Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Added an apparmorEnabled boolean in the Daemon struct to indicate if AppArmor is enabled or not. It is set in NewDaemon using sysInfo information.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
gofmt'd
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
change the function name to something more adequate and changed the behaviour to show empty value on an apparmor disabled system.
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
go fmt
Signed-off-by: Roberto Muñoz Fernández <robertomf@gmail.com>
Upstream-commit: d97a00dfd5ec884a98e087b1fc6e705459ca81e9
Component: engine
This fix tries to address the issue raised in 29344 where it was
not possible to create log group for awslogs (CloudWatch) on-demand.
Log group has to be created explicitly before container is running.
This behavior is inconsistent with AWS logs agent where log groups
are always created as needed.
There were several concerns previously (See comments in 19617 and 29344):
1. There is a limit of 500 log groups/account/region so resource might
be exhausted if there is any typo or incorrect region.
2. Logs are generated for every container so CreateLogGroup (or equally,
DescribeLogGroups) might be called every time, which is redundant and
potentially surprising.
3. CreateLogStream and CreateLogGroup have different IAM policies.
This fix addresses the issue by add `--log-opt awslogs-create-group`
which by default is `false`. It requires user to explicitly request
that log groups be created as needed.
Related unit test has been updated. And tests have also been done
manually in AWS.
This fix fixes 29334.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: 864b0c2e47e66e1037115b5d7267e641ba776d49
Component: engine
This fix is a follow up for comment:
https://github.com/docker/docker/pull/28896#issuecomment-265392703
Currently secret name or ID prefix resolving is done at the client
side, which means different behavior of API and CMD.
This fix moves the resolving from client to daemon, with exactly the
same rule:
- Full ID
- Full Name
- Partial ID (prefix)
All existing tests should pass.
This fix is related to #288896, #28884 and may be related to #29125.
Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
Upstream-commit: fa358a87571f9212f91d8fde6696926d76ecca64
Component: engine
- When the node leaves the cluster, if any user run
container(s) is connected to the swarm network,
then daemon needs to detach the container(s) and
remove the network.
Signed-off-by: Alessandro Boch <aboch@docker.com>
Upstream-commit: 3cedca5d532958ffc007d9b62cc871d3d113f054
Component: engine
Update swarmkit to 037b491.
As swarmkit switched to a newer gRPC version, this also involves
updating Docker's vendored gRPC, which in turn requires updating
containerd to a new version that has protobufs generated against this
gRPC version.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Upstream-commit: 3e987e1732ee5c51e95934afabba3fedfd16c4af
Component: engine
When Size was reverted to be equal to VirtualSize, the df command
formatter was not correctly updated to account for the change.
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: dcc1b4baf6d0eb068010d071bc44daf72b12cd4a
Component: engine
This cleans up attach a little bit, and moves it out of the container
package.
Really `AttachStream` is a method on `*stream.Config`, so moved if from
a package level function to one bound to `Config`.
In addition, uses a config struct rather than passing around tons and
tons of arguments.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 2ddec97545f4c5834cfbc163c0168ce1d5826ba2
Component: engine
There was no validation for `docker run --tmpfs foo`.
In this PR, only two obvious rules are implemented:
- path must be absolute
- path must not be "/"
We should add more rules carefully.
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
Upstream-commit: 4a8799dc0a000a74eae49a01b054ae687bc18f73
Component: engine
This is necessary for swarmkit to support cluster wide plugins, such as
globally scoped network plugins.
Signed-off-by: Anusha Ragunathan <anusha.ragunathan@docker.com>
Upstream-commit: fa784951ba0a29d436c60b7465167b5ef188d084
Component: engine
fix typo I found AMAP in integration-cli/*
fix typo mentioned by Allencloud
Signed-off-by: Aaron.L.Xu <likexu@harmonycloud.cn>
Upstream-commit: 40af5691648c5b9d07b1231e3ed3be29fd66521a
Component: engine
This commit addresses 2 issues:
1. in `tailfile()` if somehow the `logWatcher.Msg` were to become full and the watcher closed before space was made into it, we were getting stuck there forever since we were not checking for the watcher getting closed
2. when servicing `docker logs`, if the command was cancelled we were not closing the watcher (and hence notifying it to stop copying data)
Signed-off-by: Kenfe-Mickael Laventure <mickael.laventure@gmail.com>
Upstream-commit: fb2bb3653e2755d971f21debfecbd7c878a3c23f
Component: engine
Use quoted form of container name and container id to improve copy-paste avoiding the extra `.` that slips into the clipboard
Signed-off-by: Jorge Marin <chipironcin@users.noreply.github.com>
Upstream-commit: 2bee1cfd5a1af63d370a72d4558bb96f27762437
Component: engine
Commit b717de5153db503fae61c11e30f04f400f66a6fd
changed the name of the "size" argument to
"virtualSize", as the "VirtualSize" field
was re-used for calculating the size of all
layers _not_ used by other images.
be20dc15af0cb281bd6d11586cfcc96bd50d12ca reverted
the change in calculation, but did not change
the argument name back to "size".
This changes the name back to its original
name, because since the introduction of the
content-addressable store in docker 1.10,
there no longer is a "virtual" size, so
"size" is a better name for this argument.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 22c411517a4a203690edb52fa42f8d5b43252882
Component: engine
This patch fixed below 4 types of code line
1. Remove unnecessary variable assignment
2. Use variables declaration instead of explicit initial zero value
3. Change variable name to underbar when variable not used
4. Add erro check and return for ignored error
Signed-off-by: Daehyeok Mun <daehyeok@gmail.com>
Upstream-commit: 6306019d0bad9c4e60ee437e93f2450dfb0b68c0
Component: engine
If you created containers from pre-OCI docker (e.g. docker-1.10.x)
upgrade may fail when restarting containers if the new docker daemon
has `--default-runtime` set.
In Fedora, we ship docker 1.12.6 with:
```
--default-runtime=oci
--add-runtime oci=/usr/libexec/docker/docker-runc-current
```
That way we don't rely on `docker-runc` being in `$PATH`.
The issue is, on upgrade from docker 1.10.3 without this patch, the
default runtime in `daemon/start_linux.go` is unconditionally set to
`runc=docker-runc` without honoring the `--default-runtime` flag set in
the docker daemon.
Reproducer:
- (1.10.3) `docker run -d -p 5000:5000 --restart=always --name registry
registry:2`
- upgrade to docker 1.12.6 (1.11.x has likely the same issue)
- the registry container fails to restart on upgrade with the following
log message `error="exec: \"docker-runc\": executable file not
found in $PATH: \"\""`
That error comes from the fact that we're setting the runtime in the
container's HostConfig to `runc` where instead we should have honored
the `--default-runtime` flag (in our case that's set to `oci`).
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
Upstream-commit: 9391a822ea4bee60284b4b2eb3a6535e20492569
Component: engine
