Commit Graph

7470 Commits

Author SHA1 Message Date
Sebastiaan van Stijn de7d866b6a
[20.10] update golang to 1.17.11
go1.17.11 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
crypto/tls package. See the Go 1.17.11 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.17.11+label%3ACherryPickApproved

Hello gophers,

We have just released Go versions 1.18.3 and 1.17.11, minor point releases.

These minor releases include 4 security fixes following the security policy:

- crypto/rand: rand.Read hangs with extremely large buffers
  On Windows, rand.Read will hang indefinitely if passed a buffer larger than
  1 << 32 - 1 bytes.

  Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
  for reporting this issue.

  This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
  Session tickets generated by crypto/tls did not contain a randomly generated
  ticket_age_add. This allows an attacker that can observe TLS handshakes to
  correlate successive connections by comparing ticket ages during session
  resumption.

  Thanks to GitHub user nervuri for reporting this.

  This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows

  If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
  are executed when Cmd.Path is unset and, in the working directory, there are
  binaries named either "..com" or "..exe", they will be executed.

  Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
  this.

  This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows

  On Windows, the `filepath.Clean` function could convert an invalid path to a
  valid, absolute path. For example, Clean(`.\c:`) returned `c:`.

  Thanks to Unrud for reporting this issue.

  This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.

[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-06-02 09:23:24 +02:00
Sebastiaan van Stijn aa7e414fdc
Merge pull request #3601 from thaJeztah/20.10_bump_golang_1.17.10
[20.10] update golang to 1.17.10, golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
2022-05-11 18:22:17 +02:00
Sebastiaan van Stijn 240e4b5501
[20.10] vendor: golang.org/x/sys v0.0.0-20220412211240-33da011f77ad
Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

full diff: 63515b42dc...33da011f77

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:37:09 +02:00
Sebastiaan van Stijn 5d4776bd90
[20.10] update golang to 1.17.10
go1.17.10 (released 2022-05-10) includes security fixes to the syscall package,
as well as bug fixes to the compiler, runtime, and the crypto/x509 and net/http/httptest
packages. See the Go 1.17.10 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.17.10+label%3ACherryPickApproved

Full diff: http://github.com/golang/go/compare/go1.17.9...go1.17.10

Includes fixes for:

- CVE-2022-29526 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526);
  (description at https://go.dev/issue/52313).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-11 14:35:54 +02:00
Sebastiaan van Stijn 1841277463
Merge pull request #3592 from thaJeztah/20.10_backport_bump_x_sys
[20.10 backport] vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
2022-05-06 10:40:09 +02:00
Sebastiaan van Stijn 49e9c2ae3d vendor: golang.org/x/sys 63515b42dcdf9544f4e6a02fd7632793fde2f72d (for Go 1.17)
Go 1.17 requires golang.org/x/sys a76c4d0a0096537dc565908b53073460d96c8539 (May 8,
2021) or later, see https://github.com/golang/go/issues/45702. While this seems
to affect macOS only, let's update to the latest version.

full diff: d19ff857e8...63515b42dc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 61a1775adb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-06 10:08:27 +02:00
Sebastiaan van Stijn 87a3ce2699 vendor: golang.org/x/sys d19ff857e887eacb631721f188c7d365c2331456
full diff: 134d130e1a...d19ff857e8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8ebe404dfc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-06 10:07:40 +02:00
Tonis Tiigi 1d8abed17d
vendor: update x/sys to 134d130e
Makes possible to build for windows/arm64

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit e50cf79579)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-05-06 10:06:43 +02:00
Sebastiaan van Stijn fd82621d35
Merge pull request #3563 from thaJeztah/20.10_bump_golang_1.17.9
[20.10] update golang to 1.17.9
2022-04-21 16:44:35 +02:00
Sebastiaan van Stijn e5ca16bda7
Merge pull request #3551 from thaJeztah/20.10_backport_deprecation_add_missing_fluend_option
[20.10 backport] docs: deprecated: add entry for "fluent-async-connect" log-opt
2022-04-21 16:01:02 +02:00
Sebastiaan van Stijn 31dad66f9a
[20.10] update golang to 1.17.9
go1.17.9 (released 2022-04-12) includes security fixes to the crypto/elliptic
and encoding/pem packages, as well as bug fixes to the linker and runtime. See
the Go 1.17.9 milestone on the issue tracker for details:

Includes fixes for:

- CVE-2022-24675 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24675)
- CVE-2022-28327 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28327)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-19 18:20:51 +02:00
Sebastiaan van Stijn 113c5b526a
Merge pull request #3532 from thaJeztah/20.10_update_engine_20.10.14
[20.10] vendor: docker/docker 20.10.14, docker/distribution v2.8.1, image-spec v1.0.2
2022-04-19 17:50:26 +02:00
Sebastiaan van Stijn c73edb36ca
Merge pull request #3556 from thaJeztah/20.10_update_go_1.17
[20.10 backport] update go to 1.17
2022-04-19 17:33:14 +02:00
Sebastiaan van Stijn 80f673bf9e
gofmt with go1.17
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a0f0578299)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-14 16:40:46 +02:00
Sebastiaan van Stijn 3d4cc8e699
[20.10] update remaining files to go1.17.8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-14 16:40:29 +02:00
Tonis Tiigi 30277a8f80
update go to 1.17.8
Removes the platform based switch between different versions.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6119e4ba90)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-14 16:35:06 +02:00
Sebastiaan van Stijn 994ed4085b
Merge pull request #3522 from thaJeztah/20.10_backport_json_unmarshal_pointer
[20.10 backport] Fix incorrect pointer inputs to `json.Unmarshal`
2022-04-14 16:16:13 +02:00
Sebastiaan van Stijn b10a23a46f
Merge pull request #3521 from thaJeztah/20.10_backport_dockerfile_update_xx
[20.10 backport] Dockerfile: update xx to 1.1
2022-04-14 16:13:54 +02:00
Silvin Lubecki 26d906094a
Merge pull request #3523 from thaJeztah/20.10_backport_docs_fixes
[20.10 backport] assorted documentation fixes
2022-04-14 14:44:30 +02:00
Silvin Lubecki 9c091c4346
Merge pull request #3526 from thaJeztah/20.10_backport_update_e2e_compose
[20.10 backport] e2e: update docker-compose to 1.29.2
2022-04-14 14:43:04 +02:00
Silvin Lubecki a13500b745
Merge pull request #3527 from thaJeztah/20.10_fix_go_versions
[20.10] update remaining Dockerfiles to go 1.16.15
2022-04-14 14:42:47 +02:00
Sebastiaan van Stijn cfef3a7dc1
docs: deprecated: add entry for "fluent-async-connect" log-opt
This option was deperecated in the upstream fluentd logging driver v1.4.0,
and while we documented it as deprecated in the API changelog, there was
no mention yet in the deprecated docs.

relates to:

- https://github.com/fluent/fluent-logger-golang/pull/56
- https://github.com/moby/moby/pull/39086

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 95b0c43e43)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-10 12:05:30 +02:00
Sebastiaan van Stijn 53426025c3
[20.10] docs: reformat table for compatibility
equivalent of 49a7d75a22 on the master
branch.

My IDE's linter kept complaining:

> For compatibility reasons all table rows should have borders (pipe
> symbols) at the start and at the end.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-10 12:03:20 +02:00
Iain Samuel McLean Elder 573a664639
Describe privileged mode in terms of capabilities
I didn't see where in the page that `--privileged` mode adds all capabilities.

I think this page once did contain that information. I got it from a Stack Overflow answer that seems to have copied from an earlier version of this same document.

> Full container capabilities (--privileged)
>
> The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

https://stackoverflow.com/a/36441605/111424
Signed-off-by: Iain Samuel McLean Elder <iain@isme.es>
(cherry picked from commit 8b408372f9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 11:37:19 +02:00
Sebastiaan van Stijn cf0ab7ac4c
[20.10] vendor: github.com/docker/distribution v2.8.1
previous commit was a commit from the master/main branch (~ v2.7); this switches
back to using a released version.

full diff: 0d3efadf01..v2.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 11:31:17 +02:00
Sebastiaan van Stijn d05fd4ffc8
[20.10] vendor: github.com/opencontainers/image-spec v1.0.2
full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 11:27:12 +02:00
Sebastiaan van Stijn 870f138250
[20.10] vendor: github.com/docker/docker v20.10.14
no local changes in vendored files.

full diff: https://github.com/docker/docker/compare/v20.10.7...v20.10.14

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 11:26:41 +02:00
Sebastiaan van Stijn 7ffc243093
Merge pull request #3530 from thaJeztah/20.10_bump_buildx_0.8.2
[20.10] circleci: update buildx to v0.8.2
2022-04-04 10:56:10 +02:00
Sebastiaan van Stijn 198d6b8724
[20.10] circleci: update buildx to v0.8.2
release notes: https://github.com/docker/buildx/releases/tag/v0.8.2

Notable changes:

- Update Compose spec used by buildx bake to v1.2.1 to fix parsing ports definition
- Fix possible crash on handling progress streams from BuildKit v0.10
- Fix parsing groups in buildx bake when already loaded by a parent group

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-04 10:37:24 +02:00
Sebastiaan van Stijn 55a14ec851
[20.10] update remaining Dockerfiles to go 1.16.15
These were missed, probably because they are no longer present
in the master branch.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 22:29:24 +02:00
Sebastiaan van Stijn 1f9a0df05a
e2e: update docker-compose to 1.29.2
Newer versions have COMPOSE_DOCKER_CLI_BUILD enabled by default,
so removing that env-var.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 524e3b215d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 22:25:50 +02:00
Sebastiaan van Stijn 4ae338b33a
docs: reference: remove trailing space to fix yaml formatting
This was introduced in 41a5e0e4df, and
having the trailing whitespace causes the yamldocs generator to
switch to "compact" formatting, which makes that yaml hard to read.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4b35192d7c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 21:33:26 +02:00
Sebastiaan van Stijn 6380142dd4
docs: fix (table) formatting, fix some broken links
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 885f44a5ba)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:57:46 +02:00
Sebastiaan van Stijn 82f422fcf3
docs: build: fix minor markdown and syntax issues
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7d4ae13753)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:49:02 +02:00
Busindre 80fd77903b
Update the list of log drivers
Some new drivers were added to the "docker run" section to make the documentation more up to date.

Signed-off-by: d.alvarez <david.alvarez@flyeralarm.com>
(cherry picked from commit 040210bfae)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:48:46 +02:00
Stefan Scherer c3d4d623c8
Fix CMD --ignored-param1 example
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit 119c7fb84d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:48:33 +02:00
Mozi 2e82d11def
docs: dockerd: fix broken link in blockquote area
Signed-off-by: Mozi <29089388+pzhlkj6612@users.noreply.github.com>
(cherry picked from commit e5f5d946e2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:48:18 +02:00
Nicolas De Loof 738a6ee1cc
improve cp documentation with some illustration examples
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
(cherry picked from commit 41a5e0e4df)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:48:03 +02:00
Sebastiaan van Stijn 246d96bb6c
docs: unify "docker create" and "docker run" reference
The `docker create` command shares most (all) of its options with `docker run`,
which uses `docker create` under the hood. The `docker create` reference docs
already referred users to the `docker run` sections for details, but some
flags were only documented on the `docker create` page.

This patch:

- moves those flags from the `docker create` to the `docker run` page
- does some minor rephrasing and touch-ups.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6c16afe1d4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:47:48 +02:00
Chee Hau Lim 2fd0f17057
docs: add missing documentation for --pull flag
These options were added in 22cd418967,
but did not update the documentation.

Signed-off-by: Chee Hau Lim <cheehau.lim@mobimeo.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7eb61e2ffc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:47:30 +02:00
John Howard 5fa500000a
Fix incorrect pointer inputs to `json.Unmarshal`
See https://github.com/howardjohn/go-unmarshal-double-pointer for more
info on why this is not safe and how this is detected.

Signed-off-by: John Howard <howardjohn@google.com>
(cherry picked from commit ee97fe95bc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:43:16 +02:00
Tonis Tiigi 1e6a8ce2b7
Dockerfile: update xx to 1.1
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
(cherry picked from commit 40d8016627)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-04-01 20:35:40 +02:00
Sebastiaan van Stijn 81d965569d
Merge pull request #3514 from thaJeztah/20.10_backport_fix_ldflags
[20.10] use GO_LDFLAGS instead of LDFLAGS to prevent inheriting unrelated options
2022-03-31 21:14:24 +02:00
Sebastiaan van Stijn 6f7a931a2d
[20.10] use GO_LDFLAGS instead of LDFLAGS to prevent inheriting unrelated options
When building on Fedora 36, the build failed. I suspect this is because the
rpm tools also set LDFLAGS, but with options that cannot be used;

    GO_LINKMODE=dynamic
    + ./scripts/build/binary
      /go/src/github.com/docker/cli ~/rpmbuild/BUILD/src
      Building dynamic docker-linux-arm64
      + go build -o build/docker-linux-arm64 -tags ' pkcs11' -ldflags '-Wl,-z,relro -Wl,--as-needed  -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1 -Wl,-dT,/root/rpmbuild/BUILD/src/.package_note-docker-ce-cli-0.0.0.20220330082637.68cad50-0.fc36.aarch64.ld -w -X "github.com/docker/cli/cli/version.GitCommit=68cad50" -X "github.com/docker/cli/cli/version.BuildTime=2022-03-30T20:05:36Z" -X "github.com/docker/cli/cli/version.Version=0.0.0-20220330082637-68cad50" -X "github.com/docker/cli/cli/version.PlatformName=Docker Engine - Community"' -buildmode=pie github.com/docker/cli/cmd/docker
    # github.com/docker/cli/cmd/docker
    flag provided but not defined: -Wl,-z,relro
    usage: link [options] main.o

This patch changes the variable we use to `GO_LDFLAGS`, taking a similar approach
as containerd, and various other projects using this name: https://grep.app/search?q=GO_LDFLAGS

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 391e6ad944)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-31 14:12:25 +02:00
Nicolas De loof 16169434a4
Merge pull request #3516 from thaJeztah/20.10_no_git_proto 2022-03-31 13:53:36 +02:00
Sebastiaan van Stijn 91bab605f7
[20.10] vendor.conf: don't use git:// protocol
The `git://` protocol is insecure (equivalent of `http://`), and GitHub has
deprecated support for this, see:
https://github.blog/2021-09-01-improving-git-protocol-security-github/

Which causes vendoring with `vndr` to fail:

    2022/03/31 09:29:01 Download dependencies
    2022/03/31 09:29:02 Starting whole vndr cycle because no package specified
    fatal: remote error:
      The unauthenticated git protocol on port 9418 is no longer supported.
    Please see https://github.blog/2021-09-01-improving-git-protocol-security-github/ for more information.
    fatal: remote error:

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-31 13:34:40 +02:00
Sebastiaan van Stijn a224086349
Merge pull request #3461 from thaJeztah/20.10_bump_go_1.16.15
[20.10] update to go 1.16.15 to address CVE-2022-24921
2022-03-04 18:18:07 +01:00
Sebastiaan van Stijn a282e0c5d2
[20.10] update to go 1.16.15 to address CVE-2022-24921
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921)

go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package,
as well as bug fixes to the compiler, runtime, the go command, and to the net package.
See the Go 1.16.15 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.16.14...go1.16.15

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-03-04 16:45:28 +01:00
Silvin Lubecki f3764ff5f9
Merge pull request #3430 from thaJeztah/20.10_backport_docs_fixes
[20.10 backport] assorted documentation fixes
2022-02-22 15:55:42 +01:00
Jon Zeolla 700364e304
Fix mistake with env var example in docker run docs
Signed-off-by: Jon Zeolla <zeolla@gmail.com>
(cherry picked from commit cb1bb72fd9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2022-02-18 12:44:39 +01:00