TL;DR: stop building static binary that may fail
Linker flag --unresolved-symbols=ignore-in-shared-libs was added
in commit 06d0843 two years ago for the static build case, presumably
to avoid dealing with problem of missing libraries.
For the record, this is what ld(1) man page says:
> --unresolved-symbols=method
> Determine how to handle unresolved symbols. There are four
> possible values for method:
> .........
> ignore-in-shared-libs
> Report unresolved symbols that come from regular object files,
> but ignore them if they come from shared libraries. This can
> be useful when creating a dynamic binary and it is known that
> all the shared libraries that it should be referencing are
> included on the linker's command line.
Here, the flag is not used for its purpose ("creating a dynamic binary")
and does more harm than good. Instead of complaining about missing symbols
as it should do if some libraries are missing from LIBS/LDFLAGS, it lets
ld create a binary with unresolved symbols, ike this:
$ readelf -s bundles/1.7.1/binary/docker-1.7.1 | grep -w UND
........
21029: 0000000000000000 0 NOTYPE GLOBAL DEFAULT UND dlopen
.........
Such binary is working just fine -- until code calls one of those
functions, then it crashes (for apparently no reason, i.e. it is
impossible to tell why from the diagnistics printed).
In other words, adding this flag allows to build a static binary
with missing libraries, hiding the problem from both a developer
(who forgot to add a library to #cgo: LDFLAGS -- I was one such
developer a few days ago when I was working on ploop graphdriver)
and from a user (who expects the binary to work without crashing,
and it does that until the code calls a function in one of those
libraries).
Removing the flag immediately unveils the problem (as it should):
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libsqlite3.a(sqlite3.o):
In function `unixDlError':
(.text+0x20971): undefined reference to `dlerror'
/usr/lib/gcc/x86_64-linux-gnu/4.8/../../../x86_64-linux-gnu/libsqlite3.a(sqlite3.o):
In function `unixDlClose':
(.text+0x8814): undefined reference to `dlclose'
The problem is, gosqlite package says:
#cgo LDFLAGS: -lsqlite3
which is enough for dynamic linking, as indirect dependencies (i.e.
libraries required by libsqlite3.so) are listed in .so file and will be
resolved dynamically by ldd upon executing the binary.
For static linking though, one has to list all the required libraries,
both direct and indirect. For libraries with pkgconfig support the
list of required libraries can be obtained with pkg-config:
$ pkg-config --libs sqlite3 # dynamic linking case
-lsqlite3
$ pkg-config --libs --static sqlite3 # static case
-lsqlite3 -ldl -lpthread
It seems that all one has to do is to fix gosqlite this way:
-#cgo LDFLAGS: -lsqlite3
+#cgo pkg-config: sqlite3
Unfortunately, cmd/go doesn't know that it needs to pass --static
flag to pkg-config in case of static linking
(see https://github.com/golang/go/issues/12058).
So, for one, one has to do one of these things:
1. Patch sqlite.go like this:
-#cgo LDFLAGS: -lsqlite3
+#cgo pkg-config: --static sqlite3
(this is exactly what I do in goploop, see
https://github.com/kolyshkin/goploop/commit/e9aa072f51)
2. Patch sqlite.go like this:
-#cgo LDFLAGS: -lsqlite3
+#cgo LDFLAGS: -lsqlite3 -ldl -lpthread
(I would submit this patch to gosqlite but it seems that
https://code.google.com/p/gosqlite/ is deserted and not maintained,
and patching it here is not right as it is "vendored")
3. Explicitly add -ldl for the static link case.
This is what this patch does.
4. Fork sqlite to github and maintain it there. Personally I am not
ready for that, as I'm neither a Go expert nor gosqlite user.
Now, #3 doesn't look like a clear solution, but nevertheless it makes
the build much better than it was before.
Signed-off-by: Kir Kolyshkin <kir@openvz.org>
Main changes in this vendoring are to allow user name space integration in docker.
And it includes major fix for network namespace handling
Signed-off-by: Alessandro Boch <aboch@docker.com>
Signed-off-by: Alessandro Boch <aboch@docker.com>
- some method names were changed to have a 'Locking' suffix, as the
downcased versions already existed, and the existing functions simply
had locks around the already downcased version.
- deleting unused functions
- package comment
- magic numbers replaced by golang constants
- comments all over
Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
This allows someone running the image to use `-v` to mount a non-tmpfs `/tmp` into their image if they so require/desire.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
With this, you can specify a branch name in the
vendor script instead of a commit ID. This makes it easier
to quickly test changes in dep'd repos outside of the DIND
environment.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Windows: add support for images stored in alternate location.
Signed-off-by: Stefan J. Wernli <swernli@microsoft.com>
Updating netlink package to 4b5dce31de6d42af5bb9811c6d265472199e0fec
to fix certain wierd netlink issues seen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Fixes rare edge case of handling GNU LongLink and LongName entries.
Perf improvements. /dev/null writes were taking CPU time during docker
push. Thanks @LK4D4
Various cleanup too.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
This update fixes Windows client console bugs and increases VT100
compatibility. With this change, nano and emacs become usable, and bash
works better.
Signed-off-by: John Starks <jostarks@microsoft.com>
- downcase and privatize exported variables that were unused
- make accurate an error message
- added package comments
- remove unused var ReadLogsNotSupported
- enable linter
- some spelling corrections
Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
- comments on exported values
- constant string replaced by constant reference
- unexport implementation details of VolumeDriver 'local'
- add fixed packages to linter list
Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
This version includes a fix that avoids checking against specific HTTP
status codes. The previous behavior violated the registry API spec.
Fixes#14975
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
* Add godoc documentation where it was missing
* Change identifier names that don't match Go style, such as INDEX_NAME
* Rename RegistryInfo to PingResult, which more accurately describes
what this structure is for. It also has the benefit of making the name
not stutter if used outside the package.
Updates #14756
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Currently the vendor script removes directories which do not have imported go packages, however this also ends up removing license files which may be other directories.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
By default, using go with package will only validate the go file for the
current platform (or at last misses file_windows.go for example). This
tries to fix that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Wraps the engine itself with an AppArmor policy.
This restricts what may be done by applications
we call out to, such as 'xz'.
Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.
Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.
Signed-off-by: Eric Windisch <eric@windisch.us>
The docker-py commit used in the standard `Dockerfile` is from Feb. 2015
and is out of date with the current API level and has fixes for things
like the new docker cli config location and registry v2 changes/API
responses as well.
Also pass "NOT_ON_HOST=true" to docker-py test suite so that tests
relying on direct HOST interaction (versus running in a container) are
skipped.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Fix the following warnings:
pkg/mount/mountinfo.go:5:6: type name will be used as mount.MountInfo by other packages, and that stutters; consider calling this Info
pkg/mount/mountinfo.go:7:2: struct field Id should be ID
Signed-off-by: Antonio Murdaca <runcom@linux.com>
The Ansi parser and their associated actions have been decoupled. Now
parsing results in call backs to an interface which performs the
appropriate actions depending on the environment.
This improvement provides a functional Vi experience and the vttest no
longer panics.
This PR replaces docker/docker #13224 with the latest console updates.
Signed-off-by: John Howard <jhoward@microsoft.com>
Add golint to the Dockerfile, and a `validate-lint` task to the
Makefile. Currently, the linter will process a harcoded list of packages
that will expand as we fix more warnings. Eventually, the linter should
process all subpackages of the repo (excluding vendored code).
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Replaced github.com/docker/libcontainer with
github.com/opencontainers/runc/libcontaier.
Also I moved AppArmor profile generation to docker.
Main idea of this update is to fix mounting cgroups inside containers.
After updating docker on CI we can even remove dind.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
These will create the apt & yum repos for the deb/rpms generated by build-deb
and build-rpm.
Adds sign-repo script which signs the repo metadata with a gpg key.
Signed-off-by: Jessica Frazelle <princess@docker.com>
For hybrid cloud, some ubuntu vm images doesn't have the directory
`/etc/apt/sources.list.d` which cause failure on creating
`/etc/apt/sources.list.d/docker.list`.
To fix this issue, create this directory first (if it doesn't exist).
Signed-off-by: Penghan Wang <ph.wang@daocloud.io>
Add a few links to the release output that the release captain can use to announce the release.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Vendoring libnetwork commit: 8fb0a8bc9e3166216ca3da2d0bb15332f6685745
- Fixes breakage in k/v store handling logic in experimental
- Adds back all the fixes that went in 1.7.1 to master
- Change VXLAN port in overlay driver to IANA assigned port
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
When a container is started with `--net=host` with
a particular name and it is subsequently destroyed,
then all subsequent creations of the container with
the same name will fail. This is because in `--net=host`
the namespace is shared i.e the host namespace so
trying to destroy the host namespace by calling
`LeaveAll` will fail and the endpoint is left with
the dangling state. So the fix is, for this mode, do
not attempt to destroy the namespace but just cleanup
the endpoint state and return.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
- brings in vxlan based native multihost networking
- added a daemon flag required by libkv for dist kv operations
- moved the daemon flags to experimental
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This commit also brings in the ability to specify a default network and its
corresponding driver as daemon flags. This helps in existing clients to
make use of newer networking features provided by libnetwork.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
I ran a single integration test and got an error that the file
/sys/module/apparmor/parameters/enabled doesn't exist. I don't have
apparmor installed. So, just check the file first to avoid a confusing
error.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
This PR brings the vendored libnetwork code to
3be488927db8d719568917203deddd630a194564, which pulls in quite a few
fixes to support kvstore, windows daemon compilation fixes,
multi-network support for Bridge driver, etc...
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This helps ensure that `github.com/docker/docker/pkg/...` is actually safe to use in isolation (ie, doesn't import anything from `github.com/docker/docker` except other things from `pkg` or vendored dependencies).
Adding `github.com/docker/docker/utils` to the imports of `pkg/version/version.go`:
```
---> Making bundle: validate-pkg (in bundles/1.7.0-dev/validate-pkg)
These files import internal code: (either directly or indirectly)
- pkg/version/version.go imports github.com/docker/docker/autogen/dockerversion
- pkg/version/version.go imports github.com/docker/docker/utils
```
And then removing it again:
```
---> Making bundle: validate-pkg (in bundles/1.7.0-dev/validate-pkg)
Congratulations! "./pkg/..." is safely isolated from internal code.
```
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Adding in other areas per comments
Updating with comments; equalizing generating man page info
Updating with duglin's comments
Doug is right here again;fixing.
Signed-off-by: Mary Anthony <mary@docker.com>
no longer load hide critical code such as in .integration-daemon-{start,stop},
if this step failed, it will had logged the corresponding module before:
---> Making bundle: .integration-daemon-start (in bundles/1.7.0-dev/daemon-start)
which is nicer to debug.
This will make it also easier to execute a single tests in an interactive shell.
$ make shell
docker> . hack/make.sh binary .integration-daemon-start .integration-daemon-setup
docker> docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
docker> go test github.com/docker/docker/integration-cli
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
When the daemon is going down trigger immediate
garbage collection of libnetwork resources deleted
like namespace path since there will be no way to
remove them when the daemon restarts.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Kir Kolyshkin
Jessie Frazelle
Tianon Gravi
Jessica Frazelle
Tibor Vass
Vincent Demeester
Michael Crosby
Alessandro Boch
Mike Dougherty
David Calavera
Derek McGowan
Morgan Bauer
John Howard
Srini Brahmaroutu
Christy Perez
Stefan J. Wernli
Jana Radhakrishnan
Madhu Venugopal
Arnaud Porterie
John Starks
Vincent Batts
Zhang Wei
Brian Goff
Qiang Huang
Ben Hall
Lei Jitang
Veres Lajos
Alexander Morozov
root
John Howard
Filipe Oliveira
Antonio Murdaca
Alexander Morozov
Hu Keping
Tibor Vass
Eric Windisch
Avi Miller
Srini Brahmaroutu
root
Jessica Frazelle
Félix Cantournet
Antonio Murdaca
Aaron Lehmann
Doug Davis
Sebastiaan van Stijn
evalle
Phil Estes
Ben Firshman
Penghan Wang
Stephen J Day
Phil Estes
Peeyush Gupta
Thomas Sjögren
TAGOMORI Satoshi
Mrunal Patel
Mary Anthony
Marius Sturm
Jörg Thalheim