Commit graph

1987 commits

Author SHA1 Message Date
Sebastiaan van Stijn
404d87ec69
AppArmor: add missing rules for running in userns
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-30 16:17:13 +02:00
Sebastiaan van Stijn
e553a03627
AppArmor: remove rules for linkgraph.db SQLite database
Commit 0f9f99500c removed the
use of SQLite for managing container links, and commit
f8119bb7a7 removed the migration
tool, and SQLite dependency.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 17:19:21 +02:00
Kir Kolyshkin
7b0e0335bc
Fix some inefassign warnings
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2019-09-18 12:57:29 +02:00
Akihiro Suda
e20b7323fb rootless: harden slirp4netns with mount namespace and seccomp
When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.

bump up rootlesskit: 2fcff6ceae...791ac8cb20

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-09-02 14:58:58 +09:00
Amit Bakshi
19a3ddf8bb
mkimage-yum.sh: Fix install of additional packages
The mkimage-yum.sh script fails to install additional
packages (passed with -p package-name), because the
package names get quoted twice.

Signed-off-by: Amit Bakshi <ambakshi@gmail.com>
2019-08-17 12:18:58 -07:00
Sebastiaan van Stijn
08191c3b90
Merge pull request #39165 from stafwag/master
Updated mkimage-arch.sh
2019-07-18 00:44:28 +02:00
Staf Wagemakers
0a1947cb9f spaces to tabs
Signed-off-by: Staf Wagemakers <staf@wagemakers.be>
2019-07-17 19:48:13 +02:00
Pascal Bach
78405559cf
Check for BRIDGE_VLAN_FILTERING in overlay section
Overlay networking in docker stack does not work correctly if this option is missing, docker will output the following error:

```
enabling default vlan on bridge br0 failed open /sys/class/net/br0/bridge/default_pvdi: permission denied
```

This because `default_pvdi` does not exist without this option.

Signed-off-by: Pascal Bach <pascal.bach@siemens.com>
Signed-off-by: Simon Ausserlechner <simon.ausserlechner@siemens.com>
2019-07-16 17:32:51 +02:00
Tim
1ba4e69601 shellcheck
https://www.shellcheck.net/
Signed-off-by: Tim <elatllat@gmail.com>
2019-06-04 09:34:39 -04:00
Wiktor Kwapisiewicz
8abf26dbfb
Change docker socket location to /run/docker.sock
This change resolves the following systemd warning:

```
/usr/lib/systemd/system/docker.socket:5: ListenStream= references a path below legacy directory /var/run/, updating /var/run/docker.sock → /run/docker.sock; please update the unit file accordingly.
```

Signed-off-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
2019-05-28 23:22:54 +02:00
Akihiro Suda
34cc5c24d0 dockerd-rootless.sh: use exec
Killing the shell script process does not kill the forked process.

This commit switches to `exec` so that the executed process can be
easily killed.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-05-15 20:52:59 +09:00
Staf Wagemakers
74e3edc7d1
Updated mkimage-arch.sh
* reset umask to 022
* introduced PKGREQUIRED
* introduced PKGREMOVE
  - to be able to remove linux etc on Parabola GNU/Linux
* updated PKGIGNORE
  - cryptsetup & device-mapper removed to not break the installation
  - added not required packages
* force link /etc/localtime
* install pacman-mirrorlist

Signed-off-by: Staf Wagemakers <staf@wagemakers.be>
2019-05-01 12:17:04 +02:00
Akihiro Suda
63a66b0eb0 rootless: optional support for lxc-user-nic SUID binary
lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user.

To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set.

This commit also bumps up RootlessKit from v0.3.0 to v0.4.0:
70e0502f32...e92d5e772e

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-04-25 23:54:30 +09:00
Sebastiaan van Stijn
0ac8cbf747
Merge pull request #39000 from mrueg/openrc-set
openrc: Modernize and sync settings
2019-04-05 19:51:37 +02:00
Tibor Vass
a0d64a3093
Merge pull request #38913 from AkihiroSuda/rootlesskit-docker-proxy
rootless: expose ports automatically
2019-04-02 19:51:15 -07:00
Manuel Rüger
275677e94f openrc: Modernize and sync settings
* Use rc_ulimit for ulimit constraints
* Synchronize ulimit settings to systemd's
* Add support for reload command
* Add support for retry settings for docker stop/restart

Signed-off-by: Manuel Rüger <manuel@rueg.eu>
2019-04-02 15:06:49 +02:00
Ankit Jain
eb13758057 Default to Core group only if no groups specified
Signed-off-by: Ankit Jain <ajatkj@yahoo.co.in>
2019-03-29 20:21:33 +05:30
Ankit Jain
8233910503 mkimage-yum.sh: handle spaces properly & allow mutiple packages & groups
Signed-off-by: Ankit Jain <ajatkj@yahoo.co.in>
2019-03-28 20:47:47 +05:30
Akihiro Suda
f0b405fbda rootless: expose ports automatically
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.

The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.

RootlessKit changes: 7bbbc48a6f...ed26714429

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-03-21 02:44:08 +09:00
Noriki Nakamura
57c2228cc1 Add new option to specify tag information
Previously, tag information automatically is added from
/etc/{redhat,system}-release in image (target directory).

But I want to specify any tag informtion when using mkimage-yum.sh.
Because a Linux distribution based RHEL (It's Asianux Server) uses
SPn notation (e.g. SP3) instead of period notaion (e.g. 7.6).

Signed-off-by: Noriki Nakamura <noriki.nakamura@miraclelinux.com>
2019-03-06 07:06:40 +09:00
Akihiro Suda
ec87479b7e allow running dockerd in an unprivileged user namespace (rootless mode)
Please refer to `docs/rootless.md`.

TLDR:
 * Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
 * `dockerd-rootless.sh --experimental`
 * `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-02-04 00:24:27 +09:00
Mattias Jernberg
8db540370c mkimage: Fix Debian security presence check
Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable.

Signed-off-by: Mattias Jernberg <nostrad@gmail.com>
2018-12-05 19:35:17 +01:00
Sebastiaan van Stijn
44e1c6ce81
Add CONFIG_IP_VS_PROTO_TCP, CONFIG_IP_VS_PROTO_UDP, IP_NF_TARGET_REDIRECT to check-config.sh
On kernels without this options set, publishing ports for swarm
services does not work, making the published port not accessible
("connection refused")

Thanks to Wenbo Wang for reporting, and Tianon for finding this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-11-15 11:11:48 +01:00
Mark Jeromin
60ec93f7c2 Fix error handling when go command is missing
Signed-off-by: Mark Jeromin <mark.jeromin@sysfrog.net>
2018-11-04 23:34:03 -05:00
Sebastiaan van Stijn
ce1ee59166
Merge pull request #37589 from danihodovic/update-vim-plugin-readme
README: Update Github url for vim syntax plugin
2018-10-16 14:07:52 +02:00
Tibor Vass
34eede0296 Remove 'docker-' prefix for containerd and runc binaries
This allows to run the daemon in environments that have upstream containerd installed.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-09-24 21:49:03 +00:00
Dani Hodovic
adaed9b6f7
Update Github url for vim syntax plugin
Signed-off-by: Dani Hodovic <dani.hodovic@gmail.com>
2018-08-04 13:42:43 +07:00
Mickaël Remars
2137e866b9 Removed the "-i -t" arguments from the smoke test calling printf (these flags seem not really needed, and break jenkins builds with error "the input device is not a TTY")
Signed-off-by: Mickaël Remars <github@remars.com>
2018-07-05 17:29:17 +02:00
Vincent Demeester
06dee4cc27
Merge pull request #37393 from mykeul/master
Added "--no-cache" to apk call to reduce alpine base image by 10-12% …
2018-07-05 15:06:21 +02:00
Mickaël Remars
e72047a375 Replaced "--update-cache" argument with "--no-cache" in apk call to reduce alpine base image by 10-12% (avoid useless indexes in /var/cache/apk)
Signed-off-by: Mickaël Remars <github@remars.com>
2018-07-04 23:34:30 +02:00
Ian Chen
a765210718 add vim-plug setting
this should work ( tried on my machine)

Signed-off-by: Ian Chen <ianre657@gmail.com>
2018-07-04 15:54:19 +08:00
Kunal Tyagi
6b8dab2181 Allow vim be case insensitive for D in dockerfile
Signed-off-by: Kunal Tyagi <tyagi.kunal@live.com>
2018-06-08 10:30:40 +09:00
Brian Goff
ddb01ee1e0 Remove contrib/project-stats.sh
This is an old script using tools that are no longer maintained or
recommended (and don't even work anymore).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-05-04 16:33:44 -04:00
Brian Goff
eeea1e37a1 Removes custom selinux policies.
These are no longer used and instead users should use the
`container-selinux` package on their distribution. Additionally, these
are unmaintained and untested.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-05-04 16:33:44 -04:00
Brian Goff
1b7fe816e8 Remove unused/unmaintained package builder stuff
This is left-over stuff from building Docker pacakges. These aren't
really maintained outside of bumping the golang version, and are never
tested.

These builders can be found at
https://github.com/docker/docker-ce-packaging where they are kept up to
date.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2018-05-04 16:33:40 -04:00
Sebastiaan van Stijn
be8885525c
Bump Golang to 1.10.1, alpine 3.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-04-12 13:30:01 -07:00
Sebastiaan van Stijn
0b6f8a7eff
Update Golang to 1.9.5
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go
command, and net/http/pprof package. See the Go 1.9.5 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.9.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-04-04 06:59:53 -07:00
Sebastiaan van Stijn
caeab26843
Bump Golang to 1.9.4
This fixes a vulnerability in `go get` (CVE-2018-6574, http://golang.org/issue/23672),
but shouldn't really affect our code, but it's good to keep in sync.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-02-07 14:49:51 -08:00
Sebastiaan van Stijn
3cc13511f0
Bump Go to 1.9.3
release notes: https://golang.org/doc/devel/release.html#go1.9.minor

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-01-22 13:40:19 -08:00
Christopher Jones
24da8a0ed4
[ci] use alternate bash comparison
The pattern `echo str | grep -qE pattern` likes to fail on the z CI here for
an unknown reason. Use `grep -qE pattern <<< str` instead.

Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2018-01-12 11:05:20 -05:00
Dennis Chen
0af5db511e Download support of images with multi-arch manifest
Currently we only support 'application/vnd.docker.distribution.manifest.v2+json'
manifest images download, with more multi-arch images used, we need to support
download images with 'application/vnd.docker.distribution.manifest.list.v2+json'
format(aka "fat manifest"), else we will fail to download those multi-arch ones.

This PR adds 'application/vnd.docker.distribution.manifest.list.v2+json' manifest
support, thus we can download both multi-arch and legacy images.

Signed-off-by: Dennis Chen <dennis.chen@arm.com>
2017-12-14 05:37:22 +00:00
Sebastiaan van Stijn
d6e1cc32d3
Bump Go to 1.9.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-11-21 20:57:02 +01:00
Yong Tang
4785f1a7ab Remove solaris build tag and `contrib/mkimage/solaris
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-11-02 00:01:46 +00:00
Sebastiaan van Stijn
503fe408da
Bump Golang to 1.8.5
go1.8.5 (released 2017/10/25) includes fixes to the compiler, linker, runtime,
documentation, go command, and the crypto/x509 and net/smtp packages. It
includes a fix to a bug introduced in Go 1.8.4 that broke go get of non-Git
repositories under certain conditions. See the Go 1.8.5 milestone on our issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.8.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-10-27 01:18:00 +02:00
Michael Crosby
5a9b5f10cf Remove solaris files
For obvious reasons that it is not really supported now.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2017-10-24 15:39:34 -04:00
Andrew Pennebaker
2f5146ba1d support *.Dockerfile
Probably a good idea to treat `*.Dockerfile` as dockerfile format as well. In general, it's better to use the `Dockerfile` part as an extension rather than a basename.

Signed-off-by: Andrew Pennebaker <andrew.pennebaker@gmail.com>
2017-10-22 11:16:06 -05:00
Andreas Elvers
547dd4f95d fixing return value
Signed-off-by: Andreas Elvers <andreas@work.de>
2017-10-13 13:59:48 +02:00
Sebastiaan van Stijn
33e8141f63
Bump Go to 1.8.4
Bumps the Go version used to 1.8.4, which contains
security fixes; https://groups.google.com/forum/#!topic/golang-announce/1hZYiemnkdE

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-10-04 23:22:23 +02:00
Daniel Nephin
f7f101d57e Add gosimple linter
Update gometalinter

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-09-12 12:09:59 -04:00
Remy Suen
abd39744c6 Update tmLanguage file to not be case sensitive
While convention states that Dockerfile instructions should be
written in uppercase, the engine allows them to be mixed case or in
lowercase. The tmLanguage file should tolerate this and provide
highlighting support even if instructions are not written in
uppercase.

Signed-off-by: Remy Suen <remy.suen@gmail.com>
2017-08-05 19:45:54 +09:00