Commit graph

41 Commits

Author SHA1 Message Date
Jérôme Petazzoni 1c4202a614 Mount /proc and /sys read-only, except in privileged containers.
It has been pointed out that some files in /proc and /sys can be used
to break out of containers. However, if those filesystems are mounted
read-only, most of the known exploits are mitigated, since they rely
on writing some file in those filesystems.

This does not replace security modules (like SELinux or AppArmor), it
is just another layer of security. Likewise, it doesn't mean that the
other mitigations (shadowing parts of /proc or /sys with bind mounts)
are useless. Those measures are still useful. As such, the shadowing
of /proc/kcore is still enabled with both LXC and native drivers.

Special care has to be taken with /proc/1/attr, which still needs to
be mounted read-write in order to enable the AppArmor profile. It is
bind-mounted from a private read-write mount of procfs.

All that enforcement is done in dockerinit. The code doing the real
work is in libcontainer. The init function for the LXC driver calls
the function from libcontainer to avoid code duplication.

Docker-DCO-1.1-Signed-off-by: Jérôme Petazzoni <jerome@docker.com> (github: jpetazzo)
2014-05-01 15:26:58 -07:00
Alexandr Morozov d1297feef8 Timestamps for docker logs.
Fixes #1165
Docker-DCO-1.1-Signed-off-by: Alexandr Morozov <lk4d4math@gmail.com> (github: LK4D4)
2014-05-01 20:40:36 +04:00
Michael Crosby e88ef454b7 Merge pull request #5464 from tianon/close-leftover-fds 2014-04-30 12:27:52 -07:00
Tianon Gravi d5d62ff955 Close extraneous file descriptors in containers
Without this patch, containers inherit the open file descriptors of the daemon, so my "exec 42>&2" allows us to "echo >&42 some nasty error with some bad advice" directly into the daemon log. :)

Also, "hack/dind" was already doing this due to issues caused by the inheritance, so I'm removing that hack too since this patch obsoletes it by generalizing it for all containers.

Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
2014-04-29 16:45:28 -06:00
Tibor Vass e9a42a45bf Fixes #5152 : symlink in volume path
Docker-DCO-1.1-Signed-off-by: Tibor Vass <teabee89@gmail.com> (github: tiborvass)
2014-04-28 13:18:12 -07:00
Michael Crosby 90678b3133 Update create with apparmor import
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
Michael Crosby 81e5026a6a Do not mount sysfs by default for non-privileged containers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-24 10:35:20 -07:00
unclejack 2931979a5d Merge pull request #5304 from vieux/convert_rm_tests
convert so rm tests to integration-cli
2014-04-18 21:11:18 +03:00
Victor Vieux fcbc717f9a convert so rm tests to integration-cli
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-04-18 17:40:12 +00:00
Michael Crosby 296fcf331f Port privileged tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 03:20:17 +00:00
Michael Crosby caad45d0ed Port networking tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 03:12:27 +00:00
Michael Crosby 47510bd6eb Port environment test
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:53:08 +00:00
Michael Crosby e2ed4b9077 Port user tests and concurrent tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:47:39 +00:00
Michael Crosby 03993eb534 Port volumes and exit code tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:34:10 +00:00
Michael Crosby 6beb858fb0 Update commit test in cli
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:24:19 +00:00
Michael Crosby 72f49e554f Port multiple attach test to cli tests
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 02:14:00 +00:00
Michael Crosby 76a19bb3a9 Add test verify container ID
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-18 01:58:20 +00:00
Alexander Larsson 359b7df5d2 Rename runtime/* to daemon/*
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-17 14:43:01 -07:00
Michael Crosby 8e67197267 Merge pull request #5248 from unclejack/more_info_testtop
provide more information when TestTop tests fail
2014-04-16 18:54:04 -07:00
unclejack 3ac90aeed5 provide more information when TestTop tests fail
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-04-17 03:39:15 +03:00
Victor Vieux 925dfdb18a Merge pull request #5246 from crosbymichael/fix-mount
Fix unmount when host volume is removed
2014-04-16 17:28:37 -07:00
Guillaume J. Charmes 1775ed8c75 Add integration test for hairpin nat
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-16 14:50:11 -07:00
Michael Crosby 39103e72a3 Fix unmount when host volume is removed
Fixes #5244
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-14 12:43:01 +00:00
Michael Crosby 031fcb31d3 Setup cgroups for all subsystems
Fixes #5117
Fixes #5118
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-11 17:28:27 +00:00
Michael Crosby af9746412b Move volumesfrom to hostconfig
This also migrates the volumes from integration tests into the new cli
integration test framework.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-08 21:45:06 +00:00
Michael Crosby b6042f252d Ensure that ro mounts are remounted
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-07 18:23:22 -07:00
Solomon Hykes 30f22ee9e3 Convert a legacy integration test to a clean v2 CLI integration test.
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
2014-04-07 20:34:21 +00:00
unclejack e09274476f cli integration: sync container & image deletion
This makes container and image removal in the tests run synchronously.

Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-04-04 03:22:32 +03:00
Michael Crosby a9d6eef238 Remove racy test causing tests to stall
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-02 13:22:51 +00:00
Alexander Larsson bd94f84ded Fix --volumes-from mount failure
As explained in https://github.com/dotcloud/docker/issues/4979
--volumes-from fails with ENOFILE errors.

This is because the code tries to look at the "from" volume without
ensuring that it is mounted yet. We fix this by mounting the containers
before stating in it.

Also includes a regression test.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-03 19:33:20 +02:00
Guillaume J. Charmes b246fc33ae Add API version to `docker version`
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-01 17:30:19 -07:00
Victor Vieux dcf2b72f5b add test
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-04-01 21:07:40 +00:00
Guillaume J. Charmes f6f059d99a Merge pull request #4929 from crosbymichael/volume-abs-path
Force abs paths for host volumes
2014-03-31 15:19:30 -07:00
unclejack e76113be6c Merge pull request #4925 from creack/fix_logs
Fix expending buffer in StdCopy
2014-03-31 23:15:07 +03:00
unclejack cd0a907325 Merge pull request #4930 from vieux/fix_regression_import
Fix regression import
2014-03-31 23:12:39 +03:00
Guillaume J. Charmes 5fb28eab3e Add regression test
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-03-31 13:12:22 -07:00
Victor Vieux b430f4f45b add test
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-03-31 19:31:21 +00:00
Michael Crosby 904bf049c1 Force abs paths for host volumes
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-31 19:10:19 +00:00
Michael Crosby 51d9a04f17 Make sure to set error regardless of attach or stdin
Fixes #3364
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-31 18:33:14 +00:00
Michael Crosby 28015f8e57 Add integration test for volumes-from as file
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-31 17:42:34 +00:00
unclejack 6db32fdefd initial version of cli integration tests
Docker-DCO-1.1-Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> (github: unclejack)
2014-03-29 23:09:40 +02:00