When the daemon is configured to run with an authorization-plugin and if
the plugin is disabled, the daemon continues to send API requests to the
plugin and expect it to respond. But the plugin has been disabled. As a
result, all API requests are blocked. Fix this behavior by removing the
disabled plugin from the authz middleware chain.
Tested using riyaz/authz-no-volume-plugin and observed that after
disabling the plugin, API request/response is functional.
Fixes#31836
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Upstream-commit: 38de272bd4dfea945985b7031cd353ac5f6507c5
Component: engine
The current error-handling only checked for version annotations
on the subcommand itself, but did not check the top-level command.
This patch always traverses the command path (parents), and
prints an error if the command is not supported.
Before this change:
$ docker service
Usage: docker service COMMAND
Manage services
Options:
--help Print usage
Commands:
create Create a new service
inspect Display detailed information on one or more services
ls List services
ps List the tasks of one or more services
rm Remove one or more services
scale Scale one or multiple replicated services
update Update a service
Run 'docker service COMMAND --help' for more information on a command.
$ docker service ls
ID NAME MODE REPLICAS IMAGE
After this change:
$ DOCKER_API_VERSION=1.12 docker service
docker service requires API version 1.24, but the Docker daemon API version is 1.12
$ DOCKER_API_VERSION=1.12 docker service ls
docker service ls requires API version 1.24, but the Docker daemon API version is 1.12
$ DOCKER_API_VERSION=1.24 docker plugin --help
docker plugin requires API version 1.25, but the Docker daemon API version is 1.24
$ DOCKER_API_VERSION=1.25 docker plugin upgrade --help
docker plugin upgrade requires API version 1.26, but the Docker daemon API version is 1.25
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 15d63f1c5ba40a0937a935c866c384c953c79b16
Component: engine
In more recent versions of Cobra, `--help` parsing is done before
anything else resulting in TestDaemonCommand not actually passing. I'm
actually unsure if this test ever passed since it appears that !daemon
is not being run as part of the test suite.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Upstream-commit: dd7159060f60ea04007c069df189a29fda2c655f
Component: engine
This fix is the follow up of the last commit.
In this fix:
1. If any of the parents of a command has tags, then this command's
`Args` (Args validation func) will be wrapped up. The warpped up func
will check to see if the feature is supported or not. If it is not supported,
then a not supported message is generated instead.
This fix is related to 28626.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 8421fc634907a68889b0f20c13b0cf135f0817c6
Component: engine
This fix tries to address several issues raised in 28626 where
run against a non-experimental daemon may not generate correct
error message:
1. Incorrect flags were not checked against the supported features:
```
$ docker stack --nonsense
unknown flag: --nonsense
```
2. Subcommands were not checked against the supported features:
```
$ docker stack ls
Error response from daemon: This node is not a swarm manager...
```
This fix address the above mentioned issues by:
1. Add a pre-check for FlagErrorFunc
2. Recursively check if a feature is supported for cmd and its parents.
This fix fixes 28626.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 9f6fea8e7bd3e64edab2bc5bac337b4118ea97df
Component: engine
This also moves some cli specific in `cmd/dockerd` as it does not
really belong to the `daemon/config` package.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: db63f9370e26d725357c703cbaf9ab63cc7b6d0a
Component: engine
Docker 1.13 and up allows a client to communicate
with older daemons. As a result, flags may be
present that are not supported by the older daemon.
The client already _hides_ flags that are not
supported yet, but this doesn't present users
from using those flags.
This change shows an error if a flag is used
that is not supported by the daemon (either
based on the API version, or because experimental
features are not enabled).
Note that for some options, a check is already
in place in the API client. For those
options, this is just a minor enhancement
to more clearly indicate which _flag_ is
not supported.
Before this change;
DOCKER_API_VERSION=1.24 docker run -d --stop-timeout=30 busybox top
mjfyt3qpvnq0iwmun3sjwth9i
echo -e "FROM busybox\nRUN echo foo > bar" | DOCKER_API_VERSION=1.24 docker build --squash -
"squash" requires API version 1.25, but the Docker server is version 1.24
After this change;
DOCKER_API_VERSION=1.24 docker run -d --stop-timeout=30 busybox top
"--stop-timeout" requires API version 1.25, but the Docker daemon is version 1.24
echo -e "FROM busybox\nRUN echo foo > bar" | DOCKER_API_VERSION=1.24 docker build --squash -
"--squash" requires API version 1.25, but the Docker daemon is version 1.24
echo -e "FROM busybox\nRUN echo foo > bar" | docker build --squash -
"--squash" is only supported on a Docker daemon with experimental features enabled
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 34148978bd0f71692e2584add60018e10b8ff68d
Component: engine
Go style calls for mixed caps instead of all caps:
https://golang.org/doc/effective_go.html#mixed-caps
Change LOOKUP, ACQUIRE, and RELEASE to Lookup, Acquire, and Release.
This vendors a fork of libnetwork for now, to deal with a cyclic
dependency issue. The change will be upstream to libnetwork once this is
merged.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 428600108cce0a11e65ec4ebd9e439e947b55da7
Component: engine
I felt it made more sence 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: ce964a607ad7395af7b74a0ba1efc5ab3cb15790
Component: engine
Move plugins to shared distribution stack with images.
Create immutable plugin config that matches schema2 requirements.
Ensure data being pushed is same as pulled/created.
Store distribution artifacts in a blobstore.
Run init layer setup for every plugin start.
Fix breakouts from unsafe file accesses.
Add support for `docker plugin install --alias`
Uses normalized references for default names to avoid collisions when using default hosts/tags.
Some refactoring of the plugin manager to support the change, like removing the singleton manager and adding manager config struct.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Upstream-commit: 3d86b0c79b16334ce5836c0315e4c310b84c2e17
Component: engine
Instead of not adding experimental routes at all, fail with an explicit
message if the daemon is not running in experimental mode.
Added the `router.Experimental` which does this automatically.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: 3976a33c1a578827da3726bec3927cc058fe326a
Component: engine
Cli initialization pings back to remote API and
creates a deadlock if socket is already being
listened by systemd.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Upstream-commit: 5b0a52f7dcd04017a1def7326f8adbb8547ebe89
Component: engine
Signed-off-by: Victor Vieux <vieux@docker.com>
update cobra and use Tags
Signed-off-by: Victor Vieux <vieux@docker.com>
allow client to talk to an older server
Signed-off-by: Victor Vieux <vieux@docker.com>
Upstream-commit: e98e4a71110fd33852bb755a9b8b4ebc9df904db
Component: engine
