rebase docs

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.5.3 (2013-08-13)
+* Runtime: Use docker group for socket permissions
+- Runtime: Spawn shell within upstart script
+- Builder: Make sure ENV instruction within build perform a commit each time
+- Runtime: Handle ip route showing mask-less IP addresses
+- Runtime: Add hostname to environment
+
 ## 0.5.2 (2013-08-08)
  * Builder: Forbid certain paths within docker build ADD
  - Runtime: Change network range to avoid conflict with EC2 DNS

Dockerfile

@@ -15,6 +15,7 @@ run	cd /tmp && echo 'package main' > t.go && go test -a -i -v
 run	PKG=github.com/kr/pty REV=27435c699;		 git clone http://$PKG /go/src/$PKG && cd /go/src/$PKG && git checkout -f $REV
 run	PKG=github.com/gorilla/context/ REV=708054d61e5; git clone http://$PKG /go/src/$PKG && cd /go/src/$PKG && git checkout -f $REV
 run	PKG=github.com/gorilla/mux/ REV=9b36453141c;	 git clone http://$PKG /go/src/$PKG && cd /go/src/$PKG && git checkout -f $REV
+run	PKG=github.com/dotcloud/tar/ REV=d06045a6d9;	 git clone http://$PKG /go/src/$PKG && cd /go/src/$PKG && git checkout -f $REV
 # Run dependencies
 run	apt-get install -y iptables
 # lxc requires updating ubuntu sources
@@ -22,6 +23,9 @@ run	echo 'deb http://archive.ubuntu.com/ubuntu precise main universe' > /etc/apt
 run	apt-get update
 run	apt-get install -y lxc
 run	apt-get install -y aufs-tools
+# Docker requires code.google.com/p/go.net/websocket
+run	apt-get install -y -q mercurial
+run	PKG=code.google.com/p/go.net REV=78ad7f42aa2e;	 hg clone https://$PKG /go/src/$PKG && cd /go/src/$PKG && hg checkout -r $REV
 # Upload docker source
 add	.       /go/src/github.com/dotcloud/docker
 # Build the binary

README.md

@@ -147,7 +147,7 @@ Quick install on Ubuntu 12.04 and 12.10
 ---------------------------------------
 
 ```bash
-curl get.docker.io | sudo sh -x
+curl https://get.docker.io | sudo sh -x
 ```
 
 Binary installs
@@ -166,8 +166,12 @@ supported.
 Installing from source
 ----------------------
 
-1. Make sure you have a [Go language](http://golang.org/doc/install)
-compiler >= 1.1 and [git](http://git-scm.com) installed.
+1. Install Dependencies
+    * [Go language 1.1.x](http://golang.org/doc/install)
+    * [git](http://git-scm.com)
+    * [lxc](http://lxc.sourceforge.net)
+    * [aufs-tools](http://aufs.sourceforge.net)
+
 2. Checkout the source code
 
    ```bash

api_test.go

@@ -97,8 +97,8 @@ func TestGetEvents(t *testing.T) {
 		listeners: make(map[string]chan utils.JSONMessage),
 	}
 
-	srv.LogEvent("fakeaction", "fakeid")
-	srv.LogEvent("fakeaction2", "fakeid")
+	srv.LogEvent("fakeaction", "fakeid", "fakeimage")
+	srv.LogEvent("fakeaction2", "fakeid", "fakeimage")
 
 	req, err := http.NewRequest("GET", "/events?since=1", nil)
 	if err != nil {

auth/auth.go

@@ -80,7 +80,7 @@ func LoadConfig(rootPath string) (*ConfigFile, error) {
 	}
 	b, err := ioutil.ReadFile(confFile)
 	if err != nil {
-		return nil, err
+		return &configFile, err
 	}
 
 	if err := json.Unmarshal(b, &configFile.Configs); err != nil {

buildfile.go

@@ -227,6 +227,11 @@ func (b *buildFile) CmdEntrypoint(args string) error {
 	return nil
 }
 
+func (b *buildFile) CmdWorkdir(workdir string) error {
+	b.config.WorkingDir = workdir
+	return b.commit("", b.config.Cmd, fmt.Sprintf("WORKDIR %v", workdir))
+}
+
 func (b *buildFile) CmdVolume(args string) error {
 	if args == "" {
 		return fmt.Errorf("Volume cannot be empty")

commands.go

@@ -27,7 +27,7 @@ import (
 	"unicode"
 )
 
-const VERSION = "0.5.2-dev"
+const VERSION = "0.5.3-dev"
 
 var (
 	GITCOMMIT string
@@ -857,10 +857,12 @@ func (cli *DockerCli) CmdPush(args ...string) error {
 	}
 
 	if err := push(); err != nil {
-		if err == fmt.Errorf("Authentication is required.") {
-			if err = cli.checkIfLogged("push"); err == nil {
-				return push()
+		if err.Error() == "Authentication is required." {
+			fmt.Fprintln(cli.out, "\nPlease login prior to push:")
+			if err := cli.CmdLogin(""); err != nil {
+				return err
 			}
+			return push()
 		}
 		return err
 	}
@@ -1400,6 +1402,13 @@ func (cli *DockerCli) CmdRun(args ...string) error {
 	body, statusCode, err := cli.call("POST", "/containers/create", config)
 	//if image not found try to pull it
 	if statusCode == 404 {
+		_, tag := utils.ParseRepositoryTag(config.Image)
+		if tag == "" {
+			tag = DEFAULTTAG
+		}
+
+		fmt.Printf("Unable to find image '%s' (tag: %s) locally\n", config.Image, tag)
+
 		v := url.Values{}
 		repos, tag := utils.ParseRepositoryTag(config.Image)
 		v.Set("fromImage", repos)
@@ -1469,6 +1478,17 @@ func (cli *DockerCli) CmdRun(args ...string) error {
 			v.Set("stderr", "1")
 		}
 
+		signals := make(chan os.Signal, 1)
+		signal.Notify(signals, syscall.SIGINT, syscall.SIGTERM)
+		go func() {
+			for sig := range signals {
+				fmt.Printf("\nReceived signal: %s; cleaning up\n", sig)
+				if err := cli.CmdStop("-t", "4", runResult.ID); err != nil {
+					fmt.Printf("failed to stop container: %v", err)
+				}
+			}
+		}()
+
 		if err := cli.hijack("POST", "/containers/"+runResult.ID+"/attach?"+v.Encode(), config.Tty, cli.in, cli.out); err != nil {
 			utils.Debugf("Error hijack: %s", err)
 			return err
@@ -1512,19 +1532,6 @@ func (cli *DockerCli) CmdCp(args ...string) error {
 	return nil
 }
 
-func (cli *DockerCli) checkIfLogged(action string) error {
-	// If condition AND the login failed
-	if cli.configFile.Configs[auth.IndexServerAddress()].Username == "" {
-		if err := cli.CmdLogin(""); err != nil {
-			return err
-		}
-		if cli.configFile.Configs[auth.IndexServerAddress()].Username == "" {
-			return fmt.Errorf("Please login prior to %s. ('docker login')", action)
-		}
-	}
-	return nil
-}
-
 func (cli *DockerCli) call(method, path string, data interface{}) ([]byte, int, error) {
 	var params io.Reader
 	if data != nil {
@@ -1548,6 +1555,9 @@ func (cli *DockerCli) call(method, path string, data interface{}) ([]byte, int,
 	}
 	dial, err := net.Dial(cli.proto, cli.addr)
 	if err != nil {
+		if strings.Contains(err.Error(), "connection refused") {
+			return nil, -1, fmt.Errorf("Can't connect to docker daemon. Is 'docker -d' running on this host?")
+		}
 		return nil, -1, err
 	}
 	clientconn := httputil.NewClientConn(dial, nil)
@@ -1588,6 +1598,9 @@ func (cli *DockerCli) stream(method, path string, in io.Reader, out io.Writer) e
 	}
 	dial, err := net.Dial(cli.proto, cli.addr)
 	if err != nil {
+		if strings.Contains(err.Error(), "connection refused") {
+			return fmt.Errorf("Can't connect to docker daemon. Is 'docker -d' running on this host?")
+		}
 		return err
 	}
 	clientconn := httputil.NewClientConn(dial, nil)
@@ -1634,6 +1647,9 @@ func (cli *DockerCli) hijack(method, path string, setRawTerminal bool, in io.Rea
 
 	dial, err := net.Dial(cli.proto, cli.addr)
 	if err != nil {
+		if strings.Contains(err.Error(), "connection refused") {
+			return fmt.Errorf("Can't connect to docker daemon. Is 'docker -d' running on this host?")
+		}
 		return err
 	}
 	clientconn := httputil.NewClientConn(dial, nil)
@@ -1762,7 +1778,10 @@ func NewDockerCli(in io.ReadCloser, out, err io.Writer, proto, addr string) *Doc
 		err = out
 	}
 
-	configFile, _ := auth.LoadConfig(os.Getenv("HOME"))
+	configFile, e := auth.LoadConfig(os.Getenv("HOME"))
+	if e != nil {
+		fmt.Fprintf(err, "WARNING: %s\n", e)
+	}
 	return &DockerCli{
 		proto:      proto,
 		addr:       addr,

commands_test.go

@@ -90,6 +90,69 @@ func TestRunHostname(t *testing.T) {
 
 }
 
+// TestRunWorkdir checks that 'docker run -w' correctly sets a custom working directory
+func TestRunWorkdir(t *testing.T) {
+	stdout, stdoutPipe := io.Pipe()
+
+	cli := NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)
+	defer cleanup(globalRuntime)
+
+	c := make(chan struct{})
+	go func() {
+		defer close(c)
+		if err := cli.CmdRun("-w", "/foo/bar", unitTestImageID, "pwd"); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	setTimeout(t, "Reading command output time out", 2*time.Second, func() {
+		cmdOutput, err := bufio.NewReader(stdout).ReadString('\n')
+		if err != nil {
+			t.Fatal(err)
+		}
+		if cmdOutput != "/foo/bar\n" {
+			t.Fatalf("'pwd' should display '%s', not '%s'", "/foo/bar\n", cmdOutput)
+		}
+	})
+
+	setTimeout(t, "CmdRun timed out", 5*time.Second, func() {
+		<-c
+	})
+
+}
+
+// TestRunWorkdirExists checks that 'docker run -w' correctly sets a custom working directory, even if it exists
+func TestRunWorkdirExists(t *testing.T) {
+	stdout, stdoutPipe := io.Pipe()
+
+	cli := NewDockerCli(nil, stdoutPipe, ioutil.Discard, testDaemonProto, testDaemonAddr)
+	defer cleanup(globalRuntime)
+
+	c := make(chan struct{})
+	go func() {
+		defer close(c)
+		if err := cli.CmdRun("-w", "/proc", unitTestImageID, "pwd"); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	setTimeout(t, "Reading command output time out", 2*time.Second, func() {
+		cmdOutput, err := bufio.NewReader(stdout).ReadString('\n')
+		if err != nil {
+			t.Fatal(err)
+		}
+		if cmdOutput != "/proc\n" {
+			t.Fatalf("'pwd' should display '%s', not '%s'", "/proc\n", cmdOutput)
+		}
+	})
+
+	setTimeout(t, "CmdRun timed out", 5*time.Second, func() {
+		<-c
+	})
+
+}
+
+
 func TestRunExit(t *testing.T) {
 	stdin, stdinPipe := io.Pipe()
 	stdout, stdoutPipe := io.Pipe()

container.go

@@ -2,6 +2,7 @@ package docker
 
 import (
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"github.com/dotcloud/docker/term"
@@ -76,8 +77,10 @@ type Config struct {
 	Image           string // Name of the image as it was passed by the operator (eg. could be symbolic)
 	Volumes         map[string]struct{}
 	VolumesFrom     string
+	WorkingDir      string
 	Entrypoint      []string
 	NetworkDisabled bool
+	Privileged      bool
 }
 
 type HostConfig struct {
@@ -91,6 +94,10 @@ type BindMap struct {
 	Mode    string
 }
 
+var (
+	ErrInvaidWorikingDirectory = errors.New("The working directory is invalid. It needs to be an absolute path.")
+)
+
 func ParseRun(args []string, capabilities *Capabilities) (*Config, *HostConfig, *flag.FlagSet, error) {
 	cmd := Subcmd("run", "[OPTIONS] IMAGE [COMMAND] [ARG...]", "Run a command in a new container")
 	if len(args) > 0 && args[0] != "--help" {
@@ -99,6 +106,7 @@ func ParseRun(args []string, capabilities *Capabilities) (*Config, *HostConfig,
 	}
 
 	flHostname := cmd.String("h", "", "Container host name")
+	flWorkingDir := cmd.String("w", "", "Working directory inside the container")
 	flUser := cmd.String("u", "", "Username or UID")
 	flDetach := cmd.Bool("d", false, "Detached mode: Run container in the background, print new container id")
 	flAttach := NewAttachOpts()
@@ -108,6 +116,7 @@ func ParseRun(args []string, capabilities *Capabilities) (*Config, *HostConfig,
 	flMemory := cmd.Int64("m", 0, "Memory limit (in bytes)")
 	flContainerIDFile := cmd.String("cidfile", "", "Write the container ID to the file")
 	flNetwork := cmd.Bool("n", true, "Enable networking for this container")
+	flPrivileged := cmd.Bool("privileged", false, "Give extended privileges to this container")
 
 	if capabilities != nil && *flMemory > 0 && !capabilities.MemoryLimit {
 		//fmt.Fprintf(stdout, "WARNING: Your kernel does not support memory limit capabilities. Limitation discarded.\n")
@@ -137,6 +146,9 @@ func ParseRun(args []string, capabilities *Capabilities) (*Config, *HostConfig,
 	if *flDetach && len(flAttach) > 0 {
 		return nil, nil, cmd, fmt.Errorf("Conflicting options: -a and -d")
 	}
+	if *flWorkingDir != "" && !path.IsAbs(*flWorkingDir) {
+		return nil, nil, cmd, ErrInvaidWorikingDirectory
+	}
 	// If neither -d or -a are set, attach to everything by default
 	if len(flAttach) == 0 && !*flDetach {
 		if !*flDetach {
@@ -194,6 +206,8 @@ func ParseRun(args []string, capabilities *Capabilities) (*Config, *HostConfig,
 		Volumes:         flVolumes,
 		VolumesFrom:     *flVolumesFrom,
 		Entrypoint:      entrypoint,
+		Privileged:      *flPrivileged,
+		WorkingDir:      *flWorkingDir,
 	}
 	hostConfig := &HostConfig{
 		Binds:           binds,
@@ -574,40 +588,12 @@ func (container *Container) Start(hostConfig *HostConfig) error {
 		binds[path.Clean(dst)] = bindMap
 	}
 
-	// FIXME: evaluate volumes-from before individual volumes, so that the latter can override the former.
-	// Create the requested volumes volumes
 	if container.Volumes == nil || len(container.Volumes) == 0 {
 		container.Volumes = make(map[string]string)
 		container.VolumesRW = make(map[string]bool)
-
-		for volPath := range container.Config.Volumes {
-			volPath = path.Clean(volPath)
-			// If an external bind is defined for this volume, use that as a source
-			if bindMap, exists := binds[volPath]; exists {
-				container.Volumes[volPath] = bindMap.SrcPath
-				if strings.ToLower(bindMap.Mode) == "rw" {
-					container.VolumesRW[volPath] = true
-				}
-				// Otherwise create an directory in $ROOT/volumes/ and use that
-			} else {
-				c, err := container.runtime.volumes.Create(nil, container, "", "", nil)
-				if err != nil {
-					return err
-				}
-				srcPath, err := c.layer()
-				if err != nil {
-					return err
-				}
-				container.Volumes[volPath] = srcPath
-				container.VolumesRW[volPath] = true // RW by default
-			}
-			// Create the mountpoint
-			if err := os.MkdirAll(path.Join(container.RootfsPath(), volPath), 0755); err != nil {
-				return nil
-			}
-		}
 	}
 
+	// Apply volumes from another container if requested
 	if container.Config.VolumesFrom != "" {
 		c := container.runtime.Get(container.Config.VolumesFrom)
 		if c == nil {
@@ -615,7 +601,7 @@ func (container *Container) Start(hostConfig *HostConfig) error {
 		}
 		for volPath, id := range c.Volumes {
 			if _, exists := container.Volumes[volPath]; exists {
-				return fmt.Errorf("The requested volume %s overlap one of the volume of the container %s", volPath, c.ID)
+				continue
 			}
 			if err := os.MkdirAll(path.Join(container.RootfsPath(), volPath), 0755); err != nil {
 				return nil
@@ -627,6 +613,38 @@ func (container *Container) Start(hostConfig *HostConfig) error {
 		}
 	}
 
+	// Create the requested volumes if they don't exist
+	for volPath := range container.Config.Volumes {
+		volPath = path.Clean(volPath)
+		// Skip existing volumes
+		if _, exists := container.Volumes[volPath]; exists {
+			continue
+		}
+		// If an external bind is defined for this volume, use that as a source
+		if bindMap, exists := binds[volPath]; exists {
+			container.Volumes[volPath] = bindMap.SrcPath
+			if strings.ToLower(bindMap.Mode) == "rw" {
+				container.VolumesRW[volPath] = true
+			}
+			// Otherwise create an directory in $ROOT/volumes/ and use that
+		} else {
+			c, err := container.runtime.volumes.Create(nil, container, "", "", nil)
+			if err != nil {
+				return err
+			}
+			srcPath, err := c.layer()
+			if err != nil {
+				return err
+			}
+			container.Volumes[volPath] = srcPath
+			container.VolumesRW[volPath] = true // RW by default
+		}
+		// Create the mountpoint
+		if err := os.MkdirAll(path.Join(container.RootfsPath(), volPath), 0755); err != nil {
+			return nil
+		}
+	}
+
 	if err := container.generateLXCConfig(); err != nil {
 		return err
 	}
@@ -659,6 +677,18 @@ func (container *Container) Start(hostConfig *HostConfig) error {
 		"-e", "container=lxc",
 		"-e", "HOSTNAME="+container.Config.Hostname,
 	)
+	if container.Config.WorkingDir != "" {
+		workingDir := path.Clean(container.Config.WorkingDir)
+		utils.Debugf("[working dir] working dir is %s", workingDir)
+
+		if err := os.MkdirAll(path.Join(container.RootfsPath(), workingDir), 0755); err != nil {
+			return nil
+		}
+
+		params = append(params,
+			"-w", workingDir,
+		)
+	}
 
 	for _, elem := range container.Config.Env {
 		params = append(params, "-e", elem)
@@ -813,7 +843,7 @@ func (container *Container) monitor() {
 	}
 	utils.Debugf("Process finished")
 	if container.runtime != nil && container.runtime.srv != nil {
-		container.runtime.srv.LogEvent("die", container.ShortID())
+		container.runtime.srv.LogEvent("die", container.ShortID(), container.runtime.repositories.ImageName(container.Image))
 	}
 	exitCode := -1
 	if container.cmd != nil {

container_test.go

@@ -1283,6 +1283,71 @@ func TestRestartWithVolumes(t *testing.T) {
 	}
 }
 
+// Test for #1351
+func TestVolumesFromWithVolumes(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+
+	container, err := NewBuilder(runtime).Create(&Config{
+		Image:   GetTestImage(runtime).ID,
+		Cmd:     []string{"sh", "-c", "echo -n bar > /test/foo"},
+		Volumes: map[string]struct{}{"/test": {}},
+	},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer runtime.Destroy(container)
+
+	for key := range container.Config.Volumes {
+		if key != "/test" {
+			t.Fail()
+		}
+	}
+
+	_, err = container.Output()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expected := container.Volumes["/test"]
+	if expected == "" {
+		t.Fail()
+	}
+
+	container2, err := NewBuilder(runtime).Create(
+		&Config{
+			Image:       GetTestImage(runtime).ID,
+			Cmd:         []string{"cat", "/test/foo"},
+			VolumesFrom: container.ID,
+			Volumes:     map[string]struct{}{"/test": {}},
+		},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer runtime.Destroy(container2)
+
+	output, err := container2.Output()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if string(output) != "bar" {
+		t.Fail()
+	}
+
+	if container.Volumes["/test"] != container2.Volumes["/test"] {
+		t.Fail()
+	}
+
+	// Ensure it restarts successfully
+	_, err = container2.Output()
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestOnlyLoopbackExistsWhenUsingDisableNetworkOption(t *testing.T) {
 	runtime := mkRuntime(t)
 	defer nuke(runtime)
@@ -1320,3 +1385,35 @@ func TestOnlyLoopbackExistsWhenUsingDisableNetworkOption(t *testing.T) {
 	}
 
 }
+
+func TestPrivilegedCanMknod(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+	if output, _ := runContainer(runtime, []string{"-privileged", "_", "sh", "-c", "mknod /tmp/sda b 8 0 && echo ok"}, t); output != "ok\n" {
+		t.Fatal("Could not mknod into privileged container")
+	}
+}
+
+func TestPrivilegedCanMount(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+	if output, _ := runContainer(runtime, []string{"-privileged", "_", "sh", "-c", "mount -t tmpfs none /tmp && echo ok"}, t); output != "ok\n" {
+		t.Fatal("Could not mount into privileged container")
+	}
+}
+
+func TestPrivilegedCannotMknod(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+	if output, _ := runContainer(runtime, []string{"_", "sh", "-c", "mknod /tmp/sda b 8 0 || echo ok"}, t); output != "ok\n" {
+		t.Fatal("Could mknod into secure container")
+	}
+}
+
+func TestPrivilegedCannotMount(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+	if output, _ := runContainer(runtime, []string{"_", "sh", "-c", "mount -t tmpfs none /tmp || echo ok"}, t); output != "ok\n" {
+		t.Fatal("Could mount into secure container")
+	}
+}

contrib/brew/brew/brew.py

@@ -14,6 +14,7 @@ logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s',
                     level='INFO')
 client = docker.Client()
 processed = {}
+processed_folders = []
 
 
 def build_library(repository=None, branch=None, namespace=None, push=False,
@@ -31,19 +32,34 @@ def build_library(repository=None, branch=None, namespace=None, push=False,
         logger.info('Repository provided assumed to be a local path')
         dst_folder = repository
 
+    try:
+        client.version()
+    except Exception as e:
+        logger.error('Could not reach the docker daemon. Please make sure it '
+            'is running.')
+        logger.warning('Also make sure you have access to the docker UNIX '
+            'socket (use sudo)')
+        return
+
     #FIXME: set destination folder and only pull latest changes instead of
     # cloning the whole repo everytime
     if not dst_folder:
         logger.info('Cloning docker repo from {0}, branch: {1}'.format(
             repository, branch))
         try:
-            dst_folder = git.clone_branch(repository, branch)
+            rep, dst_folder = git.clone_branch(repository, branch)
         except Exception as e:
             logger.exception(e)
             logger.error('Source repository could not be fetched. Check '
                 'that the address is correct and the branch exists.')
             return
-    for buildfile in os.listdir(os.path.join(dst_folder, 'library')):
+    try:
+        dirlist = os.listdir(os.path.join(dst_folder, 'library'))
+    except OSError as e:
+        logger.error('The path provided ({0}) could not be found or didn\'t'
+            'contain a library/ folder.'.format(dst_folder))
+        return
+    for buildfile in dirlist:
         if buildfile == 'MAINTAINERS':
             continue
         f = open(os.path.join(dst_folder, 'library', buildfile))
@@ -92,20 +108,27 @@ def build_library(repository=None, branch=None, namespace=None, push=False,
         f.close()
     if dst_folder != repository:
         rmtree(dst_folder, True)
+    for d in processed_folders:
+        rmtree(d, True)
     summary.print_summary(logger)
 
 
 def build_repo(repository, ref, docker_repo, docker_tag, namespace, push, registry):
     docker_repo = '{0}/{1}'.format(namespace or 'library', docker_repo)
     img_id = None
+    dst_folder = None
     if '{0}@{1}'.format(repository, ref) not in processed.keys():
         logger.info('Cloning {0} (ref: {1})'.format(repository, ref))
-        dst_folder = git.clone(repository, ref)
+        if repository not in processed:
+            rep, dst_folder = git.clone(repository, ref)
+            processed[repository] = rep
+            processed_folders.append(dst_folder)
+        else:
+            dst_folder = git.checkout(processed[repository], ref)
         if not 'Dockerfile' in os.listdir(dst_folder):
             raise RuntimeError('Dockerfile not found in cloned repository')
         logger.info('Building using dockerfile...')
         img_id, logs = client.build(path=dst_folder, quiet=True)
-        rmtree(dst_folder, True)
     else:
         img_id = processed['{0}@{1}'.format(repository, ref)]
     logger.info('Committing to {0}:{1}'.format(docker_repo,
@@ -159,4 +182,4 @@ class Summary(object):
         if logger:
             logger.info(s + success + details)
         else:
-            print s, success, details
+            print s, success, details

contrib/brew/brew/git.py

@@ -16,6 +16,21 @@ def clone_tag(repo_url, tag, folder=None):
     return clone(repo_url, 'refs/tags/' + tag, folder)
 
 
+def checkout(rep, ref=None):
+    is_commit = False
+    if ref is None:
+        ref = 'refs/heads/master'
+    elif not ref.startswith('refs/'):
+        is_commit = True
+    if is_commit:
+        rep['HEAD'] = rep.commit(ref)
+    else:
+        rep['HEAD'] = rep.refs[ref]
+    indexfile = rep.index_path()
+    tree = rep["HEAD"].tree
+    index.build_index_from_tree(rep.path, indexfile, rep.object_store, tree)
+    return rep.path
+
 def clone(repo_url, ref=None, folder=None):
     is_commit = False
     if ref is None:
@@ -45,4 +60,4 @@ def clone(repo_url, ref=None, folder=None):
     tree = rep["HEAD"].tree
     index.build_index_from_tree(rep.path, indexfile, rep.object_store, tree)
     logger.debug("done")
-    return folder
+    return rep, folder

contrib/brew/requirements.txt

@@ -1,2 +1,2 @@
 dulwich==0.9.0
-docker-py==0.1.3
+-e git://github.com/dotcloud/docker-py.git#egg=docker-py

contrib/docker.bash

@@ -22,13 +22,27 @@
 # must have access to the socket for the completions to function correctly
 
 have docker && {
-__docker_containers()
+__docker_containers_all()
 {
 	local containers
 	containers="$( docker ps -a -q )"
 	COMPREPLY=( $( compgen -W "$containers" -- "$cur" ) )
 }
 
+__docker_containers_running()
+{
+	local containers
+	containers="$( docker ps -q )"
+	COMPREPLY=( $( compgen -W "$containers" -- "$cur" ) )
+}
+
+__docker_containers_stopped()
+{
+	local containers
+	containers="$( comm -13 <(docker ps -q | sort -u) <(docker ps -a -q | sort -u) )"
+	COMPREPLY=( $( compgen -W "$containers" -- "$cur" ) )
+}
+
 __docker_image_repos()
 {
 	local repos
@@ -85,7 +99,7 @@ _docker_docker()
 _docker_attach()
 {
 	if [ $cpos -eq $cword ]; then
-		__docker_containers
+		__docker_containers_running
 	fi
 }
 
@@ -124,7 +138,7 @@ _docker_commit()
 			COMPREPLY=( $( compgen -W "-author -m -run" -- "$cur" ) )
 			;;
 		*)
-			__docker_containers
+			__docker_containers_all
 			;;
 	esac
 }
@@ -132,7 +146,7 @@ _docker_commit()
 _docker_diff()
 {
 	if [ $cpos -eq $cword ]; then
-		__docker_containers
+		__docker_containers_all
 	fi
 }
 
@@ -144,7 +158,7 @@ _docker_events()
 _docker_export()
 {
 	if [ $cpos -eq $cword ]; then
-		__docker_containers
+		__docker_containers_all
 	fi
 }
 
@@ -212,7 +226,7 @@ _docker_inspect()
 
 _docker_kill()
 {
-	__docker_containers
+	__docker_containers_running
 }
 
 _docker_login()
@@ -223,14 +237,14 @@ _docker_login()
 _docker_logs()
 {
 	if [ $cpos -eq $cword ]; then
-		__docker_containers
+		__docker_containers_all
 	fi
 }
 
 _docker_port()
 {
 	if [ $cpos -eq $cword ]; then
-		__docker_containers
+		__docker_containers_all
 	fi
 }
 
@@ -264,7 +278,7 @@ _docker_restart()
 			COMPREPLY=( $( compgen -W "-t" -- "$cur" ) )
 			;;
 		*)
-			__docker_containers
+			__docker_containers_all
 			;;
 	esac
 }
@@ -276,7 +290,7 @@ _docker_rm()
 			COMPREPLY=( $( compgen -W "-v" -- "$cur" ) )
 			;;
 		*)
-			__docker_containers
+			__docker_containers_stopped
 			;;
 	esac
 }
@@ -293,7 +307,7 @@ _docker_run()
 			_filedir
 			;;
 		-volumes-from)
-			__docker_containers
+			__docker_containers_all
 			;;
 		-a|-c|-dns|-e|-entrypoint|-h|-m|-p|-u|-v)
 			return
@@ -343,7 +357,7 @@ _docker_search()
 
 _docker_start()
 {
-	__docker_containers
+	__docker_containers_stopped
 }
 
 _docker_stop()
@@ -361,7 +375,7 @@ _docker_stop()
 			COMPREPLY=( $( compgen -W "-t" -- "$cur" ) )
 			;;
 		*)
-			__docker_containers
+			__docker_containers_running
 			;;
 	esac
 }
@@ -374,7 +388,7 @@ _docker_tag()
 _docker_top()
 {
 	if [ $cpos -eq $cword ]; then
-		__docker_containers
+		__docker_containers_running
 	fi
 }
 
@@ -385,7 +399,7 @@ _docker_version()
 
 _docker_wait()
 {
-	__docker_containers
+	__docker_containers_all
 }
 
 _docker()

docs/sources/api/docker_remote_api.rst

@@ -16,6 +16,7 @@ Docker Remote API
 
 - The Remote API is replacing rcli
 - By default the Docker daemon listens on unix:///var/run/docker.sock and the client must have root access to interact with the daemon
+- If a group named *docker* exists on your system, docker will apply ownership of the socket to the group
 - The API tends to be REST, but for some complex commands, like attach
   or pull, the HTTP connection is hijacked to transport stdout stdin
   and stderr
@@ -48,6 +49,10 @@ What's new
 
    **New!** You can now use ps args with docker top, like `docker top <container_id> aux`
 
+.. http:get:: /events:
+
+   **New!** Image's name added in the events
+
 :doc:`docker_remote_api_v1.3`
 *****************************
 

docs/sources/api/docker_remote_api_v1.4.rst

@@ -129,7 +129,9 @@ Create a container
 		"Dns":null,
 		"Image":"base",
 		"Volumes":{},
-		"VolumesFrom":""
+		"VolumesFrom":"",
+		"WorkingDir":""
+
 	   }
 	   
 	**Example response**:
@@ -195,7 +197,9 @@ Inspect a container
 				"Dns": null,
 				"Image": "base",
 				"Volumes": {},
-				"VolumesFrom": ""
+				"VolumesFrom": "",
+				"WorkingDir":""
+
 			},
 			"State": {
 				"Running": false,
@@ -746,7 +750,8 @@ Inspect an image
 				,"Dns":null,
 				"Image":"base",
 				"Volumes":null,
-				"VolumesFrom":""
+				"VolumesFrom":"",
+				"WorkingDir":""
 			},
 		"Size": 6824592
 	   }
@@ -1095,6 +1100,37 @@ Create a new image from a container's changes
 	:statuscode 404: no such container
         :statuscode 500: server error
 
+
+Monitor Docker's events
+***********************
+
+.. http:get:: /events
+
+	Get events from docker, either in real time via streaming, or via polling (using `since`)
+
+	**Example request**:
+
+	.. sourcecode:: http
+
+           POST /events?since=1374067924
+
+        **Example response**:
+
+        .. sourcecode:: http
+
+           HTTP/1.1 200 OK
+	   Content-Type: application/json
+
+	   {"status":"create","id":"dfdf82bd3881","from":"base:latest","time":1374067924}
+	   {"status":"start","id":"dfdf82bd3881","from":"base:latest","time":1374067924}
+	   {"status":"stop","id":"dfdf82bd3881","from":"base:latest","time":1374067966}
+	   {"status":"destroy","id":"dfdf82bd3881","from":"base:latest","time":1374067970}
+
+	:query since: timestamp used for polling
+        :statuscode 200: no error
+        :statuscode 500: server error
+
+
 3. Going further
 ================
 

docs/sources/api/registry_index_spec.rst

@@ -2,9 +2,10 @@
 :description: Documentation for docker Registry and Registry API
 :keywords: docker, registry, api, index
 
+.. _registryindexspec:
 
 =====================
-Registry & index Spec
+Registry & Index Spec
 =====================
 
 .. contents:: Table of Contents

docs/sources/commandline/cli.rst

@@ -13,7 +13,7 @@ Docker Usage
 To list available commands, either run ``docker`` with no parameters or execute
 ``docker help``::
 
-  $ docker
+  $ sudo docker
     Usage: docker [OPTIONS] COMMAND [arg...]
       -H=[tcp://127.0.0.1:4243]: tcp://host:port to bind/connect to or unix://path/to/socket to use
 

docs/sources/commandline/command/build.rst

@@ -21,32 +21,44 @@ Examples
 
 .. code-block:: bash
 
-    docker build .
+    sudo docker build .
 
-| This will read the Dockerfile from the current directory. It will also send any other files and directories found in the current directory to the docker daemon.
-| The contents of this directory would be used by ADD commands found within the Dockerfile.
-| This will send a lot of data to the docker daemon if the current directory contains a lot of data.
-| If the absolute path is provided instead of '.', only the files and directories required by the ADD commands from the Dockerfile will be added to the context and transferred to the docker daemon.
-|
+This will read the ``Dockerfile`` from the current directory. It will
+also send any other files and directories found in the current
+directory to the ``docker`` daemon.
+
+The contents of this directory would be used by ``ADD`` commands found
+within the ``Dockerfile``.  This will send a lot of data to the
+``docker`` daemon if the current directory contains a lot of data.  If
+the absolute path is provided instead of ``.`` then only the files and
+directories required by the ADD commands from the ``Dockerfile`` will be
+added to the context and transferred to the ``docker`` daemon.
 
 .. code-block:: bash
 
-   docker build -t vieux/apache:2.0 .
+   sudo docker build -t vieux/apache:2.0 .
 
-| This will build like the preview example, but it will then tag the resulting image, the repository name will be 'vieux/apache' and the tag will be '2.0'
+This will build like the previous example, but it will then tag the
+resulting image. The repository name will be ``vieux/apache`` and the
+tag will be ``2.0``
 
 
 .. code-block:: bash
 
-    docker build - < Dockerfile
+    sudo docker build - < Dockerfile
 
-| This will read a Dockerfile from Stdin without context. Due to the lack of a context, no contents of any local directory will be sent to the docker daemon.
-| ADD doesn't work when running in this mode due to the absence of the context, thus having no source files to copy to the container.
+This will read a ``Dockerfile`` from *stdin* without context. Due to
+the lack of a context, no contents of any local directory will be sent
+to the ``docker`` daemon.  ``ADD`` doesn't work when running in this
+mode because the absence of the context provides no source files to
+copy to the container.
 
 
 .. code-block:: bash
 
-    docker build github.com/creack/docker-firefox
+    sudo docker build github.com/creack/docker-firefox
 
-| This will clone the github repository and use it as context. The Dockerfile at the root of the repository is used as Dockerfile.
-| Note that you can specify an arbitrary git repository by using the 'git://' schema.
+This will clone the Github repository and use it as context. The
+``Dockerfile`` at the root of the repository is used as
+``Dockerfile``.  Note that you can specify an arbitrary git repository
+by using the ``git://`` schema.

docs/sources/commandline/command/commit.rst

@@ -14,7 +14,8 @@
 
       -m="": Commit message
       -author="": Author (eg. "John Hannibal Smith <hannibal@a-team.com>"
-      -run="": Config automatically applied when the image is run. "+`(ex: {"Cmd": ["cat", "/world"], "PortSpecs": ["22"]}')
+      -run="": Config automatically applied when the image is
+       run. "+`(ex: {"Cmd": ["cat", "/world"], "PortSpecs": ["22"]}')
 
 Full -run example::
 

docs/sources/commandline/command/images.rst

@@ -21,6 +21,6 @@ Displaying images visually
 
 ::
 
-    docker images -viz | dot -Tpng -o docker.png
+    sudo docker images -viz | dot -Tpng -o docker.png
 
 .. image:: images/docker_images.gif

docs/sources/commandline/command/import.rst

@@ -12,10 +12,11 @@
 
     Create a new filesystem image from the contents of a tarball
 
-At this time, the URL must start with ``http`` and point to a single file archive
-(.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz)
-containing a root filesystem. If you would like to import from a local directory or archive,
-you can use the ``-`` parameter to take the data from standard in.
+At this time, the URL must start with ``http`` and point to a single
+file archive (.tar, .tar.gz, .tgz, .bzip, .tar.xz, .txz) containing a
+root filesystem. If you would like to import from a local directory or
+archive, you can use the ``-`` parameter to take the data from
+standard in.
 
 Examples
 --------
@@ -23,19 +24,21 @@ Examples
 Import from a remote location
 .............................
 
-``$ docker import http://example.com/exampleimage.tgz exampleimagerepo``
+``$ sudo docker import http://example.com/exampleimage.tgz exampleimagerepo``
 
 Import from a local file
 ........................
 
 Import to docker via pipe and standard in
 
-``$ cat exampleimage.tgz | docker import - exampleimagelocal``
+``$ cat exampleimage.tgz | sudo docker import - exampleimagelocal``
 
 Import from a local directory
 .............................
 
 ``$ sudo tar -c . | docker import - exampleimagedir``
 
-Note the ``sudo`` in this example -- you must preserve the ownership of the files (especially root ownership)
-during the archiving with tar. If you are not root (or sudo) when you tar, then the ownerships might not get preserved.
+Note the ``sudo`` in this example -- you must preserve the ownership
+of the files (especially root ownership) during the archiving with
+tar. If you are not root (or sudo) when you tar, then the ownerships
+might not get preserved.

docs/sources/commandline/command/run.rst

@@ -19,6 +19,7 @@
       -e=[]: Set environment variables
       -h="": Container host name
       -i=false: Keep stdin open even if not attached
+      -privileged=false: Give extended privileges to this container
       -m=0: Memory limit (in bytes)
       -n=true: Enable networking for this container
       -p=[]: Map a network port to the container
@@ -28,6 +29,7 @@
       -v=[]: Create a bind mount with: [host-dir]:[container-dir]:[rw|ro]. If "host-dir" is missing, then docker creates a new volume.
       -volumes-from="": Mount all volumes from the given container.
       -entrypoint="": Overwrite the default entrypoint set by the image.
+      -w="": Working directory inside the container
 
 
 Examples
@@ -35,6 +37,48 @@ Examples
 
 .. code-block:: bash
 
-    docker run -cidfile /tmp/docker_test.cid ubuntu echo "test"
+    sudo docker run -cidfile /tmp/docker_test.cid ubuntu echo "test"
+
+This will create a container and print "test" to the console. The
+``cidfile`` flag makes docker attempt to create a new file and write the
+container ID to it. If the file exists already, docker will return an
+error. Docker will close this file when docker run exits.
+
+.. code-block:: bash
+
+   docker run mount -t tmpfs none /var/spool/squid
+
+This will *not* work, because by default, most potentially dangerous
+kernel capabilities are dropped; including ``cap_sys_admin`` (which is
+required to mount filesystems). However, the ``-privileged`` flag will
+allow it to run:
+
+.. code-block:: bash
+
+   docker run -privileged mount -t tmpfs none /var/spool/squid
+
+The ``-privileged`` flag gives *all* capabilities to the container,
+and it also lifts all the limitations enforced by the ``device``
+cgroup controller. In other words, the container can then do almost
+everything that the host can do. This flag exists to allow special
+use-cases, like running Docker within Docker.
+
+.. code-block:: bash
+
+   docker  run -w /path/to/dir/ -i -t  ubuntu pwd
+
+The ``-w`` lets the command beeing executed inside directory given, 
+here /path/to/dir/. If the path does not exists it is created inside the 
+container.
+
+.. code-block:: bash
+
+   docker  run  -v `pwd`:`pwd` -w `pwd` -i -t  ubuntu pwd
+
+The ``-v`` flag mounts the current working directory into the container. 
+The ``-w`` lets the command beeing executed inside the current 
+working directory, by changeing into the directory to the value
+returned by ``pwd``. So this combination executes the command
+using the container, but inside the current working directory.
+
 
-| This will create a container and print "test" to the console. The cidfile flag makes docker attempt to create a new file and write the container ID to it. If the file exists already, docker will return an error. Docker will close this file when docker run exits.

docs/sources/commandline/command/search.rst

@@ -10,5 +10,5 @@
 
     Usage: docker search TERM
 
-    Searches for the TERM parameter on the Docker index and prints out a list of repositories
-    that match.
+    Searches for the TERM parameter on the Docker index and prints out
+    a list of repositories that match.

docs/sources/conf.py

@@ -51,9 +51,7 @@ source_suffix = '.rst'
 # The encoding of source files.
 #source_encoding = 'utf-8-sig'
 
-#disable the permalinks on headers, I find them really annoying
-html_add_permalinks = None
-
+html_add_permalinks = u'¶'
 
 # The master toctree document.
 master_doc = 'toctree'

docs/sources/contributing/devenvironment.rst

@@ -5,18 +5,23 @@
 Setting Up a Dev Environment
 ============================
 
-To make it easier to contribute to Docker, we provide a standard development environment. It is important that
-the same environment be used for all tests, builds and releases. The standard development environment defines
-all build dependencies: system libraries and binaries, go environment, go dependencies, etc.
+To make it easier to contribute to Docker, we provide a standard
+development environment. It is important that the same environment be
+used for all tests, builds and releases. The standard development
+environment defines all build dependencies: system libraries and
+binaries, go environment, go dependencies, etc.
 
 
 Step 1: install docker
 ----------------------
 
-Docker's build environment itself is a docker container, so the first step is to install docker on your system.
+Docker's build environment itself is a Docker container, so the first
+step is to install docker on your system.
 
-You can follow the `install instructions most relevant to your system <https://docs.docker.io/en/latest/installation/>`.
-Make sure you have a working, up-to-date docker installation, then continue to the next step.
+You can follow the `install instructions most relevant to your system
+<https://docs.docker.io/en/latest/installation/>`_.  Make sure you have
+a working, up-to-date docker installation, then continue to the next
+step.
 
 
 Step 2: check out the source
@@ -35,24 +40,24 @@ When you are ready to build docker, run this command:
 
 ::
 
-    docker build -t docker .
+    sudo docker build -t docker .
 
-This will build the revision currently checked out in the repository. Feel free to check out the version
-of your choice.
+This will build the revision currently checked out in the
+repository. Feel free to check out the version of your choice.
 
-If the build is successful, congratulations! You have produced a clean build of docker, neatly encapsulated
-in a standard build environment.
+If the build is successful, congratulations! You have produced a clean
+build of docker, neatly encapsulated in a standard build environment.
 
 You can run an interactive session in the newly built container:
 
 ::
 
-    docker run -i -t docker bash
+    sudo docker run -i -t docker bash
 
 
 To extract the binaries from the container:
 
 ::
 
-    docker run docker sh -c 'cat $(which docker)' > docker-build && chmod +x docker-build
+    sudo docker run docker sh -c 'cat $(which docker)' > docker-build && chmod +x docker-build
 

docs/sources/examples/couchdb_data_volumes.rst

@@ -9,27 +9,29 @@ CouchDB Service
 
 .. include:: example_header.inc
 
-Here's an example of using data volumes to share the same data between 2 couchdb containers.
-This could be used for hot upgrades, testing different versions of couchdb on the same data, etc.
+Here's an example of using data volumes to share the same data between
+2 CouchDB containers.  This could be used for hot upgrades, testing
+different versions of CouchDB on the same data, etc.
 
 Create first database
 ---------------------
 
-Note that we're marking /var/lib/couchdb as a data volume.
+Note that we're marking ``/var/lib/couchdb`` as a data volume.
 
 .. code-block:: bash
 
-    COUCH1=$(docker run -d -v /var/lib/couchdb shykes/couchdb:2013-05-03)
+    COUCH1=$(sudo docker run -d -v /var/lib/couchdb shykes/couchdb:2013-05-03)
 
 Add data to the first database
 ------------------------------
 
-We're assuming your docker host is reachable at `localhost`. If not, replace `localhost` with the public IP of your docker host.
+We're assuming your docker host is reachable at `localhost`. If not,
+replace `localhost` with the public IP of your docker host.
 
 .. code-block:: bash
 
     HOST=localhost
-    URL="http://$HOST:$(docker port $COUCH1 5984)/_utils/"
+    URL="http://$HOST:$(sudo docker port $COUCH1 5984)/_utils/"
     echo "Navigate to $URL in your browser, and use the couch interface to add data"
 
 Create second database
@@ -39,7 +41,7 @@ This time, we're requesting shared access to $COUCH1's volumes.
 
 .. code-block:: bash
 
-    COUCH2=$(docker run -d -volumes-from $COUCH1 shykes/couchdb:2013-05-03)
+    COUCH2=$(sudo docker run -d -volumes-from $COUCH1 shykes/couchdb:2013-05-03)
 
 Browse data on the second database
 ----------------------------------
@@ -47,7 +49,8 @@ Browse data on the second database
 .. code-block:: bash
 
     HOST=localhost
-    URL="http://$HOST:$(docker port $COUCH2 5984)/_utils/"
+    URL="http://$HOST:$(sudo docker port $COUCH2 5984)/_utils/"
     echo "Navigate to $URL in your browser. You should see the same data as in the first database"'!'
 
-Congratulations, you are running 2 Couchdb containers, completely isolated from each other *except* for their data.
+Congratulations, you are running 2 Couchdb containers, completely
+isolated from each other *except* for their data.

docs/sources/examples/hello_world.rst

@@ -11,26 +11,28 @@ Hello World
 
 This is the most basic example available for using Docker.
 
-Download the base container
+Download the base image (named "ubuntu"):
 
 .. code-block:: bash
 
     # Download an ubuntu image
-    docker pull ubuntu
+    sudo docker pull ubuntu
 
-The *base* image is a minimal *ubuntu* based container, alternatively you can select *busybox*, a bare
-minimal linux system. The images are retrieved from the docker repository.
+Alternatively to the *ubuntu* image, you can select *busybox*, a bare
+minimal Linux system. The images are retrieved from the Docker
+repository.
 
 
 .. code-block:: bash
 
     #run a simple echo command, that will echo hello world back to the console over standard out.
-    docker run base /bin/echo hello world
+    sudo docker run ubuntu /bin/echo hello world
 
 **Explanation:**
 
+- **"sudo"** execute the following commands as user *root* 
 - **"docker run"** run a command in a new container 
-- **"base"** is the image we want to run the command inside of.
+- **"ubuntu"** is the image we want to run the command inside of.
 - **"/bin/echo"** is the command we want to run in the container
 - **"hello world"** is the input for the echo command
 

docs/sources/examples/hello_world_daemon.rst

@@ -11,27 +11,35 @@ Hello World Daemon
 
 The most boring daemon ever written.
 
-This example assumes you have Docker installed and with the ubuntu image already imported ``docker pull ubuntu``.
-We will use the ubuntu image to run a simple hello world daemon that will just print hello world to standard
-out every second. It will continue to do this until we stop it.
+This example assumes you have Docker installed and with the Ubuntu
+image already imported ``docker pull ubuntu``.  We will use the Ubuntu
+image to run a simple hello world daemon that will just print hello
+world to standard out every second. It will continue to do this until
+we stop it.
 
 **Steps:**
 
 .. code-block:: bash
 
-    CONTAINER_ID=$(docker run -d ubuntu /bin/sh -c "while true; do echo hello world; sleep 1; done")
+    CONTAINER_ID=$(sudo docker run -d ubuntu /bin/sh -c "while true; do echo hello world; sleep 1; done")
 
-We are going to run a simple hello world daemon in a new container made from the ubuntu image.
+We are going to run a simple hello world daemon in a new container
+made from the *ubuntu* image.
 
-- **"docker run -d "** run a command in a new container. We pass "-d" so it runs as a daemon.
+- **"docker run -d "** run a command in a new container. We pass "-d"
+  so it runs as a daemon.
 - **"ubuntu"** is the image we want to run the command inside of.
 - **"/bin/sh -c"** is the command we want to run in the container
-- **"while true; do echo hello world; sleep 1; done"** is the mini script we want to run, that will just print hello world once a second until we stop it.
-- **$CONTAINER_ID** the output of the run command will return a container id, we can use in future commands to see what is going on with this process.
+- **"while true; do echo hello world; sleep 1; done"** is the mini
+  script we want to run, that will just print hello world once a
+  second until we stop it.
+- **$CONTAINER_ID** the output of the run command will return a
+  container id, we can use in future commands to see what is going on
+  with this process.
 
 .. code-block:: bash
 
-    docker logs $CONTAINER_ID
+    sudo docker logs $CONTAINER_ID
 
 Check the logs make sure it is working correctly.
 
@@ -40,16 +48,17 @@ Check the logs make sure it is working correctly.
 
 .. code-block:: bash
 
-    docker attach $CONTAINER_ID
+    sudo docker attach $CONTAINER_ID
 
 Attach to the container to see the results in realtime.
 
-- **"docker attach**" This will allow us to attach to a background process to see what is going on.
+- **"docker attach**" This will allow us to attach to a background
+  process to see what is going on.
 - **$CONTAINER_ID** The Id of the container we want to attach too.
 
 .. code-block:: bash
 
-    docker ps
+    sudo docker ps
 
 Check the process list to make sure it is running.
 
@@ -57,7 +66,7 @@ Check the process list to make sure it is running.
 
 .. code-block:: bash
 
-    docker stop $CONTAINER_ID
+    sudo docker stop $CONTAINER_ID
 
 Stop the container, since we don't need it anymore.
 
@@ -66,7 +75,7 @@ Stop the container, since we don't need it anymore.
 
 .. code-block:: bash
 
-    docker ps
+    sudo docker ps
 
 Make sure it is really stopped.
 

docs/sources/examples/nodejs_web_app.rst

@@ -9,10 +9,11 @@ Node.js Web App
 
 .. include:: example_header.inc
 
-The goal of this example is to show you how you can build your own docker images
-from a parent image using a ``Dockerfile`` . We will do that by making a simple
-Node.js hello world web application running on CentOS. You can get the full
-source code at https://github.com/gasi/docker-node-hello.
+The goal of this example is to show you how you can build your own
+docker images from a parent image using a ``Dockerfile`` . We will do
+that by making a simple Node.js hello world web application running on
+CentOS. You can get the full source code at
+https://github.com/gasi/docker-node-hello.
 
 Create Node.js app
 ++++++++++++++++++
@@ -109,16 +110,17 @@ Install your app dependencies using npm:
     # Install app dependencies
     RUN cd /src; npm install
 
-Your app binds to port ``8080`` so you’ll use the ``EXPOSE`` command to have it
-mapped by the docker daemon:
+Your app binds to port ``8080`` so you’ll use the ``EXPOSE`` command
+to have it mapped by the docker daemon:
 
 .. code-block:: bash
 
     EXPOSE  8080
 
-Last but not least, define the command to run your app using ``CMD`` which
-defines your runtime, i.e. ``node``, and the path to our app, i.e.
-``src/index.js`` (see the step where we added the source to the container):
+Last but not least, define the command to run your app using ``CMD``
+which defines your runtime, i.e. ``node``, and the path to our app,
+i.e.  ``src/index.js`` (see the step where we added the source to the
+container):
 
 .. code-block:: bash
 
@@ -149,19 +151,20 @@ Your ``Dockerfile`` should now look like this:
 Building your image
 +++++++++++++++++++
 
-Go to the directory that has your ``Dockerfile`` and run the following command
-to build a docker image. The ``-t`` flag let’s you tag your image so it’s easier
-to find later using the ``docker images`` command:
+Go to the directory that has your ``Dockerfile`` and run the following
+command to build a docker image. The ``-t`` flag let’s you tag your
+image so it’s easier to find later using the ``docker images``
+command:
 
 .. code-block:: bash
 
-    docker build -t <your username>/centos-node-hello .
+    sudo docker build -t <your username>/centos-node-hello .
 
 Your image will now be listed by docker:
 
 .. code-block:: bash
 
-    docker images
+    sudo docker images
 
     > # Example
     > REPOSITORY                 TAG       ID              CREATED
@@ -177,17 +180,17 @@ container running in the background. Run the image you previously built:
 
 .. code-block:: bash
 
-    docker run -d <your username>/centos-node-hello
+    sudo docker run -d <your username>/centos-node-hello
 
 Print the output of your app:
 
 .. code-block:: bash
 
     # Get container ID
-    docker ps
+    sudo docker ps
 
     # Print app output
-    docker logs <container id>
+    sudo docker logs <container id>
 
     > # Example
     > Running on http://localhost:8080
@@ -225,8 +228,8 @@ Now you can call your app using ``curl`` (install if needed via:
     >
     > Hello World
 
-We hope this tutorial helped you get up and running with Node.js and CentOS on
-docker. You can get the full source code at
+We hope this tutorial helped you get up and running with Node.js and
+CentOS on docker. You can get the full source code at
 https://github.com/gasi/docker-node-hello.
 
 Continue to :ref:`running_redis_service`.

docs/sources/examples/postgresql_service.rst

@@ -31,7 +31,7 @@ Run an interactive shell in Docker container.
 
 .. code-block:: bash
 
-    docker run -i -t ubuntu /bin/bash
+    sudo docker run -i -t ubuntu /bin/bash
 
 Update its dependencies.
 
@@ -60,9 +60,9 @@ Finally, install PostgreSQL 9.2
 
     apt-get -y install postgresql-9.2 postgresql-client-9.2 postgresql-contrib-9.2
 
-Now, create a PostgreSQL superuser role that can create databases and other roles.
-Following Vagrant's convention the role will be named `docker` with `docker`
-password assigned to it.
+Now, create a PostgreSQL superuser role that can create databases and
+other roles.  Following Vagrant's convention the role will be named
+`docker` with `docker` password assigned to it.
 
 .. code-block:: bash
 
@@ -75,27 +75,27 @@ role.
 
     sudo -u postgres createdb -O docker docker
 
-Adjust PostgreSQL configuration so that remote connections to the database are
-possible. Make sure that inside ``/etc/postgresql/9.2/main/pg_hba.conf`` you have
-following line:
+Adjust PostgreSQL configuration so that remote connections to the
+database are possible. Make sure that inside
+``/etc/postgresql/9.2/main/pg_hba.conf`` you have following line:
 
 .. code-block:: bash
 
     host    all             all             0.0.0.0/0               md5
 
-Additionaly, inside ``/etc/postgresql/9.2/main/postgresql.conf`` uncomment
-``listen_address`` so it is as follows:
+Additionaly, inside ``/etc/postgresql/9.2/main/postgresql.conf``
+uncomment ``listen_addresses`` so it is as follows:
 
 .. code-block:: bash
 
-    listen_address='*'
+    listen_addresses='*'
 
-*Note:* this PostgreSQL setup is for development only purposes. Refer to
-PostgreSQL documentation how to fine-tune these settings so that it is enough
-secure.
+*Note:* this PostgreSQL setup is for development only purposes. Refer
+to PostgreSQL documentation how to fine-tune these settings so that it
+is enough secure.
 
-Create an image and assign it a name. ``<container_id>`` is in the Bash prompt;
-you can also locate it using ``docker ps -a``.
+Create an image and assign it a name. ``<container_id>`` is in the
+Bash prompt; you can also locate it using ``docker ps -a``.
 
 .. code-block:: bash
 
@@ -105,7 +105,7 @@ Finally, run PostgreSQL server via ``docker``.
 
 .. code-block:: bash
 
-    CONTAINER=$(docker run -d -p 5432 \
+    CONTAINER=$(sudo docker run -d -p 5432 \
       -t <your username>/postgresql \
       /bin/su postgres -c '/usr/lib/postgresql/9.2/bin/postgres \
         -D /var/lib/postgresql/9.2/main \
@@ -115,7 +115,7 @@ Connect the PostgreSQL server using ``psql``.
 
 .. code-block:: bash
 
-    CONTAINER_IP=$(docker inspect $CONTAINER | grep IPAddress | awk '{ print $2 }' | tr -d ',"')
+    CONTAINER_IP=$(sudo docker inspect $CONTAINER | grep IPAddress | awk '{ print $2 }' | tr -d ',"')
     psql -h $CONTAINER_IP -p 5432 -d docker -U docker -W
 
 As before, create roles or databases if needed.
@@ -132,13 +132,13 @@ Additionally, publish there your newly created image on Docker Index.
 
 .. code-block:: bash
 
-    docker login
+    sudo docker login
     Username: <your username>
     [...]
 
 .. code-block:: bash
 
-    docker push <your username>/postgresql
+    sudo docker push <your username>/postgresql
 
 PostgreSQL service auto-launch
 ------------------------------
@@ -149,10 +149,10 @@ container starts.
 
 .. code-block:: bash
 
-    docker commit <container_id> <your username>/postgresql -run='{"Cmd": \
+    sudo docker commit <container_id> <your username>/postgresql -run='{"Cmd": \
       ["/bin/su", "postgres", "-c", "/usr/lib/postgresql/9.2/bin/postgres -D \
       /var/lib/postgresql/9.2/main -c \
       config_file=/etc/postgresql/9.2/main/postgresql.conf"], PortSpecs": ["5432"]}
 
-From now on, just type ``docker run <your username>/postgresql`` and PostgreSQL
-should automatically start.
+From now on, just type ``docker run <your username>/postgresql`` and
+PostgreSQL should automatically start.

docs/sources/examples/python_web_app.rst

@@ -9,13 +9,16 @@ Python Web App
 
 .. include:: example_header.inc
 
-The goal of this example is to show you how you can author your own docker images using a parent image, making changes to it, and then saving the results as a new image. We will do that by making a simple hello flask web application image.
+The goal of this example is to show you how you can author your own
+docker images using a parent image, making changes to it, and then
+saving the results as a new image. We will do that by making a simple
+hello flask web application image.
 
 **Steps:**
 
 .. code-block:: bash
 
-    docker pull shykes/pybuilder
+    sudo docker pull shykes/pybuilder
 
 We are downloading the "shykes/pybuilder" docker image
 
@@ -27,52 +30,66 @@ We set a URL variable that points to a tarball of a simple helloflask web app
 
 .. code-block:: bash
 
-    BUILD_JOB=$(docker run -d -t shykes/pybuilder:latest /usr/local/bin/buildapp $URL)
+    BUILD_JOB=$(sudo docker run -d -t shykes/pybuilder:latest /usr/local/bin/buildapp $URL)
 
-Inside of the "shykes/pybuilder" image there is a command called buildapp, we are running that command and passing the $URL variable from step 2 to it, and running the whole thing inside of a new container. BUILD_JOB will be set with the new container_id.
+Inside of the "shykes/pybuilder" image there is a command called
+buildapp, we are running that command and passing the $URL variable
+from step 2 to it, and running the whole thing inside of a new
+container. BUILD_JOB will be set with the new container_id.
 
 .. code-block:: bash
 
-    docker attach $BUILD_JOB
+    sudo docker attach $BUILD_JOB
     [...]
 
-While this container is running, we can attach to the new container to see what is going on. Ctrl-C to disconnect.
+While this container is running, we can attach to the new container to
+see what is going on. Ctrl-C to disconnect.
 
 .. code-block:: bash
 
-    docker ps -a
+    sudo docker ps -a
     
-List all docker containers. If this container has already finished running, it will still be listed here.
+List all docker containers. If this container has already finished
+running, it will still be listed here.
 
 .. code-block:: bash
 
-    BUILD_IMG=$(docker commit $BUILD_JOB _/builds/github.com/shykes/helloflask/master)
+    BUILD_IMG=$(sudo docker commit $BUILD_JOB _/builds/github.com/shykes/helloflask/master)
 
-Save the changes we just made in the container to a new image called "_/builds/github.com/hykes/helloflask/master" and save the image id in the BUILD_IMG variable name.
+Save the changes we just made in the container to a new image called
+``_/builds/github.com/hykes/helloflask/master`` and save the image id in
+the BUILD_IMG variable name.
 
 .. code-block:: bash
 
-    WEB_WORKER=$(docker run -d -p 5000 $BUILD_IMG /usr/local/bin/runapp)
+    WEB_WORKER=$(sudo docker run -d -p 5000 $BUILD_IMG /usr/local/bin/runapp)
 
-- **"docker run -d "** run a command in a new container. We pass "-d" so it runs as a daemon.
-- **"-p 5000"** the web app is going to listen on this port, so it must be mapped from the container to the host system.
+- **"docker run -d "** run a command in a new container. We pass "-d"
+  so it runs as a daemon.
+- **"-p 5000"** the web app is going to listen on this port, so it
+  must be mapped from the container to the host system.
 - **"$BUILD_IMG"** is the image we want to run the command inside of.
 - **/usr/local/bin/runapp** is the command which starts the web app.
 
-Use the new image we just created and create a new container with network port 5000, and return the container id and store in the WEB_WORKER variable.
+Use the new image we just created and create a new container with
+network port 5000, and return the container id and store in the
+WEB_WORKER variable.
 
 .. code-block:: bash
 
-    docker logs $WEB_WORKER
+    sudo docker logs $WEB_WORKER
      * Running on http://0.0.0.0:5000/
 
-View the logs for the new container using the WEB_WORKER variable, and if everything worked as planned you should see the line "Running on http://0.0.0.0:5000/" in the log output.
+View the logs for the new container using the WEB_WORKER variable, and
+if everything worked as planned you should see the line "Running on
+http://0.0.0.0:5000/" in the log output.
 
 .. code-block:: bash
 
     WEB_PORT=$(docker port $WEB_WORKER 5000)
 
-Look up the public-facing port which is NAT-ed. Find the private port used by the container and store it inside of the WEB_PORT variable.
+Look up the public-facing port which is NAT-ed. Find the private port
+used by the container and store it inside of the WEB_PORT variable.
 
 .. code-block:: bash
 
@@ -80,7 +97,8 @@ Look up the public-facing port which is NAT-ed. Find the private port used by th
     curl http://127.0.0.1:$WEB_PORT
       Hello world!
 
-Access the web app using curl. If everything worked as planned you should see the line "Hello world!" inside of your console.
+Access the web app using curl. If everything worked as planned you
+should see the line "Hello world!" inside of your console.
 
 **Video:**
 

docs/sources/examples/running_examples.rst

@@ -7,16 +7,17 @@
 Running the Examples
 --------------------
 
-All the examples assume your machine is running the docker daemon. To run the docker daemon in the background, simply type:
+All the examples assume your machine is running the docker daemon. To
+run the docker daemon in the background, simply type:
 
    .. code-block:: bash
 
       sudo docker -d &
 
-Now you can run docker in client mode: all commands will be forwarded to the docker daemon, so the client
-can run from any account.
+Now you can run docker in client mode: by defalt all commands will be
+forwarded to the ``docker`` daemon via a protected Unix socket, so you
+must run as root.
 
    .. code-block:: bash
 
-      # now you can run docker commands from any account.
-      docker help
+      sudo docker help

docs/sources/examples/running_redis_service.rst

@@ -16,12 +16,13 @@ Open a docker container
 
 .. code-block:: bash
 
-    docker run -i -t base /bin/bash
+    sudo docker run -i -t ubuntu /bin/bash
 
 Building your image
 -------------------
 
-Update your docker container, install the redis server.  Once installed, exit out of docker.
+Update your Docker container, install the Redis server.  Once
+installed, exit out of the Docker container.
 
 .. code-block:: bash
 
@@ -45,7 +46,7 @@ container running in the background. Use your snapshot.
 
 .. code-block:: bash
 
-    docker run -d -p 6379 <your username>/redis /usr/bin/redis-server
+    sudo docker run -d -p 6379 <your username>/redis /usr/bin/redis-server
 
 Test 1
 ++++++
@@ -54,8 +55,8 @@ Connect to the container with the redis-cli.
 
 .. code-block:: bash
 
-    docker ps  # grab the new container id
-    docker inspect <container_id>    # grab the ipaddress of the container
+    sudo docker ps  # grab the new container id
+    sudo docker inspect <container_id>    # grab the ipaddress of the container
     redis-cli -h <ipaddress> -p 6379
     redis 10.0.3.32:6379> set docker awesome
     OK
@@ -70,8 +71,8 @@ Connect to the host os with the redis-cli.
 
 .. code-block:: bash
 
-    docker ps  # grab the new container id
-    docker port <container_id> 6379  # grab the external port
+    sudo docker ps  # grab the new container id
+    sudo docker port <container_id> 6379  # grab the external port
     ip addr show   # grab the host ip address
     redis-cli -h <host ipaddress> -p <external port>
     redis 192.168.0.1:49153> set docker awesome

docs/sources/examples/running_ssh_service.rst

@@ -12,8 +12,16 @@ SSH Daemon Service
 
 **Video:**
 
-I've create a little screencast to show how to create a sshd service and connect to it. It is something like 11
-minutes and not entirely smooth, but gives you a good idea.
+I've create a little screencast to show how to create a sshd service
+and connect to it. It is something like 11 minutes and not entirely
+smooth, but gives you a good idea.
+
+.. note::
+   This screencast was created before ``docker`` version 0.5.2, so the
+   daemon is unprotected and available via a TCP port. When you run
+   through the same steps in a newer version of ``docker``, you will
+   need to add ``sudo`` in front of each ``docker`` command in order
+   to reach the daemon over its protected Unix socket.
 
 .. raw:: html
 
@@ -24,7 +32,7 @@ minutes and not entirely smooth, but gives you a good idea.
 You can also get this sshd container by using
 ::
 
-    docker pull dhrp/sshd
+    sudo docker pull dhrp/sshd
 
 
 The password is 'screencast'

docs/sources/faq.rst

@@ -9,40 +9,140 @@ FAQ
 Most frequently asked questions.
 --------------------------------
 
-1. **How much does Docker cost?**
+How much does Docker cost?
+..........................
 
    Docker is 100% free, it is open source, so you can use it without paying.
 
-2. **What open source license are you using?**
-
-   We are using the Apache License Version 2.0, see it here: https://github.com/dotcloud/docker/blob/master/LICENSE
-
-3. **Does Docker run on Mac OS X or Windows?**
-
-   Not at this time, Docker currently only runs on Linux, but you can use VirtualBox to run Docker in a
-   virtual machine on your box, and get the best of both worlds. Check out the :ref:`install_using_vagrant` and :ref:`windows` installation guides.
-
-4. **How do containers compare to virtual machines?**
-
-   They are complementary. VMs are best used to allocate chunks of hardware resources. Containers operate at the process level, which makes them very lightweight and perfect as a unit of software delivery.
-
-5. **Can I help by adding some questions and answers?**
+What open source license are you using?
+.......................................
+
+   We are using the Apache License Version 2.0, see it here:
+   https://github.com/dotcloud/docker/blob/master/LICENSE
+
+Does Docker run on Mac OS X or Windows?
+.......................................
+
+   Not at this time, Docker currently only runs on Linux, but you can
+   use VirtualBox to run Docker in a virtual machine on your box, and
+   get the best of both worlds. Check out the
+   :ref:`install_using_vagrant` and :ref:`windows` installation
+   guides.
+
+How do containers compare to virtual machines?
+..............................................
+
+   They are complementary. VMs are best used to allocate chunks of
+   hardware resources. Containers operate at the process level, which
+   makes them very lightweight and perfect as a unit of software
+   delivery.
+
+What does Docker add to just plain LXC?
+.......................................
+
+   Docker is not a replacement for LXC. "LXC" refers to capabilities
+   of the Linux kernel (specifically namespaces and control groups)
+   which allow sandboxing processes from one another, and controlling
+   their resource allocations.  On top of this low-level foundation of
+   kernel features, Docker offers a high-level tool with several
+   powerful functionalities:
+
+   * *Portable deployment across machines.* 
+      Docker defines a format for bundling an application and all its
+      dependencies into a single object which can be transferred to
+      any Docker-enabled machine, and executed there with the
+      guarantee that the execution environment exposed to the
+      application will be the same. LXC implements process sandboxing,
+      which is an important pre-requisite for portable deployment, but
+      that alone is not enough for portable deployment. If you sent me
+      a copy of your application installed in a custom LXC
+      configuration, it would almost certainly not run on my machine
+      the way it does on yours, because it is tied to your machine's
+      specific configuration: networking, storage, logging, distro,
+      etc. Docker defines an abstraction for these machine-specific
+      settings, so that the exact same Docker container can run -
+      unchanged - on many different machines, with many different
+      configurations.
+
+   * *Application-centric.* 
+      Docker is optimized for the deployment of applications, as
+      opposed to machines. This is reflected in its API, user
+      interface, design philosophy and documentation. By contrast, the
+      ``lxc`` helper scripts focus on containers as lightweight
+      machines - basically servers that boot faster and need less
+      RAM. We think there's more to containers than just that.
+
+   * *Automatic build.* 
+      Docker includes :ref:`a tool for developers to automatically
+      assemble a container from their source code <dockerbuilder>`,
+      with full control over application dependencies, build tools,
+      packaging etc. They are free to use ``make, maven, chef, puppet,
+      salt,`` Debian packages, RPMs, source tarballs, or any
+      combination of the above, regardless of the configuration of the
+      machines.
+
+   * *Versioning.* 
+      Docker includes git-like capabilities for tracking successive
+      versions of a container, inspecting the diff between versions,
+      committing new versions, rolling back etc. The history also
+      includes how a container was assembled and by whom, so you get
+      full traceability from the production server all the way back to
+      the upstream developer. Docker also implements incremental
+      uploads and downloads, similar to ``git pull``, so new versions
+      of a container can be transferred by only sending diffs.
+
+   * *Component re-use.* 
+      Any container can be used as a :ref:`"base image"
+      <base_image_def>` to create more specialized components. This
+      can be done manually or as part of an automated build. For
+      example you can prepare the ideal Python environment, and use it
+      as a base for 10 different applications. Your ideal Postgresql
+      setup can be re-used for all your future projects. And so on.
+
+   * *Sharing.*
+      Docker has access to a `public registry
+      <http://index.docker.io>`_ where thousands of people have
+      uploaded useful containers: anything from Redis, CouchDB,
+      Postgres to IRC bouncers to Rails app servers to Hadoop to base
+      images for various Linux distros. The :ref:`registry
+      <registryindexspec>` also includes an official "standard
+      library" of useful containers maintained by the Docker team. The
+      registry itself is open-source, so anyone can deploy their own
+      registry to store and transfer private containers, for internal
+      server deployments for example.
+
+   * *Tool ecosystem.* 
+      Docker defines an API for automating and customizing the
+      creation and deployment of containers. There are a huge number
+      of tools integrating with Docker to extend its
+      capabilities. PaaS-like deployment (Dokku, Deis, Flynn),
+      multi-node orchestration (Maestro, Salt, Mesos, Openstack Nova),
+      management dashboards (docker-ui, Openstack Horizon, Shipyard),
+      configuration management (Chef, Puppet), continuous integration
+      (Jenkins, Strider, Travis), etc. Docker is rapidly establishing
+      itself as the standard for container-based tooling.
+
+Can I help by adding some questions and answers?
+................................................
 
    Definitely! You can fork `the repo`_ and edit the documentation sources.
 
 
-42. **Where can I find more answers?**
+Where can I find more answers?
+..............................
 
     You can find more answers on:
 
-    * `Docker club mailinglist`_
+    * `Docker user mailinglist`_
+    * `Docker developer mailinglist`_
     * `IRC, docker on freenode`_
     * `Github`_
     * `Ask questions on Stackoverflow`_
     * `Join the conversation on Twitter`_
 
 
-    .. _Docker club mailinglist: https://groups.google.com/d/forum/docker-club
+    .. _Docker user mailinglist: https://groups.google.com/d/forum/docker-user
+    .. _Docker developer mailinglist: https://groups.google.com/d/forum/docker-dev
     .. _the repo: http://www.github.com/dotcloud/docker
     .. _IRC, docker on freenode: irc://chat.freenode.net#docker
     .. _Github: http://www.github.com/dotcloud/docker

docs/sources/installation/amazon.rst

@@ -90,7 +90,7 @@ Docker can now be installed on Amazon EC2 with a single vagrant command. Vagrant
 
    .. code-block:: bash
 
-      docker
+      sudo docker
 
 
 Continue with the :ref:`hello_world` example.

docs/sources/installation/binaries.rst

@@ -56,10 +56,10 @@ Run your first container!
 .. code-block:: bash
 
     # check your docker version
-    ./docker version
+    sudo ./docker version
 
     # run a container and open an interactive shell in the container
-    ./docker run -i -t ubuntu /bin/bash
+    sudo ./docker run -i -t ubuntu /bin/bash
 
 
 

docs/sources/installation/ubuntulinux.rst

@@ -76,7 +76,7 @@ Verify it worked
 .. code-block:: bash
 
    # download the base 'ubuntu' container and run bash inside it while setting up an interactive shell
-   docker run -i -t ubuntu /bin/bash
+   sudo docker run -i -t ubuntu /bin/bash
 
    # type 'exit' to exit
 
@@ -138,7 +138,7 @@ Verify it worked
 .. code-block:: bash
 
    # download the base 'ubuntu' container and run bash inside it while setting up an interactive shell
-   docker run -i -t ubuntu /bin/bash
+   sudo docker run -i -t ubuntu /bin/bash
 
    # type exit to exit
 

docs/sources/installation/vagrant.rst

@@ -63,7 +63,7 @@ Now you are in the VM, run docker
 
 .. code-block:: bash
 
-   docker
+   sudo docker
 
 
 Continue with the :ref:`hello_world` example.

docs/sources/use/basics.rst

@@ -9,11 +9,13 @@ The Basics
 Starting Docker
 ---------------
 
-If you have used one of the quick install paths', Docker may have been installed with upstart, Ubuntu's
-system for starting processes at boot time. You should be able to run ``docker help`` and get output.
+If you have used one of the quick install paths', Docker may have been
+installed with upstart, Ubuntu's system for starting processes at boot
+time. You should be able to run ``sudo docker help`` and get output.
 
-If you get ``docker: command not found`` or something like ``/var/lib/docker/repositories: permission denied``
-you will need to specify the path to it and manually start it.
+If you get ``docker: command not found`` or something like
+``/var/lib/docker/repositories: permission denied`` you will need to
+specify the path to it and manually start it.
 
 .. code-block:: bash
 
@@ -27,45 +29,84 @@ Running an interactive shell
 .. code-block:: bash
 
   # Download an ubuntu image
-  docker pull ubuntu
+  sudo docker pull ubuntu
 
   # Run an interactive shell in the ubuntu image,
   # allocate a tty, attach stdin and stdout
-  docker run -i -t ubuntu /bin/bash
+  sudo docker run -i -t ubuntu /bin/bash
 
-Bind Docker to another host/port or a unix socket
+Why ``sudo``?
+-------------
+
+The ``docker`` daemon always runs as root, and since ``docker``
+version 0.5.2, ``docker`` binds to a Unix socket instead of a TCP
+port. By default that Unix socket is owned by the user *root*, and so,
+by default, you can access it with ``sudo``. 
+
+Starting in version 0.5.3, if you create a Unix group called *docker*
+and add users to it, then the ``docker`` daemon will make the
+ownership of the Unix socket read/writable by the *docker* group when
+the daemon starts. The ``docker`` daemon must always run as root, but
+if you run the ``docker`` client as a user in the *docker* group then
+you don't need to add ``sudo`` to all the client commands.
+
+.. code-block:: bash
+
+  # Add the docker group
+  sudo groupadd docker
+
+  # Add the ubuntu user to the docker group
+  sudo gpasswd -a ubuntu docker
+
+  # Restart the docker daemon
+  sudo service docker restart
+
+Bind Docker to another host/port or a Unix socket
 -------------------------------------------------
 
-With -H it is possible to make the Docker daemon to listen on a specific ip and port. By default, it will listen on 127.0.0.1:4243 to allow only local connections but you can set it to 0.0.0.0:4243 or a specific host ip to give access to everybody.
+.. DANGER:: Changing the default ``docker`` daemon binding to a TCP
+   port or Unix *docker* user group will increase your security risks
+   by allowing non-root users to potentially gain *root* access on the
+   host (`e.g. #1369
+   <https://github.com/dotcloud/docker/issues/1369>`_). Make sure you
+   control access to ``docker``.
+
+With -H it is possible to make the Docker daemon to listen on a
+specific ip and port. By default, it will listen on
+``unix:///var/run/docker.sock`` to allow only local connections by the
+*root* user.  You *could* set it to 0.0.0.0:4243 or a specific host ip to
+give access to everybody, but that is **not recommended** because then
+it is trivial for someone to gain root access to the host where the
+daemon is running.
 
-Similarly, the Docker client can use -H to connect to a custom port.
+Similarly, the Docker client can use ``-H`` to connect to a custom port.
+
+``-H`` accepts host and port assignment in the following format:
+``tcp://[host][:port]`` or ``unix://path``
 
--H accepts host and port assignment in the following format: tcp://[host][:port] or unix://path
 For example:
 
-* tcp://host -> tcp connection on host:4243
-* tcp://host:port -> tcp connection on host:port
-* tcp://:port -> tcp connection on 127.0.0.1:port
-* unix://path/to/socket -> unix socket located at path/to/socket
+* ``tcp://host:4243`` -> tcp connection on host:4243
+* ``unix://path/to/socket`` -> unix socket located at ``path/to/socket``
 
 .. code-block:: bash
 
    # Run docker in daemon mode
    sudo <path to>/docker -H 0.0.0.0:5555 -d &
    # Download an ubuntu image
-   docker -H :5555 pull ubuntu
+   sudo docker -H :5555 pull ubuntu
 
-You can use multiple -H, for example, if you want to listen
-on both tcp and a unix socket
+You can use multiple ``-H``, for example, if you want to listen on
+both TCP and a Unix socket
 
 .. code-block:: bash
 
    # Run docker in daemon mode
    sudo <path to>/docker -H tcp://127.0.0.1:4243 -H unix:///var/run/docker.sock -d &
-   # Download an ubuntu image
-   docker pull ubuntu
-   # OR
-   docker -H unix:///var/run/docker.sock pull ubuntu
+   # Download an ubuntu image, use default Unix socket
+   sudo docker pull ubuntu
+   # OR use the TCP port
+   sudo docker -H tcp://127.0.0.1:4243 pull ubuntu
 
 Starting a long-running worker process
 --------------------------------------
@@ -73,13 +114,13 @@ Starting a long-running worker process
 .. code-block:: bash
 
   # Start a very useful long-running process
-  JOB=$(docker run -d ubuntu /bin/sh -c "while true; do echo Hello world; sleep 1; done")
+  JOB=$(sudo docker run -d ubuntu /bin/sh -c "while true; do echo Hello world; sleep 1; done")
 
   # Collect the output of the job so far
-  docker logs $JOB
+  sudo docker logs $JOB
 
   # Kill the job
-  docker kill $JOB
+  sudo docker kill $JOB
 
 
 Listing all running containers
@@ -87,7 +128,7 @@ Listing all running containers
 
 .. code-block:: bash
 
-  docker ps
+  sudo docker ps
 
 Expose a service on a TCP port
 ------------------------------
@@ -95,10 +136,10 @@ Expose a service on a TCP port
 .. code-block:: bash
 
   # Expose port 4444 of this container, and tell netcat to listen on it
-  JOB=$(docker run -d -p 4444 ubuntu /bin/nc -l -p 4444)
+  JOB=$(sudo docker run -d -p 4444 ubuntu /bin/nc -l -p 4444)
 
   # Which public port is NATed to my container?
-  PORT=$(docker port $JOB 4444)
+  PORT=$(sudo docker port $JOB 4444)
 
   # Connect to the public port via the host's public address
   # Please note that because of how routing works connecting to localhost or 127.0.0.1 $PORT will not work.
@@ -107,7 +148,7 @@ Expose a service on a TCP port
   echo hello world | nc $IP $PORT
 
   # Verify that the network connection worked
-  echo "Daemon received: $(docker logs $JOB)"
+  echo "Daemon received: $(sudo docker logs $JOB)"
 
 
 Committing (saving) a container state
@@ -115,21 +156,23 @@ Committing (saving) a container state
 
 Save your containers state to a container image, so the state can be re-used.
 
-When you commit your container only the differences between the image the container was created from
-and the current state of the container will be stored (as a diff). See which images you already have
-using ``docker images``
+When you commit your container only the differences between the image
+the container was created from and the current state of the container
+will be stored (as a diff). See which images you already have using
+``sudo docker images``
 
 .. code-block:: bash
 
     # Commit your container to a new named image
-    docker commit <container_id> <some_name>
+    sudo docker commit <container_id> <some_name>
 
     # List your containers
-    docker images
+    sudo docker images
 
 You now have a image state from which you can create new instances.
 
 
 
-Read more about :ref:`working_with_the_repository` or continue to the complete :ref:`cli`
+Read more about :ref:`working_with_the_repository` or continue to the
+complete :ref:`cli`
 

docs/sources/use/builder.rst

@@ -2,6 +2,8 @@
 :description: Dockerfiles use a simple DSL which allows you to automate the steps you would normally manually take to create an image.
 :keywords: builder, docker, Dockerfile, automation, image creation
 
+.. _dockerbuilder:
+
 ==================
 Dockerfile Builder
 ==================
@@ -23,12 +25,12 @@ describe the steps to assemble the image.
 Then call ``docker build`` with the path of your source repository as
 argument:
 
-    ``docker build .``
+    ``sudo docker build .``
 
 You can specify a repository and tag at which to save the new image if the
 build succeeds:
 
-    ``docker build -t shykes/myapp .``
+    ``sudo docker build -t shykes/myapp .``
 
 Docker will run your steps one-by-one, committing the result if necessary,
 before finally outputting the ID of your new image.
@@ -211,6 +213,15 @@ container created from the image.
 The ``USER`` instruction sets the username or UID to use when running
 the image.
 
+3.11 WORKDIR
+------------
+
+    ``WORKDIR /path/to/workdir``
+
+The ``WORKDIR`` instruction sets the working directory in which
+the command given by ``CMD`` is executed.
+
+
 4. Dockerfile Examples
 ======================
 

docs/sources/use/port_redirection.rst

@@ -6,20 +6,23 @@
 Port redirection
 ================
 
-Docker can redirect public tcp ports to your container, so it can be reached over the network.
-Port redirection is done on ``docker run`` using the -p flag.
+Docker can redirect public TCP ports to your container, so it can be
+reached over the network.  Port redirection is done on ``docker run``
+using the -p flag.
 
-A port redirect is specified as PUBLIC:PRIVATE, where tcp port PUBLIC will be redirected to
-tcp port PRIVATE. As a special case, the public port can be omitted, in which case a random
-public port will be allocated.
+A port redirect is specified as *PUBLIC:PRIVATE*, where TCP port
+*PUBLIC* will be redirected to TCP port *PRIVATE*. As a special case,
+the public port can be omitted, in which case a random public port
+will be allocated.
 
 .. code-block:: bash
 
     # A random PUBLIC port is redirected to PRIVATE port 80 on the container
-    docker run -p 80 <image> <cmd>
+    sudo docker run -p 80 <image> <cmd>
 
     # PUBLIC port 80 is redirected to PRIVATE port 80
-    docker run -p 80:80 <image> <cmd>
+    sudo docker run -p 80:80 <image> <cmd>
 
 
-Default port redirects can be built into a container with the EXPOSE build command.
+Default port redirects can be built into a container with the
+``EXPOSE`` build command.

docs/sources/use/puppet.rst

@@ -9,28 +9,32 @@ Using Puppet
 
 .. note::
 
-   Please note this is a community contributed installation path. The only 'official' installation is using the
-   :ref:`ubuntu_linux` installation path. This version may sometimes be out of date.
+   Please note this is a community contributed installation path. The
+   only 'official' installation is using the :ref:`ubuntu_linux`
+   installation path. This version may sometimes be out of date.
 
 Requirements
 ------------
 
-To use this guide you'll need a working installation of Puppet from `Puppetlabs <https://www.puppetlabs.com>`_ .
+To use this guide you'll need a working installation of Puppet from
+`Puppetlabs <https://www.puppetlabs.com>`_ .
 
 The module also currently uses the official PPA so only works with Ubuntu.
 
 Installation
 ------------
 
-The module is available on the `Puppet Forge <https://forge.puppetlabs.com/garethr/docker/>`_
-and can be installed using the built-in module tool.
+The module is available on the `Puppet Forge
+<https://forge.puppetlabs.com/garethr/docker/>`_ and can be installed
+using the built-in module tool.
 
 .. code-block:: bash
 
    puppet module install garethr/docker
 
-It can also be found on `GitHub <https://www.github.com/garethr/garethr-docker>`_ 
-if you would rather download the source.
+It can also be found on `GitHub
+<https://www.github.com/garethr/garethr-docker>`_ if you would rather
+download the source.
 
 Usage
 -----

docs/sources/use/workingwithrepository.rst

@@ -57,10 +57,10 @@ address of the registry's host, like this:
     # Tag to create a repository with the full registry location.
     # The location (e.g. localhost.localdomain:5000) becomes
     # a permanent part of the repository name
-    docker tag 0u812deadbeef localhost.localdomain:5000/repo_name
+    sudo docker tag 0u812deadbeef localhost.localdomain:5000/repo_name
 
     # Push the new repository to its home location on localhost
-    docker push localhost.localdomain:5000/repo_name
+    sudo docker push localhost.localdomain:5000/repo_name
 
 Once a repository has your registry's host name as part of the tag,
 you can push and pull it like any other repository, but it will
@@ -75,14 +75,14 @@ Search by name, namespace or description
 
 .. code-block:: bash
 
-    docker search <value>
+    sudo docker search <value>
 
 
 Download them simply by their name
 
 .. code-block:: bash
 
-    docker pull <value>
+    sudo docker pull <value>
 
 
 Very similarly you can search for and browse the index online on
@@ -96,7 +96,7 @@ You can create a user on the central Docker Index online, or by running
 
 .. code-block:: bash
 
-    docker login
+    sudo docker login
 
 This will prompt you for a username, which will become a public
 namespace for your public repositories.
@@ -115,7 +115,7 @@ your container to an image within your username namespace.
 .. code-block:: bash
 
     # for example docker commit $CONTAINER_ID dhrp/kickassapp
-    docker commit <container_id> <username>/<repo_name>
+    sudo docker commit <container_id> <username>/<repo_name>
 
 
 Pushing a container to its repository
@@ -129,4 +129,4 @@ Now you can commit this image to the repository
 .. code-block:: bash
 
     # for example docker push dhrp/kickassapp
-    docker push <username>/<repo_name>
+    sudo docker push <username>/<repo_name>

docs/theme/docker/layout.html

@@ -70,8 +70,8 @@
                 <ul class="nav">
                     <li id="nav-introduction"><a href="http://www.docker.io/" title="Docker Homepage">Home</a></li>
                     <li id="nav-about"><a href="http://www.docker.io/about/" title="About">About</a></li>
-                    <li id="nav-community"><a href="http://www.docker.io/community/" title="Community">Community</a></li>
                     <li id="nav-gettingstarted"><a href="http://www.docker.io/gettingstarted/">Getting started</a></li>
+                    <li id="nav-community"><a href="http://www.docker.io/community/" title="Community">Community</a></li>
                     <li id="nav-documentation" class="active"><a href="http://docs.docker.io/en/latest/">Documentation</a></li>
                     <li id="nav-blog"><a href="http://blog.docker.io/" title="Docker Blog">Blog</a></li>
                     <li id="nav-index"><a href="http://index.docker.io/" title="Docker Image Index, find images here">INDEX <img class="inline-icon" src="{{ pathto('_static/img/external-link-icon.png', 1) }}" title="external link"> </a></li>
@@ -93,7 +93,7 @@
         <div class="span12 titlebar">
             <!--<span class="pull-right" style="margin-left: 20px; font-size: 20px">{{version}}</span>-->
             <div class="pull-right" id="fork-us" style="margin-top: 16px; margin-right: 16px;">
-                <a  href="http://github.com/dotcloud/docker/"><img src="{{ pathto('_static/img/fork-us.png', 1) }}"> Fork us on Github</a>
+                <a  href="https://github.com/dotcloud/docker/blob/master/docs/sources/{{ pagename }}.rst"><img src="{{ pathto('_static/img/fork-us.png', 1) }}"> Edit this page on Github</a>
             </div>
             <h1 class="pageheader"><a href="http://docs.docker.io/en/latest/" title="Documentation" style="color: white;">DOCUMENTATION</a></h1>
 

docs/theme/docker/static/css/main.css

@@ -375,3 +375,19 @@ section.header {
 table th {
   text-align: left;
 }
+h1:hover > a.headerlink,
+h2:hover > a.headerlink,
+h3:hover > a.headerlink,
+h4:hover > a.headerlink,
+h5:hover > a.headerlink,
+h6:hover > a.headerlink,
+dt:hover > a.headerlink {
+  visibility: visible;
+}
+.headerlink {
+  font-size: smaller;
+  color: #666;
+  font-weight: bold;
+  float: right;
+  visibility: hidden;
+}

docs/theme/docker/static/css/main.less

@@ -486,4 +486,22 @@ section.header {
 /* Misc fixes */
 table th {
   text-align: left;
+}
+
+h1:hover > a.headerlink,
+h2:hover > a.headerlink,
+h3:hover > a.headerlink,
+h4:hover > a.headerlink,
+h5:hover > a.headerlink,
+h6:hover > a.headerlink,
+dt:hover > a.headerlink {
+    visibility: visible;
+}
+
+.headerlink {
+  font-size: smaller;
+  color: #666;
+  font-weight: bold;
+  float: right;
+  visibility: hidden;
 }

graph.go

@@ -323,9 +323,9 @@ func (graph *Graph) ByParent() (map[string][]*Image, error) {
 			return
 		}
 		if children, exists := byParent[parent.ID]; exists {
-			byParent[parent.ID] = []*Image{image}
-		} else {
 			byParent[parent.ID] = append(children, image)
+		} else {
+			byParent[parent.ID] = []*Image{image}
 		}
 	})
 	return byParent, err

graph_test.go

@@ -234,6 +234,45 @@ func TestDelete(t *testing.T) {
 	assertNImages(graph, t, 1)
 }
 
+func TestByParent(t *testing.T) {
+	archive1, _ := fakeTar()
+	archive2, _ := fakeTar()
+	archive3, _ := fakeTar()
+
+	graph := tempGraph(t)
+	defer os.RemoveAll(graph.Root)
+	parentImage := &Image{
+		ID:      GenerateID(),
+		Comment: "parent",
+		Created: time.Now(),
+		Parent:  "",
+	}
+	childImage1 := &Image{
+		ID:      GenerateID(),
+		Comment: "child1",
+		Created: time.Now(),
+		Parent:  parentImage.ID,
+	}
+	childImage2 := &Image{
+		ID:      GenerateID(),
+		Comment: "child2",
+		Created: time.Now(),
+		Parent:  parentImage.ID,
+	}
+	_ = graph.Register(nil, archive1, parentImage)
+	_ = graph.Register(nil, archive2, childImage1)
+	_ = graph.Register(nil, archive3, childImage2)
+
+	byParent, err := graph.ByParent()
+	if err != nil {
+		t.Fatal(err)
+	}
+	numChildren := len(byParent[parentImage.ID])
+	if numChildren != 2 {
+		t.Fatalf("Expected 2 children, found %d", numChildren)
+	}
+}
+
 func assertNImages(graph *Graph, t *testing.T, n int) {
 	if images, err := graph.All(); err != nil {
 		t.Fatal(err)

hack/dockerbuilder/Dockerfile

@@ -23,7 +23,7 @@ run	add-apt-repository -y ppa:dotcloud/docker-golang/ubuntu
 run	apt-get update
 # Packages required to checkout, build and upload docker
 run	DEBIAN_FRONTEND=noninteractive apt-get install -y -q s3cmd curl
-run	curl -s -o /go.tar.gz https://go.googlecode.com/files/go1.1.1.linux-amd64.tar.gz
+run	curl -s -o /go.tar.gz https://go.googlecode.com/files/go1.1.2.linux-amd64.tar.gz
 run	tar -C /usr/local -xzf /go.tar.gz
 run	echo "export PATH=/usr/local/go/bin:$PATH" > /.bashrc
 run	echo "export PATH=/usr/local/go/bin:$PATH" > /.bash_profile

lxc_template.go

@@ -40,6 +40,9 @@ lxc.console = none
 # no controlling tty at all
 lxc.tty = 1
 
+{{if .Config.Privileged}}
+lxc.cgroup.devices.allow = a 
+{{else}}
 # no implicit access to devices
 lxc.cgroup.devices.deny = a
 
@@ -69,7 +72,7 @@ lxc.cgroup.devices.allow = c 10:200 rwm
 
 # rtc
 #lxc.cgroup.devices.allow = c 254:0 rwm
-
+{{end}}
 
 # standard mount point
 #  WARNING: procfs is a known attack vector and should probably be disabled
@@ -95,11 +98,15 @@ lxc.mount.entry = {{$realPath}} {{$ROOTFS}}/{{$virtualPath}} none bind,{{ if ind
 {{end}}
 {{end}}
 
+{{if .Config.Privileged}}
+# retain all capabilities; no lxc.cap.drop line
+{{else}}
 # drop linux capabilities (apply mainly to the user root in the container)
 #  (Note: 'lxc.cap.keep' is coming soon and should replace this under the
 #         security principle 'deny all unless explicitly permitted', see
 #         http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
 lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config
+{{end}}
 
 # limits
 {{if .Config.Memory}}

registry/registry.go

@@ -162,7 +162,6 @@ func (r *Registry) GetRemoteHistory(imgID, registry string, token []string) ([]s
 // Check if an image exists in the Registry
 func (r *Registry) LookupRemoteImage(imgID, registry string, token []string) bool {
 
-
 	req, err := r.reqFactory.NewRequest("GET", registry+"images/"+imgID+"/json", nil)
 	if err != nil {
 		return false
@@ -230,7 +229,8 @@ func (r *Registry) GetRemoteTags(registries []string, repository string, token [
 	}
 	for _, host := range registries {
 		endpoint := fmt.Sprintf("%srepositories/%s/tags", host, repository)
-		req, err := r.opaqueRequest("GET", endpoint, nil)
+		req, err := r.reqFactory.NewRequest("GET", endpoint, nil)
+
 		if err != nil {
 			return nil, err
 		}
@@ -263,12 +263,11 @@ func (r *Registry) GetRemoteTags(registries []string, repository string, token [
 }
 
 func (r *Registry) GetRepositoryData(indexEp, remote string) (*RepositoryData, error) {
-
 	repositoryTarget := fmt.Sprintf("%srepositories/%s/images", indexEp, remote)
 
 	utils.Debugf("[registry] Calling GET %s", repositoryTarget)
 
-	req, err := r.opaqueRequest("GET", repositoryTarget, nil)
+	req, err := r.reqFactory.NewRequest("GET", repositoryTarget, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -426,22 +425,14 @@ func (r *Registry) PushImageLayerRegistry(imgID string, layer io.Reader, registr
 	return tarsumLayer.Sum(jsonRaw), nil
 }
 
-func (r *Registry) opaqueRequest(method, urlStr string, body io.Reader) (*http.Request, error) {
-	req, err := r.reqFactory.NewRequest(method, urlStr, body)
-	if err != nil {
-		return nil, err
-	}
-	req.URL.Opaque = strings.Replace(urlStr, req.URL.Scheme+":", "", 1)
-	return req, err
-}
-
 // push a tag on the registry.
 // Remote has the format '<user>/<repo>
 func (r *Registry) PushRegistryTag(remote, revision, tag, registry string, token []string) error {
 	// "jsonify" the string
 	revision = "\"" + revision + "\""
+	path := fmt.Sprintf("repositories/%s/tags/%s", remote, tag)
 
-	req, err := r.opaqueRequest("PUT", registry+"repositories/"+remote+"/tags/"+tag, strings.NewReader(revision))
+	req, err := r.reqFactory.NewRequest("PUT", registry+path, strings.NewReader(revision))
 	if err != nil {
 		return err
 	}
@@ -480,11 +471,10 @@ func (r *Registry) PushImageJSONIndex(indexEp, remote string, imgList []*ImgData
 	if validate {
 		suffix = "images"
 	}
-
 	u := fmt.Sprintf("%srepositories/%s/%s", indexEp, remote, suffix)
 	utils.Debugf("[registry] PUT %s", u)
 	utils.Debugf("Image list pushed to index:\n%s\n", imgListJSON)
-	req, err := r.opaqueRequest("PUT", u, bytes.NewReader(imgListJSON))
+	req, err := r.reqFactory.NewRequest("PUT", u, bytes.NewReader(imgListJSON))
 	if err != nil {
 		return nil, err
 	}
@@ -504,7 +494,7 @@ func (r *Registry) PushImageJSONIndex(indexEp, remote string, imgList []*ImgData
 	// Redirect if necessary
 	for res.StatusCode >= 300 && res.StatusCode < 400 {
 		utils.Debugf("Redirected to %s\n", res.Header.Get("Location"))
-		req, err = r.opaqueRequest("PUT", res.Header.Get("Location"), bytes.NewReader(imgListJSON))
+		req, err = r.reqFactory.NewRequest("PUT", res.Header.Get("Location"), bytes.NewReader(imgListJSON))
 		if err != nil {
 			return nil, err
 		}

registry/registry_mock_test.go

@@ -343,4 +343,4 @@ func TestWait(t *testing.T) {
 	<-c
 }
 
-//*/
+//*/

server.go

@@ -76,7 +76,7 @@ func (srv *Server) ContainerKill(name string) error {
 		if err := container.Kill(); err != nil {
 			return fmt.Errorf("Error killing container %s: %s", name, err)
 		}
-		srv.LogEvent("kill", name)
+		srv.LogEvent("kill", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 	} else {
 		return fmt.Errorf("No such container: %s", name)
 	}
@@ -95,7 +95,7 @@ func (srv *Server) ContainerExport(name string, out io.Writer) error {
 		if _, err := io.Copy(out, data); err != nil {
 			return err
 		}
-		srv.LogEvent("export", name)
+		srv.LogEvent("export", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 		return nil
 	}
 	return fmt.Errorf("No such container: %s", name)
@@ -241,6 +241,8 @@ func (srv *Server) Images(all bool, filter string) ([]APIImages, error) {
 			outs = append(outs, out)
 		}
 	}
+
+	sortImagesByCreationAndTag(outs)
 	return outs, nil
 }
 
@@ -828,11 +830,17 @@ func (srv *Server) ContainerCreate(config *Config) (string, error) {
 	container, err := b.Create(config)
 	if err != nil {
 		if srv.runtime.graph.IsNotExist(err) {
-			return "", fmt.Errorf("No such image: %s", config.Image)
+
+			_, tag := utils.ParseRepositoryTag(config.Image)
+			if tag == "" {
+				tag = DEFAULTTAG
+			}
+
+			return "", fmt.Errorf("No such image: %s (tag: %s)", config.Image, tag)
 		}
 		return "", err
 	}
-	srv.LogEvent("create", container.ShortID())
+	srv.LogEvent("create", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 	return container.ShortID(), nil
 }
 
@@ -841,7 +849,7 @@ func (srv *Server) ContainerRestart(name string, t int) error {
 		if err := container.Restart(t); err != nil {
 			return fmt.Errorf("Error restarting container %s: %s", name, err)
 		}
-		srv.LogEvent("restart", name)
+		srv.LogEvent("restart", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 	} else {
 		return fmt.Errorf("No such container: %s", name)
 	}
@@ -861,7 +869,7 @@ func (srv *Server) ContainerDestroy(name string, removeVolume bool) error {
 		if err := srv.runtime.Destroy(container); err != nil {
 			return fmt.Errorf("Error destroying container %s: %s", name, err)
 		}
-		srv.LogEvent("destroy", name)
+		srv.LogEvent("destroy", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 
 		if removeVolume {
 			// Retrieve all volumes from all remaining containers
@@ -928,7 +936,7 @@ func (srv *Server) deleteImageAndChildren(id string, imgs *[]APIRmi) error {
 			return err
 		}
 		*imgs = append(*imgs, APIRmi{Deleted: utils.TruncateID(id)})
-		srv.LogEvent("delete", utils.TruncateID(id))
+		srv.LogEvent("delete", utils.TruncateID(id), "")
 		return nil
 	}
 	return nil
@@ -955,11 +963,11 @@ func (srv *Server) deleteImage(img *Image, repoName, tag string) ([]APIRmi, erro
 	//If delete by id, see if the id belong only to one repository
 	if strings.Contains(img.ID, repoName) && tag == "" {
 		for _, repoAndTag := range srv.runtime.repositories.ByID()[img.ID] {
-			parsedRepo := strings.Split(repoAndTag, ":")[0]
+			parsedRepo, parsedTag := utils.ParseRepositoryTag(repoAndTag)
 			if strings.Contains(img.ID, repoName) {
 				repoName = parsedRepo
-				if len(srv.runtime.repositories.ByID()[img.ID]) == 1 && len(strings.Split(repoAndTag, ":")) > 1 {
-					tag = strings.Split(repoAndTag, ":")[1]
+				if len(srv.runtime.repositories.ByID()[img.ID]) == 1 && len(parsedTag) > 1 {
+					tag = parsedTag
 				}
 			} else if repoName != parsedRepo {
 				// the id belongs to multiple repos, like base:latest and user:test,
@@ -975,7 +983,7 @@ func (srv *Server) deleteImage(img *Image, repoName, tag string) ([]APIRmi, erro
 	}
 	if tagDeleted {
 		imgs = append(imgs, APIRmi{Untagged: img.ShortID()})
-		srv.LogEvent("untag", img.ShortID())
+		srv.LogEvent("untag", img.ShortID(), "")
 	}
 	if len(srv.runtime.repositories.ByID()[img.ID]) == 0 {
 		if err := srv.deleteImageAndChildren(img.ID, &imgs); err != nil {
@@ -1042,7 +1050,7 @@ func (srv *Server) ContainerStart(name string, hostConfig *HostConfig) error {
 		if err := container.Start(hostConfig); err != nil {
 			return fmt.Errorf("Error starting container %s: %s", name, err)
 		}
-		srv.LogEvent("start", name)
+		srv.LogEvent("start", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 	} else {
 		return fmt.Errorf("No such container: %s", name)
 	}
@@ -1054,7 +1062,7 @@ func (srv *Server) ContainerStop(name string, t int) error {
 		if err := container.Stop(t); err != nil {
 			return fmt.Errorf("Error stopping container %s: %s", name, err)
 		}
-		srv.LogEvent("stop", name)
+		srv.LogEvent("stop", container.ShortID(), srv.runtime.repositories.ImageName(container.Image))
 	} else {
 		return fmt.Errorf("No such container: %s", name)
 	}
@@ -1222,9 +1230,9 @@ func (srv *Server) HTTPRequestFactory() *utils.HTTPRequestFactory {
 	return srv.reqFactory
 }
 
-func (srv *Server) LogEvent(action, id string) {
+func (srv *Server) LogEvent(action, id, from string) {
 	now := time.Now().Unix()
-	jm := utils.JSONMessage{Status: action, ID: id, Time: now}
+	jm := utils.JSONMessage{Status: action, ID: id, From: from, Time: now}
 	srv.events = append(srv.events, jm)
 	for _, c := range srv.listeners {
 		select { // non blocking channel

server_test.go

@@ -206,6 +206,7 @@ func TestRunWithTooLowMemoryLimit(t *testing.T) {
 }
 
 func TestContainerTop(t *testing.T) {
+	t.Skip("Fixme. Skipping test for now. Reported error: 'server_test.go:236: Expected 2 processes, found 1.'")
 	runtime := mkRuntime(t)
 	srv := &Server{runtime: runtime}
 	defer nuke(runtime)
@@ -317,23 +318,23 @@ func TestLogEvent(t *testing.T) {
 		listeners: make(map[string]chan utils.JSONMessage),
 	}
 
-	srv.LogEvent("fakeaction", "fakeid")
+	srv.LogEvent("fakeaction", "fakeid", "fakeimage")
 
 	listener := make(chan utils.JSONMessage)
 	srv.Lock()
 	srv.listeners["test"] = listener
 	srv.Unlock()
 
-	srv.LogEvent("fakeaction2", "fakeid")
+	srv.LogEvent("fakeaction2", "fakeid", "fakeimage")
 
 	if len(srv.events) != 2 {
 		t.Fatalf("Expected 2 events, found %d", len(srv.events))
 	}
 	go func() {
 		time.Sleep(200 * time.Millisecond)
-		srv.LogEvent("fakeaction3", "fakeid")
+		srv.LogEvent("fakeaction3", "fakeid", "fakeimage")
 		time.Sleep(200 * time.Millisecond)
-		srv.LogEvent("fakeaction4", "fakeid")
+		srv.LogEvent("fakeaction4", "fakeid", "fakeimage")
 	}()
 
 	setTimeout(t, "Listening for events timed out", 2*time.Second, func() {

sorter.go

@@ -0,0 +1,36 @@
+package docker
+
+import "sort"
+
+type imageSorter struct {
+	images []APIImages
+	by     func(i1, i2 *APIImages) bool // Closure used in the Less method.
+}
+
+// Len is part of sort.Interface.
+func (s *imageSorter) Len() int {
+	return len(s.images)
+}
+
+// Swap is part of sort.Interface.
+func (s *imageSorter) Swap(i, j int) {
+	s.images[i], s.images[j] = s.images[j], s.images[i]
+}
+
+// Less is part of sort.Interface. It is implemented by calling the "by" closure in the sorter.
+func (s *imageSorter) Less(i, j int) bool {
+	return s.by(&s.images[i], &s.images[j])
+}
+
+// Sort []ApiImages by most recent creation date and tag name.
+func sortImagesByCreationAndTag(images []APIImages) {
+	creationAndTag := func(i1, i2 *APIImages) bool {
+		return i1.Created > i2.Created || (i1.Created == i2.Created && i2.Tag > i1.Tag)
+	}
+
+	sorter := &imageSorter{
+		images: images,
+		by:     creationAndTag}
+
+	sort.Sort(sorter)
+}

sorter_test.go

@@ -0,0 +1,57 @@
+package docker
+
+import (
+	"testing"
+)
+
+func TestServerListOrderedImagesByCreationDate(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+
+	archive, err := fakeTar()
+	if err != nil {
+		t.Fatal(err)
+	}
+	_, err = runtime.graph.Create(archive, nil, "Testing", "", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	srv := &Server{runtime: runtime}
+
+	images, err := srv.Images(true, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if images[0].Created < images[1].Created {
+		t.Error("Expected []APIImges to be ordered by most recent creation date.")
+	}
+}
+
+func TestServerListOrderedImagesByCreationDateAndTag(t *testing.T) {
+	runtime := mkRuntime(t)
+	defer nuke(runtime)
+
+	archive, err := fakeTar()
+	if err != nil {
+		t.Fatal(err)
+	}
+	image, err := runtime.graph.Create(archive, nil, "Testing", "", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	srv := &Server{runtime: runtime}
+	srv.ContainerTag(image.ID, "repo", "foo", false)
+	srv.ContainerTag(image.ID, "repo", "bar", false)
+
+	images, err := srv.Images(true, "")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if images[0].Created != images[1].Created || images[0].Tag >= images[1].Tag {
+		t.Error("Expected []APIImges to be ordered by most recent creation date and tag name.")
+	}
+}

sysinit.go

@@ -22,6 +22,15 @@ func setupNetworking(gw string) {
 	}
 }
 
+// Setup working directory
+func setupWorkingDirectory(workdir string) {
+	if workdir == "" {
+		return
+	}
+    syscall.Chdir(workdir)
+}
+
+
 // Takes care of dropping privileges to the desired user
 func changeUser(u string) {
 	if u == "" {
@@ -83,6 +92,7 @@ func SysInit() {
 	}
 	var u = flag.String("u", "", "username or uid")
 	var gw = flag.String("g", "", "gateway address")
+	var workdir = flag.String("w", "", "workdir")
 
 	var flEnv ListOpts
 	flag.Var(&flEnv, "e", "Set environment variables")
@@ -91,6 +101,7 @@ func SysInit() {
 
 	cleanupEnv(flEnv)
 	setupNetworking(*gw)
+	setupWorkingDirectory(*workdir)
 	changeUser(*u)
 	executeProgram(flag.Arg(0), flag.Args())
 }

testing/Vagrantfile

@@ -22,7 +22,10 @@ Vagrant::Config.run do |config|
 
   # Deploy buildbot and its dependencies if it was not done
   if Dir.glob("#{File.dirname(__FILE__)}/.vagrant/machines/default/*/id").empty?
-    pkg_cmd = "apt-get update -qq; apt-get install -q -y linux-image-generic-lts-raring; "
+    # Add memory limitation capabilities
+    pkg_cmd = 'sed -Ei \'s/^(GRUB_CMDLINE_LINUX_DEFAULT)=.+/\\1="cgroup_enable=memory swapaccount=1 quiet"/\' /etc/default/grub; '
+    # Install new kernel
+    pkg_cmd << "apt-get update -qq; apt-get install -q -y linux-image-generic-lts-raring; "
     # Deploy buildbot CI
     pkg_cmd << "apt-get install -q -y python-dev python-pip supervisor; " \
       "pip install -r #{CFG_PATH}/requirements.txt; " \
@@ -35,7 +38,7 @@ Vagrant::Config.run do |config|
     # Install docker dependencies
     pkg_cmd << "apt-get install -q -y python-software-properties; " \
       "add-apt-repository -y ppa:dotcloud/docker-golang/ubuntu; apt-get update -qq; " \
-      "DEBIAN_FRONTEND=noninteractive apt-get install -q -y lxc git golang-stable aufs-tools make; "
+      "DEBIAN_FRONTEND=noninteractive apt-get install -q -y lxc git mercurial golang-stable aufs-tools make; "
     # Activate new kernel
     pkg_cmd << "shutdown -r +1; "
     config.vm.provision :shell, :inline => pkg_cmd

testing/buildbot/master.cfg

@@ -66,8 +66,9 @@ c['builders'] = [BuilderConfig(name=BUILDER_NAME,slavenames=['buildworker'],
 # Docker coverage test
 coverage_cmd = ('GOPATH=`pwd` go get -d github.com/dotcloud/docker\n'
     'GOPATH=`pwd` go get github.com/axw/gocov/gocov\n'
-    'sudo -E GOPATH=`pwd` ./bin/gocov test github.com/dotcloud/docker | '
-    './bin/gocov report')
+    'sudo -E GOPATH=`pwd` ./bin/gocov test -deps -exclude-goroot -v'
+    ' -exclude github.com/gorilla/context,github.com/gorilla/mux,github.com/kr/pty,'
+    'code.google.com/p/go.net/websocket github.com/dotcloud/docker | ./bin/gocov report')
 factory = BuildFactory()
 factory.addStep(ShellCommand(description='Coverage',logEnviron=False,usePTY=True,
     command=coverage_cmd))

utils.go

@@ -132,6 +132,9 @@ func MergeConfig(userConf, imageConf *Config) {
 	if userConf.Entrypoint == nil || len(userConf.Entrypoint) == 0 {
 		userConf.Entrypoint = imageConf.Entrypoint
 	}
+	if userConf.WorkingDir == "" {
+		userConf.WorkingDir = imageConf.WorkingDir
+	}
 	if userConf.VolumesFrom == "" {
 		userConf.VolumesFrom = imageConf.VolumesFrom
 	}

utils/tarsum.go

@@ -1,11 +1,11 @@
 package utils
 
 import (
-	"archive/tar"
 	"bytes"
 	"compress/gzip"
 	"crypto/sha256"
 	"encoding/hex"
+	"github.com/dotcloud/tar"
 	"hash"
 	"io"
 	"sort"

utils/utils.go

@@ -622,6 +622,7 @@ type JSONMessage struct {
 	Progress     string     `json:"progress,omitempty"`
 	ErrorMessage string     `json:"error,omitempty"` //deprecated
 	ID           string     `json:"id,omitempty"`
+	From         string     `json:"from,omitempty"`
 	Time         int64      `json:"time,omitempty"`
 	Error        *JSONError `json:"errorDetail,omitempty"`
 }
@@ -644,14 +645,17 @@ func (jm *JSONMessage) Display(out io.Writer) error {
 		}
 		return jm.Error
 	}
+	fmt.Fprintf(out, "%c[2K\r", 27)
 	if jm.Time != 0 {
 		fmt.Fprintf(out, "[%s] ", time.Unix(jm.Time, 0))
 	}
 	if jm.ID != "" {
 		fmt.Fprintf(out, "%s: ", jm.ID)
 	}
+	if jm.From != "" {
+		fmt.Fprintf(out, "(from %s) ", jm.From)
+	}
 	if jm.Progress != "" {
-		fmt.Fprintf(out, "%c[2K", 27)
 		fmt.Fprintf(out, "%s %s\r", jm.Status, jm.Progress)
 	} else {
 		fmt.Fprintf(out, "%s\r\n", jm.Status)