Commit graph

591 commits

Author SHA1 Message Date
Michael Crosby
b0dfd5c5d9 Use apparmor_parser directly
The current load script does a lot of things.  If it does not find the
parser loaded on the system it will just exit 0 and not load the
profile.  We think it should fail loudly if it cannot load the profile
and apparmor is enabled on the system.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-13 23:31:10 +00:00
Alexander Larsson
e5ba166e75 Join memory and cpu cgroup in systemd too
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: crosbymichael)
2014-04-11 17:29:40 +00:00
Michael Crosby
1dd3c38cb5 Join cpuacct, freezer, perf_event, and blkio groups
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-11 17:28:27 +00:00
Michael Crosby
27ceac34af Set up cgroups for all subsystems
Fixes #5117
Fixes #5118
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-11 17:28:27 +00:00
Victor Vieux
0fe679322b Merge pull request #5143 from kzys/ns-nil
Avoid "invalid memory address or nil pointer dereference" panic
2014-04-10 11:07:35 -07:00
Guillaume J. Charmes
eb0ec63b59 Merge pull request #5131 from crosbymichael/shm-mode
Change shm mode to 1777
2014-04-10 07:50:32 -07:00
Guillaume J. Charmes
8a64aa8f4b Merge pull request #5115 from alexlarsson/fix-libcontainer-network-rhel6
Fix libcontainer network support on rhel6
2014-04-10 07:45:12 -07:00
Kato Kazuyoshi
8dc1d8b6c0 Avoid "invalid memory address or nil pointer dereference" panic
libcontainer.GetNamespace returns nil on FreeBSD because
libcontainer.namespaceList is empty. In this case, Namespaces#Get should
return nil instead of panicking.

Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
2014-04-10 22:07:29 +09:00
Kato Kazuyoshi
6b292bf034 Support FreeBSD on pkg/system/utimes_*.go
Implement system.LUtimesNano and system.UtimesNano. The latter might be
removed in future because it's basically the same as os.Chtimes. That's why
the test mainly focuses on LUtimesNano.

Docker-DCO-1.1-Signed-off-by: Kato Kazuyoshi <kato.kazuyoshi@gmail.com> (github: kzys)
2014-04-10 07:34:37 +09:00
Alexander Larsson
db1a117450 Fix libcontainer network support on rhel6
It seems that netlink in older kernels, including RHEL6, does not
support RTM_SETLINK with IFLA_MASTER. It just silently ignores it, reporting
no error, causing netlink.NetworkSetMaster() to not do anything yet
return no error.

We fix this by introducing and using AddToBridge() in a very similar manner
to CreateBridge(), which uses the old ioctls directly.

This fixes https://github.com/dotcloud/docker/issues/4668

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
2014-04-09 15:44:18 +02:00
Michael Crosby
1df38475cd Revert "Support hairpin NAT without going through docker server"
This reverts commit b39d02b611f1cc0af283f417b73bf0d36f26277a.

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-09 11:55:08 +00:00
Michael Crosby
6b4ca764f0 Change shm mode to 1777
Fixes #5126
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-09 10:53:32 +00:00
Michael Crosby
4b3bfc742b Check for apparmor enabled on host to populate profile
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-09 10:22:17 +00:00
Guillaume J. Charmes
2538689b31 Backup current docker apparmor profile and replace it with the new one
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-08 11:09:31 -07:00
Guillaume J. Charmes
908be5a3d9 Merge pull request #5049 from Supermathie/aa-fix
apparmor: docker-default: Include base abstraction
2014-04-07 21:34:01 -07:00
Guillaume J. Charmes
23ce43ac20 Merge pull request #5025 from dstine/readme-fix
fixed two readme typos
2014-04-07 19:31:16 -07:00
Dan Stine
3a7b63669c fixed three more typos
2014-04-07 22:09:15 -04:00
Michael Crosby
8824b08802 Ensure that ro mounts are remounted
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-07 18:23:22 -07:00
Michael Crosby
1adf0ae8a4 Remove and unexport selinux functions
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-07 14:59:44 -07:00
Michael Crosby
bcd17c6fdc Ensure that selinux is disabled by default
This also includes some portability changes so that the package can be
imported with the top level runtime.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-07 14:44:53 -07:00
Michael Crosby
08ed0c8761 Add more label checks for selinux enabled
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-07 14:44:53 -07:00
Michael Brown
7c63627a7f apparmor: pull in variables from tunables/global
The variables that were defined at the top of the apparmor profile are best
pulled in via the <tunables/global> include.

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
2014-04-07 03:04:27 -04:00
Michael Brown
0bcebe0347 apparmor: abstractions/base expects pid variable
Add 'pid' variable pointing to 'self' to allow parsing of profile to succeed

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
2014-04-07 02:47:43 -04:00
Michael Brown
264a89788c apparmor: docker-default: Include base abstraction
Encountered problems on 14.04 relating to signals between container
processes being blocked by apparmor. The base abstraction contains
appropriate rules to allow this communication.

Docker-DCO-1.1-Signed-off-by: Michael Brown <michael.brown@discourse.org> (github: Supermathie)
2014-04-07 02:19:38 -04:00
Dan Stine
e59092b62c fixed two readme typos
2014-04-04 08:12:17 -04:00
unclejack
c05f329be8 Merge pull request #5002 from crosbymichael/rhatdan-selinux
Improve selinux label handling
2014-04-04 04:43:16 +03:00
Victor Vieux
1999505cc5 Merge pull request #4991 from ruphin/fix_name_typo
Fix typo in names-generator
2014-04-03 16:24:14 -07:00
Goffert van Gool
5754752556 Fix typo in names-generator
Docker-DCO-1.1-Signed-off-by: Goffert van Gool <ruphin@ruphin.net> (github: ruphin)
2014-04-04 00:57:43 +02:00
Victor Vieux
534990bda9 Merge pull request #4953 from rhatdan/selinux
These two patches should fix problems we see with running docker in the wild.
2014-04-02 16:36:41 -07:00
Michael Crosby
de5d0ed979 Fix lxc label handling
This also improves the logic around formatting the labels for selinux
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-02 16:52:49 +00:00
Michael Crosby
bdea26ea08 Merge branch 'selinux' of https://github.com/rhatdan/docker into rhatdan-selinux
Conflicts:
	pkg/selinux/selinux.go
	runtime/execdriver/lxc/lxc_template.go

Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-02 16:11:35 +00:00
Dan Walsh
eab8c83391 In certain cases, setting the process label will not happen.
When the code attempts to set the ProcessLabel, it checks if SELinux is
enabled.  We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled.  Calling
label.Init before setting up the rest of the container, tells the library that
SELinux is enabled and everything works fine.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-04-03 09:32:29 -04:00
Dan Walsh
c250bdad25 Remove hard coding of SELinux labels on systems without proper selinux policy.
If a system is configured for SELinux but does not know about docker or
containers, then we want the transitions of the policy to work.  Hard coding
the labels causes docker to break on older Fedora and RHEL systems.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-04-03 09:32:29 -04:00
Michael Crosby
f1e3abf694 Remove loopback setup for native driver
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-02 13:12:52 +00:00
Kevin Wallace
cba2eef566 Allow non-privileged containers to create device nodes.
Such nodes could already be created by importing a tarball to a container; now
they can be created from within the container itself.

This gives non-privileged containers the mknod kernel capability, and modifies
their cgroup settings to allow creation of *any* node, not just whitelisted
ones.  Use of such nodes is still controlled by the existing cgroup whitelist.

Docker-DCO-1.1-Signed-off-by: Kevin Wallace <kevin@pentabarf.net> (github: kevinwallace)
2014-04-03 18:44:13 +00:00
Victor Vieux
76283c03ad Merge pull request #4961 from creack/update_version_pkg
Update Version to not use string anymore
2014-04-01 18:37:25 -07:00
Victor Vieux
99d4d5eb9f Merge pull request #4902 from shykes/wozniak_is_not_boring
Steve Wozniak is not boring.
2014-04-01 16:49:56 -07:00
unclejack
2780a7e2ba Merge pull request #4931 from crosbymichael/gen-mac-addr-for-bridge
Set bridge mac addr on supported kernels
2014-04-02 02:47:56 +03:00
unclejack
879855ec98 Merge pull request #4867 from crosbymichael/clean-shutdown
Cleanly shutdown docker
2014-04-02 01:48:03 +03:00
Guillaume J. Charmes
d5795681d4 Update Version to not use string anymore
Docker-DCO-1.1-Signed-off-by: Guillaume J. Charmes <guillaume@charmes.net> (github: creack)
2014-04-01 15:46:52 -07:00
Michael Crosby
9bf96eece4 Merge pull request #4942 from vieux/cleanup_dev_libcontainer
remove setupDev from libcontainer
2014-04-01 14:28:17 -07:00
Guillaume J. Charmes
345365e7b0 Merge pull request #4833 from crosbymichael/pluginflag
Add opts flag for fine grained control over drivers
2014-04-01 13:34:08 -07:00
Dan Walsh
f71121b1fa In certain cases, setting the process label will not happen.
When the code attempts to set the ProcessLabel, it checks if SELinux is
enabled.  We have seen a case with some of our patches where the code
is fooled by the container to think that SELinux is not enabled.  Calling
label.Init before setting up the rest of the container, tells the library that
SELinux is enabled and everything works fine.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-04-01 13:30:10 -04:00
Dan Walsh
cecd7a37bf Remove hard coding of SELinux labels on systems without proper selinux policy.
If a system is configured for SELinux but does not know about docker or
containers, then we want the transitions of the policy to work.  Hard coding
the labels causes docker to break on older Fedora and RHEL systems.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
2014-04-01 13:29:54 -04:00
Michael Crosby
6a7bbbdddc Don't send prctl to be consistent with other drivers
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-01 07:12:50 +00:00
Michael Crosby
b16b1a04ff Ensure a reliable way to kill ghost containers on reboot
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-04-01 07:11:41 +00:00
Victor Vieux
fdcc31546e remove setupDev from libcontainer
Docker-DCO-1.1-Signed-off-by: Victor Vieux <victor.vieux@docker.com> (github: vieux)
2014-04-01 00:28:44 +00:00
Michael Crosby
ba89d04fbc Set bridge mac addr on supported kernels
Fixes #3200
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
2014-03-31 22:56:23 +00:00
Vincent Batts
a031814bc4 --env-file: simple line-delimited
match dock functionality, and not try to achieve shell-sourcing compatibility

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-31 14:45:13 -04:00
Vincent Batts
e659708bcc env-file: update functionality and docs
Multiple flags allowed. Order prescribed. Examples provided. Multiline
accounted for.

Docker-DCO-1.1-Signed-off-by: Vincent Batts <vbatts@redhat.com> (github: vbatts)
2014-03-31 14:45:13 -04:00