This is especially important for distributions like NixOS where `/bin/bash` doesn't exist, or for MacOS users who've installed a newer version of Bash than the one that comes with their OS.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: 52379fa76dee07ca038624d639d9e14f4fb719ff
Component: engine
Use the generate.sh script instead of md2man directly.
Update Dockerfile for generating man pages.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 00a8a40398263429f99b1a5f0be59048e1c6f38d
Component: engine
Wraps the engine itself with an AppArmor policy.
This restricts what may be done by applications
we call out to, such as 'xz'.
Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.
Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.
Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 39dae54a3f40035b1b7e5ca86c53d05dec832ed2
Component: engine
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 80d99236c1ef9d389dbaca73c1a949da16b56b42
Component: engine
Adding in other areas per comments
Updating with comments; equalizing generating man page info
Updating with duglin's comments
Doug is right here again;fixing.
Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: eacae64bd89ccc95a6db7bda76d36014e71e70ac
Component: engine
Using "DEST" for our build artifacts inside individual bundlescripts was already well-established convention, but this officializes it by having `make.sh` itself set the variable and create the directory, also handling CYGWIN oddities in a single central place (instead of letting them spread outward from `hack/make/binary` like was definitely on their roadmap, whether they knew it or not; sneaky oddities).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: ac3388367b6493987cef8017774fa4cdb5d2098f
Component: engine
better safe then sorry. especially for rm
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Upstream-commit: ac20568b0a62c794c0f1190703f051bd1cfac341
Component: engine
This also removes the now-defunct `*maintainer*.sh` scripts that don't work with the new TOML format, and moves a couple not-build-or-release-related scripts to `contrib/` instead.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: 949a21b55f3b8d7d1ae7a7b9829111a8f0dbf7e2
Component: engine
We might want to break it up into smaller pieces (eg. tools in one
place, documents in another) but let's worry about that later.
Signed-off-by: Solomon Hykes <solomon@docker.com>
Upstream-commit: 32e61b8f5c3f855f5e204064be1aea6a877dda43
Component: engine
Update md2man script to generate manpages inside docs/man/ directory. Update
usage documentation in the readme to point to the new docs/man path. Update
Ubuntu makefile to use new path to manpages
Docker-DCO-1.1-Signed-off-by: Matthew Heon <mheon@redhat.com> (github: mheon)
Upstream-commit: fa3ac2d37032583a7c1171c24d71fbf93e330acc
Component: engine
I tested to verify that if neither package is available (for example, on Debian Wheezy), apt still continues installing properly.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
Upstream-commit: 314818e7ba4c675b63caaaabadcfd12d10c4f3a6
Component: engine
This also removes all the old man pages, .gitignores their directory, and updates the md2man-all.sh script to be easier to read and more friendly to being called within hack/make/ubuntu.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
Upstream-commit: e55ed741c24fe9e974d08f4893c79752fb279dc4
Component: engine
This *should* have the same effect as the previous strategy: Instead of
'mkdir empty; fpm -s dir -C empty ...' we can simply do 'fpm -s empty'
Docker-DCO-1.1-Signed-off-by: Jordan Sissel <jls@semicomplete.com> (github: jordansissel)
Upstream-commit: a02450d048d0a858aceda2343ef4d7633eca6ebb
Component: engine
It's only in "Recommends" because it's only required for all but the esoteric configurations (since you can't "docker pull" from the index without it, but that's about it).
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
Upstream-commit: e5189b5dd2c044030e7e2ab7029eba0fe91c3b25
Component: engine
This is to especially fix FPM 1.0+ complaining that we told it we have an /etc/default/docker "config file", but didn't actually include one.
Upstream-commit: 7fd6dcc831d28cc1ca1a5d56c9043354228f087d
Component: engine
This reverts commit c81bb20f5b2b5d86059c6004e60ba23b03d30fe0.
After re-reading the documentation: "The Recommends field should list packages that would be found together with this one in all but unusual installations."
Thus, "Recommends" is an acceptable place for this dep, and anyone disabling that gets to keep the pieces.
The main crux of why this needs to be reverted is because it breaks Debian completely because "lxc" and "cgroup-bin" can't be installed concurrently.
Upstream-commit: e01732f85769ac434e2614652aa25cd0ace7a4df
Component: engine
Since cgroup-bin is only "recommended" by the lxc package on Ubuntu, but is necessary for having the proper cgroups mounted for Docker to function, this makes some sense for us to add separately.
Fixes#2990
Upstream-commit: c81bb20f5b2b5d86059c6004e60ba23b03d30fe0
Component: engine
