Commit Graph

216 Commits

Author SHA1 Message Date
Tonis Tiigi 8a81c46272 Move consumeSlow() under test utils
Signed-off-by: Tõnis Tiigi <tonistiigi@gmail.com> (github: tonistiigi)
2014-10-30 20:55:08 +02:00
Jessie Frazelle f936a10d80 Merge pull request #8571 from ncdc/3631-stdout-premature-eof
Fix stdout premature EOF
2014-10-29 11:36:32 -07:00
Alexandr Morozov 77dcab133c Merge pull request #8735 from estesp/fix-test-timeout-on-drone
Up test timeout to 10s based on recent drone.io timeout failures
2014-10-23 13:02:34 -07:00
Phil Estes ee17b93df9 Up test timeout to 10s based on recent drone.io timeout failures
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2014-10-23 14:30:39 -04:00
Phil Estes 6589044b5b Fix volume test using "find" to properly call find with /hello path
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2014-10-23 14:13:11 -04:00
Jessica Frazelle 93e17b2eca TestRunRedirectStdout kept failing with timed out.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-22 15:51:14 -07:00
Andy Goldstein 5572dbb750 Fix stdout premature EOF
Never close attached stream before both stdout and stderr have written
all their buffered contents. Remove stdinCloser because it is not needed
any more as the stream is closed anyway after attach has finished.

Fixes #3631

Signed-off-by: Andy Goldstein <agoldste@redhat.com>
2014-10-22 16:34:42 -04:00
Brian Goff 964f9965c7 Clean volume paths
Fixes #8659

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2014-10-20 19:07:56 -04:00
Alexandr Morozov ad136e1ae3 Don't write pull output to stdout on container creating
Fixes #8632

Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-10-17 11:08:53 -07:00
Jessica Frazelle 66ac7420a9 Cleanup errorOut resp run tests
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-16 15:06:20 -07:00
Jessica Frazelle c091397d51 Replace '%s' in run tests
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-14 10:59:19 -07:00
Andrea Luzzardi 5b8379a434 Disable stable IPs.
Stable IPs causes some regressions in the way people use Docker, see GH#8493.

Reverting it for 1.3, we'll enable it back for the next release.

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2014-10-09 15:15:17 -07:00
Michael Crosby 4eb812e042 Merge pull request #8457 from jfrazelle/pr_8455
Check /etc/resolv.conf every time for 127.* content
2014-10-08 16:21:14 -07:00
Jessica Frazelle dbe6c6651e cleanup resolve.conf code
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-08 15:15:51 -07:00
Michael Crosby 0486bd022e Merge pull request #8450 from dqminh/fix-proxy-exit
dont close proxy's stdout/stderr prematurely
2014-10-08 14:20:33 -07:00
Brian Goff c985302c5c Fixes re-creating volume on (re)start
When a container is restarted all the volume configs are parsed again.
Even if the volume was already handled in a previous start it was still
calling "FindOrCreateVolume" on the volume repo causing a new volume to
be created.

This wasn't being detected because as part of the mount initialization
it checks to see if the the _mount_ was already initialized, but this
happens after the parsing of the configs.
So a check is added during parsing to skip a volume which was already
created for that container.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2014-10-08 16:25:51 -04:00
Daniel, Dao Quang Minh 3b9d88210e pass extra file to child process as status handler
When stdout/stderr is closed prematurely, the proxy's writes to stdout/stderr
(i.e. `log.Errorf/log.Printf`) will returns with EPIPE error, and go runtime
will terminate the proxy when stdout/stderr writes trigger 10 EPIPE errors.

instead of using stdout/stderr as the status handler, we pass an extra file to
the child process and write `0\n` or `1\nerror message` to it and close it
after. This allow the child process to handle stdout/stderr as normal.

Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
2014-10-08 12:53:43 -04:00
Jessica Frazelle acd511786e Test for check /etc/resolv.conf on every docker run for 127.* content.
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-07 16:51:51 -07:00
Alexandr Morozov a650ab7f29 Merge pull request #8409 from unclejack/integcli_lint
integcli: lint fixes
2014-10-06 14:32:08 -07:00
unclejack c0e632246d integcli: lint fixes
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-10-06 23:15:17 +03:00
Brian Goff e95b6fb648 Fix #8398 - volumes copying data unexpectedly
Prior to the volumes re-factor, data was not being copied on
volumes-from or host-mounted volumes.
After the re-factor, data was being copied for volumes-from.
This reverts this unintentional change in behavior.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2014-10-06 14:21:46 -04:00
Andrea Luzzardi 84d9fd37b0 Merge pull request #8392 from jfrazelle/pr_8389
Invalid mount mode for volumes in
2014-10-03 17:22:21 -07:00
Jessica Frazelle b10b458b6e Add test for invalid mount mode for volumes in.
Closes #8389.

Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-10-03 16:17:51 -07:00
Brian Goff 007b4f6340 Fixes bad validMountMode check
Needed to check if the mode was invalid and return error, not valid and
return error.

This didn't get picked up because the existing integration-cli tests
were all either expecting errors when a valid mode was passed in (e.g.
"ro" passed in, we expected an error because it was testing write).  So
modified a test which was testing for "rw" to actually pass in "rw"
instead of assuming the "rw"

Docker-DCO-1.1-Signed-off-by: Brian Goff <bgoff@cpuguy83-mbp.home> (github: cpuguy83)
2014-10-03 16:55:39 -04:00
Andrea Luzzardi b669025949 Stable MAC addresses: Add support for MAC address restoring.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2014-10-03 13:46:24 -07:00
Andrea Luzzardi a487593729 Stable Networking: Keep the same network settings across container restarts.
This change will allocate network settings (IP and public ports) at
container creation rather than start and keep them throughout the
lifetime of the container (i.e. until it gets destroyed) instead of
discarding them when the container is stopped.

Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
2014-10-03 13:46:24 -07:00
Brian Goff 882223c0f8 Fix #8259 - Can't reuse symlink'd bindmount
volumes.Get was not checking for symlinked paths meanwhile when adding a
new volume it was following the symlink.
So when trying to use a bind-mount that is a symlink, the volume is
added with the correct path, but when another container tries to use the
same volume it got a "Volume exists" error because volumes.Get returned
nil and as such attempted to create a new volume.

Docker-DCO-1.1-Signed-off-by: Brian Goff <cpuguy83@gmail.com> (github: cpuguy83)
2014-09-26 14:36:44 -04:00
Michael Crosby 0bb5f98731 Merge pull request #8233 from tiborvass/pr-7658
Fix Interactive container hangs when redirecting stdout
2014-09-26 11:31:29 -07:00
Tibor Vass 29a62ceefc Add DockerCli tests
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-09-25 20:58:43 +02:00
Victor Vieux 857b739e29 Merge pull request #8208 from estesp/7851-fix-hostname-fqdn
Provide full hostname with domainname to underlying container layer
2014-09-25 11:33:50 -07:00
Phil Estes 5239ba3d06 Provide full hostname with domainname to underlying container layer
Addresses #7851

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2014-09-25 09:23:39 -04:00
unclejack f2fad5c290 Merge pull request #8173 from crosbymichael/update-mem-limit
Update memory limit for container
2014-09-24 20:55:25 +03:00
Michael Crosby 9b755412ab Update memory limit for container
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-09-22 21:41:14 +00:00
Alexandr Morozov 652cd6a842 Test on execdriver dir behavior
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-22 22:49:21 +04:00
Brian Goff 45407cf00a Split volumes out from daemon
Docker-DCO-1.1-Signed-off-by: Brian Goff <cpuguy83@gmail.com> (github: cpuguy83)
2014-09-19 17:47:47 -05:00
Alexandr Morozov aa536b27a7 Use prefix naming for docker_cli_run_test.go
Signed-off-by: Alexandr Morozov <lk4d4@docker.com>
2014-09-19 21:56:24 +04:00
Jessica Frazelle 42dafe4bd8 test for panic on daemon restart
Docker-DCO-1.1-Signed-off-by: Jessica Frazelle <jess@docker.com> (github: jfrazelle)
2014-09-18 21:54:42 +00:00
Tim Hockin 68e48b65a6 Allow extra lines in /etc/hosts
This adds a --add-host host:ip flag which appends lines to /etc/hosts.  This is needed in places where you want the container to get a different name resolution than it would through DNS.  This was submitted before as #5525, closed, and now I am re-opening.  It has come up 2 or 3 times in the last couple days.

Signed-off-by: Tim Hockin <thockin@google.com>
2014-09-16 23:38:23 +00:00
Brian Goff 0a3211f131 Fix #7792 - Order mounts
Docker-DCO-1.1-Signed-off-by: Brian Goff <cpuguy83@gmail.com> (github: cpuguy83)
2014-09-16 14:51:06 -07:00
Alexandr Morozov 00fd008170 Merge pull request #8062 from vishh/run_in_phase2
Add support for 'docker exec' - phase 2
2014-09-16 23:56:12 +04:00
Vishnu Kannan d980589de6 Adding integration tests for docker exec feature.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-09-15 16:59:59 +00:00
Erik Hollensbe 09b700288e Allow /etc/hosts and /etc/resolv.conf to be updated both outside and
inside the container.

Docker-DCO-1.1-Signed-off-by: Erik Hollensbe <github@hollensbe.org> (github: erikh)
2014-09-13 11:27:34 -07:00
Michael Crosby a96811272a Merge pull request #7934 from LK4D4/fix_double_allocation
Fix error propagation from userland-proxy
2014-09-12 11:39:10 -07:00
unclejack 3ec564bfda integ-cli: better debug output for run & import
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-09-12 16:51:21 +03:00
Alexandr Morozov 41e9e93e27 Fix my own comments from #7927
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-12 10:05:07 +04:00
Tibor Vass 3109fc9537 Add Test for port allocation bug (port already in use by other programs than docker)
Signed-off-by: Tibor Vass <teabee89@gmail.com>
2014-09-12 09:51:14 +04:00
Alexandr Morozov 2e7cf6b0ce Deallocate port before trying to delete iptables chain
Fixes #7954
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-10 00:40:46 +04:00
unclejack 05a76477e6 integ-cli: increase verbosity for mem & cpu test
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-09-08 20:46:45 +03:00
Alexandr Morozov ba24820284 Don't initialize network for 'none' mode
Fixes #7837

Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-04 09:50:58 +04:00
Michael Crosby c0a5ec75c5 Add more error info to TestDockerRunEchoStdoutWithMemoryLimit
This test fails on my CI server often so we need more info when it does
happen with this test.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2014-09-01 17:09:52 -07:00
Alexandr Morozov 195cee9983
Move TestRunCidFileCheckIDLength to integration-cli
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-01 20:15:20 +04:00
Alexandr Morozov 8892320835
Move TestRunCidFileCleanupIfEmpty to integration-cli
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-09-01 19:55:39 +04:00
Alexandr Morozov 3c984a6d15
Add logDone logs where it's missing
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-28 09:25:57 +04:00
Michael Crosby 2a5e29adc6 Merge pull request #7677 from erikh/update_hosts_linked_containers
Update /etc/hosts when linked container is restarted
2014-08-27 19:54:09 -07:00
Michael Crosby 77eefbc688 Merge pull request #7672 from cpuguy83/cleanup_volumes_from
Cleanup: applyVolumesFrom
2014-08-27 19:43:16 -07:00
Victor Vieux 450740c891 Update /etc/hosts when linked container is restarted
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-08-27 18:23:41 -07:00
Victor Vieux 5b27fbc0e2 move TestEntrypoint & TestBindMounts
Signed-off-by: Victor Vieux <vieux@docker.com>
2014-08-28 00:25:10 +00:00
Brian Goff 7495fbc0e3 Cleanup: applyVolumesFrom
Docker-DCO-1.1-Signed-off-by: Brian Goff <cpuguy83@gmail.com> (github: cpuguy83)
2014-08-26 20:52:58 -04:00
Alexandr Morozov 17b95ecb08
Handle error from GetDevice early
Also more verbose error.

Fixes panic from #7701

Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-24 14:09:30 +04:00
Victor Vieux fc39f9c78d add tests
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-08-19 17:06:17 +00:00
Alexandr Morozov c19e0fe7e2
Move TestRunExit to integration-cli
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-12 13:40:14 +04:00
Alexandr Morozov a44f065f17
Move TestRunWorkdirExistsAndIsFile to integration-cli
Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com>
2014-08-12 12:22:25 +04:00
Michael Crosby 01022a305d Merge pull request #7405 from LK4D4/indicate_run_volume_test_pass
Print about "copy volume content" test passing
2014-08-07 15:09:41 -07:00
LK4D4 825ca10dfd Print about "copy volume content" test passing
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-08-04 21:27:28 +04:00
Alexandr Morozov aa2d6dbc0c Inherit Cmd only if no --entrypoint specified on run
Fixes #5147
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-08-04 21:17:37 +04:00
Michael Crosby 5d2a62d8de Merge pull request #7295 from vishh/rbind
Make lxc driver rbind all user specified mounts.
2014-08-01 10:25:45 -07:00
Tianon Gravi 8ea7242250 Update TestEnvironment to explicitly set "HOME" to be empty so it gets autofilled
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-07-31 12:46:41 -06:00
Tianon Gravi 57b9467f45 Add support for autodetected HOME from USER (if HOME is unset)
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-07-31 12:46:36 -06:00
Vishnu Kannan 3e1c1567ea Add a cli integration test for recursive bind mounting.
Docker-DCO-1.1-Signed-off-by: Vishnu Kannan <vishnuk@google.com> (github: vishh)
2014-07-30 02:23:24 +00:00
Victor Vieux b3ee9ac74e update go import path and libcontainer
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-24 22:19:50 +00:00
LK4D4 e88487b321 Move TestCopyVolumeContent to integration-cli
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-07-19 12:42:27 +04:00
LK4D4 9a7c5be7d1 Move TestCopyVolumeUidGid to integration-cli
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-07-19 12:42:27 +04:00
Alexandr Morozov 4162309d11 Tests on container state changing
It could catch error that was fixed in #6954
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-07-18 21:51:55 +04:00
Victor Vieux 5948b105e7 Merge pull request #7083 from mheon/6983_bugfix
Fix Panic with -t and -a stderr
2014-07-17 18:41:24 -07:00
Matthew Heon 1476f295ac Bugfix: only use io.Copy in hijack if attaching both stdout and stderr
Add regression tests to ensure issue is fixed.

Docker-DCO-1.1-Signed-off-by: Matt Heon <mheon@redhat.com> (github: mheon)
2014-07-17 13:47:33 -04:00
unclejack be8cea9856 don't allow links to be used with --net=host
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-07-17 00:32:24 +03:00
Michael Crosby 7c19499c63 Allow case insensitive caps for add and drop
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-07-16 11:47:55 -07:00
Victor Vieux c04230c42b add check for invalid caps
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Victor Vieux 064b5f870d support add and drop in both order
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Victor Vieux 222a6f4401 add basic support for 'all'
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Victor Vieux 8344b6d736 fix job and add tests
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-07-11 23:43:21 +00:00
Timothy e855c4b921 Add --device flag to allow additional host devices in container
We add a --device flag which can be used like:

 docker run --device /dev/sda:/dev/xvda:rwm ubuntu /bin/bash

To allow the container to have read write permissions to access the host's /dev/sda via a node named /dev/xvda in the container.

Note: Much of this code was written by Dinesh Subhraveti dineshs@altiscale.com (github: dineshs-altiscale) and so he deserves a ton of credit.

Docker-DCO-1.1-Signed-off-by: Timothy <timothyhobbs@seznam.cz> (github: timthelion)
2014-07-10 10:35:53 -07:00
Fabio Falci 804b00cd7d Relax dns search to accept empty domain
In that case /etc/resolv.conf will be generated with no search
option. Usage: --dns-search=.

Docker-DCO-1.1-Signed-off-by: Fabio Falci <fabiofalci@gmail.com> (github: fabiofalci)
2014-07-04 09:33:53 +01:00
unclejack 38b005ec69 integcli: add test to ensure -v /:/ isn't allowed
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-06-27 19:51:24 +03:00
Michael Crosby e39b8eade1 Allow / as source of -v
We discussed this at the docker plumbers meetup and for tools and
working on the system for things like boot2docker and coreos this is
needed.  You can already bypass this check so we felt it is ok to start
allowing this feature.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@docker.com> (github: crosbymichael)
2014-06-26 10:50:18 -07:00
Tibor Vass baacc7006b add integration test for --workdir=/
Docker-DCO-1.1-Signed-off-by: Tibor Vass <teabee89@gmail.com> (github: tiborvass)
2014-06-25 11:02:59 -04:00
Tibor Vass 385c9b1a08 fix bug in FollowSymlinkInScope when link == root
Docker-DCO-1.1-Signed-off-by: Tibor Vass <teabee89@gmail.com> (github: tiborvass)
2014-06-25 11:02:59 -04:00
Tibor Vass def86d0cf4 rename TestVolumeWithSymlink to TestCreateVolumeWithSymlink and remove run_tests folder
Docker-DCO-1.1-Signed-off-by: Tibor Vass <teabee89@gmail.com> (github: tiborvass)
2014-06-18 15:51:27 -04:00
Tibor Vass c4c92e66cd add integration test
Docker-DCO-1.1-Signed-off-by: Tibor Vass <teabee89@gmail.com> (github: tiborvass)
2014-06-18 15:50:39 -04:00
LK4D4 f08cd445b0 Fix go vet errors
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)

Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-18 17:39:57 +00:00
Victor Vieux 9494643bf1 add test
Docker-DCO-1.1-Signed-off-by: Victor Vieux <vieux@docker.com> (github: vieux)
2014-06-12 19:11:51 +00:00
Michael Crosby 41f7cef2bd Add SYS_CHROOT cap to unprivileged containers
Fixes #6103
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-06-02 18:23:47 -07:00
Timothy Hobbs 608702b980 Refactor device handling code
We now have one place that keeps track of (most) devices that are allowed and created within the container.  That place is pkg/libcontainer/devices/devices.go

This fixes several inconsistencies between which devices were created in the lxc backend and the native backend.  It also fixes inconsistencies between wich devices were created and which were allowed.  For example, /dev/full was being created but it was not allowed within the cgroup.  It also declares the file modes and permissions of the default devices, rather than copying them from the host.  This is in line with docker's philosphy of not being host dependent.

Docker-DCO-1.1-Signed-off-by: Timothy Hobbs <timothyhobbs@seznam.cz> (github: https://github.com/timthelion)
2014-05-30 19:21:29 +00:00
Michael Crosby 2487237937 Update ip test to parse new output
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 13:22:01 -07:00
Michael Crosby 581e8e8918 Update integration tests with --net flag
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-23 11:31:01 -07:00
Brandon Philips 61ac745d7a integration-cli: fix spelling error in test
Docker-DCO-1.1-Signed-off-by: Brandon Philips <brandon.philips@coreos.com> (github: philips)
2014-05-21 15:20:29 -07:00
Alexandr Morozov 72d1e40c4a Check uid ranges
Fixes #5647
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-05-18 20:49:08 +04:00
Michael Crosby adbe3096e8 Add cpuset cpus support for docker
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-05-13 18:17:12 -07:00
Jérôme Petazzoni 1c4202a614 Mount /proc and /sys read-only, except in privileged containers.
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.

This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.

Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.

All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.

Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
2014-05-01 15:26:58 -07:00
Michael Crosby e88ef454b7 Merge pull request #5464 from tianon/close-leftover-fds 2014-04-30 12:27:52 -07:00
Tianon Gravi d5d62ff955 Close extraneous file descriptors in containers
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)

Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-29 16:45:28 -06:00
Tibor Vass e9a42a45bf Fixes #5152 : symlink in volume path
Docker-DCO-1.1-Signed-off-by: Tibor Vass <teabee89@gmail.com> (github: tiborvass)
2014-04-28 13:18:12 -07:00
Michael Crosby 90678b3133 Update create with apparmor import
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 81e5026a6a No not mount sysfs by default for non privilged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 296fcf331f Port privileged tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 03:20:17 +00:00
Michael Crosby caad45d0ed Port networking tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 03:12:27 +00:00
Michael Crosby 47510bd6eb Port environment test
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:53:08 +00:00
Michael Crosby e2ed4b9077 Port user tests and concurrent tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:47:39 +00:00
Michael Crosby 03993eb534 Port volumes and exit code tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:34:10 +00:00
Michael Crosby 76a19bb3a9 Add test verify container ID
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 01:58:20 +00:00
Michael Crosby af9746412b Move volumesfrom to hostconfig
This also migrates the volumes from integration tests into the new cli
integration test framework.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-08 21:45:06 +00:00
Michael Crosby b6042f252d Ensure that ro mounts are remounted
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-07 18:23:22 -07:00
Alexander Larsson bd94f84ded Fix --volumes-from mount failure
As explained in https://github.com/dotcloud/docker/issues/4979
--volumes-from fails with ENOFILE errors.

This is because the code tries to look at the "from" volume without
ensuring that it is mounted yet. We fix this by mounting the containers
before stating in it.

Also includes a regression test.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-03 19:33:20 +02:00
Michael Crosby 904bf049c1 Force abs paths for host volumes
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-31 19:10:19 +00:00
Michael Crosby 28015f8e57 Add integration test for volumes-from as file
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-31 17:42:34 +00:00
unclejack 6db32fdefd initial version of cli integration tests
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-03-29 23:09:40 +02:00