Merge pull request #35389 from thaJeztah/improve-containerd-version-parsing
Use containerd API to get version
diff --git a/Dockerfile b/Dockerfile
index bf86bdb..25da313 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -133,7 +133,7 @@
&& rm -rf "$GOPATH"
# Get the "docker-py" source so we can run their integration tests
-ENV DOCKER_PY_COMMIT a962578e515185cf06506050b2200c0b81aa84ef
+ENV DOCKER_PY_COMMIT ca7a6132a418c32df6bb11ba9b2a8b9b2727227a
# To run integration tests docker-pycreds is required.
RUN git clone https://github.com/docker/docker-py.git /docker-py \
&& cd /docker-py \
diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64
index 4a4c635..97dff46 100644
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@@ -105,7 +105,7 @@
&& rm -rf "$GOPATH"
# Get the "docker-py" source so we can run their integration tests
-ENV DOCKER_PY_COMMIT a962578e515185cf06506050b2200c0b81aa84ef
+ENV DOCKER_PY_COMMIT ca7a6132a418c32df6bb11ba9b2a8b9b2727227a
# To run integration tests docker-pycreds is required.
RUN git clone https://github.com/docker/docker-py.git /docker-py \
&& cd /docker-py \
diff --git a/Dockerfile.armhf b/Dockerfile.armhf
index e64bfd7..30ddf8c 100644
--- a/Dockerfile.armhf
+++ b/Dockerfile.armhf
@@ -103,7 +103,7 @@
&& rm -rf "$GOPATH"
# Get the "docker-py" source so we can run their integration tests
-ENV DOCKER_PY_COMMIT a962578e515185cf06506050b2200c0b81aa84ef
+ENV DOCKER_PY_COMMIT ca7a6132a418c32df6bb11ba9b2a8b9b2727227a
# To run integration tests docker-pycreds is required.
RUN git clone https://github.com/docker/docker-py.git /docker-py \
&& cd /docker-py \
diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le
index c95b68b..709a6e6 100644
--- a/Dockerfile.ppc64le
+++ b/Dockerfile.ppc64le
@@ -101,7 +101,7 @@
&& rm -rf "$GOPATH"
# Get the "docker-py" source so we can run their integration tests
-ENV DOCKER_PY_COMMIT a962578e515185cf06506050b2200c0b81aa84ef
+ENV DOCKER_PY_COMMIT ca7a6132a418c32df6bb11ba9b2a8b9b2727227a
# To run integration tests docker-pycreds is required.
RUN git clone https://github.com/docker/docker-py.git /docker-py \
&& cd /docker-py \
diff --git a/Dockerfile.s390x b/Dockerfile.s390x
index b438a5d..752d052 100644
--- a/Dockerfile.s390x
+++ b/Dockerfile.s390x
@@ -95,7 +95,7 @@
&& rm -rf "$GOPATH"
# Get the "docker-py" source so we can run their integration tests
-ENV DOCKER_PY_COMMIT a962578e515185cf06506050b2200c0b81aa84ef
+ENV DOCKER_PY_COMMIT ca7a6132a418c32df6bb11ba9b2a8b9b2727227a
# To run integration tests docker-pycreds is required.
RUN git clone https://github.com/docker/docker-py.git /docker-py \
&& cd /docker-py \
diff --git a/api/common.go b/api/common.go
index d0229e0..af34d0b 100644
--- a/api/common.go
+++ b/api/common.go
@@ -3,7 +3,7 @@
// Common constants for daemon and client.
const (
// DefaultVersion of Current REST API
- DefaultVersion string = "1.34"
+ DefaultVersion string = "1.35"
// NoBaseImageSpecifier is the symbol used by the FROM
// command to specify that no base image is to be used.
diff --git a/daemon/volumes_unix.go b/daemon/volumes_unix.go
index 0ab0c6d..bee1fb1 100644
--- a/daemon/volumes_unix.go
+++ b/daemon/volumes_unix.go
@@ -84,8 +84,13 @@
// remapped root (user namespaces)
rootIDs := daemon.idMappings.RootPair()
for _, mount := range netMounts {
- if err := os.Chown(mount.Source, rootIDs.UID, rootIDs.GID); err != nil {
- return nil, err
+ // we should only modify ownership of network files within our own container
+ // metadata repository. If the user specifies a mount path external, it is
+ // up to the user to make sure the file has proper ownership for userns
+ if strings.Index(mount.Source, daemon.repository) == 0 {
+ if err := os.Chown(mount.Source, rootIDs.UID, rootIDs.GID); err != nil {
+ return nil, err
+ }
}
}
return append(mounts, netMounts...), nil
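Review bot: The guard `strings.Index(mount.Source, daemon.repository) == 0` is a plain string-prefix test, so a user-supplied source in a sibling directory whose name merely starts with the repository path (constructed example: `<repository>-other/hosts`) would still be chowned to the remapped root. Comparing on a path-component boundary closes that gap: `if strings.HasPrefix(filepath.Clean(mount.Source), filepath.Clean(daemon.repository)+string(filepath.Separator)) {`. This needs `path/filepath` imported if the file does not already import it. Whether `mount.Source` is already cleaned and free of symlinks at this point cannot be seen here, because the enclosing function starts and ends outside the hunk. If it is not, `os.Chown` will follow a symlink placed at that path, so that is worth confirming.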
diff --git a/hack/ci/janky b/hack/ci/janky
index fe04908..180f8c60 100755
--- a/hack/ci/janky
+++ b/hack/ci/janky
@@ -8,6 +8,6 @@
hack/make.sh \
binary-daemon \
dynbinary \
- test-integration \
test-docker-py \
+ test-integration \
cross
diff --git a/integration-cli/docker_api_containers_unix_test.go b/integration-cli/docker_api_containers_unix_test.go
new file mode 100644
index 0000000..4964f52
--- /dev/null
+++ b/integration-cli/docker_api_containers_unix_test.go
@@ -0,0 +1,77 @@
+// +build !windows
+
+package main
+
+import (
+ "io/ioutil"
+ "os"
+ "path/filepath"
+
+ "github.com/docker/docker/api/types"
+ containertypes "github.com/docker/docker/api/types/container"
+ mounttypes "github.com/docker/docker/api/types/mount"
+ networktypes "github.com/docker/docker/api/types/network"
+ "github.com/docker/docker/client"
+ "github.com/docker/docker/integration-cli/checker"
+ "github.com/docker/docker/pkg/ioutils"
+ "github.com/docker/docker/pkg/system"
+ "github.com/go-check/check"
+ "github.com/stretchr/testify/assert"
+ "golang.org/x/net/context"
+)
+
+func (s *DockerSuite) TestContainersAPINetworkMountsNoChown(c *check.C) {
+ // chown only applies to Linux bind mounted volumes; must be same host to verify
+ testRequires(c, DaemonIsLinux, SameHostDaemon)
+
+ tmpDir, err := ioutils.TempDir("", "test-network-mounts")
+ c.Assert(err, checker.IsNil)
+ defer os.RemoveAll(tmpDir)
+
+ // make tmp dir readable by anyone to allow userns process to mount from
+ err = os.Chmod(tmpDir, 0755)
+ c.Assert(err, checker.IsNil)
+ // create temp files to use as network mounts
+ tmpNWFileMount := filepath.Join(tmpDir, "nwfile")
+
+ err = ioutil.WriteFile(tmpNWFileMount, []byte("network file bind mount"), 0644)
+ c.Assert(err, checker.IsNil)
+
+ config := containertypes.Config{
+ Image: "busybox",
+ }
+ hostConfig := containertypes.HostConfig{
+ Mounts: []mounttypes.Mount{
+ {
+ Type: "bind",
+ Source: tmpNWFileMount,
+ Target: "/etc/resolv.conf",
+ },
+ {
+ Type: "bind",
+ Source: tmpNWFileMount,
+ Target: "/etc/hostname",
+ },
+ {
+ Type: "bind",
+ Source: tmpNWFileMount,
+ Target: "/etc/hosts",
+ },
+ },
+ }
+
+ cli, err := client.NewEnvClient()
+ c.Assert(err, checker.IsNil)
+ defer cli.Close()
+
+ ctrCreate, err := cli.ContainerCreate(context.Background(), &config, &hostConfig, &networktypes.NetworkingConfig{}, "")
+ c.Assert(err, checker.IsNil)
+ // container will exit immediately because of no tty, but we only need the start sequence to test the condition
+ err = cli.ContainerStart(context.Background(), ctrCreate.ID, types.ContainerStartOptions{})
+ c.Assert(err, checker.IsNil)
+
+ // check that host-located bind mount network file did not change ownership when the container was started
+ statT, err := system.Stat(tmpNWFileMount)
+ c.Assert(err, checker.IsNil)
+ assert.Equal(c, uint32(0), statT.UID(), "bind mounted network file should not change ownership from root")
+}
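Review bot: The final assertion in `TestContainersAPINetworkMountsNoChown` checks only `statT.UID()`, and it passes trivially when the daemon runs without user-namespace remapping, since the root pair is then presumably 0:0 and a chown would leave the file owned by root anyway. A comment above the assertion would make that clear, e.g. `// only meaningful when the daemon runs with userns remapping; otherwise the root pair is 0:0 and this passes either way`. Because the guarded `os.Chown` sets both IDs, the group should be asserted as well: `assert.Equal(c, uint32(0), statT.GID(), "bind mounted network file should not change group from root")`. The check also assumes the test process itself runs as root, which nothing in the test enforces.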
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 6ac10e7..6722523 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3115,6 +3115,11 @@
filename := createTmpFile(c, expected)
defer os.Remove(filename)
+ // for user namespaced test runs, the temp file must be accessible to unprivileged root
+ if err := os.Chmod(filename, 0646); err != nil {
+ c.Fatalf("error modifying permissions of %s: %v", filename, err)
+ }
+
nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
for i := range nwfiles {
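Review bot: The mode `0646` in the added `os.Chmod` makes the temp file writable by every local user while leaving the group read-only, and the comment ("must be accessible to unprivileged root") does not say why others need write access. If the container only reads the file, `os.Chmod(filename, 0644)` would be enough. If a write through the bind mount is intended, the comment should say so, e.g. `// remapped root is "other" on the host and must be able to write through the bind mount`. The same five-line block is repeated verbatim in the hunks at -3132 and -3149, so a small helper next to `createTmpFile` would keep the mode and its rationale in one place. The test bodies continue outside these hunks, so which access each test needs cannot be confirmed from here.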
@@ -3132,6 +3137,11 @@
filename := createTmpFile(c, "test123")
defer os.Remove(filename)
+ // for user namespaced test runs, the temp file must be accessible to unprivileged root
+ if err := os.Chmod(filename, 0646); err != nil {
+ c.Fatalf("error modifying permissions of %s: %v", filename, err)
+ }
+
nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
for i := range nwfiles {
@@ -3149,6 +3159,11 @@
filename := createTmpFile(c, "test123")
defer os.Remove(filename)
+ // for user namespaced test runs, the temp file must be accessible to unprivileged root
+ if err := os.Chmod(filename, 0646); err != nil {
+ c.Fatalf("error modifying permissions of %s: %v", filename, err)
+ }
+
nwfiles := []string{"/etc/resolv.conf", "/etc/hosts", "/etc/hostname"}
for i := range nwfiles {