Commit graph

727 commits

Author SHA1 Message Date
Paweł Gronowski
46ca4a74b4
update containerd binary to v1.7.15
Update the containerd binary that's used in CI

- full diff: https://github.com/containerd/containerd/compare/v1.7.13...v1.7.15
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.15

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 3485cfbb1e)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-08 18:09:01 +02:00
Paweł Gronowski
e0815819de
update to go1.21.9
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the [Go 1.21.9 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved)
for more details.

These minor releases include 1 security fixes following the security policy:

- http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.

Set a limit on the amount of excess header frames we will process before
closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 329d403e20)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-04 10:15:00 +02:00
Paweł Gronowski
30e94dadbc
Dockerfile: update docker CLI to v26.0.0
Update the CLI that's used in the dev-container

- full diff: https://github.com/docker/cli/compare/v26.0.0-rc2...v26.0.0

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ea72f9f72c)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-27 13:17:05 +01:00
Sebastiaan van Stijn
7e56442cee
Merge pull request #47574 from thaJeztah/bump_tools
Dockerfile: update docker CLI to v26.0.0-rc2, docker compose v2.25.0
2024-03-18 13:59:42 +01:00
Sebastiaan van Stijn
fe8fb9b9a1
Dockerfile: update mvdan/shfmt to v3.8.0
- full diff: https://github.com/mvdan/sh/compare/v3.7.0...v3.8.0
- 3.7.0 release notes: https://github.com/mvdan/sh/releases/tag/v3.7.0
- 3.8.0 release notes: https://github.com/mvdan/sh/releases/tag/v3.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-17 13:36:43 +01:00
Sebastiaan van Stijn
4bd30829d1
Dockerfile: update docker compose to v2.25.0
Update the version of compose that's used in the dev-container.

- full diff: https://github.com/docker/compose/compare/v2.24.7...v2.25.0
- release notes: https://github.com/docker/compose/releases/tag/v2.25.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-16 14:22:42 +01:00
Sebastiaan van Stijn
971562b005
Dockerfile: update docker CLI to v26.0.0-rc2
Update the CLI that's used in the dev-container to the latest rc

- full diff: https://github.com/docker/cli/compare/v26.0.0-rc1...v26.0.0-rc2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-16 14:22:30 +01:00
Sebastiaan van Stijn
4f46c44725
Dockerfile: update xx to v1.4.0
full diff: https://github.com/tonistiigi/xx/compare/v1.2.1...v1.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-15 19:59:48 +01:00
Sebastiaan van Stijn
f40bdf5f63
Dockerfile: update compose to v2.24.7
full diff: https://github.com/docker/compose/compare/v2.24.5...v2.24.7

release notes:

- https://github.com/docker/compose/releases/tag/v2.24.6
- https://github.com/docker/compose/releases/tag/v2.24.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-14 12:40:26 +01:00
Sebastiaan van Stijn
3f73d23ea0
Dockerfile: update buildx to v0.13.1
release notes:

- https://github.com/docker/buildx/releases/tag/v0.13.1
- https://github.com/docker/buildx/releases/tag/v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-14 12:38:06 +01:00
Sebastiaan van Stijn
b8165a9cd1
Merge pull request #47494 from vvoland/devcontainer-golang
devcontainer: Add Golang extension
2024-03-11 17:50:13 +01:00
Paweł Gronowski
eef352b565
devcontainer: Use a separate devcontainer target
Use a separate `devcontainer` Dockerfile target, this allows to include
the `gopls` in the devcontainer so it doesn't have to be installed by
the Go vscode extension.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-07 20:39:56 +01:00
Akihiro Suda
49fd8df9b9
Dockerfile: update RootlessKit to v2.0.2
https://github.com/rootless-containers/rootlesskit/compare/v2.0.1...v2.0.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-06 07:38:55 +09:00
Paweł Gronowski
57b7ffa7f6
update to go1.21.8
go1.21.8 (released 2024-03-05) includes 5 security fixes

- crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783, https://go.dev/issue/65390)
- net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290, https://go.dev/issue/65383)
- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289, https://go.dev/issue/65065)
- html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785, https://go.dev/issue/65697)
- net/mail: comments in display names are incorrectly handled (CVE-2024-24784, https://go.dev/issue/65083)

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.1

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.7...go1.21.8

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-05 19:17:18 +01:00
Paweł Gronowski
2af2496c8c
Dockerfile: Update dev cli to v26.0.0-rc1
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-02-29 12:45:17 +01:00
Sebastiaan van Stijn
7c2975d2df
update to go1.21.7
go1.21.7 (released 2024-02-06) includes fixes to the compiler, the go command,
the runtime, and the crypto/x509 package. See the Go 1.21.7 milestone on our
issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.6...go1.21.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-02-14 12:56:06 +01:00
Akihiro Suda
7f1b700227
Dockerfile: update RootlessKit to v2.0.1
https://github.com/rootless-containers/rootlesskit/releases/tag/v2.0.1

Fix issue 47327 (`rootless lxc-user-nic: /etc/resolv.conf missing ip`)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-02-06 11:51:47 +09:00
Sebastiaan van Stijn
10d6f5213a
Dockerfile: update docker compose to v2.24.5
Update the version of compose used in CI to the latest version.

- full diff: https://github.com/docker/compose/compare/v2.24.3...v2.24.5
- release notes: https://github.com/docker/compose/releases/tag/v2.24.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-02-03 13:51:49 +01:00
Sebastiaan van Stijn
9c92c07acf
Dockerfile: update dev-shell version of the cli to v25.0.2
Update the docker CLI that's available for debugging in the dev-shell
to the v25 release.

full diff: https://github.com/docker/cli/compare/v25.0.1...v25.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-02-03 13:50:18 +01:00
Sebastiaan van Stijn
f42b8ae8db
Merge pull request #47278 from thaJeztah/bump_containerd_binary_1.7.13
update containerd binary to v1.7.13
2024-02-01 00:03:58 +01:00
Sebastiaan van Stijn
835cdcac95
update containerd binary to v1.7.13
Update the containerd binary that's used in CI

- full diff: https://github.com/containerd/containerd/compare/v1.7.12...v1.7.13
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-31 22:01:50 +01:00
Sebastiaan van Stijn
44bf407d4d
update runc binary to v1.1.12
Update the runc binary that's used in CI and for the static packages, which
includes a fix for [CVE-2024-21626].

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.12
- full diff: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12

[CVE-2024-21626]: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-31 21:05:31 +01:00
Sebastiaan van Stijn
388ba9a69c
Dockerfile: update docker compose to v2.24.3
Update the version of compose used in CI to the latest version.

- full diff: https://github.com/docker/compose/compare/v2.24.2...v2.24.3
- release notes: https://github.com/docker/compose/releases/tag/v2.24.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-26 09:30:17 +01:00
Sebastiaan van Stijn
3eb1527fdb
Dockerfile: update dev-shell version of the cli to v25.0.1
Update the docker CLI that's available for debugging in the dev-shell
to the v25 release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-26 09:23:14 +01:00
Sebastiaan van Stijn
05d952b246
Dockerfile: update docker compose to v2.24.2
Update the version of compose used in CI to the latest version.

- full diff: docker/compose@v2.24.1...v2.24.2
- release notes: https://github.com/docker/compose/releases/tag/v2.24.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-23 09:51:41 +01:00
Sebastiaan van Stijn
307fe9c716
Dockerfile: update docker compose to v2.24.1
Update the version of compose used in CI to the latest version.

- full diff: https://github.com/docker/compose/compare/v2.24.0...v2.24.1
- release notes: https://github.com/docker/compose/releases/tag/v2.24.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-19 23:27:59 +01:00
Sebastiaan van Stijn
dfced4b557
Dockerfile: update dev-shell version of the cli to v25.0.0
Update the docker CLI that's available for debugging in the dev-shell
to the v25 release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-19 23:25:12 +01:00
Akihiro Suda
f5d05b43d7
Dockerfile: update RootlessKit to v2.0.0
https://github.com/rootless-containers/rootlesskit/releases/tag/v2.0.0

=== Pasta ===
RootlessKit v2 adds the support for pasta (https://passt.top/passt/).
Pasta is similar to slirp4netns but its port forwarder achieves better
throughput than slirp4netns port driver.

It is still not faster than RootlessKit's `builtin` port driver, but unlike the
`builtin` port driver, pasta can retain source IP address information.

Network driver | Port driver    | Net throughput | Port throughput | Src IP | No SUID | Note
---------------|----------------|----------------|-----------------|--------|---------|--------------------------------------------
slirp4netns    | builtin        | Slow           | Fast          |      |       | Default in typical setup
vpnkit         | builtin        | Slow           | Fast          |      |       | Default when slirp4netns is not installed
slirp4netns    | slirp4netns    | Slow           | Slow            |      |       |
**pasta**      | **implicit**   | Slow           | Fast          |      |       | Experimental
lxc-user-nic   | builtin        | Fast         | Slow            |      |       | Experimental
(bypass4netns) | (bypass4netns) | Fast         | Fast          |      |       | (Not integrated to RootlessKit)

=== Detach-netns ===
Aside from pasta, RootlessKit v2 also brings the support for
"detach-netns" mode, which leaves the runtime in the host network namespace to
eliminate the slirp overhead for pull/push and to allow accessing the "real"
127.0.0.1.

See containerd/nerdctl PR 2723 for how detach-netns is being adopted in
nerdctl v2.

Integrating detach-netns into Docker/Moby will need an extra work and will be
deferred to Docker v26 (or later).

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-01-16 10:56:29 +09:00
Sebastiaan van Stijn
3a15c6c9d7
Merge pull request #47070 from thaJeztah/bump_containerd_binary
update containerd binary to v1.7.12
2024-01-12 21:14:07 +01:00
Sebastiaan van Stijn
cd1709b0d4
update containerd binary to v1.7.12
- full diff: https://github.com/containerd/containerd/compare/v1.7.11...v1.7.12
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.12

Welcome to the v1.7.12 release of containerd!

The twelfth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

- Fix on dialer function for Windows
- Improve `/etc/group` handling when appending groups
- Update shim pidfile permissions to 0644
- Update runc binary to v1.1.11
- Allow import and export to reference missing content
- Remove runc import
- Update Go version to 1.20.13

Deprecation Warnings

- Emit deprecation warning for `containerd.io/restart.logpath` label usage

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 17:56:37 +01:00
Sebastiaan van Stijn
0790864064
Dockerfile: update buildx to v0.12.1
Update the version of buildx used in CI to the latest version.

- full diff: https://github.com/docker/buildx/compare/v0.12.0...v0.12.1
- release notes: https://github.com/docker/buildx/releases/tag/v0.12.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 16:13:34 +01:00
Sebastiaan van Stijn
a9d0128bd7
Dockerfile: update docker compose to v2.24.0
Update the version of compose used in CI to the latest version.

- full diff: https://github.com/docker/compose/compare/v2.20.1...v2.24.0
- release notes: https://github.com/docker/compose/releases/tag/v2.24.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-12 14:43:40 +01:00
Sebastiaan van Stijn
d7141cfd06
update to go1.21.6
go1.21.6 (released 2024-01-09) includes fixes to the compiler, the runtime, and
the crypto/tls, maps, and runtime/pprof packages. See the Go 1.21.6 milestone on
our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.6+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.5...go1.21.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-10 09:46:37 +01:00
Sebastiaan van Stijn
e27ffdab0f
Dockerfile: update rootlesskit to v1.1.1, and use tags as reference
Commit 0b1c1877c5 updated the version in
hack/dockerfile/install/rootlesskit.installer, but forgot to update the
version in Dockerfile.

Also updating both to use a tag, instead of commit. While it's good to pin by
an immutable reference, I think it's reasonably safe to use the tag, which is
easier to use, and what we do for other binaries, such as runc as well.

Full diff: https://github.com/rootless-containers/rootlesskit/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-09 09:54:47 +01:00
Sebastiaan van Stijn
d5a3fccb06
update golangci-lint to v1.55.2
- full diff: https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-03 13:41:37 +01:00
Sebastiaan van Stijn
5fa4cfcabf
update runc binary to v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 16:09:16 +01:00
Sebastiaan van Stijn
882b79b254
Dockerfile: update crun to 1.12
full diff: https://github.com/containers/crun/compare/1.8.7...1.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-28 10:50:28 +01:00
Sebastiaan van Stijn
33d2ec08ba
update containerd binary to 1.7.11
- full diff: https://github.com/containerd/containerd/compare/v1.7.10...v1.7.11
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.11

Welcome to the v1.7.11 release of containerd!

The eleventh patch release for containerd 1.7 contains various fixes and
updates including one security issue.

Notable Updates

- Fix Windows default path overwrite issue
- Update push to always inherit distribution sources from parent
- Update shim to use net dial for gRPC shim sockets
- Fix otel version incompatibility
- Fix Windows snapshotter blocking snapshot GC on remove failure
- Mask /sys/devices/virtual/powercap path in runtime spec and deny in
  default apparmor profile [GHSA-7ww5-4wqc-m92c]

Deprecation Warnings

- Emit deprecation warning for AUFS snapshotter
- Emit deprecation warning for v1 runtime
- Emit deprecation warning for deprecated CRI configs
- Emit deprecation warning for CRI v1alpha1 usage
- Emit deprecation warning for CRIU config in CRI

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-09 01:26:44 +01:00
Sebastiaan van Stijn
c51a262e34
update containerd binary to 1.7.10
- full diff: https://github.com/containerd/containerd/compare/v1.7.9...v1.7.10
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.10

Welcome to the v1.7.10 release of containerd!

The tenth patch release for containerd 1.7 contains various fixes and
updates.

Notable Updates

- Enhance container image unpack client logs
- cri: fix using the pinned label to pin image
- fix: ImagePull should close http connection if there is no available data to read.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-09 01:25:57 +01:00
Sebastiaan van Stijn
862caf826c
update to go1.21.5
go1.21.5 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler, the go command, the runtime, and the crypto/rand, net, os, and
syscall packages. See the Go 1.21.5 milestone on our issue tracker for
details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.4...go1.21.5

from the security mailing:

[security] Go 1.21.5 and Go 1.20.12 are released

Hello gophers,

We have just released Go versions 1.21.5 and 1.20.12, minor point releases.

These minor releases include 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver
  reading from a request or response body to read many more bytes from
  the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a
  handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata.
  A sender can exploit this by inserting a large metadata segment with
  each byte transferred. The chunk reader now produces an error if the
  ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fallback to the insecure "git://" protocol if the module is unavailable
  via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
  is not set for said module. This only affects users who are not using
  the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
  volume name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
  other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 23:27:58 +01:00
Sebastiaan van Stijn
0bf6ffba43
update to go1.21.4
go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker, the runtime, the compiler, and
the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone
on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 23:27:08 +01:00
Sebastiaan van Stijn
c786c3a974
Dockerfile: update criu stage to Debian 12 (Bookworm)
Follow-up to e72c4818c4, which updated the
Dockerfile to use Debian 12 "bookworm", but forgot to update the package
repository to use for the CRIU packages. Note that the criu stage is currently
not built by default (see d3d2823edf), so to
verify the stage, it needs to be built manually;

    docker build --target=criu .

This patch adds an extra `criu --version` to the build, so that it's verified
to be "functional".

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 14:09:57 +01:00
Sebastiaan van Stijn
49f3e7d233
Dockerfile: remove APT_MIRROR build-arg
This option was originally added in 8ec8564691,
at which time the upstream debian package repositories were not always
reliable, so using a mirror helped with CI stability and performance.

Debian's package repositories are a lot more reliable now, so there's no
longer a need to use a mirror.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-04 13:52:58 +01:00
Sebastiaan van Stijn
3bfb6a9420
frozen images: update to debian:bookworm-slim
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-30 12:01:06 +01:00
Sebastiaan van Stijn
fd40dfaf58
Dockerfile: remove uses of DEBIAN_FRONTEND
We used DEBIAN_FRONTEND in some places to prevent installation of packages
from being blocked. However, debian bookworm now [includes a fix][1] for
situations like this (it was specifically reported for Docker situations <3),
so we can get rid of these.

Thanks to Tianon for noticing this, and for linking to the Debian ticket!

[1]: https://bugs.debian.org/929417

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-30 11:51:18 +01:00
Sebastiaan van Stijn
e72c4818c4
Dockerfile: update to Debian "bookworm" (current stable)
Also switch yamllint to be installed from debian's packages, which are
currently at v1.29.0.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-30 11:50:34 +01:00
Paweł Gronowski
681c94ca17
Dockerfile: update buildx to v0.12.0
Update the version of buildx we use in the dev-container to v0.12.0

Release notes: https://github.com/docker/buildx/releases/tag/v0.12.0

Full diff: https://github.com/docker/buildx/compare/v0.11.1...v0.12.0

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-11-20 16:03:41 +01:00
Sebastiaan van Stijn
68e73ceb67
update containerd binary to v1.7.9
full diff: https://github.com/containerd/containerd/compare/v1.7.8...v1.7.9
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.9

Notable Updates

- update runc binary to v1.1.10
- vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
- Expose usage of cri-api v1alpha2
- integration: deflake TestIssue9103
- fix: shimv1 leak issue
- cri: add deprecation warnings for mirrors, auths, and configs
- Update hcsshim tag to v0.11.4
- Expose usage of deprecated features

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-19 13:34:04 +01:00
Sebastiaan van Stijn
15bcc707e6
update runc binary to v1.1.10
- full diff: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.10

This is the tenth (and most likely final) patch release in the 1.1.z
release branch of runc. It mainly fixes a few issues in cgroups, and a
umask-related issue in tmpcopyup.

- Add support for `hugetlb.<pagesize>.rsvd` limiting and accounting.
  Fixes the issue of postgres failing when hugepage limits are set.
- Fixed permissions of a newly created directories to not depend on the value
  of umask in tmpcopyup feature implementation.
- libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes`
  (fixes the compatibility with Linux kernel 6.1+).
- Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
  configuration. This issue is not a security issue because it requires a
  malicious config.json, which is outside of our threat model.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-13 16:01:02 +01:00
Sebastiaan van Stijn
4356962c69
update containerd binary to v1.7.8
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8
full diff: https://github.com/containerd/containerd/compare/v1.7.6...v1.7.8

Notable Updates

- Fix ambiguous TLS fallback
- Update Go to 1.20.10
- Add a new image label on converted schema 1 images
- Fix handling for missing basic auth credentials
- Fix potential deadlock in create handler for containerd-shim-runc-v2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-27 00:48:26 +02:00