There is a bug in the SELinux patch for the lxc execdriver, that
causes lxc containers to blow up whether or not SELinux is enabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: ca4224762b5fe9a319b6c1724ee16d1552403269
Component: engine
When the code attempts to set the ProcessLabel, it checks if SELinux is
enabled. We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled. Calling
label.Init before setting up the rest of the container tells the library that
SELinux is enabled and everything works fine.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: d76ac4d429e474a7c79f7aab396e318f4e176025
Component: engine
If a system is configured for SELinux but does not know about docker or
containers, then we want the transitions of the policy to work. Hard coding
the labels causes docker to break on older Fedora and RHEL systems.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 32ad78b0430079dcc53c245826a244afa2d9b6b6
Component: engine
This adds a bit of documentation for the `-a` flag for docker run.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
Upstream-commit: 63c7941172376e81c5e17206f39d7c78c0e95b69
Component: engine
Such nodes could already be created by importing a tarball to a container; now
they can be created from within the container itself.
This gives non-privileged containers the mknod kernel capability, and modifies
their cgroup settings to allow creation of *any* node, not just whitelisted
ones. Use of such nodes is still controlled by the existing cgroup whitelist.
Docker-DCO-1.1-Signed-off-by: Kevin Wallace <kevin@pentabarf.net> (github: kevinwallace)
Upstream-commit: c94111b61988ad32d87f99d4421cbcde018c3fb4
Component: engine
We currently drop the global lock while holding a per-device lock when
waiting for device removal, and then we re-acquire it when the sleep is done.
This is causing an AB-BA deadlock if anyone at the same time tries to do any
operation on that device like this:
thread A:                 thread B:
grabs global lock
grabs device lock
releases global lock
sleeps
                          grabs global lock
                          blocks on device lock
wakes up
blocks on global lock
To trigger this you can for instance do:
ID=`docker run -d fedora sleep 5`
cd /var/lib/docker/devicemapper/mnt/$ID
docker wait $ID
docker rm $ID &
docker rm $ID
The unmount will fail due to the mount being busy thus causing the
timeout and the second rm will then trigger the deadlock.
We fix this by adding a lock ordering such that the device locks
are always grabbed before the global lock. This is safe since the
device lookups now have a separate lock.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 2ffef1b7eb618162673c6ffabccb9ca57c7dfce3
Component: engine
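The AB-BA deadlock and the lock-ordering fix described in this commit message, as an added Go example that is not Docker's own code: the deviceSet, devInfo, lookupDevice, deleteDevice and runConcurrentRemoves names are assumptions made for this model, and the busy flag and the sleeps stand in for the failed unmount and the removal timeout. runConcurrentRemoves(false) reproduces the two-thread interleaving from the message (global lock taken before the device lock) and returns false because the two removals never finish; runConcurrentRemoves(true) uses the fixed ordering, device lock before global lock with lookups behind their own lock, and both removals complete.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// devInfo models one device: its own lock plus a flag saying the mount is
// still busy, so the first unmount attempt fails and removal has to wait.
type devInfo struct {
	lock sync.Mutex
	busy bool
}

// deviceSet models the three locks involved: the embedded global lock, a
// separate lock that only guards the devices map, and the per-device locks.
// These names are assumptions for the example, not Docker's types.
type deviceSet struct {
	sync.Mutex
	devicesLock sync.Mutex
	devices     map[string]*devInfo
}

func newDeviceSet(ids ...string) *deviceSet {
	ds := &deviceSet{devices: map[string]*devInfo{}}
	for _, id := range ids {
		ds.devices[id] = &devInfo{busy: true}
	}
	return ds
}

// lookupDevice is the single lookup path. Because the map has its own lock,
// it can be called without holding the global lock.
func (ds *deviceSet) lookupDevice(id string) (*devInfo, error) {
	ds.devicesLock.Lock()
	defer ds.devicesLock.Unlock()
	info, ok := ds.devices[id]
	if !ok {
		return nil, fmt.Errorf("unknown device %q", id)
	}
	return info, nil
}

// deleteDevice removes a device, dropping the global lock while it waits for a
// busy mount and re-acquiring it afterwards. deviceFirst=false takes the global
// lock before the device lock (the AB-BA pattern); deviceFirst=true follows the
// fixed ordering: device lock first, then global lock.
func (ds *deviceSet) deleteDevice(id string, deviceFirst bool, wait time.Duration) error {
	info, err := ds.lookupDevice(id)
	if err != nil {
		return err
	}
	if deviceFirst {
		info.lock.Lock()
		defer info.lock.Unlock()
		ds.Lock()
		defer ds.Unlock()
	} else {
		ds.Lock()
		defer ds.Unlock()
		info.lock.Lock()
		defer info.lock.Unlock()
	}
	if info.busy {
		// Unmount failed because the mount is busy: sleep without the global
		// lock, then take it again while still holding the device lock.
		ds.Unlock()
		time.Sleep(wait)
		ds.Lock()
		info.busy = false
	}
	return nil
}

// runConcurrentRemoves starts two removals of the same device, the second one
// while the first is sleeping (the "docker rm $ID & docker rm $ID" case), and
// reports whether both finish within a timeout. false means they deadlocked.
func runConcurrentRemoves(deviceFirst bool) bool {
	ds := newDeviceSet("dev1")
	done := make(chan struct{}, 2)
	for i := 0; i < 2; i++ {
		go func() {
			_ = ds.deleteDevice("dev1", deviceFirst, 50*time.Millisecond)
			done <- struct{}{}
		}()
		time.Sleep(10 * time.Millisecond) // second remover arrives mid-sleep
	}
	timeout := time.After(500 * time.Millisecond)
	for i := 0; i < 2; i++ {
		select {
		case <-done:
		case <-timeout:
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("global lock first, both removals finished:", runConcurrentRemoves(false))
	fmt.Println("device lock first, both removals finished:", runConcurrentRemoves(true))
}
```

The ordering is safe for the reason the message gives: once every path takes the device lock before the global lock, no thread can hold the global lock while waiting for a device lock, so the sleep that releases and re-takes the global lock cannot close a cycle. The map lookup must not need the global lock for this to work, which is why the devices map gets its own lock.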
Currently access to the Devices map is serialized by the main
DeviceSet lock, but we need to access it outside that lock, so we
add a separate lock for this and grab that everywhere we modify
or read the map.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 70826e8b3fee27b971852aad89053507c6866d3e
Component: engine
This centralizes the lookup of devices so it is only done in one place.
This will be needed later when we change the locking for it.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: e01b71cebeb96755641a18762dea5b843f107bee
Component: engine
We already have this at the caller, no need to look up again.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 74edcaf1e84aa8bf35e496b2bead833172a79fca
Component: engine
We already have the info in most cases, no need to look this up multiple times.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 5955846774c9b43291d6de0584fa8c3f62414c43
Component: engine
All the callers already have the info, no need for an extra lookup.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: 8e39b35c7cd02bbb644b7faf2a434de0098e6dea
Component: engine
There is no need to look this up again, we have it already in all callers.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Upstream-commit: e5394e35c7a8f730ac76d24dee74d769049a0428
Component: engine
Especially but not limited to:
- make BINDDIR= ... - for when you don't want a bind mount at all
- make DOCSPORT=9000 docs - for when you want a not-8000 docs port
- when we can't determine a branch name, we don't try to "docker build -t docker: ." anymore - we just "docker build -t docker ." (thus allowing Docker to assume ":latest")
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
Upstream-commit: b51fe1783347c1bf679870925a271531a925b7e9
Component: engine
When the code attempts to set the ProcessLabel, it checks if SELinux is
enabled. We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled. Calling
label.Init before setting up the rest of the container tells the library that
SELinux is enabled and everything works fine.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 2224e0d65adfbd08e53430a1d7c750491f788257
Component: engine
If a system is configured for SELinux but does not know about docker or
containers, then we want the transitions of the policy to work. Hard coding
the labels causes docker to break on older Fedora and RHEL systems.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: f9b8161c60f58d383ca0eaf5a99865b83e4a41b8
Component: engine