This removes the key generation for trust from main while it is not
being consumed. The problem is that because this is being set in main
if a user runs as root initially the files will be owned by root. Later
if the user sets up the docker group they are unable to read the keys.
This is half a user error and documentation problem and the other half
is management.
We decided to remove this code for now while it is not being used and
will revisit it later when the consuming features are added. A few
options are to generate lazily and provide a clear error message on an
EPERM so that the user knows what is wrong and can correct the
permissions.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
`${SOME_VAR%pattern}` was turning into `SOME_VAL%pattern}` which the shell would then balk at.
I've updated the `TOKEN_ENV_INTERPOLATION` regex to account for this (ie, if `${` is used, it _must_ also match the closing `}`), and renamed the variable to not be exported (since it's not used outside the function following it).
I also added comments for the bits of `tokenEnvInterpolation` so they're easier to follow. 😄
Signed-off-by: Andrew Page <admwiggin@gmail.com>
This fixes issues where the apparmor profile is not applied to processes
via docker exec. As a side effect the parent processes were unable to
kill the additional child processes because of the profile mismatch.
Easy way to reproduce on an apparmor system:
docker run -ti debian:jessie bash
ps auxZ
- look at the labels
- in another shell
docker exec <name> sleep 1000
- go back to the first container and
ps auxZ
- make sure all processes have the correct docker-default profile
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Because of the base image change, $HOME is not always / and we need to
write to the proper $HOME within the container to complete the release
process.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Add some information about the storage and execution driver choices
Docker-DCO-1.1-Signed-off-by: SvenDowideit <SvenDowideit@home.org.au> (github: SvenDowideit)
This makes it possible to make the Docker client "secure by default"
without wrapping the binary in a shell alias so that `--tlsverify` is
always passed.
Signed-off-by: Aanand Prasad <aanand.prasad@gmail.com>
and move the complicated discussion about branches lower down,
hopefully most won't need to know
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au> (github: SvenDowideit)
This uses @dnephin's changes to the base.html (thank you!)
and then adds the hide_toc: page meta
Docker-DCO-1.1-Signed-off-by: Sven Dowideit <SvenDowideit@docker.com> (github: SvenDowideit)
In the go stdlib net/http Transport, the used connections are cached
when idled. This behaviour is intended for TCP connections and does not
behave correctly for unix sockets. Despite the
DefaultMaxIdleConnsPerHost being 2, the idled connections are held open
during a session. For large sessions like `docker rm $(docker ps -a -q)`
of thousands of containers, it will cause the client _and_ the server to
open too many fails and have failures.
Having keep alives not used for only unix sockets is a work around for
this stdlib issue.
Also this includes disabling compression when communicating over the
local unix socket too.
Signed-off-by: Vincent Batts <vbatts@redhat.com>
