This PR adds support for running regular containers to be connected to
swarm mode multi-host network so that:
- containers connected to the same network across the cluster can
discover and connect to each other.
- Get access to services(and their associated loadbalancers)
connected to the same network
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
As is raised in 26312, in `docker network ls`, the help output was
mistaken to `volume names`:
```
-q, --quiet Only display volume names
```
This fix changes the help output to:
```
-q, --quiet Only display network IDs
```
This fix also updates the documentation in:
`docs/reference/commandline/network_ls.md`
This fix fixes 26312.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue in 26173 where `docker import -c`
with quoted flags returns an error.
The issue was that in `api/client/image/import.go` the flag
`--change/-c` was handled by `StringSliceVarP` which does not handle
the quote well.
The similiar issue was enountered for 23309 (`docker commit`).
This fix takes the same approach as 23309 where `StringSliceVarP`
was replaced with `VarP` and `opts.ListOpts`.
An integration test has been added to cover the changes.
This fix fixes 26173.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Before:
$ docker update --cpu-period
Status: flag needs an argument: --cpu-period
See 'docker update --help'., Code: 125
After:
$ docker update --cpu-period
flag needs an argument: --cpu-period
See 'docker update --help'.
Also remove flagErrorFunc function which isn't needed anymore.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This fix tries to add the registry mirrors information in the output
of `docker info`.
In our active deployment, we use registry mirrors to help speeding
up the `docker pull`. In the current output of `docker info`,
registry mirrors is not present though it is available in `/info` API.
I think it makes sense to add the registry mirrors to `docker info`,
similiar to insecure registries.
This fix adds the registry mirrors to the output of `docker info`:
```
Registry Mirrors:
https://192.168.1.2/http://registry.mirror.com:5000/
```
An integration test has been added to cover the changes.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 25304 to support
`--group-add` and `--group-rm` in `docker service create`.
This fix adds `--group-add` to `docker service create` and `docker service update`,
adds `--group-rm` to `docker service update`.
This fix updates docs for `docker service create` and `docker service update`:
1. Add `--group-add` to `docker service create` and `docker service update`
2. Add `--group-rm` to `docker service update`
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
There are cases such as migrating from classic overlay network to the
swarm-mode networking (without kv-store), such a mechanism to allow
disconnecting a container even when a network isnt available will be
useful.
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Also consolidate the leftover packages under cli.
Remove pkg/mflag.
Make manpage generation work with new cobra layout.
Remove remaining mflag and fix tests after rebase with master.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Cleanup cobra integration
Update windows files for cobra and pflags
Cleanup SetupRootcmd, and remove unnecessary SetFlagErrorFunc.
Use cobra command traversal
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Currently start command will invoke getExitCode - which is based on
Inspect API - to get returned exit code after container exits.
There's two race conditions here:
if container is started with Restart Policy, there's chance that the
container is restarted quickly before it calls getExitCode, under such
circumstance, the exit code is wrong.
if container is started with --rm, it's possible that container is
removed before getExitCode, in this situation, you can't get correct
exit code either.
Replace getExitCode with waitExitOrRemoved can solve this problem.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This flag has been deprecated in version below 1.10 so it's safe to
remove now, according to our deprecation policy.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue in raised #23367 where an out-of-band
volume driver deletion leaves some data in docker. This prevent the
reuse of deleted volume names (by out-of-band volume driver like flocker).
This fix adds a `--force` field in `docker volume rm` to forcefully purge
the data of the volume that has already been deleted.
Related documentations have been updated.
This fix is tested manually with flocker, as is specified in #23367.
An integration test has also been added for the scenario described.
This fix fixes#23367.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
"--restart" and "--rm" are conflict options, if a container is started
with AutoRemove flag, we should forbid the update action for its Restart
Policy.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to address the issue raised in 25661 where verbose
"Sending build context" messages were not suppressed in non tty (e.g. log file)
sencarios.
This fix suppress the "Sending build context" message (other than the last one)
if the output is not a tty. The last update of the "Sending build context"
message is still sent to the output.
This fix has been tested manually:
```
docker build -t tmp . > build.log
```
The output is (only one "Sending build context"):
```
Sending build context to Docker daemon 249.4 MB
Step 1 : FROM busybox
---> 2b8fd9751c4c
Step 2 : RUN echo 'test'
---> Using cache
---> 7db298b6c493
Successfully built 7db298b6c493
```
This fix fixes 25661.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
These flags were not supported (daemon returns an error), and it was an
oversight. They were not present in completion scripts.
Signed-off-by: Tibor Vass <tibor@docker.com>
This patch implements an Ellipsis utility to
append an ellipsis (...) when truncating
strings in output.
It also fixes the existing Truncate() utility
to be compatible with unicode/multibyte characters.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address the issue raised in 25375 where
`service update --publish-add` returns an error if the exact
same value is repeated (idempotent).
This fix use a map to filter out repeated port configs so
that `--publish-add` does not error out.
An integration test has been added.
This fix fixes 25375.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
New codes introduced a new method to wait container's exit code and
removal via Events API, but it specified a "since" filter based on
client side clock, which sometimes isn't synced up with daemon's clock,
hence leads the client to hang on waiting container's exit status.
This commit brings the Events call before start, and removes the time
filter, so that it can catch daemon events correctly without care of the
clock issue.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix tries to address the issue raised in 25529 wehre the
image/load API returns `application/json` for quiet=0 and
`text/plain` for quite=1.
This fix makes the change so that `application/json` is returned
for both quiet=0 and quite=1.
This fix has been tested manually.
This fix fixes 25529.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue in 25404 where updating environmental
variable in `service update --env-add` will not work.
The issue is because `--env-add` will only append the env, not update if
the same env already exist.
This fix tracks the env variable with a map and update if the variable
is the same.
An integration test has been added.
This fix fixes 25404.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
If AutoRemove is set, wait until client get `destroy` events, or get
`detach` events that implies container is detached but not stopped.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
`--rm` is a client side flag which caused lots of problems:
1. if client lost connection to daemon, including client crash or be
killed, there's no way to clean garbage container.
2. if docker stop a `--rm` container, this container won't be
autoremoved.
3. if docker daemon restart, container is also left over.
4. bug: `docker run --rm busybox fakecmd` will exit without cleanup.
In a word, client side `--rm` flag isn't sufficient for garbage
collection. Move the `--rm` flag to daemon will be more reasonable.
What this commit do is:
1. implement a `--rm` on daemon side, adding one flag `AutoRemove` into
HostConfig.
2. Allow `run --rm -d`, no conflicting `--rm` and `-d` any more,
auto-remove can work on detach mode.
3. `docker restart` a `--rm` container will succeed, the container won't
be autoremoved.
This commit will help a lot for daemon to do garbage collection for
temporary containers.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
As of now promoting (or demoting) a node that has its role
left unchanged will always print a successful message.
This PR fixes the issue by matching the behavior on swarmkit's
swarmctl command and printing a message when desired role is
the current role of the node.
As a result this also avoids calling update when it is not
necessary.
Signed-off-by: Alexandre Beslic <alexandre.beslic@gmail.com>
- Create container.go and image.go for specific context code
- Keep common code in formatter.go and custom.go
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Printing off networks as part of --pretty was missing a newline, causing
the next thing printed to be concatenated onto the end of the line.
Added an empty println after all networks are printed.
Signed-off-by: Drew Erny <drew.erny@docker.com>
this change improves the instructions for
swarm join-token and swarm init;
- only print the join-token command for workers
instead of for both managers and workers, to
prevent users from copying the wrong command.
An extra line is added to explain how to obtain
the manager token.
- print a message that a token was rotated
sucesfully if '--rotate' is used.
- add some extra white-space before / after
the join commands, to make copy/pasting
easier.
this change also does some refactoring of join-token;
- move flagname-constants together with other constants
- use variables for selected role ("worker" / "manager")
to prevent checking for them multiple times, and to
keep the "worker" / "manager" sting centralized
- add an extra blank line after "join-token" instructions
this makes it easier to copy, and cleans up the
code a tiny bit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In `docker service create/update`, flag `--user` actually supports
`uid:gid` (same as `docker run`). However, this is not reflected
in the help and documentation yet.
This fix updates docs in `docker service create/update` to change
the description to `Username or UID (format: <name|uid>[:<group|gid>])`.
The help message output has also been updated.
This fix is related to 25304.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This is a minor fix that tries to replace `"workdir"` with const in `service create`.
Since `"workdir"` is the only string not defined as const in `func addServiceFlags()`,
I think it makes sense to replace `"workdir"` with a const to be consistent.
The flag `"workdir"` in `service update` has also been replaced.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix tries to address the issue raised in 25195 where external
CA configurations are not present in `docker info`.
This fix adds the output of external CAs in `docker info` in swarm
mode.
The test is done manually with:
```
docker run -p 8888:8888 -e CXFSSL_ADDRESS=0.0.0.0 -d fabric8/cfssl
docker swarm init --external-ca protocol=cfssl,url=http://172.17.0.2:8888
```
The `docker info` output:
```
Managers: 1
Nodes: 1
Orchestration:
Task History Retention Limit: 5
Raft:
Snapshot interval: 10000
Heartbeat tick: 1
Election tick: 3
Dispatcher:
Heartbeat period: 5 seconds
CA configuration:
Expiry duration: 3 months
External CAs:
cfssl: https://172.17.0.2:8888
```
This fix fixes 25195.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Currently, the counter only shows tasks on READY nodes. It's more
correct to also count nodes in the other states except DOWN, because
the tasks assocated with those nodes are still assumed to be running for
orchestration purposes. One example of when this could matter is during
a leader failover when agents are in the process of reconnecting.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Rather than conflict with the unexposed task model, change the names of
the object-oriented task display to `docker <object> ps`. The command
works identically to `docker service tasks`. This change is superficial.
This provides a more sensical docker experience while not trampling on
the task model that may be introduced as a top-level command at a later
date.
The following is an example of the display using `docker service ps`
with a service named `condescending_cori`:
```
$ docker service ps condescending_cori
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 13 minutes ago Running 6c6d232a5d0e
```
The following shows the output for the node on which the command is
running:
```console
$ docker node ps self
ID NAME SERVICE IMAGE LAST STATE DESIRED STATE NODE
b1tpbi43k1ibevg2e94bmqo0s mad_kalam.1 mad_kalam apline Accepted 2 seconds ago Accepted 6c6d232a5d0e
e2cd9vqb62qjk38lw65uoffd2 condescending_cori.1 condescending_cori alpine Running 12 minutes ago Running 6c6d232a5d0e
4x609m5o0qyn0kgpzvf0ad8x5 furious_davinci.1 furious_davinci redis Running 32 minutes ago Running 6c6d232a5d0e
```
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This fix tries to address the issue raised in 24881 where
the stack name is not visable when inspecting containers
deployed through stacks.
This fix adds `labelNamespace` (`com.docker.stack.namespace`)
to containers at the client side so that the stack name label
will show up after containers are deployed.
This fix is tested manually:
- Build the binary with `make DOCKER_EXPERIMENTAL=1`
- Create a bundle file and deploy with the `docker stack deploy`
- Verify that `com.docker.stack.namespace` has been
set properly by checking contaners with `docker inspect <ContainerID>`
This fix fixes 24881.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
When updating values in the spec according to CLI flags, don't write
into the existing pointers. They may be nil. Instead, update them to
point to the new value we're writing.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Remove the swarm inspect command and use docker info instead to display
swarm information if the current node is a manager.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Swarm mode makes it possible through the API to set labels to containers
but not through command line. This tries to fix it.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This changes the default behavior so that rolling updates will not
proceed once an updated task fails to start, or stops running during the
update. Users can use docker service inspect --pretty servicename to see
the update status, and if it pauses due to a failure, it will explain
that the update is paused, and show the task ID that caused it to pause.
It also shows the time since the update started.
A new --update-on-failure=(pause|continue) flag selects the
behavior. Pause means the update stops once a task fails, continue means
the old behavior of continuing the update anyway.
In the future this will be extended with additional behaviors like
automatic rollback, and flags controlling parameters like how many tasks
need to fail for the update to stop proceeding. This is a minimal
solution for 1.12.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There's existing code to generate these
kind of errors, so make the errors added
in commit cc493a52a4
less DRY.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit cc493a52a4 added
a constraint to network connect/disconnect operations
on "Swarm scoped" networks.
This adds those errors to the API documentation. Also
changes the error to lowercase for consistency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Swarm handles service updates quite differently and also it doesnt
support worker driver network operations. Hence prevent containers from
connecting to swarm scoped networks
Signed-off-by: Madhu Venugopal <madhu@docker.com>
Hostnames are not supported for now because libnetwork can't use them
for overlay networking yet.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
There are currently problems with "swarm init" and "swarm join" when an
explicit --listen-addr flag is not provided. swarmkit defaults to
finding the IP address associated with the default route, and in cloud
setups this is often the wrong choice.
Introduce a notion of "advertised address", with the client flag
--advertise-addr, and the daemon flag --swarm-default-advertise-addr to
provide a default. The default listening address is now 0.0.0.0, but a
valid advertised address must be detected or specified.
If no explicit advertised address is specified, error out if there is
more than one usable candidate IP address on the system. This requires a
user to explicitly choose instead of letting swarmkit make the wrong
choice. For the purposes of this autodetection, we ignore certain
interfaces that are unlikely to be relevant (currently docker*).
The user is also required to choose a listen address on swarm init if
they specify an explicit advertise address that is a hostname or an IP
address that's not local to the system. This is a requirement for
overlay networking.
Also support specifying interface names to --listen-addr,
--advertise-addr, and the daemon flag --swarm-default-advertise-addr.
This will fail if the interface has multiple IP addresses (unless it has
a single IPv4 address and a single IPv6 address - then we resolve the
tie in favor of IPv4).
This change also exposes the node's externally-reachable address in
docker info, as requested by #24017.
Make corresponding API and CLI docs changes.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
When updates happen, the current behavior is to kill all running
instances and dispatch new tasks. Common use cases for container updates
involve small numbers of containers, meaning the app will go down on
most updates. Setting parallelism to 1 ensures that at most one task
will go down during the update. Services with higher replica counts can
increase this number accordingly to meet their needs.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This renames the `rotate_xxx` flags to camelBack, for
consistency with other API query-params, such as
`detachKeys`, `noOverwriteDirNonDir`, and `fromImage`.
Also makes this flag accept a wider range of boolean
values ("0", "1", "true", "false"), and throw an error
if an invalid value is passed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Tasks will display all tasks (`-a` is the default and was removed)
- Nest tasks to help display history
- Display task errors inline
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Simplifies the mount option usage by providing common aliases for
`source` and `target`. The default mount type is now volume.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Implement the proposal from
https://github.com/docker/docker/issues/24430#issuecomment-233100121
Removes acceptance policy and secret in favor of an automatically
generated join token that combines the secret, CA hash, and
manager/worker role into a single opaque string.
Adds a docker swarm join-token subcommand to inspect and rotate the
tokens.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
these values were changed to lowercase in
690cb2d08c,
but not changed accordingly in docker/docker.
this changes the mounttypes to lowercase
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`volume-driver-opt` was too verbose for its own existence and the sanity
of those in the vicinity. The much better, sleeker `volume-opt` replaces
it. 7 bytes and a case of carpal tunnel syndrome are saved!
Signed-off-by: Stephen J Day <stephen.day@docker.com>
This renames the '--bundle' flag for docker (stack) deploy
to be consistent with 'docker build'.
Note that there's no shorthand '-f' added for now,
because this may be confusing on 'docker stack config',
which also takes a file, and for which we may want to
have a '--format' flag in future.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This removes the logic to automatically
add [OPTIONS] to the usage output.
The current logic was broken if a command
only has deprecated or hidden flags, and
in many cases put the [OPTIONS] in the
wrong location.
Requiring the usage string to be set
manually gives more predictable results,
and shouldn't require much to maintain.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds log driver support for service creation and update. Add flags
`--log-driver` and `--log-opt` to match `docker run`. Log drivers are
configured per service.
Signed-off-by: Stephen J Day <stephen.day@docker.com>
Using tabs here seems to cause copy/paste problems in some terminals.
Using spaces is safer.
Fixes#24609
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
improve help text for service update remove flags
implement proper merge update of placement flag
more code re-use in update functions using a toRemove set.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
- Update ps with `--last` flag
- Update commands with current output
- Make sure hugo does not detect the wrong language
- Update usage for `tag` command to be more coherent with the other ones
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
In the API:
`Writable` changed to `ReadOnly`
`Populate` changed to `NoCopy`
Corresponding CLI options updated to:
`volume-writable` changed to `volume-readonly`
`volume-populate` changed to `volume-nocopy`
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The current behavior of `docker swarm init` is to set up a swarm that
has no secret for joining, and does not require manual acceptance for
workers. Since workers may sometimes receive sensitive data such as pull
credentials, it makes sense to harden the defaults.
This change makes `docker swarm init` generate a random secret if none
is provided, and print it to the terminal. This secret will be needed to
join workers or managers to the swarm. In addition to improving access
control to the cluster, this setup removes an avenue for
denial-of-service attacks, since the secret is necessary to even create
an entry in the node list.
`docker swarm init --secret ""` will set up a swarm without a secret,
matching the old behavior. `docker swarm update --secret ""` removes the
automatically generated secret after `docker swarm init`.
Closes#23785
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
In order to keep a little bit of "sanity" on the API side, validate
hostname only starting from v1.24 API version.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
