Commit graph

46739 commits

Author SHA1 Message Date
Sebastiaan van Stijn
f329397077
Merge pull request #46007 from vvoland/c8d-inspect-fix-duplicate-digested
c8d/inspect: Don't duplicate digested ref
2023-07-18 20:19:40 +02:00
Bjorn Neergaard
db7fef6e50
Merge pull request #46012 from neersighted/buildkit-ref_nits
ci(buildkit): remove misleading code from buildkit-ref
2023-07-18 11:33:38 -06:00
Paweł Gronowski
028eab9ebb
c8d/inspect: Don't duplicate digested ref
If image name is already an untagged digested reference, don't produce
additional digested ref.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-18 17:47:53 +02:00
Bjorn Neergaard
7310a7cd0c
ci(buildkit): remove early-return from buildkit-ref
This doesn't really make sense now that this script returns a
$GITHUB_ENV snippet.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-18 09:30:42 -06:00
Bjorn Neergaard
4ecc01f3ad
ci(buildkit): remove misleading code from buildkit-ref
Post-f8c0d92a22bad004cb9cbb4db704495527521c42, BUILDKIT_REPO doesn't
really do what it claims to. Instead, don't allow overloading since the
import path for BuildKit is always the same, and make clear the
provenance of values when generating the final variable definitions.

We also better document the script, and follow some best practices for
both POSIX sh and Bash.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-18 09:30:40 -06:00
Bjorn Neergaard
48ff8a95cc
hack/with-go-mod.sh: warn on stderr
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-18 09:30:39 -06:00
Sebastiaan van Stijn
8e51b8b59c
Merge pull request #46008 from thaJeztah/c8d_nits
c8d: some minor cleanups
2023-07-18 15:52:04 +02:00
Sebastiaan van Stijn
058a6e94a1
Merge pull request #45994 from jedevc/buildkit-ref-replace
ci: extract buildkit version correctly with replace-d modules
2023-07-18 15:22:38 +02:00
Sebastiaan van Stijn
750c441dfd
daemon: remove intermediate var
The imgSvcConfig is defined locally, and discarded if an error occurs,
so no need to use the intermediate vars here.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-18 14:25:41 +02:00
Sebastiaan van Stijn
468d6616bf
daemon: configureLocalContentStore: return concrete types
The interface is defined on the receiver-side, and returning concrete
types makes it more transparent what we're creating.

As these namespaced wrappers were not exported, let's inline them, so
that it's clear at a glance what it's doing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-18 14:18:42 +02:00
Sebastiaan van Stijn
375c4eb31c
daemon: rename vars that shadowed package-level types
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-18 14:06:33 +02:00
Sebastiaan van Stijn
034e7e153f
daemon: rename containerdCli to containerdClient
The containerdCli was somewhat confusing (is it the CLI?); let's rename
to make it match what it is :)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-18 13:57:27 +02:00
Bjorn Neergaard
0c6b616656
Merge pull request #45946 from thaJeztah/plugin_refactor_setupRemotePluginServer
pkg/plugins: don't share plugin server between tests and t.Parallel()
2023-07-17 17:51:04 -06:00
Sebastiaan van Stijn
79a198bc08
Merge pull request #46000 from thaJeztah/notestyourself
quota: remove gotest.tools from testhelpers
2023-07-18 00:29:48 +02:00
Sebastiaan van Stijn
7799f23627
Merge pull request #45979 from thaJeztah/hijack_share_request_builder
client: Client.postHijacked: use Client.buildRequest
2023-07-17 23:50:34 +02:00
Sebastiaan van Stijn
1aa17222e7
quota: remove gotest.tools from testhelpers
gotest.tools has an init() which registers a '-update' flag;
a80f057529/internal/source/update.go (L21-L23)

The quota helper contains a testhelpers file, which is meant for usage
in (integration) tests, but as it's in the same pacakge as production
code, would also trigger the gotest.tools init.

This patch removes the gotest.tools code from this file.

Before this patch:

    $ (exec -a libnetwork-setkey "$(which dockerd)" -help)
    Usage of libnetwork-setkey:
      -exec-root string
            docker exec root (default "/run/docker")
      -update
            update golden values

With this patch applied:

    $ (exec -a libnetwork-setkey "$(which dockerd)" -help)
    Usage of libnetwork-setkey:
      -exec-root string
            docker exec root (default "/run/docker")

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 23:05:09 +02:00
Akihiro Suda
29eb0be134
Merge pull request #45993 from thaJeztah/update_fsutils
vendor: github.com/containerd/continuity v0.4.1, tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb
2023-07-18 04:12:07 +09:00
Bjorn Neergaard
5491f9a9a9
Merge pull request #45997 from neersighted/build_tweaks
Build system grab-bag
2023-07-17 11:16:59 -06:00
Bjorn Neergaard
780e8b2332
hack/d/cli.sh: properly handle errors in curl
Add `-f` to output nothing to tar if the curl fails, and `-S` to report
errors if they happen.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:18:19 -06:00
Bjorn Neergaard
12a19dcd84
Dockerfile: improve CLI/rootlesskit caching
Use bind-mounts instead of a `COPY` for cli.sh, and use `COPY --link`
for rootlesskit's build stage.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:18:19 -06:00
Bjorn Neergaard
235cd6c6b2
Dockerfile(.simple): align APT_MIRROR support
Use a non-slash escape sequence to support mirrors with a path
component, and do not unconditionally replace the mirror in
Dockerfile.simple.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:18:18 -06:00
Bjorn Neergaard
bcea83ab9b
Makefile: pass through APT_MIRROR
This aligns `docker build` as invoked by the Makefile with both `docker
buildx bake` as invoked by the Makefile and directly by the user.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-17 10:18:14 -06:00
Bjorn Neergaard
37dcdac218
Merge pull request #40751 from cpuguy83/tmpfs_for_main_test_daemon
Put integration daemon socket in /run
2023-07-17 10:17:54 -06:00
Sebastiaan van Stijn
ba513805d0
Merge pull request #45983 from thaJeztah/libnetwork_bridge_error
libnetwork/drivers/bridge: setupBridgeNetFiltering: improve error handling
2023-07-17 16:23:49 +02:00
Justin Chadwell
f8c0d92a22 ci: extract buildkit version correctly with replace-d modules
Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-07-17 14:17:49 +01:00
Bjorn Neergaard
75d7e053dc
Merge pull request #45984 from thaJeztah/libnetwork_cleanup_options
libnetwork/options: remove unused NewGeneric, and use map[string]any
2023-07-17 07:05:11 -06:00
Sebastiaan van Stijn
010c3718e3
vendor: github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb
- Fix copy on windows plus tests
- Fix follow symlinkResolver on Windows
- Implement proper renameFile on Windows
- Fix potential nil pointer dereference
- Use RunWithPrivileges
- Fix leaking file handle
- handle mkdir race for diskwriter
- walk: avoid stat()'ing files unnecessarily
- ci: fix freebsd workflow
- update to Go 1.20

full diff: fb433841cb...36ef4d8c0d

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 14:38:11 +02:00
Sebastiaan van Stijn
531dbd7af5
vendor: github.com/containerd/continuity v0.4.1
full diff: https://github.com/containerd/continuity/compare/v0.3.0...v0.4.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 14:37:20 +02:00
Bjorn Neergaard
3f8ca3553d
Merge pull request #45986 from thaJeztah/libnetwork_cleanup_config
libnetwork/config: add Config.DriverConfig() and un-export DriverCfg
2023-07-17 06:22:24 -06:00
Sebastiaan van Stijn
738b16d873
libnetwork/config: add Config.DriverConfig() and un-export DriverCfg
The driver-configurations are only set when creating a new controller,
using the `config.OptionDriverConfig()` option that can be passed to
`New()`, and used as "read-only" after that.

Taking away any other paths that set these options, the only type used
for per-driver options are a `map[string]interface{}`, so we can change
the type from `map[string]interface{}` to a `map[string]map[string]interface{}`,
(or its "modern" variant: `map[string]map[string]any`), so that it's
no longer needed to cast the type before use.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 09:57:14 +02:00
Sebastiaan van Stijn
82bb3d8d2b
libnetwork: TestUserChain: use assert.Check and is.ErrorContains
Don't fail early if we can still test more, and be slightly more strict
in what error we're looking for.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 09:53:13 +02:00
Sebastiaan van Stijn
4e709e75da
libnetwork: TestUserChain: re-use IPTables instances
The test already creates instances for each ip-version, so let's
re-use them. While changing, also use assert.Check to not fail early.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 09:53:13 +02:00
Sebastiaan van Stijn
c471255153
libnetwork: TestUserChain: don't manually manipulate Controller.cfg.DriverCfg
New() allows for driver-options to be passed using the config.OptionDriverConfig.
Update the test to not manually mutate the controller's configuration after
creating.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 09:53:10 +02:00
Sebastiaan van Stijn
ee79423124
Merge pull request #45985 from thaJeztah/libnetwork_remove_IsValidName
libnetwork/config: remove IsValidName utility
2023-07-17 09:33:45 +02:00
Sebastiaan van Stijn
0761240c43
Merge pull request #45988 from thaJeztah/libnetwork_drivers_clean
libnetwork, libnetwork/drivers: some minor cleanups
2023-07-17 09:32:33 +02:00
Sebastiaan van Stijn
9f9d57590b
libnetwork: getTestEnv(): use literals for options
Contructing these options was a bit convoluted; let's use literals
for these.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 20:29:50 +02:00
Sebastiaan van Stijn
534858aaed
libnetwork/drivers: rewrite some strings to reduce quote-escaping
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 20:05:36 +02:00
Sebastiaan van Stijn
7c360778bb
libnetwork/drivers/bridge: driver.configure: remove redundant err-check
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 20:05:36 +02:00
Sebastiaan van Stijn
e21ff6c0c9
libnetwork/config: remove IsValidName utility
This utility was not used for "Config", but for Networks and Endpoints.
Having this utility made it look like more than it was, and the related
test was effectively testing stdlib.

Abstracting the validation also was hiding that, while validation does
not allow "empty" names, it happily allows leading/trailing whitespace,
and does not remove that before creating networks or endpoints;

    docker network create "bridge "
    docker network create "bridge  "
    docker network create "bridge   "
    docker network create " bridge  "
    docker network create "  bridge "
    docker network create "   bridge"

    docker network ls --filter driver=bridge
    NETWORK ID     NAME        DRIVER    SCOPE
    d4d53210f185      bridge   bridge    local
    e9afba0d99de     bridge    bridge    local
    69fb7a7ba67c    bridge     bridge    local
    a452bf065403   bridge      bridge    local
    49d96c59061d   bridge      bridge    local
    8eae1c4be12c   bridge      bridge    local
    86dd65b881b9   bridge      bridge    local

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 19:42:44 +02:00
Sebastiaan van Stijn
948f55d0b7
libnetwork/options: remove unused NewGeneric, and use map[string]any
Remove the NewGeneric utility as it was not used anywhere, except for
in tests.

Also "modernize" the type, and use `any` instead of `interface{}`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 19:39:59 +02:00
Sebastiaan van Stijn
fa5c13542c
libnetwork/drivers/bridge: setupBridgeNetFiltering: improve error handling
- Use a more modern approach to check error-types
- Touch-up grammar of the error-message
- Remove redundant "nil" check for errors, as it's never nil at that point.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-16 12:50:03 +02:00
Sebastiaan van Stijn
c219b09d4a
client: Client.postHijacked: use Client.buildRequest
Use Client.buildRequest instead of a local copy of the same logic so
that we're using the same logic, and there's less chance of diverging.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 02:39:08 +02:00
Sebastiaan van Stijn
e11555218b
client: Client.setupHijackConn: explicitly ignore errors
Just making my IDE and some linters slightly happier.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 02:37:03 +02:00
Sebastiaan van Stijn
37b908aa62
Merge pull request #45965 from cpuguy83/swarm_health_start_interval
Add health start interval support to swarm mode
2023-07-15 00:36:06 +02:00
Sebastiaan van Stijn
96635e9e18
Merge pull request #45941 from thaJeztah/update_go_1.20.6
update go to go1.20.6
2023-07-14 23:59:48 +02:00
Sebastiaan van Stijn
41f235a2f8
gha: add note about buildkit using older go version
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 22:39:33 +02:00
Sebastiaan van Stijn
1ead2dd35d
update go to go1.20.6
go1.20.6 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to the compiler, cgo, the cover tool, the go command,
the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template
packages. See the Go 1.20.6 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6

These minor releases include 1 security fixes following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 22:36:46 +02:00
Sebastiaan van Stijn
dab9ffb252
Merge pull request #45942 from thaJeztah/fix_host_header
client: define a "dummy" hostname to use for local connections
2023-07-14 21:58:12 +02:00
Sebastiaan van Stijn
e1db9e9848
testutil: use dummyhost for non-tcp connections
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 18:57:56 +02:00
Sebastiaan van Stijn
6b7705d5b2
pkg/plugins: use a dummy hostname for local connections
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.

The current code used the socket path as hostname, which gets rejected by
go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
which was implemented in  https://go.dev/issue/60374.

Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.

Before this patch, tests would fail on go1.20.6:

    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 18:57:55 +02:00