The security infomation has already been added to `GET /info` in #21172.
However, it is not part of the output of `docker info` yet.
This fix adds the security information to `docker info`.
Additional tests has been added to cover changes.
This fix fixes#23500. This fix is related to #20909, #21172.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
As described in our ROADMAP.md, introduce new Swarm management commands
to call to the corresponding API endpoints.
This PR is fully backward compatible (joining a Swarm is an optional
feature of the Engine, and existing commands are not impacted).
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
As described in our ROADMAP.md, introduce new Swarm management API
endpoints relying on swarmkit to deploy services. It currently vendors
docker/engine-api changes.
This PR is fully backward compatible (joining a Swarm is an optional
feature of the Engine, and existing commands are not impacted).
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Victor Vieux <vieux@docker.com>
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This fix tries to fix logrus formatting by removing `f` from
`logrus.[Error|Warn|Debug|Fatal|Panic|Info]f` when formatting string
is not present.
This fix fixes#23459.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Also moves some common stuff around :
- `api/client/registry.go` for registry related
method (`ElectAuthServer`, …)
- `api/client/credentials.go` to interact with credentials
Migrate logout command to cobra
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker commit` to use spf13/cobra
NOTE: `RequiresMinMaxArgs()` has been renamed to `RequiresRangeArgs()`.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Windows is now built using Go 1.6, so we no longer
need to have a fallback for Go 1.4.
This removes the fallback that was introduced in
6df3fc5175 /
https://github.com/docker/docker/pull/18553
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker tag` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker version` to use spf13/cobra
NOTE: Most of the commands like `run`, `images` etc. goes to packages of
`container`, `image`, `network`, etc. Didn't find a good place for
`docker version` so just use the package `client` for now.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker images` to use spf13/cobra
NOTE: As part of this fix, a new function `RequiresMaxArgs()`
has been defined in `cli/required.go`. This func returns an
error if there is not at most max args
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Any command that expects extra flags after positional args needs to set flags.SetInterspersed(false).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker rename` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker pause` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker history` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker top` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker port` to use spf13/cobra
Note: As part of this fix, a new function `RequiresMinMaxArgs(min int, max int)`
has been added in cli/required.go. This function restrict the args
to be at least min and at most max.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker wait` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
- Migrates network command and subcommands (connect, create, disconnect,
inspect, list and remove) to spf13/cobra
- Create a RequiredExactArgs helper function for command that require an
exact number of arguments.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
e.g.
```
$ docker run -i --restart always busybox sh
pwd
/
exit 11
<...hang...>
```
This is because Attach(daemon side) and Run(client side) both hangs on
WaitStop, if container is restarted too quickly, wait won't have chance
to get exit signal.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
Currently `start` will hide some errors and throw a consolidated error,
which will make it hard to debug because developer can't find the
original error.
This commit allow daemon to log original errors first.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker unpause` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker logs` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker diff` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This fix is part of the effort to convert commands to spf13/cobra #23211.
Thif fix coverted command `docker stop` to use spf13/cobra
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Move container options into a struct so that tests should pass.
Remove unused FlagSet arg from Parse
Disable interspersed args on docker run
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This fix addresses an issue where including the `{{.Size}}` format
field in conjunction with `docker ps --format`, without the `--size`
flag, would not correctly display the size of containers.
This is done by doing a check on the custom format string, and setting
the size flag on the options struct if the field is found. This struct
gets passed to the engine API which then generates the correct query.
An integration test is included which runs `docker ps --format "table
{{.Size}}"` without `--size`, and checks that the returned output is
not `0 B`.
Fixes#21991
As suggested by @cpuguy83, a parser is implemented to process the format
string as a template, and then traverses the template tree to determine
if `.Size` was called.
This was then reworked by making use of template execution with a
pre-processor struct that will set the `--size` option if the template
calls for the field.
The pre-processor now also sets a boolean in the context passed to the
writer. There is an integration test for this that calls `docker ps
--size --format "{{.Size}}"` and then checks that `size: {{.Size}}` is
not appended, as it would with previous behavior.
Finally, a change was made to the formatter to not automatically
add a `{{.Size}}` if a custom format is provided.
Signed-off-by: Paulo Ribeiro <paigr.io@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This endpoint has been deprecated since 1.8. Return an error starting
from this API version (1.24) in order to make sure it's not used for the
next API version and so that we can remove it some times later.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This fix tries to address the issue raised in #23055.
Currently `docker search` result caps at 25 and there is
no way to allow getting more results (if exist).
This fix adds the flag `--limit` so that it is possible
to return more results from the `docker search`.
Related documentation has been updated.
Additional tests have been added to cover the changes.
This fix fixes#23055.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
This PR adds support for user-defined health-check probes for Docker
containers. It adds a `HEALTHCHECK` instruction to the Dockerfile syntax plus
some corresponding "docker run" options. It can be used with a restart policy
to automatically restart a container if the check fails.
The `HEALTHCHECK` instruction has two forms:
* `HEALTHCHECK [OPTIONS] CMD command` (check container health by running a command inside the container)
* `HEALTHCHECK NONE` (disable any healthcheck inherited from the base image)
The `HEALTHCHECK` instruction tells Docker how to test a container to check that
it is still working. This can detect cases such as a web server that is stuck in
an infinite loop and unable to handle new connections, even though the server
process is still running.
When a container has a healthcheck specified, it has a _health status_ in
addition to its normal status. This status is initially `starting`. Whenever a
health check passes, it becomes `healthy` (whatever state it was previously in).
After a certain number of consecutive failures, it becomes `unhealthy`.
The options that can appear before `CMD` are:
* `--interval=DURATION` (default: `30s`)
* `--timeout=DURATION` (default: `30s`)
* `--retries=N` (default: `1`)
The health check will first run **interval** seconds after the container is
started, and then again **interval** seconds after each previous check completes.
If a single run of the check takes longer than **timeout** seconds then the check
is considered to have failed.
It takes **retries** consecutive failures of the health check for the container
to be considered `unhealthy`.
There can only be one `HEALTHCHECK` instruction in a Dockerfile. If you list
more than one then only the last `HEALTHCHECK` will take effect.
The command after the `CMD` keyword can be either a shell command (e.g. `HEALTHCHECK
CMD /bin/check-running`) or an _exec_ array (as with other Dockerfile commands;
see e.g. `ENTRYPOINT` for details).
The command's exit status indicates the health status of the container.
The possible values are:
- 0: success - the container is healthy and ready for use
- 1: unhealthy - the container is not working correctly
- 2: starting - the container is not ready for use yet, but is working correctly
If the probe returns 2 ("starting") when the container has already moved out of the
"starting" state then it is treated as "unhealthy" instead.
For example, to check every five minutes or so that a web-server is able to
serve the site's main page within three seconds:
HEALTHCHECK --interval=5m --timeout=3s \
CMD curl -f http://localhost/ || exit 1
To help debug failing probes, any output text (UTF-8 encoded) that the command writes
on stdout or stderr will be stored in the health status and can be queried with
`docker inspect`. Such output should be kept short (only the first 4096 bytes
are stored currently).
When the health status of a container changes, a `health_status` event is
generated with the new status. The health status is also displayed in the
`docker ps` output.
Signed-off-by: Thomas Leonard <thomas.leonard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The -f flag on docker tag has been deprecated in docker 1.10 and
is expected to be removed in docker 1.12.
This fix removed the -f flag on docker tag and also updated
deprecated.md.
NOTE: A separate pull request for engine-api has been opened to
cover the related changes.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Since 1.9, the following short variant options have been
deprecated in favor of their long variants:
`docker run -c (--cpu-shares)`
`docker build -c (--cpu-shares)`
`docker create -c (--cpu-shares)`
`docker update -c (--cpu-shares)`
However, `-c` is still widely used and is considered as
a convenient option for swarm (see #16271).
This fix undeprecated the command line short
variant options of `-c` and updated the deprecated.md.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
… and refactor a little bit some daemon on the way.
- Move `SearchRegistryForImages` to a new file (`daemon/search.go`) as
`daemon.go` is getting pretty big.
- `registry.Service` is now an interface (allowing us to decouple it a
little bit and thus unit test easily).
- Add some unit test for `SearchRegistryForImages`.
- Use UniqueExactMatch for search filters
- And use empty restore id for now in client.ContainerStart.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Make better default usage on context.Context on the `api/client` package
to share the context (it is useless if not shared, which was the case
for a lot of commands).
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
The filtering is made server-side, and the following filters are
supported:
* is-official (boolean)
* is-automated (boolean)
* has-stars (integer)
Signed-off-by: Fabrizio Soppelsa <fsoppelsa@mirantis.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Since 1.9, Docker Content Trust Offline key has been renamed to
Root key and the Tagging key has been renamed to Repository key.
The corresponding environment variables
`DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE`
`DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE`
have also been deprecated and renamed to
`DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE`
`DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE`
This fix removed the deprecated ENV passphrase variables for
1.12 and updated the docs.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The jsonlog logger currently allows specifying envs and labels that
should be propagated to the log message, however there has been no way
to read that back.
This adds a new API option to enable inserting these attrs back to the
log reader.
With timestamps, this looks like so:
```
92016-04-08T15:28:09.835913720Z foo=bar,hello=world hello
```
The extra attrs are comma separated before the log message but after
timestamps.
Without timestaps it looks like so:
```
foo=bar,hello=world hello
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- Update now returns only an error
- NewNotaryRepository now takes a trustpinning configuration - we will provide an empty one for now.
Signed-off-by: cyli <cyli@twistedmatrix.com>
before:
```
$ time docker --help
real 0m0.177s
user 0m0.000s
sys 0m0.040s
```
after:
```
$ time docker --help
real 0m0.010s
user 0m0.000s
sys 0m0.000s
```
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
When exec a non-exist command, it should print a newline at last.
Currently:
```
$ docker exec -ti f5f703ea2c0a144 bash
rpc error: code = 2 desc = "oci runtime error: exec failed: exec:
\"bash\": executable file not found in $PATH"$
```
Signed-off-by: Feng Yan <fy2462@gmail.com>
This functionality has been fixed by
7bca932182 but then it has been broken
again by a793564b25 and finally refixed
here.
Basically the functionality was to prompt for login when trying to pull
from the official docker hub.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Using new methods from engine-api, that make it clearer which element is
required when consuming the API.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
This change allow to filter events that happened in the past
without waiting for future events. Example:
docker events --since -1h --until -30m
Signed-off-by: David Calavera <david.calavera@gmail.com>
Before this patch, containers are silently removed from the stats list
on error. This patch instead will display `--` for all fields for the
container that had the error, allowing it to recover from errors.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This makes separating middlewares from the core api easier.
As an example, the authorization middleware is moved to
it's own package.
Initialize all static middlewares when the server is created, reducing
allocations every time a route is wrapper with the middlewares.
Signed-off-by: David Calavera <david.calavera@gmail.com>
This fix tries to fix the discrepancy between `docker stats` and
`docker run` where `docker run` uses RAMInBytes for all memory
related inputs but `docker stats` uses HumanSize for all memory
related outputs.
To be consistent, `docker stats` needs to use BytesSize for all
memory related outputs to conform to RAMInBytes in `docker run`.
This fix addresses this issue. As BytesSize is used, the test
cases needs to be adjusted to match `KiB/MiB/GiB` instead of
`KB/MB/GB`.
The documentation has also been updated.
This fix fixes#21765.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Currently Docker authorization framework does not use any user
information, which already available in the Docker context for TLS
connection.
The purpose of this CR is to complete the existing authz work by adding
the basic client certificate details (SUBJECT_NAME) and authentication
method (TLS) to the authz request.
We think this should be the default behavior when no extended
authorization module is specified (currently WIP under #20883).
Signed-off-by: Liron Levin <liron@twistlock.com>
In this way, we can restore the Terminal as soon as possible once the hijacked
connection end. This not only fix weird output if cli enable -D, but also
remove duplicate code.
Signed-off-by: Lei Jitang <leijitang@huawei.com>
The server configuration already keeps the current version
if the daemon. This patch changes the middleware logic
to use it rather than using the global value.
This removes the dockerversion package dependency from the api.
Signed-off-by: David Calavera <david.calavera@gmail.com>
it's concurrent streams and should be synchronized before writing to response.
Otherwise there will be race in writing to *bufio.Writer in
net/http.response.
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
This adds support for the passthrough on build, push, login, and search.
Revamp the integration test to cover these cases and make it more
robust.
Use backticks instead of quoted strings for backslash-heavy string
contstands.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
so that the user knows what's not in the container but should be.
Its not always easy for the user to know what exact command is being run
when the 'docker run' is embedded deep in something else, like a Makefile.
Saw this while dealing with the containerd migration.
Signed-off-by: Doug Davis <dug@us.ibm.com>
Changes how the Engine interacts with Registry servers on image pull.
Previously, Engine sent a User-Agent string to the Registry server
that included only the Engine's version information. This commit
appends to that string the fields from the User-Agent sent by the
client (e.g., Compose) of the Engine. This allows Registry server
operators to understand what tools are actually generating pulls on
their registries.
Signed-off-by: Mike Goelzer <mgoelzer@docker.com>
Prior to this change, the "docker network inspect" contains only the
endpoints that have active local container. This excludes all the remote
and stale endpoints. By including all the endpoints, it makes debugging
much simpler and also allows the user to cleanup any stale endpoints
using "docker network disconnect -f {network} {endpoint-name}".
Signed-off-by: Madhu Venugopal <madhu@docker.com>
This code was lost in a rebase in the PIDs cgroup merge, fix it so that
`docker stats` actually shows statistics from the PIDs cgroup.
Signed-off-by: Aleksa Sarai <asarai@suse.com>
This change centralizes the template manipulation in a single package
and adds basic string functions to their execution.
Signed-off-by: David Calavera <david.calavera@gmail.com>
Update unit test and documentation to handle the new case where Username
is set to <token> to indicate an identity token is involved.
Change the "Password" field in communications with the credential helper
to "Secret" to make clear it has a more generic purpose.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
This mechanism exchanges basic auth credentials for an identity token.
The identity token is used going forward to request scoped-down tokens
to use for registry operations.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Use token handler options for initialization.
Update auth endpoint to set identity token in response.
Update credential store to match distribution interface changes.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
`docker stats --no-stream` always print zero values.
```
$ docker stats --no-stream
CONTAINER CPU % MEM USAGE / LIMIT MEM %
NET I/O BLOCK I/O
7f4ef234ca8c 0.00% 0 B / 0 B 0.00%
0 B / 0 B 0 B / 0 B
f05bd18819aa 0.00% 0 B / 0 B 0.00%
0 B / 0 B 0 B / 0 B
```
This commit will let docker client wait until it gets correct stat
data before print it on screen.
Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
This change adds "KernelMemory" to the /info endpoint and
shows a warning if KernelMemory is not supported by the kernel.
This makes it more consistent with the other memory-limit
options.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make sure credentials are removed from the store at logout (not only
in the config file). Remove not needed error check and auth erasing
at login (auths aren't stored anywhere at that point).
Add regression test.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
docker build is broken because it sends to the daemon the full
cliconfig file which has only Email(s). This patch retrieves all auth
configs from the credentials store.
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
This removes the email prompt when you use docker login, and also removes the ability to register via the docker cli. Docker login, will strictly be used for logging into a registry server.
Signed-off-by: Ken Cochrane <kencochrane@gmail.com>
In situations where a client is called like `docker stats` with no
arguments or flags, if a container which was already created but not
started yet is then subsequently started it will not be added to the
stats list as expected.
Also splits some of the stats helpers to a separate file from the stats
CLI which is already quite long.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Yong Tang
Daniel Nephin
Michael Crosby
Brian Goff
Victor Vieux
Vincent Demeester
Kenfe-Mickael Laventure
Tonis Tiigi
Tianyi Wang
Alexander Morozov
Antonio Murdaca
Zhang Wei
Jannick Fahlbusch
Pierre Dal-Pra
Ben Firshman
Sebastiaan van Stijn
Sebastiaan van Stijn
Kai Qiang Wu(Kennan)
Paulo Ribeiro
Sven Dowideit
Thomas Leonard
allencloud
Shijiang Wei
John Howard
Fabrizio Soppelsa
Wang Xing
Arnaud Porterie
cyli
Mrunal Patel
David Calavera
fy2462
Antonio Murdaca
Wen Cheng Ma
Doug Davis
Tibor Vass
Lei Jitang
Robin Naundorf
Tomasz Kopczynski
Alexander Morozov
Liron Levin
Tibor Vass
Riyaz Faizullabhoy
Evan Hazlett
Aaron Lehmann
Doug Davis
Mike Goelzer
Jess Frazelle
Jessica Frazelle
Madhu Venugopal
Aleksa Sarai
Derek McGowan
Qiang Huang
Ken Cochrane