Commit Graph

1357 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 80a3add604
cli/command/container: unnecessary use of fmt.Sprintf (gosimple)
cli/command/container/formatter_stats.go:184:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^
    cli/command/container/formatter_stats.go:191:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("-- / --")
                   ^
    cli/command/container/formatter_stats.go:201:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^
    cli/command/container/formatter_stats.go:184:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^
    cli/command/container/formatter_stats.go:191:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("-- / --")
                   ^
    cli/command/container/formatter_stats.go:201:10: S1039: unnecessary use of fmt.Sprintf (gosimple)
            return fmt.Sprintf("--")
                   ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5a65aadd8d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-08-18 19:16:29 +02:00
Sebastiaan van Stijn 80f673bf9e
gofmt with go1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a0f0578299)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-14 16:40:46 +02:00
John Howard 5fa500000a
Fix incorrect pointer inputs to `json.Unmarshal`
See https://github.com/howardjohn/go-unmarshal-double-pointer for more
info on why this is not safe and how this is detected.

Signed-off-by: John Howard <howardjohn@google.com>
(cherry picked from commit ee97fe95bc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:43:16 +02:00
coryb ee1ac1b319
fix innocuous data-race when config.Load called in parallel
Locking was removed in https://github.com/docker/cli/pull/3025 which
allows for parallel calls to config.Load to modify global state.
The consequence in this case is innocuous, but it does trigger a
`DATA RACE` exception when tests run with `-race` option.

Signed-off-by: coryb <cbennett@netflix.com>
(cherry picked from commit b5f4a6e45f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-01-27 10:37:14 +01:00
Sebastiaan van Stijn 82f9d5921b
info: skip client-side warning about seccomp profile on API >= 1.42
This warning will be moved to the daemon-side, similar to how it returns
other warnings. There's work in progress to change the name of the default
profile, so we may need to backport this change to prevent existing clients
from printing an incorrect warning if they're connecting to a newer daemon.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8964595692)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-10-11 16:38:53 +02:00
Sebastiaan van Stijn 893e52cf4b
Merge pull request #2 from moby/cli-ghsa-99pg-grm5-qq3v-default-authconfig-20.10
[20.10] registry: ensure default auth config has address
2021-09-09 20:40:54 +02:00
Samuel Karp 42d1c02750
registry: ensure default auth config has address
Signed-off-by: Samuel Karp <skarp@amazon.com>
2021-07-29 19:57:58 -07:00
Sebastiaan van Stijn 6288e8b1ac
change TestNewAPIClientFromFlagsWithHttpProxyEnv to an e2e test
Golang uses a `sync.Once` when determining the proxy to use. This means
that it's not possible to test the proxy configuration in unit tests,
because the proxy configuration will be "fixated" the first time Golang
detects the proxy configuration.

This patch changes TestNewAPIClientFromFlagsWithHttpProxyEnv to an e2e
test so that we can verify the CLI picks up the proxy configuration.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 40c6b117e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 12:11:10 +02:00
Sebastiaan van Stijn 1e9575e81a
cli/config/configfile: various test cleanups
- use var/const blocks when declaring a list of variables
- use const where possible

TestCheckKubernetesConfigurationRaiseAnErrorOnInvalidValue:

- use keys when assigning values
- make sure test is dereferenced in the loop
- use subtests

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit be327a4f0f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 12:10:40 +02:00
Sebastiaan van Stijn c98e9c47ca
Use designated test domains (RFC2606) in tests
Some tests were using domain names that were intended to be "fake", but are
actually registered domain names (such as mycorp.com).

Even though we were not actually making connections to these domains, it's
better to use domains that are designated for testing/examples in RFC2606:
https://tools.ietf.org/html/rfc2606

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f3886f354a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-29 12:10:38 +02:00
Sebastiaan van Stijn 8437cfefae
context: deprecate support for encrypted TLS private keys
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext

From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 15535d4594)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-28 15:48:11 +02:00
Sebastiaan van Stijn 68a5ca859f
cli/context: ignore linting warnings about RFC 1423 encryption
From https://go-review.googlesource.com/c/go/+/264159

> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.

When linting on Go 1.16:

    cli/context/docker/load.go:69:6: SA1019: x509.IsEncryptedPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
            if x509.IsEncryptedPEMBlock(pemBlock) {
               ^
    cli/context/docker/load.go:70:20: SA1019: x509.DecryptPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext.  (staticcheck)
                keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword))
                                ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2688f25eb7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-28 15:48:09 +02:00
Mathieu Champlon 1d37fb3027
Deprecate Kubernetes context support
Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
(cherry picked from commit a033cdf515)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:36:33 +02:00
Mathieu Champlon 0793f96394
Deprecate Kubernetes stack support
Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
(cherry picked from commit c05f0f5957)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-07-02 16:36:31 +02:00
David Scott 2945ba4f7a
Ignore SIGURG on Darwin too
This extends #2929 to Darwin as well as Linux.

Running the example in https://github.com/golang/go/issues/37942
I see lots of:
```
dave@m1 sigurg % uname -ms
Darwin arm64

dave@m1 sigurg % go run main.go
received urgent I/O condition: 2021-05-21 16:03:03.482211 +0100 BST m=+0.014553751
received urgent I/O condition: 2021-05-21 16:03:03.507171 +0100 BST m=+0.039514459
```

Signed-off-by: David Scott <dave@recoil.org>
(cherry picked from commit cedaf44ea2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:38:46 +02:00
Sebastiaan van Stijn 032e485e1c
ForwardAllSignals: check if channel is closed, and remove warning
Commit fff164c22e modified ForwardAllSignals to
take `SIGURG` signals into account, which can be generated by the Go runtime
on Go 1.14 and up as an interrupt to support pre-emptable system calls on Linux.

With the updated code, the signal (`s`) would sometimes be `nil`, causing spurious
(but otherwise harmless) warnings to be printed;

    Unsupported signal: <nil>. Discarding.

To debug this issue, I patched v20.10.4 to handle `nil`, and added a debug line
to print the signal in all cases;

```patch
diff --git a/cli/command/container/signals.go b/cli/command/container/signals.go
index 06e4d9eb6..0cb53ef06 100644
--- a/cli/command/container/signals.go
+++ b/cli/command/container/signals.go
@@ -22,8 +22,9 @@ func ForwardAllSignals(ctx context.Context, cli command.Cli, cid string, sigc <-
                case <-ctx.Done():
                        return
                }
+               fmt.Fprintf(cli.Err(), "Signal: %v\n", s)

               if s == signal.SIGCHLD || s == signal.SIGPIPE {
```

When running a cross-compiled macOS binary with Go 1.13 (`make -f docker.Makefile binary-osx`):

    # regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    Signal: <nil>

    # when cancelling with CTRL-C:
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    ^CSignal: interrupt
    Cloning into 'getting-started'...
    error: could not lock config file /git/getting-started/.git/config: No such file or directory
    fatal: could not set 'core.repositoryformatversion' to '0'
    Signal: <nil>
    Signal: <nil>

When running a macOS binary built with Go 1.15 (`DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary`):

    # regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
    # this is the same as on Go 1.13
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    Signal: <nil>

    # when cancelling with CTRL-C:
    ./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
    Cloning into 'getting-started'...
    ^CSignal: interrupt
    Signal: urgent I/O condition
    Signal: urgent I/O condition
    fatal: --stdin requires a git repository
    fatal: index-pack failed
    Signal: <nil>
    Signal: <nil>

This patch checks if the channel is closed, and removes the warning (to prevent warnings if new
signals are added that are not in our known list of signals)

We should also consider updating `notfiyAllSignals()`, which currently forwards
_all_ signals (`signal.Notify(sigc)` without passing a list of signals), and
instead pass it "all signals _minus_ the signals we don't want forwarded":
35f023a7c2/cli/command/container/signals.go (L55)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9342ec6b71)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:36:29 +02:00
Brian Goff 88de81ff21
Fix `docker start` blocking on signal handling
We refactorted `ForwardAllSignals` so it blocks but did not update the
call in `start` to call it in a goroutine.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e1a7517514)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:35:59 +02:00
Sebastiaan van Stijn 706ca7985b
Revert "[20.10] Revert "Ignore SIGURG on Linux.""
This reverts commit f33a69f6ee.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-25 12:30:31 +02:00
Akihiro Suda 12e2f94eba
printServerWarningsLegacy: silence "No oom kill disable support" on cgroup v2
The warning should be ignored on cgroup v2 hosts.

Relevant: 8086443a44

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 05ec0188fa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 23:54:39 +02:00
Akihiro Suda 00755d7dba
printServerWarningsLegacy: silence "No kernel memory limit support"
The kernel memory limit is deprecated in Docker 20.10.0,
and its support was removed in runc v1.0.0-rc94.
So, this warning can be safely removed.

Relevant: b8ca7de823

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 731f52cfe8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-05-18 23:54:36 +02:00
Tonis Tiigi fcc05e5ea1 update windows resources generation
New solution is not hardcoded to amd64 but integrates
with the cross toolchain and support creating arm binaries.

Go has been updated so that ASLR works

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 8b822c9219)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-04-06 19:53:48 +00:00
Sebastiaan van Stijn 4c3b87d922
config.Load() remove unneeded locks
These were added in b83bc67136, but
I'm not sure why I added these; they're likely not needed.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 09ddcffb2f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-04-01 12:04:57 +02:00
Sebastiaan van Stijn 4571d90f20
config: print deprecation warning when falling back to ~/.dockercfg
Relates to the deprecation, added in 3c0a167ed5

The docker CLI up until v1.7.0 used the `~/.dockercfg` file to store credentials
after authenticating to a registry (`docker login`). Docker v1.7.0 replaced this
file with a new CLI configuration file, located in `~/.docker/config.json`. When
implementing the new configuration file, the old file (and file-format) was kept
as a fall-back, to assist existing users with migrating to the new file.

Given that the old file format encourages insecure storage of credentials
(credentials are stored unencrypted), and that no version of the CLI since
Docker v1.7.0 has created this file, the file is marked deprecated, and support
for this file will be removed in a future release.

This patch adds a deprecation warning, which is printed if the CLI falls back
to using the deprecated ~/.dockercfg file.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit b83bc67136)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-08 17:21:15 +01:00
Sebastiaan van Stijn f33a69f6ee
[20.10] Revert "Ignore SIGURG on Linux."
This reverts commit 3c87f01b18.

This commit introduced two regressions;

- spurious "Unsupported signal: <nil>. Discarding."
- docker start --attach hanging if the container does not
  have a TTY attached

Reverting for now, while we dug deeper into what's causing
the regression.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-03-01 20:56:18 +01:00
Silvin Lubecki 433014bcfb
Merge pull request #2959 from thaJeztah/20.10_backport_fix_login_panic
[20.10 backport] Fix panic when failing to get DefaultAuthConfig
2021-02-18 12:02:41 +01:00
Silvin Lubecki 61cb016851
Merge pull request #2961 from thaJeztah/20.10_backport_fix_context_dockerfile_from_stdin_with_buildkit
[20.10 backport] Fix reading context and dockerfile from stdin with BuildKit
2021-02-18 12:02:09 +01:00
Silvin Lubecki 830d6595e7
Merge pull request #2963 from thaJeztah/20.10_backport_fix_update_rollback_order
[20.10 backport] fix --update-order and --rollback-order flags
2021-02-18 11:58:23 +01:00
Silvin Lubecki 13048444cc
Merge pull request #2964 from thaJeztah/20.10_backport_fix_swarm_rollback_exitcode
[20.10 backport] Fix swarm rollback exitcode, and fix skipping verify step
2021-02-18 11:55:40 +01:00
Silvin Lubecki 3e293e6bd1
Merge pull request #2958 from thaJeztah/20.10_backport_fix_homedir_warning
[20.10 backport] cli/config: prevent warning if HOME is not set
2021-02-12 10:27:24 +01:00
Sebastiaan van Stijn d6eeeb6259
service rollback: always verify state
Prior to this change, progressbars would sometimes be hidden, and the function
would return early. In addition, the direction of the progressbars would sometimes
be "incrementing" (similar to "docker service update"), and sometimes be "decrementing"
(to indicate a "rollback" is being performed).

This fix makes sure that we always proceed with the "verifying" step, and now
prints a message _after_ the verifying stage was completed;

    $ docker service rollback foo
    foo
    overall progress: rolling back update: 5 out of 5 tasks
    1/5: running   [>                                                  ]
    2/5: starting  [===========>                                       ]
    3/5: starting  [===========>                                       ]
    4/5: running   [>                                                  ]
    5/5: running   [>                                                  ]
    verify: Service converged
    rollback: rollback completed

    $ docker service rollback foo
    foo
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running   [>                                                  ]
    verify: Service converged
    rollback: rollback completed

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 104469be0b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:55:51 +01:00
Sebastiaan van Stijn 3e157d5293
docker service rollback: fix non-zero exit code in some cases
Before this change:
--------------------------------------------

    $ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
    t33qvykv8y0zbz266rxynsbo3
    overall progress: 1 out of 1 tasks
    1/1: running   [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service update --replicas=5 foo
    foo
    overall progress: 5 out of 5 tasks
    1/5: running   [==================================================>]
    2/5: running   [==================================================>]
    3/5: running   [==================================================>]
    4/5: running   [==================================================>]
    5/5: running   [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running   [>                                                  ]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ echo $?
    1

After this change:
--------------------------------------------

    $ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
    t33qvykv8y0zbz266rxynsbo3
    overall progress: 1 out of 1 tasks
    1/1: running   [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service update --replicas=5 foo
    foo
    overall progress: 5 out of 5 tasks
    1/5: running   [==================================================>]
    2/5: running   [==================================================>]
    3/5: running   [==================================================>]
    4/5: running   [==================================================>]
    5/5: running   [==================================================>]
    verify: Waiting 1 seconds to verify that tasks are stable...

    $ echo $?
    0

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running   [>                                                  ]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ echo $?
    0

    $ docker service ps foo
    ID             NAME      IMAGE          NODE             DESIRED STATE   CURRENT STATE           ERROR     PORTS
    4dt4ms4c5qfb   foo.1     nginx:alpine   docker-desktop   Running         Running 2 minutes ago

Remaining issues with reconciliation
--------------------------------------------

Note that both before, and after this change, the command sometimes terminates
early, and does not wait for the service to reconcile; this is most apparent
when rolling back is scaling up (so more tasks are deployed);

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 5 tasks
    1/5: pending   [=================================>                 ]
    2/5: running   [>                                                  ]
    3/5: pending   [=================================>                 ]
    4/5: pending   [=================================>                 ]
    5/5: pending   [=================================>                 ]
    service rolled back: rollback completed

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ce26a165b0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:55:49 +01:00
Jim Lin 1fdf84b8e9
fix --update-order and --rollback-order flags
Signed-off-by: Jim Lin <b04705003@ntu.edu.tw>
(cherry picked from commit 26a6a724aa)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:53:34 +01:00
Alexey Igrychev 0de4e6e9a7
Fix reading context and dockerfile from stdin with BuildKit
Signed-off-by: Alexey Igrychev <alexey.igrychev@flant.com>
(cherry picked from commit fc9ca9a94a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:48:19 +01:00
Brian Goff 3c87f01b18
Ignore SIGURG on Linux.
In go1.14+, SIGURG is used by the runtime to handle preemtable system
calls.
In practice this signal caught *frequently*.

For reference:

https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md
https://github.com/golang/go/issues/37942

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit fff164c22e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:44:39 +01:00
Sebastiaan van Stijn de40c2b172
Fix panic when failing to get DefaultAuthConfig
Commit f32731f902 fixed a potential panic
when an error was returned while trying to get existing credentials.

However, other code paths currently use the result of `GetDefaultAuthConfig()`
even in an error condition; this resulted in a panic, because a `nil` was
returned.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c2820a7e3b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:42:06 +01:00
Sebastiaan van Stijn d513e46bfc
cli/config: prevent warning if HOME is not set
commit c2626a8270 replaced the use of
github.com/docker/docker/pkg/homedir with Golang's os.UserHomeDir().

This change was partially reverted in 7a279af43d
to account for situations where `$HOME` is not set.

In  situations where no configuration file is present in `~/.config/`, the CLI
falls back to looking for the (deprecated) `~/.dockercfg` configuration file,
which was still using `os.UserHomeDir()`, which produces an error/warning if
`$HOME` is not set.

This patch introduces a helper function and a global variable to get the user's
home-directory. The global variable is used to prevent repeatedly looking up
the user's information (which, depending on the setup can be a costly operation).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c85a37dbb4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-04 14:38:27 +01:00
Tibor Vass 48d30b5b32 Use golang.org/x/sys/execabs
On Windows, the os/exec.{Command,CommandContext,LookPath} functions
resolve command names that have neither path separators nor file extension
(e.g., "git") by first looking in the current working directory before
looking in the PATH environment variable.
Go maintainers intended to match cmd.exe's historical behavior.

However, this is pretty much never the intended behavior and as an abundance of precaution
this patch prevents that when executing commands.
Example of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`.

Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`,
the windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker.

Signed-off-by: Tibor Vass <tibor@docker.com>
(cherry picked from commit 8d199d5bba)
Signed-off-by: Tibor Vass <tibor@docker.com>
2021-01-28 22:27:59 +00:00
Chris Crone 9ecc69d17e context: Ensure context name is valid on import
Signed-off-by: Chris Crone <christopher.crone@docker.com>
2021-01-28 22:27:59 +00:00
Chris Crone 6f49197cab context: Ensure import paths are valid
Signed-off-by: Chris Crone <christopher.crone@docker.com>
2021-01-28 22:27:59 +00:00
Sebastiaan van Stijn fa3e0bcdaf
Help link: remove color, add "bold" style, and white-space
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-14 14:28:29 +01:00
Tibor Vass 029ab0255a
Merge pull request #2857 from gtardif/help_guides_link
Help guides link
2020-12-07 15:34:45 -08:00
Djordje Lukic 9f9c4b7f3b Remove k8s.io/kubernetes dependency
We are only using the `IsPodReady` function that can be rewritten easily.

Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
2020-12-04 00:27:40 +01:00
Tibor Vass 40ec81a79a build: display [auth] output
Signed-off-by: Tibor Vass <tibor@docker.com>
2020-12-02 21:22:36 +00:00
Sebastiaan van Stijn 9a0a071d55 vendor: buildkit v0.8.0-rc2, docker
diffs:

- full diff: af34b94a78...6c0a036dce
- full diff: 4d1f260e84...v0.8.0-rc2

New dependencies:

- go.opencensus.io v0.22.3
- github.com/containerd/typeurl v1.0.1
- github.com/golang/groupcache 869f871628b6baa9cfbc11732cdf6546b17c1298

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-02 21:01:12 +00:00
Sebastiaan van Stijn 0e96d92567 vendor: golang.org/x/crypto c1f2f97bffc9c53fc40a1a28a5b460094c0050d9
full diff: 75b288015a...c1f2f97bff

relevant changes:

- pkcs12: document that we use the wrong PEM type
- pkcs12: drop PKCS#12 attributes with unknown OIDs
- ocsp: Improve documentation for ParseResponse and ParseResponseForCert

other changes (not in vendor);

- ssh: improve error message for KeyboardInteractiveChallenge
- ssh: remove slow unnecessary diffie-hellman-group-exchange primality check
- ssh/terminal: replace with a golang.org/x/term wrapper
    - Deprecates ssh/terminal in favor of golang.org/x/term
- ssh/terminal: add support for zos
- ssh/terminal: bump x/term dependency to fix js/nacl
- nacl/auth: use Size instead of KeySize for Sum output
- sha3: remove go:nocheckptr annotation

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-12-02 21:01:12 +00:00
Guillaume Tardif d7697f9c72 AdditionalHelpMessage set in command annotations, removed env var check
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2020-12-02 16:01:53 +01:00
Guillaume Tardif 0ec9e434ed Additional help message is displayed in cyan
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2020-12-01 17:32:08 +01:00
Guillaume Tardif 2369d9d126 Do not display help link if env var “DOCKER_HIDE_HELP_GUIDES” is set
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2020-12-01 15:29:00 +01:00
Guillame Tardif dbd65f92c7 Display additional help message pointing to docs.docker.com guides.
Will display when user types `docker help` or `docker --help`, but not for `docker run --help`. 

Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
2020-12-01 15:11:24 +01:00
Tibor Vass 5cc2396164
Merge pull request #2541 from znck/allow-ssh-flags
feat: allow ssh flag arguments
2020-11-17 11:20:04 -08:00