Commit Graph

7519 Commits

Author SHA1 Message Date
Tonis Tiigi 8b822c9219 update windows resources generation
New solution is not hardcoded to amd64 but integrates
with the cross toolchain and supports creating arm binaries.

Go has been updated so that ASLR works

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-04-06 00:20:59 -07:00
Tonis Tiigi 6423da8dcd dockerfile based binary building
Using cross compilation toolchains that work from any platform
Adds darwin/arm64 support and bake targets. Static and dynamic
binary targets are available, both with glibc and musl.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-04-06 00:20:21 -07:00
Chris Vermilion 41d169d211 Update stop.md
Updates the stop.md doc to mention that the stop signal can be changed, either with the Dockerfile or via `docker run --stop-signal`. This is a real gotcha if you're not familiar with this feature and build a container that extends a container that uses `STOPSIGNAL`.

Signed-off-by: Christopher Vermilion <christopher.vermilion@gmail.com>
2021-04-03 17:56:14 -04:00
Tibor Vass 59fd6f0270
Merge pull request #3025 from thaJeztah/remove_unneeded_locks
config.Load() remove unneeded locks
2021-04-01 03:03:58 -07:00
Silvin Lubecki b6d0e3bd11
Merge pull request #3035 from thaJeztah/bump_notary
vendor: github.com/theupdateframework/notary v0.7.0-21-gbf96a202
2021-04-01 10:40:24 +02:00
Sebastiaan van Stijn 75dd73f642
vendor: github.com/theupdateframework/notary v0.7.0-21-gbf96a202
no change in local code, but updates some dependencies to more recent
versions, which may help users that consume docker/cli to get a better
selection (when using go modules).

full diff: 5f1f4a34f4...bf96a202a0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-01 01:34:10 +02:00
Sebastiaan van Stijn 09ddcffb2f
config.Load() remove unneeded locks
These were added in b83bc67136, but
I'm not sure why I added these; they're likely not needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-25 21:45:14 +01:00
Sebastiaan van Stijn 25dc8034ff
vendor: github.com/spf13/cobra v1.1.3
full diff: https://github.com/spf13/cobra/compare/v1.1.1...v1.1.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-14 18:55:35 +01:00
Silvin Lubecki d3c36a2a73
Merge pull request #3006 from thaJeztah/fix_yaml_formatting
docs: remove trailing spaces to prevent yamldocs using "compact" notation
2021-03-11 15:53:59 +01:00
Sebastiaan van Stijn e05e66f4b4
docs: remove trailing spaces to prevent yamldocs using "compact" notation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-11 15:36:02 +01:00
Silvin Lubecki c0a6b1c7b3
Merge pull request #3001 from thaJeztah/remove_all_example
docs: improve example for "remove all stopped containers"
2021-03-09 14:14:18 +01:00
Sebastiaan van Stijn d051df9943
docs: improve example for "remove all stopped containers"
recommend using `docker container prune`, but show an example on
how to combine commands with a bit more context and warnings
about portability/compatibility.

Thanks to Charlie Arehart for doing the initial work on this.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-09 13:20:47 +01:00
Silvin Lubecki 8c6e1e0b5f
Merge pull request #2666 from thaJeztah/old_config_deprecation_warning
config: print deprecation warning when falling back to ~/.dockercfg
2021-03-08 16:47:20 +01:00
Sebastiaan van Stijn b83bc67136
config: print deprecation warning when falling back to ~/.dockercfg
Relates to the deprecation, added in 3c0a167ed5

The docker CLI up until v1.7.0 used the `~/.dockercfg` file to store credentials
after authenticating to a registry (`docker login`). Docker v1.7.0 replaced this
file with a new CLI configuration file, located in `~/.docker/config.json`. When
implementing the new configuration file, the old file (and file-format) was kept
as a fall-back, to assist existing users with migrating to the new file.

Given that the old file format encourages insecure storage of credentials
(credentials are stored unencrypted), and that no version of the CLI since
Docker v1.7.0 has created this file, the file is marked deprecated, and support
for this file will be removed in a future release.

This patch adds a deprecation warning, which is printed if the CLI falls back
to using the deprecated ~/.dockercfg file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-08 16:13:02 +01:00
Tibor Vass 850845adab
Merge pull request #2996 from tonistiigi/sys-update
vendor: update x/sys to 134d130e
2021-03-04 21:10:43 -08:00
Tibor Vass c2ae636c36
Merge pull request #2997 from tonistiigi/notary-update
vendor: update notary to 5f1f4a34
2021-03-04 21:09:16 -08:00
Tonis Tiigi a54577b757 vendor: update notary to 5f1f4a34
Brings in fixes for darwin/arm64 targets

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-03-03 23:49:48 -08:00
Tonis Tiigi e50cf79579 vendor: update x/sys to 134d130e
Makes it possible to build for windows/arm64

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2021-03-03 23:32:34 -08:00
OKA Naoya 10e909a26c
docs: Fix wrong bridge driver option
Signed-off-by: OKA Naoya <git@okanaoya.com>
2021-03-02 15:02:58 +09:00
Brian Goff e1a7517514 Fix `docker start` blocking on signal handling
We refactored `ForwardAllSignals` so it blocks but did not update the
call in `start` to call it in a goroutine.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-03-02 00:54:13 +00:00
Sebastiaan van Stijn 9342ec6b71
ForwardAllSignals: check if channel is closed, and remove warning
Commit fff164c22e modified ForwardAllSignals to
take `SIGURG` signals into account, which can be generated by the Go runtime
on Go 1.14 and up as an interrupt to support pre-emptable system calls on Linux.

With the updated code, the signal (`s`) would sometimes be `nil`, causing spurious
(but otherwise harmless) warnings to be printed;

    Unsupported signal: <nil>. Discarding.

To debug this issue, I patched v20.10.4 to handle `nil`, and added a debug line
to print the signal in all cases;

```patch
diff --git a/cli/command/container/signals.go b/cli/command/container/signals.go
index 06e4d9eb6..0cb53ef06 100644
--- a/cli/command/container/signals.go
+++ b/cli/command/container/signals.go
@@ -22,8 +22,9 @@ func ForwardAllSignals(ctx context.Context, cli command.Cli, cid string, sigc <-
                case <-ctx.Done():
                        return
                }
+               fmt.Fprintf(cli.Err(), "Signal: %v\n", s)

               if s == signal.SIGCHLD || s == signal.SIGPIPE {
```
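
Review bot: the added `fmt.Fprintf(cli.Err(), "Signal: %v\n", s)` sits ahead of the `SIGCHLD`/`SIGPIPE` check, so it writes a line to the CLI's stderr for every value received, including those two signals and the `<nil>` value. That is fine for a local debugging build, but it should not be merged as is; if the trace is worth keeping, route it through debug-level logging instead of an unconditional print. The visible lines also show only the print and not the `nil` handling the message mentions, so that part cannot be reviewed from this hunk.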

When running a cross-compiled macOS binary with Go 1.13 (`make -f docker.Makefile binary-osx`):

    # regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    Signal: <nil>

    # when cancelling with CTRL-C:
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    ^CSignal: interrupt
    Cloning into 'getting-started'...
    error: could not lock config file /git/getting-started/.git/config: No such file or directory
    fatal: could not set 'core.repositoryformatversion' to '0'
    Signal: <nil>
    Signal: <nil>

When running a macOS binary built with Go 1.15 (`DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary`):

    # regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
    # this is the same as on Go 1.13
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    Signal: <nil>

    # when cancelling with CTRL-C:
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    ^CSignal: interrupt
    Signal: urgent I/O condition
    Signal: urgent I/O condition
    fatal: --stdin requires a git repository
    fatal: index-pack failed
    Signal: <nil>
    Signal: <nil>

This patch checks if the channel is closed, and removes the warning (to prevent warnings if new
signals are added that are not in our known list of signals)

We should also consider updating `notifyAllSignals()`, which currently forwards
_all_ signals (`signal.Notify(sigc)` without passing a list of signals), and
instead pass it "all signals _minus_ the signals we don't want forwarded":
35f023a7c2/cli/command/container/signals.go (L55)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-01 18:31:30 +01:00
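
The closed-channel check described in the commit message above, as an added example (not the docker/cli code): a receive from a closed `chan os.Signal` yields a `nil` signal, so the loop uses the two-value receive and returns when `ok` is false. `forwardSignals` and its `send` callback are hypothetical names, and the skipped signals are the ones named on this page (`SIGCHLD`, `SIGPIPE`, `SIGURG`); Unix-like systems are assumed.

```go
package main

import (
	"context"
	"fmt"
	"os"
	"syscall"
)

// forwardSignals (hypothetical name) reads from sigc until ctx is done or
// sigc is closed, hands every signal meant for the container to send, and
// returns how many signals it forwarded.
func forwardSignals(ctx context.Context, sigc <-chan os.Signal, send func(os.Signal)) int {
	forwarded := 0
	for {
		var s os.Signal
		select {
		case sig, ok := <-sigc:
			if !ok {
				// Closed channel: a one-value receive would return nil on every iteration.
				return forwarded
			}
			s = sig
		case <-ctx.Done():
			return forwarded
		}
		switch s {
		case syscall.SIGCHLD, syscall.SIGPIPE, syscall.SIGURG:
			// Not meant for the container; SIGURG is raised by the Go 1.14+ runtime.
			continue
		}
		send(s)
		forwarded++
	}
}

func main() {
	// Constructed input: four queued signals, then the channel is closed.
	sigc := make(chan os.Signal, 4)
	sigc <- syscall.SIGINT
	sigc <- syscall.SIGURG
	sigc <- syscall.SIGCHLD
	sigc <- syscall.SIGTERM
	close(sigc)

	n := forwardSignals(context.Background(), sigc, func(s os.Signal) {
		fmt.Println("forwarding:", s)
	})
	fmt.Println("forwarded", n, "signals; loop ended on channel close")
}
```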
Silvin Lubecki 70a00157f1
Merge pull request #2955 from thaJeztah/master_context_check
[master] Check contexts before importing them to reduce risk of extracted files escaping context store
2021-02-02 14:16:59 +01:00
Chris Crone b43b852031
context: Add tarball e2e tests
Signed-off-by: Chris Crone <christopher.crone@docker.com>
(cherry picked from commit 18f33b337d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-02 13:51:17 +01:00
Chris Crone 8c2872d2a3
context: Ensure context name is valid on import
Signed-off-by: Chris Crone <christopher.crone@docker.com>
(cherry picked from commit 9ecc69d17e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-02 13:51:15 +01:00
Chris Crone a2f0cf527b
context: Ensure import paths are valid
Signed-off-by: Chris Crone <christopher.crone@docker.com>
(cherry picked from commit 6f49197cab)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-02 13:51:12 +01:00
Silvin Lubecki a22ed24b98
Merge pull request #2951 from thaJeztah/add_node_label
Add docs and completion for docker node ls --filter node.label
2021-02-01 11:40:43 +01:00
Silvin Lubecki 375faee9bc
Merge pull request #2939 from thaJeztah/fix_swarm_rollback_exitcode
Fix swarm rollback exitcode, and fix skipping verify step
2021-02-01 11:29:15 +01:00
Sebastiaan van Stijn f52a9e2fef
Add docs and completion for docker node ls --filter node.label
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-27 14:11:31 +01:00
Sebastiaan van Stijn d26bdfd4ea
Merge pull request #2950 from tiborvass/execabs
Use golang.org/x/sys/execabs
2021-01-27 08:05:56 +01:00
Tibor Vass 8d199d5bba Use golang.org/x/sys/execabs
On Windows, the os/exec.{Command,CommandContext,LookPath} functions
resolve command names that have neither path separators nor file extension
(e.g., "git") by first looking in the current working directory before
looking in the PATH environment variable.
Go maintainers intended to match cmd.exe's historical behavior.

However, this is pretty much never the intended behavior and out of an abundance of caution
this patch prevents that when executing commands.
Examples of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`.

Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`,
the Windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker.

Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-26 17:18:04 +00:00
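
The lookup rule described in the commit message above, as an added example (a sketch of the same idea, not the vendored `execabs` source or docker/cli code): wrap `exec.LookPath` and reject any result for a bare command name that is not an absolute path. `lookPathNoCwd` and `demo` are hypothetical names; because the implicit current-directory search is Windows-specific, the demo reproduces a relative hit on Unix-like systems by setting `PATH` to `.`, and it assumes Go 1.19 or later for `exec.ErrDot`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// lookPathNoCwd (hypothetical name) resolves a bare command name the way
// exec.LookPath does, but rejects any hit relative to the current directory.
func lookPathNoCwd(file string) (string, error) {
	path, err := exec.LookPath(file)
	// Go 1.19+ flags a current-directory hit with exec.ErrDot but still returns the path.
	if err != nil && !errors.Is(err, exec.ErrDot) {
		return "", err
	}
	if filepath.Base(file) == file && !filepath.IsAbs(path) {
		return "", fmt.Errorf("%s resolves to %q relative to the current directory", file, path)
	}
	return path, nil
}

// demo plants a constructed executable called name in a scratch directory,
// makes that directory the cwd, then resolves name with PATH="." and with
// PATH set to the directory's absolute path (Unix-like systems).
func demo(name string) (cwdErr error, absPath string, err error) {
	dir, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		return nil, "", err
	}
	defer os.RemoveAll(dir)
	if err = os.WriteFile(filepath.Join(dir, name), []byte("#!/bin/sh\n"), 0o755); err != nil {
		return nil, "", err
	}
	oldWd, err := os.Getwd()
	if err != nil {
		return nil, "", err
	}
	oldPath := os.Getenv("PATH")
	defer func() { os.Chdir(oldWd); os.Setenv("PATH", oldPath) }()
	if err = os.Chdir(dir); err != nil {
		return nil, "", err
	}
	os.Setenv("PATH", ".")
	_, cwdErr = lookPathNoCwd(name)
	os.Setenv("PATH", dir)
	absPath, err = lookPathNoCwd(name)
	return cwdErr, absPath, err
}

func main() {
	cwdErr, absPath, err := demo("demo-helper")
	fmt.Println("PATH=. :", cwdErr)
	fmt.Println("PATH=<scratch dir>:", absPath, err)
}
```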
Tibor Vass 7bef248765 vendor docker, docker-credential-helpers and golang/sys for execabs package
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-26 17:18:04 +00:00
Silvin Lubecki c6bb56136f
Merge pull request #2949 from thaJeztah/fix_man_table
fix docker-run man page table formatting
2021-01-25 18:04:11 +01:00
Sebastiaan van Stijn c0b7b58134
fix docker-run man page table formatting
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-25 17:41:58 +01:00
Sebastiaan van Stijn 669d833b90
Merge pull request #2944 from LeeDongGeon1996/patch-1
docs: Fix wrong variable name
2021-01-25 14:36:50 +01:00
DongGeon Lee 852fe05991 docs: Fix wrong variable name
Signed-off-by: LeeDongGeon <secmatth1996@gmail.com>
2021-01-23 19:04:15 +09:00
Silvin Lubecki 902e9fa22b
Merge pull request #2942 from thaJeztah/add_run_reference_redirect
docs: add redirect for old reference URL
2021-01-21 16:04:14 +01:00
Sebastiaan van Stijn a4fb01f957
docs: add redirect for old reference URL
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-21 15:40:37 +01:00
Sebastiaan van Stijn 104469be0b
service rollback: always verify state
Prior to this change, progressbars would sometimes be hidden, and the function
would return early. In addition, the direction of the progressbars would sometimes
be "incrementing" (similar to "docker service update"), and sometimes be "decrementing"
(to indicate a "rollback" is being performed).

This fix makes sure that we always proceed with the "verifying" step, and now
prints a message _after_ the verifying stage was completed;

    $ docker service rollback foo
    foo
    overall progress: rolling back update: 5 out of 5 tasks
    1/5: running   [>                                                  ]
    2/5: starting  [===========>                                       ]
    3/5: starting  [===========>                                       ]
    4/5: running   [>                                                  ]
    5/5: running   [>                                                  ]
    verify: Service converged
    rollback: rollback completed

    $ docker service rollback foo
    foo
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running   [>                                                  ]
    verify: Service converged
    rollback: rollback completed

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-19 14:47:30 +01:00
Sebastiaan van Stijn ce26a165b0
docker service rollback: fix non-zero exit code in some cases
Before this change:
--------------------------------------------

    $ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
    t33qvykv8y0zbz266rxynsbo3
    overall progress: 1 out of 1 tasks
    1/1: running   [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service update --replicas=5 foo
    foo
    overall progress: 5 out of 5 tasks
    1/5: running   [==================================================>]
    2/5: running   [==================================================>]
    3/5: running   [==================================================>]
    4/5: running   [==================================================>]
    5/5: running   [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running   [>                                                  ]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ echo $?
    1

After this change:
--------------------------------------------

    $ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
    t33qvykv8y0zbz266rxynsbo3
    overall progress: 1 out of 1 tasks
    1/1: running   [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service update --replicas=5 foo
    foo
    overall progress: 5 out of 5 tasks
    1/5: running   [==================================================>]
    2/5: running   [==================================================>]
    3/5: running   [==================================================>]
    4/5: running   [==================================================>]
    5/5: running   [==================================================>]
    verify: Waiting 1 seconds to verify that tasks are stable...

    $ echo $?
    0

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running   [>                                                  ]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ echo $?
    0

    $ docker service ps foo
    ID             NAME      IMAGE          NODE             DESIRED STATE   CURRENT STATE           ERROR     PORTS
    4dt4ms4c5qfb   foo.1     nginx:alpine   docker-desktop   Running         Running 2 minutes ago

Remaining issues with reconciliation
--------------------------------------------

Note that both before, and after this change, the command sometimes terminates
early, and does not wait for the service to reconcile; this is most apparent
when rolling back is scaling up (so more tasks are deployed);

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 5 tasks
    1/5: pending   [=================================>                 ]
    2/5: running   [>                                                  ]
    3/5: pending   [=================================>                 ]
    4/5: pending   [=================================>                 ]
    5/5: pending   [=================================>                 ]
    service rolled back: rollback completed

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-19 14:47:28 +01:00
Silvin Lubecki 1e54c5d67c
Merge pull request #2934 from thaJeztah/fix_homedir_warning
cli/config: prevent warning if HOME is not set
2021-01-19 14:01:37 +01:00
Sebastiaan van Stijn c85a37dbb4
cli/config: prevent warning if HOME is not set
commit c2626a8270 replaced the use of
github.com/docker/docker/pkg/homedir with Golang's os.UserHomeDir().

This change was partially reverted in 7a279af43d
to account for situations where `$HOME` is not set.

In situations where no configuration file is present in `~/.config/`, the CLI
falls back to looking for the (deprecated) `~/.dockercfg` configuration file,
which was still using `os.UserHomeDir()`, which produces an error/warning if
`$HOME` is not set.

This patch introduces a helper function and a global variable to get the user's
home-directory. The global variable is used to prevent repeatedly looking up
the user's information (which, depending on the setup can be a costly operation).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-18 17:47:00 +01:00
Sebastiaan van Stijn a49d70ca7f
Merge pull request #2927 from jimlinntu/fix_update_rollback_order
fix --update-order and --rollback-order flags
2021-01-18 17:26:47 +01:00
Jim Lin 26a6a724aa fix --update-order and --rollback-order flags
Signed-off-by: Jim Lin <b04705003@ntu.edu.tw>
2021-01-18 22:33:45 +08:00
Sebastiaan van Stijn 35f023a7c2
Merge pull request #2929 from cpuguy83/ignore_sigurg
Ignore SIGURG on Linux.
2021-01-16 02:07:19 +01:00
Brian Goff fff164c22e Ignore SIGURG on Linux.
In go1.14+, SIGURG is used by the runtime to handle preemptible system
calls.
In practice this signal is caught *frequently*.

For reference:

https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md
https://github.com/golang/go/issues/37942

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-01-15 19:03:39 +00:00
Brian Goff cde469bf1a
Merge pull request #2931 from thaJeztah/bump_notary
vendor: github.com/theupdateframework/notary v0.7.0
2021-01-14 09:37:35 -08:00
Sebastiaan van Stijn 9f6966d4ec
vendor: github.com/theupdateframework/notary v0.7.0
full diff: https://github.com/theupdateframework/notary/compare/v0.6.1...v0.7.0

Changelog:

v0.7.0 12/01/2021
------------------------

- Switch to Go modules
- Use golang/x/crypto for ed25519
- Update Go version
- Update dependency versions
- Fixes from using Gosec for source analysis

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-14 16:10:01 +01:00
Sebastiaan van Stijn 9a3fdc1d64
Merge pull request #2906 from stoffus/added-docker-context-to-zsh-completion
Added docker context to zsh completion
2021-01-11 17:28:37 +01:00
Silvin Lubecki e31e005853
Merge pull request #2921 from thaJeztah/fix_deprecate_typo
docs: fix typo in deprecated.md
2021-01-08 16:18:09 +01:00
Sebastiaan van Stijn 697c3a5b48
docs: fix typo in deprecated.md
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-01-08 16:03:51 +01:00