Commit graph

231 commits

Author SHA1 Message Date
Sebastiaan van Stijn
0233029d5a
vendor: opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
full diff: 02efb9a75e...3a7f492d3f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-31 00:42:36 +02:00
Sebastiaan van Stijn
c733cf223d
vendor: github.com/containerd/ttrpc v1.1.1
- server: Fix connection leak when receiving ECONNRESET

full diff: https://github.com/containerd/ttrpc/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-31 00:39:50 +02:00
Sebastiaan van Stijn
ea13744e53
Merge pull request #45239 from thaJeztah/vendor_runc_1.1.5
vendor: github.com/opencontainers/runc v1.1.5
2023-03-30 21:01:19 +02:00
Sebastiaan van Stijn
a17029ba49
vendor: github.com/opencontainers/runc v1.1.5
no changes in vendored code, just keeping scanners happy :)

release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.5
diff: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

* CVE-2023-25809 is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access
  to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other
  hierarchies on the host were affected. This vulnerability was
  discovered by Akihiro Suda.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc>

* CVE-2023-27561 was a regression which effectively re-introduced
  CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This
  regression was discovered by @Beuc.
  <https://github.com/advisories/GHSA-vpvm-3wq2-2wvm>

* CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same
  patch. This variant of the above vulnerability was reported by Lei
  Wang.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c>

In addition, the following other fixes are included in this release:

* Fix the inability to use `/dev/null` when inside a container.
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1).
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7.
* nsexec: Check for errors in `write_log()`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-30 14:43:21 +02:00
Laura Brehm
e85c69e1b7
Update github.com/containerd/containerd to the HEAD of release/1.6 and vendor
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-03-30 10:29:01 +01:00
Cory Snider
9e3a6ccf69 libn/i/setmatrix: make generic and constructorless
Allow SetMatrix to be used as a value type with a ready-to-use zero
value. SetMatrix values are already non-copyable by virtue of having a
mutex field so there is no harm in allowing non-pointer values to be
used as local variables or struct fields. Any attempts to pass around
by-value copies, e.g. as function arguments, will be flagged by go vet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-29 13:31:12 -04:00
Sebastiaan van Stijn
988d26afe4
vendor: github.com/moby/buildkit v0.11.5
full diff: https://github.com/moby/buildkit/compare/v0.11.4...v0.11.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-25 14:37:07 +01:00
Sebastiaan van Stijn
72dc7a0f7b
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83
- CSI: Manager PublishVolume verify CSI node ID is not empty

full diff: a745a8755c...e28e8ba9bc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-22 11:56:28 +01:00
Sebastiaan van Stijn
0ac02ba342
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.1
full diff: https://github.com/opencontainers/runtime-spec/compare/1c3f411f0417...v1.1.0-rc.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:06:50 +01:00
Sebastiaan van Stijn
ab131642a1
vendor: github.com/opencontainers/runc v1.1.4
no changes in vendored files

full diff: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:06:50 +01:00
Sebastiaan van Stijn
b98c05dc50
vendor: github.com/klauspost/compress v1.16.3
full diff: https://github.com/klauspost/compress/compare/v1.15.12...v1.16.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:06:12 +01:00
Sebastiaan van Stijn
664c0d3201
vendor: github.com/godbus/dbus/v5 v5.1.0
full diff: https://github.com/godbus/dbus/compare/v5.0.6...v5.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
3e4ce10342
vendor: github.com/coreos/go-systemd/v22 v22.5.0
full diff: https://github.com/coreos/go-systemd/compare/v22.4.0...v22.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
0a2e3f14e7
vendor: github.com/opencontainers/selinux v1.11.0
full diff: https://github.com/opencontainers/selinux/compare/v1.10.2...v1.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
bc1dec71c5
vendor: github.com/imdario/mergo v0.3.13
full diff: https://github.com/imdario/mergo/compare/v0.3.12...v0.3.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
9752e43644
vendor: golang.org/x/sys v0.6.0
full diff: https://github.com/golang/sys/compare/v0.5.0...v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:52 +01:00
Sebastiaan van Stijn
3bbffe96e1
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3
no changes in vendored code; only aligning dependencies

full diff: 80a528a868...a745a8755c

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-09 22:20:59 +01:00
Sebastiaan van Stijn
ad9d70b0e6
Merge pull request #45106 from thaJeztah/bump_swarmkit
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230302163403-80a528a86877
2023-03-08 15:08:43 +01:00
Akihiro Suda
e807ae4f2e
vendor: github.com/containerd/cgroups/v3 v3.0.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-08 20:15:17 +09:00
Paweł Gronowski
a8f5c524a0
libcontainerd: Upgrade to typeurl/v2
In preparation for containerd v1.7 which migrates off gogo/protobuf
and changes the protobuf Any type to one that's not supported by our
vendored version of typeurl.

This fixes a compile error on usages of `typeurl.UnmarshalAny` when
upgrading to containerd v1.7.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-08 11:26:32 +01:00
Sebastiaan van Stijn
088aff1620
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230302163403-80a528a86877
- fix docker service create doesn't work when network and generic-resource are both attached
- Fix removing tasks when a jobs service is removed
- CSI: Allow NodePublishVolume even when plugin does not support staging

full diff: 904c221ac2...80a528a868

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-07 12:08:27 +01:00
Tonis Tiigi
f8b468fda2
builder-next: enable more cache backends
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-07 10:32:40 +01:00
Djordje Lukic
bba77163ff
c8d: Make build and buildx work
- Only use the image exporter in build if we don't use containerd
  Without this "docker build" fails with:

    Error response from daemon: exporter "image" could not be found

- let buildx know we support containerd snapshotter
- Pass the current snapshotter to the buildkit worker

  If buildkit uses a different snapshotter we can't list the images any
  more because we can't find the snapshot.

builder/builder-next: make ContainerdWorker a minimal wrapper

Note that this makes "Worker" a public field, so technically one could
overwrite it.

builder-next: reenable runc executor

Currently, without special CNI config the builder would
only create host network containers that is a security issue.

Using runc directly instead of shim is faster as well
as builder doesn’t need anything from shim. The overhead
of setting up network sandbox is much slower of course.

builder/builder-next: simplify options handling

Trying to simplify the logic;

- Use an early return if multiple outputs are provided
- Only construct the list of tags if we're using an image (or moby) exporter
- Combine some logic for snapshotter and non-snapshotter handling

Create a constant for the moby exporter

Pass a context when creating a router

The context has a 10 seconds timeout which should be more than enough to
get the answer from containerd.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Co-authored-by: Tonis Tiigi <tonistiigi@gmail.com>
Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Co-authored-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-07 10:01:47 +01:00
Sebastiaan van Stijn
b0b3c62a84
vendor: github.com/moby/buildkit v0.11.4
- provenance: ensure URLs are redacted before written (fixes CVE-2023-26054)

full diff: https://github.com/moby/buildkit/compare/218e934edfba...v0.11.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-06 17:21:15 +01:00
Paweł Gronowski
324290a5eb
vendor: buildkit v0.11.4-0.20230228113103-218e934edfba
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-03 11:05:05 +01:00
Sebastiaan van Stijn
ef6f5367dc
vendor: github.com/containerd/containerd v1.6.19
Update hcsshim to v0.9.7 to include fix for graceful termination and pause containers

full diff: https://github.com/containerd/containerd/compare/v1.6.18...v1.6.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-28 23:27:11 +01:00
Sebastiaan van Stijn
5997ad8512
vendor: github.com/Microsoft/hcsshim v0.9.7
- Retain pause.exe as entrypoint for default pause images
- wcow: support graceful termination of servercore containers

full diff: https://github.com/Microsoft/hcsshim/compare/v0.9.6...v0.9.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-28 23:25:58 +01:00
Bjorn Neergaard
855c684708
Merge pull request #44664 from corhere/embedded-resolver-fixes
libnetwork: improve embedded DNS resolver
2023-02-23 12:25:58 -07:00
Bjorn Neergaard
bc0392af66
Merge pull request #45047 from thaJeztah/update_buildkit_0.11.3
vendor: github.com/moby/buildkit v0.11.3
2023-02-21 15:01:27 -07:00
Cory Snider
d6c4e17411 Upgrade containerd/fifo to v1.1.0
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-21 12:29:46 -05:00
Bjorn Neergaard
a4a3efb75b
Merge pull request #44982 from neersighted/containerd_1.6.18
daemon: fully resolve `apparmor_parser` regression
2023-02-21 08:19:02 -07:00
Sebastiaan van Stijn
9104cd5441
vendor: github.com/moby/buildkit v0.11.3
full diff: https://github.com/moby/buildkit/compare/49992f513921...v0.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-21 12:17:33 +01:00
Benjamin Wang
4a886a3e8f dependency: bump go.etcd.io/bbolt to v1.3.7
Please refer to link below to get more detailed info on bbolt@v1.3.7,
- https://github.com/etcd-io/bbolt/blob/master/CHANGELOG/CHANGELOG-1.3.md#v1372023-01-31

Signed-off-by: Benjamin Wang <wachao@vmware.com>
2023-02-17 16:51:15 +08:00
Cory Snider
25b51cad3d libnetwork: replace ad-hoc semaphore implementation
...for limiting concurrent external DNS requests with
"golang.org/x/sync/semaphore".Weighted. Replace the ad-hoc rate limiter
for when the concurrency limit is hit (which contains a data-race bug)
with "golang.org/x/time/rate".Sometimes.

Immediately retrying with the next server if the concurrency limit has
been hit just further compounds the problem. Wait on the semaphore and
refuse the query if it could not be acquired in a reasonable amount of
time.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-16 19:05:59 -05:00
Bjorn Neergaard
174802e15f
vendor: github.com/containerd/containerd v1.6.18
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-02-16 08:26:13 -07:00
Sebastiaan van Stijn
a36286cf89
vendor: golang.org/x/net v0.7.0
This addresses the same CVE as is patched in go1.19.6. From that announcement:

> net/http: avoid quadratic complexity in HPACK decoding
>
> A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
> in the HPACK decoder, sufficient to cause a denial of service from a small
> number of small requests.
>
> This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
> configuring HTTP/2.
>
> This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

full diff: https://github.com/golang/net/compare/v0.5.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-14 21:00:09 +01:00
Sebastiaan van Stijn
c7de76569e
vendor: golang.org/x/text v0.7.0
full diff: https://github.com/golang/text/compare/v0.6.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-14 20:59:33 +01:00
Sebastiaan van Stijn
a53b44a266
vendor: golang.org/x/sys v0.5.0
full diff: https://github.com/golang/sys/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-14 20:58:24 +01:00
Tonis Tiigi
eaeaa7b7fd
vendor: update buildkit to latest v0.11
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-02-07 10:24:43 -08:00
Tonis Tiigi
666334bd48
vendor: update buildkit to v0.11.2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-02-01 23:29:10 -08:00
Sebastiaan van Stijn
85169a04cf
vendor: github.com/tonistiigi/fsutil v0.0.0-20221114235510-0127568185cf
full diff: 9ed612626d...0127568185

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-02-01 23:10:39 -08:00
Sebastiaan van Stijn
c41c8c2f86
vendor: github.com/containerd/containerd v1.6.16
Notable Updates

- Fix push error propagation
- Fix slice append error with HugepageLimits for Linux
- Update default seccomp profile for PKU and CAP_SYS_NICE
- Fix overlayfs error when upperdirlabel option is set

full diff: https://github.com/containerd/containerd/compare/v1.6.15...v1.6.16

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-30 09:07:59 +01:00
Sebastiaan van Stijn
22098745e7
vendor: github.com/pelletier/go-toml v1.9.5
Contains a fix that prevents a panic on an invalid toml file.

full diff: https://github.com/pelletier/go-toml/compare/v1.9.4...v1.9.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-30 09:05:04 +01:00
Sebastiaan van Stijn
25f95b0000
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230119195359-904c221ac281
full diff: 0da442b278...904c221ac2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-19 23:36:45 +01:00
Sebastiaan van Stijn
65c6ba1fc4
vendor: golang.org/x/net v0.5.0
contains a fix for CVE-2022-41721, although it probably does not affect us.

full diff: https://github.com/golang/net/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-17 14:34:05 +01:00
Sebastiaan van Stijn
824dc51341
vendor: golang.org/x/text v0.6.0
full diff: https://github.com/golang/text/compare/v0.5.0...v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-17 14:16:10 +01:00
Sebastiaan van Stijn
e66e6bb28a
vendor: golang.org/x/sys v0.4.0
full diff: https://github.com/golang/sys/compare/v0.3.0...v0.4.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-17 14:09:18 +01:00
Sebastiaan van Stijn
af6b5d55db
vendor: github.com/moby/ipvs v1.1.0
full diff: https://github.com/moby/ipvs/compare/v1.0.2...v1.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-14 17:25:22 +01:00
Sebastiaan van Stijn
f53feeea8b
vendor: github.com/vishvananda/netns v0.0.2
full diff: https://github.com/vishvananda/netns/compare/v0.0.1...v0.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-14 17:23:50 +01:00
Sebastiaan van Stijn
bb5cae2c94
vendor: github.com/vishvananda/netns v0.0.1
The project started tagging releases for go modules.

full diff: https://github.com/vishvananda/netns/compare/2eb08e3e575f...v0.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-13 14:55:18 +01:00