Commit Graph

8615 Commits

Author SHA1 Message Date
Sebastiaan van Stijn 60933212ff
vendor: github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
full diff: 02efb9a75e...3a7f492d3f

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f4b22fb6cf)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-07-10 09:56:51 +02:00
Sebastiaan van Stijn def48b36de
Merge pull request #4364 from thaJeztah/23.0_update_g01.19.10
[23.0] update go to go1.19.10, alpine 3.17
2023-06-21 10:50:45 +02:00
Sebastiaan van Stijn a483dfd10b
[23.0] update go to go1.19.10
go1.19.10 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, and the
runtime. See the Go 1.19.10 milestone on our issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.19.10+label%3ACherryPickApproved

full diff: https://github.com/golang/go/compare/go1.19.9...go1.19.10

These minor releases include 3 security fixes following the security policy:

- cmd/go: cgo code injection
  The go command may generate unexpected code at build time when using cgo. This
  may result in unexpected behavior when running a go program which uses cgo.

  This may occur when running an untrusted module which contains directories with
  newline characters in their names. Modules which are retrieved using the go command,
  i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
  GO111MODULE=off, may be affected).

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.

- runtime: unexpected behavior of setuid/setgid binaries

  The Go runtime didn't act any differently when a binary had the setuid/setgid
  bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
  I/O file descriptors closed, opening any files could result in unexpected
  content being read/written with elevated privileges. Similarly if a setuid/setgid
  program was terminated, either via panic or signal, it could leak the contents
  of its registers.

  Thanks to Vincent Dehors from Synacktiv for reporting this issue.

  This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.

- cmd/go: improper sanitization of LDFLAGS

  The go command may execute arbitrary code at build time when using cgo. This may
  occur when running "go get" on a malicious module, or when running any other
  command which builds untrusted code. This can be triggered by linker flags,
  specified via a "#cgo LDFLAGS" directive.

  Thanks to Juho Nurminen of Mattermost for reporting this issue.

  This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-21 00:57:59 +02:00
Sebastiaan van Stijn dd7238df1e
Dockerfile: update ALPINE_VERSION to 3.17
Official Golang images are now only available for 3.18 and 3.17;
3.18 doesn't look to play well with gotestsum, so sticking to
an older version.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit acb248f8d5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-21 00:57:27 +02:00
Sebastiaan van Stijn 5df4fd8b46
Merge pull request #4329 from thaJeztah/23.0_backport_dockerfile_goproxy
[23.0 backport] Dockerfile.vendor: update GOPROXY to use default with fallback
2023-06-02 14:08:35 +02:00
Sebastiaan van Stijn e7f7256b25
Dockerfile.vendor: update GOPROXY to use default with fallback
Use the default proxy, to assist with vanity domains mis-behaving, but keep
a fallback for situations where we need to get modules from GitHub directly.

This should hopefully help with the gopkg.in/yaml.v2 domain often going AWOL;

    #14 245.9 	gopkg.in/yaml.v2@v2.4.0: unrecognized import path "gopkg.in/yaml.v2": reading https://gopkg.in/yaml.v2?go-get=1: 502 Bad Gateway
    #14 245.9 	server response: Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe

    curl 'https://gopkg.in/yaml.v2?go-get=1'
    Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe

From the Go documentation: https://go.dev/ref/mod#goproxy-protocol

> List elements may be separated by commas (,) or pipes (|), which determine error
> fallback behavior. When a URL is followed by a comma, the go command falls back
> to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL
> is followed by a pipe, the go command falls back to later sources after any error,
> including non-HTTP errors such as timeouts. This error handling behavior lets a
> proxy act as a gatekeeper for unknown modules. For example, a proxy could respond
> with error 403 (Forbidden) for modules not on an approved list (see Private proxy
> serving private modules).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6458dcbe51)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-06-02 13:16:32 +02:00
Sebastiaan van Stijn 90c59dcdf4
Merge pull request #4311 from thaJeztah/23.0_backport_fix_daemon_proxy
2023-05-19 17:51:21 +02:00
Sebastiaan van Stijn 710a4042d1
docs: fix example for proxies in daemon.json
commit c846428cb6 added proxies to the
example `daemon.json`, based on the implementation that was added in
427c7cc5f8.

However, a follow-up pull request changed the proxy-configuration in `daemon.json`
to nest the configuration in a "proxies" struct, and the documentation was
not updated accordingly; see:
101dafd049

This patch fixes the example.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2713d0bcde)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-19 17:29:05 +02:00
Sebastiaan van Stijn 44a7d9537f
Merge pull request #4285 from thaJeztah/23.0_backport_vendor_distribution_v2.8.2
[23.0 backport] vendor: github.com/docker/distribution v2.8.2
2023-05-11 19:49:44 +02:00
Sebastiaan van Stijn a98af2b396
vendor: github.com/docker/distribution v2.8.2
CI

- Dockerfile: fix filenames of artifacts

Bugfixes

- Fix panic in inmemory driver
- Add code to handle pagination of parts. Fixes max layer size of 10GB bug
- Parse http forbidden as denied
- Revert "registry/client: set Accept: identity header when getting layers"

Runtime

- Update to go1.19.9
- Dockerfile: update xx to v1.2.1 ([#3907](https://github.com/distribution/distribution/pull/3907))

Security

- Fix [CVE-2022-28391](https://www.cve.org/CVERecord?id=CVE-2022-28391) by bumping alpine from 3.14 to 3.16
- Fix [CVE-2023-2253](https://www.cve.org/CVERecord?id=CVE-2023-2253) runaway allocation on /v2/_catalog [`521ea3d9`](521ea3d973)

full diff: https://github.com/docker/distribution/compare/v2.8.1...v2.8.2-beta.2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 353e0a942d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-11 19:17:50 +02:00
Sebastiaan van Stijn 254f611800
Merge pull request #4278 from thaJeztah/23.0_backport_fix_cli_plugins_metadata_experimental_deprecation
[23.0 backport] cli-plugins/manager: fix deprecation comment of Metadata.Experimental
2023-05-11 16:41:43 +02:00
Sebastiaan van Stijn a8d4f0d392
Merge pull request #4274 from thaJeztah/23.0_backport_update_tag_documentation
[23.0 backport] Update tag docs to clarify name
2023-05-10 21:14:45 +02:00
Sebastiaan van Stijn 6f353c8000
cli-plugins/manager: fix deprecation comment of Metadata.Experimental
This field was marked deprecated in 977d3ae046,
which is part of v20.10 and up, but the comment was missing a newline before
the deprecation message, which may be picked up by IDEs, but is not matching
the correct format, so may not be picked up by linters.

This patch fixes the format, to make sure linters pick up that the field is
deprecated.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 72e3813ab9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 22:21:46 +02:00
Craig Osterhout 63b205048f
Update tag docs to clarify name
Signed-off-by: Craig Osterhout <craig.osterhout@docker.com>
(cherry picked from commit 4119d268e7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-09 22:08:23 +02:00
Sebastiaan van Stijn 33f7513d5f
Merge pull request #4270 from dvdksn/23.0_backport_docs/host-flag
[23.0 Backport] docs: add description and examples for docker -H
2023-05-08 15:32:56 +02:00
David Karlsson c76773b197
docs: update description for docker -H flag
Signed-off-by: David Karlsson <david.karlsson@docker.com>
(cherry picked from commit 759fa585cf)
Signed-off-by: David Karlsson <david.karlsson@docker.com>
2023-05-08 15:11:10 +02:00
Sebastiaan van Stijn ef23cbc431
Merge pull request #4254 from thaJeztah/23.0_update_go1.19.9
[23.0] update go to go1.19.9
2023-05-04 12:51:27 +02:00
Sebastiaan van Stijn c769f20797
[23.0] update go to go1.19.9
go1.19.9 (released 2023-05-02) includes three security fixes to the html/template
package, as well as bug fixes to the compiler, the runtime, and the crypto/tls
and syscall packages. See the Go 1.19.9 milestone on our issue tracker for details.

https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved

release notes: https://go.dev/doc/devel/release#go1.19.9
full diff: https://github.com/golang/go/compare/go1.19.8...go1.19.9

from the announcement:

> These minor releases include 3 security fixes following the security policy:
>
> - html/template: improper sanitization of CSS values
>
>   Angle brackets (`<>`) were not considered dangerous characters when inserted
>   into CSS contexts. Templates containing multiple actions separated by a '/'
>   character could result in unexpectedly closing the CSS context and allowing
>   for injection of unexpected HTML, if executed with untrusted input.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
>
> - html/template: improper handling of JavaScript whitespace
>
>   Not all valid JavaScript whitespace characters were considered to be
>   whitespace. Templates containing whitespace characters outside of the character
>   set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
>   actions may not be properly sanitized during execution.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
>
> - html/template: improper handling of empty HTML attributes
>
>   Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
>   executed with empty input could result in output that would have unexpected
>   results when parsed due to HTML normalization rules. This may allow injection
>   of arbitrary attributes into tags.
>
>   Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
>   This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-05-03 21:00:18 +02:00
Sebastiaan van Stijn fcab2d0f9a
Merge pull request #4234 from thaJeztah/23.0_update_engine
[23.0] vendor: github.com/docker/docker v23.0.5
2023-04-28 14:59:49 +02:00
Sebastiaan van Stijn 802f174889
[23.0] vendor: github.com/docker/docker v23.0.5
full diff: https://github.com/moby/moby/compare/v23.0.4...v23.0.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 23:20:45 +02:00
Sebastiaan van Stijn 498743aed2
[23.0] vendor: github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83
no changes to vendored files

full diff: a745a8755c...e28e8ba9bc

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 23:20:36 +02:00
Sebastiaan van Stijn fde09d1d87
[23.0] vendor: github.com/opencontainers/runc v1.1.5
no changes to vendored files

full diff: https://github.com/opencontainers/runc/compare/v1.1.3...v1.1.5

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 23:20:26 +02:00
Sebastiaan van Stijn bc4487a59e
Merge pull request #4233 from thaJeztah/23.0_update_engine
[23.0] vendor: github.com/docker/docker v23.0.4
2023-04-26 16:46:06 +02:00
Sebastiaan van Stijn f332962161
Merge pull request #4232 from thaJeztah/23.0_backport_docs_fixes
[23.0 backport] Docs freshness updates
2023-04-26 16:44:30 +02:00
Sebastiaan van Stijn 3cda7c30c6
[23.0] vendor: github.com/docker/docker v23.0.4
no changes in vendored files

full diff: https://github.com/moby/moby/compare/v23.0.3...v23.0.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 16:13:12 +02:00
Chris Chinchilla 6c0f9022c8
Docs freshness updates
Signed-off-by: Chris Chinchilla <chris.ward@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e693e7f3b4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 15:39:17 +02:00
Sebastiaan van Stijn 776388cc19
Merge pull request #4229 from thaJeztah/23.0_backport_volumes_prune_all
[23.0 backport] volumes: prune: add --all / -a option
2023-04-26 13:00:58 +02:00
Sebastiaan van Stijn 8e00eb4a69
Merge pull request #4230 from thaJeztah/23.0_backport_docker_info_json
[23.0 backport] fix docker info, docker version --format=json not outputting json format
2023-04-26 13:00:27 +02:00
Sebastiaan van Stijn 91b7318833
Merge pull request #4231 from thaJeztah/23.0_backport_test_fixes
[23.0 backport] ci: add validation for generated docs, bump docker/bake-action
2023-04-26 12:59:57 +02:00
dependabot[bot] 17357a7783
build(deps): bump docker/bake-action from 2 to 3
Bumps [docker/bake-action](https://github.com/docker/bake-action) from 2 to 3.
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](https://github.com/docker/bake-action/compare/v2...v3)

---
updated-dependencies:
- dependency-name: docker/bake-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
(cherry picked from commit 6c4c3c23c7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:15:44 +02:00
David Karlsson 2cf68537d7
ci: remove fetch depth 0 for validate jobs
Signed-off-by: David Karlsson <david.karlsson@docker.com>
(cherry picked from commit 341c843ac2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:15:33 +02:00
David Karlsson 4a42917081
ci: add validation for generated markdown
Signed-off-by: David Karlsson <david.karlsson@docker.com>
(cherry picked from commit 25ed7847ec)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:15:33 +02:00
Sebastiaan van Stijn f914316a97
fix docker version --format=json not outputting json format
The --format=json option was added for all inspect commands, but was not
implemented for "docker version". This patch implements the missing option.

Before this patch:

    docker version --format=json
    json

With this patch:

    docker version --format=json
    {"Client":{"Platform":{"Name":""},"Version":"24.0.0-dev","ApiVersion":"..."}}

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 23bd746c43)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:12:25 +02:00
Sebastiaan van Stijn 9dfe5a29ee
cli/command/system: make default version template a const
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 80640bca72)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:12:25 +02:00
Sebastiaan van Stijn 2c1fde2239
fix docker info --format=json not outputting json format
The --format=json option was added for all inspect commands, but was not implemented
for "docker info". This patch implements the missing option.

Before this patch:

    docker info --format=json
    json

With this patch applied:

    docker info --format=json
    {"ID":"80c2f18a-2c88-4e4a-ba69-dca0eea59835","Containers":7,"ContainersRunning":"..."}

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 46234b82e2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:12:25 +02:00
Sebastiaan van Stijn 99124087e0
cli/command/formatter: export JSONFormat const
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 1aaa179d9d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:12:24 +02:00
Sebastiaan van Stijn 86e79b55ed
volumes: prune: add --all / -a option
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0dec5d20a2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:06:39 +02:00
Sebastiaan van Stijn ada43812d0
cli/command/volume: suppress err output in tests
These tests were deliberately producing errors as part of the test, but
printing those errors could be confusing / make it more difficult to find
actual test-failures.

Before this patch:

    === RUN   TestVolumeCreateErrors
    Error: conflicting options: either specify --name or provide positional arg, not both
    Error: "create" requires at most 1 argument.
    See 'create --help'.

    Usage:  create [OPTIONS] [VOLUME] [flags]

    Create a volume
    Error: error creating volume
    --- PASS: TestVolumeCreateErrors (0.00s)
    PASS

With this patch applied:

    === RUN   TestVolumeCreateErrors
    --- PASS: TestVolumeCreateErrors (0.00s)
    PASS

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit db827d583b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-26 12:06:33 +02:00
Sebastiaan van Stijn ced769fc12
Merge pull request #4217 from vvoland/buildkit-empty-23
[23.0 backport] Handle empty DOCKER_BUILDKIT like unset
2023-04-20 09:01:14 +02:00
Paweł Gronowski c648e0b065
Handle empty DOCKER_BUILDKIT like unset
This fixes the cli erroring out if the variable is set to an empty
value.

```
$ export DOCKER_BUILDKIT=
$ docker version
DOCKER_BUILDKIT environment variable expects boolean value: strconv.ParseBool: parsing "": invalid syntax
```

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ff7f76af7a)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2023-04-19 15:53:40 +02:00
Sebastiaan van Stijn f480fb1e37
Merge pull request #4202 from thaJeztah/23.0_backport_docs_daemon_proxy_config
[23.0 backport] docs/reference: update dockerd docs for changes in 23.0
2023-04-13 21:58:12 +02:00
Sebastiaan van Stijn ad7ae5a894
Merge pull request #4196 from thaJeztah/23.0_backport_registry_fix_ResolveAuthConfig_docs
[23.0 backport] cli/command: fix documentation for ResolveAuthConfig
2023-04-13 14:20:31 +02:00
Sebastiaan van Stijn b6cd3c85b5
docs: update dockerd usage output for new proxy-options
Adds documentation for the options that were added in
427c7cc5f8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c846428cb6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:39 +02:00
Sebastiaan van Stijn aa85421ff8
docs/reference: dockerd: remove default oom-score-adjust
The daemon no longer adjusts its oom-score by default; see

- 2b8e68ef06
- cf7a5be0f2

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c730a8eb95)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:39 +02:00
Sebastiaan van Stijn 6bc4bf4f05
docs/reference: dockerd: update seccomp flag description
Update the description for the changes made in:
68e96f88ee

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c209743612)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:38 +02:00
Sebastiaan van Stijn 8a35f92fff
docs/reference: dockerd: use table for env-vars
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 32bc912008)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:38 +02:00
Sebastiaan van Stijn 2cb152c41d
docs/reference: use table for proxy env-vars
Adding a description based on the Go documentation.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3701748000)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:38 +02:00
Sebastiaan van Stijn 623da1997e
docs/reference: reformat env-vars table, and simplify
No need to mention that the env-var may be removed at that point to keep
the description more to-the-point.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 879e0804a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:38 +02:00
Sebastiaan van Stijn e76242fff2
docs/reference: remove mention of DOCKER_NOWARN_KERNEL_VERSION
Support for this environment variable was removed in docker 23.0 in
1240f8b41d

From that patch:

> All regular, non-EOL Linux distros now come with more recent kernels
> out of the box. There may still be users trying to run on kernel 3.10
> or older (some embedded systems, e.g.), but those should be a rare
> exception, which we don't have to take into account.
>
> This patch removes the kernel version check on Linux, and the corresponding
> DOCKER_NOWARN_KERNEL_VERSION environment that was there to skip this
> check.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4a863df57a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-04-13 13:59:38 +02:00
Sebastiaan van Stijn 0b3f54066c
Merge pull request #4195 from thaJeztah/23.0_backport_fix_deprecation_version
[23.0 backport] docs: deprecated: fix version (23.1.0 -> 24.0.0)
2023-04-12 12:42:21 +02:00