The comment was not formatted correctly, and because of that not picked up as
being deprecated.
updates b4ca1c7368
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e3fa7280ad)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes a security fix for crypto/elliptic (CVE-2023-24532).
> go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic
> package, as well as bug fixes to the linker, the runtime, and the crypto/x509
> and syscall packages. See the Go 1.19.7 milestone on our issue tracker for
> details.
https://go.dev/doc/devel/release#go1.19.minor
From the announcement:
> We have just released Go versions 1.20.2 and 1.19.7, minor point releases.
>
> These minor releases include 1 security fixes following the security policy:
>
> - crypto/elliptic: incorrect P-256 ScalarMult and ScalarBaseMult results
>
> The ScalarMult and ScalarBaseMult methods of the P256 Curve may return an
> incorrect result if called with some specific unreduced scalars (a scalar larger
> than the order of the curve).
>
> This does not impact usages of crypto/ecdsa or crypto/ecdh.
>
> This is CVE-2023-24532 and Go issue https://go.dev/issue/58647.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 23da1cec6c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make the error more specific by stating that it's caused by a specific
environment variable and not an environment as a whole.
Also don't escape the variable to make it more readable.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit 012b77952e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
On Windows, ignore all variables that start with "=" when building an
environment variables map for stack.
For MS-DOS compatibility cmd.exe can set some special environment
variables that start with a "=" characters, which breaks the general
assumption that the first encountered "=" separates a variable name from
variable value and causes trouble when parsing.
These variables don't seem to be documented anywhere, but they are
described by some third-party sources and confirmed empirically on my
Windows installation.
Useful sources:
https://devblogs.microsoft.com/oldnewthing/20100506-00/?p=14133https://ss64.com/nt/syntax-variables.html
Known variables:
- `=ExitCode` stores the exit code returned by external command (in hex
format)
- `=ExitCodeAscii` - same as above, except the value is the ASCII
representation of the code (so exit code 65 (0x41) becomes 'A').
- `=::=::\` and friends - store drive specific working directory.
There is one env variable for each separate drive letter that was
accessed in the shell session and stores the working directory for that
specific drive.
The general format for these is:
`=<DRIVE_LETTER>:=<CWD>` (key=`=<DRIVE_LETTER>:`, value=`<CWD>`)
where <CWD> is a working directory for the drive that is assigned to
the letter <DRIVE_LETTER>
A couple of examples:
`=C:=C:\some\dir` (key: `=C:`, value: `C:\some\dir`)
`=D:=D:\some\other\dir` (key: `=C:`, value: `C:\some\dir`)
`=Z:=Z:\` (key: `=Z:`, value: `Z:\`)
`=::=::\` is the one that seems to be always set and I'm not exactly
sure what this one is for (what's drive `::`?). Others are set as
soon as you CD to a path on some drive. Considering that you start a
cmd.exe also has some working directory, there are 2 of these on start.
All these variables can be safely ignored because they can't be
deliberately set by the user, their meaning is only relevant to the
cmd.exe session and they're all are related to the MS-DOS/Batch feature
that are irrelevant for us.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit a47058bbd5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Tests mocking the output of GET images/json with fakeClient used an
array with one empty element as an empty response.
Change it to just an empty array.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit a1953e19b2)
go1.19.6 (released 2023-02-14) includes security fixes to the crypto/tls,
mime/multipart, net/http, and path/filepath packages, as well as bug fixes to
the go command, the linker, the runtime, and the crypto/x509, net/http, and
time packages. See the Go 1.19.6 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.6+label%3ACherryPickApproved
From the announcement on the security mailing:
We have just released Go versions 1.20.1 and 1.19.6, minor point releases.
These minor releases include 4 security fixes following the security policy:
- path/filepath: path traversal in filepath.Clean on Windows
On Windows, the filepath.Clean function could transform an invalid path such
as a/../c:/b into the valid path c:\b. This transformation of a relative (if
invalid) path into an absolute path could enable a directory traversal attack.
The filepath.Clean function will now transform this path into the relative
(but still invalid) path .\c:\b.
This is CVE-2022-41722 and Go issue https://go.dev/issue/57274.
- net/http, mime/multipart: denial of service from excessive resource
consumption
Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely
unlimited amounts of memory and disk files. This also affects form parsing in
the net/http package with the Request methods FormFile, FormValue,
ParseMultipartForm, and PostFormValue.
ReadForm takes a maxMemory parameter, and is documented as storing "up to
maxMemory bytes +10MB (reserved for non-file parts) in memory". File parts
which cannot be stored in memory are stored on disk in temporary files. The
unconfigurable 10MB reserved for non-file parts is excessively large and can
potentially open a denial of service vector on its own. However, ReadForm did
not properly account for all memory consumed by a parsed form, such as map
ntry overhead, part names, and MIME headers, permitting a maliciously crafted
form to consume well over 10MB. In addition, ReadForm contained no limit on
the number of disk files created, permitting a relatively small request body
to create a large number of disk temporary files.
ReadForm now properly accounts for various forms of memory overhead, and
should now stay within its documented limit of 10MB + maxMemory bytes of
memory consumption. Users should still be aware that this limit is high and
may still be hazardous.
ReadForm now creates at most one on-disk temporary file, combining multiple
form parts into a single temporary file. The mime/multipart.File interface
type's documentation states, "If stored on disk, the File's underlying
concrete type will be an *os.File.". This is no longer the case when a form
contains more than one file part, due to this coalescing of parts into a
single file. The previous behavior of using distinct files for each form part
may be reenabled with the environment variable
GODEBUG=multipartfiles=distinct.
Users should be aware that multipart.ReadForm and the http.Request methods
that call it do not limit the amount of disk consumed by temporary files.
Callers can limit the size of form data with http.MaxBytesReader.
This is CVE-2022-41725 and Go issue https://go.dev/issue/58006.
- crypto/tls: large handshake records may cause panics
Both clients and servers may send large TLS handshake records which cause
servers and clients, respectively, to panic when attempting to construct
responses.
This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable
session resumption (by setting Config.ClientSessionCache to a non-nil value),
and TLS 1.3 servers which request client certificates (by setting
Config.ClientAuth
> = RequestClientCert).
This is CVE-2022-41724 and Go issue https://go.dev/issue/58001.
- net/http: avoid quadratic complexity in HPACK decoding
A maliciously crafted HTTP/2 stream could cause excessive CPU consumption
in the HPACK decoder, sufficient to cause a denial of service from a small
number of small requests.
This issue is also fixed in golang.org/x/net/http2 v0.7.0, for users manually
configuring HTTP/2.
This is CVE-2022-41723 and Go issue https://go.dev/issue/57855.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e921e103a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The error returned from "os/exec".Command when attempting to execute a
directory has been changed from syscall.EACCESS to syscall.EISDIR on
Go 1.20. 2b8f214094
Consequently, any runc runtime built against Go 1.20 will return an
error containing 'is a directory' and not 'permission denied'. Update
the string matching so the CLI exits with status code 126 on 'is a
directory' errors (EISDIR) in addition to 'permission denied' (EACCESS).
Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 9b5ceb52b0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This prevents us needing to attempt to reconstruct the exact indentation
registry side, which is not canonical - so may differ.
Signed-off-by: Justin Chadwell <me@jedevc.com>
This behavior should not break any more use cases than before.
Previously, if the mismatch occured, we would actually push a manifest
that we then never referred to in the manifest list! If this was done in
a new repository, the command would fail with an obscure error from the
registry - the content wouldn't exist with the descriptor we expect it
to.
Signed-off-by: Justin Chadwell <me@jedevc.com>
The additionalHelp message is printed at the end of the --help output;
To get more help with docker, check out our guides at https://docs.docker.com/go/guides/
PS>
As this message may contain an URL, users may copy/paste the URL to open it
in their browser, but can easily end up copying their prompt (as there's
no whitespace after it), and as a result end up on a broken URL, for example:
https://docs.docker.com/go/guides/PS
This patch adds an extra newline at the end to provide some whitespace
around the message, making it less error-prone to copy the URL;
To get more help with docker, check out our guides at https://docs.docker.com/go/guides/
PS>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This prevents the escape-characters being included when piping the
output, e.g. `docker --help > output.txt`, or `docker --help | something`.
These control-characters could cause issues if users copy/pasted the URL
from the output, resulting in them becoming part of the URL they tried
to visit, which would fail, e.g. when copying the output from:
To get more help with docker, check out our guides at https://docs.docker.com/go/guides/
Users ended up on URLs like;
https://docs.docker.com/go/guides/ESChttps://docs.docker.com/go/guides/%1B[0m
Before this patch, control characters ("bold") would be printed, even if
no TTY was attached;
docker --help > output.txt
cat output.txt | grep 'For more help' | od -c
0000000 033 [ 1 m F o r m o r e h e l
0000020 p o n h o w t o u s e
0000040 D o c k e r , h e a d t o
0000060 h t t p s : / / d o c s . d o c
0000100 k e r . c o m / g o / g u i d e
0000120 s / 033 [ 0 m \n
0000127
docker --help | grep 'For more help' | od -c
0000000 033 [ 1 m F o r m o r e h e l
0000020 p o n h o w t o u s e
0000040 D o c k e r , h e a d t o
0000060 h t t p s : / / d o c s . d o c
0000100 k e r . c o m / g o / g u i d e
0000120 s / 033 [ 0 m \n
0000127
With this patch, no control characters are included:
docker --help > output.txt
cat output.txt | grep 'For more help' | od -c
0000000 F o r m o r e h e l p o n
0000020 h o w t o u s e D o c k
0000040 e r , h e a d t o h t t p
0000060 s : / / d o c s . d o c k e r .
0000100 c o m / g o / g u i d e s / \n
0000117
docker --help | grep 'For more help' | od -c
0000000 F o r m o r e h e l p o n
0000020 h o w t o u s e D o c k
0000040 e r , h e a d t o h t t p
0000060 s : / / d o c s . d o c k e r .
0000100 c o m / g o / g u i d e s / \n
0000117
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Both the DockerCLI and Cobra Commands provide accessors for Input, Output,
and Error streams (usually STDIN, STDOUT, STDERR). While we were already
passing DockerCLI's Output to Cobra, we were not doing so for the other
streams (and were passing none for plugin commands), potentially resulting
in DockerCLI output/input to mean something else than a Cobra Command's
intput/output/error.
This patch sets them to the same streams when constructing the Cobra
command.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Current versions of the docs generator take this into account, but on
the 20.10 branch, the trailing whitespace can make the YAML generator
switch to use "compact" formatting, which is hard to read, and hard
to review diffs when updating.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Synchronize append on the `removed` slice with mutex because
containerRemoveFunc is called in parallel for each removed container by
`container rm` cli command.
Also reduced the shared access area by separating the scopes of test
cases.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This validator was not specific to "log options", so renaming it to make this
clearer; also updating values used in the tests to make it clear they're not
"actual" valid values, just for testing, and while updating, also fixed some
unhandled errors in tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This comment was added in 7929888214
when this code was still in the Moby repository. That comment doesn't appear
to apply to the CLI's usage of this struct though, as nothing in the CLI
sets this field (or uses it), so this should be safe to remove.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I think the cli code block misses a backslash to brevent line break when copy/pasting it to a terminal.
I doubt that this is intentional, if it is, feel free to reject the pr.
Signed-off-by: Julian <gitea+julian@ic.thejulian.uk>
Libtrust was only used for pushing schema 2, v1 images, which is no longer
supported; this TODO was likely left from when the CLI and daemon were
in the same repository.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, the error would suggest installing buildx:
echo "FROM scratch" | DOCKER_BUILDKIT=0 docker build -
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
...
However, this error would also be shown if buildx is actually installed,
but disabled through "DOCKER_BUILDKIT=0";
docker buildx version
github.com/docker/buildx v0.9.1 ed00243
With this patch, it reports that it's disabled, and how to fix:
echo "FROM scratch" | DOCKER_BUILDKIT=0 docker build -
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
BuildKit is currently disabled; enabled it by removing the DOCKER_BUILDKIT=0
environment-variable.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Allows us to remove the replace rule, although we probably need to
add it back if we want to update to a newer version from the release
branch (as go mod doesn't support release branches :(( ).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes security fixes for net/http (CVE-2022-41717, CVE-2022-41720),
and os (CVE-2022-41720).
These minor releases include 2 security fixes following the security policy:
- os, net/http: avoid escapes from os.DirFS and http.Dir on Windows
The os.DirFS function and http.Dir type provide access to a tree of files
rooted at a given directory. These functions permitted access to Windows
device files under that root. For example, os.DirFS("C:/tmp").Open("COM1")
would open the COM1 device.
Both os.DirFS and http.Dir only provide read-only filesystem access.
In addition, on Windows, an os.DirFS for the directory \(the root of the
current drive) can permit a maliciously crafted path to escape from the
drive and access any path on the system.
The behavior of os.DirFS("") has changed. Previously, an empty root was
treated equivalently to "/", so os.DirFS("").Open("tmp") would open the
path "/tmp". This now returns an error.
This is CVE-2022-41720 and Go issue https://go.dev/issue/56694.
- net/http: limit canonical header cache by bytes, not entries
An attacker can cause excessive memory growth in a Go server accepting
HTTP/2 requests.
HTTP/2 server connections contain a cache of HTTP header keys sent by
the client. While the total number of entries in this cache is capped,
an attacker sending very large keys can cause the server to allocate
approximately 64 MiB per open connection.
This issue is also fixed in golang.org/x/net/http2 vX.Y.Z, for users
manually configuring HTTP/2.
Thanks to Josselin Costanzi for reporting this issue.
This is CVE-2022-41717 and Go issue https://go.dev/issue/56350.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.19.4
And the milestone on the issue tracker:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.4+label%3ACherryPickApproved
Full diff: https://github.com/golang/go/compare/go1.19.3...go1.19.4
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 20ba591b7f fixed incorrect feature
detection in the CLI, but introduced a regression; previously the "ping"
would only be executed if needed (see b39739123b),
but by not inlining the call to `ServerInfo()` would now always be called.
This patch inlines the code again to only execute the "ping" conditionally,
which allows it to be executed lazily (and omitted for commands that don't
require a daemon connection).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When server is unreachable and docker checkpoint (or any command that
needs to check the server type) is run, incorrect error was returned.
When checking if the daemon had the right OS, we compared the OSType
from the clients ServerInfo(). In situations where the client cannot
connect to the daemon, a "stub" Info is used for this, in which we
assume the daemon has experimental enabled, and is running the latest
API version.
However, we cannot fill in the correct OSType, so this field is empty
in this situation.
This patch only compares the OSType if the field is non-empty, otherwise
assumes the platform matches.
before this:
docker -H unix:///no/such/socket.sock checkpoint create test test
docker checkpoint create is only supported on a Docker daemon running on linux, but the Docker daemon is running on
with this patch:
docker -H unix:///no/such/socket.sock checkpoint create test test
Cannot connect to the Docker daemon at unix:///no/such/socket.sock. Is the docker daemon running?
Co-authored-by: Adyanth Hosavalike <ahosavalike@ucsd.edu>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests were using the default client, which would try to make a connection
with the daemon (which isn't running). Some of these test subsequently had
tests that depended on the result of that connection (i.e., "ping" result).
This patch updates the test to use a dummy client, so that the ping result is
predictable.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows the cli to be initialized with a (custom) API client.
Currently to be used for unit tests, but could be used for other
scenarios.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use /bin/sh in the examples, as it's more likely to be present in a
container than bash (some users got confused by this, so using plain
"sh" in the examples could lead to less confusion).
Also added some extra wording around defaults, and how they're inherited
by the exec'd process.
It's definitely not "perfect" yet (lots to do in this document to improve
it), but it's a start :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update the example output to not use deprecated storage drivers or
Windows versions.
Also removes the section about `--debug`, because the `docker info` output
depends on the _daemon_ (not the client) to have debug mode enabled.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
using latest ubuntu LTS, and alpine for some examples. Also syncing some
wording between the man-pages and online docs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some touch-ups in the attach reference and man-page;
- remove uses of old images (ubuntu 14.04)
- adds some more wording about `-i` and `-t` to use the detach sequence.
- use `--filter` instead of `grep` to list the container, to make the
example more portable.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker v1.12 is really old, so no need to continue including this
in the docs. Also reformatted a markdown table.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows us to pin to a specific version of Alpine, in case the
golang:alpine image switches to a newer version, which may at times
be incompatible, e.g. see https://github.com/moby/moby/issues/44570
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make sure that the container has multiple port-mappings to illustrate
that only the given port is matched.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use strings.Cut
- don't use nat.NewPort as we don't accept port ranges
- use an early return if there's no results
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Using both @generated, and using Go's format for generated files,
to match the format we now use on moby/moby.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
if a context is set (e.g. through DOCKER_CONTEXT or the CLI config file), but
wasn't found, then a "stub" context is added, including an error message that
the context doesn't exist.
DOCKER_CONTEXT=nosuchcontext docker context ls
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default Current DOCKER_HOST based configuration unix:///var/run/docker.sock
nosuchcontext * context "nosuchcontext": context not found: …
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This updates `docker context ls` to:
- not abort listing contexts when failing one (or more) contexts
- instead, adding an ERROR column to inform the user there was
an issue loading the context.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows commands that don't require a client connection (such as `context use`)
to be functional, but still produces an error when trying to run a command that
needs to connect with the API;
mkdir -p ~/.docker/ && echo '{"currentContext":"nosuchcontext"}' > ~/.docker/config.json
docker version
Failed to initialize: unable to resolve docker endpoint: load context "nosuchcontext": context does not exist: open /root/.docker/contexts/meta/8bfef2a74c7d06add4bf4c73b0af97d9f79c76fe151ae0e18b9d7e57104c149b/meta.json: no such file or directory
docker context use default
default
Current context is now "default"
docker version
Client:
Version: 22.06.0-dev
API version: 1.42
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "docker context show" command is intended to show the currently configured
context. While the context that's configured may not be valid (e.g., in case
an environment variable was set to configure the context, or if the context
was removed from the filesystem), we should still be able to _show_ the
context.
This patch removes the context validation, and instead only shows the context.
This can help in cases where the context is used to (e.g.) set the command-
prompt, but the user removed the context. With this change, the context name
can still be shown, but commands that _require_ the context will still fail.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This internalizes constructing the Client(), which allows us to provide
fallbacks when trying to determin the current API version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
On termios platforms, interrupt signals are not generated in raw mode terminals
as the ISIG setting is not enabled. Remove interrupt handler as it does nothing
for raw mode and prevents other uses of INT signal with this library.
This code seems to go back all the way to moby/moby#214 where signal handling was
improved for monolithic docker repository. Raw mode -ISIG got reintroduced in
https://github.com/moby/moby/commit/3f63b878076, but the INT handler was left
behind.
full diff: abb19827d3...c43b287e0e
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sam is on my team, and we started to do weekly triage sessions to
clean up the backlog. Adding him, so that he can help with doing
triage without my assistance :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As a stepping-stone towards switching to go modules, we're switching the
versioning scheme to be SemVer(ish) instead of CalVer. Note that this
currently still is `+incompatible` version, as changing to a version > 1
requires the module to be renamed, but changes in that area will arrive
in a future release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As a stepping-stone towards switching to go modules, we're switching the
versioning scheme to be SemVer(ish) instead of CalVer. Note that this
currently still is `+incompatible` version, as changing to a version > 1
requires the module to be renamed, but changes in that area will arrive
in a future release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Also move the resolveContextName() function together with the
method for easier cross-referencing.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There's no strict need to perform this validation inside this function;
validating flags should happen earlier, to allow faster detecting of
configuration issues (we may want to have a central config "validate"
function though).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
resolveContextName() is used to find which context to use, based on the
available configuration options. Once resolved, the context name is
used to load the actual context, which will fail if the context doesn't
exist, so there's no need to produce an error at this stage; only
check priority of the configuration options to pick the context
with the highest priority.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CommonOptions was inherited from when the cli and daemon were in the same
repository, and some options would be shared between them. That's no longer
the case, and some options are even "incorrect" (for example, while the
daemon can be configured to run on multiple hosts, the CLI can only connect
with a single host / connection). This patch does not (yet) address that,
but merges the CommonOptions into the ClientOptions.
An alias is created for the old type, although it doesn't appear there's
any external consumers using the CommonOptions type (or its constructor).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Manually updating the indirect dependency to force go.etcd.io/etcd/server/v3
to v3.5.5 or up, which is now compatible with go.opentelemetry.io/otel v1.0.0.
With this, we can remove the replace rule for this module.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no significant changes in vendored code, other than updating build-tags
for go1.17, but removes some dependencies from the module, which can
help with future updates;
full diff: 3f7ff695ad...abb19827d3
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Make the package-level configMergeTests local to the test itself.
- Rename fields to better describe intent
- Remove some redundant variables
- Reverse "expected" and "actual" fields for consistency
- Use assert.Check() to not fail early
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Various fixes:
- Don't capitalize error messages
- Rename variables that collided with imports or types
- Prefer assert.Check over assert.Assert to prevent tests covering multiple
cases from failing early
- Fix inconsistent order of expected <--> actual, which made it difficult to
check which output was the expected output.
- Fix formatting of some comments
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The test used `gopkg.in/yaml.v2` to verify the TextMarshaller implementation,
which was implemented to allow printing the errors in JSON formatted output;
> This exists primarily to implement encoding.TextMarshaller such that
> rendering a plugin as JSON (e.g. for `docker info -f '{{json .CLIPlugins}}'`)
> renders the Err field as a useful string and not just `{}`.
Given that both yaml.Marshal and json.Marshal use this, we may as well use
Go's stdlib.
While updating, also changed some of the assertions to checks, so that we don't
fail the test early.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When marshaling the type with `gopkg.in/yaml.v3`, unmarshaling would
recursively call the type's `MarshalYAML()` function, which ultimately
resulted in a crash:
runtime: goroutine stack exceeds 1000000000-byte limit
runtime: sp=0x140202e0430 stack=[0x140202e0000, 0x140402e0000]
fatal error: stack overflow
This applies a similar fix as was implemented in e7788d6f9a
for the `MarshalJSON()` implementation. An alternative would be to use
a type alias (to remove the `MarshalYAML()`), but keeping it simple.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The version was originally added in 570ee9cb54,
at the time the `expected` config did not have a `version:` field. A later
refactor in 0cf2e6353a updated the `expected`
config to have a `version:` included. However, the test was not updated,
which now resulted in the test using a compose file with a duplicate version
field:
version: '3.10'
version: "3.10"
services:
foo:
build:
This issue was masked by `yaml.Unmarshal()` from `gopkg.in/yaml.v2` which
silently ignores the duplicate, taking the value of the last occurrence. When
upgrading to `gopkg.in/yaml.v3`, the duplicate value resulted in an error:
yaml: unmarshal errors:
line 2: mapping key "version" already defined at line 1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
On Windows, syscall.StartProcess and os/exec.Cmd did not properly
check for invalid environment variable values. A malicious
environment variable value could exploit this behavior to set a
value for a different environment variable. For example, the
environment variable string "A=B\x00C=D" set the variables "A=B" and
"C=D".
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this
issue.
This is CVE-2022-41716 and Go issue https://go.dev/issue/56284.
This Go release also fixes https://github.com/golang/go/issues/56309, a
runtime bug which can cause random memory corruption when a goroutine
exits with runtime.LockOSThread() set. This fix is necessary to unblock
work to replace certain uses of pkg/reexec with unshared OS threads.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fix tries to address issues raised in moby/moby#44346.
The max-concurrent-downloads and max-concurrent-uploads limits are applied for the whole engine and not for each pull/push command.
Signed-off-by: Luis Henrique Mulinari <luis.mulinari@gmail.com>
This restores compatibility with go1.18, which was broken since commit;
c062238ea4
cmd.Environ() is new in go1.19, and not needed for this specific case.
Without this, trying to use this package in code that uses go1.18 will fail;
builder/remotecontext/git/gitutils.go:216:23: cmd.Environ undefined (type *exec.Cmd has no field or method Environ)
Changing to use `os.Environ()` instead restores compatibility with go1.18
Full diff: f9cb47a052...5aac513617
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This example was mounting `/dev/zero` as `/dev/nulo` inside the container.
The `nulo` name was intended to be a "made up / custom" name, but various
readers thought it to be a typo for `/dev/null`.
This patch updates the example to use `/dev/foobar` as name, which should
make it more clear that it's a custom name.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 955c1f881a
(v17.12.0) replaced detection of support for multiple lowerdirs (as required by
overlay2) to not depend on the kernel version. The `overlay2.override_kernel_check`
was still used to print a warning that older kernel versions may not have full
support.
After this, e226aea280
(v20.10, but backported to v19.03.7) removed uses of the option altogether.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
> Security options with `:` as a separator are deprecated and will be completely unsupported in 17.04, use `=` instead.
Signed-off-by: Felix Geyer <debfx@fobos.de>
From the mailing list:
We have just released Go versions 1.19.2 and 1.18.7, minor point releases.
These minor releases include 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
Requests forwarded by ReverseProxy included the raw query parameters from the
inbound request, including unparseable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter
with an unparseable value.
ReverseProxy will now sanitize the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy.Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
Thanks to Gal Goldstein (Security Researcher, Oxeye) and
Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
View the release notes for more information: https://go.dev/doc/devel/release#go1.19.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
gofumpt provides a supserset of gofmt / go fmt, but not every developer may have
it installed, so for situations where it's not available, fall back to gofmt.
As our code has been formatted with gofumpt already, in most cases contributions
will follow those formatting rules, but in some cases there may be a difference,
which would already be flagged by manual code review, but let's also enable the
gofumpt linter.
With this change, `make fmt` will use gofumpt is available; gofumpt has been
added to the dev-container, so `make -f docker.Makefile fmt` will always use it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like the linter uses an explicit -lang, which (for go1.19)
results in some additional formatting for octal values.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The existing `remove()` was unused, and using that as name makes it more
consistent with the metadata-store. Also renaming `removeAllEndpointData`
to just `removeEndpoint`, as it's part of the TLS-store, which should already
make it clear it's about (TLS)data.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There's no reason to stop listing contexts if a context does not exist
while iterating over the directories,
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Go conventions are for interfaces to be defined on the receiver side,
and for producers to return concrete types. This patch changes the
constructor to return a concrete type.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The package defined various special errors; these errors existed for two reasons;
- being able to distinguish "not found" errors from other errors (as "not found"
errors can be ignored in various cases).
- to be able to update the context _name_ in the error message after the error
was created. This was needed in cases where the name was not available at the
location where the error was produced (e.g. only the "id" was present), and
the helpers to detect "not found" errors did not support wrapped errors (so
wrapping the error with a "name" could break logic); a `setContextName` interface
and corresponding `patchErrContextName()` utility was created for this (which
was a "creative", but not very standard approach).
This patch:
- Removes the special error-types, replacing them with errdefs definitions (which
is a more common approach in our code-base to detect error types / classes).
- Removes the internal utilities for error-handling, and deprecates the exported
utilities (to allow external consumers to adjust their code).
- Some errors have been enriched with detailed information (which may be useful
for debugging / problem solving).
- Note that in some cases, `patchErrContextName()` was called, but the code
producing the error would never return a `setContextName` error, so would
never update the error message.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test was depending on the fact that contextDir's are a string,
and for the test is was using the context _name_ as a pseudo-ID.
This patch updates the test to be more explicit where ID's and where
names are used.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows callers to just pass the name, and handle the conversion to ID and
path internally. This also fixes a test which incorrectly used "names" as
pseudo-IDs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit cbec75e2f3 updated `runDocker()` to load
plugin-stubs before `processAliases()` was executed. As a result, plugin
stubs were considered as "builtin commands", causing the alias verification
to fail;
Without alias installed:
```bash
docker version
Client:
Version: 22.06.0-beta.0-140-g3dad26ca2.m
API version: 1.42
Go version: go1.19.1
Git commit: 3dad26ca2
Built: Wed Sep 28 22:36:09 2022
OS/Arch: darwin/arm64
Context: default
...
```
After running `docker buildx install`;
```bash
./build/docker buildx install
cat ~/.docker/config.json
{
"aliases": {
"builder": "buildx"
}
}
./build/docker version
not allowed to alias with builtin "buildx" as target
```
This patch moves loading the stubs _after_ the call to `processAliases()`, so
that verification passes. As an extra precaution, the `processAliases()` function
is also updated to exclude plugin-stub commands.
Note that cbec75e2f3 also introduced a performance
regression, which may be related to the early loading of plugins (and creating
stubs); it looks like various other code locations may also be loading plugins,
for example `tryPluginRun()` calls `pluginmanager.PluginRunCommand()`, which
also traverses plugin directories.
We should look under what circumstances the plugin stub-commands are actually
needed, and make sure that they're only created in those situations.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, running `docker context rm --force` would fail if the context
did not exist. This behavior was different from other commands, which allowed
ignoring non-existing objects.
For example; when trying to remove a non-existing volume, the command would
fail without "force":
```bash
docker volume rm nosuchvolume
Error: No such volume: nosuchvolume
echo $?
1
```
But using the `-f` / `--force` option would make the command complete successfully
(the error itself is still printed for informational purposes);
```bash
docker volume rm -f nosuchvolume
nosuchvolume
echo $?
0
```
With this patch, `docker context rm` behaves the same:
```bash
docker context rm nosuchcontext
context "nosuchcontext" does not exist
echo $?
1
```
```bash
docker context rm -f nosuchcontext
nosuchcontext
echo $?
0
```
This patch also simplifies how we check if the context exists; previously we
would try to read the context's metadata; this could fail if a context was
corrupted, or if an empty directory was present. This patch now only checks
if the directory exists, without first validating the context's data.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Also removing redundant defer for env.PatchAll(), which is now automatically
handled in t.Cleanup()
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
From the mailing list:
We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:
- net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
- net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove `../` path components appended to a
relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
URL `https://go.dev/../go`, despite the JoinPath documentation stating that
`../` path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
Release notes:
go1.19.1 (released 2022-09-06) includes security fixes to the net/http and
net/url packages, as well as bug fixes to the compiler, the go command, the pprof
command, the linker, the runtime, and the crypto/tls and crypto/x509 packages.
See the Go 1.19.1 milestone on the issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.19.1+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
From the mailing list:
We have just released Go versions 1.19.1 and 1.18.6, minor point releases.
These minor releases include 2 security fixes following the security policy:
- net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
- net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove `../` path components appended to a
relative path. For example, `JoinPath("https://go.dev", "../go")` returned the
URL `https://go.dev/../go`, despite the JoinPath documentation stating that
`../` path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
Release notes:
go1.18.6 (released 2022-09-06) includes security fixes to the net/http package,
as well as bug fixes to the compiler, the go command, the pprof command, the
runtime, and the crypto/tls, encoding/xml, and net packages. See the Go 1.18.6
milestone on the issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.18.6+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the "deadcode", "structcheck", and "varcheck" linters, as they are
deprecated:
WARN [runner] The linter 'deadcode' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
WARN [runner] The linter 'structcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
WARN [runner] The linter 'varcheck' is deprecated (since v1.49.0) due to: The owner seems to have abandoned the linter. Replaced by unused.
WARN [linters context] structcheck is disabled because of generics. You can track the evolution of the generics support by following the golangci/golangci-lint#2649.
And ignore gosec G113, which only affects gp < 1.16.14. and go < 1.17.7
opts/opts.go:398:13: G113: Potential uncontrolled memory consumption in Rat.SetString (CVE-2022-23772) (gosec)
cpu, ok := new(big.Rat).SetString(value)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/container/opts.go:928:2: assigned to src, but reassigned without using the value (wastedassign)
src := ""
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Picking 2 seconds, although that's just a randomly picked timeout;
given that this is only for testing, it's not too important.
e2e/plugin/basic/basic.go:25:12: G112: Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server (gosec)
server := http.Server{
Addr: l.Addr().String(),
Handler: http.NewServeMux(),
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While fixing, also updated errors without placeholders to `errors.New()`, and
updated some code to use pkg/errors if it was already in use in the file.
cli/command/config/inspect.go:59:10: ST1005: error strings should not be capitalized (stylecheck)
return fmt.Errorf("Cannot supply extra formatting options to the pretty template")
^
cli/command/node/inspect.go:61:10: ST1005: error strings should not be capitalized (stylecheck)
return fmt.Errorf("Cannot supply extra formatting options to the pretty template")
^
cli/command/secret/inspect.go:57:10: ST1005: error strings should not be capitalized (stylecheck)
return fmt.Errorf("Cannot supply extra formatting options to the pretty template")
^
cli/command/trust/common.go:77:74: ST1005: error strings should not be capitalized (stylecheck)
return []trustTagRow{}, []client.RoleWithSignatures{}, []data.Role{}, fmt.Errorf("No signatures or cannot access %s", remote)
^
cli/command/trust/common.go:85:73: ST1005: error strings should not be capitalized (stylecheck)
return []trustTagRow{}, []client.RoleWithSignatures{}, []data.Role{}, fmt.Errorf("No signers for %s", remote)
^
cli/command/trust/sign.go:137:10: ST1005: error strings should not be capitalized (stylecheck)
return fmt.Errorf("No tag specified for %s", imgRefAndAuth.Name())
^
cli/command/trust/sign.go:151:19: ST1005: error strings should not be capitalized (stylecheck)
return *target, fmt.Errorf("No tag specified")
^
cli/command/trust/signer_add.go:77:10: ST1005: error strings should not be capitalized (stylecheck)
return fmt.Errorf("Failed to add signer to: %s", strings.Join(errRepos, ", "))
^
cli/command/trust/signer_remove.go:52:10: ST1005: error strings should not be capitalized (stylecheck)
return fmt.Errorf("Error removing signer from: %s", strings.Join(errRepos, ", "))
^
cli/command/trust/signer_remove.go:67:17: ST1005: error strings should not be capitalized (stylecheck)
return false, fmt.Errorf("All signed tags are currently revoked, use docker trust sign to fix")
^
cli/command/trust/signer_remove.go:108:17: ST1005: error strings should not be capitalized (stylecheck)
return false, fmt.Errorf("No signer %s for repository %s", signerName, repoName)
^
opts/hosts.go:89:14: ST1005: error strings should not be capitalized (stylecheck)
return "", fmt.Errorf("Invalid bind address format: %s", addr)
^
opts/hosts.go💯14: ST1005: error strings should not be capitalized (stylecheck)
return "", fmt.Errorf("Invalid proto, expected %s: %s", proto, addr)
^
opts/hosts.go:119:14: ST1005: error strings should not be capitalized (stylecheck)
return "", fmt.Errorf("Invalid proto, expected tcp: %s", tryAddr)
^
opts/hosts.go:144:14: ST1005: error strings should not be capitalized (stylecheck)
return "", fmt.Errorf("Invalid bind address format: %s", tryAddr)
^
opts/hosts.go:155:14: ST1005: error strings should not be capitalized (stylecheck)
return "", fmt.Errorf("Invalid bind address format: %s", tryAddr)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We try to keep this package close to upstream golang's code, so suppress the
linter warning.
cli/command/formatter/tabwriter/tabwriter.go:200:1: ST1020: comment on exported method Init should be of the form "Init ..." (stylecheck)
// A Writer must be initialized with a call to Init. The first parameter (output)
^
cli/command/formatter/tabwriter/tabwriter.go:425:1: ST1022: comment on exported const Escape should be of the form "Escape ..." (stylecheck)
// To escape a text segment, bracket it with Escape characters.
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/cli_options_test.go:29:2: os.Setenv() can be replaced by `t.Setenv()` in TestWithContentTrustFromEnv (tenv)
os.Setenv(envvar, "true")
^
cli/command/cli_options_test.go:31:2: os.Setenv() can be replaced by `t.Setenv()` in TestWithContentTrustFromEnv (tenv)
os.Setenv(envvar, "false")
^
cli/command/cli_options_test.go:33:2: os.Setenv() can be replaced by `t.Setenv()` in TestWithContentTrustFromEnv (tenv)
os.Setenv(envvar, "invalid")
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/manifest/inspect_test.go:9:2: ST1019: package "github.com/docker/cli/cli/manifest/types" is being imported more than once (stylecheck)
"github.com/docker/cli/cli/manifest/types"
^
cli/command/manifest/inspect_test.go:10:2: ST1019(related information): other import of "github.com/docker/cli/cli/manifest/types" (stylecheck)
manifesttypes "github.com/docker/cli/cli/manifest/types"
^
cli/command/stack/swarm/deploy_composefile.go:14:2: ST1019: package "github.com/docker/docker/client" is being imported more than once (stylecheck)
apiclient "github.com/docker/docker/client"
^
cli/command/stack/swarm/deploy_composefile.go:15:2: ST1019(related information): other import of "github.com/docker/docker/client" (stylecheck)
dockerclient "github.com/docker/docker/client"
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/image/build/context.go:238:23: "400" can be replaced by http.StatusBadRequest (usestdlibvars)
if resp.StatusCode < 400 {
^
cli/trust/trust.go:139:30: "GET" can be replaced by http.MethodGet (usestdlibvars)
req, err := http.NewRequest("GET", endpointStr, nil)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This type was copied from the daemone in 8b725e10e7,
but actually unused on the CLI side, so we can remove it here.
The original code is still present in the daemon at
7b9275c0da/opts/runtime.go
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Having the intermediate variable made it difficult to see if it was
possibly mutated and/or something special done with it, so just use
the cli's accessors to get its Err().
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
As it's just an alias for filepath.IsAbs. Also added a normalize step in
TrimBuildFilesFromExcludes, so that callers are not _required_ to first
normalize the path.
We are considering deprecating and/or removing this function in the archive
package, so removing it in the cli code helps transitioning if we decide to
deprecate and/or remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
`NewDockerCli` was configuring the standard streams using local code; this patch
instead uses the available `WithStandardStreams()` option to do the same.
There is slight difference in the order of events;
Previously, user-provided options would be applied first, after which NewDockerCli
would check if any of "in", "out", or "err" were nil, and if so set them to the
default stream (or writer) for that output.
The new code unconditionally sets the defaults _before_ applying user-provided
options. In practive, howver, this makes no difference; the fields set are not
exported, and the only functions updating them are `WithStandardStreams`,
`WithInputStream`, and `WithCombinedStream`, neither of which checks the old
value (so always overrides).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Migrating these functions to allow them being shared between moby, docker/cli,
and containerd, and to allow using them without importing all of sys / system,
which (in containerd) also depends on hcsshim and more.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- moby: a60b458179...d2590dc3cd
- swarmkit: 6068d1894d...48dd89375d
The .Parent field for buildcache entries was deprecated, and replaced with a
.Parents (plural) field. This patch updates the code accordingly. Unlike the
change in buildx
9c3be32bc9
we continue to fall back to the old field (which will be set on older API
versions).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These options were soft-deprecated in Docker 17.05, and at the time
considered to not be removed. However, with the move towards containerd
snapshotters, having these options around adds additional complexity to
handle fallbacks for deprecated (and hidden) flags, so completing the
deprecation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update the repository's issues form to handle bug and features requests.
Additionally, add links to other resources to guide users across
support documentation and forums.
Signed-off-by: Bruno Sousa <bruno.sousa@docker.com>
Add newline at the end of files
Signed-off-by: Bruno Sousa <bruno.sousa@docker.com>
Update Go runtime to 1.18.5 to address CVE-2022-32189.
Full diff: https://github.com/golang/go/compare/go1.18.4...go1.18.5
--------------------------------------------------------
From the security announcement:
https://groups.google.com/g/golang-announce/c/YqYYG87xB10
We have just released Go versions 1.18.5 and 1.17.13, minor point
releases.
These minor releases include 1 security fixes following the security
policy:
encoding/gob & math/big: decoding big.Float and big.Rat can panic
Decoding big.Float and big.Rat types can panic if the encoded message is
too short.
This is CVE-2022-32189 and Go issue https://go.dev/issue/53871.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.18.5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Avoid updating the config-file if nothing changed. This also prevents creating
the file and config-directory if the default is used and no config-file existed
yet.
`config.Save()` performs various steps (creating the directory, updating
or copying permissions, etc etc), which are not needed if the defaults are
used; a445d97c25/cli/config/configfile/file.go (L135-L176)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This code was handling validation and parsing, only to discard the
results if it was the default context.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Older versions of Go do not format these comments, so we can already
reformat them ahead of time to prevent gofmt linting failing once
we update to Go 1.19 or up.
Result of:
gofmt -s -w $(find . -type f -name '*.go' | grep -v "/vendor/")
With some manual adjusting.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.18.4 (released 2022-07-12) includes security fixes to the compress/gzip,
encoding/gob, encoding/xml, go/parser, io/fs, net/http, and path/filepath
packages, as well as bug fixes to the compiler, the go command, the linker,
the runtime, and the runtime/metrics package. See the Go 1.18.4 milestone on the
issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.18.4+label%3ACherryPickApproved
This update addresses:
CVE-2022-1705, CVE-2022-1962, CVE-2022-28131, CVE-2022-30630, CVE-2022-30631,
CVE-2022-30632, CVE-2022-30633, CVE-2022-30635, and CVE-2022-32148.
Full diff: https://github.com/golang/go/compare/go1.18.3...go1.18.4
From the security announcement;
https://groups.google.com/g/golang-announce/c/nqrv9fbR0zE
We have just released Go versions 1.18.4 and 1.17.12, minor point releases. These
minor releases include 9 security fixes following the security policy:
- net/http: improper sanitization of Transfer-Encoding header
The HTTP/1 client accepted some invalid Transfer-Encoding headers as indicating
a "chunked" encoding. This could potentially allow for request smuggling, but
only if combined with an intermediate server that also improperly failed to
reject the header as invalid.
This is CVE-2022-1705 and https://go.dev/issue/53188.
- When `httputil.ReverseProxy.ServeHTTP` was called with a `Request.Header` map
containing a nil value for the X-Forwarded-For header, ReverseProxy would set
the client IP as the value of the X-Forwarded-For header, contrary to its
documentation. In the more usual case where a Director function set the
X-Forwarded-For header value to nil, ReverseProxy would leave the header
unmodified as expected.
This is https://go.dev/issue/53423 and CVE-2022-32148.
Thanks to Christian Mehlmauer for reporting this issue.
- compress/gzip: stack exhaustion in Reader.Read
Calling Reader.Read on an archive containing a large number of concatenated
0-length compressed files can cause a panic due to stack exhaustion.
This is CVE-2022-30631 and Go issue https://go.dev/issue/53168.
- encoding/xml: stack exhaustion in Unmarshal
Calling Unmarshal on a XML document into a Go struct which has a nested field
that uses the any field tag can cause a panic due to stack exhaustion.
This is CVE-2022-30633 and Go issue https://go.dev/issue/53611.
- encoding/xml: stack exhaustion in Decoder.Skip
Calling Decoder.Skip when parsing a deeply nested XML document can cause a
panic due to stack exhaustion. The Go Security team discovered this issue, and
it was independently reported by Juho Nurminen of Mattermost.
This is CVE-2022-28131 and Go issue https://go.dev/issue/53614.
- encoding/gob: stack exhaustion in Decoder.Decode
Calling Decoder.Decode on a message which contains deeply nested structures
can cause a panic due to stack exhaustion.
This is CVE-2022-30635 and Go issue https://go.dev/issue/53615.
- path/filepath: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-30632 and Go issue https://go.dev/issue/53416.
- io/fs: stack exhaustion in Glob
Calling Glob on a path which contains a large number of path separators can
cause a panic due to stack exhaustion.
This is CVE-2022-30630 and Go issue https://go.dev/issue/53415.
- go/parser: stack exhaustion in all Parse* functions
Calling any of the Parse functions on Go source code which contains deeply
nested types or declarations can cause a panic due to stack exhaustion.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2022-1962 and Go issue https://go.dev/issue/53616.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Cobra allows for aliases to be defined for a command, but only allows these
to be defined at the same level (for example, `docker image ls` as alias for
`docker image list`). Our CLI has some commands that are available both as a
top-level shorthand as well as `docker <object> <verb>` subcommands. For example,
`docker ps` is a shorthand for `docker container ps` / `docker container ls`.
This patch introduces a custom "aliases" annotation that can be used to print
all available aliases for a command. While this requires these aliases to be
defined manually, in practice the list of aliases rarely changes, so maintenance
should be minimal.
As a convention, we could consider the first command in this list to be the
canonical command, so that we can use this information to add redirects in
our documentation in future.
Before this patch:
docker images --help
Usage: docker images [OPTIONS] [REPOSITORY[:TAG]]
List images
Options:
-a, --all Show all images (default hides intermediate images)
...
With this patch:
docker images --help
Usage: docker images [OPTIONS] [REPOSITORY[:TAG]]
List images
Aliases:
docker image ls, docker image list, docker images
Options:
-a, --all Show all images (default hides intermediate images)
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, specifying the `--pull` flag without a value, could
result in the flag after it, or the positional argument to be used as
value.
This patch makes sure that the value is an expected value;
docker create --pull --rm hello-world
docker: invalid pull option: '--rm': must be one of "always", "missing" or "never".
docker run --pull --rm hello-world
docker: invalid pull option: '--rm': must be one of "always", "missing" or "never".
docker run --pull hello-world
docker: invalid pull option: 'hello-world': must be one of "always", "missing" or "never".
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The default output for Cobra aliases only shows the subcommand as alias, which
is not very intuitive. This patch changes the output to print the full command
as it would be called by the user.
Note that there's still some improvements to be made; due to how aliases must be
set-up in Cobra, aliases at different "levels" are still not shown. So for example,
`docker ps --help` will not show `docker container ps` as alias, and vice-versa.
This will require additional changes, and can possibly be resolved using custom
metadata/annotations.
Before this patch:
docker container ls --help
Usage: docker container ls [OPTIONS]
List containers
Aliases:
ls, ps, list
After this patch:
docker container ls --help
Usage: docker container ls [OPTIONS]
List containers
Aliases:
docker container ls, docker container ps, docker container list
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `DEBIAN_FRONTEND` environment variable is used to control the interface by which debconf questions are presented to the user (see [`man 7 debconf`][1]). In `DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y`, the `DEBIAN_FRONTEND` environment variable is only set for the `apt-get update` command which does not ask debconf questions, and will not affect the `apt-get install` command where these questions are actually asked. It should be the other way around.
[1]: https://manpages.debian.org/debconf.7.html
Signed-off-by: Murukesh Mohanan <murukesh.mohanan@gmail.com>
- do an early check if a custom format is specified either through the
command-line, or through the cli's configuration, before adjusting
the options (to add "size" if needed).
- also removes a redundant `options.Size = opts.size` line, as this value is
already copied at the start of buildContainerListOptions()
- Update NewContainerFormat to use "table" format as a default if no format
was given.
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Phong Tran <tran.pho@northeastern.edu>
Ths prettyPrintServerInfo() was checking for the Labels property to be
nil, but didn't check for empty slices.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Move the "default output" section into the description, and
describe the section that can be found in the output.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.18.3 (released 2022-06-01) includes security fixes to the crypto/rand,
crypto/tls, os/exec, and path/filepath packages, as well as bug fixes to the
compiler, and the crypto/tls and text/template/parse packages. See the Go
1.18.3 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.18.3+label%3ACherryPickApproved
Hello gophers,
We have just released Go versions 1.18.3 and 1.17.11, minor point releases.
These minor releases include 4 security fixes following the security policy:
- crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a buffer larger than
1 << 32 - 1 bytes.
Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go toolset,
for reporting this issue.
This is [CVE-2022-30634][CVE-2022-30634] and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain a randomly generated
ticket_age_add. This allows an attacker that can observe TLS handshakes to
correlate successive connections by comparing ticket ages during session
resumption.
Thanks to GitHub user nervuri for reporting this.
This is [CVE-2022-30629][CVE-2022-30629] and Go issue https://go.dev/issue/52814.
- `os/exec`: empty `Cmd.Path` can result in running unintended binary on Windows
If, on Windows, `Cmd.Run`, `cmd.Start`, `cmd.Output`, or `cmd.CombinedOutput`
are executed when Cmd.Path is unset and, in the working directory, there are
binaries named either "..com" or "..exe", they will be executed.
Thanks to Chris Darroch, brian m. carlson, and Mikhail Shcherbakov for reporting
this.
This is [CVE-2022-30580][CVE-2022-30580] and Go issue https://go.dev/issue/52574.
- `path/filepath`: Clean(`.\c:`) returns `c:` on Windows
On Windows, the `filepath.Clean` function could convert an invalid path to a
valid, absolute path. For example, Clean(`.\c:`) returned `c:`.
Thanks to Unrud for reporting this issue.
This is [CVE-2022-29804][CVE-2022-29804] and Go issue https://go.dev/issue/52476.
[CVE-2022-30634]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634
[CVE-2022-30629]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629
[CVE-2022-30580]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580
[CVE-2022-29804]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This updates the pretty-print format of docker info to provide more
details on installed plugins, to help users find where a specific
plugin is installed (e.g. to update it, or to uninstall it).
Before this patch:
```bash
Client:
Context: desktop-linux
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.8.2)
compose: Docker Compose (Docker Inc., v2.4.1)
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
...
```
With this patch applied:
```bash
docker info
Client:
Context: desktop-linux
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.8.2
Path: /usr/local/lib/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.4.1
Path: /usr/local/lib/docker/cli-plugins/docker-compose
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc.)
Version: 0.6.0
Path: /usr/local/lib/docker/cli-plugins/docker-sbom
scan: Docker Scan (Docker Inc.)
Version: v0.17.0
Path: /usr/local/lib/docker/cli-plugins/docker-scan
Server:
...
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
no changes in vendored code other than a typo-fix, just aligning with latest master
8abb84c734...cb01202de8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Notable changes:
- introduce CreateMountpoint for parity between binds and mounts
full diff: c9d04033d4...d633169483
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes the containers have an expected console size not only for
`run` but also for `create`. Also remove the comment, as this is no
longer ignored on Linux daemon since e994efcf64c133de799f16f5cd6feb1fc41fade4
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
We should consider removing this file, but it's still used in some
scripts, so let's keep that one for later.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Wording and documentation still need to be updated, but will do
so in a follow-up.
Also removing the default "10 seconds" from the timeout flags, as
this default is not actually used, and may not match the actual
default (which is defined on the daemon side).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Formatting stats runs in a loop to refresh the stats for each container. This
patch makes some small performance improvments by reducing the use of Sprintf
in favor of concatenating strings, and using strconv directly where possible.
Benchmark can be run with:
GO111MODULE=off go test -test.v -test.bench '^BenchmarkStatsFormat' -test.run '^$' ./cli/command/container/
Before/after:
BenchmarkStatsFormatOld-8 2655 428064 ns/op 62432 B/op 5600 allocs/op
BenchmarkStatsFormat-8 3338 335822 ns/op 52832 B/op 4700 allocs/op
Average of 5 runs;
benchstat old.txt new.txt
name old time/op new time/op delta
StatsFormat-8 432µs ± 1% 344µs ± 5% -20.42% (p=0.008 n=5+5)
name old alloc/op new alloc/op delta
StatsFormat-8 62.4kB ± 0% 52.8kB ± 0% -15.38% (p=0.000 n=5+4)
name old allocs/op new allocs/op delta
StatsFormat-8 5.60k ± 0% 4.70k ± 0% -16.07% (p=0.008 n=5+5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/container/hijack.go:188:1⚠️ nolint directive did not match any issue (nolint)
cli/command/image/trust.go:346:1⚠️ nolint directive did not match any issue (nolint)
cli/command/manifest/push.go:211:1⚠️ nolint directive did not match any issue (nolint)
cli/command/trust/signer_remove.go:79:1⚠️ nolint directive did not match any issue (nolint)
internal/pkg/containerized/snapshot.go:95:1⚠️ nolint directive did not match any issue (nolint)
internal/pkg/containerized/snapshot.go:138:1⚠️ nolint directive did not match any issue (nolint)
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This hides the flags when connecting to an older engine, or if
swarm is not enabled, and is also used to add badges in the
documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Prevent completion on "create" subcommands to prevent them
from completing with local filenames
- Add completion for "docker image save"
- Add completion for "docker image tag"
- Disable completion for "docker login"
- Exclude "paused" containers for "docker container attach" and
"docker container exec"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this patch, the Server output would be printed even if we failed to
connect (including WARNINGS):
```bash
docker -H tcp://127.0.0.1:2375 info
Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.8.2)
compose: Docker Compose (Docker Inc., v2.4.1)
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Plugins:
Volume:
Network:
Log:
Swarm:
NodeID:
Is Manager: false
Node Address:
CPUs: 0
Total Memory: 0B
Docker Root Dir:
Debug Mode: false
Experimental: false
Live Restore Enabled: false
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: No oom kill disable support
WARNING: No cpu cfs quota support
WARNING: No cpu cfs period support
WARNING: No cpu shares support
WARNING: No cpuset support
WARNING: IPv4 forwarding is disabled
WARNING: bridge-nf-call-iptables is disabled
WARNING: bridge-nf-call-ip6tables is disabled
ERROR: Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?
errors pretty printing info
```
With this patch;
```bash
docker -H tcp://127.0.0.1:2375 info
Client:
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc., v0.8.2)
compose: Docker Compose (Docker Inc., v2.4.1)
sbom: View the packaged-based Software Bill Of Materials (SBOM) for an image (Anchore Inc., 0.6.0)
scan: Docker Scan (Docker Inc., v0.17.0)
Server:
ERROR: Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?
errors pretty printing info
```
And if a custom format is used:
```bash
docker -H tcp://127.0.0.1:2375 info --format '{{.Containers}}'
Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?
0
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, the function could print an error in some cases, for example;
```bash
docker -H tcp://127.0.0.1:2375 info --format '{{.LoggingDriver}}'
template: :1:2: executing "" at <.LoggingDriver>: reflect: indirection through nil pointer to embedded struct field Info
```
With this patch applied, the error is handled gracefully, and when failing to
connect with the daemon, the error is logged;
```bash
docker -H tcp://127.0.0.1:2375 info --format '{{.LoggingDriver}}'
Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?
docker -H tcp://127.0.0.1:2375 info --format '{{json .}}'
Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?
{"ID":"","Containers":0,"..."}}
```
Note that the connection error is also included in the JSON `ServerErrors` field,
so that the information does not get lost, even if STDERR would be redirected;
```bash
docker -H tcp://127.0.0.1:2375 info --format '{{json .ServerErrors}}' 2> /dev/null
["Cannot connect to the Docker daemon at tcp://127.0.0.1:2375. Is the docker daemon running?"]
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test is very flaky, the retry loop runs for 550ms and some more, 750ms is
cleary not enough for everything to set and for the cli to return the tty resize
error. A sleep of 1.5 seconds in this test should be enough for the retry loop to
finish.
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
I some cases, for example if there is a heavy load, the initialization of the TTY size
would fail. This change makes the cli retry 10 times instead of 5 and we wait
incrementally from 10ms to 100ms
Relates to #3554
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
These annotations were added because these options were not supported
when using kubernetes as an orchestrator. Now that this feature was
removed, we can remove these annotations.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Getting the client API version is non-intuitive.
Other keys follow the json example or the version output, however `'{{.Client.ApiVersion}}'` does not work, nor does `'{{.Client.APIversion}}'`
Signed-off-by: Gabriel Gore <gabgore@cisco.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 616e8db4c3...6068d1894d
a replace rule was needed (similar as in github.com/docker/docker) to fix some
dependency issues;
github.com/docker/cli/cli/trust imports
github.com/theupdateframework/notary/trustpinning tested by
github.com/theupdateframework/notary/trustpinning.test imports
github.com/cloudflare/cfssl/helpers imports
github.com/google/certificate-transparency-go imports
go.etcd.io/etcd/v3 imports
go.etcd.io/etcd/tests/v3/integration imports
go.etcd.io/etcd/server/v3/embed imports
go.opentelemetry.io/otel/semconv: module go.opentelemetry.io/otel@latest found (v1.7.0), but does not contain package go.opentelemetry.io/otel/semconv
github.com/docker/cli/cli/trust imports
github.com/theupdateframework/notary/trustpinning tested by
github.com/theupdateframework/notary/trustpinning.test imports
github.com/cloudflare/cfssl/helpers imports
github.com/google/certificate-transparency-go imports
go.etcd.io/etcd/v3 imports
go.etcd.io/etcd/tests/v3/integration imports
go.etcd.io/etcd/server/v3/embed imports
go.opentelemetry.io/otel/exporters/otlp imports
go.opentelemetry.io/otel/sdk/metric/controller/basic imports
go.opentelemetry.io/otel/metric/registry: module go.opentelemetry.io/otel/metric@latest found (v0.30.0), but does not contain package go.opentelemetry.io/otel/metric/registry
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The code is similar to that used by the volume rm subcommand, however,
one difference I noticed was VolumeRemove takes the force flag/option
was a parameter. This isn't the case for NetworkRemove.
To get NetworkRemove to take a similar parameter, this would require
modifying the Docker daemon. For now this isn't a route I wish to take
when the code can be arrange to mimic the same behavior.
Co-authored-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Conner Crosby <conner@cavcrosby.tech>
pkg/urlutil (despite its poorly chosen name) is not really intended as a
generic utility to handle URLs, and should only be used by the builder to
handle (remote) build contexts.
The `IsURL()` function only does a very rudimentary check for `http(s)://`
prefixes, without any other validation, but due to its name may give
incorrect expectations.
As we're deprecating this package for uses other than for build-contexts,
this patch replaces this instance of the utility for a local function.
While changing, also cleaned up some intermediate variables, and made
the logic slightly more descriptive.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This check doesn't really make sense because the client doesn't know on what
OS the daemon is really running.
The daemon uses the console size on creation when available (on windows).
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Now that we no longer support kubernetes as orchestrator in the cli
itself, we may as well be using "Swarm" for these to make it clearer
what these commands are for :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds a new annotation to commands that are known to be frequently
used, and allows setting a custom weight/order for these commands to
influence in what order they appear in the --help output.
I'm not entirely happy with the implementation (we could at least use
some helpers for this, and/or make it more generic to group commands
in output), but it could be a start.
For now, limiting this to only be used for the top-level --help, but
we can expand this to subcommands as well if we think it makes sense
to highlight "common" / "commonly used" commands.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These commands are commonly used, so removing them from the list of "legacy"
top-level commands that are hidden when setting DOCKER_HIDE_LEGACY_COMMANDS=1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, the top-level flags, such as `--config` and `--tlscacert`,
were printed at the top of the `--help` output. These flags are not used
frequently, and putting them at the top, made the information that's more
relevant to most users harder to find.
This patch moves the top-level flags for the root command (`docker`) to the
bottom of the help output, putting the subcommands more prominent in view.
With this patch:
Usage: docker [OPTIONS] COMMAND
A self-sufficient runtime for containers
Management Commands:
builder Manage builds
buildx* Docker Buildx (Docker Inc., v0.7.1)
checkpoint Manage checkpoints
completion Generate the autocompletion script for the specified shell
container Manage containers
context Manage contexts
image Manage images
manifest Manage Docker image manifests and manifest lists
network Manage networks
plugin Manage plugins
stack Manage Swarm stacks
system Manage Docker
trust Manage trust on Docker images
volume Manage volumes
Orchestration Commands:
config Manage Swarm configs
node Manage Swarm nodes
secret Manage Swarm secrets
service Manage Swarm services
swarm Manage Swarm
Commands:
attach Attach local standard input, output, and error streams to a running container
build Build an image from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders between a container and the local filesystem
create Create a new container
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
export Export a container's filesystem as a tar archive
history Show the history of an image
images List images
import Import the contents from a tarball to create a filesystem image
info Display system-wide information
inspect Return low-level information on Docker objects
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a Docker registry
logout Log out from a Docker registry
logs Fetch the logs of a container
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rename Rename a container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save one or more images to a tar archive (streamed to STDOUT by default)
search Search the Docker Hub for images
start Start one or more stopped containers
stats Display a live stream of container(s) resource usage statistics
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update configuration of one or more containers
version Show the Docker version information
wait Block until one or more containers stop, then print their exit codes
Global Options:
--config string Location of client config files (default "/root/.docker")
-c, --context string Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with "docker context use")
-D, --debug Enable debug mode
-H, --host list Daemon socket(s) to connect to
-l, --log-level string Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
--tls Use TLS; implied by --tlsverify
--tlscacert string Trust certs signed only by this CA (default "/root/.docker/ca.pem")
--tlscert string Path to TLS certificate file (default "/root/.docker/cert.pem")
--tlskey string Path to TLS key file (default "/root/.docker/key.pem")
--tlsverify Use TLS and verify the remote
-v, --version Print version information and quit
Run 'docker COMMAND --help' for more information on a command.
To get more help with docker, check out our guides at https://docs.docker.com/go/guides/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This groups all swarm-related subcommands to their own section in the --help
output, to make it clearer which commands require swarm to be enabled
With this change:
Usage: docker [OPTIONS] COMMAND
A self-sufficient runtime for containers
Options:
--config string Location of client config files (default "/Users/sebastiaan/.docker")
-c, --context string Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with "docker context use")
-D, --debug Enable debug mode
-H, --host list Daemon socket(s) to connect to
-l, --log-level string Set the logging level ("debug"|"info"|"warn"|"error"|"fatal") (default "info")
--tls Use TLS; implied by --tlsverify
--tlscacert string Trust certs signed only by this CA (default "/Users/sebastiaan/.docker/ca.pem")
--tlscert string Path to TLS certificate file (default "/Users/sebastiaan/.docker/cert.pem")
--tlskey string Path to TLS key file (default "/Users/sebastiaan/.docker/key.pem")
--tlsverify Use TLS and verify the remote
-v, --version Print version information and quit
Management Commands:
builder Manage builds
buildx* Docker Buildx (Docker Inc., v0.8.1)
checkpoint Manage checkpoints
completion Generate the autocompletion script for the specified shell
compose* Docker Compose (Docker Inc., v2.3.3)
container Manage containers
context Manage contexts
image Manage images
manifest Manage Docker image manifests and manifest lists
network Manage networks
plugin Manage plugins
scan* Docker Scan (Docker Inc., v0.17.0)
system Manage Docker
trust Manage trust on Docker images
volume Manage volumes
Orchestration Commands:
config Manage Swarm configs
node Manage Swarm nodes
secret Manage Swarm secrets
service Manage Swarm services
stack Manage Swarm stacks
swarm Manage Swarm
Commands:
attach Attach local standard input, output, and error streams to a running container
build Build an image from a Dockerfile
commit Create a new image from a container's changes
cp Copy files/folders between a container and the local filesystem
create Create a new container
diff Inspect changes to files or directories on a container's filesystem
events Get real time events from the server
exec Run a command in a running container
export Export a container's filesystem as a tar archive
history Show the history of an image
images List images
import Import the contents from a tarball to create a filesystem image
info Display system-wide information
inspect Return low-level information on Docker objects
kill Kill one or more running containers
load Load an image from a tar archive or STDIN
login Log in to a Docker registry
logout Log out from a Docker registry
logs Fetch the logs of a container
pause Pause all processes within one or more containers
port List port mappings or a specific mapping for the container
ps List containers
pull Pull an image or a repository from a registry
push Push an image or a repository to a registry
rename Rename a container
restart Restart one or more containers
rm Remove one or more containers
rmi Remove one or more images
run Run a command in a new container
save Save one or more images to a tar archive (streamed to STDOUT by default)
search Search the Docker Hub for images
start Start one or more stopped containers
stats Display a live stream of container(s) resource usage statistics
stop Stop one or more running containers
tag Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
top Display the running processes of a container
unpause Unpause all processes within one or more containers
update Update configuration of one or more containers
version Show the Docker version information
wait Block until one or more containers stop, then print their exit codes
Run 'docker COMMAND --help' for more information on a command.
To get more help with docker, check out our guides at https://docs.docker.com/go/guides/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Configuration (enabling/disabling) of Experimental client features
was deprecated in Docker 19.03, and removed in 20.10. Experimental
CLI features are now always enabled. In Docker 20.10, the Experimental
field in `docker version` was kept (but always true).
This patch removes the field from the output (both "pretty" output
and the JSON struct).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Make use of existing modules and functions in order to output the merged configs.
Added skip interpolation flag of variables, so that you can pipe the output back to stack deploy without much hassle.
Signed-off-by: Stoica-Marcu Floris-Andrei <floris.sm@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These warnings were for features that are no longer supported (overlay
on a backingFS without d_type support), or related to the deprecated
devicemapper storage driver.
Removing this function for that reason.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
My IDE's linter kept complaining:
> For compatibility reasons all table rows should have borders (pipe
> symbols) at the start and at the end.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We should consider removing this file, but it's still used in some
scripts, so let's keep that one for later.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `~/.dockercfg` file was replaced by `~/.docker/config.json` in 2015
(github.com/docker/docker/commit/18c9b6c6455f116ae59cde8544413b3d7d294a5e),
but the CLI still falls back to checking if this file exists if no current
(`~/.docker/config.json`) file was found.
Given that no version of the CLI since Docker v1.7.0 has created this file,
and if such a file exists, it means someone hasn't re-authenticated for
5 years, it's probably safe to remove this fallback.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some commands in the output of `docker` show up with an asterisk, like
app, build, buildx or scan. This tweak removes that so that the
asterisk is not filled in when choosing those commands.
Signed-off-by: Marc Cornellà <hello@mcornella.com>
This change allows some make targets to be ran outside the dev-container for
easier discovery and use:
- `make clean` can be used on the host (as artifacts created from within the
development container are usually stored on the host).
- `make help` was already allowed
- `make dev` and `make shell` are added to the regular Makefile, to make it
easier to create and start the development container.
- When attempting to run `make dev` from within the development container, a
message is printed, and the target is cancelled:
root@docker-cli-dev$ make dev
you are already in the dev container
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This makes some minor improvments to the dev container:
- add `nano` as an alternative to `vi` to help beginning contributors, or people
that don't remember how to quit `vi` ;-)
- add `jq` as it's often handy to have available to debug JSON output.
- set a custom prompt to make it clearer that the user is in a container
- add a short MOTD that shows that the user is in a container, and a pointer
to 'make help' (we can add more help/instructions to this MOTD in future).
Before this patch:
make -f docker.Makefile dev
...
bash-5.1#
With this patch:
make -f docker.Makefile dev
...
You are now in a development container. Run 'make help' to learn about
available make targets.
root@docker-cli-dev$
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was introduced in 9d40c7464e, which added
support for `SOURCE_DATE_EPOCH` to override the build-time.
macOS uses the BSD flavor of `date`, which does not support the `--date` option
to set a custom time.
Before this:
DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary
./scripts/build/binary
date: illegal option -- -
usage: date [-jnRu] [-d dst] [-r seconds] [-t west] [-v[+|-]val[ymwdHMS]] ...
[-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]
After this:
DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary
./scripts/build/binary
Building static docker-darwin-amd64
+ go build -o build/docker-darwin-amd64 -tags ' osusergo pkcs11' -ldflags ' -w -X "github.com/docker/cli/cli/version.GitCommit=a4b6fe16a" -X "github.com/docker/cli/cli/version.BuildTime=2022-04-06T10:57:25Z" -X "github.com/docker/cli/cli/version.Version=20.10.2-589-ga4b6fe16a.m"' -buildmode=pie github.com/docker/cli/cmd/docker
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove "Docker" from registry, as the registry specification is no
longer docker-specific, but part of the OCI distribution spec.
Also removed "Register" from one of the docs pages, as the login
command hasn't supported creating a new acccount on Docker Hub for
a long time.
I'm wondering if we should be more explicit about what log in / out
does (effectively; authenticate, and on success store the credentials
or token, and on log out; remove credentials/token).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
release notes: https://github.com/docker/buildx/releases/tag/v0.8.2
Notable changes:
- Update Compose spec used by buildx bake to v1.2.1 to fix parsing ports definition
- Fix possible crash on handling progress streams from BuildKit v0.10
- Fix parsing groups in buildx bake when already loaded by a parent group
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was introduced in 41a5e0e4df, and
having the trailing whitespace causes the yamldocs generator to
switch to "compact" formatting, which makes that yaml hard to read.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test uses two subtests that were sharing the same variable.
Subtests run in a goroutine, which could lead to them concurrently
accessing the variable, resulting in a panic:
=== FAIL: cli/command/container TestRemoveForce/without_force (0.00s)
Error: Error: No such container: nosuchcontainer
--- FAIL: TestRemoveForce/without_force (0.00s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x40393f]
goroutine 190 [running]:
testing.tRunner.func1.2({0xb76380, 0x124c9a0})
/usr/local/go/src/testing/testing.go:1389 +0x24e
testing.tRunner.func1()
/usr/local/go/src/testing/testing.go:1392 +0x39f
panic({0xb76380, 0x124c9a0})
/usr/local/go/src/runtime/panic.go:838 +0x207
sort.StringSlice.Less(...)
/usr/local/go/src/sort/sort.go:319
sort.insertionSort({0xd87380, 0xc00051b3b0}, 0x0, 0x2)
/usr/local/go/src/sort/sort.go:40 +0xb1
sort.quickSort({0xd87380, 0xc00051b3b0}, 0x18?, 0xb4f060?, 0xc000540e01?)
/usr/local/go/src/sort/sort.go:222 +0x171
sort.Sort({0xd87380, 0xc00051b3b0})
/usr/local/go/src/sort/sort.go:231 +0x53
sort.Strings(...)
/usr/local/go/src/sort/sort.go:335
github.com/docker/cli/cli/command/container.TestRemoveForce.func2(0xc0005389c0?)
/go/src/github.com/docker/cli/cli/command/container/rm_test.go:36 +0x125
testing.tRunner(0xc00053e4e0, 0xc00051b140)
/usr/local/go/src/testing/testing.go:1439 +0x102
created by testing.(*T).Run
/usr/local/go/src/testing/testing.go:1486 +0x35f
=== FAIL: cli/command/container TestRemoveForce (0.00s)
This patch changes the test to use to separate variables.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When building on Fedora 36, the build failed. I suspect this is because the
rpm tools also set LDFLAGS, but with options that cannot be used;
GO_LINKMODE=dynamic
+ ./scripts/build/binary
/go/src/github.com/docker/cli ~/rpmbuild/BUILD/src
Building dynamic docker-linux-arm64
+ go build -o build/docker-linux-arm64 -tags ' pkcs11' -ldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT,/root/rpmbuild/BUILD/src/.package_note-docker-ce-cli-0.0.0.20220330082637.68cad50-0.fc36.aarch64.ld -w -X "github.com/docker/cli/cli/version.GitCommit=68cad50" -X "github.com/docker/cli/cli/version.BuildTime=2022-03-30T20:05:36Z" -X "github.com/docker/cli/cli/version.Version=0.0.0-20220330082637-68cad50" -X "github.com/docker/cli/cli/version.PlatformName=Docker Engine - Community"' -buildmode=pie github.com/docker/cli/cmd/docker
# github.com/docker/cli/cmd/docker
flag provided but not defined: -Wl,-z,relro
usage: link [options] main.o
This patch changes the variable we use to `GO_LDFLAGS`, taking a similar approach
as containerd, and various other projects using this name: https://grep.app/search?q=GO_LDFLAGS
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function was not used anywhere, and the error type already satisfied
the github.com/docker/docker/errdefs.ErrNotFound interface, so let's remove
this utility and (if needed at some point) use errdefs.IsNotFound() instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was added in fd2f1b3b66 as part of
the `docker engine` sub-commands, which were deprecated, and removed in
43b2f52d0c.
This function is not used by anyone, so safe to remove.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was added in fd2f1b3b66 as part of
the `docker engine` sub-commands, which were deprecated, and removed
in 43b2f52d0c.
This function is not used by anyone, so safe to remove.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It's slightly more verbose, but helps finding the purpose of each
of the environment variables. In tests, I kept the fixed strings.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This will generate "details_url" for options, so that the options
table on the pages at docs.docker.com link to the section describing
the option.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this, the sections are linked from the "options" table when
producing the documentation on docs.docker.com
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The daemon (and registry) already have a default limit. This patch
removes the default from the client side, to not duplicate setting
these defaults.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This only affects the version used in the dev container, but
I noticed it was an older version of buildx.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests were creating a stub container, using the current timestamp as
created date. However, if CI was slow to run the test, `Less than a second ago`
would change into `1 second ago`, causing the test to fail:
--- FAIL: TestContainerListNoTrunc (0.00s)
list_test.go:198: assertion failed:
--- expected
+++ actual
@@ -1,4 +1,4 @@
-CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
-container_id busybox:latest "top" Less than a second ago Up 1 second c1
-container_id busybox:latest "top" Less than a second ago Up 1 second c2,foo/bar
+CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+container_id busybox:latest "top" 1 second ago Up 1 second c1
+container_id busybox:latest "top" 1 second ago Up 1 second c2,foo/bar
This patch changes the "created" time of the container to be a minute ago. This
will result in `About a minute ago`, with a margin of 1 minute.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function is deprecated because it has known limitations when using
with multi-byte strings. This limitations are quite "corner case", and
our use (mostly) is for ASCII strings. The suggestion replacement brings
20k+ lines of code, which is a bit too much to fix those corner cases.
templates/templates.go:23:14: SA1019: strings.Title is deprecated: The rule Title uses for word boundaries does not handle Unicode punctuation properly. Use golang.org/x/text/cases instead. (staticcheck)
"title": strings.Title,
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- updated the default value for `--limit` on `docker search` as the const has been
removed (added a todo to remove it)
- updated some fixtures to account for `KernelMemoryTCP` no longer being included
in the output.
full diff: 83b51522df...8941dcfcc5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Also removed deprecated linters:
The linter 'interfacer' is deprecated (since v1.38.0) due to: The repository of the linter has been archived by the owner.
The linter 'golint' is deprecated (since v1.41.0) due to: The repository of the linter has been archived by the owner. Replaced by revive.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/compose/interpolation/interpolation.go:102:4: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
"invalid interpolation format for %s: %#v. You may need to escape any $ with another $.",
^
cli/command/stack/loader/loader.go:30:30: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
return nil, errors.Errorf("Compose file contains unsupported options:\n\n%s\n",
^
cli/command/formatter/formatter.go:76:30: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
return tmpl, errors.Errorf("Template parsing error: %v\n", err)
^
cli/command/formatter/formatter.go:97:24: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
return errors.Errorf("Template parsing error: %v\n", err)
^
cli/command/image/build.go:257:25: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
return errors.Errorf("error checking context: '%s'.", err)
^
cli/command/volume/create.go:35:27: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
return errors.Errorf("Conflicting options: either specify --name or provide positional arg, not both\n")
^
cli/command/container/create.go:160:24: error-strings: error strings should not be capitalized or end with punctuation or a newline (revive)
return errors.Errorf("failed to remove the CID file '%s': %s \n", cid.path, err)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- remove check for "A self-sufficient runtime for containers"; really
not important to check for.
- don't make the checks positional (just match that we find them, and
that we don't find them multiple times)
- account for leading whitespace to change instead of hard-coding the
number of spaces before output.
- change the badopt check; I think it should be sufficient to check
that the bad option was printed and that "run --help" output is
printed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The COMPANY_NAME currently sets the "CompanyName" field in the metadata
of Windows binaries. Our intent of this field is this field to contain
information about the company/party that produced the binary.
Also from [FileVersionInfo.CompanyName][FileVersionInfo.CompanyName]:
> Gets the name of the company that produced the file
Based on the above, "PACKAGER_NAME" is a bit more generic, and clearer
on intent, and we may at some point re-use this same information to
propagate equivalent fields on other platforms (rpms, debs)
[FileVersionInfo.CompanyName]: https://docs.microsoft.com/en-us/dotnet/api/system.diagnostics.fileversioninfo.companyname
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some warnings about go1.16 compatibility, so including them here:
+ go mod tidy -modfile=vendor.mod
github.com/docker/cli/cli/registry/client imports
github.com/docker/distribution/registry/api/v2 imports
github.com/gorilla/mux loaded from github.com/gorilla/mux@v1.7.0,
but go 1.16 would select v1.8.0
github.com/docker/cli/cli/compose/loader imports
gopkg.in/yaml.v2 tested by
gopkg.in/yaml.v2.test imports
gopkg.in/check.v1 loaded from gopkg.in/check.v1@v1.0.0-20200227125254-8fa46927fb4f,
but go 1.16 would select v1.0.0-20201130134442-10cb98267c6c
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server imports
github.com/theupdateframework/notary/utils imports
github.com/Shopify/logrus-bugsnag loaded from github.com/Shopify/logrus-bugsnag@v0.0.0-20170309145241-6dbc35f2c30d,
but go 1.16 would select v0.0.0-20171204204709-577dee27f20d
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server/storage imports
gopkg.in/rethinkdb/rethinkdb-go.v6 imports
github.com/opentracing/opentracing-go loaded from github.com/opentracing/opentracing-go@v1.1.0,
but go 1.16 would select v1.2.0
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server/storage imports
gopkg.in/rethinkdb/rethinkdb-go.v6 imports
github.com/opentracing/opentracing-go/ext loaded from github.com/opentracing/opentracing-go@v1.1.0,
but go 1.16 would select v1.2.0
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server/storage imports
gopkg.in/rethinkdb/rethinkdb-go.v6 imports
github.com/opentracing/opentracing-go/log loaded from github.com/opentracing/opentracing-go@v1.1.0,
but go 1.16 would select v1.2.0
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server imports
github.com/theupdateframework/notary/utils imports
github.com/spf13/viper imports
github.com/spf13/afero loaded from github.com/spf13/afero@v1.1.2,
but go 1.16 would select v1.2.2
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server imports
github.com/theupdateframework/notary/utils imports
github.com/spf13/viper imports
github.com/spf13/cast loaded from github.com/spf13/cast@v1.3.0,
but go 1.16 would select v1.3.1
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server imports
github.com/theupdateframework/notary/utils imports
github.com/spf13/viper imports
github.com/spf13/jwalterweatherman loaded from github.com/spf13/jwalterweatherman@v1.0.0,
but go 1.16 would select v1.1.0
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server imports
github.com/theupdateframework/notary/utils imports
github.com/spf13/viper imports
gopkg.in/ini.v1 loaded from gopkg.in/ini.v1@v1.51.0,
but go 1.16 would select v1.56.0
github.com/docker/cli/cli/command imports
github.com/theupdateframework/notary/client tested by
github.com/theupdateframework/notary/client.test imports
github.com/theupdateframework/notary/server imports
github.com/theupdateframework/notary/utils imports
github.com/spf13/viper imports
github.com/spf13/afero imports
github.com/spf13/afero/mem loaded from github.com/spf13/afero@v1.1.2,
but go 1.16 would select v1.2.2
To upgrade to the versions selected by go 1.16:
go mod tidy -go=1.16 && go mod tidy -go=1.17
If reproducibility with go 1.16 is not needed:
go mod tidy -compat=1.17
For other options, see:
https://golang.org/doc/modules/pruning
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Removes the platform based switch between different versions.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `apt` command is meant to provide a user-friendly interface, but does not
have a stable interface, and not recommended for scripting, see:
#54 [linux/amd64 build-buster 1/1] RUN xx-apt install --no-install-recommends -y libc6-dev libgcc-8-dev
#54 0.706 Hit:1 http://security.debian.org/debian-security buster/updates InRelease
#54 0.707 Hit:2 http://deb.debian.org/debian buster InRelease
#54 0.708 Hit:3 http://deb.debian.org/debian buster-updates InRelease
#54 2.149 Reading package lists...
#54 4.917 + apt install --no-install-recommends -y libc6-dev libgcc-8-dev
#54 4.934
#54 4.934 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
This changes the command to use `apt-get` instead
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Our previous CI probably did not cross-compile for s390x and ppc64le,
and therefore did not get these errors; the scripts/build/.variables
file sets CGO_ENABLED=1 for amd64|arm64|arm|s390x architectures if
it's not set;
87b8e57868/scripts/build/.variables (L34-L46)
When compiling statically with CGO enabled, we must have osusergo
enabled as well, so set it accordingly, to prevent;
#53 [linux/amd64 build 2/2] RUN --mount=type=bind,target=.,ro --mount=type=cache,target=/root/.cache --mount=from=dockercore/golang-cross:xx-sdk-extras,target=/xx-sdk,src=/xx-sdk --mount=type=tmpfs,target=cli/winresources xx-go --wrap && TARGET=/out ./scripts/build/binary && xx-verify $([ "static" = "static" ] && echo "--static") /out/docker
#53 953.6 # github.com/docker/cli/cmd/docker
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000022.o: in function `New':
#53 953.6 /go/src/github.com/docker/cli/vendor/github.com/miekg/pkcs11/pkcs11.go:75: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000018.o: in function `mygetgrouplist':
#53 953.6 /usr/local/go/src/os/user/getgrouplist_unix.go:18: warning: Using 'getgrouplist' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000017.o: in function `mygetgrgid_r':
#53 953.6 /usr/local/go/src/os/user/cgo_lookup_unix.go:40: warning: Using 'getgrgid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000017.o: in function `mygetgrnam_r':
#53 953.6 /usr/local/go/src/os/user/cgo_lookup_unix.go:45: warning: Using 'getgrnam_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000017.o: in function `mygetpwnam_r':
#53 953.6 /usr/local/go/src/os/user/cgo_lookup_unix.go:35: warning: Using 'getpwnam_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000017.o: in function `mygetpwuid_r':
#53 953.6 /usr/local/go/src/os/user/cgo_lookup_unix.go:30: warning: Using 'getpwuid_r' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
#53 953.6 /usr/bin/s390x-linux-gnu-ld: /tmp/go-link-2402600021/000004.o: in function `_cgo_3c1cec0c9a4e_C2func_getaddrinfo':
#53 953.6 /tmp/go-build/cgo-gcc-prolog:58: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 5770296d90...3147a52a75
This version contains a fix for CVE-2022-27191 (not sure if it affects us).
From the golang mailing list:
Hello gophers,
Version v0.0.0-20220315160706-3147a52a75dd of golang.org/x/crypto/ssh implements
client authentication support for signature algorithms based on SHA-2 for use with
existing RSA keys.
Previously, a client would fail to authenticate with RSA keys to servers that
reject signature algorithms based on SHA-1. This includes OpenSSH 8.8 by default
and—starting today March 15, 2022 for recently uploaded keys.
We are providing this announcement as the error (“ssh: unable to authenticate”)
might otherwise be difficult to troubleshoot.
Version v0.0.0-20220314234659-1baeb1ce4c0b (included in the version above) also
fixes a potential security issue where an attacker could cause a crash in a
golang.org/x/crypto/ssh server under these conditions:
- The server has been configured by passing a Signer to ServerConfig.AddHostKey.
- The Signer passed to AddHostKey does not also implement AlgorithmSigner.
- The Signer passed to AddHostKey does return a key of type “ssh-rsa” from its PublicKey method.
Servers that only use Signer implementations provided by the ssh package are
unaffected. This is CVE-2022-27191.
Alla prossima,
Filippo for the Go Security team
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Now that HEREDOC is included in the stable Dockerfile syntax, we can
use the latest stable syntax for all Dockerfiles.
The recommendation for the stable syntax is to use `:1` (which is
equivalent to "latest" stable syntax.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The CLI currenly calls the `/info` endpoint to get the address
of the default registry to use.
This functionality was added as part of the initial Windows implementation
of the engine. For legal reasons, Microsoft Windows (and thus Docker images
based on Windows) were not allowed to be distributed through non-Microsoft
infrastructure. As a temporary solution, a dedicated "registry-win-tp3.docker.io"
registry was created to serve Windows images.
As a result, the default registry was no longer "fixed", so a helper function
(`ElectAuthServer`) was added to allow the CLI to get the correct registry
address from the daemon. (docker/docker PR's/issues 18019, 19891, 19973)
Using separate registries was not an ideal solution, and a more permanent
solution was created by introducing "foreign image layers" in the distribution
spec, after which the "registry-win-tp3.docker.io" ceased to exist, and
removed from the engine through docker/docker PR 21100.
However, the `ElectAuthServer` was left in place, quoting from that PR;
> make the client check which default registry the daemon uses is still
> more correct than leaving it up to the client, even if it won't technically
> matter after this PR. There may be some backward compatibility scenarios
> where `ElectAuthServer` [sic] is still helpful.
That comment was 5 years ago, and given that the engine and cli are
released in tandem, and the default registry is not configurable, we
can save the extra roundtrip to the daemon by using a fixed value.
This patch deprecates the `ElectAuthServer` function, and makes it
return the default registry without calling (potentially expensie)
`/info` API endpoint.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this change all `inspect` commands will output a compact JSON
representation of the elements, the default format (indented JSON) stays the
same.
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
including all the directives and a link to the documentation.
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Once upon a time, there was a website named ["The Docker index"][2]; a complimentary
service for users of Docker, provided by dotCloud. The Docker Index was the place
to find and explore pre-made container images, and allowed you to [share your
images and download them][1]. The Docker Index evolved rapidly, and gained new
features, such as [Trusted Images][3], and "stars" to rank your favorite images.
The website also provided an API, which allowed you to search images, even from
the comfort of your `docker` CLI. Things moved fast in container-land, and while
there was an API to use, it was still a work in progress. While the Docker Index
allowed users to "star" images, the search API did not rank results accordingly.
As any engineer knows, there's no problem that can't be solved with some elbow-
grease and a piece of Duct tape, so while the Docker Index team worked on making
the search API better, the `docker` engine [fixed the problem on the client side][4]
Years went by, and the Docker Index API became the "registry V1" specification,
including search. The registry got a major "v2" rewrite and became the [OCI Distribution
Spec][5], and Docker Index became Docker Hub, which included V2 and V3 search APIs.
The V1 search API continued to be supported, as it was the only documented API
for registries, but improvements were made, including ranking of search results.
Duct tape is durable, and even though improvements were made, the Docker client
continued to sort the results as well. Unfortunately, this meant that search
results on the command-line were ranked different from their equivalent on the
registry (such as Docker Hub).
This patch removes the client-side sorting of results, using the order in which
the search API returned them to (finally) celebrate the work of the engineers
working on the search API, also when used from the command-line.
[1]: https://web.archive.org/web/20130708004229/http://docker.io/
[2]: https://web.archive.org/web/20130623223614/https://index.docker.io/
[3]: https://web.archive.org/web/20140208001647/https://index.docker.io/
[4]: 1669b802cc
[5]: https://github.com/opencontainers/distribution-spec
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This has now been implemented in buildkit#2116, so this note can
be removed (once integrated into Docker).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this change it is now possible to give a relative path to the --volume and
--mount flags.
$ docker run --mount type=bind,source=./,target=/test ...
$ docker run -v .:/test ...
Fixes#1203
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Changed `matcher.Matches(file)` to `matcher.MatchesOrParentMatches(file)`:
cli/command/image/build/context.go:95:9: SA1019: matcher.Matches is deprecated: This implementation is buggy (it only checks a single parent dir against the pattern) and will be removed soon. Use either MatchesOrParentMatches or MatchesUsingParentResults instead. (staticcheck)
return matcher.Matches(file)
^
And updated a test to match the JSON omitting empty RootFS.Type fields (in
practice, this field should never be empty in real situations, and always
be "layer"). Changed the test to use subtests to easier find which case
is failing.
full diff: 343665850e...83b51522df
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The information in this struct was basically fixed (there's
some discrepancy around the "DefaultVersion" which, probably,
should never vary, and always be set to the Default (maximum)
API version supported by the client.
Experimental is now always enabled, so this information did
not require any dynamic info as well.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This was there for historic reasons (I think `goimports` expected this,
and we used to have a linter that wanted it), but it's not needed, so
let's remove it (to make my IDE less complaining about unneeded aliases)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Not a fan of aliases, but unfortunately they're sometimes needed. We import both
docker/docker/registry and docker/registry and api/types/registry, so I looked
for which one to continue using an alias, and this was the one "least" used,
and which already used this alias everywhere, except for two places.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Just `config` as name for the package should work; this also revealed that one
file was importing the same package twice.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.0.3...v3.1.0
noteworthy changes:
- ci: add go1.16
- ci: add go1.17, remove go1.13
- golden: only create dir if update flag is set
- icmd: replace all usages of os/exec with golang.org/x/sys/execabs
- assert: ErrorIs
- fs: add DirFromPath
- Stop creating directory outside of testdata
- fs: Fix comparing symlink permissions
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These dependencies were either unused, or go modules already resolved them
to the same version as specified in the replace rule, so those could be
removed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These were an "upgrade" not a "downgrade" (It was put in vendor.conf
to push it ahead of the version resolved by go mod). Let's move it
to the "requires" section as an indirect, that way it will dissolve
once other modules require this version or up.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
remove the replace rule to update it to the actual version specified:
full diff: 63515b42dc...69cdffdb93
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Support for LCOW has been removed from the daemon, so removing the
corresponding daemon configuration options.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker create` command shares most (all) of its options with `docker run`,
which uses `docker create` under the hood. The `docker create` reference docs
already referred users to the `docker run` sections for details, but some
flags were only documented on the `docker create` page.
This patch:
- moves those flags from the `docker create` to the `docker run` page
- does some minor rephrasing and touch-ups.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously, `version: "3"` was equivalent to `version: "3.0"`, which
caused confusion for many users, as they expected it to be "3.x".
docker-compose and docker compose (v2) have adopted the compose-spec
(https://compose-spec.io), which no longer has a version field in
the compose file, and always picks the "latest" supported version.
This changes how `docker stack` interprets "major" version numbers
specified in compose-files:
When only the major version ("3") is specified, it is now equivalent
to "3.x" (latest supported v3 schema).
Compose-files that specify both major and minor version (e.g. "3.0"
or "3.1") continue to use the existing behavior; validation is down-
graded to the specified version and will produce an error if options
are used that are not supported in that schema version. This allows
users to locally verify that a composse-file does not use options
that are not supported in the intended deployment environment (for
example if the deploy environment only supports older versions of
the schema).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove various tests and utilities related to testing kubernetes support
Also removing the Kubernetes and DefaultStackOrchestrator from CreateOptions
and UpdateOptions, instead updating the flags to not be bound to a variable.
This might break some consumers of those options, but given that they've become
non-functional, that's probably ok (otherwise they may ignore the deprecation
warning and end up with non-functional code).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Explicitly mention flags and environment variables that were removed, to
make the deprecation more discoverable.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove mentions of which options are supported by Kubernetes.
Note that there's some filters remaining that were marked as "not supported
by swarm": those filters need to be checked if this is accurate (and if so,
those filters must be removed).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Removes the flags that have been deprecated or removed;
- --default-stack-orchestrator
- --kubernetes
- --kubeconfig
- --namespace
- --orchestrator
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Removes the --kubeconfig flag, and the corresponding ExportOptions.Kubeconfig,
as well as special handling for kubeconfig export, as it's no longer used.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The compose spec (https://compose-spec.io) defines the version to be optional,
and implementations of the spec to check for supported attributes instead.
While this change does not switch the `docker stack` implementation to use the
compose-spec, it makes it function more similar. Previously, omitting a version
number would either produce an error (as the field was required), or switched
the handling to assume it was version 1.0 (which is deprecated).
With this change, compose files without a version number will be handled as
the latest version supported by `docker stack` (currently 3.10). This allows
users that work with docker-compose or docker compose (v2) to deploy their
compose file, without having to re-add a version number. Fields that are
not supported by stackes (schema 3.10) will still produce an error.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adding a copy of the 3.9 schema, with only the version-string changed.
This makes it easier to find changes since 3.9, which are added after
this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
glog has the same issue as k8s.io/klog, and is calling `user.Current()`
inside an `init()`; see 466fbb6507
Calling `user.Current()` on Windows can result in remove connections being
made to get the user's information, which can be a heavy call. See https://github.com/docker/cli/issues/2420
glog was only used in a single location in compose-on-kubernetes, so we may as
well remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I didn't see where in the page that `--privileged` mode adds all capabilities.
I think this page once did contain that information. I got it from a Stack Overflow answer that seems to have copied from an earlier version of this same document.
> Full container capabilities (--privileged)
>
> The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.
https://stackoverflow.com/a/36441605/111424
Signed-off-by: Iain Samuel McLean Elder <iain@isme.es>
- expand a bit on what's happening
- clarify start of deprecation of the classic builder
- show examples of error and warning
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this change:
echo 'FROM busybox' | DOCKER_BUILDKIT=1 docker build -
ERROR: BuildKit is enabled but the buildx component is missing or broken.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
echo 'FROM busybox' | docker build -
DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
Install the buildx component to build images with BuildKit:
https://docs.docker.com/go/buildx/
Sending build context to Docker daemon 2.048kB
...
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While the module proxy can speed up vendoring, it may cause issues when
(temporarily) vendoring from a fork, because the proxy may not have the
module yet on first try, which causes vendoring to fail:
vendor.mod:95:2: replace github.com/thaJeztah/compose-on-kubernetes:
version "0b59cf047b3b0199048fe13fdcd21b0cb46549f2" invalid:
Get "0b59cf047b.info": read tcp 172.17.0.2:60290->172.217.168.209:443: read: connection reset by peer
Using `GOPROXY=direct` to fetch sources directly from upstream (GitHub) instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
There was some debate about this, and wether or not tidy should be run
when vendoring, but without this, validation failed after running
`make vendor`, and manually doing a `go mod tidy` is complicated
(due to the `vendor.mod`, and because the cache is not inside the
build-cache, not on the host).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext
From https://go-review.googlesource.com/c/go/+/264159
> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.
This feature allowed using an encrypted private key with a supplied password,
but did not provide additional security as the encryption is known to be broken,
and the key is sitting next to the password in the filesystem. Users are recommended
to decrypt the private key, and store it un-encrypted to continue using it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Change the order of received/written and sent/read in NET I/O and BLOCK I/O description reflect the order in I/O (Input/Output).
From example above:
CONTAINER NAME: awesome_brattain
BLOCK I/O: 147kB / 0B
awesome_brattain has written 147kB and read 0B
Signed-off-by: Tomas Bäckman <larstomas@gmail.com>
Ubuntu version references were a mixture of 14.04 (in descriptions) and 20.04 (in example code). Updated description references to 20.04 to match example code.
Signed-off-by: Mike Dalton <mikedalton@github.com>
This adds a Windows TERM signal which makes propagation of termination to containers work properly.
Signed-off-by: Mathieu Champlon <mathieu.champlon@docker.com>
go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime, the
misc/wasm directory, and to the net/http package. See the Go 1.16.10 milestone
for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.10+label%3ACherryPickApproved
From the announcement e-mail:
[security] Go 1.17.3 and Go 1.16.10 are released
We have just released Go versions 1.17.3 and 1.16.10, minor point releases.
These minor releases include two security fixes following the security policy:
- archive/zip: don't panic on (*Reader).Open
Reader.Open (the API implementing io/fs.FS introduced in Go 1.16) can be made
to panic by an attacker providing either a crafted ZIP archive containing
completely invalid names or an empty filename argument.
Thank you to Colin Arnott, SiteHost and Noah Santschi-Cooney, Sourcegraph Code
Intelligence Team for reporting this issue. This is CVE-2021-41772 and Go issue
golang.org/issue/48085.
- debug/macho: invalid dynamic symbol table command can cause panic
Malformed binaries parsed using Open or OpenFat can cause a panic when calling
ImportedSymbols, due to an out-of-bounds slice operation.
Thanks to Burak Çarıkçı - Yunus Yıldırım (CT-Zer0 Crypttech) for reporting this
issue. This is CVE-2021-41771 and Go issue golang.org/issue/48990.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 9bd3a7c029
(docker 17.04 and up) added a maximum timeout of 1 minute to the
restart timeout.
This patch updates the documentation to match the current behavior.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: imdario/mergo@v0.3.8...v0.3.12
includes:
- imdario/mergo@c085d66e6b use src map if dst is nil and can't be set
- fixesimdario/mergo#90 panic: reflect: reflect.Value.Set using unaddressable value merging nested structures
Signed-off-by: Jonathan Warriss-Simmons <misterws@diogenes.ws>
This includes additional fixes for CVE-2021-39293.
go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip package,
as well as bug fixes to the archive/zip, go/internal/gccgoimporter, html/template,
net/http, and runtime/pprof packages. See the Go 1.16.8 milestone on the issue
tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.16.8+label%3ACherryPickApproved
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The DefaultStopSignal const has been deprecated, because the daemon already
handles a default value. The current code did not actually send the default
value unless the flag was set, which also made the flag description incorrect,
because in that case, the _daemon's_ default would be used, which could
potentially be different as was specified here.
This patch removes the default value from the flag, leaving it to the daemon
to set a default.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The /go/ redirects are now defined in the docs repository, so the one
we defined here can be removed.
Also adds a missing redirect for an old URL to the main CLI page.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Locking was removed in https://github.com/docker/cli/pull/3025 which
allows for parallel calls to config.Load to modify global state.
The consequence in this case is innocuous, but it does trigger a
`DATA RACE` exception when tests run with `-race` option.
Signed-off-by: coryb <cbennett@netflix.com>
This replaces the use of bash where suitable, to allow easier copy/pasting
of shell examples without copying the prompt or process output.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows us to drop the `//go:generate` and use of the github.com/mjibson/esc
utility.
worth noting that Go's native "embed" does not compress files. We could compress
these files as part of a build / validate step (which would add some complexity
when updating these files) if this is a concern, but not sure if the additional
complexity is warranted.
Comparing before/after sizes (see below);
macOS: 54125840 - 54005264 = 120576 (+120.58 kB)
Linux: 52393231 - 52277701 = 115530 (+115.53 kB)
Before:
ls -l build/
total 208736
lrwxr-xr-x 1 sebastiaan staff 19 Aug 15 09:36 docker@ -> docker-linux-amd64
-rwxr-xr-x 1 sebastiaan staff 54005264 Aug 15 09:35 docker-darwin-amd64*
-rwxr-xr-x 1 sebastiaan staff 52277701 Aug 15 09:36 docker-linux-amd64*
After:
ls -l build/
total 208960
lrwxr-xr-x 1 sebastiaan staff 18 Aug 15 09:32 docker@ -> docker-linux-amd64
-rwxr-xr-x 1 sebastiaan staff 54125840 Aug 15 09:31 docker-darwin-amd64*
-rwxr-xr-x 1 sebastiaan staff 52393231 Aug 15 09:32 docker-linux-amd64*
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 73aef6edfe
modified archive.ReplaceFileTarWrapper to set the Name field in the tar header,
if the field was not set.
That change exposed an issue in how a Dockerfile from stdin was sent to the daemon.
When attempting to build using a build-context, and a Dockerfile from stdin, the
following happened:
```bash
mkdir build-stdin && cd build-stdin && echo hello > hello.txt
DOCKER_BUILDKIT=0 docker build --no-cache -t foo -f- . <<'EOF'
FROM alpine
COPY . .
EOF
Sending build context to Docker daemon 2.607kB
Error response from daemon: dockerfile parse error line 1: unknown instruction: .DOCKERIGNORE
```
Removing the `-t foo`, oddly lead to a different failure:
```bash
DOCKER_BUILDKIT=0 docker build --no-cache -f- . <<'EOF'
FROM alpine
COPY . .
EOF
Sending build context to Docker daemon 2.581kB
Error response from daemon: Cannot locate specified Dockerfile: .dockerfile.701d0d71fb1497d6a7ce
```
From the above, it looks like the tar headers got mangled, causing (in the first
case) the daemon to use the build-context tar as a plain-text file, and therefore
parsing it as Dockerfile, and in the second case, causing it to not being able to
find the Dockerfile in the context.
I noticed that both TarModifierFuncs were using the same `hdrTmpl` struct, which
looks to caused them to step on each other's toes. Changing them to each initialize
their own struct made the issue go away.
After this change:
```bash
DOCKER_BUILDKIT=0 docker build --no-cache -t foo -f- . <<'EOF'
FROM alpine
COPY . .
EOF
Sending build context to Docker daemon 2.607kB
Step 1/2 : FROM alpine
---> d4ff818577bc
Step 2/2 : COPY . .
---> 556f745e6938
Successfully built 556f745e6938
Successfully tagged foo:latest
DOCKER_BUILDKIT=0 docker build --no-cache -f- . <<'EOF'
FROM alpine
COPY . .
EOF
Sending build context to Docker daemon 2.607kB
Step 1/2 : FROM alpine
---> d4ff818577bc
Step 2/2 : COPY . .
---> aaaee43bec5e
Successfully built aaaee43bec5e
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This warning will be moved to the daemon-side, similar to how it returns
other warnings. There's work in progress to change the name of the default
profile, so we may need to backport this change to prevent existing clients
from printing an incorrect warning if they're connecting to a newer daemon.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- make sure the target directory is created if missing
- add support for custom ID's in headings through `<a>` tags (e.g.
`<a name=heading2></a>`). This allows use of custom anchors that
work both on GitHub (GFM doesn't support extended MarkDown), and
in Jekyll (which does).
- add code to cleanup markdown for use in our docs:
- remove absolute URLs to https://docs.docker.com
- remove tabs in MarkDown, and convert them to 4 spaces. This
prevents the YAML conversion from switching between "short"
and "long" syntax. Tabs in code examples also don't always
work well, so using spaces doesn't hurt for that.
- refactor some code for readability, and to be less "hacky" (still
lots to be improved though)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Keeping the dockerfiles/Dockerfile.cross image at 1.13, as we don't
have more current versions of that image. However, I don't think it's
still used, so we should remove it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
It's the only use of this function, and it's better to check that
the client actually sends the header.
This also simplifies some asserts, and makes sure that "actual" and "expected"
are in the correct order.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Golang uses a `sync.Once` when determining the proxy to use. This means
that it's not possible to test the proxy configuration in unit tests,
because the proxy configuration will be "fixated" the first time Golang
detects the proxy configuration.
This patch changes TestNewAPIClientFromFlagsWithHttpProxyEnv to an e2e
test so that we can verify the CLI picks up the proxy configuration.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
> Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since
> it does not authenticate the ciphertext, it is vulnerable to padding oracle
> attacks that can let an attacker recover the plaintext
From https://go-review.googlesource.com/c/go/+/264159
> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
From https://go-review.googlesource.com/c/go/+/264159
> It's unfortunate that we don't implement PKCS#8 encryption so we can't
> recommend an alternative but PEM encryption is so broken that it's worth
> deprecating outright.
When linting on Go 1.16:
cli/context/docker/load.go:69:6: SA1019: x509.IsEncryptedPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. (staticcheck)
if x509.IsEncryptedPEMBlock(pemBlock) {
^
cli/context/docker/load.go:70:20: SA1019: x509.DecryptPEMBlock is deprecated: Legacy PEM encryption as specified in RFC 1423 is insecure by design. Since it does not authenticate the ciphertext, it is vulnerable to padding oracle attacks that can let an attacker recover the plaintext. (staticcheck)
keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword))
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The experimental image is deprecated (now "labs"), and the features we use
are now included in the regular (stable) syntax.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/cpuguy83/go-md2man/compare/v2.0.0...v2.0.1
- Fix handling multiple definition descriptions
- Fix inline markup causing table cells to split
- Remove escaping tilde character (prevents tildes (`~`) from disappearing).
- Do not escape dash, underscore, and ampersand (prevents ampersands (`&`) from disappearing).
- Ignore unknown HTML tags to prevent noisy warnings
With this, generating manpages becomes a lot less noisy; no more of these:
WARNING: go-md2man does not handle node type HTMLSpan
WARNING: go-md2man does not handle node type HTMLSpan
WARNING: go-md2man does not handle node type HTMLSpan
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
removes the github.com/shurcooL/sanitized_anchor_name dependency
full diff: https://github.com/russross/blackfriday/compare/v2.0.1...v2.1.0
- Committed to github.com/russross/blackfriday/v2 as the canonical import path for blackfriday v2.
- Reduced the amount of dependencies.
- Added a SanitizedAnchorName function.
- Added Node.IsContainer and Node.IsLeaf methods.
- Fixed parsing of links that end with a double backslashes.
- Fixed an issue where fence length wasn't computed.
- Improved the default value for the HTMLRendererParameters.FootnoteReturnLinkContents field.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Support for ALL_PROXY as default build-arg was added recently in
buildkit and the classic builder.
This patch adds the `ALL_PROXY` environment variable to the list of
configurable proxy variables, and updates the documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Errors always need to go to stderr.
This also fixes a test in moby/moby's integration-cli which is checking
to see if errors connecting to the daemon are output on stderr.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The docker info output contains both "local" and "remote" (daemon-side) information.
The API endpoint to collect daemon information (`/info`) is known to be "heavy",
and (depending on what information is needed) not needed.
This patch checks if the template (`--format`) used requires information from the
daemon, and if not, omits making an API request.
This will improve performance if (for example), the current "context" is requested
from `docker info` or if only plugin information is requested.
Before:
time docker info --format '{{range .ClientInfo.Plugins}}Plugin: {{.Name}}, {{end}}'
Plugin: buildx, Plugin: compose, Plugin: scan,
________________________________________________________
Executed in 301.91 millis fish external
usr time 168.64 millis 82.00 micros 168.56 millis
sys time 113.72 millis 811.00 micros 112.91 millis
time docker info --format '{{json .ClientInfo.Plugins}}'
time docker info --format '{{.ClientInfo.Context}}'
default
________________________________________________________
Executed in 334.38 millis fish external
usr time 177.23 millis 93.00 micros 177.13 millis
sys time 124.90 millis 927.00 micros 123.97 millis
docker context use remote-ssh-daemon
time docker info --format '{{.ClientInfo.Context}}'
remote-ssh-daemon
________________________________________________________
Executed in 1.22 secs fish external
usr time 116.93 millis 110.00 micros 116.82 millis
sys time 144.36 millis 887.00 micros 143.47 millis
And daemon logs:
Jul 06 12:42:12 remote-ssh-daemon dockerd[14377]: time="2021-07-06T12:42:12.139529947Z" level=debug msg="Calling HEAD /_ping"
Jul 06 12:42:12 remote-ssh-daemon dockerd[14377]: time="2021-07-06T12:42:12.140772052Z" level=debug msg="Calling HEAD /_ping"
Jul 06 12:42:12 remote-ssh-daemon dockerd[14377]: time="2021-07-06T12:42:12.163832016Z" level=debug msg="Calling GET /v1.41/info"
After:
time ./build/docker info --format '{{range .ClientInfo.Plugins}}Plugin: {{.Name}}, {{end}}'
Plugin: buildx, Plugin: compose, Plugin: scan,
________________________________________________________
Executed in 139.84 millis fish external
usr time 76.53 millis 62.00 micros 76.46 millis
sys time 69.25 millis 723.00 micros 68.53 millis
time ./build/docker info --format '{{.ClientInfo.Context}}'
default
________________________________________________________
Executed in 136.94 millis fish external
usr time 74.61 millis 74.00 micros 74.54 millis
sys time 65.77 millis 858.00 micros 64.91 millis
docker context use remote-ssh-daemon
time ./build/docker info --format '{{.ClientInfo.Context}}'
remote-ssh-daemon
________________________________________________________
Executed in 1.02 secs fish external
usr time 74.25 millis 76.00 micros 74.17 millis
sys time 65.09 millis 643.00 micros 64.44 millis
And daemon logs:
Jul 06 12:42:55 remote-ssh-daemon dockerd[14377]: time="2021-07-06T12:42:55.313654687Z" level=debug msg="Calling HEAD /_ping"
Jul 06 12:42:55 remote-ssh-daemon dockerd[14377]: time="2021-07-06T12:42:55.314811624Z" level=debug msg="Calling HEAD /_ping"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The previous example was out of date. I changed the distro & pined the
tag to help prevent the new example from becoming out of date too.
Signed-off-by: Kelton Bassingthwaite <KeltonBassingthwaite@gmail.com>
Commit 330a003533
introduced "synchronous" service update and rollback, using progress bars to show
current status for each task.
As part of that change, progress bars were "reversed" when doing a rollback, to
indicate that status was rolled back to a previous state.
Reversing direction is somewhat confusing, as progress bars now return to their
"initial" state to indicate it was "completed"; for an "automatic" rollback, this
may be somewhat clear (progress bars "move to the right", then "roll back" if the
update failed), but when doing a manual rollback, it feels counter-intuitive
(rolling back is the _expected_ outcome).
This patch removes the code to reverse the direction of progress-bars, and makes
progress-bars always move from left ("start") to right ("finished").
Before this patch
----------------------------------------
1. create a service with automatic rollback on failure
$ docker service create --update-failure-action=rollback --name foo --tty --replicas=5 nginx:alpine
9xi1w3mv5sqtyexsuh78qg0cb
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Waiting 2 seconds to verify that tasks are stable...
2. update the service, making it fail after 3 seconds
$ docker service update --entrypoint="/bin/sh -c 'sleep 3; exit 1'" foo
overall progress: rolling back update: 2 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: starting [============================================> ]
4/5: running [==================================================>]
5/5: running [==================================================>]
3. Once the service starts failing, automatic rollback is started; progress-bars now move in the reverse direction;
overall progress: rolling back update: 3 out of 5 tasks
1/5: ready [===========> ]
2/5: ready [===========> ]
3/5: running [> ]
4/5: running [> ]
5/5: running [> ]
4. When the rollback is completed, the progressbars are at the "start" to indicate they completed;
overall progress: rolling back update: 5 out of 5 tasks
1/5: running [> ]
2/5: running [> ]
3/5: running [> ]
4/5: running [> ]
5/5: running [> ]
rollback: update rolled back due to failure or early termination of task bndiu8a998agr8s6sjlg9tnrw
verify: Service converged
After this patch
----------------------------------------
Progress bars always go from left to right; also in a rollback situation;
After updating to the "faulty" entrypoint, task are deployed:
$ docker service update --entrypoint="/bin/sh -c 'sleep 3; exit 1'" foo
foo
overall progress: 1 out of 5 tasks
1/5:
2/5: running [==================================================>]
3/5: ready [======================================> ]
4/5:
5/5:
Once tasks start failing, rollback is started, and presented the same as a regular
update; progress bars go from left to right;
overall progress: rolling back update: 3 out of 5 tasks
1/5: ready [======================================> ]
2/5: starting [============================================> ]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
rollback: update rolled back due to failure or early termination of task c11dxd7ud3d5pq8g45qkb4rjx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Changes:
- winterm: GetStdFile(): Added compatibility with "golang.org/x/sys/windows"
- winterm: fix GetStdFile() falltrough
- update deprecation message to refer to the correct replacement
- add go.mod
- Fix int overflow
- Convert int to string using rune()
full diff:
- bea5bbe245...3f7ff695ad
- d6e3b3328b...d185dfc1b5
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The dind engine version that we use in e2e does not support cgroups v2,
so if we landed on an Ubuntu 20.04 node with cgroups v2 enabled, CI failed:
Stderr: Error response from daemon: cgroups: cgroup mountpoint does not exist: unknown
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We updated some of these functions to make sure os.environ was
preserved, but some where not.
This adds a utility to help with this, which also prevents the
os.environ to be added multiple times.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: d5209b29b9...v20.10.7
skipping the buildkit update for now, as it didn't bring changes
in vendored files.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This link worked on GitHub, but was broken on docs.docker.com, so
replacing with a regular link directly to the docs instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This extends #2929 to Darwin as well as Linux.
Running the example in https://github.com/golang/go/issues/37942
I see lots of:
```
dave@m1 sigurg % uname -ms
Darwin arm64
dave@m1 sigurg % go run main.go
received urgent I/O condition: 2021-05-21 16:03:03.482211 +0100 BST m=+0.014553751
received urgent I/O condition: 2021-05-21 16:03:03.507171 +0100 BST m=+0.039514459
```
Signed-off-by: David Scott <dave@recoil.org>
Jekyll doesn't work well with markdown links that are wrapped, so changing
the link to be on a single line.
While at it, also added/changed some code-hints.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The kernel memory limit is deprecated in Docker 20.10.0,
and its support was removed in runc v1.0.0-rc94.
So, this warning can be safely removed.
Relevant: b8ca7de823
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
More improvements can be made, but this makes a start on cleaning up
this page:
- Reorganise configuration file options into sections
- Use tables for related options to make them easier to find
- Add warning about the config file's possibility to contain sensitive information
- Some MarkDown touch-ups (use "console" code-hint to assist copy/paste)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is mostly a copy of the equivalent `docker secret` commands,
which uses the same mechanisms behind the hood (hence, are 90% the
same).
We can make further refinements to these docs, but this gives us
a starting point.
Adding these documents, because there were some links pointing to
these pages in the docs, but there was no markdown file to link to
on GitHub.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use var/const blocks when declaring a list of variables
- use const where possible
TestCheckKubernetesConfigurationRaiseAnErrorOnInvalidValue:
- use keys when assigning values
- make sure test is dereferenced in the loop
- use subtests
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some tests were using domain names that were intended to be "fake", but are
actually registered domain names (such as mycorp.com).
Even though we were not actually making connections to these domains, it's
better to use domains that are designated for testing/examples in RFC2606:
https://tools.ietf.org/html/rfc2606
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- rename "experimental" to "labs"
- rephrase recommendation for picking a version
- clarify that the "labs" channel provides a superset of the "stable" channel.
- remove "External implementation features" section, because it overlapped
with the "syntax" section.
- removed `:latest` from the "stable" channel (generally not recommended)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- update some examples to show the BuildKit output
- remove some wording about "images" being used for the build cache
- add a link to the `--cache-from` section
- added a link to "scanning your image with `docker scan`"
- updated link to "push your image"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- use "console" for code-hints, to make process output distinguishable
from the commands that are executed
- use a consistent prompt for powershell examples
- minor changes in wording around "build context" to reduce confusion
with `docker context`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These options are available in Docker 20.10 and up, but were
previously only available in Docker EE, and not documented.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows setting WINDRES to mingw's windres.
For the record, mingw's windres needs --use-temp-file for a weird reason:
in that case, it keeps preprocessor arguments intact (including quotes),
without it, mingw's windres calls popen, which happens to pass the entire
command to sh -c, stripping quotes after evaluation and causing a syntax
error in mingw's windres.
To use mingw's windres, set WINDRES to:
- `x86_64-w64-mingw32-windres` on 64 bit
- `i686-w64-mingw32-windres` on 32 bit
Signed-off-by: Tibor Vass <tibor@docker.com>
When the git checkout is dirty on top of a git tag (i.e., v20.10.6.m),
the VERSION_QUAD was keeping a trailing comma.
Now the trailing comma is stripped.
Signed-off-by: Tibor Vass <tibor@docker.com>
New solution is not hardcoded to amd64 but integrates
with the cross toolchain and support creating arm binaries.
Go has been updated so that ASLR works
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Using cross compilation toolchains that work from any platform
Adds darwin/arm64 support and bake targets. Static and dynamic
binary targets are available, both with glibc and musl.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Updates the stop.md doc to mention that the stop signal can be changed, either with the Dockerfile or via `docker run --stop-signal`. This is a real gotcha if you're not familiar with this feature and build a container that extends a container that uses `STOPSIGNAL`.
Signed-off-by: Christopher Vermilion <christopher.vermilion@gmail.com>
no change in local code, but updates some dependencies to more recent
versions, which may help users that consume docker/cli to get a better
selection (when using go modules).
full diff: 5f1f4a34f4...bf96a202a0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
recommend using `docker container prune`, but show an example on
how to combine commands with a bit more context and warnings
about portability/compatibility.
Thanks to Charlie Arehart to do the initial work on this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Relates to the deprecation, added in 3c0a167ed5
The docker CLI up until v1.7.0 used the `~/.dockercfg` file to store credentials
after authenticating to a registry (`docker login`). Docker v1.7.0 replaced this
file with a new CLI configuration file, located in `~/.docker/config.json`. When
implementing the new configuration file, the old file (and file-format) was kept
as a fall-back, to assist existing users with migrating to the new file.
Given that the old file format encourages insecure storage of credentials
(credentials are stored unencrypted), and that no version of the CLI since
Docker v1.7.0 has created this file, the file is marked deprecated, and support
for this file will be removed in a future release.
This patch adds a deprecation warning, which is printed if the CLI falls back
to using the deprecated ~/.dockercfg file.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We refactorted `ForwardAllSignals` so it blocks but did not update the
call in `start` to call it in a goroutine.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Commit fff164c22e modified ForwardAllSignals to
take `SIGURG` signals into account, which can be generated by the Go runtime
on Go 1.14 and up as an interrupt to support pre-emptable system calls on Linux.
With the updated code, the signal (`s`) would sometimes be `nil`, causing spurious
(but otherwise harmless) warnings to be printed;
Unsupported signal: <nil>. Discarding.
To debug this issue, I patched v20.10.4 to handle `nil`, and added a debug line
to print the signal in all cases;
```patch
diff --git a/cli/command/container/signals.go b/cli/command/container/signals.go
index 06e4d9eb6..0cb53ef06 100644
--- a/cli/command/container/signals.go
+++ b/cli/command/container/signals.go
@@ -22,8 +22,9 @@ func ForwardAllSignals(ctx context.Context, cli command.Cli, cid string, sigc <-
case <-ctx.Done():
return
}
+ fmt.Fprintf(cli.Err(), "Signal: %v\n", s)
if s == signal.SIGCHLD || s == signal.SIGPIPE {
```
When running a cross-compiled macOS binary with Go 1.13 (`make -f docker.Makefile binary-osx`):
# regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
Cloning into 'getting-started'...
Signal: <nil>
# when cancelling with CTRL-C:
./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
^CSignal: interrupt
Cloning into 'getting-started'...
error: could not lock config file /git/getting-started/.git/config: No such file or directory
fatal: could not set 'core.repositoryformatversion' to '0'
Signal: <nil>
Signal: <nil>
When running a macOS binary built with Go 1.15 (`DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary`):
# regular "docker run" (note that the `<nil>` signal only happens "sometimes"):
# this is the same as on Go 1.13
./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
Cloning into 'getting-started'...
Signal: <nil>
# when cancelling with CTRL-C:
./build/docker run --rm alpine/git clone https://github.com/docker/getting-started.git
Cloning into 'getting-started'...
^CSignal: interrupt
Signal: urgent I/O condition
Signal: urgent I/O condition
fatal: --stdin requires a git repository
fatal: index-pack failed
Signal: <nil>
Signal: <nil>
This patch checks if the channel is closed, and removes the warning (to prevent warnings if new
signals are added that are not in our known list of signals)
We should also consider updating `notfiyAllSignals()`, which currently forwards
_all_ signals (`signal.Notify(sigc)` without passing a list of signals), and
instead pass it "all signals _minus_ the signals we don't want forwarded":
35f023a7c2/cli/command/container/signals.go (L55)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some new drivers were added to the "docker run" section to make the documentation more up to date.
Signed-off-by: d.alvarez <david.alvarez@flyeralarm.com>
On Windows, the os/exec.{Command,CommandContext,LookPath} functions
resolve command names that have neither path separators nor file extension
(e.g., "git") by first looking in the current working directory before
looking in the PATH environment variable.
Go maintainers intended to match cmd.exe's historical behavior.
However, this is pretty much never the intended behavior and as an abundance of precaution
this patch prevents that when executing commands.
Example of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`.
Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`,
the windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker.
Signed-off-by: Tibor Vass <tibor@docker.com>
Prior to this change, progressbars would sometimes be hidden, and the function
would return early. In addition, the direction of the progressbars would sometimes
be "incrementing" (similar to "docker service update"), and sometimes be "decrementing"
(to indicate a "rollback" is being performed).
This fix makes sure that we always proceed with the "verifying" step, and now
prints a message _after_ the verifying stage was completed;
$ docker service rollback foo
foo
overall progress: rolling back update: 5 out of 5 tasks
1/5: running [> ]
2/5: starting [===========> ]
3/5: starting [===========> ]
4/5: running [> ]
5/5: running [> ]
verify: Service converged
rollback: rollback completed
$ docker service rollback foo
foo
overall progress: rolling back update: 1 out of 1 tasks
1/1: running [> ]
verify: Service converged
rollback: rollback completed
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change:
--------------------------------------------
$ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
t33qvykv8y0zbz266rxynsbo3
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
$ echo $?
0
$ docker service update --replicas=5 foo
foo
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Service converged
$ echo $?
0
$ docker service rollback foo
foo
rollback: manually requested rollback
overall progress: rolling back update: 1 out of 1 tasks
1/1: running [> ]
verify: Service converged
$ echo $?
0
$ docker service rollback foo
foo
service rolled back: rollback completed
$ echo $?
1
After this change:
--------------------------------------------
$ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
t33qvykv8y0zbz266rxynsbo3
overall progress: 1 out of 1 tasks
1/1: running [==================================================>]
verify: Service converged
$ echo $?
0
$ docker service update --replicas=5 foo
foo
overall progress: 5 out of 5 tasks
1/5: running [==================================================>]
2/5: running [==================================================>]
3/5: running [==================================================>]
4/5: running [==================================================>]
5/5: running [==================================================>]
verify: Waiting 1 seconds to verify that tasks are stable...
$ echo $?
0
$ docker service rollback foo
foo
rollback: manually requested rollback
overall progress: rolling back update: 1 out of 1 tasks
1/1: running [> ]
verify: Service converged
$ echo $?
0
$ docker service rollback foo
foo
service rolled back: rollback completed
$ echo $?
0
$ docker service ps foo
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
4dt4ms4c5qfb foo.1 nginx:alpine docker-desktop Running Running 2 minutes ago
Remaining issues with reconciliation
--------------------------------------------
Note that both before, and after this change, the command sometimes terminates
early, and does not wait for the service to reconcile; this is most apparent
when rolling back is scaling up (so more tasks are deployed);
$ docker service rollback foo
foo
service rolled back: rollback completed
$ docker service rollback foo
foo
rollback: manually requested rollback
overall progress: rolling back update: 1 out of 5 tasks
1/5: pending [=================================> ]
2/5: running [> ]
3/5: pending [=================================> ]
4/5: pending [=================================> ]
5/5: pending [=================================> ]
service rolled back: rollback completed
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit c2626a8270 replaced the use of
github.com/docker/docker/pkg/homedir with Golang's os.UserHomeDir().
This change was partially reverted in 7a279af43d
to account for situations where `$HOME` is not set.
In situations where no configuration file is present in `~/.config/`, the CLI
falls back to looking for the (deprecated) `~/.dockercfg` configuration file,
which was still using `os.UserHomeDir()`, which produces an error/warning if
`$HOME` is not set.
This patch introduces a helper function and a global variable to get the user's
home-directory. The global variable is used to prevent repeatedly looking up
the user's information (which, depending on the setup can be a costly operation).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/theupdateframework/notary/compare/v0.6.1...v0.7.0
Changelog:
v0.7.0 12/01/2021
------------------------
- Switch to Go modules
- Use golang/x/crypto for ed25519
- Update Go version
- Update dependency versions
- Fixes from using Gosec for source analysis
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit f32731f902 fixed a potential panic
when an error was returned while trying to get existing credentials.
However, other code paths currently use the result of `GetDefaultAuthConfig()`
even in an error condition; this resulted in a panic, because a `nil` was
returned.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The created time of the containerd is initialized with nanoseconds,
it seems to be a mistake.
In other places of the code, this field is initialized with seconds:
$ grep -rh 'time\.Now()\.Unix()' | grep Created
Created: time.Now().Unix(),
Created: time.Now().Unix(),
return []image.HistoryResponseItem{{ID: img, Created: time.Now().Unix()}}, nil
We can also see the the formatter assumes it to be seconds:
cli/command/formatter/container.go
----
func (c *ContainerContext) CreatedAt() string {
return time.Unix(c.c.Created, 0).String()
}
Interestingly, initializing the field with nanoseconds seems to work,
except on mips architecture, where it causes some kind of overflow.
~~~~
=== Failed
=== FAIL: cli/command/container TestContainerListWithoutFormat (0.00s)
list_test.go:183: assertion failed:
--- expected
+++ actual
@@ -1,7 +1,7 @@
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
-container_id busybox:latest "top" Less than a second ago Up 1 second c1
-container_id busybox:latest "top" Less than a second ago Up 1 second c2
-container_id busybox:latest "top" Less than a second ago Up 1 second 80-82/tcp c3
-container_id busybox:latest "top" Less than a second ago Up 1 second 81/udp c4
-container_id busybox:latest "top" Less than a second ago Up 1 second 8.8.8.8:82->82/tcp c5
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second c1
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second c2
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second 80-82/tcp c3
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second 81/udp c4
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second 8.8.8.8:82->82/tcp c5
=== FAIL: cli/command/container TestContainerListNoTrunc (0.00s)
list_test.go:198: assertion failed:
--- expected
+++ actual
@@ -1,4 +1,4 @@
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
-container_id busybox:latest "top" Less than a second ago Up 1 second c1
-container_id busybox:latest "top" Less than a second ago Up 1 second c2,foo/bar
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second c1
+container_id busybox:latest "top" -153722867 minutes ago Up 1 second c2,foo/bar
~~~~
Logs above taken from:
https://buildd.debian.org/status/fetch.php?pkg=docker.io&arch=mipsel&ver=20.10.0%7Erc1%2Bdfsg3-1&stamp=1606895899
~~~~
=== RUN TestChtimesLinux
chtimes_linux_test.go:87: Expected: 2262-04-11 23:47:16 +0000 UTC, got: 1990-01-27 10:50:44 +0000 UTC
--- FAIL: TestChtimesLinux (0.00s)
=== RUN TestChtimes
chtimes_test.go:92: Expected: 2262-04-11 23:47:16 +0000 UTC, got: 1990-01-27 10:50:44 +0000 UTC
--- FAIL: TestChtimes (0.00s)
~~~~
Logs above taken from:
https://buildd.debian.org/status/fetch.php?pkg=docker.io&arch=mips64el&ver=20.10.0%7Erc1%2Bdfsg3-1&stamp=1606895622
Signed-off-by: Arnaud Rebillout <elboulangero@gmail.com>
Distributions uses generate-man.sh to create man pages, however it only
assumes a container environment and attempts to build binaries towards
`/go` which might be an illegal path in `fakeroot`.
This patch ensures we only build `md2man` from the vendored sources if
the command is not present. This allows distributions to supply thier
packaged `md2man`.
Signed-off-by: Morten Linderud <morten@linderud.pw>
Docker Engine v20.10 and up includes optimizations to verify if images in the
local image cache need updating before pulling, preventing the Docker Engine
from making unnecessary API requests. These optimizations require the container
image registry to conform to the Open Container Initiative Distribution Specification
(https://github.com/opencontainers/distribution-spec).
While most registries conform to the specification, we encountered some registries
to be non-compliant, resulting in `docker pull` to fail.
As a temporary solution, Docker Engine v20.10 includes a fallback mechanism to
allow `docker pull` to be functional when using a non-compliant registry. A
warning message is printed in this situation:
WARNING Failed to pull manifest by the resolved digest. This registry does not
appear to conform to the distribution registry specification; falling back to
pull by tag. This fallback is DEPRECATED, and will be removed in a future
release.
The fallback is added to allow users to either migrate their images to a compliant
registry, or for these registries to become compliant.
Note that this fallback only addresses failures on `docker pull`. Other commands,
such as `docker stack deploy`, or pulling images with `containerd` will continue
to fail.
Given that other functionality is still broken with these registries, we consider
this fallback a _temporary_ solution, and will remove the fallback in an upcoming
major release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/moby/buildkit/compare/v0.8.0-rc2...v0.8.0
note that this is currently a few commits "behind" the version used in docker,
but changes since v0.8.0 do not affect the code that's vendored in the CLI,
so prefering to use a tagged version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like the YAML conversion doesn't like lines starting with `[`, and
causing it to use the "compact" formatting in the generated YAML.
This patch un-wraps these lines to prevent this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 7f0af18e79...bea5bbe245
- Fix windows integer overflow on GOOS=windows, GOARCH=arm
- go.mod: github.com/creack/pty v1.1.11
- v1.1.11: Add arm support for OpenBSD
- v1.1.10: Fix CTTY to work with go1.15
- CI: fix Go version matrix, and drop go 1.12, add go 1.15
- CI: remove "sudo" to fix incorrect Go versions (incorrect PATH, GOROOT)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 318312a373...0b889c03f1
- v1/stats: add all fields of memory.oom_control
- memory: remove wrong memory.kmem.limit_in_bytes check
- CI: test against Go 1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: ae3a8d7530...0834f99b7b
- walker: fix notadir error
- improving error returns
- more typed errors
- remove extra verbosity (eg. PathError already contains action and path)
- ensure stack traces are added to errors
- various testing and linting fixes
- copy: use Clonefileat from golang.org/x/sys/unix on macOS
- go.mod: update opencontainers/go-digest v1.0.0
- github: test go1.15
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 75b288015a...c1f2f97bff
relevant changes:
- pkcs12: document that we use the wrong PEM type
- pkcs12: drop PKCS#12 attributes with unknown OIDs
- ocsp: Improve documentation for ParseResponse and ParseResponseForCert
other changes (not in vendor);
- ssh: improve error message for KeyboardInteractiveChallenge
- ssh: remove slow unnecessary diffie-hellman-group-exchange primality check
- ssh/terminal: replace with a golang.org/x/term wrapper
- Deprecates ssh/terminal in favor of golang.org/x/term
- ssh/terminal: add support for zos
- ssh/terminal: bump x/term dependency to fix js/nacl
- nacl/auth: use Size instead of KeySize for Sum output
- sha3: remove go:nocheckptr annotation
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Will display when user types `docker help` or `docker --help`, but not for `docker run --help`.
Signed-off-by: Guillaume Tardif <guillaume.tardif@gmail.com>
Repeated builds of docker is currently unreproducible as the embedded
time does not support SOURCE_DATE_EPOCH. This patch ensures we check for
the defined variable before utilizing current date.
This has been fixed previously with manpages as well
2d7091aaeb
Signed-off-by: Morten Linderud <morten@linderud.pw>
This hack was added in an attempt to continue supporting the experimental
(non-buildkit) `--platform` option, by dynamically updating the API version
required if buildkit isn't enabled.
This hack didn't work, however, because at the moment the override is
added, the command is not yet attached to the "root" (`docker`) command,
and because of that, the command itself is the `root` command;
`cmd.Root()` returned the `build` command.
As a result, validation steps defined as `PersistentPreRunE` on the root
command were not executed, causing invalid flags/options to not producing
an error.
Attempts to use an alternative approach (for example, cobra supports both
a `PersistentPreRun` and `PersistentPreRunE`) did not work either, because
`PersistentPreRunE` takes precedence over `PersistentPreRun`, and only one
will be executed.
Now that `--platform` should be supported for other cases than just for
experimental (LCOW), let's remove the 'experimental' check, and just assume
it's supported for API v1.32 and up.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
diffs and relevant changes:
docker/docker: c2cc352355...af34b94a78
- replace pkg/symlink with github.com/moby/sys/symlink
moby/sys: 6154f11e68...1bc8673b57
changes:
- mount, mountinfo: Add support for OpenBSD in addition to FreeBSD
- mount, mountinfo: Exclude macOS (darwin)
- mount.RecursiveUnmount(): minor improvements
- mount.RecursiveUnmount: add a fast path
- mount: bump mountinfo to v0.3.1
- mount: Some refactor and improved GoDoc about Windows support
- mount: use MNT_* flags from golang.org/x/sys/unix on freebsd (reduces use of cgo)
- mountinfo.Mounted: add fast path for Linux using openat2
- mountinfo.Mounted: optimize by adding fast paths
- mountinfo: correctness improvements
- mountinfo: deprecate PidMountInfo
- mountinfo: fix not showing package doc, typos
- mountinfo: fix path unescaping
- mountinfo: make GetMountinfoFromReader Linux-specific
- mountinfo: rename FstypeFilter -> FSTypeFilter, fix FilterFunc docs
- mountinfo: use idiomatic naming for fields
- Migrate github.com/docker/docker/pkg/symlink
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
To create this, I ran every JSON document through `jq -S` (which sorts the keys and consistently pretty-prints the result in a format which matches the majority of documents in this file).
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
full diff: 73f35e472e...7f0af18e79
- update gotest.tools to v3
- Use unix.Ioctl{Get,Set}Termios on all unix platforms
- Make Termios type alias, remove casts
vendor: golang.org/x/sys eeed37f84f13f52d35e095e8023ba65671ff86a1
ed371f2e16...eeed37f84f
- all: add GOOS=ios
- unix: add back IoctlCtlInfo on darwin
- windows: add SetConsoleCursorPosition
- unix: update Dockerfile to Linux 5.9 and Go 1.15.2 (adds `CAP_CHECKPOINT_RESTORE`)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Docker v17.07 introduced an experimental `--stream` flag on `docker build` which
allowed the build-context to be incrementally sent to the daemon, instead of
unconditionally sending the whole build-context.
This functionality has been reimplemented as part of BuildKit, which uses streaming
by default and the `--stream` option will be ignored when using the classic builder,
printing a deprecation warning instead.
Users that want to use this feature are encouraged to enable BuildKit by setting
the `DOCKER_BUILDKIT=1` environment variable or through the daemon or CLI configuration
files.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While performance will be worse, we can safely ignore the --stream
option when used, and print a deprecation warning instead of failing
the build.
With this patch:
echo -e "FROM scratch\nLABEL foo=bar" | docker build --stream -
DEPRECATED: The experimental --stream flag has been removed and the build context
will be sent non-streaming. Enable BuildKit instead with DOCKER_BUILDKIT=1
to stream build context, see https://docs.docker.com/go/buildkit/
Sending build context to Docker daemon 2.048kB
Step 1/2 : FROM scratch
--->
Step 2/2 : LABEL foo=bar
---> Running in 99e4021085b6
Removing intermediate container 99e4021085b6
---> 1a7a41be241f
Successfully built 1a7a41be241f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Caught by CodeQL:
> Incorrect conversion of an integer with architecture-dependent bit size
> from strconv.ParseUint to a lower bit size type uint16 without an upper
> bound check.
fixes https://github.com/docker/cli/security/code-scanning/2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
While running a plugin and canceling with SIGTERM, main process will
close right away without letting the plugin close itself down and handle
the exit code properly. Add appcontext that is useful for handling
sigterm, as well as supporting sigkill when things go wrong.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
full diff: https://github.com/gofrs/flock/compare/v0.7.1...v0.7.3
Relevant changes:
- fix: close/Unlock won't close the file descriptor if not locked
- fix license text, update year
Note that there's also a v0.8.0 release; that release only adds aix support,
which is currently of no interest to us, so skipping that version for now.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/spf13/cobra/compare/v1.0.0...v1.1.1
Notable changes:
- Extend Go completions and revamp zsh comp
- Add completion for help command
- Complete subcommands when TraverseChildren is set
- Fix stderr printing functions
- fix: fish output redirection
- fix manpage building with new go-md2man
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The experimental feature to run Linux containers on Windows (LCOW) was introduced
as a technical preview in Docker 17.09. While many enhancements were made after
its introduction, the feature never reached completeness, and development has
now stopped in favor of running docker natively on Linux in WSL2.
Developers that need to run Linux workloads on a Windows host are encouraged
to use Docker Desktop with WSL2 instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The CLI disabled experimental features by default, requiring users
to set a configuration option to enable them.
Disabling experimental features was a request from Enterprise users
that did not want experimental features to be accessible.
We are changing this policy, and now enable experimental features
by default. Experimental features may still change and/or removed,
and will be highlighted in the documentation and "usage" output.
For example, the `docker manifest inspect --help` output now shows:
EXPERIMENTAL:
docker manifest inspect is an experimental feature.
Experimental features provide early access to product functionality. These features
may change between releases without warning or can be removed entirely from a future
release. Learn more about experimental features: https://docs.docker.com/go/experimental/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
All output of the usage / --help output uses spaces, and having a tab
in the output can be somewhat cumbersome (e.g. our YAML docs generator
doesn't like them, and copy/pasing the output in iTerm produces a warning).
This patch changes the output to use two spaces instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some deprecations are ammended during a major (YY.MM) release, to
inform users as early as possible about deprecations. Removing the
minor version from this overview clarifies that features are
marked deprecated during which major release's lifecycle.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Analysis takes more than 10 minutes, which is quite long to
run, so change it to only run on a cron job.
Also changing the cron to run on Thursdays instead of Fridays;
no need to worry about security issues during the Weekend.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This feature went GA, so adding this workflow again. Workflow
is updated to the suggested template when enabling.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.6.0...v1.7.0
removes dependency on github.com/konsorten/go-windows-terminal-sequences
Features:
* a new buffer pool management API has been added
* a set of `<LogLevel>Fn()` functions have been added
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If a file contains trailing whitespace, the YAML generator uses a
compact format, which is hard to read.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When initializing the API client, the User-Agent was added to any custom
HTTPHeaders that were configured. However, because the map was not properly
dereferenced, the original map was modified, causing the User-Agent to also
be saved to config.json after `docker login` and `docker logout`:
Before this change;
$ cat ~/.docker/config.json
cat: can't open '/root/.docker/config.json': No such file or directory
$ docker login -u myusername
Password:
...
Login Succeeded
$ cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "<base64 auth>"
}
},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.12 (linux)"
}
}
$ docker logout
{
"auths": {},
"HttpHeaders": {
"User-Agent": "Docker-Client/19.03.12 (linux)"
}
}
After this change:
$ cat ~/.docker/config.json
cat: can't open '/root/.docker/config.json': No such file or directory
$ docker login -u myusername
Password:
...
Login Succeeded
$ cat ~/.docker/config.json
{
"auths": {
"https://index.docker.io/v1/": {
"auth": "<base64 auth>"
}
}
}
$ docker logout
Removing login credentials for https://index.docker.io/v1/
$ cat ~/.docker/config.json
{
"auths": {}
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 01cd748eb6 started using
Dockerfile features that are currently only supported with
buildkit enabled.
While we enabled buildkit in our Jenkinsfile, the makefile
did not do the same, causing some targets to fail if buildkit
was not enabled.
This patch updates the makefile to enable buildkit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Dockerfile `ENV` instruction allows values to be set using either `ENV name=value`
or `ENV name value`. The latter (`ENV name value`) form can be ambiguous, for example,
the following defines a single env-variable (`ONE`) with value `"TWO= THREE=world"`,
but may have intended to be setting three env-vars:
ENV ONE TWO= THREE=world
This format also does not allow setting multiple environment-variables in a single
`ENV` line in the Dockerfile.
Use of the `ENV name value` syntax is discouraged, and may be removed in a future
release. Users are encouraged to update their Dockerfiles to use the `ENV name=value`
syntax, for example:
ENV ONE="" TWO="" THREE="world"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `ENV key value` form can be ambiguous, for example, the following defines
a single env-variable (`ONE`) with value `"TWO= THREE=world"`:
ENV ONE TWO= THREE=world
While we cannot deprecate/remove that syntax (as it would break existing
Dockerfiles), we should reduce exposure of the format in our examples.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These annotations use `nil` as value, which caused the flag-hiding functions
to ignore the annotations, and therefore not hiding the flags.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/containerd/containerd/compare/v1.4.0...v1.4.1
Welcome to the v1.4.1 release of containerd!
The first patch release for `containerd` 1.4 includes a fix for v1 shims hanging
on exit and exec when the log pipe fills up along with other minor changes.
Notable Updates:
* Always consume shim logs to prevent logs in the shim from blocking
* Fix error deleting v2 bundle directory when removing rootfs returns `ErrNotExist`
* Fix metrics monitoring of v2 runtime tasks
* Fix incorrect stat for Windows containers
* Fix devmapper device deletion on rollback
* Update seccomp default profile
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This implements a special "RESET" value that can be used to reset the
list of capabilities to add/drop when updating a service.
Given the following service;
| CapDrop | CapAdd |
| -------------- | ------------- |
| CAP_SOME_CAP | |
When updating the service, and applying `--cap-drop RESET`, the "drop" list
is reset to its default:
| CapDrop | CapAdd |
| -------------- | ------------- |
| | |
When updating the service, and applying `--cap-drop RESET`, combined with
`--cap-add CAP_SOME_CAP` and `--cap-drop CAP_SOME_OTHER_CAP`:
| CapDrop | CapAdd |
| -------------- | ------------- |
| CAP_FOO_CAP | CAP_SOME_CAP |
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adding/removing capabilities when updating a service is considered a tri-state;
- if the capability was previously "dropped", then remove it from "CapabilityDrop",
but do NOT add it to "CapabilityAdd". However, if the capability was not yet in
the service's "CapabilityDrop", then simply add it to the service's "CapabilityAdd"
- likewise, if the capability was previously "added", then remove it from
"CapabilityAdd", but do NOT add it to "CapabilityDrop". If the capability was
not yet in the service's "CapabilityAdd", then simply add it to the service's
"CapabilityDrop".
In other words, given a service with the following:
| CapDrop | CapAdd |
| -------------- | ------------- |
| CAP_SOME_CAP | |
When updating the service, and applying `--cap-add CAP_SOME_CAP`, the previously
dropped capability is removed:
| CapDrop | CapAdd |
| -------------- | ------------- |
| | |
When updating the service a second time, applying `--cap-add CAP_SOME_CAP`,
capability is now added:
| CapDrop | CapAdd |
| -------------- | ------------- |
| | CAP_SOME_CAP |
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When creating and updating services, we need to avoid unneeded service churn.
The interaction of separate lists to "add" and "drop" capabilities, a special
("ALL") capability, as well as a "relaxed" format for accepted capabilities
(case-insensitive, `CAP_` prefix optional) make this rather involved.
This patch updates how we handle `--cap-add` / `--cap-drop` when _creating_ as
well as _updating_, with the following rules/assumptions applied:
- both existing (service spec) and new (values passed through flags or in
the compose-file) are normalized and de-duplicated before use.
- the special "ALL" capability is equivalent to "all capabilities" and taken
into account when normalizing capabilities. Combining "ALL" capabilities
and other capabilities is therefore equivalent to just specifying "ALL".
- adding capabilities takes precedence over dropping, which means that if
a capability is both set to be "dropped" and to be "added", it is removed
from the list to "drop".
- the final lists should be sorted and normalized to reduce service churn
- no validation of capabilities is handled by the client. Validation is
delegated to the daemon/server.
When deploying a service using a docker-compose file, the docker-compose file
is *mostly* handled as being "declarative". However, many of the issues outlined
above also apply to compose-files, so similar handling is applied to compose
files as well to prevent service churn.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The shorthand `-v` will auto-create the host-path as a directory if
the socket is not yet up, instead of failing the container. To prevent
accidental creation of `/var/run/docker.sock` as a directory, use
the `--mount` flag instead, which does not auto-create host-paths.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Bash is installed already, so we might as well use it as a default.
This also removes the DOCKER_CLI_SHELL variable, which was added
in b039db985a to allow using bash
instead of (a)sh. Now that Bash is the default, there should be
no need to override, and we can keep things simple.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The tabwriter was configured to have a min-width for columns of 20 positions.
This seemed quite wide, and caused smaller columns to be printed with a large
gap between.
Before:
docker container stats
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
29184b3ae391 amazing_shirley 0.00% 800KiB / 1.944GiB 0.04% 1.44kB / 0B 0B / 0B 1
403c101bad56 agitated_swartz 0.15% 34.31MiB / 1.944GiB 1.72% 10.2MB / 206kB 0B / 0B 51
0dc4b7f6c6be container2 0.00% 1.012MiB / 1.944GiB 0.05% 12.9kB / 0B 0B / 0B 5
2d99abcc6f62 container99 0.00% 972KiB / 1.944GiB 0.05% 13kB / 0B 0B / 0B 5
9f9aa90173ac foo 0.00% 820KiB / 1.944GiB 0.04% 13kB / 0B 0B / 0B 5
docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
29184b3ae391 docker-cli-dev "ash" 4 hours ago Up 4 hours amazing_shirley
403c101bad56 docker-dev:master "hack/dind bash" 3 days ago Up 3 days agitated_swartz
0dc4b7f6c6be nginx:alpine "/docker-entrypoint.…" 4 days ago Up 4 days 80/tcp container2
2d99abcc6f62 nginx:alpine "/docker-entrypoint.…" 4 days ago Up 4 days 80/tcp container99
9f9aa90173ac nginx:alpine "/docker-entrypoint.…" 4 days ago Up 4 days 80/tcp foo
docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-cli-dev latest 5f603caa04aa 4 hours ago 610MB
docker-cli-native latest 9dd29f8d387b 4 hours ago 519MB
docker-dev master 8132bf7a199e 3 days ago 2.02GB
docker-dev improve-build-errors 69e208994b3f 11 days ago 2.01GB
docker-dev refactor-idtools 69e208994b3f 11 days ago 2.01GB
After:
docker container stats
CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS
29184b3ae391 amazing_shirley 0.14% 5.703MiB / 1.944GiB 0.29% 1.44kB / 0B 0B / 0B 10
403c101bad56 agitated_swartz 0.15% 56.97MiB / 1.944GiB 2.86% 10.2MB / 206kB 0B / 0B 51
0dc4b7f6c6be container2 0.00% 1016KiB / 1.944GiB 0.05% 12.9kB / 0B 0B / 0B 5
2d99abcc6f62 container99 0.00% 956KiB / 1.944GiB 0.05% 13kB / 0B 0B / 0B 5
9f9aa90173ac foo 0.00% 980KiB / 1.944GiB 0.05% 13kB / 0B 0B / 0B 5
docker container ls
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
29184b3ae391 docker-cli-dev "ash" 12 minutes ago Up 12 minutes amazing_shirley
403c101bad56 docker-dev:master "hack/dind bash" 3 days ago Up 3 days agitated_swartz
0dc4b7f6c6be nginx:alpine "/docker-entrypoint.…" 4 days ago Up 4 days 80/tcp container2
2d99abcc6f62 nginx:alpine "/docker-entrypoint.…" 4 days ago Up 4 days 80/tcp container99
9f9aa90173ac nginx:alpine "/docker-entrypoint.…" 4 days ago Up 4 days 80/tcp foo
docker image ls
REPOSITORY TAG IMAGE ID CREATED SIZE
docker-cli-dev latest 5f603caa04aa 4 hours ago 610MB
docker-cli-native latest 9dd29f8d387b 4 hours ago 519MB
docker-dev master 8132bf7a199e 3 days ago 2.02GB
docker-dev improve-build-errors 69e208994b3f 11 days ago 2.01GB
docker-dev refactor-idtools 69e208994b3f 11 days ago 2.01GB
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
os.LookupEnv() was not available yet at the time this was
implemented, but now provides the functionality we need,
so replacing our custom handling.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Running `make dynbinary` inside the dev-container failed because
gcc was not installed. Adding the `build-base` metapackage, which
has gcc, make, g++ and other packages that are needed.
Before this change:
$ make -f docker.Makefile shell
$$ make dynbinary
./scripts/build/dynbinary
Building dynamically linked build/docker-linux-amd64
# github.com/docker/cli/cmd/docker
/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exec: "gcc": executable file not found in $PATH
make: *** [Makefile:63: dynbinary] Error 2
With this patch applied
$ make -f docker.Makefile shell
$$ make dynbinary
./scripts/build/dynbinary
Building dynamically linked build/docker-linux-amd64
$$ echo $?
0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The vanity domain is down, and the project has moved
to a new location.
vendor check started failing because of this:
Collecting initial packages
Download dependencies
unrecognized import path "vbom.ml/util" (https fetch: Get https://vbom.ml/util?go-get=1: dial tcp: lookup vbom.ml on 169.254.169.254:53: no such host)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When using `docker rm` / `docker container rm` with the `-f` / `--force` option, attempts to remove non-existing containers should print a warning, but should return a zero exit code ("successful").
Currently, a non-zero exit code is returned, marking the removal as "failed";
$ docker rm -fv 798c9471b695
Error: No such container: 798c9471b695
$ echo $?
1
The command should match the behavior of `rm` / `rm -f`, with the exception that
a warning is printed (instead of silently ignored):
Running `rm` with `-f` silences output and returns a zero exit code:
touch some-file && rm -f no-such-file some-file; echo exit code: $?; ls -la
# exit code: 0
# total 0
# drwxr-xr-x 2 sebastiaan staff 64 Aug 14 12:17 .
# drwxr-xr-x 199 sebastiaan staff 6368 Aug 14 12:13 ..
mkdir some-directory && rm -rf no-such-directory some-directory; echo exit code: $?; ls -la
# exit code: 0
# total 0
# drwxr-xr-x 2 sebastiaan staff 64 Aug 14 12:17 .
# drwxr-xr-x 199 sebastiaan staff 6368 Aug 14 12:13 ..
Note that other reasons for a delete to fail should still result in a non-zero
exit code, matching the behavior of `rm`. For instance, in the example below,
the `rm` failed because directories can only be removed if the `-r` option is used;
touch some-file && mkdir some-directory && rm -f some-directory no-such-file some-file; echo exit code: $?; ls -la
# rm: some-directory: is a directory
# exit code: 1
# total 0
# drwxr-xr-x 3 sebastiaan staff 96 Aug 14 14:15 .
# drwxr-xr-x 199 sebastiaan staff 6368 Aug 14 12:13 ..
# drwxr-xr-x 2 sebastiaan staff 64 Aug 14 14:15 some-directory
This patch updates the `docker rm` / `docker container rm` command to not produce
an error when attempting to remove a missing containers, and instead only print
the error, but return a zero (0) exit code.
With this patch applied:
docker create --name mycontainer busybox \
&& docker rm nosuchcontainer mycontainer; \
echo exit code: $?; \
docker ps -a --filter name=mycontainer
# df23cc8573f00e97d6e948b48d9ea7d75ce3b4faaab4fe1d3458d3bfa451f39d
# mycontainer
# Error: No such container: nosuchcontainer
# exit code: 0
# CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Add support for --gpus to run/create container in bash and zsh
- Remove --group from run and update container as it's not a valid flag in zsh
- Add --group-add --group-rm for create and update update service in bash
Signed-off-by: Richard Chen Zheng <58443436+rchenzheng@users.noreply.github.com>
Combining `-add` and `-rm` flags on `docker service update` should
be usable to explicitly replace existing options. The current order
of processing did not allow this, causing the `-rm` flag to remove
properties that were specified in `-add`. This behavior was inconsistent
with (for example) `--host-add` and `--host-rm`.
This patch updates the behavior to first remove properties, then
add new properties.
Note that there's still some improvements to make, to make the removal
more granulas (e.g. to make `--label-rm label=some-value` only remove
the label if value matches `some-value`); these changes are left for
a follow-up.
Before this change:
-----------------------------
Create a service with two env-vars
```bash
docker service create --env FOO=bar --env BAR=baz --name=test nginx:alpine
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Env }}' test | jq .
[
"FOO=bar",
"BAR=baz"
]
```
Update the service, with the intent to replace the value of `FOO` for a new value
```bash
docker service update --env-rm FOO --env-add FOO=updated-foo test
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Env }}' test | jq .
[
"BAR=baz"
]
```
Create a service with two labels
```bash
docker service create --label FOO=bar --label BAR=baz --name=test nginx:alpine
docker service inspect --format '{{json .Spec.Labels }}' test | jq .
{
"BAR": "baz",
"FOO": "bar"
}
```
Update the service, with the intent to replace the value of `FOO` for a new value
```bash
docker service update --label-rm FOO --label-add FOO=updated-foo test
docker service inspect --format '{{json .Spec.Labels }}' test | jq .
{
"BAR": "baz"
}
```
Create a service with two container labels
```bash
docker service create --container-label FOO=bar --container-label BAR=baz --name=test nginx:alpine
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Labels }}' test | jq .
{
"BAR": "baz",
"FOO": "bar"
}
```
Update the service, with the intent to replace the value of `FOO` for a new value
```bash
docker service update --container-label-rm FOO --container-label-add FOO=updated-foo test
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Labels }}' test | jq .
{
"BAR": "baz",
}
```
With this patch applied:
--------------------------------
Create a service with two env-vars
```bash
docker service create --env FOO=bar --env BAR=baz --name=test nginx:alpine
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Env }}' test | jq .
[
"FOO=bar",
"BAR=baz"
]
```
Update the service, and replace the value of `FOO` for a new value
```bash
docker service update --env-rm FOO --env-add FOO=updated-foo test
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Env }}' test | jq .
[
"BAR=baz",
"FOO=updated-foo"
]
```
Create a service with two labels
```bash
docker service create --label FOO=bar --label BAR=baz --name=test nginx:alpine
docker service inspect --format '{{json .Spec.Labels }}' test | jq .
{
"BAR": "baz",
"FOO": "bar"
}
```
Update the service, and replace the value of `FOO` for a new value
```bash
docker service update --label-rm FOO --label-add FOO=updated-foo test
docker service inspect --format '{{json .Spec.Labels }}' test | jq .
{
"BAR": "baz",
"FOO": "updated-foo"
}
```
Create a service with two container labels
```bash
docker service create --container-label FOO=bar --container-label BAR=baz --name=test nginx:alpine
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Labels }}' test | jq .
{
"BAR": "baz",
"FOO": "bar"
}
```
Update the service, and replace the value of `FOO` for a new value
```bash
docker service update --container-label-rm FOO --container-label-add FOO=updated-foo test
docker service inspect --format '{{json .Spec.TaskTemplate.ContainerSpec.Labels }}' test | jq .
{
"BAR": "baz",
"FOO": "updated-foo"
}
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The docker CLI up until v1.7.0 used the `~/.dockercfg` file to store credentials
after authenticating to a registry (`docker login`). Docker v1.7.0 replaced this
file with a new CLI configuration file, located in `~/.docker/config.json`. When
implementing the new configuration file, the old file (and file-format) was kept
as a fall-back, to assist existing users with migrating to the new file.
Given that the old file format encourages insecure storage of credentials
(credentials are stored unencrypted), and that no version of the CLI since
Docker v1.7.0 has created this file, the file is marked deprecated, and support
for this file will be removed in a future release.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When doing `docker service inspect --pretty` on services without
`TaskTemplate.Resources` or `TaskTemplate.Resources.Limits`, the command
fails. This is due to a missing check on ResourceLimitPids().
This bug has been introduced by 395a6d560d
and produces following error message:
```
Template parsing error: template: :139:10: executing "" at <.ResourceLimitPids>: error calling ResourceLimitPids: runtime error: invalid memory address or nil pointer dereference
```
Signed-off-by: Albin Kerouanton <albin@akerouanton.name>
full diff: 26c1120b8d...efbc4488d8
Relevant changes:
- sysx/xattr: fix and improve
- fix getxattrAll: change initial buffer size to 128 to prevent unneeded
iterations and change the logic to get the real size in case we get ERANGE
rather than doubling the buffer)
- improve listxattrAll; refactor for readability, prevent calling `listxattr()`
twice. Handle condition when attributes size is changed in between the two
calls to listxattr().
- Remove Windows' Readlink fork
- Drops support for Go 1.12 and under
- Fix sameFile() to recognize empty files as the same
- fixes "Empty files can diff as "modified" even when they're not"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: c2c7d7b0e1...ae3a8d7530
Relevant changes
- Update dependencies
- update docker/docker to current master
- update opencontainers/runc to v1.0.0-rc10
- update pkg/errors to v0.9.1 to support Go 1.13 errors
- update stretchr/testify to the latest version
- Drop support for go1.12, and use errors.Is() for error-detection
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: aaf470eca7...78e6ffd279
- Add DefaultAddressPools to Info
- Configure shims from runtime config
- pkg/archive: use containerd/sys to detect UserNamespaces
- removes github.com/opencontainers/runc/libcontainer/system dependency
- pkg/archive: Don't use init() to set unpigz path
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This feature does not appear to be generally available yet, so
reverting for now.
This reverts commit 454c1927c0.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Both libaries provide similar functionality. We're currently using
Google Shlex in more places, so prefering that one for now, but we
could decide to switch to mattn/go-shellwords in future if that
library is considered better (it looks to be more actively maintained,
but that may be related to it providing "more features").
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In situations where `~/.docker/config.json` was a symlink, saving
the file would replace the symlink with a file, instead of updating
the target file location;
mkdir -p ~/.docker
touch ~/real-config.json
ln -s ~/real-config.json ~/.docker/config.json
ls -la ~/.docker/config.json
# lrwxrwxrwx 1 root root 22 Jun 23 12:34 /root/.docker/config.json -> /root/real-config.json
docker login
# Username: thajeztah
# Password:
# Login Succeeded
ls -la ~/.docker/config.json
-rw-r--r-- 1 root root 229 Jun 23 12:36 /root/.docker/config.json
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The wrapping made the code harder to read (and in some cases destracted
from the actual code flow).
Some of these functions take too many arguments; instead of hiding that,
it probably better to make it apparent that something needs to be done
(and fix it :-)).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- change `validateResolveImageFlag()` to only perform _validation_,
and not combine it with modifying the option.
- use a `switch` instead of `if` in `validateResolveImageFlag()`
- `deployServices()`: break up some `switch` cases to make them
easier to read/understand the logic.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- TestParseRunAttach: use subtests to reduce cyclomatic complexity
- TestParseRunWithInvalidArgs: use subtests, and check if the expected
error is returned.
- Removed parseMustError() as it was mostly redundant
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/xeipuuv/gojsonschema/compare/v1.1.0...v1.2.0
- Fix a race condition when registering new formats.
- Improve the performance of uniqueItems.
- Fix an issue where integers would be shown as a fraction
- Require format to be of type string and formats can now be registered after a schema is parsed.
- Improve the handling of true and false schema.
- Fix an issue where an invalid schema would cause a panic.
- Properly handle file URIs that contain spaces.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/mitchellh/mapstructure/compare/v1.0.0...v1.3.2
v1.3.2
- Decode into interface type with a struct value is supported
v1.3.1
- Squash should only squash embedded structs.
v1.3.0
- Added `",omitempty"` support. This will ignore zero values in the source
structure when encoding.
v1.2.3
- Fix duplicate entries in Keys list with pointer values.
v1.2.2
- Do not add unsettable (unexported) values to the unused metadata key
or "remain" value.
v1.2.1
- Go modules checksum mismatch fix
v1.2.0
- Added support to capture unused values in a field using the `",remain"` value
in the mapstructure tag. There is an example to showcase usage.
- Added `DecoderConfig` option to always squash embedded structs
- `json.Number` can decode into `uint` types
- Empty slices are preserved and not replaced with nil slices
- Fix panic that can occur in when decoding a map into a nil slice of structs
- Improved package documentation for godoc
v1.1.2
- Fix error when decode hook decodes interface implementation into interface
type.
v1.1.1
- Fix panic that can happen in `decodePtr`
v1.1.0
- Added `StringToIPHookFunc` to convert `string` to `net.IP` and `net.IPNet`
- Support struct to struct decoding
- If source map value is nil, then destination map value is nil (instead of empty)
- If source slice value is nil, then destination slice value is nil (instead of empty)
- If source pointer is nil, then destination pointer is set to nil (instead of
allocated zero value of type)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If no env-vars were loaded from "files", and "overrides" was nil,
the code returned an empty slice instead of a `nil` value.
Also add a test for this function, as no unit test was present yet.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests failed when running natively on macOS;
unknown server OS: darwin
Skipping them, like we do on Windows
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, a warning would be printed if the `~/.docker/config.json`
file was empty:
mkdir -p ~/.docker && touch ~/.docker/config.json
docker pull busybox
WARNING: Error loading config file: /root/.docker/config.json: EOF
Using default tag: latest
....
Given that we also accept an empty "JSON" file (`{}`), it should be
okay to ignore an empty file, as it's effectively a configuration file
with no custom options set.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I'm not sure if this fixes anything, however I have seen some weird
behavior on Windows where temp config files are left around and there
doesn't seem to be any errors reported.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The output format was changed to combine tag and name in a single
column, but this change was never reflected in the docs.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously, if a registry AuthInfo was not present in the CLI config file, docker logout could not be used
to ask the credential helper to forget about it. It causes problem for people working with
multiple alternative config files, and it causes problems for cases like Docker Desktop w/ WSL 2, as
it uses the same win32 credential helper as the Windows CLI, but a different config file, leading to
bugs where I cannot logout from a registry from wsl2 if I logged in from Windows and vice-versa.
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
There's no need to perform an `os.Stat()` first, because
`os.Open()` also returns the same errors if the file does
not exist, or couldn't be opened for other reasons.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reflects a Moby change to add documentation around
disabling a new feature -- to use pgzip to decompress
layers, rather than the built-in go gzip.
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This creates a new section of environment variables in the CLI docs
which documents environment variables that can both be used on dockerd
and on docker cli.
In addition, it moves some of the environment variable documentation
from the docker cli documentation to the dockerd documentation, as
these environment variables are dockerd-specific.
Signed-off-by: Sargun Dhillon <sargun@sargun.me>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This prevents inconsistent errors when using a symlink, or when renaming
the binary;
Before this change;
ln -s $(which docker) toto
./toto rune
docker: 'rune' is not a docker command.
./toto run daslkjadslkjdaslkj
Unable to find image 'adslkjadslakdsj:latest' locally
./toto: Error response from daemon: pull access denied for adslkjadslakdsj, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
After this change:
ln -s $(which docker) toto
./toto rune
docker: 'rune' is not a docker command.
./toto run daslkjadslkjdaslkj
Unable to find image 'adslkjadslakdsj:latest' locally
docker: Error response from daemon: pull access denied for adslkjadslakdsj, repository does not exist or may require 'docker login': denied: requested access to the resource is den>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/gorilla/mux/compare/v1.7.3...v1.7.4
v1.7.4 addresses a number of performance improvements, bugs, and documentation
improvements.
- Reduce allocations in (*routeRegexp).getURLQuery
- Fixed golint warnings
- fix headers regexp test case
- Fix the CORSMethodMiddleware bug with subrouters
- Remove/cleanup request context helpers
- Guess the scheme if r.URL.Scheme is unset
- Added capacity to slice creation, when capacity is known
- Modified http status codes, using constants provided by the http package
- bugfix/subrouter custom methodNotAllowed handler returning 404
- Update README (self-host logo)
- Remove TravisCI badge
- Add documentation for using mux to serve a SPA
- Simplify code
- Avoid unnecessary conversion
- Update config.yml (#495) @elithrar
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously we only set the platform when performing a pull, which is
only initiated if pull always is set, or if the image reference does not
exist in the daemon.
The daemon now supports specifying which platform you wanted on
container create so it can validate the image reference is the platform
you thought you were getting.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
The Engine API docs are not available in this GitHub repository,
so linking to the docs.docker.com website instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Rewrite Jenkinsfile to new declarative syntax without parallel as the e2e framework is not tailored for than (container name clash, port clash,...)
Signed-off-by: Tibor Vass <tibor@docker.com>
Signed-off-by: Silvin Lubecki <silvin.lubecki@docker.com>
we were only one commit behind v1.0.0, so updating to that
version; we can do a follow-up to update to the latest minor
release (v1.3.0)
full diff: f15292f7a6...v1.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- replace the "none" code-hint with "console"
- some changes in the "experimental" instructions
- reformat some notes
- reformat / re-indent JSON output to use 2 spaces (for consistency)
- split JSON outputs to separate code-block so that it can be highlighted
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is not currently used by the CLI, but can be used by
docker compose to bring parity on this feature with the
compose v2.4 schema.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Temporarily vendoring tip of the release-1.x branch, to address
docker context inspect being slow on Windows because this package
performs user lookup through `os.Current()` during `init()`.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds the currently selected "docker context" to the output
of "docker version", which allows users to see which context
is selected to produce the version output, and can be used (for
example), to set the prompt to the currently selected context:
(in `~/.bashrc`):
```bash
function docker_context_prompt() {
PS1="context: $(docker version --format='{{.Client.Context}}')> "
}
PROMPT_COMMAND=docker_context_prompt
```
After reloading the `~/.bashrc`, the prompt now shows the currently selected
`docker context`:
```bash
$ source ~/.bashrc
context: default> docker context create --docker host=unix:///var/run/docker.sock my-context
my-context
Successfully created context "my-context"
context: default> docker context use my-context
my-context
Current context is now "my-context"
context: my-context> docker context use default
default
Current context is now "default"
context: default>
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Using `/var/run/docker.sock` as docker host is invalid, and causes
an error, so adding `unix://` to it.
In addition, we document the name of the context to go after the
options, so change the order in the examples.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/spf13/cobra/compare/v0.0.3...v1.0.0
Notable Changes
- Fish completion (including support for Go custom completion)
- API (urgent): Rename BashCompDirectives to ShellCompDirectives
- Remove/replace SetOutput on Command - deprecated
- Custom completions coded in Go (instead of Bash)
- Partial Revert of 922
- Correct documentation for InOrStdin
- Apply formatting to templates
- Revert change so help is printed on stdout again
- Update md2man to v2.0.0
- update viper to v1.4.0
- Update cmd/root.go example in README.md
vendor: update cpuguy83/go-md2man v2.0.0
full diff: https://github.com/cpuguy83/go-md2man/compare/v1.0.8...v2.0.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This flag type was not yet merged upstream, so instead of
using a fork of spf13/pflag, define the type locally, so that
we can vendor the upstream package again.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
2020/05/03 21:45:38 WARNING: package github.com/containerd/ttrpc is unused, consider removing it from vendor.conf
2020/05/03 21:45:38 WARNING: package github.com/opencontainers/runtime-spec is unused, consider removing it from vendor.conf
2020/05/03 21:45:38 WARNING: package github.com/syndtr/gocapability is unused, consider removing it from vendor.conf
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/sirupsen/logrus/compare/v1.5.0...v1.6.0
- Add flag to disable quotes in TextFormatter
- Revert "fix race conditions on entry"
- fixes Deadlock during Entry.Infof after upgrade to v1.5.0
- fixes Deadlock when using WithField inside of hook
- fixes Overly-aggressive mutex locks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1. Fix dead URL to [Dockerfile best practices](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#leverage-build-cache).
2. Add missing information about cache invalidation by `COPY`. It works in the same way as in the case of `ADD`. Informing only about the `ADD`s behavior is misleading as one can infer that these two directives differ in this regard.
3. Add missing info on RUN cache invalidation by COPY
Signed-off-by: Maciej Kalisz <maciej.d.kalisz@gmail.com>
This link was broken when generating the documentation (due to
a bug in Jekyll not converting wrapped internal links)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
* Added two new modes accepted by the `--mode` flag
* `replicated-job` creates a replicated job
* `global-job` creates a global job.
* When using `replicated-job` mode, the `replicas` flag sets the
`TotalCompletions` parameter of the job. This is the total number of
tasks that will run
* Added a new flag, `max-concurrent`, for use with `replicated-job`
mode. This flag sets the `MaxConcurrent` parameter of the job, which
is the maximum number of replicas the job will run simultaneously.
* When using `replicated-job` or `global-job` mode, using any of the
update parameter flags will result in an error, as jobs cannot be
updated in the traditional sense.
* Updated the `docker service ls` UI to include the completion status
(completed vs total tasks) if the service is a job.
* Updated the progress bars UI for service creation and update to
support jobs. For jobs, there is displayed a bar covering the overall
progress of the job (the number of tasks completed over the total
number of tasks to complete).
* Added documentation explaining the use of the new flags, and of jobs
in general.
Signed-off-by: Drew Erny <derny@mirantis.com>
Service create expects the name to be passed using the
`--name` flag, not as a positional parameter
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These packages are now living in their own repository. Updating
docker/docker to replace the dependencies.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch changes the package to lazily obtain the user's home-
directory on first use, instead of when initializing the package.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Currently the documentation uses a special case for this command,
so adding a description to the YAML in order to remove that
special case.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Colon may not be something non-native English readers
know about, so explain the symbol in the running text.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- add code-fences with code-hints so that the right hightlighting is applied
- replace `*` for `-` in bullet-lists for consistency with other parts of the
documentation.
- reduced number of "notes", either by combining some, or by changing some
to regular text.
- removed "line numbers" from some examples, because there's only four lines,
which should not need really need line numbers.
- reformat some notes to our new format
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- add code-fences with code-hints so that the right
hightlighting is applied
- reduced number of "notes", either by combining some,
or by changing some to regular text.
- use tables for some option lists
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- fix various broken links
- fix incorrect anchors
- updated links for content that moved, so that no
redirect to the new location is needed.
- touched-up Markdown;
- re-format some JSON output
- add blank line betweeen command and command output
- format "note" blocks
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
67ebcd6dcf added an exception for
the "host-gateway" magic value to the validation rules, but didn't
add thise value to any of the tests.
This patch adds the magic value to tests, to verify the validation
is skipped for this magic value.
Note that validation on the client side is "optional" and mostly
done to provide a more user-friendly error message for regular
values (IP-addresses).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- relates to moby/buildkit 1111
- relates to moby/buildkit 1079
- relates to docker/buildx 129
full diff: 9461782956...e31b211e4f
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Perform feature detection when actually needed, instead of during
initializing
- Version negotiation is performed either when making an API request,
or when (e.g.) running `docker help` (to hide unsupported features)
- Use a 2 second timeout when 'pinging' the daemon; this should be
sufficient for most cases, and when feature detection failed, the
daemon will still perform validation (and produce an error if needed)
- context.WithTimeout doesn't currently work with ssh connections (connhelper),
so we're only applying this timeout for tcp:// connections, otherwise
keep the old behavior.
Before this change:
time sh -c 'DOCKER_HOST=tcp://42.42.42.41:4242 docker help &> /dev/null'
real 0m32.919s
user 0m0.370s
sys 0m0.227s
time sh -c 'DOCKER_HOST=tcp://42.42.42.41:4242 docker context ls &> /dev/null'
real 0m32.072s
user 0m0.029s
sys 0m0.023s
After this change:
time sh -c 'DOCKER_HOST=tcp://42.42.42.41:4242 docker help &> /dev/null'
real 0m 2.28s
user 0m 0.03s
sys 0m 0.03s
time sh -c 'DOCKER_HOST=tcp://42.42.42.41:4242 docker context ls &> /dev/null'
real 0m 0.13s
user 0m 0.02s
sys 0m 0.02s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These options should never be changed, so using a const for them
instead of a var. Given that these are only used in the opt
package itself, they can be un-exported.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The non-experimental, experimental, and ssh-connhelper stages
are running the same tests, which makes it difficult to find
_which_ variant of the test failed if they all run in the
same stage.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker network prune` command removes unused custom networks,
but built-in networks won't be removed. This patch updates the
message to mention that it's only removing custom networks.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The trust tests were not resetting the environment after they
ran, which could result in tests following those tests to fail.
While at it, I also updated some other tests to use gotest.tools
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The deprecation policy was written when we had monthly releases
(edge+stable), and stable releases were released every 3 months.
The release cadence has changed to be longer than 3 months for
stable releases, so adjusting the policy accordingly.
Note that the policy continues to be "at least x releases", so
even though we _can_ remove a feature after one release, it does
not mean we _must_ remove it: announcing deprecations early helps
users migrate away from features we do not intent to support in
future.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This section was included on a page on docs.docker.com, but not linked
in the navigation. Putting the section on the deprecated features page
to be sure they can be found together.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
these markdown files are not consumed directly in the docs,
but only their content is included through the YAML does,
so there's no need to have these comments in them
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Unlike GitHub's web-UI, the "rouge" hightlighter used in our
online documentation is case-sensitive. As a result, code-blocks
having the Dockerfile (uppercase) code-hint were not highlighted.
This changes those to use lowercase, which is supported by both.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
If the markdown contains trailing spaces, or has tabs included,
the YAML generator uses a compact format for the text (using `\n`
and `\t`, instead of plain newlines).
The compact format makes it difficult to review changes in the
yaml docs when vendoring in the documentation repository.
This patch:
- removes trailing whitespace
- replaces tabs for spaces
- fixes some minor formatting and markdown issues
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The script was written to only take subcommands at the first and second level
into account, but failed to find the Markdown files for extended descriptions of
subcommands at the third level, such as `docker trust key generate`, and
`docker trust key load`:
WARN: /go/src/github.com/docker/cli/docs/reference/commandline/key_generate.md does not exist, skipping
WARN: /go/src/github.com/docker/cli/docs/reference/commandline/key_load.md does not exist, skipping
WARN: /go/src/github.com/docker/cli/docs/reference/commandline/signer_add.md does not exist, skipping
WARN: /go/src/github.com/docker/cli/docs/reference/commandline/signer_remove.md does not exist, skipping
This patch updates the script to accomodate subcommands that are more deeply
nested. While at it, some minor cleaning and linting issues were also addressed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These files were intended to document the `swarm join-token` and
`swarm unlock-key` subcommands, but were incorrectly using an underscore
instead of a hyphen (`-`). As a result, the examples were not picked up
by the yamldocs generator.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Relates to - moby/moby 40007
The above PR added support in moby, that detects if
a special string "host-gateway" is added to the IP
section of --add-host, and if true, replaces it with
a special IP value (value of --host-gateway-ip Daemon flag
which defaults to the IP of the default bridge).
This PR is needed to skip the validation for the above
feature
Signed-off-by: Arko Dasgupta <arko.dasgupta@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Also pinning the e2e image to the "buster" variant,
which is what's currently used, but making it explicit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, this would cause a panic:
docker run -it --rm -v 1:/1 alpine
panic: runtime error: index out of range
goroutine 1 [running]:
github.com/docker/cli/cli/compose/loader.isFilePath(0xc42027e058, 0x1, 0x557dcb978c20)
...
After this change, a correct error is returned:
docker run -it --rm -v 1:/1 alpine
docker: Error response from daemon: create 1: volume name is too short, names should be at least two alphanumeric characters.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 1d94cc7ab1...bac4c82f69
Version v0.0.0-20200220183623-bac4c82f6975 of golang.org/x/crypto fixes a
vulnerability in the golang.org/x/crypto/ssh package which allowed peers to
cause a panic in SSH servers that accept public keys and in any SSH client.
An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public
key, such that the library will panic when trying to verify a signature
with it. Clients can deliver such a public key and signature to any
golang.org/x/crypto/ssh server with a PublicKeyCallback, and servers can
deliver them to any golang.org/x/crypto/ssh client.
This issue was discovered and reported by Alex Gaynor, Fish in a Barrel,
and is tracked as CVE-2020-9283.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When printing services' tasks with `docker service ps` command, tasks are grouped only by task slot.
This leads to interleaving tasks from different services when `docker service ps` is called with multiple services.
Besides this, global services do not have slots at all and printing tasks for them doesn't group and
doesn't properly indent tasks with \_.
With this patch all tasks are grouped by service ID, slot and node ID (relevant only for global services) and it fixes issue 533.
Before this patch:
```console
docker service ps a b c
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
xbzm6ed776yw c.j1afavbqqhr21jvnid3nnfoyt nginx:alpine docker-desktop Running Running 5 seconds ago
4mcsovp8ckwn \_ c.j1afavbqqhr21jvnid3nnfoyt nginx:alpine docker-desktop Shutdown Shutdown 6 seconds ago
qpcgdsx1r21a b.1 nginx:alpine docker-desktop Running Running 2 seconds ago
kfjo1hly92l4 a.1 nginx:alpine docker-desktop Running Running 5 seconds ago
pubrerosvsw5 b.1 nginx:alpine docker-desktop Shutdown Shutdown 3 seconds ago
fu08gfi8tfyv a.1 nginx:alpine docker-desktop Shutdown Shutdown 7 seconds ago
pu6qmgyoibq4 b.2 nginx:alpine docker-desktop Running Ready 1 second ago
tz1n4hjne6pk \_ b.2 nginx:alpine docker-desktop Shutdown Shutdown less than a second ago
xq8dogqcbxd2 a.2 nginx:alpine docker-desktop Running Running 44 seconds ago
rm40lofzed0h a.3 nginx:alpine docker-desktop Running Starting less than a second ago
sqqj2n9fpi82 b.3 nginx:alpine docker-desktop Running Running 5 seconds ago
prv3gymkvqk6 \_ b.3 nginx:alpine docker-desktop Shutdown Shutdown 6 seconds ago
qn7c7jmjuo76 a.3 nginx:alpine docker-desktop Shutdown Shutdown less than a second ago
wi9330mbabpg a.4 nginx:alpine docker-desktop Running Running 2 seconds ago
p5oy6h7nkvc3 \_ a.4 nginx:alpine docker-desktop Shutdown Shutdown 3 seconds ago
```
After this patch:
```console
docker service ps a b c
ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS
kfjo1hly92l4 a.1 nginx:alpine docker-desktop Running Running 32 seconds ago
fu08gfi8tfyv \_ a.1 nginx:alpine docker-desktop Shutdown Shutdown 34 seconds ago
3pam0limnn24 a.2 nginx:alpine docker-desktop Running Running 23 seconds ago
xq8dogqcbxd2 \_ a.2 nginx:alpine docker-desktop Shutdown Shutdown 24 seconds ago
rm40lofzed0h a.3 nginx:alpine docker-desktop Running Running 26 seconds ago
qn7c7jmjuo76 \_ a.3 nginx:alpine docker-desktop Shutdown Shutdown 27 seconds ago
wi9330mbabpg a.4 nginx:alpine docker-desktop Running Running 29 seconds ago
p5oy6h7nkvc3 \_ a.4 nginx:alpine docker-desktop Shutdown Shutdown 30 seconds ago
qpcgdsx1r21a b.1 nginx:alpine docker-desktop Running Running 29 seconds ago
pubrerosvsw5 \_ b.1 nginx:alpine docker-desktop Shutdown Shutdown 30 seconds ago
pu6qmgyoibq4 b.2 nginx:alpine docker-desktop Running Running 26 seconds ago
tz1n4hjne6pk \_ b.2 nginx:alpine docker-desktop Shutdown Shutdown 27 seconds ago
sqqj2n9fpi82 b.3 nginx:alpine docker-desktop Running Running 32 seconds ago
prv3gymkvqk6 \_ b.3 nginx:alpine docker-desktop Shutdown Shutdown 33 seconds ago
xbzm6ed776yw c.j1afavbqqhr21jvnid3nnfoyt nginx:alpine docker-desktop Running Running 32 seconds ago
4mcsovp8ckwn \_ c.j1afavbqqhr21jvnid3nnfoyt nginx:alpine docker-desktop Shutdown Shutdown 33 seconds ago
```
Signed-off-by: Andrii Berehuliak <berkusandrew@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker search --automated` and `docker search --stars` options were
deprecated in release v1.12.0, and scheduled for removal in v17.09.
This patch removes the deprecated flags, in favor of their equivalent
`--filter` options (`docker search --filter=is-automated=<true|false>` and
`docker search --filter=stars=...`).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 7f9f9232dd...0f039a052c
- tonistiigi/fsutil#69 receive: use filter on receive diff
- prevents incremental transfers with userns because the metadata
on disk is always different than the one being transferred.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This dependency is references in the hcsshim package, but
was not added when hcsshim was updated in dff269b5e4
The missing dependency was printed as a warning by vndr:
WARNING: dependency is not vendored: github.com/containerd/cgroups/stats/v1
But somehow didn't get noticed in CI (possibly because our "make cross" builds
multiple targets, and a single failure isn't noticed?)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Below are the changes proposed.
- Corrected syntax error.
- Updated example commands to maintain consistency.
- Provided more clarity.
Signed-off-by: Venkateswara Reddy Bukkasamudram <bukkasamudram@outlook.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is required for supporting some Kubernetes distributions such as
rancher/k3s.
It comes with a test case validating correct parsing of a k3s kubeconfig
file
Signed-off-by: Simon Ferquel <simon.ferquel@docker.com>
Includes 69ecbb4d6d
(forward-port of 8b5121be2f),
which fixes CVE-2020-7919:
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/golang/go/compare/go1.12.15...go1.12.16
go1.12.16 (released 2020/01/28) includes two security fixes. One mitigates the
CVE-2020-0601 certificate verification bypass on Windows. The other affects only
32-bit architectures.
https://github.com/golang/go/issues?q=milestone%3AGo1.12.16+label%3ACherryPickApproved
- X.509 certificate validation bypass on Windows 10
A Windows vulnerability allows attackers to spoof valid certificate chains when
the system root store is in use. These releases include a mitigation for Go
applications, but it’s strongly recommended that affected users install the
Windows security update to protect their system.
This issue is CVE-2020-0601 and Go issue golang.org/issue/36834.
- Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue. The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of golang.org/x/crypto/cryptobyte.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `docker push` command up until [v0.9.1](https://github.com/moby/moby/blob/v0.9.1/api/client.go#L998)
always pushed all tags of a given image, so `docker push foo/bar` would push (e.g.)
all of `foo/bar:latest`, `foo:/bar:v1`, `foo/bar:v1.0.0`.
Pushing all tags of an image was not desirable in many case, so docker v0.10.0
enhanced `docker push` to optionally specify a tag to push (`docker push foo/bar:v1`)
(see https://github.com/moby/moby/issues/3411 and the pull request that implemented
this: https://github.com/moby/moby/pull/4948).
This behavior exists up until today, and is confusing, because unlike other commands,
`docker push` does not default to use the `:latest` tag when omitted, but instead
makes it push "all tags of the image"
For example, in the following situation;
```
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
thajeztah/myimage latest b534869c81f0 41 hours ago 1.22MB
```
Running `docker push thajeztah/myimage` seemingly does the expected behavior (it
pushes `thajeztah/myimage:latest` to Docker Hub), however, it does not so for the
reason expected (`:latest` being the default tag), but because `:latest` happens
to be the only tag present for the `thajeztah/myimage` image.
If another tag exists for the image:
```
docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
thajeztah/myimage latest b534869c81f0 41 hours ago 1.22MB
thajeztah/myimage v1.0.0 b534869c81f0 41 hours ago 1.22MB
```
Running the same command (`docker push thajeztah/myimage`) will push _both_ images
to Docker Hub.
> Note that the behavior described above is currently not (clearly) documented;
> the `docker push` reference documentation (https://docs.docker.com/engine/reference/commandline/push/)
does not mention that omitting the tag will push all tags
This patch changes the default behavior, and if no tag is specified, `:latest` is
assumed. To push _all_ tags, a new flag (`-a` / `--all-tags`) is added, similar
to the flag that's present on `docker pull`.
With this change:
- `docker push myname/myimage` will be the equivalent of `docker push myname/myimage:latest`
- to push all images, the user needs to set a flag (`--all-tags`), so `docker push --all-tags myname/myimage:latest`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/go-yaml/yaml/compare/v2.2.3...v2.2.8
includes:
- go-yaml/yaml 515 Improve heuristics preventing CPU/memory abuse
- go-yaml/yaml@f90ceb4f40 Fix check for non-map alias merging in v2
- fix for "yaml.Unmarshal crashes on "assignment to entry in nil map""
- go-yaml/yaml 543 Port stale simple_keys fix to v2
- go-yaml/yaml@1f64d6156d Fix issue in simple_keys improvements
- fixes "Invalid simple_keys now cause panics later in decode"
- go-yaml/yaml 555 Optimize cases with long potential simple_keys
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
With this change, go packages/modules that use versioned
import paths (github.com/foo/bar/v2), but don't use a directory
in the repository, can now be supported.
For example:
```
github.com/coreos/go-systemd/v22 v22.0.0
```
will vendor the github.com/coreos/go-systemd repository
into `vendor/github.com/coreos/go-systemd/v22`.
full diff: b177b583eb...v0.1.0
- LK4D4/vndr#79 Add more clear messages around clone failures
- LK4D4/vndr#80 add riscv64 support
- LK4D4/vndr#83 migrate bitbucket to api 2.0
- fixesLK4D4/vndr#82https://api.bitbucket.org/1.0/repositories/ww/goautoneg: 410 Gone
- LK4D4/vndr#86 Replace sort.Sort with sort.Strings
- LK4D4/vndr#87 support `github.com/coreos/go-systemd/v22`
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Added transforms for when merging compose overrides to preserve the
functionality that was broken by bumping mergo to v1.3.8
This includes:
- Special transform for ulimits so single overrides both soft/hard and
the reverse
- Special transform for service network configs so the override replaces
all aliases
Signed-off-by: Nick Adcock <nick.adcock@docker.com>
Before this patch:
docker push --quiet nosuchimage
docker.io/library/nosuchimage
echo $?
0
With this patch applied:
docker push --quiet nosuchimage:latest
An image does not exist locally with the tag: nosuchimage
echo $?
1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Comments should have a leading space unless the comment is
for special purposes (go:generate, nolint:)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Refactor code to allow mixed notation with -p flag.
Signed-off-by: Aleksander Piotrowski <apiotrowski312@gmail.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverses the order long-form port options when converted to short-form
to correctly match the documentation and `docker service create`.
Post change `-p published=8111,target=8112` is the equivalent of
`8111:8112`
Signed-off-by: Nick Adcock <nick.adcock@docker.com>
When using advanced syntax for setting config and secret values, default
the target value to the source value when the user does not specify a
target.
Signed-off-by: Nick Adcock <nick.adcock@docker.com>
Allow the use of the advanced source=x syntax for config and secret values when there is no comma
Before this change the following would fail with config not found:
docker service create --name hello1 --config source=myconfig nginx:alpine
And the following would fail with secret not found:
docker service create --name hello2 --secret source=mysecret nginx:alpine
Signed-off-by: Nick Adcock <nick.adcock@docker.com>
full diff: a09e6e323e...a9507c6f76
Includes:
- moby/moby#40077 Update "auto-generate" comments to improve detection by linters
- moby/moby#40143 registry: add a critical section to protect authTransport.modReq
- moby/moby#40212 Move DefaultCapabilities() to caps package
- moby/moby#40021 Use newer x/sys/windows SecurityAttributes struct (carry 40017)
- carries moby/moby#40017 Use newer x/sys/windows SecurityAttributes struct
- moby/moby#40135 pkg/system: make OSVersion an alias for hcsshim OSVersion
- follow-up to moby/moby#39100 Use Microsoft/hcsshim constants and deprecate pkg/system.GetOsVersion()
- moby/moby#40250 Bump hcsshim to b3f49c06ffaeef24d09c6c08ec8ec8425a0303e2
- moby/moby#40243 Use certs.d from XDG_CONFIG_HOME when in rootless mode
- fixesmoby/moby#40236 Docker rootless dies when unable to read /etc/docker/certs.d
- moby/moby#40283 Fix possible runtime panic in Lgetxattr
- moby/moby#40178 builder/remotecontext: small refactor
- moby/moby#40179 builder/remotecontext: allow ssh:// for remote context URLs
- fixesdocker/cli#2164 Docker build cannot resolve git context with html escapes
- moby/moby#40302 client.ImagePush(): default to ":latest" instead of "all tags"
- relates to docker/cli#2214 [proposal] change "docker push" behavior to default to ":latest" instead of "all tags"
- relates to docker/cli#2220 implement docker push `-a`/ `--all-tags`
- moby/moby#40263 Normalize comment formatting
- moby/moby#40238 Allow client consumers like traefik to compile on illumos
- moby/moby#40108 bump google.golang.org/grpc v1.23.1
- moby/moby#40312 update vendor golang.org/x/sys to 6d18c012aee9febd81bbf9806760c8c4480e870d
- moby/moby#40247 pkg/system: deprecate constants in favor of golang.org/x/sys/windows
- moby/moby#40246 pkg/system: minor cleanups and remove use of deprecated system.GetOSVersion()
- moby/moby#40122 Update buildkit to containerd leases
- vendor: update buildkit to leases support (4f4e03067523b2fc5ca2f17514a5e75ad63e02fb)
- vendor: update containerd to acdcf13d5eaf0dfe0eaeabe7194a82535549bc2b
- vendor: update runc to d736ef14f0288d6993a1845745d6756cfc9ddd5a (v1.0.0-rc9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.12.14 (released 2019/12/04) includes a fix to the runtime. See the Go 1.12.14
milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.12.14+label%3ACherryPickApproved
Update Golang 1.12.13
------------------------
go1.12.13 (released 2019/10/31) fixes an issue on macOS 10.15 Catalina where the
non-notarized installer and binaries were being rejected by Gatekeeper. Only macOS
users who hit this issue need to update.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
macOS doesn't ship with the GNU version of `date`, which
causes the command to fail if the `--rfc-3339 ns` format option
is used.
Given that we don't need the build-time with nanosecond precision,
this patch changes the format used, so that the CLI binary can be
built on the host (outside of a container);
Before this change, `make binary` would fail:
DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary
WARNING: binary creates a Linux executable. Use cross for macOS or Windows.
./scripts/build/binary
make: *** [binary] Error 1
With this change, the binary can be built on the host:
DISABLE_WARN_OUTSIDE_CONTAINER=1 make binary
WARNING: binary creates a Linux executable. Use cross for macOS or Windows.
./scripts/build/binary
Building statically linked build/docker-darwin-amd64
While the previous version formatted (and parsed) the date with nanoseconds precision,
that level of precision is not actually used;
```go
func reformatDate(buildTime string) string {
t, errTime := time.Parse(time.RFC3339Nano, buildTime)
if errTime == nil {
return t.Format(time.ANSIC)
}
return buildTime
}
```
Both the old, and new input will yield the same output:
```go
fmt.Println(reformatDate("2019-12-31T13:41:44.846741804+00:00"))
// Tue Dec 31 13:41:44 2019
fmt.Println(reformatDate("2019-12-31T13:41:44Z"))
// Tue Dec 31 13:41:44 2019
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this change, plugins were listed in a random order:
Client:
Debug Mode: false
Plugins:
doodle: Docker Doodles all around! 🐳🎃 (thaJeztah, v0.0.1)
shell: Open a browser shell on the Docker Host. (thaJeztah, v0.0.1)
app: Docker Application (Docker Inc., v0.8.0)
buildx: Build with BuildKit (Docker Inc., v0.3.1-tp-docker)
With this change, plugins are listed alphabetically:
Client:
Debug Mode: false
Plugins:
app: Docker Application (Docker Inc., v0.8.0)
buildx: Build with BuildKit (Docker Inc., v0.3.1-tp-docker)
doodle: Docker Doodles all around! 🐳🎃 (thaJeztah, v0.0.1)
shell: Open a browser shell on the Docker Host. (thaJeztah, v0.0.1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update the list of overrides for table headers so that columns using split or
join will produce the correct table header.
Before this patch:
docker ps --format='table {{split .Names "/"}}'
[NAMES]
[unruffled_mclean]
[eloquent_meitner]
[sleepy_grothendieck]
With this patch applied:
docker ps --format='table {{split .Names "/"}}'
NAMES
[unruffled_mclean]
[eloquent_meitner]
[sleepy_grothendieck]
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Before this patch, using a template that used templating functions (such as
`lower` or `json`) caused the command to fail in the pre-processor step (in
`buildContainerListOptions`):
docker ps --format='{{upper .Names}}'
template: :1:8: executing "" at <.Names>: invalid value; expected string
This problem was due to the pre-processing using a different "context" type than
was used in the actual template, and custom functions to not be defined when
instantiating the Go template.
With this patch, using functions in templates works correctly:
docker ps --format='{{upper .Names}}'
MUSING_NEUMANN
ELOQUENT_MEITNER
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Move the remaining test with the others, and rename it from
`TestBuildContainerListOptions` to `TestContainerListBuildContainerListOptions`,
so that it has the same prefix as the other tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: 7c1e88399e...v1.3.0
This also adds back containerd/ttrpc as a dependency, which is referenced by the BuildKit client (indirectly)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When running `docker login` or `docker logout`, the CLI updates
the configuration file by creating a temporary file, to replace
the old one (if exists).
When using `sudo`, this caused the file to be created as `root`,
making it inaccessible to the current user.
This patch updates the CLI to fetch permissions and ownership of
the existing configuration file, and applies those permissions
to the new file, so that it has the same permissions as the
existing file (if any).
Currently, only done for "Unix-y" systems (Mac, Linux), but
can be implemented for Windows in future if there's a need.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/opencontainers/runc/compare/v1.0.0-rc8...3e425f80a8c931f88e6d94a8c831b9d5aa481657
- opencontainers/runc#2010 criu image path permission error when checkpoint rootless container
- opencontainers/runc#2028 Update to Go 1.12 and drop obsolete versions
- opencontainers/runc#2029 Update dependencies
- opencontainers/runc#2034 Support for logging from children processes
- opencontainers/runc#2035 specconv: always set "type: bind" in case of MS_BIND
- opencontainers/runc#2038 `r.destroy` can defer exec in `runner.run` method
- opencontainers/runc#2041 Change the permissions of the notify listener socket to rwx for everyone
- opencontainers/runc#2042 libcontainer: intelrdt: add missing destroy handler in defer func
- opencontainers/runc#2047 Move systemd.Manager initialization into a function in that module
- opencontainers/runc#2057 main: not reopen /dev/stderr
- closes opencontainers/runc#2056 Runc + podman|cri-o + systemd issue with stderr
- closes kubernetes/kubernetes#77615 kubelet fails starting CRI-O containers (Ubuntu 18.04 + systemd cgroups driver)
- closes cri-o/cri-o#2368 Joining worker node not starting flannel or kube-proxy / CRI-O error "open /dev/stderr: no such device or address"
- opencontainers/runc#2061 libcontainer: fix TestGetContainerState to check configs.NEWCGROUP
- opencontainers/runc#2065 Fix cgroup hugetlb size prefix for kB
- opencontainers/runc#2067 libcontainer: change seccomp test for clone syscall
- opencontainers/runc#2074 Update dependency libseccomp-golang
- opencontainers/runc#2081 Bump CRIU to 3.12
- opencontainers/runc#2089 doc: First process in container needs `Init: true`
- opencontainers/runc#2094 Skip searching /dev/.udev for device nodes
- closes opencontainers/runc#2093 HostDevices() race with older udevd versions
- opencontainers/runc#2098 man: fix man-pages
- opencontainers/runc#2103 cgroups/fs: check nil pointers in cgroup manager
- opencontainers/runc#2107 Make get devices function public
- opencontainers/runc#2113 libcontainer: initial support for cgroups v2
- opencontainers/runc#2116 Avoid the dependency on cgo through go-systemd/util package
- removes github.com/coreos/pkg as dependency
- opencontainers/runc#2117 Remove libcontainer detection for systemd features
- fixes opencontainers/runc#2117 Cache the systemd detection results
- opencontainers/runc#2119 libcontainer: update masked paths of /proc
- relates to #36368 Add /proc/keys to masked paths
- relates to #38299 Masked /proc/asound
- relates to #37404 Add /proc/acpi to masked paths (CVE-2018-10892)
- opencontainers/runc#2122 nsenter: minor fixes
- opencontainers/runc#2123 Bump x/sys and update syscall for initial Risc-V support
- opencontainers/runc#2125 cgroup: support mount of cgroup2
- opencontainers/runc#2126 libcontainer/nsenter: Don't import C in non-cgo file
- opencontainers/runc#2129 Only allow proc mount if it is procfs
- addresses opencontainers/runc#2129 AppArmor can be bypassed by a malicious image that specifies a volume at /proc (CVE-2019-16884)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These subcommands were created to allow upgrading a Docker Community
engine to Docker Enterprise, but never really took off.
This patch removes the `docker engine` subcommands, as they added
quite some complexity / additional code.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Setting proxy-configuration in config.json was added in
commit 35f1e301b5 (docker
17.07), but never found its way to the documentation.
This patch adds some basic information about the feature.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The top-level `docker deploy` command (using the "Docker Application Bundle"
(`.dab`) file format was introduced as an experimental feature in Docker 1.13 /
17.03, but superseded by support for Docker Compose files.
With no development being done on this feature, and no active use of the file
format, support for the DAB file format and the top-level `docker deploy` command
(hidden by default in 19.03), is removed in this patch, in favour of `docker stack deploy`
using compose files.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Modify the docker run docs, to specify working of --device flag
in containers that are started in privileged mode. The custom device
permissions that are given to a device in privileged mode are ignored
and goes with `rwm` by default
Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
Updating this file to match reality. Both Justin and Aaron
have informed me that they were not expecting to be involved
with maintaining the CLI, so removing them from the list.
Aaron was mostly active on the daemon / engine, so I decided
to not include him in the alumni on this repository, and
Justin remains active as a maintainer on the engine.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The "docs maintainers" role was never defined; removing
the section from the file to make the file less confusing.
We can add people with specific expertise to the general
"maintainers" section instead.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Anca Iordache <anca.iordache@docker.com>
Possible approach for client info
- split ClientInfo() into ClientInfo() and loadClientInfo()
- split ConfigFile() into ConfigFile() and loadConfigFile()
- ConfigFile() and ClientInfo() call their corresponding loadXX function
if it has not yet been loaded; this allows them to be used before
Initialize() was called.
- Initialize() *always* (re-)loads the configuration; this makes sure
that the correct configuration is used when actually calling commands.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/stack/kubernetes/convert_test.go:199:35: Using the variable on range scope `c` in function literal (scopelint)
conv, err := NewStackConverter(c.version)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/container/create_test.go:120:20: Using the variable on range scope `c` in function literal (scopelint)
defer func() { c.ResponseCounter++ }()
^
cli/command/container/create_test.go:121:12: Using the variable on range scope `c` in function literal (scopelint)
switch c.ResponseCounter {
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/stack/kubernetes/watcher_test.go:44:20: Using a reference for the variable on range scope `obj` (scopelint)
if err := o.Add(&obj); err != nil {
^
cli/command/stack/kubernetes/watcher_test.go:49:20: Using a reference for the variable on range scope `obj` (scopelint)
if err := o.Add(&obj); err != nil {
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
opts/network_test.go:74:35: Using the variable on range scope `tc` in function literal (scopelint)
assert.NilError(t, network.Set(tc.value))
^
opts/network_test.go:102:40: Using the variable on range scope `tc` in function literal (scopelint)
assert.ErrorContains(t, network.Set(tc.value), tc.expectedError)
^
opts/opts_test.go:270:30: Using the variable on range scope `tc` in function literal (scopelint)
val, err := ValidateLabel(tc.value)
^
opts/opts_test.go:271:7: Using the variable on range scope `tc` in function literal (scopelint)
if tc.expectedErr != "" {
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/manifest/store/store_test.go:97:29: Using the variable on range scope `testcase` in function literal (scopelint)
actual, err := store.Get(testcase.listRef, testcase.manifestRef)
^
cli/manifest/store/store_test.go:98:7: Using the variable on range scope `testcase` in function literal (scopelint)
if testcase.expectedErr != "" {
^
cli/manifest/store/store_test.go:99:26: Using the variable on range scope `testcase` in function literal (scopelint)
assert.Error(t, err, testcase.expectedErr)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/compose/template/template_test.go:279:31: Using the variable on range scope `tc` in function literal (scopelint)
actual := ExtractVariables(tc.dict, defaultPattern)
^
cli/compose/template/template_test.go:280:41: Using the variable on range scope `tc` in function literal (scopelint)
assert.Check(t, is.DeepEqual(actual, tc.expected))
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/cli_test.go:157:15: Using the variable on range scope `testcase` in function literal (scopelint)
pingFunc: testcase.pingFunc,
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/trust/key_load_test.go:121:27: Using the variable on range scope `keyID` in function literal (scopelint)
testLoadKeyFromPath(t, keyID, keyBytes)
^
cli/command/trust/key_load_test.go:176:32: Using the variable on range scope `keyBytes` in function literal (scopelint)
testLoadKeyTooPermissive(t, keyBytes)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/context/create_test.go:270:31: Using the variable on range scope `c` in function literal (scopelint)
Name: c.name,
^
cli/command/context/create_test.go:271:31: Using the variable on range scope `c` in function literal (scopelint)
Description: c.description,
^
cli/command/context/create_test.go:272:31: Using the variable on range scope `c` in function literal (scopelint)
DefaultStackOrchestrator: c.orchestrator,
cli/command/context/create_test.go:346:31: Using the variable on range scope `c` in function literal (scopelint)
Name: c.name,
^
cli/command/context/create_test.go:347:31: Using the variable on range scope `c` in function literal (scopelint)
Description: c.description,
^
cli/command/context/create_test.go:348:31: Using the variable on range scope `c` in function literal (scopelint)
DefaultStackOrchestrator: c.orchestrator,
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
e2e/cli-plugins/flags_test.go:135:27: Using the variable on range scope `args` in function literal (scopelint)
res := icmd.RunCmd(run(args...))
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/compose/loader/merge.go:64:41: Using a reference for the variable on range scope `overrideService` (scopelint)
if err := mergo.Merge(&baseService, &overrideService, mergo.WithAppendSlice, mergo.WithOverride, mergo.WithTransformers(specials)); err != nil {
^
cli/compose/loader/loader_test.go:1587:28: Using the variable on range scope `testcase` in function literal (scopelint)
config, err := loadYAML(testcase.yaml)
^
cli/compose/loader/loader_test.go:1590:58: Using the variable on range scope `testcase` in function literal (scopelint)
assert.Check(t, is.DeepEqual(config.Services[0].Init, testcase.init))
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
templates/templates_test.go:74:29: Using the variable on range scope `testCase` in function literal (scopelint)
assert.Check(t, is.Equal(testCase.expected, b.String()))
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
service/logs/parse_logs_test.go:26:35: Using the variable on range scope `testcase` in function literal (scopelint)
actual, err := ParseLogDetails(testcase.line)
^
service/logs/parse_logs_test.go:27:7: Using the variable on range scope `testcase` in function literal (scopelint)
if testcase.err != nil {
^
service/logs/parse_logs_test.go:28:26: Using the variable on range scope `testcase` in function literal (scopelint)
assert.Error(t, err, testcase.err.Error())
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/config/config_test.go:590:11: Using the variable on range scope `tc` in function literal (scopelint)
SetDir(tc.dir)
^
cli/config/config_test.go:591:19: Using the variable on range scope `tc` in function literal (scopelint)
f, err := Path(tc.path...)
^
cli/config/config_test.go:592:23: Using the variable on range scope `tc` in function literal (scopelint)
assert.Equal(t, f, tc.expected)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/formatter/container_test.go:315:17: Error return value of `ContainerWrite` is not checked (errcheck)
ContainerWrite(context.context, containers)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/cli_test.go:297:11: Error return value of `cli.Apply` is not checked (errcheck)
cli.Apply(
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/context/store/store_test.go:156:2: SA5001: should check returned error before deferring f.Close() (staticcheck)
defer f.Close()
^
cli/context/store/store_test.go:189:2: SA5001: should check returned error before deferring f.Close() (staticcheck)
defer f.Close()
^
cli/context/store/store_test.go:240:2: SA5001: should check returned error before deferring f.Close() (staticcheck)
defer f.Close()
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/image/build.go:434:32: SA1006: printf-style function with dynamic format string and no further arguments should use print-style function instead (staticcheck)
fmt.Fprintf(dockerCli.Out(), imageID)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/utils.go:81:20: SA1006: printf-style function with dynamic format string and no further arguments should use print-style function instead (staticcheck)
fmt.Fprintf(outs, message)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/trust/key_generate.go:91:30: SA1006: printf-style function with dynamic format string and no further arguments should use print-style function instead (staticcheck)
fmt.Fprintf(streams.Out(), err.Error())
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/service/update_test.go:31:16: SA1012: do not pass a nil Context, even if a function permits it; pass context.TODO if you are unsure about which Context to use (staticcheck)
updateService(nil, nil, flags, spec)
^
cli/command/service/update_test.go:535:16: SA1012: do not pass a nil Context, even if a function permits it; pass context.TODO if you are unsure about which Context to use (staticcheck)
updateService(nil, nil, flags, spec)
^
cli/command/service/update_test.go:540:16: SA1012: do not pass a nil Context, even if a function permits it; pass context.TODO if you are unsure about which Context to use (staticcheck)
updateService(nil, nil, flags, spec)
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Running `docker stack services <STACK> --orchestrator swarm would yield
the message "Noting found in stack: asdf" with an exit code 0. The same
command with kubernetes orchestrator would yield "nothing found in
stack: adsf" (note the lower-case "nothing") and a non-zero exit code.
This change makes the `stack services` command uniform for both
orchestrators. The logic of getting and printing services is split to
reuse the same formatting code.
Signed-off-by: Djordje Lukic <djordje.lukic@docker.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
API v1.41 adds a new option to get the number of desired
and running tasks when listing services. This patch enables
this functionality, and provides a fallback mechanism when
the ServiceStatus is not available, which would be when
using an older API version.
Now that the swarm.Service struct captures this information,
the `ListInfo` type is no longer needed, so it is removed,
and the related list- and formatting functions have been
modified accordingly.
To reduce repetition, sorting the services has been moved
to the formatter. This is a slight change in behavior, but
all calls to the formatter performed this sort first, so
the change will not lead to user-facing changes.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch:
- Adds new GlobalService and ServiceStatus options
- Makes the NodeList() function functional
- Minor improvment to the `newService()` function to allow passing options
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This test was intending to run all tests, but didn't, which was
caught by golangci-lint;
cli/compose/loader/windows_path_test.go:46:17: SA4010: this result of append is never used, except maybe in other appends (staticcheck)
tests := append(isabstests, winisabstests...)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/container/opts.go:700:37: Using a reference for the variable on range scope `n` (scopelint)
if err := applyContainerOptions(&n, copts); err != nil {
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
```
cli/command/service/update.go:1007:43: Using a reference for the variable on range scope `entry` (scopelint)
if _, ok := portSet[portConfigToString(&entry)]; !ok {
^
cli/command/service/update.go:1008:32: Using a reference for the variable on range scope `entry` (scopelint)
portSet[portConfigToString(&entry)] = entry
^
cli/command/service/update.go:1034:44: Using a reference for the variable on range scope `port` (scopelint)
if _, ok := portSet[portConfigToString(&port)]; ok {
^
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like we're just on the edge of the deadline, and it's sometimes
failing;
```
cli/command/image/trust.go:346:1⚠️ nolint directive did not match any issue (nolint)
cli/command/manifest/push.go:211:1⚠️ nolint directive did not match any issue (nolint)
internal/pkg/containerized/snapshot.go:95:1⚠️ nolint directive did not match any issue (nolint)
internal/pkg/containerized/snapshot.go:138:1⚠️ nolint directive did not match any issue (nolint)
WARNING: deadline exceeded by linter interfacer (try increasing --deadline)
Exited with code 3
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: b6684a403c...a09e6e323e
relevant changes:
- moby/moby#39995 Update containerd binary to v1.2.10
- moby/moby#40001 Update runc to v1.0.0-rc8-92-g84373aaa (CVE-2019-16884)
- moby/moby#39999 bump golang 1.13.1 (CVE-2019-16276)
- moby/moby#40102 bump golang 1.13.3 (CVE-2019-17596)
- moby/moby#40134 Revert "homedir: add cgo or osusergo buildtag constraints for unix"
- reverts moby/moby#39994 homedir: add cgo or osusergo buildtag constraints for unix,
in favor of documenting when to set the `osusergo` build tag. The `osusergo`
build-flag must be used when compiling a static binary with `cgo` enabled,
and linking against `glibc`.
- moby/moby#39983 builder: remove legacy build's session handling
This feature was used by docker build --stream and it was kept experimental.
Users of this endpoint should enable BuildKit anyway by setting Version to BuilderBuildKit.
- Related: #2105 build: remove --stream (was experimental)
- moby/moby #40045 Bump logrus 1.4.2, go-shellwords, mergo, flock, creack/pty,
golang/gddo, gorilla/mux
- moby/moby#39713 bump containerd and dependencies to v1.3.0
- moby/moby#39987 Add ability to handle index acknowledgment with splunk log driver
- moby/moby#40070 Use ocischema package instead of custom handler
- relates to moby/moby#39727 Docker 19.03 doesn't support OCI image
- relates to docker/hub-feedback#1871
- relates to docker/distribution#3024
- moby/moby#39231 Add support for sending down service Running and Desired task counts
- moby/moby#39822 daemon: Use short libnetwork ID in exec-root
- moby/moby#39100 Use Microsoft/hcsshim constants and deprecate pkg/system.GetOsVersion()
- updates/requires Microsoft/hscshim@2226e083fc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This patch:
- Combines the shellcheck and lint stages. Free CircleCI plans allow a maximum
of 4 concurrent jobs, and from the timing, the "lint" and "shellcheck" stages
combined would still take less time than the other stages, so combining them
keeps the same overall duration, but saving one machine "slot".
- Splits some steps, so that their output can be found more easily in the CI
results. For example, separating building of Docker images from running them.
- Adds a "Docker info" step, because information about the environment can be
useful when debugging.
- Adds the "Docker info" and "Docker version" steps to all stages, so that it's
possible to get that information without having to find the stage in which
it's printed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The configuration abused "Exclude" to exclude file-paths by filtering
on the output, however, the `Skip` option was designed for that, whereas
`Exclude` is for matching warnings.
An explicit "Skip" was added for "vendor", because even though the vendor
directory should already be ignored by the linter, in some situations,
it still seemed to warn on issues, so let's explicitly ignore it.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Golang 1.12.12
-------------------------------
full diff: https://github.com/golang/go/compare/go1.12.11...go1.12.12
go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime,
syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for
details.
https://github.com/golang/go/issues?q=milestone%3AGo1.12.12
Golang 1.12.11 (CVE-2019-17596)
-------------------------------
full diff: https://github.com/golang/go/compare/go1.12.10...go1.12.11
go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa
package. See the Go 1.12.11 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.12.11
[security] Go 1.13.2 and Go 1.12.11 are released
Hi gophers,
We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported
security issue. We recommend that all affected users update to one of these
releases (if you're not sure which, choose Go 1.13.2).
Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using
crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic,
even if the certificates don't chain to a trusted root. The chain can be
delivered via a crypto/tls connection to a client, or to a server that accepts
and verifies client certificates. net/http clients can be made to crash by an
HTTPS server, while net/http servers that accept client certificates will
recover the panic and are unaffected.
Moreover, an application might crash invoking
crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate
request, parsing a golang.org/x/crypto/openpgp Entity, or during a
golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client
can panic due to a malformed host key, while a server could panic if either
PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts
a certificate with a malformed public key.
The issue is CVE-2019-17596 and Go issue golang.org/issue/34960.
Thanks to Daniel Mandragona for discovering and reporting this issue. We'd also
like to thank regilero for a previous disclosure of CVE-2019-16276.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This case was in a test in the engine repository, where
it is being removed, so add it to the list of existing
tests here.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
In c2626a82 homedir logic got extremely simplified to only
checking HOME environment variable on UNIX systems.
Although this should work well enough in traditional environments,
this could break minimal containerized environments.
This patch reverts to using github.com/docker/docker/pkg/homedir
that was recently updated to have less dependencies.
Signed-off-by: Tibor Vass <tibor@docker.com>
Before this patch:
```
Usage: docker build [OPTIONS] PATH | URL | -
Build an image from a Dockerfile
Options:
--add-host list Add a custom host-to-IP mapping (host:ip)
--build-arg list Set build-time variables
--cache-from strings Images to consider as cache sources
--cgroup-parent string Optional parent cgroup for the container
--cpu-period int Limit the CPU CFS (Completely Fair Scheduler) period
--cpu-quota int Limit the CPU CFS (Completely Fair Scheduler) quota
-c, --cpu-shares int CPU shares (relative weight)
--cpuset-cpus string CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems string MEMs in which to allow execution (0-3, 0,1)
--disable-content-trust Skip image verification (default true)
-f, --file string Name of the Dockerfile (Default is 'PATH/Dockerfile')
--force-rm Always remove intermediate containers
--iidfile string Write the image ID to the file
--isolation string Container isolation technology
--label list Set metadata for an image
-m, --memory bytes Memory limit
--memory-swap bytes Swap limit equal to memory plus swap: '-1' to enable unlimited swap
--network string Set the networking mode for the RUN instructions during build (default "default")
--no-cache Do not use cache when building the image
-o, --output stringArray Output destination (format: type=local,dest=path)
--platform string Set platform if server is multi-platform capable
--progress string Set type of progress output (auto, plain, tty). Use plain to show container output (default "auto")
--pull Always attempt to pull a newer version of the image
-q, --quiet Suppress the build output and print image ID on success
--rm Remove intermediate containers after a successful build (default true)
--secret stringArray Secret file to expose to the build (only if BuildKit enabled): id=mysecret,src=/local/secret
--security-opt strings Security options
--shm-size bytes Size of /dev/shm
--squash Squash newly built layers into a single new layer
--ssh stringArray SSH agent socket or keys to expose to the build (only if BuildKit enabled) (format: default|<id>[=<socket>|<key>[,<key>]])
-t, --tag list Name and optionally a tag in the 'name:tag' format
--target string Set the target build stage to build.
--ulimit ulimit Ulimit options (default [])
```
With this patch applied:
```
DOCKER_BUILDKIT=1 docker build --help
Usage: docker build [OPTIONS] PATH | URL | -
Build an image from a Dockerfile
Options:
--add-host list Add a custom host-to-IP mapping (host:ip)
--build-arg list Set build-time variables
--cache-from strings Images to consider as cache sources
--disable-content-trust Skip image verification (default true)
-f, --file string Name of the Dockerfile (Default is 'PATH/Dockerfile')
--iidfile string Write the image ID to the file
--isolation string Container isolation technology
--label list Set metadata for an image
--network string Set the networking mode for the RUN instructions during build (default "default")
--no-cache Do not use cache when building the image
-o, --output stringArray Output destination (format: type=local,dest=path)
--platform string Set platform if server is multi-platform capable
--progress string Set type of progress output (auto, plain, tty). Use plain to show container output (default "auto")
--pull Always attempt to pull a newer version of the image
-q, --quiet Suppress the build output and print image ID on success
--secret stringArray Secret file to expose to the build (only if BuildKit enabled): id=mysecret,src=/local/secret
--squash Squash newly built layers into a single new layer
--ssh stringArray SSH agent socket or keys to expose to the build (only if BuildKit enabled) (format: default|<id>[=<socket>|<key>[,<key>]])
-t, --tag list Name and optionally a tag in the 'name:tag' format
--target string Set the target build stage to build.
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
--stream was always experimental and this patch removes the functionality.
Users should enable BuildKit with DOCKER_BUILDKIT=1
Signed-off-by: Tibor Vass <tibor@docker.com>
full diff: https://github.com/golang/go/compare/go1.12.9...go1.12.10
```
Hi gophers,
We have just released Go 1.13.1 and Go 1.12.10 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.1).
net/http (through net/textproto) used to accept and normalize invalid HTTP/1.1 headers with a space before the colon, in violation of RFC 7230. If a Go server is used behind an uncommon reverse proxy that accepts and forwards but doesn't normalize such invalid headers, the reverse proxy and the server can interpret the headers differently. This can lead to filter bypasses or request smuggling, the latter if requests from separate clients are multiplexed onto the same upstream connection by the proxy. Such invalid headers are now rejected by Go servers, and passed without normalization to Go client applications.
The issue is CVE-2019-16276 and Go issue golang.org/issue/34540.
Thanks to Andrew Stucki, Adam Scarr (99designs.com), and Jan Masarik (masarik.sh) for discovering and reporting this issue.
Downloads are available at https://golang.org/dl for all supported platforms.
Alla prossima,
Filippo on behalf of the Go team
```
From the patch: 6e6f4aaf70
```
net/textproto: don't normalize headers with spaces before the colon
RFC 7230 is clear about headers with a space before the colon, like
X-Answer : 42
being invalid, but we've been accepting and normalizing them for compatibility
purposes since CL 5690059 in 2012.
On the client side, this is harmless and indeed most browsers behave the same
to this day. On the server side, this becomes a security issue when the
behavior doesn't match that of a reverse proxy sitting in front of the server.
For example, if a WAF accepts them without normalizing them, it might be
possible to bypass its filters, because the Go server would interpret the
header differently. Worse, if the reverse proxy coalesces requests onto a
single HTTP/1.1 connection to a Go server, the understanding of the request
boundaries can get out of sync between them, allowing an attacker to tack an
arbitrary method and path onto a request by other clients, including
authentication headers unknown to the attacker.
This was recently presented at multiple security conferences:
https://portswigger.net/blog/http-desync-attacks-request-smuggling-reborn
net/http servers already reject header keys with invalid characters.
Simply stop normalizing extra spaces in net/textproto, let it return them
unchanged like it does for other invalid headers, and let net/http enforce
RFC 7230, which is HTTP specific. This loses us normalization on the client
side, but there's no right answer on the client side anyway, and hiding the
issue sounds worse than letting the application decide.
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is currently just a copy of the v3.8 schema, in preparation
of new features to be added in the new schema.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For now, just verifying that an error is returned, but not checking the
error message itself, because those are not under our control, and may
change with different Go versions.
```
=== Failed
=== FAIL: opts TestParseDockerDaemonHost (0.00s)
hosts_test.go:87: tcp tcp:a.b.c.d address expected error "Invalid bind address format: tcp:a.b.c.d" return, got "parse tcp://tcp:a.b.c.d: invalid port \":a.b.c.d\" after host" and addr
hosts_test.go:87: tcp tcp:a.b.c.d/path address expected error "Invalid bind address format: tcp:a.b.c.d/path" return, got "parse tcp://tcp:a.b.c.d/path: invalid port \":a.b.c.d\" after host" and addr
=== FAIL: opts TestParseTCP (0.00s)
hosts_test.go:129: tcp tcp:a.b.c.d address expected error Invalid bind address format: tcp:a.b.c.d return, got parse tcp://tcp:a.b.c.d: invalid port ":a.b.c.d" after host and addr
hosts_test.go:129: tcp tcp:a.b.c.d/path address expected error Invalid bind address format: tcp:a.b.c.d/path return, got parse tcp://tcp:a.b.c.d/path: invalid port ":a.b.c.d" after host and addr
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.12.8 (released 2019/08/13) includes security fixes to the net/http and net/url packages.
See the Go 1.12.8 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.12.8
- net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted
clients could be remotely made to allocate an unlimited amount of memory, until the program
crashes. Servers will now close connections if the send queue accumulates too many control
messages.
The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of golang.org/x/net/http2.
net/url: parsing validation issue
- url.Parse would accept URLs with malformed hosts, such that the Host field could have arbitrary
suffixes that would appear in neither Hostname() nor Port(), allowing authorization bypasses
in certain applications. Note that URLs with invalid, not numeric ports will now return an error
from url.Parse.
The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me) for discovering
and reporting this issue.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
exec.CombinedOutput should not be used here because:
- it redirects cmd Stdout and Stderr and we want it to be the tty
- it calls cmd.Run which we already did
While at it
- use pty.Start() as it is cleaner
- make sure we don't leave a zombie running, by calling Wait() in defer
- use test.Name() for containerName
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
The docker-in-docker image now enables TLS by default (added in
docker-library/docker#166), which complicates testing in our
environment, and isn't needed for the tests we're running.
This patch sets the `DOCKER_TLS_CERTDIR` to an empty value to
disable TLS.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This allows overriding the version of Go without making modifications in the
source code, which can be useful to test against multiple versions.
For example:
make GO_VERSION=1.13beta1 -f docker.Makefile binary
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These changes were made as part of the `docker engine` feature
in commit fd2f1b3b66, but later
reverted in f250152bf4 and
b7ec4a42d9
These lines were forgotten to be removed, and should no longer
be needed.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The State field allows printing the container state without
additional information about uptime, healthcheck, etc.
With this patch, the container's state can be printed independently:
```bash
docker ps -a --format '{{.State}}'
running
paused
exited
created
```
```bash
docker ps -a --format 'table {{.Names}}\t{{.State}}\t{{.Status}}'
NAMES STATE STATUS
elastic_burnell running Up About a minute
pausie paused Up 5 minutes (Paused)
peaceful_stonebraker exited Exited (0) 10 hours ago
vigilant_shaw created Created
```
```bash
docker ps -a --format 'raw'
container_id: 0445f73f3a71
image: docker-cli-dev
command: "ash"
created_at: 2019-07-12 11:16:11 +0000 UTC
state: running
status: Up 2 minutes
names: elastic_burnell
labels:
ports:
container_id: 1aff69a3912c
image: nginx:alpine
command: "nginx -g 'daemon of ..."
created_at: 2019-07-12 11:12:10 +0000 UTC
state: paused
status: Up 6 minutes (Paused)
names: pausie
labels: maintainer=NGINX Docker Maintainers <docker-maint@nginx.com>
ports: 80/tcp
container_id: d48acf66c318
image: alpine:3.9.3
command: "id -u"
created_at: 2019-07-12 00:52:17 +0000 UTC
state: exited
status: Exited (0) 10 hours ago
names: peaceful_stonebraker
labels:
ports:
container_id: a0733fe0dace
image: b7b28af77ffe
command: "/bin/sh -c '#(nop) ..."
created_at: 2019-07-12 00:51:29 +0000 UTC
state: created
status: Created
names: vigilant_shaw
labels:
ports:
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1. Adds `docker events` description info on the two scope types of events.
2. Adds `docker events` note in two places about backlog limit of event log.
Further info and background info in Issue 727
Signed-off-by: Bret Fisher <bret@bretfisher.com>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When deploying a stack using a relative path as bind-mount
source in the compose file, the CLI converts the relative
path to an absolute path, relative to the location of the
docker-compose file.
This causes a problem when deploying a stack that uses
an absolute Windows path, because a non-Windows client will
fail to detect that the path (e.g. `C:\somedir`) is an absolute
path (and not a relative directory named `C:\`).
The existing code did already take Windows clients deploying
a Linux stack into account (by checking if the path had a leading
slash). This patch adds the reverse, and adds detection for Windows
absolute paths on non-Windows clients.
The code used to detect Windows absolute paths is copied from the
Golang filepath package;
1d0e94b1e1/src/path/filepath/path_windows.go (L12-L65)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `aufs` storage driver is deprecated in favor of `overlay2`, and will
be removed in a future release. Users of the `aufs` storage driver are
recommended to migrate to a different storage driver, such as `overlay2`, which
is now the default storage driver.
The `aufs` storage driver facilitates running Docker on distros that have no
support for OverlayFS, such as Ubuntu 14.04 LTS, which originally shipped with
a 3.14 kernel.
Now that Ubuntu 14.04 is no longer a supported distro for Docker, and `overlay2`
is available to all supported distros (as they are either on kernel 4.x, or have
support for multiple lowerdirs backported), there is no reason to continue
maintenance of the `aufs` storage driver.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Add a test to verify that killing the docker CLI forwards
the signal to the container. Test-case for moby/moby 28872
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This partially reverts e0b59ab52b,
and does not automatically disable proxying signals in TTY-mode
Before this change:
------------------------------------
Start a container with a TTY in one shell:
```
docker run -it --init --name repro-28872 busybox sleep 30
```
then, in another shell, kill the docker cli:
```
kill `pgrep -f repro-28872`
```
Notice that the CLI was killed, but the signal not forwarded to the container;
the container continues running
```
docker container inspect --format '{{ .State.Status }}' repro-28872
running
docker container rm -f repro-28872
```
After this change:
------------------------------------
Start a container with a TTY in one shell:
```
docker run -it --init --name repro-28872 busybox sleep 30
```
then, in another shell, kill the docker cli:
```
kill `pgrep -f repro-28872`
```
Verify that the signal was forwarded to the container, and the container exited
```
docker container inspect --format '{{ .State.Status }}' repro-28872
exited
docker container rm -f repro-28872
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This code was attempting to check Linux file permissions
to determine if the key was accessible by other users, which
doesn't work, and therefore prevented users on Windows
to load keys.
Skipping this check on Windows (correspinding tests
were already skipped).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
For backward compatibility: if no custom options are provided for the network,
and only a single network is specified, omit the endpoint-configuration
on the client (the daemon will still create it when creating the container)
This fixes an issue on older versions of legacy Swarm, which did not support
`NetworkingConfig.EndpointConfig`.
This was introduced in 5bc09639cc (#1767)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adds capabilities to import a .zip file with importZip.
Detects the content type of source by checking bytes & DetectContentType.
Adds LimitedReader reader, a fork of io.LimitedReader,
was needed for better error messaging instead of just getting back EOF.
We are using limited reader to avoid very big files causing memory issues.
Adds a new file size limit for context imports,
this limit is used for the main file for .zip & .tar and individual compressed
files for .zip.
Added TestImportZip that will check the import content type
Then will assert no err on Importing .zip file
Signed-off-by: Goksu Toprak <goksu.toprak@docker.com>
To test, add $(pwd)/build/plugins-linux-amd64 to "cliPluginsExtraDirs" config and run:
make plugins
make binary
HELLO_EXPERIMENTAL=1 docker helloworld
To show it enabled:
HELLO_EXPERIMENTAL=1 DOCKER_CLI_EXPERIMENTAL=enabled docker helloworld
Signed-off-by: Tibor Vass <tibor@docker.com>
This is less of a layering violation and removes some ugly hardcoded
`"kubernetes"` strings which were needed to avoid an import loop.
Signed-off-by: Ian Campbell <ijc@docker.com>
This removes the need for the core context code to import
`github.com/docker/cli/cli/context/kubernetes` which in turn reduces the
transitive import tree in this file to not pull in all of Kubernetes.
Note that this means that any calling code which is interested in the
kubernetes endpoint must import `github.com/docker/cli/cli/context/kubernetes`
itself somewhere in order to trigger the dynamic registration. In practice
anything which is interested in Kubernetes must import that package (e.g.
`./cli/command/context.list` does for the `EndpointFromContext` function) to do
anything useful, so this restriction is not too onerous.
As a special case a small amount of Kubernetes related logic remains in
`ResolveDefaultContext` to handle error handling when the stack orchestrator
includes Kubernetes. In order to avoid a circular import loop this hardcodes
the kube endpoint name.
Similarly to avoid an import loop the existing `TestDefaultContextInitializer`
cannot continue to unit test for the Kubernetes case, so that aspect of the
test is carved off into a very similar test in the kubernetes context package.
Lastly, note that the kubernetes endpoint is now modifiable via
`WithContextEndpointType`.
Signed-off-by: Ian Campbell <ijc@docker.com>
These are needed by any dynamically registered (via
`RegisterDefaultStoreEndpoints`) endpoint type to write a useful/sensible unit
test.
Signed-off-by: Ian Campbell <ijc@docker.com>
Previously an endpoint registered using `RegisterDefaultStoreEndpoints` would
not be taken into consideration by `resolveDefaultContext` and so could not
provide any details.
Resolve this by passing a `store.Config` to `resolveDefaultContext` and using
it to iterate over all registered endpoints. Any endpoint can ensure that their
type implements the new `EndpointDefaultResolver` in order to provide a default.
The Docker and Kubernetes endpoints are special cased, shortly the Kubernetes
one will be refactored to be dynamically registered.
Signed-off-by: Ian Campbell <ijc@docker.com>
I'm about to refactor the code which includes the Kubernetes support in a way
which relies on something vendoring `./cli/context/kubernetes/` in order to
trigger the inclusion of support for the Kubernetes endpoint in the final
binary.
In practice anything which is interested in Kubernetes must import that package
(e.g. `./cli/command/context.list` does for the `EndpointFromContext`
function). However if it was somehow possible to build without that import then
the `KUBERNETES ENDPOINT` column would be mysteriously empty.
Out of an abundance of caution add a specific check on the final binary.
Signed-off-by: Ian Campbell <ijc@docker.com>
This reverts commit 59defcb34d which caused #1892
since the timeout applied not only to the dial phase but to everything, so it
would kill `docker logs -f ...` if the container was not chatty enough.
Signed-off-by: Ian Campbell <ijc@docker.com>
The comment on `github.com/docker/cli/kubernetes.NewKubernetesConfig` said:
// Deprecated: Use github.com/docker/compose-on-kubernetes/api.NewKubernetesConfig instead
By making this switch in `github.com/docker/cli/context/kubernetes/load.go` we
break a vendoring chain:
`github.com/docker/cli/cli/command`
→ `vendor/github.com/docker/cli/cli/context/kubernetes/load.go`
→ `vendor/github.com/docker/cli/kubernetes`
→ `github.com/docker/compose-on-kubernetes/api/compose/...`
This means that projects which just want `github.com/docker/cli/cli/command`
(which is itself pulled in transitively by
`github.com/docker/cli/cli-plugins/plugin`) which do not themselves need the
compose-on-kubernetes API avoid a huge pile of transitive dependencies.
On one of my private projects the diff on the vendor dir is:
280 files changed, 21 insertions(+), 211346 deletions(-)
and includes dropping:
* `github.com/docker/compose-on-kubernetes/api/compose/{clone,impersonation}`
* `github.com/docker/compose-on-kubernetes/api/compose/{v1alpha3,v1beta1,v1beta2,v1beta3}`
* `github.com/google/btree`
* `github.com/googleapis/gnostic`
* `github.com/gregjones/httpcache`
* `github.com/peterbourgon/diskv`
* `k8s.io/api/*` (_lots_ of subpackages)
* `k8s.io/client-go/{discovery,kubernetes/scheme}`
and I've gone from:
$ du -sh vendor/k8s.io/
8.1M vendor/k8s.io/
to:
$ du -sh vendor/k8s.io/
2.1M vendor/k8s.io/
(overall I went from 36M → 29M of vendor dir for this particular project)
The change to `cli/command/system/version.go` is just for consistency and
allows us to drop the now unused alias.
Signed-off-by: Ian Campbell <ijc@docker.com>
Refactor `RunCreate` slightly so that all three paths always produce the same
output, namely the name of the new context of `stdout` (for scripting) and the
success log message on `stderr`.
Validate by extending the existing unit tests to always check the output is as
expected.
Signed-off-by: Ian Campbell <ijc@docker.com>
This partially mitigates #1739 ("Docker commands take 1 minute to timeout if
context endpoint is unreachable") and is a simpler alternative to #1747 (which
completely defers the client connection until an actual call is attempted).
Note that the previous 60s delay was the culmination of two separate 30s
timeouts since the ping is tried twice. This with this patch the overall
timeout is 20s. https://github.com/moby/moby/pull/39206 will remove the second
ping and once that propagates to this tree the timeout will be 10s.
Signed-off-by: Ian Campbell <ijc@docker.com>
- Follows the proposal on issue [#34394](https://github.com/moby/moby/issues/34394)
- Maintains current behavior as default (Pull image if missing)
- Adds tristate flag allowing modification (PullMissing, PullAlways, PullNever)
Signed-off-by: Zander Mackie <zmackie@gmail.com>
This just makes it easier to build a targeted binary for the
goos/goach/goarm version.
This of course will not work for all cases but is nice to get things
going.
Specifically cross-compiling pkcs for yubikey support requires some
extra work whichis not tackled here.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This regressed in 3af168c7df ("Ensure plugins can use `PersistentPreRunE`
again.") but this wasn't noticed because the helloworld test plugin has it's
own `PersistentPreRunE` which has the effect of deferring the resolution of the
global variable. In the case where the hook isn't used the variable is resolved
during `newPluginCommand` which is before the global variable was set.
Initialize the plugin command with a stub function wrapping the call to the
(global) hook, this defers resolving the variable until after it has been set,
otherwise the initial value (`nil`) is used in the struct.
Signed-off-by: Ian Campbell <ijc@docker.com>
The linter is complaining:
cmd/docker/docker.go:72:23⚠️ dockerCli can be github.com/docker/cli/cli/command.Cli (interfacer)
Unclear precisely which change in the preceeding commits caused it to notice
this possibility.
Signed-off-by: Ian Campbell <ijc@docker.com>
Previously `docker --badopt` would always include experimental commands even if
experimental was not enabled.
Signed-off-by: Ian Campbell <ijc@docker.com>
This allows setting the ip/ipv6 address as an option in the
advanced `--network` syntax;
```
docker run --network name=mynetwork,ip=172.20.88.22,ip6=2001:db8::8822
```
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-04-03 17:03:34 +02:00
5071 changed files with 493049 additions and 822704 deletions
# - windows-2022 # FIXME: some tests are failing on the Windows runner, as well as on Appveyor since June 24, 2018: https://ci.appveyor.com/project/docker/cli/history
steps:
-
name:Prepare git
if:matrix.os == 'windows-latest'
run:|
git config --system core.autocrlf false
git config --system core.eol lf
-
name:Checkout
uses:actions/checkout@v3
with:
path:${{ env.GOPATH }}/src/github.com/docker/cli
-
name:Set up Go
uses:actions/setup-go@v3
with:
go-version:1.19.4
-
name:Test
run:|
go test -coverprofile=/tmp/coverage.txt $(go list ./... | grep -vE '/vendor/|/e2e/')
@ -88,7 +88,7 @@ use for simple changes](https://docs.docker.com/opensource/workflow/make-a-contr
<tr>
<td>Community Slack</td>
<td>
The Docker Community has a dedicated Slack chat to discuss features and issues. You can sign-up <ahref="https://community.docker.com/registrations/groups/4316"target="_blank">with this link</a>.
The Docker Community has a dedicated Slack chat to discuss features and issues. You can sign-up <ahref="https://dockr.ly/slack"target="_blank">with this link</a>.
</td>
</tr>
<tr>
@ -333,7 +333,7 @@ mind when nudging others to comply.
The rules:
1. All code should be formatted with `gofmt -s`.
1. All code should be formatted with `gofumpt` (preferred) or `gofmt -s`.
2. All code should pass the default levels of
[`golint`](https://github.com/golang/lint).
3. All code should follow the guidelines covered in [Effective
@ -362,4 +362,4 @@ The rules:
If you are having trouble getting into the mood of idiomatic Go, we recommend
reading through [Effective Go](https://golang.org/doc/effective_go.html). The
[Go Blog](https://blog.golang.org) is also a great resource. Drinking the
test-unit:## run unit tests, to change the output format use: GOTESTSUM_FORMAT=(dots|short|standard-quiet|short-verbose|standard-verbose) make test-unit
gotestsum $(TESTFLAGS) -- $${TESTDIRS:-$(shell go list ./... | grep -vE '/vendor/|/e2e/')}
rm -rf ./build/* man/man[1-9] docs/yaml
.PHONY:test
test:test-unit## run tests
.PHONY:test-unit
test-unit:## run unit tests, to change the output format use: GOTESTSUM_FORMAT=(dots|short|standard-quiet|short-verbose|standard-verbose) make test-unit
gotestsum -- $${TESTDIRS:-$(shell go list ./... | grep -vE '/vendor/|/e2e/')}$(TESTFLAGS)
.PHONY:test-coverage
test-coverage:## run test coverage
gotestsum -- -coverprofile=coverage.txt $(shell go list ./... | grep -vE '/vendor/|/e2e/')
.PHONY:fmt
fmt:
go list -f {{.Dir}} ./... | xargs gofmt -w -s -d
mkdir -p $(CURDIR)/build/coverage
gotestsum -- $(shell go list ./... | grep -vE '/vendor/|/e2e/') -coverprofile=$(CURDIR)/build/coverage/coverage.txt
{name:"builtin alias", c:&fakeCandidate{path:builtinAlias},invalid:`plugin "alias" duplicates an alias of builtin command "builtin"`},
{name:"fetch failure", c:&fakeCandidate{path:goodPluginPath,exec:false},invalid:fmt.Sprintf("failed to fetch metadata: faked a failure to exec %q",goodPluginPath)},
{name:"metadata not json", c:&fakeCandidate{path:goodPluginPath,exec:true,meta:`xyzzy`},invalid:"invalid character"},
{name:"empty schemaversion", c:&fakeCandidate{path:goodPluginPath,exec:true,meta:`{}`},invalid:`plugin SchemaVersion "" is not valid`},
{name:"invalid schemaversion", c:&fakeCandidate{path:goodPluginPath,exec:true,meta:`{"SchemaVersion": "xyzzy"}`},invalid:`plugin SchemaVersion "xyzzy" is not valid`},
{name:"no vendor", c:&fakeCandidate{path:goodPluginPath,exec:true,meta:`{"SchemaVersion": "0.1.0"}`},invalid:"plugin metadata does not define a vendor"},
{name:"empty vendor", c:&fakeCandidate{path:goodPluginPath,exec:true,meta:`{"SchemaVersion": "0.1.0", "Vendor": ""}`},invalid:"plugin metadata does not define a vendor"},
return"",errors.Errorf("Current context %q is not found on the file system, please check your config file at %s",config.CurrentContext,config.Filename)
// User did not specify "quiet" flag; suppress output if no terminal is attached
opts.quiet=!dockerCli.Out().IsTerminal()
}
returnrunCopy(dockerCli,opts)
},
Annotations:map[string]string{
"aliases":"docker container cp, docker cp",
},
}
flags:=cmd.Flags()
flags.BoolVarP(&opts.followLink,"follow-link","L",false,"Always follow symbol link in SRC_PATH")
flags.BoolVarP(&opts.copyUIDGID,"archive","a",false,"Archive mode (copy all uid/gid information)")
flags.BoolVarP(&opts.quiet,"quiet","q",false,"Suppress progress output during copy. Progress output is automatically suppressed if no terminal is attached")
t.Fatalf("Expected filter with key %s to be %s but got %s",k,v,f.Get(k))
}
}
}
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
