This change will allow us to run SELinux in a container with
BTRFS back end. We continue to work on fixing the kernel/BTRFS
but this change will allow SELinux Security separation on BTRFS.
It basically relabels the content on container creation.
Just relabling -init directory in BTRFS use case. Everything looks like it
works. I don't believe tar/achive stores the SELinux labels, so we are good
as far as docker commit.
Tested Speed on startup with BTRFS on top of loopback directory. BTRFS
not on loopback should get even better perfomance on startup time. The
more inodes inside of the container image will increase the relabel time.
This patch will give people who care more about security the option of
runnin BTRFS with SELinux. Those who don't want to take the slow down
can disable SELinux either in individual containers or for all containers
by continuing to disable SELinux in the daemon.
Without relabel:
> time docker run --security-opt label:disable fedora echo test
test
real 0m0.918s
user 0m0.009s
sys 0m0.026s
With Relabel
test
real 0m1.942s
user 0m0.007s
sys 0m0.030s
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
The docker run commands in these tests uses the -m flag,
so the tests should require that it's supported to run.
Fixes 17215 (maybe)
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
- Logic is broken when gateway ip falls in ip-range
and ip-range is not the first block in the network
Signed-off-by: Alessandro Boch <aboch@docker.com>
Closes#17781
This allows for env vars in EXPOSE to be parsed for spaces so that each
"word" is then treated independently instead of as a single word/arg.
Signed-off-by: Doug Davis <dug@us.ibm.com>
So we don't print those <no value> in the client and we don't fail
executing inspect templates with API field names.
Make sure those fields are initialized as empty slices when
a container is loaded from disk and their values are nil.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Container has private network namespace can not to connect to host
and container with host network can not be disconnected from host.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
Since --exec-driver flag has been removed, we don't need environment
DOCKER_EXECDRIVER in integration-cli and Makefile any more.
Signed-off-by: Lei Jitang <leijiang@huawei.com>
This patch adds the ability to run `docker stats` w/o arguments and get
statistics for all running containers by default. Also add a new
`--all` flag to list statistics for all containers (like `docker ps`).
New running containers are added to the list as they show up also.
Add integration tests for this new behavior.
Docs updated accordingly. Fix missing stuff in man/commandline
reference for `docker stats`.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Fixes#17290
Fixes following issues:
- Cache checksums turning off while walking a broken symlink.
- Cache checksums were taken from symlinks while targets were actually copied.
- Copying a symlink pointing to a file to a directory used the basename of the target as a destination basename, instead of basename of the symlink.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
The LXC driver was deprecated in Docker 1.8.
Following the deprecation rules, we can remove a deprecated feature
after two major releases. LXC won't be supported anymore starting on Docker 1.10.
Signed-off-by: David Calavera <david.calavera@gmail.com>
This commit makes `docker network inspect` print container names as
service discovery is based on container name.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
The purpose of this PR is for users to distinguish Docker errors from
contained command errors.
This PR modifies 'docker run' exit codes to follow the chroot standard
for exit codes.
Exit status:
125 if 'docker run' itself fails
126 if contained command cannot be invoked
127 if contained command cannot be found
the exit status otherwise
Signed-off-by: Sally O'Malley <somalley@redhat.com>
This updates the vendored docker/distribution to the current master
branch.
Note the following changes:
- The manifest package was split into manifest/schema1. Most references
to the manifest package in the engine needed to be updated to use
schema1 instead.
- Validation functions in api/v2 were replaced by the
distribution/reference package. The engine code has been updated to
use the reference package for validation where necessary. A future PR
will change the engine to use the types defined in
distribution/reference more comprehensively.
- The reference package explicitly allows double _ characters in
repository names. registry_test.go was updated for this.
- TestPullFailsWithAlteredManifest was corrupting the manifest JSON, now
that the schema1 package unmarshals the correct payload. The test is
being changed to modify the JSON without affecting its length, which
allows the pull to succeed to the point where digest validation
happens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
- On `docker run --net <network id> ...`
the bug would cause the container to attempt
to connect to the network two times
- Also made sure endpoint creation rollback will
be executed on failures in `func (container *Container) connectToNetwork()`
Signed-off-by: Alessandro Boch <aboch@docker.com>
removed the if/else statements and added c.Assert statements for docker_api_create_test.go.
Removed check.commentf in c.Assert statements
Signed-off-by: Zuhayr Elahi <elahi.zuhayr@gmail.com>
The `d.root` dir is resolved to the full path to the graph dir after the
daemon starts, but on restart, should be set back to the parent (without
the "<uid>.<gid>" ending) so that it uses/resolves to the same graphdir
on restart.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
- As the retrieved info may not be available at
Endpoint creation time for certain network drivers
- Also retrieve the MAC address from Endpoint.Info().Iface()
Signed-off-by: Alessandro Boch <aboch@docker.com>
When an image has multiple tags and rmi is called with force on a tag, only the single tag should be removed.
The current behavior is broken and removes all tags and the image.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
This reverts commit d5cd032a86.
Commit caused issues on systems with case-insensitive filesystems.
Revert for now
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- Move autogen/dockerversion to version
- Update autogen and "builds" to use this package and a build flag
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
--cluster-advertise daemon option is enahanced to support <interface-name>
in addition to <ip-address> in order to amke it automation friendly using
docker-machine.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
- Only user named containers will be published into
other containers' etc/hosts file.
- Also block linking to containers which are not
connected to the default network
Signed-off-by: Alessandro Boch <aboch@docker.com>
Added waitRun(containerID) statement after docker run -d and docker restart
to ensure the container is restarted before issuing a exec cmd.
Signed-off-by: Anil Belur <askb23@gmail.com>
This is done by calling waitRun() followed by the docker run, which ensures the container is loaded
before calling docker exec to obtain the env variable set previously.
Incorporated the change as suggeted by duglin.
Signed-off-by: Anil Belur <askb23@gmail.com>
- Do not execute the template directly in the cli outout, go is not atomic
in this operation and can send bytes before failing the execution.
- Fail after evaluating a raw interface if the typed execution also
failed, assuming there is a template parsing error.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Also remove unused func `newTempFile` and prevent a possible deadlock
between pull_v2 `attemptIDReuse` and graph `register`
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
To be consistent with other inspect command (on container and images),
add the possiblity to pass multiple network to the network inspect
commands.
`docker network inspect host bridge none` is possible now.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Also requires some tests to be updated which relied on behavior
of a busybox image that wasn't actually "busybox:latest"; meaning these
tests were unable to be verified/run against a real busybox:latest image
on a daemon.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Part of #16756
Use c.Assert instead of condition judgement in
integration-cli/docker_cli_start_test.go
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Instead of returning only the container ID, starting a container may
also return a warning:
"WARNING: Your kernel does not support swap
limit capabilities, memory limited without
swap.\nff6ebd9f7a8d035d17bb9a61eb9d3f0a5d563160cc43471a9d7ac9f71945d061"
The test assumes that only the container ID is returned and uses the
entire message as the name for the inspect command. To avoid the need to
parse the container ID from the output after the run command, give the
container a name and use that instead.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
This is useful for cluster systems such as swarm to sync the image
state when new images are successfully built.
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
- do existence check instead of get container
- new connect method on daemon.
- cli network disconnect integration test
Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
When running LXC dind (outer docker is started with native driver)
cgroup paths point to `/docker/CID` inside `/proc/self/mountinfo` but
these paths aren't mounted (root is wrong). This fix just discard the
cgroup dir from mountinfo and set it to root `/`.
This patch fixes/skip OOM LXC tests that were failing.
Fix#16520
Signed-off-by: Antonio Murdaca <runcom@linux.com>
Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
On LXC memory swap was only set to memory_limit*2 even if a value for
memory swap was provided. This patch fix this behavior to be the same
as the native driver and set correct memory swap in the template.
Also add a test specifically for LXC but w/o adding a new test
requirement.
Signed-off-by: Antonio Murdaca <runcom@linux.com>
introduced --subnet, --ip-range and --gateway options in docker network
command. Also, user can allocate driver specific ip-address if any using
the --aux-address option.
Supports multiple subnets per network and also sharing ip range
across networks if the network-driver and ipam-driver supports it.
Example, Bridge driver doesnt support sharing same ip range across
networks.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
* Made use of IPAM driver primitives for legacy IP configurations
* Replaced custom Generics with backend labels
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Tags and digests are kept in the same storage. We want to make sure that they are completely separated - tags are something users set and digests can only be set by pull-by-digest code path.
Reverts #14664
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Generate a hash chain involving the image configuration, layer digests,
and parent image hashes. Use the digests to compute IDs for each image
in a manifest, instead of using the remotely specified IDs.
To avoid breaking users' caches, check for images already in the graph
under old IDs, and avoid repulling an image if the version on disk under
the legacy ID ends up with the same digest that was computed from the
manifest for that image.
When a calculated ID already exists in the graph but can't be verified,
continue trying SHA256(digest) until a suitable ID is found.
"save" and "load" are not changed to use a similar scheme. "load" will
preserve the IDs present in the tar file.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
All the go-lint work forced any existing "Uid" -> "UID", but seems to
not have the same rules for Gid, so stat package has calls UID() and
Gid().
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
refactor integration-cli/docker_cli_netmode_test.go use Assert statement
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
update integration-cli/docker_cli_netmode_test.go
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
update docker_cli_netmode_test.go
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
update integration-cli/docker_cli_netmode_test.go
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
update integration-cli/docker_cli_netmode_test.go
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
update integration-cli/docker_cli_netmode_test.go
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
update integration-cli/docker_cli_netmode_test.go
part of #16756
Signed-off-by: Xiaoxu Chen <chenxiaoxu14@otcaix.iscas.ac.cn>
Vincent Demeester
David Calavera
Mohammed Aaqib Ansari
Antonio Murdaca
Dan Walsh
Tibor Vass
Alessandro Boch
Ma Shimiao
Zuhayr Elahi
Christy Perez
Tonis Tiigi
Doug Davis
Alexander Morozov
Vincent Demeester
Lei Jitang
Brian Goff
Sebastiaan van Stijn
Antonio Murdaca
Aditi Rajagopal
Santhosh Manohar
Alexander Morozov
Antonio Murdaca
Solomon Hykes
Zhang Wei
Jess Frazelle
Sally O'Malley
Zhang Kun
Doug Davis
Aaron Lehmann
Derek McGowan
Madhu Venugopal
Phil Estes
Arnaud Porterie
Donald Huang
Shijiang Wei
John Howard
Jessica Frazelle
Wen Cheng Ma
Alexandre Beslic
James Carey
Michael Crosby
Srini Brahmaroutu
Hu Keping
Federico Gimenez
liaoqingwei
Jian Zhang
weiyan
Anil Belur
Morgan Bauer
Phil Estes
Yuan Sun
Tobias Gesellchen
Zachary Jaffee
Kevin P. Kucharczyk
Zachary Jaffee
Antonio Murdaca
Hao Zhang
Mageee
Xiaoxu Chen