Commit graph

1835 commits

Author SHA1 Message Date
Michael Crosby
6c996d544f Merge pull request #12900 from gaurav-gosec/master
Make use of iptablesPath variable which has the path of iptables, instea...
2015-04-30 16:12:03 -07:00
jhowardmsft
aa589b5288 Windows: mkdirall volume path aware
Signed-off-by: jhowardmsft <jhoward@microsoft.com>
2015-04-30 11:59:42 -07:00
Tibor Vass
2bbd2f8dd0 Merge pull request #12771 from runcom/say-bye-to-engine
Remove engine
2015-04-30 12:18:16 -04:00
Brian Goff
d461ce8fc7 Merge pull request #12664 from Mashimiao/sysinfo-support-ipv4_forward-check
sysinfo: add IPv4Forwarding check
2015-04-30 11:44:44 -04:00
Gaurav
23db1c36a6 Make use of iptablesPath variable which has the path of iptables, instead of using string iptables directly
Signed-off-by: Gaurav <gaurav.gosec@gmail.com>
2015-04-30 18:22:12 +05:30
Antonio Murdaca
1bf50b564c Remove engine mechanism
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-30 01:35:16 +02:00
Aaron Davidson
81e1cdca21 Do our best not to invoke iptables concurrently if --wait is unsupported
We encountered a situation where concurrent invocations of the docker daemon on a machine with an older version of iptables led to nondeterministic errors related to simultaenous invocations of iptables.

While this is best resolved by upgrading iptables itself, the particular situation would have been avoided if the docker daemon simply took care not to concurrently invoke iptables. Of course, external processes could also cause iptables to fail in this way, but invoking docker in parallel seems like a pretty common case.

Signed-off-by: Aaron Davidson <aaron@databricks.com>
2015-04-29 14:40:25 -07:00
Vincent Demeester
861cba008d Add coverage on pkg/fileutils
Should fix #11598

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-04-29 16:27:12 +02:00
Ma Shimiao
57ef2a843d use CustomSize replace intToString
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-29 08:30:25 +08:00
buddhamagnet
c09e1131bc add support for exclusion rules in dockerignore
Signed-off-by: Dave Goodchild <buddhamagnet@gmail.com>
2015-04-28 18:56:45 +01:00
Burke Libbey
a423e54ba4 archive: Optimize ChangesDirs on Linux
If we tear through a few layers of abstraction, we can get at the inodes
contained in a directory without having to stat all the files. This
allows us to eliminate identical files much earlier in the changelist
generation process.

Signed-off-by: Burke Libbey <burke@libbey.me>
2015-04-27 21:26:13 -04:00
Brian Goff
f71e128a11 Merge pull request #11882 from hqhq/hq_warn_device_cg
add devices cgroup check as hard requirement
2015-04-27 18:42:57 -04:00
Phil Estes
af12b74084 Merge pull request #12828 from tdmackey/trivial-spelling
trivial: typo cleanup
2015-04-27 17:05:46 -04:00
David Mackey
b590208498 trivial: typo cleanup
Signed-off-by: David Mackey <tdmackey@booleanhaiku.com>
2015-04-27 13:35:08 -07:00
Antonio Murdaca
2026dbd41d Small if err cleaning
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-27 21:50:33 +02:00
Antonio Murdaca
f023195a1e Replace json.Unmarshal with json.Decoder().Decode()
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-26 15:02:01 +02:00
Vincent Demeester
bf4bc7f97f Add coverage on pkg/archive
Add tests on:
- changes.go
- archive.go
- wrap.go

Should fix #11603 as the coverage is now 81.2% on the ``pkg/archive``
package. There is still room for improvement though :).

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-04-24 17:03:33 +02:00
Qiang Huang
4f08c0481c simplify memory limit check
If memory cgroup is mounted, memory limit is always supported,
no need to check if these files are exist.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-24 08:43:44 +08:00
Qiang Huang
c0dc426757 add devices cgroup check and errors
Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-24 08:37:59 +08:00
Tibor Vass
1ad5a79e51 Merge pull request #9397 from jpopelka/9395-firewalld
Firewalld support
2015-04-23 16:58:08 -04:00
Ma Shimiao
533ef6cee7 sysinfo: add IPv4Forwarding check
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-23 12:19:46 +08:00
Brian Goff
5ee10f9ad5 Merge pull request #12543 from vdemeester/11584-pkg-stdcopy-test-coverage
Add some stdcopy_test (coverage)
2015-04-22 22:03:15 -04:00
Qiang Huang
456cb5df54 remove redundant warning
And warning is not supposed to have a prefix WARNING.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-22 08:15:00 +08:00
Vivek Goyal
e2bca8900c devicemapper: Create a method to get device info with deferred remove field
Deferred reove functionality was added to library later. So in old version
of library it did not report deferred_remove field. 

Create a new function which also gets deferred_remove field and it will be
called only on newer version of library. 

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-21 18:14:59 -04:00
Vivek Goyal
48536e29e5 devicemapper: Create helpers to cancel deferred deactivation
If a device has been scheduled for deferred deactivation and container
is started again and we need to activate device again, we need to cancel
the deferred deactivation which is already scheduled on the device.

Create a method for the same.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-21 18:14:59 -04:00
Vivek Goyal
64ffdbc701 devicemapper: Add helper functions to allow deferred device removal
A lot of time device mapper devices leak across mount namespace which docker
does not know about and when docker tries to deactivate/delete device,
operation fails as device is open in some mount namespace.

Create a mechanism where one can defer the device deactivation/deletion
so that docker operation does not fail and device automatically goes
away when last reference to it is dropped.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-21 18:14:59 -04:00
Jessie Frazelle
1b9b5095ac Merge pull request #10736 from coolljt0725/add_cpu_limit
Add support cpu cfs_quota
2015-04-20 17:55:01 -07:00
Jessie Frazelle
e0f512d938 Merge pull request #12566 from fntlnz/remove-go1.3.3-support
Removed go1.3.3 support
2015-04-20 17:01:57 -07:00
Jessie Frazelle
501c2916c4 Merge pull request #12471 from coolljt0725/fix_weird_output_format
Fix weird terminal output format
2015-04-20 17:01:02 -07:00
Lorenzo Fontana
f4a7450f74 Removed go1.3.3 support
Signed-off-by: Lorenzo Fontana <fontanalorenzo@me.com>
2015-04-20 23:09:08 +02:00
Vincent Demeester
3cc15b53e7 Add some stdcopy_test (coverage)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-04-20 22:58:22 +02:00
Alexander Morozov
9f94dd0a5f Merge pull request #12453 from runcom/style-minor-fixes
Add minor stylistic fixes
2015-04-20 11:51:04 -07:00
Lei Jitang
f28ded09c3 Add support cpu cfs quota
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-20 08:16:47 -07:00
Alexander Morozov
d6a49e79ac Make API server datastructure
Added daemon field to it, will use it later for acces to daemon from
handlers

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-20 08:13:39 -07:00
Jiri Popelka
4bc66e193f Firewalld tests
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:09 +02:00
Jiri Popelka
bc71145164 React to firewalld's reload/restart
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.

With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].

Libvirt has been doing this for quite a long time now.

Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
   Portmapper fortunatelly keeps list of mapped ports,
   so we can easily recreate firewall rules on firewalld restart/reload
   New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
   When setting a bridge, basic firewall rules are created.
   This is done at once during start, it's parametrized and nowhere
   tracked so how can one know what and how to set it again when
   there's been firewalld restart/reload ?
   The only solution that came to my mind is using of closures [4],
   i.e. I keep list of references to closures (anonymous functions
   together with a referencing environment) and when there's firewalld
   restart/reload I re-call them in the same order.
3) links/links.go - linking containers
   Link is added in Enable() and removed in Disable().
   In Enable() we add a callback function, which creates the link,
   that's OK so far.
   It'd be ideal if we could remove the same function from
   the list in Disable(). Unfortunatelly that's not possible AFAICT,
   because we don't know the reference to that function
   at that moment, so we can only add a reference to function,
   which removes the link. That means that after creating and
   removing a link there are 2 functions in the list,
   one adding and one removing the link and after
   firewalld restart/reload both are called.
   It works, but it's far from ideal.

[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:09 +02:00
Jiri Popelka
5e167a6493 Support for Firewalld
Firewalld [1] is a firewall managing daemon with D-Bus interface.

What sort of problem are we trying to solve with this ?

Firewalld internally also executes iptables/ip6tables to change firewall settings.
It might happen on systems where both docker and firewalld are running
concurrently, that both of them try to call iptables at the same time.
The result is that the second one fails because the first one is holding a xtables lock.
One workaround is to use --wait/-w option in both
docker & firewalld when calling iptables.
It's already been done in both upstreams:
b315c380f4
b3b451d6f8
But it'd still be better if docker used firewalld when it's running.

Other problem the firewalld support would solve is that
iptables/firewalld service's restart flushes all firewall rules
previously added by docker.
See next patch for possible solution.

This patch utilizes firewalld's D-Bus interface.
If firewalld is running, we call direct.passthrough() [2] method instead
of executing iptables directly.
direct.passthrough() takes the same arguments as iptables tool itself
and passes them through to iptables tool.
It might be better to use other methods, like direct.addChain and
direct.addRule [3] so it'd be more intergrated with firewalld, but
that'd make the patch much bigger.
If firewalld is not running, everything works as before.

[1] http://www.firewalld.org/
[2] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.passthrough
[3] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addChain
    https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addRule

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:03 +02:00
Doug Davis
b140321e2e Merge pull request #12438 from ourcolorfuldays/fixtypo
fix some typos
2015-04-18 07:17:55 -04:00
bin liu
34fbb6c622 fix some typos
Signed-off-by: bin liu <liubin0329@gmail.com>
2015-04-17 08:12:13 +00:00
Lei Jitang
c9f6e6de37 Fix weird terminal output format
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-17 15:28:12 +08:00
Antonio Murdaca
221acfd266 Add minor stylistic fixes
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-16 21:22:32 +02:00
Jason Smith
7b823090ed added documentation for functions
Signed-off-by: Jason Smith <jasonrichardsmith@gmail.com>
2015-04-15 19:28:01 -07:00
Alexander Morozov
6a30cca4ed Merge pull request #12369 from runcom/fix-links-graph-ref
Fix wrong graphdb refs paths purging
2015-04-15 11:34:58 -07:00
Phil Estes
1a59c1698e Merge pull request #12360 from yestin/11601-supplement-tests-part-2
Improve test accuracy for pkg/chrootarchive (part 2)
2015-04-14 21:00:12 -04:00
Antonio Murdaca
b12971703d Fix wrong graphdb refs paths purging
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 23:10:43 +02:00
Brian Goff
504425a9ff Merge pull request #12214 from ahmetalpbalkan/namesgenerator/localrand
names-generator: use local random instance
2015-04-14 13:10:26 -04:00
Alexander Morozov
8005f59382 Merge pull request #12374 from kostickm/12343-fix-vet-warning-archive
Fix vet warning in archive.go
2015-04-14 10:06:04 -07:00
Megan Kostick
967f4dc067 Fix vet warning in archive.go
Signed-off-by: Megan Kostick <mkostick@us.ibm.com>
2015-04-14 09:13:50 -07:00
Yestin Sun
6ae14a2625 Improve test accuracy for pkg/chrootarchive (part 2)
Check test correctness of untar by comparing destination with
source. For part 2, it checkes hashes of source and destination
files or the target files of symbolic links.

This is a supplement to the #11601 fix.

Signed-off-by: Yestin Sun <sunyi0804@gmail.com>
2015-04-13 21:46:14 -07:00
Ahmet Alp Balkan
627d5ea83b names-generator: use local random instance
Instead of seeding/polluting the global random instance,
creating a local `rand.Random` instance which provides the same
level of randomness.

Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-04-14 02:35:16 +00:00