Commit graph

37437 commits

Author SHA1 Message Date
Sebastiaan van Stijn
b47f177f20
vendor: update buildkit v0.6.4
full diff: 57e8ad5217...v0.6.4

- buildkit#1374 [v0.6] ops: fix deadlock on releasing shared mounts
    - backport of buildkit#1355 ops: fix deadlock on releasing shared mounts
    - fixes buildkit#1322 Deadlock on cache mounts

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-22 12:28:37 +01:00
Sebastiaan van Stijn
1a7d601a15
Merge pull request #40549 from cpuguy83/19.03_stats_use_cond_var
[19.03 backport] Use condition variable to wake stats collector.
2020-02-22 02:29:23 +01:00
Tibor Vass
eee88a2a23
Merge pull request #40551 from thaJeztah/19.03_backport_jenkinsfile_pin_older_windows
[19.03 backport] Jenkinsfile: temporarily pin windows image to 10.0.17763.973
2020-02-21 15:45:04 -08:00
Sebastiaan van Stijn
c694d60364
Jenkinsfile: temporarily pin windows image to 10.0.17763.973
The latest `ltsc2019` image (`10.0.17763.1039`) appear to be broken,
and even a `RUN Write-Host hello` hangs.

Temporarily switching back to an older version so that CI doesn't fail.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fa2417984b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-21 09:25:09 +01:00
Brian Goff
0901d4ab31 Use condition variable to wake stats collector.
Before the collection goroutine wakes up every 1 second (as configured).
This sleep interval is in case there are no stats to collect we don't
end up in a tight loop.

Instead use a condition variable to signal that a collection is needed.
This prevents us from waking the goroutine needlessly when there is no
one looking for stats.

For now I've kept the sleep just moved it to the end of the loop, which
gives some space between collections.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e75e6b0e31)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2020-02-20 11:38:16 -08:00
Sebastiaan van Stijn
75fa1145da
Merge pull request #40490 from thaJeztah/19.03_backport_swagger_document_constraints
[19.03 backport] swagger: document "node.platform.(arch|os)" constraints
2020-02-20 20:31:51 +01:00
Brian Goff
d1cf6d1303
Merge pull request #40540 from thaJeztah/19.03_update_containerd_1.2.13
[19.03] update containerd runtime v1.2.13
2020-02-20 11:18:42 -08:00
Brian Goff
e145add0ef
Merge pull request #40533 from thaJeztah/19.03_update_golang_1.12.17
[19.03] Update Golang 1.12.17
2020-02-20 11:18:02 -08:00
Sebastiaan van Stijn
c6afabf3b3
update containerd runtime v1.2.13
The thirteenth patch release for `containerd` 1.2 fixes a regression introduced
in v1.2.12 that caused container/shim to hang on single core machines, fixes an
issue with blkio, and updates the Golang runtime to 1.12.17.

* Fix container pid race condition
* Update containerd/cgroups dependency to address blkio issue
* Set octet-stream content-type on PUT request
* Pin to libseccomp 2.3.3 to preserve compatibility with hosts that do not have libseccomp 2.4 or higher installed
* Update Golang runtime to 1.12.17, which includes a fix to the runtime

full diff: https://github.com/containerd/containerd/compare/v1.2.12...v1.2.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-18 21:33:19 +01:00
Akihiro Suda
4ac62b478d
Merge pull request #40462 from AkihiroSuda/cherrypick-40210-1903
[19.03 backport] overlay[2]: rm extra checks in init
2020-02-18 18:04:05 +09:00
Sebastiaan van Stijn
55af290462
Update Golang 1.12.17
full diff: https://github.com/golang/go/compare/go1.12.16...go1.12.17

go1.12.17 (released 2020/02/12) includes a fix to the runtime. See the Go 1.12.17
milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.17+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-17 11:55:15 +01:00
Sebastiaan van Stijn
5e23653130
swagger: document "node.platform.(arch|os)" constraints
Support for these constraints was added in docker 1.13.0
(API v1.25), but never documented.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ed439e4a31)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-10 17:04:42 +01:00
Akihiro Suda
130ae89dab
Merge pull request #40460 from AkihiroSuda/cherrypick-40406-1903
[19.03 backport] dockerd-rootless.sh: remove confusing code comment
2020-02-09 04:23:57 +09:00
Kir Kolyshkin
5b6f2e1c59 overlay[2]: rm fs checks
Now that we do check if overlay is working by performing an actual
overlayfs mount, there's no need in extra checks for the kernel version
or the filesystem type. Actual mount check is sufficient.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit e226aea280)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-06 13:18:47 +09:00
Kir Kolyshkin
1b0edb155f Fix/improve overlay support check
Before this commit, overlay check was performed by looking for
`overlay` in /proc/filesystem. This obviously might not work
for rootless Docker (fs is there, but one can't use it as non-root).

This commit changes the check to perform the actual mount, by reusing
the code previously written to check for multiple lower dirs support.

The old check is removed from both drivers, as well as the additional
check for the multiple lower dirs support in overlay2 since it's now
a part of the main check.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 649e4c8889)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-06 13:18:41 +09:00
Kir Kolyshkin
5571ceb5ac overlay: move supportsMultipleLowerDir to utils
This moves supportsMultipleLowerDir() to overlayutils
so it can be used from both overlay and overlay2.

The only changes made were:
 * replace logger with logrus
 * don't use workDirName mergedDirName constants
 * add mnt var to improve readability a bit

This is a preparation for the next commit.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit d5687079ad)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-06 13:18:37 +09:00
Danny Milosavljevic
5e4574526d Use fewer modprobes
Signed-off-by: Danny Milosavljevic <dannym@scratchpost.org>
(cherry picked from commit 074eca1d79)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-06 13:18:23 +09:00
Akihiro Suda
9338d0a6b5 dockerd-rootless.sh: remove confusing code comment
`--userland-proxy-path` is automatically set by dockerd: e6c1820ef5/cmd/dockerd/config_unix.go (L46)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9bd1ae024a)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-02-06 13:08:08 +09:00
Brian Goff
5f6d6f3f22
Merge pull request #40453 from thaJeztah/19.03_bump_containerd
[19.03] update containerd 1.12.12, runc v1.0.0-rc10
2020-02-04 14:05:54 -08:00
Akihiro Suda
d3dab1f618
update runc library to v1.0.0-rc10 (CVE-2019-19921)
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): https://github.com/opencontainers/runc/pull/2207
* Fix exec FIFO race: https://github.com/opencontainers/runc/pull/2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also https://github.com/opencontainers/runc/issues/2209 for the known issues.

Full changes: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Also updates go-selinux: 3a1f366feb...5215b1806f
(See https://github.com/containerd/cri/pull/1383#issuecomment-578227009)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 6d68080907)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 18:41:02 +01:00
Akihiro Suda
3bd1759f80
update runc binary to v1.0.0-rc10 (CVE-2019-19921)
Notable changes:
* Fix CVE-2019-19921 (Volume mount race condition with shared mounts): https://github.com/opencontainers/runc/pull/2207
* Fix exec FIFO race: https://github.com/opencontainers/runc/pull/2185
* Basic support for cgroup v2.  Almost feature-complete, but still missing support for systemd mode in rootless.
  See also https://github.com/opencontainers/runc/issues/2209 for the known issues.

Full changes: https://github.com/opencontainers/runc/compare/v1.0.0-rc9...v1.0.0-rc10

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cd43c1d1ac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 18:41:00 +01:00
Sebastiaan van Stijn
f8cfa7947c
[19.03] Update containerd binary to v1.2.12
full diff: https://github.com/containerd/containerd/compare/v1.2.11...v1.2.12

Welcome to the v1.2.12 release of containerd!

The twelfth patch release for containerd 1.2 includes an updated runc with
a fix for CVE-2019-19921, an updated version of the opencontainers/selinux
dependency, which includes a fix for CVE-2019-16884, an updated version of the
gopkg.in/yaml.v2 dependency to address CVE-2019-11253, and a Golang update.

Notable Updates

- Update the runc vendor to v1.0.0-rc10 which includes a mitigation for CVE-2019-19921.
- Update the opencontainers/selinux which includes a mitigation for CVE-2019-16884.
- Update Golang runtime to 1.12.16, mitigating the CVE-2020-0601 certificate verification
  bypass on Windows, and CVE-2020-7919, which only affects 32-bit architectures.
- Update Golang runtime to 1.12.15, which includes a fix to the runtime (Go 1.12.14,
  Go 1.12.15) and and the net/http package (Go 1.12.15)
- A fix to prevent SIGSEGV when starting containerd-shim containerd/containerd#3960
- Fixes to exec containerd/containerd#3755
    - Prevent docker exec hanging if an earlier docker exec left a zombie process
    - Prevent High system load/CPU utilization with liveness and readiness probes
    - Prevent Docker healthcheck causing high CPU utilization

CRI fixes:

- Update the gopkg.in/yaml.v2 vendor to v2.2.8 with a mitigation for CVE-2019-11253

API

- Fix API filters to properly handle and return parse errors containerd/containerd#3950

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 18:40:40 +01:00
Brian Goff
11665130f9 Merge pull request #40440 from tonistiigi/1903-update-buildkit
[19.03] vendor: update buildkit to ce88aa518
2020-02-04 17:15:20 +00:00
Brian Goff
3ba45cef16 Merge pull request #40432 from thaJeztah/19.03_bump_swarmkit
[19.03] vendor: bump swarmkit 062b694b46c0744d601eebef79f3f7433d808a04
2020-02-04 17:15:19 +00:00
Tonis Tiigi
a836daf6c5 vendor: update buildkit to 57e8ad5
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-02-04 17:15:19 +00:00
Brian Goff
e686f468f7 Merge pull request #40433 from thaJeztah/19.03_bump_golang_1.12.16
[19.03] Update Golang 1.12.16, golang.org/x/crypto (CVE-2020-0601, CVE-2020-7919)
2020-02-04 17:15:19 +00:00
Sebastiaan van Stijn
0dd0af939f [19.03] vendor: bump swarmkit 062b694b46c0744d601eebef79f3f7433d808a04
full diff: f35d9100f2...062b694b46

changes:

- docker/swarmkit#2927 [19.03 backport] Fix leaking subscription contexts
    - backport of docker/swarmkit#2926 Fix leaking log subscription contexts
    - addresses moby/moby#39916 Dockerd eats too much RAM

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 17:15:19 +00:00
Sebastiaan van Stijn
7b575f9813 vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1
full diff: 88737f569e...69ecbb4d6d

Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:

- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b606c8e440)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 17:15:19 +00:00
Sebastiaan van Stijn
acca30055a [19.03] Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)
full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the
CVE-2020-0601 certificate verification bypass on Windows. The other affects only
32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

- X.509 certificate validation bypass on Windows 10
  A Windows vulnerability allows attackers to spoof valid certificate chains when
  the system root store is in use. These releases include a mitigation for Go
  applications, but it’s strongly recommended that affected users install the
  Windows security update to protect their system.
  This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
  This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-02-04 17:15:19 +00:00
Tõnis Tiigi
69098f05cf
Merge pull request #454 from thaJeztah/19.03_backport_lgetxattr_panic
[19.03 backport] Fix possible runtime panic in Lgetxattr
2020-01-23 15:03:16 -08:00
Sebastiaan van Stijn
6949793bb1
Merge pull request #429 from thaJeztah/19.03_backport_windows_1903_fixes
[19.03 backport] bump hcsshim to fix docker build failing on Windows 1903
2020-01-23 20:48:16 +01:00
Sebastiaan van Stijn
c030578fe4
Merge pull request #240 from thaJeztah/19.03_backport_lcowfromscratch
[19.03 backport] LCOW: Fix FROM scratch
2020-01-23 20:30:23 +01:00
Sebastiaan van Stijn
ef7b19365e
Merge pull request #443 from thaJeztah/19.03_backport_health_race
[19.03 backport] Avoid a data race in container/health.go
2020-01-23 20:24:16 +01:00
Sebastiaan van Stijn
c3936abb67
Merge pull request #441 from thaJeztah/19.03_backport_fix_double_host
[19.03 backport] daemon: don't listen on the same address multiple times
2020-01-23 20:23:52 +01:00
Sebastiaan van Stijn
78571e9049
Merge pull request #439 from arkodg/19.03
[19.03] Bump 19.03 libnetwork refpoint
2020-01-23 20:23:38 +01:00
Sebastiaan van Stijn
d2693998a6
Merge pull request #442 from thaJeztah/19.03_backport_errdefs_no_recurse
[19.03 backport] errdefs: remove unneeded recursive calls
2020-01-23 20:23:19 +01:00
Sebastiaan van Stijn
6def98ee7d
Merge pull request #444 from thaJeztah/19.03_backport_fix_unmount_ipc_ignore_enotexist
[19.03 backport] Fix "no such file or directory" warning when unmounting IPC mount
2020-01-23 20:23:02 +01:00
Sebastiaan van Stijn
60220a48b2
Merge pull request #446 from thaJeztah/19.03_backport_ctx_upload_cancel
[19.03 backport] builder-next: close build context upload on cancel
2020-01-23 20:22:41 +01:00
Sebastiaan van Stijn
efe241644b
Merge pull request #447 from thaJeztah/19.03_backport_fix_containerStart_unhandled_error
[19.03 backport] daemon:containerStart() fix unhandled error for saveApparmorConfig
2020-01-23 20:22:20 +01:00
Sebastiaan van Stijn
b645c8c70e
Merge pull request #449 from thaJeztah/19.03_backport_move_windows_gopath_out_of_goroot
[19.03 backport] Move GOPATH out from under the GO source tree
2020-01-23 20:21:56 +01:00
Sebastiaan van Stijn
dda9b3eced
Merge pull request #440 from thaJeztah/19.03_backport_remove_cocky
[19.03 backport] Remove cocky from names-generator
2020-01-23 20:21:27 +01:00
Sebastiaan van Stijn
8270df208b
Merge pull request #448 from thaJeztah/19.03_backport_gofmt_pkg_parsers
[19.03 backport] pkg/parsers/kernel: gofmt hex value (preparation for Go 1.13+)
2020-01-23 20:18:49 +01:00
Sebastiaan van Stijn
facfb9e1b0
Merge pull request #450 from thaJeztah/19.03_backport_bump_docker_py_4.1.0
[19.03 backport] bump docker-py to 4.1.0
2020-01-23 20:15:36 +01:00
Sebastiaan van Stijn
abfed203eb
Merge pull request #451 from thaJeztah/19.03_backport_swagger_fixes
[19.03 backport] assorted swagger / API docs fixes
2020-01-23 20:15:18 +01:00
Sebastiaan van Stijn
e6ba13d3b9
Merge pull request #452 from thaJeztah/19.03_bump_golang_1.12.15
[19.03] Bump Golang 1.12.15
2020-01-23 20:13:40 +01:00
Tibor Vass
bd9e7fca87
Merge pull request #453 from tonistiigi/1903-update-buildkit
[19.03] vendor: update buildkit to 926935b5
2020-01-22 15:04:35 -08:00
Tonis Tiigi
68b270b97c vendor: update buildkit to 926935b5
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-01-21 15:50:25 -08:00
Sebastiaan van Stijn
ec50d8f814
Merge pull request #434 from AkihiroSuda/bump-up-rootlesskit-1903
[19.03 backport] rootless: fix proxying UDP packets
2020-01-20 13:45:29 +01:00
Akihiro Suda
325e889ba3 rootless: fix proxying UDP packets
UDP reply packets were not proxied: https://github.com/rootless-containers/rootlesskit/issues/86

The issue was fixed in RootlessKit v0.7.1: https://github.com/rootless-containers/rootlesskit/pull/87

Full changes since v0.7.0: https://github.com/rootless-containers/rootlesskit/compare/v0.7.0...v0.7.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 658723badd)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-01-20 13:15:51 +09:00
Sebastiaan van Stijn
1984d8064b
Merge pull request #445 from thaJeztah/19.03_backport_only_add_btrfs_when_needed_please
[19.03 backport] Remove btrfs_noversion build tag, no longer needed
2020-01-17 18:29:30 +01:00