The concurrency groups currently cancel older runs for push, tag,
scheduled, and manually dispatched events.
On maintained refs this can hide a regression when a later run starts
before the earlier validation finishes.
Keep cancellation for stale pull request runs only, while allowing
non-PR validation to complete.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
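As an added illustration of the policy described in this commit message (not part of the commit itself), a workflow-level `concurrency` block that cancels only superseded pull request runs; the group key is an assumption.

```yaml
# Added illustration, not from the commit: the group key below is an assumption.
concurrency:
  # One group per workflow and ref, so runs for the same branch or PR share it.
  group: ${{ github.workflow }}-${{ github.ref }}
  # Before: `cancel-in-progress: true` cancelled the older run for every event,
  # so a push to a maintained branch could abort validation still in flight
  # and hide a regression behind the newer run.
  # After: only pull_request events cancel their predecessor; push, tag,
  # schedule and workflow_dispatch runs are left to complete.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
```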
Rootless snapshotter mode can report image TotalSize one filesystem
block above the per-image and reclaimable sizes after loading BusyBox.
The empty disk usage case already accepts this overlayfs accounting
artifact.
Allow the same bounded 4096-byte positive drift in the
after_LoadBusybox assertions while keeping strict equality for other
daemon modes.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Both query parameters are now collectionFormat: multi arrays in the
swagger so they can accept multiple values later without an API
version bump. The server still operates on a single platform and
rejects requests passing more than one; type is read directly as a
list of repeated values instead of a comma-separated string.
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
runDaemon would unconditionally send an error event if the daemon
was running as a system service;
Run New-Item -ItemType Directory -Force -Path ".\bundles" | Out-Null
2026-06-08T03:31:52.1865738Z [Information] Starting up
2026-06-08T03:31:52.3160498Z [Information] OTEL tracing is not configured, using no-op tracer provider
2026-06-08T03:31:52.5037110Z [Information] Windows default isolation mode: process
2026-06-08T03:31:52.7212058Z [Information] Loading containers: start.
2026-06-08T03:31:52.7345902Z [Information] [graphdriver] trying configured driver: windowsfilter
2026-06-08T03:31:52.8920546Z [Information] Restoring containers: start.
2026-06-08T03:31:52.9910057Z [Information] Restoring existing overlay networks from HNS into docker
2026-06-08T03:31:53.8958218Z [Information] Loading containers: done.
2026-06-08T03:31:53.9093383Z [Information] Docker daemon [storage-driver=windowsfilter containerd-snapshotter=false version=29.1.5 commit=3b01d641]
2026-06-08T03:31:53.9103431Z [Information] Initializing buildkit
2026-06-08T03:31:54.3243456Z [Information] Completed buildkit initialization
2026-06-08T03:31:54.4878293Z [Information] Daemon has completed initialization
2026-06-08T03:31:54.4881959Z [Information] API listen on //./pipe/docker_engine
2026-06-08T03:47:45.7182269Z [Information] Processing signal 'terminated'
2026-06-08T03:47:45.7203206Z [Information] Daemon shutdown complete
Error: 2026-06-08T03:47:45.7206236Z [Error] <nil>
If debug was enabled, it would log this error twice (once as error, and once as debug).
Let's make this a single log, and only an error if there was one. Note that this may still
be redundant, as `daemonCLI.start` also logs this error;
4c19a01575/daemon/command/daemon.go (L127-L134)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add a new Engine API endpoint that returns the in-toto attestation
statements attached to an image for a given platform. The endpoint
locates the attestation manifest(s) referencing the requested platform's
image manifest, enumerates the statement layers, and returns each
layer's OCI descriptor (including media type, digest, size, and
annotations) together with its in-toto predicate type.
Query parameters:
- platform: JSON-encoded OCI platform; defaults to the daemon's host
platform if omitted.
- type: comma-separated list of in-toto predicate type URIs; if
omitted, all statements are returned.
- statement: boolean, defaults to false. When true, the daemon reads
each matching statement blob and includes the verbatim in-toto JSON
in the response. When false (or omitted), statement blobs are not
read and the Statement field is absent from each entry.
The manifest-chain walk (locating the platform image manifest and its
associated attestation manifest) is delegated to policy-helpers'
image.ResolveSignatureChain so that moby and BuildKit agree on how to
interpret the attestation storage format. The statement-layer iteration
and blob reading is inlined: when statement bodies are requested it
fails fast on the first unreadable blob and reads matching blobs
eagerly into memory; otherwise statement-layer blobs are never read
from the content store.
The endpoint is implemented for the containerd image store. The legacy
graphdriver store returns errdefs.NotImplemented (HTTP 501).
Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
Syncs changes from 2ecaac9631
and d5f6bdb027 to older API
versions, in addition to formatting changes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Split the default GC policy filter into separate selectors so containerd
filters OR the intended reproducible cache types instead of ANDing
mutually exclusive record types.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
When the daemon is linked against libnftables it programs the kernel
without invoking the `nft` command. Allow the nftables firewall backend
to be enabled when libnftables is used, irrespective of whether `nft` is
installed on the host.
Update the bridge network driver to clean up stale nftables tables in
iptables mode without depending on the `nft` command.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Afford applying nft commands via libnftables without needing to go
through our table abstraction. Make the table abstraction responsible
for lazily allocating an nft context.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Join `$ROOTLESSKIT_STATE_DIR/netns` when inspecting
`net.ipv4.ip_forward`, to silence the bogus warning
"IPv4 forwarding is disabled".
Fix issue 52737
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
This step would fail if the daemon was never started ("Starting test daemon"),
or failed to start;
Run Get-WinEvent -ea SilentlyContinue `
out-file: D:\a\_temp\2b911acb-4e0e-4684-bf63-606f0da5f7c6.ps1:2
Line |
2 | Get-WinEvent -ea SilentlyContinue `
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Could not find a part of the path 'D:\a\moby\moby\go\src\github.com\docker\docker\bundles\daemon.log'.
Error: Process completed with exit code 1.
- Update the step to skip if we never attempted to start the daemon
- Make sure the output directory is created: even if we failed to start
the daemon (and thus tests weren't run), the startup itself could
potentially contain information that helps debugging the reason for
the daemon starting.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If setup failed or was skipped, this produced an error;
Run (Stop-Service -DisplayName "OpenTelemetry Collector" -PassThru).WaitForStatus('Stopped', (New-TimeSpan -Seconds 30))
Stop-Service: D:\a\_temp\f0230cca-e5e4-4a0b-9fe2-0d0a6a5bc60e.ps1:2
Line |
2 | (Stop-Service -DisplayName "OpenTelemetry Collector" -PassThru).WaitF …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot find any service with display name 'OpenTelemetry Collector'.
Error: Process completed with exit code 1.
Skip this step if we skipped "Set up OpenTelemetry Collector", and ignore situations
where the service could not be found for other reasons.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
TestDaemonRestartWithNames in the DockerDaemonSuite has been broken
since commit 72ec7cd6cc. The test takes
the combined output of a `docker run` command as the ID of the created
container. This works fine so long as the command emits no warnings,
otherwise it will corrupt the ID that the test captures. Modify the test
to read the ID from the command's stdout to make the test robust to
warnings being printed.
Signed-off-by: Cory Snider <csnider@mirantis.com>
This feature will be deprecated and removed in a couple releases,
when we make the default bridge network just another bridge network.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Port the firewall ruleset for encrypted overlay networks to nftables.
Maximize compatibility with the most distros by only using nftables
features that are widely available. Use the deprecated 'meta secpath
exists' expression instead of the more modern 'meta ipsec exists'.
Extract the VNI from VXLAN packets using the more widely available '@th'
raw payload expressions instead of '@ih' or 'vxlan vni' expressions.
Signed-off-by: Cory Snider <csnider@mirantis.com>
In order to develop and test the nftables implementation of Swarm
networking it must be possible for the daemon to join a swarm when
configured to use nftables as the firewall backend. Add a new daemon
feature flag `swarm-nftables` to suppress the incompatibility check.
Signed-off-by: Cory Snider <csnider@mirantis.com>