Merge pull request #29425 from tophj-ibm/fix-ppc64le-gopath
[1.12.x] ppc64le, update gopath to include vendor
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 62ee5b9..8a3ea6b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,49 @@
https://docs.docker.com/engine/deprecated/ where target removal dates can also
be found.
-## 1.12.4 (2016-12-06)
+## 1.12.5 (2016-12-15)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+ Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+ no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+ [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+### Runtime
+
+- Fix race on sending stdin close event [#29424](https://github.com/docker/docker/pull/29424)
+
+### Networking
+
+- Fix panic in docker network ls when a network was created with `--ipv6` and no ipv6 `--subnet` in older docker versions [#29416](https://github.com/docker/docker/pull/29416)
+
+### Contrib
+
+- Fix compilation on Darwin [#29370](https://github.com/docker/docker/pull/29370)
+- Use the selinux policy provided by docker-selinux on CentOS [#29377](https://github.com/docker/docker/pull/29377)
+
+## 1.12.4 (2016-12-12)
**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
@@ -46,6 +88,7 @@
- Fix volume store locking [#29151](https://github.com/docker/docker/pull/29151)
- Ensure consistent status code in API [#29150](https://github.com/docker/docker/pull/29150)
- Fix incorrect opaque directory permission in overlay2 [#29093](https://github.com/docker/docker/pull/29093)
+- Detect plugin content and error out on `docker pull` [#29297](https://github.com/docker/docker/pull/29297)
### Swarm Mode
@@ -77,7 +120,7 @@
- Run "dnf upgrade" before installing in fedora [#29150](https://github.com/docker/docker/pull/29150)
- Add build-date back to RPM packages [#29150](https://github.com/docker/docker/pull/29150)
-- Update selinux policy for distros based on RHEL7.3 [#29188](https://github.com/docker/docker/pull/29188)
+- deb package filename changed to include distro to distinguish between distro code names [#27829](https://github.com/docker/docker/pull/27829)
## 1.12.3 (2016-10-26)
diff --git a/VERSION b/VERSION
index ce1d504..3674cb5 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-1.12.4-rc1
+1.12.5-rc1
diff --git a/api/client/image/pull.go b/api/client/image/pull.go
index e5968db..159156f 100644
--- a/api/client/image/pull.go
+++ b/api/client/image/pull.go
@@ -77,9 +77,13 @@
if client.IsTrusted() && !registryRef.HasDigest() {
// Check if tag is digest
- return dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege)
+ err = dockerCli.TrustedPull(ctx, repoInfo, registryRef, authConfig, requestPrivilege)
+ } else {
+ err = dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all)
+ }
+ if err != nil {
+ return err
}
- return dockerCli.ImagePullPrivileged(ctx, authConfig, distributionRef.String(), requestPrivilege, opts.all)
-
+ return nil
}
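Review bot: The trailing `if err != nil { return err }` followed by `return nil` is equivalent to a single `return err`, so the new tail of this function adds lines without changing behaviour. Unless an error-specific branch is planned there, `return err` reads more directly. The surviving comment `// Check if tag is digest` now sits directly above the TrustedPull call, where it describes the condition rather than the call. A comment on the `else` branch such as `// references with a digest, or clients without content trust, are pulled directly` would make the trust decision explicit, assuming that is what the branch means. The function starts outside this hunk, so the declaration of `err` is not visible here.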
diff --git a/api/server/router/network/network_routes.go b/api/server/router/network/network_routes.go
index 2688376..8981202 100644
--- a/api/server/router/network/network_routes.go
+++ b/api/server/router/network/network_routes.go
@@ -264,6 +264,9 @@
if !hasIpv6Conf {
for _, ip6Info := range ipv6Info {
+ if ip6Info.IPAMData.Pool == nil {
+ continue
+ }
iData := network.IPAMConfig{}
iData.Subnet = ip6Info.IPAMData.Pool.String()
iData.Gateway = ip6Info.IPAMData.Gateway.String()
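Review bot: The new guard covers only `ip6Info.IPAMData.Pool`, while `ip6Info.IPAMData.Gateway.String()` two lines below is still called without any check. If Gateway is a pointer like Pool appears to be (its type is not visible in this hunk), an entry with a subnet but no gateway could still panic this API handler, depending on how the Go version in use treats a nil receiver. Guarding it separately keeps the subnet in the output: `if gw := ip6Info.IPAMData.Gateway; gw != nil { iData.Gateway = gw.String() }`. The loop body continues past the end of the hunk.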
diff --git a/container/container.go b/container/container.go
index 9e0f255..ebde058 100644
--- a/container/container.go
+++ b/container/container.go
@@ -16,6 +16,7 @@
"golang.org/x/net/context"
"github.com/Sirupsen/logrus"
+ "github.com/docker/docker/container/stream"
"github.com/docker/docker/daemon/exec"
"github.com/docker/docker/daemon/logger"
"github.com/docker/docker/daemon/logger/jsonfilelog"
@@ -59,7 +60,7 @@
// CommonContainer holds the fields for a container which are
// applicable across all platforms supported by the daemon.
type CommonContainer struct {
- *runconfig.StreamConfig
+ StreamConfig *stream.Config
// embed for Container to support states directly.
*State `json:"State"` // Needed for remote api version <= 1.11
Root string `json:"-"` // Path to the "home" of the container, including metadata.
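Review bot: `StreamConfig *stream.Config` is now a named exported field with no struct tag, while the neighbouring fields carry explicit tags (`json:"State"`, `json:"-"`), which suggests CommonContainer is JSON-encoded somewhere. As an embedded pointer it was flattened into the parent object; as a named field it will be emitted under its own `StreamConfig` key, and a `null` for that key on decode would reset the pointer to nil. If the stream state is runtime-only, tagging the field `json:"-"` states that; otherwise a comment saying it is intentionally serialised would help. The struct continues outside the hunk.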
@@ -102,7 +103,7 @@
ExecCommands: exec.NewStore(),
Root: root,
MountPoints: make(map[string]*volume.MountPoint),
- StreamConfig: runconfig.NewStreamConfig(),
+ StreamConfig: stream.NewConfig(),
attachContext: &attachContext{},
},
}
@@ -367,7 +368,7 @@
// AttachStreams connects streams to a TTY.
// Used by exec too. Should this move somewhere else?
-func AttachStreams(ctx context.Context, streamConfig *runconfig.StreamConfig, openStdin, stdinOnce, tty bool, stdin io.ReadCloser, stdout io.Writer, stderr io.Writer, keys []byte) chan error {
+func AttachStreams(ctx context.Context, streamConfig *stream.Config, openStdin, stdinOnce, tty bool, stdin io.ReadCloser, stdout io.Writer, stderr io.Writer, keys []byte) chan error {
var (
cStdout, cStderr io.ReadCloser
cStdin io.WriteCloser
@@ -997,6 +998,26 @@
return nil
}
+// StdinPipe gets the stdin stream of the container
+func (container *Container) StdinPipe() io.WriteCloser {
+ return container.StreamConfig.StdinPipe()
+}
+
+// StdoutPipe gets the stdout stream of the container
+func (container *Container) StdoutPipe() io.ReadCloser {
+ return container.StreamConfig.StdoutPipe()
+}
+
+// StderrPipe gets the stderr stream of the container
+func (container *Container) StderrPipe() io.ReadCloser {
+ return container.StreamConfig.StderrPipe()
+}
+
+// CloseStreams closes the container's stdio streams
+func (container *Container) CloseStreams() error {
+ return container.StreamConfig.CloseStreams()
+}
+
// InitializeStdio is called by libcontainerd to connect the stdio.
func (container *Container) InitializeStdio(iop libcontainerd.IOPipe) error {
if err := container.startLogging(); err != nil {
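Review bot: The doc comments on `StdoutPipe` and `StderrPipe` say they get the container's stream, but the `stream.Config` methods they delegate to (added in container/stream/streams.go in this same commit) create a new bytes pipe and add it to the broadcaster on every call. A caller going by the comment could call them repeatedly and leave pipes attached. Suggested wording: `// StdoutPipe returns a new reader attached to the container's stdout broadcaster; each call adds a consumer, which the caller should Close when done.`, and the same for `StderrPipe`. InitializeStdio at the end of the hunk continues outside it.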
@@ -1006,7 +1027,7 @@
container.StreamConfig.CopyToPipe(iop)
- if container.Stdin() == nil && !container.Config.Tty {
+ if container.StreamConfig.Stdin() == nil && !container.Config.Tty {
if iop.Stdin != nil {
if err := iop.Stdin.Close(); err != nil {
logrus.Warnf("error closing stdin: %+v", err)
diff --git a/container/monitor.go b/container/monitor.go
index 6a7ece6..f05e72b 100644
--- a/container/monitor.go
+++ b/container/monitor.go
@@ -23,7 +23,7 @@
// Re-create a brand new stdin pipe once the container exited
if container.Config.OpenStdin {
- container.NewInputPipes()
+ container.StreamConfig.NewInputPipes()
}
if container.LogDriver != nil {
diff --git a/container/stream/streams.go b/container/stream/streams.go
new file mode 100644
index 0000000..a45e31f
--- /dev/null
+++ b/container/stream/streams.go
@@ -0,0 +1,143 @@
+package stream
+
+import (
+ "fmt"
+ "io"
+ "io/ioutil"
+ "strings"
+ "sync"
+
+ "github.com/Sirupsen/logrus"
+ "github.com/docker/docker/libcontainerd"
+ "github.com/docker/docker/pkg/broadcaster"
+ "github.com/docker/docker/pkg/ioutils"
+ "github.com/docker/docker/pkg/pools"
+)
+
+// Config holds information about I/O streams managed together.
+//
+// config.StdinPipe returns a WriteCloser which can be used to feed data
+// to the standard input of the streamConfig's active process.
+// config.StdoutPipe and streamConfig.StderrPipe each return a ReadCloser
+// which can be used to retrieve the standard output (and error) generated
+// by the container's active process. The output (and error) are actually
+// copied and delivered to all StdoutPipe and StderrPipe consumers, using
+// a kind of "broadcaster".
+type Config struct {
+ sync.WaitGroup
+ stdout *broadcaster.Unbuffered
+ stderr *broadcaster.Unbuffered
+ stdin io.ReadCloser
+ stdinPipe io.WriteCloser
+}
+
+// NewConfig creates a stream config and initializes
+// the standard err and standard out to new unbuffered broadcasters.
+func NewConfig() *Config {
+ return &Config{
+ stderr: new(broadcaster.Unbuffered),
+ stdout: new(broadcaster.Unbuffered),
+ }
+}
+
+// Stdout returns the standard output in the configuration.
+func (c *Config) Stdout() *broadcaster.Unbuffered {
+ return c.stdout
+}
+
+// Stderr returns the standard error in the configuration.
+func (c *Config) Stderr() *broadcaster.Unbuffered {
+ return c.stderr
+}
+
+// Stdin returns the standard input in the configuration.
+func (c *Config) Stdin() io.ReadCloser {
+ return c.stdin
+}
+
+// StdinPipe returns an input writer pipe as an io.WriteCloser.
+func (c *Config) StdinPipe() io.WriteCloser {
+ return c.stdinPipe
+}
+
+// StdoutPipe creates a new io.ReadCloser with an empty bytes pipe.
+// It adds this new out pipe to the Stdout broadcaster.
+func (c *Config) StdoutPipe() io.ReadCloser {
+ bytesPipe := ioutils.NewBytesPipe()
+ c.stdout.Add(bytesPipe)
+ return bytesPipe
+}
+
+// StderrPipe creates a new io.ReadCloser with an empty bytes pipe.
+// It adds this new err pipe to the Stderr broadcaster.
+func (c *Config) StderrPipe() io.ReadCloser {
+ bytesPipe := ioutils.NewBytesPipe()
+ c.stderr.Add(bytesPipe)
+ return bytesPipe
+}
+
+// NewInputPipes creates new pipes for both standard inputs, Stdin and StdinPipe.
+func (c *Config) NewInputPipes() {
+ c.stdin, c.stdinPipe = io.Pipe()
+}
+
+// NewNopInputPipe creates a new input pipe that will silently drop all messages in the input.
+func (c *Config) NewNopInputPipe() {
+ c.stdinPipe = ioutils.NopWriteCloser(ioutil.Discard)
+}
+
+// CloseStreams ensures that the configured streams are properly closed.
+func (c *Config) CloseStreams() error {
+ var errors []string
+
+ if c.stdin != nil {
+ if err := c.stdin.Close(); err != nil {
+ errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
+ }
+ }
+
+ if err := c.stdout.Clean(); err != nil {
+ errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
+ }
+
+ if err := c.stderr.Clean(); err != nil {
+ errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
+ }
+
+ if len(errors) > 0 {
+ return fmt.Errorf(strings.Join(errors, "\n"))
+ }
+
+ return nil
+}
+
+// CopyToPipe connects streamconfig with a libcontainerd.IOPipe
+func (c *Config) CopyToPipe(iop libcontainerd.IOPipe) {
+ copyFunc := func(w io.Writer, r io.Reader) {
+ c.Add(1)
+ go func() {
+ if _, err := pools.Copy(w, r); err != nil {
+ logrus.Errorf("stream copy error: %+v", err)
+ }
+ c.Done()
+ }()
+ }
+
+ if iop.Stdout != nil {
+ copyFunc(c.Stdout(), iop.Stdout)
+ }
+ if iop.Stderr != nil {
+ copyFunc(c.Stderr(), iop.Stderr)
+ }
+
+ if stdin := c.Stdin(); stdin != nil {
+ if iop.Stdin != nil {
+ go func() {
+ pools.Copy(iop.Stdin, stdin)
+ if err := iop.Stdin.Close(); err != nil {
+ logrus.Errorf("failed to close stdin: %+v", err)
+ }
+ }()
+ }
+ }
+}
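Review bot: In `CloseStreams`, `fmt.Errorf(strings.Join(errors, "\n"))` passes the joined error text as the format string, so any `%` in an underlying error message is read as a verb and the returned error is garbled; `return fmt.Errorf("%s", strings.Join(errors, "\n"))` avoids that. The local slice is also named `errors`, which would shadow the standard package if it were ever imported here; `errs` is the usual name. In `CopyToPipe`, the stdin goroutine discards the result of `pools.Copy(iop.Stdin, stdin)` and is not counted in the embedded WaitGroup, unlike the stdout and stderr copies, so a failed stdin copy is silent and `Wait` does not cover it; a comment saying whether that is intentional would help. The embedded `sync.WaitGroup` also exposes `Add`/`Done`/`Wait` to every holder of a `*Config`.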
diff --git a/contrib/builder/rpm/amd64/centos-7/Dockerfile b/contrib/builder/rpm/amd64/centos-7/Dockerfile
index c31922e..79e9101 100644
--- a/contrib/builder/rpm/amd64/centos-7/Dockerfile
+++ b/contrib/builder/rpm/amd64/centos-7/Dockerfile
@@ -7,7 +7,6 @@
RUN yum groupinstall -y "Development Tools"
RUN yum -y swap -- remove systemd-container systemd-container-libs -- install systemd systemd-libs
RUN yum install -y btrfs-progs-devel device-mapper-devel glibc-static libseccomp-devel libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel systemd-devel tar git
-RUN [ `rpm -q selinux-policy-devel | grep el7_3` ] || yum -y --enablerepo=cr install selinux-policy-devel
ENV GO_VERSION 1.6.4
RUN curl -fSL "https://storage.googleapis.com/golang/go${GO_VERSION}.linux-amd64.tar.gz" | tar xzC /usr/local
diff --git a/contrib/builder/rpm/amd64/generate.sh b/contrib/builder/rpm/amd64/generate.sh
index f6a5835..52d30b4 100755
--- a/contrib/builder/rpm/amd64/generate.sh
+++ b/contrib/builder/rpm/amd64/generate.sh
@@ -132,10 +132,6 @@
# use zypper
echo "RUN zypper --non-interactive install ${packages[*]}" >> "$version/Dockerfile"
;;
- centos:7)
- echo "RUN ${installer} install -y ${packages[*]}" >> "$version/Dockerfile"
- echo 'RUN [ `rpm -q selinux-policy-devel | grep el7_3` ] || yum -y --enablerepo=cr install selinux-policy-devel' >> "$version/Dockerfile"
- ;;
*)
echo "RUN ${installer} install -y ${packages[*]}" >> "$version/Dockerfile"
;;
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/LICENSE b/contrib/selinux-centos-7/docker-engine-selinux/LICENSE
deleted file mode 100644
index d511905..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/LICENSE
+++ /dev/null
@@ -1,339 +0,0 @@
- GNU GENERAL PUBLIC LICENSE
- Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
- Preamble
-
- The licenses for most software are designed to take away your
-freedom to share and change it. By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users. This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it. (Some other Free Software Foundation software is covered by
-the GNU Lesser General Public License instead.) You can apply it to
-your programs, too.
-
- When we speak of free software, we are referring to freedom, not
-price. Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
- To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
- For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have. You must make sure that they, too, receive or can get the
-source code. And you must show them these terms so they know their
-rights.
-
- We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
- Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software. If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
- Finally, any free program is threatened constantly by software
-patents. We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary. To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
- The precise terms and conditions for copying, distribution and
-modification follow.
-
- GNU GENERAL PUBLIC LICENSE
- TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
- 0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License. The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language. (Hereinafter, translation is included without limitation in
-the term "modification".) Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope. The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
- 1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
- 2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
- a) You must cause the modified files to carry prominent notices
- stating that you changed the files and the date of any change.
-
- b) You must cause any work that you distribute or publish, that in
- whole or in part contains or is derived from the Program or any
- part thereof, to be licensed as a whole at no charge to all third
- parties under the terms of this License.
-
- c) If the modified program normally reads commands interactively
- when run, you must cause it, when started running for such
- interactive use in the most ordinary way, to print or display an
- announcement including an appropriate copyright notice and a
- notice that there is no warranty (or else, saying that you provide
- a warranty) and that users may redistribute the program under
- these conditions, and telling the user how to view a copy of this
- License. (Exception: if the Program itself is interactive but
- does not normally print such an announcement, your work based on
- the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole. If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works. But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
- 3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
- a) Accompany it with the complete corresponding machine-readable
- source code, which must be distributed under the terms of Sections
- 1 and 2 above on a medium customarily used for software interchange; or,
-
- b) Accompany it with a written offer, valid for at least three
- years, to give any third party, for a charge no more than your
- cost of physically performing source distribution, a complete
- machine-readable copy of the corresponding source code, to be
- distributed under the terms of Sections 1 and 2 above on a medium
- customarily used for software interchange; or,
-
- c) Accompany it with the information you received as to the offer
- to distribute corresponding source code. (This alternative is
- allowed only for noncommercial distribution and only if you
- received the program in object code or executable form with such
- an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it. For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable. However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
- 4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License. Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
- 5. You are not required to accept this License, since you have not
-signed it. However, nothing else grants you permission to modify or
-distribute the Program or its derivative works. These actions are
-prohibited by law if you do not accept this License. Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
- 6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions. You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
- 7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License. If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all. For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices. Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
- 8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded. In such case, this License incorporates
-the limitation as if written in the body of this License.
-
- 9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time. Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number. If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation. If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
- 10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission. For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this. Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
- NO WARRANTY
-
- 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
- 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
- END OF TERMS AND CONDITIONS
-
- How to Apply These Terms to Your New Programs
-
- If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
- To do so, attach the following notices to the program. It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
- <one line to give the program's name and a brief idea of what it does.>
- Copyright (C) <year> <name of author>
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
- (at your option) any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License along
- with this program; if not, write to the Free Software Foundation, Inc.,
- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
- Gnomovision version 69, Copyright (C) year name of author
- Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
- This is free software, and you are welcome to redistribute it
- under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License. Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary. Here is a sample; alter the names:
-
- Yoyodyne, Inc., hereby disclaims all copyright interest in the program
- `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
- <signature of Ty Coon>, 1 April 1989
- Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs. If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library. If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/Makefile b/contrib/selinux-centos-7/docker-engine-selinux/Makefile
deleted file mode 100644
index b9c3e99..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/Makefile
+++ /dev/null
@@ -1,27 +0,0 @@
-TARGETS?=docker
-MODULES?=${TARGETS:=.pp.bz2}
-SHAREDIR?=/usr/share
-
-all: ${TARGETS:=.pp.bz2}
-
-%.pp.bz2: %.pp
- @echo Compressing $^ -\> $@
- bzip2 -9 $^
-
-%.pp: %.te
- make -f ${SHAREDIR}/selinux/devel/Makefile $@
-
-clean:
- rm -f *~ *.tc *.pp *.pp.bz2
- rm -rf tmp *.tar.gz
-
-man: install-policy
- sepolicy manpage --path . --domain ${TARGETS}_t
-
-install-policy: all
- semodule -i ${TARGETS}.pp.bz2
-
-install: man
- install -D -m 644 ${TARGETS}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/docker.pp.bz2
- install -D -m 644 docker.if ${DESTDIR}${SHAREDIR}/selinux/devel/include/services/docker.if
- install -D -m 644 docker_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/README.md b/contrib/selinux-centos-7/docker-engine-selinux/README.md
deleted file mode 100644
index 7ea3117..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/README.md
+++ /dev/null
@@ -1 +0,0 @@
-SELinux policy for docker
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/docker.fc b/contrib/selinux-centos-7/docker-engine-selinux/docker.fc
deleted file mode 100644
index d196d2b..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/docker.fc
+++ /dev/null
@@ -1,42 +0,0 @@
-/root/\.docker gen_context(system_u:object_r:docker_home_t,s0)
-
-/usr/libexec/docker/docker.* -- gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker.* -- gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-latest -- gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-current -- gen_context(system_u:object_r:docker_exec_t,s0)
-/usr/bin/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
-/usr/lib/docker/docker-novolume-plugin -- gen_context(system_u:object_r:docker_auth_exec_t,s0)
-
-/usr/lib/systemd/system/docker.* -- gen_context(system_u:object_r:docker_unit_file_t,s0)
-
-/etc/docker(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
-/etc/docker-latest(/.*)? gen_context(system_u:object_r:docker_config_t,s0)
-
-/var/lib/docker(/.*)? gen_context(system_u:object_r:docker_var_lib_t,s0)
-/var/lib/docker/overlay(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/init(/.*)? gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/containers/.*/hosts gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/containers/.*/hostname gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/lib/docker/containers/.*/.*\.log gen_context(system_u:object_r:docker_log_t,s0)
-/var/lib/docker-latest/containers/.*/.*\.log gen_context(system_u:object_r:docker_log_t,s0)
-
-/var/lib/docker/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
-/var/lib/docker-latest/.*/config\.env gen_context(system_u:object_r:docker_share_t,s0)
-
-/var/run/docker(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/containerd(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker\.pid -- gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker\.sock -s gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker-client(/.*)? gen_context(system_u:object_r:docker_var_run_t,s0)
-/var/run/docker/plugins(/.*)? gen_context(system_u:object_r:docker_plugin_var_run_t,s0)
-
-/var/lock/lxc(/.*)? gen_context(system_u:object_r:docker_lock_t,s0)
-
-/var/log/lxc(/.*)? gen_context(system_u:object_r:docker_log_t,s0)
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/docker.if b/contrib/selinux-centos-7/docker-engine-selinux/docker.if
deleted file mode 100644
index e087e8b..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/docker.if
+++ /dev/null
@@ -1,523 +0,0 @@
-
-## <summary>The open-source application container engine.</summary>
-
-########################################
-## <summary>
-## Execute docker in the docker domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_domtrans',`
- gen_require(`
- type docker_t, docker_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, docker_exec_t, docker_t)
-')
-
-########################################
-## <summary>
-## Execute docker in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_exec',`
- gen_require(`
- type docker_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, docker_exec_t)
-')
-
-########################################
-## <summary>
-## Search docker lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_search_lib',`
- gen_require(`
- type docker_var_lib_t;
- ')
-
- allow $1 docker_var_lib_t:dir search_dir_perms;
- files_search_var_lib($1)
-')
-
-########################################
-## <summary>
-## Execute docker lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_exec_lib',`
- gen_require(`
- type docker_var_lib_t;
- ')
-
- allow $1 docker_var_lib_t:dir search_dir_perms;
- can_exec($1, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read docker lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_read_lib_files',`
- gen_require(`
- type docker_var_lib_t;
- ')
-
- files_search_var_lib($1)
- read_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-## Read docker share files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_read_share_files',`
- gen_require(`
- type docker_share_t;
- ')
-
- files_search_var_lib($1)
- list_dirs_pattern($1, docker_share_t, docker_share_t)
- read_files_pattern($1, docker_share_t, docker_share_t)
- read_lnk_files_pattern($1, docker_share_t, docker_share_t)
-')
-
-######################################
-## <summary>
-## Allow the specified domain to execute apache
-## in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apache_exec',`
- gen_require(`
- type httpd_exec_t;
- ')
-
- can_exec($1, httpd_exec_t)
-')
-
-######################################
-## <summary>
-## Allow the specified domain to execute docker shared files
-## in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_exec_share_files',`
- gen_require(`
- type docker_share_t;
- ')
-
- can_exec($1, docker_share_t)
-')
-
-########################################
-## <summary>
-## Manage docker lib files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_manage_lib_files',`
- gen_require(`
- type docker_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
- manage_lnk_files_pattern($1, docker_var_lib_t, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-## Manage docker lib directories.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_manage_lib_dirs',`
- gen_require(`
- type docker_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_dirs_pattern($1, docker_var_lib_t, docker_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create objects in a docker var lib directory
-## with an automatic type transition to
-## a specified private type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="private_type">
-## <summary>
-## The type of the object to create.
-## </summary>
-## </param>
-## <param name="object_class">
-## <summary>
-## The class of the object to be created.
-## </summary>
-## </param>
-## <param name="name" optional="true">
-## <summary>
-## The name of the object being created.
-## </summary>
-## </param>
-#
-interface(`docker_lib_filetrans',`
- gen_require(`
- type docker_var_lib_t;
- ')
-
- filetrans_pattern($1, docker_var_lib_t, $2, $3, $4)
-')
-
-########################################
-## <summary>
-## Read docker PID files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_read_pid_files',`
- gen_require(`
- type docker_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, docker_var_run_t, docker_var_run_t)
-')
-
-########################################
-## <summary>
-## Execute docker server in the docker domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_systemctl',`
- gen_require(`
- type docker_t;
- type docker_unit_file_t;
- ')
-
- systemd_exec_systemctl($1)
- init_reload_services($1)
- systemd_read_fifo_file_passwd_run($1)
- allow $1 docker_unit_file_t:file read_file_perms;
- allow $1 docker_unit_file_t:service manage_service_perms;
-
- ps_process_pattern($1, docker_t)
-')
-
-########################################
-## <summary>
-## Read and write docker shared memory.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_rw_sem',`
- gen_require(`
- type docker_t;
- ')
-
- allow $1 docker_t:sem rw_sem_perms;
-')
-
-#######################################
-## <summary>
-## Read and write the docker pty type.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_use_ptys',`
- gen_require(`
- type docker_devpts_t;
- ')
-
- allow $1 docker_devpts_t:chr_file rw_term_perms;
-')
-
-#######################################
-## <summary>
-## Allow domain to create docker content
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_filetrans_named_content',`
-
- gen_require(`
- type docker_var_lib_t;
- type docker_share_t;
- type docker_log_t;
- type docker_var_run_t;
- type docker_home_t;
- ')
-
- files_pid_filetrans($1, docker_var_run_t, file, "docker.pid")
- files_pid_filetrans($1, docker_var_run_t, sock_file, "docker.sock")
- files_pid_filetrans($1, docker_var_run_t, dir, "docker-client")
- logging_log_filetrans($1, docker_log_t, dir, "lxc")
- files_var_lib_filetrans($1, docker_var_lib_t, dir, "docker")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "config.env")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hosts")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "hostname")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, file, "resolv.conf")
- filetrans_pattern($1, docker_var_lib_t, docker_share_t, dir, "init")
- userdom_admin_home_dir_filetrans($1, docker_home_t, dir, ".docker")
-')
-
-########################################
-## <summary>
-## Connect to docker over a unix stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_stream_connect',`
- gen_require(`
- type docker_t, docker_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, docker_var_run_t, docker_var_run_t, docker_t)
-')
-
-########################################
-## <summary>
-## Connect to SPC containers over a unix stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_spc_stream_connect',`
- gen_require(`
- type spc_t, spc_var_run_t;
- ')
-
- files_search_pids($1)
- files_write_all_pid_sockets($1)
- allow $1 spc_t:unix_stream_socket connectto;
-')
-
-########################################
-## <summary>
-## All of the rules required to administrate
-## an docker environment
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_admin',`
- gen_require(`
- type docker_t;
- type docker_var_lib_t, docker_var_run_t;
- type docker_unit_file_t;
- type docker_lock_t;
- type docker_log_t;
- type docker_config_t;
- ')
-
- allow $1 docker_t:process { ptrace signal_perms };
- ps_process_pattern($1, docker_t)
-
- admin_pattern($1, docker_config_t)
-
- files_search_var_lib($1)
- admin_pattern($1, docker_var_lib_t)
-
- files_search_pids($1)
- admin_pattern($1, docker_var_run_t)
-
- files_search_locks($1)
- admin_pattern($1, docker_lock_t)
-
- logging_search_logs($1)
- admin_pattern($1, docker_log_t)
-
- docker_systemctl($1)
- admin_pattern($1, docker_unit_file_t)
- allow $1 docker_unit_file_t:service all_service_perms;
-
- optional_policy(`
- systemd_passwd_agent_exec($1)
- systemd_read_fifo_file_passwd_run($1)
- ')
-')
-
-########################################
-## <summary>
-## Execute docker_auth_exec_t in the docker_auth domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`docker_auth_domtrans',`
- gen_require(`
- type docker_auth_t, docker_auth_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, docker_auth_exec_t, docker_auth_t)
-')
-
-######################################
-## <summary>
-## Execute docker_auth in the caller domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_auth_exec',`
- gen_require(`
- type docker_auth_exec_t;
- ')
-
- corecmd_search_bin($1)
- can_exec($1, docker_auth_exec_t)
-')
-
-########################################
-## <summary>
-## Connect to docker_auth over a unix stream socket.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`docker_auth_stream_connect',`
- gen_require(`
- type docker_auth_t, docker_plugin_var_run_t;
- ')
-
- files_search_pids($1)
- stream_connect_pattern($1, docker_plugin_var_run_t, docker_plugin_var_run_t, docker_auth_t)
-')
-
-########################################
-## <summary>
-## docker domain typebounds calling domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to be typebound.
-## </summary>
-## </param>
-#
-interface(`docker_typebounds',`
- gen_require(`
- type docker_t;
- ')
-
- typebounds docker_t $1;
-')
-
-########################################
-## <summary>
-## Allow any docker_exec_t to be an entrypoint of this domain
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`docker_entrypoint',`
- gen_require(`
- type docker_exec_t;
- ')
- allow $1 docker_exec_t:file entrypoint;
-')
diff --git a/contrib/selinux-centos-7/docker-engine-selinux/docker.te b/contrib/selinux-centos-7/docker-engine-selinux/docker.te
deleted file mode 100644
index 22fa91f..0000000
--- a/contrib/selinux-centos-7/docker-engine-selinux/docker.te
+++ /dev/null
@@ -1,425 +0,0 @@
-policy_module(docker, 1.0.0)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Determine whether docker can
-## connect to all TCP ports.
-## </p>
-## </desc>
-gen_tunable(docker_connect_any, false)
-
-type docker_t;
-type docker_exec_t;
-init_daemon_domain(docker_t, docker_exec_t)
-domain_subj_id_change_exemption(docker_t)
-domain_role_change_exemption(docker_t)
-
-type spc_t;
-domain_type(spc_t)
-role system_r types spc_t;
-
-type docker_auth_t;
-type docker_auth_exec_t;
-init_daemon_domain(docker_auth_t, docker_auth_exec_t)
-
-type spc_var_run_t;
-files_pid_file(spc_var_run_t)
-
-type docker_var_lib_t;
-files_type(docker_var_lib_t)
-
-type docker_home_t;
-userdom_user_home_content(docker_home_t)
-
-type docker_config_t;
-files_config_file(docker_config_t)
-
-type docker_lock_t;
-files_lock_file(docker_lock_t)
-
-type docker_log_t;
-logging_log_file(docker_log_t)
-
-type docker_tmp_t;
-files_tmp_file(docker_tmp_t)
-
-type docker_tmpfs_t;
-files_tmpfs_file(docker_tmpfs_t)
-
-type docker_var_run_t;
-files_pid_file(docker_var_run_t)
-
-type docker_plugin_var_run_t;
-files_pid_file(docker_plugin_var_run_t)
-
-type docker_unit_file_t;
-systemd_unit_file(docker_unit_file_t)
-
-type docker_devpts_t;
-term_pty(docker_devpts_t)
-
-type docker_share_t;
-files_mountpoint(docker_share_t)
-
-type docker_port_t;
-corenet_port(docker_port_t)
-
-########################################
-#
-# docker local policy
-#
-allow docker_t self:capability { chown kill fowner fsetid mknod net_admin net_bind_service net_raw setfcap };
-allow docker_t self:tun_socket relabelto;
-allow docker_t self:process { getattr signal_perms setrlimit setfscreate };
-allow docker_t self:fifo_file rw_fifo_file_perms;
-allow docker_t self:unix_stream_socket create_stream_socket_perms;
-allow docker_t self:tcp_socket create_stream_socket_perms;
-allow docker_t self:udp_socket create_socket_perms;
-allow docker_t self:capability2 block_suspend;
-allow docker_t docker_port_t:tcp_socket name_bind;
-
-docker_auth_stream_connect(docker_t)
-
-manage_files_pattern(docker_t, docker_home_t, docker_home_t)
-manage_dirs_pattern(docker_t, docker_home_t, docker_home_t)
-manage_lnk_files_pattern(docker_t, docker_home_t, docker_home_t)
-userdom_admin_home_dir_filetrans(docker_t, docker_home_t, dir, ".docker")
-
-manage_dirs_pattern(docker_t, docker_config_t, docker_config_t)
-manage_files_pattern(docker_t, docker_config_t, docker_config_t)
-files_etc_filetrans(docker_t, docker_config_t, dir, "docker")
-
-manage_dirs_pattern(docker_t, docker_lock_t, docker_lock_t)
-manage_files_pattern(docker_t, docker_lock_t, docker_lock_t)
-files_lock_filetrans(docker_t, docker_lock_t, { dir file }, "lxc")
-
-manage_dirs_pattern(docker_t, docker_log_t, docker_log_t)
-manage_files_pattern(docker_t, docker_log_t, docker_log_t)
-manage_lnk_files_pattern(docker_t, docker_log_t, docker_log_t)
-logging_log_filetrans(docker_t, docker_log_t, { dir file lnk_file })
-allow docker_t docker_log_t:dir_file_class_set { relabelfrom relabelto };
-filetrans_pattern(docker_t, docker_var_lib_t, docker_log_t, file, "container-json.log")
-
-manage_dirs_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-manage_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-manage_lnk_files_pattern(docker_t, docker_tmp_t, docker_tmp_t)
-files_tmp_filetrans(docker_t, docker_tmp_t, { dir file lnk_file })
-
-manage_dirs_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_lnk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_fifo_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_chr_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-manage_blk_files_pattern(docker_t, docker_tmpfs_t, docker_tmpfs_t)
-allow docker_t docker_tmpfs_t:dir relabelfrom;
-can_exec(docker_t, docker_tmpfs_t)
-fs_tmpfs_filetrans(docker_t, docker_tmpfs_t, { dir file })
-allow docker_t docker_tmpfs_t:chr_file mounton;
-
-manage_dirs_pattern(docker_t, docker_share_t, docker_share_t)
-manage_chr_files_pattern(docker_t, docker_share_t, docker_share_t)
-manage_blk_files_pattern(docker_t, docker_share_t, docker_share_t)
-manage_files_pattern(docker_t, docker_share_t, docker_share_t)
-manage_lnk_files_pattern(docker_t, docker_share_t, docker_share_t)
-allow docker_t docker_share_t:dir_file_class_set { relabelfrom relabelto };
-can_exec(docker_t, docker_share_t)
-filetrans_pattern(docker_t, docker_var_lib_t, docker_share_t, dir, "overlay")
-
-#docker_filetrans_named_content(docker_t)
-
-manage_dirs_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_chr_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_blk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_sock_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-manage_lnk_files_pattern(docker_t, docker_var_lib_t, docker_var_lib_t)
-allow docker_t docker_var_lib_t:dir_file_class_set { relabelfrom relabelto };
-files_var_lib_filetrans(docker_t, docker_var_lib_t, { dir file lnk_file })
-
-manage_dirs_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_fifo_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_sock_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-manage_lnk_files_pattern(docker_t, docker_var_run_t, docker_var_run_t)
-files_pid_filetrans(docker_t, docker_var_run_t, { dir file lnk_file sock_file })
-
-allow docker_t docker_devpts_t:chr_file { relabelfrom rw_chr_file_perms setattr_chr_file_perms };
-term_create_pty(docker_t, docker_devpts_t)
-
-kernel_read_system_state(docker_t)
-kernel_read_network_state(docker_t)
-kernel_read_all_sysctls(docker_t)
-kernel_rw_net_sysctls(docker_t)
-kernel_setsched(docker_t)
-kernel_read_all_proc(docker_t)
-
-domain_use_interactive_fds(docker_t)
-domain_dontaudit_read_all_domains_state(docker_t)
-
-corecmd_exec_bin(docker_t)
-corecmd_exec_shell(docker_t)
-
-corenet_tcp_bind_generic_node(docker_t)
-corenet_tcp_sendrecv_generic_if(docker_t)
-corenet_tcp_sendrecv_generic_node(docker_t)
-corenet_tcp_sendrecv_generic_port(docker_t)
-corenet_tcp_bind_all_ports(docker_t)
-corenet_tcp_connect_http_port(docker_t)
-corenet_tcp_connect_commplex_main_port(docker_t)
-corenet_udp_sendrecv_generic_if(docker_t)
-corenet_udp_sendrecv_generic_node(docker_t)
-corenet_udp_sendrecv_all_ports(docker_t)
-corenet_udp_bind_generic_node(docker_t)
-corenet_udp_bind_all_ports(docker_t)
-
-files_read_config_files(docker_t)
-files_dontaudit_getattr_all_dirs(docker_t)
-files_dontaudit_getattr_all_files(docker_t)
-
-fs_read_cgroup_files(docker_t)
-fs_read_tmpfs_symlinks(docker_t)
-fs_search_all(docker_t)
-fs_getattr_all_fs(docker_t)
-
-storage_raw_rw_fixed_disk(docker_t)
-
-auth_use_nsswitch(docker_t)
-auth_dontaudit_getattr_shadow(docker_t)
-
-init_read_state(docker_t)
-init_status(docker_t)
-
-logging_send_audit_msgs(docker_t)
-logging_send_syslog_msg(docker_t)
-
-miscfiles_read_localization(docker_t)
-
-mount_domtrans(docker_t)
-
-seutil_read_default_contexts(docker_t)
-seutil_read_config(docker_t)
-
-sysnet_dns_name_resolve(docker_t)
-sysnet_exec_ifconfig(docker_t)
-
-optional_policy(`
- rpm_exec(docker_t)
- rpm_read_db(docker_t)
- rpm_exec(docker_t)
-')
-
-optional_policy(`
- fstools_domtrans(docker_t)
-')
-
-optional_policy(`
- iptables_domtrans(docker_t)
-')
-
-optional_policy(`
- openvswitch_stream_connect(docker_t)
-')
-
-#
-# lxc rules
-#
-
-allow docker_t self:capability { dac_override setgid setpcap setuid sys_admin sys_boot sys_chroot sys_ptrace };
-
-allow docker_t self:process { getcap setcap setexec setpgid setsched signal_perms };
-
-allow docker_t self:netlink_route_socket rw_netlink_socket_perms;;
-allow docker_t self:netlink_audit_socket create_netlink_socket_perms;
-allow docker_t self:unix_dgram_socket { create_socket_perms sendto };
-allow docker_t self:unix_stream_socket { create_stream_socket_perms connectto };
-
-allow docker_t docker_var_lib_t:dir mounton;
-allow docker_t docker_var_lib_t:chr_file mounton;
-can_exec(docker_t, docker_var_lib_t)
-
-kernel_dontaudit_setsched(docker_t)
-kernel_get_sysvipc_info(docker_t)
-kernel_request_load_module(docker_t)
-kernel_mounton_messages(docker_t)
-kernel_mounton_all_proc(docker_t)
-kernel_mounton_all_sysctls(docker_t)
-
-dev_getattr_all(docker_t)
-dev_getattr_sysfs_fs(docker_t)
-dev_read_urand(docker_t)
-dev_read_lvm_control(docker_t)
-dev_rw_sysfs(docker_t)
-dev_rw_loop_control(docker_t)
-dev_rw_lvm_control(docker_t)
-
-files_getattr_isid_type_dirs(docker_t)
-files_manage_isid_type_dirs(docker_t)
-files_manage_isid_type_files(docker_t)
-files_manage_isid_type_symlinks(docker_t)
-files_manage_isid_type_chr_files(docker_t)
-files_manage_isid_type_blk_files(docker_t)
-files_exec_isid_files(docker_t)
-files_mounton_isid(docker_t)
-files_mounton_non_security(docker_t)
-files_mounton_isid_type_chr_file(docker_t)
-
-fs_mount_all_fs(docker_t)
-fs_unmount_all_fs(docker_t)
-fs_remount_all_fs(docker_t)
-files_mounton_isid(docker_t)
-fs_manage_cgroup_dirs(docker_t)
-fs_manage_cgroup_files(docker_t)
-#fs_rw_nsfs_files(docker_t)
-# TODO Remove This block
-#########################
-gen_require(`
- type nsfs_t;
-')
-rw_files_pattern(docker_t, nsfs_t, nsfs_t)
-fs_relabelfrom_xattr_fs(docker_t)
-fs_relabelfrom_tmpfs(docker_t)
-fs_read_tmpfs_symlinks(docker_t)
-fs_list_hugetlbfs(docker_t)
-
-term_use_generic_ptys(docker_t)
-term_use_ptmx(docker_t)
-term_getattr_pty_fs(docker_t)
-term_relabel_pty_fs(docker_t)
-term_mounton_unallocated_ttys(docker_t)
-
-modutils_domtrans_insmod(docker_t)
-
-systemd_status_all_unit_files(docker_t)
-systemd_start_systemd_services(docker_t)
-
-userdom_stream_connect(docker_t)
-userdom_search_user_home_content(docker_t)
-userdom_read_all_users_state(docker_t)
-userdom_relabel_user_home_files(docker_t)
-userdom_relabel_user_tmp_files(docker_t)
-userdom_relabel_user_tmp_dirs(docker_t)
-
-optional_policy(`
- gpm_getattr_gpmctl(docker_t)
-')
-
-optional_policy(`
- dbus_system_bus_client(docker_t)
- init_dbus_chat(docker_t)
- init_start_transient_unit(docker_t)
-
- optional_policy(`
- systemd_dbus_chat_logind(docker_t)
- systemd_dbus_chat_machined(docker_t)
- ')
-
- optional_policy(`
- firewalld_dbus_chat(docker_t)
- ')
-')
-
-optional_policy(`
- lvm_domtrans(docker_t)
-')
-
-optional_policy(`
- udev_read_db(docker_t)
-')
-
-optional_policy(`
- unconfined_domain(docker_t)
-# unconfined_typebounds(docker_t)
-')
-
-optional_policy(`
- virt_read_config(docker_t)
- virt_exec(docker_t)
- virt_stream_connect(docker_t)
- virt_stream_connect_sandbox(docker_t)
- virt_exec_sandbox_files(docker_t)
- virt_manage_sandbox_files(docker_t)
- virt_relabel_sandbox_filesystem(docker_t)
- # for lxc
- virt_transition_svirt_sandbox(docker_t, system_r)
- allow svirt_sandbox_domain docker_t:fd use;
- virt_mounton_sandbox_file(docker_t)
-# virt_attach_sandbox_tun_iface(docker_t)
- allow docker_t svirt_sandbox_domain:tun_socket relabelfrom;
- virt_sandbox_entrypoint(docker_t)
-')
-
-tunable_policy(`docker_connect_any',`
- corenet_tcp_connect_all_ports(docker_t)
- corenet_sendrecv_all_packets(docker_t)
- corenet_tcp_sendrecv_all_ports(docker_t)
-')
-
-########################################
-#
-# spc local policy
-#
-allow spc_t { docker_var_lib_t docker_share_t }:file entrypoint;
-role system_r types spc_t;
-
-domtrans_pattern(docker_t, docker_share_t, spc_t)
-domtrans_pattern(docker_t, docker_var_lib_t, spc_t)
-allow docker_t spc_t:process { setsched signal_perms };
-ps_process_pattern(docker_t, spc_t)
-allow docker_t spc_t:socket_class_set { relabelto relabelfrom };
-
-optional_policy(`
- systemd_dbus_chat_machined(spc_t)
- systemd_dbus_chat_logind(spc_t)
-')
-
-optional_policy(`
- dbus_chat_system_bus(spc_t)
- dbus_chat_session_bus(spc_t)
-')
-
-optional_policy(`
- unconfined_domain_noaudit(spc_t)
-')
-
-optional_policy(`
- virt_stub_svirt_sandbox_file()
- virt_transition_svirt_sandbox(spc_t, system_r)
- virt_sandbox_entrypoint(spc_t)
- domtrans_pattern(docker_t,svirt_sandbox_file_t, spc_t)
-')
-
-########################################
-#
-# docker_auth local policy
-#
-allow docker_auth_t self:fifo_file rw_fifo_file_perms;
-allow docker_auth_t self:unix_stream_socket create_stream_socket_perms;
-dontaudit docker_auth_t self:capability net_admin;
-
-docker_stream_connect(docker_auth_t)
-
-manage_dirs_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_sock_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-manage_lnk_files_pattern(docker_auth_t, docker_plugin_var_run_t, docker_plugin_var_run_t)
-files_pid_filetrans(docker_auth_t, docker_plugin_var_run_t, { dir file lnk_file sock_file })
-
-domain_use_interactive_fds(docker_auth_t)
-
-kernel_read_net_sysctls(docker_auth_t)
-
-auth_use_nsswitch(docker_auth_t)
-
-files_read_etc_files(docker_auth_t)
-
-miscfiles_read_localization(docker_auth_t)
-
-sysnet_dns_name_resolve(docker_auth_t)
-
-kernel_unlabeled_domtrans(docker_t, spc_t)
-kernel_unlabeled_entry_type(spc_t)
diff --git a/contrib/selinux/docker-engine-selinux/LICENSE b/contrib/selinux-fedora-23/docker-engine-selinux/LICENSE
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/LICENSE
rename to contrib/selinux-fedora-23/docker-engine-selinux/LICENSE
diff --git a/contrib/selinux/docker-engine-selinux/Makefile b/contrib/selinux-fedora-23/docker-engine-selinux/Makefile
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/Makefile
rename to contrib/selinux-fedora-23/docker-engine-selinux/Makefile
diff --git a/contrib/selinux/docker-engine-selinux/docker.fc b/contrib/selinux-fedora-23/docker-engine-selinux/docker.fc
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker.fc
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker.fc
diff --git a/contrib/selinux/docker-engine-selinux/docker.if b/contrib/selinux-fedora-23/docker-engine-selinux/docker.if
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker.if
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker.if
diff --git a/contrib/selinux/docker-engine-selinux/docker.te b/contrib/selinux-fedora-23/docker-engine-selinux/docker.te
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker.te
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker.te
diff --git a/contrib/selinux/docker-engine-selinux/docker_selinux.8.gz b/contrib/selinux-fedora-23/docker-engine-selinux/docker_selinux.8.gz
similarity index 100%
rename from contrib/selinux/docker-engine-selinux/docker_selinux.8.gz
rename to contrib/selinux-fedora-23/docker-engine-selinux/docker_selinux.8.gz
Binary files differ
diff --git a/daemon/container.go b/daemon/container.go
index 21355ba..e86f904 100644
--- a/daemon/container.go
+++ b/daemon/container.go
@@ -89,9 +89,9 @@
func (daemon *Daemon) Register(c *container.Container) error {
// Attach to stdout and stderr
if c.Config.OpenStdin {
- c.NewInputPipes()
+ c.StreamConfig.NewInputPipes()
} else {
- c.NewNopInputPipe()
+ c.StreamConfig.NewNopInputPipe()
}
daemon.containers.Add(c.ID, c)
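Review bot: The comment `// Attach to stdout and stderr` above the changed branch does not describe what follows, since both arms only set up the stdin side of `c.StreamConfig` depending on `c.Config.OpenStdin`. As these lines are being touched anyway, I would reword it to something like `// Set up the container's stdin pipe; a no-op pipe is used when stdin is not open` (the no-op behaviour is inferred from the method name). Register continues past the end of this hunk, so whether stdout and stderr are attached further down is not visible here.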
diff --git a/daemon/exec.go b/daemon/exec.go
index 5584f3b..a9bce3c 100644
--- a/daemon/exec.go
+++ b/daemon/exec.go
@@ -188,9 +188,9 @@
}
if ec.OpenStdin {
- ec.NewInputPipes()
+ ec.StreamConfig.NewInputPipes()
} else {
- ec.NewNopInputPipe()
+ ec.StreamConfig.NewNopInputPipe()
}
p := libcontainerd.Process{
diff --git a/daemon/exec/exec.go b/daemon/exec/exec.go
index da160d3..0bd7d8d 100644
--- a/daemon/exec/exec.go
+++ b/daemon/exec/exec.go
@@ -5,9 +5,9 @@
"sync"
"github.com/Sirupsen/logrus"
+ "github.com/docker/docker/container/stream"
"github.com/docker/docker/libcontainerd"
"github.com/docker/docker/pkg/stringid"
- "github.com/docker/docker/runconfig"
)
// Config holds the configurations for execs. The Daemon keeps
@@ -15,28 +15,28 @@
// examined both during and after completion.
type Config struct {
sync.Mutex
- *runconfig.StreamConfig
- ID string
- Running bool
- ExitCode *int
- OpenStdin bool
- OpenStderr bool
- OpenStdout bool
- CanRemove bool
- ContainerID string
- DetachKeys []byte
- Entrypoint string
- Args []string
- Tty bool
- Privileged bool
- User string
+ StreamConfig *stream.Config
+ ID string
+ Running bool
+ ExitCode *int
+ OpenStdin bool
+ OpenStderr bool
+ OpenStdout bool
+ CanRemove bool
+ ContainerID string
+ DetachKeys []byte
+ Entrypoint string
+ Args []string
+ Tty bool
+ Privileged bool
+ User string
}
// NewConfig initializes the a new exec configuration
func NewConfig() *Config {
return &Config{
ID: stringid.GenerateNonCryptoID(),
- StreamConfig: runconfig.NewStreamConfig(),
+ StreamConfig: stream.NewConfig(),
}
}
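Review bot: `StreamConfig` is now an exported, named pointer field with no comment, and the only place in this hunk that sets it is `NewConfig`. A `Config` built as a struct literal, or one whose field is reassigned from another package, would leave the `c.StreamConfig.…` calls in `InitializeStdio` and the new `CloseStreams` (later hunks of this file) working on a nil or foreign value. I would state the invariant on the field, e.g. `// StreamConfig carries the exec's stdio streams; it is set by NewConfig and must not be nil or replaced afterwards.` If `Config` is ever serialised, the named field would presumably appear under its own key where the embedded pointer did not, so confirm that or tag it `json:"-"`. The struct's doc comment starts outside the hunk.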
@@ -44,7 +44,7 @@
func (c *Config) InitializeStdio(iop libcontainerd.IOPipe) error {
c.StreamConfig.CopyToPipe(iop)
- if c.Stdin() == nil && !c.Tty && runtime.GOOS == "windows" {
+ if c.StreamConfig.Stdin() == nil && !c.Tty && runtime.GOOS == "windows" {
if iop.Stdin != nil {
if err := iop.Stdin.Close(); err != nil {
logrus.Errorf("error closing exec stdin: %+v", err)
@@ -55,6 +55,11 @@
return nil
}
+// CloseStreams closes the stdio streams for the exec
+func (c *Config) CloseStreams() error {
+ return c.StreamConfig.CloseStreams()
+}
+
// Store keeps track of the exec configurations.
type Store struct {
commands map[string]*Config
diff --git a/daemon/monitor.go b/daemon/monitor.go
index 542d6b3..90b910f 100644
--- a/daemon/monitor.go
+++ b/daemon/monitor.go
@@ -28,7 +28,7 @@
case libcontainerd.StateExit:
c.Lock()
defer c.Unlock()
- c.Wait()
+ c.StreamConfig.Wait()
c.Reset(false)
c.SetStopped(platformConstructExitStatus(e))
attributes := map[string]string{
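Review bot: `c.StreamConfig.Wait()` runs after `c.Lock()` with the unlock deferred, so the container lock is held for as long as the stream copy takes to drain. The next hunk has the same pattern, with `execConfig.StreamConfig.Wait()` called while `execConfig` is locked. Whether `Wait` can block indefinitely is not visible here, but if a stream copier stalls, every other operation that needs this lock stalls with it, which is an availability concern for the daemon. At minimum a comment such as `// Wait blocks until stdio copying finishes; the container lock is held throughout.` would make the dependency explicit, and a bounded wait is worth considering. The enclosing function starts and ends outside the hunk.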
@@ -63,7 +63,7 @@
defer execConfig.Unlock()
execConfig.ExitCode = &ec
execConfig.Running = false
- execConfig.Wait()
+ execConfig.StreamConfig.Wait()
if err := execConfig.CloseStreams(); err != nil {
logrus.Errorf("%s: %s", c.ID, err)
}
diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index c78e221..5a786fb 100644
--- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go
@@ -9,6 +9,7 @@
"net/url"
"os"
"runtime"
+ "strings"
"github.com/Sirupsen/logrus"
"github.com/docker/distribution"
@@ -32,7 +33,11 @@
"golang.org/x/net/context"
)
-var errRootFSMismatch = errors.New("layers from manifest don't match image configuration")
+var (
+ errRootFSMismatch = errors.New("layers from manifest don't match image configuration")
+ errMediaTypePlugin = errors.New("target is a plugin")
+ errRootFSInvalid = errors.New("invalid rootfs in image configuration")
+)
// ImageConfigPullError is an error pulling the image config blob
// (only applies to schema2).
@@ -356,6 +361,12 @@
return false, fmt.Errorf("image manifest does not exist for tag or digest %q", tagOrDigest)
}
+ if m, ok := manifest.(*schema2.DeserializedManifest); ok {
+ if strings.HasPrefix(m.Manifest.Config.MediaType, "application/vnd.docker.plugin") {
+ return false, errMediaTypePlugin
+ }
+ }
+
// If manSvc.Get succeeded, we can be confident that the registry on
// the other side speaks the v2 protocol.
p.confirmedV2 = true
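Review bot: The plugin guard only fires when `manifest` type-asserts to `*schema2.DeserializedManifest`, and the media type is matched against an inline string prefix. Any other manifest type handled later in this function (outside the hunk) skips the check, so it is worth confirming that no path reaches a schema2 pull without passing through it. I would lift the literal into a named constant next to the error vars, e.g. `const mediaTypePluginPrefix = "application/vnd.docker.plugin"`, and add `// A plugin config media type means the target is not an image; stop before treating it as one.` above the check. The text of `errMediaTypePlugin`, "target is a plugin", also gives the user no hint to use `docker plugin install` instead.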
@@ -583,6 +594,10 @@
}
}
+ if unmarshalledConfig.RootFS == nil {
+ return "", "", errRootFSInvalid
+ }
+
// The DiffIDs returned in rootFS MUST match those in the config.
// Otherwise the image config could be referencing layers that aren't
// included in the manifest.
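Review bot: The new `unmarshalledConfig.RootFS == nil` guard has no comment saying why it is needed, and it is the only validation of the rootfs added in this hunk. The config blob is supplied by the registry, so a note such as `// The config comes from the registry; reject a missing rootfs before the DiffIDs comparison below uses it.` would mark this as input validation rather than a defensive leftover. A regression test that feeds a config without a rootfs and expects `errRootFSInvalid` would pin the behaviour. Other places that unmarshal image configs are outside this hunk and may want the same check. The enclosing function starts and ends outside the hunk.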
diff --git a/docs/extend/index.md b/docs/extend/index.md
index f029ce0..90c4635 100644
--- a/docs/extend/index.md
+++ b/docs/extend/index.md
@@ -1,48 +1,50 @@
---
-redirect_from:
-- "/engine/extend/"
-title: "Docker Engine managed plugin system"
-description: "How develop and use a plugin with the managed plugin system"
-keywords: "API, Usage, plugins, documentation, developer"
-advisory: "experimental"
+advisory: experimental
+description: Develop and use a plugin with the managed plugin system
+keywords:
+- API, Usage, plugins, documentation, developer
+title: Managed plugin system
---
+<!-- This file is maintained within the docker/docker Github
+ repository at https://github.com/docker/docker/. Make all
+ pull requests against that repo. If you see this file in
+ another repository, consider it read-only there, as it will
+ periodically be overwritten by the definitive file. Pull
+ requests which include edits to this file in other repositories
+ will be rejected.
+-->
+
This document describes the plugin system available today in the **experimental
build** of Docker 1.12:
-* [How to operate an existing plugin](#how-to-operate-a-plugin)
-* [How to develop a plugin](#how-to-develop-a-plugin)
+* [Installing and using a plugin](index.md#installing-and-using-a-plugin)
+* [Developing a plugin](index.md#developing-a-plugin)
-Unlike the legacy plugin system, you now manage plugins using Docker Engine:
+Docker Engine's plugins system allows you to install, start, stop, and remove
+plugins using Docker Engine. This mechanism is currently only available for
+volume drivers, but more plugin driver types will be available in future releases.
-* install plugins
-* start plugins
-* stop plugins
-* remove plugins
+For information about the legacy plugin system available in Docker Engine 1.12
+and earlier, see [Understand legacy Docker Engine plugins](legacy_plugins.md).
-The current Docker Engine plugin system only supports volume drivers. We are
-adding more plugin driver types in the future releases.
+## Installing and using a plugin
-For information on Docker Engine plugins generally available in Docker Engine
-1.12 and earlier, refer to [Understand legacy Docker Engine plugins](legacy_plugins.md).
+Plugins are distributed as Docker images and can be hosted on Docker Hub or on
+a private registry.
-## How to operate a plugin
+To install a plugin, use the `docker plugin install` command, which pulls the
+plugin from Docker hub or your private registry, prompts you to grant
+permissions or capabilities if necessary, and enables the plugin.
-Plugins are distributed as Docker images, so develpers can host them on Docker
-Hub or on a private registry.
+To check the status of installed plugins, use the `docker plugin ls` command.
+Plugins that start successfully are listed as enabled in the output.
-You install the plugin using a single command: `docker plugin install <PLUGIN>`.
-The `plugin install` command pulls the plugin from the Docker Hub or private
-registry. If necessary the CLI prompts you to accept any privilige requriements.
-For example the plugin may require access to a device on the host system.
-Finally it enables the plugin.
+After a plugin is installed, you can use it as an option for another Docker
+operation, such as creating a volume.
-Run `docker plugin ls` to check the status of installed plugins. The Engine
-markes plugins that are started without issues as `ENABLED`.
-
-After you install a plugin, the plugin behavior is the same as legacy plugins.
-The following example demonstrates how to install the `sshfs` plugin and use it
-to create a volume.
+In the following example, you install the `sshfs` plugin, verify that it is
+enabled, and use it to create a volume.
1. Install the `sshfs` plugin.
@@ -57,11 +59,12 @@
vieux/sshfs
```
- The plugin requests 2 privileges, the `CAP_SYS_ADMIN` capability to be able
- to do mount inside the plugin and `host networking`.
+ The plugin requests 2 privileges:
+ - It needs access to the `host` network.
+ - It needs the `CAP_SYS_ADMIN` capability, which allows the plugin to run
+ the `mount` command.
-2. Check for a value of `true` the `ENABLED` column to verify the plugin
-started without error.
+2. Check that the plugin is enabled in the output of `docker plugin ls`.
```bash
$ docker plugin ls
@@ -70,7 +73,9 @@
vieux/sshfs latest true
```
-3. Create a volume using the plugin.
+3. Create a volume using the plugin.
+ This example mounts the `/remote` directory on host `1.2.3.4` into a
+ volume named `sshvolume`. This volume can now be mounted into containers.
```bash
$ docker volume create \
@@ -80,16 +85,7 @@
sshvolume
```
-
-4. Use the volume `sshvolume`.
-
- ```bash
- $ docker run -v sshvolume:/data busybox ls /data
-
- <content of /remote on machine 1.2.3.4>
- ```
-
-5. Verify the plugin successfully created the volume.
+4. Verify that the volume was created successfully.
```bash
$ docker volume ls
@@ -98,21 +94,30 @@
vieux/sshfs sshvolume
```
- You can stop a plugin with the `docker plugin disable`
- command or remove a plugin with `docker plugin remove`.
+5. Start a container that uses the volume `sshvolume`.
-See the [command line reference](../reference/commandline/index.md) for more
-information.
+ ```bash
+ $ docker run -v sshvolume:/data busybox ls /data
-## How to develop a plugin
+ <content of /remote on machine 1.2.3.4>
+ ```
-Plugin creation is currently a manual process. We plan to add automation in a
-future release with a command such as `docker plugin build`.
+To disable a plugin, use the `docker plugin disable` command. To completely
+remove it, use the `docker plugin remove` command. For other available
+commands and options, see the
+[command line reference](../reference/commandline/index.md).
-This section describes the format of an existing enabled plugin. You have to
-create and format the plugin files by hand.
+## Developing a plugin
-Plugins are stored in `/var/lib/docker/plugins`. For instance:
+Currently, there are no CLI commands available to help you develop a plugin.
+This is expected to change in a future release. The manual process for creating
+plugins is described in this section.
+
+### Plugin location and files
+
+Plugins are stored in `/var/lib/docker/plugins`. The `plugins.json` file lists
+each plugin's configuration, and each plugin is stored in a directory with a
+unique identifier.
```bash
# ls -la /var/lib/docker/plugins
@@ -123,9 +128,12 @@
-rw------- 1 root root 2107 Aug 8 18:03 plugins.json
```
-`plugins.json` is an inventory of all installed plugins. For example:
+### Format of plugins.json
-```bash
+The `plugins.json` is an inventory of all installed plugins. This example shows
+a `plugins.json` with a single plugin installed.
+
+```json
# cat plugins.json
{
"cd851ce43a403": {
@@ -176,7 +184,10 @@
}
```
-Each folder represents a plugin. For example:
+### Contents of a plugin directory
+
+Each directory within `/var/lib/docker/plugins/` contains a `rootfs` directory
+and two JSON files.
```bash
# ls -la /var/lib/docker/plugins/cd851ce43a403
@@ -186,28 +197,34 @@
-rw------- 1 root root 347 Aug 8 17:56 manifest.json
```
-`rootfs` represents the root filesystem of the plugin. In this example, it was
-created from a Dockerfile as follows:
+#### The rootfs directory
+The `rootfs` directory represents the root filesystem of the plugin. In this
+example, it was created from a Dockerfile:
->**Note:** `/run/docker/plugins` is mandatory for docker to communicate with
-the plugin._
+>**Note:** The `/run/docker/plugins` directory is mandatory for docker to communicate with
+the plugin.
```bash
$ git clone https://github.com/vieux/docker-volume-sshfs
$ cd docker-volume-sshfs
$ docker build -t rootfs .
$ id=$(docker create rootfs true) # id was cd851ce43a403 when the image was created
-$ mkdir -p /var/lib/docker/plugins/$id/rootfs
-$ docker export "$id" | tar -x -C /var/lib/docker/plugins/$id/rootfs
+$ sudo mkdir -p /var/lib/docker/plugins/$id/rootfs
+$ sudo docker export "$id" | sudo tar -x -C /var/lib/docker/plugins/$id/rootfs
+$ sudo chgrp -R docker /var/lib/docker/plugins/
$ docker rm -vf "$id"
$ docker rmi rootfs
```
-`manifest.json` describes the plugin and `plugin-config.json` contains some
-runtime parameters. [See the Plugins Manifest reference](manifest.md). For example:
+#### The manifest.json and plugin-config.json files
-```bash
-# cat manifest.json
+The `manifest.json` file describes the plugin. The `plugin-config.json` file
+contains runtime parameters and is only required if your plugin has runtime
+parameters. [See the Plugins Manifest reference](manifest.md).
+
+Consider the following `manifest.json` file.
+
+```json
{
"manifestVersion": "v0",
"description": "sshFS plugin for Docker",
@@ -224,13 +241,15 @@
}
```
-In this example, you can see the plugin is a volume driver, requires the
-`CAP_SYS_ADMIN` capability, `host networking`, `/go/bin/docker-volume-sshfs` as
-entrypoint and is going to use `/run/docker/plugins/sshfs.sock` to communicate
-with the Docker Engine.
+This plugin is a volume driver. It requires a `host` network and the
+`CAP_SYS_ADMIN` capability. It depends upon the `/go/bin/docker-volume-sshfs`
+entrypoint and uses the `/run/docker/plugins/sshfs.sock` socket to communicate
+with Docker Engine.
-```bash
-# cat plugin-config.json
+
+Consider the following `plugin-config.json` file.
+
+```json
{
"Devices": null,
"Args": null,
@@ -239,26 +258,42 @@
}
```
-This plugin doesn't require runtime parameters.
+This plugin has no runtime parameters.
-Both `manifest.json` and `plugin-config.json` are part of the `plugins.json`.
-`manifest.json` is read-only and `plugin-config.json` is read-write.
+Each of these JSON files is included as part of `plugins.json`, as you can see
+by looking back at the example above. After a plugin is installed, `manifest.json`
+is read-only, but `plugin-config.json` is read-write, and includes all runtime
+configuration options for the plugin.
-To summarize, follow the steps below to create a plugin:
+### Creating the plugin
-0. Choose a name for the plugin. Plugin name uses the same format as images,
-for example: `<repo_name>/<name>`.
-1. Create a rootfs in `/var/lib/docker/plugins/$id/rootfs`.
-2. Create manifest.json file in `/var/lib/docker/plugins/$id/`.
-3. Create a `plugin-config.json` if needed.
-4. Create or add a section to `/var/lib/docker/plugins/plugins.json`. Use
+Follow these steps to create a plugin:
+
+1. Choose a name for the plugin. Plugin name uses the same format as images,
+ for example: `<repo_name>/<name>`.
+
+2. Create a `rootfs` and export it to `/var/lib/docker/plugins/$id/rootfs`
+ using `docker export`. See [The rootfs directory](#the-rootfs-directory) for
+ an example of creating a `rootfs`.
+
+3. Create a `manifest.json` file in `/var/lib/docker/plugins/$id/`.
+
+4. Create a `plugin-config.json` file if needed.
+
+5. Create or add a section to `/var/lib/docker/plugins/plugins.json`. Use
`<user>/<name>` as “Name” and `$id` as “Id”.
-5. Restart the Docker Engine.
-6. Run `docker plugin ls`.
- * If your plugin is listed as `ENABLED=true`, you can push it to the
- registry.
- * If the plugin is not listed or if `ENABLED=false`, something went wrong.
- Check the daemon logs for errors.
-7. If you are not already logged in, use `docker login` to authenticate against
- a registry.
-8. Run `docker plugin push <repo_name>/<name>` to push the plugin.
+
+6. Restart the Docker Engine service.
+
+7. Run `docker plugin ls`.
+ * If your plugin is enabled, you can push it to the
+ registry.
+ * If the plugin is not listed or is disabled, something went wrong.
+ Check the daemon logs for errors.
+
+8. If you are not already logged in, use `docker login` to authenticate against
+ the registry so that you can push to it.
+
+9. Run `docker plugin push <repo_name>/<name>` to push the plugin.
+
+The plugin can now be used by any user with access to your registry.
diff --git a/docs/extend/plugin_api.md b/docs/extend/plugin_api.md
index ebc7a41..af84148 100644
--- a/docs/extend/plugin_api.md
+++ b/docs/extend/plugin_api.md
@@ -119,6 +119,7 @@
WantedBy=multi-user.target
```
The `socket` file (for example `/lib/systemd/system/your-plugin.socket`):
+
```
[Unit]
Description=Your plugin
diff --git a/docs/extend/plugins_network.md b/docs/extend/plugins_network.md
index 8a67893..54bfb2f 100644
--- a/docs/extend/plugins_network.md
+++ b/docs/extend/plugins_network.md
@@ -50,7 +50,7 @@
## Write a network plugin
Network plugins implement the [Docker plugin
-API](https://docs.docker.com/extend/plugin_api/) and the network plugin protocol
+API](plugin_api.md) and the network plugin protocol
## Network plugin protocol
diff --git a/docs/reference/api/docker_remote_api.md b/docs/reference/api/docker_remote_api.md
index 2b3c726..a7aab45 100644
--- a/docs/reference/api/docker_remote_api.md
+++ b/docs/reference/api/docker_remote_api.md
@@ -25,7 +25,17 @@
run `curl` against the daemon on the default socket, use the
following:
- curl --unix-socket /var/run/docker.sock http:/containers/json
+When using cUrl 7.50 or later:
+
+```console
+$ curl --unix-socket /var/run/docker.sock http://localhost/containers/json
+```
+
+When using cURL 7.40, `localhost` must be omitted:
+
+```console
+$ curl --unix-socket /var/run/docker.sock http://containers/json
+```
If you have bound the Docker daemon to a different socket path or TCP
port, you would reference that in your cURL rather than the
@@ -214,6 +224,7 @@
* `GET /info` now lists engine version information and return the information of `CPUShares` and `Cpuset`.
* `GET /containers/json` will return `ImageID` of the image used by container.
* `POST /exec/(name)/start` will now return an HTTP 409 when the container is either stopped or paused.
+* `POST /containers/create` now takes `KernelMemory` in HostConfig to specify kernel memory limit.
* `GET /containers/(name)/json` now accepts a `size` parameter. Setting this parameter to '1' returns container size information in the `SizeRw` and `SizeRootFs` fields.
* `GET /containers/(name)/json` now returns a `NetworkSettings.Networks` field,
detailing network settings per network. This field deprecates the
diff --git a/docs/reference/api/docker_remote_api_v1.18.md b/docs/reference/api/docker_remote_api_v1.18.md
index 91d6e32..2572459 100644
--- a/docs/reference/api/docker_remote_api_v1.18.md
+++ b/docs/reference/api/docker_remote_api_v1.18.md
@@ -211,8 +211,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
diff --git a/docs/reference/api/docker_remote_api_v1.19.md b/docs/reference/api/docker_remote_api_v1.19.md
index e8ca7ee..407588d 100644
--- a/docs/reference/api/docker_remote_api_v1.19.md
+++ b/docs/reference/api/docker_remote_api_v1.19.md
@@ -216,8 +216,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
diff --git a/docs/reference/api/docker_remote_api_v1.20.md b/docs/reference/api/docker_remote_api_v1.20.md
index df0fe68..04d8633 100644
--- a/docs/reference/api/docker_remote_api_v1.20.md
+++ b/docs/reference/api/docker_remote_api_v1.20.md
@@ -218,8 +218,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
diff --git a/docs/reference/api/docker_remote_api_v1.21.md b/docs/reference/api/docker_remote_api_v1.21.md
index 96efd0d..03572e5 100644
--- a/docs/reference/api/docker_remote_api_v1.21.md
+++ b/docs/reference/api/docker_remote_api_v1.21.md
@@ -227,8 +227,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
@@ -2786,8 +2786,10 @@
{
"Name":"isolated_nw",
+ "CheckDuplicate":true,
"Driver":"bridge",
"IPAM":{
+ "Driver": "default",
"Config":[
{
"Subnet":"172.20.0.0/16",
@@ -2820,10 +2822,13 @@
**JSON parameters**:
- **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
- **IPAM** - Optional custom IP scheme for the network
+ - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+ - **Config** - List of IPAM configuration options, specified as a map:
+ `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
- **Options** - Network specific options to be used by the drivers
-- **CheckDuplicate** - Requests daemon to check for networks with same name
### Connect a container to a network
diff --git a/docs/reference/api/docker_remote_api_v1.22.md b/docs/reference/api/docker_remote_api_v1.22.md
index b613418..c52b009 100644
--- a/docs/reference/api/docker_remote_api_v1.22.md
+++ b/docs/reference/api/docker_remote_api_v1.22.md
@@ -251,6 +251,7 @@
"StopSignal": "SIGTERM",
"HostConfig": {
"Binds": ["/tmp:/tmp"],
+ "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
"Links": ["redis3:redis"],
"Memory": 0,
"MemorySwap": 0,
@@ -330,8 +331,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
@@ -358,6 +359,8 @@
_absolute_ path.
+ `volume-name:container-dest:ro` to mount the volume read-only
inside the container. `container-dest` must be an _absolute_ path.
+ - **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+ mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
- **Links** - A list of links for the container. Each link entry should be
in the form of `container_name:alias`.
- **Memory** - Memory limit in bytes.
@@ -3106,8 +3109,10 @@
{
"Name":"isolated_nw",
+ "CheckDuplicate":true,
"Driver":"bridge",
"IPAM":{
+ "Driver": "default",
"Config":[
{
"Subnet":"172.20.0.0/16",
@@ -3148,10 +3153,14 @@
**JSON parameters**:
- **Name** - The new network's name. this is a mandatory field
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
- **IPAM** - Optional custom IP scheme for the network
+ - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+ - **Config** - List of IPAM configuration options, specified as a map:
+ `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+ - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
- **Options** - Network specific options to be used by the drivers
-- **CheckDuplicate** - Requests daemon to check for networks with same name
### Connect a container to a network
diff --git a/docs/reference/api/docker_remote_api_v1.23.md b/docs/reference/api/docker_remote_api_v1.23.md
index 1c53164..04355b7 100644
--- a/docs/reference/api/docker_remote_api_v1.23.md
+++ b/docs/reference/api/docker_remote_api_v1.23.md
@@ -273,6 +273,7 @@
"StopSignal": "SIGTERM",
"HostConfig": {
"Binds": ["/tmp:/tmp"],
+ "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
"Links": ["redis3:redis"],
"Memory": 0,
"MemorySwap": 0,
@@ -353,8 +354,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
@@ -381,6 +382,8 @@
_absolute_ path.
+ `volume-name:container-dest:ro` to mount the volume read-only
inside the container. `container-dest` must be an _absolute_ path.
+ - **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+ mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
- **Links** - A list of links for the container. Each link entry should be
in the form of `container_name:alias`.
- **Memory** - Memory limit in bytes.
@@ -1799,7 +1802,7 @@
```
{
- "registrytoken": "9cbaf023786cd7..."
+ "identitytoken": "9cbaf023786cd7..."
}
```
@@ -3205,10 +3208,11 @@
{
"Name":"isolated_nw",
- "CheckDuplicate":false,
+ "CheckDuplicate":true,
"Driver":"bridge",
"EnableIPv6": true,
"IPAM":{
+ "Driver": "default",
"Config":[
{
"Subnet":"172.20.0.0/16",
@@ -3261,10 +3265,14 @@
**JSON parameters**:
- **Name** - The new network's name. this is a mandatory field
-- **CheckDuplicate** - Requests daemon to check for networks with same name
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
- **Internal** - Restrict external access to the network
- **IPAM** - Optional custom IP scheme for the network
+ - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+ - **Config** - List of IPAM configuration options, specified as a map:
+ `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+ - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
- **EnableIPv6** - Enable IPv6 on the network
- **Options** - Network specific options to be used by the drivers
- **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
diff --git a/docs/reference/api/docker_remote_api_v1.24.md b/docs/reference/api/docker_remote_api_v1.24.md
index e9803f1..42a2bff 100644
--- a/docs/reference/api/docker_remote_api_v1.24.md
+++ b/docs/reference/api/docker_remote_api_v1.24.md
@@ -284,6 +284,7 @@
"StopSignal": "SIGTERM",
"HostConfig": {
"Binds": ["/tmp:/tmp"],
+ "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
"Links": ["redis3:redis"],
"Memory": 0,
"MemorySwap": 0,
@@ -370,8 +371,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings.
@@ -398,6 +399,8 @@
_absolute_ path.
+ `volume-name:container-dest:ro` to mount the volume read-only
inside the container. `container-dest` must be an _absolute_ path.
+ - **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+ mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
- **Links** - A list of links for the container. Each link entry should be
in the form of `container_name:alias`.
- **Memory** - Memory limit in bytes.
@@ -1798,7 +1801,7 @@
```
{
- "registrytoken": "9cbaf023786cd7..."
+ "identitytoken": "9cbaf023786cd7..."
}
```
@@ -3255,10 +3258,11 @@
{
"Name":"isolated_nw",
- "CheckDuplicate":false,
+ "CheckDuplicate":true,
"Driver":"bridge",
"EnableIPv6": true,
"IPAM":{
+ "Driver": "default",
"Config":[
{
"Subnet":"172.20.0.0/16",
@@ -3311,10 +3315,14 @@
**JSON parameters**:
- **Name** - The new network's name. this is a mandatory field
-- **CheckDuplicate** - Requests daemon to check for networks with same name
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
- **Internal** - Restrict external access to the network
- **IPAM** - Optional custom IP scheme for the network
+ - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+ - **Config** - List of IPAM configuration options, specified as a map:
+ `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+ - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
- **EnableIPv6** - Enable IPv6 on the network
- **Options** - Network specific options to be used by the drivers
- **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
@@ -4100,7 +4108,7 @@
- **Annotations** – Optional medata to associate with the service.
- **Name** – User-defined name for the service.
- **Labels** – A map of labels to associate with the service (e.g.,
- `{"key":"value"[,"key2":"value2"]}`).
+ `{"key":"value", "key2":"value2"}`).
- **Role** - Role of the node (worker/manager).
- **Availability** - Availability of the node (active/pause/drain).
@@ -4593,7 +4601,7 @@
**JSON Parameters**:
- **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
- **TaskTemplate** – Specification of the tasks to start as part of the new service.
- **ContainerSpec** - Container settings for containers started as part of this task.
- **Image** – A string specifying the image name to use for the container.
@@ -4603,7 +4611,7 @@
- **Dir** – A string specifying the working directory for commands to run in.
- **User** – A string value specifying the user inside the container.
- **Labels** – A map of labels to associate with the service (e.g.,
- `{"key":"value"[,"key2":"value2"]}`).
+ `{"key":"value", "key2":"value2"}`).
- **Mounts** – Specification for mounts to be added to containers
created as part of the service.
- **Target** – Container path.
@@ -4833,7 +4841,7 @@
**JSON Parameters**:
- **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
- **TaskTemplate** – Specification of the tasks to start as part of the new service.
- **ContainerSpec** - Container settings for containers started as part of this task.
- **Image** – A string specifying the image name to use for the container.
@@ -4843,7 +4851,7 @@
- **Dir** – A string specifying the working directory for commands to run in.
- **User** – A string value specifying the user inside the container.
- **Labels** – A map of labels to associate with the service (e.g.,
- `{"key":"value"[,"key2":"value2"]}`).
+ `{"key":"value", "key2":"value2"}`).
- **Mounts** – Specification for mounts to be added to containers created as part of the new
service.
- **Target** – Container path.
@@ -5103,7 +5111,7 @@
- `id=<task id>`
- `name=<task name>`
- `service=<service name>`
- - `node=<node id>`
+ - `node=<node id or name>`
- `label=key` or `label="key=value"`
- `desired-state=(running | shutdown | accepted)`
diff --git a/docs/reference/api/docker_remote_api_v1.25.md b/docs/reference/api/docker_remote_api_v1.25.md
index dce8a16..e0830a5 100644
--- a/docs/reference/api/docker_remote_api_v1.25.md
+++ b/docs/reference/api/docker_remote_api_v1.25.md
@@ -285,6 +285,7 @@
"StopSignal": "SIGTERM",
"HostConfig": {
"Binds": ["/tmp:/tmp"],
+ "Tmpfs": { "/run": "rw,noexec,nosuid,size=65536k" },
"Links": ["redis3:redis"],
"Memory": 0,
"MemorySwap": 0,
@@ -372,8 +373,8 @@
- **Tty** - Boolean value, Attach standard streams to a `tty`, including `stdin` if it is not closed.
- **OpenStdin** - Boolean value, opens `stdin`,
- **StdinOnce** - Boolean value, close `stdin` after the 1 attached client disconnects.
-- **Env** - A list of environment variables in the form of `["VAR=value"[,"VAR2=value2"]]`
-- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value"[,"key2":"value2"]}`
+- **Env** - A list of environment variables in the form of `["VAR=value", ...]`
+- **Labels** - Adds a map of labels to a container. To specify a map: `{"key":"value", ... }`
- **Cmd** - Command to run specified as a string or an array of strings.
- **Entrypoint** - Set the entry point for the container as a string or an array
of strings. If the array consists of exactly one empty string (`[""]`) then the entry point
@@ -402,6 +403,8 @@
_absolute_ path.
+ `volume-name:container-dest:ro` to mount the volume read-only
inside the container. `container-dest` must be an _absolute_ path.
+ - **Tmpfs** – A map of container directories which should be replaced by tmpfs mounts, and their corresponding
+ mount options. A JSON object in the form `{ "/run": "rw,noexec,nosuid,size=65536k" }`.
- **Links** - A list of links for the container. Each link entry should be
in the form of `container_name:alias`.
- **Memory** - Memory limit in bytes.
@@ -1814,7 +1817,7 @@
```
{
- "registrytoken": "9cbaf023786cd7..."
+ "identitytoken": "9cbaf023786cd7..."
}
```
@@ -3274,10 +3277,11 @@
{
"Name":"isolated_nw",
- "CheckDuplicate":false,
+ "CheckDuplicate":true,
"Driver":"bridge",
"EnableIPv6": true,
"IPAM":{
+ "Driver": "default",
"Config":[
{
"Subnet":"172.20.0.0/16",
@@ -3330,10 +3334,14 @@
**JSON parameters**:
- **Name** - The new network's name. this is a mandatory field
-- **CheckDuplicate** - Requests daemon to check for networks with same name
+- **CheckDuplicate** - Requests daemon to check for networks with same name. Defaults to `false`
- **Driver** - Name of the network driver plugin to use. Defaults to `bridge` driver
- **Internal** - Restrict external access to the network
- **IPAM** - Optional custom IP scheme for the network
+ - **Driver** - Name of the IPAM driver to use. Defaults to `default` driver
+ - **Config** - List of IPAM configuration options, specified as a map:
+ `{"Subnet": <CIDR>, "IPRange": <CIDR>, "Gateway": <IP address>, "AuxAddress": <device_name:IP address>}`
+ - **Options** - Driver-specific options, specified as a map: `{"option":"value" [,"option2":"value2"]}`
- **EnableIPv6** - Enable IPv6 on the network
- **Options** - Network specific options to be used by the drivers
- **Labels** - Labels to set on the network, specified as a map: `{"key":"value" [,"key2":"value2"]}`
@@ -4136,7 +4144,7 @@
- **Annotations** – Optional medata to associate with the service.
- **Name** – User-defined name for the service.
- **Labels** – A map of labels to associate with the service (e.g.,
- `{"key":"value"[,"key2":"value2"]}`).
+ `{"key":"value", "key2":"value2"}`).
- **Role** - Role of the node (worker/manager).
- **Availability** - Availability of the node (active/pause/drain).
@@ -4629,7 +4637,7 @@
**JSON Parameters**:
- **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
- **TaskTemplate** – Specification of the tasks to start as part of the new service.
- **ContainerSpec** - Container settings for containers started as part of this task.
- **Image** – A string specifying the image name to use for the container.
@@ -4639,7 +4647,7 @@
- **Dir** – A string specifying the working directory for commands to run in.
- **User** – A string value specifying the user inside the container.
- **Labels** – A map of labels to associate with the service (e.g.,
- `{"key":"value"[,"key2":"value2"]}`).
+ `{"key":"value", "key2":"value2"}`).
- **Mounts** – Specification for mounts to be added to containers
created as part of the service.
- **Target** – Container path.
@@ -4869,7 +4877,7 @@
**JSON Parameters**:
- **Name** – User-defined name for the service.
-- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value"[,"key2":"value2"]}`).
+- **Labels** – A map of labels to associate with the service (e.g., `{"key":"value", "key2":"value2"}`).
- **TaskTemplate** – Specification of the tasks to start as part of the new service.
- **ContainerSpec** - Container settings for containers started as part of this task.
- **Image** – A string specifying the image name to use for the container.
@@ -4879,7 +4887,7 @@
- **Dir** – A string specifying the working directory for commands to run in.
- **User** – A string value specifying the user inside the container.
- **Labels** – A map of labels to associate with the service (e.g.,
- `{"key":"value"[,"key2":"value2"]}`).
+ `{"key":"value", "key2":"value2"}`).
- **Mounts** – Specification for mounts to be added to containers created as part of the new
service.
- **Target** – Container path.
@@ -5139,7 +5147,7 @@
- `id=<task id>`
- `name=<task name>`
- `service=<service name>`
- - `node=<node id>`
+ - `node=<node id or name>`
- `label=key` or `label="key=value"`
- `desired-state=(running | shutdown | accepted)`
diff --git a/docs/reference/builder.md b/docs/reference/builder.md
index fd0ad3c..ee920fc 100644
--- a/docs/reference/builder.md
+++ b/docs/reference/builder.md
@@ -22,7 +22,7 @@
The [`docker build`](commandline/build.md) command builds an image from
a `Dockerfile` and a *context*. The build's context is the files at a specified
location `PATH` or `URL`. The `PATH` is a directory on your local filesystem.
-The `URL` is a the location of a Git repository.
+The `URL` is a Git repository location.
A context is processed recursively. So, a `PATH` includes any subdirectories and
the `URL` includes the repository and its submodules. A simple build command
@@ -513,13 +513,15 @@
In the *shell* form you can use a `\` (backslash) to continue a single
RUN instruction onto the next line. For example, consider these two lines:
+
```
-RUN /bin/bash -c 'source $HOME/.bashrc ;\
+RUN /bin/bash -c 'source $HOME/.bashrc; \
echo $HOME'
```
Together they are equivalent to this single line:
+
```
-RUN /bin/bash -c 'source $HOME/.bashrc ; echo $HOME'
+RUN /bin/bash -c 'source $HOME/.bashrc; echo $HOME'
```
> **Note**:
@@ -635,7 +637,7 @@
default specified in `CMD`.
> **Note**:
-> don't confuse `RUN` with `CMD`. `RUN` actually runs a command and commits
+> Don't confuse `RUN` with `CMD`. `RUN` actually runs a command and commits
> the result; `CMD` does not execute anything at build time, but specifies
> the intended command for the image.
@@ -731,7 +733,7 @@
ENV myDog Rex The Dog
ENV myCat fluffy
-will yield the same net results in the final container, but the first form
+will yield the same net results in the final image, but the first form
is preferred because it produces a single cache layer.
The environment variables set using `ENV` will persist when a container is run
@@ -753,7 +755,7 @@
whitespace)
The `ADD` instruction copies new files, directories or remote file URLs from `<src>`
-and adds them to the filesystem of the container at the path `<dest>`.
+and adds them to the filesystem of the image at the path `<dest>`.
Multiple `<src>` resource may be specified but if they are files or
directories then they must be relative to the source directory that is
@@ -786,7 +788,7 @@
> can only contain a URL based `ADD` instruction. You can also pass a
> compressed archive through STDIN: (`docker build - < archive.tar.gz`),
> the `Dockerfile` at the root of the archive and the rest of the
-> archive will get used at the context of the build.
+> archive will be used as the context of the build.
> **Note**:
> If your URL files are protected using authentication, you
@@ -828,7 +830,7 @@
- If `<src>` is a *local* tar archive in a recognized compression format
(identity, gzip, bzip2 or xz) then it is unpacked as a directory. Resources
from *remote* URLs are **not** decompressed. When a directory is copied or
- unpacked, it has the same behavior as `tar -x`: the result is the union of:
+ unpacked, it has the same behavior as `tar -x`, the result is the union of:
1. Whatever existed at the destination path and
2. The contents of the source tree, with conflicts resolved in favor
@@ -1660,7 +1662,7 @@
environment variable expansion semantics could be modified.
The `SHELL` instruction can also be used on Linux should an alternate shell be
-required such `zsh`, `csh`, `tcsh` and others.
+required such as `zsh`, `csh`, `tcsh` and others.
The `SHELL` feature was added in Docker 1.12.
diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md
index 3de313e..a515f6b 100644
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@@ -1270,10 +1270,14 @@
- `-p, --pidfile=/var/run/docker.pid` is the path where the process ID of the daemon is stored. Specify the path for your
pid file here.
- `--host=[]` specifies where the Docker daemon will listen for client connections. If unspecified, it defaults to `/var/run/docker.sock`.
-- `--iptables=false` prevents the Docker daemon from adding iptables rules. If
- multiple daemons manage iptables rules, they may overwrite rules set by
- another daemon. Be aware that disabling this option requires you to manually
- add iptables rules to expose container ports.
+- `--iptables=false` prevents the Docker daemon from adding iptables rules. If
+multiple daemons manage iptables rules, they may overwrite rules set by another
+daemon. Be aware that disabling this option requires you to manually add
+iptables rules to expose container ports. If you prevent Docker from adding
+iptables rules, Docker will also not add IP masquerading rules, even if you set
+`--ip-masq` to `true`. Without IP masquerading rules, Docker containers will not be
+able to connect to external hosts or the internet when using network other than
+default bridge.
- `--config-file=/etc/docker/daemon.json` is the path where configuration file is stored. You can use it instead of
daemon flags. Specify the path for each daemon.
- `--tls*` Docker daemon supports `--tlsverify` mode that enforces encrypted and authenticated remote connections.
diff --git a/docs/reference/commandline/logs.md b/docs/reference/commandline/logs.md
index 13bc2cd..40a5a08 100644
--- a/docs/reference/commandline/logs.md
+++ b/docs/reference/commandline/logs.md
@@ -26,8 +26,8 @@
> **Note**: this command is only functional for containers that are started with
> the `json-file` or `journald` logging driver.
-For more information about selecting and configuring login-drivers, refer to
-[Configure logging drivers](../../admin/logging/overview.md).
+For more information about selecting and configuring logging drivers, refer to
+[Configure logging drivers](https://docs.docker.com/engine/admin/logging/overview/).
The `docker logs --follow` command will continue streaming the new output from
the container's `STDOUT` and `STDERR`.
diff --git a/docs/reference/commandline/network_connect.md b/docs/reference/commandline/network_connect.md
index a4ef2eb..ce968d4 100644
--- a/docs/reference/commandline/network_connect.md
+++ b/docs/reference/commandline/network_connect.md
@@ -53,11 +53,8 @@
```bash
$ docker network connect --alias db --alias mysql multi-host-network container2
```
-
You can pause, restart, and stop containers that are connected to a network.
-Paused containers remain connected and can be revealed by a `network inspect`.
-When the container is stopped, it does not appear on the network until you restart
-it.
+A container connects to its configured networks when it runs.
If specified, the container's IP address(es) is reapplied when a stopped
container is restarted. If the IP address is no longer available, the container
diff --git a/docs/reference/commandline/network_inspect.md b/docs/reference/commandline/network_inspect.md
index 173dd9c..f051756 100644
--- a/docs/reference/commandline/network_inspect.md
+++ b/docs/reference/commandline/network_inspect.md
@@ -31,6 +31,9 @@
results. For networks backed by multi-host network driver, such as Overlay,
this command also shows the container endpoints in other hosts in the
cluster. These endpoints are represented as "ep-{endpoint-id}" in the output.
+However, for swarm-scoped networks, only the endpoints that are local to the
+node are shown.
+
You can specify an alternate format to execute a given
template for each result. Go's
[text/template](http://golang.org/pkg/text/template/) package describes all the
diff --git a/docs/reference/commandline/run.md b/docs/reference/commandline/run.md
index 3b5a28b..fac135a 100644
--- a/docs/reference/commandline/run.md
+++ b/docs/reference/commandline/run.md
@@ -237,7 +237,27 @@
you give the container the full access to create and manipulate the host's
Docker daemon.
-For in-depth information about volumes, refer to [manage data in containers](../../tutorials/dockervolumes.md)
+On Windows, the paths must be specified using Windows-style semantics.
+
+ PS C:\> docker run -v c:\foo:c:\dest microsoft/nanoserver cmd /s /c type c:\dest\somefile.txt
+ Contents of file
+
+ PS C:\> docker run -v c:\foo:d: microsoft/nanoserver cmd /s /c type d:\somefile.txt
+ Contents of file
+
+The following examples will fail when using Windows-based containers, as the
+destination of a volume or bind-mount inside the container must be one of:
+a non-existing or empty directory; or a drive other than C:. Further, the source
+of a bind mount must be a local directory, not a file.
+
+ net use z: \\remotemachine\share
+ docker run -v z:\foo:c:\dest ...
+ docker run -v \\uncpath\to\directory:c:\dest ...
+ docker run -v c:\foo\somefile.txt:c:\dest ...
+ docker run -v c:\foo:c: ...
+ docker run -v c:\foo:c:\existing-directory-with-contents ...
+
+For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/engine/tutorials/dockervolumes/)
### Publish or expose port (-p, --expose)
diff --git a/docs/reference/commandline/search.md b/docs/reference/commandline/search.md
index 4c59b90..da21399 100644
--- a/docs/reference/commandline/search.md
+++ b/docs/reference/commandline/search.md
@@ -120,7 +120,7 @@
This example displays images with a name containing 'busybox', at least
3 stars and are official builds:
- $ docker search --filter "is-automated=true" --filter "stars=3" busybox
+ $ docker search --filter "is-official=true" --filter "stars=3" busybox
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
progrium/busybox 50 [OK]
radial/busyboxplus Full-chain, Internet enabled, busybox made... 8 [OK]
diff --git a/docs/reference/commandline/service_create.md b/docs/reference/commandline/service_create.md
index 9a81e19..7d7554a 100644
--- a/docs/reference/commandline/service_create.md
+++ b/docs/reference/commandline/service_create.md
@@ -455,7 +455,36 @@
When you publish a service port, the swarm routing mesh makes the service
accessible at the target port on every node regardless if there is a task for
the service running on the node. For more information refer to
-[Use swarm mode routing mesh](../../swarm/ingress.md).
+[Use swarm mode routing mesh](https://docs.docker.com/engine/swarm/ingress/).
+
+### Publish a port for TCP only or UCP only
+
+By default, when you publish a port, it is a TCP port. You can
+specifically publish a UDP port instead of or in addition to a TCP port. When
+you publish both TCP and UDP ports, Docker 1.12.2 and earlier require you to
+add the suffix `/tcp` for TCP ports. Otherwise it is optional.
+
+#### TCP only
+
+The following two commands are equivalent.
+
+```bash
+$ docker service create --name dns-cache -p 53:53 dns-cache
+
+$ docker service create --name dns-cache -p 53:53/tcp dns-cache
+```
+
+#### TCP and UDP
+
+```bash
+$ docker service create --name dns-cache -p 53:53/tcp -p 53:53/udp dns-cache
+```
+
+#### UDP only
+
+```bash
+$ docker service create --name dns-cache -p 53:53/udp dns-cache
+```
## Related information
diff --git a/docs/reference/commandline/service_ps.md b/docs/reference/commandline/service_ps.md
index 65d4e60..ee22c22 100644
--- a/docs/reference/commandline/service_ps.md
+++ b/docs/reference/commandline/service_ps.md
@@ -60,6 +60,7 @@
* [id](service_ps.md#id)
* [name](service_ps.md#name)
+* [node](service_ps.md#node)
* [desired-state](service_ps.md#desired-state)
@@ -85,6 +86,20 @@
```
+#### Node
+
+The `node` filter matches on a node name or a node ID.
+
+```bash
+$ docker service ps -f "node=manager1" redis
+NAME IMAGE NODE DESIRED STATE CURRENT STATE
+redis.1.0qihejybwf1x5vqi8lgzlgnpq redis:3.0.6 manager1 Running Running 8 seconds
+redis.5.1x0v8yomsncd6sbvfn0ph6ogc redis:3.0.6 manager1 Running Running 8 seconds
+redis.9.3w1wu13yuplna8ri3fx47iwad redis:3.0.6 manager1 Running Running 8 seconds
+redis.10.8eaxrb2fqpbnv9x30vr06i6vt redis:3.0.6 manager1 Running Running 8 seconds
+```
+
+
#### desired-state
The `desired-state` filter can take the values `running`, `shutdown`, and `accepted`.
diff --git a/docs/reference/commandline/stack_config.md b/docs/reference/commandline/stack_config.md
index cf74f76..bc759c1 100644
--- a/docs/reference/commandline/stack_config.md
+++ b/docs/reference/commandline/stack_config.md
@@ -25,4 +25,5 @@
* [stack deploy](stack_deploy.md)
* [stack rm](stack_rm.md)
* [stack services](stack_services.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/commandline/stack_deploy.md b/docs/reference/commandline/stack_deploy.md
index bb72084..51b3e1f 100644
--- a/docs/reference/commandline/stack_deploy.md
+++ b/docs/reference/commandline/stack_deploy.md
@@ -54,4 +54,5 @@
* [stack config](stack_config.md)
* [stack rm](stack_rm.md)
* [stack services](stack_services.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/commandline/stack_tasks.md b/docs/reference/commandline/stack_ps.md
similarity index 76%
rename from docs/reference/commandline/stack_tasks.md
rename to docs/reference/commandline/stack_ps.md
index b0db9b8..d3c816b 100644
--- a/docs/reference/commandline/stack_tasks.md
+++ b/docs/reference/commandline/stack_ps.md
@@ -2,22 +2,22 @@
redirect_from:
- /reference/commandline/stack_tasks/
advisory: experimental
-description: The stack tasks command description and usage
+description: The stack ps command description and usage
keywords:
-- stack, tasks
-title: docker stack tasks (experimental)
+- stack, ps
+title: docker stack ps (experimental)
---
```markdown
-Usage: docker stack tasks [OPTIONS] STACK
+Usage: docker stack ps [OPTIONS] STACK
List the tasks in the stack
Options:
-a, --all Display all tasks
-f, --filter value Filter output based on conditions provided
- --help Print usage
--no-resolve Do not map IDs to Names
+ --no-trunc Do not truncate output
```
Lists the tasks that are running as part of the specified stack. This
@@ -32,9 +32,9 @@
The currently supported filters are:
-* [id](stack_tasks.md#id)
-* [name](stack_tasks.md#name)
-* [desired-state](stack_tasks.md#desired-state)
+* id
+* name
+* desired-state
## Related information
diff --git a/docs/reference/commandline/stack_rm.md b/docs/reference/commandline/stack_rm.md
index 0d28698..60aca06 100644
--- a/docs/reference/commandline/stack_rm.md
+++ b/docs/reference/commandline/stack_rm.md
@@ -28,4 +28,5 @@
* [stack config](stack_config.md)
* [stack deploy](stack_deploy.md)
* [stack services](stack_services.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/commandline/stack_services.md b/docs/reference/commandline/stack_services.md
index cbe8982..a1a2ec0 100644
--- a/docs/reference/commandline/stack_services.md
+++ b/docs/reference/commandline/stack_services.md
@@ -59,4 +59,5 @@
* [stack config](stack_config.md)
* [stack deploy](stack_deploy.md)
* [stack rm](stack_rm.md)
-* [stack tasks](stack_tasks.md)
+* [stack ps](stack_ps.md)
+* [stack ls](stack_ls.md)
diff --git a/docs/reference/run.md b/docs/reference/run.md
index 4a0d2db..41b8c6e 100644
--- a/docs/reference/run.md
+++ b/docs/reference/run.md
@@ -55,15 +55,15 @@
following options.
- [Detached vs foreground](run.md#detached-vs-foreground)
- - [Detached (-d)](run.md#detached-d)
+ - [Detached (-d)](run.md#detached--d)
- [Foreground](run.md#foreground)
- [Container identification](run.md#container-identification)
- - [Name (--name)](run.md#name-name)
+ - [Name (--name)](run.md#name---name)
- [PID equivalent](run.md#pid-equivalent)
- - [IPC settings (--ipc)](run.md#ipc-settings-ipc)
+ - [IPC settings (--ipc)](run.md#ipc-settings---ipc)
- [Network settings](run.md#network-settings)
- - [Restart policies (--restart)](run.md#restart-policies-restart)
- - [Clean up (--rm)](run.md#clean-up-rm)
+ - [Restart policies (--restart)](run.md#restart-policies---restart)
+ - [Clean up (--rm)](run.md#clean-up---rm)
- [Runtime constraints on resources](run.md#runtime-constraints-on-resources)
- [Runtime privilege and Linux capabilities](run.md#runtime-privilege-and-linux-capabilities)
@@ -235,7 +235,7 @@
Debug the redis container by running another container that has strace in it:
```bash
-$ docker run --it --pid=container:my-redis bash
+$ docker run -it --pid=container:my-redis my_strace_docker_image bash
$ strace -p 1
```
@@ -337,13 +337,13 @@
<td class="no-wrap"><strong>container</strong>:<name|id></td>
<td>
Use the network stack of another container, specified via
- its *name* or *id*.
+ its <i>name</i> or <i>id</i>.
</td>
</tr>
<tr>
<td class="no-wrap"><strong>NETWORK</strong></td>
<td>
- Connects the container to a user created network (using `docker network create` command)
+ Connects the container to a user created network (using <code>docker network create</code> command)
</td>
</tr>
</tbody>
@@ -616,15 +616,15 @@
with the same logic -- if the original volume was specified with a name it will **not** be removed.
## Security configuration
- --security-opt="label=user:USER" : Set the label user for the container
- --security-opt="label=role:ROLE" : Set the label role for the container
- --security-opt="label=type:TYPE" : Set the label type for the container
- --security-opt="label=level:LEVEL" : Set the label level for the container
- --security-opt="label=disable" : Turn off label confinement for the container
- --security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied to the container
- --security-opt="no-new-privileges" : Disable container processes from gaining new privileges
- --security-opt="seccomp=unconfined": Turn off seccomp confinement for the container
- --security-opt="seccomp=profile.json: White listed syscalls seccomp Json file to be used as a seccomp filter
+ --security-opt="label=user:USER" : Set the label user for the container
+ --security-opt="label=role:ROLE" : Set the label role for the container
+ --security-opt="label=type:TYPE" : Set the label type for the container
+ --security-opt="label=level:LEVEL" : Set the label level for the container
+ --security-opt="label=disable" : Turn off label confinement for the container
+ --security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied to the container
+ --security-opt="no-new-privileges" : Disable container processes from gaining new privileges
+ --security-opt="seccomp=unconfined" : Turn off seccomp confinement for the container
+ --security-opt="seccomp=profile.json": White listed syscalls seccomp Json file to be used as a seccomp filter
You can override the default labeling scheme for each container by specifying
@@ -726,7 +726,7 @@
<td class="no-wrap"><strong>memory=L<inf, memory-swap=2*L</strong></td>
<td>
(specify memory without memory-swap) The container is not allowed to
- use more than L bytes of memory, swap *plus* memory usage is double
+ use more than L bytes of memory, swap <i>plus</i> memory usage is double
of that.
</td>
</tr>
@@ -736,7 +736,7 @@
</td>
<td>
(specify both memory and memory-swap) The container is not allowed to
- use more than L bytes of memory, swap *plus* memory usage is limited
+ use more than L bytes of memory, swap <i>plus</i> memory usage is limited
by S.
</td>
</tr>
diff --git a/hack/make/.build-rpm/docker-engine.spec b/hack/make/.build-rpm/docker-engine.spec
index 88836f4..9dbdc91 100644
--- a/hack/make/.build-rpm/docker-engine.spec
+++ b/hack/make/.build-rpm/docker-engine.spec
@@ -86,7 +86,11 @@
# RE: rhbz#1195804 - ensure min NVR for selinux-policy
%if 0%{?with_selinux}
Requires: selinux-policy >= %{selinux_policyver}
+%if 0%{?centos} >= 7
+Requires(pre): docker-selinux
+%else
Requires(pre): %{name}-selinux >= %{version}-%{release}
+%endif # centos 7+
%endif # with_selinux
# conflicting packages
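Review bot: The new CentOS 7+ branch requires `docker-selinux` with no version bound, while the other branch keeps `%{name}-selinux >= %{version}-%{release}`. Any installed docker-selinux, however old, satisfies the dependency, so the engine can end up running under a policy that predates it. If a minimum is known, state it, e.g. `Requires(pre): docker-selinux >= <MIN_VERSION>` (placeholder). A comment above the `%if` should also say which repository provides that package and why the project's own policy rpm is not used on CentOS.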
diff --git a/hack/make/build-deb b/hack/make/build-deb
index 5eedb29..74b46cb 100644
--- a/hack/make/build-deb
+++ b/hack/make/build-deb
@@ -88,7 +88,7 @@
fi
cat >> "$DEST/$version/Dockerfile.build" <<-EOF
RUN cp -aL hack/make/.build-deb debian
- RUN { echo '$debSource (${debVersion}-0~${suite}) $suite; urgency=low'; echo; echo ' * Version: $VERSION'; echo; echo " -- $debMaintainer $debDate"; } > debian/changelog && cat >&2 debian/changelog
+ RUN { echo '$debSource (${debVersion}-0~${version}) $suite; urgency=low'; echo; echo ' * Version: $VERSION'; echo; echo " -- $debMaintainer $debDate"; } > debian/changelog && cat >&2 debian/changelog
RUN dpkg-buildpackage -uc -us -I.git
EOF
tempImage="docker-temp/build-deb:$version"
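Review bot: The changelog version suffix is now built from `$version` instead of `$suite`, with no comment recording that release-deb's filelist pattern depends on this string. A line such as `# suffix must match the "*~${codename}*.deb" pattern in hack/make/release-deb` above the heredoc would keep the two scripts in step. If `$version` contains a hyphen (it looks like a `distro-suite` directory name, which is not confirmed from this hunk), dpkg splits the version at the last hyphen, so the revision would be only the part after it. That is worth a quick check against upgrade ordering from packages built with the old suffix.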
diff --git a/hack/make/build-rpm b/hack/make/build-rpm
index 18ff488..69e20cb 100644
--- a/hack/make/build-rpm
+++ b/hack/make/build-rpm
@@ -132,13 +132,12 @@
--define '_experimental ${DOCKER_EXPERIMENTAL:-0}' \
${rpmName}.spec
EOF
- # selinux policy referencing systemd things won't work on non-systemd versions
- # of centos or rhel, which we don't support anyways
- if [ "${suite%.*}" -gt 6 ] && [[ "$version" != opensuse* ]]; then
- selinuxDir="selinux"
- if [ -d "./contrib/selinux-$version" ]; then
- selinuxDir="selinux-${version}"
- fi
+
+ # by default do not create selinux rpm
+ # if there exists a selinux policy dir specifically for distro version
+ # then build a selinux rpm with the policy in the policy dir
+ if [ -d "./contrib/selinux-$version" ]; then
+ selinuxDir="selinux-${version}"
cat >> "$DEST/$version/Dockerfile.build" <<-EOF
RUN tar -cz -C /usr/src/${rpmName}/contrib/${selinuxDir} -f /root/rpmbuild/SOURCES/${rpmName}-selinux.tar.gz ${rpmName}-selinux
RUN rpmbuild -ba \
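Review bot: When `./contrib/selinux-$version` is absent, the SELinux policy rpm is now skipped with no output. A distro that previously fell back to the generic `selinux` directory would silently lose its policy package. If that distro's spec still declares `Requires(pre): %{name}-selinux` (the non-CentOS branch in docker-engine.spec), the engine rpm would presumably have an unsatisfiable dependency; this needs confirming per distro. Consider an `else` branch that logs the skip, e.g. `echo >&2 "no contrib/selinux-$version, skipping selinux rpm"`. The closing `fi` of this `if` lies in the next hunk.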
@@ -149,6 +148,7 @@
${rpmName}-selinux.spec
EOF
fi
+
tempImage="docker-temp/build-rpm:$version"
( set -x && docker build -t "$tempImage" -f $DEST/$version/Dockerfile.build . )
docker run --rm "$tempImage" bash -c 'cd /root/rpmbuild && tar -c *RPMS' | tar -xvC "$DEST/$version"
diff --git a/hack/make/release-deb b/hack/make/release-deb
index 80a25c4..d8806f4 100755
--- a/hack/make/release-deb
+++ b/hack/make/release-deb
@@ -114,7 +114,7 @@
# if we have a $GPG_PASSPHRASE we may as well
# dpkg-sign before copying the deb into the pool
if [ ! -z "$GPG_PASSPHRASE" ]; then
- dpkg-sig -g "--no-tty --passphrase '$GPG_PASSPHRASE'" \
+ dpkg-sig -g "--no-tty --digest-algo 'sha512' --passphrase '$GPG_PASSPHRASE'" \
-k "$GPG_KEYID" --sign builder "$tempdir/$d"
fi
mv "$tempdir/$d" "$APTDIR/pool/$component/d/docker-engine/"
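Review bot: The rewritten `dpkg-sig -g` line still passes `--passphrase '$GPG_PASSPHRASE'` as a command-line argument. There it is readable from the process list by other users on the build host while signing runs, and a passphrase containing a single quote would break the quoting. Since the line is being changed for `--digest-algo` anyway, consider supplying the passphrase through gpg's `--passphrase-fd` or `--passphrase-file` instead; whether dpkg-sig forwards a descriptor cleanly needs checking. The same argument form appears in the `__gpg_sign_cmd` hunk of hack/make/release-rpm and in the three hack/make/sign-repos hunks. The enclosing loop starts outside this hunk.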
@@ -132,6 +132,7 @@
# update the filelist for this codename/component
find "$APTDIR/pool/$component" \
+ -name *~${codename}*.deb -o \
-name *~${codename#*-}*.deb > "$APTDIR/dists/$codename/$component/filelist"
done
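Review bot: The added `-name *~${codename}*.deb` is unquoted, as is the existing pattern after it, so the shell may expand the glob against the current directory before `find` sees it. It can also word-split if `$codename` ever contains whitespace. Quote both: `-name "*~${codename}*.deb" -o -name "*~${codename#*-}*.deb"`. Wrapping the two tests in `\( ... \)` would also keep the `-o` correct if another predicate or action is added later. The surrounding loop begins outside the hunk.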
diff --git a/hack/make/release-rpm b/hack/make/release-rpm
index 5c109d0..e1d41e4 100755
--- a/hack/make/release-rpm
+++ b/hack/make/release-rpm
@@ -59,7 +59,7 @@
--define "_gpg_name $GPG_KEYID" \
--define "_signature gpg" \
--define "__gpg_check_password_cmd /bin/true" \
- --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
+ --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo 'sha512' --passphrase '$GPG_PASSPHRASE' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
--resign "${RPMFILE[@]}"
fi
diff --git a/hack/make/sign-repos b/hack/make/sign-repos
index e0cebc6..6ed1606 100755
--- a/hack/make/sign-repos
+++ b/hack/make/sign-repos
@@ -28,6 +28,7 @@
for F in $(find $APTDIR -name Release); do
if test "$F" -nt "$F.gpg" ; then
gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
+ --digest-algo "sha512" \
--armor --sign --detach-sign \
--batch --yes \
--output "$F.gpg" "$F"
@@ -35,6 +36,7 @@
inRelease="$(dirname "$F")/InRelease"
if test "$F" -nt "$inRelease" ; then
gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
+ --digest-algo "sha512" \
--clearsign \
--batch --yes \
--output "$inRelease" "$F"
@@ -51,6 +53,7 @@
for F in $(find $YUMDIR -name repomd.xml); do
if test "$F" -nt "$F.asc" ; then
gpg -u "$GPG_KEYID" --passphrase "$GPG_PASSPHRASE" \
+ --digest-algo "sha512" \
--armor --sign --detach-sign \
--batch --yes \
--output "$F.asc" "$F"
diff --git a/man/docker-network-connect.1.md b/man/docker-network-connect.1.md
index d6ee159..9cc012e 100644
--- a/man/docker-network-connect.1.md
+++ b/man/docker-network-connect.1.md
@@ -24,11 +24,8 @@
```bash
$ docker run -itd --net=multi-host-network --ip 172.20.88.22 --ip6 2001:db8::8822 busybox
```
-
You can pause, restart, and stop containers that are connected to a network.
-Paused containers remain connected and can be revealed by a `network inspect`.
-When the container is stopped, it does not appear on the network until you restart
-it.
+A container connects to its configured networks when it runs.
If specified, the container's IP address(es) is reapplied when a stopped
container is restarted. If the IP address is no longer available, the container
diff --git a/plugin/distribution/pull.go b/plugin/distribution/pull.go
index b8b3ebb..1bae8d4 100644
--- a/plugin/distribution/pull.go
+++ b/plugin/distribution/pull.go
@@ -143,8 +143,7 @@
logrus.Debugf("pull.go: error in json.Unmarshal(): %v", err)
return nil, err
}
- if m.Config.MediaType != MediaTypeConfig &&
- m.Config.MediaType != "application/vnd.docker.plugin.image.v0+json" {
+ if m.Config.MediaType != MediaTypeConfig {
return nil, ErrUnsupportedMediaType
}
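Review bot: The tightened check `if m.Config.MediaType != MediaTypeConfig {` rejects the manifest without recording which media type was received, whereas the unmarshal failure just above it is logged. Because `application/vnd.docker.plugin.image.v0+json` is no longer accepted, plugins published with that type will presumably start failing here with only `ErrUnsupportedMediaType` to go on. Adding `logrus.Debugf("pull.go: unsupported config media type %q", m.Config.MediaType)` before the return would make that diagnosable, and `%q` keeps the registry-supplied string safely quoted in the log. The enclosing function starts and ends outside the hunk.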
diff --git a/runconfig/streams.go b/runconfig/streams.go
deleted file mode 100644
index 36d0810..0000000
--- a/runconfig/streams.go
+++ /dev/null
@@ -1,143 +0,0 @@
-package runconfig
-
-import (
- "fmt"
- "io"
- "io/ioutil"
- "strings"
- "sync"
-
- "github.com/Sirupsen/logrus"
- "github.com/docker/docker/libcontainerd"
- "github.com/docker/docker/pkg/broadcaster"
- "github.com/docker/docker/pkg/ioutils"
- "github.com/docker/docker/pkg/pools"
-)
-
-// StreamConfig holds information about I/O streams managed together.
-//
-// streamConfig.StdinPipe returns a WriteCloser which can be used to feed data
-// to the standard input of the streamConfig's active process.
-// streamConfig.StdoutPipe and streamConfig.StderrPipe each return a ReadCloser
-// which can be used to retrieve the standard output (and error) generated
-// by the container's active process. The output (and error) are actually
-// copied and delivered to all StdoutPipe and StderrPipe consumers, using
-// a kind of "broadcaster".
-type StreamConfig struct {
- sync.WaitGroup
- stdout *broadcaster.Unbuffered
- stderr *broadcaster.Unbuffered
- stdin io.ReadCloser
- stdinPipe io.WriteCloser
-}
-
-// NewStreamConfig creates a stream config and initializes
-// the standard err and standard out to new unbuffered broadcasters.
-func NewStreamConfig() *StreamConfig {
- return &StreamConfig{
- stderr: new(broadcaster.Unbuffered),
- stdout: new(broadcaster.Unbuffered),
- }
-}
-
-// Stdout returns the standard output in the configuration.
-func (streamConfig *StreamConfig) Stdout() *broadcaster.Unbuffered {
- return streamConfig.stdout
-}
-
-// Stderr returns the standard error in the configuration.
-func (streamConfig *StreamConfig) Stderr() *broadcaster.Unbuffered {
- return streamConfig.stderr
-}
-
-// Stdin returns the standard input in the configuration.
-func (streamConfig *StreamConfig) Stdin() io.ReadCloser {
- return streamConfig.stdin
-}
-
-// StdinPipe returns an input writer pipe as an io.WriteCloser.
-func (streamConfig *StreamConfig) StdinPipe() io.WriteCloser {
- return streamConfig.stdinPipe
-}
-
-// StdoutPipe creates a new io.ReadCloser with an empty bytes pipe.
-// It adds this new out pipe to the Stdout broadcaster.
-func (streamConfig *StreamConfig) StdoutPipe() io.ReadCloser {
- bytesPipe := ioutils.NewBytesPipe()
- streamConfig.stdout.Add(bytesPipe)
- return bytesPipe
-}
-
-// StderrPipe creates a new io.ReadCloser with an empty bytes pipe.
-// It adds this new err pipe to the Stderr broadcaster.
-func (streamConfig *StreamConfig) StderrPipe() io.ReadCloser {
- bytesPipe := ioutils.NewBytesPipe()
- streamConfig.stderr.Add(bytesPipe)
- return bytesPipe
-}
-
-// NewInputPipes creates new pipes for both standard inputs, Stdin and StdinPipe.
-func (streamConfig *StreamConfig) NewInputPipes() {
- streamConfig.stdin, streamConfig.stdinPipe = io.Pipe()
-}
-
-// NewNopInputPipe creates a new input pipe that will silently drop all messages in the input.
-func (streamConfig *StreamConfig) NewNopInputPipe() {
- streamConfig.stdinPipe = ioutils.NopWriteCloser(ioutil.Discard)
-}
-
-// CloseStreams ensures that the configured streams are properly closed.
-func (streamConfig *StreamConfig) CloseStreams() error {
- var errors []string
-
- if streamConfig.stdin != nil {
- if err := streamConfig.stdin.Close(); err != nil {
- errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
- }
- }
-
- if err := streamConfig.stdout.Clean(); err != nil {
- errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
- }
-
- if err := streamConfig.stderr.Clean(); err != nil {
- errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
- }
-
- if len(errors) > 0 {
- return fmt.Errorf(strings.Join(errors, "\n"))
- }
-
- return nil
-}
-
-// CopyToPipe connects streamconfig with a libcontainerd.IOPipe
-func (streamConfig *StreamConfig) CopyToPipe(iop libcontainerd.IOPipe) {
- copyFunc := func(w io.Writer, r io.Reader) {
- streamConfig.Add(1)
- go func() {
- if _, err := pools.Copy(w, r); err != nil {
- logrus.Errorf("stream copy error: %+v", err)
- }
- streamConfig.Done()
- }()
- }
-
- if iop.Stdout != nil {
- copyFunc(streamConfig.Stdout(), iop.Stdout)
- }
- if iop.Stderr != nil {
- copyFunc(streamConfig.Stderr(), iop.Stderr)
- }
-
- if stdin := streamConfig.Stdin(); stdin != nil {
- if iop.Stdin != nil {
- go func() {
- pools.Copy(iop.Stdin, stdin)
- if err := iop.Stdin.Close(); err != nil {
- logrus.Errorf("failed to close stdin: %+v", err)
- }
- }()
- }
- }
-}