The remote API allows full privilege escalation and is equivalent to
having root access on the host. Because of this, the API should never
be accessible through an insecure connection (TCP without TLS, or TCP
without TLS verification).
Although a warning is already logged on startup if the daemon uses an
insecure configuration, this warning is not very visible (unless someone
decides to read the logs).
This patch attempts to make insecure configuration more visible by sending
back warnings through the API (which will be printed when using `docker info`).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 547b993e07330f3e74cba935975fce05e8661381
Component: engine
This feature allows user to specify list of subnets for global
default address pool. User can configure subnet list using
'swarm init' command. Daemon passes the information to swarmkit.
We validate the information in swarmkit, then store it in cluster
object. when IPAM init is called, we pass subnet list to IPAM driver.
Signed-off-by: selansen <elango.siva@docker.com>
Upstream-commit: f7ad95cab9cc7ba8925673a933028d53284c13f5
Component: engine
This fix migrates some ipc container tests from integration-cli
to integration test.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 80c92c9b692b79273200b6e37f14a6d4e984ab8d
Component: engine
fix the race condition in the integration test TestRunContainerWithBridgeNone
Upstream-commit: 9149ef67be8ac945d68fafb16a1aa4ccb2f72249
Component: engine
This test occassionally fails on s390x and Power;
03:16:04 --- FAIL: TestExternalGraphDriver/pull (1.08s)
03:16:04 external_test.go:402: assertion failed: error is not nil: Error: No such image: busybox:latest
Most likely these failures are caused due to Docker Hub updating
the busybox:latest image, but not all architectures yet being
available.
Instead of using `:latest`, pull an image by digest, so that
the test doesn't depend on Docker Hub having all architectures
available for `:latest`.
I selected the same digest as is currently used as "frozen image"
in the Dockerfile.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 352db26d5fd896b681046b1119f07e0ce1ed45b8
Component: engine
This fix migrates some ipcmode tests in integration-cli
to integration tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: e0403604e26868b1546a766ab0b40b6cb1677ee6
Component: engine
It's already supported by `swarmkit`, and act the same as
`HostConfig.Init` on container creation.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: e401b88e59e098745744917c555d549f08353e6d
Component: engine
This adds MaskedPaths and ReadOnlyPaths options to HostConfig for containers so
that a user can override the default values.
When the value sent through the API is nil the default is used.
Otherwise the default is overridden.
Adds integration tests for MaskedPaths and ReadonlyPaths.
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
Upstream-commit: 3694c1e34e40fa2e255a97b5541645cec9c8d1d5
Component: engine
Updates swarmkit, grpc, and all related vendors
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Upstream-commit: 52ed3e0896c203013388a3eb603658f345a9d80a
Component: engine
This fix adds `t.Name()` to tests in integration/network
so that services created in those tests have unique names.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 76195f8047eb9a6be710d53ec493ab97bcf86e20
Component: engine
This fix was not yet included in Docker 17.05, so
API version v1.37 was not the right selector (Docker
18.03, 18.04 and 18.05 all support API v1.37).
We should change these checks for engine versions,
or use a different method to skip tests when running
against older engines.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: a061b1e2d8f6117b0524e44de7b6bc391245864e
Component: engine
remove unnescessary import aliases, brackets, and so on.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f23c00d8701e4bd0f2372a586dacbf66a26f9a51
Component: engine
