* Use rc_ulimit for ulimit constraints
* Synchronize ulimit settings to systemd's
* Add support for reload command
* Add support for retry settings for docker stop/restart
Signed-off-by: Manuel Rüger <manuel@rueg.eu>
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.
The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.
RootlessKit changes: 7bbbc48a6f...ed26714429
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Previously, tag information automatically is added from
/etc/{redhat,system}-release in image (target directory).
But I want to specify any tag informtion when using mkimage-yum.sh.
Because a Linux distribution based RHEL (It's Asianux Server) uses
SPn notation (e.g. SP3) instead of period notaion (e.g. 7.6).
Signed-off-by: Noriki Nakamura <noriki.nakamura@miraclelinux.com>
containerd is now running as a separate service, and should
no longer be started as a managed child-process of dockerd.
The dockerd service already specifies that it should be started
`After` the containerd.service, but there is still a race
condition, where containerd is started, but its socket is not yet
created.
In that situation, `dockerd` detects that the containerd socket
is missing, and will start a new instance of containerd (as a
managed child-process), which causes live-restore to fail.
This patch explicitly sets the `--containerd` daemon option.
If this option is set, `dockerd` will not start a new instance
of containerd.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Please refer to `docs/rootless.md`.
TLDR:
* Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
* `dockerd-rootless.sh --experimental`
* `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Add Location following since security redirects to security-cdn and caused the repository to be added on Debian unstable.
Signed-off-by: Mattias Jernberg <nostrad@gmail.com>
Without this the docker.socket would not start by default when starting
the docker.service leading to failures to start.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Removes the systemd drop-in unit file for socket activation and instead
prefers socket activation by default for both RHEL based and DEBIAN
based distributions.
Socket activation for RHEL based distributions was tested on CentOS 7 and Fedora 28.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
On kernels without this options set, publishing ports for swarm
services does not work, making the published port not accessible
("connection refused")
Thanks to Wenbo Wang for reporting, and Tianon for finding this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Set the PATH to what appears to be the standard on latest Ubuntu (18.04)
and Debian (9), fixing the following two issues:
1. PATH did not contain /bin (leading to ContainerTop/ps not working
on newer distros, among the other things).
2. $PATH can't be specified in Environment directives in .service files.
While at it, also:
3. Remove the comment about RPM as it looks misleading on deb-based
systems.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Removes the need for the offline installer to install the shim process
and instead installs the shim process as part of the packaging.
May be easier in the future to just package the shim process on it's own
but that'll come after this 18.09 release
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229
(6bf0f408e4)
both the old, and new location are accepted by systemd 229 and up, so using the old location
to make them work for either version of systemd.
StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230
(f0367da7d1)
both the old, and new name are accepted by systemd 230 and up, so using the old name to make
this option work for either version of systemd.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds support for reloading the docker daemon
(SIGHIUP) so that changes in '/etc/docker/daemon.json'
can be loaded at runtime by reloading the service
through systemd ('systemctl reload docker')
Before this change, systemd would output an error
that "reloading" is not supported for the docker
service;
systemctl reload docker
Failed to reload docker.service: Job type reload is not applicable for unit docker.service.
After this change, the docker daemon can be reloaded
through 'systemctl reload docker', which reloads
the configuration;
journalctl -f -u docker.service
May 02 03:49:20 testing systemd[1]: Reloading Docker Application Container Engine.
May 02 03:49:20 testing docker[28496]: time="2016-05-02T03:49:20.143964103-04:00" level=info msg="Got signal to reload configuration, reloading from: /etc/docker/daemon.json"
May 02 03:49:20 testing systemd[1]: Reloaded Docker Application Container Engine.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change the kill mode to process so that systemd does not kill container
processes when the daemon is shutdown but only the docker daemon
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We need to add delegate yes to docker's service file so that it can
manage the cgroups of the processes that it launches without systemd
interfering with them and moving the processes after it is reloaded.
Delegate=
Turns on delegation of further resource control partitioning to
processes of the unit. For unprivileged services (i.e. those
using the User= setting), this allows processes to create a
subhierarchy beneath its control group path. For privileged
services and scopes, this ensures the processes will have all
control group controllers enabled.
This is the proper fix for issue moby/moby#20152
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Systemd sets a default of 512 tasks, which is far
too low to run many containers.
Note that TasksMax is only supported on systemd 226
and above.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There is a not-insignificant performance overhead for all containers (if
containerd is a child of Docker, which is the current setup) if systemd
sets rlimits on the main Docker daemon process (because the limits
propogate to all children).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
set LimitCORE=infinity to ensure complete core creation,
allows extraction of as much information as possible.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
(cherry picked from commit 51879873897afe298cbb736acef34b5a0b500424)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
Old versions of things on CentOS 7 strike again!
infinity is not a thing for TimeoutSec on systemd < 229
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
PartOf deactivates the socket whenever the service get deactivated. The socket unit however should be active nevertheless.
Signed-off-by: Max Harmathy <max.harmathy@web.de>
This is an old script using tools that are no longer maintained or
recommended (and don't even work anymore).
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
These are no longer used and instead users should use the
`container-selinux` package on their distribution. Additionally, these
are unmaintained and untested.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This is left-over stuff from building Docker pacakges. These aren't
really maintained outside of bumping the golang version, and are never
tested.
These builders can be found at
https://github.com/docker/docker-ce-packaging where they are kept up to
date.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
go1.9.5 (released 2018/03/28) includes fixes to the compiler, go
command, and net/http/pprof package. See the Go 1.9.5 milestone on
the issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.9.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes a vulnerability in `go get` (CVE-2018-6574, http://golang.org/issue/23672),
but shouldn't really affect our code, but it's good to keep in sync.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The pattern `echo str | grep -qE pattern` likes to fail on the z CI here for
an unknown reason. Use `grep -qE pattern <<< str` instead.
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
Currently we only support 'application/vnd.docker.distribution.manifest.v2+json'
manifest images download, with more multi-arch images used, we need to support
download images with 'application/vnd.docker.distribution.manifest.list.v2+json'
format(aka "fat manifest"), else we will fail to download those multi-arch ones.
This PR adds 'application/vnd.docker.distribution.manifest.list.v2+json' manifest
support, thus we can download both multi-arch and legacy images.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
go1.8.5 (released 2017/10/25) includes fixes to the compiler, linker, runtime,
documentation, go command, and the crypto/x509 and net/smtp packages. It
includes a fix to a bug introduced in Go 1.8.4 that broke go get of non-Git
repositories under certain conditions. See the Go 1.8.5 milestone on our issue
tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.8.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Probably a good idea to treat `*.Dockerfile` as dockerfile format as well. In general, it's better to use the `Dockerfile` part as an extension rather than a basename.
Signed-off-by: Andrew Pennebaker <andrew.pennebaker@gmail.com>
While convention states that Dockerfile instructions should be
written in uppercase, the engine allows them to be mixed case or in
lowercase. The tmLanguage file should tolerate this and provide
highlighting support even if instructions are not written in
uppercase.
Signed-off-by: Remy Suen <remy.suen@gmail.com>
If you want to makeimage using the group "Compute Node" and so on, you must add “ ” to include the $install_groups, or it will format the text as below:
yum -c /etc/yum.conf --installroot=/tmp/makeimage.sh.zOLs8y --releasever=/ --setopt=tsflags=nodocs --setopt=group_package_types=mandatory -y groupinstall Compute Node
That's absolutely incorrect.
Change-Id: I8b6b09f215aabd6b1f76c9365ba96c68722c47fd
Signed-off-by: dodia <tangwj2@lenovo.com>
When using a https proxy, an extra HTTP 200 header will be generated.
So we can't rely on detecting the first http header.
$curlHeaders with https proxy:
"HTTP/1.0 200 Connection established <-- the https proxy's response
HTTP/1.1 307 Temporary Redirect
...
"
See https://stackoverflow.com/a/34537988/889429Fixes#34131
Signed-off-by: Jacob Wen <jian.w.wen@oracle.com>
If the registry responds directly with blob contents, use them,
otherwise follow the redirect without Authorization headers (which
likely aren't valid for the server being redirected to).
This preserves the basic structure of the previous output with up to one
additional progress bar per-layer (for the redirect request and then the
following blob request).
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
The contrib/mkimage-busybox.sh, contrib/mkimage-debootstrap.sh,
and contrib/mkimage-rinse.sh were deprecated in commit
51f707cf9d, in favor of
their equivalents in contrib/mkimage/
Given that the deprecation warning has been in place
for over three years, it's save to now remove these.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The --allow-nondistributable-artifacts daemon option specifies
registries to which foreign layers should be pushed. (By default,
foreign layers are not pushed to registries.)
Additionally, to make this option effective, foreign layers are now
pulled from the registry if possible, falling back to the URLs in the
image manifest otherwise.
This option is useful when pushing images containing foreign layers to a
registry on an air-gapped network so hosts on that network can pull the
images without connecting to another server.
Signed-off-by: Noah Treuhaft <noah.treuhaft@docker.com>
This reverts commit 7e3a596a63.
Unfortunately, it was pointed out in https://github.com/moby/moby/pull/29076#commitcomment-21831387
that the `socketcall` syscall takes a pointer to a struct so it is not possible to
use seccomp profiles to filter it. This means these cannot be blocked as you can
use `socketcall` to call them regardless, as we currently allow 32 bit syscalls.
Users who wish to block these should use a seccomp profile that blocks all
32 bit syscalls and then just block the non socketcall versions.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
RH now provides `container-selinux` which provides everything we need
for docker's selinux policy. Rely on `container-selinux` where
available, and `docker-engine-selinux` when not.
This still builds the `docker-engine-selinux` package and presumably
makes it available, but is no longer a requirement in the
`docker-engine` package preferring `container-selinux` instead.
`container-selinux` is available on fedora24, however the version that
is available does not set the correct types on the `dockerd` binary. We
can use `container-selinux` and just supplement that with some of our
own policy, but for now just keep using `docker-engine-selinux` as is.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This new flag will allow the configuration of an interface that
can be used for data path traffic to be isolated from control
plane traffic. This flag is simply percolated down to libnetwork
and will be used by all the global scope drivers (today overlay)
Negative test added for invalid flag arguments
Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
Implements the following new CLI features:
- service logs is no longer experimental
- service logs also accepts task IDs
Signed-off-by: Harald Albers <github@albersweb.de>
bash-completion script for 'docker build --network' calls
__docker_plugins, the correct name for this function is
__docker_plugins_bundled.
Closes#32588
Signed-off-by: Corey Farrell <git@cfware.com>
Ubuntu 17.04 will be released soon http://releases.ubuntu.com/zesty/
Note that this is a short-term release, so will
EOL (and removed again) in 9 months
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
