This vendors in new spec/runc that supports
setting readonly and masked paths in the
configuration. Using this allows us to make an
exception for `--privileged`.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Also modify an integration test that hardcoded the error string so it
uses the exported error variable from libcontainer/user.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Existing tests assume that the entrypoint in a docker run command will be
split into multiple arguments, which is inconsistent with Linux. Fix the
tests depending on this behavior.
Signed-off-by: John Starks <jostarks@microsoft.com>
Fix unmount issues in the daemon crash and restart lifecycle, w.r.t
graph drivers. This change sets a live container RWLayer's activity
count to 1, so that the RWLayer is aware of the mount. Note that
containerd has experimental support for restoring live containers.
Added/updated corresponding tests.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
The current error message is "Error: image [name] not found". This makes
sense from the perspective of the v1 pull, since we found the repository
doesn't exist over the v1 protocol. However, in the vast majority of
cases, this error will be produced by fallback situations, where we
first try to pull the tag with the v2 protocol, and then fall back to the
v1 protocol, which probably isn't even supported by the server.
Including the tag in the error message makes a lot more sense since the
actual repository may exist on v2, but not the tag.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Currently the Docker authorization framework does not use any user
information, which is already available in the Docker context for TLS
connection.
The purpose of this CR is to complete the existing authz work by adding
the basic client certificate details (SUBJECT_NAME) and authentication
method (TLS) to the authz request.
We think this should be the default behavior when no extended
authorization module is specified (currently WIP under #20883).
Signed-off-by: Liron Levin <liron@twistlock.com>
This change includes filters `name` and `driver`,
and also updates related docs to reflect that filter usage.
Closes: #21243
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
This fix tries to fix issues encountered when running a container with a hostname
that is longer than HOST_NAME_MAX(64).
Previously, `could not synchronise with container process` was generated as the
length of the regex check was missing.
This fix covers the length check so that a hostname that is longer than
HOST_NAME_MAX(64) will be given a correct error message.
Several unit test cases and additional integration test cases are added as well.
This fix closes #21445.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Instead of implementing refcounts at each graphdriver, implement this in
the layer package which is what the engine actually interacts with now.
This means interacting directly with the graphdriver is no longer
explicitly safe with regard to Get/Put calls being refcounted.
In addition, with containerd, layers may still be mounted after
a daemon restart since we will no longer explicitly kill containers when
we shut down or start up the engine.
Because of this, ref counts would need to be repopulated.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>