Commit graph

43836 commits

Author SHA1 Message Date
CrazyMax
1efda78f2b
use go-winres for windows build and cleanup autogen and winresources
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-14 19:52:36 +02:00
CrazyMax
fd2143e0b0
use go-winres for cross to create Windows resources
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-14 19:52:35 +02:00
Sebastiaan van Stijn
61404de7df
Merge pull request #43474 from crazy-max/fix-cross
fix cross compilation for arm platforms
2022-04-14 18:40:44 +02:00
Tianon Gravi
c110770e08
Merge pull request #43485 from thaJeztah/fix_dco_check
Jenkinsfile: add workaround for CVE-2022-24765
2022-04-13 11:38:31 -07:00
Sebastiaan van Stijn
538f5338e0
Merge pull request #43477 from thaJeztah/deprecate_urlutil
pkg/urlutil: deprecate, and move to builder/remotecontext/urlutil
2022-04-13 17:16:15 +02:00
Sebastiaan van Stijn
efe03aa2d8
Jenkinsfile: add workaround for CVE-2022-24765
git published an advisory Yesterday, which (as a counter-measure)
requires the git repository's directory to be owned by the current
user, and otherwise produce an error:

    fatal: unsafe repository ('/workspace' is owned by someone else)
    To add an exception for this directory, call:

        git config --global --add safe.directory /workspace

The DCO check is run within a container, which is running as `root`
(to allow packages to be installed), but because of this, the user
does not match the files that are bind-mounted from the host (as they
are checked out by Jenkins, using a different user).

To work around this issue, this patch configures git to consider the
`/workspace` directory as "safe". We configure it in the `--system`
configuration so that it takes effect for "all users" inside the
container.

More details on the advisory can be found on GitHub's blog:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-13 15:58:55 +02:00
Sebastiaan van Stijn
449250994f
builder/remotecontext/urlutil: simplify and improve documentation
Simplify some of the logic, and add documentation about the package,
as well as warnings that this package should not be used as a general-
purpose utility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-12 19:58:09 +02:00
Sebastiaan van Stijn
5f89a6a78e
pkg/urlutil: deprecate, and move to builder/remotecontext/urlutil
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.

- IsURL() only does a very rudimentary check for http(s):// prefixes, without any
  other validation, but due to its name may give incorrect expectations.
- IsGitURL() is written specifically with docker build remote git contexts in
  mind, and has handling for backward-compatibility, where strings that are
  not URLs, but start with "github.com/" are accepted.

Because of the above, this patch:

- moves the package inside builder/remotecontext, close to where it's intended
  to be used (ideally this would be part of build/remotecontext itself, but this
  package imports many other dependencies, which would introduce those as extra
  dependencies in the CLI).
- deprecates pkg/urlutil, but adds aliases as there are some external consumers.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-12 19:58:05 +02:00
Sebastiaan van Stijn
074bc1c3ab
pkg/urlutil: remove unused IsTransportURL()
This function is no longer used (either internally, or externally), so
can be removed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-12 19:57:32 +02:00
Sebastiaan van Stijn
bca8d9f2ce
Merge pull request #43463 from thaJeztah/httputils_readjson
api/server/httputils: add ReadJSON() utility and fix handling of invalid JSON
2022-04-11 23:23:15 +02:00
Sebastiaan van Stijn
6f8bc7e553
Merge pull request #43476 from thaJeztah/split_urlutil
daemon/logger: remove uses of pkg/urlutil, fix fluentd validation and parsing
2022-04-11 21:51:25 +02:00
Sebastiaan van Stijn
b6d58d749c
runconfig: ContainerDecoder(): fix handling of invalid JSON
Implement similar logic as is used in httputils.ReadJSON(). Before
this patch, endpoints using the ContainerDecoder would incorrectly
return a 500 (internal server error) status.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 21:44:45 +02:00
Sebastiaan van Stijn
ff5f70e55f
api/server/httputils: move WriteJSON() together with ReadJSON()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 21:37:57 +02:00
Sebastiaan van Stijn
0c9ff0b45a
api/server/httputils: add ReadJSON() utility
Implement a ReadJSON() utility to help reduce some code-duplication,
and to make sure we handle JSON requests consistently (e.g. always
check for the content-type).

Differences compared to current handling:

- prevent possible panic if request.Body is nil ("should never happen")
- always require Content-Type to be "application/json"
- be stricter about additional content after JSON (previously ignored)
- but, allow the body to be empty (an empty body is not invalid);
  update TestContainerInvalidJSON accordingly, which was testing the
  wrong expectation.
- close body after reading (some code did this)

We should consider to add a "max body size" on this function, similar to
7b9275c0da/api/server/middleware/debug.go (L27-L40)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 21:37:51 +02:00
Sebastiaan van Stijn
ef490cae45
api/server/httputils: matchesContentType(): return error instead of logging
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 21:37:00 +02:00
Sebastiaan van Stijn
3e47a7505e
daemon/logger/fluentd: remove udp, tcp+tls, unixgram, add tls scheme
unix and unixgram were added in cb176c848e, but at
the time, the driver only supported "tcp" and "unix":
cb176c848e/vendor/src/github.com/fluent/fluent-logger-golang/fluent/fluent.go (L243-L261)

support for tls was added in github.com/fluent/fluent-logger-golang v1.8.0, which
was vendored in e24d61b7ef.

the list of currently supported schemes by the driver is: tcp, tls and unix:
5179299b98/vendor/github.com/fluent/fluent-logger-golang/fluent/fluent.go (L435-L463)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 18:02:13 +02:00
Sebastiaan van Stijn
12424cfa6f
daemon/logger/fluentd: fix missing host, remove urlutil.IsTransportURL()
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.

This patch:

- fix some cases where the host was ignored for valid addresses.
- removes a redundant use of urlutil.IsTransportURL(); instead adding code to
  check if the given scheme (protocol) is supported.
- improve port validation for out of range ports.
- fix some missing validation: the driver was silently ignoring path elements,
  but expected a host (not an URL)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 18:02:05 +02:00
Sebastiaan van Stijn
0f40aefccd
daemon/logger/fluentd: validate path element
fix some missing validation: the driver was silently ignoring path elements
in some cases, and expecting a host (not an URL), and for unix sockets did
not validate if a path was specified.

For the latter case, we should have a fix in the upstream driver, as it
uses an empty path as default path for the socket (`defaultSocketPath`),
and performs no validation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:58:51 +02:00
Sebastiaan van Stijn
b161616202
daemon/logger/fluentd: make error-handling less DRY
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:55:48 +02:00
Sebastiaan van Stijn
0dd2b4d577
daemon/logger/fluentd: rename var that collided with import
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:55:46 +02:00
Sebastiaan van Stijn
40182954fa
daemon/logger/fluentd: add coverage for ValidateLogOpt(), parseAddress()
This exposed a bug where host is ignored on some valid cases (to be fixed).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:55:31 +02:00
Sebastiaan van Stijn
c2ca3e1118
daemon/logger/syslog: remove uses of pkg/urlutil.IsTransportURL()
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.

This patch:

- removes a redundant use of urlutil.IsTransportURL(); instead adding some code
  to check if the given scheme (protocol) is supported.
- define a `defaultPort` const for the default port.
- use `net.JoinHostPort()` instead of string concatenating, to account for possible
  issues with IPv6 addresses.
- renames a variable that collided with an imported package.
- improves test coverage, and moves an integration test.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:48:40 +02:00
Sebastiaan van Stijn
87206a10b9
daemon/logger/splunk: remove uses of pkg/urlutil.IsURL()
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.

This patch removes the use of urlutil.IsURL(), in favor of just checking if the
provided scheme (protocol) is supported.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:42:50 +02:00
Sebastiaan van Stijn
2e831c76c2
daemon/logger/gelf: remove uses of pkg/urlutil.IsTransportURL()
pkg/urlutil (despite its poorly chosen name) is not really intended as a generic
utility to handle URLs, and should only be used by the builder to handle (remote)
build contexts.

This patch:

- removes a redundant use of urlutil.IsTransportURL(); code further below already
  checked if the given scheme (protocol) was supported.
- renames some variables that collided with imported packages.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-11 17:42:41 +02:00
CrazyMax
170049225c
ci: add cross job in ci workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:03:54 +02:00
CrazyMax
12558c8d6e
fix cross compilation for arm platforms
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:03:31 +02:00
CrazyMax
d730d550e2
ci: set shorter retention period for artifacts
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:01:24 +02:00
CrazyMax
c2dfb60e31
ci: update upload-artifact and download-artifact actions to v3
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:01:24 +02:00
Sebastiaan van Stijn
c6872980bb
Merge pull request #43475 from crazy-max/win-arm64
missing windows arm64 arch detection
2022-04-10 20:46:26 +02:00
CrazyMax
5d9e99ead3
missing windows arm64 arch detection
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-09 16:10:42 +02:00
Samuel Karp
5179299b98
Merge pull request #43457 from thaJeztah/daemon_fix_hosts_validation_step1 2022-04-09 00:55:40 -07:00
Sebastiaan van Stijn
eda65622e8
Merge pull request #43473 from samuelkarp/samuelkarp-maintainer-metadata
maintainers: update metadata for samuelkarp
2022-04-08 23:47:52 +02:00
Samuel Karp
eb4c6d8316
maintainers: update metadata for samuelkarp
Signed-off-by: Samuel Karp <skarp@amazon.com>
2022-04-08 14:27:34 -07:00
Sebastiaan van Stijn
7ea283fd91
Merge pull request #43458 from thaJeztah/fix_daemon_config_test
daemon/config: fix TestReloadDefaultConfigNotExist if file exists
2022-04-08 12:34:30 +02:00
Sebastiaan van Stijn
62ea92ba14
Merge pull request #43472 from thaJeztah/no_more_no_d_type
remove deprecated support for overlay(2) on backing FS without d_type (fstype=1)
2022-04-08 09:22:57 +02:00
Sebastiaan van Stijn
63a9e3cc93
Merge pull request #43448 from thaJeztah/daemon_config_group_proxies
daemon/config: move proxy settings to "proxies" struct within daemon.json
2022-04-07 22:00:20 +02:00
Brian Goff
67ee9839fe
Merge pull request #43438 from thaJeztah/no_default_limit
client: container ps: don't set "limit" if none was set
2022-04-07 11:57:20 -07:00
Sebastiaan van Stijn
101dafd049
daemon/config: move proxy settings to "proxies" struct within daemon.json
This is a follow-up to 427c7cc5f8, which added
proxy-configuration options ("http-proxy", "https-proxy", "no-proxy") to the
dockerd cli and in `daemon.json`.

While working on documentation changes for this feature, I realised that those
options won't be "next" to each-other when formatting the daemon.json JSON, for
example using `jq` (which sorts the fields alphabetically). As it's possible that
additional proxy configuration options are added in future, I considered that
grouping these options in a struct within the JSON may help setting these options,
as well as discovering related options.

This patch introduces a "proxies" field in the JSON, which includes the
"http-proxy", "https-proxy", "no-proxy" options.

Conflict detection continues to work as before; with this patch applied:

    mkdir -p /etc/docker/
    echo '{"proxies":{"http-proxy":"http-config", "https-proxy":"https-config", "no-proxy": "no-proxy-config"}}' > /etc/docker/daemon.json

    dockerd --http-proxy=http-flag --https-proxy=https-flag --no-proxy=no-proxy-flag --validate

    unable to configure the Docker daemon with file /etc/docker/daemon.json:
    the following directives are specified both as a flag and in the configuration file:
    http-proxy: (from flag: http-flag, from file: http-config),
    https-proxy: (from flag: https-flag, from file: https-config),
    no-proxy: (from flag: no-proxy-flag, from file: no-proxy-config)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 19:43:02 +02:00
Sebastiaan van Stijn
2bc07370ec
daemon/graphdriver: remove unused graphdriver.IsInitialized()
It's no longer used, and has no external consumers.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 16:21:31 +02:00
Sebastiaan van Stijn
d570bc4922
remove deprecated support for overlay(2) on backing FS without d_type (fstype=1)
Support for overlay on a backing filesystem without d_type was deprecated in
0abb8dec3f (Docker 17.12), with an exception
for existing installations (0a4e793a3d).

That deprecation was nearly 5 years ago, and running without d_type is known to
cause serious issues (so users will likely already have run into other problems).

This patch removes support for running overlay and overlay2 on these filesystems,
returning the error instead of logging it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 16:15:26 +02:00
Sebastiaan van Stijn
a461373146
Merge pull request #43453 from thaJeztah/bump_buildx_0.8.2
Makefile: update buildx to v0.8.2
2022-04-07 10:45:57 +02:00
Sebastiaan van Stijn
39e52b0b6d
Merge pull request #43467 from thaJeztah/jenkinsfile_enable_all_s390_and_power
Jenkinsfile: allow all ppc64le / s390x stages through checkbox
2022-04-06 22:13:27 +02:00
Sebastiaan van Stijn
87948c7892
Jenkinsfile: allow all ppc64le / s390x stages through checkbox
Previously, the ppc64ls and s390x stages only ran on non-PR commits,
but the unit-tests and integration/xx tests could be enabled with
a checkbox.

This patch changes the Jenkinsfile to also allow the integration-cli
tests to be run on pull requests if the checkbox is enabled.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-06 15:40:47 +02:00
Akihiro Suda
7691d17a37
Merge pull request #43455 from thaJeztah/daemon_add_experimental_note
cmd/dockerd: update --ip6tables description to include "experimental"
2022-04-05 12:13:20 +09:00
Akihiro Suda
f1b52b5c1a
Merge pull request #43462 from thaJeztah/carry_43155_update_authors
Updated AUTHORS and .mailmap files
2022-04-05 12:12:42 +09:00
Gabriel Goller
2ff043c9fe
Updated AUTHORS and .mailmap files
Updated the list of AUTHORS using the generate-authors.sh script.

Also updating the .mailmap file to prevent some duplicates, and
to include some updates from containerd, which had a more up-to-date
list of author's preferred e-mail addresses.

Signed-off-by: Gabriel Goller <gabrielgoller123@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 20:33:51 +02:00
Sebastiaan van Stijn
a35b4ac54a
daemon/config: Validate(): validate hosts
The config.Validate() function did not validate hosts that were configured in
the daemon.json configuration file, resulting in `--validate` to pass, but the
daemon failing to start.

before this patch:

    echo '{"hosts":["127.0.0.1:2375/path"]}' > /etc/docker/daemon.json

    dockerd --validate
    configuration OK

    dockerd
    INFO[2022-04-03T11:42:22.162366200Z] Starting up
    failed to load listeners: error parsing -H 127.0.0.1:2375/path: invalid bind address (127.0.0.1:2375/path): should not contain a path element

with this patch:

    echo '{"hosts":["127.0.0.1:2375/path"]}' > /etc/docker/daemon.json

    dockerd --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: configuration validation from file failed: invalid bind address (127.0.0.1:2375/path): should not contain a path element

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 15:18:01 +02:00
Sebastiaan van Stijn
5cfcd88d57
daemon/config: fix TestReloadDefaultConfigNotExist if file exists
The TestReloadDefaultConfigNotExist() test assumed it was running in a clean
environment, in which the `/etc/docker/daemon.json` file doesn't exist, and
would fail if that was not the case.

This patch updates the test to override the default location to a a non-existing
path, to allow running the test in an environment where `/etc/docker/daemon.json`
is present.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 15:07:05 +02:00
Sebastiaan van Stijn
ecbfe73193
opts: ParseTCPAddr(): fix validation of hosts to not ignore path elements
There was a discrepancy between what `ParseTCPAddr()` accepted, and what the
daemon was able to use, resulting in the daemon to start, but fail to create
listeners for the specified host.

Before this patch:

    dockerd -H tcp://127.0.0.1:2375/
    INFO[2022-04-03T10:18:06.417502600Z] Starting up
    ...
    failed to load listeners: listen tcp: address tcp/2375/: unknown port

    dockerd -H 127.0.0.1:2375/path
    INFO[2022-04-03T10:18:06.417502600Z] Starting up
    ...
    failed to load listeners: listen tcp: address tcp/5555/path: unknown port

After this patch:

    dockerd -H tcp://127.0.0.1:2375/
    Status: invalid argument "tcp://127.0.0.1:2375/" for "-H, --host" flag: invalid bind address (127.0.0.1:2375/): should not contain a path element
    See 'dockerd --help'., Code: 125

    dockerd -H 127.0.0.1:2375/path
    Status: invalid argument "127.0.0.1:2375/path" for "-H, --host" flag: invalid bind address (127.0.0.1:2375/path): should not contain a path element
    See 'dockerd --help'., Code: 125

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 12:50:45 +02:00
Sebastiaan van Stijn
846af8e413
cmd/dockerd: update --ip6tables description to include "experimental"
This feature requires experimental mode to be enabled, so mentioning that
in the flag description.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 11:54:01 +02:00