This adds ppc64le and s390x architectures to those supported
by hack/make/release-debs
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: 9db1d16053b9c94586d4233a1f4067eede24947e
Component: engine
This drops support for migrations from pre-1.10 Docker versions, which
should be done via an external tool or an intermediate upgrade.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: f8119bb7a76b5c42defb6e0a2dc67bd77ad29a5e
Component: engine
With commit ee59f25c2d503cd68262679250387e140171c685 we changed from
gcc-go to golang 1.7. By switching to debian we can reduce the base
layer from 1.4 GB to around 130 MB.
Signed-off-by: Dominik Dingel <dingel@linux.vnet.ibm.com>
Upstream-commit: 1bd6836a4249210090ed99c4e281374e9e16e138
Component: engine
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
Upstream-commit: 175792a65563b6ee14d049631d46749cd4165a3c
Component: engine
There is no reason to duplicate efforts and tini is well built and
better than grimes. It is a much stronger option for the default init
and @krallin has done a great job maintaining it and helping make
changes so that it will work with Docker.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: d58b47623b252803f5cd12f6d9ca584d1587ab22
Component: engine
this switches all go download links to use a redirect,
https://golang.org/dl/ instead of the direct source.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: 732d1035d2f1d8f0b6f3410035fa393431b93d89
Component: engine
This means we can vendor libnetwork without special casing, and
it is built the same way as the other external binaries.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 3996975b0840033bda3919440d122d734a4bc66b
Component: engine
It should allow easier updates for containerd and runc
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 1b41125ad9f1a3881b71bd044d76fd285170addb
Component: engine
This adds a small C binary for fighting zombies. It is mounted under
`/dev/init` and is prepended to the args specified by the user. You
enable it via a daemon flag, `dockerd --init`, as it is disable by
default for backwards compat.
You can also override the daemon option or specify this on a per
container basis with `docker run --init=true|false`.
You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.
```c
int main(int argc, char ** argv) {
pid_t pid = fork();
if (pid == 0) {
pid = fork();
if (pid == 0) {
exit(0);
}
sleep(3);
exit(0);
}
printf("got pid %d and exited\n", pid);
sleep(20);
}
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: ee3ac3aa66bfb27b7c21dfb253fdaa113baedd4e
Component: engine
We finally have a s390x binary tarball for go on "storage.googleapis.com".
So use this instead of bootstrapping with gccgo.
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Upstream-commit: 47f13d3b84fb0ee867c6b6c2a213d78b471754bf
Component: engine
Necessary for merging in #22049.
Signed-off-by: Ross Boucher <rboucher@gmail.com>
Upstream-commit: e0123adafdc1e6a14a1dac10c5371da11b6fc063
Component: engine
They're included in go since 1.5.
Also I've removed comment about ancient gofmt version.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 08c16f8abfdc1f91119a35056c92d131b815fbf8
Component: engine
With golang version 1.7 the s390x architecture is officially supported.
To be in sync with the other architectures now switch also for s390x
from gccgo 6.1 to golang:
- golang: build and install to /usr/src/go
* Download golang-1.7 sources
* Bootstrap with gccgo 6.1
- go lint: Sync GO_LINT_COMMIT with other Dockerfiles
- notary: Remove GO15VENDOREXPERIMENT and softlink hack
With this patch the current CI on s390x completes with:
- OK: 1375 passed, 43 skipped
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Upstream-commit: ee59f25c2d503cd68262679250387e140171c685
Component: engine
When #24648 was merged, only the main Dockerfile was updated with the
new containerd commit, this commit brings the other Dockerfile up to
speed.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: d5cbc57eff0df651bfbfb455608da45747651d0c
Component: engine
This version introduces the following:
- uses nanosecond timestamps for event
- ensure events are sent once their effect is "live"
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 29b2714580d085533c29807fa337c2b7a302abb6
Component: engine
This updates containerd to b93a33be39bc4ef0fb00bfcb79147a28c33d9d43
fixing the start sync issues.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 7db7e046315eed5ccfb3a913b965be4b1a595601
Component: engine
Due to the issue of go-md2man, a numbered list in `man docker login` was not rendered correctly.
a8f937e113
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Upstream-commit: cfe16e0d5b4bb7d1d194553f2a82cc1879d60e6b
Component: engine
We have to wait until runc version (RUNC_COMMIT) is bumped.
Otherwise we get the following error:
oci runtime error: string SCMP_ARCH_S390 is not a valid
arch for seccomp
Fixes: bf2a577c131d899 ("Enable seccomp for s390x")
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Upstream-commit: e6e51d37f7b6509f6422ad97533e9bb581042461
Component: engine
This bumps containerd to cf554d59dd96e459544748290eb9167f4bcde509 and
includes various fixes and updates the grpc package and types generated
for use.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: d17b9f3da064f4c7e70867be5e64d06b127df301
Component: engine
To implement seccomp for s390x the following changes are required:
1) seccomp_default: Add s390 compat mode
On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
compat mode. Therefore add this information to arches().
2) seccomp_default: Use correct flags parameter for sys_clone on s390x
On s390x the second parameter for the clone system call is the flags
parameter. On all other architectures it is the first one.
See kernel code kernel/fork.c:
#elif defined(CONFIG_CLONE_BACKWARDS2)
SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
int __user *, parent_tidptr,
So fix the docker default seccomp rule and check for the second
parameter on s390/s390x.
3) seccomp_default: Add s390 specific syscalls
For s390 we currently have three additional system calls that should
be added to the seccomp whitelist:
- Other architectures can read/write unprivileged from/to PCI MMIO memory.
On s390 the instructions are privileged and therefore we need system
calls for that purpose:
* s390_pci_mmio_write()
* s390_pci_mmio_read()
- Runtime instrumentation:
* s390_runtime_instr()
4) test_integration: Do not run seccomp default profile test on s390x
The generated profile that we check in is for amd64 and i386
architectures and does not work correctly on s390x.
See also: 75385dc216e ("Do not run the seccomp tests that use
default.json on non x86 architectures")
5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Upstream-commit: bf2a577c131d8998eb6ecac986d80e1289e6c801
Component: engine
