Commit graph

58 commits

Author SHA1 Message Date
CrazyMax
6d59619d6e
ci: reduce cache throttling limits
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-21 22:41:45 +02:00
Sebastiaan van Stijn
6d20ea5c38
Merge pull request #44134 from crazy-max/test-summary
ci(test): report summary output
2022-09-21 18:07:58 +02:00
CrazyMax
5e50d002f1
ci: fix branch filter pattern
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-20 21:17:29 +02:00
CrazyMax
7b9877bd8a
ci(test): report summary output
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-12 15:20:32 +02:00
CrazyMax
7602edfd06
ci: reusable dco workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-10 15:10:51 +02:00
CrazyMax
5a98363a92
ci(test): dynamic validate matrix
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-10 15:10:51 +02:00
CrazyMax
a73d78f8d5
ci(test): validate job matrix
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-09 02:24:17 +02:00
CrazyMax
36688496ca
ci: fix .windows workflow name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-08 12:12:03 +02:00
CrazyMax
807c849431
ci(test): send coverage to codecov
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-08 12:12:03 +02:00
CrazyMax
4c8af0e2f9
ci(test): upload reports
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-08 12:12:02 +02:00
CrazyMax
2e04be3fb9
ci: gha test workflow for integration and unit test
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-07 22:52:34 +02:00
Sebastiaan van Stijn
1eadbdd9fa
Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-07 15:27:19 +02:00
Sebastiaan van Stijn
58413c15cb
update to golang 1.19
also ran gofmt with go1.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-07 15:27:16 +02:00
Sebastiaan van Stijn
cba36a064d
Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.18.6 (released 2022-09-06) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the pprof command, the
runtime, and the crypto/tls, encoding/xml, and net packages. See the Go 1.18.6
milestone on the issue tracker for details;

https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:23:40 +02:00
CrazyMax
a4d081cc17
ci: move buildkit tests to a dedicated workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-29 22:52:34 +02:00
CrazyMax
65fdd10d4e
ci(windows): move windows-2019 to another workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-26 14:25:09 +02:00
CrazyMax
8e8d9a3650
ci: fix broken workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-26 04:30:04 +02:00
Sebastiaan van Stijn
6217f8001e
gha: temporarily pin BuildKit integration test version
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-25 21:32:05 +02:00
Cory Snider
23b8fcc74d ci: print Windows daemon event log timestamps
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-23 14:16:21 -04:00
CrazyMax
e05f614267
vendor buildkit 8e2d9b9 (v0.10 branch)
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-05 14:40:46 +02:00
Sebastiaan van Stijn
f1d71f7cc3
Update golang to 1.18.5
Update Go runtime to 1.18.5 to address CVE-2022-32189.

Full diff: https://github.com/golang/go/compare/go1.18.4...go1.18.5

--------------------------------------------------------

From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10

We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.

These minor releases include 1 security fixes following the security
policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is
too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-03 20:08:21 +02:00
Sebastiaan van Stijn
34b8670b1a
update golang to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 10:42:27 +02:00
Brian Goff
ab6b40e5a9 Add github issue forms
This uses the newer github issues forms to create bug reports and
feature requests.

It also makes it harder for people to accidentally open a blank issue
since there are required fields that must be filled in.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2022-07-06 18:16:53 +00:00
CrazyMax
15716fc9ae
ci(windows): test report summary output
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-17 10:59:05 +02:00
CrazyMax
ca8b659a06
ci(integration-cli): move integration-cli run to make script
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-17 10:59:05 +02:00
CrazyMax
1887d85e21
ci(integration-cli): dynamically split tests in matrix
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-17 10:59:04 +02:00
Sebastiaan van Stijn
6f1cefe385
Merge pull request #43678 from crazy-max/ci-concurrency
ci: add concurrency check
2022-06-02 21:22:01 +02:00
CrazyMax
a0a6b82a0d
ci: add concurrency check
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-06-02 15:21:05 +02:00
Sebastiaan van Stijn
c1a9ffc97a
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:16:46 +02:00
CrazyMax
6ecbd078c2
ci(windows): upload test reports with logs
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-31 22:19:23 +02:00
Sebastiaan van Stijn
235f86270d
Merge pull request #43479 from crazy-max/gha-win-tests
ci: github action workflow for windows
2022-05-23 11:54:32 +02:00
CrazyMax
15ed58ffb5
ci(windows): upload coverage to codecov
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-20 10:12:10 +02:00
Sebastiaan van Stijn
80862d61d0
gha: temporarily override buildkit version for tests
This includes a single fix that only affects the tests, so using
a temporary override to update the tests to make CI pass, but keeping
the module version to the tagged release.

https://github.com/moby/buildkit/compare/v0.10.3..0da740f7d4f782a52b416a44f564ac37504b9ee1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-20 00:32:07 +02:00
CrazyMax
890de00f02
ci: windows gha workflow (integration test)
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-19 21:19:09 +02:00
CrazyMax
71ba8cf24f
ci: windows gha workflow (unit test)
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-19 21:19:09 +02:00
CrazyMax
958fa08711
ci: windows gha workflow (build)
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-05-19 21:19:09 +02:00
CrazyMax
fd2143e0b0
use go-winres for cross to create Windows resources
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-14 19:52:35 +02:00
CrazyMax
170049225c
ci: add cross job in ci workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:03:54 +02:00
CrazyMax
d730d550e2
ci: set shorter retention period for artifacts
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:01:24 +02:00
CrazyMax
c2dfb60e31
ci: update upload-artifact and download-artifact actions to v3
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-04-10 21:01:24 +02:00
CrazyMax
32f0561715
ci: buildkit integration test
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-03-23 16:07:04 +01:00
CrazyMax
da068165f6
ci: simple gha workflow to build docker daemon
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-03-14 06:33:50 +01:00
Sebastiaan van Stijn
e047d984dc
Remove LCOW code (step 1)
The LCOW implementation in dockerd has been deprecated in favor of re-implementation
in containerd (in progress). Microsoft started removing the LCOW V1 code from the
build dependencies we use in Microsoft/opengcs (soon to be part of Microsoft/hcshhim),
which means that we need to start removing this code.

This first step removes the lcow graphdriver, the LCOW initialization code, and
some LCOW-related utilities.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-03 21:16:21 +02:00
John Howard
8988448729 Remove refs to jhowardmsft from .go code
Signed-off-by: John Howard <jhoward@microsoft.com>
2019-09-25 10:51:18 -07:00
Akihiro Suda
e7fbe8e457 hack: remove integration-cli-on-swarm
integration-on-swarm had unnecessary complexity and was too hard to
maintain. Also, it didn't support the new non-CLI integration test suite.

I'm now doing some experiments out of the repo using Kubernetes:
https://github.com/AkihiroSuda/kube-moby-integration

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-06-01 04:45:26 +09:00
Vincent Demeester
4627bc8a26
Remove myself from codeowners 😅
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2019-01-10 17:32:26 +01:00
Daniel Nephin
60db693e48 Remove myself from codeowners of client/**
Signed-off-by: Daniel Nephin <dnephin@gmail.com>
2018-11-02 21:00:39 -04:00
Daniel Nephin
92dfe76911 Remove myself from CODEOWNERS
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-03-26 13:45:05 -04:00
Vincent Demeester
d040d637a9
Rename a few docker to moby
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2017-10-25 13:56:12 +02:00
Frieder Bluemle
b80472cef4
Fix GitHub spelling
Signed-off-by: Frieder Bluemle <frieder.bluemle@gmail.com>
2017-10-07 00:10:24 +08:00