full diff: 153d0769a1...026aabaa65
- Fix 'failed to get network during CreateEndpoint'
- log error instead if disabling IPv6 router advertisement failed
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- relates to moby/buildkit 1111
- relates to moby/buildkit 1079
- relates to docker/buildx 129
full diff: 9461782956...e31b211e4f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e7183dbfe9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes sure that we don't become vulnerable to CVE-2018-17419 or
CVE-2019-19794 in the future. While we are not currently vulnerable to
either, there is a risk that a PR could be made which uses one of the
vulnerable methods in the future, so it's worth going ahead and updating
to ensure that a simple PR that would easily pass code review doesn't
lead to a vulnerability.
Signed-off-by: Sam Whited <sam@samwhited.com>
also updates libnetwork to d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23
full diff:
3eb39382bf...d9a6682a4d
- docker/libnetwork#2482 [19.03 backport] Shorten controller ID in exec-root to not hit UNIX_PATH_MAX
- docker/libnetwork#2483 [19.03 backport] Fix panic in drivers/overlay/encryption.go
Signed-off-by: Grant Millar <rid@cylo.io>
(cherry picked from commit df7b8f458a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously we were re-using schema2.DeserializedManifest to handle oci
manifests. The issue lies in the fact that distribution started
validating the media type string during json deserialization. This
change broke our usage of that type.
Instead distribution now provides direct support for oci schemas, so use
that instead of our custom handlers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e443512ce4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change caused a regression, causing the DOCKER-USER chain
to not be created, despite iptables being enabled on the daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The patch made in docker/libnetwork#2450 caused a breaking change in the
networking behaviour, causing Kubernetes installations on Docker Desktop
(and possibly other setups) to fail.
Rolling back this change in the 19.03 branch while we investigate if there
are alternatives.
diff: 45c710223c...96bcc0dae8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: bbe341867e...f35d9100f2
changes included:
- docker/swarmkit#2891 [19.03 backport] Remove hardcoded IPAM config subnet value for ingress network
- backport of docker/swarmkit#2890 Remove hardcoded IPAM config subnet value for ingress network
- fixes [ENGORC-2651] Specifying --default-addr-pool for docker swarm init is not picked up by ingress network
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 09cdcc8c0e...92d1fbe1eb
relevant changes included (omitting some changes that were added _and_ reverted in this bump):
- docker/libnetwork#2433 Fix parseIP error when parseIP before get AddressFamily
- fixes docker/libnetwork#2431 parseIP Error ip=[172 17 0 2 0 0 0 0 0 0 0 0 0 0 0 0]
- https://github.com/docker/libnetwork/issues/2289
- this was a regression introduced in docker/libnetwork#2416 Fix hardcoded AF_INET for IPv6 address handling
- docker/libnetwork#2440 Bump hashicorp go-sockaddr v1.0.2, go-multierror v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bab58c1924)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diffs:
- fc5a7d91d5...62a13ae87c
- b2de5d10e3...v1.0.0
- 604eaf189e...13995c7128ccc8e51e9a6bd2b551020a27180abd
notable changes in libnetwork:
- docker/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- docker/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
- addresses docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
- addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
- addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- docker/libnetwork#2394 Make DNS records and queries case-insensitive
- addresses moby/moby#28689 Embedded DNS is case-sensitive
- addresses moby/moby#21169 hostnames with new networking are case-sensitive
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 344b093258)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 961ec3a56b...4fb9e961ab
included:
- docker/swarmkit#2873 [19.03 backport] Only update non-terminal tasks on node removal
- backport of docker/swarmkit#2867 Only update non-terminal tasks on node removal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverts the change to swarmkit that made all updates set UpdateStatus to
Completed
Signed-off-by: Drew Erny <drew.erny@docker.com>
(cherry picked from commit c7d9599e3d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 9ff9b57c34...5ac07abef4
brings in:
- docker/libnetwork#2376 Forcing a nil IP specified in PortBindings to IPv4zero (0.0.0.0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a66ddd8ab8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 48f846327b...9ff9b57c34
- docker/libnetwork#2368 (windows) Pick a random host port if the user does not specify a host port
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 18e7e58ea1...59163bf75d
- Add missing return when configuring VXLAN port
- Prevent possible panic in cnmallocator.IsAttachmentAllocated()
- update github.com/pivotal-golang/clock
- new name for package: code.cloudfoundry.org/clock
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
relevant changes:
- swarmkit#2815 Extension and resource API declarations
- swarmkit#2816 Moving swap options into `ResourceRequirements` instead of `ContainerSpec`s
- relates to moby#37872
- swarmkit#2821 allocator: use a map for network-IDs to prevent O(n2)
- swarmkit#2832 [api] Add created object to return types for extension and resource create apis
- swarmkit#2831 [controlapi] Extension api implementation
- swarmkit#2835 Resource controlapi Implementation
- swarmkit#2802 Use custom gRPC dialer to override default proxy dialer
- addresses moby#35395 Swarm worker cannot connect to master if proxy is configured
- addresses moby#issues/36951 Swarm nodes cannot join as masters if http proxy is set
- relates to swarmkit#2419 Provide custom gRPC dialer to override default proxy dialer
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This brings in a single fix; swarmkit#2813 where a field inadvertently
used incorrect capitalization.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Full diff: 8af8c420f4...1a0ebd43b2
relevant changes:
- swarmkit#2771 Allow using Configs as CredentialSpecs
- swarmkit#2804 Make Service.UpdateStatus non-ambiguous
- swarmkit#2805 Refactor condition in restart supervisor
- swarmkit#2780 api: add BindOptions.NonRecursive
- related to moby#38003
- swarmkit#2790 Fix possible panic if NetworkConfig is nil
- swarmkit#2797 Include old error-message for backward compatibility
- related to swarmkit#2779 / moby#38140 / moby#38142
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- DSR support for linux
- increase max DNS pending query from 100->1024
- DNS to handle NXDOMAIN, REFUSED
diff:
20461b8539...d7b61745d1
Signed-off-by: Flavio Crisciani <flavio.crisciani@docker.com>