Commit graph

46968 commits

Author SHA1 Message Date
Brennan Kinney
c8930105bc fix: Normalize RLIMIT_NOFILE to sensible defaults
During review, it was decided to remove `LimitNOFILE` from `docker.service` to rely on the systemd v240 implicit default of `1024:524288`. On supported platforms with systemd prior to v240, packagers will patch the service with an explicit `LimitNOFILE=1024:524288`.

- `1024` soft limit is an implicit default, avoiding unexpected breakage. Software that needs a higher limit should request to raise the soft limit for its process.
- `524288` hard limit is an implicit default since systemd v240 and is adequate for most processes (_half of the historical limit from `fs.nr_open` of `1048576`_), while 4096 is the implicit default from the kernel (often too low). Individual containers can be started with `--ulimit` when a larger hard limit is required.
- The hard limit may not exceed `fs.nr_open` (_which a value of `infinity` will resolve to_). On most systems with systemd v240 or newer, this will resolve to an excessive size of 2^30 (over 1 billion).
- When set to `infinity` (usually as the soft limit) software may experience significantly increased resource usage, resulting in a performance regression or runtime failures that are difficult to troubleshoot.
- OpenRC's current config approach lacks support for different soft/hard limits being set as it adjusts additional limits and `ulimit` does not support mixed usage of `-H` + `-S`. A soft limit of `524288` is not ideal, but 2^19 is much less overhead than 2^30, whilst a hard limit of 4096 would be problematic for Docker.

Signed-off-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
2023-08-07 12:37:14 +12:00
Brian Goff
b1c112d35e
Merge pull request #46157 from vvoland/pkg-plugins-racy 2023-08-05 10:46:00 -07:00
Paweł Gronowski
0034a98eb1
pkg/plugins: Guard storage and unparallel racy tests
These tests were made parallel to speed up the execution, but this
turned out to be flaky, because they mutate some shared state.

The tests use the shared `storage` variable without any synchronization.
However, adding synchronization is not enough in all cases, some tests
register the same plugin, so they can't be run in parallel to each
other.

This commit adds synchronization around the `storage` variable
modification and removes parallel execution from the tests where that's not enough.

Before:
```
$ go test -race -v . -count 1
...
--- FAIL: TestGet (15.02s)
    --- FAIL: TestGet/not_implemented (0.00s)
        testing.go:1446: race detected during execution of test
    testing.go:1446: race detected during execution of test
FAIL
FAIL    github.com/docker/docker/pkg/plugins    17.655s
FAIL
```

After:
```
$ go test -race -v . -count 1
ok      github.com/docker/docker/pkg/plugins    32.702s
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-04 11:22:41 +02:00
Brian Goff
eb3ace962d
Merge pull request #46130 from vvoland/ci-mobybin-sha 2023-08-03 11:25:49 -07:00
Brian Goff
25be5c9cfc
Merge pull request #46133 from thaJeztah/client_cleanup 2023-08-03 09:38:22 -07:00
Sebastiaan van Stijn
01a9c5b70e
Merge pull request #46144 from akerouanton/verifyNetworkingConfig-unneeded-error-wrapping
daemon: Remove unneeded error wrapping in verifyNetworkingConfig
2023-08-03 12:54:39 +02:00
Albin Kerouanton
f3e62199ea
daemon: Remove unneeded error wrapping in verifyNetworkingConfig
This function is called by `daemon.containerCreate()` which is already
wrapping errors coming from `verifyNetworkingConfig()` with
`errdefs.InvalidParameter()`. So `verifyNetworkingConfig()` should only
return standard errors.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-08-03 11:21:52 +02:00
Paweł Gronowski
d7a9f15775
bakefile: Remove default value of DOCKER_GITCOMMIT
"HEAD" will still be used as a version if no DOCKER_COMMIT is provided
(for example when not running via `make`), but it won't prevent it being
set to the GITHUB_SHA variable when it's present.

This should fix `Git commit` reported by `docker version` for the
binaries generated by `moby-bin`.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-03 10:23:05 +02:00
Sebastiaan van Stijn
f576f568a3
Merge pull request #46055 from thaJeztah/daemon_cleanup_buildCreateEndpointOptions
daemon: cleanup buildCreateEndpointOptions
2023-08-02 19:49:26 +02:00
Sebastiaan van Stijn
9249e0b3f8
Merge pull request #46143 from thaJeztah/nonderscore
docs/api: remove stray underscore in version-history.md
2023-08-02 16:34:52 +02:00
Sebastiaan van Stijn
07f2df69c7
daemon: buildCreateEndpointOptions: minor nits
- store network.Name() in a variable to reduce repeatedly locking/unlocking
  of the network (although this is very, very minimal in the grand scheme
  of things).
- un-wrap long conditions
- ever so slightly optimise some conditions by changing the order of checks.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 16:12:36 +02:00
Sebastiaan van Stijn
5158a33f15
daemon: buildCreateEndpointOptions: use range when looping
Makes the code slightly more readable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:44 +02:00
Sebastiaan van Stijn
1c6dae1291
daemon: buildCreateEndpointOptions: don't use PortBinding.GetCopy()
This code was initializing a new PortBinding, and creating a deep copy
for each binding. It's unclear what the intent was here, but at least
PortBinding.GetCopy() wasn't adding much value, as it created a new
PortBinding, [copying all values from the original][1], which includes
a [copy of IPAddresses in it][2]. Our original "template" did not have any
of that, so let's forego that, and just create new PortBindings as we go.

[1]: 454b6a7cf5/libnetwork/types/types.go (L110-L120)
[2]: 454b6a7cf5/libnetwork/types/types.go (L236-L244)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:44 +02:00
Sebastiaan van Stijn
cc79024761
daemon: buildCreateEndpointOptions: remove intermediate vars
These were not adding much, so just getting rid of them. Also added a
TODO to move this code to the type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:43 +02:00
Sebastiaan van Stijn
45de99aa06
daemon: buildCreateEndpointOptions: don't parse empty vip
Also keep network.ID() in a local variable to prevent locking the network
twice.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:43 +02:00
Sebastiaan van Stijn
7d429125d2
daemon: buildCreateEndpointOptions: move vars to where they're used
Move variables closer to where they're used instead of defining them all
at the start of the function.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:43 +02:00
Sebastiaan van Stijn
6ce92aa523
daemon: buildCreateEndpointOptions: skip getPortMapInfo() if not needed
`getPortMapInfo` does many things; it creates a copy of all the sandbox
endpoints, gets the driver, endpoints, and network from store, and creates
port-bindings for all exposed and mapped ports.

We should look into whether we can create a more minimal implementation for this
purpose, but in the meantime, let's prevent it being called if we don't
need it by making it the second condition in the check.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:43 +02:00
Sebastiaan van Stijn
9e9a17950a
daemon: FindNetwork: minor cleanups
- don't initialize slices; it's not needed to append to them
- store network-ID in a var to prevent repeated lock/unlocking in nw.ID()

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 14:40:43 +02:00
Sebastiaan van Stijn
0eea8d69b2
Merge pull request #46052 from thaJeztah/refactor_buildNetworkResource
daemon: refactor buildNetworkResource
2023-08-02 14:40:16 +02:00
Sebastiaan van Stijn
9bd2b7e7af
Merge pull request #46138 from akerouanton/integration-run-attach
integration: Add RunAttach helper
2023-08-02 13:45:28 +02:00
Albin Kerouanton
5bd8aa5246
integration: Add RunAttach helper
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-08-02 10:23:32 +02:00
Albin Kerouanton
d7fb4dd170
integration: Extract stream demultiplexing from container.Exec
The original code in container.Exec was potentially leaking the copy
goroutine when the context was cancelled or timed out. The new
`demultiplexStreams()` function won't return until the goroutine has
finished its work, and to ensure that it takes care of closing the
hijacked connection.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-08-02 10:23:31 +02:00
Sebastiaan van Stijn
584f016e99
docs/api: remove stray underscore in version-history.md
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-02 09:12:19 +02:00
Akihiro Suda
0ac039f979
Merge pull request #46139 from thaJeztah/update_go1.20.7
update to go1.20.7
2023-08-02 14:49:29 +09:00
Sebastiaan van Stijn
d5cb7cdeae
update to go1.20.7
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fix following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:46:01 +02:00
Sebastiaan van Stijn
69c9adb7d3
Merge pull request #45925 from thaJeztah/deprecate_is_automated
api: search: deprecate is_automated field, and is-automated filter
2023-08-01 16:27:00 +02:00
Sebastiaan van Stijn
fced566714
client: move resolveTLSConfig to a Client.tlsConfig()
This makes it slightly clearer what it does, as "resolve" may give the
impression it's doing more than just returning the TLS config configured
for the client.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 16:20:22 +02:00
Sebastiaan van Stijn
47af265234
client: Dialer: inline fallbackDial
fallbackDial was only used in a single place, and it was defined far away
from where it's used, so let's inline it, so that it's clear at a glance
what we're doing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 16:20:18 +02:00
Sebastiaan van Stijn
74d9850bb9
client/buildkit: ClientOpts: update docs to use doc-links, and inline
inline the closures, and update the GoDoc to use doc-links to the related
buildkit function.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 16:19:36 +02:00
Sebastiaan van Stijn
a1202648ff
Merge pull request #46100 from thaJeztah/libnetwork_var_collide
libnetwork: rename vars that collided with builtin and type
2023-08-01 15:59:04 +02:00
Sebastiaan van Stijn
8d482accd1
Merge pull request #46123 from thaJeztah/log_the_log
swap logrus types for their containerd/logs aliases
2023-08-01 14:38:39 +02:00
Sebastiaan van Stijn
971083d419
api: search: deprecate is_automated field, and is-automated filter
The is-automated field is being deprecated by Docker Hub's search API,
and will always be set to "false" in future.

This patch deprecates the field and related filter for the Engine's API.

In future, the `is-automated` filter will no longer yield any results
when searching for `is-automated=true`, and will be ignored when
searching for `is-automated=false`.

Given that this field is deprecated by an external API, the deprecation
will not be versioned, and will apply to any API version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 13:45:44 +02:00
Sebastiaan van Stijn
5e2a1195d7
swap logrus types for their containerd/logs aliases
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 13:02:55 +02:00
Sebastiaan van Stijn
39a13456c1
Merge pull request #46109 from thaJeztah/windows_remove_discoverapi
libnetwork/driver: remove discoverAPI from Windows and Windows overlay
2023-08-01 10:51:56 +02:00
Sebastiaan van Stijn
2f17d5fa8f
Merge pull request #46122 from thaJeztah/fix_daemon_integration_test
Fix TestDaemonProxy integration tests
2023-08-01 10:22:02 +02:00
Sebastiaan van Stijn
95bbbc0418
Merge pull request #46110 from thaJeztah/libnetwork_dead_code
libnetwork: remove some dead code, and un-export internal functions
2023-08-01 00:57:34 +02:00
Sebastiaan van Stijn
97daeb0020
Merge pull request #46131 from akerouanton/libnet-bridge-errors
Improve libnet/d/bridge errors
2023-08-01 00:15:21 +02:00
Brian Goff
1a51898d2e
TestDaemonProxy: use new scanners to check logs
Also fixes up some cleanup issues.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 00:13:50 +02:00
Brian Goff
476e788090
Fix daemon proxy test for "reload sanitized"
I noticed this was always being skipped because of race conditions
checking the logs.

This change adds a log scanner which will look through the logs line by
line rather than allocating a big buffer.
Additionally it adds a `poll.Check` which we can use to actually wait
for the desired log entry.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 00:11:28 +02:00
Albin Kerouanton
e2d400bea9
libnet/d/bridge: Inline InvalidLinkIPAddrError
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-31 21:33:02 +02:00
Albin Kerouanton
6df4a00bb9
libnet/d/bridge: Remove pointless BadRequestError impl
IPv4AddrNoMatchError and IPv6AddrNoMatchError are currently implementing
BadRequestError. They are returned in two cases, and none are due to a
bad user request:

- When calling daemon's CreateNetwork route, if the bridge's IPv4
  address or none of the bridge's IPv6 addresses match what's requested.
  If that happens, there's a big issue somewhere in libnetwork or the
  kernel.
- When restoring a network, for the same reason. In that case, the
  on-disk state drifted from the interface state.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-31 21:32:00 +02:00
Albin Kerouanton
7c13985fa1
libnet/d/bridge: Inline InvalidIPTablesCfgError
This error can only be reached because of an error in our code, so it's
not a "bad user request". As it's never type asserted, no need to keep
it around.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-31 21:30:46 +02:00
Albin Kerouanton
d8f42ee21a
libnet/d/bridge: Inline IPTableCfgError
This error is only used in defensive checks whereas the precondition is
already checked by the caller. If we reach it, we messed something else. So
it's definitely not a BadRequest. Also, it's not type asserted anywhere,
so just inline it.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-07-31 21:30:20 +02:00
Sebastiaan van Stijn
a40d00c421
libnetwork: remove ErrDataStoreNotInitialized
It was not used as a sentinel error, so inline the error.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:33 +02:00
Sebastiaan van Stijn
66b379785e
libnetwork: remove unused InvalidContainerIDError
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:33 +02:00
Sebastiaan van Stijn
d8cd4f6421
libnetwork: remove unused UnknownEndpointError
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:33 +02:00
Sebastiaan van Stijn
fc5c16f491
libnetwork: remove unused NetworkTypeError
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:33 +02:00
Sebastiaan van Stijn
e9f1888560
libnetwork: remove unused ErrInvalidConfigFile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:32 +02:00
Sebastiaan van Stijn
eadaaa7f79
libnetwork: remove unused ErrNoContainer
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:32 +02:00
Sebastiaan van Stijn
99ab11bb90
libnetwork: remove unused ErrInvalidJoin
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-31 21:00:32 +02:00