Added daemon field to it, will use it later for acces to daemon from
handlers
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: d9ed3165228b60cb89c31d0d66b99e01ab83eb3e
Component: engine
It is simplifies code and lead to next refactoring step, where daemon
will be incorporated to some structure which represents API.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 181fea24aac7499a3d6dc0c8c9de67e6c0036140
Component: engine
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.
With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].
Libvirt has been doing this for quite a long time now.
Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
Portmapper fortunatelly keeps list of mapped ports,
so we can easily recreate firewall rules on firewalld restart/reload
New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
When setting a bridge, basic firewall rules are created.
This is done at once during start, it's parametrized and nowhere
tracked so how can one know what and how to set it again when
there's been firewalld restart/reload ?
The only solution that came to my mind is using of closures [4],
i.e. I keep list of references to closures (anonymous functions
together with a referencing environment) and when there's firewalld
restart/reload I re-call them in the same order.
3) links/links.go - linking containers
Link is added in Enable() and removed in Disable().
In Enable() we add a callback function, which creates the link,
that's OK so far.
It'd be ideal if we could remove the same function from
the list in Disable(). Unfortunatelly that's not possible AFAICT,
because we don't know the reference to that function
at that moment, so we can only add a reference to function,
which removes the link. That means that after creating and
removing a link there are 2 functions in the list,
one adding and one removing the link and after
firewalld restart/reload both are called.
It works, but it's far from ideal.
[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Upstream-commit: b052827e025267336f0d426df44ec536745821f8
Component: engine
Firewalld [1] is a firewall managing daemon with D-Bus interface.
What sort of problem are we trying to solve with this ?
Firewalld internally also executes iptables/ip6tables to change firewall settings.
It might happen on systems where both docker and firewalld are running
concurrently, that both of them try to call iptables at the same time.
The result is that the second one fails because the first one is holding a xtables lock.
One workaround is to use --wait/-w option in both
docker & firewalld when calling iptables.
It's already been done in both upstreams:
b315c380f4b3b451d6f8
But it'd still be better if docker used firewalld when it's running.
Other problem the firewalld support would solve is that
iptables/firewalld service's restart flushes all firewall rules
previously added by docker.
See next patch for possible solution.
This patch utilizes firewalld's D-Bus interface.
If firewalld is running, we call direct.passthrough() [2] method instead
of executing iptables directly.
direct.passthrough() takes the same arguments as iptables tool itself
and passes them through to iptables tool.
It might be better to use other methods, like direct.addChain and
direct.addRule [3] so it'd be more intergrated with firewalld, but
that'd make the patch much bigger.
If firewalld is not running, everything works as before.
[1] http://www.firewalld.org/
[2] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.passthrough
[3] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addChainhttps://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addRule
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
Upstream-commit: 8301dcc6d702a97feeb968ee79ae381fd8a4997a
Component: engine
Two main things
- Create a real struct Info for all of the data with the proper types
- Add test for REST API get info
Signed-off-by: Hu Keping <hukeping@huawei.com>
Upstream-commit: f4942ed864f00a31591ef0257a971ef41ddd4c70
Component: engine
After engine refactor, some functions are no longer used.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: 641a7ec9ad61a42b255d203b7791198431761104
Component: engine
THe port tests in integration-cli tests just for the port-mapping as
seen by Docker daemon. But it doesn't perform a more indepth testing by
checking for the exposed port on the host.
This change helps to fill that gap.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Upstream-commit: 448a1a7139cf89a0f4f985ec027a93799d0befb7
Component: engine
Fixing registry index
Tested on beta and this redirect works
Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: 7b2b7df3866d0c0101e9367b7f4f63bfed5faac4
Component: engine
Single value labels do not work in 1.6 and multi-label instructions only work when separated by non-EOL whitespace.
I also added an example snip from the inspect output with the labels that are included in this guide.
Signed-off-by: Jeff Nickoloff <jeff@allingeek.com>
Upstream-commit: 89df65be5d3ee72cd6e1b4aa53953a62f4b5d00a
Component: engine
- should be also easier to maintain
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Upstream-commit: bbe6df128802b22605f9eb079f105460ec78ac6f
Component: engine
- Compose teamhad forgotten some documentation
- Updated ENV for Distribution also
- Forgot one of the readability sections
Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: 3a883672417fcb2b3ac0d57d992285849840bfb2
Component: engine
Changed method declaration. Fixed all calls to dockerCmd
method to reflect the change.
resolves#12355
Signed-off-by: bobby abbott <ttobbaybbob@gmail.com>
Upstream-commit: 621b601b3c602aab5ef0f07903fdf413881bb261
Component: engine
The existing text didn't explain what had changed.
(See #9774)
Signed-off-by: Peter Waller <p@pwaller.net>
Upstream-commit: 609fa93aa2fd98f2eac30933623f15ece59e4527
Component: engine
