Commit graph

44570 commits

Author SHA1 Message Date
CrazyMax
df731c745a
integration: TestNetworkLoopbackNat is broken on GitHub Runner
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-07 22:52:34 +02:00
CrazyMax
2e04be3fb9
ci: gha test workflow for integration and unit test
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-09-07 22:52:34 +02:00
Sebastiaan van Stijn
a0a16bbed6
Merge pull request #43746 from thaJeztah/bump_go_1.19
update to golang 1.19.1
2022-09-07 22:44:45 +02:00
Sebastiaan van Stijn
f3e6b7065a
Merge pull request #44083 from thaJeztah/archive_cachebust
pkg/archive: remove backward compat hack for go < 1.9
2022-09-07 21:28:40 +02:00
Sebastiaan van Stijn
105eee7e24
Merge pull request #43939 from thaJeztah/containerd_contexts_step1
containerd integration: imageservice: add contexts to various methods (step 1)
2022-09-07 19:31:27 +02:00
Sebastiaan van Stijn
779a5b3029 ImageService.GetImage(): pass context
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-09-07 16:53:45 +02:00
Sebastiaan van Stijn
1eadbdd9fa
Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-07 15:27:19 +02:00
Sebastiaan van Stijn
58413c15cb
update to golang 1.19
also ran gofmt with go1.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-07 15:27:16 +02:00
Sebastiaan van Stijn
9dab00a76e daemon/images: manifestMatchesPlatform() punch through context
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-07 10:49:10 +02:00
Samuel Karp
a9fe88e395
Merge pull request #44102 from thaJeztah/bump_x_net 2022-09-06 20:49:55 -07:00
Samuel Karp
96929d406f
Merge pull request #44099 from thaJeztah/bump_golang_1.18.6 2022-09-06 20:43:46 -07:00
Sebastiaan van Stijn
518179f63e
vendor: golang.org/x/net v0.0.0-20220906165146-f3363e06e74c
Update to the latest version that contains a fix for CVE-2022-27664;
f3363e06e7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:50:51 +02:00
Sebastiaan van Stijn
cba36a064d
Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.18.6 (released 2022-09-06) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the pprof command, the
runtime, and the crypto/tls, encoding/xml, and net packages. See the Go 1.18.6
milestone on the issue tracker for details;

https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:23:40 +02:00
Sebastiaan van Stijn
ff76e05913
Merge pull request #44092 from thaJeztah/remove_tereshkova
namesgenerator: remove Valentina Tereshkova
2022-09-06 21:57:25 +02:00
Sebastiaan van Stijn
670ce6785d
Merge pull request #44091 from rumpl/fix-local-context
Wrap local calls to the content and lease service
2022-09-06 18:49:43 +02:00
Sebastiaan van Stijn
5ba4ba0baf
Merge pull request #44077 from thaJeztah/c8d_default_snapshotter
daemon: set containerd default snapshotter if none is configured
2022-09-06 17:33:40 +02:00
Djordje Lukic
878906630b Wrap local calls to the content and lease service
The wrapper sets the default namespace in the context if none is
provided, this is needed because we are calling these services directly
and not trough GRPC that has an interceptor to set the default namespace
to all calls.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-09-06 17:33:19 +02:00
Sebastiaan van Stijn
0f052eb4f5
namesgenerator: remove Valentina Tereshkova
While the name generator has been frozen for new additions in 624b3cfbe8,
this person has become controversial. Our intent is for this list to be inclusive
and non-controversial.

This patch removes the name from the list.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 13:37:32 +02:00
Sebastiaan van Stijn
609d87003a
pkg/archive: strip "write" bits again on Windows
1. Commit 1a22418f9f changed permissions to `0700`
   on Windows, or more factually, it removed `rw` (`chmod g-rw,o-rw`) and added
   executable bits (`chmod u+x`).
2. This was too restrictive, and b7dc9040f0 changed
   permissions to only remove the group- and world-writable bits to give read and
  execute access to everyone, but setting execute permissions for everyone.
3. However, this also removed the non-permission bits, so 41eb61d5c2
   updated the code to preserve those, and keep parity with Linux.

This changes it back to `2.`. I wonder (_think_) _permission_ bits (read, write)
can be portable, except for the _executable_ bit (which is not present on Windows).
The alternative could be to keep the permission bits, and only set the executable
bit (`perm | 0111`) for everyone (equivalent of `chmod +x`), but that likely would
be a breaking change.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-05 10:50:10 +02:00
Sebastiaan van Stijn
cddaa84777
pkg/archive: remove backward compat hack for go < 1.9
The fillGo18FileTypeBits func was added in 1a451d9a7b
to keep the tar headers consistent with headers created with go1.8 and older.

go1.8 and older incorrectly preserved all file-mode bits, including file-type,
instead of stripping those bits and only preserving the _permission_ bits, as
defined in;

- the GNU tar spec: https://www.gnu.org/software/tar/manual/html_node/Standard.html
- and POSIX: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/tar.h.html

We decided at the time to copy the "wrong" behavior to prevent a cache-bust and
to keep the archives identical, however:

- It's not matching the standards, which causes differences between our tar
  implementation and the standard tar implementations, as well as implementations
  in other languages, such as Python (see docker/compose#883).
- BuildKit does not implement this hack.
- We don't _need_ this extra information (as it's already preserved in the
  type header; https://pkg.go.dev/archive/tar#pkg-constants

In short; let's remove this hack.

This reverts commit 1a451d9a7b.
This reverts commit 41eb61d5c2.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-04 21:44:02 +02:00
Sebastiaan van Stijn
0670621291
Merge pull request #43997 from thaJeztah/healthcheck_capture_logs
daemon: capture output of killed health checks
2022-09-02 10:48:22 +02:00
Sebastiaan van Stijn
c9c55df1f2
Merge pull request #44054 from thaJeztah/json_stream_export
pkg/jsonmessage: export "Stream" interface
2022-09-01 19:38:59 +02:00
Sebastiaan van Stijn
de4af86e98
daemon: set containerd default snapshotter if none is configured
This is a temporary workaround for the daemon not yet having automatic
selection of snapshotters.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-01 14:18:37 +02:00
Sebastiaan van Stijn
0db50996b7
Merge pull request #44043 from thaJeztah/bump_klauspost_compress
vendor: github.com/klauspost/compress v1.15.9
2022-08-31 16:11:17 +02:00
Akihiro Suda
52f8a4283e
Merge pull request #44021 from thaJeztah/client_remove_deprecated_errorutils
client: remove deprecated error-utilities
2022-08-31 17:01:56 +09:00
Brian Goff
c543c39692
Merge pull request #44051 from thaJeztah/migrate_sequential
replace pkg/system Sequential funcs with moby/sys/sequential
2022-08-30 10:11:14 -07:00
Sebastiaan van Stijn
509f19f611
replace pkg/system Sequential funcs with moby/sys/sequential
Migrating these functions to allow them being shared between moby, docker/cli,
and containerd, and to allow using them without importing all of sys / system,
which (in containerd) also depends on hcsshim and more.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-30 09:33:49 +02:00
Sebastiaan van Stijn
18bb8fee3c
Merge pull request #44058 from crazy-max/ci-buildkit
ci: move buildkit tests to a dedicated workflow
2022-08-30 08:39:22 +02:00
Cory Snider
e8c4740108
Merge pull request #44014 from corhere/healthcheck-kill-timeout
Un-skip TestHealthCheckProcessKilled on Windows+containerd and stop health checks earlier upon container exit.
2022-08-29 18:09:02 -04:00
Brian Goff
5b9492a58e
Merge pull request #44052 from thaJeztah/simplify_isabs
pkg/system: make IsAbs() platform-agnostic
2022-08-29 13:57:51 -07:00
CrazyMax
a4d081cc17
ci: move buildkit tests to a dedicated workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-29 22:52:34 +02:00
Sebastiaan van Stijn
1ac44105f9
Merge pull request #44047 from thaJeztah/validate_yaml
validate: add additional validation on YAML files
2022-08-29 21:57:55 +02:00
Sebastiaan van Stijn
5cfc9c374c
validate: address SC2155 (shellcheck)
see https://github.com/koalaman/shellcheck/wiki/SC2155

Looking at how these were used, I don't think we even need to
export them, so removing that.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:53:04 +02:00
Sebastiaan van Stijn
b9fd2cf605
validate: format vendor script with shfmt
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:53:02 +02:00
Sebastiaan van Stijn
6cef06b940
validate: add yamllint validation
validate other YAML files, such as the ones used in the documentation,
and GitHub actions workflows, to prevent issues such as;

- 30295c1750
- 8e8d9a3650

With this patch:

    hack/validate/yamllint
    Congratulations! yamllint config file formatted correctly
    Congratulations! YAML files are formatted correctly

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:52:56 +02:00
Sebastiaan van Stijn
91bb776bb8
validate: yamllint: ignore "truthy value should be one of" warnings
Suppresses warnings like:

    LANG=C.UTF-8 yamllint -c hack/validate/yamllint.yaml -f parsable .github/workflows/*.yml
    .github/workflows/ci.yml:7:1: [warning] truthy value should be one of [false, true] (truthy)
    .github/workflows/windows.yml:7:1: [warning] truthy value should be one of [false, true] (truthy)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:51:43 +02:00
Sebastiaan van Stijn
cc2134ea83
validate: yamllint: set locale in config file
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:51:41 +02:00
Sebastiaan van Stijn
f679d8c821
validate: yamllint: use "parsable" output
Before:

    10030:81  error    line too long (89 > 80 characters)  (line-length)

After:

    api/swagger.yaml:10030:81: [error] line too long (89 > 80 characters) (line-length)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:51:39 +02:00
Sebastiaan van Stijn
5f114b65b4
validate: yamllint rename config-file
Don't make the file hidden, and add .yaml extension, so that editors
pick up the right formatting :)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:51:38 +02:00
Sebastiaan van Stijn
1d7cd76ee9
Dockerfile: update yamllint to v1.27.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 19:51:35 +02:00
Sebastiaan van Stijn
939451554f
Merge pull request #44035 from crazy-max/ci-rm-win-2019
ci(windows): move windows-2019 to another workflow
2022-08-29 18:18:33 +02:00
Sebastiaan van Stijn
5e0599cb6e
pkg/jsonmessage: export "Stream" interface
This interface is used as part of an exported function's signature,
so exporting the interface as well for callers to know what the argument
must have implemented.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-29 16:15:37 +02:00
Sebastiaan van Stijn
2640aec0d7
pkg/system: make IsAbs() platform-agnostic
filepath.IsAbs() will short-circuit on Linux/Unix, so having a single
implementation should not affect those platforms.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-27 15:11:27 +02:00
CrazyMax
65fdd10d4e
ci(windows): move windows-2019 to another workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-26 14:25:09 +02:00
Sebastiaan van Stijn
3e8573a85a
Merge pull request #44040 from thaJeztah/containerd_binary_1.6.8
update containerd binary to v1.6.8
2022-08-26 13:06:29 +02:00
Sebastiaan van Stijn
cefc89e5a5
Merge pull request #44037 from thaJeztah/update_runc_1.1.4
update runc to v1.1.4
2022-08-26 13:05:17 +02:00
Sebastiaan van Stijn
80e0fc4901
Merge pull request #44045 from crazy-max/fix-ci-workflow
ci: fix broken workflow
2022-08-26 08:27:40 +02:00
CrazyMax
8e8d9a3650
ci: fix broken workflow
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2022-08-26 04:30:04 +02:00
Sebastiaan van Stijn
6373de3304
Merge pull request #44036 from benlangfeld/patch-1
Upgrades buildx to 0.9.1
2022-08-26 02:23:23 +02:00
Cory Snider
8b748bd326 daemon: stop health checks before deleting task
Prevent new health check probes from racing the task deletion. This may
have been a root cause of containers taking so long to stop on Windows.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-08-25 20:03:42 -04:00