Commit graph

39452 commits

Author SHA1 Message Date
Sebastiaan van Stijn
52f5b613ba
Merge pull request #42956 from cpuguy83/20.10-backport-kill-fixes
[20.10] Backport fixes for kill/stop handling
2021-10-21 20:10:22 +02:00
Sebastiaan van Stijn
a4b1ae5153
Merge pull request #42954 from crazy-max/20.10_build-local-normalized
[20.10 backport] buildkit: normalize build target and local platform
2021-10-21 20:07:21 +02:00
Cam
3285c27503 Fix log statement 'failed to exit' timeout accuracy
log statement should reflect how long it actually waited, not how long
it theoretically could wait based on the 'seconds' integer passed in.

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit d15ce134ef)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-20 22:35:44 +00:00
Cam
a4bcd4c64f docker daemon container stop refactor
this refactors the Stop command to fix a few issues and behaviors that
dont seem completely correct:

1. first it fixes a situation where stop could hang forever (#41579)
2. fixes a behavior where if sending the
stop signal failed, then the code directly sends a -9 signal. If that
fails, it returns without waiting for the process to exit or going
through the full docker kill codepath.
3. fixes a behavior where if sending the stop signal failed, then the
code sends a -9 signal. If that succeeds, then we still go through the
same stop waiting process, and may even go through the docker kill path
again, even though we've already sent a -9.
4. fixes a behavior where the code would wait the full 30 seconds after
sending a stop signal, even if we already know the stop signal failed.

fixes #41579

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit 8e362b75cb)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-20 22:35:40 +00:00
Cam
bed624fdc9 docker kill: fix bug where failed kills didnt fallback to unix kill
1. fixes #41587
2. removes potential infinite Wait and goroutine leak at end of kill
function

fixes #41587

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit e57a365ab1)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-20 22:33:15 +00:00
CrazyMax
80b7e8b5d7 buildkit: normalize build target and local platform
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit b4e056d556)
2021-10-20 12:47:07 +02:00
Sebastiaan van Stijn
9f5b26fb86
Merge pull request #42944 from kevpar/20.10_update-winio
[20.10] vendor: Update go-winio to v0.4.20
2021-10-18 14:50:48 +02:00
Kevin Parsons
c2b9a32875 vendor: Update go-winio to v0.4.20
Updates go-winio to the latest v0.4.x version. The main important fix
here is to go-winio's backuptar package. This is needed to fix a bug in
sparse file handling in container layers, which was exposed by a recent
change in Windows.

go-winio v0.4.20: https://github.com/microsoft/go-winio/releases/tag/v0.4.20

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
2021-10-15 15:24:08 -07:00
Sebastiaan van Stijn
dc084ac10e
Merge pull request #42923 from thaJeztah/20.10_bump_go_1.16.9
[20.10] Update Go to 1.16.9
2021-10-15 12:57:25 +02:00
Sebastiaan van Stijn
a8a4b81d6a
Merge pull request #42901 from thaJeztah/20.10_update_containerd_1.4.10
[20.10] update containerd binary to v1.4.11
2021-10-14 20:32:09 +02:00
Sebastiaan van Stijn
c580a02873
[20.10] Update Go to 1.16.9
go1.16.9 (released 2021-10-07) includes a security fix to the linker and misc/wasm
directory, as well as bug fixes to the runtime and to the text/template package.
See the Go 1.16.9 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.9+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-08 15:14:58 +02:00
Sebastiaan van Stijn
da3769688a
Merge pull request #42875 from awmirantis/bump_swarmkit_fix_rollback
[20.10] Bump swarmkit to get fix for rollback
2021-10-07 15:15:42 +02:00
Tianon Gravi
59beba295e
Merge pull request #42844 from AkihiroSuda/cherrypick-42764
[20.10 backport] update runc binary to v1.0.2
2021-10-06 17:33:46 -07:00
Tianon Gravi
e086edaadf
Merge pull request #42760 from AkihiroSuda/cherrypick-42708
[20.10 backport] bump up rootlesskit to v0.14.4
2021-10-06 17:32:53 -07:00
Sebastiaan van Stijn
129a2000cf
[20.10] update containerd binary to v1.4.11
The eleventh patch release for containerd 1.4 is a security release to fix CVE-2021-41103.

Notable Updates

- Fix insufficiently restricted permissions on container root and plugin directories GHSA-c2h3-6mxw-7mvq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-04 21:15:47 +02:00
Sebastiaan van Stijn
6835d15f55
[20.10] update containerd binary to v1.4.10
- Update runc to v1.0.2
- Update hcsshim to v0.8.21
- Support "clone3" in default seccomp profile
- Fix panic in metadata content writer on copy error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-04 21:14:20 +02:00
Sebastiaan van Stijn
9cd3585bf5
Merge pull request #42843 from AkihiroSuda/cherrypick-42791
[20.10 backport] cmd/dockerd: add the link of "the documentation"
2021-10-04 21:10:52 +02:00
Sebastiaan van Stijn
1c2ca1f624
Merge pull request #42869 from pete-woods/backport-quota-package-cgo-fix
[20.10 backport] quota: adjust build-tags to allow build without CGO
2021-10-04 21:10:12 +02:00
Sebastiaan van Stijn
977283509f
Merge pull request #42836 from tianon/20.10-clone3
[20.10 backport] seccomp: add support for "clone3" syscall in default policy
2021-10-04 21:08:57 +02:00
Sebastiaan van Stijn
79ea9d3080
Merge pull request #5 from moby/20.10_bump_go_1.16.8
[20.10] Update Go to 1.16.8
2021-09-23 20:26:18 +02:00
Adam Williams
5730c139f7 Bump swarmkit to get fix for rollback
Signed-off-by: Adam Williams <awilliams@mirantis.com>
2021-09-22 11:21:01 -07:00
Tibor Vass
59f10e3435
quota: adjust build-tags to allow build without CGO
This is to allow quota package (without tests) to be built without cgo.
makeBackingFsDev was used in helpers but not defined in projectquota_unsupported.go

Also adjust some GoDoc to follow the standard format.

Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7cf079acdb)
Signed-off-by: Pete Woods <pete.woods@circleci.com>
2021-09-20 14:19:22 +01:00
Sebastiaan van Stijn
fa78afebcf
Update Go to 1.16.8
This includes additional fixes for CVE-2021-39293.

go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip package,
as well as bug fixes to the archive/zip, go/internal/gccgoimporter, html/template,
net/http, and runtime/pprof packages. See the Go 1.16.8 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.8+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-15 13:48:01 +02:00
Tianon Gravi
567c01f6d1 seccomp: add support for "clone3" syscall in default policy
This is a backport of 9f6b562dd1, adapted to avoid the refactoring that happened in d92739713c.

Original commit message is as follows:

> If no seccomp policy is requested, then the built-in default policy in
> dockerd applies. This has no rule for "clone3" defined, nor any default
> errno defined. So when runc receives the config it attempts to determine
> a default errno, using logic defined in its commit:
>
>   opencontainers/runc@7a8d716
>
> As explained in the above commit message, runc uses a heuristic to
> decide which errno to return by default:
>
> [quote]
>   The solution applied here is to prepend a "stub" filter which returns
>   -ENOSYS if the requested syscall has a larger syscall number than any
>   syscall mentioned in the filter. The reason for this specific rule is
>   that syscall numbers are (roughly) allocated sequentially and thus newer
>   syscalls will (usually) have a larger syscall number -- thus causing our
>   filters to produce -ENOSYS if the filter was written before the syscall
>   existed.
> [/quote]
>
> Unfortunately clone3 appears to one of the edge cases that does not
> result in use of ENOSYS, instead ending up with the historical EPERM
> errno.
>
> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
> clone3 by default. If it sees ENOSYS then it will automatically
> fallback to using clone. Any other errno is treated as a fatal
> error. Thus when docker seccomp policy triggers EPERM from clone3,
> no fallback occurs and programs are thus unable to spawn threads.
>
> The clone3 syscall is much more complicated than clone, most notably its
> flags are not exposed as a directly argument any more. Instead they are
> hidden inside a struct. This means that seccomp filters are unable to
> apply policy based on values seen in flags. Thus we can't directly
> replicate the current "clone" filtering for "clone3". We can at least
> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
> at which point we can filter on flags.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
2021-09-13 08:56:21 -07:00
Akihiro Suda
07728cd2bd
update runc binary to v1.0.2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 14189170d1)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-09-13 15:19:53 +09:00
Akihiro Suda
964768f200
cmd/dockerd: add the link of "the documentation"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 1a67e9572e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-09-13 15:17:42 +09:00
Sebastiaan van Stijn
bce32e5c93
Merge pull request #4 from moby/20.10-ghsa-v994-f8vw-g7j4-chroot-mkdir
[20.10] chrootarchive: don't create parent dirs outside of chroot
2021-09-09 20:50:12 +02:00
Sebastiaan van Stijn
f0ab919f51
Merge pull request #2 from moby/20.10-GHSA-3fwx-pjgw-3558_0701-perms
[20.10] Lock down docker root dir perms.
2021-09-09 20:45:08 +02:00
Tonis Tiigi
80f1169eca chrootarchive: don't create parent dirs outside of chroot
If chroot is used with a special root directory then create
destination directory within chroot. This works automatically
already due to extractor creating parent paths and is only
used currently with cp where parent paths are actually required
and error will be shown to user before reaching this point.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-08-19 20:49:31 +00:00
Brian Goff
93ac040bf0 Lock down docker root dir perms.
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND critically
container users need to be able to do execute things.

0701 on lower directories also happens to allow any user to modify
     things in, for instance, the overlay upper dir which neccessarily
     has 0755 permissions.

This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.

This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-08-19 20:40:15 +00:00
Akihiro Suda
b0c0b73798
bump up rootlesskit to v0.14.4
Fixes `panic: tap2vif: read: read /dev/net/tun: not pollable` on early
start up of RootlessKit with VPNKit.

Changes:
- https://github.com/rootless-containers/rootlesskit/releases/tag/v0.14.4
- https://github.com/rootless-containers/rootlesskit/releases/tag/v0.14.3

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9499acc360)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-19 16:21:01 +09:00
Sebastiaan van Stijn
d24c6dc5cf
Merge pull request #42721 from thaJeztah/20.10_backport_bump_go_1.16.7
[20.10 backport] Update Go to 1.16.7
2021-08-17 14:12:42 +02:00
Sebastiaan van Stijn
decb56ac89
Update Go to 1.16.7
go1.16.7 (released 2021-08-05) includes a security fix to the net/http/httputil
package, as well as bug fixes to the compiler, the linker, the runtime, the go
command, and the net/http package. See the Go 1.16.7 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.7+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b1f7ffea9f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-07 18:16:20 +02:00
Sebastiaan van Stijn
75249d88bc
Merge pull request #42695 from thaJeztah/20.10_update_containerd_1.4.9
[20.10] update containerd binary to v1.4.9
2021-07-30 03:30:57 +02:00
Brian Goff
af8e58faef
Merge pull request #42659 from AkihiroSuda/runc-v1.0.1-2010
[20.10 backport] update runc binary to v1.0.1
2021-07-29 10:48:18 -07:00
Sebastiaan van Stijn
e8fb8f7acd
[20.10] update containerd binary to v1.4.9
Welcome to the v1.4.9 release of containerd!

The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull authorization logic on redirect
- Fix user agent used for fetching registry authentication tokens

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 19:43:43 +02:00
Akihiro Suda
4cfeb27f78
update runc binary to v1.0.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit f50c7644cf)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-20 13:51:38 +09:00
Brian Goff
013d6655bb
Merge pull request #42657 from thaJeztah/20.10_containerd_1.4.8 2021-07-19 16:46:25 -07:00
Sebastiaan van Stijn
067918a8c3
[20.10] update containerd binary v1.4.8
Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-19 21:21:53 +02:00
Akihiro Suda
e7bf9923d4
Merge pull request #42643 from thaJeztah/20.10_backport_bump_go116 2021-07-18 18:50:31 +09:00
Sebastiaan van Stijn
b0da207af4
Bump go 1.16.6 (addresses CVE-2021-34558)
This addresses CVE-2021-34558: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34558

go1.16.6 (released 2021-07-12) includes a security fix to the crypto/tls package,
as well as bug fixes to the compiler, and the net and net/http packages. See the
Go 1.16.6 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe6f1a4067)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:20 +02:00
Sebastiaan van Stijn
abe8c4e80d
updated vendored archive/tar to go1.16.5
result of: `hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3ed804aeca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:18 +02:00
Sebastiaan van Stijn
7c6645b32b
update archive/tar patch for go 1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f400e84a43)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:14 +02:00
Sebastiaan van Stijn
55c363ef48
Bump go 1.16.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae5ddd257c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:10 +02:00
Tianon Gravi
0fbb0f869a
Merge pull request #42642 from thaJeztah/20.10_backport_test_changes_for_go116
[20.10 backport] various test-changes for Go 1.16
2021-07-16 17:32:35 +00:00
Sebastiaan van Stijn
8b0913935c
integration: ensurePlugin: disable go modules when building plugin
=== RUN   TestServicePlugin
        plugin_test.go:42: assertion failed: error is not nil: error building basic plugin bin: no required module provides package github.com/docker/docker/testutil/fixtures/plugin/basic: go.mod file not found in current directory or any parent directory; see 'go help modules'
            : exit status 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7070df3a3e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:25:29 +02:00
Sebastiaan van Stijn
09a7efb1f7
hack/ci/windows.ps1: disable go modules
INFO: Running integration tests at 05/17/2021 12:54:50...
    INFO: DOCKER_HOST at tcp://127.0.0.1:2357
    INFO: Integration API tests being run from the host:
    INFO: make.ps1 starting at 05/17/2021 12:54:50
    powershell.exe : go: cannot find main module, but found vendor.conf in D:\gopath\src\github.com\docker\docker
    At D:\gopath\src\github.com\docker\docker@tmp\durable-1ed00396\powershellWrapper.ps1:3 char:1
    + & powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Comm ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (go: cannot find...m\docker\docker:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

    	to create a module there, run:
    	go mod init
    INFO: make.ps1 ended at 05/17/2021 12:54:51

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8bae2278ba)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:25:18 +02:00
Sebastiaan van Stijn
6793ff26d8
pkg/fileutils: TestMatches: remove cases no longer valid for go1.16
These tests were no longer valid on Go 1.16; related to https://tip.golang.org/doc/go1.16#path/filepath

> The Match and Glob functions now return an error if the unmatched part of
> the pattern has a syntax error. Previously, the functions returned early on
> a failed match, and thus did not report any later syntax error in the pattern.

Causing the test to fail:

    === RUN   TestMatches
        fileutils_test.go:388: assertion failed: error is not nil: syntax error in pattern: pattern="a\\" text="a"
    --- FAIL: TestMatches (0.00s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2842639e0e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:24:50 +02:00
Sebastiaan van Stijn
ab9a92f79c
Update test certificates
Updates the certificates to account for current versions of Go expecting
SANs to be used instead of the Common Name field:

    FAIL: s390x.integration.plugin.authz TestAuthZPluginTLS (0.53s)
    [2020-07-26T09:36:58.638Z]     authz_plugin_test.go:132: assertion failed:
        error is not nil: error during connect: Get "https://localhost:4271/v1.41/version":
        x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe54215fb3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:24:21 +02:00
Sebastiaan van Stijn
1d4a06e610
hack: add script to regenerate certificates
Certificates were originally added in c000cb6471,
but did not include a script to generate them. Current versions of Go expect
certificates to use SAN instead of Common Name fields, so updating the script
to include those;

    x509: certificate relies on legacy Common Name field, use SANs or temporarily
    enable Common Name matching with GODEBUG=x509ignoreCN=0

Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2fea30f146)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:23:47 +02:00