libcontainer.GetNamespace returns nil on FreeBSD because
libcontainer.namespaceList is empty. In this case, Namespaces#Get should
return nil instead of being panic.
Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
Upstream-commit: c5226d94fab4e261fe2407262d9b5177326d4062
Component: engine
Implement system.LUtimesNano and system.UtimesNano. The latter might be
removed in future because it's basically same as os.Chtimes. That's why
the test is mainly focusing LUtimesNano.
Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
Upstream-commit: 1c90a4dd9a83526ca3837ab9231ff6a9af07e072
Component: engine
It seems that netlink in older kernels, including RHEL6, does not
support RTM_SETLINK with IFLA_MASTER. It just silently ignores it, reporting
no error, causing netlink.NetworkSetMaster() to not do anything yet
return no error.
We fix this by introducing and using AddToBridge() in a very similar manner
to CreateBridge(), which use the old ioctls directly.
This fixes https://github.com/dotcloud/docker/issues/4668
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 59c1b2880be8fb9d9a632fa42a10097c1580591a
Component: engine
This also includes some portability changes so that the package can be
imported with the top level runtime.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Upstream-commit: 82f37b874ea17c5e0040f3e41dc761c88d576e33
Component: engine
The variables that were defined at the top of the apparmor profile are best
pulled in via the <tunables/global> include.
Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
Upstream-commit: 726206f2aa45b8a537ae6d6c819f21befc2e0aca
Component: engine
Add 'pid' variable pointing to 'self' to allow parsing of profile to succeed
Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
Upstream-commit: 320b3e0d211d389addda02998a0f47839827b2af
Component: engine
Encountered problems on 14.04 relating to signals between container
processes being blocked by apparmor. The base abstraction contains
appropriate rules to allow this communication.
Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
Upstream-commit: e35c23311fce853fab318527789f11cc8c150ea2
Component: engine
These two patches should fix problems we see with running docker in the wild.
Upstream-commit: 9687c087ab09feb106b040628423e70b320a51e2
Component: engine
This also improves the logic around formatting the labels for selinux
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Upstream-commit: 94233a204f82f857536c16f36f94d3a8ff0069dd
Component: engine
When the code attempts to set the ProcessLabel, it checks if SELinux Is
enabled. We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled. Calling
label.Init before setting up the rest of the container, tells the library that
SELinux is enabled and everything works fine.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: d76ac4d429e474a7c79f7aab396e318f4e176025
Component: engine
If a system is configured for SELinux but does not know about docker or
containers, then we want the transitions of the policy to work. Hard coding
the labels causes docker to break on older Fedora and RHEL systems
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 32ad78b0430079dcc53c245826a244afa2d9b6b6
Component: engine
Such nodes could already be created by importing a tarball to a container; now
they can be created from within the container itself.
This gives non-privileged containers the mknod kernel capability, and modifies
their cgroup settings to allow creation of *any* node, not just whitelisted
ones. Use of such nodes is still controlled by the existing cgroup whitelist.
Docker-DCO-1.1-Signed-off-by: Kevin Wallace <kevin@pentabarf.net> (github: kevinwallace)
Upstream-commit: c94111b61988ad32d87f99d4421cbcde018c3fb4
Component: engine
When the code attempts to set the ProcessLabel, it checks if SELinux Is
enabled. We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled. Calling
label.Init before setting up the rest of the container, tells the library that
SELinux is enabled and everything works fine.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 2224e0d65adfbd08e53430a1d7c750491f788257
Component: engine
If a system is configured for SELinux but does not know about docker or
containers, then we want the transitions of the policy to work. Hard coding
the labels causes docker to break on older Fedora and RHEL systems
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: f9b8161c60f58d383ca0eaf5a99865b83e4a41b8
Component: engine
Added Adele Goldstine, Erna Schneider Hoover, Grace Hopper, Jean Bartik,
Jean E. Sammet, Karen Spärck Jones, Radia Perlman and Sophie Wilson.
Thanks to @jamtur01 for Sophie Kowalevski, Hypatia, Jane Goodall, Maria
Mayer, Rosalind Franklin, Gertrude Elion, Elizabeth Blackwell,
Marie-Jeanne de Lalande, Maria Kirch, Maria Ardinghelli, Jane Colden,
June Almeida, Mary Leakey, Lise Meitner, Johanna Mestorf.
Thanks to @xamebax for Françoise Barré-Sinoussi, Rachel Carson, Barbara
McClintock, Ada Yonath.
Docker-DCO-1.1-Signed-off-by: Johannes 'fish' Ziemke <github@freigeist.org> (github: discordianfish)
Upstream-commit: 7808886744595af509b7b144890900674ea5ccfd
Component: engine
