Commit Graph

6707 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 27d9aa2d9f
vendor: update golang.org/x/crypto 69ecbb4d6d5dab05e49161c6e77ea40a030884e1 (CVE-2020-7919)
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:

- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-29 11:25:09 +01:00
Sebastiaan van Stijn 19fd390c36
Update Golang 1.12.16 (CVE-2020-0601, CVE-2020-7919)
full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16

go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the
CVE-2020-0601 certificate verification bypass on Windows. The other affects only
32-bit architectures.

https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved

- X.509 certificate validation bypass on Windows 10
  A Windows vulnerability allows attackers to spoof valid certificate chains when
  the system root store is in use. These releases include a mitigation for Go
  applications, but it’s strongly recommended that affected users install the
  Windows security update to protect their system.
  This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
  On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
  functions of golang.org/x/crypto/cryptobyte can lead to a panic.
  The malformed certificate can be delivered via a crypto/tls connection to a
  client, or to a server that accepts client certificates. net/http clients can
  be made to crash by an HTTPS server, while net/http servers that accept client
  certificates will recover the panic and are unaffected.
  Thanks to Project Wycheproof for providing the test cases that led to the
  discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
  This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-29 11:23:02 +01:00
Tonis Tiigi 4f3bc15817
docs: document dockerignore update
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-28 19:37:25 +01:00
Tonis Tiigi f7009ee126
docs: document build outputs
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-28 19:37:22 +01:00
Tonis Tiigi 73cd257d0f
docs: document cache-from
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-28 19:37:15 +01:00
Silvin Lubecki 774216439b
Merge pull request #2275 from thaJeztah/bump_utils
Bump vndr v0.1.0, mjibson/esc v0.2.0, gotestsum v0.4.0
2020-01-28 16:27:35 +01:00
Sebastiaan van Stijn 9e620e990f
implement docker push -a/--all-tags
The `docker push` command up until [v0.9.1](https://github.com/moby/moby/blob/v0.9.1/api/client.go#L998)
always pushed all tags of a given image, so `docker push foo/bar` would push (e.g.)
all of  `foo/bar:latest`, `foo:/bar:v1`, `foo/bar:v1.0.0`.

Pushing all tags of an image was not desirable in many case, so docker v0.10.0
enhanced `docker push` to optionally specify a tag to push (`docker push foo/bar:v1`)
(see https://github.com/moby/moby/issues/3411 and the pull request that implemented
this: https://github.com/moby/moby/pull/4948).

This behavior exists up until today, and is confusing, because unlike other commands,
`docker push` does not default to use the `:latest` tag when omitted, but instead
makes it push "all tags of the image"

For example, in the following situation;

```
docker images

REPOSITORY          TAG                        IMAGE ID            CREATED             SIZE
thajeztah/myimage   latest                     b534869c81f0        41 hours ago        1.22MB
```

Running `docker push thajeztah/myimage` seemingly does the expected behavior (it
pushes `thajeztah/myimage:latest` to Docker Hub), however, it does not so for the
reason expected (`:latest` being the default tag), but because `:latest` happens
to be the only tag present for the `thajeztah/myimage` image.

If another tag exists for the image:

```
docker images

REPOSITORY          TAG                        IMAGE ID            CREATED             SIZE
thajeztah/myimage   latest                     b534869c81f0        41 hours ago        1.22MB
thajeztah/myimage   v1.0.0                     b534869c81f0        41 hours ago        1.22MB
```

Running the same command (`docker push thajeztah/myimage`) will push _both_ images
to Docker Hub.

> Note that the behavior described above is currently not (clearly) documented;
> the `docker push` reference documentation (https://docs.docker.com/engine/reference/commandline/push/)
does not mention that omitting the tag will push all tags

This patch changes the default behavior, and if no tag is specified, `:latest` is
assumed. To push _all_ tags, a new flag (`-a` / `--all-tags`) is added, similar
to the flag that's present on `docker pull`.

With this change:

- `docker push myname/myimage` will be the equivalent of `docker push myname/myimage:latest`
- to push all images, the user needs to set a flag (`--all-tags`), so `docker push --all-tags myname/myimage:latest`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-28 16:21:06 +01:00
Silvin Lubecki 82b2fda758
Merge pull request #2298 from thaJeztah/bump_yaml
vendor: bump gopkg.in/yaml.v2 v2.2.8
2020-01-28 16:07:55 +01:00
Sebastiaan van Stijn 3dfcfbb2bf
vendor: bump gopkg.in/yaml.v2 v2.2.8
full diff: https://github.com/go-yaml/yaml/compare/v2.2.3...v2.2.8

includes:

- go-yaml/yaml 515 Improve heuristics preventing CPU/memory abuse
- go-yaml/yaml@f90ceb4f40 Fix check for non-map alias merging in v2
    - fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
- go-yaml/yaml 543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d6156d Fix issue in simple_keys improvements
    - fixes "Invalid simple_keys now cause panics later in decode"
- go-yaml/yaml 555 Optimize cases with long potential simple_keys

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-28 15:44:12 +01:00
Sebastiaan van Stijn 3c8c0ff380
Merge pull request #2108 from Kovah/iptables-notice
Add notice about port binding and overriding of UFW to docker run reference
2020-01-28 12:48:04 +01:00
Sebastiaan van Stijn 594be50a63
bump gotestsum v0.4.0
full diff: https://github.com/gotestyourself/gotestsum/compare/v0.3.5...v0.4.0

includes:

- gotestyourself/gotestsum#59 Report if a package was cached in short formats
- gotestyourself/gotestsum#63 always colorize output unless specifically requested not to
- gotestyourself/gotestsum#61 Improve short-verbose output for tests in CWD
- gotestyourself/gotestsum#70 https://github.com/gotestyourself/gotestsum/pull/70
- gotestyourself/gotestsum#73 Add short-with-failures format

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-27 17:48:01 +01:00
Sebastiaan van Stijn 3f83832be1
bump gotestsum v0.3.5
full diff: https://github.com/gotestyourself/gotestsum/compare/v0.3.4...v0.3.5

- gotestyourself/gotestsum#52 Add a --version flag that goreleaser will populate for us
- gotestyourself/gotestsum#57 Identify and, filter or display coverage output

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-27 17:41:07 +01:00
Sebastiaan van Stijn 97010520d4
bump mjibson/esc v0.2.0
full diff: https://github.com/mjibson/esc/compare/v0.1.0...v0.2.0

includes:

- mjibson/esc#51 Readdir Implementation - and covering with tests
- mjibson/esc#53 update go versions and golint import location
- mjibson/esc#58 Avoid unnecessary conversion and so pass with unconvert linter

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-27 17:40:56 +01:00
Sebastiaan van Stijn 7904c23df8
bump vndr v0.1.0 to support versioned import paths
With this change, go packages/modules that use versioned
import paths (github.com/foo/bar/v2), but don't use a directory
in the repository, can now be supported.

For example:

```
github.com/coreos/go-systemd/v22 v22.0.0
```

will vendor the github.com/coreos/go-systemd repository
into `vendor/github.com/coreos/go-systemd/v22`.

full diff: b177b583eb...v0.1.0

- LK4D4/vndr#79 Add more clear messages around clone failures
- LK4D4/vndr#80 add riscv64 support
- LK4D4/vndr#83 migrate bitbucket to api 2.0
    - fixes LK4D4/vndr#82 https://api.bitbucket.org/1.0/repositories/ww/goautoneg: 410 Gone
- LK4D4/vndr#86 Replace sort.Sort with sort.Strings
- LK4D4/vndr#87 support `github.com/coreos/go-systemd/v22`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-27 17:28:09 +01:00
Silvin Lubecki 809cc8948d
Merge pull request #2289 from thaJeztah/update_flag_description
Update flag description for docker rm -v
2020-01-27 15:14:29 +01:00
Sebastiaan van Stijn 8f5379b301
Update flag description for docker rm -v
The `-v` option removes anonymous volume only, and keeps
named volumes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-25 13:54:23 +01:00
Sebastiaan van Stijn 7a0b138571
Merge pull request #2277 from zappy-shu/bump_mergo_v0.3.8
Bump mergo v0.3.8
2020-01-24 17:48:45 +01:00
Nick Adcock 4006c42e13 Added transforms for compose overrides
Added transforms for when merging compose overrides to preserve the
functionality that was broken by bumping mergo to v1.3.8

This includes:
- Special transform for ulimits so single overrides both soft/hard and
the reverse
- Special transform for service network configs so the override replaces
all aliases

Signed-off-by: Nick Adcock <nick.adcock@docker.com>
2020-01-24 15:52:36 +00:00
Kovah a955ed6477
Add notice about port binding and overriding of UFW to docker run reference
Signed-off-by: Kovah <mail@kovah.de>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-24 16:35:43 +01:00
Silvin Lubecki e753eec764
Merge pull request #2287 from thaJeztah/fix_quiet_push
Fix: docker push --quiet suppressing errors and exit code
2020-01-24 16:34:42 +01:00
Sebastiaan van Stijn 94443920b1
Fix: docker push --quiet suppressing errors and exit code
Before this patch:

    docker push --quiet nosuchimage
    docker.io/library/nosuchimage

    echo $?
    0

With this patch applied:

    docker push --quiet nosuchimage:latest
    An image does not exist locally with the tag: nosuchimage

    echo $?
    1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-24 13:53:24 +01:00
Sebastiaan van Stijn 74fb129a73
Merge pull request #1596 from glefloch/951-run-trust-tests
Add content trust tests for run command
2020-01-23 16:41:45 +01:00
Sebastiaan van Stijn 6cf7970cd3 bump imdario/mergo v0.3.8
full diff: https://github.com/imdario/mergo/compare/v0.3.7...v0.3.8

includes:

- imdario/mergo#112 Add strict override
    - fixes imdario/mergo#111 WithOverride should be able to check types
- imdario/mergo#106 Fix merging of interface types with concrete values
- imdario/mergo#120 should not overwrite pointers directly, instead check embedded values
    - fixes imdario/mergo#114 Embedded struct of pointer types will overwrite the whole destination struct
- imdario/mergo#125 added WithOverrideEmptySlice config flag

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-21 14:08:10 +00:00
Silvin Lubecki 9b420b1511
Merge pull request #2273 from thaJeztah/max_download_attempts_completion
completion: add `--max-download-attempts`
2020-01-21 11:54:32 +01:00
Silvin Lubecki 8813df36cf
Merge pull request #2269 from thaJeztah/bump_golang_1.12.15
Update Golang 1.12.15
2020-01-21 11:48:53 +01:00
Sebastiaan van Stijn e9b9a0014c
completion: add `--max-download-attempts`
Follow-up to 86281a7b4b

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-20 14:47:52 +01:00
glefloch 348f24cae6
Add content trust tests for run command
Signed-off-by: Guillaume Le Floch <glfloch@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-20 14:18:52 +01:00
Sebastiaan van Stijn d443b74091
Merge pull request #1856 from arthrp/master
Forcing the creation of tmp directory
2020-01-20 14:04:39 +01:00
Silvin Lubecki 52714e413c
Merge pull request #2263 from thaJeztah/bump_miekg_pkcs11
vendor: bump miekg/pkcs11 v1.0.3
2020-01-17 16:32:47 +01:00
Silvin Lubecki 7d087b5aa6
Merge pull request #1950 from RahulZoldyck/1943-bug-fix
Add log-driver and options to service inspect "pretty" format
2020-01-17 15:42:22 +01:00
Rahul Zoldyck 139af1f6d6
Add log-driver and options to service inspect "pretty" format
Signed-off-by: Rahul Zoldyck <rahulzoldyck@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-17 15:10:36 +01:00
Sebastiaan van Stijn 84c6b08cf6
Update Golang 1.12.15
full diff: https://github.com/golang/go/compare/go1.12.14...go1.12.15

go1.12.15 (released 2020/01/09) includes fixes to the runtime and the net/http
package. See the Go 1.12.15 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.12.15+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-17 15:00:22 +01:00
Sebastiaan van Stijn b53ffd6c1f
vendor: bump miekg/pkcs11 v1.0.3
full diff: https://github.com/miekg/pkcs11/compare/v1.0.2...v1.0.3

- miekg/pkcs11#100 Add typed convenience `Find...` methods to `Session`
- miekg/pkcs11#115 Add CK_EFFECTIVELY_INFINITE and CK_UNAVAILABLE_INFORMATION

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-16 17:30:06 +01:00
Sebastiaan van Stijn c6d10b6da0
Merge pull request #2091 from mikesir87/user-group-info
Add clarification when using USER UID:GID
2020-01-16 15:24:28 +01:00
Silvin Lubecki d05846d2cb
Merge pull request #2260 from thaJeztah/fix_comment_formatting
Fix comment formatting and minor linting issue
2020-01-16 14:55:38 +01:00
Sebastiaan van Stijn 1d6445dc99
opts: fix formatting of comments
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-16 12:48:09 +01:00
Sebastiaan van Stijn e7f720b0a6
cli/config: fix formatting of comments
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-16 12:47:49 +01:00
Sebastiaan van Stijn 73dcf50d5a
cli/command: fix formatting of comments, and minor linting issues
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-16 12:47:12 +01:00
Sebastiaan van Stijn 6e5528b650
e2e: fix formatting of comments
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-16 12:46:07 +01:00
Silvin Lubecki ddde460613
Merge pull request #2258 from thaJeztah/e2e_update_compose
Dockerfile.e2e: update compose v1.25.1, enable buildkit
2020-01-16 11:27:49 +01:00
Silvin Lubecki 0ab564b1c8
Merge pull request #2251 from thaJeztah/1962-fix-port-bug
Convert ports before parsing.
2020-01-16 11:26:44 +01:00
Sebastiaan van Stijn c804b1083e
Dockerfile.e2e: update compose v1.25.1, enable buildkit
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-15 18:41:44 +01:00
Aleksander Piotrowski c2c7503d49
Convert ports before parsing.
Refactor code to allow mixed notation with -p flag.

Signed-off-by: Aleksander Piotrowski <apiotrowski312@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-01-15 15:09:00 +01:00
Sebastiaan van Stijn c8e27296b7
Merge pull request #2252 from zappy-shu/2250-reverse-port-long-format-order
Reverse order of long-form ports
2020-01-15 14:54:10 +01:00
Nick Adcock 154a1f6df8 Reverse order of long-form ports
Reverses the order long-form port options when converted to short-form
to correctly match the documentation and `docker service create`.

Post change `-p published=8111,target=8112` is the equivalent of
`8111:8112`

Signed-off-by: Nick Adcock <nick.adcock@docker.com>
2020-01-15 12:11:57 +00:00
Silvin Lubecki 34d8486237
Merge pull request #2243 from zappy-shu/2058-single-value-advanced-syntax
Detect single-value advanced syntax
2020-01-13 16:53:11 +01:00
Sebastiaan van Stijn a4f60165b7
Merge pull request #2132 from tonistiigi/ssh-mux
connhelper: use ssh multiplexing
2020-01-09 23:12:25 +01:00
Tonis Tiigi 4ecbef4660 docs: document ssh multiplexing env
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-01-09 10:25:12 -08:00
Tonis Tiigi c04dd6e244 connhelper: add ssh multiplexing
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2020-01-09 10:14:59 -08:00
Silvin Lubecki af097b2618
Merge pull request #2228 from thaJeztah/config_permissions
config: preserve ownership and permissions on configfile
2020-01-09 15:26:54 +01:00