Commit graph

1266 commits

Author SHA1 Message Date
Tibor Vass
1ad5a79e51 Merge pull request #9397 from jpopelka/9395-firewalld
Firewalld support
2015-04-23 16:58:08 -04:00
Ma Shimiao
533ef6cee7 sysinfo: add IPv4Forwarding check
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2015-04-23 12:19:46 +08:00
Brian Goff
5ee10f9ad5 Merge pull request #12543 from vdemeester/11584-pkg-stdcopy-test-coverage
Add some stdcopy_test (coverage)
2015-04-22 22:03:15 -04:00
Qiang Huang
456cb5df54 remove redundant warning
And warning is not supposed to have a prefix WARNING.

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2015-04-22 08:15:00 +08:00
Vivek Goyal
e2bca8900c devicemapper: Create a method to get device info with deferred remove field
Deferred reove functionality was added to library later. So in old version
of library it did not report deferred_remove field. 

Create a new function which also gets deferred_remove field and it will be
called only on newer version of library. 

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-21 18:14:59 -04:00
Vivek Goyal
48536e29e5 devicemapper: Create helpers to cancel deferred deactivation
If a device has been scheduled for deferred deactivation and container
is started again and we need to activate device again, we need to cancel
the deferred deactivation which is already scheduled on the device.

Create a method for the same.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-21 18:14:59 -04:00
Vivek Goyal
64ffdbc701 devicemapper: Add helper functions to allow deferred device removal
A lot of time device mapper devices leak across mount namespace which docker
does not know about and when docker tries to deactivate/delete device,
operation fails as device is open in some mount namespace.

Create a mechanism where one can defer the device deactivation/deletion
so that docker operation does not fail and device automatically goes
away when last reference to it is dropped.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
2015-04-21 18:14:59 -04:00
Jessie Frazelle
1b9b5095ac Merge pull request #10736 from coolljt0725/add_cpu_limit
Add support cpu cfs_quota
2015-04-20 17:55:01 -07:00
Jessie Frazelle
e0f512d938 Merge pull request #12566 from fntlnz/remove-go1.3.3-support
Removed go1.3.3 support
2015-04-20 17:01:57 -07:00
Jessie Frazelle
501c2916c4 Merge pull request #12471 from coolljt0725/fix_weird_output_format
Fix weird terminal output format
2015-04-20 17:01:02 -07:00
Lorenzo Fontana
f4a7450f74 Removed go1.3.3 support
Signed-off-by: Lorenzo Fontana <fontanalorenzo@me.com>
2015-04-20 23:09:08 +02:00
Vincent Demeester
3cc15b53e7 Add some stdcopy_test (coverage)
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-04-20 22:58:22 +02:00
Alexander Morozov
9f94dd0a5f Merge pull request #12453 from runcom/style-minor-fixes
Add minor stylistic fixes
2015-04-20 11:51:04 -07:00
Lei Jitang
f28ded09c3 Add support cpu cfs quota
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-20 08:16:47 -07:00
Alexander Morozov
d6a49e79ac Make API server datastructure
Added daemon field to it, will use it later for acces to daemon from
handlers

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-20 08:13:39 -07:00
Jiri Popelka
4bc66e193f Firewalld tests
Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:09 +02:00
Jiri Popelka
bc71145164 React to firewalld's reload/restart
When firewalld (or iptables service) restarts/reloads,
all previously added docker firewall rules are flushed.

With firewalld we can react to its Reloaded() [1]
D-Bus signal and recreate the firewall rules.
Also when firewalld gets restarted (stopped & started)
we can catch the NameOwnerChanged signal [2].
To specify which signals we want to react to we use AddMatch [3].

Libvirt has been doing this for quite a long time now.

Docker changes firewall rules on basically 3 places.
1) daemon/networkdriver/portmapper/mapper.go - port mappings
   Portmapper fortunatelly keeps list of mapped ports,
   so we can easily recreate firewall rules on firewalld restart/reload
   New ReMapAll() function does that
2) daemon/networkdriver/bridge/driver.go
   When setting a bridge, basic firewall rules are created.
   This is done at once during start, it's parametrized and nowhere
   tracked so how can one know what and how to set it again when
   there's been firewalld restart/reload ?
   The only solution that came to my mind is using of closures [4],
   i.e. I keep list of references to closures (anonymous functions
   together with a referencing environment) and when there's firewalld
   restart/reload I re-call them in the same order.
3) links/links.go - linking containers
   Link is added in Enable() and removed in Disable().
   In Enable() we add a callback function, which creates the link,
   that's OK so far.
   It'd be ideal if we could remove the same function from
   the list in Disable(). Unfortunatelly that's not possible AFAICT,
   because we don't know the reference to that function
   at that moment, so we can only add a reference to function,
   which removes the link. That means that after creating and
   removing a link there are 2 functions in the list,
   one adding and one removing the link and after
   firewalld restart/reload both are called.
   It works, but it's far from ideal.

[1] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.Signals.Reloaded
[2] http://dbus.freedesktop.org/doc/dbus-specification.html#bus-messages-name-owner-changed
[3] http://dbus.freedesktop.org/doc/dbus-specification.html#message-bus-routing-match-rules
[4] https://en.wikipedia.org/wiki/Closure_%28computer_programming%29

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:09 +02:00
Jiri Popelka
5e167a6493 Support for Firewalld
Firewalld [1] is a firewall managing daemon with D-Bus interface.

What sort of problem are we trying to solve with this ?

Firewalld internally also executes iptables/ip6tables to change firewall settings.
It might happen on systems where both docker and firewalld are running
concurrently, that both of them try to call iptables at the same time.
The result is that the second one fails because the first one is holding a xtables lock.
One workaround is to use --wait/-w option in both
docker & firewalld when calling iptables.
It's already been done in both upstreams:
b315c380f4
b3b451d6f8
But it'd still be better if docker used firewalld when it's running.

Other problem the firewalld support would solve is that
iptables/firewalld service's restart flushes all firewall rules
previously added by docker.
See next patch for possible solution.

This patch utilizes firewalld's D-Bus interface.
If firewalld is running, we call direct.passthrough() [2] method instead
of executing iptables directly.
direct.passthrough() takes the same arguments as iptables tool itself
and passes them through to iptables tool.
It might be better to use other methods, like direct.addChain and
direct.addRule [3] so it'd be more intergrated with firewalld, but
that'd make the patch much bigger.
If firewalld is not running, everything works as before.

[1] http://www.firewalld.org/
[2] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.passthrough
[3] https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addChain
    https://jpopelka.fedorapeople.org/firewalld/doc/firewalld.dbus.html#FirewallD1.direct.Methods.addRule

Signed-off-by: Jiri Popelka <jpopelka@redhat.com>
2015-04-20 13:02:03 +02:00
Doug Davis
b140321e2e Merge pull request #12438 from ourcolorfuldays/fixtypo
fix some typos
2015-04-18 07:17:55 -04:00
bin liu
34fbb6c622 fix some typos
Signed-off-by: bin liu <liubin0329@gmail.com>
2015-04-17 08:12:13 +00:00
Lei Jitang
c9f6e6de37 Fix weird terminal output format
Signed-off-by: Lei Jitang <leijitang@huawei.com>
2015-04-17 15:28:12 +08:00
Antonio Murdaca
221acfd266 Add minor stylistic fixes
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-16 21:22:32 +02:00
Jason Smith
7b823090ed added documentation for functions
Signed-off-by: Jason Smith <jasonrichardsmith@gmail.com>
2015-04-15 19:28:01 -07:00
Alexander Morozov
6a30cca4ed Merge pull request #12369 from runcom/fix-links-graph-ref
Fix wrong graphdb refs paths purging
2015-04-15 11:34:58 -07:00
Phil Estes
1a59c1698e Merge pull request #12360 from yestin/11601-supplement-tests-part-2
Improve test accuracy for pkg/chrootarchive (part 2)
2015-04-14 21:00:12 -04:00
Antonio Murdaca
b12971703d Fix wrong graphdb refs paths purging
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 23:10:43 +02:00
Brian Goff
504425a9ff Merge pull request #12214 from ahmetalpbalkan/namesgenerator/localrand
names-generator: use local random instance
2015-04-14 13:10:26 -04:00
Alexander Morozov
8005f59382 Merge pull request #12374 from kostickm/12343-fix-vet-warning-archive
Fix vet warning in archive.go
2015-04-14 10:06:04 -07:00
Megan Kostick
967f4dc067 Fix vet warning in archive.go
Signed-off-by: Megan Kostick <mkostick@us.ibm.com>
2015-04-14 09:13:50 -07:00
Yestin Sun
6ae14a2625 Improve test accuracy for pkg/chrootarchive (part 2)
Check test correctness of untar by comparing destination with
source. For part 2, it checkes hashes of source and destination
files or the target files of symbolic links.

This is a supplement to the #11601 fix.

Signed-off-by: Yestin Sun <sunyi0804@gmail.com>
2015-04-13 21:46:14 -07:00
Ahmet Alp Balkan
627d5ea83b names-generator: use local random instance
Instead of seeding/polluting the global random instance,
creating a local `rand.Random` instance which provides the same
level of randomness.

Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-04-14 02:35:16 +00:00
Antonio Murdaca
d7a5d5b94c Refactor utils/utils, fixes #11923
Signed-off-by: Antonio Murdaca <me@runcom.ninja>
2015-04-14 01:37:36 +02:00
Michael Crosby
b15e56b3ef Merge pull request #12044 from reteptilian/11721-remove-randomstring-3
fixes 11721 replace stringutils.GenerateRandomString with stringid.GenerateRandomID
2015-04-13 13:47:50 -07:00
Evan Hazlett
86168f3594 Merge pull request #12204 from yestin/11601-supplement-tests-part-1
Improve test accuracy for pkg/chrootarchive (part 1)
2015-04-13 16:14:18 -04:00
Michael Crosby
08ddc4edc5 Merge pull request #12342 from LK4D4/fix_vet_warn
Fix vet warning
2015-04-13 12:56:47 -07:00
Evan Hazlett
347857acba Merge pull request #12276 from estesp/10246-really-fix-arg-list
Send archive options via pipe in chrootarchive
2015-04-13 14:44:47 -04:00
Alexander Morozov
2f1072efe0 Fix vet warning
pkg/archive/archive_test.go:496: arg changes for printf verb %s of wrong type: []archive.Change

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2015-04-13 11:43:30 -07:00
Michael Crosby
a07cb3c4e6 Merge pull request #12297 from vdemeester/11603-pkg-archive-test-coverage
Add test on archive.go (#11603)
2015-04-13 10:54:21 -07:00
Deshi Xiao
3aad0991ea correct pkg/stdcopy NewStdWriter function comments
pkg/stdcopy NewStdWriter function has wrong doc comment,
utils is not correct, it should be stdcopy

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2015-04-13 17:21:27 +08:00
Phil Estes
70210e11f2 Send archive options via pipe in chrootarchive
After finding our initial thinking on env. space versus arg list space
was wrong, we need to solve this by using a pipe between the caller and
child to marshall the (potentially very large) options array to the
archiver.

Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-04-12 21:16:54 -04:00
Vincent Demeester
2fd964cc1d Add test on archive.go (#11603)
- Trying to add or complete unit test to each ``func``
- Removing dead code (``escapeName``)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2015-04-11 23:21:37 +02:00
Brendan Dixon
a15746e7cf Turned off Ctrl+C processing by Windows shell
Signed-off-by: Brendan Dixon <brendand@microsoft.com>
2015-04-10 15:43:35 -07:00
Tibor Vass
34332b8151 Merge pull request #12238 from brendandixon/win-cli/fixes
Corrected int16 overflow and buffer sizes
2015-04-10 13:36:23 -04:00
Richard Burnison
a513a8b8e0 Only use fallback to short IDs when obvious.
As reported in #11294, the Docker daemon will execute contains it
shouldn't run in the event that a requested tag is present in an image's
ID. This leads to the wrong image being started up silently.

This change reduces the risk of such a collision by using the short ID
iff the actual revOrTag looks like a short ID (not that it necessarily
is).

Signed-off-by: Richard Burnison <rburnison@ebay.com>
2015-04-10 13:20:44 -04:00
WiseTrem
fb7d4d784e Remove pools_nopool.go & build tag from pools.go
Fix #11576

Signed-off-by: Gleb Shepelev <shepelyov.g@gmail.com>
2015-04-10 02:32:55 +03:00
Brendan Dixon
06eb6c91a0 Corrected int16 overflow and buffer sizes
Signed-off-by: Brendan Dixon <brendand@microsoft.com>
2015-04-09 09:03:04 -07:00
Ahmet Alp Balkan
b4cd20a3ad namesgenerator: Proposing Kilby/Noyce
Signed-off-by: Ahmet Alp Balkan <ahmetalpbalkan@gmail.com>
2015-04-09 04:11:06 -07:00
Yestin Sun
f16c4275d2 Improve test accuracy for pkg/chrootarchive (part 1)
Check test correctness of untar by comparing destination with
source. For part one, it only compares the directories.

This is a supplement to the #11601 fix.

Signed-off-by: Yestin Sun <yestin.sun@polyera.com>
2015-04-08 14:07:31 -07:00
Chris Stivers
4f5c0ee46d Proposing Seymour Cray
Signed-off-by: Chris Stivers <chris@stivers.us>
2015-04-08 13:17:22 -07:00
Jessie Frazelle
ecea125be8 Merge pull request #11909 from runcom/11908-refactor-utils-utils-daemon
Refactor utils/utils_daemon
2015-04-07 13:24:24 -07:00