Commit graph

46084 commits

Author SHA1 Message Date
Sebastiaan van Stijn
8a4b095a94
Merge pull request #45353 from thaJeztah/api_container_change_type
api/types/container: create type for changes endpoint
2023-05-04 19:48:40 +02:00
Sebastiaan van Stijn
0e8eea5a70
Merge pull request #45338 from thaJeztah/split_securityoptions
container: split security options to a SecurityOptions struct
2023-05-04 19:47:24 +02:00
Cory Snider
2b6761fd3e d/graphdriver/copy: support src fs w/o xattr support
Treat copying extended attributes from a source filesystem which does
not support extended attributes as a no-op, same as if the file did not
possess the extended attribute. Only fail copying extended attributes if
the source file has the attribute and the destination filesystem does
not support xattrs.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-05-04 12:30:59 -04:00
Sebastiaan van Stijn
7d7749ee47
Merge pull request #45429 from thaJeztah/libnetwork_cleanup_buildtags_and_stubs
libnetwork: remove redundant init(), remove dead code, and fix stubs / build-tags
2023-05-04 17:48:15 +02:00
Sebastiaan van Stijn
5c052e6c04
Merge pull request #45456 from thaJeztah/update_go1.20.4
update go to go1.20.4
2023-05-04 15:27:53 +02:00
Sebastiaan van Stijn
506b86773d
Merge pull request #45442 from thaJeztah/jsonmessage_refactor
pkg/jsonmessage: JSONMessage.Display(): remove special case for 401 errors
2023-05-04 14:59:48 +02:00
Sebastiaan van Stijn
3e6092f5b2
pkg/jsonmessage: touch-up GoDoc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-04 13:46:11 +02:00
Sebastiaan van Stijn
05cb0e5a7d
pkg/jsonmessage: JSONProgress.String(), JSONProgress.now(): simplify
- inline an intermediate variable
- remove a redundant intermediate function

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-04 13:46:10 +02:00
Sebastiaan van Stijn
4cadee65b3
pkg/jsonmessage: JSONMessage.Display(): remove special case for 401 errors
This special case was added in 3043c26419 as
a sentinel error (`AuthRequiredError`) to check whether authentication
is required (and to prompt the users to authenticate). A later refactor
(946bbee39a) removed the `AuthRequiredError`,
but kept the error-message and logic.

Starting with fcee6056dc, it looks like we
no longer depend on this specific error, so we can return the registry's
error message instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-04 13:46:10 +02:00
Sebastiaan van Stijn
2adec6c8c0
Merge pull request #45438 from thaJeztah/c8d_fix_image_commit
c8d: commit: generateCommitImageConfig: don't merge image config
2023-05-04 11:28:43 +02:00
Sebastiaan van Stijn
66cf0e3f55
client: slightly improve ContainerDiff tests
- use gotest.tools for asserting
- check result returned

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-03 21:25:07 +02:00
Sebastiaan van Stijn
dbb48e4b29
api/types/container: create type for changes endpoint
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-03 21:23:42 +02:00
Sebastiaan van Stijn
b7e8868235
update go to go1.20.4
go1.20.4 (released 2023-05-02) includes three security fixes to the html/template
package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle,
crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved

release notes: https://go.dev/doc/devel/release#go1.20.4
full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4

from the announcement:

> These minor releases include 3 security fixes following the security policy:
>
> - html/template: improper sanitization of CSS values
>
>   Angle brackets (`<>`) were not considered dangerous characters when inserted
>   into CSS contexts. Templates containing multiple actions separated by a '/'
>   character could result in unexpectedly closing the CSS context and allowing
>   for injection of unexpected HMTL, if executed with untrusted input.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
>
> - html/template: improper handling of JavaScript whitespace
>
>   Not all valid JavaScript whitespace characters were considered to be
>   whitespace. Templates containing whitespace characters outside of the character
>   set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
>   actions may not be properly sanitized during execution.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
>
> - html/template: improper handling of empty HTML attributes
>
>   Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
>   executed with empty input could result in output that would have unexpected
>   results when parsed due to HTML normalization rules. This may allow injection
>   of arbitrary attributes into tags.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-03 20:42:33 +02:00
Sebastiaan van Stijn
1c2d8c8663
Merge pull request #45441 from thaJeztah/vendor_runtime_spec_v1.1.0-rc.2
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
2023-05-03 02:45:06 +02:00
Brian Goff
ab0377746a
Merge pull request #44583 from thaJeztah/update_term
vendor: github.com/moby/term v0.5.0
2023-05-02 09:10:33 -07:00
Sebastiaan van Stijn
bf3c156654
vendor: github.com/moby/term v0.5.0
- split exported functions from implementation
- windows: IsConsole(): fix deprecation comment
- deprecate Termios in favor of unix.Termios
- windows: keyToString(): fix string conversion
- gha: update actions, add macOS, and add Go1.20
- gha: add windows

full diff: 1aeaba8785...v0.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-02 14:14:17 +02:00
Sebastiaan van Stijn
c1d420ec60
vendor: github.com/moby/term v0.0.0-20221205130635-1aeaba878587
term: remove interrupt handler on termios

On termios platforms, interrupt signals are not generated in raw mode
terminals as the ISIG setting is not enabled. Remove interrupt handler
as it does nothing for raw mode and prevents other uses of INT signal
with this library.

This code seems to go back all the way to moby/moby#214 where signal
handling was improved for monolithic docker repository. Raw mode -ISIG
got reintroduced in moby/moby@3f63b87807, but the INT handler was left
behind.

full diff: abb19827d3...1aeaba8785

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-30 20:44:17 +02:00
Sebastiaan van Stijn
0df38c3e2b
vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2
release notes: https://github.com/opencontainers/runtime-spec/releases/tag/v1.1.0-rc.2

Additions

- config-linux: add support for rsvd hugetlb cgroup
- features: add features.md to formalize the runc features JSON
- config-linux: add support for time namespace

Minor fixes and documentation

- config-linux: clarify where device nodes can be created
- runtime: remove When serialized in JSON, the format MUST adhere to the following pattern
- Update CI to Go 1.20
- config: clarify Linux mount options
- config-linux: fix url error
- schema: fix schema for timeOffsets
- schema: remove duplicate keys

full diff: https://github.com/opencontainers/runtime-spec/compare/v1.1.0-rc.1...v1.1.0-rc.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-30 19:54:38 +02:00
Sebastiaan van Stijn
0ea9305f99
Merge pull request #45423 from thaJeztah/vendor_runc_1.1.7
vendor: github.com/opencontainers/runc v1.1.7
2023-04-30 19:53:31 +02:00
Sebastiaan van Stijn
8d375b44eb
Merge pull request #45435 from thaJeztah/c8d_import_argsescaped
daemon/containerd: containerConfigToOciImageConfig: add ArgsEscaped
2023-04-30 19:51:01 +02:00
Sebastiaan van Stijn
167fa429f0
daemon: Daemon.CreateImageFromContainer(): remove intermediate vars
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-29 02:59:54 +02:00
Sebastiaan van Stijn
bf5ae17c16
api/server/router/container: containerRouter.postCommit: inline struct
Remove intermediate variable and inline the struct-literal.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-29 02:59:12 +02:00
Sebastiaan van Stijn
9613da63dc
c8d: commit: generateCommitImageConfig: don't merge image config
daemon.CreateImageFromContainer() already constructs a new config by taking
the image config, applying custom options (`docker commit --change ..`) (if
any), and merging those with the containers' configuration, so there is
no need to merge options again.

e22758bfb2/daemon/commit.go (L152-L158)

This patch removes the merge logic from generateCommitImageConfig, and
removes the unused arguments and error-return.

Co-authored-by: Djordje Lukic <djordje.lukic@docker.com>
Co-authored-by: Laura Brehm <laurabrehm@hey.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-29 02:53:54 +02:00
Sebastiaan van Stijn
e510abbc8c
daemon/containerd: containerConfigToOciImageConfig: add ArgsEscaped
The OCI image-spec now also provides ArgsEscaped for backward compatibility
with the option used by Docker.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-29 00:20:07 +02:00
Sebastiaan van Stijn
3eebf4d162
container: split security options to a SecurityOptions struct
- Split these options to a separate struct, so that we can handle them in isolation.
- Change some tests to use subtests, and improve coverage

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-29 00:03:37 +02:00
Sebastiaan van Stijn
e22758bfb2
Merge pull request #45314 from corhere/graceful-shutdown
cmd/dockerd: gracefully shut down the API server
2023-04-28 23:54:34 +02:00
Sebastiaan van Stijn
8142051a3b
libnetwork/osl: unify stubs for NeighOption
Use the same signature for all platforms, but stub the neigh type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:20:58 +02:00
Sebastiaan van Stijn
0ea41eaa51
libnetwork/osl: unify stubs for IfaceOption
Use the same signature for all platforms, but stub the nwIface type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:20:58 +02:00
Sebastiaan van Stijn
021e89d702
libnetwork/osl: rename var that collided with import
Also renaming another var for consistency ':-)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:20:58 +02:00
Brian Goff
dffad6b0b7
Merge pull request #45426 from vvoland/c8d-import-dangling
c8d/import: Don't gc unnamed images
2023-04-28 11:18:55 -07:00
Sebastiaan van Stijn
3a4158e4fa
libnetwork: add missing stub for getInitializers()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:18:33 +02:00
Sebastiaan van Stijn
939a4eb5c9
libnetwork: fix stubs
- sandbox, endpoint changed in c71555f030, but
  missed updating the stubs.
- add missing stub for Controller.cleanupServiceDiscovery()
- While at it also doing some minor (formatting) changes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:18:33 +02:00
Sebastiaan van Stijn
17feabcba0
libnetwork: overlayutils: remove redundant init()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 20:18:29 +02:00
Sebastiaan van Stijn
4e2f000b3c
Merge pull request #45422 from thaJeztah/runc_binary_1.1.7
update runc binary to v1.1.7
2023-04-28 19:57:07 +02:00
Sebastiaan van Stijn
3cad7f99e0
Merge pull request #45431 from laurazard/remove-dangling-pull
c8d: delete dangling image on pull
2023-04-28 19:52:55 +02:00
Sebastiaan van Stijn
04f21d86cf
Merge pull request #43506 from thaJeztah/libnetwork_fix_reexec_defer
libnetwork: processSetKeyReexec() remove defer(), and some refactoring
2023-04-28 19:35:49 +02:00
Laura Brehm
44a6587608
c8d: delete dangling image on pull
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-04-28 17:41:56 +01:00
Sebastiaan van Stijn
1e9ebfb00c
libnetwork: inline sendKey() into SetExternalKey()
This function included a defer to close the net.Conn if an error occurred,
but the calling function (SetExternalKey()) also had a defer to close it
unconditionally.

Rewrite it to use json.NewEncoder(), which accepts a writer, and inline
the code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:54 +02:00
Sebastiaan van Stijn
9d8fcb3296
libnetwork: setKey(): remove intermediate buffer
Use json.NewDecoder() instead, which accepts a reader.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:54 +02:00
Sebastiaan van Stijn
a813d7e961
libnetwork: don't register "libnetwork-setkey" re-exec on non-unix
It's a no-op on Windows and other non-Linux, non-FreeBSD platforms,
so there's no need to register the re-exec.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:54 +02:00
Sebastiaan van Stijn
881fff1a2f
libnetwork: processSetKeyReexec: don't use logrus.Fatal()
Just print the error and os.Exit() instead, which makes it more
explicit that we're exiting, and there's no need to decorate the
error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 16:44:40 +02:00
Sebastiaan van Stijn
e974599593
libnetwork: processSetKeyReexec() remove defer()
Split the function into a "backing" function that returns an error, and the
re-exec entrypoint, which handles the error to provide a more idiomatic approach.

This was part of a larger change accross multiple re-exec functions (now removed).

For history's sake; here's the description for that;

The `reexec.Register()` function accepts reexec entrypoints, which are a `func()`
without return (matching a binary's `main()` function). As these functions cannot
return an error, it's the entrypoint's responsibility to handle any error, and to
indicate failures through `os.Exit()`.

I noticed that some of these entrypoint functions had `defer()` statements, but
called `os.Exit()` either explicitly or implicitly (e.g. through `logrus.Fatal()`).
defer statements are not executed if `os.Exit()` is called, which rendered these
statements useless.

While I doubt these were problematic (I expect files to be closed when the process
exists, and `runtime.LockOSThread()` to not have side-effects after exit), it also
didn't seem to "hurt" to call these as was expected by the function.

This patch rewrites some of the entrypoints to split them into a "backing function"
that can return an error (being slightly more iodiomatic Go) and an wrapper function
to act as entrypoint (which can handle the error and exit the executable).

To some extend, I'm wondering if we should change the signatures of the entrypoints
to return an error so that `reexec.Init()` can handle (or return) the errors, so
that logging can be handled more consistently (currently, some some use logrus,
some just print); this would also keep logging out of some packages, as well as
allows us to provide more metadata about the error (which reexec produced the
error for example).

A quick search showed that there's some external consumers of pkg/reexec, so I
kept this for a future discussion / exercise.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 12:52:38 +02:00
Paweł Gronowski
1845a915b0
c8d/import: Don't gc unnamed images
Create dangling images for imported images which don't have a name
annotation attached. Previously the content got loaded, but no image
referencing it was created which caused it to be garbage collected
immediately.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-04-28 09:30:04 +02:00
Tianon Gravi
4597f50deb
Merge pull request #45392 from thaJeztah/filters_inline_and_simplify
inline filters.Args where possible, and use filters.Arg() when constructing
2023-04-27 23:31:59 +00:00
Tianon Gravi
751888979c
Merge pull request #44382 from thaJeztah/client_rewrite
client: defaultHTTPClient() accept URL
2023-04-27 23:27:59 +00:00
Sebastiaan van Stijn
0ffd3225d2
vendor: github.com/opencontainers/runc v1.1.7
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-27 12:19:33 +02:00
Sebastiaan van Stijn
2d0e899819
update runc binary to v1.1.7
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-27 12:17:14 +02:00
Sebastiaan van Stijn
f117aef2ea
Merge pull request #45361 from Flowdalic/do-not-check-for-rt-group-sched
check-config.sh: do not check for RT_GROUP_SCHED
2023-04-27 02:04:11 +02:00
Sebastiaan van Stijn
c80f205f86
Merge pull request #45298 from thaJeztah/pkg_pkatform_cleanup
pkg/platform: cleanup, and deprecate OSType
2023-04-27 02:02:41 +02:00
Sebastiaan van Stijn
31bf00d3ec
Merge pull request #44234 from thaJeztah/resolvconf_refactor_step1
libnetwork/resolvconf: some cleaning up and optimisations
2023-04-27 01:22:40 +02:00