forked from docker/cli
Update to 20 10 14 #2
Open
hmlampe wants to merge 178 commits into master from update_to_20_10_14
Signed-off-by: Chris Crone <[email protected]>
Signed-off-by: Chris Crone <[email protected]>
Signed-off-by: Chris Crone <[email protected]>
…ackage Signed-off-by: Tibor Vass <[email protected]> (cherry picked from commit 7bef248) Signed-off-by: Tibor Vass <[email protected]>
On Windows, the os/exec.{Command,CommandContext,LookPath} functions resolve command names that have neither path separators nor file extension (e.g., "git") by first looking in the current working directory before looking in the PATH environment variable. Go maintainers intended to match cmd.exe's historical behavior. However, this is pretty much never the intended behavior and as an abundance of precaution this patch prevents that when executing commands. Example of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`. Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`, the windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker. Signed-off-by: Tibor Vass <[email protected]> (cherry picked from commit 8d199d5) Signed-off-by: Tibor Vass <[email protected]>
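The lookup behaviour described in the commit message above can be guarded against by accepting only absolute results from `exec.LookPath`. The following is an added example, not code from this pull request or from docker/cli; the helper names `lookPathAbs` and `command` are hypothetical. It also covers the Unix equivalent, a `.` or empty entry in `PATH`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// errRelative marks a lookup that resolved relative to the current working
// directory instead of to a directory listed in PATH.
var errRelative = errors.New("resolved relative to the current directory")

// lookPathAbs (hypothetical helper) resolves a bare command name such as "git"
// and accepts the result only when it is an absolute path.
func lookPathAbs(name string) (string, error) {
	if filepath.Base(name) != name {
		return "", fmt.Errorf("%q: expected a bare command name", name)
	}
	path, err := exec.LookPath(name)
	if err != nil {
		// Not found, or (Go 1.19 and later) rejected by os/exec itself
		// because the match was relative to the current directory.
		return "", fmt.Errorf("%q: %w", name, err)
	}
	if !filepath.IsAbs(path) {
		// Older Go on Windows returns the match found in the current directory,
		// as does a "." or empty PATH entry on Unix.
		return "", fmt.Errorf("%q -> %q: %w", name, path, errRelative)
	}
	return path, nil
}

// command (hypothetical helper) builds an *exec.Cmd from the vetted absolute
// path, so exec.Command performs no second lookup of its own.
func command(name string, args ...string) (*exec.Cmd, error) {
	path, err := lookPathAbs(name)
	if err != nil {
		return nil, err
	}
	return exec.Command(path, args...), nil
}

func main() {
	cmd, err := command("git", "--version")
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run:", err)
		os.Exit(1)
	}
	fmt.Println("would run:", cmd.Path)
}
```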
Signed-off-by: Harald Albers <[email protected]> (cherry picked from commit a4e86b5) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Roch Feuillade <[email protected]> (cherry picked from commit 69b5487) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Harald Albers <[email protected]> (cherry picked from commit 8242fe1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Harald Albers <[email protected]> (cherry picked from commit ba2fef9) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Harald Albers <[email protected]> (cherry picked from commit 5a252fb) Signed-off-by: Sebastiaan van Stijn <[email protected]>
These options were deprecated and removed in the Linux kernel v5.0 and up in;

- torvalds/linux@f382fb0
- torvalds/linux@fb5772c
- torvalds/linux@23aa164

Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit fb2ea09) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 697c3a5) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit a4fb01f) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Christopher Svensson <[email protected]> (cherry picked from commit 584c08e) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Christopher Svensson <[email protected]> (cherry picked from commit b04241d) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: LeeDongGeon <[email protected]> (cherry picked from commit 852fe05) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit c0b7b58) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit f52a9e2) Signed-off-by: Sebastiaan van Stijn <[email protected]>
commit c2626a8 replaced the use of github.com/docker/docker/pkg/homedir with Golang's os.UserHomeDir(). This change was partially reverted in 7a279af to account for situations where `$HOME` is not set. In situations where no configuration file is present in `~/.config/`, the CLI falls back to looking for the (deprecated) `~/.dockercfg` configuration file, which was still using `os.UserHomeDir()`, which produces an error/warning if `$HOME` is not set. This patch introduces a helper function and a global variable to get the user's home-directory. The global variable is used to prevent repeatedly looking up the user's information (which, depending on the setup can be a costly operation). Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit c85a37d) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Commit f32731f fixed a potential panic when an error was returned while trying to get existing credentials. However, other code paths currently use the result of `GetDefaultAuthConfig()` even in an error condition; this resulted in a panic, because a `nil` was returned. Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit c2820a7) Signed-off-by: Sebastiaan van Stijn <[email protected]>
In go1.14+, SIGURG is used by the runtime to handle preemptible system calls. In practice this signal is caught *frequently*. For reference: https://go.googlesource.com/proposal/+/master/design/24543-non-cooperative-preemption.md golang/go#37942 Signed-off-by: Brian Goff <[email protected]> (cherry picked from commit fff164c) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Alexey Igrychev <[email protected]> (cherry picked from commit fc9ca9a) Signed-off-by: Sebastiaan van Stijn <[email protected]>
In the recent PR !2877, some code was added to check if md2man is already installed in the build environment. This is to cater to the needs of Linux distributions. However it turns out that Linux distributions install md2man as bin/go-md2man instead of bin/md2man, hence the PR !2877 doesn't help much. This commit fixes it by settling on using the binary name go-md2man. For reference, here is the file list of the package go-md2man in several distributions:

- Debian: <https://packages.debian.org/sid/amd64/go-md2man/filelist>
- Ubuntu: <https://packages.ubuntu.com/hirsute/amd64/go-md2man/filelist>
- Fedora: <https://fedora.pkgs.org/31/fedora-x86_64/golang-github-cpuguy83-md2man-2.0.0-0.4.20190624gitf79a8a8.fc31.x86_64.rpm.html>
- ArchLinux: <https://www.archlinux.org/packages/community/x86_64/go-md2man/>

Signed-off-by: Arnaud Rebillout <[email protected]> (cherry picked from commit 6e2607c) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Jim Lin <[email protected]> (cherry picked from commit 26a6a72) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Before this change:
--------------------------------------------

    $ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
    t33qvykv8y0zbz266rxynsbo3
    overall progress: 1 out of 1 tasks
    1/1: running [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service update --replicas=5 foo
    foo
    overall progress: 5 out of 5 tasks
    1/5: running [==================================================>]
    2/5: running [==================================================>]
    3/5: running [==================================================>]
    4/5: running [==================================================>]
    5/5: running [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running [> ]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ echo $?
    1

After this change:
--------------------------------------------

    $ docker service create --replicas=1 --name foo -p 8080:80 nginx:alpine
    t33qvykv8y0zbz266rxynsbo3
    overall progress: 1 out of 1 tasks
    1/1: running [==================================================>]
    verify: Service converged

    $ echo $?
    0

    $ docker service update --replicas=5 foo
    foo
    overall progress: 5 out of 5 tasks
    1/5: running [==================================================>]
    2/5: running [==================================================>]
    3/5: running [==================================================>]
    4/5: running [==================================================>]
    5/5: running [==================================================>]
    verify: Waiting 1 seconds to verify that tasks are stable...

    $ echo $?
    0

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running [> ]
    verify: Service converged

    $ echo $?
    0

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ echo $?
    0

    $ docker service ps foo
    ID             NAME    IMAGE          NODE             DESIRED STATE   CURRENT STATE           ERROR   PORTS
    4dt4ms4c5qfb   foo.1   nginx:alpine   docker-desktop   Running         Running 2 minutes ago

Remaining issues with reconciliation
--------------------------------------------

Note that both before, and after this change, the command sometimes terminates early, and does not wait for the service to reconcile; this is most apparent when rolling back is scaling up (so more tasks are deployed);

    $ docker service rollback foo
    foo
    service rolled back: rollback completed

    $ docker service rollback foo
    foo
    rollback: manually requested rollback
    overall progress: rolling back update: 1 out of 5 tasks
    1/5: pending [=================================> ]
    2/5: running [> ]
    3/5: pending [=================================> ]
    4/5: pending [=================================> ]
    5/5: pending [=================================> ]
    service rolled back: rollback completed

Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit ce26a16) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Prior to this change, progressbars would sometimes be hidden, and the function would return early. In addition, the direction of the progressbars would sometimes be "incrementing" (similar to "docker service update"), and sometimes be "decrementing" (to indicate a "rollback" is being performed). This fix makes sure that we always proceed with the "verifying" step, and now prints a message _after_ the verifying stage was completed;

    $ docker service rollback foo
    foo
    overall progress: rolling back update: 5 out of 5 tasks
    1/5: running [> ]
    2/5: starting [===========> ]
    3/5: starting [===========> ]
    4/5: running [> ]
    5/5: running [> ]
    verify: Service converged
    rollback: rollback completed

    $ docker service rollback foo
    foo
    overall progress: rolling back update: 1 out of 1 tasks
    1/1: running [> ]
    verify: Service converged
    rollback: rollback completed

Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit 104469b) Signed-off-by: Sebastiaan van Stijn <[email protected]>
…dir_warning [20.10 backport] cli/config: prevent warning if HOME is not set
…m_rollback_exitcode [20.10 backport] Fix swarm rollback exitcode, and fix skipping verify step
…te_rollback_order [20.10 backport] fix --update-order and --rollback-order flags
…1.16.11 [20.10 backport] Update Go to 1.16.11
go1.16.12 (released 2021-12-09) includes security fixes to the syscall and net/http packages. See the Go 1.16.12 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.12+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10] Update Go to 1.16.12
Locking was removed in docker#3025 which allows for parallel calls to config.Load to modify global state. The consequence in this case is innocuous, but it does trigger a `DATA RACE` exception when tests run with `-race` option. Signed-off-by: coryb <[email protected]> (cherry picked from commit b5f4a6e) Signed-off-by: Sebastiaan van Stijn <[email protected]>
…ang/glog glog has the same issue as k8s.io/klog, and is calling `user.Current()` inside an `init()`; see kubernetes/klog@466fbb6 Calling `user.Current()` on Windows can result in remote connections being made to get the user's information, which can be a heavy call. See docker#2420 glog was only used in a single location in compose-on-kubernetes, so we may as well remove it. Signed-off-by: Sebastiaan van Stijn <[email protected]>
…_kubernetes [20.10] vendor: compose-on-kubernetes v0.5.0 to remove github.com/golang/glog
go1.16.13 (released 2022-01-06) includes fixes to the compiler, linker, runtime, and the net/http package. See the Go 1.16.13 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.13+label%3ACherryPickApproved Signed-off-by: Sebastiaan van Stijn <[email protected]>
Includes security fixes for crypto/elliptic (CVE-2022-23806), math/big (CVE-2022-23772), and cmd/go (CVE-2022-23773). go1.16.14 (released 2022-02-10) includes security fixes to the crypto/elliptic, math/big packages and to the go command, as well as bug fixes to the compiler, linker, runtime, the go command, and the debug/macho, debug/pe, net/http/httptest, and testing packages. See the Go 1.16.14 milestone on our issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.14+label%3ACherryPickApproved full diff: golang/go@go1.16.13...go1.16.14 Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10] Update Go to 1.16.14
…_race [20.10 backport] fix innocuous data-race when config.Load called in parallel
Signed-off-by: Zeel B Patel <[email protected]> (cherry picked from commit 2d6ebd1) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]> (cherry picked from commit ae3a614) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Ubuntu version references were a mixture of 14.04 (in descriptions) and 20.04 (in example code). Updated description references to 20.04 to match example code. Signed-off-by: Mike Dalton <[email protected]> (cherry picked from commit 6ad2ceb) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Pieter E Smit <[email protected]> (cherry picked from commit a1204a5) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: jlecordier <[email protected]> (cherry picked from commit a185143) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sandro Jäckel <[email protected]> (cherry picked from commit 2725f09) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Gsealy <[email protected]> (cherry picked from commit b0ec87a) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Brad Baker <[email protected]> (cherry picked from commit 172b2dc) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Simple typo Signed-off-by: Leonid Skorospelov <[email protected]> (cherry picked from commit 0ca2d25) Signed-off-by: Sebastiaan van Stijn <[email protected]>
This change will update the docs at https://docs.docker.com/engine/reference/builder/#buildkit This change is required by moby/buildkit#1884 Signed-off-by: Takuya Noguchi <[email protected]> (cherry picked from commit 0c723fd) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Govind Rai <[email protected]> (cherry picked from commit e12aade) Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Jon Zeolla <[email protected]> (cherry picked from commit cb1bb72) Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10 backport] assorted documentation fixes
Addresses [CVE-2022-24921](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24921) go1.16.15 (released 2022-03-03) includes a security fix to the regexp/syntax package, as well as bug fixes to the compiler, runtime, the go command, and to the net package. See the Go 1.16.15 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.16.15+label%3ACherryPickApproved full diff: golang/go@go1.16.14...go1.16.15 Signed-off-by: Sebastiaan van Stijn <[email protected]>
[20.10] update to go 1.16.15 to address CVE-2022-24921
bitshifter1 approved these changes Apr 11, 2022
checked out tag v20.10.14
cherry-picked commits for CI and release workflow