Commit Graph

9329 Commits

Author SHA1 Message Date
Sebastiaan van Stijn cddd1869a8
Merge pull request #4694 from thaJeztah/update_golang_1.21.5
update to go1.21.5
2023-12-06 00:41:55 +01:00
Sebastiaan van Stijn c47141bde0
Merge pull request #4684 from dvdksn/fix-build-prune-cache-warn
prune: fix build cache prune warning
2023-12-06 00:18:19 +01:00
Sebastiaan van Stijn bdb45a9c2d
update to go1.21.5
go1.21.5 (released 2023-12-05) includes security fixes to the go command,
and the net/http and path/filepath packages, as well as bug fixes to the
compiler, the go command, the runtime, and the crypto/rand, net, os, and
syscall packages. See the Go 1.21.5 milestone on our issue tracker for
details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.5+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.5...go1.21.5

from the security mailing:

[security] Go 1.21.5 and Go 1.20.12 are released

Hello gophers,

We have just released Go versions 1.21.5 and 1.20.12, minor point releases.

These minor releases include 3 security fixes following the security policy:

- net/http: limit chunked data overhead

  A malicious HTTP sender can use chunk extensions to cause a receiver
  reading from a request or response body to read many more bytes from
  the network than are in the body.

  A malicious HTTP client can further exploit this to cause a server to
  automatically read a large amount of data (up to about 1GiB) when a
  handler fails to read the entire body of a request.

  Chunk extensions are a little-used HTTP feature which permit including
  additional metadata in a request or response body sent using the chunked
  encoding. The net/http chunked encoding reader discards this metadata.
  A sender can exploit this by inserting a large metadata segment with
  each byte transferred. The chunk reader now produces an error if the
  ratio of real body to encoded bytes grows too small.

  Thanks to Bartek Nowotarski for reporting this issue.

  This is CVE-2023-39326 and Go issue https://go.dev/issue/64433.

- cmd/go: go get may unexpectedly fallback to insecure git

  Using go get to fetch a module with the ".git" suffix may unexpectedly
  fallback to the insecure "git://" protocol if the module is unavailable
  via the secure "https://" and "git+ssh://" protocols, even if GOINSECURE
  is not set for said module. This only affects users who are not using
  the module proxy and are fetching modules directly (i.e. GOPROXY=off).

  Thanks to David Leadbeater for reporting this issue.

  This is CVE-2023-45285 and Go issue https://go.dev/issue/63845.

- path/filepath: retain trailing \ when cleaning paths like \\?\c:\

  Go 1.20.11 and Go 1.21.4 inadvertently changed the definition of the
  volume name in Windows paths starting with \\?\, resulting in
  filepath.Clean(\\?\c:\) returning \\?\c: rather than \\?\c:\ (among
  other effects). The previous behavior has been restored.

  This is an update to CVE-2023-45283 and Go issue https://go.dev/issue/64028.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 23:53:29 +01:00
Sebastiaan van Stijn afc62d8d1c
update to go1.21.4
Reverts "update to go1.21.4" due to regressions / breaking changes."

This reverts commit 4cf1c50ad1.
This re-applies commit 6472dabe4c.

----

update to go1.21.4

go1.21.4 (released 2023-11-07) includes security fixes to the path/filepath package, as well as bug fixes to the linker, the runtime, the compiler, and the go/types, net/http, and runtime/cgo packages. See the Go 1.21.4 milestone on our issue tracker for details:

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.21.3...go1.21.4

from the security mailing:

[security] Go 1.21.4 and Go 1.20.11 are released

Hello gophers,

We have just released Go versions 1.21.4 and 1.20.11, minor point releases.

These minor releases include 2 security fixes following the security policy:

- path/filepath: recognize `\??\` as a Root Local Device path prefix.

  On Windows, a path beginning with `\??\` is a Root Local Device path equivalent
  to a path beginning with `\\?\`. Paths with a `\??\` prefix may be used to
  access arbitrary locations on the system. For example, the path `\??\c:\x`
  is equivalent to the more common path c:\x.

  The filepath package did not recognize paths with a `\??\` prefix as special.

  Clean could convert a rooted path such as `\a\..\??\b` into
  the root local device path `\??\b`. It will now convert this
  path into `.\??\b`.

  `IsAbs` did not report paths beginning with `\??\` as absolute.
  It now does so.

  VolumeName now reports the `\??\` prefix as a volume name.

  `Join(`\`, `??`, `b`)` could convert a seemingly innocent
  sequence of path elements into the root local device path
  `\??\b`. It will now convert this to `\.\??\b`.

  This is CVE-2023-45283 and https://go.dev/issue/63713.

- path/filepath: recognize device names with trailing spaces and superscripts

  The `IsLocal` function did not correctly detect reserved names in some cases:

  - reserved names followed by spaces, such as "COM1 ".
  - "COM" or "LPT" followed by a superscript 1, 2, or 3.

  `IsLocal` now correctly reports these names as non-local.

  This is CVE-2023-45284 and https://go.dev/issue/63713.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-05 23:52:56 +01:00
David Karlsson 8bbc97c867 prune: fix build cache prune warning
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
2023-12-05 20:11:15 +01:00
Sebastiaan van Stijn 0acee94354
Merge pull request #4687 from TheRealGramdalf/dockerd-ref-patch
Fix typo in dockerd reference documentation
2023-12-03 14:50:41 +01:00
TheRealGramdalf e93ec2f6a6 Fix typo in dockerd reference documentation
Signed-off-by: Graeme Wiebe <graeme.wiebe@gmail.com>
2023-12-02 15:18:27 -08:00
Sebastiaan van Stijn ecf9bd3870
Merge pull request #4686 from thaJeztah/update_engine2
vendor: github.com/docker/docker 029519a1498b (v25.0.0-dev)
2023-12-01 16:45:05 +01:00
Sebastiaan van Stijn f807c9494b
Merge pull request #4690 from thaJeztah/bump_mux
vendor: github.com/gorilla/mux v1.8.1
2023-12-01 16:44:41 +01:00
Sebastiaan van Stijn 5a04708880
vendor: github.com/docker/docker 029519a1498b (v25.0.0-dev)
full diff: cfdca8dc1d...029519a149

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 16:32:47 +01:00
Sebastiaan van Stijn aa9fdb4dd0
vendor: github.com/gorilla/mux v1.8.1
full diff: https://github.com/gorilla/mux/compare/v1.8.0...v1.8.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-12-01 16:12:20 +01:00
Sebastiaan van Stijn 0c46ef0c3a
Merge pull request #4689 from perlun/patch-1
exec.md: remove misleading part
2023-12-01 14:52:22 +01:00
Per Lundberg a431b1dda6
exec.md: remove misleading part
"By default" implies that this is something which could be
disabled for an individual `docker exec` call. This doesn't seem
to be the case, so removing the "by default" part would make
these docs clearer to me.

Signed-off-by: Per Lundberg <per.lundberg@hibox.tv>
2023-12-01 15:32:41 +02:00
Sebastiaan van Stijn c1455b6751
Merge pull request #4683 from thaJeztah/remove_ce_ee
Readme: remove reference to "Docker EE"
2023-11-28 12:52:36 +01:00
Sebastiaan van Stijn 654ff3ae00
Merge pull request #4681 from thaJeztah/noraw
docs: remove "{% raw %}" / "{% endraw %}" Jekyl (liquid) leftovers
2023-11-28 10:25:31 +01:00
Sebastiaan van Stijn b62b5d48f2
Readme: remove reference to "Docker EE"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-28 10:23:11 +01:00
Sebastiaan van Stijn 48e889023f
Merge pull request #4679 from thaJeztah/fix_flag_typo
docs/man: fix -name flag with single hyphen
2023-11-27 22:12:05 +01:00
Sebastiaan van Stijn 354f62f0c5
docs: reference/commandlin/cli: remove redundant italic
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-27 22:05:49 +01:00
Sebastiaan van Stijn e2626200aa
docs: remove "{% raw %}" / "{% endraw %}" Jekyl (liquid) leftovers
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-27 22:05:39 +01:00
Sebastiaan van Stijn 174cbb588f
docs/man: fix -name flag with single hyphen
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-27 20:58:55 +01:00
Sebastiaan van Stijn 5aa3077c36
Merge pull request #4673 from thaJeztah/update_engine
vendor: github.com/docker/docker cfdca8dc1d4c (v25.0.0-dev)
2023-11-24 10:29:26 +01:00
Sebastiaan van Stijn 539537ddf5
vendor: github.com/docker/docker cfdca8dc1d4c (v25.0.0-dev)
also added nolint:staticcheck to spec.Networks refs

full diff: https://github.com/docker/docker/compare/v25.0.0-beta.1...cfdca8dc1d4c84ee235f395a011ca62315c957a7

Co-authored-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-24 09:50:12 +01:00
Sebastiaan van Stijn 6d820e817b
Merge pull request #4354 from thaJeztah/update_alpine_3.18
Dockerfile: update ALPINE_VERSION to 3.18
2023-11-23 23:51:30 +01:00
Sebastiaan van Stijn 0c0ef7f690
Merge pull request #4675 from thaJeztah/update_buildx
Dockerfile: update buildx to v0.12.0
2023-11-23 23:44:04 +01:00
Sebastiaan van Stijn 6a74a63ee2
Dockerfile: update ALPINE_VERSION to 3.18
This also moves `musl-dev` to the alpine-base stage, due to changes in
Alpine 3.18 causing gotestsum build to fail because stdlib.h was missing;

    #17 5.065 # runtime/cgo
    #17 5.065 In file included from _cgo_export.c:3:
    #17 5.065 /usr/include/fortify/stdlib.h:23:15: fatal error: stdlib.h: No such file or directory
    #17 5.065    23 | #include_next <stdlib.h>
    #17 5.065       |               ^~~~~~~~~~

alpine 3.17:

    / # find / | grep stdlib.h
    /usr/include/c++/12.2.1/tr1/stdlib.h
    /usr/include/c++/12.2.1/stdlib.h

alpine 3.18

    / # find / | grep stdlib.h
    /usr/lib/llvm16/lib/clang/16/include/__clang_hip_stdlib.h
    /usr/include/fortify/stdlib.h
    /usr/include/c++/12.2.1/tr1/stdlib.h
    /usr/include/c++/12.2.1/stdlib.h

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-23 23:37:48 +01:00
Sebastiaan van Stijn 49f7de7089
Merge pull request #4674 from thaJeztah/docs_bookworm
docs: update debian examples to use bookworm
2023-11-23 23:35:30 +01:00
Sebastiaan van Stijn 35c6e915d1
Dockerfile: update buildx to v0.12.0
Release notes: https://github.com/docker/buildx/releases/tag/v0.12.0

Full diff: https://github.com/docker/buildx/compare/v0.11.1...v0.12.0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-23 23:32:14 +01:00
Sebastiaan van Stijn 6468c63c81
docs: update debian examples to use bookworm
"bullseye" is no longer the "latest" debian, so these
examples were now incorrect.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-23 23:21:07 +01:00
Sebastiaan van Stijn 1c6d7d00d6
Merge pull request #4410 from crazy-max/update-bookworm
Dockerfile: update to debian bookworm
2023-11-23 23:19:41 +01:00
CrazyMax 0d95231ccb
Dockerfile: use "debian" in stages instead of distro name
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-11-23 23:11:42 +01:00
CrazyMax c5194a9e5d
Dockerfile: update to debian bookworm
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
2023-11-23 23:11:35 +01:00
Sebastiaan van Stijn ce22ac2736
Merge pull request #3770 from thaJeztah/update_golangci_lint_step2
golangci-lint: enable more linters
2023-11-23 17:56:28 +01:00
Sebastiaan van Stijn 8046bb2d9e
Merge pull request #4671 from thaJeztah/bind_recusrive_no_bool
mount: bind-recursive: remove boolean convenience values
2023-11-22 11:48:56 +01:00
Sebastiaan van Stijn 7be05a6f44
mount: bind-recursive: remove boolean convenience values
- updates fc6976db45
- updates 74bace156c

Commit fc6976db45 introduced support for the
`bind-recursive` option on `--mount`, and deprecated the `bind-nonrecursive`
option.  Unlike `bind-nonrecursive` boolean, the `bind-recursive` option
accepts a string value with multiple options.

For convenience, the `bind-recursive` option also was made to accept boolean
values (true/false, 1/0). However, as the option works as the _reverse_ of
`bind-nonrecursive` (`bind-nonrecursive=true` === `bind-recursive=false`),
the new option won't be a "drop-in" replacement, and having more options
to choose from may only be adding more complexity / cognitive overload.

This patch removes support for boolean values; if we see a need to add
support for boolean values in future, it would be trivial to add back this
functionality.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-22 11:22:38 +01:00
Sebastiaan van Stijn 1401f91085
Merge pull request #4666 from thaJeztah/bump_hcsshim
vendor: github.com/Microsoft/hcsshim v0.11.4
2023-11-21 11:20:16 +01:00
Sebastiaan van Stijn 6620b0bfd0
Merge pull request #4668 from thaJeztah/bump_engine3
vendor: github.com/docker/docker v25.0.0-beta.1
2023-11-21 09:27:35 +01:00
Sebastiaan van Stijn dad4a19624
vendor: github.com/docker/docker v25.0.0-beta.1
no changes in vendored files

full diff: https://github.com/docker/docker/compare/34e923e3e31b...v25.0.0-beta.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 22:53:51 +01:00
Sebastiaan van Stijn 781f243502
Merge pull request #4667 from Hugo-C/doc-zstd
docs: Add zstd as supported in load command
2023-11-20 19:59:50 +01:00
Sebastiaan van Stijn 30d36e977e
templates: linting: fix "error return value is not checked (errchkjson)
The linter is correct; given that these functions do not allow for an error
to be returned, we panic. Alternatively, we could return the error string
as output, or add a `//nolint:errchkjson` comment.

    templates/templates.go:17:3: Error return value of `(*encoding/json.Encoder).Encode` is not checked: unsafe type `interface{}` found (errchkjson)
            enc.Encode(v)
            ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 19:52:46 +01:00
Sebastiaan van Stijn 4e2477f85f
golangci-lint: enable more linters
fix some nolintlint false positives

For some reason, nolintlint doesn't consider these used, but they seem to be
legitimate cases where deprecated fields are used.

    templates/templates.go:27:29: directive `//nolint:staticcheck // strings.Title is deprecated, but we only use it for ASCII, so replacing with golang.org/x/text is out of scope` is unused for linter "staticcheck" (nolintlint)
        "title":    strings.Title, //nolint:staticcheck // strings.Title is deprecated, but we only use it for ASCII, so replacing with golang.org/x/text is out of scope
                                   ^
    cli/command/formatter/image_test.go:75:31: directive `//nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.` is unused for linter "staticcheck" (nolintlint)
                call:     ctx.VirtualSize, //nolint:staticcheck // ignore SA1019: field is deprecated, but still set on API < v1.44.
                                           ^
    cli/command/registry/formatter_search.go💯39: directive `//nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).` is unused for linter "staticcheck" (nolintlint)
        return c.formatBool(c.s.IsAutomated) //nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).
                                             ^
    cli/command/registry/formatter_search_test.go:50:55: directive `//nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).` is unused for linter "staticcheck" (nolintlint)
                    s: registrytypes.SearchResult{IsAutomated: true}, //nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).
                                                                      ^
    cli/command/registry/formatter_search_test.go:53:31: directive `//nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).` is unused for linter "staticcheck" (nolintlint)
                call:     ctx.IsAutomated, //nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).
                                           ^
    cli/command/registry/formatter_search_test.go:59:27: directive `//nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).` is unused for linter "staticcheck" (nolintlint)
                call: ctx.IsAutomated, //nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).
                                       ^
    cli/command/registry/formatter_search_test.go:202:84: directive `//nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).` is unused for linter "staticcheck" (nolintlint)
            {Name: "result2", Description: "Not official", StarCount: 5, IsAutomated: true}, //nolint:staticcheck // ignore SA1019 (IsAutomated is deprecated).
                                                                                             ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 19:52:46 +01:00
Sebastiaan van Stijn 0e73168b7e
golangci-lint: revive: enable use-any
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 19:52:46 +01:00
Sebastiaan van Stijn 9c0c49a5f2
golangci-lint: revive: enable empty-lines
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 19:52:45 +01:00
Sebastiaan van Stijn 8e9aec6904
golangci-lint: revive: enable import-shadowing
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 19:52:41 +01:00
Hugo Chastel f387558b55 Add zstd as supported in load command doc
Signed-off-by: Hugo Chastel <Hugo-C@users.noreply.github.com>
2023-11-20 19:38:17 +01:00
Sebastiaan van Stijn f4962c65bc
vendor: github.com/Microsoft/hcsshim v0.11.4
no changes in vendored files

full diff: https://github.com/microsoft/hcsshim/compare/v0.11.1...v0.11.4

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 18:15:18 +01:00
Sebastiaan van Stijn 391668f57a
golangci-lint: enable perfsprint linter
cli/compose/types/types.go:568:17: fmt.Sprintf can be replaced with faster strconv.FormatBool (perfsprint)
            return []byte(fmt.Sprintf("%v", e.External)), nil
                          ^
    cli/command/formatter/buildcache.go:174:9: fmt.Sprintf can be replaced with faster strconv.Itoa (perfsprint)
        return fmt.Sprintf("%d", c.v.UsageCount)
               ^
    cli/command/formatter/buildcache.go:178:9: fmt.Sprintf can be replaced with faster strconv.FormatBool (perfsprint)
        return fmt.Sprintf("%t", c.v.InUse)
               ^
    cli/command/formatter/buildcache.go:182:9: fmt.Sprintf can be replaced with faster strconv.FormatBool (perfsprint)
        return fmt.Sprintf("%t", c.v.Shared)
               ^
    cli/command/formatter/image.go:259:9: fmt.Sprintf can be replaced with faster strconv.FormatInt (perfsprint)
        return fmt.Sprintf("%d", c.i.Containers)
               ^
    cli/command/formatter/tabwriter/tabwriter_test.go:698:9: fmt.Sprintf can be replaced with faster strconv.Itoa (perfsprint)
            b.Run(fmt.Sprintf("%d", x), func(b *testing.B) {
                  ^
    cli/command/formatter/tabwriter/tabwriter_test.go:720:9: fmt.Sprintf can be replaced with faster strconv.Itoa (perfsprint)
            b.Run(fmt.Sprintf("%d", h), func(b *testing.B) {
                  ^
    cli/command/image/prune.go:62:31: fmt.Sprintf can be replaced with faster strconv.FormatBool (perfsprint)
        pruneFilters.Add("dangling", fmt.Sprintf("%v", !options.all))
                                     ^
    cli/command/network/formatter.go:92:9: fmt.Sprintf can be replaced with faster strconv.FormatBool (perfsprint)
        return fmt.Sprintf("%v", c.n.EnableIPv6)
               ^
    cli/command/network/formatter.go:96:9: fmt.Sprintf can be replaced with faster strconv.FormatBool (perfsprint)
        return fmt.Sprintf("%v", c.n.Internal)
               ^
    cli/command/service/formatter.go:745:9: fmt.Sprintf can be replaced with faster strconv.FormatUint (perfsprint)
            pub = fmt.Sprintf("%d", pr.pStart)
                  ^
    cli/command/service/formatter.go:750:9: fmt.Sprintf can be replaced with faster strconv.FormatUint (perfsprint)
            tgt = fmt.Sprintf("%d", pr.tStart)
                  ^
    cli/command/service/opts.go:49:10: fmt.Sprintf can be replaced with faster strconv.FormatUint (perfsprint)
            return fmt.Sprintf("%v", *i.value)
                   ^
    cli/compose/loader/loader.go:720:36: fmt.Sprint can be replaced with faster strconv.Itoa (perfsprint)
                    v, err := toServicePortConfigs(fmt.Sprint(value))
                                                   ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 16:18:19 +01:00
Sebastiaan van Stijn 8bbdb93cf9
golangci-lint: enable nilerr linter
cli/command/idresolver/idresolver.go:33:4: error is not nil (line 31) but it returns nil (nilerr)
    			return id, nil
    			^
    cli/command/idresolver/idresolver.go:45:4: error is not nil (line 43) but it returns nil (nilerr)
    			return id, nil
    			^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 16:02:18 +01:00
Sebastiaan van Stijn 7e9d2c78c6
golangci-lint: enable dupword linter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 16:02:18 +01:00
Sebastiaan van Stijn 2d61f70f00
golangci-lint: govet: enable shadow check
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 16:02:18 +01:00
Sebastiaan van Stijn 606cbd60a1
golangci-lint: enable predeclared linter
cli/command/utils.go:190:35: param new has same name as predeclared identifier (predeclared)
    func StringSliceReplaceAt(s, old, new []string, requireIndex int) ([]string, bool) {
                                      ^

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-11-20 16:02:17 +01:00