Commit Graph

9184 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 4b00be585c
update to go1.20.8
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/tls, go/types, net/http, and path/filepath packages. See the
Go 1.20.8 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8

From the security mailing:

[security] Go 1.21.1 and Go 1.20.8 are released

Hello gophers,

We have just released Go versions 1.21.1 and 1.20.8, minor point releases.

These minor releases include 4 security fixes following the security policy:

- cmd/go: go.mod toolchain directive allows arbitrary execution
  The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
  execute scripts and binaries relative to the root of the module when the "go"
  command was executed within the module. This applies to modules downloaded using
  the "go" command from the module proxy, as well as modules downloaded directly
  using VCS software.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.

- html/template: improper handling of HTML-like comments within script contexts
  The html/template package did not properly handle HTML-like "<!--" and "-->"
  comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
  cause the template parser to improperly interpret the contents of <script>
  contexts, causing actions to be improperly escaped. This could be leveraged to
  perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.

- html/template: improper handling of special tags within script contexts
  The html/template package did not apply the proper rules for handling occurrences
  of "<script", "<!--", and "</script" within JS literals in <script> contexts.
  This may cause the template parser to improperly consider script contexts to be
  terminated early, causing actions to be improperly escaped. This could be
  leveraged to perform an XSS attack.

  Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
  issue.

  This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.

- crypto/tls: panic when processing post-handshake message on QUIC connections
  Processing an incomplete post-handshake message for a QUIC connection caused a panic.

  Thanks to Marten Seemann for reporting this issue.

  This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-11 15:49:14 +02:00
Sebastiaan van Stijn 8671a5ea5b
Merge pull request #4493 from akerouanton/create-default-endpoint-settings
Create default EndpointSettings if no --network provided
2023-09-11 11:30:16 +02:00
Albin Kerouanton 9e1b42e642
Add missing opts to --network advanced syntax
The new advanced --network syntax introduced in docker/cli#1767 is
lacking support for `link-local-ip` and `mac-address` fields. This
commit adds both.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-10 18:57:50 +02:00
Albin Kerouanton 58f4260872
Rename expectedCfg into expectedHostCfg
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-10 18:57:46 +02:00
Albin Kerouanton f1048e1a3a
Create default EndpointSettings if no --network provided
The following flags are silently ignored when they're passed with no
`--network` specified (i.e. when the default network is used):

- `--network-alias`
- `--ip`
- `--ip6`
- `--link-local-ip`

This is not really an issue right now since the first 3 parameters are
not allowed on the default bridge network. However, with
[moby/moby#45905][1], the container-wide MacAddress parameter will be
deprecated and dismissed. Because of that, with [docker/cli#4419][2],
it's currently not possible to use the `--mac-address` flag with no
default network specified.

Moreover, `docker network connect --link-local-ip ...` works properly, so
it should also work on `docker container create`. This also lays the
ground for making the default bridge network just a "normal" network.

Since the 3 parameters in the list above aren't ignored anymore, if
users provide them, moby's ContainerStart endpoint will complain about
those. To provide better UX, [moby/moby#46183][3] makes sure these
invalid parameters lead to a proper error message on `docker container
create` / `docker run`.

[1]: https://github.com/moby/moby/pull/45905
[2]: https://github.com/docker/cli/pull/4419
[3]: https://github.com/moby/moby/pull/46183

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
2023-09-10 17:19:43 +02:00
Sebastiaan van Stijn d4aca90d19
Merge pull request #4554 from thaJeztah/update_engine
vendor: github.com/docker/docker 06499c52e2b1 (v25.0.0-dev)
2023-09-08 18:24:32 +02:00
briantracy 2c193b59de
Fix extremely minor typo in docker-run man page
The Latin phrase "vice versa" can be pronounced "vice-a-versa", but should not be rendered as such.

Signed-off-by: briantracy <brian.tracy33@gmail.com>
2023-09-07 21:11:13 -07:00
Sebastiaan van Stijn 40dc66b26f
vendor: github.com/docker/docker 06499c52e2b1 (v25.0.0-dev)
full diff: 032797ea4b...06499c52e2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-08 01:55:58 +02:00
Bjorn Neergaard ba2a5208ab
Merge pull request #4547 from thaJeztah/swap_reference
migrate reference github.com/distribution/reference
2023-09-05 12:19:45 -06:00
Sebastiaan van Stijn d6040fbfa2
Merge pull request #4551 from docker/dependabot/github_actions/actions/checkout-4
build(deps): bump actions/checkout from 3 to 4
2023-09-05 18:10:43 +02:00
Sebastiaan van Stijn f13b786724
vendor: github.com/docker/docker 032797ea4bcb (v25.0.0-dev)
full diff: 7abd7fa739...032797ea4b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-05 17:53:23 +02:00
Sebastiaan van Stijn fb2ba5d63b
migrate reference github.com/distribution/reference
The "reference" package was moved to a separate module, which was extracted
from b9b19409cf

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-05 17:53:20 +02:00
Sebastiaan van Stijn 25ce44280b
Merge pull request #4552 from thaJeztah/update_engine
vendor: github.com/docker/docker 7abd7fa73965 (v25.0.0-dev)
2023-09-05 17:32:58 +02:00
Sebastiaan van Stijn 04af128211
vendor: github.com/docker/docker 7abd7fa73965 (v25.0.0-dev)
full diff: a65c948e7e...7abd7fa739

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-09-05 13:43:35 +02:00
dependabot[bot] dee40053f6
build(deps): bump actions/checkout from 3 to 4
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-09-05 08:37:30 +00:00
Bjorn Neergaard f74f88445f
Merge pull request #4530 from thaJeztah/fix_events_json_format
cli/command/system: fix "docker events" not supporting --format=json
2023-08-29 07:43:55 -06:00
Sebastiaan van Stijn 6dfdd1eae9
cli/command/system: fix "docker events" not supporting --format=json
Before this patch:

    docker events --format=json
    json
    json
    json
    ^C

With this patch:

    docker events --format=json
    {"status":"create","id":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","from":"hello-world","Type":"container","Action":"create","Actor":{"ID":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","Attributes":{"image":"hello-world","name":"dreamy_goldstine"}},"scope":"local","time":1693168508,"timeNano":1693168508190136885}
    {"status":"attach","id":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","from":"hello-world","Type":"container","Action":"attach","Actor":{"ID":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","Attributes":{"image":"hello-world","name":"dreamy_goldstine"}},"scope":"local","time":1693168508,"timeNano":1693168508192851593}
    {"Type":"network","Action":"connect","Actor":{"ID":"c54920dd5074a73e28bea62007e0334d81cc040a90372be311cf16806403d350","Attributes":{"container":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","name":"bridge","type":"bridge"}},"scope":"local","time":1693168508,"timeNano":1693168508212398802}
    {"status":"start","id":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","from":"hello-world","Type":"container","Action":"start","Actor":{"ID":"4ac3bba8abd68961e627540fed81ad16d55b88e45629d7cdb792126d09b6488d","Attributes":{"image":"hello-world","name":"dreamy_goldstine"}},"scope":"local","time":1693168508,"timeNano":1693168508312969843}
    ^C

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 14:48:49 +02:00
Sebastiaan van Stijn db6209abdd
update golangci-lint to v1.54.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 14:21:47 +02:00
Sebastiaan van Stijn a1367a0231
Merge pull request #4540 from thaJeztah/manifest_deref
cli/registry: fix client.pullManifestList not de-referencing manifest, and remove "v1" check
2023-08-29 11:43:19 +02:00
Sebastiaan van Stijn 28dfb13e39
Merge pull request #4541 from thaJeztah/cli_registry_cleanup
cli/registry/client: remove some redundant conditions
2023-08-29 11:42:59 +02:00
Sebastiaan van Stijn 9ad0792443
cli/registry/client: remove some redundant conditions
Remove some redundant error-checks or combine them. Also made a small
optimisation when initialising a slice.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 09:43:58 +02:00
Sebastiaan van Stijn 22b4bab90f
cli/registry: client.iterateEndpoints: remove check for APIVersion1
registryService.LookupPullEndpoints uses lookupV2Endpoints
https://github.com/moby/moby/blob/v24.0.5/registry/service.go#L137-L142

which, as the name indicates, only returns V2 endpoints;
https://github.com/moby/moby/blob/v24.0.5/registry/service_v2.go#L10-L80

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 09:41:48 +02:00
Sebastiaan van Stijn 5250f1bab5
cli/registry: fix client.pullManifestList not de-referencing manifest
Kudos to gosec;

    cli/registry/client/fetcher.go:205:57: G601: Implicit memory aliasing in for loop. (gosec)
            imageManifest.Descriptor.Platform = types.OCIPlatform(&manifestDescriptor.Platform)
                                                                  ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-29 08:50:07 +02:00
Sebastiaan van Stijn bd9f60b70d
Merge pull request #4522 from thaJeztah/dockerfile_copy_link
Dockerfile: use COPY --link where possible
2023-08-28 23:04:47 +02:00
Sebastiaan van Stijn 962056e434
Merge pull request #4534 from thaJeztah/update_engine
vendor: github.com/docker/docker 5b53ddfcdd1c (v25.0.0-dev)
2023-08-28 23:03:41 +02:00
Sebastiaan van Stijn 16ac0e7b86
Merge pull request #4532 from thaJeztah/tests_dont_require_utc
force TestNewHistoryCommandSuccess to use UTC timezone
2023-08-28 22:59:40 +02:00
Sebastiaan van Stijn f1066d80e1
Merge pull request #4531 from thaJeztah/update_docs_tool
update cli-docs-tool to v0.6.0
2023-08-28 22:57:13 +02:00
Sebastiaan van Stijn d40fc1a0fa
vendor: github.com/docker/docker a65c948e7edf (v25.0.0-dev)
full diff: 4b19b2f4ba...a65c948e7e

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-28 21:11:17 +02:00
Sebastiaan van Stijn 79f24c7afb
Merge pull request #4536 from thaJeztah/docs_fix_whitespace
docs/reference: run.md: remove stray whitespace
2023-08-28 16:24:02 +02:00
Sebastiaan van Stijn be9e42ee00
Merge pull request #4533 from thaJeztah/test_table_TestParseRestartPolicy
rewrite TestParseRestartPolicy to use sub-tests
2023-08-28 14:41:36 +02:00
Sebastiaan van Stijn 261c18f9ee
ParseRestartPolicy: validate for missing policy-names
Also make it slightly clearer we're returning a default (empty)
policy if the input is empty.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-28 12:58:54 +02:00
Sebastiaan van Stijn 3d2aac6a0d
docs/reference: run.md: remove stray whitespace
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-28 12:22:22 +02:00
Sebastiaan van Stijn dfca19a796
Merge pull request #4510 from thaJeztah/info_cdi_dirs
info: add CDI spec directories to output
2023-08-28 12:19:16 +02:00
Sebastiaan van Stijn 4cce7bb2fc
rewrite TestParseRestartPolicy to use sub-tests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-28 11:58:42 +02:00
Sebastiaan van Stijn 42ac5d4bf9
force TestNewHistoryCommandSuccess to use UTC timezone
This test was skipped if the host was not using UTC timezone, because the output
of timestamps would be different, causing the test to fail.

This patch overrides the TZ env-var to make the test use UTC, so that we don't
have to skip the test.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-28 10:43:21 +02:00
Sebastiaan van Stijn fcb2b7920e
Merge pull request #3781 from imjasonh/history-test
un-skip history test and fix golden mismatches
2023-08-28 10:35:23 +02:00
Sebastiaan van Stijn 17f4c8259b
update cli-docs-tool to v0.6.0
release notes: https://github.com/docker/cli-docs-tool/releases/tag/v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-28 01:58:58 +02:00
Sebastiaan van Stijn 39296a9b19
Merge pull request #4524 from thaJeztah/docs_update_golang_links
docs, man, contribute: update links to go documentation, and use https where available
2023-08-25 17:22:47 +02:00
Sebastiaan van Stijn 6f80b0b302
Merge pull request #4526 from struharv/4521-manpages-adding-c-option
adding -c option for docker run/build in manpages
2023-08-25 17:09:34 +02:00
Vaclav Struhar be219b3172
adding -c option for docker run/build in manpages
Signed-off-by: Vaclav Struhar <struharv@gmail.com>
2023-08-25 15:06:16 +02:00
Sebastiaan van Stijn 273f2cd95e
cli/command/manifest: update link to Go documentation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 14:12:45 +02:00
Sebastiaan van Stijn 722e3aae4f
man: update links to Go documentation
Go documentation moved to the `go.dev` domain;

    curl -sI https://golang.org/doc/install/source#environment | grep 'location'
    location: https://go.dev/doc/install/source

Also updated some links to use https, where available.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 14:11:18 +02:00
Sebastiaan van Stijn dc4feccb89
docs/reference: update links to Go documentation
Go documentation moved to the `go.dev` domain;

    curl -sI https://golang.org/doc/install/source#environment | grep 'location'
    location: https://go.dev/doc/install/source

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 14:10:40 +02:00
Sebastiaan van Stijn 1d3af726eb
CONTRIBUTING.md: update links
- docs moved to https://go.dev/doc/
- blog moved to https://go.dev/blog/
- update DCO link to use https

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 14:09:07 +02:00
Sebastiaan van Stijn af05a68828
Dockerfile: use COPY --link where possible
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-25 01:56:35 +02:00
Sebastiaan van Stijn 41183c2c92
Merge pull request #4514 from thaJeztah/patternmatcher_dockerignore
replace dockerfile/dockerignore with patternmatcher/ignorefile
2023-08-23 13:53:41 +02:00
Sebastiaan van Stijn c7a3a307be
Merge pull request #4516 from thaJeztah/cgroup_parent_description
update flag-description for --cgroup-parent
2023-08-23 13:53:17 +02:00
Sebastiaan van Stijn 3d11292731
Merge pull request #4505 from guss77/docker-cli-slows-bash-init
Docker cli slows bash init
2023-08-23 13:30:58 +02:00
Oded Arbel 1da67be9ca
Stop slowing bash init by caching plugins path slowly
Fixes issue #3889 by only loading docker plugins path when needed: if it is fast enough then it shouldn't be a problem to do this on demand; OTOH if it is slow then we shouldn't do this during *every* bash session initialization, regardless if docker completion will be needed or not.

Signed-off-by: Oded Arbel <oded@geek.co.il>
2023-08-23 13:40:29 +03:00
Sebastiaan van Stijn 5bff12354d
replace dockerfile/dockerignore with patternmatcher/ignorefile
The BuildKit dockerignore package was migrated to the patternmatcher
repository / module. This patch updates our uses of the BuildKit package
with its new location.

A small local change was made to keep the format of the existing error message,
because the "ignorefile" package is slightly more agnostic in that respect
and doesn't include ".dockerignore" in the error message.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-08-23 12:09:12 +02:00