Commit graph

39422 commits

Author SHA1 Message Date
Tibor Vass
59f10e3435
quota: adjust build-tags to allow build without CGO
This is to allow quota package (without tests) to be built without cgo.
makeBackingFsDev was used in helpers but not defined in projectquota_unsupported.go

Also adjust some GoDoc to follow the standard format.

Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7cf079acdb)
Signed-off-by: Pete Woods <pete.woods@circleci.com>
2021-09-20 14:19:22 +01:00
Sebastiaan van Stijn
d24c6dc5cf
Merge pull request #42721 from thaJeztah/20.10_backport_bump_go_1.16.7
[20.10 backport] Update Go to 1.16.7
2021-08-17 14:12:42 +02:00
Sebastiaan van Stijn
decb56ac89
Update Go to 1.16.7
go1.16.7 (released 2021-08-05) includes a security fix to the net/http/httputil
package, as well as bug fixes to the compiler, the linker, the runtime, the go
command, and the net/http package. See the Go 1.16.7 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.7+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b1f7ffea9f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-07 18:16:20 +02:00
Sebastiaan van Stijn
75249d88bc
Merge pull request #42695 from thaJeztah/20.10_update_containerd_1.4.9
[20.10] update containerd binary to v1.4.9
2021-07-30 03:30:57 +02:00
Brian Goff
af8e58faef
Merge pull request #42659 from AkihiroSuda/runc-v1.0.1-2010
[20.10 backport] update runc binary to v1.0.1
2021-07-29 10:48:18 -07:00
Sebastiaan van Stijn
e8fb8f7acd
[20.10] update containerd binary to v1.4.9
Welcome to the v1.4.9 release of containerd!

The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull authorization logic on redirect
- Fix user agent used for fetching registry authentication tokens

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 19:43:43 +02:00
Akihiro Suda
4cfeb27f78
update runc binary to v1.0.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit f50c7644cf)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-20 13:51:38 +09:00
Brian Goff
013d6655bb
Merge pull request #42657 from thaJeztah/20.10_containerd_1.4.8 2021-07-19 16:46:25 -07:00
Sebastiaan van Stijn
067918a8c3
[20.10] update containerd binary v1.4.8
Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-19 21:21:53 +02:00
Akihiro Suda
e7bf9923d4
Merge pull request #42643 from thaJeztah/20.10_backport_bump_go116 2021-07-18 18:50:31 +09:00
Sebastiaan van Stijn
b0da207af4
Bump go 1.16.6 (addresses CVE-2021-34558)
This addresses CVE-2021-34558: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34558

go1.16.6 (released 2021-07-12) includes a security fix to the crypto/tls package,
as well as bug fixes to the compiler, and the net and net/http packages. See the
Go 1.16.6 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe6f1a4067)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:20 +02:00
Sebastiaan van Stijn
abe8c4e80d
updated vendored archive/tar to go1.16.5
result of: `hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3ed804aeca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:18 +02:00
Sebastiaan van Stijn
7c6645b32b
update archive/tar patch for go 1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f400e84a43)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:14 +02:00
Sebastiaan van Stijn
55c363ef48
Bump go 1.16.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae5ddd257c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:10 +02:00
Tianon Gravi
0fbb0f869a
Merge pull request #42642 from thaJeztah/20.10_backport_test_changes_for_go116
[20.10 backport] various test-changes for Go 1.16
2021-07-16 17:32:35 +00:00
Sebastiaan van Stijn
8b0913935c
integration: ensurePlugin: disable go modules when building plugin
=== RUN   TestServicePlugin
        plugin_test.go:42: assertion failed: error is not nil: error building basic plugin bin: no required module provides package github.com/docker/docker/testutil/fixtures/plugin/basic: go.mod file not found in current directory or any parent directory; see 'go help modules'
            : exit status 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7070df3a3e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:25:29 +02:00
Sebastiaan van Stijn
09a7efb1f7
hack/ci/windows.ps1: disable go modules
INFO: Running integration tests at 05/17/2021 12:54:50...
    INFO: DOCKER_HOST at tcp://127.0.0.1:2357
    INFO: Integration API tests being run from the host:
    INFO: make.ps1 starting at 05/17/2021 12:54:50
    powershell.exe : go: cannot find main module, but found vendor.conf in D:\gopath\src\github.com\docker\docker
    At D:\gopath\src\github.com\docker\docker@tmp\durable-1ed00396\powershellWrapper.ps1:3 char:1
    + & powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Comm ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (go: cannot find...m\docker\docker:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

    	to create a module there, run:
    	go mod init
    INFO: make.ps1 ended at 05/17/2021 12:54:51

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8bae2278ba)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:25:18 +02:00
Sebastiaan van Stijn
6793ff26d8
pkg/fileutils: TestMatches: remove cases no longer valid for go1.16
These tests were no longer valid on Go 1.16; related to https://tip.golang.org/doc/go1.16#path/filepath

> The Match and Glob functions now return an error if the unmatched part of
> the pattern has a syntax error. Previously, the functions returned early on
> a failed match, and thus did not report any later syntax error in the pattern.

Causing the test to fail:

    === RUN   TestMatches
        fileutils_test.go:388: assertion failed: error is not nil: syntax error in pattern: pattern="a\\" text="a"
    --- FAIL: TestMatches (0.00s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2842639e0e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:24:50 +02:00
Sebastiaan van Stijn
ab9a92f79c
Update test certificates
Updates the certificates to account for current versions of Go expecting
SANs to be used instead of the Common Name field:

    FAIL: s390x.integration.plugin.authz TestAuthZPluginTLS (0.53s)
    [2020-07-26T09:36:58.638Z]     authz_plugin_test.go:132: assertion failed:
        error is not nil: error during connect: Get "https://localhost:4271/v1.41/version":
        x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe54215fb3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:24:21 +02:00
Sebastiaan van Stijn
1d4a06e610
hack: add script to regenerate certificates
Certificates were originally added in c000cb6471,
but did not include a script to generate them. Current versions of Go expect
certificates to use SAN instead of Common Name fields, so updating the script
to include those;

    x509: certificate relies on legacy Common Name field, use SANs or temporarily
    enable Common Name matching with GODEBUG=x509ignoreCN=0

Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2fea30f146)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:23:47 +02:00
moby
feaca9816a
hack/vendor: add check for vendored archive/tar
Also allow re-vendoring using `./hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 31b2c3bbd9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:23:01 +02:00
Sebastiaan van Stijn
cc5a381cbc
Merge pull request #42633 from thaJeztah/20.10_backport_warn_on_non_matching_platform
[20.10 backport] docker pull: warn when pulled single-arch image does not match --platform
2021-07-15 20:46:08 +02:00
Sebastiaan van Stijn
8b224ca06c
Merge pull request #42462 from AkihiroSuda/cherrypick-rootless-selinux-42334
[20.10 backport] rootless:  avoid /run/xtables.lock EACCES on SELinux hosts  ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
2021-07-15 20:45:36 +02:00
Sebastiaan van Stijn
a5044765b9
Merge pull request #42479 from AkihiroSuda/cherrypick-42071
[20.10 backport] Fix setting swaplimit=true without checking
2021-07-15 20:44:23 +02:00
Sebastiaan van Stijn
8a2af96969
Merge pull request #42591 from thaJeztah/20.10_backport_update_s390x_ubuntu_2004
[20.10 backport] Run s390x tests on Ubuntu 20.04
2021-07-15 20:42:09 +02:00
Sebastiaan van Stijn
c37c7b5c95
Merge pull request #42613 from thaJeztah/20.10_update_hcsshim
[20.10] vendor github.com/Microsoft/hcsshim 64a2b71405dacf76c95600f4c756a991ad09cf7c (moby branch)
2021-07-15 20:39:53 +02:00
Brian Goff
883cc3682d
Merge pull request #42602 from thaJeztah/20.10_backport_swagger_404
[20.10 backport] API: fix 404 status description on container create
2021-07-15 11:34:29 -07:00
Brian Goff
a1a73d1477
Merge pull request #42568 from thaJeztah/20.10_backport_runc_v1.0.0
[20.10 backport] update runc binary to v1.0.0 GA
2021-07-15 11:32:20 -07:00
Brian Goff
555bf586c7
Merge pull request #42637 from thaJeztah/20.10_update_containerd
[20.10] update containerd binary to v1.4.7
2021-07-15 11:30:13 -07:00
Sebastiaan van Stijn
4b407e4140
Merge pull request #42595 from thaJeztah/20.10_backport_update_swagger_fork
[20.10 backport] Dockerfile: update go-swagger to fix validation on Go1.16
2021-07-14 10:11:59 +02:00
Sebastiaan van Stijn
793340a33a
[20.10] update containerd binary to v1.4.7
full diff: https://github.com/containerd/containerd/compare/v1.4.6...v1.4.7

Welcome to the v1.4.7 release of containerd!

The seventh patch release for containerd 1.4 updates runc to 1.0.0 and contains
various other fixes.

Notable Updates

- Update runc binary to 1.0.0
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix symlink resolution for disk mounts on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-13 23:41:22 +02:00
Sebastiaan van Stijn
7429792eed
docker pull: warn when pulled single-arch image does not match --platform
This takes the same approach as was implemented on `docker build`, where a warning
is printed if `FROM --platform=...` is used (added in 399695305c)

Before:

    docker rmi armhf/busybox
    docker pull --platform=linux/s390x armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    docker.io/armhf/busybox:latest

With this change:

    docker rmi armhf/busybox
    docker pull --platform=linux/s390x armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    WARNING: image with reference armhf/busybox was found but does not match the specified platform: wanted linux/s390x, actual: linux/arm64
    docker.io/armhf/busybox:latest

And daemon logs print:

   WARN[2021-04-26T11:19:37.153572667Z] ignoring platform mismatch on single-arch image  error="image with reference armhf/busybox was found but does not match the specified platform: wanted linux/s390x, actual: linux/arm64" image=armhf/busybox

When pulling without specifying `--platform, no warning is currently printed (but we can add a warning in future);

    docker rmi armhf/busybox
    docker pull armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    docker.io/armhf/busybox:latest

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 424c0eb3c0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-13 17:06:58 +02:00
Sebastiaan van Stijn
72b66d56a5
[20.10] vendor github.com/Microsoft/hcsshim 64a2b71405dacf76c95600f4c756a991ad09cf7c (moby branch)
Brings in microsoft/hcsshim#1065, which fixes #42610.

full diff: 89a9a3b524...64a2b71405

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-09 20:06:40 +02:00
Sebastiaan van Stijn
50c392c9ff
API: fix 404 status description on container create
This updates the current swagger file, and all docs versions
with the same fix as ff1d9a3ec5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 68b095d4df)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-07 11:50:43 +02:00
Matt Morrison
025e3a7898
Update v1.41.yaml
fix containers/create 404 response description

Signed-off-by: Matt Morrison <3241034+Emdot@users.noreply.github.com>
(cherry picked from commit ff1d9a3ec5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-07 11:50:26 +02:00
Akihiro Suda
b9cf7b7db5
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc` .

See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 8610d8ce4c)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-06 18:57:43 +09:00
Akihiro Suda
869b50e10b
rootless: disable overlay2 if running with SELinux
Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux.

On the other hand, fuse-overlayfs is compatible.

Close issue 42333

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 4300a52606)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-06 18:57:39 +09:00
Akihiro Suda
44f95c7126
dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts
Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

e6fc34b71a/libpod/networking_linux.go (L396-L401)

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cdaf82ba3f)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-06 18:57:38 +09:00
Sebastiaan van Stijn
78bb0f445a
Dockerfile: update go-swagger to fix validation on Go1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 42d2048b9d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-03 17:23:07 +02:00
Stefan Scherer
618f6a79ab
Run s390x tests on Ubuntu 20.04
Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit 7a6cac2b23)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 14:41:13 +02:00
Akihiro Suda
872cb16edb
update runc binary to v1.0.0 GA
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 64badfc018)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-24 22:19:37 +02:00
Sebastiaan van Stijn
46a7ebc540
Merge pull request #42561 from ameyag/20.10-logbroker
[20.10] vendor: swarmkit to fix deadlock in log broker (bump_20.10)
2021-06-24 15:23:30 +02:00
Ameya Gawde
4d42e18c05
vendor: swarmkit to fix deadlock in log broker
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2021-06-23 16:45:51 -07:00
Akihiro Suda
87e28a6171
Merge pull request #42538 from ameyag/20.10-overlap-ip
[20.10 backport] Fix possible overlapping IPs
2021-06-19 18:05:46 +09:00
Drew Erny
89edb68e89
Fix possible overlapping IPs
A node is no longer using its load balancer IP address when it no longer
has tasks that use the network that requires that load balancer. When
this occurs, the swarmkit manager will free that IP in IPAM, and may
reaassign it.

When a task shuts down cleanly, it attempts removal of the networks it
uses, and if it is the last task using those networks, this removal
succeeds, and the load balancer IP is freed.

However, this behavior is absent if the container fails. Removal of the
networks is never attempted.

To address this issue, I amend the executor. Whenever a node load
balancer IP is removed or changed, that information is passedd to the
executor by way of the Configure method. By keeping track of the set of
node NetworkAttachments from the previous call to Configure, we can
determine which, if any, have been removed or changed.

At first, this seems to create a race, by which a task can be attempting
to start and the network is removed right out from under it. However,
this is already addressed in the controller. The controller will attempt
to recreate missing networks before starting a task.

Signed-off-by: Drew Erny <derny@mirantis.com>
(cherry picked from commit 0d9b0ed678)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2021-06-18 10:13:59 -07:00
Tianon Gravi
4d29d58a65
Merge pull request #42507 from thaJeztah/20.10_backport_disable_power_z
[20.10 backport] Jenkinsfile: skip ppc64le and s390x by default on pull requests
2021-06-10 12:06:52 -07:00
Sebastiaan van Stijn
523f8b397c
Jenkinsfile: skip ppc64le and s390x by default on pull requests
This changes CI to skip these platforms by default. The ppc64le and s390x
machines are "pet machines", configuration may be outdated, and these
machines are known to be flaky.

Building and verifying packages for these platforms is being handed
over to the IBM team.

We can still run these platforms for specific pull requests by selecting
the checkboxes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 82c7e906ea)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 14:05:07 +02:00
Jakub Guzik
a57fc0eb15
Fix setting swaplimit=true without checking
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
(cherry picked from commit 7ef6ece774)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-06-07 17:27:35 +09:00
Brian Goff
b0f5bc36fe
Merge pull request #42352 from AkihiroSuda/cherrypick-41724
[20.10 backport] Use v2 capabilities in layer archives
2021-06-01 15:34:42 -07:00
Brian Goff
497c50a575
Merge pull request #42448 from thaJeztah/20.10_backport_update_buildkit
[20.10 backport] vendor: github.com/moby/buildkit v0.8.3-3-g244e8cde
2021-06-01 15:13:27 -07:00