Commit graph

666 commits

Author SHA1 Message Date
Bjorn Neergaard
85fa72c599 chore: update supported go version to 1.18+
The 1.16 `io/fs` compatibility code was being built on 1.18 and 1.19.
Drop it completely as 1.16 is long EOL, and additionally drop 1.17 as it
has been EOL for a month and 1.18 is both the minimum Go supported by
the 20.10 branch, as well as a very easy jump from 1.17.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-09-15 13:52:39 -06:00
Cory Snider
e9bbc41dd1 Remove local fork of archive/tar package
A copy of Go's archive/tar package was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.

glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.

The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.

Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.

Fixes #42402

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-02-18 13:40:19 -05:00
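The mitigation described in the commit message above, shown as an added example that is not code from the page or from the moby project: wrapping the `fs.FileInfo` so that `Sys()` returns nil leaves `tar.FileInfoHeader` with no UID/GID to resolve, so no os/user (and therefore no NSS) lookup happens. The names `nosysFileInfo` and `headerNoLookups` are assumptions, and restoring the numeric IDs from `syscall.Stat_t` assumes a Unix platform.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io/fs"
	"os"
	"syscall"
)

// nosysFileInfo (hypothetical name) embeds an fs.FileInfo but reports no
// OS-dependent data, leaving tar.FileInfoHeader no UID/GID to resolve.
type nosysFileInfo struct{ fs.FileInfo }

func (nosysFileInfo) Sys() interface{} { return nil }

// headerNoLookups (hypothetical helper) builds a tar.Header without any
// os/user call, then restores the numeric owner from the raw stat data.
// Other Sys()-derived fields (device numbers, atime/ctime) stay unset.
func headerNoLookups(fi fs.FileInfo, link string) (*tar.Header, error) {
	hdr, err := tar.FileInfoHeader(nosysFileInfo{fi}, link)
	if err != nil {
		return nil, err
	}
	// Numeric IDs need no name service lookup, so copy them directly.
	if st, ok := fi.Sys().(*syscall.Stat_t); ok {
		hdr.Uid, hdr.Gid = int(st.Uid), int(st.Gid)
	}
	return hdr, nil
}

func main() {
	f, err := os.CreateTemp("", "nolookup-*") // constructed sample file
	if err != nil {
		panic(err)
	}
	defer os.Remove(f.Name())
	fi, err := f.Stat()
	if err != nil {
		panic(err)
	}
	hdr, err := headerNoLookups(fi, "")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uid=%d gid=%d uname=%q gname=%q\n", hdr.Uid, hdr.Gid, hdr.Uname, hdr.Gname)
}
```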
Sebastiaan van Stijn
325c3a457b
hack/vendor.sh: run "go mod tidy" before vendoring
The hack/vendor.sh script is used to (re)vendor dependencies. However, it did
not run `go mod tidy` before doing so, whereas the vendor _validation_ script
did.

This could result in vendor validation failing if go mod tidy resulted in
changes (which could be in `vendor.sum`).

In "usual" situations, this could be easily done by the user (`go mod tidy`
before running `go mod vendor`), but due to our (current) uses of `vendor.mod`,
and having to first set up a (dummy) `go.mod`, this is more complicated.

Instead, just make the script do this, so that `hack/vendor.sh` will always
produce the expected result.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-05 11:25:23 +01:00
Ilya Dmitrichenko
a46f968229
vendor: replace vndr with go mod vendor
- use `vendor.mod` instead of `go.mod` to avoid issues to do with
  use of CalVer, not SemVer
- ensure most of the dependency versions do not change
  - only zookeeper client has to change (via docker/libkv#218) as
    previously used version is no longer maintained and has missing
    dependencies

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-18 15:46:00 +01:00
Sebastiaan van Stijn
9ed88a0801
hack/vendor.sh: allow go version to be specified with .0
Golang '.0' releases are released without a trailing .0 (i.e. go1.17
is equal to go1.17.0). For the base image, we want to specify the go
version including their patch release (golang:1.17 is equivalent to
go1.17.x), so adjust the script to also accept the trailing .0, because
otherwise the download-URL is not found:

    hack/vendor.sh archive/tar
    update vendored copy of archive/tar
    downloading: https://golang.org/dl/go1.17.0.src.tar.gz
    curl: (22) The requested URL returned error: 404

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-23 17:55:07 +02:00
Kevin Parsons
3334fb9af1 Fix up vndr tooling
- Fix the error message in hack/validate/vendor to specify that
  hack/vendor.sh should be run instead of vndr.
- Fix hack/vendor.sh to also match on Windows paths for the whitelist.
  This allows the script to be run on Windows via Git Bash.

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
2021-07-13 09:45:07 -07:00
moby
31b2c3bbd9
hack/vendor: add check for vendored archive/tar
Also allow re-vendoring using `./hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 18:57:52 +02:00
Tonis Tiigi
7260adfff9 vendor: add local copy of archive/tar
This version avoids doing name lookups on creating tarball that
should be avoided in order to not hit loading glibc shared libraries.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit aa6a9891b0)
Signed-off-by: Tibor Vass <tibor@docker.com>
2020-04-24 11:22:24 -07:00
Tianon Gravi
52379fa76d Convert script shebangs from "#!/bin/bash" to "#!/usr/bin/env bash"
This is especially important for distributions like NixOS where `/bin/bash` doesn't exist, or for MacOS users who've installed a newer version of Bash than the one that comes with their OS.

Signed-off-by: Andrew "Tianon" Page <admwiggin@gmail.com>
2017-02-13 11:01:54 -08:00
Alexander Morozov
f2614f2107 project: use vndr for vendoring
Signed-off-by: Alexander Morozov <lk4d4@docker.com>
2016-11-03 15:31:46 -07:00
Madhu Venugopal
2d676d38a0 Merge pull request #28019 from sanimej/vendor
Vendoring libnetwork @9ab6e13
2016-11-03 14:35:28 -07:00
Santhosh Manohar
8479a765dd Vendoring libnetwork @9ab6e13
Signed-off-by: Santhosh Manohar <santhosh@docker.com>
2016-11-03 10:58:47 -07:00
John Howard
3b6cd20b0b Vendor davecgh/gospew @ 6d212880
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-11-03 09:35:58 -07:00
Tibor Vass
1e51f99684 Merge pull request #27918 from dmcgowan/use-system-certs
Merge system certificate pool with custom certificates
2016-11-02 13:51:58 -07:00
Vincent Demeester
cff3cdd35a
Update swarmkit to 4dfc88ccce14ced6f0a6ea82d46dca004c6de0e2
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-11-02 19:43:27 +01:00
Derek McGowan
fd82240e0a
Update go connections vendor
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
2016-10-31 13:38:40 -07:00
Laura Frank
ba4e0c328f Updating aws-sdk-go to version 1.4.22
Signed-off-by: Laura Frank <ljfrank@gmail.com>
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-10-31 09:23:45 -07:00
Vincent Demeester
f860289131 Merge pull request #27369 from cezarsa/hc
Add --health-* flags to service create and update
2016-10-28 21:59:52 +02:00
Brian Goff
f391f9c3b9 Merge pull request #27860 from vdemeester/update-go-connections-vendor
Update go-connections vendoring
2016-10-28 12:01:59 -07:00
Michael Crosby
1e989abefb Merge pull request #26659 from yongtang/26341-fixed-cidr-multiple-addresses-bridge
Fix issue for `--fixed-cidr` when bridge has multiple addresses
2016-10-28 11:05:01 -07:00
Vincent Demeester
609c183ae7
Update go-connections vendoring
This makes it possible to use IPv6 addresses in the `--publish` flag of
docker (`run`, …)

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-10-28 09:35:30 -07:00
Cezar Sa Espinola
fd657a10d0
vendor: update swarmkit
Signed-off-by: Cezar Sa Espinola <cezarsa@gmail.com>
2016-10-28 00:37:39 -02:00
Tibor Vass
4e6cb66ecc Merge pull request #27774 from runcom/vendor-distr
vendor docker/distribution fbb70dc3a14ca65cdac3aaf5e5122b03b42f6fbc
2016-10-27 17:07:03 -07:00
Sebastiaan van Stijn
33474a11fe Merge pull request #25820 from crosbymichael/prom
Add metrics output to docker
2016-10-27 16:44:26 -07:00
Michael Crosby
3343d234f3 Add basic prometheus support
This adds a metrics package that creates additional metrics.  Add the
metrics endpoint to the docker api server under `/metrics`.

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

Add metrics to daemon package

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>

api: use standard way for metrics route

Also add "type" query parameter

Signed-off-by: Alexander Morozov <lk4d4@docker.com>

Convert timers to ms

Signed-off-by: Michael Crosby <crosbymichael@gmail.com>
2016-10-27 10:34:38 -07:00
Yong Tang
fc62ad6b95 Vendor libnetwork to f4338b6f1085ccfe5972e655cca8a1d15d73439d
This fix updates libnetwork to f4338b6f1085ccfe5972e655cca8a1d15d73439d.

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-10-27 09:13:25 -07:00
Darren Stahl
f9adce18c7 Update hcsshim to v0.5.2
Signed-off-by: Darren Stahl <darst@microsoft.com>
2016-10-26 15:39:35 -07:00
Yong Tang
bb568f8097 Revendor swarmkit to 0ec7c6ee4b3185ec4e3d6bd65f8f5542b1761421
This fix revendors swarmkit to 0ec7c6ee4b3185ec4e3d6bd65f8f5542b1761421.

Related docker PR and issues:
(#27567)
(#25437)
(#26988)
(#25644)

Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
2016-10-26 06:49:39 -07:00
Antonio Murdaca
78a429a97a
vendor docker/distribution fbb70dc3a14ca65cdac3aaf5e5122b03b42f6fbc
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-26 10:55:50 +02:00
Amit Krishnan
16db092af2 Uprev google/certificate-transparency to include Solaris support
Signed-off-by: Amit Krishnan <krish.amit@gmail.com>
2016-10-25 13:14:57 -07:00
Vincent Demeester
67b85f9d26 Merge pull request #26354 from KingEmet/fixbranch
make GetAll use client.List as the source of truth
2016-10-24 14:25:24 -07:00
Sebastiaan van Stijn
32b541e443 Merge pull request #27405 from tonistiigi/fix-fifo2
Fix issues with fifos blocking on open
2016-10-21 09:44:33 -07:00
allencloud
3cff9e0267 revendor go-units to update more accurate time display
Signed-off-by: allencloud <allen.sun@daocloud.io>
2016-10-21 11:05:11 +08:00
Tonis Tiigi
6d26464502 Fix issues with fifos blocking on open
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2016-10-20 17:02:02 -07:00
Aaron Lehmann
12a4ed0317 Vendor swarmkit in master
Also, update libnetwork and grpc.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-10-20 13:49:22 -07:00
Aaron Lehmann
2c620d0aa2 Merge pull request #27287 from mavenugo/pluginv2-sk2
Allow multiple handlers to support network plugins in swarm-mode
2016-10-20 13:43:04 -07:00
Antonio Murdaca
1808348136
record pid of exec'd process
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
2016-10-20 17:06:11 +02:00
Tõnis Tiigi
9f30c28d21 Merge pull request #26983 from aaronlehmann/logrus-wrapped-errors
Fix problems with wrapped errors in logrus
2016-10-19 10:16:01 -07:00
Daniel Nephin
4e4da146ec Update sfp13/pflag
Signed-off-by: Daniel Nephin <dnephin@docker.com>
2016-10-18 17:17:22 -07:00
Aaron Lehmann
738131faae Fix problems with wrapped errors in logrus
This vendors a fork of logrus with fixes to deal with errors generated
by the github.com/pkg/errors package. Without these fixes, the errors
are mishandled when passed to WithError:

- When printing to a terminal (colors enabled), stack traces are
  included in the error fields on a log line.

- When printing to a file (or with colors disabled), the error value is
  missing entirely.

Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2016-10-18 17:14:59 -07:00
Alexander Morozov
329f272fd5 Merge pull request #27474 from tagomoris/identify-fluentd-driver-stops-after-restarts
Update fluent-logger-golang to v1.2.1
2016-10-18 12:47:13 -07:00
Sebastiaan van Stijn
24582e8153 Merge pull request #27471 from caarlos0/logentries
Added Logentries Driver
2016-10-18 01:33:28 -07:00
Satoshi Tagomori
53ed17449e Update fluent-logger-golang to v1.2.1
This fixes a regression bug not to connect the destination node twice or more.
That regression was brought by v1.2.0, and it also makes many goroutines for
first reconnection (these will finish after first reconnection established).

Signed-off-by: Satoshi Tagomori <tagomoris@gmail.com>
2016-10-18 11:26:32 +09:00
Carlos Alexandro Becker
0f4db1cc59
Added logentries dependency to vendor
Signed-off-by: Carlos Alexandro Becker <caarlos0@gmail.com>
2016-10-17 22:06:39 -02:00
Madhu Venugopal
88cae7412d Vendoring Swarmkit 1fed8d2a2ccd2a9b6d6fb864d4ad3461fc6dc3eb
Signed-off-by: Madhu Venugopal <madhu@docker.com>
2016-10-15 08:49:55 -07:00
cyli
5f4dcd8252 Bump vendored and dockerfile notary version to v0.4.2
Signed-off-by: cyli <cyli@twistedmatrix.com>
2016-10-14 17:52:56 -07:00
Jana Radhakrishnan
9ae9f9812b Vendoring libnetwork @04025f2a2eebb
Fixes #27323

Signed-off-by: Jana Radhakrishnan <mrjana@docker.com>
2016-10-14 11:12:24 -07:00
Anusha Ragunathan
1845f506e4 Vendor libnetwork.
This is primarily for plugingetter import path change.

Signed-off-by: Anusha Ragunathan <anusha@docker.com>
2016-10-11 13:09:01 -07:00
Madhu Venugopal
5ff17cb4aa Merge pull request #26954 from mrjana/net
Vendoring libnetwork @7b74403
2016-10-11 05:59:35 -07:00
John Howard
97ac469934 Windows: Update go-winio to 0.3.5
Signed-off-by: John Howard <jhoward@microsoft.com>
2016-10-10 15:08:17 -07:00