With the latest OL7.2, selinux policy that is shipped
might not be the latest for it to work or build with
selinux policy for docker-1.12.
To be able to achieve that here is what is done:
1. Added systemd_machined policy which is part of systemd.
2. Temporarily comment out unconfined_typebounds because the
current OL7's selinux doesn't have unconfineduser selinux policy,
to include this will be too much. Will revisit this once we have
updated the selinux policy.
Fixes: #24612
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
(cherry picked from commit d6cae872c704c6cf36ee7d5c9b472e33280af202)
Signed-off-by: Tibor Vass <tibor@docker.com>
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.
The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.
The fedora policy is from commit 4a6ce94da5
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit 32b1f26c5111b22fe4277879c4f5e4687a6a72fc)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 197f23da497d3d82f30beb6d920211f6d2055fa3)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit fa1b82e5ebc0e7dafe500e891c8b8c5fe5d4e1aa)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit b58ef479a6be7ddff79a354ee912f9dd73a9f41b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 46d3464362f18a1eb6d37fc51b120d0f0614653a)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit ab95ec3dd927d5c0c303410519f07631c8c99a4e)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit f146f6127ce5c7a5f579b78f00bd06f68198ce0f)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit 3cddda3bbb0cbc6f600b228b61e1110e0cf34c65)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 34d9a8240914d30f3a8fe28c1b7d1d4e36d0657b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 13c138ec2a896a87da8fa81693975e7ffbec85fd)
Signed-off-by: Tibor Vass <tibor@docker.com>
Rather than conflict with the unexposed task model, change the names of
the object-oriented task display to `docker <object> ps`. The command
works identically to `docker service tasks`. This change is superficial.
This provides a more sensical docker experience while not trampling on
the task model that may be introduced as a top-level command at a later
date.
The following is an example of the display using `docker service ps`
with a service named `condescending_cori`:
```console
$ docker service ps condescending_cori
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 13 minutes ago Running 6c6d232a5d0e
```
The following shows the output for the node on which the command is
running:
```console
$ docker node ps self
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
b1tpbi43k1ibevg2e94bmqo0s mad_kalam.1 mad_kalam apline Accepted 2 seconds ago Accepted 6c6d232a5d0e
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 12 minutes ago Running 6c6d232a5d0e
4x609m5o0qyn0kgpzvf0ad8x5 furious_davinci.1 furious_davinci redis Running 32 minutes ago Running 6c6d232a5d0e
```
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit 0aa4e1e68973ede0c73f8a4356e2a17fc903f549)
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 57ae29aa74e77ade3c91b1c77ba766512dae9ab4)
Signed-off-by: Tibor Vass <tibor@docker.com>
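The pause-versus-continue behaviour described in that commit message, modelled as an added example; this is not Docker's or swarmkit's updater code. The `taskOutcome`, `updateStatus`, `rollingUpdate` and `pretty` names, the scripted task outcomes, the injected clock and the exact wording of the pause message are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// failureAction is the value of --update-on-failure.
type failureAction string

const (
	pauseOnFailure    failureAction = "pause"
	continueOnFailure failureAction = "continue"
)

// taskOutcome is what the updater observes for one replaced task; the
// outcomes are scripted (constructed) so the example runs offline.
type taskOutcome struct {
	id      string
	running bool // false: failed to start, or stopped during the update
}

// updateStatus is the subset of what `docker service inspect --pretty` shows.
type updateStatus struct {
	State     string // "updating", "paused", "completed"
	Message   string
	StartedAt time.Time
	Updated   []string // slots whose new task reached Running
	Remaining []string // slots left on the old task (non-empty only when paused)
}

// rollingUpdate replaces tasks one at a time in order and applies the
// --update-on-failure policy. `now` is injected so elapsed time is deterministic.
func rollingUpdate(tasks []taskOutcome, action failureAction, now func() time.Time) updateStatus {
	st := updateStatus{State: "updating", StartedAt: now()}
	for n, t := range tasks {
		if t.running {
			st.Updated = append(st.Updated, t.id)
			continue
		}
		if action == pauseOnFailure {
			// Stop here: later slots keep their old task until a human looks.
			st.State = "paused"
			st.Message = fmt.Sprintf("update paused due to failure or early termination of task %s", t.id)
			for _, rest := range tasks[n+1:] {
				st.Remaining = append(st.Remaining, rest.id)
			}
			return st
		}
		// continue: the old behaviour, keep replacing the remaining tasks anyway
	}
	st.State = "completed"
	return st
}

// pretty renders the update block the way a --pretty inspect would, including
// the time since the update started.
func pretty(st updateStatus, now time.Time) string {
	var b strings.Builder
	fmt.Fprintf(&b, "UpdateStatus:\n State:\t\t%s\n Started:\t%s ago\n", st.State, now.Sub(st.StartedAt).Round(time.Second))
	if st.Message != "" {
		fmt.Fprintf(&b, " Message:\t%s\n", st.Message)
	}
	return b.String()
}

// Constructed scenario: slot 2's new task dies while the update is in flight.
var scripted = []taskOutcome{{"svc.1", true}, {"svc.2", false}, {"svc.3", true}}

func main() {
	t0 := time.Date(2016, 7, 20, 12, 0, 0, 0, time.UTC)
	clock := func() time.Time { return t0 }
	for _, a := range []failureAction{pauseOnFailure, continueOnFailure} {
		st := rollingUpdate(scripted, a, clock)
		fmt.Printf("--update-on-failure=%s\n%s\n", a, pretty(st, t0.Add(2*time.Minute)))
	}
}
```

With `pause`, the failing slot is named in the message and `svc.3` is never touched; with `continue`, the update reports `completed` even though one replacement died, which is exactly the silent failure mode the new default avoids.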
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit a04bba8b89f12480c4eaf0dda8f47442f99864ca)
Signed-off-by: Tibor Vass <tibor@docker.com>
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit a0ccd0d42fdb0dd2005f67604cb81a5a6b26787e)
Signed-off-by: Tibor Vass <tibor@docker.com>
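A worked model of the address-selection rules that commit message describes, added here as an illustration; it is not the Docker or swarmkit implementation. The `iface` type stands in for `net.Interface`, the interface names and addresses are constructed, and `interfaceAddr`, `detectAdvertiseAddr`, `listenAddrRequired`, `errNoIP` and `errMultipleIPs` are names chosen for the example. The IPv4-over-IPv6 tie-break is applied per interface, both for autodetection and for an interface name passed to `--listen-addr`/`--advertise-addr`.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// iface is a constructed stand-in for net.Interface so the example runs offline;
// the interface names and addresses used below are made up.
type iface struct {
	name  string
	addrs []string // CIDR notation, as net.Interface.Addrs() returns it
}

var errNoIP = errors.New("no usable IP address; specify --advertise-addr")
var errMultipleIPs = errors.New("multiple usable IP addresses; specify --advertise-addr")

// interfaceAddr resolves one interface (also what an interface name given to
// --listen-addr or --advertise-addr means): loopback and link-local are
// ignored, one IPv4 beats one IPv6, two of the same family is an error.
func interfaceAddr(i iface) (net.IP, error) {
	var v4, v6 net.IP
	for _, a := range i.addrs {
		ip, _, err := net.ParseCIDR(a)
		if err != nil || !ip.IsGlobalUnicast() {
			continue
		}
		slot := &v6
		if ip.To4() != nil {
			slot = &v4
		}
		if *slot != nil {
			return nil, fmt.Errorf("%w: %s has %s and %s", errMultipleIPs, i.name, *slot, ip)
		}
		*slot = ip
	}
	if v4 != nil {
		return v4, nil
	}
	if v6 == nil {
		return nil, fmt.Errorf("%w on %s", errNoIP, i.name)
	}
	return v6, nil
}

// detectAdvertiseAddr is the autodetection used when --advertise-addr is absent:
// skip docker* interfaces, then insist on exactly one candidate across the rest
// instead of trusting whatever the default route points at.
func detectAdvertiseAddr(ifaces []iface) (net.IP, error) {
	var chosen net.IP
	for _, i := range ifaces {
		if strings.HasPrefix(i.name, "docker") {
			continue
		}
		ip, err := interfaceAddr(i)
		switch {
		case errors.Is(err, errNoIP):
			continue
		case err != nil:
			return nil, err
		case chosen != nil:
			return nil, fmt.Errorf("%w: %s and %s", errMultipleIPs, chosen, ip)
		}
		chosen = ip
	}
	if chosen == nil {
		return nil, errNoIP
	}
	return chosen, nil
}

// listenAddrRequired: swarm init must be given an explicit --listen-addr when the
// advertise address is a hostname or an IP not configured on this host.
func listenAddrRequired(ifaces []iface, advertise string) bool {
	ip := net.ParseIP(advertise) // nil for a hostname, which never matches below
	for _, i := range ifaces {
		for _, a := range i.addrs {
			if local, _, err := net.ParseCIDR(a); err == nil && local.Equal(ip) {
				return false
			}
		}
	}
	return true
}

// Constructed fixtures: a single-homed host and a cloud host with two NICs.
var singleHomed = []iface{
	{"eth0", []string{"10.0.0.5/24", "fe80::1/64", "2001:db8::5/64"}},
	{"docker0", []string{"172.17.0.1/16"}},
}
var multiHomed = []iface{{"eth0", []string{"10.0.0.5/24"}}, {"eth1", []string{"192.168.1.9/24"}}}

func main() {
	fmt.Println(detectAdvertiseAddr(singleHomed)) // 10.0.0.5 <nil>
	fmt.Println(detectAdvertiseAddr(multiHomed))  // <nil> multiple usable IP addresses; specify --advertise-addr: 10.0.0.5 and 192.168.1.9
	fmt.Println(listenAddrRequired(multiHomed, "swarm.example.com")) // true
}
```

On the two-NIC host the model refuses to guess, which is the point: a manager that advertises a private address nobody else can reach, or a public one it should not, is worse than a startup error. The model does not track interface up/down flags and uses `IsGlobalUnicast` as its only usability filter.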
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 42b4d6ebe44029155d98d623c9d51f0cda89e194)
Signed-off-by: Tibor Vass <tibor@docker.com>
`--with-registry-auth` is more explicit.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 8426f72107f351b769babadeabbf13f205126514)
Signed-off-by: Tibor Vass <tibor@docker.com>
Swarm join has been changed in f5e1f6f6880391a5a3399023cf93a3c48502e57d,
removing various options and the "node accept" command.
This removes the removed options from the completion
scripts.
NOTE: a new command ("docker swarm join-token") was
also added, but is not part of this commit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c4ab20c5f8c13d9d91dbd29fd41fc0d78f93ab0d)
Signed-off-by: Tibor Vass <tibor@docker.com>
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 2cc5bd33eef038bf5721582e2410ba459bb656e9)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 6c98d5bfaccda4b211e537f5072767160a20d497)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 492fdf1f57bff10bed5d44bf63f344c1d7961eb2)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit cdb8383d7f4045a5cde0fe636f8fadb6560ba6cd)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit 45484f5458e3b4cf7996d4cb8481ed7e38982200)
Signed-off-by: Tibor Vass <tibor@docker.com>
Fixes #23981
The selinux issue we are seeing in the report is related to the socket
file for docker and nothing else. By removing the socket docker starts
up correctly.
However, there is another motivation for removing socket activation from
docker's systemd files and that is because when you have daemons running
with --restart always whenever you have a host reboot those daemons
will not be started again because the docker daemon is not started by
systemd until a request comes into the docker API.
Leave it for deb based systems because everything is working correctly
for both socket activation and starting normally at boot.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit 04104c3a1e6cad30cb41b762e8832215466c0e95)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit bc6e3c0b5e415f09957955782b4d51e94a5ff2b9)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 823e161de73e2df04cd3905b72b7916c49091af4)
Signed-off-by: Tibor Vass <tibor@docker.com>
Following the announcement:
https://groups.google.com/forum/m/#!topic/golang-announce/7JTsd70ZAT0
> [security] Go 1.6.3 and Go 1.7rc2 pre-announcement
>
> Hello gophers,
> We plan to issue Go 1.6.3 and Go 1.7rc2 on Monday July 18 at approximately 2am UTC.
> These are minor releases to fix a security issue.
>
> Following our policy at https://golang.org/security, this is the pre-announcement of those releases.
>
> Because we are so late in the release cycle for Go 1.7, we will not issue a minor release of Go 1.5.
> Additionally, we plan to issue Go 1.7rc3 later next week, which will include any changes between 1.7rc1 and tip.
>
> Cheers,
> Chris on behalf of the Go team
**Note:**
the man/Dockerfile is not yet updated, because
the official image for Go 1.6.2 has not yet
been updated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 589bafddf391cbf6aff8b22044266dc819cdcaeb)
Signed-off-by: Tibor Vass <tibor@docker.com>
This adds the `--live-restore` option to the documentation.
Also synched usage description in the documentation
with the actual description, and re-phrased some
flag descriptions to be a bit more consistent.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 64a8317a5a306dffd0ec080d9ec5b4ceb2479a01)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 698bd5ab65ddc3db9679aa27b79c89ba1ca1fe23)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit 2e6922a6d3295857ae73fe7df7aa452d220f869d)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit 5d29732bdf8f6b3a52a8272c4549982a95727ef8)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit 64f08906a2429ac0b2192e263ca86574f7f0dded)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit ba5d9f63a3b5c39fdbb89778782367a55ce74809)
Signed-off-by: Tibor Vass <tibor@docker.com>
(and set $exec to dockerd instead)
This ensures end users do not need to make any configuration changes
due to the rename from docker to dockerd in version 1.12.
Signed-off-by: Paul Furtado <pfurtado@hubspot.com>
(cherry picked from commit acb41ddc9df80894d2ff84c34a98cc904b9241fa)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit e1e310ea1fc47488a7404e3fa52fa606fe270ed0)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7bf0faf42377a91a8535b443201d9ad62326889b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit e4a024d5902df1d3db8b9fff8865304afa2305e6)
Signed-off-by: Tibor Vass <tibor@docker.com>
Ref: https://github.com/docker/docker/pull/23324
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit c4846f697271d2990cca8481338f4827b2558112)
Signed-off-by: Tibor Vass <tibor@docker.com>
This commit adds DUMMY and IPVLAN to check-config.sh
because they are needed for the ipvlan and macvlan network
drivers.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
(cherry picked from commit f5940ef7255a0a387baa6e20e09f86473ddf6d08)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit a394490d3895fe0122b44a3f89acc04946b83bda)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit a44e71c4274cd311e99722277cb674b2bc84d86e)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 009d50e2d8c4f74f38ebefe89b8dd44b69b46660)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 715754ee61a83a710f5c0c3974cfed6b453d5595)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 2b34fa0511a5193b1cb07493555872cfd6b70442)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit a859a336475f39c7b7d7739c58a1dae40df86a86)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Jonathan Lomas <jonathan@floatinglomas.ca>
(cherry picked from commit 7631dc80a6b1549b857192f44322fcee5e754254)
Signed-off-by: Tibor Vass <tibor@docker.com>
There is a not-insignificant performance overhead for all containers (if
containerd is a child of Docker, which is the current setup) if systemd
sets rlimits on the main Docker daemon process (because the limits
propagate to all children).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 8db61095a3d0bcb0733580734ba5d54bc27a614d)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit f5d768e2c53f777e1add70f0e367e58db561842e)
Signed-off-by: Tibor Vass <tibor@docker.com>