Add a test that the default seccomp profile allows execution of 32 bit binaries
Upstream-commit: 8a8a63aa32a60e12b3c4d8e9e3397a8bd3b96d54
Component: engine
Rather than conflict with the unexposed task model, change the names of
the object-oriented task display to `docker <object> ps`. The command
works identically to `docker service tasks`. This change is superficial.
This provides a more sensical docker experience while not trampling on
the task model that may be introduced as a top-level command at a later
date.
The following is an example of the display using `docker service ps`
with a service named `condescending_cori`:
```
$ docker service ps condescending_cori
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 13 minutes ago Running 6c6d232a5d0e
```
The following shows the output for the node on which the command is
running:
```console
$ docker node ps self
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
b1tpbi43k1ibevg2e94bmqo0s mad_kalam.1 mad_kalam apline Accepted 2 seconds ago Accepted 6c6d232a5d0e
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 12 minutes ago Running 6c6d232a5d0e
4x609m5o0qyn0kgpzvf0ad8x5 furious_davinci.1 furious_davinci redis Running 32 minutes ago Running 6c6d232a5d0e
```
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: 0aa4e1e68973ede0c73f8a4356e2a17fc903f549
Component: engine
While testing #24510 I noticed that 32 bit syscalls were incorrectly being
blocked and we did not have a test for this, so adding one.
This is only tested on amd64 as it is the only architecture that
reliably supports 32 bit code execution, others only do sometimes.
There is no 32 bit libc in the buildpack-deps so we cannot build
32 bit C code easily so use the simplest assembly program which
just calls the exit syscall.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 93bbc76ee53240e0862c6f1ff409e7a4ee0883dc
Component: engine
Ensure convergence before moving on with testing leader election
conditions. This reduce the flakiness of this test when run in different
environments.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: 946e23776be78510799f3f242f7b9f7acbbfd357
Component: engine
If no restart delay is specified for a swarm service, the default
restart delay is 5 seconds. This is a reasonable value for actual
deployments - one example of where it's useful is that if a bad image is
specified, the orchestrator will wait 5 seconds between attempts to
restart it instead of restarting it in a tight loop.
In integration tests, this 5 second delay is dead time. The tests run
faster if the delay is reduced. Set it to 100 ms to avoid the waste of
time.
This appears to speed up a few tests:
DockerSwarmSuite.TestApiSwarmForceNewCluster 37.241s -> 34.323s
DockerSwarmSuite.TestApiSwarmRestartCluster 22.038s -> 15.545s
DockerSwarmSuite.TestApiSwarmServicesMultipleAgents 24.456s -> 19.853s
DockerSwarmSuite.TestApiSwarmServicesStateReporting 19.240s -> 10.049s
...a small step towards making the Swarm integration tests run in a
reasonable amount of time.
Also, change the update delay for the rolling update test from 8 seconds
to 4 seconds, which should be sufficient to differentiate between
batches of updated tasks. This reduces the runtime for
DockerSwarmSuite.TestApiSwarmServicesUpdate from 28s to 20s.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: c93c6492589504ed9474922f7c98f9ecb24df77f
Component: engine
This is an attempt to fix the flaky test of TestSwarmNodeTaskListFilter in 25029.
Basically this fix adds a check to wait until 3 containers has already up,
before processing `node tasks ...`.
This might fix 25029.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 63c0366bc9a7f326ad61cdfa69fa860cf844a2c7
Component: engine
In `TestApiSwarmRestartCluster`, it's calling `checkClusterHealth`.
`checkClusterHealth` calls `d.info()`, which will return an error if
there is no cluster leader... problem is `checkClusterHealth` is doing a
nil error assertion w/o giving any time for a leader to be elected.
This moves the `d.info()` call into a `waitAndAssert` using the default
reconciliation timeout.
It also moves some other checks into a `waitAndAssert` to give the
cluster enough time to come back up.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: fdcde8bb65acf2c459e93678bf2659139ef5e918
Component: engine
Remove the swarm inspect command and use docker info instead to display
swarm information if the current node is a manager.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: e6923f6d75c2bd1b22cc1229214ffceca3251cc6
Component: engine
This prevents unnecessary API call to containerd.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Upstream-commit: b867f6c6e18f9d999ddec911a241941428777569
Component: engine
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 57ae29aa74e77ade3c91b1c77ba766512dae9ab4
Component: engine
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: a0ccd0d42fdb0dd2005f67604cb81a5a6b26787e
Component: engine
This renames the `rotate_xxx` flags to camelBack, for
consistency with other API query-params, such as
`detachKeys`, `noOverwriteDirNonDir`, and `fromImage`.
Also makes this flag accept a wider range of boolean
values ("0", "1", "true", "false"), and throw an error
if an invalid value is passed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: bd81df12780b0765e55582574eaa2a125adf65fa
Component: engine
When daemon has liveRestore set, daemon shutdown should not shutdown
plugins. Fixes#24759
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Upstream-commit: 4a44cf1d4c8e540b67aaa3834291a964c6ab7524
Component: engine
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 2cc5bd33eef038bf5721582e2410ba459bb656e9
Component: engine
Allow partial name match for service ls --filter, node ls --filter, node tasks --filter
Upstream-commit: 7d84c715005dd123b0a63f23b207c12cb998786f
Component: engine
