Ignore failure to set oom_score_adj, as happens in an unprivileged container.
Upstream-commit: d316e172da464bd7fb88e45069cb459f90f710bd
Component: engine
Also, do not shadow err with :=
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Upstream-commit: 44c280afbf27534dffdbc9c462692e4d2d3cc99a
Component: engine
- Do not create the default "bridge" network
- Get rid of the docker0 bridge
Signed-off-by: Alessandro Boch <aboch@docker.com>
Upstream-commit: a0af884d3a499460bdb8b41bc7cd61b1a56e6d22
Component: engine
init layer is read/write layer and not read only layer. Following commit
introduced new graph driver method CreateReadWrite.
ef5bfad Adding readOnly parameter to graphdriver Create method
So far only windows seem to be differentiating between above two methods.
Making this change to make sure -init layer calls right method so that
we don't have surprises in future.
Windows does not need init layer. This patch also gets rid of creation of
init layer on windows.
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Upstream-commit: 2508ca000e79dfe1a956b0078a0d196dd6b66dab
Component: engine
The restriction is no longer necessary given changes at the runc layer
related to mount options of the rootfs. Also cleaned up the docs on
restrictions left for userns enabled mode. Re-enabled tests related to
--read-only when testing a userns-enabled daemon in integration-cli.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Upstream-commit: 6062ae5742e49ec1a79073c327f3d1343c218a12
Component: engine
This moves the types for the `engine-api` repo to the existing types
package.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 91e197d614547f0202e6ae9b8a24d88ee131d950
Component: engine
Warn the user and fail daemon start if the graphdir path has any
elements which will deny access to the remapped root uid/gid.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
Upstream-commit: 43a1df6be2fa0c76b521680bbd5dc84db2cfd898
Component: engine
It is safe to set other namespaces to host when user ns is set to host
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
Upstream-commit: 3c3d2bf85229f9ca4879a24072762477e96c4344
Component: engine
Remove checks that prevent overlay and SELinux from working together.
Fixes are arriving in the 4.9 kernel.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Upstream-commit: b71cd179fa7651a48955d3879fae647d6d933bf0
Component: engine
Fixes: #25073
Update kernel memory on running containers without initialized
is forbidden only on kernel version older than 4.6.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: da5d66fb70064b093f73cc31eddb7e8285048161
Component: engine
A kernel may support any of these, but an admin may have unmounted
certain cgroups, so let's include that possibility in the error so
as to avoid users thinking they have a kernel issue.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Upstream-commit: 846f33f93d9cd32ed90680d106cd5d9eb96b0ddd
Component: engine
This version introduces the following:
- uses nanosecond timestamps for event
- ensure events are sent once their effect is "live"
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 29b2714580d085533c29807fa337c2b7a302abb6
Component: engine
This adds an `--oom-score-adjust` flag to the daemon so that the value
provided can be set for the docker daemon's process. The default value
for the flag is -500. This will allow the docker daemon to have a
less chance of being killed before containers do. The default value for
processes is 0 with a min/max of -1000/1000.
-500 is a good middle ground because it is less than the default for
most processes and still not -1000 which basically means never kill this
process in an OOM condition on the host machine. The only processes on
my machine that have a score less than -500 are dbus at -900 and sshd
and xfce( my window manager ) at -1000. I don't think docker should be
set lower, by default, than dbus or sshd so that is why I chose -500.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: a894aec8d81de5484152a76d76b80809df9edd71
Component: engine
Now that Windows base images can be loaded directly into docker via "docker load" of a specialized tar file (with docker pull support on the horizon) we no longer have need of the custom images code path that loads images from a shared central location. Removing that code and it's call points.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Upstream-commit: 3e109f349ff42ea1a0f555b6e645c51d9bc1539b
Component: engine
This also moves the variable holding the default runtime name from the
engine-api repository into docker repository
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: 69af7d0d13670b8e2a03a38b4d9a849fc109b338
Component: engine
This fix tries to fix logrus formatting by adding `f` to the end of
`logrus.[Error|Warn|Debug|Fatal|Panic|Info](` when formatting string
is present but the function `logrus.[Error|Warn|Debug|Fatal|Panic|Info](`
is used (incorrectly).
This fix is related to #23459, and is a follow up of #23461.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: d917723331c090d5003b70decda7f80bf123f966
Component: engine
SELinux labeling should be disabled when using --privileged mode
/etc/hosts, /etc/resolv.conf, /etc/hostname should not be relabeled if they
are volume mounted into the container.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Upstream-commit: c3dd6074b0f07cd7e57d677cc06b4c57a302a02f
Component: engine
There's no need to warn that "ip-forwarding" is disabled
if a container doesn't use networking.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 27f34593eac04fa5e43a540eb13b20d739169140
Component: engine
Containers using the host network stack (--net=host)
are not affected by "ip-forwarding" being disabled,
so there's not need to show a warning.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 5fb7f9b29e9a85f36d02c4ecec6c04498fdb4315
Component: engine
There was an error in validation logic before, should use period
instead of quota, and also add check for negative
number here, if not with that, it would had cpu.cfs_period_us: invalid argument
which is not good for users.
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
Upstream-commit: 62cb06a6c1db5599f1f5b9b95b298be83c509860
Component: engine
Running on kernel versions older than 3.10 has not been
supported for a while (as it's known to be unstable).
With the containerd integration, this has become more
apparent, because kernels < 3.4 don't support PR_SET_CHILD_SUBREAPER,
which is required for containerd-shim to run.
Change the previous "warning" to a "fatal" error, so
that we refuse to start.
There's still an escape-hatch for users by setting
"DOCKER_NOWARN_KERNEL_VERSION=1" so that they can
run "at their own risk".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 51b23d88422918c24291f5876df35f91b23a446a
Component: engine
Other places referring to the same configuration, including docs, have
the correct spelling.
Signed-off-by: Rodolfo Carvalho <rhcarvalho@gmail.com>
Upstream-commit: fee7e7c7a31023be9f0c26608e6cbd4e8a97d25b
Component: engine
Kernel has no limit for memory reservation, but in different
kernel versions, the default behavior is different.
On kernel 3.13,
docker run --rm --memory-reservation 1k busybox cat /sys/fs/cgroup/memory/memory.soft_limit_in_bytes
the output would be 4096, but on kernel 4.1, the output is 0.
Since we have minimum limit for memory and kernel memory, we
can have this limit for memory reservation as well, to make
the behavior consistent.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Upstream-commit: 50a61810056a421fb94acf26277995f2c1f31ede
Component: engine
