Compare commits

...

789 commits

Author SHA1 Message Date
Sebastiaan van Stijn
b201b1b3d0
Merge pull request #46729 from thaJeztah/20.10_backport_remove-ibm-jenkins-jobs
[20.10 backport] Remove s390x and ppc64le Jenkins pipelines
2023-10-27 18:46:15 +02:00
Sam Thibault
79ae899640
remove s390x and ppc64ls pipelines
Signed-off-by: Sam Thibault <sam.thibault@docker.com>
(cherry picked from commit 59aa3dce8a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-26 10:39:04 +02:00
CrazyMax
f0e31a73fc
Makefile: remove unused BUILD_APT_MIRROR
BUILD_APT_MIRROR added in https://github.com/moby/moby/pull/26375
is not used anymore.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 7c697f58f2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-26 10:36:12 +02:00
CrazyMax
e019f78e83
Dockerfile: use default apt mirrors
Use default apt mirrors and also check APT_MIRROR
is set before updating mirrors.

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit a1d2132bf6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-26 10:33:05 +02:00
Sebastiaan van Stijn
81ebe71275
Merge pull request from GHSA-jq35-85cj-fj4p
[20.10 backport] deny /sys/devices/virtual/powercap
2023-10-25 23:57:51 +02:00
Cory Snider
fb636657a7
Merge pull request #46705 from thaJeztah/20.10_backport_atomic-layer-data-write
[20.10 backport] daemon: overlay2: Write layer metadata atomically
2023-10-24 10:22:46 -04:00
Sebastiaan van Stijn
b967d89758
Merge pull request #46692 from corhere/backport-20.10/update-x-net-v0.17
[20.10] Update to go1.20.10, golang/org/x/net v0.17.0
2023-10-24 12:51:13 +02:00
Cory Snider
2c22bd5280 vendor: golang.org/x/net v0.17.0
full diff: https://github.com/golang/net/compare/ab34263943818b32f575efc978

This fixes the same CVE as go1.21.3 and go1.20.10;

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

Dependency full diffs:
a3d24e80b04bd7...v0.17.0
https://github.com/golang/sys/compare/33da011f77ade50ff5b6a6fb4a
9a1e6d6b285809...v0.13.0
https://github.com/golang/text/compare/v0.3.3...v0.13.0
https://github.com/golang/crypto/compare/c1f2f97bffc9c53fc40a1a28a5
b460094c0050d9...v0.14.0

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-23 16:37:52 -04:00
Cory Snider
d862c21eb2 Update to go1.20.10
go1.20.10 (released 2023-10-10) includes a security fix to the net/http
package. See the Go 1.20.10 milestone on our issue tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.19.12...go1.20.10

From the mailing list announcement:

[security] Go 1.21.3 and Go 1.20.10 are released

Hello gophers,

We have just released Go versions 1.21.3 and 1.20.10, minor point releases.

These minor releases include 1 security fixes following the security policy:

- net/http: rapid stream resets can cause excessive work

  A malicious HTTP/2 client which rapidly creates requests and
  immediately resets them can cause excessive server resource consumption.
  While the total number of requests is bounded to the
  http2.Server.MaxConcurrentStreams setting, resetting an in-progress
  request allows the attacker to create a new request while the existing
  one is still executing.

  HTTP/2 servers now bound the number of simultaneously executing
  handler goroutines to the stream concurrency limit. New requests
  arriving when at the limit (which can only happen after the client
  has reset an existing, in-flight request) will be queued until a
  handler exits. If the request queue grows too large, the server
  will terminate the connection.

  This issue is also fixed in golang.org/x/net/http2 v0.17.0,
  for users manually configuring HTTP/2.

  The default stream concurrency limit is 250 streams (requests)
  per HTTP/2 connection. This value may be adjusted using the
  golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
  setting and the ConfigureServer function.

  This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
  This is also tracked by CVE-2023-44487.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.3

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-23 16:37:50 -04:00
Cory Snider
cb47414f41
Merge pull request #46696 from corhere/backport-20.10/go1.20-enablement
[20.10 backport] Go 1.20 Enablement
2023-10-23 16:36:49 -04:00
Cory Snider
ea4eb7398c
Merge pull request #46695 from corhere/backport-20.10/safer-fileinfo
[20.10 backport] Remove local fork of archive/tar package
2023-10-23 15:45:09 -04:00
Cory Snider
6c523aabae hack: fix suppressing Xattrs lint errors
Finish cherry-picking the remaining part of
65e1adc219 which was not included in
commit 432fbc8638.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-23 14:45:24 -04:00
Cory Snider
31b837499c pkg/archive: audit gosec file-traversal lints
The recently-upgraded gosec linter has a rule for archive extraction
code which may be vulnerable to directory traversal attacks, a.k.a. Zip
Slip. Gosec's detection is unfortunately prone to false positives,
however: it flags any filepath.Join call with an argument derived from a
tar.Header value, irrespective of whether the resultant path is used for
filesystem operations or if directory traversal attacks are guarded
against.

All of the lint errors reported by gosec appear to be false positives.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 833139f390)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-23 14:45:24 -04:00
Cory Snider
8e4485536b Remove local fork of archive/tar package
A copy of Go's archive/tar packge was vendored with a patch applied to
mitigate CVE-2019-14271. Vendoring standard library packages is not
supported by Go in module-aware mode, which is getting in the way of
maintenance. A different approach to mitigate the vulnerability is
needed which does not involve vendoring parts of the standard library.

glibc implements name service lookups such as users, groups and DNS
using a scheme known as Name Service Switch. The services are
implemented as modules, shared libraries which glibc dynamically links
into the process the first time a function requiring the module is
called. This is the crux of the vulnerability: if a process linked
against glibc chroots, then calls one of the functions implemented with
NSS for the first time, glibc may load NSS modules out of the chrooted
filesystem.

The API underlying the `docker cp` command is implemented by forking a
new process which chroots into the container's rootfs and writes a tar
stream of files from the container over standard output. It utilizes the
Go standard library's archive/tar package to write the tar stream. It
makes use of the tar.FileInfoHeader function to construct a tar.Header
value from an fs.FileInfo value. In modern versions of Go on *nix
platforms, FileInfoHeader will attempt to resolve the file's UID and GID
to their respective user and group names by calling the os/user
functions LookupId and LookupGroupId. The cgo implementation of os/user
on *nix performs lookups by calling the corresponding libc functions. So
when linked against glibc, calls to tar.FileInfoHeader after the
process has chrooted into the container's rootfs can have the side
effect of loading NSS modules from the container! Without any
mitigations, a malicious container image author can trivially get
arbitrary code execution by leveraging this vulnerability and escape the
chroot (which is not a sandbox) into the host.

Mitigate the vulnerability without patching or forking archive/tar by
hiding the OS-dependent file info from tar.FileInfoHeader which it needs
to perform the lookups. Without that information available it falls back
to populating the tar.Header with only the information obtainable
directly from the FileInfo value without making any calls into os/user.

Fixes #42402

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit e9bbc41dd1)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-23 14:45:24 -04:00
Mike Sul
2f98ada8b4
daemon: overlay2: Write layer metadata atomically
When the daemon process or the host running it is abruptly terminated,
the layer metadata file can become inconsistent on the file system.
Specifically, `link` and `lower` files may exist but be empty, leading
to overlay mounting errors during layer extraction, such as:
"failed to register layer: error creating overlay mount to <path>:
too many levels of symbolic links."

This commit introduces the use of `AtomicWriteFile` to ensure that the
layer metadata files contain correct data when they exist on the file system.

Signed-off-by: Mike <mike.sul@foundries.io>
(cherry picked from commit de2447c2ab)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-10-23 20:21:51 +02:00
Sebastiaan van Stijn
c31a50bf8c
Merge pull request #46694 from corhere/backport-20.10/runtime-eisdir
[20.10 backport] daemon: handle EISDIR error from runtime
2023-10-21 11:42:52 +02:00
Cory Snider
cf90912e90
Merge pull request #46693 from corhere/vendor-libnetwork-for-20.10.27
[20.10] vendor: github.com/docker/libnetwork 3797618f9a38372e8107d8c06f6ae199e1133ae8
2023-10-20 19:04:55 -04:00
Cory Snider
79d5066c80 Upgrade to golangci-lint v1.51.2
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Cory Snider
c322779dce distribution/xfer: make off-by-one error a feature
maxDownloadAttempts maps to the daemon configuration flag

    --max-download-attempts int
      Set the max download attempts for each pull (default 5)

and the daemon configuration machinery interprets a value of 0 as "apply
the default value" and not a valid user value (config validation/
normalization bugs notwithstanding). The intention is clearly that this
configuration value should be an upper limit on the number of times the
daemon should try to download a particular layer before giving up. So it
is surprising to have the configuration value interpreted as a _retry_
limit. The daemon will make up to N+1 attempts to download a layer! This
also means users cannot disable retries even if they wanted to.

As this is a longstanding bug, not a recent regression, it would not be
appropriate to backport the fix (97921915a8)
in a patch release. Update the test to assert on the buggy behaviour so
it passes again.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 938ed9a1ed)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Cory Snider
2a69cc6e75 Fix loop-closure bugs in tests
...which were flagged by golangci-lint v1.51.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 0c68b655f6)
Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit ca712d6947)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Cory Snider
a9485b75b1 d/l/awslogs: fix ineffective Add in test
...flagged by golangci-lint v1.51.1 (staticcheck).

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit e66995d840)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Cory Snider
134008381b Migrate away from things deprecated in Go 1.20
"archive/tar".TypeRegA
  - The deprecated constant tar.TypeRegA is the same value as
    tar.TypeReg and so is not needed at all.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit dea3f2b417)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Sebastiaan van Stijn
f98e22354f daemon: fix TestVerifyPlatformContainerResources not capturing variable
This test runs with t.Parallel() _and_ uses subtests, but didn't capture
the `tc` variable, which potentialy (likely) makes it test the same testcase
multiple times.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0c887404a8)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Roman Volosatovs
526d21449e integration: remove deprecated endpoint test
`/containers/<name>/copy` endpoint was deprecated in 1.8 and errors
since 1.12. See https://github.com/moby/moby/pull/22149 for more info.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
(cherry picked from commit a34d804572)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:17 -04:00
Roman Volosatovs
c643f0e48f integration: copy loop variable into parallel test closures
Discovered a few instances, where loop variable is incorrectly used
within a test closure, which is marked as parallel.
Few of these were actually loops over singleton slices, therefore the issue
might not have surfaced there (yet), but it is good to fix there as
well, as this is an incorrect pattern used across different tests.

Signed-off-by: Roman Volosatovs <roman.volosatovs@docker.com>
(cherry picked from commit dd01abf9bf)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 19:01:16 -04:00
Cory Snider
9794702db9 daemon: handle EISDIR error from runtime
Go 1.20 made a change to the behaviour of package "os/exec" which was
not mentioned in the release notes:
2b8f214094
Attempts to execute a directory now return syscall.EISDIR instead of
syscall.EACCESS. Check for EISDIR errors from the runtime and fudge the
returned error message to maintain compatibility with existing versions
of docker/cli when using a version of runc compiled with Go 1.20+.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 713e02e03e)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 18:56:37 -04:00
Cory Snider
0b2be686ea vendor: github.com/docker/libnetwork 3797618f9a38372e8107d8c06f6ae199e1133ae8
full diff: 3f0048413d...3797618f9a

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-10-20 17:57:51 -04:00
Cory Snider
d69ed28a75
Merge pull request #46674 from neersighted/backport/46667/20.10
[20.10 backport] Add IP_NF_MANGLE to check-config.sh
2023-10-19 13:08:33 -04:00
Stephan Henningsen
c18c3e27ac
Update check-config.sh
Add IP_NF_MANGLE to "Generally Required" kernel features, since it appears to be necessary for Docker Swarm to work.

Closes https://github.com/moby/moby/issues/46636

Signed-off-by: Stephan Henningsen <stephan-henningsen@users.noreply.github.com>
(cherry picked from commit cf9073397c)
Conflicts: contrib/check-config.sh
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-10-18 16:00:34 -06:00
Bjorn Neergaard
f0a196bf22
profiles/apparmor: deny /sys/devices/virtual/powercap
While this is not strictly necessary as the default OCI config masks this
path, it is possible that the user disabled path masking, passed their
own list, or is using a forked (or future) daemon version that has a
modified default config/allows changing the default config.

Add some defense-in-depth by also masking out this problematic hardware
device with the AppArmor LSM.

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit bddd826d7a)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-09-18 16:46:13 -06:00
Bjorn Neergaard
4b242784ca
oci/defaults: deny /sys/devices/virtual/powercap
The ability to read these files may offer a power-based sidechannel
attack against any workloads running on the same kernel.

This was originally [CVE-2020-8694][1], which was fixed in
[949dd0104c496fa7c14991a23c03c62e44637e71][2] by restricting read access
to root. However, since many containers run as root, this is not
sufficient for our use case.

While untrusted code should ideally never be run, we can add some
defense in depth here by masking out the device class by default.

[Other mechanisms][3] to access this hardware exist, but they should not
be accessible to a container due to other safeguards in the
kernel/container stack (e.g. capabilities, perf paranoia).

[1]: https://nvd.nist.gov/vuln/detail/CVE-2020-8694
[2]: 949dd0104c
[3]: https://web.eece.maine.edu/~vweaver/projects/rapl/

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 83cac3c3e3)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-09-18 16:46:09 -06:00
Bjorn Neergaard
29a0e76e64
Merge pull request #46424 from ameyag/20.10-uname-backslash
[20.10 backport] Fixing dockerd-rootless-setuptools.sh when user name contains a backslash
2023-09-18 08:08:11 -06:00
Jean-Michel Rouet
59e1e14929
more robust dockerd-rootless-setuptools.sh
Fixing case where username may contain a backslash.
This case can happen for winbind/samba active directory domain users.

Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Use more meaningful variable name

Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Update contrib/dockerd-rootless-setuptool.sh

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Use more meaningful variable name

Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>

Update contrib/dockerd-rootless-setuptool.sh

Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com>
Signed-off-by: Jean-Michel Rouet <jean-michel.rouet@philips.com>
(cherry picked from commit 2f0ba0a7e5)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2023-09-06 09:46:02 -07:00
Cory Snider
fdb9c710a7
Merge pull request #46217 from thaJeztah/20.10_backport_windows_fix_service_register
[20.10 backport] windows: fix --register-service when executed from within binary directory
2023-08-30 17:43:39 -04:00
Sebastiaan van Stijn
f3e6a0600d
windows: fix --register-service when executed from within binary directory
Go 1.15.7 contained a security fix for CVE-2021-3115, which allowed arbitrary
code to be executed at build time when using cgo on Windows.

This issue was not limited to the go command itself, and could also affect binaries
that use `os.Command`, `os.LookPath`, etc.

From the related blogpost (https://blog.golang.org/path-security):

> Are your own programs affected?
>
> If you use exec.LookPath or exec.Command in your own programs, you only need to
> be concerned if you (or your users) run your program in a directory with untrusted
> contents. If so, then a subprocess could be started using an executable from dot
> instead of from a system directory. (Again, using an executable from dot happens
> always on Windows and only with uncommon PATH settings on Unix.)
>
> If you are concerned, then we’ve published the more restricted variant of os/exec
> as golang.org/x/sys/execabs. You can use it in your program by simply replacing

At time of the go1.15 release, the Go team considered changing the behavior of
`os.LookPath()` and `exec.LookPath()` to be a breaking change, and made the
behavior "opt-in" by providing the `golang.org/x/sys/execabs` package as a
replacement.

However, for the go1.19 release, this changed, and the default behavior of
`os.LookPath()` and `exec.LookPath()` was changed. From the release notes:
https://go.dev/doc/go1.19#os-exec-path

> Command and LookPath no longer allow results from a PATH search to be found
> relative to the current directory. This removes a common source of security
> problems but may also break existing programs that depend on using, say,
> exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe)
> in the current directory. See the os/exec package documentation for information
> about how best to update such programs.
>
> On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath
> environment variable, making it possible to disable the default implicit search
> of “.” in PATH lookups on Windows systems.

A result of this change was that registering the daemon as a Windows service
no longer worked when done from within the directory of the binary itself:

    C:\> cd "Program Files\Docker\Docker\resources"
    C:\Program Files\Docker\Docker\resources> dockerd --register-service
    exec: "dockerd": cannot run executable found relative to current directory

Note that using an absolute path would work around the issue:

    C:\Program Files\Docker\Docker>resources\dockerd.exe --register-service

This patch changes `registerService()` to use `os.Executable()`, instead of
depending on `os.Args[0]` and `exec.LookPath()` for resolving the absolute
path of the binary.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3e8fda0a70)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-13 21:59:26 +02:00
Akihiro Suda
791d8ab877
Merge pull request #46142 from thaJeztah/20.10_update_go1.19.12
[20.10] update to go1.19.12
2023-08-02 14:50:16 +09:00
Sebastiaan van Stijn
c42d7c7f6d
update to go1.19.12
Includes a fix for CVE-2023-29409

go1.19.12 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.19.12 milestone on our issue tracker for details.

- https://github.com/golang/go/issues?q=milestone%3AGo1.19.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.19.11...go1.19.12

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:51:38 +02:00
Akihiro Suda
0ad2952dc7
Merge pull request #46105 from thaJeztah/20.10_update_containerd_binary_1.6.22
[20.10] update containerd binary to v1.6.22
2023-07-30 11:06:12 +09:00
Sebastiaan van Stijn
b883976e4c
update containerd binary to v1.6.22
- full diff: https://github.com/containerd/containerd/compare/v1.6.21...v1.6.22
- release notes: https://github.com/containerd/containerd/releases/tag/v1.6.22

---

Notable Updates

- RunC: Update runc binary to v1.1.8
- CRI: Fix `additionalGids`: it should fallback to `imageConfig.User`
  when `securityContext.RunAsUser`, `RunAsUsername` are empty
- CRI: Write generated CNI config atomically
- Fix concurrent writes for `UpdateContainerStats`
- Make `checkContainerTimestamps` less strict on Windows
- Port-Forward: Correctly handle known errors
- Resolve `docker.NewResolver` race condition
- SecComp: Always allow `name_to_handle_at`
- Adding support to run hcsshim from local clone
- Pinned image support
- Runtime/V2/RunC: Handle early exits w/o big locks
- CRITool: Move up to CRI-TOOLS v1.27.0
- Fix cpu architecture detection issue on emulated ARM platform
- Task: Don't `close()` io before `cancel()`
- Fix panic when remote differ returns empty result
- Plugins: Notify readiness when registered plugins are ready
- Unwrap io errors in server connection receive error handling

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-28 13:32:30 +02:00
Sebastiaan van Stijn
65849a573d
Merge pull request #46047 from neersighted/init_cleanup_20.10
[20.10 backport] Upstart & sysvinit cleanup
2023-07-21 22:08:59 +02:00
Tianon Gravi
da9f0732a4
Remove Upstart scripts
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit 0d8087fbbc)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-21 12:01:26 -06:00
Tianon Gravi
2ef669288a
Remove Upstart and cgroups bits from Debian sysvinit script
Upstart has been EOL for 8 years and isn't used by any distributions we support any more.

Additionally, this removes the "cgroups v1" setup code because it's more reasonable now for us to expect something _else_ to have set up cgroups appropriately (especially cgroups v2).

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit ae737656f9)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-07-21 12:01:19 -06:00
Sebastiaan van Stijn
b3d554724c
Merge pull request #46031 from thaJeztah/20.10_backport_bump_runc_binary_1.1.8
[20.10 backport] Dockerfile: update runc binary to v1.1.8
2023-07-20 20:16:34 +02:00
Sebastiaan van Stijn
0539294652
Dockerfile: update runc binary to v1.1.8
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.8
full diff: https://github.com/opencontainers/runc/compare/v1.1.7...v1.1.9

This is the eighth patch release of the 1.1.z release branch of runc.
The most notable change is the addition of RISC-V support, along with a
few bug fixes.

- Support riscv64.
- init: do not print environment variable value.
- libct: fix a race with systemd removal.
- tests/int: increase num retries for oom tests.
- man/runc: fixes.
- Fix tmpfs mode opts when dir already exists.
- docs/systemd: fix a broken link.
- ci/cirrus: enable some rootless tests on cs9.
- runc delete: call systemd's reset-failed.
- libct/cg/sd/v1: do not update non-frozen cgroup after frozen failed.
- CI: bump Fedora, Vagrant, bats.
- .codespellrc: update for 2.2.5.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df86d855f5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 18:27:28 +02:00
Sebastiaan van Stijn
334576ebbd
Merge pull request #46003 from thaJeztah/20.10_backport_notestyourself
[20.10 backport] quota: remove gotest.tools from testhelpers
2023-07-18 13:00:53 +02:00
Sebastiaan van Stijn
7ed8ff084f
quota: remove gotest.tools from testhelpers
gotest.tools has an init() which registers a '-update' flag;
a80f057529/internal/source/update.go (L21-L23)

The quota helper contains a testhelpers file, which is meant for usage
in (integration) tests, but as it's in the same pacakge as production
code, would also trigger the gotest.tools init.

This patch removes the gotest.tools code from this file.

Before this patch:

    $ (exec -a libnetwork-setkey "$(which dockerd)" -help)
    Usage of libnetwork-setkey:
      -exec-root string
            docker exec root (default "/run/docker")
      -update
            update golden values

With this patch applied:

    $ (exec -a libnetwork-setkey "$(which dockerd)" -help)
    Usage of libnetwork-setkey:
      -exec-root string
            docker exec root (default "/run/docker")

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1aa17222e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 23:13:58 +02:00
Sebastiaan van Stijn
dc00abf07a
Merge pull request #45995 from thaJeztah/20.10_update_go_1.19.11
[20.10] update go to go1.19.11
2023-07-17 22:23:54 +02:00
Sebastiaan van Stijn
43fe787c23
[20.10] update go to go1.19.11
go1.19.11 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to cgo, the cover tool, the go command, the runtime, and
the go/printer package. See the Go 1.19.11 milestone on our issue tracker for
details:

https://github.com/golang/go/issues?q=milestone%3AGo1.19.11+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.19.10...go1.19.11

These minor releases include 1 security fixes following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 16:21:03 +02:00
Sebastiaan van Stijn
0d4b9ed98b
Merge pull request #45980 from thaJeztah/20.10_backport_vendor_distribution_v2.8.2
[20.10 backport] vendor: github.com/docker/distribution v2.8.2
2023-07-17 11:59:28 +02:00
Sebastiaan van Stijn
1bd0805099
vendor: github.com/docker/distribution v2.8.2
CI

- Dockerfile: fix filenames of artifacts

Bugfixes

-  Fix panic in inmemory driver
-  Add code to handle pagination of parts. Fixes max layer size of 10GB bug
-  Parse http forbidden as denied
-  Revert "registry/client: set Accept: identity header when getting layers

Runtime

- Update to go1.19.9
- Dockerfile: update xx to v1.2.1 ([#3907](https://github.com/distribution/distribution/pull/3907))

Security

- Fix [CVE-2022-28391](https://www.cve.org/CVERecord?id=CVE-2022-28391) by bumping alpine from 3.14 to 3.16
- Fix [CVE-2023-2253](https://www.cve.org/CVERecord?id=CVE-2023-2253) runaway allocation on /v2/_catalog [`521ea3d9`](521ea3d973)

full diff: https://github.com/docker/distribution/compare/v2.8.1...v2.8.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

bump to release/2.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7821d2d788)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 19:20:47 +02:00
Sebastiaan van Stijn
f7a770ac61
Merge pull request #45972 from thaJeztah/20.10_backport_fix_host_header
[20.10 backport] client: define a "dummy" hostname to use for local connections
2023-07-15 02:57:34 +02:00
Sebastiaan van Stijn
e925a5d304
testutil: use dummyhost for non-tcp connections
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e1db9e9848)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:27:29 +02:00
Sebastiaan van Stijn
1603196c5b
pkg/plugins: use a dummy hostname for local connections
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.

The current code used the socket path as hostname, which gets rejected by
go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
which was implemented in  https://go.dev/issue/60374.

Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.

Before this patch, tests would fail on go1.20.6:

    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6b7705d5b2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:27:29 +02:00
Sebastiaan van Stijn
74b4974cb7
client: define a "dummy" hostname to use for local connections
For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.

The current code used the client's `addr` as hostname in some cases, which
could contain the path for the unix-socket (`/var/run/docker.sock`), which
gets rejected by go1.20.6 and go1.19.11 because of a security fix for
[CVE-2023-29406 ][1], which was implemented in  https://go.dev/issue/60374.

Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.

This patch introduces a `DummyHost` const, and uses this dummy host for
cases where we don't need an actual hostname.

Before this patch (using go1.20.6):

    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
    === RUN   TestAttachWithTTY
        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
    --- FAIL: TestAttachWithTTY (0.11s)
    === RUN   TestAttachWithoutTTy
        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
    --- FAIL: TestAttachWithoutTTy (0.02s)
    FAIL

With this patch applied:

    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
    INFO: Testing against a local daemon
    === RUN   TestAttachWithTTY
    --- PASS: TestAttachWithTTY (0.12s)
    === RUN   TestAttachWithoutTTy
    --- PASS: TestAttachWithoutTTy (0.02s)
    PASS

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92975f0c11)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:27:29 +02:00
Sebastiaan van Stijn
cccf90f1d8
client: TestSetHostHeader: don't use un-keyed literals
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2a59188760)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:27:29 +02:00
Sebastiaan van Stijn
c0e3253214
Merge pull request #45973 from thaJeztah/20.10_fix_build
[20.10] integration/daemon: fix missing import
2023-07-15 01:26:54 +02:00
Sebastiaan van Stijn
763d117b4f
[20.10] integration/daemon: fix missing import
commit 44152f6fb6 backported a change
that added `os.TempDir()` to a test, but that import was not yet
in this file in the 20.10 branch.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-14 23:53:24 +02:00
Sebastiaan van Stijn
53e302dc7d
Merge pull request #45911 from corhere/backport-20.10/improve-test-flakiness
[20.10 backport] make tests less flaky
2023-07-08 17:59:23 +02:00
Brian Goff
b49bb5dcf8
Merge pull request #45913 from corhere/backport-20.10/fix-volume-npe 2023-07-07 16:30:18 -07:00
Sebastiaan van Stijn
44152f6fb6 daemon: daemon.prepareMountPoints(): fix panic if mount is not a volume
The daemon.lazyInitializeVolume() function only handles restoring Volumes
if a Driver is specified. The Container's MountPoints field may also
contain other kind of mounts (e.g., bind-mounts). Those were ignored, and
don't return an error; 1d9c8619cd/daemon/volumes.go (L243-L252C2)

However, the prepareMountPoints() assumed each MountPoint was a volume,
and logged an informational message about the volume being restored;
1d9c8619cd/daemon/mounts.go (L18-L25)

This would panic if the MountPoint was not a volume;

    github.com/docker/docker/daemon.(*Daemon).prepareMountPoints(0xc00054b7b8?, 0xc0007c2500)
            /root/rpmbuild/BUILD/src/engine/.gopath/src/github.com/docker/docker/daemon/mounts.go:24 +0x1c0
    github.com/docker/docker/daemon.(*Daemon).restore.func5(0xc0007c2500, 0x0?)
            /root/rpmbuild/BUILD/src/engine/.gopath/src/github.com/docker/docker/daemon/daemon.go:552 +0x271
    created by github.com/docker/docker/daemon.(*Daemon).restore
            /root/rpmbuild/BUILD/src/engine/.gopath/src/github.com/docker/docker/daemon/daemon.go:530 +0x8d8
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x564e9be4c7c0]

This issue was introduced in 647c2a6cdd

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a490248f4d)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-07 16:02:17 -04:00
Cory Snider
492802acec integration: disable iptables in parallel tests
Multiple daemons starting/running concurrently can collide with each
other when editing iptables rules. Most integration tests which opt into
parallelism and start daemons work around this problem by starting the
daemon with the --iptables=false option. However, some of the tests
neglect to pass the option when starting or restarting the daemon,
resulting in those tests being flaky.

Audit the integration tests which call t.Parallel() and (*Daemon).Stop()
and add --iptables=false arguments where needed.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit cdcb7c28c5)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-07 15:54:00 -04:00
Cory Snider
30e297f664 pkg/plugins: make unit test less time sensitive
TestClientWithRequestTimeout has been observed to flake in CI. The
timing in the test is quite tight, only giving the client a 10ms window
to time out, which could potentially be missed if the host is under
load and the goroutine scheduling is unlucky. Give the client a full
five seconds of grace to time out before failing the test.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 9cee34bc94)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-07-07 15:53:17 -04:00
Sebastiaan van Stijn
bbae7f4319
Merge pull request #45840 from cpuguy83/20.10_fix_live_restore_local_vol_mounts
[20.10] Backport Restore active mount counts on live-restore
2023-06-29 01:04:06 +02:00
Brian Goff
b5fe60d3db [20.10] Backport Restore active mount counts on live-restore
Backporting commit 647c2a6cdd for 20.10

When live-restoring a container the volume driver needs be notified that
there is an active mount for the volume.
Before this change the count is zero until the container stops and the
uint64 overflows pretty much making it so the volume can never be
removed until another daemon restart.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-06-28 18:48:30 +00:00
Bjorn Neergaard
a3debeefd7
Merge pull request #45835 from neersighted/backport/45766/20.10
[20.10 backport] seccomp: always allow name_to_handle_at(2)
2023-06-28 10:36:49 -06:00
Bjorn Neergaard
a480b37621
seccomp: add name_to_handle_at to allowlist
Based on the analysis on [the previous PR][1].

  [1]: https://github.com/moby/moby/pull/45766#pullrequestreview-1493908145

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit b335e3d305)
Resolved conflicts:
	profiles/seccomp/default_linux.go
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-28 05:48:28 -06:00
Vitor Anjos
45a8248070
remove name_to_handle_at(2) from filtered syscalls
Signed-off-by: Vitor Anjos <bartier@users.noreply.github.com>
(cherry picked from commit fdc9b7cceb)
Resolved conflicts:
	profiles/seccomp/default_linux.go
Co-Authored-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-27 13:22:05 -06:00
Sebastiaan van Stijn
cf806e4436
Merge pull request #45773 from thaJeztah/20.10_backport_fix_docker_py
[20.10 backport] testing: temporarily pin docker-py tests to use "bullseye"
2023-06-20 23:43:01 +02:00
Sebastiaan van Stijn
6ee44341b0
testing: temporarily pin docker-py tests to use "bullseye"
The official Python images on Docker Hub switched to debian bookworm,
which is now the current stable version of Debian.

However, the location of the apt repository config file changed, which
causes the Dockerfile build to fail;

    Loaded image: emptyfs:latest
    Loaded image ID: sha256:0df1207206e5288f4a989a2f13d1f5b3c4e70467702c1d5d21dfc9f002b7bd43
    INFO: Building docker-sdk-python3:5.0.3...
    tests/Dockerfile:6
    --------------------
       5 |     ARG APT_MIRROR
       6 | >>> RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
       7 | >>>     && sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
       8 |
    --------------------
    ERROR: failed to solve: process "/bin/sh -c sed -ri \"s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g\" /etc/apt/sources.list     && sed -ri \"s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g\" /etc/apt/sources.list" did not complete successfully: exit code: 2

This needs to be fixed in docker-py, but in the meantime, we can pin to
the bullseye variant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 19d860fa9d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-20 11:42:21 +02:00
Bjorn Neergaard
2ae14baf02
Merge pull request #45750 from thaJeztah/20.10_update_go1.19.10
[20.10] update go to go1.19.10
2023-06-14 15:07:32 -06:00
Sebastiaan van Stijn
99f10dec91
[20.10] update go to go1.19.10
go1.19.10 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, and the
runtime. See the Go 1.19.10 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.19.10+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.19.9...go1.19.10

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 13:19:22 +02:00
Cory Snider
168fae3264
Merge pull request #45717 from ameyag/20.10-grpc-fix
[20.10 backport] grpc: make sure typed errors handler is installed
2023-06-09 15:07:05 -04:00
Cory Snider
1e57f01055
Merge pull request #45716 from ameyag/20.10-apparmor-template
[20.10 backport] Fix AppArmor profile docker-default /proc/sys rule
2023-06-09 15:05:45 -04:00
Bjorn Neergaard
c78a918e43
Merge pull request #45710 from neersighted/check_config_bpf/20.10
[20.10 backport] contrib/check-config: require xt_bpf for encrypted overlay
2023-06-09 07:06:06 -06:00
Sebastiaan van Stijn
50a03fdc6a
api/server/router/grpc: fix some nits in NewRouter()
These were changes I drafted when reviewing 7c731e02a9,
and had these stashed in my local git;

- rename receiver to prevent "unconsistent receiver name" warnings
- make NewRouter() slightly more idiomatic, and wrap the options,
  to make them easier to read.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 758714ed6d)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2023-06-08 11:58:20 -07:00
Tonis Tiigi
a222dbfd5c
grpc: make sure typed errors handler is installed
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 7c731e02a9)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2023-06-08 11:57:53 -07:00
Phil Sphicas
b1c04fc6cd
Fix AppArmor profile docker-default /proc/sys rule
The current docker-default AppArmor profile intends to block write
access to everything in `/proc`, except for `/proc/<pid>` and
`/proc/sys/kernel/shm*`.

Currently the rules block access to everything in `/proc/sys`, and do
not successfully allow access to `/proc/sys/kernel/shm*`. Specifically,
a path like /proc/sys/kernel/shmmax matches this part of the pattern:

    deny @{PROC}/{[^1-9][^0-9][^0-9][^0-9]*     }/** w,
         /proc  / s     y     s     /     kernel /shmmax

This patch updates the rule so that it works as intended.

Closes #39791

Signed-off-by: Phil Sphicas <phil.sphicas@att.com>
(cherry picked from commit 66f14e4ae9)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2023-06-08 10:23:22 -07:00
Bjorn Neergaard
a388019ce8
contrib/check-config: move xt_bpf check to overlay section
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 800ea039ec)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-06 16:53:50 -06:00
Bjorn Neergaard
d5515dc7e9
contrib/check-config: check for xt_bpf
We omit xt_u32 as it's optional; since we will remove support for this
module in the future, it's simpler to check for xt_bpf, which will
become the new baseline.

Related issues:
* https://github.com/microsoft/WSL/issues/10029#issuecomment-1574440255
* https://github.com/docker/for-win/issues/13450#issuecomment-1574443139

Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 1910fdde81)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-06-06 16:53:14 -06:00
Bjorn Neergaard
73854c21b6
Merge pull request #45615 from thaJeztah/20.10_backport_skip_criu
[20.10 backport] Dockerfile: temporarily skip CRIU stage
2023-05-25 13:27:13 -06:00
Sebastiaan van Stijn
af0477880c
Dockerfile: temporarily skip CRIU stage
The package repository currently has issues;

    => ERROR https://download.opensuse.org/repositories/devel:/tools:/criu/Debian_11/Release.key

The only test currently using this binary is currently skipped, as the test
was broken;
6e98a7f2c9/integration/container/checkpoint_test.go (L32-L33)

So let's disable this stage for the time being.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d3d2823edf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-25 12:23:03 +02:00
Sebastiaan van Stijn
0b2c7ae6cb
Merge pull request #45606 from neersighted/backport/45603/20.10
[20.10 backport] hack/make/.binary: don't use "netgo" when building Windows binaries
2023-05-25 01:49:54 +02:00
Sebastiaan van Stijn
3d5ebbecda
hack/make/.binary: don't use "netgo" when building Windows binaries
Starting with go1.19, the Go runtime on Windows now supports the `netgo` build-
flag to use a native Go DNS resolver. Prior to that version, the build-flag
only had an effect on non-Windows platforms. When using the `netgo` build-flag,
the Windows's host resolver is not used, and as a result, custom entries in
`etc/hosts` are ignored, which is a change in behavior from binaries compiled
with older versions of the Go runtime.

From the go1.19 release notes: https://go.dev/doc/go1.19#net

> Resolver.PreferGo is now implemented on Windows and Plan 9. It previously
> only worked on Unix platforms. Combined with Dialer.Resolver and Resolver.Dial,
> it's now possible to write portable programs and be in control of all DNS name
> lookups when dialing.
>
> The net package now has initial support for the netgo build tag on Windows.
> When used, the package uses the Go DNS client (as used by Resolver.PreferGo)
> instead of asking Windows for DNS results. The upstream DNS server it discovers
> from Windows may not yet be correct with complex system network configurations,
> however.

Our Windows binaries are compiled with the "static" (`make/binary-daemon`)
script, which has the `netgo` option set by default. This patch unsets the
`netgo` option when cross-compiling for Windows.

Co-authored-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
(cherry picked from commit 53d1b12bc0)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-05-24 11:01:55 -06:00
Akihiro Suda
0f8ffc4b89
Merge pull request #45406 from thaJeztah/20.10_backport_runc_binary_1.1.6
[20.10 backport] update runc binary to v1.1.7
2023-05-16 11:37:10 +09:00
Akihiro Suda
562e795bf2
Merge pull request #45479 from thaJeztah/20.10_containerd_binary_1.6.21
[20.10] update containerd binary to v1.6.21
2023-05-16 11:36:58 +09:00
Sebastiaan van Stijn
66ce8ec8e0
Merge pull request #45411 from thaJeztah/20.10_backport_jenkinsfile_ubuntu_2004
[20.10 backport] Jenkinsfile: use Ubuntu 20.04
2023-05-12 23:26:33 +01:00
Sebastiaan van Stijn
9b6ec6dbba
update containerd binary to v1.6.21
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.21

Notable Updates

- update runc binary to v1.1.7
- Remove entry for container from container store on error
- oci: partially restore comment on read-only mounts for uid/gid uses
- windows: Add ArgsEscaped support for CRI
- oci: Use WithReadonlyTempMount when adding users/groups
- archive: consistently respect value of WithSkipDockerManifest

full diff: https://github.com/containerd/containerd/compare/c0efc63d3907...v1.6.21

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit edadebe177)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-05 21:04:03 +02:00
Sebastiaan van Stijn
db9ab6438d
update runc binary to v1.1.7
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

This is the seventh patch release in the 1.1.z release of runc, and is
the last planned release of the 1.1.z series. It contains a fix for
cgroup device rules with systemd when handling device rules for devices
that don't exist (though for devices whose drivers don't correctly
register themselves in the kernel -- such as the NVIDIA devices -- the
full fix only works with systemd v240+).

- When used with systemd v240+, systemd cgroup drivers no longer skip
  DeviceAllow rules if the device does not exist (a regression introduced
  in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5,
  removing an extra warning emitted by runc run/start.
- The source code now has a new file, runc.keyring, which contains the keys
  used to sign runc releases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2d0e899819)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-05 21:00:05 +02:00
Sebastiaan van Stijn
b73d5f066d
update runc binary to v1.1.6
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
full diff: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6

This is the sixth patch release in the 1.1.z series of runc, which fixes
a series of cgroup-related issues.

Note that this release can no longer be built from sources using Go
1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is
recommended. Go 1.17 can still be used.

- systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error
  from systemd while trying to create a systemd unit, which in some scenarios
  may result in a container not being added to the proper systemd unit and
  cgroup.
- systemd cgroup v2 driver was incorrectly translating cpuset range from spec's
  resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more
  than 8 CPUs, resulting in the wrong AllowedCPUs setting.
- systemd cgroup v1 driver was prefixing container's cgroup path with the path
  of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
- runc run/start may return "permission denied" error when starting a rootless
  container when the file to be executed does not have executable bit set for
  the user, not taking the CAP_DAC_OVERRIDE capability into account. This is
  a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
- cgroup v1 drivers are now aware of misc controller.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d0efca893b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-05 20:59:10 +02:00
Sebastiaan van Stijn
db2f293976
[20.10] Jenkinsfile: update all stages to use ubuntu 20.04
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-05 01:18:42 +02:00
Sebastiaan van Stijn
575c0faa50
Jenkinsfile: use Ubuntu 20.04 for DCO stage
Also switching to use arm64, as all amd64 stages have moved to GitHub actions,
so using arm64 allows the same machine to be used for tests after the DCO check
completed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 419c47a80a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-05 01:18:41 +02:00
Sebastiaan van Stijn
3275e2a936
Merge pull request #45466 from corhere/backport-20.10/copy-xattr-enotsupp
[20.10 backport] d/graphdriver/copy: support src fs w/o xattr support
2023-05-05 01:13:00 +02:00
Cory Snider
14160332da d/graphdriver/copy: support src fs w/o xattr support
Treat copying extended attributes from a source filesystem which does
not support extended attributes as a no-op, same as if the file did not
possess the extended attribute. Only fail copying extended attributes if
the source file has the attribute and the destination filesystem does
not support xattrs.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 2b6761fd3e)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-05-04 15:28:49 -04:00
Sebastiaan van Stijn
5df983c7db
Merge pull request #45457 from thaJeztah/20.10_update_go_1.19.9
[20.10] update go to go1.19.9
2023-05-04 15:33:05 +02:00
Sebastiaan van Stijn
7f91a52b89
[20.10] update go to go1.19.9
go1.19.9 (released 2023-05-02) includes three security fixes to the html/template
package, as well as bug fixes to the compiler, the runtime, and the crypto/tls
and syscall packages. See the Go 1.19.9 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved

release notes: https://go.dev/doc/devel/release#go1.19.9
full diff: https://github.com/golang/go/compare/go1.19.8...go1.19.9

from the announcement:

> These minor releases include 3 security fixes following the security policy:
>
>- html/template: improper sanitization of CSS values
>
>   Angle brackets (`<>`) were not considered dangerous characters when inserted
>   into CSS contexts. Templates containing multiple actions separated by a '/'
>   character could result in unexpectedly closing the CSS context and allowing
>   for injection of unexpected HMTL, if executed with untrusted input.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
>
> - html/template: improper handling of JavaScript whitespace
>
>   Not all valid JavaScript whitespace characters were considered to be
>   whitespace. Templates containing whitespace characters outside of the character
>   set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
>   actions may not be properly sanitized during execution.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
>
> - html/template: improper handling of empty HTML attributes
>
>   Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
>   executed with empty input could result in output that would have unexpected
>   results when parsed due to HTML normalization rules. This may allow injection
>   of arbitrary attributes into tags.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-03 21:06:41 +02:00
Sebastiaan van Stijn
0fdb994c8e
Merge pull request #45424 from thaJeztah/20.10_update_containerd_1.6.20
[20.10] update containerd binary to v1.6.20
2023-04-28 02:33:45 +02:00
Sebastiaan van Stijn
4fc8f8b4d8
update containerd binary to v1.6.20
Notable Updates

- Disable looking up usernames and groupnames on host
- Add support for Windows ArgsEscaped images
- Update hcsshim to v0.9.8
- Fix debug flag in shim
- Add WithReadonlyTempMount to support readonly temporary mounts
- Update ttrpc to fix file descriptor leak
- Update runc binary to v1.1.5
= Update image config to support ArgsEscaped

full diff: https://github.com/containerd/containerd/compare/v1.6.19...v1.6.20

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 389e18081d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 00:57:43 +02:00
Sebastiaan van Stijn
bb3ba157db
[20.10] update containerd binary to v1.6.19
Update hcsshim to v0.9.7 to include fix for graceful termination and pause containers

- release notes: https://github.com/containerd/containerd/releases/tag/v1.6.19
- full diff: https://github.com/containerd/containerd/compare/v1.6.18...v1.6.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3125aa0aef)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 00:56:46 +02:00
Sebastiaan van Stijn
1176e7f90d
[20.10] update containerd binary to v1.6.18
update containerd binary to v1.6.18, which includes fixes for CVE-2023-25153
and CVE-2023-25173.

1.6.18 release notes: https://github.com/containerd/containerd/releases/tag/v1.6.18

> - Fix OCI image importer memory exhaustion (GHSA-259w-8hf6-59c2)
> - Fix supplementary groups not being set up properly (GHSA-hmfx-3pcx-653p)
> - Revert removal of /sbin/apparmor_parser check
> - Update Go to 1.19.6

full diff: https://github.com/containerd/containerd/compare/v1.6.17...v1.6.18

1.6.17 release notes: https://github.com/containerd/containerd/releases/tag/v1.6.17

> - Add network plugin metrics
> - Update mkdir permission on /etc/cni to 0755 instead of 0700
> - Export remote snapshotter label handler
> - Add support for default hosts.toml configuration

full diff: https://github.com/containerd/containerd/compare/v1.6.16...v1.6.17

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 52d667794f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-28 00:55:43 +02:00
Tianon Gravi
206d38a9c1
Merge pull request #45238 from thaJeztah/20.10_backport_update_runc_binary_1.1.5
[20.10 backport] update runc binary to v1.1.5
2023-04-27 22:43:36 +00:00
Cory Snider
19b062885b
Merge pull request #45398 from corhere/vendor-libnetwork-for-20.10.25
[20.10] vendor: github.com/docker/libnetwork 3f0048413d95802b9c6c836eba06bfc54f9dbd03
2023-04-25 20:07:52 +02:00
Cory Snider
6ff576e8ca vendor: github.com/docker/libnetwork 3f0048413d95802b9c6c836eba06bfc54f9dbd03
full diff: 05b93e0d3a...3f0048413d

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-04-25 12:16:45 -04:00
Sebastiaan van Stijn
7a778373c8
update runc binary to v1.1.5
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.5
diff: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5

This is the fifth patch release in the 1.1.z series of runc, which fixes
three CVEs found in runc.

* CVE-2023-25809 is a vulnerability involving rootless containers where
  (under specific configurations), the container would have write access
  to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other
  hierarchies on the host were affected. This vulnerability was
  discovered by Akihiro Suda.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc>

* CVE-2023-27561 was a regression which effectively re-introduced
  CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This
  regression was discovered by @Beuc.
  <https://github.com/advisories/GHSA-vpvm-3wq2-2wvm>

* CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same
  patch. This variant of the above vulnerability was reported by Lei
  Wang.
  <https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c>

In addition, the following other fixes are included in this release:

* Fix the inability to use `/dev/null` when inside a container.
* Fix changing the ownership of host's `/dev/null` caused by fd redirection
  (a regression in 1.1.1).
* Fix rare runc exec/enter unshare error on older kernels, including
  CentOS < 7.7.
* nsexec: Check for errors in `write_log()`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 77be7b777c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-21 12:01:47 +02:00
Bjorn Neergaard
ac1cd0423f
Merge pull request #45349 from PettitWesley/awslogs-non-blocking-bug-20.10
[20.10 backport] awslogs: fix non-blocking log drop bug
2023-04-20 20:46:46 +02:00
Wesley Pettit
ad45ece6fe
awslogs: fix non-blocking log drop bug
Previously, the AWSLogs driver attempted to implement
non-blocking itself. Non-blocking is supposed to
implemented solely by the Docker RingBuffer that
wraps the log driver.

Please see issue and explanation here:
https://github.com/moby/moby/issues/45217

Signed-off-by: Wesley Pettit <wppttt@amazon.com>
(cherry picked from commit c8f8d11ac4)
2023-04-17 13:32:48 -07:00
Akihiro Suda
de57aecf4a
Merge pull request #45276 from thaJeztah/20.10_bump_go1.19.8
[20.10] update go to go1.19.8
2023-04-06 10:25:58 +09:00
Sebastiaan van Stijn
a09b3e9cf9
[20.10] update go to go1.19.8
go1.19.8 (released 2023-04-04) includes security fixes to the go/parser,
html/template, mime/multipart, net/http, and net/textproto packages, as well as
bug fixes to the linker, the runtime, and the time package. See the Go 1.19.8
milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.19.8+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.19.7...go1.19.8

Further details from the announcement on the mailing list:

We have just released Go versions 1.20.3 and 1.19.8, minor point releases.
These minor releases include 4 security fixes following the security policy:

- go/parser: infinite loop in parsing

  Calling any of the Parse functions on Go source code which contains `//line`
  directives with very large line numbers can cause an infinite loop due to
  integer overflow.
  Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
  This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.

- html/template: backticks not treated as string delimiters

  Templates did not properly consider backticks (`) as Javascript string
  delimiters, and as such did not escape them as expected. Backticks are
  used, since ES6, for JS template literals. If a template contained a Go
  template action within a Javascript template literal, the contents of the
  action could be used to terminate the literal, injecting arbitrary Javascript
  code into the Go template.

  As ES6 template literals are rather complex, and themselves can do string
  interpolation, we've decided to simply disallow Go template actions from being
  used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe
  way to allow this behavior. This takes the same approach as
  github.com/google/safehtml. Template.Parse will now return an Error when it
  encounters templates like this, with a currently unexported ErrorCode with a
  value of 12. This ErrorCode will be exported in the next major release.

  Users who rely on this behavior can re-enable it using the GODEBUG flag
  jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
  should be used with caution.

  Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue.

  This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.

- net/http, net/textproto: denial of service from excessive memory allocation

  HTTP and MIME header parsing could allocate large amounts of memory, even when
  parsing small inputs.

  Certain unusual patterns of input data could cause the common function used to
  parse HTTP and MIME headers to allocate substantially more memory than
  required to hold the parsed headers. An attacker can exploit this behavior to
  cause an HTTP server to allocate large amounts of memory from a small request,
  potentially leading to memory exhaustion and a denial of service.
  Header parsing now correctly allocates only the memory required to hold parsed
  headers.

  Thanks to Jakob Ackermann (@das7pad) for discovering this issue.

  This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.

- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption

  Multipart form parsing can consume large amounts of CPU and memory when
  processing form inputs containing very large numbers of parts. This stems from
  several causes:

  mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form
  can consume. ReadForm could undercount the amount of memory consumed, leading
  it to accept larger inputs than intended. Limiting total memory does not
  account for increased pressure on the garbage collector from large numbers of
  small allocations in forms with many parts. ReadForm could allocate a large
  number of short-lived buffers, further increasing pressure on the garbage
  collector. The combination of these factors can permit an attacker to cause an
  program that parses multipart forms to consume large amounts of CPU and
  memory, potentially resulting in a denial of service. This affects programs
  that use mime/multipart.Reader.ReadForm, as well as form parsing in the
  net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm now does a better job of estimating the memory consumption of parsed
  forms, and performs many fewer short-lived allocations.

  In addition, mime/multipart.Reader now imposes the following limits on the
  size of parsed forms:

  Forms parsed with ReadForm may contain no more than 1000 parts. This limit may
  be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form
  parts parsed with NextPart and NextRawPart may contain no more than 10,000
  header fields. In addition, forms parsed with ReadForm may contain no more
  than 10,000 header fields across all parts. This limit may be adjusted with
  the environment variable GODEBUG=multipartmaxheaders=.

  Thanks to Jakob Ackermann for discovering this issue.

  This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-05 15:58:33 +02:00
Sebastiaan van Stijn
5d6db84223
Merge pull request from GHSA-232p-vwff-86mp
[20.10] vendor: libnetwork c5aa85f9b25f0acaec8591ced679cb9fb5b9e32c
2023-04-04 20:03:51 +02:00
Sebastiaan van Stijn
d2bc43a75b
Merge pull request #45242 from neersighted/go1.19.7/20.10
[20.10 backport] update to go1.19.7
2023-03-30 22:43:46 +02:00
Sebastiaan van Stijn
9aa5d55a8b
update to go1.19.7
Includes a security fix for crypto/elliptic (CVE-2023-24532).

> go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic
> package, as well as bug fixes to the linker, the runtime, and the crypto/x509
> and syscall packages. See the Go 1.19.7 milestone on our issue tracker for
> details.

https://go.dev/doc/devel/release#go1.19.minor

From the announcement:

> We have just released Go versions 1.20.2 and 1.19.7, minor point releases.
>
> These minor releases include 1 security fixes following the security policy:
>
> - crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
    >
    >   The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an
    >   incorrect result if called with some specific unreduced scalars (a scalar larger
    >   than the order of the curve).
    >
    >   This does not impact usages of crypto/ecdsa or crypto/ecdh.
>
> This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c48f7fd12c)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-03-30 13:00:44 -06:00
Sebastiaan van Stijn
83679bb638
Merge pull request #45216 from corhere/backport-20.10/containerd-fifo_v1.1
[20.10 backport] Upgrade containerd/fifo to v1.1.0
2023-03-30 00:46:19 +02:00
Sebastiaan van Stijn
b4f0442da2
Merge pull request #45219 from vvoland/test-windows-execstartfails-2010
[20.10 backport] integration-cli: Enable TestExecStartFails on Windows
2023-03-28 23:04:15 +02:00
Bjorn Neergaard
ba043e8691
Merge pull request #44990 from thaJeztah/20.10_backport_update_go1.19
[20.10 backport] update to go1.19.6
2023-03-28 11:16:50 -06:00
Paweł Gronowski
b56fe59505
integration-cli: Enable TestExecStartFails on Windows
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit be34e93f20)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-28 11:12:34 +02:00
Sebastiaan van Stijn
d9433ee096
Merge pull request #45197 from vvoland/integration-restart-race-2010
[backport 20.10] TestDaemonRestartKillContainers: Fix races
2023-03-27 23:38:23 +02:00
Cory Snider
a9c02c238f Upgrade containerd/fifo to v1.1.0
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-27 17:04:05 -04:00
Cory Snider
bbec6704dc [20.10] vendor: libnetwork c5aa85f9b25f0acaec8591ced679cb9fb5b9e32c
The commit used to build the docker-proxy binary is not updated as the
build script pulls from the public libnetwork repo but the
aforementioned commit only exists in a private fork until after the
security vulnerabilities being fixed have been publicly released. The
vulnerable code is not used in the proxy binary anyway.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-03-23 12:06:05 -04:00
Paweł Gronowski
e55d9b155d
StartWithLogFile: Fix d.cmd race
Use `exec.Command` created by this function instead of obtaining it from
daemon struct. This prevents a race condition where `daemon.Kill` is
called before the goroutine has the chance to call `cmd.Wait`.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 88992de283)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-22 15:43:20 +01:00
Paweł Gronowski
d26e4dab48
TestDaemonRestartKillContainers: Fix loop capture
TestDaemonRestartKillContainers test was always executing the last case
(`container created should not be restarted`) because the iterated
variables were not copied correctly.
Capture iterated values by value correctly and rename c to tc.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit fed1c96e10)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-03-22 15:43:19 +01:00
Sebastiaan van Stijn
98c9e3f438 update to go1.19.6
go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls,
mime/multipart, net/http, and path/filepath packages, as well as bug fixes to
the go command, the linker, the runtime, and the crypto/x509, net/http, and
time packages. See the Go 1.19.6 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.19.6+label%3ACherryPickApproved

From the announcement on the security mailing:

We have just released Go versions 1.20.1 and 1.19.6, minor point releases.

These minor releases include 4 security fixes following the security policy:

- path/filepath: path traversal in filepath.Clean on Windows

  On Windows, the filepath.Clean function could transform an invalid path such
  as a/../c:/b into the valid path c:\b. This transformation of a relative (if
  invalid) path into an absolute path could enable a directory traversal attack.
  The filepath.Clean function will now transform this path into the relative
  (but still invalid) path .\c:\b.

  This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.

- net/http, mime/multipart: denial of service from excessive resource
  consumption

  Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely
  unlimited amounts of memory and disk files. This also affects form parsing in
  the net/http package with the Request methods FormFile, FormValue,
  ParseMultipartForm, and PostFormValue.

  ReadForm takes a maxMemory parameter, and is documented as storing "up to
  maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
  which cannot be stored in memory are stored on disk in temporary files. The
  unconfigurable 10MB reserved for non-file parts is excessively large and can
  potentially open a denial of service vector on its own. However, ReadForm did
  not properly account for all memory consumed by a parsed form, such as map
  ntry overhead, part names, and MIME headers, permitting a maliciously crafted
  form to consume well over 10MB. In addition, ReadForm contained no limit on
  the number of disk files created, permitting a relatively small request body
  to create a large number of disk temporary files.

  ReadForm now properly accounts for various forms of memory overhead, and
  should now stay within its documented limit of 10MB + maxMemory bytes of
  memory consumption. Users should still be aware that this limit is high and
  may still be hazardous.

  ReadForm now creates at most one on-disk temporary file, combining multiple
  form parts into a single temporary file. The mime/multipart.File interface
  type's documentation states, "If stored on disk, the File's underlying
  concrete type will be an *os.File.". This is no longer the case when a form
  contains more than one file part, due to this coalescing of parts into a
  single file. The previous behavior of using distinct files for each form part
  may be reenabled with the environment variable
  GODEBUG=multipartfiles=distinct.

  Users should be aware that multipart.ReadForm and the http.Request methods
  that call it do not limit the amount of disk consumed by temporary files.
  Callers can limit the size of form data with http.MaxBytesReader.

  This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.

- crypto/tls: large handshake records may cause panics

  Both clients and servers may send large TLS handshake records which cause
  servers and clients, respectively, to panic when attempting to construct
  responses.

  This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
  session resumption (by setting Config.ClientSessionCache to a non-nil value),
  and TLS 1.3 servers which request client certificates (by setting
  Config.ClientAuth
  > = RequestClientCert).

  This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.

- net/http: avoid quadratic complexity in HPACK decoding

  A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
  in the HPACK decoder, sufficient to cause a denial of service from a small
  number of small requests.

  This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
  configuring HTTP/2.

  This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 94feb31516)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-27 11:28:45 -05:00
Sebastiaan van Stijn
5b48f300dd update to go1.19.5
go1.19.5 (released 2023-01-10) includes fixes to the compiler, the linker,
and the crypto/x509, net/http, sync/atomic, and syscall packages. See the
Go 1.19.5 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.19.5+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.19.4...go1.19.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 155e8d7d78)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Sebastiaan van Stijn
82b0ac1166 update to go1.19.4
Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720),
and os (CVE-2022-41720).

These minor releases include 2 security fixes following the security policy:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.
  Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \(the root of the
  current drive) can permit a maliciously crafted path to escape from the
  drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the
  path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting
  HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by
  the client. While the total number of entries in this cache is capped,
  an attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users
  manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.19.4

And the milestone on the issue tracker:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.19.3...go1.19.4

The golang.org/x/net fix is in 1e63c2f08a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 52bc1ad744)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Cory Snider
4701ca9f71 Update to Go 1.19.3 to address CVE-2022-41716
On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes https://github.com/golang/go/issues/56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit f9d4589976)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Cory Snider
091b8896be vendor: update stdlib archive/tar for go1.19.2
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-27 11:28:45 -05:00
Sebastiaan van Stijn
1c8c16524f Update to go 1.19.2 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
From the mailing list:

We have just released Go versions 1.19.2 and 1.18.7, minor point releases.

These minor releases include 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers.
  A maliciously crafted archive could cause Read to allocate unbounded
  amounts of memory, potentially causing resource exhaustion or panics.
  Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the
  inbound request, including unparseable parameters rejected by net/http. This
  could permit query parameter smuggling when a Go proxy forwards a parameter
  with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query
  when the outbound request's Form field is set after the ReverseProxy.Director
  function returns, indicating that the proxy has parsed the query parameters.
  Proxies which do not parse query parameters continue to forward the original
  query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and
  Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input,
  but in some cases the constant factor can be as high as 40,000,
  making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint.
  Regular expressions whose representation would use more space than that
  are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

View the release notes for more information: https://go.dev/doc/devel/release#go1.19.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7b4e4c08b5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Sebastiaan van Stijn
6cc1ef32a2 Update to go 1.19.1 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1eadbdd9fa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Sebastiaan van Stijn
721358e0cb vendor: update stdlib archive/tar for go1.19
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Sebastiaan van Stijn
5091f13a5d update to golang 1.19
also ran gofmt with go1.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 58413c15cb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-27 11:28:45 -05:00
Cory Snider
dfd89ede4b
Merge pull request #45073 from corhere/20.10_go1.19_prereqs
[20.10 backport] Prepare for Go 1.19 upgrade
2023-02-27 11:27:41 -05:00
Sebastiaan van Stijn
6b1c02b983 golangci-lint: update to v1.49.0
Remove the "deadcode", "structcheck", and "varcheck" linters, as they are
deprecated:

    WARN [runner] The linter 'deadcode' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter.  Replaced by unused.
    WARN [linters context] structcheck is disabled because of generics. You can track the evolution of the generics support by following the https://github.com/golangci/golangci-lint/issues/2649.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2f1c382a6d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3ce520ec80)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:42 -05:00
Sebastiaan van Stijn
9d08a57a9c set ReadHeaderTimeout to address G112: Potential Slowloris Attack (gosec)
After discussing in the maintainers meeting, we concluded that Slowloris attacks
are not a real risk other than potentially having some additional goroutines
lingering around, so setting a long timeout to satisfy the linter, and to at
least have "some" timeout.

    api/server/server.go:60:10: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
                srv: &http.Server{
                    Addr: addr,
                },
    daemon/metrics_unix.go:34:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^
    cmd/dockerd/metrics.go:27:13: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
            if err := http.Serve(l, mux); err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
                      ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 55fd77f724)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 997ec12ec8)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:42 -05:00
Sebastiaan van Stijn
d855447c46 linting: host:port in url should be constructed with net.JoinHostPort
integration-cli/docker_cli_daemon_test.go:545:54: host:port in url should be constructed with net.JoinHostPort and not directly with fmt.Sprintf (nosprintfhostport)
            cmdArgs = append(cmdArgs, "--tls=false", "--host", fmt.Sprintf("tcp://%s:%s", l.daemon, l.port))
                                                               ^
    opts/hosts_test.go:35:31: host:port in url should be constructed with net.JoinHostPort and not directly with fmt.Sprintf (nosprintfhostport)
            "tcp://:5555":              fmt.Sprintf("tcp://%s:5555", DefaultHTTPHost),
                                        ^
    opts/hosts_test.go:91:30: host:port in url should be constructed with net.JoinHostPort and not directly with fmt.Sprintf (nosprintfhostport)
            ":5555":                   fmt.Sprintf("tcp://%s:5555", DefaultHTTPHost),
                                       ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 306b8c89e8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e9e7491f2b)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:42 -05:00
Sebastiaan van Stijn
2ad43faba5 linting: gosec: fix or suppress G112, G114 in test code
Updating test-code only; set ReadHeaderTimeout for some, or suppress the linter
error for others.

     contrib/httpserver/server.go:11:12: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        log.Panic(http.ListenAndServe(":80", nil))
                  ^
     integration/plugin/logging/cmd/close_on_start/main.go:42:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/discard/main.go:17:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: mux,
        }
     integration/plugin/logging/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     integration/plugin/volumes/cmd/dummy/main.go:14:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     testutil/fixtures/plugin/basic/basic.go:25:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
        server := http.Server{
            Addr:    l.Addr().String(),
            Handler: http.NewServeMux(),
        }
     volume/testutils/testutils.go:170:5: G114: Use of net/http serve function that has no support for setting timeouts (gosec)
        go http.Serve(l, mux)
           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 31fb92c609)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2609d4e252)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:42 -05:00
Sebastiaan van Stijn
9a5d1b295e fix formatting of "nolint" tags for go1.19
The correct formatting for machine-readable comments is;

    //<some alphanumeric identifier>:<options>[,<option>...][ // comment]

Which basically means:

- MUST NOT have a space before `<identifier>` (e.g. `nolint`)
- Identified MUST be alphanumeric
- MUST be followed by a colon
- MUST be followed by at least one `<option>`
- Optionally additional `<options>` (comma-separated)
- Optionally followed by a comment

Any other format will not be considered a machine-readable comment by `gofmt`,
and thus formatted as a regular comment. Note that this also means that a
`//nolint` (without anything after it) is considered invalid, same for `//#nosec`
(starts with a `#`).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4f08346686)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e34ab5200d)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:41 -05:00
Sebastiaan van Stijn
c8c40abbba gofmt GoDoc comments with go1.19
Older versions of Go don't format comments, so committing this as
a separate commit, so that we can already make these changes before
we upgrade to Go 1.19.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 52c1a2fae8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cdbca4061b)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:41 -05:00
Sebastiaan van Stijn
78d8e65d2a replace golint with revive, as it's deprecated
WARN [runner] The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner.  Replaced by revive.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1cab8eda24)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:41 -05:00
Sebastiaan van Stijn
432fbc8638 hack: update golangci-lint to v1.46.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 65e1adc219)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:41 -05:00
Sebastiaan van Stijn
057ea3492e fix some minor linting issues
distribution/pull_v2_test.go:213:4: S1038: should use t.Fatalf(...) instead of t.Fatal(fmt.Sprintf(...)) (gosimple)
                t.Fatal(fmt.Sprintf("expected formatPlatform to show windows platform with a version, but got '%s'", result))
                ^
    integration-cli/docker_cli_build_test.go:5951:3: S1038: should use c.Skipf(...) instead of c.Skip(fmt.Sprintf(...)) (gosimple)
            c.Skip(fmt.Sprintf("Bug fixed in 18.06 or higher.Skipping it for %s", testEnv.DaemonInfo.ServerVersion))
            ^
    integration-cli/docker_cli_daemon_test.go:240:3: S1038: should use c.Skipf(...) instead of c.Skip(fmt.Sprintf(...)) (gosimple)
            c.Skip(fmt.Sprintf("New base device size (%v) must be greater than (%s)", units.HumanSize(float64(newBasesizeBytes)), units.HumanSize(float64(oldBasesizeBytes))))
            ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 968ff5ab44)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:41 -05:00
Sebastiaan van Stijn
2461d88305 linting: error strings should not be capitalized (revive)
client/request.go:183:28: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
                    err = errors.Wrap(err, "In the default daemon configuration on Windows, the docker client must be run with elevated privileges to connect.")
                                           ^
    client/request.go:186:28: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
                    err = errors.Wrap(err, "This error may indicate that the docker daemon is not running.")
                                           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 10c56efa97)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 17:05:41 -05:00
Kazuyoshi Kato
063042449e hack: remove a workaround for go-tools
The false positive has been fixed.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit 4bdc208449)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 16:11:56 -05:00
Kazuyoshi Kato
7125951236 hack: do not exclude SQL-related checks
moby doesn't have SQLs right now.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit 22f19f8243)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 16:11:55 -05:00
Kazuyoshi Kato
ddae0d6381 hack: remove non-existent directories from golangci-lint's skip-dirs
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit 136f93ea05)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 16:11:55 -05:00
Eng Zer Jun
a916414b0b refactor: move from io/ioutil to io and os package
The io/ioutil package has been deprecated in Go 1.16. This commit
replaces the existing io/ioutil functions with their new definitions in
io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
(cherry picked from commit c55a4ac779)
Signed-off-by: Cory Snider <csnider@mirantis.com>
2023-02-24 16:11:55 -05:00
Sebastiaan van Stijn
9f156997b0
Merge pull request #44946 from thaJeztah/20.10_backport_dockerfile_git_dubious
[20.10 backport] Dockerfile: configure code dir as "safe" directory
2023-02-14 20:32:10 +01:00
Sebastiaan van Stijn
0312e468da
Dockerfile: configure code dir as "safe" directory
CI is failing when bind-mounting source from the host into the dev-container;

    fatal: detected dubious ownership in repository at '/go/src/github.com/docker/docker'
    To add an exception for this directory, call:

        git config --global --add safe.directory /go/src/github.com/docker/docker

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 21677816a0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-02-07 14:05:53 +01:00
Akihiro Suda
b3ff678200
Merge pull request #44882 from thaJeztah/20.10_containerd_binary_1.6.16
[20.10] update containerd binary to v1.6.16
2023-01-31 02:00:29 +09:00
Sebastiaan van Stijn
526ae907e2
[20.10] update containerd binary to v1.6.16
Notable Updates

- Fix push error propagation
- Fix slice append error with HugepageLimits for Linux
- Update default seccomp profile for PKU and CAP_SYS_NICE
- Fix overlayfs error when upperdirlabel option is set

full diff: https://github.com/containerd/containerd/compare/v1.6.15...v1.6.16

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-30 09:17:32 +01:00
Bjorn Neergaard
6051f14291
Merge pull request #44846 from thaJeztah/20.10_bump_libnetwork
[20.10] vendor: libnetwork 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7
2023-01-18 09:24:28 -07:00
Sebastiaan van Stijn
e3b9b535bd
[20.10] vendor: libnetwork 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7
full diff: 374259e831...05b93e0d3a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-18 13:25:55 +01:00
Sebastiaan van Stijn
d0a3f3a376
Merge pull request #44795 from thaJeztah/20.10_bump_go_1.18.10
[20.10] update to go1.18.10
2023-01-11 16:25:23 +01:00
Sebastiaan van Stijn
de10f917ea
Merge pull request #44797 from neersighted/libnetwork_revendor
[20.10] vendor: github.com/docker/libnetwork 374259e8316124ccf1fc38c0c0f3430f8d0e9c76
2023-01-11 09:41:28 +01:00
Bjorn Neergaard
26a4ccf99e
vendor: github.com/docker/libnetwork 374259e8316124ccf1fc38c0c0f3430f8d0e9c76
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2023-01-10 18:14:10 -07:00
Sebastiaan van Stijn
625903f3fd
[20.10] update to go1.18.10
go1.18.10 (released 2023-01-10) includes fixes to cgo, the compiler, the linker,
and the crypto/x509, net/http, and syscall packages. See the Go 1.18.10 milestone
on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.10+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.18.9...go1.18.10

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-11 00:21:42 +01:00
Sebastiaan van Stijn
864cc1c871
Merge pull request #44765 from vvoland/fix-test-race-logs-goroutines-20
[20.10 backport] integration-cli: Fix hanging TestLogsFollowGoroutines*
2023-01-10 15:30:39 +01:00
Samuel Karp
8771b4be5f
Merge pull request #44767 from thaJeztah/20.10_containerd_binary_1.6.15 2023-01-09 13:23:34 -08:00
Sebastiaan van Stijn
208fb1ca7b
Merge pull request #44755 from vvoland/buildflags-nopie-whenrace-2010
[20.10 backport] hack/make: Don't add -buildmode=pie with -race
2023-01-09 13:30:14 +01:00
Sebastiaan van Stijn
efbc878c47
[20.10] update containerd binary to v1.6.15
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.15

> Welcome to the v1.6.15 release of containerd!
>
> The fifteenth patch release for containerd 1.6 fixes an issue with CNI in the CRI plugin
>
> Notable Updates
>
> - Fix no CNI info for pod sandbox on restart in CRI plugin

full diff: https://github.com/containerd/containerd/compare/v1.6.14...v1.6.15

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-01-09 13:13:40 +01:00
Paweł Gronowski
91e767cc1e
integration-cli: Fix hanging TestLogsFollowGoroutines*
cmd.Wait is called twice from different goroutines which can cause the
test to hang completely. Fix by calling Wait only once and sending its
return value over a channel.

In TestLogsFollowGoroutinesWithStdout also added additional closes and
process kills to ensure that we don't leak anything in case test returns
early because of failed test assertion.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit deb4910c5b)
2023-01-09 10:31:06 +01:00
Paweł Gronowski
d645297358
hack/make: Don't add -buildmode=pie with -race
Make it possible to add `-race` to the BUILDFLAGS without making the
build fail with error:
"-buildmode=pie not supported when -race is enabled"

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-01-05 20:32:46 +01:00
Sebastiaan van Stijn
6ddb3ba414
Merge pull request #44718 from neersighted/backport/44668/20.10
[20.10 backport] api: can marshal and unmarshal when args.fields is empty
2023-01-02 18:29:02 +01:00
Yamazaki Masashi
ad703aa0ab
api: can marshal and unmarshal when args.fields is empty
Signed-off-by: Yamazaki Masashi <masi19bw@gmail.com>
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
(cherry picked from commit 5fed968b1d)
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-29 15:42:24 -07:00
Sebastiaan van Stijn
ae6a9319b0
Merge pull request #44712 from neersighted/20.10_revert_vsock_filter
[20.10] Revert "seccomp: block socket calls to AF_VSOCK in default profile"
2022-12-29 23:13:50 +01:00
Sebastiaan van Stijn
d46fe8029b
Merge pull request #44650 from thaJeztah/20.10_backport_builder_host_gateway
[20.10 backport] builder: handle host-gateway with extra hosts
2022-12-29 23:10:02 +01:00
Sebastiaan van Stijn
d3bf4595cd
Merge pull request #44682 from thaJeztah/20.10_update_libnetwork
[20.10] vendor: github.com/docker/libnetwork 1f3b98be6833a93f254aa0f765ff55d407dfdd69
2022-12-29 22:54:14 +01:00
Bjorn Neergaard
f91836cb26
Merge pull request #44709 from zhsj/20.10-btrfs-progs-6.1
[20.10 backport] daemon/graphdriver/btrfs: workaround field rename in btrfs-progs 6.1
2022-12-29 14:47:31 -07:00
Bjorn Neergaard
dcf27af59b
Revert "seccomp: block socket calls to AF_VSOCK in default profile"
This reverts commit 57b229012a.

This change, while favorable from a security standpoint, caused a
regression for users of the 20.10 branch of Moby. As such, we are
reverting it to ensure stability and compatibility for the affected
users.

However, users of AF_VSOCK in containers should recognize that this
(special) address family is not currently namespaced in any version of
the Linux kernel, and may result in unexpected behavior, like VMs
communicating directly with host hypervisors.

Future branches, including the 23.0 branch, will continue to filter
AF_VSOCK. Users who need to allow containers to communicate over the
unnamespaced AF_VSOCK will need to turn off seccomp confinement or set a
custom seccomp profile.

It is our hope that future mechanisms will make this more
ergonomic/maintainable for end users, and that future kernels will
support namespacing of AF_VSOCK.

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-12-29 13:16:57 -07:00
Sebastiaan van Stijn
7f3a95d360
vendor: github.com/docker/libnetwork 1f3b98be6833a93f254aa0f765ff55d407dfdd69
- fix linting issues
- update to go1.18.9, gofmt, and regenerate proto
- processEndpointCreate: Fix deadlock between getSvcRecords and processEndpointCreate

full diff: dcdf8f176d...1f3b98be68

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-29 19:50:39 +01:00
Sebastiaan van Stijn
313e53aafd
Merge pull request #44691 from thaJeztah/20.10_fix_vanity_url
[20.10] fix broken vanity-URL for code.cloudfoundry.org
2022-12-29 19:50:05 +01:00
Sebastiaan van Stijn
0c207b0516
[20.10] fix broken vanity-URL for code.cloudfoundry.org
The vanity URL looks to be misconfigured;

    2022-12-22T00:01:12.571Z] 2022/12/22 00:01:12 unrecognized import path "code.cloudfoundry.org/clock" (https fetch: Get "https://code.cloudfoundry.org/clock?go-get=1": x509: certificate is valid for *.de.a9sapp.eu, de.a9sapp.eu, not code.cloudfoundry.org)

This patch updates vendor.conf to fetch the code directly from GitHub.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-29 14:45:04 +01:00
Shengjing Zhu
97ae178741 daemon/graphdriver/btrfs: workaround field rename in btrfs-progs 6.1
Closes: #44698

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
(cherry picked from commit ffbbe3d103)
Signed-off-by: Shengjing Zhu <zhsj@debian.org>
2022-12-29 21:21:26 +08:00
Sebastiaan van Stijn
ddab6b3621
Merge pull request #44673 from thaJeztah/20.10_update_containerd_1.6.14
[20.10] update containerd binary to v1.6.14
2022-12-20 10:56:02 +01:00
Sebastiaan van Stijn
2f212873ac
update containerd binary to v1.6.14
Notable Updates

- Fix `memory.memsw.limit_in_bytes: no such file or directory` error in CRI plugin

full diff: https://github.com/containerd/containerd/compare/v1.6.13...v1.6.14

See the changelog for complete list of changes:
https://github.com/containerd/containerd/releases/tag/v1.6.14

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-19 18:35:28 +01:00
Sebastiaan van Stijn
42c8b31499
Merge pull request #44656 from thaJeztah/20.10_containerd_binary_1.6.13
[20.10] update containerd binary to v1.6.13
2022-12-15 23:17:04 +01:00
Sebastiaan van Stijn
ff29c403a3
update containerd binary to v1.6.13
Notable Updates

- Update overlay snapshotter to check for tmpfs when evaluating usage of userxattr
- Update hcsschim to v0.9.6 to fix resource leak on exec
- Make swapping disabled with memory limit in CRI plugin
- Allow clients to remove created tasks with PID 0
- Fix concurrent map iteration and map write in CRI port forwarding
- Check for nil HugepageLimits to avoid panic in CRI plugin

See the changelog for complete list of changes:
https://github.com/containerd/containerd/releases/tag/v1.6.13

full diff: https://github.com/containerd/containerd/compare/v1.6.12...v1.6.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-15 19:29:13 +01:00
Sebastiaan van Stijn
02343226e5
Merge pull request #44488 from thaJeztah/20.10_backport_update_gotestsum
[20.10] update gotestsum to v1.8.2
2022-12-15 15:13:54 +01:00
CrazyMax
877a5e6867
builder: handle host-gateway with extra hosts
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 521b8c02cc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-15 13:30:26 +01:00
Sebastiaan van Stijn
edca413033
[20.10] update gotestsum to v1.8.2
release notes: https://github.com/gotestyourself/gotestsum/releases/tag/v1.8.2

- Show shuffle seed
- Update tests, and cleanup formats
- Update dependencies
- Test against go1.19, remove go1.15
- Add project name to junit.xml output
- Adding in support for s390x and ppc64le

full diff: https://github.com/gotestyourself/gotestsum/compare/v1.7.0...v1.8.2

(adapted from commit 882ddf4b16)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 19:53:20 +01:00
Sebastiaan van Stijn
6112b23b36
Merge pull request #44476 from sbuckfelder/20.10_UPDATE
[20.10] vendor: github.com/moby/libnetwork dcdf8f176d1e13ad719e913e796fb698d846de98
2022-12-08 19:51:17 +01:00
Sebastiaan van Stijn
194e73feb9
Merge pull request #44607 from thaJeztah/20.10_containerd_binary_1.6.12
[20.10] update containerd binary to v1.6.12 (addresses CVE-2022-23471)
2022-12-08 10:32:35 +01:00
Sebastiaan van Stijn
a9fdcd577f
[20.10] update containerd binary to v1.6.12 (addresses CVE-2022-23471)
The twelfth patch release for containerd 1.6 contains a fix for CVE-2022-23471.

Notable Updates

- Fix goroutine leak during Exec in CRI plugin (GHSA-2qjp-425j-52j9)

full diff: https://github.com/containerd/containerd/compare/v1.6.11...v1.6.12

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-08 00:48:56 +01:00
Sebastiaan van Stijn
48f955ddb9
Merge pull request #44597 from thaJeztah/20.10_containerd_1.6.11
[20.10] update containerd binary to v1.6.11
2022-12-07 13:49:24 +01:00
Sebastiaan van Stijn
50d4d98737
Merge pull request #44569 from thaJeztah/20.10_backport_relax_checkSupportedMediaType
[20.10 backport] distribution: checkSupportedMediaType: allow additional media-types
2022-12-07 13:29:51 +01:00
Sebastiaan van Stijn
17451d2fdc
Merge pull request #44593 from thaJeztah/20.10_update_go_1.18.9
[20.10] update to go1.18.9
2022-12-07 13:23:00 +01:00
Sebastiaan van Stijn
565fcdd56c
[20.10] update containerd binary to v1.6.11
Welcome to the v1.6.11 release of containerd!

The eleventh patch release for containerd 1.6 contains a various fixes and updates.

Notable Updates

- Add pod UID annotation in CRI plugin
- Fix nil pointer deference for Windows containers in CRI plugin
- Fix lease labels unexpectedly overwriting expiration
- Fix for simultaneous diff creation using the same parent snapshot

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 23:35:20 +01:00
Sebastiaan van Stijn
f8b0d77bfe
[20.10] update to go1.18.9
Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720),
and os (CVE-2022-41720).

These minor releases include 2 security fixes following the security policy:

- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows

  The os.DirFS function and http.Dir type provide access to a tree of files
  rooted at a given directory. These functions permitted access to Windows
  device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
  would open the COM1 device.
  Both os.DirFS and http.Dir only provide read-only filesystem access.

  In addition, on Windows, an os.DirFS for the directory \(the root of the
  current drive) can permit a maliciously crafted path to escape from the
  drive and access any path on the system.

  The behavior of os.DirFS("") has changed. Previously, an empty root was
  treated equivalently to "/", so os.DirFS("").Open("tmp") would open the
  path "/tmp". This now returns an error.

  This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.

- net/http: limit canonical header cache by bytes, not entries

  An attacker can cause excessive memory growth in a Go server accepting
  HTTP/2 requests.

  HTTP/2 server connections contain a cache of HTTP header keys sent by
  the client. While the total number of entries in this cache is capped,
  an attacker sending very large keys can cause the server to allocate
  approximately 64 MiB per open connection.

  This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users
  manually configuring HTTP/2.

  Thanks to Josselin Costanzi for reporting this issue.

  This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.9

And the milestone on the issue tracker:
https://github.com/golang/go/issues?q=milestone%3AGo1.18.9+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.18.8...go1.18.9

The golang.org/x/net fix is in 1e63c2f08a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-06 22:59:44 +01:00
Sebastiaan van Stijn
cfb3ebe96e
Merge pull request #44564 from thaJeztah/20.10_backport_seccomp_block_af_vsock
[20.10 backport] seccomp: block socket calls to AF_VSOCK in default profile
2022-12-05 13:31:18 +01:00
Sebastiaan van Stijn
966327c1e5
distribution: checkSupportedMediaType: allow additional media-types
This addresses a regression introduced in 407e3a4552,
which turned out to be "too strict", as there's old images that use, for example;

    docker pull python:3.5.1-alpine
    3.5.1-alpine: Pulling from library/python
    unsupported media type application/octet-stream

Before 407e3a4552, such mediatypes were accepted;

    docker pull python:3.5.1-alpine
    3.5.1-alpine: Pulling from library/python
    e110a4a17941: Pull complete
    30dac23631f0: Pull complete
    202fc3980a36: Pull complete
    Digest: sha256:f88925c97b9709dd6da0cb2f811726da9d724464e9be17a964c70f067d2aa64a
    Status: Downloaded newer image for python:3.5.1-alpine
    docker.io/library/python:3.5.1-alpine

This patch copies the additional media-types, using the list of types that
were added in a215e15cb1, which fixed a
similar issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a6a539497a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-02 01:31:15 +01:00
Sebastiaan van Stijn
a01576ec4a
seccomp: block socket calls to AF_VSOCK in default profile
This syncs the seccomp-profile with the latest changes in containerd's
profile, applying the same changes as 17a9324035

Some background from the associated ticket:

> We want to use vsock for guest-host communication on KubeVirt
> (https://github.com/kubevirt/kubevirt). In KubeVirt we run VMs in pods.
>
> However since anyone can just connect from any pod to any VM with the
> default seccomp settings, we cannot limit connection attempts to our
> privileged node-agent.
>
> ### Describe the solution you'd like
> We want to deny the `socket` syscall for the `AF_VSOCK` family by default.
>
> I see in [1] and [2] that AF_VSOCK was actually already blocked for some
> time, but that got reverted since some architectures support the `socketcall`
> syscall which can't be restricted properly. However we are mostly interested
> in `arm64` and `amd64` where limiting `socket` would probably be enough.
>
> ### Additional context
> I know that in theory we could use our own seccomp profiles, but we would want
> to provide security for as many users as possible which use KubeVirt, and there
> it would be very helpful if this protection could be added by being part of the
> DefaultRuntime profile to easily ensure that it is active for all pods [3].
>
> Impact on existing workloads: It is unlikely that this will disturb any existing
> workload, becuase VSOCK is almost exclusively used for host-guest commmunication.
> However if someone would still use it: Privileged pods would still be able to
> use `socket` for `AF_VSOCK`, custom seccomp policies could be applied too.
> Further it was already blocked for quite some time and the blockade got lifted
> due to reasons not related to AF_VSOCK.
>
> The PR in KubeVirt which adds VSOCK support for additional context: [4]
>
> [1]: https://github.com/moby/moby/pull/29076#commitcomment-21831387
> [2]: dcf2632945
> [3]: https://kubernetes.io/docs/tutorials/security/seccomp/#enable-the-use-of-runtimedefault-as-the-default-seccomp-profile-for-all-workloads
> [4]: https://github.com/kubevirt/kubevirt/pull/8546

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 57b229012a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-12-01 14:32:05 +01:00
Scott Buckfelder
72b9ba4f24
[20.10] vendor: github.com/moby/libnetwork dcdf8f176d1e13ad719e913e796fb698d846de98
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Scott Buckfelder <buckscot@amazon.com>
2022-11-23 20:26:17 +01:00
Sebastiaan van Stijn
6dfa15b24b
Merge pull request #44472 from thaJeztah/20.10_backport_containerd_v1.6.10
[20.10 backport] update containerd binary to v1.6.10
2022-11-17 10:46:40 +01:00
Jintao Zhang
7ebfee940f
update containerd binary to v1.6.10
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit a5979a2106)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-16 14:04:59 +01:00
Samuel Karp
4ed81ac0e2
Merge pull request #44412 from thaJeztah/20.10_bump_go_1.18.8
fixes https://github.com/golang/go/issues/56309
2022-11-08 19:13:48 -08:00
Sebastiaan van Stijn
5ea9cf68ae
Merge pull request #44413 from thaJeztah/20.10_backport_oci_artifacts_error
[20.10 backport] distribution: Error when pulling OCI artifacts
2022-11-07 14:27:34 +01:00
Paweł Gronowski
f292bf0f4f
distribution: Error when pulling OCI artifacts
Currently an attempt to pull a reference which resolves to an OCI
artifact (Helm chart for example), results in a bit unrelated error
message `invalid rootfs in image configuration`.

This provides a more meaningful error in case a user attempts to
download a media type which isn't image related.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 407e3a4552)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-05 18:20:18 +01:00
Sebastiaan van Stijn
0211f9e44d
[20.10] update to Go 1.18.8 to address CVE-2022-41716
On Windows, syscall.StartProcess and os/exec.Cmd did not properly
    check for invalid environment variable values. A malicious
    environment variable value could exploit this behavior to set a
    value for a different environment variable. For example, the
    environment variable string "A=B\x00C=D" set the variables "A=B" and
    "C=D".

    Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
    issue.

    This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.

This Go release also fixes https://github.com/golang/go/issues/56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-11-05 17:55:06 +01:00
Sebastiaan van Stijn
3056208812
Merge pull request #44358 from thaJeztah/20.10_backport_busybox_w32_img
[20.10 backport] integration: download busybox-w32 from GitHub Release
2022-10-25 07:44:15 -04:00
CrazyMax
f99cb8297b
integration: download busybox-w32 from GitHub Release
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 4f1d1422de)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-24 17:06:12 -04:00
Sebastiaan van Stijn
24aa4c9c43
Merge pull request #44353 from thaJeztah/20.10_backport_update_containerd_binary
[20.10 backport] update containerd binary to v1.6.9
2022-10-24 15:50:29 -04:00
Sebastiaan van Stijn
3f9dc25f5c
update containerd binary to v1.6.9
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.9

full diff: containerd/containerd@v1.6.8...v1.6.9

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ac79a02ace)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-24 13:58:16 -04:00
Tianon Gravi
753cd92a31
Merge pull request #44326 from thaJeztah/20.10_bump_term_ansiterm
[20.10 backport] vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compatibility
2022-10-22 00:28:04 +00:00
Sebastiaan van Stijn
82f583c8af
Merge pull request #44339 from crazy-max/20.10_update_buildkit
[20.10] vendor: github.com/moby/buildkit eeb7b65ab7d651770a5ec52a06ea7c96eb97a249 (v0.8 branch)
2022-10-22 00:16:12 +02:00
Sebastiaan van Stijn
87ccd38cea
vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compatibility
- winterm: GetStdFile(): Added compatibility with "golang.org/x/sys/windows"
- winterm: fix GetStdFile() falltrough
- update deprecation message to refer to the correct replacement
- add go.mod
- Fix int overflow
- Convert int to string using rune()

full diff:

- bea5bbe245...3f7ff695ad
- d6e3b3328b...d185dfc1b5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit af1e74555a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 19:43:02 +02:00
CrazyMax
e83e465ae2
[20.10] vendor: github.com/moby/buildkit eeb7b65ab7d651770a5ec52a06ea7c96eb97a249 (v0.8 branch)
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 17:39:46 +02:00
Sebastiaan van Stijn
e3fef9aea9
Merge pull request #44340 from thaJeztah/20.10_backport_skip_tests
[20.10 backport] skip TestImagePullStoredfDigestForOtherRepo() on Windows and rootless
2022-10-21 11:30:04 +02:00
Sebastiaan van Stijn
9c84417c1b
skip TestImagePullStoredfDigestForOtherRepo() on Windows and rootless
- On Windows, we don't build and run a local  test registry (we're not running
  docker-in-docker), so we need to skip this test.
- On rootless, networking doesn't support this (currently)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4f43cb660a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-21 01:52:32 +02:00
Sebastiaan van Stijn
93c2c3bc60
Merge pull request #44332 from corhere/backport-20.10/fix-git-windows-environ
[20.10] builder: fix running git commands on Windows
2022-10-20 21:16:42 +02:00
Cory Snider
5b5b5c6f13 builder: add missing doc comment
Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-20 14:03:36 -04:00
Cory Snider
05e25f7892 builder: fix running git commands on Windows
Setting cmd.Env overrides the default of passing through the parent
process' environment, which works out fine most of the time, except when
it doesn't. For whatever reason, leaving out all the environment causes
git-for-windows sh.exe subprocesses to enter an infinite loop of
access violations during Cygwin initialization in certain environments
(specifically, our very own dev container image).

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-20 13:41:42 -04:00
Sebastiaan van Stijn
2b7f97a974
Merge pull request #44313 from tianon/20.10-distributable
[20.10 backport] registry: allow "allow-nondistributable-artifacts" for Docker Hub
2022-10-19 23:27:58 +02:00
Sebastiaan van Stijn
03df974ae9
Merge pull request #6 from moby/ghsa-ambiguous-pull-by-digest
[20.10] Validate digest in repo for pull by digest
2022-10-18 19:26:23 +02:00
Sebastiaan van Stijn
3adff51f85
Merge pull request #9 from moby/update_buildkit
[20.10] vendor moby/buildkit v0.8.3-31-gc0149372
2022-10-18 19:17:40 +02:00
Sebastiaan van Stijn
d7c33ad827
Merge pull request #8 from moby/20.10_fix_git_file_leak
[20.10 backport] builder: Isolate Git from local system
2022-10-18 19:08:22 +02:00
Sebastiaan van Stijn
2f3bf18014
[20.10] vendor moby/buildkit v0.8.3-31-gc0149372
full diff: 3a1eeca59a...c014937225

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-18 10:12:37 +02:00
Sebastiaan van Stijn
6699afa549 registry: allow "allow-nondistributable-artifacts" for Docker Hub
Previously, Docker Hub was excluded when configuring "allow-nondistributable-artifacts".
With the updated policy announced by Microsoft, we can remove this restriction;
https://techcommunity.microsoft.com/t5/containers/announcing-windows-container-base-image-redistribution-rights/ba-p/3645201

There are plans to deprecated support for foreign layers altogether in the OCI,
and we should consider to make this option the default, but as that requires
deprecating the option (and possibly keeping an "opt-out" option), we can look
at that separately.

(cherry picked from commit 30e5333ce3)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
2022-10-17 15:12:13 -07:00
Brian Goff
4b9902bad4
Validate digest in repo for pull by digest
This is accomplished by storing the distribution source in the content
labels. If the distribution source is not found then we check to the
registry to see if the digest exists in the repo, if it does exist then
the puller will use it.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-17 17:47:46 +02:00
Cory Snider
c0d1188c14 builder: make git config isolation opt-in
While it is undesirable for the system or user git config to be used
when the daemon clones a Git repo, it could break workflows if it was
unconditionally applied to docker/cli as well.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:23 -04:00
Cory Snider
9f5f3abcee builder: isolate git from local system
Prevent git commands we run from reading the user or system
configuration, or cloning submodules from the local filesystem.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:20 -04:00
Cory Snider
10db4c2db7 builder: explicitly set CWD for all git commands
Keep It Simple! Set the working directory for git commands by...setting
the git process's working directory. Git commands can be run in the
parent process's working directory by passing the empty string.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:20 -04:00
Cory Snider
8816c3c2aa builder: modernize TestCheckoutGit
Make the test more debuggable by logging all git command output and
running each table-driven test case as a subtest.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2022-10-13 17:34:20 -04:00
Sebastiaan van Stijn
c964641a0d
Merge pull request #44122 from thaJeztah/20.10_bump_buildkit
[20.10] vendor: github.com/moby/buildkit 3a1eeca59a9263613d996ead67d53a4b7d45723d (v0.8 branch)
2022-10-06 20:53:28 +02:00
Brian Goff
3bb99735b6
Merge pull request #44127 from thaJeztah/20.10_backport_image_spec_no_literal
[20.10] Update uses of Image platform fields in OCI image-spec
2022-10-06 11:18:55 -07:00
Sebastiaan van Stijn
435c40ce15
Merge pull request #44247 from thaJeztah/20.10_bump_go_1.18.7
[20.10] Update to go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
2022-10-06 20:13:47 +02:00
Sebastiaan van Stijn
11bdbf40b9
[20.10] Update to go 1.18.7 to address CVE-2022-2879, CVE-2022-2880, CVE-2022-41715
From the mailing list:

We have just released Go versions 1.19.2 and 1.18.7, minor point releases.

These minor releases include 3 security fixes following the security policy:

- archive/tar: unbounded memory consumption when reading headers

  Reader.Read did not set a limit on the maximum size of file headers.
  A maliciously crafted archive could cause Read to allocate unbounded
  amounts of memory, potentially causing resource exhaustion or panics.
  Reader.Read now limits the maximum size of header blocks to 1 MiB.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.

- net/http/httputil: ReverseProxy should not forward unparseable query parameters

  Requests forwarded by ReverseProxy included the raw query parameters from the
  inbound request, including unparseable parameters rejected by net/http. This
  could permit query parameter smuggling when a Go proxy forwards a parameter
  with an unparseable value.

  ReverseProxy will now sanitize the query parameters in the forwarded query
  when the outbound request's Form field is set after the ReverseProxy.Director
  function returns, indicating that the proxy has parsed the query parameters.
  Proxies which do not parse query parameters continue to forward the original
  query parameters unchanged.

  Thanks to Gal Goldstein (Security Researcher, Oxeye) and
  Daniel Abeles (Head of Research, Oxeye) for reporting this issue.

  This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.

- regexp/syntax: limit memory used by parsing regexps

  The parsed regexp representation is linear in the size of the input,
  but in some cases the constant factor can be as high as 40,000,
  making relatively small regexps consume much larger amounts of memory.

  Each regexp being parsed is now limited to a 256 MB memory footprint.
  Regular expressions whose representation would use more space than that
  are now rejected. Normal use of regular expressions is unaffected.

  Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

  This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.

View the release notes for more information: https://go.dev/doc/devel/release#go1.18.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-10-04 22:20:50 +02:00
Sebastiaan van Stijn
35eaf7ecc4
Merge pull request #44238 from cpuguy83/20.10_fix_restore_volumerefs
[20.10] Fix live-restore w/ restart policies + volume refs
2022-10-03 23:32:53 +02:00
Brian Goff
66ddb7f91c Fix live-restore w/ restart policies + volume refs
Before this change restarting the daemon in live-restore with running
containers + a restart policy meant that volume refs were not restored.
This specifically happens when the container is still running *and*
there is a restart policy that would make sure the container was running
again on restart.

The bug allows volumes to be removed even though containers are
referencing them. 😱

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 4c0e0979b4)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2022-10-03 18:41:34 +00:00
Sebastiaan van Stijn
f219cb5ded
Merge pull request #44218 from thaJeztah/20.10_backport_more_robust_rootless
[20.10 backport] docker-rootless-setuptools.sh fixes
2022-09-29 22:09:04 +02:00
Sebastiaan van Stijn
c003392582
contrib: make dockerd-rootless-setuptool.sh more robust
The `docker` CLI currently doesn't handle situations where the current context
(as defined in `~/.docker/config.json`) is invalid or doesn't exist. As loading
(and checking) the context happens during initialization of the CLI, this
prevents `docker context` commands from being used, which makes it complicated
to fix the situation. For example, running `docker context use <correct context>`
would fail, which makes it not possible to update the `~/.docker/config.json`,
unless doing so manually.

For example, given the following `~/.docker/config.json`:

```json
{
        "currentContext": "nosuchcontext"
}
```

All of the commands below fail:

```bash
docker context inspect rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context rm --force rootless
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json

docker context use default
Current context "nosuchcontext" is not found on the file system, please check your config file at /Users/thajeztah/.docker/config.json
```

While these things should be fixed, this patch updates the script to switch
the context using the `--context` flag; this flag is taken into account when
initializing the CLI, so that having an invalid context configured won't
block `docker context` commands from being executed. Given that all `context`
commands are local operations, "any" context can be used (it doesn't need to
make a connection with the daemon).

With this patch, those commands can now be run (and won't fail for the wrong
reason);

```bash
 docker --context=default context inspect -f "{{.Name}}" rootless
rootless

docker --context=default context inspect -f "{{.Name}}" rootless-doesnt-exist
context "rootless-doesnt-exist" does not exist
```

One other issue may also cause things to fail during uninstall; trying to remove
a context that doesn't exist will fail (even with the `-f` / `--force` option
set);

```bash
docker --context=default context rm blablabla
Error: context "blablabla": not found
```

While this is "ok" in most circumstances, it also means that (potentially) the
current context is not reset to "default", so this patch adds an explicit
`docker context use`, as well as unsetting the `DOCKER_HOST` and `DOCKER_CONTEXT`
environment variables.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e2114731e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 10:05:56 +02:00
Mathieu PATUREL
53313be0f3
docker-rootless-setuptools.sh: use context after install
Signed-off-by: Mathieu PATUREL <mathieu.paturel@gmail.com>
(cherry picked from commit 7c17ad8735)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-29 10:05:51 +02:00
Sebastiaan van Stijn
4163c55082
Merge pull request #44202 from crazy-max/20.10_backport_api-fix-logo
[20.10 backport] swagger: update links to logo
2022-09-27 17:54:20 +02:00
CrazyMax
9c486bd267
swagger: update links to logo
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 7f3602f1c9)
2022-09-27 11:57:16 +02:00
Sebastiaan van Stijn
956161115f
Merge pull request #44167 from thaJeztah/20.10_backport_update_containerd_console
[20.10 backport] vendor: github.com/containerd/console v1.0.2
2022-09-22 20:16:05 +02:00
Sebastiaan van Stijn
668ab11a67
Merge pull request #44145 from neersighted/bump_memberlist_20.10
[20.10] vendor: github.com/hashicorp/memberlist v0.4.0
2022-09-21 17:51:18 +02:00
Sebastiaan van Stijn
fa17fab895
vendor: github.com/containerd/console v1.0.2
Contains fix for s390x and support for FreeBSD

full diff: https://github.com/containerd/console/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 948e201c1c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-21 16:41:46 +02:00
Bjorn Neergaard
481bee51b5 vendor: github.com/armon/go-metrics v0.4.1
from github.com/hashicorp/memberlist v0.4.0 go.mod

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-09-21 08:12:24 -06:00
Bjorn Neergaard
39ba2873e8 vendor: github.com/google/btree v1.1.2
from github.com/hashicorp/memberlist v0.4.0 go.mod

Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-09-21 08:12:24 -06:00
Bjorn Neergaard
c2755f40cd vendor: github.com/hasicorp/memberlist v0.4.0
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-09-21 08:12:24 -06:00
Sebastiaan van Stijn
cc3aa33f54
Merge pull request #44123 from linux-on-ibm-z/20.10-CI
[20.10] Dockerfile: switch to bullseye, add missing libseccomp-dev, remove build pack
2022-09-21 14:41:13 +02:00
Prabhav Thali
5ba3208ec7 Dockerfile: Update Dockerfile syntax, switch to bullseye, add missing libseccomp-dev, remove build pack
Signed-off-by: Prabhav Thali <Prabhav.Thali1@ibm.com>
2022-09-20 16:18:21 +05:30
Sebastiaan van Stijn
6d6a236286
[20.10] Update uses of Image platform fields in OCI image-spec
The OCI image spec is considering to change the Image struct and embedding the
Platform type (see opencontainers/image-spec#959) in the go implementation.
Moby currently uses some struct-literals to propagate the platform fields,
which will break once those changes in the OCI spec are merged.

Ideally (once that change arrives) we would update the code to set the Platform
information as a whole, instead of assigning related fields individually, but
in some cases in the code, image platform information is only partially set
(for example, OSVersion and OSFeatures are not preserved in all cases). This
may be on purpose, so needs to be reviewed.

This patch keeps the current behavior (assigning only specific fields), but
removes the use of struct-literals to make the code compatible with the
upcoming changes in the image-spec module.

(similar to commit 3cb933db9d)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-10 12:25:17 +02:00
Sebastiaan van Stijn
2570784169
[20.10] vendor: github.com/moby/buildkit 3a1eeca59a9263613d996ead67d53a4b7d45723d (v0.8 branch)
- update to go1.18
- metadata: hold lock on storageitem update
- cache: avoid concurrent maps write on prune
- update containerd to latest of docker-20.10 branch

full diff: bc07b2b81b...3a1eeca59a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-09 13:11:08 +02:00
Sebastiaan van Stijn
e42327a6d3
Merge pull request #44120 from thaJeztah/20.10_backport_update_tests
[20.10 backport] Update some tests for supplementary group permissions
2022-09-09 00:50:10 +02:00
Sebastiaan van Stijn
fcd4df906b
Update some tests for supplementary group permissions
Update tests checking for groups to adjust for new policy updated in
de7af816e7, which caused those tests
to fail:

    === FAIL: amd64.integration-cli TestDockerSwarmSuite/TestSwarmServiceWithGroup (1.94s)
    docker_cli_swarm_test.go:311: assertion failed: uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777 (string) != uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777
(string)
    --- FAIL: TestDockerSwarmSuite/TestSwarmServiceWithGroup (1.94s)

    === FAIL: amd64.integration-cli TestDockerCLIRunSuite/TestRunGroupAdd (0.41s)
    docker_cli_run_test.go:1091: expected output uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777 received uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777
    --- FAIL: TestDockerCLIRunSuite/TestRunGroupAdd (0.41s)

    === FAIL: amd64.integration-cli TestDockerCLIRunSuite/TestRunUserByIDZero (0.41s)
    docker_cli_run_test.go:790: expected daemon user got uid=0(root) gid=0(root) groups=0(root),10(wheel)
    --- FAIL: TestDockerCLIRunSuite/TestRunUserByIDZero (0.41s)

    === FAIL: amd64.integration-cli TestDockerCLIRunSuite (195.70s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c7e77dba7f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-08 23:29:34 +02:00
Sebastiaan van Stijn
bb0197c829
Merge pull request from GHSA-rc4r-wh2q-q6c4
[20.10 backport] AdditionalGids must include effective group ID
2022-09-08 21:29:35 +02:00
Brian Goff
d348775bd5
Merge pull request #44109 from rumpl/20.10-fix-local-context
[20.10 backport] fix local context
2022-09-08 11:11:32 -07:00
Djordje Lukic
6a0186b357 Wrap local calls to the content and lease service
The wrapper sets the default namespace in the context if none is
provided, this is needed because we are calling these services directly
and not trough GRPC that has an interceptor to set the default namespace
to all calls.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 878906630b)
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-09-08 16:56:51 +02:00
Sebastiaan van Stijn
b73e9c2c8a
Merge pull request #44098 from thaJeztah/20.10_backport_swagger_updates
[20.10 backport] assorted swagger updates in documentation
2022-09-07 20:47:06 +02:00
Samuel Karp
4855c28780
Merge pull request #44101 from thaJeztah/20.10_backport_bump_golang_1.18.6 2022-09-06 20:45:51 -07:00
Sebastiaan van Stijn
3d4616f943
Update to go 1.18.6 to address CVE-2022-27664, CVE-2022-32190
From the mailing list:

We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:

- net/http: handle server errors after sending GOAWAY
  A closing HTTP/2 server connection could hang forever waiting for a clean
  shutdown that was preempted by a subsequent fatal error. This failure mode
  could be exploited to cause a denial of service.

  Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
  and Kaan Onarlioglu for reporting this.

  This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.

- net/url: JoinPath does not strip relative path components in all circumstances
  JoinPath and URL.JoinPath would not remove `../` path components appended to a
  relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
  URL `https://go.dev/../go`, despite the JoinPath documentation stating that
  `../` path elements are cleaned from the result.

  Thanks to q0jt for reporting this issue.

  This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.

Release notes:

go1.18.6 (released 2022-09-06) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the pprof command, the
runtime, and the crypto/tls, encoding/xml, and net packages. See the Go 1.18.6
milestone on the issue tracker for details;

https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cba36a064d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 22:25:44 +02:00
Sebastiaan van Stijn
d56101e0d2
Merge pull request #44093 from thaJeztah/20.10_backport_remove_tereshkova
[20.10] cleanup namesgenerator
2022-09-06 21:57:49 +02:00
Niel Drummond
23c7d84b84
docs: api: adjust ContainerWaitResponse error as optional
Signed-off-by: Niel Drummond <niel@drummond.lu>
(cherry picked from commit 2359da802b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 17:07:53 +02:00
Sebastiaan van Stijn
3e9e79d134
docs: api: document ImageSummary fields (api v1.39-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b9de761c26)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 17:07:22 +02:00
Sebastiaan van Stijn
fdd438ae03
api: docs: improve documentation of ContainerConfig type (API v1.30-v1.41)
ContainerConfig is used in multiple locations (for example, both for
Image.Config and Image.ContainerConfig). Unfortunately, swagger does
not allow documenting individual uses if a type is used; for this type,
the content is _optional_ when used as Image.ContainerConfig (which is
set by the classic builder, which does a "commit" of a container, but
not used when building an image with BuildKit).

This patch attempts to address this confusion by documenting that
"it may be empty (or fields not propagated) if it's used for the
Image.ContainerConfig field".

Perhaps alternatives are possible (aliasing the type?) but we can
look at those in a follow-up.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 07dba5d9fe)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 17:06:55 +02:00
Sebastiaan van Stijn
97014a8db5
namesgenerator: remove Valentina Tereshkova
While the name generator has been frozen for new additions in 624b3cfbe8,
this person has become controversial. Our intent is for this list to be inclusive
and non-controversial.

This patch removes the name from the list.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0f052eb4f5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 13:57:50 +02:00
Nicolas De Loof
e44d7f735e
AdditionalGids must include effective group ID
otherwise this one won't be considered for permission checks

Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
(cherry picked from commit 25345f2c04)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-06 12:25:37 +02:00
Sebastiaan van Stijn
b0d57e0ed4
Merge pull request #44067 from thaJeztah/20.10_update_containerd_vendor
[20.10] vendor: update containerd to latest of docker-20.10 branch
2022-09-04 17:14:53 +02:00
Sebastiaan van Stijn
9e7662e4a7
[20.10] vendor: update containerd to latest of docker-20.10 branch
This brings the containerd vendoring up-to-date with the latest changes from
the docker-20.10 branch in our fork (https://github.com/moby/containerd). This
adds some fixes that were included in another fork that was used in the BuildKit
repository, which have now been ported to our fork as well.

Relevant changes:

- docker: avoid concurrent map access panic
- overlay: support "userxattr" option (kernel 5.11) (does not affect vendored code)

full diff: 7cfa023d95...96c5ae04b6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-02 02:14:23 +02:00
Akihiro Suda
f7f1f960ea
Merge pull request #44081 from thaJeztah/20.10_backport_tarsplit
[20.10 backport] vendor: update tar-split to v0.11.2
2022-09-02 01:40:47 +09:00
Tonis Tiigi
7dac25a3a9
vendor: update tar-split to v0.11.2
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 21faae85ee)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-09-01 17:11:09 +02:00
Sebastiaan van Stijn
d346080204
Merge pull request #44041 from thaJeztah/20.10_backport_ontainerd_binary_1.6.8
[20.10 backport] update containerd binary to v1.6.8
2022-08-26 13:07:00 +02:00
Sebastiaan van Stijn
1c7b0dabc5
Merge pull request #44038 from thaJeztah/20.10_backport_update_runc_1.1.4
[20.10 backport] update runc to v1.1.4
2022-08-26 13:06:03 +02:00
Sebastiaan van Stijn
8bd86a0699
update containerd binary to v1.6.8
release notes: https://github.com/containerd/containerd/releases/tag/v1.6.8

full diff: https://github.com/containerd/containerd/compare/v1.6.7...v1.6.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d52ffce38f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 00:36:23 +02:00
Akihiro Suda
6c8dd6a6f2
update runc to v1.1.4
release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.4

full diff: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.4

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bd98bf38e9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-26 00:25:00 +02:00
Samuel Karp
0bd91f300e
Merge pull request #44018 from thaJeztah/20.10_backport_healthcheck_timeout 2022-08-25 10:20:59 -07:00
Cory Snider
418c141e64
[20.10 backport] daemon: kill exec process on ctx cancel
Terminating the exec process when the context is canceled has been
broken since Docker v17.11 so nobody has been able to depend upon that
behaviour in five years of releases. We are thus free from backwards-
compatibility constraints.

conflicts:

- minor conflict in daemon/exec.go, as 2ec2b65e45
  is not in the 20.10 branch, so had to cast the signal to an int.
- minor conflict in daemon/health.go, where a comment was updated, which was
  added in bdc6473d2d, which is not in the
  20.10 branch
- remove the skip.If() from TestHealthCheckProcessKilled, as the 20.10 branch
  is not testing on Windows with containerd (and the RuntimeIsWindowsContainerd
  does not exist), but kept a "FIXME" comment.

Co-authored-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
Signed-off-by: Cory Snider <csnider@mirantis.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4b84a33217)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-23 22:30:01 +02:00
Sebastiaan van Stijn
62fd7187d0
Merge pull request #43991 from thaJeztah/20.10_seccomp_updates
[20.10 backport] seccomp updates
2022-08-18 21:28:19 +02:00
Sebastiaan van Stijn
7d4cc78c02
Merge pull request #43976 from thaJeztah/20.10_backport_bump_golang_1.18
[20.10 backport] update to golang 1.18.5
2022-08-18 21:27:25 +02:00
Djordje Lukic
d127287d92
Allow different syscalls from kernels 5.12 -> 5.16
Kernel 5.12:

    mount_setattr: needs CAP_SYS_ADMIN

Kernel 5.14:

    quotactl_fd: needs CAP_SYS_ADMIN
    memfd_secret: always allowed

Kernel 5.15:

    process_mrelease: always allowed

Kernel 5.16:

    futex_waitv: always allowed

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 7de9f4f82d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 18:58:09 +02:00
Tudor Brindus
57db169641
seccomp: add support for Landlock syscalls in default policy
This commit allows the Landlock[0] system calls in the default seccomp
policy.

Landlock was introduced in kernel 5.13, to fill the gap that inspecting
filepaths passed as arguments to filesystem system calls is not really
possible with pure `seccomp` (unless involving `ptrace`).

Allowing Landlock by default fits in with allowing `seccomp` for
containerized applications to voluntarily restrict their access rights
to files within the container.

[0]: https://www.kernel.org/doc/html/latest/userspace-api/landlock.html

Signed-off-by: Tudor Brindus <me@tbrindus.ca>
(cherry picked from commit af819bf623)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 18:55:16 +02:00
Sebastiaan van Stijn
7ba8ca042c
Update golang to 1.18.5
Update Go runtime to 1.18.5 to address CVE-2022-32189.

Full diff: https://github.com/golang/go/compare/go1.18.4...go1.18.5

--------------------------------------------------------

From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10

We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.

These minor releases include 1 security fixes following the security
policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is
too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f1d71f7cc3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:55:28 +02:00
Sebastiaan van Stijn
f2a3c3bcef
update golang to 1.18.4
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 34b8670b1a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:55:27 +02:00
Sebastiaan van Stijn
a99c9cd852
update golang to 1.18.3
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c1a9ffc97a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:55:25 +02:00
Sebastiaan van Stijn
82939f536b
update golang to 1.18.2
go1.18.2 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509,
go/types, net/http/httptest, reflect, and sync/atomic packages. See the Go 1.18.2
milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.2+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.18.1...go1.18.2

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d294078dd0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:55:23 +02:00
Sebastiaan van Stijn
ecd1aa081f
update golang to 1.18.1
go1.18.1 (released 2022-04-12) includes security fixes to the crypto/elliptic,
crypto/x509, and encoding/pem packages, as well as bug fixes to the compiler,
linker, runtime, the go command, vet, and the bytes, crypto/x509, and go/types
packages. See the Go 1.18.1 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.18.1+label%3ACherryPickApproved

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-27536 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27536)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ef64db5021)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:55:21 +02:00
Sebastiaan van Stijn
7ba67d05a8
[20.10] vendor: update archive/tar for go 1.18
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 16:54:03 +02:00
Sebastiaan van Stijn
0bc432241e
update golang to 1.18.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 590e34eaf4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 08:44:23 +02:00
Sebastiaan van Stijn
bb95d09f9a
staticcheck: ignore "SA1019: strings.Title is deprecated"
This function is marked deprecated in Go 1.18; however, the suggested replacement
brings in a large amount of new code, and most strings we generate will be ASCII,
so this would only be in case it's used for some user-provided string. We also
don't have a language to use, so would be using the "default".

Adding a `//nolint` comment to suppress the linting failure instead.

    daemon/logger/templates/templates.go:23:14: SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead. (staticcheck)
        "title":    strings.Title,
                    ^
    pkg/plugins/pluginrpc-gen/template.go:67:9: SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead. (staticcheck)
        return strings.Title(s)
               ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4203a97aad)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 08:44:20 +02:00
Sebastiaan van Stijn
32debe0986
Merge pull request #43975 from thaJeztah/20.10_backport_update_golangci_lint
[20.10 backport] Dockerfile: update golangci-lint v1.44.0
2022-08-18 08:43:53 +02:00
Sebastiaan van Stijn
a7299ae72c
Dockerfile: update golangci-lint v1.44.0
Looks like this may be needed for Go 1.18

Also updating the golangci-lint configuration to account for updated
exclusion rules.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 646ace6ee3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 19:03:10 +02:00
Sebastiaan van Stijn
d97fd533cf
integration-cli: SA5011: possible nil pointer dereference (staticcheck)
I think the original intent here was to make passing t optional (62a856e912),
but it looks like that's not done anywhere, so let's remove it.

    integration-cli/docker_utils_test.go:81:2: SA5011: possible nil pointer dereference (staticcheck)
        c.Helper()
        ^
    integration-cli/docker_utils_test.go:84:5: SA5011(related information): this check suggests that the pointer can be nil (staticcheck)
        if c != nil {
           ^
    integration-cli/docker_utils_test.go:106:2: SA5011: possible nil pointer dereference (staticcheck)
        c.Helper()
        ^
    integration-cli/docker_utils_test.go:108:5: SA5011(related information): this check suggests that the pointer can be nil (staticcheck)
        if c != nil {
           ^
    integration-cli/docker_utils_test.go:116:2: SA5011: possible nil pointer dereference (staticcheck)
        c.Helper()
        ^
    integration-cli/docker_utils_test.go:118:5: SA5011(related information): this check suggests that the pointer can be nil (staticcheck)
        if c != nil {
           ^
    integration-cli/docker_utils_test.go:126:2: SA5011: possible nil pointer dereference (staticcheck)
        c.Helper()
        ^
    integration-cli/docker_utils_test.go:128:5: SA5011(related information): this check suggests that the pointer can be nil (staticcheck)
        if c != nil {
           ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 89f63f476b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 19:03:09 +02:00
Sebastiaan van Stijn
e6aee04a88
client.NewClientWithOpts(): remove redundant type assertion (gosimple)
As caught by gosimple:

    client/client.go:138:14: S1040: type assertion to the same type: c.client.Transport already has type http.RoundTripper (gosimple)
        if _, ok := c.client.Transport.(http.RoundTripper); !ok {
                    ^

This check was originally added in dc9f5c2ca3, to
check if the passed option was a `http.Transport`, and later changed in
e345cd12f9 to check for `http.RoundTripper` instead.

Client.client is a http.Client, for which the Transport field is a RoundTripper,
so this check is redundant.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 99935ff803)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 19:03:06 +02:00
Sebastiaan van Stijn
0523323c28
daemon/logger/awslogs: suppress false positive on hardcoded creds (gosec)
daemon/logger/awslogs/cloudwatchlogs.go:42:2: G101: Potential hardcoded credentials (gosec)
        credentialsEndpointKey = "awslogs-credentials-endpoint"
        ^
    daemon/logger/awslogs/cloudwatchlogs.go:67:2: G101: Potential hardcoded credentials (gosec)
        credentialsEndpoint = "http://169.254.170.2"
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b88f4e2604)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 19:03:04 +02:00
Sebastiaan van Stijn
adeb29c64c
client/request.go:157:8: SA1019: err.Temporary is deprecated (staticcheck)
It's deprecated in Go 1.18:

    client/request.go:157:8: SA1019: err.Temporary is deprecated: Temporary errors are not well-defined. Most "temporary" errors are timeouts, and the few exceptions are surprising. Do not use this method. (staticcheck)
        if !err.Temporary() {
            ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2cff05e960)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 19:03:02 +02:00
Sebastiaan van Stijn
50361d91a6
registry: trimV1Address(): simplify trimming trailing slash
strings.TrimSuffix() does exactly the same as this code, but is
a bit more readable.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4a52c46e37)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 19:02:54 +02:00
Sebastiaan van Stijn
ae3a9337dd
golangci.yml: do not limit max reported issues
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 594c972fc5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:18:38 +02:00
Sebastiaan van Stijn
9820255a1c
golangci.yml: skip some tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22ce0f8faa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:16:06 +02:00
Sebastiaan van Stijn
d223f37300
golangci.yml: update regex for ignoring SA1019
The message changed from "is deprecated" to "has been deprecated":

    client/hijack.go:85:16: SA1019: httputil.NewClientConn has been deprecated since Go 1.0: Use the Client or Transport in package net/http instead. (staticcheck)
        clientconn := httputil.NewClientConn(conn, nil)
                      ^
    integration/plugin/authz/authz_plugin_test.go:180:7: SA1019: httputil.NewClientConn has been deprecated since Go 1.0: Use the Client or Transport in package net/http instead. (staticcheck)
        c := httputil.NewClientConn(conn, nil)
             ^
    integration/plugin/authz/authz_plugin_test.go:479:12: SA1019: httputil.NewClientConn has been deprecated since Go 1.0: Use the Client or Transport in package net/http instead. (staticcheck)
        client := httputil.NewClientConn(conn, nil)
                  ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ea74765a58)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:13:03 +02:00
Sebastiaan van Stijn
ec3bfba89d
graphdriver: temporarily ignore unsafeptr: possible misuse of reflect.SliceHeader
Probably needs a similar change as c208f03fbd,
but this code makes my head spin, so for now suppressing, and created a
tracking issue:

    daemon/graphdriver/graphtest/graphtest_unix.go:305:12: unsafeptr: possible misuse of reflect.SliceHeader (govet)
        header := *(*reflect.SliceHeader)(unsafe.Pointer(&buf))
                  ^
    daemon/graphdriver/graphtest/graphtest_unix.go:308:36: unsafeptr: possible misuse of reflect.SliceHeader (govet)
        data := *(*[]byte)(unsafe.Pointer(&header))
                                          ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e6dabfa977)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:12:51 +02:00
Sebastiaan van Stijn
f2f387b131
daemon: var-declaration: should omit type bool (revive)
daemon/list.go:556:18: var-declaration: should omit type bool from declaration of var shouldSkip; it will be inferred from the right-hand side (revive)
                shouldSkip    bool = true
                              ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d61b7c1211)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:12:41 +02:00
Sebastiaan van Stijn
2fb7c9fea7
daemon/config: error strings should not be capitalized
daemon/config/config_unix.go:92:21: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
            return fmt.Errorf("Default cgroup namespace mode (%v) is invalid. Use \"host\" or \"private\".", cm) // nolint: golint
                              ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 16ced7622b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:12:30 +02:00
Sebastiaan van Stijn
fa6954cb98
reformat "nolint" comments
Unlike regular comments, nolint comments should not have a leading space.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bb17074119)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:12:14 +02:00
Sebastiaan van Stijn
45fa675a35
if-return: redundant if ...; err != nil check (revive)
builder/builder-next/adapters/snapshot/snapshot.go:386:3: if-return: redundant if ...; err != nil check, just return error instead. (revive)
            if err := b.Put(keyIsCommitted, []byte{}); err != nil {
                return err
            }

    plugin/fetch_linux.go:112:2: if-return: redundant if ...; err != nil check, just return error instead. (revive)
        if err := images.Dispatch(ctx, images.Handlers(handlers...), nil, desc); err != nil {
            return err
        }

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit dd1374f7b2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:12:02 +02:00
Sebastiaan van Stijn
9e88f8435a
daemon/splunk: ignore G402: TLS MinVersion too low for now
daemon/logger/splunk/splunk.go:173:16: G402: TLS MinVersion too low. (gosec)
    	tlsConfig := &tls.Config{}
    	              ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4004a39d53)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:11:52 +02:00
Sebastiaan van Stijn
2de90ebbe4
pkg/archive: RebaseArchiveEntries(): ignore G110
pkg/archive/copy.go:357:16: G110: Potential DoS vulnerability via decompression bomb (gosec)
                if _, err = io.Copy(rebasedTar, srcTar); err != nil {
                            ^

Ignoring GoSec G110. See https://github.com/securego/gosec/pull/433
and https://cure53.de/pentest-report_opa.pdf, which recommends to
replace io.Copy with io.CopyN7. The latter allows to specify the
maximum number of bytes that should be read. By properly defining
the limit, it can be assured that a GZip compression bomb cannot
easily cause a Denial-of-Service.
After reviewing, this should not affect us, because here we do not
read into memory.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7b071e0557)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:11:42 +02:00
Sebastiaan van Stijn
14b475d091
daemon/stats: fix notRunningErr / notFoundErr detected as unused (false positive)
Also looks like a false positive, but given that these were basically
testing for the `errdefs.Conflict` and `errdefs.NotFound` interfaces, I
replaced these with those;

    daemon/stats/collector.go:154:6: type `notRunningErr` is unused (unused)
    type notRunningErr interface {
         ^
    daemon/stats/collector.go:159:6: type `notFoundErr` is unused (unused)
    type notFoundErr interface {
         ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 09191c0936)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:11:31 +02:00
Sebastiaan van Stijn
db7b3f4737
unused: ignore false positives
integration/build/build_session_test.go:92:6: func `testBuildWithSession` is unused (unused)
    func testBuildWithSession(t *testing.T, client dclient.APIClient, daemonHost string, dir, dockerfile string) (outStr string) {
         ^
    integration/container/checkpoint_test.go:23:6: func `containerExec` is unused (unused)
    func containerExec(t *testing.T, client client.APIClient, cID string, cmd []string) {
         ^
    integration/network/service_test.go:295:6: func `swarmIngressReady` is unused (unused)
    func swarmIngressReady(client client.NetworkAPIClient) func(log poll.LogT) poll.Result {
         ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7c91fd4240)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:11:20 +02:00
Sebastiaan van Stijn
b6de0ca7c5
G601: Implicit memory aliasing in for loop
daemon/cluster/executor/container/adapter.go:446:42: G601: Implicit memory aliasing in for loop. (gosec)
            req := c.container.volumeCreateRequest(&mount)
                                                   ^
    daemon/network.go:577:10: G601: Implicit memory aliasing in for loop. (gosec)
                np := &n
                      ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b4c0c7c076)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:11:09 +02:00
Sebastiaan van Stijn
e8b838e99f
gosec: G601: Implicit memory aliasing in for loop
plugin/v2/plugin.go:141:50: G601: Implicit memory aliasing in for loop. (gosec)
                    updateSettingsEnv(&p.PluginObj.Settings.Env, &s)
                                                                 ^
    libcontainerd/remote/client.go:572:13: G601: Implicit memory aliasing in for loop. (gosec)
                cpDesc = &m
                         ^
    distribution/push_v2.go:400:34: G601: Implicit memory aliasing in for loop. (gosec)
                (metadata.CheckV2MetadataHMAC(&mountCandidate, pd.hmacKey) ||
                                              ^
    builder/dockerfile/builder.go:261:84: G601: Implicit memory aliasing in for loop. (gosec)
            currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &meta)
                                                                                             ^
    builder/dockerfile/builder.go:278:46: G601: Implicit memory aliasing in for loop. (gosec)
            if err := initializeStage(dispatchRequest, &stage); err != nil {
                                                       ^
    daemon/container.go:283:40: G601: Implicit memory aliasing in for loop. (gosec)
            if err := parser.ValidateMountConfig(&cfg); err != nil {
                                                 ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d13997b4ba)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:10:55 +02:00
Sebastiaan van Stijn
2ddf6e598a
gosimple: S1039: unnecessary use of fmt.Sprintf
pkg/devicemapper/devmapper.go:383:28: S1039: unnecessary use of fmt.Sprintf (gosimple)
        if err := task.setMessage(fmt.Sprintf("@cancel_deferred_remove")); err != nil {
                                  ^
    integration/plugin/graphdriver/external_test.go:321:18: S1039: unnecessary use of fmt.Sprintf (gosimple)
                http.Error(w, fmt.Sprintf("missing id"), 409)
                              ^
    integration-cli/docker_api_stats_test.go:70:31: S1039: unnecessary use of fmt.Sprintf (gosimple)
            _, body, err := request.Get(fmt.Sprintf("/info"))
                                        ^
    integration-cli/docker_cli_build_test.go:4547:19: S1039: unnecessary use of fmt.Sprintf (gosimple)
                "--build-arg", fmt.Sprintf("FOO1=fromcmd"),
                               ^
    integration-cli/docker_cli_build_test.go:4548:19: S1039: unnecessary use of fmt.Sprintf (gosimple)
                "--build-arg", fmt.Sprintf("FOO2="),
                               ^
    integration-cli/docker_cli_build_test.go:4549:19: S1039: unnecessary use of fmt.Sprintf (gosimple)
                "--build-arg", fmt.Sprintf("FOO3"), // set in env
                               ^
    integration-cli/docker_cli_build_test.go:4668:32: S1039: unnecessary use of fmt.Sprintf (gosimple)
            cli.WithFlags("--build-arg", fmt.Sprintf("tag=latest")))
                                         ^
    integration-cli/docker_cli_build_test.go:4690:32: S1039: unnecessary use of fmt.Sprintf (gosimple)
            cli.WithFlags("--build-arg", fmt.Sprintf("baz=abc")))
                                         ^
    pkg/jsonmessage/jsonmessage_test.go:255:4: S1039: unnecessary use of fmt.Sprintf (gosimple)
                fmt.Sprintf("ID: status\n"),
                ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f77213efc2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:10:32 +02:00
Sebastiaan van Stijn
fadf8bbdff
staticcheck: SA4001: &*x will be simplified to x. It will not copy x
daemon/volumes_unix_test.go:228:13: SA4001: &*x will be simplified to x. It will not copy x. (staticcheck)
                mp:      &(*c.MountPoints["/jambolan"]), // copy the mountpoint, expect no changes
                         ^
    daemon/logger/local/local_test.go:214:22: SA4001: &*x will be simplified to x. It will not copy x. (staticcheck)
            dst.PLogMetaData = &(*src.PLogMetaData)
                               ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f7433d6190)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:10:19 +02:00
Sebastiaan van Stijn
7573e32577
client: S1031: unnecessary nil check around range (gosimple)
client/request.go:245:2: S1031: unnecessary nil check around range (gosimple)
        if headers != nil {
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b92be7e297)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:10:06 +02:00
Sebastiaan van Stijn
e738a57a6d
daemon/logger/journald: fix linting errors
daemon/logger/journald/read.go:128:3 comment on exported function `CErr` should be of the form `CErr ...`

    daemon/logger/journald/read.go:131:36: unnecessary conversion (unconvert)
            return C.GoString(C.strerror(C.int(-ret)))
	                                  ^
    daemon/logger/journald/read.go:380:2: S1023: redundant `return` statement (gosimple)
        return
        ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d43bcc8974)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:09:54 +02:00
Sebastiaan van Stijn
34f6b94255
gosec: G404: Use of weak random number generator
These should be ok to ignore for the purpose they're used

    pkg/namesgenerator/names-generator.go:843:36: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
        name := fmt.Sprintf("%s_%s", left[rand.Intn(len(left))], right[rand.Intn(len(right))])
                                          ^
    pkg/namesgenerator/names-generator.go:849:36: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
            name = fmt.Sprintf("%s%d", name, rand.Intn(10))
                                             ^
    testutil/stringutils.go:11:18: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
            b[i] = letters[rand.Intn(len(letters))]
                           ^
    pkg/namesgenerator/names-generator.go:849:36: G404: Use of weak random number generator (math/rand instead of crypto/rand) (gosec)
            name = fmt.Sprintf("%s%d", name, rand.Intn(10))
                                             ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6b0ecacd92)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-17 18:09:41 +02:00
Sebastiaan van Stijn
a77093b4fe
Merge pull request #43911 from thaJeztah/20.10_backport_buildkit_api_docs
[20.10 backport] api: swagger: document BuildCache fields (API v1.39-v1.41)
2022-08-08 16:52:54 +02:00
Tianon Gravi
5e6d42aa9d
Merge pull request #43918 from thaJeztah/20.10_backport_bump_containerd_1.6.7_binary
[20.10 backport] update containerd binary to v1.6.7, runc to v1.3.1
2022-08-05 15:09:01 -07:00
Tianon Gravi
a345492301
Merge pull request #43859 from olljanat/20.10_backport_restore-custom-nat-networks
[20.10 backport] Windows: Re-create custom NAT networks after restart if missing from HNS
2022-08-05 09:22:11 -07:00
Sebastiaan van Stijn
a6d7b61c8b
update containerd binary to v1.6.7
full diff: https://github.com/containerd/containerd/v1.6.6...v1.6.7

Welcome to the v1.6.7 release of containerd!

The seventh patch release for containerd 1.6 contains various fixes,
includes a new version of runc and adds support for ppc64le and riscv64
(requires unreleased runc 1.2) builds.

Notable Updates

- Update runc to v1.1.3
- Seccomp: Allow clock_settime64 with CAP_SYS_TIME
- Fix WWW-Authenticate parsing
- Support RISC-V 64 and ppc64le builds
- Windows: Update hcsshim to v0.9.4 to fix regression with HostProcess stats
- Windows: Fix shim logs going to panic.log file
- Allow ptrace(2) by default for kernels >= 4.8

See the changelog for complete list of changes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4e46d9f963)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-05 00:20:28 +02:00
Sebastiaan van Stijn
b4ba1ee22f
update runc binary to v1.1.3
full diff: https://github.com/opencontainers/runc/compare/v1.1.2...v1.1.3

This is the third release of the 1.1.z series of runc, and contains
various minor improvements and bugfixes.

- Our seccomp `-ENOSYS` stub now correctly handles multiplexed syscalls on
  s390 and s390x. This solves the issue where syscalls the host kernel did not
  support would return `-EPERM` despite the existence of the `-ENOSYS` stub
  code (this was due to how s390x does syscall multiplexing).
- Retry on dbus disconnect logic in libcontainer/cgroups/systemd now works as
  intended; this fix does not affect runc binary itself but is important for
  libcontainer users such as Kubernetes.
- Inability to compile with recent clang due to an issue with duplicate
  constants in libseccomp-golang.
- When using systemd cgroup driver, skip adding device paths that don't exist,
  to stop systemd from emitting warnings about those paths.
- Socket activation was failing when more than 3 sockets were used.
- Various CI fixes.
- Allow to bind mount `/proc/sys/kernel/ns_last_pid` to inside container.
- runc static binaries are now linked against libseccomp v2.5.4.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2293de1c82)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-05 00:20:16 +02:00
Sebastiaan van Stijn
195761c1fa
Merge pull request #43889 from thaJeztah/20.10_backport_api_fix_missing_platform
[20.10 backport] api: swagger: add missing "platform" query-arg on create
2022-08-04 21:00:31 +02:00
Sebastiaan van Stijn
da8828c4b3
api: swagger: fix invalid example value (API v1.39-v1.41)
This was introduced in 43956c1bfc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 30295c1750)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-04 17:54:11 +02:00
Sebastiaan van Stijn
1c0ca366dd
Merge pull request #43905 from thaJeztah/20.10_bump_golang_1.17.13
[20.10] Update golang to 1.17.13
2022-08-04 16:53:43 +02:00
Sebastiaan van Stijn
9501d91e19
api: swagger: document BuildCache fields (API v1.39-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 43956c1bfc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-04 12:52:00 +02:00
Sebastiaan van Stijn
61fdea902b
api: swagger: document BuildCache fields.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit dc2b34af6a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-04 12:51:56 +02:00
Sebastiaan van Stijn
c77432c889
[20.10] Update golang to 1.17.13
Update Go runtime to 1.17.13 to address CVE-2022-32189.

Full diff: https://github.com/golang/go/compare/go1.17.12...go1.17.13

--------------------------------------------------------

From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10

We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.

These minor releases include 1 security fixes following the security
policy:

encoding/gob & math/big: decoding big.Float and big.Rat can panic

Decoding big.Float and big.Rat types can panic if the encoded message is
too short.

This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.17.13

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-03 20:15:00 +02:00
Sebastiaan van Stijn
2833aa1e4b
docs: api: add missing "platform" query-arg on create (v1.41)
Commit 7a9cb29fb9 added a new "platform" query-
parameter to the `POST /containers/create` endpoint, but did not update the
swagger file and documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1000e4ee7d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-29 23:22:04 +02:00
Sebastiaan van Stijn
a8c28260ad
api: swagger: add missing "platform" query-arg on create
Commit 7a9cb29fb9 added a new "platform" query-
parameter to the `POST /containers/create` endpoint, but did not update the
swagger file and documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3dae8e9fc2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-29 23:22:00 +02:00
Akihiro Suda
a70ae13d3b
Merge pull request #43876 from thaJeztah/20.10_backport_42655_vfs_storage_driver
[20.10 backport] Fix file capabilities dropping in Dockerfile
2022-07-29 07:28:23 +09:00
Illo Abdulrahim
cfdc075b1c
Fix file capabilities droping in Dockerfile
doCopyXattrs() never reached due to copyXattrs boolean being false, as
a result file capabilities not being copied.

moved copyXattr() out of doCopyXattrs()

Signed-off-by: Illo Abdulrahim <abdulrahim.illo@nokia.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 31f654a704)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-28 09:39:53 +02:00
Olli Janatuinen
2daa6bb6b3 Windows: Re-create custom NAT networks after restart if missing from HNS
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
(cherry picked from commit 67c36d5)
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-07-25 03:29:01 -07:00
Sebastiaan van Stijn
21b91d3fd5
Merge pull request #43824 from AkihiroSuda/libnetwork-20220716
[20.10] vendor: libnetwork 0dde5c895075df6e3630e76f750a447cf63f4789
2022-07-17 12:17:00 +02:00
Akihiro Suda
903cd53ce4
vendor: libnetwork 0dde5c895075df6e3630e76f750a447cf63f4789
f6ccccb1c0...0dde5c8950

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2022-07-16 22:29:27 +09:00
Akihiro Suda
55cbb2fc57
Merge pull request #43803 from thaJeztah/20.10_update_golang_1.17.12
[20.10] update golang to 1.17.12
2022-07-14 22:25:32 +09:00
Sebastiaan van Stijn
eccaf6d368
[20.10] update golang to 1.17.12
go1.17.12 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the runtime,
and the runtime/metrics package. See the Go 1.17.12 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.12+label%3ACherryPickApproved

This update addresses:

CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.

Full diff: https://github.com/golang/go/compare/go1.17.11...go1.17.12

From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE

We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:

- net/http: improper sanitization of Transfer-Encoding header

  The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
  a "chunked" encoding. This could potentially allow for request smuggling, but
  only if combined with an intermediate server that also improperly failed to
  reject the header as invalid.

  This is CVE-2022-1705 and https://go.dev/issue/53188.

- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
  containing a nil value for the X-Forwarded-For header, ReverseProxy would set
  the client IP as the value of the X-Forwarded-For header, contrary to its
  documentation. In the more usual case where a Director function set the
  X-Forwarded-For header value to nil, ReverseProxy would leave the header
  unmodified as expected.

  This is https://go.dev/issue/53423 and CVE-2022-32148.

  Thanks to Christian Mehlmauer for reporting this issue.

- compress/gzip: stack exhaustion in Reader.Read

  Calling Reader.Read on an archive containing a large number of concatenated
  0-length compressed files can cause a panic due to stack exhaustion.

  This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.

- encoding/xml: stack exhaustion in Unmarshal

  Calling Unmarshal on a XML document into a Go struct which has a nested field
  that uses the any field tag can cause a panic due to stack exhaustion.

  This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.

- encoding/xml: stack exhaustion in Decoder.Skip

  Calling Decoder.Skip when parsing a deeply nested XML document can cause a
  panic due to stack exhaustion. The Go Security team discovered this issue, and
  it was independently reported by Juho Nurminen of Mattermost.

  This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.

- encoding/gob: stack exhaustion in Decoder.Decode

  Calling Decoder.Decode on a message which contains deeply nested structures
  can cause a panic due to stack exhaustion.

  This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.

- path/filepath: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.

- io/fs: stack exhaustion in Glob

  Calling Glob on a path which contains a large number of path separators can
  cause a panic due to stack exhaustion.

  This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.

- go/parser: stack exhaustion in all Parse* functions

  Calling any of the Parse functions on Go source code which contains deeply
  nested types or declarations can cause a panic due to stack exhaustion.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-07-13 10:46:39 +02:00
Sebastiaan van Stijn
3949ff121e
Merge pull request #43770 from xinfengliu/20.10_backport_update_continuity
[20.10] vendor: github.com/containerd/continuity v0.3.0
2022-07-06 14:52:17 +02:00
Xinfeng Liu
ff7feeac37 vendor: github.com/containerd/continuity v0.3.0
Signed-off-by: Xinfeng Liu <Xinfeng.Liu@gmail.com>
2022-07-06 10:36:05 +08:00
Tianon Gravi
a89b84221c
Merge pull request #43701 from thaJeztah/20.10_backport_update_containerd_1.6.6
[20.10 backport] update containerd binary to v1.6.6
2022-06-06 15:32:38 -07:00
Sebastiaan van Stijn
6f3f2b6d08
update containerd binary to v1.6.6
Welcome to the v1.6.6 release of containerd!

The sixth patch release for containerd 1.6 includes a fix for
[CVE-2022-31030](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030).

Notable Updates

- Fix ExecSync handler to cap console output size ([GHSA-5ffw-gxpp-mxpf](https://github.com/containerd/containerd/security/advisories/GHSA-5ffw-gxpp-mxpf))

full diff: https://github.com/containerd/containerd/compare/v1.6.5...v1.6.6

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a7e3182757)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-06 22:40:17 +02:00
Akihiro Suda
3fba09221e
Merge pull request #43692 from thaJeztah/20.0_backport_bump_containerd_binary_1.6.5
[20.10 backport] update containerd binary to v1.6.5
2022-06-05 13:39:45 +09:00
Sebastiaan van Stijn
678cc00583
Merge pull request #43589 from thaJeztah/20.10_backport_bump_runc
[20.10 backport] update runc binary to v1.1.2
2022-06-04 22:36:22 +02:00
Sebastiaan van Stijn
b3bcb15da8
update containerd binary to v1.6.5
Welcome to the v1.6.5 release of containerd!

The fifth patch release for containerd 1.6 includes a few fixes and updated
version of runc.

Notable Updates

- Fix for older CNI plugins not reporting version
- Fix mount path handling for CRI plugin on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a747cd3702)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-04 22:30:35 +02:00
Tianon Gravi
59d0ff35f8
Merge pull request #43686 from dfr/backport-freebsd-mknod
[20.10 backport] Merge fixes to pkg/system to support FreeBSD's mknod
2022-06-03 15:34:32 -07:00
Tianon Gravi
434eecd2cc
Merge pull request #43683 from neersighted/update-libnetwork
[20.10] Backport sysctl performance tuning in libnetwork sandboxes
2022-06-03 11:00:12 -07:00
Tonis Tiigi
f55b030fa0 system: unbreak build for darwin
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 26dafe43a4)
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-06-03 11:42:23 +01:00
Artem Khramov
63ab12cd3a Port pkg/system/mknod.go to FreeBSD
Because FreeBSD uses 64-bit device nodes (see
https://reviews.freebsd.org/rS318736), Linux implementation of
`system.Mknod` & `system.Mkdev` is not sufficient.

This change adds freebsd-specific implementations for `Mknod` and
Mkdev`.

Signed-off-by: Artem Khramov <akhramov@pm.me>
(cherry picked from commit f3d3994a4b)
Signed-off-by: Doug Rabson <dfr@rabson.org>
2022-06-03 11:42:12 +01:00
Bjorn Neergaard
081e538fbd vendor: libnetwork f6ccccb1c082a432c2a5814aaedaca56af33d9ea
Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
2022-06-02 13:37:46 -06:00
Sebastiaan van Stijn
4159fa6860
Merge pull request #43677 from thaJeztah/20.10_update_golang_1.17.11
[20.10] update golang to 1.17.11
2022-06-02 20:10:46 +02:00
Sebastiaan van Stijn
8e9d647c01
[20.10] update golang to 1.17.11
go1.17.11 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
crypto/tls package. See the Go 1.17.11 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.17.11+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:19:56 +02:00
Tianon Gravi
90033ab093
Merge pull request #43644 from ameyag/20.10-win-port-conflict
[20.10 backport] Fix for Windows port conflict with published ports in host mode for overlay.
2022-05-26 11:31:41 -07:00
Ameya Gawde
87ead7fd2a
vendor: hcsshim a11a2c44e8a4aa9d66314b1d759ef582df5ab5e8
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2022-05-25 15:33:23 -07:00
Ameya Gawde
27f8322324
vendor: libnetwork 2dab5620d4462865c6151e573b3e7fa5d3b8458b
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2022-05-25 15:28:25 -07:00
Sebastiaan van Stijn
506d28dca8
Merge pull request #43612 from thaJeztah/20.10_backport_websocket_streams_docs_touch_ups
[20.10 backport] docs: api: /containers/{id}/attach/ws: remove unsupported query-args < v1.42
2022-05-19 23:44:59 +02:00
Sebastiaan van Stijn
829951ec19
docs: api: /containers/{id}/attach/ws: remove unsupported query-args < v1.42
These query-args were documented, but not actually supported until
ea6760138c (API v1.42).

This removes them from the documentation, as these arguments were ignored
(and defaulted to `true` (enabled))

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a5a77979dd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-18 13:50:08 +02:00
Sebastiaan van Stijn
7307a0d583
Merge pull request #43606 from rumpl/20.10_backport_rename-reservation
[20.10 backport]  Rename Reservation to Reservations in the open API
2022-05-17 23:21:03 +02:00
Djordje Lukic
6cbe73bfc0
Rename Reservation to Reservations in the open API
The correct name for this property is, and always was "Reservations"

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2022-05-17 14:45:24 +02:00
Sebastiaan van Stijn
d9ed3d7e28
update runc binary to v1.1.2
This is the second patch release of the runc 1.1 release branch. It
fixes CVE-2022-29162, a minor security issue (which appears to not be
exploitable) related to process capabilities.

This is a similar bug to the ones found and fixed in Docker and
containerd recently (CVE-2022-24769).

- A bug was found in runc where runc exec --cap executed processes with
  non-empty inheritable Linux process capabilities, creating an atypical Linux
  environment. For more information, see GHSA-f3fp-gc8g-vw66 and CVE-2022-29162.
- runc spec no longer sets any inheritable capabilities in the created
  example OCI spec (config.json) file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bc0fd3f617)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-12 14:44:34 +02:00
Samuel Karp
f756502055
Merge pull request #43582 from thaJeztah/20.10_bump_golang_1.17.10 2022-05-12 00:33:06 -07:00
Sebastiaan van Stijn
a15acb4bd6
[20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

full diff: 63515b42dc...33da011f77

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:17:46 +02:00
Sebastiaan van Stijn
5f2e0b79ad
[20.10] update golang to 1.17.10
go1.17.10 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, and the crypto/x509 and net/http/httptest
packages. See the Go 1.17.10 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.10+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.17.9...go1.17.10

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:12:56 +02:00
Sebastiaan van Stijn
462cd7de50
Merge pull request #43567 from 42wim/fixstats
[20.10] vendor: update github.com/containerd/cgroups and github.com/cilium/ebpf (for fixing empty `docker stats`)
2022-05-10 09:17:07 +02:00
Wim
be7855fdbe
vendor: update github.com/containerd/cgroups and github.com/cilium/ebpf
Fixes
- https://github.com/docker/for-linux/issues/1284
- https://github.com/containerd/containerd/issues/6700
- https://github.com/moby/moby/issues/43387

Update to cgroups v1.0.1 which has the current proto for cgroupsv1
Need to update cilium/ebpf dependency to v0.4.0

Signed-off-by: Wim <wim@42.be>
2022-05-07 17:58:57 +02:00
Sebastiaan van Stijn
4433bf67ba
Merge pull request #43561 from thaJeztah/20.10_backport_bump_containerd_binary_1.6.4
[20.10 backport] update containerd binary to v1.6.4
2022-05-04 20:25:18 +02:00
Sebastiaan van Stijn
414a9e24a7
update containerd binary to v1.6.4
Notable Updates

- Update go-cni to fix teardown regression
- Fix broken SELinux relabeling for Kubernetes volume mounts

full diff: https://github.com/containerd/containerd/compare/v1.6.3...v1.6.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6e376e32d8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-04 11:02:22 +02:00
Akihiro Suda
0809f5fafb
Merge pull request #43433 from thaJeztah/20.10_backport_update_containerd_runc
[20.10 backport] update containerd binary to v1.6.3, runc v1.1.1
2022-04-28 13:11:49 +09:00
Sebastiaan van Stijn
47b6a924b6
update containerd binary to v1.6.3
Release notes:

Welcome to the v1.6.3 release of containerd!

The third patch release for containerd 1.6 includes various fixes and updates.

Notable Updates

- Fix panic when configuring tracing plugin
- Improve image pull performance in CRI plugin
- Check for duplicate nspath
- Fix deadlock in cgroup metrics collector
- Mount devmapper xfs file system with "nouuid" option
- Make the temp mount as ready only in container WithVolumes
- Fix deadlock from leaving transaction open in native snapshotter
- Monitor OOMKill events to prevent missing container events

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a9be008f00)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-27 21:19:59 +02:00
Sebastiaan van Stijn
6d7c2b2d26
update containerd binary to v1.6.2
The second patch release for containerd 1.6 includes a fix for
 [CVE-2022-24769](https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c).

Notable Updates

- **Fix the inheritable capability defaults** ([GHSA-c9cp-9c75-9v8c](https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c))

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e69529c94a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-27 21:19:57 +02:00
Sebastiaan van Stijn
91708bf704
update containerd binary to v1.6.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 06abe8dd2d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-27 21:19:55 +02:00
Sebastiaan van Stijn
53ae17008e
Revert "[20.10] update containerd binary to 1.5.11"
This reverts commit 7dfe7a1752.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-27 21:19:53 +02:00
Akihiro Suda
961b9a78d5
update runc binary to v1.1.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit ffc903d7a6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-27 21:19:51 +02:00
Akihiro Suda
97972dac5f
update runc binary to v1.1.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c55eb6b824)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-27 21:19:47 +02:00
Akihiro Suda
2929771a53
Merge pull request #43499 from thaJeztah/20.10_bump_golang_1.17.9
[20.10] update golang to 1.17.9
2022-04-20 09:37:53 +09:00
Sebastiaan van Stijn
033a819714
[20.10] update golang to 1.17.9
go1.17.9 (released 2022-04-12) includes security fixes to the crypto/elliptic
and encoding/pem packages, as well as bug fixes to the linker and runtime. See
the Go 1.17.9 milestone on the issue tracker for details:

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-19 09:16:33 +02:00
Tianon Gravi
ecf2eee0f6
Merge pull request #43486 from thaJeztah/20.10_backport_fix_dco_check
[20.10 backport] Jenkinsfile: add workaround for CVE-2022-24765
2022-04-13 11:39:23 -07:00
Sebastiaan van Stijn
a80884126b
Jenkinsfile: add workaround for CVE-2022-24765
git published an advisory Yesterday, which (as a counter-measure)
requires the git repository's directory to be owned by the current
user, and otherwise produce an error:

    fatal: unsafe repository ('/workspace' is owned by someone else)
    To add an exception for this directory, call:

        git config --global --add safe.directory /workspace

The DCO check is run within a container, which is running as `root`
(to allow packages to be installed), but because of this, the user
does not match the files that are bind-mounted from the host (as they
are checked out by Jenkins, using a different user).

To work around this issue, this patch configures git to consider the
`/workspace` directory as "safe". We configure it in the `--system`
configuration so that it takes effect for "all users" inside the
container.

More details on the advisory can be found on GitHub's blog:
https://github.blog/2022-04-12-git-security-vulnerability-announced/

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit efe03aa2d8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-13 16:07:32 +02:00
Brian Goff
086a3fa036
Merge pull request #43468 from thaJeztah/20.10_backport_update_go_1.17
[20.10 backport] update to go 1.17.8
2022-04-12 09:41:51 -07:00
Sebastiaan van Stijn
09d6fcdfec
update to go 1.17.8 to address CVE-2022-24921
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921)

go1.17.8 (released 2022-03-03) includes a security fix to the regexp/syntax package,
as well as bug fixes to the compiler, runtime, the go command, and the crypto/x509,
and net packages. See the Go 1.17.8 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.8+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.17.7...go1.17.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e781cf5f64)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:28:10 +02:00
Sebastiaan van Stijn
5957684b2c
Update Go to 1.17.7
Includes security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772),
and cmd/go (CVE-2022-23773).

go1.17.7 (released 2022-02-10) includes security fixes to the crypto/elliptic,
math/big packages and to the go command, as well as bug fixes to the compiler,
linker, runtime, the go command, and the debug/macho, debug/pe, and net/http/httptest
packages. See the Go 1.17.7 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.7+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.17.6...go1.17.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cad6c8f7f1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:28:08 +02:00
Sebastiaan van Stijn
55b72c70ba
Update Go to 1.17.6
go1.17.6 (released 2022-01-06) includes fixes to the compiler, linker, runtime,
and the crypto/x509, net/http, and reflect packages. See the Go 1.17.6 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f85ae526f0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:28:06 +02:00
Sebastiaan van Stijn
fdf3020bd5
Update Go to 1.17.5
go1.17.5 (released 2021-12-09) includes security fixes to the syscall and net/http
packages. See the Go 1.17.5 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.5+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d620cb6afc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:28:04 +02:00
Sebastiaan van Stijn
36e164ba80
Update Go to 1.17.4
go1.17.4 (released 2021-12-02) includes fixes to the compiler, linker, runtime,
and the go/types, net/http, and time packages. See the Go 1.17.4 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.4+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6bb3891c60)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:28:02 +02:00
Sebastiaan van Stijn
ecfba8f588
Update Go to 1.17.3
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the
go command, the misc/wasm directory, and to the net/http and syscall packages.
See the Go 1.17.3 milestone on our issue tracker for details.

From the announcement e-mail:

[security] Go 1.17.3 and Go 1.16.10 are released

We have just released Go versions 1.17.3 and 1.16.10, minor point releases.
These minor releases include two security fixes following the security policy:

- archive/zip: don't panic on (*Reader).Open
  Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made
  to panic by an attacker providing either a crafted ZIP archive containing
  completely invalid names or an empty filename argument.
  Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code
  Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue
  golang.org/issue/48085.
- debug/macho: invalid dynamic symbol table command can cause panic
  Malformed binaries parsed using Open or OpenFat can cause a panic when calling
  ImportedSymbols, due to an out-of-bounds slice operation.
  Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this
  issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ce668d6c1e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:28:01 +02:00
Sebastiaan van Stijn
4e14dcc125
Update Go to 1.17.2
go1.17.2 (released 2021-10-07) includes a security fix to the linker and misc/wasm
directory, as well as bug fixes to the compiler, the runtime, the go command, and
to the time and text/template packages. See the Go 1.17.2 milestone on our issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.2+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e7fb0c8201)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:27:59 +02:00
Sebastiaan van Stijn
c32b5ece31
Update Go to 1.17.1
This includes additional fixes for CVE-2021-39293.

go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package,
as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand,
embed, go/types, html/template, and net/http packages. See the Go 1.17.1 milestone
on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.1+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0050ddd43b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:27:57 +02:00
Sebastiaan van Stijn
7096508811
vendor: update archive/tar to match Go 1.17.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aa606307b7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:27:55 +02:00
Sebastiaan van Stijn
a1150245cc
Update to Go 1.17.0, and gofmt with Go 1.17
Movified from 686be57d0a, and re-ran
gofmt again to address for files not present in 20.10 and vice-versa.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 686be57d0a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:27:50 +02:00
Sebastiaan van Stijn
95cc7115fb
hack/vendor.sh: allow go version to be specified with .0
Golang '.0' releases are released without a trailing .0 (i.e. go1.17
is equal to go1.17.0). For the base image, we want to specify the go
version including their patch release (golang:1.17 is equivalent to
go1.17.x), so adjust the script to also accept the trailing .0, because
otherwise the download-URL is not found:

    hack/vendor.sh archive/tar
    update vendored copy of archive/tar
    downloading: https://golang.org/dl/go1.17.0.src.tar.gz
    curl: (22) The requested URL returned error: 404

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9ed88a0801)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:26:34 +02:00
Sebastiaan van Stijn
949c33b1c5
vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8,
2021) or later, see https://github.com/golang/go/issues/45702. While this seems
to affect macOS only, let's update to the latest version.

full diff: d19ff857e8...63515b42dc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d48c8b70a1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:26:32 +02:00
Sebastiaan van Stijn
8392285876
vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
full diff: b64e53b001...d19ff857e8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f0d3e905b6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 23:26:29 +02:00
Brian Goff
9ee5abed9c
Merge pull request #43470 from thaJeztah/20.10_backport_bump_buildx_0.8.2
[20.10 backport] testing: install buildx from binary, and update to v0.8.2
2022-04-07 12:36:23 -07:00
Sebastiaan van Stijn
4e81bcf380
Makefile: update buildx to v0.8.2
release notes: https://github.com/docker/buildx/releases/tag/v0.8.2

Notable changes:

- Update Compose spec used by buildx bake to v1.2.1 to fix parsing ports definition
- Fix possible crash on handling progress streams from BuildKit v0.10
- Fix parsing groups in buildx bake when already loaded by a parent group

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae7d3efafd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 10:56:43 +02:00
Sebastiaan van Stijn
74e699c8d3
Makefile: update buildx version to v0.6.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22316ff1d8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 10:56:21 +02:00
Sebastiaan van Stijn
bc3cc2e7ac
Makefile: install buildx from binary release, instead of building
This was originally added in 833444c0d6,
at which time buildx did not yet have a release, so we had to build
from source.

Now that buildx has binary releases on GitHub, we should be able to
consume those binaries instead of building.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 151ec207b9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-07 10:55:22 +02:00
Sebastiaan van Stijn
811795ccd7
Merge pull request #43454 from thaJeztah/20.10_update_distribution
[20.10] vendor: github.com/docker/distribution v2.8.1
2022-04-05 13:44:22 +02:00
Sebastiaan van Stijn
ae7f230408
Merge pull request #43460 from thaJeztah/20.10_backport_docs_fixes
[20.10 backport] docs: assorted fixes in swagger files
2022-04-05 13:43:10 +02:00
Sebastiaan van Stijn
492fac20af
api: docs: fix indentation of HostConfig.SecurityOpt (v1.39-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0759f013a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:30:05 +02:00
Sebastiaan van Stijn
3cba2682d8
api: docs: move ContainerWaitResponse to definitions (v1.39-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 352d1bb8e0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:30:02 +02:00
Sebastiaan van Stijn
55e71450ae
api: docs: move VolumeCreateOptions to definitions (v1.39-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 444b27910c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:30:00 +02:00
Sebastiaan van Stijn
c54362cd64
api: docs: move Volume examples inline (v1.39-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5c0aae359f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:29:57 +02:00
Daniel Black
c60ff9b296
doc: server API Correct ImagesCreate - platform parameter added in 1.32
closes: docker/docker.github.io#9305

Signed-off-by: Daniel Black <daniel@linux.ibm.com>
(cherry picked from commit 521ac858e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:29:27 +02:00
Sebastiaan van Stijn
7a45f7a8cc
docs: cleanup swagger API with multiple examples (v1.25-v1.41)
Applies the changes from 3671cb90a3 to
the swagger files used for the documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8ac2f84f9a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:29:11 +02:00
Niel Drummond
29bb9204bf
api: docs: add IPAMConfig on IPAM (v1.41)
Signed-off-by: Niel Drummond <niel@drummond.lu>
(cherry picked from commit abc2f095ab)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:28:54 +02:00
Sebastiaan van Stijn
77f6564369
api: docs: document MountPoint fields (v1.25-v1.41)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0a438f2612)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:28:14 +02:00
Sebastiaan van Stijn
51ea235ab8
api: docs: remove deprecated RootFS.BaseLayer (API v1.25-v1.41)
This field was used when Windows did not yet support regular images, and required
the base-image to pre-exist on the Windows machine (as those layers were not yet
allowed to be distributed).

Commit f342b27145 (docker 1.13.0, API v1.25) removed
usage of the field. The field was not documented in the API, but because it was not
removed from the Golang structs in the API, ended up in the API documentation when
we switched to using Swagger instead of plain MarkDown for the API docs.

Given that the field was never set in any of these API versions, and had an "omitempty",
it was never actually returned in a response, so should be fine to remove from these
API docs.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8e9c8ff7f2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:27:54 +02:00
Sebastiaan van Stijn
3d6b4ae572
Correct type of Mounts in ContainerSummary in docs (v1.25-v1.40)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c04dff7623)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:27:27 +02:00
Michael Weidmann
6e8b9809b7
Correct type of Mounts in ContainerSummary in docs
Signed-off-by: Michael Weidmann <michaelweidmann@web.de>
(cherry picked from commit 16e3ca35eb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:27:24 +02:00
Sebastiaan van Stijn
621a98dac0
api: docs: fix warning about comment indentation (API v1.40-v1.41)
5428:7 warning comment not indented like content (comments-indentation)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d19dd22257)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:27:02 +02:00
Sebastiaan van Stijn
bb9ef98060
api: docs: update docs for /images/{name}/json (API v1.39-v1.41)
- rename definition in swagger from `Image` to `ImageInspect` to match the go type
- improve (or add) documentation for various fields
- move example values in-line in the "definitions" section
- remove the `required` fields from `ImageInspect`, as the type is only used as
  response type (not to make requests).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9565606222)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:26:59 +02:00
Sebastiaan van Stijn
88ca5cec4e
daemon: fix error-message for minimum allowed kernel-memory limit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c44ade6d0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:26:18 +02:00
Sebastiaan van Stijn
3ea996abd7
docs: add missing KernelMemoryTCP to api v1.40 and v1.41
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9f3c238c29)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:26:16 +02:00
Sebastiaan van Stijn
b475bc95cd
docs/api: add missing 400 response for POST /containers/{id}/wait
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5e2b7dea02)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:26:14 +02:00
Sebastiaan van Stijn
ae07b3cc96
docs/api: update /containers/{id}/wait "condition" parameter (v1.30-v1.41)
This patch updates the swagger, and:

- adds an enum definition to document valid values (instead of describing them)
- updates the description to mention both "omitted" and "empty" values (although
  the former is already implicitly covered by the field being "optional" and
  having a default value).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 41b137962d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 19:26:12 +02:00
Sebastiaan van Stijn
19555fa92d
[20.10] vendor: github.com/docker/distribution v2.8.1
equivalent of b92af14a1c, for 20.10.x

no changes to code we use, but the v2.8.0 module was borked

full diff: https://github.com/docker/distribution/compare/v2.8.0...v2.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 11:17:29 +02:00
Tianon Gravi
4e188b8a49
Merge pull request #43426 from thaJeztah/20.10_backport_info_counters_rwmutex
[20.10 backport] daemon: use RWMutex for stateCounter
2022-03-25 15:49:29 -07:00
Sebastiaan van Stijn
339d7bdd7d
Merge pull request #43406 from dims/cherry-pick-thaJeztah-errdefs_reduce_client_deps_alternative
[20.10] errdefs: move GetHTTPErrorStatusCode to api/server/httpstatus
2022-03-25 14:52:59 +01:00
Sebastiaan van Stijn
32fe0bbb91
daemon: use RWMutex for stateCounter
Use an RWMutex to allow concurrent reads of these counters

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 699174347c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-25 09:38:53 +01:00
Tianon Gravi
1881be2de5
Merge pull request #43360 from Nossnevs/backport-21.x-linux-routeoverlaps-link-only-42598
[20.10 backport] Only check if route overlaps routes with scope: LINK
2022-03-24 16:54:51 -07:00
Sebastiaan van Stijn
af05807928
Merge pull request #43356 from awmirantis/20.10-bump-swarmkit-increase-config-size
[20.10] Bump swarmkit for change to max config size
2022-03-24 20:23:48 +01:00
Sebastiaan van Stijn
ed8fb00b65
errdefs: move GetHTTPErrorStatusCode to api/server/httpstatus
This reverts the changes made in 2a9c987e5a, which
moved the GetHTTPErrorStatusCode() utility to the errdefs package.

While it seemed to make sense at the time to have the errdefs package provide
conversion both from HTTP status codes errdefs and the reverse, a side-effect
of the move was that the errdefs package now had a dependency on various external
modules, to handle conversio of errors coming from those sub-systems, such as;

- github.com/containerd/containerd
- github.com/docker/distribution
- google.golang.org/grpc

This patch moves the conversion from (errdef-) errors to HTTP status-codes to a
 api/server/httpstatus package, which is only used by the API server, and should
not be needed by client-code using the errdefs package.

The MakeErrorHandler() utility was moved to the API server itself, as that's the
only place it's used. While the same applies to the GetHTTPErrorStatusCode func,
I opted for keeping that in its own package for a slightly cleaner interface.

Why not move it into the api/server/httputils package?

The api/server/httputils package is also imported in the client package, which
uses the httputils.ParseForm() and httputils.HijackConnection() functions as
part of the TestTLSCloseWriter() test. While this is only used in tests, I
wanted to avoid introducing the indirect depdencencies outside of the api/server
code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 85b7df5ead93a79ed6c8ef83535c153f65ef116d)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
(cherry picked from commit b9af850d5d232d2d8e0800f4f0d7ceceb5bf84ff)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-03-24 14:16:40 -04:00
tonic
3bd611d7a5
log error message when receiving an unexpected type error
Signed-off-by: tonic <tonicbupt@gmail.com>
(cherry picked from commit 24aaa7f8c9)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-03-24 14:16:29 -04:00
Sebastiaan van Stijn
66a96760b2
Merge pull request #43407 from dims/cherry-pick-remove_containerd_from_client
[20.10] Remove containerd "platform" dependency from client
2022-03-24 19:12:03 +01:00
Sebastiaan van Stijn
87a90dc786
Merge pull request #43417 from thaJeztah/20.10_update_containerd_binary_1.5.11
[20.10] update containerd binary to 1.5.11
2022-03-24 02:37:51 +01:00
Sebastiaan van Stijn
7dfe7a1752
[20.10] update containerd binary to 1.5.11
The eleventh patch release for containerd 1.5 includes a fix for
[CVE-2022-24769](https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c).

Notable Updates:

- **Fix the inheritable capability defaults** ([GHSA-c9cp-9c75-9v8c](https://github.com/containerd/containerd/security/advisories/GHSA-c9cp-9c75-9v8c))

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-24 00:50:43 +01:00
Sebastiaan van Stijn
7f375bcff4
Merge pull request from GHSA-2mm7-x5h6-5pvq
[20.10] oci: inheritable capability set should be empty
2022-03-23 22:10:17 +01:00
Sebastiaan van Stijn
cf0abad081
Merge pull request #43416 from thaJeztah/20.10_update_containerd2
[20.10] vendor: containerd 7cfa023d95d37076d5ab035003d4839f4b6ba791
2022-03-23 21:26:07 +01:00
Sebastiaan van Stijn
af953d2f38
[20.10] vendor: containerd 7cfa023d95d37076d5ab035003d4839f4b6ba791
updates the vendoring from the latest commit of the ambiguous-manifest-moby-20.10
branch in our fork.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-23 19:41:05 +01:00
Sebastiaan van Stijn
5f9753ae73
client: remove containerd "platform" dependency
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9d7495c2b3500565986e3ab8d571c57e296a980d)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-03-22 16:34:19 -04:00
Sebastiaan van Stijn
4df345e65d
client: remove unused Platform field from configWrapper
This field was added in 7a9cb29fb9,
but appears to be unused, so removing it.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3994e0ce7855b0dc845c558304e4c1e7a89f0929)
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-03-22 16:34:08 -04:00
Samuel Karp
dd38613d0c
oci: inheritable capability set should be empty
The Linux kernel never sets the Inheritable capability flag to anything
other than empty.  Moby should have the same behavior, and leave it to
userspace code within the container to set a non-empty value if desired.

Reported-by: Andrew G. Morgan <morgan@kernel.org>
Signed-off-by: Samuel Karp <skarp@amazon.com>
(cherry picked from commit 0d9a37d0c2)
Signed-off-by: Samuel Karp <skarp@amazon.com>
2022-03-17 14:17:00 -07:00
Mikael Svensson
2825bf7123
Only check if route overlaps routes with scope: LINK
Signed-off-by: Mikael Svensson <mikael.svensson@nasdaq.com>
2022-03-17 09:54:27 +01:00
Adam Williams
f5c56eaca8 [20.10] bump swarmkit for config size increase
Signed-off-by: Adam Williams <awilliams@mirantis.com>
2022-03-10 10:49:27 -08:00
Sebastiaan van Stijn
906f57ff5b
Merge pull request #43333 from pete-woods/20.10-backport-43291-schema-download-retry
[20.10 backport] distribution: retry downloading schema config on retryable error
2022-03-06 21:52:27 +01:00
Pete Woods
ce3b6d1ae9
distribution: retry downloading schema config on retryable error
fixes #43267

Signed-off-by: Pete Woods <pete.woods@circleci.com>

# Conflicts:
#	distribution/pull_v2.go
#	distribution/pull_v2_test.go
#	distribution/xfer/transfer.go
2022-03-05 20:29:10 +00:00
Sebastiaan van Stijn
c3dec607c3
Merge pull request #43329 from thaJeztah/20.10_backport_update_containerd_binary_1.5.10
[20.10 backport] update containerd binary to v1.5.10
2022-03-04 21:17:02 +01:00
Sebastiaan van Stijn
180f3b9cc7
update containerd binary to v1.5.10
Welcome to the v1.5.10 release of containerd!

The tenth patch release for containerd 1.5 includes a fix for [CVE-2022-23648][1]
and other issues.

Notable Updates

- Use fs.RootPath when mounting volumes (GHSA-crp2-qrr5-8pq7)
- Return init pid when clean dead shim in runc.v1/v2 shims
- Handle sigint/sigterm in shimv2
- Use readonly mount to read user/group info

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23648
[2]: https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2c8f0a0c99)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-04 19:36:34 +01:00
Samuel Karp
409d7ac7f2
Merge pull request #43326 from thaJeztah/20.10_bump_go_1.16.15 2022-03-04 10:09:10 -08:00
Sebastiaan van Stijn
0fa0d70489
[20.10] update to go 1.16.15 to address CVE-2022-24921
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921)

go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package,
as well as bug fixes to the compiler, runtime, the go command, and to the net package.
See the Go 1.16.15 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.16.14...go1.16.15

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-04 16:42:56 +01:00
Brian Goff
c4f6167be1
Merge pull request #43259 from thaJeztah/20.10_backport_fix_lock
[20.10 backport] vendor: bump etcd v3.3.27
2022-03-03 11:12:52 -08:00
Sebastiaan van Stijn
9a57c5c4c9
Merge pull request #43260 from thaJeztah/20.10_backport_docs_fixes
[20.10 backport] docs: assorted docs and swagger fixes
2022-03-03 20:10:01 +01:00
Sebastiaan van Stijn
4679ffd01c
docs: remove HostConfig.LxcConf field from API docs
Commit 3b5fac462d  / docker 1.10 removed support
for the LXC runtime, and removed the corresponding fields from the API (v1.22).

This patch removes the `HostConfig.LxcConf` field from the API documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 839e2ecc1b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 13:21:13 +01:00
Sebastiaan van Stijn
fbbe1fcfd8
api: remove HostConfig.LxcConf field
Commit 3b5fac462d  / docker 1.10 removed support
for the LXC runtime, and removed the corresponding fields from the API (v1.22).

This patch removes the `HostConfig.LxcConf` field from the swagger definition.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 75a1ad0c9f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 13:21:10 +01:00
Sebastiaan van Stijn
a5a697143d
docs: fixing /exec/{id}/resize response code in API documentation
This takes the changes from 1a933e113d and
834272f978, and applies them to older API
versions in the docs directory (which are used for the actual documentation).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2145f3ba2c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 13:20:25 +01:00
Thomas LEDOS
42b13c09a6
Added error codes for exec resize in API docs
Signed-off-by: Thomas LEDOS <thomas.ledos92@gmail.com>
(cherry picked from commit 834272f978)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 13:20:09 +01:00
Thomas LEDOS
aa69e8ed3f
Fixed exec resize success code in API docs
Signed-off-by: Thomas LEDOS <thomas.ledos92@gmail.com>
(cherry picked from commit 1a933e113d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 13:19:58 +01:00
Felipe Ruhland
ca5ba4890e
Fix typo on the v1.41 changelog
Signed-off-by: Felipe Ruhland <felipe.ruhland@gmail.com>
(cherry picked from commit eefb6c672a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 13:19:21 +01:00
Kir Kolyshkin
db214206e5
vendor: bump etcd v3.3.27
Bump etcd to v3.3.27, which includes https://github.com/etcd-io/etcd/pull/12552,
to fix https://github.com/moby/moby/issues/31182

Full diff: https://github.com/coreos/etcd/compare/v3.3.25...v3.3.27

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ffd5a20ab8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 12:55:15 +01:00
Sebastiaan van Stijn
df6a536193
vendor: github.com/coreos/etcd v3.3.25
full diff: https://github.com/coreos/etcd/compare/v3.3.12...v3.3.25

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2bef937507)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 12:54:48 +01:00
Sebastiaan van Stijn
3d5fb9425e
Merge pull request #43167 from thaJeztah/20.10_backport_jenkinsfile_remove_rs1
[20.10 backport] Jenkinsfile: remove Windows RS1 as it reached end of support
2022-02-17 20:10:45 +01:00
Sebastiaan van Stijn
1eef444005
Merge pull request #43171 from thaJeztah/20.10_backport_api_docs_fixes
[20.10 backport] docs: update API v1.41 and v1.40 docs with fixes from api/swagger
2022-02-17 20:10:26 +01:00
Brian Goff
7f44d606f9
Merge pull request #43166 from thaJeztah/20.10_backport_fix_update_sync
[20.10 backport] Fix for lack of syncronization in daemon/update.go
2022-02-17 11:08:56 -08:00
Tianon Gravi
c9e1608dd4
Merge pull request #43243 from thaJeztah/20.10_update_go_1.16.14
[20.10] Update Go to 1.16.14
2022-02-15 13:13:37 -08:00
Sebastiaan van Stijn
9502dec32f
[20.10] Update Go to 1.16.14
Includes security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772),
and cmd/go (CVE-2022-23773).

go1.16.14 (released 2022-02-10) includes security fixes to the crypto/elliptic,
math/big packages and to the go command, as well as bug fixes to the compiler,
linker, runtime, the go command, and the debug/macho, debug/pe, net/http/httptest,
and testing packages. See the Go 1.16.14 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.14+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.16.13...go1.16.14

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-15 16:22:00 +01:00
Akihiro Suda
879dd468dc
Merge pull request #43215 from thaJeztah/20.10_backport_fix_overlay_fuse_permissions
[20.10 backport] daemon/graphdriver/fuse-overlayfs: Init(): fix directory permissions (staticcheck)
2022-02-12 12:10:29 +09:00
Sebastiaan van Stijn
9edb93886a
Merge pull request #43151 from thaJeztah/20.10_backport_containerd_15
[20.10 backport] update containerd binary v1.5.9, runc v1.0.3, and some script changes
2022-02-10 20:36:31 +01:00
Sebastiaan van Stijn
878b9de935
daemon/graphdriver/fuse-overlayfs: Init(): fix directory permissions (staticcheck)
daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go:101:63: SA9002: file mode '700' evaluates to 01274; did you mean '0700'? (staticcheck)
        if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 700, currentID); err != nil {
                                                                     ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f9fb5d4f25)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-08 13:38:29 +01:00
Sebastiaan van Stijn
606c29418a
Merge pull request #43177 from thaJeztah/20.10_update_distribution
[20.10] vendor: github.com/docker/distribution v2.8.0
2022-02-08 09:40:46 +01:00
Sebastiaan van Stijn
d1b3497bfa
[20.10] vendor: github.com/docker/distribution v2.8.0
full diff: 58f99e93b7...distribution:v2.8.0

(taking my own fork for the diff link, as the samuelkarp fork didn't have a reference to the upstream)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-07 18:37:21 +01:00
Brian Goff
dd61d8dc4b
Merge pull request #43165 from thaJeztah/20.10_backport_logs_fixes
[20.10 backport] daemon/logger: read the length header correctly
2022-01-27 10:15:00 -08:00
Sebastiaan van Stijn
f9344b45fe
api/swagger: move DistributionInspect to definitions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 16cb04c2e8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:21 +01:00
Sebastiaan van Stijn
13cb9d9723
api/swagger: rename PluginPrivilegeItem to PluginPrivilege
To match the name in Go

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ebd709f80c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:19 +01:00
Sebastiaan van Stijn
7f9760e10c
api/swagger: fix up event-types and move to definitions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0b5a2e3c87)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:18 +01:00
Sebastiaan van Stijn
e6739a2884
api/swagger: move DistributionInspect to definitions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a65804adc4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:17 +01:00
Sebastiaan van Stijn
d445d24804
api/swagger: rename PluginPrivilegeItem to PluginPrivilege
To match the name in Go

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 24a43d934c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:16 +01:00
Sebastiaan van Stijn
5e38ae84b2
api/swagger: fix up event-types and move to definitions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92ed6ca356)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:14 +01:00
Tobias Gesellchen
012fdff916
Fix swagger docs to match the opencontainers image-spec
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 62cf748df9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:13 +01:00
Tobias Gesellchen
13cbf7fbb7
Extract PluginPrivilegeItem as explicit type definition
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6153c2f08d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:12 +01:00
Tobias Gesellchen
8fbcf0611b
Use explicit object names for improved swagger based code generation
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit be93e50a58)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:11 +01:00
Tobias Gesellchen
b8bee972c4
Fix ContainerSummary swagger docs
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8168d1877d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:09 +01:00
Tobias Gesellchen
7092a6091c
Add "changes" query parameter for /image/create to swagger docs
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0e719f8a00)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:08 +01:00
Tobias Gesellchen
adf1e470a1
Add RestartPolicy "no" to swagger docs
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d3d78c1ae3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:07 +01:00
Tobias Gesellchen
b4b469eac2
Fix swagger docs to match the opencontainers image-spec
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c0bc82cef1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:06 +01:00
Tobias Gesellchen
2c38a2a635
Extract PluginPrivilegeItem as explicit type definition
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7248ebcd7e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:04 +01:00
Tobias Gesellchen
621bfddd6e
Use explicit object names for improved swagger based code generation
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6e421a1823)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:03 +01:00
Tobias Gesellchen
8a5240a8aa
Fix ContainerSummary swagger docs
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9ac2d04617)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:02 +01:00
Tobias Gesellchen
751cf68e36
Add "changes" query parameter for /image/create to swagger docs
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 050f5f29f7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:03:00 +01:00
Tobias Gesellchen
a961b76aef
Add RestartPolicy "no" to swagger docs
Signed-off-by: Tobias Gesellchen <tobias@gesellix.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 90294e9bdb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 16:02:49 +01:00
Sebastiaan van Stijn
ad21bcd94e
Jenkinsfile: remove Windows RS1 as it reached end of support
It was already disabled by default, but removing it now that it reached
end of the line.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9326ea5b99)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 10:14:29 +01:00
dmytro.iakovliev
b2684c1857
Fix for lack of syncromization in daemon/update.go
Signed-off-by: dmytro.iakovliev <dmytro.iakovliev@zodiacsystems.com>
(cherry picked from commit 58825ffc32)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:55:17 +01:00
Kazuyoshi Kato
8268f70ebb
daemon/logger: replace flaky TestFollowLogsHandleDecodeErr
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit c91e09bee2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:40:19 +01:00
Kazuyoshi Kato
78d0b936b8
daemon/logger: refactor followLogs to write more unit tests
followLogs() is getting really long (170+ lines) and complex.
The function has multiple inner functions that mutate its variables.

To refactor the function, this change introduces follow{} struct.
The inner functions are now defined as ordinal methods, which are
accessible from tests.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit 7a10f5a558)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:40:16 +01:00
Kazuyoshi Kato
39519221c2
daemon/logger: test followLogs' handleDecodeErr case
Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit f2e458ebc5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:38:36 +01:00
Kazuyoshi Kato
ada1b01de1
daemon/logger: read the length header correctly
Before this change, if Decode() couldn't read a log record fully,
the subsequent invocation of Decode() would read the record's non-header part
as a header and cause a huge heap allocation.

This change prevents such a case by having the intermediate buffer in
the decoder struct.

Fixes #42125.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit 48d387a757)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:38:32 +01:00
Sebastiaan van Stijn
829f071228
update containerd binary to v1.5.9
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit df3ea5da03)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:28:34 +01:00
Akihiro Suda
3e5eea4192
update runc binary to v1.0.3
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 53397ac539)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:28:32 +01:00
Sebastiaan van Stijn
bd42e17284
update containerd binary to v1.5.8
The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
as well as several fixes and updates.

Notable Updates

* Handle ambiguous OCI manifest parsing
* Filter selinux xattr for image volumes in CRI plugin
* Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
* Fix pull failure on unexpected EOF
* Close task IO before waiting on delete
* Log a warning for ignored invalid image labels rather than erroring
* Update pull to handle of non-https urls in descriptors

See the changelog for complete list of changes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit aef782f348)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:28:30 +01:00
Sebastiaan van Stijn
3fd0b8d6eb
Update containerd binary to v1.5.7
The seventh patch release for containerd 1.5 is a security release to fix CVE-2021-41103.

Notable Updates:

- Fix insufficiently restricted permissions on container root and plugin directories
  GHSA-c2h3-6mxw-7mvq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fa4a9702be)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:28:28 +01:00
Sebastiaan van Stijn
3700adb70a
Update containerd binary to v1.5.6
- Install apparmor parser for arm64 and update seccomp to 2.5.1
- Update runc binary to 1.0.2
- Update hcsshim to v0.8.21 to fix layer issue on Windows Server 2019
- Add support for 'clone3' syscall to fix issue with certain images when seccomp is enabled
- Add image config labels in CRI container creation
- Fix panic in metadata content writer on copy error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b746a2bf9b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:28:26 +01:00
Sebastiaan van Stijn
0f37f2989b
Dockerfile: update gotestsum to v1.7.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1b8db06785)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:28:21 +01:00
Sebastiaan van Stijn
2716336abd
Dockerfile: use "go install" to install utilities
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 14ff070469)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:27:36 +01:00
Sebastiaan van Stijn
b35a1707e3
Dockerfile: use version for some utilities instead of commit-sha
The golangci-lint, gotestsum, shfmt, and vndr utilities should generally
be ok to be pinned by version instead of a specific sha. Also rename
the corresponding env-vars / build-args accordingly:

- GOLANGCI_LINT_COMMIT -> GOLANGCI_LINT_VERSION
- GOTESTSUM_COMMIT -> GOTESTSUM_VERSION
- SHFMT_COMMIT -> SHFMT_VERSION
- VNDR_COMMIT -> VNDR_VERSION
- CONTAINERD_COMMIT -> CONTAINERD_VERSION
- RUNC_COMMIT -> RUNC_VERSION
- ROOTLESS_COMMIT -> ROOTLESS_VERSION

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a7a7c732c0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:27:30 +01:00
Sebastiaan van Stijn
2a18825cdf
Dockerfile: remove GOPROXY override (was for go < 1.14)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3cec4b8cd4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:51 +01:00
Sebastiaan van Stijn
0f925d5d3d
remove deprecated "nokmem" build-tag for runc
This build-tag was removed in 52390d6804,
which is part of runc v1.0.0-rc94 and up, so no longer relevant.

the kmem options are now always disabled in runc.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c7c18a499)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:49 +01:00
Sebastiaan van Stijn
fb45fe614d
info: remove "expected" check for tini version
These checks were added when we required a specific version of containerd
and runc (different versions were known to be incompatible). I don't think
we had a similar requirement for tini, so this check was redundant. Let's
remove the check altogether.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b585c64e2b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:48 +01:00
Sebastiaan van Stijn
fd32c70031
update containerd binary to v1.5.5
Welcome to the v1.5.5 release of containerd!

The fifth patch release for containerd 1.5 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull logic to try next mirror on non-404 response
- Update pull authorization logic on redirect

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4a07b89e9a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:46 +01:00
Sebastiaan van Stijn
302114634c
update containerd binary v1.4.8
Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cf1328cd46)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:44 +01:00
Sebastiaan van Stijn
1cd13dcb6c
Update containerd binary to v1.5.3
full diff: https://github.com/containerd/containerd/compare/v1.5.2...v1.5.3

Welcome to the v1.5.3 release of containerd!

The third patch release for containerd 1.5 updates runc to 1.0.0 and contains
various other fixes.

Notable Updates

- Update runc binary to 1.0.0
- Send pod UID to CNI plugins as K8S_POD_UID
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix User Agent sent to registry authentication server
- Fix symlink resolution for disk mounts on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5ae2af41ee)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:42 +01:00
Sebastiaan van Stijn
5f09d5c76a
update containerd binary to v1.5.2
full diff: https://github.com/containerd/containerd/compare/v1.5.1...v1.5.2

The second patch release for containerd 1.5 is a security release to update
runc for CVE-2021-30465

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8e3186fc8f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:40 +01:00
Sebastiaan van Stijn
23f23c99ed
update containerd binary to v1.5.1
full diff: https://github.com/containerd/containerd/compare/v1.5.0...v1.5.1

Notable Updates

- Update runc to rc94
- Fix registry mirror authorization logic in CRI plugin
- Fix regression in cri-cni-release to include cri tools

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22c0291333)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:38 +01:00
Sebastiaan van Stijn
f036a34c5b
update containerd binary to v1.5.0
Welcome to the v1.5.0 release of containerd!

The sixth major release of containerd includes many stability improvements
and code organization changes to make contribution easier and make future
features cleaner to develop. This includes bringing CRI development into the
main containerd repository and switching to Go modules. This release also
brings support for the Node Resource Interface (NRI).

Highlights
--------------------------------------------------------------------------------

*Project Organization*

- Merge containerd/cri codebase into containerd/containerd
- Move to Go modules
- Remove selinux build tag
- Add json log format output option for daemon log

*Snapshots*

- Add configurable overlayfs path
- Separate overlay implementation from plugin
- Native snapshotter configuration and plugin separation
- Devmapper snapshotter configuration and plugin separation
- AUFS snapshotter configuration and plugin separation
- ZFS snapshotter configuration and plugin separation
- Pass custom snapshot labels when creating snapshot
- Add platform check for snapshotter support when unpacking
- Handle loopback mounts
- Support userxattr mount option for overlay in user namespace
- ZFS snapshotter implementation of usage

*Distribution*

- Improve registry response errors
- Improve image pull performance over HTTP 1.1
- Registry configuration package
- Add support for layers compressed with zstd
- Allow arm64 to fallback to arm (v8, v7, v6, v5)

*Runtime*

- Add annotations to containerd task update API
- Add logging binary support when terminal is true
- Runtime support on FreeBSD

*Windows*

- Implement windowsDiff.Compare to allow outputting OCI images
- Optimize WCOW snapshotter to commit writable layers as read-only parent layers
- Optimize LCOW snapshotter use of scratch layers

*CRI*

- Add NRI injection points cri#1552
- Add support for registry host directory configuration
- Update privileged containers to use current capabilities instead of known capabilities
- Add pod annotations to CNI call
- Enable ocicrypt by default
- Support PID NamespaceMode_TARGET

Impactful Client Updates
--------------------------------------------------------------------------------

This release has changes which may affect projects which import containerd.

*Switch to Go modules*

containerd and all containerd sub-repositories are now using Go modules. This
should help make importing easier for handling transitive dependencies. As of
this release, containerd still does not guarantee client library compatibility
for 1.x versions, although best effort is made to minimize impact from changes
to exported Go packages.

*CRI plugin moved to main repository*

With the CRI plugin moving into the main repository, imports under github.com/containerd/cri/
can now be found github.com/containerd/containerd/pkg/cri/.
There are no changes required for end users of CRI.

*Library changes*

oci

The WithAllCapabilities has been removed and replaced with WithAllCurrentCapabilities
and WithAllKnownCapabilities. WithAllKnownCapabilities has similar
functionality to the previous WithAllCapabilities with added support for newer
capabilities. WithAllCurrentCapabilities can be used to give privileged
containers the same set of permissions as the calling process, preventing errors
when privileged containers attempt to get more permissions than given to the
caller.

*Configuration changes*

New registry.config_path for CRI plugin

registry.config_path specifies a directory to look for registry hosts
configuration. When resolving an image name during pull operations, the CRI
plugin will look in the <registry.config_path>/<image hostname>/ directory
for host configuration. An optional hosts.toml file in that directory may be
used to configure which hosts will be used for the pull operation as well
host-specific configurations. Updates under that directory do not require
restarting the containerd daemon.

Enable registry.config_path in the containerd configuration file.

    [plugins."io.containerd.grpc.v1.cri".registry]
       config_path = "/etc/containerd/certs.d"
    Configure registry hosts, such as /etc/containerd/certs.d/docker.io/hosts.toml
    for any image under the docker.io namespace (any image on Docker Hub).

    server = "https://registry-1.docker.io"

    [host."https://public-mirror.example.com"]
      capabilities = ["pull"]
    [host."https://docker-mirror.internal"]
      capabilities = ["pull", "resolve"]
      ca = "docker-mirror.crt"

If no hosts.toml configuration exists in the host directory, it will fallback
to check certificate files based on Docker's certificate file
pattern (".crt" files for CA certificates and ".cert"/".key" files for client
certificates).

*Deprecation of registry.mirrors and registry.configs in CRI plugin*

Mirroring and TLS can now be configured using the new registry.config_path
option. Existing configurations may be migrated to new host directory
configuration. These fields are only deprecated with no planned removal,
however, these configurations cannot be used while registry.config_path is
defined.

*Version 1 schema is deprecated*

Version 2 of the containerd configuration toml is recommended format and the
default. Starting this version, a deprecation warning will be logged when
version 1 is used.

To check version, see the version value in the containerd toml configuration.

    version=2

FreeBSD Runtime Support (Experimental)
--------------------------------------------------------------------------------

This release includes changes that allow containerd to run on FreeBSD with a
compatible runtime, such as runj. This
support should be considered experimental and currently there are no official
binary releases for FreeBSD. The runtimes used by containerd are maintained
separately and have their own stability guarantees. The containerd project
strives to be compatible with any runtime which aims to implement containerd's
shim API and OCI runtime specification.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9b2f55bc1c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:36 +01:00
Sebastiaan van Stijn
1dd37750a6
Revert "[20.10] update containerd binary to v1.4.5"
This reverts commit 01f734cb4f.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:34 +01:00
Sebastiaan van Stijn
b097d29705
Revert "[20.10] update containerd binary to v1.4.6"
This reverts commit 56541eca9a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:32 +01:00
Sebastiaan van Stijn
de656f9da4
Revert "[20.10] update containerd binary to v1.4.7"
This reverts commit 793340a33a.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:30 +01:00
Sebastiaan van Stijn
9e36f77577
Revert "[20.10] update containerd binary v1.4.8"
This reverts commit 067918a8c3.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:28 +01:00
Sebastiaan van Stijn
eb2acf2fb3
Revert "[20.10] update containerd binary to v1.4.9"
This reverts commit e8fb8f7acd.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:26 +01:00
Sebastiaan van Stijn
4e838e50ea
Revert "[20.10] update containerd binary to v1.4.10"
This reverts commit 6835d15f55.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:24 +01:00
Sebastiaan van Stijn
79fd9c1541
Revert "[20.10] update containerd binary to v1.4.11"
This reverts commit 129a2000cf.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:22 +01:00
Sebastiaan van Stijn
13de46fd4b
Revert "[20.10] update containerd binary to v1.4.12"
This reverts commit d47de2a4c7.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-20 09:24:19 +01:00
Sebastiaan van Stijn
22ff2ed34b
Merge pull request #43147 from PettitWesley/backport-fluentd-fix
[20.10 backport] backport fluentd log driver async connect fix
2022-01-20 09:23:15 +01:00
Sebastiaan van Stijn
b106f7dfd0
Merge pull request #43153 from thaJeztah/20.10_bump_go_1.16.13
[20.10] update Go to 1.16.13
2022-01-18 17:37:54 +01:00
Sebastiaan van Stijn
aa92e697cb
[20.10] update Go to 1.16.13
go1.16.13 (released 2022-01-06) includes fixes to the compiler, linker, runtime,
and the net/http package. See the Go 1.16.13 milestone on our issue tracker for
details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.13+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-13 16:44:11 +01:00
Albin Kerouanton
f9df098e76 fluentd: Turn ForceStopAsyncSend true when async connect is used
The flag ForceStopAsyncSend was added to fluent logger lib in v1.5.0 (at
this time named AsyncStop) to tell fluentd to abort sending logs
asynchronously as soon as possible, when its Close() method is called.
However this flag was broken because of the way the lib was handling it
(basically, the lib could be stucked in retry-connect loop without
checking this flag).

Since fluent logger lib v1.7.0, calling Close() (when ForceStopAsyncSend
is true) will really stop all ongoing send/connect procedure,
wherever it's stucked.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
(cherry picked from commit bd61629b6b)
Signed-off-by: Wesley <wppttt@amazon.com>
2022-01-13 01:06:12 +00:00
Albin Kerouanton
81fc02b7e1 vendor: github.com/fluent/fluent-logger-golang v1.8.0
Updates the fluent logger library to v1.8.0. Following PRs/commits were
merged since last bump:

* [Add callback for error handling when using
  async](https://github.com/fluent/fluent-logger-golang/pull/97)
* [Fix panic when accessing unexported struct
  field](https://github.com/fluent/fluent-logger-golang/pull/99)
* [Properly stop logger during (re)connect
  failure](https://github.com/fluent/fluent-logger-golang/pull/82)
* [Support a TLS-enabled connection](e5d6aa13b7)

See https://github.com/fluent/fluent-logger-golang/compare/v1.6.1..v1.8.0

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
(cherry picked from commit e24d61b7ef)
Signed-off-by: Wesley <wppttt@amazon.com>
2022-01-13 01:05:52 +00:00
Cam
d6f3add5c6 vendor: github.com/fluent/fluent-logger-golang 1.6.1
Updates the fluent logger library. Namely this fixes a couple places
where the library could panic when closing and writing to channels.

see https://github.com/fluent/fluent-logger-golang/pull/93 and
https://github.com/fluent/fluent-logger-golang/pull/95

closes #40829
closes #32567

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit a6a98d6928)
Signed-off-by: Wesley <wppttt@amazon.com>
2022-01-13 01:05:12 +00:00
Tianon Gravi
b1fc0c84de
Merge pull request #43084 from AkihiroSuda/cherrypick-42736
[20.10 backport] daemon.WithCommonOptions() fix detection of user-namespaces
2022-01-07 16:09:12 -08:00
Sebastiaan van Stijn
660b9962e4
daemon.WithCommonOptions() fix detection of user-namespaces
Commit dae652e2e5 added support for non-privileged
containers to use ICMP_PROTO (used for `ping`). This option cannot be set for
containers that have user-namespaces enabled.

However, the detection looks to be incorrect; HostConfig.UsernsMode was added
in 6993e891d1 / ee2183881b,
and the property only has meaning if the daemon is running with user namespaces
enabled. In other situations, the property has no meaning.
As a result of the above, the sysctl would only be set for containers running
with UsernsMode=host on a daemon running with user-namespaces enabled.

This patch adds a check if the daemon has user-namespaces enabled (RemappedRoot
having a non-empty value), or if the daemon is running inside a user namespace
(e.g. rootless mode) to fix the detection.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a826ca3aef)

---
The cherry-pick was almost clean but `userns.RunningInUserNS()` -> `sys.RunningInUserNS()`.

Fix docker/buildx issue 561
---

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-12-15 18:20:07 +09:00
Justin Cormack
459d0dfbbb
Merge pull request #43077 from thaJeztah/20.10_bump_go_1.16.12
[20.10] update Go to 1.16.12
2021-12-12 10:11:51 +00:00
Sebastiaan van Stijn
a621bc007b
[20.10] update Go to 1.16.12
go1.16.12 (released 2021-12-09) includes security fixes to the syscall and net/http
packages. See the Go 1.16.12 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.12+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-12-12 01:15:00 +01:00
Brian Goff
4bed71ae9a
Merge pull request #43063 from thaJeztah/20.10_bump_go_1.16.11
[20.10] update Go to 1.16.11
2021-12-08 10:09:17 -08:00
Sebastiaan van Stijn
f4daf9dd08
[20.10] update Go to 1.16.11
go1.16.11 (released 2021-12-02) includes fixes to the compiler, runtime, and the
net/http, net/http/httptest, and time packages. See the Go 1.16.11 milestone on
the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.11+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-12-06 10:16:12 +01:00
Sebastiaan van Stijn
847da184ad
Merge pull request #43004 from AkihiroSuda/cherrypick-42152
[20.10 backport] info: unset cgroup-related fields when CgroupDriver == none
2021-11-18 01:21:59 +01:00
Sebastiaan van Stijn
4a27cd1a1b
Merge pull request #43027 from thaJeztah/20.10_backport_update_image_spec
[20.10 backport] vendor: github.com/opencontainers/image-spec v1.0.2
2021-11-18 01:16:31 +01:00
Sebastiaan van Stijn
7568123fc4
Merge pull request #43023 from thaJeztah/20.10_bump_buildkit
[20.10] vendor: github.com/moby/buildkit v0.8.3-4-gbc07b2b8
2021-11-18 00:18:46 +01:00
Sebastiaan van Stijn
c98869341b
Merge pull request #43024 from thaJeztah/20.10_containerd_1.4.12
[20.10] update containerd binary to v1.4.12
2021-11-18 00:04:51 +01:00
Sebastiaan van Stijn
dc015972bb
vendor: github.com/opencontainers/image-spec v1.0.2
- Bring mediaType out of reserved status
- specs-go: adding mediaType to the index and manifest structures

full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit cef0a7c14e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-18 00:03:29 +01:00
Sebastiaan van Stijn
11b3bfee6c
Merge pull request #43028 from thaJeztah/20.10_fix_vendor_conf
[20.10] fix vendor validation
2021-11-17 23:08:36 +01:00
Sebastiaan van Stijn
e0108db2bd
[20.10] fix vendor validation
Looks like vndr didn't like the replace rule missing a scheme;

    github.com/docker/distribution: Err: exit status 128, out: fatal: repository 'github.com/samuelkarp/docker-distribution' does not exist
    github.com/containerd/containerd: Err: exit status 128, out: fatal: repository 'github.com/moby/containerd' does not exist

While at it, I also replaced the schem for go-immutable-radix, because GitHub
is deprecating the git:// protocol.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-17 22:13:44 +01:00
Sebastiaan van Stijn
d47de2a4c7
[20.10] update containerd binary to v1.4.12
The twelfth patch release for containerd 1.4 contains a few minor bug fixes
and an update to mitigate CVE-2021-41190.

Notable Updates

* Handle ambiguous OCI manifest parsing GHSA-5j5w-g665-5m35
* Update pull to try next mirror for non-404 errors
* Update pull to handle of non-https urls in descriptors

See the changelog for complete list of changes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-17 21:01:41 +01:00
Sebastiaan van Stijn
da9c983789
[20.10] vendor: github.com/moby/buildkit v0.8.3-4-gbc07b2b8
imageutil: make mediatype detection more stricter to mitigate CVE-2021-41190.

full diff: 244e8cde63...bc07b2b81b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-17 20:40:17 +01:00
Sebastiaan van Stijn
10106a0f66
Merge pull request from GHSA-xmmx-7jpf-fx42
[20.10] vendor: update github.com/docker/distribution and github.com/containerd/containerd
2021-11-17 20:34:50 +01:00
Samuel Karp
c1f352c4b1
distribution: validate blob type
Signed-off-by: Samuel Karp <skarp@amazon.com>
2021-11-15 14:25:52 -08:00
Samuel Karp
c96ed28f2f
vendor: update github.com/containerd/containerd
Signed-off-by: Samuel Karp <skarp@amazon.com>
2021-11-15 14:25:52 -08:00
Akihiro Suda
7bd682c48c
Merge pull request #43008 from thaJeztah/20.10_backport_fix_TestBuildUserNamespaceValidateCapabilitiesAreV2
[20.10 backport] TestBuildUserNamespaceValidateCapabilitiesAreV2: cleanup daemon storage
2021-11-11 15:36:36 +09:00
Sebastiaan van Stijn
7677aeafd7
TestBuildUserNamespaceValidateCapabilitiesAreV2: cleanup daemon storage
This should help with Jenkins failing to clean up the Workspace:

- make sure "cleanup" is also called in the defer for all daemons. keeping
  the daemon's storage around prevented Jenkins from cleaning up.
- close client connections and some readers (just to be sure)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit eea2758761)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-10 14:12:12 +01:00
Sebastiaan van Stijn
34eb6fbe60
testutil: daemon.Cleanup(): cleanup more directories
The storage-driver directory caused Jenkins cleanup to fail. While at it, also
removing other directories that we do not include in the "bundles" that are
stored as Jenkins artifacts.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1a15a1a061)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-10 14:12:09 +01:00
Sebastiaan van Stijn
c7b97c306a
Merge pull request #42987 from thaJeztah/20.10_backport_create_panic_log_without_readonly
[20.10 backport] [Windows]] cmd/dockerd: create panic.log file without readonly flag
2021-11-09 22:05:55 +01:00
Akihiro Suda
0e76a0a418
info: unset cgroup-related fields when CgroupDriver == none
Fix issue 42151

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 039e9670cb)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-11-09 18:43:44 +09:00
Tianon Gravi
d9b2f4d0c8
Merge pull request #42989 from thaJeztah/20.10_bump_go_1.16.10
[20.10] Update Go to 1.16.10
2021-11-08 13:05:28 -08:00
Sebastiaan van Stijn
c7edd308ad
[20.10] Update Go to 1.16.10
go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the
misc/wasm directory, and to the net/http package. See the Go 1.16.10 milestone
for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.10+label%3ACherryPickApproved

From the announcement e-mail:

[security] Go 1.17.3 and Go 1.16.10 are released

We have just released Go versions 1.17.3 and 1.16.10, minor point releases.
These minor releases include two security fixes following the security policy:

- archive/zip: don't panic on (*Reader).Open
  Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made
  to panic by an attacker providing either a crafted ZIP archive containing
  completely invalid names or an empty filename argument.
  Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code
  Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue
  golang.org/issue/48085.
- debug/macho: invalid dynamic symbol table command can cause panic
  Malformed binaries parsed using Open or OpenFat can cause a panic when calling
  ImportedSymbols, due to an out-of-bounds slice operation.
  Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this
  issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-05 11:10:49 +01:00
Samuel Karp
b3456925ca
vendor: update github.com/docker/distribution
Signed-off-by: Samuel Karp <skarp@amazon.com>
2021-11-04 14:41:33 -07:00
Aleksandr Chebotov
6611c72b65
cmd/dockerd: create panic.log file without readonly flag
Signed-off-by: Aleksandr Chebotov <v-aleche@microsoft.com>
(cherry picked from commit b865204042)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-11-03 14:30:08 +01:00
Sebastiaan van Stijn
9a309c6165
Merge pull request #42971 from thaJeztah/20.10_backport_fix_TestCreateServiceSecretFileMode
[20.10 backport] Fix race in TestCreateServiceSecretFileMode, TestCreateServiceConfigFileMode
2021-11-03 14:29:53 +01:00
Sebastiaan van Stijn
4b9a3dac46
Fix race in TestCreateServiceSecretFileMode, TestCreateServiceConfigFileMode
Looks like this test was broken from the start, and fully relied on a race
condition. (Test was added in 65ee7fff02)

The problem is in the service's command: `ls -l /etc/config || /bin/top`, which
will either:

- exit immediately if the secret is mounted correctly at `/etc/config` (which it should)
- keep running with `/bin/top` if the above failed

After the service is created, the test enters a race-condition, checking for 1
task to be running (which it ocassionally is), after which it proceeds, and looks
up the list of tasks of the service, to get the log output of `ls -l /etc/config`.

This is another race: first of all, the original filter for that task lookup did
not filter by `running`, so it would pick "any" task of the service (either failed,
running, or "completed" (successfully exited) tasks).

In the meantime though, SwarmKit kept reconciling the service, and creating new
tasks, so even if the test was able to get the ID of the correct task, that task
may already have been exited, and removed (task-limit is 5 by default), so only
if the test was "lucky", it would be able to get the logs, but of course, chances
were likely that it would be "too late", and the task already gone.

The problem can be easily reproduced when running the steps manually:

    echo 'CONFIG' | docker config create myconfig -

    docker service create --config source=myconfig,target=/etc/config,mode=0777 --name myservice busybox sh -c 'ls -l /etc/config || /bin/top'

The above creates the service, but it keeps retrying, because each task exits
immediately (followed by SwarmKit reconciling and starting a new task);

    mjntpfkkyuuc1dpay4h00c4oo
    overall progress: 0 out of 1 tasks
    1/1: ready     [======================================>            ]
    verify: Detected task failure
    ^COperation continuing in background.
    Use `docker service ps mjntpfkkyuuc1dpay4h00c4oo` to check progress.

And checking the tasks for the service reveals that tasks exit cleanly (no error),
but _do exit_, so swarm just keeps up reconciling, and spinning up new tasks;

    docker service ps myservice --no-trunc
    ID                          NAME              IMAGE                                                                                    NODE             DESIRED STATE   CURRENT STATE                     ERROR     PORTS
    2wmcuv4vffnet8nybg3he4v9n   myservice.1       busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Ready           Ready less than a second ago
    5p8b006uec125iq2892lxay64    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete less than a second ago
    k8lpsvlak4b3nil0zfkexw61p    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete 6 seconds ago
    vsunl5pi7e2n9ol3p89kvj6pn    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete 11 seconds ago
    orxl8b6kt2l6dfznzzd4lij4s    \_ myservice.1   busybox:latest@sha256:f7ca5a32c10d51aeda3b4d01c61c6061f497893d7f6628b92f822f7117182a57   docker-desktop   Shutdown        Complete 17 seconds ago

This patch changes the service's command to `sleep`, so that a successful task
(after successfully performing `ls -l /etc/config`) continues to be running until
the service is deleted. With that change, the service should (usually) reconcile
immediately, which removes the race condition, and should also make it faster :)

This patch changes the tests to use client.ServiceLogs() instead of using the
service's tasklist to directly access container logs. This should also fix some
failures that happened if some tasks failed to start before reconciling, in which
case client.TaskList() (with the current filters), could return more tasks than
anticipated (as it also contained the exited tasks);

    === RUN   TestCreateServiceSecretFileMode
        create_test.go:291: assertion failed: 2 (int) != 1 (int)
    --- FAIL: TestCreateServiceSecretFileMode (7.88s)
    === RUN   TestCreateServiceConfigFileMode
        create_test.go:355: assertion failed: 2 (int) != 1 (int)
    --- FAIL: TestCreateServiceConfigFileMode (7.87s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 13cff6d583)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-27 12:30:35 +02:00
Sebastiaan van Stijn
e2f740de44
Merge pull request #42959 from thaJeztah/20.10_backport_fix_racey_health_test
[20.10 backport] Fix racey TestHealthKillContainer
2021-10-22 17:32:27 +02:00
Brian Goff
acb4f263b3
Fix racey TestHealthKillContainer
Before this change if you assume that things work the way the test
expects them to (it does not, but lets assume for now) we aren't really
testing anything because we are testing that a container is healthy
before and after we send a signal. This will give false positives even
if there is a bug in the underlying code. Sending a signal can take any
amount of time to cause a container to exit or to trigger healthchecks
to stop or whatever.

Now lets remove the assumption that things are working as expected,
because they are not.
In this case, `top` (which is what is running in the container) is
actually exiting when it receives `USR1`.
This totally invalidates the test.

We need more control and knowledge as to what is happening in the
container to properly test this.
This change introduces a custom script which traps `USR1` and flips the
health status each time the signal is received.
We then send the signal twice so that we know the change has occurred
and check that the value has flipped so that we know the change has
actually occurred.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 27ba755f70)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-22 09:30:08 +02:00
Sebastiaan van Stijn
8ab80e4a20
Merge pull request #42957 from thaJeztah/20.10_backport_rootless_quotes
[20.10 backport] rootless script fixes
2021-10-22 08:17:00 +02:00
Sebastiaan van Stijn
52f5b613ba
Merge pull request #42956 from cpuguy83/20.10-backport-kill-fixes
[20.10] Backport fixes for kill/stop handling
2021-10-21 20:10:22 +02:00
Sebastiaan van Stijn
a4b1ae5153
Merge pull request #42954 from crazy-max/20.10_build-local-normalized
[20.10 backport] buildkit: normalize build target and local platform
2021-10-21 20:07:21 +02:00
Chenyang Yan
59d2a2c397
dockerd-rootless.sh: Fix variable not double quotes cause unexpected behavior
```
$ cat test.sh

echo "orign value=$XDG_RUNTIME_DIR"

echo "1. with [ ] not quote ..."
[ -w $XDG_RUNTIME_DIR ]
echo "get 1 ret_code: $?"

echo "2. with [ ] and quote ..."
[ -w "$XDG_RUNTIME_DIR" ]
echo "get 2 ret_code: $?"

$ sh ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1

$ bash ./test.sh
orign value=
1. with [ ] not quote ...
get 1 ret_code: 0
2. with [ ] and quote ...
get 2 ret_code: 1
```

Signed-off-by: Chenyang Yan <memory.yancy@gmail.com>
(cherry picked from commit a8ce4d47c3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-21 19:51:55 +02:00
Hugo Barrera
2c6aa5aad9
Remove needless check
Starting `dockerd-rootless.sh` checks that `$HOME` is writeable, but does not
require it to be so.
Make the check more precise, and check that it actually exists and is a
directory.

Signed-off-by: Hugo Osvaldo Barrera <hugo@barrera.io>
(cherry picked from commit 3980d0462d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-21 19:51:49 +02:00
Cam
3285c27503 Fix log statement 'failed to exit' timeout accuracy
log statement should reflect how long it actually waited, not how long
it theoretically could wait based on the 'seconds' integer passed in.

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit d15ce134ef)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-20 22:35:44 +00:00
Cam
a4bcd4c64f docker daemon container stop refactor
this refactors the Stop command to fix a few issues and behaviors that
dont seem completely correct:

1. first it fixes a situation where stop could hang forever (#41579)
2. fixes a behavior where if sending the
stop signal failed, then the code directly sends a -9 signal. If that
fails, it returns without waiting for the process to exit or going
through the full docker kill codepath.
3. fixes a behavior where if sending the stop signal failed, then the
code sends a -9 signal. If that succeeds, then we still go through the
same stop waiting process, and may even go through the docker kill path
again, even though we've already sent a -9.
4. fixes a behavior where the code would wait the full 30 seconds after
sending a stop signal, even if we already know the stop signal failed.

fixes #41579

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit 8e362b75cb)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-20 22:35:40 +00:00
Cam
bed624fdc9 docker kill: fix bug where failed kills didnt fallback to unix kill
1. fixes #41587
2. removes potential infinite Wait and goroutine leak at end of kill
function

fixes #41587

Signed-off-by: Cam <gh@sparr.email>
(cherry picked from commit e57a365ab1)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-10-20 22:33:15 +00:00
CrazyMax
80b7e8b5d7 buildkit: normalize build target and local platform
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit b4e056d556)
2021-10-20 12:47:07 +02:00
Sebastiaan van Stijn
9f5b26fb86
Merge pull request #42944 from kevpar/20.10_update-winio
[20.10] vendor: Update go-winio to v0.4.20
2021-10-18 14:50:48 +02:00
Kevin Parsons
c2b9a32875 vendor: Update go-winio to v0.4.20
Updates go-winio to the latest v0.4.x version. The main important fix
here is to go-winio's backuptar package. This is needed to fix a bug in
sparse file handling in container layers, which was exposed by a recent
change in Windows.

go-winio v0.4.20: https://github.com/microsoft/go-winio/releases/tag/v0.4.20

Signed-off-by: Kevin Parsons <kevpar@microsoft.com>
2021-10-15 15:24:08 -07:00
Sebastiaan van Stijn
dc084ac10e
Merge pull request #42923 from thaJeztah/20.10_bump_go_1.16.9
[20.10] Update Go to 1.16.9
2021-10-15 12:57:25 +02:00
Sebastiaan van Stijn
a8a4b81d6a
Merge pull request #42901 from thaJeztah/20.10_update_containerd_1.4.10
[20.10] update containerd binary to v1.4.11
2021-10-14 20:32:09 +02:00
Sebastiaan van Stijn
c580a02873
[20.10] Update Go to 1.16.9
go1.16.9 (released 2021-10-07) includes a security fix to the linker and misc/wasm
directory, as well as bug fixes to the runtime and to the text/template package.
See the Go 1.16.9 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.9+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-08 15:14:58 +02:00
Sebastiaan van Stijn
da3769688a
Merge pull request #42875 from awmirantis/bump_swarmkit_fix_rollback
[20.10] Bump swarmkit to get fix for rollback
2021-10-07 15:15:42 +02:00
Tianon Gravi
59beba295e
Merge pull request #42844 from AkihiroSuda/cherrypick-42764
[20.10 backport] update runc binary to v1.0.2
2021-10-06 17:33:46 -07:00
Tianon Gravi
e086edaadf
Merge pull request #42760 from AkihiroSuda/cherrypick-42708
[20.10 backport] bump up rootlesskit to v0.14.4
2021-10-06 17:32:53 -07:00
Sebastiaan van Stijn
129a2000cf
[20.10] update containerd binary to v1.4.11
The eleventh patch release for containerd 1.4 is a security release to fix CVE-2021-41103.

Notable Updates

- Fix insufficiently restricted permissions on container root and plugin directories GHSA-c2h3-6mxw-7mvq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-04 21:15:47 +02:00
Sebastiaan van Stijn
6835d15f55
[20.10] update containerd binary to v1.4.10
- Update runc to v1.0.2
- Update hcsshim to v0.8.21
- Support "clone3" in default seccomp profile
- Fix panic in metadata content writer on copy error

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-04 21:14:20 +02:00
Sebastiaan van Stijn
9cd3585bf5
Merge pull request #42843 from AkihiroSuda/cherrypick-42791
[20.10 backport] cmd/dockerd: add the link of "the documentation"
2021-10-04 21:10:52 +02:00
Sebastiaan van Stijn
1c2ca1f624
Merge pull request #42869 from pete-woods/backport-quota-package-cgo-fix
[20.10 backport] quota: adjust build-tags to allow build without CGO
2021-10-04 21:10:12 +02:00
Sebastiaan van Stijn
977283509f
Merge pull request #42836 from tianon/20.10-clone3
[20.10 backport] seccomp: add support for "clone3" syscall in default policy
2021-10-04 21:08:57 +02:00
Sebastiaan van Stijn
79ea9d3080
Merge pull request #5 from moby/20.10_bump_go_1.16.8
[20.10] Update Go to 1.16.8
2021-09-23 20:26:18 +02:00
Adam Williams
5730c139f7 Bump swarmkit to get fix for rollback
Signed-off-by: Adam Williams <awilliams@mirantis.com>
2021-09-22 11:21:01 -07:00
Tibor Vass
59f10e3435
quota: adjust build-tags to allow build without CGO
This is to allow quota package (without tests) to be built without cgo.
makeBackingFsDev was used in helpers but not defined in projectquota_unsupported.go

Also adjust some GoDoc to follow the standard format.

Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7cf079acdb)
Signed-off-by: Pete Woods <pete.woods@circleci.com>
2021-09-20 14:19:22 +01:00
Sebastiaan van Stijn
fa78afebcf
Update Go to 1.16.8
This includes additional fixes for CVE-2021-39293.

go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip package,
as well as bug fixes to the archive/zip, go/internal/gccgoimporter, html/template,
net/http, and runtime/pprof packages. See the Go 1.16.8 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.8+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-09-15 13:48:01 +02:00
Tianon Gravi
567c01f6d1 seccomp: add support for "clone3" syscall in default policy
This is a backport of 9f6b562dd1, adapted to avoid the refactoring that happened in d92739713c.

Original commit message is as follows:

> If no seccomp policy is requested, then the built-in default policy in
> dockerd applies. This has no rule for "clone3" defined, nor any default
> errno defined. So when runc receives the config it attempts to determine
> a default errno, using logic defined in its commit:
>
>   opencontainers/runc@7a8d716
>
> As explained in the above commit message, runc uses a heuristic to
> decide which errno to return by default:
>
> [quote]
>   The solution applied here is to prepend a "stub" filter which returns
>   -ENOSYS if the requested syscall has a larger syscall number than any
>   syscall mentioned in the filter. The reason for this specific rule is
>   that syscall numbers are (roughly) allocated sequentially and thus newer
>   syscalls will (usually) have a larger syscall number -- thus causing our
>   filters to produce -ENOSYS if the filter was written before the syscall
>   existed.
> [/quote]
>
> Unfortunately clone3 appears to one of the edge cases that does not
> result in use of ENOSYS, instead ending up with the historical EPERM
> errno.
>
> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
> clone3 by default. If it sees ENOSYS then it will automatically
> fallback to using clone. Any other errno is treated as a fatal
> error. Thus when docker seccomp policy triggers EPERM from clone3,
> no fallback occurs and programs are thus unable to spawn threads.
>
> The clone3 syscall is much more complicated than clone, most notably its
> flags are not exposed as a directly argument any more. Instead they are
> hidden inside a struct. This means that seccomp filters are unable to
> apply policy based on values seen in flags. Thus we can't directly
> replicate the current "clone" filtering for "clone3". We can at least
> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
> at which point we can filter on flags.

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
2021-09-13 08:56:21 -07:00
Akihiro Suda
07728cd2bd
update runc binary to v1.0.2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 14189170d1)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-09-13 15:19:53 +09:00
Akihiro Suda
964768f200
cmd/dockerd: add the link of "the documentation"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 1a67e9572e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-09-13 15:17:42 +09:00
Sebastiaan van Stijn
bce32e5c93
Merge pull request #4 from moby/20.10-ghsa-v994-f8vw-g7j4-chroot-mkdir
[20.10] chrootarchive: don't create parent dirs outside of chroot
2021-09-09 20:50:12 +02:00
Sebastiaan van Stijn
f0ab919f51
Merge pull request #2 from moby/20.10-GHSA-3fwx-pjgw-3558_0701-perms
[20.10] Lock down docker root dir perms.
2021-09-09 20:45:08 +02:00
Tonis Tiigi
80f1169eca chrootarchive: don't create parent dirs outside of chroot
If chroot is used with a special root directory then create
destination directory within chroot. This works automatically
already due to extractor creating parent paths and is only
used currently with cp where parent paths are actually required
and error will be shown to user before reaching this point.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-08-19 20:49:31 +00:00
Brian Goff
93ac040bf0 Lock down docker root dir perms.
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND critically
container users need to be able to do execute things.

0701 on lower directories also happens to allow any user to modify
     things in, for instance, the overlay upper dir which neccessarily
     has 0755 permissions.

This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.

This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-08-19 20:40:15 +00:00
Akihiro Suda
b0c0b73798
bump up rootlesskit to v0.14.4
Fixes `panic: tap2vif: read: read /dev/net/tun: not pollable` on early
start up of RootlessKit with VPNKit.

Changes:
- https://github.com/rootless-containers/rootlesskit/releases/tag/v0.14.4
- https://github.com/rootless-containers/rootlesskit/releases/tag/v0.14.3

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9499acc360)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-19 16:21:01 +09:00
Sebastiaan van Stijn
d24c6dc5cf
Merge pull request #42721 from thaJeztah/20.10_backport_bump_go_1.16.7
[20.10 backport] Update Go to 1.16.7
2021-08-17 14:12:42 +02:00
Sebastiaan van Stijn
decb56ac89
Update Go to 1.16.7
go1.16.7 (released 2021-08-05) includes a security fix to the net/http/httputil
package, as well as bug fixes to the compiler, the linker, the runtime, the go
command, and the net/http package. See the Go 1.16.7 milestone on the issue
tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.7+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b1f7ffea9f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-08-07 18:16:20 +02:00
Sebastiaan van Stijn
75249d88bc
Merge pull request #42695 from thaJeztah/20.10_update_containerd_1.4.9
[20.10] update containerd binary to v1.4.9
2021-07-30 03:30:57 +02:00
Brian Goff
af8e58faef
Merge pull request #42659 from AkihiroSuda/runc-v1.0.1-2010
[20.10 backport] update runc binary to v1.0.1
2021-07-29 10:48:18 -07:00
Sebastiaan van Stijn
e8fb8f7acd
[20.10] update containerd binary to v1.4.9
Welcome to the v1.4.9 release of containerd!

The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull authorization logic on redirect
- Fix user agent used for fetching registry authentication tokens

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 19:43:43 +02:00
Akihiro Suda
4cfeb27f78
update runc binary to v1.0.1
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit f50c7644cf)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-20 13:51:38 +09:00
Brian Goff
013d6655bb
Merge pull request #42657 from thaJeztah/20.10_containerd_1.4.8 2021-07-19 16:46:25 -07:00
Sebastiaan van Stijn
067918a8c3
[20.10] update containerd binary v1.4.8
Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-19 21:21:53 +02:00
Akihiro Suda
e7bf9923d4
Merge pull request #42643 from thaJeztah/20.10_backport_bump_go116 2021-07-18 18:50:31 +09:00
Sebastiaan van Stijn
b0da207af4
Bump go 1.16.6 (addresses CVE-2021-34558)
This addresses CVE-2021-34558: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34558

go1.16.6 (released 2021-07-12) includes a security fix to the crypto/tls package,
as well as bug fixes to the compiler, and the net and net/http packages. See the
Go 1.16.6 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe6f1a4067)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:20 +02:00
Sebastiaan van Stijn
abe8c4e80d
updated vendored archive/tar to go1.16.5
result of: `hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3ed804aeca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:18 +02:00
Sebastiaan van Stijn
7c6645b32b
update archive/tar patch for go 1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f400e84a43)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:14 +02:00
Sebastiaan van Stijn
55c363ef48
Bump go 1.16.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae5ddd257c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-16 19:45:10 +02:00
Tianon Gravi
0fbb0f869a
Merge pull request #42642 from thaJeztah/20.10_backport_test_changes_for_go116
[20.10 backport] various test-changes for Go 1.16
2021-07-16 17:32:35 +00:00
Sebastiaan van Stijn
8b0913935c
integration: ensurePlugin: disable go modules when building plugin
=== RUN   TestServicePlugin
        plugin_test.go:42: assertion failed: error is not nil: error building basic plugin bin: no required module provides package github.com/docker/docker/testutil/fixtures/plugin/basic: go.mod file not found in current directory or any parent directory; see 'go help modules'
            : exit status 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7070df3a3e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:25:29 +02:00
Sebastiaan van Stijn
09a7efb1f7
hack/ci/windows.ps1: disable go modules
INFO: Running integration tests at 05/17/2021 12:54:50...
    INFO: DOCKER_HOST at tcp://127.0.0.1:2357
    INFO: Integration API tests being run from the host:
    INFO: make.ps1 starting at 05/17/2021 12:54:50
    powershell.exe : go: cannot find main module, but found vendor.conf in D:\gopath\src\github.com\docker\docker
    At D:\gopath\src\github.com\docker\docker@tmp\durable-1ed00396\powershellWrapper.ps1:3 char:1
    + & powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Comm ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (go: cannot find...m\docker\docker:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

    	to create a module there, run:
    	go mod init
    INFO: make.ps1 ended at 05/17/2021 12:54:51

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8bae2278ba)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:25:18 +02:00
Sebastiaan van Stijn
6793ff26d8
pkg/fileutils: TestMatches: remove cases no longer valid for go1.16
These tests were no longer valid on Go 1.16; related to https://tip.golang.org/doc/go1.16#path/filepath

> The Match and Glob functions now return an error if the unmatched part of
> the pattern has a syntax error. Previously, the functions returned early on
> a failed match, and thus did not report any later syntax error in the pattern.

Causing the test to fail:

    === RUN   TestMatches
        fileutils_test.go:388: assertion failed: error is not nil: syntax error in pattern: pattern="a\\" text="a"
    --- FAIL: TestMatches (0.00s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2842639e0e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:24:50 +02:00
Sebastiaan van Stijn
ab9a92f79c
Update test certificates
Updates the certificates to account for current versions of Go expecting
SANs to be used instead of the Common Name field:

    FAIL: s390x.integration.plugin.authz TestAuthZPluginTLS (0.53s)
    [2020-07-26T09:36:58.638Z]     authz_plugin_test.go:132: assertion failed:
        error is not nil: error during connect: Get "https://localhost:4271/v1.41/version":
        x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe54215fb3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:24:21 +02:00
Sebastiaan van Stijn
1d4a06e610
hack: add script to regenerate certificates
Certificates were originally added in c000cb6471,
but did not include a script to generate them. Current versions of Go expect
certificates to use SAN instead of Common Name fields, so updating the script
to include those;

    x509: certificate relies on legacy Common Name field, use SANs or temporarily
    enable Common Name matching with GODEBUG=x509ignoreCN=0

Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2fea30f146)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:23:47 +02:00
moby
feaca9816a
hack/vendor: add check for vendored archive/tar
Also allow re-vendoring using `./hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 31b2c3bbd9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-15 22:23:01 +02:00
Sebastiaan van Stijn
cc5a381cbc
Merge pull request #42633 from thaJeztah/20.10_backport_warn_on_non_matching_platform
[20.10 backport] docker pull: warn when pulled single-arch image does not match --platform
2021-07-15 20:46:08 +02:00
Sebastiaan van Stijn
8b224ca06c
Merge pull request #42462 from AkihiroSuda/cherrypick-rootless-selinux-42334
[20.10 backport] rootless:  avoid /run/xtables.lock EACCES on SELinux hosts  ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
2021-07-15 20:45:36 +02:00
Sebastiaan van Stijn
a5044765b9
Merge pull request #42479 from AkihiroSuda/cherrypick-42071
[20.10 backport] Fix setting swaplimit=true without checking
2021-07-15 20:44:23 +02:00
Sebastiaan van Stijn
8a2af96969
Merge pull request #42591 from thaJeztah/20.10_backport_update_s390x_ubuntu_2004
[20.10 backport] Run s390x tests on Ubuntu 20.04
2021-07-15 20:42:09 +02:00
Sebastiaan van Stijn
c37c7b5c95
Merge pull request #42613 from thaJeztah/20.10_update_hcsshim
[20.10] vendor github.com/Microsoft/hcsshim 64a2b71405dacf76c95600f4c756a991ad09cf7c (moby branch)
2021-07-15 20:39:53 +02:00
Brian Goff
883cc3682d
Merge pull request #42602 from thaJeztah/20.10_backport_swagger_404
[20.10 backport] API: fix 404 status description on container create
2021-07-15 11:34:29 -07:00
Brian Goff
a1a73d1477
Merge pull request #42568 from thaJeztah/20.10_backport_runc_v1.0.0
[20.10 backport] update runc binary to v1.0.0 GA
2021-07-15 11:32:20 -07:00
Brian Goff
555bf586c7
Merge pull request #42637 from thaJeztah/20.10_update_containerd
[20.10] update containerd binary to v1.4.7
2021-07-15 11:30:13 -07:00
Sebastiaan van Stijn
4b407e4140
Merge pull request #42595 from thaJeztah/20.10_backport_update_swagger_fork
[20.10 backport] Dockerfile: update go-swagger to fix validation on Go1.16
2021-07-14 10:11:59 +02:00
Sebastiaan van Stijn
793340a33a
[20.10] update containerd binary to v1.4.7
full diff: https://github.com/containerd/containerd/compare/v1.4.6...v1.4.7

Welcome to the v1.4.7 release of containerd!

The seventh patch release for containerd 1.4 updates runc to 1.0.0 and contains
various other fixes.

Notable Updates

- Update runc binary to 1.0.0
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix symlink resolution for disk mounts on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-13 23:41:22 +02:00
Sebastiaan van Stijn
7429792eed
docker pull: warn when pulled single-arch image does not match --platform
This takes the same approach as was implemented on `docker build`, where a warning
is printed if `FROM --platform=...` is used (added in 399695305c)

Before:

    docker rmi armhf/busybox
    docker pull --platform=linux/s390x armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    docker.io/armhf/busybox:latest

With this change:

    docker rmi armhf/busybox
    docker pull --platform=linux/s390x armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    WARNING: image with reference armhf/busybox was found but does not match the specified platform: wanted linux/s390x, actual: linux/arm64
    docker.io/armhf/busybox:latest

And daemon logs print:

   WARN[2021-04-26T11:19:37.153572667Z] ignoring platform mismatch on single-arch image  error="image with reference armhf/busybox was found but does not match the specified platform: wanted linux/s390x, actual: linux/arm64" image=armhf/busybox

When pulling without specifying `--platform, no warning is currently printed (but we can add a warning in future);

    docker rmi armhf/busybox
    docker pull armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    docker.io/armhf/busybox:latest

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 424c0eb3c0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-13 17:06:58 +02:00
Sebastiaan van Stijn
72b66d56a5
[20.10] vendor github.com/Microsoft/hcsshim 64a2b71405dacf76c95600f4c756a991ad09cf7c (moby branch)
Brings in microsoft/hcsshim#1065, which fixes #42610.

full diff: 89a9a3b524...64a2b71405

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-09 20:06:40 +02:00
Sebastiaan van Stijn
50c392c9ff
API: fix 404 status description on container create
This updates the current swagger file, and all docs versions
with the same fix as ff1d9a3ec5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 68b095d4df)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-07 11:50:43 +02:00
Matt Morrison
025e3a7898
Update v1.41.yaml
fix containers/create 404 response description

Signed-off-by: Matt Morrison <3241034+Emdot@users.noreply.github.com>
(cherry picked from commit ff1d9a3ec5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-07 11:50:26 +02:00
Akihiro Suda
b9cf7b7db5
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc` .

See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 8610d8ce4c)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-06 18:57:43 +09:00
Akihiro Suda
869b50e10b
rootless: disable overlay2 if running with SELinux
Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux.

On the other hand, fuse-overlayfs is compatible.

Close issue 42333

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 4300a52606)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-06 18:57:39 +09:00
Akihiro Suda
44f95c7126
dockerd-rootless.sh: avoid /run/xtables.lock EACCES on SELinux hosts
Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

e6fc34b71a/libpod/networking_linux.go (L396-L401)

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cdaf82ba3f)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-07-06 18:57:38 +09:00
Sebastiaan van Stijn
78bb0f445a
Dockerfile: update go-swagger to fix validation on Go1.16
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 42d2048b9d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-03 17:23:07 +02:00
Stefan Scherer
618f6a79ab
Run s390x tests on Ubuntu 20.04
Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit 7a6cac2b23)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 14:41:13 +02:00
Akihiro Suda
872cb16edb
update runc binary to v1.0.0 GA
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 64badfc018)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-24 22:19:37 +02:00
Sebastiaan van Stijn
46a7ebc540
Merge pull request #42561 from ameyag/20.10-logbroker
[20.10] vendor: swarmkit to fix deadlock in log broker (bump_20.10)
2021-06-24 15:23:30 +02:00
Ameya Gawde
4d42e18c05
vendor: swarmkit to fix deadlock in log broker
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2021-06-23 16:45:51 -07:00
Akihiro Suda
87e28a6171
Merge pull request #42538 from ameyag/20.10-overlap-ip
[20.10 backport] Fix possible overlapping IPs
2021-06-19 18:05:46 +09:00
Drew Erny
89edb68e89
Fix possible overlapping IPs
A node is no longer using its load balancer IP address when it no longer
has tasks that use the network that requires that load balancer. When
this occurs, the swarmkit manager will free that IP in IPAM, and may
reaassign it.

When a task shuts down cleanly, it attempts removal of the networks it
uses, and if it is the last task using those networks, this removal
succeeds, and the load balancer IP is freed.

However, this behavior is absent if the container fails. Removal of the
networks is never attempted.

To address this issue, I amend the executor. Whenever a node load
balancer IP is removed or changed, that information is passedd to the
executor by way of the Configure method. By keeping track of the set of
node NetworkAttachments from the previous call to Configure, we can
determine which, if any, have been removed or changed.

At first, this seems to create a race, by which a task can be attempting
to start and the network is removed right out from under it. However,
this is already addressed in the controller. The controller will attempt
to recreate missing networks before starting a task.

Signed-off-by: Drew Erny <derny@mirantis.com>
(cherry picked from commit 0d9b0ed678)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>
2021-06-18 10:13:59 -07:00
Tianon Gravi
4d29d58a65
Merge pull request #42507 from thaJeztah/20.10_backport_disable_power_z
[20.10 backport] Jenkinsfile: skip ppc64le and s390x by default on pull requests
2021-06-10 12:06:52 -07:00
Sebastiaan van Stijn
523f8b397c
Jenkinsfile: skip ppc64le and s390x by default on pull requests
This changes CI to skip these platforms by default. The ppc64le and s390x
machines are "pet machines", configuration may be outdated, and these
machines are known to be flaky.

Building and verifying packages for these platforms is being handed
over to the IBM team.

We can still run these platforms for specific pull requests by selecting
the checkboxes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 82c7e906ea)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-10 14:05:07 +02:00
Jakub Guzik
a57fc0eb15
Fix setting swaplimit=true without checking
Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
(cherry picked from commit 7ef6ece774)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-06-07 17:27:35 +09:00
Brian Goff
b0f5bc36fe
Merge pull request #42352 from AkihiroSuda/cherrypick-41724
[20.10 backport] Use v2 capabilities in layer archives
2021-06-01 15:34:42 -07:00
Brian Goff
497c50a575
Merge pull request #42448 from thaJeztah/20.10_backport_update_buildkit
[20.10 backport] vendor: github.com/moby/buildkit v0.8.3-3-g244e8cde
2021-06-01 15:13:27 -07:00
Sebastiaan van Stijn
6474dada20
vendor: github.com/moby/buildkit v0.8.3-3-g244e8cde
full diff: https://github.com/moby/buildkit/compare/v0.8.3...v0.8.3-3-g244e8cde

- Transform relative mountpoints for exec mounts in the executor
- Add test for handling relative mountpoints

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 61b04b3a02)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-31 16:08:36 +02:00
Sebastiaan van Stijn
895eaacdd4
vendor: github.com/moby/buildkit v0.8.3
full diff: https://github.com/moby/buildkit/compare/v0.8.2...v0.8.3

- vendor containerd (required for rootless overlayfs on kernel 5.11)
    - not included to avoid depending on a fork
- Add retry on image push 5xx errors
- contenthash: include basename in content checksum for wildcards
- Fix missing mounts in execOp cache map
- Add regression test for run cache not considering mounts
- Add hack to preserve Dockerfile RUN cache compatibility after mount cache bugfix

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 79ee285d76)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-31 16:08:33 +02:00
Sebastiaan van Stijn
eab37e5676
Merge pull request #42413 from thaJeztah/20.10_backport_bump_libnetwork
[20.10 backport] vendor: github.com/docker/libnetwork 64b7a4574d1426139437d20e81c0b6d391130ec8
2021-05-27 10:44:33 +02:00
Akihiro Suda
d844987b77
Merge pull request #42421 from thaJeztah/20.10_backport_more_ignore 2021-05-27 02:46:50 +09:00
Sebastiaan van Stijn
003e3c0551
pkg/signal: ignore SIGURG on all platforms
Other Unix platforms (e.g. Darwin) are also affected by the Go
runtime sending SIGURG.

This patch changes how we match the signal by just looking for the
"URG" name, which should handle any platform that has this signal
defined in the SignalMap.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 05f520dd3c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 21:42:21 +02:00
Sebastiaan van Stijn
95551168ac
vendor: github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be
full diff: 6e2cb13661...f2269e66cd

- support SO_SNDBUF/SO_RCVBUF handling
- Support Go Modules
- license clarificaton
- ci: drop 1.6, 1.7, 1.8 support
- Add support for SocketConfig
- support goarch mips64le architecture.
- fix possible socket leak when bind fails

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 22b9e2a7e5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 11:39:46 +02:00
Sebastiaan van Stijn
d29a55c6c3
vendor: github.com/docker/libnetwork 64b7a4574d1426139437d20e81c0b6d391130ec8
Update libnetwork to make `docker run -p 80:80` functional again on environments
with kernel boot parameter `ipv6.disable=1`.

full diff: b3507428be...64b7a4574d

- fix port forwarding with ipv6.disable=1
    - fixes moby/moby/42288 Docker 20.10.6: all containers stopped and cannot start if ipv6 is disabled on host
    - fixes docker/libnetwork/2629 Network issue with IPv6 following update to version 20.10.6
    - fixesdocker/for-linux/1233 Since 20.10.6 it's not possible to run docker on a machine with disabled IPv6 interfaces
- vendor: github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be
- Enforce order of lock acquisitions on network/controller, fixes #2632
    - fixes docker/libnetwork/2632 Name resolution stuck due to deadlock between different network struct methods
    - fixes moby/moby/42032 Docker deamon get's stuck, can't serve DNS requests

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e4109b3b6b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 11:39:44 +02:00
Brian Goff
3db8385b18
Merge pull request #42382 from thaJeztah/20.10_backport_schema1_cache_fix
[20.10 backport] builder-next: relax second cache key requirements for schema1
2021-05-20 12:08:53 -07:00
Brian Goff
df371af560
Merge pull request #42401 from thaJeztah/20.10_catch_almost_all
[20.10 backport] pkg/signal.CatchAll: ignore SIGURG on Linux
2021-05-20 11:08:47 -07:00
Sebastiaan van Stijn
c1ebb81514
Merge pull request #42398 from thaJeztah/20.10_update_containerd_1.4.6
[20.10] update containerd binary to v1.4.6
2021-05-20 12:33:05 +02:00
Sebastiaan van Stijn
41cf01fa93
pkg/signal.CatchAll: ignore SIGURG on Linux
Do not handle SIGURG on Linux, as in go1.14+, the go runtime issues
SIGURG as an interrupt to support preemptable system calls on Linux.

This issue was caught in TestCatchAll, which could fail when updating to Go 1.14 or above;

    === Failed
    === FAIL: pkg/signal TestCatchAll (0.01s)
        signal_linux_test.go:32: assertion failed: urgent I/O condition (string) != continued (string)
        signal_linux_test.go:32: assertion failed: continued (string) != hangup (string)
        signal_linux_test.go:32: assertion failed: hangup (string) != child exited (string)
        signal_linux_test.go:32: assertion failed: child exited (string) != illegal instruction (string)
        signal_linux_test.go:32: assertion failed: illegal instruction (string) != floating point exception (string)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b7ebf32ba3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-20 10:11:39 +02:00
Sebastiaan van Stijn
a23a880c6e
Merge pull request #42395 from thaJeztah/20.10_backport_runc_rc95
[20.10 backport] update runc binary to v1.0.0-rc95
2021-05-19 20:49:52 +02:00
Sebastiaan van Stijn
56541eca9a
[20.10] update containerd binary to v1.4.6
full diff: https://github.com/containerd/containerd/compare/v1.4.5...v1.4.6

The sixth patch release for containerd 1.4 is a security release to update
runc for CVE-2021-30465

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-19 20:43:04 +02:00
Sebastiaan van Stijn
fb179ff098
update runc binary to v1.0.0-rc95
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc94...v1.0.0-rc95

Release notes:

This release of runc contains a fix for CVE-2021-30465, and users are
strongly recommended to update (especially if you are providing
semi-limited access to spawn containers to untrusted users).

Aside from this security fix, only a few other changes were made since
v1.0.0-rc94 (the only user-visible change was the addition of support
for defaultErrnoRet in seccomp profiles).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit efec2bb368)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-19 13:20:30 +02:00
Akihiro Suda
989c08c367
Merge pull request #42388 from thaJeztah/20.10_backport_update_runc
[20.10 backport] Update runc binary to v1.0.0-rc94
2021-05-19 12:26:26 +09:00
Akihiro Suda
4c801fdb7d
integration: remove KernelMemory tests
Starting with runc v1.0.0-rc94, runc no longer supports KernelMemory.

52390d6804

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 2f0d6664a1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 09:25:38 +02:00
Jintao Zhang
6174e3cf22
Update runc binary to v1.0.0-rc94
Signed-off-by: Jintao Zhang <zhangjintao9020@gmail.com>
(cherry picked from commit 8c019e830a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 09:25:36 +02:00
Akihiro Suda
afbb1277a3
Swarm config: use absolute paths for mount destination strings
Needed for runc >= 1.0.0-rc94.

See runc issue 2928.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9303376242)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 09:25:34 +02:00
Tonis Tiigi
94c1890d39
builder-next: relax second cache key requirements for schema1
Schema1 images can not have a config based cache key
before the layers are pulled. Avoid validation and reuse
manifest digest as a second key.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 85167fc634)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-17 14:58:16 +02:00
Akihiro Suda
e4b9915803
Merge pull request #42372 from thaJeztah/20.10_containerd_1.4.5
[20.10] update containerd binary to v1.4.5
2021-05-13 12:51:54 +09:00
Sebastiaan van Stijn
01f734cb4f
[20.10] update containerd binary to v1.4.5
release notes: https://github.com/containerd/containerd/releases/tag/v1.4.5

- Update runc to rc94
- Fix leaking socket path in runc shim v2
- Fix cleanup logic in new container in runc shim v2
- Fix registry mirror authorization logic in CRI plugin
- Add support for userxattr in overlay snapshotter for kernel 5.11+

(Note that the update to runc is done separately)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-12 10:46:44 +02:00
Sebastiaan van Stijn
e3cb5adc0d
Merge pull request #42292 from cpuguy83/20.10_hcsshim_no_error_details
[20.10] Bump hcsshim for error details fix
2021-05-06 16:35:18 +02:00
Eric Mountain
2a0c446866
Use v2 capabilities in layer archives
When building images in a user-namespaced container, v3 capabilities are
stored including the root UID of the creator of the user-namespace.

This UID does not make sense outside the build environment however. If
the image is run in a non-user-namespaced runtime, or if a user-namespaced
runtime uses a different UID, the capabilities requested by the effective
bit will not be honoured by `execve(2)` due to this mismatch.

Instead, we convert v3 capabilities to v2, dropping the root UID on the
fly.

Signed-off-by: Eric Mountain <eric.mountain@datadoghq.com>
(cherry picked from commit 95eb490780)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-05-05 21:46:31 +09:00
Brian Goff
614a70a11b
Merge pull request #42294 from AkihiroSuda/rootlesskit-0.14.2-2010
[20.10 backport] bump up rootlesskit to v0.14.2 (Fix `Timed out proxy starting the userland proxy.` error with `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns`)
2021-04-30 09:18:11 -07:00
Tianon Gravi
114310d76a
Merge pull request #42342 from AkihiroSuda/dind-fix-cgroup2-evac-2010
[20.10 backport] hack/dind: fix cgroup v2 evacuation with `docker run --init`
2021-04-30 08:10:12 -07:00
Akihiro Suda
21391bb7f7
hack/dind: fix cgroup v2 evacuation with docker run --init
Evacuate all the processes in `/sys/fs/cgroup/cgroup.procs`, not just PID 1.

Before:
```console
$ docker run --rm --privileged --init $(docker build -q .) cat /sys/fs/cgroup/cgroup.subtree_control
sed: couldn't flush stdout: Device or resource busy
```

After:
```console
$ docker run --rm --privileged --init $(docker build -q .) cat /sys/fs/cgroup/cgroup.subtree_control
cpuset cpu io memory hugetlb pids rdma
```

Fix docker-library/docker issue 308

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 42b1175eda)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-30 19:08:07 +09:00
Brian Goff
12b03bcb27 Error string match: do not match command path
Whether or not the command path is in the error message is a an
implementation detail.
For example, on Windows the only reason this ever matched was because it
dumped the entire container config into the error message, but this had
nothing to do with the actual error.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 225e046d9d)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-04-27 18:46:33 +00:00
Tianon Gravi
ce82693823
Merge pull request #42324 from AkihiroSuda/whichless-2010
[20.10 backport] dockerd-rootless.sh: use `command -v` instead of `which`
2021-04-26 12:47:40 -07:00
Akihiro Suda
8a7f77cb2f
dockerd-rootless.sh: use command -v instead of which
`which` binary is often missing

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit e928692c69)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-26 16:04:08 +09:00
Tianon Gravi
4af54f15ed
Merge pull request #42297 from thaJeztah/20.10_backport_update_yamllint
[20.10 backport] Dockerfile: update yamllint to v1.26.1 to fix build
2021-04-23 11:47:44 -07:00
Akihiro Suda
9ca66776fa
bump up rootlesskit to v0.14.2
Fix `Timed out proxy starting the userland proxy.` error with `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns`.
(https://github.com/rootless-containers/rootlesskit/issues/250)

Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.14.1...v0.14.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 11bddf330d4fec818e17333c360c25e8641f221d)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-21 18:11:00 +09:00
Sebastiaan van Stijn
08b27e45d8
Dockerfile: update yamllint to v1.26.1 to fix build
Installation of yamllint started failing, on non-amd64 builds, which could
be if the version we were using wasn't specific enough about a dependency
to install.

    copying Cython/Utility/CppSupport.cpp -> build/lib.linux-aarch64-3.7/Cython/Utility
    running build_ext
    building 'Cython.Plex.Scanners' extension
    creating build/temp.linux-aarch64-3.7
    creating build/temp.linux-aarch64-3.7/tmp
    creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7
    creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython
    creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython/Cython
    creating build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython/Cython/Plex
    aarch64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/usr/include/python3.7m -c /tmp/pip-install-jasgbmp7/Cython/Cython/Plex/Scanners.c -o build/temp.linux-aarch64-3.7/tmp/pip-install-jasgbmp7/Cython/Cython/Plex/Scanners.o
         /tmp/pip-install-jasgbmp7/Cython/Cython/Plex/Scanners.c:21:10: fatal error: Python.h: No such file or directory
          #include "Python.h"
                   ^~~~~~~~~~
         compilation terminated.
         error: command 'aarch64-linux-gnu-gcc' failed with exit status 1

         ----------------------------------------
     Command "/usr/bin/python3 -u -c "import setuptools, tokenize;__file__='/tmp/pip-install-jasgbmp7/Cython/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-record-if5qclwe/install-record.txt --single-version-externally-managed --prefix /tmp/pip-build-env-_dtiuyfw --compile" failed with error code 1 in /tmp/pip-install-jasgbmp7/Cython/

      ----------------------------------------
    Command "/usr/bin/python3 -m pip install --ignore-installed --no-user --prefix /tmp/pip-build-env-_dtiuyfw --no-warn-script-location --no-binary :none: --only-binary :none: -i https://pypi.org/simple -- setuptools wheel Cython" failed with error code 1 in None
    #22 ERROR: executor failed running [/bin/sh -c pip3 install yamllint==1.16.0]: exit code: 1

Trying if updating to the latest version fixes this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c35cefb489)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-15 22:27:44 +02:00
Brian Goff
404ede5737 Bump hcsshim for error details fix
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-04-14 18:57:05 +00:00
Tibor Vass
8728dd246c
Merge pull request #42263 from AkihiroSuda/move-cgroup2-out-of-experimental-20.10
[20.10 backport] Move cgroup v2 out of experimental
2021-04-09 15:06:18 -07:00
Tibor Vass
94854bcbd6
Merge pull request #42109 from AkihiroSuda/rootless-add-context-2010
[20.10 backport] dockerd-rootless-setuptool.sh: create CLI context "rootless"
2021-04-07 16:58:09 -07:00
Tibor Vass
ffd037de36
Merge pull request #42253 from AkihiroSuda/btrfs-allow-unprivileged-20.10
[20.10 backport] btrfs: Allow unprivileged user to delete subvolumes (kernel >= 4.18)
2021-04-07 16:55:56 -07:00
Sebastiaan van Stijn
419b3706ea
Merge pull request #42256 from cpuguy83/20.10_plugin_layer_mediatype
[20.10 backport] Use docker media type for plugin layers
2021-04-07 21:26:18 +02:00
Tibor Vass
76b0df9b6e
Merge pull request #42257 from thaJeztah/20.10_backport_fix_testinspect
[20.10 backport] Fix TestInspect(), and pin arm64 machines to a specific Ubuntu version
2021-04-07 01:23:47 -07:00
Akihiro Suda
255c79a1e8
Move cgroup v2 out of experimental
We have upgraded runc to rc93 and added CI for cgroup 2.
So we can move cgroup v2 out of experimental.

Fix issue 41916

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 1d2a660093)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-07 13:55:48 +09:00
Stefan Scherer
f2c0b3688a
Pin arm64 machines to a specific Ubuntu version
Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit b7c3548c82)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-06 18:55:24 +02:00
Sebastiaan van Stijn
29ff2af2d3
Fix flaky TestInspect
This test has been flaky for a long time, failing with:

    --- FAIL: TestInspect (12.04s)
        inspect_test.go:39: timeout hit after 10s: waiting for tasks to enter run state. task failed with error: task: non-zero exit (1)

While looking through logs, noticed tasks were started, entering RUNNING stage,
and then exited, to be started again.

    state.transition="STARTING->RUNNING"
    ...
    msg="fatal task error" error="task: non-zero exit (1)"
    ...
    state.transition="RUNNING->FAILED"

Looking for possible reasons, first considering network issues (possibly we ran
out of IP addresses or networking not cleaned up), then I spotted the issue.

The service is started with;

    Command:         []string{"/bin/top"},
    Args:            []string{"-u", "root"},

The `-u root` is not an argument for the service, but for `/bin/top`. While the
Ubuntu/Debian/GNU version `top` has a -u/-U option;

    docker run --rm ubuntu:20.04 top -h 2>&1 | grep '\-u'
      top -hv | -bcEHiOSs1 -d secs -n max -u|U user -p pid(s) -o field -w [cols]

The *busybox* version of top does not:

    docker run --rm busybox top --help 2>&1 | grep '\-u'

So running `top -u root` would cause the task to fail;

    docker run --rm busybox top -u root
    top: invalid option -- u
    ...

    echo $?
    1

As a result, the service went into a crash-loop, and because the `poll.WaitOn()`
was running with a short interval, in many cases would _just_ find the RUNNING
state, perform the `service inspect`, and pass, but in other cases, it would not
be that lucky, and continue polling untill we reached the 10 seconds timeout,
and mark the test as failed.

Looking for history of this option (was it previously using a different image?) I
found this was added in 6cd6d8646a, but probably
just missed during review.

Given that the option is only set to have "something" to inspect, I replaced
the `-u root` with `-d 5`, which makes top refresh with a 5 second interval.

Note that there is another test (`TestServiceListWithStatuses) that uses the same
spec, however, that test is skipped based on API version of the test-daemon, and
(to be looked into), when performing that check, no API version is known, causing
the test to (always?) be skipped:

    === RUN   TestServiceListWithStatuses
        --- SKIP: TestServiceListWithStatuses (0.00s)
            list_test.go:34: versions.LessThan(testEnv.DaemonInfo.ServerVersion, "1.41")

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 00cb3073f4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-06 18:55:06 +02:00
Brian Goff
60310e2409 Use docker media type for plugin layers
This was changed as part of a refactor to use containerd dist code. The
problem is the OCI media types are not compatible with older versions of
Docker.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit a876ede24f)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-04-06 16:52:54 +00:00
Akihiro Suda
8088859bab
btrfs: Allow unprivileged user to delete subvolumes (kernel >= 4.18)
Fix issue 41762

Cherry-pick "drivers: btrfs: Allow unprivileged user to delete subvolumes" from containers/storage
831e32b6bd

> In btrfs, subvolume can be deleted by IOC_SNAP_DESTROY ioctl but there
> is one catch: unprivileged IOC_SNAP_DESTROY call is restricted by default.
>
> This is because IOC_SNAP_DESTROY only performs permission checks on
> the top directory(subvolume) and unprivileged user might delete dirs/files
> which cannot be deleted otherwise. This restriction can be relaxed if
> user_subvol_rm_allowed mount option is used.
>
> Although the above ioctl had been the only way to delete a subvolume,
> btrfs now allows deletion of subvolume just like regular directory
> (i.e. rmdir sycall) since kernel 4.18.
>
> So if we fail to cleanup subvolume in subvolDelete(), just fallback to
> system.EnsureRmoveall() to try to cleanup subvolumes again.
> (Note: quota needs privilege, so if quota is enabled we do not fallback)
>
> This fix will allow non-privileged container works with btrfs backend.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 62b5194f62)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-06 14:45:01 +09:00
Tibor Vass
88bd96d6e5
Merge pull request #42233 from AkihiroSuda/fix-rootless-bind-EPERM-20.10
[20.10 backport] rootless: bind mount: fix "operation not permitted"
2021-04-01 07:41:54 -07:00
Tibor Vass
b6f4e8ba12
Merge pull request #42235 from AkihiroSuda/fix-overlay2-nativediff-2010
[20.10 backport] rootless: overlay2: fix "createDirWithOverlayOpaque(...) ... input/output error"
2021-04-01 06:23:42 -07:00
Tibor Vass
d6ca8a8e16
Merge pull request #42236 from thaJeztah/20.10_backport_specconv_fix_trimspace
[20.10 backport] rootless: fix getCurrentOOMScoreAdj
2021-04-01 05:31:04 -07:00
Tibor Vass
3499626899
Merge pull request #42232 from AkihiroSuda/rootlesskit-0.14.1-20.10
[20.10 backport] bump up rootlesskit to v0.14.1 (Fix `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns` regression)
2021-04-01 04:08:47 -07:00
Akihiro Suda
d22dde8eb1
rootless: fix getCurrentOOMScoreAdj
`getCurrentOOMScoreAdj()` was broken because `strconv.Atoi()` was called
without trimming "\n".

Fix issue 40068: `rootless docker in kubernetes: "getting the final child's pid from
pipe caused \"EOF\": unknown"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit d6ddfb6118)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-01 12:11:27 +02:00
Akihiro Suda
c1e7924f7c
archive: do not use overlayWhiteoutConverter for UserNS
overlay2 no longer sets `archive.OverlayWhiteoutFormat` when
running in UserNS, so we can remove the complicated logic in the
archive package.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 6322dfc217)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-01 19:00:42 +09:00
Akihiro Suda
22dc1597b9
overlay2: doesSupportNativeDiff: add fast path for userns
When running in userns, returns error (i.e. "use naive, not native")
immediately.

No substantial change to the logic.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 67aa418df2)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-01 19:00:37 +09:00
Akihiro Suda
daae27bfce
overlay2: call d.naiveDiff.ApplyDiff when useNaiveDiff==true
Previously, `d.naiveDiff.ApplyDiff` was not used even when
`useNaiveDiff()==true`

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit dd97134232)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-01 19:00:32 +09:00
Akihiro Suda
e974cb638c
rootless: bind mount: fix "operation not permitted"
The following was failing previously, because `getUnprivilegedMountFlags()` was not called:
```console
$ sudo mount -t tmpfs -o noexec none /tmp/foo
$ $ docker --context=rootless run -it --rm -v /tmp/foo:/mnt:ro alpine
docker: Error response from daemon: OCI runtime create failed: container_linux.go:367: starting container process caused: process_linux.go:520: container init caused: rootfs_linux.go:60: mounting "/tmp/foo" to rootfs at "/home/suda/.local/share/docker/overlay2/b8e7ea02f6ef51247f7f10c7fb26edbfb308d2af8a2c77915260408ed3b0a8ec/merged/mnt" caused: operation not permitted: unknown.
```

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 248f98ef5e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-01 18:45:23 +09:00
Akihiro Suda
7022b1e12e
bump up rootlesskit to v0.14.1
Fix `DOCKERD_ROOTLESS_ROOTLESSKIT_PORT_DRIVER=slirp4netns` regression.

Full changes: https://github.com/rootless-containers/rootlesskit/compare/v0.14.0...v0.14.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 45021ee354)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-04-01 18:39:07 +09:00
Tibor Vass
cdd71c6736
Merge pull request #42205 from thaJeztah/20.10_backport_bump_libnetwork
[20.10 backport] vendor: docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
2021-04-01 02:37:21 -07:00
Akihiro Suda
4ccd7382e0
Merge pull request #42141 from thaJeztah/20.10_backport_vpnkit_arm64 2021-03-26 09:15:42 +09:00
Sebastiaan van Stijn
88470052e7
vendor: docker/libnetwork b3507428be5b458cb0e2b4086b13531fb0706e46
full diff: fa125a3512...b3507428be

- fixed IPv6 iptables rules for enabled firewalld (libnetwork#2609)
    - fixes "Docker uses 'iptables' instead of 'ip6tables' for IPv6 NAT rule, crashes"
- Fix regression in docker-proxy
    - introduced in "Fix IPv6 Port Forwarding for the Bridge Driver" (libnetwork#2604)
    - fixes/addresses: "IPv4 and IPv6 addresses are not bound by default anymore" (libnetwork#2607)
    - fixes/addresses "IPv6 is no longer proxied by default anymore" (moby#41858)
- Use hostIP to decide on Portmapper version
    - fixes docker-proxy not being stopped correctly

Port mapping of containers now contain separatet mappings for IPv4 and IPv6 addresses, when
listening on "any" IP address. Various tests had to be updated to take multiple mappings into
account.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0450728267)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-25 22:29:47 +01:00
Sebastiaan van Stijn
d26ed2c33b
fix assertPortList normalizing being too strict
The normalizing was updated with the output of the "docker port" command
in mind, but we're normalizing the "expected" output, which is passed
without the "->" in front of the mapping, causing some tests to fail;

    === RUN   TestDockerSuite/TestPortHostBinding
        --- FAIL: TestDockerSuite/TestPortHostBinding (1.21s)
            docker_cli_port_test.go:324: assertion failed: error is not nil: |:::9876!=[::]:9876|
    === RUN   TestDockerSuite/TestPortList
        --- FAIL: TestDockerSuite/TestPortList (0.96s)
            docker_cli_port_test.go:25: assertion failed: error is not nil: |:::9876!=[::]:9876|

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c8599a6537)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-25 22:29:44 +01:00
Sebastiaan van Stijn
8926328927
Merge pull request #42197 from thaJeztah/20.10_backport_improve_build_errors
[20.10 backport] builder: produce error when using unsupported Dockerfile option
2021-03-25 21:27:00 +01:00
Sebastiaan van Stijn
eef17706da
Merge pull request #42194 from thaJeztah/20.10_backport_rootlesskit_goproxy
[20.10 backport] hack: use GOPROXY for rootlesskit to workaround issue with old git on CentOS/RHEL 7
2021-03-25 20:55:02 +01:00
Sebastiaan van Stijn
6b1da9492f
Merge pull request #42186 from thaJeztah/20.10_backport_update_rootlesskit
[20.10 backport] update rootlesskit to v0.14.0
2021-03-25 20:49:46 +01:00
Brian Goff
60aa0f2f6b
Merge pull request #42079 from thaJeztah/20.10_backport_update_docs_links
[20.10 backport] Update documentation links
2021-03-25 12:48:52 -07:00
Sebastiaan van Stijn
122ef5ce94
Merge pull request #42072 from AkihiroSuda/prohibit-rootless-as-root-2010
[20.10 backport] dockerd-rootless.sh: prohibit running as root
2021-03-25 20:46:59 +01:00
Akihiro Suda
7c84bf929b
Merge pull request #42196 from thaJeztah/20.10_backport_ci_fixes
[20.10 backport] CI: update tests to be more resilient against CLI output format and for libnetwork changes
2021-03-25 13:23:58 +09:00
Sebastiaan van Stijn
915b239519
builder: produce error when using unsupported Dockerfile option
With the promotion of the experimental Dockerfile syntax to "stable", the Dockerfile
syntax now includes some options that are supported by BuildKit, but not (yet)
supported in the classic builder.

As a result, parsing a Dockerfile may succeed, but any flag that's known to BuildKit,
but not supported by the classic builder is silently ignored;

    $ mkdir buildkit_flags && cd buildkit_flags
    $ touch foo.txt

For example, `RUN --mount`:

    DOCKER_BUILDKIT=0 docker build --no-cache -f- . <<EOF
    FROM busybox
    RUN --mount=type=cache,target=/foo echo hello
    EOF

    Sending build context to Docker daemon  2.095kB
    Step 1/2 : FROM busybox
     ---> 219ee5171f80
    Step 2/2 : RUN --mount=type=cache,target=/foo echo hello
     ---> Running in 022fdb856bc8
    hello
    Removing intermediate container 022fdb856bc8
     ---> e9f0988844d1
    Successfully built e9f0988844d1

Or `COPY --chmod` (same for `ADD --chmod`):

    DOCKER_BUILDKIT=0 docker build --no-cache -f- . <<EOF
    FROM busybox
    COPY --chmod=0777 /foo.txt /foo.txt
    EOF

    Sending build context to Docker daemon  2.095kB
    Step 1/2 : FROM busybox
     ---> 219ee5171f80
    Step 2/2 : COPY --chmod=0777 /foo.txt /foo.txt
     ---> 8b7117932a2a
    Successfully built 8b7117932a2a

Note that unknown flags still produce and error, for example, the below fails because `--hello` is an unknown flag;

    DOCKER_BUILDKIT=0 docker build -<<EOF
    FROM busybox
    RUN --hello echo hello
    EOF

    Sending build context to Docker daemon  2.048kB
    Error response from daemon: dockerfile parse error line 2: Unknown flag: hello

With this patch applied
----------------------------

With this patch applied, flags that are known in the Dockerfile spec, but are not
supported by the classic builder, produce an error, which includes a link to the
documentation how to enable BuildKit:

    DOCKER_BUILDKIT=0 docker build --no-cache -f- . <<EOF
    FROM busybox
    RUN --mount=type=cache,target=/foo echo hello
    EOF

    Sending build context to Docker daemon  2.048kB
    Step 1/2 : FROM busybox
     ---> b97242f89c8a
    Step 2/2 : RUN --mount=type=cache,target=/foo echo hello
    the --mount option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled

    DOCKER_BUILDKIT=0 docker build --no-cache -f- . <<EOF
    FROM busybox
    COPY --chmod=0777 /foo.txt /foo.txt
    EOF

    Sending build context to Docker daemon  2.095kB
    Step 1/2 : FROM busybox
     ---> b97242f89c8a
    Step 2/2 : COPY --chmod=0777 /foo.txt /foo.txt
    the --chmod option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a09c0276a2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-24 23:57:54 +01:00
Sebastiaan van Stijn
ef2351b416
integration-cli: rely less on "docker port" output format
Also re-formatting some lines for readability.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c6038b4884)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-24 22:04:10 +01:00
Sebastiaan van Stijn
86d98f5711
integration: update getExternalAddress to prefer IPv4
Rootlesskit doesn't currently handle IPv6 addresses, causing TestNetworkLoopbackNat
and TestNetworkNat to fail;

    Error starting userland proxy:
    error while calling PortManager.AddPort(): listen tcp: address :::8080: too many colons in address

This patch:

- Updates `getExternalAddress()` to pick IPv4 address if both IPv6 and IPv4 are found
- Update TestNetworkNat to net.JoinHostPort(), so that square brackets are used for
  IPv6 addresses (e.g. `[::]:8080`)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f845b98ca6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-24 22:04:08 +01:00
Sebastiaan van Stijn
b41e2d4dc1
integration/container: wrap some long lines for readability
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 54ca929a70)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-24 22:04:06 +01:00
Tibor Vass
407a61cdb2
hack: use GOPROXY for rootlesskit to workaround issue with old git on CentOS/RHEL 7
Since rootlesskit removed vendor folder, building it has to rely on go mod.

Dockerfile in docker-ce-packaging uses GOPROXY=direct, which makes "go mod"
commands use git to fetch modules. "go mod" in Go versions before 1.14.1 are
incompatible with older git versions, including the version of git that ships
with CentOS/RHEL 7 (which have git 1.8), see golang/go#38373

This patch switches rootlesskit install script to set GOPROXY to
https://proxy.golang.org so that git is not required for downloading modules.

Once all our code has upgraded to Go 1.14+, this workaround should be
removed.

Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit cbc6cefdcb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-24 09:28:31 +01:00
Sebastiaan van Stijn
653b58cc8a
Merge pull request #42111 from thaJeztah/20.10_backport_dockerfile_stable
[20.10 backport] Dockerfile: switch to "stable" dockerfile front-end
2021-03-22 22:53:03 +01:00
Sebastiaan van Stijn
a35e1f451e
update rootlesskit to v0.14.0
full diff: https://github.com/rootless-containers/rootlesskit/compare/v0.13.1...v0.14.0

v0.14.0 Changes (since v0.13.2)
--------------------------------------

- CLI: improve --help output
- API: support GET /info
- Port API: support specifying IP version explicitly ("tcp4", "tcp6")
- rootlesskit-docker-proxy: support libnetwork >= 20201216 convention
- Allow vendoring with moby/sys/mountinfo@v0.1.3 as well as @v0.4.0
- Remove socat port driver
    - socat driver has been deprecated since v0.7.1 (Dec 2019)
- New experimental flag: --ipv6
    - Enables IPv6 routing (slirp4netns --enable-ipv6). Unrelated to port driver.

v0.13.2
--------------------------------------

- Fix cleaning up crashed state dir
- Update Go to 1.16
- Misc fixes

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e166af959d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-22 22:19:06 +01:00
Sebastiaan van Stijn
9f2f85c53b
Merge pull request #42176 from cpuguy83/20.10_testPushMultipleTags
[20.10] TestPushMultipleTags: Add support for 20.10 CLI
2021-03-22 15:31:21 +01:00
Akihiro Suda
257cf10ee1
Merge pull request #42175 from cpuguy83/20.10_TestDockerNetworkFlagAlias 2021-03-21 01:11:32 +09:00
Sebastiaan van Stijn
5a697ae130
Merge pull request #42174 from thaJeztah/20.10_backport_41820_fix_json_unexpected_eof
[20.10 backport] Fix handling for json-file io.UnexpectedEOF
2021-03-20 10:10:24 +01:00
Akihiro Suda
cdb77eca0e
Merge pull request #42168 from AkihiroSuda/ovl-k511-2010
[20.10 backport] overlay2: support "userxattr" option (kernel 5.11)
2021-03-20 12:31:02 +09:00
Brian Goff
9780942e20 Remove cli test for duplicate --net/--network opts
This seems to be testing a strange case, specifically that one can set
the `--net` and `--network` in the same command with the same network.

Indeed this used to work with older CLIs but newer ones error out when
validating the request before sending it to the daemon.

Opening this for discussion because:

1. This doesn't seem to be testing anything at all related to the rest
   of the test
2. Not really providing any value here.
3. Is testing that a technically invalid option is successful (whether
   the option should be valid as it relates to the CLI accepting it is
   debatable).
4. Such a case seems fringe and even a bug in whatever is calling the
   CLI with such options.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e31086320e)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-03-19 23:13:48 +00:00
Brian Goff
e1ee2823ec TestPushMultipleTags: Add support for 20.10 CLI
In 20.10 we no longer implicitly push all tags and require a
"--all-tags" flag, so add this to the test when the CLI is >= 20.10

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 601707a655)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-03-19 23:08:40 +00:00
Brian Goff
969bde2009
jsonfile: more defensive reader implementation
Tonis mentioned that we can run into issues if there is more error
handling added here. This adds a custom reader implementation which is
like io.MultiReader except it does not cache EOF's.
What got us into trouble in the first place is `io.MultiReader` will
always return EOF once it has received an EOF, however the error
handling that we are going for is to recover from an EOF because the
underlying file is a file which can have more data added to it after
EOF.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 5a664dc87d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-19 18:18:55 +01:00
Brian Goff
cb501700e8
Fix handling for json-file io.UnexpectedEOF
When the multireader hits EOF, we will always get EOF from it, so we
cannot store the multrireader fro later error handling, only for the
decoder.

Thanks @tobiasstadler for pointing this error out.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 4be98a38e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-19 18:18:52 +01:00
Sebastiaan van Stijn
6d72bb6acf
Merge pull request #42147 from thaJeztah/20.10_backport_41704_update_libseccomp
[20.10 backport] Use buster backports to build with libseccomp-2.4.4
2021-03-19 13:51:56 +01:00
Akihiro Suda
2d39a44c1c
overlayutils/userxattr.go: add "fast path" for kernel >= 5.11.0
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit a8008f7313)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-19 03:36:07 +09:00
Akihiro Suda
95d2b686be
overlay2: support "userxattr" option (kernel 5.11)
The "userxattr" option is needed for mounting overlayfs inside a user namespace with kernel >= 5.11.

The "userxattr" option is NOT needed for the initial user namespace (aka "the host").

Also, Ubuntu (since circa 2015) and Debian (since 10) with kernel < 5.11 can mount the overlayfs in a user namespace without the "userxattr" option.

The corresponding kernel commit: 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1
> **ovl: user xattr**
>
> Optionally allow using "user.overlay." namespace instead of "trusted.overlay."
> ...
> Disable redirect_dir and metacopy options, because these would allow privilege escalation through direct manipulation of the
> "user.overlay.redirect" or "user.overlay.metacopy" xattrs.

Fix issue 42055

Related to containerd/containerd PR 5076

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 11ef8d3ba9)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-19 03:35:59 +09:00
Jeremy Huntwork
074270703c
Use buster backports to build with libseccomp-2.4.4
Fixes #41704

The latest released versions of the static binaries (20.10.3) are still unable
to use faccessat2 with musl-1.2.2 even though this was addressed in #41353 and
related issues. The underlying cause seems to be that the build system
here still uses the default version of libseccomp shipped with buster.
An updated version is available in buster backports:
https://packages.debian.org/buster-backports/libseccomp-dev

Signed-off-by: Jeremy Huntwork <jhuntwork@lightcubesolutions.com>
(cherry picked from commit 1600e851b5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-15 08:58:30 +01:00
Akihiro Suda
fed6ba2790
Include VPNkit binary for arm64
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 088e6ee790)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-12 09:02:45 +01:00
Tibor Vass
59ad0b6a86
Merge pull request #42124 from thaJeztah/20.10_backport_bump_containerd
[20.10 backport] update containerd binary to v1.4.4
2021-03-08 16:23:30 -08:00
Sebastiaan van Stijn
2ab3cd8c9e
update containerd binary to v1.4.4
full diff: https://github.com/containerd/containerd/compare/v1.4.3...v1.4.4

Release notes:

The fourth patch release for `containerd` 1.4 contains a fix for CVE-2021-21334
along with various other minor issues.
See [GHSA-36xw-fx78-c5r4](https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4)
for more details related to CVE-2021-21334.

Notable Updates

- Fix container create in CRI to prevent possible environment variable leak between containers
- Update shim server to return grpc NotFound error
- Add bounds on max `oom_score_adj` value for shim's AdjustOOMScore
- Update task manager to use fresh context when calling shim shutdown
- Update Docker resolver to avoid possible concurrent map access panic
- Update shim's log file open flags to avoid containerd hang on syscall open
- Fix incorrect usage calculation

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1a49393403)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-08 18:58:05 +01:00
Akihiro Suda
bc795b19bf
Merge pull request #42103 from thaJeztah/20.10_backport_skip_test 2021-03-04 00:23:01 +09:00
Sebastiaan van Stijn
d3188dc164
Dockerfile: switch to "stable" dockerfile front-end
The `RUN --mount` options have been promoted to the stable channel,
so we can switch from "experimental" to "stable".

Note that the syntax directive should no longer be needed now, but
it's good practice to add a syntax-directive, to allow building on
older versions of docker.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 083dbe9fcd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-03 11:11:54 +01:00
Akihiro Suda
98273a606a
dockerd-rootless-setuptool.sh: create CLI context "rootless"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit f2f1c0fe38)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-03 13:51:28 +09:00
Shengjing Zhu
a0670c6d3d
pkg/archive: TestUntarParentPathPermissions requires root
=== RUN   TestUntarParentPathPermissions
    archive_unix_test.go:171: assertion failed: error is not nil: chown /tmp/TestUntarParentPathPermissions694189715/foo: operation not permitted

Signed-off-by: Shengjing Zhu <zhsj@debian.org>
(cherry picked from commit f23c1c297d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-01 22:05:09 +01:00
Sebastiaan van Stijn
04d9b581e9
Update documentation links
- Using "/go/" redirects for some topics, which allows us to
  redirect to new locations if topics are moved around in the
  documentation.
- Updated some old URLs to their new location.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 328de0b8d9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-25 21:54:39 +01:00
Tibor Vass
363e9a88a1
Merge pull request #42061 from thaJeztah/20.10_backport_bump_buildkit
[20.10 backport] vendor: github.com/moby/buildkit v0.8.2
2021-02-24 22:27:18 -08:00
Akihiro Suda
1015b5b438
dockerd-rootless.sh: prohibit running as root
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 9351e19658)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-25 13:33:15 +09:00
Tibor Vass
35f5f9e624 builder: fix incorrect cache match for inline cache with empty layers
See https://github.com/moby/buildkit/pull/1993

Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 9bf93e90fa)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-02-25 01:50:37 +00:00
Tibor Vass
035cb276d9
Merge pull request #42070 from thaJeztah/20.10_backport_rootless_typo_guard
[20.10 backport] dockerd-rootless.sh: add typo guard
2021-02-24 17:42:50 -08:00
Sebastiaan van Stijn
3ce37a6aa4 vendor: github.com/moby/buildkit v0.8.2
full diff: 68bb095353...9065b18ba4

- fix seccomp compatibility in 32bit arm
    - fixes Unable to build alpine:edge containers for armv7
    - fixes Buildx failing to build for arm/v7 platform on arm64 machine
- resolver: avoid error caching on token fetch
    - fixes "Error: i/o timeout should not be cached"
- fileop: fix checksum to contain indexes of inputs
- frontend/dockerfile: add RunCommand.FlagsUsed field
    - relates to [20.10] Classic builder silently ignores unsupported Dockerfile command flags
- update qemu emulators
    - relates to "Impossible to run git clone inside buildx with non x86 architecture"
- Fix reference count issues on typed errors with mount references
    - fixes errors on releasing mounts with typed execerror refs
    - fixes / addresses invalid mutable ref when using shared cache mounts
- dockerfile/docs: fix frontend image tags
- git: set token only for main remote access
    - fixes "Loading repositories with submodules is repeated. Failed to clone submodule from googlesource"
- allow skipping empty layer detection on cache export

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 9962a3f74e)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-02-25 01:41:11 +00:00
Akihiro Suda
5e8c1b4f7d
dockerd-rootless.sh: add typo guard
`dockerd-rootless.sh install` is a common typo of `dockerd-rootless-setuptool.sh install`.

Now `dockerd-rootless.sh install` shows human-readable error.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 8dc6c109b5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-24 22:13:50 +01:00
Tibor Vass
7f547e15c7
Merge pull request #42060 from thaJeztah/20.10_backport_bump_swarmkit
[20.10 backport] Update Swarmkit to pick up fixes to heartbeat period and stalled tasks
2021-02-24 12:46:03 -08:00
Tibor Vass
830471acf5
Merge pull request #42066 from thaJeztah/20.10_backport_check_config
[20.10 backport] check-config.sh: add NETFILTER_XT_MARK
2021-02-24 12:45:33 -08:00
Tibor Vass
7ae42f5797
Merge pull request #42065 from thaJeztah/20.10_backport_lease_blobs_fixes
[20.10 backport] builder: fix blobs releasing via leases after pull
2021-02-24 12:44:51 -08:00
Sebastiaan van Stijn
f3d130d743
Merge pull request #42049 from thaJeztah/20.10_backport_builder_pull_fix
[20.10 backport] builder: fix pull synchronization regression
2021-02-23 21:15:32 +01:00
Piotr Karbowski
a24d92f95b
check-config.sh: add NETFILTER_XT_MARK
Points out another symbol that Docker might need. in this case Docker's
mesh network in swarm mode does not route Virtual IPs if it's unset.

From /var/logs/docker.log:
time="2021-02-19T18:15:39+01:00" level=error msg="set up rule failed, [-t mangle -A INPUT -d 10.0.1.2/32 -j MARK --set-mark 257]:  (iptables failed: iptables --wait -t mang
le -A INPUT
-d 10.0.1.2/32 -j MARK --set-mark 257: iptables v1.8.7 (legacy): unknown option \"--set-mark\"\nTry `iptables -h' or 'iptables --help' for more information.\n (exit status 2))"

Bug: https://github.com/moby/libnetwork/issues/2227
Bug: https://github.com/docker/for-linux/issues/644
Bug: https://github.com/docker/for-linux/issues/525
Signed-off-by: Piotr Karbowski <piotr.karbowski@protonmail.ch>
(cherry picked from commit e8ceb97646)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-23 19:25:47 +01:00
Tonis Tiigi
80019e1b0e
builder: fix blobs releasing via leases after pull
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 5c01d06f72)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-23 19:22:35 +01:00
Tibor Vass
dc1606ad79
Merge pull request #42046 from thaJeztah/20.10_labels_regex_length_check
[20.10 backport] Check the length of the correct variable #42039
2021-02-23 10:00:58 -08:00
Adam Williams
2a220f1f3d
Update Swarmkit to pick up fixes to heartbeat period and stalled tasks
Signed-off-by: Adam Williams <awilliams@mirantis.com>
(cherry picked from commit cbd2f726bf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-23 09:57:37 +01:00
Sebastiaan van Stijn
148e6c9514
Merge pull request #42017 from thaJeztah/20.10_backport_build_fixes
[20.10 backport]: avoid creating parent dirs for XGlobalHeader, and fix permissions
2021-02-22 20:04:04 +01:00
Tonis Tiigi
da1a672102
builder: fix pull synchronization regression
Config resolution was synchronized based on a wrong key as ref
variable is initialized only after in the same function. Using
the right key isn't fully correct either as the synchronized method
changes properties of the puller instance and can't be just skipped.
Added better error handling for the same case as well.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit b53ea19c49)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-19 10:08:04 +01:00
Nathan Carlson
0e001154f9
Check the length of the correct variable #42039
Signed-off-by: Nathan Carlson <carl4403@umn.edu>
(cherry picked from commit 8d73c1ad68)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-18 22:23:34 +01:00
Sebastiaan van Stijn
df2cfb4d33
Merge pull request #42045 from cpuguy83/20.10_fallback_manifest_on_bad_plat
[20.10] Fallback to manifest list when no platform match
2021-02-18 21:37:34 +01:00
Tibor Vass
7f6776fb5e
Merge pull request #41971 from thaJeztah/20.10_backport_seccomp_update
[20.10 backport] profiles: seccomp: update to Linux 5.11 syscall list
2021-02-18 12:36:47 -08:00
Tibor Vass
caa48de224
Merge pull request #41974 from thaJeztah/20.10_backport_for_linux_1169_plugins_custom_runtime-panic
[20.10 backport] Add shim config for custom runtimes for plugins
2021-02-18 12:36:21 -08:00
Tibor Vass
6a86c25cf0
Merge pull request #41972 from thaJeztah/20.10_backport_net_leak_fix
[20.10 backport] builder: ensure libnetwork state file do not leak
2021-02-18 12:34:14 -08:00
Tibor Vass
ff486ae873
Merge pull request #41973 from thaJeztah/20.10_backport_fix_builder_inconsisent_platform
[20.10 backport] Fix builder inconsistent error on buggy platform
2021-02-18 12:32:53 -08:00
Tibor Vass
b55d9e1b91
Merge pull request #41976 from thaJeztah/20.10_backport_reuse
[20.10 backport] replace json.Unmarshal with NewFromJSON in Create
2021-02-18 12:30:18 -08:00
Tibor Vass
b81e649d2b
Merge pull request #41977 from thaJeztah/20.10_backport_minor_fixes
[20.10 backport] assorted small fixes, docs changes, and contrib
2021-02-18 12:29:07 -08:00
Tibor Vass
5bb85a962a
Merge pull request #42001 from thaJeztah/20.10_backport_fix_cgroup_rule_panic
[20.10 backport] Fix daemon panic when starting container with invalid device cgroup rule
2021-02-18 12:27:38 -08:00
Tibor Vass
6de7dbd225
Merge pull request #42012 from thaJeztah/20.10_backport_fix_nanocpus_casing
[20.10 backport] api/docs: fix NanoCPUs casing in swagger
2021-02-18 12:26:04 -08:00
Tibor Vass
8e2c5fc178
Merge pull request #42013 from thaJeztah/20.10_backport_42003_fix_userns_uid_username_match
[20.10 backport] Fix userns-remap option when username & UID match
2021-02-18 12:25:13 -08:00
Tibor Vass
f88c4aeaa0
Merge pull request #42014 from thaJeztah/20.10_backport_bump_runc_binary
[20.10 backport] update runc binary to v1.0.0-rc93
2021-02-18 12:24:02 -08:00
Tibor Vass
c981698f9a
Merge pull request #42025 from thaJeztah/20.10_backport_bump_rootlesskit
[20.10 backport] Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses
2021-02-18 12:17:55 -08:00
Tibor Vass
d6ae06a70a
Merge pull request #42042 from thaJeztah/20.10_backport_docker_dind_integration_test_fix_subnet_missmatch
[20.10 backport] Update TestDaemonRestartWithLiveRestore: fix docker0 subnet missmatch
2021-02-18 12:15:05 -08:00
Brian Goff
3beb2e4422 Move cpu variant checks into platform matcher
Wrap platforms.Only and fallback to our ignore mismatches due to  empty
CPU variants. This just cleans things up and makes the logic re-usable
in other places.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 50f39e7247)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-02-18 20:12:07 +00:00
Brian Goff
0caf485abb Fallback to manifest list when no platform match
In some cases, in fact many in the wild, an image may have the incorrect
platform on the image config.
This can lead to failures to run an image, particularly when a user
specifies a `--platform`.
Typically what we see in the wild is a manifest list with an an entry
for, as an example, linux/arm64 pointing to an image config that has
linux/amd64 on it.

This change falls back to looking up the manifest list for an image to
see if the manifest list shows the image as the correct one for that
platform.

In order to accomplish this we need to traverse the leases associated
with an image. Each image, if pulled with Docker 20.10, will have the
manifest list stored in the containerd content store with the resource
assigned to a lease keyed on the image ID.
So we look up the lease for the image, then look up the assocated
resources to find the manifest list, then check the manifest list for a
platform match, then ensure that manifest referes to our image config.

This is only used as a fallback when a user specified they want a
particular platform and the image config that we have does not match
that platform.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 4be5453215)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-02-18 20:12:00 +00:00
Brian Goff
24e1d7fa59
Merge pull request #41975 from thaJeztah/20.10_backport_41794_sized_logger
[20.10 backport] Handle long log messages correctly on SizedLogger
2021-02-17 16:51:24 -08:00
Aleksa Sarai
a6a88b3145
profiles: seccomp: update to Linux 5.11 syscall list
These syscalls (some of which have been in Linux for a while but were
missing from the profile) fall into a few buckets:

 * close_range(2), epoll_pwait2(2) are just extensions of existing "safe
   for everyone" syscalls.

 * The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are
   all equivalent to aspects of mount(2) and thus go into the
   CAP_SYS_ADMIN category.

 * process_madvise(2) is similar to the other process_*(2) syscalls and
   thus goes in the CAP_SYS_PTRACE category.

Signed-off-by: Aleksa Sarai <asarai@suse.de>
(cherry picked from commit 54eff4354b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:22:12 +01:00
Tonis Tiigi
e3750357a5
builder: ensure libnetwork state file do not leak
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 7c7e168902)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:21:25 +01:00
Brian Goff
ab5711e619
Fix builder inconsistent error on buggy platform
When pulling an image by platform, it is possible for the image's
configured platform to not match what was in the manifest list.
The image itself is buggy because either the manifest list is incorrect
or the image config is incorrect. In any case, this is preventing people
from upgrading because many times users do not have control over these
buggy images.

This was not a problem in 19.03 because we did not compare on platform
before. It just assumed if we had the image it was the one we wanted
regardless of platform, which has its own problems.

Example Dockerfile that has this problem:

```Dockerfile
FROM --platform=linux/arm64 k8s.gcr.io/build-image/debian-iptables:buster-v1.3.0
RUN echo hello
```

This fails the first time you try to build after it finishes pulling but
before performing the `RUN` command.
On the second attempt it works because the image is already there and
does not hit the code that errors out on platform mismatch (Actually it
ignores errors if an image is returned at all).

Must be run with the classic builder (DOCKER_BUILDKIT=0).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 399695305c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:20:46 +01:00
Brian Goff
df2a989769
Add shim config for custom runtimes for plugins
This fixes a panic when an admin specifies a custom default runtime,
when a plugin is started the shim config is nil.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 2903863a1d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:20:03 +01:00
Kazuyoshi Kato
d13e162a63
Handle long log messages correctly on SizedLogger
Loggers that implement BufSize() (e.g. awslogs) uses the method to
tell Copier about the maximum log line length. However loggerWithCache
and RingBuffer hide the method by wrapping loggers.

As a result, Copier uses its default 16KB limit which breaks log
lines > 16kB even the destinations can handle that.

This change implements BufSize() on loggerWithCache and RingBuffer to
make sure these logger wrappes don't hide the method on the underlying
loggers.

Fixes #41794.

Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com>
(cherry picked from commit bb11365e96)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:19:02 +01:00
Jim Lin
34446d0343
replace json.Unmarshal with NewFromJSON in Create
Signed-off-by: Jim Lin <b04705003@ntu.edu.tw>
(cherry picked from commit c9ec21e17a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:18:19 +01:00
Sebastiaan van Stijn
c00fb1383f
docs: fix double "the" in existing API versions
Backport of 2db5676c6e to the swagger files
used in the documentation

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 240d0b37bb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:42 +01:00
Frederico F. de Oliveira
b7e6803ec4
swagger.yaml: Remove extra 'the' wrapped by newline
This PR was originally proposed by @phillc here: https://github.com/docker/engine/pull/456

Signed-off-by: FreddieOliveira <fredf_oliveira@ufu.br>
(cherry picked from commit 2db5676c6e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:40 +01:00
Kir Kolyshkin
420de4c569
contrib/check-config.sh: fix INET_XFRM_MODE_TRANSPORT
This parameter was removed by kernel commit 4c145dce260137,
which made its way to kernel v5.3-rc1. Since that commit,
the functionality is built-in (i.e. it is available as long
as CONFIG_XFRM is on).

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 06d9020fac)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:39 +01:00
Kir Kolyshkin
8412078b1e
contrib/check-config.sh: fix IOSCHED_CFQ CFQ_GROUP_IOSCHED
These config options are removed by kernel commit f382fb0bcef4,
which made its way into kernel v5.0-rc1.

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 18e0543587)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:37 +01:00
Kir Kolyshkin
bb0866f04e
contrib/check-config.sh: fix MEMCG_SWAP_ENABLED
Kernel commit 2d1c498072de69e (which made its way into kernel v5.8-rc1)
removed CONFIG_MEMCG_SWAP_ENABLED Kconfig option, making swap accounting
always enabled (unless swapaccount=0 boot option is provided).

Make the check conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 070f9d9dd3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:35 +01:00
Kir Kolyshkin
db47bec3c7
contrib/check-config.sh: fix NF_NAT_NEEDED
CONFIG_NF_NAT_NEEDED was removed in kernel commit 4806e975729f99c7,
which made its way into v5.2-rc1. The functionality is now under
NF_NAT which we already check for.

Make the check for NF_NAT_NEEDED conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 03da41152a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:33 +01:00
Kir Kolyshkin
6bc47ca4b4
contrib/check-config.sh: fix NF_NAT_IPV4
CONFIG_NF_NAT_IPV4 was removed in kernel commit 3bf195ae6037e310,
which made its way into v5.1-rc1. The functionality is now under
NF_NAT which we already check for.

Make the check for NF_NAT_IPV4 conditional.

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit eeb53c1f22)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:31 +01:00
Kir Kolyshkin
491642e696
contrib/check-config.sh: support for cgroupv2
Before:

> Generally Necessary:
> - cgroup hierarchy: nonexistent??
>     (see https://github.com/tianon/cgroupfs-mount)

After:

> Generally Necessary:
> - cgroup hierarchy: cgroupv2

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
(cherry picked from commit 76b59065ae)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:30 +01:00
gunadhya
cda6988478
Fix Error in daemon_unix.go and docker_cli_run_unit_test.go
Signed-off-by: gunadhya <6939749+gunadhya@users.noreply.github.com>
(cherry picked from commit 64465f3b5f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:17:28 +01:00
Sebastiaan van Stijn
18543cd8c8
Merge pull request #42000 from thaJeztah/20.10_backport_fix_dockerfile_simple
[20.10 backport] Dockerfile.simple: Fix compile docker binary error with btrfs
2021-02-17 21:17:02 +01:00
Sebastiaan van Stijn
1640d7b986
Fix daemon panic when starting container with invalid device cgroup rule
This fixes a panic when an invalid "device cgroup rule" is passed, resulting
in an "index out of range".

This bug was introduced in the original implementation in 1756af6faf,
but was not reproducible when using the CLI, because the same commit also added
client-side validation on the flag before making an API request. The following
example, uses an invalid rule (`c *:*  rwm` - two spaces before the permissions);

```console
$ docker run --rm --network=host --device-cgroup-rule='c *:*  rwm' busybox
invalid argument "c *:*  rwm" for "--device-cgroup-rule" flag: invalid device cgroup format 'c *:*  rwm'
```

Doing the same, but using the API results in a daemon panic when starting the container;

Create a container with an invalid device cgroup rule:

```console
curl -v \
  --unix-socket /var/run/docker.sock \
  "http://localhost/v1.41/containers/create?name=foobar" \
  -H "Content-Type: application/json" \
  -d '{"Image":"busybox:latest", "HostConfig":{"DeviceCgroupRules": ["c *:*  rwm"]}}'
```

Start the container:

```console
curl -v \
  --unix-socket /var/run/docker.sock \
  -X POST \
  "http://localhost/v1.41/containers/foobar/start"
```

Observe the daemon logs:

```
2021-01-22 12:53:03.313806 I | http: panic serving @: runtime error: index out of range [0] with length 0
goroutine 571 [running]:
net/http.(*conn).serve.func1(0xc000cb2d20)
	/usr/local/go/src/net/http/server.go:1795 +0x13b
panic(0x2f32380, 0xc000aebfc0)
	/usr/local/go/src/runtime/panic.go:679 +0x1b6
github.com/docker/docker/oci.AppendDevicePermissionsFromCgroupRules(0xc000175c00, 0x8, 0x8, 0xc0000bd380, 0x1, 0x4, 0x0, 0x0, 0xc0000e69c0, 0x0, ...)
	/go/src/github.com/docker/docker/oci/oci.go:34 +0x64f
```

This patch:

- fixes the panic, allowing the daemon to return an error on container start
- adds a unit-test to validate various permutations
- adds a "todo" to verify the regular expression (and handling) of the "a" (all) value

We should also consider performing this validation when _creating_ the container,
so that an error is produced early.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5cc1753f2c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:16:01 +01:00
Sebastiaan van Stijn
6e3f2acdac
docs: fix NanoCPUs casing
While the field in the Go struct is named `NanoCPUs`, it has a JSON label to
use `NanoCpus`, which was added in the original pull request (not clear what
the reason was); 846baf1fd3

Some notes:

- Golang processes field names case-insensitive, so when *using* the API,
  both cases should work, but when inspecting a container, the field is
  returned as `NanoCpus`.
- This only affects Containers.Resources. The `Limits` and `Reservation`
  for SwarmKit services and SwarmKit "nodes" do not override the name
  for JSON, so have the canonical (`NanoCPUs`) casing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8e2343ffd4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:15:21 +01:00
Sebastiaan van Stijn
ad777ff3bc
api: fix NanoCPUs casing in swagger
While the field in the Go struct is named `NanoCPUs`, it has a JSON label to
use `NanoCpus`, which was added in the original pull request (not clear what
the reason was); 846baf1fd3

Some notes:

- Golang processes field names case-insensitive, so when *using* the API,
  both cases should work, but when inspecting a container, the field is
  returned as `NanoCpus`.
- This only affects Containers.Resources. The `Limits` and `Reservation`
  for SwarmKit services and SwarmKit "nodes" do not override the name
  for JSON, so have the canonical (`NanoCPUs`) casing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2bd46ed7e5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:15:19 +01:00
Grant Millar
94d2467613
Fix userns-remap option when username & UID match
Signed-off-by: Grant Millar <rid@cylo.io>
(cherry picked from commit 2ad187fd4a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:14:40 +01:00
Sebastiaan van Stijn
acb8a48a3c
update runc binary to v1.0.0-rc93
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc92...v1.0.0-rc93
release notes: https://github.com/opencontainers/runc/releases/tag/v1.0.0-rc93

Release notes for runc v1.0.0-rc93
-------------------------------------------------

This is the last feature-rich RC release and we are in a feature-freeze until
1.0. 1.0.0~rc94 will be released in a few weeks with minimal bug fixes only,
and 1.0.0 will be released soon afterwards.

- runc's cgroupv2 support is no longer considered experimental. It is now
  believed to be fully ready for production deployments. In addition, runc's
  cgroup code has been improved:
    - The systemd cgroup driver has been improved to be more resilient and
      handle more systemd properties correctly.
    - We now make use of openat2(2) when possible to improve the security of
      cgroup operations (in future runc will be wholesale ported to libpathrs to
      get this protection in all codepaths).
- runc's mountinfo parsing code has been reworked significantly, making
  container startup times significantly faster and less wasteful in general.
- runc now has special handling for seccomp profiles to avoid making new
  syscalls unusable for glibc. This is done by installing a custom prefix to
  all seccomp filters which returns -ENOSYS for syscalls that are newer than
  any syscall in the profile (meaning they have a larger syscall number).

  This should not cause any regressions (because previously users would simply
  get -EPERM rather than -ENOSYS, and the rule applied above is the most
  conservative rule possible) but please report any regressions you find as a
  result of this change -- in particular, programs which have special fallback
  code that is only run in the case of -EPERM.
- runc now supports the following new runtime-spec features:
    - The umask of a container can now be specified.
    - The new Linux 5.9 capabilities (CAP_PERFMON, CAP_BPF, and
      CAP_CHECKPOINT_RESTORE) are now supported.
    - The "unified" cgroup configuration option, which allows users to explicitly
      specify the limits based on the cgroup file names rather than abstracting
      them through OCI configuration. This is currently limited in scope to
      cgroupv2.
- Various rootless containers improvements:
    - runc will no longer cause conflicts if a user specifies a custom device
      which conflicts with a user-configured device -- the user device takes
      precedence.
    - runc no longer panics if /sys/fs/cgroup is missing in rootless mode.
- runc --root is now always treated as local to the current working directory.
- The --no-pivot-root hardening was improved to handle nested mounts properly
  (please note that we still strongly recommend that users do not use
  --no-pivot-root -- it is still an insecure option).
- A large number of code cleanliness and other various cleanups, including
  fairly large changes to our tests and CI to make them all run more
  efficiently.

For packagers the following changes have been made which will have impact on
your packaging of runc:

- The "selinux" and "apparmor" buildtags have been removed, and now all runc
  builds will have SELinux and AppArmor support enabled. Note that "seccomp"
  is still optional (though we very highly recommend you enable it).
- make install DESTDIR= now functions correctly.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 28e5a3c5a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:13:50 +01:00
Sebastiaan van Stijn
5d442b1cb7
pkg/archive: Unpack() use 0755 permissions for missing directories
Commit edb62a3ace fixed a bug in MkdirAllAndChown()
that caused the specified permissions to not be applied correctly. As a result
of that bug, the configured umask would be applied.

When extracting archives, Unpack() used 0777 permissions when creating missing
parent directories for files that were extracted.
Before edb62a3ace, this resulted in actual
permissions of those directories to be 0755 on most configurations (using a
default 022 umask).

Creating these directories should not depend on the host's umask configuration.
This patch changes the permissions to 0755 to match the previous behavior,
and to reflect the original intent of using 0755 as default.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 25ada76437)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:12:57 +01:00
Tonis Tiigi
5db18e0aba
archive: avoid creating parent dirs for XGlobalHeader
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit ba7906aef3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:12:55 +01:00
Sebastiaan van Stijn
94feac18d2
Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses
v0.13.1

- Refactor `ParsePortSpec` to handle IPv6 addresses, and improve validation

v0.13.0

- `rootlesskit --pidns`: fix propagating exit status
- Support cgroup2 evacuation, e.g., `systemd-run -p Delegate=yes --user -t rootlesskit --cgroupns --pidns --evacuate-cgroup2=evac --net=slirp4netns bash`

v0.12.0

- Port forwarding API now supports setting `ChildIP`
- The `vendor` directory is no longer included in this repo. Run `go mod vendor` if you need

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e32ae1973a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:11:17 +01:00
Alexis Ries
cc377d27ac
Update TestDaemonRestartWithLiveRestore: fix docker0 subnet missmatch
Fix docker0 subnet missmatch when running from docker in docker (dind)

Signed-off-by: Alexis Ries <ries.alexis@gmail.com>
(cherry picked from commit 96e103feb1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-17 21:07:36 +01:00
Brian Goff
fae366b323
Merge pull request #41970 from thaJeztah/20.10_backport_testing_fixes 2021-02-17 09:37:19 -08:00
Brian Goff
dfce527001
Merge pull request #42030 from thaJeztah/20.10_backport_cgroup2ci_jenkins 2021-02-16 09:37:37 -08:00
Sebastiaan van Stijn
fc07fecfb5
TestBuildUserNamespaceValidateCapabilitiesAreV2: verify build completed
Check if the `docker build` completed successfully before continuing.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fa480403c7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-16 14:20:02 +01:00
Sebastiaan van Stijn
f7893961de
TestBuildUserNamespaceValidateCapabilitiesAreV2: use correct image name
This currently doesn't make a difference, because load.FrozenImagesLinux()
currently loads all frozen images, not just the specified one, but in case
that is fixed/implemented at some point.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 26965fbfa0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-16 14:20:00 +01:00
Akihiro Suda
d31b2141ae
Jenkinsfile: add cgroup2
Thanks to Stefan Scherer for setting up the Jenkins nodes.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c23b99f4db)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-16 09:22:30 +01:00
Akihiro Suda
5de9bc7e01
TestInspectOomKilledTrue: skip on cgroup v2
The test fails intermittently on cgroup v2.

```
=== FAIL: amd64.integration.container TestInspectOomKilledTrue (0.53s)
    kill_test.go:171: assertion failed: true (true bool) != false (inspect.State.OOMKilled bool)
```

Tracked in issue 41929

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit c316dd7cc5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-16 09:22:27 +01:00
Tibor Vass
11443bc681
Merge pull request #41957 from AkihiroSuda/cherrypick-41892-2010
[20.10 backport] pkg/archive: allow mknodding FIFO inside userns
2021-02-11 11:56:54 -08:00
Lei Jiang
ff49cb3e33
Dockerfile.simple: Fix compile docker binary error with btrfs
Use the image build from Dockerfile.simple to build docker binary failed
with not find <brtfs/ioctl.h>, we need to install libbtrfs-dev to fix this.
```
Building: bundles/dynbinary-daemon/dockerd-dev
GOOS="" GOARCH="" GOARM=""
.gopath/src/github.com/docker/docker/daemon/graphdriver/btrfs/btrfs.go:8:10: fatal error: btrfs/ioctl.h: No such file or directory
 #include <btrfs/ioctl.h>

```

Signed-off-by: Lei Jitang <leijitang@outlook.com>
(cherry picked from commit dd7ee8ea3e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-08 17:47:03 +01:00
Sebastiaan van Stijn
49e706e14c
Dockerfile.buildx: update buildx to v0.5.1
full diff: https://github.com/docker/buildx/compare/v0.3.1...v0.5.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 30b20a6bdd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-03 13:54:27 +01:00
Sebastiaan van Stijn
0211909bde
testing: update docker-py 4.4.1
run docker-py integration tests of the latest release;

full diff: https://github.com/docker/docker-py/compare/4.3.0...4.4.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 14fb165085)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-03 13:54:22 +01:00
Sebastiaan van Stijn
faf6442f80
integration: fix TestBuildUserNamespaceValidateCapabilitiesAreV2 not using frozen image
Commit f2f5106c92 added this test to verify loading
of images that were built with user-namespaces enabled.

However, because this test spins up a new daemon, not the daemon that's set up by
the test-suite's `TestMain()` (which loads the frozen images).

As a result, the `debian:bullseye` image was pulled from Docker Hub when running
the test;

    Calling POST /v1.41/images/load?quiet=1
    Applying tar in /go/src/github.com/docker/docker/bundles/test-integration/TestBuildUserNamespaceValidateCapabilitiesAreV2/d4d366b15997b/root/165536.165536/overlay2/3f7f9375197667acaf7bc810b34689c21f8fed9c52c6765c032497092ca023d6/diff" storage-driver=overlay
    Applied tar sha256:845f0e5159140e9dbcad00c0326c2a506fbe375aa1c229c43f082867d283149c to 3f7f9375197667acaf7bc810b34689c21f8fed9c52c6765c032497092ca023d6, size: 5922359
    Calling POST /v1.41/build?buildargs=null&cachefrom=null&cgroupparent=&cpuperiod=0&cpuquota=0&cpusetcpus=&cpusetmems=&cpushares=0&dockerfile=&labels=null&memory=0&memswap=0&networkmode=&rm=0&shmsize=0&t=capabilities%3A1.0&target=&ulimits=null&version=
    Trying to pull debian from https://registry-1.docker.io v2
    Fetching manifest from remote" digest="sha256:f169dbadc9021fc0b08e371d50a772809286a167f62a8b6ae86e4745878d283d" error="<nil>" remote="docker.io/library/debian:bullseye
    Pulling ref from V2 registry: debian:bullseye
    ...

This patch updates `TestBuildUserNamespaceValidateCapabilitiesAreV2` to load the
frozen image. `StartWithBusybox` is also changed to `Start`, because the test
is not using the busybox image, so there's no need to load it.

In a followup, we should probably add some utilities to make this easier to set up
(and to allow passing the list frozen images that we want to load, without having
to "hard-code" the image name to load).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 46dfc31342)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-03 13:54:16 +01:00
Brian Goff
f0e526f43e
Make test work with rootless mode
Using `d.Kill()` with rootless mode causes the restarted daemon to not
be able to start containerd (it times out).

Originally this was SIGKILLing the daemon because we were hoping to not
have to manipulate on disk state, but since we need to anyway we can
shut it down normally.

I also tested this to ensure the test fails correctly without the fix
that the test was added to check for.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e6591a9c7a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-03 13:54:09 +01:00
Brian Goff
11ecfe8a81
Merge pull request #41959 from AkihiroSuda/cherrypick-41917-2010
[20.10 backport] TestCgroupNamespacesRunOlderClient: support cgroup v2
2021-02-02 10:54:01 -08:00
Brian Goff
49df387b71
Merge pull request #41958 from AkihiroSuda/cherrypick-41894-2010 2021-02-02 10:52:42 -08:00
Brian Goff
54f561aeb9
Merge pull request #41956 from AkihiroSuda/cherrypick-41947-2010
[20.10 backport] rootless: prevent the service hanging when stopping (set systemd KillMode to mixed)
2021-02-02 10:51:08 -08:00
Akihiro Suda
519a55f491
TestCgroupNamespacesRunOlderClient: support cgroup v2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-02 14:34:08 +09:00
Akihiro Suda
b6a6a35684
docker info: adjust warning strings for cgroup v2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 00225e220f)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-02 14:32:13 +09:00
Akihiro Suda
25bd941ae4
docker info: silence unhandleable warnings
The following warnings in `docker info` are now discarded,
because there is no action user can actually take.

On cgroup v1:
- "WARNING: No blkio weight support"
- "WARNING: No blkio weight_device support"

On cgroup v2:
- "WARNING: No kernel memory TCP limit support"
- "WARNING: No oom kill disable support"

`docker run` still prints warnings when the missing feature is being attempted to use.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 8086443a44)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-02 14:32:00 +09:00
Akihiro Suda
a287e76e15
pkg/archive: allow mknodding FIFO inside userns
Fix #41803

Also attempt to mknod devices.
Mknodding devices are likely to fail, but still worth trying when
running with a seccomp user notification.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit d5d5cccb7e)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-02 14:29:49 +09:00
Akihiro Suda
58283298d7
rootless: set systemd KillMode to mixed
Now `systemctl --user stop docker` completes just with in 1 or 2 seconds.

Fix issue 41944 ("Docker rootless does not exit properly if containers are running")

See systemd.kill(5) https://www.freedesktop.org/software/systemd/man/systemd.kill.html

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 05566adf71)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-02-02 14:26:47 +09:00
Tibor Vass
46229ca1d8 Use golang.org/x/sys/execabs
Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 7ca0cb7ffa)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 21:33:12 +00:00
Brian Goff
a7d4af84bd pull: Validate layer digest format
Otherwise a malformed or empty digest may cause a panic.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-28 21:33:12 +00:00
Brian Goff
611eb6ffb3 buildkit: Apply apparmor profile
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-28 21:33:12 +00:00
Tibor Vass
4afe620fac vendor buildkit 68bb095353c65bc3993fd534c26cf77fe05e61b1
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 20:20:56 +00:00
Brian Goff
e908cc3901 Use real root with 0701 perms
Various dirs in /var/lib/docker contain data that needs to be mounted
into a container. For this reason, these dirs are set to be owned by the
remapped root user, otherwise there can be permissions issues.
However, this uneccessarily exposes these dirs to an unprivileged user
on the host.

Instead, set the ownership of these dirs to the real root (or rather the
UID/GID of dockerd) with 0701 permissions, which allows the remapped
root to enter the directories but not read/write to them.
The remapped root needs to enter these dirs so the container's rootfs
can be configured... e.g. to mount /etc/resolve.conf.

This prevents an unprivileged user from having read/write access to
these dirs on the host.
The flip side of this is now any user can enter these directories.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-26 17:23:32 +00:00
Brian Goff
bfedd27259 Do not set DOCKER_TMP to be owned by remapped root
The remapped root does not need access to this dir.
Having this owned by the remapped root opens the host up to an
uprivileged user on the host being able to escalate privileges.

While it would not be normal for the remapped UID to be used outside of
the container context, it could happen.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-26 17:23:32 +00:00
Brian Goff
edb62a3ace Ensure MkdirAllAndChown also sets perms
Generally if we ever need to change perms of a dir, between versions,
this ensures the permissions actually change when we think it should
change without having to handle special cases if it already existed.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-26 17:23:32 +00:00
2149 changed files with 146794 additions and 114155 deletions

View file

@ -1,21 +1,19 @@
# syntax=docker/dockerfile:1.1.7-experimental # syntax=docker/dockerfile:1
ARG CROSS="false" ARG CROSS="false"
ARG SYSTEMD="false" ARG SYSTEMD="false"
# IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored ARG GO_VERSION=1.20.10
ARG GO_VERSION=1.13.15
ARG DEBIAN_FRONTEND=noninteractive ARG DEBIAN_FRONTEND=noninteractive
ARG VPNKIT_VERSION=0.4.0 ARG VPNKIT_VERSION=0.5.0
ARG DOCKER_BUILDTAGS="apparmor seccomp" ARG DOCKER_BUILDTAGS="apparmor seccomp"
ARG BASE_DEBIAN_DISTRO="buster" ARG BASE_DEBIAN_DISTRO="bullseye"
ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}"
FROM ${GOLANG_IMAGE} AS base FROM ${GOLANG_IMAGE} AS base
RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
ARG APT_MIRROR ARG APT_MIRROR
RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \ RUN test -n "$APT_MIRROR" && sed -ri "s/(httpredir|deb|security).debian.org/${APT_MIRROR}/g" /etc/apt/sources.list || true
&& sed -ri "s/(security).debian.org/${APT_MIRROR:-security.debian.org}/g" /etc/apt/sources.list
ENV GO111MODULE=off ENV GO111MODULE=off
FROM base AS criu FROM base AS criu
@ -31,7 +29,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-criu-aptlib,target=/var/lib/apt \
libprotobuf-dev \ libprotobuf-dev \
protobuf-c-compiler \ protobuf-c-compiler \
protobuf-compiler \ protobuf-compiler \
python-protobuf python3-protobuf
# Install CRIU for checkpoint/restore support # Install CRIU for checkpoint/restore support
ARG CRIU_VERSION=3.14 ARG CRIU_VERSION=3.14
@ -72,7 +70,7 @@ WORKDIR $GOPATH/src/github.com/go-swagger/go-swagger
# Install go-swagger for validating swagger.yaml # Install go-swagger for validating swagger.yaml
# This is https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix # This is https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix
# TODO: move to under moby/ or fix upstream go-swagger to work for us. # TODO: move to under moby/ or fix upstream go-swagger to work for us.
ENV GO_SWAGGER_COMMIT 5e6cb12f7c82ce78e45ba71fa6cb1928094db050 ENV GO_SWAGGER_COMMIT c56166c036004ba7a3a321e5951ba472b9ae298c
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=tmpfs,target=/go/src/ \ --mount=type=tmpfs,target=/go/src/ \
@ -93,10 +91,9 @@ RUN --mount=type=cache,sharing=locked,id=moby-frozen-images-aptlib,target=/var/l
COPY contrib/download-frozen-image-v2.sh / COPY contrib/download-frozen-image-v2.sh /
ARG TARGETARCH ARG TARGETARCH
RUN /download-frozen-image-v2.sh /build \ RUN /download-frozen-image-v2.sh /build \
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \ busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \ busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \ debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \ hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1 arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list) # See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)
@ -108,12 +105,16 @@ ARG DEBIAN_FRONTEND
RUN dpkg --add-architecture arm64 RUN dpkg --add-architecture arm64
RUN dpkg --add-architecture armel RUN dpkg --add-architecture armel
RUN dpkg --add-architecture armhf RUN dpkg --add-architecture armhf
RUN dpkg --add-architecture ppc64el
RUN dpkg --add-architecture s390x
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \ RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
--mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \ --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
apt-get update && apt-get install -y --no-install-recommends \ apt-get update && apt-get install -y --no-install-recommends \
crossbuild-essential-arm64 \ crossbuild-essential-arm64 \
crossbuild-essential-armel \ crossbuild-essential-armel \
crossbuild-essential-armhf crossbuild-essential-armhf \
crossbuild-essential-ppc64el \
crossbuild-essential-s390x
FROM cross-${CROSS} as dev-base FROM cross-${CROSS} as dev-base
@ -134,18 +135,20 @@ RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib
FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true FROM --platform=linux/amd64 runtime-dev-cross-false AS runtime-dev-cross-true
ARG DEBIAN_FRONTEND ARG DEBIAN_FRONTEND
# These crossbuild packages rely on gcc-<arch>, but this doesn't want to install # These crossbuild packages rely on gcc-<arch>, but this doesn't want to install
# on non-amd64 systems. # on non-amd64 systems, so other architectures cannot crossbuild amd64.
# Additionally, the crossbuild-amd64 is currently only on debian:buster, so
# other architectures cannnot crossbuild amd64.
RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \ RUN --mount=type=cache,sharing=locked,id=moby-cross-true-aptlib,target=/var/lib/apt \
--mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \ --mount=type=cache,sharing=locked,id=moby-cross-true-aptcache,target=/var/cache/apt \
apt-get update && apt-get install -y --no-install-recommends \ apt-get update && apt-get install -y --no-install-recommends \
libapparmor-dev:arm64 \ libapparmor-dev:arm64 \
libapparmor-dev:armel \ libapparmor-dev:armel \
libapparmor-dev:armhf \ libapparmor-dev:armhf \
libapparmor-dev:ppc64el \
libapparmor-dev:s390x \
libseccomp-dev:arm64 \ libseccomp-dev:arm64 \
libseccomp-dev:armel \ libseccomp-dev:armel \
libseccomp-dev:armhf libseccomp-dev:armhf \
libseccomp-dev:ppc64el \
libseccomp-dev:s390x
FROM runtime-dev-cross-${CROSS} AS runtime-dev FROM runtime-dev-cross-${CROSS} AS runtime-dev
@ -157,7 +160,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
PREFIX=/build /tmp/install/install.sh tomlv PREFIX=/build /tmp/install/install.sh tomlv
FROM base AS vndr FROM base AS vndr
ARG VNDR_COMMIT ARG VNDR_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \ --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
@ -169,7 +172,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/
--mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \ --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
apt-get update && apt-get install -y --no-install-recommends \ apt-get update && apt-get install -y --no-install-recommends \
libbtrfs-dev libbtrfs-dev
ARG CONTAINERD_COMMIT ARG CONTAINERD_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \ --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
@ -183,21 +186,21 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
PREFIX=/build /tmp/install/install.sh proxy PREFIX=/build /tmp/install/install.sh proxy
FROM base AS golangci_lint FROM base AS golangci_lint
ARG GOLANGCI_LINT_COMMIT ARG GOLANGCI_LINT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \ --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
PREFIX=/build /tmp/install/install.sh golangci_lint PREFIX=/build /tmp/install/install.sh golangci_lint
FROM base AS gotestsum FROM base AS gotestsum
ARG GOTESTSUM_COMMIT ARG GOTESTSUM_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \ --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
PREFIX=/build /tmp/install/install.sh gotestsum PREFIX=/build /tmp/install/install.sh gotestsum
FROM base AS shfmt FROM base AS shfmt
ARG SHFMT_COMMIT ARG SHFMT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \ --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
@ -212,7 +215,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
PREFIX=/build /tmp/install/install.sh dockercli PREFIX=/build /tmp/install/install.sh dockercli
FROM runtime-dev AS runc FROM runtime-dev AS runc
ARG RUNC_COMMIT ARG RUNC_VERSION
ARG RUNC_BUILDTAGS ARG RUNC_BUILDTAGS
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
@ -221,7 +224,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
FROM dev-base AS tini FROM dev-base AS tini
ARG DEBIAN_FRONTEND ARG DEBIAN_FRONTEND
ARG TINI_COMMIT ARG TINI_VERSION
RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \ RUN --mount=type=cache,sharing=locked,id=moby-tini-aptlib,target=/var/lib/apt \
--mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \ --mount=type=cache,sharing=locked,id=moby-tini-aptcache,target=/var/cache/apt \
apt-get update && apt-get install -y --no-install-recommends \ apt-get update && apt-get install -y --no-install-recommends \
@ -233,7 +236,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
PREFIX=/build /tmp/install/install.sh tini PREFIX=/build /tmp/install/install.sh tini
FROM dev-base AS rootlesskit FROM dev-base AS rootlesskit
ARG ROOTLESSKIT_COMMIT ARG ROOTLESSKIT_VERSION
RUN --mount=type=cache,target=/root/.cache/go-build \ RUN --mount=type=cache,target=/root/.cache/go-build \
--mount=type=cache,target=/go/pkg/mod \ --mount=type=cache,target=/go/pkg/mod \
--mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \ --mount=type=bind,src=hack/dockerfile/install,target=/tmp/install \
@ -241,7 +244,13 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
COPY ./contrib/dockerd-rootless.sh /build COPY ./contrib/dockerd-rootless.sh /build
COPY ./contrib/dockerd-rootless-setuptool.sh /build COPY ./contrib/dockerd-rootless-setuptool.sh /build
FROM djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit FROM --platform=amd64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-amd64
FROM --platform=arm64 djs55/vpnkit:${VPNKIT_VERSION} AS vpnkit-arm64
FROM scratch AS vpnkit
COPY --from=vpnkit-amd64 /vpnkit /build/vpnkit.x86_64
COPY --from=vpnkit-arm64 /vpnkit /build/vpnkit.aarch64
# TODO: Some of this is only really needed for testing, it would be nice to split this up # TODO: Some of this is only really needed for testing, it would be nice to split this up
FROM runtime-dev AS dev-systemd-false FROM runtime-dev AS dev-systemd-false
@ -256,15 +265,19 @@ RUN ln -sfv /go/src/github.com/docker/docker/.bashrc ~/.bashrc
RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc RUN echo "source /usr/share/bash-completion/bash_completion" >> /etc/bash.bashrc
RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker RUN ln -s /usr/local/completion/bash/docker /etc/bash_completion.d/docker
RUN ldconfig RUN ldconfig
# Set dev environment as safe git directory to prevent "dubious ownership" errors
# when bind-mounting the source into the dev-container. See https://github.com/moby/moby/pull/44930
RUN git config --global --add safe.directory $GOPATH/src/github.com/docker/docker
# This should only install packages that are specifically needed for the dev environment and nothing else # This should only install packages that are specifically needed for the dev environment and nothing else
# Do you really need to add another package here? Can it be done in a different build stage? # Do you really need to add another package here? Can it be done in a different build stage?
RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
--mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \ --mount=type=cache,sharing=locked,id=moby-dev-aptcache,target=/var/cache/apt \
apt-get update && apt-get install -y --no-install-recommends \ apt-get update && apt-get install -y --no-install-recommends \
apparmor \ apparmor \
aufs-tools \
bash-completion \ bash-completion \
bzip2 \ bzip2 \
inetutils-ping \
iproute2 \
iptables \ iptables \
jq \ jq \
libcap2-bin \ libcap2-bin \
@ -272,6 +285,7 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
libnl-3-200 \ libnl-3-200 \
libprotobuf-c1 \ libprotobuf-c1 \
net-tools \ net-tools \
patch \
pigz \ pigz \
python3-pip \ python3-pip \
python3-setuptools \ python3-setuptools \
@ -292,7 +306,7 @@ RUN update-alternatives --set iptables /usr/sbin/iptables-legacy || true \
&& update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
&& update-alternatives --set arptables /usr/sbin/arptables-legacy || true && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
RUN pip3 install yamllint==1.16.0 RUN pip3 install yamllint==1.26.1
COPY --from=dockercli /build/ /usr/local/cli COPY --from=dockercli /build/ /usr/local/cli
COPY --from=frozen-images /build/ /docker-frozen-images COPY --from=frozen-images /build/ /docker-frozen-images
@ -300,7 +314,12 @@ COPY --from=swagger /build/ /usr/local/bin/
COPY --from=tomlv /build/ /usr/local/bin/ COPY --from=tomlv /build/ /usr/local/bin/
COPY --from=tini /build/ /usr/local/bin/ COPY --from=tini /build/ /usr/local/bin/
COPY --from=registry /build/ /usr/local/bin/ COPY --from=registry /build/ /usr/local/bin/
COPY --from=criu /build/ /usr/local/
# Skip the CRIU stage for now, as the opensuse package repository is sometimes
# unstable, and we're currently not using it in CI.
#
# FIXME(thaJeztah): re-enable this stage when https://github.com/moby/moby/issues/38963 is resolved (see https://github.com/moby/moby/pull/38984)
# COPY --from=criu /build/ /usr/local/
COPY --from=vndr /build/ /usr/local/bin/ COPY --from=vndr /build/ /usr/local/bin/
COPY --from=gotestsum /build/ /usr/local/bin/ COPY --from=gotestsum /build/ /usr/local/bin/
COPY --from=golangci_lint /build/ /usr/local/bin/ COPY --from=golangci_lint /build/ /usr/local/bin/
@ -308,7 +327,7 @@ COPY --from=shfmt /build/ /usr/local/bin/
COPY --from=runc /build/ /usr/local/bin/ COPY --from=runc /build/ /usr/local/bin/
COPY --from=containerd /build/ /usr/local/bin/ COPY --from=containerd /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/ COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=vpnkit /vpnkit /usr/local/bin/vpnkit.x86_64 COPY --from=vpnkit /build/ /usr/local/bin/
COPY --from=proxy /build/ /usr/local/bin/ COPY --from=proxy /build/ /usr/local/bin/
ENV PATH=/usr/local/cli:$PATH ENV PATH=/usr/local/cli:$PATH
ARG DOCKER_BUILDTAGS ARG DOCKER_BUILDTAGS
@ -356,7 +375,7 @@ COPY --from=runc /build/ /usr/local/bin/
COPY --from=containerd /build/ /usr/local/bin/ COPY --from=containerd /build/ /usr/local/bin/
COPY --from=rootlesskit /build/ /usr/local/bin/ COPY --from=rootlesskit /build/ /usr/local/bin/
COPY --from=proxy /build/ /usr/local/bin/ COPY --from=proxy /build/ /usr/local/bin/
COPY --from=vpnkit /vpnkit /usr/local/bin/vpnkit.x86_64 COPY --from=vpnkit /build/ /usr/local/bin/
WORKDIR /go/src/github.com/docker/docker WORKDIR /go/src/github.com/docker/docker
FROM binary-base AS build-binary FROM binary-base AS build-binary

View file

@ -1,26 +0,0 @@
ARG GO_VERSION=1.13.15
ARG BUILDX_COMMIT=v0.3.1
ARG BUILDX_REPO=https://github.com/docker/buildx.git
FROM golang:${GO_VERSION}-buster AS build
ARG BUILDX_REPO
RUN git clone "${BUILDX_REPO}" /buildx
WORKDIR /buildx
ARG BUILDX_COMMIT
RUN git fetch origin "${BUILDX_COMMIT}":build && git checkout build
ARG GOOS
ARG GOARCH
# Keep these essentially no-op var settings for debug purposes.
# It allows us to see what the GOOS/GOARCH that's being built for is.
RUN GOOS="${GOOS}" GOARCH="${GOARCH}" BUILDX_COMMIT="${BUILDX_COMMIT}"; \
pkg="github.com/docker/buildx"; \
ldflags="\
-X \"${pkg}/version.Version=$(git describe --tags)\" \
-X \"${pkg}/version.Revision=$(git rev-parse --short HEAD)\" \
-X \"${pkg}/version.Package=buildx\" \
"; \
go build -mod=vendor -ldflags "${ldflags}" -o /usr/bin/buildx ./cmd/buildx
FROM golang:${GO_VERSION}-buster
COPY --from=build /usr/bin/buildx /usr/bin/buildx
ENTRYPOINT ["/usr/bin/buildx"]

View file

@ -1,4 +1,4 @@
ARG GO_VERSION=1.13.15 ARG GO_VERSION=1.20.10
FROM golang:${GO_VERSION}-alpine AS base FROM golang:${GO_VERSION}-alpine AS base
ENV GO111MODULE=off ENV GO111MODULE=off
@ -18,10 +18,10 @@ FROM base AS frozen-images
# Get useful and necessary Hub images so we can "docker load" locally instead of pulling # Get useful and necessary Hub images so we can "docker load" locally instead of pulling
COPY contrib/download-frozen-image-v2.sh / COPY contrib/download-frozen-image-v2.sh /
RUN /download-frozen-image-v2.sh /build \ RUN /download-frozen-image-v2.sh /build \
buildpack-deps:buster@sha256:d0abb4b1e5c664828b93e8b6ac84d10bce45ee469999bef88304be04a2709491 \ busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \ busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \ busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
debian:bullseye@sha256:7190e972ab16aefea4d758ebe42a293f4e5c5be63595f4d03a5b9bf6839a4344 \ debian:bullseye-slim@sha256:dacf278785a4daa9de07596ec739dbc07131e189942772210709c5c0777e8437 \
hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9
# See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list) # See also frozenImages in "testutil/environment/protect.go" (which needs to be updated when adding images to this list)

View file

@ -5,7 +5,7 @@
# This represents the bare minimum required to build and test Docker. # This represents the bare minimum required to build and test Docker.
ARG GO_VERSION=1.13.15 ARG GO_VERSION=1.20.10
FROM golang:${GO_VERSION}-buster FROM golang:${GO_VERSION}-buster
ENV GO111MODULE=off ENV GO111MODULE=off
@ -18,13 +18,13 @@ RUN sed -ri "s/(httpredir|deb).debian.org/$APT_MIRROR/g" /etc/apt/sources.list
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies # https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
btrfs-tools \
build-essential \ build-essential \
curl \ curl \
cmake \ cmake \
gcc \ gcc \
git \ git \
libapparmor-dev \ libapparmor-dev \
libbtrfs-dev \
libdevmapper-dev \ libdevmapper-dev \
libseccomp-dev \ libseccomp-dev \
ca-certificates \ ca-certificates \

View file

@ -165,8 +165,8 @@ FROM microsoft/windowsservercore
# Use PowerShell as the default shell # Use PowerShell as the default shell
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
ARG GO_VERSION=1.13.15 ARG GO_VERSION=1.20.10
ARG GOTESTSUM_COMMIT=v0.5.3 ARG GOTESTSUM_VERSION=v1.8.2
# Environment variable notes: # Environment variable notes:
# - GO_VERSION must be consistent with 'Dockerfile' used by Linux. # - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@ -176,7 +176,7 @@ ENV GO_VERSION=${GO_VERSION} `
GOPATH=C:\gopath ` GOPATH=C:\gopath `
GO111MODULE=off ` GO111MODULE=off `
FROM_DOCKERFILE=1 ` FROM_DOCKERFILE=1 `
GOTESTSUM_COMMIT=${GOTESTSUM_COMMIT} GOTESTSUM_VERSION=${GOTESTSUM_VERSION}
RUN ` RUN `
Function Test-Nano() { ` Function Test-Nano() { `
@ -261,21 +261,20 @@ RUN `
C:\git\cmd\git config --global core.autocrlf true; C:\git\cmd\git config --global core.autocrlf true;
RUN ` RUN `
Function Build-GoTestSum() { ` Function Install-GoTestSum() { `
Write-Host "INFO: Building gotestsum version $Env:GOTESTSUM_COMMIT in $Env:GOPATH"; `
$Env:GO111MODULE = 'on'; ` $Env:GO111MODULE = 'on'; `
$tmpGobin = "${Env:GOBIN_TMP}"; ` $tmpGobin = "${Env:GOBIN_TMP}"; `
$Env:GOBIN = """${Env:GOPATH}`\bin"""; ` $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
&go get -buildmode=exe "gotest.tools/gotestsum@${Env:GOTESTSUM_COMMIT}"; ` Write-Host "INFO: Installing gotestsum version $Env:GOTESTSUM_VERSION in $Env:GOBIN"; `
&go install "gotest.tools/gotestsum@${Env:GOTESTSUM_VERSION}"; `
$Env:GOBIN = "${tmpGobin}"; ` $Env:GOBIN = "${tmpGobin}"; `
$Env:GO111MODULE = 'off'; ` $Env:GO111MODULE = 'off'; `
if ($LASTEXITCODE -ne 0) { ` if ($LASTEXITCODE -ne 0) { `
Throw '"gotestsum build failed..."'; ` Throw '"gotestsum install failed..."'; `
} ` } `
Write-Host "INFO: Build done for gotestsum..."; `
} ` } `
` `
Build-GoTestSum Install-GoTestSum
# Make PowerShell the default entrypoint # Make PowerShell the default entrypoint
ENTRYPOINT ["powershell.exe"] ENTRYPOINT ["powershell.exe"]

416
Jenkinsfile vendored
View file

@ -12,10 +12,8 @@ pipeline {
booleanParam(name: 'validate_force', defaultValue: false, description: 'force validation steps to be run, even if no changes were detected') booleanParam(name: 'validate_force', defaultValue: false, description: 'force validation steps to be run, even if no changes were detected')
booleanParam(name: 'amd64', defaultValue: true, description: 'amd64 (x86_64) Build/Test') booleanParam(name: 'amd64', defaultValue: true, description: 'amd64 (x86_64) Build/Test')
booleanParam(name: 'rootless', defaultValue: true, description: 'amd64 (x86_64) Build/Test (Rootless mode)') booleanParam(name: 'rootless', defaultValue: true, description: 'amd64 (x86_64) Build/Test (Rootless mode)')
booleanParam(name: 'cgroup2', defaultValue: true, description: 'amd64 (x86_64) Build/Test (cgroup v2)')
booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test') booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test')
booleanParam(name: 's390x', defaultValue: true, description: 'IBM Z (s390x) Build/Test')
booleanParam(name: 'ppc64le', defaultValue: true, description: 'PowerPC (ppc64le) Build/Test')
booleanParam(name: 'windowsRS1', defaultValue: false, description: 'Windows 2016 (RS1) Build/Test')
booleanParam(name: 'windowsRS5', defaultValue: true, description: 'Windows 2019 (RS5) Build/Test') booleanParam(name: 'windowsRS5', defaultValue: true, description: 'Windows 2019 (RS5) Build/Test')
booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check') booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check')
} }
@ -23,7 +21,6 @@ pipeline {
DOCKER_BUILDKIT = '1' DOCKER_BUILDKIT = '1'
DOCKER_EXPERIMENTAL = '1' DOCKER_EXPERIMENTAL = '1'
DOCKER_GRAPHDRIVER = 'overlay2' DOCKER_GRAPHDRIVER = 'overlay2'
APT_MIRROR = 'cdn-fastly.deb.debian.org'
CHECK_CONFIG_COMMIT = '78405559cfe5987174aa2cb6463b9b2c1b917255' CHECK_CONFIG_COMMIT = '78405559cfe5987174aa2cb6463b9b2c1b917255'
TESTDEBUG = '0' TESTDEBUG = '0'
TIMEOUT = '120m' TIMEOUT = '120m'
@ -45,14 +42,14 @@ pipeline {
beforeAgent true beforeAgent true
expression { params.dco } expression { params.dco }
} }
agent { label 'amd64 && ubuntu-1804 && overlay2' } agent { label 'arm64 && ubuntu-2004' }
steps { steps {
sh ''' sh '''
docker run --rm \ docker run --rm \
-v "$WORKSPACE:/workspace" \ -v "$WORKSPACE:/workspace" \
-e VALIDATE_REPO=${GIT_URL} \ -e VALIDATE_REPO=${GIT_URL} \
-e VALIDATE_BRANCH=${CHANGE_TARGET} \ -e VALIDATE_BRANCH=${CHANGE_TARGET} \
alpine sh -c 'apk add --no-cache -q bash git openssh-client && cd /workspace && hack/validate/dco' alpine sh -c 'apk add --no-cache -q bash git openssh-client && git config --system --add safe.directory /workspace && cd /workspace && hack/validate/dco'
''' '''
} }
} }
@ -63,7 +60,7 @@ pipeline {
beforeAgent true beforeAgent true
expression { params.unit_validate } expression { params.unit_validate }
} }
agent { label 'amd64 && ubuntu-1804 && overlay2' } agent { label 'amd64 && ubuntu-2004 && overlay2' }
environment { environment {
// On master ("non-pull-request"), force running some validation checks (vendor, swagger), // On master ("non-pull-request"), force running some validation checks (vendor, swagger),
// even if no files were changed. This allows catching problems caused by pull-requests // even if no files were changed. This allows catching problems caused by pull-requests
@ -249,7 +246,7 @@ pipeline {
beforeAgent true beforeAgent true
expression { params.amd64 } expression { params.amd64 }
} }
agent { label 'amd64 && ubuntu-1804 && overlay2' } agent { label 'amd64 && ubuntu-2004 && overlay2' }
stages { stages {
stage("Print info") { stage("Print info") {
@ -378,7 +375,7 @@ pipeline {
beforeAgent true beforeAgent true
expression { params.rootless } expression { params.rootless }
} }
agent { label 'amd64 && ubuntu-1804 && overlay2' } agent { label 'amd64 && ubuntu-2004 && overlay2' }
stages { stages {
stage("Print info") { stage("Print info") {
steps { steps {
@ -460,64 +457,40 @@ pipeline {
} }
} }
stage('s390x') { stage('cgroup2') {
when { when {
beforeAgent true beforeAgent true
expression { params.s390x } expression { params.cgroup2 }
} }
agent { label 's390x-ubuntu-1804' } agent { label 'amd64 && ubuntu-2004 && cgroup2' }
stages { stages {
stage("Print info") { stage("Print info") {
steps { steps {
sh 'docker version' sh 'docker version'
sh 'docker info' sh 'docker info'
sh '''
echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
&& bash ${WORKSPACE}/check-config.sh || true
'''
} }
} }
stage("Build dev image") { stage("Build dev image") {
steps { steps {
sh ''' sh '''
docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} . docker build --force-rm --build-arg APT_MIRROR --build-arg SYSTEMD=true -t docker:${GIT_COMMIT} .
''' '''
} }
} }
stage("Unit tests") {
steps {
sh '''
docker run --rm -t --privileged \
-v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
--name docker-pr$BUILD_NUMBER \
-e DOCKER_EXPERIMENTAL \
-e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-e DOCKER_GRAPHDRIVER \
-e VALIDATE_REPO=${GIT_URL} \
-e VALIDATE_BRANCH=${CHANGE_TARGET} \
docker:${GIT_COMMIT} \
hack/test/unit
'''
}
post {
always {
junit testResults: 'bundles/junit-report.xml', allowEmptyResults: true
}
}
}
stage("Integration tests") { stage("Integration tests") {
environment { TEST_SKIP_INTEGRATION_CLI = '1' } environment {
DOCKER_SYSTEMD = '1' // recommended cgroup driver for v2
TEST_SKIP_INTEGRATION_CLI = '1' // CLI tests do not support v2
}
steps { steps {
sh ''' sh '''
docker run --rm -t --privileged \ docker run --rm -t --privileged \
-v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \ -v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
--name docker-pr$BUILD_NUMBER \ --name docker-pr$BUILD_NUMBER \
-e DOCKER_EXPERIMENTAL \
-e DOCKER_GITCOMMIT=${GIT_COMMIT} \ -e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-e DOCKER_GRAPHDRIVER \ -e DOCKER_GRAPHDRIVER \
-e TESTDEBUG \ -e DOCKER_EXPERIMENTAL \
-e DOCKER_SYSTEMD \
-e TEST_SKIP_INTEGRATION_CLI \ -e TEST_SKIP_INTEGRATION_CLI \
-e TIMEOUT \ -e TIMEOUT \
-e VALIDATE_REPO=${GIT_URL} \ -e VALIDATE_REPO=${GIT_URL} \
@ -550,7 +523,7 @@ pipeline {
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') { catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
sh ''' sh '''
bundleName=s390x-integration bundleName=amd64-cgroup2
echo "Creating ${bundleName}-bundles.tar.gz" echo "Creating ${bundleName}-bundles.tar.gz"
# exclude overlay2 directories # exclude overlay2 directories
find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
@ -565,297 +538,13 @@ pipeline {
} }
} }
} }
stage('s390x integration-cli') {
when {
beforeAgent true
not { changeRequest() }
expression { params.s390x }
}
agent { label 's390x-ubuntu-1804' }
stages {
stage("Print info") {
steps {
sh 'docker version'
sh 'docker info'
sh '''
echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
&& bash ${WORKSPACE}/check-config.sh || true
'''
}
}
stage("Build dev image") {
steps {
sh '''
docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
'''
}
}
stage("Integration-cli tests") {
environment { TEST_SKIP_INTEGRATION = '1' }
steps {
sh '''
docker run --rm -t --privileged \
-v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
--name docker-pr$BUILD_NUMBER \
-e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-e DOCKER_GRAPHDRIVER \
-e TEST_SKIP_INTEGRATION \
-e TIMEOUT \
-e VALIDATE_REPO=${GIT_URL} \
-e VALIDATE_BRANCH=${CHANGE_TARGET} \
docker:${GIT_COMMIT} \
hack/make.sh \
dynbinary \
test-integration
'''
}
post {
always {
junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
}
}
}
}
post {
always {
sh '''
echo "Ensuring container killed."
docker rm -vf docker-pr$BUILD_NUMBER || true
'''
sh '''
echo "Chowning /workspace to jenkins user"
docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
'''
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
sh '''
bundleName=s390x-integration-cli
echo "Creating ${bundleName}-bundles.tar.gz"
# exclude overlay2 directories
find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
'''
archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
}
}
cleanup {
sh 'make clean'
deleteDir()
}
}
}
stage('ppc64le') {
when {
beforeAgent true
expression { params.ppc64le }
}
agent { label 'ppc64le-ubuntu-1604' }
// ppc64le machines run on Docker 18.06, and buildkit has some
// bugs on that version. Build and use buildx instead.
environment {
USE_BUILDX = '1'
DOCKER_BUILDKIT = '0'
}
stages {
stage("Print info") {
steps {
sh 'docker version'
sh 'docker info'
sh '''
echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
&& bash ${WORKSPACE}/check-config.sh || true
'''
}
}
stage("Build dev image") {
steps {
sh '''
make bundles/buildx
bundles/buildx build --load --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
'''
}
}
stage("Unit tests") {
steps {
sh '''
docker run --rm -t --privileged \
-v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
--name docker-pr$BUILD_NUMBER \
-e DOCKER_EXPERIMENTAL \
-e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-e DOCKER_GRAPHDRIVER \
-e VALIDATE_REPO=${GIT_URL} \
-e VALIDATE_BRANCH=${CHANGE_TARGET} \
docker:${GIT_COMMIT} \
hack/test/unit
'''
}
post {
always {
junit testResults: 'bundles/junit-report.xml', allowEmptyResults: true
}
}
}
stage("Integration tests") {
environment { TEST_SKIP_INTEGRATION_CLI = '1' }
steps {
sh '''
docker run --rm -t --privileged \
-v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
--name docker-pr$BUILD_NUMBER \
-e DOCKER_EXPERIMENTAL \
-e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-e DOCKER_GRAPHDRIVER \
-e TESTDEBUG \
-e TEST_SKIP_INTEGRATION_CLI \
-e TIMEOUT \
-e VALIDATE_REPO=${GIT_URL} \
-e VALIDATE_BRANCH=${CHANGE_TARGET} \
docker:${GIT_COMMIT} \
hack/make.sh \
dynbinary \
test-integration
'''
}
post {
always {
junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
}
}
}
}
post {
always {
sh '''
echo "Ensuring container killed."
docker rm -vf docker-pr$BUILD_NUMBER || true
'''
sh '''
echo "Chowning /workspace to jenkins user"
docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
'''
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
sh '''
bundleName=ppc64le-integration
echo "Creating ${bundleName}-bundles.tar.gz"
# exclude overlay2 directories
find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
'''
archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
}
}
cleanup {
sh 'make clean'
deleteDir()
}
}
}
stage('ppc64le integration-cli') {
when {
beforeAgent true
not { changeRequest() }
expression { params.ppc64le }
}
agent { label 'ppc64le-ubuntu-1604' }
// ppc64le machines run on Docker 18.06, and buildkit has some
// bugs on that version. Build and use buildx instead.
environment {
USE_BUILDX = '1'
DOCKER_BUILDKIT = '0'
}
stages {
stage("Print info") {
steps {
sh 'docker version'
sh 'docker info'
sh '''
echo "check-config.sh version: ${CHECK_CONFIG_COMMIT}"
curl -fsSL -o ${WORKSPACE}/check-config.sh "https://raw.githubusercontent.com/moby/moby/${CHECK_CONFIG_COMMIT}/contrib/check-config.sh" \
&& bash ${WORKSPACE}/check-config.sh || true
'''
}
}
stage("Build dev image") {
steps {
sh '''
make bundles/buildx
bundles/buildx build --load --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .
'''
}
}
stage("Integration-cli tests") {
environment { TEST_SKIP_INTEGRATION = '1' }
steps {
sh '''
docker run --rm -t --privileged \
-v "$WORKSPACE/bundles:/go/src/github.com/docker/docker/bundles" \
--name docker-pr$BUILD_NUMBER \
-e DOCKER_GITCOMMIT=${GIT_COMMIT} \
-e DOCKER_GRAPHDRIVER \
-e TEST_SKIP_INTEGRATION \
-e TIMEOUT \
-e VALIDATE_REPO=${GIT_URL} \
-e VALIDATE_BRANCH=${CHANGE_TARGET} \
docker:${GIT_COMMIT} \
hack/make.sh \
dynbinary \
test-integration
'''
}
post {
always {
junit testResults: 'bundles/**/*-report.xml', allowEmptyResults: true
}
}
}
}
post {
always {
sh '''
echo "Ensuring container killed."
docker rm -vf docker-pr$BUILD_NUMBER || true
'''
sh '''
echo "Chowning /workspace to jenkins user"
docker run --rm -v "$WORKSPACE:/workspace" busybox chown -R "$(id -u):$(id -g)" /workspace
'''
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
sh '''
bundleName=ppc64le-integration-cli
echo "Creating ${bundleName}-bundles.tar.gz"
# exclude overlay2 directories
find bundles -path '*/root/*overlay2' -prune -o -type f \\( -name '*-report.json' -o -name '*.log' -o -name '*.prof' -o -name '*-report.xml' \\) -print | xargs tar -czf ${bundleName}-bundles.tar.gz
'''
archiveArtifacts artifacts: '*-bundles.tar.gz', allowEmptyArchive: true
}
}
cleanup {
sh 'make clean'
deleteDir()
}
}
}
stage('arm64') { stage('arm64') {
when { when {
beforeAgent true beforeAgent true
expression { params.arm64 } expression { params.arm64 }
} }
agent { label 'arm64 && linux' } agent { label 'arm64 && ubuntu-2004' }
environment { environment {
TEST_SKIP_INTEGRATION_CLI = '1' TEST_SKIP_INTEGRATION_CLI = '1'
} }
@ -874,7 +563,7 @@ pipeline {
} }
stage("Build dev image") { stage("Build dev image") {
steps { steps {
sh 'docker build --force-rm --build-arg APT_MIRROR -t docker:${GIT_COMMIT} .' sh 'docker build --force-rm -t docker:${GIT_COMMIT} .'
} }
} }
stage("Unit tests") { stage("Unit tests") {
@ -956,73 +645,6 @@ pipeline {
} }
} }
} }
stage('win-RS1') {
when {
beforeAgent true
// Skip this stage on PRs unless the windowsRS1 checkbox is selected
anyOf {
not { changeRequest() }
expression { params.windowsRS1 }
}
}
environment {
DOCKER_BUILDKIT = '0'
DOCKER_DUT_DEBUG = '1'
SKIP_VALIDATION_TESTS = '1'
SOURCES_DRIVE = 'd'
SOURCES_SUBDIR = 'gopath'
TESTRUN_DRIVE = 'd'
TESTRUN_SUBDIR = "CI"
WINDOWS_BASE_IMAGE = 'mcr.microsoft.com/windows/servercore'
WINDOWS_BASE_IMAGE_TAG = 'ltsc2016'
}
agent {
node {
customWorkspace 'd:\\gopath\\src\\github.com\\docker\\docker'
label 'windows-2016'
}
}
stages {
stage("Print info") {
steps {
sh 'docker version'
sh 'docker info'
}
}
stage("Run tests") {
steps {
powershell '''
$ErrorActionPreference = 'Stop'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest https://github.com/moby/docker-ci-zap/blob/master/docker-ci-zap.exe?raw=true -OutFile C:/Windows/System32/docker-ci-zap.exe
./hack/ci/windows.ps1
exit $LastExitCode
'''
}
}
}
post {
always {
junit testResults: 'bundles/junit-report-*.xml', allowEmptyResults: true
catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE', message: 'Failed to create bundles.tar.gz') {
powershell '''
cd $env:WORKSPACE
$bundleName="windowsRS1-integration"
Write-Host -ForegroundColor Green "Creating ${bundleName}-bundles.zip"
# archiveArtifacts does not support env-vars to , so save the artifacts in a fixed location
Compress-Archive -Path "bundles/CIDUT.out", "bundles/CIDUT.err", "bundles/junit-report-*.xml" -CompressionLevel Optimal -DestinationPath "${bundleName}-bundles.zip"
'''
archiveArtifacts artifacts: '*-bundles.zip', allowEmptyArchive: true
}
}
cleanup {
sh 'make clean'
deleteDir()
}
}
}
stage('win-RS5') { stage('win-RS5') {
when { when {
beforeAgent true beforeAgent true

View file

@ -1,5 +1,7 @@
.PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate win .PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate win
BUILDX_VERSION ?= v0.8.2
ifdef USE_BUILDX ifdef USE_BUILDX
BUILDX ?= $(shell command -v buildx) BUILDX ?= $(shell command -v buildx)
BUILDX ?= $(shell command -v docker-buildx) BUILDX ?= $(shell command -v docker-buildx)
@ -44,7 +46,6 @@ export VALIDATE_ORIGIN_BRANCH
# #
DOCKER_ENVS := \ DOCKER_ENVS := \
-e DOCKER_CROSSPLATFORMS \ -e DOCKER_CROSSPLATFORMS \
-e BUILD_APT_MIRROR \
-e BUILDFLAGS \ -e BUILDFLAGS \
-e KEEPBUNDLE \ -e KEEPBUNDLE \
-e DOCKER_BUILD_ARGS \ -e DOCKER_BUILD_ARGS \
@ -122,8 +123,6 @@ DOCKER_IMAGE := docker-dev$(if $(GIT_BRANCH_CLEAN),:$(GIT_BRANCH_CLEAN))
DOCKER_PORT_FORWARD := $(if $(DOCKER_PORT),-p "$(DOCKER_PORT)",) DOCKER_PORT_FORWARD := $(if $(DOCKER_PORT),-p "$(DOCKER_PORT)",)
DOCKER_FLAGS := $(DOCKER) run --rm -i --privileged $(DOCKER_CONTAINER_NAME) $(DOCKER_ENVS) $(DOCKER_MOUNT) $(DOCKER_PORT_FORWARD) DOCKER_FLAGS := $(DOCKER) run --rm -i --privileged $(DOCKER_CONTAINER_NAME) $(DOCKER_ENVS) $(DOCKER_MOUNT) $(DOCKER_PORT_FORWARD)
BUILD_APT_MIRROR := $(if $(DOCKER_BUILD_APT_MIRROR),--build-arg APT_MIRROR=$(DOCKER_BUILD_APT_MIRROR))
export BUILD_APT_MIRROR
SWAGGER_DOCS_PORT ?= 9000 SWAGGER_DOCS_PORT ?= 9000
@ -147,7 +146,7 @@ ifdef DOCKER_SYSTEMD
DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true DOCKER_BUILD_ARGS += --build-arg=SYSTEMD=true
endif endif
BUILD_OPTS := ${BUILD_APT_MIRROR} ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS} -f "$(DOCKERFILE)" BUILD_OPTS := ${DOCKER_BUILD_ARGS} ${DOCKER_BUILD_OPTS} -f "$(DOCKERFILE)"
ifdef USE_BUILDX ifdef USE_BUILDX
BUILD_OPTS += $(BUILDX_BUILD_EXTRA_OPTS) BUILD_OPTS += $(BUILDX_BUILD_EXTRA_OPTS)
BUILD_CMD := $(BUILDX) build BUILD_CMD := $(BUILDX) build
@ -273,22 +272,6 @@ buildx: bundles/buildx ## build buildx cli tool
endif endif
endif endif
# This intentionally is not using the `--output` flag from the docker CLI, which
# is a buildkit option. The idea here being that if buildx is being used, it's
# because buildkit is not supported natively
bundles/buildx: bundles ## build buildx CLI tool bundles/buildx: bundles ## build buildx CLI tool
docker build -f $${BUILDX_DOCKERFILE:-Dockerfile.buildx} -t "moby-buildx:$${BUILDX_COMMIT:-latest}" \ curl -fsSL https://raw.githubusercontent.com/moby/buildkit/70deac12b5857a1aa4da65e90b262368e2f71500/hack/install-buildx | VERSION="$(BUILDX_VERSION)" BINDIR="$(@D)" bash
--build-arg BUILDX_COMMIT \
--build-arg BUILDX_REPO \
--build-arg GOOS=$$(if [ -n "$(GOOS)" ]; then echo $(GOOS); else go env GOHOSTOS || uname | awk '{print tolower($$0)}' || true; fi) \
--build-arg GOARCH=$$(if [ -n "$(GOARCH)" ]; then echo $(GOARCH); else go env GOHOSTARCH || true; fi) \
.
id=$$(docker create moby-buildx:$${BUILDX_COMMIT:-latest}); \
if [ -n "$${id}" ]; then \
docker cp $${id}:/usr/bin/buildx $@ \
&& touch $@; \
docker rm -f $${id}; \
fi
$@ version $@ version

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package api // import "github.com/docker/docker/api" package api // import "github.com/docker/docker/api"

View file

@ -0,0 +1,34 @@
package server
import (
"net/http"
"github.com/docker/docker/api/server/httpstatus"
"github.com/docker/docker/api/server/httputils"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/versions"
"github.com/gorilla/mux"
"google.golang.org/grpc/status"
)
// makeErrorHandler makes an HTTP handler that decodes a Docker error and
// returns it in the response.
func makeErrorHandler(err error) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
statusCode := httpstatus.FromError(err)
vars := mux.Vars(r)
if apiVersionSupportsJSONErrors(vars["version"]) {
response := &types.ErrorResponse{
Message: err.Error(),
}
_ = httputils.WriteJSON(w, statusCode, response)
} else {
http.Error(w, status.Convert(err).Message(), statusCode)
}
}
}
func apiVersionSupportsJSONErrors(version string) bool {
const firstAPIVersionWithJSONErrors = "1.23"
return version == "" || versions.GreaterThan(version, firstAPIVersionWithJSONErrors)
}

View file

@ -0,0 +1,150 @@
package httpstatus // import "github.com/docker/docker/api/server/httpstatus"
import (
"fmt"
"net/http"
containerderrors "github.com/containerd/containerd/errdefs"
"github.com/docker/distribution/registry/api/errcode"
"github.com/docker/docker/errdefs"
"github.com/sirupsen/logrus"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
type causer interface {
Cause() error
}
// FromError retrieves status code from error message.
func FromError(err error) int {
if err == nil {
logrus.WithFields(logrus.Fields{"error": err}).Error("unexpected HTTP error handling")
return http.StatusInternalServerError
}
var statusCode int
// Stop right there
// Are you sure you should be adding a new error class here? Do one of the existing ones work?
// Note that the below functions are already checking the error causal chain for matches.
switch {
case errdefs.IsNotFound(err):
statusCode = http.StatusNotFound
case errdefs.IsInvalidParameter(err):
statusCode = http.StatusBadRequest
case errdefs.IsConflict(err):
statusCode = http.StatusConflict
case errdefs.IsUnauthorized(err):
statusCode = http.StatusUnauthorized
case errdefs.IsUnavailable(err):
statusCode = http.StatusServiceUnavailable
case errdefs.IsForbidden(err):
statusCode = http.StatusForbidden
case errdefs.IsNotModified(err):
statusCode = http.StatusNotModified
case errdefs.IsNotImplemented(err):
statusCode = http.StatusNotImplemented
case errdefs.IsSystem(err) || errdefs.IsUnknown(err) || errdefs.IsDataLoss(err) || errdefs.IsDeadline(err) || errdefs.IsCancelled(err):
statusCode = http.StatusInternalServerError
default:
statusCode = statusCodeFromGRPCError(err)
if statusCode != http.StatusInternalServerError {
return statusCode
}
statusCode = statusCodeFromContainerdError(err)
if statusCode != http.StatusInternalServerError {
return statusCode
}
statusCode = statusCodeFromDistributionError(err)
if statusCode != http.StatusInternalServerError {
return statusCode
}
if e, ok := err.(causer); ok {
return FromError(e.Cause())
}
logrus.WithFields(logrus.Fields{
"module": "api",
"error_type": fmt.Sprintf("%T", err),
}).Debugf("FIXME: Got an API for which error does not match any expected type!!!: %+v", err)
}
if statusCode == 0 {
statusCode = http.StatusInternalServerError
}
return statusCode
}
// statusCodeFromGRPCError returns status code according to gRPC error
func statusCodeFromGRPCError(err error) int {
switch status.Code(err) {
case codes.InvalidArgument: // code 3
return http.StatusBadRequest
case codes.NotFound: // code 5
return http.StatusNotFound
case codes.AlreadyExists: // code 6
return http.StatusConflict
case codes.PermissionDenied: // code 7
return http.StatusForbidden
case codes.FailedPrecondition: // code 9
return http.StatusBadRequest
case codes.Unauthenticated: // code 16
return http.StatusUnauthorized
case codes.OutOfRange: // code 11
return http.StatusBadRequest
case codes.Unimplemented: // code 12
return http.StatusNotImplemented
case codes.Unavailable: // code 14
return http.StatusServiceUnavailable
default:
// codes.Canceled(1)
// codes.Unknown(2)
// codes.DeadlineExceeded(4)
// codes.ResourceExhausted(8)
// codes.Aborted(10)
// codes.Internal(13)
// codes.DataLoss(15)
return http.StatusInternalServerError
}
}
// statusCodeFromDistributionError returns status code according to registry errcode
// code is loosely based on errcode.ServeJSON() in docker/distribution
func statusCodeFromDistributionError(err error) int {
switch errs := err.(type) {
case errcode.Errors:
if len(errs) < 1 {
return http.StatusInternalServerError
}
if _, ok := errs[0].(errcode.ErrorCoder); ok {
return statusCodeFromDistributionError(errs[0])
}
case errcode.ErrorCoder:
return errs.ErrorCode().Descriptor().HTTPStatusCode
}
return http.StatusInternalServerError
}
// statusCodeFromContainerdError returns status code for containerd errors when
// consumed directly (not through gRPC)
func statusCodeFromContainerdError(err error) int {
switch {
case containerderrors.IsInvalidArgument(err):
return http.StatusBadRequest
case containerderrors.IsNotFound(err):
return http.StatusNotFound
case containerderrors.IsAlreadyExists(err):
return http.StatusConflict
case containerderrors.IsFailedPrecondition(err):
return http.StatusPreconditionFailed
case containerderrors.IsUnavailable(err):
return http.StatusServiceUnavailable
case containerderrors.IsNotImplemented(err):
return http.StatusNotImplemented
default:
return http.StatusInternalServerError
}
}

View file

@ -1,9 +0,0 @@
package httputils // import "github.com/docker/docker/api/server/httputils"
import "github.com/docker/docker/errdefs"
// GetHTTPErrorStatusCode retrieves status code from error message.
//
// Deprecated: use errdefs.GetHTTPErrorStatusCode
func GetHTTPErrorStatusCode(err error) int {
return errdefs.GetHTTPErrorStatusCode(err)
}

View file

@ -7,13 +7,9 @@ import (
"net/http" "net/http"
"strings" "strings"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/versions"
"github.com/docker/docker/errdefs" "github.com/docker/docker/errdefs"
"github.com/gorilla/mux"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
"google.golang.org/grpc/status"
) )
// APIVersionKey is the client's requested API version. // APIVersionKey is the client's requested API version.
@ -92,28 +88,6 @@ func VersionFromContext(ctx context.Context) string {
return "" return ""
} }
// MakeErrorHandler makes an HTTP handler that decodes a Docker error and
// returns it in the response.
func MakeErrorHandler(err error) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
statusCode := errdefs.GetHTTPErrorStatusCode(err)
vars := mux.Vars(r)
if apiVersionSupportsJSONErrors(vars["version"]) {
response := &types.ErrorResponse{
Message: err.Error(),
}
_ = WriteJSON(w, statusCode, response)
} else {
http.Error(w, status.Convert(err).Message(), statusCode)
}
}
}
func apiVersionSupportsJSONErrors(version string) bool {
const firstAPIVersionWithJSONErrors = "1.23"
return version == "" || versions.GreaterThan(version, firstAPIVersionWithJSONErrors)
}
// matchesContentType validates the content type against the expected one // matchesContentType validates the content type against the expected one
func matchesContentType(contentType, expectedType string) bool { func matchesContentType(contentType, expectedType string) bool {
mimetype, _, err := mime.ParseMediaType(contentType) mimetype, _, err := mime.ParseMediaType(contentType)

View file

@ -10,6 +10,7 @@ import (
"syscall" "syscall"
"github.com/containerd/containerd/platforms" "github.com/containerd/containerd/platforms"
"github.com/docker/docker/api/server/httpstatus"
"github.com/docker/docker/api/server/httputils" "github.com/docker/docker/api/server/httputils"
"github.com/docker/docker/api/types" "github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/backend" "github.com/docker/docker/api/types/backend"
@ -626,7 +627,7 @@ func (s *containerRouter) postContainersAttach(ctx context.Context, w http.Respo
// Remember to close stream if error happens // Remember to close stream if error happens
conn, _, errHijack := hijacker.Hijack() conn, _, errHijack := hijacker.Hijack()
if errHijack == nil { if errHijack == nil {
statusCode := errdefs.GetHTTPErrorStatusCode(err) statusCode := httpstatus.FromError(err)
statusText := http.StatusText(statusCode) statusText := http.StatusText(statusCode)
fmt.Fprintf(conn, "HTTP/1.1 %d %s\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n%s\r\n", statusCode, statusText, err.Error()) fmt.Fprintf(conn, "HTTP/1.1 %d %s\r\nContent-Type: application/vnd.docker.raw-stream\r\n\r\n%s\r\n", statusCode, statusText, err.Error())
httputils.CloseStreams(conn) httputils.CloseStreams(conn)

View file

@ -2,6 +2,7 @@ package grpc // import "github.com/docker/docker/api/server/router/grpc"
import ( import (
"github.com/docker/docker/api/server/router" "github.com/docker/docker/api/server/router"
"github.com/moby/buildkit/util/grpcerrors"
"golang.org/x/net/http2" "golang.org/x/net/http2"
"google.golang.org/grpc" "google.golang.org/grpc"
) )
@ -15,8 +16,11 @@ type grpcRouter struct {
// NewRouter initializes a new grpc http router // NewRouter initializes a new grpc http router
func NewRouter(backends ...Backend) router.Router { func NewRouter(backends ...Backend) router.Router {
r := &grpcRouter{ r := &grpcRouter{
h2Server: &http2.Server{}, h2Server: &http2.Server{},
grpcServer: grpc.NewServer(), grpcServer: grpc.NewServer(
grpc.UnaryInterceptor(grpcerrors.UnaryServerInterceptor),
grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor),
),
} }
for _, b := range backends { for _, b := range backends {
b.RegisterGRPC(r.grpcServer) b.RegisterGRPC(r.grpcServer)
@ -26,12 +30,12 @@ func NewRouter(backends ...Backend) router.Router {
} }
// Routes returns the available routers to the session controller // Routes returns the available routers to the session controller
func (r *grpcRouter) Routes() []router.Route { func (gr *grpcRouter) Routes() []router.Route {
return r.routes return gr.routes
} }
func (r *grpcRouter) initRoutes() { func (gr *grpcRouter) initRoutes() {
r.routes = []router.Route{ gr.routes = []router.Route{
router.NewPostRoute("/grpc", r.serveGRPC), router.NewPostRoute("/grpc", gr.serveGRPC),
} }
} }

View file

@ -6,13 +6,14 @@ import (
"net" "net"
"net/http" "net/http"
"strings" "strings"
"time"
"github.com/docker/docker/api/server/httpstatus"
"github.com/docker/docker/api/server/httputils" "github.com/docker/docker/api/server/httputils"
"github.com/docker/docker/api/server/middleware" "github.com/docker/docker/api/server/middleware"
"github.com/docker/docker/api/server/router" "github.com/docker/docker/api/server/router"
"github.com/docker/docker/api/server/router/debug" "github.com/docker/docker/api/server/router/debug"
"github.com/docker/docker/dockerversion" "github.com/docker/docker/dockerversion"
"github.com/docker/docker/errdefs"
"github.com/gorilla/mux" "github.com/gorilla/mux"
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
@ -57,7 +58,8 @@ func (s *Server) Accept(addr string, listeners ...net.Listener) {
for _, listener := range listeners { for _, listener := range listeners {
httpServer := &HTTPServer{ httpServer := &HTTPServer{
srv: &http.Server{ srv: &http.Server{
Addr: addr, Addr: addr,
ReadHeaderTimeout: 5 * time.Minute, // "G112: Potential Slowloris Attack (gosec)"; not a real concern for our use, so setting a long timeout.
}, },
l: listener, l: listener,
} }
@ -139,11 +141,11 @@ func (s *Server) makeHTTPHandler(handler httputils.APIFunc) http.HandlerFunc {
} }
if err := handlerFunc(ctx, w, r, vars); err != nil { if err := handlerFunc(ctx, w, r, vars); err != nil {
statusCode := errdefs.GetHTTPErrorStatusCode(err) statusCode := httpstatus.FromError(err)
if statusCode >= 500 { if statusCode >= 500 {
logrus.Errorf("Handler for %s %s returned error: %v", r.Method, r.URL.Path, err) logrus.Errorf("Handler for %s %s returned error: %v", r.Method, r.URL.Path, err)
} }
httputils.MakeErrorHandler(err)(w, r) makeErrorHandler(err)(w, r)
} }
} }
} }
@ -184,7 +186,7 @@ func (s *Server) createMux() *mux.Router {
m.Path("/debug" + r.Path()).Handler(f) m.Path("/debug" + r.Path()).Handler(f)
} }
notFoundHandler := httputils.MakeErrorHandler(pageNotFoundError{}) notFoundHandler := makeErrorHandler(pageNotFoundError{})
m.HandleFunc(versionMatcher+"/{path:.*}", notFoundHandler) m.HandleFunc(versionMatcher+"/{path:.*}", notFoundHandler)
m.NotFoundHandler = notFoundHandler m.NotFoundHandler = notFoundHandler
m.MethodNotAllowedHandler = notFoundHandler m.MethodNotAllowedHandler = notFoundHandler

View file

@ -24,7 +24,7 @@ info:
title: "Docker Engine API" title: "Docker Engine API"
version: "1.41" version: "1.41"
x-logo: x-logo:
url: "https://docs.docker.com/images/logo-docker-main.png" url: "https://docs.docker.com/assets/images/logo-docker-main.png"
description: | description: |
The Engine API is an HTTP API served by Docker Engine. It is the API the The Engine API is an HTTP API served by Docker Engine. It is the API the
Docker client uses to communicate with the Engine, so everything the Docker Docker client uses to communicate with the Engine, so everything the Docker
@ -560,7 +560,7 @@ definitions:
format: "int64" format: "int64"
minimum: 0 minimum: 0
maximum: 100 maximum: 100
NanoCPUs: NanoCpus:
description: "CPU quota in units of 10<sup>-9</sup> CPUs." description: "CPU quota in units of 10<sup>-9</sup> CPUs."
type: "integer" type: "integer"
format: "int64" format: "int64"
@ -1891,23 +1891,52 @@ definitions:
BuildCache: BuildCache:
type: "object" type: "object"
description: |
BuildCache contains information about a build cache record.
properties: properties:
ID: ID:
type: "string" type: "string"
description: |
Unique ID of the build cache record.
example: "ndlpt0hhvkqcdfkputsk4cq9c"
Parent: Parent:
description: |
ID of the parent build cache record.
type: "string" type: "string"
example: "hw53o5aio51xtltp5xjp8v7fx"
Type: Type:
type: "string" type: "string"
description: |
Cache record type.
example: "regular"
# see https://github.com/moby/buildkit/blob/fce4a32258dc9d9664f71a4831d5de10f0670677/client/diskusage.go#L75-L84
enum:
- "internal"
- "frontend"
- "source.local"
- "source.git.checkout"
- "exec.cachemount"
- "regular"
Description: Description:
type: "string" type: "string"
description: |
Description of the build-step that produced the build cache.
example: "mount / from exec /bin/sh -c echo 'Binary::apt::APT::Keep-Downloaded-Packages \"true\";' > /etc/apt/apt.conf.d/keep-cache"
InUse: InUse:
type: "boolean" type: "boolean"
description: |
Indicates if the build cache is in use.
example: false
Shared: Shared:
type: "boolean" type: "boolean"
description: |
Indicates if the build cache is shared.
example: true
Size: Size:
description: | description: |
Amount of disk space used by the build cache (in bytes). Amount of disk space used by the build cache (in bytes).
type: "integer" type: "integer"
example: 51
CreatedAt: CreatedAt:
description: | description: |
Date and time at which the build cache was created in Date and time at which the build cache was created in
@ -1925,6 +1954,7 @@ definitions:
example: "2017-08-09T07:09:37.632105588Z" example: "2017-08-09T07:09:37.632105588Z"
UsageCount: UsageCount:
type: "integer" type: "integer"
example: 26
ImageID: ImageID:
type: "object" type: "object"
@ -3347,7 +3377,7 @@ definitions:
Limits: Limits:
description: "Define resources limits." description: "Define resources limits."
$ref: "#/definitions/Limit" $ref: "#/definitions/Limit"
Reservation: Reservations:
description: "Define resources reservation." description: "Define resources reservation."
$ref: "#/definitions/ResourceObject" $ref: "#/definitions/ResourceObject"
RestartPolicy: RestartPolicy:
@ -5415,6 +5445,28 @@ paths:
`/?[a-zA-Z0-9][a-zA-Z0-9_.-]+`. `/?[a-zA-Z0-9][a-zA-Z0-9_.-]+`.
type: "string" type: "string"
pattern: "^/?[a-zA-Z0-9][a-zA-Z0-9_.-]+$" pattern: "^/?[a-zA-Z0-9][a-zA-Z0-9_.-]+$"
- name: "platform"
in: "query"
description: |
Platform in the format `os[/arch[/variant]]` used for image lookup.
When specified, the daemon checks if the requested image is present
in the local image cache with the given OS and Architecture, and
otherwise returns a `404` status.
If the option is not set, the host's native OS and Architecture are
used to look up the image in the image cache. However, if no platform
is passed and the given image does exist in the local image cache,
but its OS or architecture does not match, the container is created
with the available image, and a warning is added to the `Warnings`
field in the response, for example;
WARNING: The requested image's platform (linux/arm64/v8) does not
match the detected host platform (linux/amd64) and no
specific platform was requested
type: "string"
default: ""
- name: "body" - name: "body"
in: "body" in: "body"
description: "Container to create" description: "Container to create"
@ -5466,7 +5518,7 @@ paths:
MemorySwap: 0 MemorySwap: 0
MemoryReservation: 0 MemoryReservation: 0
KernelMemory: 0 KernelMemory: 0
NanoCPUs: 500000 NanoCpus: 500000
CpuPercent: 80 CpuPercent: 80
CpuShares: 512 CpuShares: 512
CpuPeriod: 100000 CpuPeriod: 100000
@ -5583,12 +5635,12 @@ paths:
schema: schema:
$ref: "#/definitions/ErrorResponse" $ref: "#/definitions/ErrorResponse"
404: 404:
description: "no such container" description: "no such image"
schema: schema:
$ref: "#/definitions/ErrorResponse" $ref: "#/definitions/ErrorResponse"
examples: examples:
application/json: application/json:
message: "No such container: c2ada9df5af8" message: "No such image: c2ada9df5af8"
409: 409:
description: "conflict" description: "conflict"
schema: schema:
@ -5755,7 +5807,6 @@ paths:
property1: "string" property1: "string"
property2: "string" property2: "string"
IpcMode: "" IpcMode: ""
LxcConf: []
Memory: 0 Memory: 0
MemorySwap: 0 MemorySwap: 0
MemoryReservation: 0 MemoryReservation: 0
@ -7310,7 +7361,7 @@ paths:
For example, the build arg `FOO=bar` would become `{"FOO":"bar"}` in JSON. This would result in the For example, the build arg `FOO=bar` would become `{"FOO":"bar"}` in JSON. This would result in the
the query parameter `buildargs={"FOO":"bar"}`. Note that `{"FOO":"bar"}` should be URI component encoded. query parameter `buildargs={"FOO":"bar"}`. Note that `{"FOO":"bar"}` should be URI component encoded.
[Read more about the buildargs instruction.](https://docs.docker.com/engine/reference/builder/#arg) [Read more about the buildargs instruction.](https://docs.docker.com/engine/reference/builder/#arg)
@ -8607,12 +8658,20 @@ paths:
if `tty` was specified as part of creating and starting the exec instance. if `tty` was specified as part of creating and starting the exec instance.
operationId: "ExecResize" operationId: "ExecResize"
responses: responses:
201: 200:
description: "No error" description: "No error"
400:
description: "bad parameter"
schema:
$ref: "#/definitions/ErrorResponse"
404: 404:
description: "No such exec instance" description: "No such exec instance"
schema: schema:
$ref: "#/definitions/ErrorResponse" $ref: "#/definitions/ErrorResponse"
500:
description: "Server error"
schema:
$ref: "#/definitions/ErrorResponse"
parameters: parameters:
- name: "id" - name: "id"
in: "path" in: "path"

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package container // import "github.com/docker/docker/api/types/container" package container // import "github.com/docker/docker/api/types/container"

View file

@ -1,4 +1,5 @@
/*Package filters provides tools for encoding a mapping of keys to a set of /*
Package filters provides tools for encoding a mapping of keys to a set of
multiple values. multiple values.
*/ */
package filters // import "github.com/docker/docker/api/types/filters" package filters // import "github.com/docker/docker/api/types/filters"
@ -48,7 +49,7 @@ func (args Args) Keys() []string {
// MarshalJSON returns a JSON byte representation of the Args // MarshalJSON returns a JSON byte representation of the Args
func (args Args) MarshalJSON() ([]byte, error) { func (args Args) MarshalJSON() ([]byte, error) {
if len(args.fields) == 0 { if len(args.fields) == 0 {
return []byte{}, nil return []byte("{}"), nil
} }
return json.Marshal(args.fields) return json.Marshal(args.fields)
} }
@ -106,9 +107,6 @@ func FromJSON(p string) (Args, error) {
// UnmarshalJSON populates the Args from JSON encode bytes // UnmarshalJSON populates the Args from JSON encode bytes
func (args Args) UnmarshalJSON(raw []byte) error { func (args Args) UnmarshalJSON(raw []byte) error {
if len(raw) == 0 {
return nil
}
return json.Unmarshal(raw, &args.fields) return json.Unmarshal(raw, &args.fields)
} }

View file

@ -1,6 +1,7 @@
package filters // import "github.com/docker/docker/api/types/filters" package filters // import "github.com/docker/docker/api/types/filters"
import ( import (
"encoding/json"
"errors" "errors"
"testing" "testing"
@ -8,6 +9,26 @@ import (
is "gotest.tools/v3/assert/cmp" is "gotest.tools/v3/assert/cmp"
) )
func TestMarshalJSON(t *testing.T) {
fields := map[string]map[string]bool{
"created": {"today": true},
"image.name": {"ubuntu*": true, "*untu": true},
}
a := Args{fields: fields}
_, err := a.MarshalJSON()
if err != nil {
t.Errorf("failed to marshal the filters: %s", err)
}
}
func TestMarshalJSONWithEmpty(t *testing.T) {
_, err := json.Marshal(NewArgs())
if err != nil {
t.Errorf("failed to marshal the filters: %s", err)
}
}
func TestToJSON(t *testing.T) { func TestToJSON(t *testing.T) {
fields := map[string]map[string]bool{ fields := map[string]map[string]bool{
"created": {"today": true}, "created": {"today": true},

View file

@ -45,31 +45,32 @@ func (ipnet *NetIPNet) UnmarshalJSON(b []byte) (err error) {
// IndexInfo contains information about a registry // IndexInfo contains information about a registry
// //
// RepositoryInfo Examples: // RepositoryInfo Examples:
// {
// "Index" : {
// "Name" : "docker.io",
// "Mirrors" : ["https://registry-2.docker.io/v1/", "https://registry-3.docker.io/v1/"],
// "Secure" : true,
// "Official" : true,
// },
// "RemoteName" : "library/debian",
// "LocalName" : "debian",
// "CanonicalName" : "docker.io/debian"
// "Official" : true,
// }
// //
// { // {
// "Index" : { // "Index" : {
// "Name" : "127.0.0.1:5000", // "Name" : "docker.io",
// "Mirrors" : [], // "Mirrors" : ["https://registry-2.docker.io/v1/", "https://registry-3.docker.io/v1/"],
// "Secure" : false, // "Secure" : true,
// "Official" : false, // "Official" : true,
// }, // },
// "RemoteName" : "user/repo", // "RemoteName" : "library/debian",
// "LocalName" : "127.0.0.1:5000/user/repo", // "LocalName" : "debian",
// "CanonicalName" : "127.0.0.1:5000/user/repo", // "CanonicalName" : "docker.io/debian"
// "Official" : false, // "Official" : true,
// } // }
//
// {
// "Index" : {
// "Name" : "127.0.0.1:5000",
// "Mirrors" : [],
// "Secure" : false,
// "Official" : false,
// },
// "RemoteName" : "user/repo",
// "LocalName" : "127.0.0.1:5000/user/repo",
// "CanonicalName" : "127.0.0.1:5000/user/repo",
// "Official" : false,
// }
type IndexInfo struct { type IndexInfo struct {
// Name is the name of the registry, such as "docker.io" // Name is the name of the registry, such as "docker.io"
Name string Name string

View file

@ -100,8 +100,10 @@ func GetTimestamp(value string, reference time.Time) (string, error) {
// if the incoming nanosecond portion is longer or shorter than 9 digits it is // if the incoming nanosecond portion is longer or shorter than 9 digits it is
// converted to nanoseconds. The expectation is that the seconds and // converted to nanoseconds. The expectation is that the seconds and
// seconds will be used to create a time variable. For example: // seconds will be used to create a time variable. For example:
// seconds, nanoseconds, err := ParseTimestamp("1136073600.000000001",0) //
// if err == nil since := time.Unix(seconds, nanoseconds) // seconds, nanoseconds, err := ParseTimestamp("1136073600.000000001",0)
// if err == nil since := time.Unix(seconds, nanoseconds)
//
// returns seconds as def(aultSeconds) if value == "" // returns seconds as def(aultSeconds) if value == ""
func ParseTimestamps(value string, def int64) (int64, int64, error) { func ParseTimestamps(value string, def int64) (int64, int64, error) {
if value == "" { if value == "" {

View file

@ -5,7 +5,6 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"path" "path"
"runtime" "runtime"
"sync" "sync"
@ -13,13 +12,16 @@ import (
"github.com/containerd/containerd/content" "github.com/containerd/containerd/content"
containerderrors "github.com/containerd/containerd/errdefs" containerderrors "github.com/containerd/containerd/errdefs"
"github.com/containerd/containerd/gc"
"github.com/containerd/containerd/images" "github.com/containerd/containerd/images"
"github.com/containerd/containerd/leases"
"github.com/containerd/containerd/platforms" "github.com/containerd/containerd/platforms"
ctdreference "github.com/containerd/containerd/reference" ctdreference "github.com/containerd/containerd/reference"
"github.com/containerd/containerd/remotes" "github.com/containerd/containerd/remotes"
"github.com/containerd/containerd/remotes/docker" "github.com/containerd/containerd/remotes/docker"
"github.com/containerd/containerd/remotes/docker/schema1" "github.com/containerd/containerd/remotes/docker/schema1"
distreference "github.com/docker/distribution/reference" distreference "github.com/docker/distribution/reference"
dimages "github.com/docker/docker/daemon/images"
"github.com/docker/docker/distribution" "github.com/docker/docker/distribution"
"github.com/docker/docker/distribution/metadata" "github.com/docker/docker/distribution/metadata"
"github.com/docker/docker/distribution/xfer" "github.com/docker/docker/distribution/xfer"
@ -34,6 +36,7 @@ import (
"github.com/moby/buildkit/source" "github.com/moby/buildkit/source"
"github.com/moby/buildkit/util/flightcontrol" "github.com/moby/buildkit/util/flightcontrol"
"github.com/moby/buildkit/util/imageutil" "github.com/moby/buildkit/util/imageutil"
"github.com/moby/buildkit/util/leaseutil"
"github.com/moby/buildkit/util/progress" "github.com/moby/buildkit/util/progress"
"github.com/moby/buildkit/util/resolver" "github.com/moby/buildkit/util/resolver"
digest "github.com/opencontainers/go-digest" digest "github.com/opencontainers/go-digest"
@ -54,6 +57,8 @@ type SourceOpt struct {
ImageStore image.Store ImageStore image.Store
RegistryHosts docker.RegistryHosts RegistryHosts docker.RegistryHosts
LayerStore layer.Store LayerStore layer.Store
LeaseManager leases.Manager
GarbageCollect func(ctx context.Context) (gc.Stats, error)
} }
// Source is the source implementation for accessing container images // Source is the source implementation for accessing container images
@ -101,7 +106,7 @@ func (is *Source) resolveRemote(ctx context.Context, ref string, platform *ocisp
key := "getconfig::" + ref + "::" + platforms.Format(p) key := "getconfig::" + ref + "::" + platforms.Format(p)
res, err := is.g.Do(ctx, key, func(ctx context.Context) (interface{}, error) { res, err := is.g.Do(ctx, key, func(ctx context.Context) (interface{}, error) {
res := resolver.DefaultPool.GetResolver(is.RegistryHosts, ref, "pull", sm, g) res := resolver.DefaultPool.GetResolver(is.RegistryHosts, ref, "pull", sm, g)
dgst, dt, err := imageutil.Config(ctx, ref, res, is.ContentStore, nil, platform) dgst, dt, err := imageutil.Config(ctx, ref, res, is.ContentStore, is.LeaseManager, platform)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -183,6 +188,7 @@ func (is *Source) Resolve(ctx context.Context, id source.Identifier, sm *session
type puller struct { type puller struct {
is *Source is *Source
resolveLocalOnce sync.Once resolveLocalOnce sync.Once
g flightcontrol.Group
src *source.ImageIdentifier src *source.ImageIdentifier
desc ocispec.Descriptor desc ocispec.Descriptor
ref string ref string
@ -253,9 +259,7 @@ func (p *puller) resolveLocal() {
} }
func (p *puller) resolve(ctx context.Context, g session.Group) error { func (p *puller) resolve(ctx context.Context, g session.Group) error {
// key is used to synchronize resolutions that can happen in parallel when doing multi-stage. _, err := p.g.Do(ctx, "", func(ctx context.Context) (_ interface{}, err error) {
key := "resolve::" + p.ref + "::" + platforms.Format(p.platform)
_, err := p.is.g.Do(ctx, key, func(ctx context.Context) (_ interface{}, err error) {
resolveProgressDone := oneOffProgress(ctx, "resolve "+p.src.Reference.String()) resolveProgressDone := oneOffProgress(ctx, "resolve "+p.src.Reference.String())
defer func() { defer func() {
resolveProgressDone(err) resolveProgressDone(err)
@ -329,8 +333,12 @@ func (p *puller) CacheKey(ctx context.Context, g session.Group, index int) (stri
return dgst.String(), nil, false, nil return dgst.String(), nil, false, nil
} }
if len(p.config) == 0 && p.desc.MediaType != images.MediaTypeDockerSchema1Manifest {
return "", nil, false, errors.Errorf("invalid empty config file resolved for %s", p.src.Reference.String())
}
k := cacheKeyFromConfig(p.config).String() k := cacheKeyFromConfig(p.config).String()
if k == "" { if k == "" || p.desc.MediaType == images.MediaTypeDockerSchema1Manifest {
dgst, err := p.mainManifestKey(p.platform) dgst, err := p.mainManifestKey(p.platform)
if err != nil { if err != nil {
return "", nil, false, err return "", nil, false, err
@ -360,8 +368,10 @@ func (p *puller) getRef(ctx context.Context, diffIDs []layer.DiffID, opts ...cac
func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.ImmutableRef, error) { func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.ImmutableRef, error) {
p.resolveLocal() p.resolveLocal()
if err := p.resolve(ctx, g); err != nil { if len(p.config) == 0 {
return nil, err if err := p.resolve(ctx, g); err != nil {
return nil, err
}
} }
if p.config != nil { if p.config != nil {
@ -384,6 +394,17 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
ongoing := newJobs(p.ref) ongoing := newJobs(p.ref)
ctx, done, err := leaseutil.WithLease(ctx, p.is.LeaseManager, leases.WithExpiration(5*time.Minute), leaseutil.MakeTemporary)
if err != nil {
return nil, err
}
defer func() {
done(context.TODO())
if p.is.GarbageCollect != nil {
go p.is.GarbageCollect(context.TODO())
}
}()
pctx, stopProgress := context.WithCancel(ctx) pctx, stopProgress := context.WithCancel(ctx)
pw, _, ctx := progress.FromContext(ctx) pw, _, ctx := progress.FromContext(ctx)
@ -406,6 +427,8 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
platform := platforms.Only(p.platform) platform := platforms.Only(p.platform)
var nonLayers []digest.Digest
var ( var (
schema1Converter *schema1.Converter schema1Converter *schema1.Converter
handlers []images.Handler handlers []images.Handler
@ -426,6 +449,7 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest, case images.MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest,
images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex, images.MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex,
images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig: images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
nonLayers = append(nonLayers, desc.Digest)
default: default:
return nil, images.ErrSkipDesc return nil, images.ErrSkipDesc
} }
@ -435,8 +459,6 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
// Get all the children for a descriptor // Get all the children for a descriptor
childrenHandler := images.ChildrenHandler(p.is.ContentStore) childrenHandler := images.ChildrenHandler(p.is.ContentStore)
// Set any children labels for that content
childrenHandler = images.SetChildrenLabels(p.is.ContentStore, childrenHandler)
// Filter the children by the platform // Filter the children by the platform
childrenHandler = images.FilterPlatforms(childrenHandler, platform) childrenHandler = images.FilterPlatforms(childrenHandler, platform)
// Limit manifests pulled to the best match in an index // Limit manifests pulled to the best match in an index
@ -524,6 +546,9 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers)) layers := make([]xfer.DownloadDescriptor, 0, len(mfst.Layers))
for i, desc := range mfst.Layers { for i, desc := range mfst.Layers {
if err := desc.Digest.Validate(); err != nil {
return nil, errors.Wrap(err, "layer digest could not be validated")
}
ongoing.add(desc) ongoing.add(desc)
layers = append(layers, &layerDescriptor{ layers = append(layers, &layerDescriptor{
desc: desc, desc: desc,
@ -536,9 +561,6 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
defer func() { defer func() {
<-progressDone <-progressDone
for _, desc := range mfst.Layers {
p.is.ContentStore.Delete(context.TODO(), desc.Digest)
}
}() }()
r := image.NewRootFS() r := image.NewRootFS()
@ -554,6 +576,16 @@ func (p *puller) Snapshot(ctx context.Context, g session.Group) (cache.Immutable
return nil, err return nil, err
} }
// keep manifest blobs until ref is alive for cache
for _, nl := range nonLayers {
if err := p.is.LeaseManager.AddResource(ctx, leases.Lease{ID: ref.ID()}, leases.Resource{
ID: nl.String(),
Type: "content",
}); err != nil {
return nil, err
}
}
// TODO: handle windows layers for cross platform builds // TODO: handle windows layers for cross platform builds
if p.src.RecordType != "" && cache.GetRecordType(ref) == "" { if p.src.RecordType != "" && cache.GetRecordType(ref) == "" {
@ -608,7 +640,7 @@ func (ld *layerDescriptor) Download(ctx context.Context, progressOutput pkgprogr
return nil, 0, err return nil, 0, err
} }
return ioutil.NopCloser(content.NewReader(ra)), ld.desc.Size, nil return io.NopCloser(content.NewReader(ra)), ld.desc.Size, nil
} }
func (ld *layerDescriptor) Close() { func (ld *layerDescriptor) Close() {
@ -798,6 +830,7 @@ func cacheKeyFromConfig(dt []byte) digest.Digest {
var img ocispec.Image var img ocispec.Image
err := json.Unmarshal(dt, &img) err := json.Unmarshal(dt, &img)
if err != nil { if err != nil {
logrus.WithError(err).Errorf("failed to unmarshal image config for cache key %v", err)
return digest.FromBytes(dt) return digest.FromBytes(dt)
} }
if img.RootFS.Type != "layers" || len(img.RootFS.DiffIDs) == 0 { if img.RootFS.Type != "layers" || len(img.RootFS.DiffIDs) == 0 {
@ -821,11 +854,11 @@ func resolveModeToString(rm source.ResolveMode) string {
} }
func platformMatches(img *image.Image, p *ocispec.Platform) bool { func platformMatches(img *image.Image, p *ocispec.Platform) bool {
if img.Architecture != p.Architecture { return dimages.OnlyPlatformWithFallback(*p).Match(ocispec.Platform{
return false Architecture: img.Architecture,
} OS: img.OS,
if img.Variant != "" && img.Variant != p.Variant { OSVersion: img.OSVersion,
return false OSFeatures: img.OSFeatures,
} Variant: img.Variant,
return img.OS == p.OS })
} }

View file

@ -22,6 +22,11 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
) )
func init() {
// See https://github.com/moby/buildkit/pull/1993.
v1.EmptyLayerRemovalSupported = false
}
// ResolveCacheImporterFunc returns a resolver function for local inline cache // ResolveCacheImporterFunc returns a resolver function for local inline cache
func ResolveCacheImporterFunc(sm *session.Manager, resolverFunc docker.RegistryHosts, cs content.Store, rs reference.Store, is imagestore.Store) remotecache.ResolveCacheImporterFunc { func ResolveCacheImporterFunc(sm *session.Manager, resolverFunc docker.RegistryHosts, cs content.Store, rs reference.Store, is imagestore.Store) remotecache.ResolveCacheImporterFunc {

View file

@ -383,10 +383,7 @@ func (s *snapshotter) Commit(ctx context.Context, name, key string, opts ...snap
if err != nil { if err != nil {
return err return err
} }
if err := b.Put(keyIsCommitted, []byte{}); err != nil { return b.Put(keyIsCommitted, []byte{})
return err
}
return nil
}) })
} }

View file

@ -17,6 +17,7 @@ import (
"github.com/docker/docker/builder" "github.com/docker/docker/builder"
"github.com/docker/docker/daemon/config" "github.com/docker/docker/daemon/config"
"github.com/docker/docker/daemon/images" "github.com/docker/docker/daemon/images"
"github.com/docker/docker/opts"
"github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/streamformatter" "github.com/docker/docker/pkg/streamformatter"
"github.com/docker/docker/pkg/system" "github.com/docker/docker/pkg/system"
@ -75,11 +76,13 @@ type Opt struct {
Rootless bool Rootless bool
IdentityMapping *idtools.IdentityMapping IdentityMapping *idtools.IdentityMapping
DNSConfig config.DNSConfig DNSConfig config.DNSConfig
ApparmorProfile string
} }
// Builder can build using BuildKit backend // Builder can build using BuildKit backend
type Builder struct { type Builder struct {
controller *control.Controller controller *control.Controller
dnsconfig config.DNSConfig
reqBodyHandler *reqBodyHandler reqBodyHandler *reqBodyHandler
mu sync.Mutex mu sync.Mutex
@ -100,6 +103,7 @@ func New(opt Opt) (*Builder, error) {
} }
b := &Builder{ b := &Builder{
controller: c, controller: c,
dnsconfig: opt.DNSConfig,
reqBodyHandler: reqHandler, reqBodyHandler: reqHandler,
jobs: map[string]*buildJob{}, jobs: map[string]*buildJob{},
} }
@ -316,7 +320,7 @@ func (b *Builder) Build(ctx context.Context, opt backend.BuildConfig) (*builder.
return nil, errors.Errorf("network mode %q not supported by buildkit", opt.Options.NetworkMode) return nil, errors.Errorf("network mode %q not supported by buildkit", opt.Options.NetworkMode)
} }
extraHosts, err := toBuildkitExtraHosts(opt.Options.ExtraHosts) extraHosts, err := toBuildkitExtraHosts(opt.Options.ExtraHosts, b.dnsconfig.HostGatewayIP)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -545,18 +549,28 @@ func (j *buildJob) SetUpload(ctx context.Context, rc io.ReadCloser) error {
} }
// toBuildkitExtraHosts converts hosts from docker key:value format to buildkit's csv format // toBuildkitExtraHosts converts hosts from docker key:value format to buildkit's csv format
func toBuildkitExtraHosts(inp []string) (string, error) { func toBuildkitExtraHosts(inp []string, hostGatewayIP net.IP) (string, error) {
if len(inp) == 0 { if len(inp) == 0 {
return "", nil return "", nil
} }
hosts := make([]string, 0, len(inp)) hosts := make([]string, 0, len(inp))
for _, h := range inp { for _, h := range inp {
parts := strings.Split(h, ":") host, ip, ok := strings.Cut(h, ":")
if !ok || host == "" || ip == "" {
if len(parts) != 2 || parts[0] == "" || net.ParseIP(parts[1]) == nil {
return "", errors.Errorf("invalid host %s", h) return "", errors.Errorf("invalid host %s", h)
} }
hosts = append(hosts, parts[0]+"="+parts[1]) // If the IP Address is a "host-gateway", replace this value with the
// IP address stored in the daemon level HostGatewayIP config variable.
if ip == opts.HostGatewayName {
gateway := hostGatewayIP.String()
if gateway == "" {
return "", fmt.Errorf("unable to derive the IP value for host-gateway")
}
ip = gateway
} else if net.ParseIP(ip) == nil {
return "", fmt.Errorf("invalid host %s", h)
}
hosts = append(hosts, host+"="+ip)
} }
return strings.Join(hosts, ","), nil return strings.Join(hosts, ","), nil
} }

View file

@ -111,6 +111,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
PruneRefChecker: refChecker, PruneRefChecker: refChecker,
LeaseManager: lm, LeaseManager: lm,
ContentStore: store, ContentStore: store,
GarbageCollect: mdb.GarbageCollect,
}) })
if err != nil { if err != nil {
return nil, err return nil, err
@ -125,6 +126,8 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
ReferenceStore: dist.ReferenceStore, ReferenceStore: dist.ReferenceStore,
RegistryHosts: opt.RegistryHosts, RegistryHosts: opt.RegistryHosts,
LayerStore: dist.LayerStore, LayerStore: dist.LayerStore,
LeaseManager: lm,
GarbageCollect: mdb.GarbageCollect,
}) })
if err != nil { if err != nil {
return nil, err return nil, err
@ -132,7 +135,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {
dns := getDNSConfig(opt.DNSConfig) dns := getDNSConfig(opt.DNSConfig)
exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping) exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, dns, opt.Rootless, opt.IdentityMapping, opt.ApparmorProfile)
if err != nil { if err != nil {
return nil, err return nil, err
} }

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package buildkit package buildkit
@ -24,12 +25,25 @@ import (
const networkName = "bridge" const networkName = "bridge"
func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping) (executor.Executor, error) { func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dnsConfig *oci.DNSConfig, rootless bool, idmap *idtools.IdentityMapping, apparmorProfile string) (executor.Executor, error) {
netRoot := filepath.Join(root, "net")
networkProviders := map[pb.NetMode]network.Provider{ networkProviders := map[pb.NetMode]network.Provider{
pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")}, pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: netRoot},
pb.NetMode_HOST: network.NewHostProvider(), pb.NetMode_HOST: network.NewHostProvider(),
pb.NetMode_NONE: network.NewNoneProvider(), pb.NetMode_NONE: network.NewNoneProvider(),
} }
// make sure net state directory is cleared from previous state
fis, err := os.ReadDir(netRoot)
if err == nil {
for _, fi := range fis {
fp := filepath.Join(netRoot, fi.Name())
if err := os.RemoveAll(fp); err != nil {
logrus.WithError(err).Errorf("failed to delete old network state: %v", fp)
}
}
}
return runcexecutor.New(runcexecutor.Opt{ return runcexecutor.New(runcexecutor.Opt{
Root: filepath.Join(root, "executor"), Root: filepath.Join(root, "executor"),
CommandCandidates: []string{"runc"}, CommandCandidates: []string{"runc"},
@ -38,6 +52,7 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, dn
NoPivot: os.Getenv("DOCKER_RAMDISK") != "", NoPivot: os.Getenv("DOCKER_RAMDISK") != "",
IdentityMapping: idmap, IdentityMapping: idmap,
DNS: dnsConfig, DNS: dnsConfig,
ApparmorProfile: apparmorProfile,
}, networkProviders) }, networkProviders)
} }
@ -117,7 +132,10 @@ func (iface *lnInterface) Close() error {
if iface.sbx != nil { if iface.sbx != nil {
go func() { go func() {
if err := iface.sbx.Delete(); err != nil { if err := iface.sbx.Delete(); err != nil {
logrus.Errorf("failed to delete builder network sandbox: %v", err) logrus.WithError(err).Errorf("failed to delete builder network sandbox")
}
if err := os.RemoveAll(filepath.Join(iface.provider.Root, iface.sbx.ContainerID())); err != nil {
logrus.WithError(err).Errorf("failed to delete builder sandbox directory")
} }
}() }()
} }

View file

@ -11,7 +11,7 @@ import (
"github.com/moby/buildkit/executor/oci" "github.com/moby/buildkit/executor/oci"
) )
func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping) (executor.Executor, error) { func newExecutor(_, _ string, _ libnetwork.NetworkController, _ *oci.DNSConfig, _ bool, _ *idtools.IdentityMapping, _ string) (executor.Executor, error) {
return &winExecutor{}, nil return &winExecutor{}, nil
} }

View file

@ -20,10 +20,9 @@ import (
// ) // )
func emptyImageConfig() ([]byte, error) { func emptyImageConfig() ([]byte, error) {
img := ocispec.Image{ img := ocispec.Image{}
Architecture: runtime.GOARCH, img.Architecture = runtime.GOARCH
OS: runtime.GOOS, img.OS = runtime.GOOS
}
img.RootFS.Type = "layers" img.RootFS.Type = "layers"
img.Config.WorkingDir = "/" img.Config.WorkingDir = "/"
img.Config.Env = []string{"PATH=" + system.DefaultPathEnvUnix} img.Config.Env = []string{"PATH=" + system.DefaultPathEnvUnix}

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package worker package worker
@ -11,7 +12,7 @@ func detectDefaultGCCap(root string) int64 {
if err := syscall.Statfs(root, &st); err != nil { if err := syscall.Statfs(root, &st); err != nil {
return defaultCap return defaultCap
} }
diskSize := int64(st.Bsize) * int64(st.Blocks) // nolint unconvert diskSize := int64(st.Bsize) * int64(st.Blocks) //nolint unconvert
avail := diskSize / 10 avail := diskSize / 10
return (avail/(1<<30) + 1) * 1e9 // round up return (avail/(1<<30) + 1) * 1e9 // round up
} }

View file

@ -1,3 +1,4 @@
//go:build windows
// +build windows // +build windows
package worker package worker

View file

@ -4,7 +4,6 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"io/ioutil"
nethttp "net/http" nethttp "net/http"
"runtime" "runtime"
"strings" "strings"
@ -442,7 +441,7 @@ func (ld *layerDescriptor) Download(ctx context.Context, progressOutput pkgprogr
return nil, 0, err return nil, 0, err
} }
return ioutil.NopCloser(content.NewReader(ra)), ld.desc.Size, nil return io.NopCloser(content.NewReader(ra)), ld.desc.Size, nil
} }
func (ld *layerDescriptor) Close() { func (ld *layerDescriptor) Close() {

View file

@ -5,7 +5,6 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"sort" "sort"
"strings" "strings"
@ -257,10 +256,10 @@ func (b *Builder) dispatchDockerfileWithCancellation(parseResult []instructions.
totalCommands += len(stage.Commands) totalCommands += len(stage.Commands)
} }
shlex := shell.NewLex(escapeToken) shlex := shell.NewLex(escapeToken)
for _, meta := range metaArgs { for i := range metaArgs {
currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &meta) currentCommandIndex = printCommand(b.Stdout, currentCommandIndex, totalCommands, &metaArgs[i])
err := processMetaArg(meta, shlex, buildArgs) err := processMetaArg(metaArgs[i], shlex, buildArgs)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -268,7 +267,8 @@ func (b *Builder) dispatchDockerfileWithCancellation(parseResult []instructions.
stagesResults := newStagesBuildResults() stagesResults := newStagesBuildResults()
for _, stage := range parseResult { for _, s := range parseResult {
stage := s
if err := stagesResults.checkStageNameAvailable(stage.Name); err != nil { if err := stagesResults.checkStageNameAvailable(stage.Name); err != nil {
return nil, err return nil, err
} }
@ -348,8 +348,8 @@ func BuildFromConfig(config *container.Config, changes []string, os string) (*co
} }
} }
b.Stdout = ioutil.Discard b.Stdout = io.Discard
b.Stderr = ioutil.Discard b.Stderr = io.Discard
b.disableCommit = true b.disableCommit = true
var commands []instructions.Command var commands []instructions.Command

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"

View file

@ -35,7 +35,6 @@ import (
// //
// Sets the environment variable foo to bar, also makes interpolation // Sets the environment variable foo to bar, also makes interpolation
// in the dockerfile available from the next statement on via ${foo}. // in the dockerfile available from the next statement on via ${foo}.
//
func dispatchEnv(d dispatchRequest, c *instructions.EnvCommand) error { func dispatchEnv(d dispatchRequest, c *instructions.EnvCommand) error {
runConfig := d.state.runConfig runConfig := d.state.runConfig
commitMessage := bytes.NewBufferString("ENV") commitMessage := bytes.NewBufferString("ENV")
@ -73,7 +72,6 @@ func dispatchMaintainer(d dispatchRequest, c *instructions.MaintainerCommand) er
// LABEL some json data describing the image // LABEL some json data describing the image
// //
// Sets the Label variable foo to bar, // Sets the Label variable foo to bar,
//
func dispatchLabel(d dispatchRequest, c *instructions.LabelCommand) error { func dispatchLabel(d dispatchRequest, c *instructions.LabelCommand) error {
if d.state.runConfig.Labels == nil { if d.state.runConfig.Labels == nil {
d.state.runConfig.Labels = make(map[string]string) d.state.runConfig.Labels = make(map[string]string)
@ -90,8 +88,10 @@ func dispatchLabel(d dispatchRequest, c *instructions.LabelCommand) error {
// //
// Add the file 'foo' to '/path'. Tarball and Remote URL (http, https) handling // Add the file 'foo' to '/path'. Tarball and Remote URL (http, https) handling
// exist here. If you do not wish to have this automatic handling, use COPY. // exist here. If you do not wish to have this automatic handling, use COPY.
//
func dispatchAdd(d dispatchRequest, c *instructions.AddCommand) error { func dispatchAdd(d dispatchRequest, c *instructions.AddCommand) error {
if c.Chmod != "" {
return errors.New("the --chmod option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled")
}
downloader := newRemoteSourceDownloader(d.builder.Output, d.builder.Stdout) downloader := newRemoteSourceDownloader(d.builder.Output, d.builder.Stdout)
copier := copierFromDispatchRequest(d, downloader, nil) copier := copierFromDispatchRequest(d, downloader, nil)
defer copier.Cleanup() defer copier.Cleanup()
@ -109,8 +109,10 @@ func dispatchAdd(d dispatchRequest, c *instructions.AddCommand) error {
// COPY foo /path // COPY foo /path
// //
// Same as 'ADD' but without the tar and remote url handling. // Same as 'ADD' but without the tar and remote url handling.
//
func dispatchCopy(d dispatchRequest, c *instructions.CopyCommand) error { func dispatchCopy(d dispatchRequest, c *instructions.CopyCommand) error {
if c.Chmod != "" {
return errors.New("the --chmod option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled")
}
var im *imageMount var im *imageMount
var err error var err error
if c.From != "" { if c.From != "" {
@ -151,7 +153,6 @@ func (d *dispatchRequest) getImageMount(imageRefOrID string) (*imageMount, error
} }
// FROM [--platform=platform] imagename[:tag | @digest] [AS build-stage-name] // FROM [--platform=platform] imagename[:tag | @digest] [AS build-stage-name]
//
func initializeStage(d dispatchRequest, cmd *instructions.Stage) error { func initializeStage(d dispatchRequest, cmd *instructions.Stage) error {
d.builder.imageProber.Reset() d.builder.imageProber.Reset()
@ -298,7 +299,6 @@ func dispatchOnbuild(d dispatchRequest, c *instructions.OnbuildCommand) error {
// WORKDIR /tmp // WORKDIR /tmp
// //
// Set the working directory for future RUN/CMD/etc statements. // Set the working directory for future RUN/CMD/etc statements.
//
func dispatchWorkdir(d dispatchRequest, c *instructions.WorkdirCommand) error { func dispatchWorkdir(d dispatchRequest, c *instructions.WorkdirCommand) error {
runConfig := d.state.runConfig runConfig := d.state.runConfig
var err error var err error
@ -341,11 +341,16 @@ func dispatchWorkdir(d dispatchRequest, c *instructions.WorkdirCommand) error {
// RUN echo hi # sh -c echo hi (Linux and LCOW) // RUN echo hi # sh -c echo hi (Linux and LCOW)
// RUN echo hi # cmd /S /C echo hi (Windows) // RUN echo hi # cmd /S /C echo hi (Windows)
// RUN [ "echo", "hi" ] # echo hi // RUN [ "echo", "hi" ] # echo hi
//
func dispatchRun(d dispatchRequest, c *instructions.RunCommand) error { func dispatchRun(d dispatchRequest, c *instructions.RunCommand) error {
if !system.IsOSSupported(d.state.operatingSystem) { if !system.IsOSSupported(d.state.operatingSystem) {
return system.ErrNotSupportedOperatingSystem return system.ErrNotSupportedOperatingSystem
} }
if len(c.FlagsUsed) > 0 {
// classic builder RUN currently does not support any flags, so fail on the first one
return errors.Errorf("the --%s option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled", c.FlagsUsed[0])
}
stateRunConfig := d.state.runConfig stateRunConfig := d.state.runConfig
cmdFromArgs, argsEscaped := resolveCmdLine(c.ShellDependantCmdLine, stateRunConfig, d.state.operatingSystem, c.Name(), c.String()) cmdFromArgs, argsEscaped := resolveCmdLine(c.ShellDependantCmdLine, stateRunConfig, d.state.operatingSystem, c.Name(), c.String())
buildArgs := d.state.buildArgs.FilterAllowed(stateRunConfig.Env) buildArgs := d.state.buildArgs.FilterAllowed(stateRunConfig.Env)
@ -430,7 +435,6 @@ func prependEnvOnCmd(buildArgs *BuildArgs, buildArgVars []string, cmd strslice.S
// //
// Set the default command to run in the container (which may be empty). // Set the default command to run in the container (which may be empty).
// Argument handling is the same as RUN. // Argument handling is the same as RUN.
//
func dispatchCmd(d dispatchRequest, c *instructions.CmdCommand) error { func dispatchCmd(d dispatchRequest, c *instructions.CmdCommand) error {
runConfig := d.state.runConfig runConfig := d.state.runConfig
cmd, argsEscaped := resolveCmdLine(c.ShellDependantCmdLine, runConfig, d.state.operatingSystem, c.Name(), c.String()) cmd, argsEscaped := resolveCmdLine(c.ShellDependantCmdLine, runConfig, d.state.operatingSystem, c.Name(), c.String())
@ -461,7 +465,6 @@ func dispatchCmd(d dispatchRequest, c *instructions.CmdCommand) error {
// //
// Set the default healthcheck command to run in the container (which may be empty). // Set the default healthcheck command to run in the container (which may be empty).
// Argument handling is the same as RUN. // Argument handling is the same as RUN.
//
func dispatchHealthcheck(d dispatchRequest, c *instructions.HealthCheckCommand) error { func dispatchHealthcheck(d dispatchRequest, c *instructions.HealthCheckCommand) error {
runConfig := d.state.runConfig runConfig := d.state.runConfig
if runConfig.Healthcheck != nil { if runConfig.Healthcheck != nil {
@ -481,7 +484,6 @@ func dispatchHealthcheck(d dispatchRequest, c *instructions.HealthCheckCommand)
// //
// Handles command processing similar to CMD and RUN, only req.runConfig.Entrypoint // Handles command processing similar to CMD and RUN, only req.runConfig.Entrypoint
// is initialized at newBuilder time instead of through argument parsing. // is initialized at newBuilder time instead of through argument parsing.
//
func dispatchEntrypoint(d dispatchRequest, c *instructions.EntrypointCommand) error { func dispatchEntrypoint(d dispatchRequest, c *instructions.EntrypointCommand) error {
runConfig := d.state.runConfig runConfig := d.state.runConfig
cmd, argsEscaped := resolveCmdLine(c.ShellDependantCmdLine, runConfig, d.state.operatingSystem, c.Name(), c.String()) cmd, argsEscaped := resolveCmdLine(c.ShellDependantCmdLine, runConfig, d.state.operatingSystem, c.Name(), c.String())
@ -511,7 +513,6 @@ func dispatchEntrypoint(d dispatchRequest, c *instructions.EntrypointCommand) er
// //
// Expose ports for links and port mappings. This all ends up in // Expose ports for links and port mappings. This all ends up in
// req.runConfig.ExposedPorts for runconfig. // req.runConfig.ExposedPorts for runconfig.
//
func dispatchExpose(d dispatchRequest, c *instructions.ExposeCommand, envs []string) error { func dispatchExpose(d dispatchRequest, c *instructions.ExposeCommand, envs []string) error {
// custom multi word expansion // custom multi word expansion
// expose $FOO with FOO="80 443" is expanded as EXPOSE [80,443]. This is the only command supporting word to words expansion // expose $FOO with FOO="80 443" is expanded as EXPOSE [80,443]. This is the only command supporting word to words expansion
@ -545,7 +546,6 @@ func dispatchExpose(d dispatchRequest, c *instructions.ExposeCommand, envs []str
// //
// Set the user to 'foo' for future commands and when running the // Set the user to 'foo' for future commands and when running the
// ENTRYPOINT/CMD at container run time. // ENTRYPOINT/CMD at container run time.
//
func dispatchUser(d dispatchRequest, c *instructions.UserCommand) error { func dispatchUser(d dispatchRequest, c *instructions.UserCommand) error {
d.state.runConfig.User = c.User d.state.runConfig.User = c.User
return d.builder.commit(d.state, fmt.Sprintf("USER %v", c.User)) return d.builder.commit(d.state, fmt.Sprintf("USER %v", c.User))
@ -554,7 +554,6 @@ func dispatchUser(d dispatchRequest, c *instructions.UserCommand) error {
// VOLUME /foo // VOLUME /foo
// //
// Expose the volume /foo for use. Will also accept the JSON array form. // Expose the volume /foo for use. Will also accept the JSON array form.
//
func dispatchVolume(d dispatchRequest, c *instructions.VolumeCommand) error { func dispatchVolume(d dispatchRequest, c *instructions.VolumeCommand) error {
if d.state.runConfig.Volumes == nil { if d.state.runConfig.Volumes == nil {
d.state.runConfig.Volumes = map[string]struct{}{} d.state.runConfig.Volumes = map[string]struct{}{}

View file

@ -3,6 +3,7 @@ package dockerfile // import "github.com/docker/docker/builder/dockerfile"
import ( import (
"bytes" "bytes"
"context" "context"
"fmt"
"runtime" "runtime"
"strings" "strings"
"testing" "testing"
@ -570,3 +571,40 @@ func TestRunIgnoresHealthcheck(t *testing.T) {
assert.NilError(t, dispatch(sb, run)) assert.NilError(t, dispatch(sb, run))
assert.Check(t, is.DeepEqual(expectedTest, sb.state.runConfig.Healthcheck.Test)) assert.Check(t, is.DeepEqual(expectedTest, sb.state.runConfig.Healthcheck.Test))
} }
func TestDispatchUnsupportedOptions(t *testing.T) {
b := newBuilderWithMockBackend()
sb := newDispatchRequest(b, '`', nil, NewBuildArgs(make(map[string]*string)), newStagesBuildResults())
sb.state.baseImage = &mockImage{}
sb.state.operatingSystem = runtime.GOOS
t.Run("ADD with chmod", func(t *testing.T) {
cmd := &instructions.AddCommand{SourcesAndDest: []string{".", "."}, Chmod: "0655"}
err := dispatch(sb, cmd)
assert.Error(t, err, "the --chmod option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled")
})
t.Run("COPY with chmod", func(t *testing.T) {
cmd := &instructions.CopyCommand{SourcesAndDest: []string{".", "."}, Chmod: "0655"}
err := dispatch(sb, cmd)
assert.Error(t, err, "the --chmod option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled")
})
t.Run("RUN with unsupported options", func(t *testing.T) {
cmd := &instructions.RunCommand{
ShellDependantCmdLine: instructions.ShellDependantCmdLine{
CmdLine: strslice.StrSlice{"echo foo"},
PrependShell: true,
},
}
// classic builder "RUN" currently doesn't support any flags, but testing
// both "known" flags and "bogus" flags for completeness, and in case
// one or more of these flags will be supported in future
for _, f := range []string{"mount", "network", "security", "any-flag"} {
cmd.FlagsUsed = []string{f}
err := dispatch(sb, cmd)
assert.Error(t, err, fmt.Sprintf("the --%s option requires BuildKit. Refer to https://docs.docker.com/go/buildkit/ to learn how to build images with BuildKit enabled", f))
}
})
}

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"

View file

@ -1,3 +1,4 @@
//go:build !windows
// +build !windows // +build !windows
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"

View file

@ -1,3 +1,4 @@
//go:build windows
// +build windows // +build windows
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"

View file

@ -1,3 +1,4 @@
//go:build windows
// +build windows // +build windows
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"

View file

@ -1,7 +1,6 @@
package dockerfile // import "github.com/docker/docker/builder/dockerfile" package dockerfile // import "github.com/docker/docker/builder/dockerfile"
import ( import (
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"testing" "testing"
@ -11,7 +10,7 @@ import (
// It returns the created path and a cleanup function which is meant to be used as deferred call. // It returns the created path and a cleanup function which is meant to be used as deferred call.
// When an error occurs, it terminates the test. // When an error occurs, it terminates the test.
func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) { func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
path, err := ioutil.TempDir(dir, prefix) path, err := os.MkdirTemp(dir, prefix)
if err != nil { if err != nil {
t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err) t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err)
@ -30,7 +29,7 @@ func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
// When an error occurs, it terminates the test // When an error occurs, it terminates the test
func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string { func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string {
filePath := filepath.Join(dir, filename) filePath := filepath.Join(dir, filename)
err := ioutil.WriteFile(filePath, []byte(contents), perm) err := os.WriteFile(filePath, []byte(contents), perm)
if err != nil { if err != nil {
t.Fatalf("Error when creating %s file: %s", filename, err) t.Fatalf("Error when creating %s file: %s", filename, err)

View file

@ -2,7 +2,6 @@ package remotecontext // import "github.com/docker/docker/builder/remotecontext"
import ( import (
"errors" "errors"
"io/ioutil"
"log" "log"
"os" "os"
"sort" "sort"
@ -20,7 +19,7 @@ const (
const shouldStayFilename = "should_stay" const shouldStayFilename = "should_stay"
func extractFilenames(files []os.FileInfo) []string { func extractFilenames(files []os.DirEntry) []string {
filenames := make([]string, len(files)) filenames := make([]string, len(files))
for i, file := range files { for i, file := range files {
@ -31,7 +30,7 @@ func extractFilenames(files []os.FileInfo) []string {
} }
func checkDirectory(t *testing.T, dir string, expectedFiles []string) { func checkDirectory(t *testing.T, dir string, expectedFiles []string) {
files, err := ioutil.ReadDir(dir) files, err := os.ReadDir(dir)
if err != nil { if err != nil {
t.Fatalf("Could not read directory: %s", err) t.Fatalf("Could not read directory: %s", err)

View file

@ -11,7 +11,7 @@ import (
// MakeGitContext returns a Context from gitURL that is cloned in a temporary directory. // MakeGitContext returns a Context from gitURL that is cloned in a temporary directory.
func MakeGitContext(gitURL string) (builder.Source, error) { func MakeGitContext(gitURL string) (builder.Source, error) {
root, err := git.Clone(gitURL) root, err := git.Clone(gitURL, git.WithIsolatedConfig(true))
if err != nil { if err != nil {
return nil, err return nil, err
} }

View file

@ -1,40 +1,56 @@
package git // import "github.com/docker/docker/builder/remotecontext/git" package git // import "github.com/docker/docker/builder/remotecontext/git"
import ( import (
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
"os/exec"
"path/filepath" "path/filepath"
"strings" "strings"
"github.com/moby/sys/symlink" "github.com/moby/sys/symlink"
"github.com/pkg/errors" "github.com/pkg/errors"
exec "golang.org/x/sys/execabs"
) )
type gitRepo struct { type gitRepo struct {
remote string remote string
ref string ref string
subdir string subdir string
isolateConfig bool
}
// CloneOption changes the behaviour of Clone().
type CloneOption func(*gitRepo)
// WithIsolatedConfig disables reading the user or system gitconfig files when
// performing Git operations.
func WithIsolatedConfig(v bool) CloneOption {
return func(gr *gitRepo) {
gr.isolateConfig = v
}
} }
// Clone clones a repository into a newly created directory which // Clone clones a repository into a newly created directory which
// will be under "docker-build-git" // will be under "docker-build-git"
func Clone(remoteURL string) (string, error) { func Clone(remoteURL string, opts ...CloneOption) (string, error) {
repo, err := parseRemoteURL(remoteURL) repo, err := parseRemoteURL(remoteURL)
if err != nil { if err != nil {
return "", err return "", err
} }
return cloneGitRepo(repo) for _, opt := range opts {
opt(&repo)
}
return repo.clone()
} }
func cloneGitRepo(repo gitRepo) (checkoutDir string, err error) { func (repo gitRepo) clone() (checkoutDir string, err error) {
fetch := fetchArgs(repo.remote, repo.ref) fetch := fetchArgs(repo.remote, repo.ref)
root, err := ioutil.TempDir("", "docker-build-git") root, err := os.MkdirTemp("", "docker-build-git")
if err != nil { if err != nil {
return "", err return "", err
} }
@ -45,21 +61,21 @@ func cloneGitRepo(repo gitRepo) (checkoutDir string, err error) {
} }
}() }()
if out, err := gitWithinDir(root, "init"); err != nil { if out, err := repo.gitWithinDir(root, "init"); err != nil {
return "", errors.Wrapf(err, "failed to init repo at %s: %s", root, out) return "", errors.Wrapf(err, "failed to init repo at %s: %s", root, out)
} }
// Add origin remote for compatibility with previous implementation that // Add origin remote for compatibility with previous implementation that
// used "git clone" and also to make sure local refs are created for branches // used "git clone" and also to make sure local refs are created for branches
if out, err := gitWithinDir(root, "remote", "add", "origin", repo.remote); err != nil { if out, err := repo.gitWithinDir(root, "remote", "add", "origin", repo.remote); err != nil {
return "", errors.Wrapf(err, "failed add origin repo at %s: %s", repo.remote, out) return "", errors.Wrapf(err, "failed add origin repo at %s: %s", repo.remote, out)
} }
if output, err := gitWithinDir(root, fetch...); err != nil { if output, err := repo.gitWithinDir(root, fetch...); err != nil {
return "", errors.Wrapf(err, "error fetching: %s", output) return "", errors.Wrapf(err, "error fetching: %s", output)
} }
checkoutDir, err = checkoutGit(root, repo.ref, repo.subdir) checkoutDir, err = repo.checkout(root)
if err != nil { if err != nil {
return "", err return "", err
} }
@ -163,20 +179,20 @@ func supportsShallowClone(remoteURL string) bool {
return true return true
} }
func checkoutGit(root, ref, subdir string) (string, error) { func (repo gitRepo) checkout(root string) (string, error) {
// Try checking out by ref name first. This will work on branches and sets // Try checking out by ref name first. This will work on branches and sets
// .git/HEAD to the current branch name // .git/HEAD to the current branch name
if output, err := gitWithinDir(root, "checkout", ref); err != nil { if output, err := repo.gitWithinDir(root, "checkout", repo.ref); err != nil {
// If checking out by branch name fails check out the last fetched ref // If checking out by branch name fails check out the last fetched ref
if _, err2 := gitWithinDir(root, "checkout", "FETCH_HEAD"); err2 != nil { if _, err2 := repo.gitWithinDir(root, "checkout", "FETCH_HEAD"); err2 != nil {
return "", errors.Wrapf(err, "error checking out %s: %s", ref, output) return "", errors.Wrapf(err, "error checking out %s: %s", repo.ref, output)
} }
} }
if subdir != "" { if repo.subdir != "" {
newCtx, err := symlink.FollowSymlinkInScope(filepath.Join(root, subdir), root) newCtx, err := symlink.FollowSymlinkInScope(filepath.Join(root, repo.subdir), root)
if err != nil { if err != nil {
return "", errors.Wrapf(err, "error setting git context, %q not within git root", subdir) return "", errors.Wrapf(err, "error setting git context, %q not within git root", repo.subdir)
} }
fi, err := os.Stat(newCtx) fi, err := os.Stat(newCtx)
@ -192,13 +208,21 @@ func checkoutGit(root, ref, subdir string) (string, error) {
return root, nil return root, nil
} }
func gitWithinDir(dir string, args ...string) ([]byte, error) { func (repo gitRepo) gitWithinDir(dir string, args ...string) ([]byte, error) {
a := []string{"--work-tree", dir, "--git-dir", filepath.Join(dir, ".git")} args = append([]string{"-c", "protocol.file.allow=never"}, args...) // Block sneaky repositories from using repos from the filesystem as submodules.
return git(append(a, args...)...) cmd := exec.Command("git", args...)
} cmd.Dir = dir
// Disable unsafe remote protocols.
cmd.Env = append(os.Environ(), "GIT_PROTOCOL_FROM_USER=0")
func git(args ...string) ([]byte, error) { if repo.isolateConfig {
return exec.Command("git", args...).CombinedOutput() cmd.Env = append(cmd.Env,
"GIT_CONFIG_NOSYSTEM=1", // Disable reading from system gitconfig.
"HOME=/dev/null", // Disable reading from user gitconfig.
)
}
return cmd.CombinedOutput()
} }
// isGitTransport returns true if the provided str is a git transport by inspecting // isGitTransport returns true if the provided str is a git transport by inspecting

View file

@ -1,9 +1,10 @@
package git // import "github.com/docker/docker/builder/remotecontext/git" package git // import "github.com/docker/docker/builder/remotecontext/git"
import ( import (
"bytes"
"fmt" "fmt"
"io/ioutil"
"net/http" "net/http"
"net/http/cgi"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
"os" "os"
@ -161,7 +162,7 @@ func TestCloneArgsGit(t *testing.T) {
} }
func gitGetConfig(name string) string { func gitGetConfig(name string) string {
b, err := git([]string{"config", "--get", name}...) b, err := gitRepo{}.gitWithinDir("", "config", "--get", name)
if err != nil { if err != nil {
// since we are interested in empty or non empty string, // since we are interested in empty or non empty string,
// we can safely ignore the err here. // we can safely ignore the err here.
@ -171,9 +172,50 @@ func gitGetConfig(name string) string {
} }
func TestCheckoutGit(t *testing.T) { func TestCheckoutGit(t *testing.T) {
root, err := ioutil.TempDir("", "docker-build-git-checkout") root := t.TempDir()
gitpath, err := exec.LookPath("git")
assert.NilError(t, err) assert.NilError(t, err)
defer os.RemoveAll(root) gitversion, _ := exec.Command(gitpath, "version").CombinedOutput()
t.Logf("%s", gitversion) // E.g. "git version 2.30.2"
// Serve all repositories under root using the Smart HTTP protocol so
// they can be cloned. The Dumb HTTP protocol is incompatible with
// shallow cloning but we unconditionally shallow-clone submodules, and
// we explicitly disable the file protocol.
// (Another option would be to use `git daemon` and the Git protocol,
// but that listens on a fixed port number which is a recipe for
// disaster in CI. Funnily enough, `git daemon --port=0` works but there
// is no easy way to discover which port got picked!)
// Associate git-http-backend logs with the current (sub)test.
// Incompatible with parallel subtests.
currentSubtest := t
githttp := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var logs bytes.Buffer
(&cgi.Handler{
Path: gitpath,
Args: []string{"http-backend"},
Dir: root,
Env: []string{
"GIT_PROJECT_ROOT=" + root,
"GIT_HTTP_EXPORT_ALL=1",
},
Stderr: &logs,
}).ServeHTTP(w, r)
if logs.Len() == 0 {
return
}
for {
line, err := logs.ReadString('\n')
currentSubtest.Log("git-http-backend: " + line)
if err != nil {
break
}
}
})
server := httptest.NewServer(&githttp)
defer server.Close()
autocrlf := gitGetConfig("core.autocrlf") autocrlf := gitGetConfig("core.autocrlf")
if !(autocrlf == "true" || autocrlf == "false" || if !(autocrlf == "true" || autocrlf == "false" ||
@ -185,88 +227,54 @@ func TestCheckoutGit(t *testing.T) {
eol = "\r\n" eol = "\r\n"
} }
must := func(out []byte, err error) {
t.Helper()
if len(out) > 0 {
t.Logf("%s", out)
}
assert.NilError(t, err)
}
gitDir := filepath.Join(root, "repo") gitDir := filepath.Join(root, "repo")
_, err = git("init", gitDir) must(gitRepo{}.gitWithinDir(root, "-c", "init.defaultBranch=master", "init", gitDir))
assert.NilError(t, err) must(gitRepo{}.gitWithinDir(gitDir, "config", "user.email", "test@docker.com"))
must(gitRepo{}.gitWithinDir(gitDir, "config", "user.name", "Docker test"))
_, err = gitWithinDir(gitDir, "config", "user.email", "test@docker.com") assert.NilError(t, os.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte("FROM scratch"), 0644))
assert.NilError(t, err)
_, err = gitWithinDir(gitDir, "config", "user.name", "Docker test")
assert.NilError(t, err)
err = ioutil.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte("FROM scratch"), 0644)
assert.NilError(t, err)
subDir := filepath.Join(gitDir, "subdir") subDir := filepath.Join(gitDir, "subdir")
assert.NilError(t, os.Mkdir(subDir, 0755)) assert.NilError(t, os.Mkdir(subDir, 0755))
assert.NilError(t, os.WriteFile(filepath.Join(subDir, "Dockerfile"), []byte("FROM scratch\nEXPOSE 5000"), 0644))
err = ioutil.WriteFile(filepath.Join(subDir, "Dockerfile"), []byte("FROM scratch\nEXPOSE 5000"), 0644)
assert.NilError(t, err)
if runtime.GOOS != "windows" { if runtime.GOOS != "windows" {
if err = os.Symlink("../subdir", filepath.Join(gitDir, "parentlink")); err != nil { assert.NilError(t, os.Symlink("../subdir", filepath.Join(gitDir, "parentlink")))
t.Fatal(err) assert.NilError(t, os.Symlink("/subdir", filepath.Join(gitDir, "absolutelink")))
}
if err = os.Symlink("/subdir", filepath.Join(gitDir, "absolutelink")); err != nil {
t.Fatal(err)
}
} }
_, err = gitWithinDir(gitDir, "add", "-A") must(gitRepo{}.gitWithinDir(gitDir, "add", "-A"))
assert.NilError(t, err) must(gitRepo{}.gitWithinDir(gitDir, "commit", "-am", "First commit"))
must(gitRepo{}.gitWithinDir(gitDir, "checkout", "-b", "test"))
_, err = gitWithinDir(gitDir, "commit", "-am", "First commit") assert.NilError(t, os.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte("FROM scratch\nEXPOSE 3000"), 0644))
assert.NilError(t, err) assert.NilError(t, os.WriteFile(filepath.Join(subDir, "Dockerfile"), []byte("FROM busybox\nEXPOSE 5000"), 0644))
_, err = gitWithinDir(gitDir, "checkout", "-b", "test") must(gitRepo{}.gitWithinDir(gitDir, "add", "-A"))
assert.NilError(t, err) must(gitRepo{}.gitWithinDir(gitDir, "commit", "-am", "Branch commit"))
must(gitRepo{}.gitWithinDir(gitDir, "checkout", "master"))
err = ioutil.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte("FROM scratch\nEXPOSE 3000"), 0644)
assert.NilError(t, err)
err = ioutil.WriteFile(filepath.Join(subDir, "Dockerfile"), []byte("FROM busybox\nEXPOSE 5000"), 0644)
assert.NilError(t, err)
_, err = gitWithinDir(gitDir, "add", "-A")
assert.NilError(t, err)
_, err = gitWithinDir(gitDir, "commit", "-am", "Branch commit")
assert.NilError(t, err)
_, err = gitWithinDir(gitDir, "checkout", "master")
assert.NilError(t, err)
// set up submodule // set up submodule
subrepoDir := filepath.Join(root, "subrepo") subrepoDir := filepath.Join(root, "subrepo")
_, err = git("init", subrepoDir) must(gitRepo{}.gitWithinDir(root, "-c", "init.defaultBranch=master", "init", subrepoDir))
assert.NilError(t, err) must(gitRepo{}.gitWithinDir(subrepoDir, "config", "user.email", "test@docker.com"))
must(gitRepo{}.gitWithinDir(subrepoDir, "config", "user.name", "Docker test"))
_, err = gitWithinDir(subrepoDir, "config", "user.email", "test@docker.com") assert.NilError(t, os.WriteFile(filepath.Join(subrepoDir, "subfile"), []byte("subcontents"), 0644))
assert.NilError(t, err)
_, err = gitWithinDir(subrepoDir, "config", "user.name", "Docker test") must(gitRepo{}.gitWithinDir(subrepoDir, "add", "-A"))
assert.NilError(t, err) must(gitRepo{}.gitWithinDir(subrepoDir, "commit", "-am", "Subrepo initial"))
err = ioutil.WriteFile(filepath.Join(subrepoDir, "subfile"), []byte("subcontents"), 0644) must(gitRepo{}.gitWithinDir(gitDir, "submodule", "add", server.URL+"/subrepo", "sub"))
assert.NilError(t, err) must(gitRepo{}.gitWithinDir(gitDir, "add", "-A"))
must(gitRepo{}.gitWithinDir(gitDir, "commit", "-am", "With submodule"))
_, err = gitWithinDir(subrepoDir, "add", "-A")
assert.NilError(t, err)
_, err = gitWithinDir(subrepoDir, "commit", "-am", "Subrepo initial")
assert.NilError(t, err)
cmd := exec.Command("git", "submodule", "add", subrepoDir, "sub") // this command doesn't work with --work-tree
cmd.Dir = gitDir
assert.NilError(t, cmd.Run())
_, err = gitWithinDir(gitDir, "add", "-A")
assert.NilError(t, err)
_, err = gitWithinDir(gitDir, "commit", "-am", "With submodule")
assert.NilError(t, err)
type singleCase struct { type singleCase struct {
frag string frag string
@ -300,28 +308,31 @@ func TestCheckoutGit(t *testing.T) {
} }
for _, c := range cases { for _, c := range cases {
ref, subdir := getRefAndSubdir(c.frag) t.Run(c.frag, func(t *testing.T) {
r, err := cloneGitRepo(gitRepo{remote: gitDir, ref: ref, subdir: subdir}) currentSubtest = t
ref, subdir := getRefAndSubdir(c.frag)
r, err := gitRepo{remote: server.URL + "/repo", ref: ref, subdir: subdir}.clone()
if c.fail { if c.fail {
assert.Check(t, is.ErrorContains(err, "")) assert.Check(t, is.ErrorContains(err, ""))
continue return
} }
assert.NilError(t, err)
defer os.RemoveAll(r)
if c.submodule {
b, err := ioutil.ReadFile(filepath.Join(r, "sub/subfile"))
assert.NilError(t, err) assert.NilError(t, err)
assert.Check(t, is.Equal("subcontents", string(b))) defer os.RemoveAll(r)
} else { if c.submodule {
_, err := os.Stat(filepath.Join(r, "sub/subfile")) b, err := os.ReadFile(filepath.Join(r, "sub/subfile"))
assert.Assert(t, is.ErrorContains(err, "")) assert.NilError(t, err)
assert.Assert(t, os.IsNotExist(err)) assert.Check(t, is.Equal("subcontents", string(b)))
} } else {
_, err := os.Stat(filepath.Join(r, "sub/subfile"))
assert.Assert(t, is.ErrorContains(err, ""))
assert.Assert(t, os.IsNotExist(err))
}
b, err := ioutil.ReadFile(filepath.Join(r, "Dockerfile")) b, err := os.ReadFile(filepath.Join(r, "Dockerfile"))
assert.NilError(t, err) assert.NilError(t, err)
assert.Check(t, is.Equal(c.exp, string(b))) assert.Check(t, is.Equal(c.exp, string(b)))
})
} }
} }

View file

@ -4,7 +4,6 @@ import (
"bytes" "bytes"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"net" "net"
"net/http" "net/http"
"net/url" "net/url"
@ -58,7 +57,7 @@ func GetWithStatusError(address string) (resp *http.Response, err error) {
return resp, nil return resp, nil
} }
msg := fmt.Sprintf("failed to GET %s with status %s", address, resp.Status) msg := fmt.Sprintf("failed to GET %s with status %s", address, resp.Status)
body, err := ioutil.ReadAll(resp.Body) body, err := io.ReadAll(resp.Body)
resp.Body.Close() resp.Body.Close()
if err != nil { if err != nil {
return nil, errdefs.System(errors.New(msg + ": error reading body")) return nil, errdefs.System(errors.New(msg + ": error reading body"))
@ -81,10 +80,10 @@ func GetWithStatusError(address string) (resp *http.Response, err error) {
// inspectResponse looks into the http response data at r to determine whether its // inspectResponse looks into the http response data at r to determine whether its
// content-type is on the list of acceptable content types for remote build contexts. // content-type is on the list of acceptable content types for remote build contexts.
// This function returns: // This function returns:
// - a string representation of the detected content-type // - a string representation of the detected content-type
// - an io.Reader for the response body // - an io.Reader for the response body
// - an error value which will be non-nil either when something goes wrong while // - an error value which will be non-nil either when something goes wrong while
// reading bytes from r or when the detected content-type is not acceptable. // reading bytes from r or when the detected content-type is not acceptable.
func inspectResponse(ct string, r io.Reader, clen int64) (string, io.Reader, error) { func inspectResponse(ct string, r io.Reader, clen int64) (string, io.Reader, error) {
plen := clen plen := clen
if plen <= 0 || plen > maxPreambleLength { if plen <= 0 || plen > maxPreambleLength {

View file

@ -3,7 +3,6 @@ package remotecontext // import "github.com/docker/docker/builder/remotecontext"
import ( import (
"bytes" "bytes"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"net/url" "net/url"
@ -52,7 +51,7 @@ func TestSelectAcceptableMIME(t *testing.T) {
func TestInspectEmptyResponse(t *testing.T) { func TestInspectEmptyResponse(t *testing.T) {
ct := "application/octet-stream" ct := "application/octet-stream"
br := ioutil.NopCloser(bytes.NewReader([]byte(""))) br := io.NopCloser(bytes.NewReader([]byte("")))
contentType, bReader, err := inspectResponse(ct, br, 0) contentType, bReader, err := inspectResponse(ct, br, 0)
if err == nil { if err == nil {
t.Fatal("Should have generated an error for an empty response") t.Fatal("Should have generated an error for an empty response")
@ -60,7 +59,7 @@ func TestInspectEmptyResponse(t *testing.T) {
if contentType != "application/octet-stream" { if contentType != "application/octet-stream" {
t.Fatalf("Content type should be 'application/octet-stream' but is %q", contentType) t.Fatalf("Content type should be 'application/octet-stream' but is %q", contentType)
} }
body, err := ioutil.ReadAll(bReader) body, err := io.ReadAll(bReader)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -71,7 +70,7 @@ func TestInspectEmptyResponse(t *testing.T) {
func TestInspectResponseBinary(t *testing.T) { func TestInspectResponseBinary(t *testing.T) {
ct := "application/octet-stream" ct := "application/octet-stream"
br := ioutil.NopCloser(bytes.NewReader(binaryContext)) br := io.NopCloser(bytes.NewReader(binaryContext))
contentType, bReader, err := inspectResponse(ct, br, int64(len(binaryContext))) contentType, bReader, err := inspectResponse(ct, br, int64(len(binaryContext)))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -79,7 +78,7 @@ func TestInspectResponseBinary(t *testing.T) {
if contentType != "application/octet-stream" { if contentType != "application/octet-stream" {
t.Fatalf("Content type should be 'application/octet-stream' but is %q", contentType) t.Fatalf("Content type should be 'application/octet-stream' but is %q", contentType)
} }
body, err := ioutil.ReadAll(bReader) body, err := io.ReadAll(bReader)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -96,7 +95,7 @@ func TestInspectResponseBinary(t *testing.T) {
func TestResponseUnsupportedContentType(t *testing.T) { func TestResponseUnsupportedContentType(t *testing.T) {
content := []byte(dockerfileContents) content := []byte(dockerfileContents)
ct := "application/json" ct := "application/json"
br := ioutil.NopCloser(bytes.NewReader(content)) br := io.NopCloser(bytes.NewReader(content))
contentType, bReader, err := inspectResponse(ct, br, int64(len(dockerfileContents))) contentType, bReader, err := inspectResponse(ct, br, int64(len(dockerfileContents)))
if err == nil { if err == nil {
@ -105,7 +104,7 @@ func TestResponseUnsupportedContentType(t *testing.T) {
if contentType != ct { if contentType != ct {
t.Fatalf("Should not have altered content-type: orig: %s, altered: %s", ct, contentType) t.Fatalf("Should not have altered content-type: orig: %s, altered: %s", ct, contentType)
} }
body, err := ioutil.ReadAll(bReader) body, err := io.ReadAll(bReader)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -117,7 +116,7 @@ func TestResponseUnsupportedContentType(t *testing.T) {
func TestInspectResponseTextSimple(t *testing.T) { func TestInspectResponseTextSimple(t *testing.T) {
content := []byte(dockerfileContents) content := []byte(dockerfileContents)
ct := "text/plain" ct := "text/plain"
br := ioutil.NopCloser(bytes.NewReader(content)) br := io.NopCloser(bytes.NewReader(content))
contentType, bReader, err := inspectResponse(ct, br, int64(len(content))) contentType, bReader, err := inspectResponse(ct, br, int64(len(content)))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -125,7 +124,7 @@ func TestInspectResponseTextSimple(t *testing.T) {
if contentType != "text/plain" { if contentType != "text/plain" {
t.Fatalf("Content type should be 'text/plain' but is %q", contentType) t.Fatalf("Content type should be 'text/plain' but is %q", contentType)
} }
body, err := ioutil.ReadAll(bReader) body, err := io.ReadAll(bReader)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -136,7 +135,7 @@ func TestInspectResponseTextSimple(t *testing.T) {
func TestInspectResponseEmptyContentType(t *testing.T) { func TestInspectResponseEmptyContentType(t *testing.T) {
content := []byte(dockerfileContents) content := []byte(dockerfileContents)
br := ioutil.NopCloser(bytes.NewReader(content)) br := io.NopCloser(bytes.NewReader(content))
contentType, bodyReader, err := inspectResponse("", br, int64(len(content))) contentType, bodyReader, err := inspectResponse("", br, int64(len(content)))
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -144,7 +143,7 @@ func TestInspectResponseEmptyContentType(t *testing.T) {
if contentType != "text/plain" { if contentType != "text/plain" {
t.Fatalf("Content type should be 'text/plain' but is %q", contentType) t.Fatalf("Content type should be 'text/plain' but is %q", contentType)
} }
body, err := ioutil.ReadAll(bodyReader) body, err := io.ReadAll(bodyReader)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -156,7 +155,7 @@ func TestInspectResponseEmptyContentType(t *testing.T) {
func TestUnknownContentLength(t *testing.T) { func TestUnknownContentLength(t *testing.T) {
content := []byte(dockerfileContents) content := []byte(dockerfileContents)
ct := "text/plain" ct := "text/plain"
br := ioutil.NopCloser(bytes.NewReader(content)) br := io.NopCloser(bytes.NewReader(content))
contentType, bReader, err := inspectResponse(ct, br, -1) contentType, bReader, err := inspectResponse(ct, br, -1)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -164,7 +163,7 @@ func TestUnknownContentLength(t *testing.T) {
if contentType != "text/plain" { if contentType != "text/plain" {
t.Fatalf("Content type should be 'text/plain' but is %q", contentType) t.Fatalf("Content type should be 'text/plain' but is %q", contentType)
} }
body, err := ioutil.ReadAll(bReader) body, err := io.ReadAll(bReader)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -191,7 +190,7 @@ func TestDownloadRemote(t *testing.T) {
assert.NilError(t, err) assert.NilError(t, err)
assert.Check(t, is.Equal(mimeTypes.TextPlain, contentType)) assert.Check(t, is.Equal(mimeTypes.TextPlain, contentType))
raw, err := ioutil.ReadAll(content) raw, err := io.ReadAll(content)
assert.NilError(t, err) assert.NilError(t, err)
assert.Check(t, is.Equal(dockerfileContents, string(raw))) assert.Check(t, is.Equal(dockerfileContents, string(raw)))
} }
@ -238,5 +237,5 @@ func TestGetWithStatusError(t *testing.T) {
func readBody(b io.ReadCloser) ([]byte, error) { func readBody(b io.ReadCloser) ([]byte, error) {
defer b.Close() defer b.Close()
return ioutil.ReadAll(b) return io.ReadAll(b)
} }

View file

@ -1,7 +1,6 @@
package remotecontext // import "github.com/docker/docker/builder/remotecontext" package remotecontext // import "github.com/docker/docker/builder/remotecontext"
import ( import (
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"testing" "testing"
@ -23,7 +22,7 @@ func init() {
} }
func TestCloseRootDirectory(t *testing.T) { func TestCloseRootDirectory(t *testing.T) {
contextDir, err := ioutil.TempDir("", "builder-tarsum-test") contextDir, err := os.MkdirTemp("", "builder-tarsum-test")
defer os.RemoveAll(contextDir) defer os.RemoveAll(contextDir)
if err != nil { if err != nil {
t.Fatalf("Error with creating temporary directory: %s", err) t.Fatalf("Error with creating temporary directory: %s", err)

View file

@ -1,7 +1,6 @@
package remotecontext // import "github.com/docker/docker/builder/remotecontext" package remotecontext // import "github.com/docker/docker/builder/remotecontext"
import ( import (
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"testing" "testing"
@ -11,7 +10,7 @@ import (
// It returns the created path and a cleanup function which is meant to be used as deferred call. // It returns the created path and a cleanup function which is meant to be used as deferred call.
// When an error occurs, it terminates the test. // When an error occurs, it terminates the test.
func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) { func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
path, err := ioutil.TempDir(dir, prefix) path, err := os.MkdirTemp(dir, prefix)
if err != nil { if err != nil {
t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err) t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err)
@ -32,7 +31,7 @@ func createTestTempDir(t *testing.T, dir, prefix string) (string, func()) {
// whose parent directories are properly cleaned up. // whose parent directories are properly cleaned up.
// When an error occurs, it terminates the test. // When an error occurs, it terminates the test.
func createTestTempSubdir(t *testing.T, dir, prefix string) string { func createTestTempSubdir(t *testing.T, dir, prefix string) string {
path, err := ioutil.TempDir(dir, prefix) path, err := os.MkdirTemp(dir, prefix)
if err != nil { if err != nil {
t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err) t.Fatalf("Error when creating directory %s with prefix %s: %s", dir, prefix, err)
@ -45,7 +44,7 @@ func createTestTempSubdir(t *testing.T, dir, prefix string) string {
// When an error occurs, it terminates the test // When an error occurs, it terminates the test
func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string { func createTestTempFile(t *testing.T, dir, filename, contents string, perm os.FileMode) string {
filePath := filepath.Join(dir, filename) filePath := filepath.Join(dir, filename)
err := ioutil.WriteFile(filePath, []byte(contents), perm) err := os.WriteFile(filePath, []byte(contents), perm)
if err != nil { if err != nil {
t.Fatalf("Error when creating %s file: %s", filename, err) t.Fatalf("Error when creating %s file: %s", filename, err)

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -58,7 +58,7 @@ func TestCheckpointCreate(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -40,7 +40,7 @@ func TestCheckpointDelete(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -43,7 +43,7 @@ func TestCheckpointList(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
} }

View file

@ -2,9 +2,9 @@
Package client is a Go client for the Docker Engine API. Package client is a Go client for the Docker Engine API.
For more information about the Engine API, see the documentation: For more information about the Engine API, see the documentation:
https://docs.docker.com/engine/reference/api/ https://docs.docker.com/engine/api/
Usage # Usage
You use the library by creating a client object and calling methods on it. The You use the library by creating a client object and calling methods on it. The
client can be created either from environment variables with NewClientWithOpts(client.FromEnv), client can be created either from environment variables with NewClientWithOpts(client.FromEnv),
@ -37,7 +37,6 @@ For example, to list running containers (the equivalent of "docker ps"):
fmt.Printf("%s %s\n", container.ID[:10], container.Image) fmt.Printf("%s %s\n", container.ID[:10], container.Image)
} }
} }
*/ */
package client // import "github.com/docker/docker/client" package client // import "github.com/docker/docker/client"
@ -57,6 +56,36 @@ import (
"github.com/pkg/errors" "github.com/pkg/errors"
) )
// DummyHost is a hostname used for local communication.
//
// It acts as a valid formatted hostname for local connections (such as "unix://"
// or "npipe://") which do not require a hostname. It should never be resolved,
// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
// and [RFC 6761, Section 6.3]).
//
// [RFC 7230, Section 5.4] defines that an empty header must be used for such
// cases:
//
// If the authority component is missing or undefined for the target URI,
// then a client MUST send a Host header field with an empty field-value.
//
// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
// allow an empty header to be used, and requires req.URL.Scheme to be either
// "http" or "https".
//
// For further details, refer to:
//
// - https://github.com/docker/engine-api/issues/189
// - https://github.com/golang/go/issues/13624
// - https://github.com/golang/go/issues/61076
// - https://github.com/moby/moby/issues/45935
//
// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
const DummyHost = "api.moby.localhost"
// ErrRedirect is the error returned by checkRedirect when the request is non-GET. // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
var ErrRedirect = errors.New("unexpected redirect in response") var ErrRedirect = errors.New("unexpected redirect in response")
@ -135,9 +164,6 @@ func NewClientWithOpts(ops ...Opt) (*Client, error) {
} }
} }
if _, ok := c.client.Transport.(http.RoundTripper); !ok {
return nil, fmt.Errorf("unable to verify TLS configuration, invalid transport %v", c.client.Transport)
}
if c.scheme == "" { if c.scheme == "" {
c.scheme = "http" c.scheme = "http"

View file

@ -3,7 +3,7 @@ package client // import "github.com/docker/docker/client"
import ( import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"io/ioutil" "io"
"net/http" "net/http"
"github.com/docker/docker/api/types" "github.com/docker/docker/api/types"
@ -37,7 +37,7 @@ func errorMock(statusCode int, message string) func(req *http.Request) (*http.Re
return &http.Response{ return &http.Response{
StatusCode: statusCode, StatusCode: statusCode,
Body: ioutil.NopCloser(bytes.NewReader(body)), Body: io.NopCloser(bytes.NewReader(body)),
Header: header, Header: header,
}, nil }, nil
} }
@ -47,7 +47,7 @@ func plainTextErrorMock(statusCode int, message string) func(req *http.Request)
return func(req *http.Request) (*http.Response, error) { return func(req *http.Request) (*http.Response, error) {
return &http.Response{ return &http.Response{
StatusCode: statusCode, StatusCode: statusCode,
Body: ioutil.NopCloser(bytes.NewReader([]byte(message))), Body: io.NopCloser(bytes.NewReader([]byte(message))),
}, nil }, nil
} }
} }

View file

@ -3,7 +3,7 @@ package client // import "github.com/docker/docker/client"
import ( import (
"bytes" "bytes"
"context" "context"
"io/ioutil" "io"
"net/http" "net/http"
"net/url" "net/url"
"os" "os"
@ -274,7 +274,7 @@ func TestNegotiateAPIVersionAutomatic(t *testing.T) {
httpClient := newMockClient(func(req *http.Request) (*http.Response, error) { httpClient := newMockClient(func(req *http.Request) (*http.Response, error) {
resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{}} resp := &http.Response{StatusCode: http.StatusOK, Header: http.Header{}}
resp.Header.Set("API-Version", pingVersion) resp.Header.Set("API-Version", pingVersion)
resp.Body = ioutil.NopCloser(strings.NewReader("OK")) resp.Body = io.NopCloser(strings.NewReader("OK"))
return resp, nil return resp, nil
}) })

View file

@ -1,3 +1,4 @@
//go:build linux || freebsd || openbsd || netbsd || darwin || solaris || illumos || dragonfly
// +build linux freebsd openbsd netbsd darwin solaris illumos dragonfly // +build linux freebsd openbsd netbsd darwin solaris illumos dragonfly
package client // import "github.com/docker/docker/client" package client // import "github.com/docker/docker/client"

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -56,7 +56,7 @@ func TestConfigCreate(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusCreated, StatusCode: http.StatusCreated,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"encoding/json" "encoding/json"
"io/ioutil" "io"
"github.com/docker/docker/api/types/swarm" "github.com/docker/docker/api/types/swarm"
) )
@ -23,7 +23,7 @@ func (cli *Client) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.C
return swarm.Config{}, nil, wrapResponseError(err, resp, "config", id) return swarm.Config{}, nil, wrapResponseError(err, resp, "config", id)
} }
body, err := ioutil.ReadAll(resp.body) body, err := io.ReadAll(resp.body)
if err != nil { if err != nil {
return swarm.Config{}, nil, err return swarm.Config{}, nil, err
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -89,7 +89,7 @@ func TestConfigInspect(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -92,7 +92,7 @@ func TestConfigList(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -49,7 +49,7 @@ func TestConfigRemove(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("body"))), Body: io.NopCloser(bytes.NewReader([]byte("body"))),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -50,7 +50,7 @@ func TestConfigUpdate(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("body"))), Body: io.NopCloser(bytes.NewReader([]byte("body"))),
}, nil }, nil
}), }),
} }

View file

@ -22,7 +22,7 @@ import (
// multiplexed. // multiplexed.
// The format of the multiplexed stream is as follows: // The format of the multiplexed stream is as follows:
// //
// [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}[]byte{OUTPUT} // [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}[]byte{OUTPUT}
// //
// STREAM_TYPE can be 1 for stdout and 2 for stderr // STREAM_TYPE can be 1 for stdout and 2 for stderr
// //

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -76,7 +76,7 @@ func TestContainerCommit(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -6,7 +6,7 @@ import (
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -40,7 +40,7 @@ func TestContainerStatPathNoHeaderError(t *testing.T) {
client: newMockClient(func(req *http.Request) (*http.Response, error) { client: newMockClient(func(req *http.Request) (*http.Response, error) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }
@ -76,7 +76,7 @@ func TestContainerStatPath(t *testing.T) {
base64PathStat := base64.StdEncoding.EncodeToString(content) base64PathStat := base64.StdEncoding.EncodeToString(content)
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
Header: http.Header{ Header: http.Header{
"X-Docker-Container-Path-Stat": []string{base64PathStat}, "X-Docker-Container-Path-Stat": []string{base64PathStat},
}, },
@ -147,7 +147,7 @@ func TestCopyToContainer(t *testing.T) {
return nil, fmt.Errorf("noOverwriteDirNonDir not set in URL query properly, expected true, got %s", noOverwriteDirNonDir) return nil, fmt.Errorf("noOverwriteDirNonDir not set in URL query properly, expected true, got %s", noOverwriteDirNonDir)
} }
content, err := ioutil.ReadAll(req.Body) content, err := io.ReadAll(req.Body)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -160,7 +160,7 @@ func TestCopyToContainer(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }
@ -208,7 +208,7 @@ func TestCopyFromContainerNoHeaderError(t *testing.T) {
client: newMockClient(func(req *http.Request) (*http.Response, error) { client: newMockClient(func(req *http.Request) (*http.Response, error) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }
@ -246,7 +246,7 @@ func TestCopyFromContainer(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("content"))), Body: io.NopCloser(bytes.NewReader([]byte("content"))),
Header: http.Header{ Header: http.Header{
"X-Docker-Container-Path-Stat": []string{base64PathStat}, "X-Docker-Container-Path-Stat": []string{base64PathStat},
}, },
@ -263,7 +263,7 @@ func TestCopyFromContainer(t *testing.T) {
if stat.Mode != 0700 { if stat.Mode != 0700 {
t.Fatalf("expected container path stat mode to be 0700, got '%v'", stat.Mode) t.Fatalf("expected container path stat mode to be 0700, got '%v'", stat.Mode)
} }
content, err := ioutil.ReadAll(r) content, err := io.ReadAll(r)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View file

@ -4,8 +4,8 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"net/url" "net/url"
"path"
"github.com/containerd/containerd/platforms"
"github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/network" "github.com/docker/docker/api/types/network"
"github.com/docker/docker/api/types/versions" "github.com/docker/docker/api/types/versions"
@ -16,7 +16,6 @@ type configWrapper struct {
*container.Config *container.Config
HostConfig *container.HostConfig HostConfig *container.HostConfig
NetworkingConfig *network.NetworkingConfig NetworkingConfig *network.NetworkingConfig
Platform *specs.Platform
} }
// ContainerCreate creates a new container based in the given configuration. // ContainerCreate creates a new container based in the given configuration.
@ -38,8 +37,8 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
} }
query := url.Values{} query := url.Values{}
if platform != nil { if p := formatPlatform(platform); p != "" {
query.Set("platform", platforms.Format(*platform)) query.Set("platform", p)
} }
if containerName != "" { if containerName != "" {
@ -61,3 +60,15 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
err = json.NewDecoder(serverResp.body).Decode(&response) err = json.NewDecoder(serverResp.body).Decode(&response)
return response, err return response, err
} }
// formatPlatform returns a formatted string representing platform (e.g. linux/arm/v7).
//
// Similar to containerd's platforms.Format(), but does allow components to be
// omitted (e.g. pass "architecture" only, without "os":
// https://github.com/containerd/containerd/blob/v1.5.2/platforms/platforms.go#L243-L263
func formatPlatform(platform *specs.Platform) string {
if platform == nil {
return ""
}
return path.Join(platform.OS, platform.Architecture, platform.Variant)
}

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -62,7 +62,7 @@ func TestContainerCreateWithName(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }
@ -97,7 +97,7 @@ func TestContainerCreateAutoRemove(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
} }
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -46,7 +46,7 @@ func TestContainerDiff(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -53,7 +53,7 @@ func TestContainerExecCreate(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }
@ -99,7 +99,7 @@ func TestContainerExecStart(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }
@ -139,7 +139,7 @@ func TestContainerExecInspect(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -32,7 +32,7 @@ func TestContainerExport(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("response"))), Body: io.NopCloser(bytes.NewReader([]byte("response"))),
}, nil }, nil
}), }),
} }
@ -41,7 +41,7 @@ func TestContainerExport(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
defer body.Close() defer body.Close()
content, err := ioutil.ReadAll(body) content, err := io.ReadAll(body)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"encoding/json" "encoding/json"
"io/ioutil" "io"
"net/url" "net/url"
"github.com/docker/docker/api/types" "github.com/docker/docker/api/types"
@ -41,7 +41,7 @@ func (cli *Client) ContainerInspectWithRaw(ctx context.Context, containerID stri
return types.ContainerJSON{}, nil, wrapResponseError(err, serverResp, "container", containerID) return types.ContainerJSON{}, nil, wrapResponseError(err, serverResp, "container", containerID)
} }
body, err := ioutil.ReadAll(serverResp.body) body, err := io.ReadAll(serverResp.body)
if err != nil { if err != nil {
return types.ContainerJSON{}, nil, err return types.ContainerJSON{}, nil, err
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -68,7 +68,7 @@ func TestContainerInspect(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
} }
@ -110,7 +110,7 @@ func TestContainerInspectNode(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -35,7 +35,7 @@ func TestContainerKill(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -73,7 +73,7 @@ func TestContainerList(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -24,7 +24,7 @@ import (
// multiplexed. // multiplexed.
// The format of the multiplexed stream is as follows: // The format of the multiplexed stream is as follows:
// //
// [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}[]byte{OUTPUT} // [8]byte{STREAM_TYPE, 0, 0, 0, SIZE1, SIZE2, SIZE3, SIZE4}[]byte{OUTPUT}
// //
// STREAM_TYPE can be 1 for stdout and 2 for stderr // STREAM_TYPE can be 1 for stdout and 2 for stderr
// //

View file

@ -5,7 +5,6 @@ import (
"context" "context"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"log" "log"
"net/http" "net/http"
"os" "os"
@ -135,7 +134,7 @@ func TestContainerLogs(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("response"))), Body: io.NopCloser(bytes.NewReader([]byte("response"))),
}, nil }, nil
}), }),
} }
@ -146,7 +145,7 @@ func TestContainerLogs(t *testing.T) {
} }
assert.NilError(t, err) assert.NilError(t, err)
defer body.Close() defer body.Close()
content, err := ioutil.ReadAll(body) content, err := io.ReadAll(body)
assert.NilError(t, err) assert.NilError(t, err)
assert.Check(t, is.Contains(string(content), "response")) assert.Check(t, is.Contains(string(content), "response"))
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -31,7 +31,7 @@ func TestContainerPause(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -114,7 +114,7 @@ func TestContainersPrune(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
version: "1.25", version: "1.25",

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -56,7 +56,7 @@ func TestContainerRemove(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -35,7 +35,7 @@ func TestContainerRename(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -77,7 +77,7 @@ func resizeTransport(expectedURL string) func(req *http.Request) (*http.Response
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
} }
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -37,7 +37,7 @@ func TestContainerRestart(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -46,7 +46,7 @@ func TestContainerStart(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -51,7 +51,7 @@ func TestContainerStats(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("response"))), Body: io.NopCloser(bytes.NewReader([]byte("response"))),
}, nil }, nil
}), }),
} }
@ -60,7 +60,7 @@ func TestContainerStats(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
defer resp.Body.Close() defer resp.Body.Close()
content, err := ioutil.ReadAll(resp.Body) content, err := io.ReadAll(resp.Body)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -37,7 +37,7 @@ func TestContainerStop(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"reflect" "reflect"
"strings" "strings"
@ -57,7 +57,7 @@ func TestContainerTop(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -31,7 +31,7 @@ func TestContainerUnpause(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte(""))), Body: io.NopCloser(bytes.NewReader([]byte(""))),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -40,7 +40,7 @@ func TestContainerUpdate(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"log" "log"
"net/http" "net/http"
"strings" "strings"
@ -46,7 +46,7 @@ func TestContainerWait(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -46,7 +46,7 @@ func TestDiskUsage(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -6,7 +6,6 @@ import (
"encoding/json" "encoding/json"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -138,7 +137,7 @@ func TestEvents(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(buffer), Body: io.NopCloser(buffer),
}, nil }, nil
}), }),
} }

View file

@ -62,7 +62,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
} }
func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) { func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, error) {
req.Host = cli.addr req.URL.Host = cli.addr
if cli.proto == "unix" || cli.proto == "npipe" {
// Override host header for non-tcp connections.
req.Host = DummyHost
}
req.Header.Set("Connection", "Upgrade") req.Header.Set("Connection", "Upgrade")
req.Header.Set("Upgrade", proto) req.Header.Set("Upgrade", proto)

View file

@ -3,7 +3,7 @@ package client
import ( import (
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net" "net"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
@ -92,7 +92,7 @@ func TestTLSCloseWriter(t *testing.T) {
_, err = resp.Conn.Write([]byte("hello")) _, err = resp.Conn.Write([]byte("hello"))
assert.NilError(t, err) assert.NilError(t, err)
b, err := ioutil.ReadAll(resp.Reader) b, err := io.ReadAll(resp.Reader)
assert.NilError(t, err) assert.NilError(t, err)
assert.Assert(t, string(b) == "hello") assert.Assert(t, string(b) == "hello")
assert.Assert(t, resp.CloseWrite()) assert.Assert(t, resp.CloseWrite())

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"reflect" "reflect"
"strings" "strings"
@ -195,7 +195,7 @@ func TestImageBuild(t *testing.T) {
headers.Add("Server", "Docker/v1.23 (MyOS)") headers.Add("Server", "Docker/v1.23 (MyOS)")
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("body"))), Body: io.NopCloser(bytes.NewReader([]byte("body"))),
Header: headers, Header: headers,
}, nil }, nil
}), }),
@ -207,7 +207,7 @@ func TestImageBuild(t *testing.T) {
if buildResponse.OSType != "MyOS" { if buildResponse.OSType != "MyOS" {
t.Fatalf("expected OSType to be 'MyOS', got %s", buildResponse.OSType) t.Fatalf("expected OSType to be 'MyOS', got %s", buildResponse.OSType)
} }
response, err := ioutil.ReadAll(buildResponse.Body) response, err := io.ReadAll(buildResponse.Body)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -52,7 +52,7 @@ func TestImageCreate(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("body"))), Body: io.NopCloser(bytes.NewReader([]byte("body"))),
}, nil }, nil
}), }),
} }
@ -63,7 +63,7 @@ func TestImageCreate(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
response, err := ioutil.ReadAll(createResponse) response, err := io.ReadAll(createResponse)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"strings" "strings"
"testing" "testing"
@ -47,7 +47,7 @@ func TestImageHistory(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(b)), Body: io.NopCloser(bytes.NewReader(b)),
}, nil }, nil
}), }),
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"reflect" "reflect"
"strings" "strings"
@ -56,7 +56,7 @@ func TestImageImport(t *testing.T) {
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader([]byte("response"))), Body: io.NopCloser(bytes.NewReader([]byte("response"))),
}, nil }, nil
}), }),
} }
@ -71,7 +71,7 @@ func TestImageImport(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
response, err := ioutil.ReadAll(importResponse) response, err := io.ReadAll(importResponse)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }

View file

@ -4,7 +4,7 @@ import (
"bytes" "bytes"
"context" "context"
"encoding/json" "encoding/json"
"io/ioutil" "io"
"github.com/docker/docker/api/types" "github.com/docker/docker/api/types"
) )
@ -20,7 +20,7 @@ func (cli *Client) ImageInspectWithRaw(ctx context.Context, imageID string) (typ
return types.ImageInspect{}, nil, wrapResponseError(err, serverResp, "image", imageID) return types.ImageInspect{}, nil, wrapResponseError(err, serverResp, "image", imageID)
} }
body, err := ioutil.ReadAll(serverResp.body) body, err := io.ReadAll(serverResp.body)
if err != nil { if err != nil {
return types.ImageInspect{}, nil, err return types.ImageInspect{}, nil, err
} }

View file

@ -5,7 +5,7 @@ import (
"context" "context"
"encoding/json" "encoding/json"
"fmt" "fmt"
"io/ioutil" "io"
"net/http" "net/http"
"reflect" "reflect"
"strings" "strings"
@ -67,7 +67,7 @@ func TestImageInspect(t *testing.T) {
} }
return &http.Response{ return &http.Response{
StatusCode: http.StatusOK, StatusCode: http.StatusOK,
Body: ioutil.NopCloser(bytes.NewReader(content)), Body: io.NopCloser(bytes.NewReader(content)),
}, nil }, nil
}), }),
} }

Some files were not shown because too many files have changed in this diff Show more