Commit graph

46566 commits

Author SHA1 Message Date
Sebastiaan van Stijn
b38e74c4e0
Merge pull request #47276 from thaJeztah/24.0_backport_bump_runc_1.1.12
[24.0 backport] vendor: github.com/opencontainers/runc v1.1.12
2024-01-31 22:14:37 +01:00
Sebastiaan van Stijn
20e1af3616
vendor: github.com/opencontainers/runc v1.1.12
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.12
- full diff: https://github.com/opencontainers/runc/compare/v1.1.11...v1.1.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b20dccba5e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-31 21:21:21 +01:00
Sebastiaan van Stijn
141ad39e38
Merge pull request #47266 from vvoland/ci-fix-makeps1-templatefail-24
[24.0 backport] hack/make.ps1: Fix go list pattern
2024-01-31 21:02:50 +01:00
Paweł Gronowski
db968c672b
hack/make.ps1: Fix go list pattern
The double quotes inside a single quoted string don't need to be
escaped.
Looks like different Powershell versions are treating this differently
and it started failing unexpectedly without any changes on our side.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ecb217cf69)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-01-31 19:57:19 +01:00
Sebastiaan van Stijn
61c51fbb5a
Merge pull request #47221 from vvoland/pkg-pools-close-noop-24
[24.0 backport] pkg/ioutils: Make subsequent Close attempts noop
2024-01-25 16:38:51 +01:00
Sebastiaan van Stijn
70d91b6799
Merge pull request #47219 from thaJeztah/24.0_backport_gocompat
[24.0 backport] add //go:build directives to prevent downgrading to go1.16 language
2024-01-25 15:40:21 +01:00
Paweł Gronowski
2918d5869c
pkg/ioutils: Make subsequent Close attempts noop
Turn subsequent `Close` calls into a no-op and produce a warning with an
optional stack trace (if debug mode is enabled).

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 585d74bad1)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-01-25 15:24:37 +01:00
Sebastiaan van Stijn
73e729ff16
add more //go:build directives to prevent downgrading to go1.16 language
This is a follow-up to 2cf230951f, adding
more directives to adjust for some new code added since:

Before this patch:

    make -C ./internal/gocompat/
    GO111MODULE=off go generate .
    GO111MODULE=on go mod tidy
    GO111MODULE=on go test -v

    # github.com/docker/docker/internal/sliceutil
    internal/sliceutil/sliceutil.go:3:12: type parameter requires go1.18 or later (-lang was set to go1.16; check go.mod)
    internal/sliceutil/sliceutil.go:3:14: predeclared comparable requires go1.18 or later (-lang was set to go1.16; check go.mod)
    internal/sliceutil/sliceutil.go:4:19: invalid map key type T (missing comparable constraint)

    # github.com/docker/docker/libnetwork
    libnetwork/endpoint.go:252:17: implicit function instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)

    # github.com/docker/docker/daemon
    daemon/container_operations.go:682:9: implicit function instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)
    daemon/inspect.go:42:18: implicit function instantiation requires go1.18 or later (-lang was set to go1.16; check go.mod)

With this patch:

    make -C ./internal/gocompat/
    GO111MODULE=off go generate .
    GO111MODULE=on go mod tidy
    GO111MODULE=on go test -v
    === RUN   TestModuleCompatibllity
        main_test.go:321: all packages have the correct go version specified through //go:build
    --- PASS: TestModuleCompatibllity (0.00s)
    PASS
    ok  	gocompat	0.031s
    make: Leaving directory '/go/src/github.com/docker/docker/internal/gocompat'

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bd4ff31775)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-25 14:39:49 +01:00
Sebastiaan van Stijn
8b38739e3f
add //go:build directives to prevent downgrading to go1.16 language
This repository is not yet a module (i.e., does not have a `go.mod`). This
is not problematic when building the code in GOPATH or "vendor" mode, but
when using the code as a module-dependency (in module-mode), different semantics
are applied since Go1.21, which switches Go _language versions_ on a per-module,
per-package, or even per-file base.

A condensed summary of that logic [is as follows][1]:

- For modules that have a go.mod containing a go version directive; that
  version is considered a minimum _required_ version (starting with the
  go1.19.13 and go1.20.8 patch releases: before those, it was only a
  recommendation).
- For dependencies that don't have a go.mod (not a module), go language
  version go1.16 is assumed.
- Likewise, for modules that have a go.mod, but the file does not have a
  go version directive, go language version go1.16 is assumed.
- If a go.work file is present, but does not have a go version directive,
  language version go1.17 is assumed.

When switching language versions, Go _downgrades_ the language version,
which means that language features (such as generics, and `any`) are not
available, and compilation fails. For example:

    # github.com/docker/cli/cli/context/store
    /go/pkg/mod/github.com/docker/cli@v25.0.0-beta.2+incompatible/cli/context/store/storeconfig.go:6:24: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
    /go/pkg/mod/github.com/docker/cli@v25.0.0-beta.2+incompatible/cli/context/store/store.go:74:12: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)

Note that these fallbacks are per-module, per-package, and can even be
per-file, so _(indirect) dependencies_ can still use modern language
features, as long as their respective go.mod has a version specified.

Unfortunately, these failures do not occur when building locally (using
vendor / GOPATH mode), but will affect consumers of the module.

Obviously, this situation is not ideal, and the ultimate solution is to
move to go modules (add a go.mod), but this comes with a non-insignificant
risk in other areas (due to our complex dependency tree).

We can revert to using go1.16 language features only, but this may be
limiting, and may still be problematic when (e.g.) matching signatures
of dependencies.

There is an escape hatch: adding a `//go:build` directive to files that
make use of go language features. From the [go toolchain docs][2]:

> The go line for each module sets the language version the compiler enforces
> when compiling packages in that module. The language version can be changed
> on a per-file basis by using a build constraint.
>
> For example, a module containing code that uses the Go 1.21 language version
> should have a `go.mod` file with a go line such as `go 1.21` or `go 1.21.3`.
> If a specific source file should be compiled only when using a newer Go
> toolchain, adding `//go:build go1.22` to that source file both ensures that
> only Go 1.22 and newer toolchains will compile the file and also changes
> the language version in that file to Go 1.22.

This patch adds `//go:build` directives to those files using recent additions
to the language. It's currently using go1.19 as version to match the version
in our "vendor.mod", but we can consider being more permissive ("any" requires
go1.18 or up), or more "optimistic" (force go1.21, which is the version we
currently use to build).

For completeness sake, note that any file _without_ a `//go:build` directive
will continue to use go1.16 language version when used as a module.

[1]: 58c28ba286/src/cmd/go/internal/gover/version.go (L9-L56)
[2]: https://go.dev/doc/toolchain

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2cf230951f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-25 14:39:49 +01:00
Akihiro Suda
3205a51dc5
Merge pull request #47206 from thaJeztah/24.0_backport_vendor_runc_1.1.11
[24.0 backport] vendor: github.com/opencontainers/runc v1.1.11
2024-01-25 13:32:42 +09:00
Sebastiaan van Stijn
2c69aba317
vendor: github.com/opencontainers/runc v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fc8fcf85a2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 19:55:19 +01:00
Sebastiaan van Stijn
825d37b4c8
Merge pull request #47203 from thaJeztah/24.0_backport_idtools_preserve_error
[24.0 backport] pkg/idtools: remove sync.Once, and include lookup error
2024-01-24 16:29:48 +01:00
Sebastiaan van Stijn
0bd850e91d
Merge pull request #47054 from thaJeztah/24.0_update_golang_1.20.13
[24.0] update to go1.20.13
2024-01-24 12:09:58 +01:00
Sebastiaan van Stijn
7e8b823636
Merge pull request #47200 from thaJeztah/24.0_backport_test_fixes
[24.0 backport] assorted test- and CI fixes
2024-01-24 11:59:40 +01:00
Sebastiaan van Stijn
f483457e62
pkg/idtools: remove sync.Once, and include lookup error
When running a `docker cp` to copy files to/from a container, the
lookup of the `getent` executable happens within the container's
filesystem, so we cannot re-use the results.

Unfortunately, that also means we can't preserve the results for
any other uses of these functions, but probably the lookup should not
be "too" costly.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b5376c7cec)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 10:30:09 +01:00
Brian Goff
97433635a6
De-flake TestSwarmClusterRotateUnlockKey... again... maybe?
This hopefully makes the test less flakey (or removes any flake that
would be caused by the test itself).

1. Adds tail of cluster daemon logs when there is a test failure so we
   can more easily see what may be happening
2. Scans the daemon logs to check if the key is rotated before
   restarting the daemon. This is a little hacky but a little better
   than assuming it is done after a hard-coded 3 seconds.
3. Cleans up the `node ls` check such that it uses a poll function

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit fbdc02534a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 10:25:12 +01:00
CrazyMax
811585331c
ci(bin-image): fix merge job run condition
All underlying jobs inherit from the status of all parent jobs
in the tree, not just the very parent. We need to apply the same
kind of special condition.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit 0252a6f475)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:57:58 +01:00
CrazyMax
b5b8d18b44
ci: do not run ci workflow on push tag events
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit 1ea1d561c7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:57:57 +01:00
Sebastiaan van Stijn
fa9203d106
quota: increase sparse test-image to 300MB
Starting with [6e0ed3d19c54603f0f7d628ea04b550151d8a262], the minimum
allowed size is now 300MB. Given that this is a sparse image, and
the size of the image is irrelevant to the test (we check for
limits defined through project-quotas, not the size of the
device itself), we can raise the size of this image.

[6e0ed3d19c54603f0f7d628ea04b550151d8a262]: https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/commit/?id=6e0ed3d19c54603f0f7d628ea04b550151d8a262

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9709b7e458)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:57:41 +01:00
Djordje Lukic
9e5b86f647
Use process substitution to redirect to tee
In some cases, when the daemon launched by a test panics and quits, the
cleanup code would end with an error when trying to kill it by its pid.
In those cases the whole suite will end up waiting for the daemon that
we start in .integration-daemon-start to finish and we end up waiting 2
hours for the CI to cancel after a timeout.

Using process substitution makes the integration tests quit.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 3d8b8dc09a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:57:27 +01:00
Sebastiaan van Stijn
d49e068e55
client: TestImageTagInvalidSourceImageName remove invalid test-case
The test considered `Foo/bar` to be an invalid name, with the assumption
that it was `[docker.io]/Foo/bar`. However, this was incorrect, and the
test passed because the reference parsing had a bug; if the first element
(`Foo`) is not lowercase (so not a valid namespace /  "path element"), then
it *should* be considered a domain (as uppercase domain names are valid).

The reference parser did not account for this, and running the test with
a version of the parser with a fix caused the test to fail:

    === Failed
    === FAIL: client TestImageTagInvalidSourceImageName/invalidRepo/FOO/bar (0.00s)
        image_tag_test.go:54: assertion failed: expected error to contain "not a valid repository/tag", got "Error response from daemon: client should not have made an API call"
            Error response from daemon: client should not have made an API call

    === FAIL: client TestImageTagInvalidSourceImageName (0.00s)

This patch removes the faulty test-case.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c243efb0cd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:57:13 +01:00
Sebastiaan van Stijn
aaff302323
integration/tag: Move to client unit test
This test was testing the client-side validation, so might as well
move it there, and validate that the client invalidates before
trying to make an API call.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 3d3ce9812f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:56:40 +01:00
Paweł Gronowski
0269da5c4e
integration/tag: Use subtests and make parallel
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 71da8c13e1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:55:31 +01:00
Djordje Lukic
f928838f31
test: use info from the version endpoint for arch checks
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 84a4f37cf7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:50:19 +01:00
Djordje Lukic
6af38fa650
test/integration: Remove checks for "not arm" in tests
We no longer have any arm (not 64) CI.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 159b168eea)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:48:38 +01:00
Djordje Lukic
40948c0c0e
makefile: use info -f to get the current storage driver
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit ebb9fade23)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 09:45:45 +01:00
Sebastiaan van Stijn
542fc0b225
update to go1.20.13
go1.20.13 (released 2024-01-09) includes fixes to the runtime and the crypto/tls
package. See the Go 1.20.13 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.13+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.12...go1.20.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 02:31:31 +01:00
Sebastiaan van Stijn
4eb67b8666
update buildkit and set ALPINE_VERSION=3.18
full diff: d3e6c1360f...435cb77e36

The 0.11 branch of buildkit defaults to go1.19 (EOL), and
Alpine 3.17 (EOL).

We already set GO_VERSION to override the go version to
use go1.20, but the Dockerfile also has a ALPINE_VERSION
build-arg, so let's override that as well to prevent the
build from failing:

    Dockerfile:39
    --------------------
      37 |
      38 |     # go base image
      39 | >>> FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golatest
      40 |
      41 |     # git stage is used for checking out remote repository sources
    --------------------
    ERROR: failed to solve: golang:1.20.13-alpine3.17: docker.io/library/golang:1.20.13-alpine3.17: not found
    Error: Process completed with exit code 1.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-24 02:31:25 +01:00
Sebastiaan van Stijn
511d1ff9e4
Merge pull request #47097 from thaJeztah/24.0_backport_fix_systemdind_apparmor
[24.0 backport] hack/dind-systemd: make AppArmor work with systemd enabled
2024-01-18 18:36:06 +01:00
Sebastiaan van Stijn
eb6829fbe1
Merge pull request #47098 from thaJeztah/24.0_backport_update_docker_py
[24.0 backport] testing: update docker-py to 7.0.0
2024-01-18 10:35:38 +01:00
Sebastiaan van Stijn
bb380809cf
Merge pull request #47096 from thaJeztah/24.0_backport_bump_containerd_binary
[24.0 backport] update containerd binary to v1.7.12
2024-01-18 10:34:51 +01:00
Akihiro Suda
f1ef52f46b
Merge pull request #47094 from thaJeztah/24.0_backport_bump_golangci_lint
[24.0 backport] update golangci-lint to v1.55.2
2024-01-18 18:11:20 +09:00
Sebastiaan van Stijn
73f189766e
testing: update docker-py to 7.0.0
full diff: https://github.com/docker/docker-py/compare/7.0.0b1...7.0.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b524ed2dda)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:45:44 +01:00
Sebastiaan van Stijn
4b404144d2
Revert "testing: temporarily pin docker-py tests to use "bullseye""
This reverts commit 19d860fa9d.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7786f8512b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:44:18 +01:00
Sebastiaan van Stijn
77127f73e8
testing: update docker-py to 7.0.0b1
https://github.com/docker/docker-py/compare/6.1.3...7.0.0b1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4394c61e6c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:44:02 +01:00
Sebastiaan van Stijn
9322bca5da
testing: update docker-py 6.1.3
full diff: https://github.com/docker/docker-py/compare/6.0.1...6.1.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a9a0ffaf51)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:43:39 +01:00
Sebastiaan van Stijn
31c1dbc320
test-docker-py: skip AttachContainerTest::test_run_container_reading_socket_ws
Tests are failing with this error:

    E   ValueError: scheme http+docker is invalid

Which is reported in docker-py in https://github.com/docker/docker-py/issues/1478.
Not sure what changed in the tests, but could be due to updated Python
version or dependencies, but let's skip it for now.

Test failure:

    ___________ AttachContainerTest.test_run_container_reading_socket_ws ___________
    tests/integration/api_container_test.py:1245: in test_run_container_reading_socket_ws
        pty_stdout = self.client.attach_socket(container, opts, ws=True)
    docker/utils/decorators.py:19: in wrapped
        return f(self, resource_id, *args, **kwargs)
    docker/api/container.py:98: in attach_socket
        return self._attach_websocket(container, params)
    docker/utils/decorators.py:19: in wrapped
        return f(self, resource_id, *args, **kwargs)
    docker/api/client.py:312: in _attach_websocket
        return self._create_websocket_connection(full_url)
    docker/api/client.py:315: in _create_websocket_connection
        return websocket.create_connection(url)
    /usr/local/lib/python3.7/site-packages/websocket/_core.py:601: in create_connection
        websock.connect(url, **options)
    /usr/local/lib/python3.7/site-packages/websocket/_core.py:245: in connect
        options.pop('socket', None))
    /usr/local/lib/python3.7/site-packages/websocket/_http.py:117: in connect
        hostname, port, resource, is_secure = parse_url(url)
    /usr/local/lib/python3.7/site-packages/websocket/_url.py:62: in parse_url
        raise ValueError("scheme %s is invalid" % scheme)
    E   ValueError: scheme http+docker is invalid
    ------- generated xml file: /src/bundles/test-docker-py/junit-report.xml -------

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f6959bc597)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:43:23 +01:00
Sebastiaan van Stijn
e7c3374177
testing: update docker-py 6.0.1
release notes: https://github.com/docker/docker-py/releases/tag/6.0.1

full diff: https://github.com/docker/docker-py/compare/5.0.3...6.0.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e0f171f342)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:40:57 +01:00
Sebastiaan van Stijn
2262f18df9
test-docker-py: remove comment about docker 17.06 limitations
Our dev-container now has buildx installed, so we're no longer
limited to 17.06.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 79a0f82ca1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:37:49 +01:00
Sebastiaan van Stijn
f35f4fd251
hack/dind: update comments around AppArmor
Provide more context to the steps we're doing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 65cfcc28ab)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:32:48 +01:00
Sebastiaan van Stijn
c174407f95
hack/dind-systemd: make AppArmor work with systemd enabled
On bookworm, AppArmor failed to start inside the container, which can be
seen at startup of the dev-container:

    Created symlink /etc/systemd/system/systemd-firstboot.service → /dev/null.
    Created symlink /etc/systemd/system/systemd-udevd.service → /dev/null.
    Created symlink /etc/systemd/system/multi-user.target.wants/docker-entrypoint.service → /etc/systemd/system/docker-entrypoint.service.
    hack/dind-systemd: starting /lib/systemd/systemd --show-status=false --unit=docker-entrypoint.target
    systemd 252.17-1~deb12u1 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -BPF_FRAMEWORK -XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
    Detected virtualization docker.
    Detected architecture x86-64.
    modprobe@configfs.service: Deactivated successfully.
    modprobe@dm_mod.service: Deactivated successfully.
    modprobe@drm.service: Deactivated successfully.
    modprobe@efi_pstore.service: Deactivated successfully.
    modprobe@fuse.service: Deactivated successfully.
    modprobe@loop.service: Deactivated successfully.
    apparmor.service: Starting requested but asserts failed.
    proc-sys-fs-binfmt_misc.automount: Got automount request for /proc/sys/fs/binfmt_misc, triggered by 49 (systemd-binfmt)
    + source /etc/docker-entrypoint-cmd
    ++ hack/make.sh dynbinary test-integration

When checking "aa-status", an error was printed that the filesystem was
not mounted:

    aa-status
    apparmor filesystem is not mounted.
    apparmor module is loaded.

Checking if "local-fs.target" was loaded, that seemed to be the case;

    systemctl status local-fs.target
    ● local-fs.target - Local File Systems
         Loaded: loaded (/lib/systemd/system/local-fs.target; static)
         Active: active since Mon 2023-11-27 10:48:38 UTC; 18s ago
           Docs: man:systemd.special(7)

However, **on the host**, "/sys/kernel/security" has a mount, which was not
present inside the container:

    mount | grep securityfs
    securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)

Interestingly, on `debian:bullseye`, this was not the case either; no
`securityfs` mount was present inside the container, and apparmor actually
failed to start, but succeeded silently:

    mount | grep securityfs
    systemctl start apparmor
    systemctl status apparmor
    ● apparmor.service - Load AppArmor profiles
         Loaded: loaded (/lib/systemd/system/apparmor.service; enabled; vendor preset: enabled)
         Active: active (exited) since Mon 2023-11-27 11:59:09 UTC; 44s ago
           Docs: man:apparmor(7)
                 https://gitlab.com/apparmor/apparmor/wikis/home/
        Process: 43 ExecStart=/lib/apparmor/apparmor.systemd reload (code=exited, status=0/SUCCESS)
       Main PID: 43 (code=exited, status=0/SUCCESS)
            CPU: 10ms

    Nov 27 11:59:09 9519f89cade1 apparmor.systemd[43]: Not starting AppArmor in container

Same, using the `/etc/init.d/apparmor` script:

    /etc/init.d/apparmor start
    Starting apparmor (via systemctl): apparmor.service.
    echo $?
    0

And apparmor was not actually active:

    aa-status
    apparmor module is loaded.
    apparmor filesystem is not mounted.

    aa-enabled
    Maybe - policy interface not available.

After further investigating, I found that the non-systemd dind script
had a mount for AppArmor, which was added in 31638ab2ad

The systemd variant was missing this mount, which may have gone unnoticed
because `debian:bullseye` was silently ignoring this when starting the
apparmor service.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cfb8ca520a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:32:48 +01:00
Sebastiaan van Stijn
fda3acd7a6
update containerd binary to v1.7.12
- full diff: https://github.com/containerd/containerd/compare/v1.7.11...v1.7.12
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.12

Welcome to the v1.7.12 release of containerd!

The twelfth patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

- Fix on dialer function for Windows
- Improve `/etc/group` handling when appending groups
- Update shim pidfile permissions to 0644
- Update runc binary to v1.1.11
- Allow import and export to reference missing content
- Remove runc import
- Update Go version to 1.20.13

Deprecation Warnings

- Emit deprecation warning for `containerd.io/restart.logpath` label usage

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cd1709b0d4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:26:28 +01:00
Sebastiaan van Stijn
293a701da6
update golangci-lint to v1.55.2
- full diff: https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d5a3fccb06)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:20:21 +01:00
Sebastiaan van Stijn
854ca341c0
Merge pull request #47047 from thaJeztah/24.0_backport_bump_rootlesskit
[24.0 backport] Dockerfile: update rootlesskit to v1.1.1, and use tags as reference
2024-01-09 13:28:56 +01:00
Sebastiaan van Stijn
d052b06a73
Dockerfile: update rootlesskit to v1.1.1, and use tags as reference
Commit 0b1c1877c5 updated the version in
hack/dockerfile/install/rootlesskit.installer, but forgot to update the
version in Dockerfile.

Also updating both to use a tag, instead of commit. While it's good to pin by
an immutable reference, I think it's reasonably safe to use the tag, which is
easier to use, and what we do for other binaries, such as runc as well.

Full diff: https://github.com/rootless-containers/rootlesskit/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e27ffdab0f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-09 09:58:47 +01:00
Sebastiaan van Stijn
dfcd445ce6
Merge pull request #47010 from thaJeztah/24.0_backport_bump_runc_binary
[24.0 backport] update runc binary to v1.1.11
2024-01-03 19:12:20 +01:00
Sebastiaan van Stijn
5331e7a65c
update runc binary to v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5fa4cfcabf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 23:43:12 +01:00
Sebastiaan van Stijn
1c9cd6a5f8
Merge pull request #46993 from thaJeztah/24.0_backport_46621-container_wait
[24.0 backport] Ensure that non-JSON-parsing errors are returned to the caller
2023-12-28 19:40:17 +01:00
Stefan Gehrig
083ef6617b
Ensure that non-JSON-parsing errors are returned to the caller
Signed-off-by: Stefan Gehrig <stefan.gehrig.hn@googlemail.com>
Co-authored-by: Cory Snider <corhere@gmail.com>
(cherry picked from commit 0d27579fc7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 14:18:13 +01:00
Sebastiaan van Stijn
4d14c7db67
Merge pull request #46945 from thaJeztah/24.0_backport_gha_fixes
[24.0 backport] ci(bin-image fixes
2023-12-19 10:42:14 +01:00