docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
22,226 Commits 21 Branches 28 Tags 816 MiB
Commit Graph

494 Commits

Author SHA1 Message Date
Victor Vieux 99a396902f fix common misspell 
Signed-off-by: Victor Vieux <vieux@docker.com>
 2016-02-11 15:49:36 -08:00
David Calavera dfebb6074f Merge pull request #20210 from Microsoft/jjh/hcswin32-v2 
Windows: Revendor HCS to use revised error scheme
 2016-02-10 17:20:14 -08:00
John Howard 54263a9393 Windows: Use new error code mechanism from HCS 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2016-02-10 14:48:24 -08:00
John Howard d4b0732499 Windows: Fix 'isolation' 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2016-02-10 13:19:19 -08:00
John Howard 7853193edb Windows CI: Another reliability fix 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2016-02-10 11:07:29 -08:00
Dan Walsh ba38d58659 Make mqueue container specific 
mqueue can not be mounted on the host os and then shared into the container.
There is only one mqueue per mount namespace, so current code ends up leaking
the /dev/mqueue from the host into ALL containers.  Since SELinux changes the
label of the mqueue, only the last container is able to use the mqueue, all
other containers will get a permission denied.  If you don't have SELinux protections
sharing of the /dev/mqueue allows one container to interact in potentially hostile
ways with other containers.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
 2016-02-05 16:50:35 +01:00
Tonis Tiigi b9a395c85d Remove case sensitive duplicate dir in vendor 
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
 2016-02-03 13:06:32 -08:00
John Howard 14c53160d7 Windows CI: One more reliability hack 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2016-02-02 13:15:35 -08:00
John Howard 6f0831930f Windows CI: Re-do TP4 CI reliability hack 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2016-02-02 09:36:18 -08:00
Brian Goff a39ad952ec Merge pull request #19889 from Microsoft/jjh/reliabilitytake2 
Windows CI: TP4 reliability hack
 2016-02-01 22:30:51 -05:00
John Howard 2ebcb48cf1 Windows CI: TP4 reliability hack 
Signed-off-by: John Howard <jhoward@microsoft.com>
 2016-02-01 18:02:57 -08:00
Fangyuan Gao 5d07d83ee0 remove the unused Info interface in daemon/execdriver/driver.go and related code 
Signed-off-by: Fangyuan Gao <21551127@zju.edu.cn>
 2016-02-02 09:04:52 +08:00
Joey Geiger 318b4f0b5f Fix typos in create.go 
There were a few spelling issues that I noticed when reading about shared mounts.

Signed-off-by: jgeiger <joey.geiger@irco.com>
 2016-01-28 14:08:11 -07:00
Arnaud Porterie 3a70ab3a2c Merge pull request #19688 from crosbymichael/tmpfs-tar 
Remove tar copy-up for tmpfs mounts
 2016-01-26 17:03:07 -08:00
Michael Crosby ae8ec4860e Move tar copy-up for tmpfs mounts 
We cannot rely on the tar command for this type of operation because tar
versions, flags, and functionality can very from distro to distro.
Since this is in the container execution path it is not safe to have
this as a dependency from dockers POV where the user cannot change the
fact that docker is adding these pre and post mount commands.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
 2016-01-26 14:00:39 -08:00
Aleksa Sarai 4357ed4a73 *: purge dockerinit from source code 
dockerinit has been around for a very long time. It was originally used
as a way for us to do configuration for LXC containers once the
container had started. LXC is no longer supported, and /.dockerinit has
been dead code for quite a while. This removes all code and references
in code to dockerinit.

Signed-off-by: Aleksa Sarai <asarai@suse.com>
 2016-01-26 23:47:02 +11:00
Jessica Frazelle bed0bb7d01
move default seccomp profile into package 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-21 16:55:29 -08:00
Jessica Frazelle 35e50119fc
move default apparmor policy into package 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-21 16:55:27 -08:00
Phil Estes 3233f45609 Merge pull request #19263 from jfrazelle/update-aa-parser 
refactor aaparser pkg, add unit tests
 2016-01-21 19:40:53 -05:00
Jessica Frazelle 308eff99e8
add send, recv, and x32 so we can install i386 pkgs on amd64 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-18 19:24:01 -08:00
Jessica Frazelle 446f498eba
refactor aaparser pkg, add unit tests 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-13 08:43:12 -08:00
Jessica Frazelle 062d0b3921
read seccomp profile locally then pass to daemon 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-12 13:12:29 -08:00
Jess Frazelle a96a0b3781 Merge pull request #19217 from justincormack/arm_syscalls 
Add arm specific syscalls to default seccomp profile
 2016-01-11 15:26:09 -08:00
Jess Frazelle 9c9a1d1b4b Merge pull request #19069 from jfrazelle/apparmor-regex-proc 
fix proc regex
 2016-01-11 13:50:25 -08:00
Sebastiaan van Stijn 967acd56c1 Merge pull request #18512 from euank/18510-fixOomKilled 
Set OOMKilled state on any OOM event
 2016-01-11 00:09:26 +01:00
Justin Cormack 37d35f3c28 Add arm specific syscalls to default seccomp profile 
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-10 19:55:24 +00:00
Justin Cormack 13a9d4e899 Add i386 specific modify_ldt syscall to default seccomp filter 
This syscall is used by Go on i386 binaries, although not by libc.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-10 12:00:11 +00:00
Jess Frazelle 938d28e772 Merge pull request #19144 from LK4D4/fix_parent_systemd 
Choose default-cgroup parent by cgroup driver
 2016-01-07 10:24:51 -08:00
Alexander Morozov c1cd45d547 Choose default-cgroup parent by cgroup driver 
It's "/docker" for cgroupfs and "system.slice" for systemd.

Fix #19140

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
 2016-01-07 08:56:26 -08:00
David Calavera 907407d0b2 Modify import paths to point to the new engine-api package. 
Signed-off-by: David Calavera <david.calavera@gmail.com>
 2016-01-06 19:48:59 -05:00
David Calavera 4ee3048fa8 Merge pull request #19110 from brahmaroutu/update_openc 
update runc to the latest code base to fix gccgo builds
 2016-01-06 15:09:11 -08:00
Jessica Frazelle 2b4f64e590
fix proc regex 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-06 10:08:35 -08:00
Srini Brahmaroutu 9982631707 update runc to the latest code base to fix gccgo build 
Signed-off-by: Srini Brahmaroutu <srbrahma@us.ibm.com>
 2016-01-06 00:02:56 +00:00
Justin Cormack 822c4f79ab
Allow the waitpid syscall 
This version is sometimes used eg by glibc on x86

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-05 09:29:16 -08:00
Justin Cormack ca3ae72e43
Support compatible architectures with default seccomp rules 
In the default seccomp rule, allow use of 32 bit syscalls on
64 bit architectures, so you can run x86 Linux images on x86_64
without disabling seccomp or using a custom rule.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-05 09:28:42 -08:00
Justin Cormack d8e06d54cf
Allow sigreturn syscall 
This is used on some 32 bit architectures, eg x86

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-04 16:11:59 -08:00
Justin Cormack 923609179b
Add _llseek syscall 
This is the newer verion of lseek on many 32 bit platforms

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-04 11:55:28 -08:00
Justin Cormack d6a9c5abed
Do not allow obsolete syscalls 
sysfs and ustat syscalls are marked obsolete.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-04 11:55:28 -08:00
Justin Cormack c1b57fc1c9
Do not allow name_to_handle_at, as we have already blocked open_by_handle_at 
Being able to obtain a file handle is no use as we cannot perform
any operation in it, and it may leak kernel state.

Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
 2016-01-04 11:55:27 -08:00
Jessica Frazelle a1747b3cc8
add 32bit syscalls to whitelist 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-04 11:55:26 -08:00
Jessica Frazelle 17735c3c98
change seccomp blacklist to whitelist 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2016-01-04 11:55:21 -08:00
Lukas Waslowski 9a03967f0a Fix declarations of of execdriver/native.NewDriver to have the same signature. 
This change is done so that driver_unsupported.go and driver_unsupported_nocgo.go
declare the same signature for NewDriver as driver.go.

Fixes #19032

Signed-off-by: Lukas Waslowski <cr7pt0gr4ph7@gmail.com>
 2016-01-02 19:55:37 +01:00
Jess Frazelle abc695d9d5 Merge pull request #18974 from jfrazelle/remove-seccomp-from-seccomp-profile 
remove seccomp from seccomp profile
 2015-12-29 13:15:14 -08:00
Arnaud Porterie a81e438544 Merge pull request #18969 from justincormack/vm86 
Block vm86 syscalls in default seccomp profile
 2015-12-29 11:57:35 -08:00
Arnaud Porterie 2307f47fdd Merge pull request #18972 from justincormack/bpf 
Block bpf syscall from default seccomp profile
 2015-12-29 11:57:07 -08:00
Arnaud Porterie e01cab1cc5 Merge pull request #18971 from justincormack/ptrace 
Block additional ptrace related syscalls in default seccomp profile
 2015-12-29 11:56:51 -08:00
Jessica Frazelle b610fc226a
remove seccomp from seccomp profile 
This can be allowed because it should only restrict more per the seccomp docs, and multiple apps use it today.

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
 2015-12-29 11:21:33 -08:00
Arnaud Porterie 94e0760868 Merge pull request #18947 from jfrazelle/fix-seccomp-unsupported 
fix default profile where unsupported
 2015-12-29 10:21:07 -08:00
Arnaud Porterie afdc4747dc Merge pull request #18953 from justincormack/robust_list 
Allow use of robust list syscalls in default seccomp policy
 2015-12-29 10:19:41 -08:00
Arnaud Porterie a32b06b067 Merge pull request #18956 from justincormack/umount 
Block original umount syscall in default seccomp filter
 2015-12-29 10:19:04 -08:00