delta/docker.git/daemon/container_linux.go, branch master github.com: dotcloud/docker.git container: split security options to a SecurityOptions struct 2023-04-28T22:03:37+00:00 Sebastiaan van Stijn github@gone.nl 2023-04-14T07:27:20+00:00 3eebf4d1622a0d8fc60f30694ee99d2130db1f4b - Split these options to a separate struct, so that we can handle them in isolation. - Change some tests to use subtests, and improve coverage Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 
- Split these options to a separate struct, so that we can handle them in isolation.
- Change some tests to use subtests, and improve coverage

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
daemon: load and cache sysInfo on initialization 2022-01-12T17:28:15+00:00 Sebastiaan van Stijn github@gone.nl 2022-01-07T11:54:47+00:00 483aa6294b457ad4f60df91e46c0038a0e953dad The `daemon.RawSysInfo()` function can be a heavy operation, as it collects information about all cgroups on the host, networking, AppArmor, Seccomp, etc. While looking at our code, I noticed that various parts in the code call this function, potentially even _multiple times_ per container, for example, it is called from: - `verifyPlatformContainerSettings()` - `oci.WithCgroups()` if the daemon has `cpu-rt-period` or `cpu-rt-runtime` configured - in `ContainerDecoder.DecodeConfig()`, which is called on boith `container create` and `container commit` Given that this information is not expected to change during the daemon's lifecycle, and various information coming from this (such as seccomp and apparmor status) was already cached, we may as well load it once, and cache the results in the daemon instance. This patch updates `daemon.RawSysInfo()` to use a `sync.Once()` so that it's only executed once for the daemon's lifecycle. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 
The `daemon.RawSysInfo()` function can be a heavy operation, as it collects
information about all cgroups on the host, networking, AppArmor, Seccomp, etc.

While looking at our code, I noticed that various parts in the code call this
function, potentially even _multiple times_ per container, for example, it is
called from:

- `verifyPlatformContainerSettings()`
- `oci.WithCgroups()` if the daemon has `cpu-rt-period` or `cpu-rt-runtime` configured
- in `ContainerDecoder.DecodeConfig()`, which is called on boith `container create` and `container commit`

Given that this information is not expected to change during the daemon's
lifecycle, and various information coming from this (such as seccomp and
apparmor status) was already cached, we may as well load it once, and cache
the results in the daemon instance.

This patch updates `daemon.RawSysInfo()` to use a `sync.Once()` so that
it's only executed once for the daemon's lifecycle.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update to Go 1.17.0, and gofmt with Go 1.17 2021-08-24T21:33:27+00:00 Sebastiaan van Stijn github@gone.nl 2021-08-23T13:14:53+00:00 686be57d0a6e514c0cddb2f3ac9cbb3cbef87f5f Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
daemon: fix capitalization of some functions 2020-04-14T15:22:19+00:00 Sebastiaan van Stijn github@gone.nl 2019-08-09T10:33:15+00:00 5d040cbd163a8c5b78ac7fa08bbd2d9df6b4790e Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
daemon: normalize comment formatting 2019-11-27T14:43:53+00:00 Sebastiaan van Stijn github@gone.nl 2019-11-27T14:43:53+00:00 f4f56b1197934858b15d7b0548b2821a8e1322e2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
daemon: use constants for AppArmor profiles 2019-10-13T17:16:12+00:00 Sebastiaan van Stijn github@gone.nl 2019-10-12T22:04:44+00:00 a33cf495f2f0ef0b30b943fc9a7e54ec2aaa4c1e Signed-off-by: Sebastiaan van Stijn <github@gone.nl> 
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add canonical import comment 2018-02-05T21:51:57+00:00 Daniel Nephin dnephin@docker.com 2018-02-05T21:05:59+00:00 4f0d95fa6ee7f865597c03b9e63702cdcb0f7067 Signed-off-by: Daniel Nephin <dnephin@docker.com> 
Signed-off-by: Daniel Nephin <dnephin@docker.com>
Move api/errdefs to errdefs 2018-01-12T02:21:43+00:00 Brian Goff cpuguy83@gmail.com 2018-01-11T19:53:06+00:00 d453fe35b9b8b52d0677fe0c3cc8373f2f5d30d0 Signed-off-by: Brian Goff <cpuguy83@gmail.com> 
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Add helpers to create errdef errors 2018-01-12T02:21:43+00:00 Brian Goff cpuguy83@gmail.com 2017-11-29T04:09:37+00:00 87a12421a94faac294079bebc97c8abb4180dde5 Instead of having to create a bunch of custom error types that are doing nothing but wrapping another error in sub-packages, use a common helper to create errors of the requested type. e.g. instead of re-implementing this over and over: ```go type notFoundError struct { cause error } func(e notFoundError) Error() string { return e.cause.Error() } func(e notFoundError) NotFound() {} func(e notFoundError) Cause() error { return e.cause } ``` Packages can instead just do: ``` errdefs.NotFound(err) ``` Signed-off-by: Brian Goff <cpuguy83@gmail.com> 
Instead of having to create a bunch of custom error types that are doing
nothing but wrapping another error in sub-packages, use a common helper
to create errors of the requested type.

e.g. instead of re-implementing this over and over:

```go
type notFoundError struct {
  cause error
}

func(e notFoundError) Error() string {
  return e.cause.Error()
}

func(e notFoundError) NotFound() {}

func(e notFoundError) Cause() error {
  return e.cause
}
```

Packages can instead just do:

```
  errdefs.NotFound(err)
```

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Remove string checking in API error handling 2017-08-15T20:01:11+00:00 Brian Goff cpuguy83@gmail.com 2017-07-19T14:20:13+00:00 ebcb7d6b406fe50ea9a237c73004d75884184c33 Use strongly typed errors to set HTTP status codes. Error interfaces are defined in the api/errors package and errors returned from controllers are checked against these interfaces. Errors can be wraeped in a pkg/errors.Causer, as long as somewhere in the line of causes one of the interfaces is implemented. The special error interfaces take precedence over Causer, meaning if both Causer and one of the new error interfaces are implemented, the Causer is not traversed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> 
Use strongly typed errors to set HTTP status codes.
Error interfaces are defined in the api/errors package and errors
returned from controllers are checked against these interfaces.

Errors can be wraeped in a pkg/errors.Causer, as long as somewhere in the
line of causes one of the interfaces is implemented. The special error
interfaces take precedence over Causer, meaning if both Causer and one
of the new error interfaces are implemented, the Causer is not
traversed.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>