Correct parent chain in v2 push when v1Compatibility files on the disk are inconsistent
Upstream-commit: c00c64c20eb65152b8f379e7efaf9e014656bcdd
Component: engine
This fixes an issue where two images with the same filesystem contents
and configuration but different remote IDs could share a v1Compatibility
file, resulting in corrupted manifests.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 0ab6b1d9221f7a2a65c6565fed8f3d6f29fcec2d
Component: engine
This fix avoids overwritting the previous error messages, ensures the client gets the correct error messages and not just the most recent message during the pull request.
For this `var lastErr` replaced with a slice which acts as a temp place holder for the list of returned error messages for every attempt.
The slice is later joined and returned to the caller function after searching for the image with diffirent versions(v2,v1,v0).
Updated the code with check for no space left on device error occurance and prevent the
daemon on falling back to v1,v0.
Incorporated the comments from @calavera, @RichardScothern, @cpuguy83
Signed-off-by: Anil Belur <askb23@gmail.com>
Upstream-commit: 31cdc63419a29badad2d79590db83fe617ee8e03
Component: engine
Exceptions for the windows base layer handling.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Upstream-commit: 18c7c34d4be593110a1c3df3f00c40eec4603dea
Component: engine
This change will allow us to run SELinux in a container with
BTRFS back end. We continue to work on fixing the kernel/BTRFS
but this change will allow SELinux Security separation on BTRFS.
It basically relabels the content on container creation.
Just relabling -init directory in BTRFS use case. Everything looks like it
works. I don't believe tar/achive stores the SELinux labels, so we are good
as far as docker commit.
Tested Speed on startup with BTRFS on top of loopback directory. BTRFS
not on loopback should get even better perfomance on startup time. The
more inodes inside of the container image will increase the relabel time.
This patch will give people who care more about security the option of
runnin BTRFS with SELinux. Those who don't want to take the slow down
can disable SELinux either in individual containers or for all containers
by continuing to disable SELinux in the daemon.
Without relabel:
> time docker run --security-opt label:disable fedora echo test
test
real 0m0.918s
user 0m0.009s
sys 0m0.026s
With Relabel
test
real 0m1.942s
user 0m0.007s
sys 0m0.030s
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Upstream-commit: 1716d497a420f0cd4e53a99535704c6d215e38c7
Component: engine
Importing an image currently logs an event with id:tag. This format is
strange and nonstandard - possibly a mistake. Just log the ID instead.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 77cd22ea73f83491d0e7e0fd084b6c6a2b1dc9cb
Component: engine
- Add a *version* file placeholder.
- Update autogen and builds to use it and an autogen build flag
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 8054a303870b81eebe05e38261c1b68197b68558
Component: engine
This updates the vendored docker/distribution to the current master
branch.
Note the following changes:
- The manifest package was split into manifest/schema1. Most references
to the manifest package in the engine needed to be updated to use
schema1 instead.
- Validation functions in api/v2 were replaced by the
distribution/reference package. The engine code has been updated to
use the reference package for validation where necessary. A future PR
will change the engine to use the types defined in
distribution/reference more comprehensively.
- The reference package explicitly allows double _ characters in
repository names. registry_test.go was updated for this.
- TestPullFailsWithAlteredManifest was corrupting the manifest JSON, now
that the schema1 package unmarshals the correct payload. The test is
being changed to modify the JSON without affecting its length, which
allows the pull to succeed to the point where digest validation
happens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 257c59251bd9a03aea4f3188a8160c54f37950ae
Component: engine
This reverts commit d5cd032a86617249eadd7142227c5355ba9164b4.
Commit caused issues on systems with case-insensitive filesystems.
Revert for now
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: b78ca243d9fc25d81c1b50008ee69f3e71e940f6
Component: engine
- Move autogen/dockerversion to version
- Update autogen and "builds" to use this package and a build flag
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: d5cd032a86617249eadd7142227c5355ba9164b4
Component: engine
Without this buffering, the compressor was outputting 64 bytes at a
time to the HTTP stream, which was resulting in absurdly small chunk
sizes and a lot of extra overhead. The buffering restores the chunk size
to 32768 bytes, which matches the behavior with 1.8.2.
Times pushing to a local registry:
1.8.2: 0m18.934s
master: 0m20.564s
master+this commit: 0m17.593s
Fixes: #17038
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: bb69f10df91fe5ed044e7f0c81a118a2b666757d
Component: engine
To be coherent with /images/json (images command)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: f664f6e4b19d4e155d78af2eacddcd941dae4fce
Component: engine
PR #15493 removed compression of layers when pushing them to a V2
registry. This this makes layer uploads larger than they should be.
This commit restores the compression. It uses an io.Pipe to turn the
gzip compressor output Writer into a Reader, so the ReadFrom method can
be used on the BlobWriter (which is very important for avoiding many
PATCH requests per layer).
Fixes#17209Fixes#17038
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 4dce280d96797b6a82e3eb54243e21bce7f55e5d
Component: engine
Also remove unused func `newTempFile` and prevent a possible deadlock
between pull_v2 `attemptIDReuse` and graph `register`
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: f6577be1c93150149c291f9d18375d7bcae9ebb1
Component: engine
Lookup the graph parent reference to detect a builder cache miss before
looping the whole graph image index to build a parent-children tree.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: f9e81b40f4065e3d0851172759ef58fda6572cce
Component: engine
also fix a typo in pkg/truncindex package comment
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: 56f5e3459f8d7477d2aa60dee02bc7cd8a8731ad
Component: engine
After v1.8.3 layer checksum is used for image ID
validation. Rewriting the checksums on push would
mean that next pulls will get different image IDs
and pulls may fail if its detected that same
manifest digest can now point to new image ID.
Fixes#17178
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Upstream-commit: fb4a7256921b9863bd27079ec821b9612368fee8
Component: engine
Ensure v2 registries are given more than 5 seconds to return a ping and avoid an unnecessary fallback to v1.
Elevates log level about failed v2 ping to a warning to match the warning related to using v1 registries.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Upstream-commit: f8ea4ad16d51f6f062be2c250be26d731b92bd3c
Component: engine
