[pull] master from moby:master #14

Open
wants to merge 3,020 commits into
base: master

Conversation

pull[bot]

@pull pull bot commented May 22, 2023

See Commits and Changes for more details.


Created by pull[bot]

Can you help keep this open source service alive? 💖 Please sponsor : )

@trafico-bot trafico-bot bot added the 🔍 Ready for Review Pull Request is not reviewed yet label May 22, 2023
@pull pull bot added ⤵️ pull and removed 🔍 Ready for Review Pull Request is not reviewed yet labels May 22, 2023
@trafico-bot trafico-bot bot added the 🔍 Ready for Review Pull Request is not reviewed yet label May 22, 2023
robmry and others added 25 commits March 25, 2024 19:35
Partially reverts 0046b16 "daemon: set libnetwork sandbox key w/o OCI hook"

Running SetKey to store the OCI Sandbox key after task creation, rather
than from the OCI prestart hook, meant it happened after sysctl settings
were applied by the runtime - which was the intention, we wanted to
complete Sandbox configuration after IPv6 had been disabled by a sysctl
if that was going to happen.

But, it meant '--sysctl' options for a specific network interface caused
container task creation to fail, because the interface is only moved into
the network namespace during SetKey.

This change restores the SetKey prestart hook, and regenerates config
files that depend on the container's support for IPv6 after the task has
been created. It also adds a regression test that makes sure it's possible
to set an interface-specific sysctl.

Signed-off-by: Rob Murray <rob.murray@docker.com>
Partially reverts 0046b16 "daemon: set libnetwork sandbox key w/o OCI hook"

Running SetKey to store the OCI Sandbox key after task creation, rather
than from the OCI prestart hook, meant it happened after sysctl settings
were applied by the runtime - which was the intention, we wanted to
complete Sandbox configuration after IPv6 had been disabled by a sysctl
if that was going to happen.

But, it meant '--sysctl' options for a specific network interface caused
container task creation to fail, because the interface is only moved into
the network namespace during SetKey.

This change restores the SetKey prestart hook, and regenerates config
files that depend on the container's support for IPv6 after the task has
been created. It also adds a regression test that makes sure it's possible
to set an interface-specific sysctl.

Signed-off-by: Rob Murray <rob.murray@docker.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
ci: update workflow artifacts retention
…start_hook

[26.0 backport] Restore the SetKey prestart hook.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The NetworkMode "default" is now normalized into the value it
aliases ("bridge" on Linux and "nat" on Windows) by the
ContainerCreate endpoint, the legacy image builder, Swarm's
cluster executor and by the container restore codepath.

builder-next is left untouched as it already uses the normalized
value (ie. bridge).

Going forward, this will make maintenance easier as there's one
less NetworkMode to care about.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Previous commit made this unnecessary.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
CONTRIBUTING.md: update Slack link
Docker 26.0 was released with API v1.45, so any change in the API should
now target v1.46.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
chore: remove repetitive words

Signed-off-by: avoidaway <cmoman@126.com>
This was using `errors.Wrap` when there was no error to wrap, meanwhile
we are supposed to be creating a new error.

Found this while investigating some log corruption issues and
unexpectedly getting a nil reader and a nil error from `getTailReader`.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Fix cases where we are wrapping a nil error
This was brought up by bmitch that it's not expected to have a platform
object in the config descriptor.
Also checked with tianon who agreed, it's not _wrong_ but is unexpected
and doesn't necessarily make sense to have it there.

Also, while technically incorrect, ECR is throwing an error when it sees
this.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Unlike its stdlib counterparts, AtomicFileWriter does not take into
consideration umask due to its use of chmod. Failure to recognize this
may cause subtle problems like the one described in #47498.

Therefore the documentation has been updated to let users know that
umask is not taken into consideration when using AtomicFileWriter.

Closes #47516.

Signed-off-by: Antonio Aguilar <antonio@zoftko.com>
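The umask caveat in the commit above is easy to demonstrate. The following is an added example, not moby's AtomicFileWriter or any code from this PR: `writeWithChmod` is a hypothetical helper that mimics the write-to-temp-then-chmod pattern the commit describes, and `writeWithOpen` uses the stdlib `os.WriteFile` path where the kernel filters the requested mode through umask at `open(2)`. Under a restrictive umask the two end up with different permissions for the same requested mode, which is the kind of subtle difference the updated documentation warns about.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// writeWithOpen creates the file through open(2), so the kernel masks the
// requested mode with the process umask (stdlib behaviour).
func writeWithOpen(path string, data []byte, mode os.FileMode) (os.FileMode, error) {
	if err := os.WriteFile(path, data, mode); err != nil {
		return 0, err
	}
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// writeWithChmod is a hypothetical stand-in for an atomic writer: it writes
// to a temp file, chmods it to the requested mode and renames it into
// place. chmod(2) applies the mode verbatim, so umask is NOT applied.
func writeWithChmod(path string, data []byte, mode os.FileMode) (os.FileMode, error) {
	tmp := path + ".tmp"
	f, err := os.OpenFile(tmp, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return 0, err
	}
	if _, err := f.Write(data); err != nil {
		f.Close()
		return 0, err
	}
	if err := f.Close(); err != nil {
		return 0, err
	}
	if err := os.Chmod(tmp, mode); err != nil {
		return 0, err
	}
	if err := os.Rename(tmp, path); err != nil {
		return 0, err
	}
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// compareUnderUmask writes the same constructed content with both helpers
// under the given umask and returns the resulting permission bits
// (viaOpen, viaChmod). The previous umask is restored before returning.
func compareUnderUmask(dir string, umask int) (viaOpen, viaChmod os.FileMode, err error) {
	old := syscall.Umask(umask)
	defer syscall.Umask(old)

	data := []byte("constructed sample content\n")
	if viaOpen, err = writeWithOpen(filepath.Join(dir, "open.txt"), data, 0o666); err != nil {
		return 0, 0, err
	}
	if viaChmod, err = writeWithChmod(filepath.Join(dir, "chmod.txt"), data, 0o666); err != nil {
		return 0, 0, err
	}
	return viaOpen, viaChmod, nil
}

func main() {
	dir, err := os.MkdirTemp("", "umask-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	viaOpen, viaChmod, err := compareUnderUmask(dir, 0o077)
	if err != nil {
		panic(err)
	}
	// With umask 077 the open(2) path yields 0600 while the chmod path
	// yields the full 0666 that was requested.
	fmt.Printf("umask 077, requested 0666: via open -> %04o, via chmod -> %04o\n", viaOpen, viaChmod)
}
```

The practical consequence for a caller is that a mode passed to a chmod-based writer is the final mode, so anything that relied on umask to tighten permissions (for example trimming group/other bits on a secret file) has to pass the tight mode explicitly.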
…orkMode

api: normalize the default NetworkMode
illumos is the open-source continuation of OpenSolaris after Oracle
closed the source (again).

For example use see: openbao/openbao#205.

Signed-off-by: Jasper Siepkes <siepkes@serviceplanet.nl>
full diffs changes relevant to vendored code:

- golang/net@v0.18.0...v0.22.0
    - websocket: add support for dialing with context
    - http2: remove suspicious uint32->v conversion in frame code
    - http2: send an error of FLOW_CONTROL_ERROR when exceed the maximum octets
- golang/crypto@v0.17.0...v0.21.0
    - internal/poly1305: drop Go 1.12 compatibility
    - internal/poly1305: improve sum_ppc64le.s
    - ocsp: don't use iota for externally defined constants

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: golang/net@v0.22.0...v0.23.0

Includes a fix for CVE-2023-45288, which is also addressed in go1.22.2
and go1.21.9;

> http2: close connections when receiving too many headers
>
> Maintaining HPACK state requires that we parse and process
> all HEADERS and CONTINUATION frames on a connection.
> When a request's headers exceed MaxHeaderBytes, we don't
> allocate memory to store the excess headers but we do
> parse them. This permits an attacker to cause an HTTP/2
> endpoint to read arbitrary amounts of data, all associated
> with a request which is going to be rejected.
>
> Set a limit on the amount of excess header frames we
> will process before closing a connection.
>
> Thanks to Bartek Nowotarski for reporting this issue.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.21.9 (released 2024-04-03) includes a security fix to the net/http
package, as well as bug fixes to the linker, and the go/types and
net/http packages. See the [Go 1.21.9 milestone](https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved)
for more details.

These minor releases include 1 security fix following the security policy:

- http2: close connections when receiving too many headers

Maintaining HPACK state requires that we parse and process all HEADERS
and CONTINUATION frames on a connection. When a request's headers exceed
MaxHeaderBytes, we don't allocate memory to store the excess headers but
we do parse them. This permits an attacker to cause an HTTP/2 endpoint
to read arbitrary amounts of header data, all associated with a request
which is going to be rejected. These headers can include Huffman-encoded
data which is significantly more expensive for the receiver to decode
than for an attacker to send.

Set a limit on the amount of excess header frames we will process before
closing a connection.

Thanks to Bartek Nowotarski (https://nowotarski.info/) for reporting this issue.

This is CVE-2023-45288 and Go issue https://go.dev/issue/65051.

View the release notes for more information:
https://go.dev/doc/devel/release#go1.22.2

- https://github.com/golang/go/issues?q=milestone%3AGo1.21.9+label%3ACherryPickApproved
- full diff: golang/go@go1.21.8...go1.21.9

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Rob Murray <rob.murray@docker.com>
vendor: golang.org/x/net v0.23.0
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
thaJeztah and others added 30 commits June 5, 2024 10:18
Update the containerd binary that's used in CI and for the static packages.

- release notes: https://github.com/containerd/containerd/releases/tag/v1.7.18
- full diff: containerd/containerd@v1.7.17...v1.7.18

Welcome to the v1.7.18 release of containerd!

The eighteenth patch release for containerd 1.7 contains various updates along
with an updated version of Go. Go 1.22.4 and 1.21.11 include a fix for a symlink
time of check to time of use race condition during directory removal.

Highlights

- Update Go version to 1.21.11
- Remove uses of platforms.Platform alias
- Migrate log imports to github.com/containerd/log
- Migrate errdefs package to github.com/containerd/errdefs
- Fix usage of "unknown" platform

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
vendor: github.com/containerd/containerd v1.7.18
api/types: migrate NetworkResource to api/types/network
Until now, containers on the default bridge network have been configured
to talk directly to external DNS servers - their resolv.conf files have
either been populated with nameservers from the host's resolv.conf, or
with servers from '--dns' (or with Google's nameservers as a fallback).

This change makes the internal bridge more like other networks by using
the internal resolver.  But, the internal resolver is not populated with
container names or aliases - it's only for external DNS lookups.

Containers on the default network, on a host that has a loopback
resolver (like systemd's on 127.0.0.53) will now use that resolver
via the internal resolver. So, the logic used to find systemd's current
set of resolvers is no longer needed by the daemon.

Legacy links work just as they did before, using '/etc/hosts' and magic.

(Buildkit does not use libnetwork, so it can't use the internal resolver.
But it does use libnetwork/resolvconf's logic to configure resolv.conf.
So, code to set up resolv.conf for a legacy networking without an internal
resolver can't be removed yet.)

Signed-off-by: Rob Murray <rob.murray@docker.com>
Don't fall-back to Google's DNS servers in a network that has an
internal resolver.

Now the default bridge uses the internal resolver, the only reason a
network started by the daemon should end up without any upstream
servers is if the host's resolv.conf doesn't list any.  In this case,
the '--dns' option can be used to explicitly configure nameservers
for a container if necessary.

(Note that buildkit's containers do not have an internal resolver, so
they will still set up Google's nameservers if the host has no
resolvers that can be used in the container's namespace.)

Signed-off-by: Rob Murray <rob.murray@docker.com>
…ridge

Add resolver for default bridge, remove default nameservers
- full diff: moby/buildkit@v0.13.1...v0.14.0-rc2

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
eea0b41bf4fb1d69e109ff5ff8045c63f0c0d510 added a new argument to
`instructions.Parse` to support issuing linter warnings.

Classic builder uses it to parse the Dockerfile instructions and its
usage needs adjustment.

The classic builder is deprecated and we won't be adding any new
features to it, so we just pass a nil linter callback.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
1b1c5bc08ad81add007eb647e66ed0929693f3a0 extended the function signature
with one additional return value.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
b5c50afa882e2b34aba880fd5028615e2ef94e07 changed the signature of
NewGatewayFrontend to include a slice of allowed repositories.

Docker does not allow specifying this option, so don't place any
restrictions by passing an empty slice.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
removes use of the deprecated "golang.org/x/net/context" package

full diff: golang/appengine@v1.6.7...v1.6.8

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
vendor: github.com/moby/buildkit v0.14.0-rc2-dev
api: Make EnableIPv6 optional (impl #1 - pointer-based)
vendor: google.golang.org/appengine v1.6.8
Allow clients (e.g. cri-dockerd) to fetch container annotations in
ContainerList api.

Signed-off-by: cncal <flycalvin@qq.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
api/types: move NetworkCreate, NetworkCreateRequest, NetworksPruneReport to api/types/network
The CheckDuplicate option is no longer part of the current API; it's
only used by the client when connecting to old API versions, which need
to have this field set.

This patch:

- Removes the CheckDuplicate from the API documentation, as the API
  describes the current version of the API (which does not have this
  field).
- Moves the CheckDuplicate field to the CreateRequest type; this is
  the type used for the network create request. The CheckDuplicate
  is not an option that's set by the user, and set internally by
  the client, so removing it from the CreateOptions struct moves
  it entirely internal.
- Changes the CheckDuplicate field to be a pointer; this makes the
  "omitempty" become active, and the client will no longer include
  the field in the request JSON unless it's set (API < 1.44).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
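The pointer-plus-`omitempty` pattern used by the CheckDuplicate commit above (and by the "Make EnableIPv6 optional (impl #1 - pointer-based)" commit earlier in this list) is shown below as an added example. The struct types, `apiLessThan` and `buildCreateRequest` are constructed stand-ins, not moby's `api/types/network` definitions or its client version-negotiation code. The example shows why a plain `bool` with `omitempty` cannot carry an explicit `false`, how a `*bool` lets the client emit the field only for API versions below 1.44, and how a server can tell an absent optional field apart from an explicit `false`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed request type with a plain bool. "omitempty" drops false,
// so the field can never be sent as an explicit false.
type createRequestBool struct {
	Name           string `json:"Name"`
	CheckDuplicate bool   `json:"CheckDuplicate,omitempty"`
}

// Constructed request type with a pointer. nil is dropped, while &true and
// &false are both encoded, so "unset" and "false" are distinguishable.
type createRequestPtr struct {
	Name           string `json:"Name"`
	CheckDuplicate *bool  `json:"CheckDuplicate,omitempty"`
}

func encodeBool(name string, checkDuplicate bool) (string, error) {
	b, err := json.Marshal(createRequestBool{Name: name, CheckDuplicate: checkDuplicate})
	return string(b), err
}

func encodePtr(name string, checkDuplicate *bool) (string, error) {
	b, err := json.Marshal(createRequestPtr{Name: name, CheckDuplicate: checkDuplicate})
	return string(b), err
}

// apiLessThan compares "major.minor" API version strings numerically.
// It is a hypothetical stand-in for the client's version helper.
func apiLessThan(a, b string) bool {
	var am, an, bm, bn int
	fmt.Sscanf(a, "%d.%d", &am, &an)
	fmt.Sscanf(b, "%d.%d", &bm, &bn)
	if am != bm {
		return am < bm
	}
	return an < bn
}

// buildCreateRequest mirrors the behaviour the commit describes: the
// client sets CheckDuplicate only when the negotiated API is older than
// 1.44; newer servers never see the field in the JSON.
func buildCreateRequest(name, negotiatedAPI string) (string, error) {
	req := createRequestPtr{Name: name}
	if apiLessThan(negotiatedAPI, "1.44") {
		t := true
		req.CheckDuplicate = &t
	}
	b, err := json.Marshal(req)
	return string(b), err
}

// Server side of the same idea for an optional EnableIPv6 field
// (constructed type, not the real one): a pointer lets the handler keep
// the default when the field is absent and honour an explicit false.
type networkCreateBody struct {
	Name       string `json:"Name"`
	EnableIPv6 *bool  `json:"EnableIPv6,omitempty"`
}

// enableIPv6Setting returns (present, value, err) for a request body.
func enableIPv6Setting(body string) (bool, bool, error) {
	var req networkCreateBody
	if err := json.Unmarshal([]byte(body), &req); err != nil {
		return false, false, err
	}
	if req.EnableIPv6 == nil {
		return false, false, nil
	}
	return true, *req.EnableIPv6, nil
}

func main() {
	f := false
	s1, _ := encodeBool("net1", false) // {"Name":"net1"} - false is lost
	s2, _ := encodePtr("net1", &f)     // {"Name":"net1","CheckDuplicate":false}
	s3, _ := buildCreateRequest("net1", "1.43")
	s4, _ := buildCreateRequest("net1", "1.45")
	fmt.Println(s1, s2, s3, s4, sep())
	present, value, _ := enableIPv6Setting(`{"Name":"net1","EnableIPv6":false}`)
	fmt.Printf("EnableIPv6 present=%v value=%v\n", present, value)
}

func sep() string { return "" }
```

Switching from `bool` to `*bool` is backward compatible on the wire for old servers (they still receive `true`) and removes the field entirely for new ones, which is what keeps the API documentation for the current version honest.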
api/types/network: make CheckDuplicate optional
api/server: ContainerList returns container annotations
…rameterErrof"

This reverts commit 5a2fa59.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
This reverts commit 9369132.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Rob is currently a curator, and has been actively contributing to this
repo for 7 months now.

Besides day-to-day triaging and bug fixing, Rob is an instrumental
contributor to libnetwork, and amongst other things, to the ongoing work
on IPv6 improvements.

I nominated Rob as maintainer, and votes passed, so opening a PR to make
it official.

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Revert "libnet/i/defaultipam: Disambiguate PoolID string format"
Labels
⤵️ pull 🔍 Ready for Review Pull Request is not reviewed yet