The errors returned from Mount and Unmount functions are raw
syscall.Errno errors (like EPERM or EINVAL), which provide
no context about what has happened and why.
Similar to os.PathError type, introduce mount.Error type
with some context. The error messages will now look like this:
> mount /tmp/mount-tests/source:/tmp/mount-tests/target, flags: 0x1001: operation not permitted
or
> mount tmpfs:/tmp/mount-test-source-516297835: operation not permitted
Before this patch, it was just
> operation not permitted
[v2: add Cause()]
[v3: rename MountError to Error, document Cause()]
[v4: fixes; audited all users]
[v5: make Error type private; changes after @cpuguy83 reviews]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 65331369617e89ce54cc9be080dba70f3a883d1c)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 7f1c6bf5a745c8faeba695d3556dff4c4ff5f473
Component: engine
It has been pointed out that we're ignoring EINVAL from umount(2)
everywhere, so let's move it to a lower-level function. Also, its
implementation should be the same for any UNIX incarnation, so
let's consolidate it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 90be078fe59a8cfeff2bcc5dc2f34a00309837b6)
Upstream-commit: 47c51447e1b6dacf92b40574f6f929958ca9d621
Component: engine
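The two changes above (a contextual mount error that keeps the errno reachable, and EINVAL from umount(2) being ignored in one low-level place), as an added Go sketch that is not the engine's own code. The `mountError` type, its field names and `unmountWith` are hypothetical; the umount call is passed in as a parameter so the example runs without privileges.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// mountError is a hypothetical stand-in for the private error type
// described in the commit message; the field names are assumptions.
type mountError struct {
	op, source, target string
	flags              uintptr
	err                error // raw errno returned by the syscall
}

func (e *mountError) Error() string {
	out := e.op + " "
	if e.source != "" {
		out += e.source + ":"
	}
	out += e.target
	if e.flags != 0 {
		out += fmt.Sprintf(", flags: 0x%x", e.flags)
	}
	return out + ": " + e.err.Error()
}

// Cause and Unwrap expose the errno so callers can still branch on it.
func (e *mountError) Cause() error  { return e.err }
func (e *mountError) Unwrap() error { return e.err }

// unmountWith ignores EINVAL (target is not a mount point) in one place
// and wraps every other failure with context.
func unmountWith(umount func(string, int) error, target string) error {
	err := umount(target, 0)
	if err == nil || errors.Is(err, syscall.EINVAL) {
		return nil
	}
	return &mountError{op: "umount", target: target, err: err}
}

func main() {
	denied := func(string, int) error { return syscall.EPERM } // constructed failure
	err := unmountWith(denied, "/tmp/mount-tests/target")
	fmt.Println(err, "| EPERM:", errors.Is(err, syscall.EPERM))
}
```
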
As standard mount.Unmount does what we need, let's use it.
In addition, this adds ignoring "not mounted" condition, which
was previously implemented (see PR#33329, commit cfa2591d3f26)
via a very expensive call to mount.Mounted().
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 77bc327e24a60791fe7e87980faf704cf7273cf9)
Upstream-commit: 893b24b80db170279d5c9532ed508a81c328de5e
Component: engine
[18.09 backport] Pass root to chroot for chroot Tar/Untar (CVE-2018-15664)
Upstream-commit: 72797601723f6a8847027a1abbd1a3cea2667718
Component: engine
Previously only unpack operations were supported with chroot.
This adds chroot support for packing operations.
This prevents potential breakouts when copying data from a container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 3029e765e241ea2b5249868705dbf9095bc4d529)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 61e0459053c359e322b8d5c017e855f616fd34c0
Component: engine
This is useful for preventing CVE-2018-15664 where a malicious container
process can take advantage of a race on symlink resolution/sanitization.
Before this change chrootarchive would chroot to the destination
directory which is attacker controlled. With this patch we always chroot
to the container's root which is not attacker controlled.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit d089b639372a8f9301747ea56eaf0a42df24016a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 155939994f453559676656bc4b05635e83ebef56
Component: engine
[18.09] Backport Forcing a nil IP specified in PortBindings to IPv4 zero (0.0.0.0).
Upstream-commit: c882c0011f0857da5e8cef1ea48e0aa80019abf1
Component: engine
full diff: c9029898e3...872f0a83c9
- docker/libnetwork#2354 [18.09 backport] Cleanup the cluster provider when the agent is closed
- backport of docker/libnetwork#2307 Fix for problem where agent is stopped and does not restart
- fixes docker/for-linux#495 Docker swarm overlay networking not working after --force-new-cluster
- docker/libnetwork#2369 [18.09 BACKPORT] Pick a random host port if the user does not specify a host port
- backport of docker/libnetwork#2368 (windows) Pick a random host port if the user does not specify a host port
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 5354408039681020f9ad6afe4bf696fc90f9ce69
Component: engine
[18.09 backport] test-fixes and updates, and fix images filter when use multi reference filter
Upstream-commit: 82a2b8882e5a9dc2ba4389f589ad28dc9cee0d57
Component: engine
In case of failure, stale out was printed.
Fixes: 6212ea669b4e92b3
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 1921753b4b30dcca4fe772e7c1b0bc3f7bb7cd62)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: b60ecd32a1d3ba7debf02d15fe346ea5ca607bbd
Component: engine
Move the test case from integration-cli to integration.
The test logic itself has not changed, except these
two things:
* the new test sets default-ipc-mode via command line
rather than via daemon.json (less code);
* the new test uses current API version.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9fd765f07cc08ccc2ea991d21835bf50ece9318b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: b228a498d55fcd47c741d51a510a7f5eab0794f7
Component: engine
NOTE TestUpdateRestartPolicy is left as is as otherwise
it will decrease its readability.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit f664df01d1836686c7a8a917e9da81d56c758d74)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 2c546aace40872169b03e18f07294d3fbfa3d452
Component: engine
Since container.Create() already initializes HostConfig
to be non-nil, there is no need for this code. Remove it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 17022b3ad2d95863e5acd17ebaf943b7761623cc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: ed48a92a580b7ccc5c5837c7d802f787000146eb
Component: engine
This test sometimes failed because the number of events received did not
match the expected number:
    FAIL: docker_cli_events_test.go:316: DockerSuite.TestEventsFilterLabels
    docker_cli_events_test.go:334:
        c.Assert(len(events), checker.Equals, 3)
    ... obtained int = 2
    ... expected int = 3
This patch makes the test more stable, by:
- use a wider range between `--since` and `--until`. These options were set
so that the client detaches after events were received, but the actual
range should not matter. Changing the range will cause more events to be
returned, but we're specifically looking for the container IDs, so this
should not make a difference for the actual test.
- use `docker create` instead of `docker run` for the containers. The
containers don't have to be running to trigger an event; using `create`
speeds up the test.
- check the exit code of the `docker create` to verify the containers were
successfully created.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0e15c02465c87c82908bcc45b0c1d6bd38f27c32)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 26f7e0a8b08b2890d079d4083735c05377770ca8
Component: engine
I noticed that this test failed, because the node was in status "pending".
The test checks for the node's status immediately after it was restarted, so
possibly it needs some time to unlock.
    14:07:10 FAIL: docker_cli_swarm_test.go:1128: DockerSwarmSuite.TestSwarmLockUnlockCluster
    ...
    14:07:10 docker_cli_swarm_test.go:1168:
    14:07:10     checkSwarmLockedToUnlocked(c, d)
    14:07:10 docker_cli_swarm_test.go:1017:
    14:07:10     c.Assert(getNodeStatus(c, d), checker.Equals, swarm.LocalNodeStateActive)
    14:07:10 ... obtained swarm.LocalNodeState = "pending"
    14:07:10 ... expected swarm.LocalNodeState = "active"
This patch adds a `waitAndAssert` for the node's status, with a 1 second timeout.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 973ca00d60712ef644b5b37abf7fa01078bb4ade)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 954425f8bdb5db95355cb20be465d248f7c3b1f1
Component: engine
When starting docker daemons for swarm testing, we disable iptables
and use lo for communication (in order to avoid network conflicts).
The problem is, these options are lost on restart, which can lead
to all sorts of network conflicts and thus connectivity issues
between swarm nodes.
Fix this. This does not fix issues with swarm test failures, but
it seems they appear less often after this one.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 2ed512c7faea938b0b07e69187b8a132e2ecb66a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 553b09684cb68962403ebdc5495fb548364f778f
Component: engine
This is repeated 6 times in different tests, with slight
minor variations. Let's factor it out, for clarity.
While at it, simplify the code: instead of more complex
parsing of "docker swarm init|update --autolock" output (1)
and checking if the key is also present in
"docker swarm unlock-key" output (2), get the key
from (2) and check it is present in (1).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 24cbb9897193894f4716583d1861091ab2fa1ae2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6ec991ec8371bdba94480c587eea6ea24f3e9d43
Component: engine
A timer is leaking on every daemon start and stop.
Probably nothing major, but given the amount of
daemon starts/stops during tests, it's better to
be accurate about it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 6016520162fdcb19f50d08c4f0b54b06a7a6eac0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 784a89354b118ef68f1f20fb4ff383c6282ea03c
Component: engine
Since commit 17173efbe00 checkSwarmLockedToUnlocked() no longer
requires its third argument, so remove it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 66cb1222d6559e120d9d1a29932aa778aa517894)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 2a02a2e9dae0045d550e98fa849aceafc0c41a0e
Component: engine
1. Using MNT_FORCE flag does not make sense for nsfs. Using MNT_DETACH
though might help.
2. When -check.vv is added to TESTFLAGS, there are a lot of messages
like this one:
> unmount of /tmp/dxr/d847fd103a4ba/netns failed: invalid argument
and some like
> unmount of /tmp/dxr/dd245af642d94/netns failed: no such file or directory
The first one means directory is not a mount point, the second one
means it's gone. Do ignore both of these.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 73baee2dcf546b2561bdd9a500b0af08cb62b1be)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 90cb9b6545fbf7f91cf3eb427f627a7353ea684f
Component: engine
Signed-off-by: John Howard <jhoward@microsoft.com>
(cherry picked from commit b1b9937bc75f0db9c804838ecce9bb6792a42525)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 533b0f602d10af8fe325c3544a2411f5060a47b8
Component: engine
It looks like the logic of the test became wrong after commit
ae0883c ("Move TestAttachDetach to integration-cli").
The original logic was:
* (a few first steps skipped for clarity)
* send escape sequence to "attach";
* check "attach" is exiting (i.e. escape sequence works);
* check the container is still alive;
* kill the container.
Also, timeouts were big at that time, in the order of seconds.
The logic after the above mentioned commit and until now is:
* ...
* send escape sequence to "attach";
* check the container is running (why shouldn't it?);
* kill the container;
* checks that the "attach" has exited.
So, from the "let's check detach using escape sequence is working"
the test became something like "let's check that attach is gone
once we kill the container".
Let's fix the above test, also increasing the timeout waiting
for attach to exit (which fails from time to time on power CI).
Now, the second test, TestAttachDetachTruncatedID, does the exact
same thing, except it uses a truncated container ID. It does not
seem to be of much value, so let's remove it.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 9f3a343a5101ab661a6a97c9e149a0b11ccc320a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 17ae129697c10e9f866ffc253bc211f8912588df
Component: engine
This introduces `NoTasksForService` and `NoTasks` poller checks, that
can be used to check if no tasks are left in general, or for a specific
service.
Some redundant checks were also removed from some tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 56a68c15f8a093b1761e77a74d8b7acdfbcb30a2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 8f6421457d3be6280236aa466e533fb32cb4509b
Component: engine
Clean up and refactor this test;
- make `serviceRunningTasksCount` to use a `desired-state` filter
- use subtests, and inline the `validNetworkVerbose` checks; also use
asserts for the individual checks, so that any failure will log exactly
what failed
- remove helper functions that are no longer needed
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 60d93aab2e68b13b3f22c43add4762d3e8108227)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 046352162f1a23f10a05b59e4fac9d932bcd4f35
Component: engine
This fix removes code duplication and consolidates networkIsRemoved
into one place.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 28b7824caa9c8f1acc0471136a8a4fd80e51f491)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: dd20556e037b262473f3f8163dfc7c21e9161c8e
Component: engine