swarmkit's API type. Make sure this parameter gets propagated to
swarmkit, and also add an extra option to the CLI when providing
external CAs to parse the CA cert from a file.
Signed-off-by: Ying Li <ying.li@docker.com>
Upstream-commit: b0401a71f7479a52b2670346e0d1e97cb68089a4
Component: engine
This test shuts down two out of three managers and then asserts that the
swarm has a leader. A swarm that lost quorum won't necessarily have a
leader, and in this case only has one because the old leader is still
around. Soon SwarmKit will be changed so the leader gives up leadership
when quorum is lost. This will avoid confusing situations, like
read-only APIs succeeding, while ones that write to Raft hang.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: c27603238c5493909ec9b657b342b67b23e615e3
Component: engine
Server-side rollback can take advantage of the rollback-specific update
parameters, instead of being treated as a normal update that happens to
go back to a previous version of the spec.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: f9bd8ec8b268581f93095c5a80679f0a8ff498bf
Component: engine
This adds support for placement preferences in Swarm services.
- Convert PlacementPreferences between GRPC API and HTTP API
- Add --placement-pref, --placement-pref-add and --placement-pref-rm to CLI
- Add support for placement preferences in service inspect --pretty
- Add integration test
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 17288c611a4f3f75ecb3bbb4533820b1836c55a6
Component: engine
This fix tries to address the issue raised in 30178 where
service healthcheck is `{}` in remote API will result in
dns resolve failue.
The reason was that when service healthcheck is `{}`,
service binding was not done.
This fix fixes the issue.
An integration test has been added.
This fix fixes 30178.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 8feb5c5a48eaadc1686e3b370f7ef9be128dd3cb
Component: engine
This fix tries to address the issue raised in 30242 where the `Scope`
field always changed to `swarm` in the ouput of `docker network ls/inspect`
when duplicate networks name exist.
The reason for the issue was that `buildNetworkResource()` use network name
(which may not be unique) to check for the scope.
This fix fixes the issue by always use network ID in `buildNetworkResource()`.
A test has been added. The test fails before the fix and passes after the fix.
This fix fixes 30242.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 05a831a775be5e8d752deaef620e629deb15cb89
Component: engine
check to see if the node is part of a swarm, and if so, if it is unlocked first.
If neither of these are true, abort the command.
Signed-off-by: Ying Li <ying.li@docker.com>
Upstream-commit: a6a0880a22e2b135d8a20a46b9ba34c7a9cf2f10
Component: engine
… to make sure it doesn't fail. It also introduce StartWithError,
StopWithError and RestartWithError in case we care about the
error (and want the error to happen).
This removes the need to check for error and make the intent more
clear : I want a deamon with busybox loaded on it — if an error occur
it should fail the test, but it's not the test code that has the
responsability to check that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: c502fb49dc7af89adfb2a9686354aa78c2c46002
Component: engine
- use /secrets for swarm secret create route
- do not specify omitempty for secret and secret reference
- simplify lookup for secret ids
- do not use pointer for secret grpc conversion
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Upstream-commit: 189f89301e0abfee32447f2ca23dacd3a96de06d
Component: engine
- fix lint issues
- use errors pkg for wrapping errors
- cleanup on error when setting up secrets mount
- fix erroneous import
- remove unneeded switch for secret reference mode
- return single mount for secrets instead of slice
Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
Upstream-commit: 857e60c2f943a09e3ec0ac0f236821b797935900
Component: engine
A recent change fixed integration tests to use "API" in test names
instead of "Api". A new test was added in a PR opened before this
change, and didn't benefit from the cleanup. Fix its name.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 073d8115871f15ad36b6ab34e2af1f8f22ec333f
Component: engine
This adds support for two enhancements to swarm service rolling updates:
- Failure thresholds: In Docker 1.12, a service update could be set up
to either pause or continue after a single failure occurs. This adds
an --update-max-failure-ratio flag that controls how many tasks need to
fail to update for the update as a whole to be considered a failure. A
counterpart flag, --update-monitor, controls how long to monitor each
task for a failure after starting it during the update.
- Rollback flag: service update --rollback reverts the service to its
previous version. If a service update encounters task failures, or
fails to function properly for some other reason, the user can roll back
the update.
SwarmKit also has the ability to roll back updates automatically after
hitting the failure thresholds, but we've decided not to expose this in
the Docker API/CLI for now, favoring a workflow where the decision to
roll back is always made by an admin. Depending on user feedback, we may
add a "rollback" option to --update-failure-action in the future.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 6d4b527699b3e95d21d79f6b327252a6cdaca5b0
Component: engine
No substantial code change.
- Api --> API
- Cli --> CLI
- Http, Https --> HTTP, HTTPS
- Id --> ID
- Uid,Gid,Pid --> UID,PID,PID
- Ipam --> IPAM
- Tls --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)
Didn't touch in this commit:
- Git: because it is officially "Git": https://git-scm.com/
- Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
- Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Upstream-commit: 7fb7a477d79c67ab53c432977780662ccbfeec57
Component: engine
This moves the types for the `engine-api` repo to the existing types
package.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 91e197d614547f0202e6ae9b8a24d88ee131d950
Component: engine
This fix tries to address the issue raised in 26090 where
remote API `POST /services/(id or name)/update` cannot
use `name` to update. This is not consistent with the
documentation of the remote API.
This fix fixes this issue by performing a lookup with `getService`
in case `name` instead of `id` is used in API.
This fix adds an integration test to cover the changes.
This fix fixes 26090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 80e3975117161ae4ce00cc34c7e2b70e45ee43c5
Component: engine
Since 24237 has been merged, it is not necessary to require network
for swarm integration tests (`integration-cli/docker_api_swarm_test.go`)
any more.
This fix removes testRequires(c, Network) from swarm integration
tests.
This fix could be verified by disable networking, and all related
tests pass.
This fix is related to 24547, 24490, 24237.
This fix fixes 24547.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 85c9ef8a47fcf552ae9f436e7c00340dacf03030
Component: engine
It's too long to wait for reschedule.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 307b7b0d151e949024e7ab7ad276b174802a75f2
Component: engine
Ensure convergence before moving on with testing leader election
conditions. This reduce the flakiness of this test when run in different
environments.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: 946e23776be78510799f3f242f7b9f7acbbfd357
Component: engine
If no restart delay is specified for a swarm service, the default
restart delay is 5 seconds. This is a reasonable value for actual
deployments - one example of where it's useful is that if a bad image is
specified, the orchestrator will wait 5 seconds between attempts to
restart it instead of restarting it in a tight loop.
In integration tests, this 5 second delay is dead time. The tests run
faster if the delay is reduced. Set it to 100 ms to avoid the waste of
time.
This appears to speed up a few tests:
DockerSwarmSuite.TestApiSwarmForceNewCluster 37.241s -> 34.323s
DockerSwarmSuite.TestApiSwarmRestartCluster 22.038s -> 15.545s
DockerSwarmSuite.TestApiSwarmServicesMultipleAgents 24.456s -> 19.853s
DockerSwarmSuite.TestApiSwarmServicesStateReporting 19.240s -> 10.049s
...a small step towards making the Swarm integration tests run in a
reasonable amount of time.
Also, change the update delay for the rolling update test from 8 seconds
to 4 seconds, which should be sufficient to differentiate between
batches of updated tasks. This reduces the runtime for
DockerSwarmSuite.TestApiSwarmServicesUpdate from 28s to 20s.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: c93c6492589504ed9474922f7c98f9ecb24df77f
Component: engine
In `TestApiSwarmRestartCluster`, it's calling `checkClusterHealth`.
`checkClusterHealth` calls `d.info()`, which will return an error if
there is no cluster leader... problem is `checkClusterHealth` is doing a
nil error assertion w/o giving any time for a leader to be elected.
This moves the `d.info()` call into a `waitAndAssert` using the default
reconciliation timeout.
It also moves some other checks into a `waitAndAssert` to give the
cluster enough time to come back up.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: fdcde8bb65acf2c459e93678bf2659139ef5e918
Component: engine
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 57ae29aa74e77ade3c91b1c77ba766512dae9ab4
Component: engine
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: a0ccd0d42fdb0dd2005f67604cb81a5a6b26787e
Component: engine
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 2cc5bd33eef038bf5721582e2410ba459bb656e9
Component: engine
