Commit graph

1982 commits

Author SHA1 Message Date
Sebastiaan van Stijn
ecbc27aa22
vendor: github.com/docker/distribution v2.8.2
CI

- Dockerfile: fix filenames of artifacts

Bugfixes

- Fix panic in inmemory driver
- Add code to handle pagination of parts. Fixes max layer size of 10GB bug
- Parse http forbidden as denied
- Revert "registry/client: set Accept: identity header when getting layers"

Runtime

- Update to go1.19.9
- Dockerfile: update xx to v1.2.1 ([#3907](https://github.com/distribution/distribution/pull/3907))

Security

- Fix [CVE-2022-28391](https://www.cve.org/CVERecord?id=CVE-2022-28391) by bumping alpine from 3.14 to 3.16
- Fix [CVE-2023-2253](https://www.cve.org/CVERecord?id=CVE-2023-2253) runaway allocation on /v2/_catalog [`521ea3d9`](521ea3d973)

full diff: https://github.com/docker/distribution/compare/v2.8.1...v2.8.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

bump to release/2.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7821d2d788)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-11 16:26:51 +02:00
Sebastiaan van Stijn
a87313497b
vendor: github.com/containerd/containerd v1.6.21
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.21

Notable Updates

- update runc binary to v1.1.7
- Remove entry for container from container store on error
- oci: partially restore comment on read-only mounts for uid/gid uses
- windows: Add ArgsEscaped support for CRI
- oci: Use WithReadonlyTempMount when adding users/groups
- archive: consistently respect value of WithSkipDockerManifest

full diff: https://github.com/containerd/containerd/compare/c0efc63d3907...v1.6.21

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-05 19:52:17 +02:00
Sebastiaan van Stijn
1c2d8c8663
Merge pull request #45441 from thaJeztah/vendor_runtime_spec_v1.1.0-rc.2
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
2023-05-03 02:45:06 +02:00
Sebastiaan van Stijn
bf3c156654
vendor: github.com/moby/term v0.5.0
- split exported functions from implementation
- windows: IsConsole(): fix deprecation comment
- deprecate Termios in favor of unix.Termios
- windows: keyToString(): fix string conversion
- gha: update actions, add macOS, and add Go1.20
- gha: add windows

full diff: 1aeaba8785...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-02 14:14:17 +02:00
Sebastiaan van Stijn
c1d420ec60
vendor: github.com/moby/term v0.0.0-20221205130635-1aeaba878587
term: remove interrupt handler on termios

On termios platforms, interrupt signals are not generated in raw mode
terminals as the ISIG setting is not enabled. Remove interrupt handler
as it does nothing for raw mode and prevents other uses of INT signal
with this library.

This code seems to go back all the way to moby/moby#214 where signal
handling was improved for monolithic docker repository. Raw mode -ISIG
got reintroduced in moby/moby@3f63b87807, but the INT handler was left
behind.

full diff: abb19827d3...1aeaba8785

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-30 20:44:17 +02:00
Sebastiaan van Stijn
0df38c3e2b
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
release notes: https://github.com/opencontainers/runtime-spec/releases/tag/v1.1.0-rc.2

Additions

- config-linux: add support for rsvd hugetlb cgroup
- features: add features.md to formalize the runc features JSON
- config-linux: add support for time namespace

Minor fixes and documentation

- config-linux: clarify where device nodes can be created
- runtime: remove "When serialized in JSON, the format MUST adhere to the following pattern"
- Update CI to Go 1.20
- config: clarify Linux mount options
- config-linux: fix url error
- schema: fix schema for timeOffsets
- schema: remove duplicate keys

full diff: https://github.com/opencontainers/runtime-spec/compare/v1.1.0-rc.1...v1.1.0-rc.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-30 19:54:38 +02:00
Sebastiaan van Stijn
0ffd3225d2
vendor: github.com/opencontainers/runc v1.1.7
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-27 12:19:33 +02:00
Tianon Gravi
3eca54384d
Merge pull request #45291 from thaJeztah/bump_swarmkit
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7
2023-04-26 22:54:21 +00:00
Sebastiaan van Stijn
18a0ab6b3b
Merge pull request #45382 from wojiushixiaobai/patch-pty
build(deps): bump github.com/creack/pty from v1.1.11 to v1.1.18
2023-04-26 16:54:03 +02:00
吴小白
4876c09b2a
build(deps): bump github.com/creack/pty from v1.1.11 to v1.1.18
Signed-off-by: 吴小白 <296015668@qq.com>
2023-04-24 11:11:40 +08:00
Tonis Tiigi
38e791fb2f
vendor: update buildkit to v0.11.6
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-04-20 11:17:25 -07:00
Sebastiaan van Stijn
e6ac640d2e
vendor: github.com/opencontainers/runc v1.1.6
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6

This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.

Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.

- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
  from systemd while trying to create a systemd unit, which in some scenarios
  may result in a container not being added to the proper systemd unit and
  cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
  resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
  than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
  of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
  container when the file to be executed does not have executable bit set for
  the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
  a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1.
- cgroup v1 drivers are now aware of misc controller.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 19:55:23 +02:00
Sebastiaan van Stijn
f531e3cf69
vendor: golang.org/x/net v0.8.0
full diff: https://github.com/golang/net/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 19:54:33 +02:00
Sebastiaan van Stijn
3886faced8
vendor: golang.org/x/text v0.8.0
full diff: https://github.com/golang/text/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 19:53:50 +02:00
Sebastiaan van Stijn
8cf66ed732
Merge pull request #45301 from thaJeztah/vendor_sctp
vendor: github.com/ishidawataru/sctp v0.0.0-20230406120618-7ff4192f6ff2
2023-04-12 12:41:44 +02:00
Sebastiaan van Stijn
893d28469f
vendor: github.com/ishidawataru/sctp v0.0.0-20230406120618-7ff4192f6ff2
- Prevent descriptor leak
- Fixes optlen in getsockopt() for s390x

full diff: 9a39160e90...7ff4192f6f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-08 22:34:51 +02:00
Djordje Lukic
be4abf9d6e
Vendor containerd 1.6.x with the readonly mount fix
Uses containerd from release/1.6 commit c0efc63d39

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-04-07 10:57:48 +02:00
Sebastiaan van Stijn
70229b55ec
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230406225228-75e92ce14ff7
- update various dependencies
- Windows: Support local drivers internal, l2bridge and nat

full diff: e28e8ba9bc...75e92ce14f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-07 03:06:25 +02:00
Sebastiaan van Stijn
3f09316e3b
vendor: re-vendor to add missing file
When running hack/vendor.sh, I noticed this file was added to vendor.
I suspect this should've been part of 0233029d5a,
but the vendor check doesn't appear to be catching this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-07 01:01:13 +02:00
Sebastiaan van Stijn
61a0e79ad6
vendor: github.com/containerd/containerd v1.6.20
full diff: https://github.com/containerd/containerd/compare/de33abf0547c...v1.6.20

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-31 00:44:31 +02:00
Sebastiaan van Stijn
0233029d5a
vendor: opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
full diff: 02efb9a75e...3a7f492d3f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-31 00:42:36 +02:00
Sebastiaan van Stijn
c733cf223d
vendor: github.com/containerd/ttrpc v1.1.1
- server: Fix connection leak when receiving ECONNRESET

full diff: https://github.com/containerd/ttrpc/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-31 00:39:50 +02:00
Sebastiaan van Stijn
ea13744e53
Merge pull request #45239 from thaJeztah/vendor_runc_1.1.5
vendor: github.com/opencontainers/runc v1.1.5
2023-03-30 21:01:19 +02:00
Sebastiaan van Stijn
a17029ba49
vendor: github.com/opencontainers/runc v1.1.5
no changes in vendored code, just keeping scanners happy :)

release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.5
diff: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

* CVE-2023-25809 is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access
  to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other
  hierarchies on the host were affected. This vulnerability was
  discovered by Akihiro Suda.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc>

* CVE-2023-27561 was a regression which effectively re-introduced
  CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This
  regression was discovered by @Beuc.
  <https://github.com/advisories/GHSA-vpvm-3wq2-2wvm>

* CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same
  patch. This variant of the above vulnerability was reported by Lei
  Wang.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c>

In addition, the following other fixes are included in this release:

* Fix the inability to use `/dev/null` when inside a container.
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1).
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7.
* nsexec: Check for errors in `write_log()`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-30 14:43:21 +02:00
Laura Brehm
e85c69e1b7
Update github.com/containerd/containerd to the HEAD of release/1.6 and vendor
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-03-30 10:29:01 +01:00
Cory Snider
9e3a6ccf69
libn/i/setmatrix: make generic and constructorless
Allow SetMatrix to be used as a value type with a ready-to-use zero
value. SetMatrix values are already non-copyable by virtue of having a
mutex field so there is no harm in allowing non-pointer values to be
used as local variables or struct fields. Any attempts to pass around
by-value copies, e.g. as function arguments, will be flagged by go vet.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-29 13:31:12 -04:00
Sebastiaan van Stijn
988d26afe4
vendor: github.com/moby/buildkit v0.11.5
full diff: https://github.com/moby/buildkit/compare/v0.11.4...v0.11.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-25 14:37:07 +01:00
Sebastiaan van Stijn
72dc7a0f7b
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83
- CSI: Manager PublishVolume verify CSI node ID is not empty

full diff: a745a8755c...e28e8ba9bc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-22 11:56:28 +01:00
Sebastiaan van Stijn
0ac02ba342
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.1
full diff: https://github.com/opencontainers/runtime-spec/compare/1c3f411f0417...v1.1.0-rc.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:06:50 +01:00
Sebastiaan van Stijn
ab131642a1
vendor: github.com/opencontainers/runc v1.1.4
no changes in vendored files

full diff: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:06:50 +01:00
Sebastiaan van Stijn
b98c05dc50
vendor: github.com/klauspost/compress v1.16.3
full diff: https://github.com/klauspost/compress/compare/v1.15.12...v1.16.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:06:12 +01:00
Sebastiaan van Stijn
664c0d3201
vendor: github.com/godbus/dbus/v5 v5.1.0
full diff: https://github.com/godbus/dbus/compare/v5.0.6...v5.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
3e4ce10342
vendor: github.com/coreos/go-systemd/v22 v22.5.0
full diff: https://github.com/coreos/go-systemd/compare/v22.4.0...v22.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
0a2e3f14e7
vendor: github.com/opencontainers/selinux v1.11.0
full diff: https://github.com/opencontainers/selinux/compare/v1.10.2...v1.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
bc1dec71c5
vendor: github.com/imdario/mergo v0.3.13
full diff: https://github.com/imdario/mergo/compare/v0.3.12...v0.3.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:55 +01:00
Sebastiaan van Stijn
9752e43644
vendor: golang.org/x/sys v0.6.0
full diff: https://github.com/golang/sys/compare/v0.5.0...v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-16 00:05:52 +01:00
Sebastiaan van Stijn
3bbffe96e1
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3
no changes in vendored code; only aligning dependencies

full diff: 80a528a868...a745a8755c

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-09 22:20:59 +01:00
Sebastiaan van Stijn
ad9d70b0e6
Merge pull request #45106 from thaJeztah/bump_swarmkit
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230302163403-80a528a86877
2023-03-08 15:08:43 +01:00
Akihiro Suda
e807ae4f2e
vendor: github.com/containerd/cgroups/v3 v3.0.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-08 20:15:17 +09:00
Paweł Gronowski
a8f5c524a0
libcontainerd: Upgrade to typeurl/v2
In preparation for containerd v1.7 which migrates off gogo/protobuf
and changes the protobuf Any type to one that's not supported by our
vendored version of typeurl.

This fixes a compile error on usages of `typeurl.UnmarshalAny` when
upgrading to containerd v1.7.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-08 11:26:32 +01:00
Sebastiaan van Stijn
088aff1620
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230302163403-80a528a86877
- fix docker service create doesn't work when network and generic-resource are both attached
- Fix removing tasks when a jobs service is removed
- CSI: Allow NodePublishVolume even when plugin does not support staging

full diff: 904c221ac2...80a528a868

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-07 12:08:27 +01:00
Tonis Tiigi
f8b468fda2
builder-next: enable more cache backends
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-07 10:32:40 +01:00
Djordje Lukic
bba77163ff
c8d: Make build and buildx work
- Only use the image exporter in build if we don't use containerd
  Without this "docker build" fails with:

    Error response from daemon: exporter "image" could not be found

- let buildx know we support containerd snapshotter
- Pass the current snapshotter to the buildkit worker

  If buildkit uses a different snapshotter we can't list the images any
  more because we can't find the snapshot.

builder/builder-next: make ContainerdWorker a minimal wrapper

Note that this makes "Worker" a public field, so technically one could
overwrite it.

builder-next: reenable runc executor

Currently, without special CNI config the builder would
only create host network containers, which is a security issue.

Using runc directly instead of the shim is faster as well,
as the builder doesn't need anything from the shim. The overhead
of setting up the network sandbox is much slower of course.

builder/builder-next: simplify options handling

Trying to simplify the logic;

- Use an early return if multiple outputs are provided
- Only construct the list of tags if we're using an image (or moby) exporter
- Combine some logic for snapshotter and non-snapshotter handling

Create a constant for the moby exporter

Pass a context when creating a router

The context has a 10 seconds timeout which should be more than enough to
get the answer from containerd.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Co-authored-by: Tonis Tiigi <tonistiigi@gmail.com>
Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Co-authored-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-07 10:01:47 +01:00
Sebastiaan van Stijn
b0b3c62a84
vendor: github.com/moby/buildkit v0.11.4
- provenance: ensure URLs are redacted before written (fixes CVE-2023-26054)

full diff: https://github.com/moby/buildkit/compare/218e934edfba...v0.11.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-06 17:21:15 +01:00
Paweł Gronowski
324290a5eb
vendor: buildkit v0.11.4-0.20230228113103-218e934edfba
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-03 11:05:05 +01:00
Sebastiaan van Stijn
11261594d8
Merge pull request #45032 from corhere/shim-opts
daemon: allow shimv2 runtimes to be configured
2023-03-02 21:45:05 +01:00
Sebastiaan van Stijn
ef6f5367dc
vendor: github.com/containerd/containerd v1.6.19
Update hcsshim to v0.9.7 to include fix for graceful termination and pause containers

full diff: https://github.com/containerd/containerd/compare/v1.6.18...v1.6.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-28 23:27:11 +01:00
Sebastiaan van Stijn
5997ad8512
vendor: github.com/Microsoft/hcsshim v0.9.7
- Retain pause.exe as entrypoint for default pause images
- wcow: support graceful termination of servercore containers

full diff: https://github.com/Microsoft/hcsshim/compare/v0.9.6...v0.9.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-28 23:25:58 +01:00
Bjorn Neergaard
855c684708
Merge pull request #44664 from corhere/embedded-resolver-fixes
libnetwork: improve embedded DNS resolver
2023-02-23 12:25:58 -07:00
Bjorn Neergaard
5c1d6c957b
Merge pull request #44810 from rumpl/containerd-lazy-snapshotters
c8d/pull: Add CRI-compatible annotation of pulled content
2023-02-21 16:30:35 -07:00