On 32 bit x86 this is a multiplexing syscall for the system V
ipc syscalls such as shmget, and so needs to be allowed for
shared memory access for 32 bit binaries.
Fixes #20733
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 31410a6d79)
Concurrent uploads which share layers worked correctly as of #18353,
but unfortunately #18785 caused a regression. This PR removed the logic
that shares digests between different push sessions. This overlooked the
case where one session was waiting for another session to upload a
layer.
This commit adds back the ability to propagate this digest information,
using the distribution.Descriptor type because this is what is received
from stats and uploads, and also what is ultimately needed for building
the manifest.
Surprisingly, there was no test covering this case. This commit adds
one. It fails without the fix.
See recent comments on #9132.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 5c99eebe81)
This improves on an earlier change by adding another keyserver and using a for loop instead of duplicating the command.
Signed-off-by: Mike Dougherty <mike.dougherty@docker.com>
(cherry picked from commit adac575dd3)
Stop using global variables as prefixes to inject the writer header.
That can cause issues when two writers set the length of the buffer in
the same header concurrently.
Stop writing to the internal buffer twice for each write. This could
mess up the order in which information is written.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 443a5c2021)
The Releases file(s) and other bits for EOL-ed distros such as Ubuntu
Vivid should remain untouched when we are releasing debs.
However, a few files in https://apt.dockerproject.org/repo/dists/ubuntu-vivid/
were being updated for the docker 1.10 release, including the Release files.
This is due to apt-ftparchive generating index files for vivid as well,
due to the stale apt-ftparchive.conf.
This change always creates config using suites in contrib/reprepro/suites.sh.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 204c7808f9)
Since Docker is already skipping newlines in /etc/sub{uid,gid},
this patch skips commented out lines - otherwise Docker fails to start.
Add unit test also.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
(cherry picked from commit bf04d68db2)
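
The parsing rule this commit message describes, as an added example (not code from the commit): blank lines and `#` comment lines in `/etc/sub{uid,gid}` are skipped, while any other malformed line is still an error. The names `parseSubIDs` and `subIDRange`, the user `dockremap` and the sample content are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// subIDRange is one "name:start:count" entry for a user.
type subIDRange struct{ Start, Length int }

// parseSubIDs returns the ranges assigned to user. Blank lines and lines
// starting with '#' are skipped; any other malformed line is an error.
func parseSubIDs(content, user string) ([]subIDRange, error) {
	var ranges []subIDRange
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // comments and blank lines are not entries
		}
		parts := strings.Split(line, ":")
		if len(parts) != 3 {
			return nil, fmt.Errorf("line %d: want name:start:count, got %q", n, line)
		}
		start, err1 := strconv.Atoi(parts[1])
		length, err2 := strconv.Atoi(parts[2])
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("line %d: non-numeric range in %q", n, line)
		}
		if parts[0] == user {
			ranges = append(ranges, subIDRange{Start: start, Length: length})
		}
	}
	return ranges, sc.Err()
}

func main() {
	// Constructed sample content; "dockremap" is an assumed user name.
	sample := "# managed by config tool\n\ndockremap:100000:65536\nalice:165536:65536\n"
	ranges, err := parseSubIDs(sample, "dockremap")
	fmt.Println(ranges, err)
}
```
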
The execdriver pipes setup uses OS pipes with fds so that they can be
chown'ed to the remapped root user for proper access. Recent flakiness
in certain short-lived tests (usually via the "exec" path) reveals that
the copy routines are not completing before exit/tear-down.
This fix adds synchronization and proper closure such that these
routines exit successfully.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
(cherry picked from commit 995386735c)
In cases where a plugin responds with both a null or empty volume
and a null or empty Err, the daemon would panic.
This is because we assumed the idiom that if `err` is nil, then `v` must not
be, but in reality the plugin may return whatever it wants and we want to
make sure it doesn't harm the daemon.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 96c79a1934)
Because devices will be bind-mounted instead of using `mknod`, we need
to make sure the source exists and filter the list by only those whose
source is a valid path/current device entry.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
(cherry picked from commit 9a554e8c37)
When linking, the position of `-l` flags is important since
they must come _after_ any object files which use symbols
from a specified library; that is due to the --as-needed binutils
ld flag being enabled by default.
Signed-off-by: Maxim Ivanov <ivanov.maxim@gmail.com>
(cherry picked from commit 24152a4231)
When the value for a configuration option in the file is `false`,
and the default value for a flag is `true`, we should not
take the value from the latter as the final value for the option,
because the user explicitly set `false`.
This change overrides the default value in the flagSet with
the value in the configuration file so we get the correct
result when we merge the two configurations together.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 31cb96dcfa)
This corrects `docker cp` behavior when user namespaces are enabled.
Instead of chown'ing copied-in files to real root (0,0), the code
queries for the remapped root uid & gid and sets the chown option
properly.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
(cherry picked from commit 40be5dba47)
This includes the fix for moving the process out of the name=systemd
cgroup so that systemd does not delete the container's cgroups when its
configuration is reloaded.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
There is a missing call to Close on the gzip.Writer that is used to
compress newly created tar-split files during layer migration. This can
result in corrupt tar-split files that later cause docker push and
docker save to fail. The Close call is necessary to flush buffered data
to the stream.
Fixes: #20104
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 1c05c65f6f)
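
The failure mode this commit message describes, as an added example (not code from the commit): a `gzip.Writer` that is never closed leaves a stream with no final deflate block or trailer, which only fails later when something reads it. The helper names and the payload are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
)

// compress gzips payload into memory. With closeWriter=false it reproduces
// the bug: buffered deflate data and the trailer are never written.
func compress(payload []byte, closeWriter bool) ([]byte, error) {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(payload); err != nil {
		return nil, err
	}
	if closeWriter {
		// Close flushes the compressor and appends the CRC-32/size trailer.
		if err := zw.Close(); err != nil {
			return nil, err
		}
	}
	return buf.Bytes(), nil
}

// decompress reads the whole stream, surfacing truncation as an error.
func decompress(stream []byte) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(stream))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	return io.ReadAll(zr)
}

func main() {
	// Constructed payload standing in for tar-split metadata.
	payload := []byte("constructed sample standing in for tar-split metadata\n")
	for _, closed := range []bool{false, true} {
		stream, _ := compress(payload, closed)
		out, err := decompress(stream)
		fmt.Printf("closed=%v stream=%dB recovered=%dB err=%v\n",
			closed, len(stream), len(out), err)
	}
}
```
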
If the user specifies the --read-only flag, it should not affect /dev/mqueue.
This is causing SELinux issues in docker-1.10. --read-only blows up
on SELinux enabled machines. Mounting /dev/mqueue read/only would also
blow up any tool that was going to use /dev/mqueue.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
(cherry picked from commit adb2e3fedc)
Filters should not include stopped containers if `-a` is not specified.
Right now, the before and since filters are acting as the deprecated
--before and --since flags. This commit fixes that.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit b41dba58a0)
From PR #20135
Since we now automatically mount the mqueue device inside the
container (instead of bind mounting the one from the host), when
trying to start a container with --ipc=host, the mount will fail with
EPERM.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit dba5a7f243)
From PR #20133
Currently, when running a container with --ipc=host, if /dev/mqueue is
a standard directory on the host, the daemon will bind mount it, allowing
the container to create/modify files on the host.
This commit forces /dev/mqueue to always be of type mqueue except when
the user explicitly requested something to be bind mounted to
/dev/mqueue.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
(cherry picked from commit f7d4abdc00)
From PR #20133
To support the requirement of blocking the request after the daemon
responded, the authorization plugin uses a `response recorder` that replays
the response after the flow ends.
This commit adds support for commands that hijack the connection and
flushes data via the http.Flusher interface. This resolves the error
with the event endpoint.
Signed-off-by: Liron Levin <liron@twistlock.com>
(cherry picked from commit 5ffc810df2)
From PR #20002
Divide event matching into two functions, a matcher and
a processor. That way, the error handling doesn't call
the channel closing logic at all.
Signed-off-by: David Calavera <david.calavera@gmail.com>
(cherry picked from commit 27b060492c)
From PR #19519