Commit Graph

9082 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 41384b0678
Merge pull request #4344 from dvdksn/docs/dockerd-runtimes-refresh
docs: update the runtime configuration section
2023-06-26 12:46:13 +02:00
David Karlsson 6c7d17fa01 docs: update the runtime configuration section
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2023-06-22 21:14:44 +02:00
Sebastiaan van Stijn 87cc259b5e
Merge pull request #4361 from thaJeztah/update_buildx_0.11
Dockerfile: update buildx to v0.11.0
2023-06-21 16:27:09 +02:00
Sebastiaan van Stijn 085d5c2816
Merge pull request #4343 from thaJeztah/cleanup_sprintf
replace some basic uses of fmt.Sprintf(), and minor refactor
2023-06-21 11:49:50 +02:00
Sebastiaan van Stijn c96484a114
Merge pull request #4346 from thaJeztah/build_errors
build: error if Dockerfile name is passed with Dockerfile from stdin
2023-06-21 11:48:12 +02:00
Sebastiaan van Stijn bf5d1ce973
Dockerfile: update buildx to v0.11.0
Update the version of buildx we use in the dev-container to v0.11.0;
https://github.com/docker/buildx/releases/tag/v0.11.0

Full diff: https://github.com/docker/buildx/compare/v0.10.4..v0.11.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-21 11:41:27 +02:00
Sebastiaan van Stijn 2133d0446a
cli/command/context: remove deprecated k8s / orchestrator option-stubs
support for kubernetes contexts was deprecated in docker 20.10 through
b639ea8b89, 0793f96394,
and 1d37fb3027, and removed altoghether in
23.0 through 193ede9b12.

This patch removes the remaining stubs for options that were deprecated
and no longer used.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-21 11:39:04 +02:00
Sebastiaan van Stijn 3c99d229d9
Merge pull request #4363 from thaJeztah/cleanup_useragent
cli/command: newAPIClientFromEndpoint: use WithUserAgent
2023-06-21 11:38:55 +02:00
Sebastiaan van Stijn d1f5262bc5
Merge pull request #4362 from thaJeztah/context_dont_pass_cli
cli/command/context: don't pass CLI if we only need context-store
2023-06-21 11:37:58 +02:00
Sebastiaan van Stijn 5d55800abe
Merge pull request #4355 from thaJeztah/update_gotestsum_1.10
Dockerfile: update gotestsum to v1.10.0
2023-06-21 10:10:06 +02:00
Sebastiaan van Stijn 20b5c464fb
Merge pull request #4350 from thaJeztah/update_go_1.20.5
update go to go1.20.5, alpine 3.17
2023-06-21 10:08:20 +02:00
Sebastiaan van Stijn 2d06cfcde6
cli/command: newAPIClientFromEndpoint: use WithUserAgent
More things to be done after this, to allow passing a custom user-agent,
but let's start with just using this utility.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-20 15:01:41 +02:00
Sebastiaan van Stijn 8181aa8879
cli/command/context: don't pass CLI if we only need context-store
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-20 13:39:02 +02:00
Sebastiaan van Stijn 3b8d5da66b
update go to go1.20.5
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated prilieges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This is can by triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 21:17:09 +02:00
Sebastiaan van Stijn acb248f8d5
Dockerfile: update ALPINE_VERSION to 3.17
Official Golang images are now only available for 3.18 and 3.17;
3.18 doesn't look to play well with gotestsum, so sticking to
an older version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 21:17:05 +02:00
Sebastiaan van Stijn 9c2694d2b0
Dockerfile: update gotestsum to v1.10.0
full diff: https://github.com/gotestyourself/gotestsum/compare/v1.8.2...v1.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-14 21:00:20 +02:00
Sebastiaan van Stijn c2535aa467
build: error if Dockerfile name is passed with Dockerfile from stdin
When passing a Dockerfile through stdin, it's not possible to specify the
name of the Dockerfile (using the `-f` option). When building with BuildKit
enabled, an error is already produced for this case, but the classic builder
silently ignored it.

This patch adds an error for this situation:

    echo -e 'FROM busybox' | DOCKER_BUILDKIT=0 docker build -f some.Dockerfile -
    DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
    BuildKit is currently disabled; enable it by removing the DOCKER_BUILDKIT=0
    environment-variable.

    unable to prepare context: ambiguous Dockerfile source: both stdin and flag correspond to Dockerfiles

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-13 14:03:03 +02:00
Sebastiaan van Stijn 77dd05caad
cli/command/image: remove errStdinConflict
This error was only used in a single location, so no need to define a
package-level variable for this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-13 13:47:56 +02:00
Sebastiaan van Stijn 7d723e2ba7
Merge pull request #4337 from thaJeztah/dont_mutate_configfile
cli/command/container: don't mutate ConfigFile.DetachKeys
2023-06-12 21:37:37 +02:00
Sebastiaan van Stijn d68b361538
cli/compose/convert: convertEnvironment: sort results
All users of this function sorted the results afterwards, so let's
do it as part of the function itself.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 19:03:59 +02:00
Sebastiaan van Stijn f4bde68694
replace some basic uses of fmt.Sprintf()
Really tiny gains here, and doesn't significantly impact readability:

    BenchmarkSprintf
    BenchmarkSprintf-10    11528700     91.59 ns/op   32 B/op  1 allocs/op
    BenchmarkConcat
    BenchmarkConcat-10    100000000     11.76 ns/op    0 B/op  0 allocs/op

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 19:03:49 +02:00
Sebastiaan van Stijn 8aee745ab2
Merge pull request #4342 from thaJeztah/remove_cli_plugins_metadata_experimental
cli-plugins: remove deprecated Metadata.Experimental
2023-06-12 17:33:52 +02:00
Sebastiaan van Stijn 6a50c4f700
cli-plugins: remove deprecated Metadata.Experimental
This field was marked deprecated in 977d3ae046,
which is part of Docker 20.10 and up.

This patch removes the field.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 14:53:30 +02:00
Sebastiaan van Stijn f26ac475a3
Merge pull request #4341 from thaJeztah/update_engine
vendor: update docker/docker to latest  v25.0.0-dev
2023-06-12 13:51:19 +02:00
Sebastiaan van Stijn 58ec4161b2
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230607145746-36334ed18760
full diff: 75e92ce14f...36334ed187

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:31:41 +02:00
Sebastiaan van Stijn bf492bffd3
vendor: docker/docker ed798d651a50cbd0af4dca127c4bfa243dda9cf7 (v25.0.0-dev)
full diff: cf4df9d8ae...ed798d651a

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:30:02 +02:00
Sebastiaan van Stijn 54c80d49d3
vendor: github.com/opencontainers/image-spec v1.1.0-rc3
full diff: https://github.com/opencontainers/image-spec/compare/3a7f492d3f1b...v1.1.0-rc3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:25:25 +02:00
Sebastiaan van Stijn 9ad605acc6
vendor: github.com/sirupsen/logrus v1.9.3
full diff: https://github.com/sirupsen/logrus/compare/v1.9.0...v1.9.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:21:25 +02:00
Sebastiaan van Stijn e15ae9e2ee
vendor: golang.org/x/net v0.10.0
full diff: https://github.com/golang/net/compare/v0.8.0...v0.10.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:19:45 +02:00
Sebastiaan van Stijn 3b62102ea4
vendor: golang.org/x/term v0.8.0
no changes in vendored files

full diff: https://github.com/golang/term/compare/v0.6.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:18:28 +02:00
Sebastiaan van Stijn db7886eef7
vendor: golang.org/x/text v0.9.0
no changes in vendored files

full diff: https://github.com/golang/text/compare/v0.8.0...v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:16:06 +02:00
Sebastiaan van Stijn 45fd37aaac
vendor: golang.org/x/sys v0.8.0
full diff: https://github.com/golang/sys/compare/v0.6.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-12 11:11:33 +02:00
Sebastiaan van Stijn 9e481e09e0
Merge pull request #4226 from laurazard/fix-connhelper-docker-example
ssh: fix error on commandconn close, add ping and default timeout
2023-06-09 22:56:16 +02:00
Laura Brehm a5ebe2282a
commandconn: don't return error if command closed successfully
---
commandconn: fix race on `Close()`

During normal operation, if a `Read()` or `Write()` call results
in an EOF, we call `onEOF()` to handle the terminating command,
and store it's exit value.

However, if a Read/Write call was blocked while `Close()` is called
the in/out pipes are immediately closed which causes an EOF to be
returned. Here, we shouldn't call `onEOF()`, since the reason why
we got an EOF is because we're already terminating the connection.
This also prevents a race between two calls to the commands `Wait()`,
in the `Close()` call and `onEOF()`

---
Add CLI init timeout to SSH connections

---
connhelper: add 30s ssh default dialer timeout

(same as non-ssh dialer)

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2023-06-09 11:24:19 +02:00
Sebastiaan van Stijn 33c7baa7ed
Merge pull request #4336 from thaJeztah/move_attach_keys
docs: move "--detach-keys" example to examples section, add to "docker run" as well
2023-06-09 10:06:14 +02:00
Sebastiaan van Stijn 2331e4d521
cli/command/container: don't mutate ConfigFile.DetachKeys
This code was introduced in 15aa2a663b,
but from those changes, it appears that overwriting the config value was
merely out of convenience, and that struct being used as an intermediate.

While changing the config here should be mostly ephemeral, and not written
back to the config-file, let's be clear on intent, and not mutatte the config
as part of this code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-08 16:54:41 +02:00
Sebastiaan van Stijn 23e26f40fe
cli/command/container: createContainer(): return container-ID
This function returned the whole response, but we already handled the
warnings included in the response as part of the function. All consumers
of this function only used the container-ID, so let's simplify and return
just that (it's a non-exported func, so we can change the signature again
if we really need it).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-08 16:54:41 +02:00
Sebastiaan van Stijn c2c6fbe23c
cli/command/container: TestCreateContainerImagePullPolicy: use sub-tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-08 16:54:41 +02:00
Sebastiaan van Stijn 0c5adb2e98
cli/command/container: attach: rename var that collided with import
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-08 16:54:22 +02:00
Sebastiaan van Stijn 47951ff446
docs: add "--detach-keys" example to docker run reference
This is a copy of the section we have on the "docker attach" reference page.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-08 14:37:21 +02:00
Sebastiaan van Stijn c17b0df2a5
docs: move "--detach-keys" example to examples section
Also adds a named anchor, so that the section gets linked from the
options table.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-08 14:35:03 +02:00
Sebastiaan van Stijn 1db37a881a
Merge pull request #4325 from thaJeztah/add_context_const
cli/command: add EnvOverrideContext const for "DOCKER_CONTEXT"
2023-06-05 13:06:56 +02:00
Sebastiaan van Stijn 0b97e8aa1c
Merge pull request #4330 from dvdksn/docs/ssh-sock-path
docs: added example for specifying socket path with -H
2023-06-02 14:53:48 +02:00
Sebastiaan van Stijn b3a1180d26
Merge pull request #4307 from thaJeztah/remove_devicemapper
docs: remove devicemapper
2023-06-02 14:53:24 +02:00
Sebastiaan van Stijn fee1e0ebbd
Merge pull request #4322 from dvdksn/docs/credential-store-improvements
docs: rephrase section on credential stores for docker login
2023-06-02 14:52:39 +02:00
David Karlsson e4ceed468e docs: added example for specifying socket path with -H
Signed-off-by: David Karlsson <david.karlsson@docker.com>
2023-06-02 14:39:57 +02:00
Sebastiaan van Stijn 5251d37481
cli/command: add EnvOverrideContext const for "DOCKER_CONTEXT"
Add a const for the name of the environment-variable we accept, so
that we can document its purpose in code.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-02 14:20:53 +02:00
Sebastiaan van Stijn 7fae190283
Merge pull request #4324 from thaJeztah/fix_context_godoc
cli/command: fix GoDoc referencing wrong const
2023-06-02 14:12:41 +02:00
Sebastiaan van Stijn 7c480f4a89
Merge pull request #4327 from thaJeztah/dockerfile_goproxy
Dockerfile.vendor: update GOPROXY to use default with fallback
2023-06-02 14:08:24 +02:00
Sebastiaan van Stijn 6458dcbe51
Dockerfile.vendor: update GOPROXY to use default with fallback
Use the default proxy, to assist with vanity domains mis-behaving, but keep
a fallback for situations where we need to get modules from GitHub directly.

This should hopefully help with the gopkg.in/yaml.v2 domain often going AWOL;

    #14 245.9 	gopkg.in/yaml.v2@v2.4.0: unrecognized import path "gopkg.in/yaml.v2": reading https://gopkg.in/yaml.v2?go-get=1: 502 Bad Gateway
    #14 245.9 	server response: Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe

    curl 'https://gopkg.in/yaml.v2?go-get=1'
    Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe

From the Go documentation; https://go.dev/ref/mod#goproxy-protocol

> List elements may be separated by commas (,) or pipes (|), which determine error
> fallback behavior. When a URL is followed by a comma, the go command falls back
> to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL
> is followed by a pipe, the go command falls back to later sources after any error,
> including non-HTTP errors such as timeouts. This error handling behavior lets a
> proxy act as a gatekeeper for unknown modules. For example, a proxy could respond
> with error 403 (Forbidden) for modules not on an approved list (see Private proxy
> serving private modules).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-02 13:12:35 +02:00