In cases there are failures in task start, swarmkit might be trying to
restart the task again in the same node which might keep failing. This
creates a race where when a failed task is getting removed it might
remove the associated network while another task for the same service
or a different service but connected to the same network is proceeding
with starting the container knowing that the network is still
present. Fix this by reacting to `ErrNoSuchNetwork` error during
container start by trying to recreate the managed networks. If they
have been removed it will be recreated. If they are already present
nothing bad will happen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
(cherry picked from commit 117cef5e9766d6ba228770c225e816c6afd16ff8)
Signed-off-by: Tibor Vass <tibor@docker.com>
Unlike `docker run -v..`, `docker service create --mount`
does not allow bind-mounting non-existing host paths.
This adds validation for the specified `source`, and
produces an error if the path is not found on the
host.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 84d5ab96ef33355e65f5c31210eb1777db372c52)
Signed-off-by: Tibor Vass <tibor@docker.com>
This is intended as a minor fix for 1.12.1 so that task creation doesn't
do unexpected things when the user supplies erroneous paths.
In particular, because we're currently using hostConfig.Binds to setup
mounts, if a user uses an absolute path for a volume mount source, or a
non-absolute path for a bind mount source, the engine will do the
opposite of what the user requested since all absolute paths are
treated as binds and all non-absolute paths are treated as named
volumes.
Fixes#25253
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 38f8b0eb10725c40fb3c7e0719accd240cd39e22)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to improve error messages when IP address
autodetection fails, as is specified in 25141.
Previously, error messages only indicate that multiple IPs
exist when autodetection fails. In this fix, if one
interface consists of multiple addresses or multiple
interfaces consist of addresses, the error messages output
the address names and interface names so that end user could
take notice.
This fix is verified manually.
When multiple addresses exist on multiple interfaces:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses on different
interfaces (192.168.186.128 on ens33 and 192.168.100.199 on eth10)
- specify one with --advertise-addr
```
When multiple addresses exist on single interface:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses
on interface ens33 (192.168.186.128 and 192.168.55.199)
- specify one with --advertise-addr
```
This fix fixes 25141.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 59db01049ac6a8e54490565dc44661f780c13734)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f0230049f0afd318217c60ebe486aab3b54538fd)
Signed-off-by: Tibor Vass <tibor@docker.com>
Remove the swarm inspect command and use docker info instead to display
swarm information if the current node is a manager.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit e6923f6d75c2bd1b22cc1229214ffceca3251cc6)
Signed-off-by: Tibor Vass <tibor@docker.com>
Context cancellations were previously causing `Prepare` to fail
completely on re-entrant calls. To prevent this, we filtered out cancels
and deadline errors. While this allowed the service to proceed without
errors, it had the possibility of interrupting long pulls, causing the
pull to happen twice.
This PR forks the context of the pull to match the lifetime of
`Controller`, ensuring that for each task, the pull is only performed
once. It also ensures that multiple calls to `Prepare` are re-entrant,
ensuring that the pull resumes from its original position.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit d8d71ad5b94d44a2778f2d8989424259cac94e9b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Ensure that cancellation of a pull propagates rather than continuing to
container creation. This ensures that the `Prepare` method is properly
re-entrant.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit d99c6b837ffd18ffe5bce801feb4936bf0edd2aa)
Signed-off-by: Tibor Vass <tibor@docker.com>
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 57ae29aa74e77ade3c91b1c77ba766512dae9ab4)
Signed-off-by: Tibor Vass <tibor@docker.com>
Hostnames are not supported for now because libnetwork can't use them
for overlay networking yet.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit fca0b18dcba99a7fbb8b430a55dc7bf60d5c1356)
Signed-off-by: Tibor Vass <tibor@docker.com>
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit a0ccd0d42fdb0dd2005f67604cb81a5a6b26787e)
Signed-off-by: Tibor Vass <tibor@docker.com>
In 24823, `swarm join` has been updated to take a `--token`
flag and flag `--manager` has been removed. Though in errNoManager()
the error message still use the old description.
This fix update the error message in errNoManager() and conforms
to the current available flags.
This fix is related to 24823.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 3d30155735d572376500729496de657459493213)
Signed-off-by: Tibor Vass <tibor@docker.com>
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 2cc5bd33eef038bf5721582e2410ba459bb656e9)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix is an extension to last commit to expand the partial
filter to node and task searches.
Additional integration tests have been added to cover the changes.
This fix fixes 24270.
This fix fixes 24112.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit e734fa58eadb4dfaa33b4be275d6f8f29d899e78)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 24270 where it was
not possible to have a partial name match when list services
with name filter.
This fix updates swarmkit and allows prefix search when name is
provided as the filter for listing services.
An additional integration test is added to cover the changes.
This fix fixes 24270.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 1d600ebcb5750c4c93356fae08e562d836ecee45)
Signed-off-by: Tibor Vass <tibor@docker.com>
Adds log driver support for service creation and update. Add flags
`--log-driver` and `--log-opt` to match `docker run`. Log drivers are
configured per service.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit e778ba2d5b1e5074fe413dffaa365f3d37b175c7)
Signed-off-by: Tibor Vass <tibor@docker.com>
For any operation that involves netwoks (other than network create),
swarmkit expects the target as network-id. Service upate was using
network-name as the target and that caused the issue.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
(cherry picked from commit b32cfb32a3f654f27bc9d4356b36c6a7e5e53b21)
Signed-off-by: Tibor Vass <tibor@docker.com>
Needed for libnetwork vendoring
Update Secret API name change correspondingly
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit d428a7a425f071ee9e5707c7319d3197540adc19)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit a859a336475f39c7b7d7739c58a1dae40df86a86)
Signed-off-by: Tibor Vass <tibor@docker.com>
In the API:
`Writable` changed to `ReadOnly`
`Populate` changed to `NoCopy`
Corresponding CLI options updated to:
`volume-writable` changed to `volume-readonly`
`volume-populate` changed to `volume-nocopy`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 56f3422468a0b43da7bae7a01762ce4f0a92d9ff)
Signed-off-by: Tibor Vass <tibor@docker.com>
In order to keep a little bit of "sanity" on the API side, validate
hostname only starting from v1.24 API version.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 6daf3d2a783fd042e870c8af8bbd19fc28989505)
Signed-off-by: Tibor Vass <tibor@docker.com>
… on `docker node tasks` and `docker service tasks` commands.
This changes is mainly server-side (between engine api and
swarmkit). There is just a check in `api/client/service/tasks.go` to
handle the special *self* meaning.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit b0fc5a21f1138f48e0431a550c936e8908d72840)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Otto Kekäläinen <otto@seravo.fi>
(cherry picked from commit 644a7426cc31c338fedb6574d2b88d1cc2f43a08)
Signed-off-by: Tibor Vass <tibor@docker.com>
Swarm was putting volume type mounts into the container config's
"Volumes" field, but really these need to go into "Binds".
"Volumes" is only for normal "-v /foo" volumes, not named volumes or
anything else.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 2bc2165cbf3e949921d1659f09841b5f008f590d)
Signed-off-by: Tibor Vass <tibor@docker.com>
For consistency with other filters (such as
"is-official"), this renames the desired_state
filter to "desired-state".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d761719eb4e45fbd6f092f6d0b4eb42206e298f6)
Signed-off-by: Tibor Vass <tibor@docker.com>
On stop there were multiple places that marked
`cluster.node` nil. Now stop waits for the node to
set itself nil.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 1a8a473017299c5e999d55d14634874826062fce)
This warning appears in the course of normal use of swarm mode. Since
it's meant more as an internal TODO than something which should be
exposed to a user, remove the log message.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 39c93cfb47783f2531ba44f062fd9a8b351d2224)
Jana Radhakrishnan