Commit graph

48522 commits

Author SHA1 Message Date
Sebastiaan van Stijn
1f6c42c678
Merge pull request #47006 from thaJeztah/deprecate_ResolveScopedPath
pkg/containerfs: unify CleanScopedPath implementation, and deprecate ResolveScopedPath
2024-01-03 15:38:52 +01:00
Sebastiaan van Stijn
f8159163c1
Merge pull request #47014 from thaJeztah/daemon_deadcode
daemon: remove dead code relying on SecondaryIPAddress
2024-01-03 14:20:46 +01:00
Sebastiaan van Stijn
d5a3fccb06
update golangci-lint to v1.55.2
- full diff: https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-03 13:41:37 +01:00
Sebastiaan van Stijn
7ad5396f79
Merge pull request #47013 from thaJeztah/update_authors
update AUTHORS
2024-01-03 13:16:40 +01:00
Albin Kerouanton
9b184e1268
daemon: remove dead code relying on SecondaryIPAddress
Since commit d0e0c13b60, `NetworkSettings.SecondaryAddress` is never
written.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-01-03 10:19:21 +01:00
Sebastiaan van Stijn
7b0f8122b2
update AUTHORS
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-03 10:12:37 +01:00
Akihiro Suda
b7ba0615d0
Merge pull request #47005 from thaJeztah/remove_pkg_aaparser
remove pkg/aaparser, and inline remaining functionality in profiles/apparmor
2024-01-03 03:43:25 +09:00
Akihiro Suda
dbe86d9d37
Merge pull request #47007 from thaJeztah/bump_runc_binary
update runc binary to v1.1.11
2024-01-03 03:42:02 +09:00
Sebastiaan van Stijn
0be7a1e33b
Merge pull request #47004 from thaJeztah/portmapper_rm_err_return
libnetwork/portallocator: PortAllocator.ReleasePort: remove unused err-return
2024-01-02 18:20:35 +01:00
Sebastiaan van Stijn
8fa736945a
Merge pull request #47008 from thaJeztah/vendor_runc_1.1.11
vendor: github.com/opencontainers/runc v1.1.11
2024-01-02 17:59:31 +01:00
Sebastiaan van Stijn
fc8fcf85a2
vendor: github.com/opencontainers/runc v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 16:29:43 +01:00
Sebastiaan van Stijn
5fa4cfcabf
update runc binary to v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 16:09:16 +01:00
Sebastiaan van Stijn
84ba2558e2
Merge pull request #46976 from robmry/bridge_todos
Validate IPv6 address in libnetwork's bridge driver, remove unused error types.
2024-01-02 16:03:16 +01:00
Sebastiaan van Stijn
b8f2caa80a
pkg/containerfs: deprecate ResolveScopedPath
If was a very shallow wrapper around symlink.FollowSymlinkInScope, so inline
that code instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 15:32:31 +01:00
Sebastiaan van Stijn
90f37f48e2
pkg/containerfs: unify CleanScopedPath implementation
Use stdlib's filepath.VolumeName to get the volume-name (if present) instead
of a self-crafted implementation, and unify the implementations for Windows
and Unix.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 15:26:29 +01:00
Sebastiaan van Stijn
6fae583dba
pkg/aaparser: remove, and integrate into profiles/apparmor
This package provided utilities to obtain the apparmor_parser version, as well
as loading a profile.

Commit e3e715666f (included in v24.0.0 through
bfffb0974e) deprecated GetVersion, as it was no
longer used, which made LoadProfile the only utility remaining in this package.

LoadProfile appears to have no external consumers, and the only use in our code
is "profiles/apparmor".

This patch moves the remaining code (LoadProfile) to profiles/apparmor as a
non-exported function, and deletes the package.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 15:15:49 +01:00
Sebastiaan van Stijn
53d405c37f
pkg/aaparser: remove deprecated GetVersion utility
Commit e3e715666f (included in v24.0.0 through
bfffb0974e) deprecated GetVersion, as it was no
longer used.

This patch removes the deprecated utility, and inlines the remaining code into
the LoadProfile function.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 14:10:37 +01:00
Sebastiaan van Stijn
f714730c40
libnetwork/portallocator: PortAllocator.ReleasePort: remove unused err-return
This function never returned an error, and was not matching an interface, so
remove the error-return.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 11:00:22 +01:00
Sebastiaan van Stijn
a5b4670c79
Merge pull request #47001 from thaJeztah/portmapper_fix_release
portmapper: fix defers to prevent potentially unreleased ports
2024-01-02 10:58:24 +01:00
Sebastiaan van Stijn
abdaf7c2b5
Merge pull request #47000 from thaJeztah/userland_proxy_validation
portmapper: move userland-proxy lookup to daemon config
2024-01-02 10:55:13 +01:00
Sebastiaan van Stijn
4f9db655ed
portmapper: move userland-proxy lookup to daemon config
When mapping a port with the userland-proxy enabled, the daemon would
perform an "exec.LookPath" for every mapped port (which, in case of
a range of ports, would be for every port in the range).

This was both inefficient (looking up the binary for each port), inconsistent
(when running in rootless-mode, the binary was looked-up once), as well as
inconvenient, because a missing binary, or a mis-configureed userland-proxy-path
would not be detected daeemon startup, and not produce an error until starting
the container;

    docker run -d -P nginx:alpine
    4f7b6589a1680f883d98d03db12203973387f9061e7a963331776170e4414194
    docker: Error response from daemon: driver failed programming external connectivity on endpoint romantic_wiles (7cfdc361821f75cbc665564cf49856cf216a5b09046d3c22d5b9988836ee088d): fork/exec docker-proxy: no such file or directory.

However, the container would still be created (but invalid);

    docker ps -a
    CONTAINER ID   IMAGE          COMMAND                  CREATED          STATUS    PORTS     NAMES
    869f41d7e94f   nginx:alpine   "/docker-entrypoint.…"   10 seconds ago   Created             romantic_wiles

This patch changes how the userland-proxy is configured;

- The path of the userland-proxy is now looked up / configured at daemon
  startup; this is similar to how the proxy is configured in rootless-mode.
- A warning is logged when failing to lookup the binary.
- If the daemon is configured with "userland-proxy" enabled, an error is
  produced, and the daemon will refuse to start.
- The "proxyPath" argument for newProxyCommand() (in libnetwork/portmapper)
  is now required to be set. It no longer looks up the executable, and
  produces an error if no path was provided. While this change was not
  required, it makes the daemon config the canonical source of truth, instead
  of logic spread accross multiplee locations.

Some of this logic is a change of behavior, but these changes were made with
the assumption that we don't want to support;

- installing the userland proxy _after_ the daemon was started
- moving the userland proxy (or installing a proxy with a higher
  preference in PATH)

With this patch:

Validating the config produces an error if the binary is not found:

    dockerd --validate
    WARN[2023-12-29T11:36:39.748699591Z] failed to lookup default userland-proxy binary       error="exec: \"docker-proxy\": executable file not found in $PATH"
    userland-proxy is enabled, but userland-proxy-path is not set

Disabling userland-proxy prints a warning, but validates as "OK":

    dockerd --userland-proxy=false --validate
    WARN[2023-12-29T11:38:30.752523879Z] ffailed to lookup default userland-proxy binary       error="exec: \"docker-proxy\": executable file not found in $PATH"
    configuration OK

Speficying a non-absolute path produces an error:

    dockerd --userland-proxy-path=docker-proxy --validate
    invalid userland-proxy-path: must be an absolute path: docker-proxy

Befor this patch, we would not validate this path, which would allow the daemon
to start, but fail to map a port;

    docker run -d -P nginx:alpine
    4f7b6589a1680f883d98d03db12203973387f9061e7a963331776170e4414194
    docker: Error response from daemon: driver failed programming external connectivity on endpoint romantic_wiles (7cfdc361821f75cbc665564cf49856cf216a5b09046d3c22d5b9988836ee088d): fork/exec docker-proxy: no such file or directory.

Specifying an invalid userland-proxy-path produces an error as well:

    dockerd --userland-proxy-path=/usr/local/bin/no-such-binary --validate
    userland-proxy-path is invalid: stat /usr/local/bin/no-such-binary: no such file or directory

    mkdir -p /usr/local/bin/not-a-file
    dockerd --userland-proxy-path=/usr/local/bin/not-a-file --validate
    userland-proxy-path is invalid: exec: "/usr/local/bin/not-a-file": is a directory

    touch /usr/local/bin/not-an-executable
    dockerd --userland-proxy-path=/usr/local/bin/not-an-executable --validate
    userland-proxy-path is invalid: exec: "/usr/local/bin/not-an-executable": permission denied

Same when using the daemon.json config-file;

    echo '{"userland-proxy-path":"no-such-binary"}' > /etc/docker/daemon.json
    dockerd --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: merged configuration validation from file and command line flags failed: invalid userland-proxy-path: must be an absolute path: no-such-binary

    dockerd --userland-proxy-path=hello --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: userland-proxy-path: (from flag: hello, from file: /usr/local/bin/docker-proxy)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 16:23:18 +01:00
Sebastiaan van Stijn
488f2bd141
Merge pull request #46998 from deciduously/update-manifest-v2-urls
Updated manifest v2 URLs in image spec README
2023-12-29 15:23:11 +01:00
Sebastiaan van Stijn
214ab2caef
libnetwork/portmapper: PortMapper.MapRange: inline "cleanup" closure
The cleanup function never returns an error, so didn't add much value. This
patch removes the closure, and calls it inline to remove the extra
indirection, and removes the error which would never be returned.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 14:30:42 +01:00
Sebastiaan van Stijn
6ae6dcfc53
libnetwork/portmapper: PortMapper.MapRange: fix defer
The defer was set after the switch, but various code-paths inside the switch
could return with an error after the port was allocated / reserved, which
could result in those ports not being released.

This patch moves the defer into each individual branch of the switch to set
it immediately after succesfully reserving the port.

We can also remove a redundant ReleasePort from the cleanup function, as
it's only called if an error occurs, and the defers already take care of
that.

Note that the cleanup function was handling errors returned by ReleasePort,
but this function never returns an error, so it was fully redundant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 14:26:56 +01:00
Sebastiaan van Stijn
8712c6df22
libnetwork/portmapper: PortMapper.MapRange: rename err-return
Prevent accidentally shadowing the error, which is used in a defer.
Also re-format the code to make it more clear we're not acting on
a locally-scoped "allocatedHostPort" variable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-29 14:26:06 +01:00
Ben Lovy
341e7b35a6 Updated manifest v2 URLs in image spec README
Signed-off-by: Ben Lovy <ben@deciduously.com>
2023-12-28 16:13:26 -05:00
Sebastiaan van Stijn
60b7e2bbbe
Merge pull request #46997 from thaJeztah/bump_crun
Dockerfile: update crun to 1.12
2023-12-28 21:06:51 +01:00
Sebastiaan van Stijn
882b79b254
Dockerfile: update crun to 1.12
full diff: https://github.com/containers/crun/compare/1.8.7...1.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-28 10:50:28 +01:00
Sebastiaan van Stijn
1ffc120558
Merge pull request #46991 from thaJeztah/bump_compress
vendor: github.com/klauspost/compress v1.17.4
2023-12-28 10:14:35 +01:00
Sebastiaan van Stijn
dc23efd3a2
vendor: github.com/klauspost/compress v1.17.4
full diff: https://github.com/klauspost/compress/compare/v1.17.2...v1.17.4

v1.17.4:

- huff0: Speed up symbol counting
- huff0: Remove byteReader
- gzhttp: Allow overriding decompression on transport
- gzhttp: Clamp compression level
- gzip: Error out if reserved bits are set

v1.17.3:

- fse: Fix max header size
- zstd: Improve better/best compression
- gzhttp: Fix missing content type on Close

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 10:23:44 +01:00
Derek McGowan
f74ca4ed36
Update commit id unmap to directly use active mounts
Signed-off-by: Derek McGowan <derek@mcg.dev>
2023-12-22 10:14:44 -08:00
Sebastiaan van Stijn
46f7ab808b
Merge pull request #46977 from crazy-max/fix-push-tag
ci(bin-image): fix merge job run condition
2023-12-21 22:35:40 +01:00
CrazyMax
0252a6f475
ci(bin-image): fix merge job run condition
All underlying jobs inherit from the status of all parent jobs
in the tree, not just the very parent. We need to apply the same
kind of special condition.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2023-12-21 16:58:36 +01:00
CrazyMax
1ea1d561c7
ci: do not run ci workflow on push tag events
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2023-12-21 16:53:46 +01:00
Rob Murray
141cb65e51 Check, then assume an IPv6 bridge has a subnet.
If IPv6 is enabled for a bridge network, by the time configuration
is applied, the bridge will always have an address. Assert that, by
raising an error when the configuration is validated.

Use that to simplify the logic used to calculate which addresses
should be assigned to a bridge. Also remove a redundant check in
setupGatewayIPv6() and the error associated with it.

Fix unit tests that enabled IPv6, but didn't supply an IPv6 IPAM
address/pool. Before this change, these tests passed but silently
left the bridge without an IPv6 address.

(The daemon already ensured there was an IPv6 address, this change
does not add a new restriction on config at that level.)

Signed-off-by: Rob Murray <rob.murray@docker.com>
2023-12-21 15:26:34 +00:00
Rob Murray
437bc829bf Don't try to validate incomplete network config.
Some checks in 'networkConfiguration.Validate()' were not running as
expected, they'd always pass - because 'parseNetworkOptions()' called
it before 'config.processIPAM()' had added IP addresses and gateways.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2023-12-21 15:16:26 +00:00
Rob Murray
52d9b0cb56 Remove unused error types.
Signed-off-by: Rob Murray <rob.murray@docker.com>
2023-12-21 12:47:59 +00:00
Albin Kerouanton
f9135cdeb5
libnet: Improve the debug log written when the extKeyListener is stopped
This log message was quite spreading FUD whereas it's absolutely benign.
Reword it.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-21 12:38:08 +01:00
Sebastiaan van Stijn
7bc56c5365
Merge pull request #46853 from akerouanton/libnet-ep-dns-names
libnet: Endpoint: remove isAnonymous & myAliases
2023-12-20 19:53:16 +01:00
Albin Kerouanton
13915f6521
libnet: document what Network.networkType represents
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-20 19:04:37 +01:00
Albin Kerouanton
6a2542dacf
libnet: remove Endpoint.anonymous
No more concept of "anonymous endpoints". The equivalent is now an
endpoint with no DNSNames set.

Some of the code removed by this commit was mutating user-supplied
endpoint's Aliases to add container's short ID to that list. In order to
preserve backward compatibility for the ContainerInspect endpoint, this
commit also takes care of adding that short ID (and the container
hostname) to `EndpointSettings.Aliases` before returning the response.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-12-20 19:04:37 +01:00
Djordje Lukic
cf5a3bc531
c8d: Fix image commit with userns mapping
The remapping in the commit code was in the wrong place, we would create
a diff and then remap the snapshot, but the descriptor created in
"CreateDiff" was still pointing to the old snapshot, we now remap the
snapshot before creating a diff. Also make sure we don't lose any
capabilities, they used to be lost after the chown.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2023-12-20 17:30:57 +01:00
Sebastiaan van Stijn
388216fc45
Merge pull request #46850 from robmry/46829-allow_ipv6_subnet_change
Allow overlapping change in bridge's IPv6 network.
2023-12-19 18:35:13 +01:00
Sebastiaan van Stijn
69b7952b8b
Merge pull request #46963 from corhere/libn/resolver-pack-servfail
libnetwork: write ServFail if DNS reply msg is bad
2023-12-19 18:33:27 +01:00
Sebastiaan van Stijn
43a82dab90
Merge pull request #46840 from dmcgowan/c8d-rmi-cleanup
containerd: Image delete fixes and cleanup
2023-12-19 18:07:16 +01:00
Sebastiaan van Stijn
c378b1bf4c
Merge pull request #46966 from vvoland/c8d-dockerpy-skip-commit
c8d/docker-py: Temporarily skip test_commit_*
2023-12-19 17:52:05 +01:00
Cory Snider
5eaf898fcb libnetwork: write ServFail if DNS reply msg is bad
If the resolver's DNSBackend returns a name that cannot be marshaled
into a well-formed DNS message, the resolver will only discover this
when it attempts to write the reply message and it fails with an error.
No reply message is sent, leaving the client to wait out its timeout and
the user in the dark about what went wrong.

When writing the intended reply message fails, retry once with a
ServFail response to inform the client and user that the DNS query was
not resolved due to a problem with to the resolver, not the network.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-19 11:24:33 -05:00
Cory Snider
1da85f7bdc libnetwork: assert DNS replies are well-formed
The well-formedness of a DNS message is only checked when it is
serialized, through the (*dns.Msg).Pack() method. Add a call to Pack()
to our tstwriter mock to mirror the behaviour of the real
dns.ResponseWriter implementation. And fix tests which generated
ill-formed DNS query messages.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-12-19 11:13:35 -05:00
Paweł Gronowski
f6a160d34e
c8d/docker-py: Temporarily skip test_commit_*
These tests check deprecated fields. Reenable them once a new docker-py
is released.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-12-19 16:28:20 +01:00
Sebastiaan van Stijn
ae726dcd2b
Merge pull request #46965 from vvoland/c8d-dockerpy-skip-imagesaveload
c8d/docker-py: Temporarily skip test_save_and_load*
2023-12-19 14:58:48 +01:00