To load an image from a tar file, you can specify
the tar file in the -i/--input option:
docker load -i image_1.tar
or using stdin:
docker load < image_1.tar
cat image_1.tat | docker load
If the image file isn't given the `docker load`
command gets stuck.
To avoid that, the load makes sure the CLI input is
not a terminal or the `--input` option was set.
If not then an error message is shown.
Signed-off-by: Boaz Shuster <ripcurld.github@gmail.com>
When a container is run on a --attachable network, the endpoint
configs passed by the user were incorrectly overwritten.
Copy the relevant configs instead of overwriting the entire configs.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
--group-add was used for specifying groups for both service create
and service update. For create it was confusing since we don't have
an existing set of groups. Instead I added --group to create, and
moved --group-add to service update only, like --group-rm
This deals with issue 27646
Signed-off-by: Lily Guo <lily.guo@docker.com>
Update flag documentation
Specify that --group, --group-add and --groupd-rm refers to
supplementary user groups
Signed-off-by: Lily Guo <lily.guo@docker.com>
Fix docs for groups and update completion scripts
Signed-off-by: Lily Guo <lily.guo@docker.com>
Make it possible to use health_status, exec_start and exec_create as
is in event filter. This way, using `health_status` as filter will allow
to get all health_status events (healthy, unhealthy, …) instead of
having to us all combination (`health_status: healthy`, `health_status:
unhealthy`, …). Same goes for `exec_start` and `exec_create`.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue in 24712 and add
`--env-file` file to `docker create service`.
Related documentation has been updated.
An additional integration has been added.
This fix fixes 24712.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to fix the bug reported by #24693 where an empty
line after escape will not be stopped by the parser.
This fix addresses this issue by stop the parser from continue
with an empty line after escape.
An additional integration test has been added.
This fix fixes#24693.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This adds a metrics packages that creates additional metrics. Add the
metrics endpoint to the docker api server under `/metrics`.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add metrics to daemon package
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
api: use standard way for metrics route
Also add "type" query parameter
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
Convert timers to ms
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
`docker network prune` prunes unused networks, including overlay ones.
`docker system prune` also prunes unused networks.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
A recent change fixed integration tests to use "API" in test names
instead of "Api". A new test was added in a PR opened before this
change, and didn't benefit from the cleanup. Fix its name.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
The `archive` package defines aliases for `io.ReadCloser` and
`io.Reader`. These don't seem to provide an benefit other than type
decoration. Per this change, several unnecessary type cases were
removed.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This fix tries to address the issue raised in 25545 where
volume options at the creation time is not showed up
in `docker volume inspect`.
This fix adds the field `Options` in `Volume` type and
persist the options in volume db so that `volume inspect`
could display the options.
This fix adds a couple of test cases to cover the changes.
This fix fixes 25545.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Keeping the current behavior for exec, i.e., inheriting
variables from main process. New variables will be added
to current ones. If there's already a variable with that
name it will be overwritten.
Example of usage: docker exec -it -e TERM=vt100 <container> top
Closes#24355.
Signed-off-by: Jonh Wendell <jonh.wendell@redhat.com>
This adds support for two enhancements to swarm service rolling updates:
- Failure thresholds: In Docker 1.12, a service update could be set up
to either pause or continue after a single failure occurs. This adds
an --update-max-failure-ratio flag that controls how many tasks need to
fail to update for the update as a whole to be considered a failure. A
counterpart flag, --update-monitor, controls how long to monitor each
task for a failure after starting it during the update.
- Rollback flag: service update --rollback reverts the service to its
previous version. If a service update encounters task failures, or
fails to function properly for some other reason, the user can roll back
the update.
SwarmKit also has the ability to roll back updates automatically after
hitting the failure thresholds, but we've decided not to expose this in
the Docker API/CLI for now, favoring a workflow where the decision to
roll back is always made by an admin. Depending on user feedback, we may
add a "rollback" option to --update-failure-action in the future.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This fix tries to add a daemon config parameter `--shutdown-timeout`
that specifies the timeout value to stop containers gracefully
(before SIGKILL). The default value is 15s.
The `--shutdown-timeout` parameter is added to daemon options and
config file. It will also be updated during daemon reload.
Additional test cases have been added to cover the change.
This fix fixes#22471.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24392 where
labels with duplicate keys exist in `docker info`, which
contradicts with the specifications in the docs.
The reason for duplicate keys is that labels are stored as
slice of strings in the format of `A=B` (and the input/output).
This fix tries to address this issue by checking conflict
labels when daemon started, and remove duplicate labels (K-V).
The existing `/info` API has not been changed.
An additional integration test has been added to cover the
changes in this fix.
This fix fixes 24392.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to add a flag `--stop-timeout` to specify the timeout value
(in seconds) for the container to stop before SIGKILL is issued. If stop timeout
is not specified then the default timeout (10s) is used.
Additional test cases have been added to cover the change.
This fix is related to #22471. Another pull request will add `--shutdown-timeout`
to daemon for #22471.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
As of https://github.com/docker/swarmkit/pull/1607, swarmkit honors
global network plugins while allocating network resources.
This IT covers the e2e integration between libnetwork, swarmkit and
docker engine to support global network-plugins for swarm-mode
Signed-off-by: Madhu Venugopal <madhu@docker.com>
TestBuildLabelsOverride was consistently failing due to "Windows does not support FROM scratch" error
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
- some function signatures have changed - use the new ones
- re-generate the notary delegation key certs, since notary doesn't allow SHA1
- fix some error message mapping because now if a root rotation fails to validate trusted operations will fail
Signed-off-by: cyli <cyli@twistedmatrix.com>
This fix tries to address the issue raised in 25855 where the command
`docker deploy` can only accept a STACK without extension of `.dab`.
In other words, `docker deploy hellojavaee.dab` gives an error:
```
Bundle hellojavaee.dab.dab not found. Specify the path with --file
```
This fix updates the way namespace STACK is taken so that in case
`STACK.dab` is provided with `docker deploy`:
```
$ docker deploy STACK.dab
```
The `STACK` is used as namespace (instead of `STACK.dab`).
NOTE: This fix will only allows `.dab` extension in namespace, because
it is not possible to have a namespace with `.` in the middle. In other
words, a namespace `hello.java.ee` will not work anyway (whether the file
`hello.java.ee` exists or not).
An additional integration test has been added to cover the changes.
This fix fixes 25855.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Linux kernel 4.3 and later supports "ambient capabilities" which are the
only way to pass capabilities to containers running as a non root uid.
Previously there was no way to allow containers not running as root
capabilities in a useful way.
Fix#8460
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
While look at #27039 I noticed that we allow for whitespace after
the continuation char (\\) which is wrong. It needs to be the very
last char in the line.
Signed-off-by: Doug Davis <dug@us.ibm.com>
No substantial code change.
- Api --> API
- Cli --> CLI
- Http, Https --> HTTP, HTTPS
- Id --> ID
- Uid,Gid,Pid --> UID,PID,PID
- Ipam --> IPAM
- Tls --> TLS (TestDaemonNoTlsCliTlsVerifyWithEnv --> TestDaemonTLSVerifyIssue13964)
Didn't touch in this commit:
- Git: because it is officially "Git": https://git-scm.com/
- Tar: because it is officially "Tar": https://www.gnu.org/software/tar/
- Cpu, Nat, Mac, Ipc, Shm: for keeping a consistency with existing production code (not changable, for compatibility)
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This fix tries to address the issue raised in 27021 where
HTML strings like (`&, >, <, etc`) in environmental variables
are escaped for JSON output for `docker inspect`. For example,
`TEST_ENV="soanni&rtr"` has been escaped to `TEST_ENV="soanni\u0026rtr"`
This fix disabled HTML escaping with `SetEscapeHTML`, which is available
since golang 1.7.0. This changes will be applied to all JSON output
that utilize `httputils.WriteJSON`.
An integration test has been added to cover the changes.
This fix fixes 27021.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Under the convoluted code path for the transport configuration,
TLSConfig was being set even though the socket type is unix. This caused
other code detecting the TLSConfig to assume https, rather than using
the http scheme. This led to a situation where if `DOCKER_CERT_PATH` is
set, unix sockets start reverting to https. There is other odd behavior
from go-connections that is also reproduced here.
For the most part, we try to reproduce the side-effecting behavior from
go-connections to retain the current docker behavior. This whole mess
needs to ripped out and fixed, as this pile spaghetti is unnacceptable.
This code is way to convoluted for an http client. We'll need to fix
this but the Go API will break to do it.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This fix tries to address the issue related to 24108 and 24790, and
also the case from 24620#issuecomment-233715656
The reason for the failure case in the above mentioned issues is that
currently Task names are actually indexed by Service Name
(`e.ServiceAnnotations.Name`)
To fix it, a pull request in swarmkit (swarmkit/pull/1193) has been
opened separately.
This fix adds the integration tests for the above mentioned issues.
Swarmkit revendoring is needed to completely fix the issues.
This fix fixes 24108.
This fix fixes 24790.
This fix is related to 24620.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 24538
where the error message is unclear when removing pre-defined networks:
```
docker network rm ingress
Error response from daemon: rpc error: code = 7 desc = 4vlxuzpk8bxdsxpyvkxluol5g is a pre-defined network and cannot be removed
```
This fix improve the error message so that if network's name is specified
in the `RemoveNetwork`, then error message will contain the name and the ID
(instead of just an ID):
```
docker network rm ingress
Error response from daemon: rpc error: code = 7 desc = ingress (4vlxuzpk8bxdsxpyvkxluol5g) is a pre-defined network and cannot be removed
```
An integration test has been added to cover the changes.
This fix fixes 24538.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The daemon is in a separate (dockerd) binary
since docker 1.12, so should no longer be
used.
This marks the command as deprecated, and
adds it to the deprecated features list.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
TestBuildApiDockerFileRemote has been consistently failing (EPERM) on the host
with #26618, which prohibits /sys/firmware from being accessed using apparmor.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
This adds a small C binary for fighting zombies. It is mounted under
`/dev/init` and is prepended to the args specified by the user. You
enable it via a daemon flag, `dockerd --init`, as it is disable by
default for backwards compat.
You can also override the daemon option or specify this on a per
container basis with `docker run --init=true|false`.
You can test this by running a process like this as the pid 1 in a
container and see the extra zombie that appears in the container as it
is running.
```c
int main(int argc, char ** argv) {
pid_t pid = fork();
if (pid == 0) {
pid = fork();
if (pid == 0) {
exit(0);
}
sleep(3);
exit(0);
}
printf("got pid %d and exited\n", pid);
sleep(20);
}
```
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Test is testing that a user can disconnect from the default network
before it is started (#26220).
This test does not need to use `--rm`, which is never aken into account
since the container is never started.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fix tries to address the issue raised in 26453 where bad syntax
on dockerfile is not checked before building, thus user has to wait
before seeing error in dockerfile.
This fix fixes the issue by evaluating all the instructions and check
syntax before dockerfile is invoked actually.
All existing tests pass.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The swarm scope network connected containers with autostart enabled
there was a dependency problem with the cluster to be initialized before
we can autostart them. With the current container restart code happening
before cluster init, these containers were not getting autostarted
properly. Added a fix to delay the container start of those containers
which has atleast one swarm scope endpoint to until after the cluster is
initialized.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
`Mounts` allows users to specify in a much safer way the volumes they
want to use in the container.
This replaces `Binds` and `Volumes`, which both still exist, but
`Mounts` and `Binds`/`Volumes` are exclussive.
The CLI will continue to use `Binds` and `Volumes` due to concerns with
parsing the volume specs on the client side and cross-platform support
(for now).
The new API follows exactly the services mount API.
Example usage of `Mounts`:
```
$ curl -XPOST localhost:2375/containers/create -d '{
"Image": "alpine:latest",
"HostConfig": {
"Mounts": [{
"Type": "Volume",
"Target": "/foo"
},{
"Type": "bind",
"Source": "/var/run/docker.sock",
"Target": "/var/run/docker.sock",
},{
"Type": "volume",
"Name": "important_data",
"Target": "/var/data",
"ReadOnly": true,
"VolumeOptions": {
"DriverConfig": {
Name: "awesomeStorage",
Options: {"size": "10m"},
Labels: {"some":"label"}
}
}]
}
}'
```
There are currently 2 types of mounts:
- **bind**: Paths on the host that get mounted into the
container. Paths must exist prior to creating the container.
- **volume**: Volumes that persist after the
container is removed.
Not all fields are available in each type, and validation is done to
ensure these fields aren't mixed up between types.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
A test failed expecting 200, but received -1, which is an err rc,
not an HTTP status code, so move these checks up.
Also log the output an not just check for a nil err.
Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
When the `-t` flag is passed on exec make sure to add the TERM env var
to mirror the expected configuration from run.
Fixes#9299
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
daemon/events/testutils: rename eventstestutils to testutils
volume/testutils: rename volumetestutils to testutils
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
The restriction is no longer necessary given changes at the runc layer
related to mount options of the rootfs. Also cleaned up the docs on
restrictions left for userns enabled mode. Re-enabled tests related to
--read-only when testing a userns-enabled daemon in integration-cli.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Instead of reformatting error from the request action, we wrap it,
allowing the cause to be recovered. This is important for consumers that
need to be able to detect context errors, such as `Cancelled` and
`DeadlineExceeded`.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This fix tries to fix 26326 where `docker inspect` will not show
ulimit even when daemon default ulimit has been set.
This fix merge the HostConfig's ulimit with daemon default in
`docker inspect`, so that when daemon is started with `default-ulimit`
and HostConfig's ulimit is not set, `docker inspect` will output
the daemon default.
An integration test has been added to cover the changes.
This fix fixes 26326.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR adds support for running regular containers to be connected to
swarm mode multi-host network so that:
- containers connected to the same network across the cluster can
discover and connect to each other.
- Get access to services(and their associated loadbalancers)
connected to the same network
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
moves ensure-frozen-images to go
moves ensure-syscall-test to go
moves ensure-nnp-test to go
moves ensure-httpserver to go
Also makes some of the fixtures load only for the required tests.
This makes sure that fixtures that won't be needed for a test run such as
`make TESTFLAGS='-check.f Swarm' test-integration-cli` (for example)
aren't loaded... like the syscall tests.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
