Support cgroup as in Rootless Podman.
Requires cgroup v2 host with crun.
Tested with Ubuntu 19.10 (kernel 5.3, systemd 242), crun v0.12.1.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The documentation for validate_vendor_used in hack/validate/vendor states
that a warning will be emitted if license information cannot be found in
a vendored package. However, because the script is run with pipefail set
(owing to the inclusion of the common validation script .validate) and
`grep -c` is used, the entire script will fail whenever license information
cannot be found in a vendored package.
Signed-off-by: Chris Price <cprice@mirantis.com>
This test was disabled in the past, but re-enabled when we upgraded
docker-py to 4.2.0.
The test looks to be still flaky though, so skipping it again:
```
[2020-02-10T23:40:44.429Z] =================================== FAILURES ===================================
[2020-02-10T23:40:44.429Z] __________________ AttachContainerTest.test_attach_no_stream ___________________
[2020-02-10T23:40:44.429Z] tests/integration/api_container_test.py:1250: in test_attach_no_stream
[2020-02-10T23:40:44.429Z] assert output == 'hello\n'.encode(encoding='ascii')
[2020-02-10T23:40:44.429Z] E AssertionError: assert b'' == b'hello\n'
[2020-02-10T23:40:44.429Z] E Right contains more items, first extra item: 104
[2020-02-10T23:40:44.429Z] E Use -v to get the full diff
[2020-02-10T23:40:44.429Z] ------- generated xml file: /src/bundles/test-docker-py/junit-report.xml -------
````
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Otherwise some tests are skipped with the default API version
used:
SKIPPED [1] tests/integration/api_service_test.py:882: API version is too low (< 1.38)
SKIPPED [1] tests/integration/api_swarm_test.py:59: API version is too low (< 1.39)
SKIPPED [1] tests/integration/api_swarm_test.py:38: API version is too low (< 1.39)
SKIPPED [1] tests/integration/api_swarm_test.py:45: API version is too low (< 1.39)
SKIPPED [1] tests/integration/api_swarm_test.py:52: API version is too low (< 1.39)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Windows still writes to the autogen directory, but the source code is
mounted in as read-only.
In order to do enable this without taking a massive hit in doing an rw
mount (for the source code) we mount a tmpfs into the build at the
autogen dir.
In order for this to work the directory must alreay exist, so we create
it before entering the build.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
With this change, go packages/modules that use versioned
import paths (github.com/foo/bar/v2), but don't use a directory
in the repository, can now be supported.
For example:
```
github.com/coreos/go-systemd/v22 v22.0.0
```
will vendor the github.com/coreos/go-systemd repository
into `vendor/github.com/coreos/go-systemd/v22`.
full diff: f5ab8fc5fb...v0.1.0
- LK4D4/vndr#83 migrate bitbucket to api 2.0
- fixesLK4D4/vndr#82https://api.bitbucket.org/1.0/repositories/ww/goautoneg: 410 Gone
- LK4D4/vndr#86 Replace sort.Sort with sort.Strings
- LK4D4/vndr#87 support `github.com/coreos/go-systemd/v22`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The makefile for this binary has version 6.3 hardcoded,
which causes compilation on 8.3 to fail:
```
Building: bundles/cross/windows/amd64/containerutility.exe
In file included from /usr/x86_64-w64-mingw32/include/minwindef.h:163,
from /usr/x86_64-w64-mingw32/include/windef.h:8,
from /usr/x86_64-w64-mingw32/include/windows.h:69,
from containerutility.h:3,
from argumentstream.cpp:1:
/usr/x86_64-w64-mingw32/include/winnt.h:1554:11: fatal error: x86intrin.h: No such file or directory
# include <x86intrin.h>
^~~~~~~~~~~~~
compilation terminated.
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
++++ cat bundles/test-integration/docker.pid
+++ kill 13137
+++ /etc/init.d/apparmor stop
Leaving: AppArmorNo profiles have been unloaded.
Unloading profiles will leave already running processes permanently
unconfined, which can lead to unexpected situations.
To set a process to complain mode, use the command line tool
'aa-complain'. To really tear down all profiles, run 'aa-teardown'."
script returned exit code 255
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The ImageCollectionTest.test_pull_multiple test performs a `docker pull` without
a `:tag` specified) to pull all tags of the given repository (image).
After pulling the image, the image(s) pulled are checked to verify if the list
of images contains the `:latest` tag.
However, the test assumes that all tags of the image are tags for the same
version of the image (same digest), and thus a *single* image is returned, which
is not always the case.
Currently, the `hello-world:latest` and `hello-world:linux` tags point to a
different digest, therefore the `client.images.pull()` returns multiple images:
one image for digest, making the test fail:
=================================== FAILURES ===================================
____________________ ImageCollectionTest.test_pull_multiple ____________________
tests/integration/models_images_test.py:90: in test_pull_multiple
assert len(images) == 1
E AssertionError: assert 2 == 1
E + where 2 = len([<Image: 'hello-world:linux'>, <Image: 'hello-world:latest'>])
This patch temporarily skips the broken test until it is fixed upstream.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1. Dockerfile.Windows modified to build gotestsum.exe
2. Use gotestsum.exe in invoking the execution of:
(a) Unit tests (run in containers),
(b) Integration tests (run outside containers)
(c) Integration-cli (run outside containers)
No changes made to other categories of tests (e.g.
LCOW).
3. Copy .xml files produced by gotestsum in
appropriate paths where Jenkins can ingest them
4. Modify Jenkinsfile to mark results output as
being jUnit "type" as well as to archive the
.xml test result files as artifacts.
Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The intent of this check is to not add integration tests that use the
CLI to test API functionality, so check for changes in "API" tests as
well, now that the `integration/` suite has matured enough to develop
new tests, or migrate existing ones.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The golang-ci-lint takes longest to run, so do the other
checks first; this also makes the output a bit more readable.
While at it, fix some consistency issues in the output of the
other checks.
Before this change:
TEST_FORCE_VALIDATE=1 hack/validate/default
Congratulations! All commits are properly signed with the DCO!
Congratulations! Seccomp profile generation is done correctly.
INFO [config_reader] Used config file hack/validate/golangci-lint.yml
INFO [lintersdb] Active 15 linters: [deadcode gofmt goimports golint gosec gosimple govet ineffassign misspell staticcheck structcheck typecheck unconvert unused varcheck]
...
INFO Execution took 2m12.4287302s
Congratulations! "./pkg/..." is safely isolated from internal code.
The swagger spec at "api/swagger.yaml" is valid against swagger specification 2.0
Congratulations! All api changes are done the right way.
Congratulations! All toml source files changed here have valid syntax.
Congratulations! Changelog CHANGELOG.md is well-formed.
Congratulations! Changelog CHANGELOG.md dates are in descending order.
After this change:
TEST_FORCE_VALIDATE=1 hack/validate/default
Congratulations! All commits are properly signed with the DCO!
Congratulations! Seccomp profile generation is done correctly.
Congratulations! Packages in "./pkg/..." are safely isolated from internal code.
Congratulations! The swagger spec at "api/swagger.yaml" is valid against swagger specification 2.0
Congratulations! All API changes are done the right way.
Congratulations! All TOML source files changed here have valid syntax.
Congratulations! Changelog CHANGELOG.md is well-formed.
Congratulations! Changelog CHANGELOG.md dates are in descending order.
Congratulations! No new tests were added to integration-cli.
INFO Start validation with golang-ci-lint
INFO [config_reader] Used config file hack/validate/golangci-lint.yml
INFO [lintersdb] Active 15 linters: [deadcode gofmt goimports golint gosec gosimple govet ineffassign misspell staticcheck structcheck typecheck unconvert unused varcheck]
...
INFO Execution took 2m12.4287302s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This introduces a FORCE_VALIDATE environment variable, which allows
forcing some validation steps, even if no changes were detected.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `hack/validate/deprecate-integration-cli` script exited on
success. As a result, validation steps to run afterwards would
not be executed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This eliminates the need to lay down an auto-generated file.
IIRC this was originally hadded for gccgo which we no longer support.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
full diff: 0025177e3d...90afbb01e1
includes:
- docker/libnetwork#/2459 Fix Error Check in NewNetwork
- docker/libnetwork#/2466 Revert "Merge pull request #2339 from phyber/iptables-check"
- reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
- re-opens docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
- re-opens moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
- re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As described in https://golang.org/s/generatedcode, Go has
a formalized format that should be used to indicate that a
file is generated.
Matching that format helps linters to skip generated files;
From https://golang.org/s/generatedcode (https://github.com/golang/go/issues/13560#issuecomment-288457920);
> Generated files are marked by a line of text that matches the regular expression, in Go syntax:
>
> ^// Code generated .* DO NOT EDIT\.$
>
> The `.*` means the tool can put whatever folderol it wants in there, but the comment
> must be a single line and must start with `Code generated` and end with `DO NOT EDIT.`,
> with a period.
>
> The text may appear anywhere in the file.
This patch updates the autogenerated code to match that format.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When trying to build with some pretty typical version strings this was
causing failures trying to generate the windows resource file.
The resource file is already gated by an `ifdef` for this var, so
instead of blindly setting based on "VERSION", which can contain some
characters which are incompatible (e.g. 1.2.3.rc.0 will fail due to the
".rc").
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
It was suggested that we use '.*\(COPYING\|LICENSE\|COPYRIGHT\).*'
as an argument to `find -iregex`, and this is how it all started.
Next thing, there is no COPYRIGHT in any of the vendored packages,
so it can be removed for good.
Next, we should not look too deep inside the package directory, as
the license should be in its root directory, so add `-maxdepth 1`
to `find`. This should also speed things up.
Finally, since we're not using the recursion feature of `find`,
it can be replaced with `echo | grep`.
While at it,
* avoid temporary $pkgs variable as it is only used once;
* replace `ls -d "vendor/$f" > /dev/null 2>&1` with `test -d`.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The export statement is definitely not needed. The rest is obvious.
> In hack/validate/vendor line 3:
> export SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
> ^-- SC2155: Declare and assign separately to avoid masking return values.
>
>
> In hack/validate/vendor line 43:
> if ls -d vendor/$f > /dev/null 2>&1; then
> ^-- SC2086: Double quote to prevent globbing and word splitting.
>
>
> In hack/validate/vendor line 44:
> found=$(find vendor/$f -iregex '.*LICENSE.*' -or -iregex '.*COPYRIGHT.*' -or -iregex '.*COPYING.*' | wc -l)
> ^-- SC2086: Double quote to prevent globbing and word splitting.
>
>
> In hack/validate/vendor line 45:
> if [ $found -eq 0 ]; then
> ^-- SC2086: Double quote to prevent globbing and word splitting.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In case some files were modified (rather than merely added
or removed), we're curious to see the diff for those.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Rewrite sockRequestHijack to requestHijack which use writable
Transport's Response.Body to replace deprecated hijacked httputil.ClientConn.
```
// As of Go 1.12, the Body will also implement io.Writer
// on a successful "101 Switching Protocols" response,
// as used by WebSockets and HTTP/2's "h2c" mode.
Body io.ReadCloser
```.
TestPostContainersAttach and TestExecResizeImmediatelyAfterExecStart
replace all sockRequestHijack to requestHijack.
Signed-off-by: HuanHuan Ye <logindaveye@gmail.com>
The TEST_FILTER variable allows running a single integration or integration-cli
test. However, it failed to work properly for integration-cli tests.
Before:
-----------
# Filtering "integration" tests works:
make TEST_FILTER=TestInspectCpusetInConfigPre120 test-integration
...
DONE 1 tests in 18.331s
# But running a single test in "integration-cli" did not:
make TEST_FILTER=TestSwarmNetworkCreateIssue27866 test-integration
...
DONE 0 tests in 17.314s
Trying to manually add the `/` prefix, didn't work either, because that made the
"grep" fail to find which test-suites to run/skip:
make TEST_FILTER=/TestSwarmNetworkCreateIssue27866 test-integration
---> Making bundle: test-integration (in bundles/test-integration)
make: *** [test-integration] Error 1
After:
-----------
make TEST_FILTER=TestInspectCpusetInConfigPre120 test-integration
...
DONE 1 tests in 18.331s
make TEST_FILTER=TestSwarmNetworkCreateIssue27866 test-integration
...
DONE 12 tests in 26.527s
Note that the `12` tests is still a bit misleading, because every _suite_ is
started (which is counted as a test), but no tests are run. This is still
something that could be improved on.
This patch also makes a small modification to the code that's setting
`integration_api_dirs`, and no longer runs `go list` if not needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes it clearer from the configuration what linters
are enabled.
Also disables the `gofmt` linter, because it's superseded
by the `goimports` linter.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The default exclusion rules were too permissive; disable
them, but copy the relevant ones to the configuation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before:
DONE 2 tests in 12.272s
---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
umount: bundles/test-integration/root: mountpoint not found
After:
DONE 2 tests in 14.650s
---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The docker-py tests were broken, because the version of
py-test that was used, used a dependency that had a new
major release with a breaking change.
Unfortunately, it was not pinned to a specific version,
so when the dependency did the release, py-test broke;
```
22:16:47 Traceback (most recent call last):
22:16:47 File "/usr/local/bin/pytest", line 10, in <module>
22:16:47 sys.exit(main())
22:16:47 File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 61, in main
22:16:47 config = _prepareconfig(args, plugins)
22:16:47 File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 182, in _prepareconfig
22:16:47 config = get_config()
22:16:47 File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 156, in get_config
22:16:47 pluginmanager.import_plugin(spec)
22:16:47 File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 530, in import_plugin
22:16:47 __import__(importspec)
22:16:47 File "/usr/local/lib/python3.6/site-packages/_pytest/tmpdir.py", line 25, in <module>
22:16:47 class TempPathFactory(object):
22:16:47 File "/usr/local/lib/python3.6/site-packages/_pytest/tmpdir.py", line 35, in TempPathFactory
22:16:47 lambda p: Path(os.path.abspath(six.text_type(p)))
22:16:47 TypeError: attrib() got an unexpected keyword argument 'convert'
```
docker-py master has a fix for this (bumping the version of
`py-test`), but it's not in a release yet, and the docker cli that's used
in our CI is pinned to 17.06, which doesn't support building from a remote
git repository from a specific git commit.
To fix the immediate situation, this patch switches the docker-py
tests to run from the master branch.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1.Change base.Dial to base.DailContext.
2.Remove proxyDialer that was previously used to configure a
net.Dialer to route proxy.Dialer which will route the connections
through the proxy using the connections through a SOCKS proxy.
SOCKS proxies are now supported by configuring only http.Transport.Proxy,
and no longer require changing http.Transport.Dial.
Signed-off-by: HuanHuan Ye <logindaveye@gmail.com>
```
distribution/registry.go:84:3: SA1019: base.Dial is deprecated: Use DialContext instead, which allows the transport to cancel dials as soon as they are no longer needed. If both are set, DialContext takes priority. (staticcheck)
registry/registry.go:188:3: SA1019: base.Dial is deprecated: Use DialContext instead, which allows the transport to cancel dials as soon as they are no longer needed. If both are set, DialContext takes priority. (staticcheck)
client/hijack.go:85:16: SA1019: httputil.NewClientConn is deprecated: Use the Client or Transport in package net/http instead. (staticcheck)
integration-cli/docker_api_attach_test.go:245:12: SA1019: httputil.NewClientConn is deprecated: Use the Client or Transport in package net/http instead. (staticcheck)
integration/plugin/authz/authz_plugin_test.go:180:7: SA1019: httputil.NewClientConn is deprecated: Use the Client or Transport in package net/http instead. (staticcheck)
integration/plugin/authz/authz_plugin_test.go:479:12: SA1019: httputil.NewClientConn is deprecated: Use the Client or Transport in package net/http instead. (staticcheck)
integration-cli/docker_api_attach_test.go:239:134: SA1019: httputil.ClientConn is deprecated: Use Client or Transport in package net/http instead. (staticcheck)
daemon/daemon.go:885:3: SA1019: grpc.WithDialer is deprecated: use WithContextDialer instead. Will be supported throughout 1.x. (staticcheck)
pkg/authorization/response.go:18:2: SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead. (staticcheck)
pkg/authorization/response.go:160:30: SA1019: http.CloseNotifier is deprecated: the CloseNotifier interface predates Go's context package. New code should use Request.Context instead. (staticcheck)
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
pkg/archive/archive.go:407:3: SA1019: hdr.Xattrs is deprecated: Use PAXRecords instead. (staticcheck)
pkg/archive/archive.go:408:3: SA1019: hdr.Xattrs is deprecated: Use PAXRecords instead. (staticcheck)
pkg/archive/archive.go:661:26: SA1019: hdr.Xattrs is deprecated: Use PAXRecords instead. (staticcheck)
pkg/archive/archive_linux.go:47:7: SA1019: hdr.Xattrs is deprecated: Use PAXRecords instead. (staticcheck)
pkg/archive/archive_linux.go:48:12: SA1019: hdr.Xattrs is deprecated: Use PAXRecords instead. (staticcheck)
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `-test.timeout=5m` was glued directly after the current `TESTFLAGS`,
causing them to be non-functional;
Before:
make TESTDEBUG=1 TESTDIRS='github.com/docker/docker/pkg/filenotify' TESTFLAGS='-test.run TestPollerEvent' test-unit
+ mkdir -p bundles
+ gotestsum --format=standard-quiet --jsonfile=bundles/go-test-report.json --junitfile=bundles/junit-report.xml -- -tags 'netgo seccomp libdm_no_deferred_remove' -cover -coverprofile=bundles/profile.out -covermode=atomic -test.run TestPollerEvent-test.timeout=5m github.com/docker/docker/pkg/filenotify
testing: warning: no tests to run
ok github.com/docker/docker/pkg/filenotify 0.003s coverage: 0.0% of statements [no tests to run]
DONE 0 tests in 0.298s
After:
make TESTDEBUG=1 TESTDIRS='github.com/docker/docker/pkg/filenotify' TESTFLAGS='-test.run TestPollerEvent' test-unit
+ mkdir -p bundles
+ gotestsum --format=standard-quiet --jsonfile=bundles/go-test-report.json --junitfile=bundles/junit-report.xml -- -tags 'netgo seccomp libdm_no_deferred_remove' -cover -coverprofile=bundles/profile.out -covermode=atomic -test.run TestPollerEvent -test.timeout=5m github.com/docker/docker/pkg/filenotify
ok github.com/docker/docker/pkg/filenotify 0.608s coverage: 44.7% of statements
DONE 1 tests in 0.922s
This was introduced in 42f0a0db75
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Generate more unique names, based on architecture and test-suite name.
Clean up the path to this integration test to create a useful package name.
"$dir" can be either absolute (/go/src/github.com/docker/docker/integration/foo)
or relative (./integration/foo). To account for both, first we strip the
absolute path, then any leading periods and slashes.
For the package-name, we use periods as separator instead of slashes, to be more
in-line with Java package names (which is what junit.xml was originally designed
for).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Without these options set, test2json does not include a `Time`
field in the generated JSON;
{"Action":"run","Test":"TestCgroupNamespacesBuild"}
{"Action":"output","Test":"TestCgroupNamespacesBuild","Output":"=== RUN TestCgroupNamespacesBuild\n"}
{"Action":"output","Test":"TestCgroupNamespacesBuild","Output":"--- PASS: TestCgroupNamespacesBuild (1.70s)\n"}
...
{"Action":"pass","Test":"TestCgroupNamespacesBuild"}
As a result, `gotestsum` was not able to calculate test-duration, and
reported `time="0.000000"` for all tests;
<testcase classname="amd64.integration.build" name="TestCgroupNamespacesBuild" time="0.000000"></testcase>
With this patch applied:
{"Time":"2019-08-23T22:42:41.644361357Z","Action":"run","Package":"amd64.integration.build","Test":"TestCgroupNamespacesBuild"}
{"Time":"2019-08-23T22:42:41.644367647Z","Action":"output","Package":"amd64.integration.build","Test":"TestCgroupNamespacesBuild","Output":"=== RUN TestCgroupNamespacesBuild\n"}
{"Time":"2019-08-23T22:42:44.926933252Z","Action":"output","Package":"amd64.integration.build","Test":"TestCgroupNamespacesBuild","Output":"--- PASS: TestCgroupNamespacesBuild (3.28s)\n"}
...
{"Time":"2019-08-23T22:42:44.927003836Z","Action":"pass","Package":"amd64.integration.build","Test":"TestCgroupNamespacesBuild","Elapsed":3.28}
Which now correctly reports the test's duration:
<testcase classname="amd64.integration.build" name="TestCgroupNamespacesBuild" time="3.280000"></testcase>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
'Namespace' parallel runs by bind-mounting a different directory
in the container, instead of making the tests running inside
the container aware of the namespaced location.
This makes it transparent to the tests, and slightly reduces
complexity.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the files used by the docker cli were moved to the docker/cli repository,
so are no longer needed here.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This `ENV` was added to the Dockerfile in b96093fa56,
when the repository used per-architecture Dockerfiles, and some architectures needed
a different configuration.
Now that we use a multi-arch Dockerfile, and CI uses a Jenkinsfile, we can remove
this `ENV` from the Dockerfile, and set it in CI instead if needed.
Also updated the wording and fixed linting issues in hack/validate/gometalinter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Unlike Linux which uses a temp dir as GOPATH, Windows
uses c:\go. Among other things, this blocks go get.
Moving GOPATH to c:\gopath and updating references in
comments and documentation.
Currently the change is being scoped narrowly. In the
future GOPATH value could be passed as a parameter to
the ps1 scripts.
Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
The Windows Dockerfile downloads the Go binaries, which (unlike
the Golang images) do not have a trailing `.0` in their version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- remove -check.* flags
- use (per-test) -timeout flag
- allow user to override TEST_SKIP_* regardless of TESTFLAGS
- remove test-imports validation
Signed-off-by: Tibor Vass <tibor@docker.com>
Trying to see if this helps with the cleanup step exiting in CI, but
Jenkins continuing to wait for the script to end afterwards.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CI already stores the logs of the test daemon, so we might as well
store them as artifacts
```
[2019-09-03T12:49:39.835Z] INFO: Tidying up at end of run
[2019-09-03T12:49:39.835Z] INFO: Saving daemon under test log (d:\CI-2\CI-3593e7622\dut.out) to C:\windows\TEMP\CIDUT.out
[2019-09-03T12:49:39.835Z] INFO: Saving daemon under test log (d:\CI-2\CI-3593e7622\dut.err) to C:\windows\TEMP\CIDUT.err
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Seen failing a couple of times:
```
[2019-09-02T08:40:15.796Z] =================================== FAILURES ===================================
[2019-09-02T08:40:15.796Z] __________________ AttachContainerTest.test_attach_no_stream ___________________
[2019-09-02T08:40:15.796Z] tests/integration/api_container_test.py:1250: in test_attach_no_stream
[2019-09-02T08:40:15.796Z] assert output == 'hello\n'.encode(encoding='ascii')
[2019-09-02T08:40:15.796Z] E AssertionError: assert b'' == b'hello\n'
[2019-09-02T08:40:15.796Z] E Right contains more items, first extra item: 104
[2019-09-02T08:40:15.796Z] E Use -v to get the full diff
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.
bump up rootlesskit: 2fcff6ceae...791ac8cb20
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- Add quotes to prevent word splitting in `cp` statement (SC2046)
- Replace legacy back tics with `$()`
- Replace `which` with `command -v` (SC2230)
- Fix incorrect (`==`) comparison
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Windows RS1 has problems with leaking NdisAdapters during the integration
tests; the windows.ps1 script has a cleanup stesp to remove those
leaked adapters.
For internal testing at Microsoft on internal builds, this cleanup step
was skipped, and only ran on the CI machines in our Jenkins.
Due to the move to our new Jenkins, the names of Windows machines changed,
and because of that, the cleanup step was never executed, resulting in the
leaked adapters not being cleaned up:
```
20:32:23 WARNING: There are 608 NdisAdapters leaked under Psched\Parameters
20:32:23 WARNING: Not cleaning as not a production RS1 server
20:32:24 WARNING: There are 608 NdisAdapters leaked under WFPLWFS\Parameters
20:32:24 WARNING: Not cleaning as not a production RS1 server
```
```
22:01:31 WARNING: There are 1209 NdisAdapters leaked under Psched\Parameters
22:01:31 WARNING: Not cleaning as not a production RS1 server
22:01:31 WARNING: There are 1209 NdisAdapters leaked under WFPLWFS\Parameters
22:01:31 WARNING: Not cleaning as not a production RS1 server
```
This patch removes the check for non-production builds, and unconditionally
cleans up leaked adapters if they are found.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some integration tests are known to fail if Windows Defender is
enabled. On the machines that run our CI, defender is disabled
for that reason.
Contributors likely will have defender enabled, and because of
that are currently not able to run the integration tests.
This patch changes the ERROR into a WARNING, so that contributors
can still run (a limited set of) the integration tests, but get
informed that some may fail.
We should make this requirement more specific, and only skip
tests that are known to require defender to be disabled, but
while that's not yet in place, let's print a warning instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This symlink was added in d42753485b,
to allow finding the path to the latest built binary, because at the time,
those paths were prefixed with the version or commit (e.g. `bundles/1.5.0-dev`).
Commit bac2447964 removed the version-prefix in
paths, but kept the old symlink for backward compatiblity. However, many
things were moved since then (e.g. paths were renamed to `binary-daemon`,
and various other changes). With the symlink pointing to the symlink's parent
directory, following the symlink may result into an infinite recursion,
which can happen if scripts using wildcards / globbing to find files.
With this symlink no longer serving a real purpose, we can probably safely
remove this symlink now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- SC2006: use $(...) notation instead of legacy backticked `...`
- SC2086: double quote to prevent globbing and word splitting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
and remove `PullImageTest::test_build_invalid_platform` from the list,
which was a copy/paste error in f8cde0b32d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function changed to the correct working directory before starting the tests
(which is the same as on Linux), however the `ProcessStartInfo` process does
not inherit this working directory, which caused Windows tests to be running
with a different working directory as Linux (causing files used in tests to not
be found).
From the documentation; https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.processstartinfo.workingdirectory?view=netframework-4.8
> When `UseShellExecute` is `true`, the fully qualified name of the directory that contains
> the process to be started. When the `UseShellExecute` property is `false`, the working
> directory for the process to be started. The default is an empty string (`""`).
This patch sets the `ProcessStartInfo.WorkingDirectory` to the correct working
directory before starting the process.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "new test" detector in test-integration-flaky was a bit flaky since
it would detect function signatures that are not new tests.
In addition, the test calls `return` outside of a function which is not
allowed.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
btrfs_noversion was added in d7c37b5a28
for distributions that did not have the `btrfs/version.h` header file.
Seeing how all of the distributions we currently support do have the
`btrfs/version.h` file we should probably just remove this build flag
altogether.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Attempting to fix;
```
21:16:00 Traceback (most recent call last):
21:16:00 File "/usr/local/bin/yamllint", line 11, in <module>
21:16:00 sys.exit(run())
21:16:00 File "/usr/local/lib/python3.5/dist-packages/yamllint/cli.py", line 170, in run
21:16:00 problems = linter.run(f, conf, filepath)
21:16:00 File "/usr/local/lib/python3.5/dist-packages/yamllint/linter.py", line 233, in run
21:16:00 content = input.read()
21:16:00 File "/usr/lib/python3.5/encodings/ascii.py", line 26, in decode
21:16:00 return codecs.ascii_decode(input, self.errors)[0]
21:16:00 UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 123522: ordinal not in range(128)
21:16:00 Build step 'Execute shell' marked build as failure
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is basically taking some stuff that make a custom shell function
for.
This takes a test filter, builds the appropriate TESTFLAGS, and sets the
integration API test dirs that match the given filter to avoid building
all test dirs.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
1. Use `go list` to get list of integration dirs to build. This means we
do not need to have a valid `.go` in every subdirectory and also
filters out other dirs like "bundles" which may have been created.
2. Add option to specify custom flags for integration and
integration-cli. This is needed so both suites can be run AND set
custom flags... since the cli suite does not support standard go
flags.
3. Add options to skip an entire integration suite.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The inContainer check isn't really useful anymore.
Even though it was said that we shouldn't rely on its existence back in
2016, we're now in 2019 and this thing still exists so we should just
rely on it now to check whether or not we're in a container.
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
This check was used to make sure we don't bump Go versions independently
(Linux/Windows). The Dockerfile switched to using a build-arg to allow
overriding the Go version, which rendered this check non-functional.
It also fails if Linux versions use a specific variant of the image;
08:41:31 ERROR: Failed 'ERROR: Mismatched GO versions between Dockerfile and Dockerfile.windows. Update your PR to ensure that both files are updated and in sync. ${GO_VERSION}-stretch ${GO_VERSION}' at 07/20/2019 08:41:31
08:41:31 At C:\gopath\src\github.com\docker\docker\hack\ci\windows.ps1:448 char:9
08:41:31 + Throw "ERROR: Mismatched GO versions between Dockerfile and D ...
08:41:31 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This patch fixes the check by looking for the value of `GO_VERSION` instead
of looking at the `FROM` line (which is harder to parse).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows overriding the version of Go without making modifications in the
source code, which can be useful to test against multiple versions.
For example:
make GO_VERSION=1.13beta1 shell
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since commit applied in moby [61a3285 Support cross-compile for arm]
it hardcoded var-CC to support cross-compile for arm
Correct it with "${parameter:-word}" format, it is helpful for user
define toolchains
(Use Default Values. If parameter is unset or null, the expansion of
word is substituted. Otherwise, the value of parameter is substituted.)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
When building this image docker-in-docker, the DNS in the environment
may not be usable for the build-container, causing resolution to fail:
```
02:35:31 W: Failed to fetch http://deb.debian.org/debian/dists/jessie/Release.gpg Temporary failure resolving 'deb.debian.org'
```
This patch detects if we're building from within a container, and if
so, skips creating a networking namespace for the build by using
`--network=host`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This removes all the installation steps for docker-py from the
Dockerfile, and instead builds the upstream Dockerfile, and runs
docker-py tests in a container.
To test;
```
make test-docker-py
...
Removing bundles/
---> Making bundle: dynbinary (in bundles/dynbinary)
Building: bundles/dynbinary-daemon/dockerd-dev
Created binary: bundles/dynbinary-daemon/dockerd-dev
---> Making bundle: test-docker-py (in bundles/test-docker-py)
---> Making bundle: .integration-daemon-start (in bundles/test-docker-py)
Using test binary docker
Starting dockerd
INFO: Waiting for daemon to start...
.
INFO: Building docker-sdk-python3:3.7.0...
sha256:686428ae28479e9b5c8fdad1cadc9b7a39b462e66bd13a7e35bd79c6a152a402
INFO: Starting docker-py tests...
============================= test session starts ==============================
platform linux -- Python 3.6.8, pytest-4.1.0, py-1.8.0, pluggy-0.9.0
rootdir: /src, inifile: pytest.ini
plugins: timeout-1.3.3, cov-2.6.1
collected 359 items
tests/integration/api_build_test.py .......s....
....
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Codecov has shown to be flaky, and calculate the wrong diff, in
addition, it doesn't show coverage for integration tests, which
makes the coverage report not useful.
Removing it for now, while we look at alternatives.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diffs:
- fc5a7d91d5...62a13ae87c
- b2de5d10e3...v1.0.0
- 604eaf189e...13995c7128ccc8e51e9a6bd2b551020a27180abd
notable changes in libnetwork:
- docker/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- docker/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
- addresses docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
- addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
- addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- docker/libnetwork#2394 Make DNS records and queries case-insensitive
- addresses moby/moby#28689 Embedded DNS is case-sensitive
- addresses moby/moby#21169 hostnames with new networking are case-sensitive
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
From the release notes: https://github.com/containerd/containerd/releases/tag/v1.2.7
> Welcome to the v1.2.7 release of containerd!
>
> The seventh patch release for containerd 1.2 introduces OCI image
> descriptor annotation support and contains fixes for containerd shim logs,
> container stop/deletion, cri plugin and selinux.
>
> It also contains several important bug fixes for goroutine and file
> descriptor leakage in containerd and containerd shims.
>
> Notable Updates
>
> - Support annotations in the OCI image descriptor, and filtering image by annotations. containerd/containerd#3254
> - Support context timeout in ttrpc which can help avoid containerd hangs when a shim is unresponsive. containerd/ttrpc#31
> - Fix a bug that containerd shim leaks goroutine and file descriptor after containerd restarts. containerd/ttrpc#37
> - Fix a bug that a container can't be deleted if first deletion attempt is canceled or timeout. containerd/containerd#3264
> - Fix a bug that containerd leaks file descriptor when using v2 containerd shims, e.g. containerd-shim-runc-v1. containerd/containerd#3273
> - Fix a bug that a container with lingering processes can't terminate when it shares pid namespace with another container. moby/moby#38978
> - Fix a bug that containerd can't read shim logs after restart. containerd/containerd#3282
> - Fix a bug that shim_debug option is not honored for existing containerd shims after containerd restarts. containerd/containerd#3283
> - cri: Fix a bug that a container can't be stopped when the exit event is not successfully published by the containerd shim. containerd/containerd#3125, containerd/containerd#3177
> - cri: Fix a bug that exec process is not cleaned up if grpc context is canceled or timeout. contaienrd/cri#1159
> - Fix a selinux keyring labeling issue by updating runc to v1.0.0-rc.8 and selinux library to v1.2.2. opencontainers/selinux#50
> - Update ttrpc to f82148331ad2181edea8f3f649a1f7add6c3f9c2. containerd/containerd#3316
> - Update cri to 49ca74043390bc2eeea7a45a46005fbec58a3f88. containerd/containerd#3330
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
integration-on-swarm had unnecessary complexity and was too hard to
maintain. Also, it didn't support the new non-CLI integration test suite.
I'm now doing some experiments out of the repo using Kubernetes:
https://github.com/AkihiroSuda/kube-moby-integration
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: 9ff9b57c34...5ac07abef4
brings in:
- docker/libnetwork#2376 Forcing a nil IP specified in PortBindings to IPv4zero (0.0.0.0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
lxc-user-nic can eliminate slirp overhead but needs /etc/lxc/lxc-usernet to be configured for the current user.
To use lxc-user-nic, $DOCKERD_ROOTLESS_ROOTLESSKIT_NET=lxc-user-nic also needs to be set.
This commit also bumps up RootlessKit from v0.3.0 to v0.4.0:
70e0502f32...e92d5e772e
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
full diff: 48f846327b...9ff9b57c34
- docker/libnetwork#2368 (windows) Pick a random host port if the user does not specify a host port
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Checks for environment variable VERSION if it exists then it sets dockerVersion to VERSION
Signed-off-by: corbin-coleman <corbin.coleman@docker.com>
Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
Pretty much cross-compile doesn't work because of this:
> profiles/seccomp/seccomp.go:13:2: build constraints exclude all Go files in /go/src/github.com/docker/docker/vendor/github.com/seccomp/libseccomp-golang
This changes adds a new Dockerfile target for cross compilation with the
neccesary arch specific libseccomp packages and CC toolchains.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests have bad output and its hard to figure out what went wrong
when one of them fails. Move them to the end to atleast get the real
test output first and better debug things.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Now `docker run -p` ports can be exposed to the host namespace automatically when `dockerd-rootless.sh` is launched with
`--userland-proxy --userland-proxy-path $(which rootlesskit-docker-proxy)`.
This is akin to how Docker for Mac/Win works with `--userland-proxy-path=/path/to/vpnkit-expose-port`.
The port number on the host namespace needs to be set to >= 1024.
SCTP ports are currently unsupported.
RootlessKit changes: 7bbbc48a6f...ed26714429
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Notable Updates
- Fix an issue that non-existent parent directory in image layers is created with permission 0700. containerd#3017
- Fix an issue that snapshots of the base image can be deleted by mistake, when images built on top of it are deleted. containerd#3087
- Support for GC references to content from snapshot and container objects. containerd#3080
- cgroups updated to dbea6f2bd41658b84b00417ceefa416b97 to fix issues for systemd 420 and non-existent cgroups. containerd#3079
- runc updated to 2b18fe1d885ee5083ef9f0838fee39b62d653e30 to include the improved fix for CVE-2019-5736. containerd#3082
- cri: Fix a bug that pod can't get started when the same volume is defined differently in the image and the pod spec. cri#1059
- cri: Fix a bug that causes container start failure after in-place upgrade containerd to 1.2.4+ or 1.1.6+. cri#1082
- cri updated to a92c40017473cbe0239ce180125f12669757e44f. containerd#3084
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It has been declared deprecated by the author, and has a knack for
false-positives (as well as giving bad advice when it comes to APIs --
which is quite clear when looking at "nolint: interfacer" comments).
Signed-off-by: Aleksa Sarai <asarai@suse.de>
Here's what happens:
1. One runs `make binary` once
2. Days go by...
3. One makes changes to dockerd sources
4. One runs `make test-integration` to test the changes
5. One spends a long time figuring out why on Earth
those changes in step 3 are ignored by step 4.
6. One writes this patch
7. ...
8. PROFIT!!
OK, so `make test-integration` builds a dockerd binary
in bundles/dynbinary-daemon/, when starts a daemon instance
for testing. The problem is, the script that starts the
daemon sets PATH to try `bundles/binary-daemon/` first,
and `bundles/dynbinary-daemon/` second.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
- Fixes a vulnerability in runc that allows a container escape (CVE-2019-5736)
6635b4f0c6,
- Includes security fix for `runc run --no-pivot` (`DOCKER_RAMDISK=1`):
28a697cce3
(NOTE: the vuln is attackable only when `DOCKER_RAMDISK=1` is set && seccomp is disabled)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CIs are assumed to do a git fetch and git merge before running tests.
Therefore, no need for a git fetch inside our validate scripts in CI.
If VALIDATE_ORIGIN_BRANCH is set, then git fetch is skipped and
VALIDATE_ORIGIN_BRANCH is used in validate scripts.
Otherwise, behavior is unchanged.
Signed-off-by: Tibor Vass <tibor@docker.com>
Please refer to `docs/rootless.md`.
TLDR:
* Make sure `/etc/subuid` and `/etc/subgid` contain the entry for you
* `dockerd-rootless.sh --experimental`
* `docker -H unix://$XDG_RUNTIME_DIR/docker.sock run ...`
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>