some systems apparmor gets in the way of libc.so.6
shared library being loaded - which means the ping fails.
To get around this if we run ping under `/lib64/ld-linux-x86-64.so.2`
then it works. So we only do this for linux and only if the first attempt
fails. If this 2nd attempt fails then we'll show the original error to
the user for debugging.
Also s/Output/CombinedOutput/ to help debugging in the future. It didn't
show the real error msg.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: 94d057130461b3b56957b2755da9dae00a937e81
Component: engine
This was not changed when the additional tests were added.
It may be the reason for occasional test failures.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 3598f2e33198686f0afa08aca640dbda8697fcb2
Component: engine
This test is not applicable anymore now that containers are not stopped
when the daemon is restored.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 31e903b0e17d01a4240f7890218a80088d32658c
Component: engine
The filtering is made server-side, and the following filters are
supported:
* is-official (boolean)
* is-automated (boolean)
* has-stars (integer)
Signed-off-by: Fabrizio Soppelsa <fsoppelsa@mirantis.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: e009ebdf4c0bf0ff64da8d48eefad63d0644de3e
Component: engine
This fix tries to address issues raised in #20936 and #22443
where `docker pull` or `docker push` fails because of the
concurrent connection failing.
Currently, the number of maximum concurrent connections is
controlled by `maxDownloadConcurrency` and `maxUploadConcurrency`
which are hardcoded to 3 and 5 respectively. Therefore, in
situations where network connections don't support multiple
downloads/uploads, failures may encounter for `docker push`
or `docker pull`.
This fix tries changes `maxDownloadConcurrency` and
`maxUploadConcurrency` to adjustable by passing
`--max-concurrent-uploads` and `--max-concurrent-downloads` to
`docker daemon` command.
The documentation related to docker daemon has been updated.
Additional test case have been added to cover the changes in this fix.
This fix fixes#20936. This fix fixes#22443.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 7368e41c07c21a1e2c6a49abecd1c2fc76404e49
Component: engine
Currently the default seccomp profile is fixed. This changes it
so that it varies depending on the Linux capabilities selected with
the --cap-add and --cap-drop options. Without this, if a user adds
privileges, eg to allow ptrace with --cap-add sys_ptrace then still
cannot actually use ptrace as it is still blocked by seccomp, so
they will probably disable seccomp or use --privileged. With this
change the syscalls that are needed for the capability are also
allowed by the seccomp profile based on the selected capabilities.
While this patch makes it easier to do things with for example
cap_sys_admin enabled, as it will now allow creating new namespaces
and use of mount, it still allows less than --cap-add cap_sys_admin
--security-opt seccomp:unconfined would have previously. It is not
recommended that users run containers with cap_sys_admin as this does
give full access to the host machine.
It also cleans up some architecture specific system calls to be
only selected when needed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: a01c4dc8f85827f32d88522e5153dddc02f11806
Component: engine
Add the swapMemorySupport requirement to all tests related to the OOM killer. The --memory option has the subtle side effect of defaulting --memory-swap to double the value of --memory. The OOM killer doesn't kick in until the container exhausts memory+swap, and so without the memory swap cgroup the tests will timeout due to swap being effectively unlimited.
Document the default behavior of --memory-swap in the docker run man page.
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Upstream-commit: adabb51311ecac031bd72378c5ed1669d1835d40
Component: engine
Fixes the negative networking test to include the new error string
from recent Windows builds.
Signed-off-by: Justin Terry <juterry@microsoft.com>
Upstream-commit: 47ef6d7969a3396f6ecc3bb27aac425b1a65b344
Component: engine
Since 1.9, Docker Content Trust Offline key has been renamed to
Root key and the Tagging key has been renamed to Repository key.
The corresponding environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE`
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE`
have also been deprecated and renamed to
`DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`
`DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`
This fix removed the deprecated ENV passphrase variables for
1.12 and updated the docs.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 1f0d5aba50803ff401197f96f6a830384d0c04c5
Component: engine
