diff --git a/CHANGELOG.md b/CHANGELOG.md index 45cb9057e3..6a7d3c2e19 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,28 @@ # Changelog +## 1.0.1 (2014-06-19) + +#### Notable features since 1.0.0 +* Enhance security for the LXC driver + +#### Builder +* Fix `ONBUILD` instruction passed to grandchildren + +#### Runtime +* Fix events subscription +* Fix /etc/hostname file with host networking +* Allow `-h` and `--net=none` +* Fix issue with hotplug devices in `--privileged` + +#### Client +* Fix artifacts with events +* Fix a panic with empty flags +* Fix `docker cp` on Mac OS X + +#### Miscellaneous +* Fix compilation on Mac OS X +* Fix several races + ## 1.0.0 (2014-06-09) #### Notable features since 0.12.0 diff --git a/MAINTAINERS b/MAINTAINERS index 1543c8f823..059ff79f09 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1,5 +1,4 @@ Solomon Hykes (@shykes) -Guillaume J. Charmes (@creack) Victor Vieux (@vieux) Michael Crosby (@crosbymichael) .mailmap: Tianon Gravi (@tianon) diff --git a/README.md b/README.md index c965efafe8..608e638eab 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,13 @@ It benefits directly from the experience accumulated over several years of large-scale operation and support of hundreds of thousands of applications and databases. -![Docker L](docs/theme/mkdocs/img/logo_compressed.png "Docker") +![Docker L](docs/theme/mkdocs/images/docker-logo-compressed.png "Docker") + +## Security Disclosure + +Security is very important to us. If you have any issue regarding security, +please disclose the information responsibly by sending an email to +security@docker.com and not by creating a github issue. ## Better than VMs @@ -142,11 +148,10 @@ Docker can be installed on your local machine as well as servers - both bare metal and virtualized. It is available as a binary on most modern Linux systems, or as a VM on Windows, Mac and other systems. -We also offer an interactive tutorial for quickly learning the basics of -using Docker. +We also offer an [interactive tutorial](http://www.docker.com/tryit/) +for quickly learning the basics of using Docker. -For up-to-date install instructions and online tutorials, see the -[Getting Started page](http://www.docker.io/gettingstarted/). +For up-to-date install instructions, see the [Docs](http://docs.docker.com). Usage examples ============== diff --git a/VERSION b/VERSION index 3eefcb9dd5..7dea76edb3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.0 +1.0.1 diff --git a/api/client/commands.go b/api/client/commands.go index a6a2e35539..0cdf3f1acb 100644 --- a/api/client/commands.go +++ b/api/client/commands.go @@ -89,25 +89,6 @@ func (cli *DockerCli) CmdHelp(args ...string) error { return nil } -// FIXME: 'insert' is deprecated. -func (cli *DockerCli) CmdInsert(args ...string) error { - fmt.Fprintf(os.Stderr, "Warning: '%s' is deprecated and will be removed in a future version. Please use 'docker build' and 'ADD' instead.\n") - cmd := cli.Subcmd("insert", "IMAGE URL PATH", "Insert a file from URL in the IMAGE at PATH") - if err := cmd.Parse(args); err != nil { - return nil - } - if cmd.NArg() != 3 { - cmd.Usage() - return nil - } - - v := url.Values{} - v.Set("url", cmd.Arg(1)) - v.Set("path", cmd.Arg(2)) - - return cli.stream("POST", "/images/"+cmd.Arg(0)+"/insert?"+v.Encode(), nil, cli.out, nil) -} - func (cli *DockerCli) CmdBuild(args ...string) error { cmd := cli.Subcmd("build", "[OPTIONS] PATH | URL | -", "Build a new image from the source code at PATH") tag := cmd.String([]string{"t", "-tag"}, "", "Repository name (and optionally a tag) to be applied to the resulting image in case of success") diff --git a/api/client/utils.go b/api/client/utils.go index 2620683708..13b5241d15 100644 --- a/api/client/utils.go +++ b/api/client/utils.go @@ -105,7 +105,7 @@ func (cli *DockerCli) call(method, path string, data interface{}, passAuthInfo b if len(body) == 0 { return nil, resp.StatusCode, fmt.Errorf("Error: request returned %s for API route and version %s, check if the server supports the requested API version", http.StatusText(resp.StatusCode), req.URL) } - return nil, resp.StatusCode, fmt.Errorf("Error: %s", bytes.TrimSpace(body)) + return nil, resp.StatusCode, fmt.Errorf("Error response from daemon: %s", bytes.TrimSpace(body)) } return resp.Body, resp.StatusCode, nil } diff --git a/api/server/server.go b/api/server/server.go index 61407b2648..ce1bdbd39e 100644 --- a/api/server/server.go +++ b/api/server/server.go @@ -398,7 +398,7 @@ func getContainersLogs(eng *engine.Engine, version version.Version, w http.Respo job.Stdout.Add(outStream) job.Stderr.Set(errStream) if err := job.Run(); err != nil { - fmt.Fprintf(outStream, "Error: %s\n", err) + fmt.Fprintf(outStream, "Error running logs job: %s\n", err) } return nil } @@ -811,7 +811,7 @@ func postContainersAttach(eng *engine.Engine, version version.Version, w http.Re job.Stdout.Add(outStream) job.Stderr.Set(errStream) if err := job.Run(); err != nil { - fmt.Fprintf(outStream, "Error: %s\n", err) + fmt.Fprintf(outStream, "Error attaching: %s\n", err) } return nil @@ -841,7 +841,7 @@ func wsContainersAttach(eng *engine.Engine, version version.Version, w http.Resp job.Stdout.Add(ws) job.Stderr.Set(ws) if err := job.Run(); err != nil { - utils.Errorf("Error: %s", err) + utils.Errorf("Error attaching websocket: %s", err) } }) h.ServeHTTP(w, r) @@ -1022,7 +1022,7 @@ func makeHttpHandler(eng *engine.Engine, logging bool, localMethod string, local } if err := handlerFunc(eng, version, w, r, mux.Vars(r)); err != nil { - utils.Errorf("Error: %s", err) + utils.Errorf("Error making handler: %s", err) httpError(w, err) } } diff --git a/api/server/server_unit_test.go b/api/server/server_unit_test.go index 8ab34127ac..32f8e42b18 100644 --- a/api/server/server_unit_test.go +++ b/api/server/server_unit_test.go @@ -114,6 +114,43 @@ func TestGetInfo(t *testing.T) { } } +func TestGetContainersByName(t *testing.T) { + eng := engine.New() + name := "container_name" + var called bool + eng.Register("container_inspect", func(job *engine.Job) engine.Status { + called = true + if job.Args[0] != name { + t.Fatalf("name != '%s': %#v", name, job.Args[0]) + } + if api.APIVERSION.LessThan("1.12") && !job.GetenvBool("dirty") { + t.Fatal("dirty env variable not set") + } else if api.APIVERSION.GreaterThanOrEqualTo("1.12") && job.GetenvBool("dirty") { + t.Fatal("dirty env variable set when it shouldn't") + } + v := &engine.Env{} + v.SetBool("dirty", true) + if _, err := v.WriteTo(job.Stdout); err != nil { + return job.Error(err) + } + return engine.StatusOK + }) + r := serveRequest("GET", "/containers/"+name+"/json", nil, eng, t) + if !called { + t.Fatal("handler was not called") + } + if r.HeaderMap.Get("Content-Type") != "application/json" { + t.Fatalf("%#v\n", r) + } + var stdoutJson interface{} + if err := json.Unmarshal(r.Body.Bytes(), &stdoutJson); err != nil { + t.Fatalf("%#v", err) + } + if stdoutJson.(map[string]interface{})["dirty"].(float64) != 1 { + t.Fatalf("%#v", stdoutJson) + } +} + func serveRequest(method, target string, body io.Reader, eng *engine.Engine, t *testing.T) *httptest.ResponseRecorder { r := httptest.NewRecorder() req, err := http.NewRequest(method, target, body) diff --git a/archive/archive.go b/archive/archive.go index 76c6e31289..1982218b46 100644 --- a/archive/archive.go +++ b/archive/archive.go @@ -262,11 +262,11 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, L ts := []syscall.Timespec{timeToTimespec(hdr.AccessTime), timeToTimespec(hdr.ModTime)} // syscall.UtimesNano doesn't support a NOFOLLOW flag atm, and if hdr.Typeflag != tar.TypeSymlink { - if err := system.UtimesNano(path, ts); err != nil { + if err := system.UtimesNano(path, ts); err != nil && err != system.ErrNotSupportedPlatform { return err } } else { - if err := system.LUtimesNano(path, ts); err != nil { + if err := system.LUtimesNano(path, ts); err != nil && err != system.ErrNotSupportedPlatform { return err } } diff --git a/archive/archive_test.go b/archive/archive_test.go index 72ffd99565..ea34f0798b 100644 --- a/archive/archive_test.go +++ b/archive/archive_test.go @@ -164,6 +164,6 @@ func TestUntarUstarGnuConflict(t *testing.T) { } } if !found { - t.Fatal("%s not found in the archive", "root/.cpanm/work/1395823785.24209/Plack-1.0030/blib/man3/Plack::Middleware::LighttpdScriptNameFix.3pm") + t.Fatalf("%s not found in the archive", "root/.cpanm/work/1395823785.24209/Plack-1.0030/blib/man3/Plack::Middleware::LighttpdScriptNameFix.3pm") } } diff --git a/contrib/check-config.sh b/contrib/check-config.sh index 8dd618cb67..fe4b9f1b9b 100755 --- a/contrib/check-config.sh +++ b/contrib/check-config.sh @@ -100,7 +100,7 @@ echo echo 'Generally Necessary:' echo -n '- ' -cgroupSubsystemDir="$(awk '/[, ](cpu|cpuacct|cpuset|devices|freezer|memory)([, ]|$)/ && $8 == "cgroup" { print $5 }' /proc/$$/mountinfo | head -n1)" +cgroupSubsystemDir="$(awk '/[, ](cpu|cpuacct|cpuset|devices|freezer|memory)[, ]/ && $3 == "cgroup" { print $2 }' /proc/mounts | head -n1)" cgroupDir="$(dirname "$cgroupSubsystemDir")" if [ -d "$cgroupDir/cpu" -o -d "$cgroupDir/cpuacct" -o -d "$cgroupDir/cpuset" -o -d "$cgroupDir/devices" -o -d "$cgroupDir/freezer" -o -d "$cgroupDir/memory" ]; then echo "$(wrap_good 'cgroup hierarchy' 'properly mounted') [$cgroupDir]" @@ -116,7 +116,7 @@ fi flags=( NAMESPACES {NET,PID,IPC,UTS}_NS DEVPTS_MULTIPLE_INSTANCES - CGROUPS CGROUP_CPUACCT CGROUP_DEVICE CGROUP_SCHED + CGROUPS CGROUP_CPUACCT CGROUP_DEVICE CGROUP_FREEZER CGROUP_SCHED MACVLAN VETH BRIDGE NF_NAT_IPV4 IP_NF_TARGET_MASQUERADE NETFILTER_XT_MATCH_{ADDRTYPE,CONNTRACK} diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker index e2ddd2accf..f75b85ca8c 100755 --- a/contrib/completion/bash/docker +++ b/contrib/completion/bash/docker @@ -309,14 +309,6 @@ _docker_info() return } -_docker_insert() -{ - local counter=$(__docker_pos_first_nonflag) - if [ $cword -eq $counter ]; then - __docker_image_repos_and_tags_and_ids - fi -} - _docker_inspect() { case "$prev" in @@ -393,7 +385,7 @@ _docker_ps() { case "$prev" in --since|--before) - __docker_containers_all + __docker_containers_all ;; -n) return @@ -438,9 +430,7 @@ _docker_push() { local counter=$(__docker_pos_first_nonflag) if [ $cword -eq $counter ]; then - __docker_image_repos - # TODO replace this with __docker_image_repos_and_tags - # see https://github.com/dotcloud/docker/issues/3411 + __docker_image_repos_and_tags fi } diff --git a/contrib/completion/fish/docker.fish b/contrib/completion/fish/docker.fish index a7fd52e312..00255bc0ae 100644 --- a/contrib/completion/fish/docker.fish +++ b/contrib/completion/fish/docker.fish @@ -120,10 +120,6 @@ complete -c docker -f -n '__fish_docker_no_subcommand' -a import -d 'Create a ne # info complete -c docker -f -n '__fish_docker_no_subcommand' -a info -d 'Display system-wide information' -# insert -complete -c docker -f -n '__fish_docker_no_subcommand' -a insert -d 'Insert a file in an image' -complete -c docker -A -f -n '__fish_seen_subcommand_from insert' -a '(__fish_print_docker_images)' -d "Image" - # inspect complete -c docker -f -n '__fish_docker_no_subcommand' -a inspect -d 'Return low-level information on a container' complete -c docker -A -f -n '__fish_seen_subcommand_from inspect' -s f -l format -d 'Format the output using the given go template.' diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker old mode 100755 new mode 100644 index a379fd40f8..4578d1eda7 --- a/contrib/completion/zsh/_docker +++ b/contrib/completion/zsh/_docker @@ -139,11 +139,6 @@ __docker_subcommand () { (history) _arguments ':images:__docker_images' ;; - (insert) - _arguments '1:containers:__docker_containers' \ - '2:URL:(http:// file://)' \ - '3:file:_files' - ;; (kill) _arguments '*:containers:__docker_runningcontainers' ;; diff --git a/contrib/man/md/Dockerfile.5.md b/contrib/man/md/Dockerfile.5.md index 1d191e0f9c..d669122107 100644 --- a/contrib/man/md/Dockerfile.5.md +++ b/contrib/man/md/Dockerfile.5.md @@ -38,7 +38,7 @@ A Dockerfile is similar to a Makefile. **sudo docker build -t repository/tag .** -- specifies a repository and tag at which to save the new image if the build - succeeds. The Docker daemon runs the steps one-by-one, commiting the result + succeeds. The Docker daemon runs the steps one-by-one, committing the result to a new image if necessary before finally outputting the ID of the new image. The Docker daemon automatically cleans up the context it is given. diff --git a/contrib/man/md/docker-events.1.md b/contrib/man/md/docker-events.1.md index c9bfdec9e8..2ebe9247d4 100644 --- a/contrib/man/md/docker-events.1.md +++ b/contrib/man/md/docker-events.1.md @@ -20,7 +20,7 @@ seconds since epoch, or date string. ## Listening for Docker events After running docker events a container 786d698004576 is started and stopped -(The container name has been shortened in the ouput below): +(The container name has been shortened in the output below): # docker events [2014-04-12 18:23:04 -0400 EDT] 786d69800457: (from whenry/testimage:latest) start @@ -43,4 +43,4 @@ Again the output container IDs have been shortened for the purposes of this docu # HISTORY April 2014, Originally compiled by William Henry (whenry at redhat dot com) -based on docker.io source material and internal work. \ No newline at end of file +based on docker.io source material and internal work. diff --git a/contrib/man/md/docker-pull.1.md b/contrib/man/md/docker-pull.1.md index 1f64d3f648..40b7425f77 100644 --- a/contrib/man/md/docker-pull.1.md +++ b/contrib/man/md/docker-pull.1.md @@ -5,17 +5,18 @@ docker-pull - Pull an image or a repository from the registry # SYNOPSIS -**docker pull** NAME[:TAG] +**docker pull** [REGISTRY_PATH/]NAME[:TAG] # DESCRIPTION This command pulls down an image or a repository from the registry. If there is more than one image for a repository (e.g. fedora) then all images for that repository name are pulled down including any tags. +It is also possible to specify a non-default registry to pull from. -# EXAMPLE +# EXAMPLES -# Pull a reposiotry with multiple images +# Pull a repository with multiple images $ sudo docker pull fedora Pulling repository fedora @@ -31,6 +32,19 @@ images for that repository name are pulled down including any tags. fedora heisenbug 105182bb5e8b 5 days ago 372.7 MB fedora latest 105182bb5e8b 5 days ago 372.7 MB +# Pull an image, manually specifying path to the registry and tag + + $ sudo docker pull registry.hub.docker.com/fedora:20 + Pulling repository fedora + 3f2fed40e4b0: Download complete + 511136ea3c5a: Download complete + fd241224e9cf: Download complete + + $ sudo docker images + REPOSITORY TAG IMAGE ID CREATED VIRTUAL SIZE + fedora 20 3f2fed40e4b0 4 days ago 372.7 MB + + # HISTORY April 2014, Originally compiled by William Henry (whenry at redhat dot com) based on docker.io source material and internal work. diff --git a/contrib/man/md/docker.1.md b/contrib/man/md/docker.1.md index f990e5162f..ab5b67d11f 100644 --- a/contrib/man/md/docker.1.md +++ b/contrib/man/md/docker.1.md @@ -10,15 +10,15 @@ docker \- Docker image and container command line interface # DESCRIPTION **docker** has two distinct functions. It is used for starting the Docker daemon and to run the CLI (i.e., to command the daemon to manage images, -containers etc.) So **docker** is both a server, as a deamon, and a client +containers etc.) So **docker** is both a server, as a daemon, and a client to the daemon, through the CLI. -To run the Docker deamon you do not specify any of the commands listed below but +To run the Docker daemon you do not specify any of the commands listed below but must specify the **-d** option. The other options listed below are for the daemon only. The Docker CLI has over 30 commands. The commands are listed below and each has -its own man page which explain usage and arguements. +its own man page which explain usage and arguments. To see the man page for a command run **man docker **. diff --git a/contrib/man/md/md2man-all.sh b/contrib/man/md/md2man-all.sh index f33557934c..def876f47a 100755 --- a/contrib/man/md/md2man-all.sh +++ b/contrib/man/md/md2man-all.sh @@ -13,7 +13,7 @@ for FILE in *.md; do base="$(basename "$FILE")" name="${base%.md}" num="${name##*.}" - if [ -z "$num" -o "$base" = "$num" ]; then + if [ -z "$num" -o "$name" = "$num" ]; then # skip files that aren't of the format xxxx.N.md (like README.md) continue fi diff --git a/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage b/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage index 13b586e5cb..1d19a3ba2e 100644 --- a/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage +++ b/contrib/syntax/textmate/Docker.tmbundle/Syntaxes/Dockerfile.tmLanguage @@ -12,7 +12,7 @@ match - ^\s*(ONBUILD\s+)?(FROM|MAINTAINER|RUN|EXPOSE|ENV|ADD|VOLUME|USER|WORKDIR)\s + ^\s*(ONBUILD\s+)?(FROM|MAINTAINER|RUN|EXPOSE|ENV|ADD|VOLUME|USER|WORKDIR|COPY)\s captures 0 diff --git a/contrib/syntax/vim/syntax/dockerfile.vim b/contrib/syntax/vim/syntax/dockerfile.vim index ec79ae7476..2984bec5f8 100644 --- a/contrib/syntax/vim/syntax/dockerfile.vim +++ b/contrib/syntax/vim/syntax/dockerfile.vim @@ -11,7 +11,7 @@ let b:current_syntax = "dockerfile" syntax case ignore -syntax match dockerfileKeyword /\v^\s*(ONBUILD\s+)?(ADD|CMD|ENTRYPOINT|ENV|EXPOSE|FROM|MAINTAINER|RUN|USER|VOLUME|WORKDIR)\s/ +syntax match dockerfileKeyword /\v^\s*(ONBUILD\s+)?(ADD|CMD|ENTRYPOINT|ENV|EXPOSE|FROM|MAINTAINER|RUN|USER|VOLUME|WORKDIR|COPY)\s/ highlight link dockerfileKeyword Keyword syntax region dockerfileString start=/\v"/ skip=/\v\\./ end=/\v"/ diff --git a/daemon/container.go b/daemon/container.go index b4a33e3e18..2fd827eb9c 100644 --- a/daemon/container.go +++ b/daemon/container.go @@ -15,6 +15,8 @@ import ( "syscall" "time" + "github.com/docker/libcontainer/devices" + "github.com/docker/libcontainer/label" "github.com/dotcloud/docker/archive" "github.com/dotcloud/docker/daemon/execdriver" "github.com/dotcloud/docker/daemon/graphdriver" @@ -22,8 +24,6 @@ import ( "github.com/dotcloud/docker/image" "github.com/dotcloud/docker/links" "github.com/dotcloud/docker/nat" - "github.com/dotcloud/docker/pkg/label" - "github.com/dotcloud/docker/pkg/libcontainer/devices" "github.com/dotcloud/docker/pkg/networkfs/etchosts" "github.com/dotcloud/docker/pkg/networkfs/resolvconf" "github.com/dotcloud/docker/pkg/symlink" @@ -85,7 +85,12 @@ type Container struct { } func (container *Container) FromDisk() error { - data, err := ioutil.ReadFile(container.jsonPath()) + pth, err := container.jsonPath() + if err != nil { + return err + } + + data, err := ioutil.ReadFile(pth) if err != nil { return err } @@ -101,15 +106,22 @@ func (container *Container) FromDisk() error { return container.readHostConfig() } -func (container *Container) ToDisk() (err error) { +func (container *Container) ToDisk() error { data, err := json.Marshal(container) if err != nil { - return + return err } - err = ioutil.WriteFile(container.jsonPath(), data, 0666) + + pth, err := container.jsonPath() if err != nil { - return + return err } + + err = ioutil.WriteFile(pth, data, 0666) + if err != nil { + return err + } + return container.WriteHostConfig() } @@ -118,33 +130,45 @@ func (container *Container) readHostConfig() error { // If the hostconfig file does not exist, do not read it. // (We still have to initialize container.hostConfig, // but that's OK, since we just did that above.) - _, err := os.Stat(container.hostConfigPath()) + pth, err := container.hostConfigPath() + if err != nil { + return err + } + + _, err = os.Stat(pth) if os.IsNotExist(err) { return nil } - data, err := ioutil.ReadFile(container.hostConfigPath()) + + data, err := ioutil.ReadFile(pth) if err != nil { return err } return json.Unmarshal(data, container.hostConfig) } -func (container *Container) WriteHostConfig() (err error) { +func (container *Container) WriteHostConfig() error { data, err := json.Marshal(container.hostConfig) if err != nil { - return + return err } - return ioutil.WriteFile(container.hostConfigPath(), data, 0666) + + pth, err := container.hostConfigPath() + if err != nil { + return err + } + + return ioutil.WriteFile(pth, data, 0666) } -func (container *Container) getResourcePath(path string) string { +func (container *Container) getResourcePath(path string) (string, error) { cleanPath := filepath.Join("/", path) - return filepath.Join(container.basefs, cleanPath) + return symlink.FollowSymlinkInScope(filepath.Join(container.basefs, cleanPath), container.basefs) } -func (container *Container) getRootResourcePath(path string) string { +func (container *Container) getRootResourcePath(path string) (string, error) { cleanPath := filepath.Join("/", path) - return filepath.Join(container.root, cleanPath) + return symlink.FollowSymlinkInScope(filepath.Join(container.root, cleanPath), container.root) } func populateCommand(c *Container, env []string) error { @@ -324,7 +348,12 @@ func (container *Container) StderrLogPipe() io.ReadCloser { } func (container *Container) buildHostnameFile() error { - container.HostnamePath = container.getRootResourcePath("hostname") + hostnamePath, err := container.getRootResourcePath("hostname") + if err != nil { + return err + } + container.HostnamePath = hostnamePath + if container.Config.Domainname != "" { return ioutil.WriteFile(container.HostnamePath, []byte(fmt.Sprintf("%s.%s\n", container.Config.Hostname, container.Config.Domainname)), 0644) } @@ -336,7 +365,11 @@ func (container *Container) buildHostnameAndHostsFiles(IP string) error { return err } - container.HostsPath = container.getRootResourcePath("hosts") + hostsPath, err := container.getRootResourcePath("hosts") + if err != nil { + return err + } + container.HostsPath = hostsPath extraContent := make(map[string]string) @@ -681,19 +714,23 @@ func (container *Container) Unmount() error { return container.daemon.Unmount(container) } -func (container *Container) logPath(name string) string { +func (container *Container) logPath(name string) (string, error) { return container.getRootResourcePath(fmt.Sprintf("%s-%s.log", container.ID, name)) } func (container *Container) ReadLog(name string) (io.Reader, error) { - return os.Open(container.logPath(name)) + pth, err := container.logPath(name) + if err != nil { + return nil, err + } + return os.Open(pth) } -func (container *Container) hostConfigPath() string { +func (container *Container) hostConfigPath() (string, error) { return container.getRootResourcePath("hostconfig.json") } -func (container *Container) jsonPath() string { +func (container *Container) jsonPath() (string, error) { return container.getRootResourcePath("config.json") } @@ -756,8 +793,7 @@ func (container *Container) Copy(resource string) (io.ReadCloser, error) { var filter []string - resPath := container.getResourcePath(resource) - basePath, err := symlink.FollowSymlinkInScope(resPath, container.basefs) + basePath, err := container.getResourcePath(resource) if err != nil { container.Unmount() return nil, err @@ -808,11 +844,16 @@ func (container *Container) GetPtyMaster() (*os.File, error) { } func (container *Container) HostConfig() *runconfig.HostConfig { - return container.hostConfig + container.Lock() + res := container.hostConfig + container.Unlock() + return res } func (container *Container) SetHostConfig(hostConfig *runconfig.HostConfig) { + container.Lock() container.hostConfig = hostConfig + container.Unlock() } func (container *Container) DisableLink(name string) { @@ -861,7 +902,13 @@ func (container *Container) setupContainerDns() error { } else if len(daemon.config.DnsSearch) > 0 { dnsSearch = daemon.config.DnsSearch } - container.ResolvConfPath = container.getRootResourcePath("resolv.conf") + + resolvConfPath, err := container.getRootResourcePath("resolv.conf") + if err != nil { + return err + } + container.ResolvConfPath = resolvConfPath + return resolvconf.Build(container.ResolvConfPath, dns, dnsSearch) } else { container.ResolvConfPath = "/etc/resolv.conf" @@ -886,12 +933,20 @@ func (container *Container) initializeNetworking() error { content, err := ioutil.ReadFile("/etc/hosts") if os.IsNotExist(err) { return container.buildHostnameAndHostsFiles("") - } - if err != nil { + } else if err != nil { return err } - container.HostsPath = container.getRootResourcePath("hosts") + if err := container.buildHostnameFile(); err != nil { + return err + } + + hostsPath, err := container.getRootResourcePath("hosts") + if err != nil { + return err + } + container.HostsPath = hostsPath + return ioutil.WriteFile(container.HostsPath, content, 0644) } else if container.hostConfig.NetworkMode.IsContainer() { // we need to get the hosts files from the container to join @@ -1007,12 +1062,18 @@ func (container *Container) setupWorkingDirectory() error { if container.Config.WorkingDir != "" { container.Config.WorkingDir = path.Clean(container.Config.WorkingDir) - pthInfo, err := os.Stat(container.getResourcePath(container.Config.WorkingDir)) + pth, err := container.getResourcePath(container.Config.WorkingDir) + if err != nil { + return err + } + + pthInfo, err := os.Stat(pth) if err != nil { if !os.IsNotExist(err) { return err } - if err := os.MkdirAll(container.getResourcePath(container.Config.WorkingDir), 0755); err != nil { + + if err := os.MkdirAll(pth, 0755); err != nil { return err } } @@ -1025,12 +1086,19 @@ func (container *Container) setupWorkingDirectory() error { func (container *Container) startLoggingToDisk() error { // Setup logging of stdout and stderr to disk - if err := container.daemon.LogToDisk(container.stdout, container.logPath("json"), "stdout"); err != nil { + pth, err := container.logPath("json") + if err != nil { return err } - if err := container.daemon.LogToDisk(container.stderr, container.logPath("json"), "stderr"); err != nil { + + if err := container.daemon.LogToDisk(container.stdout, pth, "stdout"); err != nil { return err } + + if err := container.daemon.LogToDisk(container.stderr, pth, "stderr"); err != nil { + return err + } + return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go index b990b0df60..c21ba3a38c 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -12,6 +12,8 @@ import ( "sync" "time" + "github.com/docker/libcontainer/label" + "github.com/docker/libcontainer/selinux" "github.com/dotcloud/docker/archive" "github.com/dotcloud/docker/daemon/execdriver" "github.com/dotcloud/docker/daemon/execdriver/execdrivers" @@ -26,10 +28,8 @@ import ( "github.com/dotcloud/docker/graph" "github.com/dotcloud/docker/image" "github.com/dotcloud/docker/pkg/graphdb" - "github.com/dotcloud/docker/pkg/label" "github.com/dotcloud/docker/pkg/namesgenerator" "github.com/dotcloud/docker/pkg/networkfs/resolvconf" - "github.com/dotcloud/docker/pkg/selinux" "github.com/dotcloud/docker/pkg/sysinfo" "github.com/dotcloud/docker/runconfig" "github.com/dotcloud/docker/utils" @@ -72,9 +72,11 @@ func (c *contStore) Delete(id string) { func (c *contStore) List() []*Container { containers := new(History) + c.Lock() for _, cont := range c.s { containers.Add(cont) } + c.Unlock() containers.Sort() return *containers } diff --git a/daemon/execdriver/MAINTAINERS b/daemon/execdriver/MAINTAINERS index 1cb551364d..1e998f8ac1 100644 --- a/daemon/execdriver/MAINTAINERS +++ b/daemon/execdriver/MAINTAINERS @@ -1,2 +1 @@ Michael Crosby (@crosbymichael) -Guillaume J. Charmes (@creack) diff --git a/daemon/execdriver/driver.go b/daemon/execdriver/driver.go index a5c5c814d7..a3d3bc260a 100644 --- a/daemon/execdriver/driver.go +++ b/daemon/execdriver/driver.go @@ -6,7 +6,7 @@ import ( "os" "os/exec" - "github.com/dotcloud/docker/pkg/libcontainer/devices" + "github.com/docker/libcontainer/devices" ) // Context is a generic key value pair that allows diff --git a/daemon/execdriver/lxc/MAINTAINERS b/daemon/execdriver/lxc/MAINTAINERS new file mode 100644 index 0000000000..e9753be645 --- /dev/null +++ b/daemon/execdriver/lxc/MAINTAINERS @@ -0,0 +1 @@ +Dinesh Subhraveti (@dineshs-altiscale) diff --git a/daemon/execdriver/lxc/driver.go b/daemon/execdriver/lxc/driver.go index 8f785e8a8f..59daf1afe1 100644 --- a/daemon/execdriver/lxc/driver.go +++ b/daemon/execdriver/lxc/driver.go @@ -15,11 +15,10 @@ import ( "syscall" "time" + "github.com/docker/libcontainer/cgroups" + "github.com/docker/libcontainer/label" + "github.com/docker/libcontainer/mount/nodes" "github.com/dotcloud/docker/daemon/execdriver" - "github.com/dotcloud/docker/pkg/label" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" - "github.com/dotcloud/docker/pkg/libcontainer/mount/nodes" - "github.com/dotcloud/docker/pkg/system" "github.com/dotcloud/docker/utils" ) @@ -37,16 +36,7 @@ func init() { if err := setupNetworking(args); err != nil { return err } - if err := setupCapabilities(args); err != nil { - return err - } - if err := setupWorkingDirectory(args); err != nil { - return err - } - if err := system.CloseFdsFrom(3); err != nil { - return err - } - if err := changeUser(args); err != nil { + if err := finalizeNamespace(args); err != nil { return err } diff --git a/daemon/execdriver/lxc/init.go b/daemon/execdriver/lxc/init.go index 5e77190e5a..1af7730cae 100644 --- a/daemon/execdriver/lxc/init.go +++ b/daemon/execdriver/lxc/init.go @@ -9,10 +9,8 @@ import ( "strings" "syscall" + "github.com/docker/libcontainer/netlink" "github.com/dotcloud/docker/daemon/execdriver" - "github.com/dotcloud/docker/pkg/netlink" - "github.com/dotcloud/docker/pkg/user" - "github.com/syndtr/gocapability/capability" ) // Clear environment pollution introduced by lxc-start @@ -107,65 +105,6 @@ func setupWorkingDirectory(args *execdriver.InitArgs) error { return nil } -// Takes care of dropping privileges to the desired user -func changeUser(args *execdriver.InitArgs) error { - uid, gid, suppGids, err := user.GetUserGroupSupplementary( - args.User, - syscall.Getuid(), syscall.Getgid(), - ) - if err != nil { - return err - } - - if err := syscall.Setgroups(suppGids); err != nil { - return fmt.Errorf("Setgroups failed: %v", err) - } - if err := syscall.Setgid(gid); err != nil { - return fmt.Errorf("Setgid failed: %v", err) - } - if err := syscall.Setuid(uid); err != nil { - return fmt.Errorf("Setuid failed: %v", err) - } - - return nil -} - -func setupCapabilities(args *execdriver.InitArgs) error { - if args.Privileged { - return nil - } - - drop := []capability.Cap{ - capability.CAP_SETPCAP, - capability.CAP_SYS_MODULE, - capability.CAP_SYS_RAWIO, - capability.CAP_SYS_PACCT, - capability.CAP_SYS_ADMIN, - capability.CAP_SYS_NICE, - capability.CAP_SYS_RESOURCE, - capability.CAP_SYS_TIME, - capability.CAP_SYS_TTY_CONFIG, - capability.CAP_AUDIT_WRITE, - capability.CAP_AUDIT_CONTROL, - capability.CAP_MAC_OVERRIDE, - capability.CAP_MAC_ADMIN, - capability.CAP_NET_ADMIN, - capability.CAP_SYSLOG, - } - - c, err := capability.NewPid(os.Getpid()) - if err != nil { - return err - } - - c.Unset(capability.CAPS|capability.BOUNDS, drop...) - - if err := c.Apply(capability.CAPS | capability.BOUNDS); err != nil { - return err - } - return nil -} - func getEnv(args *execdriver.InitArgs, key string) string { for _, kv := range args.Env { parts := strings.SplitN(kv, "=", 2) diff --git a/daemon/execdriver/lxc/lxc_init_linux.go b/daemon/execdriver/lxc/lxc_init_linux.go index 7288f5877b..3b15d096af 100644 --- a/daemon/execdriver/lxc/lxc_init_linux.go +++ b/daemon/execdriver/lxc/lxc_init_linux.go @@ -3,9 +3,60 @@ package lxc import ( + "fmt" "syscall" + + "github.com/docker/libcontainer/namespaces" + "github.com/docker/libcontainer/security/capabilities" + "github.com/docker/libcontainer/utils" + "github.com/dotcloud/docker/daemon/execdriver" + "github.com/dotcloud/docker/daemon/execdriver/native/template" + "github.com/dotcloud/docker/pkg/system" ) func setHostname(hostname string) error { return syscall.Sethostname([]byte(hostname)) } + +func finalizeNamespace(args *execdriver.InitArgs) error { + if err := utils.CloseExecFrom(3); err != nil { + return err + } + + // We use the native drivers default template so that things like caps are consistent + // across both drivers + container := template.New() + + if !args.Privileged { + // drop capabilities in bounding set before changing user + if err := capabilities.DropBoundingSet(container); err != nil { + return fmt.Errorf("drop bounding set %s", err) + } + + // preserve existing capabilities while we change users + if err := system.SetKeepCaps(); err != nil { + return fmt.Errorf("set keep caps %s", err) + } + } + + if err := namespaces.SetupUser(args.User); err != nil { + return fmt.Errorf("setup user %s", err) + } + + if !args.Privileged { + if err := system.ClearKeepCaps(); err != nil { + return fmt.Errorf("clear keep caps %s", err) + } + + // drop all other capabilities + if err := capabilities.DropCapabilities(container); err != nil { + return fmt.Errorf("drop capabilities %s", err) + } + } + + if err := setupWorkingDirectory(args); err != nil { + return err + } + + return nil +} diff --git a/daemon/execdriver/lxc/lxc_init_unsupported.go b/daemon/execdriver/lxc/lxc_init_unsupported.go index d68cb91a1e..079446e186 100644 --- a/daemon/execdriver/lxc/lxc_init_unsupported.go +++ b/daemon/execdriver/lxc/lxc_init_unsupported.go @@ -2,6 +2,12 @@ package lxc +import "github.com/dotcloud/docker/daemon/execdriver" + func setHostname(hostname string) error { panic("Not supported on darwin") } + +func finalizeNamespace(args *execdriver.InitArgs) error { + panic("Not supported on darwin") +} diff --git a/daemon/execdriver/lxc/lxc_template.go b/daemon/execdriver/lxc/lxc_template.go index fcebe134e7..88618f07fd 100644 --- a/daemon/execdriver/lxc/lxc_template.go +++ b/daemon/execdriver/lxc/lxc_template.go @@ -4,8 +4,8 @@ import ( "strings" "text/template" + "github.com/docker/libcontainer/label" "github.com/dotcloud/docker/daemon/execdriver" - "github.com/dotcloud/docker/pkg/label" ) const LxcTemplate = ` diff --git a/daemon/execdriver/lxc/lxc_template_unit_test.go b/daemon/execdriver/lxc/lxc_template_unit_test.go index 12760adb7a..a9a67c421c 100644 --- a/daemon/execdriver/lxc/lxc_template_unit_test.go +++ b/daemon/execdriver/lxc/lxc_template_unit_test.go @@ -11,8 +11,8 @@ import ( "testing" "time" + "github.com/docker/libcontainer/devices" "github.com/dotcloud/docker/daemon/execdriver" - "github.com/dotcloud/docker/pkg/libcontainer/devices" ) func TestLXCConfig(t *testing.T) { diff --git a/daemon/execdriver/native/configuration/parse.go b/daemon/execdriver/native/configuration/parse.go index f18a60f797..77d4b297cb 100644 --- a/daemon/execdriver/native/configuration/parse.go +++ b/daemon/execdriver/native/configuration/parse.go @@ -7,7 +7,7 @@ import ( "strconv" "strings" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" "github.com/dotcloud/docker/pkg/units" ) diff --git a/daemon/execdriver/native/configuration/parse_test.go b/daemon/execdriver/native/configuration/parse_test.go index 5524adb857..c561f5e2d3 100644 --- a/daemon/execdriver/native/configuration/parse_test.go +++ b/daemon/execdriver/native/configuration/parse_test.go @@ -3,8 +3,8 @@ package configuration import ( "testing" + "github.com/docker/libcontainer" "github.com/dotcloud/docker/daemon/execdriver/native/template" - "github.com/dotcloud/docker/pkg/libcontainer" ) // Checks whether the expected capability is specified in the capabilities. diff --git a/daemon/execdriver/native/create.go b/daemon/execdriver/native/create.go index 9de500dbe5..b19620514e 100644 --- a/daemon/execdriver/native/create.go +++ b/daemon/execdriver/native/create.go @@ -6,12 +6,12 @@ import ( "os/exec" "path/filepath" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/apparmor" + "github.com/docker/libcontainer/devices" "github.com/dotcloud/docker/daemon/execdriver" "github.com/dotcloud/docker/daemon/execdriver/native/configuration" "github.com/dotcloud/docker/daemon/execdriver/native/template" - "github.com/dotcloud/docker/pkg/apparmor" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/devices" ) // createContainer populates and configures the container type with the diff --git a/daemon/execdriver/native/driver.go b/daemon/execdriver/native/driver.go index d3805b493c..840d9fbc41 100644 --- a/daemon/execdriver/native/driver.go +++ b/daemon/execdriver/native/driver.go @@ -11,12 +11,12 @@ import ( "sync" "syscall" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/apparmor" + "github.com/docker/libcontainer/cgroups/fs" + "github.com/docker/libcontainer/cgroups/systemd" + "github.com/docker/libcontainer/namespaces" "github.com/dotcloud/docker/daemon/execdriver" - "github.com/dotcloud/docker/pkg/apparmor" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups/fs" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups/systemd" - "github.com/dotcloud/docker/pkg/libcontainer/namespaces" "github.com/dotcloud/docker/pkg/system" ) diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go index 3488b2084e..e2f52f4445 100644 --- a/daemon/execdriver/native/template/default_template.go +++ b/daemon/execdriver/native/template/default_template.go @@ -1,9 +1,9 @@ package template import ( - "github.com/dotcloud/docker/pkg/apparmor" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/apparmor" + "github.com/docker/libcontainer/cgroups" ) // New returns the docker default configuration for libcontainer diff --git a/daemon/graphdriver/aufs/aufs.go b/daemon/graphdriver/aufs/aufs.go index 97e9b9748a..eb8ff77cde 100644 --- a/daemon/graphdriver/aufs/aufs.go +++ b/daemon/graphdriver/aufs/aufs.go @@ -30,9 +30,9 @@ import ( "sync" "syscall" + "github.com/docker/libcontainer/label" "github.com/dotcloud/docker/archive" "github.com/dotcloud/docker/daemon/graphdriver" - "github.com/dotcloud/docker/pkg/label" mountpk "github.com/dotcloud/docker/pkg/mount" "github.com/dotcloud/docker/utils" ) diff --git a/daemon/graphdriver/devmapper/attach_loopback.go b/daemon/graphdriver/devmapper/attach_loopback.go index d2ab8c3a4b..28a648a5e1 100644 --- a/daemon/graphdriver/devmapper/attach_loopback.go +++ b/daemon/graphdriver/devmapper/attach_loopback.go @@ -39,7 +39,7 @@ func openNextAvailableLoopback(index int, sparseFile *os.File) (loopFile *os.Fil fi, err := os.Stat(target) if err != nil { if os.IsNotExist(err) { - utils.Errorf("There are no more loopback device available.") + utils.Errorf("There are no more loopback devices available.") } return nil, ErrAttachLoopbackDevice } diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go index 48323f6610..31c3f391e4 100644 --- a/daemon/graphdriver/devmapper/deviceset.go +++ b/daemon/graphdriver/devmapper/deviceset.go @@ -18,8 +18,8 @@ import ( "syscall" "time" + "github.com/docker/libcontainer/label" "github.com/dotcloud/docker/daemon/graphdriver" - "github.com/dotcloud/docker/pkg/label" "github.com/dotcloud/docker/pkg/units" "github.com/dotcloud/docker/utils" ) @@ -55,7 +55,7 @@ type DevInfo struct { } type MetaData struct { - Devices map[string]*DevInfo `json:devices` + Devices map[string]*DevInfo `json:"Devices"` devicesLock sync.Mutex `json:"-"` // Protects all read/writes to Devices map } diff --git a/daemon/graphdriver/graphtest/graphtest.go b/daemon/graphdriver/graphtest/graphtest.go index d53878c45a..a667f2afa6 100644 --- a/daemon/graphdriver/graphtest/graphtest.go +++ b/daemon/graphdriver/graphtest/graphtest.go @@ -1,12 +1,13 @@ package graphtest import ( - "github.com/dotcloud/docker/daemon/graphdriver" "io/ioutil" "os" "path" "syscall" "testing" + + "github.com/dotcloud/docker/daemon/graphdriver" ) var ( @@ -94,10 +95,10 @@ func verifyFile(t *testing.T, path string, mode os.FileMode, uid, gid uint32) { if stat, ok := fi.Sys().(*syscall.Stat_t); ok { if stat.Uid != uid { - t.Fatal("%s no owned by uid %d", path, uid) + t.Fatalf("%s no owned by uid %d", path, uid) } if stat.Gid != gid { - t.Fatal("%s not owned by gid %d", path, gid) + t.Fatalf("%s not owned by gid %d", path, gid) } } diff --git a/daemon/inspect.go b/daemon/inspect.go index 4da09d5449..af6d4520fb 100644 --- a/daemon/inspect.go +++ b/daemon/inspect.go @@ -13,11 +13,13 @@ func (daemon *Daemon) ContainerInspect(job *engine.Job) engine.Status { } name := job.Args[0] if container := daemon.Get(name); container != nil { + container.Lock() + defer container.Unlock() if job.GetenvBool("dirty") { b, err := json.Marshal(&struct { *Container HostConfig *runconfig.HostConfig - }{container, container.HostConfig()}) + }{container, container.hostConfig}) if err != nil { return job.Error(err) } diff --git a/daemon/networkdriver/bridge/driver.go b/daemon/networkdriver/bridge/driver.go index a960aead61..8c5db9f843 100644 --- a/daemon/networkdriver/bridge/driver.go +++ b/daemon/networkdriver/bridge/driver.go @@ -8,13 +8,13 @@ import ( "strings" "sync" + "github.com/docker/libcontainer/netlink" "github.com/dotcloud/docker/daemon/networkdriver" "github.com/dotcloud/docker/daemon/networkdriver/ipallocator" "github.com/dotcloud/docker/daemon/networkdriver/portallocator" "github.com/dotcloud/docker/daemon/networkdriver/portmapper" "github.com/dotcloud/docker/engine" "github.com/dotcloud/docker/pkg/iptables" - "github.com/dotcloud/docker/pkg/netlink" "github.com/dotcloud/docker/pkg/networkfs/resolvconf" "github.com/dotcloud/docker/utils" ) diff --git a/daemon/networkdriver/network_test.go b/daemon/networkdriver/network_test.go index 6224c2dffb..d655cb30e4 100644 --- a/daemon/networkdriver/network_test.go +++ b/daemon/networkdriver/network_test.go @@ -1,7 +1,7 @@ package networkdriver import ( - "github.com/dotcloud/docker/pkg/netlink" + "github.com/docker/libcontainer/netlink" "net" "testing" ) diff --git a/daemon/networkdriver/utils.go b/daemon/networkdriver/utils.go index 0a4ef70c95..410d6010c4 100644 --- a/daemon/networkdriver/utils.go +++ b/daemon/networkdriver/utils.go @@ -6,7 +6,7 @@ import ( "fmt" "net" - "github.com/dotcloud/docker/pkg/netlink" + "github.com/docker/libcontainer/netlink" ) var ( diff --git a/daemon/volumes.go b/daemon/volumes.go index d9719369ac..f4b3921c9a 100644 --- a/daemon/volumes.go +++ b/daemon/volumes.go @@ -98,12 +98,17 @@ func applyVolumesFrom(container *Container) error { continue } - stat, err := os.Stat(c.getResourcePath(volPath)) + pth, err := c.getResourcePath(volPath) if err != nil { return err } - if err := createIfNotExists(container.getResourcePath(volPath), stat.IsDir()); err != nil { + stat, err := os.Stat(pth) + if err != nil { + return err + } + + if err := createIfNotExists(pth, stat.IsDir()); err != nil { return err } @@ -280,8 +285,8 @@ func initializeVolume(container *Container, volPath string, binds map[string]Bin delete(container.VolumesRW, volPath) } - container.Volumes[newVolPath] = destination - container.VolumesRW[newVolPath] = srcRW + container.Volumes[volPath] = destination + container.VolumesRW[volPath] = srcRW if err := createIfNotExists(source, volIsDir); err != nil { return err diff --git a/docker/README.md b/docker/README.md new file mode 100644 index 0000000000..015bc1333b --- /dev/null +++ b/docker/README.md @@ -0,0 +1,3 @@ +docker.go contains Docker's main function. + +This file provides first line CLI argument parsing and environment variable setting. diff --git a/docs/Dockerfile b/docs/Dockerfile index 694729d89b..68dbbec594 100644 --- a/docs/Dockerfile +++ b/docs/Dockerfile @@ -13,10 +13,8 @@ RUN pip install mkdocs #RUN easy_install -U setuptools #RUN pip install MarkdownTools2 -# this week I seem to need the latest dev release of awscli too -# awscli 1.3.6 does --error-document correctly -# https://github.com/aws/aws-cli/commit/edc2290e173dfaedc70b48cfa3624d58c533c6c3 -RUN pip install awscli +# this version works, the current versions fail in different ways +RUN pip install awscli==1.3.9 # get my sitemap.xml branch of mkdocs and use that for now RUN git clone https://github.com/SvenDowideit/mkdocs &&\ diff --git a/docs/README.md b/docs/README.md index fa3c501087..d74ec4ee87 100755 --- a/docs/README.md +++ b/docs/README.md @@ -53,12 +53,12 @@ run `mkdocs serve` ## Style guide -The documentation is written with paragraphs wrapped at 80 colum lines to make +The documentation is written with paragraphs wrapped at 80 column lines to make it easier for terminal use. ### Examples -When writing examples give the user hints by making them resemble what they see +When writing examples, give the user hints by making them resemble what they see in their shell: - Indent shell examples by 4 spaces so they get rendered as code. @@ -76,7 +76,7 @@ references them, or in a subdirectory if one already exists. ## Working using GitHub's file editor -Alternatively, for small changes and typos you might want to use GitHub's built +Alternatively, for small changes and typos you might want to use GitHub's built- in file editor. It allows you to preview your changes right on-line (though there can be some differences between GitHub Markdown and [MkDocs Markdown](http://www.mkdocs.org/user-guide/writing-your-docs/)). Just be @@ -85,8 +85,8 @@ work!](../CONTRIBUTING.md#sign-your-work) ## Publishing Documentation -To publish a copy of the documentation you need a `docs/awsconfig` To make life -easier for file containing AWS settings to deploy to. The release script will +To publish a copy of the documentation you need a `docs/awsconfig` +file containing AWS settings to deploy to. The release script will create an s3 if needed, and will then push the files to it. [profile dowideit-docs] aws_access_key_id = IHOIUAHSIDH234rwf.... diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index 03483abd08..5c3147a285 100755 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -101,10 +101,11 @@ pages: - ['reference/api/index.md', '**HIDDEN**'] - ['reference/api/docker-io_api.md', 'Reference', 'Docker Hub API'] - ['reference/api/registry_api.md', 'Reference', 'Docker Registry API'] -- ['reference/api/registry_index_spec.md', 'Reference', 'Registry & Index Spec'] +- ['reference/api/hub_registry_spec.md', 'Reference', 'Docker Hub and Registry Spec'] - ['reference/api/docker_remote_api.md', 'Reference', 'Docker Remote API'] +- ['reference/api/docker_remote_api_v1.12.md', 'Reference', 'Docker Remote API v1.12'] - ['reference/api/docker_remote_api_v1.11.md', 'Reference', 'Docker Remote API v1.11'] -- ['reference/api/docker_remote_api_v1.10.md', 'Reference', 'Docker Remote API v1.10'] +- ['reference/api/docker_remote_api_v1.10.md', '**HIDDEN**'] - ['reference/api/docker_remote_api_v1.9.md', '**HIDDEN**'] - ['reference/api/docker_remote_api_v1.8.md', '**HIDDEN**'] - ['reference/api/docker_remote_api_v1.7.md', '**HIDDEN**'] @@ -116,8 +117,8 @@ pages: - ['reference/api/docker_remote_api_v1.1.md', '**HIDDEN**'] - ['reference/api/docker_remote_api_v1.0.md', '**HIDDEN**'] - ['reference/api/remote_api_client_libraries.md', 'Reference', 'Docker Remote API Client Libraries'] -- ['reference/api/docker_io_oauth_api.md', 'Reference', 'Docker IO OAuth API'] -- ['reference/api/docker_io_accounts_api.md', 'Reference', 'Docker IO Accounts API'] +- ['reference/api/docker_io_oauth_api.md', 'Reference', 'Docker Hub OAuth API'] +- ['reference/api/docker_io_accounts_api.md', 'Reference', 'Docker Hub Accounts API'] - ['jsearch.md', '**HIDDEN**'] diff --git a/docs/release.sh b/docs/release.sh index 1be6268d70..2168dfe1ee 100755 --- a/docs/release.sh +++ b/docs/release.sh @@ -30,10 +30,10 @@ echo "cfg file: $AWS_CONFIG_FILE ; profile: $AWS_DEFAULT_PROFILE" setup_s3() { echo "Create $BUCKET" # Try creating the bucket. Ignore errors (it might already exist). - aws s3 mb s3://$BUCKET 2>/dev/null || true + aws s3 mb --profile $BUCKET s3://$BUCKET 2>/dev/null || true # Check access to the bucket. echo "test $BUCKET exists" - aws s3 ls s3://$BUCKET + aws s3 --profile $BUCKET ls s3://$BUCKET # Make the bucket accessible through website endpoints. echo "make $BUCKET accessible as a website" #aws s3 website s3://$BUCKET --index-document index.html --error-document jsearch/index.html @@ -41,7 +41,7 @@ setup_s3() { echo echo $s3conf echo - aws s3api put-bucket-website --bucket $BUCKET --website-configuration "$s3conf" + aws s3api --profile $BUCKET put-bucket-website --bucket $BUCKET --website-configuration "$s3conf" } build_current_documentation() { @@ -57,7 +57,42 @@ upload_current_documentation() { echo " to $dst" echo #s3cmd --recursive --follow-symlinks --preserve --acl-public sync "$src" "$dst" - aws s3 sync --cache-control "max-age=3600" --acl public-read --exclude "*.rej" --exclude "*.rst" --exclude "*.orig" --exclude "*.py" "$src" "$dst" + #aws s3 cp --profile $BUCKET --cache-control "max-age=3600" --acl public-read "site/search_content.json" "$dst" + + # a really complicated way to send only the files we want + # if there are too many in any one set, aws s3 sync seems to fall over with 2 files to go + endings=( json html xml css js gif png JPG ) + for i in ${endings[@]}; do + include="" + for j in ${endings[@]}; do + if [ "$i" != "$j" ];then + include="$include --exclude *.$j" + fi + done + echo "uploading *.$i" + run="aws s3 sync --profile $BUCKET --cache-control \"max-age=3600\" --acl public-read \ + $include \ + --exclude *.txt \ + --exclude *.text* \ + --exclude *Dockerfile \ + --exclude *.DS_Store \ + --exclude *.psd \ + --exclude *.ai \ + --exclude *.svg \ + --exclude *.eot \ + --exclude *.otf \ + --exclude *.ttf \ + --exclude *.woff \ + --exclude *.rej \ + --exclude *.rst \ + --exclude *.orig \ + --exclude *.py \ + $src $dst" + echo "=======================" + #echo "$run" + #echo "=======================" + $run + done } setup_s3 diff --git a/docs/s3_website.json b/docs/s3_website.json index d2262bf760..8a6f99beb7 100644 --- a/docs/s3_website.json +++ b/docs/s3_website.json @@ -18,9 +18,18 @@ { "Condition": { "KeyPrefixEquals": "use/working_with_links_names/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "userguide/dockerlinks/" } }, { "Condition": { "KeyPrefixEquals": "use/workingwithrepository/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "userguide/dockerrepos/" } }, { "Condition": { "KeyPrefixEquals": "use/port_redirection" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "userguide/dockerlinks/" } }, - { "Condition": { "KeyPrefixEquals": "use/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "examples/" } }, - { "Condition": { "KeyPrefixEquals": "use/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "examples/" } }, - { "Condition": { "KeyPrefixEquals": "docker-io/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "docker-hub/" } } + { "Condition": { "KeyPrefixEquals": "use/networking/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/networking/" } }, + { "Condition": { "KeyPrefixEquals": "use/puppet/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/puppet/" } }, + { "Condition": { "KeyPrefixEquals": "use/ambassador_pattern_linking/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/ambassador_pattern_linking/" } }, + { "Condition": { "KeyPrefixEquals": "use/basics/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/basics/" } }, + { "Condition": { "KeyPrefixEquals": "use/chef/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/chef/" } }, + { "Condition": { "KeyPrefixEquals": "use/host_integration/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/host_integration/" } }, + { "Condition": { "KeyPrefixEquals": "docker-io/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "docker-hub/" } }, + { "Condition": { "KeyPrefixEquals": "examples/cfengine_process_management/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/cfengine_process_management/" } }, + { "Condition": { "KeyPrefixEquals": "examples/https/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/https/" } }, + { "Condition": { "KeyPrefixEquals": "examples/using_supervisord/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "articles/using_supervisord/" } }, + { "Condition": { "KeyPrefixEquals": "reference/api/registry_index_spec/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "reference/api/hub_registry_spec/" } }, + { "Condition": { "KeyPrefixEquals": "use/" }, "Redirect": { "HostName": "$BUCKET", "ReplaceKeyPrefixWith": "examples/" } } ] } diff --git a/docs/sources/articles/networking.md b/docs/sources/articles/networking.md index a4640f3665..927cd80875 100644 --- a/docs/sources/articles/networking.md +++ b/docs/sources/articles/networking.md @@ -110,7 +110,9 @@ Finally, several networking options can only be provided when calling The following sections tackle all of the above topics in an order that moves roughly from simplest to most complex. -## Configuring DNS +## Configuring DNS + + How can Docker supply each container with a hostname and DNS configuration, without having to build a custom image with the hostname @@ -136,14 +138,14 @@ Four different options affect container domain name services. * `-h HOSTNAME` or `--hostname=HOSTNAME` — sets the hostname by which the container knows itself. This is written into `/etc/hostname`, - into `/etc/hosts` as the name of the container’s host-facing IP + into `/etc/hosts` as the name of the container's host-facing IP address, and is the name that `/bin/bash` inside the container will display inside its prompt. But the hostname is not easy to see from outside the container. It will not appear in `docker ps` nor in the `/etc/hosts` file of any other container. * `--link=CONTAINER_NAME:ALIAS` — using this option as you `run` a - container gives the new container’s `/etc/hosts` an extra entry + container gives the new container's `/etc/hosts` an extra entry named `ALIAS` that points to the IP address of the container named `CONTAINER_NAME`. This lets processes inside the new container connect to the hostname `ALIAS` without having to know its IP. The @@ -158,9 +160,9 @@ Four different options affect container domain name services. * `--dns-search=DOMAIN...` — sets the domain names that are searched when a bare unqualified hostname is used inside of the container, by - writing `search` lines into the container’s `/etc/resolv.conf`. + writing `search` lines into the container's `/etc/resolv.conf`. When a container process attempts to access `host` and the search - domain `exmaple.com` is set, for instance, the DNS logic will not + domain `example.com` is set, for instance, the DNS logic will not only look up `host` but also `host.example.com`. Note that Docker, in the absence of either of the last two options @@ -168,12 +170,14 @@ above, will make `/etc/resolv.conf` inside of each container look like the `/etc/resolv.conf` of the host machine where the `docker` daemon is running. The options then modify this default configuration. -## Communication between containers +## Communication between containers + + Whether two containers can communicate is governed, at the operating system level, by three factors. -1. Does the network topology even connect the containers’ network +1. Does the network topology even connect the containers' network interfaces? By default Docker will attach all containers to a single `docker0` bridge, providing a path for packets to travel between them. See the later sections of this document for other @@ -259,15 +263,17 @@ the `FORWARD` chain has a default policy of `ACCEPT` or `DROP`: > **Note**: > Docker is careful that its host-wide `iptables` rules fully expose -> containers to each other’s raw IP addresses, so connections from one +> containers to each other's raw IP addresses, so connections from one > container to another should always appear to be originating from the -> first container’s own IP address. +> first container's own IP address. -## Binding container ports to the host +## Binding container ports to the host + + By default Docker containers can make connections to the outside world, but the outside world cannot connect to containers. Each outgoing -connection will appear to originate from one of the host machine’s own +connection will appear to originate from one of the host machine's own IP addresses thanks to an `iptables` masquerading rule on the host machine that the Docker server creates when it starts: @@ -289,7 +295,7 @@ page. There are two approaches. First, you can supply `-P` or `--publish-all=true|false` to `docker run` which is a blanket operation that identifies every port with an `EXPOSE` -line in the image’s `Dockerfile` and maps it to a host port somewhere in +line in the image's `Dockerfile` and maps it to a host port somewhere in the range 49000–49900. This tends to be a bit inconvenient, since you then have to run other `docker` sub-commands to learn which external port a given service was mapped to. @@ -336,9 +342,11 @@ Again, this topic is covered without all of these low-level networking details in the [Docker User Guide](/userguide/dockerlinks/) document if you would like to use that as your port redirection reference instead. -## Customizing docker0 +## Customizing docker0 -By default, the Docker server creates and configures the host system’s + + +By default, the Docker server creates and configures the host system's `docker0` interface as an *Ethernet bridge* inside the Linux kernel that can pass packets back and forth between other physical or virtual network interfaces so that they behave as a single Ethernet network. @@ -347,7 +355,7 @@ Docker configures `docker0` with an IP address and netmask so the host machine can both receive and send packets to containers connected to the bridge, and gives it an MTU — the *maximum transmission unit* or largest packet length that the interface will allow — of either 1,500 bytes or -else a more specific value copied from the Docker host’s interface that +else a more specific value copied from the Docker host's interface that supports its default route. Both are configurable at server startup: * `--bip=CIDR` — supply a specific IP address and netmask for the @@ -380,8 +388,8 @@ install it. Finally, the `docker0` Ethernet bridge settings are used every time you create a new container. Docker selects a free IP address from the range available on the bridge each time you `docker run` a new container, and -configures the container’s `eth0` interface with that IP address and the -bridge’s netmask. The Docker host’s own IP address on the bridge is +configures the container's `eth0` interface with that IP address and the +bridge's netmask. The Docker host's own IP address on the bridge is used as the default gateway by which each container reaches the rest of the Internet. @@ -408,7 +416,9 @@ packets out on to the Internet unless its `ip_forward` system setting is `1` — see the section above on [Communication between containers](#between-containers) for details. -## Building your own bridge +## Building your own bridge + + If you want to take Docker out of the business of creating its own Ethernet bridge entirely, you can set up your own bridge before starting @@ -450,25 +460,27 @@ illustrate the technique. The result should be that the Docker server starts successfully and is now prepared to bind containers to the new bridge. After pausing to -verify the bridge’s configuration, try creating a container — you will +verify the bridge's configuration, try creating a container — you will see that its IP address is in your new IP address range, which Docker will have auto-detected. Just as we learned in the previous section, you can use the `brctl show` command to see Docker add and remove interfaces from the bridge as you start and stop containers, and can run `ip addr` and `ip route` inside a -container to see that it has been given an address in the bridge’s IP -address range and has been told to use the Docker host’s IP address on +container to see that it has been given an address in the bridge's IP +address range and has been told to use the Docker host's IP address on the bridge as its default gateway to the rest of the Internet. -## How Docker networks a container +## How Docker networks a container + + While Docker is under active development and continues to tweak and improve its network configuration logic, the shell commands in this section are rough equivalents to the steps that Docker takes when configuring networking for each new container. -Let’s review a few basics. +Let's review a few basics. To communicate using the Internet Protocol (IP), a machine needs access to at least one network interface at which packets can be sent and @@ -477,11 +489,11 @@ reachable through that interface. Network interfaces do not have to be physical devices. In fact, the `lo` loopback interface available on every Linux machine (and inside each Docker container) is entirely virtual — the Linux kernel simply copies loopback packets directly from -the sender’s memory into the receiver’s memory. +the sender's memory into the receiver's memory. Docker uses special virtual interfaces to let containers communicate with the host machine — pairs of virtual interfaces called “peers” that -are linked inside of the host machine’s kernel so that packets can +are linked inside of the host machine's kernel so that packets can travel between them. They are simple to create, as we will see in a moment. @@ -495,12 +507,12 @@ The steps with which Docker configures a container are: 3. Toss the other interface over the wall into the new container (which will already have been provided with an `lo` interface) and rename - it to the much prettier name `eth0` since, inside of the container’s + it to the much prettier name `eth0` since, inside of the container's separate and unique network interface namespace, there are no physical interfaces with which this name could collide. -4. Give the container’s `eth0` a new IP address from within the - bridge’s range of network addresses, and set its default route to +4. Give the container's `eth0` a new IP address from within the + bridge's range of network addresses, and set its default route to the IP address that the Docker host owns on the bridge. With these steps complete, the container now possesses an `eth0` @@ -516,7 +528,7 @@ values. * `--net=host` — Tells Docker to skip placing the container inside of a separate network stack. In essence, this choice tells Docker to - **not containerize the container’s networking**! While container + **not containerize the container's networking**! While container processes will still be confined to their own filesystem and process list and resource limits, a quick `ip addr` command will show you that, network-wise, they live “outside” in the main Docker host and @@ -524,10 +536,15 @@ values. **not** let the container reconfigure the host network stack — that would require `--privileged=true` — but it does let container processes open low-numbered ports like any other root process. + It also allows the container to access local network services + like D-bus. This can lead to processes in the container being + able to do unexpected things like + [restart your computer](https://github.com/dotcloud/docker/issues/6401). + You should use this option with caution. - * `--net=container:NAME_or_ID` — Tells Docker to put this container’s + * `--net=container:NAME_or_ID` — Tells Docker to put this container's processes inside of the network stack that has already been created - inside of another container. The new container’s processes will be + inside of another container. The new container's processes will be confined to their own filesystem and process list and resource limits, but will share the same IP address and port numbers as the first container, and processes on the two containers will be able to @@ -559,7 +576,7 @@ Docker do all of the configuration: $ sudo mkdir -p /var/run/netns $ sudo ln -s /proc/$pid/ns/net /var/run/netns/$pid - # Check the bridge’s IP address and netmask + # Check the bridge's IP address and netmask $ ip addr show docker0 21: docker0: ... @@ -621,14 +638,16 @@ of the same kinds of configuration. Here are two: * Brandon Rhodes has created a whole network topology of Docker containers for the next edition of Foundations of Python Network - Programming that includes routing, NAT’d firewalls, and servers that + Programming that includes routing, NAT'd firewalls, and servers that offer HTTP, SMTP, POP, IMAP, Telnet, SSH, and FTP: Both tools use networking commands very much like the ones you saw in the previous section, and will see in the following sections. -## Building a point-to-point connection +## Building a point-to-point connection + + By default, Docker attaches all containers to the virtual subnet implemented by `docker0`. You can create containers that are each @@ -646,7 +665,7 @@ The solution is simple: when you create your pair of peer interfaces, simply throw *both* of them into containers, and configure them as classic point-to-point links. The two containers will then be able to communicate directly (provided you manage to tell each container the -other’s IP address, of course). You might adjust the instructions of +other's IP address, of course). You might adjust the instructions of the previous section to go something like this: # Start up two containers in two terminal windows @@ -683,7 +702,7 @@ the previous section to go something like this: $ sudo ip netns exec 3004 ip route add 10.1.1.1/32 dev B The two containers should now be able to ping each other and make -connections sucessfully. Point-to-point links like this do not depend +connections successfully. Point-to-point links like this do not depend on a subnet nor a netmask, but on the bare assertion made by `ip route` that some other single IP address is connected to a particular network interface. @@ -691,7 +710,7 @@ interface. Note that point-to-point links can be safely combined with other kinds of network connectivity — there is no need to start the containers with `--net=none` if you want point-to-point links to be an addition to the -container’s normal networking instead of a replacement. +container's normal networking instead of a replacement. A final permutation of this pattern is to create the point-to-point link between the Docker host and one container, which would allow the host to diff --git a/docs/sources/articles/security.md b/docs/sources/articles/security.md index eef2577304..cdf5fdddd0 100644 --- a/docs/sources/articles/security.md +++ b/docs/sources/articles/security.md @@ -112,7 +112,7 @@ use traditional UNIX permission checks to limit access to the control socket. You can also expose the REST API over HTTP if you explicitly decide so. -However, if you do that, being aware of the abovementioned security +However, if you do that, being aware of the above mentioned security implication, you should ensure that it will be reachable only from a trusted network or VPN; or protected with e.g. `stunnel` and client SSL certificates. diff --git a/docs/sources/contributing/devenvironment.md b/docs/sources/contributing/devenvironment.md index 24e250dbb0..54b867cf40 100644 --- a/docs/sources/contributing/devenvironment.md +++ b/docs/sources/contributing/devenvironment.md @@ -50,6 +50,13 @@ This command will take some time to complete when you first execute it. If the build is successful, congratulations! You have produced a clean build of docker, neatly encapsulated in a standard build environment. +> **Note**: +> On Mac OS X, make targets such as `build`, `binary`, and `test` +> must **not** be built under root. So, for example, instead of the above +> command, issue: +> +> $ make build + ## Build the Docker Binary To create the Docker binary, run this command: diff --git a/docs/sources/docker-hub/accounts.md b/docs/sources/docker-hub/accounts.md index 43df62a9bb..7e951448d3 100644 --- a/docs/sources/docker-hub/accounts.md +++ b/docs/sources/docker-hub/accounts.md @@ -6,9 +6,11 @@ page_keywords: Docker, docker, registry, accounts, plans, Dockerfile, Docker Hub ## Docker Hub Accounts -You can `search` for Docker images and `pull` them from [Docker Hub](https://hub.docker.com) -without signing in or even having an account. However, in order to `push` images, -leave comments or to *star* a repository, you are going to need a [Docker Hub](https://hub.docker.com) account. +You can `search` for Docker images and `pull` them from [Docker +Hub](https://hub.docker.com) without signing in or even having an +account. However, in order to `push` images, leave comments or to *star* +a repository, you are going to need a [Docker +Hub](https://hub.docker.com) account. ### Registration for a Docker Hub Account @@ -29,3 +31,19 @@ https://hub.docker.com/account/resend-email-confirmation/) page. If you can't access your account for some reason, you can reset your password from the [*Password Reset*](https://hub.docker.com/account/forgot-password/) page. + +## Organizations & Groups + +Also available on the Docker Hub are organizations and groups that allow +you to collaborate across your organization or team. You can see what +organizations [you belong to and add new organizations](Sam Alba +) from the Account +tab. + +![organizations](/docker-hub/orgs.png) + +From within your organizations you can create groups that allow you to +further manage who can interact with your repositories. + +![groups](/docker-hub/groups.png) + diff --git a/docs/sources/docker-hub/groups.png b/docs/sources/docker-hub/groups.png new file mode 100644 index 0000000000..d2ede76137 Binary files /dev/null and b/docs/sources/docker-hub/groups.png differ diff --git a/docs/sources/docker-hub/hub.png b/docs/sources/docker-hub/hub.png new file mode 100644 index 0000000000..b260c5f62d Binary files /dev/null and b/docs/sources/docker-hub/hub.png differ diff --git a/docs/sources/docker-hub/index.md b/docs/sources/docker-hub/index.md index 250f2b3a1b..92d0ee063b 100644 --- a/docs/sources/docker-hub/index.md +++ b/docs/sources/docker-hub/index.md @@ -1,8 +1,23 @@ +page_title: The Docker Hub Help +page_description: The Docker Help documentation home +page_keywords: Docker, docker, registry, accounts, plans, Dockerfile, Docker Hub, docs, documentation, accounts, organizations, repositories, groups + # Docker Hub -## Contents: +![DockerHub](/docker-hub/hub.png) -- [Accounts](accounts/) -- [Repositories](repos/) -- [Automated Builds](builds/) +## [Accounts](accounts/) + +[Learn how to create](accounts/) a [Docker Hub](https://hub.docker.com) +account and manage your organizations and groups. + +## [Repositories](repos/) + +Find out how to share your Docker images in [Docker Hub +repositories](repos/) and how to store and manage private images. + +## [Automated Builds](builds/) + +Learn how to automate your build and deploy pipeline with [Automated +Builds](builds/) diff --git a/docs/sources/docker-hub/orgs.png b/docs/sources/docker-hub/orgs.png new file mode 100644 index 0000000000..e6de3ddb42 Binary files /dev/null and b/docs/sources/docker-hub/orgs.png differ diff --git a/docs/sources/docker-hub/repos.md b/docs/sources/docker-hub/repos.md index 5f8cb5b0ee..c219a1989a 100644 --- a/docs/sources/docker-hub/repos.md +++ b/docs/sources/docker-hub/repos.md @@ -4,63 +4,106 @@ page_keywords: Docker, docker, registry, accounts, plans, Dockerfile, Docker Hub # Repositories and Images on Docker Hub +![repositories](/docker-hub/repos.png) + ## Searching for repositories and images You can `search` for all the publicly available repositories and images using -Docker. If a repository is not public (i.e., private), it won't be listed on -the repository search results. To see repository statuses, you can look at your -[profile page](https://hub.docker.com) on [Docker Hub](https://hub.docker.com). +Docker. + + $ docker search ubuntu + +This will show you a list of the currently available repositories on the +Docker Hub which match the provided keyword. + +If a repository is private it won't be listed on the repository search +results. To see repository statuses, you can look at your [profile +page](https://hub.docker.com) on [Docker Hub](https://hub.docker.com). ## Repositories +Your Docker Hub repositories have a number of useful features. + ### Stars -Stars are a way to show that you like a repository. They are also an easy way -of bookmark your favorites. +Your repositories can be starred and you can star repositories in +return. Stars are a way to show that you like a repository. They are +also an easy way of bookmarking your favorites. ### Comments You can interact with other members of the Docker community and maintainers by leaving comments on repositories. If you find any comments that are not -appropriate, you can flag them for the admins' review. - -### Private Docker Repositories - -To work with a private repository on [Docker Hub](https://hub.docker.com), you -will need to add one via the [Add Repository](https://registry.hub.docker.com/account/repositories/add/) -link. Once the private repository is created, you can `push` and `pull` images -to and from it using Docker. - -> *Note:* You need to be signed in and have access to work with a private -> repository. - -Private repositories are just like public ones. However, it isn't possible to -browse them or search their content on the public registry. They do not get cached -the same way as a public repository either. - -It is possible to give access to a private repository to those whom you -designate (i.e., collaborators) from its settings page. - -From there, you can also switch repository status (*public* to *private*, or -viceversa). You will need to have an available private repository slot open -before you can do such a switch. If you don't have any, you can always upgrade -your [Docker Hub](https://registry.hub.docker.com/plans/) plan. +appropriate, you can flag them for review. ### Collaborators and their role -A collaborator is someone you want to give access to a private repository. Once -designated, they can `push` and `pull`. Although, they will not be allowed to -perform any administrative tasks such as deleting the repository or changing its -status from private to public. +A collaborator is someone you want to give access to a private +repository. Once designated, they can `push` and `pull` to your +repositories. They will not be allowed to perform any administrative +tasks such as deleting the repository or changing its status from +private to public. -> **Note:** A collaborator can not add other collaborators. Only the owner of +> **Note:** +> A collaborator cannot add other collaborators. Only the owner of > the repository has administrative access. -### Webhooks +You can also collaborate on Docker Hub with organizations and groups. +You can read more about that [here](accounts/). -You can configure webhooks on the repository settings page. A webhook is called -only after a successful `push` is made. The webhook calls are HTTP POST requests -with a JSON payload similar to the example shown below. +## Official Repositories + +The Docker Hub contains a number of [official +repositories](http://registry.hub.docker.com/official). These are +certified repositories from vendors and contributors to Docker. They +contain Docker images from vendors like Canonical, Oracle, and Red Hat +that you can use to build applications and services. + +If you use Official Repositories you know you're using a supported, +optimized and up-to-date image to power your applications. + +> **Note:** +> If you would like to contribute an official repository for your +> organization, product or team you can see more information +> [here](https://github.com/dotcloud/stackbrew). + +## Private Docker Repositories + +Private repositories allow you to have repositories that contain images +that you want to keep private, either to your own account or within an +organization or group. + +To work with a private repository on [Docker +Hub](https://hub.docker.com), you will need to add one via the [Add +Repository](https://registry.hub.docker.com/account/repositories/add/) +link. You get one private repository for free with your Docker Hub +account. If you need more accounts you can upgrade your [Docker +Hub](https://registry.hub.docker.com/plans/) plan. + +Once the private repository is created, you can `push` and `pull` images +to and from it using Docker. + +> *Note:* You need to be signed in and have access to work with a +> private repository. + +Private repositories are just like public ones. However, it isn't +possible to browse them or search their content on the public registry. +They do not get cached the same way as a public repository either. + +It is possible to give access to a private repository to those whom you +designate (i.e., collaborators) from its Settings page. From there, you +can also switch repository status (*public* to *private*, or +vice-versa). You will need to have an available private repository slot +open before you can do such a switch. If you don't have any available, +you can always upgrade your [Docker +Hub](https://registry.hub.docker.com/plans/) plan. + +## Webhooks + +You can configure webhooks for your repositories on the Repository +Settings page. A webhook is called only after a successful `push` is +made. The webhook calls are HTTP POST requests with a JSON payload +similar to the example shown below. > **Note:** For testing, you can try an HTTP request tool like > [requestb.in](http://requestb.in/). @@ -95,3 +138,7 @@ with a JSON payload similar to the example shown below. "repo_name":"username/reponame" } } + +Webhooks allow you to notify people, services and other applications of +new updates to your images and repositories. + diff --git a/docs/sources/docker-hub/repos.png b/docs/sources/docker-hub/repos.png new file mode 100644 index 0000000000..c2d6bf4364 Binary files /dev/null and b/docs/sources/docker-hub/repos.png differ diff --git a/docs/sources/faq.md b/docs/sources/faq.md index fa7deb4e24..2d38cf2ff8 100644 --- a/docs/sources/faq.md +++ b/docs/sources/faq.md @@ -122,8 +122,7 @@ functionalities: ### What is different between a Docker container and a VM? There's a great StackOverflow answer [showing the differences]( -http://stackoverflow.com/questions/16047306/ -how-is-docker-io-different-from-a-normal-virtual-machine). +http://stackoverflow.com/questions/16047306/how-is-docker-io-different-from-a-normal-virtual-machine). ### Do I lose my data when the container exits? @@ -185,8 +184,7 @@ this [mailbox](mailto:security@docker.com). ### Why do I need to sign my commits to Docker with the DCO? Please read [our blog post]( -http://blog.docker.io/2014/01/ -docker-code-contributions-require-developer-certificate-of-origin/) +http://blog.docker.io/2014/01/docker-code-contributions-require-developer-certificate-of-origin/) on the introduction of the DCO. ### Can I help by adding some questions and answers? diff --git a/docs/sources/index.md b/docs/sources/index.md index 2cb2b7f62f..06e1ac6d57 100644 --- a/docs/sources/index.md +++ b/docs/sources/index.md @@ -17,12 +17,12 @@ Docker consists of: * The Docker Engine - our lightweight and powerful open source container virtualization technology combined with a work flow for building and containerizing your applications. -* [Docker Hub](https://hub.docker.com) - our SAAS service for +* [Docker Hub](https://hub.docker.com) - our SaaS service for sharing and managing your application stacks. ## Why Docker? -- **Faster delivery of your applications** +- **Faster delivery of your applications** * We want your environment to work better. Docker containers, and the work flow that comes with them, help your developers, sysadmins, QA folks, and release engineers work together to get your code @@ -39,7 +39,7 @@ Docker consists of: sub-second launch times, reducing the cycle time of development, testing, and deployment. -- **Deploy and scale more easily** +- **Deploy and scale more easily** * Docker containers run (almost) everywhere. You can deploy containers on desktops, physical servers, virtual machines, into data centers, and up to public and private clouds. @@ -50,13 +50,13 @@ Docker consists of: down fast and easy. You can quickly launch more containers when needed and then shut them down easily when they're no longer needed. -- **Get higher density and run more workloads** +- **Get higher density and run more workloads** * Docker containers don't need a hypervisor, so you can pack more of them onto your hosts. This means you get more value out of every server and can potentially reduce what you spend on equipment and licenses. -- **Faster deployment makes for easier management** +- **Faster deployment makes for easier management** * As Docker speeds up your work flow, it gets easier to make lots of small changes instead of huge, big bang updates. Smaller changes mean reduced risk and more uptime. diff --git a/docs/sources/installation/MAINTAINERS b/docs/sources/installation/MAINTAINERS new file mode 100644 index 0000000000..6a2f512d46 --- /dev/null +++ b/docs/sources/installation/MAINTAINERS @@ -0,0 +1 @@ +google.md: Johan Euphrosine (@proppy) diff --git a/docs/sources/installation/mac.md b/docs/sources/installation/mac.md index 1d51022f44..a982c59845 100644 --- a/docs/sources/installation/mac.md +++ b/docs/sources/installation/mac.md @@ -7,13 +7,13 @@ page_keywords: Docker, Docker documentation, requirements, boot2docker, VirtualB > **Note:** > Docker is supported on Mac OS X 10.6 "Snow Leopard" or newer. -The Docker Engine uses Linux-specific kernel features, so we run it on OS X -using a lightweight virtual machine. You can use the OS X Docker client to -control the virtualized engine to build, run and manage Docker containers. +The Docker Engine uses Linux-specific kernel features, so to run it on OS X +we need to use a lightweight virtual machine (vm). You use the OS X Docker client to +control the virtualized Docker Engine to build, run, and manage Docker containers. -To make this process easier we designed a helper application called -[Boot2Docker](https://github.com/boot2docker/boot2docker) to install the -virtual machine and run the Docker daemon. +To make this process easier, we've designed a helper application called +[Boot2Docker](https://github.com/boot2docker/boot2docker) that installs the +virtual machine and runs the Docker daemon. ## Demonstration @@ -31,7 +31,7 @@ virtual machine and run the Docker daemon. 3. Run the `Boot2Docker` app in the `Applications` folder: ![](/installation/images/osx-Boot2Docker-Start-app.png) - Or to initiate Boot2Docker manually, open a terminal and run: + Or, to initiate Boot2Docker manually, open a terminal and run: $ boot2docker init $ boot2docker start @@ -41,8 +41,8 @@ virtual machine and run the Docker daemon. (but least secure) is to just hit [Enter]. This passphrase is used by the `boot2docker ssh` command. -Once you have an initialized virtual machine, you can `boot2docker stop` -and `boot2docker start` it. +Once you have an initialized virtual machine, you can control it with `boot2docker stop` +and `boot2docker start`. ## Upgrading @@ -60,36 +60,34 @@ and `boot2docker start` it. ## Running Docker -From your terminal, you can try the “hello world” example. Run: +From your terminal, you can test that Docker is running with a “hello world” example. +Start the vm and then run: $ docker run ubuntu echo hello world -This will download the `ubuntu` image and print `hello world`. +This should download the `ubuntu` image and print `hello world`. ## Container port redirection -The latest version of `boot2docker` sets up two network adapters: one using NAT -to allow the VM to download images and files from the Internet, and one host only -network adapter to which the container's ports will be exposed on. +The latest version of `boot2docker` sets up a host only network adaptor which provides +access to the container's ports. -If you run a container with an exposed port: +If you run a container with an exposed port, - $ docker run --rm -i -t -p 80:80 apache + $ docker run --rm -i -t -p 80:80 nginx -Then you should be able to access that Apache server using the IP address reported -to you using: +then you should be able to access that Nginx server using the IP address reported by: $ boot2docker ssh ip addr show dev eth1 -Typically, it is 192.168.59.103, but at this point it can change. - -If you want to share container ports with other computers on your LAN, you will -need to set up [NAT adaptor based port forwarding]( -https://github.com/boot2docker/boot2docker/blob/master/doc/WORKAROUNDS.md) +Typically, it is 192.168.59.103, but it could get changed by Virtualbox's DHCP +implementation. # Further details -The Boot2Docker management tool provides some commands: +If you are curious, the username for the boot2docker default user is `docker` and the password is `tcuser`. + +The Boot2Docker management tool provides several commands: $ ./boot2docker Usage: ./boot2docker [] @@ -97,4 +95,4 @@ The Boot2Docker management tool provides some commands: Continue with the [User Guide](/userguide/). -For further information or to report issues, please see the [Boot2Docker site](http://boot2docker.io). +For further information or to report issues, please visit the [Boot2Docker site](http://boot2docker.io). diff --git a/docs/sources/installation/ubuntulinux.md b/docs/sources/installation/ubuntulinux.md index 78a0679e55..f1ba4971eb 100644 --- a/docs/sources/installation/ubuntulinux.md +++ b/docs/sources/installation/ubuntulinux.md @@ -17,7 +17,7 @@ Please read [*Docker and UFW*](#docker-and-ufw), if you plan to use [UFW ## Ubuntu Trusty 14.04 (LTS) (64-bit) Ubuntu Trusty comes with a 3.13.0 Linux kernel, and a `docker.io` package which -installs all its prerequisites from Ubuntu's repository. +installs Docker 0.9.1 and all its prerequisites from Ubuntu's repository. > **Note**: > Ubuntu (and Debian) contain a much older KDE3/GNOME2 package called ``docker``, so the @@ -32,13 +32,45 @@ To install the latest Ubuntu package (may not be the latest Docker release): $ sudo ln -sf /usr/bin/docker.io /usr/local/bin/docker $ sudo sed -i '$acomplete -F _docker docker' /etc/bash_completion.d/docker.io +If you'd like to try the latest version of Docker: + +First, check that your APT system can deal with `https` +URLs: the file `/usr/lib/apt/methods/https` +should exist. If it doesn't, you need to install the package +`apt-transport-https`. + + [ -e /usr/lib/apt/methods/https ] || { + apt-get update + apt-get install apt-transport-https + } + +Then, add the Docker repository key to your local keychain. + + $ sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9 + +Add the Docker repository to your apt sources list, update and install +the `lxc-docker` package. + +*You may receive a warning that the package isn't trusted. Answer yes to +continue installation.* + + $ sudo sh -c "echo deb https://get.docker.io/ubuntu docker main\ + > /etc/apt/sources.list.d/docker.list" + $ sudo apt-get update + $ sudo apt-get install lxc-docker + +> **Note**: +> +> There is also a simple `curl` script available to help with this process. +> +> $ curl -s https://get.docker.io/ubuntu/ | sudo sh + To verify that everything has worked as expected: $ sudo docker run -i -t ubuntu /bin/bash Which should download the `ubuntu` image, and then start `bash` in a container. - ## Ubuntu Precise 12.04 (LTS) (64-bit) This installation path should work at all times. @@ -284,7 +316,7 @@ Docker daemon for the containers: $ sudo nano /etc/default/docker --- # Add: - $ docker_OPTS="--dns 8.8.8.8" + $ DOCKER_OPTS="--dns 8.8.8.8" # 8.8.8.8 could be replaced with a local DNS server, such as 192.168.1.1 # multiple DNS servers can be specified: --dns 8.8.8.8 --dns 192.168.1.1 diff --git a/docs/sources/installation/windows.md b/docs/sources/installation/windows.md index df9bd5ca22..447d8b280f 100644 --- a/docs/sources/installation/windows.md +++ b/docs/sources/installation/windows.md @@ -3,14 +3,17 @@ page_description: Docker installation on Microsoft Windows page_keywords: Docker, Docker documentation, Windows, requirements, virtualbox, boot2docker # Windows +> **Note:** +> Docker has been tested on Windows 7.1 and 8; it may also run on older versions. -Docker Engine runs on Windows using a lightweight virtual machine. There -is no native Windows Docker client yet, so everything is done inside the virtual -machine. -To make this process easier we designed a helper application called -[Boot2Docker](https://github.com/boot2docker/boot2docker) to install the -virtual machine and run the Docker daemon. +The Docker Engine uses Linux-specific kernel features, so to run it on Windows +we need to use a lightweight virtual machine (vm). You use the Windows Docker client to +control the virtualized Docker Engine to build, run, and manage Docker containers. + +To make this process easier, we've designed a helper application called +[Boot2Docker](https://github.com/boot2docker/boot2docker) that installs the +virtual machine and runs the Docker daemon. ## Demonstration @@ -19,8 +22,8 @@ virtual machine and run the Docker daemon. ## Installation 1. Download the latest release of the [Docker for Windows Installer](https://github.com/boot2docker/windows-installer/releases) -2. Run the installer, which will install VirtualBox, MSYS-git, the boot2docker Linux ISO and the - Boot2Docker management tool. +2. Run the installer, which will install VirtualBox, MSYS-git, the boot2docker Linux ISO, +and the Boot2Docker management tool. ![](/installation/images/windows-installer.png) 3. Run the `Boot2Docker Start` shell script from your Desktop or Program Files > Docker. The Start script will ask you to enter an ssh key passphrase - the simplest @@ -46,19 +49,18 @@ virtual machine and run the Docker daemon. ## Running Docker -Boot2Docker will log you in automatically so you can start using Docker -right away. +Boot2Docker will log you in automatically so you can start using Docker right away. Let's try the “hello world” example. Run $ docker run busybox echo hello world -This will download the small busybox image and print hello world. +This will download the small busybox image and print "hello world". # Further Details -The Boot2Docker management tool provides some commands: +The Boot2Docker management tool provides several commands: $ ./boot2docker Usage: ./boot2docker [] {help|init|up|ssh|save|down|poweroff|reset|restart|config|status|info|delete|download|version} [] @@ -66,18 +68,20 @@ The Boot2Docker management tool provides some commands: ## Container port redirection -The latest version of `boot2docker` sets up a host only -network adaptor on which the container's ports will be exposed. +If you are curious, the username for the boot2docker default user is `docker` and the password is `tcuser`. + +The latest version of `boot2docker` sets up a host only network adaptor which provides access to the container's ports. If you run a container with an exposed port: - docker run --rm -i -t -p 80:80 apache + docker run --rm -i -t -p 80:80 nginx -Then you should be able to access that Apache server using the IP address reported +Then you should be able to access that nginx server using the IP address reported to you using: boot2docker ip -Typically, it is `192.168.59.103`, but it can change. +Typically, it is 192.168.59.103, but it could get changed by Virtualbox's DHCP +implementation. For further information or to report issues, please see the [Boot2Docker site](http://boot2docker.io) diff --git a/docs/sources/introduction/understanding-docker.md b/docs/sources/introduction/understanding-docker.md index e9f5a1bfe8..3a7615ebc8 100644 --- a/docs/sources/introduction/understanding-docker.md +++ b/docs/sources/introduction/understanding-docker.md @@ -3,140 +3,129 @@ page_description: Docker explained in depth page_keywords: docker, introduction, documentation, about, technology, understanding # Understanding Docker - **What is Docker?** -Docker is a platform for developing, shipping, and running applications. -Docker is designed to deliver your applications faster. With Docker you -can separate your applications from your infrastructure AND treat your -infrastructure like a managed application. We want to help you ship code -faster, test faster, deploy faster and shorten the cycle between writing -code and running code. +Docker is an open platform for developing, shipping, and running applications. +Docker is designed to deliver your applications faster. With Docker you can +separate your applications from your infrastructure AND treat your +infrastructure like a managed application. Docker helps you ship code faster, +test faster, deploy faster, and shorten the cycle between writing code and +running code. -Docker does this by combining a lightweight container virtualization -platform with workflow and tooling that helps you manage and deploy your -applications. +Docker does this by combining a lightweight container virtualization platform +with workflows and tooling that help you manage and deploy your applications. -At its core Docker provides a way to run almost any application securely -isolated into a container. The isolation and security allows you to run -many containers simultaneously on your host. The lightweight nature of -containers, which run without the extra overload of a hypervisor, means -you can get more out of your hardware. +At its core, Docker provides a way to run almost any application securely +isolated in a container. The isolation and security allow you to run many +containers simultaneously on your host. The lightweight nature of containers, +which run without the extra load of a hypervisor, means you can get more out of +your hardware. -Surrounding the container virtualization, we provide tooling and a -platform to help you get your applications (and its supporting -components) into Docker containers, to distribute and ship those -containers to your teams to develop and test on them and then to deploy -those applications to your production environment whether it be in a -local data center or the Cloud. +Surrounding the container virtualization are tooling and a platform which can +help you in several ways: + +* getting your applications (and supporting components) into Docker containers +* distributing and shipping those containers to your teams for further development +and testing +* deploying those applications to your production environment, + whether it be in a local data center or the Cloud. ## What can I use Docker for? -* Faster delivery of your applications +*Faster delivery of your applications* Docker is perfect for helping you with the development lifecycle. Docker -can allow your developers to develop on local containers that contain -your applications and services. It can integrate into a continuous -integration and deployment workflow. +allows your developers to develop on local containers that contain your +applications and services. It can then integrate into a continuous integration and +deployment workflow. -Your developers write code locally and share their development stack via -Docker with their colleagues. When they are ready they can push their -code and the stack they are developing on to a test environment and -execute any required tests. From the testing environment you can then -push your Docker images into production and deploy your code. +For example, your developers write code locally and share their development stack via +Docker with their colleagues. When they are ready, they push their code and the +stack they are developing onto a test environment and execute any required +tests. From the testing environment, you can then push the Docker images into +production and deploy your code. -* Deploy and scale more easily +*Deploying and scaling more easily* -Docker's container platform allows you to have highly portable -workloads. Docker containers can run on a developer's local host, on -physical or virtual machines in a data center or in the Cloud. +Docker's container-based platform allows for highly portable workloads. Docker +containers can run on a developer's local host, on physical or virtual machines +in a data center, or in the Cloud. -Docker's portability and lightweight nature also makes managing -workloads dynamically easy. You can use Docker to build and scale out -applications and services. Docker's speed means that scaling can be near -real time. +Docker's portability and lightweight nature also make dynamically managing +workloads easy. You can use Docker to quickly scale up or tear down applications +and services. Docker's speed means that scaling can be near real time. -* Get higher density and run more workloads +*Achieving higher density and running more workloads** -Docker is lightweight and fast. It provides a viable (and -cost-effective!) alternative to hypervisor-based virtual machines. This -is especially useful in high density environments, for example building -your own Cloud or Platform-as-a-Service. But it is also useful -for small and medium deployments where you want to get more out of the -resources you have. +Docker is lightweight and fast. It provides a viable, cost-effective alternative +to hypervisor-based virtual machines. This is especially useful in high density +environments: for example, building your own Cloud or Platform-as-a-Service. But +it is also useful for small and medium deployments where you want to get more +out of the resources you have. ## What are the major Docker components? - Docker has two major components: + * Docker: the open source container virtualization platform. * [Docker Hub](https://hub.docker.com): our Software-as-a-Service platform for sharing and managing Docker containers. -**Note:** Docker is licensed with the open source Apache 2.0 license. -## What is the architecture of Docker? +**Note:** Docker is licensed under the open source Apache 2.0 license. -Docker has a client-server architecture. The Docker *client* talks to -the Docker *daemon* which does the heavy lifting of building, running -and distributing your Docker containers. Both the Docker client and the -daemon *can* run on the same system, or you can connect a Docker client -with a remote Docker daemon. The Docker client and service can -communicate via sockets or through a RESTful API. +## What is Docker's architecture? +Docker uses a client-server architecture. The Docker *client* talks to the +Docker *daemon*, which does the heavy lifting of building, running, and +distributing your Docker containers. Both the Docker client and the daemon *can* +run on the same system, or you can connect a Docker client to a remote Docker +daemon. The Docker client and service communicate via sockets or through a +RESTful API. ![Docker Architecture Diagram](/article-img/architecture.svg) ### The Docker daemon +As shown in the diagram above, the Docker daemon runs on a host machine. The +user does not directly interact with the daemon, but instead through the Docker +client. -As shown on the diagram above, the Docker daemon runs on a host machine. -The user does not directly interact with the daemon, but instead through -the Docker client. - -### The Docker client - +### The Docker client The Docker client, in the form of the `docker` binary, is the primary user -interface to Docker. It is tasked with accepting commands from the user -and communicating back and forth with a Docker daemon. +interface to Docker. It accepts commands from the user and communicates back and +forth with a Docker daemon. -### Inside Docker +### Inside Docker +To understand Docker's internals, you need to know about three components: -Inside Docker there are three concepts we’ll need to understand: - -* Docker images. -* Docker registries. +* Docker images. +* Docker registries. * Docker containers. #### Docker images -The Docker image is a read-only template, for example an Ubuntu operating system -with Apache and your web application installed. Docker containers are -created from images. You can download Docker images that other people -have created or Docker provides a simple way to build new images or -update existing images. You can consider Docker images to be the **build** -portion of Docker. +A Docker image is a read-only template. For example, an image could contain an Ubuntu +operating system with Apache and your web application installed. Images are used to create +Docker containers. Docker provides a simple way to build new images or update existing +images, or you can download Docker images that other people have already created. +Docker images are the **build** component of Docker. #### Docker Registries +Docker registries hold images. These are public or private stores from which you upload +or download images. The public Docker registry is called +[Docker Hub](http://index.docker.io). It provides a huge collection of existing +images for your use. These can be images you create yourself or you +can use images that others have previously created. Docker registries are the +**distribution** component of Docker. -Docker registries hold images. These are public (or private!) stores -that you can upload or download images to and from. The public Docker -registry is called [Docker Hub](https://hub.docker.com). It provides a -huge collection of existing images that you can use. These images can be -images you create yourself or you can make use of images that others -have previously created. You can consider Docker registries the -**distribution** portion of Docker. +####Docker containers +Docker containers are similar to a directory. A Docker container holds everything that +is needed for an application to run. Each container is created from a Docker +image. Docker containers can be run, started, stopped, moved, and deleted. Each +container is an isolated and secure application platform. Docker containers are the + **run** component of Docker. -#### Docker containers - -Docker containers are like a directory. A Docker container holds -everything that is needed for an application to run. Each container is -created from a Docker image. Docker containers can be run, started, -stopped, moved and deleted. Each container is an isolated and secure -application platform. You can consider Docker containers the **run** -portion of Docker. - -## So how does Docker work? - -We've learned so far that: +##So how does Docker work? +So far, we've learned that: 1. You can build Docker images that hold your applications. 2. You can create Docker containers from those Docker images to run your @@ -146,183 +135,152 @@ We've learned so far that: Let's look at how these elements combine together to make Docker work. -### How does a Docker Image work? +### How does a Docker Image work? +We've already seen that Docker images are read-only templates from which Docker +containers are launched. Each image consists of a series of layers. Docker +makes use of [union file systems](http://en.wikipedia.org/wiki/UnionFS) to +combine these layers into a single image. Union file systems allow files and +directories of separate file systems, known as branches, to be transparently +overlaid, forming a single coherent file system. -We've already seen that Docker images are read-only templates that -Docker containers are launched from. Each image consists of a series of -layers. Docker makes use of [union file -systems](http://en.wikipedia.org/wiki/UnionFS) to combine these layers -into a single image. Union file systems allow files and directories of -separate file systems, known as branches, to be transparently overlaid, -forming a single coherent file system. +One of the reasons Docker is so lightweight is because of these layers. When you +change a Docker image—for example, update an application to a new version— a new layer +gets built. Thus, rather than replacing the whole image or entirely +rebuilding, as you may do with a virtual machine, only that layer is added or +updated. Now you don't need to distribute a whole new image, just the update, +making distributing Docker images faster and simpler. -One of the reasons Docker is so lightweight is because of these layers. -When you change a Docker image, for example update an application to a -new version, this builds a new layer. Hence, rather than replacing the whole -image or entirely rebuilding, as you may do with a virtual machine, only -that layer is added or updated. Now you don't need to distribute a whole new image, -just the update, making distributing Docker images fast and simple. +Every image starts from a base image, for example `ubuntu`, a base Ubuntu image, +or `fedora`, a base Fedora image. You can also use images of your own as the +basis for a new image, for example if you have a base Apache image you could use +this as the base of all your web application images. -Every image starts from a base image, for example `ubuntu`, a base Ubuntu -image, or `fedora`, a base Fedora image. You can also use images of your -own as the basis for a new image, for example if you have a base Apache -image you could use this as the base of all your web application images. +> **Note:** Docker usually gets these base images from +> [Docker Hub](https://index.docker.io). +> +Docker images are then built from these base images using a simple, descriptive +set of steps we call *instructions*. Each instruction creates a new layer in our +image. Instructions include actions like: -> **Note:** -> Docker usually gets these base images from [Docker Hub](https://hub.docker.com). - -Docker images are then built from these base images using a simple -descriptive set of steps we call *instructions*. Each instruction -creates a new layer in our image. Instructions include steps like: - -* Run a command. -* Add a file or directory. +* Run a command. +* Add a file or directory. * Create an environment variable. * What process to run when launching a container from this image. -These instructions are stored in a file called a `Dockerfile`. Docker -reads this `Dockerfile` when you request an image be built, executes the -instructions and returns a final image. +These instructions are stored in a file called a `Dockerfile`. Docker reads this +`Dockerfile` when you request a build of an image, executes the instructions, and +returns a final image. ### How does a Docker registry work? +The Docker registry is the store for your Docker images. Once you build a Docker +image you can *push* it to a public registry [Docker Hub](https://index.docker.io) or to +your own registry running behind your firewall. -The Docker registry is the store for your Docker images. Once you build -a Docker image you can *push* it to a public registry [Docker -Hub](https://hub.docker.com) or to your own registry running behind your -firewall. +Using the Docker client, you can search for already published images and then +pull them down to your Docker host to build containers from them. -Using the Docker client, you can search for already published images and -then pull them down to your Docker host to build containers from them. - -[Docker Hub](https://hub.docker.com) provides both public and -private storage for images. Public storage is searchable and can be -downloaded by anyone. Private storage is excluded from search -results and only you and your users can pull them down and use them to -build containers. You can [sign up for a plan -here](https://registry.hub.docker.com/plans/). +[Docker Hub](https://index.docker.io) provides both public and private storage +for images. Public storage is searchable and can be downloaded by anyone. +Private storage is excluded from search results and only you and your users can +pull images down and use them to build containers. You can [sign up for a storage plan +here](https://index.docker.io/plans). ### How does a container work? - -A container consists of an operating system, user added files and -meta-data. As we've discovered each container is built from an image. That image tells -Docker what the container holds, what process to run when the container -is launched and a variety of other configuration data. The Docker image -is read-only. When Docker runs a container from an image it adds a -read-write layer on top of the image (using a union file system as we -saw earlier) in which your application is then run. +A container consists of an operating system, user-added files, and meta-data. As +we've seen, each container is built from an image. That image tells Docker +what the container holds, what process to run when the container is launched, and +a variety of other configuration data. The Docker image is read-only. When +Docker runs a container from an image, it adds a read-write layer on top of the +image (using a union file system as we saw earlier) in which your application can +then run. ### What happens when you run a container? - -The Docker client using the `docker` binary, or via the API, tells the -Docker daemon to run a container. Let's take a look at what happens -next. +Either by using the `docker` binary or via the API, the Docker client tells the Docker +daemon to run a container. $ docker run -i -t ubuntu /bin/bash -Let's break down this command. The Docker client is launched using the -`docker` binary with the `run` option telling it to launch a new -container. The bare minimum the Docker client needs to tell the -Docker daemon to run the container is: +Let's break down this command. The Docker client is launched using the `docker` +binary with the `run` option telling it to launch a new container. The bare +minimum the Docker client needs to tell the Docker daemon to run the container +is: -* What Docker image to build the container from, here `ubuntu`, a base - Ubuntu image; +* What Docker image to build the container from, here `ubuntu`, a base Ubuntu +image; * The command you want to run inside the container when it is launched, - here `bin/bash` to shell the Bash shell inside the new container. +here `/bin/bash`, to start the Bash shell inside the new container. -So what happens under the covers when we run this command? +So what happens under the hood when we run this command? -Docker begins with: +In order, Docker does the following: -- **Pulling the `ubuntu` image:** - Docker checks for the presence of the `ubuntu` image and if it doesn't - exist locally on the host, then Docker downloads it from - [Docker Hub](https://hub.docker.com). If the image already exists then - Docker uses it for the new container. -- **Creates a new container:** - Once Docker has the image it creates a container from it: - * **Allocates a filesystem and mounts a read-write _layer_:** - The container is created in the file system and a read-write layer is - added to the image. - * **Allocates a network / bridge interface:** - Creates a network interface that allows the Docker container to talk to - the local host. - * **Sets up an IP address:** - Finds and attaches an available IP address from a pool. -- **Executes a process that you specify:** - Runs your application, and; -- **Captures and provides application output:** - Connects and logs standard input, outputs and errors for you to see how - your application is running. +- **Pulls the `ubuntu` image:** Docker checks for the presence of the `ubuntu` +image and, if it doesn't exist locally on the host, then Docker downloads it from +[Docker Hub](https://index.docker.io). If the image already exists, then Docker +uses it for the new container. +- **Creates a new container:** Once Docker has the image, it uses it to create a +container. +- **Allocates a filesystem and mounts a read-write _layer_:** The container is created in +the file system and a read-write layer is added to the image. +- **Allocates a network / bridge interface:** Creates a network interface that allows the +Docker container to talk to the local host. +- **Sets up an IP address:** Finds and attaches an available IP address from a pool. +- **Executes a process that you specify:** Runs your application, and; +- **Captures and provides application output:** Connects and logs standard input, outputs +and errors for you to see how your application is running. -Now you have a running container! From here you can manage your running -container, interact with your application and then when finished stop -and remove your container. +You now have a running container! From here you can manage your container, interact with +your application and then, when finished, stop and remove your container. ## The underlying technology - Docker is written in Go and makes use of several Linux kernel features to -deliver the features we've seen. +deliver the functionality we've seen. ### Namespaces +Docker takes advantage of a technology called `namespaces` to provide the +isolated workspace we call the *container*. When you run a container, Docker +creates a set of *namespaces* for that container. -Docker takes advantage of a technology called `namespaces` to provide an -isolated workspace we call a *container*. When you run a container, -Docker creates a set of *namespaces* for that container. - -This provides a layer of isolation: each aspect of a container runs in -its own namespace and does not have access outside it. +This provides a layer of isolation: each aspect of a container runs in its own +namespace and does not have access outside it. Some of the namespaces that Docker uses are: - - **The `pid` namespace:** - Used for process isolation (PID: Process ID). - - **The `net` namespace:** - Used for managing network interfaces (NET: Networking). - - **The `ipc` namespace:** - Used for managing access to IPC resources (IPC: InterProcess -Communication). - - **The `mnt` namespace:** - Used for managing mount-points (MNT: Mount). - - **The `uts` namespace:** - Used for isolating kernel and version identifiers. (UTS: Unix Timesharing -System). + - **The `pid` namespace:** Used for process isolation (PID: Process ID). + - **The `net` namespace:** Used for managing network interfaces (NET: + Networking). + - **The `ipc` namespace:** Used for managing access to IPC + resources (IPC: InterProcess Communication). + - **The `mnt` namespace:** Used for managing mount-points (MNT: Mount). + - **The `uts` namespace:** Used for isolating kernel and version identifiers. (UTS: Unix +Timesharing System). ### Control groups - -Docker also makes use of another technology called `cgroups` or control -groups. A key need to run applications in isolation is to have them only -use the resources you want. This ensures containers are good -multi-tenant citizens on a host. Control groups allow Docker to -share available hardware resources to containers and if required, set up to -limits and constraints, for example limiting the memory available to a -specific container. +Docker also makes use of another technology called `cgroups` or control groups. +A key to running applications in isolation is to have them only use the +resources you want. This ensures containers are good multi-tenant citizens on a +host. Control groups allow Docker to share available hardware resources to +containers and, if required, set up limits and constraints. For example, +limiting the memory available to a specific container. ### Union file systems +Union file systems, or UnionFS, are file systems that operate by creating layers, +making them very lightweight and fast. Docker uses union file systems to provide +the building blocks for containers. Docker can make use of several union file system variants +including: AUFS, btrfs, vfs, and DeviceMapper. -Union file systems or UnionFS are file systems that operate by creating -layers, making them very lightweight and fast. Docker uses union file -systems to provide the building blocks for containers. We learned about -union file systems earlier in this document. Docker can make use of -several union file system variants including: AUFS, btrfs, vfs, and -DeviceMapper. - -### Container format - -Docker combines these components into a wrapper we call a container -format. The default container format is called `libcontainer`. Docker -also supports traditional Linux containers using -[LXC](https://linuxcontainers.org/). In future Docker may support other -container formats, for example integration with BSD Jails or Solaris -Zones. +### Container format +Docker combines these components into a wrapper we call a container format. The +default container format is called `libcontainer`. Docker also supports +traditional Linux containers using [LXC](https://linuxcontainers.org/). In the +future, Docker may support other container formats, for example, by integrating with +BSD Jails or Solaris Zones. ## Next steps - ### Installing Docker - -Visit the [installation](/installation/#installation) section. +Visit the [installation section](/installation/#installation). ### The Docker User Guide - -[Learn how to use Docker](/userguide/). +[Learn Docker in depth](/userguide/). diff --git a/docs/sources/reference/api.md b/docs/sources/reference/api.md index 720d40b2e8..b617211037 100644 --- a/docs/sources/reference/api.md +++ b/docs/sources/reference/api.md @@ -52,6 +52,7 @@ interfaces: - [Docker Remote API](docker_remote_api/) - [1. Brief introduction](docker_remote_api/#brief-introduction) - [2. Versions](docker_remote_api/#versions) + - [v1.12](docker_remote_api/#v1-12) - [v1.11](docker_remote_api/#v1-11) - [v1.10](docker_remote_api/#v1-10) - [v1.9](docker_remote_api/#v1-9) @@ -83,4 +84,4 @@ interfaces: - [1.3 List email addresses for a user](docker_io_accounts_api/#list-email-addresses-for-a-user) - [1.4 Add email address for a user](docker_io_accounts_api/#add-email-address-for-a-user) - [1.5 Update an email address for a user](docker_io_accounts_api/#update-an-email-address-for-a-user) - - [1.6 Delete email address for a user](docker_io_accounts_api/#delete-email-address-for-a-user) \ No newline at end of file + - [1.6 Delete email address for a user](docker_io_accounts_api/#delete-email-address-for-a-user) diff --git a/docs/sources/reference/api/docker_io_oauth_api.md b/docs/sources/reference/api/docker_io_oauth_api.md index dd2f6d75ec..c5d07720b8 100644 --- a/docs/sources/reference/api/docker_io_oauth_api.md +++ b/docs/sources/reference/api/docker_io_oauth_api.md @@ -117,7 +117,7 @@ an Authorization Code. ## 3.2 Get an Access Token Once the user has authorized your application, a request will be made to -your application'sspecified `redirect_uri` which +your application's specified `redirect_uri` which includes a `code` parameter that you must then use to get an Access Token. diff --git a/docs/sources/reference/api/docker_remote_api.md b/docs/sources/reference/api/docker_remote_api.md index 9d4069f70a..38cfc244e1 100644 --- a/docs/sources/reference/api/docker_remote_api.md +++ b/docs/sources/reference/api/docker_remote_api.md @@ -4,29 +4,27 @@ page_keywords: API, Docker, rcli, REST, documentation # Docker Remote API - - The Remote API is replacing rcli - - By default the Docker daemon listens on unix:///var/run/docker.sock - and the client must have root access to interact with the daemon - - If a group named *docker* exists on your system, docker will apply - ownership of the socket to the group + - The Remote API is replacing `rcli`. + - By default the Docker daemon listens on `unix:///var/run/docker.sock` + and the client must have `root` access to interact with the daemon. + - If a group named `docker` exists on your system, docker will apply + ownership of the socket to the group. - The API tends to be REST, but for some complex commands, like attach - or pull, the HTTP connection is hijacked to transport stdout stdin - and stderr + or pull, the HTTP connection is hijacked to transport STDOUT, STDIN, + and STDERR. - Since API version 1.2, the auth configuration is now handled client - side, so the client has to send the authConfig as POST in /images/(name)/push + side, so the client has to send the `authConfig` as a `POST` in `/images/(name)/push`. - authConfig, set as the `X-Registry-Auth` header, is currently a Base64 - encoded (json) string with credentials: + encoded (JSON) string with credentials: `{'username': string, 'password': string, 'email': string, 'serveraddress' : string}` - - The current version of the API is v1.12 -Calling /images//insert is the same as calling -/v1.12/images//insert +Calling `/images//insert` is the same as calling +`/v1.12/images//insert`. -You can still call an old version of the api using -/v1.12/images//insert +You can still call an old version of the API using +`/v1.12/images//insert`. ## v1.12 @@ -51,7 +49,7 @@ All the JSON keys are now in CamelCase Trusted builds are now Automated Builds - `is_trusted` is now `is_automated`. **Removed Insert Endpoint** -The insert endpoint has been removed. +The `insert` endpoint has been removed. ## v1.11 @@ -96,7 +94,7 @@ You can now use the force parameter to force delete of an `DELETE /containers/(id)` **New!** -You can now use the force paramter to force delete a +You can now use the force parameter to force delete a container, even if it is currently running ## v1.9 diff --git a/docs/sources/reference/api/docker_remote_api_v1.11.md b/docs/sources/reference/api/docker_remote_api_v1.11.md index 51c0def92b..90a5e7f362 100644 --- a/docs/sources/reference/api/docker_remote_api_v1.11.md +++ b/docs/sources/reference/api/docker_remote_api_v1.11.md @@ -6,12 +6,12 @@ page_keywords: API, Docker, rcli, REST, documentation ## 1. Brief introduction - - The Remote API has replaced rcli + - The Remote API has replaced `rcli`. - The daemon listens on `unix:///var/run/docker.sock` but you can bind Docker to another host/port or a Unix socket. - The API tends to be REST, but for some complex commands, like `attach` - or `pull`, the HTTP connection is hijacked to transport `stdout, stdin` - and `stderr` + or `pull`, the HTTP connection is hijacked to transport `STDOUT`, `STDIN` + and `STDERR`. # 2. Endpoints diff --git a/docs/sources/reference/api/docker_remote_api_v1.12.md b/docs/sources/reference/api/docker_remote_api_v1.12.md index c689ebdd53..5b6d79d2fb 100644 --- a/docs/sources/reference/api/docker_remote_api_v1.12.md +++ b/docs/sources/reference/api/docker_remote_api_v1.12.md @@ -6,13 +6,13 @@ page_keywords: API, Docker, rcli, REST, documentation ## 1. Brief introduction - - The Remote API has replaced rcli + - The Remote API has replaced `rcli`. - The daemon listens on `unix:///var/run/docker.sock` but you can [*Bind Docker to another host/port or a Unix socket*]( /use/basics/#bind-docker). - The API tends to be REST, but for some complex commands, like `attach` - or `pull`, the HTTP connection is hijacked to transport `stdout, stdin` - and `stderr` + or `pull`, the HTTP connection is hijacked to transport `STDOUT`, + `STDIN` and `STDERR`. # 2. Endpoints @@ -406,6 +406,7 @@ Start the container `id` { "Binds":["/tmp:/tmp"], + "Links":["redis3:redis"], "LxcConf":{"lxc.utsname":"docker"}, "PortBindings":{ "22/tcp": [{ "HostPort": "11022" }] }, "PublishAllPorts":false, @@ -1164,6 +1165,7 @@ Show the docker version information Content-Type: application/json { + "ApiVersion":"1.12", "Version":"0.2.2", "GitCommit":"5a2a5cc+CHANGES", "GoVersion":"go1.0.3" diff --git a/docs/sources/reference/api/registry_index_spec.md b/docs/sources/reference/api/hub_registry_spec.md similarity index 81% rename from docs/sources/reference/api/registry_index_spec.md rename to docs/sources/reference/api/hub_registry_spec.md index 93ba469221..bb0e4ec7e3 100644 --- a/docs/sources/reference/api/registry_index_spec.md +++ b/docs/sources/reference/api/hub_registry_spec.md @@ -1,29 +1,29 @@ page_title: Registry Documentation page_description: Documentation for docker Registry and Registry API -page_keywords: docker, registry, api, index +page_keywords: docker, registry, api, hub -# Registry & Index Spec +# The Docker Hub and the Registry spec ## The 3 roles -### Index +### Docker Hub -The Index is responsible for centralizing information about: +The Docker Hub is responsible for centralizing information about: - User accounts - Checksums of the images - Public namespaces -The Index has different components: +The Docker Hub has different components: - Web UI - Meta-data store (comments, stars, list public repositories) - Authentication service - Tokenization -The index is authoritative for those information. +The Docker Hub is authoritative for those information. -We expect that there will be only one instance of the index, run and +We expect that there will be only one instance of the Docker Hub, run and managed by Docker Inc. ### Registry @@ -31,7 +31,7 @@ managed by Docker Inc. - It stores the images and the graph for a set of repositories - It does not have user accounts data - It has no notion of user accounts or authorization - - It delegates authentication and authorization to the Index Auth + - It delegates authentication and authorization to the Docker Hub Auth service using tokens - It supports different storage backends (S3, cloud files, local FS) - It doesn't have a local database @@ -45,7 +45,7 @@ grasp the context, here are some examples of registries: docker community as a whole. Its costs are supported by the third party, but the management and operation of the registry are supported by dotCloud. It features read/write access, and delegates - authentication and authorization to the Index. + authentication and authorization to the Docker Hub. - **mirror registry**: such a registry is provided by a third-party hosting infrastructure but is targeted at their customers only. Some mechanism (unspecified to date) ensures that public images are @@ -57,7 +57,7 @@ grasp the context, here are some examples of registries: and managed by the vendor. Only users authorized by the vendor would be able to get write access. Some images would be public (accessible for anyone), others private (accessible only for authorized users). - Authentication and authorization would be delegated to the Index. + Authentication and authorization would be delegated to the Docker Hub. The goal of vendor registries is to let someone do “docker pull basho/riak1.3” and automatically push from the vendor registry (instead of a sponsor registry); i.e. get all the convenience of a @@ -67,7 +67,7 @@ grasp the context, here are some examples of registries: SSL client-side certificates, IP address authorization...). The registry is operated by a private entity, outside of dotCloud's control. It can optionally delegate additional authorization to the - Index, but it is not mandatory. + Docker Hub, but it is not mandatory. > **Note:** The latter implies that while HTTP is the protocol > of choice for a registry, multiple schemes are possible (and @@ -89,7 +89,7 @@ On top of being a runtime for LXC, Docker is the Registry client. It supports: - Push / Pull on the registry - - Client authentication on the Index + - Client authentication on the Docker Hub ## Workflow @@ -97,15 +97,15 @@ supports: ![](/static_files/docker_pull_chart.png) -1. Contact the Index to know where I should download “samalba/busybox” -2. Index replies: a. `samalba/busybox` is on Registry A b. here are the +1. Contact the Docker Hub to know where I should download “samalba/busybox” +2. Docker Hub replies: a. `samalba/busybox` is on Registry A b. here are the checksums for `samalba/busybox` (for all layers) c. token 3. Contact Registry A to receive the layers for `samalba/busybox` (all of them to the base image). Registry A is authoritative for “samalba/busybox” but keeps a copy of all inherited layers and serve them all from the same location. -4. registry contacts index to verify if token/user is allowed to download images -5. Index returns true/false lettings registry know if it should proceed or error +4. registry contacts Docker Hub to verify if token/user is allowed to download images +5. Docker Hub returns true/false lettings registry know if it should proceed or error out 6. Get the payload for all layers @@ -113,7 +113,7 @@ It's possible to run: $ docker pull https:///repositories/samalba/busybox -In this case, Docker bypasses the Index. However the security is not +In this case, Docker bypasses the Docker Hub. However the security is not guaranteed (in case Registry A is corrupted) because there won't be any checksum checks. @@ -131,7 +131,7 @@ and for an active account. **API (pulling repository foo/bar):** -1. (Docker -> Index) GET /v1/repositories/foo/bar/images: +1. (Docker -> Docker Hub) GET /v1/repositories/foo/bar/images: **Headers**: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== @@ -142,7 +142,7 @@ and for an active account. for that repo (all if no tag is specified, if tag, only checksums for those tags) see part 4.4.1) -2. (Index -> Docker) HTTP 200 OK +2. (Docker Hub -> Docker) HTTP 200 OK **Headers**: Authorization: Token @@ -158,7 +158,7 @@ and for an active account. Authorization: Token signature=123abc,repository=”foo/bar”,access=write -4. (Registry -> Index) GET /v1/repositories/foo/bar/images +4. (Registry -> Docker Hub) GET /v1/repositories/foo/bar/images **Headers**: Authorization: Token @@ -171,7 +171,7 @@ and for an active account. (Lookup token see if they have access to pull.) If good: - HTTP 200 OK Index will invalidate the token + HTTP 200 OK Docker Hub will invalidate the token If bad: HTTP 401 Unauthorized @@ -189,43 +189,43 @@ and for an active account. ![](/static_files/docker_push_chart.png) -1. Contact the index to allocate the repository name “samalba/busybox” +1. Contact the Docker Hub to allocate the repository name “samalba/busybox” (authentication required with user credentials) 2. If authentication works and namespace available, “samalba/busybox” is allocated and a temporary token is returned (namespace is marked - as initialized in index) + as initialized in Docker Hub) 3. Push the image on the registry (along with the token) -4. Registry A contacts the Index to verify the token (token must +4. Registry A contacts the Docker Hub to verify the token (token must corresponds to the repository name) -5. Index validates the token. Registry A starts reading the stream +5. Docker Hub validates the token. Registry A starts reading the stream pushed by docker and store the repository (with its images) -6. docker contacts the index to give checksums for upload images +6. docker contacts the Docker Hub to give checksums for upload images > **Note:** -> **It's possible not to use the Index at all!** In this case, a deployed +> **It's possible not to use the Docker Hub at all!** In this case, a deployed > version of the Registry is deployed to store and serve images. Those > images are not authenticated and the security is not guaranteed. > **Note:** -> **Index can be replaced!** For a private Registry deployed, a custom -> Index can be used to serve and validate token according to different +> **Docker Hub can be replaced!** For a private Registry deployed, a custom +> Docker Hub can be used to serve and validate token according to different > policies. -Docker computes the checksums and submit them to the Index at the end of -the push. When a repository name does not have checksums on the Index, +Docker computes the checksums and submit them to the Docker Hub at the end of +the push. When a repository name does not have checksums on the Docker Hub, it means that the push is in progress (since checksums are submitted at the end). **API (pushing repos foo/bar):** -1. (Docker -> Index) PUT /v1/repositories/foo/bar/ +1. (Docker -> Docker Hub) PUT /v1/repositories/foo/bar/ **Headers**: Authorization: Basic sdkjfskdjfhsdkjfh== X-Docker-Token: true **Action**: - - in index, we allocated a new repository, and set to + - in Docker Hub, we allocated a new repository, and set to initialized **Body**: @@ -235,7 +235,7 @@ the end). [{“id”: “9e89cc6f0bc3c38722009fe6857087b486531f9a779a0c17e3ed29dae8f12c4f”}] -2. (Index -> Docker) 200 Created +2. (Docker Hub -> Docker) 200 Created **Headers**: - WWW-Authenticate: Token @@ -249,14 +249,14 @@ the end). Authorization: Token signature=123abc,repository=”foo/bar”,access=write -4. (Registry->Index) GET /v1/repositories/foo/bar/images +4. (Registry->Docker Hub) GET /v1/repositories/foo/bar/images **Headers**: Authorization: Token signature=123abc,repository=”foo/bar”,access=write **Action**: - - Index: + - Docker Hub: will invalidate the token. - Registry: grants a session (if token is approved) and fetches @@ -292,7 +292,7 @@ the end). **Body**: “98765432” -10. (Docker -> Index) PUT /v1/repositories/foo/bar/images +10. (Docker -> Docker Hub) PUT /v1/repositories/foo/bar/images **Headers**: Authorization: Basic 123oislifjsldfj== X-Docker-Endpoints: @@ -307,33 +307,33 @@ the end). **Return**: HTTP 204 -> **Note:** If push fails and they need to start again, what happens in the index, +> **Note:** If push fails and they need to start again, what happens in the Docker Hub, > there will already be a record for the namespace/name, but it will be > initialized. Should we allow it, or mark as name already used? One edge > case could be if someone pushes the same thing at the same time with two > different shells. If it's a retry on the Registry, Docker has a cookie (provided by the -registry after token validation). So the Index won't have to provide a +registry after token validation). So the Docker Hub won't have to provide a new token. ### Delete -If you need to delete something from the index or registry, we need a +If you need to delete something from the Docker Hub or registry, we need a nice clean way to do that. Here is the workflow. -1. Docker contacts the index to request a delete of a repository +1. Docker contacts the Docker Hub to request a delete of a repository `samalba/busybox` (authentication required with user credentials) 2. If authentication works and repository is valid, `samalba/busybox` is marked as deleted and a temporary token is returned 3. Send a delete request to the registry for the repository (along with the token) -4. Registry A contacts the Index to verify the token (token must +4. Registry A contacts the Docker Hub to verify the token (token must corresponds to the repository name) -5. Index validates the token. Registry A deletes the repository and +5. Docker Hub validates the token. Registry A deletes the repository and everything associated to it. -6. docker contacts the index to let it know it was removed from the - registry, the index removes all records from the database. +6. docker contacts the Docker Hub to let it know it was removed from the + registry, the Docker Hub removes all records from the database. > **Note**: > The Docker client should present an "Are you sure?" prompt to confirm @@ -342,20 +342,20 @@ nice clean way to do that. Here is the workflow. **API (deleting repository foo/bar):** -1. (Docker -> Index) DELETE /v1/repositories/foo/bar/ +1. (Docker -> Docker Hub) DELETE /v1/repositories/foo/bar/ **Headers**: Authorization: Basic sdkjfskdjfhsdkjfh== X-Docker-Token: true **Action**: - - in index, we make sure it is a valid repository, and set + - in Docker Hub, we make sure it is a valid repository, and set to deleted (logically) **Body**: Empty -2. (Index -> Docker) 202 Accepted +2. (Docker Hub -> Docker) 202 Accepted **Headers**: - WWW-Authenticate: Token @@ -370,14 +370,14 @@ nice clean way to do that. Here is the workflow. Authorization: Token signature=123abc,repository=”foo/bar”,access=delete -4. (Registry->Index) PUT /v1/repositories/foo/bar/auth +4. (Registry->Docker Hub) PUT /v1/repositories/foo/bar/auth **Headers**: Authorization: Token signature=123abc,repository=”foo/bar”,access=delete **Action**: - - Index: + - Docker Hub: will invalidate the token. - Registry: deletes the repository (if token is approved) @@ -387,7 +387,7 @@ nice clean way to do that. Here is the workflow. 200 If success 403 if forbidden 400 if bad request 404 if repository isn't found -6. (Docker -> Index) DELETE /v1/repositories/foo/bar/ +6. (Docker -> Docker Hub) DELETE /v1/repositories/foo/bar/ **Headers**: Authorization: Basic 123oislifjsldfj== X-Docker-Endpoints: @@ -400,7 +400,7 @@ nice clean way to do that. Here is the workflow. ## How to use the Registry in standalone mode -The Index has two main purposes (along with its fancy social features): +The Docker Hub has two main purposes (along with its fancy social features): - Resolve short names (to avoid passing absolute URLs all the time): @@ -412,15 +412,15 @@ The Index has two main purposes (along with its fancy social features): - Authenticate a user as a repos owner (for a central referenced repository) -### Without an Index +### Without an Docker Hub -Using the Registry without the Index can be useful to store the images +Using the Registry without the Docker Hub can be useful to store the images on a private network without having to rely on an external entity controlled by Docker Inc. In this case, the registry will be launched in a special mode -(–standalone? –no-index?). In this mode, the only thing which changes is -that Registry will never contact the Index to verify a token. It will be +(–standalone? ne? –no-index?). In this mode, the only thing which changes is +that Registry will never contact the Docker Hub to verify a token. It will be the Registry owner responsibility to authenticate the user who pushes (or even pulls) an image using any mechanism (HTTP auth, IP based, etc...). @@ -433,21 +433,21 @@ As hinted previously, a standalone registry can also be implemented by any HTTP server handling GET/PUT requests (or even only GET requests if no write access is necessary). -### With an Index +### With an Docker Hub -The Index data needed by the Registry are simple: +The Docker Hub data needed by the Registry are simple: - Serve the checksums - Provide and authorize a Token In the scenario of a Registry running on a private network with the need -of centralizing and authorizing, it's easy to use a custom Index. +of centralizing and authorizing, it's easy to use a custom Docker Hub. The only challenge will be to tell Docker to contact (and trust) this -custom Index. Docker will be configurable at some point to use a -specific Index, it'll be the private entity responsibility (basically +custom Docker Hub. Docker will be configurable at some point to use a +specific Docker Hub, it'll be the private entity responsibility (basically the organization who uses Docker in a private environment) to maintain -the Index and the Docker's configuration among its consumers. +the Docker Hub and the Docker's configuration among its consumers. ## The API @@ -474,7 +474,7 @@ file is empty. ### Users -### Create a user (Index) +### Create a user (Docker Hub) POST /v1/users: @@ -497,7 +497,7 @@ etc) - forbidden name - name already exists > A user account will be valid only if the email has been validated (a > validation link is sent to the email address). -### Update a user (Index) +### Update a user (Docker Hub) PUT /v1/users/ @@ -508,7 +508,7 @@ etc) - forbidden name - name already exists > We can also update email address, if they do, they will need to reverify > their new email address. -### Login (Index) +### Login (Docker Hub) Does nothing else but asking for a user authentication. Can be used to validate credentials. HTTP Basic Auth for now, maybe change in future. @@ -525,7 +525,7 @@ GET /v1/users The Registry does not know anything about users. Even though repositories are under usernames, it's just a namespace for the registry. Allowing us to implement organizations or different namespaces -per user later, without modifying the Registry'sAPI. +per user later, without modifying the Registry's API. The following naming restrictions apply: @@ -554,9 +554,9 @@ GET /v1/repositories///tags DELETE /v1/repositories///tags/ -### 4.4 Images (Index) +### 4.4 Images (Docker Hub) -For the Index to “resolve” the repository name to a Registry location, +For the Docker Hub to “resolve” the repository name to a Registry location, it uses the X-Docker-Endpoints header. In other terms, this requests always add a `X-Docker-Endpoints` to indicate the location of the registry which hosts this repository. @@ -594,7 +594,7 @@ DELETE /v1/repositories// Return 200 OK -### Remove a Repository (Index) +### Remove a Repository (Docker Hub) This starts the delete process. see 2.3 for more details. @@ -613,7 +613,7 @@ When a Registry is a reference for a repository, it should host the entire images chain in order to avoid breaking the chain during the download. -The Index and Registry use this mechanism to redirect on one or the +The Docker Hub and Registry use this mechanism to redirect on one or the other. Example with an image download: @@ -627,10 +627,10 @@ list. ## Authentication & Authorization -### On the Index +### On the Docker Hub -The Index supports both “Basic” and “Token” challenges. Usually when -there is a `401 Unauthorized`, the Index replies +The Docker Hub supports both “Basic” and “Token” challenges. Usually when +there is a `401 Unauthorized`, the Docker Hub replies this: 401 Unauthorized diff --git a/docs/sources/reference/api/remote_api_client_libraries.md b/docs/sources/reference/api/remote_api_client_libraries.md index 4b90afc5b0..e299e6ed81 100644 --- a/docs/sources/reference/api/remote_api_client_libraries.md +++ b/docs/sources/reference/api/remote_api_client_libraries.md @@ -77,7 +77,7 @@ will add the libraries here. Java docker-java - https://github.com/kpelykh/docker-java + https://github.com/docker-java/docker-java Active @@ -122,11 +122,17 @@ will add the libraries here. https://github.com/alambike/eixo-docker Active - + Scala reactive-docker https://github.com/almoehi/reactive-docker Active + + Java + docker-client + https://github.com/spotify/docker-client + Active + diff --git a/docs/sources/reference/builder.md b/docs/sources/reference/builder.md index c8af26c5db..8717eb7bfc 100644 --- a/docs/sources/reference/builder.md +++ b/docs/sources/reference/builder.md @@ -216,7 +216,7 @@ from the resulting image. You can view the values using `docker inspect`, and change them using `docker run --env =`. > **Note**: -> One example where this can cause unexpected consequenses, is setting +> One example where this can cause unexpected consequences, is setting > `ENV DEBIAN_FRONTEND noninteractive`. Which will persist when the container > is run interactively; for example: `docker run -t -i image bash` @@ -468,7 +468,7 @@ For example you might add something like this: # VERSION 0.0.1 FROM ubuntu - MAINTAINER Guillaume J. Charmes + MAINTAINER Victor Vieux # make sure the package repository is up to date RUN echo "deb http://archive.ubuntu.com/ubuntu precise main universe" > /etc/apt/sources.list diff --git a/docs/sources/reference/commandline/cli.md b/docs/sources/reference/commandline/cli.md index acc590454c..e496ce425f 100644 --- a/docs/sources/reference/commandline/cli.md +++ b/docs/sources/reference/commandline/cli.md @@ -448,7 +448,7 @@ To see how the `docker:latest` image was built: The default `docker images` will show all top level images, their repository and tags, and their virtual size. -Docker images have intermediate layers that increase reuseability, +Docker images have intermediate layers that increase reusability, decrease disk usage, and speed up `docker build` by allowing each step to be cached. These intermediate layers are not shown by default. @@ -735,7 +735,7 @@ Running `docker ps` showing 2 linked containers. ## pull - Usage: docker pull NAME[:TAG] + Usage: docker pull [REGISTRY_PATH/]NAME[:TAG] Pull an image or a repository from the registry @@ -745,6 +745,11 @@ Most of your images will be created on top of a base image from the [Docker Hub](https://hub.docker.com) contains many pre-built images that you can `pull` and try without needing to define and configure your own. +It is also possible to manually specify the path of a registry to pull from. +For example, if you have set up a local registry, you can specify its path to +pull from it. A repository path is similar to a URL, but does not contain +a protocol specifier (https://, for example). + To download a particular image, or set of images (i.e., a repository), use `docker pull`: @@ -752,8 +757,11 @@ use `docker pull`: # will pull all the images in the debian repository $ docker pull debian:testing # will pull only the image named debian:testing and any intermediate layers - # it is based on. (typically the empty `scratch` image, a MAINTAINERs layer, - # and the un-tared base. + # it is based on. (Typically the empty `scratch` image, a MAINTAINERs layer, + # and the un-tarred base). + $ docker pull registry.hub.docker.com/debian + # manually specifies the path to the default Docker registry. This could + # be replaced with the path to a local registry to pull from another source. ## push @@ -873,7 +881,7 @@ removed before the image is removed. 'bridge': creates a new network stack for the container on the docker bridge 'none': no networking for this container 'container:': reuses another container network stack - 'host': use the host network stack inside the contaner + 'host': use the host network stack inside the container -p, --publish=[] Publish a container's port to the host format: ip:hostPort:containerPort | ip::containerPort | hostPort:containerPort (use 'docker port' to see the actual mapping) @@ -1066,7 +1074,7 @@ retrieve the container's ID once the container has finished running. $ sudo docker run -d --name static static-web-files sh $ sudo docker run -d --expose=8098 --name riak riakserver $ sudo docker run -d -m 100m -e DEVELOPMENT=1 -e BRANCH=example-code -v $(pwd):/app/bin:ro --name app appserver - $ sudo docker run -d -p 1443:443 --dns=dns.dev.org --dns-search=dev.org -v /var/log/httpd --volumes-from static --link riak --link app -h www.sven.dev.org --name web webserver + $ sudo docker run -d -p 1443:443 --dns=10.0.0.1 --dns-search=dev.org -v /var/log/httpd --volumes-from static --link riak --link app -h www.sven.dev.org --name web webserver $ sudo docker run -t -i --rm --volumes-from web -w /var/log/httpd busybox tail -f access.log This example shows 5 containers that might be set up to test a web @@ -1081,7 +1089,7 @@ application change: two environment variables `DEVELOPMENT` and `BRANCH` and bind-mounting the current directory (`$(pwd)`) in the container in read-only mode as `/app/bin`; 4. Start the `webserver`, mapping port `443` in the container to port `1443` on - the Docker server, setting the DNS server to `dns.dev.org` and DNS search + the Docker server, setting the DNS server to `10.0.0.1` and DNS search domain to `dev.org`, creating a volume to put the log files into (so we can access it from another container), then importing the files from the volume exposed by the `static` container, and linking to all exposed ports from diff --git a/docs/sources/reference/run.md b/docs/sources/reference/run.md index 7d5fcbc51f..5cb050c025 100644 --- a/docs/sources/reference/run.md +++ b/docs/sources/reference/run.md @@ -137,7 +137,7 @@ PID files): 'bridge': creates a new network stack for the container on the docker bridge 'none': no networking for this container 'container:': reuses another container network stack - 'host': use the host network stack inside the contaner + 'host': use the host network stack inside the container By default, all containers have networking enabled and they can make any outgoing connections. The operator can completely disable networking @@ -152,7 +152,7 @@ Supported networking modes are: * none - no networking in the container * bridge - (default) connect the container to the bridge via veth interfaces -* host - use the host's network stack inside the container +* host - use the host's network stack inside the container. Note: This gives the container full access to local system services such as D-bus and is therefore considered insecure. * container - use another container's network stack #### Mode: none diff --git a/docs/sources/userguide/dockerhub.md b/docs/sources/userguide/dockerhub.md index 7e7acbef16..99e9a0a922 100644 --- a/docs/sources/userguide/dockerhub.md +++ b/docs/sources/userguide/dockerhub.md @@ -4,70 +4,69 @@ page_keywords: documentation, docs, the docker guide, docker guide, docker, dock # Getting Started with Docker Hub -*How do I use Docker Hub?* -In this section we're going to introduce you, very quickly!, to -[Docker Hub](https://hub.docker.com) and create an account. +This section provides a quick introduction to the [Docker Hub](https://hub.docker.com) +and will show you how to create an account. -[Docker Hub](https://www.docker.io) is the central hub for Docker. It -helps you to manage Docker and its components. It provides services such -as: +The [Docker Hub](https://hub.docker.com) is a centralized resource for working with +Docker and its components. Docker Hub helps you collaborate with colleagues and get the +most out of Docker.To do this, it provides services such as: -* Hosting images. +* Docker image hosting. * User authentication. -* Automated image builds and work flow tools like build triggers and web +* Automated image builds and work-flow tools such as build triggers and web hooks. * Integration with GitHub and BitBucket. -Docker Hub helps you collaborate with colleagues and get the most out of -Docker. - -In order to use Docker Hub you will need to register an account. Don't -panic! It's totally free and really easy. +In order to use Docker Hub, you will first need to register and create an account. Don't +worry, creating an account is simple and free. ## Creating a Docker Hub Account -There are two ways you can create a Docker Hub account: +There are two ways for you to register and create a Docker Hub account: -* Via the web, or -* Via the command line. +1. Via the web, or +2. Via the command line. -### Sign up via the web! +### Register via the web -Fill in the [sign-up form](https://www.docker.io/account/signup/) and -choose your user name and specify some details such as an email address. +Fill in the [sign-up form](https://hub.docker.com/account/signup/) by +choosing your user name and password and specifying email address. You can also sign up +for the Docker Weekly mailing list, which has lots of information about what's going on +in the world of Docker. ![Register using the sign-up page](/userguide/register-web.png) -### Signup via the command line +### Register via the command line -You can also create a Docker Hub account via the command line using the +You can also create a Docker Hub account via the command line with the `docker login` command. $ sudo docker login ### Confirm your email -Once you've filled in the form then check your email for a welcome -message and activate your account. +Once you've filled in the form, check your email for a welcome message and confirmation +to activate your account. ![Confirm your registration](/userguide/register-confirm.png) -### Login! +### Login -Then you can login using the web console: +After you complete the confirmation process, you can login using the web console: ![Login using the web console](/userguide/login-web.png) -Or via the command line and the `docker login` command: +Or via the command line with the `docker login` command: $ sudo docker login -Now your Docker Hub account is active and ready for you to use! +Your Docker Hub account is now active and ready for you to use! ## Next steps -Now let's start Dockerizing applications with our "Hello World!" exercise. +Next, let's start learning how to Dockerize applications with our "Hello World!" +exercise. Go to [Dockerizing Applications](/userguide/dockerizing). diff --git a/docs/sources/userguide/dockerimages.md b/docs/sources/userguide/dockerimages.md index a4095f5f15..b58be90449 100644 --- a/docs/sources/userguide/dockerimages.md +++ b/docs/sources/userguide/dockerimages.md @@ -70,7 +70,7 @@ If instead we wanted to build an Ubuntu 12.04 image we'd use: $ sudo docker run -t -i ubuntu:12.04 /bin/bash If you don't specify a variant, for example you just use `ubuntu`, then Docker -will default to using the `ubunut:latest` image. +will default to using the `ubuntu:latest` image. > **Tip:** > We recommend you always use a specific tagged image, for example @@ -330,7 +330,7 @@ containers will get removed to clean things up. We can then create a container from our new image. - $ sudo docker run -t -i ouruser/sinatra /bin/bash + $ sudo docker run -t -i ouruser/sinatra:v2 /bin/bash root@8196968dac35:/# > **Note:** diff --git a/docs/sources/userguide/dockerizing.md b/docs/sources/userguide/dockerizing.md index cb9beca61a..afe18ce8df 100644 --- a/docs/sources/userguide/dockerizing.md +++ b/docs/sources/userguide/dockerizing.md @@ -13,7 +13,7 @@ application inside a container takes a single command: `docker run`. Let's try it now. - $ sudo docker run ubuntu:14.04 /bin/echo "Hello World!" + $ sudo docker run ubuntu:14.04 /bin/echo 'Hello World' Hello World! And you just launched your first container! @@ -34,7 +34,7 @@ image registry: [Docker Hub](https://hub.docker.com). Next we told Docker what command to run inside our new container: - /bin/echo "Hello World!" + /bin/echo 'Hello World!' When our container was launched Docker created a new Ubuntu 14.04 environment and then executed the `/bin/echo` command inside it. We saw @@ -134,7 +134,7 @@ do that with the `docker ps` command. The `docker ps` command queries the Docker daemon for information about all the container it knows about. - $ docker ps + $ sudo docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 1e5535038e28 ubuntu:14.04 /bin/sh -c 'while tr 2 minutes ago Up 1 minute insane_babbage diff --git a/docs/sources/userguide/dockerlinks.md b/docs/sources/userguide/dockerlinks.md index 5c94879bf0..833f4aed98 100644 --- a/docs/sources/userguide/dockerlinks.md +++ b/docs/sources/userguide/dockerlinks.md @@ -68,7 +68,7 @@ configurations. For example if we've bound the container port to the `localhost` on the host machine this will be shown in the `docker port` output. - $ docker port nostalgic_morse + $ docker port nostalgic_morse 5000 127.0.0.1:49155 > **Note:** @@ -171,14 +171,11 @@ child container in two ways: * Environment variables, * Updating the `/etc/host` file. -Let's look first at the environment variables Docker sets. Inside the `web` -container let's run the `env` command to list the container's environment -variables. - - root@aed84ee21bde:/opt/webapp# env - HOSTNAME=aed84ee21bde +Let's look first at the environment variables Docker sets. Let's run the `env` +command to list the container's environment variables. + $ sudo docker run --rm --name web2 --link db:db training/webapp env . . . - DB_NAME=/web/db + DB_NAME=/web2/db DB_PORT=tcp://172.17.0.5:5432 DB_PORT_5000_TCP=tcp://172.17.0.5:5432 DB_PORT_5000_TCP_PROTO=tcp diff --git a/docs/sources/userguide/dockerrepos.md b/docs/sources/userguide/dockerrepos.md index 5ebad96986..5babfc76f4 100644 --- a/docs/sources/userguide/dockerrepos.md +++ b/docs/sources/userguide/dockerrepos.md @@ -147,7 +147,7 @@ It will stay in sync with your GitHub and BitBucket repository until you deactivate the Automated Build. If you want to see the status of your Automated Builds you can go to your -[Automated Builds page](https://registry.hub.docker.io/builds/) on the Docker Hub, +[Automated Builds page](https://registry.hub.docker.com/builds/) on the Docker Hub, and it will show you the status of your builds, and the build history. Once you've created an Automated Build you can deactivate or delete it. You diff --git a/docs/sources/userguide/dockervolumes.md b/docs/sources/userguide/dockervolumes.md index 0395986def..0c2f6cfac6 100644 --- a/docs/sources/userguide/dockervolumes.md +++ b/docs/sources/userguide/dockervolumes.md @@ -4,7 +4,7 @@ page_keywords: Examples, Usage, volume, docker, documentation, user guide, data, # Managing Data in Containers -So far we've been introduced some [basic Docker +So far we've been introduced to some [basic Docker concepts](/userguide/usingdocker/), seen how to work with [Docker images](/userguide/dockerimages/) as well as learned about [networking and links between containers](/userguide/dockerlinks/). In this section diff --git a/docs/sources/userguide/usingdocker.md b/docs/sources/userguide/usingdocker.md index 96aa7d52e3..54c094bfa9 100644 --- a/docs/sources/userguide/usingdocker.md +++ b/docs/sources/userguide/usingdocker.md @@ -183,6 +183,16 @@ see the application. Our Python application is live! +> **Note:** +> If you have used boot2docker on OSX you'll need to get the IP of the virtual +> host instead of using localhost. You can do this by running the following in +> the boot2docker shell. +> +> $ boot2docker ip +> The VM's Host only interface IP address is: 192.168.59.103 +> +> In this case you'd browse to http://192.168.59.103:49155 for the above example. + ## A Network Port Shortcut Using the `docker ps` command to return the mapped port is a bit clumsy so diff --git a/docs/theme/mkdocs/base.html b/docs/theme/mkdocs/base.html index b4e70002a2..f931be2c90 100644 --- a/docs/theme/mkdocs/base.html +++ b/docs/theme/mkdocs/base.html @@ -66,7 +66,7 @@ -
+ @@ -132,7 +132,7 @@ piCId = '1482'; if (userName) { $('.topmostnav_loggedout').hide(); $('.topmostnav_loggedin').show(); - $('.navbar #usernav .nav li a').text(userName); + $('#logged-in-header-username').text(userName); } else { $('.topmostnav_loggedout').show(); $('.topmostnav_loggedin').hide(); diff --git a/docs/theme/mkdocs/css/docs.css b/docs/theme/mkdocs/css/docs.css index b9fd819c68..0f42e22ef7 100644 --- a/docs/theme/mkdocs/css/docs.css +++ b/docs/theme/mkdocs/css/docs.css @@ -3,6 +3,10 @@ margin-bottom: 10px; } +#top-header .header2 { + font-weight: 400; +} + #usernav > ul { margin-top: 10px; z-index: 99999; @@ -49,6 +53,12 @@ ol li { margin: 0px; padding: 0em; } +#nav_menu > #docsnav > #main-nav > li > a { + color: #253237; +} +#nav_menu > #docsnav > #main-nav > li.dd_on_hover > a { + color: #5992a3; +} #nav_menu > #docsnav > #main-nav > li.dd_on_hover { background: #b1d5df; color: #5992a3; @@ -180,20 +190,42 @@ ol li { line-height: 1.7; } +.content-body ul { + padding: 10px 0px 10px 20px; + list-style-position: inherit; + list-style: circle; +} + +.content-body ul li { + padding-bottom: 5px; +} + +.content-body ul ul { + padding: 10px 0px 10px 40px; +} + .content-body h1 { display: block !important; - font-size: 18px; - font-weight: 700; + font-size: 27px; + font-weight: 400; color: #394d54; line-height: 1.33; - font-weight: normal; margin-bottom: 8px; margin-top: 6px; } -.content-body h2, .content-body h3 { - font-size: 14px; - font-weight: 500; +.content-body h2 { + font-size: 21px; + font-weight: 400; + color: #394d54; + line-height: 1.7; + margin-bottom: 4px; + margin-top: 10px; +} + +.content-body h3 { + font-size: 18px; + font-weight: 400; color: #394d54; line-height: 1.7; margin-bottom: 4px; @@ -234,8 +266,16 @@ ol li { padding-left: 15px; } -.content-body blockquote * { - color: #394d54; +.content-body ul { + margin-top: 0px !important; +} + +.content-body blockquote a { + color: #24b8eb; +} + +.content-body blockquote a:hover { + color: #008bb8; } .content-body ul { @@ -249,6 +289,11 @@ ol li { border-radius: 4px; -webkit-border-radius: 4px; -moz-border-radius: 4px; + overflow-x: auto; +} +.content-body pre code { + overflow-wrap: normal; + white-space: pre; } #leftnav .nav.nav-tabs li a { @@ -267,4 +312,4 @@ ol li { } .navbar #usernav .nav li { padding-top: 0px !important; -} \ No newline at end of file +} diff --git a/docs/theme/mkdocs/css/main.css b/docs/theme/mkdocs/css/main.css index fba97ec03d..42a7a18a56 100644 --- a/docs/theme/mkdocs/css/main.css +++ b/docs/theme/mkdocs/css/main.css @@ -305,7 +305,7 @@ body { margin: 0 auto -379px; } /* Set the fixed height of the footer here */ -#push, +#push-footer, #footer { height: 379px; background: #253237; diff --git a/docs/theme/mkdocs/header.html b/docs/theme/mkdocs/header.html index 9a438d9683..785797f0dc 100644 --- a/docs/theme/mkdocs/header.html +++ b/docs/theme/mkdocs/header.html @@ -31,16 +31,15 @@
diff --git a/docs/theme/mkdocs/images/docker-logo-compressed.png b/docs/theme/mkdocs/images/docker-logo-compressed.png new file mode 100644 index 0000000000..717d09d773 Binary files /dev/null and b/docs/theme/mkdocs/images/docker-logo-compressed.png differ diff --git a/docs/theme/mkdocs/nav.html b/docs/theme/mkdocs/nav.html index e38989d5eb..e8ea5c75cc 100644 --- a/docs/theme/mkdocs/nav.html +++ b/docs/theme/mkdocs/nav.html @@ -4,7 +4,9 @@ {% for menu in nav %} {% if menu.title != '**HIDDEN**' %}
  • - {{ menu.title }} + {% for first_item in menu.children[:1] %} + {{ menu.title }} + {% endfor %}
      {% for menu in menu.children %}
    • diff --git a/engine/remote.go b/engine/remote.go deleted file mode 100644 index 974ca02137..0000000000 --- a/engine/remote.go +++ /dev/null @@ -1,138 +0,0 @@ -package engine - -import ( - "fmt" - "github.com/dotcloud/docker/pkg/beam" - "github.com/dotcloud/docker/pkg/beam/data" - "io" - "os" - "strconv" - "sync" -) - -type Sender struct { - beam.Sender -} - -func NewSender(s beam.Sender) *Sender { - return &Sender{s} -} - -func (s *Sender) Install(eng *Engine) error { - // FIXME: this doesn't exist yet. - eng.RegisterCatchall(s.Handle) - return nil -} - -func (s *Sender) Handle(job *Job) Status { - cmd := append([]string{job.Name}, job.Args...) - env := data.Encode(job.Env().MultiMap()) - msg := data.Empty().Set("cmd", cmd...).Set("env", env) - peer, err := beam.SendConn(s, msg.Bytes()) - if err != nil { - return job.Errorf("beamsend: %v", err) - } - defer peer.Close() - var tasks sync.WaitGroup - defer tasks.Wait() - r := beam.NewRouter(nil) - r.NewRoute().KeyStartsWith("cmd", "log", "stdout").HasAttachment().Handler(func(p []byte, stdout *os.File) error { - tasks.Add(1) - go func() { - io.Copy(job.Stdout, stdout) - stdout.Close() - tasks.Done() - }() - return nil - }) - r.NewRoute().KeyStartsWith("cmd", "log", "stderr").HasAttachment().Handler(func(p []byte, stderr *os.File) error { - tasks.Add(1) - go func() { - io.Copy(job.Stderr, stderr) - stderr.Close() - tasks.Done() - }() - return nil - }) - r.NewRoute().KeyStartsWith("cmd", "log", "stdin").HasAttachment().Handler(func(p []byte, stdin *os.File) error { - go func() { - io.Copy(stdin, job.Stdin) - stdin.Close() - }() - return nil - }) - var status int - r.NewRoute().KeyStartsWith("cmd", "status").Handler(func(p []byte, f *os.File) error { - cmd := data.Message(p).Get("cmd") - if len(cmd) != 2 { - return fmt.Errorf("usage: %s <0-127>", cmd[0]) - } - s, err := strconv.ParseUint(cmd[1], 10, 8) - if err != nil { - return fmt.Errorf("usage: %s <0-127>", cmd[0]) - } - status = int(s) - return nil - - }) - if _, err := beam.Copy(r, peer); err != nil { - return job.Errorf("%v", err) - } - return Status(status) -} - -type Receiver struct { - *Engine - peer beam.Receiver -} - -func NewReceiver(peer beam.Receiver) *Receiver { - return &Receiver{Engine: New(), peer: peer} -} - -func (rcv *Receiver) Run() error { - r := beam.NewRouter(nil) - r.NewRoute().KeyExists("cmd").Handler(func(p []byte, f *os.File) error { - // Use the attachment as a beam return channel - peer, err := beam.FileConn(f) - if err != nil { - f.Close() - return err - } - f.Close() - defer peer.Close() - msg := data.Message(p) - cmd := msg.Get("cmd") - job := rcv.Engine.Job(cmd[0], cmd[1:]...) - // Decode env - env, err := data.Decode(msg.GetOne("env")) - if err != nil { - return fmt.Errorf("error decoding 'env': %v", err) - } - job.Env().InitMultiMap(env) - stdout, err := beam.SendRPipe(peer, data.Empty().Set("cmd", "log", "stdout").Bytes()) - if err != nil { - return err - } - job.Stdout.Add(stdout) - stderr, err := beam.SendRPipe(peer, data.Empty().Set("cmd", "log", "stderr").Bytes()) - if err != nil { - return err - } - job.Stderr.Add(stderr) - stdin, err := beam.SendWPipe(peer, data.Empty().Set("cmd", "log", "stdin").Bytes()) - if err != nil { - return err - } - job.Stdin.Add(stdin) - // ignore error because we pass the raw status - job.Run() - err = peer.Send(data.Empty().Set("cmd", "status", fmt.Sprintf("%d", job.status)).Bytes(), nil) - if err != nil { - return err - } - return nil - }) - _, err := beam.Copy(r, rcv.peer) - return err -} diff --git a/engine/remote_test.go b/engine/remote_test.go deleted file mode 100644 index 1563660c97..0000000000 --- a/engine/remote_test.go +++ /dev/null @@ -1,150 +0,0 @@ -package engine - -import ( - "bufio" - "bytes" - "fmt" - "github.com/dotcloud/docker/pkg/beam" - "github.com/dotcloud/docker/pkg/testutils" - "io" - "strings" - "testing" - "time" -) - -func TestHelloWorld(t *testing.T) { - for i := 0; i < 10; i++ { - testRemote(t, - - // Sender side - func(eng *Engine) { - job := eng.Job("echo", "hello", "world") - out := &bytes.Buffer{} - job.Stdout.Add(out) - job.Run() - if job.status != StatusOK { - t.Fatalf("#%v", job.StatusCode()) - } - lines := bufio.NewScanner(out) - var i int - for lines.Scan() { - if lines.Text() != "hello world" { - t.Fatalf("%#v", lines.Text()) - } - i++ - } - if i != 1000 { - t.Fatalf("%#v", i) - } - }, - - // Receiver side - func(eng *Engine) { - eng.Register("echo", func(job *Job) Status { - // Simulate more output with a delay in the middle - for i := 0; i < 500; i++ { - fmt.Fprintf(job.Stdout, "%s\n", strings.Join(job.Args, " ")) - } - time.Sleep(5 * time.Millisecond) - for i := 0; i < 500; i++ { - fmt.Fprintf(job.Stdout, "%s\n", strings.Join(job.Args, " ")) - } - return StatusOK - }) - }, - ) - } -} - -func TestStdin(t *testing.T) { - testRemote(t, - - func(eng *Engine) { - job := eng.Job("mirror") - job.Stdin.Add(strings.NewReader("hello world!\n")) - out := &bytes.Buffer{} - job.Stdout.Add(out) - if err := job.Run(); err != nil { - t.Fatal(err) - } - if out.String() != "hello world!\n" { - t.Fatalf("%#v", out.String()) - } - }, - - func(eng *Engine) { - eng.Register("mirror", func(job *Job) Status { - if _, err := io.Copy(job.Stdout, job.Stdin); err != nil { - t.Fatal(err) - } - return StatusOK - }) - }, - ) -} - -func TestEnv(t *testing.T) { - var ( - foo string - answer int - shadok_words []string - ) - testRemote(t, - - func(eng *Engine) { - job := eng.Job("sendenv") - job.Env().Set("foo", "bar") - job.Env().SetInt("answer", 42) - job.Env().SetList("shadok_words", []string{"ga", "bu", "zo", "meu"}) - if err := job.Run(); err != nil { - t.Fatal(err) - } - }, - - func(eng *Engine) { - eng.Register("sendenv", func(job *Job) Status { - foo = job.Env().Get("foo") - answer = job.Env().GetInt("answer") - shadok_words = job.Env().GetList("shadok_words") - return StatusOK - }) - }, - ) - // Check for results here rather than inside the job handler, - // otherwise the tests may incorrectly pass if the handler is not - // called. - if foo != "bar" { - t.Fatalf("%#v", foo) - } - if answer != 42 { - t.Fatalf("%#v", answer) - } - if strings.Join(shadok_words, ", ") != "ga, bu, zo, meu" { - t.Fatalf("%#v", shadok_words) - } -} - -// Helpers - -func testRemote(t *testing.T, senderSide, receiverSide func(*Engine)) { - sndConn, rcvConn, err := beam.USocketPair() - if err != nil { - t.Fatal(err) - } - defer sndConn.Close() - defer rcvConn.Close() - sender := NewSender(sndConn) - receiver := NewReceiver(rcvConn) - - // Setup the sender side - eng := New() - sender.Install(eng) - - // Setup the receiver side - receiverSide(receiver.Engine) - go receiver.Run() - - testutils.Timeout(t, func() { - senderSide(eng) - }) -} diff --git a/engine/rengine/main.go b/engine/rengine/main.go deleted file mode 100644 index b4fa01d39c..0000000000 --- a/engine/rengine/main.go +++ /dev/null @@ -1,43 +0,0 @@ -package main - -import ( - "fmt" - "github.com/dotcloud/docker/engine" - "github.com/dotcloud/docker/pkg/beam" - "net" - "os" -) - -func main() { - eng := engine.New() - - c, err := net.Dial("unix", "beam.sock") - if err != nil { - fmt.Fprintf(os.Stderr, "%v\n", err) - return - } - defer c.Close() - f, err := c.(*net.UnixConn).File() - if err != nil { - fmt.Fprintf(os.Stderr, "%v\n", err) - return - } - - child, err := beam.FileConn(f) - if err != nil { - fmt.Fprintf(os.Stderr, "%v\n", err) - return - } - defer child.Close() - - sender := engine.NewSender(child) - sender.Install(eng) - - cmd := eng.Job(os.Args[1], os.Args[2:]...) - cmd.Stdout.Add(os.Stdout) - cmd.Stderr.Add(os.Stderr) - if err := cmd.Run(); err != nil { - fmt.Fprintf(os.Stderr, "%v\n", err) - os.Exit(1) - } -} diff --git a/engine/spawn/spawn.go b/engine/spawn/spawn.go deleted file mode 100644 index 6680845bc1..0000000000 --- a/engine/spawn/spawn.go +++ /dev/null @@ -1,119 +0,0 @@ -package spawn - -import ( - "fmt" - "github.com/dotcloud/docker/engine" - "github.com/dotcloud/docker/pkg/beam" - "github.com/dotcloud/docker/utils" - "os" - "os/exec" -) - -var initCalled bool - -// Init checks if the current process has been created by Spawn. -// -// If no, it returns nil and the original program can continue -// unmodified. -// -// If no, it hijacks the process to run as a child worker controlled -// by its parent over a beam connection, with f exposed as a remote -// service. In this case Init never returns. -// -// The hijacking process takes place as follows: -// - Open file descriptor 3 as a beam endpoint. If this fails, -// terminate the current process. -// - Start a new engine. -// - Call f.Install on the engine. Any handlers registered -// will be available for remote invocation by the parent. -// - Listen for beam messages from the parent and pass them to -// the handlers. -// - When the beam endpoint is closed by the parent, terminate -// the current process. -// -// NOTE: Init must be called at the beginning of the same program -// calling Spawn. This is because Spawn approximates a "fork" by -// re-executing the current binary - where it expects spawn.Init -// to intercept the control flow and execute the worker code. -func Init(f engine.Installer) error { - initCalled = true - if os.Getenv("ENGINESPAWN") != "1" { - return nil - } - fmt.Printf("[%d child]\n", os.Getpid()) - // Hijack the process - childErr := func() error { - fd3 := os.NewFile(3, "beam-introspect") - introsp, err := beam.FileConn(fd3) - if err != nil { - return fmt.Errorf("beam introspection error: %v", err) - } - fd3.Close() - defer introsp.Close() - eng := engine.NewReceiver(introsp) - if err := f.Install(eng.Engine); err != nil { - return err - } - if err := eng.Run(); err != nil { - return err - } - return nil - }() - if childErr != nil { - os.Exit(1) - } - os.Exit(0) - return nil // Never reached -} - -// Spawn starts a new Engine in a child process and returns -// a proxy Engine through which it can be controlled. -// -// The commands available on the child engine are determined -// by an earlier call to Init. It is important that Init be -// called at the very beginning of the current program - this -// allows it to be called as a re-execution hook in the child -// process. -// -// Long story short, if you want to expose `myservice` in a child -// process, do this: -// -// func main() { -// spawn.Init(myservice) -// [..] -// child, err := spawn.Spawn() -// [..] -// child.Job("dosomething").Run() -// } -func Spawn() (*engine.Engine, error) { - if !initCalled { - return nil, fmt.Errorf("spawn.Init must be called at the top of the main() function") - } - cmd := exec.Command(utils.SelfPath()) - cmd.Env = append(cmd.Env, "ENGINESPAWN=1") - local, remote, err := beam.SocketPair() - if err != nil { - return nil, err - } - child, err := beam.FileConn(local) - if err != nil { - local.Close() - remote.Close() - return nil, err - } - local.Close() - cmd.ExtraFiles = append(cmd.ExtraFiles, remote) - // FIXME: the beam/engine glue has no way to inform the caller - // of the child's termination. The next call will simply return - // an error. - if err := cmd.Start(); err != nil { - child.Close() - return nil, err - } - eng := engine.New() - if err := engine.NewSender(child).Install(eng); err != nil { - child.Close() - return nil, err - } - return eng, nil -} diff --git a/engine/spawn/subengine/main.go b/engine/spawn/subengine/main.go deleted file mode 100644 index 3be7520a67..0000000000 --- a/engine/spawn/subengine/main.go +++ /dev/null @@ -1,61 +0,0 @@ -package main - -import ( - "fmt" - "github.com/dotcloud/docker/engine" - "github.com/dotcloud/docker/engine/spawn" - "log" - "os" - "os/exec" - "strings" -) - -func main() { - fmt.Printf("[%d] MAIN\n", os.Getpid()) - spawn.Init(&Worker{}) - fmt.Printf("[%d parent] spawning\n", os.Getpid()) - eng, err := spawn.Spawn() - if err != nil { - log.Fatal(err) - } - fmt.Printf("[parent] spawned\n") - job := eng.Job(os.Args[1], os.Args[2:]...) - job.Stdout.Add(os.Stdout) - job.Stderr.Add(os.Stderr) - job.Run() - // FIXME: use the job's status code - os.Exit(0) -} - -type Worker struct { -} - -func (w *Worker) Install(eng *engine.Engine) error { - eng.Register("exec", w.Exec) - eng.Register("cd", w.Cd) - eng.Register("echo", w.Echo) - return nil -} - -func (w *Worker) Exec(job *engine.Job) engine.Status { - fmt.Printf("--> %v\n", job.Args) - cmd := exec.Command(job.Args[0], job.Args[1:]...) - cmd.Stdout = job.Stdout - cmd.Stderr = os.Stderr - if err := cmd.Run(); err != nil { - return job.Errorf("%v\n", err) - } - return engine.StatusOK -} - -func (w *Worker) Cd(job *engine.Job) engine.Status { - if err := os.Chdir(job.Args[0]); err != nil { - return job.Errorf("%v\n", err) - } - return engine.StatusOK -} - -func (w *Worker) Echo(job *engine.Job) engine.Status { - fmt.Fprintf(job.Stdout, "%s\n", strings.Join(job.Args, " ")) - return engine.StatusOK -} diff --git a/engine/streams_test.go b/engine/streams_test.go index 83dd05c6f4..5cfd5d0e6c 100644 --- a/engine/streams_test.go +++ b/engine/streams_test.go @@ -141,7 +141,7 @@ func TestOutputAdd(t *testing.T) { t.Fatalf("Expected %d, got %d", len(input), n) } if output := b.String(); output != input { - t.Fatal("Received wrong data from Add.\nExpected: '%s'\nGot: '%s'", input, output) + t.Fatalf("Received wrong data from Add.\nExpected: '%s'\nGot: '%s'", input, output) } } diff --git a/engine/table.go b/engine/table.go index 292c4ed677..c7fe3ab444 100644 --- a/engine/table.go +++ b/engine/table.go @@ -137,5 +137,4 @@ func (t *Table) ReadFrom(src io.Reader) (n int64, err error) { } t.Add(env) } - return 0, nil } diff --git a/hack/MAINTAINERS.md b/hack/MAINTAINERS.md index 9dbdf99d9a..8af6013193 100644 --- a/hack/MAINTAINERS.md +++ b/hack/MAINTAINERS.md @@ -24,12 +24,12 @@ speak up! It is every maintainer's responsibility to: -* 1) Expose a clear roadmap for improving their component. -* 2) Deliver prompt feedback and decisions on pull requests. -* 3) Be available to anyone with questions, bug reports, criticism etc. +1. Expose a clear roadmap for improving their component. +2. Deliver prompt feedback and decisions on pull requests. +3. Be available to anyone with questions, bug reports, criticism etc. on their component. This includes IRC, GitHub requests and the mailing list. -* 4) Make sure their component respects the philosophy, design and +4. Make sure their component respects the philosophy, design and roadmap of the project. ## How are decisions made? diff --git a/hack/RELEASE-CHECKLIST.md b/hack/RELEASE-CHECKLIST.md index 2652e16c44..6d7ed15297 100644 --- a/hack/RELEASE-CHECKLIST.md +++ b/hack/RELEASE-CHECKLIST.md @@ -17,30 +17,51 @@ If you don't have an upstream remote, you can add one easily using something like: ```bash +export GITHUBUSER="YOUR_GITHUB_USER" git remote add origin https://github.com/dotcloud/docker.git -git remote add YOURUSER git@github.com:YOURUSER/docker.git +git remote add $GITHUBUSER git@github.com:$GITHUBUSER/docker.git ``` ### 1. Pull from master and create a release branch +Note: Even for major releases, all of X, Y and Z in vX.Y.Z must be specified (e.g. v1.0.0). + ```bash export VERSION=vX.Y.Z -git checkout release -git fetch -git reset --hard origin/release +git fetch origin +git branch -D release || true +git checkout --track origin/release git checkout -b bump_$VERSION git merge origin/master ``` ### 2. Update CHANGELOG.md -You can run this command for reference: +You can run this command for reference with git 2.0: ```bash -LAST_VERSION=$(git tag | grep -E 'v[0-9\.]+$' | sort -nr | head -n 1) -git log --stat $LAST_VERSION..HEAD +git fetch --tags +LAST_VERSION=$(git tag -l --sort=-version:refname "v*" | grep -E 'v[0-9\.]+$' | head -1) +git log --stat $LAST_VERSION..bump_$VERSION ``` +If you don't have git 2.0 but have a sort command that supports `-V`: +```bash +git fetch --tags +LAST_VERSION=$(git tag -l | grep -E 'v[0-9\.]+$' | sort -rV | head -1) +git log --stat $LAST_VERSION..bump_$VERSION +``` + +If releasing a major version (X or Y increased in vX.Y.Z), simply listing notable user-facing features is sufficient. +```markdown +#### Notable features since +* New docker command to do something useful +* Remote API change (deprecating old version) +* Performance improvements in some usecases +* ... +``` + +For minor releases (only Z increases in vX.Y.Z), provide a list of user-facing changes. Each change should be listed under a category heading formatted as `#### CATEGORY`. `CATEGORY` should describe which part of the project is affected. @@ -95,13 +116,7 @@ a count, add a simple `| wc -l`. echo ${VERSION#v} > VERSION ``` -### 4. Run all tests - -```bash -make test -``` - -### 5. Test the docs +### 4. Test the docs Make sure that your tree includes documentation for any modified or new features, syntax or semantic changes. @@ -120,44 +135,41 @@ To make a shared test at http://beta-docs.docker.io: make AWS_S3_BUCKET=beta-docs.docker.io docs-release ``` -### 6. Commit and create a pull request to the "release" branch +### 5. Commit and create a pull request to the "release" branch ```bash +export GITHUBUSER="YOUR_GITHUB_USER" git add VERSION CHANGELOG.md git commit -m "Bump version to $VERSION" -git push origin bump_$VERSION -echo "https://github.com/dotcloud/docker/compare/release...bump_$VERSION" +git push $GITHUBUSER bump_$VERSION +echo "https://github.com/$GITHUBUSER/docker/compare/dotcloud:master...$GITHUBUSER:bump_$VERSION?expand=1" ``` That last command will give you the proper link to visit to ensure that you open the PR against the "release" branch instead of accidentally against "master" (like so many brave souls before you already have). -### 7. Get 2 other maintainers to validate the pull request +### 6. Get 2 other maintainers to validate the pull request -### 8. Publish binaries +### 7. Publish binaries -To run this you will need access to the release credentials. -Get them from [the infrastructure maintainers]( -https://github.com/dotcloud/docker/blob/master/hack/infrastructure/MAINTAINERS). +To run this you will need access to the release credentials. Get them from the Core maintainers. + +Replace "..." with the respective credentials: ```bash docker build -t docker . -export AWS_S3_BUCKET="test.docker.io" -export AWS_ACCESS_KEY="$(cat ~/.aws/access_key)" -export AWS_SECRET_KEY="$(cat ~/.aws/secret_key)" -export GPG_PASSPHRASE=supersecretsesame docker run \ -e AWS_S3_BUCKET=test.docker.io \ - -e AWS_ACCESS_KEY \ - -e AWS_SECRET_KEY \ - -e GPG_PASSPHRASE \ + -e AWS_ACCESS_KEY="..." \ + -e AWS_SECRET_KEY="..." \ + -e GPG_PASSPHRASE="..." \ -i -t --privileged \ docker \ hack/release.sh ``` -It will run the test suite one more time, build the binaries and packages, +It will run the test suite, build the binaries and packages, and upload to the specified bucket (you should use test.docker.io for general testing, and once everything is fine, switch to get.docker.io as noted below). @@ -183,15 +195,15 @@ get.docker.io: ```bash docker run \ -e AWS_S3_BUCKET=get.docker.io \ - -e AWS_ACCESS_KEY \ - -e AWS_SECRET_KEY \ - -e GPG_PASSPHRASE \ + -e AWS_ACCESS_KEY="..." \ + -e AWS_SECRET_KEY="..." \ + -e GPG_PASSPHRASE="..." \ -i -t --privileged \ docker \ hack/release.sh ``` -### 9. Breakathon +### 8. Breakathon Spend several days along with the community explicitly investing time and resources to try and break Docker in every possible way, documenting any @@ -207,28 +219,28 @@ by the book. Any issues found may still remain issues for this release, but they should be documented and give appropriate warnings. -### 10. Apply tag +### 9. Apply tag + +It's very important that we don't make the tag until after the official +release is uploaded to get.docker.io! ```bash git tag -a $VERSION -m $VERSION bump_$VERSION git push origin $VERSION ``` -It's very important that we don't make the tag until after the official -release is uploaded to get.docker.io! - -### 11. Go to github to merge the `bump_$VERSION` branch into release +### 10. Go to github to merge the `bump_$VERSION` branch into release Don't forget to push that pretty blue button to delete the leftover branch afterwards! -### 12. Update the docs branch +### 11. Update the docs branch You will need the `awsconfig` file added to the `docs/` directory to contain the s3 credentials for the bucket you are deploying to. ```bash -git checkout docs +git checkout -b docs release || git checkout docs git fetch git reset --hard origin/release git push -f origin docs @@ -239,7 +251,7 @@ The docs will appear on http://docs.docker.io/ (though there may be cached versions, so its worth checking http://docs.docker.io.s3-website-us-west-2.amazonaws.com/). For more information about documentation releases, see `docs/README.md`. -### 13. Create a new pull request to merge release back into master +### 12. Create a new pull request to merge release back into master ```bash git checkout master @@ -250,14 +262,14 @@ git checkout -b merge_release_$VERSION echo ${VERSION#v}-dev > VERSION git add VERSION git commit -m "Change version to $(cat VERSION)" -git push origin merge_release_$VERSION -echo "https://github.com/dotcloud/docker/compare/master...merge_release_$VERSION" +git push $GITHUBUSER merge_release_$VERSION +echo "https://github.com/$GITHUBUSER/docker/compare/dotcloud:master...$GITHUBUSER:merge_release_$VERSION?expand=1" ``` Again, get two maintainers to validate, then merge, then push that pretty blue button to delete your branch. -### 14. Rejoice and Evangelize! +### 13. Rejoice and Evangelize! Congratulations! You're done. diff --git a/hack/ROADMAP.md b/hack/ROADMAP.md index 01fac1f712..c38be56f44 100644 --- a/hack/ROADMAP.md +++ b/hack/ROADMAP.md @@ -39,7 +39,3 @@ Expanding Docker’s kernel support is a priority. This includes running on olde ## Cross-architecture support Our goal is to make Docker run everywhere. However currently Docker only runs on x86_64 systems. We plan on expanding architecture support, so that Docker containers can be created and used on more architectures. - -## Production-ready - -Docker is still beta software, and not suited for production. We are working hard to get there, and we are confident that it will be possible within a few months. Stay tuned for a more detailed roadmap soon. diff --git a/hack/make.sh b/hack/make.sh index cc5582a8df..d5bcfcfbc0 100755 --- a/hack/make.sh +++ b/hack/make.sh @@ -50,7 +50,7 @@ DEFAULT_BUNDLES=( test-integration-cli dynbinary - dyntest + dyntest-unit dyntest-integration cover diff --git a/hack/make/dyntest b/hack/make/dyntest-unit similarity index 71% rename from hack/make/dyntest rename to hack/make/dyntest-unit index 56f624b1f5..ce934f1849 100644 --- a/hack/make/dyntest +++ b/hack/make/dyntest-unit @@ -5,7 +5,7 @@ DEST=$1 INIT=$DEST/../dynbinary/dockerinit-$VERSION if [ ! -x "$INIT" ]; then - echo >&2 'error: dynbinary must be run before dyntest' + echo >&2 'error: dynbinary must be run before dyntest-unit' false fi @@ -14,5 +14,5 @@ fi export LDFLAGS_STATIC_DOCKER=" -X github.com/dotcloud/docker/dockerversion.INITSHA1 \"$DOCKER_INITSHA1\" " - source "$(dirname "$BASH_SOURCE")/test" + source "$(dirname "$BASH_SOURCE")/test-unit" ) diff --git a/hack/vendor.sh b/hack/vendor.sh index 8084f2eb9d..e5158b1d8a 100755 --- a/hack/vendor.sh +++ b/hack/vendor.sh @@ -61,3 +61,4 @@ mv tmp-tar src/code.google.com/p/go/src/pkg/archive/tar clone git github.com/godbus/dbus v1 clone git github.com/coreos/go-systemd v2 +clone git github.com/docker/libcontainer v1.0.1 diff --git a/integration-cli/build_tests/TestBuildHistory/Dockerfile b/integration-cli/build_tests/TestBuildHistory/Dockerfile new file mode 100644 index 0000000000..56c47105cc --- /dev/null +++ b/integration-cli/build_tests/TestBuildHistory/Dockerfile @@ -0,0 +1,28 @@ +FROM busybox + +RUN echo "A" +RUN echo "B" +RUN echo "C" +RUN echo "D" +RUN echo "E" +RUN echo "F" +RUN echo "G" +RUN echo "H" +RUN echo "I" +RUN echo "J" +RUN echo "K" +RUN echo "L" +RUN echo "M" +RUN echo "N" +RUN echo "O" +RUN echo "P" +RUN echo "Q" +RUN echo "R" +RUN echo "S" +RUN echo "T" +RUN echo "U" +RUN echo "V" +RUN echo "W" +RUN echo "X" +RUN echo "Y" +RUN echo "Z" diff --git a/integration-cli/docker_cli_attach_test.go b/integration-cli/docker_cli_attach_test.go index 1480b807aa..606480c875 100644 --- a/integration-cli/docker_cli_attach_test.go +++ b/integration-cli/docker_cli_attach_test.go @@ -10,11 +10,19 @@ import ( func TestMultipleAttachRestart(t *testing.T) { cmd := exec.Command(dockerBinary, "run", "--name", "attacher", "-d", "busybox", - "/bin/sh", "-c", "sleep 1 && echo hello") + "/bin/sh", "-c", "sleep 2 && echo hello") group := sync.WaitGroup{} group.Add(4) + defer func() { + cmd = exec.Command(dockerBinary, "kill", "attacher") + if _, err := runCommand(cmd); err != nil { + t.Fatal(err) + } + deleteAllContainers() + }() + go func() { defer group.Done() out, _, err := runCommandWithOutput(cmd) @@ -41,11 +49,5 @@ func TestMultipleAttachRestart(t *testing.T) { group.Wait() - cmd = exec.Command(dockerBinary, "kill", "attacher") - if _, err := runCommand(cmd); err != nil { - t.Fatal(err) - } - deleteAllContainers() - - logDone("run - multiple attach") + logDone("attach - multiple attach") } diff --git a/integration-cli/docker_cli_build_test.go b/integration-cli/docker_cli_build_test.go index f000235843..9a360c1964 100644 --- a/integration-cli/docker_cli_build_test.go +++ b/integration-cli/docker_cli_build_test.go @@ -588,6 +588,7 @@ func TestBuildRm(t *testing.T) { logDone("build - ensure --rm doesn't leave containers behind and that --rm=true is the default") logDone("build - ensure --rm=false overrides the default") } + func TestBuildWithVolumes(t *testing.T) { name := "testbuildvolumes" expected := "map[/test1:map[] /test2:map[]]" @@ -766,6 +767,68 @@ func TestBuildEntrypoint(t *testing.T) { logDone("build - entrypoint") } +// #6445 ensure ONBUILD triggers aren't committed to grandchildren +func TestBuildOnBuildLimitedInheritence(t *testing.T) { + name1 := "testonbuildtrigger1" + dockerfile1 := ` + FROM busybox + RUN echo "GRANDPARENT" + ONBUILD RUN echo "ONBUILD PARENT" + ` + ctx1, err := fakeContext(dockerfile1, nil) + if err != nil { + t.Fatal(err) + } + + buildCmd := exec.Command(dockerBinary, "build", "-t", name1, ".") + buildCmd.Dir = ctx1.Dir + out1, _, err := runCommandWithOutput(buildCmd) + errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out1, err)) + defer deleteImages(name1) + + name2 := "testonbuildtrigger2" + dockerfile2 := ` + FROM testonbuildtrigger1 + ` + ctx2, err := fakeContext(dockerfile2, nil) + if err != nil { + t.Fatal(err) + } + + buildCmd = exec.Command(dockerBinary, "build", "-t", name2, ".") + buildCmd.Dir = ctx2.Dir + out2, _, err := runCommandWithOutput(buildCmd) + errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out2, err)) + defer deleteImages(name2) + + name3 := "testonbuildtrigger3" + dockerfile3 := ` + FROM testonbuildtrigger2 + ` + ctx3, err := fakeContext(dockerfile3, nil) + if err != nil { + t.Fatal(err) + } + + buildCmd = exec.Command(dockerBinary, "build", "-t", name3, ".") + buildCmd.Dir = ctx3.Dir + out3, _, err := runCommandWithOutput(buildCmd) + errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out3, err)) + defer deleteImages(name3) + + // ONBUILD should be run in second build. + if !strings.Contains(out2, "ONBUILD PARENT") { + t.Fatalf("ONBUILD instruction did not run in child of ONBUILD parent") + } + + // ONBUILD should *not* be run in third build. + if strings.Contains(out3, "ONBUILD PARENT") { + t.Fatalf("ONBUILD instruction ran in grandchild of ONBUILD parent") + } + + logDone("build - onbuild") +} + func TestBuildWithCache(t *testing.T) { name := "testbuildwithcache" defer deleteImages(name) @@ -1133,3 +1196,251 @@ func TestBuildWithVolumeOwnership(t *testing.T) { logDone("build - volume ownership") } + +// testing #1405 - config.Cmd does not get cleaned up if +// utilizing cache +func TestBuildEntrypointRunCleanup(t *testing.T) { + name := "testbuildcmdcleanup" + defer deleteImages(name) + if _, err := buildImage(name, + `FROM busybox + RUN echo "hello"`, + true); err != nil { + t.Fatal(err) + } + + ctx, err := fakeContext(`FROM busybox + RUN echo "hello" + ADD foo /foo + ENTRYPOINT ["/bin/echo"]`, + map[string]string{ + "foo": "hello", + }) + defer ctx.Close() + if err != nil { + t.Fatal(err) + } + if _, err := buildImageFromContext(name, ctx, true); err != nil { + t.Fatal(err) + } + res, err := inspectField(name, "Config.Cmd") + if err != nil { + t.Fatal(err) + } + // Cmd inherited from busybox, maybe will be fixed in #5147 + if expected := "[/bin/sh]"; res != expected { + t.Fatalf("Cmd %s, expected %s", res, expected) + } + logDone("build - cleanup cmd after RUN") +} + +func TestBuldForbiddenContextPath(t *testing.T) { + name := "testbuildforbidpath" + defer deleteImages(name) + ctx, err := fakeContext(`FROM scratch + ADD ../../ test/ + `, + map[string]string{ + "test.txt": "test1", + "other.txt": "other", + }) + + defer ctx.Close() + if err != nil { + t.Fatal(err) + } + if _, err := buildImageFromContext(name, ctx, true); err != nil { + if !strings.Contains(err.Error(), "Forbidden path outside the build context: ../../ (/)") { + t.Fatal("Wrong error, must be about forbidden ../../ path") + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - forbidden context path") +} + +func TestBuildADDFileNotFound(t *testing.T) { + name := "testbuildaddnotfound" + defer deleteImages(name) + ctx, err := fakeContext(`FROM scratch + ADD foo /usr/local/bar`, + map[string]string{"bar": "hello"}) + defer ctx.Close() + if err != nil { + t.Fatal(err) + } + if _, err := buildImageFromContext(name, ctx, true); err != nil { + if !strings.Contains(err.Error(), "foo: no such file or directory") { + t.Fatalf("Wrong error %v, must be about missing foo file or directory", err) + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - add file not found") +} + +func TestBuildInheritance(t *testing.T) { + name := "testbuildinheritance" + defer deleteImages(name) + + _, err := buildImage(name, + `FROM scratch + EXPOSE 2375`, + true) + if err != nil { + t.Fatal(err) + } + ports1, err := inspectField(name, "Config.ExposedPorts") + if err != nil { + t.Fatal(err) + } + + _, err = buildImage(name, + fmt.Sprintf(`FROM %s + ENTRYPOINT ["/bin/echo"]`, name), + true) + if err != nil { + t.Fatal(err) + } + + res, err := inspectField(name, "Config.Entrypoint") + if err != nil { + t.Fatal(err) + } + if expected := "[/bin/echo]"; res != expected { + t.Fatalf("Entrypoint %s, expected %s", res, expected) + } + ports2, err := inspectField(name, "Config.ExposedPorts") + if err != nil { + t.Fatal(err) + } + if ports1 != ports2 { + t.Fatalf("Ports must be same: %s != %s", ports1, ports2) + } + logDone("build - inheritance") +} + +func TestBuildFails(t *testing.T) { + name := "testbuildfails" + defer deleteImages(name) + _, err := buildImage(name, + `FROM busybox + RUN sh -c "exit 23"`, + true) + if err != nil { + if !strings.Contains(err.Error(), "returned a non-zero code: 23") { + t.Fatalf("Wrong error %v, must be about non-zero code 23", err) + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - fails") +} + +func TestBuildFailsDockerfileEmpty(t *testing.T) { + name := "testbuildfails" + defer deleteImages(name) + _, err := buildImage(name, ``, true) + if err != nil { + if !strings.Contains(err.Error(), "Dockerfile cannot be empty") { + t.Fatalf("Wrong error %v, must be about empty Dockerfile", err) + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - fails with empty dockerfile") +} + +func TestBuildOnBuild(t *testing.T) { + name := "testbuildonbuild" + defer deleteImages(name) + _, err := buildImage(name, + `FROM busybox + ONBUILD RUN touch foobar`, + true) + if err != nil { + t.Fatal(err) + } + _, err = buildImage(name, + fmt.Sprintf(`FROM %s + RUN [ -f foobar ]`, name), + true) + if err != nil { + t.Fatal(err) + } + logDone("build - onbuild") +} + +func TestBuildOnBuildForbiddenChained(t *testing.T) { + name := "testbuildonbuildforbiddenchained" + defer deleteImages(name) + _, err := buildImage(name, + `FROM busybox + ONBUILD ONBUILD RUN touch foobar`, + true) + if err != nil { + if !strings.Contains(err.Error(), "Chaining ONBUILD via `ONBUILD ONBUILD` isn't allowed") { + t.Fatalf("Wrong error %v, must be about chaining ONBUILD", err) + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - onbuild forbidden chained") +} + +func TestBuildOnBuildForbiddenFrom(t *testing.T) { + name := "testbuildonbuildforbiddenfrom" + defer deleteImages(name) + _, err := buildImage(name, + `FROM busybox + ONBUILD FROM scratch`, + true) + if err != nil { + if !strings.Contains(err.Error(), "FROM isn't allowed as an ONBUILD trigger") { + t.Fatalf("Wrong error %v, must be about FROM forbidden", err) + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - onbuild forbidden from") +} + +func TestBuildOnBuildForbiddenMaintainer(t *testing.T) { + name := "testbuildonbuildforbiddenmaintainer" + defer deleteImages(name) + _, err := buildImage(name, + `FROM busybox + ONBUILD MAINTAINER docker.io`, + true) + if err != nil { + if !strings.Contains(err.Error(), "MAINTAINER isn't allowed as an ONBUILD trigger") { + t.Fatalf("Wrong error %v, must be about MAINTAINER forbidden", err) + } + } else { + t.Fatal("Error must not be nil") + } + logDone("build - onbuild forbidden maintainer") +} + +// gh #2446 +func TestBuildAddToSymlinkDest(t *testing.T) { + name := "testbuildaddtosymlinkdest" + defer deleteImages(name) + ctx, err := fakeContext(`FROM busybox + RUN mkdir /foo + RUN ln -s /foo /bar + ADD foo /bar/ + RUN [ -f /bar/foo ] + RUN [ -f /foo/foo ]`, + map[string]string{ + "foo": "hello", + }) + if err != nil { + t.Fatal(err) + } + defer ctx.Close() + if _, err := buildImageFromContext(name, ctx, true); err != nil { + t.Fatal(err) + } + logDone("build - add to symlink destination") +} diff --git a/integration-cli/docker_cli_history_test.go b/integration-cli/docker_cli_history_test.go new file mode 100644 index 0000000000..42edec2fd6 --- /dev/null +++ b/integration-cli/docker_cli_history_test.go @@ -0,0 +1,43 @@ +package main + +import ( + "fmt" + "os/exec" + "path/filepath" + "strings" + "testing" +) + +// This is a heisen-test. Because the created timestamp of images and the behavior of +// sort is not predictable it doesn't always fail. +func TestBuildHistory(t *testing.T) { + buildDirectory := filepath.Join(workingDirectory, "build_tests", "TestBuildHistory") + buildCmd := exec.Command(dockerBinary, "build", "-t", "testbuildhistory", ".") + + buildCmd.Dir = buildDirectory + out, exitCode, err := runCommandWithOutput(buildCmd) + errorOut(err, t, fmt.Sprintf("build failed to complete: %v %v", out, err)) + if err != nil || exitCode != 0 { + t.Fatal("failed to build the image") + } + + out, exitCode, err = runCommandWithOutput(exec.Command(dockerBinary, "history", "testbuildhistory")) + errorOut(err, t, fmt.Sprintf("image history failed: %v %v", out, err)) + if err != nil || exitCode != 0 { + t.Fatal("failed to get image history") + } + + actual_values := strings.Split(out, "\n")[1:27] + expected_values := [26]string{"Z", "Y", "X", "W", "V", "U", "T", "S", "R", "Q", "P", "O", "N", "M", "L", "K", "J", "I", "H", "G", "F", "E", "D", "C", "B", "A"} + + for i := 0; i < 26; i++ { + echo_value := fmt.Sprintf("echo \"%s\"", expected_values[i]) + actual_value := actual_values[i] + + if !strings.Contains(actual_value, echo_value) { + t.Fatalf("Expected layer \"%s\", but was: %s", expected_values[i], actual_value) + } + } + + deleteImages("testbuildhistory") +} diff --git a/integration-cli/docker_cli_images_test.go b/integration-cli/docker_cli_images_test.go index 82b70bab40..b27bc870fe 100644 --- a/integration-cli/docker_cli_images_test.go +++ b/integration-cli/docker_cli_images_test.go @@ -27,14 +27,14 @@ func TestCLIImageTagRemove(t *testing.T) { { imagesAfter, _, _ := cmd(t, "images", "-a") if nLines(imagesAfter) != nLines(imagesBefore)+3 { - t.Fatalf("before: %#s\n\nafter: %#s\n", imagesBefore, imagesAfter) + t.Fatalf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter) } } cmd(t, "rmi", "utest/docker:tag2") { imagesAfter, _, _ := cmd(t, "images", "-a") if nLines(imagesAfter) != nLines(imagesBefore)+2 { - t.Fatalf("before: %#s\n\nafter: %#s\n", imagesBefore, imagesAfter) + t.Fatalf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter) } } @@ -42,7 +42,7 @@ func TestCLIImageTagRemove(t *testing.T) { { imagesAfter, _, _ := cmd(t, "images", "-a") if nLines(imagesAfter) != nLines(imagesBefore)+1 { - t.Fatalf("before: %#s\n\nafter: %#s\n", imagesBefore, imagesAfter) + t.Fatalf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter) } } @@ -50,7 +50,7 @@ func TestCLIImageTagRemove(t *testing.T) { { imagesAfter, _, _ := cmd(t, "images", "-a") if nLines(imagesAfter) != nLines(imagesBefore)+0 { - t.Fatalf("before: %#s\n\nafter: %#s\n", imagesBefore, imagesAfter) + t.Fatalf("before: %q\n\nafter: %q\n", imagesBefore, imagesAfter) } } diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go index 545ad371ee..fc71f01820 100644 --- a/integration-cli/docker_cli_run_test.go +++ b/integration-cli/docker_cli_run_test.go @@ -4,7 +4,6 @@ import ( "fmt" "os" "os/exec" - "path/filepath" "reflect" "regexp" "sort" @@ -444,44 +443,75 @@ func TestCreateVolume(t *testing.T) { // Test that creating a volume with a symlink in its path works correctly. Test for #5152. // Note that this bug happens only with symlinks with a target that starts with '/'. -func TestVolumeWithSymlink(t *testing.T) { - buildDirectory := filepath.Join(workingDirectory, "run_tests", "TestVolumeWithSymlink") - buildCmd := exec.Command(dockerBinary, "build", "-t", "docker-test-volumewithsymlink", ".") - buildCmd.Dir = buildDirectory +func TestCreateVolumeWithSymlink(t *testing.T) { + buildCmd := exec.Command(dockerBinary, "build", "-t", "docker-test-createvolumewithsymlink", "-") + buildCmd.Stdin = strings.NewReader(`FROM busybox + RUN mkdir /foo && ln -s /foo /bar`) + buildCmd.Dir = workingDirectory err := buildCmd.Run() if err != nil { - t.Fatal("could not build 'docker-test-volumewithsymlink': %v", err) + t.Fatalf("could not build 'docker-test-createvolumewithsymlink': %v", err) } - cmd := exec.Command(dockerBinary, "run", "-v", "/bar/foo", "--name", "test-volumewithsymlink", "docker-test-volumewithsymlink", "sh", "-c", "mount | grep -q /foo/foo") + cmd := exec.Command(dockerBinary, "run", "-v", "/bar/foo", "--name", "test-createvolumewithsymlink", "docker-test-createvolumewithsymlink", "sh", "-c", "mount | grep -q /foo/foo") exitCode, err := runCommand(cmd) if err != nil || exitCode != 0 { - t.Fatal("[run] err: %v, exitcode: %d", err, exitCode) + t.Fatalf("[run] err: %v, exitcode: %d", err, exitCode) } var volPath string - cmd = exec.Command(dockerBinary, "inspect", "-f", "{{range .Volumes}}{{.}}{{end}}", "test-volumewithsymlink") + cmd = exec.Command(dockerBinary, "inspect", "-f", "{{range .Volumes}}{{.}}{{end}}", "test-createvolumewithsymlink") volPath, exitCode, err = runCommandWithOutput(cmd) if err != nil || exitCode != 0 { - t.Fatal("[inspect] err: %v, exitcode: %d", err, exitCode) + t.Fatalf("[inspect] err: %v, exitcode: %d", err, exitCode) } - cmd = exec.Command(dockerBinary, "rm", "-v", "test-volumewithsymlink") + cmd = exec.Command(dockerBinary, "rm", "-v", "test-createvolumewithsymlink") exitCode, err = runCommand(cmd) if err != nil || exitCode != 0 { - t.Fatal("[rm] err: %v, exitcode: %d", err, exitCode) + t.Fatalf("[rm] err: %v, exitcode: %d", err, exitCode) } f, err := os.Open(volPath) defer f.Close() if !os.IsNotExist(err) { - t.Fatal("[open] (expecting 'file does not exist' error) err: %v, volPath: %s", err, volPath) + t.Fatalf("[open] (expecting 'file does not exist' error) err: %v, volPath: %s", err, volPath) } - deleteImages("docker-test-volumewithsymlink") + deleteImages("docker-test-createvolumewithsymlink") deleteAllContainers() - logDone("run - volume with symlink") + logDone("run - create volume with symlink") +} + +// Tests that a volume path that has a symlink exists in a container mounting it with `--volumes-from`. +func TestVolumesFromSymlinkPath(t *testing.T) { + buildCmd := exec.Command(dockerBinary, "build", "-t", "docker-test-volumesfromsymlinkpath", "-") + buildCmd.Stdin = strings.NewReader(`FROM busybox + RUN mkdir /baz && ln -s /baz /foo + VOLUME ["/foo/bar"]`) + buildCmd.Dir = workingDirectory + err := buildCmd.Run() + if err != nil { + t.Fatalf("could not build 'docker-test-volumesfromsymlinkpath': %v", err) + } + + cmd := exec.Command(dockerBinary, "run", "--name", "test-volumesfromsymlinkpath", "docker-test-volumesfromsymlinkpath") + exitCode, err := runCommand(cmd) + if err != nil || exitCode != 0 { + t.Fatalf("[run] (volume) err: %v, exitcode: %d", err, exitCode) + } + + cmd = exec.Command(dockerBinary, "run", "--volumes-from", "test-volumesfromsymlinkpath", "busybox", "sh", "-c", "ls /foo | grep -q bar") + exitCode, err = runCommand(cmd) + if err != nil || exitCode != 0 { + t.Fatalf("[run] err: %v, exitcode: %d", err, exitCode) + } + + deleteImages("docker-test-volumesfromsymlinkpath") + deleteAllContainers() + + logDone("run - volumes-from symlink path") } func TestExitCode(t *testing.T) { @@ -885,3 +915,34 @@ func TestRunUnprivilegedWithChroot(t *testing.T) { logDone("run - unprivileged with chroot") } + +func TestModeHostname(t *testing.T) { + cmd := exec.Command(dockerBinary, "run", "-h=testhostname", "busybox", "cat", "/etc/hostname") + + out, _, err := runCommandWithOutput(cmd) + if err != nil { + t.Fatal(err, out) + } + + if actual := strings.Trim(out, "\r\n"); actual != "testhostname" { + t.Fatalf("expected 'testhostname', but says: '%s'", actual) + } + + cmd = exec.Command(dockerBinary, "run", "--net=host", "busybox", "cat", "/etc/hostname") + + out, _, err = runCommandWithOutput(cmd) + if err != nil { + t.Fatal(err, out) + } + hostname, err := os.Hostname() + if err != nil { + t.Fatal(err) + } + if actual := strings.Trim(out, "\r\n"); actual != hostname { + t.Fatalf("expected '%s', but says: '%s'", hostname, actual) + } + + deleteAllContainers() + + logDone("run - hostname and several network modes") +} diff --git a/integration-cli/run_tests/TestVolumeWithSymlink/Dockerfile b/integration-cli/run_tests/TestVolumeWithSymlink/Dockerfile deleted file mode 100644 index 46bed8540b..0000000000 --- a/integration-cli/run_tests/TestVolumeWithSymlink/Dockerfile +++ /dev/null @@ -1,3 +0,0 @@ -FROM busybox - -RUN mkdir /foo && ln -s /foo /bar diff --git a/integration/api_test.go b/integration/api_test.go index 969e0fbaf2..103df949e6 100644 --- a/integration/api_test.go +++ b/integration/api_test.go @@ -16,7 +16,6 @@ import ( "github.com/dotcloud/docker/api" "github.com/dotcloud/docker/api/server" - "github.com/dotcloud/docker/daemon" "github.com/dotcloud/docker/engine" "github.com/dotcloud/docker/image" "github.com/dotcloud/docker/runconfig" @@ -502,37 +501,6 @@ func TestGetContainersTop(t *testing.T) { } } -func TestGetContainersByName(t *testing.T) { - eng := NewTestEngine(t) - defer mkDaemonFromEngine(eng, t).Nuke() - - // Create a container and remove a file - containerID := createTestContainer(eng, - &runconfig.Config{ - Image: unitTestImageID, - Cmd: []string{"echo", "test"}, - }, - t, - ) - - r := httptest.NewRecorder() - req, err := http.NewRequest("GET", "/containers/"+containerID+"/json", nil) - if err != nil { - t.Fatal(err) - } - if err := server.ServeRequest(eng, api.APIVERSION, r, req); err != nil { - t.Fatal(err) - } - assertHttpNotError(r, t) - outContainer := &daemon.Container{} - if err := json.Unmarshal(r.Body.Bytes(), outContainer); err != nil { - t.Fatal(err) - } - if outContainer.ID != containerID { - t.Fatalf("Wrong containers retrieved. Expected %s, received %s", containerID, outContainer.ID) - } -} - func TestPostCommit(t *testing.T) { eng := NewTestEngine(t) defer mkDaemonFromEngine(eng, t).Nuke() diff --git a/integration/buildfile_test.go b/integration/buildfile_test.go index 8c02cf043c..147ae353a2 100644 --- a/integration/buildfile_test.go +++ b/integration/buildfile_test.go @@ -14,7 +14,6 @@ import ( "github.com/dotcloud/docker/archive" "github.com/dotcloud/docker/engine" "github.com/dotcloud/docker/image" - "github.com/dotcloud/docker/nat" "github.com/dotcloud/docker/server" "github.com/dotcloud/docker/utils" ) @@ -413,267 +412,3 @@ func buildImage(context testContextTemplate, t *testing.T, eng *engine.Engine, u err = json.NewDecoder(buffer).Decode(image) return image, err } - -// testing #1405 - config.Cmd does not get cleaned up if -// utilizing cache -func TestBuildEntrypointRunCleanup(t *testing.T) { - eng := NewTestEngine(t) - defer nuke(mkDaemonFromEngine(eng, t)) - - img, err := buildImage(testContextTemplate{` - from {IMAGE} - run echo "hello" - `, - nil, nil}, t, eng, true) - if err != nil { - t.Fatal(err) - } - - img, err = buildImage(testContextTemplate{` - from {IMAGE} - run echo "hello" - add foo /foo - entrypoint ["/bin/echo"] - `, - [][2]string{{"foo", "HEYO"}}, nil}, t, eng, true) - if err != nil { - t.Fatal(err) - } - - if len(img.Config.Cmd) != 0 { - t.Fail() - } -} - -func TestForbiddenContextPath(t *testing.T) { - eng := NewTestEngine(t) - defer nuke(mkDaemonFromEngine(eng, t)) - srv := mkServerFromEngine(eng, t) - - context := testContextTemplate{` - from {IMAGE} - maintainer dockerio - add ../../ test/ - `, - [][2]string{{"test.txt", "test1"}, {"other.txt", "other"}}, nil} - - httpServer, err := mkTestingFileServer(context.remoteFiles) - if err != nil { - t.Fatal(err) - } - defer httpServer.Close() - - idx := strings.LastIndex(httpServer.URL, ":") - if idx < 0 { - t.Fatalf("could not get port from test http server address %s", httpServer.URL) - } - port := httpServer.URL[idx+1:] - - iIP := eng.Hack_GetGlobalVar("httpapi.bridgeIP") - if iIP == nil { - t.Fatal("Legacy bridgeIP field not set in engine") - } - ip, ok := iIP.(net.IP) - if !ok { - panic("Legacy bridgeIP field in engine does not cast to net.IP") - } - dockerfile := constructDockerfile(context.dockerfile, ip, port) - - buildfile := server.NewBuildFile(srv, ioutil.Discard, ioutil.Discard, false, true, false, false, ioutil.Discard, utils.NewStreamFormatter(false), nil, nil) - _, err = buildfile.Build(context.Archive(dockerfile, t)) - - if err == nil { - t.Log("Error should not be nil") - t.Fail() - } - - if err.Error() != "Forbidden path outside the build context: ../../ (/)" { - t.Logf("Error message is not expected: %s", err.Error()) - t.Fail() - } -} - -func TestBuildADDFileNotFound(t *testing.T) { - eng := NewTestEngine(t) - defer nuke(mkDaemonFromEngine(eng, t)) - - context := testContextTemplate{` - from {IMAGE} - add foo /usr/local/bar - `, - nil, nil} - - httpServer, err := mkTestingFileServer(context.remoteFiles) - if err != nil { - t.Fatal(err) - } - defer httpServer.Close() - - idx := strings.LastIndex(httpServer.URL, ":") - if idx < 0 { - t.Fatalf("could not get port from test http server address %s", httpServer.URL) - } - port := httpServer.URL[idx+1:] - - iIP := eng.Hack_GetGlobalVar("httpapi.bridgeIP") - if iIP == nil { - t.Fatal("Legacy bridgeIP field not set in engine") - } - ip, ok := iIP.(net.IP) - if !ok { - panic("Legacy bridgeIP field in engine does not cast to net.IP") - } - dockerfile := constructDockerfile(context.dockerfile, ip, port) - - buildfile := server.NewBuildFile(mkServerFromEngine(eng, t), ioutil.Discard, ioutil.Discard, false, true, false, false, ioutil.Discard, utils.NewStreamFormatter(false), nil, nil) - _, err = buildfile.Build(context.Archive(dockerfile, t)) - - if err == nil { - t.Log("Error should not be nil") - t.Fail() - } - - if err.Error() != "foo: no such file or directory" { - t.Logf("Error message is not expected: %s", err.Error()) - t.Fail() - } -} - -func TestBuildInheritance(t *testing.T) { - eng := NewTestEngine(t) - defer nuke(mkDaemonFromEngine(eng, t)) - - img, err := buildImage(testContextTemplate{` - from {IMAGE} - expose 2375 - `, - nil, nil}, t, eng, true) - - if err != nil { - t.Fatal(err) - } - - img2, _ := buildImage(testContextTemplate{fmt.Sprintf(` - from %s - entrypoint ["/bin/echo"] - `, img.ID), - nil, nil}, t, eng, true) - - if err != nil { - t.Fatal(err) - } - - // from child - if img2.Config.Entrypoint[0] != "/bin/echo" { - t.Fail() - } - - // from parent - if _, exists := img.Config.ExposedPorts[nat.NewPort("tcp", "2375")]; !exists { - t.Fail() - } -} - -func TestBuildFails(t *testing.T) { - _, err := buildImage(testContextTemplate{` - from {IMAGE} - run sh -c "exit 23" - `, - nil, nil}, t, nil, true) - - if err == nil { - t.Fatal("Error should not be nil") - } - - sterr, ok := err.(*utils.JSONError) - if !ok { - t.Fatalf("Error should be utils.JSONError") - } - if sterr.Code != 23 { - t.Fatalf("StatusCode %d unexpected, should be 23", sterr.Code) - } -} - -func TestBuildFailsDockerfileEmpty(t *testing.T) { - _, err := buildImage(testContextTemplate{``, nil, nil}, t, nil, true) - - if err != server.ErrDockerfileEmpty { - t.Fatal("Expected: %v, got: %v", server.ErrDockerfileEmpty, err) - } -} - -func TestBuildOnBuildTrigger(t *testing.T) { - _, err := buildImage(testContextTemplate{` - from {IMAGE} - onbuild run echo here is the trigger - onbuild run touch foobar - `, - nil, nil, - }, - t, nil, true, - ) - if err != nil { - t.Fatal(err) - } - // FIXME: test that the 'foobar' file was created in the final build. -} - -func TestBuildOnBuildForbiddenChainedTrigger(t *testing.T) { - _, err := buildImage(testContextTemplate{` - from {IMAGE} - onbuild onbuild run echo test - `, - nil, nil, - }, - t, nil, true, - ) - if err == nil { - t.Fatal("Error should not be nil") - } -} - -func TestBuildOnBuildForbiddenFromTrigger(t *testing.T) { - _, err := buildImage(testContextTemplate{` - from {IMAGE} - onbuild from {IMAGE} - `, - nil, nil, - }, - t, nil, true, - ) - if err == nil { - t.Fatal("Error should not be nil") - } -} - -func TestBuildOnBuildForbiddenMaintainerTrigger(t *testing.T) { - _, err := buildImage(testContextTemplate{` - from {IMAGE} - onbuild maintainer test - `, - nil, nil, - }, - t, nil, true, - ) - if err == nil { - t.Fatal("Error should not be nil") - } -} - -// gh #2446 -func TestBuildAddToSymlinkDest(t *testing.T) { - eng := NewTestEngine(t) - defer nuke(mkDaemonFromEngine(eng, t)) - - _, err := buildImage(testContextTemplate{` - from {IMAGE} - run mkdir /foo - run ln -s /foo /bar - add foo /bar/ - run stat /bar/foo - `, - [][2]string{{"foo", "HEYO"}}, nil}, t, eng, true) - if err != nil { - t.Fatal(err) - } -} diff --git a/pkg/beam/MAINTAINERS b/pkg/beam/MAINTAINERS deleted file mode 100644 index aee10c8421..0000000000 --- a/pkg/beam/MAINTAINERS +++ /dev/null @@ -1 +0,0 @@ -Solomon Hykes (@shykes) diff --git a/pkg/beam/beam.go b/pkg/beam/beam.go deleted file mode 100644 index 2e8895a153..0000000000 --- a/pkg/beam/beam.go +++ /dev/null @@ -1,166 +0,0 @@ -package beam - -import ( - "fmt" - "io" - "os" -) - -type Sender interface { - Send([]byte, *os.File) error -} - -type Receiver interface { - Receive() ([]byte, *os.File, error) -} - -type ReceiveCloser interface { - Receiver - Close() error -} - -type SendCloser interface { - Sender - Close() error -} - -type ReceiveSender interface { - Receiver - Sender -} - -const ( - R = iota - W -) - -func sendPipe(dst Sender, data []byte, mode int) (*os.File, error) { - r, w, err := os.Pipe() - if err != nil { - return nil, err - } - var ( - remote *os.File - local *os.File - ) - if mode == R { - remote = r - local = w - } else if mode == W { - remote = w - local = r - } - if err := dst.Send(data, remote); err != nil { - local.Close() - remote.Close() - return nil, err - } - return local, nil - -} - -// SendRPipe create a pipe and sends its *read* end attached in a beam message -// to `dst`, with `data` as the message payload. -// It returns the *write* end of the pipe, or an error. -func SendRPipe(dst Sender, data []byte) (*os.File, error) { - return sendPipe(dst, data, R) -} - -// SendWPipe create a pipe and sends its *read* end attached in a beam message -// to `dst`, with `data` as the message payload. -// It returns the *write* end of the pipe, or an error. -func SendWPipe(dst Sender, data []byte) (*os.File, error) { - return sendPipe(dst, data, W) -} - -func SendConn(dst Sender, data []byte) (conn *UnixConn, err error) { - local, remote, err := SocketPair() - if err != nil { - return nil, err - } - defer func() { - if err != nil { - local.Close() - remote.Close() - } - }() - conn, err = FileConn(local) - if err != nil { - return nil, err - } - local.Close() - if err := dst.Send(data, remote); err != nil { - return nil, err - } - return conn, nil -} - -func ReceiveConn(src Receiver) ([]byte, *UnixConn, error) { - for { - data, f, err := src.Receive() - if err != nil { - return nil, nil, err - } - if f == nil { - // Skip empty attachments - continue - } - conn, err := FileConn(f) - if err != nil { - // Skip beam attachments which are not connections - // (for example might be a regular file, directory etc) - continue - } - return data, conn, nil - } - panic("impossibru!") - return nil, nil, nil -} - -func Copy(dst Sender, src Receiver) (int, error) { - var n int - for { - payload, attachment, err := src.Receive() - if err == io.EOF { - return n, nil - } else if err != nil { - return n, err - } - if err := dst.Send(payload, attachment); err != nil { - if attachment != nil { - attachment.Close() - } - return n, err - } - n++ - } - panic("impossibru!") - return n, nil -} - -// MsgDesc returns a human readable description of a beam message, usually -// for debugging purposes. -func MsgDesc(payload []byte, attachment *os.File) string { - var filedesc string = "" - if attachment != nil { - filedesc = fmt.Sprintf("%d", attachment.Fd()) - } - return fmt.Sprintf("'%s'[%s]", payload, filedesc) -} - -type devnull struct{} - -func Devnull() ReceiveSender { - return devnull{} -} - -func (d devnull) Send(p []byte, a *os.File) error { - if a != nil { - a.Close() - } - return nil -} - -func (d devnull) Receive() ([]byte, *os.File, error) { - return nil, nil, io.EOF -} diff --git a/pkg/beam/beam_test.go b/pkg/beam/beam_test.go deleted file mode 100644 index 2822861a37..0000000000 --- a/pkg/beam/beam_test.go +++ /dev/null @@ -1,39 +0,0 @@ -package beam - -import ( - "github.com/dotcloud/docker/pkg/beam/data" - "testing" -) - -func TestSendConn(t *testing.T) { - a, b, err := USocketPair() - if err != nil { - t.Fatal(err) - } - defer a.Close() - defer b.Close() - go func() { - conn, err := SendConn(a, data.Empty().Set("type", "connection").Bytes()) - if err != nil { - t.Fatal(err) - } - if err := conn.Send(data.Empty().Set("foo", "bar").Bytes(), nil); err != nil { - t.Fatal(err) - } - conn.CloseWrite() - }() - payload, conn, err := ReceiveConn(b) - if err != nil { - t.Fatal(err) - } - if val := data.Message(string(payload)).Get("type"); val == nil || val[0] != "connection" { - t.Fatalf("%v != %v\n", val, "connection") - } - msg, _, err := conn.Receive() - if err != nil { - t.Fatal(err) - } - if val := data.Message(string(msg)).Get("foo"); val == nil || val[0] != "bar" { - t.Fatalf("%v != %v\n", val, "bar") - } -} diff --git a/pkg/beam/data/data.go b/pkg/beam/data/data.go deleted file mode 100644 index e205fe43f4..0000000000 --- a/pkg/beam/data/data.go +++ /dev/null @@ -1,115 +0,0 @@ -package data - -import ( - "fmt" - "strconv" - "strings" -) - -func Encode(obj map[string][]string) string { - var msg string - msg += encodeHeader(0) - for k, values := range obj { - msg += encodeNamedList(k, values) - } - return msg -} - -func encodeHeader(msgtype int) string { - return fmt.Sprintf("%03.3d;", msgtype) -} - -func encodeString(s string) string { - return fmt.Sprintf("%d:%s,", len(s), s) -} - -var EncodeString = encodeString -var DecodeString = decodeString - -func encodeList(l []string) string { - values := make([]string, 0, len(l)) - for _, s := range l { - values = append(values, encodeString(s)) - } - return encodeString(strings.Join(values, "")) -} - -func encodeNamedList(name string, l []string) string { - return encodeString(name) + encodeList(l) -} - -func Decode(msg string) (map[string][]string, error) { - msgtype, skip, err := decodeHeader(msg) - if err != nil { - return nil, err - } - if msgtype != 0 { - // FIXME: use special error type so the caller can easily ignore - return nil, fmt.Errorf("unknown message type: %d", msgtype) - } - msg = msg[skip:] - obj := make(map[string][]string) - for len(msg) > 0 { - k, skip, err := decodeString(msg) - if err != nil { - return nil, err - } - msg = msg[skip:] - values, skip, err := decodeList(msg) - if err != nil { - return nil, err - } - msg = msg[skip:] - obj[k] = values - } - return obj, nil -} - -func decodeList(msg string) ([]string, int, error) { - blob, skip, err := decodeString(msg) - if err != nil { - return nil, 0, err - } - var l []string - for len(blob) > 0 { - v, skipv, err := decodeString(blob) - if err != nil { - return nil, 0, err - } - l = append(l, v) - blob = blob[skipv:] - } - return l, skip, nil -} - -func decodeString(msg string) (string, int, error) { - parts := strings.SplitN(msg, ":", 2) - if len(parts) != 2 { - return "", 0, fmt.Errorf("invalid format: no column") - } - var length int - if l, err := strconv.ParseUint(parts[0], 10, 64); err != nil { - return "", 0, err - } else { - length = int(l) - } - if len(parts[1]) < length+1 { - return "", 0, fmt.Errorf("message '%s' is %d bytes, expected at least %d", parts[1], len(parts[1]), length+1) - } - payload := parts[1][:length+1] - if payload[length] != ',' { - return "", 0, fmt.Errorf("message is not comma-terminated") - } - return payload[:length], len(parts[0]) + 1 + length + 1, nil -} - -func decodeHeader(msg string) (int, int, error) { - if len(msg) < 4 { - return 0, 0, fmt.Errorf("message too small") - } - msgtype, err := strconv.ParseInt(msg[:3], 10, 32) - if err != nil { - return 0, 0, err - } - return int(msgtype), 4, nil -} diff --git a/pkg/beam/data/data_test.go b/pkg/beam/data/data_test.go deleted file mode 100644 index 9059922b3b..0000000000 --- a/pkg/beam/data/data_test.go +++ /dev/null @@ -1,129 +0,0 @@ -package data - -import ( - "strings" - "testing" -) - -func TestEncodeHelloWorld(t *testing.T) { - input := "hello world!" - output := encodeString(input) - expectedOutput := "12:hello world!," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncodeEmptyString(t *testing.T) { - input := "" - output := encodeString(input) - expectedOutput := "0:," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncodeEmptyList(t *testing.T) { - input := []string{} - output := encodeList(input) - expectedOutput := "0:," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncodeEmptyMap(t *testing.T) { - input := make(map[string][]string) - output := Encode(input) - expectedOutput := "000;" - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncode1Key1Value(t *testing.T) { - input := make(map[string][]string) - input["hello"] = []string{"world"} - output := Encode(input) - expectedOutput := "000;5:hello,8:5:world,," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncode1Key2Value(t *testing.T) { - input := make(map[string][]string) - input["hello"] = []string{"beautiful", "world"} - output := Encode(input) - expectedOutput := "000;5:hello,20:9:beautiful,5:world,," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncodeEmptyValue(t *testing.T) { - input := make(map[string][]string) - input["foo"] = []string{} - output := Encode(input) - expectedOutput := "000;3:foo,0:," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncodeBinaryKey(t *testing.T) { - input := make(map[string][]string) - input["foo\x00bar\x7f"] = []string{} - output := Encode(input) - expectedOutput := "000;8:foo\x00bar\x7f,0:," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestEncodeBinaryValue(t *testing.T) { - input := make(map[string][]string) - input["foo\x00bar\x7f"] = []string{"\x01\x02\x03\x04"} - output := Encode(input) - expectedOutput := "000;8:foo\x00bar\x7f,7:4:\x01\x02\x03\x04,," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestDecodeString(t *testing.T) { - validEncodedStrings := []struct { - input string - output string - skip int - }{ - {"3:foo,", "foo", 6}, - {"5:hello,", "hello", 8}, - {"5:hello,5:world,", "hello", 8}, - } - for _, sample := range validEncodedStrings { - output, skip, err := decodeString(sample.input) - if err != nil { - t.Fatalf("error decoding '%v': %v", sample.input, err) - } - if skip != sample.skip { - t.Fatalf("invalid skip: %v!=%v", skip, sample.skip) - } - if output != sample.output { - t.Fatalf("invalid output: %v!=%v", output, sample.output) - } - } -} - -func TestDecode1Key1Value(t *testing.T) { - input := "000;3:foo,6:3:bar,," - output, err := Decode(input) - if err != nil { - t.Fatal(err) - } - if v, exists := output["foo"]; !exists { - t.Fatalf("wrong output: %v\n", output) - } else if len(v) != 1 || strings.Join(v, "") != "bar" { - t.Fatalf("wrong output: %v\n", output) - } -} diff --git a/pkg/beam/data/message.go b/pkg/beam/data/message.go deleted file mode 100644 index 0ebe90295a..0000000000 --- a/pkg/beam/data/message.go +++ /dev/null @@ -1,103 +0,0 @@ -package data - -import ( - "fmt" - "strings" -) - -type Message string - -func Empty() Message { - return Message(Encode(nil)) -} - -func Parse(args []string) Message { - data := make(map[string][]string) - for _, word := range args { - if strings.Contains(word, "=") { - kv := strings.SplitN(word, "=", 2) - key := kv[0] - var val string - if len(kv) == 2 { - val = kv[1] - } - data[key] = []string{val} - } - } - return Message(Encode(data)) -} - -func (m Message) Add(k, v string) Message { - data, err := Decode(string(m)) - if err != nil { - return m - } - if values, exists := data[k]; exists { - data[k] = append(values, v) - } else { - data[k] = []string{v} - } - return Message(Encode(data)) -} - -func (m Message) Set(k string, v ...string) Message { - data, err := Decode(string(m)) - if err != nil { - panic(err) - return m - } - data[k] = v - return Message(Encode(data)) -} - -func (m Message) Del(k string) Message { - data, err := Decode(string(m)) - if err != nil { - panic(err) - return m - } - delete(data, k) - return Message(Encode(data)) -} - -func (m Message) Get(k string) []string { - data, err := Decode(string(m)) - if err != nil { - return nil - } - v, exists := data[k] - if !exists { - return nil - } - return v -} - -// GetOne returns the last value added at the key k, -// or an empty string if there is no value. -func (m Message) GetOne(k string) string { - var v string - if vals := m.Get(k); len(vals) > 0 { - v = vals[len(vals)-1] - } - return v -} - -func (m Message) Pretty() string { - data, err := Decode(string(m)) - if err != nil { - return "" - } - entries := make([]string, 0, len(data)) - for k, values := range data { - entries = append(entries, fmt.Sprintf("%s=%s", k, strings.Join(values, ","))) - } - return strings.Join(entries, " ") -} - -func (m Message) String() string { - return string(m) -} - -func (m Message) Bytes() []byte { - return []byte(m) -} diff --git a/pkg/beam/data/message_test.go b/pkg/beam/data/message_test.go deleted file mode 100644 index 7224f33d11..0000000000 --- a/pkg/beam/data/message_test.go +++ /dev/null @@ -1,61 +0,0 @@ -package data - -import ( - "testing" -) - -func TestEmptyMessage(t *testing.T) { - m := Empty() - if m.String() != Encode(nil) { - t.Fatalf("%v != %v", m.String(), Encode(nil)) - } -} - -func TestSetMessage(t *testing.T) { - m := Empty().Set("foo", "bar") - output := m.String() - expectedOutput := "000;3:foo,6:3:bar,," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } - decodedOutput, err := Decode(output) - if err != nil { - t.Fatal(err) - } - if len(decodedOutput) != 1 { - t.Fatalf("wrong output data: %#v\n", decodedOutput) - } -} - -func TestSetMessageTwice(t *testing.T) { - m := Empty().Set("foo", "bar").Set("ga", "bu") - output := m.String() - expectedOutput := "000;3:foo,6:3:bar,,2:ga,5:2:bu,," - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } - decodedOutput, err := Decode(output) - if err != nil { - t.Fatal(err) - } - if len(decodedOutput) != 2 { - t.Fatalf("wrong output data: %#v\n", decodedOutput) - } -} - -func TestSetDelMessage(t *testing.T) { - m := Empty().Set("foo", "bar").Del("foo") - output := m.String() - expectedOutput := Encode(nil) - if output != expectedOutput { - t.Fatalf("'%v' != '%v'", output, expectedOutput) - } -} - -func TestGetOne(t *testing.T) { - m := Empty().Set("shadok words", "ga", "bu", "zo", "meu") - val := m.GetOne("shadok words") - if val != "meu" { - t.Fatalf("%#v", val) - } -} diff --git a/pkg/beam/data/netstring.txt b/pkg/beam/data/netstring.txt deleted file mode 100644 index 17560929b6..0000000000 --- a/pkg/beam/data/netstring.txt +++ /dev/null @@ -1,92 +0,0 @@ -## -## Netstrings spec copied as-is from http://cr.yp.to/proto/netstrings.txt -## - -Netstrings -D. J. Bernstein, djb@pobox.com -19970201 - - -1. Introduction - - A netstring is a self-delimiting encoding of a string. Netstrings are - very easy to generate and to parse. Any string may be encoded as a - netstring; there are no restrictions on length or on allowed bytes. - Another virtue of a netstring is that it declares the string size up - front. Thus an application can check in advance whether it has enough - space to store the entire string. - - Netstrings may be used as a basic building block for reliable network - protocols. Most high-level protocols, in effect, transmit a sequence - of strings; those strings may be encoded as netstrings and then - concatenated into a sequence of characters, which in turn may be - transmitted over a reliable stream protocol such as TCP. - - Note that netstrings can be used recursively. The result of encoding - a sequence of strings is a single string. A series of those encoded - strings may in turn be encoded into a single string. And so on. - - In this document, a string of 8-bit bytes may be written in two - different forms: as a series of hexadecimal numbers between angle - brackets, or as a sequence of ASCII characters between double quotes. - For example, <68 65 6c 6c 6f 20 77 6f 72 6c 64 21> is a string of - length 12; it is the same as the string "hello world!". - - Although this document restricts attention to strings of 8-bit bytes, - netstrings could be used with any 6-bit-or-larger character set. - - -2. Definition - - Any string of 8-bit bytes may be encoded as [len]":"[string]",". - Here [string] is the string and [len] is a nonempty sequence of ASCII - digits giving the length of [string] in decimal. The ASCII digits are - <30> for 0, <31> for 1, and so on up through <39> for 9. Extra zeros - at the front of [len] are prohibited: [len] begins with <30> exactly - when [string] is empty. - - For example, the string "hello world!" is encoded as <31 32 3a 68 - 65 6c 6c 6f 20 77 6f 72 6c 64 21 2c>, i.e., "12:hello world!,". The - empty string is encoded as "0:,". - - [len]":"[string]"," is called a netstring. [string] is called the - interpretation of the netstring. - - -3. Sample code - - The following C code starts with a buffer buf of length len and - prints it as a netstring. - - if (printf("%lu:",len) < 0) barf(); - if (fwrite(buf,1,len,stdout) < len) barf(); - if (putchar(',') < 0) barf(); - - The following C code reads a netstring and decodes it into a - dynamically allocated buffer buf of length len. - - if (scanf("%9lu",&len) < 1) barf(); /* >999999999 bytes is bad */ - if (getchar() != ':') barf(); - buf = malloc(len + 1); /* malloc(0) is not portable */ - if (!buf) barf(); - if (fread(buf,1,len,stdin) < len) barf(); - if (getchar() != ',') barf(); - - Both of these code fragments assume that the local character set is - ASCII, and that the relevant stdio streams are in binary mode. - - -4. Security considerations - - The famous Finger security hole may be blamed on Finger's use of the - CRLF encoding. In that encoding, each string is simply terminated by - CRLF. This encoding has several problems. Most importantly, it does - not declare the string size in advance. This means that a correct - CRLF parser must be prepared to ask for more and more memory as it is - reading the string. In the case of Finger, a lazy implementor found - this to be too much trouble; instead he simply declared a fixed-size - buffer and used C's gets() function. The rest is history. - - In contrast, as the above sample code shows, it is very easy to - handle netstrings without risking buffer overflow. Thus widespread - use of netstrings may improve network security. diff --git a/pkg/beam/examples/beamsh/beamsh b/pkg/beam/examples/beamsh/beamsh deleted file mode 100755 index 9bfe78ef4a..0000000000 Binary files a/pkg/beam/examples/beamsh/beamsh and /dev/null differ diff --git a/pkg/beam/examples/beamsh/beamsh.go b/pkg/beam/examples/beamsh/beamsh.go deleted file mode 100644 index 808f038c68..0000000000 --- a/pkg/beam/examples/beamsh/beamsh.go +++ /dev/null @@ -1,542 +0,0 @@ -package main - -import ( - "bufio" - "flag" - "fmt" - "github.com/dotcloud/docker/pkg/beam" - "github.com/dotcloud/docker/pkg/beam/data" - "github.com/dotcloud/docker/pkg/dockerscript" - "github.com/dotcloud/docker/pkg/term" - "io" - "net" - "net/url" - "os" - "path" - "strings" - "sync" -) - -var rootPlugins = []string{ - "stdio", -} - -var ( - flX bool - flPing bool - introspect beam.ReceiveSender = beam.Devnull() -) - -func main() { - fd3 := os.NewFile(3, "beam-introspect") - if introsp, err := beam.FileConn(fd3); err == nil { - introspect = introsp - Logf("introspection enabled\n") - } else { - Logf("introspection disabled\n") - } - fd3.Close() - flag.BoolVar(&flX, "x", false, "print commands as they are being executed") - flag.Parse() - if flag.NArg() == 0 { - if term.IsTerminal(0) { - // No arguments, stdin is terminal --> interactive mode - input := bufio.NewScanner(os.Stdin) - for { - fmt.Printf("[%d] beamsh> ", os.Getpid()) - if !input.Scan() { - break - } - line := input.Text() - if len(line) != 0 { - cmd, err := dockerscript.Parse(strings.NewReader(line)) - if err != nil { - fmt.Fprintf(os.Stderr, "error: %v\n", err) - continue - } - if err := executeRootScript(cmd); err != nil { - Fatal(err) - } - } - if err := input.Err(); err == io.EOF { - break - } else if err != nil { - Fatal(err) - } - } - } else { - // No arguments, stdin not terminal --> batch mode - script, err := dockerscript.Parse(os.Stdin) - if err != nil { - Fatal("parse error: %v\n", err) - } - if err := executeRootScript(script); err != nil { - Fatal(err) - } - } - } else { - // 1+ arguments: parse them as script files - for _, scriptpath := range flag.Args() { - f, err := os.Open(scriptpath) - if err != nil { - Fatal(err) - } - script, err := dockerscript.Parse(f) - if err != nil { - Fatal("parse error: %v\n", err) - } - if err := executeRootScript(script); err != nil { - Fatal(err) - } - } - } -} - -func executeRootScript(script []*dockerscript.Command) error { - if len(rootPlugins) > 0 { - // If there are root plugins, wrap the script inside them - var ( - rootCmd *dockerscript.Command - lastCmd *dockerscript.Command - ) - for _, plugin := range rootPlugins { - pluginCmd := &dockerscript.Command{ - Args: []string{plugin}, - } - if rootCmd == nil { - rootCmd = pluginCmd - } else { - lastCmd.Children = []*dockerscript.Command{pluginCmd} - } - lastCmd = pluginCmd - } - lastCmd.Children = script - script = []*dockerscript.Command{rootCmd} - } - handlers, err := Handlers(introspect) - if err != nil { - return err - } - defer handlers.Close() - var tasks sync.WaitGroup - defer func() { - Debugf("Waiting for introspection...\n") - tasks.Wait() - Debugf("DONE Waiting for introspection\n") - }() - if introspect != nil { - tasks.Add(1) - go func() { - Debugf("starting introspection\n") - defer Debugf("done with introspection\n") - defer tasks.Done() - introspect.Send(data.Empty().Set("cmd", "log", "stdout").Set("message", "introspection worked!").Bytes(), nil) - Debugf("XXX starting reading introspection messages\n") - r := beam.NewRouter(handlers) - r.NewRoute().All().Handler(func(p []byte, a *os.File) error { - Logf("[INTROSPECTION] %s\n", beam.MsgDesc(p, a)) - return handlers.Send(p, a) - }) - n, err := beam.Copy(r, introspect) - Debugf("XXX done reading %d introspection messages: %v\n", n, err) - }() - } - if err := executeScript(handlers, script); err != nil { - return err - } - return nil -} - -func executeScript(out beam.Sender, script []*dockerscript.Command) error { - Debugf("executeScript(%s)\n", scriptString(script)) - defer Debugf("executeScript(%s) DONE\n", scriptString(script)) - var background sync.WaitGroup - defer background.Wait() - for _, cmd := range script { - if cmd.Background { - background.Add(1) - go func(out beam.Sender, cmd *dockerscript.Command) { - executeCommand(out, cmd) - background.Done() - }(out, cmd) - } else { - if err := executeCommand(out, cmd); err != nil { - return err - } - } - } - return nil -} - -// 1) Find a handler for the command (if no handler, fail) -// 2) Attach new in & out pair to the handler -// 3) [in the background] Copy handler output to our own output -// 4) [in the background] Run the handler -// 5) Recursively executeScript() all children commands and wait for them to complete -// 6) Wait for handler to return and (shortly afterwards) output copy to complete -// 7) Profit -func executeCommand(out beam.Sender, cmd *dockerscript.Command) error { - if flX { - fmt.Printf("+ %v\n", strings.Replace(strings.TrimRight(cmd.String(), "\n"), "\n", "\n+ ", -1)) - } - Debugf("executeCommand(%s)\n", strings.Join(cmd.Args, " ")) - defer Debugf("executeCommand(%s) DONE\n", strings.Join(cmd.Args, " ")) - if len(cmd.Args) == 0 { - return fmt.Errorf("empty command") - } - Debugf("[executeCommand] sending job '%s'\n", strings.Join(cmd.Args, " ")) - job, err := beam.SendConn(out, data.Empty().Set("cmd", cmd.Args...).Set("type", "job").Bytes()) - if err != nil { - return fmt.Errorf("%v\n", err) - } - var tasks sync.WaitGroup - tasks.Add(1) - Debugf("[executeCommand] spawning background copy of the output of '%s'\n", strings.Join(cmd.Args, " ")) - go func() { - if out != nil { - Debugf("[executeCommand] background copy of the output of '%s'\n", strings.Join(cmd.Args, " ")) - n, err := beam.Copy(out, job) - if err != nil { - Fatalf("[executeCommand] [%s] error during background copy: %v\n", strings.Join(cmd.Args, " "), err) - } - Debugf("[executeCommand] background copy done of the output of '%s': copied %d messages\n", strings.Join(cmd.Args, " "), n) - } - tasks.Done() - }() - // depth-first execution of children commands - // executeScript() blocks until all commands are completed - Debugf("[executeCommand] recursively running children of '%s'\n", strings.Join(cmd.Args, " ")) - executeScript(job, cmd.Children) - Debugf("[executeCommand] DONE recursively running children of '%s'\n", strings.Join(cmd.Args, " ")) - job.CloseWrite() - Debugf("[executeCommand] closing the input of '%s' (all children are completed)\n", strings.Join(cmd.Args, " ")) - Debugf("[executeCommand] waiting for background copy of '%s' to complete...\n", strings.Join(cmd.Args, " ")) - tasks.Wait() - Debugf("[executeCommand] background copy of '%s' complete! This means the job completed.\n", strings.Join(cmd.Args, " ")) - return nil -} - -type Handler func([]string, io.Writer, io.Writer, beam.Receiver, beam.Sender) - -func Handlers(sink beam.Sender) (*beam.UnixConn, error) { - var tasks sync.WaitGroup - pub, priv, err := beam.USocketPair() - if err != nil { - return nil, err - } - go func() { - defer func() { - Debugf("[handlers] closewrite() on endpoint\n") - // FIXME: this is not yet necessary but will be once - // there is synchronization over standard beam messages - priv.CloseWrite() - Debugf("[handlers] done closewrite() on endpoint\n") - }() - r := beam.NewRouter(sink) - r.NewRoute().HasAttachment().KeyIncludes("type", "job").Handler(func(payload []byte, attachment *os.File) error { - conn, err := beam.FileConn(attachment) - if err != nil { - attachment.Close() - return err - } - // attachment.Close() - tasks.Add(1) - go func() { - defer tasks.Done() - defer func() { - Debugf("[handlers] '%s' closewrite\n", payload) - conn.CloseWrite() - Debugf("[handlers] '%s' done closewrite\n", payload) - }() - cmd := data.Message(payload).Get("cmd") - Debugf("[handlers] received %s\n", strings.Join(cmd, " ")) - if len(cmd) == 0 { - return - } - handler := GetHandler(cmd[0]) - if handler == nil { - return - } - stdout, err := beam.SendRPipe(conn, data.Empty().Set("cmd", "log", "stdout").Set("fromcmd", cmd...).Bytes()) - if err != nil { - return - } - defer stdout.Close() - stderr, err := beam.SendRPipe(conn, data.Empty().Set("cmd", "log", "stderr").Set("fromcmd", cmd...).Bytes()) - if err != nil { - return - } - defer stderr.Close() - Debugf("[handlers] calling %s\n", strings.Join(cmd, " ")) - handler(cmd, stdout, stderr, beam.Receiver(conn), beam.Sender(conn)) - Debugf("[handlers] returned: %s\n", strings.Join(cmd, " ")) - }() - return nil - }) - beam.Copy(r, priv) - Debugf("[handlers] waiting for all tasks\n") - tasks.Wait() - Debugf("[handlers] all tasks returned\n") - }() - return pub, nil -} - -func GetHandler(name string) Handler { - if name == "logger" { - return CmdLogger - } else if name == "render" { - return CmdRender - } else if name == "devnull" { - return CmdDevnull - } else if name == "prompt" { - return CmdPrompt - } else if name == "stdio" { - return CmdStdio - } else if name == "echo" { - return CmdEcho - } else if name == "pass" { - return CmdPass - } else if name == "in" { - return CmdIn - } else if name == "exec" { - return CmdExec - } else if name == "trace" { - return CmdTrace - } else if name == "emit" { - return CmdEmit - } else if name == "print" { - return CmdPrint - } else if name == "multiprint" { - return CmdMultiprint - } else if name == "listen" { - return CmdListen - } else if name == "beamsend" { - return CmdBeamsend - } else if name == "beamreceive" { - return CmdBeamreceive - } else if name == "connect" { - return CmdConnect - } else if name == "openfile" { - return CmdOpenfile - } else if name == "spawn" { - return CmdSpawn - } else if name == "chdir" { - return CmdChdir - } - return nil -} - -// VARIOUS HELPER FUNCTIONS: - -func connToFile(conn net.Conn) (f *os.File, err error) { - if connWithFile, ok := conn.(interface { - File() (*os.File, error) - }); !ok { - return nil, fmt.Errorf("no file descriptor available") - } else { - f, err = connWithFile.File() - if err != nil { - return nil, err - } - } - return f, err -} - -type Msg struct { - payload []byte - attachment *os.File -} - -func Logf(msg string, args ...interface{}) (int, error) { - if len(msg) == 0 || msg[len(msg)-1] != '\n' { - msg = msg + "\n" - } - msg = fmt.Sprintf("[%v] [%v] %s", os.Getpid(), path.Base(os.Args[0]), msg) - return fmt.Printf(msg, args...) -} - -func Debugf(msg string, args ...interface{}) { - if os.Getenv("BEAMDEBUG") != "" { - Logf(msg, args...) - } -} - -func Fatalf(msg string, args ...interface{}) { - Logf(msg, args...) - os.Exit(1) -} - -func Fatal(args ...interface{}) { - Fatalf("%v", args[0]) -} - -func scriptString(script []*dockerscript.Command) string { - lines := make([]string, 0, len(script)) - for _, cmd := range script { - line := strings.Join(cmd.Args, " ") - if len(cmd.Children) > 0 { - line += fmt.Sprintf(" { %s }", scriptString(cmd.Children)) - } else { - line += " {}" - } - lines = append(lines, line) - } - return fmt.Sprintf("'%s'", strings.Join(lines, "; ")) -} - -func dialer(addr string) (chan net.Conn, error) { - u, err := url.Parse(addr) - if err != nil { - return nil, err - } - connections := make(chan net.Conn) - go func() { - defer close(connections) - for { - conn, err := net.Dial(u.Scheme, u.Host) - if err != nil { - return - } - connections <- conn - } - }() - return connections, nil -} - -func listener(addr string) (chan net.Conn, error) { - u, err := url.Parse(addr) - if err != nil { - return nil, err - } - l, err := net.Listen(u.Scheme, u.Host) - if err != nil { - return nil, err - } - connections := make(chan net.Conn) - go func() { - defer close(connections) - for { - conn, err := l.Accept() - if err != nil { - return - } - Logf("new connection\n") - connections <- conn - } - }() - return connections, nil -} - -func SendToConn(connections chan net.Conn, src beam.Receiver) error { - var tasks sync.WaitGroup - defer tasks.Wait() - for { - payload, attachment, err := src.Receive() - if err == io.EOF { - return nil - } else if err != nil { - return err - } - conn, ok := <-connections - if !ok { - break - } - Logf("Sending %s\n", msgDesc(payload, attachment)) - tasks.Add(1) - go func(payload []byte, attachment *os.File, conn net.Conn) { - defer tasks.Done() - if _, err := conn.Write([]byte(data.EncodeString(string(payload)))); err != nil { - return - } - if attachment == nil { - conn.Close() - return - } - var iotasks sync.WaitGroup - iotasks.Add(2) - go func(attachment *os.File, conn net.Conn) { - defer iotasks.Done() - Debugf("copying the connection to [%d]\n", attachment.Fd()) - io.Copy(attachment, conn) - attachment.Close() - Debugf("done copying the connection to [%d]\n", attachment.Fd()) - }(attachment, conn) - go func(attachment *os.File, conn net.Conn) { - defer iotasks.Done() - Debugf("copying [%d] to the connection\n", attachment.Fd()) - io.Copy(conn, attachment) - conn.Close() - Debugf("done copying [%d] to the connection\n", attachment.Fd()) - }(attachment, conn) - iotasks.Wait() - }(payload, attachment, conn) - } - return nil -} - -func msgDesc(payload []byte, attachment *os.File) string { - return beam.MsgDesc(payload, attachment) -} - -func ReceiveFromConn(connections chan net.Conn, dst beam.Sender) error { - for conn := range connections { - err := func() error { - Logf("parsing message from network...\n") - defer Logf("done parsing message from network\n") - buf := make([]byte, 4098) - n, err := conn.Read(buf) - if n == 0 { - conn.Close() - if err == io.EOF { - return nil - } else { - return err - } - } - Logf("decoding message from '%s'\n", buf[:n]) - header, skip, err := data.DecodeString(string(buf[:n])) - if err != nil { - conn.Close() - return err - } - pub, priv, err := beam.SocketPair() - if err != nil { - return err - } - Logf("decoded message: %s\n", data.Message(header).Pretty()) - go func(skipped []byte, conn net.Conn, f *os.File) { - // this closes both conn and f - if len(skipped) > 0 { - if _, err := f.Write(skipped); err != nil { - Logf("ERROR: %v\n", err) - f.Close() - conn.Close() - return - } - } - bicopy(conn, f) - }(buf[skip:n], conn, pub) - if err := dst.Send([]byte(header), priv); err != nil { - return err - } - return nil - }() - if err != nil { - Logf("Error reading from connection: %v\n", err) - } - } - return nil -} - -func bicopy(a, b io.ReadWriteCloser) { - var iotasks sync.WaitGroup - oneCopy := func(dst io.WriteCloser, src io.Reader) { - defer iotasks.Done() - io.Copy(dst, src) - dst.Close() - } - iotasks.Add(2) - go oneCopy(a, b) - go oneCopy(b, a) - iotasks.Wait() -} diff --git a/pkg/beam/examples/beamsh/builtins.go b/pkg/beam/examples/beamsh/builtins.go deleted file mode 100644 index 3242237cc1..0000000000 --- a/pkg/beam/examples/beamsh/builtins.go +++ /dev/null @@ -1,441 +0,0 @@ -package main - -import ( - "bufio" - "fmt" - "github.com/dotcloud/docker/pkg/beam" - "github.com/dotcloud/docker/pkg/beam/data" - "github.com/dotcloud/docker/pkg/term" - "github.com/dotcloud/docker/utils" - "io" - "net" - "net/url" - "os" - "os/exec" - "path" - "strings" - "sync" - "text/template" -) - -func CmdLogger(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if err := os.MkdirAll("logs", 0700); err != nil { - fmt.Fprintf(stderr, "%v\n", err) - return - } - var tasks sync.WaitGroup - defer tasks.Wait() - var n int = 1 - r := beam.NewRouter(out) - r.NewRoute().HasAttachment().KeyStartsWith("cmd", "log").Handler(func(payload []byte, attachment *os.File) error { - tasks.Add(1) - go func(n int) { - defer tasks.Done() - defer attachment.Close() - var streamname string - if cmd := data.Message(payload).Get("cmd"); len(cmd) == 1 || cmd[1] == "stdout" { - streamname = "stdout" - } else { - streamname = cmd[1] - } - if fromcmd := data.Message(payload).Get("fromcmd"); len(fromcmd) != 0 { - streamname = fmt.Sprintf("%s-%s", strings.Replace(strings.Join(fromcmd, "_"), "/", "_", -1), streamname) - } - logfile, err := os.OpenFile(path.Join("logs", fmt.Sprintf("%d-%s", n, streamname)), os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0700) - if err != nil { - fmt.Fprintf(stderr, "%v\n", err) - return - } - defer logfile.Close() - io.Copy(logfile, attachment) - logfile.Sync() - }(n) - n++ - return nil - }).Tee(out) - if _, err := beam.Copy(r, in); err != nil { - fmt.Fprintf(stderr, "%v\n", err) - return - } -} - -func CmdRender(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if len(args) != 2 { - fmt.Fprintf(stderr, "Usage: %s FORMAT\n", args[0]) - out.Send(data.Empty().Set("status", "1").Bytes(), nil) - return - } - txt := args[1] - if !strings.HasSuffix(txt, "\n") { - txt += "\n" - } - t := template.Must(template.New("render").Parse(txt)) - for { - payload, attachment, err := in.Receive() - if err != nil { - return - } - msg, err := data.Decode(string(payload)) - if err != nil { - fmt.Fprintf(stderr, "decode error: %v\n") - } - if err := t.Execute(stdout, msg); err != nil { - fmt.Fprintf(stderr, "rendering error: %v\n", err) - out.Send(data.Empty().Set("status", "1").Bytes(), nil) - return - } - if err := out.Send(payload, attachment); err != nil { - return - } - } -} - -func CmdDevnull(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - for { - _, attachment, err := in.Receive() - if err != nil { - return - } - if attachment != nil { - attachment.Close() - } - } -} - -func CmdPrompt(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if len(args) < 2 { - fmt.Fprintf(stderr, "usage: %s PROMPT...\n", args[0]) - return - } - if !term.IsTerminal(0) { - fmt.Fprintf(stderr, "can't prompt: no tty available...\n") - return - } - fmt.Printf("%s: ", strings.Join(args[1:], " ")) - oldState, _ := term.SaveState(0) - term.DisableEcho(0, oldState) - line, _, err := bufio.NewReader(os.Stdin).ReadLine() - if err != nil { - fmt.Fprintln(stderr, err.Error()) - return - } - val := string(line) - fmt.Printf("\n") - term.RestoreTerminal(0, oldState) - out.Send(data.Empty().Set("fromcmd", args...).Set("value", val).Bytes(), nil) -} - -func CmdStdio(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - var tasks sync.WaitGroup - defer tasks.Wait() - - r := beam.NewRouter(out) - r.NewRoute().HasAttachment().KeyStartsWith("cmd", "log").Handler(func(payload []byte, attachment *os.File) error { - tasks.Add(1) - go func() { - defer tasks.Done() - defer attachment.Close() - io.Copy(os.Stdout, attachment) - attachment.Close() - }() - return nil - }).Tee(out) - - if _, err := beam.Copy(r, in); err != nil { - Fatal(err) - fmt.Fprintf(stderr, "%v\n", err) - return - } -} - -func CmdEcho(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - fmt.Fprintln(stdout, strings.Join(args[1:], " ")) -} - -func CmdPass(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - for { - payload, attachment, err := in.Receive() - if err != nil { - return - } - if err := out.Send(payload, attachment); err != nil { - if attachment != nil { - attachment.Close() - } - return - } - } -} - -func CmdSpawn(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - c := exec.Command(utils.SelfPath()) - r, w, err := os.Pipe() - if err != nil { - fmt.Fprintf(stderr, "%v\n", err) - return - } - c.Stdin = r - c.Stdout = stdout - c.Stderr = stderr - go func() { - fmt.Fprintf(w, strings.Join(args[1:], " ")) - w.Sync() - w.Close() - }() - if err := c.Run(); err != nil { - fmt.Fprintf(stderr, "%v\n", err) - return - } -} - -func CmdIn(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - os.Chdir(args[1]) - GetHandler("pass")([]string{"pass"}, stdout, stderr, in, out) -} - -func CmdExec(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - cmd := exec.Command(args[1], args[2:]...) - cmd.Stdout = stdout - cmd.Stderr = stderr - //cmd.Stdin = os.Stdin - local, remote, err := beam.SocketPair() - if err != nil { - fmt.Fprintf(stderr, "%v\n", err) - return - } - child, err := beam.FileConn(local) - if err != nil { - local.Close() - remote.Close() - fmt.Fprintf(stderr, "%v\n", err) - return - } - local.Close() - cmd.ExtraFiles = append(cmd.ExtraFiles, remote) - - var tasks sync.WaitGroup - tasks.Add(1) - go func() { - defer Debugf("done copying to child\n") - defer tasks.Done() - defer child.CloseWrite() - beam.Copy(child, in) - }() - - tasks.Add(1) - go func() { - defer Debugf("done copying from child %d\n") - defer tasks.Done() - r := beam.NewRouter(out) - r.NewRoute().All().Handler(func(p []byte, a *os.File) error { - return out.Send(data.Message(p).Set("pid", fmt.Sprintf("%d", cmd.Process.Pid)).Bytes(), a) - }) - beam.Copy(r, child) - }() - execErr := cmd.Run() - // We can close both ends of the socket without worrying about data stuck in the buffer, - // because unix socket writes are fully synchronous. - child.Close() - tasks.Wait() - var status string - if execErr != nil { - status = execErr.Error() - } else { - status = "ok" - } - out.Send(data.Empty().Set("status", status).Set("cmd", args...).Bytes(), nil) -} - -func CmdTrace(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - r := beam.NewRouter(out) - r.NewRoute().All().Handler(func(payload []byte, attachment *os.File) error { - var sfd string = "nil" - if attachment != nil { - sfd = fmt.Sprintf("%d", attachment.Fd()) - } - fmt.Printf("===> %s [%s]\n", data.Message(payload).Pretty(), sfd) - out.Send(payload, attachment) - return nil - }) - beam.Copy(r, in) -} - -func CmdEmit(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - out.Send(data.Parse(args[1:]).Bytes(), nil) -} - -func CmdPrint(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - for { - payload, a, err := in.Receive() - if err != nil { - return - } - // Skip commands - if a != nil && data.Message(payload).Get("cmd") == nil { - dup, err := beam.SendRPipe(out, payload) - if err != nil { - a.Close() - return - } - io.Copy(io.MultiWriter(os.Stdout, dup), a) - dup.Close() - } else { - if err := out.Send(payload, a); err != nil { - return - } - } - } -} - -func CmdMultiprint(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - var tasks sync.WaitGroup - defer tasks.Wait() - r := beam.NewRouter(out) - multiprint := func(p []byte, a *os.File) error { - tasks.Add(1) - go func() { - defer tasks.Done() - defer a.Close() - msg := data.Message(string(p)) - input := bufio.NewScanner(a) - for input.Scan() { - fmt.Printf("[%s] %s\n", msg.Pretty(), input.Text()) - } - }() - return nil - } - r.NewRoute().KeyIncludes("type", "job").Passthrough(out) - r.NewRoute().HasAttachment().Handler(multiprint).Tee(out) - beam.Copy(r, in) -} - -func CmdListen(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if len(args) != 2 { - out.Send(data.Empty().Set("status", "1").Set("message", "wrong number of arguments").Bytes(), nil) - return - } - u, err := url.Parse(args[1]) - if err != nil { - out.Send(data.Empty().Set("status", "1").Set("message", err.Error()).Bytes(), nil) - return - } - l, err := net.Listen(u.Scheme, u.Host) - if err != nil { - out.Send(data.Empty().Set("status", "1").Set("message", err.Error()).Bytes(), nil) - return - } - for { - conn, err := l.Accept() - if err != nil { - out.Send(data.Empty().Set("status", "1").Set("message", err.Error()).Bytes(), nil) - return - } - f, err := connToFile(conn) - if err != nil { - conn.Close() - continue - } - out.Send(data.Empty().Set("type", "socket").Set("remoteaddr", conn.RemoteAddr().String()).Bytes(), f) - } -} - -func CmdBeamsend(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if len(args) < 2 { - if err := out.Send(data.Empty().Set("status", "1").Set("message", "wrong number of arguments").Bytes(), nil); err != nil { - Fatal(err) - } - return - } - var connector func(string) (chan net.Conn, error) - connector = dialer - connections, err := connector(args[1]) - if err != nil { - out.Send(data.Empty().Set("status", "1").Set("message", err.Error()).Bytes(), nil) - return - } - // Copy in to conn - SendToConn(connections, in) -} - -func CmdBeamreceive(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if len(args) != 2 { - if err := out.Send(data.Empty().Set("status", "1").Set("message", "wrong number of arguments").Bytes(), nil); err != nil { - Fatal(err) - } - return - } - var connector func(string) (chan net.Conn, error) - connector = listener - connections, err := connector(args[1]) - if err != nil { - out.Send(data.Empty().Set("status", "1").Set("message", err.Error()).Bytes(), nil) - return - } - // Copy in to conn - ReceiveFromConn(connections, out) -} - -func CmdConnect(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - if len(args) != 2 { - out.Send(data.Empty().Set("status", "1").Set("message", "wrong number of arguments").Bytes(), nil) - return - } - u, err := url.Parse(args[1]) - if err != nil { - out.Send(data.Empty().Set("status", "1").Set("message", err.Error()).Bytes(), nil) - return - } - var tasks sync.WaitGroup - for { - _, attachment, err := in.Receive() - if err != nil { - break - } - if attachment == nil { - continue - } - Logf("connecting to %s/%s\n", u.Scheme, u.Host) - conn, err := net.Dial(u.Scheme, u.Host) - if err != nil { - out.Send(data.Empty().Set("cmd", "msg", "connect error: "+err.Error()).Bytes(), nil) - return - } - out.Send(data.Empty().Set("cmd", "msg", "connection established").Bytes(), nil) - tasks.Add(1) - go func(attachment *os.File, conn net.Conn) { - defer tasks.Done() - // even when successful, conn.File() returns a duplicate, - // so we must close the original - var iotasks sync.WaitGroup - iotasks.Add(2) - go func(attachment *os.File, conn net.Conn) { - defer iotasks.Done() - io.Copy(attachment, conn) - }(attachment, conn) - go func(attachment *os.File, conn net.Conn) { - defer iotasks.Done() - io.Copy(conn, attachment) - }(attachment, conn) - iotasks.Wait() - conn.Close() - attachment.Close() - }(attachment, conn) - } - tasks.Wait() -} - -func CmdOpenfile(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - for _, name := range args { - f, err := os.Open(name) - if err != nil { - continue - } - if err := out.Send(data.Empty().Set("path", name).Set("type", "file").Bytes(), f); err != nil { - f.Close() - } - } -} - -func CmdChdir(args []string, stdout, stderr io.Writer, in beam.Receiver, out beam.Sender) { - os.Chdir(args[1]) -} diff --git a/pkg/beam/examples/beamsh/scripts/bug0.ds b/pkg/beam/examples/beamsh/scripts/bug0.ds deleted file mode 100755 index 89b75230be..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug0.ds +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/env beamsh - -exec ls -l diff --git a/pkg/beam/examples/beamsh/scripts/bug1.ds b/pkg/beam/examples/beamsh/scripts/bug1.ds deleted file mode 100755 index 2d8a9e2ed9..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug1.ds +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env beamsh - -trace { - exec ls -l -} diff --git a/pkg/beam/examples/beamsh/scripts/bug2.ds b/pkg/beam/examples/beamsh/scripts/bug2.ds deleted file mode 100755 index 08f0431f68..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug2.ds +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env beamsh - -trace { - stdio { - exec ls -l - } -} diff --git a/pkg/beam/examples/beamsh/scripts/bug3.ds b/pkg/beam/examples/beamsh/scripts/bug3.ds deleted file mode 100755 index 7bb8694d49..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug3.ds +++ /dev/null @@ -1,10 +0,0 @@ -#!/usr/bin/env beamsh -x - -trace outer { - # stdio fails - stdio { - trace inner { - exec ls -l - } - } -} diff --git a/pkg/beam/examples/beamsh/scripts/bug4.ds b/pkg/beam/examples/beamsh/scripts/bug4.ds deleted file mode 100755 index b7beedbae2..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug4.ds +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env beamsh - -stdio { - trace { - stdio { - exec ls -l - } - } -} diff --git a/pkg/beam/examples/beamsh/scripts/bug5.ds b/pkg/beam/examples/beamsh/scripts/bug5.ds deleted file mode 100755 index 9f9a85515d..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug5.ds +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env beamsh - -stdio { - # exec fails - exec ls -l -} diff --git a/pkg/beam/examples/beamsh/scripts/bug6.ds b/pkg/beam/examples/beamsh/scripts/bug6.ds deleted file mode 100755 index 90281401cd..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug6.ds +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env beamsh - -stdio { - trace { - echo hello - } -} diff --git a/pkg/beam/examples/beamsh/scripts/bug7.ds b/pkg/beam/examples/beamsh/scripts/bug7.ds deleted file mode 100755 index b6e7bd9201..0000000000 --- a/pkg/beam/examples/beamsh/scripts/bug7.ds +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env beamsh - -stdio { - # exec fails - echo hello world -} diff --git a/pkg/beam/examples/beamsh/scripts/demo1.ds b/pkg/beam/examples/beamsh/scripts/demo1.ds deleted file mode 100755 index 20a3359f3a..0000000000 --- a/pkg/beam/examples/beamsh/scripts/demo1.ds +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env beamsh - -devnull { - multiprint { - exec tail -f /var/log/system.log & - exec ls -l - exec ls ksdhfkjdshf jksdfhkjsdhf - } -} diff --git a/pkg/beam/examples/beamsh/scripts/helloworld.ds b/pkg/beam/examples/beamsh/scripts/helloworld.ds deleted file mode 100755 index 32e59b062e..0000000000 --- a/pkg/beam/examples/beamsh/scripts/helloworld.ds +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env beamsh - -print { - trace { - emit msg=hello - emit msg=world - } -} diff --git a/pkg/beam/examples/beamsh/scripts/logdemo.ds b/pkg/beam/examples/beamsh/scripts/logdemo.ds deleted file mode 100755 index 8b729a966f..0000000000 --- a/pkg/beam/examples/beamsh/scripts/logdemo.ds +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env beamsh - -trace { - log { - exec ls -l - exec ls /tmp/jhsdfkjhsdjkfhsdjkfhsdjkkhsdjkf - echo hello world - } -} diff --git a/pkg/beam/examples/beamsh/scripts/miniserver.ds b/pkg/beam/examples/beamsh/scripts/miniserver.ds deleted file mode 100755 index 9707477ee0..0000000000 --- a/pkg/beam/examples/beamsh/scripts/miniserver.ds +++ /dev/null @@ -1,9 +0,0 @@ -#!/usr/bin/env beamsh - -multiprint { - trace { - listen tcp://localhost:7676 & - listen tcp://localhost:8787 & - } -} - diff --git a/pkg/beam/router.go b/pkg/beam/router.go deleted file mode 100644 index 15910e95b1..0000000000 --- a/pkg/beam/router.go +++ /dev/null @@ -1,184 +0,0 @@ -package beam - -import ( - "fmt" - "github.com/dotcloud/docker/pkg/beam/data" - "io" - "os" -) - -type Router struct { - routes []*Route - sink Sender -} - -func NewRouter(sink Sender) *Router { - return &Router{sink: sink} -} - -func (r *Router) Send(payload []byte, attachment *os.File) (err error) { - //fmt.Printf("Router.Send(%s)\n", MsgDesc(payload, attachment)) - defer func() { - //fmt.Printf("DONE Router.Send(%s) = %v\n", MsgDesc(payload, attachment), err) - }() - for _, route := range r.routes { - if route.Match(payload, attachment) { - return route.Handle(payload, attachment) - } - } - if r.sink != nil { - // fmt.Printf("[%d] [Router.Send] no match. sending %s to sink %#v\n", os.Getpid(), MsgDesc(payload, attachment), r.sink) - return r.sink.Send(payload, attachment) - } - //fmt.Printf("[Router.Send] no match. return error.\n") - return fmt.Errorf("no matching route") -} - -func (r *Router) NewRoute() *Route { - route := &Route{} - r.routes = append(r.routes, route) - return route -} - -type Route struct { - rules []func([]byte, *os.File) bool - handler func([]byte, *os.File) error -} - -func (route *Route) Match(payload []byte, attachment *os.File) bool { - for _, rule := range route.rules { - if !rule(payload, attachment) { - return false - } - } - return true -} - -func (route *Route) Handle(payload []byte, attachment *os.File) error { - if route.handler == nil { - return nil - } - return route.handler(payload, attachment) -} - -func (r *Route) HasAttachment() *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - return attachment != nil - }) - return r -} - -func (route *Route) Tee(dst Sender) *Route { - inner := route.handler - route.handler = func(payload []byte, attachment *os.File) error { - if inner == nil { - return nil - } - if attachment == nil { - return inner(payload, attachment) - } - // Setup the tee - w, err := SendRPipe(dst, payload) - if err != nil { - return err - } - teeR, teeW, err := os.Pipe() - if err != nil { - w.Close() - return err - } - go func() { - io.Copy(io.MultiWriter(teeW, w), attachment) - attachment.Close() - w.Close() - teeW.Close() - }() - return inner(payload, teeR) - } - return route -} - -func (r *Route) Filter(f func([]byte, *os.File) bool) *Route { - r.rules = append(r.rules, f) - return r -} - -func (r *Route) KeyStartsWith(k string, beginning ...string) *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - values := data.Message(payload).Get(k) - if values == nil { - return false - } - if len(values) < len(beginning) { - return false - } - for i, v := range beginning { - if v != values[i] { - return false - } - } - return true - }) - return r -} - -func (r *Route) KeyEquals(k string, full ...string) *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - values := data.Message(payload).Get(k) - if len(values) != len(full) { - return false - } - for i, v := range full { - if v != values[i] { - return false - } - } - return true - }) - return r -} - -func (r *Route) KeyIncludes(k, v string) *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - for _, val := range data.Message(payload).Get(k) { - if val == v { - return true - } - } - return false - }) - return r -} - -func (r *Route) NoKey(k string) *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - return len(data.Message(payload).Get(k)) == 0 - }) - return r -} - -func (r *Route) KeyExists(k string) *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - return data.Message(payload).Get(k) != nil - }) - return r -} - -func (r *Route) Passthrough(dst Sender) *Route { - r.handler = func(payload []byte, attachment *os.File) error { - return dst.Send(payload, attachment) - } - return r -} - -func (r *Route) All() *Route { - r.rules = append(r.rules, func(payload []byte, attachment *os.File) bool { - return true - }) - return r -} - -func (r *Route) Handler(h func([]byte, *os.File) error) *Route { - r.handler = h - return r -} diff --git a/pkg/beam/router_test.go b/pkg/beam/router_test.go deleted file mode 100644 index f7f7bf1d2d..0000000000 --- a/pkg/beam/router_test.go +++ /dev/null @@ -1,95 +0,0 @@ -package beam - -import ( - "fmt" - "io/ioutil" - "os" - "sync" - "testing" -) - -type msg struct { - payload []byte - attachment *os.File -} - -func (m msg) String() string { - return MsgDesc(m.payload, m.attachment) -} - -type mockReceiver []msg - -func (r *mockReceiver) Send(p []byte, a *os.File) error { - (*r) = append((*r), msg{p, a}) - return nil -} - -func TestSendNoSinkNoRoute(t *testing.T) { - r := NewRouter(nil) - if err := r.Send([]byte("hello"), nil); err == nil { - t.Fatalf("error expected") - } - a, b, err := os.Pipe() - if err != nil { - t.Fatal(err) - } - defer a.Close() - defer b.Close() - if err := r.Send([]byte("foo bar baz"), a); err == nil { - t.Fatalf("error expected") - } -} - -func TestSendSinkNoRoute(t *testing.T) { - var sink mockReceiver - r := NewRouter(&sink) - if err := r.Send([]byte("hello"), nil); err != nil { - t.Fatal(err) - } - a, b, err := os.Pipe() - if err != nil { - t.Fatal(err) - } - defer a.Close() - defer b.Close() - if err := r.Send([]byte("world"), a); err != nil { - t.Fatal(err) - } - if len(sink) != 2 { - t.Fatalf("%#v\n", sink) - } - if string(sink[0].payload) != "hello" { - t.Fatalf("%#v\n", sink) - } - if sink[0].attachment != nil { - t.Fatalf("%#v\n", sink) - } - if string(sink[1].payload) != "world" { - t.Fatalf("%#v\n", sink) - } - if sink[1].attachment == nil || sink[1].attachment.Fd() > 42 || sink[1].attachment.Fd() < 0 { - t.Fatalf("%v\n", sink) - } - var tasks sync.WaitGroup - tasks.Add(2) - go func() { - defer tasks.Done() - fmt.Printf("[%d] Reading from '%d'\n", os.Getpid(), sink[1].attachment.Fd()) - data, err := ioutil.ReadAll(sink[1].attachment) - if err != nil { - t.Fatal(err) - } - if string(data) != "foo bar\n" { - t.Fatalf("%v\n", string(data)) - } - }() - go func() { - defer tasks.Done() - fmt.Printf("[%d] writing to '%d'\n", os.Getpid(), a.Fd()) - if _, err := fmt.Fprintf(b, "foo bar\n"); err != nil { - t.Fatal(err) - } - b.Close() - }() - tasks.Wait() -} diff --git a/pkg/beam/service.go b/pkg/beam/service.go deleted file mode 100644 index 8e117059cb..0000000000 --- a/pkg/beam/service.go +++ /dev/null @@ -1,85 +0,0 @@ -package beam - -import ( - "net" -) - -// Listen is a convenience interface for applications to create service endpoints -// which can be easily used with existing networking code. -// -// Listen registers a new service endpoint on the beam connection `conn`, using the -// service name `name`. It returns a listener which can be used in the usual -// way. Calling Accept() on the listener will block until a new connection is available -// on the service endpoint. The endpoint is then returned as a regular net.Conn and -// can be used as a regular network connection. -// -// Note that if the underlying file descriptor received in attachment is nil or does -// not point to a connection, that message will be skipped. -// -func Listen(conn Sender, name string) (net.Listener, error) { - endpoint, err := SendConn(conn, []byte(name)) - if err != nil { - return nil, err - } - return &listener{ - name: name, - endpoint: endpoint, - }, nil -} - -func Connect(ctx *UnixConn, name string) (net.Conn, error) { - l, err := Listen(ctx, name) - if err != nil { - return nil, err - } - conn, err := l.Accept() - if err != nil { - return nil, err - } - return conn, nil -} - -type listener struct { - name string - endpoint ReceiveCloser -} - -func (l *listener) Accept() (net.Conn, error) { - for { - _, f, err := l.endpoint.Receive() - if err != nil { - return nil, err - } - if f == nil { - // Skip empty attachments - continue - } - conn, err := net.FileConn(f) - if err != nil { - // Skip beam attachments which are not connections - // (for example might be a regular file, directory etc) - continue - } - return conn, nil - } - panic("impossibru!") - return nil, nil -} - -func (l *listener) Close() error { - return l.endpoint.Close() -} - -func (l *listener) Addr() net.Addr { - return addr(l.name) -} - -type addr string - -func (a addr) Network() string { - return "beam" -} - -func (a addr) String() string { - return string(a) -} diff --git a/pkg/beam/unix.go b/pkg/beam/unix.go deleted file mode 100644 index b2d0d94150..0000000000 --- a/pkg/beam/unix.go +++ /dev/null @@ -1,317 +0,0 @@ -package beam - -import ( - "bufio" - "fmt" - "net" - "os" - "syscall" -) - -func debugCheckpoint(msg string, args ...interface{}) { - if os.Getenv("DEBUG") == "" { - return - } - os.Stdout.Sync() - tty, _ := os.OpenFile("/dev/tty", os.O_RDWR, 0700) - fmt.Fprintf(tty, msg, args...) - bufio.NewScanner(tty).Scan() - tty.Close() -} - -type UnixConn struct { - *net.UnixConn - fds []*os.File -} - -// Framing: -// In order to handle framing in Send/Recieve, as these give frame -// boundaries we use a very simple 4 bytes header. It is a big endiand -// uint32 where the high bit is set if the message includes a file -// descriptor. The rest of the uint32 is the length of the next frame. -// We need the bit in order to be able to assign recieved fds to -// the right message, as multiple messages may be coalesced into -// a single recieve operation. -func makeHeader(data []byte, fds []int) ([]byte, error) { - header := make([]byte, 4) - - length := uint32(len(data)) - - if length > 0x7fffffff { - return nil, fmt.Errorf("Data to large") - } - - if len(fds) != 0 { - length = length | 0x80000000 - } - header[0] = byte((length >> 24) & 0xff) - header[1] = byte((length >> 16) & 0xff) - header[2] = byte((length >> 8) & 0xff) - header[3] = byte((length >> 0) & 0xff) - - return header, nil -} - -func parseHeader(header []byte) (uint32, bool) { - length := uint32(header[0])<<24 | uint32(header[1])<<16 | uint32(header[2])<<8 | uint32(header[3]) - hasFd := length&0x80000000 != 0 - length = length & ^uint32(0x80000000) - - return length, hasFd -} - -func FileConn(f *os.File) (*UnixConn, error) { - conn, err := net.FileConn(f) - if err != nil { - return nil, err - } - uconn, ok := conn.(*net.UnixConn) - if !ok { - conn.Close() - return nil, fmt.Errorf("%d: not a unix connection", f.Fd()) - } - return &UnixConn{UnixConn: uconn}, nil - -} - -// Send sends a new message on conn with data and f as payload and -// attachment, respectively. -// On success, f is closed -func (conn *UnixConn) Send(data []byte, f *os.File) error { - { - var fd int = -1 - if f != nil { - fd = int(f.Fd()) - } - debugCheckpoint("===DEBUG=== about to send '%s'[%d]. Hit enter to confirm: ", data, fd) - } - var fds []int - if f != nil { - fds = append(fds, int(f.Fd())) - } - if err := conn.sendUnix(data, fds...); err != nil { - return err - } - - if f != nil { - f.Close() - } - return nil -} - -// Receive waits for a new message on conn, and receives its payload -// and attachment, or an error if any. -// -// If more than 1 file descriptor is sent in the message, they are all -// closed except for the first, which is the attachment. -// It is legal for a message to have no attachment or an empty payload. -func (conn *UnixConn) Receive() (rdata []byte, rf *os.File, rerr error) { - defer func() { - var fd int = -1 - if rf != nil { - fd = int(rf.Fd()) - } - debugCheckpoint("===DEBUG=== Receive() -> '%s'[%d]. Hit enter to continue.\n", rdata, fd) - }() - - // Read header - header := make([]byte, 4) - nRead := uint32(0) - - for nRead < 4 { - n, err := conn.receiveUnix(header[nRead:]) - if err != nil { - return nil, nil, err - } - nRead = nRead + uint32(n) - } - - length, hasFd := parseHeader(header) - - if hasFd { - if len(conn.fds) == 0 { - return nil, nil, fmt.Errorf("No expected file descriptor in message") - } - - rf = conn.fds[0] - conn.fds = conn.fds[1:] - } - - rdata = make([]byte, length) - - nRead = 0 - for nRead < length { - n, err := conn.receiveUnix(rdata[nRead:]) - if err != nil { - return nil, nil, err - } - nRead = nRead + uint32(n) - } - - return -} - -func (conn *UnixConn) receiveUnix(buf []byte) (int, error) { - oob := make([]byte, syscall.CmsgSpace(4)) - bufn, oobn, _, _, err := conn.ReadMsgUnix(buf, oob) - if err != nil { - return 0, err - } - fd := extractFd(oob[:oobn]) - if fd != -1 { - f := os.NewFile(uintptr(fd), "") - conn.fds = append(conn.fds, f) - } - - return bufn, nil -} - -func (conn *UnixConn) sendUnix(data []byte, fds ...int) error { - header, err := makeHeader(data, fds) - if err != nil { - return err - } - - // There is a bug in conn.WriteMsgUnix where it doesn't correctly return - // the number of bytes writte (http://code.google.com/p/go/issues/detail?id=7645) - // So, we can't rely on the return value from it. However, we must use it to - // send the fds. In order to handle this we only write one byte using WriteMsgUnix - // (when we have to), as that can only ever block or fully suceed. We then write - // the rest with conn.Write() - // The reader side should not rely on this though, as hopefully this gets fixed - // in go later. - written := 0 - if len(fds) != 0 { - oob := syscall.UnixRights(fds...) - wrote, _, err := conn.WriteMsgUnix(header[0:1], oob, nil) - if err != nil { - return err - } - written = written + wrote - } - - for written < len(header) { - wrote, err := conn.Write(header[written:]) - if err != nil { - return err - } - written = written + wrote - } - - written = 0 - for written < len(data) { - wrote, err := conn.Write(data[written:]) - if err != nil { - return err - } - written = written + wrote - } - - return nil -} - -func extractFd(oob []byte) int { - // Grab forklock to make sure no forks accidentally inherit the new - // fds before they are made CLOEXEC - // There is a slight race condition between ReadMsgUnix returns and - // when we grap the lock, so this is not perfect. Unfortunately - // There is no way to pass MSG_CMSG_CLOEXEC to recvmsg() nor any - // way to implement non-blocking i/o in go, so this is hard to fix. - syscall.ForkLock.Lock() - defer syscall.ForkLock.Unlock() - scms, err := syscall.ParseSocketControlMessage(oob) - if err != nil { - return -1 - } - - foundFd := -1 - for _, scm := range scms { - fds, err := syscall.ParseUnixRights(&scm) - if err != nil { - continue - } - - for _, fd := range fds { - if foundFd == -1 { - syscall.CloseOnExec(fd) - foundFd = fd - } else { - syscall.Close(fd) - } - } - } - - return foundFd -} - -func socketpair() ([2]int, error) { - return syscall.Socketpair(syscall.AF_LOCAL, syscall.SOCK_STREAM|syscall.FD_CLOEXEC, 0) -} - -// SocketPair is a convenience wrapper around the socketpair(2) syscall. -// It returns a unix socket of type SOCK_STREAM in the form of 2 file descriptors -// not bound to the underlying filesystem. -// Messages sent on one end are received on the other, and vice-versa. -// It is the caller's responsibility to close both ends. -func SocketPair() (a *os.File, b *os.File, err error) { - defer func() { - var ( - fdA int = -1 - fdB int = -1 - ) - if a != nil { - fdA = int(a.Fd()) - } - if b != nil { - fdB = int(b.Fd()) - } - debugCheckpoint("===DEBUG=== SocketPair() = [%d-%d]. Hit enter to confirm: ", fdA, fdB) - }() - pair, err := socketpair() - if err != nil { - return nil, nil, err - } - return os.NewFile(uintptr(pair[0]), ""), os.NewFile(uintptr(pair[1]), ""), nil -} - -func USocketPair() (*UnixConn, *UnixConn, error) { - debugCheckpoint("===DEBUG=== USocketPair(). Hit enter to confirm: ") - defer debugCheckpoint("===DEBUG=== USocketPair() returned. Hit enter to confirm ") - a, b, err := SocketPair() - if err != nil { - return nil, nil, err - } - defer a.Close() - defer b.Close() - uA, err := FileConn(a) - if err != nil { - return nil, nil, err - } - uB, err := FileConn(b) - if err != nil { - uA.Close() - return nil, nil, err - } - return uA, uB, nil -} - -// FdConn wraps a file descriptor in a standard *net.UnixConn object, or -// returns an error if the file descriptor does not point to a unix socket. -// This creates a duplicate file descriptor. It's the caller's responsibility -// to close both. -func FdConn(fd int) (n *net.UnixConn, err error) { - { - debugCheckpoint("===DEBUG=== FdConn([%d]) = (unknown fd). Hit enter to confirm: ", fd) - } - f := os.NewFile(uintptr(fd), fmt.Sprintf("%d", fd)) - conn, err := net.FileConn(f) - if err != nil { - return nil, err - } - uconn, ok := conn.(*net.UnixConn) - if !ok { - conn.Close() - return nil, fmt.Errorf("%d: not a unix connection", fd) - } - return uconn, nil -} diff --git a/pkg/beam/unix_test.go b/pkg/beam/unix_test.go deleted file mode 100644 index 976f089c23..0000000000 --- a/pkg/beam/unix_test.go +++ /dev/null @@ -1,237 +0,0 @@ -package beam - -import ( - "fmt" - "io/ioutil" - "testing" -) - -func TestSocketPair(t *testing.T) { - a, b, err := SocketPair() - if err != nil { - t.Fatal(err) - } - go func() { - a.Write([]byte("hello world!")) - fmt.Printf("done writing. closing\n") - a.Close() - fmt.Printf("done closing\n") - }() - data, err := ioutil.ReadAll(b) - if err != nil { - t.Fatal(err) - } - fmt.Printf("--> %s\n", data) - fmt.Printf("still open: %v\n", a.Fd()) -} - -func TestUSocketPair(t *testing.T) { - a, b, err := USocketPair() - if err != nil { - t.Fatal(err) - } - - data := "hello world!" - go func() { - a.Write([]byte(data)) - a.Close() - }() - res := make([]byte, 1024) - size, err := b.Read(res) - if err != nil { - t.Fatal(err) - } - if size != len(data) { - t.Fatal("Unexpected size") - } - if string(res[0:size]) != data { - t.Fatal("Unexpected data") - } -} - -func TestSendUnixSocket(t *testing.T) { - a1, a2, err := USocketPair() - if err != nil { - t.Fatal(err) - } - // defer a1.Close() - // defer a2.Close() - b1, b2, err := USocketPair() - if err != nil { - t.Fatal(err) - } - // defer b1.Close() - // defer b2.Close() - glueA, glueB, err := SocketPair() - if err != nil { - t.Fatal(err) - } - // defer glueA.Close() - // defer glueB.Close() - go func() { - err := b2.Send([]byte("a"), glueB) - if err != nil { - t.Fatal(err) - } - }() - go func() { - err := a2.Send([]byte("b"), glueA) - if err != nil { - t.Fatal(err) - } - }() - connAhdr, connA, err := a1.Receive() - if err != nil { - t.Fatal(err) - } - if string(connAhdr) != "b" { - t.Fatalf("unexpected: %s", connAhdr) - } - connBhdr, connB, err := b1.Receive() - if err != nil { - t.Fatal(err) - } - if string(connBhdr) != "a" { - t.Fatalf("unexpected: %s", connBhdr) - } - fmt.Printf("received both ends: %v <-> %v\n", connA.Fd(), connB.Fd()) - go func() { - fmt.Printf("sending message on %v\n", connA.Fd()) - connA.Write([]byte("hello world")) - connA.Sync() - fmt.Printf("closing %v\n", connA.Fd()) - connA.Close() - }() - data, err := ioutil.ReadAll(connB) - if err != nil { - t.Fatal(err) - } - fmt.Printf("---> %s\n", data) - -} - -// Ensure we get proper segmenting of messages -func TestSendSegmenting(t *testing.T) { - a, b, err := USocketPair() - if err != nil { - t.Fatal(err) - } - defer a.Close() - defer b.Close() - - extrafd1, extrafd2, err := SocketPair() - if err != nil { - t.Fatal(err) - } - extrafd2.Close() - - go func() { - a.Send([]byte("message 1"), nil) - a.Send([]byte("message 2"), extrafd1) - a.Send([]byte("message 3"), nil) - }() - - msg1, file1, err := b.Receive() - if err != nil { - t.Fatal(err) - } - if string(msg1) != "message 1" { - t.Fatal("unexpected msg1:", string(msg1)) - } - if file1 != nil { - t.Fatal("unexpectedly got file1") - } - - msg2, file2, err := b.Receive() - if err != nil { - t.Fatal(err) - } - if string(msg2) != "message 2" { - t.Fatal("unexpected msg2:", string(msg2)) - } - if file2 == nil { - t.Fatal("didn't get file2") - } - file2.Close() - - msg3, file3, err := b.Receive() - if err != nil { - t.Fatal(err) - } - if string(msg3) != "message 3" { - t.Fatal("unexpected msg3:", string(msg3)) - } - if file3 != nil { - t.Fatal("unexpectedly got file3") - } - -} - -// Test sending a zero byte message -func TestSendEmpty(t *testing.T) { - a, b, err := USocketPair() - if err != nil { - t.Fatal(err) - } - defer a.Close() - defer b.Close() - go func() { - a.Send([]byte{}, nil) - }() - - msg, file, err := b.Receive() - if err != nil { - t.Fatal(err) - } - if len(msg) != 0 { - t.Fatalf("unexpected non-empty message: %v", msg) - } - if file != nil { - t.Fatal("unexpectedly got file") - } - -} - -func makeLarge(size int) []byte { - res := make([]byte, size) - for i := range res { - res[i] = byte(i % 255) - } - return res -} - -func verifyLarge(data []byte, size int) bool { - if len(data) != size { - return false - } - for i := range data { - if data[i] != byte(i%255) { - return false - } - } - return true -} - -// Test sending a large message -func TestSendLarge(t *testing.T) { - a, b, err := USocketPair() - if err != nil { - t.Fatal(err) - } - defer a.Close() - defer b.Close() - go func() { - a.Send(makeLarge(100000), nil) - }() - - msg, file, err := b.Receive() - if err != nil { - t.Fatal(err) - } - if !verifyLarge(msg, 100000) { - t.Fatalf("unexpected message (size %d)", len(msg)) - } - if file != nil { - t.Fatal("unexpectedly got file") - } -} diff --git a/pkg/graphdb/graphdb.go b/pkg/graphdb/graphdb.go index 46a23b1e7b..d0e049b07f 100644 --- a/pkg/graphdb/graphdb.go +++ b/pkg/graphdb/graphdb.go @@ -64,6 +64,11 @@ func IsNonUniqueNameError(err error) bool { if strings.Contains(str, "UNIQUE constraint failed") && strings.Contains(str, "edge.name") { return true } + // sqlite-3.6.20-1.el6 returns: + // Set failure: Abort due to constraint violation: constraint failed + if strings.HasSuffix(str, "constraint failed") { + return true + } return false } diff --git a/pkg/graphdb/graphdb_test.go b/pkg/graphdb/graphdb_test.go index 0c3e8670e0..8cddd0bf48 100644 --- a/pkg/graphdb/graphdb_test.go +++ b/pkg/graphdb/graphdb_test.go @@ -1,13 +1,14 @@ package graphdb import ( - _ "code.google.com/p/gosqlite/sqlite3" "database/sql" "fmt" "os" "path" "strconv" "testing" + + _ "code.google.com/p/gosqlite/sqlite3" ) func newTestDb(t *testing.T) (*Database, string) { @@ -535,6 +536,6 @@ func TestConcurrentWrites(t *testing.T) { } } if any { - t.Fatal() + t.Fail() } } diff --git a/pkg/libcontainer/MAINTAINERS b/pkg/libcontainer/MAINTAINERS deleted file mode 100644 index 41f04602ee..0000000000 --- a/pkg/libcontainer/MAINTAINERS +++ /dev/null @@ -1,4 +0,0 @@ -Michael Crosby (@crosbymichael) -Guillaume J. Charmes (@creack) -Rohit Jnagal (@rjnagal) -Victor Marmol (@vmarmol) diff --git a/pkg/libcontainer/TODO.md b/pkg/libcontainer/TODO.md deleted file mode 100644 index 87224db85d..0000000000 --- a/pkg/libcontainer/TODO.md +++ /dev/null @@ -1,11 +0,0 @@ -#### goals -* small and simple - line count is not everything but less code is better -* provide primitives for working with namespaces not cater to every option -* extend via configuration not by features - host networking, no networking, veth network can be accomplished via adjusting the container.json, nothing to do with code - -#### tasks -* reexec or raw syscalls for new process in existing container -* example configs for different setups (host networking, boot init) -* improve pkg documentation with comments -* testing - this is hard in a low level pkg but we could do some, maybe -* selinux diff --git a/pkg/libcontainer/container.json b/pkg/libcontainer/container.json deleted file mode 100644 index 7448a077e0..0000000000 --- a/pkg/libcontainer/container.json +++ /dev/null @@ -1,107 +0,0 @@ -{ - "namespaces": { - "NEWNET": true, - "NEWPID": true, - "NEWIPC": true, - "NEWUTS": true, - "NEWNS": true - }, - "networks": [ - { - "gateway": "localhost", - "type": "loopback", - "address": "127.0.0.1/0", - "mtu": 1500 - }, - { - "gateway": "172.17.42.1", - "context": { - "prefix": "veth", - "bridge": "docker0" - }, - "type": "veth", - "address": "172.17.42.2/16", - "mtu": 1500 - } - ], - "routes": [ - { - "gateway": "172.17.42.1", - "interface_name": "eth0" - }, - { - "destination": "192.168.0.0/24", - "interface_name": "eth0" - } - ], - "capabilities": [ - "MKNOD" - ], - "cgroups": { - "name": "docker-koye", - "parent": "docker" - }, - "hostname": "koye", - "environment": [ - "HOME=/", - "PATH=PATH=$PATH:/bin:/usr/bin:/sbin:/usr/sbin", - "container=docker", - "TERM=xterm-256color" - ], - "tty": true, - "mounts": [ - { - "type": "devtmpfs" - } - ], - "device_nodes": [ - { - "path": "/dev/null", - "type": 99, - "major_number": 1, - "minor_number": 3, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/zero", - "type": 99, - "major_number": 1, - "minor_number": 5, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/full", - "type": 99, - "major_number": 1, - "minor_number": 7, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/tty", - "type": 99, - "major_number": 5, - "minor_number": 0, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/urandom", - "type": 99, - "major_number": 1, - "minor_number": 9, - "cgroup_permissions": "rwm", - "file_mode": 438 - }, - { - "path": "/dev/random", - "type": 99, - "major_number": 1, - "minor_number": 8, - "cgroup_permissions": "rwm", - "file_mode": 438 - } - ] -} diff --git a/pkg/mflag/example/example.go b/pkg/mflag/example/example.go index 2d78baa172..8af8ff9cf4 100644 --- a/pkg/mflag/example/example.go +++ b/pkg/mflag/example/example.go @@ -28,8 +28,8 @@ func main() { flag.PrintDefaults() } else { fmt.Printf("s/#hidden/-string: %s\n", str) - fmt.Printf("b: %b\n", b) - fmt.Printf("-bool: %b\n", b2) + fmt.Printf("b: %t\n", b) + fmt.Printf("-bool: %t\n", b2) fmt.Printf("s/#hidden/-string(via lookup): %s\n", flag.Lookup("s").Value.String()) fmt.Printf("ARGS: %v\n", flag.Args()) } diff --git a/pkg/mflag/flag.go b/pkg/mflag/flag.go index 2cfef331f6..ad23e540fb 100644 --- a/pkg/mflag/flag.go +++ b/pkg/mflag/flag.go @@ -778,6 +778,9 @@ func (f *FlagSet) usage() { } func trimQuotes(str string) string { + if len(str) == 0 { + return str + } type quote struct { start, end byte } diff --git a/pkg/signal/MAINTAINERS b/pkg/signal/MAINTAINERS deleted file mode 100644 index acf6f21b63..0000000000 --- a/pkg/signal/MAINTAINERS +++ /dev/null @@ -1 +0,0 @@ -Guillaume J. Charmes (@creack) diff --git a/pkg/sysinfo/MAINTAINERS b/pkg/sysinfo/MAINTAINERS index dcc038e7f3..1e998f8ac1 100644 --- a/pkg/sysinfo/MAINTAINERS +++ b/pkg/sysinfo/MAINTAINERS @@ -1,2 +1 @@ Michael Crosby (@crosbymichael) -Guillaume J. Charmes (@creack) diff --git a/pkg/sysinfo/sysinfo.go b/pkg/sysinfo/sysinfo.go index bdc192b913..0c28719f61 100644 --- a/pkg/sysinfo/sysinfo.go +++ b/pkg/sysinfo/sysinfo.go @@ -6,7 +6,7 @@ import ( "os" "path" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type SysInfo struct { diff --git a/pkg/system/MAINTAINERS b/pkg/system/MAINTAINERS index 1cb551364d..1e998f8ac1 100644 --- a/pkg/system/MAINTAINERS +++ b/pkg/system/MAINTAINERS @@ -1,2 +1 @@ Michael Crosby (@crosbymichael) -Guillaume J. Charmes (@creack) diff --git a/pkg/system/calls_linux.go b/pkg/system/calls_linux.go index 6986051e1d..125fd25956 100644 --- a/pkg/system/calls_linux.go +++ b/pkg/system/calls_linux.go @@ -116,6 +116,13 @@ func Mknod(path string, mode uint32, dev int) error { return syscall.Mknod(path, mode, dev) } +func Prctl(option int, arg2, arg3, arg4, arg5 uintptr) error { + if _, _, err := syscall.Syscall6(syscall.SYS_PRCTL, uintptr(option), arg2, arg3, arg4, arg5, 0); err != 0 { + return err + } + return nil +} + func ParentDeathSignal(sig uintptr) error { if _, _, err := syscall.RawSyscall(syscall.SYS_PRCTL, syscall.PR_SET_PDEATHSIG, sig, 0); err != 0 { return err diff --git a/pkg/system/unsupported.go b/pkg/system/unsupported.go index 96ebc858f5..aea4b69f97 100644 --- a/pkg/system/unsupported.go +++ b/pkg/system/unsupported.go @@ -28,3 +28,11 @@ func GetClockTicks() int { func CreateMasterAndConsole() (*os.File, string, error) { return nil, "", ErrNotSupportedPlatform } + +func SetKeepCaps() error { + return ErrNotSupportedPlatform +} + +func ClearKeepCaps() error { + return ErrNotSupportedPlatform +} diff --git a/pkg/system/utimes_darwin.go b/pkg/system/utimes_darwin.go new file mode 100644 index 0000000000..4c6002fe8e --- /dev/null +++ b/pkg/system/utimes_darwin.go @@ -0,0 +1,11 @@ +package system + +import "syscall" + +func LUtimesNano(path string, ts []syscall.Timespec) error { + return ErrNotSupportedPlatform +} + +func UtimesNano(path string, ts []syscall.Timespec) error { + return syscall.UtimesNano(path, ts) +} diff --git a/pkg/system/utimes_linux.go b/pkg/system/utimes_linux.go index c00f4026a5..8f90298271 100644 --- a/pkg/system/utimes_linux.go +++ b/pkg/system/utimes_linux.go @@ -24,8 +24,5 @@ func LUtimesNano(path string, ts []syscall.Timespec) error { } func UtimesNano(path string, ts []syscall.Timespec) error { - if err := syscall.UtimesNano(path, ts); err != nil { - return err - } - return nil + return syscall.UtimesNano(path, ts) } diff --git a/pkg/system/utimes_unsupported.go b/pkg/system/utimes_unsupported.go index 9a8cf9cd4a..adf2734f27 100644 --- a/pkg/system/utimes_unsupported.go +++ b/pkg/system/utimes_unsupported.go @@ -1,4 +1,4 @@ -// +build !linux,!freebsd +// +build !linux,!freebsd,!darwin package system diff --git a/pkg/term/MAINTAINERS b/pkg/term/MAINTAINERS index 15b8ac3729..1887dfc232 100644 --- a/pkg/term/MAINTAINERS +++ b/pkg/term/MAINTAINERS @@ -1,2 +1 @@ -Guillaume J. Charmes (@creack) Solomon Hykes (@shykes) diff --git a/registry/registry.go b/registry/registry.go index e91e7d12ba..24c55125ce 100644 --- a/registry/registry.go +++ b/registry/registry.go @@ -37,12 +37,12 @@ func pingRegistryEndpoint(endpoint string) (RegistryInfo, error) { } httpDial := func(proto string, addr string) (net.Conn, error) { // Set the connect timeout to 5 seconds - conn, err := net.DialTimeout(proto, addr, time.Duration(5)*time.Second) + conn, err := net.DialTimeout(proto, addr, 5*time.Second) if err != nil { return nil, err } // Set the recv timeout to 10 seconds - conn.SetDeadline(time.Now().Add(time.Duration(10) * time.Second)) + conn.SetDeadline(time.Now().Add(10 * time.Second)) return conn, nil } httpTransport := &http.Transport{ @@ -801,7 +801,7 @@ func NewRegistry(authConfig *AuthConfig, factory *utils.HTTPRequestFactory, inde if err != nil { return nil, err } - conn = utils.NewTimeoutConn(conn, time.Duration(1)*time.Minute) + conn = utils.NewTimeoutConn(conn, 1*time.Minute) return conn, nil } } diff --git a/registry/registry_test.go b/registry/registry_test.go index 2aae80edac..5cec059505 100644 --- a/registry/registry_test.go +++ b/registry/registry_test.go @@ -264,7 +264,7 @@ func TestAddRequiredHeadersToRedirectedRequests(t *testing.T) { AddRequiredHeadersToRedirectedRequests(reqTo, []*http.Request{reqFrom}) if len(reqTo.Header) != 1 { - t.Fatal("Expected 1 headers, got %d", len(reqTo.Header)) + t.Fatalf("Expected 1 headers, got %d", len(reqTo.Header)) } if reqTo.Header.Get("Content-Type") != "application/json" { @@ -288,7 +288,7 @@ func TestAddRequiredHeadersToRedirectedRequests(t *testing.T) { AddRequiredHeadersToRedirectedRequests(reqTo, []*http.Request{reqFrom}) if len(reqTo.Header) != 2 { - t.Fatal("Expected 2 headers, got %d", len(reqTo.Header)) + t.Fatalf("Expected 2 headers, got %d", len(reqTo.Header)) } if reqTo.Header.Get("Content-Type") != "application/json" { diff --git a/runconfig/parse.go b/runconfig/parse.go index 0fa287adb1..5bb065421c 100644 --- a/runconfig/parse.go +++ b/runconfig/parse.go @@ -18,7 +18,7 @@ var ( ErrInvalidWorkingDirectory = fmt.Errorf("The working directory is invalid. It needs to be an absolute path.") ErrConflictAttachDetach = fmt.Errorf("Conflicting options: -a and -d") ErrConflictDetachAutoRemove = fmt.Errorf("Conflicting options: --rm and -d") - ErrConflictNetworkHostname = fmt.Errorf("Conflicting options: -h and --net") + ErrConflictNetworkHostname = fmt.Errorf("Conflicting options: -h and the network mode (--net)") ) //FIXME Only used in tests @@ -65,7 +65,7 @@ func parseRun(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Conf flWorkingDir = cmd.String([]string{"w", "-workdir"}, "", "Working directory inside the container") flCpuShares = cmd.Int64([]string{"c", "-cpu-shares"}, 0, "CPU shares (relative weight)") flCpuset = cmd.String([]string{"-cpuset"}, "", "CPUs in which to allow execution (0-3, 0,1)") - flNetMode = cmd.String([]string{"-net"}, "bridge", "Set the Network mode for the container\n'bridge': creates a new network stack for the container on the docker bridge\n'none': no networking for this container\n'container:': reuses another container network stack\n'host': use the host network stack inside the contaner") + flNetMode = cmd.String([]string{"-net"}, "bridge", "Set the Network mode for the container\n'bridge': creates a new network stack for the container on the docker bridge\n'none': no networking for this container\n'container:': reuses another container network stack\n'host': use the host network stack inside the contaner. Note: the host mode gives the container full access to local system services such as D-bus and is therefore considered insecure.") // For documentation purpose _ = cmd.Bool([]string{"#sig-proxy", "-sig-proxy"}, true, "Proxify all received signal to the process (even in non-tty mode)") _ = cmd.String([]string{"#name", "-name"}, "", "Assign a name to the container") @@ -104,7 +104,7 @@ func parseRun(cmd *flag.FlagSet, args []string, sysInfo *sysinfo.SysInfo) (*Conf return nil, nil, cmd, ErrConflictDetachAutoRemove } - if *flNetMode != "bridge" && *flHostname != "" { + if *flNetMode != "bridge" && *flNetMode != "none" && *flHostname != "" { return nil, nil, cmd, ErrConflictNetworkHostname } diff --git a/runconfig/parse_test.go b/runconfig/parse_test.go index 8ad40b9d2d..88fa0dd542 100644 --- a/runconfig/parse_test.go +++ b/runconfig/parse_test.go @@ -22,3 +22,29 @@ func TestParseLxcConfOpt(t *testing.T) { } } } + +func TestNetHostname(t *testing.T) { + if _, _, _, err := Parse([]string{"-h=name", "img", "cmd"}, nil); err != nil { + t.Fatal("Unexpected error: %s", err) + } + + if _, _, _, err := Parse([]string{"--net=host", "img", "cmd"}, nil); err != nil { + t.Fatal("Unexpected error: %s", err) + } + + if _, _, _, err := Parse([]string{"-h=name", "--net=bridge", "img", "cmd"}, nil); err != nil { + t.Fatal("Unexpected error: %s", err) + } + + if _, _, _, err := Parse([]string{"-h=name", "--net=none", "img", "cmd"}, nil); err != nil { + t.Fatal("Unexpected error: %s", err) + } + + if _, _, _, err := Parse([]string{"-h=name", "--net=host", "img", "cmd"}, nil); err != ErrConflictNetworkHostname { + t.Fatal("Expected error ErrConflictNetworkHostname, got: %s", err) + } + + if _, _, _, err := Parse([]string{"-h=name", "--net=container:other", "img", "cmd"}, nil); err != ErrConflictNetworkHostname { + t.Fatal("Expected error ErrConflictNetworkHostname, got: %s", err) + } +} diff --git a/server/buildfile.go b/server/buildfile.go index 26fc49890a..5b94c9423a 100644 --- a/server/buildfile.go +++ b/server/buildfile.go @@ -123,7 +123,12 @@ func (b *buildFile) CmdFrom(name string) error { if nTriggers := len(b.config.OnBuild); nTriggers != 0 { fmt.Fprintf(b.errStream, "# Executing %d build triggers\n", nTriggers) } - for n, step := range b.config.OnBuild { + + // Copy the ONBUILD triggers, and remove them from the config, since the config will be commited. + onBuildTriggers := b.config.OnBuild + b.config.OnBuild = []string{} + + for n, step := range onBuildTriggers { splitStep := strings.Split(step, " ") stepInstruction := strings.ToUpper(strings.Trim(splitStep[0], " ")) switch stepInstruction { @@ -136,7 +141,6 @@ func (b *buildFile) CmdFrom(name string) error { return err } } - b.config.OnBuild = []string{} return nil } diff --git a/server/server.go b/server/server.go index af62db879d..d28059fe56 100644 --- a/server/server.go +++ b/server/server.go @@ -117,7 +117,6 @@ func InitServer(job *engine.Job) engine.Status { job.Eng.Hack_SetGlobalVar("httpapi.server", srv) job.Eng.Hack_SetGlobalVar("httpapi.daemon", srv.daemon) - // FIXME: 'insert' is deprecated and should be removed in a future version. for name, handler := range map[string]engine.Handler{ "export": srv.ContainerExport, "create": srv.ContainerCreate, @@ -248,85 +247,63 @@ func (srv *Server) ContainerKill(job *engine.Job) engine.Status { return engine.StatusOK } -func (srv *Server) EvictListener(from int64) { - srv.Lock() - if old, ok := srv.listeners[from]; ok { - delete(srv.listeners, from) - close(old) - } - srv.Unlock() -} - func (srv *Server) Events(job *engine.Job) engine.Status { if len(job.Args) != 0 { return job.Errorf("Usage: %s", job.Name) } var ( - from = time.Now().UTC().UnixNano() since = job.GetenvInt64("since") until = job.GetenvInt64("until") timeout = time.NewTimer(time.Unix(until, 0).Sub(time.Now())) ) - sendEvent := func(event *utils.JSONMessage) error { - b, err := json.Marshal(event) - if err != nil { - return fmt.Errorf("JSON error") - } - _, err = job.Stdout.Write(b) - return err + + // If no until, disable timeout + if until == 0 { + timeout.Stop() } listener := make(chan utils.JSONMessage) - srv.Lock() - if old, ok := srv.listeners[from]; ok { - delete(srv.listeners, from) - close(old) + srv.eventPublisher.Subscribe(listener) + defer srv.eventPublisher.Unsubscribe(listener) + + // When sending an event JSON serialization errors are ignored, but all + // other errors lead to the eviction of the listener. + sendEvent := func(event *utils.JSONMessage) error { + if b, err := json.Marshal(event); err == nil { + if _, err = job.Stdout.Write(b); err != nil { + return err + } + } + return nil } - srv.listeners[from] = listener - srv.Unlock() - job.Stdout.Write(nil) // flush + + job.Stdout.Write(nil) + + // Resend every event in the [since, until] time interval. if since != 0 { - // If since, send previous events that happened after the timestamp and until timestamp for _, event := range srv.GetEvents() { if event.Time >= since && (event.Time <= until || until == 0) { - err := sendEvent(&event) - if err != nil && err.Error() == "JSON error" { - continue - } - if err != nil { - // On error, evict the listener - srv.EvictListener(from) + if err := sendEvent(&event); err != nil { return job.Error(err) } } } } - // If no until, disable timeout - if until == 0 { - timeout.Stop() - } for { select { case event, ok := <-listener: - if !ok { // Channel is closed: listener was evicted + if !ok { return engine.StatusOK } - err := sendEvent(&event) - if err != nil && err.Error() == "JSON error" { - continue - } - if err != nil { - // On error, evict the listener - srv.EvictListener(from) + if err := sendEvent(&event); err != nil { return job.Error(err) } case <-timeout.C: return engine.StatusOK } } - return engine.StatusOK } func (srv *Server) ContainerExport(job *engine.Job) engine.Status { @@ -797,7 +774,7 @@ func (srv *Server) DockerInfo(job *engine.Job) engine.Status { v.SetInt("NFd", utils.GetTotalUsedFds()) v.SetInt("NGoroutines", runtime.NumGoroutine()) v.Set("ExecutionDriver", srv.daemon.ExecutionDriver().Name()) - v.SetInt("NEventsListener", len(srv.listeners)) + v.SetInt("NEventsListener", srv.eventPublisher.SubscribersCount()) v.Set("KernelVersion", kernelVersion) v.Set("IndexServerAddress", registry.IndexServerAddress()) v.Set("InitSha1", dockerversion.INITSHA1) @@ -840,7 +817,6 @@ func (srv *Server) ImageHistory(job *engine.Job) engine.Status { outs.Add(out) return nil }) - outs.ReverseSort() if _, err := outs.WriteListTo(job.Stdout); err != nil { return job.Error(err) } @@ -2387,12 +2363,12 @@ func NewServer(eng *engine.Engine, config *daemonconfig.Config) (*Server, error) return nil, err } srv := &Server{ - Eng: eng, - daemon: daemon, - pullingPool: make(map[string]chan struct{}), - pushingPool: make(map[string]chan struct{}), - events: make([]utils.JSONMessage, 0, 64), //only keeps the 64 last events - listeners: make(map[int64]chan utils.JSONMessage), + Eng: eng, + daemon: daemon, + pullingPool: make(map[string]chan struct{}), + pushingPool: make(map[string]chan struct{}), + events: make([]utils.JSONMessage, 0, 64), //only keeps the 64 last events + eventPublisher: utils.NewJSONMessagePublisher(), } daemon.SetServer(srv) return srv, nil @@ -2402,12 +2378,7 @@ func (srv *Server) LogEvent(action, id, from string) *utils.JSONMessage { now := time.Now().UTC().Unix() jm := utils.JSONMessage{Status: action, ID: id, From: from, Time: now} srv.AddEvent(jm) - for _, c := range srv.listeners { - select { // non blocking channel - case c <- jm: - default: - } - } + srv.eventPublisher.Publish(jm) return &jm } @@ -2459,12 +2430,12 @@ func (srv *Server) Close() error { type Server struct { sync.RWMutex - daemon *daemon.Daemon - pullingPool map[string]chan struct{} - pushingPool map[string]chan struct{} - events []utils.JSONMessage - listeners map[int64]chan utils.JSONMessage - Eng *engine.Engine - running bool - tasks sync.WaitGroup + daemon *daemon.Daemon + pullingPool map[string]chan struct{} + pushingPool map[string]chan struct{} + events []utils.JSONMessage + eventPublisher *utils.JSONMessagePublisher + Eng *engine.Engine + running bool + tasks sync.WaitGroup } diff --git a/server/server_unit_test.go b/server/server_unit_test.go index 47e4be8280..e6c5d49b82 100644 --- a/server/server_unit_test.go +++ b/server/server_unit_test.go @@ -47,16 +47,14 @@ func TestPools(t *testing.T) { func TestLogEvent(t *testing.T) { srv := &Server{ - events: make([]utils.JSONMessage, 0, 64), - listeners: make(map[int64]chan utils.JSONMessage), + events: make([]utils.JSONMessage, 0, 64), + eventPublisher: utils.NewJSONMessagePublisher(), } srv.LogEvent("fakeaction", "fakeid", "fakeimage") listener := make(chan utils.JSONMessage) - srv.Lock() - srv.listeners[1337] = listener - srv.Unlock() + srv.eventPublisher.Subscribe(listener) srv.LogEvent("fakeaction2", "fakeid", "fakeimage") diff --git a/utils/jsonmessage.go b/utils/jsonmessage.go index d6546e3ee6..66fdcae5a8 100644 --- a/utils/jsonmessage.go +++ b/utils/jsonmessage.go @@ -87,7 +87,7 @@ func (jm *JSONMessage) Display(out io.Writer, isTerminal bool) error { return jm.Error } var endl string - if isTerminal && jm.Stream == "" { + if isTerminal && jm.Stream == "" && jm.Progress != nil { // [2K = erase entire current line fmt.Fprintf(out, "%c[2K\r", 27) endl = "\r" diff --git a/utils/jsonmessagepublisher.go b/utils/jsonmessagepublisher.go new file mode 100644 index 0000000000..659e6c8304 --- /dev/null +++ b/utils/jsonmessagepublisher.go @@ -0,0 +1,61 @@ +package utils + +import ( + "sync" + "time" +) + +func NewJSONMessagePublisher() *JSONMessagePublisher { + return &JSONMessagePublisher{} +} + +type JSONMessageListener chan<- JSONMessage + +type JSONMessagePublisher struct { + m sync.RWMutex + subscribers []JSONMessageListener +} + +func (p *JSONMessagePublisher) Subscribe(l JSONMessageListener) { + p.m.Lock() + p.subscribers = append(p.subscribers, l) + p.m.Unlock() +} + +func (p *JSONMessagePublisher) SubscribersCount() int { + p.m.RLock() + count := len(p.subscribers) + p.m.RUnlock() + return count +} + +// Unsubscribe closes and removes the specified listener from the list of +// previously registed ones. +// It returns a boolean value indicating if the listener was successfully +// found, closed and unregistered. +func (p *JSONMessagePublisher) Unsubscribe(l JSONMessageListener) bool { + p.m.Lock() + defer p.m.Unlock() + + for i, subscriber := range p.subscribers { + if subscriber == l { + close(l) + p.subscribers = append(p.subscribers[:i], p.subscribers[i+1:]...) + return true + } + } + return false +} + +func (p *JSONMessagePublisher) Publish(m JSONMessage) { + p.m.RLock() + for _, subscriber := range p.subscribers { + // We give each subscriber a 100ms time window to receive the event, + // after which we move to the next. + select { + case subscriber <- m: + case <-time.After(100 * time.Millisecond): + } + } + p.m.RUnlock() +} diff --git a/utils/jsonmessagepublisher_test.go b/utils/jsonmessagepublisher_test.go new file mode 100644 index 0000000000..2e1a820ca3 --- /dev/null +++ b/utils/jsonmessagepublisher_test.go @@ -0,0 +1,73 @@ +package utils + +import ( + "testing" + "time" +) + +func assertSubscribersCount(t *testing.T, q *JSONMessagePublisher, expected int) { + if q.SubscribersCount() != expected { + t.Fatalf("Expected %d registered subscribers, got %d", expected, q.SubscribersCount()) + } +} + +func TestJSONMessagePublisherSubscription(t *testing.T) { + q := NewJSONMessagePublisher() + l1 := make(chan JSONMessage) + l2 := make(chan JSONMessage) + + assertSubscribersCount(t, q, 0) + q.Subscribe(l1) + assertSubscribersCount(t, q, 1) + q.Subscribe(l2) + assertSubscribersCount(t, q, 2) + + q.Unsubscribe(l1) + q.Unsubscribe(l2) + assertSubscribersCount(t, q, 0) +} + +func TestJSONMessagePublisherPublish(t *testing.T) { + q := NewJSONMessagePublisher() + l1 := make(chan JSONMessage) + l2 := make(chan JSONMessage) + + go func() { + for { + select { + case <-l1: + close(l1) + l1 = nil + case <-l2: + close(l2) + l2 = nil + case <-time.After(1 * time.Second): + q.Unsubscribe(l1) + q.Unsubscribe(l2) + t.Fatal("Timeout waiting for broadcasted message") + } + } + }() + + q.Subscribe(l1) + q.Subscribe(l2) + q.Publish(JSONMessage{}) +} + +func TestJSONMessagePublishTimeout(t *testing.T) { + q := NewJSONMessagePublisher() + l := make(chan JSONMessage) + q.Subscribe(l) + + c := make(chan struct{}) + go func() { + q.Publish(JSONMessage{}) + close(c) + }() + + select { + case <-c: + case <-time.After(time.Second): + t.Fatal("Timeout publishing message") + } +} diff --git a/utils/random.go b/utils/random.go index d4d33c690a..907f28eec3 100644 --- a/utils/random.go +++ b/utils/random.go @@ -8,8 +8,8 @@ import ( func RandomString() string { id := make([]byte, 32) - _, err := io.ReadFull(rand.Reader, id) - if err != nil { + + if _, err := io.ReadFull(rand.Reader, id); err != nil { panic(err) // This shouldn't happen } return hex.EncodeToString(id) diff --git a/utils/stdcopy.go b/utils/stdcopy.go index 8b43386140..ab8759f4ee 100644 --- a/utils/stdcopy.go +++ b/utils/stdcopy.go @@ -82,13 +82,14 @@ func StdCopy(dstout, dsterr io.Writer, src io.Reader) (written int64, err error) for nr < StdWriterPrefixLen { var nr2 int nr2, er = src.Read(buf[nr:]) - if er == io.EOF { - return written, nil - } - if er != nil { + // Don't exit on EOF, because we can have some more input + if er != nil && er != io.EOF { return 0, er } nr += nr2 + if nr == 0 { + return written, nil + } } // Check the first byte to know where to write diff --git a/utils/tarsum_test.go b/utils/tarsum_test.go index 52ddd64590..e84abde916 100644 --- a/utils/tarsum_test.go +++ b/utils/tarsum_test.go @@ -4,11 +4,12 @@ import ( "bytes" "crypto/rand" "fmt" - "github.com/dotcloud/docker/vendor/src/code.google.com/p/go/src/pkg/archive/tar" "io" "io/ioutil" "os" "testing" + + "github.com/dotcloud/docker/vendor/src/code.google.com/p/go/src/pkg/archive/tar" ) type testLayer struct { @@ -109,7 +110,7 @@ func TestTarSums(t *testing.T) { fh = sizedTar(*layer.options) } else { // What else is there to test? - t.Errorf("what to do with %#V", layer) + t.Errorf("what to do with %#v", layer) continue } if file, ok := fh.(*os.File); ok { diff --git a/utils/timeoutconn_test.go b/utils/timeoutconn_test.go new file mode 100644 index 0000000000..d07b96cc06 --- /dev/null +++ b/utils/timeoutconn_test.go @@ -0,0 +1,33 @@ +package utils + +import ( + "bufio" + "fmt" + "net" + "net/http" + "net/http/httptest" + "testing" + "time" +) + +func TestTimeoutConnRead(t *testing.T) { + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + fmt.Fprintln(w, "hello") + })) + defer ts.Close() + conn, err := net.Dial("tcp", ts.URL[7:]) + if err != nil { + t.Fatalf("failed to create connection to %q: %v", ts.URL, err) + } + tconn := NewTimeoutConn(conn, 1*time.Second) + + if _, err = bufio.NewReader(tconn).ReadString('\n'); err == nil { + t.Fatalf("expected timeout error, got none") + } + if _, err := fmt.Fprintf(tconn, "GET / HTTP/1.0\r\n\r\n"); err != nil { + t.Errorf("unexpected error: %v", err) + } + if _, err = bufio.NewReader(tconn).ReadString('\n'); err != nil { + t.Errorf("unexpected error: %v", err) + } +} diff --git a/vendor/src/github.com/docker/libcontainer/.travis.yml b/vendor/src/github.com/docker/libcontainer/.travis.yml new file mode 100644 index 0000000000..94dc5ac7c8 --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/.travis.yml @@ -0,0 +1,12 @@ +language: go + +install: + - go get -d ./... + - go get -d github.com/dotcloud/docker # just to be sure + - DOCKER_PATH="${GOPATH%%:*}/src/github.com/dotcloud/docker" + - sed -i 's!dotcloud/docker!docker/libcontainer!' "$DOCKER_PATH/hack/make/.validate" + +script: + - bash "$DOCKER_PATH/hack/make/validate-dco" + - bash "$DOCKER_PATH/hack/make/validate-gofmt" + - go test diff --git a/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md b/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md new file mode 100644 index 0000000000..f02689625c --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/CONTRIBUTORS_GUIDE.md @@ -0,0 +1,204 @@ +# The libcontainer Contributors' Guide + +Want to hack on libcontainer? Awesome! Here are instructions to get you +started. They are probably not perfect, please let us know if anything +feels wrong or incomplete. + +## Reporting Issues + +When reporting [issues](https://github.com/docker/libcontainer/issues) +on GitHub please include your host OS (Ubuntu 12.04, Fedora 19, etc), +the output of `uname -a`. Please include the steps required to reproduce +the problem if possible and applicable. +This information will help us review and fix your issue faster. + +## Development Environment + +*Add instructions on setting up the development environment.* + +## Contribution Guidelines + +### Pull requests are always welcome + +We are always thrilled to receive pull requests, and do our best to +process them as fast as possible. Not sure if that typo is worth a pull +request? Do it! We will appreciate it. + +If your pull request is not accepted on the first try, don't be +discouraged! If there's a problem with the implementation, hopefully you +received feedback on what to improve. + +We're trying very hard to keep libcontainer lean and focused. We don't want it +to do everything for everybody. This means that we might decide against +incorporating a new feature. However, there might be a way to implement +that feature *on top of* libcontainer. + +### Discuss your design on the mailing list + +We recommend discussing your plans [on the mailing +list](https://groups.google.com/forum/?fromgroups#!forum/libcontainer) +before starting to code - especially for more ambitious contributions. +This gives other contributors a chance to point you in the right +direction, give feedback on your design, and maybe point out if someone +else is working on the same thing. + +### Create issues... + +Any significant improvement should be documented as [a GitHub +issue](https://github.com/docker/libcontainer/issues) before anybody +starts working on it. + +### ...but check for existing issues first! + +Please take a moment to check that an issue doesn't already exist +documenting your bug report or improvement proposal. If it does, it +never hurts to add a quick "+1" or "I have this problem too". This will +help prioritize the most common problems and requests. + +### Conventions + +Fork the repo and make changes on your fork in a feature branch: + +- If it's a bugfix branch, name it XXX-something where XXX is the number of the + issue +- If it's a feature branch, create an enhancement issue to announce your + intentions, and name it XXX-something where XXX is the number of the issue. + +Submit unit tests for your changes. Go has a great test framework built in; use +it! Take a look at existing tests for inspiration. Run the full test suite on +your branch before submitting a pull request. + +Update the documentation when creating or modifying features. Test +your documentation changes for clarity, concision, and correctness, as +well as a clean documentation build. See ``docs/README.md`` for more +information on building the docs and how docs get released. + +Write clean code. Universally formatted code promotes ease of writing, reading, +and maintenance. Always run `gofmt -s -w file.go` on each changed file before +committing your changes. Most editors have plugins that do this automatically. + +Pull requests descriptions should be as clear as possible and include a +reference to all the issues that they address. + +Pull requests must not contain commits from other users or branches. + +Commit messages must start with a capitalized and short summary (max. 50 +chars) written in the imperative, followed by an optional, more detailed +explanatory text which is separated from the summary by an empty line. + +Code review comments may be added to your pull request. Discuss, then make the +suggested modifications and push additional commits to your feature branch. Be +sure to post a comment after pushing. The new commits will show up in the pull +request automatically, but the reviewers will not be notified unless you +comment. + +Before the pull request is merged, make sure that you squash your commits into +logical units of work using `git rebase -i` and `git push -f`. After every +commit the test suite should be passing. Include documentation changes in the +same commit so that a revert would remove all traces of the feature or fix. + +Commits that fix or close an issue should include a reference like `Closes #XXX` +or `Fixes #XXX`, which will automatically close the issue when merged. + +### Testing + +Make sure you include suitable tests, preferably unit tests, in your pull request +and that all the tests pass. + +*Instructions for running tests to be added.* + +### Merge approval + +libcontainer maintainers use LGTM (looks good to me) in comments on the code review +to indicate acceptance. + +A change requires LGTMs from at lease two maintainers. One of those must come from +a maintainer of the component affected. For example, if a change affects `netlink/` +and `security`, it needs at least one LGTM from a maintainer of each. Maintainers +only need one LGTM as presumably they LGTM their own change. + +For more details see [MAINTAINERS.md](MAINTAINERS.md) + +### Sign your work + +The sign-off is a simple line at the end of the explanation for the +patch, which certifies that you wrote it or otherwise have the right to +pass it on as an open-source patch. The rules are pretty simple: if you +can certify the below (from +[developercertificate.org](http://developercertificate.org/)): + +``` +Developer Certificate of Origin +Version 1.1 + +Copyright (C) 2004, 2006 The Linux Foundation and its contributors. +660 York Street, Suite 102, +San Francisco, CA 94110 USA + +Everyone is permitted to copy and distribute verbatim copies of this +license document, but changing it is not allowed. + + +Developer's Certificate of Origin 1.1 + +By making a contribution to this project, I certify that: + +(a) The contribution was created in whole or in part by me and I + have the right to submit it under the open source license + indicated in the file; or + +(b) The contribution is based upon previous work that, to the best + of my knowledge, is covered under an appropriate open source + license and I have the right under that license to submit that + work with modifications, whether created in whole or in part + by me, under the same open source license (unless I am + permitted to submit under a different license), as indicated + in the file; or + +(c) The contribution was provided directly to me by some other + person who certified (a), (b) or (c) and I have not modified + it. + +(d) I understand and agree that this project and the contribution + are public and that a record of the contribution (including all + personal information I submit with it, including my sign-off) is + maintained indefinitely and may be redistributed consistent with + this project or the open source license(s) involved. +``` + +then you just add a line to every git commit message: + + Docker-DCO-1.1-Signed-off-by: Joe Smith (github: github_handle) + +using your real name (sorry, no pseudonyms or anonymous contributions.) + +One way to automate this, is customise your get ``commit.template`` by adding +a ``prepare-commit-msg`` hook to your libcontainer checkout: + +``` +curl -o .git/hooks/prepare-commit-msg https://raw.githubusercontent.com/dotcloud/docker/master/contrib/prepare-commit-msg.hook && chmod +x .git/hooks/prepare-commit-msg +``` + +* Note: the above script expects to find your GitHub user name in ``git config --get github.user`` + +#### Small patch exception + +There are several exceptions to the signing requirement. Currently these are: + +* Your patch fixes spelling or grammar errors. +* Your patch is a single line change to documentation contained in the + `docs` directory. +* Your patch fixes Markdown formatting or syntax errors in the + documentation contained in the `docs` directory. + +If you have any questions, please refer to the FAQ in the [docs](to be written) + +### How can I become a maintainer? + +* Step 1: learn the component inside out +* Step 2: make yourself useful by contributing code, bugfixes, support etc. +* Step 3: volunteer on the irc channel (#libcontainer@freenode) + +Don't forget: being a maintainer is a time investment. Make sure you will have time to make yourself available. +You don't have to be a maintainer to make a difference on the project! + diff --git a/vendor/src/github.com/docker/libcontainer/LICENSE b/vendor/src/github.com/docker/libcontainer/LICENSE new file mode 100644 index 0000000000..27448585ad --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2014 Docker, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/src/github.com/docker/libcontainer/MAINTAINERS b/vendor/src/github.com/docker/libcontainer/MAINTAINERS new file mode 100644 index 0000000000..8c36d096c1 --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/MAINTAINERS @@ -0,0 +1,4 @@ +Michael Crosby (@crosbymichael) +Rohit Jnagal (@rjnagal) +Victor Marmol (@vmarmol) +.travis.yml: Tianon Gravi (@tianon) diff --git a/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md b/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md new file mode 100644 index 0000000000..2ac9ca21f4 --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/MAINTAINERS_GUIDE.md @@ -0,0 +1,99 @@ +# The libcontainer Maintainers' Guide + +## Introduction + +Dear maintainer. Thank you for investing the time and energy to help +make libcontainer as useful as possible. Maintaining a project is difficult, +sometimes unrewarding work. Sure, you will get to contribute cool +features to the project. But most of your time will be spent reviewing, +cleaning up, documenting, answering questions, justifying design +decisions - while everyone has all the fun! But remember - the quality +of the maintainers work is what distinguishes the good projects from the +great. So please be proud of your work, even the unglamourous parts, +and encourage a culture of appreciation and respect for *every* aspect +of improving the project - not just the hot new features. + +This document is a manual for maintainers old and new. It explains what +is expected of maintainers, how they should work, and what tools are +available to them. + +This is a living document - if you see something out of date or missing, +speak up! + +## What are a maintainer's responsibility? + +It is every maintainer's responsibility to: + +* 1) Expose a clear roadmap for improving their component. +* 2) Deliver prompt feedback and decisions on pull requests. +* 3) Be available to anyone with questions, bug reports, criticism etc. + on their component. This includes IRC, GitHub requests and the mailing + list. +* 4) Make sure their component respects the philosophy, design and + roadmap of the project. + +## How are decisions made? + +Short answer: with pull requests to the libcontainer repository. + +libcontainer is an open-source project with an open design philosophy. This +means that the repository is the source of truth for EVERY aspect of the +project, including its philosophy, design, roadmap and APIs. *If it's +part of the project, it's in the repo. It's in the repo, it's part of +the project.* + +As a result, all decisions can be expressed as changes to the +repository. An implementation change is a change to the source code. An +API change is a change to the API specification. A philosophy change is +a change to the philosophy manifesto. And so on. + +All decisions affecting libcontainer, big and small, follow the same 3 steps: + +* Step 1: Open a pull request. Anyone can do this. + +* Step 2: Discuss the pull request. Anyone can do this. + +* Step 3: Accept (`LGTM`) or refuse a pull request. The relevant maintainers do +this (see below "Who decides what?") + + +## Who decides what? + +All decisions are pull requests, and the relevant maintainers make +decisions by accepting or refusing the pull request. Review and acceptance +by anyone is denoted by adding a comment in the pull request: `LGTM`. +However, only currently listed `MAINTAINERS` are counted towards the required +two LGTMs. + +libcontainer follows the timeless, highly efficient and totally unfair system +known as [Benevolent dictator for life](http://en.wikipedia.org/wiki/Benevolent_Dictator_for_Life), with Michael Crosby in the role of BDFL. +This means that all decisions are made by default by Michael. Since making +every decision himself would be highly un-scalable, in practice decisions +are spread across multiple maintainers. + +The relevant maintainers for a pull request can be worked out in two steps: + +* Step 1: Determine the subdirectories affected by the pull request. This + might be `netlink/` and `security/`, or any other part of the repo. + +* Step 2: Find the `MAINTAINERS` file which affects this directory. If the + directory itself does not have a `MAINTAINERS` file, work your way up + the repo hierarchy until you find one. + +### I'm a maintainer, and I'm going on holiday + +Please let your co-maintainers and other contributors know by raising a pull +request that comments out your `MAINTAINERS` file entry using a `#`. + +### I'm a maintainer, should I make pull requests too? + +Yes. Nobody should ever push to master directly. All changes should be +made through a pull request. + +### Who assigns maintainers? + +Michael has final `LGTM` approval for all pull requests to `MAINTAINERS` files. + +### How is this process changed? + +Just like everything else: by making a pull request :) diff --git a/vendor/src/github.com/docker/libcontainer/NOTICE b/vendor/src/github.com/docker/libcontainer/NOTICE new file mode 100644 index 0000000000..ca1635f896 --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/NOTICE @@ -0,0 +1,16 @@ +libcontainer +Copyright 2012-2014 Docker, Inc. + +This product includes software developed at Docker, Inc. (http://www.docker.com). + +The following is courtesy of our legal counsel: + + +Use and transfer of Docker may be subject to certain restrictions by the +United States and other governments. +It is your responsibility to ensure that your use and/or transfer does not +violate applicable laws. + +For more information, please see http://www.bis.doc.gov + +See also http://www.apache.org/dev/crypto.html and/or seek legal counsel. diff --git a/vendor/src/github.com/docker/libcontainer/PRINCIPLES.md b/vendor/src/github.com/docker/libcontainer/PRINCIPLES.md new file mode 100644 index 0000000000..42396c0eec --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/PRINCIPLES.md @@ -0,0 +1,19 @@ +# libcontainer Principles + +In the design and development of libcontainer we try to follow these principles: + +(Work in progress) + +* Don't try to replace every tool. Instead, be an ingredient to improve them. +* Less code is better. +* Fewer components are better. Do you really need to add one more class? +* 50 lines of straightforward, readable code is better than 10 lines of magic that nobody can understand. +* Don't do later what you can do now. "//FIXME: refactor" is not acceptable in new code. +* When hesitating between two options, choose the one that is easier to reverse. +* "No" is temporary; "Yes" is forever. If you're not sure about a new feature, say no. You can change your mind later. +* Containers must be portable to the greatest possible number of machines. Be suspicious of any change which makes machines less interchangeable. +* The fewer moving parts in a container, the better. +* Don't merge it unless you document it. +* Don't document it unless you can keep it up-to-date. +* Don't merge it unless you test it! +* Everyone's problem is slightly different. Focus on the part that is the same for everyone, and solve that. diff --git a/pkg/libcontainer/README.md b/vendor/src/github.com/docker/libcontainer/README.md similarity index 76% rename from pkg/libcontainer/README.md rename to vendor/src/github.com/docker/libcontainer/README.md index 8e89153bd7..068c66e6cf 100644 --- a/pkg/libcontainer/README.md +++ b/vendor/src/github.com/docker/libcontainer/README.md @@ -1,16 +1,16 @@ ## libcontainer - reference implementation for containers -#### background +#### Background libcontainer specifies configuration options for what a container is. It provides a native Go implementation for using Linux namespaces with no external dependencies. libcontainer provides many convenience functions for working with namespaces, networking, and management. -#### container +#### Container A container is a self contained directory that is able to run one or more processes without affecting the host system. The directory is usually a full system tree. Inside the directory a `container.json` file is placed with the runtime configuration for how the processes -should be contained and ran. Environment, networking, and different capabilities for the +should be contained and run. Environment, networking, and different capabilities for the process are specified in this file. The configuration is used for each process executed inside the container. See the `container.json` file for what the configuration should look like. @@ -35,3 +35,19 @@ If you wish to spawn another process inside the container while your current bas running just run the exact same command again to get another bash shell or change the command. If the original process dies, PID 1, all other processes spawned inside the container will also be killed and the namespace will be removed. You can identify if a process is running in a container by looking to see if `pid` is in the root of the directory. +#### Future +See the [roadmap](ROADMAP.md). + +## Copyright and license + +Code and documentation copyright 2014 Docker, inc. Code released under the Apache 2.0 license. +Docs released under Creative commons. + +## Hacking on libcontainer + +First of all, please familiarise yourself with the [libcontainer Principles](PRINCIPLES.md). + +If you're a *contributor* or aspiring contributor, you should read the [Contributors' Guide](CONTRIBUTORS_GUIDE.md). + +If you're a *maintainer* or aspiring maintainer, you should read the [Maintainers' Guide](MAINTAINERS_GUIDE.md) and +"How can I become a maintainer?" in the Contributors' Guide. diff --git a/vendor/src/github.com/docker/libcontainer/ROADMAP.md b/vendor/src/github.com/docker/libcontainer/ROADMAP.md new file mode 100644 index 0000000000..08deb9adaf --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/ROADMAP.md @@ -0,0 +1,16 @@ +# libcontainer: what's next? + +This document is a high-level overview of where we want to take libcontainer next. +It is a curated selection of planned improvements which are either important, difficult, or both. + +For a more complete view of planned and requested improvements, see [the Github issues](https://github.com/docker/libcontainer/issues). + +To suggest changes to the roadmap, including additions, please write the change as if it were already in effect, and make a pull request. + +## Broader kernel support + +Our goal is to make libcontainer run everywhere, but currently libcontainer requires Linux version 3.8 or higher. If you’re deploying new machines for the purpose of running libcontainer, this is a fairly easy requirement to meet. However, if you’re adding libcontainer to an existing deployment, you may not have the flexibility to update and patch the kernel. + +## Cross-architecture support + +Our goal is to make libcontainer run everywhere. However currently libcontainer only runs on x86_64 systems. We plan on expanding architecture support, so that libcontainer containers can be created and used on more architectures. diff --git a/pkg/apparmor/apparmor.go b/vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go similarity index 100% rename from pkg/apparmor/apparmor.go rename to vendor/src/github.com/docker/libcontainer/apparmor/apparmor.go diff --git a/pkg/apparmor/apparmor_disabled.go b/vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go similarity index 100% rename from pkg/apparmor/apparmor_disabled.go rename to vendor/src/github.com/docker/libcontainer/apparmor/apparmor_disabled.go diff --git a/pkg/apparmor/gen.go b/vendor/src/github.com/docker/libcontainer/apparmor/gen.go similarity index 100% rename from pkg/apparmor/gen.go rename to vendor/src/github.com/docker/libcontainer/apparmor/gen.go diff --git a/pkg/apparmor/setup.go b/vendor/src/github.com/docker/libcontainer/apparmor/setup.go similarity index 100% rename from pkg/apparmor/setup.go rename to vendor/src/github.com/docker/libcontainer/apparmor/setup.go diff --git a/pkg/libcontainer/cgroups/cgroups.go b/vendor/src/github.com/docker/libcontainer/cgroups/cgroups.go similarity index 97% rename from pkg/libcontainer/cgroups/cgroups.go rename to vendor/src/github.com/docker/libcontainer/cgroups/cgroups.go index 85607b548a..64ece568c3 100644 --- a/pkg/libcontainer/cgroups/cgroups.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/cgroups.go @@ -3,7 +3,7 @@ package cgroups import ( "errors" - "github.com/dotcloud/docker/pkg/libcontainer/devices" + "github.com/docker/libcontainer/devices" ) var ( diff --git a/pkg/libcontainer/cgroups/cgroups_test.go b/vendor/src/github.com/docker/libcontainer/cgroups/cgroups_test.go similarity index 100% rename from pkg/libcontainer/cgroups/cgroups_test.go rename to vendor/src/github.com/docker/libcontainer/cgroups/cgroups_test.go diff --git a/pkg/libcontainer/cgroups/fs/apply_raw.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go similarity index 98% rename from pkg/libcontainer/cgroups/fs/apply_raw.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go index 2231ab9a38..1a0323f442 100644 --- a/pkg/libcontainer/cgroups/fs/apply_raw.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/apply_raw.go @@ -7,7 +7,7 @@ import ( "path/filepath" "strconv" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) var ( diff --git a/pkg/libcontainer/cgroups/fs/blkio.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/blkio.go similarity index 98% rename from pkg/libcontainer/cgroups/fs/blkio.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/blkio.go index 0c7a4e7b39..0e0a198de6 100644 --- a/pkg/libcontainer/cgroups/fs/blkio.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/blkio.go @@ -8,7 +8,7 @@ import ( "strconv" "strings" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type blkioGroup struct { diff --git a/pkg/libcontainer/cgroups/fs/blkio_test.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/blkio_test.go similarity index 99% rename from pkg/libcontainer/cgroups/fs/blkio_test.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/blkio_test.go index d91a6479a9..c916c86bba 100644 --- a/pkg/libcontainer/cgroups/fs/blkio_test.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/blkio_test.go @@ -3,7 +3,7 @@ package fs import ( "testing" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) const ( diff --git a/pkg/libcontainer/cgroups/fs/cpu.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpu.go similarity index 96% rename from pkg/libcontainer/cgroups/fs/cpu.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/cpu.go index 2e9d588f4f..1c692fd550 100644 --- a/pkg/libcontainer/cgroups/fs/cpu.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpu.go @@ -7,7 +7,7 @@ import ( "strconv" "syscall" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type cpuGroup struct { diff --git a/pkg/libcontainer/cgroups/fs/cpu_test.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpu_test.go similarity index 96% rename from pkg/libcontainer/cgroups/fs/cpu_test.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/cpu_test.go index c5bfc50409..ebdb6a5757 100644 --- a/pkg/libcontainer/cgroups/fs/cpu_test.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpu_test.go @@ -4,7 +4,7 @@ import ( "fmt" "testing" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) func TestCpuStats(t *testing.T) { diff --git a/pkg/libcontainer/cgroups/fs/cpuacct.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go similarity index 97% rename from pkg/libcontainer/cgroups/fs/cpuacct.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go index 5ea01dc94a..a3d22c9f74 100644 --- a/pkg/libcontainer/cgroups/fs/cpuacct.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuacct.go @@ -11,7 +11,7 @@ import ( "strings" "time" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" "github.com/dotcloud/docker/pkg/system" ) @@ -84,6 +84,7 @@ func (s *cpuacctGroup) GetStats(d *data, stats *cgroups.Stats) error { if err != nil { return err } + stats.CpuStats.CpuUsage.TotalUsage = lastUsage stats.CpuStats.CpuUsage.PercpuUsage = percpuUsage stats.CpuStats.CpuUsage.UsageInKernelmode = (kernelModeUsage * nanosecondsInSecond) / clockTicks stats.CpuStats.CpuUsage.UsageInUsermode = (userModeUsage * nanosecondsInSecond) / clockTicks diff --git a/pkg/libcontainer/cgroups/fs/cpuset.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go similarity index 97% rename from pkg/libcontainer/cgroups/fs/cpuset.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go index c0b03c559e..094e8b382d 100644 --- a/pkg/libcontainer/cgroups/fs/cpuset.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/cpuset.go @@ -7,7 +7,7 @@ import ( "path/filepath" "strconv" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type cpusetGroup struct { diff --git a/pkg/libcontainer/cgroups/fs/devices.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/devices.go similarity index 90% rename from pkg/libcontainer/cgroups/fs/devices.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/devices.go index 45c3b48530..675cef3fb2 100644 --- a/pkg/libcontainer/cgroups/fs/devices.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/devices.go @@ -1,6 +1,6 @@ package fs -import "github.com/dotcloud/docker/pkg/libcontainer/cgroups" +import "github.com/docker/libcontainer/cgroups" type devicesGroup struct { } diff --git a/pkg/libcontainer/cgroups/fs/freezer.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go similarity index 96% rename from pkg/libcontainer/cgroups/fs/freezer.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go index 5c9ba5b543..f6a1044af6 100644 --- a/pkg/libcontainer/cgroups/fs/freezer.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/freezer.go @@ -6,7 +6,7 @@ import ( "strings" "time" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type freezerGroup struct { diff --git a/pkg/libcontainer/cgroups/fs/memory.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/memory.go similarity index 97% rename from pkg/libcontainer/cgroups/fs/memory.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/memory.go index 202ddc8ede..b4453f4e71 100644 --- a/pkg/libcontainer/cgroups/fs/memory.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/memory.go @@ -6,7 +6,7 @@ import ( "path/filepath" "strconv" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type memoryGroup struct { diff --git a/pkg/libcontainer/cgroups/fs/memory_test.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/memory_test.go similarity index 98% rename from pkg/libcontainer/cgroups/fs/memory_test.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/memory_test.go index 29aea1f219..8307482bce 100644 --- a/pkg/libcontainer/cgroups/fs/memory_test.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/memory_test.go @@ -3,7 +3,7 @@ package fs import ( "testing" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) const ( diff --git a/pkg/libcontainer/cgroups/fs/perf_event.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/perf_event.go similarity index 89% rename from pkg/libcontainer/cgroups/fs/perf_event.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/perf_event.go index 1eb4df11b5..b834c3ecae 100644 --- a/pkg/libcontainer/cgroups/fs/perf_event.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/perf_event.go @@ -1,7 +1,7 @@ package fs import ( - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) type perfEventGroup struct { diff --git a/pkg/libcontainer/cgroups/fs/stats_test_util.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/stats_test_util.go similarity index 97% rename from pkg/libcontainer/cgroups/fs/stats_test_util.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/stats_test_util.go index bebd0cb3e3..7e7da754d0 100644 --- a/pkg/libcontainer/cgroups/fs/stats_test_util.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/stats_test_util.go @@ -5,7 +5,7 @@ import ( "log" "testing" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) func blkioStatEntryEquals(expected, actual []cgroups.BlkioStatEntry) error { diff --git a/pkg/libcontainer/cgroups/fs/test_util.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/test_util.go similarity index 100% rename from pkg/libcontainer/cgroups/fs/test_util.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/test_util.go diff --git a/pkg/libcontainer/cgroups/fs/utils.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/utils.go similarity index 100% rename from pkg/libcontainer/cgroups/fs/utils.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/utils.go diff --git a/pkg/libcontainer/cgroups/fs/utils_test.go b/vendor/src/github.com/docker/libcontainer/cgroups/fs/utils_test.go similarity index 91% rename from pkg/libcontainer/cgroups/fs/utils_test.go rename to vendor/src/github.com/docker/libcontainer/cgroups/fs/utils_test.go index 4dd2243efa..63d743f06e 100644 --- a/pkg/libcontainer/cgroups/fs/utils_test.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/fs/utils_test.go @@ -31,7 +31,7 @@ func TestGetCgroupParamsInt(t *testing.T) { if err != nil { t.Fatal(err) } else if value != floatValue { - t.Fatalf("Expected %f to equal %f", value, floatValue) + t.Fatalf("Expected %d to equal %f", value, floatValue) } // Success with new line. @@ -43,7 +43,7 @@ func TestGetCgroupParamsInt(t *testing.T) { if err != nil { t.Fatal(err) } else if value != floatValue { - t.Fatalf("Expected %f to equal %f", value, floatValue) + t.Fatalf("Expected %d to equal %f", value, floatValue) } // Not a float. diff --git a/pkg/libcontainer/cgroups/stats.go b/vendor/src/github.com/docker/libcontainer/cgroups/stats.go similarity index 92% rename from pkg/libcontainer/cgroups/stats.go rename to vendor/src/github.com/docker/libcontainer/cgroups/stats.go index 20a5f00a37..2640245e51 100644 --- a/pkg/libcontainer/cgroups/stats.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/stats.go @@ -13,8 +13,10 @@ type CpuUsage struct { // percentage of available CPUs currently being used. PercentUsage uint64 `json:"percent_usage,omitempty"` // nanoseconds of cpu time consumed over the last 100 ms. - CurrentUsage uint64 `json:"current_usage,omitempty"` - PercpuUsage []uint64 `json:"percpu_usage,omitempty"` + CurrentUsage uint64 `json:"current_usage,omitempty"` + // total nanoseconds of cpu time consumed + TotalUsage uint64 `json:"total_usage,omitempty"` + PercpuUsage []uint64 `json:"percpu_usage,omitempty"` // Time spent by tasks of the cgroup in kernel mode. Units: nanoseconds. UsageInKernelmode uint64 `json:"usage_in_kernelmode"` // Time spent by tasks of the cgroup in user mode. Units: nanoseconds. diff --git a/pkg/libcontainer/cgroups/systemd/apply_nosystemd.go b/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_nosystemd.go similarity index 88% rename from pkg/libcontainer/cgroups/systemd/apply_nosystemd.go rename to vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_nosystemd.go index c72bb11611..6dcfdffd48 100644 --- a/pkg/libcontainer/cgroups/systemd/apply_nosystemd.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_nosystemd.go @@ -5,7 +5,7 @@ package systemd import ( "fmt" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" ) func UseSystemd() bool { diff --git a/pkg/libcontainer/cgroups/systemd/apply_systemd.go b/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go similarity index 99% rename from pkg/libcontainer/cgroups/systemd/apply_systemd.go rename to vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go index c486dbeb9c..6a0ce950c1 100644 --- a/pkg/libcontainer/cgroups/systemd/apply_systemd.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/systemd/apply_systemd.go @@ -14,7 +14,7 @@ import ( "time" systemd1 "github.com/coreos/go-systemd/dbus" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups" "github.com/dotcloud/docker/pkg/systemd" "github.com/godbus/dbus" ) diff --git a/pkg/libcontainer/cgroups/utils.go b/vendor/src/github.com/docker/libcontainer/cgroups/utils.go similarity index 54% rename from pkg/libcontainer/cgroups/utils.go rename to vendor/src/github.com/docker/libcontainer/cgroups/utils.go index 111c871477..0d19b3eaae 100644 --- a/pkg/libcontainer/cgroups/utils.go +++ b/vendor/src/github.com/docker/libcontainer/cgroups/utils.go @@ -2,6 +2,7 @@ package cgroups import ( "bufio" + "fmt" "io" "os" "path/filepath" @@ -30,6 +31,80 @@ func FindCgroupMountpoint(subsystem string) (string, error) { return "", ErrNotFound } +type Mount struct { + Mountpoint string + Subsystems []string +} + +func (m Mount) GetThisCgroupDir() (string, error) { + if len(m.Subsystems) == 0 { + return "", fmt.Errorf("no subsystem for mount") + } + + return GetThisCgroupDir(m.Subsystems[0]) +} + +func GetCgroupMounts() ([]Mount, error) { + mounts, err := mount.GetMounts() + if err != nil { + return nil, err + } + + all, err := GetAllSubsystems() + if err != nil { + return nil, err + } + + allMap := make(map[string]bool) + for _, s := range all { + allMap[s] = true + } + + res := []Mount{} + for _, mount := range mounts { + if mount.Fstype == "cgroup" { + m := Mount{Mountpoint: mount.Mountpoint} + + for _, opt := range strings.Split(mount.VfsOpts, ",") { + if strings.HasPrefix(opt, "name=") { + m.Subsystems = append(m.Subsystems, opt) + } + if allMap[opt] { + m.Subsystems = append(m.Subsystems, opt) + } + } + res = append(res, m) + } + } + return res, nil +} + +// Returns all the cgroup subsystems supported by the kernel +func GetAllSubsystems() ([]string, error) { + f, err := os.Open("/proc/cgroups") + if err != nil { + return nil, err + } + defer f.Close() + + subsystems := []string{} + + s := bufio.NewScanner(f) + for s.Scan() { + if err := s.Err(); err != nil { + return nil, err + } + text := s.Text() + if text[0] != '#' { + parts := strings.Fields(text) + if len(parts) > 4 && parts[3] != "0" { + subsystems = append(subsystems, parts[0]) + } + } + } + return subsystems, nil +} + // Returns the relative path to the cgroup docker is running in. func GetThisCgroupDir(subsystem string) (string, error) { f, err := os.Open("/proc/self/cgroup") diff --git a/pkg/libcontainer/console/console.go b/vendor/src/github.com/docker/libcontainer/console/console.go similarity index 97% rename from pkg/libcontainer/console/console.go rename to vendor/src/github.com/docker/libcontainer/console/console.go index 79a480418f..519b5644cd 100644 --- a/pkg/libcontainer/console/console.go +++ b/vendor/src/github.com/docker/libcontainer/console/console.go @@ -8,7 +8,7 @@ import ( "path/filepath" "syscall" - "github.com/dotcloud/docker/pkg/label" + "github.com/docker/libcontainer/label" "github.com/dotcloud/docker/pkg/system" ) diff --git a/pkg/libcontainer/container.go b/vendor/src/github.com/docker/libcontainer/container.go similarity index 97% rename from pkg/libcontainer/container.go rename to vendor/src/github.com/docker/libcontainer/container.go index c5864e948a..be72d92eee 100644 --- a/pkg/libcontainer/container.go +++ b/vendor/src/github.com/docker/libcontainer/container.go @@ -1,8 +1,8 @@ package libcontainer import ( - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" - "github.com/dotcloud/docker/pkg/libcontainer/devices" + "github.com/docker/libcontainer/cgroups" + "github.com/docker/libcontainer/devices" ) // Context is a generic key value pair that allows arbatrary data to be sent diff --git a/vendor/src/github.com/docker/libcontainer/container.json b/vendor/src/github.com/docker/libcontainer/container.json new file mode 100644 index 0000000000..da138d173f --- /dev/null +++ b/vendor/src/github.com/docker/libcontainer/container.json @@ -0,0 +1,213 @@ +{ + "capabilities": [ + "CHOWN", + "DAC_OVERRIDE", + "FOWNER", + "MKNOD", + "NET_RAW", + "SETGID", + "SETUID", + "SETFCAP", + "SETPCAP", + "NET_BIND_SERVICE", + "SYS_CHROOT", + "KILL" + ], + "cgroups": { + "allowed_devices": [ + { + "cgroup_permissions": "m", + "major_number": -1, + "minor_number": -1, + "type": 99 + }, + { + "cgroup_permissions": "m", + "major_number": -1, + "minor_number": -1, + "type": 98 + }, + { + "cgroup_permissions": "rwm", + "major_number": 5, + "minor_number": 1, + "path": "/dev/console", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 4, + "path": "/dev/tty0", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 4, + "minor_number": 1, + "path": "/dev/tty1", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 136, + "minor_number": -1, + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 5, + "minor_number": 2, + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "major_number": 10, + "minor_number": 200, + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 3, + "path": "/dev/null", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 5, + "path": "/dev/zero", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 7, + "path": "/dev/full", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 5, + "path": "/dev/tty", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 9, + "path": "/dev/urandom", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 8, + "path": "/dev/random", + "type": 99 + } + ], + "name": "docker-koye", + "parent": "docker" + }, + "context": { + "mount_label": "", + "process_label": "", + "restrictions": "true" + }, + "device_nodes": [ + { + "cgroup_permissions": "rwm", + "major_number": 10, + "minor_number": 229, + "path": "/dev/fuse", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 3, + "path": "/dev/null", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 5, + "path": "/dev/zero", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 7, + "path": "/dev/full", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 5, + "path": "/dev/tty", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 9, + "path": "/dev/urandom", + "type": 99 + }, + { + "cgroup_permissions": "rwm", + "file_mode": 438, + "major_number": 1, + "minor_number": 8, + "path": "/dev/random", + "type": 99 + } + ], + "environment": [ + "HOME=/", + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "HOSTNAME=2d388ea3bd92", + "TERM=xterm" + ], + "hostname": "koye", + "namespaces": { + "NEWIPC": true, + "NEWNET": true, + "NEWNS": true, + "NEWPID": true, + "NEWUTS": true + }, + "networks": [ + { + "address": "127.0.0.1/0", + "gateway": "localhost", + "mtu": 1500, + "type": "loopback" + }, + { + "address": "172.17.0.101/16", + "context": { + "bridge": "docker0", + "prefix": "veth" + }, + "gateway": "172.17.42.1", + "mtu": 1500, + "type": "veth" + } + ], + "tty": true +} diff --git a/pkg/libcontainer/container_test.go b/vendor/src/github.com/docker/libcontainer/container_test.go similarity index 86% rename from pkg/libcontainer/container_test.go rename to vendor/src/github.com/docker/libcontainer/container_test.go index 838281833f..deb65aa835 100644 --- a/pkg/libcontainer/container_test.go +++ b/vendor/src/github.com/docker/libcontainer/container_test.go @@ -37,11 +37,6 @@ func TestContainerJsonFormat(t *testing.T) { t.Fail() } - if len(container.Routes) != 2 { - t.Log("should have found 2 routes") - t.Fail() - } - if !container.Namespaces["NEWNET"] { t.Log("namespaces should contain NEWNET") t.Fail() @@ -62,8 +57,8 @@ func TestContainerJsonFormat(t *testing.T) { t.Fail() } - if contains("SYS_CHROOT", container.Capabilities) { - t.Log("capabilities mask should not contain SYS_CHROOT") + if !contains("SYS_CHROOT", container.Capabilities) { + t.Log("capabilities mask should contain SYS_CHROOT") t.Fail() } } diff --git a/pkg/libcontainer/devices/defaults.go b/vendor/src/github.com/docker/libcontainer/devices/defaults.go similarity index 100% rename from pkg/libcontainer/devices/defaults.go rename to vendor/src/github.com/docker/libcontainer/devices/defaults.go diff --git a/pkg/libcontainer/devices/devices.go b/vendor/src/github.com/docker/libcontainer/devices/devices.go similarity index 96% rename from pkg/libcontainer/devices/devices.go rename to vendor/src/github.com/docker/libcontainer/devices/devices.go index f6bee56df2..727a5bdfaf 100644 --- a/pkg/libcontainer/devices/devices.go +++ b/vendor/src/github.com/docker/libcontainer/devices/devices.go @@ -39,8 +39,8 @@ func (device *Device) GetCgroupAllowString() string { } // Given the path to a device and it's cgroup_permissions(which cannot be easilly queried) look up the information about a linux device and return that information as a Device struct. -func GetDevice(path string, cgroupPermissions string) (*Device, error) { - fileInfo, err := os.Stat(path) +func GetDevice(path, cgroupPermissions string) (*Device, error) { + fileInfo, err := os.Lstat(path) if err != nil { return nil, err } diff --git a/pkg/libcontainer/devices/number.go b/vendor/src/github.com/docker/libcontainer/devices/number.go similarity index 100% rename from pkg/libcontainer/devices/number.go rename to vendor/src/github.com/docker/libcontainer/devices/number.go diff --git a/pkg/label/label.go b/vendor/src/github.com/docker/libcontainer/label/label.go similarity index 100% rename from pkg/label/label.go rename to vendor/src/github.com/docker/libcontainer/label/label.go diff --git a/pkg/label/label_selinux.go b/vendor/src/github.com/docker/libcontainer/label/label_selinux.go similarity index 97% rename from pkg/label/label_selinux.go rename to vendor/src/github.com/docker/libcontainer/label/label_selinux.go index 926f7fffa8..0452144482 100644 --- a/pkg/label/label_selinux.go +++ b/vendor/src/github.com/docker/libcontainer/label/label_selinux.go @@ -6,7 +6,7 @@ import ( "fmt" "strings" - "github.com/dotcloud/docker/pkg/selinux" + "github.com/docker/libcontainer/selinux" ) func GenLabels(options string) (string, string, error) { diff --git a/pkg/libcontainer/mount/init.go b/vendor/src/github.com/docker/libcontainer/mount/init.go similarity index 97% rename from pkg/libcontainer/mount/init.go rename to vendor/src/github.com/docker/libcontainer/mount/init.go index af7a521c46..4e913ad1e4 100644 --- a/pkg/libcontainer/mount/init.go +++ b/vendor/src/github.com/docker/libcontainer/mount/init.go @@ -8,9 +8,9 @@ import ( "path/filepath" "syscall" - "github.com/dotcloud/docker/pkg/label" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/mount/nodes" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/label" + "github.com/docker/libcontainer/mount/nodes" "github.com/dotcloud/docker/pkg/symlink" "github.com/dotcloud/docker/pkg/system" ) diff --git a/pkg/libcontainer/mount/msmoveroot.go b/vendor/src/github.com/docker/libcontainer/mount/msmoveroot.go similarity index 100% rename from pkg/libcontainer/mount/msmoveroot.go rename to vendor/src/github.com/docker/libcontainer/mount/msmoveroot.go diff --git a/pkg/libcontainer/mount/nodes/nodes.go b/vendor/src/github.com/docker/libcontainer/mount/nodes/nodes.go similarity index 95% rename from pkg/libcontainer/mount/nodes/nodes.go rename to vendor/src/github.com/docker/libcontainer/mount/nodes/nodes.go index dd67ae2d58..e3420b48bd 100644 --- a/pkg/libcontainer/mount/nodes/nodes.go +++ b/vendor/src/github.com/docker/libcontainer/mount/nodes/nodes.go @@ -8,7 +8,7 @@ import ( "path/filepath" "syscall" - "github.com/dotcloud/docker/pkg/libcontainer/devices" + "github.com/docker/libcontainer/devices" "github.com/dotcloud/docker/pkg/system" ) diff --git a/pkg/libcontainer/mount/nodes/nodes_unsupported.go b/vendor/src/github.com/docker/libcontainer/mount/nodes/nodes_unsupported.go similarity index 61% rename from pkg/libcontainer/mount/nodes/nodes_unsupported.go rename to vendor/src/github.com/docker/libcontainer/mount/nodes/nodes_unsupported.go index 0e5d12c73e..3811a1d739 100644 --- a/pkg/libcontainer/mount/nodes/nodes_unsupported.go +++ b/vendor/src/github.com/docker/libcontainer/mount/nodes/nodes_unsupported.go @@ -3,8 +3,8 @@ package nodes import ( - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/devices" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/devices" ) func CreateDeviceNodes(rootfs string, nodesToCreate []*devices.Device) error { diff --git a/pkg/libcontainer/mount/pivotroot.go b/vendor/src/github.com/docker/libcontainer/mount/pivotroot.go similarity index 89% rename from pkg/libcontainer/mount/pivotroot.go rename to vendor/src/github.com/docker/libcontainer/mount/pivotroot.go index 447f5904b2..ffd6051367 100644 --- a/pkg/libcontainer/mount/pivotroot.go +++ b/vendor/src/github.com/docker/libcontainer/mount/pivotroot.go @@ -4,17 +4,18 @@ package mount import ( "fmt" - "github.com/dotcloud/docker/pkg/system" "io/ioutil" "os" "path/filepath" "syscall" + + "github.com/dotcloud/docker/pkg/system" ) func PivotRoot(rootfs string) error { pivotDir, err := ioutil.TempDir(rootfs, ".pivot_root") if err != nil { - return fmt.Errorf("can't create pivot_root dir %s", pivotDir, err) + return fmt.Errorf("can't create pivot_root dir %s, error %v", pivotDir, err) } if err := system.Pivotroot(rootfs, pivotDir); err != nil { return fmt.Errorf("pivot_root %s", err) diff --git a/pkg/libcontainer/mount/ptmx.go b/vendor/src/github.com/docker/libcontainer/mount/ptmx.go similarity index 90% rename from pkg/libcontainer/mount/ptmx.go rename to vendor/src/github.com/docker/libcontainer/mount/ptmx.go index f6ca534637..32c025202e 100644 --- a/pkg/libcontainer/mount/ptmx.go +++ b/vendor/src/github.com/docker/libcontainer/mount/ptmx.go @@ -4,7 +4,7 @@ package mount import ( "fmt" - "github.com/dotcloud/docker/pkg/libcontainer/console" + "github.com/docker/libcontainer/console" "os" "path/filepath" ) diff --git a/pkg/libcontainer/mount/readonly.go b/vendor/src/github.com/docker/libcontainer/mount/readonly.go similarity index 100% rename from pkg/libcontainer/mount/readonly.go rename to vendor/src/github.com/docker/libcontainer/mount/readonly.go diff --git a/pkg/libcontainer/mount/remount.go b/vendor/src/github.com/docker/libcontainer/mount/remount.go similarity index 100% rename from pkg/libcontainer/mount/remount.go rename to vendor/src/github.com/docker/libcontainer/mount/remount.go diff --git a/pkg/libcontainer/namespaces/create.go b/vendor/src/github.com/docker/libcontainer/namespaces/create.go similarity index 80% rename from pkg/libcontainer/namespaces/create.go rename to vendor/src/github.com/docker/libcontainer/namespaces/create.go index 60b2a2db02..20bef20459 100644 --- a/pkg/libcontainer/namespaces/create.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/create.go @@ -4,7 +4,7 @@ import ( "os" "os/exec" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" ) type CreateCommand func(container *libcontainer.Container, console, rootfs, dataPath, init string, childPipe *os.File, args []string) *exec.Cmd diff --git a/pkg/libcontainer/namespaces/exec.go b/vendor/src/github.com/docker/libcontainer/namespaces/exec.go similarity index 94% rename from pkg/libcontainer/namespaces/exec.go rename to vendor/src/github.com/docker/libcontainer/namespaces/exec.go index 288205ea60..31d5ba21d8 100644 --- a/pkg/libcontainer/namespaces/exec.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/exec.go @@ -7,11 +7,11 @@ import ( "os/exec" "syscall" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups/fs" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups/systemd" - "github.com/dotcloud/docker/pkg/libcontainer/network" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/cgroups" + "github.com/docker/libcontainer/cgroups/fs" + "github.com/docker/libcontainer/cgroups/systemd" + "github.com/docker/libcontainer/network" "github.com/dotcloud/docker/pkg/system" ) diff --git a/pkg/libcontainer/namespaces/execin.go b/vendor/src/github.com/docker/libcontainer/namespaces/execin.go similarity index 69% rename from pkg/libcontainer/namespaces/execin.go rename to vendor/src/github.com/docker/libcontainer/namespaces/execin.go index 4d5671e778..f44e92abe5 100644 --- a/pkg/libcontainer/namespaces/execin.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/execin.go @@ -7,8 +7,8 @@ import ( "os" "strconv" - "github.com/dotcloud/docker/pkg/label" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/label" "github.com/dotcloud/docker/pkg/system" ) @@ -21,14 +21,8 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error { return err } - // TODO(vmarmol): Move this to the container JSON. - processLabel, err := label.GetPidCon(nspid) - if err != nil { - return err - } - // Enter the namespace and then finish setup - finalArgs := []string{os.Args[0], "nsenter", strconv.Itoa(nspid), processLabel, string(containerJson)} + finalArgs := []string{os.Args[0], "nsenter", "--nspid", strconv.Itoa(nspid), "--containerjson", string(containerJson), "--"} finalArgs = append(finalArgs, args...) if err := system.Execv(finalArgs[0], finalArgs[0:], os.Environ()); err != nil { return err @@ -37,7 +31,7 @@ func ExecIn(container *libcontainer.Container, nspid int, args []string) error { } // NsEnter is run after entering the namespace. -func NsEnter(container *libcontainer.Container, processLabel string, nspid int, args []string) error { +func NsEnter(container *libcontainer.Container, nspid int, args []string) error { // clear the current processes env and replace it with the environment // defined on the container if err := LoadContainerEnvironment(container); err != nil { @@ -46,9 +40,13 @@ func NsEnter(container *libcontainer.Container, processLabel string, nspid int, if err := FinalizeNamespace(container); err != nil { return err } - if err := label.SetProcessLabel(processLabel); err != nil { - return err + + if process_label, ok := container.Context["process_label"]; ok { + if err := label.SetProcessLabel(process_label); err != nil { + return err + } } + if err := system.Execv(args[0], args[0:], container.Env); err != nil { return err } diff --git a/pkg/libcontainer/namespaces/init.go b/vendor/src/github.com/docker/libcontainer/namespaces/init.go similarity index 91% rename from pkg/libcontainer/namespaces/init.go rename to vendor/src/github.com/docker/libcontainer/namespaces/init.go index b53c56668d..e89afdb47e 100644 --- a/pkg/libcontainer/namespaces/init.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/init.go @@ -9,16 +9,16 @@ import ( "strings" "syscall" - "github.com/dotcloud/docker/pkg/apparmor" - "github.com/dotcloud/docker/pkg/label" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/console" - "github.com/dotcloud/docker/pkg/libcontainer/mount" - "github.com/dotcloud/docker/pkg/libcontainer/network" - "github.com/dotcloud/docker/pkg/libcontainer/security/capabilities" - "github.com/dotcloud/docker/pkg/libcontainer/security/restrict" - "github.com/dotcloud/docker/pkg/libcontainer/utils" - "github.com/dotcloud/docker/pkg/netlink" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/apparmor" + "github.com/docker/libcontainer/console" + "github.com/docker/libcontainer/label" + "github.com/docker/libcontainer/mount" + "github.com/docker/libcontainer/netlink" + "github.com/docker/libcontainer/network" + "github.com/docker/libcontainer/security/capabilities" + "github.com/docker/libcontainer/security/restrict" + "github.com/docker/libcontainer/utils" "github.com/dotcloud/docker/pkg/system" "github.com/dotcloud/docker/pkg/user" ) @@ -185,7 +185,10 @@ func setupRoute(container *libcontainer.Container) error { // and working dir, and closes any leaky file descriptors // before execing the command inside the namespace func FinalizeNamespace(container *libcontainer.Container) error { - if err := system.CloseFdsFrom(3); err != nil { + // Ensure that all non-standard fds we may have accidentally + // inherited are marked close-on-exec so they stay out of the + // container + if err := utils.CloseExecFrom(3); err != nil { return fmt.Errorf("close open file descriptors %s", err) } @@ -217,6 +220,7 @@ func FinalizeNamespace(container *libcontainer.Container) error { return fmt.Errorf("chdir to %s %s", container.WorkingDir, err) } } + return nil } diff --git a/pkg/libcontainer/namespaces/nsenter.go b/vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go similarity index 69% rename from pkg/libcontainer/namespaces/nsenter.go rename to vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go index d5c2e761b7..d5eaa27143 100644 --- a/pkg/libcontainer/namespaces/nsenter.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/nsenter.go @@ -1,9 +1,12 @@ +// +build linux + package namespaces /* #include #include #include +#include #include #include #include @@ -12,6 +15,7 @@ package namespaces #include #include #include +#include static const kBufSize = 256; @@ -49,6 +53,22 @@ void get_args(int *argc, char ***argv) { (*argv)[*argc] = NULL; } +// Use raw setns syscall for versions of glibc that don't include it (namely glibc-2.12) +#if __GLIBC__ == 2 && __GLIBC_MINOR__ < 14 +#define _GNU_SOURCE +#include +#include "syscall.h" +#ifdef SYS_setns +int setns(int fd, int nstype) { + return syscall(SYS_setns, fd, nstype); +} +#endif +#endif + +void print_usage() { + fprintf(stderr, " nsenter --nspid --containerjson -- cmd1 arg1 arg2...\n"); +} + void nsenter() { int argc; char **argv; @@ -64,21 +84,47 @@ void nsenter() { fprintf(stderr, "nsenter: Incorrect usage, not enough arguments\n"); exit(1); } - pid_t init_pid = strtol(argv[2], NULL, 10); - if (errno != 0 || init_pid <= 0) { - fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", argv[2], strerror(errno)); + + static const struct option longopts[] = { + { "nspid", required_argument, NULL, 'n' }, + { "containerjson", required_argument, NULL, 'c' }, + { NULL, 0, NULL, 0 } + }; + + int c; + pid_t init_pid = -1; + char *init_pid_str = NULL; + char *container_json = NULL; + while ((c = getopt_long_only(argc, argv, "n:s:c:", longopts, NULL)) != -1) { + switch (c) { + case 'n': + init_pid_str = optarg; + break; + case 'c': + container_json = optarg; + break; + } + } + + if (container_json == NULL || init_pid_str == NULL) { + print_usage(); exit(1); } + + init_pid = strtol(init_pid_str, NULL, 10); + if (errno != 0 || init_pid <= 0) { + fprintf(stderr, "nsenter: Failed to parse PID from \"%s\" with error: \"%s\"\n", init_pid_str, strerror(errno)); + print_usage(); + exit(1); + } + argc -= 3; argv += 3; // Setns on all supported namespaces. - char ns_dir[kBufSize]; - memset(ns_dir, 0, kBufSize); - if (snprintf(ns_dir, kBufSize - 1, "/proc/%d/ns/", init_pid) < 0) { - fprintf(stderr, "nsenter: Error getting ns dir path with error: \"%s\"\n", strerror(errno)); - exit(1); - } + char ns_dir[PATH_MAX]; + memset(ns_dir, 0, PATH_MAX); + snprintf(ns_dir, PATH_MAX - 1, "/proc/%d/ns/", init_pid); struct dirent *dent; DIR *dir = opendir(ns_dir); if (dir == NULL) { @@ -92,10 +138,9 @@ void nsenter() { } // Get and open the namespace for the init we are joining.. - char buf[kBufSize]; - memset(buf, 0, kBufSize); - strncat(buf, ns_dir, kBufSize - 1); - strncat(buf, dent->d_name, kBufSize - 1); + char buf[PATH_MAX]; + memset(buf, 0, PATH_MAX); + snprintf(buf, PATH_MAX - 1, "%s%s", ns_dir, dent->d_name); int fd = open(buf, O_RDONLY); if (fd == -1) { fprintf(stderr, "nsenter: Failed to open ns file \"%s\" for ns \"%s\" with error: \"%s\"\n", buf, dent->d_name, strerror(errno)); diff --git a/pkg/libcontainer/namespaces/pid.go b/vendor/src/github.com/docker/libcontainer/namespaces/pid.go similarity index 100% rename from pkg/libcontainer/namespaces/pid.go rename to vendor/src/github.com/docker/libcontainer/namespaces/pid.go diff --git a/pkg/libcontainer/namespaces/std_term.go b/vendor/src/github.com/docker/libcontainer/namespaces/std_term.go similarity index 100% rename from pkg/libcontainer/namespaces/std_term.go rename to vendor/src/github.com/docker/libcontainer/namespaces/std_term.go diff --git a/pkg/libcontainer/namespaces/sync_pipe.go b/vendor/src/github.com/docker/libcontainer/namespaces/sync_pipe.go similarity index 97% rename from pkg/libcontainer/namespaces/sync_pipe.go rename to vendor/src/github.com/docker/libcontainer/namespaces/sync_pipe.go index e12ed447fa..6fa8465790 100644 --- a/pkg/libcontainer/namespaces/sync_pipe.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/sync_pipe.go @@ -6,7 +6,7 @@ import ( "io/ioutil" "os" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" ) // SyncPipe allows communication to and from the child processes diff --git a/pkg/libcontainer/namespaces/term.go b/vendor/src/github.com/docker/libcontainer/namespaces/term.go similarity index 100% rename from pkg/libcontainer/namespaces/term.go rename to vendor/src/github.com/docker/libcontainer/namespaces/term.go diff --git a/pkg/libcontainer/namespaces/tty_term.go b/vendor/src/github.com/docker/libcontainer/namespaces/tty_term.go similarity index 100% rename from pkg/libcontainer/namespaces/tty_term.go rename to vendor/src/github.com/docker/libcontainer/namespaces/tty_term.go diff --git a/pkg/libcontainer/namespaces/unsupported.go b/vendor/src/github.com/docker/libcontainer/namespaces/unsupported.go similarity index 88% rename from pkg/libcontainer/namespaces/unsupported.go rename to vendor/src/github.com/docker/libcontainer/namespaces/unsupported.go index b459b4d2f5..a0653ee8ad 100644 --- a/pkg/libcontainer/namespaces/unsupported.go +++ b/vendor/src/github.com/docker/libcontainer/namespaces/unsupported.go @@ -3,8 +3,8 @@ package namespaces import ( - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/cgroups" ) func Exec(container *libcontainer.Container, term Terminal, rootfs, dataPath string, args []string, createCommand CreateCommand, startCallback func()) (int, error) { diff --git a/pkg/netlink/MAINTAINERS b/vendor/src/github.com/docker/libcontainer/netlink/MAINTAINERS similarity index 100% rename from pkg/netlink/MAINTAINERS rename to vendor/src/github.com/docker/libcontainer/netlink/MAINTAINERS diff --git a/pkg/netlink/netlink.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink.go similarity index 100% rename from pkg/netlink/netlink.go rename to vendor/src/github.com/docker/libcontainer/netlink/netlink.go diff --git a/pkg/netlink/netlink_linux.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go similarity index 100% rename from pkg/netlink/netlink_linux.go rename to vendor/src/github.com/docker/libcontainer/netlink/netlink_linux.go diff --git a/pkg/netlink/netlink_unsupported.go b/vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go similarity index 100% rename from pkg/netlink/netlink_unsupported.go rename to vendor/src/github.com/docker/libcontainer/netlink/netlink_unsupported.go diff --git a/pkg/libcontainer/network/loopback.go b/vendor/src/github.com/docker/libcontainer/network/loopback.go similarity index 92% rename from pkg/libcontainer/network/loopback.go rename to vendor/src/github.com/docker/libcontainer/network/loopback.go index 6215061dc2..218d1959be 100644 --- a/pkg/libcontainer/network/loopback.go +++ b/vendor/src/github.com/docker/libcontainer/network/loopback.go @@ -2,7 +2,7 @@ package network import ( "fmt" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" ) // Loopback is a network strategy that provides a basic loopback device diff --git a/pkg/libcontainer/network/netns.go b/vendor/src/github.com/docker/libcontainer/network/netns.go similarity index 95% rename from pkg/libcontainer/network/netns.go rename to vendor/src/github.com/docker/libcontainer/network/netns.go index 7e311f22d8..e8a9188ddb 100644 --- a/pkg/libcontainer/network/netns.go +++ b/vendor/src/github.com/docker/libcontainer/network/netns.go @@ -5,7 +5,7 @@ import ( "os" "syscall" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" "github.com/dotcloud/docker/pkg/system" ) diff --git a/pkg/libcontainer/network/network.go b/vendor/src/github.com/docker/libcontainer/network/network.go similarity index 97% rename from pkg/libcontainer/network/network.go rename to vendor/src/github.com/docker/libcontainer/network/network.go index 85a28dc37c..94cd711d2f 100644 --- a/pkg/libcontainer/network/network.go +++ b/vendor/src/github.com/docker/libcontainer/network/network.go @@ -1,7 +1,7 @@ package network import ( - "github.com/dotcloud/docker/pkg/netlink" + "github.com/docker/libcontainer/netlink" "net" ) diff --git a/pkg/libcontainer/network/strategy.go b/vendor/src/github.com/docker/libcontainer/network/strategy.go similarity index 94% rename from pkg/libcontainer/network/strategy.go rename to vendor/src/github.com/docker/libcontainer/network/strategy.go index e41ecc3ea6..321cf58e3d 100644 --- a/pkg/libcontainer/network/strategy.go +++ b/vendor/src/github.com/docker/libcontainer/network/strategy.go @@ -3,7 +3,7 @@ package network import ( "errors" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" ) var ( diff --git a/pkg/libcontainer/network/veth.go b/vendor/src/github.com/docker/libcontainer/network/veth.go similarity index 96% rename from pkg/libcontainer/network/veth.go rename to vendor/src/github.com/docker/libcontainer/network/veth.go index d3be221c60..4dad4aa20a 100644 --- a/pkg/libcontainer/network/veth.go +++ b/vendor/src/github.com/docker/libcontainer/network/veth.go @@ -2,8 +2,8 @@ package network import ( "fmt" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/utils" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/utils" ) // Veth is a network strategy that uses a bridge and creates diff --git a/pkg/libcontainer/nsinit/exec.go b/vendor/src/github.com/docker/libcontainer/nsinit/exec.go similarity index 94% rename from pkg/libcontainer/nsinit/exec.go rename to vendor/src/github.com/docker/libcontainer/nsinit/exec.go index d4ce1ca8c4..5bbfd088d4 100644 --- a/pkg/libcontainer/nsinit/exec.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/exec.go @@ -8,8 +8,8 @@ import ( "os/signal" "github.com/codegangsta/cli" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/namespaces" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/namespaces" ) var execCommand = cli.Command{ diff --git a/pkg/libcontainer/nsinit/init.go b/vendor/src/github.com/docker/libcontainer/nsinit/init.go similarity index 93% rename from pkg/libcontainer/nsinit/init.go rename to vendor/src/github.com/docker/libcontainer/nsinit/init.go index 20096f0218..eedb961054 100644 --- a/pkg/libcontainer/nsinit/init.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/init.go @@ -6,7 +6,7 @@ import ( "strconv" "github.com/codegangsta/cli" - "github.com/dotcloud/docker/pkg/libcontainer/namespaces" + "github.com/docker/libcontainer/namespaces" ) var ( diff --git a/pkg/libcontainer/nsinit/main.go b/vendor/src/github.com/docker/libcontainer/nsinit/main.go similarity index 100% rename from pkg/libcontainer/nsinit/main.go rename to vendor/src/github.com/docker/libcontainer/nsinit/main.go diff --git a/pkg/libcontainer/nsinit/nsenter.go b/vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go similarity index 53% rename from pkg/libcontainer/nsinit/nsenter.go rename to vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go index 54644282d4..faa61315e0 100644 --- a/pkg/libcontainer/nsinit/nsenter.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/nsenter.go @@ -2,39 +2,39 @@ package main import ( "log" - "strconv" "github.com/codegangsta/cli" - "github.com/dotcloud/docker/pkg/libcontainer/namespaces" + "github.com/docker/libcontainer/namespaces" ) var nsenterCommand = cli.Command{ Name: "nsenter", Usage: "init process for entering an existing namespace", Action: nsenterAction, + Flags: []cli.Flag{ + cli.IntFlag{Name: "nspid"}, + cli.StringFlag{Name: "containerjson"}, + }, } func nsenterAction(context *cli.Context) { args := context.Args() - if len(args) < 4 { - log.Fatalf("incorrect usage: ...") + + if len(args) == 0 { + args = []string{"/bin/bash"} } - container, err := loadContainerFromJson(args.Get(2)) + container, err := loadContainerFromJson(context.String("containerjson")) if err != nil { log.Fatalf("unable to load container: %s", err) } - nspid, err := strconv.Atoi(args.Get(0)) - if err != nil { - log.Fatalf("unable to read pid: %s from %q", err, args.Get(0)) - } - + nspid := context.Int("nspid") if nspid <= 0 { log.Fatalf("cannot enter into namespaces without valid pid: %q", nspid) } - if err := namespaces.NsEnter(container, args.Get(1), nspid, args[3:]); err != nil { + if err := namespaces.NsEnter(container, nspid, args); err != nil { log.Fatalf("failed to nsenter: %s", err) } } diff --git a/pkg/libcontainer/nsinit/spec.go b/vendor/src/github.com/docker/libcontainer/nsinit/spec.go similarity index 93% rename from pkg/libcontainer/nsinit/spec.go rename to vendor/src/github.com/docker/libcontainer/nsinit/spec.go index 2eb4da9fc5..24294ff378 100644 --- a/pkg/libcontainer/nsinit/spec.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/spec.go @@ -6,7 +6,7 @@ import ( "log" "github.com/codegangsta/cli" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" ) var specCommand = cli.Command{ diff --git a/pkg/libcontainer/nsinit/stats.go b/vendor/src/github.com/docker/libcontainer/nsinit/stats.go similarity index 88% rename from pkg/libcontainer/nsinit/stats.go rename to vendor/src/github.com/docker/libcontainer/nsinit/stats.go index 023b40a822..ff6a1ce535 100644 --- a/pkg/libcontainer/nsinit/stats.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/stats.go @@ -6,8 +6,8 @@ import ( "log" "github.com/codegangsta/cli" - "github.com/dotcloud/docker/pkg/libcontainer" - "github.com/dotcloud/docker/pkg/libcontainer/cgroups/fs" + "github.com/docker/libcontainer" + "github.com/docker/libcontainer/cgroups/fs" ) var statsCommand = cli.Command{ diff --git a/pkg/libcontainer/nsinit/utils.go b/vendor/src/github.com/docker/libcontainer/nsinit/utils.go similarity index 95% rename from pkg/libcontainer/nsinit/utils.go rename to vendor/src/github.com/docker/libcontainer/nsinit/utils.go index 9926e2721f..bd49434e44 100644 --- a/pkg/libcontainer/nsinit/utils.go +++ b/vendor/src/github.com/docker/libcontainer/nsinit/utils.go @@ -8,7 +8,7 @@ import ( "path/filepath" "strconv" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" ) func loadContainer() (*libcontainer.Container, error) { diff --git a/pkg/libcontainer/security/capabilities/capabilities.go b/vendor/src/github.com/docker/libcontainer/security/capabilities/capabilities.go similarity index 96% rename from pkg/libcontainer/security/capabilities/capabilities.go rename to vendor/src/github.com/docker/libcontainer/security/capabilities/capabilities.go index 64ea961a18..ef872178f6 100644 --- a/pkg/libcontainer/security/capabilities/capabilities.go +++ b/vendor/src/github.com/docker/libcontainer/security/capabilities/capabilities.go @@ -3,7 +3,7 @@ package capabilities import ( "os" - "github.com/dotcloud/docker/pkg/libcontainer" + "github.com/docker/libcontainer" "github.com/syndtr/gocapability/capability" ) diff --git a/pkg/libcontainer/security/restrict/restrict.go b/vendor/src/github.com/docker/libcontainer/security/restrict/restrict.go similarity index 95% rename from pkg/libcontainer/security/restrict/restrict.go rename to vendor/src/github.com/docker/libcontainer/security/restrict/restrict.go index 2dadc4fff6..ff7ae2fec6 100644 --- a/pkg/libcontainer/security/restrict/restrict.go +++ b/vendor/src/github.com/docker/libcontainer/security/restrict/restrict.go @@ -15,13 +15,14 @@ const defaultMountFlags = syscall.MS_NOEXEC | syscall.MS_NOSUID | syscall.MS_NOD func mountReadonly(path string) error { for i := 0; i < 5; i++ { - if err := system.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil { + if err := system.Mount("", path, "", syscall.MS_REMOUNT|syscall.MS_RDONLY, ""); err != nil && !os.IsNotExist(err) { switch err { case syscall.EINVAL: // Probably not a mountpoint, use bind-mount if err := system.Mount(path, path, "", syscall.MS_BIND, ""); err != nil { return err } + return system.Mount(path, path, "", syscall.MS_BIND|syscall.MS_REMOUNT|syscall.MS_RDONLY|syscall.MS_REC|defaultMountFlags, "") case syscall.EBUSY: time.Sleep(100 * time.Millisecond) @@ -30,15 +31,16 @@ func mountReadonly(path string) error { return err } } + return nil } + return fmt.Errorf("unable to mount %s as readonly max retries reached", path) } // This has to be called while the container still has CAP_SYS_ADMIN (to be able to perform mounts). // However, afterwards, CAP_SYS_ADMIN should be dropped (otherwise the user will be able to revert those changes). func Restrict(mounts ...string) error { - // remount proc and sys as readonly for _, dest := range mounts { if err := mountReadonly(dest); err != nil { return fmt.Errorf("unable to remount %s readonly: %s", dest, err) @@ -48,5 +50,6 @@ func Restrict(mounts ...string) error { if err := system.Mount("/dev/null", "/proc/kcore", "", syscall.MS_BIND, ""); err != nil && !os.IsNotExist(err) { return fmt.Errorf("unable to bind-mount /dev/null over /proc/kcore: %s", err) } + return nil } diff --git a/pkg/libcontainer/security/restrict/unsupported.go b/vendor/src/github.com/docker/libcontainer/security/restrict/unsupported.go similarity index 100% rename from pkg/libcontainer/security/restrict/unsupported.go rename to vendor/src/github.com/docker/libcontainer/security/restrict/unsupported.go diff --git a/pkg/selinux/selinux.go b/vendor/src/github.com/docker/libcontainer/selinux/selinux.go similarity index 100% rename from pkg/selinux/selinux.go rename to vendor/src/github.com/docker/libcontainer/selinux/selinux.go diff --git a/pkg/selinux/selinux_test.go b/vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go similarity index 96% rename from pkg/selinux/selinux_test.go rename to vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go index 9a3a5525e4..40ed70d166 100644 --- a/pkg/selinux/selinux_test.go +++ b/vendor/src/github.com/docker/libcontainer/selinux/selinux_test.go @@ -1,7 +1,7 @@ package selinux_test import ( - "github.com/dotcloud/docker/pkg/selinux" + "github.com/docker/libcontainer/selinux" "os" "testing" ) diff --git a/pkg/libcontainer/types.go b/vendor/src/github.com/docker/libcontainer/types.go similarity index 100% rename from pkg/libcontainer/types.go rename to vendor/src/github.com/docker/libcontainer/types.go diff --git a/pkg/libcontainer/types_linux.go b/vendor/src/github.com/docker/libcontainer/types_linux.go similarity index 100% rename from pkg/libcontainer/types_linux.go rename to vendor/src/github.com/docker/libcontainer/types_linux.go diff --git a/pkg/libcontainer/types_test.go b/vendor/src/github.com/docker/libcontainer/types_test.go similarity index 100% rename from pkg/libcontainer/types_test.go rename to vendor/src/github.com/docker/libcontainer/types_test.go diff --git a/pkg/libcontainer/utils/utils.go b/vendor/src/github.com/docker/libcontainer/utils/utils.go similarity index 52% rename from pkg/libcontainer/utils/utils.go rename to vendor/src/github.com/docker/libcontainer/utils/utils.go index 0d919bc43d..76184ce00b 100644 --- a/pkg/libcontainer/utils/utils.go +++ b/vendor/src/github.com/docker/libcontainer/utils/utils.go @@ -4,7 +4,10 @@ import ( "crypto/rand" "encoding/hex" "io" + "io/ioutil" "path/filepath" + "strconv" + "syscall" ) // GenerateRandomName returns a new name joined with a prefix. This size @@ -26,3 +29,27 @@ func ResolveRootfs(uncleanRootfs string) (string, error) { } return filepath.EvalSymlinks(rootfs) } + +func CloseExecFrom(minFd int) error { + fdList, err := ioutil.ReadDir("/proc/self/fd") + if err != nil { + return err + } + for _, fi := range fdList { + fd, err := strconv.Atoi(fi.Name()) + if err != nil { + // ignore non-numeric file names + continue + } + + if fd < minFd { + // ignore descriptors lower than our specified minimum + continue + } + + // intentionally ignore errors from syscall.CloseOnExec + syscall.CloseOnExec(fd) + // the cases where this might fail are basically file descriptors that have already been closed (including and especially the one that was created when ioutil.ReadDir did the "opendir" syscall) + } + return nil +}