From 00bc43b1672e662e5e3b8cecd79e67fc968fa246 Mon Sep 17 00:00:00 2001
From: David Lord
Date: Tue, 14 May 2019 13:43:22 -0700
Subject: [PATCH] unique debugger pin in Docker containers
---
 CHANGES.rst | 2 ++
 src/werkzeug/debug/__init__.py | 13 +++++++++++++
 2 files changed, 15 insertions(+)
diff --git a/CHANGES.rst b/CHANGES.rst
index 87033da6a..70dbab9da 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -20,6 +20,8 @@ Unreleased
 (:issue:`1510`)
 - The debugger detects cycles in chained exceptions and does not time out in that case. (:issue:`1536`)
+- When running the development server in Docker, the debugger security
+ pin is now unique per container.
 Version 0.15.2
diff --git a/src/werkzeug/debug/__init__.py b/src/werkzeug/debug/__init__.py
index c5e4d2d5b..9195c79aa 100644
--- a/src/werkzeug/debug/__init__.py
+++ b/src/werkzeug/debug/__init__.py
@@ -67,6 +67,19 @@ def get_machine_id():
 return rv
 def _generate():
+ # docker containers share the same machine id, get the
+ # container id instead
+ try:
+ with open("/proc/self/cgroup") as f:
+ value = f.readline()
+ except IOError:
+ pass
+ else:
+ value = value.strip().partition("/docker/")[2]
+
+ if value:
+ return value
+
 # Potential sources of secret information on linux. The machine-id
 # is stable across boots, the boot id is not
 for filename in "/etc/machine-id", "/proc/sys/kernel/random/boot_id":
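Review bot: The early `return value` in `_generate` makes the container id the only machine-specific input to the pin, replacing the machine-id/boot-id instead of adding to it. The id comes from `/proc/self/cgroup`, which is typically readable by every process in the container, so it would be safer to keep it as an extra component and combine it with the machine-id found by the loop below rather than returning. Only the first cgroup line and the literal `/docker/` segment are checked, so other runtimes or cgroup layouts silently fall back to the shared machine-id; a comment such as `# only the first cgroup line and a "/docker/" path are recognised; anything else falls back to machine-id` would make that limit visible. The rest of `_generate` lies outside this hunk, so how the returned value is consumed is inferred.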