This fix tries to address the issue raised in #24374 where
`docker info` outputs seccomp support in Ubuntu 14.04 but
the seccomp wass not actually supported.
The issue is that in the current docker implementation, seccomp
support is only checked against the kernel by inspect CONFIG_SECCOMP
and CONFIG_SECCOMP_FILTER. However, seccomp might not be enabled
when building docker (through golang build flag).
This fix adds a supportSeccomp boolean variable. The supportSeccomp
is only set to true when seccomp is enabled when building docker.
This fix fixes#24374.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit a3b9dd89a1)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix adds a couple of missed release tag reference links in deprecated.md
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit bc20354b09)
Signed-off-by: Tibor Vass <tibor@docker.com>
Fixes `make test` and fix#24380 on aarch64
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit d37a7394ac)
Signed-off-by: Tibor Vass <tibor@docker.com>
This patch makes sure daemon resources are cleaned up on shutdown if
there are no running containers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 2d5dc94b9b)
Signed-off-by: Tibor Vass <tibor@docker.com>
This was missed in #23312 even though the other parts of
this were fixed.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 47ace5cd98)
Signed-off-by: Tibor Vass <tibor@docker.com>
This is now up to date with contents of 1.12 tgz
Also change usage to `dockerd` not `docker daemon`
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 7102e09f29)
Signed-off-by: Tibor Vass <tibor@docker.com>
Needed for libnetwork vendoring
Update Secret API name change correspondingly
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit d428a7a425)
Signed-off-by: Tibor Vass <tibor@docker.com>
Update now that the changes in https://github.com/docker/libnetwork/pull/1230
have been merged
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 3ae0c66450)
Signed-off-by: Tibor Vass <tibor@docker.com>
This reduces memory usage with a lot of docker proxy processes.
On Docker for Mac we are currently carrying a patch to replace
the binary as we modify it to forward ports to the Mac rather
than the Linux VM, this allows us to simply replace this binary
in our packaging with one that has a compatible interface. This
patch does not provide an easy way to substitute a binary as
the interface is complex and there are few use cases, but where
needed this can be done.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit 0682468431)
Signed-off-by: Tibor Vass <tibor@docker.com>
- Update ps with `--last` flag
- Update commands with current output
- Make sure hugo does not detect the wrong language
- Update usage for `tag` command to be more coherent with the other ones
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit f4cfc6b983)
Signed-off-by: Tibor Vass <tibor@docker.com>
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.
This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.
`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.
Closes#23785
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 7342e42fce)
Signed-off-by: Tibor Vass <tibor@docker.com>
In the API:
`Writable` changed to `ReadOnly`
`Populate` changed to `NoCopy`
Corresponding CLI options updated to:
`volume-writable` changed to `volume-readonly`
`volume-populate` changed to `volume-nocopy`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 56f3422468)
Signed-off-by: Tibor Vass <tibor@docker.com>
In #24159, the title field of `docker node ls` has been
changed from NAME to HOSTNAME. However, in the docs the
NAMEs are still used for the output of `docker node ls`.
This fix updates docs so that NAME field is changed to
HOSTNAME for all `docker node ls`.
This fix is related to #24159 and #24090.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 668b8a998f)
Signed-off-by: Tibor Vass <tibor@docker.com>
This is done in a hacky way as currently there is no better way.
Uses known implementation details about how tasks are scheduled to be
able to operate on the underlying container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e5ec575b32)
Signed-off-by: Tibor Vass <tibor@docker.com>
In order to keep a little bit of "sanity" on the API side, validate
hostname only starting from v1.24 API version.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit 6daf3d2a78)
Signed-off-by: Tibor Vass <tibor@docker.com>
The image spec did not match the regexp that validates tags. It
neglected to mention that period and dash characters are allowed in
tags, as long as they are not the first character. It also did not
mention the length limit for tags.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
(cherry picked from commit 2f19e910bd)
Signed-off-by: Tibor Vass <tibor@docker.com>
* Detect name conflicts on network creation
* Detect and prevent network connect/disconnect for managed containers
Signed-off-by: Madhu Venugopal <madhu@docker.com>
(cherry picked from commit 0ce5158a2a)
Signed-off-by: Tibor Vass <tibor@docker.com>
There is a not-insignificant performance overhead for all containers (if
containerd is a child of Docker, which is the current setup) if systemd
sets rlimits on the main Docker daemon process (because the limits
propogate to all children).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 8db61095a3)
Signed-off-by: Tibor Vass <tibor@docker.com>
The libtrust keyfile which is used to set the "ID" property of a daemon must be generated or loaded on every startup.
If the process crashes during startup this could cause the file to be incomplete causing future startup errors.
Ensure that the file is written atomically to ensure the file is never in an incomplete state.
Fixes#23985
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
(cherry picked from commit 9836162446)
Signed-off-by: Tibor Vass <tibor@docker.com>
… on `docker node tasks` and `docker service tasks` commands.
This changes is mainly server-side (between engine api and
swarmkit). There is just a check in `api/client/service/tasks.go` to
handle the special *self* meaning.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
(cherry picked from commit b0fc5a21f1)
Signed-off-by: Tibor Vass <tibor@docker.com>