Fix#24803 as this had been failing sometimes.
As the parallel tests are probably genuine failures, and
had already been cut down, I will re-create these specifically
as a parallel execution test with no seccomp to make the
cause clearer.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 84ec04306c)
Signed-off-by: Victor Vieux <vieux@docker.com>
This fix tries to address the issue raised in 25927 where
the HTTP headers have been chaged when AUthZ plugin is in
place.
This issue is that in `FlushAll` (`pkg/authorization/response.go`),
the headers have been written (with `WriteHeader`) before all the
headers have bee copied.
This fix fixes the issue by placing `WriteHeader` after.
A test has been added to cover the changes.`
This fix fixes 25927
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 9cb8fb6ea0)
Signed-off-by: Victor Vieux <vieux@docker.com>
We attached the JSON flag to the wrong AST node, causing Docker to treat
the exec form ["binary", "arg"] as if the shell form "binary arg" had
been used. This failed if "ls" was not present.
Added a test to detect this.
Fixes#26174
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
(cherry picked from commit e95b6b51da)
Signed-off-by: Victor Vieux <vieux@docker.com>
This is an attempt to fix the flaky test of TestSwarmNodeTaskListFilter in 25029.
Basically this fix adds a check to wait until 3 containers has already up,
before processing `node tasks ...`.
This might fix 25029.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 63c0366bc9)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25375 where
`service update --publish-add` returns an error if the exact
same value is repeated (idempotent).
This fix use a map to filter out repeated port configs so
that `--publish-add` does not error out.
An integration test has been added.
This fix fixes 25375.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit b487497cd2)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25374 where the
output of `docker ps --filter` is in random order and
not deterministic.
This fix sorts the list of containers by creation time so that the
output is deterministic.
An integration test has been added.
This fix fixes 25374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 3f97133546)
Signed-off-by: Tibor Vass <tibor@docker.com>
This prevents unnecessary API call to containerd.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit b867f6c6e1)
Signed-off-by: Tibor Vass <tibor@docker.com>
It's too long to wait for reschedule.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
(cherry picked from commit 307b7b0d15)
Signed-off-by: Tibor Vass <tibor@docker.com>
Rather than conflict with the unexposed task model, change the names of
the object-oriented task display to `docker <object> ps`. The command
works identically to `docker service tasks`. This change is superficial.
This provides a more sensical docker experience while not trampling on
the task model that may be introduced as a top-level command at a later
date.
The following is an example of the display using `docker service ps`
with a service named `condescending_cori`:
```
$ docker service ps condescending_cori
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 13 minutes ago Running 6c6d232a5d0e
```
The following shows the output for the node on which the command is
running:
```console
$ docker node ps self
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
b1tpbi43k1ibevg2e94bmqo0s mad_kalam.1 mad_kalam apline Accepted 2 seconds ago Accepted 6c6d232a5d0e
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 12 minutes ago Running 6c6d232a5d0e
4x609m5o0qyn0kgpzvf0ad8x5 furious_davinci.1 furious_davinci redis Running 32 minutes ago Running 6c6d232a5d0e
```
Signed-off-by: Stephen J Day <stephen.day@docker.com>
(cherry picked from commit 0aa4e1e689)
Remove the swarm inspect command and use docker info instead to display
swarm information if the current node is a manager.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit e6923f6d75)
Signed-off-by: Tibor Vass <tibor@docker.com>
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 57ae29aa74)
Signed-off-by: Tibor Vass <tibor@docker.com>
When daemon has liveRestore set, daemon shutdown should not shutdown
plugins. Fixes#24759
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 4a44cf1d4c)
Signed-off-by: Tibor Vass <tibor@docker.com>
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit a0ccd0d42f)
Signed-off-by: Tibor Vass <tibor@docker.com>
This renames the `rotate_xxx` flags to camelBack, for
consistency with other API query-params, such as
`detachKeys`, `noOverwriteDirNonDir`, and `fromImage`.
Also makes this flag accept a wider range of boolean
values ("0", "1", "true", "false"), and throw an error
if an invalid value is passed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bd81df1278)
Signed-off-by: Tibor Vass <tibor@docker.com>
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 2cc5bd33ee)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix is an extension to last commit to expand the partial
filter to node and task searches.
Additional integration tests have been added to cover the changes.
This fix fixes 24270.
This fix fixes 24112.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit e734fa58ea)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 24270 where it was
not possible to have a partial name match when list services
with name filter.
This fix updates swarmkit and allows prefix search when name is
provided as the filter for listing services.
An additional integration test is added to cover the changes.
This fix fixes 24270.
Note: A separate pull request will be opened on swarmkit.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 1d600ebcb5)
Signed-off-by: Tibor Vass <tibor@docker.com>
Unix sockets are limited to 108 bytes. As a result, we need to be
careful in not using exec-root as the parent directory for pluginID
(which is already 64 bytes), since it can result in socket path names
longer than 108 bytes. Use /tmp instead. Before this change, setting:
- dockerd --exec-root=/go/src/github.com/do passes
- dockerd --exec-root=/go/src/github.com/doc fails
After this change, there's no failure.
Also, write a volume plugins test to verify that the plugins socket
responds.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit 21ecd5a93d)
Signed-off-by: Tibor Vass <tibor@docker.com>
Add a `--network` flag which replaces `--net` without deprecating it
yet. The `--net` flag remains hidden and supported.
Add a `--network-alias` flag which replaces `--net-alias` without deprecating
it yet. The `--net-alias` flag remains hidden and supported.
Signed-off-by: Arnaud Porterie (icecrime) <arnaud.porterie@docker.com>
(cherry picked from commit c0c7d5e715)
Signed-off-by: Tibor Vass <tibor@docker.com>