Add golint to the Dockerfile, and a `validate-lint` task to the
Makefile. Currently, the linter will process a harcoded list of packages
that will expand as we fix more warnings. Eventually, the linter should
process all subpackages of the repo (excluding vendored code).
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Replaced github.com/docker/libcontainer with
github.com/opencontainers/runc/libcontaier.
Also I moved AppArmor profile generation to docker.
Main idea of this update is to fix mounting cgroups inside containers.
After updating docker on CI we can even remove dind.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
These will create the apt & yum repos for the deb/rpms generated by build-deb
and build-rpm.
Adds sign-repo script which signs the repo metadata with a gpg key.
Signed-off-by: Jessica Frazelle <princess@docker.com>
For hybrid cloud, some ubuntu vm images doesn't have the directory
`/etc/apt/sources.list.d` which cause failure on creating
`/etc/apt/sources.list.d/docker.list`.
To fix this issue, create this directory first (if it doesn't exist).
Signed-off-by: Penghan Wang <ph.wang@daocloud.io>
Add a few links to the release output that the release captain can use to announce the release.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Vendoring libnetwork commit: 8fb0a8bc9e3166216ca3da2d0bb15332f6685745
- Fixes breakage in k/v store handling logic in experimental
- Adds back all the fixes that went in 1.7.1 to master
- Change VXLAN port in overlay driver to IANA assigned port
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
When a container is started with `--net=host` with
a particular name and it is subsequently destroyed,
then all subsequent creations of the container with
the same name will fail. This is because in `--net=host`
the namespace is shared i.e the host namespace so
trying to destroy the host namespace by calling
`LeaveAll` will fail and the endpoint is left with
the dangling state. So the fix is, for this mode, do
not attempt to destroy the namespace but just cleanup
the endpoint state and return.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
- brings in vxlan based native multihost networking
- added a daemon flag required by libkv for dist kv operations
- moved the daemon flags to experimental
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This commit also brings in the ability to specify a default network and its
corresponding driver as daemon flags. This helps in existing clients to
make use of newer networking features provided by libnetwork.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
I ran a single integration test and got an error that the file
/sys/module/apparmor/parameters/enabled doesn't exist. I don't have
apparmor installed. So, just check the file first to avoid a confusing
error.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
