Commit graph

156 commits

Author SHA1 Message Date
Akihiro Suda
3518383ed9 dockerd: fix rootless detection (alternative to #39024)
The `--rootless` flag had a couple of issues:
* #38702: euid=0, $USER="root" but no access to cgroup ("rootful" Docker in rootless Docker)
* #39009: euid=0 but $USER="docker" (rootful boot2docker)

To fix #38702, XDG dirs are ignored as in rootful Docker, unless the
dockerd is directly running under RootlessKit namespaces.

RootlessKit detection is implemented by checking whether `$ROOTLESSKIT_STATE_DIR` is set.

To fix #39009, the non-robust `$USER` check is now completely removed.

The entire logic can be illustrated as follows:

```
withRootlessKit := getenv("ROOTLESSKIT_STATE_DIR")
rootlessMode := withRootlessKit || cliFlag("--rootless")
honorXDG := withRootlessKit
useRootlessKitDockerProxy := withRootlessKit
removeCgroupSpec := rootlessMode
adjustOOMScoreAdj := rootlessMode
```

Close #39024
Fix #38702 #39009

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-04-25 16:47:01 +09:00
Akihiro Suda
ec87479b7e allow running dockerd in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00
Kir Kolyshkin
9b0097a699 Format code with gofmt -s from go-1.11beta1
This should eliminate a bunch of new (go-1.11 related) validation
errors telling that the code is not formatted with `gofmt -s`.

No functional change, just whitespace (i.e.
`git show --ignore-space-change` shows nothing).

Patch generated with:

> git ls-files | grep -v ^vendor/ | grep .go$ | xargs gofmt -s -w

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-09-06 15:24:16 -07:00
Vincent Demeester
3845728524
Update tests to use gotest.tools 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-13 09:04:30 +02:00
Sebastiaan van Stijn
f23c00d870
Various code-cleanup
remove unnescessary import aliases, brackets, and so on.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-05-23 17:50:54 +02:00
Alessandro Boch
173b3c364e Allow user to control the default address pools
- Via daemon flag --default-address-pools base=<CIDR>,size=<int>

Signed-off-by: Elango Siva  <elango@docker.com>
2018-04-30 11:14:08 -04:00
Daniel Nephin
6be0f70983 Automated migration using
gty-migrate-from-testify --ignore-build-tags

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-16 11:03:43 -04:00
Daniel Nephin
4f0d95fa6e Add canonical import comment
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:51:57 -05:00
Sebastiaan van Stijn
6ed1163c98
Remove redundant build-tags
Files that are suffixed with `_linux.go` or `_windows.go` are
already only built on Linux / Windows, so these build-tags
were redundant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-12-18 17:41:53 +01:00
Renaud Gaubert
ebe14310b7 Updated GenericResource CLI
Signed-off-by: Renaud Gaubert <renaud.gaubert@gmail.com>
2017-11-06 21:47:26 +01:00
Vincent Demeester
de5c80b4f3
Remove Docker from some functions
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-10-25 14:39:51 +02:00
Yong Tang
a301f96df6 Merge pull request #34689 from chchliang/envunitest
add an exception case
2017-09-01 10:53:42 -07:00
Yong Tang
cb952bf006 Merge pull request #34625 from dnephin/more-linters
Add interfacer and unconvert linters
2017-09-01 08:46:08 -07:00
chchliang
76e9f0d6d4 add an exception case and map changge to struct with expect error
Signed-off-by: chchliang <chen.chuanliang@zte.com.cn>

add an exception case and map changge to struct with expect error

Signed-off-by: chchliang <chen.chuanliang@zte.com.cn>
2017-09-01 15:49:56 +08:00
Daniel Nephin
b68221c37e Fix bad import graph from opts/opts.go
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-29 15:32:43 -04:00
Daniel Nephin
2f5f0af3fd Add unconvert linter
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-24 15:08:31 -04:00
Brian Goff
ebcb7d6b40 Remove string checking in API error handling
Use strongly typed errors to set HTTP status codes.
Error interfaces are defined in the api/errors package and errors
returned from controllers are checked against these interfaces.

Errors can be wraeped in a pkg/errors.Causer, as long as somewhere in the
line of causes one of the interfaces is implemented. The special error
interfaces take precedence over Causer, meaning if both Causer and one
of the new error interfaces are implemented, the Causer is not
traversed.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-08-15 16:01:11 -04:00
Renaud Gaubert
87e1464c43 Added support for Generic Resources
Signed-off-by: Renaud Gaubert <rgaubert@nvidia.com>
2017-07-24 17:49:56 -07:00
Josh Soref
39bcaee47b
Spelling fixes
* additional
* ambiguous
* anonymous
* anything
* application
* because
* before
* building
* capabilities
* circumstances
* commit
* committer
* compresses
* concatenated
* config
* container
* container's
* current
* definition
* delimiter
* disassociates
* discovery
* distributed
* doesnotexist
* downloads
* duplicates
* either
* enhancing
* enumerate
* escapable
* exactly
* expect
* expectations
* expected
* explicitly
* false
* filesystem
* following
* forbidden
* git with
* healthcheck
* ignore
* independent
* inheritance
* investigating
* irrelevant
* it
* logging
* looking
* membership
* mimic
* minimum
* modify
* mountpoint
* multiline
* notifier
* outputting
* outside
* overridden
* override
* parsable
* plugins
* precedence
* propagation
* provided
* provides
* registries
* repositories
* returning
* settings
* should
* signals
* someone
* something
* specifically
* successfully
* synchronize
* they've
* thinking
* uninitialized
* unintentionally
* unmarshaling
* unnamed
* unreferenced
* verify

Signed-off-by: Josh Soref <jsoref@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-07-03 13:13:09 -07:00
allencloud
148f2711e8 add NamedUlimitOpt implement NamedOption to fix 32528
Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-06-16 10:14:09 +08:00
Vincent Demeester
61e527f16c
Remove more opts unused in docker/docker
These are already present in `docker/cli` 👼

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-05-19 12:05:51 +02:00
Vincent Demeester
306074572c Remove unused opts (moved to docker/cli)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-05-15 14:38:58 +02:00
Aaron Lehmann
a58cc35ab8 Update CLI docs and add opts/config.go
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-05-11 10:08:21 -07:00
Evan Hazlett
67d282a5c9 support custom paths for secrets
This adds support to specify custom container paths for secrets.

Signed-off-by: Evan Hazlett <ejhazlett@gmail.com>
2017-05-10 10:23:07 -07:00
Aaron Lehmann
6052f2b396 Remove pkg/testutil/assert in favor of testify
I noticed that we're using a homegrown package for assertions. The
functions are extremely similar to testify, but with enough slight
differences to be confusing (for example, Equal takes its arguments in a
different order). We already vendor testify, and it's used in a few
places by tests.

I also found some problems with pkg/testutil/assert. For example, the
NotNil function seems to be broken. It checks the argument against
"nil", which only works for an interface. If you pass in a nil map or
slice, the equality check will fail.

In the interest of avoiding NIH, I'm proposing replacing
pkg/testutil/assert with testify. The test code looks almost the same,
but we avoid the confusion of having two similar but slightly different
assertion packages, and having to maintain our own package instead of
using a commonly-used one.

In the process, I found a few places where the tests should halt if an
assertion fails, so I've made those cases (that I noticed) use "require"
instead of "assert", and I've vendored the "require" package from
testify alongside the already-present "assert" package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-04-14 12:03:21 -07:00
Aaron Lehmann
bbe1202410 Make the CLI show defaults from the swarmkit defaults package
If no fields related to an update config or restart policy are
specified, these structs should not be created as part of the service,
to avoid hardcoding the current defaults.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-04-10 13:41:18 -07:00
Aaron Lehmann
e7c39f4d5d api: Remove SecretRequestOption type
This type is only used by CLI code. It duplicates SecretReference in the
types/swarm package. Change the CLI code to use that type instead.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-03-16 11:20:31 -07:00
Justin Cormack
49376cddab Merge pull request #30597 from dnephin/add-expanded-mount-format-to-stack-deploy
Add expanded mount format to stack deploy
2017-03-14 17:53:28 +00:00
Sebastiaan van Stijn
7f6e7088b7 Merge pull request #31047 from yallop/cli-v-state
Flags for specifying bind mount consistency
2017-03-13 11:36:10 +01:00
Daniel Nephin
afcaeedbd4 Use opts.MemBytes for flags.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-03-07 10:32:49 -05:00
Daniel Nephin
65c899bee5 Add expanded mount syntax to Compose schema and types.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-03-06 11:45:01 -05:00
David Sheets
f13297c0be Add 'consistent', 'cached', and 'delegated' mode flags
This adds 'consistency' mode flags to the mount command line argument.
Initially, the valid 'consistency' flags are 'consistent', 'cached',
'delegated', and 'default'.

Signed-off-by: David Sheets <dsheets@docker.com>
Signed-off-by: Jeremy Yallop <yallop@docker.com>
2017-03-01 18:13:47 +00:00
Vincent Demeester
aa4ecd153b
Make sure we validate simple syntax on service commands
We ignored errors for simple syntax in `PortOpt` (missed that in the
previous migration of this code). This make sure we don't ignore
`nat.Parse` errors.

Test has been migrate too (errors are not exactly the same as before
though -_-)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-02-07 12:45:47 +01:00
Yong Tang
d1982862ca Update opts.MemBytes to disable default, and move docker run/create/build to use opts.MemBytes
This fix made several updates:
1. Update opts.MemBytes so that default value will not show up.
   The reason is that in case a default value is decided by daemon,
   instead of client, we actually want to not show default value.
2. Move `docker run/create/build` to use opts.MemBytes for `--shm-size`
   This is to bring consistency between daemon and docker run
3. docs updates.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 12:17:06 -08:00
Yong Tang
db575ef626 Add daemon option --default-shm-size
This fix fixes issue raised in 29492 where it was not
possible to specify a default `--default-shm-size` in daemon
configuration for each `docker run``.

The flag `--default-shm-size` which is reloadable, has been
added to the daemon configuation.
Related docs has been updated.

This fix fixes 29492.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-01-27 12:17:06 -08:00
Sebastiaan van Stijn
950658bbb6
Add "src" alias for --secret
This patch adds a "src" alias for `--secret`
to be consistent with `--mount`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-01-24 15:41:45 +01:00
Tony Abboud
135f8f9674 Add error checking for hostPort range
This fix catches the case where there is a single container port
and a dynamic host port and will fail out gracefully
Example docker-compose.yml snippet:
    port:
        ports:
            - "8091-8093:8091"
            - "80:8080"

Signed-off-by: Tony Abboud <tdabboud@hotmail.com>
2017-01-13 18:05:51 -05:00
Sebastiaan van Stijn
f199fadc7a Merge pull request #29793 from thaJeztah/improve-run-usage-output
Improve usage output for docker run
2017-01-09 18:15:25 +01:00
Vincent Demeester
6129e6ce3e Merge pull request #29697 from yuexiao-wang/fix-docker-daemon
Update docker daemon to dockerd
2017-01-04 11:55:38 +01:00
Daniel Nephin
abe32de6b4 Trim quotes from TLS flags.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-01-03 15:58:41 -05:00
Daniel Nephin
e4c1f07729 Add quoted string flag Value.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-01-03 15:09:54 -05:00
Sebastiaan van Stijn
847ccd4867
Improve usage output for docker run
Commit a77f2450c7 switched `docker run`
to use the `pflags` package. Due to this change, the usage output for
the `--blkio-weight-device` and `--device-*` flags changed and now
showed `weighted-device`, and `throttled-device` as value type. As a
result, the output of `docker run --help` became a lot wider.

This patch changes the output to show `list` instead, which is
consistent with other options that allow to be set multiple times.

Output before this change;

    Usage:	docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

    Run a command in a new container

    Options:
          --blkio-weight uint16                   Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
          --blkio-weight-device weighted-device   Block IO weight (relative device weight) (default [])
          --device list                           Add a host device to the container (default [])
          --device-read-bps throttled-device      Limit read rate (bytes per second) from a device (default [])
          --device-read-iops throttled-device     Limit read rate (IO per second) from a device (default [])
          --device-write-bps throttled-device     Limit write rate (bytes per second) to a device (default [])
          --device-write-iops throttled-device    Limit write rate (IO per second) to a device (default [])
      -w, --workdir string                        Working directory inside the container

Output after this change;

    Usage:	docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

    Run a command in a new container

    Options:
          --blkio-weight uint16         Block IO (relative weight), between 10 and 1000, or 0 to disable (default 0)
          --blkio-weight-device list    Block IO weight (relative device weight) (default [])
          --device list                 Add a host device to the container (default [])
          --device-read-bps list        Limit read rate (bytes per second) from a device (default [])
          --device-read-iops list       Limit read rate (IO per second) from a device (default [])
          --device-write-bps list       Limit write rate (bytes per second) to a device (default [])
          --device-write-iops list      Limit write rate (IO per second) to a device (default [])
      -w, --workdir string              Working directory inside the container

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-12-30 17:35:46 +01:00
yuexiao-wang
62cc802f61 Update docker daemon to dockerd
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2016-12-27 17:32:15 +08:00
Vincent Demeester
c424be21b7
Clean some stuff from runconfig that are cli only…
… or could be in `opts` package. Having `runconfig/opts` and `opts`
doesn't really make sense and make it difficult to know where to put
some code.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-24 13:16:00 +01:00
yuexiao-wang
113cae5ba2 Change tls to TLS
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2016-12-20 22:08:07 +08:00
Vincent Demeester
9d4aa3621f Make --publish-rm precedes --publish-add, so that add wins
`--publish-add 8081:81 --publish-add 8082:82 --publish-rm 80
--publish-rm 81/tcp --publish-rm 82/tcp` would thus result in 81 and
82 to be published.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-11 23:14:54 +01:00
Vincent Demeester
75bf18c9f0 Remove --port and update --publish for services to support syntaxes
Add support for simple and complex syntax to `--publish` through the
use of `PortOpt`.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-12-11 23:14:54 +01:00
Yong Tang
c4d773cdfe Return error for incorrect argument of service update --publish-rm <TargetPort>
Currently `--publish-rm` only accepts `<TargetPort>` or `<TargetPort>[/Protocol]`
though there are some confusions.

Since `--publish-add` accepts `<PublishedPort>:<TargetPort>[/Protocol]`, some user
may provide `--publish-rm 80:80`. However, there is no error checking so the incorrect
provided argument is ignored silently.

This fix adds the check to make sure `--publish-rm` only accepts `<TargetPort>[/Protocol]`
and returns error if the format is invalid.

The `--publish-rm` itself may needs to be revisited to have a better UI/UX experience,
see discussions on:
https://github.com/docker/swarmkit/issues/1396
https://github.com/docker/docker/issues/25200#issuecomment-236213242
https://github.com/docker/docker/issues/25338#issuecomment-240787002

This fix is short term measure so that end users are not misled by the silently ignored error
of `--publish-rm`.

This fix is related to (but is not a complete fix):
https://github.com/docker/swarmkit/issues/1396

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-12-01 17:46:53 -08:00
Victor Vieux
9c559e6d0b fix a few golint errors
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
2016-11-18 18:32:02 -08:00
wefine
f78f7de96a fix t.Errorf to t.Error in serveral _test.go
Signed-off-by: wefine <wang.xiaoren@zte.com.cn>
2016-11-14 17:54:43 +08:00