Commit graph

3017 commits

Author SHA1 Message Date
Sebastiaan van Stijn
056be8b7b0
Merge pull request #46473 from thaJeztah/c8d_logs
migrate to github.com/containerd/log v0.1.0
2023-10-12 10:35:02 +02:00
Sebastiaan van Stijn
bb8bc1ffc8
update to go1.21.3
go1.21.3 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.21.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.2...go1.21.3

From the security mailing:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:01:17 +02:00
Sebastiaan van Stijn
3bc45d78c9
update to go1.21.2
go1.21.2 (released 2023-10-05) includes one security fixes to the cmd/go package,
as well as bug fixes to the compiler, the go command, the linker, the runtime,
and the runtime/metrics package. See the Go 1.21.2 milestone on our issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.21.2+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.21.1...go1.21.2

From the security mailing:

[security] Go 1.21.2 and Go 1.20.9 are released

Hello gophers,

We have just released Go versions 1.21.2 and 1.20.9, minor point releases.

These minor releases include 1 security fixes following the security policy:

- cmd/go: line directives allows arbitrary execution during build

  "//line" directives can be used to bypass the restrictions on "//go:cgo_"
  directives, allowing blocked linker and compiler flags to be passed during
  compliation. This can result in unexpected execution of arbitrary code when
  running "go build". The line directive requires the absolute path of the file in
  which the directive lives, which makes exploting this issue significantly more
  complex.

  This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 20:01:05 +02:00
Sebastiaan van Stijn
cff4f20c44
migrate to github.com/containerd/log v0.1.0
The github.com/containerd/containerd/log package was moved to a separate
module, which will also be used by upcoming (patch) releases of containerd.

This patch moves our own uses of the package to use the new module.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 17:52:23 +02:00
Sebastiaan van Stijn
a293cd6ab9
vendor: github.com/containerd/containerd v1.7.7
full diff: https://github.com/containerd/containerd/compare/v1.7.6...v1.7.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-10 14:47:44 +02:00
Sebastiaan van Stijn
e2c23ed57d
Merge pull request #46069 from thaJeztah/update_to_go1.21
update to go1.21.1, default to GOTOOLCHAIN=local
2023-09-28 20:24:21 +02:00
Bjorn Neergaard
16063c7456
vendor.mod: bump go line to 1.20
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-09-28 10:01:25 -06:00
Sebastiaan van Stijn
e465ebf2f3
update to go1.21.1, and fix download-URL
This required changes to the download-URL, as downloads are now provided
using the full version (including the `.0` patch version);

    curl -sI https://go.dev/dl/go1.21.windows-amd64.zip | grep 'location'
    location: https://dl.google.com/go/go1.21.windows-amd64.zip

    curl -sI https://dl.google.com/go/go1.21.windows-amd64.zip
    HTTP/2 404
    # ...

    curl -sI https://dl.google.com/go/go1.21.0.windows-amd64.zip
    HTTP/2 200
    # ...

Unfortunately this also means that the GO_VERSION can no longer be set to
versions lower than 1.21.0 (without additional changes), because older
versions do NOT provide the `.0` version, and Go 1.21.0 and up, no longer
provides URLs _without_ the `.0` version.

Co-authored-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 00:51:34 +02:00
Sebastiaan van Stijn
aa282973d4
Dockerfile: use GOTOOLCHAIN=local
Related discussion in https://github.com/docker-library/golang/issues/472

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-28 00:51:18 +02:00
Albin Kerouanton
41c186c344
hack: Run integration tests through Delve
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-26 15:42:11 +02:00
Sebastiaan van Stijn
24102aa8ca
update containerd binary to v1.7.6
Update the version used in testing;

full diff: https://github.com/containerd/containerd/compare/v1.7.3...v1.7.6

v1.7.6 release notes:

full diff: https://github.com/containerd/containerd/compare/v1.7.5...v1.7.6

The sixth patch release for containerd 1.7 contains various fixes and updates.

- Fix log package for clients overwriting the global logger
- Fix blockfile snapshotter copy on Darwin
- Add support for Linux usernames on non-Linux platforms
- Update Windows platform matcher to invoke stable ABI compability function
- Update Golang to 1.20.8
- Update push to inherit distribution sources from parent

v1.7.5 release notes:

full diff: https://github.com/containerd/containerd/compare/v1.7.4...v1.7.5

The fifth patch release for containerd 1.7 fixes a versioning issue from
the previous release and includes some internal logging API changes.

v1.7.4 release notes:

full diff: https://github.com/containerd/containerd/compare/v1.7.3...v1.7.4

The fourth patch release for containerd 1.7 contains remote differ plugin support,
a new block file based snapshotter, and various fixes and updates.

Notable Updates

- Add blockfile snapshotter
- Add remote/proxy differ
- Update runc binary to v1.1.9
- Cri: Don't use rel path for image volumes
- Allow attaching to any combination of stdin/out/err
- Fix ro mount option being passed
- Fix leaked shim caused by high IO pressure
- Add configurable mount options to overlay snapshotter

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-15 12:21:07 +02:00
Sebastiaan van Stijn
3b04fd10e8
Merge pull request #46251 from akerouanton/libnet-forbid-duplicated-network-names
libnet: Make sure network names are unique
2023-09-12 16:53:14 +02:00
Albin Kerouanton
78479b1915
libnet: Make sure network names are unique
Fixes #18864, #20648, #33561, #40901.

[This GH comment][1] makes clear network name uniqueness has never been
enforced due to the eventually consistent nature of Classic Swarm
datastores:

> there is no guaranteed way to check for duplicates across a cluster of
> docker hosts.

And this is further confirmed by other comments made by @mrjana in that
same issue, eg. [this one][2]:

> we want to adopt a schema which can pave the way in the future for a
> completely decentralized cluster of docker hosts (if scalability is
> needed).

This decentralized model is what Classic Swarm was trying to be. It's
been superseded since then by Docker Swarm, which has a centralized
control plane.

To circumvent this drawback, the `NetworkCreate` endpoint accepts a
`CheckDuplicate` flag. However it's not perfectly reliable as it won't
catch concurrent requests.

Due to this design decision, API clients like Compose have to implement
workarounds to make sure names are really unique (eg.
docker/compose#9585). And the daemon itself has seen a string of issues
due to that decision, including some that aren't fixed to this day (for
instance moby/moby#40901):

> The problem is, that if you specify a network for a container using
> the ID, it will add that network to the container but it will then
> change it to reference the network by using the name.

To summarize, this "feature" is broken, has no practical use and is a
source of pain for Docker users and API consumers. So let's just remove
it for _all_ API versions.

[1]: https://github.com/moby/moby/issues/18864#issuecomment-167201414
[2]: https://github.com/moby/moby/issues/18864#issuecomment-167202589

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-12 10:40:13 +02:00
Sebastiaan van Stijn
c41121cc48
update to go1.20.8
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/tls, go/types, net/http, and path/filepath packages. See the
Go 1.20.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8

From the security mailing:

[security] Go 1.21.1 and Go 1.20.8 are released

Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution
  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the "go"
  command was executed within the module. This applies to modules downloaded using
  the "go" command from the module proxy, as well as modules downloaded directly
  using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script contexts
  The html/template package did not properly handle HMTL-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
  cause the template parser to improperly interpret the contents of <script>
  contexts, causing actions to be improperly escaped. This could be leveraged to
  perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts
  The html/template package did not apply the proper rules for handling occurrences
  of "<script", "<!--", and "</script" within JS literals in <script> contexts.
  This may cause the template parser to improperly consider script contexts to be
  terminated early, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections
  Processing an incomplete post-handshake message for a QUIC connection caused a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-11 15:47:00 +02:00
Sebastiaan van Stijn
6ce5aa1cd5
Merge pull request #46434 from vvoland/test-ignore-cgroup-check
hack: Add TEST_IGNORE_CGROUP_CHECK
2023-09-08 23:23:18 +02:00
Sebastiaan van Stijn
d582a26107
Merge pull request #46439 from akerouanton/no-optimizations
hack: compile w/o optimizations & inlining when debugging
2023-09-08 23:09:33 +02:00
Albin Kerouanton
820f37b1a6
hack: compile w/o optimizations & inlining when debugging
Without these compile flags, Delve is unable to report the value of some
variables and it's not possible to jump into inlined code.

As the contributing docs already mention that `DOCKER_DEBUG` should
disable "build optimizations", the env var is reused here instead of
introducing a new one.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-08 17:16:58 +02:00
Sebastiaan van Stijn
6dcefa3739
Merge pull request #46431 from rumpl/fix-ci-timeout
Use process substitution to redirect to tee
2023-09-08 15:28:09 +02:00
Paweł Gronowski
c2004fb8c4
hack: Add TEST_IGNORE_CGROUP_CHECK
Add env variable that allows to run integration-cli tests with cgroup v2 enabled.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-09-08 13:41:03 +02:00
Djordje Lukic
3d8b8dc09a
Use process substitution to redirect to tee
In some cases, when the daemon launched by a test panics and quits, the
cleanup code would end with an error when trying to kill it by its pid.
In those cases the whole suite will end up waiting for the daemon that
we start in .integration-daemon-start to finish and we end up waiting 2
hours for the CI to cancel after a timeout.

Using process substitution makes the integration tests quit.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-09-08 10:56:21 +02:00
Brian Goff
e8dc902781 Wire up tests to support otel tracing
Integration tests will now configure clients to propagate traces as well
as create spans for all tests.

Some extra changes were needed (or desired for trace propagation) in the
test helpers to pass through tracing spans via context.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-09-07 18:38:22 +00:00
Djordje Lukic
75097cf09a
test: remove platform related timeout values
These were dependent on the DOCKER_ENGINE_GOARCH environment variable
but this var was no longer set. There was also some weird check to see
if the architecture is "windows" which doesn't make sense. Seeing how
nothing failed ever since the TIMEOUT was no longer platform-dependent
we can safely remove this check.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-08-31 10:39:28 +02:00
Sebastiaan van Stijn
a9a0ffaf51
testing: update docker-py 6.1.3
full diff: https://github.com/docker/docker-py/compare/6.0.1...6.1.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 17:31:33 +02:00
Sebastiaan van Stijn
f6959bc597
test-docker-py: skip AttachContainerTest::test_run_container_reading_socket_ws
Tests are failing with this error:

    E   ValueError: scheme http+docker is invalid

Which is reported in docker-py in https://github.com/docker/docker-py/issues/1478.
Not sure what changed in the tests, but could be due to updated Python
version or dependencies, but let's skip it for now.

Test failure:

    ___________ AttachContainerTest.test_run_container_reading_socket_ws ___________
    tests/integration/api_container_test.py:1245: in test_run_container_reading_socket_ws
        pty_stdout = self.client.attach_socket(container, opts, ws=True)
    docker/utils/decorators.py:19: in wrapped
        return f(self, resource_id, *args, **kwargs)
    docker/api/container.py:98: in attach_socket
        return self._attach_websocket(container, params)
    docker/utils/decorators.py:19: in wrapped
        return f(self, resource_id, *args, **kwargs)
    docker/api/client.py:312: in _attach_websocket
        return self._create_websocket_connection(full_url)
    docker/api/client.py:315: in _create_websocket_connection
        return websocket.create_connection(url)
    /usr/local/lib/python3.7/site-packages/websocket/_core.py:601: in create_connection
        websock.connect(url, **options)
    /usr/local/lib/python3.7/site-packages/websocket/_core.py:245: in connect
        options.pop('socket', None))
    /usr/local/lib/python3.7/site-packages/websocket/_http.py:117: in connect
        hostname, port, resource, is_secure = parse_url(url)
    /usr/local/lib/python3.7/site-packages/websocket/_url.py:62: in parse_url
        raise ValueError("scheme %s is invalid" % scheme)
    E   ValueError: scheme http+docker is invalid
    ------- generated xml file: /src/bundles/test-docker-py/junit-report.xml -------

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 17:31:09 +02:00
Sebastiaan van Stijn
e0f171f342
testing: update docker-py 6.0.1
release notes: https://github.com/docker/docker-py/releases/tag/6.0.1

full diff: https://github.com/docker/docker-py/compare/5.0.3...6.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 17:31:07 +02:00
Sebastiaan van Stijn
79a0f82ca1
test-docker-py: remove comment about docker 17.06 limitations
Our dev-container now has buildx installed, so we're no longer
limited to 17.06.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 17:29:49 +02:00
Sebastiaan van Stijn
12d1f4f385
hack: remove devicemapper leftovers and build-tags
This check was added in 98fe4bd8f1, to check
whether dm_task_deferred_remove could be removed, and to conditionally set
the corresponding build-tags. Now that the devicemapper graphdriver has been
removed in dc11d2a2d8, we no longer need this.

This patch:

- removes uses of the (no longer used) `libdm`, `dlsym_deferred_remove`,
  and `libdm_no_deferred_remove` build-tags.
- removes the `add_buildtag` utility, which is now unused.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 16:39:33 +02:00
Sebastiaan van Stijn
2aabd64477
hack: update link to GOPATH documentation
This documentation moved to a different page, and the Go documentation
moved to the https://go.dev/ domain.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 12:53:19 +02:00
Sebastiaan van Stijn
cd49f9affd
update golangci-lint to v1.54.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 02:19:35 +02:00
Sebastiaan van Stijn
2b583c0923
daemon: cleanupContainer: slightly cleanup error messages
Also remove integration-cli: `DockerAPISuite.TestContainerAPIDeleteConflict`,
which was testing the same conditions as `TestRemoveContainerRunning` in
integration/container.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 15:50:43 +02:00
Bjorn Neergaard
8383430946
Merge pull request #45759 from akerouanton/validate-ipam-config
Validate IPAM config before handing it over to libnetwork
2023-08-22 13:58:28 -06:00
Albin Kerouanton
4f47013feb
api: Validate IPAM config before creating a network
Currently, IPAM config is never validated by the API. Some checks
are done by the CLI, but they're not exhaustive. And some of these
misconfigurations might be caught early by libnetwork (ie. when the
network is created), and others only surface when connecting a container
to a misconfigured network. In both cases, the API would return a 500.

Although the `NetworkCreate` endpoint might already return warnings,
these are never displayed by the CLI. As such, it was decided during a
maintainer's call to return validation errors _for all API versions_.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-22 17:11:54 +02:00
Bjorn Neergaard
d125823d3f
hack: use long SHA for DOCKER_GITCOMMIT
This better aligns to GHA/CI settings, and is in general a better
practice in the year 2023.

We also drop the 'unsupported' fallback for `git rev-parse` in the
Makefile; we have a better fallback behavior for an empty
DOCKER_GITCOMMIT in `hack/make.sh`.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-08-18 14:42:51 -06:00
Akihiro Suda
b039bbc678
update runc binary to v1.1.9
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-08-11 21:29:53 +09:00
Sebastiaan van Stijn
cfc117826a
Merge pull request #46168 from vvoland/hack-integrationcli-dont-failfast
hack/test: Don't fail-fast before integration-cli
2023-08-09 13:43:43 +02:00
Paweł Gronowski
43956e1b71
hack/test: Don't exit early when all tests are filtered out
Don't exit immediately (due to `set -e` bash behavior) when grep returns
with a non-zero exit code. Use empty dirs instead and let it print
messages about all tests being filtered out.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-09 09:47:02 +02:00
Paweł Gronowski
ae008570ff
hack/test: Split -test.run for integration and integration-cli
To avoid passing the `/` prefix in the -test.run to the integration test
suite, which for some reason executes all tests, but works fine with
integration-cli.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-09 09:47:01 +02:00
Paweł Gronowski
510cac5f5b
hack/test: Fix checking if integration-cli are filtered out
Previous check checked if ANY of the test directories isn't
integration-cli. This means it was true if TEST_FILTER matched multiple
tests from both integration and integration-cli suite.

Remove the grep `-v` inversion and replace it with a bash negation, so
it actually checks if there is no `integration-cli` in test dirs.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-09 09:47:00 +02:00
Paweł Gronowski
6841a53d17
hack/test: Don't fail-fast before integration-cli
If TEST_INTEGRATION_FAIL_FAST is not set, run the integration-cli tests
even if integration tests failed.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-08 13:29:54 +02:00
Sebastiaan van Stijn
d5cb7cdeae
update to go1.20.7
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:46:01 +02:00
Sebastiaan van Stijn
935c04f33a
Merge pull request #46117 from thaJeztah/bump_gotest_tools
vendor: gotest.tools/v3 v3.5.0
2023-07-30 15:59:33 +02:00
Sebastiaan van Stijn
ce053a14aa
vendor: gotest.tools/v3 v3.5.0
- go.mod: update dependencies and go version by
- Use Go1.20
- Fix couple of typos
- Added `WithStdout` and `WithStderr` helpers
- Moved `cmdOperators` handling from `RunCmd` to `StartCmd`
- Deprecate `assert.ErrorType`
- Remove outdated Dockerfile
- add godoc links

full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.4.0...v3.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-29 19:51:21 +02:00
Sebastiaan van Stijn
bf48d3ec29
update containerd binary to v1.7.3
- full diff: https://github.com/containerd/containerd/compare/v1.7.2...v1.7.3
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.3

----

Welcome to the v1.7.3 release of containerd!

The third patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

- RunC: Update runc binary to v1.1.8
- CRI: Fix `additionalGids`: it should fallback to `imageConfig.User`
  when `securityContext.RunAsUser`,`RunAsUsername` are empty
- CRI: write generated CNI config atomically
- Port-Forward: Correctly handle known errors
- Resolve docker.NewResolver race condition
- Fix `net.ipv4.ping_group_range` with userns
- Runtime/V2/RunC: handle early exits w/o big locks
- SecComp: always allow `name_to_handle_at`
- CRI: Windows Pod Stats: Add a check to skip stats for containers that
  are not running
- Task: don't `close()` io before cancel()
- Remove CNI conf_template deprecation
- Fix issue for HPC pod metrics

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 13:21:20 +02:00
Sebastiaan van Stijn
a78381c399
update containerd binary to v1.7.2
- full diff: https://github.com/containerd/containerd/compare/v1.7.1...v1.7.2
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.2

----

Welcome to the v1.7.2 release of containerd!

The second patch release for containerd 1.7 includes enhancements to CRI
sandbox mode, Windows snapshot mounting support, and CRI and container IO
bug fixes.

CRI/Sandbox Updates

- Publish sandbox events
- Make stats respect sandbox's platform

Other Notable Updates

- Mount snapshots on Windows
- Notify readiness when registered plugins are ready
- Fix `cio.Cancel()` should close pipes
- CDI: Use CRI `Config.CDIDevices` field for CDI injection

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 13:20:34 +02:00
Paweł Gronowski
48cc28e4ef
hack/integration: Add TEST_INTEGRATION_FAIL_FAST
Before this change, integration test would fail fast and not execute all
test suites when one suite fails.
Change this behavior into opt-in enabled by TEST_INTEGRATION_FAIL_FAST
variable.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-24 16:54:31 +02:00
Sebastiaan van Stijn
6b2ee07a26
Merge pull request #45929 from neersighted/with-go-mod_ROOTDIR
hack: use Git-free ROOTDIR
2023-07-19 19:23:00 +02:00
Sebastiaan van Stijn
df86d855f5
Dockerfile: update runc binary to v1.1.8
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.8
full diff: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.9

This is the eighth patch release of the 1.1.z release branch of runc.
The most notable change is the addition of RISC-V support, along with a
few bug fixes.

- Support riscv64.
- init: do not print environment variable value.
- libct: fix a race with systemd removal.
- tests/int: increase num retries for oom tests.
- man/runc: fixes.
- Fix tmpfs mode opts when dir already exists.
- docs/systemd: fix a broken link.
- ci/cirrus: enable some rootless tests on cs9.
- runc delete: call systemd's reset-failed.
- libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed.
- CI: bump Fedora, Vagrant, bats.
- .codespellrc: update for 2.2.5.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 18:22:03 +02:00
Bjorn Neergaard
7310a7cd0c
ci(buildkit): remove early-return from buildkit-ref
This doesn't really make sense now that this script returns a
$GITHUB_ENV snippet.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-18 09:30:42 -06:00
Bjorn Neergaard
4ecc01f3ad
ci(buildkit): remove misleading code from buildkit-ref
Post-f8c0d92a22bad004cb9cbb4db704495527521c42, BUILDKIT_REPO doesn't
really do what it claims to. Instead, don't allow overloading since the
import path for BuildKit is always the same, and make clear the
provenance of values when generating the final variable definitions.

We also better document the script, and follow some best practices for
both POSIX sh and Bash.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-18 09:30:40 -06:00
Bjorn Neergaard
48ff8a95cc
hack/with-go-mod.sh: warn on stderr
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-18 09:30:39 -06:00
Sebastiaan van Stijn
058a6e94a1
Merge pull request #45994 from jedevc/buildkit-ref-replace
ci: extract buildkit version correctly with replace-d modules
2023-07-18 15:22:38 +02:00
Bjorn Neergaard
a972dbd682
hack/make/.binary: use with-go-mod.sh
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:38:12 -06:00
Bjorn Neergaard
5563b09ac2
hack: use Git-free ROOTDIR convention
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:38:10 -06:00
Bjorn Neergaard
780e8b2332
hack/d/cli.sh: properly handle errors in curl
Add `-f` to output nothing to tar if the curl fails, and `-S` to report
errors if they happen.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:18:19 -06:00
Bjorn Neergaard
37dcdac218
Merge pull request #40751 from cpuguy83/tmpfs_for_main_test_daemon
Put integration daemon socket in /run
2023-07-17 10:17:54 -06:00
Justin Chadwell
f8c0d92a22 ci: extract buildkit version correctly with replace-d modules
Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-07-17 14:17:49 +01:00
Sebastiaan van Stijn
1ead2dd35d
update go to go1.20.6
go1.20.6 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to the compiler, cgo, the cover tool, the go command,
the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template
packages. See the Go 1.20.6 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6

These minor releases include 1 security fixes following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 22:36:46 +02:00
Albin Kerouanton
6b1b71ced4
Disable tls when launching dockerd through hack/make.sh
The daemon sleeps for 15 seconds at start up when the API binds to a TCP
socket with no TLS certificate set. That's what the hack/make/run script
does, but it doesn't explicitly disable tls, thus we're experiencing
this annoying delay every time we use this script.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-09 22:26:07 +02:00
Brian Goff
2ab2503b6c Put integration daemon socket in /run
This fixes a case where on Docker For Mac if you need to bind mount the
bundles dir (e.g. to get test results back).
The unix socket does not work over oxsfs, so instead we put it in a
tmpfs.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-07-05 23:13:08 +00:00
Sebastiaan van Stijn
19d860fa9d
testing: temporarily pin docker-py tests to use "bullseye"
The official Python images on Docker Hub switched to debian bookworm,
which is now the current stable version of Debian.

However, the location of the apt repository config file changed, which
causes the Dockerfile build to fail;

    Loaded image: emptyfs:latest
    Loaded image ID: sha256:0df1207206e5288f4a989a2f13d1f5b3c4e70467702c1d5d21dfc9f002b7bd43
    INFO: Building docker-sdk-python3:5.0.3...
    tests/Dockerfile:6
    --------------------
       5 |     ARG APT_MIRROR
       6 | >>> RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
       7 | >>>     && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
       8 |
    --------------------
    ERROR: failed to solve: process "/bin/sh -c sed -ri \"s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g\" /etc/apt/sources.list     && sed -ri \"s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g\" /etc/apt/sources.list" did not complete successfully: exit code: 2

This needs to be fixed in docker-py, but in the meantime, we can pin to
the bullseye variant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-20 10:48:42 +02:00
Sebastiaan van Stijn
98a44bb18e
update go to go1.20.5
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 12:47:05 +02:00
Brian Goff
e1c92184f0
Merge pull request #44526 from crazy-max/rm-dockerfile-e2e
remove Dockerfile.e2e
2023-06-10 10:53:51 -07:00
Jan Garcia
0b1c1877c5 update RootlessKit to v1.1.1
Signed-off-by: Jan Garcia <github-public@n-garcia.com>
2023-06-06 09:26:27 +02:00
Paweł Gronowski
5433b88e2d
hack/cli.sh: Quiet origin cleanup
Don't show `error: No such remote: 'origin'` error when building for the
first time and the cached git repository doesn't a remote yet.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-06-05 17:02:46 +02:00
Paweł Gronowski
17c99f7164
Dockerfile: Use separate cli for shell and integration-cli
Use separate cli for integration-cli to allow use newer CLI for
interactive dev shell usage.

Both versions can be overriden with DOCKERCLI_VERSION or
DOCKERCLI_INTEGRATION_VERSION. Binary is downloaded from
download.docker.com if it's available, otherwise it's built from the
source.

For backwards compatibility DOCKER_CLI_PATH overrides BOTH clis.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-06-05 15:25:21 +02:00
sebthom
d58df1fc6c Update blogpost URL
Signed-off-by: sebthom <sebthom@users.noreply.github.com>
2023-05-29 22:37:09 +02:00
CrazyMax
5efe72415d
remove Dockerfile.e2e
Dockerfile.e2e is not used anymore. Integration tests run
through the main Dockerfile.

Also removes the daemon OS/Arch detection script that is not
necessary anymore. It was used to select the Dockerfile based
on the arch like Dockerfile.arm64 but we don't have those
anymore. Was also used to check referenced frozen images
in the Dockerfile.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-05-29 11:03:48 +02:00
CrazyMax
735537d6b1
replace gogofast with gogofaster extension
gogofaster is identical as gogofast but removes XXX_unrecognized

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-05-29 03:28:35 +02:00
Kevin Alvarez
7daaa00120
hack: generated files update and validation
Adds a Dockerfile and make targets to update and validate
generated files (proto, seccomp default profile)

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-05-29 03:28:35 +02:00
Sebastiaan van Stijn
7e01865fb6
Merge pull request #45592 from vvoland/dangling-image-repotagsdigests-test
integration: Add TestImageInspectEmptyTagsAndDigests
2023-05-24 19:18:56 +02:00
Sebastiaan van Stijn
53d1b12bc0
hack/make/.binary: don't use "netgo" when building Windows binaries
Starting with go1.19, the Go runtime on Windows now supports the `netgo` build-
flag to use a native Go DNS resolver. Prior to that version, the build-flag
only had an effect on non-Windows platforms. When using the `netgo` build-flag,
the Windows's host resolver is not used, and as a result, custom entries in
`etc/hosts` are ignored, which is a change in behavior from binaries compiled
with older versions of the Go runtime.

From the go1.19 release notes: https://go.dev/doc/go1.19#net

> Resolver.PreferGo is now implemented on Windows and Plan 9. It previously
> only worked on Unix platforms. Combined with Dialer.Resolver and Resolver.Dial,
> it's now possible to write portable programs and be in control of all DNS name
> lookups when dialing.
>
> The net package now has initial support for the netgo build tag on Windows.
> When used, the package uses the Go DNS client (as used by Resolver.PreferGo)
> instead of asking Windows for DNS results. The upstream DNS server it discovers
> from Windows may not yet be correct with complex system network configurations,
> however.

Our Windows binaries are compiled with the "static" (`make/binary-daemon`)
script, which has the `netgo` option set by default. This patch unsets the
`netgo` option when cross-compiling for Windows.

Co-authored-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-05-24 09:16:41 -06:00
Paweł Gronowski
a93aadc2e6
hack: Rename .ensure-emptyfs to .build-empty-images
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-05-23 15:50:35 +02:00
Paweł Gronowski
3a31f81838
hack/ensure-emptyfs: Create dangling image
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-05-23 15:50:33 +02:00
Sebastiaan van Stijn
484785456c
update containerd binary to v1.7.1
full diff: https://github.com/containerd/containerd/compare/v1.7.0...v1.7.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-15 12:52:50 +01:00
Brian Goff
e58c267d66
Merge pull request #45304 from crazy-max/buildkit-version-buildinfo
Set BuildKit version using buildinfo
2023-05-10 16:58:18 -07:00
Jeyanthinath Muthuram
71d7908656
added alias validation
Signed-off-by: Jeyanthinath Muthuram <jeyanthinath10@gmail.com>
2023-05-08 19:03:44 +05:30
Sebastiaan van Stijn
8a4b095a94
Merge pull request #45353 from thaJeztah/api_container_change_type
api/types/container: create type for changes endpoint
2023-05-04 19:48:40 +02:00
Sebastiaan van Stijn
dbb48e4b29
api/types/container: create type for changes endpoint
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-03 21:23:42 +02:00
Sebastiaan van Stijn
2d0e899819
update runc binary to v1.1.7
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-27 12:17:14 +02:00
Kevin Alvarez
7665feeb52
hack: enable Go modules when building dockerd and docker-proxy
This is a workaround to have buildinfo with deps embedded in the
binary. We need to create a go.mod file before building with
-modfile=vendor.mod, otherwise it fails with:
"-modfile cannot be used to set the module root directory."

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-04-25 12:30:52 +02:00
Sebastiaan van Stijn
d0efca893b
update runc binary to v1.1.6
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6

This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.

Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.

- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
  from systemd while trying to create a systemd unit, which in some scenarios
  may result in a container not being added to the proper systemd unit and
  cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
  resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
  than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
  of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
  container when the file to be executed does not have executable bit set for
  the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
  a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
- cgroup v1 drivers are now aware of misc controller.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 19:43:05 +02:00
Sebastiaan van Stijn
f66374f6a8
golangci-lint: enable importas linter to force consistent aliases
This enforces the github.com/containerd/containerd/errdefs package to
be aliased as "cerrdefs". Any other alias (or no alias used) results
in a linting failure:

    integration/container/pause_test.go:9:2: import "github.com/containerd/containerd/errdefs" imported as "c8derrdefs" but must be "cerrdefs" according to config (importas)
        c8derrdefs "github.com/containerd/containerd/errdefs"
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-08 20:03:27 +02:00
Sebastiaan van Stijn
77be7b777c
update runc binary to v1.1.5
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.5
diff: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

* CVE-2023-25809 is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access
  to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other
  hierarchies on the host were affected. This vulnerability was
  discovered by Akihiro Suda.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc>

* CVE-2023-27561 was a regression which effectively re-introduced
  CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This
  regression was discovered by @Beuc.
  <https://github.com/advisories/GHSA-vpvm-3wq2-2wvm>

* CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same
  patch. This variant of the above vulnerability was reported by Lei
  Wang.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c>

In addition, the following other fixes are included in this release:

* Fix the inability to use `/dev/null` when inside a container.
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1).
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7.
* nsexec: Check for errors in `write_log()`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-30 14:43:55 +02:00
Sebastiaan van Stijn
a2c29e9128
update containerd binary to v1.7.0
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0
- full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.4...v1.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-12 16:09:33 +01:00
Bjorn Neergaard
d4e7a87b96 Upgrade to Go 1.20
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Co-authored-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-22 16:37:59 -05:00
Sebastiaan van Stijn
e40c4c997e
update containerd binary to v1.7.0-beta.4
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.4
full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.3...v1.7.0-beta.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-17 01:28:29 +01:00
Sebastiaan van Stijn
31f4ec92f6
update containerd binary to v1.7.0-beta.3
full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.2...v1.7.0-beta.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-30 09:13:07 +01:00
Sebastiaan van Stijn
abdf23c6c0
Merge pull request #44853 from crazy-max/rm-install-suffix
hack: remove -installsuffix build flag
2023-01-20 18:25:50 +01:00
CrazyMax
67aa86f1e0
hack: check if cross-compiling before setting ARM target name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-20 15:13:11 +01:00
CrazyMax
170a1c4709
hack: display build cmd when DOCKER_DEBUG set
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:39 +01:00
CrazyMax
877baae03e
hack: remove unnecessary vars in make.sh script
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:38 +01:00
CrazyMax
b80f16157e
hack: remove ORIG_BUILDFLAGS var
This var was used for the cross target but it has been removed
in 8086f40123 so not necessary anymore

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:38 +01:00
CrazyMax
0c008cc4f8
hack: remove -installsuffix build flag
Has been introduced in 232d59baeb to work around a bug with
"go build" but not required anymore since go 1.5: 4dab6d01f1

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-19 21:33:38 +01:00
Kevin Alvarez
945704208a
hack: name for target ARM architecture not specified
Build currently doesn't set the right name for target ARM
architecture through switches in CGO_CFLAGS and CGO_CXXFLAGS
when doing cross-compilation. This was previously fixed in https://github.com/moby/moby/pull/43474

Also removes the toolchain configuration. Following changes for
cross-compilation in https://github.com/moby/moby/pull/44546,
we forgot to remove the toolchain configuration that is
not used anymore as xx already sets correct cc/cxx envs already.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-16 11:40:47 +01:00
CrazyMax
94639eb66f
hack: typo in displayed platform name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-16 11:40:47 +01:00
Sebastiaan van Stijn
57af88a654
Merge pull request #44748 from vvoland/buildflags-nopie-whenrace
hack/make: Don't add -buildmode=pie with -race
2023-01-05 20:24:21 +01:00
Paweł Gronowski
bbe6e9e8d1
hack/make: Don't add -buildmode=pie with -race
Make it possible to add `-race` to the BUILDFLAGS without making the
build fail with error:
"-buildmode=pie not supported when -race is enabled"

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-01-05 15:28:03 +01:00
CrazyMax
7e7b0622a6
hack: restore copy_binaries func
This function is still useful for the dev environment.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-05 13:21:28 +01:00
CrazyMax
27ba1766e7
ci: use GITHUB_REF and GITHUB_SHA to set version and commit
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:03 +01:00
CrazyMax
491467b0b9
hack: update buildmode pie condition
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-01-01 18:03:02 +01:00