go1.20.10 (released 2023-10-10) includes a security fix to the net/http package.
See the Go 1.20.10 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.10+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.9...go1.20.10
From the security mailing:
[security] Go 1.21.3 and Go 1.20.10 are released
Hello gophers,
We have just released Go versions 1.21.3 and 1.20.10, minor point releases.
These minor releases include 1 security fixes following the security policy:
- net/http: rapid stream resets can cause excessive work
A malicious HTTP/2 client which rapidly creates requests and
immediately resets them can cause excessive server resource consumption.
While the total number of requests is bounded to the
http2.Server.MaxConcurrentStreams setting, resetting an in-progress
request allows the attacker to create a new request while the existing
one is still executing.
HTTP/2 servers now bound the number of simultaneously executing
handler goroutines to the stream concurrency limit. New requests
arriving when at the limit (which can only happen after the client
has reset an existing, in-flight request) will be queued until a
handler exits. If the request queue grows too large, the server
will terminate the connection.
This issue is also fixed in golang.org/x/net/http2 v0.17.0,
for users manually configuring HTTP/2.
The default stream concurrency limit is 250 streams (requests)
per HTTP/2 connection. This value may be adjusted using the
golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams
setting and the ConfigureServer function.
This is CVE-2023-39325 and Go issue https://go.dev/issue/63417.
This is also tracked by CVE-2023-44487.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.9 (released 2023-10-05) includes one security fixes to the cmd/go package,
as well as bug fixes to the go command and the linker. See the Go 1.20.9
milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.9+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.8...go1.20.9
From the security mailing:
[security] Go 1.21.2 and Go 1.20.9 are released
Hello gophers,
We have just released Go versions 1.21.2 and 1.20.9, minor point releases.
These minor releases include 1 security fixes following the security policy:
- cmd/go: line directives allows arbitrary execution during build
"//line" directives can be used to bypass the restrictions on "//go:cgo_"
directives, allowing blocked linker and compiler flags to be passed during
compliation. This can result in unexpected execution of arbitrary code when
running "go build". The line directive requires the absolute path of the file in
which the directive lives, which makes exploting this issue significantly more
complex.
This is CVE-2023-39323 and Go issue https://go.dev/issue/63211.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.8 (released 2023-09-06) includes two security fixes to the html/template
package, as well as bug fixes to the compiler, the go command, the runtime,
and the crypto/tls, go/types, net/http, and path/filepath packages. See the
Go 1.20.8 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.8+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.7...go1.20.8
From the security mailing:
[security] Go 1.21.1 and Go 1.20.8 are released
Hello gophers,
We have just released Go versions 1.21.1 and 1.20.8, minor point releases.
These minor releases include 4 security fixes following the security policy:
- cmd/go: go.mod toolchain directive allows arbitrary execution
The go.mod toolchain directive, introduced in Go 1.21, could be leveraged to
execute scripts and binaries relative to the root of the module when the "go"
command was executed within the module. This applies to modules downloaded using
the "go" command from the module proxy, as well as modules downloaded directly
using VCS software.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-39320 and Go issue https://go.dev/issue/62198.
- html/template: improper handling of HTML-like comments within script contexts
The html/template package did not properly handle HMTL-like "<!--" and "-->"
comment tokens, nor hashbang "#!" comment tokens, in <script> contexts. This may
cause the template parser to improperly interpret the contents of <script>
contexts, causing actions to be improperly escaped. This could be leveraged to
perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39318 and Go issue https://go.dev/issue/62196.
- html/template: improper handling of special tags within script contexts
The html/template package did not apply the proper rules for handling occurrences
of "<script", "<!--", and "</script" within JS literals in <script> contexts.
This may cause the template parser to improperly consider script contexts to be
terminated early, causing actions to be improperly escaped. This could be
leveraged to perform an XSS attack.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this
issue.
This is CVE-2023-39319 and Go issue https://go.dev/issue/62197.
- crypto/tls: panic when processing post-handshake message on QUIC connections
Processing an incomplete post-handshake message for a QUIC connection caused a panic.
Thanks to Marten Seemann for reporting this issue.
This is CVE-2023-39321 and CVE-2023-39322 and Go issue https://go.dev/issue/62266.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4b00be585c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fixes issue #3889 by only loading docker plugins path when needed: if it is fast enough than it shouldn't be a problem to do this on demand; OTOH if it is slow then we shouldn't do this during *every* bash session initialization, regardless if docker completion will be needed or not.
Signed-off-by: Oded Arbel <oded@geek.co.il>
(cherry picked from commit 1da67be9ca)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When using a personal access token, Docker Hub produces an error if actions
are requested beyond the token's allowed actions. This resulted in errors
when using a PAT with limited permissions to do a "docker manifest inspect".
This patch sets actions to "pull" only by default, and requests "push" action
for requests that need it.
To verify:
- create a PAT with limited access (read-only)
- log in with your username and the PAT as password
Before this patch:
docker manifest inspect ubuntu:latest
Get "https://registry-1.docker.io/v2/library/ubuntu/manifests/latest": unauthorized: access token has insufficient scopes
With this patch applied:
docker manifest inspect ubuntu:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.oci.image.index.v1+json",
"manifests": [
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:56887c5194fddd8db7e36ced1c16b3569d89f74c801dc8a5adbf48236fb34564",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.oci.image.manifest.v1+json",
"size": 424,
"digest": "sha256:c835a4f2a632bc91a2b494e871549f0dd83f2966c780e66435774e77e048ddf0",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
}
]
}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit d2047b954e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This is a similar fix as 006c946389, which
fixed this for detection of commands that were executed. Make sure we don't
call the "/_ping" endpoint if we don't need to.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit bb57783ab8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Includes a fix for CVE-2023-29409
go1.20.7 (released 2023-08-01) includes a security fix to the crypto/tls
package, as well as bug fixes to the assembler and the compiler. See the
Go 1.20.7 milestone on our issue tracker for details:
- https://github.com/golang/go/issues?q=milestone%3AGo1.20.7+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.20.6...go1.20.7
From the mailing list announcement:
[security] Go 1.20.7 and Go 1.19.12 are released
Hello gophers,
We have just released Go versions 1.20.7 and 1.19.12, minor point releases.
These minor releases include 1 security fixes following the security policy:
- crypto/tls: restrict RSA keys in certificates to <= 8192 bits
Extremely large RSA keys in certificate chains can cause a client/server
to expend significant CPU time verifying signatures. Limit this by
restricting the size of RSA keys transmitted during handshakes to <=
8192 bits.
Based on a survey of publicly trusted RSA keys, there are currently only
three certificates in circulation with keys larger than this, and all
three appear to be test certificates that are not actively deployed. It
is possible there are larger keys in use in private PKIs, but we target
the web PKI, so causing breakage here in the interests of increasing the
default safety of users of crypto/tls seems reasonable.
Thanks to Mateusz Poliwczak for reporting this issue.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.20.7
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6517db9398)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- go.mod: update dependencies and go version by
- Use Go1.20
- Fix couple of typos
- Added `WithStdout` and `WithStderr` helpers
- Moved `cmdOperators` handling from `RunCmd` to `StartCmd`
- Deprecate `assert.ErrorType`
- Remove outdated Dockerfile
- add godoc links
full diff: https://github.com/gotestyourself/gotest.tools/compare/v3.4.0...v3.5.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 0b535c791a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Initialize AuthConfigs map if it's nil before returning it.
This fixes fileStore.Store nil dereference panic when adding a new key
to the map.
Signed-off-by: Danial Gharib <danial.mail.gh@gmail.com>
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ad43df5e86)
go1.20.6 (released 2023-07-11) includes a security fix to the net/http package,
as well as bug fixes to the compiler, cgo, the cover tool, the go command,
the runtime, and the crypto/ecdsa, go/build, go/printer, net/mail, and text/template
packages. See the Go 1.20.6 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.20.6+label%3ACherryPickApproved
Full diff: https://github.com/golang/go/compare/go1.20.5...go1.20.6
These minor releases include 1 security fixes following the security policy:
net/http: insufficient sanitization of Host header
The HTTP/1 client did not fully validate the contents of the Host header.
A maliciously crafted Host header could inject additional headers or entire
requests. The HTTP/1 client now refuses to send requests containing an
invalid Request.Host or Request.URL.Host value.
Thanks to Bartek Nowotarski for reporting this issue.
Includes security fixes for [CVE-2023-29406 ][1] and Go issue https://go.dev/issue/60374
[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 680fafdc9c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.5 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, the
runtime, and the crypto/rsa, net, and os packages. See the Go 1.20.5 milestone
on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.5+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.4...go1.20.5
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3b8d5da66b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.4 (released 2023-05-02) includes three security fixes to the html/template
package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle,
crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our
issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved
release notes: https://go.dev/doc/devel/release#go1.20.4
full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4
from the announcement:
> These minor releases include 3 security fixes following the security policy:
>
> - html/template: improper sanitization of CSS values
>
> Angle brackets (`<>`) were not considered dangerous characters when inserted
> into CSS contexts. Templates containing multiple actions separated by a '/'
> character could result in unexpectedly closing the CSS context and allowing
> for injection of unexpected HMTL, if executed with untrusted input.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
>
> - html/template: improper handling of JavaScript whitespace
>
> Not all valid JavaScript whitespace characters were considered to be
> whitespace. Templates containing whitespace characters outside of the character
> set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
> actions may not be properly sanitized during execution.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
>
> - html/template: improper handling of empty HTML attributes
>
> Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
> executed with empty input could result in output that would have unexpected
> results when parsed due to HTML normalization rules. This may allow injection
> of arbitrary attributes into tags.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fd0621d0fe)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.3 (released 2023-04-04) includes security fixes to the go/parser,
html/template, mime/multipart, net/http, and net/textproto packages, as well
as bug fixes to the compiler, the linker, the runtime, and the time package.
See the Go 1.20.3 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.3+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.20.2...go1.20.3
Further details from the announcement on the mailing list:
We have just released Go versions 1.20.3 and 1.19.8, minor point releases.
These minor releases include 4 security fixes following the security policy:
- go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code which contains `//line`
directives with very large line numbers can cause an infinite loop due to
integer overflow.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.
- html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as Javascript string
delimiters, and as such did not escape them as expected. Backticks are
used, since ES6, for JS template literals. If a template contained a Go
template action within a Javascript template literal, the contents of the
action could be used to terminate the literal, injecting arbitrary Javascript
code into the Go template.
As ES6 template literals are rather complex, and themselves can do string
interpolation, we've decided to simply disallow Go template actions from being
used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe
way to allow this behavior. This takes the same approach as
github.com/google/safehtml. Template.Parse will now return an Error when it
encounters templates like this, with a currently unexported ErrorCode with a
value of 12. This ErrorCode will be exported in the next major release.
Users who rely on this behavior can re-enable it using the GODEBUG flag
jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
should be used with caution.
Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue.
This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.
- net/http, net/textproto: denial of service from excessive memory allocation
HTTP and MIME header parsing could allocate large amounts of memory, even when
parsing small inputs.
Certain unusual patterns of input data could cause the common function used to
parse HTTP and MIME headers to allocate substantially more memory than
required to hold the parsed headers. An attacker can exploit this behavior to
cause an HTTP server to allocate large amounts of memory from a small request,
potentially leading to memory exhaustion and a denial of service.
Header parsing now correctly allocates only the memory required to hold parsed
headers.
Thanks to Jakob Ackermann (@das7pad) for discovering this issue.
This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.
- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Multipart form parsing can consume large amounts of CPU and memory when
processing form inputs containing very large numbers of parts. This stems from
several causes:
mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form
can consume. ReadForm could undercount the amount of memory consumed, leading
it to accept larger inputs than intended. Limiting total memory does not
account for increased pressure on the garbage collector from large numbers of
small allocations in forms with many parts. ReadForm could allocate a large
number of short-lived buffers, further increasing pressure on the garbage
collector. The combination of these factors can permit an attacker to cause an
program that parses multipart forms to consume large amounts of CPU and
memory, potentially resulting in a denial of service. This affects programs
that use mime/multipart.Reader.ReadForm, as well as form parsing in the
net/http package with the Request methods FormFile, FormValue,
ParseMultipartForm, and PostFormValue.
ReadForm now does a better job of estimating the memory consumption of parsed
forms, and performs many fewer short-lived allocations.
In addition, mime/multipart.Reader now imposes the following limits on the
size of parsed forms:
Forms parsed with ReadForm may contain no more than 1000 parts. This limit may
be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form
parts parsed with NextPart and NextRawPart may contain no more than 10,000
header fields. In addition, forms parsed with ReadForm may contain no more
than 10,000 header fields across all parts. This limit may be adjusted with
the environment variable GODEBUG=multipartmaxheaders=.
Thanks to Jakob Ackermann for discovering this issue.
This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 591bead147)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverting 23.0-specific commits before backporting the 1.20 update.
This reverts commit 5cd7710a04.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverting 23.0-specific commits before backporting the 1.20 update.
This reverts commit c769f20797.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Reverting 23.0-specific commits before backporting the 1.20 update.
This reverts commit a483dfd10b.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
internal/test/cli.go:184:34: unused-parameter: parameter 'insecure' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeCli) RegistryClient(insecure bool) registryclient.RegistryClient {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 399ded9b98)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
internal/test/notary/client.go:16:33: unused-parameter: parameter 'imgRefAndAuth' seems to be unused, consider removing or renaming it as _ (revive)
func GetOfflineNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
^
internal/test/notary/client.go:25:45: unused-parameter: parameter 'rootKeyIDs' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
^
internal/test/notary/client.go:30:60: unused-parameter: parameter 'rootKeyIDs' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
^
internal/test/notary/client.go:42:44: unused-parameter: parameter 'target' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) AddTarget(target *client.Target, roles ...data.RoleName) error {
^
internal/test/notary/client.go:48:47: unused-parameter: parameter 'targetName' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) RemoveTarget(targetName string, roles ...data.RoleName) error {
^
internal/test/notary/client.go:54:46: unused-parameter: parameter 'roles' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
^
internal/test/notary/client.go:59:50: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
^
internal/test/notary/client.go:65:61: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
^
internal/test/notary/client.go:85:48: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) AddDelegation(name data.RoleName, delegationKeys []data.PublicKey, paths []string) error {
^
internal/test/notary/client.go:90:59: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) AddDelegationRoleAndKeys(name data.RoleName, delegationKeys []data.PublicKey) error {
^
internal/test/notary/client.go:95:53: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) AddDelegationPaths(name data.RoleName, paths []string) error {
^
internal/test/notary/client.go💯63: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error {
^
internal/test/notary/client.go:105:55: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) RemoveDelegationRole(name data.RoleName) error {
^
internal/test/notary/client.go:110:56: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) RemoveDelegationPaths(name data.RoleName, paths []string) error {
^
internal/test/notary/client.go:115:55: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) RemoveDelegationKeys(name data.RoleName, keyIDs []string) error {
^
internal/test/notary/client.go:120:55: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) ClearDelegationPaths(name data.RoleName) error {
^
internal/test/notary/client.go:126:42: unused-parameter: parameter 'roles' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) Witness(roles ...data.RoleName) ([]data.RoleName, error) {
^
internal/test/notary/client.go:131:44: unused-parameter: parameter 'role' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
^
internal/test/notary/client.go:142:52: unused-parameter: parameter 'version' seems to be unused, consider removing or renaming it as _ (revive)
func (o OfflineNotaryRepository) SetLegacyVersions(version int) {}
^
internal/test/notary/client.go:150:39: unused-parameter: parameter 'imgRefAndAuth' seems to be unused, consider removing or renaming it as _ (revive)
func GetUninitializedNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
^
internal/test/notary/client.go:163:51: unused-parameter: parameter 'rootKeyIDs' seems to be unused, consider removing or renaming it as _ (revive)
func (u UninitializedNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
^
internal/test/notary/client.go:168:66: unused-parameter: parameter 'rootKeyIDs' seems to be unused, consider removing or renaming it as _ (revive)
func (u UninitializedNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
^
internal/test/notary/client.go:180:52: unused-parameter: parameter 'roles' seems to be unused, consider removing or renaming it as _ (revive)
func (u UninitializedNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
^
internal/test/notary/client.go:185:56: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (u UninitializedNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
^
internal/test/notary/client.go:191:67: unused-parameter: parameter 'name' seems to be unused, consider removing or renaming it as _ (revive)
func (u UninitializedNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
^
internal/test/notary/client.go:206:50: unused-parameter: parameter 'role' seems to be unused, consider removing or renaming it as _ (revive)
func (u UninitializedNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
^
internal/test/notary/client.go:211:38: unused-parameter: parameter 'imgRefAndAuth' seems to be unused, consider removing or renaming it as _ (revive)
func GetEmptyTargetsNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
^
internal/test/notary/client.go:223:50: unused-parameter: parameter 'rootKeyIDs' seems to be unused, consider removing or renaming it as _ (revive)
func (e EmptyTargetsNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
^
internal/test/notary/client.go:228:65: unused-parameter: parameter 'rootKeyIDs' seems to be unused, consider removing or renaming it as _ (revive)
func (e EmptyTargetsNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
^
internal/test/notary/client.go:240:51: unused-parameter: parameter 'roles' seems to be unused, consider removing or renaming it as _ (revive)
func (e EmptyTargetsNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
^
internal/test/notary/client.go:245:68: unused-parameter: parameter 'roles' seems to be unused, consider removing or renaming it as _ (revive)
func (e EmptyTargetsNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
^
internal/test/notary/client.go:284:49: unused-parameter: parameter 'role' seems to be unused, consider removing or renaming it as _ (revive)
func (e EmptyTargetsNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
^
internal/test/notary/client.go:289:32: unused-parameter: parameter 'imgRefAndAuth' seems to be unused, consider removing or renaming it as _ (revive)
func GetLoadedNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
^
internal/test/notary/client.go:509:45: unused-parameter: parameter 'imgRefAndAuth' seems to be unused, consider removing or renaming it as _ (revive)
func GetLoadedWithNoSignersNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
^
internal/test/notary/client.go:532:75: unused-parameter: parameter 'roles' seems to be unused, consider removing or renaming it as _ (revive)
func (l LoadedWithNoSignersNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 20a70cb530)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/config/configfile/file_test.go:189:33: unused-parameter: parameter 'authConfig' seems to be unused, consider removing or renaming it as _ (revive)
func (c *mockNativeStore) Store(authConfig types.AuthConfig) error {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit dd6ede2109)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/compose/schema/schema.go:20:44: unused-parameter: parameter 'input' seems to be unused, consider removing or renaming it as _ (revive)
func (checker portsFormatChecker) IsFormat(input interface{}) bool {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7c8680c69b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/volume/prune_test.go:113:22: unused-parameter: parameter 'args' seems to be unused, consider removing or renaming it as _ (revive)
func simplePruneFunc(args filters.Args) (types.VolumesPruneReport, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 607f290f65)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/service/update_test.go:507:41: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (s secretAPIClientMock) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
^
cli/command/service/update_test.go:511:43: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (s secretAPIClientMock) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
^
cli/command/service/update_test.go:515:43: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (s secretAPIClientMock) SecretRemove(ctx context.Context, id string) error {
^
cli/command/service/update_test.go:519:51: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (s secretAPIClientMock) SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error) {
^
cli/command/service/update_test.go:523:43: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (s secretAPIClientMock) SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c69640d8c1)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/plugin/client_test.go:23:35: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginCreate(ctx context.Context, createContext io.Reader, createOptions types.PluginCreateOptions) error {
^
cli/command/plugin/client_test.go:30:35: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginEnable(ctx context.Context, name string, enableOptions types.PluginEnableOptions) error {
^
cli/command/plugin/client_test.go:37:36: unused-parameter: parameter 'context' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginDisable(context context.Context, name string, disableOptions types.PluginDisableOptions) error {
^
cli/command/plugin/client_test.go:44:35: unused-parameter: parameter 'context' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginRemove(context context.Context, name string, removeOptions types.PluginRemoveOptions) error {
^
cli/command/plugin/client_test.go:51:36: unused-parameter: parameter 'context' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginInstall(context context.Context, name string, installOptions types.PluginInstallOptions) (io.ReadCloser, error) {
^
cli/command/plugin/client_test.go:58:33: unused-parameter: parameter 'context' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginList(context context.Context, filter filters.Args) (types.PluginsListResponse, error) {
^
cli/command/plugin/client_test.go:66:43: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) PluginInspectWithRaw(ctx context.Context, name string) (*types.Plugin, []byte, error) {
^
cli/command/plugin/client_test.go:74:27: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) Info(ctx context.Context) (types.Info, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit da3416c023)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/image/build/context_test.go:21:19: unused-parameter: parameter 't' seems to be unused, consider removing or renaming it as _ (revive)
func prepareEmpty(t *testing.T) string {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae5a86bb8d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I could either remove the name for these contexts, or make the fake functions
more accurately reflect the actual implementation (decided to go for the latter
one)
cli/command/secret/client_test.go:19:35: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) SecretCreate(ctx context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
^
cli/command/secret/client_test.go:26:43: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) SecretInspectWithRaw(ctx context.Context, id string) (swarm.Secret, []byte, error) {
^
cli/command/secret/client_test.go:33:33: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
^
cli/command/secret/client_test.go:40:35: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) SecretRemove(ctx context.Context, name string) error {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9dd012aa5d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
I could either remove the name for these contexts, or make the fake functions
more accurately reflect the actual implementation (decided to go for the latter
one)
. cli/command/config/client_test.go:19:35: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) ConfigCreate(ctx context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
^
cli/command/config/client_test.go:26:43: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.Config, []byte, error) {
^
cli/command/config/client_test.go:33:33: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
^
cli/command/config/client_test.go:40:35: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *fakeClient) ConfigRemove(ctx context.Context, name string) error {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 66c66bdce7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Only a single method of the FakeClient was actually implemented (and used).
This patch embeds the interface it must implement to reduce the boilerplating
for not yet implemented methods.
Calling any of the unimplemented methods will result in a panic, which will
make it clear when they must be implemented :)
This also fixes various linting errors;
internal/test/network/client.go:17:37: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeClient) NetworkConnect(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
^
internal/test/network/client.go:22:65: unused-parameter: parameter 'options' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeClient) NetworkCreate(_ context.Context, _ string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
^
internal/test/network/client.go:27:40: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeClient) NetworkDisconnect(ctx context.Context, networkID, container string, force bool) error {
^
internal/test/network/client.go:45:53: unused-parameter: parameter 'options' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeClient) NetworkList(_ context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
^
internal/test/network/client.go:50:36: unused-parameter: parameter 'ctx' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeClient) NetworkRemove(ctx context.Context, networkID string) error {
^
internal/test/network/client.go:55:55: unused-parameter: parameter 'pruneFilter' seems to be unused, consider removing or renaming it as _ (revive)
func (c *FakeClient) NetworksPrune(_ context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ac024a4d8b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These method must implements an interface, but don't use the argument.
cli/trust/trust.go:85:40: unused-parameter: parameter 'u' seems to be unused, consider removing or renaming it as _ (revive)
func (scs simpleCredentialStore) Basic(u *url.URL) (string, string) {
^
cli/trust/trust.go:89:47: unused-parameter: parameter 'u' seems to be unused, consider removing or renaming it as _ (revive)
func (scs simpleCredentialStore) RefreshToken(u *url.URL, service string) string {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit a2d532819d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
opts/capabilities.go:25:2: redefines-builtin-id: redefinition of the built-in function cap (revive)
cap = strings.ToUpper(strings.TrimSpace(cap))
^
opts/capabilities.go:30:3: redefines-builtin-id: redefinition of the built-in function cap (revive)
cap = "CAP_" + cap
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f5fad186c0)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This method implements the interface defined in distribution, but doesn't
use the argument.
cli/registry/client/endpoint.go:123:69: unused-parameter: parameter 'params' seems to be unused, consider removing or renaming it as _ (revive)
func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 9252fae838)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function must match the interface, but doesn't use the firs argument.
cli/command/service/progress/progress.go:417:40: unused-parameter: parameter 'service' seems to be unused, consider removing or renaming it as _ (revive)
func (u *globalProgressUpdater) update(service swarm.Service, tasks []swarm.Task, activeNodes map[string]struct{}, rollback bool) (bool, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 92506afd49)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These functions must have the same signature, but only some of them accept
an "all" boolean argument;
88924b1802/cli/command/system/prune.go (L79)
cli/command/container/prune.go:78:38: unused-parameter: parameter 'all' seems to be unused, consider removing or renaming it as _ (revive)
func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
^
cli/command/network/prune.go:73:38: unused-parameter: parameter 'all' seems to be unused, consider removing or renaming it as _ (revive)
func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
^
cli/command/volume/prune.go:78:38: unused-parameter: parameter 'all' seems to be unused, consider removing or renaming it as _ (revive)
func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c3d7f167bd)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These wrappers were added to abstract stack deploy to k8s and swarm. Now
that support for deploying to k8s was removed, we can remove these wrappers.
This deprecates:
- RunDeploy()
- RunPs()
- RunRemove()
- GetServices()
This also addresses some linting failers, due to these functions having
unused arguments:
cli/command/stack/deploy.go:51:39: unused-parameter: parameter 'flags' seems to be unused, consider removing or renaming it as _ (revive)
func RunDeploy(dockerCli command.Cli, flags *pflag.FlagSet, config *composetypes.Config, opts options.Deploy) error {
^
cli/command/stack/ps.go:42:35: unused-parameter: parameter 'flags' seems to be unused, consider removing or renaming it as _ (revive)
func RunPs(dockerCli command.Cli, flags *pflag.FlagSet, opts options.PS) error {
^
cli/command/stack/remove.go:35:39: unused-parameter: parameter 'flags' seems to be unused, consider removing or renaming it as _ (revive)
func RunRemove(dockerCli command.Cli, flags *pflag.FlagSet, opts options.Remove) error {
^
cli/command/stack/list.go:37:14: unused-parameter: parameter 'cmd' seems to be unused, consider removing or renaming it as _ (revive)
func RunList(cmd *cobra.Command, dockerCli command.Cli, opts options.List) error {
^
cli/command/stack/services.go:56:41: unused-parameter: parameter 'flags' seems to be unused, consider removing or renaming it as _ (revive)
func GetServices(dockerCli command.Cli, flags *pflag.FlagSet, opts options.Services) ([]swarmtypes.Service, error) {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f08252c10a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
cli/command/container/run.go:176:3: redefines-builtin-id: redefinition of the built-in function close (revive)
close, err := attachContainer(ctx, dockerCli, &errCh, config, createResponse.ID)
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit be97731f1a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
update the version we use in the dev-container;
- Fix a regression for bake where services in profiles would not be loaded.
- Fix a regression where --cgroup-parent option had no effect during build.
- Fix a regression where valid docker contexts could fail buildx builder name validation.
- Fix an issue where the host-gateway special address could not be used as an argument to --add-host.
- Fix a possible panic when terminal is resized during the build.
release notes: https://github.com/docker/buildx/releases/tag/v0.11.1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ff9f1be19e)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.19.10 (released 2023-06-06) includes four security fixes to the cmd/go and
runtime packages, as well as bug fixes to the compiler, the go command, and the
runtime. See the Go 1.19.10 milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.10+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.19.9...go1.19.10
These minor releases include 3 security fixes following the security policy:
- cmd/go: cgo code injection
The go command may generate unexpected code at build time when using cgo. This
may result in unexpected behavior when running a go program which uses cgo.
This may occur when running an untrusted module which contains directories with
newline characters in their names. Modules which are retrieved using the go command,
i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e.
GO111MODULE=off, may be affected).
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29402 and Go issue https://go.dev/issue/60167.
- runtime: unexpected behavior of setuid/setgid binaries
The Go runtime didn't act any differently when a binary had the setuid/setgid
bit set. On Unix platforms, if a setuid/setgid binary was executed with standard
I/O file descriptors closed, opening any files could result in unexpected
content being read/written with elevated prilieges. Similarly if a setuid/setgid
program was terminated, either via panic or signal, it could leak the contents
of its registers.
Thanks to Vincent Dehors from Synacktiv for reporting this issue.
This is CVE-2023-29403 and Go issue https://go.dev/issue/60272.
- cmd/go: improper sanitization of LDFLAGS
The go command may execute arbitrary code at build time when using cgo. This may
occur when running "go get" on a malicious module, or when running any other
command which builds untrusted code. This is can by triggered by linker flags,
specified via a "#cgo LDFLAGS" directive.
Thanks to Juho Nurminen of Mattermost for reporting this issue.
This is CVE-2023-29404 and CVE-2023-29405 and Go issues https://go.dev/issue/60305 and https://go.dev/issue/60306.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Official Golang images are now only available for 3.18 and 3.17;
3.18 doesn't look to play well with gotestsum, so sticking to
an older version.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit acb248f8d5)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use the default proxy, to assist with vanity domains mis-behaving, but keep
a fallback for situations where we need to get modules from GitHub directly.
This should hopefully help with the gopkg.in/yaml.v2 domain often going AWOL;
#14 245.9 gopkg.in/yaml.v2@v2.4.0: unrecognized import path "gopkg.in/yaml.v2": reading https://gopkg.in/yaml.v2?go-get=1: 502 Bad Gateway
#14 245.9 server response: Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe
curl 'https://gopkg.in/yaml.v2?go-get=1'
Cannot obtain refs from GitHub: cannot talk to GitHub: Get https://github.com/go-yaml/yaml.git/info/refs?service=git-upload-pack: write tcp 10.131.9.188:60820->140.82.121.3:443: write: broken pipe
From the Go documentation; https://go.dev/ref/mod#goproxy-protocol
> List elements may be separated by commas (,) or pipes (|), which determine error
> fallback behavior. When a URL is followed by a comma, the go command falls back
> to later sources only after a 404 (Not Found) or 410 (Gone) response. When a URL
> is followed by a pipe, the go command falls back to later sources after any error,
> including non-HTTP errors such as timeouts. This error handling behavior lets a
> proxy act as a gatekeeper for unknown modules. For example, a proxy could respond
> with error 403 (Forbidden) for modules not on an approved list (see Private proxy
> serving private modules).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 6458dcbe51)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit c846428cb6 added proxies to the
example `daemon.json`, based on the implementation that was added in
427c7cc5f8.
However, a follow-up pull request changed the proxy-configuration in`daemon.json`
to nest the configuration in a "proxies" struct, and the documentation was
not updated accordingly; see:
101dafd049
This patch fixes the example.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2713d0bcde)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This field was marked deprecated in 977d3ae046,
which is part of v20.10 and up, but the comment was missing a newline before
the deprecation message, which may be picked up by IDEs, but is not matching
the correct format, so may not be picked up by linters.
This patch fixes the format, to make sure linters pick up that the field is
deprecated.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 72e3813ab9)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.19.9 (released 2023-05-02) includes three security fixes to the html/template
package, as well as bug fixes to the compiler, the runtime, and the crypto/tls
and syscall packages. See the Go 1.19.9 milestone on our issue tracker for details.
https://github.com/golang/go/issues?q=milestone%3AGo1.19.9+label%3ACherryPickApproved
release notes: https://go.dev/doc/devel/release#go1.19.9
full diff: https://github.com/golang/go/compare/go1.19.8...go1.19.9
from the announcement:
> These minor releases include 3 security fixes following the security policy:
>
>- html/template: improper sanitization of CSS values
>
> Angle brackets (`<>`) were not considered dangerous characters when inserted
> into CSS contexts. Templates containing multiple actions separated by a '/'
> character could result in unexpectedly closing the CSS context and allowing
> for injection of unexpected HMTL, if executed with untrusted input.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
>
> - html/template: improper handling of JavaScript whitespace
>
> Not all valid JavaScript whitespace characters were considered to be
> whitespace. Templates containing whitespace characters outside of the character
> set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
> actions may not be properly sanitized during execution.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
>
> - html/template: improper handling of empty HTML attributes
>
> Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
> executed with empty input could result in output that would have unexpected
> results when parsed due to HTML normalization rules. This may allow injection
> of arbitrary attributes into tags.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The --format=json option was added for all inspect commands, but was not
implemented for "docker version". This patch implements the missing option.
Before this patch:
docker version --format=json
json
With this patch:
docker version --format=json
{"Client":{"Platform":{"Name":""},"Version":"24.0.0-dev","ApiVersion":"..."}}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 23bd746c43)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The --format=json option was added for all inspect commands, but was not implemented
for "docker info". This patch implements the missing option.
Before this patch:
docker info --format=json
json
With this patch applied:
docker info --format=json
{"ID":"80c2f18a-2c88-4e4a-ba69-dca0eea59835","Containers":7,"ContainersRunning":"..."}
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 46234b82e2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These tests were deliberately producing errors as part of the test, but
printing those errors could be confusing / make it more difficult to find
actual test-failures.
Before this patch:
=== RUN TestVolumeCreateErrors
Error: conflicting options: either specify --name or provide positional arg, not both
Error: "create" requires at most 1 argument.
See 'create --help'.
Usage: create [OPTIONS] [VOLUME] [flags]
Create a volume
Error: error creating volume
--- PASS: TestVolumeCreateErrors (0.00s)
PASS
With this patch applied:
=== RUN TestVolumeCreateErrors
--- PASS: TestVolumeCreateErrors (0.00s)
PASS
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit db827d583b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes the cli erroring out if the variable is set to an empty
value.
```
$ export DOCKER_BUILDKIT=
$ docker version
DOCKER_BUILDKIT environment variable expects boolean value: strconv.ParseBool: parsing "": invalid syntax
```
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
(cherry picked from commit ff7f76af7a)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Adds documentation for the options that were added in
427c7cc5f8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c846428cb6)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Update the description for the changes made in;
68e96f88ee
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit c209743612)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Adding a description based on the Go documentation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3701748000)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
No need to mention that the env-var may be removed at that point to keep
the description more to-the-point.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 879e0804a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Support for this environment variable was removed in docker 23.0 in
1240f8b41d
From that patch:
> All regular, non-EOL Linux distros now come with more recent kernels
> out of the box. There may still be users trying to run on kernel 3.10
> or older (some embedded systems, e.g.), but those should be a rare
> exception, which we don't have to take into account.
>
> This patch removes the kernel version check on Linux, and the corresponding
> DOCKER_NOWARN_KERNEL_VERSION environment that was there to skip this
> check.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 4a863df57a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This function no longer uses the /info endpoint to resolve the registry
to use. The documentation for this function was still referring to
the (once used) special registry for Windows images, which is no longer
in use, so update the docs to reflect reality :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 5bd359132b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The next release will be "v24.0.0", not "v23.1.0"
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 04df700257)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Edited second paragraph under ### Daemon configuration file to change "regardless their value" to "regardless of their value"
Signed-off-by: Jake Stokes <contactjake@developerjake.com>
(cherry picked from commit 9335690a66)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This adds the new aliases that were added in 9b54d860cd
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 08a794dc0c)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Commit 1e3622c50c moved the generator code
to a subdirectory, but forgot to update the markdown version of this script.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 37f234fbe7)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.19.8 (released 2023-04-04) includes security fixes to the go/parser,
html/template, mime/multipart, net/http, and net/textproto packages, as well as
bug fixes to the linker, the runtime, and the time package. See the Go 1.19.8
milestone on our issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.19.8+label%3ACherryPickApproved
full diff: https://github.com/golang/go/compare/go1.19.7...go1.19.8
Further details from the announcement on the mailing list:
We have just released Go versions 1.20.3 and 1.19.8, minor point releases.
These minor releases include 4 security fixes following the security policy:
- go/parser: infinite loop in parsing
Calling any of the Parse functions on Go source code which contains `//line`
directives with very large line numbers can cause an infinite loop due to
integer overflow.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2023-24537 and Go issue https://go.dev/issue/59180.
- html/template: backticks not treated as string delimiters
Templates did not properly consider backticks (`) as Javascript string
delimiters, and as such did not escape them as expected. Backticks are
used, since ES6, for JS template literals. If a template contained a Go
template action within a Javascript template literal, the contents of the
action could be used to terminate the literal, injecting arbitrary Javascript
code into the Go template.
As ES6 template literals are rather complex, and themselves can do string
interpolation, we've decided to simply disallow Go template actions from being
used inside of them (e.g. "var a = {{.}}"), since there is no obviously safe
way to allow this behavior. This takes the same approach as
github.com/google/safehtml. Template.Parse will now return an Error when it
encounters templates like this, with a currently unexported ErrorCode with a
value of 12. This ErrorCode will be exported in the next major release.
Users who rely on this behavior can re-enable it using the GODEBUG flag
jstmpllitinterp=1, with the caveat that backticks will now be escaped. This
should be used with caution.
Thanks to Sohom Datta, Manipal Institute of Technology, for reporting this issue.
This is CVE-2023-24538 and Go issue https://go.dev/issue/59234.
- net/http, net/textproto: denial of service from excessive memory allocation
HTTP and MIME header parsing could allocate large amounts of memory, even when
parsing small inputs.
Certain unusual patterns of input data could cause the common function used to
parse HTTP and MIME headers to allocate substantially more memory than
required to hold the parsed headers. An attacker can exploit this behavior to
cause an HTTP server to allocate large amounts of memory from a small request,
potentially leading to memory exhaustion and a denial of service.
Header parsing now correctly allocates only the memory required to hold parsed
headers.
Thanks to Jakob Ackermann (@das7pad) for discovering this issue.
This is CVE-2023-24534 and Go issue https://go.dev/issue/58975.
- net/http, net/textproto, mime/multipart: denial of service from excessive resource consumption
Multipart form parsing can consume large amounts of CPU and memory when
processing form inputs containing very large numbers of parts. This stems from
several causes:
mime/multipart.Reader.ReadForm limits the total memory a parsed multipart form
can consume. ReadForm could undercount the amount of memory consumed, leading
it to accept larger inputs than intended. Limiting total memory does not
account for increased pressure on the garbage collector from large numbers of
small allocations in forms with many parts. ReadForm could allocate a large
number of short-lived buffers, further increasing pressure on the garbage
collector. The combination of these factors can permit an attacker to cause an
program that parses multipart forms to consume large amounts of CPU and
memory, potentially resulting in a denial of service. This affects programs
that use mime/multipart.Reader.ReadForm, as well as form parsing in the
net/http package with the Request methods FormFile, FormValue,
ParseMultipartForm, and PostFormValue.
ReadForm now does a better job of estimating the memory consumption of parsed
forms, and performs many fewer short-lived allocations.
In addition, mime/multipart.Reader now imposes the following limits on the
size of parsed forms:
Forms parsed with ReadForm may contain no more than 1000 parts. This limit may
be adjusted with the environment variable GODEBUG=multipartmaxparts=. Form
parts parsed with NextPart and NextRawPart may contain no more than 10,000
header fields. In addition, forms parsed with ReadForm may contain no more
than 10,000 header fields across all parts. This limit may be adjusted with
the environment variable GODEBUG=multipartmaxheaders=.
Thanks to Jakob Ackermann for discovering this issue.
This is CVE-2023-24536 and Go issue https://go.dev/issue/59153.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This moves all the terminal writing to a goroutine that updates the
terminal periodically.
In our MITM copier we just use an atomic to add to the total number of
bytes read/written, the goroutine reads the total and updates the
terminal as needed.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit eb392ff4ce)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Only show progress updates after a time threshold has elapsed in order
to reduce the number of writes to the terminal.
This improves readability of the progress.
Also moves cursor show/hide into the progress printer to reduce chances
if messing up the user's terminal in case of cancellation.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit 90b7bc36d4)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This just makes it easier to reason about what is happening.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit efd011b793)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
- Instead of rewriting the entire line every time only clear and write
the parts that changed.
- Hide the cursor while writing progress
Both these things make the progress updates significantly easier to
read.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ccae6e9299)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
This fixes a case where a non-tty will have control characters + the log
line for every single read operation.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit f27927d934)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
These were deprecated in 6c400a9c2009bba9376ad61ab59c04c1ad675871 (docker 19.03),
but the "Deprecated:" comments were missing a newline before them.
While most IDEs will detect such comments as "deprecated", pkg.go.dev and linters
will ignore them, which may result in users not being aware of them being deprecated.
This patch;
- Fixes the "Deprecated:" comments.
- Changes the var aliases to functions, which is slightly more boilerplating,
but makes sure the functions are documented as "function", instead of shown
in the "variables" section on pkg.go.dev.
- Adds some punctuation and adds "doc links", which allows readers to navigate
to related content on pkg.go.dev.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 817897f891)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We can slightly improve plugins listing by spawning a
goroutine for each iteration.
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit 89583b92b7)
# Conflicts:
# vendor.mod
# vendor/modules.txt
We are currently loading plugin command stubs for every
invocation which still has a significant performance hit.
With this change we are doing this operation only if cobra
completion arg request is found.
- 20.10.23: `docker --version` takes ~15ms
- 23.0.1: `docker --version` takes ~93ms
With this change `docker --version` takes ~9ms
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>
(cherry picked from commit c39c711a18)
looks like this one was forgotten to be updated :)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit e4436853e8)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2023-03-30 16:56:58 +02:00
262 changed files with 2941 additions and 1315 deletions
flags.VarP(hostOpt,"host","H","Daemon socket(s) to connect to")
flags.VarP(hostOpt,"host","H","Daemon socket to connect to")
flags.StringVarP(&o.Context,"context","c","",
`Name of the context to use to connect to the daemon (overrides `+client.EnvOverrideHost+` env var and default context set with "docker context use")`)
errs=append(errs,fmt.Sprintf(`"--%s" requires API version %s, but the Docker daemon API version is %s`,f.Name,getFlagAnnotation(f,"version"),details.CurrentVersion()))
| `-c`, `--context` | `string` | | Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with `docker context use`) |
| `-D`, `--debug` | | | Enable debug mode |
| `-H`, `--host` | `list` | | Daemon socket(s) to connect to |
| `-l`, `--log-level` | `string` | `info` | Set the logging level (`debug`, `info`, `warn`, `error`, `fatal`) |
| `--tls` | | | Use TLS; implied by --tlsverify |
| `--tlscacert` | `string` | `/root/.docker/ca.pem` | Trust certs signed only by this CA |
| `-c`, `--context` | `string` | | Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with `docker context use`) |
| `-D`, `--debug` | | | Enable debug mode |
| [`-H`](#host), [`--host`](#host) | `list` | | Daemon socket to connect to |
| `-l`, `--log-level` | `string` | `info` | Set the logging level (`debug`, `info`, `warn`, `error`, `fatal`) |
| `--tls` | | | Use TLS; implied by --tlsverify |
| `--tlscacert` | `string` | `/root/.docker/ca.pem` | Trust certs signed only by this CA |
| `DOCKER_API_VERSION` | Override the negotiated API version to use for debugging (e.g. `1.19`) |
| `DOCKER_CERT_PATH` | Location of your authentication keys. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
| `DOCKER_CONFIG` | The location of your client configuration files. |
| `DOCKER_CONTENT_TRUST_SERVER` | The URL of the Notary server to use. Defaults to the same URL as the registry. |
| `DOCKER_CONTENT_TRUST` | When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run. |
| `DOCKER_CONTEXT` | Name of the `docker context` to use (overrides `DOCKER_HOST` env var and default context set with `docker context use`) |
| `DOCKER_DEFAULT_PLATFORM` | Default platform for commands that take the `--platform` flag. |
| `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release, at which point this environment-variable is removed. |
| `DOCKER_HOST` | Daemon socket to connect to. |
| `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
| `BUILDKIT_PROGRESS` | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`). |
| `DOCKER_API_VERSION` | Override the negotiated API version to use for debugging (e.g. `1.19`) |
| `DOCKER_CERT_PATH` | Location of your authentication keys. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
| `DOCKER_CONFIG` | The location of your client configuration files. |
| `DOCKER_CONTENT_TRUST_SERVER` | The URL of the Notary server to use. Defaults to the same URL as the registry. |
| `DOCKER_CONTENT_TRUST` | When set Docker uses notary to sign and verify images. Equates to `--disable-content-trust=false` for build, create, pull, push, run. |
| `DOCKER_CONTEXT` | Name of the `docker context` to use (overrides `DOCKER_HOST` env var and default context set with `docker context use`) |
| `DOCKER_DEFAULT_PLATFORM` | Default platform for commands that take the `--platform` flag. |
| `DOCKER_HIDE_LEGACY_COMMANDS` | When set, Docker hides "legacy" top-level commands (such as `docker rm`, and `docker pull`) in `docker help` output, and only `Management commands` per object-type (e.g., `docker container`) are printed. This may become the default in a future release. |
| `DOCKER_HOST` | Daemon socket to connect to. |
| `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) |
| `BUILDKIT_PROGRESS` | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](https://docs.docker.com/build/buildkit/). Use plain to show container output (default `auto`). |
Because Docker is developed using Go, you can also use any environment
variables used by the Go runtime. In particular, you may find these useful:
| `DOCKER_CERT_PATH` | Location of your authentication keys. This variable is used both by the [`docker` CLI](cli.md) and the `dockerd` daemon. |
|`DOCKER_DRIVER` | The storage driver to use. |
|`DOCKER_RAMDISK` | If set this disables 'pivot_root'. |
| `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the [`docker` CLI](cli.md) and the `dockerd` daemon. |
| `DOCKER_TMPDIR` | Location for temporary files created by the daemon. |
| `HTTP_PROXY` | Proxy URL for HTTP requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details. |
| `HTTPS_PROXY` | Proxy URL for HTTPS requests unless overridden by NoProxy. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details. |
| `MOBY_DISABLE_PIGZ` | Disables the use of [`unpigz`](https://linux.die.net/man/1/pigz) to decompress layers in parallel when pulling images, even if it is installed. | |
| `NO_PROXY` | Comma-separated values specifying hosts that should be excluded from proxying. See the [Go specification](https://pkg.go.dev/golang.org/x/net/http/httpproxy#Config) for details. |
## Examples
### Proxy configuration
> **Note**
>
> Refer to the [Docker Desktop manual](https://docs.docker.com/desktop/networking/#httphttps-proxy-support)
> if you are running [Docker Desktop](https://docs.docker.com/desktop/).
If you are behind an HTTP proxy server, for example in corporate settings,
you may have to configure the Docker daemon to use the proxy server for
operations such as pulling and pushing images. The daemon can be configured
in three ways:
1. Using environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY`).
2. Using the "http-proxy", "https-proxy", and "no-proxy" fields in the
[daemon configuration file](#daemon-configuration-file) (Docker Engine 23.0 or newer).
3. Using the `--http-proxy`, `--https-proxy`, and `--no-proxy` command-line
options. (Docker Engine 23.0 or newer).
The command-line and configuration file options take precedence over environment
variables. Refer to [control and configure Docker with systemd](https://docs.docker.com/config/daemon/systemd/#httphttps-proxy)
to set these environment variables on a host using `systemd`.
### Daemon socket option
The Docker daemon can listen for [Docker Engine API](https://docs.docker.com/engine/api/)
@ -1143,7 +1172,7 @@ of the flag name, e.g., `labels` for the `label` flag.
The options set in the configuration file must not conflict with options set
via flags. The docker daemon fails to start if an option is duplicated between
the file and the flags, regardless their value. We do this to avoid
the file and the flags, regardless of their value. We do this to avoid
silently ignore changes introduced in configuration reloads.
For example, the daemon fails to start if you set daemon labels
in the configuration file and also set daemon labels via the `--label` flag.
@ -1222,6 +1251,11 @@ This is a full example of the allowed configuration options on Linux:
"fixed-cidr-v6":"",
"group":"",
"hosts":[],
"proxies":{
"http-proxy":"http://proxy.example.com:80",
"https-proxy":"https://proxy.example.com:443",
"no-proxy":"*.test.example.com,.example.org",
},
"icc":false,
"init":false,
"init-path":"/usr/libexec/docker-init",
@ -1255,7 +1289,7 @@ This is a full example of the allowed configuration options on Linux:
| [`-f`](#format), [`--format`](#format) | `string` | | Format output using a custom template:<br>'json': Print in JSON format<br>'TEMPLATE': Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
If you want to add a running container to a network use the `docker network connect` subcommand.
You can connect multiple containers to the same network. Once connected, the
containers can communicate easily using only another container's IP address
containers can communicate using only another container's IP address
or name. For `overlay` networks or custom plugins that support multi-host
connectivity, containers connected to the same multi-host network but launched
from different Engines can also communicate in this way.
@ -498,6 +507,8 @@ from different Engines can also communicate in this way.
You can disconnect a container from a network using the `docker network
disconnect` command.
For more information on connecting a container to a network when using the `run` command, see the ["*Docker network overview*"](https://docs.docker.com/network/).
### <a name="volumes-from"></a> Mount volumes from container (--volumes-from)
| `no` | Do not automatically restart the container when it exits. This is the default. |
| `on-failure[:max-retries]` | Restart only if the container exits with a non-zero exit status. Optionally, limit the number of restart retries the Docker daemon attempts. |
| `unless-stopped` | Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted. |
| `always` | Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. |
| `unless-stopped` | Restart the container unless it's explicitly stopped or Docker itself is stopped or restarted. |
| `always` | Always restart the container regardless of the exit status. When you specify always, the Docker daemon tries to restart the container indefinitely. The container always starts on daemon startup, regardless of the current state of the container. |
```console
$ docker run --restart=always redis
```
This will run the `redis` container with a restart policy of **always**
so that if the container exits, Docker will restart it.
so that if the container exits, Docker restarts it.
More detailed information on restart policies can be found in the
You can find more detailed information on restart policies in the
@ -877,7 +893,7 @@ On Windows, this will affect containers differently depending on what type of is
OsMaxProcessMemorySize : 137438953344
```
- With `hyperv` isolation, Windows will create a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
- With `hyperv` isolation, Windows creates a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
The `--sysctl` sets namespaced kernel parameters (sysctls) in the
@ -909,6 +924,7 @@ $ docker run --sysctl net.ipv4.ip_forward=1 someimage
> inside of a container that also modify the host system. As the kernel
> evolves we expect to see more sysctls become namespaced.
#### Currently supported sysctls
IPC Namespace:
@ -922,3 +938,13 @@ Network Namespace:
- Sysctls beginning with `net.*`
- If you use the `--network=host` option using these sysctls are not allowed.
## Command internals
The `docker run` command is equivalent to the following API calls:
- `/<APIversion>/containers/create`
- If that call returns a 404 (image not found), and depending on the `--pull` option ("always", "missing", "never") the call can trigger a `docker pull <image>`.
- `/containers/create` again after pulling the image.
- `/containers/(id)/start` to start the container.
- `/containers/(id)/attach` to attach to the container when starting with the `-it` flags for interactive containers.
| `-f`, `--format` | `string` | | Format output using a custom template:<br>'json': Print in JSON format<br>'TEMPLATE': Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
| [`-f`](#format), [`--format`](#format) | `string` | | Format output using a custom template:<br>'json': Print in JSON format<br>'TEMPLATE': Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
