David Calavera
acffc79fe4
Merge pull request #18965 from duglin/FixError
...
Fix error messages
2015-12-29 14:12:22 -08:00
Jess Frazelle
abc695d9d5
Merge pull request #18974 from jfrazelle/remove-seccomp-from-seccomp-profile
...
remove seccomp from seccomp profile
2015-12-29 13:15:14 -08:00
Arnaud Porterie
7b540ee653
Merge pull request #18877 from dnephin/move_graph_driver_to_layer_store
...
Move graph driver to layer store
2015-12-29 12:19:02 -08:00
Arnaud Porterie
a81e438544
Merge pull request #18969 from justincormack/vm86
...
Block vm86 syscalls in default seccomp profile
2015-12-29 11:57:35 -08:00
Arnaud Porterie
2307f47fdd
Merge pull request #18972 from justincormack/bpf
...
Block bpf syscall from default seccomp profile
2015-12-29 11:57:07 -08:00
Arnaud Porterie
e01cab1cc5
Merge pull request #18971 from justincormack/ptrace
...
Block additional ptrace related syscalls in default seccomp profile
2015-12-29 11:56:51 -08:00
Arnaud Porterie
3858027e27
Merge pull request #18933 from coolljt0725/always_build
...
Add DOCKER_BUILD_ARGS env to pass build-arg for building deb and rpm
2015-12-29 11:53:06 -08:00
Jessica Frazelle
b610fc226a
remove seccomp from seccomp profile
...
This can be allowed because it should only restrict more per the seccomp docs, and multiple apps use it today.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 11:21:33 -08:00
Jess Frazelle
194e69507b
Merge pull request #18949 from jfrazelle/fix-libseccomp-version
...
fix libseccomp where version < 2.2.1
2015-12-29 10:58:10 -08:00
Arnaud Porterie
94e0760868
Merge pull request #18947 from jfrazelle/fix-seccomp-unsupported
...
fix default profile where unsupported
2015-12-29 10:21:07 -08:00
Arnaud Porterie
afdc4747dc
Merge pull request #18953 from justincormack/robust_list
...
Allow use of robust list syscalls in default seccomp policy
2015-12-29 10:19:41 -08:00
Arnaud Porterie
a32b06b067
Merge pull request #18956 from justincormack/umount
...
Block original umount syscall in default seccomp filter
2015-12-29 10:19:04 -08:00
Justin Cormack
a0a8ca0ae0
Block additional ptrace related syscalls in default seccomp profile
...
Block kcmp, process_vm_readv, process_vm_writev.
All these require CAP_PTRACE, and are only used for ptrace related
actions, so are not useful as we block ptrace.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 18:17:28 +00:00
David Calavera
3ec3597d58
Merge pull request #18950 from zhanghuanzhong/docker-fix-pull-image-log-info
...
Print the registry name while pulling an image
2015-12-29 10:16:05 -08:00
Arnaud Porterie
ad8bce2ce4
Merge pull request #18959 from justincormack/finit_module
...
Deny finit_module in default seccomp profile
2015-12-29 10:12:50 -08:00
Arnaud Porterie
8ac3d083a8
Merge pull request #18961 from justincormack/clock_adjtime
...
Block clock_adjtime in default seccomp config
2015-12-29 10:08:45 -08:00
Arnaud Porterie
294336a1af
Merge pull request #18968 from justincormack/stime
...
Block stime in default seccomp profile
2015-12-29 10:07:40 -08:00
Justin Cormack
33568405f3
Block bpf syscall from default seccomp profile
...
The bpf syscall can load code into the kernel which may
persist beyond container lifecycle. Requires CAP_SYS_ADMIN
already.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 17:28:30 +00:00
Tianon Gravi
31bd242cba
Merge pull request #18728 from hypriot/update-dockerfile-for-arm
...
update Dockerfile.arm to reflect latest changes in main Dockerfile
2015-12-29 09:24:29 -08:00
Jessica Frazelle
35667c3826
add note to packagers.md about libseccomp version
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-29 08:47:20 -08:00
Justin Cormack
6c3ea7a511
Block vm86 syscalls in default seccomp profile
...
These provide an in kernel virtual machine for x86 real mode on x86
used by one very early DOS emulator. Not required for any normal use.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 15:47:23 +00:00
Justin Cormack
6300a08be9
Block stime in default seccomp profile
...
The stime syscall is a legacy syscall on some architectures
to set the clock, should be blocked as time is not namespaced.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 15:28:05 +00:00
Doug Davis
b3e1178ad0
Fix error messages
...
`docker kill 123` will show something like:
`Error response from daemon: Cannot kill container 123: nosuchcontainer: No such container: 123`
Notice the `nosuchcontainer` text, that should not be there as that's an internal ID that means nothing to the end user.
This PR fixes this by using `util.GetErrorMessage()` to extract just the message.
While in that dir I found a couple of other spots that could use the same call, just to be safe.
Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-12-29 06:08:52 -08:00
Justin Cormack
0e5c43cdda
Block clock_adjtime in default seccomp config
...
clock_adjtime is the new posix style version of adjtime allowing
a specific clock to be specified. Time is not namespaced, so do
not allow.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 12:48:16 +00:00
Justin Cormack
0d5306a0b6
Deny finit_module in default seccomp profile
...
This is a new version of init_module that takes a file descriptor
rather than a file name.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 12:31:33 +00:00
Justin Cormack
9be0d93cf7
Block original umount syscall in default seccomp filter
...
The original umount syscall without flags argument needs to
be blocked too.
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 11:57:16 +00:00
Vincent Demeester
eb551baf6f
Merge pull request #18951 from jfrazelle/fix-code-comment
...
fix code comment
2015-12-29 12:00:37 +01:00
Justin Cormack
7b133e7235
Allow use of robust list syscalls
...
The set_robust_list syscall sets the list of futexes which are
cleaned up on thread exit, and are needed to avoid mutexes
being held forever on thread exit.
See for example in Musl libc mutex handling:
http://git.musl-libc.org/cgit/musl/tree/src/thread/pthread_mutex_trylock.c#n22
Signed-off-by: Justin Cormack <justin.cormack@unikernel.com>
2015-12-29 10:22:05 +00:00
Lei Jitang
82051ab996
Add DOCKER_BUILD_ARGS env to pass build-arg for building deb and rpm
...
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-12-29 04:09:44 -05:00
Jessica Frazelle
b4c14a0bb8
fix code comment
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 22:36:54 -08:00
Huanzhong Zhang
85e355605a
print the registry name.
...
Signed-off-by: Huanzhong Zhang <zhanghuanzhong90@gmail.com>
2015-12-29 13:33:04 +08:00
Jessica Frazelle
ae54e39c80
fix libseccomp where version < 2.2.1
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 21:30:49 -08:00
Jessica Frazelle
94b45310f4
fix default profile where unsupported
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 20:42:15 -08:00
David Calavera
78ce43bad8
Merge pull request #18780 from jfrazelle/seccomp-default
...
set default seccomp profile
2015-12-28 16:46:30 -08:00
Sebastiaan van Stijn
a3ca176e3c
Merge pull request #18945 from jbruni/patch-2
...
Fixed /etc/defaults/docker to /etc/default/docker
2015-12-29 00:05:45 +01:00
J Bruni
153948ac46
Fixed /etc/defaults/docker to /etc/default/docker
...
/etc/default/docker is the correct file location in my system, and also according to Docker's own documentation at https://github.com/docker/docker/blob/master/docs/articles/configuring.md#configuring-docker
Signed-off-by: J Bruni <contato@jbruni.com.br>
2015-12-28 20:57:36 -02:00
Vincent Demeester
6cd167386b
Merge pull request #18835 from dnephin/move_validate_context_dir
...
Move utils.ValidateContextDirectory to the one package that uses it
2015-12-28 22:06:13 +01:00
Sebastiaan van Stijn
8c6ad0991e
Merge pull request #18899 from cpswan/18898-fix-storage-driver-example
...
Fix --storage-driver example
2015-12-28 21:58:43 +01:00
Jess Frazelle
8b68853ef5
Merge pull request #18937 from cbalducci/patch-1
...
[mkimage-alpine.sh] Additional repo and container cleanup
2015-12-28 12:51:31 -08:00
David Calavera
1d4306d2fa
Merge pull request #18905 from coolljt0725/fix_disconnect_not_save
...
Fix network disconnect does not save the config to disk
2015-12-28 12:38:16 -08:00
David Calavera
b6a251a551
Merge pull request #18942 from thaJeztah/move-vish-to-alumni
...
Move Vishnu to alumni
2015-12-28 12:31:18 -08:00
Arnaud Porterie
baee7ae045
Merge pull request #18715 from calavera/remove_is_paused_from_interface
...
Remove `IsPaused` from backend interface.
2015-12-28 11:25:11 -08:00
Jess Frazelle
38440cadf3
Merge pull request #18897 from runcom/fix-net-none-build
...
integration-cli: fix --net=none build
2015-12-28 10:51:18 -08:00
Jessica Frazelle
d34bbb66d5
bump docker-py
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 10:26:52 -08:00
Jessica Frazelle
15674c5fb7
add docs and unconfined to run a container without the default seccomp profile
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 10:26:51 -08:00
Jessica Frazelle
a48fe62384
add default seccomp profile tests
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 10:26:48 -08:00
Jessica Frazelle
947293a280
set default seccomp profile
...
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-12-28 10:18:47 -08:00
Jess Frazelle
00362f8ea2
Merge pull request #18923 from albers/completion-network-ls--filter
...
bash completion for `docker network ls --filter`
2015-12-28 10:16:17 -08:00
Daniel Nephin
91154e9235
Move graph driver registration out of the daemon package.
...
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2015-12-28 13:02:24 -05:00
Daniel Nephin
f5916b10ae
Remove the graph driver from the daemon, move it into the layer store.
...
Support restoreCustomImage for windows with a new interface to extract
the graph driver from the LayerStore.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2015-12-28 12:55:48 -05:00