With content addressability update starting upgraded
daemon for the first time can take a long time if
graph dir was not prepared with a migration tool before.
This avoids systemd timeouts while the migration is
taking place.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
It will Tar up contents of child directory onto tmpfs if mounted over
This patch will use the new PreMount and PostMount hooks to "tar"
up the contents of the base image on top of tmpfs mount points.
Signed-off-by: Dan Walsh <dwalsh@redhat.com>
libcontainer v0.0.4 introduces setting `/proc/self/oom_score_adj` to
better tune oom killing preferences for container process. This patch
simply integrates OomScoreAdj libcontainer's config option and adjust
the cli with this new option.
Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
On a ubuntu 15.04 machine with apparmor_parser version 2.10 I get
```
Syntax Error: Unknown line found in file:
/etc/apparmor.d/docker-engine line: 26
```
when running `aa-complain /etc/apparmor.d/docker-engine`.
It's super weird because ipc is documented in the apparmor manual, but it
doesnt seem to be working at all. Tested on a few servers.
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Add a flag to allow keeping bundles around (helps with CI)
Fix several problems in repo make targets
* quote DOCKER_EXPERIMENTAL variable
* pass-through arguments for gpg provided to dpkg-sig are now quoted
properly, so passphrases with shell-interpolated symbols can be used
* when determining deb suites, don't rely on 'origin' to be
github.com/docker/docker
Fix some issues with deb repository creation from scratch
* Don't add empty components to the repository configuration as they
will cause failure when generating.
Add old docker-engine-cs name to package conflicts
Signed-off-by: Mike Dougherty <mike.dougherty@docker.com>
A few additions to the policy when running with user namespaces enabled
and when running 'docker exec'.
Signed-off-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
LXC support has been deprecated and the related completion has been
removed in #17700 but was added back in #17334.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Otherwise, the cache would be invalid and won't be refreshed soon. This
can happen when the user has the completion installed before docker is
installed.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
Add support of `tag`, `env` and `labels` for Splunk logging driver.
Removed from message `containerId` as it is the same as `tag`.
Signed-off-by: Denis Gladkikh <denis@gladkikh.email>
The LXC driver was deprecated in Docker 1.8.
Following the deprecation rules, we can remove a deprecated feature
after two major releases. LXC won't be supported anymore starting on Docker 1.10.
Signed-off-by: David Calavera <david.calavera@gmail.com>
mkimage-yum.sh has a lot in common with mkimage-rinse.sh, including extra
files clean up. Sync with mkimage-rinse.sh by removing yum cache to reduce
the image size.
Minor changes to reduce also the delta/diff and make it easier to sync with
mkimage-rinse.sh script.
Signed-off-by: Fathi Boudra <fathi.boudra@linaro.org>
This enables Zsh to understand commands like "docker run -it
ubuntu". However, by enabling this, this also makes Zsh completes
"docker run -u<tab>" with "docker run -uapprox" which is not valid. The
users have to put the space or the equal sign themselves before trying
to complete.
Therefore, this behavior is disabled by default. To enable it:
zstyle ':completion:*:*:docker:*' option-stacking yes
zstyle ':completion:*:*:docker-*:*' option-stacking yes
Signed-off-by: Vincent Bernat <vincent@bernat.im>
This is allowed by Docker and helps the completion to not get confused
when a user uses this notation. This will also help to enable stacking
of short options since Zsh needs that to not stack options with
arguments.
Signed-off-by: Vincent Bernat <vincent@bernat.im>
`docker network` is the second command with subcommands.
This refactoring pulls out parsing and processing of subcommands
from `docker volume` completion and thus makes its logic available
for other commands.
Also enables `__docker_pos_first_nonflag` for subcommand completion.
Signed-off-by: Harald Albers <github@albersweb.de>
- missing help option in `docs/reference/commandline/*.md` (some files
have it, the other I fixed didn't)
- missing `[OPTIONS]` in Usage description
- missing options
- formatting
- start/stop idempotence
Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
Add 10 seconds timeout when running `sudo service docker stop`. This is
especially needed when running `sudo service docker restart`. Otherwise,
`restart` results in exitstatus 1, because `start` has nothing to do.
Signed-off-by: Ewa Czechowska <ewa@ai-traders.com>
On boot, the init script is invoked from `/etc/rcN.d/S20docker` (where N
is the runlevel). Consequently, the init script tried to find the
defaults at `/etc/defaults/S20docker` and the binary at
`/usr/bin/S20docker`. This causes the docker daemon to fail at boot with
the error
/usr/bin/S20docker not present or not executable
Starting it manually works because it invokes `/etc/init.d/docker` which
has the correct basename.
Fix this by hardcoding "docker" as the base name.
Signed-off-by: Matthias Rampke <mr@soundcloud.com>
The shell builtin `compopt` is not available on the outdated bash
version 3.2.57 that ships with Mac OS.
It is used in Docker's bash completion to suppress trailing spaces
in advanced completions of hash map options, e.g. `--log-opt`.
If `compopt` is not available, the new behavior is to do nothing,
i.e. the user will have to delete the additional space.
Signed-off-by: Harald Albers <github@albersweb.de>
If a logdriver doesn't register a callback function to validate log
options, it won't be usable. Fix the journald driver by adding a dummy
validator.
Teach the client and the daemon's "logs" logic that the server can also
supply "logs" data via the "journald" driver. Update documentation and
tests that depend on error messages.
Add support for reading log data from the systemd journal to the
journald log driver. The internal logic uses a goroutine to scan the
journal for matching entries after any specified cutoff time, formats
the messages from those entries as JSONLog messages, and stuffs the
results down a pipe whose reading end we hand back to the caller.
If we are missing any of the 'linux', 'cgo', or 'journald' build tags,
however, we don't implement a reader, so the 'logs' endpoint will still
return an error.
Make the necessary changes to the build setup to ensure that support for
reading container logs from the systemd journal is built.
Rename the Jmap member of the journald logdriver's struct to "vars" to
make it non-public, and to make it easier to tell that it's just there
to hold additional variable values that we want journald to record along
with log data that we're sending to it.
In the client, don't assume that we know which logdrivers the server
implements, and remove the check that looks at the server. It's
redundant because the server already knows, and the check also makes
using older clients with newer servers (which may have new logdrivers in
them) unnecessarily hard.
When we try to "logs" and have to report that the container's logdriver
doesn't support reading, send the error message through the
might-be-a-multiplexer so that clients which are expecting multiplexed
data will be able to properly display the error, instead of tripping
over the data and printing a less helpful "Unrecognized input header"
error.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> (github: nalind)
Allow to set the signal to stop a container in `docker run`:
- Use `--stop-signal` with docker-run to set the default signal the container will use to exit.
Signed-off-by: David Calavera <david.calavera@gmail.com>
The shebang for OpenRC init scripts is now #!/sbin/openrc-run, and we
can also use the default start and stop functions built into OpenRC.
Signed-off-by: William Hubbs <w.d.hubbs@gmail.com>
This option was incorrectly ported to the new `daemon` subcommand
structure.
Beside the obvious effect that completion of `docker daemon --log-opt`
did not work, this also caused completion of `docker` and `docker xxx`
to fail on macs with
> bash: words: bad array subscript
Signed-off-by: Harald Albers <github@albersweb.de>
Allow the user to configure how Docker's bash completion works for the
"events", "history", "inspect", "run", "rmi" and "save" commands through the
following environment variables:
DOCKER_COMPLETION_SHOW_IMAGE_IDS
"none" - Show names only (default)
"non-intermediate" - Show names and ids, but omit intermediate image IDs
"all" - Show names and ids, including intermediate image IDs
DOCKER_COMPLETION_SHOW_TAGS
"yes" - include tags in completion options (default)
"no" - don't include tags in completion options
Fixes#9474.
Signed-off-by: Rory Hunter <roryhunter2@gmail.com>
This reverts commit 40b71adee3.
Original commit (for which this is effectively a rebased version) is
72a500e9e5 and was provided by Lei Jitang
<leijitang@huawei.com>.
Signed-off-by: Tim Dettrick <t.dettrick@uq.edu.au>
All docker subcommands support `-h` as an alias for `--help`
unless they have `-h` aliased to something else like `docker run`,
which uses `-h` for `--hostname`.
`-h` is not included in the help messages of the commands, though.
It ist visible in
* reference: only in `docker daemon` reference,
see output of `grep -Rse --help=false docs`
* man pages: only in `docker` man page
see output of `grep -RF '**-h**' man`
For consistency reasons, this commit removes `-h` as an alias for
`--help` from the reference page, man page and the bash completion.
Signed-off-by: Harald Albers <github@albersweb.de>
The docker script in contrib/init/sysvinit-redhat will fail silently on
a start if Docker is not installed in the default /usr/bin/ location.
While a non-zero exit code is returned the user will receive no visible
indication (i.e. error message) as to why Docker was not started.
This commit changes the logic so that in the case that the docker
executable is not found in the expected location or the user does not
have execute permissions on the executable appropriate error messages
are now shown to the user as well as exiting with a non-zero exit code
Signed-off-by: Rob Vesse <rvesse@dotnetrdf.org>
The custom configuration will also be used in docker invocations made
by the completion script itself, just like `-H`.
Signed-off-by: Harald Albers <github@albersweb.de>
It's a bit confusing: the "global options" are valid as "global options"
for all client commands (i.e. all but daemon).
Example: `docker --log-level info run`
For `docker daemon`, these "global options" are only valid as "command
options".
Example: `docker daemon --log-level info`
As command completion cannot tell which command the user is going to
type next, completion for the daemon command has to allow illegal
syntaxes like
`docker --log-level info daemon --log-level info`
Signed-off-by: Harald Albers <github@albersweb.de>
Add tools to the apparmor profile that are needed when -s devicemapper is
in the docker daemon's command line.
Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
Currently the service type is 'simple', the default, meaning that
docker.service is considered to be started straight after
spawning. This is incorrect as there is significant amount of time
between spawning and docker ready to accept connections on the passed
sockets. Docker does implement systemd socket activate and
notification protocol, and send the ready signal to systemd, once it
is ready. However for systemd to take those notifications into
account, the service file type should be set to notify.
Signed-off-by: Dimitri John Ledkov <dimitri.j.ledkov@intel.com>
The engine policy will now only complain
as a temporary measure to ensure we do not
cause breakages while users exercise this
policy.
This is NOT the policy for containers, but
for the newly-introduced policy for the
daemon itself.
Signed-off-by: Eric Windisch <eric@windisch.us>
Implements the policies for the remaining binaries
called by the Docker engine and eliminates the
giant whitelisted 'all files' permission in favor
of granular whitelisting and child-specific policies.
It should be possible now to remove the 'file' permission,
but for the sake of keeping Docker unbroken, we'll try
to gradually tighten the policy.
Signed-off-by: Eric Windisch <eric@windisch.us>
Will attempt to load profiles automatically. If loading fails
but the profiles are already loaded, execution will continue.
A hard failure will only occur if Docker cannot load
the profiles *and* they have not already been loaded via
some other means.
Also introduces documentation for AppArmor.
Signed-off-by: Eric Windisch <eric@windisch.us>
A bash completion file shouldn't have a executable bit set.
Just change file mode to 644 (instead of 755).
Signed-off-by: Dieter Reuter <dieter.reuter@me.com>
Without this fix, `docker --log-opt ` would not complete anything
because the completions were driver specific.
Signed-off-by: Harald Albers <github@albersweb.de>
Without this fix, `docker --log-driver fluentd --log-opt fluentd-tag=b`
would complete `b` to `build`.
Completion of the commands has to be nailed to __docker_pos_first_nonflag
Signed-off-by: Harald Albers <github@albersweb.de>
If you have some kind of bogus `other_args` in `/etc/sysconfig/docker` the start script will report "started" but it's full of lies. This enhances the flow so that if the pidfile never shows up (failure to start) you get a proper failure message.
I also added dots for fun.
Signed-off-by: Jeff Minard <jeff.minard@creditkarma.com>
Wraps the engine itself with an AppArmor policy.
This restricts what may be done by applications
we call out to, such as 'xz'.
Significantly, this policy also restricts the policies
to which a container may be spawned into. By default,
users will be able to transition to an unconfined
policy or any policy prefaced with 'docker-'.
Local operators may add new local policies prefaced
with 'docker-' without needing to modify this policy.
Operators choosing to disable privileged containers
will need to modify this policy to remove access
to change_policy to unconfined.
Signed-off-by: Eric Windisch <eric@windisch.us>
By using the 'unconfined' policy for privileged
containers, we have inherited the host's apparmor
policies, which really make no sense in the
context of the container's filesystem.
For instance, policies written against
the paths of binaries such as '/usr/sbin/tcpdump'
can be easily circumvented by moving the binary
within the container filesystem.
Fixes GH#5490
Signed-off-by: Eric Windisch <eric@windisch.us>
The automatic installation of AppArmor policies prevents the
management of custom, site-specific apparmor policies for the
default container profile. Furthermore, this change will allow
a future policy for the engine itself to be written without demanding
the engine be able to arbitrarily create and manage AppArmor policies.
- Add deb package suggests for apparmor.
- Ubuntu postinst use aa-status & fix policy path
- Add the policies to the debian packages.
- Add apparmor tests for writing proc files
Additional restrictions against modifying files in proc
are enforced by AppArmor. Ensure that AppArmor is preventing
access to these files, not simply Docker's configuration of proc.
- Remove /proc/k?mem from AA policy
The path to mem and kmem are in /dev, not /proc
and cannot be restricted successfully through AppArmor.
The device cgroup will need to be sufficient here.
- Load contrib/apparmor during integration tests
Note that this is somewhat dirty because we
cannot restore the host to its original configuration.
However, it should be noted that prior to this patch
series, the Docker daemon itself was loading apparmor
policy from within the tests, so this is no dirtier or
uglier than the status-quo.
Signed-off-by: Eric Windisch <eric@windisch.us>
Steve Durrheimer
manchoz
Justas Brazauskas
Tibor Vass
Sebastiaan van Stijn
David Calavera
Harald Albers
John Howard
Jess Frazelle
Alexander Morozov
Ma Shimiao
Jessica Frazelle
Phil Estes
Tonis Tiigi
Vincent Demeester
Arnaud Porterie
Dan Walsh
Wen Cheng Ma
Antonio Murdaca
Avi Miller
Tianon Gravi
Mike Dougherty
Stefan Berger
Rui Lopes
Elvir Kuric
Vincent Bernat
Vincent Demeester
Denis Gladkikh
Guilhem Lettron
Solomon Hykes
Brian Goff
Julien Pervillé
Stefan Berger
Antonio Murdaca
Asbjørn Enge
Fathi Boudra
Alexander Morozov
Madhu Venugopal
Qiang Huang
Lei Jitang
Zhang Kun
Viktor Stanchev
Ewa Czechowska
Matthias Rampke
qhuang
Sally O'Malley
Tim Hockin
Nalin Dahyabhai
Joe Ferguson
Samuel Karp
William Hubbs
Rory Hunter
Tim Dettrick
Veres Lajos
Rob Vesse
Eric Windisch
Dimitri John Ledkov
Dieter Reuter
Jessica Frazelle
Jeff Minard