c41121cc48
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template package, as well as bug fixes to the compiler, the go command, the runtime, and the crypto/tls, go/types, net/http, and path/filepath packages. See the Go 1.20.8 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8 From the security mailing: [security] Go 1.21.1 and Go 1.20.8 are released Hello gophers, We have just released Go versions 1.21.1 and 1.20.8, minor point releases. These minor releases include 4 security fixes following the security policy: - cmd/go: go.mod toolchain directive allows arbitrary execution The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to execute scripts and binaries relative to the root of the module when the "go" command was executed within the module. This applies to modules downloaded using the "go" command from the module proxy, as well as modules downloaded directly using VCS software. Thanks to Juho Nurminen of Mattermost for reporting this issue. This is CVE-2023-39320 and Go issue https://go.dev/issue/62198. - html/template: improper handling of HTML-like comments within script contexts The html/template package did not properly handle HMTL-like "<!--" and "-->" comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may cause the template parser to improperly interpret the contents of <script> contexts, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39318 and Go issue https://go.dev/issue/62196. - html/template: improper handling of special tags within script contexts The html/template package did not apply the proper rules for handling occurrences of "<script", "<!--", and "</script" within JS literals in <script> contexts. This may cause the template parser to improperly consider script contexts to be terminated early, causing actions to be improperly escaped. This could be leveraged to perform an XSS attack. Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue. This is CVE-2023-39319 and Go issue https://go.dev/issue/62197. - crypto/tls: panic when processing post-handshake message on QUIC connections Processing an incomplete post-handshake message for a QUIC connection caused a panic. Thanks to Marten Seemann for reporting this issue. This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
313 lines
13 KiB
Docker
313 lines
13 KiB
Docker
# escape=`
|
|
|
|
# -----------------------------------------------------------------------------------------
|
|
# This file describes the standard way to build Docker in a container on Windows
|
|
# Server 2016 or Windows 10.
|
|
#
|
|
# Maintainer: @jhowardmsft
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# Prerequisites:
|
|
# --------------
|
|
#
|
|
# 1. Windows Server 2016 or Windows 10 with all Windows updates applied. The major
|
|
# build number must be at least 14393. This can be confirmed, for example, by
|
|
# running the following from an elevated PowerShell prompt - this sample output
|
|
# is from a fully up to date machine as at mid-November 2016:
|
|
#
|
|
# >> PS C:\> $(gin).WindowsBuildLabEx
|
|
# >> 14393.447.amd64fre.rs1_release_inmarket.161102-0100
|
|
#
|
|
# 2. Git for Windows (or another git client) must be installed. https://git-scm.com/download/win.
|
|
#
|
|
# 3. The machine must be configured to run containers. For example, by following
|
|
# the quick start guidance at https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start or
|
|
# https://github.com/docker/labs/blob/master/windows/windows-containers/Setup.md
|
|
#
|
|
# 4. If building in a Hyper-V VM: For Windows Server 2016 using Windows Server
|
|
# containers as the default option, it is recommended you have at least 1GB
|
|
# of memory assigned; For Windows 10 where Hyper-V Containers are employed, you
|
|
# should have at least 4GB of memory assigned. Note also, to run Hyper-V
|
|
# containers in a VM, it is necessary to configure the VM for nested virtualization.
|
|
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# Usage:
|
|
# -----
|
|
#
|
|
# The following steps should be run from an (elevated*) Windows PowerShell prompt.
|
|
#
|
|
# (*In a default installation of containers on Windows following the quick-start guidance at
|
|
# https://msdn.microsoft.com/en-us/virtualization/windowscontainers/quick_start/quick_start,
|
|
# the docker.exe client must run elevated to be able to connect to the daemon).
|
|
#
|
|
# 1. Clone the sources from github.com:
|
|
#
|
|
# >> git clone https://github.com/docker/docker.git C:\gopath\src\github.com\docker\docker
|
|
# >> Cloning into 'C:\gopath\src\github.com\docker\docker'...
|
|
# >> remote: Counting objects: 186216, done.
|
|
# >> remote: Compressing objects: 100% (21/21), done.
|
|
# >> remote: Total 186216 (delta 5), reused 0 (delta 0), pack-reused 186195
|
|
# >> Receiving objects: 100% (186216/186216), 104.32 MiB | 8.18 MiB/s, done.
|
|
# >> Resolving deltas: 100% (123139/123139), done.
|
|
# >> Checking connectivity... done.
|
|
# >> Checking out files: 100% (3912/3912), done.
|
|
# >> PS C:\>
|
|
#
|
|
#
|
|
# 2. Change directory to the cloned docker sources:
|
|
#
|
|
# >> cd C:\gopath\src\github.com\docker\docker
|
|
#
|
|
#
|
|
# 3. Build a docker image with the components required to build the docker binaries from source
|
|
# by running one of the following:
|
|
#
|
|
# >> docker build -t nativebuildimage -f Dockerfile.windows .
|
|
# >> docker build -t nativebuildimage -f Dockerfile.windows -m 2GB . (if using Hyper-V containers)
|
|
#
|
|
#
|
|
# 4. Build the docker executable binaries by running one of the following:
|
|
#
|
|
# >> $DOCKER_GITCOMMIT=(git rev-parse --short HEAD)
|
|
# >> docker run --name binaries -e DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT nativebuildimage hack\make.ps1 -Binary
|
|
# >> docker run --name binaries -e DOCKER_GITCOMMIT=$DOCKER_GITCOMMIT -m 2GB nativebuildimage hack\make.ps1 -Binary (if using Hyper-V containers)
|
|
#
|
|
#
|
|
# 5. Copy the binaries out of the container, replacing HostPath with an appropriate destination
|
|
# folder on the host system where you want the binaries to be located.
|
|
#
|
|
# >> docker cp binaries:C:\gopath\src\github.com\docker\docker\bundles\docker.exe C:\HostPath\docker.exe
|
|
# >> docker cp binaries:C:\gopath\src\github.com\docker\docker\bundles\dockerd.exe C:\HostPath\dockerd.exe
|
|
#
|
|
#
|
|
# 6. (Optional) Remove the interim container holding the built executable binaries:
|
|
#
|
|
# >> docker rm binaries
|
|
#
|
|
#
|
|
# 7. (Optional) Remove the image used for the container in which the executable
|
|
# binaries are build. Tip - it may be useful to keep this image around if you need to
|
|
# build multiple times. Then you can take advantage of the builder cache to have an
|
|
# image which has all the components required to build the binaries already installed.
|
|
#
|
|
# >> docker rmi nativebuildimage
|
|
#
|
|
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# The validation tests can only run directly on the host. This is because they calculate
|
|
# information from the git repo, but the .git directory is not passed into the image as
|
|
# it is excluded via .dockerignore. Run the following from a Windows PowerShell prompt
|
|
# (elevation is not required): (Note Go must be installed to run these tests)
|
|
#
|
|
# >> hack\make.ps1 -DCO -PkgImports -GoFormat
|
|
|
|
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# To run unit tests, ensure you have created the nativebuildimage above. Then run one of
|
|
# the following from an (elevated) Windows PowerShell prompt:
|
|
#
|
|
# >> docker run --rm nativebuildimage hack\make.ps1 -TestUnit
|
|
# >> docker run --rm -m 2GB nativebuildimage hack\make.ps1 -TestUnit (if using Hyper-V containers)
|
|
|
|
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# To run unit tests and binary build, ensure you have created the nativebuildimage above. Then
|
|
# run one of the following from an (elevated) Windows PowerShell prompt:
|
|
#
|
|
# >> docker run nativebuildimage hack\make.ps1 -All
|
|
# >> docker run -m 2GB nativebuildimage hack\make.ps1 -All (if using Hyper-V containers)
|
|
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# Important notes:
|
|
# ---------------
|
|
#
|
|
# Don't attempt to use a bind mount to pass a local directory as the bundles target
|
|
# directory. It does not work (golang attempts for follow a mapped folder incorrectly).
|
|
# Instead, use docker cp as per the example.
|
|
#
|
|
# go.zip is not removed from the image as it is used by the Windows CI servers
|
|
# to ensure the host and image are running consistent versions of go.
|
|
#
|
|
# Nanoserver support is a work in progress. Although the image will build if the
|
|
# FROM statement is updated, it will not work when running autogen through hack\make.ps1.
|
|
# It is suspected that the required GCC utilities (eg gcc, windres, windmc) silently
|
|
# quit due to the use of console hooks which are not available.
|
|
#
|
|
# The docker integration tests do not currently run in a container on Windows, predominantly
|
|
# due to Windows not supporting privileged mode, so anything using a volume would fail.
|
|
# They (along with the rest of the docker CI suite) can be run using
|
|
# https://github.com/kevpar/docker-w2wCIScripts/blob/master/runCI/Invoke-DockerCI.ps1.
|
|
#
|
|
# -----------------------------------------------------------------------------------------
|
|
|
|
|
|
# The number of build steps below are explicitly minimised to improve performance.
|
|
|
|
ARG WINDOWS_BASE_IMAGE=mcr.microsoft.com/windows/servercore
|
|
ARG WINDOWS_BASE_IMAGE_TAG=ltsc2022
|
|
FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
|
|
|
|
# Use PowerShell as the default shell
|
|
SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
|
|
|
|
ARG GO_VERSION=1.20.8
|
|
ARG GOTESTSUM_VERSION=v1.8.2
|
|
ARG GOWINRES_VERSION=v0.3.0
|
|
ARG CONTAINERD_VERSION=v1.7.3
|
|
|
|
# Environment variable notes:
|
|
# - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
|
|
# - CONTAINERD_VERSION must be consistent with 'hack/dockerfile/install/containerd.installer' used by Linux.
|
|
# - FROM_DOCKERFILE is used for detection of building within a container.
|
|
ENV GO_VERSION=${GO_VERSION} `
|
|
CONTAINERD_VERSION=${CONTAINERD_VERSION} `
|
|
GIT_VERSION=2.11.1 `
|
|
GOPATH=C:\gopath `
|
|
GO111MODULE=off `
|
|
FROM_DOCKERFILE=1 `
|
|
GOTESTSUM_VERSION=${GOTESTSUM_VERSION} `
|
|
GOWINRES_VERSION=${GOWINRES_VERSION}
|
|
|
|
RUN `
|
|
Function Test-Nano() { `
|
|
$EditionId = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name 'EditionID').EditionId; `
|
|
return (($EditionId -eq 'ServerStandardNano') -or ($EditionId -eq 'ServerDataCenterNano') -or ($EditionId -eq 'NanoServer')); `
|
|
}`
|
|
`
|
|
Function Download-File([string] $source, [string] $target) { `
|
|
if (Test-Nano) { `
|
|
$handler = New-Object System.Net.Http.HttpClientHandler; `
|
|
$client = New-Object System.Net.Http.HttpClient($handler); `
|
|
$client.Timeout = New-Object System.TimeSpan(0, 30, 0); `
|
|
$cancelTokenSource = [System.Threading.CancellationTokenSource]::new(); `
|
|
$responseMsg = $client.GetAsync([System.Uri]::new($source), $cancelTokenSource.Token); `
|
|
$responseMsg.Wait(); `
|
|
if (!$responseMsg.IsCanceled) { `
|
|
$response = $responseMsg.Result; `
|
|
if ($response.IsSuccessStatusCode) { `
|
|
$downloadedFileStream = [System.IO.FileStream]::new($target, [System.IO.FileMode]::Create, [System.IO.FileAccess]::Write); `
|
|
$copyStreamOp = $response.Content.CopyToAsync($downloadedFileStream); `
|
|
$copyStreamOp.Wait(); `
|
|
$downloadedFileStream.Close(); `
|
|
if ($copyStreamOp.Exception -ne $null) { throw $copyStreamOp.Exception } `
|
|
} `
|
|
} else { `
|
|
Throw ("Failed to download " + $source) `
|
|
}`
|
|
} else { `
|
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; `
|
|
$webClient = New-Object System.Net.WebClient; `
|
|
$webClient.DownloadFile($source, $target); `
|
|
} `
|
|
} `
|
|
`
|
|
setx /M PATH $('C:\git\cmd;C:\git\usr\bin;'+$Env:PATH+';C:\gcc\bin;C:\go\bin;C:\containerd\bin'); `
|
|
`
|
|
Write-Host INFO: Downloading git...; `
|
|
$location='https://www.nuget.org/api/v2/package/GitForWindows/'+$Env:GIT_VERSION; `
|
|
Download-File $location C:\gitsetup.zip; `
|
|
`
|
|
Write-Host INFO: Downloading go...; `
|
|
$dlGoVersion=$Env:GO_VERSION -replace '\.0$',''; `
|
|
Download-File "https://go.dev/dl/go${dlGoVersion}.windows-amd64.zip" C:\go.zip; `
|
|
`
|
|
Write-Host INFO: Downloading compiler 1 of 3...; `
|
|
Download-File https://raw.githubusercontent.com/moby/docker-tdmgcc/master/gcc.zip C:\gcc.zip; `
|
|
`
|
|
Write-Host INFO: Downloading compiler 2 of 3...; `
|
|
Download-File https://raw.githubusercontent.com/moby/docker-tdmgcc/master/runtime.zip C:\runtime.zip; `
|
|
`
|
|
Write-Host INFO: Downloading compiler 3 of 3...; `
|
|
Download-File https://raw.githubusercontent.com/moby/docker-tdmgcc/master/binutils.zip C:\binutils.zip; `
|
|
`
|
|
Write-Host INFO: Extracting git...; `
|
|
Expand-Archive C:\gitsetup.zip C:\git-tmp; `
|
|
New-Item -Type Directory C:\git | Out-Null; `
|
|
Move-Item C:\git-tmp\tools\* C:\git\.; `
|
|
Remove-Item -Recurse -Force C:\git-tmp; `
|
|
`
|
|
Write-Host INFO: Expanding go...; `
|
|
Expand-Archive C:\go.zip -DestinationPath C:\; `
|
|
`
|
|
Write-Host INFO: Expanding compiler 1 of 3...; `
|
|
Expand-Archive C:\gcc.zip -DestinationPath C:\gcc -Force; `
|
|
Write-Host INFO: Expanding compiler 2 of 3...; `
|
|
Expand-Archive C:\runtime.zip -DestinationPath C:\gcc -Force; `
|
|
Write-Host INFO: Expanding compiler 3 of 3...; `
|
|
Expand-Archive C:\binutils.zip -DestinationPath C:\gcc -Force; `
|
|
`
|
|
Write-Host INFO: Removing downloaded files...; `
|
|
Remove-Item C:\gcc.zip; `
|
|
Remove-Item C:\runtime.zip; `
|
|
Remove-Item C:\binutils.zip; `
|
|
Remove-Item C:\gitsetup.zip; `
|
|
`
|
|
Write-Host INFO: Downloading containerd; `
|
|
Install-Package -Force 7Zip4PowerShell; `
|
|
$location='https://github.com/containerd/containerd/releases/download/'+$Env:CONTAINERD_VERSION+'/containerd-'+$Env:CONTAINERD_VERSION.TrimStart('v')+'-windows-amd64.tar.gz'; `
|
|
Download-File $location C:\containerd.tar.gz; `
|
|
New-Item -Path C:\containerd -ItemType Directory; `
|
|
Expand-7Zip C:\containerd.tar.gz C:\; `
|
|
Expand-7Zip C:\containerd.tar C:\containerd; `
|
|
Remove-Item C:\containerd.tar.gz; `
|
|
Remove-Item C:\containerd.tar; `
|
|
`
|
|
# Ensure all directories exist that we will require below....
|
|
$srcDir = """$Env:GOPATH`\src\github.com\docker\docker\bundles"""; `
|
|
Write-Host INFO: Ensuring existence of directory $srcDir...; `
|
|
New-Item -Force -ItemType Directory -Path $srcDir | Out-Null; `
|
|
`
|
|
Write-Host INFO: Configuring git core.autocrlf...; `
|
|
C:\git\cmd\git config --global core.autocrlf true;
|
|
|
|
RUN `
|
|
Function Install-GoTestSum() { `
|
|
$Env:GO111MODULE = 'on'; `
|
|
$tmpGobin = "${Env:GOBIN_TMP}"; `
|
|
$Env:GOBIN = """${Env:GOPATH}`\bin"""; `
|
|
Write-Host "INFO: Installing gotestsum version $Env:GOTESTSUM_VERSION in $Env:GOBIN"; `
|
|
&go install "gotest.tools/gotestsum@${Env:GOTESTSUM_VERSION}"; `
|
|
$Env:GOBIN = "${tmpGobin}"; `
|
|
$Env:GO111MODULE = 'off'; `
|
|
if ($LASTEXITCODE -ne 0) { `
|
|
Throw '"gotestsum install failed..."'; `
|
|
} `
|
|
} `
|
|
`
|
|
Install-GoTestSum
|
|
|
|
RUN `
|
|
Function Install-GoWinres() { `
|
|
$Env:GO111MODULE = 'on'; `
|
|
$tmpGobin = "${Env:GOBIN_TMP}"; `
|
|
$Env:GOBIN = """${Env:GOPATH}`\bin"""; `
|
|
Write-Host "INFO: Installing go-winres version $Env:GOWINRES_VERSION in $Env:GOBIN"; `
|
|
&go install "github.com/tc-hib/go-winres@${Env:GOWINRES_VERSION}"; `
|
|
$Env:GOBIN = "${tmpGobin}"; `
|
|
$Env:GO111MODULE = 'off'; `
|
|
if ($LASTEXITCODE -ne 0) { `
|
|
Throw '"go-winres install failed..."'; `
|
|
} `
|
|
} `
|
|
`
|
|
Install-GoWinres
|
|
|
|
# Make PowerShell the default entrypoint
|
|
ENTRYPOINT ["powershell.exe"]
|
|
|
|
# Set the working directory to the location of the sources
|
|
WORKDIR ${GOPATH}\src\github.com\docker\docker
|
|
|
|
# Copy the sources into the container
|
|
COPY . .
|