Commit Graph

46 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 190c64b415
Service cap-add/cap-drop: improve handling of combinations and special "ALL" value
When creating and updating services, we need to avoid unneeded service churn.

The interaction of separate lists to "add" and "drop" capabilities, a special
("ALL") capability, as well as a "relaxed" format for accepted capabilities
(case-insensitive, `CAP_` prefix optional) make this rather involved.

This patch updates how we handle `--cap-add` / `--cap-drop` when _creating_ as
well as _updating_, with the following rules/assumptions applied:

- both existing (service spec) and new (values passed through flags or in
  the compose-file) are normalized and de-duplicated before use.
- the special "ALL" capability is equivalent to "all capabilities" and taken
  into account when normalizing capabilities. Combining "ALL" capabilities
  and other capabilities is therefore equivalent to just specifying "ALL".
- adding capabilities takes precedence over dropping, which means that if
  a capability is both set to be "dropped" and to be "added", it is removed
  from the list to "drop".
- the final lists should be sorted and normalized to reduce service churn
- no validation of capabilities is handled by the client. Validation is
  delegated to the daemon/server.

When deploying a service using a docker-compose file, the docker-compose file
is *mostly* handled as being "declarative". However, many of the issues outlined
above also apply to compose-files, so similar handling is applied to compose
files as well to prevent service churn.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 14:38:35 +02:00
Olli Janatuinen 0db61ff6da
stack: Support cap_add and cap_drop on services
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
2020-09-08 14:24:52 +02:00
Sebastiaan van Stijn 851eeb9639
Add support for pids limit in stacks (swarm)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-18 21:25:08 +02:00
Sebastiaan van Stijn 0d57a400b3
vendor: docker/docker aaf470eca7b588aa19e6681bff8bf08d17be1bf2
full diff: 41ac6bef8d...aaf470eca7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-15 13:32:53 +02:00
Silvin Lubecki d640f44df3
cli/compose/convert: result 1 (error) is always nil (unparam)
cli/compose/convert/service.go:592:76: convertDNSConfig - result 1 (error) is always nil (unparam)
cli/compose/convert/service.go:538:110: convertEndpointSpec - result 1 (error) is always nil (unparam)

Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-31 19:22:20 +01:00
Drew Erny 42ec51e1ae add support for config credentialspecs to compose
Signed-off-by: Drew Erny <drew.erny@docker.com>
2019-04-12 11:17:34 -05:00
Sebastiaan van Stijn 6511da877f Add support for using Configs as CredentialSpecs in services
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-12 11:17:29 -05:00
Sebastiaan van Stijn f620349837
Add sysctl support for services
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-19 13:33:32 +01:00
Olli Janatuinen 6347ab315b Add maximum replicas per node support to stack version 3.8
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2019-02-19 11:25:12 +02:00
Joffrey F e7788d6f9a Allow marshalling of Compose config to JSON
Signed-off-by: Joffrey F <joffrey@docker.com>
2018-09-10 11:16:05 -07:00
Arash Deshmeh 71d650ee17 refactored cli/compose and cli/command/trust to use sort.Slice and removed custom types used for sorting
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
2018-07-08 15:08:17 -04:00
Vincent Demeester cc26da94ed Add `init` support in 3.7 schema
> Run an init inside the container that forwards signals and reaps
  processes

This is supported on `run` and now on Swarm services too, so it's also
possible to have it on a composefile :).

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-25 11:13:32 +02:00
Vincent Demeester 4e6e5d583c
Support for rollback config in compose 3.7
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-05-29 11:37:51 +02:00
Daniel Nephin b4c108a385 Fix named network in compose file
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-12 15:15:27 -04:00
Daniel Nephin 9da2602f38 Fix external networks
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-12-11 11:29:49 -05:00
Renaud Gaubert 1ff73f867d Added support of Generic resources in compose file
Signed-off-by: Renaud Gaubert <renaud.gaubert@gmail.com>
2017-11-28 21:52:09 +01:00
Ilya Sotkov 4f7f3d2f61 Add secret.name and config.name in compose.
Signed-off-by: Ilya Sotkov <ilya@sotkov.com>
2017-11-22 13:18:05 +02:00
Simon Ferquel 47cf2ea683 Add isolation mode on service update/create and compose files
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2017-11-17 15:31:13 +01:00
Daniel Nephin a68c940f1a Remove duplication in compose/convert
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-11-10 15:56:11 -05:00
Sebastiaan van Stijn dbdf8f6468
Preserve sort-order of extra hosts, and allow duplicate entries
Extra hosts (`extra_hosts` in compose-file, or `--hosts` in services) add
custom host/ip mappings to the container's `/etc/hosts`.

The current implementation used a `map[string]string{}` as intermediate
storage, and sorted the results alphabetically when converting to a service-spec.

As a result, duplicate hosts were removed, and order of host/ip mappings was not
preserved (in case the compose-file used a list instead of a map).

According to the **host.conf(5)** man page (http://man7.org/linux/man-pages/man5/host.conf.5.html)

    multi  Valid values are on and off.  If set to on, the resolver
      library will return all valid addresses for a host that
      appears in the /etc/hosts file, instead of only the first.
      This is off by default, as it may cause a substantial
      performance loss at sites with large hosts files.

Multiple entries for a host are allowed, and even required for some situations,
for example, to add mappings for IPv4 and IPv6 addresses for a host, as illustrated
by the example hosts file in the **hosts(5)** man page (http://man7.org/linux/man-pages/man5/hosts.5.html):

    # The following lines are desirable for IPv4 capable hosts
    127.0.0.1       localhost

    # 127.0.1.1 is often used for the FQDN of the machine
    127.0.1.1       thishost.mydomain.org  thishost
    192.168.1.10    foo.mydomain.org       foo
    192.168.1.13    bar.mydomain.org       bar
    146.82.138.7    master.debian.org      master
    209.237.226.90  www.opensource.org

    # The following lines are desirable for IPv6 capable hosts
    ::1             localhost ip6-localhost ip6-loopback
    ff02::1         ip6-allnodes
    ff02::2         ip6-allrouters

This patch changes the intermediate storage format to use a `[]string`, and only
sorts entries if the input format in the compose file is a mapping. If the input
format is a list, the original sort-order is preserved.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-10-30 01:48:09 +01:00
pnagy 27e8bdf32b sort secrets and configs to ensure idempotence
`docker stack deploy` keeps restarting services it doesn't need to (no changes)
because the entries' order gets randomized at some previous (de)serialization.
Maybe it would be worth looking into this at a higher level and ensure
all (de)serialization happens in an ordered collection.

This quick fix sorts secrets and configs (in place, mutably) which ensures the
same order for each run.

Based on
https://github.com/moby/moby/pull/30506

Fixes
https://github.com/moby/moby/issues/34746

Signed-off-by: Peter Nagy <xificurC@gmail.com>
2017-09-08 16:09:48 +02:00
Simon Ferquel a0113c3a44 updated vendoring
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
2017-09-01 19:41:06 -04:00
Li Yi e02fcfd34e Change the type of interval, timeout and start_period of healthcheck from string to * time.Duration
Signed-off-by: Li Yi <denverdino@gmail.com>
2017-08-30 23:39:12 +08:00
Sebastiaan van Stijn 1cd402b192 Merge pull request #360 from akalipetis/compose-update-order
Add support for update order in compose deployments
2017-08-01 22:24:48 +02:00
Antonis Kalipetis 2950667f07
Support the "order" key in "update_config" for compose
Signed-off-by: Antonis Kalipetis <akalipetis@gmail.com>
2017-07-28 22:50:55 +03:00
Christophe Robin b129a70b5c
Add support for stop-signal in stack command
Signed-off-by: Christophe Robin <crobin@nekoo.com>
2017-07-27 13:18:05 +09:00
Daniel Nephin 3724fb7f37 Add gosimple lint
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-06-14 16:55:08 -07:00
Aaron Lehmann 4d980880f3 Merge pull request #121 from nishanttotla/digest-pinning-stack-deploy
Enable client side digest pinning for stack deploy
2017-06-08 23:20:02 +03:00
Vincent Demeester 96dc07a8cf Update ConvertService for external usage 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-06-08 10:44:05 +02:00
Nishant Totla f790e839fc
Change --no-resolve-image flag to --resolve-image string flag
Signed-off-by: Nishant Totla <nishanttotla@gmail.com>
2017-06-07 12:30:11 -07:00
Nishant Totla 9f1bea2657
Enable client side digest pinning for stack deploy
Signed-off-by: Nishant Totla <nishanttotla@gmail.com>
2017-06-07 12:30:11 -07:00
Vincent Demeester 44ac80881f
Update vendoring of docker/docker
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-06-06 00:23:21 +02:00
Vincent Demeester efaadcf465 Merge pull request #132 from mavenugo/stack-host
Host and Bridge network support in docker stack deploy
2017-05-31 15:07:56 -07:00
John Stephens b7cac96f69
Include stack service configs in service specs
Signed-off-by: John Stephens <johnstep@docker.com>
2017-05-26 21:41:04 -07:00
Daniel Nephin d5b505ee8c Only set default aliases when the network is user defined.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-05-26 14:25:20 -04:00
Madhu Venugopal 123f0bfd98 With the introduction of node-local network support, docker services can
be attached to special networks such as host and bridge. This fix brings
in the required changes to make sure the stack file accepts these
networks as well.

Signed-off-by: Madhu Venugopal <madhu@docker.com>
2017-05-25 19:50:08 -07:00
Brian Goff e574286ba2 Add support for configs to compose format
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-05-16 17:10:14 -04:00
Daniel Nephin 90809f8fd9 Merge pull request #71 from thaJeztah/add-credspec-to-compose
add credential-spec to compose
2017-05-16 16:45:06 -04:00
Sebastiaan van Stijn 4e7943646b add credential-spec to compose
Signed-off-by: Michael Friis <friism@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-05-15 15:00:26 -04:00
Vincent Demeester d7f6563efc
Update cli imports to using local package
Also, rename a bunch of variables to not *shadow* the `opts` package
name.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-05-15 14:45:19 +02:00
Vincent Demeester 0ab760a136
Add support for `read_only` services in stack deploy
The `read_only` key in a composefile is not taken into account right
now. Now that services support `--read-only`, so should `stack deploy`

Ref: moby/moby#32994

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-05-11 17:32:52 +02:00
Li Yi b3459936db Support placement preferences in stack deployment
Move of moby/moby#32743

Signed-off-by: Li Yi <denverdino@gmail.com>
2017-05-09 07:00:45 +08:00
Gaetan de Villele 295140edf2 cli: gofmt + goimports
Signed-off-by: Gaetan de Villele <gdevillele@gmail.com>
2017-05-08 10:51:30 -07:00
Tibor Vass 57230a7212 rm client and vendor it instead
Signed-off-by: Tibor Vass <tibor@docker.com>
2017-05-08 10:33:56 -07:00
Daniel Nephin 10641c2aae Update imports.
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-04-17 18:07:56 -04:00
Daniel Nephin 1630fc40f8 Import docker/docker/cli
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2017-04-17 17:40:59 -04:00