This test was only testing whether we could load a legacy config-file that
contained the "experimental" (experimental CLI) option. Experimental cli
options are disabled since 977d3ae046 (20.10),
and now enabled by default, but we should not fail to start the cli if the
config-file contains the option.
Move the test to the config package, as it doesn't need the cli for this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This looks like a copy/paste from other tests, because this test
does not test anything related to docker content trust.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was exported in 812f113685
for use in other parts of the CLI, but it's now only used locally.
Make it internal again, as it was never designed to be exported. There
are no known external consumers of this function, but deprecating it
first, in case there are.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was exported in e43c7920ea
for use of "docker app", which is now deprecated. The signature of this
function also depended on a non-exported type, so it could not be used
externally.
Make it internal again, as it was never designed to be exported. There
are no known external consumers of this function.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was exported in e43c7920ea
for use of "docker app", which is now deprecated. The signature of this
function also depended on a non-exported type so it could not be used
externally.
Make it internal again, as it was never designed to be exported. There
are no known external consumers of this function.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It's only used internally, and has no external consumers. Un-export
it, rename it to something more descriptive, and move it to a separate
file to align with other packages.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was introduced in 79141ce5eb, which
was reverted in f596202125, and re-applied
in the previous commit.
Before this patch, saving credentials worked correctly;
docker login -u thajeztah
Password:
Login Succeeded
cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "REDACTED"
}
}
}
But when resolving the credentials, the credentials stored would not be found;
docker pull -q thajeztah/private-test-image
Error response from daemon: pull access denied for thajeztah/private-test-image, repository does not exist or may require 'docker login': denied: requested access to the resource is denied
With this patch applied:
docker pull -q thajeztah/private-test-image
docker.io/thajeztah/private-test-image:latest
Thanks to mtrmac (Miloslav Trmač) for spotting this mistake!
Suggested-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit f596202125, and reapplies
79141ce5eb.
> cli/command: remove uses of GetAuthConfigKey, ParseRepositoryInfo
>
> Re-implement locally, based on the code in github.com/docker/docker/registry,
> but leaving out bits that are not used on the client-side, such as
> configuration of Mirrors, and configurable insecure-registry, which
> are not used on the client side.
This commit contains a regression due to a typo in `authConfigKey`;
const authConfigKey = "https:/index.docker.io/v1/"
Which is missing a `/` after the scheme.
Which currently fails the TestRetrieveAuthTokenFromImage test.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It's currently slower because it calls registry.ParseRepositoryInfo,
which does a DNS lookup for hostnames to determine if they're a loopback
address (and marked "insecure");
go test -v -run TestRetrieveAuthTokenFromImage
=== RUN TestRetrieveAuthTokenFromImage
=== RUN TestRetrieveAuthTokenFromImage/no-prefix
=== RUN TestRetrieveAuthTokenFromImage/docker.io
=== RUN TestRetrieveAuthTokenFromImage/index.docker.io
=== RUN TestRetrieveAuthTokenFromImage/registry-1.docker.io
=== RUN TestRetrieveAuthTokenFromImage/registry.hub.docker.com
=== RUN TestRetrieveAuthTokenFromImage/[::1]
=== RUN TestRetrieveAuthTokenFromImage/[::1]:5000
=== RUN TestRetrieveAuthTokenFromImage/127.0.0.1
=== RUN TestRetrieveAuthTokenFromImage/localhost
=== RUN TestRetrieveAuthTokenFromImage/localhost:5000
=== RUN TestRetrieveAuthTokenFromImage/no-auth.example.com
--- PASS: TestRetrieveAuthTokenFromImage (0.35s)
--- PASS: TestRetrieveAuthTokenFromImage/no-prefix (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/docker.io (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/index.docker.io (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/registry-1.docker.io (0.08s)
--- PASS: TestRetrieveAuthTokenFromImage/registry.hub.docker.com (0.12s)
--- PASS: TestRetrieveAuthTokenFromImage/[::1] (0.13s)
--- PASS: TestRetrieveAuthTokenFromImage/[::1]:5000 (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/127.0.0.1 (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/localhost (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/localhost:5000 (0.00s)
--- PASS: TestRetrieveAuthTokenFromImage/no-auth.example.com (0.01s)
PASS
ok github.com/docker/cli/cli/command 1.367s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "Service.Auth" pretended to return a message from the registry,
but the message returned is hard-coded in the registry package.
Remove its use to make this more transparent, and not to pretend
this is anything returned by the registry.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Restore part of the code removed by 966b44183f
that closed the stream. It's required now because the Run command won't
finish before the output stream was processed by the caller.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Fix a regression introduced by 30c4637f03
which made the `docker run` command produce potentially truncated
stdout/stderr output.
Previous implementation stopped the content streaming as soon as the
container exited which would potentially truncate a long outputs.
This change fixes the issue by only canceling the IO stream immediately
if neither stdout nor stderr is attached.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Cobra now defines a CompletionFunc for the same, so we can alias
it to that, and stop using our own definition.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- remove pruneFilters.Contains for checks, as this is already
handled by pruneFilters.ExactMatch.
- Update GoDoc to better describe the function's functionality
- Use a swtich instead of if/else.
This function should be moved to a separate package; possibly splitting
it out to a "Merge" function that accepts two filter.Args as argument.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was only used internally, and has no known external consumers.
It was deprecated in e37d814ce96b01393a400c081666ea1cca2eb8bd; this commit
removes it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was only used internally, and has no known external consumers.
It was deprecated in d80436021c21c26b492f0014511f13f41d8b42d9; this commit
removes it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was only used by "docker trust sign", and has no known external
consumers. It was deprecated in c6f456bc90574f4180f3b990e8a4e216485e35b7;
this commit removes it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This method was a shallow wrapper around registryclient.NewRegistryClient but
due to its signature resulted in various dependencies becoming a dependency
of the "command" package. Consequence of this was that cli-plugins, which
need the cli/command package, would also get those dependencies. It is no
longer used, and was deprecated in 8ad07217dc.
This patch removes the RegistryClient method from the interface
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This method is a shallow wrapper around manifeststore.NewStore, but
due to its signature resulted in various dependencies becoming a dependency
of the "command" package. Consequence of this was that cli-plugins, which
need the cli/command package, would also get those dependencies. It is no
longer used, and was deprecated in e32d5d56f5.
This patch removes the ManifestStore method from the interface
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This method is a shallow wrapper around trust.GetNotaryRepository, but
due to its signature resulted in the trust package, and notary dependencies
to become a dependency of the CLI. Consequence of this was that cli-plugins,
which need the cli/command package, would also get notary and its
dependencies as a dependency. It is no longer used, and was deprecated
in 9bc16bbde0.
This patch removes the NotaryClient method from the interface
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Re-implement locally, based on the code in github.com/docker/docker/registry,
but leaving out bits that are not used on the client-side, such as
configuration of Mirrors, and configurable insecure-registry, which
are not used on the client side.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This validation is now handled by the API-client since [moby@5d6b566],
so no longer needed to be done in the cli. This function was only used
internally and has no external consumers, so removing it without
deprecating first.
[moby@5d6b566]: 5d6b56699d
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This patch fixes the `TestRunAttachTermination` flaky runs.
It seems like we weren't halting on the `waitFunc` so if the
process was fast enough to setup the signal handler and execute
`waitExitOrRemoved`. We now instead wait for the `killCh` channel
to close inside the mocked `waitFunc`.
Signed-off-by: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
Swarm has size constraints on the size of configs, but the client-side would
read content into memory, regardless its size. This could lead to either the
client reading too much into memory, or it sending data that's larger than
the size limit of gRPC, which resulted in the error not being handled by
SwarmKit and a generic gRPC error returned.
Reading a config from a file used a system.OpenSequential for reading
([FILE_FLAG_SEQUENTIAL_SCAN]). While there could be a very marginal benefit
to prevent polluting the system's cache (Windows won’t aggressively keep it
in the cache, freeing up system memory for other tasks). These details were
not documented in code, and possibly may be too marginal, but adding a comment
to outline won't hurt so this patch also adds a comment.
This patch:
- Factors out the reading code to a readConfigData, analogous to the
equivalent in secret create.
- Implements reading the data with a limit-reader to prevent reading
large files into memory.
- The limit is based on SwarmKits limits ([MaxConfigSize]), but made
twice that size, just in case larger sizes are supported in future;
the main goal is to have some constraints, and to prevent hitting
the gRPC limit.
- Updates some error messages to include STDIN (when used), or the
filename (when used).
Before this patch:
ls -lh largefile
-rw------- 1 thajeztah staff 8.1M Mar 9 00:19 largefile
docker config create nosuchfile ./nosuchfile
Error reading content from "./nosuchfile": open ./nosuchfile: no such file or directory
docker config create toolarge ./largefile
Error response from daemon: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (8462870 vs. 4194304)
docker config create empty ./emptyfile
Error response from daemon: rpc error: code = InvalidArgument desc = config data must be larger than 0 and less than 1024000 bytes
cat ./largefile | docker config create toolarge -
Error response from daemon: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (8462870 vs. 4194304)
cat ./emptyfile | docker config create empty -
Error response from daemon: rpc error: code = InvalidArgument desc = config data must be larger than 0 and less than 1024000 bytes
With this patch:
docker config create nosuchfile ./nosuchfile
error reading from ./nosuchfile: open ./nosuchfile: no such file or directory
docker config create empty ./emptyfile
error reading from ./emptyfile: data is empty
docker config create toolarge ./largefile
Error response from daemon: rpc error: code = InvalidArgument desc = config data must be larger than 0 and less than 1024000 bytes
cat ./largefile | docker config create toolarge -
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 1024000 bytes
cat ./emptyfile | docker config create empty -
error reading from STDIN: data is empty
[FILE_FLAG_SEQUENTIAL_SCAN]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
[MaxConfigSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/manager/controlapi#MaxConfigSize
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Swarm has size constraints on the size of secrets, but the client-side would
read content into memory, regardless its size. This could lead to either the
client reading too much into memory, or it sending data that's larger than
the size limit of gRPC, which resulted in the error not being handled by
SwarmKit and a generic gRPC error returned.
Reading a secret from a file was added in [moby@c6f0b7f], which used a
system.OpenSequential for reading ([FILE_FLAG_SEQUENTIAL_SCAN]). While
there could be a very marginal benefit to prevent polluting the system's
cache (Windows won’t aggressively keep it in the cache, freeing up system
memory for other tasks). These details were not documented in code, and
possibly may be too marginal, but adding a comment to outline won't hurt
so this patch also adds a comment.
This patch:
- Rewrites readSecretData to not return a nil-error if no file was
set, in stead only calling it when not using a driver.
- Implements reading the data with a limit-reader to prevent reading
large files into memory.
- The limit is based on SwarmKits limits ([MaxSecretSize]), but made
twice that size, just in case larger sizes are supported in future;
the main goal is to have some constraints, and to prevent hitting
the gRPC limit.
- Updates some error messages to include STDIN (when used), or the
filename (when used).
Before this patch:
ls -lh largefile
-rw------- 1 thajeztah staff 8.1M Mar 9 00:19 largefile
docker secret create nosuchfile ./nosuchfile
Error reading content from "./nosuchfile": open ./nosuchfile: no such file or directory
docker secret create toolarge ./largefile
Error response from daemon: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (8462870 vs. 4194304)
docker secret create empty ./emptyfile
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
cat ./largefile | docker secret create toolarge -
Error response from daemon: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (8462870 vs. 4194304)
cat ./emptyfile | docker secret create empty -
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
With this patch:
docker secret create nosuchfile ./nosuchfile
error reading from ./nosuchfile: open ./nosuchfile: no such file or directory
docker secret create empty ./emptyfile
error reading from ./emptyfile: data is empty
docker secret create toolarge ./largefile
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
cat ./largefile | docker secret create toolarge -
Error response from daemon: rpc error: code = InvalidArgument desc = secret data must be larger than 0 and less than 512000 bytes
cat ./emptyfile | docker secret create empty -
error reading from STDIN: data is empty
[moby@c6f0b7f]: c6f0b7f448
[FILE_FLAG_SEQUENTIAL_SCAN]: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-createfilea#FILE_FLAG_SEQUENTIAL_SCAN
[MaxSecretSize]: https://pkg.go.dev/github.com/moby/swarmkit/v2@v2.0.0-20250103191802-8c1959736554/api/validation#MaxSecretSize
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Seen failing when used elsewhere;
vendor/github.com/docker/cli/cli/command/formatter/displayutils.go:78:20: predeclared any requires go1.18 or later (-lang was set to go1.16; check go.mod)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
