Commit Graph

1045 Commits

Author SHA1 Message Date
Liron Levin 67d3265c4b Docker authorization plug-in infrastructure enables extending the functionality of the Docker daemon with respect to user authorization. The infrastructure enables registering a set of external authorization plug-in. Each plug-in receives information about the user and the request and decides whether to allow or deny the request. Only in case all plug-ins allow accessing the resource the access is granted.
Each plug-in operates as a separate service, and registers with Docker
through general (plug-ins API)
[https://blog.docker.com/2015/06/extending-docker-with-plugins/]. No
Docker daemon recompilation is required in order to add / remove an
authentication plug-in. Each plug-in is notified twice for each
operation: 1) before the operation is performed and, 2) before the
response is returned to the client. The plug-ins can modify the response
that is returned to the client.

The authorization depends on the authorization effort that takes place
in parallel [https://github.com/docker/docker/issues/13697].

This is the official issue of the authorization effort:
https://github.com/docker/docker/issues/14674

(Here)[https://github.com/rhatdan/docker-rbac] you can find an open
document that discusses a default RBAC plug-in for Docker.

Signed-off-by: Liron Levin <liron@twistlock.com>
Added container create flow test and extended the verification for ps
2017-06-02 00:07:20 +00:00
Dima Stopel 87f1223216 Adding authorization subsystem documentation
Signed-off-by: Dima Stopel <dima@twistlock.com>
2017-06-02 00:07:20 +00:00
Aaron Lehmann fa96356872 Update docs for addition of transfer manager
Closing the HTTP connection requesting a push or pull will cancel the
push or pull. This behavior also applies to the CLI.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2017-06-02 00:07:19 +00:00
Qiang Huang d9278dd4a8 Check minimum kernel memory limit to be 4M
Fixes: #18405

Signed-off-by: Qiang Huang <h.huangqiang@huawei.com>
2017-06-02 00:07:19 +00:00
Sambuddha Basu 93ce6fd9f5 The docs now explain that images with repo:tag as <none>:<none> are dangling images.
Signed-off-by: Sambuddha Basu <sambuddhabasu1@gmail.com>
2017-06-02 00:07:19 +00:00
Harald Albers b4a012656c Improve bash completion for `docker network disconnect`
Signed-off-by: Harald Albers <github@albersweb.de>
2017-06-02 00:07:19 +00:00
Sebastiaan van Stijn 7071c15b5f docs: markdown and textual fixups in reference/run.md
This fixes markdown formatting, and formatting of tables;

 - Our markdown engine doesn't support spanning rows, so
   re-wrapped table contents.
 - Added a CSS-styles to prevent "code" blocks in tables
   from wrapping
 - The "logging drivers" table didn't have a header
 - Aligned table borders in source code for better readability.
 - Standardize on using `-it` in stead of -i -t or -ti
 - Some markup issues
 - Some minor textual fixups

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:19 +00:00
Jessica Frazelle ac40ecf711 update bash completion for seccomp
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
2017-06-02 00:07:19 +00:00
Chris Weyl 66eef79e58 newtork -> network (minor spelling correction)
...yeah, that was bugging me. :)

Signed-off-by: Chris Weyl <cweyl@alumni.drew.edu>
2017-06-02 00:07:19 +00:00
Ma Shimiao 9480c4763d Add support for blkio read/write bps device
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2017-06-02 00:07:19 +00:00
Ma Shimiao 7880dcf5f2 docs: fix weight-deivce option args
Signed-off-by: Ma Shimiao <mashimiao.fnst@cn.fujitsu.com>
2017-06-02 00:07:19 +00:00
Vincent Demeester c6162061d9 Add format flag to network inspect
…for consistency as docker inspect and docker volume inspect supports it too

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-06-02 00:07:19 +00:00
Sebastiaan van Stijn c5f725e1c7 Address review comments.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:19 +00:00
Ben Firshman 22ce4b4448 Add docs and man page entry for --volume-driver
Signed-off-by: Ben Firshman <ben@firshman.co.uk>
2017-06-02 00:07:19 +00:00
Wen Cheng Ma deae0706ea Add NETWORK_NAME_or_ID value for --net= option
Signed-off-by: Wen Cheng Ma <wenchma@cn.ibm.com>
2017-06-02 00:07:19 +00:00
Sebastiaan van Stijn 178a2cfe7c update order and address review notes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:19 +00:00
gwx296173 01c09480dc add examples in search.md
Signed-off-by: gwx296173 <gaojing3@huawei.com>
2017-06-02 00:07:19 +00:00
Antonio Murdaca e9287cd43a Add OomScoreAdj to configure container oom killer preferences
libcontainer v0.0.4 introduces setting `/proc/self/oom_score_adj` to
better tune oom killing preferences for container process. This patch
simply integrates OomScoreAdj libcontainer's config option and adjust
the cli with this new option.

Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2017-06-02 00:07:19 +00:00
Dan Walsh 65120e8851 This patch adds --tmpfs as a option for mounting tmpfs on directories
It will Tar up contents of child directory onto tmpfs if mounted over

This patch will use the new PreMount and PostMount hooks to "tar"
up the contents of the base image on top of tmpfs mount points.

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-02 00:07:18 +00:00
Pavel Pospisil 70efcb00b4 Improvement of docker top Man Page
Some users expect that the `docker top $CONT` command displays information from the inside container perspective.
They expect that the `docker top $CONT` command displays same information as the `docker exec $CONT ps -ef` command. But it does not.

That's why the `docker top` man page shall explicitly state that the `docker top $CONT` displays information from the host's point of view.

Signed-off-by: Pavel Pospisil <pospispa@gmail.com>
2017-06-02 00:07:18 +00:00
Doug Davis ecfc3613b2 Deprecate -f flag from docker tag
Closes #9798

@maintainers please note that this is a change to the UX. We no longer
require the -f flag on `docker tag` to move a tag from an existing image.
However, this does make us more consistent across our commands,
see https://github.com/docker/docker/issues/9798 for the history.

Signed-off-by: Doug Davis <dug@us.ibm.com>
2017-06-02 00:07:18 +00:00
Zhang Wei 67eea4d814 Add docs for option `--isolation`
Add docs for `run`/`create`/`build` command option `isolation`

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2017-06-02 00:07:18 +00:00
Madhu Venugopal c072458308 Make discovery ttl and heartbeat configurable
Docker daemon uses kv-store as the host-discovery backend.
Discovery module tracks the liveness of a node through a simple
keepalive mechanism.  The keepalive mechanism depends on every
node performing heartbeat by registering itself with the discovery
module (via KV-Store Put operation). And for every Put operation,
the discovery module in all other nodes will receive a Watch
notification. That keeps the node alive.
Any node that fails to register itself within the TTL timer is
considered dead and removed from the discovery database.

The default timer (heartbeat = 20 seconds & ttl = 60 seconds)
works fine for small clusters.  But for large clusters, these
default timers are extremely aggressive and that causes high CPU
& most of the processing is spent managing the node discovery
and that impacts normal daemon operation.

Hence we need a way to make the discovery ttl and heartbeat
configurable.  As the cluster size grows, the user can change
these timers to make sure the daemon scales.

Signed-off-by: Madhu Venugopal <madhu@docker.com>
2017-06-02 00:07:18 +00:00
Kai Qiang Wu(Kennan) 4fbaeb5f25 Fixing the volume options doc
Fixes #15896
Signed-off-by: Kai Qiang Wu(Kennan) <wkqwu@cn.ibm.com>
2017-06-02 00:07:18 +00:00
Sebastiaan van Stijn 41afe87367 docs: fixups for plugin drivers in docker info
Plugin drivers were added to docker info in
https://github.com/docker/docker/pull/17300

but not added to the example output in the online
docs.

Also fixed mixed tabs/spaces in the API documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2017-06-02 00:07:18 +00:00
Christopher Jones 0f6787a636 Fixed broken links, and updated some to https
Signed-off-by: Christopher Jones <tophj@linux.vnet.ibm.com>
2017-06-02 00:07:18 +00:00
Doug Davis a7eb9308d5 Add more to tag's -f flag's help
Was noticed in #9798

Signed-off-by: Doug Davis <dug@us.ibm.com>
2017-06-02 00:07:18 +00:00
Zhang Wei 87ba148cab Add API change to docs
Add API change description to docs due to `docker network inspect`
returns different data structure.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2017-06-02 00:07:18 +00:00
Doug Davis ec3aa7ede2 Add some docs about build-arg's impact on the cache
Closes #18017

Signed-off-by: Doug Davis <dug@us.ibm.com>
2017-06-02 00:07:18 +00:00
Zhang Wei 007df1d494 Enhance `docker network rm` to delete multi net
This commit enhance `docker network rm` command to allow user to delete
multi networks at the same time.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2017-06-02 00:07:18 +00:00
Sven Dowideit d63c19c4ea Fixes found by docs validation tool
Signed-off-by: Sven Dowideit <SvenDowideit@home.org.au>
2017-06-02 00:07:18 +00:00
Zhang Wei 92d0c4bc45 Add '-L' option for `cp`
Fixes #16555

Original docker `cp` always copy symbol link itself instead of target,
now we provide '-L' option to allow docker to follow symbol link to real
target.

Signed-off-by: Zhang Wei <zhangwei555@huawei.com>
2017-06-02 00:07:18 +00:00
Mike Brown 0eb79491dd modifying docker --since and --until to support nanoseconds and time zones
Signed-off-by: Mike Brown <brownwm@us.ibm.com>
2017-06-02 00:07:18 +00:00
Wen Cheng Ma 562c2df97d Re-implement --before and --since as options for --filter
* This commit will mark --before and --since as deprecated, but leave their behavior
  unchanged until they are removed, then re-implement them as options for --filter.

* And update the related docs.

* Update the integration tests.

Fixes issue #17716

Signed-off-by: Wen Cheng Ma <wenchma@cn.ibm.com>
2017-06-02 00:07:18 +00:00
NIWA Hideyuki fa2f024bc6 Addition of "--shm-size" to which size of /dev/shm is changed.
- Optional "--shm-size=" was added to the sub-command(run, create,and build).
- The size of /dev/shm in the container can be changed
  when container is made.
- Being able to specify is a numerical value that applies number,
  b, k, m, and g.
- The default value is 64MB, when this option is not set.
- It deals with both native and lxc drivers.

Signed-off-by: NIWA Hideyuki <niwa.hiedyuki@jp.fujitsu.com>
2017-06-02 00:07:18 +00:00
Mary Anthony cd4fc83dd1 Small changes to storage driver/commands ref
Entering V's comments

Signed-off-by: Mary Anthony <mary@docker.com>
2017-06-02 00:07:17 +00:00
Alexander Morozov 941952972e Use fs cgroups by default
Our implementation of systemd cgroups is mixture of systemd api and
plain filesystem api. It's hard to keep it up to date with systemd and
it already contains some nasty bugs with new versions. Ideally it should
be replaced with some daemon flag which will allow to set parent systemd
slice.

Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2017-06-02 00:07:17 +00:00
Vincent Demeester 3317b8b16d Fix a small typo in volume_inspect.md
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-06-02 00:07:17 +00:00
Vincent Bernat 00ea341609 zsh: ensure we have enough commands to store in the cache
Otherwise, the cache would be invalid and won't be refreshed soon. This
can happen when the user has the completion installed before docker is
installed.

Signed-off-by: Vincent Bernat <vincent@bernat.im>
2017-06-02 00:07:17 +00:00
Vincent Bernat 7eac998e7d zsh: remove lxc-related completion
LXC support has been deprecated and the related completion has been
removed in #17700 but was added back in #17334.

Signed-off-by: Vincent Bernat <vincent@bernat.im>
2017-06-02 00:07:17 +00:00
Steve Durrheimer 2788cfa614 Add zsh completion for log options
Signed-off-by: Steve Durrheimer <s.durrheimer@gmail.com>
2017-06-02 00:07:17 +00:00
Vincent Demeester 8ab8a0f3c5 Add pkg/parsers/architecture and pkg/platform
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-06-02 00:07:17 +00:00
Olle Jonsson 1de6fda301 /info: Add keys Architecture, OSType
- introduces Swarm-relevant keys, see #13634
  - docs updated

Signed-off-by: Olle Jonsson <olle.jonsson@gmail.com>
2017-06-02 00:07:17 +00:00
Dan Walsh 212fe5f2d0 Relabel BTRFS Content on container Creation
This change will allow us to run SELinux in a container with
BTRFS back end.  We continue to work on fixing the kernel/BTRFS
but this change will allow SELinux Security separation on BTRFS.

It basically relabels the content on container creation.

Just relabling -init directory in BTRFS use case. Everything looks like it
works. I don't believe tar/achive stores the SELinux labels, so we are good
as far as docker commit.

Tested Speed on startup with BTRFS on top of loopback directory. BTRFS
not on loopback should get even better perfomance on startup time.  The
more inodes inside of the container image will increase the relabel time.

This patch will give people who care more about security the option of
runnin BTRFS with SELinux.  Those who don't want to take the slow down
can disable SELinux either in individual containers or for all containers
by continuing to disable SELinux in the daemon.

Without relabel:

> time docker run --security-opt label:disable fedora echo test
test

real    0m0.918s
user    0m0.009s
sys    0m0.026s

With Relabel

test

real    0m1.942s
user    0m0.007s
sys    0m0.030s

Signed-off-by: Dan Walsh <dwalsh@redhat.com>

Signed-off-by: Dan Walsh <dwalsh@redhat.com>
2017-06-02 00:07:17 +00:00
Kunal Kushwaha b1287de07b Supported added for reterving Plugin list for Network and Volume.
Also, plugin information in docker info output.

Signed-off-by: Kunal Kushwaha <kushwaha_kunal_v7@lab.ntt.co.jp>
2017-06-02 00:07:17 +00:00
Denis Gladkikh a148373062 Allow configurable metadata for Splunk log driver
Add support of `tag`, `env` and `labels` for Splunk logging driver.
Removed from message `containerId` as it is the same as `tag`.

Signed-off-by: Denis Gladkikh <denis@gladkikh.email>
2017-06-02 00:07:17 +00:00
Zhang Kun e71bd977cf fix doc
Signed-off-by: Zhang Kun <zkazure@gmail.com>

fix doc

Signed-off-by: Zhang Kun <zkazure@gmail.com>
2017-06-02 00:07:17 +00:00
Harald Albers d998542977 bash completion for `docker {run,create} --volume-driver`
Signed-off-by: Harald Albers <github@albersweb.de>
2017-06-02 00:07:17 +00:00
Doug Davis 4978171903 Support multi-dir wildcards in .dockerignore
Closes #13113

Signed-off-by: Doug Davis <dug@us.ibm.com>
2017-06-02 00:07:17 +00:00
pidster 564b68091e Add Weave Network Plugin to docs/extend/plugins.md
Signed-off-by: pidster <pid@pidster.com>
2017-06-02 00:07:17 +00:00