All other options we have use `=` as separator, labels,
log configurations, graph configurations and so on.
We should be consistent and use `=` for the security
options too.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The GCP logging driver is calling out to GCP cloud service on package
init.
This is regardless if you are using GCP logging or not.
This change makes this happen on the first invocation of a new GCP
logging driver instance instead.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Validates whether the given hostname is RFC 1123
(https://tools.ietf.org/html/rfc1123) compliant.
Fixes#20371
Signed-off-by: Andrew Guenther <guenther.andrew.j@gmail.com>
The issue of the flaky test is because when the second container
starts, the first container in the detached mode may have only
been created and not yet entering the running state. So the
port 8000 might be used by the second container first.
This fix added a check to make sure the first container is already
in running state, before the second container is invoked.
This fix fixes#21247.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Change user/group creation to use flags to adduser/useradd to enforce it
being a system user. Use system user defaults that auto-create a
matching group. These changes allow us to remove all group creation
code, and in doing so we also removed the code that finds available uid,
gid integers and use post-creation query to gather the system-generated
uid and gid.
The only added complexity is that today distros don't auto-create
subordinate ID ranges for a new ID if it is a system ID, so we now need
to handle finding a free range and then calling the `usermod` tool to
add the ranges for that ID. Note that this requires the distro supports
the `-v` and `-w` flags on `usermod` for subordinate ID range additions.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
This adds the following new syscalls that are supported in libseccomp 2.3.0,
including calls added up to kernel 4.5-rc4:
mlock2 - same as mlock but with a flag
copy_file_range - copy file contents, like splice but with reflink support.
The following are not added, and mentioned in docs:
userfaultfd - userspace page fault handling, mainly designed for process migration
The following are not added, only apply to less common architectures:
switch_endian
membarrier
breakpoint
set_tls
I plan to review the other architectures, some of which can now have seccomp
enabled in the build as they are now supported.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This fixes problems encountered when running with a remapped root (the
syscalls related to the metadata directory will fail under user
namespaces). Using 0711 rather than 0701 (which solved the problem
previously) fixes the issue.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
- cherry-pick from 1.10.3 branch: 0186f4d4223a094a050d06f456355da3ae431468
- add token service test suite
- add integration test (missing in 1.10.3 branch)
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
David Calavera
Michael Crosby
Arnaud Porterie
allencloud
Alexander Morozov
Vincent Demeester
Vivek Goyal
Thomas Gazagnaire
Brian Goff
Antonio Murdaca
Brent Salisbury
Dan Walsh
Antonio Murdaca
Zhang Wei
Andrew Guenther
Tonis Tiigi
Yong Tang
Jessica Frazelle
Sebastiaan van Stijn
Phil Estes
Justin Cormack
Alessandro Boch
Riyaz Faizullabhoy
Phil Estes
Harald Albers
Aleksa Sarai