Commit graph

4412 commits

Author SHA1 Message Date
John Howard
ffbe4b6ff1 Windows: Test for run as local system
Signed-off-by: John Howard <jhoward@microsoft.com>
2017-02-01 18:37:44 -08:00
Brian Goff
bb0a532fc2 Merge pull request #30203 from allencloud/validate-healthcheck-params-in-daemon-side
validate healthcheck params in daemon side
2017-02-01 21:19:30 -05:00
Daniel Nephin
dd1d35c269 Add missing build tag for stack tests.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-02-01 13:25:37 -05:00
Vincent Demeester
354bd4aadd Merge pull request #29692 from yongtang/29492-daemon-shm-size
Add daemon option `--default-shm-size`
2017-02-01 16:56:10 +01:00
Vincent Demeester
4c1b40b9d4 Merge pull request #28627 from yongtang/28624-docker-plugin-ls
Add `--filter enabled=true` for `docker plugin ls`
2017-02-01 16:52:00 +01:00
Vincent Demeester
1b6a15eedc Merge pull request #27557 from yongtang/27178-ps-filter-publish-expose
Add `publish` and `expose` filter for `docker ps --filter`
2017-02-01 16:32:28 +01:00
Vincent Demeester
27f90acd61 Merge pull request #22563 from mlaventure/cgroup-devices
Allow adding rules to cgroup devices.allow on container create/run
2017-02-01 16:29:34 +01:00
Vincent Demeester
e66717e9f8 Merge pull request #30537 from DiSiqueira/asserting_error
Underscoring an unused var in tests
2017-02-01 16:08:20 +01:00
DiSiqueira
4bd1895241 I found out this err var isn't being used, so underscoring it to preserve resources
Signed-off-by: DiSiqueira <dieg0@live.com>
2017-01-31 19:48:15 -02:00
Alexander Morozov
1d2f5de49a Merge pull request #30162 from yongtang/29972-service-read-only
Add `--read-only` for `service create` and `service update`
2017-01-31 13:20:00 -08:00
Alexander Morozov
cdc79c54ec Merge pull request #28968 from darrenstahlmsft/TestEventsLimit
Limit TestEventsLimit to 4 concurrent containers on Windows
2017-01-30 15:09:54 -08:00
Yong Tang
499a0dd43e Add --read-only for service create and service update
This fix tries to address the issue raised in 29972 where
it was not possible to specify `--read-only` for `docker service create`
and `docker service update`, in order to have the container's root file
system to be read only.

This fix adds `--read-only` and update the `ReadonlyRootfs` in `HostConfig`
through `service create` and `service update`.

Related docs has been updated.

Integration test has been added.

This fix fixes 29972.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-30 12:47:26 -08:00
Darren Stahl
2ec808ec08 Limit TestEventsLimit to 4 concurrent containers on Windows
Signed-off-by: Darren Stahl <darst@microsoft.com>
2017-01-30 11:04:52 -08:00
Alexander Morozov
61198b5ea3 Merge pull request #30548 from yongtang/vendor-swarmkit
Update SwarmKit to 78ae345f449ac69aa741c762df7e5f0020f70275
2017-01-30 09:41:08 -08:00
Vincent Demeester
ecbb0e62f6 Remove most of the runCommandWithOutput from integration tests
There is 5 calls left, that use StdinPipe that is not yet supported by
icmd.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-01-30 10:54:06 +01:00
Yong Tang
2cc2d059de Update TestSwarmNetworkPlugin test
This commit updates TestSwarmNetworkPlugin, similiar to
changes in https://github.com/docker/docker/pull/30332

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-29 10:57:58 -08:00
allencloud
e399c558e6 validate healthcheck params in daemon side
Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-01-29 13:35:32 +08:00
Yong Tang
743943f636 Add publish and expose filter for docker ps --filter
This fix tries to address the enhancement proposal raised in
27178 for filtering based on published or exposed ports of
`docker ps --filter`.

In this fix, two filter options, `publish` and `expose` have
been added to take either `<port>[/<protocol>]` or `<from>-<to>[/<protocol>]`
and filtering on containers.

An integration test has been added to cover the changes.

This fix fixes 27178.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 13:25:32 -08:00
Yong Tang
d1982862ca Update opts.MemBytes to disable default, and move docker run/create/build to use opts.MemBytes
This fix made several updates:
1. Update opts.MemBytes so that default value will not show up.
   The reason is that in case a default value is decided by daemon,
   instead of client, we actually want to not show default value.
2. Move `docker run/create/build` to use opts.MemBytes for `--shm-size`
   This is to bring consistency between daemon and docker run
3. docs updates.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 12:17:06 -08:00
Yong Tang
db575ef626 Add daemon option --default-shm-size
This fix fixes issue raised in 29492 where it was not
possible to specify a default `--default-shm-size` in daemon
configuration for each `docker run``.

The flag `--default-shm-size` which is reloadable, has been
added to the daemon configuation.
Related docs has been updated.

This fix fixes 29492.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 12:17:06 -08:00
Yong Tang
fa358a8757 Move secret name or ID prefix resolving from client to daemon
This fix is a follow up for comment:
https://github.com/docker/docker/pull/28896#issuecomment-265392703

Currently secret name or ID prefix resolving is done at the client
side, which means different behavior of API and CMD.

This fix moves the resolving from client to daemon, with exactly the
same rule:
- Full ID
- Full Name
- Partial ID (prefix)

All existing tests should pass.

This fix is related to #288896, #28884 and may be related to #29125.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 10:40:05 -08:00
Yong Tang
99d91ada97 Add capability filter to docker plugin ls
This fix adds `--filter capability=[volumedriver|authz]` to `docker plugin ls`.

The related docs has been updated.

An integration test has been added.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 07:32:22 -08:00
Tibor Vass
43544cf2b4 Merge pull request #30157 from aboch/att
Remove attachable network on swarm leave
2017-01-26 17:03:23 -08:00
Victor Vieux
5706d8206b Merge pull request #30144 from dnephin/add-secrets-to-stack-deploy
Add secrets to stack deploy
2017-01-26 14:54:04 -08:00
Yong Tang
a66e0dc349 Add --filter enabled=true for docker plugin ls
This fix adds `--filter enabled=true` to `docker plugin ls`,
as was specified in 28624.

The related API and docs has been updated.

An integration test has been added.

This fix fixes 28624.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-26 13:16:11 -08:00
Alessandro Boch
3cedca5d53 Remove attachable network on swarm leave
- When the node leaves the cluster, if any user run
  container(s) is connected to the swarm network,
  then daemon needs to detach the container(s) and
  remove the network.

Signed-off-by: Alessandro Boch <aboch@docker.com>
2017-01-26 11:16:07 -08:00
Alexander Morozov
a69c4129e0 Merge pull request #28409 from dnephin/swagger-gen-more
Generate more types from the swagger spec
2017-01-26 10:35:34 -08:00
Daniel Nephin
f0a5531c46 Remove secrets as part of stack remove.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-01-26 11:33:15 -05:00
Daniel Nephin
b3427e43ed Test and fix external secrets in stack deploy.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-01-26 11:33:15 -05:00
Daniel Nephin
6ec84ef76d Add integration test for stack deploy with secrets.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-01-26 11:33:15 -05:00
Kenfe-Mickael Laventure
1756af6faf Allow adding rules to cgroup devices.allow on container create/run
This introduce a new `--device-cgroup-rule` flag that allow a user to
add one or more entry to the container cgroup device `devices.allow`

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2017-01-26 07:20:45 -08:00
Yong Tang
05a831a775 Fix incorrect Scope in network ls/inspect with duplicate network names
This fix tries to address the issue raised in 30242 where the `Scope`
field always changed to `swarm` in the ouput of `docker network ls/inspect`
when duplicate networks name exist.

The reason for the issue was that `buildNetworkResource()` use network name
(which may not be unique) to check for the scope.

This fix fixes the issue by always use network ID in `buildNetworkResource()`.

A test has been added. The test fails before the fix and passes after the fix.

This fix fixes 30242.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-25 09:39:55 -08:00
Aaron Lehmann
e9c0de0de6 Merge pull request #30043 from dmcgowan/distribution-reference-update-1
Distribution reference update
2017-01-24 20:38:20 -08:00
Sebastiaan van Stijn
d4cd4b2164 Merge pull request #30182 from AkihiroSuda/validate-tmpfs
validate mount path for tmpfs
2017-01-25 03:08:17 +01:00
Victor Vieux
42d25de1b7 Merge pull request #30291 from yongtang/30279-ps-format
Fix failure in `docker ps --format` when `.Label` has args
2017-01-24 17:55:52 -08:00
Sebastiaan van Stijn
9b2dabbf18 Merge pull request #30227 from thaJeztah/fix-ineffectual-assignments
fix some ineffectual assignments (and minor fixes)
2017-01-25 02:49:57 +01:00
Sebastiaan van Stijn
089e1c1c5b Minor GoDoc fixup in integration-cli
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-01-24 18:03:30 +01:00
Sebastiaan van Stijn
ba0afd70e8 fix some ineffectual assignments
to make goreportcard a bit happier
https://goreportcard.com/report/github.com/docker/docker

also found that `TestCpToErrDstParentNotExists()` was
partially broken, because a `runDockerCp()` was inadvertently
removed in f26a31e80c

`TestDaemonRestartSaveContainerExitCode()` didn't verify
the actual _Error_ message, so added that to the test,
and updated the test to take into account that the
"experimental" CI enables `--init` on containers.

`TestVolumeCLICreateOptionConflict()` only checked
for an error to occur, but didn't validate if the
error was due to conflicting options.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-01-24 11:16:19 +01:00
Yanqiang Miao
cc9ed0a31b Improve the error print of image inspect
Signed-off-by: Yanqiang Miao <miao.yanqiang@zte.com.cn>
2017-01-24 11:07:20 +08:00
Yong Tang
2cd4ba1e56 Fix failure in docker ps --format when .Label has args
This fix tries to fix the issue in 30279 where  `docker ps --format`
fails if `.Label` has args. For example:
```
docker ps --format '{{.ID}}\t{{.Names}}\t{{.Label "some.label"}}'
```

The reason for the failure is that during the preprocessing phase
to detect the existance of `.Size`, the `listOptionsProcessor`
does not has a method of `Label(name string) string`.

This results in the failure of
```
template: :1:24: executing "" at <.Label>: Label is not a method but has arguments
```

This fix fixes the issue by adding needed method of `Label(name string) string`.

This fix fixes 30279.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-23 09:31:48 -08:00
Yong Tang
1c0d37fa7f Add --format flag for docker plugin ls
This fix tries to address the enhancement discussed in 28735 to add
`--format` for the output of `docker plugin ls`.

This fix
1. Add `--format` and `--quiet` flags to `docker plugin ls`
2. Convert the current implementation to use `formatter`, consistent with
   other docker list commands.
3. Add `pluginsFormat` for config.json.

Related docs has been updated.

Several unit tests have been added to cover the changes.

This fix is related to 28708 and 28735.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-20 15:59:44 -08:00
Vincent Demeester
e47c46c713
Run TestBuildCopyWilcardInName only on linux daemon and unix client
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-01-20 16:10:28 +01:00
Akihiro Suda
4a8799dc0a validate mount path for tmpfs
There was no validation for `docker run --tmpfs foo`.

In this PR, only two obvious rules are implemented:
 - path must be absolute
 - path must not be "/"
We should add more rules carefully.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2017-01-20 06:01:48 +00:00
Derek McGowan
0421f5173d
Remove use of forked reference package for cli
Use resolving to repo info as the split point between the
legitimate reference package and forked reference package.

Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2017-01-19 16:04:50 -08:00
Sebastiaan van Stijn
de0328560b Merge pull request #30165 from xulike666/fix-typo-6/36
[combined] fix typo
2017-01-19 17:21:22 +01:00
Aaron.L.Xu
40af569164 fix typo
fix typo I found AMAP in integration-cli/*

fix typo mentioned by Allencloud

Signed-off-by: Aaron.L.Xu <likexu@harmonycloud.cn>
2017-01-19 15:52:28 +08:00
Sebastiaan van Stijn
e1c5e72902 Merge pull request #30185 from vdemeester/integration-build-cmd-cleanup-take2
[test-integration] Clean more build utils
2017-01-18 15:12:03 +01:00
Tõnis Tiigi
56b951fbe5 Merge pull request #30219 from tonistiigi/test-port-leak
Switch TestSwarmPublishDuplicatePorts to different ports
2017-01-17 17:16:14 -08:00
Tonis Tiigi
24cd5444f9 Switch TestSwarmPublishDuplicatePorts to different ports
There is an issue with the ports leaking to other tests.
This is a workaround until the actual problem is addressed.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2017-01-17 10:54:22 -08:00
Justin Cormack
7e3a596a63 Block obsolete socket families in the default seccomp profile
Linux supports many obsolete address families, which are usually available in
common distro kernels, but they are less likely to be properly audited and
may have security issues

This blocks all socket families in the socket (and socketcall where applicable) syscall
except
- AF_UNIX - Unix domain sockets
- AF_INET - IPv4
- AF_INET6 - IPv6
- AF_NETLINK - Netlink sockets for communicating with the ekrnel
- AF_PACKET - raw sockets, which are only allowed with CAP_NET_RAW

All other socket families are blocked, including Appletalk (native, not
over IP), IPX (remember that!), VSOCK and HVSOCK, which should not generally
be used in containers, etc.

Note that users can of course provide a profile per container or in the daemon
config if they have unusual use cases that require these.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
2017-01-17 17:50:44 +00:00