Use tabwriter to print the version output
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 48eb7a082d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Darren Stahl <darst@microsoft.com>
(cherry picked from commit 1f28844d7869609f371ab2a7881e4488a79a7e27)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix was part of 8c3d0b93d6,
but was reverted due to the order in which other changes were
backported.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Importing from moby's DockerTrustSuite tests.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 8b00c5cfd8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some of them are skipped for now (because the feature is not supported
or needs more work), some of them are fixed.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 0cf2e6353a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds a `make.ps1` powershell script to make it easy to compile and test.
```
.\scripts\make.ps1 -Binary
INFO: make.ps1 starting at 03/01/2018 14:37:28
INFO: Building...
________ ____ __.
\_____ \ | |/ _|
/ | \| <
/ | \ | \
\_______ /____|__ \
\/ \/
INFO: make.ps1 ended at 03/01/2018 14:37:30
.\scripts\make.ps1 -TestUnit
```
The next step is to run e2e tests on windows too.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit facb22573d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- `replaceDockerfileForContentTrust` is only used when content trust is
enabled, so remove the boolean.
- rename `isContentTrustEnabled` to `contentTrustEnabled`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 63ebcae382)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Rename IsTrusted to ContentTrustEnabled
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit feae0e9756)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the global variable used. Allows easier unit testing.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 6e21829af4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With a default filename tests will leave a file in the working directory
that is never cleaned up.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit 7c8b5708eb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix tests that failed when using cmp.Compare()
internal/test/testutil/assert
InDelta
Fix DeepEqual with kube metav1.Time
Convert some ErrorContains to assert
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit 5155cda716)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 5433ceb12ead305d8c85e8e27c4b4d842ef88ae0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was added as part of a53930a04fa81b082aa78e66b342ff19cc63cc5f with
the intent to sort the mounts in the plugin config, but this was sorting
*all* the mounts from the default OCI spec which is problematic.
In reality we don't need to sort this because we are only adding a
self-binded mount to flag it as rshared.
We may want to look at sorting the plugin mounts before they are added
to the OCI spec in the future, but for now I think the existing behavior
is fine since the plugin author has control of the order (except for the
propagated mount).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ec90839ca302ca53a7d55e4c7f79e7b4779f5e15)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This is a test case for issue https://github.com/moby/moby/issues/35123,
making sure we can set container's memory limit when using
`native.cgroupdriver=systemd`.
[v2: skip if no systemd present]
[v3: add --iptables=false to avoid flaky tests with t.Parallel()]
[v4: rebase after PR#36507 merge]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 4ca5c5361059e29ed31074ca5b96f8b2030b5f99)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Exec processes do not automatically inherit AppArmor
profiles from the container.
This patch sets the AppArmor profile for the exec
process.
Before this change:
apparmor_parser -q -r <<EOF
#include <tunables/global>
profile deny-write flags=(attach_disconnected) {
#include <abstractions/base>
file,
network,
deny /tmp/** w,
capability,
}
EOF
docker run -dit --security-opt "apparmor=deny-write" --name aa busybox
docker exec aa sh -c 'mkdir /tmp/test'
(no error)
With this change applied:
docker exec aa sh -c 'mkdir /tmp/test'
mkdir: can't create directory '/tmp/test': Permission denied
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8f3308ae10ec9ad0dd4edfb46fde53a0e1e19b34)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update libnetwork to 1b91bc94094ecfdae41daa465cc0c8df37dfb3dd to bring in a fix
for stale HNS endpoints on Windows:
When Windows Server 2016 is restarted with the Docker service running, it is
possible for endpoints to be deleted from the libnetwork store without being
deleted from HNS. This does not occur if the Docker service is stopped cleanly
first, or forcibly terminated (since the endpoints still exist in both). This
change works around the issue by removing any stale HNS endpoints for a network
when creating it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fb364f07468e94226250a1e77579ee6117c64be2)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
This updates libnetwork to 8892d7537c67232591f1f3af60587e3e77e61d41 to bring in
IPAM fixes for duplicate IP addresses.
- IPAM tests (libnetwork PR 2104) (no changes in vendored files)
- Fix for Duplicate IP issues (libnetwork PR 2105)
Also bump golang/x/sync to match libnetwork (no code-changes, other
than the README being updated)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55e0fe24db68b16edccb2fa49c3b1b9d3a9ce58c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This PR prevents automatic removal of the load balancing sandbox
endpoint when the endpoint is the last one in the network but
the network is marked as ingress.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
(cherry picked from commit bebad150c9c3bc6eb63758c10ef24b9298ecf6e2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ingress networks will no longer automatically remove their
load-balancing endpoint (and sandbox) automatically when the network is
otherwise upopulated. This is to prevent automatic removal of the
ingress networks when all the containers leave them. Therefore
explicit removal of an ingress network also requires explicit removal
of its load-balancing endpoint.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
(cherry picked from commit 3da4ebf355d3494d1403b2878a1ae6958b2724e9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The commit https://github.com/moby/moby/pull/35422 had the result of
accidentally causing the removal of the ingress network when the
last member of a service left the network. This did not appear
in swarm instances because the swarm manager would still maintain
and return cluster state about the network even though it had
removed its sandbox and endpoint. This test verifies that after a
service gets added and removed that the ingress sandbox remains
in a functional state.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
(cherry picked from commit 805b6a7f749a6c7cbb237e21ee7260d536621808)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker trust` commands were moved out of experimental,
and the `docker trust view` command was changed to
`docker trust inspect --pretty`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2a6808db87)
