The LCOW implementation in dockerd has been deprecated in favor of re-implementation
in containerd (in progress). Microsoft started removing the LCOW V1 code from the
build dependencies we use in Microsoft/opengcs (soon to be part of Microsoft/hcshhim),
which means that we need to start removing this code.
This first step removes the lcow graphdriver, the LCOW initialization code, and
some LCOW-related utilities.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: ab34263943...6772e930b6
- http/httpproxy: match http scheme when selecting http_proxy
- drop support for pre-1.12 direct syscalls on darwin
- x/net/http2: reject HTTP/2 Content-Length headers containing a sign
- http2/h2i: use x/term instead of x/crypto/ssh/terminal
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
After moving libnetwork we have a few extra cmd's.
Some of these are using urfave/cli so we need to vendor that in.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
full diff: https://github.com/moby/buildkit/compare/v0.8.2...v0.8.3
- vendor containerd (required for rootless overlayfs on kernel 5.11)
- not included to avoid depending on a fork
- Add retry on image push 5xx errors
- contenthash: include basename in content checksum for wildcards
- Fix missing mounts in execOp cache map
- Add regression test for run cache not considering mounts
- Add hack to preserve Dockerfile RUN cache compatibility after mount cache bugfix
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 6e2cb13661...f2269e66cd
- support SO_SNDBUF/SO_RCVBUF handling
- Support Go Modules
- license clarificaton
- ci: drop 1.6, 1.7, 1.8 support
- Add support for SocketConfig
- support goarch mips64le architecture.
- fix possible socket leak when bind fails
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update libnetwork to make `docker run -p 80:80` functional again on environments
with kernel boot parameter `ipv6.disable=1`.
full diff: b3507428be...64b7a4574d
- fix port forwarding with ipv6.disable=1
- fixes moby/moby/42288 Docker 20.10.6: all containers stopped and cannot start if ipv6 is disabled on host
- fixes docker/libnetwork/2629 Network issue with IPv6 following update to version 20.10.6
- fixesdocker/for-linux/1233 Since 20.10.6 it's not possible to run docker on a machine with disabled IPv6 interfaces
- vendor: github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be
- Enforce order of lock acquisitions on network/controller, fixes#2632
- fixes docker/libnetwork/2632 Name resolution stuck due to deadlock between different network struct methods
- fixes moby/moby/42032 Docker deamon get's stuck, can't serve DNS requests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/moby/sys/compare/symlink/v0.1.0...mountinfo/v0.4.1
github.com/moby/sys/mountinfo v0.4.1
----------------------------------------------
- Fix PrefixFilter() being too greedy
- TestMountedBy*: add missing pre-checks
- Documentation improvements
github.com/moby/sys/mount v0.2.0
----------------------------------------------
Breaking changes:
- Remove stub-implementations for Windows for `Mount()`, `Unmount()`,
`RecursiveUnmount()`, `MergeTmpfsOptions()`
Fixes and improvements:
- `go.mod`: update github.com/moby/sys/mountinfo to v0.4.0
- use `MNT_*` flags from golang.org/x/sys/unix on freebsd
- add support for OpenBSD in addition to FreeBSD
- fix package overview documentation not showing
- `RecursiveUnmount()`: minor improvements
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 55eda46b22...19ee068f93
brings in updated protobufs, generated with gogo/protobuf v1.3.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The runc/libcontainer apparmor package on master no longer checks if apparmor_parser
is enabled, or if we are running docker-in-docker.
While those checks are not relevant to runc (as it doesn't load the profile), these
checks _are_ relevant to us (and containerd). So switching to use the containerd
apparmor package, which does include the needed checks.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch picks the first commit in containerd that exports the AppArmor package
functions to keep the vendor diff small (there are some updates to that package
after this, but those will be included in other patches).
full diff: fbf1a72de7...55eda46b22
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the first commit after the containerd transition to go modules. Using this
as an intermediate version to allow us to track what dependency changes are
introduced in the containerd dependency since.
full diff: b9092fae15...fbf1a72de7
There were some fix-ups in the PR after adding go modules that updated dependencies,
which will be aligned in the next commit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is the last commit before containerd switched to using go modules. Using this
as an intermediate version to allow us to more easily track what dependency updates
containerd has.
full diff: 0edc412565...b9092fae15
relevant changes in vendored code:
- Do not hardcode "amd64" on LCOW and Windows-related files
- Optimize Windows and LCOW snapshotters to only create scratch layer on the final snapshot
- Add annotations to task update request api
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Taking the same approach as was taken in containerd
The new library has a slightly different output;
- keys at the same level are sorted alphabetically
- empty sections not omitted (`proxy_plugins`, `stream_processors`, `timeouts`),
which could possibly be be addressed with an "omitempty" in containerd's struct.
- empty slices are not omitted (`imports`, `required_plugins`)
After sorting the "before" configuration the diff looks like this:
```patch
diff --git a/config-before-sorted.toml b/config-after.toml
index cc771ce7ab..43a727f589 100644
--- a/config-before-sorted.toml
+++ b/config-after.toml
@@ -1,6 +1,8 @@
disabled_plugins = ["cri"]
+imports = []
oom_score = 0
plugin_dir = ""
+required_plugins = []
root = "/var/lib/docker/containerd/daemon"
state = "/var/run/docker/containerd/daemon"
version = 0
@@ -37,6 +39,12 @@ version = 0
shim = "containerd-shim"
shim_debug = true
+[proxy_plugins]
+
+[stream_processors]
+
+[timeouts]
+
[ttrpc]
address = ""
gid = 0
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: fa125a3512...b3507428be
- fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609)
- fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes"
- Fix regression in docker-proxy
- introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604)
- fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607)
- fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858)
- Use hostIP to decide on Portmapper version
- fixes docker-proxy not being stopped correctly
Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when
listening on "any" IP address. Various tests had to be updated to take multiple mappings into
account.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 68bb095353...9065b18ba4
- fix seccomp compatibility in 32bit arm
- fixes Unable to build alpine:edge containers for armv7
- fixes Buildx failing to build for arm/v7 platform on arm64 machine
- resolver: avoid error caching on token fetch
- fixes "Error: i/o timeout should not be cached"
- fileop: fix checksum to contain indexes of inputs
- frontend/dockerfile: add RunCommand.FlagsUsed field
- relates to [20.10] Classic builder silently ignores unsupported Dockerfile command flags
- update qemu emulators
- relates to "Impossible to run git clone inside buildx with non x86 architecture"
- Fix reference count issues on typed errors with mount references
- fixes errors on releasing mounts with typed execerror refs
- fixes / addresses invalid mutable ref when using shared cache mounts
- dockerfile/docs: fix frontend image tags
- git: set token only for main remote access
- fixes "Loading repositories with submodules is repeated. Failed to clone submodule from googlesource"
- allow skipping empty layer detection on cache export
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tibor Vass <tibor@docker.com>
full diff: https://github.com/opencontainers/selinux/compare/v1.6.0...v1.7.0
- Implement get_default_context_with_level() from libselinux
- Wrap some syscalls (lgetattr, lsetattr, fstatfs, statfs) to retry on EINTR.
- Improve code quality by turning fixing many problems found by linters
- Use bufio.Scanner for parsing labels and policy confilabelg
- Cache the value for SELinux policy directory
- test on ppc64le and go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This dependency was added in 6cdbf07be9d0ad08776df0b65fb1b3e4e617c42a,
but looks like the code was vendored manually, or vendored, then removeed
from vendor.conf.
This commit removes the vendored files, as they are not needed to build
our binaries.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- assert: fixes a bug that would cause a panic if there were any
function calls before `assert.Check` on the same line
- golden: create the directory if it does not exist, when run with
`-test.update-golden`
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.2...v3.0.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 6861f17f15...v0.8.0-rc2
- dockerfile: rename experimental channel to labs
- dockerfile build: fix not exit when meet error in load config metadata
- copy containerd.UnknownExitStatus to local const to reduce dependency graph in client
- executor: switch to docker seccomp profile
- add retry handlers to push/pull
- SSH-based auth for llb.Git operations
- Allow gateway exec-ing into a failed solve with an exec op
- Fix parsing ssh-based git sources
- Fix sshkeyscan to work with ipv6
- fix assumption that ssh port must be 2 digits
- vendor: github.com/Microsoft/go-winio v0.4.15
- vendor: github.com/tonistiigi/fsutil v0.0.0-20201103201449-0834f99b7b85
- vendor: containerd v1.4.1-0.20201117152358-0edc412565dc
- vendor: golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 318312a373...0b889c03f1
- v1/stats: add all fields of memory.oom_control
- memory: remove wrong memory.kmem.limit_in_bytes check
- CI: test against Go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: f15a329036...0724c46b32
- Add OpenFifoDup2
- use golang.org/x/sys/unix for dup2 (fixes build on arm64)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/ttrpc/compare/v1.0.1...v1.0.2
- fix bug, failed to assert net error due to error wrap
- fixes: ttrpc client receive "read: connection reset by peer: unknown"
- client: add UserOnCloseWait function
- travis: add go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
c3ed55f3b4...0834f99b7b
- copy: use Clonefileat from golang.org/x/sys/unix on macOS
- go.mod: update opencontainers/go-digest v1.0.0
- Add github action CI
- github: test go1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 75b288015a...c1f2f97bff
relevant changes:
- pkcs12: document that we use the wrong PEM type
- pkcs12: drop PKCS#12 attributes with unknown OIDs
- ocsp: Improve documentation for ParseResponse and ParseResponseForCert
other changes (not in vendor);
- ssh: improve error message for KeyboardInteractiveChallenge
- ssh: remove slow unnecessary diffie-hellman-group-exchange primality check
- ssh/terminal: replace with a golang.org/x/term wrapper
- Deprecates ssh/terminal in favor of golang.org/x/term
- ssh/terminal: add support for zos
- ssh/terminal: bump x/term dependency to fix js/nacl
- nacl/auth: use Size instead of KeySize for Sum output
- sha3: remove go:nocheckptr annotation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 7f0af18e79...bea5bbe245
- Fix windows integer overflow on GOOS=windows, GOARCH=arm
- go.mod: github.com/creack/pty v1.1.11
- v1.1.11: Add arm support for OpenBSD
- v1.1.10: Fix CTTY to work with go1.15
- CI: fix Go version matrix, and drop go 1.12, add go 1.15
- CI: remove "sudo" to fix incorrect Go versions (incorrect PATH, GOROOT)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This switches the hcsshim dependency back to tagged releases, instead of the special
"moby" branch. This makes the dependency align with both BuildKit and containerd,
which use these versions.
The switch to the "moby" branch was done in 2865478487,
to bring in a fix for image import, without having to bring in additional changes;
> We changed to the moby branch for a couple of reasons:
>
> - Allows us to take this important change without needing to also pull in all
> of the other work that has been going on in the repo.
> - moby uses an older set of APIs exposed from hcsshim, based on the HCS v1
> functionality. Going forwards, we have discussed deprecating/removing these
> APIs from the mainline branch in hcsshim, so our thinking was we could keep
> this moby branch around to ensure we don't break compatibility there.
>
> (...) Long term, the best path here is to get moby using containerd as the
> backend on Windows, which should alleviate these issues.
full diff: 9dcb42f100..v0.8.10
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/moby/sys/compare/mountinfo/v0.1.3...mountinfo/v0.4.0
> Note that this dependency uses submodules, providing "github.com/moby/sys/mount"
> and "github.com/moby/sys/mountinfo". Our vendoring tool (vndr) currently doesn't
> support submodules, so we vendor the top-level moby/sys repository (which contains
> both) and pick the most recent tag, which could be either `mountinfo/vXXX` or
> `mount/vXXX`.
github.com/moby/sys/mountinfo v0.4.0
--------------------------------------------------------------------------------
Breaking changes:
- `PidMountInfo` is now deprecated and will be removed before v1.0; users should switch to `GetMountsFromReader`
Fixes and improvements:
- run filter after all fields are parsed
- correct handling errors from bufio.Scan
- documentation formatting fixes
github.com/moby/sys/mountinfo v0.3.1
--------------------------------------------------------------------------------
- mount: use MNT_* flags from golang.org/x/sys/unix on freebsd
- various godoc and CI fixes
- mountinfo: make GetMountinfoFromReader Linux-specific
- Add support for OpenBSD in addition to FreeBSD
- mountinfo: use idiomatic naming for fields
github.com/moby/sys/mountinfo v0.2.0
--------------------------------------------------------------------------------
Bug fixes:
- Fix path unescaping for paths with double quotes
Improvements:
- Mounted: speed up by adding fast paths using openat2 (Linux-only) and stat
- Mounted: relax path requirements (allow relative, non-cleaned paths, symlinks)
- Unescape fstype and source fields
- Documentation improvements
Testing/CI:
- Unit tests: exclude darwin
- CI: run tests under Fedora 32 to test openat2
- TestGetMounts: fix for Ubuntu build system
- Makefile: fix ignoring test failures
- CI: add cross build
github.com/moby/sys/mount v0.1.1
--------------------------------------------------------------------------------
https://github.com/moby/sys/releases/tag/mount%2Fv0.1.1
Improvements:
- RecursiveUnmount: add a fast path (#26)
- Unmount: improve doc
- fix CI linter warning on Windows
Testing/CI:
- Unit tests: exclude darwin
- Makefile: fix ignoring test failures
- CI: add cross build
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
aee5d888a8...eeed37f84f
- all: add GOOS=ios
- unix: add back IoctlCtlInfo on darwin
- windows: add SetConsoleCursorPosition
- unix: update Dockerfile to Linux 5.9 and Go 1.15.2 (adds `CAP_CHECKPOINT_RESTORE`)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/spf13/cobra/compare/v1.0.0...v1.1.1
Notable changes:
- Extend Go completions and revamp zsh comp
- Add completion for help command
- Complete subcommands when TraverseChildren is set
- Fix stderr printing functions
- fix: fish output redirection
- fix manpage building with new go-md2man
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gofrs/flock/compare/v0.7.1...v0.7.3
Relevant changes:
- fix: close/Unlock won't close the file descriptor if not locked
- fix license text, update year
Note that there's also a v0.8.0 release; that release only adds aix support,
which is currently of no interest to us, so skipping that version for now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.6.0...v1.7.0
removes dependency on github.com/konsorten/go-windows-terminal-sequences
Features:
* a new buffer pool management API has been added
* a set of `<LogLevel>Fn()` functions have been added
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This pulls in the migration of go-winio/backuptar from the bundled fork
of archive/tar from Go 1.6 to using Go's current archive/tar unmodified.
This fixes the failure to import an OCI layer (tar stream) containing a
file larger than 8gB.
Fixes: #40444
Signed-off-by: Paul "TBBle" Hampson <Paul.Hampson@Pobox.com>
full diff: https://github.com/containerd/containerd/compare/v1.4.0...v1.4.1
Welcome to the v1.4.1 release of containerd!
The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging
on exit and exec when the log pipe fills up along with other minor changes.
Notable Updates:
* Always consume shim logs to prevent logs in the shim from blocking
* Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist`
* Fix metrics monitoring of v2 runtime tasks
* Fix incorrect stat for Windows containers
* Fix devmapper device deletion on rollback
* Update seccomp default profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 73f35e472e...7f0af18e79
- update gotest.tools to v3
- Use unix.Ioctl{Get,Set}Termios on all unix platforms
- Make Termios type alias, remove casts
vendor: golang.org/x/sys 196b9ba8737a10c9253b04174f25881e562da5b8
full diff: ed371f2e16...196b9ba873
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is just to align to a tagged version, but given that the containerd
go-api is not considered "stable", we may switch back to a commit from
"master" at some point if needed.
No local changes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
github.com/prometheus/client_golang to v1.6.0
github.com/prometheus/client_model to v0.2.0
github.com/prometheus/common to v0.9.1
github.com/prometheus/procfs to v0.0.11
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
full diff: 0a2b9b5464...db3c7e526a
- Use golang.org/x/sys/unix instead of syscall
- Set O_CLOEXEC when opening a network namespace
- Fixes "the container‘s netns fds leak, causing the container netns to not
clean up successfully after the container stops"
- Allows to create and delete named network namespaces
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 26c1120b8d...efbc4488d8
Relevant changes:
- sysx/xattr: fix and improve
- fix getxattrAll: change initial buffer size to 128 to prevent unneeded
iterations and change the logic to get the real size in case we get ERANGE
rather than doubling the buffer)
- improve listxattrAll; refactor for readability, prevent calling `listxattr()`
twice. Handle condition when attributes size is changed in between the two
calls to listxattr().
- Remove Windows' Readlink fork
- Drops support for Go 1.12 and under
- Fix sameFile() to recognize empty files as the same
- fixes "Empty files can diff as "modified" even when they're not"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 2e24aed516...9e99af28df
- docker/libnetwork#2548 Add docker interfaces to firewalld docker zone
- fixesdocker/for-linux#957 DNS Not Resolving under Network [CentOS8]
- fixesdocker/libnetwork#2496 Port Forwarding does not work on RHEL 8 with Firewalld running with FirewallBackend=nftables
- store.getNetworksFromStore() remove unused error return
- docker/libnetwork#2554 Fix 'failed to get network during CreateEndpoint'
- fixes/addresses docker/for-linux#888 failed to get network during CreateEndpoint
- docker/libnetwork#2558 [master] bridge: disable IPv6 router advertisements
- docker/libnetwork#2563 log error instead if disabling IPv6 router advertisement failed
- fixesdocker/for-linux#1033 Shouldn't be fatal: Unable to disable IPv6 router advertisement: open /proc/sys/net/ipv6/conf/docker0/accept_ra: read-only file system
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This change brings in a single new commit from Microsoft/hcsshim. The
commit fixes an issue when unpacking a Windows container layer which
could result in incorrect directory timestamps.
This manifested most significantly in an impact to startup times of
some Windows container images (such as anything based on servercore).
Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
full diff: https://github.com/opencontainers/selinux/compare/v1.5.1...v1.5.2
- Implement FormatMountLabel unconditionally
Implementing FormatMountLabel on situations built without selinux
should be possible; the context will be ignored if no SELinux is available.
- Remote potential race condition, where mcs label is freed
Theorectially if you do not change the MCS Label then we free it and two
commands later reserve it. If some other process was grabbing MCS Labels
at the same time, the other process could get the same label.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gorilla/mux/compare/v1.7.3...v1.7.4
v1.7.4 addresses a number of performance improvements, bugs, and documentation
improvements.
- Reduce allocations in (*routeRegexp).getURLQuery
- Fixed golint warnings
- fix headers regexp test case
- Fix the CORSMethodMiddleware bug with subrouters
- Remove/cleanup request context helpers
- Guess the scheme if r.URL.Scheme is unset
- Added capacity to slice creation, when capacity is known
- Modified http status codes, using constants provided by the http package
- bugfix/subrouter custom methodNotAllowed handler returning 404
- Update README (self-host logo)
- Remove TravisCI badge
- Add documentation for using mux to serve a SPA
- Simplify code
- Avoid unnecessary conversion
- Update config.yml (#495) @elithrar
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/spf13/cobra/compare/v0.0.3...v1.0.0
Notable Changes
- Fish completion (including support for Go custom completion)
- API (urgent): Rename BashCompDirectives to ShellCompDirectives
- Remove/replace SetOutput on Command - deprecated
- Custom completions coded in Go (instead of Bash)
- Partial Revert of 922
- Correct documentation for InOrStdin
- Apply formatting to templates
- Revert change so help is printed on stdout again
- Update md2man to v2.0.0
- update viper to v1.4.0
- Update cmd/root.go example in README.md
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.4.2...v1.6.0
- Ability to DisableHTMLEscape when using the JSON formatter
- Support/fixes for go 1.14
- Many many bugfixes
- Add flag to disable quotes in TextFormatter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/moby/ipvs/compare/v1.0.0...v1.0.1
- Fix compatibility issue on older kernels (< 3.18) where the address
family attribute for destination servers do not exist
- Fix the stats attribute check when parsing destination addresses
- NetlinkSocketsTimeout should be a constant
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This version avoids doing name lookups on creating tarball that
should be avoided in to not hit loading glibc shared libraries.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit aa6a9891b0)
Signed-off-by: Tibor Vass <tibor@docker.com>
- relates to moby/buildkit 1111
- relates to moby/buildkit 1079
- relates to docker/buildx 129
full diff: 9461782956...e31b211e4f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This update is just adding some typo-fixes and adding a go.mod, but
pins it to a tagged release;
c2b33e8439...v0.3.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The following fields are unsupported:
* BlkioStats: all fields other than IoServiceBytesRecursive
* CPUStats: CPUUsage.PercpuUsage
* MemoryStats: MaxUsage and Failcnt
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Bumps swarmkit vendoring. Includes docker/swarmkit#2938, which fixes
tasks.db growing out of control on worker nodes.
Signed-off-by: Drew Erny <derny@mirantis.com>
full diff: https://github.com/opencontainers/selinux/compare/v1.3.1...v1.3.3
- go-selinux/SetKeyLabel: fix for RHEL7 kernels
- getSELinuxfs: optimize/simplify using sync.Once
- xattr: use x/sys/unix, simplify
- Use /proc/thread-self if available
- Fix EnforceMode, SetEnforceMode, and SecurityCheckContext
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.1...v3.0.2
- assert: Fix NilError, error non-nil type
- fixes: Typed nil errors should not pass "NilError"
- fixes: "reflect: call of reflect.Value.IsNil on struct Value" for struct error type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 88737f569e...69ecbb4d6d
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
See the commit message for the new swarmkit commit. That change fixes a
leaking goroutine related to service logs.
Signed-off-by: Drew Erny <derny@mirantis.com>
bump docker/go-metrics v0.0.1:
full diff: d466d4f6fd...v0.0.1
- docker/go-metrics#16 fix the compilation error against prometheus/client-golang master
- fixesdocker/go-metrics#12 No longer builds against Prom master
- docker/go-metrics#18 metrics: address compile error correctly
- fixesdocker/go-metrics#12 No longer builds against Prom master
- docker/go-metrics#15 Add functions that instruments http handler using promhttp
- docker/go-metrics#20 Rename LICENSE.code → LICENSE
- docker/go-metrics#22 Support Go Modules
bump prometheus/client_golang v0.9.4:
full diff: c5b7fccd20...v0.9.4
version v0.9.0 is the minimum required version to work with go-metrics v0.0.1,
as it depends on `prometheus.Observer`:
vendor/github.com/docker/go-metrics/timer.go:39:4: undefined: prometheus.Observer
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds support for ReplicatedJob and GlobalJob service modes. These modes
allow running service which execute tasks that exit upon success,
instead of daemon-type tasks.
Signed-off-by: Drew Erny <drew.erny@docker.com>
full diff: 3bbb99cdbd...0f039a052c
- tonistiigi/fsutil#66 copy: add fast copy path for darwin
- tonistiigi/fsutil#67 Treat Unix sockets as regular files
- relates to moby/buildkit#1144 Fix socket handling
- tonistiigi/fsutil#68 fix gocrypto commit
- tonistiigi/fsutil#69 receive: use filter on receive diff
- prevents incremental transfers with userns because the metadata
on disk is always different than the one being transferred.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Bumps the vendoring of github.com/docker/swarmkit to the above commit,
which is the current master at commit time.
Most notably, this includes a change making the ingress network respect
the default address pool. Because of this change, a change to network
integration tests was needed.
Signed-off-by: Drew Erny <drew.erny@docker.com>
full diff: c990c680b6...6d18c012ae
execute "docker run -it {image name} /bin/sh" no response on mip64el platform;
EpollEvent struct define lack a field named PadFd;
add the field "PadFd";
execute docker run -it {image} /bin/sh for test after rebuilded.
Signed-off-by: liuxiaodong <liuxiaodong@loongson.cn>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Among other things, this is required to pull in
microsoft/hcsshim#718
Also fixesmicrosoft/hcsshim#737
which was caught by checks while attempting to bump
up hcsshim version.
Signed-off-by: Vikram bir Singh <vikrambir.singh@docker.com>
full diff: 0025177e3d...90afbb01e1
includes:
- docker/libnetwork#/2459 Fix Error Check in NewNetwork
- docker/libnetwork#/2466 Revert "Merge pull request #2339 from phyber/iptables-check"
- reverts docker/libnetwork#/2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
- re-opens docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
- re-opens moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
- re-opens docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/grpc/grpc-go/compare/v1.23.0...v1.23.1
- grpc/grpc-go#3018 server: set and advertise max frame size of 16KB
- grpc/grpc-go#3017 grpclb: fix deadlock in grpclb connection cache
- Before the fix, if the timer to remove a SubConn fires at the
same time NewSubConn cancels the timer, it caused a mutex leak
and deadlock.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously we were re-using schema2.DeserializedManifest to handle oci
manifests. The issue lies in the fact that distribution started
validating the media type string during json deserialization. This
change broke our usage of that type.
Instead distribution now provides direct support for oci schemas, so use
that instead of our custom handlers.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
full diff: ed099d4238...00bdffe0f3
changes included:
- gorilla/mux#477 Improve CORS Method Middleware
- implements gorilla/mux#477 Make CORSMethodMiddleware actually make sense
- gorilla/mux#489 Fix nil panic in authentication middleware example
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Pull requests started failing because vendoring didn't match;
```
The result of vndr differs
D vendor/golang.org/x/sync/singleflight/singleflight.go
Please vendor your package with github.com/LK4D4/vndr.
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diffs:
- fc5a7d91d5...62a13ae87c
- b2de5d10e3...v1.0.0
- 604eaf189e...13995c7128ccc8e51e9a6bd2b551020a27180abd
notable changes in libnetwork:
- docker/libnetwork#2366 Bump vishvananda/netlink to 1.0.0
- docker/libnetwork#2339 controller: Check if IPTables is enabled for arrangeUserFilterRule
- addresses docker/libnetwork#2158 dockerd when run with --iptables=false modifies iptables by adding DOCKER-USER
- addresses moby/moby#35777 With iptables=false dockerd still creates DOCKER-USER chain and rules
- addresses docker/for-linux#136 dockerd --iptables=false adds DOCKER-USER chain and modify FORWARD chain anyway
- docker/libnetwork#2394 Make DNS records and queries case-insensitive
- addresses moby/moby#28689 Embedded DNS is case-sensitive
- addresses moby/moby#21169 hostnames with new networking are case-sensitive
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 32f571b700...689e3c1541
Release notes:
* Version 0.9.1 - May 21, 2019
- Minimum supported version of libseccomp bumped to v2.2.0
- Use Libseccomp's `seccomp_version` API to retrieve library version
- Unconditionally set TSync attribute for filters, due to Go's heavily threaded nature
- Fix CVE-2017-18367 - Multiple syscall arguments were incorrectly combined with logical-OR, instead of logical-AND
- Fix a failure to build on Debian-based distributions due to CGo code
- Fix unit test failures on 32-bit architectures
- Improve several errors to be more verbose about their causes
- Add support for SCMP_ACT_LOG (with libseccomp versions 2.4.x and higher), permitting syscalls but logging their execution
- Add support for SCMP_FLTATR_CTL_LOG (with libseccomp versions 2.4.x and higher), logging not-allowed actions when they are denied
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
