When linking, the position of `-l` flags is important since
they must come _after_ any object files which use symbols
from a specified library; that is due to the --as-needed binutils
ld flag being enabled by default.
Signed-off-by: Maxim Ivanov <ivanov.maxim@gmail.com>
(cherry picked from commit 24152a4231)
When the value for a configuration option in the file is `false`,
and the default value for a flag is `true`, we should not
take the value from the latter as the final value for the option,
because the user explicitly set `false`.
This change overrides the default value in the flagSet with
the value in the configuration file so we get the correct
result when we merge the two configurations together.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 31cb96dcfa)
This corrects `docker cp` behavior when user namespaces are enabled.
Instead of chown'ing copied-in files to real root (0,0), the code
queries for the remapped root uid & gid and sets the chown option
properly.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
(cherry picked from commit 40be5dba47)
This includes the fix for moving the process out of the name=systemd
cgroup so that systemd does not delete the container's cgroups when its
configuration is reloaded.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
There is a missing call to Close on the gzip.Writer that is used to
compress newly created tar-split files during layer migration. This can
result in corrupt tar-split files that later cause docker push and
docker save to fail. The Close call is necessary to flush buffered data
to the stream.
Fixes: #20104
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 1c05c65f6f)
If the user specifies the --read-only flag it should not affect /dev/mqueue.
This is causing SELinux issues in docker-1.10. --read-only blows up
on SELinux enabled machines. Mounting /dev/mqueue read-only would also
blow up any tool that was going to use /dev/mqueue.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
(cherry picked from commit adb2e3fedc)
Filters should not include stopped containers if `-a` is not specified.
Right now, the before and since filters are acting as the deprecated --before
and --since flags. This commit is fixing that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit b41dba58a0)
From PR #20135
Since we now automatically mount the mqueue device inside the
container (instead of bind mounting the one from the host), when
trying to start a container with --ipc=host, the mount will fail with
EPERM.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit dba5a7f243)
From PR #20133
Currently, when running a container with --ipc=host, if /dev/mqueue is
a standard directory on the host the daemon will bind mount it, allowing
the container to create/modify files on the host.
This commit forces /dev/mqueue to always be of type mqueue except when
the user explicitly requested something to be bind mounted to
/dev/mqueue.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit f7d4abdc00)
From PR #20133
To support the requirement of blocking the request after the daemon
responded, the authorization plugin uses a `response recorder` that replays
the response after the flow ends.
This commit adds support for commands that hijack the connection and
flush data via the http.Flusher interface. This resolves the error
with the event endpoint.
Signed-off-by: Liron Levin <liron@twistlock.com>
(cherry picked from commit 5ffc810df2)
From PR #20002
Divide event matching into two functions, a matcher and
a processor. That way, the error handling doesn't call
the channel closing logic at all.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 27b060492c)
From PR #19519
mqueue cannot be mounted on the host OS and then shared into the container.
There is only one mqueue per mount namespace, so the current code ends up leaking
the /dev/mqueue from the host into ALL containers. Since SELinux changes the
label of the mqueue, only the last container is able to use the mqueue; all
other containers will get a permission denied. If you don't have SELinux protections,
sharing of the /dev/mqueue allows one container to interact in potentially hostile
ways with other containers.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
(cherry picked from commit ba38d58659)
From PR #19876
Fix root directory of the mountpoint being owned by real root. This is
unique to ZFS because of the way file mountpoints are created using the
ZFS tooling, and the remapping that happens at layer unpack doesn't
impact this root (already created) holding directory for the layer.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
(cherry picked from commit aef0995b02)
From PR #20045
On migration 2 different images can end up with the same
content-addressable ID, meaning `SetParent` will be called
multiple times. The previous version did not clear the old
in-memory reference.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 4852932494)
From PR #20058
In the NAME section: "confg.json" -> "config.json"
Signed-off-by: Tom X. Tobin <tomxtobin@tomxtobin.com>
(cherry picked from commit c75581c855)
From PR #20028