diff --git a/CHANGELOG.md b/CHANGELOG.md
index cdfb27b2d5bb4..4fb49a8cc2a36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,76 @@ information on the list of deprecated flags and APIs please have a look at https://docs.docker.com/engine/deprecated/ where target removal dates can also be found. +## 1.12.6 (2017-01-10) + +**IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm +based installs (which includes RHEL, Fedora, CentOS, and Oracle Linux 7). When +upgrading from an older version of docker, the upgrade process may not +automatically install the updated version of the unit file, or fail to start +the docker service if; + +- the systemd unit file (`/usr/lib/systemd/system/docker.service`) contains local changes, or +- a systemd drop-in file is present, and contains `-H fd://` in the `ExecStart` directive + +Starting the docker service will produce an error: + + Failed to start docker.service: Unit docker.socket failed to load: No such file or directory. + +or + + no sockets found via socket activation: make sure the service was started by systemd. + +To resolve this: + +- Backup the current version of the unit file, and replace the file with the + [version that ships with docker 1.12](https://raw.githubusercontent.com/docker/docker/v1.12.0/contrib/init/systemd/docker.service.rpm) +- Remove the `Requires=docker.socket` directive from the `/usr/lib/systemd/system/docker.service` file if present +- Remove `-H fd://` from the `ExecStart` directive (both in the main unit file, and in any drop-in files present). + +After making those changes, run `sudo systemctl daemon-reload`, and `sudo +systemctl restart docker` to reload changes and (re)start the docker daemon. + +**NOTE**: Docker 1.12.5 will correctly validate that either an IPv6 subnet is provided or +that the IPAM driver can provide one when you specify the `--ipv6` option. 
+ +If you are currently using the `--ipv6` option _without_ specifying the +`--fixed-cidr-v6` option, the Docker daemon will refuse to start with the +following message: + +```none +Error starting daemon: Error initializing network controller: Error creating + default "bridge" network: failed to parse pool request + for address space "LocalDefault" pool " subpool ": + could not find an available, non-overlapping IPv6 address + pool among the defaults to assign to the network +``` + +To resolve this error, either remove the `--ipv6` flag (to preserve the same +behavior as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the +value of the `--fixed-cidr-v6` flag. + +In a similar way, if you specify the `--ipv6` flag when creating a network +with the default IPAM driver, without providing an IPv6 `--subnet`, network +creation will fail with the following message: + +```none +Error response from daemon: failed to parse pool request for address space + "LocalDefault" pool "" subpool "": could not find an + available, non-overlapping IPv6 address pool among + the defaults to assign to the network +``` + +To resolve this, either remove the `--ipv6` flag (to preserve the same behavior +as in Docker 1.12.3 and earlier), or provide an IPv6 subnet as the value of the +`--subnet` flag. + +The network network creation will instead succeed if you use an external IPAM driver +which supports automatic allocation of IPv6 subnets. + +### Runtime + +- Fix runC privilege escalation (CVE-2016-9962) + ## 1.12.5 (2016-12-15) **IMPORTANT**: Docker 1.12 ships with an updated systemd unit file for rpm diff --git a/Dockerfile b/Dockerfile index ea15ae46c49db..40ab8ffbd659d 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -242,7 +242,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index 6e5f48307e828..abbb71ab917f4 100644 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -181,7 +181,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index aa587a75b57d5..a1269c83d9e20 100644 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -190,7 +190,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/Dockerfile.gccgo b/Dockerfile.gccgo index a032c51304d6a..9f79ce45501ea 100644 --- a/Dockerfile.gccgo +++ b/Dockerfile.gccgo @@ -74,7 +74,7 @@ WORKDIR /go/src/github.com/docker/docker ENV DOCKER_BUILDTAGS apparmor seccomp selinux # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/Dockerfile.ppc64le b/Dockerfile.ppc64le index 746344730f8cb..fdce4eb649a3d 100644 --- a/Dockerfile.ppc64le +++ b/Dockerfile.ppc64le 
@@ -195,7 +195,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/Dockerfile.s390x b/Dockerfile.s390x index 6382c82c7cf3a..346afa839356b 100644 --- a/Dockerfile.s390x +++ b/Dockerfile.s390x @@ -197,7 +197,7 @@ RUN set -x \ && rm -rf "$GOPATH" # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/Dockerfile.simple b/Dockerfile.simple index 07edadd0ce65c..8aeb6e681c193 100644 --- a/Dockerfile.simple +++ b/Dockerfile.simple @@ -57,7 +57,7 @@ ENV GOPATH /go:/go/src/github.com/docker/docker/vendor ENV CGO_LDFLAGS -L/lib # Install runc -ENV RUNC_COMMIT f59ba3cdd76fdc08c004f42aa915996f6f420899 +ENV RUNC_COMMIT 50a19c6ff828c58e5dab13830bd3dacde268afe5 RUN set -x \ && export GOPATH="$(mktemp -d)" \ && git clone https://github.com/docker/runc.git "$GOPATH/src/github.com/opencontainers/runc" \ diff --git a/VERSION b/VERSION index e0a6b34fb0aa0..456e5c4ad803e 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.12.5 +1.12.6 diff --git a/docs/reference/commandline/deploy.md b/docs/reference/commandline/deploy.md index 34cf39882f310..b0aed6f6eb0f8 100644 --- a/docs/reference/commandline/deploy.md +++ b/docs/reference/commandline/deploy.md @@ -52,4 +52,3 @@ axqh55ipl40h vossibility-stack_vossibility-collector 1 icecrime/vossibility-co * [stack config](stack_config.md) * [stack deploy](stack_deploy.md) * [stack rm](stack_rm.md) -* [stack tasks](stack_tasks.md) diff --git a/docs/reference/commandline/login.md b/docs/reference/commandline/login.md index 7fe8d6a43e1ac..647284636722d 100644 
--- a/docs/reference/commandline/login.md +++ b/docs/reference/commandline/login.md @@ -29,7 +29,7 @@ adding the server name. `docker login` requires user to use `sudo` or be `root`, except when: 1. connecting to a remote daemon, such as a `docker-machine` provisioned `docker engine`. -2. user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](/security/security/#docker-daemon-attack-surface) for details. +2. user is added to the `docker` group. This will impact the security of your system; the `docker` group is `root` equivalent. See [Docker Daemon Attack Surface](/engine/security/security/#docker-daemon-attack-surface) for details. You can log into any public or private repository for which you have credentials. When you log in, the command stores encoded credentials in diff --git a/docs/reference/commandline/stack_config.md b/docs/reference/commandline/stack_config.md index bc759c163e661..88b716242a7e6 100644 --- a/docs/reference/commandline/stack_config.md +++ b/docs/reference/commandline/stack_config.md @@ -26,4 +26,3 @@ Displays the configuration of a stack. * [stack rm](stack_rm.md) * [stack services](stack_services.md) * [stack ps](stack_ps.md) -* [stack ls](stack_ls.md) diff --git a/docs/reference/commandline/stack_deploy.md b/docs/reference/commandline/stack_deploy.md index 51b3e1fc5879c..36bdace74c939 100644 --- a/docs/reference/commandline/stack_deploy.md +++ b/docs/reference/commandline/stack_deploy.md @@ -55,4 +55,3 @@ axqh55ipl40h vossibility-stack_vossibility-collector 1 icecrime/vossibility-co * [stack rm](stack_rm.md) * [stack services](stack_services.md) * [stack ps](stack_ps.md) -* [stack ls](stack_ls.md) diff --git a/docs/reference/commandline/stack_rm.md b/docs/reference/commandline/stack_rm.md index 60aca06f9d171..361c0b3c32ca9 100644 --- a/docs/reference/commandline/stack_rm.md +++ b/docs/reference/commandline/stack_rm.md 
@@ -29,4 +29,3 @@ a manager node. * [stack deploy](stack_deploy.md) * [stack services](stack_services.md) * [stack ps](stack_ps.md) -* [stack ls](stack_ls.md) diff --git a/docs/reference/commandline/stack_services.md b/docs/reference/commandline/stack_services.md index a1a2ec07ef7a4..032f816529633 100644 --- a/docs/reference/commandline/stack_services.md +++ b/docs/reference/commandline/stack_services.md @@ -60,4 +60,3 @@ The currently supported filters are: * [stack deploy](stack_deploy.md) * [stack rm](stack_rm.md) * [stack ps](stack_ps.md) -* [stack ls](stack_ls.md) diff --git a/docs/understanding-docker.md b/docs/understanding-docker.md index 08efa688f848d..ea758261509b4 100644 --- a/docs/understanding-docker.md +++ b/docs/understanding-docker.md @@ -208,8 +208,8 @@ existing images and pull them from the registry to a host. [Docker Hub](http://hub.docker.com) is a public Docker registry which serves a huge collection of existing images and allows you to contribute your own. For more information, go to -[Docker Registry](https://docs.docker.com/registry/overview/) and -[Docker Trusted Registry](https://docs.docker.com/docker-trusted-registry/overview/). +[Docker Registry](https://docs.docker.com/registry/) and +[Docker Trusted Registry](https://docs.docker.com/datacenter/dtr/2.0/). [Docker store](http://store.docker.com) allows you to buy and sell Docker images. For image, you can buy a Docker image containing an application or service from diff --git a/hack/vendor.sh b/hack/vendor.sh index a6fc6d29cb913..8ff5972f800a4 100755 --- a/hack/vendor.sh +++ b/hack/vendor.sh 
@@ -102,7 +102,7 @@ clone git github.com/miekg/pkcs11 df8ae6ca730422dba20c768ff38ef7d79077a59f clone git github.com/docker/go v1.5.1-1-1-gbaf439e clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c -clone git github.com/opencontainers/runc f59ba3cdd76fdc08c004f42aa915996f6f420899 https://github.com/docker/runc.git # libcontainer +clone git github.com/opencontainers/runc 50a19c6ff828c58e5dab13830bd3dacde268afe5 https://github.com/docker/runc.git # libcontainer clone git github.com/opencontainers/specs 1c7c27d043c2a5e513a44084d2b10d77d1402b8c # specs clone git github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0 # libcontainer deps (see src/github.com/opencontainers/runc/Godeps/Godeps.json) diff --git a/integration-cli/docker_cli_daemon_test.go b/integration-cli/docker_cli_daemon_test.go index 7508f9fc678f6..1fd35e2842633 100644 --- a/integration-cli/docker_cli_daemon_test.go +++ b/integration-cli/docker_cli_daemon_test.go 
@@ -2717,3 +2717,35 @@ func (s *DockerDaemonSuite) TestRunWithRuntimeFromCommandLine(c *check.C) {
 out, err = s.d.Cmd("run", "--rm", "--runtime=runc", "busybox", "ls")
 c.Assert(err, check.IsNil, check.Commentf(out))
 }
+
+// #29598
+func (s *DockerDaemonSuite) TestRestartPolicyWithLiveRestore(c *check.C) {
+ testRequires(c, SameHostDaemon, DaemonIsLinux)
+ c.Assert(s.d.StartWithBusybox("--live-restore"), check.IsNil)
+
+ out, err := s.d.Cmd("run", "-d", "--restart", "always", "busybox", "top")
+ c.Assert(err, check.IsNil, check.Commentf("Output: %s", out))
+ id := strings.TrimSpace(out)
+
+ c.Assert(s.d.Restart("--live-restore"), check.IsNil)
+
+ c.Assert(s.d.waitRun(id), check.IsNil)
+
+ pid, err := s.d.Cmd("inspect", "-f", "{{.State.Pid}}", id)
+ c.Assert(err, check.IsNil)
+ pidint, err := strconv.Atoi(strings.TrimSpace(pid))
+ c.Assert(err, check.IsNil)
+ c.Assert(syscall.Kill(pidint, syscall.SIGKILL), check.IsNil)
+
+ // This test is only for v1.12 and only checks that killing of a process
+ // doesn't cause a panic. Actual issue is fixed in v1.13 with a proper test.
+ calls := 0
+ for range time.NewTicker(500 * time.Millisecond).C {
+ out, err := s.d.inspectFilter(id, "json .Id")
+ c.Assert(err, checker.IsNil, check.Commentf(out))
+ calls++
+ if calls >= 10 {
+ break
+ }
+ }
+}
diff --git a/libcontainerd/client_linux.go b/libcontainerd/client_linux.go
index 39b0999d3f4ec..1ea8922020bf4 100644
--- a/libcontainerd/client_linux.go
+++ b/libcontainerd/client_linux.go
@@ -424,6 +424,7 @@ func (clnt *client) restore(cont *containerd.Container, lastEvent *containerd.Ev
 container := clnt.newContainer(cont.BundlePath, options...)
 container.systemPid = systemPid(cont)
+ container.attachStdio = attachStdio
 var terminal bool
 for _, p := range cont.Processes {
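Review bot: In TestRestartPolicyWithLiveRestore the value parsed from `{{.State.Pid}}` goes straight into `syscall.Kill(pidint, syscall.SIGKILL)` with no check that it is positive. Inspect reports a pid of 0 for a container that is not running, and kill(2) with pid 0 signals the caller's whole process group, so a race with the restart policy could kill the test runner instead of the container; add `c.Assert(pidint, checker.GreaterThan, 0)` before the kill. The ticker created inline in `for range time.NewTicker(500 * time.Millisecond).C` is never stopped, so bind it to a variable and `defer ticker.Stop()`. The loop only asserts that inspect keeps answering, so a comment stating that a daemon panic would surface as an inspect error would make the purpose of the ten iterations explicit.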
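Review bot: The new `container.attachStdio = attachStdio` assignment in `restore` (and the same line added to `Restore` in the next hunk) carries no comment saying why a restored container needs the callback, and nothing visible guards against the callback being nil. Judging by the accompanying test (#29598), the field is presumably read when a live-restored container with a restart policy is started again, so a one-line comment such as `// keep the stdio callback so a restart of this restored container can reattach its streams (#29598)` would record that. The two restore paths patch the container field by field after `clnt.newContainer(...)`; setting the callback in one shared place would keep them from drifting apart again. Both function bodies start and end outside their hunks, so the sites that call `attachStdio` are not visible here.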
@@ -596,6 +597,7 @@ func (clnt *client) Restore(containerID string, attachStdio StdioCallback, optio
 w := clnt.getOrCreateExitNotifier(containerID)
 clnt.lock(cont.Id)
 container := clnt.newContainer(cont.BundlePath)
+ container.attachStdio = attachStdio
 container.systemPid = systemPid(cont)
 clnt.appendContainer(container)
 clnt.unlock(cont.Id)