The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Upstream-commit: 80d99236c1ef9d389dbaca73c1a949da16b56b42
Component: engine
- Add fluentd logging driver to zsh completion #12876
- Add inspect --type flag to zsh completion #13187
- Respect -H option in zsh completion #13195
- Fix number of argument limit for pause and unpause in zsh completion
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
Upstream-commit: 12f67141f932db15fa9178b3304c7efbd485fd69
Component: engine
One part of script relies on messages that are
output by some system tool. In non-en locale
those messages get localized which breaks the
script.
This patch enforces en locale for that system
tool.
Signed-off-by: Maxim Kulkin <maxim.kulkin@gmail.com>
Upstream-commit: 8630ad1530f85c57a96f998e7251ee27c9cf267c
Component: engine
Adding in other areas per comments
Updating with comments; equalizing generating man page info
Updating with duglin's comments
Doug is right here again;fixing.
Signed-off-by: Mary Anthony <mary@docker.com>
Upstream-commit: eacae64bd89ccc95a6db7bda76d36014e71e70ac
Component: engine
This highlights `RUN`, `CMD`, and `ENTRYPOINT` lines using shell highlighting. It doesn't bother detecting the JSON forms, but that's OK because JSON arrays highlight pretty reasonably with shell highlights. :)
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: 62d3b1bf2e830b6cdf7c4df86d356d48b58b1ab0
Component: engine
Ubuntu Precise has a number of warts that made it non-trivial to add initially, but I've managed to work through some of them and come up with a working build. Two important parts to note are that it has neither the `btrfs` nor the `devicemapper` graphdriver backends since `btrfs-tools` and `libdevmapper-dev` in the precise repositories are too ancient for them to even compile.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: 98180b89543396c07c1f1ea420554fbcce31c513
Component: engine
This will now properly check whether /etc/init.d/docker or service docker is
invoking the script and respond to the user accordingly.
Signed-off-by: Steven Richards <steven@axiomzen.co>
Upstream-commit: e5ff643aed78fb5dfb5e3fef518dfe56b82b3023
Component: engine
It is needed to use network with --userland-proxy=false and for
--icc=false
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 6cc4cf7c0cc8ae56974f16b3b2053c82be722349
Component: engine
It is needed for blkio.weight support
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: ceca037d05faee05f4286b5e00e40936744a8236
Component: engine
Give Docker more time to kill containers before upstart kills Docker.
The default kill timeout is 5 seconds.
This will help decrease the chance of but not eliminate the chance of
orphaned container processes.
Signed-off-by: David Xia <dxia@spotify.com>
Upstream-commit: 2f9e7a067a7273a0f344c1c9a6397e4bb61d7554
Component: engine
This stops us from erroneously adding "squeeze-lts" to "oldstable" which is now "wheezy", not "squeeze" (but "oldoldstable" _is_ squeeze, hence the new check on `/etc/debian_version` being `6.*` instead, and done as a `case` for the eventual addition of `wheezy-lts`, etc).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Upstream-commit: c64466fb68c1ef204b8dc0759da62398a3372732
Component: engine
Alexander Morozov
Eric Windisch
Sebastiaan van Stijn
Jessica Frazelle
Jessie Frazelle
Steve Durrheimer
Vincent Bernat
Mrunal Patel
Avi Miller
Harald Albers
Maxim Kulkin
Shishir Mahajan
Michael Crosby
David Calavera
Asbjørn Enge
Mary Anthony
Tianon Gravi
Eric-Olivier Lamey
Qiang Huang
Steven Richards
Alexander Morozov
David Xia