Commit Graph

9308 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 6517db9398
update to go1.20.7
Includes a fix for CVE-2023-29409

go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7

From the mailing list announcement:

[security] Go 1.20.7 and Go 1.19.12 are released

Hello gophers,

We have just released Go versions 1.20.7 and 1.19.12, minor point releases.

These minor releases include 1 security fixes following the security policy:

- crypto/tls: restrict RSA keys in certificates to <= 8192 bits

  Extremely large RSA keys in certificate chains can cause a client/server
  to expend significant CPU time verifying signatures. Limit this by
  restricting the size of RSA keys transmitted during handshakes to <=
  8192 bits.

  Based on a survey of publicly trusted RSA keys, there are currently only
  three certificates in circulation with keys larger than this, and all
  three appear to be test certificates that are not actively deployed. It
  is possible there are larger keys in use in private PKIs, but we target
  the web PKI, so causing breakage here in the interests of increasing the
  default safety of users of crypto/tls seems reasonable.

  Thanks to Mateusz Poliwczak for reporting this issue.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-01 23:52:56 +02:00
Sebastiaan van Stijn bb0e232605
Merge pull request #4470 from thaJeztah/bump_containerd_1.6.22
vendor: github.com/containerd/containerd v1.6.22
2023-08-01 16:25:47 +02:00
Sebastiaan van Stijn 373fa57edc
vendor: github.com/containerd/containerd v1.6.22
- full diff: https://github.com/containerd/containerd/compare/v1.6.21...v1.6.22
- release notes: https://github.com/containerd/containerd/releases/tag/v1.6.22

---

Notable Updates

- RunC: Update runc binary to v1.1.8
- CRI: Fix `additionalGids`: it should fallback to `imageConfig.User`
  when `securityContext.RunAsUser`, `RunAsUsername` are empty
- CRI: Write generated CNI config atomically
- Fix concurrent writes for `UpdateContainerStats`
- Make `checkContainerTimestamps` less strict on Windows
- Port-Forward: Correctly handle known errors
- Resolve `docker.NewResolver` race condition
- SecComp: Always allow `name_to_handle_at`
- Adding support to run hcsshim from local clone
- Pinned image support
- Runtime/V2/RunC: Handle early exits w/o big locks
- CRITool: Move up to CRI-TOOLS v1.27.0
- Fix cpu architecture detection issue on emulated ARM platform
- Task: Don't `close()` io before `cancel()`
- Fix panic when remote differ returns empty result
- Plugins: Notify readiness when registered plugins are ready
- Unwrap io errors in server connection receive error handling

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-30 16:08:28 +02:00
Sebastiaan van Stijn a63f5606a6
Merge pull request #4469 from thaJeztah/bump_gotest_tools
vendor: gotest.tools/v3 v3.5.0
2023-07-30 15:57:34 +02:00
Sebastiaan van Stijn 0b535c791a
vendor: gotest.tools/v3 v3.5.0
- go.mod: update dependencies and go version by
- Use Go1.20
- Fix couple of typos
- Added `WithStdout` and `WithStderr` helpers
- Moved `cmdOperators` handling from `RunCmd` to `StartCmd`
- Deprecate `assert.ErrorType`
- Remove outdated Dockerfile
- add godoc links

full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.4.0...v3.5.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-29 21:04:40 +02:00
Sebastiaan van Stijn e0e2772439
Merge pull request #4453 from thaJeztah/small_interface_waitExitOrRemoved
cli/command/container: waitExitOrRemoved: take APIClient as argument
2023-07-24 14:03:10 +02:00
Sebastiaan van Stijn 7a89e897ea
cli/command/container: waitExitOrRemoved: take APIClient as argument
It only needs the API client, not the whole DockerCLI.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-24 09:54:11 +02:00
Sebastiaan van Stijn 8837d113e3
Merge pull request #4456 from thaJeztah/cli_engine_deps
vendor: update dependencies for engine
2023-07-20 23:46:46 +02:00
Sebastiaan van Stijn ce038e77b2
vendor: github.com/prometheus/common v0.42.0
full diff: https://github.com/prometheus/common/compare/v0.37.0...v0.42.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 13:10:46 +02:00
Sebastiaan van Stijn bffe277c9b
vendor: github.com/prometheus/procfs v0.9.0
full diff: https://github.com/prometheus/procfs/compare/v0.8.0...v0.9.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 13:10:13 +02:00
Sebastiaan van Stijn 92906a9936
vendor: github.com/Microsoft/go-winio v0.6.1
Unfortunately also brings in golang.org/x/tools and golang.org/x/mod as
a dependency, due to go-winio using a "tools.go" file.

full diff: https://github.com/Microsoft/go-winio/compare/v0.5.2...v0.6.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 13:10:06 +02:00
Sebastiaan van Stijn aacdca0fe6
vendor: google.golang.org/protobuf v1.30.0
full diff: https://github.com/protocolbuffers/protobuf-go/compare/v1.28.1...v1.30.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 00:30:58 +02:00
Sebastiaan van Stijn 3cf34c6d9d
vendor: google.golang.org/grpc v1.53.0
Also updating google.golang.org/genproto:
full diff: 10f96fb3db...7f2fa6fef1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 00:26:26 +02:00
Sebastiaan van Stijn 5b138189b9
vendor: github.com/cespare/xxhash/v2 v2.2.0
full diff: https://github.com/cespare/xxhash/compare/v2.1.2...v2.2.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 00:21:37 +02:00
Sebastiaan van Stijn c1d0657029
vendor: github.com/golang/protobuf v1.5.3
- jsonpb: accept 'null' as a valid representation of NullValue in unmarshal
  The canonical JSON representation for NullValue is JSON "null".

full diff: https://github.com/golang/protobuf/compare/v1.5.2...v1.5.3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 00:20:03 +02:00
Sebastiaan van Stijn 0b7c72c3ba
cli/command/container: RunStart: inline variable
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-20 00:03:11 +02:00
Sebastiaan van Stijn 4f67ff8e1f
Merge pull request #4418 from Danial-Gharib/fix-issue-4414-Danial-Gharib
Fix nil pointer dereference issue (#4414)
2023-07-19 15:56:26 +02:00
Danial ad43df5e86
configfile: Initialize nil AuthConfigs
Initialize AuthConfigs map if it's nil before returning it.
This fixes fileStore.Store nil dereference panic when adding a new key
to the map.

Signed-off-by: Danial Gharib <danial.mail.gh@gmail.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-19 15:36:10 +02:00
Sebastiaan van Stijn 803d4a9143
Merge pull request #4447 from thaJeztah/deprecate_NewStartOptions
cli/command/container: deprecate NewStartOptions
2023-07-19 15:05:04 +02:00
Sebastiaan van Stijn b52fd79f1d
docs: add missing docs for "DOCKER_TLS" env-var
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 15:03:40 +02:00
Sebastiaan van Stijn 298bddcc23
cli/command/container: deprecate NewStartOptions
It's unused in the CLI itself, and does nothing other than
initializing a new, empty StartOptions struct.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 14:12:07 +02:00
Bjorn Neergaard 9b79cbac0b
Merge pull request #4444 from thaJeztah/buildx_0.11.2
Dockerfile: update buildx to v0.11.2
2023-07-18 16:34:18 -06:00
Sebastiaan van Stijn 00870d68fc
Dockerfile: update buildx to v0.11.2
release notes: https://github.com/docker/buildx/releases/tag/v0.11.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-19 00:24:18 +02:00
Sebastiaan van Stijn 10b9009a9b
Merge pull request #4439 from thaJeztah/update_credential_helpers
vendor: github.com/docker/docker-credential-helpers v0.8.0
2023-07-17 19:23:33 +02:00
Sebastiaan van Stijn 78e4633929
vendor: github.com/docker/docker-credential-helpers v0.8.0
full diff: https://github.com/docker/docker-credential-helpers/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-17 16:06:44 +02:00
Sebastiaan van Stijn ce9f15c24c
Merge pull request #4427 from thaJeztah/context_inline_vars
cli/context/docker: Endpoint.ClientOpts, withHTTPClient: inline variables
2023-07-17 13:08:29 +02:00
Sebastiaan van Stijn 92b9f94a7c
Merge pull request #4429 from thaJeztah/update_buildx
Dockerfile: update buildx to v0.11.1
2023-07-15 15:16:11 +02:00
Sebastiaan van Stijn ff9f1be19e
Dockerfile: update buildx to v0.11.1
update the version we use in the dev-container;

- Fix a regression for bake where services in profiles would not be loaded.
- Fix a regression where --cgroup-parent option had no effect during build.
- Fix a regression where valid docker contexts could fail buildx builder name validation.
- Fix an issue where the host-gateway special address could not be used as an argument to --add-host.
- Fix a possible panic when terminal is resized during the build.

release notes: https://github.com/docker/buildx/releases/tag/v0.11.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 15:02:34 +02:00
Sebastiaan van Stijn d07dc5c410
Merge pull request #4421 from thaJeztah/update_go_1.20.6
update go to go1.20.6
2023-07-15 14:55:17 +02:00
Sebastiaan van Stijn 680fafdc9c
update go to go1.20.6
go1.20.6 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to the compiler, cgo, the cover tool, the go command,
the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template
packages. See the Go 1.20.6 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved

Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6

These minor releases include 1 security fixes following the security policy:

net/http: insufficient sanitization of Host header

The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.

Thanks to Bartek Nowotarski for reporting this issue.

Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374

[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 14:42:35 +02:00
Sebastiaan van Stijn 223bf80d4b
cli/context/docker: Endpoint.ClientOpts, withHTTPClient: inline variables
Remove some intermediate variables, and inline them.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 14:41:25 +02:00
Sebastiaan van Stijn 6654ea1434
Merge pull request #4422 from thaJeztah/update_engine
vendor: github.com/docker/docker dab9ffb252186f4c47416addb136d579f9314c6a (25.0-dev)
2023-07-15 14:07:30 +02:00
Sebastiaan van Stijn 3469beb80d
replace uses of deprecated api/types that moved to api/types/system
These types were moved to api/types/system:

- types.Info
- types.Commit
- types.PluginsInfo
- types.NetworkAddressPool
- types.Runtime
- types.SecurityOpt
- types/KeyValue
- types.DecodeSecurityOptions()

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:20:49 +02:00
Sebastiaan van Stijn 1f87420b5b
vendor: github.com/docker/docker dab9ffb252186f4c47416addb136d579f9314c6a (25.0-dev)
full diff: 98d3da79ef...dab9ffb252

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:20:49 +02:00
Sebastiaan van Stijn 4d03b935c1
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230707182847-6f78b8199b05
no changes in vendored files

full diff: ad0f3ae162...6f78b8199b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-15 01:19:23 +02:00
Sebastiaan van Stijn a87d1373de
Merge pull request #4408 from thaJeztah/update_deps
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230627115642-ad0f3ae162fa
2023-07-15 01:16:49 +02:00
Sebastiaan van Stijn 424e499b6a
Merge pull request #4415 from vvoland/dont-ignore-volume-parse-err
cli/container: Don't ignore error when parsing volume spec
2023-07-15 00:05:56 +02:00
Sebastiaan van Stijn dbd53f0419
Merge pull request #4411 from crazy-max/update-xx
Dockerfile: update to xx 1.2.1
2023-07-13 00:38:48 +02:00
Sebastiaan van Stijn a6a69c83f2
Merge pull request #4416 from elezar/bump-cdi-dependency
Bump container-device-interface dependency to v0.6.0
2023-07-12 22:39:49 +02:00
Paweł Gronowski fe7afb700f
cli/container: Don't ignore error when parsing volume spec
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-07-12 09:45:55 +02:00
Evan Lezar 323ca1d567 Bump container-device-interface dependency to v0.6.0
Signed-off-by: Evan Lezar <elezar@nvidia.com>
2023-07-11 23:30:59 +02:00
CrazyMax fca67dd817
Dockerfile: update to xx 1.2.1
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-07-10 13:09:07 +02:00
Sebastiaan van Stijn de9f1f5b90
vendor: github.com/moby/swarmkit/v2 v2.0.0-20230627115642-ad0f3ae162fa
no changes in vendored files, but keeping in sync with the docker/docker version

full diff: 36334ed187...ad0f3ae162

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-07 18:18:14 +02:00
Sebastiaan van Stijn df04aca5d2
Merge pull request #4405 from cpuguy83/health_start_interval
Add support for health start interval
2023-07-07 18:15:10 +02:00
Sebastiaan van Stijn b8f51d9591
Merge pull request #4084 from elezar/add-cdi-support
Support CDI devices in --device flag
2023-07-06 22:44:58 +02:00
Brian Goff 125eeb7ab6 Add docs for health-start-interval
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-07-06 19:41:34 +00:00
Brian Goff 986879c071 Add flags to container/service for health start interval
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-07-06 19:05:34 +00:00
Brian Goff 9bfaa6ff79 revendor docker/docker from master
Revendoring to get new StartInterval field for container health config

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2023-07-06 19:05:13 +00:00
Evan Lezar dbd9d5d74f Update vendoring for CDI parser
Signed-off-by: Evan Lezar <elezar@nvidia.com>
2023-07-04 15:14:34 +02:00
Evan Lezar dad225d1e2 Support CDI devices in --device flag
Signed-off-by: Evan Lezar <elezar@nvidia.com>
2023-07-04 14:52:46 +02:00