Update to moby v20.10.11 #281
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Before: > Generally Necessary: > - cgroup hierarchy: nonexistent?? > (see https://github.com/tianon/cgroupfs-mount) After: > Generally Necessary: > - cgroup hierarchy: cgroupv2 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 76b5906) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CONFIG_NF_NAT_IPV4 was removed in kernel commit 3bf195ae6037e310, which made its way into v5.1-rc1. The functionality is now under NF_NAT which we already check for. Make the check for NF_NAT_IPV4 conditional. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit eeb53c1) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CONFIG_NF_NAT_NEEDED was removed in kernel commit 4806e975729f99c7, which made its way into v5.2-rc1. The functionality is now under NF_NAT which we already check for. Make the check for NF_NAT_NEEDED conditional. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 03da411) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Kernel commit 2d1c498072de69e (which made its way into kernel v5.8-rc1) removed CONFIG_MEMCG_SWAP_ENABLED Kconfig option, making swap accounting always enabled (unless swapaccount=0 boot option is provided). Make the check conditional. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 070f9d9) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These config options are removed by kernel commit f382fb0bcef4, which made its way into kernel v5.0-rc1. Make the check conditional. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 18e0543) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This parameter was removed by kernel commit 4c145dce260137, which made its way to kernel v5.3-rc1. Since that commit, the functionality is built-in (i.e. it is available as long as CONFIG_XFRM is on). Make the check conditional. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 06d9020) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This PR was originally proposed by @phillc here: docker-archive/engine#456 Signed-off-by: FreddieOliveira <fredf_oliveira@ufu.br> (cherry picked from commit 2db5676) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Jim Lin <b04705003@ntu.edu.tw> (cherry picked from commit c9ec21e) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Loggers that implement BufSize() (e.g. awslogs) uses the method to tell Copier about the maximum log line length. However loggerWithCache and RingBuffer hide the method by wrapping loggers. As a result, Copier uses its default 16KB limit which breaks log lines > 16kB even the destinations can handle that. This change implements BufSize() on loggerWithCache and RingBuffer to make sure these logger wrappes don't hide the method on the underlying loggers. Fixes #41794. Signed-off-by: Kazuyoshi Kato <katokazu@amazon.com> (cherry picked from commit bb11365) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This fixes a panic when an admin specifies a custom default runtime, when a plugin is started the shim config is nil. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit 2903863) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
When pulling an image by platform, it is possible for the image's configured platform to not match what was in the manifest list. The image itself is buggy because either the manifest list is incorrect or the image config is incorrect. In any case, this is preventing people from upgrading because many times users do not have control over these buggy images. This was not a problem in 19.03 because we did not compare on platform before. It just assumed if we had the image it was the one we wanted regardless of platform, which has its own problems. Example Dockerfile that has this problem: ```Dockerfile FROM --platform=linux/arm64 k8s.gcr.io/build-image/debian-iptables:buster-v1.3.0 RUN echo hello ``` This fails the first time you try to build after it finishes pulling but before performing the `RUN` command. On the second attempt it works because the image is already there and does not hit the code that errors out on platform mismatch (Actually it ignores errors if an image is returned at all). Must be run with the classic builder (DOCKER_BUILDKIT=0). Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit 3996953) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit 7c7e168) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
These syscalls (some of which have been in Linux for a while but were missing from the profile) fall into a few buckets: * close_range(2), epoll_pwait2(2) are just extensions of existing "safe for everyone" syscalls. * The mountv2 API syscalls (fs*(2), move_mount(2), open_tree(2)) are all equivalent to aspects of mount(2) and thus go into the CAP_SYS_ADMIN category. * process_madvise(2) is similar to the other process_*(2) syscalls and thus goes in the CAP_SYS_PTRACE category. Signed-off-by: Aleksa Sarai <asarai@suse.de> (cherry picked from commit 54eff43) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
…ogger [20.10 backport] Handle long log messages correctly on SizedLogger
In some cases, in fact many in the wild, an image may have the incorrect platform on the image config. This can lead to failures to run an image, particularly when a user specifies a `--platform`. Typically what we see in the wild is a manifest list with an an entry for, as an example, linux/arm64 pointing to an image config that has linux/amd64 on it. This change falls back to looking up the manifest list for an image to see if the manifest list shows the image as the correct one for that platform. In order to accomplish this we need to traverse the leases associated with an image. Each image, if pulled with Docker 20.10, will have the manifest list stored in the containerd content store with the resource assigned to a lease keyed on the image ID. So we look up the lease for the image, then look up the assocated resources to find the manifest list, then check the manifest list for a platform match, then ensure that manifest referes to our image config. This is only used as a fallback when a user specified they want a particular platform and the image config that we have does not match that platform. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit 4be5453) Signed-off-by: Brian Goff <cpuguy83@gmail.com>
Wrap platforms.Only and fallback to our ignore mismatches due to empty CPU variants. This just cleans things up and makes the logic re-usable in other places. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit 50f39e7) Signed-off-by: Brian Goff <cpuguy83@gmail.com>
…ntegration_test_fix_subnet_missmatch [20.10 backport] Update TestDaemonRestartWithLiveRestore: fix docker0 subnet missmatch
[20.10 backport] Update rootlesskit to v0.13.1 to fix handling of IPv6 addresses
[20.10 backport] update runc binary to v1.0.0-rc93
…rns_uid_username_match [20.10 backport] Fix userns-remap option when username & UID match
…casing [20.10 backport] api/docs: fix NanoCPUs casing in swagger
…le_panic [20.10 backport] Fix daemon panic when starting container with invalid device cgroup rule
[20.10 backport] assorted small fixes, docs changes, and contrib
[20.10 backport] replace json.Unmarshal with NewFromJSON in Create
…nconsisent_platform [20.10 backport] Fix builder inconsistent error on buggy platform
[20.10 backport] builder: ensure libnetwork state file do not leak
…9_plugins_custom_runtime-panic [20.10 backport] Add shim config for custom runtimes for plugins
[20.10 backport] profiles: seccomp: update to Linux 5.11 syscall list
…d_plat [20.10] Fallback to manifest list when no platform match
[20.10] vendor: update github.com/docker/distribution and github.com/containerd/containerd
imageutil: make mediatype detection more stricter to mitigate CVE-2021-41190. full diff: moby/buildkit@244e8cd...bc07b2b Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The twelfth patch release for containerd 1.4 contains a few minor bug fixes and an update to mitigate CVE-2021-41190. Notable Updates * Handle ambiguous OCI manifest parsing GHSA-5j5w-g665-5m35 * Update pull to try next mirror for non-404 errors * Update pull to handle of non-https urls in descriptors See the changelog for complete list of changes Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Looks like vndr didn't like the replace rule missing a scheme;
github.com/docker/distribution: Err: exit status 128, out: fatal: repository 'github.com/samuelkarp/docker-distribution' does not exist
github.com/containerd/containerd: Err: exit status 128, out: fatal: repository 'github.com/moby/containerd' does not exist
While at it, I also replaced the schem for go-immutable-radix, because GitHub
is deprecating the git:// protocol.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
[20.10] fix vendor validation
- Bring mediaType out of reserved status - specs-go: adding mediaType to the index and manifest structures full diff: opencontainers/image-spec@v1.0.1...v1.0.2 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit cef0a7c) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
[20.10] update containerd binary to v1.4.12
[20.10] vendor: github.com/moby/buildkit v0.8.3-4-gbc07b2b8
…spec [20.10 backport] vendor: github.com/opencontainers/image-spec v1.0.2
[20.10 backport] info: unset cgroup-related fields when CgroupDriver == none
…lena * commit '847da184ad5048b27f5bdf9d53d070f731b43180': (1704 commits) vendor: github.com/opencontainers/image-spec v1.0.2 [20.10] fix vendor validation [20.10] update containerd binary to v1.4.12 [20.10] vendor: github.com/moby/buildkit v0.8.3-4-gbc07b2b8 distribution: validate blob type vendor: update github.com/containerd/containerd TestBuildUserNamespaceValidateCapabilitiesAreV2: cleanup daemon storage testutil: daemon.Cleanup(): cleanup more directories info: unset cgroup-related fields when CgroupDriver == none [20.10] Update Go to 1.16.10 vendor: update github.com/docker/distribution cmd/dockerd: create panic.log file without readonly flag Fix race in TestCreateServiceSecretFileMode, TestCreateServiceConfigFileMode Fix racey TestHealthKillContainer dockerd-rootless.sh: Fix variable not double quotes cause unexpected behavior Remove needless check Fix log statement 'failed to exit' timeout accuracy docker daemon container stop refactor docker kill: fix bug where failed kills didnt fallback to unix kill buildkit: normalize build target and local platform ...
Signed-off-by: Robert Günzler <robertg@balena.io>
Signed-off-by: Robert Günzler <robertg@balena.io>
Signed-off-by: Robert Günzler <robertg@balena.io>
robertgzr
force-pushed
the
20.10-balena
branch
from
afd2970
to
46f5e65
Compare
|
An error occurred whilst building your landr site preview: |
Signed-off-by: Robert Günzler <robertg@balena.io>
robertgzr
force-pushed
the
20.10-balena
branch
from
0f9ac3e
to
c480f78
Compare
|
@balena-ci retest |
|
alright! ci passing, thanks to:
the last two will most likely make it incompatible with the pre-20.10 version, because of the new target @lmbarros I don't expect you to review the huge changeset but maybe checkout the branch and run the integration tests yourself, as we don't get those done by CI :) |
|
I'm relatively confident about this PR though, I opened balena-os/meta-balena#2498 already, which builds on all device types and passes the unmanaged and HUP suites on genericx86-64 |
lmbarros
approved these changes
Feb 21, 2022
ghost
merged commit
|
@lmbarros cheers o/
always trying to reduce the amount of "secret" knowledge that only lives in my head haha |
This pull request was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.