Commit Graph

10339 Commits

Author SHA1 Message Date
Sebastiaan van Stijn e29292f921
add security policy
Based on the security policy in the Moby repository (with the name
of the project changed, and a link to to the Moby documentation for
maintained branches).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-08-05 11:58:34 +02:00
Laura Brehm 78de7da660
Merge pull request #5310 from thaJeztah/gha_permissions
gha: set permissions to read-only by default
2024-08-02 11:26:06 +01:00
Laura Brehm 93ee2e6638
Merge pull request #5311 from thaJeztah/vendor_otel_trace
vendor: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
2024-08-02 11:25:20 +01:00
Sebastiaan van Stijn 40a5b297b6
vendor: go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.21.0
commit 89db01ef97 added these tracing modules
as dependency, but did not require the otlptracehttp module. This module
was added later through f0a29af0f3 as indirect
dependency for docker/docker. The otlptracehttp and otlptracegrpc modules
have no dependency between each-other, but similar to their otlpmetric
cousins, are preferred to be on the same version.

This patch aligns their versions. No changes in vendored code;

full diff: https://github.com/open-telemetry/opentelemetry-go/compare/exporters/otlp/otlptrace/otlptracehttp/v1.19.0...exporters/otlp/otlptrace/otlptracehttp/v1.21.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-31 22:28:36 +02:00
Sebastiaan van Stijn e4d99b4b60
gha: set permissions to read-only by default
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-31 14:19:02 +02:00
Laura Brehm ddd4c39930
Merge pull request #5303 from laurazard/fix-flaky-runattach-test
tests/run: fix flaky `RunAttachTermination` test
2024-07-29 13:43:31 +01:00
Laura Brehm eac83574c1
tests/run: fix flaky `RunAttachTermination` test
This test was just incorrect (and testing incorrect
behavior): it was checking that `docker run` exited with a `context
canceled` error after signalling the CLI/cancelling the command's
context, but this was incorrect (and was fixed in
991b1303da - which was when this test
started failing).

However, since this test assertion was happening inside of a goroutine,
it would sometimes pass if this assertion didn't get to run before the
test suite terminated. It was flaky because sometimes this assertion
inside the goroutine did get to execute, but after the test finished
execution, which is a big no-no.

As an aside, assertions inside goroutines are generally bad, and `govet`
even has a linter for this (but it only catches `t.Fatal` and `t.FailNow`
calls and not `assert.Xx`.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-29 13:29:12 +01:00
Paweł Gronowski 393de5f44f
Merge pull request #5252 from thaJeztah/migrate_userns
vendor: docker/docker 2b1097f08088 (removes containerd dependency)
2024-07-26 16:25:11 +02:00
Laura Brehm bc7e64d425
Merge pull request #5297 from laurazard/fix-context-cancel-attach-exit-code
attach: wait for exit code from `ContainerWait`
2024-07-26 14:11:01 +01:00
Laura Brehm 7b46bfc5ac
attach: wait for exit code from `ContainerWait`
Such as with `docker run`, if a user CTRL-Cs while attached to a
container, we should forward the signal and wait for the exit from
`ContainerWait`, instead of just returning.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-26 14:05:31 +01:00
Sebastiaan van Stijn f0a29af0f3
vendor: docker/docker 2b1097f08088 (removes containerd dependency)
full diff: aae044039c...2b1097f080

The userns package in libcontainer was integrated into the moby/sys/user
module at commit 3778ae603c706494fd1e2c2faf83b406e38d687d.

The userns package is used in many places, and currently either depends
on runc/libcontainer, or on containerd, both of which have a complex
dependency tree. This patch is part of a series of patches to unify the
implementations, and to migrate toward that implementation to simplify
the dependency tree.

[3778ae603c706494fd1e2c2faf83b406e38d687d]: 3778ae603c

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-25 14:57:30 +02:00
Sebastiaan van Stijn b34e8e4dff
vendor: github.com/moby/sys/sequential v0.6.0
full diff: https://github.com/moby/sys/compare/sequential/v0.5.0...sequential/v0.6.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-25 14:56:13 +02:00
Sebastiaan van Stijn ea37ac9bac
vendor: github.com/moby/sys/symlink v0.3.0
full diff: https://github.com/moby/sys/compare/symlink/v0.2.0...symlink/v0.3.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-25 14:55:23 +02:00
Sebastiaan van Stijn 435c658333
vendor: github.com/moby/sys/signal v0.7.1
full diff: https://github.com/moby/sys/compare/signal/v0.7.0...signal/v0.7.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-25 14:54:29 +02:00
Sebastiaan van Stijn 501904d48f
vendor: golang.org/x/sys v0.22.0
full diff: https://github.com/golang/sys/compare/v0.21.0...v0.22.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-25 14:53:35 +02:00
Laura Brehm 826fc32e82
Merge pull request #5298 from laurazard/fix-linter
lint: replace deprecated linter names
2024-07-25 12:37:19 +01:00
Laura Brehm cc4163296f
lint: replace deprecated linter names
`megacheck` has been deprecated/split into `gosimple`, `staticcheck`,
and `unused`, which we're already using.

d2b439faa5/pkg/lint/lintersdb/validator_test.go (L227)

`vet` is now `govet`.

d2b439faa5/pkg/lint/lintersdb/validator_test.go (L228)

For more context, see: https://github.com/golangci/golangci-lint/pull/4562

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-25 12:18:50 +01:00
Sebastiaan van Stijn 788e99620d
Merge pull request #5295 from laurazard/fix-context-cancel-attach
attach: don't return context cancelled error
2024-07-25 02:00:26 +02:00
Laura Brehm 66aa0f672c
attach: don't return context cancelled error
In 3f0d90a2a9 we introduced a global
signal handler and made sure all the contexts passed into command
execution get (appropriately) cancelled when we get a SIGINT.

Due to that change, and how we use this context during `docker attach`,
we started to return the context cancelation error when a user signals
the running `docker attach`.

Since this is the intended behavior, we shouldn't return an error, so
this commit adds checks to ignore this specific error in this case.

Also adds a regression test.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-25 00:49:33 +01:00
Sebastiaan van Stijn 0cc1b8c0df
Merge pull request #5289 from thaJeztah/remove_ubuntu_23.10
docs: refresh image versions in examples
2024-07-24 13:11:35 +02:00
Laura Brehm 1e0f669b00
Merge pull request #5291 from laurazard/fix-all-the-flaky-connhelper-tests
tests: fix other flaky `connhelper` tests
2024-07-24 12:03:55 +01:00
Laura Brehm 4a7388f0dd
tests: fix other flaky `connhelper` tests
Follow up to cc68c66c95 (there were more
tests with incorrect syntax).

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-24 11:52:23 +01:00
Laura Brehm 1055536c5c
Merge pull request #5290 from laurazard/fix-flaxy-connhelper-test
Fix flaky `TestCloseRunningCommand` test
2024-07-24 11:03:24 +01:00
Laura Brehm cc68c66c95
tests: fix flaxy `TestCloseRunningCommand` test
Looks like this test was failing due to bad syntax on the `while` loop,
which caused it to die after 1 second. If the test took a bit longer,
the process would be dead before the following assertions run, causing
the test to fail/be flaky.

Signed-off-by: Laura Brehm <laurabrehm@hey.com>
2024-07-24 10:31:45 +01:00
Sebastiaan van Stijn b36522b473
docs: refresh image versions in examples
use current LTS versions of ubuntu where suitable, remove uses of
ubuntu:23.10 (which reache EOL), and and update some other examples
to use more current versions.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-24 09:47:36 +02:00
Paweł Gronowski a69c0365b6
Merge pull request #5273 from thaJeztah/vendor_containerd_1.7.20
vendor: github.com/containerd/containerd v1.7.20
2024-07-23 14:59:23 +02:00
Laura Brehm 8f20c9a238
Merge pull request #5259 from thaJeztah/move_file_warning
cli/config/credentials: move warning to fileStore
2024-07-22 17:59:14 +01:00
Sebastiaan van Stijn d5f90ed547
Merge pull request #5236 from thaJeztah/cleanup_run_errors
cli/command/container: remove reportError, and put StatusError to use
2024-07-22 17:56:16 +02:00
Sebastiaan van Stijn 6559d86217
Merge pull request #5145 from psaintlaurent/ENGINE-903
Add OomScoreAdj to "docker service create" and "docker compose"
2024-07-19 19:09:28 +02:00
plaurent aa2c2cd906 Allow for OomScoreAdj
Signed-off-by: plaurent <patrick@saint-laurent.us>
2024-07-19 13:02:01 -04:00
Sebastiaan van Stijn 401048b9cb
vendor: github.com/containerd/containerd v1.7.20
no changes in vendored code

full diff: https://github.com/containerd/containerd/compare/v1.7.19...v1.7.20

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 19:01:54 +02:00
Sebastiaan van Stijn 5568565b54
Merge pull request #5098 from thaJeztah/custom_headers_env_var
add support for DOCKER_CUSTOM_HEADERS env-var (experimental)
2024-07-19 16:43:56 +02:00
Sebastiaan van Stijn 6638deb9d6
add support for DOCKER_CUSTOM_HEADERS env-var (experimental)
This environment variable allows for setting additional headers
to be sent by the client. Headers set through this environment
variable are added to headers set through the config-file (through
the HttpHeaders field).

This environment variable can be used in situations where headers
must be set for a specific invocation of the CLI, but should not
be set by default, and therefore cannot be set in the config-file.

WARNING: If both config and environment-variable are set, the environment
variable currently overrides all headers set in the configuration file.
This behavior may change in a future update, as we are considering the
environment variable to be appending to existing headers (and to only
override headers with the same name).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 15:04:26 +02:00
Sebastiaan van Stijn cd92610bca
Merge pull request #5268 from thaJeztah/add_macos_apple_silicon
gha: update to macOS 13, add macOS 14 arm64 (Apple Silicon M1)
2024-07-19 13:29:35 +02:00
Sebastiaan van Stijn 9617e8d0ce
gha: update to macOS 13, add macOS 14 arm64 (Apple Silicon M1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 13:05:43 +02:00
Sebastiaan van Stijn ef8b0bf066
Merge pull request #5262 from thaJeztah/relax_pr_check
gha: check-pr-branch: verify major version only
2024-07-19 12:48:41 +02:00
Sebastiaan van Stijn 6d8fcbb233
gha: check-pr-branch: verify major version only
We'll be using release branches for minor version updates, so instead
of (e.g.) a 27.0 branch, we'll be using 27.x and continue using the
branch for minor version updates.

This patch changes the validation step to only compare against the
major version.

Co-authored-by: Cory Snider <corhere@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 12:19:57 +02:00
Sebastiaan van Stijn 659a3bebf2
Merge pull request #5264 from thaJeztah/bump_buildx_compose
Dockerfile: update buildx to v0.16.1, compose to v2.29.0
2024-07-19 10:22:33 +02:00
Sebastiaan van Stijn 77c0d83602
Dockerfile: update compose to v2.29.0
This is the version used in the dev-container, and for testing.

release notes: https://github.com/docker/compose/releases/tag/v2.29.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 02:44:06 +02:00
Sebastiaan van Stijn d00e1abf55
Dockerfile: update buildx to v0.16.1
This is the version used in the dev-container, and for testing.

release notes:
https://github.com/docker/buildx/releases/tag/v0.16.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 02:42:47 +02:00
Sebastiaan van Stijn ab80ea355f
cli/config/credentials: move warning to fileStore
The fileStore itself is aware that it's insecure, so we can make it
responsible for printing the warning. It's not "perfect", as we use
`os.Stderr` unconditionally (not `dockerCli.Err()`), but probably won't
make a difference in _most_ cases.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-19 01:42:01 +02:00
Sebastiaan van Stijn 26b412e491
Merge pull request #5258 from thaJeztah/cleanup_unencrypted_warning
login: slightly cleanup warning about unencrypted store
2024-07-19 01:41:35 +02:00
Sebastiaan van Stijn fcefe44bda
login: slightly cleanup warning about unencrypted store
- Add an empty line before the warning to separate it from the command's output
- Use the `/go/` redirect URL that we have available.
- Put quotes around the filename used for storage.
- Use present tense for the message, as the message is printed while saving.
- User "credentials" instead of "password" for consistency with "credentials-store"

Before:

    docker login myregistry.example.com
    Username: thajeztah
    Password:
    WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/engine/reference/commandline/login/#credential-stores

    Login Succeeded

After:

    docker login myregistry.example.com
    Username: thajeztah
    Password:

    WARNING! Your credentials are stored unencrypted in '/root/.docker/config.json'.
    Configure a credential helper to remove this warning. See
    https://docs.docker.com/go/credential-store/

    Login Succeeded

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-18 18:22:13 +02:00
Sebastiaan van Stijn a78ab63801
login: don't print "unencrypted" warning when failing to save credentials
If we fail to save credentials, make sure that the error about saving
doesn't get lost in the warning about credentials being stored unencrypted.

Also discard errors about printing the warning, as those would be unlikely,
and if they would occur, probably would fail to be printed as well.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-18 18:15:12 +02:00
Sebastiaan van Stijn 90058df305
cli/command/container: remove reportError, and put StatusError to use
The `reportError` utility was present because cli.StatusError would print
the error decorated with `Status: <error-message>, Code: <exit-code>`.
That was not desirable in many cases as it would mess-up the output. To
prevent this, the CLI had code to check for an empty `Status` (error message)
in which case the error would be "ignored" (and only used for the exit-status),
and the `reportError` utility would be used to manually print a custom error
message before returning the error.

Now that bca2090061 fixed the output format
of `cli.StatusError`, and 3dd6fc365d and
350a0b68a9 no longer discard these error,
we can get rid of this utility, and just set the error-message for
the status-error.

This patch:

- Introduces a `withHelp` which takes care of decorating errors with
  a "Run --help" hint for the user.
- Introduces a `toStatusError` utility that detects certain errors in
  the container to assign a corresponding exit-code (these error-codes
  can be used to distinguish "client" errors from "container" errors).
- Removes the `reportError` utility, and removes code that manually
  printed errors before returning.

Behavior is mostly unmodified, with the exception of some slight reformatting
of the errors:

- `withHelp` adds a `docker:` prefix to the error, to indicate the error
  is produced by the `docker` command. This prefix was already present
  in most cases.
- The "--help" hint is slightly updated ("Run 'docker run --help' for
  more information" instead of "See 'docker run --help'"), to make it
  more clear that it's a "call to action".
- An empty is added before the "--help" hint to separate it better from
  the error-message.

Before this patch:

    $ docker run --pull=invalid-option alpine
    docker: invalid pull option: 'invalid-option': must be one of "always", "missing" or "never".
    See 'docker run --help'.
    $ echo $?
    125

    $ docker run --rm alpine nosuchcommand
    docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "nosuchcommand": executable file not found in $PATH: unknown.
    $ echo $?
    127

With this patch:

    $ docker run --pull=invalid-option alpine
    docker: invalid pull option: 'invalid-option': must be one of "always", "missing" or "never"

    Run 'docker run --help' for more information
    $ echo $?
    125

    $ docker run --rm alpine nosuchcommand
    docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "nosuchcommand": executable file not found in $PATH: unknown.

    Run 'docker run --help' for more information
    $ echo $?
    127

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 15:59:30 +02:00
Sebastiaan van Stijn 07baebe90b
Merge pull request #5255 from thaJeztah/bump_docs_tool
vendor: github.com/docker/cli-docs-tool v0.8.0
2024-07-17 15:59:18 +02:00
Sebastiaan van Stijn 2da5f06962
Merge pull request #5238 from thaJeztah/completion_improvements
various improvements to shell completions
2024-07-17 15:35:14 +02:00
Sebastiaan van Stijn 64a3fb82dc
docs: fix typos and version for cli-docs-tool scripts
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 15:25:37 +02:00
Sebastiaan van Stijn e3e9b99015
vendor: github.com/docker/cli-docs-tool v0.8.0
no changes in vendored code

full diff: https://github.com/docker/cli-docs-tool/compare/v0.7.0...v0.8.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2024-07-17 15:23:23 +02:00
Sebastiaan van Stijn 05a808166b
Merge pull request #5233 from thaJeztah/nicer_errors
cli: FlagErrorFunc: don't print long usage output for invalid flags
2024-07-17 14:00:52 +02:00