Until we can support existing behaviour with `sudo` disable
ambient capabilities in runc build.
Add tests that non root user cannot use default capabilities,
and that capabilities are working as expected.
Test for #27590
Update runc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: c5251f7116e3d9095a7169fc31bd170dff997c2e
Component: engine
This fix tries to address the proposal raised in 27921 and add
`--cpus` flag for `docker run/create`.
Basically, `--cpus` will allow user to specify a number (possibly partial)
about how many CPUs the container will use. For example, on a 2-CPU system
`--cpus 1.5` means the container will take 75% (1.5/2) of the CPU share.
This fix adds a `NanoCPUs` field to `HostConfig` since swarmkit alreay
have a concept of NanoCPUs for tasks. The `--cpus` flag will translate
the number into reused `NanoCPUs` to be consistent.
This fix adds integration tests to cover the changes.
Related docs (`docker run` and Remote APIs) have been updated.
This fix fixes 27921.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 846baf1fd3efcbfbf9d3eb99e436ca9a59d3e185
Component: engine
When a container is attached to an "--attachable" network, it strictly
forms the attacherKey using either the network-id or network-name
because at the time of attachment, the daemon may not have the network
downloaded locally from the manager. Hence, when the NetworkDettach is
called, it should use either network-name or network-id. This fix
addresses the missing network-id based dettachment case.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: 5f17e0f6c91b36a8f33d1efa1be879d6eb80132f
Component: engine
When a conflict is found in the volume cache, check with the driver if
that volume still actually exists.
If the volume doesn't exist, purge it from the cache and allow the
create to happen.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 6a0bdffc1adf9225c6cca92f741ccafd2f90a618
Component: engine
Came from looking at issue #27545
Signed-off-by: Doug Davis <dug@us.ibm.com>
Upstream-commit: eaf0b5708fc91ab0c78eeee1a2c9c1251439d4a8
Component: engine
This fix tries to address the issue raised in 27969 where
duplicate identical bind mounts for `docker run` caused additional volumes
to be created.
The reason was that in `runconfig`, if duplicate identical bind mounts
have been specified, the `copts.volumes.Delete(bind)` will not truly
delete the second entry from the slice. (Only the first entry is deleted).
This fix fixes the issue.
An integration test has been added to cover the changes
This fix fixes 27969.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 90ce6de50b3e5e39f8417e9804970c0fd1377062
Component: engine
Allow built images to be squash to scratch.
Squashing does not destroy any images or layers, and preserves the
build cache.
Introduce a new CLI argument --squash to docker build
Introduce a new param to the build API endpoint `squash`
Once the build is complete, docker creates a new image loading the diffs
from each layer into a single new layer and references all the parent's
layers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 362369b4bbea38881402d281ee2015d16e8b10ce
Component: engine
Since the plugin APIs have not changed for local-scoped network drivers
between plugin-v1 and v2, a simple test to validate the bootstrapping
and network creation APIs would suffice.
Any network driver specific API validations are handled independent of
plugin v1 or v2 format.
Using a sample v2 network plugin :
https://github.com/mavenugo/test-docker-netplugin/
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: 259441c027226683d38080caac7a39d6192c9dfa
Component: engine
Moves the resposne types to a package under api/types
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 29df3bdb117a058ae040686dd0f2565ae9ad743a
Component: engine
To load an image from a tar file, you can specify
the tar file in the -i/--input option:
docker load -i image_1.tar
or using stdin:
docker load < image_1.tar
cat image_1.tat | docker load
If the image file isn't given the `docker load`
command gets stuck.
To avoid that, the load makes sure the CLI input is
not a terminal or the `--input` option was set.
If not then an error message is shown.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Upstream-commit: 4426189b35aee4a64bedfb48604ad342a3a5b946
Component: engine
When a container is run on a --attachable network, the endpoint
configs passed by the user were incorrectly overwritten.
Copy the relevant configs instead of overwriting the entire configs.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: c5dd4d70c6ea3371d61409112a45c0573280111d
Component: engine
--group-add was used for specifying groups for both service create
and service update. For create it was confusing since we don't have
an existing set of groups. Instead I added --group to create, and
moved --group-add to service update only, like --group-rm
This deals with issue 27646
Signed-off-by: Lily Guo <lily.guo@docker.com>
Update flag documentation
Specify that --group, --group-add and --groupd-rm refers to
supplementary user groups
Signed-off-by: Lily Guo <lily.guo@docker.com>
Fix docs for groups and update completion scripts
Signed-off-by: Lily Guo <lily.guo@docker.com>
Upstream-commit: 2f58494ae6e796325329f849cf547bcf94bb68e3
Component: engine
