Commit Graph

46 Commits

Author SHA1 Message Date
Sebastiaan van Stijn e628209d9b
linting: ignore some "G101: Potential hardcoded credentials" warnings
    cli/config/credentials/native_store.go:10:2: G101: Potential hardcoded credentials (gosec)
        remoteCredentialsPrefix = "docker-credential-"
        ^
    cli/command/service/opts.go:917:2: G101: Potential hardcoded credentials (gosec)
        flagCredentialSpec          = "credential-spec"
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d7c1fb9112)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 19:16:38 +02:00
Jim Lin 1fdf84b8e9
fix --update-order and --rollback-order flags
Signed-off-by: Jim Lin <b04705003@ntu.edu.tw>
(cherry picked from commit 26a6a724aa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:53:34 +01:00
Albin Kerouanton a9158bdc50
Add ulimits option to docker service create/update/inspect
This is related to moby/moby 40639.

Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 14:41:33 +02:00
Sebastiaan van Stijn 190c64b415
Service cap-add/cap-drop: improve handling of combinations and special "ALL" value
When creating and updating services, we need to avoid unneeded service churn.

The interaction of separate lists to "add" and "drop" capabilities, a special
("ALL") capability, as well as a "relaxed" format for accepted capabilities
(case-insensitive, `CAP_` prefix optional) make this rather involved.

This patch updates how we handle `--cap-add` / `--cap-drop` when _creating_ as
well as _updating_, with the following rules/assumptions applied:

- both existing (service spec) and new (values passed through flags or in
  the compose-file) are normalized and de-duplicated before use.
- the special "ALL" capability is equivalent to "all capabilities" and taken
  into account when normalizing capabilities. Combining "ALL" capabilities
  and other capabilities is therefore equivalent to just specifying "ALL".
- adding capabilities takes precedence over dropping, which means that if
  a capability is both set to be "dropped" and to be "added", it is removed
  from the list to "drop".
- the final lists should be sorted and normalized to reduce service churn
- no validation of capabilities is handled by the client. Validation is
  delegated to the daemon/server.

When deploying a service using a docker-compose file, the docker-compose file
is *mostly* handled as being "declarative". However, many of the issues outlined
above also apply to compose-files, so similar handling is applied to compose
files as well to prevent service churn.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 14:38:35 +02:00
Albin Kerouanton c6ec4e081e
service: Add --cap-add & --cap-drop to service cmds
Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
2020-09-08 14:24:55 +02:00
Sebastiaan van Stijn 395a6d560d
Add support for --limit-pids on service create / update (swarm)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-18 21:25:02 +02:00
Sebastiaan van Stijn 0d57a400b3
vendor: docker/docker aaf470eca7b588aa19e6681bff8bf08d17be1bf2
full diff: 41ac6bef8d...aaf470eca7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-15 13:32:53 +02:00
Drew Erny 9375644e34 Add jobs support to CLI
* Added two new modes accepted by the `--mode` flag
  * `replicated-job` creates a replicated job
  * `global-job` creates a global job.
* When using `replicated-job` mode, the `replicas` flag sets the
  `TotalCompletions` parameter of the job. This is the total number of
  tasks that will run
* Added a new flag, `max-concurrent`, for use with `replicated-job`
  mode. This flag sets the `MaxConcurrent` parameter of the job, which
  is the maximum number of replicas the job will run simultaneously.
* When using `replicated-job` or `global-job` mode, using any of the
  update parameter flags will result in an error, as jobs cannot be
  updated in the traditional sense.
* Updated the `docker service ls` UI to include the completion status
  (completed vs total tasks) if the service is a job.
* Updated the progress bars UI for service creation and update to
  support jobs. For jobs, there is displayed a bar covering the overall
  progress of the job (the number of tasks completed over the total
  number of tasks to complete).
* Added documentation explaining the use of the new flags, and of jobs
  in general.

Signed-off-by: Drew Erny <derny@mirantis.com>
2020-04-24 11:22:10 -05:00
Sebastiaan van Stijn acb24f5164
Switch to google/shlex
The github.com/flynn-archive/go-shlex package is a fork of Google/shlex,
and the repository is now archived, so let's switch to the maintained
version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-13 17:51:15 +02:00
Drew Erny 01f4f2e80a Update CredentialSpec code to allow using configs
Updates the CredentialSpec handling code for services to allow using
swarm Configs.

Additionally, fixes a bug where the `--credential-spec` flag would not
be respected on service updates.

Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-04-12 11:17:33 -05:00
Sebastiaan van Stijn 6511da877f Add support for using Configs as CredentialSpecs in services
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-12 11:17:29 -05:00
Sebastiaan van Stijn f620349837
Add sysctl support for services
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-19 13:33:32 +01:00
Sebastiaan van Stijn f2424bd375
Fix labels copying value from environment variables
This patch fixes a bug where labels use the same behavior as `--env`, resulting
in a value to be copied from environment variables with the same name as the
label if no value is set (i.e. a simple key, no `=` sign, no value).

An earlier pull request addressed similar cases for `docker run`;
2b17f4c8a8, but this did not address the
same situation for (e.g.) `docker service create`.

Digging in history for this bug, I found that use of the `ValidateEnv`
function for labels was added in the original implementation of the labels feature in
abb5e9a077 (diff-ae476143d40e21ac0918630f7365ed3cR34)

However, the design never intended it to expand environment variables,
and use of this function was due to either a "copy/paste" of the
equivalent `--env` flags, or a misunderstanding (the name `ValidateEnv` does
not communicate that it also expands environment variables), and the existing
`ValidateLabel` was designed for _engine_ labels (which required a value to
be set).

Following the initial implementation, other parts of the code followed
the same (incorrect) approach, therefore leading the bug to be introduced
in services as well.

This patch:

- updates the `ValidateLabel` to match the expected validation
  rules (this function is no longer used since 31dc5c0a9a,
  and the daemon has its own implementation)
- corrects various locations in the code where `ValidateEnv` was used instead of `ValidateLabel`.

Before this patch:

```bash
export SOME_ENV_VAR=I_AM_SOME_ENV_VAR
docker service create --label SOME_ENV_VAR --tty --name test busybox

docker service inspect --format '{{json .Spec.Labels}}' test
{"SOME_ENV_VAR":"I_AM_SOME_ENV_VAR"}
```

After this patch:

```bash
export SOME_ENV_VAR=I_AM_SOME_ENV_VAR
docker service create --label SOME_ENV_VAR --tty --name test busybox

docker service inspect --format '{{json .Spec.Labels}}' test
{"SOME_ENV_VAR":""}
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-19 03:01:57 +01:00
Olli Janatuinen f7f4d3bbb8 Add support for maximum replicas per node without stack
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2019-02-22 09:53:21 +02:00
Akihiro Suda a7b5f2df86 support --mount type=bind,bind-nonrecursive,...
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-01-10 12:07:46 +09:00
Arash Deshmeh ceed42217d refactored all commands under cli/command/ to use sort.Slice instead of declaring custom types for sorting
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
2018-07-06 15:49:32 -04:00
Vincent Demeester ff13f03def
Add --init option to `docker service create`
Signed-off-by: Timothy Higinbottom <timhigins@gmail.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-14 13:50:12 +02:00
Vincent Demeester 74d86d4b2e
Merge pull request #1052 from thaJeztah/fix-rollback-config
Fix service rollback options being cross-wired
2018-05-14 11:01:56 +02:00
Kir Kolyshkin 6f8070deb2 Switch from x/net/context to context
Since go 1.7, "context" is a standard package. Since go 1.9,
x/net/context merely provides some types aliased to those in
the standard context package.

The changes were performed by the following script:

    for f in $(git ls-files \*.go | grep -v ^vendor/); do
    	sed -i 's|golang.org/x/net/context|context|' $f
    	goimports -w $f
    	for i in 1 2; do
    		awk '/^$/ {e=1; next;}
    			/\t"context"$/ {e=0;}
    			{if (e) {print ""; e=0}; print;}' < $f > $f.new && \
    				mv $f.new $f
    		goimports -w $f
    	done
    done

[v2: do awk/goimports fixup twice]
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-05-11 16:49:43 -07:00
Sebastiaan van Stijn f367aa9330
Fix service rollback options being cross-wired
The "update" and "rollback" configurations were cross-wired; as a result, setting
`--rollback-*` options would override the service's update-options.

Creating a service with both update, and rollback configuration:

    docker service create \
      --name=test \
      --update-failure-action=pause \
      --update-max-failure-ratio=0.6 \
      --update-monitor=3s \
      --update-order=stop-first \
      --update-parallelism=3 \
      --rollback-failure-action=continue \
      --rollback-max-failure-ratio=0.5 \
      --rollback-monitor=4s \
      --rollback-order=start-first \
      --rollback-parallelism=2 \
      --tty \
      busybox

Before this change:

    docker service inspect --format '{{json .Spec.UpdateConfig}}' test \
    && docker service inspect --format '{{json .Spec.RollbackConfig}}' test

Produces:

    {"Parallelism":3,"FailureAction":"pause","Monitor":3000000000,"MaxFailureRatio":0.6,"Order":"stop-first"}
    {"Parallelism":3,"FailureAction":"pause","Monitor":3000000000,"MaxFailureRatio":0.6,"Order":"stop-first"}

After this change:

    {"Parallelism":3,"FailureAction":"pause","Monitor":3000000000,"MaxFailureRatio":0.6,"Order":"stop-first"}
    {"Parallelism":2,"FailureAction":"continue","Monitor":4000000000,"MaxFailureRatio":0.5,"Order":"start-first"}

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-05-11 11:47:05 +02:00
Vincent Demeester 2b17f4c8a8
Fix `--label-file` weird behavior
`--label-file` has the exact same behavior as `--env-file`, meaning that for any
placeholder (i.e. a simple key, no `=` sign, no value), it will get the
value from the environment variable.

For `--label-file` it should just add an empty label.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-01-29 11:08:54 -08:00
Sebastiaan van Stijn e6ebaf55dd
Fix --network-add adding duplicate networks
When adding a network using `docker service update --network-add`,
the new network was added by _name_.

Existing entries in a service spec are listed by network ID, which
resulted in the CLI not detecting duplicate entries for the same
network.

This patch changes the behavior to always use the network-ID,
so that duplicate entries are correctly caught.

Before this change;

    $ docker network create -d overlay foo
    $ docker service create --name=test --network=foo nginx:alpine
    $ docker service update --network-add foo test
    $ docker service inspect --format '{{ json .Spec.TaskTemplate.Networks}}' test
    [
      {
        "Target": "9ot0ieagg5xv1gxd85m7y33eq"
      },
      {
        "Target": "9ot0ieagg5xv1gxd85m7y33eq"
      }
    ]

After this change:

    $ docker network create -d overlay foo
    $ docker service create --name=test --network=foo nginx:alpine
    $ docker service update --network-add foo test
    service is already attached to network foo

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-01-09 20:42:09 +01:00
Renaud Gaubert 20a6ff32ee Added support for generic resource update
Signed-off-by: Renaud Gaubert <renaud.gaubert@gmail.com>
2017-11-28 18:03:10 +01:00
Renaud Gaubert 7ddd5f3434 Updated GenericResource CLI
Signed-off-by: Renaud Gaubert <renaud.gaubert@gmail.com>
2017-11-28 18:03:10 +01:00
Simon Ferquel 47cf2ea683 Add isolation mode on service update/create and compose files
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2017-11-17 15:31:13 +01:00
Daniel Nephin c0d004f7cf Update gometalinter
and enable the new WarnUnmatchedDirective to warn if a nolint is unnecessary.
remove some unnecessary nolint

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-10-26 12:21:02 -04:00
Sebastiaan van Stijn 0c27355f7b
Use non-detached mode as default for service commands
Commit 330a0035334871d92207b583c1c36d52a244753f added a `--detach=false` option
to various service-related commands, with the intent to make this the default in
a future version (17.09).

This patch changes the default to use "interactive" (non-detached), allowing
users to override this by setting the `--detach` option.

To prevent problems when connecting to older daemon versions (17.05 and below,
see commit db60f25561), the detach option is
ignored for those versions, and detach is always true.

Before this change, a warning was printed to announce the upcoming default:

    $ docker service create nginx:alpine
    saxiyn3pe559d753730zr0xer
    Since --detach=false was not specified, tasks will be created in the background.
    In a future release, --detach=false will become the default.

After this change, no warning is printed, but `--detach` is disabled;

    $ docker service create nginx:alpine
    y9jujwzozi0hwgj5yaadzliq6
    overall progress: 1 out of 1 tasks
    1/1: running   [==================================================>]
    verify: Service converged

Setting the `--detach` flag makes the cli use the pre-17.06 behavior:

    $ docker service create --detach nginx:alpine
    280hjnzy0wzje5o56gr22a46n

Running against a 17.03 daemon, without specifying the `--detach` flag;

    $ docker service create nginx:alpine
    kqheg7ogj0kszoa34g4p73i8q

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-09-13 12:27:55 +02:00
Simon Ferquel a0113c3a44 updated vendoring
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2017-09-01 19:41:06 -04:00
Victor Vieux db60f25561 hide --detach for docker < 17.05
Signed-off-by: Victor Vieux <victorvieux@gmail.com>
2017-06-26 18:55:30 -07:00
Daniel Nephin b84e21cd05 Fix lint errors merged while new lint branch was in PR.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-21 00:11:59 -04:00
Daniel Nephin 3724fb7f37 Add gosimple lint
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-14 16:55:08 -07:00
Yong Tang 657457ee2c Use `scope=swarm` for service related network inspect.
This fix uses `scope=swarm` for service related network inspect.
The purpose is that, in case multiple networks with the same
name exist in different scopes, it is still possible to obtain
the network for services.

This fix is related to moby/moby#33630 and docker/cli#167

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2017-06-13 20:26:12 +00:00
Vincent Demeester 44ac80881f
Update vendoring of docker/docker
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-06-06 00:23:21 +02:00
Sebastiaan van Stijn eea4a38cd6 Merge pull request #77 from vdemeester/move-duration-opts
Move duration opts into an opts package
2017-05-18 11:15:30 +02:00
Abhinandan Prativadi 40341ae089 Adding network options to service create/update
Changes added to accept network specific options in
docker service create/update

Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
2017-05-17 21:07:48 -07:00
Nishant Totla 39d03bb2bd
Adding a flag to allow disabling registry lookup
Signed-off-by: Nishant Totla <nishanttotla@gmail.com>
2017-05-17 17:55:11 -07:00
Vincent Demeester b5182ba17f
Move duration opts into an opts package
They have nothing to do with service and could be used on their own.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-05-16 17:49:40 +02:00
Vincent Demeester d7f6563efc
Update cli imports to using local package
Also, rename a bunch of variables to not *shadow* the `opts` package
name.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-05-15 14:45:19 +02:00
Aaron Lehmann db5620026d Add support for configs
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-05-11 13:42:49 -07:00
Daniel Nephin c31d25653f Add line length linter
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-05-08 15:57:56 -04:00
Daniel Nephin 37ccc00d0e Add interfacer linter
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-05-08 15:57:50 -04:00
Gaetan de Villele 295140edf2 cli: gofmt + goimports
Signed-off-by: Gaetan de Villele <gdevillele@gmail.com>
2017-05-08 10:51:30 -07:00
Tibor Vass 57230a7212 rm client and vendor it instead
Signed-off-by: Tibor Vass <tibor@docker.com>
2017-05-08 10:33:56 -07:00
Dong Chen a316b380e7 do not allow duration less than 1 ms in healthcheck parameters
Signed-off-by: Dong Chen <dongluo.chen@docker.com>
2017-05-03 17:46:40 -07:00
Daniel Nephin 10641c2aae Update imports.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-04-17 18:07:56 -04:00
Daniel Nephin 1630fc40f8 Import docker/docker/cli
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2017-04-17 17:40:59 -04:00