Commit graph

46888 commits

Author SHA1 Message Date
Sebastiaan van Stijn
077208287b
Merge pull request #46106 from thaJeztah/fix_filter_errors
api/types/filters: fix errors not being matched by errors.Is()
2023-07-29 03:20:01 +02:00
Sebastiaan van Stijn
9200c6be90
Merge pull request #46108 from thaJeztah/driver_scopes
libnetwork: move datastore Scope consts to libnetwork/scope
2023-07-28 23:40:32 +02:00
Sebastiaan van Stijn
6ec03d6745
libnetwork: move datastore Scope consts to libnetwork/scope
The "Capability" type defines DataScope and ConnectivityScope fields,
but their value was set from consts in the datastore package, which
required importing that package and its dependencies for the consts
only.

This patch:

- Moves the consts to a separate "scope" package
- Adds aliases for the consts in the datastore package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 21:56:48 +02:00
Sebastiaan van Stijn
6f2e0fac19
Merge pull request #46086 from thaJeztah/split_discoverapi
libnetwork/driverapi: make discoverAPI an optional part of the interface
2023-07-28 18:09:52 +02:00
Sebastiaan van Stijn
fca38bcd0a
libnetwork/driverapi: make discoverAPI an optional part of the interface
Most drivers do not implement this, so detect if a driver implements
the discoverAPI, and remove the implementation from drivers that do
not support it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 17:16:00 +02:00
Sebastiaan van Stijn
70e620f791
Merge pull request #46101 from thaJeztah/libnetwork_remote_concrete_type
libnetwork/remote: newDriver(): return concrete type
2023-07-28 17:14:52 +02:00
Sebastiaan van Stijn
490fee7d45
api/types/filters: fix errors not being matched by errors.Is()
I found that the errors returned weren't matched with `errors.Is()` when
wrapped.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 17:07:41 +02:00
Sebastiaan van Stijn
0d76fc431a
libnetwork/remote: newDriver(): return concrete type
Interface matching will happen on the receiver side.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 12:52:38 +02:00
Sebastiaan van Stijn
b2bde4a7d8
Merge pull request #46090 from thaJeztah/cleanup_TestLinuxParseMountRawSplit
volume/mounts: cleanup tests
2023-07-28 11:12:04 +02:00
Sebastiaan van Stijn
0e0c725224
Merge pull request #45511 from xpivarc/capabilites
Do not drop effective&permitted set
2023-07-28 01:17:43 +02:00
Sebastiaan van Stijn
ed9cd96bdb
Merge pull request #46083 from akerouanton/move-libnet-testutils
tests: Move libnetwork/testutils to internal/testutils/netnsutils
2023-07-27 20:35:42 +02:00
Bjorn Neergaard
1bbc9d1ae4
Merge pull request #46091 from thaJeztah/windows_fix_service_register
windows: fix --register-service when executed from within binary directory
2023-07-27 12:04:02 -06:00
Albin Kerouanton
2870559b2c
Merge pull request #45649 from akerouanton/allow-all-ipv6-icc
libnet/d/bridge: Allow IPv6 ICC from any IP address
2023-07-27 19:41:55 +02:00
Sebastiaan van Stijn
597ab901b9
Merge pull request #46079 from vvoland/c8d-missing-config
c8d/container: Follow snapshot parents for size calculation
2023-07-27 18:08:56 +02:00
Sebastiaan van Stijn
3e8fda0a70
windows: fix --register-service when executed from within binary directory
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows.

This issue was not limited to the go command itself, and could also affect binaries
that use `os.Command`, `os.LookPath`, etc.

From the related blogpost (https://blog.golang.org/path-security):

> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing

At time of the go1.15 release, the Go team considered changing the behavior of
`os.LookPath()` and `exec.LookPath()` to be a breaking change, and made the
behavior "opt-in" by providing the `golang.org/x/sys/execabs` package as a
replacement.

However, for the go1.19 release, this changed, and the default behavior of
`os.LookPath()` and `exec.LookPath()` was changed. From the release notes:
https://go.dev/doc/go1.19#os-exec-path

> Command and LookPath no longer allow results from a PATH search to be found
> relative to the current directory. This removes a common source of security
> problems but may also break existing programs that depend on using, say,
> exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe)
> in the current directory. See the os/exec package documentation for information
> about how best to update such programs.
>
> On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath
> environment variable, making it possible to disable the default implicit search
> of “.” in PATH lookups on Windows systems.

A result of this change was that registering the daemon as a Windows service
no longer worked when done from within the directory of the binary itself:

    C:\> cd "Program Files\Docker\Docker\resources"
    C:\Program Files\Docker\Docker\resources> dockerd --register-service
    exec: "dockerd": cannot run executable found relative to current directory

Note that using an absolute path would work around the issue:

    C:\Program Files\Docker\Docker>resources\dockerd.exe --register-service

This patch changes `registerService()` to use `os.Executable()`, instead of
depending on `os.Args[0]` and `exec.LookPath()` for resolving the absolute
path of the binary.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-27 16:20:49 +02:00
Sebastiaan van Stijn
d69b1fdb72
volume/mounts: cleanup tests
- don't use un-keyed structs
- user assert.Check where possible
- use consts for fixed values

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-27 15:00:13 +02:00
Sebastiaan van Stijn
10aff57b26
Merge pull request #46037 from AkihiroSuda/rro-remove-short
volume: remove the short RRO forms in favor of the long forms
2023-07-27 14:11:30 +02:00
Sebastiaan van Stijn
198ba185c7
Merge pull request #46081 from vvoland/c8d-refreshimage-refactor
daemon/list: Refactor refreshImage and make `readConfig` return errdefs
2023-07-27 13:52:51 +02:00
Albin Kerouanton
da9e44a620
libnet/d/bridge: Allow IPv6 ICC from any IP address
IPv6 ipt rules are exactly the same as IPv4 rules, although both
protocol don't use the same networking model. This has bad consequences,
for instance: 1. the current v6 rules disallow Neighbor
Solication/Advertisement ; 2. multicast addresses can't be used ; 3.
link-local addresses are blocked too.

To solve this, this commit changes the following rules:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
```

into:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c   -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64   -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP
```

These rules only limit the traffic ingressing/egressing the bridge, but
not traffic between veth on the same bridge.

Note that, the Kernel takes care of dropping invalid IPv6 packets, eg.
loopback spoofing, thus these rules don't need to be more specific.

Solve #45460.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-27 10:56:08 +02:00
Sebastiaan van Stijn
c30c3f94c7
Merge pull request #46041 from thaJeztah/datastore_remove_libkv
libnetwork: remove most of kvstore
2023-07-26 22:27:28 +02:00
Albin Kerouanton
31d09f6ee9
testutils: move Logger interface to testutils
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-26 21:16:09 +02:00
Albin Kerouanton
492c09276d
tests: Move libnetwork/testutils to internal/testutils/netnsutils
We don't want to maintain backward compatibility for this package, so
better make it an internal.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-26 21:06:36 +02:00
Paweł Gronowski
13180c1c49
daemon/list: Drop unused arg from containerReducer
refreshImage is the only function used as a reducer and it doesn't use
the `filter *listContext`.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-26 17:28:12 +02:00
Paweł Gronowski
68991ae240
daemon/list: Refactor refreshImage
Add context comments and make it a bit more readable.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-26 17:28:10 +02:00
Sebastiaan van Stijn
7a44e4cde0
Merge pull request #46034 from rumpl/c8d-image-list
c8d: Various images/json API fixes
2023-07-26 16:50:27 +02:00
Djordje Lukic
e5cffc07b3
c8d: Fix TestImagesFilterMultiReference
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-07-26 14:34:42 +02:00
Djordje Lukic
1d8108b009
c8d: images/json, add image labels to the response
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-07-26 14:33:22 +02:00
Djordje Lukic
a0bba26919
c8d: Populate RepoTags instead of adding a new image to the list
Aggregate same images into one object and add the list of tags pointing
to it to the RepoTags array

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-07-26 14:33:20 +02:00
Djordje Lukic
ad2760ec80
integration: Move image filter tests to integration
- use assert.Check to continue the test even if a check fails
- assert the total number of images returned, not only their RepoTags
- use subtests

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-07-26 14:33:16 +02:00
Paweł Gronowski
4d8e3f54cc
c8d/container: Follow snapshot parents for size calculation
Refactor GetContainerLayerSize to calculate unpacked image size only by
following the snapshot parent tree directly instead of following it by
using diff ids from image config.

This works even if the original manifest/config used to create that
container is no longer present in the content store.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-26 14:15:15 +02:00
Bjorn Neergaard
427f95c4e6
Merge pull request #45978 from thaJeztah/client_docs_touch_up
client: touch-up docs, cleanup some tests, and minor refactoring
2023-07-26 05:55:46 -06:00
Paweł Gronowski
5a39bee635
daemon/list: Replace ErrImageDoesNotExist check
Check for generic `errdefs.NotFound` rather than specific error helper
struct when checking if the error is caused by the image not being
present.
It still works for `ErrImageDoesNotExist` because it
implements the NotFound errdefs interface too.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-26 13:40:04 +02:00
Paweł Gronowski
7379d18018
c8d/readConfig: Translate c8d NotFound to errdefs
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-26 13:40:02 +02:00
Sebastiaan van Stijn
536e3692c6
Merge pull request #46017 from thaJeztah/pkg_plugin_cleanup
pkg/plugins: some cleaning up (step 1)
2023-07-26 02:10:36 +02:00
Sebastiaan van Stijn
5fe05d3eeb
Merge pull request #46053 from thaJeztah/network_backend_remove_FindNetwork
api/server/router/network: remove unused Backend.FindNetwork
2023-07-25 23:16:02 +02:00
Sebastiaan van Stijn
02dc5ea720
libnetwork/datastore: remove Store.KVStore()
It's no longer used, so we can remove it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:42:17 +02:00
Sebastiaan van Stijn
0f7bf67f83
pkg/plugins: TestGet(): use sub-tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:38 +02:00
Sebastiaan van Stijn
e1ad4aa002
pkg/plugins: make package-level socketsPath var a LocalRegistry field
This variable was only accessed from within LocalRegistry methods, but
due to being a package-level variable, tests had to deal with setting
and resetting it.

Move it to be a field scoped to the LocalRegistry. This simplifies the
tests, and to make this more transparent, also removing the "Setup()"
helper (which, wasn't marked as a t.Helper()).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:37 +02:00
Sebastiaan van Stijn
5bd44cf3c4
pkg/plugins: remove "load()" function
It was used in a single place and was abstracting "loadWithRetry";
let's just inline it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:37 +02:00
Sebastiaan van Stijn
77c03221c9
pkg/plugins/transport: remove RequestFactory interface
The client's transport can only be set by newClientWithTransport, which
is not exported, and always uses a transport.HTTPTransport.

However, requestFactory is mocked in one of the tests, so keep the interface,
but make it a local, non-exported one.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:37 +02:00
Sebastiaan van Stijn
d12ec5f796
pkg/plugins/transport: remove unused Transport interface
The interface is not consumed anywhere, and only non-exported functions
produced one, so we can remove it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:37 +02:00
Sebastiaan van Stijn
dfd331b2c8
pkg/plugins/transport: export httpTransport, and return concrete type
Make NewHTTPTransport return a concrete type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:37 +02:00
Sebastiaan van Stijn
77103c7c03
pkg/plugins/transport: inline newHTTPRequest
It was only used in a single location; just inline the code

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:37 +02:00
Sebastiaan van Stijn
4af4adc7ba
pkg/plugins: remove LocalRegistry.SpecsPaths()
This field was exported, but never mutated outside of the package, and
effectively a rather "creative" way to define a method on LocalRegistry.

While un-exporting also store these paths in a field, instead of constructing
them on every call, as the results won't change during the lifecycle of the
LocalRegistry.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:36 +02:00
Sebastiaan van Stijn
a44c25c2f1
pkg/plugins: split exported from implementation
Split the exported SpecsPaths from the platform-specific implementations,
so that documentation can be maintained in a single location.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:38:11 +02:00
Sebastiaan van Stijn
954d50b88a
plg/plugins: rename vars that collided, or poorly cased
Reduce some noise while reading the code in my IDE :)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:35:43 +02:00
Sebastiaan van Stijn
20889dbac6
pkg/plugins: move Plugin.ScopedPath to platform-agnostic file
Since 0e5eaf8ee3, these implementations
were fully identical, so removing the duplicate, and move it to a
platform-agnostic file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:35:40 +02:00
Sebastiaan van Stijn
a5ee0d6af8
libnetwork: don't access KVStore directly in tests
Test the datastore, not the KVStore backing it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:21:03 +02:00
Sebastiaan van Stijn
b378669836
libnetwork/datastore: don't access KVStore directly in tests
Test the datastore, not the KVStore backing it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:20:21 +02:00
Sebastiaan van Stijn
65978e6982
libnetwork/datastore: cleanup tests
- use gotest.tools assertions
- use consts and struct-literals where possible
- use assert.Check instead of t.Fatal() where possible
- fix some unhandled errors

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 22:20:21 +02:00