Commit graph

44662 commits

Author SHA1 Message Date
Bjorn Neergaard
98cad005ca
Merge pull request #44631 from neersighted/23.0_vendor_improvements
[23.0 backport] vendor tooling improvements
2022-12-13 18:40:23 -07:00
Bjorn Neergaard
a6818fd4cb
hack: introduce validate/no-module
Moby is not a Go module; to prevent anyone from mistakenly trying to
convert it to one before we are ready, introduce a check (usable in CI
and locally) for a go.mod file.

This is preferable to trying to .gitignore the file as we can ensure
that a mistakenly created go.mod is surfaced by Git-based tooling and is
less likely to surprise a contributor.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit 25c3421802)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-13 14:42:07 -07:00
Bjorn Neergaard
45fe08c93c
hack: replace go-mod-prepare.sh with wrapper script
To make the local build environment more correct and consistent, we
should never leave an uncommitted go.mod in the tree; however, we need a
go.mod for certain commands to work properly. Use a wrapper script to
create and destroy the go.mod as needed instead of potentially changing
tooling behavior by leaving it.

If a go.mod already exists, this script will warn and call the wrapped
command with GO111MODULE=on.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit a449f77774)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-13 14:42:05 -07:00
Bjorn Neergaard
c508d13372
hack/go-mod-prepare.sh: find root robustly; make steps transparent
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit af8e955e8f)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-13 14:41:28 -07:00
Bjorn Neergaard
036398f512
hack/validate/vendor: clean up license validation step
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit 9f004830a5)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-13 14:41:27 -07:00
Bjorn Neergaard
a4957d2585
hack/validate/vendor: split tidy from vendor
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit dbd76848ca)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-13 14:41:25 -07:00
Bjorn Neergaard
394eaa8495
hack/vendor.sh: allow running tidy & vendor separately
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit 72568286ab)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-13 14:41:23 -07:00
Tianon Gravi
abcb4c556c
Merge pull request #44616 from thaJeztah/23.0_backport_bump_golang_net
[23.0 backport] update dependencies
2022-12-09 13:06:42 -08:00
Sebastiaan van Stijn
47069ae18c
Merge pull request #44617 from thaJeztah/23.0_backport_images_errdefs
[23.0 backport] image/store: Use errdefs for errors
2022-12-09 21:31:25 +01:00
Paweł Gronowski
ffa2c0b517
image/store: Use errdefs for errors
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit e214503789)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:17:57 +01:00
Sebastiaan van Stijn
c0c146fc82
Remove uses of deprecated go-digest.NewDigestFromHex, go-digest.Digest.Hex
Both of these were deprecated in 55f675811a,
but the format of the GoDoc comments didn't follow the correct format, which
caused them not being picked up by tools as "deprecated".

This patch updates uses in the codebase to use the alternatives.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0f7c9cd27e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:17:18 +01:00
Sebastiaan van Stijn
6295320d91
use consistent alias for gotest.tools/v3/assert/cmp
Make sure we use the same alias everywhere for easier finding,
and to prevent accidentally introducing duplicate imports with
different aliases for the same package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f6b695d2fb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:15:26 +01:00
Sebastiaan van Stijn
1cc1395fae
vendor: golang.org/x/net v0.4.0
golang.org/x/net contains a fix for CVE-2022-41717, which was addressed
in stdlib in go1.19.4 and go1.18.9;

> net/http: limit canonical header cache by bytes, not entries
>
> An attacker can cause excessive memory growth in a Go server accepting
> HTTP/2 requests.
>
> HTTP/2 server connections contain a cache of HTTP header keys sent by
> the client. While the total number of entries in this cache is capped,
> an attacker sending very large keys can cause the server to allocate
> approximately 64 MiB per open connection.
>
> This issue is also fixed in golang.org/x/net/http2 v0.4.0,
> for users manually configuring HTTP/2.

full diff: https://github.com/golang/net/compare/v0.2.0...v0.4.0

other dependency updates (due to circular dependencies):

- golang.org/x/sys v0.3.0: https://github.com/golang/sys/compare/v0.2.0...v0.3.0
- golang.org/x/text v0.5.0: https://github.com/golang/text/compare/v0.4.0...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4bbc37687e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:01:27 +01:00
Sebastiaan van Stijn
0163808dbe
vendor: github.com/prometheus/client_golang v1.14.0
full diff: https://github.com/prometheus/client_golang/compare/v1.13.0...v1.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit dc52e08bb5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:01:16 +01:00
Sebastiaan van Stijn
9b62b83429
vendor: github.com/go-logr/logr v1.2.3
full diff: https://github.com/go-logr/logr/compare/v1.2.2...v1.2.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b2fe29ba79)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:01:07 +01:00
Sebastiaan van Stijn
d5ffdeb76c
vendor: golang.org/x/crypto v0.2.0
- all: use math/bits.RotateLeft

full diff: https://github.com/golang/crypto/compare/v0.1.0...v0.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7c1b7842c6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:00:58 +01:00
Sebastiaan van Stijn
4da8dedaab
vendor: golang.org/x/net v0.2.0
- http2/hpack: build static table with go generate

full diff: https://github.com/golang/net/compare/v0.1.0...v0.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit efe17dbdb4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:00:49 +01:00
Sebastiaan van Stijn
b14ffffffd
vendor: github.com/opencontainers/runc v1.1.3
no changes in vendored code

full diff: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0588a83380)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:00:39 +01:00
Sebastiaan van Stijn
173df30ac5
vendor: github.com/klauspost/compress v1.15.12
full diff: https://github.com/klauspost/compress/compare/v1.15.9...v1.15.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 38adf7a694)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:00:31 +01:00
Sebastiaan van Stijn
fe62290eed
go.mod: github.com/miekg/dns v1.1.43
This update:

- removes support for go1.11
- removes the use of "golang.org/x/crypto/ed25519", which is now part of stdlib:
  > Beginning with Go 1.13, the functionality of this package was moved to the
  > standard library as crypto/ed25519. This package only acts as a compatibility
  > wrapper.

Note that this is not the latest release; version v1.1.44 introduced a tools.go
file, which added golang.org/x/tools to the dependency tree (but only used for
"go:generate") see commit:
df84acab71

full diff: https://github.com/miekg/dns/compare/v1.1.27...v1.1.43

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bbb1b82232)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-09 00:00:18 +01:00
Sebastiaan van Stijn
3083236871
Merge pull request #44566 from thaJeztah/23.0_backport_remove_trustkey_id_migration
[23.0 backport] use ad-hoc libtrust trustkey
2022-12-08 23:54:09 +01:00
Bjorn Neergaard
2abf4d763b
Merge pull request #44612 from thaJeztah/23.0_backport_vendor_containerd_1.6.11
[23.0 backport] vendor: github.com/containerd/containerd v1.6.12
2022-12-08 13:47:01 -07:00
Sebastiaan van Stijn
3fd34324a8
Merge pull request #44608 from thaJeztah/23.0_containerd_binary_1.6.12
[23.0] update containerd binary to v1.6.12 (addresses CVE-2022-23471)
2022-12-08 20:33:46 +01:00
Sebastiaan van Stijn
4ee3cc2531
vendor: github.com/containerd/containerd v1.6.12
no changes in vendored code, but containerd v1.6.12 is a security release,
so updating, to prevent scanners marking the dependency to have a vulnerability.

full diff: https://github.com/containerd/containerd/compare/v1.6.11...v1.6.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 12c76d4a15)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 14:11:35 +01:00
Sebastiaan van Stijn
48a0d8a8d1
[23.0] update containerd binary to v1.6.12 (addresses CVE-2022-23471)
The twelfth patch release for containerd 1.6 contains a fix for CVE-2022-23471.

Notable Updates

- Fix goroutine leak during Exec in CRI plugin (GHSA-2qjp-425j-52j9)

full diff: https://github.com/containerd/containerd/compare/v1.6.11...v1.6.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 00:51:01 +01:00
Sebastiaan van Stijn
a122104327
Merge pull request #44596 from thaJeztah/23.0_containerd_1.6.11
[23.0] update containerd binary to v1.6.11
2022-12-07 13:48:39 +01:00
Sebastiaan van Stijn
a74f0c2483
Merge pull request #44595 from thaJeztah/23.0_backport_vendor_containerd_1.6.11
[23.0 backport] vendor: github.com/containerd/containerd v1.6.11
2022-12-07 13:26:56 +01:00
Sebastiaan van Stijn
4f6786d861
Merge pull request #44592 from thaJeztah/23.0_backport_update_go_1.19.4
[23.0 backport] update to go1.19.4
2022-12-07 13:21:15 +01:00
Sebastiaan van Stijn
3d902fe719
[23.0] update containerd binary to v1.6.11
Welcome to the v1.6.11 release of containerd!

The eleventh patch release for containerd 1.6 contains a various fixes and updates.

Notable Updates

- Add pod UID annotation in CRI plugin
- Fix nil pointer deference for Windows containers in CRI plugin
- Fix lease labels unexpectedly overwriting expiration
- Fix for simultaneous diff creation using the same parent snapshot

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 23:33:27 +01:00
Sebastiaan van Stijn
0da8917add
vendor: github.com/containerd/containerd v1.6.11
- Fix nil pointer deference for Windows containers in CRI plugin
- Fix lease labels unexpectedly overwriting expiration
- Fix for simultaneous diff creation using the same parent snapshot

full diff: https://github.com/containerd/containerd/v1.6.10...v1.6.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d331bc3b03)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 23:30:24 +01:00
Sebastiaan van Stijn
623f6f7702
update to go1.19.4
Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720),
and os (CVE-2022-41720).

These minor releases include 2 security fixes following the security policy:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.
  Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \(the root of the
  current drive) can permit a maliciously crafted path to escape from the
  drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the
  path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting
  HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by
  the client. While the total number of entries in this cache is capped,
  an attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users
  manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.19.4

And the milestone on the issue tracker:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.19.3...go1.19.4

The golang.org/x/net fix is in 1e63c2f08a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 52bc1ad744)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 22:58:19 +01:00
Sebastiaan van Stijn
e57c432eff
Merge pull request #44574 from thaJeztah/23.0_backport_builder_host_gateway
[23.0 backport] builder: handle host-gateway with extra hosts
2022-12-04 18:49:19 +01:00
Sebastiaan van Stijn
4952dc2844
distribution: remove unused RequireSchema2
It's never set, so we can remove it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 85fddc0081)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-03 18:09:17 +01:00
Sebastiaan van Stijn
e7b26fa1b1
use ad-hoc libtrust key
This is only used for tests, and the key is not verified anymore, so
instead of creating a key and storing it, we can just use an ad-hoc
one.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8feeaecb84)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-03 18:09:16 +01:00
Sebastiaan van Stijn
f2463e1e86
distribution: use ad-hoc trustkey for tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e854b2a459)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-03 18:09:16 +01:00
Sebastiaan van Stijn
139080d093
daemon/config: remove and local trustkey utilities
Turned out that the loadOrCreateTrustKey() utility was doing exactly the
same as libtrust.LoadOrCreateTrustKey(), so making it a thin wrapped. I kept
the tests to verify the behavior, but we could remove them as we only need this
for our integration tests.

The storage location for the generated key was changed (again as we only need
this for some integration tests), so we can remove the TrustKeyPath from the
config.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5cdd6ab7cd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-03 18:09:16 +01:00
Sebastiaan van Stijn
46e0317bc1
[23.0] remove libtrust tests
This is a subset of 1981706196 on master,
preserving the tests for migrating the key to engine-id.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-03 18:08:29 +01:00
CrazyMax
1da1a3ea87
builder: handle host-gateway with extra hosts
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 521b8c02cc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-03 14:39:41 +01:00
Sebastiaan van Stijn
bdf9baa207
Merge pull request #44568 from thaJeztah/23.0_backport_relax_checkSupportedMediaType
[23.0 backport] distribution: checkSupportedMediaType: allow additional media-types
2022-12-03 14:37:34 +01:00
Sebastiaan van Stijn
99d5b53b99
Merge pull request #44572 from crazy-max/23.0_backport_ci-buildkit-fix
[23.0 backport] ci(buildkit): update buildkit ref to fix issue with alpine image
2022-12-02 21:24:42 +01:00
Kevin Alvarez
7620f72fb8
ci(buildkit): update buildkit ref to fix issue with alpine image
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 381fa4afca)
2022-12-02 18:52:33 +01:00
Sebastiaan van Stijn
304c56f7f5
distribution: checkSupportedMediaType: allow additional media-types
This addresses a regression introduced in 407e3a4552,
which turned out to be "too strict", as there's old images that use, for example;

    docker pull python:3.5.1-alpine
    3.5.1-alpine: Pulling from library/python
    unsupported media type application/octet-stream

Before 407e3a4552, such mediatypes were accepted;

    docker pull python:3.5.1-alpine
    3.5.1-alpine: Pulling from library/python
    e110a4a17941: Pull complete
    30dac23631f0: Pull complete
    202fc3980a36: Pull complete
    Digest: sha256:f88925c97b9709dd6da0cb2f811726da9d724464e9be17a964c70f067d2aa64a
    Status: Downloaded newer image for python:3.5.1-alpine
    docker.io/library/python:3.5.1-alpine

This patch copies the additional media-types, using the list of types that
were added in a215e15cb1, which fixed a
similar issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a6a539497a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-02 01:31:51 +01:00
Sebastiaan van Stijn
b21e8f72f2
Merge pull request #44563 from thaJeztah/23.0_backport_seccomp_block_af_vsock
[23.0 backport] seccomp: block socket calls to AF_VSOCK in default profile
2022-12-01 21:39:46 +01:00
Sebastiaan van Stijn
6875e7f1be
seccomp: block socket calls to AF_VSOCK in default profile
This syncs the seccomp-profile with the latest changes in containerd's
profile, applying the same changes as 17a9324035

Some background from the associated ticket:

> We want to use vsock for guest-host communication on KubeVirt
> (https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.
>
> However since anyone can just connect from any pod to any VM with the
> default seccomp settings, we cannot limit connection attempts to our
> privileged node-agent.
>
> ### Describe the solution you'd like
> We want to deny the `socket` syscall for the `AF_VSOCK` family by default.
>
> I see in [1] and [2] that AF_VSOCK was actually already blocked for some
> time, but that got reverted since some architectures support the `socketcall`
> syscall which can't be restricted properly. However we are mostly interested
> in `arm64` and `amd64` where limiting `socket` would probably be enough.
>
> ### Additional context
> I know that in theory we could use our own seccomp profiles, but we would want
> to provide security for as many users as possible which use KubeVirt, and there
> it would be very helpful if this protection could be added by being part of the
> DefaultRuntime profile to easily ensure that it is active for all pods [3].
>
> Impact on existing workloads: It is unlikely that this will disturb any existing
> workload, becuase VSOCK is almost exclusively used for host-guest commmunication.
> However if someone would still use it: Privileged pods would still be able to
> use `socket` for `AF_VSOCK`, custom seccomp policies could be applied too.
> Further it was already blocked for quite some time and the blockade got lifted
> due to reasons not related to AF_VSOCK.
>
> The PR in KubeVirt which adds VSOCK support for additional context: [4]
>
> [1]: https://github.com/moby/moby/pull/29076#commitcomment-21831387
> [2]: dcf2632945
> [3]: https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
> [4]: https://github.com/kubevirt/kubevirt/pull/8546

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 57b229012a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-01 14:09:46 +01:00
Sebastiaan van Stijn
bb2eab21c6
Merge pull request #44560 from vvoland/client-sharedsize-2206
[22.06 backport] client/list: Handle SharedSize
2022-12-01 09:16:40 +01:00
Sebastiaan van Stijn
cfc4677f62
Merge pull request #44557 from thaJeztah/22.06_backport_generate_authors
[22.06 backport] AUTHORS: regenerate, cleanup, refactor
2022-12-01 00:52:00 +01:00
Paweł Gronowski
978690e4f9
client/list: Handle SharedSize
This makes the `ImageList` function to add `shared-size=1` to the url
query when user caller sets the SharedSize.
SharedSize support was introduced in API version 1.42. This field was
added to the options struct, but client wasn't adjusted.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 3d97f1e22d)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2022-11-30 17:14:21 +01:00
Sebastiaan van Stijn
44eb640a1b
Merge pull request #44556 from thaJeztah/22.06_backport_ci_fixes
[22.06 backport] assorted CI and packaging fixes
2022-11-30 14:58:52 +01:00
Akihiro Suda
69ef0358c3
Merge pull request #44555 from thaJeztah/22.06_backport_remove_outdated_comment
[22.06 backport] vendor.mod: remove outdated comment about replaced module
2022-11-30 22:46:07 +09:00
Sebastiaan van Stijn
fc72ed9760
Merge pull request #44549 from thaJeztah/22.06_backport_search_remove_id
[22.06 backport] registry: session: remove unused id
2022-11-30 12:09:01 +01:00