Migrate container client to moby/moby modules #5420
Merged
Codecov Report ❌ Patch coverage is
Additional details and impacted files:

```
@@ Coverage Diff @@
##             main    #5420      +/-   ##
==========================================
- Coverage   68.85%   68.85%   -0.01%
==========================================
  Files         634      634
  Lines       64422    64433      +11
==========================================
+ Hits        44358    44363       +5
- Misses      16783    16788       +5
- Partials     3281     3282       +1
```
190c8a9 to 9b2461b
github.com/docker/docker is deprecated as of Docker v29 (November 2025) and is frozen: it receives no further releases, including fixes for the daemon-side advisories CVE-2026-33997 and CVE-2026-34040 that govulncheck currently suppresses for this project. Upstream now ships the maintained client and API types as the split modules github.com/moby/moby/client and github.com/moby/moby/api, both of which ToolHive already requires. Migrate pkg/container/docker and pkg/container/images off github.com/docker/docker/{client,api/types,pkg/stdcopy} and github.com/docker/go-connections/nat onto github.com/moby/moby/client and github.com/moby/moby/api. The new client exposes a redesigned surface, so call sites are adapted to the per-operation Options/Result structs, the client.Filters type, the network.Port struct (replacing the nat.Port string), and netip.Addr host addresses, while preserving existing behavior. After this change the production build no longer imports github.com/docker/docker; it remains only as an indirect test dependency via testcontainers-go. Drop the now-dormant govulncheck ignore entries for GO-2026-4883 and GO-2026-4887. These daemon-side Moby advisories are no longer in govulncheck's called set once docker/docker is off the production build, so the suppressions are no longer needed. Also drop the stale GO-2026-4514 entry: buger/jsonparser is no longer in the module graph, so that ignore is dead. Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
9b2461b to 233f4a9
JAORMX approved these changes Jun 3, 2026
rdimitrov added a commit to stacklok/toolhive-registry-server that referenced this pull request Jun 3, 2026
## Summary
Removes **all** govulncheck and grype vuln suppressions from the repo. After this PR there are no active ignore entries in `.github/workflows/security-scan.yml` (`IGNORED_VULNS=""`) or `.grype.yaml` (`ignore: []`).
### Dropped (stale): `GO-2026-4771` / `GO-2026-4772` (pgx pgproto3 decode)
These were added when no fix for `github.com/jackc/pgx/v5` existed. The fix shipped in **`pgx/v5 v5.9.0`**, and this project is already on **`v5.9.2`** — so the advisories no longer apply, the version isn't in the affected range, and govulncheck doesn't report them. Removing them does not change which vulnerabilities are reported (they were never in the found/called set).
### Dropped (intentionally surfaced): `GO-2026-4883` / `GO-2026-4887` (docker daemon)
Also removes the `GHSA-x744-4wpc-v9h2` / `CVE-2026-34040` block from `.grype.yaml`. These are Docker daemon advisories (plugin privilege off-by-one and AuthZ bypass). This client-only consumer reaches `github.com/docker/docker` solely through toolhive's transitive import — the daemon-side vulnerable paths are unreachable here. `github.com/docker/docker` is frozen at `v28.5.2` with no fixed release, so there is **nothing to bump to**; the real remediation is the upstream `docker/docker` → `github.com/moby/moby/{client,api}` migration (stacklok/toolhive#5420). Rather than keep these masked, we remove the suppressions now so the advisories surface. Once the moby-migrated toolhive is bumped here, `docker/docker` leaves the dependency graph and both scanners go green again — at which point no follow-up cleanup is needed because the ignore entries are already gone.
## ⚠️ Expected CI state
Both `Security Scan / Go Vulnerability Check` and `Security Scan / Grype Repository Scan` are **required status checks** and will be **red** on this PR until the toolhive/moby bump lands:
- **Grype** fails on `GHSA-x744-4wpc-v9h2` (`docker/docker@v28.5.2`, High, fix `29.3.1`).
- **govulncheck** fails on `GO-2026-4883` / `GO-2026-4887` (docker), plus transiently on `GO-2026-5037/5038/5039` (stdlib, until CI's `stable` toolchain reaches `go1.26.4`).
Merging therefore requires an admin bypass, and downstream PRs cut from `main` will inherit the same red required checks until the bump merges.
## Notes
- No code changes — security-scan workflow + grype config only.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
rdimitrov added a commit to stacklok/toolhive-registry-server that referenced this pull request Jun 3, 2026
## Summary
Bumps `github.com/stacklok/toolhive` **v0.28.3 → v0.29.0**, which
removes `github.com/docker/docker` from this project's build.
v0.29.0 migrates toolhive's container runtime off the **deprecated,
frozen** `docker/docker` module onto the maintained
`github.com/moby/moby/{client,api}` modules (stacklok/toolhive#5420).
With that, nothing in registry-server's import graph pulls
`docker/docker` anymore, so it drops out of the production build and
`go.mod` entirely (it remains only as an indirect `go.sum` checksum via
the module graph).
This **completes** the remediation that #805 set up: #805 removed the
`GO-2026-4883` / `GO-2026-4887` (`CVE-2026-33997` / `CVE-2026-34040`)
docker daemon-advisory suppressions ahead of this bump (with a note that
the scans were expected to fail until it landed). This is that bump.
## Verification (local)
- `go build ./...` ✓, `go vet ./...` ✓ — no breaking changes from the
minor bump
- `docker/docker` in production build: **0 packages**; `go mod why` →
"main module does not need package"; gone from `go.mod`
- **Grype** (`--only-fixed --fail-on high`, matching CI): no
`docker/docker` / high+fixed findings → exit 0 — the Grype Repository
Scan will pass
- govulncheck: no `docker/docker` findings (the advisories are off the
build)
- Refreshed the now-satisfied "until the bump lands" notes in
`security-scan.yml` and `.grype.yaml`
## Note on the `Go Vulnerability Check` job
It will likely **stay red on the pre-existing stdlib batch**
`GO-2026-5037/5038/5039` (`crypto/x509`, `mime`, `net/textproto`; fixed
in **Go 1.26.4**), reached via this project's own code. That's unrelated
to this bump — it's red on `main` for the same reason, pending CI's Go
toolchain reaching 1.26.4 (the Actions `go-versions` manifest still tops
out at 1.26.3). This PR only removes the **docker** advisories from the
reported set.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Summary
Migrates `pkg/container/docker` and `pkg/container/images` off the deprecated `github.com/docker/docker` module onto the maintained split modules `github.com/moby/moby/client` and `github.com/moby/moby/api` (both already required by ToolHive).

`github.com/docker/docker` is deprecated as of Docker v29 (Nov 2025) and frozen — it gets no further releases, including fixes for the daemon-side advisories CVE-2026-33997 (GO-2026-4883) and CVE-2026-34040 (GO-2026-4887) that we currently suppress in govulncheck (#4521). Rather than carry a suppression for a dead module indefinitely, this removes the dependency from the production build. The moby README migration map:

After this change the production build no longer imports `github.com/docker/docker` (`go mod why` → "main module does not need package"); it remains only as an indirect test dependency via `testcontainers-go`.
## What changed
The new `moby/moby/client` is a redesigned API, not a drop-in rename, so call sites were adapted while preserving behavior:
- Options/Result structs — e.g. `ContainerList(ctx, ContainerListOptions{…}) → res.Items`, `ContainerCreate(ctx, ContainerCreateOptions{Config, HostConfig, NetworkingConfig, Name})`, `Ping(ctx, PingOptions{})`. `dockerAPI` interface and the `fakeDockerAPI` test double updated to match.
- `filters.NewArgs()`/`Arg()` → the chainable `client.Filters` map.
- `nat.Port` (string) → `network.Port` (struct): `nat.NewPort("tcp", n)` → `network.ParsePort(n)`, `.Int()`/`.Proto()` → `.Num()`/`.Proto()`.
- `PortBinding.HostIP`, `IPAMConfig.Gateway`, `EndpointSettings.IPAddress`, `HostConfig.DNS` moved from `string`/`[]string` to `netip.Addr`/`[]netip.Addr`; a small `parseHostIP` helper maps empty↔zero to preserve "all interfaces" semantics, and reads are `IsValid()`-guarded so the zero value still renders as `""`.
- `ContainerLogsResult` is an `io.ReadCloser` and `ContainerAttachResult` embeds `HijackedResponse`, so existing stream handling is unchanged (only the `stdcopy` import path moved).
- `client.NewClientWithOpts(...)` → `mobyclient.New(...)`; dropped `WithAPIVersionNegotiation()` (now the default).
- `registry.go` — since `*mobyclient.Client` directly satisfies go-containerregistry's `daemon.Client`, the previously separate daemon client is dropped and a single client serves both `ImageBuild` and `daemon.Image`/`daemon.Write`.

~670 lines, mostly mechanical option/result adaptation + test fixtures.
## Test plan
- `go build ./...`, `go vet ./...`, `go test ./pkg/container/...` — all pass
- `golangci-lint run ./pkg/container/...` — 0 issues
- `gofmt` clean; `GOOS=windows go build ./pkg/container/docker/sdk/` compiles
- `github.com/docker/docker`/`go-connections/nat` source imports remain in `pkg/`
## Reviewer notes (behavior-equivalence)
- `HostConfig.DNS` now returns an error on an unparseable address (was silent passthrough). In practice `additionalDNS` only ever comes from an inspected container IP, so this path shouldn't trigger.
- `parseHostIP`, `getDockerBridgeGatewayIP`, the DNS-IP extraction in `createDnsContainer`, and the `network.Port` rework in `setupExposedPorts`/`setupPortBindings`/`comparePortConfig`.

🤖 Generated with Claude Code
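The empty↔zero `netip.Addr` mapping from the `parseHostIP` bullet and the new error path for an unparseable `HostConfig.DNS` entry, as an added example written for this page (it is not ToolHive's code; the helper names `parseHostIP`, `renderHostIP` and `parseDNS` are assumed):

```go
// Added example (not ToolHive's code; helper names assumed): string->netip.Addr edge cases.
package main

import (
	"fmt"
	"net/netip"
)

// parseHostIP converts a legacy PortBinding.HostIP string to netip.Addr. The
// old "" ("all interfaces") maps to the zero Addr, not to a parse error.
func parseHostIP(s string) (netip.Addr, error) {
	if s == "" {
		return netip.Addr{}, nil
	}
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Addr{}, fmt.Errorf("invalid host IP %q: %w", s, err)
	}
	return addr, nil
}

// renderHostIP is the read side: the zero Addr must render as "" again, not
// as the "invalid IP" text netip.Addr{}.String() gives, hence IsValid().
func renderHostIP(a netip.Addr) string {
	if !a.IsValid() {
		return ""
	}
	return a.String()
}

// parseDNS converts a legacy []string DNS list to []netip.Addr; unlike the
// old string passthrough, an unparseable entry is now an error.
func parseDNS(entries []string) ([]netip.Addr, error) {
	out := make([]netip.Addr, 0, len(entries))
	for _, e := range entries {
		a, err := netip.ParseAddr(e)
		if err != nil {
			return nil, fmt.Errorf("invalid DNS address %q: %w", e, err)
		}
		out = append(out, a)
	}
	return out, nil
}

func main() {
	for _, s := range []string{"", "127.0.0.1", "::1", "not-an-ip"} {
		a, err := parseHostIP(s)
		fmt.Printf("%q -> %q err=%v\n", s, renderHostIP(a), err)
	}
}
```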