Commit Graph

8445 Commits

Author SHA1 Message Date
Sebastiaan van Stijn f19e31afe2
docs: add link to linux kernel source code for capabilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 16:22:41 +02:00
Sebastiaan van Stijn 72a357858c
docs: resize capabilities table
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 16:22:38 +02:00
Silvin Lubecki 3191903ca4
Merge pull request #2723 from thaJeztah/update_caps_docs_and_completion
Update documentation on capabilities, and add missing CAP_AUDIT_READ
2020-09-16 16:17:58 +02:00
Sebastiaan van Stijn 5b035964c4
Bash-completion: add CAP_AUDIT_READ
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:47:19 +02:00
Sebastiaan van Stijn 884a5ffbdf
docs: document CAP_AUDIT_READ
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:46:09 +02:00
Sebastiaan van Stijn 4e58c29513
docs: document optional "CAP_" prefix for capabilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:32:04 +02:00
Sebastiaan van Stijn 5bbdcd1c9d
docs: sort list of capabilities alphabetically
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-16 15:26:20 +02:00
Jennings Zhang 185d71262a
Subcommand `docker manifest rm`
Squashed commit of the following:

commit b9ef85e74833ba405f68cfc20989c69d64bac4e9
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Mon Sep 14 21:39:57 2020 -0400

    Fix bash completion

    https://github.com/docker/cli/pull/2449#pullrequestreview-488110510
    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit 8c46bd6e6ed151bb43865c8b1d79c00fd62e4345
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Sun Sep 13 01:48:12 2020 -0400

    Add tests for docker manifest rm

    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit 7e3d9a9bc60e44d96953093fa0b1bc3397ca7813
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Sun Sep 13 00:55:37 2020 -0400

    docker manifest rm multiple args

    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit 30466e28d28f6722053c5a232e99ddbae8222715
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Sun Sep 13 00:01:20 2020 -0400

    No need to search before Remove

    https://github.com/docker/cli/pull/2449#discussion_r485544044
    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit ccdc4ed0a620cf8c9ec6ecc6804d1a45f7c61be5
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Sat Sep 12 23:42:41 2020 -0400

    Completion should also handle --help

    https://github.com/docker/cli/pull/2449#discussion_r443140909
    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit ed260afa71a4f8feb6550f79692e47ad7430d786
Merge: 46c61d85e9 2955ece024
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Sat Sep 12 23:31:54 2020 -0400

    Merge branch 'master' into manifest-rm

commit 46c61d85e973cc9fdd28d42db9ecebe373e9b942
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Fri Apr 17 21:53:33 2020 -0400

    Remove extra space

    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit 6d31d26c10e8d395ab08561cdb9b29829bb4bd91
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Fri Apr 17 21:15:21 2020 -0400

    Bash completion for `docker manifest rm`

    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

commit 3c8c843deb2f751a5f51ee6fcaa75da2a4525d99
Author: Jennings Zhang <jenni_zh@protonmail.com>
Date:   Fri Apr 17 21:05:50 2020 -0400

    Frankenstein a `docker manifest rm` command

    Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>

Signed-off-by: Jennings Zhang <jenni_zh@protonmail.com>
2020-09-15 16:26:47 -04:00
Silvin Lubecki e0eba83bdd
Merge pull request #2714 from albers/completion-ulimits
Improve bash completion for ulimits
2020-09-14 14:02:55 +02:00
Silvin Lubecki dbb2a52a74
Merge pull request #2716 from thaJeztah/update_git_remote_description
docs/build: add note about git subdirectories with BuildKit
2020-09-14 12:24:57 +02:00
Sebastiaan van Stijn b4db7e38bc
docs/build: add note about git subdirectories with BuildKit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-14 11:36:55 +02:00
Harald Albers 1e864920ac Improve bash completion for ulimits
This adds bash completion for limits after

- docker service create --ulimit
- docker service update --ulimit-add
- docker service update --ulimit-rm
- docker container create --ulimit
- docker container run --ulimit
- docker build --ulimit
- dockerd --default-ulimit

Signed-off-by: Harald Albers <github@albersweb.de>
2020-09-12 16:04:24 +02:00
Silvin Lubecki 2955ece024
Merge pull request #2713 from thaJeztah/update_circleci
CircleCI: update to docker 19.03.12
2020-09-11 17:06:41 +02:00
Sebastiaan van Stijn 57326f5e6d
CircleCI: update to docker 19.03.12
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-11 16:44:02 +02:00
Tibor Vass cec8723d8c
Merge pull request #2656 from thaJeztah/bump_buildkit
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
2020-09-10 17:43:42 -04:00
Tibor Vass 7836597b3d
Merge pull request #2712 from thaJeztah/carry_2660_ulimits
Add ulimits support to docker service and docker stack deploy (carry 2660)
2020-09-10 15:40:25 -04:00
Sebastiaan van Stijn 1778ffbb18
Merge pull request #2709 from thaJeztah/service_caps_reset
Service cap-add/cap-drop: add special "RESET" value
2020-09-10 15:22:41 +02:00
Albin Kerouanton 940907951b
Support ulimits in docker stack deploy
This is related to moby/moby 40639.

Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 14:59:02 +02:00
Albin Kerouanton a9158bdc50
Add ulimits option to docker service create/update/inspect
This is related to moby/moby 40639.

Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 14:41:33 +02:00
Sebastiaan van Stijn 866e4b10a1
opts/UlimitOpt: sort lists by name
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 11:56:27 +02:00
Sebastiaan van Stijn 23660be600
Service cap-add/cap-drop: add special "RESET" value
This implements a special "RESET" value that can be used to reset the
list of capabilities to add/drop when updating a service.

Given the following service;

| CapDrop        | CapAdd        |
| -------------- | ------------- |
| CAP_SOME_CAP   |               |

When updating the service, and applying `--cap-drop RESET`, the "drop" list
is reset to its default:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
|                |               |

When updating the service, and applying `--cap-drop RESET`, combined with
`--cap-add CAP_SOME_CAP` and `--cap-drop CAP_SOME_OTHER_CAP`:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
| CAP_FOO_CAP    | CAP_SOME_CAP  |

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-10 11:14:38 +02:00
Sebastiaan van Stijn 7edc00d808
vendor: buildkit 4d1f260e8490ec438ab66e08bb105577aca0ce06
full diff: df35e9818d...4d1f260e84

- moby/buildkit#1551 session: track sessions with a group construct
- moby/buildkit#1534 secrets: allow providing secrets with env
- moby/buildkit#1533 git: support for token authentication
- moby/buildkit#1549 progressui: fix logs time formatting

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 15:19:02 +02:00
Silvin Lubecki 60abe967b5
Merge pull request #2711 from thaJeztah/bump_engine
vendor: bump docker/docker, docker/swarmkit, and dependencies
2020-09-09 15:08:53 +02:00
Sebastiaan van Stijn ed339fa5c1
vendor: update prometheus deps to match docker/docker
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:57:00 +02:00
Sebastiaan van Stijn 338e83837b
vendor: github.com/golang/protobuf v1.3.5
full diff: https://github.com/golang/protobuf/compare/v1.3.3...v1.3.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:09:42 +02:00
Sebastiaan van Stijn 038cc46f88
vendor: github.com/containerd/cgroups 318312a373405e5e91134d8063d04d59768a1bff
full diff: 44306b6a1d...318312a373

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:08:01 +02:00
Sebastiaan van Stijn 9968ccafe8
vendor: github.com/containerd/containerd v1.4.0-rc.1
full diff: c80284d4b5...v1.4.0-rc.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:58 +02:00
Sebastiaan van Stijn 5468092784
vendor: opencontainers/runc v1.0.0-rc92
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc10...v1.0.0-rc92

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:56 +02:00
Sebastiaan van Stijn dbe2f594ed
vendor: golang.org/x/sys ed371f2e16b4b305ee99df548828de367527b76b
full diff: 85ca7c5b95...ed371f2e16

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:54 +02:00
Sebastiaan van Stijn e70e756053
vendor golang.org/x/net v0.0.0-20200707034311-ab3426394381
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:52 +02:00
Sebastiaan van Stijn 1c3a97b0ff
vendor golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:50 +02:00
Sebastiaan van Stijn 9f0658fb02
vendor: github.com/gorilla/mux v1.8.0
full diff: https://github.com/gorilla/mux/compare/v1.7.4...v1.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:48 +02:00
Sebastiaan van Stijn 47980a7e49
vendor: github.com/docker/docker f50a40e889fdaeebf14fce1d494f95e60092d21d
full diff: 0f41a77c69...f50a40e889

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:46 +02:00
Sebastiaan van Stijn 0bb70223bd
vendor: github.com/docker/swarmkit d6592ddefd8a5319aadff74c558b816b1a0b2590
full diff: 035d564a36...d6592ddefd

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-09 14:07:44 +02:00
Silvin Lubecki c84ed28d44
Merge pull request #2703 from despreston/des/build-man-fixes
man/docker-build.1:fix --memory-swamp & --network, removing = b/w opts & values
2020-09-09 13:27:16 +02:00
Brian Goff 164802973e
Merge pull request #2687 from thaJeztah/carry_service_caps
[carry 2663] Add capabilities support to stack/service commands
2020-09-08 12:06:27 -07:00
Sebastiaan van Stijn 551ac136e0
Merge pull request #2706 from albers/completion-capabilities-variants
Complete capabilites with and without "CAP_" prefix.
2020-09-08 15:00:50 +02:00
Sebastiaan van Stijn 95037299cb
Service cap-add/cap-drop: handle updates as "tri-state"
Adding/removing capabilities when updating a service is considered a tri-state;

- if the capability was previously "dropped", then remove it from "CapabilityDrop",
  but do NOT add it to "CapabilityAdd". However, if the capability was not yet in
  the service's "CapabilityDrop", then simply add it to the service's "CapabilityAdd"
- likewise, if the capability was previously "added", then remove it from
  "CapabilityAdd", but do NOT add it to "CapabilityDrop". If the capability was
  not yet in the service's "CapabilityAdd", then simply add it to the service's
  "CapabilityDrop".

In other words, given a service with the following:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
| CAP_SOME_CAP   |               |

When updating the service, and applying `--cap-add CAP_SOME_CAP`, the previously
dropped capability is removed:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
|                |               |

When updating the service a second time, applying `--cap-add CAP_SOME_CAP`,
capability is now added:

| CapDrop        | CapAdd        |
| -------------- | ------------- |
|                | CAP_SOME_CAP  |

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 14:42:39 +02:00
Sebastiaan van Stijn 190c64b415
Service cap-add/cap-drop: improve handling of combinations and special "ALL" value
When creating and updating services, we need to avoid unneeded service churn.

The interaction of separate lists to "add" and "drop" capabilities, a special
("ALL") capability, as well as a "relaxed" format for accepted capabilities
(case-insensitive, `CAP_` prefix optional) make this rather involved.

This patch updates how we handle `--cap-add` / `--cap-drop` when  _creating_ as
well as _updating_, with the following rules/assumptions applied:

- both existing (service spec) and new (values passed through flags or in
  the compose-file) are normalized and de-duplicated before use.
- the special "ALL" capability is equivalent to "all capabilities" and taken
  into account when normalizing capabilities. Combining "ALL" capabilities
  and other capabilities is therefore equivalent to just specifying "ALL".
- adding capabilities takes precedence over dropping, which means that if
  a capability is both set to be "dropped" and to be "added", it is removed
  from the list to "drop".
- the final lists should be sorted and normalized to reduce service churn
- no validation of capabilities is handled by the client. Validation is
  delegated to the daemon/server.

When deploying a service using a docker-compose file, the docker-compose file
is *mostly* handled as being "declarative". However, many of the issues outlined
above also apply to compose-files, so similar handling is applied to compose
files as well to prevent service churn.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 14:38:35 +02:00
Albin Kerouanton c6ec4e081e
service: Add --cap-add & --cap-drop to service cmds
Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
2020-09-08 14:24:55 +02:00
Olli Janatuinen 0db61ff6da
stack: Support cap_add and cap_drop on services
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
2020-09-08 14:24:52 +02:00
Silvin Lubecki ad16982544
Merge pull request #2696 from thaJeztah/multistage_dockerfile
Refactor / cleanup Dockerfile.dev
2020-09-08 11:07:25 +02:00
Sebastiaan van Stijn 01cd748eb6
Dockerfile: use experimental syntax and buildkit cache-mounts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:30:18 +02:00
Sebastiaan van Stijn 3aee35037a
Makefile: use --mount instead of -v for docker socket
The shorthand `-v` will auto-create the host-path as a directory if
the socket is not yet up, instead of failing the container. To prevent
accidental creation of `/var/run/docker.sock` as a directory, use
the `--mount` flag instead, which does not auto-create host-paths.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:27:14 +02:00
Sebastiaan van Stijn ab72cc923c
Dockerfile: use bash as default command, remove DOCKER_CLI_SHELL
Bash is installed already, so we might as well use it as a default.

This also removes the DOCKER_CLI_SHELL variable, which  was added
in  b039db985a to allow using bash
instead of (a)sh. Now that Bash is the default, there should be
no need to override, and we can keep things simple.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:27:12 +02:00
Sebastiaan van Stijn 7c66213f82
Dockerfile: build gotestsum from source
Building form source is slower, but will support other architectures, such as arm64

Before:

     => [gotestsum 1/2] ADD https://github.com/gotestyourself/gotestsum/releases/download/v0.4.0/gotestsum_0.4.0_linux_amd64.tar.gz gotestsum.tar.gz  2.3s
     => [gotestsum 2/2] RUN tar -xf gotestsum.tar.gz gotestsum -C /go/bin                                                                             1.8s

After:

    => [gotestsum 1/1] RUN go get gotest.tools/gotestsum@v0.4.0                                                                                       13.0s

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:27:06 +02:00
Sebastiaan van Stijn 01d6d2e7a7
Dockerfile: refactor to use multi-stage build
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-09-08 10:25:22 +02:00
Harald Albers 015cb98846 Complete capabilites with and without "CAP_" prefix.
Signed-off-by: Harald Albers <github@albersweb.de>
2020-09-04 11:09:16 +02:00
Des Preston 8df7a9364f man/docker-build.1:fix --memory-swamp and --network, removing = between long-form opts and values
Signed-off-by: Des Preston <despreston@gmail.com>
2020-09-01 12:11:21 -04:00
Silvin Lubecki ed8ce81d58
Merge pull request #2699 from thaJeztah/reduce_table_width
formatter: reduce minimum width for columns in table-view
2020-09-01 10:11:18 +02:00