[pull] master from moby:master

Makefile

@@ -1,5 +1,7 @@
 .PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate win
 
+BUILDX_VERSION ?= v0.5.1
+
 ifdef USE_BUILDX
 BUILDX ?= $(shell command -v buildx)
 BUILDX ?= $(shell command -v docker-buildx)
@@ -273,22 +275,6 @@ buildx: bundles/buildx ## build buildx cli tool
 endif
 endif
 
-# This intentionally is not using the `--output` flag from the docker CLI, which
-# is a buildkit option. The idea here being that if buildx is being used, it's
-# because buildkit is not supported natively
 bundles/buildx: bundles ## build buildx CLI tool
-	docker build -f $${BUILDX_DOCKERFILE:-Dockerfile.buildx} -t "moby-buildx:$${BUILDX_COMMIT:-latest}" \
-		--build-arg BUILDX_COMMIT \
-		--build-arg BUILDX_REPO \
-		--build-arg GOOS=$$(if [ -n "$(GOOS)" ]; then echo $(GOOS); else go env GOHOSTOS || uname | awk '{print tolower($$0)}' || true; fi) \
-		--build-arg GOARCH=$$(if [ -n "$(GOARCH)" ]; then echo $(GOARCH); else go env GOHOSTARCH || true; fi) \
-		.
-
-	id=$$(docker create moby-buildx:$${BUILDX_COMMIT:-latest}); \
-	if [ -n "$${id}" ]; then \
-		docker cp $${id}:/usr/bin/buildx $@ \
-		&& touch $@; \
-		docker rm -f $${id}; \
-	fi
-
+	curl -fsSL https://raw.githubusercontent.com/moby/buildkit/70deac12b5857a1aa4da65e90b262368e2f71500/hack/install-buildx | VERSION="$(BUILDX_VERSION)" BINDIR="$(@D)" bash
 	$@ version

daemon/graphdriver/windows/windows.go

@@ -832,13 +832,13 @@ func writeLayerReexec() {
 
 // writeLayer writes a layer from a tar file.
 func writeLayer(layerData io.Reader, home string, id string, parentLayerPaths ...string) (size int64, retErr error) {
-	err := winio.EnableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege})
+	err := winio.EnableProcessPrivileges([]string{winio.SeSecurityPrivilege, winio.SeBackupPrivilege, winio.SeRestorePrivilege})
 	if err != nil {
 		return 0, err
 	}
 	if noreexec {
 		defer func() {
-			if err := winio.DisableProcessPrivileges([]string{winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
+			if err := winio.DisableProcessPrivileges([]string{winio.SeSecurityPrivilege, winio.SeBackupPrivilege, winio.SeRestorePrivilege}); err != nil {
 				// This should never happen, but just in case when in debugging mode.
 				// See https://github.com/docker/docker/pull/28002#discussion_r86259241 for rationale.
 				panic("Failed to disabled process privileges while in non re-exec mode")

hack/ci/windows.ps1

@@ -874,6 +874,7 @@ Try {
             } else  {
                 $env:DOCKER_HOST=$DASHH_CUT  
                 $env:PATH="$env:TEMP\binary;$env:PATH;"  # Force to use the test binaries, not the host ones.
+                $env:GO111MODULE="off"
                 Write-Host -ForegroundColor Green "INFO: DOCKER_HOST at $DASHH_CUT"
 
                 $ErrorActionPreference = "SilentlyContinue"

hack/generate-test-certs.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+set -eu
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+
+# integration/testdata/https (and integration-cli/fixtures/https, which has symlinks to these files)
+OUT_DIR="${SCRIPT_DIR}/../integration/testdata/https"
+
+# generate CA
+echo 01 > "${OUT_DIR}/ca.srl"
+openssl genrsa -out "${OUT_DIR}/ca-key.pem"
+
+openssl req \
+	-new \
+	-x509 \
+	-days 3652 \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=moby-ci/name=moby/emailAddress=moby@example.org" \
+	-nameopt compat \
+	-text \
+	-key "${OUT_DIR}/ca-key.pem" \
+	-out "${OUT_DIR}/ca.pem"
+
+# Now that we have a CA, create a server key and certificate signing request.
+# Make sure that `"Common Name (e.g. server FQDN or YOUR name)"` matches the hostname you will use
+# to connect or just use '*' for a certificate valid for any hostname:
+
+openssl genrsa -out server-key.pem
+openssl req -new \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=server/name=moby/emailAddress=moby@example.org" \
+	-text \
+	-key "${OUT_DIR}/server-key.pem" \
+	-out "${OUT_DIR}/server.csr"
+
+# Options for server certificate
+cat > "${OUT_DIR}/server-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=serverAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA
+openssl x509 \
+	-req \
+	-days 3652 \
+	-extfile "${OUT_DIR}/server-options.cfg" \
+	-CA "${OUT_DIR}/ca.pem" \
+	-CAkey "${OUT_DIR}/ca-key.pem" \
+	-nameopt compat \
+	-text \
+	-in "${OUT_DIR}/server.csr" \
+	-out "${OUT_DIR}/server-cert.pem"
+
+# For client authentication, create a client key and certificate signing request
+openssl genrsa -out "${OUT_DIR}/client-key.pem"
+openssl req -new \
+	-subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=client/name=moby/emailAddress=moby@example.org" \
+	-text \
+	-key "${OUT_DIR}/client-key.pem" \
+	-out "${OUT_DIR}/client.csr"
+
+# Options for client certificate
+cat > "${OUT_DIR}/client-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=clientAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA:
+openssl x509 \
+	-req \
+	-days 3652 \
+	-extfile "${OUT_DIR}/client-options.cfg" \
+	-CA "${OUT_DIR}/ca.pem" \
+	-CAkey "${OUT_DIR}/ca-key.pem" \
+	-nameopt compat \
+	-text \
+	-in "${OUT_DIR}/client.csr" \
+	-out "${OUT_DIR}/client-cert.pem"
+
+rm "${OUT_DIR}/ca.srl"
+rm "${OUT_DIR}/ca-key.pem"
+rm "${OUT_DIR}"/*.cfg
+rm "${OUT_DIR}"/*.csr

integration/plugin/logging/helpers_test.go

@@ -31,7 +31,7 @@ func ensurePlugin(t *testing.T, name string) string {
 	}
 
 	cmd := exec.Command(goBin, "build", "-o", installPath, "./"+filepath.Join("cmd", name))
-	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GO111MODULE=off")
 	if out, err := cmd.CombinedOutput(); err != nil {
 		t.Fatal(errors.Wrapf(err, "error building basic plugin bin: %s", string(out)))
 	}

integration/plugin/volumes/helpers_test.go

@@ -36,7 +36,7 @@ func ensurePlugin(t *testing.T, name string) string {
 	assert.NilError(t, err)
 
 	cmd := exec.Command(goBin, "build", "-o", installPath, "./"+filepath.Join("cmd", name))
-	cmd.Env = append(os.Environ(), "CGO_ENABLED=0")
+	cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GO111MODULE=off")
 	if out, err := cmd.CombinedOutput(); err != nil {
 		t.Fatal(errors.Wrapf(err, "error building basic plugin bin: %s", string(out)))
 	}

integration/testdata/https/ca.pem

@@ -1,23 +1,82 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            45:9c:ce:13:92:42:39:2e:90:f5:93:05:f1:03:92:17:5d:e4:89:8d
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org
+        Validity
+            Not Before: May 17 19:49:34 2021 GMT
+            Not After : May 17 19:49:34 2031 GMT
+        Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c2:5a:af:10:15:fb:c8:46:c4:31:d7:ee:ec:d9:
+                    c4:1e:c3:b3:b6:4c:ec:e1:2b:57:40:a2:74:cd:d5:
+                    8e:7d:69:b6:22:60:21:05:be:a5:92:40:4c:43:2b:
+                    eb:c9:00:32:5f:59:1c:59:50:e2:98:df:ff:9b:2d:
+                    16:9f:c6:a0:57:78:bc:ae:a5:8d:b3:7d:98:73:7a:
+                    6f:d2:05:52:15:89:89:22:ec:9d:9a:e7:c7:35:8f:
+                    6b:38:a3:33:54:c5:74:2a:05:ad:af:a0:8a:54:7b:
+                    7d:d4:6a:9b:2b:90:cb:9a:e7:6e:94:bd:a2:f3:5b:
+                    40:d1:fa:4d:ec:fd:6f:14:1d:89:5b:fc:35:c2:1c:
+                    98:0b:c4:53:7a:25:16:3f:02:e9:e8:46:20:4d:e8:
+                    1e:25:0d:0d:10:e9:36:42:2a:88:d9:91:b3:fa:9e:
+                    07:c0:a9:b1:44:db:2c:e5:cb:85:bf:4a:38:a0:cf:
+                    7e:2c:20:e5:a9:cf:49:2a:6f:e3:b8:93:fd:38:9b:
+                    2a:c2:ea:c3:0f:3b:f5:f3:30:c8:f7:51:d5:8b:d0:
+                    5e:97:75:21:e4:d2:47:ca:1d:66:4a:36:b2:81:13:
+                    d9:13:19:0d:35:04:84:ca:35:f4:47:f9:47:37:21:
+                    64:95:a1:cb:8a:01:d3:e6:50:e2:01:17:e5:0e:64:
+                    89:0d
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98
+            X509v3 Authority Key Identifier: 
+                keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         46:73:2d:4b:ce:b0:c2:13:19:85:97:67:95:d9:15:6f:cf:e0:
+         89:e4:42:90:4e:a3:5a:64:8c:e9:92:6f:b4:cb:56:e6:ec:6e:
+         91:04:18:12:79:ca:70:bb:e5:ba:5d:ed:fe:8c:47:7e:8f:8b:
+         bd:9f:40:5a:63:51:b8:80:6f:b2:7b:ff:c1:43:68:7d:21:0c:
+         0a:a4:ea:b7:2d:0a:31:e4:3e:5e:bb:72:bd:63:6b:a1:2d:d3:
+         ca:6a:e0:af:17:52:12:71:73:77:41:11:f1:24:32:54:b4:67:
+         c9:5e:b1:f1:cf:bd:95:91:c8:9c:43:4f:3f:c3:f6:3c:0e:41:
+         2b:f9:c7:25:3f:17:4d:4a:e7:27:36:bc:9e:d4:30:e6:6e:29:
+         95:e4:33:66:b4:2e:11:ac:97:61:df:3f:4d:03:8e:96:04:10:
+         a5:d8:5f:85:a3:4b:6c:d5:1c:7d:17:8c:4c:8a:cb:9d:27:65:
+         2c:ee:dd:2b:19:27:1a:57:3c:68:2d:eb:6e:e8:b2:59:8c:0a:
+         17:75:ba:fc:89:d8:fc:c0:45:44:8a:a1:9c:52:b0:f3:b7:6d:
+         f2:2e:24:ee:50:d9:27:4d:33:89:5c:97:34:b0:47:81:94:4b:
+         c1:b4:aa:d9:65:b5:4f:98:0b:a9:76:30:a0:ef:f1:71:23:0f:
+         04:dc:83:fd
 -----BEGIN CERTIFICATE-----
-MIID0TCCAzqgAwIBAgIJAP2r7GqEJwSnMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD
-VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG
-A1UEChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMI
-Y2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWls
-QGhvc3QuZG9tYWluMB4XDTEzMTIwMzE2NTYzMFoXDTIzMTIwMTE2NTYzMFowgaIx
-CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2Nv
-MRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYD
-VQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEW
-EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALAn
-0xDw+5y7ZptQacq66pUhRu82JP2WU6IDgo5QUtNU6/CX5PwQATe/OnYTZQFbksxp
-AU9boG0FCkgxfsgPYXEuZxVEGKI2fxfKHOZZI8mrkWmj6eWU/0cvCjGVc9rTITP5
-sNQvg+hORyVDdNp2IdsbMJayiB3AQYMFx3vSDOMTAgMBAAGjggELMIIBBzAdBgNV
-HQ4EFgQUZu7DFz09q0QBa2+ymRm9qgK1NPswgdcGA1UdIwSBzzCBzIAUZu7DFz09
-q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD
-QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x
-ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI
-Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq
-hCcEpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF8fJKKM+/oOdnNi
-zEd0M1+PmZOyqvjYQn/2ZR8UHH6Imgc/OPQKZXf0bVE1Txc/DaUNn9Isd1SuCuaE
-ic3vAIYYU7PmgeNN6vwec48V96T7jr+GAi6AVMhQEc2hHCfVtx11Xx+x6aHDZzJt
-Zxtf5lL6KSO9Y+EFwM+rju6hm5hW
+MIIEETCCAvmgAwIBAgIURZzOE5JCOS6Q9ZMF8QOSF13kiY0wDQYJKoZIhvcNAQEL
+BQAwgZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FuRnJh
+bmNpc2NvMRUwEwYDVQQKDAxNb2J5LXByb2plY3QxCzAJBgNVBAsMAmNpMRAwDgYD
+VQQDDAdtb2J5LWNpMQ0wCwYDVQQpDARtb2J5MR8wHQYJKoZIhvcNAQkBFhBtb2J5
+QGV4YW1wbGUub3JnMB4XDTIxMDUxNzE5NDkzNFoXDTMxMDUxNzE5NDkzNFowgZcx
+CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FuRnJhbmNpc2Nv
+MRUwEwYDVQQKDAxNb2J5LXByb2plY3QxCzAJBgNVBAsMAmNpMRAwDgYDVQQDDAdt
+b2J5LWNpMQ0wCwYDVQQpDARtb2J5MR8wHQYJKoZIhvcNAQkBFhBtb2J5QGV4YW1w
+bGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlqvEBX7yEbE
+Mdfu7NnEHsOztkzs4StXQKJ0zdWOfWm2ImAhBb6lkkBMQyvryQAyX1kcWVDimN//
+my0Wn8agV3i8rqWNs32Yc3pv0gVSFYmJIuydmufHNY9rOKMzVMV0KgWtr6CKVHt9
+1GqbK5DLmudulL2i81tA0fpN7P1vFB2JW/w1whyYC8RTeiUWPwLp6EYgTegeJQ0N
+EOk2QiqI2ZGz+p4HwKmxRNss5cuFv0o4oM9+LCDlqc9JKm/juJP9OJsqwurDDzv1
+8zDI91HVi9Bel3Uh5NJHyh1mSjaygRPZExkNNQSEyjX0R/lHNyFklaHLigHT5lDi
+ARflDmSJDQIDAQABo1MwUTAdBgNVHQ4EFgQUhVfQ/6m0Hh+AM/u4NO19BjnNNJgw
+HwYDVR0jBBgwFoAUhVfQ/6m0Hh+AM/u4NO19BjnNNJgwDwYDVR0TAQH/BAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEARnMtS86wwhMZhZdnldkVb8/gieRCkE6jWmSM
+6ZJvtMtW5uxukQQYEnnKcLvlul3t/oxHfo+LvZ9AWmNRuIBvsnv/wUNofSEMCqTq
+ty0KMeQ+XrtyvWNroS3TymrgrxdSEnFzd0ER8SQyVLRnyV6x8c+9lZHInENPP8P2
+PA5BK/nHJT8XTUrnJza8ntQw5m4pleQzZrQuEayXYd8/TQOOlgQQpdhfhaNLbNUc
+fReMTIrLnSdlLO7dKxknGlc8aC3rbuiyWYwKF3W6/InY/MBFRIqhnFKw87dt8i4k
+7lDZJ00ziVyXNLBHgZRLwbSq2WW1T5gLqXYwoO/xcSMPBNyD/Q==
 -----END CERTIFICATE-----