Commit graph

2136 commits

Author SHA1 Message Date
Sebastiaan van Stijn
22597efa06
vendor: github.com/docker/go-connections v0.5.0
no diff, as the tag is the same commit as we used already;
https://github.com/docker/go-connections/compare/fa09c952e3ea...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-05 18:20:12 +01:00
Sebastiaan van Stijn
fc8fcf85a2
vendor: github.com/opencontainers/runc v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 16:29:43 +01:00
Sebastiaan van Stijn
dc23efd3a2
vendor: github.com/klauspost/compress v1.17.4
full diff: https://github.com/klauspost/compress/compare/v1.17.2...v1.17.4

v1.17.4:

- huff0: Speed up symbol counting
- huff0: Remove byteReader
- gzhttp: Allow overriding decompression on transport
- gzhttp: Clamp compression level
- gzip: Error out if reserved bits are set

v1.17.3:

- fse: Fix max header size
- zstd: Improve better/best compression
- gzhttp: Fix missing content type on Close

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 10:23:44 +01:00
Sebastiaan van Stijn
43a82dab90
Merge pull request #46840 from dmcgowan/c8d-rmi-cleanup
containerd: Image delete fixes and cleanup
2023-12-19 18:07:16 +01:00
Sebastiaan van Stijn
c22fc41ddf
vendor: golang.org/x/crypto v0.17.0
update the package, which contains a fix in the ssh package.

full diff: https://github.com/golang/crypto/compare/v0.16.0...v0.17.0

from the security mailing:

> Hello gophers,
>
> Version v0.17.0 of golang.org/x/crypto fixes a protocol weakness in the
> golang.org/x/crypto/ssh package that allowed a MITM attacker to compromise
> the integrity of the secure channel before it was established, allowing
> them to prevent transmission of a number of messages immediately after
> the secure channel was established without either side being aware.
>
> The impact of this attack is relatively limited, as it does not compromise
> confidentiality of the channel. Notably this attack would allow an attacker
> to prevent the transmission of the SSH2_MSG_EXT_INFO message, disabling a
> handful of newer security features.
>
> This protocol weakness was also fixed in OpenSSH 9.6.
>
> Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr
> University Bochum for reporting this issue.
>
> This is CVE-2023-48795 and Go issue https://go.dev/issue/64784.
>
> Cheers,
> Roland on behalf of the Go team

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-19 00:30:17 +01:00
Derek McGowan
529d19bad8
Add resolve all images and unit test
Add single resolve function to get a consistent list of images matching
the same digest.

Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-12-18 14:04:46 -08:00
Sebastiaan van Stijn
e48b58e1be
vendor: golang.org/x/crypto v0.16.0
full diff: https://github.com/golang/crypto/compare/v0.14.0...v0.16.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-18 13:39:50 +01:00
Sebastiaan van Stijn
44511f9e43
vendor: golang.org/x/text v0.14.0
full diff: https://github.com/golang/text/compare/v0.13.0...v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-18 13:38:46 +01:00
Sebastiaan van Stijn
2cdd4906ac
vendor: golang.org/x/sys v0.15.0
full diff: https://github.com/golang/sys/compare/v0.13.0...v0.15.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-18 13:37:57 +01:00
Bjorn Neergaard
cd41f655f9
logger: remove logentries driver
The Logentries service will be discontinued next week:

> Dear Logentries user,
>
> We have identified you as the owner of, or collaborator of, a Logentries account.
>
> The Logentries service will be discontinued on November 15th, 2022. This means that your Logentries account access will be removed and all your log data will be permanently deleted on this date.
>
> Next Steps
> If you are interested in an alternative Rapid7 log management solution, InsightOps will be available for purchase through December 16th, 2022. Please note, there is no support to migrate your existing Logentries account to InsightOps.
>
> Thank you for being a valued user of Logentries.
>
> Thank you,
> Rapid7 Customer Success

There is no reason to preserve this code in Moby as a result.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 22:51:23 +01:00
Sebastiaan van Stijn
dbdfc71026
vendor: resenje.org/singleflight v0.4.1
- fix race when returning call.shared

full diff: https://github.com/janos/singleflight/compare/v0.4.0...v0.4.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 16:07:13 +01:00
Sebastiaan van Stijn
7d991b6e42
vendor: github.com/moby/buildkit v0.12.5-0.20231208203051-3b6880d2a00f
full diff: https://github.com/moby/buildkit/compare/v0.12.4...3b6880d2a00fd6080019118ef40515be905e58db

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 11:58:48 +01:00
Sebastiaan van Stijn
fcf03cdfa9
vendor: github.com/containerd/containerd v1.7.11
full diff: https://github.com/containerd/containerd/compare/v1.7.10...v1.7.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 11:58:47 +01:00
Sebastiaan van Stijn
7028a03ffa
vendor: github.com/containerd/containerd v1.7.10
full diff: https://github.com/containerd/containerd/compare/v1.7.9...v1.7.10

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 11:58:47 +01:00
Sebastiaan van Stijn
49ad10261e
vendor: github.com/containerd/containerd v1.7.9
full diff: https://github.com/containerd/containerd/compare/v1.7.8...v1.7.9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 11:58:47 +01:00
Sebastiaan van Stijn
c14bd4f1ad
vendor: vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
Upgrade to the latest OpenTelemetry libraries; this will unblock a lot of
downstream projects in the ecosystem to upgrade, as some of the parts here
were pre-1.0/unstable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-12 11:58:44 +01:00
Sebastiaan van Stijn
291eaf0a77
vendor: github.com/cyphar/filepath-securejoin v0.2.4
update the dependency to v0.2.4 to prevent scanners from flagging the
vulnerability (GHSA-6xv5-86q9-7xr8 / GO-2023-2048). Note that that vulnerability
only affects Windows, and is currently only used in runc/libcontainer, so should
not impact our use (as that code is Linux-only).

full diff: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-11 13:59:37 +01:00
Sebastiaan van Stijn
12c70b4386
vendor: github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0
full diff: https://github.com/grpc-ecosystem/grpc-gateway/compare/v2.11.3...v2.16.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-08 18:59:40 +01:00
Sebastiaan van Stijn
a0615f6839
vendor: github.com/felixge/httpsnoop v1.0.4
full diff: https://github.com/felixge/httpsnoop/compare/v1.0.3...v1.0.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-08 18:59:36 +01:00
Paweł Gronowski
c8134fa046
vendor: github.com/moby/buildkit v0.12.4
full diff: https://github.com/moby/buildkit/compare/v0.12.3...v0.12.4

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-12-04 10:56:20 +01:00
Sebastiaan van Stijn
faa843fcef
vendor: github.com/gorilla/mux v1.8.1
full diff: https://github.com/gorilla/mux/compare/v1.8.0...v1.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 12:48:09 +01:00
Sebastiaan van Stijn
028ed1bb22
vendor: github.com/spf13/cobra v1.8.0
full diff: https://github.com/spf13/cobra/compare/v1.7.0...v1.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 11:01:59 +01:00
Sebastiaan van Stijn
2f28582b55
vendor: github.com/Microsoft/hcsshim v0.11.4
full diff: https://github.com/Microsoft/hcsshim/compare/v0.11.1...v0.11.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-19 13:12:22 +01:00
Sebastiaan van Stijn
fb53da508f
vendor: github.com/opencontainers/runc v1.1.10
- full diff: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.10

This is the tenth (and most likely final) patch release in the 1.1.z
release branch of runc. It mainly fixes a few issues in cgroups, and a
umask-related issue in tmpcopyup.

- Add support for `hugetlb.<pagesize>.rsvd` limiting and accounting.
  Fixes the issue of postgres failing when hugepage limits are set.
- Fixed permissions of a newly created directories to not depend on the value
  of umask in tmpcopyup feature implementation.
- libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes`
  (fixes the compatibility with Linux kernel 6.1+).
- Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
  configuration. This issue is not a security issue because it requires a
  malicious config.json, which is outside of our threat model.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-13 16:26:29 +01:00
Sebastiaan van Stijn
981a878cf5
vendor: github.com/docker/go-connections fa09c952e3ea (v0.5.0-dev)
0b8c1f4e07...fa09c952e3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-10 23:23:37 +01:00
Sam Whited
8074e7a437
Bump go-connections for TLS 1.3 support
Fixes 40495

Signed-off-by: Sam Whited <sam@samwhited.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-08 17:58:50 +01:00
Evan Lezar
49e04102c1 Update container-device-interface to v0.6.2
This includes migrating from the github.com/container-orchestrated-devices
repo to tags.cncf.io.

Signed-off-by: Evan Lezar <elezar@nvidia.com>
2023-11-04 01:00:19 +01:00
Sebastiaan van Stijn
38c4ceb00a
vendor: github.com/containerd/containerd v1.7.8
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8
full diff: https://github.com/containerd/containerd/compare/v1.7.7...v1.7.8

Notable Updates

- Fix ambiguous TLS fallback
- Update Go to 1.20.10
- Add a new image label on converted schema 1 images
- Fix handling for missing basic auth credentials
- Fix potential deadlock in create handler for containerd-shim-runc-v2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-27 00:44:49 +02:00
Sebastiaan van Stijn
34f5793521
vendor: google.golang.org/grpc v1.58.3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-27 00:43:19 +02:00
Sebastiaan van Stijn
bd23c7729e
vendor: golang.org/x/tools v0.10.0
full diff:  https://github.com/golang/tools/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-27 00:36:59 +02:00
Sebastiaan van Stijn
205e4de3fd
vendor: golang.org/x/mod v0.11.0
no changes in vendored files

full diff: https://github.com/golang/mod/compare/v0.10.0...v0.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-27 00:35:25 +02:00
Sebastiaan van Stijn
df3a321164
migrate to github.com/moby/sys/user
The github.com/opencontainers/runc/libcontainer/user package was moved
to a separate module. While there's still uses of the old module in
our code-base, runc itself is migrating to the new module, and deprecated
the old package (for runc 1.2).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-24 15:45:02 +02:00
Sebastiaan van Stijn
f2c67ea82f
vendor: github.com/klauspost/compress v1.17.2
fixes data corruption with zstd output in "best"

- 1.17.2 diff: https://github.com/klauspost/compress/compare/v1.17.1...v1.17.2
- full diff: https://github.com/klauspost/compress/compare/v1.16.5...v1.17.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-23 16:32:24 +02:00
Bjorn Neergaard
619d98ab49
vendor: github.com/moby/buildkit v0.12.3
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-10-20 12:01:52 -06:00
Sebastiaan van Stijn
7bb54c3dc5
vendor: gotest.tools/v3 v3.5.1
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.5.0..v3.5.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-18 14:37:07 +02:00
Sebastiaan van Stijn
70589b8548
Merge pull request #46665 from thaJeztah/update_image_spec
vendor: github.com/opencontainers/image-spec v1.1.0-rc5 and use OCI consts
2023-10-18 10:23:22 +02:00
Sebastiaan van Stijn
1f965317b6
Merge pull request #46457 from thaJeztah/bump_swarmkit
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230911190601-f082dd7a0cee
2023-10-18 10:20:38 +02:00
Sebastiaan van Stijn
e3feb05175
vendor: github.com/opencontainers/image-spec v1.1.0-rc5
full diff: https://github.com/opencontainers/image-spec/compare/v1.1.0-rc4...v1.1.0-rc5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-17 14:03:41 +02:00
Sebastiaan van Stijn
26730c891a
vendor: google.golang.org/grpc v1.56.3
server: prohibit more than MaxConcurrentStreams handlers from running at once
(CVE-2023-44487).

In addition to this change, applications should ensure they do not leave running
tasks behind related to the RPC before returning from method handlers, or should
enforce appropriate limits on any such work.

- https://github.com/grpc/grpc-go/compare/v1.56.2...v1.56.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 20:37:51 +02:00
Sebastiaan van Stijn
25fb4dd50d
switch to go.opentelemetry.io/otel/semconv/v1.17.0
While updating the docker/docker dependency in BuildKit, I noticed that the
dependency tree showed _two_ separate versions of the semconv package;
BuildKit and containerd were using the v1.17.0 version and docker/docker was
using v1.7.0.

This patch updates the version we use to align with BuildKit and containerd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 10:28:54 +02:00
Sebastiaan van Stijn
919fe72f60
vendor: github.com/moby/buildkit v0.12.3-dev
update buildkit to the latest code in the v0.12 branch:

full diff: f94ed7cec3...6560bb937e

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-10-13 17:05:56 -07:00
Sebastiaan van Stijn
80a9fc6d36
Merge pull request #46565 from vvoland/c8d-mirrors-fix
daemon/RegistryHosts: Don't lose mirrors
2023-10-13 22:31:24 +02:00
Paweł Gronowski
c5389354ac
Merge pull request #46542 from thaJeztah/update_distribution_2.8.3
vendor: github.com/docker/distribution v2.8.3
2023-10-12 12:13:15 +02:00
Sebastiaan van Stijn
1800dd0876
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/v0.13.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:58:01 +02:00
Sebastiaan van Stijn
1946aead21
vendor: golang.org/x/crypto v0.14.0
full diff: https://github.com/golang/crypto/compare/v0.11.0...v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:57:10 +02:00
Sebastiaan van Stijn
0679ae984b
vendor: golang.org/x/text v0.13.0
full diff: https://github.com/golang/text/compare/v0.11.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:56:07 +02:00
Sebastiaan van Stijn
bc33c27796
vendor: golang.org/x/sys v0.13.0
full diff: https://github.com/golang/sys/compare/v0.10.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:55:24 +02:00
Sebastiaan van Stijn
db806533e6
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230911190601-f082dd7a0cee
full diff: 12f0c246fe...f082dd7a0c

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 17:54:24 +02:00
Sebastiaan van Stijn
b81b27c21f
vendor: github.com/go-logr/logr v1.2.4
full diff: https://github.com/go-logr/logr/compare/v1.2.3...v1.2.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 17:54:24 +02:00
Sebastiaan van Stijn
e1d0aacb6a
vendor: github.com/docker/distribution v2.8.3
- Fix storageDriver gcs not registered in binaries
- reference: replace uses of deprecated function SplitHostname
- Dont parse errors as JSON unless Content-Type is set to JSON
- update to go1.20.8
- Set Content-Type header in registry client ReadFrom
- deprecate reference package, migrate to github.com/distribution/reference
- digestset: deprecate package in favor of go-digest/digestset
- Do not close HTTP request body in HTTP handler

full diff: https://github.com/distribution/distribution/compare/v2.8.2...v2.8.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 17:11:25 +02:00