Commit graph

39801 commits

Author SHA1 Message Date
Sebastiaan van Stijn
17451d2fdc
Merge pull request #44593 from thaJeztah/20.10_update_go_1.18.9
[20.10] update to go1.18.9
2022-12-07 13:23:00 +01:00
Sebastiaan van Stijn
f8b0d77bfe
[20.10] update to go1.18.9
Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720),
and os (CVE-2022-41720).

These minor releases include 2 security fixes following the security policy:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.
  Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \(the root of the
  current drive) can permit a maliciously crafted path to escape from the
  drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the
  path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting
  HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by
  the client. While the total number of entries in this cache is capped,
  an attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users
  manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.9

And the milestone on the issue tracker:
https://github.com/golang/go/issues?q=milestone%3AGo1.18.9+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.18.8...go1.18.9

The golang.org/x/net fix is in 1e63c2f08a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 22:59:44 +01:00
Sebastiaan van Stijn
cfb3ebe96e
Merge pull request #44564 from thaJeztah/20.10_backport_seccomp_block_af_vsock
[20.10 backport] seccomp: block socket calls to AF_VSOCK in default profile
2022-12-05 13:31:18 +01:00
Sebastiaan van Stijn
a01576ec4a
seccomp: block socket calls to AF_VSOCK in default profile
This syncs the seccomp-profile with the latest changes in containerd's
profile, applying the same changes as 17a9324035

Some background from the associated ticket:

> We want to use vsock for guest-host communication on KubeVirt
> (https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.
>
> However since anyone can just connect from any pod to any VM with the
> default seccomp settings, we cannot limit connection attempts to our
> privileged node-agent.
>
> ### Describe the solution you'd like
> We want to deny the `socket` syscall for the `AF_VSOCK` family by default.
>
> I see in [1] and [2] that AF_VSOCK was actually already blocked for some
> time, but that got reverted since some architectures support the `socketcall`
> syscall which can't be restricted properly. However we are mostly interested
> in `arm64` and `amd64` where limiting `socket` would probably be enough.
>
> ### Additional context
> I know that in theory we could use our own seccomp profiles, but we would want
> to provide security for as many users as possible which use KubeVirt, and there
> it would be very helpful if this protection could be added by being part of the
> DefaultRuntime profile to easily ensure that it is active for all pods [3].
>
> Impact on existing workloads: It is unlikely that this will disturb any existing
> workload, becuase VSOCK is almost exclusively used for host-guest commmunication.
> However if someone would still use it: Privileged pods would still be able to
> use `socket` for `AF_VSOCK`, custom seccomp policies could be applied too.
> Further it was already blocked for quite some time and the blockade got lifted
> due to reasons not related to AF_VSOCK.
>
> The PR in KubeVirt which adds VSOCK support for additional context: [4]
>
> [1]: https://github.com/moby/moby/pull/29076#commitcomment-21831387
> [2]: dcf2632945
> [3]: https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
> [4]: https://github.com/kubevirt/kubevirt/pull/8546

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 57b229012a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-01 14:32:05 +01:00
Sebastiaan van Stijn
6dfa15b24b
Merge pull request #44472 from thaJeztah/20.10_backport_containerd_v1.6.10
[20.10 backport] update containerd binary to v1.6.10
2022-11-17 10:46:40 +01:00
Jintao Zhang
7ebfee940f
update containerd binary to v1.6.10
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit a5979a2106)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 14:04:59 +01:00
Samuel Karp
4ed81ac0e2
Merge pull request #44412 from thaJeztah/20.10_bump_go_1.18.8
fixes https://github.com/golang/go/issues/56309
2022-11-08 19:13:48 -08:00
Sebastiaan van Stijn
5ea9cf68ae
Merge pull request #44413 from thaJeztah/20.10_backport_oci_artifacts_error
[20.10 backport] distribution: Error when pulling OCI artifacts
2022-11-07 14:27:34 +01:00
Paweł Gronowski
f292bf0f4f
distribution: Error when pulling OCI artifacts
Currently an attempt to pull a reference which resolves to an OCI
artifact (Helm chart for example), results in a bit unrelated error
message `invalid rootfs in image configuration`.

This provides a more meaningful error in case a user attempts to
download a media type which isn't image related.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 407e3a4552)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-05 18:20:18 +01:00
Sebastiaan van Stijn
0211f9e44d
[20.10] update to Go 1.18.8 to address CVE-2022-41716
On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes https://github.com/golang/go/issues/56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-05 17:55:06 +01:00
Sebastiaan van Stijn
3056208812
Merge pull request #44358 from thaJeztah/20.10_backport_busybox_w32_img
[20.10 backport] integration: download busybox-w32 from GitHub Release
2022-10-25 07:44:15 -04:00
CrazyMax
f99cb8297b
integration: download busybox-w32 from GitHub Release
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 4f1d1422de)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-24 17:06:12 -04:00
Sebastiaan van Stijn
24aa4c9c43
Merge pull request #44353 from thaJeztah/20.10_backport_update_containerd_binary
[20.10 backport] update containerd binary to v1.6.9
2022-10-24 15:50:29 -04:00
Sebastiaan van Stijn
3f9dc25f5c
update containerd binary to v1.6.9
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.9

full diff: containerd/containerd@v1.6.8...v1.6.9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ac79a02ace)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-24 13:58:16 -04:00
Tianon Gravi
753cd92a31
Merge pull request #44326 from thaJeztah/20.10_bump_term_ansiterm
[20.10 backport] vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compatibility
2022-10-22 00:28:04 +00:00
Sebastiaan van Stijn
82f583c8af
Merge pull request #44339 from crazy-max/20.10_update_buildkit
[20.10] vendor: github.com/moby/buildkit eeb7b65ab7d651770a5ec52a06ea7c96eb97a249 (v0.8 branch)
2022-10-22 00:16:12 +02:00
Sebastiaan van Stijn
87ccd38cea
vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compatibility
- winterm: GetStdFile(): Added compatibility with "golang.org/x/sys/windows"
- winterm: fix GetStdFile() falltrough
- update deprecation message to refer to the correct replacement
- add go.mod
- Fix int overflow
- Convert int to string using rune()

full diff:

- bea5bbe245...3f7ff695ad
- d6e3b3328b...d185dfc1b5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit af1e74555a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 19:43:02 +02:00
CrazyMax
e83e465ae2
[20.10] vendor: github.com/moby/buildkit eeb7b65ab7d651770a5ec52a06ea7c96eb97a249 (v0.8 branch)
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 17:39:46 +02:00
Sebastiaan van Stijn
e3fef9aea9
Merge pull request #44340 from thaJeztah/20.10_backport_skip_tests
[20.10 backport] skip TestImagePullStoredfDigestForOtherRepo() on Windows and rootless
2022-10-21 11:30:04 +02:00
Sebastiaan van Stijn
9c84417c1b
skip TestImagePullStoredfDigestForOtherRepo() on Windows and rootless
- On Windows, we don't build and run a local  test registry (we're not running
  docker-in-docker), so we need to skip this test.
- On rootless, networking doesn't support this (currently)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4f43cb660a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 01:52:32 +02:00
Sebastiaan van Stijn
93c2c3bc60
Merge pull request #44332 from corhere/backport-20.10/fix-git-windows-environ
[20.10] builder: fix running git commands on Windows
2022-10-20 21:16:42 +02:00
Cory Snider
5b5b5c6f13 builder: add missing doc comment
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-20 14:03:36 -04:00
Cory Snider
05e25f7892 builder: fix running git commands on Windows
Setting cmd.Env overrides the default of passing through the parent
process' environment, which works out fine most of the time, except when
it doesn't. For whatever reason, leaving out all the environment causes
git-for-windows sh.exe subprocesses to enter an infinite loop of
access violations during Cygwin initialization in certain environments
(specifically, our very own dev container image).

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-20 13:41:42 -04:00
Sebastiaan van Stijn
2b7f97a974
Merge pull request #44313 from tianon/20.10-distributable
[20.10 backport] registry: allow "allow-nondistributable-artifacts" for Docker Hub
2022-10-19 23:27:58 +02:00
Sebastiaan van Stijn
03df974ae9
Merge pull request #6 from moby/ghsa-ambiguous-pull-by-digest
[20.10] Validate digest in repo for pull by digest
2022-10-18 19:26:23 +02:00
Sebastiaan van Stijn
3adff51f85
Merge pull request #9 from moby/update_buildkit
[20.10] vendor moby/buildkit v0.8.3-31-gc0149372
2022-10-18 19:17:40 +02:00
Sebastiaan van Stijn
d7c33ad827
Merge pull request #8 from moby/20.10_fix_git_file_leak
[20.10 backport] builder: Isolate Git from local system
2022-10-18 19:08:22 +02:00
Sebastiaan van Stijn
2f3bf18014
[20.10] vendor moby/buildkit v0.8.3-31-gc0149372
full diff: 3a1eeca59a...c014937225

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-18 10:12:37 +02:00
Sebastiaan van Stijn
6699afa549 registry: allow "allow-nondistributable-artifacts" for Docker Hub
Previously, Docker Hub was excluded when configuring "allow-nondistributable-artifacts".
With the updated policy announced by Microsoft, we can remove this restriction;
https://techcommunity.microsoft.com/t5/containers/announcing-windows-container-base-image-redistribution-rights/ba-p/3645201

There are plans to deprecated support for foreign layers altogether in the OCI,
and we should consider to make this option the default, but as that requires
deprecating the option (and possibly keeping an "opt-out" option), we can look
at that separately.

(cherry picked from commit 30e5333ce3)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2022-10-17 15:12:13 -07:00
Brian Goff
4b9902bad4
Validate digest in repo for pull by digest
This is accomplished by storing the distribution source in the content
labels. If the distribution source is not found then we check to the
registry to see if the digest exists in the repo, if it does exist then
the puller will use it.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 17:47:46 +02:00
Cory Snider
c0d1188c14 builder: make git config isolation opt-in
While it is undesirable for the system or user git config to be used
when the daemon clones a Git repo, it could break workflows if it was
unconditionally applied to docker/cli as well.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:23 -04:00
Cory Snider
9f5f3abcee builder: isolate git from local system
Prevent git commands we run from reading the user or system
configuration, or cloning submodules from the local filesystem.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:20 -04:00
Cory Snider
10db4c2db7 builder: explicitly set CWD for all git commands
Keep It Simple! Set the working directory for git commands by...setting
the git process's working directory. Git commands can be run in the
parent process's working directory by passing the empty string.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:20 -04:00
Cory Snider
8816c3c2aa builder: modernize TestCheckoutGit
Make the test more debuggable by logging all git command output and
running each table-driven test case as a subtest.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:20 -04:00
Sebastiaan van Stijn
c964641a0d
Merge pull request #44122 from thaJeztah/20.10_bump_buildkit
[20.10] vendor: github.com/moby/buildkit 3a1eeca59a9263613d996ead67d53a4b7d45723d (v0.8 branch)
2022-10-06 20:53:28 +02:00
Brian Goff
3bb99735b6
Merge pull request #44127 from thaJeztah/20.10_backport_image_spec_no_literal
[20.10] Update uses of Image platform fields in OCI image-spec
2022-10-06 11:18:55 -07:00
Sebastiaan van Stijn
435c40ce15
Merge pull request #44247 from thaJeztah/20.10_bump_go_1.18.7
[20.10] Update to go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
2022-10-06 20:13:47 +02:00
Sebastiaan van Stijn
11bdbf40b9
[20.10] Update to go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
From the mailing list:

We have just released Go versions 1.19.2 and 1.18.7, minor point releases.

These minor releases include 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers.
  A maliciously crafted archive could cause Read to allocate unbounded
  amounts of memory, potentially causing resource exhaustion or panics.
  Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the
  inbound request, including unparseable parameters rejected by net/http. This
  could permit query parameter smuggling when a Go proxy forwards a parameter
  with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query
  when the outbound request's Form field is set after the ReverseProxy.Director
  function returns, indicating that the proxy has parsed the query parameters.
  Proxies which do not parse query parameters continue to forward the original
  query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and
  Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input,
  but in some cases the constant factor can be as high as 40,000,
  making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint.
  Regular expressions whose representation would use more space than that
  are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

View the release notes for more information: https://go.dev/doc/devel/release#go1.18.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-04 22:20:50 +02:00
Sebastiaan van Stijn
35eaf7ecc4
Merge pull request #44238 from cpuguy83/20.10_fix_restore_volumerefs
[20.10] Fix live-restore w/ restart policies + volume refs
2022-10-03 23:32:53 +02:00
Brian Goff
66ddb7f91c Fix live-restore w/ restart policies + volume refs
Before this change restarting the daemon in live-restore with running
containers + a restart policy meant that volume refs were not restored.
This specifically happens when the container is still running *and*
there is a restart policy that would make sure the container was running
again on restart.

The bug allows volumes to be removed even though containers are
referencing them. 😱

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 4c0e0979b4)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2022-10-03 18:41:34 +00:00
Sebastiaan van Stijn
f219cb5ded
Merge pull request #44218 from thaJeztah/20.10_backport_more_robust_rootless
[20.10 backport] docker-rootless-setuptools.sh fixes
2022-09-29 22:09:04 +02:00
Sebastiaan van Stijn
c003392582
contrib: make dockerd-rootless-setuptool.sh more robust
The `docker` CLI currently doesn't handle situations where the current context
(as defined in `~/.docker/config.json`) is invalid or doesn't exist. As loading
(and checking) the context happens during initialization of the CLI, this
prevents `docker context` commands from being used, which makes it complicated
to fix the situation. For example, running `docker context use <correct context>`
would fail, which makes it not possible to update the `~/.docker/config.json`,
unless doing so manually.

For example, given the following `~/.docker/config.json`:

```json
{
        "currentContext": "nosuchcontext"
}
```

All of the commands below fail:

```bash
docker context inspect rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context rm --force rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context use default
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json
```

While these things should be fixed, this patch updates the script to switch
the context using the `--context` flag; this flag is taken into account when
initializing the CLI, so that having an invalid context configured won't
block `docker context` commands from being executed. Given that all `context`
commands are local operations, "any" context can be used (it doesn't need to
make a connection with the daemon).

With this patch, those commands can now be run (and won't fail for the wrong
reason);

```bash
 docker --context=default context inspect -f "{{.Name}}" rootless
rootless

docker --context=default context inspect -f "{{.Name}}" rootless-doesnt-exist
context "rootless-doesnt-exist" does not exist
```

One other issue may also cause things to fail during uninstall; trying to remove
a context that doesn't exist will fail (even with the `-f` / `--force` option
set);

```bash
docker --context=default context rm blablabla
Error: context "blablabla": not found
```

While this is "ok" in most circumstances, it also means that (potentially) the
current context is not reset to "default", so this patch adds an explicit
`docker context use`, as well as unsetting the `DOCKER_HOST` and `DOCKER_CONTEXT`
environment variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e2114731e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 10:05:56 +02:00
Mathieu PATUREL
53313be0f3
docker-rootless-setuptools.sh: use context after install
Signed-off-by: Mathieu PATUREL <mathieu.paturel@gmail.com>
(cherry picked from commit 7c17ad8735)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 10:05:51 +02:00
Sebastiaan van Stijn
4163c55082
Merge pull request #44202 from crazy-max/20.10_backport_api-fix-logo
[20.10 backport] swagger: update links to logo
2022-09-27 17:54:20 +02:00
CrazyMax
9c486bd267
swagger: update links to logo
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 7f3602f1c9)
2022-09-27 11:57:16 +02:00
Sebastiaan van Stijn
956161115f
Merge pull request #44167 from thaJeztah/20.10_backport_update_containerd_console
[20.10 backport] vendor: github.com/containerd/console v1.0.2
2022-09-22 20:16:05 +02:00
Sebastiaan van Stijn
668ab11a67
Merge pull request #44145 from neersighted/bump_memberlist_20.10
[20.10] vendor: github.com/hashicorp/memberlist v0.4.0
2022-09-21 17:51:18 +02:00
Sebastiaan van Stijn
fa17fab895
vendor: github.com/containerd/console v1.0.2
Contains fix for s390x and support for FreeBSD

full diff: https://github.com/containerd/console/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 948e201c1c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-21 16:41:46 +02:00
Bjorn Neergaard
481bee51b5 vendor: github.com/armon/go-metrics v0.4.1
from github.com/hashicorp/memberlist v0.4.0 go.mod

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-09-21 08:12:24 -06:00
Bjorn Neergaard
39ba2873e8 vendor: github.com/google/btree v1.1.2
from github.com/hashicorp/memberlist v0.4.0 go.mod

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-09-21 08:12:24 -06:00