0ct0pu5/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #8861 from tiborvass/bump_v1.3.1

Browse source 
Bump v1.3.1
This commit is contained in:
Tibor Vass 2014-10-30 12:43:43 -04:00
commit 86292adbd9
37 changed files with 1107 additions and 170 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
CHANGELOG.md
View file

@ -1,5 +1,23 @@
# Changelog
## 1.3.1 (2014-10-28)
#### Security
* Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry
+ Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified
#### Runtime
- Fix issue where volumes would not be shared
#### Client
- Fix issue with `--iptables=false` not automatically setting `--ip-masq=false`
- Fix docker run output to non-TTY stdout
#### Builder
- Fix escaping `$` for environment variables
- Fix issue with lowercase `onbuild` Dockerfile instruction
- Restrict envrionment variable expansion to `ENV`, `ADD`, `COPY`, `WORKDIR`, `EXPOSE`, `VOLUME` and `USER`
## 1.3.0 (2014-10-14)
#### Notable features since 1.2.0

2
VERSION
View file

@ -1 +1 @@
1.3.0
1.3.1

9
api/client/commands.go
View file

@ -1986,6 +1986,10 @@ func (cli *DockerCli) CmdTag(args ...string) error {
}
func (cli *DockerCli) pullImage(image string) error {
return cli.pullImageCustomOut(image, cli.out)
}
func (cli *DockerCli) pullImageCustomOut(image string, out io.Writer) error {
v := url.Values{}
repos, tag := parsers.ParseRepositoryTag(image)
// pull only the image tagged 'latest' if no tag was specified
@ -2014,7 +2018,7 @@ func (cli *DockerCli) pullImage(image string) error {
registryAuthHeader := []string{
base64.URLEncoding.EncodeToString(buf),
}
if err = cli.stream("POST", "/images/create?"+v.Encode(), nil, cli.out, map[string][]string{"X-Registry-Auth": registryAuthHeader}); err != nil {
if err = cli.stream("POST", "/images/create?"+v.Encode(), nil, out, map[string][]string{"X-Registry-Auth": registryAuthHeader}); err != nil {
return err
}
return nil
@ -2081,7 +2085,8 @@ func (cli *DockerCli) createContainer(config *runconfig.Config, hostConfig *runc
if statusCode == 404 {
fmt.Fprintf(cli.err, "Unable to find image '%s' locally\n", config.Image)
if err = cli.pullImage(config.Image); err != nil {
// we don't want to write to stdout anything apart from container.ID
if err = cli.pullImageCustomOut(config.Image, cli.err); err != nil {
return nil, err
}
// Retry

2
api/server/server.go
View file

@ -1439,6 +1439,8 @@ func ListenAndServe(proto, addr string, job *engine.Job) error {
tlsConfig := &tls.Config{
NextProtos: []string{"http/1.1"},
Certificates: []tls.Certificate{cert},
// Avoid fallback on insecure SSL protocols
MinVersion: tls.VersionTLS10,
}
if job.GetenvBool("TlsVerify") {
certPool := x509.NewCertPool()

15
builder/dispatchers.go
View file

@ -11,6 +11,7 @@ import (
"fmt"
"io/ioutil"
"path/filepath"
"regexp"
"strings"
"github.com/docker/docker/nat"
@ -129,7 +130,7 @@ func onbuild(b *Builder, args []string, attributes map[string]bool, original str
return fmt.Errorf("%s isn't allowed as an ONBUILD trigger", triggerInstruction)
}
original = strings.TrimSpace(strings.TrimLeft(original, "ONBUILD"))
original = regexp.MustCompile(`(?i)^\s*ONBUILD\s*`).ReplaceAllString(original, "")
b.Config.OnBuild = append(b.Config.OnBuild, original)
return b.commit("", b.Config.Cmd, fmt.Sprintf("ONBUILD %s", original))
@ -194,7 +195,7 @@ func run(b *Builder, args []string, attributes map[string]bool, original string)
defer func(cmd []string) { b.Config.Cmd = cmd }(cmd)
log.Debugf("Command to be executed: %v", b.Config.Cmd)
log.Debugf("[BUILDER] Command to be executed: %v", b.Config.Cmd)
hit, err := b.probeCache()
if err != nil {
@ -233,7 +234,7 @@ func run(b *Builder, args []string, attributes map[string]bool, original string)
func cmd(b *Builder, args []string, attributes map[string]bool, original string) error {
b.Config.Cmd = handleJsonArgs(args, attributes)
if !attributes["json"] && len(b.Config.Entrypoint) == 0 {
if !attributes["json"] {
b.Config.Cmd = append([]string{"/bin/sh", "-c"}, b.Config.Cmd...)
}
@ -260,14 +261,14 @@ func entrypoint(b *Builder, args []string, attributes map[string]bool, original
parsed := handleJsonArgs(args, attributes)
switch {
case len(parsed) == 0:
// ENTYRPOINT []
b.Config.Entrypoint = nil
case attributes["json"]:
// ENTRYPOINT ["echo", "hi"]
b.Config.Entrypoint = parsed
case len(parsed) == 0:
// ENTRYPOINT []
b.Config.Entrypoint = nil
default:
// ENTYRPOINT echo hi
// ENTRYPOINT echo hi
b.Config.Entrypoint = []string{"/bin/sh", "-c", parsed[0]}
}

22
builder/evaluator.go
View file

@ -41,6 +41,17 @@ var (
ErrDockerfileEmpty = errors.New("Dockerfile cannot be empty")
)
// Environment variable interpolation will happen on these statements only.
var replaceEnvAllowed = map[string]struct{}{
"env": {},
"add": {},
"copy": {},
"workdir": {},
"expose": {},
"volume": {},
"user": {},
}
var evaluateTable map[string]func(*Builder, []string, map[string]bool, string) error
func init() {
@ -149,7 +160,7 @@ func (b *Builder) Run(context io.Reader) (string, error) {
b.dockerfile = ast
// some initializations that would not have been supplied by the caller.
b.Config = &runconfig.Config{Entrypoint: []string{}, Cmd: nil}
b.Config = &runconfig.Config{}
b.TmpContainers = map[string]struct{}{}
for i, n := range b.dockerfile.Children {
@ -196,13 +207,18 @@ func (b *Builder) dispatch(stepN int, ast *parser.Node) error {
if cmd == "onbuild" {
ast = ast.Next.Children[0]
strs = append(strs, b.replaceEnv(ast.Value))
strs = append(strs, ast.Value)
msg += " " + ast.Value
}
for ast.Next != nil {
ast = ast.Next
strs = append(strs, b.replaceEnv(ast.Value))
var str string
str = ast.Value
if _, ok := replaceEnvAllowed[cmd]; ok {
str = b.replaceEnv(ast.Value)
}
strs = append(strs, str)
msg += " " + ast.Value
}

5
builder/parser/parser.go
View file

@ -87,10 +87,11 @@ func parseLine(line string) (string, *Node, error) {
if sexp.Value != "" || sexp.Next != nil || sexp.Children != nil {
node.Next = sexp
node.Attributes = attrs
node.Original = line
}
node.Attributes = attrs
node.Original = line
return "", node, nil
}

15
builder/support.go
View file

@ -10,13 +10,26 @@ var (
// `\$` - match literal $
// `[[:alnum:]_]+` - match things like `$SOME_VAR`
// `{[[:alnum:]_]+}` - match things like `${SOME_VAR}`
tokenEnvInterpolation = regexp.MustCompile(`(\\\\+|[^\\]|\b|\A)\$([[:alnum:]_]+|{[[:alnum:]_]+})`)
tokenEnvInterpolation = regexp.MustCompile(`(\\|\\\\+|[^\\]|\b|\A)\$([[:alnum:]_]+|{[[:alnum:]_]+})`)
// this intentionally punts on more exotic interpolations like ${SOME_VAR%suffix} and lets the shell handle those directly
)
// handle environment replacement. Used in dispatcher.
func (b *Builder) replaceEnv(str string) string {
for _, match := range tokenEnvInterpolation.FindAllString(str, -1) {
idx := strings.Index(match, "\\$")
if idx != -1 {
if idx+2 >= len(match) {
str = strings.Replace(str, match, "\\$", -1)
continue
}
prefix := match[:idx]
stripped := match[idx+2:]
str = strings.Replace(str, match, prefix+"$"+stripped, -1)
continue
}
match = match[strings.Index(match, "$"):]
matchKey := strings.Trim(match, "${}")

4
builtins/builtins.go
View file

@ -10,7 +10,6 @@ import (
"github.com/docker/docker/engine"
"github.com/docker/docker/events"
"github.com/docker/docker/pkg/parsers/kernel"
"github.com/docker/docker/registry"
)
func Register(eng *engine.Engine) error {
@ -26,7 +25,8 @@ func Register(eng *engine.Engine) error {
if err := eng.Register("version", dockerVersion); err != nil {
return err
}
return registry.NewService().Install(eng)
return nil
}
// remote: a RESTful api for cross-docker communication

2
daemon/config.go
View file

@ -31,6 +31,7 @@ type Config struct {
BridgeIface string
BridgeIP string
FixedCIDR string
InsecureRegistries []string
InterContainerCommunication bool
GraphDriver string
GraphOptions []string
@ -55,6 +56,7 @@ func (config *Config) InstallFlags() {
flag.StringVar(&config.BridgeIP, []string{"#bip", "-bip"}, "", "Use this CIDR notation address for the network bridge's IP, not compatible with -b")
flag.StringVar(&config.BridgeIface, []string{"b", "-bridge"}, "", "Attach containers to a pre-existing network bridge\nuse 'none' to disable container networking")
flag.StringVar(&config.FixedCIDR, []string{"-fixed-cidr"}, "", "IPv4 subnet for fixed IPs (ex: 10.20.0.0/16)\nthis subnet must be nested in the bridge subnet (which is defined by -b or --bip)")
opts.ListVar(&config.InsecureRegistries, []string{"-insecure-registry"}, "Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback)")
flag.BoolVar(&config.InterContainerCommunication, []string{"#icc", "-icc"}, true, "Enable inter-container communication")
flag.StringVar(&config.GraphDriver, []string{"s", "-storage-driver"}, "", "Force the Docker runtime to use a specific storage driver")
flag.StringVar(&config.ExecDriver, []string{"e", "-exec-driver"}, "native", "Force the Docker runtime to use a specific exec driver")

4
daemon/daemon.go
View file

@ -731,7 +731,7 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)
return nil, fmt.Errorf("You specified --iptables=false with --icc=false. ICC uses iptables to function. Please set --icc or --iptables to true.")
}
if !config.EnableIptables && config.EnableIpMasq {
return nil, fmt.Errorf("You specified --iptables=false with --ipmasq=true. IP masquerading uses iptables to function. Please set --ipmasq to false or --iptables to true.")
config.EnableIpMasq = false
}
config.DisableNetwork = config.BridgeIface == disableNetworkBridge
@ -831,7 +831,7 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine) (*Daemon, error)
}
log.Debugf("Creating repository list")
repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, config.Mirrors)
repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, config.Mirrors, config.InsecureRegistries)
if err != nil {
return nil, fmt.Errorf("Couldn't create Tag store: %s", err)
}

3
daemon/volumes.go
View file

@ -133,6 +133,7 @@ func (container *Container) parseVolumeMountConfig() (map[string]*Mount, error)
// Get the rest of the volumes
for path := range container.Config.Volumes {
// Check if this is already added as a bind-mount
path = filepath.Clean(path)
if _, exists := mounts[path]; exists {
continue
}
@ -182,6 +183,8 @@ func parseBindMountSpec(spec string) (string, string, bool, error) {
return "", "", false, fmt.Errorf("cannot bind mount volume: %s volume paths must be absolute.", path)
}
path = filepath.Clean(path)
mountToPath = filepath.Clean(mountToPath)
return path, mountToPath, writable, nil
}

7
docker/daemon.go
View file

@ -14,6 +14,7 @@ import (
"github.com/docker/docker/engine"
flag "github.com/docker/docker/pkg/mflag"
"github.com/docker/docker/pkg/signal"
"github.com/docker/docker/registry"
)
const CanDaemon = true
@ -33,11 +34,17 @@ func mainDaemon() {
}
eng := engine.New()
signal.Trap(eng.Shutdown)
// Load builtins
if err := builtins.Register(eng); err != nil {
log.Fatal(err)
}
// load registry service
if err := registry.NewService(daemonCfg.InsecureRegistries).Install(eng); err != nil {
log.Fatal(err)
}
// load the daemon in the background so we can immediately start
// the http api so that connections don't fail while the daemon
// is booting

2
docker/docker.go
View file

@ -93,6 +93,8 @@ func main() {
}
tlsConfig.Certificates = []tls.Certificate{cert}
}
// Avoid fallback to SSL protocols < TLS1.0
tlsConfig.MinVersion = tls.VersionTLS10
}
if *flTls || *flTlsVerify {

1
docs/mkdocs.yml Executable file → Normal file
View file

@ -26,6 +26,7 @@ pages:
# Introduction:
- ['index.md', 'About', 'Docker']
- ['release-notes.md', 'About', 'Release Notes']
- ['introduction/index.md', '**HIDDEN**']
- ['introduction/understanding-docker.md', 'About', 'Understanding Docker']

38
docs/sources/index.md
View file

@ -88,40 +88,4 @@ implementation, check out the [Docker User Guide](/userguide/).
## Release Notes
**Version 1.3.0**
This version fixes a number of bugs and issues and adds new functions and other
improvements. These include:
*New command: `docker exec`*
The new `docker exec` command lets you run a process in an existing, active
container. The command has APIs for both the daemon and the client. With
`docker exec`, you'll be able to do things like add or remove devices from running containers, debug running containers, and run commands that are not
part of the container's static specification.
*New command: `docker create`*
Traditionally, the `docker run` command has been used to both create a
container and spawn a process to run it. The new `docker create` command breaks
this apart, letting you set up a container without actually starting it. This
provides more control over management of the container lifecycle, giving you the
ability to configure things like volumes or port mappings before the container
is started. For example, in a rapid-response scaling situation, you could use
`create` to prepare and stage ten containers in anticipation of heavy loads.
*New provenance features*
Official images are now signed by Docker, Inc. to improve your confidence and
security. Look for the blue ribbons on the [Docker Hub](https://hub.docker.com/).
The Docker Engine has been updated to automatically verify that a given Official
Repo has a current, valid signature. If no valid signature is detected, Docker
Engine will use a prior image.
*Other improvements & changes*
We've added a new security options flag that lets you set SELinux and AppArmor
labels and profiles. This means you'll longer have to use `docker run
--privileged on kernels that support SE Linux or AppArmor.
A summary of the changes in each release in the current series can now be found on the separate [Release Notes page](/release-notes/)

30
docs/sources/reference/api/hub_registry_spec.md
View file

@ -4,7 +4,9 @@ page_keywords: docker, registry, api, hub
# The Docker Hub and the Registry spec
## The 3 roles
## The three roles
There are three major components playing a role in the Docker ecosystem.
### Docker Hub
@ -21,13 +23,15 @@ The Docker Hub has different components:
- Authentication service
- Tokenization
The Docker Hub is authoritative for those information.
The Docker Hub is authoritative for that information.
We expect that there will be only one instance of the Docker Hub, run and
There is only one instance of the Docker Hub, run and
managed by Docker Inc.
### Registry
The registry has the following characteristics:
- It stores the images and the graph for a set of repositories
- It does not have user accounts data
- It has no notion of user accounts or authorization
@ -37,35 +41,35 @@ managed by Docker Inc.
- It doesn't have a local database
- [Source Code](https://github.com/docker/docker-registry)
We expect that there will be multiple registries out there. To help to
We expect that there will be multiple registries out there. To help you
grasp the context, here are some examples of registries:
- **sponsor registry**: such a registry is provided by a third-party
hosting infrastructure as a convenience for their customers and the
docker community as a whole. Its costs are supported by the third
Docker community as a whole. Its costs are supported by the third
party, but the management and operation of the registry are
supported by dotCloud. It features read/write access, and delegates
supported by Docker, Inc. It features read/write access, and delegates
authentication and authorization to the Docker Hub.
- **mirror registry**: such a registry is provided by a third-party
hosting infrastructure but is targeted at their customers only. Some
mechanism (unspecified to date) ensures that public images are
pulled from a sponsor registry to the mirror registry, to make sure
that the customers of the third-party provider can “docker pull”
that the customers of the third-party provider can `docker pull`
those images locally.
- **vendor registry**: such a registry is provided by a software
vendor, who wants to distribute docker images. It would be operated
vendor who wants to distribute docker images. It would be operated
and managed by the vendor. Only users authorized by the vendor would
be able to get write access. Some images would be public (accessible
for anyone), others private (accessible only for authorized users).
Authentication and authorization would be delegated to the Docker Hub.
The goal of vendor registries is to let someone do docker pull
basho/riak1.3 and automatically push from the vendor registry
(instead of a sponsor registry); i.e. get all the convenience of a
The goal of vendor registries is to let someone do `docker pull
basho/riak1.3` and automatically push from the vendor registry
(instead of a sponsor registry); i.e., vendors get all the convenience of a
sponsor registry, while retaining control on the asset distribution.
- **private registry**: such a registry is located behind a firewall,
or protected by an additional security layer (HTTP authorization,
SSL client-side certificates, IP address authorization...). The
registry is operated by a private entity, outside of dotCloud's
registry is operated by a private entity, outside of Docker's
control. It can optionally delegate additional authorization to the
Docker Hub, but it is not mandatory.
@ -77,7 +81,7 @@ grasp the context, here are some examples of registries:
> - local mount point;
> - remote docker addressed through SSH.
The latter would only require two new commands in docker, e.g.,
The latter would only require two new commands in Docker, e.g.,
`registryget` and `registryput`,
wrapping access to the local filesystem (and optionally doing
consistency checks). Authentication and authorization are then delegated

29
docs/sources/reference/api/registry_api.md
View file

@ -21,30 +21,30 @@ grasp the context, here are some examples of registries:
- **sponsor registry**: such a registry is provided by a third-party
hosting infrastructure as a convenience for their customers and the
docker community as a whole. Its costs are supported by the third
Docker community as a whole. Its costs are supported by the third
party, but the management and operation of the registry are
supported by dotCloud. It features read/write access, and delegates
supported by Docker. It features read/write access, and delegates
authentication and authorization to the Index.
- **mirror registry**: such a registry is provided by a third-party
hosting infrastructure but is targeted at their customers only. Some
mechanism (unspecified to date) ensures that public images are
pulled from a sponsor registry to the mirror registry, to make sure
that the customers of the third-party provider can “docker pull”
that the customers of the third-party provider can `docker pull`
those images locally.
- **vendor registry**: such a registry is provided by a software
vendor, who wants to distribute docker images. It would be operated
vendor, who wants to distribute Docker images. It would be operated
and managed by the vendor. Only users authorized by the vendor would
be able to get write access. Some images would be public (accessible
for anyone), others private (accessible only for authorized users).
Authentication and authorization would be delegated to the Index.
The goal of vendor registries is to let someone do docker pull
basho/riak1.3 and automatically push from the vendor registry
(instead of a sponsor registry); i.e. get all the convenience of a
The goal of vendor registries is to let someone do `docker pull
basho/riak1.3` and automatically push from the vendor registry
(instead of a sponsor registry); i.e., get all the convenience of a
sponsor registry, while retaining control on the asset distribution.
- **private registry**: such a registry is located behind a firewall,
or protected by an additional security layer (HTTP authorization,
SSL client-side certificates, IP address authorization...). The
registry is operated by a private entity, outside of dotCloud's
registry is operated by a private entity, outside of Docker's
control. It can optionally delegate additional authorization to the
Index, but it is not mandatory.
@ -52,7 +52,7 @@ grasp the context, here are some examples of registries:
> Mirror registries and private registries which do not use the Index
> don't even need to run the registry code. They can be implemented by any
> kind of transport implementing HTTP GET and PUT. Read-only registries
> can be powered by a simple static HTTP server.
> can be powered by a simple static HTTPS server.
> **Note**:
> The latter implies that while HTTP is the protocol of choice for a registry,
@ -60,13 +60,20 @@ grasp the context, here are some examples of registries:
>
> - HTTP with GET (and PUT for read-write registries);
> - local mount point;
> - remote docker addressed through SSH.
> - remote Docker addressed through SSH.
The latter would only require two new commands in docker, e.g.,
The latter would only require two new commands in Docker, e.g.,
`registryget` and `registryput`, wrapping access to the local filesystem
(and optionally doing consistency checks). Authentication and authorization
are then delegated to SSH (e.g., with public keys).
> **Note**:
> Private registry servers that expose an HTTP endpoint need to be secured with
> TLS (preferably TLSv1.2, but at least TLSv1.0). Make sure to put the CA
> certificate at /etc/docker/certs.d/my.registry.com:5000/ca.crt on the Docker
> host, so that the daemon can securely access the private registry.
> Support for SSLv3 and lower is not available due to security issues.
The default namespace for a private repository is `library`.
# Endpoints

18
docs/sources/reference/commandline/cli.md
View file

@ -70,6 +70,7 @@ expect an integer, and they can only be specified once.
-g, --graph="/var/lib/docker" Path to use as the root of the Docker runtime
-H, --host=[] The socket(s) to bind to in daemon mode or connect to in client mode, specified using one or more tcp://host:port, unix:///path/to/socket, fd://* or fd://socketfd.
--icc=true Enable inter-container communication
--insecure-registry=[] Enable insecure communication with specified registries (no certificate verification for HTTPS and enable HTTP fallback)
--ip=0.0.0.0 Default IP address to use when binding container ports
--ip-forward=true Enable net.ipv4.ip_forward
--ip-masq=true Enable IP masquerading for bridge's IP range
@ -111,7 +112,12 @@ direct access to the Docker daemon - and should be secured either using the
[built in https encrypted socket](/articles/https/), or by putting a secure web
proxy in front of it. You can listen on port `2375` on all network interfaces
with `-H tcp://0.0.0.0:2375`, or on a particular network interface using its IP
address: `-H tcp://192.168.59.103:2375`.
address: `-H tcp://192.168.59.103:2375`. It is conventional to use port `2375`
for un-encrypted, and port `2376` for encrypted communication with the daemon.
> **Note** If you're using an HTTPS encrypted socket, keep in mind that only TLS1.0
> and greater are supported. Protocols SSLv3 and under are not supported anymore
> for security reasons.
On Systemd based systems, you can communicate with the daemon via
[systemd socket activation](http://0pointer.de/blog/projects/socket-activation.html), use
@ -194,6 +200,16 @@ to other machines on the Internet. This may interfere with some network topologi
can be disabled with --ip-masq=false.
By default, Docker will assume all registries are secured via TLS with certificate verification
enabled. Prior versions of Docker used an auto fallback if a registry did not support TLS
(or if the TLS connection failed). This introduced the opportunity for Man In The Middle (MITM)
attacks, so as of Docker 1.3.1, the user must now specify the `--insecure-registry` daemon flag
for each insecure registry. An insecure registry is either not using TLS (i.e. plain text HTTP),
or is using TLS with a CA certificate not known by the Docker daemon (i.e. certification
verification disabled). For example, if there is a registry listening for HTTP at 127.0.0.1:5000,
as of Docker 1.3.1 you are required to specify `--insecure-registry 127.0.0.1:5000` when starting
the Docker daemon.
Docker supports softlinks for the Docker data directory
(`/var/lib/docker`) and for `/var/lib/docker/tmp`. The `DOCKER_TMPDIR` and the data directory can be set like this:

291
docs/sources/release-notes.md Normal file
View file

@ -0,0 +1,291 @@
page_title: Docker 1.x Series Release Notes page_description: Release Notes for
Docker 1.x. page_keywords: docker, documentation, about, technology,
understanding, release
#Release Notes
##Version 1.3.1
(2014-10-28)
This release fixes some bugs and addresses some security issues.
*Security fixes*
Patches and changes were made to address CVE-2014-5277 and CVE-2014-3566. Specifically, changes were made to:
* Prevent fallback to SSL protocols < TLS 1.0 for client, daemon and registry
* Secure HTTPS connection to registries with certificate verification and without HTTP fallback unless `--insecure-registry` is specified.
*Runtime fixes*
* Fixed issue where volumes would not be shared
*Client fixes*
* Fixed issue with `--iptables=false` not automatically setting
`--ip-masq=false`
* Fixed docker run output to non-TTY stdout
*Builder fixes*
* Fixed escaping `$` for environment variables
* Fixed issue with lowercase `onbuild` Dockerfile instruction
##Version 1.3.0
This version fixes a number of bugs and issues and adds new functions and other
improvements. The [GitHub 1.3milestone](https://github.com/docker/docker/issues?q=milestone%3A1.3.0+) has
more detailed information. Major additions and changes include:
###New Features
*New command: `docker exec`*
The new `docker exec` command lets you run a process in an existing, active
container. The command has APIs for both the daemon and the client. With `docker
exec`, you'll be able to do things like add or remove devices from running
containers, debug running containers, and run commands that are not part of the
container's static specification. Details in the [command line reference](/reference/commandline/cli/#exec).
*New command: `docker create`*
Traditionally, the `docker run` command has been used to both create a container
and spawn a process to run it. The new `docker create` command breaks this
apart, letting you set up a container without actually starting it. This
provides more control over management of the container lifecycle, giving you the
ability to configure things like volumes or port mappings before the container
is started. For example, in a rapid-response scaling situation, you could use
`create` to prepare and stage ten containers in anticipation of heavy loads.
Details in the [command line reference](/reference/commandline/cli/#create).
*Tech preview of new provenance features*
This release offers a sneak peek at new image signing capabilities that are
currently under development. Soon, these capabilities will allow any image
author to sign their images to certify they have not been tampered with. For
this release, Official images are now signed by Docker, Inc. Not only does this
demonstrate the new functionality, we hope it will improve your confidence in
the security of Official images. Look for the blue ribbons denoting signed
images on the [Docker Hub](https://hub.docker.com/). The Docker Engine has been
updated to automatically verify that a given Official Repo has a current, valid
signature. When pulling a signed image, you'll see a message stating `the image
you are pulling has been verified`. If no valid signature is detected, Docker
Engine will fall back to pulling a regular, unsigned image.
###Other improvements & changes*
* We've added a new security options flag to the `docker run` command,
`--security-opt`, that lets you set SELinux and AppArmor labels and profiles.
This means you'll no longer have to use `docker run --privileged` on kernels
that support SE Linux or AppArmor. For more information, see the [command line
reference](/reference/commandline/cli/#run).
* A new flag, `--add-host`, has been added to `docker run` that lets you add
lines to `/etc/hosts`. This allows you to specify different name resolution for
the container than it would get via DNS. For more information, see the [command
line reference](/reference/commandline/cli/#run).
* You can now set a `DOCKER_TLS_VERIFY` environment variable to secure
connections by default (rather than having to pass the `--tlsverify` flag on
every call). For more information, see the [https guide](/articles/https).
* Three security issues have been addressed in this release: [CVE-2014-5280,
CVE-2014-5270, and
CVE-2014-5282](https://groups.google.com/forum/#!msg/docker-announce/aQoVmQlcE0A/smPuBNYf8VwJ).
##Version 1.2.0
This version fixes a number of bugs and issues and adds new functions and other
improvements. These include:
###New Features
*New restart policies*
We added a `--restart flag` to `docker run` to specify a restart policy for your
container. Currently, there are three policies available:
* `no` Do not restart the container if it dies. (default) * `on-failure`
Restart the container if it exits with a non-zero exit code. This can also
accept an optional maximum restart count (e.g. `on-failure:5`). * `always`
Always restart the container no matter what exit code is returned. This
deprecates the `--restart` flag on the Docker daemon.
*New flags for `docker run`: `--cap-add` and `-cap-drop`*
In previous releases, Docker containers could either be given complete
capabilities or they could all follow a whitelist of allowed capabilities while
dropping all others. Further, using `--privileged` would grant all capabilities
inside a container, rather than applying a whitelist. This was not recommended
for production use because its really unsafe; its as if you were directly in
the host.
This release introduces two new flags for `docker run`, `--cap-add` and
`--cap-drop`, that give you fine-grain control over the specific capabilities
you want grant to a particular container.
*New `-device` flag for `docker run`*
Previously, you could only use devices inside your containers by bind mounting
them (with `-v`) in a `--privileged` container. With this release, we introduce
the `--device flag` to `docker run` which lets you use a device without
requiring a privileged container.
*Writable `/etc/hosts`, `/etc/hostname` and `/etc/resolv.conf`*
You can now edit `/etc/hosts`, `/etc/hostname` and `/etc/resolve.conf` in a
running container. This is useful if you need to install BIND or other services
that might override one of those files.
Note, however, that changes to these files are not saved when running `docker
build` and so will not be preserved in the resulting image. The changes will
only “stick” in a running container.
*Docker proxy in a separate process*
The Docker userland proxy that routes outbound traffic to your containers now
has its own separate process (one process per connection). This greatly reduces
the load on the daemon, which increases stability and efficiency.
###Other improvements & changes
* When using `docker rm -f`, Docker now kills the container (instead of stopping
it) before removing it . If you intend to stop the container cleanly, you can
use `docker stop`.
* Added support for IPv6 addresses in `--dns`
* Added search capability in private registries
##Version 1.1.0
###New Features
*`.dockerignore` support*
You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will
ignore files and directories specified in that file when sending the build
context to the daemon. Example:
https://github.com/docker/docker/blob/master/.dockerignore
*Pause containers during commit*
Doing a commit on a running container was not recommended because you could end
up with files in an inconsistent state (for example, if they were being written
during the commit). Containers are now paused when a commit is made to them. You
can disable this feature by doing a `docker commit --pause=false <container_id>`
*Tailing logs*
You can now tail the logs of a container. For example, you can get the last ten
lines of a log by using `docker logs --tail 10 <container_id>`. You can also
follow the logs of a container without having to read the whole log file with
`docker logs --tail 0 -f <container_id>`.
*Allow a tar file as context for docker build*
You can now pass a tar archive to `docker build` as context. This can be used to
automate docker builds, for example: `cat context.tar | docker build -` or
`docker run builder_image | docker build -`
*Bind mounting your whole filesystem in a container*
`/` is now allowed as source of `--volumes`. This means you can bind-mount your
whole system in a container if you need to. For example: `docker run -v
/:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /.
###Other Improvements & Changes
* Port allocation has been improved. In the previous release, Docker could
prevent you from starting a container with previously allocated ports which
seemed to be in use when in fact they were not. This has been fixed.
* A bug in `docker save` was introduced in the last release. The `docker save`
command could produce images with invalid metadata. The command now produces
images with correct metadata.
* Running `docker inspect` in a container now returns which containers it is
linked to.
* Parsing of the `docker commit` flag has improved validation, to better prevent
you from committing an image with a name such as `-m`. Image names with dashes
in them potentially conflict with command line flags.
* The API now has Improved status codes for `start` and `stop`. Trying to start
a running container will now return a 304 error.
* Performance has been improved overall. Starting the daemon is faster than in
previous releases. The daemons performance has also been improved when it is
working with large numbers of images and containers.
* Fixed an issue with white-spaces and multi-lines in Dockerfiles.
##Version 1.1.0
###New Features
*`.dockerignore` support*
You can now add a `.dockerignore` file next to your `Dockerfile` and Docker will
ignore files and directories specified in that file when sending the build
context to the daemon. Example:
https://github.com/dotcloud/docker/blob/master/.dockerignore
*Pause containers during commit*
Doing a commit on a running container was not recommended because you could end
up with files in an inconsistent state (for example, if they were being written
during the commit). Containers are now paused when a commit is made to them. You
can disable this feature by doing a `docker commit --pause=false <container_id>`
*Tailing logs*
You can now tail the logs of a container. For example, you can get the last ten
lines of a log by using `docker logs --tail 10 <container_id>`. You can also
follow the logs of a container without having to read the whole log file with
`docker logs --tail 0 -f <container_id>`.
*Allow a tar file as context for docker build*
You can now pass a tar archive to `docker build` as context. This can be used to
automate docker builds, for example: `cat context.tar | docker build -` or
`docker run builder_image | docker build -`
*Bind mounting your whole filesystem in a container*
`/` is now allowed as source of `--volumes`. This means you can bind-mount your
whole system in a container if you need to. For example: `docker run -v
/:/my_host ubuntu:ro ls /my_host`. However, it is now forbidden to mount to /.
###Other Improvements & Changes
* Port allocation has been improved. In the previous release, Docker could
prevent you from starting a container with previously allocated ports which
seemed to be in use when in fact they were not. This has been fixed.
* A bug in `docker save` was introduced in the last release. The `docker save`
command could produce images with invalid metadata. The command now produces
images with correct metadata.
* Running `docker inspect` in a container now returns which containers it is
linked to.
* Parsing of the `docker commit` flag has improved validation, to better prevent
you from committing an image with a name such as `-m`. Image names with dashes
in them potentially conflict with command line flags.
* The API now has Improved status codes for `start` and `stop`. Trying to start
a running container will now return a 304 error.
* Performance has been improved overall. Starting the daemon is faster than in
previous releases. The daemons performance has also been improved when it is
working with large numbers of images and containers.
* Fixed an issue with white-spaces and multi-lines in Dockerfiles.
##Version 1.0.0
First production-ready release. Prior development history can be found by
searching in [GitHub](https://github.com/docker/docker).

4
graph/pull.go
View file

@ -113,7 +113,9 @@ func (s *TagStore) CmdPull(job *engine.Job) engine.Status {
return job.Error(err)
}
endpoint, err := registry.NewEndpoint(hostname)
secure := registry.IsSecure(hostname, s.insecureRegistries)
endpoint, err := registry.NewEndpoint(hostname, secure)
if err != nil {
return job.Error(err)
}

4
graph/push.go
View file

@ -214,7 +214,9 @@ func (s *TagStore) CmdPush(job *engine.Job) engine.Status {
return job.Error(err)
}
endpoint, err := registry.NewEndpoint(hostname)
secure := registry.IsSecure(hostname, s.insecureRegistries)
endpoint, err := registry.NewEndpoint(hostname, secure)
if err != nil {
return job.Error(err)
}

25
graph/tags.go
View file

@ -23,10 +23,11 @@ var (
)
type TagStore struct {
path string
graph *Graph
mirrors []string
Repositories map[string]Repository
path string
graph *Graph
mirrors []string
insecureRegistries []string
Repositories map[string]Repository
sync.Mutex
// FIXME: move push/pull-related fields
// to a helper type
@ -54,18 +55,20 @@ func (r Repository) Contains(u Repository) bool {
return true
}
func NewTagStore(path string, graph *Graph, mirrors []string) (*TagStore, error) {
func NewTagStore(path string, graph *Graph, mirrors []string, insecureRegistries []string) (*TagStore, error) {
abspath, err := filepath.Abs(path)
if err != nil {
return nil, err
}
store := &TagStore{
path: abspath,
graph: graph,
mirrors: mirrors,
Repositories: make(map[string]Repository),
pullingPool: make(map[string]chan struct{}),
pushingPool: make(map[string]chan struct{}),
path: abspath,
graph: graph,
mirrors: mirrors,
insecureRegistries: insecureRegistries,
Repositories: make(map[string]Repository),
pullingPool: make(map[string]chan struct{}),
pushingPool: make(map[string]chan struct{}),
}
// Load the json file if it exists, otherwise create it.
if err := store.reload(); os.IsNotExist(err) {

2
graph/tags_unit_test.go
View file

@ -53,7 +53,7 @@ func mkTestTagStore(root string, t *testing.T) *TagStore {
if err != nil {
t.Fatal(err)
}
store, err := NewTagStore(path.Join(root, "tags"), graph, nil)
store, err := NewTagStore(path.Join(root, "tags"), graph, nil, nil)
if err != nil {
t.Fatal(err)
}

6
hack/release.sh
View file

@ -270,7 +270,7 @@ EOF
done
# Upload keys
s3cmd sync /.gnupg/ s3://$BUCKET/ubuntu/.gnupg/
s3cmd sync $HOME/.gnupg/ s3://$BUCKET/ubuntu/.gnupg/
gpg --armor --export releasedocker > bundles/$VERSION/ubuntu/gpg
s3cmd --acl-public put bundles/$VERSION/ubuntu/gpg s3://$BUCKET/gpg
@ -355,8 +355,8 @@ release_test() {
setup_gpg() {
# Make sure that we have our keys
mkdir -p /.gnupg/
s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ /.gnupg/ || true
mkdir -p $HOME/.gnupg/
s3cmd sync s3://$BUCKET/ubuntu/.gnupg/ $HOME/.gnupg/ || true
gpg --list-keys releasedocker >/dev/null || {
gpg --gen-key --batch <<EOF
Key-Type: RSA

435
integration-cli/docker_cli_build_test.go
View file

@ -2,6 +2,7 @@ package main
import (
"archive/tar"
"encoding/json"
"fmt"
"io/ioutil"
"os"
@ -15,6 +16,396 @@ import (
"github.com/docker/docker/pkg/archive"
)
func TestBuildShCmdJSONEntrypoint(t *testing.T) {
name := "testbuildshcmdjsonentrypoint"
defer deleteImages(name)
_, err := buildImage(
name,
`
FROM busybox
ENTRYPOINT ["/bin/echo"]
CMD echo test
`,
true)
if err != nil {
t.Fatal(err)
}
out, _, err := runCommandWithOutput(
exec.Command(
dockerBinary,
"run",
name))
if err != nil {
t.Fatal(err)
}
if strings.TrimSpace(out) != "/bin/sh -c echo test" {
t.Fatal("CMD did not contain /bin/sh -c")
}
logDone("build - CMD should always contain /bin/sh -c when specified without JSON")
}
func TestBuildEnvironmentReplacementUser(t *testing.T) {
name := "testbuildenvironmentreplacement"
defer deleteImages(name)
_, err := buildImage(name, `
FROM scratch
ENV user foo
USER ${user}
`, true)
if err != nil {
t.Fatal(err)
}
res, err := inspectFieldJSON(name, "Config.User")
if err != nil {
t.Fatal(err)
}
if res != `"foo"` {
t.Fatal("User foo from environment not in Config.User on image")
}
logDone("build - user environment replacement")
}
func TestBuildEnvironmentReplacementVolume(t *testing.T) {
name := "testbuildenvironmentreplacement"
defer deleteImages(name)
_, err := buildImage(name, `
FROM scratch
ENV volume /quux
VOLUME ${volume}
`, true)
if err != nil {
t.Fatal(err)
}
res, err := inspectFieldJSON(name, "Config.Volumes")
if err != nil {
t.Fatal(err)
}
var volumes map[string]interface{}
if err := json.Unmarshal([]byte(res), &volumes); err != nil {
t.Fatal(err)
}
if _, ok := volumes["/quux"]; !ok {
t.Fatal("Volume /quux from environment not in Config.Volumes on image")
}
logDone("build - volume environment replacement")
}
func TestBuildEnvironmentReplacementExpose(t *testing.T) {
name := "testbuildenvironmentreplacement"
defer deleteImages(name)
_, err := buildImage(name, `
FROM scratch
ENV port 80
EXPOSE ${port}
`, true)
if err != nil {
t.Fatal(err)
}
res, err := inspectFieldJSON(name, "Config.ExposedPorts")
if err != nil {
t.Fatal(err)
}
var exposedPorts map[string]interface{}
if err := json.Unmarshal([]byte(res), &exposedPorts); err != nil {
t.Fatal(err)
}
if _, ok := exposedPorts["80/tcp"]; !ok {
t.Fatal("Exposed port 80 from environment not in Config.ExposedPorts on image")
}
logDone("build - expose environment replacement")
}
func TestBuildEnvironmentReplacementWorkdir(t *testing.T) {
name := "testbuildenvironmentreplacement"
defer deleteImages(name)
_, err := buildImage(name, `
FROM busybox
ENV MYWORKDIR /work
RUN mkdir ${MYWORKDIR}
WORKDIR ${MYWORKDIR}
`, true)
if err != nil {
t.Fatal(err)
}
logDone("build - workdir environment replacement")
}
func TestBuildEnvironmentReplacementAddCopy(t *testing.T) {
name := "testbuildenvironmentreplacement"
defer deleteImages(name)
ctx, err := fakeContext(`
FROM scratch
ENV baz foo
ENV quux bar
ENV dot .
ADD ${baz} ${dot}
COPY ${quux} ${dot}
`,
map[string]string{
"foo": "test1",
"bar": "test2",
})
if err != nil {
t.Fatal(err)
}
if _, err := buildImageFromContext(name, ctx, true); err != nil {
t.Fatal(err)
}
logDone("build - add/copy environment replacement")
}
func TestBuildEnvironmentReplacementEnv(t *testing.T) {
name := "testbuildenvironmentreplacement"
defer deleteImages(name)
_, err := buildImage(name,
`
FROM scratch
ENV foo foo
ENV bar ${foo}
`, true)
if err != nil {
t.Fatal(err)
}
res, err := inspectFieldJSON(name, "Config.Env")
if err != nil {
t.Fatal(err)
}
envResult := []string{}
if err = unmarshalJSON([]byte(res), &envResult); err != nil {
t.Fatal(err)
}
found := false
for _, env := range envResult {
parts := strings.SplitN(env, "=", 2)
if parts[0] == "bar" {
found = true
if parts[1] != "foo" {
t.Fatal("Could not find replaced var for env `bar`: got %q instead of `foo`", parts[1])
}
}
}
if !found {
t.Fatal("Never found the `bar` env variable")
}
logDone("build - env environment replacement")
}
func TestBuildHandleEscapes(t *testing.T) {
name := "testbuildhandleescapes"
defer deleteImages(name)
_, err := buildImage(name,
`
FROM scratch
ENV FOO bar
VOLUME ${FOO}
`, true)
if err != nil {
t.Fatal(err)
}
var result map[string]map[string]struct{}
res, err := inspectFieldJSON(name, "Config.Volumes")
if err != nil {
t.Fatal(err)
}
if err = unmarshalJSON([]byte(res), &result); err != nil {
t.Fatal(err)
}
if _, ok := result["bar"]; !ok {
t.Fatal("Could not find volume bar set from env foo in volumes table")
}
_, err = buildImage(name,
`
FROM scratch
ENV FOO bar
VOLUME \${FOO}
`, true)
if err != nil {
t.Fatal(err)
}
res, err = inspectFieldJSON(name, "Config.Volumes")
if err != nil {
t.Fatal(err)
}
if err = unmarshalJSON([]byte(res), &result); err != nil {
t.Fatal(err)
}
if _, ok := result["${FOO}"]; !ok {
t.Fatal("Could not find volume ${FOO} set from env foo in volumes table")
}
// this test in particular provides *7* backslashes and expects 6 to come back.
// Like above, the first escape is swallowed and the rest are treated as
// literals, this one is just less obvious because of all the character noise.
_, err = buildImage(name,
`
FROM scratch
ENV FOO bar
VOLUME \\\\\\\${FOO}
`, true)
if err != nil {
t.Fatal(err)
}
res, err = inspectFieldJSON(name, "Config.Volumes")
if err != nil {
t.Fatal(err)
}
if err = unmarshalJSON([]byte(res), &result); err != nil {
t.Fatal(err)
}
if _, ok := result[`\\\\\\${FOO}`]; !ok {
t.Fatal(`Could not find volume \\\\\\${FOO} set from env foo in volumes table`)
}
logDone("build - handle escapes")
}
func TestBuildOnBuildLowercase(t *testing.T) {
name := "testbuildonbuildlowercase"
name2 := "testbuildonbuildlowercase2"
defer deleteImages(name, name2)
_, err := buildImage(name,
`
FROM busybox
onbuild run echo quux
`, true)
if err != nil {
t.Fatal(err)
}
_, out, err := buildImageWithOut(name2, fmt.Sprintf(`
FROM %s
`, name), true)
if err != nil {
t.Fatal(err)
}
if !strings.Contains(out, "quux") {
t.Fatalf("Did not receive the expected echo text, got %s", out)
}
if strings.Contains(out, "ONBUILD ONBUILD") {
t.Fatalf("Got an ONBUILD ONBUILD error with no error: got %s", out)
}
logDone("build - handle case-insensitive onbuild statement")
}
func TestBuildEnvEscapes(t *testing.T) {
name := "testbuildenvescapes"
defer deleteAllContainers()
defer deleteImages(name)
_, err := buildImage(name,
`
FROM busybox
ENV TEST foo
CMD echo \$
`,
true)
out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-t", name))
if err != nil {
t.Fatal(err)
}
if strings.TrimSpace(out) != "$" {
t.Fatalf("Env TEST was not overwritten with bar when foo was supplied to dockerfile: was %q", strings.TrimSpace(out))
}
logDone("build - env should handle \\$ properly")
}
func TestBuildEnvOverwrite(t *testing.T) {
name := "testbuildenvoverwrite"
defer deleteAllContainers()
defer deleteImages(name)
_, err := buildImage(name,
`
FROM busybox
ENV TEST foo
CMD echo ${TEST}
`,
true)
if err != nil {
t.Fatal(err)
}
out, _, err := runCommandWithOutput(exec.Command(dockerBinary, "run", "-e", "TEST=bar", "-t", name))
if err != nil {
t.Fatal(err)
}
if strings.TrimSpace(out) != "bar" {
t.Fatalf("Env TEST was not overwritten with bar when foo was supplied to dockerfile: was %q", strings.TrimSpace(out))
}
logDone("build - env should overwrite builder ENV during run")
}
func TestBuildOnBuildForbiddenMaintainerInSourceImage(t *testing.T) {
name := "testbuildonbuildforbiddenmaintainerinsourceimage"
defer deleteImages(name)
@ -1272,6 +1663,49 @@ func TestBuildExpose(t *testing.T) {
logDone("build - expose")
}
func TestBuildEmptyEntrypointInheritance(t *testing.T) {
name := "testbuildentrypointinheritance"
name2 := "testbuildentrypointinheritance2"
defer deleteImages(name, name2)
_, err := buildImage(name,
`FROM busybox
ENTRYPOINT ["/bin/echo"]`,
true)
if err != nil {
t.Fatal(err)
}
res, err := inspectField(name, "Config.Entrypoint")
if err != nil {
t.Fatal(err)
}
expected := "[/bin/echo]"
if res != expected {
t.Fatalf("Entrypoint %s, expected %s", res, expected)
}
_, err = buildImage(name2,
fmt.Sprintf(`FROM %s
ENTRYPOINT []`, name),
true)
if err != nil {
t.Fatal(err)
}
res, err = inspectField(name2, "Config.Entrypoint")
if err != nil {
t.Fatal(err)
}
expected = "[]"
if res != expected {
t.Fatalf("Entrypoint %s, expected %s", res, expected)
}
logDone("build - empty entrypoint inheritance")
}
func TestBuildEmptyEntrypoint(t *testing.T) {
name := "testbuildentrypoint"
defer deleteImages(name)
@ -2328,6 +2762,7 @@ func TestBuildEnvUsage(t *testing.T) {
name := "testbuildenvusage"
defer deleteImages(name)
dockerfile := `FROM busybox
ENV HOME /root
ENV PATH $HOME/bin:$PATH
ENV PATH /tmp:$PATH
RUN [ "$PATH" = "/tmp:$HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ]

10
integration-cli/docker_cli_daemon_test.go
View file

@ -82,3 +82,13 @@ func TestDaemonRestartWithVolumesRefs(t *testing.T) {
logDone("daemon - volume refs are restored")
}
func TestDaemonStartIptablesFalse(t *testing.T) {
d := NewDaemon(t)
if err := d.Start("--iptables=false"); err != nil {
t.Fatalf("we should have been able to start the daemon with passing iptables=false: %v", err)
}
d.Stop()
logDone("daemon - started daemon with iptables=false")
}

66
integration-cli/docker_cli_run_test.go
View file

@ -2,6 +2,7 @@ package main
import (
"bufio"
"bytes"
"fmt"
"io/ioutil"
"net"
@ -2374,3 +2375,68 @@ func TestRunVolumesNotRecreatedOnStart(t *testing.T) {
logDone("run - volumes not recreated on start")
}
func TestRunNoOutputFromPullInStdout(t *testing.T) {
defer deleteAllContainers()
// just run with unknown image
cmd := exec.Command(dockerBinary, "run", "asdfsg")
stdout := bytes.NewBuffer(nil)
cmd.Stdout = stdout
if err := cmd.Run(); err == nil {
t.Fatal("Run with unknown image should fail")
}
if stdout.Len() != 0 {
t.Fatalf("Stdout contains output from pull: %s", stdout)
}
logDone("run - no output from pull in stdout")
}
func TestRunVolumesCleanPaths(t *testing.T) {
defer deleteAllContainers()
if _, err := buildImage("run_volumes_clean_paths",
`FROM busybox
VOLUME /foo/`,
true); err != nil {
t.Fatal(err)
}
defer deleteImages("run_volumes_clean_paths")
cmd := exec.Command(dockerBinary, "run", "-v", "/foo", "-v", "/bar/", "--name", "dark_helmet", "run_volumes_clean_paths")
if out, _, err := runCommandWithOutput(cmd); err != nil {
t.Fatal(err, out)
}
out, err := inspectFieldMap("dark_helmet", "Volumes", "/foo/")
if err != nil {
t.Fatal(err)
}
if out != "<no value>" {
t.Fatalf("Found unexpected volume entry for '/foo/' in volumes\n%q", out)
}
out, err = inspectFieldMap("dark_helmet", "Volumes", "/foo")
if err != nil {
t.Fatal(err)
}
if !strings.Contains(out, volumesStoragePath) {
t.Fatalf("Volume was not defined for /foo\n%q", out)
}
out, err = inspectFieldMap("dark_helmet", "Volumes", "/bar/")
if err != nil {
t.Fatal(err)
}
if out != "<no value>" {
t.Fatalf("Found unexpected volume entry for '/bar/' in volumes\n%q", out)
}
out, err = inspectFieldMap("dark_helmet", "Volumes", "/bar")
if err != nil {
t.Fatal(err)
}
if !strings.Contains(out, volumesStoragePath) {
t.Fatalf("Volume was not defined for /bar\n%q", out)
}
logDone("run - volume paths are cleaned")
}

6
integration-cli/docker_test_vars.go
View file

@ -16,8 +16,10 @@ var (
// the private registry to use for tests
privateRegistryURL = "127.0.0.1:5000"
execDriverPath = "/var/lib/docker/execdriver/native"
volumesConfigPath = "/var/lib/docker/volumes"
dockerBasePath = "/var/lib/docker"
execDriverPath = dockerBasePath + "/execdriver/native"
volumesConfigPath = dockerBasePath + "/volumes"
volumesStoragePath = dockerBasePath + "/vfs/dir"
workingDirectory string
)

10
integration-cli/docker_utils.go
View file

@ -507,6 +507,16 @@ func inspectFieldJSON(name, field string) (string, error) {
return strings.TrimSpace(out), nil
}
func inspectFieldMap(name, path, field string) (string, error) {
format := fmt.Sprintf("{{index .%s %q}}", path, field)
inspectCmd := exec.Command(dockerBinary, "inspect", "-f", format, name)
out, exitCode, err := runCommandWithOutput(inspectCmd)
if err != nil || exitCode != 0 {
return "", fmt.Errorf("failed to inspect %s: %s", name, out)
}
return strings.TrimSpace(out), nil
}
func getIDByName(name string) (string, error) {
return inspectField(name, "Id")
}

47
registry/endpoint.go
View file

@ -2,7 +2,6 @@ package registry
import (
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"net/http"
@ -34,9 +33,9 @@ func scanForApiVersion(hostname string) (string, APIVersion) {
return hostname, DefaultAPIVersion
}
func NewEndpoint(hostname string) (*Endpoint, error) {
func NewEndpoint(hostname string, secure bool) (*Endpoint, error) {
var (
endpoint Endpoint
endpoint = Endpoint{secure: secure}
trimmedHostname string
err error
)
@ -49,14 +48,27 @@ func NewEndpoint(hostname string) (*Endpoint, error) {
return nil, err
}
// Try HTTPS ping to registry
endpoint.URL.Scheme = "https"
if _, err := endpoint.Ping(); err != nil {
log.Debugf("Registry %s does not work (%s), falling back to http", endpoint, err)
// TODO: Check if http fallback is enabled
endpoint.URL.Scheme = "http"
if _, err = endpoint.Ping(); err != nil {
return nil, errors.New("Invalid Registry endpoint: " + err.Error())
//TODO: triggering highland build can be done there without "failing"
if secure {
// If registry is secure and HTTPS failed, show user the error and tell them about `--insecure-registry`
// in case that's what they need. DO NOT accept unknown CA certificates, and DO NOT fallback to HTTP.
return nil, fmt.Errorf("Invalid registry endpoint %s: %v. If this private registry supports only HTTP or HTTPS with an unknown CA certificate, please add `--insecure-registry %s` to the daemon's arguments. In the case of HTTPS, if you have access to the registry's CA certificate, no need for the flag; simply place the CA certificate at /etc/docker/certs.d/%s/ca.crt", endpoint, err, endpoint.URL.Host, endpoint.URL.Host)
}
// If registry is insecure and HTTPS failed, fallback to HTTP.
log.Debugf("Error from registry %q marked as insecure: %v. Insecurely falling back to HTTP", endpoint, err)
endpoint.URL.Scheme = "http"
_, err2 := endpoint.Ping()
if err2 == nil {
return &endpoint, nil
}
return nil, fmt.Errorf("Invalid registry endpoint %q. HTTPS attempt: %v. HTTP attempt: %v", endpoint, err, err2)
}
return &endpoint, nil
@ -65,6 +77,7 @@ func NewEndpoint(hostname string) (*Endpoint, error) {
type Endpoint struct {
URL *url.URL
Version APIVersion
secure bool
}
// Get the formated URL for the root of this registry Endpoint
@ -88,7 +101,7 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
return RegistryInfo{Standalone: false}, err
}
resp, _, err := doRequest(req, nil, ConnectTimeout)
resp, _, err := doRequest(req, nil, ConnectTimeout, e.secure)
if err != nil {
return RegistryInfo{Standalone: false}, err
}
@ -127,3 +140,19 @@ func (e Endpoint) Ping() (RegistryInfo, error) {
log.Debugf("RegistryInfo.Standalone: %t", info.Standalone)
return info, nil
}
// IsSecure returns false if the provided hostname is part of the list of insecure registries.
// Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.
func IsSecure(hostname string, insecureRegistries []string) bool {
if hostname == IndexServerAddress() {
return true
}
for _, h := range insecureRegistries {
if hostname == h {
return false
}
}
return true
}

106
registry/registry.go
View file

@ -14,6 +14,7 @@ import (
"strings"
"time"
"github.com/docker/docker/pkg/log"
"github.com/docker/docker/utils"
)
@ -35,13 +36,21 @@ const (
ConnectTimeout
)
func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType) *http.Client {
tlsConfig := tls.Config{RootCAs: roots}
func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate, timeout TimeoutType, secure bool) *http.Client {
tlsConfig := tls.Config{
RootCAs: roots,
// Avoid fallback to SSL protocols < TLS1.0
MinVersion: tls.VersionTLS10,
}
if cert != nil {
tlsConfig.Certificates = append(tlsConfig.Certificates, *cert)
}
if !secure {
tlsConfig.InsecureSkipVerify = true
}
httpTransport := &http.Transport{
DisableKeepAlives: true,
Proxy: http.ProxyFromEnvironment,
@ -78,69 +87,76 @@ func newClient(jar http.CookieJar, roots *x509.CertPool, cert *tls.Certificate,
}
}
func doRequest(req *http.Request, jar http.CookieJar, timeout TimeoutType) (*http.Response, *http.Client, error) {
hasFile := func(files []os.FileInfo, name string) bool {
for _, f := range files {
if f.Name() == name {
return true
}
}
return false
}
hostDir := path.Join("/etc/docker/certs.d", req.URL.Host)
fs, err := ioutil.ReadDir(hostDir)
if err != nil && !os.IsNotExist(err) {
return nil, nil, err
}
func doRequest(req *http.Request, jar http.CookieJar, timeout TimeoutType, secure bool) (*http.Response, *http.Client, error) {
var (
pool *x509.CertPool
certs []*tls.Certificate
)
for _, f := range fs {
if strings.HasSuffix(f.Name(), ".crt") {
if pool == nil {
pool = x509.NewCertPool()
if secure && req.URL.Scheme == "https" {
hasFile := func(files []os.FileInfo, name string) bool {
for _, f := range files {
if f.Name() == name {
return true
}
}
data, err := ioutil.ReadFile(path.Join(hostDir, f.Name()))
if err != nil {
return nil, nil, err
}
pool.AppendCertsFromPEM(data)
return false
}
if strings.HasSuffix(f.Name(), ".cert") {
certName := f.Name()
keyName := certName[:len(certName)-5] + ".key"
if !hasFile(fs, keyName) {
return nil, nil, fmt.Errorf("Missing key %s for certificate %s", keyName, certName)
}
cert, err := tls.LoadX509KeyPair(path.Join(hostDir, certName), path.Join(hostDir, keyName))
if err != nil {
return nil, nil, err
}
certs = append(certs, &cert)
hostDir := path.Join("/etc/docker/certs.d", req.URL.Host)
log.Debugf("hostDir: %s", hostDir)
fs, err := ioutil.ReadDir(hostDir)
if err != nil && !os.IsNotExist(err) {
return nil, nil, err
}
if strings.HasSuffix(f.Name(), ".key") {
keyName := f.Name()
certName := keyName[:len(keyName)-4] + ".cert"
if !hasFile(fs, certName) {
return nil, nil, fmt.Errorf("Missing certificate %s for key %s", certName, keyName)
for _, f := range fs {
if strings.HasSuffix(f.Name(), ".crt") {
if pool == nil {
pool = x509.NewCertPool()
}
log.Debugf("crt: %s", hostDir+"/"+f.Name())
data, err := ioutil.ReadFile(path.Join(hostDir, f.Name()))
if err != nil {
return nil, nil, err
}
pool.AppendCertsFromPEM(data)
}
if strings.HasSuffix(f.Name(), ".cert") {
certName := f.Name()
keyName := certName[:len(certName)-5] + ".key"
log.Debugf("cert: %s", hostDir+"/"+f.Name())
if !hasFile(fs, keyName) {
return nil, nil, fmt.Errorf("Missing key %s for certificate %s", keyName, certName)
}
cert, err := tls.LoadX509KeyPair(path.Join(hostDir, certName), path.Join(hostDir, keyName))
if err != nil {
return nil, nil, err
}
certs = append(certs, &cert)
}
if strings.HasSuffix(f.Name(), ".key") {
keyName := f.Name()
certName := keyName[:len(keyName)-4] + ".cert"
log.Debugf("key: %s", hostDir+"/"+f.Name())
if !hasFile(fs, certName) {
return nil, nil, fmt.Errorf("Missing certificate %s for key %s", certName, keyName)
}
}
}
}
if len(certs) == 0 {
client := newClient(jar, pool, nil, timeout)
client := newClient(jar, pool, nil, timeout, secure)
res, err := client.Do(req)
if err != nil {
return nil, nil, err
}
return res, client, nil
}
for i, cert := range certs {
client := newClient(jar, pool, cert, timeout)
client := newClient(jar, pool, cert, timeout, secure)
res, err := client.Do(req)
// If this is the last cert, otherwise, continue to next cert if 403 or 5xx
if i == len(certs)-1 || err == nil && res.StatusCode != 403 && res.StatusCode < 500 {

4
registry/registry_test.go
View file

@ -18,7 +18,7 @@ var (
func spawnTestRegistrySession(t *testing.T) *Session {
authConfig := &AuthConfig{}
endpoint, err := NewEndpoint(makeURL("/v1/"))
endpoint, err := NewEndpoint(makeURL("/v1/"), false)
if err != nil {
t.Fatal(err)
}
@ -30,7 +30,7 @@ func spawnTestRegistrySession(t *testing.T) *Session {
}
func TestPingRegistryEndpoint(t *testing.T) {
ep, err := NewEndpoint(makeURL("/v1/"))
ep, err := NewEndpoint(makeURL("/v1/"), false)
if err != nil {
t.Fatal(err)
}

23
registry/service.go
View file

@ -13,12 +13,15 @@ import (
// 'pull': Download images from any registry (TODO)
// 'push': Upload images to any registry (TODO)
type Service struct {
insecureRegistries []string
}
// NewService returns a new instance of Service ready to be
// installed no an engine.
func NewService() *Service {
return &Service{}
func NewService(insecureRegistries []string) *Service {
return &Service{
insecureRegistries: insecureRegistries,
}
}
// Install installs registry capabilities to eng.
@ -32,15 +35,12 @@ func (s *Service) Install(eng *engine.Engine) error {
// and returns OK if authentication was sucessful.
// It can be used to verify the validity of a client's credentials.
func (s *Service) Auth(job *engine.Job) engine.Status {
var (
err error
authConfig = &AuthConfig{}
)
var authConfig = new(AuthConfig)
job.GetenvJson("authConfig", authConfig)
// TODO: this is only done here because auth and registry need to be merged into one pkg
if addr := authConfig.ServerAddress; addr != "" && addr != IndexServerAddress() {
endpoint, err := NewEndpoint(addr)
endpoint, err := NewEndpoint(addr, IsSecure(addr, s.insecureRegistries))
if err != nil {
return job.Error(err)
}
@ -49,11 +49,13 @@ func (s *Service) Auth(job *engine.Job) engine.Status {
}
authConfig.ServerAddress = endpoint.String()
}
status, err := Login(authConfig, HTTPRequestFactory(nil))
if err != nil {
return job.Error(err)
}
job.Printf("%s\n", status)
return engine.StatusOK
}
@ -89,7 +91,10 @@ func (s *Service) Search(job *engine.Job) engine.Status {
if err != nil {
return job.Error(err)
}
endpoint, err := NewEndpoint(hostname)
secure := IsSecure(hostname, s.insecureRegistries)
endpoint, err := NewEndpoint(hostname, secure)
if err != nil {
return job.Error(err)
}

2
registry/session.go
View file

@ -64,7 +64,7 @@ func NewSession(authConfig *AuthConfig, factory *utils.HTTPRequestFactory, endpo
}
func (r *Session) doRequest(req *http.Request) (*http.Response, *http.Client, error) {
return doRequest(req, r.jar, r.timeout)
return doRequest(req, r.jar, r.timeout, r.indexEndpoint.secure)
}
// Retrieve the history of a given image from the Registry.

5
runconfig/merge.go
View file

@ -88,7 +88,10 @@ func Merge(userConf, imageConf *Config) error {
if len(userConf.Cmd) == 0 {
userConf.Cmd = imageConf.Cmd
}
userConf.Entrypoint = imageConf.Entrypoint
if userConf.Entrypoint == nil {
userConf.Entrypoint = imageConf.Entrypoint
}
}
if userConf.WorkingDir == "" {
userConf.WorkingDir = imageConf.WorkingDir

5
volumes/repository.go
View file

@ -55,6 +55,7 @@ func (r *Repository) newVolume(path string, writable bool) (*Volume, error) {
return nil, err
}
}
path = filepath.Clean(path)
path, err = filepath.EvalSymlinks(path)
if err != nil {
@ -126,7 +127,7 @@ func (r *Repository) get(path string) *Volume {
if err != nil {
return nil
}
return r.volumes[path]
return r.volumes[filepath.Clean(path)]
}
func (r *Repository) Add(volume *Volume) error {
@ -160,7 +161,7 @@ func (r *Repository) Delete(path string) error {
if err != nil {
return err
}
volume := r.get(path)
volume := r.get(filepath.Clean(path))
if volume == nil {
return fmt.Errorf("Volume %s does not exist", path)
}