Commit Graph

3067 Commits

Author SHA1 Message Date
Paweł Gronowski
b08bc5df85 Merge pull request #47553 from vvoland/testing-libnetwork-rerun-flaky
hack/unit: Rerun failed flaky libnetwork tests
2024-10-30 10:21:08 +00:00
Albin Kerouanton
2807c0c2d2 Revert "ci: run integration tests with firewalld enabled"
Temporarily remove firewallds jobs. These are actually not running
firewalld due to a typo in GHA definitions. Moreover, these new jobs
are putting too much load on the CI, causing GHA cache backend to return
429 for many jobs. This slows down build jobs (as they can't use
existing cache), and at least one buildkit test is now failing.

This reverts commit 4e567e1622.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-28 18:24:14 +01:00
Akihiro Suda
1bb5f8bb67 update to go1.23.2
vendor.mod still allows go1.22.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-10-22 00:04:58 +09:00
Albin Kerouanton
4e567e1622 ci: run integration tests with firewalld enabled
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-15 12:54:51 +02:00
Albin Kerouanton
8883db20c5 hack: run firewalld when $DOCKER_FIREWALLD is set
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2024-10-15 12:52:25 +02:00
Sebastiaan van Stijn
36549fb56e vendor: golang.org/x/mod v0.21.0
full diff: https://github.com/golang/mod/compare/v0.20.0...v0.21.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-10 02:35:59 +02:00
Sebastiaan van Stijn
6b7565ba40 vendor: go.etcd.io/bbolt v1.3.11
BoltDB

- Fix the freelist.allocs isn't rollbacked when a tx is rollbacked.

CMD

- Add -gobench-output option for bench command to adapt to benchstat.

Other

- Bump go version to 1.22.x.
- This patch also added dmflakey package, which can be reused by other projects. See #812.

full diff: https://github.com/etcd-io/bbolt/compare/v1.3.10...v1.3.11

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-10 02:35:08 +02:00
Sebastiaan van Stijn
ca4c68ab95 update to go1.22.8
go1.22.8 (released 2024-10-01) includes fixes to cgo, and the maps and syscall
packages. See the Go 1.22.8 milestone on our issue tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.22.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.7...go1.22.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-10-03 13:12:30 +02:00
Laura Brehm
4babd72186 tests: skip docker-py exec exit code test
Temporarily skip the exec run failed exit code test in `docker-py` –
a3652028b1/tests/integration/models_containers_test.py (L356-L363)

We can reenable this after the PR fixing the expected exit code in that
test is merged/released/included – https://github.com/docker/docker-py/pull/3290

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-09-27 15:43:43 +01:00
Akihiro Suda
43036f350a Dockerfile: update RootlessKit to v2.3.1
https://github.com/rootless-containers/rootlesskit/compare/v2.0.2...v2.3.1

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-09-11 04:35:59 +09:00
Sebastiaan van Stijn
92195c1333 Dockerfile: update containerd binary to v1.7.22
Update the containerd binary that's used in CI and static binaries

- Update to go1.22.7, go1.23.1
- CRI: Cumulative stats can't decrease
- Fix bug where init exits were being dropped
- Update runc binary to 1.1.14

- diff: https://github.com/containerd/containerd/compare/v1.7.21...v1.7.22
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.22

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-10 10:44:44 +02:00
Paweł Gronowski
a2e14dd8bd update to go1.22.7
- https://github.com/golang/go/issues?q=milestone%3AGo1.22.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.22.6...go1.22.7

These minor releases include 3 security fixes following the security policy:

- go/parser: stack exhaustion in all Parse* functions

    Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.

    This is CVE-2024-34155 and Go issue https://go.dev/issue/69138.

- encoding/gob: stack exhaustion in Decoder.Decode

    Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion.

    This is a follow-up to CVE-2022-30635.

    Thanks to Md Sakib Anwar of The Ohio State University (anwar.40@osu.edu) for reporting this issue.

    This is CVE-2024-34156 and Go issue https://go.dev/issue/69139.

- go/build/constraint: stack exhaustion in Parse

    Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.

    This is CVE-2024-34158 and Go issue https://go.dev/issue/69141.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.23.1

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-09-05 17:47:03 +02:00
Sebastiaan van Stijn
fa734fe3d2 Merge pull request #48421 from thaJeztah/make_update_link
hack/make/.binary: enable pie mode on windows/arm64
2024-09-03 23:08:17 +02:00
Sebastiaan van Stijn
2189aa2426 update runc binary to 1.1.14
Update the runc binary that's used in CI and for the static packages.

diff: https://github.com/opencontainers/runc/compare/v1.1.13...v1.1.14

Release Notes:

- Fix CVE-2024-45310, a low-severity attack that allowed maliciously configured containers to create empty files and directories on the host.
- Add support for Go 1.23.
- Revert "allow overriding VERSION value in Makefile" and add EXTRA_VERSION.
- rootfs: consolidate mountpoint creation logic.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-03 13:30:19 +02:00
Sebastiaan van Stijn
d000f12fcc hack/make/.binary: enable pie mode on windows/arm64
pie-mode is supported for windows/arm64 since https://go.dev/cl/452415,
which is part of go1.20. Also update link to Go source for pie-mode support
to match the location for current versions of Go because the package was
moved in https://go.dev/cl/438475.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-03 10:24:00 +02:00
Sebastiaan van Stijn
3df59c9dcf update to go1.22.6
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-09-02 12:47:48 +02:00
Cory Snider
4cd5c2b643 hack/make/.binary: set CGO_LDFLAGS=-latomic for arm/v5
cross-compiling for arm/v5 was failing;

    #56 84.12 /usr/bin/arm-linux-gnueabi-clang -marm -o $WORK/b001/exe/a.out -Wl,--export-dynamic-symbol=_cgo_panic -Wl,--export-dynamic-symbol=_cgo_topofstack -Wl,--export-dynamic-symbol=crosscall2 -Qunused-arguments -Wl,--compress-debug-sections=zlib /tmp/go-link-759578347/go.o /tmp/go-link-759578347/000000.o /tmp/go-link-759578347/000001.o /tmp/go-link-759578347/000002.o /tmp/go-link-759578347/000003.o /tmp/go-link-759578347/000004.o /tmp/go-link-759578347/000005.o /tmp/go-link-759578347/000006.o /tmp/go-link-759578347/000007.o /tmp/go-link-759578347/000008.o /tmp/go-link-759578347/000009.o /tmp/go-link-759578347/000010.o /tmp/go-link-759578347/000011.o /tmp/go-link-759578347/000012.o /tmp/go-link-759578347/000013.o /tmp/go-link-759578347/000014.o /tmp/go-link-759578347/000015.o /tmp/go-link-759578347/000016.o /tmp/go-link-759578347/000017.o /tmp/go-link-759578347/000018.o -O2 -g -O2 -g -O2 -g -lpthread -O2 -g -no-pie -static
    #56 84.12 ld.lld: error: undefined symbol: __atomic_load_4
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced 2 more times
    #56 84.12
    #56 84.12 ld.lld: error: undefined symbol: __atomic_store_4
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(_cgo_wait_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(x_cgo_notify_runtime_init_done)
    #56 84.12 >>> referenced by gcc_libinit.c
    #56 84.12 >>>               /tmp/go-link-759578347/000009.o:(x_cgo_set_context_function)
    #56 84.12 clang: error: linker command failed with exit code 1 (use -v to see invocation)

From discussion on GitHub;
https://github.com/moby/moby/pull/46982#issuecomment-2206992611

The arm/v5 build failure looks to be due to libatomic not being included
in the link. For reasons probably buried in mailing list archives,
[gcc](https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81358) and clang don't
bother to implicitly auto-link libatomic. This is not a big deal on many
modern platforms with atomic intrinsics as the compiler generates inline
instruction sequences, avoiding any libcalls into libatomic. ARMv5 is not
one of those platforms: all atomic operations require a libcall.

In theory, adding `CGO_LDFLAGS=-latomic` should fix arm/v5 builds.

While it could be argued that cgo should automatically link against
libatomic in the same way that it automatically links against libpthread,
the Go maintainers would have a valid counter-argument that it should be
the C toolchain's responsibility to link against libatomic automatically,
just like it does with libgcc or compiler-rt.

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-02 12:45:46 +02:00
Cory Snider
e853c093bf hack/make/.binary: set CCGO_CFLAGS=-Wno-atomic-alignment for arm/v5
cross-compiling for arm/v5 fails on go1.22; a fix is included for this
in go1.23 (https://github.com/golang/go/issues/65290), but for go1.22
we can set the correct option manually.

    1.189 + go build -mod=vendor -modfile=vendor.mod -o /tmp/bundles/binary-daemon/dockerd -tags 'netgo osusergo static_build journald' -ldflags '-w -X "github.com/docker/docker/dockerversion.Version=dev" -X "github.com/docker/docker/dockerversion.GitCommit=HEAD" -X "github.com/docker/docker/dockerversion.BuildTime=2024-08-29T16:59:57.000000000+00:00" -X "github.com/docker/docker/dockerversion.PlatformName=" -X "github.com/docker/docker/dockerversion.ProductName=" -X "github.com/docker/docker/dockerversion.DefaultProductLicense=" -extldflags -static ' -gcflags= github.com/docker/docker/cmd/dockerd
    67.78 # runtime/cgo
    67.78 gcc_libinit.c:44:8: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:47:6: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:49:10: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:69:9: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    67.78 gcc_libinit.c:71:3: error: large atomic operation may incur significant performance penalty; the access size (4 bytes) exceeds the max lock-free size (0 bytes) [-Werror,-Watomic-alignment]
    78.20 + rm -f /go/src/github.com/docker/docker/go.mod

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Cory Snider <csnider@mirantis.com>
2024-09-02 12:45:44 +02:00
Paweł Gronowski
de4fc1c927 Dockerfile: update containerd binary to v1.7.21 (static binaries and CI only)
Update the containerd binary that's used in CI and static binaries

- full diff: https://github.com/containerd/containerd/compare/v1.7.20...v1.7.21
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.21

```markdown changelog
Update containerd (static binaries only) to [v1.7.21](https://github.com/containerd/containerd/releases/tag/v1.7.21)
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-27 13:28:34 +02:00
Sebastiaan van Stijn
bffb44a556 Merge pull request #48311 from crazy-max/govulncheck
govulncheck to report known vulnerabilities
2024-08-09 17:19:13 +02:00
CrazyMax
3cd28504de govulncheck to report known vulnerabilities
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2024-08-09 10:56:09 +02:00
Sebastiaan van Stijn
8d06e70f34 Merge pull request #48132 from robmry/bind_socket_for_docker_proxy
Create docker-proxy TCP/UDP listener sockets in the daemon
2024-08-08 20:30:58 +02:00
Paweł Gronowski
f3cf9359bd Merge pull request #47526 from vvoland/c8d-list-multiplatform
c8d: Multi-platform image list
2024-08-08 11:38:31 +02:00
Paweł Gronowski
efb3c50799 swagger: Disable ImageSummary model generation
Our version of go-swagger doesn't handle the `omitempty` correctly for
the new field.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-07 13:48:50 +02:00
Paweł Gronowski
b24c2e95e5 update to go1.21.13
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.13+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.12...go1.21.13

go1.21.13 (released 2024-08-06) includes fixes to the go command, the
covdata command, and the bytes package. See the Go 1.21.13 milestone on
our issue tracker for details.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-08-07 11:45:08 +02:00
Rob Murray
dac7ffa340 Remove rootlesskit-docker-proxy
It's not needed, now the daemon tells RootlessKit about port
mappings directly.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-08-05 14:04:05 +01:00
Rob Murray
e0c7a839a8 Only build docker-proxy for Linux
Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-08-05 14:04:04 +01:00
Kir Kolyshkin
3279b4f8f4 hack/make: suppress "not mounted" message
The "not mounted" error from .integration-daemon-stop is not an error,
so let's suppress that one (this is the only effect of -q option, at
least according to its man page).

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2024-07-30 13:39:23 -07:00
Tianon Gravi
67c5cf07ea Merge pull request #47789 from williamh/47770-control-enable-journald-driver
hack: explicitly control enabling the journald logging driver
2024-07-23 15:00:27 -07:00
Sebastiaan van Stijn
fbbda057ac update containerd binary to v1.7.20
Update the containerd binary that's used in CI and for the static packages.

release notes: https://github.com/containerd/containerd/releases/tag/v1.7.20
full diff: https://github.com/containerd/containerd/compare/v1.7.18...v1.7.19

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 02:32:27 +02:00
William Hubbs
499c842c52 hack: explicitly control enabling the journald logging driver
Without this, the dependency on systemd is said to be "automagic", which
can lead to breakage, for example, if a binary package of docker is
built on a system that has systemd installed then installed on a system
that does not have systemd installed.

for example: https://bugs.gentoo.org/914076

Signed-off-by: William Hubbs <w.d.hubbs@gmail.com>
2024-07-16 11:00:29 -05:00
Paweł Gronowski
4d1d7c3ebe update to go1.21.12
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.12+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.11...go1.21.12

These minor releases include 1 security fixes following the security policy:

net/http: denial of service due to improper 100-continue handling

The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail.

An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail.

Thanks to Geoff Franks for reporting this issue.

This is CVE-2024-24791 and Go issue https://go.dev/issue/67555.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.21.12

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.12
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-07-03 10:28:59 +02:00
Sebastiaan van Stijn
398e15b7de update containerd binary to v1.7.19
Update the containerd binary that's used in CI and for the static packages.

- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.19
- full diff: https://github.com/containerd/containerd/compare/v1.7.18...v1.7.19

Welcome to the v1.7.19 release of containerd!

The nineteenth patch release for containerd 1.7 contains various updates and
splits the main module from the api module in preparation for the same change
in containerd 2.0. Splitting the modules will allow 1.7 and 2.x to both exist
as transitive dependencies without running into API registration errors.
Projects should use this version as the minimum 1.7 version in preparing to
use containerd 2.0 or to be imported alongside it.

Highlights

- Fix support for OTLP config
- Add API go module
- Remove overlayfs volatile option on temp mounts
- Update runc binary to v1.1.13
- Migrate platforms package to github.com/containerd/platforms
- Migrate reference/docker package to github.com/distribution/reference

Container Runtime Interface (CRI)

- Fix panic in NRI from nil CRI reference
- Fix Windows HPC working directory

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 21:45:56 +02:00
Sebastiaan van Stijn
da039ca918 api/types: move GraphDriverData to api/types/storage
The `GraphDriverData` type is shared between images and containers, and
putting it in either package would result in a circular import, so adding
a new package for this type.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:46:47 +02:00
Sebastiaan van Stijn
e12b7493b9 api/types: move Port to api/types/container
This moves the `Port` type to the container package, and
deprecates the old location.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-02 12:46:47 +02:00
Paweł Gronowski
1327342b14 hack: Ignore deprecate-integration-cli validation
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-06-17 14:05:15 +02:00
Sebastiaan van Stijn
9101392309 update runc binary to v1.1.13
Update the runc binary that's used in CI and for the static packages.

full diff: https://github.com/opencontainers/runc/compare/v1.1.12...v1.1.13

Release notes:

* If building with Go 1.22.x, make sure to use 1.22.4 or a later version.

* Support go 1.22.4+.
* runc list: fix race with runc delete.
* Fix set nofile rlimit error.
* libct/cg/fs: fix setting rt_period vs rt_runtime.
* Fix a debug msg for user ns in nsexec.
* script/*: fix gpg usage wrt keyboxd.
* CI fixes and misc backports.
* Fix codespell warnings.

* Silence security false positives from golang/net.
* libcontainer: allow containers to make apps think fips is enabled/disabled for testing.
* allow overriding VERSION value in Makefile.
* Vagrantfile.fedora: bump Fedora to 39.
* ci/cirrus: rm centos stream 8.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-13 21:25:10 +02:00
Tianon Gravi
b5bc84119e Merge pull request #47960 from robmry/dev_container_ip6_tables
Dev container: try to load kernel module ip6_tables
2024-06-13 11:22:45 -07:00
Sebastiaan van Stijn
13c3384303 hack/vendor.sh: remove redundant -compat 1.18
This was added to use a specific format for the vendor.mod/go.mod
file, but we should no longer need this, as go1.21 is now the
minimum.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-13 13:24:07 +02:00
Rob Murray
44d00e3b9b Dev container: try to load kernel module ip6_tables
On an nftables host, the ip6_tables kernel module may not be loaded,
but it needs to be for dockerd to run (with ip6tables now enabled by
default).

If ip6tables doesn't work, try the dind official image's trick for
loading the module using "ip link show".

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-06-12 14:34:20 +01:00
Sebastiaan van Stijn
5318c38eae update containerd binary to v1.7.18
Update the containerd binary that's used in CI and for the static packages.

- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.18
- full diff: https://github.com/containerd/containerd/compare/v1.7.17...v1.7.18

Welcome to the v1.7.18 release of containerd!

The eighteenth patch release for containerd 1.7 contains various updates along
with an updated version of Go. Go 1.22.4 and 1.21.11 include a fix for a symlink
time of check to time of use race condition during directory removal.

Highlights

- Update Go version to 1.21.11
- Remove uses of platforms.Platform alias
- Migrate log imports to github.com/containerd/log
- Migrate errdefs package to github.com/containerd/errdefs
- Fix usage of "unknown" platform

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-05 10:18:42 +02:00
Sebastiaan van Stijn
91e2c29865 update to go1.21.11
go1.21.11 (released 2024-06-04) includes security fixes to the archive/zip
and net/netip packages, as well as bug fixes to the compiler, the go command,
the runtime, and the os package. See the Go 1.21.11 milestone on our issue
tracker for details;

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.11+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.10...go1.21.11

From the security announcement;

We have just released Go versions 1.22.4 and 1.21.11, minor point releases.
These minor releases include 2 security fixes following the security policy:

- archive/zip: mishandling of corrupt central directory record

  The archive/zip package's handling of certain types of invalid zip files
  differed from the behavior of most zip implementations. This misalignment
  could be exploited to create an zip file with contents that vary depending
  on the implementation reading the file. The archive/zip package now rejects
  files containing these errors.

  Thanks to Yufan You for reporting this issue.

  This is CVE-2024-24789 and Go issue https://go.dev/issue/66869.

- net/netip: unexpected behavior from Is methods for IPv4-mapped IPv6 addresses

  The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected
  for IPv4-mapped IPv6 addresses, returning false for addresses which would
  return true in their traditional IPv4 forms.

  Thanks to Enze Wang of Alioth and Jianjun Chen of Zhongguancun Lab
  for reporting this issue.

  This is CVE-2024-24790 and Go issue https://go.dev/issue/67680.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-06-04 23:23:27 +02:00
Sebastiaan van Stijn
89624e09e6 api/types: migrate NetworkCreateResponse to network.CreateResponse
Migrate the type to the network package, and generate it from swagger.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-05-29 19:22:34 +02:00
Sebastiaan van Stijn
347bb4122a update docker-py to 7.1.0
full diff: https://github.com/docker/docker-py/compare/7.0.0...7.1.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-05-28 11:38:54 +02:00
Paweł Gronowski
4f0cb7d964 Dockerfile: update containerd binary to v1.7.17 (static binaries and CI only)
Update the containerd binary that's used in CI and static binaries

- full diff: https://github.com/containerd/containerd/compare/v1.7.15...v1.7.17
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.17

```markdown changelog
Update containerd (static binaries only) to [v1.7.17](https://github.com/containerd/containerd/releases/tag/v1.7.17)
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-05-17 11:07:11 +02:00
Paweł Gronowski
6c97e0e0b5 update to go1.21.10
- https://github.com/golang/go/issues?q=milestone%3AGo1.21.10+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.9...go1.21.10

These minor releases include 2 security fixes following the security policy:

- cmd/go: arbitrary code execution during build on darwin
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the -lto_library flag in a "#cgo LDFLAGS" directive.
Thanks to Juho Forsén of Mattermost for reporting this issue.
This is CVE-2024-24787 and Go issue https://go.dev/issue/67119.

- net: malformed DNS message can cause infinite loop
A malformed DNS message in response to a query can cause the Lookup functions to get stuck in an infinite loop.
Thanks to long-name-let-people-remember-you on GitHub for reporting this issue, and to Mateusz Poliwczak for bringing the issue to our attention.
This is CVE-2024-24788 and Go issue https://go.dev/issue/66754.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.3

**- Description for the changelog**

```markdown changelog
Update Go runtime to 1.21.10
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-05-08 09:31:46 +02:00
Paweł Gronowski
3485cfbb1e update containerd binary to v1.7.15
Update the containerd binary that's used in CI

- full diff: https://github.com/containerd/containerd/compare/v1.7.13...v1.7.15
- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.15

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-08 13:01:28 +02:00
Paweł Gronowski
329d403e20 update to go1.21.9
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the [Go 1.21.9 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved)
for more details.

These minor releases include 1 security fixes following the security policy:

- http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.

Set a limit on the amount of excess header frames we will process before
closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.8...go1.21.9

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-04-04 10:13:50 +02:00
Paweł Gronowski
d0d8d5d97d hack/unit: Rerun failed flaky libnetwork tests
libnetwork tests tend to be flaky (namely `TestNetworkDBIslands` and
`TestNetworkDBCRUDTableEntries`).

Move execution of tests which name has `TestFlaky` prefix to a separate
gotestsum pass which allows them to be reran 4 times.

On Windows, the libnetwork test execution is not split into a separate
pass.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-19 12:35:26 +01:00
Paweł Gronowski
0d5ef431a1 docker-py: Temporarily skip test_commit and test_commit_with_changes
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-13 13:03:48 +01:00