path: root/hack
Commit message [Author, Age, Files, Lines]
* update containerd binary to v1.7.1 [Sebastiaan van Stijn, 2023-05-15, files: 1, lines: -1/+1]
|     full diff: https://github.com/containerd/containerd/compare/v1.7.0...v1.7.1
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #45304 from crazy-max/buildkit-version-buildinfo [Brian Goff, 2023-05-10, files: 1, lines: -1/+9]
|\
| |     Set BuildKit version using buildinfo
| * hack: enable Go modules when building dockerd and docker-proxy [Kevin Alvarez, 2023-04-25, files: 1, lines: -1/+9]
| |     This is a workaround to have buildinfo with deps embedded in the binary. We need to create a go.mod file before building with -modfile=vendor.mod, otherwise it fails with: "-modfile cannot be used to set the module root directory."
| |     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* | added alias validation [Jeyanthinath Muthuram, 2023-05-08, files: 1, lines: -0/+2]
| |     Signed-off-by: Jeyanthinath Muthuram <jeyanthinath10@gmail.com>
* | Merge pull request #45353 from thaJeztah/api_container_change_type [Sebastiaan van Stijn, 2023-05-04, files: 1, lines: -2/+3]
|\ \
| | |     api/types/container: create type for changes endpoint
| * | api/types/container: create type for changes endpoint [Sebastiaan van Stijn, 2023-05-03, files: 1, lines: -2/+3]
| | |     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* | | update runc binary to v1.1.7 [Sebastiaan van Stijn, 2023-04-27, files: 1, lines: -1/+1]
| |/
|/|
| |     release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.7
| |     full diff: https://github.com/opencontainers/runc/compare/v1.1.6...v1.1.7
| |
| |     This is the seventh patch release in the 1.1.z release of runc, and is the last planned release of the 1.1.z series. It contains a fix for cgroup device rules with systemd when handling device rules for devices that don't exist (though for devices whose drivers don't correctly register themselves in the kernel -- such as the NVIDIA devices -- the full fix only works with systemd v240+).
| |
| |     - When used with systemd v240+, systemd cgroup drivers no longer skip DeviceAllow rules if the device does not exist (a regression introduced in runc 1.1.3). This fix also reverts the workaround added in runc 1.1.5, removing an extra warning emitted by runc run/start.
| |     - The source code now has a new file, runc.keyring, which contains the keys used to sign runc releases.
| |
| |     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* | update runc binary to v1.1.6 [Sebastiaan van Stijn, 2023-04-13, files: 1, lines: -1/+1]
|/
|     release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.6
|     full diff: https://github.com/opencontainers/runc/compare/v1.1.5...v1.1.6
|
|     This is the sixth patch release in the 1.1.z series of runc, which fixes a series of cgroup-related issues.
|
|     Note that this release can no longer be built from sources using Go 1.16. Using a latest maintained Go 1.20.x or Go 1.19.x release is recommended. Go 1.17 can still be used.
|
|     - systemd cgroup v1 and v2 drivers were deliberately ignoring UnitExist error from systemd while trying to create a systemd unit, which in some scenarios may result in a container not being added to the proper systemd unit and cgroup.
|     - systemd cgroup v2 driver was incorrectly translating cpuset range from spec's resources.cpu.cpus to systemd unit property (AllowedCPUs) in case of more than 8 CPUs, resulting in the wrong AllowedCPUs setting.
|     - systemd cgroup v1 driver was prefixing container's cgroup path with the path of PID 1 cgroup, resulting in inability to place PID 1 in a non-root cgroup.
|     - runc run/start may return "permission denied" error when starting a rootless container when the file to be executed does not have executable bit set for the user, not taking the CAP_DAC_OVERRIDE capability into account. This is a regression in runc 1.1.4, as well as in Go 1.20 and 1.20.1
|     - cgroup v1 drivers are now aware of misc controller.
|
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* golangci-lint: enable importas linter to force consistent aliases [Sebastiaan van Stijn, 2023-04-08, files: 1, lines: -0/+11]
|     This enforces the github.com/containerd/containerd/errdefs package to be aliased as "cerrdefs". Any other alias (or no alias used) results in a linting failure:
|
|         integration/container/pause_test.go:9:2: import "github.com/containerd/containerd/errdefs" imported as "c8derrdefs" but must be "cerrdefs" according to config (importas)
|             c8derrdefs "github.com/containerd/containerd/errdefs"
|             ^
|
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* update runc binary to v1.1.5 [Sebastiaan van Stijn, 2023-03-30, files: 1, lines: -1/+1]
|     release notes: https://github.com/opencontainers/runc/releases/tag/v1.1.5
|     diff: https://github.com/opencontainers/runc/compare/v1.1.4...v1.1.5
|
|     This is the fifth patch release in the 1.1.z series of runc, which fixes three CVEs found in runc.
|
|     * CVE-2023-25809 is a vulnerability involving rootless containers where (under specific configurations), the container would have write access to the /sys/fs/cgroup/user.slice/... cgroup hierarchy. No other hierarchies on the host were affected. This vulnerability was discovered by Akihiro Suda. <https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc>
|     * CVE-2023-27561 was a regression which effectively re-introduced CVE-2019-19921. This bug was present from v1.0.0-rc95 to v1.1.4. This regression was discovered by @Beuc. <https://github.com/advisories/GHSA-vpvm-3wq2-2wvm>
|     * CVE-2023-28642 is a variant of CVE-2023-27561 and was fixed by the same patch. This variant of the above vulnerability was reported by Lei Wang. <https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c>
|
|     In addition, the following other fixes are included in this release:
|
|     * Fix the inability to use `/dev/null` when inside a container.
|     * Fix changing the ownership of host's `/dev/null` caused by fd redirection (a regression in 1.1.1).
|     * Fix rare runc exec/enter unshare error on older kernels, including CentOS < 7.7.
|     * nsexec: Check for errors in `write_log()`.
|
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* update containerd binary to v1.7.0 [Sebastiaan van Stijn, 2023-03-12, files: 1, lines: -1/+1]
|     - release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0
|     - full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.4...v1.7.0
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Upgrade to Go 1.20 [Bjorn Neergaard, 2023-02-22, files: 1, lines: -1/+1]
|     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
|     Co-authored-by: Cory Snider <csnider@mirantis.com>
|     Signed-off-by: Cory Snider <csnider@mirantis.com>
* update containerd binary to v1.7.0-beta.4 [Sebastiaan van Stijn, 2023-02-17, files: 1, lines: -1/+1]
|     release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.4
|     full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.3...v1.7.0-beta.4
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* update containerd binary to v1.7.0-beta.3 [Sebastiaan van Stijn, 2023-01-30, files: 1, lines: -1/+1]
|     full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.2...v1.7.0-beta.3
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Merge pull request #44853 from crazy-max/rm-install-suffix [Sebastiaan van Stijn, 2023-01-20, files: 5, lines: -31/+14]
|\
| |     hack: remove -installsuffix build flag
| * hack: display build cmd when DOCKER_DEBUG set [CrazyMax, 2023-01-19, files: 2, lines: -16/+10]
| |     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
| * hack: remove unnecessary vars in make.sh script [CrazyMax, 2023-01-19, files: 4, lines: -10/+4]
| |     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
| * hack: remove ORIG_BUILDFLAGS var [CrazyMax, 2023-01-19, files: 1, lines: -5/+1]
| |     This var was used for the cross target but it has been removed in 8086f4012330d1c1058e07fc4e5e4522dd432c20 so not necessary anymore
| |     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
| * hack: remove -installsuffix build flag [CrazyMax, 2023-01-19, files: 1, lines: -2/+1]
| |     Has been introduced in 232d59baeb13778abc242a602ca434d83e1eb6e8 to work around a bug with "go build" but not required anymore since go 1.5: https://github.com/golang/go/commit/4dab6d01f12591f256d36b32cd6480ef679458f1
| |     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* | hack: check if cross-compiling before setting ARM target name [CrazyMax, 2023-01-20, files: 1, lines: -16/+19]
|/
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* hack: name for target ARM architecture not specified [Kevin Alvarez, 2023-01-16, files: 1, lines: -53/+16]
|     Build currently doesn't set the right name for target ARM architecture through switches in CGO_CFLAGS and CGO_CXXFLAGS when doing cross-compilation. This was previously fixed in https://github.com/moby/moby/pull/43474
|
|     Also removes the toolchain configuration. Following changes for cross-compilation in https://github.com/moby/moby/pull/44546, we forgot to remove the toolchain configuration that is not used anymore as xx already sets correct cc/cxx envs already.
|
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* hack: typo in displayed platform name [CrazyMax, 2023-01-16, files: 1, lines: -1/+1]
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* Merge pull request #44748 from vvoland/buildflags-nopie-whenrace [Sebastiaan van Stijn, 2023-01-05, files: 1, lines: -6/+9]
|\
| |     hack/make: Don't add -buildmode=pie with -race
| * hack/make: Don't add -buildmode=pie with -race [Paweł Gronowski, 2023-01-05, files: 1, lines: -6/+9]
| |     Make it possible to add `-race` to the BUILDFLAGS without making the build fail with error: "-buildmode=pie not supported when -race is enabled"
| |     Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
* | hack: restore copy_binaries func [CrazyMax, 2023-01-05, files: 1, lines: -0/+24]
|/
|     This function is still useful for the dev environment.
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* ci: use GITHUB_REF and GITHUB_SHA to set version and commit [CrazyMax, 2023-01-01, files: 1, lines: -0/+8]
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* hack: update buildmode pie condition [CrazyMax, 2023-01-01, files: 1, lines: -6/+3]
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* hack: do not set buildmode pie for statically linked binary [CrazyMax, 2023-01-01, files: 3, lines: -11/+14]
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* hack: use PKG_CONFIG var when checking libdevmapper [CrazyMax, 2023-01-01, files: 1, lines: -5/+1]
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* IAmStatic not used anymore [CrazyMax, 2023-01-01, files: 4, lines: -4/+0]
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* hack: remove containerutility script [CrazyMax, 2023-01-01, files: 1, lines: -20/+0]
|     this script is not used anymore. containerutility is built in the Dockerfile.
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* Dockerfile: use TARGETPLATFORM to build Docker [CrazyMax, 2023-01-01, files: 6, lines: -122/+66]
|     Better support for cross compilation so we can fully rely on `--platform` flag of buildx for a seamless integration.
|
|     This removes unnecessary extra cross logic in the Dockerfile, DOCKER_CROSSPLATFORMS and CROSS vars and some hack scripts as well.
|
|     Non-sandboxed build invocation is still supported and dev stages in the Dockerfile have been updated accordingly.
|
|     Bake definition and GitHub Actions workflows have been updated accordingly as well.
|
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* update containerd binary to v1.7.0-beta.1 [Sebastiaan van Stijn, 2022-12-15, files: 1, lines: -1/+1]
|     release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.1
|     full diff: https://github.com/containerd/containerd/compare/v1.7.0-beta.0...v1.7.0-beta.1
|     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* hack: introduce validate/no-module [Bjorn Neergaard, 2022-12-12, files: 1, lines: -0/+17]
|     Moby is not a Go module; to prevent anyone from mistakenly trying to convert it to one before we are ready, introduce a check (usable in CI and locally) for a go.mod file.
|
|     This is preferable to trying to .gitignore the file as we can ensure that a mistakenly created go.mod is surfaced by Git-based tooling and is less likely to surprise a contributor.
|
|     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
* hack: replace go-mod-prepare.sh with wrapper script [Bjorn Neergaard, 2022-12-12, files: 4, lines: -23/+34]
|     To make the local build environment more correct and consistent, we should never leave an uncommitted go.mod in the tree; however, we need a go.mod for certain commands to work properly. Use a wrapper script to create and destroy the go.mod as needed instead of potentially changing tooling behavior by leaving it.
|
|     If a go.mod already exists, this script will warn and call the wrapped command with GO111MODULE=on.
|
|     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
* Merge pull request #44459 from neersighted/validate_always_tidy [Sebastiaan van Stijn, 2022-12-12, files: 3, lines: -43/+73]
|\
| |     validate/vendor: always tidy
| * hack/go-mod-prepare.sh: find root robustly; make steps transparent [Bjorn Neergaard, 2022-11-18, files: 1, lines: -2/+7]
| |     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
| * hack/validate/vendor: clean up license validation step [Bjorn Neergaard, 2022-11-18, files: 1, lines: -9/+10]
| |     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
| * hack/validate/vendor: split tidy from vendor [Bjorn Neergaard, 2022-11-18, files: 1, lines: -31/+32]
| |     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
| * hack/vendor.sh: allow running tidy & vendor separately [Bjorn Neergaard, 2022-11-18, files: 1, lines: -5/+28]
| |     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
* | Merge pull request #44531 from thaJeztah/containerd_1.7_binary [Sebastiaan van Stijn, 2022-12-01, files: 1, lines: -1/+1]
|\ \
| | |     update containerd binary to v1.7.0-beta.0
| * | update containerd binary to v1.7.0-beta.0 [Sebastiaan van Stijn, 2022-11-26, files: 1, lines: -1/+1]
| | |     release notes: https://github.com/containerd/containerd/releases/tag/v1.7.0-beta.0
| | |     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* | | hack/generate-authors.sh: refactor and simplify [Bjorn Neergaard, 2022-11-30, files: 1, lines: -9/+11]
|/ /
| |     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
| |     Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* | Merge pull request #44494 from crazy-max/go-autogen [Sebastiaan van Stijn, 2022-11-23, files: 1, lines: -4/+0]
|\ \
| | |     hack: remove obsolete sources for go-autogen
| * | hack: remove obsolete sources for go-autogen [CrazyMax, 2022-11-18, files: 1, lines: -4/+0]
| |/
| |     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* | Dockerfile: remove hardcoded platforms for vpnkit stage [CrazyMax, 2022-11-22, files: 2, lines: -5/+4]
|/
|     Current Dockerfile downloads vpnkit for both linux/amd64 and linux/arm64 platforms even if target platform does not match. This change will download vpnkit only if target platform matches, otherwise it will just use a dummy scratch stage.
|     Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
* Merge pull request #44466 from neersighted/drop_changelog [Sebastiaan van Stijn, 2022-11-16, files: 3, lines: -39/+0]
|\
| |     cleanup: drop historical CHANGELOG.md
| * hack/validate: drop changelog-related steps [Bjorn Neergaard, 2022-11-15, files: 3, lines: -39/+0]
| |     Signed-off-by: Bjorn Neergaard <bneergaard@mirantis.com>
* | Merge pull request #44467 from AkihiroSuda/rootlesskit-1.1.0 [Sebastiaan van Stijn, 2022-11-16, files: 1, lines: -3/+3]
|\ \
| | |     update RootlessKit to v1.1.0
| * | rootlesskit.installer: s/vendor.conf/vendor.mod/ [Akihiro Suda, 2022-11-16, files: 1, lines: -1/+1]
| | |     Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>