The vfs storage driver currently shells out to the `cp` binary on the host
system to perform an 'archive' copy of the base image to a new directory.
The archive option preserves the modified time of the files which are created
but there was an issue where it was unable to preserve the modified time of
copied symbolic links on some host systems with an outdated version of `cp`.
This change no longer relies on the host system implementation and instead
utilizes the `CopyWithTar` function found in `pkg/archive` which is used
to copy from source to destination directory using a Tar archive, which
should correctly preserve file attributes.
Docker-DCO-1.1-Signed-off-by: Josh Hawn <josh.hawn@docker.com> (github: jlhawn)
Upstream-commit: 3ab5251f5620e7b8b052ee331f9ac1fbdbb725b1
Component: engine
These settings need to be in the HostConfig so that they are not
committed to an image and cannot introduce a security issue.
We can safely move this field from the Config to the HostConfig
without any regressions because these settings are consumed at container
created and used to populate fields on the Container struct. Because of
this, existing settings will be honored for containers already created
on a daemon with custom security settings and prevent values being
consumed via an Image.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: c9379eb3fbbc484c056f5a5e49d8d0b755a29c45
Component: engine
Stable IPs causes some regressions in the way people use Docker, see GH#8493.
Reverting it for 1.3, we'll enable it back for the next release.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: 5b8379a4349105eb387a4b9836bbd1d83ebe6928
Component: engine
When a container is restarted all the volume configs are parsed again.
Even if the volume was already handled in a previous start it was still
calling "FindOrCreateVolume" on the volume repo causing a new volume to
be created.
This wasn't being detected because as part of the mount initialization
it checks to see if the the _mount_ was already initialized, but this
happens after the parsing of the configs.
So a check is added during parsing to skip a volume which was already
created for that container.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: c985302c5c2fb6d922acf29106b550cb36faaab6
Component: engine
Volume refs were not being restored on daemon restart.
This made it possible to remove a volume being used by other containers
after a daemon restart.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: 9acf7c765c7e074f6c75eaf162ca06ecfe40d692
Component: engine
When stdout/stderr is closed prematurely, the proxy's writes to stdout/stderr
(i.e. `log.Errorf/log.Printf`) will returns with EPIPE error, and go runtime
will terminate the proxy when stdout/stderr writes trigger 10 EPIPE errors.
instead of using stdout/stderr as the status handler, we pass an extra file to
the child process and write `0\n` or `1\nerror message` to it and close it
after. This allow the child process to handle stdout/stderr as normal.
Docker-DCO-1.1-Signed-off-by: Daniel, Dao Quang Minh <dqminh89@gmail.com> (github: dqminh)
Upstream-commit: 3b9d88210e763bebdfd7badb6ed3fd507d0f6513
Component: engine
Currently if you start the docker -d on a system with 127.0.0.1 in /etc/resolv.conf
It will set the default dns to 8.8.8.8 8.8.4.4 permanently.
This causes a problem at boot on Fedora machines where NetworkManager has not
populated /etc/resolv.conf before docker gets started.
This fix checks /etc/resolv.conf on every docker run. And only populates
daemon.config.Dns if the user specified it on the command line.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 9ced509e6d89d1ab4e0c4b49485be7931b505354
Component: engine
The defer logic was a little tricky and was hiding one bug: `err` was
being redefined (with `:=`) and thus it escaped the defer error checking
logic.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: 300c51c3a4ca47b022eb2efb75d1e8cf7736b0ff
Component: engine
Prior to the volumes re-factor, data was not being copied on
volumes-from or host-mounted volumes.
After the re-factor, data was being copied for volumes-from.
This reverts this unintentional change in behavior.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Upstream-commit: e95b6fb648ab6301b556192a9730a843fab7209f
Component: engine
Stable Networking: Keep the same network settings during the entire container lifecycle.
Upstream-commit: d152a93b5f3acbd14e9176169934b83963f3ab61
Component: engine
Needed to check if the mode was invalid and return error, not valid and
return error.
This didn't get picked up because the existing integration-cli tests
were all either expecting errors when a valid mode was passed in (e.g.
"ro" passed in, we expected an error because it was testing write). So
modified a test which was testing for "rw" to actually pass in "rw"
instead of assuming the "rw"
Docker-DCO-1.1-Signed-off-by: Brian Goff <bgoff@cpuguy83-mbp.home> (github: cpuguy83)
Upstream-commit: 007b4f63409c6c642fb075640a8ec7d58825edc8
Component: engine
This change will allocate network settings (IP and public ports) at
container creation rather than start and keep them throughout the
lifetime of the container (i.e. until it gets destroyed) instead of
discarding them when the container is stopped.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: a4875937293f3b0a8ffc569608bbca40a456e9c8
Component: engine
RestoreNetwork() allows the container to restore its NetworkSettings (IP
and public ports).
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: deffc572ced3909c0ecd77dd21686e0e67c0ea33
Component: engine
Since we are moving network allocation outside of container scope (it
will be managed by create/destroy), those functions need to be
accessible from the outside.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: ab4188c08d9eb63c84c461a9b922f2af479b5a04
Component: engine
Right now, MAC addresses are randomly generated by the kernel when
creating the veth interfaces.
This causes different issues related to ARP, such as #4581, #5737 and #8269.
This change adds support for consistent MAC addresses, guaranteeing that
an IP address will always end up with the same MAC address, no matter
what.
Since IP addresses are already guaranteed to be unique by the
IPAllocator, MAC addresses will inherit this property as well for free.
Consistent mac addresses is also a requirement for stable networking (#8297)
since re-using the same IP address on a different MAC address triggers the ARP
issue.
Finally, this change makes the MAC address accessible through docker
inspect, which fixes#4033.
Signed-off-by: Andrea Luzzardi <aluzzardi@gmail.com>
Upstream-commit: 88e21c6a75310da158bbee3a5fdc135697c93ba1
Component: engine
Add support for pulling signed images from a version 2 registry.
Only official images within the library namespace will be pull from the
new registry and check the build signature.
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
Upstream-commit: 7c88e8f13d9f0c68de6da0cd467a541231304dd5
Component: engine
Add --security-opts options to allow user to customize container labels and apparmor profile
Upstream-commit: d40ab6f1238c78ea84645e516f1f24d7991798b0
Component: engine
Now that the archive package does not depend on any docker-specific
packages, only those in pkg and vendor, it can be safely moved into pkg.
Signed-off-by: Rafe Colton <rafael.colton@gmail.com>
Upstream-commit: 30d5a42c1f24e26f681b7330249f04fec891aee9
Component: engine
This is the first of two steps to break the archive package's dependence
on utils so that archive may be moved into pkg. Also, the `Go()`
function is small, concise, and not specific to the docker internals, so
it is a good candidate for pkg.
Signed-off-by: Rafe Colton <rafael.colton@gmail.com>
Upstream-commit: b845a62149d5f4990462ac6c9167c5cfaa0e66cb
Component: engine
security-opts will allow you to customise the security subsystem.
For example the labeling system like SELinux will run on a container.
--security-opt="label:user:USER" : Set the label user for the container
--security-opt="label:role:ROLE" : Set the label role for the container
--security-opt="label:type:TYPE" : Set the label type for the container
--security-opt="label:level:LEVEL" : Set the label level for the container
--security-opt="label:disabled" : Turn off label confinement for the container
Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels. Genlabels interface is Depracated.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 87e732a0f3503517d7a66804bb9a7f74977347e5
Component: engine
This also removes dead code in the native driver for a past feature that
was never fully implemented.
Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
Upstream-commit: 32dca1a7b0e800d796e54fc8f253818ba64fa075
Component: engine
