- Volume store created dir with wrong permissions
- Local volume driver hardcoded uid/gid 0
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: d15734ec3c10eda667b716f67e18d5d86e708e3e
Component: engine
Since Go 1.7, context is a standard package. Since Go 1.9, everything
that is provided by "x/net/context" is a couple of type aliases to
types in "context".
Many vendored packages still use x/net/context, so vendor entry remains
for now.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 7d62e40f7e4f3c17d229a7687d6fcca5448de813
Component: engine
Fix a version mismatch in the API documentation.
Signed-off-by: Wassim DHIF <wassimdhif@gmail.com>
Upstream-commit: 2058928edc284653b1fb8e719d713ac7edecd091
Component: engine
- Some of them don't make sense anymore
- Some are deprecated and removed from the engine since a few versions
already.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 740d260cd2
Component: cli
Use more gotestyourself for `env.Patch`, and `icmd.RunCommand`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: ae03dd7f46
Component: cli
It should check `os.Geteuid` with `uid` instead of `os.Getegid`.
On the container (where the tests run), the uid and gid seems to be
the same, thus this doesn't fail.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 5d8b88b114da7c40f04a95909a35287ae1dac37f
Component: engine
This fix consists of some improvement in restart_test.go
by replacing Fatal with assert, so that they are consistent
with other tests in integration/container.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 67535921b32f68863f7a882d2300b59e0bbeffa4
Component: engine
govet complains (when using standard "context" package):
> the cancel function returned by context.WithTimeout should be called,
> not discarded, to avoid a context leak (vet)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 05e2f7e2fafd0fbc818c9f4cda7ac513c785d49c
Component: engine
We are using interface in the api routers to not explicitely depend on
the daemon struct (`daemon.Daemon`), but somehow, we do depend on the
`daemon` package for the cluster functionalities.
This removes this dependency by defining the correct interfaces.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: f4106b46db47524b4f38abeee48137d42e3fe4eb
Component: engine
That way, those lines won't be reported in the failure.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: cb8db44395df70fa3044d2a9683d6d24438cfa74
Component: engine
This is not for the sake of test to run faster of course;
this is to simplify the code as well as have some more
testing for mount.SingleEntryFilter().
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: ce468f0ad0d075c5d0c44c78bd61c489e6d7d70c
Component: engine
There is no need to parse mount table and iterate through the list of
mounts, and then call Unmount() which again parses the mount table and
iterates through the list of mounts.
It is totally OK to call Unmount() unconditionally.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: ac39a95ea618601f78662972c35838d928858904
Component: engine
Now, every Unmount() call takes a burden to parse the whole nine yards
of /proc/self/mountinfo to figure out whether the given mount point is
mounted or not (and returns an error in case parsing fails somehow).
Instead, let's just call umount() and ignore EINVAL, which results
in the same behavior, but much better performance.
Note that EINVAL is returned from umount(2) not only in the case when
`target` is not mounted, but also for invalid flags. As the flags are
hardcoded here, it can't be the case.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: a1d095199ddb9b4811e1417b6adcdfadad7d73f4
Component: engine
The mountinfo parser implemented via `fmt.Sscanf()` is slower than the one
using `strings.Split()` and `strconv.Atoi()`. This rewrite helps to speed it
up to a factor of 8x, here is a result from go bench:
> BenchmarkParsingScanf-4 300 22294112 ns/op
> BenchmarkParsingSplit-4 3000 2780703 ns/op
I tried other approaches, such as using `fmt.Sscanf()` for the first
three (integer) fields and `strings.Split()` for the rest, but it slows
things down considerably:
> BenchmarkParsingMixed-4 1000 8827058 ns/op
Note the old code uses `fmt.Sscanf`, when a linear search for '-' field,
when a split for the last 3 fields. The new code relies on a single
split.
I have also added more comments to aid in future development.
Finally, the test data is fixed to now have white space before the first field.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: c611f18a7f16d8aa878a5a5c7537d23a0937c40a
Component: engine
The flow of getSourceMount was:
1 get all entries from /proc/self/mountinfo
2 do a linear search for the `source` directory
3 if found, return its data
4 get the parent directory of `source`, goto 2
The repeated linear search through the whole mountinfo (which can have
thousands of records) is inefficient. Instead, let's just
1 collect all the relevant records (only those mount points
that can be a parent of `source`)
2 find the record with the longest mountpath, return its data
This was tested manually with something like
```go
func TestGetSourceMount(t *testing.T) {
mnt, flags, err := getSourceMount("/sys/devices/msr/")
assert.NoError(t, err)
t.Logf("mnt: %v, flags: %v", mnt, flags)
}
```
...but it relies on having a specific mount points on the system
being used for testing.
[v2: add unit tests for ParentsFilter]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 871c957242df9f8c74faf751a2f14eb5178d4140
Component: engine
Use mount.SingleEntryFilter as we're only interested in a single entry.
Test case data of TestShouldUnmountRoot is modified accordingly, as
from now on:
1. `info` can't be nil;
2. the mountpoint check is not performed (as SingleEntryFilter
guarantees it to be equal to daemon.root).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: d3ebcde82aae79be8cbecab365367b17adac4b3e
Component: engine
Functions `GetMounts()` and `parseMountTable()` return all the entries
as read and parsed from /proc/self/mountinfo. In many cases the caller
is only interested only one or a few entries, not all of them.
One good example is `Mounted()` function, which looks for a specific
entry only. Another example is `RecursiveUnmount()` which is only
interested in mount under a specific path.
This commit adds `filter` argument to `GetMounts()` to implement
two things:
1. filter out entries a caller is not interested in
2. stop processing if a caller is found what it wanted
`nil` can be passed to get a backward-compatible behavior, i.e. return
all the entries.
A few filters are implemented:
- `PrefixFilter`: filters out all entries not under `prefix`
- `SingleEntryFilter`: looks for a specific entry
Finally, `Mounted()` is modified to use `SingleEntryFilter()`, and
`RecursiveUnmount()` is using `PrefixFilter()`.
Unit tests are added to check filters are working.
[v2: ditch NoFilter, use nil]
[v3: ditch GetMountsFiltered()]
[v4: add unit test for filters]
[v5: switch to gotestyourself]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: bb934c6aca3e77541dd4fd51b9ab2706294dadda
Component: engine
This moves the platform specific stuff in a separate package and keeps
the `volume` package and the defined interfaces light to import.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 6a70fd222b95643a8a6b88e2634d5f085ae4122a
Component: engine
All `plugins` tests that require an `ExperimentalDaemon` are migrated
to `integration/plugin/*` and start an experimental daemon to test on
it.
The end goal being to remove the `experimental` build.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 69bab3832ce1d72dd1d3ed2f2b53143ec9ff102c
Component: engine
This makes sure that if the daemon root was already a self-binded mount
(thus meaning the daemonc only performed a remount) that the daemon does
not try to unmount.
Example:
```
$ sudo mount --bind /var/lib/docker /var/lib/docker
$ sudo dockerd &
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: c403f0036b9945bd58a84e2c93f794ed9861fe99
Component: engine
The primary need for this is x/net/context now is just a type alias to
the stdlib context package.
This makes issues with conflicts between "golang.org/x/net/context" and
the stdib "context" go away (primarily a concern in interface
definitions/implementations).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 848ef1da8b0d1c01a84fbe215f24f00fa741690d
Component: engine
Also starts to create more "poll/check" function to `internal/test/daemon`.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: aa0db6f9e1d0fd0420271f419d0d225089a95bbd
Component: engine
Instead of using a global store for volume drivers, scope the driver
store to the caller (e.g. the volume store). This makes testing much
simpler.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 977109d808ae94eb3931ae920338b1aa669f627e
Component: engine
Since the volume store already provides this functionality, we should
just use it rather than duplicating it.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 63826e291ba3b88443b64802084bbb3931857b56
Component: engine
This unblocks the client to take other restore requests and makes sure
that a long/stuck request can't block the client forever.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 806700e410a1b30aa1033d71d825e57880c75298
Component: engine
… and change a bit the method signature
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 42f6fdf059807ecbe66cce90676021363a541154
Component: engine
Porting helpers from `integration-cli/daemon.Daemon` to this struct
and use the API instead of the cli.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 9722214c8add2a83f6c4974848139cadc79d9f0e
Component: engine
Update all build stages to output artefacts to /build
Signed-off-by: Jeff Hajewski <jeff.hajewski@gmail.com>
Upstream-commit: 00555f7b261111084b966920da607a504b068953
Component: engine
- Move go package used by both `integration-cli` and `integration` to
`internal/test/fixtures`.
- Remove fixtures that are not used anymore (moved to `docker/cli` a
while ago) : deploy, notary, secrets.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 5f56503f583f21d655394f755f71849381bd58c7
Component: engine
This use case is currently _working correctly_, which is nice, but there is no documentation to be found about it. This PR fixes that.
Signed-off-by: Per Lundberg <perlun@gmail.com>
Upstream-commit: 82c23208ee
Component: cli
This fix converts some `client.ContainerCreate` to `container.Create`,
and removes some unneeded `name` fields when test containers are created.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: ab9bb47b05b1dde445a5e4ba78ae97303208dc8b
Component: engine
This fix migrates image tag tests from integration-cli to api tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 9bcb960508a6066811cffcca1e35ca44d7f1cf94
Component: engine
- Move the code from `integration-cli` to `internal/test`.
- Use `testingT` and `assert` when creating the registry.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 66de2e6e3b6d927a3396743cd7c363aa9f7b776e
Component: engine
In Go 1.10.1, the Deps for pkg\tarsum\tarsum_test.go are empty ([]) and
the PowerShell script ends up setting its import list to a string value
of False instead of an empty array. This can be remedied by forcing the
result to be an array, by concatenating to an empty array (@() + ...)
Signed-off-by: John Stephens <johnstep@docker.com>
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit ec3f9230d70506c536a24e844da0f0b3af9b43f6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: ee508d47c3917b423b6caae0ad2867c4f6ffe696
Component: engine
Add synchronization around adding logs to a plugin
and reading those logs. Without the follow configuration,
a race occurs between go routines to add the logs into
the plugin and read the logs out of the plugin. This
adds a function to synchronize the action to avoid the
race.
Removes use of file for buffering, instead buffering whole
messages so log count can be checked discretely.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: c208f1c8a8d57f9a7f48f63345e77146774aa7a6
Component: engine
Prevent changing the tar output by setting the format to
PAX and keeping the times truncated.
Without this change the archiver will produce different tar
archives with different hashes with go 1.10.
The addition of the access and changetime timestamps would
also cause diff comparisons to fail.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: fb170206ba12752214630b269a40ac7be6115ed4
Component: engine
Remove invalid flush commands, flush should only occur when file
has been completely written. This is already handle, remove these calls.
Ensure data gets written after EOF in correct order and before close.
Remove gname and uname from sum for hash compatibility.
Update tarsum tests for gname/uname removal.
Return valid length after eof.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: a422774e593b33bd287d9890544ad9e09b380d8c
Component: engine
This fix is now upstream in Go 1.10
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 950a1aa3170cedabd904cdcfcfa70c7d551a5e16
Component: engine
Full diff
5c1218c956...c15b372ef2
Fixes a panic on concurrent read/write to a map.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 248aed5766ba330ab8cb2b10b03b6ce57dc64283
Component: engine
Docker daemon has a 16K buffer for log messages. If a message length
exceeds 16K, it should be split by the logger and merged at the
endpoint.
This change adds `PartialLogMetaData` struct for enhanced partial support
- LastPartial (bool) : indicates if this is the last of all partials.
- ID (string) : unique 32 bit ID. ID is same across all partials.
- Ordinal (int starts at 1) : indicates the position of msg in the series of partials.
Also, the timestamps across partials in the same.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Upstream-commit: 0b4b0a7b5d5de8cb575b666312fceaa2cd58e658
Component: engine
When the authz response buffer limit is hit, perform a flush.
This prevents excessive buffer sizes, especially on large responses
(e.g. `/containers/<id>/archive` or `/containers/<id>/export`).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 74f8e47352e71aad4015d8d9dea8f16e7a055863
Component: engine
This remove the daemon.Swarm construction by make the new test Daemon
struct aware of swarm.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 83d18cf4e3e84055f7034816eed2a10c04e777ca
Component: engine
… making each folder/suites quicker to run
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: a3323d2e4349b7e8d449c6e571ca3d4aa3e53d63
Component: engine
All `Ipvlan` related test on `DockerSuite` and `DockerNetworkSuite`
are migrated to `ipvlan_test.go`.
The end goal being to remove the `experimental` builds.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 24f934751120ea420b7ba4d2e314df805f3eff06
Component: engine
… and do not use the `docker` cli in it. One of the reason of this
move is to not make `integration` package using legacy
`integration-cli` package.
Next move will be to support swarm within this package *and* provide
some helper function using the api (compared to the one using cli in
`integration-cli/daemon` package).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: f0d277fe84a72b29c0d2d541c20d5a9c4d7e4884
Component: engine
It does not make any sense to vary this based on whether the
rootfs is read only. We removed all the other mount dependencies
on read-only eg see #35344.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: a729853bc712910574a7417f67764ec8c523928b
Component: engine
… and other cases too. Updating mergo fixes the bugs (but introduced a
slight behaviour change that had to be fixed too)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 0122730faf
Component: cli
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go command, and
net/http/pprof package. See the Go 1.9.5 milestone on the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.9.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: c62336593118020462d65d4e9784143e07de2da7
Component: packaging
We have seen a panic when re-joining a node to a swarm cluster. The
cause of the issue is unknown, so we just need to add a test for nil
objects and log when we get the condition. Hopefully this can prevent
the crash and we can recover the config at a later time.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: 454128c6e82cded211c1412e3eb350b1f7533ee2
Component: engine
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go
command, and net/http/pprof package. See the Go 1.9.5 milestone on
the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.9.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 0b6f8a7eff325a683b10d64db363da2145aa1c36
Component: engine
* libnetwork#2121: Retry other external DNS servers on ServFail
* libnetwork#2125: Fix README flag and expose orphan network peers
* libnetwork#2126: Adding goreport card
* libnetwork#2130: Modify awk to use cut in check_ip_overlap
* libnetwork#2117: [Carry 1534] Improve scalabiltiy of bridge network isolation rules
Full changes: 2bf63300c5...5c1218c956
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Upstream-commit: b159da19734269c4a162763ebfa28dff07b703f3
Component: engine
Changes included:
- Ingress network should not be attachable
- [manager/state] Add fernet as an option for raft encryption
- Log GRPC server errors
- Log leadership changes at manager level
- [state/raft] Increase raft ElectionTick to 10xHeartbeatTick
- Remove the containerd executor
- agent: backoff session when no remotes are available
- [ca/manager] Remove root CA key encryption support entirely
- Fix agent logging race (fixes https://github.com/docker/swarmkit/issues/2576)
- Adding logic to restore networks in order
Also adds github.com/fernet/fernet-go as a new dependency
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 27749659d5a30999691e401a351221780a483099
Component: engine
Update the docs so that users don't use `echo` when creating
secrets from STDIN. `echo` adds a trailing new line, so users
will probably be confused when their passwords don't work.
Signed-off-by: Joao Fernandes <joao.fernandes@docker.com>
Upstream-commit: 5238f3e93e
Component: cli
This change fixes bug when $CURDIR contains special character e.g. '&&'.
Change-Id: I658eb60d97c2229cf8b4e0a61dbbecf3edc9d573
Signed-off-by: Fangming.Fang <fangming.fang@arm.com>
Upstream-commit: 83062593d7ce759bb96e271e30460afa4a695dba
Component: engine
commit 617c352e9225 "Don't create devices if in a user namespace"
introduced check, which meant to skip mknod operation when run
in user namespace, but instread skipped FIFO and socket files
copy.
Signed-off-by: Maxim Ivanov <ivanov.maxim@gmail.com>
Upstream-commit: 6f084f292932c464a30b56edb9edbe238bdcf0aa
Component: engine
There is no need to perform a separate losetup step; mount (even
the one in busybox!) is smart enough to set up a loopback device
all by itself (even without -o loop present!). More to say, while
doing this, it sets LO_FLAGS_AUTOCLEAR flag for the kernel to
delete the loopback device as soon as its fs is unmounted (this
is supposed to work since kernel 2.6.25).
Also, remove mount options (-t ext4, -o loop,rw) as they are
either defaults (rw) or mount is smart enough to figure out.
Leave -n so it won't do unnecessary write to container's /etc/mtab.
While at it, touch up some comments.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: a978fd22daefcc68d37c46177a545f7e1dfc6d9e
Component: engine
All `docker build` tests that require an `ExperimentalDaemon` are
migrated to `integration/build` package and start an experimental
daemon to test on it.
The end goal being to remove the `experimental` builds.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 183076e89df64928bd2e94ad0da9725b482367cd
Component: engine
A minor nit. `test01` never been created and used in
`TestDockerNetworkInspectCustomSpecified()` function, so correct it.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: f041953d04bffa2be05466173f02dd016c68286d
Component: engine
Makes sure that if the user cancels a request that the daemon stops
trying to traverse a directory.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 9d46c4c138d7b3f7778c13fe84857712bd6c97a9
Component: engine
Using the default PollSettings functions to adjust the timeout
value instead of changing the value each time when needed.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: b8912feeffcdfd489c9fc1212277840adac2719c
Component: engine
Add the default function per resource to override the `pollSettings`
which will be re-used where it's needed.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: ee6959addc5664a5c55765f2c721f84414ea4779
Component: engine
This call was added as part of commit a042e5a20 and at the time was
useful. sandbox.DisableService() basically calls
endpoint.deleteServiceInfoFromCluster() for every endpoint in the
sandbox. However, with the libnetwork change, endpoint.sbLeave()
invokes endpoint.deleteServiceInfoFromCluster(). The releaseNetwork()
call invokes sandbox.Delete() immediately after
sandbox.DisableService(). The sandbox.Delete() in turn ultimately
invokes endpoint.sbLeave() for every endpoint in the sandbox which thus
removes the endpoint's load balancing entry via
endpoint.deleteServiceInfoFromCluster(). So the call to
sandbox.DisableService() is now redundant.
It is noteworthy that, while redundant, the presence of the call would
not cause errors. It would just be sub-optimal. The DisableService()
call would cause libnetwork to down-weight the load balancing entries
while the call to sandbox.Delete() would cause it to remove the entries
immediately afterwards. Aside from the wasted computation, the extra
call would also propagate an extra state change in the networkDB gossip
messages. So, overall, it is much better to just avoid the extra
overhead.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Upstream-commit: c27417aa7de46daa415600b39fc8a9c411c8c493
Component: engine
This patch allows endpoints to complete servicing connections while
being removed from a service. The fix is entirely within libnetwork
and requires no changes to the moby codebase proper. It operates
by initially down-weighting a container endpoint in the load balancer
to 0 while keeping the endpoint present in the load balancer. This
allows traffic to continue to flow to the endpoint while preventing new
connections from going to the endpoint. This allows the container
to complete requests during the "stop_grace_period" and then exit when
finished without interruption of service.
This change requires propagating the status of disabled service
endpoints via the networkDB. Accordingly, the patch includes both code
to generate and handle service update messages. It also augments the
service structure with a ServiceDisabled boolean to convey whether an
endpoint should ultimately be removed or just disabled. This,
naturally, required a rebuild of the protocol buffer code.
The protocol buffer encoding is designed to support additions of fields
to messages in a backwards-compatible manner. Protocol buffer
unmarshalling code automatically skips past any fields that it isn't
aware of. As a result, an older moby daemon without this fix can
receive and will process correctly networkDB messages from newer moby
daemons with this patch.
As it turns out, the additional field is simply a bool that is otherwise
irrelevent on networkDB create and delete events. So its absence in
older moby daemon processing has no impact. However, the fix leverages
the "update" networkDB message which was previously unused in
libnetwork. Although older libnetwork implementations parse the message
cleanly, they will see the message as unexpected and as such issue a log
at error level indicating the receipt of such.
Other than this there should be no other negative impact for use of this
patch in mixed environments. (Although older mobys won't be able to
gracefully downgrade connections on their nodes of course.)
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Upstream-commit: 50dbdeff9fd186bb0e9926996436e1f56529a831
Component: engine
This fixes an issue where the containerd client is cached in a container
object in libcontainerd and becomes stale after containerd is restarted.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 2c682d5209d1d1cdd232ce3909fa25b6023f9a5b
Component: engine
This does not bump the containerd binary.
Picks last commit before go1.10 switch, which is not currently supported
in moby.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 30cb23360e21c7914f41e69496abde4780bd7bc1
Component: engine
This was added as part of a53930a04fa81b082aa78e66b342ff19cc63cc5f with
the intent to sort the mounts in the plugin config, but this was sorting
*all* the mounts from the default OCI spec which is problematic.
In reality we don't need to sort this because we are only adding a
self-binded mount to flag it as rshared.
We may want to look at sorting the plugin mounts before they are added
to the OCI spec in the future, but for now I think the existing behavior
is fine since the plugin author has control of the order (except for the
propagated mount).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: ec90839ca302ca53a7d55e4c7f79e7b4779f5e15
Component: engine
All `Macvlan` related test on `DockerSuite` and `DockerNetworkSuite`
are migrated to `macvlan_test.go`.
Also, as `macvlan` seems to be out of experimental, this removes
the *skip* when the run is not experimental (and doesn't start a
daemon with experimental either).
The end goal being to remove the `experimental` builds.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: ef5bc603266b9fa5df525319d67329ebc14a8ee7
Component: engine
Now all of the storage drivers use the field "storage-driver" in their log
messages, which is set to name of the respective driver.
Storage drivers changed:
- Aufs
- Btrfs
- Devicemapper
- Overlay
- Overlay 2
- Zfs
Signed-off-by: Alejandro GonzÃlez Hevia <alejandrgh11@gmail.com>
Upstream-commit: 9392838150f5495a63f33fed6570ae41f5a6d62e
Component: engine
When updating a service with the `--force` option, the `ForceUpdate`
property of the taskspec is incremented.
Stack deploy did not take this into account, and reset this
field to its default value (0), causing the service to be
re-deployed.
This patch copies the existing value before updating the service.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 76439457d2
Component: cli
This clarifies that the behaviour of `unless-stopped` will restart the container on daemon start. This was implied before, but now the restart-on-daemon-start behaviour is mentioned directly.
Signed-off-by: David Beitey <david@davidjb.com>
Upstream-commit: 8ca237054f
Component: cli
Using `dpkg --print-architecture` instead of the `uname -m` to abstract
the architecture value from the container images, which the build process
is running inside, to match exactly the behavior specified by the following
Docker file while not 'passthru' to the host.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 803a756941f5e4b68429a3642d52585c8ea6dbaa
Component: engine
Since the recent release of CRIU has already supported other
arches such as AArch64, ppc64le, and s390x, so we can enable
it now.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 7fd54a7a48f9f1bb2b28144e38c886d1fe813a04
Component: engine
Use unique names for test resources of container/inspect, container/ps, container/stop tests
Upstream-commit: 57c504799d979caa706142e6f5dc4be4a5b1e3e2
Component: engine
> HasAvailableFlags checks if the command contains any flags (local
> plus persistent from the entire structure) which are not hidden or
> deprecated.
This fix the `--help` display when the `Options` is empty (but
showing), like on `docker trust key`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 66fdd085a5
Component: cli
If container will run as non root user, drop permitted, effective caps early
Upstream-commit: b67c1e078c7eeb20199dce301e95fa8999c98109
Component: engine
`--rm` moved to the daemon, so is now also supported
when combined with `-d`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: e9ce688d6e
Component: cli
TestServiceWithPredefinedNetwork test case was failing
at times. To fix the issue, added new API to check
for services after we clean up all services. Tested
multiple times and this sould fix flaky issue.
Signed-off-by: selansen <elango.siva@docker.com>
Upstream-commit: dabffd806c98ab13dbc25e57bee21c5291b9a50c
Component: engine
This moves some of the code that was conditionally
executed on Windows to a separate, windows-only file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: cd3e84c6b38e74d03ab31db804bc9b49dcab8243
Component: engine
receive operations on a nil channel will always block, this lead containerd not started.
Signed-off-by: Shukui Yang <yangshukui@huawei.com>
Upstream-commit: a50d9c0765d9861d226b323ffe190c0c99c3ac17
Component: engine
Found a bug where a number was being appended to the nightly dev builds
package name causing the latest packages not to be considered as the
latest packages by the package manager.
This makes it so that the nubmer is not included on dev builds.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 63be84fc6ed88847a003dfb32e0dc8bc9126411e
Component: packaging
As soon as the initial executable in the container is executed as a non root user,
permitted and effective capabilities are dropped. Drop them earlier than this, so
that they are dropped before executing the file. The main effect of this is that
if `CAP_DAC_OVERRIDE` is set (the default) the user will not be able to execute
files they do not have permission to execute, which previously they could.
The old behaviour was somewhat surprising and the new one is definitely correct,
but it is not in any meaningful way exploitable, and I do not think it is
necessary to backport this fix. It is unlikely to have any negative effects as
almost all executables have world execute permission anyway.
Use the bounding set not the effective set as the canonical set of capabilities, as
effective will now vary.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 15ff09395c001bcb0f284461abbc404a1d8bab4d
Component: engine
This is a test case for issue https://github.com/moby/moby/issues/35123,
making sure we can set container's memory limit when using
`native.cgroupdriver=systemd`.
[v2: skip if no systemd present]
[v3: add --iptables=false to avoid flaky tests with t.Parallel()]
[v4: rebase after PR#36507 merge]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 4ca5c5361059e29ed31074ca5b96f8b2030b5f99
Component: engine
… mainly by skipping if daemon is remote.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 6016e79d2552b21643f4bfd093ce76d8ef956d79
Component: engine
error
local digest cache will be removed when error occured on push image
but it should not be removed if it is an auth error while on auth was
provided
https://github.com/moby/moby/issues/36309
Signed-off-by: 慕陶 <jihui.xjh@alibaba-inc.com>
Upstream-commit: 8b387b165ab2eaab3f9fdac25caa186d05d236a0
Component: engine
There was a lot of repeated parts in this Makefile, I moved them to a
common variable so that if / when we decide to change how things are run
then it's easy to do so.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: c869c9fcf510d1a6c4e25c1a14ea6cb0bb3e6aa4
Component: packaging
Enables the usage of a new versioning scheme for test builds:
* tp -> Technical Previews
* beta -> Beta Releases
* rc -> Release Candidates
* ga -> General Availability Releases
This PR fixes the versioning order for both `deb` and `rpm` packages
when it relates to the new versioning scheme (which may or may not be
used).
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 9ba8e36e8588ea75209d813558c8065844c953a0
Component: packaging
Commit fd0e24b7189374e0fe7c55b6d26ee916d3ee1655 changed
the stats collection loop to use a `sleep()` instead
of `time.Tick()` in the for-loop.
This change caused a regression in situations where
no stats are being collected, or an error is hit
in the loop (in which case the loop would `continue`,
and the `sleep()` is not hit).
This patch puts the sleep at the start of the loop
to guarantee it's always hit.
This will delay the sampling, which is similar to the
behavior before fd0e24b7189374e0fe7c55b6d26ee916d3ee1655.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 481b8e54b45955e40075f49a9af321afce439320
Component: engine
This PR adds support for compressibility of log file.
I added a new option conpression for the jsonfile log driver,
this option allows the user to specify compression algorithm to
compress the log files. By default, the log files will be
not compressed. At present, only support 'gzip'.
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
'docker logs' can read from compressed files
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
Add Metadata to the gzip header, optmize 'readlog'
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
Upstream-commit: f69f09f44ce9fedbc9d70f11980c1fc8d7f77cec
Component: engine
This test case checks that a container created before start
of the currently running dockerd can be exported (as reported
in #36561). To satisfy this condition, either a pre-existing
container is required, or a daemon restart after container
creation.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 6e7141c7a2c0de6fa3d6c9dcc56978a81f9d835e
Component: engine
Bring in:
- moby 36517 ensure hijackedConn implements CloseWrite function
- moby 36489 (fixes `errdefs.ErrSystem` interface)
- moby 36506 pkg/mount: use sort.Slice
- moby 36451 Windows: Report Version and UBR
Also update moby dependencies to keep them in sync
- golang.org/x/sync (no code changes)
- Bump runc to 4fc53a81fb7c994640722ac585fa9ca548971871
- Bump swarmkit to 49a9d7f6ba3c1925262641e694c18eb43575f74b
no local code changes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: b17215c456
Component: cli
Update libnetwork to 1b91bc94094ecfdae41daa465cc0c8df37dfb3dd to bring in a fix
for stale HNS endpoints on Windows:
When Windows Server 2016 is restarted with the Docker service running, it is
possible for endpoints to be deleted from the libnetwork store without being
deleted from HNS. This does not occur if the Docker service is stopped cleanly
first, or forcibly terminated (since the endpoints still exist in both). This
change works around the issue by removing any stale HNS endpoints for a network
when creating it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: fb364f07468e94226250a1e77579ee6117c64be2
Component: engine
- `replaceDockerfileForContentTrust` is only used when content trust is
enabled, so remove the boolean.
- rename `isContentTrustEnabled` to `contentTrustEnabled`
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 63ebcae382
Component: cli
This updates libnetwork to 8892d7537c67232591f1f3af60587e3e77e61d41 to bring in
IPAM fixes for duplicate IP addresses.
- IPAM tests (libnetwork PR 2104) (no changes in vendored files)
- Fix for Duplicate IP issues (libnetwork PR 2105)
Also bump golang/x/sync to match libnetwork (no code-changes, other
than the README being updated)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 55e0fe24db68b16edccb2fa49c3b1b9d3a9ce58c
Component: engine
connection does. If this isn't done, then a container listening on stdin won't
receive an EOF when the client closes the stream at their end.
Signed-off-by: Jim Minter <jminter@redhat.com>
Upstream-commit: 37983921c90b468cafd3ba2ca2574fb81cafe5a7
Component: engine
* added tests on Kubernetes service conversion to swarm service
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
Upstream-commit: b816bde6cc
Component: cli
Commit 7a7357dae1bccc ("LCOW: Implemented support for docker cp + build")
changed `container.BaseFS` from being a string (that could be empty but
can't lead to nil pointer dereference) to containerfs.ContainerFS,
which could be be `nil` and so nil dereference is at least theoretically
possible, which leads to panic (i.e. engine crashes).
Such a panic can be avoided by carefully analysing the source code in all
the places that dereference a variable, to make the variable can't be nil.
Practically, this analisys are impossible as code is constantly
evolving.
Still, we need to avoid panics and crashes. A good way to do so is to
explicitly check that a variable is non-nil, returning an error
otherwise. Even in case such a check looks absolutely redundant,
further changes to the code might make it useful, and having an
extra check is not a big price to pay to avoid a panic.
This commit adds such checks for all the places where it is not obvious
that container.BaseFS is not nil (which in this case means we do not
call daemon.Mount() a few lines earlier).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: d6ea46cedaca0098c15843c5254a337d087f5cd6
Component: engine
In case ContainerExport() is called for an unmounted container, it leads
to a daemon panic as container.BaseFS, which is dereferenced here, is
nil.
To fix, do not rely on container.BaseFS; use the one returned from
rwlayer.Mount().
Fixes: 7a7357dae1bccc ("LCOW: Implemented support for docker cp + build")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 81f6307eda44ab3a91de6e29304810a976161d74
Component: engine
The `docker trust` commands were moved out of experimental,
and the `docker trust view` command was changed to
`docker trust inspect --pretty`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 2a6808db87
Component: cli
With the ticker this could end up just doing back-to-back checks, which
isn't really what we want here.
Instead use a sleep to ensure we actually sleep for the desired
interval.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 04a0d6b863ed50cfffa79936cf9cdab7a3a9e7df
Component: engine
In info, we only need the number of images, but `CountImages` was
getting the whole map of images and then grabbing the length from that.
This causes a lot of unnecessary CPU usage and memory allocations, which
increases with O(n) on the number of images.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: f6a7763b6f3256bed9a7352021745189d0ca8dc9
Component: engine
I noticed this test failed on Windows:
> 17:46:24 docker_cli_run_test.go:4361:
> 17:46:24 c.Fatal("running container timed out") // cleanup in teardown
I also noticed that in general tests are running slower on Windows,
for example TestStartAttachSilent (which runs a container with
`busybox echo test` and then starts it again) took 29.763s.
This means a simple container start can easily take 15s, which
explains the above failure.
Double the timeout from 15s to 30s.
Fixes: 4e262f6387 ("Fix race on sending stdin close event")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 5043639645123f2728c81c9a55fea525475ec324
Component: engine
I am not quite sure why but this test is sometimes failing like this:
> 15:21:41 --- FAIL: TestLinksEtcHostsContentMatch (0.53s)
> 15:21:41 assertions.go:226:
>
> Error Trace: links_linux_test.go:46
> 15:21:41
> Error: Not equal:
> 15:21:41
> expected: "127.0.0.1\tlocalhost\n::1\tlocalhost
> ip6-localhost
> ip6-loopback\nfe00::0\tip6-localnet\nff00::0\tip6-mcastprefix\nff02::1\tip6-allnodes\nff02::2\tip6-allrouters\n172.17.0.2\tf53feb6df161\n"
> 15:21:41
> received: ""
To eliminate some possible failures (like ignoring stderr from `cat` or
its exit code), let's use container.Exec() to read a file from a container.
Fixes: e6bd20edcbf ("Migrate some integration-cli test to api tests")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: ad2f88d8ccbd9dd0a8d9c4f96ece3956f60489df
Component: engine
As mentioned in commit 9e31938, test cases that use t.Parallel()
and start a docker daemon might step on each other toes as they
try to configure iptables during startup, resulting in flaky tests.
To avoid this, --iptables=false should be used while starting daemon.
Fixes: eaa5192856c1 ("Make container resource mounts unbindable")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: c125e10a0486623ba3badebf974ea6e582373151
Component: engine
Ingress networks will no longer automatically remove their
load-balancing endpoint (and sandbox) automatically when the network is
otherwise upopulated. This is to prevent automatic removal of the
ingress networks when all the containers leave them. Therefore
explicit removal of an ingress network also requires explicit removal
of its load-balancing endpoint.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Upstream-commit: 3da4ebf355d3494d1403b2878a1ae6958b2724e9
Component: engine
This PR prevents automatic removal of the load balancing sandbox
endpoint when the endpoint is the last one in the network but
the network is marked as ingress.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Upstream-commit: bebad150c9c3bc6eb63758c10ef24b9298ecf6e2
Component: engine
The commit https://github.com/moby/moby/pull/35422 had the result of
accidentally causing the removal of the ingress network when the
last member of a service left the network. This did not appear
in swarm instances because the swarm manager would still maintain
and return cluster state about the network even though it had
removed its sandbox and endpoint. This test verifies that after a
service gets added and removed that the ingress sandbox remains
in a functional state.
Signed-off-by: Chris Telfer <ctelfer@docker.com>
Upstream-commit: 805b6a7f749a6c7cbb237e21ee7260d536621808
Component: engine
Since now we have only one Dockerfile, so the arch-specific suffix
of the Dockerfile is not needed anymore.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 8eb7ed673b687ae17e2c7df5dd40f8081c299bc2
Component: engine
Removing all the existing arch-specific Dockerfiles since we already
have a new multi-arch supported one as the replacement.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 162f9aee476bd204c2b0146c0128949182e8bd5e
Component: engine
This PR consolidates the existing arch-specific Dockerfiles into only
one file `Dockefile` to ease the code maintenance effort.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: f1701a741d77a92d28138944193e23aabfc74abe
Component: engine
These tests were enabled by changing a config option on the ci
machines, instead of from a patch, so let me disable them
for now on ppc64le and open up another patch to enable them, where I can find
out what the issues are with them.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Upstream-commit: 620ddc78a1437feaa42f40853ef586d268991620
Component: engine
It has been pointed out that if --read-only flag is given, /dev/shm
also becomes read-only in case of --ipc private.
This happens because in this case the mount comes from OCI spec
(since commit 7120976d74195), and is a regression caused by that
commit.
The meaning of --read-only flag is to only have a "main" container
filesystem read-only, not the auxiliary stuff (that includes /dev/shm,
other mounts and volumes, --tmpfs, /proc, /dev and so on).
So, let's make sure /dev/shm that comes from OCI spec is not made
read-only.
Fixes: 7120976d74195 ("Implement none, private, and shareable ipc modes")
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: cad74056c09f6276b0f4a996a1511553177cd3d7
Component: engine
The test case checks that in case of IpcMode: private and
ReadonlyRootfs: true (as in "docker run --ipc private --read-only")
the resulting /dev/shm mount is NOT made read-only.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 33dd562e3acff71ee18a2543d14fcbecf9bf0e62
Component: engine
Remove the global variable used. Allows easier unit testing.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 6e21829af4
Component: cli
Scripts were changed around to do static by default, this changes so
that we have "dynamic" inserted where it needs to be inserted
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 130f74155e39ddc36b59d7c47867230284739710
Component: packaging
There was a typo with the buildmode flag for containerd
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 5e4885b9afb1de30133627ce751af2c0e7b72a4e
Component: engine
These were originally static binaries in the first place, this changes
them back to that.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 63c7bb24637fdbfd905096ecc75b435ecefd31e9
Component: engine
To avoid noise in sampling CPU usage metrics, we now sample the system
usage closer to the actual response from the underlying runtime. Because
the response from the runtime may be delayed, this makes the sampling
more resilient in loaded conditions. In addition to this, we also
replace the tick with a sleep to avoid situations where ticks can backup
under loaded conditions.
The trade off here is slightly more load reading the system CPU usage
for each container. There may be an optimization required for large
amounts of containers but the cost is on the order of 15 ms per 1000
containers. If this becomes a problem, we can time slot the sampling,
but the complexity may not be worth it unless we can test further.
Unfortunately, there aren't really any good tests for this condition.
Triggering this behavior is highly system dependent. As a matter of
course, we should qualify the fix with the users that are affected.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: fd0e24b7189374e0fe7c55b6d26ee916d3ee1655
Component: engine
Some of them are skipped for now (because the feature is not supported
or needs more work), some of them are fixed.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 0cf2e6353a
Component: cli
Adds a `make.ps1` powershell script to make it easy to compile and test.
```
.\scripts\make.ps1 -Binary
INFO: make.ps1 starting at 03/01/2018 14:37:28
INFO: Building...
________ ____ __.
\_____ \ | |/ _|
/ | \| <
/ | \ | \
\_______ /____|__ \
\/ \/
INFO: make.ps1 ended at 03/01/2018 14:37:30
.\scripts\make.ps1 -TestUnit
```
The next step is to run e2e tests on windows too.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: facb22573d
Component: cli
Sorting by mount point length can be implemented in a more
straightforward fashion since Go 1.8 introduced sort.Slice()
with an ability to provide a less() function in place.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: a00310b54c0cdcafb402aeea92feca865da9fdf3
Component: engine
This makes `go test .` to pass if run as non-root user, skipping
those tests that require superuser privileges (for `mount`).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 4aae77602a7540b4f977572f3fbdc0891ac57cab
Component: engine
Layer metadata storage has not been implemented outside of the layer
store and will be deprecated by containerd metadata storage. To prepare
for this and freeze the current metadata storage, remove the exported
interface and make it internal to the layer store.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Upstream-commit: 0aebcbc32dc6a7b35982a2bfc44335562cbb68ec
Component: engine
With a default filename tests will leave a file in the working directory
that is never cleaned up.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 7c8b5708eb
Component: cli
The TestAPIServiceUpdatePort test performs exactly
the same steps.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 36e1646e4f010ea033643c6df3d9c3dccc166ed2
Component: engine
Fix tests that failed when using cmp.Compare()
internal/test/testutil/assert
InDelta
Fix DeepEqual with kube metav1.Time
Convert some ErrorContains to assert
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 5155cda716
Component: cli
With the inclusion of PR 30897, creating service for host network
fails in 18.02. Modified IsPreDefinedNetwork check and return
NetworkNameError instead of errdefs.Forbidden to address this issue
Signed-off-by: selansen <elango.siva@docker.com>
Upstream-commit: 7cf8b20762cc9491f52ff3f3d94c880378183696
Component: engine
While a `types.go` file is handly when there are a lot of record types,
it is completely obnoxious when used for concrete, utility types with a
struct, new function and method set in the same file. This change
removes the `types.go` file in favor of the simpler approach.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Upstream-commit: 244e59e94f153af82e6c3bd8a6c200a48d3cea60
Component: engine
The types defined in the errdefs package do not
satisfy the `error` interface, because they do not
implement `Error()`.
Instead of returning the matched interface, return
the original error.
When matching _multiple_ interfaces/types, Golang doesn't complain:
func getImplementer(err error) error {
switch e := err.(type) {
case
ErrNotFound,
ErrInvalidParameter:
return e
default:
return err
}
}
But matching a single interface/type:
func getImplementer(err error) error {
switch e := err.(type) {
case
ErrNotFound:
return e
default:
return err
}
}
Produces an error:
cannot use e (type ErrNotFound) as type error in return argument: ErrNotFound does not implement error (missing Error method)
Return the original `err` instead of the matched interface/type instead.
Also added some additional tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 59854e407d1541d644a7d814e8e0096dc477dd82
Component: engine
This fix addresses `expected` vs `actual` in integration tests
so that they match `assert.Equal(t, expected, actual)`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 8a854e933b3dbb26cfce28b920cff61909412c6f
Component: engine
This fix migrates docker rm test in integration-cli
to api tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: ed58ba99fb28ceac56063b7f003f38b597ddef80
Component: engine
Move the "unmount and deactivate" code into a separate method, and
optimize it a bit:
1. Do not use filepath.Walk() as there's no requirement to recursively
go into every directory under home/mnt; a list of directories in mnt
is sufficient. With filepath.Walk(), in case some container will fail
to unmount, it'll go through the whole container filesystem which is
excessive and useless.
2. Do not use GetMounts() and check if a directory is mounted; just
unmount it and ignore "not mounted" error. Note the same error
is returned in case of wrong flags set, but as flags are hardcoded
we can safely ignore such case.
While at it, promote "can't unmount" log level from debug to warning.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: f1a459229724f5e8e440b49f058167c2eeeb2dc6
Component: engine
1. Make sure it's clear the error is from unmount.
2. Simplify the code a bit to make it more readable.
[v2: use errors.Wrap]
[v3: use errors.Wrapf]
[v4: lowercase the error message]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 9d00aedebc25507042c5afd4ab8fc6b333ca7c53
Component: engine
This fix migrates events tests in integration-cli to api tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 3a749157d2c2b320fea49f7aa4d4eb634f52662f
Component: engine
Log the error returned from logdriver.Log() instead of the logdriver
itself.
Signed-off-by: Cody Roseborough <crrosebo@amazon.com>
Upstream-commit: a1956b5623fad186ad39ae8aca998284003b0cd3
Component: engine
1. Replace EnsureRemoveAll() with Rmdir(), as here we are removing
the container's mount point, which is already properly unmounted
and is therefore an empty directory.
2. Ignore the Rmdir() error (but log it unless it's ENOENT). This
is a mount point, currently unmounted (i.e. an empty directory),
and an older kernel can return EBUSY if e.g. the mount was
leaked to other mount namespaces.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 732dd9b848bec70a2ecb5b4998918886a0cec497
Component: engine
This fix adds several improvement:
1. No need for explicit ContainerRemove as it has been handled in setupTest()
2. Added `container.WithImage` helper function and used it in commit tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 6ab465804b0b8cec6c5ac278a21151d49e34885d
Component: engine
We were on a slightly earlier random commit.
We should try to stay on releases where possible...
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Upstream-commit: 9da428da2e
Component: cli
Exec processes do not automatically inherit AppArmor
profiles from the container.
This patch sets the AppArmor profile for the exec
process.
Before this change:
apparmor_parser -q -r <<EOF
#include <tunables/global>
profile deny-write flags=(attach_disconnected) {
#include <abstractions/base>
file,
network,
deny /tmp/** w,
capability,
}
EOF
docker run -dit --security-opt "apparmor=deny-write" --name aa busybox
docker exec aa sh -c 'mkdir /tmp/test'
(no error)
With this change applied:
docker exec aa sh -c 'mkdir /tmp/test'
mkdir: can't create directory '/tmp/test': Permission denied
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 8f3308ae10ec9ad0dd4edfb46fde53a0e1e19b34
Component: engine
This fix migrates export tests in integration-cli to api tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 4e702cf70d50ee5b0737270f27d9973fd3084c66
Component: engine
The canonical import comment was added some time ago, though several
newly added files do not have the comment. This fix adds the missing
canonical import comment to files in integration tests
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 9045406144413920da49629a181bb787c670197e
Component: engine
The Docker 18.03 branch was cut from
CLI: 84c7dd6057
Engine: fb005971c2bd82de482d1cfe924f2f4ec60c60ae
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 06dd62ab1e)
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
This fix is a minor enhancement to replace several ContainerCreate with
helper funcs of `container.Create` in tests.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 6ad4720c78d6ac61a60a3e7ed1d0c0119c5d103e
Component: engine
Fix runc exec on big-endian, causing:
container_linux.go:265: starting container process caused "open /dev/pts/4294967296: no such file or directory"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: aab5eaddccb8cb196fdb1e285890dfa94a071b14
Component: engine
Release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc5
Possibly relevant changes included:
- chroot when no mount namespaces is provided
- fix systemd slice expansion so that it could be consumed by cAdvisor
- libcontainer/capabilities_linux: Drop os.Getpid() call
- Update console dependency to fix runc exec on BE (causing: `container_linux.go:265: starting container process caused "open /dev/pts/4294967296: no such file or directory"`)
- libcontainer: setupUserNamespace is always called (fixes: Devices are mounted with wrong uid/gid)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: a2f5a1a5b2d77d694c5bd47798be15b3c0bcdf70
Component: engine
Overriding is the incorrect part of speech for this sentence. It is more common to state that the values are overridden instead.
Other options would include:
```golang
// ldflags is overriding these values
```
```golang
// These values will be overridden by ldflags
```
etc.
Signed-off-by: Kevin Kirsche <kevin.kirsche@verizon.com>
Upstream-commit: 0e2fdc92ce
Component: cli
It looks like no one uses this function.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Upstream-commit: 0450f61cb995c8fc2f41a6909526be6ed4093565
Component: engine
Remove temp directories and close file loggers in container unit tests.
Signed-off-by: mnussbaum <michael.nussbaum@getbraintree.com>
Upstream-commit: 07d5446fe27cb92d881df48be6e8a6510d9608b0
Component: engine
This fix migrates config inspect test in integration-cli
to api test.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 4b99d782079dc390c2d8fb78f6973bbeee7d8a47
Component: engine
Changes Details:
--------------
Fixes: #36395
Refactoring the code to do the following:
1. Add the method `errBindSourceDoesNotExist` inside `validate.go` to be in-line with the rest of error message
2. Utilised the new method inside `linux_parser.go`, `windows_parser.go` and `validate_test.go`
3. Change the format from `bind mount source path: '%s' does not exist` to `bind mount source path does not exist: %s`
4. Reflected the format change into the 2 unit tests, namely: `volume_test.go` and `validate_test.go`
5. Reflected the format change into `docker_api_containers_test.go` integration test
Signed-off-by: Amr Gawish <amr.gawish@gmail.com>
Upstream-commit: df6af282b9048dfedcd7b7a9a89126aca887f4e1
Component: engine
This fix migrates several docker rm tests to api tests
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 6bd4f4801b244555213f0040b9885033e99d4ae8
Component: engine
Remove TestBuildRenamedDockerfile and TestBuildDockerfileOutsideContext
that are cli-only tests (and already tested in the docker/cli
repository).
Also adds some comments on few tests that could be migrate to
docker/cli.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 894c213b3bd6f4d8f344837b5b5084360a013680
Component: engine
Commit 2b17f4c8a8 fixed the way empty labels
are taken into account (i.e. not interpolated from environment variable),
but it created a regression.
`ValidateLabel` functions doesn't allow empty label value, but it has
always been possible to pass an empty label via the cli (`docker run --label foo`).
This fixes that by not validating the label flag.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 31dc5c0a9a
Component: cli
Using the `busybox:glibc` instead of `busybox:latest` to the
network related test cases (`ping` issue).
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 0d31dee5ec724731607e277a415b1ca4ecb7b2c4
Component: engine
Adding `busybox:latest` and `busybox:glibc` as the frozen images
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 3ae45c5f173d88ba621116f9e1b5611fe687e050
Component: engine
This fix migrates volumes tests in integration-cli to api tests
in integration/
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: d896f87c0595134fa2f0787dad30b237815f233f
Component: engine
imageService provides the backend for the image API and handles the
imageStore, and referenceStore.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Upstream-commit: 0dab53ff3cb0aae91aae068a3f1f2fd32339e23b
Component: engine
The Docker 18.03 branch was cut from
CLI: 84c7dd6057
Engine: fb005971c2bd82de482d1cfe924f2f4ec60c60ae
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 06dd62ab1e
Component: cli
This fix migrates some secret create tests to api tests,
and remove redundant TestConfigCreate.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 99e28188507bbcb925b0c09df6b53cdd882d24c5
Component: engine
This fix update docker-py so that containers from the tests run
could be cleaned up during teardown:
```diff
-ENV DOCKER_PY_COMMIT 5e28dcaace5f7b70cbe44c313b7a3b288fa38916
+ENV DOCKER_PY_COMMIT 8b246db271a85d6541dc458838627e89c683e42f
```
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 66935a0f64f0a72162fb3919c759f4f500b6c372
Component: engine
This fix moves helper functions containerIsStopped and
containerIsInState to integration/internal/container,
so that they could be used outside of integration/container.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: eda311c18f388ed4541dc44dcfba08cd4347a685
Component: engine
Binary installation was broken after the
hack/dockerfile/install-binaries script was removed.
This remedies that.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Upstream-commit: 59164bedeab571029805a107e8e5a32fc9cd56b3
Component: packaging
We need to clean the resources created in some test cases, else
in some cases we'll get below error for other tests:
> FAIL: docker_experimental_network_test.go:37: DockerNetworkSuite.TestDockerNetworkMacvlanPersistance
> docker_experimental_network_test.go:44:
> ...
> Command: ip link add dm-dummy0 type dummy
> ExitCode: 2
> Error: exit status 2
> Stdout:
> Stderr: RTNETLINK answers: File exists
> ...
Logically, each test case should be independent, the failure of previous
test case should not have side-effect for the test cases followed.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
Upstream-commit: 57d85e7e54f7d074af8c496cba43ee18d3815207
Component: engine
Signed-off-by: John Howard <jhoward@microsoft.com>
While debugging #32838, it was found (https://github.com/moby/moby/issues/32838#issuecomment-356005845) that the utility VM in some circumstances was crashing. Unfortunately, this was silently thrown away, and as far as the build step (also applies to docker run) was concerned, the exit code was zero and the error was thrown away. Windows containers operate differently to containers on Linux, and there can be legitimate system errors during container shutdown after the init process exits. This PR handles this and passes the error all the way back to the client, and correctly causes a build step running a container which hits a system error to fail, rather than blindly trying to keep going, assuming all is good, and get a subsequent failure on a commit.
With this change, assuming an error occurs, here's an example of a failure which previous was reported as a commit error:
```
The command 'powershell -Command $ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; Install-WindowsFeature -Name Web-App-Dev ; Install-WindowsFeature -Name ADLDS; Install-WindowsFeature -Name Web-Mgmt-Compat; Install-WindowsFeature -Name Web-Mgmt-Service; Install-WindowsFeature -Name Web-Metabase; Install-WindowsFeature -Name Web-Lgcy-Scripting; Install-WindowsFeature -Name Web-WMI; Install-WindowsFeature -Name Web-WHC; Install-WindowsFeature -Name Web-Scripting-Tools; Install-WindowsFeature -Name Web-Net-Ext45; Install-WindowsFeature -Name Web-ASP; Install-WindowsFeature -Name Web-ISAPI-Ext; Install-WindowsFeature -Name Web-ISAPI-Filter; Install-WindowsFeature -Name Web-Default-Doc; Install-WindowsFeature -Name Web-Dir-Browsing; Install-WindowsFeature -Name Web-Http-Errors; Install-WindowsFeature -Name Web-Static-Content; Install-WindowsFeature -Name Web-Http-Redirect; Install-WindowsFeature -Name Web-DAV-Publishing; Install-WindowsFeature -Name Web-Health; Install-WindowsFeature -Name Web-Http-Logging; Install-WindowsFeature -Name Web-Custom-Logging; Install-WindowsFeature -Name Web-Log-Libraries; Install-WindowsFeature -Name Web-Request-Monitor; Install-WindowsFeature -Name Web-Http-Tracing; Install-WindowsFeature -Name Web-Stat-Compression; Install-WindowsFeature -Name Web-Dyn-Compression; Install-WindowsFeature -Name Web-Security; Install-WindowsFeature -Name Web-Windows-Auth; Install-WindowsFeature -Name Web-Basic-Auth; Install-WindowsFeature -Name Web-Url-Auth; Install-WindowsFeature -Name Web-WebSockets; Install-WindowsFeature -Name Web-AppInit; Install-WindowsFeature -Name NET-WCF-HTTP-Activation45; Install-WindowsFeature -Name NET-WCF-Pipe-Activation45; Install-WindowsFeature -Name NET-WCF-TCP-Activation45;' returned a non-zero code: 4294967295: container shutdown failed: container ba9c65054d42d4830fb25ef55e4ab3287550345aa1a2bb265df4e5bfcd79c78a encountered an error during WaitTimeout: failure in a Windows system call: The compute system exited unexpectedly. (0xc0370106)
```
Without this change, it would be incorrectly reported such as in this comment: https://github.com/moby/moby/issues/32838#issuecomment-309621097
```
Step 3/8 : ADD buildtools C:/buildtools
re-exec error: exit status 1: output: time="2017-06-20T11:37:38+10:00" level=error msg="hcsshim::ImportLayer failed in Win32: The system cannot find the path specified. (0x3) layerId=\\\\?\\C:\\ProgramData\\docker\\windowsfilter\\b41d28c95f98368b73fc192cb9205700e21
6691495c1f9ac79b9b04ec4923ea2 flavour=1 folder=C:\\Windows\\TEMP\\hcs232661915"
hcsshim::ImportLayer failed in Win32: The system cannot find the path specified. (0x3) layerId=\\?\C:\ProgramData\docker\windowsfilter\b41d28c95f98368b73fc192cb9205700e216691495c1f9ac79b9b04ec4923ea2 flavour=1 folder=C:\Windows\TEMP\hcs232661915
```
Upstream-commit: 8c52560ea4593935322c1d056124be44e234b934
Component: engine
This images is used to run integration and integration-cli tests on
anything that implements the docker api :). The image wasn't building
anywore :D
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Upstream-commit: 9c46b587eec84f6d9b525ecca1d8b66a51055c12
Component: engine
Originally I worked on this for the multi-stage build Dockerfile
changes. Decided to split this out as we are still waiting for
multi-stage to be available on CI and rebasing these is pretty annoying.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: b529d1b0936b90ae14d584c73f7332919f8d76b7
Component: engine
This fixes an issue where the container LogPath was empty when the
non-blocking logging mode was enabled. This change sets the LogPath on
the container as soon as the path is generated, instead of setting the
LogPath on a logger struct and then attempting to pull it off that
logger at a later point. That attempt to pull the LogPath off the logger
was error prone since it assumed that the logger would only ever be a
single type.
Prior to this change docker inspect returned an empty string for
LogPath. This caused issues with tools that rely on docker inspect
output to discover container logs, e.g. Kubernetes.
This commit also removes some LogPath methods that are now unnecessary
and are never invoked.
Signed-off-by: junzhe and mnussbaum <code@getbraintree.com>
Upstream-commit: 20ca612a59c45c0bd58c71c199a7ebd2a6bf1a9e
Component: engine
dm_task_deferred_remove is not supported by all distributions, due to
out-dated versions of devicemapper. However, in the case where the
devicemapper library was updated without rebuilding Docker (which can
happen in some distributions) then we should attempt to dynamically load
the relevant object rather than try to link to it.
This can only be done if Docker was built dynamically, for obvious
reasons.
In order to avoid having issues arise when dlsym(3) was unnecessary,
gate the whole dlsym(3) logic behind a buildflag that we disable by
default (libdm_dlsym_deferred_remove).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Upstream-commit: 98fe4bd8f1e35f8e498e268f653a43cbfa31e751
Component: engine
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
