Merge pull request moby#1 from aliyun-fc/rebase-docker

Rebase docker

CHANGELOG.md

@@ -5,6 +5,76 @@ information on the list of deprecated flags and APIs please have a look at
 https://docs.docker.com/engine/deprecated/ where target removal dates can also
 be found.
 
+## 1.12.6 (2017-01-10)
+
+**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm
+based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When
+upgrading from an older version of docker, the upgrade process may not
+automatically install the updated version of the unit file, or fail to start
+the docker service if;
+
+- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or
+- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive
+
+Starting the docker service will produce an error:
+
+    Failed to start docker.service: Unit docker.socket failed to load: No such file or directory.
+
+or
+
+    no sockets found via socket activation: make sure the service was started by systemd.
+
+To resolve this:
+
+- Backup the current version of the unit file, and replace the file with the
+  [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm)
+- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present
+- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present).
+
+After making those changes, run `sudo systemctl daemon-reload`, and `sudo
+systemctl restart docker` to reload changes and (re)start the docker daemon.
+
+**NOTE**: Docker 1.12.5 will correctly validate that either an IPv6 subnet is provided or
+that the IPAM driver can provide one when you specify the `--ipv6` option.
+
+If you are currently using the `--ipv6` option _without_ specifying the
+`--fixed-cidr-v6` option, the Docker daemon will refuse to start with the
+following message:
+
+```none
+Error starting daemon: Error initializing network controller: Error creating
+                       default "bridge" network: failed to parse pool request
+                       for address space "LocalDefault" pool " subpool ":
+                       could not find an available, non-overlapping IPv6 address
+                       pool among the defaults to assign to the network
+```
+
+To resolve this error, either remove the `--ipv6` flag (to preserve the same
+behavior as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the
+value of the `--fixed-cidr-v6` flag.
+
+In a similar way, if you specify the `--ipv6` flag when creating a network
+with the default IPAM driver, without providing an IPv6 `--subnet`, network
+creation will fail with the following message:
+
+```none
+Error response from daemon: failed to parse pool request for address space
+                            "LocalDefault" pool "" subpool "": could not find an
+                            available, non-overlapping IPv6 address pool among
+                            the defaults to assign to the network
+```
+
+To resolve this, either remove the `--ipv6` flag (to preserve the same behavior
+as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the value of the
+`--subnet` flag.
+
+The network network creation will instead succeed if you use an external IPAM driver
+which supports automatic allocation of IPv6 subnets.
+
+### Runtime
+
+- Fix runC privilege escalation (CVE-2016-9962)
+
 ## 1.12.5 (2016-12-15)
 
 **IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm

Dockerfile

@@ -242,7 +242,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

Dockerfile.aarch64

@@ -181,7 +181,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

Dockerfile.armhf

@@ -190,7 +190,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

Dockerfile.gccgo

@@ -74,7 +74,7 @@ WORKDIR /go/src/github.com/docker/docker
 ENV DOCKER_BUILDTAGS apparmor seccomp selinux
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
     && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

Dockerfile.ppc64le

@@ -195,7 +195,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

Dockerfile.s390x

@@ -197,7 +197,7 @@ RUN set -x \
 	&& rm -rf "$GOPATH"
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

Dockerfile.simple

@@ -57,7 +57,7 @@ ENV GOPATH /go:/go/src/github.com/docker/docker/vendor
 ENV CGO_LDFLAGS -L/lib
 
 # Install runc
-ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899
+ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5
 RUN set -x \
 	&& export GOPATH="$(mktemp -d)" \
 	&& git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \

VERSION

@@ -1 +1 @@
-1.12.5
+1.12.6

docs/reference/commandline/deploy.md

@@ -52,4 +52,3 @@ axqh55ipl40h  vossibility-stack_vossibility-collector  1 icecrime/vossibility-co
 * [stack config](stack_config.md)
 * [stack deploy](stack_deploy.md)
 * [stack rm](stack_rm.md)
-* [stack tasks](stack_tasks.md)

docs/reference/commandline/login.md

@@ -29,7 +29,7 @@ adding the server name.
 `docker login` requires user to use `sudo` or be `root`, except when:
 
 1.  connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`.
-2.  user is added to the `docker` group.  This will impact the security of your system; the `docker` group is `root` equivalent.  See [Docker Daemon Attack Surface](/security/security/#docker-daemon-attack-surface) for details.
+2.  user is added to the `docker` group.  This will impact the security of your system; the `docker` group is `root` equivalent.  See [Docker Daemon Attack Surface](/engine/security/security/#docker-daemon-attack-surface) for details.
 
 You can log into any public or private repository for which you have
 credentials.  When you log in, the command stores encoded credentials in

docs/reference/commandline/stack_config.md

@@ -26,4 +26,3 @@ Displays the configuration of a stack.
 * [stack rm](stack_rm.md)
 * [stack services](stack_services.md)
 * [stack ps](stack_ps.md)
-* [stack ls](stack_ls.md)

docs/reference/commandline/stack_deploy.md

@@ -55,4 +55,3 @@ axqh55ipl40h  vossibility-stack_vossibility-collector  1 icecrime/vossibility-co
 * [stack rm](stack_rm.md)
 * [stack services](stack_services.md)
 * [stack ps](stack_ps.md)
-* [stack ls](stack_ls.md)

docs/reference/commandline/stack_rm.md

@@ -29,4 +29,3 @@ a manager node.
 * [stack deploy](stack_deploy.md)
 * [stack services](stack_services.md)
 * [stack ps](stack_ps.md)
-* [stack ls](stack_ls.md)

docs/reference/commandline/stack_services.md

@@ -60,4 +60,3 @@ The currently supported filters are:
 * [stack deploy](stack_deploy.md)
 * [stack rm](stack_rm.md)
 * [stack ps](stack_ps.md)
-* [stack ls](stack_ls.md)

docs/understanding-docker.md

@@ -208,8 +208,8 @@ existing images and pull them from the registry to a host.
 [Docker Hub](http://hub.docker.com) is a public Docker
 registry which serves a huge collection of existing images and allows you to
 contribute your own. For more information, go to
-[Docker Registry](https://docs.docker.com/registry/overview/) and
-[Docker Trusted Registry](https://docs.docker.com/docker-trusted-registry/overview/).
+[Docker Registry](https://docs.docker.com/registry/) and
+[Docker Trusted Registry](https://docs.docker.com/datacenter/dtr/2.0/).
 
 [Docker store](http://store.docker.com) allows you to buy and sell Docker images.
 For image, you can buy a Docker image containing an application or service from

hack/vendor.sh

@@ -102,7 +102,7 @@ clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f
 clone git github.com/docker/go v1.5.1-1-1-gbaf439e
 clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
 
-clone git github.com/opencontainers/runc f59ba3cdd76fdc08c004f42aa915996f6f420899 https://github.com/docker/runc.git # libcontainer
+clone git github.com/opencontainers/runc 50a19c6ff828c58e5dab13830bd3dacde268afe5 https://github.com/docker/runc.git # libcontainer
 clone git github.com/opencontainers/specs 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs
 clone git github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0
 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json)

integration-cli/docker_cli_daemon_test.go

@@ -2717,3 +2717,35 @@ func (s *DockerDaemonSuite) TestRunWithRuntimeFromCommandLine(c *check.C) {
 	out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
 	c.Assert(err, check.IsNil, check.Commentf(out))
 }
+
+// #29598
+func (s *DockerDaemonSuite) TestRestartPolicyWithLiveRestore(c *check.C) {
+	testRequires(c, SameHostDaemon, DaemonIsLinux)
+	c.Assert(s.d.StartWithBusybox("--live-restore"), check.IsNil)
+
+	out, err := s.d.Cmd("run", "-d", "--restart", "always", "busybox", "top")
+	c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+	id := strings.TrimSpace(out)
+
+	c.Assert(s.d.Restart("--live-restore"), check.IsNil)
+
+	c.Assert(s.d.waitRun(id), check.IsNil)
+
+	pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", id)
+	c.Assert(err, check.IsNil)
+	pidint, err := strconv.Atoi(strings.TrimSpace(pid))
+	c.Assert(err, check.IsNil)
+	c.Assert(syscall.Kill(pidint, syscall.SIGKILL), check.IsNil)
+
+	// This test is only for v1.12 and only checks that killing of a process
+	// doesn't cause a panic. Actual issue is fixed in v1.13 with a proper test.
+	calls := 0
+	for range time.NewTicker(500 * time.Millisecond).C {
+		out, err := s.d.inspectFilter(id, "json .Id")
+		c.Assert(err, checker.IsNil, check.Commentf(out))
+		calls++
+		if calls >= 10 {
+			break
+		}
+	}
+}

libcontainerd/client_linux.go

@@ -424,6 +424,7 @@ func (clnt *client) restore(cont *containerd.Container, lastEvent *containerd.Ev
 
 	container := clnt.newContainer(cont.BundlePath, options...)
 	container.systemPid = systemPid(cont)
+	container.attachStdio = attachStdio
 
 	var terminal bool
 	for _, p := range cont.Processes {
@@ -596,6 +597,7 @@ func (clnt *client) Restore(containerID string, attachStdio StdioCallback, optio
 	w := clnt.getOrCreateExitNotifier(containerID)
 	clnt.lock(cont.Id)
 	container := clnt.newContainer(cont.BundlePath)
+	container.attachStdio = attachStdio
 	container.systemPid = systemPid(cont)
 	clnt.appendContainer(container)
 	clnt.unlock(cont.Id)