Volumes and other content created under a bind mount should be
recursively propagated using rshared, not shared. This could be
the reason for EBUSY during removal. Override options with rbind,
rshared and see if CI errors are fixed.
May fix#25511
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
(cherry picked from commit e58028d078)
Signed-off-by: Tibor Vass <tibor@docker.com>
- Fixes a SNAT issue in loadbalancer when multiple networks are involved
- Fixes an issue with SRV query forwarding in DNS
- Fixes a map race
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
(cherry picked from commit 56c9822695)
Signed-off-by: Tibor Vass <tibor@docker.com>
This is an attempt to fix the flaky test of TestSwarmNodeTaskListFilter in 25029.
Basically this fix adds a check to wait until 3 containers has already up,
before processing `node tasks ...`.
This might fix 25029.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit 63c0366bc9)
Signed-off-by: Tibor Vass <tibor@docker.com>
These flags were not supported (daemon returns an error), and it was an
oversight. They were not present in completion scripts.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 3a7e90c743)
Signed-off-by: Tibor Vass <tibor@docker.com>
/proc/timer_list seems to leak information about the host. Here is
an example from a busybox container running on docker+kubernetes.
# cat /proc/timer_list | grep -i -e kube
<ffff8800b8cc3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2497
<ffff880129ac3db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3478
<ffff8800b1b77db0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kube-proxy/3470
<ffff8800bb6abdb0>, hrtimer_wakeup, S:01, futex_wait_queue_me, kubelet/2499
Signed-Off-By: Davanum Srinivas <davanum@gmail.com>
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit 03bd00b68f)
Signed-off-by: Tibor Vass <tibor@docker.com>
With the latest OL7.2, selinux policy that is shipped
might not be the latest for it to work or build with
selinux policy for docker-1.12.
To be able to achieve that here is what is done:
1. Added systemd_machined policy which is part of systemd.
2. Temporarily comment out unconfined_typebounds because the
current OL7's selinux doesn't have unconfineduser selinux policy,
to include this will be too much. Will revisit this once we have
updated the selinux policy.
Fixes: #24612
Signed-off-by: Thomas Tanaka <thomas.tanaka@oracle.com>
(cherry picked from commit d6cae872c7)
Signed-off-by: Tibor Vass <tibor@docker.com>
This patch allows to only release the packages that were built and are
present under the bundles/ directory instead of assuming packages exist
for all distros enumerated in the contrib/builder/ directory.
It also now adds support for armhf architecture for apt repositories.
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 2ff2e9a730)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue raised in 25375 where
`service update --publish-add` returns an error if the exact
same value is repeated (idempotent).
This fix use a map to filter out repeated port configs so
that `--publish-add` does not error out.
An integration test has been added.
This fix fixes 25375.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit b487497cd2)
Signed-off-by: Tibor Vass <tibor@docker.com>
Docker 1.12 ships with an updated unit file on RPM
based distros. Users that have local modifications
to the unit file, or have a drop-in file installed
may not automatically get the updated unit file,
or get an error when starting docker.
This adds a warning to the changelog, and instructions
on how to resolve the issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 66b656684e)
Signed-off-by: Tibor Vass <tibor@docker.com>
Only open_by_handle_at requires CAP_DAC_READ_SEARCH.
This allows systemd to run with only `--cap-add SYS_ADMIN`
rather than having to also add `--cap-add DAC_READ_SEARCH`
as well which it does not really need.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
(cherry picked from commit c1ca124682)
Signed-off-by: Tibor Vass <tibor@docker.com>
In cases there are failures in task start, swarmkit might be trying to
restart the task again in the same node which might keep failing. This
creates a race where when a failed task is getting removed it might
remove the associated network while another task for the same service
or a different service but connected to the same network is proceeding
with starting the container knowing that the network is still
present. Fix this by reacting to `ErrNoSuchNetwork` error during
container start by trying to recreate the managed networks. If they
have been removed it will be recreated. If they are already present
nothing bad will happen.
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
(cherry picked from commit 117cef5e97)
Signed-off-by: Tibor Vass <tibor@docker.com>
This adds the ability to have different profiles for individual distros
and versions of the distro because they all ship with and depend on
different versions of policy packages.
The `selinux` dir contains the unmodified policy that is being used
today. The `selinux-fedora` dir contains the new policy for fedora 24
with the changes for it to compile and work on the system.
The fedora policy is from commit
4a6ce94da5
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
(cherry picked from commit 32b1f26c51)
Signed-off-by: Tibor Vass <tibor@docker.com>
This fix tries to address the issue in 25404 where updating environmental
variable in `service update --env-add` will not work.
The issue is because `--env-add` will only append the env, not update if
the same env already exist.
This fix tracks the env variable with a map and update if the variable
is the same.
An integration test has been added.
This fix fixes 25404.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
(cherry picked from commit c6de8add5f)
Signed-off-by: Tibor Vass <tibor@docker.com>
Unlike `docker run -v..`, `docker service create --mount`
does not allow bind-mounting non-existing host paths.
This adds validation for the specified `source`, and
produces an error if the path is not found on the
host.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 84d5ab96ef)
Signed-off-by: Tibor Vass <tibor@docker.com>
