Commit message | Author | Age | Files | Lines
* Merge pull request #45467 from thaJeztah/sync_api_docs [v24.0.0-rc.2] (Sebastiaan van Stijn, 2023-05-06, 2 files, -36/+55)
  api: synchronize api/swagger.yaml with docs/api/v1.43.yaml

  * api: synchronize api/swagger.yaml with docs/api/v1.43.yaml (Sebastiaan van Stijn, 2023-05-05, 2 files, -36/+55)
    - forward-port changes from 0ffaa6c7858f0a5d85318efda43a2d20a684eae2 to api/swagger.yaml (v1.44-dev)
    - backports the changes to v1.43;
      - Update container OOMKilled flag immediately 57d2d6ef621cc126ca904e8fc98fbacbd345790a
      - Add no-new-privileges to SecurityOptions returned by /info eb7738221c3b6a6a1c1f46e4f38357473feddfc4
      - API: deprecate VirtualSize field for /images/json and /images/{id}/json 1261fe69a3586bb102182aa885197822419c768c
      - api/types/container: create type for changes endpoint dbb48e4b29e124aef6716ee8ad6856bf696235ca
      - builder-next/prune: Handle "until" filter timestamps 54a125f67703ab51ed8a004b625439dfafa7aa6c

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45476 from thaJeztah/vendor_containerd_1.6.21 (Tianon Gravi, 2023-05-05, 10 files, -7/+43)
  vendor: github.com/containerd/containerd v1.6.21

  * vendor: github.com/containerd/containerd v1.6.21 (Sebastiaan van Stijn, 2023-05-05, 10 files, -7/+43)
    release notes: https://github.com/containerd/containerd/releases/tag/v1.6.21

    Notable Updates
    - update runc binary to v1.1.7
    - Remove entry for container from container store on error
    - oci: partially restore comment on read-only mounts for uid/gid uses
    - windows: Add ArgsEscaped support for CRI
    - oci: Use WithReadonlyTempMount when adding users/groups
    - archive: consistently respect value of WithSkipDockerManifest

    full diff: https://github.com/containerd/containerd/compare/c0efc63d3907...v1.6.21

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45463 from corhere/copy-xattr-notsupp (Brian Goff, 2023-05-04, 1 file, -0/+6)
  d/graphdriver/copy: support src fs w/o xattr support

  * d/graphdriver/copy: support src fs w/o xattr support (Cory Snider, 2023-05-04, 1 file, -0/+6)
    Treat copying extended attributes from a source filesystem which does not support extended attributes as a no-op, same as if the file did not possess the extended attribute. Only fail copying extended attributes if the source file has the attribute and the destination filesystem does not support xattrs.

    Signed-off-by: Cory Snider <csnider@mirantis.com>
* Merge pull request #45353 from thaJeztah/api_container_change_type (Sebastiaan van Stijn, 2023-05-04, 12 files, -74/+133)
  api/types/container: create type for changes endpoint

  * client: slightly improve ContainerDiff tests (Sebastiaan van Stijn, 2023-05-03, 1 file, -21/+24)
    - use gotest.tools for asserting
    - check result returned

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * api/types/container: create type for changes endpoint (Sebastiaan van Stijn, 2023-05-03, 12 files, -56/+112)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45338 from thaJeztah/split_securityoptions (Sebastiaan van Stijn, 2023-05-04, 8 files, -91/+118)
  container: split security options to a SecurityOptions struct

  * container: split security options to a SecurityOptions struct (Sebastiaan van Stijn, 2023-04-29, 8 files, -91/+118)
    - Split these options to a separate struct, so that we can handle them in isolation.
    - Change some tests to use subtests, and improve coverage

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45429 from thaJeztah/libnetwork_cleanup_buildtags_and_stubs (Sebastiaan van Stijn, 2023-05-04, 13 files, -43/+42)
  libnetwork: remove redundant init(), remove dead code, and fix stubs / build-tags

  * libnetwork/osl: unify stubs for NeighOption (Sebastiaan van Stijn, 2023-04-28, 5 files, -11/+9)
    Use the same signature for all platforms, but stub the neigh type.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * libnetwork/osl: unify stubs for IfaceOption (Sebastiaan van Stijn, 2023-04-28, 5 files, -11/+9)
    Use the same signature for all platforms, but stub the nwIface type.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * libnetwork/osl: rename var that collided with import (Sebastiaan van Stijn, 2023-04-28, 1 file, -6/+6)
    Also renaming another var for consistency ':-)

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * libnetwork: add missing stub for getInitializers() (Sebastiaan van Stijn, 2023-04-28, 1 file, -0/+8)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * libnetwork: fix stubs (Sebastiaan van Stijn, 2023-04-28, 1 file, -9/+8)
    - sandbox, endpoint changed in c71555f03042ca531e24f6368d7e8c128774926f, but missed updating the stubs.
    - add missing stub for Controller.cleanupServiceDiscovery()
    - While at it also doing some minor (formatting) changes.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * libnetwork: overlayutils: remove redundant init() (Sebastiaan van Stijn, 2023-04-28, 1 file, -6/+2)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45456 from thaJeztah/update_go1.20.4 (Sebastiaan van Stijn, 2023-05-04, 6 files, -6/+6)
  update go to go1.20.4

  * update go to go1.20.4 (Sebastiaan van Stijn, 2023-05-03, 6 files, -6/+6)
    go1.20.4 (released 2023-05-02) includes three security fixes to the html/template package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle, crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our issue tracker for details:

    https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved

    release notes: https://go.dev/doc/devel/release#go1.20.4
    full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4

    from the announcement:

    > These minor releases include 3 security fixes following the security policy:
    >
    > - html/template: improper sanitization of CSS values
    >
    >   Angle brackets (`<>`) were not considered dangerous characters when inserted
    >   into CSS contexts. Templates containing multiple actions separated by a '/'
    >   character could result in unexpectedly closing the CSS context and allowing
    >   for injection of unexpected HTML, if executed with untrusted input.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
    >
    > - html/template: improper handling of JavaScript whitespace
    >
    >   Not all valid JavaScript whitespace characters were considered to be
    >   whitespace. Templates containing whitespace characters outside of the character
    >   set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
    >   actions may not be properly sanitized during execution.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
    >
    > - html/template: improper handling of empty HTML attributes
    >
    >   Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
    >   executed with empty input could result in output that would have unexpected
    >   results when parsed due to HTML normalization rules. This may allow injection
    >   of arbitrary attributes into tags.
    >
    >   Thanks to Juho Nurminen of Mattermost for reporting this issue.
    >
    >   This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45442 from thaJeztah/jsonmessage_refactor (Sebastiaan van Stijn, 2023-05-04, 2 files, -32/+50)
  pkg/jsonmessage: JSONMessage.Display(): remove special case for 401 errors

  * pkg/jsonmessage: touch-up GoDoc (Sebastiaan van Stijn, 2023-05-04, 1 file, -21/+45)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * pkg/jsonmessage: JSONProgress.String(), JSONProgress.now(): simplify (Sebastiaan van Stijn, 2023-05-04, 1 file, -7/+4)
    - inline an intermediate variable
    - remove a redundant intermediate function

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * pkg/jsonmessage: JSONMessage.Display(): remove special case for 401 errors (Sebastiaan van Stijn, 2023-05-04, 2 files, -4/+1)
    This special case was added in 3043c2641990d94298c6377b7ef14709263a4709 as a sentinel error (`AuthRequiredError`) to check whether authentication is required (and to prompt the users to authenticate).

    A later refactor (946bbee39a33b229b9da39e0f2062d43dde8dcee) removed the `AuthRequiredError`, but kept the error-message and logic.

    Starting with fcee6056dc50de7698772a3049cdfa1eb0f2416f, it looks like we no longer depend on this specific error, so we can return the registry's error message instead.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45438 from thaJeztah/c8d_fix_image_commit (Sebastiaan van Stijn, 2023-05-04, 3 files, -23/+10)
  c8d: commit: generateCommitImageConfig: don't merge image config

  * daemon: Daemon.CreateImageFromContainer(): remove intermediate vars (Sebastiaan van Stijn, 2023-04-29, 1 file, -4/+2)
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * api/server/router/container: containerRouter.postCommit: inline struct (Sebastiaan van Stijn, 2023-04-29, 1 file, -4/+2)
    Remove intermediate variable and inline the struct-literal.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * c8d: commit: generateCommitImageConfig: don't merge image config (Sebastiaan van Stijn, 2023-04-29, 1 file, -15/+6)
    daemon.CreateImageFromContainer() already constructs a new config by taking the image config, applying custom options (`docker commit --change ..`) (if any), and merging those with the containers' configuration, so there is no need to merge options again.

    https://github.com/moby/moby/blob/e22758bfb2d615f67512336f121c677d099b3269/daemon/commit.go#L152-L158

    This patch removes the merge logic from generateCommitImageConfig, and removes the unused arguments and error-return.

    Co-authored-by: Djordje Lukic <djordje.lukic@docker.com>
    Co-authored-by: Laura Brehm <laurabrehm@hey.com>
    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45441 from thaJeztah/vendor_runtime_spec_v1.1.0-rc.2 (Sebastiaan van Stijn, 2023-05-03, 5 files, -10/+23)
  vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2

  * vendor: github.com/opencontainers/runtime-spec v1.1.0-rc.2 (Sebastiaan van Stijn, 2023-04-30, 5 files, -10/+23)
    release notes: https://github.com/opencontainers/runtime-spec/releases/tag/v1.1.0-rc.2

    Additions
    - config-linux: add support for rsvd hugetlb cgroup
    - features: add features.md to formalize the runc features JSON
    - config-linux: add support for time namespace

    Minor fixes and documentation
    - config-linux: clarify where device nodes can be created
    - runtime: remove When serialized in JSON, the format MUST adhere to the following pattern
    - Update CI to Go 1.20
    - config: clarify Linux mount options
    - config-linux: fix url error
    - schema: fix schema for timeOffsets
    - schema: remove duplicate keys

    full diff: https://github.com/opencontainers/runtime-spec/compare/v1.1.0-rc.1...v1.1.0-rc.2

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #44583 from thaJeztah/update_term (Brian Goff, 2023-05-02, 13 files, -206/+220)
  vendor: github.com/moby/term v0.5.0

  * vendor: github.com/moby/term v0.5.0 (Sebastiaan van Stijn, 2023-05-02, 13 files, -189/+222)
    - split exported functions from implementation
    - windows: IsConsole(): fix deprecation comment
    - deprecate Termios in favor of unix.Termios
    - windows: keyToString(): fix string conversion
    - gha: update actions, add macOS, and add Go1.20
    - gha: add windows

    full diff: https://github.com/moby/term/compare/1aeaba8785877a66f57739be9fccb6f5cfab429e...v0.5.0

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

  * vendor: github.com/moby/term v0.0.0-20221205130635-1aeaba878587 (Sebastiaan van Stijn, 2023-04-30, 4 files, -23/+4)
    term: remove interrupt handler on termios

    On termios platforms, interrupt signals are not generated in raw mode terminals as the ISIG setting is not enabled. Remove interrupt handler as it does nothing for raw mode and prevents other uses of INT signal with this library.

    This code seems to go back all the way to moby/moby#214 where signal handling was improved for monolithic docker repository. Raw mode -ISIG got reintroduced in moby/moby@3f63b878076, but the INT handler was left behind.

    full diff: https://github.com/moby/term/compare/abb19827d345...1aeaba8785877a66f57739be9fccb6f5cfab429e

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45423 from thaJeztah/vendor_runc_1.1.7 (Sebastiaan van Stijn, 2023-04-30, 3 files, -4/+4)
  vendor: github.com/opencontainers/runc v1.1.7

  * vendor: github.com/opencontainers/runc v1.1.7 (Sebastiaan van Stijn, 2023-04-27, 3 files, -4/+4)
    release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
    full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

    This is the seventh patch release in the 1.1.z release of runc, and is the last planned release of the 1.1.z series. It contains a fix for cgroup device rules with systemd when handling device rules for devices that don't exist (though for devices whose drivers don't correctly register themselves in the kernel -- such as the NVIDIA devices -- the full fix only works with systemd v240+).

    - When used with systemd v240+, systemd cgroup drivers no longer skip DeviceAllow rules if the device does not exist (a regression introduced in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5, removing an extra warning emitted by runc run/start.
    - The source code now has a new file, runc.keyring, which contains the keys used to sign runc releases.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45435 from thaJeztah/c8d_import_argsescaped (Sebastiaan van Stijn, 2023-04-30, 1 file, -8/+9)
  daemon/containerd: containerConfigToOciImageConfig: add ArgsEscaped

  * daemon/containerd: containerConfigToOciImageConfig: add ArgsEscaped (Sebastiaan van Stijn, 2023-04-29, 1 file, -8/+9)
    The OCI image-spec now also provides ArgsEscaped for backward compatibility with the option used by Docker.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45314 from corhere/graceful-shutdown (Sebastiaan van Stijn, 2023-04-28, 6 files, -161/+142)
  cmd/dockerd: gracefully shut down the API server

  * cmd/dockerd: gracefully shut down the API server (Cory Snider, 2023-04-26, 3 files, -122/+108)
    As of Go 1.8, "net/http".Server provides facilities to close all listeners, making the same facilities in server.Server redundant. http.Server also improves upon server.Server by additionally providing a facility to also wait for outstanding requests to complete after closing all listeners. Leverage those facilities to give in-flight requests up to five seconds to finish up after all containers have been shut down.

    Signed-off-by: Cory Snider <csnider@mirantis.com>

  * cmd/dockerd/trap: log to logrus directly (Cory Snider, 2023-04-26, 3 files, -9/+7)
    Logging through a dependency-injected interface value was a vestige of when Trap was in pkg/signal to avoid importing logrus in a reusable package: cc4da8112814cdbb00dbf23370f9ed764383de1f. Now that Trap lives under cmd/dockerd, nobody will be importing this so we no longer need to worry about minimizing the package's dependencies.

    Signed-off-by: Cory Snider <csnider@mirantis.com>

  * cmd/dockerd/trap: don't force exit after cleanup (Cory Snider, 2023-04-26, 1 file, -27/+24)
    Always calling os.Exit() on clean shutdown may not always be desirable as deferred functions are not run. Let the cleanup callback decide whether or not to call os.Exit() itself. Allow the process to exit the normal way, by returning from func main().

    Simplify the trap.Trap implementation. The signal notifications are buffered in a channel so there is little need to spawn a new goroutine for each received signal. With all signals being handled in the same goroutine, there are no longer any concurrency concerns around the interrupt counter.

    Signed-off-by: Cory Snider <csnider@mirantis.com>

  * cmd/dockerd: ignore SIGPIPE using signal.Ignore (Cory Snider, 2023-04-25, 2 files, -9/+9)
    The fix to ignore SIGPIPE signals was originally added in the Go 1.4 era. signal.Ignore was first added in Go 1.5.

    Signed-off-by: Cory Snider <csnider@mirantis.com>
* Merge pull request #45426 from vvoland/c8d-import-dangling (Brian Goff, 2023-04-28, 1 file, -6/+24)
  c8d/import: Don't gc unnamed images

  * c8d/import: Don't gc unnamed images (Paweł Gronowski, 2023-04-28, 1 file, -6/+24)
    Create dangling images for imported images which don't have a name annotation attached. Previously the content got loaded, but no image referencing it was created which caused it to be garbage collected immediately.

    Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
* Merge pull request #45422 from thaJeztah/runc_binary_1.1.7 (Sebastiaan van Stijn, 2023-04-28, 2 files, -2/+2)
  update runc binary to v1.1.7

  * update runc binary to v1.1.7 (Sebastiaan van Stijn, 2023-04-27, 2 files, -2/+2)
    release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
    full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7

    This is the seventh patch release in the 1.1.z release of runc, and is the last planned release of the 1.1.z series. It contains a fix for cgroup device rules with systemd when handling device rules for devices that don't exist (though for devices whose drivers don't correctly register themselves in the kernel -- such as the NVIDIA devices -- the full fix only works with systemd v240+).

    - When used with systemd v240+, systemd cgroup drivers no longer skip DeviceAllow rules if the device does not exist (a regression introduced in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5, removing an extra warning emitted by runc run/start.
    - The source code now has a new file, runc.keyring, which contains the keys used to sign runc releases.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45431 from laurazard/remove-dangling-pull (Sebastiaan van Stijn, 2023-04-28, 1 file, -2/+21)
  c8d: delete dangling image on pull

  * c8d: delete dangling image on pull (Laura Brehm, 2023-04-28, 1 file, -2/+21)
    Signed-off-by: Laura Brehm <laurabrehm@hey.com>
* Merge pull request #43506 from thaJeztah/libnetwork_fix_reexec_defer (Sebastiaan van Stijn, 2023-04-28, 4 files, -97/+37)
  libnetwork: processSetKeyReexec() remove defer(), and some refactoring

  * libnetwork: inline sendKey() into SetExternalKey() (Sebastiaan van Stijn, 2023-04-28, 1 file, -23/+5)
    This function included a defer to close the net.Conn if an error occurred, but the calling function (SetExternalKey()) also had a defer to close it unconditionally. Rewrite it to use json.NewEncoder(), which accepts a writer, and inline the code.

    Signed-off-by: Sebastiaan van Stijn <github@gone.nl>