1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Commit graph

24 commits

Author SHA1 Message Date
Yong Tang
dc35a8a5d2 Merge pull request #34821 from thaJeztah/remove-enable-api-cors
Remove deprecated --enable-api-cors flag
2017-09-13 20:10:27 -07:00
Daniel Nephin
f7f101d57e Add gosimple linter
Update gometalinter

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-09-12 12:09:59 -04:00
Sebastiaan van Stijn
7d4eab5543
Remove deprecated --enable-api-cors flag
The `--enable-api-cors` flag was deprecated in f3dd2db4ff,
and marked for removal in docker 17.09 through 85f92ef359.

This patch removes the deprecated flag.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-09-12 12:43:34 +02:00
Daniel Nephin
b68221c37e Fix bad import graph from opts/opts.go
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-29 15:32:43 -04:00
Daniel Nephin
e62b2d410c Move ErrorContains to an internal package.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-25 12:04:58 -04:00
Daniel Nephin
60672382c7 Update tests to use gotestyourself/fs
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-23 17:25:00 -04:00
Daniel Nephin
372670b507 Add goimports to linters.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-08-21 18:15:08 -04:00
Kir Kolyshkin
7120976d74 Implement none, private, and shareable ipc modes
Since the commit d88fe447df ("Add support for sharing /dev/shm/ and
/dev/mqueue between containers") container's /dev/shm is mounted on the
host first, then bind-mounted inside the container. This is done that
way in order to be able to share this container's IPC namespace
(and the /dev/shm mount point) with another container.

Unfortunately, this functionality breaks container checkpoint/restore
(even if IPC is not shared). Since /dev/shm is an external mount, its
contents is not saved by `criu checkpoint`, and so upon restore any
application that tries to access data under /dev/shm is severily
disappointed (which usually results in a fatal crash).

This commit solves the issue by introducing new IPC modes for containers
(in addition to 'host' and 'container:ID'). The new modes are:

 - 'shareable':	enables sharing this container's IPC with others
		(this used to be the implicit default);

 - 'private':	disables sharing this container's IPC.

In 'private' mode, container's /dev/shm is truly mounted inside the
container, without any bind-mounting from the host, which solves the
issue.

While at it, let's also implement 'none' mode. The motivation, as
eloquently put by Justin Cormack, is:

> I wondered a while back about having a none shm mode, as currently it is
> not possible to have a totally unwriteable container as there is always
> a /dev/shm writeable mount. It is a bit of a niche case (and clearly
> should never be allowed to be daemon default) but it would be trivial to
> add now so maybe we should...

...so here's yet yet another mode:

 - 'none':	no /dev/shm mount inside the container (though it still
		has its own private IPC namespace).

Now, to ultimately solve the abovementioned checkpoint/restore issue, we'd
need to make 'private' the default mode, but unfortunately it breaks the
backward compatibility. So, let's make the default container IPC mode
per-daemon configurable (with the built-in default set to 'shareable'
for now). The default can be changed either via a daemon CLI option
(--default-shm-mode) or a daemon.json configuration file parameter
of the same name.

Note one can only set either 'shareable' or 'private' IPC modes as a
daemon default (i.e. in this context 'host', 'container', or 'none'
do not make much sense).

Some other changes this patch introduces are:

1. A mount for /dev/shm is added to default OCI Linux spec.

2. IpcMode.Valid() is simplified to remove duplicated code that parsed
   'container:ID' form. Note the old version used to check that ID does
   not contain a semicolon -- this is no longer the case (tests are
   modified accordingly). The motivation is we should either do a
   proper check for container ID validity, or don't check it at all
   (since it is checked in other places anyway). I chose the latter.

3. IpcMode.Container() is modified to not return container ID if the
   mode value does not start with "container:", unifying the check to
   be the same as in IpcMode.IsContainer().

3. IPC mode unit tests (runconfig/hostconfig_test.go) are modified
   to add checks for newly added values.

[v2: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-51345997]
[v3: addressed review at https://github.com/moby/moby/pull/34087#pullrequestreview-53902833]
[v4: addressed the case of upgrading from older daemon, in this case
     container.HostConfig.IpcMode is unset and this is valid]
[v5: document old and new IpcMode values in api/swagger.yaml]
[v6: add the 'none' mode, changelog entry to docs/api/version-history.md]

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-08-14 10:50:39 +03:00
Derek McGowan
1009e6a40b
Update logrus to v1.0.1
Fixes case sensitivity issue

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2017-07-31 13:16:46 -07:00
Flavio Crisciani
f9f25ca5e4
Allow to set the control plane MTU
Add daemon config to allow the user to specify the MTU of the control plane network.
The first user of this new parameter is actually libnetwork that can seed the
gossip with the proper MTU value allowing to pack multiple messages per UDP packet sent.
If the value is not specified or is lower than 1500 the logic will set it to the default.

Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>
2017-07-28 13:52:03 -07:00
Renaud Gaubert
87e1464c43 Added support for Generic Resources
Signed-off-by: Renaud Gaubert <rgaubert@nvidia.com>
2017-07-24 17:49:56 -07:00
allencloud
148f2711e8 add NamedUlimitOpt implement NamedOption to fix 32528
Signed-off-by: allencloud <allen.sun@daocloud.io>
2017-06-16 10:14:09 +08:00
Antonio Murdaca
858b4b44c8
daemon: correctly try to retrieve init/runtime versions
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-06 19:36:24 +02:00
Derek McGowan
e428c824c3
Expose trust key path in config
Allows storing key under any directory. In the case where the
"/etc/docker" directory is not preserved, this file can be
specified to a location where it will be preserved to ensure
the ID does not change across restarts.

Note this key is currently only used today to generate the ID
used in Docker info and for manifest schema v1 pushes. The key
signature and finger on these manifests are not checked or
used any longer for security, deprecated by notary.

Removes old key migration from a pre-release of Docker which put
the key under the home directory and was used to preserve ID used
for swarm v1 after the file moved.

closes #32135

Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2017-05-10 14:16:27 -07:00
David Sheets
cfcf2a0cec daemon/info: don't sort authorization plugins as order matters
plugins exist in a chain that composes potentially mutating requests and
responses. This simply reverts the sorting of AuthZ plugins so that the
/info API endpoint returns the internal ordering used for AuthZ composition.

Volume driver plugins are not affected because they are just a set.

Signed-off-by: David Sheets <dsheets@docker.com>
2017-05-02 09:39:32 +01:00
Aaron Lehmann
6052f2b396 Remove pkg/testutil/assert in favor of testify
I noticed that we're using a homegrown package for assertions. The
functions are extremely similar to testify, but with enough slight
differences to be confusing (for example, Equal takes its arguments in a
different order). We already vendor testify, and it's used in a few
places by tests.

I also found some problems with pkg/testutil/assert. For example, the
NotNil function seems to be broken. It checks the argument against
"nil", which only works for an interface. If you pass in a nil map or
slice, the equality check will fail.

In the interest of avoiding NIH, I'm proposing replacing
pkg/testutil/assert with testify. The test code looks almost the same,
but we avoid the confusion of having two similar but slightly different
assertion packages, and having to maintain our own package instead of
using a commonly-used one.

In the process, I found a few places where the tests should halt if an
assertion fails, so I've made those cases (that I noticed) use "require"
instead of "assert", and I've vendored the "require" package from
testify alongside the already-present "assert" package.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-04-14 12:03:21 -07:00
Sunny Gogoi
17b1288760 Fix missing Init Binary in docker info output
- Moved DefaultInitBinary from daemon/daemon.go to
daemon/config/config.go since it's a daemon config and is referred in
config package files.
- Added condition in GetInitPath to check for any explicitly configured
DefaultInitBinary. If not, the default value of DefaultInitBinary is
returned.
- Changed all references of DefaultInitBinary to refer to the variable
from new location.
- Added TestCommonUnixGetInitPath to test for the various values of
GetInitPath.

Fixes #32314

Signed-off-by: Sunny Gogoi <indiasuny000@gmail.com>
2017-04-10 16:54:07 +05:30
Josh Hawn
261ef1fa27 Deprecate --graph flag; Replace with --data-root
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
2017-03-30 11:24:56 +02:00
Anusha Ragunathan
38de272bd4 When authz plugin is disabled, remove from authz middleware chain.
When the daemon is configured to run with an authorization-plugin and if
the plugin is disabled, the daemon continues to send API requests to the
plugin and expect it to respond. But the plugin has been disabled. As a
result, all API requests are blocked. Fix this behavior by removing the
disabled plugin from the authz middleware chain.

Tested using riyaz/authz-no-volume-plugin and observed that after
disabling the plugin, API request/response is functional.

Fixes #31836

Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
2017-03-22 12:07:39 -07:00
Vincent Demeester
dc1b0e1b2c Merge pull request #28279 from chchliang/updown
--max-concurrent-downloads,--max-concurrent-uploads must great than or equal to 0
2017-03-03 10:06:59 +01:00
yuexiao-wang
5a9cee7bb5 'docker daemon' deprecation message doesn't use the new versioning scheme
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2017-03-03 17:26:49 +08:00
chchliang
e59af2abe6 --max-concurrent-downloads,--max-concurrent-uploads must great than or equal to 0
Signed-off-by: chchliang <chen.chuanliang@zte.com.cn>
2017-03-02 09:23:01 +08:00
Daniel Zhang
d7fda019bb Add daemon flag to set no_new_priv as default for unprivileged containers.
Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
2017-02-16 19:05:14 +08:00
Vincent Demeester
db63f9370e
Extract daemon configuration and discovery to their own package
This also moves some cli specific in `cmd/dockerd` as it does not
really belong to the `daemon/config` package.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-02-08 09:53:38 +01:00