Commit graph

3309 commits

Author SHA1 Message Date
Akihiro Suda
58c1c7b8dc
Limit OOMScoreAdj when running in UserNS ("Rootful-in-Rootless")
Fix issue 46563 "Rootful-in-Rootless dind doesn't work since systemd v250 (due to oom score adj)"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit ad877271f3)
> Conflicts:
>	daemon/oci_linux.go
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-10-12 07:29:15 +09:00
Sebastiaan van Stijn
4e11c149d1
pkg/tailfile: rename max/min as it collides with go1.21 builtin
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 79495c5b6a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:20:39 +02:00
Sebastiaan van Stijn
0b97ecddb0
pkg/plugins: rename max/min as it collides with go1.21 builtin
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df2f25a977)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:20:31 +02:00
Sebastiaan van Stijn
710c748801
pkg/sysinfo: rename max/min as it collides with go1.21 builtin
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6c036f267f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:20:23 +02:00
Sebastiaan van Stijn
b340a777c0
pkg/archive: rename max/min as it collides with go1.21 builtin
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55192de9e3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 14:20:16 +02:00
Paweł Gronowski
49671250f6
c8d/commit: Don't produce an empty layer
If the diff is empty, don't produce an empty layer.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit eb56493f4e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 18:59:27 +02:00
Sebastiaan van Stijn
deea880581
pkg/jsonmessage: use string-literals for easier grep'ing
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ec11aea880)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 00:51:38 +02:00
Sebastiaan van Stijn
962a4f434f
pkg/ioutils: use string-literals for easier grep'ing
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fded42c3bd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 00:51:28 +02:00
Sebastiaan van Stijn
cea5829402
pkg/idtools: use string-literals for easier grep'ing
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1da079f211)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 00:51:19 +02:00
Sebastiaan van Stijn
547ea18fbb
pkg/plugins: use a dummy hostname for local connections
For local communications (npipe://, unix://), the hostname is not used,
but we need a valid and meaningful hostname.

The current code used the socket path as hostname, which gets rejected by
go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406][1],
which was implemented in https://go.dev/issue/60374.

Prior versions of Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.

Before this patch, tests would fail on go1.20.6:

    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6b7705d5b2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 20:36:44 +02:00
Cory Snider
a3049653c1 pkg/plugins: make unit test less time sensitive
TestClientWithRequestTimeout has been observed to flake in CI. The
timing in the test is quite tight, only giving the client a 10ms window
to time out, which could potentially be missed if the host is under
load and the goroutine scheduling is unlucky. Give the client a full
five seconds of grace to time out before failing the test.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 9cee34bc94)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-07 15:42:59 -04:00
Sebastiaan van Stijn
aace62f6d3
pkg/fileutils: GetTotalUsedFds(): use fast-path for Kernel 6.2 and up
Linux 6.2 and up (commit [f1f1f2569901ec5b9d425f2e91c09a0e320768f3][1])
provides a fast path for the number of open files for the process.

From the [Linux docs][2]:

> The number of open files for the process is stored in 'size' member of
> `stat()` output for /proc/<pid>/fd for fast access.

[1]: f1f1f25699
[2]: https://docs.kernel.org/filesystems/proc.html#proc-pid-fd-list-of-symlinks-to-open-files

This patch adds a fast-path for Kernels that support this, and falls back
to the slow path if the Size field is zero.

Comparing on a Fedora 38 (kernel 6.2.9-300.fc38.x86_64):

Before/After:

    go test -bench ^BenchmarkGetTotalUsedFds$ -run ^$ ./pkg/fileutils/
    BenchmarkGetTotalUsedFds        57264     18595 ns/op     408 B/op      10 allocs/op
    BenchmarkGetTotalUsedFds       370392      3271 ns/op      40 B/op       3 allocs/op

Note that the slow path has 1 more file-descriptor, due to the open
file-handle for /proc/<pid>/fd during the calculation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ec79d0fc05)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 18:30:34 +02:00
Sebastiaan van Stijn
bb50485dfd
pkg/fileutils: GetTotalUsedFds: reduce allocations
Use File.Readdirnames instead of os.ReadDir, as we're only interested in
the number of files, and results don't have to be sorted.

Before:

    BenchmarkGetTotalUsedFds-5   	  149272	      7896 ns/op	     945 B/op	      20 allocs/op

After:

    BenchmarkGetTotalUsedFds-5   	  153517	      7644 ns/op	     408 B/op	      10 allocs/op

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit eaa9494b71)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 18:30:24 +02:00
Sebastiaan van Stijn
5dcea89ce1
pkg/fileutils: add BenchmarkGetTotalUsedFds
    go test -bench ^BenchmarkGetTotalUsedFds$ -run ^$ ./pkg/fileutils/
    goos: linux
    goarch: arm64
    pkg: github.com/docker/docker/pkg/fileutils
    BenchmarkGetTotalUsedFds-5   	  149272	      7896 ns/op	     945 B/op	      20 allocs/op

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 03390be5fa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 18:29:27 +02:00
Sebastiaan van Stijn
01eb4835c9
pkg/fileutils: GetTotalUsedFds(): don't pretend to support FreeBSD
Commit 8d56108ffb moved this function from
the generic (no build-tags) fileutils.go to a unix file, adding "freebsd"
to the build-tags.

This likely was a wrong assumption (as other files had freebsd build-tags).
FreeBSD's procfs does not mention `/proc/<pid>/fd` in the manpage, and
we don't test FreeBSD in CI, so let's drop it, and make this a Linux-only
file.

While updating also dropping the import-tag, as we're planning to move
this file internal to the daemon.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 252e94f499)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 18:29:17 +02:00
Sebastiaan van Stijn
cd44aba8db
[24.0] pkg/fileutils: switch to use containerd log pkg
(very) partial backport of 74da6a6363
and ab35df454d

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 18:28:55 +02:00
Cory Snider
210c4d6f4b
daemon: ensure OCI options play nicely together
Audit the OCI spec options used for Linux containers to ensure they are
less order-dependent. Ensure they don't assume that any pointer fields
are non-nil and that they don't unintentionally clobber mutations to the
spec applied by other options.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 8a094fe609)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-21 22:16:28 +02:00
Nicolas De Loof
789a8755b8
run getent with a noop stdin
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
(cherry picked from commit 3cc5d62f8a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 13:12:00 +02:00
Cory Snider
f77a3274b4
[chore] clean up reexec.Init() calls
Now that most uses of reexec have been replaced with non-reexec
solutions, most of the reexec.Init() calls peppered throughout the test
suites are unnecessary. Furthermore, most of the reexec.Init() calls in
test code neglect to check the return value to determine whether to
exit, which would result in the reexec'ed subprocesses proceeding to run
the tests, which would reexec another subprocess which would proceed to
run the tests, recursively. (That would explain why every reexec
callback used to unconditionally call os.Exit() instead of returning...)

Remove unneeded reexec.Init() calls from test and example code which no
longer needs it, and fix the reexec.Init() calls which are not inert to
exit after a reexec callback is invoked.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 4e0319c878)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-11 16:31:41 +02:00
Sebastiaan van Stijn
bfffb0974e
pkg/aaparser: deprecate GetVersion, as it's no longer used
Our templates no longer contain version-specific rules, so this function
is no longer used. This patch deprecates it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e3e715666f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 16:49:45 +02:00
Sebastiaan van Stijn
3e6092f5b2
pkg/jsonmessage: touch-up GoDoc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-04 13:46:11 +02:00
Sebastiaan van Stijn
05cb0e5a7d
pkg/jsonmessage: JSONProgress.String(), JSONProgress.now(): simplify
- inline an intermediate variable
- remove a redundant intermediate function

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-04 13:46:10 +02:00
Sebastiaan van Stijn
4cadee65b3
pkg/jsonmessage: JSONMessage.Display(): remove special case for 401 errors
This special case was added in 3043c26419 as
a sentinel error (`AuthRequiredError`) to check whether authentication
is required (and to prompt the users to authenticate). A later refactor
(946bbee39a) removed the `AuthRequiredError`,
but kept the error-message and logic.

Starting with fcee6056dc, it looks like we
no longer depend on this specific error, so we can return the registry's
error message instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-04 13:46:10 +02:00
Sebastiaan van Stijn
c80f205f86
Merge pull request #45298 from thaJeztah/pkg_pkatform_cleanup
pkg/platform: cleanup, and deprecate OSType
2023-04-27 02:02:41 +02:00
Tobias Klauser
4ec063fade
pkg/sysinfo: omit Getpid call in numCPU
The man page for sched_setaffinity(2) states the following about the pid
argument [1]:

> If pid is zero, then the mask of the calling thread is returned.

Thus the additional call to unix.Getpid can be omitted and pid = 0
passed to unix.SchedGetaffinity.

[1] https://man7.org/linux/man-pages/man2/sched_setaffinity.2.html#DESCRIPTION

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
2023-04-25 10:05:20 +02:00
Sebastiaan van Stijn
5c78cbd3be
pkg/platform: deprecate OSType in favor of runtime.GOOS
This const looks to only be there for "convenience", or _possibly_ was created
with future normalization or special handling in mind.

In either case, currently it is just a direct copy (alias) for runtime.GOOS,
and defining our own type for this gives the impression that it's more than
that. It's only used in a single place, and there's no external consumers, so
let's deprecate this const, and use runtime.GOOS instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-08 14:57:33 +02:00
Sebastiaan van Stijn
cf9a76fe8f
pkg/platform: un-export consts that are only for internal use
These consts are only used internally, and never returned to the user.
Un-export to make it clear these are not for external consumption.

While looking at the code, I also noticed that we may be using the wrong
Windows API to collect this information (and found an implementation elsewhere
that does use the correct API). I did not yet update the code, in case there
are specific reasons.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-08 14:57:30 +02:00
Sebastiaan van Stijn
790dd8cc92
pkg/platform: use const for OSType, improve GoDoc
It was not immediately clear why we were not using runtime.GOARCH for
these (with a conversion to other formats, such as x86_64). These docs
are based on comments that were posted when implementing this package;

- https://github.com/moby/moby/pull/13921#issuecomment-130106474
- https://github.com/moby/moby/pull/13921#issuecomment-140270124

Some links were now redirecting to a new location, so updated them to
not depend on the redirect.

While at it, also updated a call to logrus to use structured formatting
(WithError()).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-07 23:06:56 +02:00
Sebastiaan van Stijn
87019144f6
pkg/platform: replace use of deprecated syscall.Syscall
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-07 22:53:42 +02:00
Sebastiaan van Stijn
7ca38d64d2
pkg/platform: move package doc to platform-agnostic file
Make sure the package's documentation is available for any platform,
not just "unix".

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-07 22:49:39 +02:00
Sebastiaan van Stijn
9434919f76
pkg/platform: rename files for consistency
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-07 22:43:54 +02:00
Sebastiaan van Stijn
e59f7fba6a
pkg/fileutils: remove aliases for deprecated functions and types
commit 3c69b9f2c5 replaced these functions
and types with github.com/moby/patternmatcher. That commit has shipped with
docker 23.0, and BuildKit v0.11 no longer uses the old functions, so we can
remove these.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-03 15:00:51 +02:00
Sebastiaan van Stijn
2d49080056
pkg/sysinfo: move MemInfo and ReadMemInfo to a separate package
Commit 6a516acb2e moved the MemInfo type and
ReadMemInfo() function into the pkg/sysinfo package. In an attempt to assist
consumers of these to migrate to the new location, an alias was added.

Unfortunately, the side effect of this alias is that pkg/system now depends
on pkg/sysinfo, which means that consumers of this (such as docker/cli) now
get all (indirect) dependencies of that package as dependency, which includes
many dependencies that should only be needed for the daemon / runtime;

- github.com/cilium/ebpf
- github.com/containerd/cgroups
- github.com/coreos/go-systemd/v22
- github.com/godbus/dbus/v5
- github.com/moby/sys/mountinfo
- github.com/opencontainers/runtime-spec

This patch moves the MemInfo related code to its own package. As the previous move
was not yet part of a release, we're not adding new aliases in pkg/sysinfo.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-15 17:52:45 +01:00
Akihiro Suda
e807ae4f2e
vendor: github.com/containerd/cgroups/v3 v3.0.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-03-08 20:15:17 +09:00
Cory Snider
dea3f2b417 Migrate away from things deprecated in Go 1.20
"math/rand".Seed
  - Migrate to using local RNG instances.

"archive/tar".TypeRegA
  - The deprecated constant tar.TypeRegA is the same value as
    tar.TypeReg and so is not needed at all.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-15 12:30:32 -05:00
Akihiro Suda
b3c5352386
rootless: support --ipc=host
Fix issue 44294

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-01-21 01:00:27 +09:00
Bjorn Neergaard
b34ffc99b8
Merge pull request #43112 from ningmingxiao/dev1
fix blockThreshold full deadlock bug
2023-01-19 14:23:44 -07:00
Gabriel Adrian Samfira
f49c88f1c4
Disable chrootarchive.init() on Windows
Disables user.Lookup() and net.LookupHost() in the init() function on Windows.

Any package that simply imports pkg/chrootarchive will panic on Windows
Nano Server, due to missing netapi32.dll. While docker itself is not
meant to run on Nano Server, binaries that may import this package and
run on Nano server, will fail even if they don't really use any of the
functionality in this package while running on Nano.

Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
2023-01-18 16:34:13 +02:00
Roy Reznik
ff14f8ef16 Add GetLibHome stub for non-linux OS
Signed-off-by: Roy Reznik <roy@wiz.io>
2023-01-17 15:28:08 +02:00
ningmingxiao
dcfe23a038 fix blockThreshold full bug
Signed-off-by: ningmingxiao <ning.mingxiao@zte.com.cn>
2023-01-17 12:56:43 +08:00
Cory Snider
0b83fd3217 ioutils: add regression test for bytespipe deadlock
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-01-16 14:27:44 -05:00
Bjorn Neergaard
eb20ed1f69
Merge pull request #44789 from jg-public/specspath-to-registry
plugins: Move SpecPaths into LocalRegistry
2023-01-14 15:09:12 -07:00
Jan Garcia
833096ce42 homedir: fall back to user.Current().homeDir if XDG_DATA_HOME/XDG_CONFIG_HOME and HOME are unset
Signed-off-by: Jan Garcia <github-public@n-garcia.com>
2023-01-14 17:38:34 +01:00
Jan Garcia
1e1d326b50 plugins: Move GlobalSpecPaths into LocalRegistry
Signed-off-by: Jan Garcia <github-public@n-garcia.com>
2023-01-10 21:33:49 +01:00
Jan Garcia
6ab12ec8f4 rootless: move ./rootless to ./pkg/rootless
Signed-off-by: Jan Garcia <github-public@n-garcia.com>
2023-01-09 16:26:06 +01:00
Jan Garcia
c1bd5e9144 Use user paths for plugin discovery in rootless mode
Signed-off-by: Jan Garcia <github-public@n-garcia.com>
2023-01-09 16:26:06 +01:00
Sebastiaan van Stijn
937491288e
Merge pull request #43818 from thaJeztah/image_inspect
add support for image inspect with containerd-integration
2023-01-06 17:40:15 +01:00
Nicolas De Loof
1616a09b61 add support for image inspect with containerd-integration
This is a squashed version of various PRs (or related code-changes)
to implement image inspect with the containerd-integration;

- add support for image inspect
- introduce GetImageOpts to manage image inspect data in backend
- GetImage to return image tags with details
- list images matching digest to discover all tags
- Add ExposedPorts and Volumes to the image returned
- Refactor resolving/getting images
- Return the image ID on inspect
- consider digest and ignore tag when both are set
- docker run --platform

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-05 16:20:41 +01:00
Sebastiaan van Stijn
c4ed09ad4e
Merge pull request #44663 from thaJeztah/move_meminfo
pkg/system: move memory-info types to pkg/systeminfo, and minor refactor
2022-12-27 13:07:09 +01:00
Sebastiaan van Stijn
6a91e09218
pkg/parsers: use strings.Cut(), and cleanup error-messages
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-21 11:09:03 +01:00