Commit graph

1970 commits

Author SHA1 Message Date
Liron Levin
ccdb366aa5 Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.
Each plug-in operates as a separate service, and registers with Docker
through general (plug-ins API)
[https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No
Docker daemon recompilation is required in order to add / remove an
authentication plug-in. Each plug-in is notified twice for each
operation: 1) before the operation is performed and, 2) before the
response is returned to the client. The plug-ins can modify the response
that is returned to the client.

The authorization depends on the authorization effort that takes place
in parallel [https://github.com/docker/docker/issues/13697].

This is the official issue of the authorization effort:
https://github.com/docker/docker/issues/14674

(Here)[https://github.com/rhatdan/docker-rbac] you can find an open
document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin <liron@twistlock.com>
Added container create flow test and extended the verification for ps
2015-12-08 17:34:15 +02:00
Aaron Lehmann
6e9a3453f7 Fix the scoping of "diff" so its value doesn't leak between loop iterations
In the existing code, "diff" has function scope and the value from the
previous iteration may be used if it is not reset. This appears to be an
oversight. This commit changes its scope to the for loop body.

One confusing point is that the cursor movement escape sequences appear
to be necessary even if the requested movement is 0. I haven't been able
to figure out why this makes a difference.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-07 17:01:47 -08:00
Aaron Lehmann
5821bbd01d Don't update lines on the terminal from a previous operation
When we handle a message that isn't tracked in the "line" map (for
example, one with no ID), clear the line map. This means we won't update
lines that were part of a previous, completed set of operations when
doing something like pull -a. It also has the beneficial side effect
of avoiding terminal glitching in these types of situations, since
messages that don't get tracked in the "line" map cause the count of the
number of lines to get out of sync.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-07 16:04:42 -08:00
Sebastiaan van Stijn
cd655d8b48 Merge pull request #18449 from coolljt0725/plugins_cleanup
pkg/plugins/client.go: don't try to encode os decode if it's nil
2015-12-07 16:03:28 +01:00
Tibor Vass
cf5299f8bc Merge pull request #18123 from aidanhs/aphs-fail-on-broken-tar
Ensure adding a broken tar doesn't silently fail
2015-12-07 14:38:21 +01:00
Lei Jitang
a1a4101b73 pkg/plugins/client.go: don't try to encode os decode if it's nil
When user call the `Call()` method, they don't always want to sent
some args or get the return value, so they use `nil` when call `Call()`
method and this will casue an error. It's better to not trying to
encode or decode if it's nil.

Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-12-05 02:55:50 -05:00
Sebastiaan van Stijn
92079d14e1 Merge pull request #14466 from Mashimiao/add-support-blkio_throtte_bps
Add support for blkio read/write bps device
2015-12-04 12:29:58 +01:00
Alexander Morozov
b4547e38b1 Merge pull request #18412 from aaronlehmann/runcommand-race
Fix race in RunCommandWithOutputForDuration
2015-12-03 19:35:04 -08:00
Ma Shimiao
6986fd5e3d Add support for blkio read/write bps device
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-12-04 09:26:03 +08:00
Alexander Morozov
f9baa50548 Merge pull request #18411 from aaronlehmann/unit-test-timing
Adjust TestDockerCmdWithTimeout timeout to improve reliability
2015-12-03 16:34:36 -08:00
Aaron Lehmann
eb7916eb53 Fix race in RunCommandWithOutputForDuration
This function was starting a goroutine that modifies one of its return
values. The intent is for the goroutine to only influence the return
value when it's causing the function to return, but it's racy and can
also modify the return value when the function is returning due to the
timeout. Fix the goroutine to not modify return values directly.

Also, give the channel a buffer so that the goroutine doesn't block
forever after a timeout.

Fixes #18305

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-03 16:34:01 -08:00
Aaron Lehmann
6ba6058477 Adjust TestDockerCmdWithTimeout timeout to improve reliability
I saw a failure of TestDockerCmdWithTimeout. This test starts a command
that produces output after 10 ms, but uses a 5 ms timeout, so normally
the command will be killed before the output. The time intervals are so
small that the timeout may not reliably trigger before the output, which
can cause the test to fail.

This commit changes the test to only fail if the process is still alive
after 10 seconds. This means the test will confirm that the timeouts are
happening, but not attempt to gauge that the timeouts are happening
within milliseconds of when they are expected (which can't be done
reliably).

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-03 14:42:32 -08:00
Tibor Vass
de5a23ebff Merge pull request #18266 from calavera/events_pub_sub
Event PubSub topics + linear filtering.
2015-12-03 17:11:40 +01:00
David Calavera
a72c316bf4 Add PubSub topics.
A TopicFunc is an interface to let the pubisher decide whether it needs
to send a message to a subscriber or not. It returns true if the
publisher must send the message and false otherwise.

Users of the pubsub package can create a subscriber with a topic
function by calling `pubsub.SubscribeTopic`.

Message delivery has also been modified to use concurrent channels per
subscriber. That way, topic verification and message delivery is not
o(N+M) anymore, based on the number of subscribers and topic verification
complexity.

Using pubsub topics, the API stops controlling the message delivery,
delegating that function to a topic generated with the filtering
provided by the user. The publisher sends every message to the
subscriber if there is no filter, but the api doesn't have to select
messages to return anymore.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-12-02 16:43:49 -05:00
David Calavera
be362ef8ed Make filtering a linear operation.
Improves the current filtering implementation complixity.
Currently, the best case is O(N) and worst case O(N^2) for key-value filtering.
In the new implementation, the best case is O(1) and worst case O(N), again for key-value filtering.

Signed-off-by: David Calavera <david.calavera@gmail.com>
2015-12-02 11:12:42 -05:00
Dan Walsh
bd052b6116 This patch adds --tmpfs as a option for mounting tmpfs on directories
It will Tar up contents of child directory onto tmpfs if mounted over

This patch will use the new PreMount and PostMount hooks to "tar"
up the contents of the base image on top of tmpfs mount points.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2015-12-02 10:06:59 -05:00
David Calavera
c631a9bec7 Merge pull request #17438 from pmalmgren/17037-systemd226-cgroup
Fix docker status incorrectly reports containerized
2015-11-30 11:47:16 -08:00
Phil Estes
e868bb4183 Merge pull request #18241 from LK4D4/remove_listenbuffer
Remove listenbuffer
2015-11-30 14:37:14 -05:00
Jess Frazelle
f3d7ffb0f5 Merge pull request #18178 from jfrazelle/apparmor-we-meet-again
Fix docker-default profile handing signals
2015-11-30 11:34:34 -08:00
Jessica Frazelle
e9a1a9a9ec check version for docker-default aa profile
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-11-30 10:18:12 -08:00
David Calavera
92cfb73a9d Merge pull request #18296 from jfrazelle/add-james
add james golick to names generator
2015-11-30 10:00:21 -08:00
Alexander Morozov
26710b1734 Remove listenbuffer package
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-30 09:04:59 -08:00
Alexander Morozov
9e281d40d0 Remove usage of listenbuffer package
It actually adds nothing to queuing requests.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-30 09:04:55 -08:00
e345d791f4 Merge pull request #18226 from duglin/Issue18170
Fix for zero-sized layers
2015-11-30 09:57:37 -06:00
Jessica Frazelle
853a164ef8 add james golick to names generator
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2015-11-29 10:40:12 -08:00
Doug Davis
baafebd598 Fix for zero-sized layers
Moved a defer up to a better spot.

Fixed TestUntarPathWithInvalidDest to actually fail for the right reason

Closes #18170

Signed-off-by: Doug Davis <dug@us.ibm.com>
2015-11-25 18:02:03 -08:00
Bryan Boreham
49dc2e55d9 Fix spelling of 'existent'
Signed-off-by: Bryan Boreham <bjboreham@gmail.com>
2015-11-25 13:45:37 +00:00
David Calavera
5ca1b7ff65 Merge pull request #17924 from aaronlehmann/content-addressability
Content addressability
2015-11-24 11:01:33 -08:00
Tonis Tiigi
2c84dccd2d Update daemon and docker core to use new content addressable storage
Add distribution package for managing pulls and pushes. This is based on
the old code in the graph package, with major changes to work with the
new image/layer model.

Add v1 migration code.

Update registry, api/*, and daemon packages to use the reference
package's types where applicable.

Update daemon package to use image/layer/tag stores instead of the graph
package

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2015-11-24 09:40:25 -08:00
Brian Goff
058c4dfc3e Fix race in locker call to dec()
Can't safely use uint32 for locker since we need to decrement the count,
which requires loading the unit and doing some math, which is inherintly
racey.
Instead use Int32 which we can safely use with atomic and AddInt32 with
`-1`

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2015-11-24 11:59:09 -05:00
Aidan Hobson Sayers
12fc11efd0 Ensure adding a broken tar doesn't silently fail
Signed-off-by: Aidan Hobson Sayers <aidanhs@cantab.net>
2015-11-23 14:18:58 +00:00
Brian Goff
0fb39140d9 Merge pull request #18146 from JamesKyburz/random-additions
Random additions
2015-11-21 13:18:09 -05:00
Antonio Murdaca
4fc5c55a7b Merge pull request #16613 from WeiZhang555/docker-cp-symlink
Add option `-L` to allow `docker cp` follow symbol link
2015-11-21 17:03:24 +01:00
James Kyburz
4b3978329c Add nauseous and pedantic
Signed-off-by: James Kyburz <james.kyburz@gmail.com>
2015-11-21 16:23:07 +01:00
Antonio Murdaca
8bf21d0dfa Merge pull request #17495 from mikebrow/docker-tz-and-nanosecond-updates
modifying docker --since and --until to support nanoseconds and time …
2015-11-20 23:37:44 +01:00
Tibor Vass
d84ce62a25 Merge pull request #17456 from Microsoft/TestChtimesFix
Fix ChTimes to prevent setting times past the Unix Max Time
2015-11-20 18:07:09 +01:00
Zhang Wei
b4340e2b6c Add '-L' option for cp
Fixes #16555

Original docker `cp` always copy symbol link itself instead of target,
now we provide '-L' option to allow docker to follow symbol link to real
target.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2015-11-21 00:36:56 +08:00
Michael Crosby
688bb55544 Merge pull request #17459 from brahmaroutu/Power_Z_CI
Build and test Docker on IBM Power and Z using gccgo. Enable CI on Po…
2015-11-19 15:50:07 -08:00
Alexander Morozov
db8e84e124 Merge pull request #18082 from MHBauer/gh9406
Remove defaults for flags/options that expect no value
2015-11-19 15:06:21 -08:00
Darren Stahl
17d202b021 This fixes Chtimes on systems with 32 bit Timespec
Signed-off-by: Darren Stahl <darst@microsoft.com>
2015-11-19 11:08:29 -08:00
David Calavera
d178946c78 Merge pull request #18090 from vdemeester/17478-follow-up-cleanup-pkg-platform
Follow-up of 17478, unexport runtimeArchitecture method
2015-11-19 14:00:23 -05:00
Stefan Scherer
0c54d58fea Move charsToString to architecture dependent source to fix casting problem
Signed-off-by: Stefan Scherer <scherer_stefan@icloud.com>
2015-11-19 18:09:08 +01:00
Morgan Bauer
47a077d28c Remove defaults for flags/options that expect no value
- isZeroValue function from upstream go
 - covers booleans, strings and numbers
 - change integration to reflect new behavior
 - resolves #9406

Signed-off-by: Morgan Bauer <mbauer@us.ibm.com>
2015-11-19 08:37:51 -08:00
Vincent Demeester
6b16247685 Follow-up of 17478, unexport private method
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-11-19 14:55:57 +01:00
moxiegirl
5edb94d724 Merge pull request #17986 from bogdangrigg/master
Fix small typos in documentation files
2015-11-17 16:45:38 -08:00
Michael Crosby
0e3ab50833 Merge pull request #17434 from little-arhat/fix/newlines-in-json-status
Add newlines to FormatProgress for JSON as well
2015-11-17 15:52:31 -08:00
Michael Crosby
f65e3827fc Merge pull request #17478 from vdemeester/pr-13921
Carry#13921 : Expand /info: Expose OSType (GOOS), Architecture (GOARCH)
2015-11-17 15:44:57 -08:00
Alexander Morozov
2f11790e60 Use /usr/lib/os-release if /etc/os-release is missing.
As per os-release spec, /usr/lib/os-release file should be tried if
/etc/os-release is missing.

http://www.freedesktop.org/software/systemd/man/os-release.html

Thanks James Hunt <james.o.hunt@intel.com> and
Dimitri John Ledkov <dimitri.j.ledkov@intel.com> for contribution.

Close #17174

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-11-16 16:21:31 -08:00
Luca-Bogdan Grigorescu
cddf99001f Fix small typos in documentation files
Signed-off-by: Luca-Bogdan Grigorescu <bogdan@gmail.com>
2015-11-15 00:53:27 +02:00
Vincent Demeester
4ee0608373 Add pkg/parsers/architecture and pkg/platform
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-11-14 23:03:02 +01:00