Commit graph

3454 commits

Author SHA1 Message Date
Sebastiaan van Stijn
ac058c1629
Merge pull request #40340 from thaJeztah/swagger_remove_classic_swarm_node
Swagger/API update "standalone" API fields
2020-01-23 20:45:46 +01:00
Drew Erny
30d9fe30b1 Add swarm jobs
Adds support for ReplicatedJob and GlobalJob service modes. These modes
allow running service which execute tasks that exit upon success,
instead of daemon-type tasks.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2020-01-13 13:21:12 -06:00
Sebastiaan van Stijn
cc26687c6a
Merge pull request #40341 from thaJeztah/restore_mount_options_info
swagger: restore bind options information
2020-01-09 21:06:51 +01:00
Sebastiaan van Stijn
954d729ab8
Merge pull request #40079 from thaJeztah/cleanup_build
API: cleanup build endpoint code
2020-01-09 21:05:19 +01:00
Sebastiaan van Stijn
9ae7196775
swagger: add missing container Health docs
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 16:45:25 +01:00
Sebastiaan van Stijn
79c877cfa7
swagger: restore bind options information
This information was added to an older version of the API
documentation (through 164ab2cfc9 and
5213a0a67e), but only added in the
"docs" branch.

This patch copies the information to the swagger file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 12:26:05 +01:00
Sebastiaan van Stijn
8311d6ba9f
API: omit classic swarm "SystemStatus" field if empty
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 12:25:05 +01:00
Sebastiaan van Stijn
78c86927ab
api/types: document classic swarm "Node" field
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 12:25:03 +01:00
Sebastiaan van Stijn
234d5a78fe
swagger: remove classic swarm "Node" field
This field is not part of the Docker API and only used
for classic (standalone) swarm.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 12:24:58 +01:00
Sebastiaan van Stijn
7e0afd4934
swagger: move ContainerState to definitions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 12:24:37 +01:00
Jan Chren
9608dc5470 Document message parameter to /images/create
This parameter was introduced 4 years ago in b857dadb33
as part of https://github.com/moby/moby/pull/15711, but has never made it to the API docs.

Signed-off-by: Jan Chren (rindeal) <dev.rindeal@gmail.com>
2019-12-27 17:05:16 +01:00
Tibor Vass
a9416c67da
Merge pull request #40259 from thaJeztah/more_constants
api/server/router: use consts for HTTP methods
2019-12-19 17:57:47 +01:00
Sebastiaan van Stijn
04203d13fb
api/server: build: refactor for better readability
- construct the initial options as a literal
- move validation for windows up, and fail early
- move all API-version handling together

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-04 16:19:01 +01:00
Sebastiaan van Stijn
9709f6b95e
api/server: build: use locally scoped variables
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-04 16:18:59 +01:00
Sebastiaan van Stijn
20e3b5ba2c
api/types: minor BuilderVersion refactor
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-04 16:18:51 +01:00
Sebastiaan van Stijn
c9b2a3cff5
api: normalize comment formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-27 15:37:30 +01:00
Sebastiaan van Stijn
90aa0901da
api/server/router: use consts for HTTP methods
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-26 21:55:29 +01:00
Sebastiaan van Stijn
c511db70ed
api/types: re-generate with new template
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-05 11:32:41 -08:00
Sebastiaan van Stijn
3df4f86f21
swagger: fix "generated code" comment not in correct format
As described in https://golang.org/s/generatedcode, Go has
a formalized format that should be used to indicate that a
file is generated.

Matching that format helps linters to skip generated files;

From https://golang.org/s/generatedcode (https://github.com/golang/go/issues/13560#issuecomment-288457920);

> Generated files are marked by a line of text that matches the regular expression, in Go syntax:
>
>     ^// Code generated .* DO NOT EDIT\.$
>
> The `.*` means the tool can put whatever folderol it wants in there, but the comment
> must be a single line and must start with `Code generated` and end with `DO NOT EDIT.`,
> with a period.
>
> The text may appear anywhere in the file.

This patch updates the template used for our generated types
to match that format.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-05 11:32:37 -08:00
Brian Goff
6f8c671d70
Merge pull request #39495 from hannseman/network-attachment-config-docs
Update service networks documentation
2019-11-05 11:24:47 -08:00
Sebastiaan van Stijn
a30990b3c8
Merge pull request #39820 from grooverdan/containers_json_with_platform
Add missing Platform to swagger definition for /containers/{id}/json
2019-10-22 15:02:47 +02:00
Sebastiaan van Stijn
9d726f1c18
Add GoDoc to fix linting validation
The validate step in CI was broken, due to a combination of
086b4541cf, fbdd437d29,
and 85733620eb being merged to master.

```
api/types/filters/parse.go:39:1: exported method `Args.Keys` should have comment or be unexported (golint)
func (args Args) Keys() []string {
^
daemon/config/builder.go:19:6: exported type `BuilderGCFilter` should have comment or be unexported (golint)
type BuilderGCFilter filters.Args
     ^
daemon/config/builder.go:21:1: exported method `BuilderGCFilter.MarshalJSON` should have comment or be unexported (golint)
func (x *BuilderGCFilter) MarshalJSON() ([]byte, error) {
^
daemon/config/builder.go:35:1: exported method `BuilderGCFilter.UnmarshalJSON` should have comment or be unexported (golint)
func (x *BuilderGCFilter) UnmarshalJSON(data []byte) error {
^
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-21 21:36:22 +02:00
Sebastiaan van Stijn
a8b04b17fd
Merge pull request #40028 from thaJeztah/session_endpoint_docs_updates
API: update docs that /session left experimental in V1.39
2019-10-19 01:18:21 +02:00
Sebastiaan van Stijn
4addf7ab1c
Merge pull request #39979 from tiborvass/fix-buildkit-prunegc-filter-config
daemon/config: fix filter type in BuildKit GC config
2019-10-18 22:44:48 +02:00
Justin Cormack
f681590a25
Merge pull request #40081 from thaJeztah/http_constants
Use http constants for HTTP methods and status codes
2019-10-17 11:30:26 -07:00
Drew Erny
f36042d259 Add support for sending down service Running and Desired task counts
Adds a new ServiceStatus field to the Service object, which includes the
running and desired task counts. This new field is gated behind a
"status" query parameter.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-10-14 10:43:00 -05:00
Sebastiaan van Stijn
93100adb69
api/server: use constants for http methods
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-13 17:30:19 +02:00
Tibor Vass
85733620eb daemon/config: add MarshalJSON for future proofing
If anything marshals the daemon config now or in the future
this commit ensures the correct canonical form for the builder
GC policies' filters.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-10-03 00:10:00 +00:00
Tibor Vass
6ca3ec88ae builder: remove legacy build's session handling
This feature was used by docker build --stream and it was kept experimental.

Users of this endpoint should enable BuildKit anyway by setting Version to BuilderBuildKit.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-10-02 20:29:15 +00:00
Sebastiaan van Stijn
6756f5f378
API: update docs that /session left experimental in V1.39
The `/session` endpoint left experimental in API V1.39 through
239047c2d3 and
01c9e7082e, but the API reference
was not updated accordingly.

This updates the API documentation to match the change.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-02 12:30:38 +02:00
Chris Price
c21a3cf432 Add variant to image.Image and legacy builder
This commit adds the image variant to the image.(Image) type and
updates related functionality. Images built from another will
inherit the OS, architecture and variant.

Note that if a base image does not specify an architecture, the
local machine's architecture is used for inherited images. On the
other hand, the variant is set equal to the parent image's variant,
even when the parent image's variant is unset.

The legacy builder is also updated to allow the user to specify
a '--platform' argument on the command line when creating an image
FROM scratch. A complete platform specification, including variant,
is supported. The built image will include the variant, as will any
derived images.

Signed-off-by: Chris Price <chris.price@docker.com>
2019-09-24 22:18:16 +00:00
Sebastiaan van Stijn
4e621a34ac
api/server: explicitly ignore unhandled errors (errcheck)
```
api/server/router/build/build_routes.go:309:41: Error return value of `(*encoding/json.Decoder).Decode` is not checked (errcheck)
api/server/router/build/build_routes.go:431:11: Error return value of `io.Copy` is not checked (errcheck)
api/server/router/container/container_routes.go:582:13: Error return value of `conn.Write` is not checked (errcheck)
api/server/router/grpc/grpc_routes.go:38:12: Error return value of `conn.Write` is not checked (errcheck)
api/server/router/grpc/grpc_routes.go:39:12: Error return value of `resp.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:94:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:139:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:164:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:180:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/plugin/plugin_routes.go:126:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/plugin/plugin_routes.go:165:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/plugin/plugin_routes.go:273:15: Error return value of `output.Write` is not checked (errcheck)
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:57:46 +02:00
Sebastiaan van Stijn
6ff727b13c
TestWalkValues: add missing error-check (errcheck)
```
api/types/filters/parse_test.go:340:14: Error return value of `f.WalkValues` is not checked (errcheck)
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:57:45 +02:00
Kir Kolyshkin
d584242236
client: suppress filters.ToParamWithVersion lint warning
Add annotations to suppress warnings like this one:

> client/container_list.go:38:22: SA1019: filters.ToParamWithVersion is deprecated: Use ToJSON  (staticcheck)
> 		filterJSON, err := filters.ToParamWithVersion(cli.version, options.Filters)
>		                   ^

Modify the deprecation notice to specify it is applicable to new code
only.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-09-18 12:57:19 +02:00
Sebastiaan van Stijn
0507c358d9
API: explicitely ignore unhandled errors
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:57:13 +02:00
Sebastiaan van Stijn
07ff4f1de8
goimports: fix imports
Format the source according to latest goimports.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:56:54 +02:00
Derek McGowan
2816ec7b00
Remove unused router swapper
The router swapper was previously used to toggle
a debug mode, that code has since been removed.
Now this router is unnecessary.

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2019-09-04 13:50:03 -07:00
Daniel Black
7b4b940470 /containers/{id}/json missing Platform
To match ContainerJSONBase api/types/types.go

Signed-off-by: Daniel Black <daniel@linux.ibm.com>
2019-08-29 14:02:57 +10:00
Jintao Zhang
9134130b39 Remove SystemInfo() error handling.
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
2019-08-29 07:44:39 +08:00
Hannes Ljungberg
4d09fab232 Update service networks documentation
The previous description stated that an array of names / ids could be passed when the API in reality expects objects in the form of NetworkAttachmentConfig. This is fixed by updating the description and adding a definition for NetworkAttachmentConfig.

Signed-off-by: Hannes Ljungberg <hannes@5monkeys.se>
2019-08-24 21:42:13 +02:00
Odin Ugedal
9c94e8260a
Fix phrasing when referring to the freezer cgroup
Signed-off-by: Odin Ugedal <odin@ugedal.com>
2019-08-16 20:39:30 +02:00
SataQiu
f6226a2a56 fix some spelling mistakes
Signed-off-by: SataQiu <qiushida@beyondcent.com>
2019-08-13 22:57:55 +08:00
Sebastiaan van Stijn
e4b9edd31f
Merge pull request from GHSA-99qr-h2rp-65rc
DebugRequestMiddleware: unconditionally scrub data field
2019-07-17 17:19:48 +02:00
Jérémy Leherpeur
cf315bedc5
Fix indentation in some description
Fix the indentation to allow jane-openapi generate to work

Signed-off-by: Jeremy Leherpeur <jeremy.leherpeur@yousign.fr>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-07-14 13:42:29 +02:00
skanehira
3afdc46314 fix swagger.yaml #39484
Signed-off-by: skanehira <sho19921005@gmail.com>
2019-07-11 09:33:32 +09:00
Sebastiaan van Stijn
f8a0f26843 DebugRequestMiddleware: Remove path handling
Path-specific rules were removed, so this is no longer used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 530e63c1a61b105a6f7fc143c5acb9b5cd87f958)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
73db8c77bf DebugRequestMiddleware: unconditionally scrub data field
Commit 77b8465d7e added a secret update
endpoint to allow updating labels on existing secrets. However, when
implementing the endpoint, the DebugRequestMiddleware was not updated
to scrub the Data field (as is being done when creating a secret).

When updating a secret (to set labels), the Data field should be either
`nil` (not set), or contain the same value as the existing secret. In
situations where the Data field is set, and the `dockerd` daemon is
running with debugging enabled / log-level debug, the base64-encoded
value of the secret is printed to the daemon logs.

The docker cli does not have a `docker secret update` command, but
when using `docker stack deploy`, the docker cli sends the secret
data both when _creating_ a stack, and when _updating_ a stack, thus
leaking the secret data if the daemon runs with debug enabled:

1. Start the daemon in debug-mode

        dockerd --debug

2. Initialize swarm

        docker swarm init

3. Create a file containing a secret

        echo secret > my_secret.txt

4. Create a docker-compose file using that secret

        cat > docker-compose.yml <<'EOF'
        version: "3.3"
        services:
          web:
            image: nginx:alpine
            secrets:
              - my_secret
        secrets:
          my_secret:
            file: ./my_secret.txt
        EOF

5. Deploy the stack

        docker stack deploy -c docker-compose.yml test

6. Verify that the secret is scrubbed in the daemon logs

        DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create
        DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}

7. Re-deploy the stack to trigger an "update"

        docker stack deploy -c docker-compose.yml test

8. Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged

        DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34
        DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}

This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields.
Currently, only the `secrets` and `configs` endpoints use a field with this
name, and no other POST API endpoints use a data field, so scrubbing this
field unconditionally will only scrub requests for those endpoints.

If a new endpoint is added in future where this field should not be scrubbed,
we can re-introduce more fine-grained (path-specific) handling.

This patch introduces some change in behavior:

- In addition to secrets, requests to create or update _configs_ will
  now have their `Data` field scrubbed. Generally, the actual data should
  not be interesting for debugging, so likely will not be problematic.
  In addition, scrubbing this data for configs may actually be desirable,
  because (even though they are not explicitely designed for this purpose)
  configs may contain sensitive data (credentials inside a configuration
  file, e.g.).
- Requests that send key/value pairs as a "map" and that contain a
  key named "data", will see the value of that field scrubbed. This
  means that (e.g.) setting a `label` named `data` on a config, will
  scrub/mask the value of that label.
- Note that this is already the case for any label named `jointoken`,
  `password`, `secret`, `signingcakey`, or `unlockkey`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7ce4be93ae8edd2da62a588e01c67313a4aba0c)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
ebb542b3f8 TestMaskSecretKeys: use subtests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 32d70c7e21631224674cd60021d3ec908c2d888c)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
18dac2cf32 TestMaskSecretKeys: add more test-cases
Add tests for

- case-insensitive matching of fields
- recursive masking

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit db5f811216e70bcb4a10e477c1558d6c68f618c5)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Michael Crosby
fb459f6671
Merge pull request #38441 from sirlatrom/swarm_plugin_env
Allow specifying environment variables when installing an engine plugin as a Swarm service
2019-07-08 15:26:55 -04:00
Brian Goff
6ddd43b589 Make ErrorResponse implement Error
This allows an ErrorResponse to be used directly as an error type.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-07-02 10:17:03 -07:00
Sebastiaan van Stijn
28678f2226
Merge pull request #38349 from wk8/wk8/os_version
Adding OS version info to nodes' `Info` struct and to the system info's API
2019-06-07 14:54:51 +02:00
Sebastiaan van Stijn
c85fe2d224
Merge pull request #38522 from cpuguy83/fix_timers
Make sure timers are stopped after use.
2019-06-07 13:16:46 +02:00
Jean Rouge
d363a1881e Adding OS version info to the nodes' Info struct
This is needed so that we can add OS version constraints in Swarmkit, which
does require the engine to report its host's OS version (see
https://github.com/docker/swarmkit/issues/2770).

The OS version is parsed from the `os-release` file on Linux, and from the
`ReleaseId` string value of the `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
registry key on Windows.

Added unit tests when possible, as well as Prometheus metrics.

Signed-off-by: Jean Rouge <rougej+github@gmail.com>
2019-06-06 22:40:10 +00:00
Kirill Kolyshkin
1d5748d975
Merge pull request #39173 from olljanat/25885-capabilities-swarm
Add support for capabilities options in services
2019-06-06 15:03:46 -07:00
Sebastiaan van Stijn
71e00574c7
Merge pull request #39279 from ZYecho/fix-swagger-copy
fix: fix lack of copyUIDGID in swagger.yaml
2019-06-05 13:13:59 +02:00
zhangyue
a4f828cb89 fix: fix lack of copyUIDGID in swagger.yaml
Signed-off-by: Zhang Yue <zy675793960@yeah.net>
Signed-off-by: zhangyue <zy675793960@yeah.net>
2019-06-05 09:58:04 +08:00
Tibor Vass
6104eb1ae2 build: fix panic when exporting to tar
Fixes a panic on `docker build -t foo -o - . >/dev/null`

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-06-03 22:34:15 +00:00
Sebastiaan van Stijn
3d21b86e0a
Merge pull request #39299 from AkihiroSuda/ro-none-cgroupdriver
info: report cgroup driver as "none" when running rootless
2019-06-03 22:46:08 +02:00
Akihiro Suda
ca5aab19b4 rootless: update docker info docs
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-06-03 19:41:50 +09:00
Yong Tang
784bd2c883
Merge pull request #39248 from dontub/fix-api-operation-PutContainerArchive
API: Set format of body parameter in operation PutContainerArchive to "binary"
2019-06-02 12:56:15 -07:00
Olli Janatuinen
f787b235de Add support capabilities list on services
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2019-05-28 19:52:36 +03:00
Sebastiaan van Stijn
752d78017a
Merge pull request #39264 from dontub/fix-api-type-PortMap
API: Move "x-nullable: true" from type PortBinding to type PortMap
2019-05-25 21:56:05 +02:00
Sebastiaan van Stijn
54872a8024
Merge pull request #39265 from ad-m/patch-1
Update docs to remove restriction of tty resize
2019-05-25 21:54:45 +02:00
Adam Dobrawy
4898f493d8 Update docs to remove restriction of tty resize
Signed-off-by: Adam Dobrawy <naczelnik@jawnosc.tk>
2019-05-23 19:16:59 +02:00
Dominic Tubach
32b5d296ea API: Move "x-nullable: true" from type PortBinding to type PortMap
Currently the API spec would allow `"443/tcp": [null]`, but what should
be allowed is `"443/tcp": null`
Signed-off-by: Dominic Tubach <dominic.tubach@to.com>
2019-05-23 16:03:48 +02:00
Dominic Tubach
d5f6bdb027 API: Change type of RemotrAddrs to array of strings in operation SwarmJoin
Signed-off-by: Dominic Tubach <dominic.tubach@to.com>
2019-05-23 15:14:34 +02:00
Dominic Tubach
fa6f63e79b API: Set format of body parameter in operation PutContainerArchive to "binary"
Signed-off-by: Dominic Tubach <dominic.tubach@to.com>
2019-05-21 17:09:18 +02:00
Sebastiaan van Stijn
7bacd1d6dc
Move CgroupnsMode feature to API v1.41
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 15:04:28 -07:00
Sebastiaan van Stijn
771fc7e7f8
Bump API version to v1.41
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 14:55:20 -07:00
Yong Tang
3042254a87
Merge pull request #38377 from rgulewich/38332-cgroup-ns
Start containers in their own cgroup namespaces
2019-05-11 20:18:31 -07:00
Rob Gulewich
072400fc4b Make cgroup namespaces configurable
This adds both a daemon-wide flag and a container creation property:
- Set the `CgroupnsMode: "host|private"` HostConfig property at
  container creation time to control what cgroup namespace the container
  is created in
- Set the `--default-cgroupns-mode=host|private` daemon flag to control
  what cgroup namespace containers are created in by default
- Set the default if the daemon flag is unset to "host", for backward
  compatibility
- Default to CgroupnsMode: "host" for client versions < 1.40

Signed-off-by: Rob Gulewich <rgulewich@netflix.com>
2019-05-07 10:22:16 -07:00
Yash Murty
a31a088665 Remove DiskQouta field.
Signed-off-by: Yash Murty <yashmurty@gmail.com>
2019-04-30 15:13:08 +07:00
Yong Tang
0c07dad66a
Merge pull request #39049 from thaJeztah/add_missing_import_aliases
Add "import" statement to generated API types
2019-04-28 10:45:59 -07:00
giovanism
65e68f6222 Update container name pattern in swagger.yaml
Signed-off-by: giovanism <giovanism@outlook.co.id>
2019-04-15 16:41:46 +07:00
Sebastiaan van Stijn
93886fcc5a
Add "import" statement to generated API types
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-10 14:07:55 +02:00
Sebastiaan van Stijn
2e1cfbca03
Merge pull request #39021 from imxyb/err-is-always-nil
Remove the "err == nil" because is always equal nil.
2019-04-09 02:48:36 +02:00
Sebastiaan van Stijn
c334a87aec
Remove deprecated filter functions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-08 15:46:45 +02:00
Xiao YongBiao
372b9f769e Remove the "err == nil" because is always equal nil.
Signed-off-by: Xiao YongBiao <xyb4638@gmail.com>
2019-04-08 12:28:43 +08:00
Sune Keller
fca5ee3bd5 Support environment vars in Swarm plugins services
Allow specifying environment variables when installing an engine plugin
as a Swarm service. Invalid environment variable entries (without an
equals (`=`) char) will be ignored.

Signed-off-by: Sune Keller <absukl@almbrand.dk>
2019-04-07 09:48:19 +02:00
Sebastiaan van Stijn
a2fdfaa830
Merge pull request #38819 from AkihiroSuda/fix-logs-docs
api: fix description about logs
2019-04-03 17:11:51 +02:00
Tibor Vass
05c5d20a2c grpc: register BuildKit controller to /grpc
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-04-02 19:57:59 +00:00
Tibor Vass
e8382ece65 api: add undocumented /grpc endpoint to talk to GRPC services
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-04-02 19:57:59 +00:00
Akihiro Suda
d2281bbfa3 api: fix description about logs
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-04-02 19:06:14 +09:00
Tõnis Tiigi
25661a3a04
Merge pull request #38793 from thaJeztah/pids_limit_improvements
Some refactoring on PidsLimit
2019-03-21 13:44:05 -07:00
Akihiro Suda
7fc0f820ea builder-next: fix squash
Tagger was not called for BuildKit-mode.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-03-21 01:08:55 +09:00
John Howard
a3eda72f71
Merge pull request #38541 from Microsoft/jjh/containerd
Windows: Experimental: ContainerD runtime
2019-03-19 21:09:19 -07:00
Sebastiaan van Stijn
e7b5f7dbe9
Merge pull request #38891 from thaJeztah/warn_manager_count
Return a warning when running in a two-manager setup
2019-03-19 22:54:53 +01:00
Tibor Vass
827cb09f87
Merge pull request #38898 from tonistiigi/build-outputs
builder-next: allow outputs configuration
2019-03-19 14:00:16 -07:00
Tonis Tiigi
768c6d7b29 builder-next: allow outputs configuration
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-03-19 10:28:30 -07:00
Tibor Vass
8f936ae8cf Add DeviceRequests to HostConfig to support NVIDIA GPUs
This patch hard-codes support for NVIDIA GPUs.
In a future patch it should move out into its own Device Plugin.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-03-18 17:19:45 +00:00
Sebastiaan van Stijn
81eef17e38
Return a warning when running in a two-manager setup
Running a cluster in a two-manager configuration effectively *doubles*
the chance of loosing control over the cluster (compared to running
in a single-manager setup). Users may have the assumption that having
two managers provides fault tolerance, so it's best to warn them if
they're using this configuration.

This patch adds a warning to the `info` response if Swarm is configured
with two managers:

    WARNING: Running Swarm in a two-manager configuration. This configuration provides
             no fault tolerance, and poses a high risk to loose control over the cluster.
             Refer to https://docs.docker.com/engine/swarm/admin_guide/ to configure the
             Swarm for fault-tolerance.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-18 14:36:00 +01:00
Sebastiaan van Stijn
2a9c987e5a
Move httputils error helpers to errdefs package
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-16 00:42:23 +01:00
Sebastiaan van Stijn
1af30c50ca
Add httputils.FromStatusCode()
This utility allows a client to convert an API response
back to a typed error; allowing the client to perform
different actions based on the type of error, without
having to resort to string-matching the error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-16 00:39:48 +01:00
Sebastiaan van Stijn
ca0b64ee3b
Merge pull request #35621 from kolyshkin/ipc-private
daemon: use 'private' ipc mode by default
2019-03-14 19:27:30 +01:00
Sebastiaan van Stijn
f73dd5fdad
Revert "Adding builder version"
This reverts commit f821f002e5.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-14 00:18:46 +01:00
Vincent Demeester
46036c2308
Merge pull request #37534 from thaJeztah/fix-distribution-500
Fix error 500 on distribution endpoint
2019-03-13 08:29:16 +01:00
John Howard
20833b06a0 Windows: (WCOW) Generate OCI spec that remote runtime can escape
Signed-off-by: John Howard <jhoward@microsoft.com>

Also fixes https://github.com/moby/moby/issues/22874

This commit is a pre-requisite to moving moby/moby on Windows to using
Containerd for its runtime.

The reason for this is that the interface between moby and containerd
for the runtime is an OCI spec which must be unambigious.

It is the responsibility of the runtime (runhcs in the case of
containerd on Windows) to ensure that arguments are escaped prior
to calling into HCS and onwards to the Win32 CreateProcess call.

Previously, the builder was always escaping arguments which has
led to several bugs in moby. Because the local runtime in
libcontainerd had context of whether or not arguments were escaped,
it was possible to hack around in daemon/oci_windows.go with
knowledge of the context of the call (from builder or not).

With a remote runtime, this is not possible as there's rightly
no context of the caller passed across in the OCI spec. Put another
way, as I put above, the OCI spec must be unambigious.

The other previous limitation (which leads to various subtle bugs)
is that moby is coded entirely from a Linux-centric point of view.

Unfortunately, Windows != Linux. Windows CreateProcess uses a
command line, not an array of arguments. And it has very specific
rules about how to escape a command line. Some interesting reading
links about this are:

https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
https://stackoverflow.com/questions/31838469/how-do-i-convert-argv-to-lpcommandline-parameter-of-createprocess
https://docs.microsoft.com/en-us/cpp/cpp/parsing-cpp-command-line-arguments?view=vs-2017

For this reason, the OCI spec has recently been updated to cater
for more natural syntax by including a CommandLine option in
Process.

What does this commit do?

Primary objective is to ensure that the built OCI spec is unambigious.

It changes the builder so that `ArgsEscaped` as commited in a
layer is only controlled by the use of CMD or ENTRYPOINT.

Subsequently, when calling in to create a container from the builder,
if follows a different path to both `docker run` and `docker create`
using the added `ContainerCreateIgnoreImagesArgsEscaped`. This allows
a RUN from the builder to control how to escape in the OCI spec.

It changes the builder so that when shell form is used for RUN,
CMD or ENTRYPOINT, it builds (for WCOW) a more natural command line
using the original as put by the user in the dockerfile, not
the parsed version as a set of args which loses fidelity.
This command line is put into args[0] and `ArgsEscaped` is set
to true for CMD or ENTRYPOINT. A RUN statement does not commit
`ArgsEscaped` to the commited layer regardless or whether shell
or exec form were used.
2019-03-12 18:41:55 -07:00
Sebastiaan van Stijn
ffa1728d4b
Normalize values for pids-limit
- Don't set `PidsLimit` when creating a container and
  no limit was set (or the limit was set to "unlimited")
- Don't set `PidsLimit` if the host does not have pids-limit
  support (previously "unlimited" was set).
- Do not generate a warning if the host does not have pids-limit
  support, but pids-limit was set to unlimited (having no
  limit set, or the limit set to "unlimited" is equivalent,
  so no warning is nescessary in that case).
- When updating a container, convert `0`, and `-1` to
  "unlimited" (`0`).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-13 00:27:05 +01:00
Kir Kolyshkin
596ca142e0 daemon: use 'private' ipc mode by default
This changes the default ipc mode of daemon/engine to be private,
meaning the containers will not have their /dev/shm bind-mounted
from the host by default. The benefits of doing this are:

 1. No leaked mounts. Eliminate a possibility to leak mounts into
    other namespaces (and therefore unfortunate errors like "Unable to
    remove filesystem for <ID>: remove /var/lib/docker/containers/<ID>/shm:
    device or resource busy").

 2. Working checkpoint/restore. Make `docker checkpoint`
    not lose the contents of `/dev/shm`, but save it to
    the dump, and be restored back upon `docker start --checkpoint`
    (currently it is lost -- while CRIU handles tmpfs mounts,
    the "shareable" mount is seen as external to container,
    and thus rightfully ignored).

3. Better security. Currently any container is opened to share
   its /dev/shm with any other container.

Obviously, this change will break the following usage scenario:

 $ docker run -d --name donor busybox top
 $ docker run --rm -it --ipc container:donor busybox sh
 Error response from daemon: linux spec namespaces: can't join IPC
 of container <ID>: non-shareable IPC (hint: use IpcMode:shareable
 for the donor container)

The soution, as hinted by the (amended) error message, is to
explicitly enable donor sharing by using --ipc shareable:

 $ docker run -d --name donor --ipc shareable busybox top

Compatibility notes:

1. This only applies to containers created _after_ this change.
   Existing containers are not affected and will work fine
   as their ipc mode is stored in HostConfig.

2. Old backward compatible behavior ("shareable" containers
   by default) can be enabled by either using
   `--default-ipc-mode shareable` daemon command line option,
   or by adding a `"default-ipc-mode": "shareable"`
   line in `/etc/docker/daemon.json` configuration file.

3. If an older client (API < 1.40) is used, a "shareable" container
   is created. A test to check that is added.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-03-09 18:57:42 -08:00
Kir Kolyshkin
ce7528ebdf postContainersCreate: minor nitpick
There are two if statements checking for exactly same conditions:

> if hostConfig != nil && versions.LessThan(version, "1.40")

Merge these.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-03-09 18:57:42 -08:00
Sebastiaan van Stijn
ca91918dd4
docs follow-ups for networks "dangling" filter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-28 17:54:31 +01:00
Vincent Demeester
ba641fef28
Merge pull request #31551 from KarthikNayak/dry_run
Network: add support for 'dangling' filter
2019-02-28 08:14:45 +01:00
Sebastiaan van Stijn
91d934b41b
Merge pull request #38791 from thaJeztah/update_api_changes
Fix container update resetting pidslimit on older API clients
2019-02-27 23:30:18 +01:00
karthik nayak
131cbaf5b7 Network: add support for 'dangling' filter
Like its counterpart in images and volumes, introduce the dangling
filter while listing networks. When the filter value is set to true,
only networks which aren't attached to containers and aren't builtin
networks are shown. When set to false, all builtin networks and
networks which are attached to containers are shown.

Signed-off-by: Karthik Nayak <Karthik.188@gmail.com>
2019-02-27 15:08:44 -05:00
Sebastiaan van Stijn
5861a0db22
Fix container update resetting pidslimit on older API clients
Older API clients did not use a pointer for `PidsLimit`, so
API requests would always send `0`, resulting in any previous
value to be reset after an update:

Before this patch:

(using a 17.06 Docker CLI):

```bash
docker run -dit --name test --pids-limit=16 busybox
docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
16

docker container update --memory=100M --memory-swap=200M test

docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
0

docker container exec test cat /sys/fs/cgroup/pids/pids.max
max
```

With this patch applied:

(using a 17.06 Docker CLI):

```bash
docker run -dit --name test --pids-limit=16 busybox
docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
16

docker container update --memory=100M --memory-swap=200M test

docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
16

docker container exec test cat /sys/fs/cgroup/pids/pids.max
16
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-24 16:32:32 +01:00
Sebastiaan van Stijn
fc77445147
Add new PidsLimit options to API version history
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-24 14:27:30 +01:00
Sebastiaan van Stijn
dd94555787
Merge pull request #32519 from darkowlzz/32443-docker-update-pids-limit
Add pids-limit support in docker update
2019-02-23 15:20:59 +01:00
Sunny Gogoi
74eb258ffb Add pids-limit support in docker update
- Adds updating PidsLimit in UpdateContainer().
- Adds setting PidsLimit in toContainerResources().

Signed-off-by: Sunny Gogoi <indiasuny000@gmail.com>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-02-21 14:17:38 -08:00
Brian Goff
cbb885b07a
Merge pull request #38632 from dperny/gmsa-support
Add support for GMSA CredentialSpecs from Swarmkit configs
2019-02-21 09:05:58 -08:00
Drew Erny
6f1d7ddfa4 Use Runtime target
The Swarmkit api specifies a target for configs called called "Runtime"
which indicates that the config is not mounted into the container but
has some other use. This commit updates the Docker api to reflect this.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-02-19 13:14:17 -06:00
Sebastiaan van Stijn
cdcea6f492
Handle correct status codes for distribution errors
This assists to address a regression where distribution errors were not properly
handled, resulting in a generic 500 (internal server error) to be returned for
`/distribution/name/json` if you weren't authenticated, whereas it should return
a 40x (401).

This patch attempts to extract the HTTP status-code that was returned by the
distribution code, and falls back to returning a 500 status if unable to match.

Before this change:

    curl -v --unix-socket /var/run/docker.sock http://localhost/distribution/name/json
    *   Trying /var/run/docker.sock...
    * Connected to localhost (/var/run/docker.sock) port 80 (#0)
    > GET /distribution/name/json HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 500 Internal Server Error
    < Api-Version: 1.37
    < Content-Type: application/json
    < Docker-Experimental: false
    < Ostype: linux
    < Server: Docker/dev (linux)
    < Date: Tue, 03 Jul 2018 15:52:53 GMT
    < Content-Length: 115
    <
    {"message":"errors:\ndenied: requested access to the resource is denied\nunauthorized: authentication required\n"}
    * Curl_http_done: called premature == 0
    * Connection #0 to host localhost left intact

daemon logs:

    DEBU[2018-07-03T15:52:51.424950601Z] Calling GET /distribution/name/json
    DEBU[2018-07-03T15:52:53.179895572Z] FIXME: Got an API for which error does not match any expected type!!!: errors:
    denied: requested access to the resource is denied
    unauthorized: authentication required
      error_type=errcode.Errors module=api
    ERRO[2018-07-03T15:52:53.179942783Z] Handler for GET /distribution/name/json returned error: errors:
    denied: requested access to the resource is denied
    unauthorized: authentication required

With this patch applied:

    curl -v --unix-socket /var/run/docker.sock http://localhost/distribution/name/json
    *   Trying /var/run/docker.sock...
    * Connected to localhost (/var/run/docker.sock) port 80 (#0)
    > GET /distribution/name/json HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < Api-Version: 1.38
    < Content-Type: application/json
    < Docker-Experimental: false
    < Ostype: linux
    < Server: Docker/dev (linux)
    < Date: Fri, 03 Aug 2018 14:58:09 GMT
    < Content-Length: 115
    <
    {"message":"errors:\ndenied: requested access to the resource is denied\nunauthorized: authentication required\n"}
    * Curl_http_done: called premature == 0
    * Connection #0 to host localhost left intact

daemon logs:

    DEBU[2018-08-03T14:58:08.018726228Z] Calling GET /distribution/name/json

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-08 10:35:36 +01:00
Sebastiaan van Stijn
d71ed3d326
Return "invalid parameter" (4xx) errors for distribution
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-08 10:35:26 +01:00
Justin Cormack
1603af9689
Merge pull request #38137 from tonistiigi/seccomp-ptrace
seccomp: allow ptrace(2) for 4.8+ kernels
2019-02-05 13:47:43 +00:00
Sebastiaan van Stijn
20383d504b Add support for using Configs as CredentialSpecs in services
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-04 15:29:33 -06:00
Yong Tang
87903f2fb5
Merge pull request #38609 from kwojcicki/enhancement/38518-docker_info_builder_version
Adding builder version
2019-02-01 07:04:11 +08:00
Sebastiaan van Stijn
7e7e100be0
Add HEAD support for /_ping endpoint
Monitoring systems and load balancers are usually configured to use HEAD
requests for health monitoring. The /_ping endpoint currently does not
support this type of request, which means that those systems have fallback
to GET requests.

This patch adds support for HEAD requests on the /_ping endpoint.

Although optional, this patch also returns `Content-Type` and `Content-Length`
headers in case of a HEAD request; Refering to RFC 7231, section 4.3.2:

    The HEAD method is identical to GET except that the server MUST NOT
    send a message body in the response (i.e., the response terminates at
    the end of the header section).  The server SHOULD send the same
    header fields in response to a HEAD request as it would have sent if
    the request had been a GET, except that the payload header fields
    (Section 3.3) MAY be omitted.  This method can be used for obtaining
    metadata about the selected representation without transferring the
    representation data and is often used for testing hypertext links for
    validity, accessibility, and recent modification.

    A payload within a HEAD request message has no defined semantics;
    sending a payload body on a HEAD request might cause some existing
    implementations to reject the request.

    The response to a HEAD request is cacheable; a cache MAY use it to
    satisfy subsequent HEAD requests unless otherwise indicated by the
    Cache-Control header field (Section 5.2 of [RFC7234]).  A HEAD
    response might also have an effect on previously cached responses to
    GET; see Section 4.3.5 of [RFC7234].

With this patch applied, either `GET` or `HEAD` requests work; the only
difference is that the body is empty in case of a `HEAD` request;

    curl -i --unix-socket /var/run/docker.sock http://localhost/_ping
    HTTP/1.1 200 OK
    Api-Version: 1.40
    Cache-Control: no-cache, no-store, must-revalidate
    Docker-Experimental: false
    Ostype: linux
    Pragma: no-cache
    Server: Docker/dev (linux)
    Date: Mon, 14 Jan 2019 12:35:16 GMT
    Content-Length: 2
    Content-Type: text/plain; charset=utf-8

    OK

    curl --head -i --unix-socket /var/run/docker.sock http://localhost/_ping
    HTTP/1.1 200 OK
    Api-Version: 1.40
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Length: 0
    Content-Type: text/plain; charset=utf-8
    Docker-Experimental: false
    Ostype: linux
    Pragma: no-cache
    Server: Docker/dev (linux)
    Date: Mon, 14 Jan 2019 12:34:15 GMT

The client is also updated to use `HEAD` by default, but fallback to `GET`
if the daemon does not support this method.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-31 18:18:24 +01:00
Yong Tang
393838ca5e
Merge pull request #38569 from thaJeztah/forget_about_it
Add Cache-Control headers to disable caching /_ping endpoint
2019-01-31 23:59:11 +08:00
Olli Janatuinen
80d7bfd54d Capabilities refactor
- Add support for exact list of capabilities, support only OCI model
- Support OCI model on CapAdd and CapDrop but remain backward compatibility
- Create variable locally instead of declaring it at the top
- Use const for magic "ALL" value
- Rename `cap` variable as it overlaps with `cap()` built-in
- Normalize and validate capabilities before use
- Move validation for conflicting options to validateHostConfig()
- TweakCapabilities: simplify logic to calculate capabilities

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-22 21:50:41 +02:00
Krystian Wojcicki
f821f002e5 Adding builder version
Signed-off-by: Krystian Wojcicki <kwojcicki@sympatico.ca>
2019-01-21 19:02:16 -05:00
Brian Goff
eaad3ee3cf Make sure timers are stopped after use.
`time.After` keeps a timer running until the specified duration is
completed. It also allocates a new timer on each call. This can wind up
leaving lots of uneccessary timers running in the background that are
not needed and consume resources.

Instead of `time.After`, use `time.NewTimer` so the timer can actually
be stopped.
In some of these cases it's not a big deal since the duraiton is really
short, but in others it is much worse.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-01-16 14:32:53 -08:00
Sebastiaan van Stijn
5f788fbf56
Add Cache-Control headers to disable caching /_ping endpoint
The result of this endpoint should not be cached, so it's better to
explicitly disable caching.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-14 22:03:23 +01:00
Sebastiaan van Stijn
5ccc0714f7
Swagger: fix "task logs" outside of "tasks" section
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-14 17:04:16 +01:00
Tibor Vass
b4842cfe88
Merge pull request #38354 from thaJeztah/fix_ipam_swagger
Swagger: fix definition of IPAM driver options
2019-01-09 23:17:00 +01:00
Sebastiaan van Stijn
72b0b0387d
Replace deprecated grpc.ErrorDesc() and grpc.Code() calls
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-30 12:34:28 +01:00
Olli Janatuinen
153171e9dd Added support for maximum replicas per node to services
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2018-12-24 02:04:15 +02:00
Sebastiaan van Stijn
c4c4963228
Unify API-version checks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-17 11:30:29 +01:00
Sebastiaan van Stijn
a5dd68186c
Swagger: fix definition of IPAM driver options
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-12 01:46:34 +01:00
Sebastiaan van Stijn
852542b397
Merge pull request #38284 from cpuguy83/context_in_api
Rely on request.Context() cancellation
2018-11-28 17:00:09 +01:00
Brian Goff
05390c4f6e Rely on request.Context() cancellation
The cancellable handler is no longer needed as the context that is
passed with the http request will be cancelled just like the close
notifier was doing.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-11-27 17:06:31 -08:00
Brian Goff
d5916f6393 Update gorilla/mux
This fixes an issue with mux usage of context for storing vars.
Also the old version is 2 years old.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-11-27 17:06:20 -08:00
Sebastiaan van Stijn
bb7de1f7cb
Minor docs touch-ups for KernelMemoryTCP support
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-27 22:54:20 +01:00
Yong Tang
ee74cd777a Skip KernelMemoryTCP if version is less than 1.40
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-11-26 21:04:27 +00:00
Yong Tang
f023816608 Add memory.kernelTCP support for linux
This fix tries to address the issue raised in 37038 where
there were no memory.kernelTCP support for linux.

This fix add MemoryKernelTCP to HostConfig, and pass
the config to runtime-spec.

Additional test case has been added.

This fix fixes 37038.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-11-26 21:03:08 +00:00
Vincent Demeester
c7a3c3cd94
Merge pull request #38239 from tiborvass/filters-clone
filters: add Clone() method
2018-11-26 20:11:50 +01:00
selansen
32180ac0c7 VXLAN UDP Port configuration support
This commit contains changes to configure DataPathPort
option. By default we use 4789 port number. But this commit
will allow user to configure port number during swarm init.
DataPathPort can't be modified after swarm init.
Signed-off-by: selansen <elango.siva@docker.com>
2018-11-22 17:35:02 -05:00
Tibor Vass
59eacf28d6 filters: add Clone() method
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-11-21 19:10:52 +00:00
Tibor Vass
369da264ba builder: deprecate prune filter unused-for in favor of until
This is to keep the UX consistent. `unused-for` is still accepted and a synonym.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-11-21 01:39:53 +00:00
Yong Tang
04287e4934
Merge pull request #38196 from thaJeztah/fence_default_addr_pools
Ignore default address-pools on API < 1.39
2018-11-19 20:23:09 -08:00
Sebastiaan van Stijn
2e8c913dbd
Add missing default address pool fields to swagger
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-18 01:52:28 +01:00
Sebastiaan van Stijn
7632ccbc66
Ignore default address-pools on API < 1.39
These options were added in API 1.39, so should be ignored
when using an older version of the API.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-13 14:04:06 +01:00
Sebastiaan van Stijn
06a4fd5009
Merge pull request #38141 from thaJeztah/handle_invalid_json
API: properly handle invalid JSON to return a 400 status
2018-11-08 12:22:02 +01:00
Sebastiaan van Stijn
c7b488fbc8
API: properly handle invalid JSON to return a 400 status
The API did not treat invalid JSON payloads as a 400 error, as a result
returning a 500 error;

Before this change, an invalid JSON body would return a 500 error;

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json" \
  -d '{invalid json'
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 13
>
* upload completely sent off: 13 out of 13 bytes
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.40
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Mon, 05 Nov 2018 11:55:20 GMT
< Content-Length: 79
<
{"message":"invalid character 'i' looking for beginning of object key string"}
```

Empty request:

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json"
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.38
< Content-Length: 18
< Content-Type: application/json
< Date: Mon, 05 Nov 2018 12:00:18 GMT
< Docker-Experimental: true
< Ostype: linux
< Server: Docker/18.06.1-ce (linux)
<
{"message":"EOF"}
```

After this change, a 400 is returned;

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json" \
  -d '{invalid json'
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 13
>
* upload completely sent off: 13 out of 13 bytes
< HTTP/1.1 400 Bad Request
< Api-Version: 1.40
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Mon, 05 Nov 2018 11:57:15 GMT
< Content-Length: 79
<
{"message":"invalid character 'i' looking for beginning of object key string"}
```

Empty request:

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json"
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 400 Bad Request
< Api-Version: 1.40
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Mon, 05 Nov 2018 11:59:22 GMT
< Content-Length: 49
<
{"message":"got EOF while reading request body"}
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-06 21:30:44 +01:00
Akihiro Suda
596cdffb9f mount: add BindOptions.NonRecursive (API v1.40)
This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind".

Swarm-mode will be supported in a separate PR because of mutual vendoring.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-11-06 17:51:58 +09:00
Tonis Tiigi
1124543ca8 seccomp: allow ptrace for 4.8+ kernels
4.8+ kernels have fixed the ptrace security issues
so we can allow ptrace(2) on the default seccomp
profile if we do the kernel version check.

93e35efb8d

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-11-04 13:06:43 -08:00
Sebastiaan van Stijn
cb9d2cb71b
Move support for sysctl options in services to API v1.40
This feature was added in 14da20f5e7,
and was merged after API v1.39 shipped as part of the Docker 18.09
release candidates.

This commit moves the feature to the correct API version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-10-26 15:39:36 +02:00
Sebastiaan van Stijn
e238713cc9
Update API version to v1.40
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-10-26 15:34:27 +02:00
Brian Goff
5bdfa19b86 Add more API doc details on service update version.
Hopefully this removes some confusion as to what this version number
should be.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-10-15 08:31:31 -07:00
Tibor Vass
d6ac2b0db0 builder: treat unset keep-storage as 0
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-10-08 23:58:54 +00:00
Dani Louca
78fd978454 Masking credentials from proxy URL
Signed-off-by: Dani Louca <dani.louca@docker.com>
2018-10-01 14:06:00 -04:00