Commit graph

52 commits

Author SHA1 Message Date
Kenfe-Mickael Laventure
1aec3bacfd Vendor in new runc binary with userns fix
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-06-14 07:47:31 -07:00
Kenfe-Mickael Laventure
2e9ea5c194 Update containerd and runc vendoring
containerd: 860f3a94940894ac0a106eff4bd1616a67407ee2
runc: 85873d917e86676e44ccb80719fcb47a794676a1
runtime-specs: v1.0.0-rc1

Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
2016-06-14 07:47:31 -07:00
Michael Holzheu
e6e51d37f7 Dockerfile.s390x: Remove 'seccomp' again from DOCKER_BUILDTAGS
We have to wait until runc version (RUNC_COMMIT) is bumped.
Otherwise we get the following error:

 oci runtime error: string SCMP_ARCH_S390 is not a valid
 arch for seccomp

Fixes: bf2a577c13 ("Enable seccomp for s390x")
Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-10 15:18:58 -04:00
Michael Crosby
d17b9f3da0 Update containerd to cf554d59dd96e459544748290eb91
This bumps containerd to cf554d59dd96e459544748290eb9167f4bcde509 and
includes various fixes and updates the grpc package and types generated
for use.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-06-07 15:27:23 -07:00
Michael Holzheu
bf2a577c13 Enable seccomp for s390x
To implement seccomp for s390x the following changes are required:

1) seccomp_default: Add s390 compat mode

   On s390x (64 bit) we can run s390 (32 bit) programs in 32 bit
   compat mode. Therefore add this information to arches().

2) seccomp_default: Use correct flags parameter for sys_clone on s390x

   On s390x the second parameter for the clone system call is the flags
   parameter. On all other architectures it is the first one.

   See kernel code kernel/fork.c:

   #elif defined(CONFIG_CLONE_BACKWARDS2)
   SYSCALL_DEFINE5(clone, unsigned long, newsp, unsigned long, clone_flags,
                   int __user *, parent_tidptr,

   So fix the docker default seccomp rule and check for the second
   parameter on s390/s390x.

3) seccomp_default: Add s390 specific syscalls

  For s390 we currently have three additional system calls that should
  be added to the seccomp whitelist:

  - Other architectures can read/write unprivileged from/to PCI MMIO memory.
    On s390 the instructions are privileged and therefore we need system
    calls for that purpose:

    * s390_pci_mmio_write()
    * s390_pci_mmio_read()

  - Runtime instrumentation:

    * s390_runtime_instr()

4) test_integration: Do not run seccomp default profile test on s390x

   The generated profile that we check in is for amd64 and i386
   architectures and does not work correctly on s390x.

   See also: 75385dc216 ("Do not run the seccomp tests that use
   default.json on non x86 architectures")

5) Dockerfile.s390x: Add "seccomp" to DOCKER_BUILDTAGS

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-06-06 08:13:22 -04:00
Michael Holzheu
b5490d4897 Dockerfile.s390x: Move to gcc 6.1 (go 1.6.1)
Pull request #22840 and commit 40b21745cc ("Upgrade to golang 1.6.2")
introduces gcc 6.1 for Dockerfile.gccgo and Dockerfile.ppc64le.
So do this also for s390x and use "s390x/gcc:6.1" as base image.

In addition to this use "GO15VENDOREXPERIMENT=0" for notary build
as a workaround for:

 * golang/go#15814
 * golang/go#15628

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-05-31 04:39:20 -04:00
Christy Perez
d864a14620 Bump the seccomp versions to pull in fixes and new commits
enabling s390 and ppc64le function

Signed-off-by: Christy Perez <christy@linux.vnet.ibm.com>
2016-05-27 11:12:47 -04:00
cyli
6094be63ac Bump notary version up to 0.3.0 and re-vendor.
Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-05-11 22:57:51 -07:00
Michael Crosby
cfb9764386 Update runc and containerd deps
containerd:     57b7c3da915ebe943bd304c00890959b191e5264
runc:           d49ece5a83da3dcb820121d6850e2b61bd0a5fbe

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-05-09 15:05:44 -07:00
cyli
4710ed6304 Remove the pkcs11 build tag from the s390x Dockerfile, since it is using GCCGo 5.3, which
is still on the Go 1.4 library, whereas the Notary Yubikey library needs interfaces from
Go 1.5

Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-05-06 10:59:28 -07:00
cyli
88c6675ed2 Bump notary version to v0.3.0-RC1
Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-05-06 10:59:26 -07:00
Shijiang Wei
e6590b5fa2 vendor docker-py 7befe694bd21e3c54bb1d7825270ea4bd6864c13
Signed-off-by: Shijiang Wei <mountkin@gmail.com>
2016-05-02 23:04:04 +08:00
Michael Holzheu
6e4c87c06e Dockerfile.s390x: Build correct registries and notary client
Sync with other Dockerfiles:

 1) Adjust REGISTRY_COMMIT
 2) Add old shema1 registry
 3) Install notary client

This fixes the following testcases:

 DockerSchema1RegistrySuite:
  - SetUpTest
 DockerTrustSuite:
  - TestTrustedBuildTagFromReleasesRole
  - TestTrustedBuildTagIgnoresOtherDelegationRoles
  - TestTrustedPullReadsFromReleasesRole
  - TestTrustedPullIgnoresOtherDelegationRoles
  - TestTrustedPushWithReleasesDelegationOnly
  - TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor
  - TestTrustedPushSignsForRolesWithKeysAndValidPaths
  - TestTrustedPushDoesntSignTargetsIfDelegationsExist
 DockerRegistrySuite:
  - TestPullManifestList
  - TestCrossRepositoryLayerPush
 DockerHubPullSuite:
  - TestPullAllTagsFromCentralRegistry

v2: Sync comments on all architectures

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-04-29 19:24:49 +02:00
Michael Holzheu
97f45bd629 Dockerfile.s390x: Add upstream libseccomp to compile runc
The runc compile currently fails on s390x:

 Step 35 : RUN set -x    && export GOPATH="$(mktemp -d)" && git clone
 https://github.com/opencontainers/runc.git
 "$GOPATH/src/github.com/opencontainers/runc"       && cd
 "$GOPATH/src/github.com/opencontainers/runc"      && git checkout -q
 "$RUNC_COMMIT"  && make static BUILDTAGS="seccomp apparmor selinux"     &&
 cp runc /usr/local/bin/docker-runc

 [snip]

 # github.com/seccomp/libseccomp-golang
 Godeps/_workspace/src/github.com/seccomp/libseccomp-golang/seccomp.go:25:22:
 fatal error: seccomp.h: No such file or directory
  // #include <seccomp.h>

The problem is that the installed libseccomp version in trusty is too old.

Fix this and install version 2.3.0 of libseccomp like it is done in the
x86 Dockerfile.

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-04-27 18:57:15 +02:00
John Howard
78895c92c2 Merge pull request #22275 from Microsoft/jstarks/no_rsrc
Windows: Add file version information
2016-04-25 20:53:19 -07:00
Mrunal Patel
e0f98c698b Update runc and spec dependencies for mount label
Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

Set up the mount label in the spec for a container

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>
2016-04-25 14:26:49 -07:00
Doug Davis
d03ba27b76 Merge pull request #22118 from michael-holzheu/22007-s390x-fix-notary-build-for-gcc-v2
Create "src" symlink for building notary with gcc 5
2016-04-25 11:50:00 -04:00
John Starks
4677f8036e Windows: Add file version information
This change adds file version information to docker.exe and dockerd.exe by
adding a Windows version resource with the windres tool.

This change adds a dependency to binutils-mingw-w64 on Linux, but removes
a dependency on rsrc. Most Windows build environments should already have
windres if they have gcc (which is necessary to build dockerd).

Signed-off-by: John Starks <jostarks@microsoft.com>
2016-04-24 10:55:51 -07:00
Michael Holzheu
241898d136 Create "src" symlink for building notary with gcc 5
With gcc 5 version 1.4.2 of go is included. This version does not support
go's "native vendoring" which is needed to build notary since git commit
51dc1747e4ab5 ("Move the godeps workspace to the vendor directory to be
compliant with Go 1.6").

As a workaround create a symlink "vendor/src" that points to "vendor/".
This allows to compile notary with gcc 5.

Closes #22007

Signed-off-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
2016-04-22 19:28:08 +02:00
Michael Crosby
199472c75a Bump containerd to v0.2.1
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-04-22 09:39:02 -07:00
Qiang Huang
e67c758ec3 Remove template code for runc and containerd
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2016-04-15 12:45:35 +08:00
Tibor Vass
c3fe4226f3 vendor runc to fix issue#21808
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-04-12 15:35:43 -04:00
Tonis Tiigi
3f81b49352 Define readonly/mask paths in spec
This vendors in new spec/runc that supports
setting readonly and masked paths in the 
configuration. Using this allows us to make an
exception for `—-privileged`.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-04-04 18:55:55 -07:00
Tonis Tiigi
8a4225cd5a Bring back support for DOCKER_RAMDISK
Fixes #21631

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-03-31 10:29:32 -07:00
Sebastiaan van Stijn
71cab5b0dc Merge pull request #21629 from thaJeztah/bump-runc
Bump runC to 40f4e7873d88a4f4d12c15d9536bb1e34aa2b7fa
2016-03-29 23:07:12 -07:00
Tibor Vass
d800be743d Merge pull request #21591 from riyazdf/hardware-signing-non-experimental
move hardware signing out of experimental, remove yubico-piv-tool deps
2016-03-30 00:09:22 -04:00
Sebastiaan van Stijn
752b31d3fe Bump runC to 40f4e7873d88a4f4d12c15d9536bb1e34aa2b7fa
This includes fixes for;

- outputing errors for missing seccomp options on seccomp versions < 2.3
- cap set apply EPERM errors on ARM systems

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-03-29 17:10:05 -07:00
David Calavera
99adcaebc0 Merge pull request #21592 from anusha-ragunathan/docker-systemd
When using systemd, pass expected cgroupsPath and cli options to runc.
2016-03-29 17:00:10 -07:00
Anusha Ragunathan
7ed3d265a4 When using systemd, pass expected cgroupsPath and cli options to runc.
runc expects a systemd cgroupsPath to be in slice:scopePrefix:containerName
format and the "--systemd-cgroup" option to be set. Update docker accordingly.

Fixes 21475

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-03-29 14:20:10 -07:00
Harald Albers
a7e9bf6cb7 Use https for git clone in build
Signed-off-by: Harald Albers <github@albersweb.de>
2016-03-29 09:35:42 +02:00
Riyaz Faizullabhoy
8d18e6b30f move hardware signing out of experimental, remove dependencies to yubico-piv-tool
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-28 14:33:06 -07:00
Alexander Morozov
d5019972e5 Merge pull request #21499 from cyli/hardware-signing-experimental-again
Move hardware signing back to experimental again
2016-03-24 23:03:13 -07:00
cyli
dd33d18045 Revert "Merge pull request #21003 from riyazdf/hardware-signing-ga"
This reverts commit e6d3a9849c, reversing
changes made to d3afe34b51.

Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-03-24 21:12:52 -07:00
David Calavera
3e0bd74a3d Downgrade to Go 1.5.3.
To not hit the issue with the request Host header.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-24 19:15:10 -04:00
Tonis Tiigi
22d997b374 Update runc/containerd
Contains fixes for:
- pid.max fix that is causing hang on network stats test.
- fix for early stdin close containerd-shim
- better logging for `could not synchronise with container process`

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-03-23 15:38:33 -07:00
Tibor Vass
009399dc8e Add docker- prefix to runc and containerd binaries
Signed-off-by: Tibor Vass <tibor@docker.com>
2016-03-23 00:52:16 -04:00
Riyaz Faizullabhoy
ab3772f72f vendor notary for docker1.11
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-22 11:28:19 -07:00
Tonis Tiigi
9c4570a958 Replace execdrivers with containerd implementation
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-03-18 13:38:32 -07:00
Riyaz Faizullabhoy
37fa75b344 Move pkcs11 out of experimental, into GA
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-03-07 10:07:40 -08:00
Riyaz Faizullabhoy
84dc2d9e70 Vendor in notary v0.2.0
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-02-25 13:40:00 -08:00
Tibor Vass
f27b5dda4a Switch Dockerfile to debian:jessie
Fixes broken-pipe issue when piping s3cmd to grep -q, by removing the -q
flag and redirecting to /dev/null instead.

Add net-tools for ifconfig, because some tests rely on ifconfig.

Harmonize all Dockerfiles in this direction.

Signed-off-by: Tibor Vass <tibor@docker.com>
2016-02-12 21:49:54 -05:00
Srini Brahmaroutu
6b09413f6b Need -lpthread to compile Notary
Signed-off-by: Srini Brahmaroutu <srbrahma@us.ibm.com>
2016-01-29 19:52:39 +00:00
cyli
71a1caddf0 Include a new version of notary with less verbose INFO+ logging
Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-01-27 09:46:26 -08:00
cyli
8fd2c8791d Re-vendor notary, as well as change jfrazelle/go to docker/go.
Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-01-26 18:02:00 -08:00
Sebastiaan van Stijn
589c8a879f Update notary to 1.10-3 in all Dockerfiles
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2016-01-26 11:51:22 -08:00
Tianon Gravi
9b2aab3fc8 Switch "syscall-test" image from "debian:jessie" to "buildpack-deps:jessie" so that "gcc" is already included
This results in a significant time savings during repeated builds (since we don't have to re-download gcc for every test run).

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2016-01-14 13:51:30 -08:00
David Calavera
db41c5f5a5 Update docker-py commit to the latest HEAD.
To fix issues with IPAM options.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-01-12 13:19:17 -05:00
Tianon Gravi
91201678c6 Refactor multi-arch support (especially for new mostly-official multi-arch official images)
See 99433d2ca2/README.md (architectures-other-than-amd64) for some context of where these images come from.

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2016-01-06 14:34:29 -08:00
Christopher Jones
52e53814ea Add unshare image to s390x Dockerfile
This adds unshare image to Dockerfile.s390x

Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2015-12-14 12:16:18 -06:00
Christopher Jones
03fc212b6d Fixes for ppc64le and 390x frozen-images
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2015-12-08 14:26:34 -05:00