Currently the plugins pkg allows a single handler. This assumption
breaks down if there are mutiple listeners to a plugin of a certain
Manifest such as NetworkDriver or IpamDriver when swarm-mode is enabled.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This performs a similar check to the `"ConEmuANSI"` check that was recently
added to enable arrow keys navigation in docker container terminals.
Signed-off-by: Josh Wilson <josh.wilson@fivestars.com>
plugingetter is indepedent of docker/docker packages, so it can be
moved to pkg. This is also necessary for authorization plugins (part of
pkg) to use pluginv2. The original path at plugin/getter will be
eventually removed, when external repos (eg. libnetwork) update their
import paths.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Fixes#26823
Fixes an issue where apparmor was not loaded into the kernel, because
apparmor_parser was being called incorrectly.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
To use a deferred func to overwrite the returned error requires using
the 'named' error. So reuse err, instead of pipelineError. Also, the old
pipelineError will never be nil, since its executed before the error can
be set.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
As part of making graphdrivers support pluginv2, a PluginGetter
interface was necessary for cleaner separation and avoiding import
cycles.
This commit creates a PluginGetter interface and makes pluginStore
implement it. Then the pluginStore object is created in the daemon
(rather than by the plugin manager) and passed to plugin init as
well as to the different subsystems (eg. graphdrivers, volumedrivers).
A side effect of this change was that some code was moved out of
experimental. This is good, since plugin support will be stable soon.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
ProgressReader outputs progress information every 500 KB. This could be
excessive if something is being transfered at a fast rate. Rate-limit
progress output to 10 per second.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Writing the profile to /etc/apparmor.d, while also manually loading it
into the kernel results in quite a bit of confusion. In addition, it
means that people using apparmor but have /etc mounted read-only cannot
use apparmor at all on a Docker host.
Fix this by writing the profile to a temporary directory and deleting it
after it's been inserted.
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Also consolidate the leftover packages under cli.
Remove pkg/mflag.
Make manpage generation work with new cobra layout.
Remove remaining mflag and fix tests after rebase with master.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Warn the user and fail daemon start if the graphdir path has any
elements which will deny access to the remapped root uid/gid.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
This fix tries to address the issue raised in 25927 where
the HTTP headers have been chaged when AUthZ plugin is in
place.
This issue is that in `FlushAll` (`pkg/authorization/response.go`),
the headers have been written (with `WriteHeader`) before all the
headers have bee copied.
This fix fixes the issue by placing `WriteHeader` after.
A test has been added to cover the changes.`
This fix fixes 25927
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Fix delete containers and make sure it prints errors correctly.
Rename Result.Fails to Result.Assert()
Create a constant for the default expected.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Remove some run functions and replace them with the unified run command.
Remove DockerCmdWithStdoutStderr
Remove many duplicate runCommand functions.
Also add dockerCmdWithResult()
Allow Result.Assert() to ignore the error message if an exit status is expected.
Fix race in DockerSuite.TestDockerInspectMultipleNetwork
Fix flaky test DockerSuite.TestRunInteractiveWithRestartPolicy
Signed-off-by: Daniel Nephin <dnephin@docker.com>
if there is no cookie set in dm task, or flag DM_UDEV_DISABLE_LIBRARY_FALLBACK
is cleared for a DM_DEV_REMOVE task, libdevmapper will fallback to clean up the
symlink under /dev/mapper by itself, no matter the device removal is executed
immediately or deferred by the kernel.In some cases, the removal is deferred by the
kernel, while the symlink is deleted directly by libdevmapper, when docker tries to
activate the device again, the deferred removal will be canceld, but the symlink will
not show up again, so docker's attempt to mount the device by the symlink will fail,
and it will eventually leads to a `docker start/diff` error.
Fixes#24671
Signed-off-by: Ji.Zhilong <zhilongji@gmail.com>
Plugin discovery on Windows is not possible using named pipes. However,
it is possible using spec file (tcp based). This adds Windows specific
paths for discovery.
Fixes#23605
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
The namespace unshare+pivot root is not possible when running inside a
user namespace, so fallback to the original "real" chroot code.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
If we are running in a user namespace, don't try to mknod as
it won't be allowed. libcontainer will bind-mount the host's
devices over files in the container anyway, so it's not needed.
The chrootarchive package does a chroot (without mounting /proc) before
its work, so we cannot check /proc/self/uid_map when we need to. So
compute it in advance and pass it along with the tar options.
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
This patch implements an Ellipsis utility to
append an ellipsis (...) when truncating
strings in output.
It also fixes the existing Truncate() utility
to be compatible with unicode/multibyte characters.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes case where shutdown occurs before content is synced to disked
on layer creation. This case can leave the layer store in an bad
state and require manual recovery. This change ensures all files
are synced to disk before a layer is committed. Any shutdown that
occurs will only cause the layer to not show up but will allow it to
be repulled or recreated without error.
Added generic io logic to ioutils package to abstract it out of
the layer store package.
Signed-off-by: Derek McGowan <derek@mcgstyle.net>
Problem Description:
An example scenario that involves deferred removal
1. A new base image gets created (e.g. 'docker load -i'). The base device is activated and
mounted at some point in time during image creation.
2. While image creation is in progress, a privileged container is started
from another image and the host's mount name space is shared with this
container ('docker run --privileged -v /:/host').
3. Image creation completes and the base device gets unmounted. However,
as the privileged container still holds a reference on the base image
mount point, the base device cannot be removed right away. So it gets
flagged for deferred removal.
4. Next, the privileged container terminates and thus its reference to the
base image mount point gets released. The base device (which is flagged
for deferred removal) may now be cleaned up by the device-mapper. This
opens up an opportunity for a race between a 'kworker' thread (executing
the do_deferred_remove() function) and the Docker daemon (executing the
CreateSnapDevice() function).
This PR cancel the deferred removal, if the device is marked for it. And reschedule the
deferred removal later after the device is resumed successfully.
Signed-off-by: Shishir Mahajan <shishir.mahajan@redhat.com>
Fixes: #25073
Update kernel memory on running containers without initialized
is forbidden only on kernel version older than 4.6.
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
Following #22729, enable to dynamically reload/remove the daemon
authorization plugins (via standard reloading mechanism).
https://docs.docker.com/engine/reference/commandline/daemon/#daemon-
configuration-file
Daemon must store a reference to the authorization middleware to refresh
the plugin on configuration changes.
Signed-off-by: Liron Levin <liron@twistlock.com>
