[pull] master from moby:master #1404
Open: pull wants to merge 7,542 commits into next-stack:master from moby:master (+1,117,787 −466,641)
Add testutil daemon.WithResolvConf
integration: minor cleanups and linting fixes
…not_run integration-cli: TestRunInvalidCpuset.. create instead of run
This function is only used internally and has no external consumers. Mark it deprecated to be removed in the next release. Signed-off-by: Sebastiaan van Stijn <[email protected]>
This was added in f0ce367, but are no longer used since b677cf9, so we can now remove this. Signed-off-by: Sebastiaan van Stijn <[email protected]>
pkg/fileutils: deprecate GetTotalUsedFds
Signed-off-by: Sebastiaan van Stijn <[email protected]>
c8d: Use the roundtripper during build
pkg/fileutils: move GetTotalUsedFds internal in daemon
Signed-off-by: Derek McGowan <[email protected]>
commit 1932091 removed support for the --allow-nondistributable-artifacts, but forgot to remove this section. Signed-off-by: Sebastiaan van Stijn <[email protected]>
golangci-lint: remove temporary exception for deprecated code
Update swarm to latest for server alpn config
- update github.com/Azure/go-ansiterm to v0.0.0-20250102033503-faa5f7b0171c to fix OSC string terminator parsing.
- add security policy
- update github actions and test against go1.22, go1.23
full diff: moby/term@v0.5.0...v0.5.2
Signed-off-by: Sebastiaan van Stijn <[email protected]>
This function was using a confusing syntax because `Isolation.IsDefault()` and `Isolation.IsHyperV()` don't accept an argument. It's valid (see below), but just confusing, so let's use a more common approach.

```go
package main

import "fmt"

type NameSayer string

func (f NameSayer) SayMyName() {
	fmt.Println(f)
}

func main() {
	var foo NameSayer = "my name is"
	foo.SayMyName()
	NameSayer("my name is..").SayMyName()

	// Thought SayMyName() would take no arguments? Think again!
	NameSayer.SayMyName("slim shady!")
}
```

While at it, also renamed the `container` argument as it was shadowing the `container` import.
Signed-off-by: Sebastiaan van Stijn <[email protected]>
vendor: github.com/moby/term v0.5.2
…artifacts man: remove --allow-nondistributable-artifacts
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Before this patch:
    remove_test.go:62: timeout hit after 10s: waiting for container to be one of (exited), currently running
After this patch:
    remove_test.go:62: waiting for container State.Status to be 'exited', currently 'running'
Signed-off-by: Sebastiaan van Stijn <[email protected]>
It doesn't look like this type was intended for external use; constructing a RingLogger can be done through the `NewRingLogger()` constructor, which returns a `Logger` interface (implemented by `RingLogger`). Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
In L3 modes, the ipvlan driver can't set up a default gateway with a next hop address, because there's no L2 for it to resolve the gateway IP into a MAC address. Instead, it sets up a route to 0.0.0.0 or [::] that's connected to the network's interface. The end result is the same - the container has a default route. So, include those routes when searching for endpoints that can act as a container's default gateway. Signed-off-by: Rob Murray <[email protected]>
In L3 modes, the ipvlan driver can't set up a default gateway with a next hop address, because there's no L2 for it to resolve the gateway IP into a MAC address. Instead, it sets up a route to 0.0.0.0 or [::] that's connected to the network's interface. The end result is the same - the container has a default route. So, don't set up routes to 0.0.0.0/:: when applying routes when an endpoint joins a sandbox, set them up when the endpoint is selected as the container's gateway. And, drop those routes when another endpoint becomes the gateway. Signed-off-by: Rob Murray <[email protected]>
Check that when a container has endpoints in an l3-ipvlan and another network type (bridge), there's no longer any clash between the ipvlan's connected default route and the bridge's default gateway. Signed-off-by: Rob Murray <[email protected]>
It's only accessed internally, so doesn't have to be exported. Signed-off-by: Sebastiaan van Stijn <[email protected]>
The response would not have a trailing newline, which made it difficult to copy the path. While updating, also include the path of the stackdump in the daemon log that's produced.
Before this:
    root@fa87ff1bcd00:/go/src/github.com/docker/docker# curl -s http://127.0.0.1:123/stackdump
    OK goroutine stacks written to /tmp/goroutine-stacks-2025-01-19T160337Z.logroot@fa87ff1bcd00:/go/src/github.com/docker/docker#
After this:
    root@fa87ff1bcd00:/go/src/github.com/docker/docker# curl -s http://127.0.0.1:123/stackdump
    OK goroutine stacks written to /tmp/goroutine-stacks-2025-01-19T160922Z.log
    root@fa87ff1bcd00:/go/src/github.com/docker/docker#
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Handle situations where the server is already stopped internally, instead of requiring the caller to do this. Signed-off-by: Sebastiaan van Stijn <[email protected]>
…otent Handle situations where the server is already started or stopped internally, instead of requiring the caller to do this. Signed-off-by: Sebastiaan van Stijn <[email protected]>
diagnosticServer is only written to during controller.New, and the diagnostic server itself already has a mutex on EnableDiagnostic, DisableDiagnostic, and IsDiagnosticEnabled, which should prevent issues trying to concurrently change its state. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
- EnableDiagnostic -> Enable
- DisableDiagnostic -> Shutdown
- IsDiagnosticEnabled -> Enabled
Signed-off-by: Sebastiaan van Stijn <[email protected]>
with this patch:
    dockerd --network-diagnostic-port -1 --validate
    unable to configure the Docker daemon with file /etc/docker/daemon.json: merged configuration validation from file and command line flags failed: invalid network-diagnostic-port (-1): value must be between 0 and 65535
Signed-off-by: Sebastiaan van Stijn <[email protected]>
…ble-event Fix: Duplicate event on network disconnect
Assorted fixes, improvements, and refactoring of network diagnostic server
…f not used This function was unconditionally trying to fetch linked container, even if the container was not using the default bridge (the only network that supports legacy links). Also removing the intermediate variable, as daemon.children, through daemon.linkindex.children already returns a variable with a copy of these links. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Encapsulate the "create link -> link.ToEnv" process. Signed-off-by: Sebastiaan van Stijn <[email protected]>
    go test -v -bench ^\QBenchmarkLinkMultipleEnv\E$ -run ^$
    goos: darwin
    goarch: arm64
    pkg: github.com/docker/docker/daemon/links
    cpu: Apple M1 Pro
    BenchmarkLinkMultipleEnv
    BenchmarkLinkMultipleEnv-10    92817    12072 ns/op    8516 B/op    316 allocs/op
    PASS
Signed-off-by: Sebastiaan van Stijn <[email protected]>
There's no need to loop and sort multiple times; this code picked the first port after sorting, which we already did in this function. Signed-off-by: Sebastiaan van Stijn <[email protected]>
The intent of this sorting was twofold;
- the "default" port of the container to be the first TCP port (if present)
- consecutive port-mappings with the same protocol to be together so that port-ranges would produce an env-var describing the range.
The current sorting would sort TCP ports before UDP (or SCTP) port, but only if they had the same port-number. This could result in range-detection incorrectly combining TCP and UDP (or SCTP) ports in the same range.
Signed-off-by: Sebastiaan van Stijn <[email protected]>
The code incorrectly created env-vars for consecutive port numbers with a different protocol; we should only consider ports to be part of a range if they have consecutive port-numbers and have the same protocol. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Rewrite the range-detection logic to prevent duplicate env-vars, and to avoid looping over the same values multiple times.
Benchmark before / after:
    goos: darwin
    goarch: arm64
    pkg: github.com/docker/docker/daemon/links
    cpu: Apple M1 Pro
    BenchmarkLinkMultipleEnv
    BenchmarkLinkMultipleEnvOld-10     92817    12072 ns/op    8516 B/op    316 allocs/op
    BenchmarkLinkMultipleEnvNew-10    149493     7792 ns/op    6435 B/op    213 allocs/op
    PASS
Signed-off-by: Sebastiaan van Stijn <[email protected]>
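The range rule that the daemon/links commit messages above describe, as an added Go example that is not the moby code: ports are sorted by protocol first (TCP ahead), and only consecutive numbers of the same protocol are merged. `Port`, `portRanges` and the `proto:first-last` output format are hypothetical stand-ins for the real types and env-vars.

```go
package main

import (
	"fmt"
	"sort"
)

// Port is a hypothetical stand-in for one exposed container port.
type Port struct {
	Proto string
	Num   int
}

// portRanges returns "proto:first-last" for each run of consecutive ports.
// Sorting by protocol before number keeps each protocol's ports adjacent, so a
// run can never mix TCP with UDP or SCTP; entry 0 is the lowest TCP port if any.
func portRanges(ports []Port) []string {
	ps := append([]Port(nil), ports...) // do not reorder the caller's slice
	sort.Slice(ps, func(i, j int) bool {
		a, b := ps[i], ps[j]
		if a.Proto != b.Proto {
			// TCP first, then the remaining protocols alphabetically.
			return a.Proto == "tcp" || (b.Proto != "tcp" && a.Proto < b.Proto)
		}
		return a.Num < b.Num
	})
	var out []string
	for i := 0; i < len(ps); {
		j := i
		// Extend the run while the protocol matches and the number repeats or
		// increases by one (a repeat is folded in rather than emitted twice).
		for j+1 < len(ps) && ps[j+1].Proto == ps[i].Proto && ps[j+1].Num-ps[j].Num <= 1 {
			j++
		}
		out = append(out, fmt.Sprintf("%s:%d-%d", ps[i].Proto, ps[i].Num, ps[j].Num))
		i = j + 1
	}
	return out
}

func main() {
	// Constructed input: the same numbers on different protocols, interleaved.
	in := []Port{{"udp", 6001}, {"tcp", 6000}, {"udp", 6002}, {"tcp", 6001}, {"tcp", 80}}
	fmt.Println(portRanges(in))
}
```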
daemon/links: assorted bug fixes and cleanup
If a container was started with
- a numeric uid
- both a user and group (username:groupname)
- uid and gid (uid:gid)
The copy action failed, because the "username:groupname" was looked up using getent.
This patch;
- splits `user` and `group` before looking up
- if numeric `uid` or `gid` is used and lookup fails, the `uid` / `gid` is used as-is
The code also looked up the user and group on the host instead of in the container when using getent; this patch fixes the lookup to only use the container's /etc/passwd and /etc/group instead.
Signed-off-by: Sebastiaan van Stijn <[email protected]>
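The lookup order described in the commit message above, as an added Go example rather than moby's implementation: the spec is split before any lookup, each part is resolved against text the caller read from the container's own files, and a numeric id with no entry is used as-is. `resolveOwner` and `idOf` are hypothetical helpers, the passwd/group text is a constructed sample, and returning gid -1 when no group is given is an assumption of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of a container's /etc/passwd and /etc/group.
const samplePasswd = "root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/sh\n"
const sampleGroup = "root:x:0:\napp:x:1000:\nweb:x:2000:app\n"

// idOf resolves key in passwd- or group-format text (name:x:id:...), matching
// on the name or the numeric id. A numeric key with no entry is used as-is.
func idOf(db, key string) (int, error) {
	for _, line := range strings.Split(db, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 3 && (f[0] == key || f[2] == key) {
			return strconv.Atoi(f[2])
		}
	}
	if id, err := strconv.Atoi(key); err == nil && id >= 0 {
		return id, nil
	}
	return 0, fmt.Errorf("no entry for %q", key)
}

// resolveOwner splits "user[:group]" first, then looks each part up in the
// database passed in: the container's files, never the host's.
func resolveOwner(spec, passwd, group string) (uid, gid int, err error) {
	user, grp, hasGroup := strings.Cut(spec, ":")
	if uid, err = idOf(passwd, user); err != nil {
		return 0, 0, err
	}
	gid = -1 // no group given: left to the caller (assumption of this example)
	if hasGroup {
		gid, err = idOf(group, grp)
	}
	return uid, gid, err
}

func main() {
	for _, spec := range []string{"app:web", "1000:2000", "4242:4242", "app", "ghost:web"} {
		uid, gid, err := resolveOwner(spec, samplePasswd, sampleGroup)
		fmt.Println(spec, "->", uid, gid, err)
	}
}
```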
This reverts commit 433b1f9. Signed-off-by: Albin Kerouanton <[email protected]>
go1.23.5 (released 2025-01-16) includes security fixes to the crypto/x509 and net/http packages, as well as bug fixes to the compiler, the runtime, and the net package. See the Go 1.23.5 milestone on our issue tracker for details;
- https://github.com/golang/go/issues?q=milestone%3AGo1.23.5+label%3ACherryPickApproved
- full diff: golang/go@go1.23.4...go1.23.5
Hello gophers,
We have just released Go versions 1.23.5 and 1.22.11, minor point releases.
These minor releases include 2 security fixes following the security policy:
- crypto/x509: usage of IPv6 zone IDs can bypass URI name constraints
  A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain.
  Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
  Thanks to Juho Forsén of Mattermost for reporting this issue.
  This is CVE-2024-45341 and Go issue https://go.dev/issue/71156.
- net/http: sensitive headers incorrectly sent after cross-domain redirect
  The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com.
  In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
  Thanks to Kyle Seely for reporting this issue.
  This is CVE-2024-45336 and Go issue https://go.dev/issue/70530.
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Revert "libnet/d/bridge: port mappings: filter by input iface"
Adjust all workflows to also run on branches like `27.x` Signed-off-by: Paweł Gronowski <[email protected]>
build: don't print warning when connection was terminated
update to go1.23.5 (fix CVE-2024-45341, CVE-2024-45336)
gha: Adjust release branches
Fix parsing of user/group during copy operation
Signed-off-by: CrazyMax <[email protected]>
vendor: update buildkit to v0.19.0
Created by pull[bot]