Merge pull request #1464 from dotcloud/bump_0.5.2

Bump to 0.5.2

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 0.5.2 (2013-08-08)
+ * Builder: Forbid certain paths within docker build ADD
+ - Runtime: Change network range to avoid conflict with EC2 DNS
+ * API: Change daemon to listen on unix socket by default
+
 ## 0.5.1 (2013-07-30)
  + API: Docker client now sets useragent (RFC 2616)
  + Runtime: Add `ps` args to `docker top`

api.go

@@ -18,8 +18,9 @@ import (
 )
 
 const APIVERSION = 1.4
-const DEFAULTHTTPHOST string = "127.0.0.1"
+const DEFAULTHTTPHOST = "127.0.0.1"
-const DEFAULTHTTPPORT int = 4243
+const DEFAULTHTTPPORT = 4243
+const DEFAULTUNIXSOCKET = "/var/run/docker.sock"
 
 func hijackServer(w http.ResponseWriter) (io.ReadCloser, io.Writer, error) {
 	conn, _, err := w.(http.Hijacker).Hijack()
@@ -972,9 +973,8 @@ func ListenAndServe(proto, addr string, srv *Server, logging bool) error {
 	if e != nil {
 		return e
 	}
-	//as the daemon is launched as root, change to permission of the socket to allow non-root to connect
 	if proto == "unix" {
-		os.Chmod(addr, 0777)
+		os.Chmod(addr, 0700)
 	}
 	httpSrv := http.Server{Addr: addr, Handler: r}
 	return httpSrv.Serve(l)

buildfile.go

@@ -273,6 +273,9 @@ func (b *buildFile) addContext(container *Container, orig, dest string) error {
 	if strings.HasSuffix(dest, "/") {
 		destPath = destPath + "/"
 	}
+	if !strings.HasPrefix(origPath, b.context) {
+		return fmt.Errorf("Forbidden path: %s", origPath)
+	}
 	fi, err := os.Stat(origPath)
 	if err != nil {
 		return err

buildfile_test.go

@@ -325,3 +325,52 @@ func TestBuildEntrypoint(t *testing.T) {
 	if img.Config.Entrypoint[0] != "/bin/echo" {
 	}
 }
+
+func TestForbiddenContextPath(t *testing.T) {
+	runtime, err := newTestRuntime()
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer nuke(runtime)
+
+	srv := &Server{
+		runtime:     runtime,
+		pullingPool: make(map[string]struct{}),
+		pushingPool: make(map[string]struct{}),
+	}
+
+	context := testContextTemplate{`
+        from {IMAGE}
+        maintainer dockerio
+        add ../../ test/
+        `,
+		[][2]string{{"test.txt", "test1"}, {"other.txt", "other"}}, nil}
+
+	httpServer, err := mkTestingFileServer(context.remoteFiles)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer httpServer.Close()
+
+	idx := strings.LastIndex(httpServer.URL, ":")
+	if idx < 0 {
+		t.Fatalf("could not get port from test http server address %s", httpServer.URL)
+	}
+	port := httpServer.URL[idx+1:]
+
+	ip := srv.runtime.networkManager.bridgeNetwork.IP
+	dockerfile := constructDockerfile(context.dockerfile, ip, port)
+
+	buildfile := NewBuildFile(srv, ioutil.Discard, false)
+	_, err = buildfile.Build(mkTestContext(dockerfile, context.files, t))
+
+	if err == nil {
+		t.Log("Error should not be nil")
+		t.Fail()
+	}
+
+	if err.Error() != "Forbidden path: /" {
+		t.Logf("Error message is not expected: %s", err.Error())
+		t.Fail()
+	}
+}

commands.go

@@ -27,7 +27,7 @@ import (
 	"unicode"
 )
 
-const VERSION = "0.5.1"
+const VERSION = "0.5.2"
 
 var (
 	GITCOMMIT string

docker/docker.go

@@ -33,7 +33,7 @@ func main() {
 	flGraphPath := flag.String("g", "/var/lib/docker", "Path to graph storage base dir.")
 	flEnableCors := flag.Bool("api-enable-cors", false, "Enable CORS requests in the remote api.")
 	flDns := flag.String("dns", "", "Set custom dns servers")
-	flHosts := docker.ListOpts{fmt.Sprintf("tcp://%s:%d", docker.DEFAULTHTTPHOST, docker.DEFAULTHTTPPORT)}
+	flHosts := docker.ListOpts{fmt.Sprintf("unix://%s", docker.DEFAULTUNIXSOCKET)}
 	flag.Var(&flHosts, "H", "tcp://host:port to bind/connect to or unix://path/to/socket to use")
 	flag.Parse()
 	if len(flHosts) > 1 {

docs/sources/api/docker_remote_api.rst

@@ -15,7 +15,7 @@ Docker Remote API
 =====================
 
 - The Remote API is replacing rcli
-- Default port in the docker deamon is 4243 
+- By default the Docker daemon listens on unix:///var/run/docker.sock and the client must have root access to interact with the daemon
 - The API tends to be REST, but for some complex commands, like attach
   or pull, the HTTP connection is hijacked to transport stdout stdin
   and stderr

network.go

@@ -122,8 +122,8 @@ func CreateBridgeIface(ifaceName string) error {
 		// In theory this shouldn't matter - in practice there's bound to be a few scripts relying
 		// on the internal addressing or other stupid things like that.
 		// The shouldn't, but hey, let's not break them unless we really have to.
-		"172.16.42.1/16",
+		"172.17.42.1/16", // Don't use 172.16.0.0/16, it conflicts with EC2 DNS 172.16.0.23
-		"10.0.42.1/16", // Don't even try using the entire /8, that's too intrusive
+		"10.0.42.1/16",   // Don't even try using the entire /8, that's too intrusive
 		"10.1.42.1/16",
 		"10.42.42.1/16",
 		"172.16.42.1/24",