Commit graph

45133 commits

Author SHA1 Message Date
CrazyMax
8d9a357a67
Dockerfile: registry cross build with TARGETPLATFORM
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:21 +01:00
CrazyMax
a4bc2922c2
Dockerfile: dockercli cross build with TARGETPLATFORM
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:21 +01:00
CrazyMax
420591c4a2
Dockerfile: rootlesskit cross build with TARGETPLATFORM
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:21 +01:00
CrazyMax
f0307892ea
Dockerfile: tini cross build with TARGETPLATFORM
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:21 +01:00
CrazyMax
5e19d7ec54
Dockerfile: runc cross build with TARGETPLATFORM
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:21 +01:00
Kevin Alvarez
81d704d15d
Dockerfile: containerd cross build with TARGETPLATFORM
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:20 +01:00
CrazyMax
b19c11621a
Dockerfile: DOCKER_STATIC arg
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:20 +01:00
CrazyMax
69c9dfd6d5
Dockerfile: add dummy stage
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:20 +01:00
CrazyMax
6cba7d22e9
Dockerfile: add cross compilation helper
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-12-15 15:02:20 +01:00
Sebastiaan van Stijn
aac5e5906d
Merge pull request #44625 from thaJeztah/update_fluent_deps
vendor: update dependencies for fluentd
2022-12-15 10:54:51 +01:00
Sebastiaan van Stijn
07387913a8
Merge pull request #44642 from thaJeztah/remote_cli_package_step1
Remove "cli" package (step 1)
2022-12-15 09:41:23 +01:00
Sebastiaan van Stijn
ef7ab7bde8
cli: remove cli/config package, integrate into cmd/dockerd
The configDir (and "DOCKER_CONFIG" environment variable) is now only used
for the default location for TLS certificates to secure the daemon API.
It is a leftover from when the "docker" and "dockerd" CLI shared the same
binary, allowing the DOCKER_CONFIG environment variable to set the location
for certificates to be used by both.

This patch merges it into cmd/dockerd, which is where it was used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-14 12:52:40 +01:00
Sebastiaan van Stijn
6a90113e68
cli: move cobra customizations into cmd/dockerd
The cli package is a leftover from when the "docker" and "dockerd" cli
were both maintained in this repository; the only consumer of this is
now the dockerd CLI, so we can move this code (it should not be imported
by anyone).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-14 11:37:51 +01:00
Sebastiaan van Stijn
3d58b43efe
cli: remove unused Errors type
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-14 11:30:54 +01:00
Brian Goff
44a4ffd96f
Merge pull request #44629 from corhere/fix-44512
Prevent containers from being included in List API before they are registered
2022-12-13 14:57:30 -08:00
Bjorn Neergaard
186d3ba70e
Merge pull request #44503 from corhere/image-ls-before-after-filters
List images with multiple since/before filters
2022-12-13 14:55:07 -07:00
Sebastiaan van Stijn
a4cbaa958d
Merge pull request #44497 from neersighted/no_uncommitted_go_mod
hack: replace go-mod-prepare.sh with wrapper script
2022-12-13 17:09:50 +01:00
Bjorn Neergaard
25c3421802 hack: introduce validate/no-module
Moby is not a Go module; to prevent anyone from mistakenly trying to
convert it to one before we are ready, introduce a check (usable in CI
and locally) for a go.mod file.

This is preferable to trying to .gitignore the file as we can ensure
that a mistakenly created go.mod is surfaced by Git-based tooling and is
less likely to surprise a contributor.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-12 18:39:06 -07:00
Bjorn Neergaard
a449f77774 hack: replace go-mod-prepare.sh with wrapper script
To make the local build environment more correct and consistent, we
should never leave an uncommitted go.mod in the tree; however, we need a
go.mod for certain commands to work properly. Use a wrapper script to
create and destroy the go.mod as needed instead of potentially changing
tooling behavior by leaving it.

If a go.mod already exists, this script will warn and call the wrapped
command with GO111MODULE=on.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-12 18:39:06 -07:00
Cory Snider
388fe4aea8 daemon: drop side effect from registerLinks()
(*Daemon).registerLinks() calling the WriteHostConfig() method of its
container argument is a vestigial behaviour. In the distant past,
registerLinks() would persist the container links in an SQLite database
and drop the link config from the container's persisted HostConfig. This
changed in Docker v1.10 (#16032) which migrated away from SQLite and
began using the link config in the container's HostConfig as the
persistent source of truth. registerLinks() no longer mutates the
HostConfig at all so persisting the HostConfig to disk falls outside of
its scope of responsibilities.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-12-12 16:04:09 -05:00
Cory Snider
0141c6db81 daemon: don't checkpoint container until registered
(*Container).CheckpointTo() upserts a snapshot of the container to the
daemon's in-memory ViewDB and also persists the snapshot to disk. It
does not register the live container object with the daemon's container
store, however. The ViewDB and container store are used as the source of
truth for different operations, so having a container registered in one
but not the other can result in inconsistencies. In particular, the List
Containers API uses the ViewDB as its source of truth and the Container
Inspect API uses the container store.

The (*Daemon).setHostConfig() method is called fairly early in the
process of creating a container, long before the container is registered
in the daemon's container store. Due to a rogue CheckpointTo() call
inside setHostConfig(), there is a window of time where a container can
be included in a List Containers API response but "not exist" according
to the Container Inspect API and similar endpoints which operate on a
particular container. Remove the rogue call so that the caller has full
control over when the container is checkpointed and update callers to
checkpoint explicitly. No changes to (*Daemon).create() are needed as it
checkpoints the fully-created container via (*Daemon).Register().

Fixes #44512.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-12-12 15:53:49 -05:00
Cory Snider
00157a42d3 daemon: fix GetContainer() returning (nil, nil)
GetContainer() would return (nil, nil) when looking up a container
if the container was inserted into the containersReplica ViewDB but not
the containers Store at the time of the lookup. Callers which reasonably
assume that the returned err == nil implies returned container != nil
would dereference a nil pointer and panic. Change GetContainer() so that
it always returns a container or an error.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-12-12 14:39:10 -05:00
Sebastiaan van Stijn
487fa4a469
Merge pull request #44622 from thaJeztah/image_inspect_step1a
manage image inspect data in backend
2022-12-12 20:05:46 +01:00
Sebastiaan van Stijn
7b0d2464ff
Merge pull request #44459 from neersighted/validate_always_tidy
validate/vendor: always tidy
2022-12-12 18:49:42 +01:00
Sebastiaan van Stijn
389dacd6e2
vendor: github.com/tinylib/msgp v1.1.6
This is a dependency of github.com/fluent/fluent-logger-golang, which
currently does not provide a go.mod, but tests against the latest
versions of its dependencies.

Updating this dependency to the latest version.

Notable changes:

- all: implement omitempty
- fix: JSON encoder may produce invalid utf-8 when provided invalid utf-8 message pack string.
- added Unwrap method to errWrapped plus tests; switched travis to go 1.14
- CopyToJSON: fix bitSize for floats
- Add Reader/Writer constructors with custom buffer
- Add missing bin header functions
- msgp/unsafe: bring code in line with unsafe guidelines
- msgp/msgp: fix ReadMapKeyZC (fix "Fail to decode string encoded as bin type")

full diff: https://github.com/tinylib/msgp/compare/v1.1.0...v1.1.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-12 11:35:03 +01:00
Sebastiaan van Stijn
24496fe097
vendor: github.com/philhofer/fwd v1.1.2
This is an (indirect) dependency of github.com/fluent/fluent-logger-golang,
which currently does not provide a go.mod, but tests against the latest
versions of its dependencies.

Updating this dependency to the latest version.

full diff: https://github.com/philhofer/fwd/compare/v1.0.0...v1.1.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-12 11:34:18 +01:00
Nicolas De Loof
8fb71ce208
manage image inspect data in backend
This allows differentiating how the detailed data is collected between
the containerd-integration code and the existing implementation.

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 19:02:12 +01:00
Sebastiaan van Stijn
a8eb15eafb
ImageService.ImageHistory(): pass context
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 19:00:49 +01:00
Sebastiaan van Stijn
77f9c550bd
Merge pull request #44605 from thaJeztah/bump_golang_net
vendor: golang.org/x/net v0.4.0
2022-12-09 00:03:14 +01:00
Sebastiaan van Stijn
3cfd3e626c
Merge pull request #44611 from thaJeztah/remove_stray_import
libcontainerd/remote: remove stray import comment
2022-12-08 23:53:24 +01:00
Cory Snider
0426c76142 List images with multiple since/before filters
The List Images API endpoint has accepted multiple values for the
`since` and `before` filter predicates, but thanks to Go's randomizing
of map iteration order, it would pick an arbitrary image to compare
created timestamps against. In other words, the behaviour was undefined.
Change these filter predicates to have well-defined semantics: the
logical AND of all values for each of the respective predicates. As
timestamps are a totally-ordered relation, this is exactly equivalent to
applying the newest and oldest creation timestamps for the `since` and
`before` predicates, respectively.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-12-08 16:36:57 -05:00
Sebastiaan van Stijn
18ef26761d
Merge pull request #44603 from vvoland/images-errdefs
image/store: Use errdefs for errors
2022-12-08 22:06:13 +01:00
Paweł Gronowski
e214503789
image/store: Use errdefs for errors
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-12-08 17:17:07 +01:00
Sebastiaan van Stijn
d9694c27c2
Merge pull request #44606 from thaJeztah/bump_containerd_1.6.12
vendor: github.com/containerd/containerd v1.6.12
2022-12-08 14:07:52 +01:00
Sebastiaan van Stijn
200edf8030
libcontainerd/remote: remove stray import comment
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 13:27:50 +01:00
Sebastiaan van Stijn
12c76d4a15
vendor: github.com/containerd/containerd v1.6.12
no changes in vendored code, but containerd v1.6.12 is a security release,
so updating, to prevent scanners marking the dependency to have a vulnerability.

full diff: https://github.com/containerd/containerd/compare/v1.6.11...v1.6.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 00:42:46 +01:00
Sebastiaan van Stijn
4bbc37687e
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to circular dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/v0.2.0...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-07 22:25:49 +01:00
Sebastiaan van Stijn
0ff5ce825c
Merge pull request #44594 from thaJeztah/vendor_containerd_1.6.11
vendor: github.com/containerd/containerd v1.6.11
2022-12-07 13:25:18 +01:00
Sebastiaan van Stijn
84f64925bc
Merge pull request #44591 from thaJeztah/update_go_1.19.4
update to go1.19.4
2022-12-07 13:20:41 +01:00
Sebastiaan van Stijn
d331bc3b03
vendor: github.com/containerd/containerd v1.6.11
- Fix nil pointer deference for Windows containers in CRI plugin
- Fix lease labels unexpectedly overwriting expiration
- Fix for simultaneous diff creation using the same parent snapshot

full diff: https://github.com/containerd/containerd/v1.6.10...v1.6.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 23:26:25 +01:00
Sebastiaan van Stijn
52bc1ad744
update to go1.19.4
Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720),
and os (CVE-2022-41720).

These minor releases include 2 security fixes following the security policy:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.
  Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \(the root of the
  current drive) can permit a maliciously crafted path to escape from the
  drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the
  path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting
  HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by
  the client. While the total number of entries in this cache is capped,
  an attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users
  manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.19.4

And the milestone on the issue tracker:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.19.3...go1.19.4

The golang.org/x/net fix is in 1e63c2f08a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 22:57:25 +01:00
Sebastiaan van Stijn
0200623ef7
Merge pull request #44587 from thaJeztah/bjorn_maintainer
Add Bjorn Neergaard to maintainers
2022-12-06 21:26:32 +01:00
Sebastiaan van Stijn
f577f31f50
Add Bjorn Neergaard to maintainers
I nominated Bjorn as maintainer, and votes passed; welcome Bjorn!

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 21:26:03 +01:00
Sebastiaan van Stijn
a7b2b29b79
Merge pull request #44590 from ndeloof/master
Better not pretend to be an active currator
2022-12-06 19:53:24 +01:00
Nicolas De Loof
9da935629e
Better not pretend to be an active currator
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2022-12-06 17:18:40 +01:00
Sebastiaan van Stijn
42053a0fc3
Merge pull request #44588 from thaJeztah/kevin_curator
Add Kevin Alvarez ("crazy-max") to curators
2022-12-06 17:14:57 +01:00
Sebastiaan van Stijn
383e23fd61
Add Kevin Alvarez ("crazy-max") to curators
Kevin has been doing a lot of work helping modernize our CI, and helping
with BuildKit-related changes. Being our "resident GitHub actions expert",
I think it make sense to add him to the maintainers list as a curator (for
starters), to grant him permissions on the repository.

Perhaps we should nominate him to become a maintainer (with a focus on his
area of expertise) :)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 15:28:03 +01:00
Sebastiaan van Stijn
cc1884dc04
Merge pull request #44501 from tiborvass/immutable_radix
libnetwork: use go-immutable-radix instead of radix
2022-12-06 12:46:53 +01:00
Brian Goff
1523c78c34
Merge pull request #44458 from AdamKorcz/fuzzmigration
testing: move fuzzers over from OSS-Fuzz
2022-12-05 09:41:46 -08:00
Sebastiaan van Stijn
683b076a6e
Merge pull request #44537 from crazy-max/builder-host-gateway
builder: handle host-gateway with extra hosts
2022-12-03 14:38:31 +01:00