This also makes sure that we can test all functionality of the
daemon, because some features are not available on static binaries.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- SC2006: use $(...) notation instead of legacy backticked `...`
- SC2086: double quote to prevent globbing and word splitting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
New features
- build CRIU with Android NDK
- C/R of
- IP RAW sockets
- lsm: dump and restore any SELinux process label
- support restoring ghost files on readonly mounts
Bugfixes
- Do not lock network if running in the host network namespace
- Fix RPC configuration file handling
- util: don't leak file descriptors to third-party tools
- small fixes here and there
Improvements
- travis: switch to the Ubuntu Xenial
- travis-ci: Enable ia32 tests
- Many improvements and bug fixes in the libcriu
- Changes in the API and ABI (SONAME increased from 1 to 2)
full diff: https://github.com/checkpoint-restore/criu/compare/v3.11...v3.12
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1.This commit replaces serviceRunningCount with
swarm.RunningTasksCount to accurately check if the
service is running with the accurate number of instances
or not. serviceRunningCount was only checking the ServiceList
and was not checking if the tasks were running or not
This adds a safe barrier to execute docker network inspect
commands for overlay networks which get created
asynchronously via Swarm
2. Make sure client connections are closed
3. Make sure every service and network name is unique
4. Make sure services and networks are cleaned up
Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
go1.12.8 (released 2019/08/13) includes security fixes to the net/http and net/url packages.
See the Go 1.12.8 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.12.8
- net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted
clients could be remotely made to allocate an unlimited amount of memory, until the program
crashes. Servers will now close connections if the send queue accumulates too many control
messages.
The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
net/url: parsing validation issue
- url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary
suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses
in certain applications. Note that URLs with invalid, not numeric ports will now return an error
from url.Parse.
The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering
and reporting this issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This will run the DCO check in a lightweight alpine container, before
running other stages, and before building the development image/container
(which can take a long time).
A Jenkins parameter was added to optionally skip the DCO check (skip_dco)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Jenkins groups them per stage, so collecting them for all architectures
is possible (without them conflicting or becoming ambiguous)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The z-master stage will just run the integration-cli tests. The
existing z stage will run the unit tests and the integration
tests. In this way, PR check jobs will be shorter, but all
integration tests will run after PR is merged to master.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
The powerpc-master stage will just run the integration-cli tests. The
existing powerpc stage will run the unit tests and the integration
tests. In this way, PR check jobs will be shorter, but all integration
tests will run after PR is merged to master.
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Using a build-arg so that we don't have to specify it for each
`apt-get install`, and to preserve that the `DEBIAN_FRONTEND` is
preserved in the image itself (which changes the default behavior,
and can be surprising if the image is run interactively).`
With this patch, some (harmless, but possibly confusing) errors
are no longer printed during build, for example:
```patch
Unpacking libgcc1:armhf (1:6.3.0-18+deb9u1) ...
Selecting previously unselected package libc6:armhf.
Preparing to unpack .../04-libc6_2.24-11+deb9u4_armhf.deb ...
-debconf: unable to initialize frontend: Dialog
-debconf: (TERM is not set, so the dialog frontend is not usable.)
-debconf: falling back to frontend: Readline
Unpacking libc6:armhf (2.24-11+deb9u4) ...
Selecting previously unselected package libgcc1:arm64.
Preparing to unpack .../05-libgcc1_1%3a6.3.0-18+deb9u1_arm64.deb ...
Unpacking libgcc1:arm64 (1:6.3.0-18+deb9u1) ...
Selecting previously unselected package libc6:arm64.
Preparing to unpack .../06-libc6_2.24-11+deb9u4_arm64.deb ...
-debconf: unable to initialize frontend: Dialog
-debconf: (TERM is not set, so the dialog frontend is not usable.)
-debconf: falling back to frontend: Readline
```
Looks like some output is now also printed on stdout instead of stderr
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
and remove `PullImageTest::test_build_invalid_platform` from the list,
which was a copy/paste error in f8cde0b32d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There are many errors like this one:
> 01:39:28.750 find: ‘bundles/test-integration/dbc77018d39a5/root/overlay2/f49953a883daceee60a481dd8e1e37b0f806d309258197d6ba0f6871236d3d47/work/work’: Permission denied
(probably caused by bad permissions)
These directories are not to be looked at when we search for logs, so
let's exclude them. It's not super easy to do in find, here is some
kind of an explanation for find arguments
```
PATTERN ACTION OR PATTERN ACTION
-path X -prune -o -type f [AND] (-name A -o name B) -print
```
(here -o means OR, while AND is implicit)
While at it,
- let the find know we're only looking for files, not directories
- remove a subshell and || true
- remove `-name integration.test` (there are no such files)
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
All tests that require experimental either spin up a separate daemon,
or use the main daemon if experimental is enabled.
This patch
- allows enabling "experimental" for stages through an environment variable
- enables experimental by default on all stages, so that some of these tests
don't have to start a new daemon.
- removes the seaprate "experimental" stage, because it was running exactly
the same tests as the "janky" stage.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
