Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 2cc5bd33eef038bf5721582e2410ba459bb656e9
Component: engine
Allow partial name match for service ls --filter, node ls --filter, node tasks --filter
Upstream-commit: 7d84c715005dd123b0a63f23b207c12cb998786f
Component: engine
This fix is an extension to last commit to expand the partial
filter to node and task searches.
Additional integration tests have been added to cover the changes.
This fix fixes 24270.
This fix fixes 24112.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: e734fa58eadb4dfaa33b4be275d6f8f29d899e78
Component: engine
This fix tries to address the issue raised in 24270 where it was
not possible to have a partial name match when list services
with name filter.
This fix updates swarmkit and allows prefix search when name is
provided as the filter for listing services.
An additional integration test is added to cover the changes.
This fix fixes 24270.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 1d600ebcb5750c4c93356fae08e562d836ecee45
Component: engine
The error message;
unable to delete .... (must be forced) - image is referenced in one or more repositories
Looks to be incorrect
Given the following images:
docker images | grep 2d36b1c0ea40
registry 2 2d36b1c0ea40 7 weeks ago 171.2 MB
registry 2.4.1 2d36b1c0ea40 7 weeks ago 171.2 MB
Removing the image by *id* fails:
docker rmi 2d36b1c0ea40
Error response from daemon: conflict: unable to delete 2d36b1c0ea40 (must be forced) - image is referenced in one or more repositories
However, after untagging one image:
docker rmi registry:2
Untagged: registry:2
Removing the image works:
docker rmi 2d36b1c0ea40
Untagged: registry:2.4.1
Deleted: sha256:2d36b1c0ea40159adc8b36f7563f1d7a6d443384fe2611e8b393c1cb3ae2e6ad
Deleted: sha256:7abfddbf4e61927307b6646010845eeb7513ecc6541f33ea6103b2493e36aa4e
Deleted: sha256:f512d7699dbb2994fe15d30ee1d404e57b58c3c310617b4471db649680b4cfa0
Deleted: sha256:7291e34714908270aeda93f1dc681485f9734d41314e2fdc6c11f32ffa782a21
Deleted: sha256:548f6562929484f3d78267e4b1e31dcfeb9f303059668888b4423ce5501c7fbc
Deleted: sha256:afe56b46629e6d8e0bfc36fed13395a7cfa2bd83b58bb489976ef13553eff20b
Deleted: sha256:cf0c3bd5d6a0a14ebf96cc7d3df79a37774a70f3086273e09da71a86fe74fec2
Deleted: sha256:c5fdaf8b055f544d0211043e687905315c3a0b71c1c08df07e473dd0a30e43c8
docker images | grep 2d36b1c0ea40
<empty>
This changes the error message to reflect that behavior
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: f0988dd39598a46d911abc54c19fc3377698d630
Component: engine
This version introduces the following:
- uses nanosecond timestamps for event
- ensure events are sent once their effect is "live"
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 29b2714580d085533c29807fa337c2b7a302abb6
Component: engine
Adds log driver support for service creation and update. Add flags
`--log-driver` and `--log-opt` to match `docker run`. Log drivers are
configured per service.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: e778ba2d5b1e5074fe413dffaa365f3d37b175c7
Component: engine
This adds the `--live-restore` option to the documentation.
Also synched usage description in the documentation
with the actual description, and re-phrased some
flag descriptions to be a bit more consistent.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 64a8317a5a306dffd0ec080d9ec5b4ceb2479a01
Component: engine
This adds an `--oom-score-adjust` flag to the daemon so that the value
provided can be set for the docker daemon's process. The default value
for the flag is -500. This will allow the docker daemon to have a
less chance of being killed before containers do. The default value for
processes is 0 with a min/max of -1000/1000.
-500 is a good middle ground because it is less than the default for
most processes and still not -1000 which basically means never kill this
process in an OOM condition on the host machine. The only processes on
my machine that have a score less than -500 are dbus at -900 and sshd
and xfce( my window manager ) at -1000. I don't think docker should be
set lower, by default, than dbus or sshd so that is why I chose -500.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: a894aec8d81de5484152a76d76b80809df9edd71
Component: engine
Kernel memory is not allowed to be updated if container is
running, it's not actually a precise kernel limitation.
Before kernel version 4.6, kernel memory will not be accounted
until kernel memory limit is set, if a container created with
kernel memory initialized, kernel memory is accounted as soon
as process created in container, so kernel memory limit update
is allowed afterward. If kernel memory is not initialized,
kernel memory consumed by processes in container will not be
accounted, so we can't update the limit because the account
will be wrong.
So update kernel memory of a running container with kernel memory
initialized is allowed, we should soften the limitation by docker.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: 08c7075c403b86111b2c393b49075a81a1d2263f
Component: engine
Add option to skip kernel check for older kernels which have been patched to support multiple lower directories in overlayfs.
Fixes#24023
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Upstream-commit: ff98da0607c4d6a94a2356d9ccaa64cc9d7f6a78
Component: engine
For any operation that involves netwoks (other than network create),
swarmkit expects the target as network-id. Service upate was using
network-name as the target and that caused the issue.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: b32cfb32a3f654f27bc9d4356b36c6a7e5e53b21
Component: engine
This fix tries to address the issue raised in #24374 where
`docker info` outputs seccomp support in Ubuntu 14.04 but
the seccomp wass not actually supported.
The issue is that in the current docker implementation, seccomp
support is only checked against the kernel by inspect CONFIG_SECCOMP
and CONFIG_SECCOMP_FILTER. However, seccomp might not be enabled
when building docker (through golang build flag).
This fix adds a supportSeccomp boolean variable. The supportSeccomp
is only set to true when seccomp is enabled when building docker.
This fix fixes#24374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: a3b9dd89a1b19e7f84617b91f3756ae816c11035
Component: engine
