Commit Graph

48816 Commits

Author SHA1 Message Date
Paweł Gronowski
d66177591e c8d/cache: Use the same cache logic as graphdrivers
Implement the cache adaptor for containerd image store and use the same
cache logic.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-07 14:58:06 +01:00
Paweł Gronowski
bf30fee58a image/cache: Refactor backend specific code
Move image store backend specific code out of the cache code and move it
to a separate interface to allow using the same cache code with
containerd image store.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-07 14:58:04 +01:00
Paweł Gronowski
608d77d740 Merge pull request #47497 from robmry/resolvconf_fixes
Fix 'resolv.conf' parsing issues
2024-03-07 13:05:10 +01:00
Paweł Gronowski
66adfc729a Merge pull request #47521 from robmry/no_ipv6_addr_when_ipv6_disabled
Don't configure IPv6 addr/gw when IPv6 disabled.
2024-03-07 12:57:27 +01:00
Sebastiaan van Stijn
ab4b5a4890 Merge pull request #47519 from thaJeztah/dupword
golangci-lint: enable dupword linter
2024-03-07 12:41:54 +01:00
Sebastiaan van Stijn
f5a5e3f203 golangci-lint: enable dupword linter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-07 11:44:27 +01:00
Sebastiaan van Stijn
773f792b88 Merge pull request #47523 from tonistiigi/snapshot-lock-fix
builder-next: fix missing lock in ensurelayer
2024-03-07 11:17:25 +01:00
Sebastiaan van Stijn
4adc40ac40 fix duplicate words (dupwords)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-03-07 10:57:03 +01:00
Rob Murray
8921897e3b Ignore bad ndots in host resolv.conf
Rather than error out if the host's resolv.conf has a bad ndots option,
just ignore it. Still validate ndots supplied via '--dns-option' and
treat failure as an error.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-03-07 09:27:34 +00:00
Tonis Tiigi
37545cc644 builder-next: fix missing lock in ensurelayer
When this was called concurrently from the moby image
exporter there could be a data race where a layer was
written to the refs map when it was already there.

In that case the reference count got mixed up and on
release only one of these layers was actually released.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-03-06 23:11:32 -08:00
Bjorn Neergaard
6c10086976 Merge pull request #47520 from vvoland/buildkit-v13-leaseutil
builder-next/export: Use leaseutil for descref lease
2024-03-06 11:55:02 -07:00
Rob Murray
ef5295cda4 Don't configure IPv6 addr/gw when IPv6 disabled.
When IPv6 is disabled in a container by, for example, using the --sysctl
option - an IPv6 address/gateway is still allocated. Don't attempt to
apply that config because doing so enables IPv6 on the interface.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-03-06 18:32:31 +00:00
Paweł Gronowski
49b77753cb builder-next/export: Use leaseutil for descref lease
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-06 17:47:37 +01:00
Paweł Gronowski
d91665a2ac Merge pull request #47511 from vvoland/buildkit-v13.0
vendor: github.com/moby/buildkit v0.13.0
2024-03-06 17:41:55 +01:00
Sebastiaan van Stijn
4e53936f0a Merge pull request #47509 from thirdkeyword/master
remove repetitive words
2024-03-06 13:52:16 +01:00
Sebastiaan van Stijn
cb8c8e9631 Merge pull request #47498 from Dzejrou/lower-perm-fix
daemon: overlay2: remove world writable permission from the lower file
2024-03-06 13:09:30 +01:00
Paweł Gronowski
c4fc6c3371 builder-next/executor: Replace removed network.Sample
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-06 12:02:12 +01:00
Paweł Gronowski
0f30791a0d vendor: github.com/moby/buildkit v0.13.0
full diff: https://github.com/moby/buildkit/compare/v0.13.0-rc3...v0.13.0

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-06 11:54:43 +01:00
Albin Kerouanton
7c7e453255 Merge pull request #47474 from robmry/47441_mac_addr_config_migration
Don't create endpoint config for MAC addr config migration
2024-03-06 11:04:17 +01:00
thirdkeyword
06628e383a remove repetitive words
Signed-off-by: thirdkeyword <fliterdashen@gmail.com>
2024-03-06 18:03:51 +08:00
Sebastiaan van Stijn
4046928978 Merge pull request #47504 from AkihiroSuda/rootlesskit-2.0.2
update RootlessKit to 2.0.2
2024-03-06 10:12:32 +01:00
Akihiro Suda
b32cfc3b3a dockerd-rootless-setuptool.sh: check RootlessKit functionality
RootlessKit will print hints if something is still unsatisfied.

e.g., `kernel.apparmor_restrict_unprivileged_userns` constraint
rootless-containers/rootlesskit@33c3e7ca6c

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-06 07:43:00 +09:00
Akihiro Suda
49fd8df9b9 Dockerfile: update RootlessKit to v2.0.2
https://github.com/rootless-containers/rootlesskit/compare/v2.0.1...v2.0.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-06 07:38:55 +09:00
Akihiro Suda
72ec187dfe go.mod: github.com/rootless-containers/rootlesskit/v2 v2.0.2
https://github.com/rootless-containers/rootlesskit/compare/v2.0.1...v2.0.2

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-06 07:38:00 +09:00
Akihiro Suda
83cda67f73 go.mod: golang.org/x/sys v0.18.0
https://github.com/golang/sys/compare/v0.16.0...v0.18.0

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2024-03-06 07:37:37 +09:00
Paweł Gronowski
460b4aebdf Merge pull request #47502 from vvoland/go-1.21.8
update to go1.21.8
2024-03-05 21:58:11 +01:00
Paweł Gronowski
57b7ffa7f6 update to go1.21.8
go1.21.8 (released 2024-03-05) includes 5 security fixes

- crypto/x509: Verify panics on certificates with an unknown public key algorithm (CVE-2024-24783, https://go.dev/issue/65390)
- net/http: memory exhaustion in Request.ParseMultipartForm (CVE-2023-45290, https://go.dev/issue/65383)
- net/http, net/http/cookiejar: incorrect forwarding of sensitive headers and cookies on HTTP redirect (CVE-2023-45289, https://go.dev/issue/65065)
- html/template: errors returned from MarshalJSON methods may break template escaping (CVE-2024-24785, https://go.dev/issue/65697)
- net/mail: comments in display names are incorrectly handled (CVE-2024-24784, https://go.dev/issue/65083)

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.1

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.8+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.7...go1.21.8

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-05 19:17:18 +01:00
Jaroslav Jindrak
cadb124ab6 daemon: overlay2: remove world writable permission from the lower file
In de2447c, the creation of the 'lower' file was changed from using
os.Create to using ioutils.AtomicWriteFile, which ignores the system's
umask. This means that even though the requested permission in the
source code was always 0666, it was 0644 on systems with default
umask of 0022 prior to de2447c, so the move to AtomicFile potentially
increased the file's permissions.

This is not a security issue because the parent directory does not
allow writes into the file, but it can confuse security scanners on
Linux-based systems into giving false positives.

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
2024-03-05 14:25:50 +01:00
Sebastiaan van Stijn
046827c657 Merge pull request #47485 from vvoland/vendor-dns
vendor: github.com/miekg/dns v1.1.57
2024-03-04 11:55:01 +01:00
Sebastiaan van Stijn
04c9d7f6a3 Merge pull request #47465 from vvoland/v26-remove-deprecated
api/search: Reset `is_automated` to false
2024-03-04 11:27:24 +01:00
Paweł Gronowski
b2921509e5 api/search: Reset is_automated field to false
The field will still be present in the response, but will always be
`false`.
Searching for `is-automated=true` will yield no results, while
`is-automated=false` will effectively be a no-op.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-04 10:15:59 +01:00
Rob Murray
f04f69e366 Accumulate resolv.conf options
If there are multiple "options" lines, keep the options from all of
them.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-03-01 16:59:28 +00:00
Rob Murray
7f69142aa0 resolv.conf comments have '#' or ';' in the first column
When a '#' or ';' appears anywhere else, it's not a comment marker.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-03-01 16:58:04 +00:00
Sebastiaan van Stijn
97a5435d33 Merge pull request #47477 from robmry/resolvconf_gocompat
Remove slices.Clone() calls to avoid Go bug
2024-03-01 17:28:01 +01:00
Rob Murray
91d9307738 Replace uses of slices.Clone()
Avoid https://github.com/golang/go/issues/64759

Co-authored-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-03-01 15:27:29 +00:00
Sebastiaan van Stijn
137a9d6a4c Merge pull request #47395 from robmry/47370_windows_natnw_dns_test
Test DNS on Windows 'nat' networks
2024-03-01 13:02:52 +01:00
Paweł Gronowski
9f4e824a6e vendor: github.com/miekg/dns v1.1.57
full diff: https://github.com/github.com/miekg/dns/compare/v1.1.43...v1.1.57

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-03-01 10:14:22 +01:00
Albin Kerouanton
f8e6801533 Merge pull request #47478 from fopina/patch-1
fix typo in error message
2024-03-01 08:53:43 +01:00
Filipe Pina
ef681124ca fix typo in error message
Signed-off-by: Filipe Pina <hzlu1ot0@duck.com>
2024-02-29 23:27:00 +00:00
Rob Murray
a580544d82 Don't create endpoint config for MAC addr config migration
In a container-create API request, HostConfig.NetworkMode (the identity
of the "main" network) may be a name, id or short-id.

The configuration for that network, including preferred IP address etc,
may be keyed on network name or id - it need not match the NetworkMode.

So, when migrating the old container-wide MAC address to the new
per-endpoint field - it is not safe to create a new EndpointSettings
entry unless there is no possibility that it will duplicate settings
intended for the same network (because one of the duplicates will be
discarded later, dropping the settings it contains).

This change introduces a new API restriction, if the deprecated container
wide field is used in the new API, and EndpointsConfig is provided for
any network, the NetworkMode and key under which the EndpointsConfig is
store must be the same - no mixing of ids and names.

Signed-off-by: Rob Murray <rob.murray@docker.com>
2024-02-29 17:02:19 +00:00
Sebastiaan van Stijn
b8aa8579ca Merge pull request #47352 from serhii-nakon/allow_host_loopback
Allow to enable host loopback and use 10.0.2.2 to connect to the host (OPTIONALLY)
2024-02-29 17:58:28 +01:00
Paweł Gronowski
225ccc0cfd Merge pull request #47473 from vvoland/cli-v26
Dockerfile: Update dev cli to v26.0.0-rc1
2024-02-29 16:02:16 +01:00
Paweł Gronowski
d19d98b136 Merge pull request #47475 from thaJeztah/nothing_to_see_here_move_along_move_along
distribution/xfer: fix pull progress message
2024-02-29 14:46:41 +01:00
Sebastiaan van Stijn
ebf3f8c7fe distribution/xfer: fix pull progress message
This message accidentally changed in ac2a028dcc
because my IDE's "refactor tool" was a bit over-enthusiastic. It also went and
updated the tests accordingly, so CI didn't catch this :)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-02-29 14:02:55 +01:00
Sebastiaan van Stijn
a242208be3 Merge pull request #47457 from vvoland/ci-report-timeout
ci: Update `teststat` to v0.1.25
2024-02-29 13:39:09 +01:00
Paweł Gronowski
2af2496c8c Dockerfile: Update dev cli to v26.0.0-rc1
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-02-29 12:45:17 +01:00
Paweł Gronowski
fc0e5401f2 ci: Update teststat to v0.1.25
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-02-29 10:06:07 +01:00
Bjorn Neergaard
8517c3386c Merge pull request #47458 from vvoland/ci-reports-better-find
ci: Make `find` for test reports more specific
2024-02-29 01:47:07 -07:00
Sebastiaan van Stijn
6c3b3523c9 Merge pull request #47041 from robmry/46968_refactor_resolvconf
Refactor 'resolv.conf' generation.
2024-02-29 09:33:55 +01:00
Bjorn Neergaard
d40b140c08 Merge pull request #47440 from thaJeztah/fix_ping_connection_errs
client: fix connection-errors being shadowed by API version errors
2024-02-28 13:33:49 -07:00