Merge pull request #5553 from thaJeztah/login_idempotent

cli/config/credentials: skip saving config-file if credentials didn't change

cli/command/registry.go

@@ -86,7 +86,8 @@ func GetDefaultAuthConfig(cfg *configfile.ConfigFile, checkCredStore bool, serve
 }
 
 // ConfigureAuth handles prompting of user's username and password if needed.
-// Deprecated: use PromptUserForCredentials instead.
+//
+// Deprecated: use [PromptUserForCredentials] instead.
 func ConfigureAuth(ctx context.Context, cli Cli, flUser, flPassword string, authConfig *registrytypes.AuthConfig, _ bool) error {
 	defaultUsername := authConfig.Username
 	serverAddress := authConfig.ServerAddress

cli/config/credentials/file_store.go

@@ -30,6 +30,10 @@ func NewFileStore(file store) Store {
 
 // Erase removes the given credentials from the file store.
 func (c *fileStore) Erase(serverAddress string) error {
+	if _, exists := c.file.GetAuthConfigs()[serverAddress]; !exists {
+		// nothing to do; no credentials found for the given serverAddress
+		return nil
+	}
 	delete(c.file.GetAuthConfigs(), serverAddress)
 	return c.file.Save()
 }
@@ -70,9 +74,14 @@ https://docs.docker.com/go/credential-store/
 // CLI invocation (no need to warn the user multiple times per command).
 var alreadyPrinted atomic.Bool
 
-// Store saves the given credentials in the file store.
+// Store saves the given credentials in the file store. This function is
+// idempotent and does not update the file if credentials did not change.
 func (c *fileStore) Store(authConfig types.AuthConfig) error {
 	authConfigs := c.file.GetAuthConfigs()
+	if oldAuthConfig, ok := authConfigs[authConfig.ServerAddress]; ok && oldAuthConfig == authConfig {
+		// Credentials didn't change, so skip updating the configuration file.
+		return nil
+	}
 	authConfigs[authConfig.ServerAddress] = authConfig
 	if err := c.file.Save(); err != nil {
 		return err

docs/generate/go.mod

@@ -3,7 +3,7 @@ module github.com/docker/cli/docs/generate
 // dummy go.mod to avoid dealing with dependencies specific
 // to docs generation and not really part of the project.
 
-go 1.16
+go 1.22.0
 
 //require (
 //	github.com/docker/cli v0.0.0+incompatible

man/go.mod

@@ -3,7 +3,7 @@ module github.com/docker/cli/man
 // dummy go.mod to avoid dealing with dependencies specific
 // to manpages generation and not really part of the project.
 
-go 1.16
+go 1.12.0
 
 //require (
 //	github.com/docker/cli v0.0.0+incompatible

scripts/vendor

@@ -18,7 +18,7 @@ init() {
   cat > go.mod <<EOL
 module github.com/docker/cli
 
-go 1.19
+go 1.22.0
 EOL
 }
 

vendor.mod

@@ -4,7 +4,7 @@ module github.com/docker/cli
 // There is no 'go.mod' file, as that would imply opting in for all the rules
 // around SemVer, which this repo cannot abide by as it uses CalVer.
 
-go 1.21.0
+go 1.22.0
 
 require (
 	dario.cat/mergo v1.0.1
@@ -13,7 +13,7 @@ require (
 	github.com/distribution/reference v0.6.0
 	github.com/docker/cli-docs-tool v0.8.0
 	github.com/docker/distribution v2.8.3+incompatible
-	github.com/docker/docker v27.0.2-0.20240912171519-164cae56ed95+incompatible // master (v-next)
+	github.com/docker/docker v27.0.2-0.20241018142220-36a3bd090489+incompatible // master (v-next)
 	github.com/docker/docker-credential-helpers v0.8.2
 	github.com/docker/go-connections v0.5.0
 	github.com/docker/go-units v0.5.0

vendor.sum

@@ -57,8 +57,8 @@ github.com/docker/cli-docs-tool v0.8.0/go.mod h1:8TQQ3E7mOXoYUs811LiPdUnAhXrcVsB
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.0.2-0.20240912171519-164cae56ed95+incompatible h1:HRK75BHG33htes7s+v/fJ8saCNw3B7f3spcgLsvbLRQ=
+github.com/docker/docker v27.0.2-0.20241018142220-36a3bd090489+incompatible h1:utxxyIvPGk7UmtlGHirUyNUP2Spf8yL660PCbmb7tsk=
-github.com/docker/docker v27.0.2-0.20240912171519-164cae56ed95+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.0.2-0.20241018142220-36a3bd090489+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
 github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=

vendor/github.com/docker/docker/api/swagger.yaml

@@ -6005,7 +6005,7 @@ definitions:
           accept un-encrypted (HTTP) and/or untrusted (HTTPS with certificates
           from unknown CAs) communication.
 
-          By default, local registries (`127.0.0.0/8`) are configured as
+          By default, local registries (`::1/128` and `127.0.0.0/8`) are configured as
           insecure. All other registries are secure. Communicating with an
           insecure registry is not possible if the daemon assumes that registry
           is secure.
@@ -6170,6 +6170,8 @@ definitions:
       Expected:
         description: |
           Commit ID of external tool expected by dockerd as set at build time.
+
+          **Deprecated**: This field is deprecated and will be omitted in a API v1.49.
         type: "string"
         example: "2d41c047c83e09a6d61d464906feb2a2f3c52aa4"
 
@@ -7881,10 +7883,12 @@ paths:
           type: "string"
         - name: "h"
           in: "query"
+          required: true
           description: "Height of the TTY session in characters"
           type: "integer"
         - name: "w"
           in: "query"
+          required: true
           description: "Width of the TTY session in characters"
           type: "integer"
       tags: ["Container"]
@@ -10236,10 +10240,12 @@ paths:
           type: "string"
         - name: "h"
           in: "query"
+          required: true
           description: "Height of the TTY session in characters"
           type: "integer"
         - name: "w"
           in: "query"
+          required: true
           description: "Width of the TTY session in characters"
           type: "integer"
       tags: ["Exec"]

vendor/github.com/docker/docker/api/types/system/info.go

@@ -137,8 +137,13 @@ type PluginsInfo struct {
 // Commit holds the Git-commit (SHA1) that a binary was built from, as reported
 // in the version-string of external tools, such as containerd, or runC.
 type Commit struct {
-	ID       string // ID is the actual commit ID of external tool.
+	// ID is the actual commit ID or version of external tool.
-	Expected string // Expected is the commit ID of external tool expected by dockerd as set at build time.
+	ID string
+
+	// Expected is the commit ID of external tool expected by dockerd as set at build time.
+	//
+	// Deprecated: this field is no longer used in API v1.49, but kept for backward-compatibility with older API versions.
+	Expected string
 }
 
 // NetworkAddressPool is a temp struct used by [Info] struct.

vendor/github.com/docker/docker/api/types/types.go

@@ -172,4 +172,6 @@ type BuildCachePruneOptions struct {
 	All         bool
 	KeepStorage int64
 	Filters     filters.Args
+
+	// FIXME(thaJeztah): add new options; see https://github.com/moby/moby/issues/48639
 }

vendor/github.com/docker/docker/client/client.go

@@ -2,7 +2,7 @@
 Package client is a Go client for the Docker Engine API.
 
 For more information about the Engine API, see the documentation:
-https://docs.docker.com/engine/api/
+https://docs.docker.com/reference/api/engine/
 
 # Usage
 

vendor/github.com/docker/docker/client/container_create.go

@@ -5,6 +5,8 @@ import (
 	"encoding/json"
 	"net/url"
 	"path"
+	"sort"
+	"strings"
 
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
@@ -12,12 +14,6 @@ import (
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
-type configWrapper struct {
-	*container.Config
-	HostConfig       *container.HostConfig
-	NetworkingConfig *network.NetworkingConfig
-}
-
 // ContainerCreate creates a new container based on the given configuration.
 // It can be associated with a name, but it's not mandatory.
 func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *ocispec.Platform, containerName string) (container.CreateResponse, error) {
@@ -58,6 +54,9 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 			// When using API under 1.42, the Linux daemon doesn't respect the ConsoleSize
 			hostConfig.ConsoleSize = [2]uint{0, 0}
 		}
+
+		hostConfig.CapAdd = normalizeCapabilities(hostConfig.CapAdd)
+		hostConfig.CapDrop = normalizeCapabilities(hostConfig.CapDrop)
 	}
 
 	// Since API 1.44, the container-wide MacAddress is deprecated and will trigger a WARNING if it's specified.
@@ -74,7 +73,7 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 		query.Set("name", containerName)
 	}
 
-	body := configWrapper{
+	body := container.CreateRequest{
 		Config:           config,
 		HostConfig:       hostConfig,
 		NetworkingConfig: networkingConfig,
@@ -114,3 +113,42 @@ func hasEndpointSpecificMacAddress(networkingConfig *network.NetworkingConfig) b
 	}
 	return false
 }
+
+// allCapabilities is a magic value for "all capabilities"
+const allCapabilities = "ALL"
+
+// normalizeCapabilities normalizes capabilities to their canonical form,
+// removes duplicates, and sorts the results.
+//
+// It is similar to [github.com/docker/docker/oci/caps.NormalizeLegacyCapabilities],
+// but performs no validation based on supported capabilities.
+func normalizeCapabilities(caps []string) []string {
+	var normalized []string
+
+	unique := make(map[string]struct{})
+	for _, c := range caps {
+		c = normalizeCap(c)
+		if _, ok := unique[c]; ok {
+			continue
+		}
+		unique[c] = struct{}{}
+		normalized = append(normalized, c)
+	}
+
+	sort.Strings(normalized)
+	return normalized
+}
+
+// normalizeCap normalizes a capability to its canonical format by upper-casing
+// and adding a "CAP_" prefix (if not yet present). It also accepts the "ALL"
+// magic-value.
+func normalizeCap(cap string) string {
+	cap = strings.ToUpper(cap)
+	if cap == allCapabilities {
+		return cap
+	}
+	if !strings.HasPrefix(cap, "CAP_") {
+		cap = "CAP_" + cap
+	}
+	return cap
+}

vendor/github.com/docker/docker/client/container_resize.go

@@ -19,9 +19,10 @@ func (cli *Client) ContainerExecResize(ctx context.Context, execID string, optio
 }
 
 func (cli *Client) resize(ctx context.Context, basePath string, height, width uint) error {
+	// FIXME(thaJeztah): the API / backend accepts uint32, but container.ResizeOptions uses uint.
 	query := url.Values{}
-	query.Set("h", strconv.Itoa(int(height)))
+	query.Set("h", strconv.FormatUint(uint64(height), 10))
-	query.Set("w", strconv.Itoa(int(width)))
+	query.Set("w", strconv.FormatUint(uint64(width), 10))
 
 	resp, err := cli.post(ctx, basePath+"/resize", query, nil, nil)
 	ensureReaderClosed(resp)

vendor/github.com/docker/docker/client/image_build.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
 )
 
 // ImageBuild sends a request to the daemon to build images.
@@ -44,10 +45,15 @@ func (cli *Client) ImageBuild(ctx context.Context, buildContext io.Reader, optio
 }
 
 func (cli *Client) imageBuildOptionsToQuery(ctx context.Context, options types.ImageBuildOptions) (url.Values, error) {
-	query := url.Values{
+	query := url.Values{}
-		"t":           options.Tags,
+	if len(options.Tags) > 0 {
-		"securityopt": options.SecurityOpt,
+		query["t"] = options.Tags
-		"extrahosts":  options.ExtraHosts,
+	}
+	if len(options.SecurityOpt) > 0 {
+		query["securityopt"] = options.SecurityOpt
+	}
+	if len(options.ExtraHosts) > 0 {
+		query["extrahosts"] = options.ExtraHosts
 	}
 	if options.SuppressOutput {
 		query.Set("q", "1")
@@ -58,9 +64,11 @@ func (cli *Client) imageBuildOptionsToQuery(ctx context.Context, options types.I
 	if options.NoCache {
 		query.Set("nocache", "1")
 	}
-	if options.Remove {
+	if !options.Remove {
-		query.Set("rm", "1")
+		// only send value when opting out because the daemon's default is
-	} else {
+		// to remove intermediate containers after a successful build,
+		//
+		// TODO(thaJeztah): deprecate "Remove" option, and provide a "NoRemove" or "Keep" option instead.
 		query.Set("rm", "0")
 	}
 
@@ -83,42 +91,70 @@ func (cli *Client) imageBuildOptionsToQuery(ctx context.Context, options types.I
 		query.Set("isolation", string(options.Isolation))
 	}
 
-	query.Set("cpusetcpus", options.CPUSetCPUs)
+	if options.CPUSetCPUs != "" {
-	query.Set("networkmode", options.NetworkMode)
+		query.Set("cpusetcpus", options.CPUSetCPUs)
-	query.Set("cpusetmems", options.CPUSetMems)
-	query.Set("cpushares", strconv.FormatInt(options.CPUShares, 10))
-	query.Set("cpuquota", strconv.FormatInt(options.CPUQuota, 10))
-	query.Set("cpuperiod", strconv.FormatInt(options.CPUPeriod, 10))
-	query.Set("memory", strconv.FormatInt(options.Memory, 10))
-	query.Set("memswap", strconv.FormatInt(options.MemorySwap, 10))
-	query.Set("cgroupparent", options.CgroupParent)
-	query.Set("shmsize", strconv.FormatInt(options.ShmSize, 10))
-	query.Set("dockerfile", options.Dockerfile)
-	query.Set("target", options.Target)
-
-	ulimitsJSON, err := json.Marshal(options.Ulimits)
-	if err != nil {
-		return query, err
 	}
-	query.Set("ulimits", string(ulimitsJSON))
+	if options.NetworkMode != "" && options.NetworkMode != network.NetworkDefault {
-
+		query.Set("networkmode", options.NetworkMode)
-	buildArgsJSON, err := json.Marshal(options.BuildArgs)
-	if err != nil {
-		return query, err
 	}
-	query.Set("buildargs", string(buildArgsJSON))
+	if options.CPUSetMems != "" {
-
+		query.Set("cpusetmems", options.CPUSetMems)
-	labelsJSON, err := json.Marshal(options.Labels)
-	if err != nil {
-		return query, err
 	}
-	query.Set("labels", string(labelsJSON))
+	if options.CPUShares != 0 {
-
+		query.Set("cpushares", strconv.FormatInt(options.CPUShares, 10))
-	cacheFromJSON, err := json.Marshal(options.CacheFrom)
+	}
-	if err != nil {
+	if options.CPUQuota != 0 {
-		return query, err
+		query.Set("cpuquota", strconv.FormatInt(options.CPUQuota, 10))
+	}
+	if options.CPUPeriod != 0 {
+		query.Set("cpuperiod", strconv.FormatInt(options.CPUPeriod, 10))
+	}
+	if options.Memory != 0 {
+		query.Set("memory", strconv.FormatInt(options.Memory, 10))
+	}
+	if options.MemorySwap != 0 {
+		query.Set("memswap", strconv.FormatInt(options.MemorySwap, 10))
+	}
+	if options.CgroupParent != "" {
+		query.Set("cgroupparent", options.CgroupParent)
+	}
+	if options.ShmSize != 0 {
+		query.Set("shmsize", strconv.FormatInt(options.ShmSize, 10))
+	}
+	if options.Dockerfile != "" {
+		query.Set("dockerfile", options.Dockerfile)
+	}
+	if options.Target != "" {
+		query.Set("target", options.Target)
+	}
+	if len(options.Ulimits) != 0 {
+		ulimitsJSON, err := json.Marshal(options.Ulimits)
+		if err != nil {
+			return query, err
+		}
+		query.Set("ulimits", string(ulimitsJSON))
+	}
+	if len(options.BuildArgs) != 0 {
+		buildArgsJSON, err := json.Marshal(options.BuildArgs)
+		if err != nil {
+			return query, err
+		}
+		query.Set("buildargs", string(buildArgsJSON))
+	}
+	if len(options.Labels) != 0 {
+		labelsJSON, err := json.Marshal(options.Labels)
+		if err != nil {
+			return query, err
+		}
+		query.Set("labels", string(labelsJSON))
+	}
+	if len(options.CacheFrom) != 0 {
+		cacheFromJSON, err := json.Marshal(options.CacheFrom)
+		if err != nil {
+			return query, err
+		}
+		query.Set("cachefrom", string(cacheFromJSON))
 	}
-	query.Set("cachefrom", string(cacheFromJSON))
 	if options.SessionID != "" {
 		query.Set("session", options.SessionID)
 	}
@@ -131,7 +167,9 @@ func (cli *Client) imageBuildOptionsToQuery(ctx context.Context, options types.I
 	if options.BuildID != "" {
 		query.Set("buildid", options.BuildID)
 	}
-	query.Set("version", string(options.Version))
+	if options.Version != "" {
+		query.Set("version", string(options.Version))
+	}
 
 	if options.Outputs != nil {
 		outputsJSON, err := json.Marshal(options.Outputs)

vendor/github.com/docker/docker/pkg/archive/archive.go

@@ -654,7 +654,7 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 
 		ta.Buffer.Reset(ta.TarWriter)
 		defer ta.Buffer.Reset(nil)
-		_, err = io.Copy(ta.Buffer, file)
+		_, err = pools.Copy(ta.Buffer, file)
 		file.Close()
 		if err != nil {
 			return err
@@ -705,7 +705,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
 		if err != nil {
 			return err
 		}
-		if _, err := io.Copy(file, reader); err != nil {
+		if _, err := pools.Copy(file, reader); err != nil {
 			file.Close()
 			return err
 		}
@@ -1375,7 +1375,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
 			if err := tw.WriteHeader(hdr); err != nil {
 				return err
 			}
-			if _, err := io.Copy(tw, srcF); err != nil {
+			if _, err := pools.Copy(tw, srcF); err != nil {
 				return err
 			}
 			return nil

vendor/github.com/docker/docker/registry/config.go

@@ -184,7 +184,7 @@ func (config *serviceConfig) loadMirrors(mirrors []string) error {
 func (config *serviceConfig) loadInsecureRegistries(registries []string) error {
 	// Localhost is by default considered as an insecure registry. This is a
 	// stop-gap for people who are running a private registry on localhost.
-	registries = append(registries, "127.0.0.0/8")
+	registries = append(registries, "::1/128", "127.0.0.0/8")
 
 	var (
 		insecureRegistryCIDRs = make([]*registry.NetIPNet, 0)

vendor/modules.txt

@@ -55,7 +55,7 @@ github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
 github.com/docker/distribution/uuid
-# github.com/docker/docker v27.0.2-0.20240912171519-164cae56ed95+incompatible
+# github.com/docker/docker v27.0.2-0.20241018142220-36a3bd090489+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types