Commit Graph

3079 Commits

Author SHA1 Message Date
Sebastiaan van Stijn
ec5c9e06e3 Dockerfile: update runc binary to v1.2.3
This is the third patch release of the 1.2.z release branch of runc. It
primarily fixes some minor regressions introduced in 1.2.0.

- Fixed a regression in use of securejoin.MkdirAll, where multiple
  runc processes racing to create the same mountpoint in a shared rootfs
  would result in spurious EEXIST errors. In particular, this regression
  caused issues with BuildKit.
- Fixed a regression in eBPF support for pre-5.6 kernels after upgrading
  Cilium's eBPF library version to 0.16 in runc.

full diff: https://github.com/opencontainers/runc/compare/v1.2.2...v1.2.3
release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-12-11 21:52:50 +01:00
Rob Murray
4b8c72060d Merge pull request #49038 from robmry/modprobeless
Try to load kernel modules, without modprobe
2024-12-06 14:08:17 +00:00
Rob Murray
2af19b6b7c Don't try to modprobe ip6_tables in the moby dev container
dockerd will now do this itself, if ip6tables is enabled.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-12-06 10:27:24 +00:00
Sebastiaan van Stijn
52d7e407b7 update to go1.23.4
go1.23.4 (released 2024-12-03) includes fixes to the compiler, the runtime,
the trace command, and the syscall package. See the Go 1.23.4 milestone on
our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.23.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.3...go1.23.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-12-04 10:02:48 +01:00
Sebastiaan van Stijn
8d4d6c8ae6 Merge pull request #48918 from austinvazquez/update-containerd-v1.7.24-in-ci
Dockerfile: update containerd v1.7.24
2024-11-21 18:54:30 +01:00
Austin Vazquez
8cecf3a71c Dockerfile: update containerd to v1.7.24
Signed-off-by: Austin Vazquez <macedonv@amazon.com>
2024-11-21 15:20:52 +00:00
Sebastiaan van Stijn
e257856116 Dockerfile: update to runc v1.2.2
- 1.2.2 release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.2
- 1.2.1 release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.1
- 1.2.0 release notes: https://github.com/opencontainers/runc/releases/tag/v1.2.0

Breaking changes and deprecations are included below;

Breaking changes:

Several aspects of how mount options work has been adjusted in a way that
could theoretically break users that have very strange mount option strings.
This was necessary to fix glaring issues in how mount options were being
treated. The key changes are:

- Mount options on bind-mounts that clear a mount flag are now always
  applied. Previously, if a user requested a bind-mount with only clearing
  options (such as rw,exec,dev) the options would be ignored and the
  original bind-mount options would be set. Unfortunately this also means
  that container configurations which specified only clearing mount options
  will now actually get what they asked for, which could break existing
  containers (though it seems unlikely that a user who requested a specific
  mount option would consider it "broken" to get the mount options they
  asked foruser who requested a specific mount option would consider it
  "broken" to get the mount options they asked for). This also allows us to
  silently add locked mount flags the user did not explicitly request to be
  cleared in rootless mode, allowing for easier use of bind-mounts for
  rootless containers.
- Container configurations using bind-mounts with superblock mount flags
  (i.e. filesystem-specific mount flags, referred to as "data" in
  mount(2), as opposed to VFS generic mount flags like MS_NODEV) will
  now return an error. This is because superblock mount flags will also
  affect the host mount (as the superblock is shared when bind-mounting),
  which is obviously not acceptable. Previously, these flags were silently
  ignored so this change simply tells users that runc cannot fulfil their
  request rather than just ignoring it.

Deprecated

- runc option --criu is now ignored (with a warning), and the option will
  be removed entirely in a future release. Users who need a non-standard
  criu binary should rely on the standard way of looking up binaries in
  $PATH.
- runc kill option -a is now deprecated. Previously, it had to be specified
  to kill a container (with SIGKILL) which does not have its own private PID
  namespace (so that runc would send SIGKILL to all processes). Now, this is
  done automatically.
- github.com/opencontainers/runc/libcontainer/user is now deprecated, please
  use github.com/moby/sys/user instead. It will be removed in a future
  release.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-11-19 15:16:30 +01:00
Sebastiaan van Stijn
a2f7293405 Merge pull request #48860 from vvoland/hack-features-c8d
hack: Add explicit containerd feature to `daemon.json`
2024-11-13 22:21:42 +01:00
Paweł Gronowski
fc590032f3 hack: Add explicit containerd feature to daemon.json
While it's still turned off by default, it's easier to just flip the
`false` to `true` inside the devcontainer.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-11-13 14:45:01 +01:00
Sebastiaan van Stijn
ae21b3c8ac Merge pull request #48756 from akerouanton/reduce-number-of-firewalld-jobs
ci: re-add firewalld jobs
2024-11-12 15:34:57 +01:00
Paweł Gronowski
20818454c4 update to go1.23.3
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.3+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.23.2...go1.23.3

go1.23.3 (released 2024-11-06) includes fixes to the linker, the
runtime, and the net/http, os, and syscall packages. See the Go 1.23.3
milestone on our issue tracker for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-11-07 13:22:47 +01:00
Albin Kerouanton
816dbbfddc ci: re-enable firewalld jobs
Commit 4e567e16 added firewalld to the test matrix for various CI jobs
(namely unit, integration and integration-cli).

Commit 2807c0c2 reverted that commit as it was putting too much load on
GHA cache, and thus it was returning 429 more frequently, so builds had
a greater chance of spending time building everything from scratch. This
was slowing down our CI even more than what it was before.

This new commit re-adds firewalld to the test matrix of unit,
integration and integration-cli jobs. Unlike 4e567e16, not all
combinations of OS, storage and 'mode' will be tested. Instead,
firewalld jobs will run only on ubuntu-22.04, and with the containerd
snapshotter.

Also, the revert commit mistakenly reverted a fix that was originally
intended for commit 8883db20, but was actually 'fixed up' in the wrong
commit. Let's re-revert that too.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-31 18:01:37 +01:00
Paweł Gronowski
b08bc5df85 Merge pull request #47553 from vvoland/testing-libnetwork-rerun-flaky
hack/unit: Rerun failed flaky libnetwork tests
2024-10-30 10:21:08 +00:00
Albin Kerouanton
2807c0c2d2 Revert "ci: run integration tests with firewalld enabled"
Temporarily remove firewallds jobs. These are actually not running
firewalld due to a typo in GHA definitions. Moreover, these new jobs
are putting too much load on the CI, causing GHA cache backend to return
429 for many jobs. This slows down build jobs (as they can't use
existing cache), and at least one buildkit test is now failing.

This reverts commit 4e567e1622.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-28 18:24:14 +01:00
Akihiro Suda
1bb5f8bb67 update to go1.23.2
vendor.mod still allows go1.22.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-22 00:04:58 +09:00
Albin Kerouanton
4e567e1622 ci: run integration tests with firewalld enabled
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-15 12:54:51 +02:00
Albin Kerouanton
8883db20c5 hack: run firewalld when $DOCKER_FIREWALLD is set
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-15 12:52:25 +02:00
Sebastiaan van Stijn
36549fb56e vendor: golang.org/x/mod v0.21.0
full diff: https://github.com/golang/mod/compare/v0.20.0...v0.21.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-10 02:35:59 +02:00
Sebastiaan van Stijn
6b7565ba40 vendor: go.etcd.io/bbolt v1.3.11
BoltDB

- Fix the freelist.allocs isn't rollbacked when a tx is rollbacked.

CMD

- Add -gobench-output option for bench command to adapt to benchstat.

Other

- Bump go version to 1.22.x.
- This patch also added dmflakey package, which can be reused by other projects. See #812.

full diff: https://github.com/etcd-io/bbolt/compare/v1.3.10...v1.3.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-10 02:35:08 +02:00
Sebastiaan van Stijn
ca4c68ab95 update to go1.22.8
go1.22.8 (released 2024-10-01) includes fixes to cgo, and the maps and syscall
packages. See the Go 1.22.8 milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.22.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.7...go1.22.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-03 13:12:30 +02:00
Laura Brehm
4babd72186 tests: skip docker-py exec exit code test
Temporarily skip the exec run failed exit code test in `docker-py` –
a3652028b1/tests/integration/models_containers_test.py (L356-L363)

We can reenable this after the PR fixing the expected exit code in that
test is merged/released/included – https://github.com/docker/docker-py/pull/3290

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-09-27 15:43:43 +01:00
Akihiro Suda
43036f350a Dockerfile: update RootlessKit to v2.3.1
https://github.com/rootless-containers/rootlesskit/compare/v2.0.2...v2.3.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-09-11 04:35:59 +09:00
Sebastiaan van Stijn
92195c1333 Dockerfile: update containerd binary to v1.7.22
Update the containerd binary that's used in CI and static binaries

- Update to go1.22.7, go1.23.1
- CRI: Cumulative stats can't decrease
- Fix bug where init exits were being dropped
- Update runc binary to 1.1.14

- diff: https://github.com/containerd/containerd/compare/v1.7.21...v1.7.22
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.22

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-10 10:44:44 +02:00
Paweł Gronowski
a2e14dd8bd update to go1.22.7
- https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.6...go1.22.7

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-09-05 17:47:03 +02:00
Sebastiaan van Stijn
fa734fe3d2 Merge pull request #48421 from thaJeztah/make_update_link
hack/make/.binary: enable pie mode on windows/arm64
2024-09-03 23:08:17 +02:00
Sebastiaan van Stijn
2189aa2426 update runc binary to 1.1.14
Update the runc binary that's used in CI and for the static packages.

diff: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14

Release Notes:

- Fix CVE-2024-45310, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.
- Add support for Go 1.23.
- Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
- rootfs: consolidate mountpoint creation logic.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-03 13:30:19 +02:00
Sebastiaan van Stijn
d000f12fcc hack/make/.binary: enable pie mode on windows/arm64
pie-mode is supported for windows/arm64 since https://go.dev/cl/452415,
which is part of go1.20. Also update link to Go source for pie-mode support
to match the location for current versions of Go because the package was
moved in https://go.dev/cl/438475.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-03 10:24:00 +02:00
Sebastiaan van Stijn
3df59c9dcf update to go1.22.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-02 12:47:48 +02:00
Cory Snider
4cd5c2b643 hack/make/.binary: set CGO_LDFLAGS=-latomic for arm/v5
cross-compiling for arm/v5 was failing;

    #56 84.12 /usr/bin/arm-linux-gnueabi-clang -marm -o $WORK/b001/exe/a.out -Wl,--export-dynamic-symbol=_cgo_panic -Wl,--export-dynamic-symbol=_cgo_topofstack -Wl,--export-dynamic-symbol=crosscall2 -Qunused-arguments -Wl,--compress-debug-sections=zlib /tmp/go-link-759578347/go.o /tmp/go-link-759578347/000000.o /tmp/go-link-759578347/000001.o /tmp/go-link-759578347/000002.o /tmp/go-link-759578347/000003.o /tmp/go-link-759578347/000004.o /tmp/go-link-759578347/000005.o /tmp/go-link-759578347/000006.o /tmp/go-link-759578347/000007.o /tmp/go-link-759578347/000008.o /tmp/go-link-759578347/000009.o /tmp/go-link-759578347/000010.o /tmp/go-link-759578347/000011.o /tmp/go-link-759578347/000012.o /tmp/go-link-759578347/000013.o /tmp/go-link-759578347/000014.o /tmp/go-link-759578347/000015.o /tmp/go-link-759578347/000016.o /tmp/go-link-759578347/000017.o /tmp/go-link-759578347/000018.o -O2 -g -O2 -g -O2 -g -lpthread -O2 -g -no-pie -static
    #56 84.12 ld.lld: error: undefined symbol: __atomic_load_4
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced 2 more times
    #56 84.12
    #56 84.12 ld.lld: error: undefined symbol: __atomic_store_4
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(x_cgo_notify_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(x_cgo_set_context_function)
    #56 84.12 clang: error: linker command failed with exit code 1 (use -v to see invocation)

From discussion on GitHub;
https://github.com/moby/moby/pull/46982#issuecomment-2206992611

The arm/v5 build failure looks to be due to libatomic not being included
in the link. For reasons probably buried in mailing list archives,
[gcc](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81358) and clang don't
bother to implicitly auto-link libatomic. This is not a big deal on many
modern platforms with atomic intrinsics as the compiler generates inline
instruction sequences, avoiding any libcalls into libatomic. ARMv5 is not
one of those platforms: all atomic operations require a libcall.

In theory, adding `CGO_LDFLAGS=-latomic` should fix arm/v5 builds.

While it could be argued that cgo should automatically link against
libatomic in the same way that it automatically links against libpthread,
the Go maintainers would have a valid counter-argument that it should be
the C toolchain's responsibility to link against libatomic automatically,
just like it does with libgcc or compiler-rt.

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-02 12:45:46 +02:00
Cory Snider
e853c093bf hack/make/.binary: set CCGO_CFLAGS=-Wno-atomic-alignment for arm/v5
cross-compiling for arm/v5 fails on go1.22; a fix is included for this
in go1.23 (https://github.com/golang/go/issues/65290), but for go1.22
we can set the correct option manually.

    1.189 + go build -mod=vendor -modfile=vendor.mod -o /tmp/bundles/binary-daemon/dockerd -tags 'netgo osusergo static_build journald' -ldflags '-w -X "github.com/docker/docker/dockerversion.Version=dev" -X "github.com/docker/docker/dockerversion.GitCommit=HEAD" -X "github.com/docker/docker/dockerversion.BuildTime=2024-08-29T16:59:57.000000000+00:00" -X "github.com/docker/docker/dockerversion.PlatformName=" -X "github.com/docker/docker/dockerversion.ProductName=" -X "github.com/docker/docker/dockerversion.DefaultProductLicense=" -extldflags -static ' -gcflags= github.com/docker/docker/cmd/dockerd
    67.78 # runtime/cgo
    67.78 gcc_libinit.c:44:8: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:47:6: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:49:10: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:69:9: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:71:3: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    78.20 + rm -f /go/src/github.com/docker/docker/go.mod

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-02 12:45:44 +02:00
Paweł Gronowski
de4fc1c927 Dockerfile: update containerd binary to v1.7.21 (static binaries and CI only)
Update the containerd binary that's used in CI and static binaries

- full diff: https://github.com/containerd/containerd/compare/v1.7.20...v1.7.21
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.21

```markdown changelog
Update containerd (static binaries only) to [v1.7.21](https://github.com/containerd/containerd/releases/tag/v1.7.21)
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-27 13:28:34 +02:00
Sebastiaan van Stijn
bffb44a556 Merge pull request #48311 from crazy-max/govulncheck
govulncheck to report known vulnerabilities
2024-08-09 17:19:13 +02:00
CrazyMax
3cd28504de govulncheck to report known vulnerabilities
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-08-09 10:56:09 +02:00
Sebastiaan van Stijn
8d06e70f34 Merge pull request #48132 from robmry/bind_socket_for_docker_proxy
Create docker-proxy TCP/UDP listener sockets in the daemon
2024-08-08 20:30:58 +02:00
Paweł Gronowski
f3cf9359bd Merge pull request #47526 from vvoland/c8d-list-multiplatform
c8d: Multi-platform image list
2024-08-08 11:38:31 +02:00
Paweł Gronowski
efb3c50799 swagger: Disable ImageSummary model generation
Our version of go-swagger doesn't handle the `omitempty` correctly for
the new field.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-07 13:48:50 +02:00
Paweł Gronowski
b24c2e95e5 update to go1.21.13
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.13+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.12...go1.21.13

go1.21.13 (released 2024-08-06) includes fixes to the go command, the
covdata command, and the bytes package. See the Go 1.21.13 milestone on
our issue tracker for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-07 11:45:08 +02:00
Rob Murray
dac7ffa340 Remove rootlesskit-docker-proxy
It's not needed, now the daemon tells RootlessKit about port
mappings directly.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-08-05 14:04:05 +01:00
Rob Murray
e0c7a839a8 Only build docker-proxy for Linux
Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-08-05 14:04:04 +01:00
Kir Kolyshkin
3279b4f8f4 hack/make: suppress "not mounted" message
The "not mounted" error from .integration-daemon-stop is not an error,
so let's suppress that one (this is the only effect of -q option, at
least according to its man page).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-30 13:39:23 -07:00
Tianon Gravi
67c5cf07ea Merge pull request #47789 from williamh/47770-control-enable-journald-driver
hack: explicitly control enabling the journald logging driver
2024-07-23 15:00:27 -07:00
Sebastiaan van Stijn
fbbda057ac update containerd binary to v1.7.20
Update the containerd binary that's used in CI and for the static packages.

release notes: https://github.com/containerd/containerd/releases/tag/v1.7.20
full diff: https://github.com/containerd/containerd/compare/v1.7.18...v1.7.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 02:32:27 +02:00
William Hubbs
499c842c52 hack: explicitly control enabling the journald logging driver
Without this, the dependency on systemd is said to be "automagic", which
can lead to breakage, for example, if a binary package of docker is
built on a system that has systemd installed then installed on a system
that does not have systemd installed.

for example: https://bugs.gentoo.org/914076

Signed-off-by: William Hubbs <w.d.hubbs@gmail.com>
2024-07-16 11:00:29 -05:00
Paweł Gronowski
4d1d7c3ebe update to go1.21.12
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.11...go1.21.12

These minor releases include 1 security fixes following the security policy:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Thanks to Geoff Franks for reporting this issue.

This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.12

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.12
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-07-03 10:28:59 +02:00
Sebastiaan van Stijn
398e15b7de update containerd binary to v1.7.19
Update the containerd binary that's used in CI and for the static packages.

- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.19
- full diff: https://github.com/containerd/containerd/compare/v1.7.18...v1.7.19

Welcome to the v1.7.19 release of containerd!

The nineteenth patch release for containerd 1.7 contains various updates and
splits the main module from the api module in preparation for the same change
in containerd 2.0. Splitting the modules will allow 1.7 and 2.x to both exist
as transitive dependencies without running into API registration errors.
Projects should use this version as the minimum 1.7 version in preparing to
use containerd 2.0 or to be imported alongside it.

Highlights

- Fix support for OTLP config
- Add API go module
- Remove overlayfs volatile option on temp mounts
- Update runc binary to v1.1.13
- Migrate platforms package to github.com/containerd/platforms
- Migrate reference/docker package to github.com/distribution/reference

Container Runtime Interface (CRI)

- Fix panic in NRI from nil CRI reference
- Fix Windows HPC working directory

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 21:45:56 +02:00
Sebastiaan van Stijn
da039ca918 api/types: move GraphDriverData to api/types/storage
The `GraphDriverData` type is shared between images and containers, and
putting it in either package would result in a circular import, so adding
a new package for this type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:46:47 +02:00
Sebastiaan van Stijn
e12b7493b9 api/types: move Port to api/types/container
This moves the `Port` type to the container package, and
deprecates the old location.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:46:47 +02:00
Paweł Gronowski
1327342b14 hack: Ignore deprecate-integration-cli validation
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-06-17 14:05:15 +02:00
Sebastiaan van Stijn
9101392309 update runc binary to v1.1.13
Update the runc binary that's used in CI and for the static packages.

full diff: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13

Release notes:

* If building with Go 1.22.x, make sure to use 1.22.4 or a later version.

* Support go 1.22.4+.
* runc list: fix race with runc delete.
* Fix set nofile rlimit error.
* libct/cg/fs: fix setting rt_period vs rt_runtime.
* Fix a debug msg for user ns in nsexec.
* script/*: fix gpg usage wrt keyboxd.
* CI fixes and misc backports.
* Fix codespell warnings.

* Silence security false positives from golang/net.
* libcontainer: allow containers to make apps think fips is enabled/disabled for testing.
* allow overriding VERSION value in Makefile.
* Vagrantfile.fedora: bump Fedora to 39.
* ci/cirrus: rm centos stream 8.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-13 21:25:10 +02:00
Tianon Gravi
b5bc84119e Merge pull request #47960 from robmry/dev_container_ip6_tables
Dev container: try to load kernel module ip6_tables
2024-06-13 11:22:45 -07:00