Commit graph

1192 commits

Author SHA1 Message Date
Sebastiaan van Stijn
cb3ec99b16
Merge pull request #40491 from thaJeztah/remove_deprecated_filters_opt
API: remove deprecated "filter" parameter for API v1.41 and up
2020-02-11 11:22:44 +01:00
Sebastiaan van Stijn
9f0b3f5609
bump gotest.tools v3.0.1 for compatibility with Go 1.14
full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-11 00:06:42 +01:00
Sebastiaan van Stijn
4a1900915a
API: remove deprecated "filter" parameter for API v1.41 and up
This query-parameter was deprecated in docker 1.13 in commit
820b809e70, and scheduled for
removal in docker 17.12, so we should remove it for the next
API version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-10 17:21:01 +01:00
Drew Erny
30d9fe30b1 Add swarm jobs
Adds support for ReplicatedJob and GlobalJob service modes. These modes
allow running service which execute tasks that exit upon success,
instead of daemon-type tasks.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2020-01-13 13:21:12 -06:00
Sebastiaan van Stijn
954d729ab8
Merge pull request #40079 from thaJeztah/cleanup_build
API: cleanup build endpoint code
2020-01-09 21:05:19 +01:00
Tibor Vass
a9416c67da
Merge pull request #40259 from thaJeztah/more_constants
api/server/router: use consts for HTTP methods
2019-12-19 17:57:47 +01:00
Sebastiaan van Stijn
04203d13fb
api/server: build: refactor for better readability
- construct the initial options as a literal
- move validation for windows up, and fail early
- move all API-version handling together

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-04 16:19:01 +01:00
Sebastiaan van Stijn
9709f6b95e
api/server: build: use locally scoped variables
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-04 16:18:59 +01:00
Sebastiaan van Stijn
20e3b5ba2c
api/types: minor BuilderVersion refactor
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-04 16:18:51 +01:00
Sebastiaan van Stijn
c9b2a3cff5
api: normalize comment formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-27 15:37:30 +01:00
Sebastiaan van Stijn
90aa0901da
api/server/router: use consts for HTTP methods
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-26 21:55:29 +01:00
Justin Cormack
f681590a25
Merge pull request #40081 from thaJeztah/http_constants
Use http constants for HTTP methods and status codes
2019-10-17 11:30:26 -07:00
Drew Erny
f36042d259 Add support for sending down service Running and Desired task counts
Adds a new ServiceStatus field to the Service object, which includes the
running and desired task counts. This new field is gated behind a
"status" query parameter.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-10-14 10:43:00 -05:00
Sebastiaan van Stijn
93100adb69
api/server: use constants for http methods
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-13 17:30:19 +02:00
Tibor Vass
6ca3ec88ae builder: remove legacy build's session handling
This feature was used by docker build --stream and it was kept experimental.

Users of this endpoint should enable BuildKit anyway by setting Version to BuilderBuildKit.

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-10-02 20:29:15 +00:00
Sebastiaan van Stijn
4e621a34ac
api/server: explicitly ignore unhandled errors (errcheck)
```
api/server/router/build/build_routes.go:309:41: Error return value of `(*encoding/json.Decoder).Decode` is not checked (errcheck)
api/server/router/build/build_routes.go:431:11: Error return value of `io.Copy` is not checked (errcheck)
api/server/router/container/container_routes.go:582:13: Error return value of `conn.Write` is not checked (errcheck)
api/server/router/grpc/grpc_routes.go:38:12: Error return value of `conn.Write` is not checked (errcheck)
api/server/router/grpc/grpc_routes.go:39:12: Error return value of `resp.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:94:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:139:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:164:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/image/image_routes.go:180:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/plugin/plugin_routes.go:126:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/plugin/plugin_routes.go:165:15: Error return value of `output.Write` is not checked (errcheck)
api/server/router/plugin/plugin_routes.go:273:15: Error return value of `output.Write` is not checked (errcheck)
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:57:46 +02:00
Sebastiaan van Stijn
0507c358d9
API: explicitely ignore unhandled errors
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:57:13 +02:00
Sebastiaan van Stijn
07ff4f1de8
goimports: fix imports
Format the source according to latest goimports.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-18 12:56:54 +02:00
Derek McGowan
2816ec7b00
Remove unused router swapper
The router swapper was previously used to toggle
a debug mode, that code has since been removed.
Now this router is unnecessary.

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2019-09-04 13:50:03 -07:00
Jintao Zhang
9134130b39 Remove SystemInfo() error handling.
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
2019-08-29 07:44:39 +08:00
Sebastiaan van Stijn
f8a0f26843 DebugRequestMiddleware: Remove path handling
Path-specific rules were removed, so this is no longer used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 530e63c1a61b105a6f7fc143c5acb9b5cd87f958)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
73db8c77bf DebugRequestMiddleware: unconditionally scrub data field
Commit 77b8465d7e added a secret update
endpoint to allow updating labels on existing secrets. However, when
implementing the endpoint, the DebugRequestMiddleware was not updated
to scrub the Data field (as is being done when creating a secret).

When updating a secret (to set labels), the Data field should be either
`nil` (not set), or contain the same value as the existing secret. In
situations where the Data field is set, and the `dockerd` daemon is
running with debugging enabled / log-level debug, the base64-encoded
value of the secret is printed to the daemon logs.

The docker cli does not have a `docker secret update` command, but
when using `docker stack deploy`, the docker cli sends the secret
data both when _creating_ a stack, and when _updating_ a stack, thus
leaking the secret data if the daemon runs with debug enabled:

1. Start the daemon in debug-mode

        dockerd --debug

2. Initialize swarm

        docker swarm init

3. Create a file containing a secret

        echo secret > my_secret.txt

4. Create a docker-compose file using that secret

        cat > docker-compose.yml <<'EOF'
        version: "3.3"
        services:
          web:
            image: nginx:alpine
            secrets:
              - my_secret
        secrets:
          my_secret:
            file: ./my_secret.txt
        EOF

5. Deploy the stack

        docker stack deploy -c docker-compose.yml test

6. Verify that the secret is scrubbed in the daemon logs

        DEBU[2019-07-01T22:36:08.170617400Z] Calling POST /v1.30/secrets/create
        DEBU[2019-07-01T22:36:08.171364900Z] form data: {"Data":"*****","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}

7. Re-deploy the stack to trigger an "update"

        docker stack deploy -c docker-compose.yml test

8. Notice that this time, the Data field is not scrubbed, and the base64-encoded secret is logged

        DEBU[2019-07-01T22:37:35.828819400Z] Calling POST /v1.30/secrets/w3hgvwpzl8yooq5ctnyp71v52/update?version=34
        DEBU[2019-07-01T22:37:35.829993700Z] form data: {"Data":"c2VjcmV0Cg==","Labels":{"com.docker.stack.namespace":"test"},"Name":"test_my_secret"}

This patch modifies `maskSecretKeys` to unconditionally scrub `Data` fields.
Currently, only the `secrets` and `configs` endpoints use a field with this
name, and no other POST API endpoints use a data field, so scrubbing this
field unconditionally will only scrub requests for those endpoints.

If a new endpoint is added in future where this field should not be scrubbed,
we can re-introduce more fine-grained (path-specific) handling.

This patch introduces some change in behavior:

- In addition to secrets, requests to create or update _configs_ will
  now have their `Data` field scrubbed. Generally, the actual data should
  not be interesting for debugging, so likely will not be problematic.
  In addition, scrubbing this data for configs may actually be desirable,
  because (even though they are not explicitely designed for this purpose)
  configs may contain sensitive data (credentials inside a configuration
  file, e.g.).
- Requests that send key/value pairs as a "map" and that contain a
  key named "data", will see the value of that field scrubbed. This
  means that (e.g.) setting a `label` named `data` on a config, will
  scrub/mask the value of that label.
- Note that this is already the case for any label named `jointoken`,
  `password`, `secret`, `signingcakey`, or `unlockkey`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7ce4be93ae8edd2da62a588e01c67313a4aba0c)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
ebb542b3f8 TestMaskSecretKeys: use subtests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 32d70c7e21631224674cd60021d3ec908c2d888c)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
18dac2cf32 TestMaskSecretKeys: add more test-cases
Add tests for

- case-insensitive matching of fields
- recursive masking

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit db5f811216e70bcb4a10e477c1558d6c68f618c5)
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-07-09 21:42:12 +00:00
Sebastiaan van Stijn
c85fe2d224
Merge pull request #38522 from cpuguy83/fix_timers
Make sure timers are stopped after use.
2019-06-07 13:16:46 +02:00
Kirill Kolyshkin
1d5748d975
Merge pull request #39173 from olljanat/25885-capabilities-swarm
Add support for capabilities options in services
2019-06-06 15:03:46 -07:00
Tibor Vass
6104eb1ae2 build: fix panic when exporting to tar
Fixes a panic on `docker build -t foo -o - . >/dev/null`

Signed-off-by: Tibor Vass <tibor@docker.com>
2019-06-03 22:34:15 +00:00
Olli Janatuinen
f787b235de Add support capabilities list on services
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2019-05-28 19:52:36 +03:00
Sebastiaan van Stijn
7bacd1d6dc
Move CgroupnsMode feature to API v1.41
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-05-13 15:04:28 -07:00
Rob Gulewich
072400fc4b Make cgroup namespaces configurable
This adds both a daemon-wide flag and a container creation property:
- Set the `CgroupnsMode: "host|private"` HostConfig property at
  container creation time to control what cgroup namespace the container
  is created in
- Set the `--default-cgroupns-mode=host|private` daemon flag to control
  what cgroup namespace containers are created in by default
- Set the default if the daemon flag is unset to "host", for backward
  compatibility
- Default to CgroupnsMode: "host" for client versions < 1.40

Signed-off-by: Rob Gulewich <rgulewich@netflix.com>
2019-05-07 10:22:16 -07:00
Xiao YongBiao
372b9f769e Remove the "err == nil" because is always equal nil.
Signed-off-by: Xiao YongBiao <xyb4638@gmail.com>
2019-04-08 12:28:43 +08:00
Tibor Vass
05c5d20a2c grpc: register BuildKit controller to /grpc
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-04-02 19:57:59 +00:00
Tibor Vass
e8382ece65 api: add undocumented /grpc endpoint to talk to GRPC services
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-04-02 19:57:59 +00:00
Tõnis Tiigi
25661a3a04
Merge pull request #38793 from thaJeztah/pids_limit_improvements
Some refactoring on PidsLimit
2019-03-21 13:44:05 -07:00
Akihiro Suda
7fc0f820ea builder-next: fix squash
Tagger was not called for BuildKit-mode.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-03-21 01:08:55 +09:00
Sebastiaan van Stijn
e7b5f7dbe9
Merge pull request #38891 from thaJeztah/warn_manager_count
Return a warning when running in a two-manager setup
2019-03-19 22:54:53 +01:00
Tonis Tiigi
768c6d7b29 builder-next: allow outputs configuration
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2019-03-19 10:28:30 -07:00
Sebastiaan van Stijn
81eef17e38
Return a warning when running in a two-manager setup
Running a cluster in a two-manager configuration effectively *doubles*
the chance of loosing control over the cluster (compared to running
in a single-manager setup). Users may have the assumption that having
two managers provides fault tolerance, so it's best to warn them if
they're using this configuration.

This patch adds a warning to the `info` response if Swarm is configured
with two managers:

    WARNING: Running Swarm in a two-manager configuration. This configuration provides
             no fault tolerance, and poses a high risk to loose control over the cluster.
             Refer to https://docs.docker.com/engine/swarm/admin_guide/ to configure the
             Swarm for fault-tolerance.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-18 14:36:00 +01:00
Sebastiaan van Stijn
2a9c987e5a
Move httputils error helpers to errdefs package
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-16 00:42:23 +01:00
Sebastiaan van Stijn
1af30c50ca
Add httputils.FromStatusCode()
This utility allows a client to convert an API response
back to a typed error; allowing the client to perform
different actions based on the type of error, without
having to resort to string-matching the error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-16 00:39:48 +01:00
Sebastiaan van Stijn
ca0b64ee3b
Merge pull request #35621 from kolyshkin/ipc-private
daemon: use 'private' ipc mode by default
2019-03-14 19:27:30 +01:00
Sebastiaan van Stijn
f73dd5fdad
Revert "Adding builder version"
This reverts commit f821f002e5.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-14 00:18:46 +01:00
Vincent Demeester
46036c2308
Merge pull request #37534 from thaJeztah/fix-distribution-500
Fix error 500 on distribution endpoint
2019-03-13 08:29:16 +01:00
Sebastiaan van Stijn
ffa1728d4b
Normalize values for pids-limit
- Don't set `PidsLimit` when creating a container and
  no limit was set (or the limit was set to "unlimited")
- Don't set `PidsLimit` if the host does not have pids-limit
  support (previously "unlimited" was set).
- Do not generate a warning if the host does not have pids-limit
  support, but pids-limit was set to unlimited (having no
  limit set, or the limit set to "unlimited" is equivalent,
  so no warning is nescessary in that case).
- When updating a container, convert `0`, and `-1` to
  "unlimited" (`0`).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-13 00:27:05 +01:00
Kir Kolyshkin
596ca142e0 daemon: use 'private' ipc mode by default
This changes the default ipc mode of daemon/engine to be private,
meaning the containers will not have their /dev/shm bind-mounted
from the host by default. The benefits of doing this are:

 1. No leaked mounts. Eliminate a possibility to leak mounts into
    other namespaces (and therefore unfortunate errors like "Unable to
    remove filesystem for <ID>: remove /var/lib/docker/containers/<ID>/shm:
    device or resource busy").

 2. Working checkpoint/restore. Make `docker checkpoint`
    not lose the contents of `/dev/shm`, but save it to
    the dump, and be restored back upon `docker start --checkpoint`
    (currently it is lost -- while CRIU handles tmpfs mounts,
    the "shareable" mount is seen as external to container,
    and thus rightfully ignored).

3. Better security. Currently any container is opened to share
   its /dev/shm with any other container.

Obviously, this change will break the following usage scenario:

 $ docker run -d --name donor busybox top
 $ docker run --rm -it --ipc container:donor busybox sh
 Error response from daemon: linux spec namespaces: can't join IPC
 of container <ID>: non-shareable IPC (hint: use IpcMode:shareable
 for the donor container)

The soution, as hinted by the (amended) error message, is to
explicitly enable donor sharing by using --ipc shareable:

 $ docker run -d --name donor --ipc shareable busybox top

Compatibility notes:

1. This only applies to containers created _after_ this change.
   Existing containers are not affected and will work fine
   as their ipc mode is stored in HostConfig.

2. Old backward compatible behavior ("shareable" containers
   by default) can be enabled by either using
   `--default-ipc-mode shareable` daemon command line option,
   or by adding a `"default-ipc-mode": "shareable"`
   line in `/etc/docker/daemon.json` configuration file.

3. If an older client (API < 1.40) is used, a "shareable" container
   is created. A test to check that is added.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-03-09 18:57:42 -08:00
Kir Kolyshkin
ce7528ebdf postContainersCreate: minor nitpick
There are two if statements checking for exactly same conditions:

> if hostConfig != nil && versions.LessThan(version, "1.40")

Merge these.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-03-09 18:57:42 -08:00
Sebastiaan van Stijn
5861a0db22
Fix container update resetting pidslimit on older API clients
Older API clients did not use a pointer for `PidsLimit`, so
API requests would always send `0`, resulting in any previous
value to be reset after an update:

Before this patch:

(using a 17.06 Docker CLI):

```bash
docker run -dit --name test --pids-limit=16 busybox
docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
16

docker container update --memory=100M --memory-swap=200M test

docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
0

docker container exec test cat /sys/fs/cgroup/pids/pids.max
max
```

With this patch applied:

(using a 17.06 Docker CLI):

```bash
docker run -dit --name test --pids-limit=16 busybox
docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
16

docker container update --memory=100M --memory-swap=200M test

docker container inspect --format '{{json .HostConfig.PidsLimit}}' test
16

docker container exec test cat /sys/fs/cgroup/pids/pids.max
16
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-24 16:32:32 +01:00
Drew Erny
6f1d7ddfa4 Use Runtime target
The Swarmkit api specifies a target for configs called called "Runtime"
which indicates that the config is not mounted into the container but
has some other use. This commit updates the Docker api to reflect this.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-02-19 13:14:17 -06:00
Sebastiaan van Stijn
cdcea6f492
Handle correct status codes for distribution errors
This assists to address a regression where distribution errors were not properly
handled, resulting in a generic 500 (internal server error) to be returned for
`/distribution/name/json` if you weren't authenticated, whereas it should return
a 40x (401).

This patch attempts to extract the HTTP status-code that was returned by the
distribution code, and falls back to returning a 500 status if unable to match.

Before this change:

    curl -v --unix-socket /var/run/docker.sock http://localhost/distribution/name/json
    *   Trying /var/run/docker.sock...
    * Connected to localhost (/var/run/docker.sock) port 80 (#0)
    > GET /distribution/name/json HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 500 Internal Server Error
    < Api-Version: 1.37
    < Content-Type: application/json
    < Docker-Experimental: false
    < Ostype: linux
    < Server: Docker/dev (linux)
    < Date: Tue, 03 Jul 2018 15:52:53 GMT
    < Content-Length: 115
    <
    {"message":"errors:\ndenied: requested access to the resource is denied\nunauthorized: authentication required\n"}
    * Curl_http_done: called premature == 0
    * Connection #0 to host localhost left intact

daemon logs:

    DEBU[2018-07-03T15:52:51.424950601Z] Calling GET /distribution/name/json
    DEBU[2018-07-03T15:52:53.179895572Z] FIXME: Got an API for which error does not match any expected type!!!: errors:
    denied: requested access to the resource is denied
    unauthorized: authentication required
      error_type=errcode.Errors module=api
    ERRO[2018-07-03T15:52:53.179942783Z] Handler for GET /distribution/name/json returned error: errors:
    denied: requested access to the resource is denied
    unauthorized: authentication required

With this patch applied:

    curl -v --unix-socket /var/run/docker.sock http://localhost/distribution/name/json
    *   Trying /var/run/docker.sock...
    * Connected to localhost (/var/run/docker.sock) port 80 (#0)
    > GET /distribution/name/json HTTP/1.1
    > Host: localhost
    > User-Agent: curl/7.52.1
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < Api-Version: 1.38
    < Content-Type: application/json
    < Docker-Experimental: false
    < Ostype: linux
    < Server: Docker/dev (linux)
    < Date: Fri, 03 Aug 2018 14:58:09 GMT
    < Content-Length: 115
    <
    {"message":"errors:\ndenied: requested access to the resource is denied\nunauthorized: authentication required\n"}
    * Curl_http_done: called premature == 0
    * Connection #0 to host localhost left intact

daemon logs:

    DEBU[2018-08-03T14:58:08.018726228Z] Calling GET /distribution/name/json

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-08 10:35:36 +01:00
Sebastiaan van Stijn
d71ed3d326
Return "invalid parameter" (4xx) errors for distribution
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-08 10:35:26 +01:00
Sebastiaan van Stijn
20383d504b Add support for using Configs as CredentialSpecs in services
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-02-04 15:29:33 -06:00
Yong Tang
87903f2fb5
Merge pull request #38609 from kwojcicki/enhancement/38518-docker_info_builder_version
Adding builder version
2019-02-01 07:04:11 +08:00
Sebastiaan van Stijn
7e7e100be0
Add HEAD support for /_ping endpoint
Monitoring systems and load balancers are usually configured to use HEAD
requests for health monitoring. The /_ping endpoint currently does not
support this type of request, which means that those systems have fallback
to GET requests.

This patch adds support for HEAD requests on the /_ping endpoint.

Although optional, this patch also returns `Content-Type` and `Content-Length`
headers in case of a HEAD request; Refering to RFC 7231, section 4.3.2:

    The HEAD method is identical to GET except that the server MUST NOT
    send a message body in the response (i.e., the response terminates at
    the end of the header section).  The server SHOULD send the same
    header fields in response to a HEAD request as it would have sent if
    the request had been a GET, except that the payload header fields
    (Section 3.3) MAY be omitted.  This method can be used for obtaining
    metadata about the selected representation without transferring the
    representation data and is often used for testing hypertext links for
    validity, accessibility, and recent modification.

    A payload within a HEAD request message has no defined semantics;
    sending a payload body on a HEAD request might cause some existing
    implementations to reject the request.

    The response to a HEAD request is cacheable; a cache MAY use it to
    satisfy subsequent HEAD requests unless otherwise indicated by the
    Cache-Control header field (Section 5.2 of [RFC7234]).  A HEAD
    response might also have an effect on previously cached responses to
    GET; see Section 4.3.5 of [RFC7234].

With this patch applied, either `GET` or `HEAD` requests work; the only
difference is that the body is empty in case of a `HEAD` request;

    curl -i --unix-socket /var/run/docker.sock http://localhost/_ping
    HTTP/1.1 200 OK
    Api-Version: 1.40
    Cache-Control: no-cache, no-store, must-revalidate
    Docker-Experimental: false
    Ostype: linux
    Pragma: no-cache
    Server: Docker/dev (linux)
    Date: Mon, 14 Jan 2019 12:35:16 GMT
    Content-Length: 2
    Content-Type: text/plain; charset=utf-8

    OK

    curl --head -i --unix-socket /var/run/docker.sock http://localhost/_ping
    HTTP/1.1 200 OK
    Api-Version: 1.40
    Cache-Control: no-cache, no-store, must-revalidate
    Content-Length: 0
    Content-Type: text/plain; charset=utf-8
    Docker-Experimental: false
    Ostype: linux
    Pragma: no-cache
    Server: Docker/dev (linux)
    Date: Mon, 14 Jan 2019 12:34:15 GMT

The client is also updated to use `HEAD` by default, but fallback to `GET`
if the daemon does not support this method.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-31 18:18:24 +01:00
Yong Tang
393838ca5e
Merge pull request #38569 from thaJeztah/forget_about_it
Add Cache-Control headers to disable caching /_ping endpoint
2019-01-31 23:59:11 +08:00
Olli Janatuinen
80d7bfd54d Capabilities refactor
- Add support for exact list of capabilities, support only OCI model
- Support OCI model on CapAdd and CapDrop but remain backward compatibility
- Create variable locally instead of declaring it at the top
- Use const for magic "ALL" value
- Rename `cap` variable as it overlaps with `cap()` built-in
- Normalize and validate capabilities before use
- Move validation for conflicting options to validateHostConfig()
- TweakCapabilities: simplify logic to calculate capabilities

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-22 21:50:41 +02:00
Krystian Wojcicki
f821f002e5 Adding builder version
Signed-off-by: Krystian Wojcicki <kwojcicki@sympatico.ca>
2019-01-21 19:02:16 -05:00
Brian Goff
eaad3ee3cf Make sure timers are stopped after use.
`time.After` keeps a timer running until the specified duration is
completed. It also allocates a new timer on each call. This can wind up
leaving lots of uneccessary timers running in the background that are
not needed and consume resources.

Instead of `time.After`, use `time.NewTimer` so the timer can actually
be stopped.
In some of these cases it's not a big deal since the duraiton is really
short, but in others it is much worse.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-01-16 14:32:53 -08:00
Sebastiaan van Stijn
5f788fbf56
Add Cache-Control headers to disable caching /_ping endpoint
The result of this endpoint should not be cached, so it's better to
explicitly disable caching.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-01-14 22:03:23 +01:00
Sebastiaan van Stijn
72b0b0387d
Replace deprecated grpc.ErrorDesc() and grpc.Code() calls
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-30 12:34:28 +01:00
Olli Janatuinen
153171e9dd Added support for maximum replicas per node to services
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2018-12-24 02:04:15 +02:00
Sebastiaan van Stijn
c4c4963228
Unify API-version checks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-12-17 11:30:29 +01:00
Sebastiaan van Stijn
852542b397
Merge pull request #38284 from cpuguy83/context_in_api
Rely on request.Context() cancellation
2018-11-28 17:00:09 +01:00
Brian Goff
05390c4f6e Rely on request.Context() cancellation
The cancellable handler is no longer needed as the context that is
passed with the http request will be cancelled just like the close
notifier was doing.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-11-27 17:06:31 -08:00
Brian Goff
d5916f6393 Update gorilla/mux
This fixes an issue with mux usage of context for storing vars.
Also the old version is 2 years old.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-11-27 17:06:20 -08:00
Yong Tang
ee74cd777a Skip KernelMemoryTCP if version is less than 1.40
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2018-11-26 21:04:27 +00:00
selansen
32180ac0c7 VXLAN UDP Port configuration support
This commit contains changes to configure DataPathPort
option. By default we use 4789 port number. But this commit
will allow user to configure port number during swarm init.
DataPathPort can't be modified after swarm init.
Signed-off-by: selansen <elango.siva@docker.com>
2018-11-22 17:35:02 -05:00
Sebastiaan van Stijn
7632ccbc66
Ignore default address-pools on API < 1.39
These options were added in API 1.39, so should be ignored
when using an older version of the API.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-13 14:04:06 +01:00
Sebastiaan van Stijn
06a4fd5009
Merge pull request #38141 from thaJeztah/handle_invalid_json
API: properly handle invalid JSON to return a 400 status
2018-11-08 12:22:02 +01:00
Sebastiaan van Stijn
c7b488fbc8
API: properly handle invalid JSON to return a 400 status
The API did not treat invalid JSON payloads as a 400 error, as a result
returning a 500 error;

Before this change, an invalid JSON body would return a 500 error;

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json" \
  -d '{invalid json'
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 13
>
* upload completely sent off: 13 out of 13 bytes
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.40
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Mon, 05 Nov 2018 11:55:20 GMT
< Content-Length: 79
<
{"message":"invalid character 'i' looking for beginning of object key string"}
```

Empty request:

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json"
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 500 Internal Server Error
< Api-Version: 1.38
< Content-Length: 18
< Content-Type: application/json
< Date: Mon, 05 Nov 2018 12:00:18 GMT
< Docker-Experimental: true
< Ostype: linux
< Server: Docker/18.06.1-ce (linux)
<
{"message":"EOF"}
```

After this change, a 400 is returned;

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json" \
  -d '{invalid json'
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
> Content-Length: 13
>
* upload completely sent off: 13 out of 13 bytes
< HTTP/1.1 400 Bad Request
< Api-Version: 1.40
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Mon, 05 Nov 2018 11:57:15 GMT
< Content-Length: 79
<
{"message":"invalid character 'i' looking for beginning of object key string"}
```

Empty request:

```bash
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.30/networks/create" \
  -H "Content-Type: application/json"
```

```
> POST /v1.30/networks/create HTTP/1.1
> Host: localhost
> User-Agent: curl/7.52.1
> Accept: */*
> Content-Type: application/json
>
< HTTP/1.1 400 Bad Request
< Api-Version: 1.40
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/dev (linux)
< Date: Mon, 05 Nov 2018 11:59:22 GMT
< Content-Length: 49
<
{"message":"got EOF while reading request body"}
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-06 21:30:44 +01:00
Akihiro Suda
596cdffb9f mount: add BindOptions.NonRecursive (API v1.40)
This allows non-recursive bind-mount, i.e. mount(2) with "bind" rather than "rbind".

Swarm-mode will be supported in a separate PR because of mutual vendoring.

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-11-06 17:51:58 +09:00
Sebastiaan van Stijn
cb9d2cb71b
Move support for sysctl options in services to API v1.40
This feature was added in 14da20f5e7,
and was merged after API v1.39 shipped as part of the Docker 18.09
release candidates.

This commit moves the feature to the correct API version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-10-26 15:39:36 +02:00
Tibor Vass
d6ac2b0db0 builder: treat unset keep-storage as 0
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-10-08 23:58:54 +00:00
Drew Erny
14da20f5e7 Add support for sysctl options in services
Adds support for sysctl options in docker services.

* Adds API plumbing for creating services with sysctl options set.
* Adds swagger.yaml documentation for new API field.
* Updates the API version history document.
* Changes executor package to make use of the Sysctls field on objects
* Includes integration test to verify that new behavior works.

Essentially, everything needed to support the equivalent of docker run's
`--sysctl` option except the CLI.

Includes a vendoring of swarmkit for proto changes to support the new
behavior.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2018-09-20 10:51:56 -05:00
Sebastiaan van Stijn
3735ea7b76
Merge pull request #37741 from mooncak/fix_typos
fix typos in experimental.go and buildargs.go
2018-09-14 11:53:54 +02:00
Anda Xu
5d931705e3 always hornor client side to choose which builder to use with DOCKER_BUILDKIT env var regardless the server setup
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-09-11 17:19:51 -07:00
Sebastiaan van Stijn
f94eec2308
Merge pull request #37690 from KimMachineGun/modify-context-key
api/server, dockerversion: modify context key
2018-09-06 18:45:41 +01:00
Tibor Vass
6ba1e91877
Merge pull request #37651 from tiborvass/new-builder-prune
builder: add prune options to the API
2018-09-04 07:50:09 -07:00
Tibor Vass
8ff7847d1c builder: add prune options to the API
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-09-01 22:01:17 +00:00
mooncake
5160003b4d fix typos
Signed-off-by: mooncake <xcoder@tenxcloud.com>
Signed-off-by: Bily Zhang <xcoder@tenxcloud.com>
2018-09-01 21:26:38 +08:00
Anda Xu
58a75cebdd allow features option live reloadable
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-08-31 12:43:04 -07:00
KimMachineGun
1377a2ddee api/server, dockerversion: modify context key
Signed-off-by: KimMachineGun <geon0250@gmail.com>
2018-08-22 11:20:22 +09:00
Tibor Vass
c973cde760 Fix logic when enabling buildkit
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-08-21 23:49:08 +00:00
Andrew Hsu
01c9e7082e move /session api endpoint out of experimental
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-08-21 22:43:34 +00:00
Andrew Hsu
239047c2d3 remove experimental guard for buildkit
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2018-08-21 22:19:45 +00:00
Anda Xu
2be17666b4 add optional fields in daemon.json to enable buildkit
Signed-off-by: Anda Xu <anda.xu@docker.com>
2018-08-19 14:58:23 -07:00
Sebastiaan van Stijn
e6e8ab50fa
Do not return "<unknown>" in /info response
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-07-16 16:09:58 +02:00
Tonis Tiigi
ffa7233d15 builder: fix duplicate calls to mountable
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-07-10 15:21:29 -07:00
Tibor Vass
facad55744 api: Change Platform field back to string (temporary workaround)
This partially reverts https://github.com/moby/moby/pull/37350

Although specs.Platform is desirable in the API, there is more work
to be done on helper functions, namely containerd's platforms.Parse
that assumes the default platform of the Go runtime.

That prevents a client to use the recommended Parse function to
retrieve a specs.Platform object.

With this change, no parsing is expected from the client.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-07-03 22:33:42 +00:00
Tibor Vass
ca8022ec63 builder: return image ID in API when using buildkit
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-07-03 19:11:02 +00:00
Sebastiaan van Stijn
d912e9460e
Merge pull request #37156 from cpuguy83/networking_api_types_only
Move network conversions out of API router
2018-06-29 02:47:27 +02:00
Tibor Vass
1436dc8f8d
Merge pull request #37350 from tonistiigi/platform-support
Fix platform struct passing
2018-06-27 19:23:27 -07:00
Brian Goff
c0bc14e8dd Move network conversions out of API router
This stuff doesn't belong here and is causing imports of libnetwork into
the router, which is not what we want.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-06-27 17:11:29 -07:00
Tonis Tiigi
f099771665 system: add back lcow validation function
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-06-27 15:24:26 -07:00
Tonis Tiigi
337ba71fc1 distribution: fix passing platform struct to puller
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-06-27 14:59:31 -07:00
Tonis Tiigi
81f862a1fe api: fix platform type
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-06-26 22:59:17 -07:00
Yuichiro Kaneko
dbd4c290b7 Update comments about InitRouter
This is a follow-up of commit 408c7ad (PR: #32453)

Signed-off-by: Yuichiro Kaneko <spiketeika@gmail.com>
2018-06-27 09:45:06 +09:00
Dennis Chen
7f334d3acf Initial support for OCI multi-platform image
Add the OCI spec compatible image support in client side.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2018-06-26 11:39:29 -07:00
Vincent Demeester
3845728524
Update tests to use gotest.tools 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-13 09:04:30 +02:00
Tonis Tiigi
ab4cbe2c3f builder: correct output buffering order
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-06-10 10:05:31 -07:00
Tonis Tiigi
577732f655 builder: more experimental/windows validation
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2018-06-10 10:05:30 -07:00