This is an attempt to fix the flaky test of TestSwarmNodeTaskListFilter in 25029.
Basically this fix adds a check to wait until 3 containers has already up,
before processing `node tasks ...`.
This might fix 25029.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 63c0366bc9)
Signed-off-by: Tibor Vass <tibor@docker.com>
These flags were not supported (daemon returns an error), and it was an
oversight. They were not present in completion scripts.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 3a7e90c743)
Signed-off-by: Tibor Vass <tibor@docker.com>
/proc/timer_list seems to leak information about the host. Here is
an example from a busybox container running on docker+kubernetes.
# cat /proc/timer_list | grep -i -e kube
<ffff8800b8cc3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2497
<ffff880129ac3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3478
<ffff8800b1b77db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3470
<ffff8800bb6abdb0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2499
Signed-Off-By: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit 03bd00b68f)
Signed-off-by: Tibor Vass <tibor@docker.com>
With the latest OL7.2, selinux policy that is shipped
might not be the latest for it to work or build with
selinux policy for docker-1.12.
To be able to achieve that here is what is done:
1. Added systemd_machined policy which is part of systemd.
2. Temporarily comment out unconfined_typebounds because the
current OL7's selinux doesn't have unconfineduser selinux policy,
to include this will be too much. Will revisit this once we have
updated the selinux policy.
Fixes: #24612
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
(cherry picked from commit d6cae872c7)
Signed-off-by: Tibor Vass <tibor@docker.com>
This patch allows to only release the packages that were built and are
present under the bundles/ directory instead of assuming packages exist
for all distros enumerated in the contrib/builder/ directory.
It also now adds support for armhf architecture for apt repositories.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 2ff2e9a730)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25375 where
`service update --publish-add` returns an error if the exact
same value is repeated (idempotent).
This fix use a map to filter out repeated port configs so
that `--publish-add` does not error out.
An integration test has been added.
This fix fixes 25375.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit b487497cd2)
Signed-off-by: Tibor Vass <tibor@docker.com>
Docker 1.12 ships with an updated unit file on RPM
based distros. Users that have local modifications
to the unit file, or have a drop-in file installed
may not automatically get the updated unit file,
or get an error when starting docker.
This adds a warning to the changelog, and instructions
on how to resolve the issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 66b656684e)
Signed-off-by: Tibor Vass <tibor@docker.com>
Only open_by_handle_at requires CAP_DAC_READ_SEARCH.
This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit c1ca124682)
Signed-off-by: Tibor Vass <tibor@docker.com>
In cases there are failures in task start, swarmkit might be trying to
restart the task again in the same node which might keep failing. This
creates a race where when a failed task is getting removed it might
remove the associated network while another task for the same service
or a different service but connected to the same network is proceeding
with starting the container knowing that the network is still
present. Fix this by reacting to `ErrNoSuchNetwork` error during
container start by trying to recreate the managed networks. If they
have been removed it will be recreated. If they are already present
nothing bad will happen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
(cherry picked from commit 117cef5e97)
Signed-off-by: Tibor Vass <tibor@docker.com>
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.
The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.
The fedora policy is from commit
4a6ce94da5
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit 32b1f26c51)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue in 25404 where updating environmental
variable in `service update --env-add` will not work.
The issue is because `--env-add` will only append the env, not update if
the same env already exist.
This fix tracks the env variable with a map and update if the variable
is the same.
An integration test has been added.
This fix fixes 25404.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit c6de8add5f)
Signed-off-by: Tibor Vass <tibor@docker.com>
Unlike `docker run -v..`, `docker service create --mount`
does not allow bind-mounting non-existing host paths.
This adds validation for the specified `source`, and
produces an error if the path is not found on the
host.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 84d5ab96ef)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25374 where the
output of `docker ps --filter` is in random order and
not deterministic.
This fix sorts the list of containers by creation time so that the
output is deterministic.
An integration test has been added.
This fix fixes 25374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 3f97133546)
Signed-off-by: Tibor Vass <tibor@docker.com>
This is intended as a minor fix for 1.12.1 so that task creation doesn't
do unexpected things when the user supplies erroneous paths.
In particular, because we're currently using hostConfig.Binds to setup
mounts, if a user uses an absolute path for a volume mount source, or a
non-absolute path for a bind mount source, the engine will do the
opposite of what the user requested since all absolute paths are
treated as binds and all non-absolute paths are treated as named
volumes.
Fixes#25253
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 38f8b0eb10)
Signed-off-by: Tibor Vass <tibor@docker.com>
Printing off networks as part of --pretty was missing a newline, causing
the next thing printed to be concatenated onto the end of the line.
Added an empty println after all networks are printed.
Signed-off-by: Drew Erny <drew.erny@docker.com>
(cherry picked from commit 02ebaf364f)
Signed-off-by: Tibor Vass <tibor@docker.com>
this change improves the instructions for
swarm join-token and swarm init;
- only print the join-token command for workers
instead of for both managers and workers, to
prevent users from copying the wrong command.
An extra line is added to explain how to obtain
the manager token.
- print a message that a token was rotated
sucesfully if '--rotate' is used.
- add some extra white-space before / after
the join commands, to make copy/pasting
easier.
this change also does some refactoring of join-token;
- move flagname-constants together with other constants
- use variables for selected role ("worker" / "manager")
to prevent checking for them multiple times, and to
keep the "worker" / "manager" sting centralized
- add an extra blank line after "join-token" instructions
this makes it easier to copy, and cleans up the
code a tiny bit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ebebd41769)
Signed-off-by: Tibor Vass <tibor@docker.com>
On daemon restart the local volume driver will read options that it
persisted to disk, however it was reading an incorrect path, causing
volume options to be silently ignored after a daemon restart.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit c560dd9686)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25195 where external
CA configurations are not present in `docker info`.
This fix adds the output of external CAs in `docker info` in swarm
mode.
The test is done manually with:
```
docker run -p 8888:8888 -e CXFSSL_ADDRESS=0.0.0.0 -d fabric8/cfssl
docker swarm init --external-ca protocol=cfssl,url=http://172.17.0.2:8888
```
The `docker info` output:
```
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot interval: 10000
Heartbeat tick: 1
Election tick: 3
Dispatcher:
Heartbeat period: 5 seconds
CA configuration:
Expiry duration: 3 months
External CAs:
cfssl: https://172.17.0.2:8888
```
This fix fixes 25195.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 995128e9eb)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to improve error messages when IP address
autodetection fails, as is specified in 25141.
Previously, error messages only indicate that multiple IPs
exist when autodetection fails. In this fix, if one
interface consists of multiple addresses or multiple
interfaces consist of addresses, the error messages output
the address names and interface names so that end user could
take notice.
This fix is verified manually.
When multiple addresses exist on multiple interfaces:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses on different
interfaces (192.168.186.128 on ens33 and 192.168.100.199 on eth10)
- specify one with --advertise-addr
```
When multiple addresses exist on single interface:
```
$ sudo docker swarm init
Error response from daemon: could not choose an IP address
to advertise since this system has multiple addresses
on interface ens33 (192.168.186.128 and 192.168.55.199)
- specify one with --advertise-addr
```
This fix fixes 25141.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 59db01049a)
Signed-off-by: Tibor Vass <tibor@docker.com>
