note that the previous version we used was from the master branch, so some
changes, for example, replacing the deprecated `io/ioutil` package are reverted
in this update.
raw diff: https://github.com/moby/buildkit/compare/d7744bcb3532..v0.10.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 5770296d90...3147a52a75
This version contains a fix for CVE-2022-27191 (not sure if it affects us).
From the golang mailing list:
Hello gophers,
Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
client authentication support for signature algorithms based on SHA-2 for use with
existing RSA keys.
Previously, a client would fail to authenticate with RSA keys to servers that
reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
and—starting today March 15, 2022 for recently uploaded keys.
We are providing this announcement as the error (“ssh: unable to authenticate”)
might otherwise be difficult to troubleshoot.
Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
fixes a potential security issue where an attacker could cause a crash in a
golang.org/x/crypto/ssh server under these conditions:
- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
Servers that only use Signer implementations provided by the ssh package are
unaffected. This is CVE-2022-27191.
Alla prossima,
Filippo for the Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
updates the "logentries" dependency;
- checking error when calling output
- Support Go Modules
full diff: 7a984a84b5...fc06dab2ca
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This removes the plugin section from the containerd configuration file
(`/var/run/docker/containerd/containerd.toml`) that is generated when
starting containerd as child process;
```toml
[plugins]
[plugins.linux]
shim = "containerd-shim"
runtime = "runc"
runtime_root = "/var/lib/docker/runc"
no_shim = false
shim_debug = true
```
This configuration doesn't appear to be used since commit:
0b14c2b67a, which switched the default runtime
to to io.containerd.runc.v2.
Note that containerd itself uses `containerd-shim` and `runc` as default
for `shim` and `runtime` v1, so omitting that configuration doesn't seem
to make a difference.
I'm slightly confused if any of the other options in this configuration were
actually used: for example, even though `runtime_root` was configured to be
`/var/lib/docker/runc`, when starting a container with that coniguration set
on docker 19.03, `/var/lib/docker/runc` doesn't appear to exist:
```console
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
098baa4cb0e7 nginx:alpine "/docker-entrypoint.…" 59 minutes ago Up 59 minutes 80/tcp foo
$ ls /var/lib/docker/runc
ls: /var/lib/docker/runc: No such file or directory
$ ps auxf
PID USER TIME COMMAND
1 root 0:00 sh
16 root 0:11 dockerd --debug
26 root 0:09 containerd --config /var/run/docker/containerd/containerd.toml --log-level debug
234 root 0:00 containerd-shim -namespace moby -workdir /var/lib/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby/09
251 root 0:00 nginx: master process nginx -g daemon off;
304 101 0:00 nginx: worker process
...
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: db3c7e526a...2eb08e3e57
- Add support for detecting netns for all possible QoS in Kubernetes
- Add go1.10 build constraint
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.3...v3.1.0
noteworthy changes:
- ci: add go1.16
- ci: add go1.17, remove go1.13
- golden: only create dir if update flag is set
- icmd: replace all usages of os/exec with golang.org/x/sys/execabs
- assert: ErrorIs
- fs: add DirFromPath
- Stop creating directory outside of testdata
- fs: Fix comparing symlink permissions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/pelletier/go-toml/compare/v1.9.1...v1.9.4
- Add Encoder.CompactComments to omit extra new line
- Clarify license and comply with Apache 2.0
- feat(tomll): add multiLineArray flag to linter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/continuity/compare/v0.1.0...v0.2.2
- fs/stat: add FreeBSD, and cleanup some nolint-comments
- go.mod: bazil.org/fuse v0.0.0-20200407214033-5883e5a4b5125
- Fix darwin issues
- Remove direct dependency on github.com/pkg/errors
- Do not log errors before returning them
- Build containerd/continuity on multiple Unix OSes
- Update CI Go version to 1.17
- fs: use syscall.Timespec.Unix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/tools/compare/v0.1.0...v0.1.5
It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/mod/compare/v0.4.1...v0.4.2
It's not used, but one of our dependencies has a `tools.go` file that forces
it to be vendored; vendor/cloud.google.com/go/tools.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
A copy of Go's archive/tar packge was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.
glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.
The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.
Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.
Fixes#42402
Signed-off-by: Cory Snider <csnider@mirantis.com>
full diff: https://github.com/fsnotify/fsnotify/compare/v1.4.9...v1.5.1
Relevant changes:
- Fix unsafe pointer conversion
- Drop support/testing for Go 1.11 and earlier
- Update x/sys to latest
- add //go:build lines
- add go 1.17 to test matrix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: bf48bf16ab...f6687ab280
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like the `replace` rule was also matching what we're already vendoring,
so we can remove it:
github.com/containerd/containerd v1.5.8 => github.com/containerd/containerd v1.5.8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: e18ecbb051...69e39bad7d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the replace rule, and use the version as specified by (indirect) dependencies:
full diff: 3af7569d3a...f0f3c7e86c
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- all changes here are attributed to difference in behaviour between,
namely:
- resolution of secondary test dependencies
- prunning of non-Go files
Signed-off-by: Ilya Dmitrichenko <errordeveloper@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/ttrpc/compare/v1.0.2...v1.1.0
- client: Handle sending/receiving in separate goroutines
- Return Unimplemented when services or methods are not implemented
- go.mod: sirupsen/logrus v1.7.0
- go.mod: update dependencies
- go.mod: github.com/gogo/protobuf v1.3.2
- go.mod: google.golang.org/grpc v1.27.1
- go.mod: google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63
- go.mod: github.com/prometheus/procfs v0.6.0
- replace pkg/errors
- Rename branch from master to main
- Use GitHub Actions for CI
- Make "go test" and "go build" work on macOS
- Add protoc-gen-go-ttrpc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Updates go-winio to the latest version. The main important fix here is
to go-winio's backuptar package. This is needed to fix a bug in sparse
file handling in container layers, which was exposed by a recent change
in Windows.
go-winio v0.5.1: https://github.com/microsoft/go-winio/releases/tag/v0.5.1
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
In situations where docker runs in an environment where capabilities are limited,
sucn as docker-in-docker in a container created by older versions of docker, or
in a container where some capabilities have been disabled, starting a privileged
container may fail, because even though the _kernel_ supports a capability, the
capability is not available.
This patch attempts to address this problem by limiting the list of "known" capa-
bilities on the set of effective capabilties for the current process. This code
is based on the code in containerd's "caps" package.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This replaces the local SeccompSupported() utility for the implementation in containerd,
which performs the same check.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8,
2021) or later, see https://github.com/golang/go/issues/45702. While this seems
to affect macOS only, let's update to the latest version.
full diff: d19ff857e8...63515b42dc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.5.4...v1.5.5
Welcome to the v1.5.5 release of containerd!
The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
other minor updates.
Notable Updates
- Update runc binary to 1.0.1
- Update pull logic to try next mirror on non-404 response
- Update pull authorization logic on redirect
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.5.2...v1.5.3
- Fix User Agent sent to registry authentication server (changes default user-
agent from "Go-http-client/1.1" to "containerd/v1.5.3")
- Fix missing Body.Close() calls on push to docker remote
- Change Wrapf of non-error to an actual error
- fixes Failed to pull image (unexpected commit digest)
- fix invalid validation error checking
- Update hcsshim to 0.8.18
- Update Go to 1.16.6
- content/local: inline sys.StatATimeAsTime()
- windows: Use GetFinalPathNameByHandle for ResolveSymbolicLink
- Fix cleanup context of teardownPodNetwork
- fixes CRI fails to invoke CNI plugin to teardown network when RunPodSandbox times out
- sandbox: send pod UID to CNI plugins as K8S_POD_UID
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream update fixes the issue where left node would be marked as
failed, which caused `TestNetworkDBIslands` to occasionally fail.
Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
This was used for testing purposes when libnetwork was in a separate
repo.
Now that it is integrated we no longer need it since dockerd and docker
cli provide the same function.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- winterm: GetStdFile(): Added compatibility with "golang.org/x/sys/windows"
- winterm: fix GetStdFile() falltrough
- update deprecation message to refer to the correct replacement
- add go.mod
- Fix int overflow
- Convert int to string using rune()
full diff:
- bea5bbe245...3f7ff695ad
- d6e3b3328b...d185dfc1b5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The LCOW implementation in dockerd has been deprecated in favor of re-implementation
in containerd (in progress). Microsoft started removing the LCOW V1 code from the
build dependencies we use in Microsoft/opengcs (soon to be part of Microsoft/hcshhim),
which means that we need to start removing this code.
This first step removes the lcow graphdriver, the LCOW initialization code, and
some LCOW-related utilities.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: ab34263943...6772e930b6
- http/httpproxy: match http scheme when selecting http_proxy
- drop support for pre-1.12 direct syscalls on darwin
- x/net/http2: reject HTTP/2 Content-Length headers containing a sign
- http2/h2i: use x/term instead of x/crypto/ssh/terminal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
After moving libnetwork we have a few extra cmd's.
Some of these are using urfave/cli so we need to vendor that in.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
full diff: https://github.com/moby/buildkit/compare/v0.8.2...v0.8.3
- vendor containerd (required for rootless overlayfs on kernel 5.11)
- not included to avoid depending on a fork
- Add retry on image push 5xx errors
- contenthash: include basename in content checksum for wildcards
- Fix missing mounts in execOp cache map
- Add regression test for run cache not considering mounts
- Add hack to preserve Dockerfile RUN cache compatibility after mount cache bugfix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 6e2cb13661...f2269e66cd
- support SO_SNDBUF/SO_RCVBUF handling
- Support Go Modules
- license clarificaton
- ci: drop 1.6, 1.7, 1.8 support
- Add support for SocketConfig
- support goarch mips64le architecture.
- fix possible socket leak when bind fails
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update libnetwork to make `docker run -p 80:80` functional again on environments
with kernel boot parameter `ipv6.disable=1`.
full diff: b3507428be...64b7a4574d
- fix port forwarding with ipv6.disable=1
- fixes moby/moby/42288 Docker 20.10.6: all containers stopped and cannot start if ipv6 is disabled on host
- fixes docker/libnetwork/2629 Network issue with IPv6 following update to version 20.10.6
- fixesdocker/for-linux/1233 Since 20.10.6 it's not possible to run docker on a machine with disabled IPv6 interfaces
- vendor: github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be
- Enforce order of lock acquisitions on network/controller, fixes#2632
- fixes docker/libnetwork/2632 Name resolution stuck due to deadlock between different network struct methods
- fixes moby/moby/42032 Docker deamon get's stuck, can't serve DNS requests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/moby/sys/compare/symlink/v0.1.0...mountinfo/v0.4.1
github.com/moby/sys/mountinfo v0.4.1
----------------------------------------------
- Fix PrefixFilter() being too greedy
- TestMountedBy*: add missing pre-checks
- Documentation improvements
github.com/moby/sys/mount v0.2.0
----------------------------------------------
Breaking changes:
- Remove stub-implementations for Windows for `Mount()`, `Unmount()`,
`RecursiveUnmount()`, `MergeTmpfsOptions()`
Fixes and improvements:
- `go.mod`: update github.com/moby/sys/mountinfo to v0.4.0
- use `MNT_*` flags from golang.org/x/sys/unix on freebsd
- add support for OpenBSD in addition to FreeBSD
- fix package overview documentation not showing
- `RecursiveUnmount()`: minor improvements
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 55eda46b22...19ee068f93
brings in updated protobufs, generated with gogo/protobuf v1.3.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The runc/libcontainer apparmor package on master no longer checks if apparmor_parser
is enabled, or if we are running docker-in-docker.
While those checks are not relevant to runc (as it doesn't load the profile), these
checks _are_ relevant to us (and containerd). So switching to use the containerd
apparmor package, which does include the needed checks.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch picks the first commit in containerd that exports the AppArmor package
functions to keep the vendor diff small (there are some updates to that package
after this, but those will be included in other patches).
full diff: fbf1a72de7...55eda46b22
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the first commit after the containerd transition to go modules. Using this
as an intermediate version to allow us to track what dependency changes are
introduced in the containerd dependency since.
full diff: b9092fae15...fbf1a72de7
There were some fix-ups in the PR after adding go modules that updated dependencies,
which will be aligned in the next commit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the last commit before containerd switched to using go modules. Using this
as an intermediate version to allow us to more easily track what dependency updates
containerd has.
full diff: 0edc412565...b9092fae15
relevant changes in vendored code:
- Do not hardcode "amd64" on LCOW and Windows-related files
- Optimize Windows and LCOW snapshotters to only create scratch layer on the final snapshot
- Add annotations to task update request api
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Taking the same approach as was taken in containerd
The new library has a slightly different output;
- keys at the same level are sorted alphabetically
- empty sections not omitted (`proxy_plugins`, `stream_processors`, `timeouts`),
which could possibly be be addressed with an "omitempty" in containerd's struct.
- empty slices are not omitted (`imports`, `required_plugins`)
After sorting the "before" configuration the diff looks like this:
```patch
diff --git a/config-before-sorted.toml b/config-after.toml
index cc771ce7ab..43a727f589 100644
--- a/config-before-sorted.toml
+++ b/config-after.toml
@@ -1,6 +1,8 @@
disabled_plugins = ["cri"]
+imports = []
oom_score = 0
plugin_dir = ""
+required_plugins = []
root = "/var/lib/docker/containerd/daemon"
state = "/var/run/docker/containerd/daemon"
version = 0
@@ -37,6 +39,12 @@ version = 0
shim = "containerd-shim"
shim_debug = true
+[proxy_plugins]
+
+[stream_processors]
+
+[timeouts]
+
[ttrpc]
address = ""
gid = 0
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: fa125a3512...b3507428be
- fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609)
- fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes"
- Fix regression in docker-proxy
- introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604)
- fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607)
- fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858)
- Use hostIP to decide on Portmapper version
- fixes docker-proxy not being stopped correctly
Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when
listening on "any" IP address. Various tests had to be updated to take multiple mappings into
account.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 68bb095353...9065b18ba4
- fix seccomp compatibility in 32bit arm
- fixes Unable to build alpine:edge containers for armv7
- fixes Buildx failing to build for arm/v7 platform on arm64 machine
- resolver: avoid error caching on token fetch
- fixes "Error: i/o timeout should not be cached"
- fileop: fix checksum to contain indexes of inputs
- frontend/dockerfile: add RunCommand.FlagsUsed field
- relates to [20.10] Classic builder silently ignores unsupported Dockerfile command flags
- update qemu emulators
- relates to "Impossible to run git clone inside buildx with non x86 architecture"
- Fix reference count issues on typed errors with mount references
- fixes errors on releasing mounts with typed execerror refs
- fixes / addresses invalid mutable ref when using shared cache mounts
- dockerfile/docs: fix frontend image tags
- git: set token only for main remote access
- fixes "Loading repositories with submodules is repeated. Failed to clone submodule from googlesource"
- allow skipping empty layer detection on cache export
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tibor Vass <tibor@docker.com>
full diff: https://github.com/opencontainers/selinux/compare/v1.6.0...v1.7.0
- Implement get_default_context_with_level() from libselinux
- Wrap some syscalls (lgetattr, lsetattr, fstatfs, statfs) to retry on EINTR.
- Improve code quality by turning fixing many problems found by linters
- Use bufio.Scanner for parsing labels and policy confilabelg
- Cache the value for SELinux policy directory
- test on ppc64le and go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This dependency was added in 6cdbf07be9d0ad08776df0b65fb1b3e4e617c42a,
but looks like the code was vendored manually, or vendored, then removeed
from vendor.conf.
This commit removes the vendored files, as they are not needed to build
our binaries.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- assert: fixes a bug that would cause a panic if there were any
function calls before `assert.Check` on the same line
- golden: create the directory if it does not exist, when run with
`-test.update-golden`
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.2...v3.0.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 6861f17f15...v0.8.0-rc2
- dockerfile: rename experimental channel to labs
- dockerfile build: fix not exit when meet error in load config metadata
- copy containerd.UnknownExitStatus to local const to reduce dependency graph in client
- executor: switch to docker seccomp profile
- add retry handlers to push/pull
- SSH-based auth for llb.Git operations
- Allow gateway exec-ing into a failed solve with an exec op
- Fix parsing ssh-based git sources
- Fix sshkeyscan to work with ipv6
- fix assumption that ssh port must be 2 digits
- vendor: github.com/Microsoft/go-winio v0.4.15
- vendor: github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
- vendor: containerd v1.4.1-0.20201117152358-0edc412565dc
- vendor: golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 318312a373...0b889c03f1
- v1/stats: add all fields of memory.oom_control
- memory: remove wrong memory.kmem.limit_in_bytes check
- CI: test against Go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: f15a329036...0724c46b32
- Add OpenFifoDup2
- use golang.org/x/sys/unix for dup2 (fixes build on arm64)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/ttrpc/compare/v1.0.1...v1.0.2
- fix bug, failed to assert net error due to error wrap
- fixes: ttrpc client receive "read: connection reset by peer: unknown"
- client: add UserOnCloseWait function
- travis: add go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
c3ed55f3b4...0834f99b7b
- copy: use Clonefileat from golang.org/x/sys/unix on macOS
- go.mod: update opencontainers/go-digest v1.0.0
- Add github action CI
- github: test go1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 75b288015a...c1f2f97bff
relevant changes:
- pkcs12: document that we use the wrong PEM type
- pkcs12: drop PKCS#12 attributes with unknown OIDs
- ocsp: Improve documentation for ParseResponse and ParseResponseForCert
other changes (not in vendor);
- ssh: improve error message for KeyboardInteractiveChallenge
- ssh: remove slow unnecessary diffie-hellman-group-exchange primality check
- ssh/terminal: replace with a golang.org/x/term wrapper
- Deprecates ssh/terminal in favor of golang.org/x/term
- ssh/terminal: add support for zos
- ssh/terminal: bump x/term dependency to fix js/nacl
- nacl/auth: use Size instead of KeySize for Sum output
- sha3: remove go:nocheckptr annotation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 7f0af18e79...bea5bbe245
- Fix windows integer overflow on GOOS=windows, GOARCH=arm
- go.mod: github.com/creack/pty v1.1.11
- v1.1.11: Add arm support for OpenBSD
- v1.1.10: Fix CTTY to work with go1.15
- CI: fix Go version matrix, and drop go 1.12, add go 1.15
- CI: remove "sudo" to fix incorrect Go versions (incorrect PATH, GOROOT)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This switches the hcsshim dependency back to tagged releases, instead of the special
"moby" branch. This makes the dependency align with both BuildKit and containerd,
which use these versions.
The switch to the "moby" branch was done in 2865478487,
to bring in a fix for image import, without having to bring in additional changes;
> We changed to the moby branch for a couple of reasons:
>
> - Allows us to take this important change without needing to also pull in all
> of the other work that has been going on in the repo.
> - moby uses an older set of APIs exposed from hcsshim, based on the HCS v1
> functionality. Going forwards, we have discussed deprecating/removing these
> APIs from the mainline branch in hcsshim, so our thinking was we could keep
> this moby branch around to ensure we don't break compatibility there.
>
> (...) Long term, the best path here is to get moby using containerd as the
> backend on Windows, which should alleviate these issues.
full diff: 9dcb42f100..v0.8.10
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/moby/sys/compare/mountinfo/v0.1.3...mountinfo/v0.4.0
> Note that this dependency uses submodules, providing "github.com/moby/sys/mount"
> and "github.com/moby/sys/mountinfo". Our vendoring tool (vndr) currently doesn't
> support submodules, so we vendor the top-level moby/sys repository (which contains
> both) and pick the most recent tag, which could be either `mountinfo/vXXX` or
> `mount/vXXX`.
github.com/moby/sys/mountinfo v0.4.0
--------------------------------------------------------------------------------
Breaking changes:
- `PidMountInfo` is now deprecated and will be removed before v1.0; users should switch to `GetMountsFromReader`
Fixes and improvements:
- run filter after all fields are parsed
- correct handling errors from bufio.Scan
- documentation formatting fixes
github.com/moby/sys/mountinfo v0.3.1
--------------------------------------------------------------------------------
- mount: use MNT_* flags from golang.org/x/sys/unix on freebsd
- various godoc and CI fixes
- mountinfo: make GetMountinfoFromReader Linux-specific
- Add support for OpenBSD in addition to FreeBSD
- mountinfo: use idiomatic naming for fields
github.com/moby/sys/mountinfo v0.2.0
--------------------------------------------------------------------------------
Bug fixes:
- Fix path unescaping for paths with double quotes
Improvements:
- Mounted: speed up by adding fast paths using openat2 (Linux-only) and stat
- Mounted: relax path requirements (allow relative, non-cleaned paths, symlinks)
- Unescape fstype and source fields
- Documentation improvements
Testing/CI:
- Unit tests: exclude darwin
- CI: run tests under Fedora 32 to test openat2
- TestGetMounts: fix for Ubuntu build system
- Makefile: fix ignoring test failures
- CI: add cross build
github.com/moby/sys/mount v0.1.1
--------------------------------------------------------------------------------
https://github.com/moby/sys/releases/tag/mount%2Fv0.1.1
Improvements:
- RecursiveUnmount: add a fast path (#26)
- Unmount: improve doc
- fix CI linter warning on Windows
Testing/CI:
- Unit tests: exclude darwin
- Makefile: fix ignoring test failures
- CI: add cross build
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
aee5d888a8...eeed37f84f
- all: add GOOS=ios
- unix: add back IoctlCtlInfo on darwin
- windows: add SetConsoleCursorPosition
- unix: update Dockerfile to Linux 5.9 and Go 1.15.2 (adds `CAP_CHECKPOINT_RESTORE`)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/spf13/cobra/compare/v1.0.0...v1.1.1
Notable changes:
- Extend Go completions and revamp zsh comp
- Add completion for help command
- Complete subcommands when TraverseChildren is set
- Fix stderr printing functions
- fix: fish output redirection
- fix manpage building with new go-md2man
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gofrs/flock/compare/v0.7.1...v0.7.3
Relevant changes:
- fix: close/Unlock won't close the file descriptor if not locked
- fix license text, update year
Note that there's also a v0.8.0 release; that release only adds aix support,
which is currently of no interest to us, so skipping that version for now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.6.0...v1.7.0
removes dependency on github.com/konsorten/go-windows-terminal-sequences
Features:
* a new buffer pool management API has been added
* a set of `<LogLevel>Fn()` functions have been added
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This pulls in the migration of go-winio/backuptar from the bundled fork
of archive/tar from Go 1.6 to using Go's current archive/tar unmodified.
This fixes the failure to import an OCI layer (tar stream) containing a
file larger than 8gB.
Fixes: #40444
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
