Commit graph

2511 commits

Author SHA1 Message Date
Sebastiaan van Stijn
8f1ab4e612
Fix bug in gotestsum installer causing dependencies to not be downloaded
Building gotestsum started to fail after the repository removed some
dependencies on master.

What happens is that first, we `go get` the package (with go modules disabled);

    GO111MODULE=off go get -d gotest.tools/gotestsum

Which gets the latest version from master, and fetches the dependencies used
on master. Then we checkout the version we want to install (for example `v0.3.5`)
and run go build.

However, `v0.3.5` depends on logrus, and given that we ran `go get` for `master`,
that dependency was not fetched, and build fails.

This patch modifies the installer to use go modules (alternatively we could
probably run `go get .` after checking out the `v0.3.5` version),

We need to modify all installers, as it looks like this is a standard pattern
we use, but other dependencies were not failing (yet), so this patch only
addresses the immediate failure.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1d9da1b233)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-05-17 22:52:54 +02:00
Akihiro Suda
706008a1da bump up rootlesskit to v0.9.5
Supports numeric ID in /etc/subuid and /etc/subgid .
Fix #40926

Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.9.4...v0.9.5

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 17bb5f4b15)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-05-11 23:53:21 +09:00
Akihiro Suda
946d0ff67e bump up rootlesskit to v0.9.4
Now `rootlesskit-docker-proxy` returns detailed error message on
exposing privileged ports: https://github.com/rootless-containers/rootlesskit/pull/136

Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.7.1...v0.9.4

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit f6ac841633)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-04-28 05:18:11 +09:00
Sebastiaan van Stijn
9d8eccec8e
Fix TEST_FILTER to work for both "integration" and "integration-cli"
The TEST_FILTER variable allows running a single integration or integration-cli
test. However, it failed to work properly for integration-cli tests.

Before:
-----------

    # Filtering "integration" tests works:
    make TEST_FILTER=TestInspectCpusetInConfigPre120 test-integration
    ...
    DONE 1 tests in 18.331s

    # But running a single test in "integration-cli" did not:

    make TEST_FILTER=TestSwarmNetworkCreateIssue27866 test-integration
    ...
    DONE 0 tests in 17.314s

Trying to manually add the `/` prefix, didn't work either, because that made the
"grep" fail to find which test-suites to run/skip:

    make TEST_FILTER=/TestSwarmNetworkCreateIssue27866 test-integration
    ---> Making bundle: test-integration (in bundles/test-integration)
    make: *** [test-integration] Error 1

After:
-----------

    make TEST_FILTER=TestInspectCpusetInConfigPre120 test-integration
    ...
    DONE 1 tests in 18.331s

    make TEST_FILTER=TestSwarmNetworkCreateIssue27866 test-integration
    ...
    DONE 12 tests in 26.527s

Note that the `12` tests is still a bit misleading, because every _suite_ is
started (which is counted as a test), but no tests are run. This is still
something that could be improved on.

This patch also makes a small modification to the code that's setting
`integration_api_dirs`, and no longer runs `go list` if not needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e7805653b8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-04-09 13:46:15 +02:00
Sam Whited
021258661b Update libnetwork and DNS library
This makes sure that we don't become vulnerable to CVE-2018-17419 or
CVE-2019-19794 in the future. While we are not currently vulnerable to
either, there is a risk that a PR could be made which uses one of the
vulnerable methods in the future, so it's worth going ahead and updating
to ensure that a simple PR that would easily pass code review doesn't
lead to a vulnerability.

Signed-off-by: Sam Whited <sam@samwhited.com>
2020-03-27 09:53:11 -04:00
Sebastiaan van Stijn
57d5105759
bump windows-container-utility aa1ba87e99b68e0113bd27ec26c60b88f9d4ccd9
full diff: e004a1415a...aa1ba87e99

changes:

- Use standard include paths instead of hard-coding

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5125f8b304)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 18:49:21 +01:00
Sebastiaan van Stijn
a070874828
hack/make: ignore failure to stop apparmor
```
 ---> Making bundle: .integration-daemon-stop (in bundles/test-integration)
 ++++ cat bundles/test-integration/docker.pid
 +++ kill 13137
 +++ /etc/init.d/apparmor stop
 Leaving: AppArmorNo profiles have been unloaded.

 Unloading profiles will leave already running processes permanently
 unconfined, which can lead to unexpected situations.

 To set a process to complain mode, use the command line tool
 'aa-complain'. To really tear down all profiles, run 'aa-teardown'."

script returned exit code 255
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5dbfae6949)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 18:49:15 +01:00
Sebastiaan van Stijn
c6511ee4db
bump vndr v0.1.1
full diff: https:/github.com/LK4D4/vndr/compare/v0.1.0...v0.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 486161a63a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 18:49:01 +01:00
Sebastiaan van Stijn
0fa8a0c575
bump vndr v0.1.0 to support versioned import paths
With this change, go packages/modules that use versioned
import paths (github.com/foo/bar/v2), but don't use a directory
in the repository, can now be supported.

For example:

```
github.com/coreos/go-systemd/v22 v22.0.0
```

will vendor the github.com/coreos/go-systemd repository
into `vendor/github.com/coreos/go-systemd/v22`.

full diff: f5ab8fc5fb...v0.1.0

- LK4D4/vndr#83 migrate bitbucket to api 2.0
    - fixes LK4D4/vndr#82 https://api.bitbucket.org/1.0/repositories/ww/goautoneg: 410 Gone
- LK4D4/vndr#86 Replace sort.Sort with sort.Strings
- LK4D4/vndr#87 support `github.com/coreos/go-systemd/v22`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d4f05c168d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 18:48:59 +01:00
Justen Martin
f3009e2f51
Use build args to override binary commits in dockerfile
Signed-off-by: Justen Martin <jmart@the-coder.com>
(cherry picked from commit 095ca77f48)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 18:48:57 +01:00
Sebastiaan van Stijn
92ca652fc9
Revert "dockerfile: update vndr to 85886e1a"
This reverts commit 0d4f412ecd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-03-12 18:48:50 +01:00
Tonis Tiigi
aa6a9891b0 vendor: add local copy of archive/tar
This version avoids doing name lookups on creating tarball that
should be avoided in to not hit loading glibc shared libraries.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-03-09 21:45:05 +00:00
Tonis Tiigi
0d4f412ecd dockerfile: update vndr to 85886e1a
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-03-09 21:45:05 +00:00
Sebastiaan van Stijn
c6afabf3b3
update containerd runtime v1.2.13
The thirteenth patch release for `containerd` 1.2 fixes a regression introduced
in v1.2.12 that caused container/shim to hang on single core machines, fixes an
issue with blkio, and updates the Golang runtime to 1.12.17.

* Fix container pid race condition
* Update containerd/cgroups dependency to address blkio issue
* Set octet-stream content-type on PUT request
* Pin to libseccomp 2.3.3 to preserve compatibility with hosts that do not have libseccomp 2.4 or higher installed
* Update Golang runtime to 1.12.17, which includes a fix to the runtime

full diff: https://github.com/containerd/containerd/compare/v1.2.12...v1.2.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-18 21:33:19 +01:00
Akihiro Suda
3bd1759f80
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): https://github.com/opencontainers/runc/pull/2207
* Fix exec FIFO race: https://github.com/opencontainers/runc/pull/2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also https://github.com/opencontainers/runc/issues/2209 for the known issues.

Full changes: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cd43c1d1ac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 18:41:00 +01:00
Sebastiaan van Stijn
f8cfa7947c
[19.03] Update containerd binary to v1.2.12
full diff: https://github.com/containerd/containerd/compare/v1.2.11...v1.2.12

Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification
  bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14,
  Go 1.12.15) and and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
    - Prevent docker exec hanging if an earlier docker exec left a zombie process
    - Prevent High system load/CPU utilization with liveness and readiness probes
    - Prevent Docker healthcheck causing high CPU utilization

CRI fixes:

- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

- Fix API filters to properly handle and return parse errors containerd/containerd#3950

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 18:40:40 +01:00
Sebastiaan van Stijn
78571e9049
Merge pull request #439 from arkodg/19.03
[19.03] Bump 19.03 libnetwork refpoint
2020-01-23 20:23:38 +01:00
Sebastiaan van Stijn
b645c8c70e
Merge pull request #449 from thaJeztah/19.03_backport_move_windows_gopath_out_of_goroot
[19.03 backport] Move GOPATH out from under the GO source tree
2020-01-23 20:21:56 +01:00
Sebastiaan van Stijn
facfb9e1b0
Merge pull request #450 from thaJeztah/19.03_backport_bump_docker_py_4.1.0
[19.03 backport] bump docker-py to 4.1.0
2020-01-23 20:15:36 +01:00
Akihiro Suda
325e889ba3 rootless: fix proxying UDP packets
UDP reply packets were not proxied: https://github.com/rootless-containers/rootlesskit/issues/86

The issue was fixed in RootlessKit v0.7.1: https://github.com/rootless-containers/rootlesskit/pull/87

Full changes since v0.7.0: https://github.com/rootless-containers/rootlesskit/compare/v0.7.0...v0.7.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 658723badd)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-20 13:15:51 +09:00
Sebastiaan van Stijn
cc0416d0eb
bump docker-py to 4.1.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5a703ccb46)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-17 10:53:40 +01:00
Vikram bir Singh
bbd22fb5d9
Move GOPATH out from under the GO source tree
Unlike Linux which uses a temp dir as GOPATH, Windows
uses c:\go. Among other things, this blocks go get.

Moving GOPATH to c:\gopath and updating references in
comments and documentation.

Currently the change is being scoped narrowly. In the
future GOPATH value could be passed as a parameter to
the ps1 scripts.

Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
(cherry picked from commit ecf91f0d7f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-17 10:47:18 +01:00
Eli Uriegas
b1798d895a
daemon: Remove btrfs_noversion build flag
btrfs_noversion was added in d7c37b5a28
for distributions that did not have the `btrfs/version.h` header file.

Seeing how all of the distributions we currently support do have the
`btrfs/version.h` file we should probably just remove this build flag
altogether.

Signed-off-by: Eli Uriegas <eli.uriegas@docker.com>
(cherry picked from commit e665263b10)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-17 10:22:07 +01:00
Arko Dasgupta
89c5fbacfd Bump 19.03 libnetwork refpoint
[19.03 backport] bridge: Fix hwaddr set race between us and udev

Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
2020-01-16 16:54:52 -08:00
Sebastiaan van Stijn
9077436e6e
Merge pull request #424 from thaJeztah/19.03_backport_39608_short_libnetwork_id
[19.03 backport] daemon: Use short libnetwork ID in exec-root & update libnetwork
2020-01-16 22:15:04 +01:00
Sebastiaan van Stijn
f6398c1f07
Merge pull request #425 from cpuguy83/backport_40169_windows_version_quad
[19.03] Windows: Only set VERSION_QUAD if unset
2020-01-16 21:06:58 +01:00
Sebastiaan van Stijn
c4dbf36951
Merge pull request #428 from thaJeztah/19.03_bump_containerd_1.2.11
[19.03] Update containerd to v1.2.11, runc v1.0.0-rc9
2020-01-16 20:58:28 +01:00
Sebastiaan van Stijn
8e57214487
docker-py: skip broken ImageCollectionTest::test_pull_multiple
The ImageCollectionTest.test_pull_multiple test performs a `docker pull` without
a `:tag` specified) to pull all tags of the given repository (image).

After pulling the image, the image(s) pulled are checked to verify if the list
of images contains the `:latest` tag.

However, the test assumes that all tags of the image are tags for the same
version of the image (same digest), and thus a *single* image is returned, which
is not always the case.

Currently, the `hello-world:latest` and `hello-world:linux` tags point to a
different digest, therefore the `client.images.pull()` returns multiple images:
one image for digest, making the test fail:

    =================================== FAILURES ===================================
    ____________________ ImageCollectionTest.test_pull_multiple ____________________
    tests/integration/models_images_test.py:90: in test_pull_multiple
        assert len(images) == 1
    E   AssertionError: assert 2 == 1
    E    +  where 2 = len([<Image: 'hello-world:linux'>, <Image: 'hello-world:latest'>])

This patch temporarily skips the broken test until it is fixed upstream.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f2b25e498f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 13:43:37 +01:00
Sebastiaan van Stijn
b617355190
docker-py: re-enable tests that were fixed in v4.1.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6bc45b09e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-06 13:43:28 +01:00
Sebastiaan van Stijn
cfcf25bb54
[19.03] Update containerd binary to v1.2.11
full diff: https://github.com/containerd/containerd/compare/v1.2.10...v1.2.11

The eleventh patch release for containerd 1.2 includes an updated runc with
an additional fix for CVE-2019-16884 and a Golang update.

Notable Updates
-----------------------

- Update the runc vendor to v1.0.0-rc9 which includes an additional mitigation
  for CVE-2019-16884.
  More details on the runc CVE in opencontainers/runc#2128, and the additional
  mitigations in opencontainers/runc#2130.
- Add local-fs.target to service file to fix corrupt image after unexpected host
  reboot. Reported in containerd/containerd#3671, and fixed by containerd/containerd#3746.
- Update Golang runtime to 1.12.13, which includes security fixes to the crypto/dsa
  package made in Go 1.12.11 (CVE-2019-17596), and fixes to the go command, runtime,
  syscall and net packages (Go 1.12.12).

CRI fixes:
-----------------------

- Fix shim delete error code to avoid unnecessary retries in the CRI plugin. Discovered
  in containerd/cri#1309, and fixed by containerd/containerd#3732 and containerd/containerd#3739.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-28 10:56:28 +01:00
Sebastiaan van Stijn
efcd84e47c
[19.03] Update to runc v1.0.0-rc9
full diff: 3e425f80a8...v1.0.0-rc9

- opencontainers/runc#1951 Add SCMP_ACT_LOG as a valid Seccomp action
- opencontainers/runc#2130 *: verify operations on /proc/... are on procfs
  This is an additional mitigation for CVE-2019-16884. The primary problem
  is that Docker can be coerced into bind-mounting a file system on top of
  /proc (resulting in label-related writes to /proc no longer happening).

  While we are working on mitigations against permitting the mounts, this
  helps avoid our code from being tricked into writing to non-procfs
  files. This is not a perfect solution (after all, there might be a
  bind-mount of a different procfs file over the target) but in order to
  exploit that you would need to be able to tweak a config.json pretty
  specifically (which thankfully Docker doesn't allow).

  Specifically this stops AppArmor from not labeling a process silently
  due to /proc/self/attr/... being incorrectly set, and stops any
  accidental fd leaks because /proc/self/fd/... is not real.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-28 10:56:06 +01:00
Grant Millar
d3d724e45a
daemon: Use short libnetwork ID in exec-root & update libnetwork
also updates libnetwork to d9a6682a4dbb13b1f0d8216c425fe9ae010a0f23
full diff:

3eb39382bf...d9a6682a4d

- docker/libnetwork#2482 [19.03 backport] Shorten controller ID in exec-root to not hit UNIX_PATH_MAX
- docker/libnetwork#2483 [19.03 backport] Fix panic in drivers/overlay/encryption.go

Signed-off-by: Grant Millar <rid@cylo.io>
(cherry picked from commit df7b8f458a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-11-21 14:30:33 +01:00
Brian Goff
d699e3de12 Windows: Only set VERSION_QUAD if unset
When trying to build with some pretty typical version strings this was
causing failures trying to generate the windows resource file.

The resource file is already gated by an `ifdef` for this var, so
instead of blindly setting based on "VERSION", which can contain some
characters which are incompatible (e.g. 1.2.3.rc.0 will fail due to the
".rc").

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ce931f28ea)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2019-11-15 16:16:00 -08:00
Andrew Hsu
d91a85a9b5
Merge pull request #397 from thaJeztah/19.03_backport_slirp4netns_sandbox
[19.03 backport] rootless: harden slirp4netns with mount namespace and seccomp
2019-10-28 10:45:18 -07:00
Sebastiaan van Stijn
54a58760b6
[19.03 backport] revert controller: Check if IPTables is enabled for arrangeUserFilterRule
This change caused a regression, causing the DOCKER-USER chain
to not be created, despite iptables being enabled on the daemon.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-11 21:10:48 +02:00
Andrew Hsu
5787ef7e9c
Merge pull request #396 from thaJeztah/19.03_backport_update_moved_repositories
[19.03 backport] Update links/references to transferred repositories
2019-10-10 10:58:11 -07:00
Sebastiaan van Stijn
fb0fca8607
[19.03] roll-back libnetwork iptables forward policy change
The patch made in  docker/libnetwork#2450 caused a breaking change in the
networking behaviour, causing Kubernetes installations on Docker Desktop
(and possibly other setups) to fail.

Rolling back this change in the 19.03 branch while we investigate if there
are alternatives.

diff: 45c710223c...96bcc0dae8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-07 18:11:13 +02:00
Akihiro Suda
5bd4233d7b
rootless: harden slirp4netns with mount namespace and seccomp
When slirp4netns v0.4.0+ is used, now slirp4netns is hardened using
mount namespace ("sandbox") and seccomp to mitigate potential
vulnerabilities.

bump up rootlesskit: 2fcff6ceae...791ac8cb20

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit e20b7323fb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-05 10:54:26 +02:00
Sebastiaan van Stijn
3472e441c5
hack/ci/windows.ps1 update references to repositories that were moved
Also updated the related docs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5175ed54e5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-10-03 15:37:56 +02:00
Sebastiaan van Stijn
ec0e20a9eb Temporarily switch docker-py to "master"
The docker-py tests were broken, because the version of
py-test that was used, used a dependency that had a new
major release with a breaking change.

Unfortunately, it was not pinned to a specific version,
so when the dependency did the release, py-test broke;

```
22:16:47  Traceback (most recent call last):
22:16:47    File "/usr/local/bin/pytest", line 10, in <module>
22:16:47      sys.exit(main())
22:16:47    File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 61, in main
22:16:47      config = _prepareconfig(args, plugins)
22:16:47    File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 182, in _prepareconfig
22:16:47      config = get_config()
22:16:47    File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 156, in get_config
22:16:47      pluginmanager.import_plugin(spec)
22:16:47    File "/usr/local/lib/python3.6/site-packages/_pytest/config/__init__.py", line 530, in import_plugin
22:16:47      __import__(importspec)
22:16:47    File "/usr/local/lib/python3.6/site-packages/_pytest/tmpdir.py", line 25, in <module>
22:16:47      class TempPathFactory(object):
22:16:47    File "/usr/local/lib/python3.6/site-packages/_pytest/tmpdir.py", line 35, in TempPathFactory
22:16:47      lambda p: Path(os.path.abspath(six.text_type(p)))
22:16:47  TypeError: attrib() got an unexpected keyword argument 'convert'
```

docker-py master has a fix for this (bumping the version of
`py-test`), but it's not in a release yet, and the docker cli that's used
in our CI is pinned to 17.06, which doesn't support building from a remote
git repository from a specific git commit.

To fix the immediate situation, this patch switches the docker-py
tests to run from the master branch.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 48353e16fe)
Signed-off-by: Andrew Hsu <andrewhsu@docker.com>
2019-10-02 17:42:41 +00:00
Andrew Hsu
b6a7124855
Merge pull request #383 from thaJeztah/19.03_backport_test_fixes_2
[19.03 backport] Testing and Jenkinsfile changes [step 2]
2019-09-27 16:58:30 -07:00
Sebastiaan van Stijn
b4c03dd633
update runc to v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc8...3e425f80a8c931f88e6d94a8c831b9d5aa481657

  - opencontainers/runc#2010 criu image path permission error when checkpoint rootless container
  - opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions
  - opencontainers/runc#2029 Update dependencies
  - opencontainers/runc#2034 Support for logging from children processes
  - opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND
  - opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method
  - opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone
  - opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func
  - opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module
  - opencontainers/runc#2057 main: not reopen /dev/stderr
      - closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr
      - closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver)
      - closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address"
  - opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP
  - opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB
  - opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall
  - opencontainers/runc#2074 Update dependency libseccomp-golang
  - opencontainers/runc#2081 Bump CRIU to 3.12
  - opencontainers/runc#2089 doc: First process in container needs `Init: true`
  - opencontainers/runc#2094 Skip searching /dev/.udev for device nodes
      - closes opencontainers/runc#2093 HostDevices() race with older udevd versions
  - opencontainers/runc#2098 man: fix man-pages
  - opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager
  - opencontainers/runc#2107 Make get devices function public
  - opencontainers/runc#2113 libcontainer: initial support for cgroups v2
  - opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package
      - removes github.com/coreos/pkg as dependency
  - opencontainers/runc#2117 Remove libcontainer detection for systemd features
      - fixes opencontainers/runc#2117 Cache the systemd detection results
  - opencontainers/runc#2119 libcontainer: update masked paths of /proc
      - relates to moby/moby#36368 Add /proc/keys to masked paths
      - relates to moby/moby#38299 Masked /proc/asound
      - relates to moby/moby#37404 Add /proc/acpi to masked paths (CVE-2018-10892)
  - opencontainers/runc#2122 nsenter: minor fixes
  - opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support
  - opencontainers/runc#2125 cgroup: support mount of cgroup2
  - opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file
  - opencontainers/runc#2129 Only allow proc mount if it is procfs
      - addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bc9a7ec898)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-27 16:25:39 +02:00
Jintao Zhang
65a6d9d9eb
Update containerd to v1.2.10
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit c4ec02b0af)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-27 16:25:20 +02:00
Sebastiaan van Stijn
50cee7c48d
hack/test/unit: fix custom TESTFLAGS not working
The `-test.timeout=5m` was glued directly after the current `TESTFLAGS`,
causing them to be non-functional;

Before:

    make TESTDEBUG=1 TESTDIRS='github.com/docker/docker/pkg/filenotify' TESTFLAGS='-test.run TestPollerEvent' test-unit
    + mkdir -p bundles
    + gotestsum --format=standard-quiet --jsonfile=bundles/go-test-report.json --junitfile=bundles/junit-report.xml -- -tags 'netgo seccomp libdm_no_deferred_remove' -cover -coverprofile=bundles/profile.out -covermode=atomic -test.run TestPollerEvent-test.timeout=5m github.com/docker/docker/pkg/filenotify
    testing: warning: no tests to run
    ok  	github.com/docker/docker/pkg/filenotify	0.003s	coverage: 0.0% of statements [no tests to run]

    DONE 0 tests in 0.298s

After:

    make TESTDEBUG=1 TESTDIRS='github.com/docker/docker/pkg/filenotify' TESTFLAGS='-test.run TestPollerEvent' test-unit
    + mkdir -p bundles
    + gotestsum --format=standard-quiet --jsonfile=bundles/go-test-report.json --junitfile=bundles/junit-report.xml -- -tags 'netgo seccomp libdm_no_deferred_remove' -cover -coverprofile=bundles/profile.out -covermode=atomic -test.run TestPollerEvent -test.timeout=5m github.com/docker/docker/pkg/filenotify
    ok  	github.com/docker/docker/pkg/filenotify	0.608s	coverage: 44.7% of statements

    DONE 1 tests in 0.922s

This was introduced in 42f0a0db75

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0620990307)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 23:52:52 +02:00
Tibor Vass
682a46189b
integration-cli: move each test suite to its own TestX testing function
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit f1c1cd436a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 23:52:51 +02:00
Tibor Vass
e1c5cdf14d
hack: have integration-cli use gotestsum codepath
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 84928be605)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 23:52:50 +02:00
Tibor Vass
15aa73ea4c
remove per-test -timeout logic because it does not work
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 8bffe9524d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 23:52:45 +02:00
Tibor Vass
df569fd54c
hack: update scripts
- remove -check.* flags
- use (per-test) -timeout flag
- allow user to override TEST_SKIP_* regardless of TESTFLAGS
- remove test-imports validation

Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 7cd028f2d0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-26 23:52:44 +02:00
Kirill Kolyshkin
9eec36e483
Merge pull request #382 from thaJeztah/19.03_backport_test_fixes
[19.03 backport] Testing and Jenkinsfile changes [step 1]
2019-09-26 10:43:26 -07:00
Stefan Scherer
168e23a2f5
Zap a fixed folder, add build number to folder inside
Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit 4866207543)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-09-25 21:36:13 +02:00