Commit Graph

7562 Commits

Author SHA1 Message Date
Sebastiaan van Stijn c98e9c47ca
Use designated test domains (RFC2606) in tests
Some tests were using domain names that were intended to be "fake", but are
actually registered domain names (such as mycorp.com).

Even though we were not actually making connections to these domains, it's
better to use domains that are designated for testing/examples in RFC2606:
https://tools.ietf.org/html/rfc2606

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f3886f354a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 12:10:38 +02:00
Sebastiaan van Stijn a6f6b5fa34
Merge pull request #3219 from thaJeztah/20.10_backport_deprecate_encrypted_tls
[20.10 backport] context: deprecate support for encrypted TLS private keys
2021-07-29 11:40:02 +02:00
Sebastiaan van Stijn 8437cfefae
context: deprecate support for encrypted TLS private keys
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext

From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 15535d4594)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-28 15:48:11 +02:00
Sebastiaan van Stijn 68a5ca859f
cli/context: ignore linting warnings about RFC 1423 encryption
From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

When linting on Go 1.16:

    cli/context/docker/load.go:69:6: SA1019: x509.IsEncryptedPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
            if x509.IsEncryptedPEMBlock(pemBlock) {
               ^
    cli/context/docker/load.go:70:20: SA1019: x509.DecryptPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
                keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword))
                                ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2688f25eb7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-28 15:48:09 +02:00
Sebastiaan van Stijn f9d091f4b1
Merge pull request #3174 from thaJeztah/20.10_backport_deprecate_kube
[20.10 backport] Deprecate Kubernetes stack support
2021-07-28 15:47:43 +02:00
Silvin Lubecki e9b8231d6a
Merge pull request #3205 from thaJeztah/20.10_backport_update_dockerfile_syntax
[20.10 backport] Update Dockerfiles to latest syntax, remove "experimental"
2021-07-22 15:42:42 +02:00
Sebastiaan van Stijn 8a64739631
Update Dockerfiles to latest syntax, remove "experimental"
The experimental image is deprecated (now "labs"), and the features we use
are now included in the regular (stable) syntax.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 48dbf6f3cf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-22 14:57:33 +02:00
Silvin Lubecki a555c853b0
Merge pull request #3200 from thaJeztah/20.10_backport_update_md2man
[20.10 backport] Update go-md2man to v2.0.1 to fix table rendering in man-pages
2021-07-22 14:44:56 +02:00
Sebastiaan van Stijn 260ba1a8a2
vendor: cpuguy83/go-md2man/v2 v2.0.1
full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.0...v2.0.1

- Fix handling multiple definition descriptions
- Fix inline markup causing table cells to split
- Remove escaping tilde character (prevents tildes (`~`) from disappearing).
- Do not escape dash, underscore, and ampersand (prevents ampersands (`&`) from disappearing).
- Ignore unknown HTML tags to prevent noisy warnings

With this, generating manpages becomes a lot less noisy; no more of these:

    WARNING: go-md2man does not handle node type HTMLSpan
    WARNING: go-md2man does not handle node type HTMLSpan
    WARNING: go-md2man does not handle node type HTMLSpan

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 13e8225007)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-21 11:04:19 +02:00
Sebastiaan van Stijn f63cb8b97e
vendor: github.com/russross/blackfriday/v2 v2.1.0
removes the github.com/shurcooL/sanitized_anchor_name dependency

full diff: https://github.com/russross/blackfriday/compare/v2.0.1...v2.1.0

- Committed to github.com/russross/blackfriday/v2 as the canonical import path for blackfriday v2.
- Reduced the amount of dependencies.
- Added a SanitizedAnchorName function.
- Added Node.IsContainer and Node.IsLeaf methods.
- Fixed parsing of links that end with a double backslashes.
- Fixed an issue where fence length wasn't computed.
- Improved the default value for the HTMLRendererParameters.FootnoteReturnLinkContents field.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ef14ae09bb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-21 11:03:01 +02:00
Sebastiaan van Stijn c1492eabde
Merge pull request #3196 from thaJeztah/20.10_backport_go1.17_for_windows
[20.10 backport] Dockerfile: remove custom go build for windows/arm64
2021-07-19 14:52:01 +02:00
Tonis Tiigi 48e6b44379
Dockerfile: remove custom go build for windows/arm64
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit f3d1b02e2b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-19 14:35:07 +02:00
Sebastiaan van Stijn bfcd17b5b7
Merge pull request #3175 from thaJeztah/20.10_backport_docs_fixes
[20.10 backport] docs fixes
2021-07-07 12:30:30 +02:00
Sebastiaan van Stijn 8279b718ea
Merge pull request #3176 from thaJeztah/20.10_backport_update_ci_engine
[20.10 backport] CI: update engine versions and Jenkins labels
2021-07-02 17:38:48 +02:00
Sebastiaan van Stijn 644c003606
circleCI: update docker engine to 20.10.6
20.10.6 looks to be the latest supported version:
https://circleci.com/docs/2.0/building-docker-images/#docker-version

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c6cd0493ab)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:53:15 +02:00
Sebastiaan van Stijn 0d17280a30
Jenkinsfile: update old engine version to 19.03
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 661b87ac9b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:53:13 +02:00
Sebastiaan van Stijn eedfe50a99
Jenkinsfile: update labels to prevent running on cgroups v2
The dind engine version that we use in e2e does not support cgroups v2,
so if we landed on an Ubuntu 20.04 node with cgroups v2 enabled, CI failed:

    Stderr:   Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2849437f21)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:53:11 +02:00
Metal f3dd1ee6c1
Fix minor wording
Signed-off-by: Metal <2466052+tedhexaflow@users.noreply.github.com>
(cherry picked from commit 3b502ca00e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:44:11 +02:00
OKA Naoya c7cf60f657
docs: Fix wrong bridge driver option
Signed-off-by: OKA Naoya <git@okanaoya.com>
(cherry picked from commit 10e909a26c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:44:09 +02:00
Mathieu Champlon 1d37fb3027
Deprecate Kubernetes context support
Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
(cherry picked from commit a033cdf515)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:36:33 +02:00
Mathieu Champlon 0793f96394
Deprecate Kubernetes stack support
Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
(cherry picked from commit c05f0f5957)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:36:31 +02:00
Mathieu Champlon b639ea8b89
Deprecate Kubernetes stack support
Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
(cherry picked from commit 7190255a68)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:36:28 +02:00
Silvin Lubecki 063e3dd329
Merge pull request #3156 from thaJeztah/20.10_backport_bump_credential_helpers
[20.10 backport] vendor: github.com/docker/docker-credential-helpers v0.6.4
2021-06-23 15:11:28 +02:00
Sebastiaan van Stijn 0168626037
vendor: github.com/docker/docker-credential-helpers v0.6.4
full diff: 38bea2ce27...v0.6.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7672267e16)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-22 23:56:03 +02:00
Silvin Lubecki 00ea8bdc41
Merge pull request #3132 from thaJeztah/20.10_backport_bump_term_ansiterm
[20.10 backport] vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compat
2021-06-21 14:18:37 +02:00
Sebastiaan van Stijn e3a9a92b14
vendor: moby/term, Azure/go-ansiterm for golang.org/x/sys/windows compat
Changes:

- winterm: GetStdFile(): Added compatibility with "golang.org/x/sys/windows"
- winterm: fix GetStdFile() falltrough
- update deprecation message to refer to the correct replacement
- add go.mod
- Fix int overflow
- Convert int to string using rune()

full diff:

- bea5bbe245...3f7ff695ad
- d6e3b3328b...d185dfc1b5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b5bc279901)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-21 13:32:31 +02:00
Silvin Lubecki 6da4ee40c7
Merge pull request #3123 from thaJeztah/20.10_backport_bump_docker_20.10.7
[20.10] vendor: github.com/docker/docker v20.10.7
2021-06-15 14:06:14 +02:00
Sebastiaan van Stijn ab733b5564
[20.10] vendor: github.com/docker/docker v20.10.7
full diff: 46229ca1d8...v20.10.7

This is the equivalent of 49f6071532 on master, but
the vendored version in 20.10 was different. Last updates where:

- Master: 7bef248765
    - diff: https://github.com/moby/moby/compare/v20.10.1...d5209b29b9777e0b9713d87847a5dc8ce9d93da6
    - d5209b29b9 is a commit from moby "master"
- 20.10: 5941f4104a
    - diff: https://github.com/docker/docker/compare/v20.10.1...46229ca1d815cfd4b50eb377ac75ad8300e13a85
    - 46229ca1d8 is a commit from moby "20.10"

The 20.10 version mentions it was cherry-picked from 7bef248765,
but that's not the case; there's another diff in the 20.10 branch that was not in
master: d5209b29b9...46229ca1d815cfd4b50eb377ac75ad8300e13a85
raw diff d5209b29b9..46229ca1d815cfd4b50eb377ac75ad8300e13a85

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-06-07 11:53:56 +02:00
Silvin Lubecki f0df35096d
Merge pull request #3107 from thaJeztah/20.10_backport_sigurg_handling
[20.10 backport] Ignore SIGURG on Unix (including Darwin)
2021-05-31 11:40:07 +02:00
Silvin Lubecki f485f66943
Merge pull request #3111 from thaJeztah/20.10_backport_fix_reference_link
[20.10 backport] docs: fix link to command-line reference
2021-05-31 09:45:27 +02:00
Sebastiaan van Stijn 746c553574
docs: fix link to command-line reference
This link worked on GitHub, but was broken on docs.docker.com, so
replacing with a regular link directly to the docs instead.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 04e6884f65)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-26 14:17:34 +02:00
David Scott 2945ba4f7a
Ignore SIGURG on Darwin too
This extends #2929 to Darwin as well as Linux.

Running the example in https://github.com/golang/go/issues/37942
I see lots of:
```
dave@m1 sigurg % uname -ms
Darwin arm64

dave@m1 sigurg % go run main.go
received urgent I/O condition: 2021-05-21 16:03:03.482211 +0100 BST m=+0.014553751
received urgent I/O condition: 2021-05-21 16:03:03.507171 +0100 BST m=+0.039514459
```

Signed-off-by: David Scott <dave@recoil.org>
(cherry picked from commit cedaf44ea2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:38:46 +02:00
Sebastiaan van Stijn 032e485e1c
ForwardAllSignals: check if channel is closed, and remove warning
Commit fff164c22e modified ForwardAllSignals to
take `SIGURG` signals into account, which can be generated by the Go runtime
on Go 1.14 and up as an interrupt to support pre-emptable system calls on Linux.

With the updated code, the signal (`s`) would sometimes be `nil`, causing spurious
(but otherwise harmless) warnings to be printed;

    Unsupported signal: <nil>. Discarding.

To debug this issue, I patched v20.10.4 to handle `nil`, and added a debug line
to print the signal in all cases;

```patch
diff --git a/cli/command/container/signals.go b/cli/command/container/signals.go
index 06e4d9eb6..0cb53ef06 100644
--- a/cli/command/container/signals.go
+++ b/cli/command/container/signals.go
@@ -22,8 +22,9 @@ func ForwardAllSignals(ctx context.Context, cli command.Cli, cid string, sigc <-
                case <-ctx.Done():
                        return
                }
+               fmt.Fprintf(cli.Err(), "Signal: %v\n", s)

               if s == signal.SIGCHLD || s == signal.SIGPIPE {
```

When running a cross-compiled macOS binary with Go 1.13 (`make -f docker.Makefile binary-osx`):

    # regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    Signal: <nil>

    # when cancelling with CTRL-C:
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    ^CSignal: interrupt
    Cloning into 'getting-started'...
    error: could not lock config file /git/getting-started/.git/config: No such file or directory
    fatal: could not set 'core.repositoryformatversion' to '0'
    Signal: <nil>
    Signal: <nil>

When running a macOS binary built with Go 1.15 (`DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary`):

    # regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
    # this is the same as on Go 1.13
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    Signal: <nil>

    # when cancelling with CTRL-C:
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    ^CSignal: interrupt
    Signal: urgent I/O condition
    Signal: urgent I/O condition
    fatal: --stdin requires a git repository
    fatal: index-pack failed
    Signal: <nil>
    Signal: <nil>

This patch checks if the channel is closed, and removes the warning (to prevent warnings if new
signals are added that are not in our known list of signals)

We should also consider updating `notfiyAllSignals()`, which currently forwards
_all_ signals (`signal.Notify(sigc)` without passing a list of signals), and
instead pass it "all signals _minus_ the signals we don't want forwarded":
35f023a7c2/cli/command/container/signals.go (L55)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9342ec6b71)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:36:29 +02:00
Brian Goff 88de81ff21
Fix `docker start` blocking on signal handling
We refactorted `ForwardAllSignals` so it blocks but did not update the
call in `start` to call it in a goroutine.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e1a7517514)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:35:59 +02:00
Sebastiaan van Stijn 706ca7985b
Revert "[20.10] Revert "Ignore SIGURG on Linux.""
This reverts commit f33a69f6ee.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:30:31 +02:00
Silvin Lubecki e0d47b1c0b
Merge pull request #3093 from thaJeztah/20.10_backport_fix_plugin_link
[20.10 backport] docs: dockerd: fix broken link and markdown touch-ups
2021-05-19 14:53:15 +02:00
Silvin Lubecki 54b529feae
Merge pull request #3099 from thaJeztah/20.10_backport_silence_unhandleable_deprecated_warnings
[20.10 backport] printServerWarningsLegacy: silence "No kernel memory limit support"; silence "No oom kill disable support" on cgroup v2
2021-05-19 11:28:35 +02:00
Silvin Lubecki c88e6432ec
Merge pull request #3100 from thaJeztah/20.10_backport_docs_fixes
[20.10 backport] documentation fixes
2021-05-19 11:21:49 +02:00
Tianon Gravi f291a49ba5
Swap "LABEL maintainer" for the OCI pre-defined "org.opencontainers.image.authors"
https://github.com/opencontainers/image-spec/blob/v1.0.1/annotations.md#pre-defined-annotation-keys

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
(cherry picked from commit 782192a6e5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 23:58:35 +02:00
Erik Humphrey 78fcd905c6
docs: Fix broken jump link
Signed-off-by: Erik Humphrey <erik.humphrey@carleton.ca>
(cherry picked from commit 57e7680591)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 23:58:33 +02:00
Akihiro Suda 12e2f94eba
printServerWarningsLegacy: silence "No oom kill disable support" on cgroup v2
The warning should be ignored on cgroup v2 hosts.

Relevant: 8086443a44

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 05ec0188fa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 23:54:39 +02:00
Akihiro Suda 00755d7dba
printServerWarningsLegacy: silence "No kernel memory limit support"
The kernel memory limit is deprecated in Docker 20.10.0,
and its support was removed in runc v1.0.0-rc94.
So, this warning can be safely removed.

Relevant: b8ca7de823

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 731f52cfe8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 23:54:36 +02:00
Sebastiaan van Stijn 8264f5be8d
docs: dockerd: fix broken link and markdown touch-ups
Jekyll doesn't work well with markdown links that are wrapped, so changing
the link to be on a single line.

While at it, also added/changed some code-hints.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f3034ee928)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-12 09:35:23 +02:00
Silvin Lubecki 9780f41efe
Merge pull request #3079 from thaJeztah/20.10_backport_update_docker_stop
[20.10 backport] docs updates
2021-05-04 15:44:44 +02:00
Sebastiaan van Stijn 4fbdf3f362
docs: document log-opts for "dual logging" cache
These options are available in Docker 20.10 and up, but were
previously only available in Docker EE, and not documented.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2586decba8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-04 15:10:08 +02:00
Chris Vermilion 1ff45aac40
Update stop.md
Updates the stop.md doc to mention that the stop signal can be changed, either with the Dockerfile or via `docker run --stop-signal`. This is a real gotcha if you're not familiar with this feature and build a container that extends a container that uses `STOPSIGNAL`.

Signed-off-by: Christopher Vermilion <christopher.vermilion@gmail.com>
(cherry picked from commit 41d169d211)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-04 15:08:53 +02:00
Silvin Lubecki bb03b9d3c2
Merge pull request #3078 from thaJeztah/20.10_backport_update_proxy_examples
[20.10 backport] docs: various changes, and touch-up main CLI page
2021-05-04 13:28:41 +02:00
Sebastiaan van Stijn ed71df1b9f
docs: cleanup / refactor cli doc
More improvements can be made, but this makes a start on cleaning up
this page:

- Reorganise configuration file options into sections
- Use tables for related options to make them easier to find
- Add warning about the config file's possibility to contain sensitive information
- Some MarkDown touch-ups (use "console" code-hint to assist copy/paste)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3c8d65963d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-04 12:32:35 +02:00
Sebastiaan van Stijn ee20fa1ec4
docs: add reference for "docker config" commands
This is mostly a copy of the equivalent `docker secret` commands,
which uses the same mechanisms behind the hood (hence, are 90% the
same).

We can make further refinements to these docs, but this gives us
a starting point.

Adding these documents, because there were some links pointing to
these pages in the docs, but there was no markdown file to link to
on GitHub.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 276e7180f2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-04 12:32:33 +02:00
Sebastiaan van Stijn ffe40dc6b6
docs: update some examples for proxy configuration
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 68284ff591)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-04 12:32:31 +02:00