To ensure that we don't revert CVE-2017-14992, add a test that is quite
similar to that upstream tar-split test (create an empty archive with
lots of junk and make sure the daemon doesn't crash).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 0a13f827a10d3bf61744d9b3f7165c5885a39c5d)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
This helper acts like /dev/zero (outputs \x00 indefinitely) in an
OS-independent fashion. This ensures we don't need to special-case
around Windows in tests that want to open /dev/zero.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 2f8d3e1c33f77187c68893803018756d43daff15)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Update to the latest version of tar-split, which includes a change to
fix a memory exhaustion issue where a malformed image could cause the
Docker daemon to crash.
* tar: asm: store padding in chunks to avoid memory exhaustion
Fixes: CVE-2017-14992
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit e0ff7cccc3cac73da41ec9ef007b0e4e97c55d01)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Signed-off-by: John Stephens <johnstep@docker.com>
(cherry picked from commit a97817b673cbd3bfaf6e752282c4992ac43ff594)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
The `docker info` code was shelling out to obtain the
version of containerd (using the `--version` flag).
Parsing the output of this version string is error-prone,
and not needed, as the containerd API can return the
version.
This patch adds a `Version()` method to the containerd Client
interface, and uses this to get the containerd version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fec2b144feaaa18998ec2ed34c9bc843c4c29abd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is writeable, and can be used to remove devices. Containers do
not need to know about scsi devices.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Log drivers may have an internal buffer size that can be accommodated
by the copier as it is more effective to buffer and send fewer though
larger messages that the log driver can consume.
This eliminates the need for Partial handling for drivers that do not
support the concept (ie: awslogs, which can only have events up to
service limits).
Signed-off-by: Jacob Vallejo <jakeev@amazon.com>
Upstream-commit: e1ada0b885b31de0bb0e79b4d99ae4d48b65f721
Component: engine
Extra hosts (`extra_hosts` in compose-file, or `--hosts` in services) adds
custom host/ip mappings to the container's `/etc/hosts`.
The current implementation used a `map[string]string{}` as intermediate
storage, and sorted the results alphabetically when converting to a service-spec.
As a result, duplicate hosts were removed, and order of host/ip mappings was not
preserved (in case the compose-file used a list instead of a map).
According to the **host.conf(5)** man page (http://man7.org/linux/man-pages/man5/host.conf.5.html)
multi Valid values are on and off. If set to on, the resolver
library will return all valid addresses for a host that
appears in the /etc/hosts file, instead of only the first.
This is off by default, as it may cause a substantial
performance loss at sites with large hosts files.
Multiple entries for a host are allowed, and even required for some situations,
for example, to add mappings for IPv4 and IPv6 addreses for a host, as illustrated
by the example hosts file in the **hosts(5)** man page (http://man7.org/linux/man-pages/man5/hosts.5.html):
# The following lines are desirable for IPv4 capable hosts
127.0.0.1 localhost
# 127.0.1.1 is often used for the FQDN of the machine
127.0.1.1 thishost.mydomain.org thishost
192.168.1.10 foo.mydomain.org foo
192.168.1.13 bar.mydomain.org bar
146.82.138.7 master.debian.org master
209.237.226.90 www.opensource.org
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
This patch changes the intermediate storage format to use a `[]string`, and only
sorts entries if the input format in the compose file is a mapping. If the input
format is a list, the original sort-order is preserved.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: dbdf8f6468
Component: cli
The `--host-add` flag adds a new `host:ip` mapping. Even though
adding an entry is idempotent (adding the same mapping multiple
times does not update the service's definition), it does not
_update_ an existing mapping with a new IP-address (multiple
IP-addresses can be defined for a host).
This patch removes the "or update" part from the flag's
description.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 79b19cba16
Component: cli
This adds a mechanism (read-only) to check for project quota support
in a standard way. This mechanism is leveraged by the tests, which
test for the following:
1. Can we get a quota controller?
2. Can we set the quota for a particular directory?
3. Is the quota being over-enforced?
4. Is the quota being under-enforced?
5. Can we retrieve the quota?
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Upstream-commit: 6966dc0aa9134c518babcbf1f02684cae5374843
Component: engine
Do not print "Data file" and "Metadata file" if they're
not used, and sort/group output.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 8f702de9b705ced68b6244239ac81d86ebdd6b0a
Component: engine
go1.8.5 (released 2017/10/25) includes fixes to the compiler, linker, runtime,
documentation, go command, and the crypto/x509 and net/smtp packages. It
includes a fix to a bug introduced in Go 1.8.4 that broke go get of non-Git
repositories under certain conditions. See the Go 1.8.5 milestone on our issue
tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.8.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 503fe408da376a046c37c4940f7f3af0cfa81c38
Component: engine
golang:1.8.4-alpine does not have multi-arch images available in the
manifest. (s390x, ppc64le, etc.)
This makes it so that if you are trying to compile on different
arches you aren't forced to have to write your own Dockerfile and can
instead use the one bundled with the CLI repo.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 9d1d9f2fa3
Component: cli
and enable the new WarnUnmatchedDirective to warn if a nolint is unnecessary.
remove some unnecessary nolint
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: c0d004f7cf
Component: cli
The example in the documentation used "runc", which is a
reserved runtime name (as it's the default).
This patch updates the example, and uses a different name.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 1e5d013064
Component: cli
Since the API and the CLI both have a "Usage" field for memory, clarify
that the CLI does additional calculations to avoid confusion of API
consumers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: a6acacc533
Component: cli
Currently, if a container removal has failed for some reason,
any client waiting for removal (e.g. `docker run --rm`) is
stuck, waiting for removal to succeed while it has failed already.
For more details and the reproducer, please check
https://github.com/moby/moby/issues/34945
This commit addresses that by allowing `ContainerWait()` with
`container.WaitCondition == "removed"` argument to return an
error in case of removal failure. The `ContainerWaitOKBody`
stucture returned to a client is amended with a pointer to `struct Error`,
containing an error message string, and the `Client.ContainerWait()`
is modified to return the error, if any, to the client.
Note that this feature is only available for API version >= 1.34.
In order for the old clients to be unstuck, we just close the connection
without writing anything -- this causes client's error.
Now, docker-cli would need a separate commit to bump the API to 1.34
and to show an error returned, if any.
[v2: recreate the waitRemove channel after closing]
[v3: document; keep legacy behavior for older clients]
[v4: convert Error from string to pointer to a struct]
[v5: don't emulate old behavior, send empty response in error case]
[v6: rename legacy* vars to include version suffix]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: f963500c544daa3c158c0ca3d2985295c875cb6b
Component: engine
To ensure that namesgenerator binary outputs random name
by initializing Seed.
Signed-off-by: Mizuki Urushida <z11111001011@gmail.com>
not use init function.
Signed-off-by: Mizuki Urushida <z11111001011@gmail.com>
Upstream-commit: eaab2f715039e212dd67c71c30f1f8a8cfc03ded
Component: engine
This changeset allows Docker's VFS, and Overlay to take advantage of
Linux's zerocopy APIs.
The copy function first tries to use the ficlone ioctl. Reason being:
- they do not allow partial success (aka short writes)
- clones are expected to be a fast metadata operation
See: http://oss.sgi.com/archives/xfs/2015-12/msg00356.html
If the clone fails, we fall back to copy_file_range, which internally
may fall back to splice, which has an upper limit on the size
of copy it can perform. Given that, we have to loop until the copy
is done.
For a given dirCopy operation, if the clone fails, we will not try
it again during any other file copy. Same is true with copy_file_range.
If all else fails, we fall back to traditional copy.
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Upstream-commit: 3ec4ec2857c714387e7b59c2cf324565f6ae55e2
Component: engine
For obvious reasons that it is not really supported now.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 5a9b5f10cf967f31f0856871ad08f9a0286b4a46
Component: engine
Checks + pulls down the frozen images in the integration-cli
tests too. Fixes an issue where they wouldn't be pulled if running
against just integration-cli tests, e.g. through TESTFLAGS
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: c95b17e598409000deb265945c5e80256de7db9f
Component: engine
The experimental `docker build --squash` feature has a number
of limitations. For most use-cases, multi-stage builds are
a better alternative.
This patch lists the known limitations, and adds a link to
multi-stage builds.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: bcc228ac6b
Component: cli
The shutdown timeout for containers in insufficient on Windows. If the daemon is shutting down, and a container takes longer than expected to shut down, this can cause the container to remain in a bad state after restart, and never be able to start again. Increasing the timeout makes this less likely to occur.
Signed-off-by: Darren Stahl <darst@microsoft.com>
Upstream-commit: ed74ee127f42f32ee98be7b908e1562b1c0554d7
Component: engine
Probably a good idea to treat `*.Dockerfile` as dockerfile format as well. In general, it's better to use the `Dockerfile` part as an extension rather than a basename.
Signed-off-by: Andrew Pennebaker <andrew.pennebaker@gmail.com>
Upstream-commit: 2f5146ba1d413a7a07943648fd37e73f076361be
Component: engine
Before this commit if "--config-file" wasn't set the daemon would use
the default configuration file which is "/etc/docker/daemon.json".
When attempting to reload the daemon if that file didn't exist
and error message would display.
This behaviour is changed in a way that if the default configuration
file does not exist and no other configuration file is set
the daemon uses an empty configuration which later will be updated
and reloaded using the "reload" function given as an argument in Reload.
However, if the "--config-file" is set and the file is removed
or renamed an error message will be displayed and no reload will be done.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Upstream-commit: 0f8119a87dc301e9543c45c416d6b4545da1fc46
Component: engine
Ensures that the frozen test images are loaded in the daemon
before any tests are run.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: 58151358c0c296c2cf601aea528d5e8a11a20d12
Component: engine
In some cases (e.g. NFS), a chown may technically be a no-op but still
return `EPERM`, so only call `chown` when neccessary.
This is particularly problematic for docker users bind-mounting an NFS
share into a container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: fa9709a3fc51785c3dc0f7ca8f54dafde2e291ab
Component: engine
Update golang.org/x/sys to 8dbc5d05d6edcc104950cc299a1ce6641235bc86 in
order to get the Major, Minor and Mkdev functions for every unix-like
OS. Use them instead of the locally defined versions which currently use
the Linux specific device major/minor encoding.
This means that the device number should now be properly encoded on e.g.
Darwin, FreeBSD or Solaris.
Also, the SIGUNUSED constant was removed from golang.org/x/sys/unix in
https://go-review.googlesource.com/61771 as it is also removed from the
respective glibc headers.
Remove it from signal.SignalMap as well after the golang.org/x/sys
re-vendoring.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Upstream-commit: 86f080cff0914e9694068ed78d503701667c4c00
Component: engine
Describe more how host port allocation is done when
container is stopped/started in "PublishAllPorts".
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Upstream-commit: dfd706e1a59c3830c87b8240c466489ae6cc9d15
Component: engine
With `rprivate` there exists a race where a reference to a mount has
propagated to the new namespace, when `rprivate` is set the parent
namespace is not able to remove the mount due to that reference.
With `rslave` unmounts will propagate correctly into the namespace and
prevent the sort of transient errors that are possible with `rprivate`.
This is a similar fix to 117c92745b
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 5ede64d63fec0b9d4cf921b6f8fb946e65287538
Component: engine
When runc is bind-mounting a particular path "with options", it has to
do so by first creating a bind-mount and the modifying the options of
said bind-mount via remount. However, in a user namespace, there are
restrictions on which flags you can change with a remount (due to
CL_UNPRIVILEGED being set in this instance). Docker historically has
ignored this, and as a result, internal Docker mounts (such as secrets)
haven't worked with --userns-remap. Fix this by preserving
CL_UNPRIVILEGED mount flags when Docker is spawning containers with user
namespaces enabled.
Ref: https://github.com/opencontainers/runc/pull/1603
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Upstream-commit: c0f883fdeeb2480970fb48fbcbc2a842aa5a90e8
Component: engine
If a 400 error is returned due to an API version mismatch, no
version and server-identification headers were returned by the API.
All information in these headers is "static", so there is no
reason to omit the information in case of an error being
returned.
This patch updates the version middleware to always
return the headers.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: e9dac5ef5e8a4b0ecce0c89d337fea90f2c6aef3
Component: engine
If a network is created with a name that matches another
network's ID, the network with that name was masking the
other network's ID.
As a result, it was not possible to remove the network
with a given ID.
This patch changes the order in which networks are
matched to be what we use for other cases;
1. Match on full ID
2. Match on full Name
3. Match on Partial ID
Before this patch:
$ docker network create foo
336717eac9eaa3da6557042a04efc803f7e8862ce6cf96f6b9565265ba5c618b
$ docker network create 336717eac9eaa3da6557042a04efc803f7e8862ce6cf96f6b9565265ba5c618b
4a698333f1197f20224583abce14876d7f25fdfe416a8545927006c315915a2a
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
4a698333f119 336717eac9eaa3da6557042a04efc803f7e8862ce6cf96f6b9565265ba5c618b bridge local
d1e40d43a2c0 bridge bridge local
336717eac9ea foo bridge local
13cf280a1bbf host host local
d9e4c03728a0 none null local
$ docker network rm 336717eac9eaa3da6557042a04efc803f7e8862ce6cf96f6b9565265ba5c618b
4a698333f1197f20224583abce14876d7f25fdfe416a8545927006c315915a2a
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
d1e40d43a2c0 bridge bridge local
336717eac9ea foo bridge local
13cf280a1bbf host host local
d9e4c03728a0 none null local
After this patch:
$ docker network create foo
2d1791a7def4e2a1ef0f6b83c6add333df0bb4ced2f196c584cb64e6bd94b835
$ docker network create 2d1791a7def4e2a1ef0f6b83c6add333df0bb4ced2f196c584cb64e6bd94b835
6cbc749a529cd2d9d3b10566c84e56c4203dd88b67417437b5fc7a6e955dd48f
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
6cbc749a529c 2d1791a7def4e2a1ef0f6b83c6add333df0bb4ced2f196c584cb64e6bd94b835 bridge local
166c943dbeb5 bridge bridge local
2d1791a7def4 foo bridge local
6c45b8aa6d8e host host local
b11c96b51ea7 none null local
$ docker network rm 2d1791a7def4e2a1ef0f6b83c6add333df0bb4ced2f196c584cb64e6bd94b835
2d1791a7def4e2a1ef0f6b83c6add333df0bb4ced2f196c584cb64e6bd94b835
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
6cbc749a529c 2d1791a7def4e2a1ef0f6b83c6add333df0bb4ced2f196c584cb64e6bd94b835 bridge local
166c943dbeb5 bridge bridge local
6c45b8aa6d8e host host local
b11c96b51ea7 none null local
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: e52001c56e12e4fc63fb5d89ef919295d6ddd5d5
Component: engine
83c2152de503012195bd26069fd8fbd2dea4b32f sets the kernel param for
fs.may_detach_mounts, but this is not neccessary for the daemon to
operate. Instead of erroring out (and thus aborting startup) just log
the error.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: c6a2044497e0e1ff61350859c8572a2c31c17ced
Component: engine
Fixes previously flaky TestAPISwarmRaftQuorum.
In the test we are shutting down 2 of 3 nodes, all of which are managers.
When this happens the remaining node prepares to step down from being
a leader because there is no longer an active quorum. This test was
written before that change was implemented, and assumes that the
remaining node can still handle requests to create a service (it can't)
There was further flakiness depending on whether or not the node has
stepped down or was in the process of doing so. Fix this by waiting
for the node to completely step down and checking to see if it errors
out like it should.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: fd32d49c490126d830be6c1008ab20f6ffcee56c
Component: engine
As part of the Moby transition (see #35115), update the Roadmap to
reflect the new priorities. Also just update it as it was written
a while back, and we made some progress in areas such as `containerd`.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: de86d33b4a39d095e29b4857bc768363a70b3adc
Component: engine
The main point is to fix a non ASCII space character that wrecks the
markdown handling.
Signed-off-by: Akim Demaille <akim.demaille@docker.com>
Upstream-commit: ce58cd5a346d2ef02cd9b893e4a51f10382aaf11
Component: engine
No longer used as we are using the Moby logo.
Refer to #35115 for more details.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 9b87491729ad0b3e7bc2a97a1006ae43f5aef969
Component: engine
Also add TEST_DEBUG env variable for debugging E2E tests.
And change icmd environment helpers to fit the CmdOp interface os they
can be passed to 'icmd.RunCmd()'
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: b11c11ea74
Component: cli
This PR adds the nice concept of "Lego set" back in README.md.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: d3787d1fdabd1c01b1de1aa761d76f888a533a01
Component: engine
Commit e98e4a71110fd33852bb755a9b8b4ebc9df904db implemented API version
negotiation using the `/_ping` endpoint. In that change, URL validation for the
maximum supported API version was removed from the API server (validation for
the _minimum_ version was kept in place).
With this feature, clients that support version negotiation would negotiate the
maximum version supported by the daemon, and downgrade to an older API version
if the client's default API version is not supported.
However, clients that do _not_ support version negotiation can call API versions
that are higher than the maximum supported version. Due to the missing version
check, this is silently ignored, and the daemon's default API version is used.
This is a problem, because the actual API version in use is non-deterministic;
for example, calling `/v9999.9999/version` on a daemon that runs API v1.34 will
use API v1.34, but calling the same URL on an older daemon may use API version
v1.24.
This patch reverts the removal of the API check for maximum supported versions.
The documentation has been updated accordingly
Before this patch is applied, the daemon returns a 200 (success):
$ curl -v --unix-socket /var/run/docker.sock http://localhost/v9999.9999/version
* Trying /var/run/docker.sock...
* Connected to localhost (/Users/sebastiaan/Library/Containers/com.dock) port 80 (#0)
> GET /v9999.9999/version HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Api-Version: 1.32
< Content-Length: 240
< Content-Type: application/json
< Date: Tue, 10 Oct 2017 09:11:29 GMT
< Docker-Experimental: true
< Ostype: linux
< Server: Docker/17.09.0-ce (linux)
<
{"Version":"17.09.0-ce","ApiVersion":"1.32","MinAPIVersion":"1.12","GitCommit":"afdb6d4","GoVersion":"go1.8.3","Os":"linux","Arch":"amd64","KernelVersion":"4.9.49-moby","Experimental":true,"BuildTime":"2017-09-26T22:45:38.000000000+00:00"}
* Connection #0 to host localhost left intact
After this patch is applied, a 400 (Bad Request) is returned:
$ curl -v --unix-socket /var/run/docker.sock http://localhost/v9999.9999/version
* Trying /var/run/docker.sock...
* Connected to localhost (/var/run/docker.sock) port 80 (#0)
> GET /v9999.9999/info HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Content-Type: application/json
< Date: Tue, 10 Oct 2017 08:08:34 GMT
< Content-Length: 89
<
{"message":"client version 9999.9999 is too new. Maximim supported API version is 1.34"}
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 01f9227ec9116b3969cb0725787e43a5fa26aac2
Component: engine
This patch removes the nested if's in the Get function
and makes the code more readable.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
Upstream-commit: 36ebf9489c3c6c8422d8ff9bb6e2cb65a9a66698
Component: engine
- Call the function that create an event entry while volumes are
pruning.
- Pass volume.Volume type on volumeRm instead of a name. Volume lookup is done
on the exported VolumeRm function.
- Skip volume deletion when force option used and it does not exists.
Signed-off-by: Nicolas Sterchele <sterchele.nicolas@gmail.com>
Upstream-commit: 63864ad8c17f0119a38af3cb9b1bc64a8afd0584
Component: engine
As described in #35115 Completing the Moby Transition, we would like to complete the transition
stage that we began a while back. This tries to clarify what and who this project is for.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 737410d3f5f8579a26cfa009f4a654bbdf9ce485
Component: engine
Signed-off-by: John Howard <jhoward@microsoft.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: d2c41f06c36dc24b2170fef365563d64cc5bd8ec
Component: engine
ContainerExecAttach used `types.ExecConfig` instead of `types.ExecStartCheck`,
which is the type that's expected by the `/exec/execid/start` API endpoint.
Investigating when this inconsistency was introduced, I found that the client has
sent the additional properties since its first imlpementation in
c786a8ee5e9db8f5f609cf8721bd1e1513fb0043.
The `postContainerExecStart()` at that time used the "jobs" package, which
only took the information from the body that was needed (`Detach` and `Tty`).
Commit 24425021d26f29a475702064181e6c99fb6bd1c5 refactored the Exec commands
to remove the "jobs", and introduced the `ExecStartCheck` type, but failed to
update the `cli.hijack()` call with the new type.
The change in this patch should not affect compatibility with older clients,
as the additional information from the `ExecConfig` type is not used (the
API server already decodes to the `ExecStartCheck` type).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 5fee8bddfeb9b268f3e0b3c91e0932ee9a5eff83
Component: engine
- The default was not changed in 17.09 but will be in 17.10
- `service scale` and `service rollback` are also affected.
Signed-off-by: Harald Albers <github@albersweb.de>
Upstream-commit: 20d9ceca78
Component: cli
The default value for
`docker service create|update|scale|rollback --detach|-d` changed from
`true` to `false`.
This updates bash completion to complete just `--detach|-d`.
Signed-off-by: Harald Albers <github@albersweb.de>
Upstream-commit: 60bfaba6fb
Component: cli
Signed-off-by: John Howard <jhoward@microsoft.com>
This PR has the API changes described in https://github.com/moby/moby/issues/34617.
Specifically, it adds an HTTP header "X-Requested-Platform" which is a JSON-encoded
OCI Image-spec `Platform` structure.
In addition, it renames (almost all) uses of a string variable platform (and associated)
methods/functions to os. This makes it much clearer to disambiguate with the swarm
"platform" which is really os/arch. This is a stepping stone to getting the daemon towards
fully multi-platform/arch-aware, and makes it clear when "operating system" is being
referred to rather than "platform" which is misleadingly used - sometimes in the swarm
meaning, but more often as just the operating system.
Upstream-commit: 0380fbff37922cadf294851b1546f4c212c7f364
Component: engine
These files don't exist under proc so this rule does nothing.
They are protected against by docker's default cgroup devices since they're
both character devices and not explicitly allowed.
Signed-off-by: Tycho Andersen <tycho@docker.com>
Upstream-commit: b4a6ccbc5fe695062111cad5a20bb3d0ac5a94db
Component: engine
Update logic to choose manifest from manifest list to check
for os version on Windows. Separate the logic for windows
and unix to keep unix logic the same.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Upstream-commit: 38aef56e1fcb8ea318df98c89cf002267b88a136
Component: engine
Markdown nested in a HTML table doesn't work, so changing
the link to a plain HTML link.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6b6511f191
Component: cli
It is the same thing
Signed-off-by: Alexander Morozov <lk4d4math@gmail.com>
Upstream-commit: 1a517a4a429d2b4db15383fc9d514fc8db66f8d3
Component: engine
Commit ebcb7d6b406fe50ea9a237c73004d75884184c33 removed string checking
for error messages, in favor of typed errors.
In this change, the status code for conflicting container names
changed from 409 to 400 (validationError).
This patch add a `nameConflictError`, changing the status code to
409 as it was in older versions.
With this change applied, the correct 409 status is returned:
```bash
$ docker create --name c1 busybox
```
```bash
$ curl --unix-socket /var/run/docker.sock -v -XPOST -H"Content-Type: application/json" -d'{"Image":"busybox"}' http://localhost/containers/create?name=c1
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying /var/run/docker.sock...
* Connected to localhost (/var/run/docker.sock) port 80 (#0)
> POST /containers/create?name=c1 HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 19
>
* upload completely sent off: 19 out of 19 bytes
< HTTP/1.1 409 Conflict
< Api-Version: 1.33
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/17.06.0-dev (linux)
< Date: Thu, 28 Sep 2017 15:07:23 GMT
< Content-Length: 229
<
{"message":"Conflict. The container name \"/c1\" is already in use by container \"ed2efdc806c1883954e677eb9ab8cbc7e286c9c5934ef6724fd5d93c56744923\". You have to remove (or rename) that container to be able to reuse that name."}
* Curl_http_done: called premature == 0
* Connection #0 to host localhost left intact
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: e424343b4348f994d5c2922e7556629a620b4b3b
Component: engine
Commit ddadd3db49 changed
the heading levels of various sections, but as a result,
the "daemon configuration file" section (and other sections)
changed from a H2 to a H4, therefore no longer showing
up in the page's TOC / navigation bar.
This patch changes the heading level to a H3 for
sections that should show up in the page navigation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: aca0421eb8
Component: cli
s390x node-1 has kernel 4.6.0, kernel.CompareKernelVersion()
returns 0 if the kernels are equal, so include that.
Full logic for CompareKernelVersion() is
a > b ret 1,
a == b ret 0,
a < b ret -1
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: aa5ea652c8864f014e1fa480d7e504f0d742c170
Component: engine
When deploying a stack from a compose file, the output did not show
that a secret or config was created. This patch adds messages for these.
Create a configuration file and compose file:
$ cat > config.yml <<EOF
hello: world
EOF
$ cat > secret.txt <<EOF
p@ssw0rd
EOF
$ cat > docker-compose.yml <<EOF
version: "3.3"
services:
test:
image: nginx:alpine
configs:
- source: myconfig
target: /my-config.yml
secrets:
- source: mysecret
target: /my-secret.txt
configs:
myconfig:
file: ./config.yml
secrets:
mysecret:
file: ./secret.txt
EOF
Before this patch is applied:
$ docker stack deploy -c docker-compose.yml example
Creating network example_default
Creating service example_test
After this patch is applied:
$ docker stack deploy -c docker-compose.yml example
Creating network example_default
Creating secret example_mysecret
Creating config example_myconfig
Creating service example_test
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: a5113f4368
Component: cli
Also skip.IfCondition directly from the test, so that the skip message is correct
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 104c1c68438c5c59ab0e7a5fb2da6bae4ce6d080
Component: engine
I strongly disagree with the design of this pull request.
Signed-off-by: David Sheets <dsheets@docker.com>
Upstream-commit: 1574d91463efd4741c2f6620718abdb624967584
Component: engine
The missing console mode constants were added to go-ansiterm in
Azure/go-ansiterm#23. Use these constants instead of defining them
locally.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Upstream-commit: 9335683fa50c4863ada4bf00a30e7dfbfef3c783
Component: engine
Re-vendor go-ansiterm to d6e3b3328b783f23731bc4d058875b0371ff8109 in
order to get the newly added console mode constants.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Upstream-commit: 2b946fbc7012eff745e23aa43672f4ce4c5208a6
Component: engine
Running `docker service ps --quiet` should print the
full, non-truncated ID, even if the `--no-trunc` option
is not set.
This patch disables truncation if the `--quiet` flag
is set.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: c5f267d95c
Component: cli
removes the stevvooe/continuity dependency, which has moved to
containerd/continuity.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 197842fd45
Component: cli
removes the stevvooe/continuity dependency, which has moved to
containerd/continuity.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: e3c130df944bc433efe7bc5bddebbb1ac0f35d93
Component: engine
Docker 17.10 was cut off from ab2b03a0e139537376bbf66c1e1e9e897a403f06
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 288abf0854852b4542da359400b3c29e99941fc9
Component: engine
Changed push message from "The push refers to a repository" to "The push refers to the repository" to make it clearer that this is just an information about the local source and not a distinction between pushing single images or whole repositories.
Signed-off-by: Pascal <pascalgn@users.noreply.github.com>
Upstream-commit: d82948b75d8aba97816ff5257240c1edb5e8de5b
Component: engine
Includes a fix to cleanup unused vendor-directories
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 67b1f54dc2413a018ac42e4335ca182a2d0b8a1d
Component: engine
When use overlay2 as the graphdriver and the kernel enable
`CONFIG_OVERLAY_FS_REDIRECT_DIR=y`, rename a dir in lower layer
will has a xattr to redirct its dir to source dir. This make the
image layer unportable. This patch fallback to use naive diff driver
when kernel enable CONFIG_OVERLAY_FS_REDIRECT_DIR
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Upstream-commit: 49c3a7c4bac2877265ef8c4eaf210159560f08b4
Component: engine
you must stop all containers before upgrading to Docker CE 17.11.
If you don't, any containers started by Docker versions that predate
17.11 won't be recognized by Docker after the upgrade and will keep
running, un-managed, on the system.
### Builder
*Reset uid/gid to 0 in uploaded build context to share build cache with other clients [docker/cli#513](https://github.com/docker/cli/pull/513)
+ Add support for `ADD` urls without any sub path [moby/moby#34217](https://github.com/moby/moby/pull/34217)
*Test & Fix build with rm/force-rm matrix [moby/moby#35139](https://github.com/moby/moby/pull/35139)
- Fix build with `--stream` with a large context [moby/moby#35404](https://github.com/moby/moby/pull/35404)
### Client
*Move output of `docker stack rm` to stdout [docker/cli#491](https://github.com/docker/cli/pull/491)
*Use natural sort secrets and configs in cli [docker/cli#307](https://github.com/docker/cli/pull/307)
*Use non-detached mode as default for `docker service` commands [docker/cli#525](https://github.com/docker/cli/pull/525)
* Set APIVersion on the client, even when Ping fails [docker/cli#546](https://github.com/docker/cli/pull/546)
- Fix loader error with different build syntax in `docker stack deploy` [docker/cli#544](https://github.com/docker/cli/pull/544)
*Change the default output format for `docker container stats` to show `CONTAINER ID` and `NAME` [docker/cli#565](https://github.com/docker/cli/pull/565)
+ Add `--no-trunc` flag to `docker container stats` [docker/cli#565](https://github.com/docker/cli/pull/565)
+ Add support for Windows version filtering on pull [moby/moby#35090](https://github.com/moby/moby/pull/35090)
- Fixes LCOW after containerd 1.0 introduced regressions [moby/moby#35320](https://github.com/moby/moby/pull/35320)
* ContainerWait on remove: don't stuck on rm fail [moby/moby#34999](https://github.com/moby/moby/pull/34999)
* oci: obey CL_UNPRIVILEGED for user namespaced daemon [moby/moby#35205](https://github.com/moby/moby/pull/35205)
* Don't abort when setting may_detach_mounts [moby/moby#35172](https://github.com/moby/moby/pull/35172)
- Fix panic on get container pid when live restore containers [moby/moby#35157](https://github.com/moby/moby/pull/35157)
- Mask `/proc/scsi` path for containers to prevent removal of devices (CVE-2017-16539) [moby/moby#35399](https://github.com/moby/moby/pull/35399)
* Update to github.com/vbatts/tar-split@v0.10.2 (CVE-2017-14992) [moby/moby#35424](https://github.com/moby/moby/pull/35424)
### Swarm Mode
*Produce an error if `docker swarm init --force-new-cluster` is executed on worker nodes [moby/moby#34881](https://github.com/moby/moby/pull/34881)
+ Add support for `.Node.Hostname` templating in swarm services [moby/moby#34686](https://github.com/moby/moby/pull/34686)
*Modifying integration test due to new ipam options in swarmkit [moby/moby#35103](https://github.com/moby/moby/pull/35103)
- Fix deadlock on getting swarm info [moby/moby#35388](https://github.com/moby/moby/pull/35388)
+ Expand the scope of the `Err` field in `TaskStatus` to also cover non-terminal errors that block the task from progressing [docker/swarmkit#2287](https://github.com/docker/swarmkit/pull/2287)
### Packaging
+ Build packages for Debian 10 (Buster) [docker/docker-ce-packaging#50](https://github.com/docker/docker-ce-packaging/pull/50)
+ Build packages for Ubuntu 17.10 (Artful) [docker/docker-ce-packaging#55](https://github.com/docker/docker-ce-packaging/pull/55)
// check that the public key is the only file output in CWD
cwdKeyFiles,err:=ioutil.ReadDir(pubKeyCWD)
assert.NoError(t,err)
assert.Len(t,cwdKeyFiles,1)
}
funcTestValidateKeyArgs(t*testing.T){
pubKeyCWD,err:=ioutil.TempDir("","pub-keys-")
assert.NoError(t,err)
deferos.RemoveAll(pubKeyCWD)
err=validateKeyArgs("a",pubKeyCWD)
assert.NoError(t,err)
err=validateKeyArgs("a/b",pubKeyCWD)
assert.Error(t,err)
assert.Equal(t,err.Error(),"key name \"a/b\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character")
err=validateKeyArgs("-",pubKeyCWD)
assert.Error(t,err)
assert.Equal(t,err.Error(),"key name \"-\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character")
returnfmt.Errorf("key name \"%s\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character",options.keyName)
assert.Contains(t,fmt.Sprintf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add",pubKeyFilepath),err.Error())
Short:"Manage entities who can sign Docker images (experimental)",
Args:cli.NoArgs,
RunE:command.ShowHelp(dockerCli.Err()),
}
cmd.AddCommand(
newSignerAddCommand(dockerCli),
newSignerRemoveCommand(dockerCli),
)
returncmd
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
