Commit Graph

187 Commits

Author SHA1 Message Date
Sebastiaan van Stijn a51ea675b2
opts: fix potential panic in trimQuotes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-09 08:00:33 +02:00
Sebastiaan van Stijn a0f0578299
gofmt with go1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-26 20:21:00 +01:00
Djordje Lukic ab35e3fac3 Handle relative source mounts
With this change it is now possible to give a relative path to the --volume and
--mount flags.

$ docker run --mount type=bind,source=./,target=/test ...

$ docker run -v .:/test ...

Fixes #1203

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-03-14 15:18:48 +01:00
Sebastiaan van Stijn 38e62571fb
opts: remove deprecated io/ioutil and use t.Cleanup()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-25 15:42:23 +01:00
CrazyMax 6fef143dbc
Set buildx as default builder
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-02-03 10:38:05 +01:00
Sebastiaan van Stijn 168173a3f1
Use net.JoinHostPort() to fix formatting with IPv6 addresses
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-20 11:05:24 +02:00
Sebastiaan van Stijn 5cd19d1fec
opts: fix potential integer overflow CWE-190, CWE-681
Caught by CodeQL:

> Incorrect conversion of an integer with architecture-dependent bit size
> from strconv.ParseUint to a lower bit size type uint16 without an upper
> bound check.

fixes https://github.com/docker/cli/security/code-scanning/2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-24 01:30:42 +02:00
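The narrowing conversion that CodeQL describes in the commit above, shown beside a bounded parse. This is an added illustration, not code from the commit; the function names and the port-parsing scenario are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
)

// parsePortTruncating (hypothetical name) reproduces the flagged pattern:
// parse at the platform's native width (bitSize 0), then narrow to uint16
// with no upper bound check. Values above 65535 wrap modulo 65536.
func parsePortTruncating(s string) (uint16, error) {
	v, err := strconv.ParseUint(s, 10, 0)
	if err != nil {
		return 0, err
	}
	return uint16(v), nil // CWE-190 / CWE-681: silent truncation
}

// parsePortChecked (hypothetical name) asks strconv for a 16-bit result,
// so out-of-range input is rejected with a range error before the
// conversion, and the cast below can no longer lose bits.
func parsePortChecked(s string) (uint16, error) {
	v, err := strconv.ParseUint(s, 10, 16)
	if err != nil {
		return 0, fmt.Errorf("invalid port %q: %w", s, err)
	}
	return uint16(v), nil
}

func main() {
	// Constructed inputs: two valid ports and two values just past the uint16 range.
	for _, in := range []string{"8080", "65535", "65536", "65616"} {
		a, _ := parsePortTruncating(in)
		b, err := parsePortChecked(in)
		fmt.Printf("%-6s truncating=%-5d checked=%-5d err=%v\n", in, a, b, err)
	}
}
```

With the unchecked version, an input that looks like a high port can quietly become a low one, which is why the bound belongs in the parse call rather than after it.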
Tibor Vass 7836597b3d
Merge pull request #2712 from thaJeztah/carry_2660_ulimits
Add ulimits support to docker service and docker stack deploy (carry 2660)
2020-09-10 15:40:25 -04:00
Sebastiaan van Stijn 866e4b10a1
opts/UlimitOpt: sort lists by name
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 11:56:27 +02:00
Sebastiaan van Stijn 23660be600
Service cap-add/cap-drop: add special "RESET" value
This implements a special "RESET" value that can be used to reset the
list of capabilities to add/drop when updating a service.

Given the following service;

| CapDrop        | CapAdd        |
| -------------- | ------------- |
| CAP_SOME_CAP   |               |

When updating the service, and applying `--cap-drop RESET`, the "drop" list
is reset to its default:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
|                |               |

When updating the service, and applying `--cap-drop RESET`, combined with
`--cap-add CAP_SOME_CAP` and `--cap-drop CAP_SOME_OTHER_CAP`:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
| CAP_FOO_CAP    | CAP_SOME_CAP  |

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 11:14:38 +02:00
Sebastiaan van Stijn 190c64b415
Service cap-add/cap-drop: improve handling of combinations and special "ALL" value
When creating and updating services, we need to avoid unneeded service churn.

The interaction of separate lists to "add" and "drop" capabilities, a special
("ALL") capability, as well as a "relaxed" format for accepted capabilities
(case-insensitive, `CAP_` prefix optional) make this rather involved.

This patch updates how we handle `--cap-add` / `--cap-drop` when _creating_ as
well as _updating_, with the following rules/assumptions applied:

- both existing (service spec) and new (values passed through flags or in
  the compose-file) are normalized and de-duplicated before use.
- the special "ALL" capability is equivalent to "all capabilities" and taken
  into account when normalizing capabilities. Combining "ALL" capabilities
  and other capabilities is therefore equivalent to just specifying "ALL".
- adding capabilities takes precedence over dropping, which means that if
  a capability is both set to be "dropped" and to be "added", it is removed
  from the list to "drop".
- the final lists should be sorted and normalized to reduce service churn
- no validation of capabilities is handled by the client. Validation is
  delegated to the daemon/server.

When deploying a service using a docker-compose file, the docker-compose file
is *mostly* handled as being "declarative". However, many of the issues outlined
above also apply to compose-files, so similar handling is applied to compose
files as well to prevent service churn.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 14:38:35 +02:00
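A sketch of the normalization rules listed in the commit above, written as an added example and not taken from docker/cli. Function names are hypothetical, and the precedence rule is applied literally: a capability is removed from the drop list only when the same normalized name is in the add list, so an added "ALL" does not clear individually dropped capabilities here (an assumption, since the message does not spell that case out).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

const allCaps = "ALL"

// normalizeCap applies the relaxed input format from the commit message:
// case-insensitive, with the CAP_ prefix optional.
func normalizeCap(c string) string {
	c = strings.ToUpper(strings.TrimSpace(c))
	if c == allCaps || strings.HasPrefix(c, "CAP_") {
		return c
	}
	return "CAP_" + c
}

// normalizeList de-duplicates and sorts one list. "ALL" absorbs every other
// entry, because "ALL" plus anything is equivalent to just "ALL".
func normalizeList(in []string) []string {
	seen := map[string]bool{}
	for _, c := range in {
		if strings.TrimSpace(c) != "" {
			seen[normalizeCap(c)] = true
		}
	}
	if seen[allCaps] {
		return []string{allCaps}
	}
	out := make([]string, 0, len(seen))
	for c := range seen {
		out = append(out, c)
	}
	sort.Strings(out) // stable order avoids spurious spec changes (service churn)
	return out
}

// effectiveCaps returns the final add and drop lists. Adding takes
// precedence: anything present in both lists is removed from drop.
// No validation of capability names happens here; per the commit
// message, that is delegated to the daemon.
func effectiveCaps(add, drop []string) (capAdd, capDrop []string) {
	capAdd = normalizeList(add)
	added := map[string]bool{}
	for _, c := range capAdd {
		added[c] = true
	}
	capDrop = []string{}
	for _, c := range normalizeList(drop) {
		if !added[c] {
			capDrop = append(capDrop, c)
		}
	}
	return capAdd, capDrop
}

func main() {
	// Constructed flag values mixing case, prefixes and duplicates.
	add, drop := effectiveCaps(
		[]string{"net_admin", "CAP_NET_ADMIN", "sys_time"},
		[]string{"SYS_TIME", "chown", "Chown"})
	fmt.Println("add:", add, "drop:", drop)
}
```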
Sebastiaan van Stijn 83eda5313b
opts: simplify ValidateEnv to use os.LookupEnv
os.LookupEnv() was not available yet at the time this was
implemented, but now provides the functionality we need,
so replacing our custom handling.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-28 18:31:41 +02:00
Sebastiaan van Stijn 973713bc05
ReadKVEnvStrings/ReadKVStrings return nil if empty, and add tests
If no env-vars were loaded from "files", and "overrides" was nil,
the code returned an empty slice instead of a `nil` value.

Also add a test for this function, as no unit test was present yet.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-06-26 16:07:13 +02:00
Sebastiaan van Stijn f88ae74135
Add "host-gateway" to tests for extra_hosts / --add-host
67ebcd6dcf added an exception for
the "host-gateway" magic value to the validation rules, but didn't
add this value to any of the tests.

This patch adds the magic value to tests, to verify the validation
is skipped for this magic value.

Note that validation on the client side is "optional" and mostly
done to provide a more user-friendly error message for regular
values (IP-addresses).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-15 09:52:55 +02:00
Sebastiaan van Stijn fa11032a33
opts: use constants instead of vars for defaults and un-export them
These options should never be changed, so using a const for them
instead of a var. Given that these are only used in the opt
package itself, they can be un-exported.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-10 16:22:21 +02:00
Arko Dasgupta 67ebcd6dcf
Skip IPAddr validation for "host-gateway" string
Relates to - moby/moby 40007
The above PR added support in moby, that detects if
a special string "host-gateway" is added to the IP
section of --add-host, and if true, replaces it with
a special IP value (value of --host-gateway-ip Daemon flag
which defaults to the IP of the default bridge).

This PR is needed to skip the validation for the above
feature

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-27 16:21:33 +01:00
Sebastiaan van Stijn 2c0e93063b
bump gotest.tools v3.0.1 for compatibility with Go 1.14
full diff: https://github.com/gotestyourself/gotest.tools/compare/v2.3.0...v3.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-23 00:28:55 +01:00
Sebastiaan van Stijn 1d6445dc99
opts: fix formatting of comments
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-16 12:48:09 +01:00
Nick Adcock 3baa6d57fa Refactor config and secret tests to table-driven
Refactors the config and secret unit tests to be table driven to remove
duplication

Signed-off-by: Nick Adcock <nick.adcock@docker.com>
2020-01-09 13:38:19 +00:00
Nick Adcock 9698b7a374 Default config/secret target to source name
When using advanced syntax for setting config and secret values, default
the target value to the source value when the user does not specify a
target.

Signed-off-by: Nick Adcock <nick.adcock@docker.com>
2020-01-09 13:38:19 +00:00
Nick Adcock 4c2d7b7f70 Detect single value advanced config/secret syntax
Allow the use of the advanced source=x syntax for config and secret values when there is no comma

Before this change the following would fail with config not found:
	docker service create --name hello1 --config source=myconfig nginx:alpine
And the following would fail with secret not found:
	docker service create --name hello2 --secret source=mysecret nginx:alpine

Signed-off-by: Nick Adcock <nick.adcock@docker.com>
2020-01-09 13:38:19 +00:00
Silvin Lubecki 8547dfcff7
Merge pull request #1803 from thaJeztah/add_ip_address_to_advanced_options
Add ip address to advanced options
2019-12-04 15:16:15 +01:00
Sebastiaan van Stijn c2b069f4db
opts: Using the variable on range scope `tc` in function literal (scopelint)
```
opts/network_test.go:74:35: Using the variable on range scope `tc` in function literal (scopelint)
			assert.NilError(t, network.Set(tc.value))
			                               ^
opts/network_test.go:102:40: Using the variable on range scope `tc` in function literal (scopelint)
			assert.ErrorContains(t, network.Set(tc.value), tc.expectedError)
			                                    ^
opts/opts_test.go:270:30: Using the variable on range scope `tc` in function literal (scopelint)
			val, err := ValidateLabel(tc.value)
			                          ^
opts/opts_test.go:271:7: Using the variable on range scope `tc` in function literal (scopelint)
			if tc.expectedErr != "" {
			   ^
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-31 19:22:41 +01:00
Silvin Lubecki b3d4c6aac7
opts/ulimit_test.go:11:13: composites: `*github.com/docker/cli/vendor/github.com/docker/go-units.Ulimit` composite literal uses unkeyed fields (govet)
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
2019-10-31 19:22:15 +01:00
Silvin Lubecki 296297190c
opts/throttledevice.go:51:5: SA4003: unsigned values are never < 0 (staticcheck)
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-31 19:21:55 +01:00
Sebastiaan van Stijn de1523d221
Adjust tests for changes in Go 1.12.8 / 1.11.13
For now, just verifying that an error is returned, but not checking the
error message itself, because those are not under our control, and may
change with different Go versions.

```
=== Failed
=== FAIL: opts TestParseDockerDaemonHost (0.00s)
    hosts_test.go:87: tcp tcp:a.b.c.d address expected error "Invalid bind address format: tcp:a.b.c.d" return, got "parse tcp://tcp:a.b.c.d: invalid port \":a.b.c.d\" after host" and addr
    hosts_test.go:87: tcp tcp:a.b.c.d/path address expected error "Invalid bind address format: tcp:a.b.c.d/path" return, got "parse tcp://tcp:a.b.c.d/path: invalid port \":a.b.c.d\" after host" and addr

=== FAIL: opts TestParseTCP (0.00s)
    hosts_test.go:129: tcp tcp:a.b.c.d address expected error Invalid bind address format: tcp:a.b.c.d return, got parse tcp://tcp:a.b.c.d: invalid port ":a.b.c.d" after host and addr
    hosts_test.go:129: tcp tcp:a.b.c.d/path address expected error Invalid bind address format: tcp:a.b.c.d/path return, got parse tcp://tcp:a.b.c.d/path: invalid port ":a.b.c.d" after host and addr
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-14 10:04:43 +02:00
Sebastiaan van Stijn 70d8e0b867
Add ip and ip6 to advanced network syntax
This allows setting the ip/ipv6 address as an option in the
advanced `--network` syntax;

```
docker run --network name=mynetwork,ip=172.20.88.22,ip6=2001:db8::8822
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-03 17:03:34 +02:00
Sebastiaan van Stijn 5bc09639cc
Refactor network parsing, add preliminary support for multiple networks
This refactors the way networking options are parsed, and makes the
client able to pass options for multiple networks. Currently, the
daemon does not yet accept multiple networks when creating a container,
and will produce an error.

For backward-compatibility, the following global networking-related
options are associated with the first network (in case multiple
networks are set);

  - `--ip`
  - `--ip6`
  - `--link`
  - `--link-local-ip`
  - `--network-alias`

Not all of these options are supported yet in the advanced notation,
but for options that are supported, setting both the per-network option
and the global option will produce a "conflicting options" error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-03 16:42:57 +02:00
Sebastiaan van Stijn a88d17c2a4
Minor touch-ups in network-option tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-03 16:31:08 +02:00
Abhinandan Prativadi c4844b1fdd
Cli change to pass driver specific options to docker run
The commit contains cli changes to support driver options for a network in
docker run and docker network connect cli's. The driver-opt, aliases is now
supported in the form of csv as per network option in service commands in
swarm mode since docker/cli#62. This commit extends this support to docker
run command as well.

For docker connect command `--driver-opt` is added to pass driver specific
options for the network the container is connecting to.

Signed-off-by: Abhinandan Prativadi <abhi@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-03 16:30:26 +02:00
Tibor Vass 1ba368a5ac container: --gpus support
Signed-off-by: Tibor Vass <tibor@docker.com>
2019-03-21 20:14:25 +00:00
Sebastiaan van Stijn e5702e000c
Tweak validation messages
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-19 03:17:02 +01:00
Sebastiaan van Stijn f2424bd375
Fix labels copying value from environment variables
This patch fixes a bug where labels use the same behavior as `--env`, resulting
in a value to be copied from environment variables with the same name as the
label if no value is set (i.e. a simple key, no `=` sign, no value).

An earlier pull request addressed similar cases for `docker run`;
2b17f4c8a8, but this did not address the
same situation for (e.g.) `docker service create`.

Digging in history for this bug, I found that use of the `ValidateEnv`
function for labels was added in the original implementation of the labels feature in
abb5e9a077 (diff-ae476143d40e21ac0918630f7365ed3cR34)

However, the design never intended it to expand environment variables,
and use of this function was due to either a "copy/paste" of the
equivalent `--env` flags, or a misunderstanding (the name `ValidateEnv` does
not communicate that it also expands environment variables), and the existing
`ValidateLabel` was designed for _engine_ labels (which required a value to
be set).

Following the initial implementation, other parts of the code followed
the same (incorrect) approach, therefore leading the bug to be introduced
in services as well.

This patch:

- updates the `ValidateLabel` to match the expected validation
  rules (this function is no longer used since 31dc5c0a9a,
  and the daemon has its own implementation)
- corrects various locations in the code where `ValidateEnv` was used instead of `ValidateLabel`.

Before this patch:

```bash
export SOME_ENV_VAR=I_AM_SOME_ENV_VAR
docker service create --label SOME_ENV_VAR --tty --name test busybox

docker service inspect --format '{{json .Spec.Labels}}' test
{"SOME_ENV_VAR":"I_AM_SOME_ENV_VAR"}
```

After this patch:

```bash
export SOME_ENV_VAR=I_AM_SOME_ENV_VAR
docker service create --label SOME_ENV_VAR --tty --name test busybox

docker container inspect --format '{{json .Config.Labels}}' test
{"SOME_ENV_VAR":""}
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-03-19 03:01:57 +01:00
Akihiro Suda a7b5f2df86 support --mount type=bind,bind-nonrecursive,...
Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2019-01-10 12:07:46 +09:00
Lifubang 2431dd1448 set default schema to tcp for docker host
Signed-off-by: Lifubang <lifubang@acmcoder.com>
2018-10-16 10:32:03 +08:00
Kir Kolyshkin 906c2d161a gofmt with go-1.11
gofmt/goimports changed some heuristics in 1.11 and the code is now
formatted slightly differently.

No functional change, just whitespace.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2018-10-11 01:54:38 -07:00
Tibor Vass faeb8bb571 build: change --console=[auto,false,true] to --progress=[auto,plain,tty]
This changes the experimental --console flag to --progress following
feedback indicating avoidable confusion.

In addition to naming changes, the help output now has an additional
clarification, specifically: container output during builds are only
shown when progress output is set to plain. Not mentioning this was also
a big cause of confusion.

Signed-off-by: Tibor Vass <tibor@docker.com>
2018-08-07 18:18:13 +00:00
Vincent Demeester 55edeb497a
Migrate to non-deprecated functions of `api/types/filters`
- Use `Contains` instead of `Include`
- Use `ToJSON` instead of `ToParam`
- Remove usage of `ParseFlag` as it is deprecated too

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-07-27 15:37:43 +02:00
Vincent Demeester 9e71207327
Merge pull request #1019 from ktomk/fix-env-file
import environment variables that are present
2018-07-16 13:41:29 +02:00
Vincent Demeester 2634562119
Merge pull request #1102 from sfluor/1074-fix-mapping-a-range-of-host-ports-to-a-single-container-port
Fix mapping a range of host ports to a single container port
2018-07-06 14:41:00 +02:00
Tom Klingenberg b91fd12996 add test for zero length variable name
parsing an environment file should give an error in case a zero-length
variable name (definition w/o a variable name) is encountered.

previously these lines went through unnoticed not informing the user about
a potential configuration error.

Signed-off-by: Tom Klingenberg <tklingenberg@lastflood.net>
2018-07-02 07:52:02 +02:00
Tom Klingenberg 96c026eb30 import environment variables that are present
previously docker did import environment variables if they were present
but created them if they were not when it was asked via a --env-file
cli option to import but not create them.

fix is to only import the variable into the environment if it is present.

additionally do not import variable names of zero-length (which are lines
w/ a potential variable definition w/o a variable name).

refs:

- https://github.com/docker/for-linux/issues/284

Signed-off-by: Tom Klingenberg <tklingenberg@lastflood.net>
2018-07-02 07:37:12 +02:00
Tom Klingenberg 1e89745704 add test for undefined variable environment file import
test to show current behavior is wrong at parsing an environment file
defining an undefined variable - it must not be defined!

NOTE: this test assumes the $HOME variable is always set (see POSIX, this
      normally is the case, e.g. the test suite remains stable).

Signed-off-by: Tom Klingenberg <tklingenberg@lastflood.net>
2018-07-02 07:33:44 +02:00
Andrew Hsu 2daec78609
Merge pull request #1111 from tiborvass/experimental-buildkit
Support for experimental BuildKit
2018-06-13 18:21:41 -07:00
Tibor Vass 5a103e1844 build: change --no-console to --console=[true|false|auto]
Signed-off-by: Tibor Vass <tibor@docker.com>
2018-06-13 21:07:11 +00:00
Sami Tabet 63e5c29e00 Fix mapping a range of host ports to a single container port
Signed-off-by: Sami Tabet <salph.tabet@gmail.com>
2018-06-12 11:54:02 +02:00
Vincent Demeester 2c4de4fb5e
Update tests to use gotest.tools 👼
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2018-06-08 18:24:26 +02:00
Sebastiaan van Stijn 363335ec9b
Warn when using host-ip for published ports
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2018-04-21 12:49:47 -07:00
Daniel Nephin e15b208e96 Convert assert.Check(t, is.Error()) to assert.Error
git grep -l -P '^\s+assert\.Check\(t, is\.Error\(' | \
    xargs perl -pi -e 's/^(\s+assert\.)Check\(t, is\.Error\((.*)\)$/\1Error(t, \2/'

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-06 16:00:28 -05:00
Daniel Nephin 078cbc9c4b Convert assert.Check with
git grep -l -P '^\s+assert\.Check\(t, ' | \
    xargs perl -pi -e 's/^(\s+assert)\.Check(\(t, (?!is).*(\.Execute\(|\.Set\(|\.Write\(|\.Close\(|\.Untar\(|\.WriteFile\(|Validate\().*\)$)/\1.NilError\2/'

Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-06 15:43:53 -05:00