With the latest OL7.2, selinux policy that is shipped
might not be the latest for it to work or build with
selinux policy for docker-1.12.
To be able to achieve that here is what is done:
1. Added systemd_machined policy which is part of systemd.
2. Temporarily comment out unconfined_typebounds because the
current OL7's selinux doesn't have unconfineduser selinux policy,
to include this will be too much. Will revisit this once we have
updated the selinux policy.
Fixes: #24612
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
(cherry picked from commit d6cae872c704c6cf36ee7d5c9b472e33280af202)
Signed-off-by: Tibor Vass <tibor@docker.com>
This patch allows to only release the packages that were built and are
present under the bundles/ directory instead of assuming packages exist
for all distros enumerated in the contrib/builder/ directory.
It also now adds support for armhf architecture for apt repositories.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 2ff2e9a73076b737948c68c26f26b7bda5ac7db8)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25375 where
`service update --publish-add` returns an error if the exact
same value is repeated (idempotent).
This fix use a map to filter out repeated port configs so
that `--publish-add` does not error out.
An integration test has been added.
This fix fixes 25375.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit b487497cd2d7586fd7e10affdcc514ca6b7884f6)
Signed-off-by: Tibor Vass <tibor@docker.com>
Docker 1.12 ships with an updated unit file on RPM
based distros. Users that have local modifications
to the unit file, or have a drop-in file installed
may not automatically get the updated unit file,
or get an error when starting docker.
This adds a warning to the changelog, and instructions
on how to resolve the issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 66b656684e32884b46c9abb08c874b202f6c77e8)
Signed-off-by: Tibor Vass <tibor@docker.com>
Only open_by_handle_at requires CAP_DAC_READ_SEARCH.
This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit c1ca124682a90f3306b34ad104ba80e413f7bf88)
Signed-off-by: Tibor Vass <tibor@docker.com>
In cases there are failures in task start, swarmkit might be trying to
restart the task again in the same node which might keep failing. This
creates a race where when a failed task is getting removed it might
remove the associated network while another task for the same service
or a different service but connected to the same network is proceeding
with starting the container knowing that the network is still
present. Fix this by reacting to `ErrNoSuchNetwork` error during
container start by trying to recreate the managed networks. If they
have been removed it will be recreated. If they are already present
nothing bad will happen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
(cherry picked from commit 117cef5e9766d6ba228770c225e816c6afd16ff8)
Signed-off-by: Tibor Vass <tibor@docker.com>
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.
The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.
The fedora policy is from commit
4a6ce94da5
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit 32b1f26c5111b22fe4277879c4f5e4687a6a72fc)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
(cherry picked from commit ab12ed4a5642edb4d96b54b6152f12260093f3ea)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue in 25404 where updating environmental
variable in `service update --env-add` will not work.
The issue is because `--env-add` will only append the env, not update if
the same env already exist.
This fix tracks the env variable with a map and update if the variable
is the same.
An integration test has been added.
This fix fixes 25404.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit c6de8add5fd5443aa820adbcd3c9a438df78823f)
Signed-off-by: Tibor Vass <tibor@docker.com>
Unlike `docker run -v..`, `docker service create --mount`
does not allow bind-mounting non-existing host paths.
This adds validation for the specified `source`, and
produces an error if the path is not found on the
host.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 84d5ab96ef33355e65f5c31210eb1777db372c52)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 197f23da497d3d82f30beb6d920211f6d2055fa3)
Signed-off-by: Tibor Vass <tibor@docker.com>
Fixes#25453
Signed-off-by: Dave Tucker <dt@docker.com>
(cherry picked from commit 0e1fe4516fc7af03259753f6d264e91d11fe4d1a)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit fa1b82e5ebc0e7dafe500e891c8b8c5fe5d4e1aa)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25374 where the
output of `docker ps --filter` is in random order and
not deterministic.
This fix sorts the list of containers by creation time so that the
output is deterministic.
An integration test has been added.
This fix fixes 25374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 3f971335463b99a7caedcf597ffc544845b37a21)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit b58ef479a6be7ddff79a354ee912f9dd73a9f41b)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
(cherry picked from commit 42360d164b9f25fb4b150ef066fcf57fa39559a7)
Signed-off-by: Tibor Vass <tibor@docker.com>
This is intended as a minor fix for 1.12.1 so that task creation doesn't
do unexpected things when the user supplies erroneous paths.
In particular, because we're currently using hostConfig.Binds to setup
mounts, if a user uses an absolute path for a volume mount source, or a
non-absolute path for a bind mount source, the engine will do the
opposite of what the user requested since all absolute paths are
treated as binds and all non-absolute paths are treated as named
volumes.
Fixes#25253
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 38f8b0eb10725c40fb3c7e0719accd240cd39e22)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Daniel Nephin <dnephin@docker.com>
(cherry picked from commit fcde27e6db9ccdb952a1259788404fc500995f98)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Harald Albers <github@albersweb.de>
(cherry picked from commit 46d3464362f18a1eb6d37fc51b120d0f0614653a)
Signed-off-by: Tibor Vass <tibor@docker.com>
Printing off networks as part of --pretty was missing a newline, causing
the next thing printed to be concatenated onto the end of the line.
Added an empty println after all networks are printed.
Signed-off-by: Drew Erny <drew.erny@docker.com>
(cherry picked from commit 02ebaf364ff0463c65d63fd1c3c11840a578fc45)
Signed-off-by: Tibor Vass <tibor@docker.com>
Fixes#25331
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 63983f3ffe7895fce3a75115a5bcfe8258e5654c)
Signed-off-by: Tibor Vass <tibor@docker.com>
this change improves the instructions for
swarm join-token and swarm init;
- only print the join-token command for workers
instead of for both managers and workers, to
prevent users from copying the wrong command.
An extra line is added to explain how to obtain
the manager token.
- print a message that a token was rotated
sucesfully if '--rotate' is used.
- add some extra white-space before / after
the join commands, to make copy/pasting
easier.
this change also does some refactoring of join-token;
- move flagname-constants together with other constants
- use variables for selected role ("worker" / "manager")
to prevent checking for them multiple times, and to
keep the "worker" / "manager" sting centralized
- add an extra blank line after "join-token" instructions
this makes it easier to copy, and cleans up the
code a tiny bit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ebebd4176940bc907ba4e8f5fbe62f6a050f8ed4)
Signed-off-by: Tibor Vass <tibor@docker.com>
On daemon restart the local volume driver will read options that it
persisted to disk, however it was reading an incorrect path, causing
volume options to be silently ignored after a daemon restart.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit c560dd968600ebc9c1ff78f256ee93a6ded9a728)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25195 where external
CA configurations are not present in `docker info`.
This fix adds the output of external CAs in `docker info` in swarm
mode.
The test is done manually with:
```
docker run -p 8888:8888 -e CXFSSL_ADDRESS=0.0.0.0 -d fabric8/cfssl
docker swarm init --external-ca protocol=cfssl,url=http://172.17.0.2:8888
```
The `docker info` output:
```
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot interval: 10000
Heartbeat tick: 1
Election tick: 3
Dispatcher:
Heartbeat period: 5 seconds
CA configuration:
Expiry duration: 3 months
External CAs:
cfssl: https://172.17.0.2:8888
```
This fix fixes 25195.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 995128e9ebfc1a84bbfe8765d3642f132a4f630d)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to improve error messages when IP address
autodetection fails, as is specified in 25141.
Previously, error messages only indicate that multiple IPs
exist when autodetection fails. In this fix, if one
interface consists of multiple addresses or multiple
interfaces consist of addresses, the error messages output
the address names and interface names so that end user could
take notice.
This fix is verified manually.
When multiple addresses exist on multiple interfaces:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses on different
interfaces (192.168.186.128 on ens33 and 192.168.100.199 on eth10)
- specify one with --advertise-addr
```
When multiple addresses exist on single interface:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses
on interface ens33 (192.168.186.128 and 192.168.55.199)
- specify one with --advertise-addr
```
This fix fixes 25141.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 59db01049ac6a8e54490565dc44661f780c13734)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit ab95ec3dd927d5c0c303410519f07631c8c99a4e)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
(cherry picked from commit f146f6127ce5c7a5f579b78f00bd06f68198ce0f)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f0230049f0afd318217c60ebe486aab3b54538fd)
Signed-off-by: Tibor Vass <tibor@docker.com>
Fix#25046
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
(cherry picked from commit b1e71bdd1d624e297509a62b072082524dc841fc)
Signed-off-by: Tibor Vass <tibor@docker.com>
This prevents unnecessary API call to containerd.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit b867f6c6e18f9d999ddec911a241941428777569)
Signed-off-by: Tibor Vass <tibor@docker.com>
It's too long to wait for reschedule.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
(cherry picked from commit 307b7b0d151e949024e7ab7ad276b174802a75f2)
Signed-off-by: Tibor Vass <tibor@docker.com>
update intro to say there are four things to consider
(cherry picked from commit ce2ca236db87f8f580cb29be27b4f0b5341af0ca)
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
(cherry picked from commit 7cee444f8b90d435cc3358e2f510d0614e4e02fd)
Signed-off-by: Tibor Vass <tibor@docker.com>
Add delete and update API documentation
(cherry picked from commit 2f167a760904f5cf4f6250a55aa8f735fba74594)
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
Conflicts:
docs/reference/api/docker_remote_api_v1.25.md
(cherry picked from commit ee59531352e3d98d4cc167733e0ffb99528dbd22)
Signed-off-by: Tibor Vass <tibor@docker.com>
Update example output for node inspect
(cherry picked from commit 80c49d1e5206eabf314069c262f7f643adf021e1)
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
(cherry picked from commit adf552821a35361b5c975189d6fd5c26f700e86a)
Signed-off-by: Tibor Vass <tibor@docker.com>
Thomas Tanaka
Tibor Vass
Yong Tang
Sebastiaan van Stijn
Madhu Venugopal
Justin Cormack
Jana Radhakrishnan
Michael Crosby
Dieter Reuter
Victor Vieux
Diogo Monica
Harald Albers
Dave Tucker
Kenfe-Mickael Laventure
Tonis Tiigi
Steve Durrheimer
Brian Goff
Daniel Nephin
Drew Erny
Anusha Ragunathan
allencloud
Akihiro Suda
Alexander Morozov
Sebastiaan van Stijn
Sven Dowideit