Commit Graph

56805 Commits

Author SHA1 Message Date
Paweł Gronowski
f0546ad689 Merge pull request #52851 from thaJeztah/update_authors_mailmap
update AUTHORS and mailmap
2026-06-12 17:47:17 +02:00
Sebastiaan van Stijn
52231e73f7 update AUTHORS and mailmap
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-12 17:39:31 +02:00
Sebastiaan van Stijn
277d0f08d4 Merge pull request #52849 from vvoland/fix-dockerpy
test/docker-py: Fix swarm encrypted failure
2026-06-12 17:25:20 +02:00
Sebastiaan van Stijn
5ceb949240 Merge pull request #52821 from notandruu/daemon/rlkclient-loopback-simplify
libnet/rlkclient: simplify ChildHostIP loopback handling
2026-06-12 17:03:16 +02:00
Sebastiaan van Stijn
bf81e1d54e Merge pull request #52818 from mat007/portallocator-reserved-ports
daemon/libnetwork/portallocator: skip kernel-reserved ports
2026-06-12 17:02:42 +02:00
Sebastiaan van Stijn
a2bb71ad59 Merge pull request #52806 from takumi12311123/45233-add-timeout-minutes
gha: Set timeout-minutes on build-dind and labeler jobs
2026-06-12 16:51:48 +02:00
Takumi Akasaka
7e8d2d1c13 gha: Set timeout-minutes on build-dind and labeler jobs
These were the only two jobs running directly via `runs-on:` that did
not have a `timeout-minutes` guardrail. Add 120 minutes as a starting
point to prevent runaway jobs, matching the existing convention used
elsewhere in the workflows. Tuning each job's timeout to its usual
runtime is left as a follow-up, as suggested in the issue.

Signed-off-by: Takumi Akasaka <takumiakasaka1231@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-12 16:10:56 +02:00
Sebastiaan van Stijn
6f484306ab Merge pull request #52651 from acouvreur/fix/container-update-blkio-device-throttle
daemon: support per-device blkio throttle in ContainerUpdate
2026-06-12 16:04:38 +02:00
Sebastiaan van Stijn
53ecd322ff Merge pull request #52828 from thaJeztah/sync_api
api/swagger: sync changes to versioned copies
2026-06-12 16:01:47 +02:00
Paweł Gronowski
dc97f25cbf daemon/router: Gate ContainerUpdate blkio device fields by API version
ContainerUpdate only starts applying per-device blkio settings in the
current API version.

The fields existed in the Go request type before that because it shares
`container.Resources` with other endpoints, but they were not documented
as supported for container update and older daemons ignored them.

Clear these fields when handling requests for older API versions so
clients pinned to those versions keep the previous behavior, while v1.55
clients can use the newly supported fields.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-12 15:52:31 +02:00
Alexis Couvreur
ca30e0d8ec daemon: support per-device blkio throttle in ContainerUpdate
The POST /containers/{id}/update API accepts BlkioWeightDevice,
BlkioDeviceReadBps, BlkioDeviceWriteBps, BlkioDeviceReadIOps, and
BlkioDeviceWriteIOps in its Resources body, but these five fields were
silently ignored when updating a running container.

The root cause was in toContainerdResources (daemon/update_linux.go):
only BlkioWeight was mapped into specs.LinuxBlockIO; the per-device
fields were never converted, so tsk.UpdateResources never wrote to
cgroupv2 io.max or the cgroupv1 blkio throttle files.

Fix by calling the existing getBlkioWeightDevices and
getBlkioThrottleDevices helpers (already used in oci_linux.go for
container creation) to populate all five fields. The function signature
is extended to return an error so that stat(2) failures on invalid
device paths are surfaced to the caller instead of being silently
dropped.

The API makes a distinction between nil and zero-length slices while
doing so. A nil per-device blkio field means the caller did not request an
update for that setting, while a non-nil empty slice means the caller
explicitly requested the setting to be cleared.

The Windows stub is updated to match the new signature.

Signed-off-by: Alexis Couvreur <alexiscouvreur.pro@gmail.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-12 15:52:14 +02:00
Paweł Gronowski
5eda928bb8 Merge pull request #52636 from smerkviladze/add-attestation-statements
image: expose in-toto attestation statements via the API
2026-06-12 15:49:34 +02:00
Paweł Gronowski
f3169f92a3 test/docker-py: Fix swarm encrypted failure
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-12 15:43:03 +02:00
Paweł Gronowski
4ee144f615 Merge pull request #52843 from vvoland/deflake-TestDiskUsage
integration/system: Allow rootless disk usage block drift
2026-06-12 15:38:57 +02:00
Sebastiaan van Stijn
57d28f76e5 Merge pull request #52835 from crazy-max/buildkit-0.31.0-rc2
vendor: update buildkit to v0.31.0-rc2
2026-06-12 15:30:15 +02:00
Paweł Gronowski
e362779c9e Merge pull request #52847 from vvoland/gha-fix-cancel
gha: Avoid cancelling non-PR CI runs
2026-06-12 15:13:02 +02:00
Andrew Liu
4e04377caa libnet/rlkclient: simplify ChildHostIP loopback handling
Follow-up to PR 52804, applying thaJeztah's review suggestion: check
IsLoopback first for both address families (preserving any requested
loopback address), and only fall back to the canonical loopback for
the family otherwise. No behavior change; ::1 now returns through the
loopback-preserving branch instead of the IPv6 fallback, with the same
result.

Signed-off-by: Andrew Liu <andrewjliu22@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-12 15:09:13 +02:00
Paweł Gronowski
17ccff865e gha: Avoid cancelling non-PR CI runs
The concurrency groups currently cancel older runs for push, tag,
scheduled, and manually dispatched events.

On maintained refs this can hide a regression when a later run starts
before the earlier validation finishes.

Keep cancellation for stale pull request runs only, while allowing
non-PR validation to complete.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-12 14:57:03 +02:00
Paweł Gronowski
f39fa9b651 integration/system: Extend rootless disk usage drift tolerance
Rootless snapshotter mode can report image TotalSize one filesystem
block above the per-image and reclaimable sizes after loading BusyBox.
The empty disk usage case already accepts this overlayfs accounting
artifact.

Allow the same bounded 4096-byte positive drift in the
after_LoadBusybox assertions while keeping strict equality for other
daemon modes.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-12 14:38:00 +02:00
Sebastiaan van Stijn
7d60710974 Merge pull request #52742 from AkihiroSuda/fix-52737
daemon: join detached netns when inspecting sysinfo
2026-06-12 14:37:03 +02:00
Sebastiaan van Stijn
e52ca97091 Merge pull request #52839 from thaJeztah/rm_stray_err_log
daemon: windows: remove stray error log on service shutdown
2026-06-12 14:32:37 +02:00
Sopho Merkviladze
0b2c3780be api: declare ImageAttestations platform and type as repeatable
Both query parameters are now collectionFormat: multi arrays in the
swagger so they can accept multiple values later without an API
version bump. The server still operates on a single platform and
rejects requests passing more than one; type is read directly as a
list of repeated values instead of a comma-separated string.

Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
2026-06-12 16:20:52 +04:00
CrazyMax
c1ed6b6b2d vendor: update buildkit to v0.31.0-rc2
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-06-12 13:43:37 +02:00
Paweł Gronowski
953c592487 Merge pull request #52838 from vvoland/gha-cleanup-logs
Revert "gha/ci: Store slim test-results-* artifacts"
2026-06-12 13:25:05 +02:00
Sebastiaan van Stijn
99c81194be daemon: windows: remove stray error log on service shutdown
runDaemon would unconditionally send an error event if the daemon
was running as a system service;

    Run New-Item -ItemType Directory -Force -Path ".\bundles" | Out-Null
    2026-06-08T03:31:52.1865738Z [Information] Starting up
    2026-06-08T03:31:52.3160498Z [Information] OTEL tracing is not configured, using no-op tracer provider
    2026-06-08T03:31:52.5037110Z [Information] Windows default isolation mode: process
    2026-06-08T03:31:52.7212058Z [Information] Loading containers: start.
    2026-06-08T03:31:52.7345902Z [Information] [graphdriver] trying configured driver: windowsfilter
    2026-06-08T03:31:52.8920546Z [Information] Restoring containers: start.
    2026-06-08T03:31:52.9910057Z [Information] Restoring existing overlay networks from HNS into docker
    2026-06-08T03:31:53.8958218Z [Information] Loading containers: done.
    2026-06-08T03:31:53.9093383Z [Information] Docker daemon [storage-driver=windowsfilter containerd-snapshotter=false version=29.1.5 commit=3b01d641]
    2026-06-08T03:31:53.9103431Z [Information] Initializing buildkit
    2026-06-08T03:31:54.3243456Z [Information] Completed buildkit initialization
    2026-06-08T03:31:54.4878293Z [Information] Daemon has completed initialization
    2026-06-08T03:31:54.4881959Z [Information] API listen on //./pipe/docker_engine
    2026-06-08T03:47:45.7182269Z [Information] Processing signal 'terminated'
    2026-06-08T03:47:45.7203206Z [Information] Daemon shutdown complete
    Error: 2026-06-08T03:47:45.7206236Z [Error] <nil>

If debug was enabled, it would log this error twice (once as error, and once as debug).

Let's make this a single log, and only an error if there was one. Note that this may still
be redundant, as `daemonCLI.start` also logs this error;
4c19a01575/daemon/command/daemon.go (L127-L134)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-12 12:45:14 +02:00
Paweł Gronowski
3407385a86 Revert "gha/ci: Store slim test-results-* artifacts"
This reverts commit 79f5ddc271.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-12 12:23:55 +02:00
Mathieu Champlon
86626bb2ce daemon/libnetwork/portallocator: skip kernel-reserved ports
The allocator reads its bounds from net.ipv4.ip_local_port_range but
ignored net.ipv4.ip_local_reserved_ports, so dynamically allocated host
ports could land on ports the kernel itself would never hand out
automatically, typically ports set aside for other applications.

Skip those ports when allocating from the default ephemeral range,
mirroring the kernel behaviour for automatic port assignment. Requests
for a specific port or an explicit port range are unchanged, like
explicit binds are unchanged by ip_local_reserved_ports.

Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
2026-06-12 12:09:28 +02:00
Sopho Merkviladze
a0b6dbc2fc api: add GET /images/{name}/attestations endpoint
Add a new Engine API endpoint that returns the in-toto attestation
statements attached to an image for a given platform. The endpoint
locates the attestation manifest(s) referencing the requested platform's
image manifest, enumerates the statement layers, and returns each
layer's OCI descriptor (including media type, digest, size, and
annotations) together with its in-toto predicate type.

Query parameters:
  - platform: JSON-encoded OCI platform; defaults to the daemon's host
    platform if omitted.
  - type: comma-separated list of in-toto predicate type URIs; if
    omitted, all statements are returned.
  - statement: boolean, defaults to false. When true, the daemon reads
    each matching statement blob and includes the verbatim in-toto JSON
    in the response. When false (or omitted), statement blobs are not
    read and the Statement field is absent from each entry.

The manifest-chain walk (locating the platform image manifest and its
associated attestation manifest) is delegated to policy-helpers'
image.ResolveSignatureChain so that moby and BuildKit agree on how to
interpret the attestation storage format. The statement-layer iteration
and blob reading is inlined: when statement bodies are requested it
fails fast on the first unreadable blob and reads matching blobs
eagerly into memory; otherwise statement-layer blobs are never read
from the content store.

The endpoint is implemented for the containerd image store. The legacy
graphdriver store returns errdefs.NotImplemented (HTTP 501).

Signed-off-by: Sopho Merkviladze <smerkviladze@mirantis.com>
2026-06-12 13:40:58 +04:00
Paweł Gronowski
d244804641 Merge pull request #52832 from renovate-bot/renovate/aws-sdk-go-v2-monorepo
Update aws-sdk-go-v2 monorepo to v1.75.2
2026-06-12 10:51:01 +02:00
Sebastiaan van Stijn
b70710150a Merge pull request #52820 from corhere/libnftables-without-nft
libnetwork: don't depend on `nft` when linked against libnftables
2026-06-11 23:53:04 +02:00
Mend Renovate
d6d4f958bc Update aws-sdk-go-v2 monorepo to v1.75.2
Signed-off-by: Mend Renovate <bot@renovateapp.com>
2026-06-11 18:37:52 +00:00
Sebastiaan van Stijn
ab27417d32 Merge pull request #52831 from vvoland/work-api
api: Bump to 1.55
2026-06-11 20:23:30 +02:00
Paweł Gronowski
8e54f4f249 Add replace rules
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-11 20:14:29 +02:00
Sebastiaan van Stijn
e38b8f7a1f Merge pull request #52829 from vvoland/gha-refactor-test
gha/ci: Simplify test job name
2026-06-11 20:00:22 +02:00
Paweł Gronowski
2badd7ece3 api: Bump to 1.55
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-11 19:37:35 +02:00
Paweł Gronowski
29f6cd5c90 Merge pull request #41963 from thaJeztah/prefix_slash
testing: refactor uses of "getPrefixAndSlashFromDaemonPlatform()"
2026-06-11 17:33:42 +02:00
Paweł Gronowski
79b55da537 gha/ci: Simplify test job name
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-11 17:30:43 +02:00
Paweł Gronowski
0a3aa0bc0c Merge pull request #52732 from vvoland/gha-refactor-test
gha/test: Extract mode selection to the caller
2026-06-11 17:21:16 +02:00
Paweł Gronowski
d54342afab Merge pull request #52814 from vvoland/buildkit-fix-gc
builder-next: Fix Buildkit GC filter
2026-06-11 17:10:32 +02:00
Sebastiaan van Stijn
bff5b9cf84 api/swagger: sync swarm join endpoint to older docs versions
Syncs changes from 2ecaac9631
and d5f6bdb027 to older API
versions, in addition to formatting changes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-11 15:38:04 +02:00
Sebastiaan van Stijn
8368bcd28f api/swagger: move position of ImageInspect.Identity
commit 6d133c5ec6 moved this field in
the swagger; move it back to align with older API versions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-11 15:37:38 +02:00
Paweł Gronowski
0538c9a1b8 builder-next: Fix Buildkit GC filter matching
Split the default GC policy filter into separate selectors so containerd
filters OR the intended reproducible cache types instead of ANDing
mutually exclusive record types.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2026-06-11 14:06:32 +02:00
Paweł Gronowski
ada941fe1c Merge pull request #52826 from thaJeztah/skip_daemon_logs
gha: windows: skip "Daemon event logs" if starting daemon was skipped
2026-06-11 13:30:20 +02:00
Sebastiaan van Stijn
7442fed14b Merge pull request #52825 from thaJeztah/skip_otel_stop
gha: windows: skip "Stop OpenTelemetry Collector" if it wasn't started
2026-06-11 12:48:20 +02:00
Cory Snider
8e3e9f4cf9 d/libn/i/nftables: cgo nftables without nft cmd
When the daemon is linked against libnftables it programs the kernel
without invoking the `nft` command. Allow the nftables firewall backend
to be enabled when libnftables is used, irrespective of whether `nft` is
installed on the host.

Update the bridge network driver to clean up stale nftables tables in
iptables mode without depending on the `nft` command.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2026-06-11 10:54:46 +02:00
Cory Snider
d27169cf3f d/libn/i/nftables: decouple nft handle from table
Afford applying nft commands via libnftables without needing to go
through our table abstraction. Make the table abstraction responsible
for lazily allocating an nft context.

Signed-off-by: Cory Snider <csnider@mirantis.com>
2026-06-11 10:54:43 +02:00
Akihiro Suda
a2b90c7cee daemon: join detached netns when inspecting sysinfo
Join `$ROOTLESSKIT_STATE_DIR/netns` when inspecting
`net.ipv4.ip_forward`, to silence the bogus warning
"IPv4 forwarding is disabled".

Fix issue 52737

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-06-11 17:41:34 +09:00
Akihiro Suda
efe6156e19 daemon: allow RawSysInfo to return an error
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2026-06-11 17:39:03 +09:00
Sebastiaan van Stijn
bca0598b7f Merge pull request #52817 from tonistiigi/update-buildkit-v0.31.0-rc1
vendor: update buildkit to v0.31.0-rc1
2026-06-11 09:56:44 +02:00
Sebastiaan van Stijn
a6ca4babd2 gha: windows: skip "Daemon event logs" if starting daemon was skipped
This step would fail if the daemon was never started ("Starting test daemon"),
or failed to start;

    Run Get-WinEvent -ea SilentlyContinue `
    out-file: D:\a\_temp\2b911acb-4e0e-4684-bf63-606f0da5f7c6.ps1:2
    Line |
       2 |  Get-WinEvent -ea SilentlyContinue `
         |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | Could not find a part of the path 'D:\a\moby\moby\go\src\github.com\docker\docker\bundles\daemon.log'.
    Error: Process completed with exit code 1.

- Update the step to skip if we never attempted to start the daemon
- Make sure the output directory is created: even if we failed to start
  the daemon (and thus tests weren't run), the startup itself could
  potentially contain information that helps debugging the reason for
  the daemon starting.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-11 09:48:55 +02:00