This fix tries to address the issue raised in 29972 where
it was not possible to specify `--read-only` for `docker service create`
and `docker service update`, in order to have the container's root file
system to be read only.
This fix adds `--read-only` and update the `ReadonlyRootfs` in `HostConfig`
through `service create` and `service update`.
Related docs has been updated.
Integration test has been added.
This fix fixes 29972.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 499a0dd43e50c6f253f8890f5c54ae99675b1e7e
Component: engine
Docker inspect "AppArmorProfile" field now shows "docker-default" when AppArmor is enabled and no other profile was defined
Upstream-commit: 61b2cda9f58a548bd62ac62c8896cfd7ccac6733
Component: engine
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
gofmt'd
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
change the function name to something more adequate and changed the behaviour to show empty value on an apparmor disabled system.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
go fmt
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Upstream-commit: d97a00dfd5ec884a98e087b1fc6e705459ca81e9
Component: engine
There is 5 calls left, that use StdinPipe that is not yet supported by
icmd.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: ecbb0e62f66da7d698c4f4583f36b927d8cfa811
Component: engine
This fix updates SwarmKit to 78ae345f449ac69aa741c762df7e5f0020f70275
(from 037b4913929019d44bc927870bf2d92ce9ca261f)
The following issues in docker are related
- Can not update service in host publish mode (#30199) (fixed)
- Add `ReadonlyRootfs` in ContainerSpec for `--read-only` (#29972) (needed)
- Explicitly disallow network pluginv1 creation in swarm mode
(See discussion in docker/swarmkit/pull/1899, docker/swarmkit/pull/1894,
and docker/docker/pull/30332#issuecomment-274277948)
This fix fixes#30199
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 849816dd0fbd70d0e46567fffc7416b667bff9b5
Component: engine
These are arm variants with different argument ordering because of
register alignment requirements.
fix#30516
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: d6adcd6a82ba0997fcc123090711b5502da5cbfd
Component: engine
The following command fails when the target directory does not exist.
$ sudo make install DOCKER_MAKE_INSTALL_PREFIX=/opt/docker AUTO_GOPATH=1
KEEPBUNDLE=1 hack/make.sh install-binary
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#
---> Making bundle: install-binary (in bundles/1.14.0-dev/install-binary)
Installing docker to /opt/docker/bin/
cp: cannot create regular file '/opt/docker/bin/': No such file or directory
make: *** [Makefile:119: install] Error 1
The patch installs the target directory before copying any binaries.
$ sudo make install DOCKER_MAKE_INSTALL_PREFIX=/opt/docker AUTO_GOPATH=1
KEEPBUNDLE=1 hack/make.sh install-binary
# WARNING! I don't seem to be running in a Docker container.
# The result of this command might be an incorrect build, and will not be
# officially supported.
#
# Try this instead: make all
#
---> Making bundle: install-binary (in bundles/1.14.0-dev/install-binary)
Installing docker to /opt/docker/bin/
Installing dockerd to /opt/docker/bin/
Installing docker-runc to /opt/docker/bin/
Installing docker-containerd to /opt/docker/bin/
Installing docker-containerd-ctr to /opt/docker/bin/
Installing docker-containerd-shim to /opt/docker/bin/
Installing docker-proxy to /opt/docker/bin/
Installing docker-init to /opt/docker/bin/
Signed-off-by: Gaël PORTAY <gael.portay@savoirfairelinux.com>
Upstream-commit: 425cd7d1c5c17af5eeebc241d289d81519e748ab
Component: engine
Adjust "nuke-graph-directory.sh" shebang to be explicitly Bash (includes a Bashism as of https://github.com/docker/docker/pull/27869)
Upstream-commit: 6d1937aa2d803e10124eea5ef68e2e4f89d3b4b3
Component: engine
This fix tries to address the issue raised in 29344 where it was
not possible to create log group for awslogs (CloudWatch) on-demand.
Log group has to be created explicitly before container is running.
This behavior is inconsistent with AWS logs agent where log groups
are always created as needed.
There were several concerns previously (See comments in 19617 and 29344):
1. There is a limit of 500 log groups/account/region so resource might
be exhausted if there is any typo or incorrect region.
2. Logs are generated for every container so CreateLogGroup (or equally,
DescribeLogGroups) might be called every time, which is redundant and
potentially surprising.
3. CreateLogStream and CreateLogGroup have different IAM policies.
This fix addresses the issue by add `--log-opt awslogs-create-group`
which by default is `false`. It requires user to explicitly request
that log groups be created as needed.
Related unit test has been updated. And tests have also been done
manually in AWS.
This fix fixes 29334.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 864b0c2e47e66e1037115b5d7267e641ba776d49
Component: engine
This fix is a follow up for comment:
https://github.com/docker/docker/pull/28896#issuecomment-265392703
Currently secret name or ID prefix resolving is done at the client
side, which means different behavior of API and CMD.
This fix moves the resolving from client to daemon, with exactly the
same rule:
- Full ID
- Full Name
- Partial ID (prefix)
All existing tests should pass.
This fix is related to #288896, #28884 and may be related to #29125.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: fa358a87571f9212f91d8fde6696926d76ecca64
Component: engine
