By default, using go with package will only validate the go file for the
current platform (or at last misses file_windows.go for example). This
tries to fix that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: fa34f07ec04e22b2e0631cc0656ba569b453d21c
Component: engine
Wraps the engine itself with an AppArmor policy.
This restricts what may be done by applications
we call out to, such as 'xz'.
Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.
Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.
Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 39dae54a3f40035b1b7e5ca86c53d05dec832ed2
Component: engine
The docker-py commit used in the standard `Dockerfile` is from Feb. 2015
and is out of date with the current API level and has fixes for things
like the new docker cli config location and registry v2 changes/API
responses as well.
Also pass "NOT_ON_HOST=true" to docker-py test suite so that tests
relying on direct HOST interaction (versus running in a container) are
skipped.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Upstream-commit: 65fb04228eba7c6d8640bc8de8800ade05efe2f1
Component: engine
tar-split is a facility to disassemble and reassemble tar archives
Signed-off-by: Vincent Batts <vbatts@redhat.com>
Upstream-commit: 7fb061832a0ebf197abb41c576887a1d2aca18be
Component: engine
Fix the following warnings:
pkg/mount/mountinfo.go:5:6: type name will be used as mount.MountInfo by other packages, and that stutters; consider calling this Info
pkg/mount/mountinfo.go:7:2: struct field Id should be ID
Signed-off-by: Antonio Murdaca <runcom@linux.com>
Upstream-commit: 0f5c9d301b9b1cca66b3ea0f9dec3b5317d3686d
Component: engine
Add a set of newly linted packages, and fix the script.
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Upstream-commit: 7f02cc420ab068f129ec24f3c7514a838bddb1ce
Component: engine
Add golint to the Dockerfile, and a `validate-lint` task to the
Makefile. Currently, the linter will process a harcoded list of packages
that will expand as we fix more warnings. Eventually, the linter should
process all subpackages of the repo (excluding vendored code).
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Upstream-commit: 6cce8d18384a5ae1212e7b0f7b7ac9662a89c8c1
Component: engine
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 80d99236c1ef9d389dbaca73c1a949da16b56b42
Component: engine
This is fix for proper setup of nested containers cgroups.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: f0f261a899acf3c11d01c97e2503ec0ddb200232
Component: engine
Replaced github.com/docker/libcontainer with
github.com/opencontainers/runc/libcontaier.
Also I moved AppArmor profile generation to docker.
Main idea of this update is to fix mounting cgroups inside containers.
After updating docker on CI we can even remove dind.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: c86189d554ba14aa04b6314970d3699e5ddbf4de
Component: engine
This update includes removal of libcontainer dependency.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: b84ceb3d0ac53690f19cfc05f6b0e91e1998aa41
Component: engine
These will create the apt & yum repos for the deb/rpms generated by build-deb
and build-rpm.
Adds sign-repo script which signs the repo metadata with a gpg key.
Signed-off-by: Jessica Frazelle <princess@docker.com>
Upstream-commit: c850e97c84abffc71509692ab1accd38408fa51b
Component: engine
For hybrid cloud, some ubuntu vm images doesn't have the directory
`/etc/apt/sources.list.d` which cause failure on creating
`/etc/apt/sources.list.d/docker.list`.
To fix this issue, create this directory first (if it doesn't exist).
Signed-off-by: Penghan Wang <ph.wang@daocloud.io>
Upstream-commit: 80e90499aafabb27c68a2ddca31339aa125c40ae
Component: engine
