Commit graph

46525 commits

Author SHA1 Message Date
Akihiro Suda
f1ef52f46b
Merge pull request #47094 from thaJeztah/24.0_backport_bump_golangci_lint
[24.0 backport] update golangci-lint to v1.55.2
2024-01-18 18:11:20 +09:00
Sebastiaan van Stijn
293a701da6
update golangci-lint to v1.55.2
- full diff: https://github.com/golangci/golangci-lint/compare/v1.54.2...v1.55.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d5a3fccb06)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-17 22:20:21 +01:00
Sebastiaan van Stijn
854ca341c0
Merge pull request #47047 from thaJeztah/24.0_backport_bump_rootlesskit
[24.0 backport] Dockerfile: update rootlesskit to v1.1.1, and use tags as reference
2024-01-09 13:28:56 +01:00
Sebastiaan van Stijn
d052b06a73
Dockerfile: update rootlesskit to v1.1.1, and use tags as reference
Commit 0b1c1877c5 updated the version in
hack/dockerfile/install/rootlesskit.installer, but forgot to update the
version in Dockerfile.

Also updating both to use a tag, instead of commit. While it's good to pin by
an immutable reference, I think it's reasonably safe to use the tag, which is
easier to use, and what we do for other binaries, such as runc as well.

Full diff: https://github.com/rootless-containers/rootlesskit/compare/v1.1.0...v1.1.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e27ffdab0f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-09 09:58:47 +01:00
Sebastiaan van Stijn
dfcd445ce6
Merge pull request #47010 from thaJeztah/24.0_backport_bump_runc_binary
[24.0 backport] update runc binary to v1.1.11
2024-01-03 19:12:20 +01:00
Sebastiaan van Stijn
5331e7a65c
update runc binary to v1.1.11
This is the eleventh patch release in the 1.1.z release branch of runc.
It primarily fixes a few issues with runc's handling of containers that
are configured to join existing user namespaces, as well as improvements
to cgroupv2 support.

- Fix several issues with userns path handling.
- Support memory.peak and memory.swap.peak in cgroups v2.
  Add swapOnlyUsage in MemoryStats. This field reports swap-only usage.
  For cgroupv1, Usage and Failcnt are set by subtracting memory usage
  from memory+swap usage. For cgroupv2, Usage, Limit, and MaxUsage
  are set.
- build(deps): bump github.com/cyphar/filepath-securejoin.

- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.11
- full diff: https://github.com/opencontainers/runc/compare/v1.1.10...v1.1.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5fa4cfcabf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-01-02 23:43:12 +01:00
Sebastiaan van Stijn
1c9cd6a5f8
Merge pull request #46993 from thaJeztah/24.0_backport_46621-container_wait
[24.0 backport] Ensure that non-JSON-parsing errors are returned to the caller
2023-12-28 19:40:17 +01:00
Stefan Gehrig
083ef6617b
Ensure that non-JSON-parsing errors are returned to the caller
Signed-off-by: Stefan Gehrig <stefan.gehrig.hn@googlemail.com>
Co-authored-by: Cory Snider <corhere@gmail.com>
(cherry picked from commit 0d27579fc7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-27 14:18:13 +01:00
Sebastiaan van Stijn
4d14c7db67
Merge pull request #46945 from thaJeztah/24.0_backport_gha_fixes
[24.0 backport] ci(bin-image fixes
2023-12-19 10:42:14 +01:00
Akihiro Suda
56c010e607
Merge pull request #46960 from thaJeztah/24.0_backport_vendor_runc
[24.0 backport] vendor: github.com/opencontainers/runc v1.1.10
2023-12-18 23:41:46 +09:00
Sebastiaan van Stijn
ca7e071d6e
vendor: github.com/opencontainers/runc v1.1.10
- full diff: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.10

This is the tenth (and most likely final) patch release in the 1.1.z
release branch of runc. It mainly fixes a few issues in cgroups, and a
umask-related issue in tmpcopyup.

- Add support for `hugetlb.<pagesize>.rsvd` limiting and accounting.
  Fixes the issue of postgres failing when hugepage limits are set.
- Fixed permissions of a newly created directories to not depend on the value
  of umask in tmpcopyup feature implementation.
- libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes`
  (fixes the compatibility with Linux kernel 6.1+).
- Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
  configuration. This issue is not a security issue because it requires a
  malicious config.json, which is outside of our threat model.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fb53da508f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-18 14:30:51 +01:00
Akihiro Suda
214fcf4fa7
vendor.mod: github.com/opencontainers/runc v1.1.9
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 79b467808e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-18 14:28:36 +01:00
Sebastiaan van Stijn
99dfa74582
Merge pull request #46947 from thaJeztah/24.0_backport_gc_time_filter
[24.0 backport] builder-next: fix timing filter for default policy
2023-12-17 13:08:42 +01:00
Sebastiaan van Stijn
6da9a14f9a
Merge pull request #46949 from thaJeztah/24.0_backport_fix_redirects
[24.0 backport] docs/api: update redirect metadata for hugo
2023-12-17 13:07:08 +01:00
Sebastiaan van Stijn
7960922b15
Merge pull request #46950 from thaJeztah/24.0_backport_local_logs_timezone
[24.0 backport] daemon/logger/local: always use UTC for timestamps
2023-12-17 13:06:34 +01:00
Sebastiaan van Stijn
cf66ca7f6a
Merge pull request #46952 from thaJeztah/24.0_backport_update_securejoin
[24.0 backport] vendor: github.com/cyphar/filepath-securejoin v0.2.4
2023-12-17 13:05:58 +01:00
Sebastiaan van Stijn
4976360dfc
Merge pull request #46946 from thaJeztah/24.0_backport_bump_containerd_binary
[24.0 backport] update containerd binary to 1.7.11
2023-12-16 12:00:16 +01:00
Sebastiaan van Stijn
b02250f248
Merge pull request #46944 from thaJeztah/24.0_backport_registry_mirror_path
[24.0 backport] registry: allow mirror path prefix in config
2023-12-15 20:30:54 +01:00
Sebastiaan van Stijn
20c3e748bd
vendor: github.com/cyphar/filepath-securejoin v0.2.4
update the dependency to v0.2.4 to prevent scanners from flagging the
vulnerability (GHSA-6xv5-86q9-7xr8 / GO-2023-2048). Note that that vulnerability
only affects Windows, and is currently only used in runc/libcontainer, so should
not impact our use (as that code is Linux-only).

full diff: https://github.com/cyphar/filepath-securejoin/compare/v0.2.3...v0.2.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 291eaf0a77)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 20:26:52 +01:00
Sebastiaan van Stijn
19266d1abb
daemon/logger/local: always use UTC for timestamps
When reading logs, timestamps should always be presented in UTC. Unlike
the "json-file" and other logging drivers, the "local" logging driver
was using local time.

Thanks to Roman Valov for reporting this issue, and locating the bug.

Before this change:

    echo $TZ
    Europe/Amsterdam

    docker run -d --log-driver=local nginx:alpine
    fc166c6b2c35c871a13247dddd95de94f5796459e2130553eee91cac82766af3

    docker logs --timestamps fc166c6b2c35c871a13247dddd95de94f5796459e2130553eee91cac82766af3
    2023-12-08T18:16:56.291023422+01:00 /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    2023-12-08T18:16:56.291056463+01:00 /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    2023-12-08T18:16:56.291890130+01:00 /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    ...

With this patch:

    echo $TZ
    Europe/Amsterdam

    docker run -d --log-driver=local nginx:alpine
    14e780cce4c827ce7861d7bc3ccf28b21f6e460b9bfde5cd39effaa73a42b4d5

    docker logs --timestamps 14e780cce4c827ce7861d7bc3ccf28b21f6e460b9bfde5cd39effaa73a42b4d5
    2023-12-08T17:18:46.635967625Z /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    2023-12-08T17:18:46.635989792Z /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    2023-12-08T17:18:46.636897417Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    ...

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit afe281964d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 20:12:02 +01:00
Sebastiaan van Stijn
fd1e5c8812
docs/api: update redirect metadata for hugo
docs.docker.com switched from Jekyll to Hugo, which uses "aliases"
instead of "redirect_from".

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c1a289e05a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 20:03:51 +01:00
Tonis Tiigi
ca3fc36ac9
builder-next: fix timing filter for default policy
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 49d088d9ce)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:57:06 +01:00
Sebastiaan van Stijn
4ee6efffda
update containerd binary to 1.7.11
- full diff: https://github.com/containerd/containerd/compare/v1.7.10...v1.7.11
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.11

Welcome to the v1.7.11 release of containerd!

The eleventh patch release for containerd 1.7 contains various fixes and
updates including one security issue.

Notable Updates

- Fix Windows default path overwrite issue
- Update push to always inherit distribution sources from parent
- Update shim to use net dial for gRPC shim sockets
- Fix otel version incompatibility
- Fix Windows snapshotter blocking snapshot GC on remove failure
- Mask /sys/devices/virtual/powercap path in runtime spec and deny in
  default apparmor profile [GHSA-7ww5-4wqc-m92c]

Deprecation Warnings

- Emit deprecation warning for AUFS snapshotter
- Emit deprecation warning for v1 runtime
- Emit deprecation warning for deprecated CRI configs
- Emit deprecation warning for CRI v1alpha1 usage
- Emit deprecation warning for CRIU config in CRI

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 33d2ec08ba)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:47:46 +01:00
Sebastiaan van Stijn
47244dc581
update containerd binary to 1.7.10
- full diff: https://github.com/containerd/containerd/compare/v1.7.9...v1.7.10
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.10

Welcome to the v1.7.10 release of containerd!

The tenth patch release for containerd 1.7 contains various fixes and
updates.

Notable Updates

- Enhance container image unpack client logs
- cri: fix using the pinned label to pin image
- fix: ImagePull should close http connection if there is no available data to read.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c51a262e34)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:47:34 +01:00
CrazyMax
fac0982e6c
ci(bin-image): fix conditional run for skipped job
When the doc job is skipped, the dependent ones will be skipped
as well. To fix this issue we need to apply special conditions
to always run dependent jobs but not if canceled or failed.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit d91bf690ef)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:16:14 +01:00
CrazyMax
123b6d815f
ci(test): do not run on push tag events
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit 61d5e5ca9a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:16:06 +01:00
CrazyMax
f766b33a59
ci(bin-image): skip dco on push tag events
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
(cherry picked from commit f4776ef9df)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:15:02 +01:00
Sebastiaan van Stijn
75a9dd1354
Merge pull request #46932 from thaJeztah/24.0_backport_logentries_docs_changes
[24.0 backport] api / docs: remove mentions of logentries logging driver
2023-12-15 19:08:00 +01:00
Régis Behmo
3d8f7d0683
registry: allow mirror path prefix in config
Path prefixes were originally disallowed in the `--registry-mirrors`
option because the /v1 endpoint was assumed to be at the root of the
URI. This is no longer the case in v2.

Close #36598

Signed-off-by: Régis Behmo <regis@behmo.com>
(cherry picked from commit c587ba3422)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-15 19:03:48 +01:00
Sebastiaan van Stijn
2961e8c00a
docs/api: remove logentries
The service was discontinued on November 15, 2022, so
remove mentions of this driver in the API docs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3a14b1235c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-13 12:12:08 +01:00
Sebastiaan van Stijn
6d987381d5
api/swagger: remove logentries
The service was discontinued on November 15, 2022, so
remove mentions of this driver in the API docs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 30f739db44)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-13 12:12:05 +01:00
Sebastiaan van Stijn
f5c7673ff8
Merge pull request #46899 from thaJeztah/24.0_update_golang_1.20.12
[24.0] update to go1.20.12
2023-12-06 12:36:34 +01:00
Sebastiaan van Stijn
9d596a1bfa
update to go1.20.12
go1.20.12 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler and the go command. See the Go 1.20.12 milestone on our issue
tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.11...go1.20.12

from the security mailing:

[security] Go 1.21.5 and Go 1.20.12 are released

Hello gophers,

We have just released Go versions 1.21.5 and 1.20.12, minor point releases.

These minor releases include 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver
  reading from a request or response body to read many more bytes from
  the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a
  handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata.
  A sender can exploit this by inserting a large metadata segment with
  each byte transferred. The chunk reader now produces an error if the
  ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fallback to the insecure "git://" protocol if the module is unavailable
  via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
  is not set for said module. This only affects users who are not using
  the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
  volume name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
  other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-06 01:33:28 +01:00
Sebastiaan van Stijn
e6aa30b26e
update to go1.20.11
go1.20.11 (released 2023-11-07) includes security fixes to the path/filepath
package, as well as bug fixes to the linker and the net/http package. See the
Go 1.20.11 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.11+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.10...go1.20.11

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-06 01:32:45 +01:00
Sebastiaan van Stijn
afcd2cde95
Merge pull request #46869 from vvoland/liverestore-fix-46308-24
[24.0 backport] liverestore: Don't remove `--rm` containers on restart
2023-11-30 12:31:10 +01:00
Paweł Gronowski
d0b5a5a8a5
integration/TestLiveRestore: Wait for process to exit
Replace `time.Sleep` with a poll that checks if process no longer exists
to avoid possible race condition.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 3a0af5ad30)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-11-30 11:04:48 +01:00
Paweł Gronowski
f0b5ca47fb
liverestore: Don't remove --rm containers on restart
When live-restore is enabled, containers with autoremove enabled
shouldn't be forcibly killed when engine restarts.
They still should be removed if they exited while the engine was down
though.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit c5ea3d595c)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-11-30 11:04:43 +01:00
Akihiro Suda
7cbc844564
Merge pull request #46839 from thaJeztah/24.0_backport_containerd_binary_1.7.8
[24.0 backport] update containerd binary to v1.7.9, gowinres 0.3.1
2023-11-22 10:40:59 +09:00
Sebastiaan van Stijn
bfbb1dd890
update containerd binary to v1.7.9
full diff: https://github.com/containerd/containerd/compare/v1.7.8...v1.7.9
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.9

Notable Updates

- update runc binary to v1.1.10
- vendor: upgrade OpenTelemetry to v1.19.0 / v0.45.0
- Expose usage of cri-api v1alpha2
- integration: deflake TestIssue9103
- fix: shimv1 leak issue
- cri: add deprecation warnings for mirrors, auths, and configs
- Update hcsshim tag to v0.11.4
- Expose usage of deprecated features

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 68e73ceb67)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-21 16:08:48 +01:00
Sebastiaan van Stijn
8a9a6702d0
update containerd binary to v1.7.8
release notes: https://github.com/containerd/containerd/releases/tag/v1.7.8
full diff: https://github.com/containerd/containerd/compare/v1.7.6...v1.7.8

Notable Updates

- Fix ambiguous TLS fallback
- Update Go to 1.20.10
- Add a new image label on converted schema 1 images
- Fix handling for missing basic auth credentials
- Fix potential deadlock in create handler for containerd-shim-runc-v2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4356962c69)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-21 16:08:34 +01:00
Sebastiaan van Stijn
56d9d85c99
Dockerfile: update github.com/tc-hib/go-winres v0.3.1
Update the GOWINRES_VERSION to v0.3.1;

full diff: https://github.com/tc-hib/go-winres/compare/v0.3.0...v0.3.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a7b44ea10f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-21 16:08:28 +01:00
Sebastiaan van Stijn
cd849ff653
Merge pull request #46806 from thaJeztah/24.0_backport_bump_runc_binary_1.1.10
[24.0 backport] update runc binary to v1.1.10
2023-11-13 20:51:16 +01:00
Sebastiaan van Stijn
6d5c35c0ce
update runc binary to v1.1.10
- full diff: https://github.com/opencontainers/runc/compare/v1.1.9...v1.1.10
- release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.10

This is the tenth (and most likely final) patch release in the 1.1.z
release branch of runc. It mainly fixes a few issues in cgroups, and a
umask-related issue in tmpcopyup.

- Add support for `hugetlb.<pagesize>.rsvd` limiting and accounting.
  Fixes the issue of postgres failing when hugepage limits are set.
- Fixed permissions of a newly created directories to not depend on the value
  of umask in tmpcopyup feature implementation.
- libcontainer: cgroup v1 GetStats now ignores missing `kmem.limit_in_bytes`
  (fixes the compatibility with Linux kernel 6.1+).
- Fix a semi-arbitrary cgroup write bug when given a malicious hugetlb
  configuration. This issue is not a security issue because it requires a
  malicious config.json, which is outside of our threat model.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 15bcc707e6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-13 16:08:31 +01:00
Sebastiaan van Stijn
311b9ff0aa
Merge pull request #46697 from thaJeztah/24.0_backport_restart_nocancel
[24.0 backport] daemon: daemon.containerRestart: don't cancel restart on context cancel
2023-10-26 09:51:05 +02:00
Sebastiaan van Stijn
af608045ee
Merge pull request from GHSA-jq35-85cj-fj4p
[24.0 backport] deny /sys/devices/virtual/powercap
2023-10-25 23:57:51 +02:00
Sebastiaan van Stijn
3cf363e1ee
Merge pull request #46709 from thaJeztah/24.0_backport_bump_compress
[24.0 backport] vendor: github.com/klauspost/compress v1.17.2
2023-10-24 16:30:50 +02:00
Sebastiaan van Stijn
05d7386665
daemon: daemon.containerRestart: don't cancel restart on context cancel
commit def549c8f6 passed through the context
to the daemon.ContainerStart function. As a result, restarting containers
no longer is an atomic operation, because a context cancellation could
interrupt the restart (between "stopping" and "(re)starting"), resulting
in the container being stopped, but not restarted.

Restarting a container, or more factually; making a successful request on
the `/containers/{id]/restart` endpoint, should be an atomic operation.

This patch uses a context.WithoutCancel for restart requests.

It's worth noting that daemon.containerStop already uses context.WithoutCancel,
so in that function, we'll be wrapping the context twice, but this should
likely not cause issues (just redundant for this code-path).

Before this patch, starting a container that bind-mounts the docker socket,
then restarting itself from within the container would cancel the restart
operation. The container would be stopped, but not started after that:

    docker run -dit --name myself -v /var/run/docker.sock:/var/run/docker.sock docker:cli sh
    docker exec myself sh -c 'docker restart myself'

    docker ps -a
    CONTAINER ID   IMAGE         COMMAND                  CREATED          STATUS                       PORTS     NAMES
    3a2a741c65ff   docker:cli    "docker-entrypoint.s…"   26 seconds ago   Exited (128) 7 seconds ago             myself

With this patch: the stop still cancels the exec, but does not cancel the
restart operation, and the container is started again:

    docker run -dit --name myself -v /var/run/docker.sock:/var/run/docker.sock docker:cli sh
    docker exec myself sh -c 'docker restart myself'
    docker ps
    CONTAINER ID   IMAGE        COMMAND                  CREATED              STATUS         PORTS     NAMES
    4393a01f7c75   docker:cli   "docker-entrypoint.s…"   About a minute ago   Up 4 seconds             myself

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aeb8972281)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-24 16:29:20 +02:00
Cory Snider
649c9440f2
Merge pull request #46703 from thaJeztah/24.0_backport_atomic-layer-data-write
[24.0 backport] daemon: overlay2: Write layer metadata atomically
2023-10-24 10:22:09 -04:00
Sebastiaan van Stijn
9b20b1a5fe
Merge pull request #46702 from thaJeztah/24.0_backport_releaseNetwork_NetworkDisabled
[24.0 backport] daemon: release sandbox even when NetworkDisabled
2023-10-24 16:10:17 +02:00
Sebastiaan van Stijn
dd37b0b960
vendor: github.com/klauspost/compress v1.17.2
fixes data corruption with zstd output in "best"

- 1.17.2 diff: https://github.com/klauspost/compress/compare/v1.17.1...v1.17.2
- full diff: https://github.com/klauspost/compress/compare/v1.16.5...v1.17.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f2c67ea82f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-24 12:38:21 +02:00