Commit graph

46512 commits

Author SHA1 Message Date
Akihiro Suda
15bd07b4fd
update runc binary to v1.1.9
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit b039bbc678)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-14 17:34:23 +02:00
Luboslav Pivarc
cc39fb9f6b
Integration test for capabilities
Verify non-root containers are able to use file
capabilities.

Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Co-authored-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 42fa7a1951)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:28:00 +02:00
Luboslav Pivarc
bf2b8a05a0
Do not drop effective&permitted set
Currently moby drops ep sets before the entrypoint is executed.
This does mean that with combination of no-new-privileges the
file capabilities stop working with non-root containers.
This is undesired as the usability of such containers is harmed
compared to running root containers.

This commit therefore sets the effective/permitted set in order
to allow use of file capabilities or libcap(3)/prctl(2) respectively
with combination of no-new-privileges and without respectively.

For no-new-privileges the container will be able to obtain capabilities
that are requested.

Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 3aef732e61)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:26:45 +02:00
Bjorn Neergaard
e67f9dadc6
hack/make/.binary: use with-go-mod.sh
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit a972dbd682)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:21:31 +02:00
Kevin Alvarez
314b84b023
hack: enable Go modules when building dockerd and docker-proxy
This is a workaround to have buildinfo with deps embedded in the
binary. We need to create a go.mod file before building with
-modfile=vendor.mod, otherwise it fails with:
"-modfile cannot be used to set the module root directory."

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 7665feeb52)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:21:31 +02:00
Bjorn Neergaard
72947f5022
hack: use Git-free ROOTDIR convention
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 5563b09ac2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:21:31 +02:00
Sebastiaan van Stijn
7e7bc0f1bc
vendor: github.com/containerd/containerd v1.6.22
- full diff: https://github.com/containerd/containerd/compare/v1.6.21...v1.6.22
- release notes: https://github.com/containerd/containerd/releases/tag/v1.6.22

---

Notable Updates

- RunC: Update runc binary to v1.1.8
- CRI: Fix `additionalGids`: it should fallback to `imageConfig.User`
  when `securityContext.RunAsUser`, `RunAsUsername` are empty
- CRI: Write generated CNI config atomically
- Fix concurrent writes for `UpdateContainerStats`
- Make `checkContainerTimestamps` less strict on Windows
- Port-Forward: Correctly handle known errors
- Resolve `docker.NewResolver` race condition
- SecComp: Always allow `name_to_handle_at`
- Adding support to run hcsshim from local clone
- Pinned image support
- Runtime/V2/RunC: Handle early exits w/o big locks
- CRITool: Move up to CRI-TOOLS v1.27.0
- Fix cpu architecture detection issue on emulated ARM platform
- Task: Don't `close()` io before `cancel()`
- Fix panic when remote differ returns empty result
- Plugins: Notify readiness when registered plugins are ready
- Unwrap io errors in server connection receive error handling

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4d674897f3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:09:39 +02:00
Sebastiaan van Stijn
5f0df8c534
vendor github.com/containerd/ttrpc v1.1.2
full diff: https://github.com/containerd/ttrpc/compare/v1.1.1...v1.1.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 22:08:44 +02:00
Sebastiaan van Stijn
25b709df48
windows: fix --register-service when executed from within binary directory
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows.

This issue was not limited to the go command itself, and could also affect binaries
that use `os.Command`, `os.LookPath`, etc.

From the related blogpost (https://blog.golang.org/path-security):

> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing

At the time of the go1.15 release, the Go team considered changing the behavior of
`os.LookPath()` and `exec.LookPath()` to be a breaking change, and made the
behavior "opt-in" by providing the `golang.org/x/sys/execabs` package as a
replacement.

However, for the go1.19 release, this changed, and the default behavior of
`os.LookPath()` and `exec.LookPath()` was changed. From the release notes:
https://go.dev/doc/go1.19#os-exec-path

> Command and LookPath no longer allow results from a PATH search to be found
> relative to the current directory. This removes a common source of security
> problems but may also break existing programs that depend on using, say,
> exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe)
> in the current directory. See the os/exec package documentation for information
> about how best to update such programs.
>
> On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath
> environment variable, making it possible to disable the default implicit search
> of “.” in PATH lookups on Windows systems.

A result of this change was that registering the daemon as a Windows service
no longer worked when done from within the directory of the binary itself:

    C:\> cd "Program Files\Docker\Docker\resources"
    C:\Program Files\Docker\Docker\resources> dockerd --register-service
    exec: "dockerd": cannot run executable found relative to current directory

Note that using an absolute path would work around the issue:

    C:\Program Files\Docker\Docker>resources\dockerd.exe --register-service

This patch changes `registerService()` to use `os.Executable()`, instead of
depending on `os.Args[0]` and `exec.LookPath()` for resolving the absolute
path of the binary.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3e8fda0a70)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 21:58:08 +02:00
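The behaviour described in the commit above, reproduced as an added example (not code from the moby repository). It assumes Go 1.19 or later; the helper names, the file name `prog` and the temporary directory are hypothetical and constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
)

// lookupInDot builds a constructed scenario: an executable called name in a
// temporary directory that is both the working directory and the only PATH
// entry. It returns what exec.LookPath reports for the bare name.
func lookupInDot(name string) (string, error) {
	if runtime.GOOS == "windows" {
		name += ".exe"
	}
	dir, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	// The file is only looked up, never executed.
	if err := os.WriteFile(filepath.Join(dir, name), []byte("#!/bin/sh\n"), 0o755); err != nil {
		return "", err
	}
	oldWd, err := os.Getwd()
	if err != nil {
		return "", err
	}
	oldPath := os.Getenv("PATH")
	defer os.Setenv("PATH", oldPath) // restore the caller's environment
	defer os.Chdir(oldWd)            // leave the temp dir before it is removed
	if err := os.Chdir(dir); err != nil {
		return "", err
	}
	if err := os.Setenv("PATH", "."); err != nil {
		return "", err
	}
	return exec.LookPath(name)
}

// refusedAsDot reports whether a lookup failed because the match was only
// found relative to the current directory (exec.ErrDot, Go 1.19 and later).
func refusedAsDot(err error) bool {
	return errors.Is(err, exec.ErrDot)
}

// selfPath resolves the running binary without any PATH search, which is the
// approach the commit message describes for registerService().
func selfPath() (string, error) {
	return os.Executable()
}

func main() {
	p, err := lookupInDot("prog")
	fmt.Printf("LookPath: path=%q refused=%v err=%v\n", p, refusedAsDot(err), err)
	self, err := selfPath()
	fmt.Printf("os.Executable: path=%q abs=%v err=%v\n", self, filepath.IsAbs(self), err)
}
```

`exec.LookPath` still returns the relative path alongside the error, so callers that ignore the error keep the old, unsafe behaviour; checking with `errors.Is(err, exec.ErrDot)` is what separates a refused lookup from a missing binary.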
Albin Kerouanton
b7d1e98ae7
libnet/d/bridge: Allow IPv6 ICC from any IP address
IPv6 ipt rules are exactly the same as IPv4 rules, although both
protocols don't use the same networking model. This has bad consequences,
for instance: 1. the current v6 rules disallow Neighbor
Solicitation/Advertisement; 2. multicast addresses can't be used; 3.
link-local addresses are blocked too.

To solve this, this commit changes the following rules:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64 -i br-21502e5b2c6c -j DROP
```

into:

```
-A DOCKER-ISOLATION-STAGE-1 ! -s fdf1:a844:380c:b247::/64 ! -i br-21502e5b2c6c   -o br-21502e5b2c6c -j DROP
-A DOCKER-ISOLATION-STAGE-1 ! -d fdf1:a844:380c:b247::/64   -i br-21502e5b2c6c ! -o br-21502e5b2c6c -j DROP
```

These rules only limit the traffic ingressing/egressing the bridge, but
not traffic between veth on the same bridge.

Note that the kernel takes care of dropping invalid IPv6 packets, e.g.
loopback spoofing, thus these rules don't need to be more specific.

Solve #45460.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
(cherry picked from commit da9e44a620)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 21:53:40 +02:00
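The effect of the rule change in the commit above, as an added example (not code from libnetwork): a small matcher for the four quoted rules, evaluated on constructed packets. The type and function names are hypothetical, and the model assumes that traffic between two veths on the same bridge is seen with both `-i` and `-o` equal to the bridge.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet holds the fields the quoted DOCKER-ISOLATION-STAGE-1 rules match on.
type Packet struct {
	Src, Dst netip.Addr
	In, Out  string // ingress and egress interface
}

// Rule models one "-j DROP" rule; a zero prefix or empty string means the
// corresponding match is absent from the rule.
type Rule struct {
	NotSrc, NotDst netip.Prefix // "! -s" and "! -d"
	In, Out        string       // "-i" and "-o"
	NotIn, NotOut  string       // "! -i" and "! -o"
}

func (r Rule) matches(p Packet) bool {
	if r.NotSrc.IsValid() && r.NotSrc.Contains(p.Src) {
		return false
	}
	if r.NotDst.IsValid() && r.NotDst.Contains(p.Dst) {
		return false
	}
	if (r.In != "" && p.In != r.In) || (r.Out != "" && p.Out != r.Out) {
		return false
	}
	if (r.NotIn != "" && p.In == r.NotIn) || (r.NotOut != "" && p.Out == r.NotOut) {
		return false
	}
	return true
}

// Dropped reports whether any rule in the chain drops the packet.
func Dropped(chain []Rule, p Packet) bool {
	for _, r := range chain {
		if r.matches(p) {
			return true
		}
	}
	return false
}

const br = "br-21502e5b2c6c"

var (
	subnet   = netip.MustParsePrefix("fdf1:a844:380c:b247::/64")
	oldRules = []Rule{{NotSrc: subnet, Out: br}, {NotDst: subnet, In: br}}
	newRules = []Rule{
		{NotSrc: subnet, NotIn: br, Out: br},
		{NotDst: subnet, In: br, NotOut: br},
	}
	// Constructed sample packets (addresses other than the subnet are made up).
	neighborSolicit = Packet{netip.MustParseAddr("fdf1:a844:380c:b247::2"),
		netip.MustParseAddr("ff02::1:ff00:3"), br, br}
	linkLocalICC = Packet{netip.MustParseAddr("fe80::42:acff:fe11:2"),
		netip.MustParseAddr("fe80::42:acff:fe11:3"), br, br}
	outsideIn = Packet{netip.MustParseAddr("2001:db8::1"),
		netip.MustParseAddr("fdf1:a844:380c:b247::2"), "eth0", br}
)

// Verdicts returns whether the old and the new rule set drop the packet.
func Verdicts(p Packet) (oldDrop, newDrop bool) {
	return Dropped(oldRules, p), Dropped(newRules, p)
}

func main() {
	for name, p := range map[string]Packet{"neighbor solicitation": neighborSolicit,
		"link-local ICC": linkLocalICC, "from outside the bridge": outsideIn} {
		o, n := Verdicts(p)
		fmt.Printf("%-24s old drop=%-5v new drop=%v\n", name, o, n)
	}
}
```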
Sebastiaan van Stijn
c370341900
Merge pull request #46179 from vvoland/windows-unskip-kill-tests-24
[24.0 backport] integration/windows: Unskip some kill tests
2023-08-09 18:12:08 +02:00
Sebastiaan van Stijn
ea0a6f7c33
Merge pull request #46177 from vvoland/hack-integrationcli-dont-failfast-24
[24.0 backport] hack/test: Don't fail-fast before integration-cli
2023-08-09 17:39:29 +02:00
Paweł Gronowski
749e687e1b
integration/windows: Unskip some kill tests
Unskip:
- TestKillWithStopSignalAndRestartPolicies
- TestKillStoppedContainer

integration tests on Windows.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit dd1c95edcd)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-09 14:29:06 +02:00
Paweł Gronowski
128838227e
hack/test: Don't fail-fast before integration-cli
If TEST_INTEGRATION_FAIL_FAST is not set, run the integration-cli tests
even if integration tests failed.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 6841a53d17)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-08-09 14:22:09 +02:00
Sebastiaan van Stijn
8895c32ba9
Merge pull request #46134 from thaJeztah/24.0_backport_fix_daemon_integration_test
[24.0 backport] Improve test daemon logging, and fix TestDaemonProxy integration tests
2023-08-04 18:06:26 +02:00
Akihiro Suda
00e46f85f6
Merge pull request #46140 from thaJeztah/24.0_backport_update_go1.20.7
[24.0 backport] update to go1.20.7
2023-08-02 14:49:45 +09:00
Sebastiaan van Stijn
b7c5385b81
update to go1.20.7
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d5cb7cdeae)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:47:48 +02:00
Sebastiaan van Stijn
ba9875c2f5
Merge pull request #46120 from thaJeztah/24.0_backport_bump_gotest_tools
[24.0 backport] vendor: gotest.tools/v3 v3.5.0
2023-08-01 16:27:57 +02:00
Brian Goff
4cd50eb1ed
TestDaemonProxy: use new scanners to check logs
Also fixes up some cleanup issues.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1a51898d2e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 13:24:22 +02:00
Brian Goff
a49bca97df
Fix daemon proxy test for "reload sanitized"
I noticed this was always being skipped because of race conditions
checking the logs.

This change adds a log scanner which will look through the logs line by
line rather than allocating a big buffer.
Additionally it adds a `poll.Check` which we can use to actually wait
for the desired log entry.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 476e788090)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 13:24:21 +02:00
Brian Goff
d6536d44e9
TestDaemonProxy: check proxy settings early
Allows tests to report their proxy settings for easier troubleshooting
on failures.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 8197752d68)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 13:24:21 +02:00
Brian Goff
a6f8e97342
Improve test daemon logging
1. On failed start tail the daemon logs
2. Exposes generic tailing functions to make test debugging simpler

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 914888cf8b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 13:23:58 +02:00
Sebastiaan van Stijn
2ef88a3cbf
Merge pull request #46115 from thaJeztah/24.0_backport_fix_filter_errors
[24.0 backport] api/types/filters: fix errors not being matched by errors.Is()
2023-08-01 10:22:48 +02:00
Akihiro Suda
e426ae045b
Merge pull request #46103 from thaJeztah/24.0_backport_update_containerd_binary_1.7.3
[24.0 backport] update containerd binary to v1.7.3
2023-07-30 11:05:33 +09:00
Sebastiaan van Stijn
6be708aa7d
vendor: gotest.tools/v3 v3.5.0
- go.mod: update dependencies and go version by
- Use Go1.20
- Fix couple of typos
- Added `WithStdout` and `WithStderr` helpers
- Moved `cmdOperators` handling from `RunCmd` to `StartCmd`
- Deprecate `assert.ErrorType`
- Remove outdated Dockerfile
- add godoc links

full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.4.0...v3.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ce053a14aa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-29 20:53:54 +02:00
Sebastiaan van Stijn
b6568d2dd5
api/types/filters: fix errors not being matched by errors.Is()
I found that the errors returned weren't matched with `errors.Is()` when
wrapped.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 490fee7d45)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-29 16:25:07 +02:00
Sebastiaan van Stijn
02241b05fc
update containerd binary to v1.7.3
- full diff: https://github.com/containerd/containerd/compare/v1.7.2...v1.7.3
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.3

----

Welcome to the v1.7.3 release of containerd!

The third patch release for containerd 1.7 contains various fixes and updates.

Notable Updates

- RunC: Update runc binary to v1.1.8
- CRI: Fix `additionalGids`: it should fallback to `imageConfig.User`
  when `securityContext.RunAsUser`,`RunAsUsername` are empty
- CRI: write generated CNI config atomically
- Port-Forward: Correctly handle known errors
- Resolve docker.NewResolver race condition
- Fix `net.ipv4.ping_group_range` with userns
- Runtime/V2/RunC: handle early exits w/o big locks
- SecComp: always allow `name_to_handle_at`
- CRI: Windows Pod Stats: Add a check to skip stats for containers that
  are not running
- Task: don't `close()` io before cancel()
- Remove CNI conf_template deprecation
- Fix issue for HPC pod metrics

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bf48d3ec29)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 13:24:19 +02:00
Sebastiaan van Stijn
3a6899c6fd
update containerd binary to v1.7.2
- full diff: https://github.com/containerd/containerd/compare/v1.7.1...v1.7.2
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.2

----

Welcome to the v1.7.2 release of containerd!

The second patch release for containerd 1.7 includes enhancements to CRI
sandbox mode, Windows snapshot mounting support, and CRI and container IO
bug fixes.

CRI/Sandbox Updates

- Publish sandbox events
- Make stats respect sandbox's platform

Other Notable Updates

- Mount snapshots on Windows
- Notify readiness when registered plugins are ready
- Fix `cio.Cancel()` should close pipes
- CDI: Use CRI `Config.CDIDevices` field for CDI injection

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a78381c399)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 13:24:18 +02:00
Sebastiaan van Stijn
77e2d29b8a
Merge pull request #46095 from vvoland/c8d-refreshimage-refactor-24
[24.0 backport] daemon/list: Refactor refreshImage and make `readConfig` return errdefs
2023-07-28 13:11:43 +02:00
Sebastiaan van Stijn
9e5726d3de
Merge pull request #46097 from vvoland/c8d-missing-config-24
[24.0 backport] c8d/container: Follow snapshot parents for size calculation
2023-07-28 11:50:19 +02:00
Paweł Gronowski
7927cae910
c8d/container: Follow snapshot parents for size calculation
Refactor GetContainerLayerSize to calculate unpacked image size only by
following the snapshot parent tree directly instead of following it by
using diff ids from image config.

This works even if the original manifest/config used to create that
container is no longer present in the content store.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 4d8e3f54cc)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-28 10:30:54 +02:00
Paweł Gronowski
45ba926c6d
daemon/list: Drop unused arg from containerReducer
refreshImage is the only function used as a reducer and it doesn't use
the `filter *listContext`.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 13180c1c49)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-28 10:21:04 +02:00
Paweł Gronowski
6c4121a943
daemon/list: Refactor refreshImage
Add context comments and make it a bit more readable.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 68991ae240)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-28 10:21:00 +02:00
Paweł Gronowski
fcb68e55fa
daemon/list: Replace ErrImageDoesNotExist check
Check for generic `errdefs.NotFound` rather than specific error helper
struct when checking if the error is caused by the image not being
present.
It still works for `ErrImageDoesNotExist` because it
implements the NotFound errdefs interface too.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 5a39bee635)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-28 09:49:06 +02:00
Paweł Gronowski
3029f554cc
c8d/readConfig: Translate c8d NotFound to errdefs
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 7379d18018)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-28 09:49:02 +02:00
Sebastiaan van Stijn
b76ffecee8
Merge pull request #46061 from vvoland/integration-no-fail-fast-24
[24.0 backport] hack/integration: Add TEST_INTEGRATION_FAIL_FAST
2023-07-24 20:54:12 +02:00
Bjorn Neergaard
96a2b214cb
Merge pull request #46045 from thaJeztah/24.0_backport_bump_buildkit_0.11
[24.0 backport] vendor: github.com/moby/buildkit v0.11.7-dev
2023-07-24 09:27:46 -06:00
Paweł Gronowski
35a8b00b18
hack/integration: Add TEST_INTEGRATION_FAIL_FAST
Before this change, integration test would fail fast and not execute all
test suites when one suite fails.
Change this behavior into opt-in enabled by TEST_INTEGRATION_FAIL_FAST
variable.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 48cc28e4ef)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-24 17:05:44 +02:00
Sebastiaan van Stijn
fed26d5b3c
vendor: github.com/moby/buildkit v0.11.7-dev
full diff: 0a15675913...616c3f613b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0ec73a7892)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-24 16:14:03 +02:00
Bjorn Neergaard
a61e2b4c9c
Merge pull request #46044 from neersighted/init_cleanup_24.0
[24.0 backport] Upstart & sysvinit cleanup
2023-07-21 12:06:26 -06:00
Tianon Gravi
eede7f09c7
Remove Upstart scripts
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit 0d8087fbbc)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-21 11:00:50 -06:00
Tianon Gravi
907f838603
Remove Upstart and cgroups bits from Debian sysvinit script
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Additionally, this removes the "cgroups v1" setup code because it's more reasonable now for us to expect something _else_ to have set up cgroups appropriately (especially cgroups v2).

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit ae737656f9)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-21 11:00:40 -06:00
Sebastiaan van Stijn
52c92be4c5
Merge pull request #46029 from thaJeztah/24.0_backport_bump_runc_binary_1.1.8
[24.0 backport] Dockerfile: update runc binary to v1.1.8
2023-07-19 19:18:38 +02:00
Sebastiaan van Stijn
f022632503
Dockerfile: update runc binary to v1.1.8
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.8
full diff: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.9

This is the eighth patch release of the 1.1.z release branch of runc.
The most notable change is the addition of RISC-V support, along with a
few bug fixes.

- Support riscv64.
- init: do not print environment variable value.
- libct: fix a race with systemd removal.
- tests/int: increase num retries for oom tests.
- man/runc: fixes.
- Fix tmpfs mode opts when dir already exists.
- docs/systemd: fix a broken link.
- ci/cirrus: enable some rootless tests on cs9.
- runc delete: call systemd's reset-failed.
- libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed.
- CI: bump Fedora, Vagrant, bats.
- .codespellrc: update for 2.2.5.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df86d855f5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 18:22:48 +02:00
Sebastiaan van Stijn
bd41493132
Merge pull request #46023 from thaJeztah/24.0_backport_bump_buildx
[24.0 backport] Dockerfile: update buildx to v0.11.2
2023-07-19 16:58:47 +02:00
Sebastiaan van Stijn
5164e5f6d6
Merge pull request #46025 from vvoland/c8d-inspect-variant-24
[24.0 backport] c8d/inspect: Include platform Variant
2023-07-19 15:33:46 +02:00
Sebastiaan van Stijn
2b2a72cc65
Merge pull request #46021 from thaJeztah/24.0_backport_c8d-image-save-lease
[24.0 backport] c8d: Make sure the content isn't removed while we export
2023-07-19 13:06:14 +02:00
Paweł Gronowski
98a6422cbc
c8d/inspect: Include platform Variant
Variant was mistakenly omitted in the returned V1Image.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 2659f7f740)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-19 13:06:11 +02:00
Sebastiaan van Stijn
aab94fb340
Dockerfile: update buildx to v0.11.2
Update the BUILDX_VERSION :)

release notes:

- https://github.com/docker/buildx/releases/tag/v0.11.1
- https://github.com/docker/buildx/releases/tag/v0.11.2

full diff: https://github.com/docker/buildx/compare/v0.11.0...v0.11.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d78893921a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 13:04:31 +02:00
Djordje Lukic
1be48ec553
c8d: Make sure the content isn't removed while we export
This change adds leases for all the content that will be exported, once
the image(s) are exported the lease is removed, thus letting
containerd's GC do its job if needed. This fixes the case where
someone would remove an image that is still being exported.

This fixes the TestAPIImagesSaveAndLoad cli integration test.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit f3a6b0fd08)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 11:57:49 +02:00