Adds the new label to the documentation. The
impact/distribution label is intended for changes
that affect the image-format or interaction
with the registry (distribution).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: ac0180620d906c39486963460415502f7abbd16f
Component: engine
Also, fix up some minor whitespace consistency issues, remove a little cruft, and update GOARM for armhf to 7 so that we're explicit.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: dc38061bee468ebfbfa3c89f0bb5b2edb5fd5147
Component: engine
Only two of these are not handled, the one in `TestBuildForceRm`
is intended to not be handled, while the other one in
`TestBuildResourceConstraintsAreUsed` causes problem.
In test case `TestBuildResourceConstraintsAreUsed`, somehow we
are not able to access network to get base image, but the error
message is:
```
Error: failed to inspect container : Unable to read inspect data: json: cannot unmarshal array into Go value of type types.ContainerJSON
```
Totally confusion.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: 1b34008532849467623039f78191e0f706fb34a5
Component: engine
When a container create with -m 100m and then docker update other
cgroup settings such as --cpu-quota, the memory limit show by
docker stats will become the default value but not the 100m.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Upstream-commit: 518ed75e1ab5b102fffd7fcbf046c127b44c7be7
Component: engine
- Use the ones provided by docker/go-connections, they are a drop in replacement.
- Remove pkg/sockets from docker.
- Keep pkg/tlsconfig because libnetwork still needs it and there is a
circular dependency issue.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Upstream-commit: 8e034802b7ad92a29f08785e553415adcd1348a3
Component: engine
This can be allowed because it should only restrict more per the seccomp docs, and multiple apps use it today.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: b610fc226afdf663b0ad46ad982c27fdee61f671
Component: engine
Block kcmp, procees_vm_readv, process_vm_writev.
All these require CAP_PTRACE, and are only used for ptrace related
actions, so are not useful as we block ptrace.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: a0a8ca0ae0bc9dc7faa0b8bacf4ca376c7257348
Component: engine
The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 33568405f34f363de49b1146119cc53bcb9e5f16
Component: engine
These provide an in kernel virtual machine for x86 real mode on x86
used by one very early DOS emulator. Not required for any normal use.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6c3ea7a511ca641cdf4fa4da1d775d5b6f4bef3e
Component: engine
The stime syscall is a legacy syscall on some architectures
to set the clock, should be blocked as time is not namespaced.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 6300a08be905969b16197f6a82a3d0d99a3f99cd
Component: engine
`docker kill 123` will show something like:
`Error response from daemon: Cannot kill container 123: nosuchcontainer: No such container: 123`
Notice the `nosuchcontainer` text, that should not be there as that's an internal ID that means nothing to the end user.
This PR fixes this by using `util.GetErrorMessage()` to extract just the message.
While in that dir I found a couple of other spots that could use the same call, just to be safe.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: b3e1178ad0e2cee43e9958f0f3b6e720bddc4ea4
Component: engine
For operations on multi containers, we printed error for each
failed container, then printed an extra message for container
names, it seems redundant.
Addresses comments:
https://github.com/docker/docker/pull/15078#discussion_r47988449
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: e0dc4f27f66d4311238adf4d7027bb3c6b58ad26
Component: engine
clock_adjtime is the new posix style version of adjtime allowing
a specific clock to be specified. Time is not namespaced, so do
not allow.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 0e5c43cddad304301ca8a82f652e15f75ee68cfe
Component: engine
This is a new version of init_module that takes a file descriptor
rather than a file name.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 0d5306a0b69c912a981f3a4bd41b80beb1207851
Component: engine
The original umount syscall without flags argument needs to
be blocked too.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
Upstream-commit: 9be0d93cf74d1bb31c401f1154abc773af31cbd6
Component: engine
