Commit graph

2097 commits

Author SHA1 Message Date
Sebastiaan van Stijn
e3feb05175
vendor: github.com/opencontainers/image-spec v1.1.0-rc5
full diff: https://github.com/opencontainers/image-spec/compare/v1.1.0-rc4...v1.1.0-rc5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-17 14:03:41 +02:00
Sebastiaan van Stijn
26730c891a
vendor: google.golang.org/grpc v1.56.3
server: prohibit more than MaxConcurrentStreams handlers from running at once
(CVE-2023-44487).

In addition to this change, applications should ensure they do not leave running
tasks behind related to the RPC before returning from method handlers, or should
enforce appropriate limits on any such work.

- https://github.com/grpc/grpc-go/compare/v1.56.2...v1.56.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 20:37:51 +02:00
Sebastiaan van Stijn
25fb4dd50d
switch to go.opentelemetry.io/otel/semconv/v1.17.0
While updating the docker/docker dependency in BuildKit, I noticed that the
dependency tree showed _two_ separate versions of the semconv package;
BuildKit and containerd were using the v1.17.0 version and docker/docker was
using v1.7.0.

This patch updates the version we use to align with BuildKit and containerd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-16 10:28:54 +02:00
Sebastiaan van Stijn
919fe72f60
vendor: github.com/moby/buildkit v0.12.3-dev
update buildkit to the latest code in the v0.12 branch:

full diff: f94ed7cec3...6560bb937e

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2023-10-13 17:05:56 -07:00
Sebastiaan van Stijn
80a9fc6d36
Merge pull request #46565 from vvoland/c8d-mirrors-fix
daemon/RegistryHosts: Don't lose mirrors
2023-10-13 22:31:24 +02:00
Paweł Gronowski
c5389354ac
Merge pull request #46542 from thaJeztah/update_distribution_2.8.3
vendor: github.com/docker/distribution v2.8.3
2023-10-12 12:13:15 +02:00
Sebastiaan van Stijn
1800dd0876
vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/v0.13.0...v0.17.0

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:58:01 +02:00
Sebastiaan van Stijn
1946aead21
vendor: golang.org/x/crypto v0.14.0
full diff: https://github.com/golang/crypto/compare/v0.11.0...v0.14.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:57:10 +02:00
Sebastiaan van Stijn
0679ae984b
vendor: golang.org/x/text v0.13.0
full diff: https://github.com/golang/text/compare/v0.11.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:56:07 +02:00
Sebastiaan van Stijn
bc33c27796
vendor: golang.org/x/sys v0.13.0
full diff: https://github.com/golang/sys/compare/v0.10.0...v0.13.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 18:55:24 +02:00
Sebastiaan van Stijn
e1d0aacb6a
vendor: github.com/docker/distribution v2.8.3
- Fix storageDriver gcs not registered in binaries
- reference: replace uses of deprecated function SplitHostname
- Dont parse errors as JSON unless Content-Type is set to JSON
- update to go1.20.8
- Set Content-Type header in registry client ReadFrom
- deprecate reference package, migrate to github.com/distribution/reference
- digestset: deprecate package in favor of go-digest/digestset
- Do not close HTTP request body in HTTP handler

full diff: https://github.com/distribution/distribution/compare/v2.8.2...v2.8.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-11 17:11:25 +02:00
Paweł Gronowski
aca9ea42bd
vendor: github.com/moby/buildkit 0.12.3-dev
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-10-11 11:44:03 +02:00
Sebastiaan van Stijn
a293cd6ab9
vendor: github.com/containerd/containerd v1.7.7
full diff: https://github.com/containerd/containerd/compare/v1.7.6...v1.7.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-10 14:47:44 +02:00
Sebastiaan van Stijn
2edb858b18
vendor: golang.org/x/net v0.13.0, golang.org/x/crypto v0.11.0
full diff: https://github.com/golang/net/compare/v0.10.0...v0.13.0
full diff: https://github.com/golang/crypto/compare/v0.9.0...v0.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-10 12:35:40 +02:00
Sebastiaan van Stijn
87de23a6cd
vendor: golang.org/x/text v0.11.0
full diff: https://github.com/golang/text/compare/v0.9.0...v0.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-10 12:31:52 +02:00
Drew Erny
42a51cb285 Add support for swarm seccomp and apparmor
And also no-new-privileges

Signed-off-by: Drew Erny <derny@mirantis.com>
2023-09-25 12:38:26 -05:00
Bjorn Neergaard
c217e3c87a
vendor: github.com/moby/buildkit v0.12.2
The following changes were required:
* integration/build: progressui's signature changed in 6b8fbed01e
* builder-next: flightcontrol.Group has become a generic type in 8ffc03b8f0
* builder-next/executor: add github.com/moby/buildkit/executor/resources types, necessitated by 6e87e4b455
* builder-next: stub util/network/Namespace.Sample(), necessitated by 963f16179f

Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-09-21 14:18:45 -06:00
Bjorn Neergaard
fd6dd6935b
vendor: github.com/containerd/containerd v1.7.6
The DeepEqual ignore required in the daemon tests is a bit ugly, but it
works given the new protoc output.

We also have to ignore lints related to schema1 deprecations; these do
not apply as we must continue to support this schema version.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-09-21 14:18:40 -06:00
Sebastiaan van Stijn
e852ba55a5
vendor: github.com/Microsoft/hcsshim v0.11.1
full diff: https://github.com/Microsoft/hcsshim/compare/v0.9.10...v0.11.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-21 08:37:39 +02:00
Sebastiaan van Stijn
554036040b
vendor: github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24
full diff: 43070de90f...ced1acdcaa

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:18:49 +02:00
Sebastiaan van Stijn
6fc3ead321
vendor: google.golang.org/grpc v1.56.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:30 +02:00
Sebastiaan van Stijn
73041028b6
vendor: google.golang.org/protobuf v1.31.0
full diff: https://github.com/protocolbuffers/protobuf-go/compare/v1.30.0...v1.31.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:30 +02:00
Sebastiaan van Stijn
54dc8d2968
vendor: github.com/cenkalti/backoff/v4 v4.2.1
no local changes

full diff: https://github.com/cenkalti/backoff/compare/v4.2.0...v4.2.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:30 +02:00
Sebastiaan van Stijn
d97e4300ee
vendor: google.golang.org/api v0.114.0
full diff:

- https://github.com/googleapis/google-api-go-client/compare/v0.110.0...v0.114.0
- https://github.com/googleapis/gax-go/compare/v2.7.0...v2.7.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:30 +02:00
Sebastiaan van Stijn
d50585b05b
vendor: golang.org/x/tools v0.8.0
full diff: https://github.com/golang/tools/compare/v0.6.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:29 +02:00
Sebastiaan van Stijn
51d8a975ab
vendor: golang.org/x/oauth2 v0.7.0
full diff: https://github.com/golang/oauth2/compare/v0.6.0...v0.7.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:29 +02:00
Sebastiaan van Stijn
9670db3904
vendor: golang.org/x/crypto v0.9.0
full diff: https://github.com/golang/crypto/compare/v0.3.0...v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:29 +02:00
Sebastiaan van Stijn
a046616249
vendor: golang.org/x/sys v0.10.0
full diff: https://github.com/golang/sys/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:29 +02:00
Sebastiaan van Stijn
f29155950f
vendor: golang.org/x/sync v0.3.0
full diff: https://github.com/golang/sync/compare/v0.1.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:29 +02:00
Sebastiaan van Stijn
0354791147
vendor: github.com/klauspost/compress v1.16.5
full diff: https://github.com/klauspost/compress/compare/v1.16.3...v1.16.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:28 +02:00
Sebastiaan van Stijn
87dd1de046
vendor: github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531
fix possible panix on fast resizing

full diff: 8066bb9726...f9a4f7ef65

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:17:01 +02:00
Sebastiaan van Stijn
bd6cadffb0
vendor: github.com/containerd/continuity v0.4.2
full diff: https://github.com/containerd/continuity/compare/v0.4.1...v0.4.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:05:35 +02:00
Sebastiaan van Stijn
6d93db06db
vendor: github.com/vbatts/tar-split v0.11.3
full diff: https://github.com/vbatts/tar-split/compare/v0.11.2...v0.11.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:04:26 +02:00
Sebastiaan van Stijn
171ecf8cf2
vendor: github.com/vishvananda/netns v0.0.4
full diff: https://github.com/vishvananda/netns/compare/v0.0.2...v0.0.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-18 18:03:23 +02:00
Sebastiaan van Stijn
1ffbbe798a
vendor: github.com/containerd/containerd v1.6.24
full diff: https://github.com/containerd/containerd/compare/v1.6.22...v1.6.24

v1.6.24 release notes:

full diff: https://github.com/containerd/containerd/compare/v1.6.23...v1.6.24

The twenty-fourth patch release for containerd 1.6 contains various fixes
and updates.

Notable Updates

- CRI: fix leaked shim caused by high IO pressure
- Update to go1.20.8
- Update runc to v1.1.9
- Backport: add configurable mount options to overlay snapshotter
- log: cleanups and improvements to decouple more from logrus

v1.6.23 release notes:

full diff: https://github.com/containerd/containerd/compare/v1.6.22...v1.6.23

The twenty-third patch release for containerd 1.6 contains various fixes
and updates.

Notable Updates

- Add stable ABI support in windows platform matcher + update hcsshim tag
- cri: Don't use rel path for image volumes
- Upgrade GitHub actions packages in release workflow
- update to go1.19.12
- backport: ro option for userxattr mount check + cherry-pick: Fix ro mount option being passed

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-15 17:34:58 +02:00
Sebastiaan van Stijn
cc9c930e29
vendor: github.com/Microsoft/hcsshim v0.9.10
Add support for platform compatibility check for windows + add windows builds

full diff: https://github.com/Microsoft/hcsshim/compare/v0.9.8...v0.9.10

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-15 12:52:02 +02:00
Sebastiaan van Stijn
9641c90eaf
Merge pull request #46458 from vvoland/vendor-resenje-singleflight-4.0.0
vendor: resenje.org/singleflight v0.4.0
2023-09-12 14:40:05 +02:00
Paweł Gronowski
5fa011dc0c
vendor: resenje.org/singleflight v0.4.0
Fixes the context aware singleflight not preserving context values.

full diff: https://github.com/janos/singleflight/compare/v0.3.0...v0.4.0

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-09-12 09:34:03 +02:00
Sebastiaan van Stijn
c44f8958f6
vendor: github.com/cncf-tags/container-device-interface v0.6.1
Removes uses of the github.com/opencontainers/runc/libcontainer/devices
package.

full diff: https://github.com/cncf-tags/container-device-interface/compare/v0.6.0...v0.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-08 16:01:56 +02:00
Brian Goff
9b7784781d Add test for buildkit history trace propagation
This test ensures that we are able to propagate traces into buildkit's
history API.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-09-07 18:38:22 +00:00
Brian Goff
642e9917ff Add otel support
This uses otel standard environment variables to configure tracing in
the daemon.
It also adds support for propagating trace contexts in the client and
reading those from the API server.

See
https://opentelemetry.io/docs/specs/otel/configuration/sdk-environment-variables/
for details on otel environment variables.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-09-07 18:38:19 +00:00
Sebastiaan van Stijn
1148a24e64
migrate to new github.com/distribution/reference module
The "reference" package was moved to a separate module, which was extracted
from b9b19409cf

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-05 12:09:26 +02:00
Sebastiaan van Stijn
3553b4c684
replace dockerfile/dockerignore with patternmatcher/ignorefile
The BuildKit dockerignore package was integrated in the patternmatcher
repository / module. This patch updates our uses of the BuildKit package
with its new location.

A small local change was made to keep the format of the existing error message,
because the "ignorefile" package is slightly more agnostic in that respect
and doesn't include ".dockerignore" in the error message.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 00:53:18 +02:00
Sebastiaan van Stijn
a479b287c7
vendor: github.com/moby/patternmatcher v0.6.0
- integrate frontend/dockerfile/dockerignore from buildkit

full diff: https://github.com/moby/patternmatcher/compare/v0.5.0...v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 00:50:05 +02:00
Sebastiaan van Stijn
cff341e5e6
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230815220644-3f2e40b3ed51
Remove uses of deprecated datastore.LocalScope const

full diff: 60421a63a7...3f2e40b3ed

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-16 14:49:13 +02:00
Sebastiaan van Stijn
b9d9504df5
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230808164555-1983e41a9fff
notable changes:

- Free unused volumes in more cases
- Convert BasicKeyRequest to KeyRequest to use cloudflare/cfssl 1.x.x
- reduce direct imports of logrus

diffs:

- github.com/cloudflare/cfssl v1.6.4; full diff: https://github.com/cloudflare/cfssl/compare/5d63dbd981b5...v1.6.4
- github.com/moby/swarmkit/v2; full diff: https://github.com/moby/swarmkit/compare/bc71908479e5...60421a63a7f148ba1ec7d35c55e4cf9ac03d6b78

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-14 18:39:57 +02:00
Sebastiaan van Stijn
7b66ae1531
vendor: golang.org/x/crypto v0.3.0
full diff: https://github.com/golang/crypto/compare/v0.2.0...v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-14 18:38:35 +02:00
Akihiro Suda
79b467808e
vendor.mod: github.com/opencontainers/runc v1.1.9
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2023-08-11 21:29:16 +09:00
Sebastiaan van Stijn
4d674897f3
vendor: github.com/containerd/containerd v1.6.22
- full diff: https://github.com/containerd/containerd/compare/v1.6.21...v1.6.22
- release notes: https://github.com/containerd/containerd/releases/tag/v1.6.22

---

Notable Updates

- RunC: Update runc binary to v1.1.8
- CRI: Fix `additionalGids`: it should fallback to `imageConfig.User`
  when `securityContext.RunAsUser`, `RunAsUsername` are empty
- CRI: Write generated CNI config atomically
- Fix concurrent writes for `UpdateContainerStats`
- Make `checkContainerTimestamps` less strict on Windows
- Port-Forward: Correctly handle known errors
- Resolve `docker.NewResolver` race condition
- SecComp: Always allow `name_to_handle_at`
- Adding support to run hcsshim from local clone
- Pinned image support
- Runtime/V2/RunC: Handle early exits w/o big locks
- CRITool: Move up to CRI-TOOLS v1.27.0
- Fix cpu architecture detection issue on emulated ARM platform
- Task: Don't `close()` io before `cancel()`
- Fix panic when remote differ returns empty result
- Plugins: Notify readiness when registered plugins are ready
- Unwrap io errors in server connection receive error handling

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-30 15:59:52 +02:00
Sebastiaan van Stijn
935c04f33a
Merge pull request #46117 from thaJeztah/bump_gotest_tools
vendor: gotest.tools/v3 v3.5.0
2023-07-30 15:59:33 +02:00