This includes fixes for;
- outputing errors for missing seccomp options on seccomp versions < 2.3
- cap set apply EPERM errors on ARM systems
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
runc expects a systemd cgroupsPath to be in slice:scopePrefix:containerName
format and the "--systemd-cgroup" option to be set. Update docker accordingly.
Fixes 21475
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
Add some missing dependencies in the Dockerfile:
- apt-utils for apt-ftparchive.conf
- bsdmainutils for our use of the column command in
hack/make/generate-index-listing
We also ensure that the docker daemon is started before calling
release-deb or release-rpm, since .detect-daemon-osarch, which is sourced
in each of them, requires the daemon to be running.
This commit also gets completely rid of s3cmd and fixes references to
AWS_* environment variables (changing from AWS_ACCESS_KEY to
AWS_ACCESS_KEY_ID and AWS_SECRET_KEY to AWS_SECRET_ACCESS_KEY) in order
to please awscli. Also AWS_DEFAULT_REGION is now important to specify,
the default has been set to the region used by get.docker.com and
test.docker.com.
Signed-off-by: Tibor Vass <tibor@docker.com>
Contains fixes for:
- pid.max fix that is causing hang on network stats test.
- fix for early stdin close containerd-shim
- better logging for `could not synchronise with container process`
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Fixes#20550
This update to libseccomp supports the new versions of socket
system calls that can be called directly rather than via the
socketcall syscall in kernel versions 4.3 or later with new glibc.
Note this library version now supports s390x and ppc64le, so
seccomp can be potentially be enabled for these architectures now.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Fixes broken-pipe issue when piping s3cmd to grep -q, by removing the -q
flag and redirecting to /dev/null instead.
Add net-tools for ifconfig, because some tests rely on ifconfig.
Harmonize all Dockerfiles in this direction.
Signed-off-by: Tibor Vass <tibor@docker.com>
dockerinit has been around for a very long time. It was originally used
as a way for us to do configuration for LXC containers once the
container had started. LXC is no longer supported, and /.dockerinit has
been dead code for quite a while. This removes all code and references
in code to dockerinit.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
Fixes#19400
Note that this introduces an incompatibility with Docker 1.10-rc1,
because the media type used for schema1 manifests has been corrected in
the upstream distribution code. Docker 1.10-rc1 won't be able to pull
old manifests from Registry 2.3-rc0 and up, but because of this vendor
update, Docker 1.10-rc2 won't have this problem.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This results in a significant time savings during repeated builds (since we don't have to re-download gcc for every test run).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Tracks source repository information for each blob in the blobsum
service, which is then used to attempt to mount blobs from another
repository when pushing instead of having to re-push blobs to the same
registry.
Signed-off-by: Brian Bland <brian.bland@docker.com>
Add DockerSchema1RegistrySuite which uses this registry, and make
applicable integration tests run as part of this suite.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Also, fix up some minor whitespace consistency issues, remove a little cruft, and update GOARM for armhf to 7 so that we're explicit.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
It will Tar up contents of child directory onto tmpfs if mounted over
This patch will use the new PreMount and PostMount hooks to "tar"
up the contents of the base image on top of tmpfs mount points.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
devmapper uses xfs by default now. So include xfsprogs in build
environment. Also update docs to reflect the new default.
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
The LXC driver was deprecated in Docker 1.8.
Following the deprecation rules, we can remove a deprecated feature
after two major releases. LXC won't be supported anymore starting on Docker 1.10.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Also requires some tests to be updated which relied on behavior
of a busybox image that wasn't actually "busybox:latest"; meaning these
tests were unable to be verified/run against a real busybox:latest image
on a daemon.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
If a logdriver doesn't register a callback function to validate log
options, it won't be usable. Fix the journald driver by adding a dummy
validator.
Teach the client and the daemon's "logs" logic that the server can also
supply "logs" data via the "journald" driver. Update documentation and
tests that depend on error messages.
Add support for reading log data from the systemd journal to the
journald log driver. The internal logic uses a goroutine to scan the
journal for matching entries after any specified cutoff time, formats
the messages from those entries as JSONLog messages, and stuffs the
results down a pipe whose reading end we hand back to the caller.
If we are missing any of the 'linux', 'cgo', or 'journald' build tags,
however, we don't implement a reader, so the 'logs' endpoint will still
return an error.
Make the necessary changes to the build setup to ensure that support for
reading container logs from the systemd journal is built.
Rename the Jmap member of the journald logdriver's struct to "vars" to
make it non-public, and to make it easier to tell that it's just there
to hold additional variable values that we want journald to record along
with log data that we're sending to it.
In the client, don't assume that we know which logdrivers the server
implements, and remove the check that looks at the server. It's
redundant because the server already knows, and the check also makes
using older clients with newer servers (which may have new logdrivers in
them) unnecessarily hard.
When we try to "logs" and have to report that the container's logdriver
doesn't support reading, send the error message through the
might-be-a-multiplexer so that clients which are expecting multiplexed
data will be able to properly display the error, instead of tripping
over the data and printing a less helpful "Unrecognized input header"
error.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
Added notary server to docker base image.
Created trust suite which runs trust server for running trusted commands.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
The docker-py commit used in the standard `Dockerfile` is from Feb. 2015
and is out of date with the current API level and has fixes for things
like the new docker cli config location and registry v2 changes/API
responses as well.
Also pass "NOT_ON_HOST=true" to docker-py test suite so that tests
relying on direct HOST interaction (versus running in a container) are
skipped.
Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
Add golint to the Dockerfile, and a `validate-lint` task to the
Makefile. Currently, the linter will process a harcoded list of packages
that will expand as we fix more warnings. Eventually, the linter should
process all subpackages of the repo (excluding vendored code).
Signed-off-by: Arnaud Porterie <arnaud.porterie@docker.com>
Fixes an issue with curly braces being escaped when they should not be.
This was particularly an issue in places where `--format '{{ ... }}'`
is used in the man docs.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
These will create the apt & yum repos for the deb/rpms generated by build-deb
and build-rpm.
Adds sign-repo script which signs the repo metadata with a gpg key.
Signed-off-by: Jessica Frazelle <princess@docker.com>
These have both been updated to no longer include the empty "scratch" layer, and `hello-world` has a fix for http->https.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
We already vendor distribution under ./vendor, but
because the GOPATH is /go:/go/src/github.com/.../vendor
Go will always compile the source code at /go not in ./vendor.
Apart from the fact that it is very inconvenient during
development, it was also a time-bomb: someone vendors a fix
from upstream distribution, but forgets to update
REGISTRY_COMMIT in the Dockerfile, and the binary doesn't get
the fix.
Signed-off-by: Tibor Vass <tibor@docker.com>
When ever something vendor/ changes the go dependencies have to downloaded again,
which requires internet access and there for is potential slow. COPY and go install is much faster, while the git urls does not change not this often.
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
Installs and configures bash completion for Docker.
Note that bash completion still has to be initialized by a custom
.bashrc file.
Signed-off-by: Harald Albers <github@albersweb.de>
This addresses a subtle deadlock where an error during a copy prevented pipe
closure to propagate correctly. By closing down the read end of the pipe rather
than the write end, the waiting writer is properly signaled. A nice side-effect
of this change is that errors encountered by io.Copy are now propagated to the
verifier's Write method.
A test to ensure validation errors for unsupported digest types has been added,
as well.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Add ability to refer to an image by repository name and digest using the
format repository@digest. Works for pull, push, run, build, and rmi.
Signed-off-by: Andy Goldstein <agoldste@redhat.com>
Update pull code to consider any layer download or new tag as an update.
Update hello-world frozen image to be explicitly tagged as frozen, to not interfere with pull tests. The hello-world is used by pull tests because of its small size and there is no other official image with such a size.
fixes#11383
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
FROM scratch
ADD echo /
RUN [ "echo" ]
will die with
exec: "/bin/sh": stat /bin/sh: no such file or directory
Signed-off-by: Doug Davis <dug@us.ibm.com>
This makes it much simpler to add new "frozen" images -- simply add them to the `Dockerfile` and in `hack/make/.ensure-frozen-images` and you're off to the races.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This downloads a specific image ID of `busybox:latest` from the Hub directly (within the `Dockerfile`, ready for `docker load`) instead of grabbing the source from GitHub and doing a `docker build` at daemon start time. This ensures the test suite runs more consistently.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
If `.bashrc` exists at the root of the source tree, it will be used as the `~/.bashrc` inside the container.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Since `cirros.tar.gz` only existed to test `docker import`'s display and
presence in `docker events`, we can instead just use `docker export`
piped directly to `docker import` to achieve the same goal without
another external dependency besides `busybox` (which we already have).
While I was at it, I updated `TestImportDisplay` to also test that the
imported image actually runs successfully as well (so we're testing the
full import round-trip).
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Use `env -i` to very explicitly control exactly which environment variables leak into our tests. This enforces a clean separation of "build environment knobs" versus "test suite knobs".
This also includes a minor tweak to how we handle starting our integration daemon, especially to catch failure to start sooner than failing tests.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Update fixes some rendering issues, including improperly escaping '$' in
blocks, and actual parsing of blockcode.
`ID=$(sudo docker run -d fedora /usr/bin/top -b)` was being converted to
`ID=do docker run -d fedora/usr/bin/top -b)`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Since it can still be tested natively without this, this won't cause any harm while we fix the tests to actually work on Windows.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
Update our "registry" install to use the included Godeps libraries so that it
doesn't require anything from our current source (hence moving it up for
better caching too)
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
v2 ping now checks for a Docker-Distribution-API-Version
header that identifies the endpoint as "registry/2.0"
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Since "go test" doesn't seem to support "-installsuffix" as quite the same perfect solution that "go build" is happy to let it be, let's just switch those crappy old "integration/" tests to use our separate static dockerinit binary so we don't have to worry about compiling the entire test harness statically. 👍
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This refactors version number usage for several of our "download/install this exact version" bits so we have an easier time replacing the version numbers in Jenkins.
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
- move docker/docker-py clone to the Dockerfile
- put "integration test daemon startup" code in a separate file for both scripts to source
- add new test-docker-py Makefile target
- include "python-websocket" package in Dockerfile for running the tests
Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
This clones and run the integration tests for docker-py master as part
of the integration tests created on master. docker-py hits the api
directly and should be a good way to identify regressions in the api.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Since the build uses ubuntu 14.04, which has an old btrfs, include the
buildtags needed for this old version to not break the build.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
So far, it looks like the declarations are not used, and so its safer not to
confuse people into thinking they do something.
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@docker.com> (github: SvenDowideit)
Because of the base image change, $HOME is not always / and we need to
write to the proper $HOME within the container to complete the release
process.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
This changes the test TestBuildWithInaccessibleFilesInContext to not
add the user 'unprivilegeduser' and add it via the Dockerfile instead.
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
This patch just revs the Ubuntu release used for builds from 13.10
to 14.04.
Docker-DCO-1.1-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com> (github: cyphar)
This also removes all the old man pages, .gitignores their directory, and updates the md2man-all.sh script to be easier to read and more friendly to being called within hack/make/ubuntu.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
docker will run the process(es) within the container with an SELinux label and will label
all of the content within the container with mount label. Any temporary file systems
created within the container need to be mounted with the same mount label.
The user can override the process label by specifying
-Z With a string of space separated options.
-Z "user=unconfined_u role=unconfined_r type=unconfined_t level=s0"
Would cause the process label to run with unconfined_u:unconfined_r:unconfined_t:s0"
By default the processes will run execute within the container as svirt_lxc_net_t.
All of the content in the container as svirt_sandbox_file_t.
The process mcs level is based of the PID of the docker process that is creating the container.
If you run the container in --priv mode, the labeling will be disabled.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
These were found using `git grep -nE '[^-a-zA-Z0-9<>]-[a-zA-Z0-9]{2}'` (fair warning: _many_ false positives there).
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
Everyone probably wants to run `docker pull ubuntu` before building with this change.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
This fixes compilation issues when btrfs.h isn't available (because we just need the relevant structs, which for userspace programs are supposed to come from btrfs-progs instead of the kernel headers).
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
In addition, we've now hard-coded LXC version 0.8 compiled from source so that we can have the most stable dev environment possible.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
