Commit graph

43525 commits

Author SHA1 Message Date
Sebastiaan van Stijn
8f4d85801f
Merge pull request #42874 from thaJeztah/fix_TestVerifyPlatformContainerResources
daemon: fix TestVerifyPlatformContainerResources not capturing variable
2021-10-21 21:12:33 +02:00
Sebastiaan van Stijn
4bc9b91704
Merge pull request #42940 from thaJeztah/update_docker_py
CI: update docker-py to 5.0.3
2021-10-21 21:10:26 +02:00
Sebastiaan van Stijn
872c64cd66
Merge pull request #42862 from dkkb/feature/zstd_with_skippable_frame
compression: support zstd with skippable frame
2021-10-21 20:29:12 +02:00
Sebastiaan van Stijn
693697bdda
Merge pull request #42951 from crazy-max/build-local-normalized
buildkit: normalize build target and local platform
2021-10-20 10:05:28 +02:00
Sebastiaan van Stijn
0c887404a8
daemon: fix TestVerifyPlatformContainerResources not capturing variable
This test runs with t.Parallel() _and_ uses subtests, but didn't capture
the `tc` variable, which potentialy (likely) makes it test the same testcase
multiple times.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-20 09:57:54 +02:00
Sebastiaan van Stijn
3e5e7a6de3
CI: update docker-py to 5.0.3
full diff: https://github.com/docker/docker-py/compare/5.0.0...5.0.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-20 09:57:11 +02:00
Sebastiaan van Stijn
c87b9416df
Merge pull request #42933 from thaJeztah/limit_caps_to_environment
oci/caps: limit available capabilities to current environment
2021-10-20 09:55:08 +02:00
CrazyMax
b4e056d556 buildkit: normalize build target and local platform
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2021-10-19 17:11:06 +02:00
Sebastiaan van Stijn
6f6b9d2e67
Merge pull request #42903 from akhramov/feature/port-testutil-daemon
Port testutil/daemon to FreeBSD
2021-10-19 13:05:02 +02:00
Sebastiaan van Stijn
9f5490dfd1
Merge pull request #42943 from kevpar/update-winio
vendor: Update go-winio to v0.5.1
2021-10-18 17:02:53 +02:00
Sebastiaan van Stijn
921658af95
Merge pull request #42946 from uddmorningsun/master
dockerd-rootless.sh: Fix variable not double quotes cause unexpected behavior
2021-10-18 09:41:18 +02:00
Chenyang Yan
a8ce4d47c3 dockerd-rootless.sh: Fix variable not double quotes cause unexpected behavior
```
$ cat test.sh

echo "orign value=$XDG_RUNTIME_DIR"

echo "1. with [ ] not quote ..."
[ -w $XDG_RUNTIME_DIR ]
echo "get 1 ret_code: $?"

echo "2. with [ ] and quote ..."
[ -w "$XDG_RUNTIME_DIR" ]
echo "get 2 ret_code: $?"

$ sh ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1

$ bash ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1
```

Signed-off-by: Chenyang Yan <memory.yancy@gmail.com>
2021-10-18 00:11:03 +08:00
Artem Khramov
8f1b2a0fd3
Port testutil/daemon to FreeBSD
testutil/daemon uses a generic unix implementation that assumes that
the host OS supports cgroups & network namespaces, which is not the
case for FreeBSD.

This change adds a FreeBSD-specific implementation for
`testutil/daemon`, namely for `cleanupNetworkNamespace` and
`CgroupNamespace` functions.

Signed-off-by: Artem Khramov <akhramov@pm.me>
2021-10-16 09:51:55 +03:00
Kevin Parsons
59511e1234 vendor: Update go-winio to v0.5.1
Updates go-winio to the latest version. The main important fix here is
to go-winio's backuptar package. This is needed to fix a bug in sparse
file handling in container layers, which was exposed by a recent change
in Windows.

go-winio v0.5.1: https://github.com/microsoft/go-winio/releases/tag/v0.5.1

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
2021-10-15 14:33:34 -07:00
Sebastiaan van Stijn
311ec0d77f
Merge pull request #42932 from thaJeztah/resolver_cleanup
libnetwork: some cleanup and logging improvements in resolver
2021-10-15 17:15:10 +02:00
Sebastiaan van Stijn
39b7b32706
Merge pull request #42902 from thaJeztah/update_containerd_1.5.6
Update containerd binary to v1.5.7
2021-10-15 17:13:47 +02:00
Sebastiaan van Stijn
485cf38d48
oci/caps: limit available capabilities to current environment
In situations where docker runs in an environment where capabilities are limited,
sucn as docker-in-docker in a container created by older versions of docker, or
in a container where some capabilities have been disabled, starting a privileged
container may fail, because even though the _kernel_ supports a capability, the
capability is not available.

This patch attempts to address this problem by limiting the list of "known" capa-
bilities on the set of effective capabilties for the current process. This code
is based on the code in containerd's "caps" package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 16:12:26 +02:00
Sebastiaan van Stijn
79d6e935ad
libnetwork: some minor refactoring / cleanup
- don't pass the query's quetion.name separately, as we're already
  passing the query itself.
- remove a "fallthrough" in favor of combining the cases in the switch

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 15:26:15 +02:00
Sebastiaan van Stijn
d86a331fa4
libnetwork: improve consistency in log messages
- Make sure all log messages have the `[resolver]` prefix
- Use `logrus.WithError()` consistently
- Improve information included in some logs

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 12:51:02 +02:00
Sebastiaan van Stijn
fa4a9702be
Update containerd binary to v1.5.7
The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.

Notable Updates:

- Fix insufficiently restricted permissions on container root and plugin directories
  GHSA-c2h3-6mxw-7mvq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 12:48:29 +02:00
Sebastiaan van Stijn
b746a2bf9b
Update containerd binary to v1.5.6
- Install apparmor parser for arm64 and update seccomp to 2.5.1
- Update runc binary to 1.0.2
- Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
- Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
- Add image config labels in CRI container creation
- Fix panic in metadata content writer on copy error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 12:48:26 +02:00
Sebastiaan van Stijn
a80c450fb3
Merge pull request #41935 from alexisries/Issue-41871-Restore-healthcheck-at-dockerd-restart
Resume healthcheck when daemon restarts
2021-10-15 12:46:43 +02:00
Sebastiaan van Stijn
3e152513b2
Merge pull request #42931 from thaJeztah/dont_panic_on_resolv
libnetwork: ServeDNS(): don't panic on unsupported query types
2021-10-15 12:45:31 +02:00
Sebastiaan van Stijn
c6f951681f
Merge pull request #42888 from thaJeztah/update_criu_bullseye
Dockerfile: switch CRIU install to Debian 11 "bullseye" packages
2021-10-15 12:43:51 +02:00
Da McGrady
23abee412b
compression: support zstd with skippable frame
As a matter of fact, there are two frame formats defined by Zstandard: Zstandard frames and Skippable frames.
So we should probably support zstd algorithms with skippable frames.
See https://tools.ietf.org/id/draft-kucherawy-dispatch-zstd-00.html#rfc.section.2 for more details.

Signed-off-by: Da McGrady <dabkb@aol.com>
2021-10-15 17:23:55 +08:00
Sebastiaan van Stijn
1c7a47f709
Dockerfile: switch CRIU install to Debian 11 "bullseye" packages
There's a package repository for Debian 11 "bullseye" now.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-15 10:43:15 +02:00
Sebastiaan van Stijn
c01917acf3
Merge pull request #42936 from thaJeztah/revert_fix_criu_install
revert Dockerfile: CRIU: disable GPG validation, due to expired signing key
2021-10-15 10:32:07 +02:00
Sebastiaan van Stijn
971e03d9bb
Merge pull request #42915 from thaJeztah/registry_cleanup
registry: clean up some v1 code
2021-10-15 10:01:22 +02:00
Sebastiaan van Stijn
13adcfafde
Revert "Dockerfile: CRIU: disable GPG validation, due to expired signing key"
This reverts commit 089a33e7c5.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-14 21:13:06 +02:00
Sebastiaan van Stijn
1d8c3c3cfb
Merge pull request #42922 from thaJeztah/bump_go_1.17.2
Update Go to 1.17.2
2021-10-14 20:48:36 +02:00
Sebastiaan van Stijn
ba16293330
Merge pull request #42907 from thaJeztah/master_forward_port_security_fixes
[master] forward-port security fixes from 20.10.9
2021-10-14 20:43:01 +02:00
Sebastiaan van Stijn
9a09448540
libnetwork: ServeDNS(): don't panic on unsupported query types
This was added in b3c883bb2f, but resulted
in a panic if the embedded DNS had to handle an unsupported query-type,
such as ANY.

This patch adds a debug log for this case (to better describe how it's
handled.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-14 20:17:39 +02:00
Sebastiaan van Stijn
4e6dbb3f5c
Merge pull request #42935 from thaJeztah/fix_criu_install
Dockerfile: CRIU: disable GPG validation, due to expired signing key
2021-10-14 20:08:25 +02:00
Sebastiaan van Stijn
089a33e7c5
Dockerfile: CRIU: disable GPG validation, due to expired signing key
This is a horrible thing to do, but CRIU installed here is only used as
part of our CI / integration tests. We should of course remove this
hack ASAP once the opensuse packagers have set up a new key, but at
least this allows us to unblock CI, which is currently completely
broken:

    ADD --chmod=0644 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/Release.key /etc/apt/trusted.gpg.d/criu.gpg.asc
    RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
        --mount=type=cache,sharing=locked,id=moby-criu-aptcache,target=/var/cache/apt \
             echo 'deb https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10/ /' > /etc/apt/sources.list.d/criu.list \
             && apt-get update \
             && apt-get install -y --no-install-recommends criu \
             && install -D /usr/sbin/criu /build/criu

    Hit:1 http://cdn-fastly.deb.debian.org/debian bullseye InRelease
    Hit:2 http://cdn-fastly.deb.debian.org/debian-security bullseye-security InRelease
    Hit:3 http://cdn-fastly.deb.debian.org/debian bullseye-updates InRelease
    Get:4 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10  InRelease [1540 B]
    Err:4 https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10  InRelease
      The following signatures were invalid: EXPKEYSIG 30A8343A498D5A23 devel:tools OBS Project <devel:tools@build.opensuse.org>
    Reading package lists...
    W: GPG error: https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10  InRelease: The following signatures were invalid: EXPKEYSIG 30A8343A498D5A23 devel:tools OBS Project <devel:tools@build.opensuse.org>
    E: The repository 'https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_10  InRelease' is not signed.

And, checking the signing key (with `apt-key list`):

    /etc/apt/trusted.gpg.d/criu.gpg.asc
    -----------------------------------
    pub   rsa2048 2015-05-03 [SC] [expired: 2021-10-13]
          428E 4E34 8405 CE79 00DB  99C2 30A8 343A 498D 5A23
    uid           [ expired] devel:tools OBS Project <devel:tools@build.opensuse.org>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-14 18:25:22 +02:00
James Sanders
68e3034322 Add an option to specify log format for awslogs driver
Added an option 'awslogs-format' to allow specifying
a log format for the logs sent CloudWatch from the aws log driver.
For now, only the 'json/emf' format is supported.
If no option is provided, the log format header in the
request to CloudWatch will be omitted as before.

Signed-off-by: James Sanders <james3sanders@gmail.com>
2021-10-13 07:38:54 -07:00
Sebastiaan van Stijn
e7fb0c8201
Update Go to 1.17.2
go1.17.2 (released 2021-10-07) includes a security fix to the linker and misc/wasm
directory, as well as bug fixes to the compiler, the runtime, the go command, and
to the time and text/template packages. See the Go 1.17.2 milestone on our issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.2+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-08 15:12:36 +02:00
Alexis Ries
9f39889dee Fixes #41871: Update daemon/daemon.go: resume healthcheck on restore
Call updateHealthMonitor for alive non-paused containers

Signed-off-by: Alexis Ries <alexis.ries.ext@orange.com>
2021-10-07 21:23:27 +02:00
Sebastiaan van Stijn
9dbec13362
registry: EndPointV1.Ping() remove redundant "Standalone" and cleanup logs
Standalone is a boolean, so false by default; also cleanup some debug logs
(probably more logs can be removed)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-07 16:26:39 +02:00
Tianon Gravi
1430d849a4
Merge pull request #42878 from thaJeztah/daemon_check_cd_once
daemon.UsingSystemd(): don't call getCD() multiple times
2021-10-06 17:28:35 -07:00
Tianon Gravi
9dd248a9e6
Merge pull request #42908 from thaJeztah/remove_unused_error
registry: remove unused registry.ErrAlreadyExists
2021-10-06 10:07:55 -07:00
Sebastiaan van Stijn
37dc2582d1
registry: remove use of iota for consts
I think it's a bit more readable to just use a literal value
for these; this also prevents having to use `_` to skip zero.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 21:14:17 +02:00
Sebastiaan van Stijn
4a52c46e37
registry: trimV1Address(): simplify trimming trailing slash
strings.TrimSuffix() does exactly the same as this code, but is
a bit more readable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 21:12:10 +02:00
Sebastiaan van Stijn
542edf0c21
registry: inline newV1Endpoint() into newV1EndpointFromStr()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 20:49:33 +02:00
Sebastiaan van Stijn
c8754f44d7
registry: remove unused ToV1Endpoint()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 14:43:58 +02:00
Sebastiaan van Stijn
afbeec8bda
registry: remove tlsConfigForMirror()
This function was just a shallow wrapper around tlsConfig(), so remove
the abstraction.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 14:37:53 +02:00
Sebastiaan van Stijn
9f874e53b9
registry: remove unused registry.ErrAlreadyExists
This error was no longer in use after the v1 push code was removed
in 53dad9f027.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 14:15:32 +02:00
Tonis Tiigi
cec4e69813
chrootarchive: don't create parent dirs outside of chroot
If chroot is used with a special root directory then create
destination directory within chroot. This works automatically
already due to extractor creating parent paths and is only
used currently with cp where parent paths are actually required
and error will be shown to user before reaching this point.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 80f1169eca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 09:57:04 +02:00
Brian Goff
03f1c3d78f
Lock down docker root dir perms.
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND critically
container users need to be able to do execute things.

0701 on lower directories also happens to allow any user to modify
     things in, for instance, the overlay upper dir which neccessarily
     has 0755 permissions.

This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.

This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 93ac040bf0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-05 09:57:00 +02:00
Akihiro Suda
306fa44b7c
Merge pull request #42881 from thaJeztah/dockerfile_rewrite
Dockerfile: move installers into Dockerfile, and update registry versions
2021-09-27 20:32:40 +09:00
Sebastiaan van Stijn
4145c81d82
Merge pull request #42880 from thaJeztah/makefile_proxy_vars
Makefile: remove passing proxy env-vars
2021-09-27 13:30:39 +02:00