Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.
Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Upstream-commit: 2f7596aaef3a9f8ec1f2d0937462d9263bee8b6b
Component: engine
Before getReaderForOffset returned always nil and wrong offset.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: f3627c37269d02bacec42831f5a791ae4fd0bc5e
Component: engine
Also consolidate the leftover packages under cli.
Remove pkg/mflag.
Make manpage generation work with new cobra layout.
Remove remaining mflag and fix tests after rebase with master.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 14712f9ff0d20a3b64a60103608b8cc998909242
Component: engine
Warn the user and fail daemon start if the graphdir path has any
elements which will deny access to the remapped root uid/gid.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Upstream-commit: 43a1df6be2fa0c76b521680bbd5dc84db2cfd898
Component: engine
darwin had unbuildable support for our system.Stat() implementation.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Upstream-commit: 76a416ac37e5bd184990c93ed19aa6fa544b7b03
Component: engine
This fix tries to address the issue raised in 25927 where
the HTTP headers have been chaged when AUthZ plugin is in
place.
This issue is that in `FlushAll` (`pkg/authorization/response.go`),
the headers have been written (with `WriteHeader`) before all the
headers have bee copied.
This fix fixes the issue by placing `WriteHeader` after.
A test has been added to cover the changes.`
This fix fixes 25927
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 9cb8fb6ea03fcd78010ce7dd33585d96cd73e38c
Component: engine
Fix delete containers and make sure it prints errors correctly.
Rename Result.Fails to Result.Assert()
Create a constant for the default expected.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 243885808f5c69143679d094d964d333c47e69bf
Component: engine
Remove some run functions and replace them with the unified run command.
Remove DockerCmdWithStdoutStderr
Remove many duplicate runCommand functions.
Also add dockerCmdWithResult()
Allow Result.Assert() to ignore the error message if an exit status is expected.
Fix race in DockerSuite.TestDockerInspectMultipleNetwork
Fix flaky test DockerSuite.TestRunInteractiveWithRestartPolicy
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: d7022f2b46589cb9d860219e1d8278351ba147c3
Component: engine
if there is no cookie set in dm task, or flag DM_UDEV_DISABLE_LIBRARY_FALLBACK
is cleared for a DM_DEV_REMOVE task, libdevmapper will fallback to clean up the
symlink under /dev/mapper by itself, no matter the device removal is executed
immediately or deferred by the kernel.In some cases, the removal is deferred by the
kernel, while the symlink is deleted directly by libdevmapper, when docker tries to
activate the device again, the deferred removal will be canceld, but the symlink will
not show up again, so docker's attempt to mount the device by the symlink will fail,
and it will eventually leads to a `docker start/diff` error.
Fixes#24671
Signed-off-by: Ji.Zhilong <zhilongji@gmail.com>
Upstream-commit: 5e505d101f0201a4d045510d0a9b0c66697dedfe
Component: engine
Plugin discovery on Windows is not possible using named pipes. However,
it is possible using spec file (tcp based). This adds Windows specific
paths for discovery.
Fixes#23605
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Upstream-commit: 36cf93fb0c45ce62b3cb1e82e1ecae1486017c9b
Component: engine
The namespace unshare+pivot root is not possible when running inside a
user namespace, so fallback to the original "real" chroot code.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Upstream-commit: dc950567c105153c0a2f8b40d16b989bbddcdb3c
Component: engine
If we are running in a user namespace, don't try to mknod as
it won't be allowed. libcontainer will bind-mount the host's
devices over files in the container anyway, so it's not needed.
The chrootarchive package does a chroot (without mounting /proc) before
its work, so we cannot check /proc/self/uid_map when we need to. So
compute it in advance and pass it along with the tar options.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Upstream-commit: 617c352e9225b1d598e893aa5f89a8863808e4f2
Component: engine
This patch implements an Ellipsis utility to
append an ellipsis (...) when truncating
strings in output.
It also fixes the existing Truncate() utility
to be compatible with unicode/multibyte characters.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 51dc35cf23a5418e93128854bedc2e59d8ca743a
Component: engine
Fixes case where shutdown occurs before content is synced to disked
on layer creation. This case can leave the layer store in an bad
state and require manual recovery. This change ensures all files
are synced to disk before a layer is committed. Any shutdown that
occurs will only cause the layer to not show up but will allow it to
be repulled or recreated without error.
Added generic io logic to ioutils package to abstract it out of
the layer store package.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Upstream-commit: c37bd10f8cfc4cb6df5513881eed53e6c5f0be09
Component: engine
Problem Description:
An example scenario that involves deferred removal
1. A new base image gets created (e.g. 'docker load -i'). The base device is activated and
mounted at some point in time during image creation.
2. While image creation is in progress, a privileged container is started
from another image and the host's mount name space is shared with this
container ('docker run --privileged -v /:/host').
3. Image creation completes and the base device gets unmounted. However,
as the privileged container still holds a reference on the base image
mount point, the base device cannot be removed right away. So it gets
flagged for deferred removal.
4. Next, the privileged container terminates and thus its reference to the
base image mount point gets released. The base device (which is flagged
for deferred removal) may now be cleaned up by the device-mapper. This
opens up an opportunity for a race between a 'kworker' thread (executing
the do_deferred_remove() function) and the Docker daemon (executing the
CreateSnapDevice() function).
This PR cancel the deferred removal, if the device is marked for it. And reschedule the
deferred removal later after the device is resumed successfully.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
Upstream-commit: 0e633ee14aca32480ac4735675222c35f4e11d8c
Component: engine
Fixes: #25073
Update kernel memory on running containers without initialized
is forbidden only on kernel version older than 4.6.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: da5d66fb70064b093f73cc31eddb7e8285048161
Component: engine
