Commit Graph

8872 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 3c6c0bce1c
cli/registry/client: set actions when authn with token
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".

This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.

To verify:

- create a PAT with limited access (read-only)
- log in with your username and the PAT as password

Before this patch:

    docker manifest inspect ubuntu:latest
    Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes

With this patch applied:

    docker manifest inspect ubuntu:latest
    {
       "schemaVersion": 2,
       "mediaType": "application/vnd.oci.image.index.v1+json",
       "manifests": [
          {
             "mediaType": "application/vnd.oci.image.manifest.v1+json",
             "size": 424,
             "digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
             "platform": {
                "architecture": "amd64",
                "os": "linux"
             }
          },
          {
             "mediaType": "application/vnd.oci.image.manifest.v1+json",
             "size": 424,
             "digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
             "platform": {
                "architecture": "arm",
                "os": "linux",
                "variant": "v7"
             }
          }
       ]
    }

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d2047b954e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-22 21:55:01 +02:00
Sebastiaan van Stijn 65655cc262
cmd/docker: areFlagsSupported: don't Ping if not needed
This is a similar fix as 006c946389, which
fixed this for detection of commands that were executed. Make sure we don't
call the "/_ping" endpoint if we don't need to.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bb57783ab8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-22 10:46:50 +02:00
Sebastiaan van Stijn 580730fce9
Merge pull request #4500 from neersighted/backport_4478
[24.0 backport] login: Add message about using PATs
2023-08-17 20:37:25 +02:00
Djordje Lukic 11606268f8
login: Add message about using PATs
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
(cherry picked from commit 8d51f36ca3)
Signed-off-by: Bjorn Neergaard <bjorn.neergaard@docker.com>
2023-08-17 06:56:09 -06:00
Sebastiaan van Stijn 27a19966fb
Merge pull request #4491 from dvdksn/24.0_backport_docs/host-gateway
[24.0 Backport] docs: document special host-gateway value for add-host
2023-08-09 13:28:05 +02:00
David Karlsson a8987063b3 docs: document special host-gateway value for add-host
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
(cherry picked from commit 299925f4c3)
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2023-08-09 09:19:14 +02:00
Sebastiaan van Stijn b74562d917
Merge pull request #4476 from thaJeztah/24.0_backport_update_go1.20.7
[24.0 backport] update to go1.20.7
2023-08-02 11:51:04 +02:00
Sebastiaan van Stijn c0e376854b
update to go1.20.7
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6517db9398)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:53:48 +02:00
Sebastiaan van Stijn 3bc4543f83
Merge pull request #4471 from thaJeztah/24.0_backport_bump_gotest_tools
[24.0 backport] vendor: gotest.tools/v3 v3.5.0
2023-08-01 16:27:40 +02:00
Sebastiaan van Stijn 1481c8ce9a
vendor: gotest.tools/v3 v3.5.0
- go.mod: update dependencies and go version by
- Use Go1.20
- Fix couple of typos
- Added `WithStdout` and `WithStderr` helpers
- Moved `cmdOperators` handling from `RunCmd` to `StartCmd`
- Deprecate `assert.ErrorType`
- Remove outdated Dockerfile
- add godoc links

full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.4.0...v3.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0b535c791a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-29 21:34:33 +02:00
Sebastiaan van Stijn b17b6b562d
Merge pull request #4460 from thaJeztah/24.0_update_engine
[24.0] vendor: github.com/docker/docker v24.0.5
2023-07-25 15:03:00 +02:00
Sebastiaan van Stijn e97c765575
vendor: github.com/docker/docker v24.0.5
no changes in vendored files

full diff: https://github.com/docker/docker/compare/d4a26c153000...v24.0.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-25 08:55:10 +02:00
Sebastiaan van Stijn ced0996600
Merge pull request #4450 from vvoland/fix-issue-4414-Danial-Gharib-24
[24.0 backport] configfile: Initialize nil AuthConfigs
2023-07-19 21:44:22 +02:00
Danial 1ee40e2c74
configfile: Initialize nil AuthConfigs
Initialize AuthConfigs map if it's nil before returning it.
This fixes fileStore.Store nil dereference panic when adding a new key
to the map.

Signed-off-by: Danial Gharib <danial.mail.gh@gmail.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ad43df5e86)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-19 16:00:16 +02:00
Sebastiaan van Stijn 40cc1d8eae
Merge pull request #4445 from thaJeztah/24.0_backport_buildx_0.11.2
[24.0 backport Dockerfile: update buildx to v0.11.2
2023-07-19 00:59:56 +02:00
Sebastiaan van Stijn 3c2278afae
Merge pull request #4443 from thaJeztah/24.0_update_engine2
[24.0] vendor: github.com/docker/docker v24.0.5-0.20230718221249-d4a26c153000
2023-07-19 00:27:09 +02:00
Sebastiaan van Stijn 3bd6d6902e
Dockerfile: update buildx to v0.11.2
release notes: https://github.com/docker/buildx/releases/tag/v0.11.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 00870d68fc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 00:25:33 +02:00
Sebastiaan van Stijn 05bf7fbcc8
vendor: github.com/docker/docker v24.0.5-0.20230718221249-d4a26c153000
full diff: 8443a06149...d4a26c1530

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 00:17:46 +02:00
Sebastiaan van Stijn c6d7c0bb21
Merge pull request #4438 from thaJeztah/24.0_update_engine
[24.0] vendor: github.com/docker/docker v24.0.5-0.20230717072055-8443a06149b5
2023-07-17 11:58:29 +02:00
Sebastiaan van Stijn dd08d44044
Merge pull request #4425 from thaJeztah/24.0_backport_credential-store-improvements
[24.0 backport] docs: rephrase section on credential stores for docker login
2023-07-17 11:39:07 +02:00
Sebastiaan van Stijn 809975d8bd
Merge pull request #4423 from thaJeztah/24.0_backport_dont-ignore-volume-parse-err
[24.0 backport] cli/container: Don't ignore error when parsing volume spec
2023-07-17 11:38:35 +02:00
Sebastiaan van Stijn 8b5023dd2e
vendor: github.com/docker/docker v24.0.5-0.20230717072055-8443a06149b5
tip of the v24.0 branch

full diff: 36e9e796c6...8443a06149

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 09:30:01 +02:00
Sebastiaan van Stijn 9edd9a1f2f
Merge pull request #4430 from thaJeztah/24.0_backport_update_buildx
[24.0 backport] Dockerfile: update buildx to v0.11.1
2023-07-15 15:16:33 +02:00
Sebastiaan van Stijn e93cdb6ca5
Merge pull request #4428 from thaJeztah/24.0_backport_update_go_1.20.6
[24.0 backport] update go to go1.20.6
2023-07-15 15:08:38 +02:00
Sebastiaan van Stijn 2a6348d1b2
Dockerfile: update buildx to v0.11.1
update the version we use in the dev-container;

- Fix a regression for bake where services in profiles would not be loaded.
- Fix a regression where --cgroup-parent option had no effect during build.
- Fix a regression where valid docker contexts could fail buildx builder name validation.
- Fix an issue where the host-gateway special address could not be used as an argument to --add-host.
- Fix a possible panic when terminal is resized during the build.

release notes: https://github.com/docker/buildx/releases/tag/v0.11.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ff9f1be19e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 15:03:54 +02:00
Sebastiaan van Stijn f4782b3250
update go to go1.20.6
go1.20.6 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to the compiler, cgo, the cover tool, the go command,
the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template
packages. See the Go 1.20.6 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6

These minor releases include 1 security fixes following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 680fafdc9c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 14:49:10 +02:00
Sebastiaan van Stijn a5024666e7
Merge pull request #4424 from thaJeztah/24.0_backport_update-xx
[24.0 backport] Dockerfile: update to xx 1.2.1
2023-07-15 14:46:32 +02:00
Sebastiaan van Stijn 39b2a6cc6a
Merge pull request #4426 from thaJeztah/24.0_update_engine
[24.0] vendor: github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc
2023-07-15 13:02:13 +02:00
Sebastiaan van Stijn 7d06f6b2f7
vendor: github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc
full diff: https://github.com/docker/docker/compare/v24.0.4...36e9e796c6fc84202c32a852f6cdcd6ed175f96b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 02:23:53 +02:00
David Karlsson 1447974b83
docs: rephrase section on credential stores for docker login
Signed-off-by: David Karlsson <david.karlsson@docker.com>
(cherry picked from commit 9828575314)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 00:13:51 +02:00
CrazyMax 46293e97f7
Dockerfile: update to xx 1.2.1
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit fca67dd817)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 00:09:59 +02:00
Paweł Gronowski bfe2ff8208
cli/container: Don't ignore error when parsing volume spec
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit fe7afb700f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 00:06:57 +02:00
Sebastiaan van Stijn 380eb72940
Merge pull request #4407 from thaJeztah/24.0_update_engine
[24.0] vendor: github.com/docker/docker v24.0.4
2023-07-13 16:56:44 +02:00
Sebastiaan van Stijn b407429628
vendor: github.com/docker/docker v24.0.4
full diff: https://github.com/docker/docker/compare/v24.0.2...v24.0.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-10 09:48:09 +02:00
Sebastiaan van Stijn 79c42c0b97
vendor: golang.org/x/net v0.10.0
full diff: https://github.com/golang/net/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 18:07:19 +02:00
Sebastiaan van Stijn a96d0a526c
vendor: golang.org/x/text v0.9.0
no changes in vendored files

full diff: https://github.com/golang/text/compare/v0.8.0...v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 18:06:32 +02:00
Sebastiaan van Stijn 5c5c50d717
vendor: golang.org/x/term v0.8.0
no changes in vendored files

full diff: https://github.com/golang/term/compare/v0.6.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 18:05:12 +02:00
Sebastiaan van Stijn 4bf11b7562
vendor: golang.org/x/sys v0.8.0
full diff: https://github.com/golang/sys/compare/v0.6.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 18:03:50 +02:00
Sebastiaan van Stijn 224c7dbec4
vendor: github.com/sirupsen/logrus v1.9.3
full diff: https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 18:00:12 +02:00
Sebastiaan van Stijn e25d5c64c5
vendor: github.com/opencontainers/image-spec v1.1.0-rc3
full diff: https://github.com/opencontainers/image-spec/compare/3a7f492d3f1b...v1.1.0-rc3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 17:58:46 +02:00
Sebastiaan van Stijn 419e94df4a
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230531205928-01bb7a41396b
no changes in vendored files

full diff: 75e92ce14f...01bb7a4139

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 17:56:34 +02:00
Bjorn Neergaard 3713ee1eea
Merge pull request #4395 from thaJeztah/24.0_backport_fix-connhelper-docker-example
[24.0 backport] ssh: fix error on commandconn close, add ping and default timeout
2023-06-30 11:55:44 -06:00
Laura Brehm 2d5f041bde
commandconn: return original error while closing
Changes the `Read` and `Write` error handling
logic to return the original error while closing
the connection. We still skip calling `handleEOF`
if already closing the connection.

Fixes the flaky `TestCloseWhileWriting` and
`TestCloseWhileReading` tests.

Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Laura Brehm <laurabrehm@hey.com>
(cherry picked from commit d5f564adaa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 19:23:36 +02:00
Laura Brehm 520e3600ee
commandconn: don't return error if command closed successfully
---
commandconn: fix race on `Close()`

During normal operation, if a `Read()` or `Write()` call results
in an EOF, we call `onEOF()` to handle the terminating command,
and store it's exit value.

However, if a Read/Write call was blocked while `Close()` is called
the in/out pipes are immediately closed which causes an EOF to be
returned. Here, we shouldn't call `onEOF()`, since the reason why
we got an EOF is because we're already terminating the connection.
This also prevents a race between two calls to the commands `Wait()`,
in the `Close()` call and `onEOF()`

---
Add CLI init timeout to SSH connections

---
connhelper: add 30s ssh default dialer timeout

(same as non-ssh dialer)

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
(cherry picked from commit a5ebe2282a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 19:23:12 +02:00
Sebastiaan van Stijn fad718c7ea
Merge pull request #4393 from thaJeztah/24.0_backport_debug_relax
[24.0 backport] docker info: fix condition for printing debug information
2023-06-30 15:38:59 +02:00
Sebastiaan van Stijn cd68c8f003
docker info: fix condition for printing debug information
The daemon collects this information regardless if "debug" is
enabled. Print the debugging information if either the daemon,
or the client has debug enabled.

We should probably improve this logic and print any of these if
set (but some special rules are needed for file-descriptors, which
may use "-1".

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92d7a234dd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-30 15:15:38 +02:00
Bjorn Neergaard 05fabe63ba
Merge pull request #4368 from thaJeztah/24.0_backport_update_buildx_0.11
[24.0 backport] Dockerfile: update gotestsum to v1.10.0, buildx v0.11.0
2023-06-28 06:22:26 -06:00
Sebastiaan van Stijn 0a2dcdb446
Merge pull request #4381 from thaJeztah/24.0_backport_update-link-overlay-driver
[24.0 backport] docs: update link location for the overlay driver
2023-06-27 12:35:42 +02:00
David Karlsson a78fd6ca69
docs: update link location for the overlay driver
File location changes in docker/docs#17176

Signed-off-by: David Karlsson <david.karlsson@docker.com>
(cherry picked from commit 035e26fb0b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-27 09:28:19 +02:00
Sebastiaan van Stijn ddb9220abf
Merge pull request #4375 from dvdksn/24.0_backport_fix-staticip-example
[24.0 Backport] Fix static ip example (docker run)
2023-06-26 17:22:57 +02:00