From ad6983624745cbb7c8f5bd7fd22c68f190b42004 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Sat, 11 Jan 2014 05:46:11 -0700
Subject: [PATCH 1/8] Stop ADD from following symlinks outside the context when passed as the first argument
Docker-DCO-1.1-Signed-off-by: Andrew Page (github: tianon)
Docker-DCO-1.1-Signed-off-by: Tianon Gravi (github: crosbymichael)
---
 buildfile.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/buildfile.go b/buildfile.go
index de03e5879f..6b568d7563 100644
--- a/buildfile.go
+++ b/buildfile.go
@@ -287,6 +287,11 @@ func (b *buildFile) CmdVolume(args string) error {
 func (b *buildFile) checkPathForAddition(orig string) error {
 origPath := path.Join(b.contextPath, orig)
+ if p, err := filepath.EvalSymlinks(origPath); err != nil {
+ return err
+ } else {
+ origPath = p
+ }
 if !strings.HasPrefix(origPath, b.contextPath) {
 return fmt.Errorf("Forbidden path outside the build context: %s (%s)", orig, origPath)
 }
From 42fed841d3735658d738aff34e135f8e461012dd Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Tue, 14 Jan 2014 11:42:03 -0700
Subject: [PATCH 2/8] Fix "foo: no such file or directory" test failure, and normalize creation of custom error to always depend on if os.IsNotExist(err) so we don't hide other errors that might crop up in these tests
Docker-DCO-1.1-Signed-off-by: Andrew Page (github: tianon)
Docker-DCO-1.1-Signed-off-by: Tianon Gravi (github: crosbymichael)
---
 buildfile.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/buildfile.go b/buildfile.go
index 6b568d7563..2b6d40c15d 100644
--- a/buildfile.go
+++ b/buildfile.go
@@ -288,6 +288,9 @@ func (b *buildFile) CmdVolume(args string) error {
 func (b *buildFile) checkPathForAddition(orig string) error {
 origPath := path.Join(b.contextPath, orig)
 if p, err := filepath.EvalSymlinks(origPath); err != nil {
+ if os.IsNotExist(err) {
+ return fmt.Errorf("%s: no such file or directory", orig)
+ }
 return err
 } else {
 origPath = p
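Review bot: The containment test that follows the new `filepath.EvalSymlinks` call in `checkPathForAddition` (PATCH 1/8) is still a raw string-prefix comparison, so a resolved path in a sibling directory whose name merely begins with the context path (context `/tmp/ctx`, resolved path `/tmp/ctx-other/f`; constructed example) satisfies `strings.HasPrefix(origPath, b.contextPath)`. Compare on a path boundary instead, e.g. `if origPath != b.contextPath && !strings.HasPrefix(origPath, b.contextPath+string(os.PathSeparator)) {`. `b.contextPath` is also compared unresolved, so if it contains a symlink component itself every resolved `origPath` would be rejected; resolving it once where it is set (outside this hunk) avoids that. The `else` after `return err` can go by declaring `p, err` first and assigning `origPath = p` after the `if`; the function continues past the end of the hunk.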
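Review bot: The mapping from `os.IsNotExist(err)` to `fmt.Errorf("%s: no such file or directory", orig)` is now written out three times in PATCH 2/8: here after `filepath.EvalSymlinks`, and again in the hunks at `-297,7` and `-313,7` after `os.Stat`. A small unexported helper taking `orig` and `err`, returning the friendly message only for not-exist errors and `err` otherwise, would keep the three sites from drifting apart. Because `EvalSymlinks` already fails for a missing path, the `os.Stat` in `checkPathForAddition` (hunk `-297,7`) should only see an error if the file disappears in between, so it deserves a comment saying that or could be dropped. The errors now passed through unchanged with `return err` are presumably `*os.PathError` values that include the absolute path on the build host, which is worth a conscious decision if they are shown to the client.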
@@ -297,7 +300,10 @@ func (b *buildFile) checkPathForAddition(orig string) error {
 }
 _, err := os.Stat(origPath)
 if err != nil {
- return fmt.Errorf("%s: no such file or directory", orig)
+ if os.IsNotExist(err) {
+ return fmt.Errorf("%s: no such file or directory", orig)
+ }
+ return err
 }
 return nil
 }
@@ -313,7 +319,10 @@ func (b *buildFile) addContext(container *Container, orig, dest string) error {
 }
 fi, err := os.Stat(origPath)
 if err != nil {
- return fmt.Errorf("%s: no such file or directory", orig)
+ if os.IsNotExist(err) {
+ return fmt.Errorf("%s: no such file or directory", orig)
+ }
+ return err
 }
 if fi.IsDir() {
 if err := archive.CopyWithTar(origPath, destPath); err != nil {
From 8d19b2caa01535202c2fa82913ad99ec2594032a Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Tue, 14 Jan 2014 14:28:19 -0800
Subject: [PATCH 3/8] Add remount for bind mounts in ro
Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 container.go | 2 +-
 mount/mount_test.go | 45 +++++++++++++++++++++++++++++++++++++++++-
 mount/mounter_linux.go | 10 +++++++++-
 3 files changed, 54 insertions(+), 3 deletions(-)
diff --git a/container.go b/container.go
index cea316ae5c..9e4495890a 100644
--- a/container.go
+++ b/container.go
@@ -716,7 +716,7 @@ func (container *Container) Start() (err error) {
 for r, v := range container.Volumes {
 mountAs := "ro"
- if container.VolumesRW[v] {
+ if container.VolumesRW[r] {
 mountAs = "rw"
 }
diff --git a/mount/mount_test.go b/mount/mount_test.go
index 5dc9dc256a..6edc31d410 100644
--- a/mount/mount_test.go
+++ b/mount/mount_test.go
@@ -48,7 +48,7 @@ func TestMounted(t *testing.T) {
 }
 f.Close()
- if err := Mount(sourcePath, targetPath, "none", "bind,ro"); err != nil {
+ if err := Mount(sourcePath, targetPath, "none", "bind,rw"); err != nil {
 t.Fatal(err)
 }
 defer func() {
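Review bot: `addContext` (hunk `-313,7`) still calls `os.Stat(origPath)` on a path that is built outside the hunk, and `os.Stat` follows symlinks, so the copy acts on whatever the path resolves to at that moment rather than on the resolved path that `checkPathForAddition` validated. If `origPath` here is the unresolved join of the context path and `orig` (not visible in the hunk), the check and the use can disagree when the context changes between them. Symlinks nested inside a directory handed to `archive.CopyWithTar` are also outside the first-argument check that this series adds. Consider having `checkPathForAddition` hand back the resolved path for use here, with a comment such as `// origPath was resolved and verified to be inside the build context`.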
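Review bot: The corrected lookup `container.VolumesRW[r]` in `Start` has neither a comment nor a test in this commit that pins the key convention, and a wrong key fails silently because a missing map entry reads as `false` and the volume is mounted `ro`. A comment on the loop such as `// VolumesRW is keyed like Volumes (r); a missing entry means read-only` would keep `r` and `v` from being swapped again. The loop body continues past the end of the hunk.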
@@ -64,4 +64,47 @@ func TestMounted(t *testing.T) {
 if !mounted {
 t.Fatalf("Expected %s to be mounted", targetPath)
 }
+ if _, err := os.Stat(targetPath); err != nil {
+ t.Fatal(err)
+ }
+}
+
+func TestMountReadonly(t *testing.T) {
+ tmp := path.Join(os.TempDir(), "mount-tests")
+ if err := os.MkdirAll(tmp, 0777); err != nil {
+ t.Fatal(err)
+ }
+ defer os.RemoveAll(tmp)
+
+ var (
+ sourcePath = path.Join(tmp, "sourcefile.txt")
+ targetPath = path.Join(tmp, "targetfile.txt")
+ )
+
+ f, err := os.Create(sourcePath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ f.WriteString("hello")
+ f.Close()
+
+ f, err = os.Create(targetPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+ f.Close()
+
+ if err := Mount(sourcePath, targetPath, "none", "bind,ro"); err != nil {
+ t.Fatal(err)
+ }
+ defer func() {
+ if err := Unmount(targetPath); err != nil {
+ t.Fatal(err)
+ }
+ }()
+
+ f, err = os.OpenFile(targetPath, os.O_RDWR, 0777)
+ if err == nil {
+ t.Fatal("Should not be able to open a ro file as rw")
+ }
 }
diff --git a/mount/mounter_linux.go b/mount/mounter_linux.go
index 1371f72bd9..dd4280c777 100644
--- a/mount/mounter_linux.go
+++ b/mount/mounter_linux.go
@@ -5,7 +5,15 @@ import (
 )
 func mount(device, target, mType string, flag uintptr, data string) error {
- return syscall.Mount(device, target, mType, flag, data)
+ if err := syscall.Mount(device, target, mType, flag, data); err != nil {
+ return err
+ }
+
+ // If we have a bind mount or remount, remount...
+ if flag&syscall.MS_BIND == syscall.MS_BIND && flag&syscall.MS_RDONLY == syscall.MS_RDONLY {
+ return syscall.Mount(device, target, mType, flag|syscall.MS_REMOUNT, data)
+ }
+ return nil
 }
 func unmount(target string, flag int) error {
From 734b4566df879c2c071a9785d69b2c9c51d76b06 Mon Sep 17 00:00:00 2001
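Review bot: `TestMountReadonly` puts its scratch directory at a fixed, predictable location, `path.Join(os.TempDir(), "mount-tests")`, creates it with mode `0777` and later runs `os.RemoveAll` on it, in a test that presumably has to run as root to call `Mount`. On a shared machine another local user can pre-create or fill that path, so a per-run directory is safer: `tmp, err := ioutil.TempDir("", "mount-tests")` (needs `io/ioutil`, whose import is not visible in the hunk). The result of `f.WriteString("hello")` is ignored, and when `os.OpenFile` unexpectedly succeeds the handle is not closed before `t.Fatal`. The final assertion accepts any open error; checking that it is the read-only-filesystem error would pin the behaviour the test is named for.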
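Review bot: When the second `syscall.Mount` call in `mount` (the `MS_REMOUNT` pass) fails, the function returns the error but leaves the bind mount from the first call in place, and that mount is still writable because the read-only flag has not been applied yet. A caller that reads an error as "nothing was mounted" would leave a read-write view of the source at `target`; undo the first step on that path, e.g. call `syscall.Unmount(target, 0)` before `return err`. The comment `// If we have a bind mount or remount, remount...` does not match the condition, which requires both `MS_BIND` and `MS_RDONLY`; `// MS_RDONLY is ignored when a bind mount is first created, so apply it with a second MS_REMOUNT pass` says why the second call exists.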
From: Fabio Falci
Date: Mon, 13 Jan 2014 20:28:30 +0000
Subject: [PATCH 4/8] Use https to get the latest docker version To avoid unexpected results since docker was using http. For instance, my broadband doesn't return not found when it's down but a html page saying that the internet is down. Docker was showing that html instead of ignoring it. Fix #3570
Docker-DCO-1.1-Signed-off-by: Fabio Falci (github: fabiofalci)
Docker-DCO-1.1-Signed-off-by: Fabio Falci (github: crosbymichael)
---
 utils/utils.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/utils/utils.go b/utils/utils.go
index 4dfadb793f..e046dfa2a5 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -827,7 +827,7 @@ func ParseHost(defaultHost string, defaultPort int, defaultUnix, addr string) (s
 }
 func GetReleaseVersion() string {
- resp, err := http.Get("http://get.docker.io/latest")
+ resp, err := http.Get("https://get.docker.io/latest")
 if err != nil {
 return ""
 }
From 75293b12b36b3eef6706cf85f291be96500a40da Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Fri, 10 Jan 2014 13:03:59 -0700
Subject: [PATCH 5/8] Add ca-certificates to our package Recommends It's only in "Recommends" because it's only required for all but the esoteric configurations (since you can't "docker pull" from the index without it, but that's about it).
Docker-DCO-1.1-Signed-off-by: Andrew Page (github: tianon)
Docker-DCO-1.1-Signed-off-by: Tianon Gravi (github: crosbymichael)
---
 hack/make/ubuntu | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hack/make/ubuntu b/hack/make/ubuntu
index bcffc6560f..f15608e920 100644
--- a/hack/make/ubuntu
+++ b/hack/make/ubuntu
@@ -111,6 +111,7 @@ EOF
 --depends lxc \
 --depends aufs-tools \
 --depends iptables \
+ --deb-recommends ca-certificates \
 --description "$PACKAGE_DESCRIPTION" \
 --maintainer "$PACKAGE_MAINTAINER" \
 --conflicts lxc-docker-virtual-package \
From 07b50a90a8e7380b781d75dda3773eb23cafb131 Mon Sep 17 00:00:00 2001
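Review bot: `http.Get` in `GetReleaseVersion` goes through `http.DefaultClient`, which sets no timeout, so after the switch to HTTPS a stalled handshake or response can still block the version check indefinitely. The rest of the function is outside the hunk; if it does not already do so, it should check `resp.StatusCode == http.StatusOK` and bound the body read, so that an error page served over a valid certificate is not printed as the version either. A comment such as `// HTTPS so that an intercepting network device cannot substitute the response` would record why the scheme matters here.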
From: Tianon Gravi
Date: Fri, 10 Jan 2014 10:20:31 -0700
Subject: [PATCH 6/8] Inline the test.docker.io fingerprint in the install.sh script as well As long as we're doing it, we ought to do it for all the "official" Docker properties at least
Docker-DCO-1.1-Signed-off-by: Andrew Page (github: tianon)
Docker-DCO-1.1-Signed-off-by: Tianon Gravi (github: crosbymichael)
---
 hack/install.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/hack/install.sh b/hack/install.sh
index 1f37018a7b..02d812f388 100755
--- a/hack/install.sh
+++ b/hack/install.sh
@@ -110,6 +110,8 @@ case "$lsb_dist" in
 set -x
 if [ "https://get.docker.io/" = "$url" ]; then
 $sh_c "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9"
+ elif [ "https://test.docker.io/" = "$url" ]; then
+ $sh_c "apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 740B314AE3941731B942C66ADF4FD13717AAD7D6"
 else
 $sh_c "$curl ${url}gpg | apt-key add -"
 fi
From d103b6f6df74a9fe54b6af747c497641f5b19937 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Wed, 8 Jan 2014 00:27:50 -0700
Subject: [PATCH 7/8] Add more specific lvm2 version to PACKAGERS document I personally tested this using our container, and this was the lowest version that compiles and runs properly.
Docker-DCO-1.0-Signed-off-by: Andrew Page (github: tianon)
Docker-DCO-1.1-Signed-off-by: Tianon Gravi (github: crosbymichael)
---
 hack/PACKAGERS.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hack/PACKAGERS.md b/hack/PACKAGERS.md
index 05283b909b..1dd039c3e3 100644
--- a/hack/PACKAGERS.md
+++ b/hack/PACKAGERS.md
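Review bot: The new `elif` in `hack/install.sh` pins the test.docker.io key by fingerprint, but the branch is selected by exact string equality with `"https://test.docker.io/"`, so any other spelling of `$url` (set outside this hunk) falls through to the `else` branch, which adds whatever key `${url}gpg` serves to apt's trusted keyring. The two 40-character fingerprints are bare literals inside command strings; a comment above each, e.g. `# signing key for packages served from test.docker.io`, would make a later key rotation reviewable. Since `--recv-keys` trusts the keyserver round trip, it may also be worth confirming the imported key afterwards by comparing `apt-key fingerprint` output against the pinned value. The `case` arm continues outside the hunk.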
@@ -38,7 +38,7 @@ To build docker, you will need the following system dependencies
 * A recent version of git and mercurial
 * Go version 1.2 or later
 * SQLite version 3.7.9 or later
-* libdevmapper from lvm2 version 1.02.77 or later (http://www.sourceware.org/lvm2/)
+* libdevmapper version 1.02.68-cvs (2012-01-26) or later from lvm2 version 2.02.89 or later
 * A clean checkout of the source must be added to a valid Go [workspace](http://golang.org/doc/code.html#Workspaces) under the path *src/github.com/dotcloud/docker*.
From bc3b2ec0622f50879ae96f042056b6bd2e0b4fba Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Tue, 14 Jan 2014 17:53:20 -0800
Subject: [PATCH 8/8] Bump to version v0.7.6
Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 CHANGELOG.md | 16 ++++++++++++++++
 VERSION | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72a0a2eecf..b416d450a2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,21 @@
 # Changelog
+## 0.7.6 (2014-01-14)
+
+#### Builder
+
+* Do not follow symlink outside of build context
+
+#### Runtime
+
+- Remount bind mounts when ro is specified
+* Use https for fetching docker version
+
+#### Other
+
+* Inline the test.docker.io fingerprint
+* Add ca-certificates to packaging documentation
+
 ## 0.7.5 (2014-01-09)
 #### Builder
diff --git a/VERSION b/VERSION
index 8bd6ba8c5c..c006218557 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.7.5
+0.7.6