Update libnetwork to 1b91bc94094ecfdae41daa465cc0c8df37dfb3dd to bring in a fix
for stale HNS endpoints on Windows:
When Windows Server 2016 is restarted with the Docker service running, it is
possible for endpoints to be deleted from the libnetwork store without being
deleted from HNS. This does not occur if the Docker service is stopped cleanly
first, or forcibly terminated (since the endpoints still exist in both). This
change works around the issue by removing any stale HNS endpoints for a network
when creating it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fb364f07468e94226250a1e77579ee6117c64be2)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
This updates libnetwork to 8892d7537c67232591f1f3af60587e3e77e61d41 to bring in
IPAM fixes for duplicate IP addresses.
- IPAM tests (libnetwork PR 2104) (no changes in vendored files)
- Fix for Duplicate IP issues (libnetwork PR 2105)
Also bump golang/x/sync to match libnetwork (no code-changes, other
than the README being updated)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55e0fe24db68b16edccb2fa49c3b1b9d3a9ce58c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This PR prevents automatic removal of the load balancing sandbox
endpoint when the endpoint is the last one in the network but
the network is marked as ingress.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
(cherry picked from commit bebad150c9c3bc6eb63758c10ef24b9298ecf6e2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ingress networks will no longer automatically remove their
load-balancing endpoint (and sandbox) automatically when the network is
otherwise upopulated. This is to prevent automatic removal of the
ingress networks when all the containers leave them. Therefore
explicit removal of an ingress network also requires explicit removal
of its load-balancing endpoint.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
(cherry picked from commit 3da4ebf355d3494d1403b2878a1ae6958b2724e9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The commit https://github.com/moby/moby/pull/35422 had the result of
accidentally causing the removal of the ingress network when the
last member of a service left the network. This did not appear
in swarm instances because the swarm manager would still maintain
and return cluster state about the network even though it had
removed its sandbox and endpoint. This test verifies that after a
service gets added and removed that the ingress sandbox remains
in a functional state.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
(cherry picked from commit 805b6a7f749a6c7cbb237e21ee7260d536621808)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests were enabled by changing a config option on the ci
machines, instead of from a patch, so let me disable them
for now on ppc64le and open up another patch to enable them, where I can find
out what the issues are with them.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
(cherry picked from commit 620ddc78a1437feaa42f40853ef586d268991620)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 33dd562e3acff71ee18a2543d14fcbecf9bf0e62)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only in case of --ipc private.
This happens because in this case the mount comes from OCI spec
(since commit 7120976d74195), and is a regression caused by that
commit.
The meaning of --read-only flag is to only have a "main" container
filesystem read-only, not the auxiliary stuff (that includes /dev/shm,
other mounts and volumes, --tmpfs, /proc, /dev and so on).
So, let's make sure /dev/shm that comes from OCI spec is not made
read-only.
Fixes: 7120976d74195 ("Implement none, private, and shareable ipc modes")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit cad74056c09f6276b0f4a996a1511553177cd3d7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There was a typo with the buildmode flag for containerd
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 5e4885b9afb1de30133627ce751af2c0e7b72a4e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These were originally static binaries in the first place, this changes
them back to that.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit 63c7bb24637fdbfd905096ecc75b435ecefd31e9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Ingress network should not be attachable
Ingress network is a special network used only to expose
ports. For this reason the network cannot be explicitly
attached during service create or service update
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With the inclusion of PR 30897, creating service for host network
fails in 18.02. Modified IsPreDefinedNetwork check and return
NetworkNameError instead of errdefs.Forbidden to address this issue
Signed-off-by: selansen <elango.siva@docker.com>
(cherry picked from commit 7cf8b20762cc9491f52ff3f3d94c880378183696)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix runc exec on big-endian, causing:
container_linux.go:265: starting container process caused "open /dev/pts/4294967296: no such file or directory"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aab5eaddccb8cb196fdb1e285890dfa94a071b14)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5
Possibly relevant changes included:
- chroot when no mount namespaces is provided
- fix systemd slice expansion so that it could be consumed by cAdvisor
- libcontainer/capabilities_linux: Drop os.Getpid() call
- Update console dependency to fix runc exec on BE (causing: `container_linux.go:265: starting container process caused "open /dev/pts/4294967296: no such file or directory"`)
- libcontainer: setupUserNamespace is always called (fixes: Devices are mounted with wrong uid/gid)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a2f5a1a5b2d77d694c5bd47798be15b3c0bcdf70)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Originally I worked on this for the multi-stage build Dockerfile
changes. Decided to split this out as we are still waiting for
multi-stage to be available on CI and rebasing these is pretty annoying.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit b529d1b0936b90ae14d584c73f7332919f8d76b7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit 00d409f03ed825f623b6ef8ec5a3a91cd26194c2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove TestBuildRenamedDockerfile and TestBuildDockerfileOutsideContext
that are cli-only tests (and already tested in the docker/cli
repository).
Also adds some comments on few tests that could be migrate to
docker/cli.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 894c213b3bd6f4d8f344837b5b5084360a013680)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit 847b610620a8b8294d61c717d3c4aa13cb7a8b33)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
This leaks information about keyrings on the host. Keyrings are
not namespaced.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: de23cb939858a66829d5b75057c7ac664c5acda5
Component: engine
Also adds a note to the API version history
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: a3efeaad529b945ce5af78c4b08a6ed47399f8d5
Component: engine
Use the default version because it is used by the client package
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: e73d742cd7deee396eac3c97664b40264ee358cb
Component: engine
Test made some bad assumptions about on-disk state of volume data.
This updates the test to only test based on what the volume API is
designed to provide.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 0df654f3d61d8691ee113a8429bcc8ef65786bc7
Component: engine
The function name should be TestUpdateCPUQuota and not TestUpdateCPUQUota.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 31825081d4c5e643a150b515547cb2a2ea223de4
Component: engine
Use client instead of helpers for TLS in integration test
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: a68ae4a2d95b1ff143025a435195af0f1ab30ace
Component: engine
