diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml
index dc74b54aa4..e71882917e 100644
--- a/.github/workflows/integration-tests.yaml
+++ b/.github/workflows/integration-tests.yaml
@@ -34,7 +34,7 @@ jobs:
remove-haskell: 'true'
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
- go-version: '1.20'
+ go-version: '1.22'
- uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
- uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v1
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index 10ec7e6950..be87b68356 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -15,7 +15,6 @@ jobs:
steps:
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4.01
with:
- go-version: '1.20'
+ go-version: '1.22'
- uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3
-
- run: make test
diff --git a/go.mod b/go.mod
index 2677cb9bb7..0bf1c1ef3a 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
module github.com/GoogleContainerTools/kaniko
-go 1.21
+go 1.22
require (
cloud.google.com/go/storage v1.39.1
@@ -12,7 +12,7 @@ require (
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6
github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
github.com/containerd/cgroups v1.1.0 // indirect
- github.com/docker/docker v25.0.4+incompatible
+ github.com/docker/docker v26.0.0+incompatible
github.com/go-git/go-billy/v5 v5.5.0
github.com/go-git/go-git/v5 v5.11.0
github.com/golang/mock v1.6.0
@@ -174,6 +174,7 @@ require (
github.com/hashicorp/hcl v1.0.0 // indirect
github.com/magiconair/properties v1.8.7 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
+ github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83 // indirect
github.com/moby/sys/user v0.1.0 // indirect
github.com/pelletier/go-toml/v2 v2.1.1 // indirect
diff --git a/go.sum b/go.sum
index 4462693310..1b2c4ae889 100644
--- a/go.sum
+++ b/go.sum
@@ -180,8 +180,8 @@ github.com/docker/cli v25.0.3+incompatible h1:KLeNs7zws74oFuVhgZQ5ONGZiXUUdgsdy6
github.com/docker/cli v25.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v25.0.4+incompatible h1:XITZTrq+52tZyZxUOtFIahUf3aH367FLxJzt9vZeAF8=
-github.com/docker/docker v25.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -352,6 +352,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
github.com/moby/buildkit v0.13.0 h1:reVR1Y+rbNIUQ9jf0Q1YZVH5a/nhOixZsl+HJ9qQEGI=
github.com/moby/buildkit v0.13.0/go.mod h1:aNmNQKLBFYAOFuzQjR3VA27/FijlvtBD1pjNwTSN37k=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
diff --git a/scripts/test.sh b/scripts/test.sh
index c097453c34..d2eaa58f9a 100755
--- a/scripts/test.sh
+++ b/scripts/test.sh
@@ -23,7 +23,7 @@ GREEN='\033[0;32m'
RESET='\033[0m'
echo "Running go tests..."
-go test -cover -coverprofile=out/coverage.out -v -timeout 60s `go list ./... | grep -v vendor | grep -v integration` | sed ''/PASS/s//$(printf "${GREEN}PASS${RESET}")/'' | sed ''/FAIL/s//$(printf "${RED}FAIL${RESET}")/''
+go test -cover -coverprofile=out/coverage.out -v -timeout 120s `go list ./... | grep -v vendor | grep -v integration` | sed ''/PASS/s//$(printf "${GREEN}PASS${RESET}")/'' | sed ''/FAIL/s//$(printf "${RED}FAIL${RESET}")/''
GO_TEST_EXIT_CODE=${PIPESTATUS[0]}
if [[ $GO_TEST_EXIT_CODE -ne 0 ]]; then
exit $GO_TEST_EXIT_CODE
@@ -33,7 +33,6 @@ echo "Running validation scripts..."
scripts=(
"$DIR/../hack/boilerplate.sh"
"$DIR/../hack/gofmt.sh"
- "$DIR/../hack/linter.sh"
)
fail=0
for s in "${scripts[@]}"
diff --git a/vendor/github.com/docker/docker/api/common.go b/vendor/github.com/docker/docker/api/common.go
index 37e553d418..b11c2fe02b 100644
--- a/vendor/github.com/docker/docker/api/common.go
+++ b/vendor/github.com/docker/docker/api/common.go
@@ -2,8 +2,17 @@ package api // import "github.com/docker/docker/api"
// Common constants for daemon and client.
const (
- // DefaultVersion of Current REST API
- DefaultVersion = "1.44"
+ // DefaultVersion of the current REST API.
+ DefaultVersion = "1.45"
+
+ // MinSupportedAPIVersion is the minimum API version that can be supported
+ // by the API server, specified as "major.minor". Note that the daemon
+ // may be configured with a different minimum API version, as returned
+ // in [github.com/docker/docker/api/types.Version.MinAPIVersion].
+ //
+ // API requests for API versions lower than the configured version produce
+ // an error.
+ MinSupportedAPIVersion = "1.24"
// NoBaseImageSpecifier is the symbol used by the FROM
// command to specify that no base image is to be used.
diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml
index 201b549064..5677340dbd 100644
--- a/vendor/github.com/docker/docker/api/swagger.yaml
+++ b/vendor/github.com/docker/docker/api/swagger.yaml
@@ -19,10 +19,10 @@ produces:
consumes:
- "application/json"
- "text/plain"
-basePath: "/v1.44"
+basePath: "/v1.45"
info:
title: "Docker Engine API"
- version: "1.44"
+ version: "1.45"
x-logo:
url: "https://docs.docker.com/assets/images/logo-docker-main.png"
description: |
@@ -55,8 +55,8 @@ info:
the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
is returned.
- If you omit the version-prefix, the current version of the API (v1.44) is used.
- For example, calling `/info` is the same as calling `/v1.44/info`. Using the
+ If you omit the version-prefix, the current version of the API (v1.45) is used.
+ For example, calling `/info` is the same as calling `/v1.45/info`. Using the
API without a version-prefix is deprecated and will be removed in a future release.
Engine releases in the near future should support this version of the API,
@@ -427,6 +427,10 @@ definitions:
type: "object"
additionalProperties:
type: "string"
+ Subpath:
+ description: "Source path inside the volume. Must be relative without any back traversals."
+ type: "string"
+ example: "dir-inside-volume/subdirectory"
TmpfsOptions:
description: "Optional configuration for the `tmpfs` type."
type: "object"
@@ -8770,8 +8774,7 @@ paths:
- > **Deprecated**: This field is deprecated and will always
- > be "false" in future.
+ > **Deprecated**: This field is deprecated and will always be "false".
type: "boolean"
example: false
name:
@@ -8814,13 +8817,8 @@ paths:
description: |
A JSON encoded value of the filters (a `map[string][]string`) to process on the images list. Available filters:
- - `is-automated=(true|false)` (deprecated, see below)
- `is-official=(true|false)`
- `stars=` Matches images that has at least 'number' stars.
-
- The `is-automated` filter is deprecated. The `is_automated` field has
- been deprecated by Docker Hub's search API. Consequently, searching
- for `is-automated=true` will yield no results.
type: "string"
tags: ["Image"]
/images/prune:
diff --git a/vendor/github.com/docker/docker/api/types/backend/backend.go b/vendor/github.com/docker/docker/api/types/backend/backend.go
index ee913d247e..e4e760905d 100644
--- a/vendor/github.com/docker/docker/api/types/backend/backend.go
+++ b/vendor/github.com/docker/docker/api/types/backend/backend.go
@@ -18,7 +18,6 @@ type ContainerCreateConfig struct {
HostConfig *container.HostConfig
NetworkingConfig *network.NetworkingConfig
Platform *ocispec.Platform
- AdjustCPUShares bool
DefaultReadOnlyNonRecursive bool
}
@@ -91,7 +90,6 @@ type ContainerStatsConfig struct {
Stream bool
OneShot bool
OutStream io.Writer
- Version string
}
// ExecInspect holds information about a running process started
@@ -131,6 +129,13 @@ type CreateImageConfig struct {
Changes []string
}
+// GetImageOpts holds parameters to retrieve image information
+// from the backend.
+type GetImageOpts struct {
+ Platform *ocispec.Platform
+ Details bool
+}
+
// CommitConfig is the configuration for creating an image as part of a build.
type CommitConfig struct {
Author string
diff --git a/vendor/github.com/docker/docker/api/types/client.go b/vendor/github.com/docker/docker/api/types/client.go
index 24b00a2759..882201f0ea 100644
--- a/vendor/github.com/docker/docker/api/types/client.go
+++ b/vendor/github.com/docker/docker/api/types/client.go
@@ -157,42 +157,12 @@ type ImageBuildResponse struct {
OSType string
}
-// ImageCreateOptions holds information to create images.
-type ImageCreateOptions struct {
- RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry.
- Platform string // Platform is the target platform of the image if it needs to be pulled from the registry.
-}
-
// ImageImportSource holds source information for ImageImport
type ImageImportSource struct {
Source io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this.
SourceName string // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute.
}
-// ImageImportOptions holds information to import images from the client host.
-type ImageImportOptions struct {
- Tag string // Tag is the name to tag this image with. This attribute is deprecated.
- Message string // Message is the message to tag the image with
- Changes []string // Changes are the raw changes to apply to this image
- Platform string // Platform is the target platform of the image
-}
-
-// ImageListOptions holds parameters to list images with.
-type ImageListOptions struct {
- // All controls whether all images in the graph are filtered, or just
- // the heads.
- All bool
-
- // Filters is a JSON-encoded set of filter arguments.
- Filters filters.Args
-
- // SharedSize indicates whether the shared size of images should be computed.
- SharedSize bool
-
- // ContainerCount indicates whether container count should be computed.
- ContainerCount bool
-}
-
// ImageLoadResponse returns information to the client about a load process.
type ImageLoadResponse struct {
// Body must be closed to avoid a resource leak
@@ -200,14 +170,6 @@ type ImageLoadResponse struct {
JSON bool
}
-// ImagePullOptions holds information to pull images.
-type ImagePullOptions struct {
- All bool
- RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry
- PrivilegeFunc RequestPrivilegeFunc
- Platform string
-}
-
// RequestPrivilegeFunc is a function interface that
// clients can supply to retry operations after
// getting an authorization error.
@@ -216,15 +178,6 @@ type ImagePullOptions struct {
// if the privilege request fails.
type RequestPrivilegeFunc func() (string, error)
-// ImagePushOptions holds information to push images.
-type ImagePushOptions ImagePullOptions
-
-// ImageRemoveOptions holds parameters to remove images.
-type ImageRemoveOptions struct {
- Force bool
- PruneChildren bool
-}
-
// ImageSearchOptions holds parameters to search images with.
type ImageSearchOptions struct {
RegistryAuth string
diff --git a/vendor/github.com/docker/docker/api/types/container/config.go b/vendor/github.com/docker/docker/api/types/container/config.go
index be41d6315e..86f46b74af 100644
--- a/vendor/github.com/docker/docker/api/types/container/config.go
+++ b/vendor/github.com/docker/docker/api/types/container/config.go
@@ -5,8 +5,8 @@ import (
"time"
"github.com/docker/docker/api/types/strslice"
- dockerspec "github.com/docker/docker/image/spec/specs-go/v1"
"github.com/docker/go-connections/nat"
+ dockerspec "github.com/moby/docker-image-spec/specs-go/v1"
)
// MinimumDuration puts a minimum on user configured duration.
diff --git a/vendor/github.com/docker/docker/api/types/image/opts.go b/vendor/github.com/docker/docker/api/types/image/opts.go
index 3cefecb0da..c6b1f351b4 100644
--- a/vendor/github.com/docker/docker/api/types/image/opts.go
+++ b/vendor/github.com/docker/docker/api/types/image/opts.go
@@ -1,9 +1,57 @@
package image
-import ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+import "github.com/docker/docker/api/types/filters"
-// GetImageOpts holds parameters to inspect an image.
-type GetImageOpts struct {
- Platform *ocispec.Platform
- Details bool
+// ImportOptions holds information to import images from the client host.
+type ImportOptions struct {
+ Tag string // Tag is the name to tag this image with. This attribute is deprecated.
+ Message string // Message is the message to tag the image with
+ Changes []string // Changes are the raw changes to apply to this image
+ Platform string // Platform is the target platform of the image
+}
+
+// CreateOptions holds information to create images.
+type CreateOptions struct {
+ RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry.
+ Platform string // Platform is the target platform of the image if it needs to be pulled from the registry.
+}
+
+// PullOptions holds information to pull images.
+type PullOptions struct {
+ All bool
+ RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry
+
+ // PrivilegeFunc is a function that clients can supply to retry operations
+ // after getting an authorization error. This function returns the registry
+ // authentication header value in base64 encoded format, or an error if the
+ // privilege request fails.
+ //
+ // Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc].
+ PrivilegeFunc func() (string, error)
+ Platform string
+}
+
+// PushOptions holds information to push images.
+type PushOptions PullOptions
+
+// ListOptions holds parameters to list images with.
+type ListOptions struct {
+ // All controls whether all images in the graph are filtered, or just
+ // the heads.
+ All bool
+
+ // Filters is a JSON-encoded set of filter arguments.
+ Filters filters.Args
+
+ // SharedSize indicates whether the shared size of images should be computed.
+ SharedSize bool
+
+ // ContainerCount indicates whether container count should be computed.
+ ContainerCount bool
+}
+
+// RemoveOptions holds parameters to remove images.
+type RemoveOptions struct {
+ Force bool
+ PruneChildren bool
}
diff --git a/vendor/github.com/docker/docker/api/types/mount/mount.go b/vendor/github.com/docker/docker/api/types/mount/mount.go
index 57edf2ef18..6fe04da257 100644
--- a/vendor/github.com/docker/docker/api/types/mount/mount.go
+++ b/vendor/github.com/docker/docker/api/types/mount/mount.go
@@ -96,6 +96,7 @@ type BindOptions struct {
type VolumeOptions struct {
NoCopy bool `json:",omitempty"`
Labels map[string]string `json:",omitempty"`
+ Subpath string `json:",omitempty"`
DriverConfig *Driver `json:",omitempty"`
}
diff --git a/vendor/github.com/docker/docker/api/types/registry/registry.go b/vendor/github.com/docker/docker/api/types/registry/registry.go
index 05cb31075f..6bbae93ef2 100644
--- a/vendor/github.com/docker/docker/api/types/registry/registry.go
+++ b/vendor/github.com/docker/docker/api/types/registry/registry.go
@@ -94,7 +94,7 @@ type SearchResult struct {
Name string `json:"name"`
// IsAutomated indicates whether the result is automated.
//
- // Deprecated: the "is_automated" field is deprecated and will always be "false" in the future.
+ // Deprecated: the "is_automated" field is deprecated and will always be "false".
IsAutomated bool `json:"is_automated"`
// Description is a textual description of the repository
Description string `json:"description"`
diff --git a/vendor/github.com/docker/docker/api/types/types.go b/vendor/github.com/docker/docker/api/types/types.go
index 56a8b77d45..ca07162a20 100644
--- a/vendor/github.com/docker/docker/api/types/types.go
+++ b/vendor/github.com/docker/docker/api/types/types.go
@@ -82,7 +82,7 @@ type ImageInspect struct {
// Depending on how the image was created, this field may be empty.
//
// Deprecated: this field is omitted in API v1.45, but kept for backward compatibility.
- Container string
+ Container string `json:",omitempty"`
// ContainerConfig is an optional field containing the configuration of the
// container that was last committed when creating the image.
@@ -91,7 +91,7 @@ type ImageInspect struct {
// and it is not in active use anymore.
//
// Deprecated: this field is omitted in API v1.45, but kept for backward compatibility.
- ContainerConfig *container.Config
+ ContainerConfig *container.Config `json:",omitempty"`
// DockerVersion is the version of Docker that was used to build the image.
//
diff --git a/vendor/github.com/docker/docker/api/types/types_deprecated.go b/vendor/github.com/docker/docker/api/types/types_deprecated.go
index e332a7bb6d..231a5cca46 100644
--- a/vendor/github.com/docker/docker/api/types/types_deprecated.go
+++ b/vendor/github.com/docker/docker/api/types/types_deprecated.go
@@ -1,138 +1,35 @@
package types
import (
- "github.com/docker/docker/api/types/checkpoint"
- "github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/image"
- "github.com/docker/docker/api/types/swarm"
- "github.com/docker/docker/api/types/system"
)
-// CheckpointCreateOptions holds parameters to create a checkpoint from a container.
+// ImageImportOptions holds information to import images from the client host.
//
-// Deprecated: use [checkpoint.CreateOptions].
-type CheckpointCreateOptions = checkpoint.CreateOptions
+// Deprecated: use [image.ImportOptions].
+type ImageImportOptions = image.ImportOptions
-// CheckpointListOptions holds parameters to list checkpoints for a container
+// ImageCreateOptions holds information to create images.
//
-// Deprecated: use [checkpoint.ListOptions].
-type CheckpointListOptions = checkpoint.ListOptions
+// Deprecated: use [image.CreateOptions].
+type ImageCreateOptions = image.CreateOptions
-// CheckpointDeleteOptions holds parameters to delete a checkpoint from a container
+// ImagePullOptions holds information to pull images.
//
-// Deprecated: use [checkpoint.DeleteOptions].
-type CheckpointDeleteOptions = checkpoint.DeleteOptions
+// Deprecated: use [image.PullOptions].
+type ImagePullOptions = image.PullOptions
-// Checkpoint represents the details of a checkpoint when listing endpoints.
+// ImagePushOptions holds information to push images.
//
-// Deprecated: use [checkpoint.Summary].
-type Checkpoint = checkpoint.Summary
+// Deprecated: use [image.PushOptions].
+type ImagePushOptions = image.PushOptions
-// Info contains response of Engine API:
-// GET "/info"
+// ImageListOptions holds parameters to list images with.
//
-// Deprecated: use [system.Info].
-type Info = system.Info
+// Deprecated: use [image.ListOptions].
+type ImageListOptions = image.ListOptions
-// Commit holds the Git-commit (SHA1) that a binary was built from, as reported
-// in the version-string of external tools, such as containerd, or runC.
+// ImageRemoveOptions holds parameters to remove images.
//
-// Deprecated: use [system.Commit].
-type Commit = system.Commit
-
-// PluginsInfo is a temp struct holding Plugins name
-// registered with docker daemon. It is used by [system.Info] struct
-//
-// Deprecated: use [system.PluginsInfo].
-type PluginsInfo = system.PluginsInfo
-
-// NetworkAddressPool is a temp struct used by [system.Info] struct.
-//
-// Deprecated: use [system.NetworkAddressPool].
-type NetworkAddressPool = system.NetworkAddressPool
-
-// Runtime describes an OCI runtime.
-//
-// Deprecated: use [system.Runtime].
-type Runtime = system.Runtime
-
-// SecurityOpt contains the name and options of a security option.
-//
-// Deprecated: use [system.SecurityOpt].
-type SecurityOpt = system.SecurityOpt
-
-// KeyValue holds a key/value pair.
-//
-// Deprecated: use [system.KeyValue].
-type KeyValue = system.KeyValue
-
-// ImageDeleteResponseItem image delete response item.
-//
-// Deprecated: use [image.DeleteResponse].
-type ImageDeleteResponseItem = image.DeleteResponse
-
-// ImageSummary image summary.
-//
-// Deprecated: use [image.Summary].
-type ImageSummary = image.Summary
-
-// ImageMetadata contains engine-local data about the image.
-//
-// Deprecated: use [image.Metadata].
-type ImageMetadata = image.Metadata
-
-// ServiceCreateResponse contains the information returned to a client
-// on the creation of a new service.
-//
-// Deprecated: use [swarm.ServiceCreateResponse].
-type ServiceCreateResponse = swarm.ServiceCreateResponse
-
-// ServiceUpdateResponse service update response.
-//
-// Deprecated: use [swarm.ServiceUpdateResponse].
-type ServiceUpdateResponse = swarm.ServiceUpdateResponse
-
-// ContainerStartOptions holds parameters to start containers.
-//
-// Deprecated: use [container.StartOptions].
-type ContainerStartOptions = container.StartOptions
-
-// ResizeOptions holds parameters to resize a TTY.
-// It can be used to resize container TTYs and
-// exec process TTYs too.
-//
-// Deprecated: use [container.ResizeOptions].
-type ResizeOptions = container.ResizeOptions
-
-// ContainerAttachOptions holds parameters to attach to a container.
-//
-// Deprecated: use [container.AttachOptions].
-type ContainerAttachOptions = container.AttachOptions
-
-// ContainerCommitOptions holds parameters to commit changes into a container.
-//
-// Deprecated: use [container.CommitOptions].
-type ContainerCommitOptions = container.CommitOptions
-
-// ContainerListOptions holds parameters to list containers with.
-//
-// Deprecated: use [container.ListOptions].
-type ContainerListOptions = container.ListOptions
-
-// ContainerLogsOptions holds parameters to filter logs with.
-//
-// Deprecated: use [container.LogsOptions].
-type ContainerLogsOptions = container.LogsOptions
-
-// ContainerRemoveOptions holds parameters to remove containers.
-//
-// Deprecated: use [container.RemoveOptions].
-type ContainerRemoveOptions = container.RemoveOptions
-
-// DecodeSecurityOptions decodes a security options string slice to a type safe
-// [system.SecurityOpt].
-//
-// Deprecated: use [system.DecodeSecurityOptions].
-func DecodeSecurityOptions(opts []string) ([]system.SecurityOpt, error) {
- return system.DecodeSecurityOptions(opts)
-}
+// Deprecated: use [image.RemoveOptions].
+type ImageRemoveOptions = image.RemoveOptions
diff --git a/vendor/github.com/docker/docker/api/types/versions/README.md b/vendor/github.com/docker/docker/api/types/versions/README.md
deleted file mode 100644
index 1ef911edb0..0000000000
--- a/vendor/github.com/docker/docker/api/types/versions/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# Legacy API type versions
-
-This package includes types for legacy API versions. The stable version of the API types live in `api/types/*.go`.
-
-Consider moving a type here when you need to keep backwards compatibility in the API. This legacy types are organized by the latest API version they appear in. For instance, types in the `v1p19` package are valid for API versions below or equal `1.19`. Types in the `v1p20` package are valid for the API version `1.20`, since the versions below that will use the legacy types in `v1p19`.
-
-## Package name conventions
-
-The package name convention is to use `v` as a prefix for the version number and `p`(patch) as a separator. We use this nomenclature due to a few restrictions in the Go package name convention:
-
-1. We cannot use `.` because it's interpreted by the language, think of `v1.20.CallFunction`.
-2. We cannot use `_` because golint complains about it. The code is actually valid, but it looks probably more weird: `v1_20.CallFunction`.
-
-For instance, if you want to modify a type that was available in the version `1.21` of the API but it will have different fields in the version `1.22`, you want to create a new package under `api/types/versions/v1p21`.
diff --git a/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go b/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
index 55fc5d3899..bbd9ff0b8f 100644
--- a/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
+++ b/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
@@ -238,13 +238,13 @@ type TopologyRequirement struct {
// If requisite is specified, all topologies in preferred list MUST
// also be present in the list of requisite topologies.
//
- // If the SP is unable to to make the provisioned volume available
+ // If the SP is unable to make the provisioned volume available
// from any of the preferred topologies, the SP MAY choose a topology
// from the list of requisite topologies.
// If the list of requisite topologies is not specified, then the SP
// MAY choose from the list of all possible topologies.
// If the list of requisite topologies is specified and the SP is
- // unable to to make the provisioned volume available from any of the
+ // unable to make the provisioned volume available from any of the
// requisite topologies it MUST fail the CreateVolume call.
//
// Example 1:
@@ -254,7 +254,7 @@ type TopologyRequirement struct {
// {"region": "R1", "zone": "Z3"}
// preferred =
// {"region": "R1", "zone": "Z3"}
- // then the the SP SHOULD first attempt to make the provisioned volume
+ // then the SP SHOULD first attempt to make the provisioned volume
// available from "zone" "Z3" in the "region" "R1" and fall back to
// "zone" "Z2" in the "region" "R1" if that is not possible.
//
@@ -268,7 +268,7 @@ type TopologyRequirement struct {
// preferred =
// {"region": "R1", "zone": "Z4"},
// {"region": "R1", "zone": "Z2"}
- // then the the SP SHOULD first attempt to make the provisioned volume
+ // then the SP SHOULD first attempt to make the provisioned volume
// accessible from "zone" "Z4" in the "region" "R1" and fall back to
// "zone" "Z2" in the "region" "R1" if that is not possible. If that
// is not possible, the SP may choose between either the "zone"
@@ -287,7 +287,7 @@ type TopologyRequirement struct {
// preferred =
// {"region": "R1", "zone": "Z5"},
// {"region": "R1", "zone": "Z3"}
- // then the the SP SHOULD first attempt to make the provisioned volume
+ // then the SP SHOULD first attempt to make the provisioned volume
// accessible from the combination of the two "zones" "Z5" and "Z3" in
// the "region" "R1". If that's not possible, it should fall back to
// a combination of "Z5" and other possibilities from the list of
diff --git a/vendor/github.com/docker/docker/builder/builder.go b/vendor/github.com/docker/docker/builder/builder.go
index fc855f133d..dff93cfac7 100644
--- a/vendor/github.com/docker/docker/builder/builder.go
+++ b/vendor/github.com/docker/docker/builder/builder.go
@@ -64,7 +64,7 @@ type ExecBackend interface {
// ContainerRm removes a container specified by `id`.
ContainerRm(name string, config *backend.ContainerRmConfig) error
// ContainerStart starts a new container
- ContainerStart(ctx context.Context, containerID string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+ ContainerStart(ctx context.Context, containerID string, checkpoint string, checkpointDir string) error
// ContainerWait stops processing until the given container is stopped.
ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
}
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go b/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go
index 8986c1277a..c81923cbc6 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go
@@ -72,7 +72,7 @@ func (c *containerManager) Run(ctx context.Context, cID string, stdout, stderr i
}
}()
- if err := c.backend.ContainerStart(ctx, cID, nil, "", ""); err != nil {
+ if err := c.backend.ContainerStart(ctx, cID, "", ""); err != nil {
close(finished)
logCancellationError(cancelErrCh, "error from ContainerStart: "+err.Error())
return err
diff --git a/vendor/github.com/docker/docker/client/distribution_inspect.go b/vendor/github.com/docker/docker/client/distribution_inspect.go
index 68ef31b78b..68e6ec5ed6 100644
--- a/vendor/github.com/docker/docker/client/distribution_inspect.go
+++ b/vendor/github.com/docker/docker/client/distribution_inspect.go
@@ -10,11 +10,11 @@ import (
)
// DistributionInspect returns the image digest with the full manifest.
-func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error) {
+func (cli *Client) DistributionInspect(ctx context.Context, imageRef, encodedRegistryAuth string) (registry.DistributionInspect, error) {
// Contact the registry to retrieve digest and platform information
var distributionInspect registry.DistributionInspect
- if image == "" {
- return distributionInspect, objectNotFoundError{object: "distribution", id: image}
+ if imageRef == "" {
+ return distributionInspect, objectNotFoundError{object: "distribution", id: imageRef}
}
if err := cli.NewVersionError(ctx, "1.30", "distribution inspect"); err != nil {
@@ -28,7 +28,7 @@ func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegist
}
}
- resp, err := cli.get(ctx, "/distribution/"+image+"/json", url.Values{}, headers)
+ resp, err := cli.get(ctx, "/distribution/"+imageRef+"/json", url.Values{}, headers)
defer ensureReaderClosed(resp)
if err != nil {
return distributionInspect, err
diff --git a/vendor/github.com/docker/docker/client/image_create.go b/vendor/github.com/docker/docker/client/image_create.go
index 29cd0b4373..7c7873dca5 100644
--- a/vendor/github.com/docker/docker/client/image_create.go
+++ b/vendor/github.com/docker/docker/client/image_create.go
@@ -8,13 +8,13 @@ import (
"strings"
"github.com/distribution/reference"
- "github.com/docker/docker/api/types"
+ "github.com/docker/docker/api/types/image"
"github.com/docker/docker/api/types/registry"
)
// ImageCreate creates a new image based on the parent options.
// It returns the JSON content in the response body.
-func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) {
ref, err := reference.ParseNormalizedNamed(parentReference)
if err != nil {
return nil, err
diff --git a/vendor/github.com/docker/docker/client/image_import.go b/vendor/github.com/docker/docker/client/image_import.go
index cd376a14e5..5a890b0c59 100644
--- a/vendor/github.com/docker/docker/client/image_import.go
+++ b/vendor/github.com/docker/docker/client/image_import.go
@@ -8,11 +8,12 @@ import (
"github.com/distribution/reference"
"github.com/docker/docker/api/types"
+ "github.com/docker/docker/api/types/image"
)
// ImageImport creates a new image based on the source options.
// It returns the JSON content in the response body.
-func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) {
+func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) {
if ref != "" {
// Check if the given image name can be resolved
if _, err := reference.ParseNormalizedNamed(ref); err != nil {
diff --git a/vendor/github.com/docker/docker/client/image_list.go b/vendor/github.com/docker/docker/client/image_list.go
index fa6aecfc6e..a9cc1e21e5 100644
--- a/vendor/github.com/docker/docker/client/image_list.go
+++ b/vendor/github.com/docker/docker/client/image_list.go
@@ -5,14 +5,13 @@ import (
"encoding/json"
"net/url"
- "github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/filters"
"github.com/docker/docker/api/types/image"
"github.com/docker/docker/api/types/versions"
)
// ImageList returns a list of images in the docker host.
-func (cli *Client) ImageList(ctx context.Context, options types.ImageListOptions) ([]image.Summary, error) {
+func (cli *Client) ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error) {
var images []image.Summary
// Make sure we negotiated (if the client is configured to do so),
diff --git a/vendor/github.com/docker/docker/client/image_pull.go b/vendor/github.com/docker/docker/client/image_pull.go
index d92049d588..6438cf6a96 100644
--- a/vendor/github.com/docker/docker/client/image_pull.go
+++ b/vendor/github.com/docker/docker/client/image_pull.go
@@ -7,7 +7,7 @@ import (
"strings"
"github.com/distribution/reference"
- "github.com/docker/docker/api/types"
+ "github.com/docker/docker/api/types/image"
"github.com/docker/docker/errdefs"
)
@@ -19,7 +19,7 @@ import (
// FIXME(vdemeester): there is currently used in a few way in docker/docker
// - if not in trusted content, ref is used to pass the whole reference, and tag is empty
// - if in trusted content, ref is used to pass the reference name, and tag for the digest
-func (cli *Client) ImagePull(ctx context.Context, refStr string, options types.ImagePullOptions) (io.ReadCloser, error) {
+func (cli *Client) ImagePull(ctx context.Context, refStr string, options image.PullOptions) (io.ReadCloser, error) {
ref, err := reference.ParseNormalizedNamed(refStr)
if err != nil {
return nil, err
diff --git a/vendor/github.com/docker/docker/client/image_push.go b/vendor/github.com/docker/docker/client/image_push.go
index 6839a89e07..e6a6b11eea 100644
--- a/vendor/github.com/docker/docker/client/image_push.go
+++ b/vendor/github.com/docker/docker/client/image_push.go
@@ -8,7 +8,7 @@ import (
"net/url"
"github.com/distribution/reference"
- "github.com/docker/docker/api/types"
+ "github.com/docker/docker/api/types/image"
"github.com/docker/docker/api/types/registry"
"github.com/docker/docker/errdefs"
)
@@ -17,7 +17,7 @@ import (
// It executes the privileged function if the operation is unauthorized
// and it tries one more time.
// It's up to the caller to handle the io.ReadCloser and close it properly.
-func (cli *Client) ImagePush(ctx context.Context, image string, options types.ImagePushOptions) (io.ReadCloser, error) {
+func (cli *Client) ImagePush(ctx context.Context, image string, options image.PushOptions) (io.ReadCloser, error) {
ref, err := reference.ParseNormalizedNamed(image)
if err != nil {
return nil, err
diff --git a/vendor/github.com/docker/docker/client/image_remove.go b/vendor/github.com/docker/docker/client/image_remove.go
index b936d20830..652d1bfa3e 100644
--- a/vendor/github.com/docker/docker/client/image_remove.go
+++ b/vendor/github.com/docker/docker/client/image_remove.go
@@ -5,12 +5,11 @@ import (
"encoding/json"
"net/url"
- "github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/image"
)
// ImageRemove removes an image from the docker host.
-func (cli *Client) ImageRemove(ctx context.Context, imageID string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) {
+func (cli *Client) ImageRemove(ctx context.Context, imageID string, options image.RemoveOptions) ([]image.DeleteResponse, error) {
query := url.Values{}
if options.Force {
diff --git a/vendor/github.com/docker/docker/client/interface.go b/vendor/github.com/docker/docker/client/interface.go
index 302f5fb13e..45d233f253 100644
--- a/vendor/github.com/docker/docker/client/interface.go
+++ b/vendor/github.com/docker/docker/client/interface.go
@@ -90,15 +90,15 @@ type ImageAPIClient interface {
ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error)
BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
BuildCancel(ctx context.Context, id string) error
- ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+ ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
ImageHistory(ctx context.Context, image string) ([]image.HistoryResponseItem, error)
- ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+ ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
ImageInspectWithRaw(ctx context.Context, image string) (types.ImageInspect, []byte, error)
- ImageList(ctx context.Context, options types.ImageListOptions) ([]image.Summary, error)
+ ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error)
ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error)
- ImagePull(ctx context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error)
- ImagePush(ctx context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error)
- ImageRemove(ctx context.Context, image string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error)
+ ImagePull(ctx context.Context, ref string, options image.PullOptions) (io.ReadCloser, error)
+ ImagePush(ctx context.Context, ref string, options image.PushOptions) (io.ReadCloser, error)
+ ImageRemove(ctx context.Context, image string, options image.RemoveOptions) ([]image.DeleteResponse, error)
ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error)
ImageSave(ctx context.Context, images []string) (io.ReadCloser, error)
ImageTag(ctx context.Context, image, ref string) error
diff --git a/vendor/github.com/docker/docker/container/attach_context.go b/vendor/github.com/docker/docker/container/attach_context.go
index 5a7d0748f0..9dd8e9da41 100644
--- a/vendor/github.com/docker/docker/container/attach_context.go
+++ b/vendor/github.com/docker/docker/container/attach_context.go
@@ -5,7 +5,7 @@ import (
"sync"
)
-// attachContext is the context used for for attach calls.
+// attachContext is the context used for attach calls.
type attachContext struct {
mu sync.Mutex
ctx context.Context
diff --git a/vendor/github.com/docker/docker/container/container.go b/vendor/github.com/docker/docker/container/container.go
index e73f05654f..018300350d 100644
--- a/vendor/github.com/docker/docker/container/container.go
+++ b/vendor/github.com/docker/docker/container/container.go
@@ -514,14 +514,14 @@ func (container *Container) AddMountPointWithVolume(destination string, vol volu
}
// UnmountVolumes unmounts all volumes
-func (container *Container) UnmountVolumes(volumeEventLog func(name string, action events.Action, attributes map[string]string)) error {
+func (container *Container) UnmountVolumes(ctx context.Context, volumeEventLog func(name string, action events.Action, attributes map[string]string)) error {
var errs []string
for _, volumeMount := range container.MountPoints {
if volumeMount.Volume == nil {
continue
}
- if err := volumeMount.Cleanup(); err != nil {
+ if err := volumeMount.Cleanup(ctx); err != nil {
errs = append(errs, err.Error())
continue
}
diff --git a/vendor/github.com/docker/docker/container/container_unix.go b/vendor/github.com/docker/docker/container/container_unix.go
index 80cf5e58dd..66bcacd963 100644
--- a/vendor/github.com/docker/docker/container/container_unix.go
+++ b/vendor/github.com/docker/docker/container/container_unix.go
@@ -15,8 +15,6 @@ import (
"github.com/docker/docker/api/types/events"
mounttypes "github.com/docker/docker/api/types/mount"
swarmtypes "github.com/docker/docker/api/types/swarm"
- "github.com/docker/docker/pkg/stringid"
- "github.com/docker/docker/volume"
volumemounts "github.com/docker/docker/volume/mounts"
"github.com/moby/sys/mount"
"github.com/opencontainers/selinux/go-selinux/label"
@@ -129,34 +127,11 @@ func (container *Container) NetworkMounts() []Mount {
}
// CopyImagePathContent copies files in destination to the volume.
-func (container *Container) CopyImagePathContent(v volume.Volume, destination string) error {
- rootfs, err := container.GetResourcePath(destination)
- if err != nil {
- return err
- }
-
- if _, err := os.Stat(rootfs); err != nil {
- if os.IsNotExist(err) {
- return nil
- }
- return err
- }
-
- id := stringid.GenerateRandomID()
- path, err := v.Mount(id)
- if err != nil {
- return err
- }
-
- defer func() {
- if err := v.Unmount(id); err != nil {
- log.G(context.TODO()).Warnf("error while unmounting volume %s: %v", v.Name(), err)
- }
- }()
- if err := label.Relabel(path, container.MountLabel, true); err != nil && !errors.Is(err, syscall.ENOTSUP) {
+func (container *Container) CopyImagePathContent(volumePath, destination string) error {
+ if err := label.Relabel(volumePath, container.MountLabel, true); err != nil && !errors.Is(err, syscall.ENOTSUP) {
return err
}
- return copyExistingContents(rootfs, path)
+ return copyExistingContents(destination, volumePath)
}
// ShmResourcePath returns path to shm
@@ -396,7 +371,7 @@ func (container *Container) DetachAndUnmount(volumeEventLog func(name string, ac
Warn("Unable to unmount")
}
}
- return container.UnmountVolumes(volumeEventLog)
+ return container.UnmountVolumes(ctx, volumeEventLog)
}
// ignoreUnsupportedXAttrs ignores errors when extended attributes
@@ -419,9 +394,13 @@ func copyExistingContents(source, destination string) error {
return err
}
if len(dstList) != 0 {
- // destination is not empty, do not copy
+ log.G(context.TODO()).WithFields(log.Fields{
+ "source": source,
+ "destination": destination,
+ }).Debug("destination is not empty, do not copy")
return nil
}
+
return fs.CopyDir(destination, source, ignoreUnsupportedXAttrs())
}
diff --git a/vendor/github.com/docker/docker/container/container_windows.go b/vendor/github.com/docker/docker/container/container_windows.go
index bceedcb637..bfebdbad18 100644
--- a/vendor/github.com/docker/docker/container/container_windows.go
+++ b/vendor/github.com/docker/docker/container/container_windows.go
@@ -1,6 +1,7 @@
package container // import "github.com/docker/docker/container"
import (
+ "context"
"fmt"
"os"
"path/filepath"
@@ -128,7 +129,7 @@ func (container *Container) ConfigMounts() []Mount {
// On Windows it only delegates to `UnmountVolumes` since there is nothing to
// force unmount.
func (container *Container) DetachAndUnmount(volumeEventLog func(name string, action events.Action, attributes map[string]string)) error {
- return container.UnmountVolumes(volumeEventLog)
+ return container.UnmountVolumes(context.TODO(), volumeEventLog)
}
// TmpfsMounts returns the list of tmpfs mounts
diff --git a/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go b/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go
index 106101937a..6131bcea7c 100644
--- a/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go
+++ b/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go
@@ -108,7 +108,7 @@ func (fl *follow) nextPos(current logPos) (next logPos, ok bool) {
case st = <-fl.LogFile.read:
}
- // Have any any logs been written since we last checked?
+ // Have any logs been written since we last checked?
if st.pos == current { // Nope.
// Add ourself to the notify list.
st.wait = append(st.wait, fl.c)
diff --git a/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go b/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go
index 572a3a7952..61490c8d1a 100644
--- a/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go
+++ b/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go
@@ -59,7 +59,7 @@ type LogFile struct {
// passing along ownership is expressed with function argument types.
// Methods which take a pointer *logReadState argument borrow the state,
// analogous to functions which require a lock to be held when calling.
- // The caller retains ownership. Calling a method which which takes a
+ // The caller retains ownership. Calling a method which takes a
// value logFileState argument gives ownership to the callee.
read chan logReadState
diff --git a/vendor/github.com/docker/docker/daemon/logger/ring.go b/vendor/github.com/docker/docker/daemon/logger/ring.go
index ff43baac2f..8c19b543d6 100644
--- a/vendor/github.com/docker/docker/daemon/logger/ring.go
+++ b/vendor/github.com/docker/docker/daemon/logger/ring.go
@@ -138,7 +138,7 @@ type messageRing struct {
wait *sync.Cond
sizeBytes int64 // current buffer size
- maxBytes int64 // max buffer size size
+ maxBytes int64 // max buffer size
queue []*Message
closed bool
}
diff --git a/vendor/github.com/docker/docker/image/image.go b/vendor/github.com/docker/docker/image/image.go
index c955cbcb68..9bfa8602f2 100644
--- a/vendor/github.com/docker/docker/image/image.go
+++ b/vendor/github.com/docker/docker/image/image.go
@@ -28,13 +28,6 @@ func (id ID) Digest() digest.Digest {
return digest.Digest(id)
}
-// IDFromDigest creates an ID from a digest
-//
-// Deprecated: cast to an ID using ID(digest).
-func IDFromDigest(digest digest.Digest) ID {
- return ID(digest)
-}
-
// V1Image stores the V1 image configuration.
type V1Image struct {
// ID is a unique 64 character identifier of the image
diff --git a/vendor/github.com/docker/docker/internal/cleanups/composite.go b/vendor/github.com/docker/docker/internal/cleanups/composite.go
new file mode 100644
index 0000000000..3c00cd6d75
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/cleanups/composite.go
@@ -0,0 +1,44 @@
+package cleanups
+
+import (
+ "context"
+
+ "github.com/docker/docker/internal/multierror"
+)
+
+type Composite struct {
+ cleanups []func(context.Context) error
+}
+
+// Add adds a cleanup to be called.
+func (c *Composite) Add(f func(context.Context) error) {
+ c.cleanups = append(c.cleanups, f)
+}
+
+// Call calls all cleanups in reverse order and returns an error combining all
+// non-nil errors.
+func (c *Composite) Call(ctx context.Context) error {
+ err := call(ctx, c.cleanups)
+ c.cleanups = nil
+ return err
+}
+
+// Release removes all cleanups, turning Call into a no-op.
+// Caller still can call the cleanups by calling the returned function
+// which is equivalent to calling the Call before Release was called.
+func (c *Composite) Release() func(context.Context) error {
+ cleanups := c.cleanups
+ c.cleanups = nil
+ return func(ctx context.Context) error {
+ return call(ctx, cleanups)
+ }
+}
+
+func call(ctx context.Context, cleanups []func(context.Context) error) error {
+ var errs []error
+ for idx := len(cleanups) - 1; idx >= 0; idx-- {
+ c := cleanups[idx]
+ errs = append(errs, c(ctx))
+ }
+ return multierror.Join(errs...)
+}
diff --git a/vendor/github.com/docker/docker/internal/compatcontext/cancel.go b/vendor/github.com/docker/docker/internal/compatcontext/cancel.go
new file mode 100644
index 0000000000..3c29794b47
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/compatcontext/cancel.go
@@ -0,0 +1,89 @@
+//go:build !go1.21
+
+// Copyright (c) 2009 The Go Authors. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// - Redistributions of source code must retain the above copyright
+//
+// notice, this list of conditions and the following disclaimer.
+// - Redistributions in binary form must reproduce the above
+//
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// - Neither the name of Google Inc. nor the names of its
+//
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Source: https://cs.opensource.google/go/go/+/refs/tags/go1.21.1:src/context/context.go
+// The only modifications to the original source were:
+// - replacing the usage of internal reflectlite with reflect
+// - replacing the usage of private value function with Value method call
+package compatcontext // import "github.com/docker/docker/internal/compatcontext"
+
+import (
+ "context"
+ "reflect"
+ "time"
+)
+
+// WithoutCancel returns a copy of parent that is not canceled when parent is canceled.
+// The returned context returns no Deadline or Err, and its Done channel is nil.
+// Calling [Cause] on the returned context returns nil.
+func WithoutCancel(parent context.Context) context.Context {
+ if parent == nil {
+ panic("cannot create context from nil parent")
+ }
+ return withoutCancelCtx{parent}
+}
+
+type withoutCancelCtx struct {
+ c context.Context
+}
+
+func (withoutCancelCtx) Deadline() (deadline time.Time, ok bool) {
+ return
+}
+
+func (withoutCancelCtx) Done() <-chan struct{} {
+ return nil
+}
+
+func (withoutCancelCtx) Err() error {
+ return nil
+}
+
+func (c withoutCancelCtx) Value(key any) any {
+ return c.c.Value(key)
+}
+
+func (c withoutCancelCtx) String() string {
+ return contextName(c.c) + ".WithoutCancel"
+}
+
+type stringer interface {
+ String() string
+}
+
+func contextName(c context.Context) string {
+ if s, ok := c.(stringer); ok {
+ return s.String()
+ }
+ return reflect.TypeOf(c).String()
+}
diff --git a/vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go b/vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go
new file mode 100644
index 0000000000..e43555b292
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go
@@ -0,0 +1,9 @@
+//go:build go1.21
+
+package compatcontext // import "github.com/docker/docker/internal/compatcontext"
+
+import "context"
+
+func WithoutCancel(ctx context.Context) context.Context {
+ return context.WithoutCancel(ctx)
+}
diff --git a/vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go b/vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go
new file mode 100644
index 0000000000..f4ecf710c8
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go
@@ -0,0 +1,39 @@
+package mountopts
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+// UnprivilegedMountFlags gets the set of mount flags that are set on the mount that contains the given
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
+// bind-mounting "with options" will not fail with user namespaces, due to
+// kernel restrictions that require user namespace mounts to preserve
+// CL_UNPRIVILEGED locked flags.
+//
+// TODO: Move to github.com/moby/sys/mount, and update BuildKit copy of this code as well (https://github.com/moby/buildkit/blob/v0.13.0/util/rootless/mountopts/mountopts_linux.go#L11-L18)
+func UnprivilegedMountFlags(path string) ([]string, error) {
+ var statfs unix.Statfs_t
+ if err := unix.Statfs(path, &statfs); err != nil {
+ return nil, err
+ }
+
+ // The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
+ unprivilegedFlags := map[uint64]string{
+ unix.MS_RDONLY: "ro",
+ unix.MS_NODEV: "nodev",
+ unix.MS_NOEXEC: "noexec",
+ unix.MS_NOSUID: "nosuid",
+ unix.MS_NOATIME: "noatime",
+ unix.MS_RELATIME: "relatime",
+ unix.MS_NODIRATIME: "nodiratime",
+ }
+
+ var flags []string
+ for mask, flag := range unprivilegedFlags {
+ if uint64(statfs.Flags)&mask == mask {
+ flags = append(flags, flag)
+ }
+ }
+
+ return flags, nil
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/common.go b/vendor/github.com/docker/docker/internal/safepath/common.go
new file mode 100644
index 0000000000..5beb2e6e43
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/common.go
@@ -0,0 +1,66 @@
+package safepath
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/pkg/errors"
+)
+
+// evaluatePath evaluates symlinks in the concatenation of path and subpath. If
+// err is nil, resolvedBasePath will contain result of resolving all symlinks
+// in the given path, and resolvedSubpath will contain a relative path rooted
+// at the resolvedBasePath pointing to the concatenation after resolving all
+// symlinks.
+func evaluatePath(path, subpath string) (resolvedBasePath string, resolvedSubpath string, err error) {
+ baseResolved, err := filepath.EvalSymlinks(path)
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return "", "", &ErrNotAccessible{Path: path, Cause: err}
+ }
+ return "", "", errors.Wrapf(err, "error while resolving symlinks in base directory %q", path)
+ }
+
+ combinedPath := filepath.Join(baseResolved, subpath)
+ combinedResolved, err := filepath.EvalSymlinks(combinedPath)
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return "", "", &ErrNotAccessible{Path: combinedPath, Cause: err}
+ }
+ return "", "", errors.Wrapf(err, "error while resolving symlinks in combined path %q", combinedPath)
+ }
+
+ subpart, err := filepath.Rel(baseResolved, combinedResolved)
+ if err != nil {
+ return "", "", &ErrEscapesBase{Base: baseResolved, Subpath: subpath}
+ }
+
+ if !filepath.IsLocal(subpart) {
+ return "", "", &ErrEscapesBase{Base: baseResolved, Subpath: subpath}
+ }
+
+ return baseResolved, subpart, nil
+}
+
+// isLocalTo reports whether path, using lexical analysis only, has all of these properties:
+// - is within the subtree rooted at basepath
+// - is not empty
+// - on Windows, is not a reserved name such as "NUL"
+//
+// If isLocalTo(path, basepath) returns true, then
+//
+// filepath.Rel(basepath, path)
+//
+// will always produce an unrooted path with no `..` elements.
+//
+// isLocalTo is a purely lexical operation. In particular, it does not account for the effect of any symbolic links that may exist in the filesystem.
+//
+// Both path and basepath are expected to be absolute paths.
+func isLocalTo(path, basepath string) bool {
+ rel, err := filepath.Rel(basepath, path)
+ if err != nil {
+ return false
+ }
+
+ return filepath.IsLocal(rel)
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/errors.go b/vendor/github.com/docker/docker/internal/safepath/errors.go
new file mode 100644
index 0000000000..8fcfe262ee
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/errors.go
@@ -0,0 +1,42 @@
+package safepath
+
+// ErrNotAccessible is returned by Join when the resulting path doesn't exist,
+// is not accessible, or any of the path components was replaced with a symlink
+// during the path traversal.
+type ErrNotAccessible struct {
+ Path string
+ Cause error
+}
+
+func (*ErrNotAccessible) NotFound() {}
+
+func (e *ErrNotAccessible) Unwrap() error {
+ return e.Cause
+}
+
+func (e *ErrNotAccessible) Error() string {
+ msg := "cannot access path " + e.Path
+ if e.Cause != nil {
+ msg += ": " + e.Cause.Error()
+ }
+ return msg
+}
+
+// ErrEscapesBase is returned by Join when the resulting concatenation would
+// point outside of the specified base directory.
+type ErrEscapesBase struct {
+ Base, Subpath string
+}
+
+func (*ErrEscapesBase) InvalidParameter() {}
+
+func (e *ErrEscapesBase) Error() string {
+ msg := "path concatenation escapes the base directory"
+ if e.Base != "" {
+ msg += ", base: " + e.Base
+ }
+ if e.Subpath != "" {
+ msg += ", subpath: " + e.Subpath
+ }
+ return msg
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/join_linux.go b/vendor/github.com/docker/docker/internal/safepath/join_linux.go
new file mode 100644
index 0000000000..68cb0d7abe
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/join_linux.go
@@ -0,0 +1,150 @@
+package safepath
+
+import (
+ "context"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strconv"
+
+ "github.com/containerd/log"
+ "github.com/docker/docker/internal/unix_noeintr"
+ "github.com/pkg/errors"
+ "golang.org/x/sys/unix"
+)
+
+// Join makes sure that the concatenation of path and subpath doesn't
+// resolve to a path outside of path and returns a path to a temporary file that is
+// a bind mount to the exact same file/directory that was validated.
+//
+// After use, it is the caller's responsibility to call Close on the returned
+// SafePath object, which will unmount the temporary file/directory
+// and remove it.
+func Join(_ context.Context, path, subpath string) (*SafePath, error) {
+ base, subpart, err := evaluatePath(path, subpath)
+ if err != nil {
+ return nil, err
+ }
+
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+ fd, err := safeOpenFd(base, subpart)
+ if err != nil {
+ return nil, err
+ }
+
+ defer unix_noeintr.Close(fd)
+
+ tmpMount, err := tempMountPoint(fd)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to create temporary file for safe mount")
+ }
+
+ pid := strconv.Itoa(unix.Gettid())
+ // Using explicit pid path, because /proc/self/fd/ fails with EACCES
+ // when running under "Enhanced Container Isolation" in Docker Desktop
+ // which uses sysbox runtime under the hood.
+ // TODO(vvoland): Investigate.
+ mountSource := "/proc/" + pid + "/fd/" + strconv.Itoa(fd)
+
+ if err := unix_noeintr.Mount(mountSource, tmpMount, "none", unix.MS_BIND, ""); err != nil {
+ os.Remove(tmpMount)
+ return nil, errors.Wrap(err, "failed to mount resolved path")
+ }
+
+ return &SafePath{
+ path: tmpMount,
+ sourceBase: base,
+ sourceSubpath: subpart,
+ cleanup: cleanupSafePath(tmpMount),
+ }, nil
+}
+
+// safeOpenFd opens the file at filepath.Join(path, subpath) in O_PATH
+// mode and returns the file descriptor if subpath is within the subtree
+// rooted at path. It is an error if any of components of path or subpath
+// are symbolic links.
+//
+// It is a caller's responsibility to close the returned file descriptor, if no
+// error was returned.
+func safeOpenFd(path, subpath string) (int, error) {
+ // Open base volume path (_data directory).
+ prevFd, err := unix_noeintr.Open(path, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC|unix.O_NOFOLLOW, 0)
+ if err != nil {
+ return -1, &ErrNotAccessible{Path: path, Cause: err}
+ }
+ defer unix_noeintr.Close(prevFd)
+
+ // Try to use the Openat2 syscall first (available on Linux 5.6+).
+ fd, err := unix_noeintr.Openat2(prevFd, subpath, &unix.OpenHow{
+ Flags: unix.O_PATH | unix.O_CLOEXEC,
+ Mode: 0,
+ Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS | unix.RESOLVE_NO_SYMLINKS,
+ })
+
+ switch {
+ case errors.Is(err, unix.ENOSYS):
+ // Openat2 is not available, fallback to Openat loop.
+ return kubernetesSafeOpen(path, subpath)
+ case errors.Is(err, unix.EXDEV):
+ return -1, &ErrEscapesBase{Base: path, Subpath: subpath}
+ case errors.Is(err, unix.ENOENT), errors.Is(err, unix.ELOOP):
+ return -1, &ErrNotAccessible{Path: filepath.Join(path, subpath), Cause: err}
+ case err != nil:
+ return -1, &os.PathError{Op: "openat2", Path: subpath, Err: err}
+ }
+
+ // Openat2 is available and succeeded.
+ return fd, nil
+}
+
+// tempMountPoint creates a temporary file/directory to act as mount
+// point for the file descriptor.
+func tempMountPoint(sourceFd int) (string, error) {
+ var stat unix.Stat_t
+ err := unix_noeintr.Fstat(sourceFd, &stat)
+ if err != nil {
+ return "", errors.Wrap(err, "failed to Fstat mount source fd")
+ }
+
+ isDir := (stat.Mode & unix.S_IFMT) == unix.S_IFDIR
+ if isDir {
+ return os.MkdirTemp("", "safe-mount")
+ }
+
+ f, err := os.CreateTemp("", "safe-mount")
+ if err != nil {
+ return "", err
+ }
+
+ p := f.Name()
+ if err := f.Close(); err != nil {
+ return "", err
+ }
+ return p, nil
+}
+
+// cleanupSafePaths returns a function that unmounts the path and removes the
+// mountpoint.
+func cleanupSafePath(path string) func(context.Context) error {
+ return func(ctx context.Context) error {
+ log.G(ctx).WithField("path", path).Debug("removing safe temp mount")
+
+ if err := unix_noeintr.Unmount(path, unix.MNT_DETACH); err != nil {
+ if errors.Is(err, unix.EINVAL) {
+ log.G(ctx).WithField("path", path).Warn("safe temp mount no longer exists?")
+ return nil
+ }
+ return errors.Wrapf(err, "error unmounting safe mount %s", path)
+ }
+ if err := os.Remove(path); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ log.G(ctx).WithField("path", path).Warn("safe temp mount no longer exists?")
+ return nil
+ }
+ return errors.Wrapf(err, "failed to delete temporary safe mount")
+ }
+
+ return nil
+ }
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/join_windows.go b/vendor/github.com/docker/docker/internal/safepath/join_windows.go
new file mode 100644
index 0000000000..63c646a682
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/join_windows.go
@@ -0,0 +1,93 @@
+package safepath
+
+import (
+ "context"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/containerd/log"
+ "github.com/docker/docker/internal/cleanups"
+ "github.com/docker/docker/internal/compatcontext"
+ "github.com/pkg/errors"
+ "golang.org/x/sys/windows"
+)
+
+// Join locks all individual components of the path which is the concatenation
+// of provided path and its subpath, checks that it doesn't escape the base path
+// and returns the concatenated path.
+//
+// The path is safe (the path target won't change) until the returned SafePath
+// is Closed.
+// Caller is responsible for calling the Close function which unlocks the path.
+func Join(ctx context.Context, path, subpath string) (*SafePath, error) {
+ base, subpart, err := evaluatePath(path, subpath)
+ if err != nil {
+ return nil, err
+ }
+ parts := strings.Split(subpart, string(os.PathSeparator))
+
+ cleanups := cleanups.Composite{}
+ defer func() {
+ if cErr := cleanups.Call(compatcontext.WithoutCancel(ctx)); cErr != nil {
+ log.G(ctx).WithError(cErr).Warn("failed to close handles after error")
+ }
+ }()
+
+ fullPath := base
+ for _, part := range parts {
+ fullPath = filepath.Join(fullPath, part)
+
+ handle, err := lockFile(fullPath)
+ if err != nil {
+ if errors.Is(err, windows.ERROR_FILE_NOT_FOUND) {
+ return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
+ }
+ return nil, errors.Wrapf(err, "failed to lock file %s", fullPath)
+ }
+ cleanups.Add(func(context.Context) error {
+ if err := windows.CloseHandle(handle); err != nil {
+ return &os.PathError{Op: "CloseHandle", Path: fullPath, Err: err}
+ }
+ return err
+ })
+
+ realPath, err := filepath.EvalSymlinks(fullPath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to eval symlinks of %s", fullPath)
+ }
+
+ if realPath != fullPath && !isLocalTo(realPath, base) {
+ return nil, &ErrEscapesBase{Base: base, Subpath: subpart}
+ }
+
+ var info windows.ByHandleFileInformation
+ if err := windows.GetFileInformationByHandle(handle, &info); err != nil {
+ return nil, errors.WithStack(&os.PathError{Op: "GetFileInformationByHandle", Path: fullPath, Err: err})
+ }
+
+ if (info.FileAttributes & windows.FILE_ATTRIBUTE_REPARSE_POINT) != 0 {
+ return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
+ }
+ }
+
+ return &SafePath{
+ path: fullPath,
+ sourceBase: base,
+ sourceSubpath: subpart,
+ cleanup: cleanups.Release(),
+ }, nil
+}
+
+func lockFile(path string) (windows.Handle, error) {
+ p, err := windows.UTF16PtrFromString(path)
+ if err != nil {
+ return windows.InvalidHandle, &os.PathError{Op: "UTF16PtrFromString", Path: path, Err: err}
+ }
+ const flags = windows.FILE_FLAG_BACKUP_SEMANTICS | windows.FILE_FLAG_OPEN_REPARSE_POINT
+ handle, err := windows.CreateFile(p, windows.GENERIC_READ, windows.FILE_SHARE_READ, nil, windows.OPEN_EXISTING, flags, 0)
+ if err != nil {
+ return handle, &os.PathError{Op: "CreateFile", Path: path, Err: err}
+ }
+ return handle, nil
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go b/vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go
new file mode 100644
index 0000000000..ebbe7e17a5
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go
@@ -0,0 +1,112 @@
+package safepath
+
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import (
+ "context"
+ "fmt"
+ "path/filepath"
+ "strings"
+
+ "github.com/containerd/log"
+ "github.com/docker/docker/internal/unix_noeintr"
+ "golang.org/x/sys/unix"
+)
+
+// kubernetesSafeOpen open path formed by concatenation of the base directory
+// and its subpath and return its fd.
+// Symlinks are disallowed (pathname must already resolve symlinks) and the
+// path must be within the base directory.
+// This is minimally modified code from https://github.com/kubernetes/kubernetes/blob/55fb1805a1217b91b36fa8fe8f2bf3a28af2454d/pkg/volume/util/subpath/subpath_linux.go#L530
+func kubernetesSafeOpen(base, subpath string) (int, error) {
+ // syscall.Openat flags used to traverse directories not following symlinks
+ const nofollowFlags = unix.O_RDONLY | unix.O_NOFOLLOW
+ // flags for getting file descriptor without following the symlink
+ const openFDFlags = unix.O_NOFOLLOW | unix.O_PATH
+
+ pathname := filepath.Join(base, subpath)
+ segments := strings.Split(subpath, string(filepath.Separator))
+
+ // Assumption: base is the only directory that we have under control.
+ // Base dir is not allowed to be a symlink.
+ parentFD, err := unix_noeintr.Open(base, nofollowFlags|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return -1, &ErrNotAccessible{Path: base, Cause: err}
+ }
+ defer func() {
+ if parentFD != -1 {
+ if err = unix_noeintr.Close(parentFD); err != nil {
+ log.G(context.TODO()).Errorf("Closing FD %v failed for safeopen(%v): %v", parentFD, pathname, err)
+ }
+ }
+ }()
+
+ childFD := -1
+ defer func() {
+ if childFD != -1 {
+ if err = unix_noeintr.Close(childFD); err != nil {
+ log.G(context.TODO()).Errorf("Closing FD %v failed for safeopen(%v): %v", childFD, pathname, err)
+ }
+ }
+ }()
+
+ currentPath := base
+
+ // Follow the segments one by one using openat() to make
+ // sure the user cannot change already existing directories into symlinks.
+ for _, seg := range segments {
+ var deviceStat unix.Stat_t
+
+ currentPath = filepath.Join(currentPath, seg)
+ if !isLocalTo(currentPath, base) {
+ return -1, &ErrEscapesBase{Base: currentPath, Subpath: seg}
+ }
+
+ // Trigger auto mount if it's an auto-mounted directory, ignore error if not a directory.
+ // Notice the trailing slash is mandatory, see "automount" in openat(2) and open_by_handle_at(2).
+ unix_noeintr.Fstatat(parentFD, seg+"/", &deviceStat, unix.AT_SYMLINK_NOFOLLOW)
+
+ log.G(context.TODO()).Debugf("Opening path %s", currentPath)
+ childFD, err = unix_noeintr.Openat(parentFD, seg, openFDFlags|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return -1, &ErrNotAccessible{Path: currentPath, Cause: err}
+ }
+
+ err := unix_noeintr.Fstat(childFD, &deviceStat)
+ if err != nil {
+ return -1, fmt.Errorf("error running fstat on %s with %v", currentPath, err)
+ }
+ fileFmt := deviceStat.Mode & unix.S_IFMT
+ if fileFmt == unix.S_IFLNK {
+ return -1, fmt.Errorf("unexpected symlink found %s", currentPath)
+ }
+
+ // Close parentFD
+ if err = unix_noeintr.Close(parentFD); err != nil {
+ return -1, fmt.Errorf("closing fd for %q failed: %v", filepath.Dir(currentPath), err)
+ }
+ // Set child to new parent
+ parentFD = childFD
+ childFD = -1
+ }
+
+ // We made it to the end, return this fd, don't close it
+ finalFD := parentFD
+ parentFD = -1
+
+ return finalFD, nil
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/safepath.go b/vendor/github.com/docker/docker/internal/safepath/safepath.go
new file mode 100644
index 0000000000..c43e06fd22
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/safepath.go
@@ -0,0 +1,63 @@
+package safepath
+
+import (
+ "context"
+ "fmt"
+ "sync"
+
+ "github.com/containerd/log"
+)
+
+type SafePath struct {
+ path string
+ cleanup func(ctx context.Context) error
+ mutex sync.Mutex
+
+ // Immutable fields
+ sourceBase, sourceSubpath string
+}
+
+// Close releases the resources used by the path.
+func (s *SafePath) Close(ctx context.Context) error {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+
+ if s.path == "" {
+ base, sub := s.SourcePath()
+ log.G(ctx).WithFields(log.Fields{
+ "path": s.Path(),
+ "sourceBase": base,
+ "sourceSubpath": sub,
+ }).Warn("an attempt to close an already closed SafePath")
+ return nil
+ }
+
+ s.path = ""
+ if s.cleanup != nil {
+ return s.cleanup(ctx)
+ }
+ return nil
+}
+
+// IsValid return true when path can still be used and wasn't cleaned up by Close.
+func (s *SafePath) IsValid() bool {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ return s.path != ""
+}
+
+// Path returns a safe, temporary path that can be used to access the original path.
+func (s *SafePath) Path() string {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ if s.path == "" {
+ panic(fmt.Sprintf("use-after-close attempted for safepath with source [%s, %s]", s.sourceBase, s.sourceSubpath))
+ }
+ return s.path
+}
+
+// SourcePath returns the source path the safepath points to.
+func (s *SafePath) SourcePath() (string, string) {
+ // No mutex lock because these are immutable.
+ return s.sourceBase, s.sourceSubpath
+}
diff --git a/vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go b/vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go
new file mode 100644
index 0000000000..0cb8ea7d68
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go
@@ -0,0 +1,34 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
+package sliceutil
+
+func Dedup[T comparable](slice []T) []T {
+ keys := make(map[T]struct{})
+ out := make([]T, 0, len(slice))
+ for _, s := range slice {
+ if _, ok := keys[s]; !ok {
+ out = append(out, s)
+ keys[s] = struct{}{}
+ }
+ }
+ return out
+}
+
+func Map[S ~[]In, In, Out any](s S, fn func(In) Out) []Out {
+ res := make([]Out, len(s))
+ for i, v := range s {
+ res[i] = fn(v)
+ }
+ return res
+}
+
+func Mapper[In, Out any](fn func(In) Out) func([]In) []Out {
+ return func(s []In) []Out {
+ res := make([]Out, len(s))
+ for i, v := range s {
+ res[i] = fn(v)
+ }
+ return res
+ }
+}
diff --git a/vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go b/vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go
new file mode 100644
index 0000000000..32c72d0041
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go
@@ -0,0 +1,85 @@
+//go:build !windows
+
+// Wrappers for unix syscalls that retry on EINTR
+// TODO: Consider moving (for example to moby/sys) and making the wrappers
+// auto-generated.
+package unix_noeintr
+
+import (
+ "errors"
+
+ "golang.org/x/sys/unix"
+)
+
+func Retry(f func() error) {
+ for {
+ err := f()
+ if !errors.Is(err, unix.EINTR) {
+ return
+ }
+ }
+}
+
+func Mount(source string, target string, fstype string, flags uintptr, data string) (err error) {
+ Retry(func() error {
+ err = unix.Mount(source, target, fstype, flags, data)
+ return err
+ })
+ return
+}
+
+func Unmount(target string, flags int) (err error) {
+ Retry(func() error {
+ err = unix.Unmount(target, flags)
+ return err
+ })
+ return
+}
+
+func Open(path string, mode int, perm uint32) (fd int, err error) {
+ Retry(func() error {
+ fd, err = unix.Open(path, mode, perm)
+ return err
+ })
+ return
+}
+
+func Close(fd int) (err error) {
+ Retry(func() error {
+ err = unix.Close(fd)
+ return err
+ })
+ return
+}
+
+func Openat(dirfd int, path string, mode int, perms uint32) (fd int, err error) {
+ Retry(func() error {
+ fd, err = unix.Openat(dirfd, path, mode, perms)
+ return err
+ })
+ return
+}
+
+func Openat2(dirfd int, path string, how *unix.OpenHow) (fd int, err error) {
+ Retry(func() error {
+ fd, err = unix.Openat2(dirfd, path, how)
+ return err
+ })
+ return
+}
+
+func Fstat(fd int, stat *unix.Stat_t) (err error) {
+ Retry(func() error {
+ err = unix.Fstat(fd, stat)
+ return err
+ })
+ return
+}
+
+func Fstatat(fd int, path string, stat *unix.Stat_t, flags int) (err error) {
+ Retry(func() error {
+ err = unix.Fstatat(fd, path, stat, flags)
+ return err
+ })
+ return
+}
diff --git a/vendor/github.com/docker/docker/oci/namespaces.go b/vendor/github.com/docker/docker/oci/namespaces.go
index 851edd61ef..befcefcc40 100644
--- a/vendor/github.com/docker/docker/oci/namespaces.go
+++ b/vendor/github.com/docker/docker/oci/namespaces.go
@@ -14,3 +14,14 @@ func RemoveNamespace(s *specs.Spec, nsType specs.LinuxNamespaceType) {
}
}
}
+
+// NamespacePath returns the configured Path of the first namespace in
+// s.Linux.Namespaces of type nsType.
+func NamespacePath(s *specs.Spec, nsType specs.LinuxNamespaceType) (path string, ok bool) {
+ for _, n := range s.Linux.Namespaces {
+ if n.Type == nsType {
+ return n.Path, true
+ }
+ }
+ return "", false
+}
diff --git a/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go b/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go
index f71bb036c7..3b7fd80f28 100644
--- a/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go
+++ b/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go
@@ -1,10 +1,6 @@
package containerfs // import "github.com/docker/docker/pkg/containerfs"
-import (
- "path/filepath"
-
- "github.com/moby/sys/symlink"
-)
+import "path/filepath"
// CleanScopedPath prepares the given path to be combined with a mount path or
// a drive-letter. On Windows, it removes any existing driveletter (e.g. "C:").
@@ -17,11 +13,3 @@ func CleanScopedPath(path string) string {
}
return filepath.Join(string(filepath.Separator), path)
}
-
-// ResolveScopedPath evaluates the given path scoped to the root.
-// For example, if root=/a, and path=/b/c, then this function would return /a/b/c.
-//
-// Deprecated: use [symlink.FollowSymlinkInScope].
-func ResolveScopedPath(root, path string) (string, error) {
- return symlink.FollowSymlinkInScope(filepath.Join(root, path), root)
-}
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir.go b/vendor/github.com/docker/docker/pkg/homedir/homedir.go
index 590683206c..c0ab3f5bf3 100644
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir.go
+++ b/vendor/github.com/docker/docker/pkg/homedir/homedir.go
@@ -6,14 +6,6 @@ import (
"runtime"
)
-// Key returns the env var name for the user's home dir based on
-// the platform being run on.
-//
-// Deprecated: this function is no longer used, and will be removed in the next release.
-func Key() string {
- return envKeyName
-}
-
// Get returns the home directory of the current user with the help of
// environment variables depending on the target operating system.
// Returned path should be used with "path/filepath" to form new paths.
@@ -34,11 +26,3 @@ func Get() string {
}
return home
}
-
-// GetShortcutString returns the string that is shortcut to user's home directory
-// in the native shell of the platform running on.
-//
-// Deprecated: this function is no longer used, and will be removed in the next release.
-func GetShortcutString() string {
- return homeShortCut
-}
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go
deleted file mode 100644
index feae4d736c..0000000000
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go
+++ /dev/null
@@ -1,8 +0,0 @@
-//go:build !windows
-
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-const (
- envKeyName = "HOME"
- homeShortCut = "~"
-)
diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go
deleted file mode 100644
index 37f4ee6701..0000000000
--- a/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package homedir // import "github.com/docker/docker/pkg/homedir"
-
-const (
- envKeyName = "USERPROFILE"
- homeShortCut = "%USERPROFILE%" // be careful while using in format functions
-)
diff --git a/vendor/github.com/docker/docker/pkg/plugins/discovery.go b/vendor/github.com/docker/docker/pkg/plugins/discovery.go
index 37316ed482..503ac574a9 100644
--- a/vendor/github.com/docker/docker/pkg/plugins/discovery.go
+++ b/vendor/github.com/docker/docker/pkg/plugins/discovery.go
@@ -10,6 +10,8 @@ import (
"strings"
"sync"
+ "github.com/containerd/containerd/pkg/userns"
+ "github.com/containerd/log"
"github.com/pkg/errors"
)
@@ -56,10 +58,16 @@ func (l *LocalRegistry) Scan() ([]string, error) {
for _, p := range l.specsPaths {
dirEntries, err = os.ReadDir(p)
- if err != nil && !os.IsNotExist(err) {
+ if err != nil {
+ if os.IsNotExist(err) {
+ continue
+ }
+ if os.IsPermission(err) && userns.RunningInUserNS() {
+ log.L.Debug(err.Error())
+ continue
+ }
return nil, errors.Wrap(err, "error reading dir entries")
}
-
for _, entry := range dirEntries {
if entry.IsDir() {
infos, err := os.ReadDir(filepath.Join(p, entry.Name()))
diff --git a/vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go b/vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go
deleted file mode 100644
index afb57dae6a..0000000000
--- a/vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go
+++ /dev/null
@@ -1,19 +0,0 @@
-package system
-
-import (
- "errors"
- "runtime"
- "strings"
-)
-
-// ErrNotSupportedOperatingSystem means the operating system is not supported.
-//
-// Deprecated: use [github.com/docker/docker/image.CheckOS] and check the error returned.
-var ErrNotSupportedOperatingSystem = errors.New("operating system is not supported")
-
-// IsOSSupported determines if an operating system is supported by the host.
-//
-// Deprecated: use [github.com/docker/docker/image.CheckOS] and check the error returned.
-func IsOSSupported(os string) bool {
- return strings.EqualFold(runtime.GOOS, os)
-}
diff --git a/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go b/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go
index 82f973ffc9..746afde8d5 100644
--- a/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go
+++ b/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go
@@ -1,3 +1,6 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
package v2 // import "github.com/docker/docker/plugin/v2"
import (
@@ -6,7 +9,10 @@ import (
"runtime"
"strings"
+ "github.com/containerd/containerd/pkg/userns"
"github.com/docker/docker/api/types"
+ "github.com/docker/docker/internal/rootless/mountopts"
+ "github.com/docker/docker/internal/sliceutil"
"github.com/docker/docker/oci"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
@@ -136,5 +142,35 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) {
p.modifyRuntimeSpec(&s)
}
+ // Rootless mode requires modifying the mount flags
+ // https://github.com/moby/moby/issues/47248#issuecomment-1927776700
+ // https://github.com/moby/moby/pull/47558
+ if userns.RunningInUserNS() {
+ for i := range s.Mounts {
+ m := &s.Mounts[i]
+ for _, o := range m.Options {
+ switch o {
+ case "bind", "rbind":
+ if _, err := os.Lstat(m.Source); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ continue
+ }
+ return nil, err
+ }
+ // UnprivilegedMountFlags gets the set of mount flags that are set on the mount that contains the given
+ // path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
+ // bind-mounting "with options" will not fail with user namespaces, due to
+ // kernel restrictions that require user namespace mounts to preserve
+ // CL_UNPRIVILEGED locked flags.
+ unpriv, err := mountopts.UnprivilegedMountFlags(m.Source)
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to get unprivileged mount flags for %+v", m)
+ }
+ m.Options = sliceutil.Dedup(append(m.Options, unpriv...))
+ }
+ }
+ }
+ }
+
return &s, nil
}
diff --git a/vendor/github.com/docker/docker/restartmanager/restartmanager.go b/vendor/github.com/docker/docker/restartmanager/restartmanager.go
index e1337662c1..16a85077f8 100644
--- a/vendor/github.com/docker/docker/restartmanager/restartmanager.go
+++ b/vendor/github.com/docker/docker/restartmanager/restartmanager.go
@@ -63,7 +63,7 @@ func (rm *RestartManager) ShouldRestart(exitCode uint32, hasBeenManuallyStopped
if rm.active {
return false, nil, fmt.Errorf("invalid call on an active restart manager")
}
- // if the container ran for more than 10s, regardless of status and policy reset the
+ // if the container ran for more than 10s, regardless of status and policy reset
// the timeout back to the default.
if executionDuration.Seconds() >= 10 {
rm.timeout = 0
diff --git a/vendor/github.com/docker/docker/runconfig/config.go b/vendor/github.com/docker/docker/runconfig/config.go
index 3ba1609e91..81047ea6d1 100644
--- a/vendor/github.com/docker/docker/runconfig/config.go
+++ b/vendor/github.com/docker/docker/runconfig/config.go
@@ -27,11 +27,6 @@ func (r ContainerDecoder) DecodeConfig(src io.Reader) (*container.Config, *conta
return decodeContainerConfig(src, si)
}
-// DecodeHostConfig makes ContainerDecoder to implement httputils.ContainerDecoder
-func (r ContainerDecoder) DecodeHostConfig(src io.Reader) (*container.HostConfig, error) {
- return decodeHostConfig(src)
-}
-
// decodeContainerConfig decodes a json encoded config into a ContainerConfigWrapper
// struct and returns both a Config and a HostConfig struct, and performs some
// validation. Certain parameters need daemon-side validation that cannot be done
diff --git a/vendor/github.com/docker/docker/runconfig/hostconfig.go b/vendor/github.com/docker/docker/runconfig/hostconfig.go
index 8a9e65f1a2..84a4ae0b6f 100644
--- a/vendor/github.com/docker/docker/runconfig/hostconfig.go
+++ b/vendor/github.com/docker/docker/runconfig/hostconfig.go
@@ -1,23 +1,12 @@
package runconfig // import "github.com/docker/docker/runconfig"
import (
- "io"
"strings"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/network"
)
-// DecodeHostConfig creates a HostConfig based on the specified Reader.
-// It assumes the content of the reader will be JSON, and decodes it.
-func decodeHostConfig(src io.Reader) (*container.HostConfig, error) {
- var w ContainerConfigWrapper
- if err := loadJSON(src, &w); err != nil {
- return nil, err
- }
- return w.getHostConfig(), nil
-}
-
// SetDefaultNetModeIfBlank changes the NetworkMode in a HostConfig structure
// to default if it is not populated. This ensures backwards compatibility after
// the validation of the network mode was moved from the docker CLI to the
diff --git a/vendor/github.com/docker/docker/volume/mounts/linux_parser.go b/vendor/github.com/docker/docker/volume/mounts/linux_parser.go
index e7e8ad80f3..1532187c77 100644
--- a/vendor/github.com/docker/docker/volume/mounts/linux_parser.go
+++ b/vendor/github.com/docker/docker/volume/mounts/linux_parser.go
@@ -96,8 +96,18 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour
if mnt.BindOptions != nil {
return &errMountConfig{mnt, errExtraField("BindOptions")}
}
+ anonymousVolume := len(mnt.Source) == 0
- if len(mnt.Source) == 0 && mnt.ReadOnly {
+ if mnt.VolumeOptions != nil && mnt.VolumeOptions.Subpath != "" {
+ if anonymousVolume {
+ return &errMountConfig{mnt, errAnonymousVolumeWithSubpath}
+ }
+
+ if !filepath.IsLocal(mnt.VolumeOptions.Subpath) {
+ return &errMountConfig{mnt, errInvalidSubpath}
+ }
+ }
+ if mnt.ReadOnly && anonymousVolume {
return &errMountConfig{mnt, fmt.Errorf("must not set ReadOnly mode when using anonymous volumes")}
}
case mount.TypeTmpfs:
diff --git a/vendor/github.com/docker/docker/volume/mounts/mounts.go b/vendor/github.com/docker/docker/volume/mounts/mounts.go
index 74caf015ff..7a518a046f 100644
--- a/vendor/github.com/docker/docker/volume/mounts/mounts.go
+++ b/vendor/github.com/docker/docker/volume/mounts/mounts.go
@@ -5,10 +5,12 @@ import (
"fmt"
"os"
"path/filepath"
+ "runtime/debug"
"syscall"
"github.com/containerd/log"
mounttypes "github.com/docker/docker/api/types/mount"
+ "github.com/docker/docker/internal/safepath"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/stringid"
"github.com/docker/docker/volume"
@@ -74,19 +76,50 @@ type MountPoint struct {
// Specifically needed for containers which are running and calls to `docker cp`
// because both these actions require mounting the volumes.
active int
+
+ // SafePaths created by Setup that should be cleaned up before unmounting
+ // the volume.
+ safePaths []*safepath.SafePath
}
-// Cleanup frees resources used by the mountpoint
-func (m *MountPoint) Cleanup() error {
+// Cleanup frees resources used by the mountpoint and cleans up all the paths
+// returned by Setup that hasn't been cleaned up by the caller.
+func (m *MountPoint) Cleanup(ctx context.Context) error {
if m.Volume == nil || m.ID == "" {
return nil
}
+ logger := log.G(ctx).WithFields(log.Fields{"active": m.active, "id": m.ID})
+
+ // TODO: Remove once the real bug is fixed: https://github.com/moby/moby/issues/46508
+ if m.active == 0 {
+ logger.Error("An attempt to decrement a zero mount count")
+ logger.Error(string(debug.Stack()))
+ return nil
+ }
+
+ for _, p := range m.safePaths {
+ if !p.IsValid() {
+ continue
+ }
+
+ err := p.Close(ctx)
+ base, sub := p.SourcePath()
+ log.G(ctx).WithFields(log.Fields{
+ "error": err,
+ "path": p.Path(),
+ "sourceBase": base,
+ "sourceSubpath": sub,
+ }).Warn("cleaning up SafePath that hasn't been cleaned up by the caller")
+ }
+
if err := m.Volume.Unmount(m.ID); err != nil {
return errors.Wrapf(err, "error unmounting volume %s", m.Volume.Name())
}
m.active--
+ logger.Debug("MountPoint.Cleanup Decrement active count")
+
if m.active == 0 {
m.ID = ""
}
@@ -97,30 +130,42 @@ func (m *MountPoint) Cleanup() error {
// configured, or creating the source directory if supplied.
// The, optional, checkFun parameter allows doing additional checking
// before creating the source directory on the host.
-func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun func(m *MountPoint) error) (path string, err error) {
+//
+// The returned path can be a temporary path, caller is responsible to
+// call the returned cleanup function as soon as the path is not needed.
+// Cleanup doesn't unmount the underlying volumes (if any), it only
+// frees up the resources that were needed to guarantee that the path
+// still points to the same target (to avoid TOCTOU attack).
+//
+// Cleanup function doesn't need to be called when error is returned.
+func (m *MountPoint) Setup(ctx context.Context, mountLabel string, rootIDs idtools.Identity, checkFun func(m *MountPoint) error) (path string, cleanup func(context.Context) error, retErr error) {
if m.SkipMountpointCreation {
- return m.Source, nil
+ return m.Source, noCleanup, nil
}
defer func() {
- if err != nil || !label.RelabelNeeded(m.Mode) {
+ if retErr != nil || !label.RelabelNeeded(m.Mode) {
return
}
- var sourcePath string
- sourcePath, err = filepath.EvalSymlinks(m.Source)
+ sourcePath, err := filepath.EvalSymlinks(path)
if err != nil {
path = ""
- err = errors.Wrapf(err, "error evaluating symlinks from mount source %q", m.Source)
+ retErr = errors.Wrapf(err, "error evaluating symlinks from mount source %q", m.Source)
+ if cleanupErr := cleanup(ctx); cleanupErr != nil {
+ log.G(ctx).WithError(cleanupErr).Warn("failed to cleanup after error")
+ }
+ cleanup = noCleanup
return
}
err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode))
- if errors.Is(err, syscall.ENOTSUP) {
- err = nil
- }
- if err != nil {
+ if err != nil && !errors.Is(err, syscall.ENOTSUP) {
path = ""
- err = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath)
+ retErr = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath)
+ if cleanupErr := cleanup(ctx); cleanupErr != nil {
+ log.G(ctx).WithError(cleanupErr).Warn("failed to cleanup after error")
+ }
+ cleanup = noCleanup
}
}()
@@ -129,18 +174,36 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun
if id == "" {
id = stringid.GenerateRandomID()
}
- path, err := m.Volume.Mount(id)
+ volumePath, err := m.Volume.Mount(id)
if err != nil {
- return "", errors.Wrapf(err, "error while mounting volume '%s'", m.Source)
+ return "", noCleanup, errors.Wrapf(err, "error while mounting volume '%s'", m.Source)
}
m.ID = id
+ clean := noCleanup
+ if m.Spec.VolumeOptions != nil && m.Spec.VolumeOptions.Subpath != "" {
+ subpath := m.Spec.VolumeOptions.Subpath
+
+ safePath, err := safepath.Join(ctx, volumePath, subpath)
+ if err != nil {
+ if err := m.Volume.Unmount(id); err != nil {
+ log.G(ctx).WithError(err).Error("failed to unmount after safepath.Join failed")
+ }
+ return "", noCleanup, err
+ }
+ m.safePaths = append(m.safePaths, safePath)
+ log.G(ctx).Debugf("mounting (%s|%s) via %s", volumePath, subpath, safePath.Path())
+
+ clean = safePath.Close
+ volumePath = safePath.Path()
+ }
+
m.active++
- return path, nil
+ return volumePath, clean, nil
}
if len(m.Source) == 0 {
- return "", fmt.Errorf("Unable to setup mount point, neither source nor volume defined")
+ return "", noCleanup, fmt.Errorf("Unable to setup mount point, neither source nor volume defined")
}
if m.Type == mounttypes.TypeBind {
@@ -149,7 +212,7 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun
// the process of shutting down.
if checkFun != nil {
if err := checkFun(m); err != nil {
- return "", err
+ return "", noCleanup, err
}
}
@@ -158,12 +221,12 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun
if err := idtools.MkdirAllAndChownNew(m.Source, 0o755, rootIDs); err != nil {
if perr, ok := err.(*os.PathError); ok {
if perr.Err != syscall.ENOTDIR {
- return "", errors.Wrapf(err, "error while creating mount source path '%s'", m.Source)
+ return "", noCleanup, errors.Wrapf(err, "error while creating mount source path '%s'", m.Source)
}
}
}
}
- return m.Source, nil
+ return m.Source, noCleanup, nil
}
func (m *MountPoint) LiveRestore(ctx context.Context) error {
@@ -207,3 +270,8 @@ func errInvalidMode(mode string) error {
func errInvalidSpec(spec string) error {
return errors.Errorf("invalid volume specification: '%s'", spec)
}
+
+// noCleanup is a no-op cleanup function.
+func noCleanup(_ context.Context) error {
+ return nil
+}
diff --git a/vendor/github.com/docker/docker/volume/mounts/parser.go b/vendor/github.com/docker/docker/volume/mounts/parser.go
index 2bcf9ab053..c4ff6c8c7e 100644
--- a/vendor/github.com/docker/docker/volume/mounts/parser.go
+++ b/vendor/github.com/docker/docker/volume/mounts/parser.go
@@ -11,6 +11,14 @@ import (
// It's used by both LCOW and Linux parsers.
var ErrVolumeTargetIsRoot = errors.New("invalid specification: destination can't be '/'")
+// errAnonymousVolumeWithSubpath is returned when Subpath is specified for
+// anonymous volume.
+var errAnonymousVolumeWithSubpath = errors.New("must not set Subpath when using anonymous volumes")
+
+// errInvalidSubpath is returned when the provided Subpath is not lexically an
+// relative path within volume.
+var errInvalidSubpath = errors.New("subpath must be a relative path within the volume")
+
// read-write modes
var rwModes = map[string]bool{
"rw": true,
diff --git a/vendor/github.com/docker/docker/volume/mounts/windows_parser.go b/vendor/github.com/docker/docker/volume/mounts/windows_parser.go
index f9f0f08f44..c3a6c6bb69 100644
--- a/vendor/github.com/docker/docker/volume/mounts/windows_parser.go
+++ b/vendor/github.com/docker/docker/volume/mounts/windows_parser.go
@@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"os"
+ "path/filepath"
"regexp"
"runtime"
"strings"
@@ -258,7 +259,19 @@ func (p *windowsParser) validateMountConfigReg(mnt *mount.Mount, additionalValid
return &errMountConfig{mnt, errExtraField("BindOptions")}
}
- if len(mnt.Source) == 0 && mnt.ReadOnly {
+ anonymousVolume := len(mnt.Source) == 0
+ if mnt.VolumeOptions != nil && mnt.VolumeOptions.Subpath != "" {
+ if anonymousVolume {
+ return errAnonymousVolumeWithSubpath
+ }
+
+ // Check if path is relative but without any back traversals
+ if !filepath.IsLocal(mnt.VolumeOptions.Subpath) {
+ return &errMountConfig{mnt, errInvalidSubpath}
+ }
+ }
+
+ if anonymousVolume && mnt.ReadOnly {
return &errMountConfig{mnt, fmt.Errorf("must not set ReadOnly mode when using anonymous volumes")}
}
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der
deleted file mode 100644
index 958f3cfadd..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der
deleted file mode 100644
index d2817641ba..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der
deleted file mode 100644
index d8c3710c85..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der
deleted file mode 100644
index dae619c097..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der
deleted file mode 100644
index ce7f8d31d6..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der
deleted file mode 100644
index 04b0d73600..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.der b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.der
deleted file mode 100644
index d8c3710c85..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem
deleted file mode 100644
index 493a5a2648..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
-a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
-OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
-RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
-P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
-HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
-0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
-EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
-/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
-QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
-nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
-X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
-pKklVz0=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem
deleted file mode 100644
index 55a7f10c74..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
-l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
-+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
-4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
-xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
-68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
-/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
-Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
-VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
-9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
-MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
-aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
-xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
-2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
-EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
-aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
-udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
-VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
-56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
-GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
-Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
-HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
-BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
-qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
-GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der
deleted file mode 100644
index 04b0d73600..0000000000
Binary files a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der and /dev/null differ
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.pem
deleted file mode 100644
index 0f98322c72..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
-fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
-qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
-xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
-Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
-Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
-ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
-e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
-POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
-AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
-odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
-PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
-Dhm6uZM=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_key.pem b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_key.pem
deleted file mode 100644
index 81afea783d..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
-8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
-QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
-XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
-Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
-gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
-LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
-jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
-4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
-Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
-nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
-drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
-duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
-L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
-06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
-eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
-uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
-lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
-a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
-hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
-7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
-r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
-eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
-B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
-7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/testdata/client_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/testdata/client_cert.pem
deleted file mode 100644
index 493a5a2648..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/testdata/client_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
-a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
-OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
-RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
-P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
-HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
-0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
-EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
-/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
-QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
-nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
-X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
-pKklVz0=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/testdata/client_key.pem b/vendor/github.com/google/s2a-go/internal/v2/testdata/client_key.pem
deleted file mode 100644
index 55a7f10c74..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/testdata/client_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
-l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
-+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
-4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
-xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
-68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
-/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
-Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
-VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
-9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
-MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
-aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
-xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
-2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
-EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
-aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
-udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
-VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
-56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
-GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
-Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
-HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
-BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
-qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
-GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/testdata/server_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/testdata/server_cert.pem
deleted file mode 100644
index 0f98322c72..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/testdata/server_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
-fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
-qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
-xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
-Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
-Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
-ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
-e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
-POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
-AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
-odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
-PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
-Dhm6uZM=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/testdata/server_key.pem b/vendor/github.com/google/s2a-go/internal/v2/testdata/server_key.pem
deleted file mode 100644
index 81afea783d..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/testdata/server_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
-8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
-QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
-XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
-Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
-gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
-LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
-jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
-4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
-Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
-nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
-drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
-duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
-L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
-06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
-eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
-uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
-lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
-a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
-hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
-7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
-r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
-eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
-B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
-7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem
deleted file mode 100644
index 493a5a2648..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
-a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
-OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
-RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
-P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
-HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
-0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
-EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
-/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
-QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
-nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
-X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
-pKklVz0=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem b/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem
deleted file mode 100644
index 55a7f10c74..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
-l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
-+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
-4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
-xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
-68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
-/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
-Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
-VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
-9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
-MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
-aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
-xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
-2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
-EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
-aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
-udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
-VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
-56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
-GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
-Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
-HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
-BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
-qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
-GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem
deleted file mode 100644
index 0f98322c72..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
-fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
-qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
-xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
-Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
-Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
-ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
-e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
-POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
-AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
-odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
-PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
-Dhm6uZM=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem b/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem
deleted file mode 100644
index 81afea783d..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
-8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
-QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
-XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
-Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
-gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
-LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
-jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
-4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
-Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
-nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
-drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
-duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
-L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
-06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
-eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
-uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
-lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
-a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
-hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
-7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
-r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
-eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
-B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
-7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/testdata/client_cert.pem b/vendor/github.com/google/s2a-go/testdata/client_cert.pem
deleted file mode 100644
index 493a5a2648..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/client_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
-a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
-OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
-RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
-P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
-HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
-0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
-EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
-/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
-QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
-nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
-X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
-pKklVz0=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/testdata/client_key.pem b/vendor/github.com/google/s2a-go/testdata/client_key.pem
deleted file mode 100644
index 55a7f10c74..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/client_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
-l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
-+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
-4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
-xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
-68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
-/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
-Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
-VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
-9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
-MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
-aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
-xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
-2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
-EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
-aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
-udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
-VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
-56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
-GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
-Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
-HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
-BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
-qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
-GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/testdata/mds_client_cert.pem b/vendor/github.com/google/s2a-go/testdata/mds_client_cert.pem
deleted file mode 100644
index 60c4cf0691..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/mds_client_cert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDCDCCAfACFFlYsYCFit01ZpYmfjxpo7/6wMEbMA0GCSqGSIb3DQEBCwUAMEgx
-CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEPMA0GA1UECgwGR29vZ2xlMRswGQYD
-VQQDDBJ0ZXN0LXMyYS1tdGxzLXJvb3QwHhcNMjMwODIyMTY0NTE4WhcNNDMwODIy
-MTY0NTE4WjA5MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExHTAbBgNVBAMMFHRl
-c3QtczJhLW10bHMtY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
-AQEAqrQQMyxNtmdCB+uY3szgRsfPrKC+TV9Fusnd8PfaCVuGTGcSBKM018nV2TDn
-3IYFQ1HgLpGwGwOFDBb3y0o9i2/l2VJySriX1GSNX6nDmVasQlO1wuOLCP7/LRmO
-7b6Kise5W0IFhYaptKyWnekn2pS0tAjimqpfn2w0U6FDGtQUqg/trQQmGtTSJHjb
-A+OFd0EFC18KGP8Q+jOMaMkJRmpeEiAPyHPDoMhqQNT26RApv9j2Uzo4SuXzHH6T
-cAdm1+zG+EXY/UZKX9oDkSbwIJvN+gCmNyORLalJ12gsGYOCjMd8K0mlXBqrmmbO
-VHVbUm9062lhE7x59AA8DK4DoQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCPOvtL
-dq2hxFHlIy0YUK8jp/DtwJZPwzx1id5FtWwd0CxBS1StIgmkHMxtkJGz1iyQLplI
-je+Msd4sTsb5zZi/8kGKehi8Wj4lghp4oP30cpob41OvM68M9RC/wSOVk9igSww+
-l3zof6wKRIswsi5VHrL16ruIVVoDlyFbKr8yk+cp9OPOV8hNNN7ewY9xC8OgnTt8
-YtdaLe6uTplKBLW+j3GtshigRhyfkGJyPFYL4LAeDJCHlC1qmBnkyP0ijMp6vneM
-E8TLavnMTMcpihWTWpyKeRkO6HDRsP4AofQAp7VAiAdSOplga+w2qgrVICV+m8MK
-BTq2PBvc59T6OFLq
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/testdata/mds_client_key.pem b/vendor/github.com/google/s2a-go/testdata/mds_client_key.pem
deleted file mode 100644
index 9d112d1e9f..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/mds_client_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCqtBAzLE22Z0IH
-65jezOBGx8+soL5NX0W6yd3w99oJW4ZMZxIEozTXydXZMOfchgVDUeAukbAbA4UM
-FvfLSj2Lb+XZUnJKuJfUZI1fqcOZVqxCU7XC44sI/v8tGY7tvoqKx7lbQgWFhqm0
-rJad6SfalLS0COKaql+fbDRToUMa1BSqD+2tBCYa1NIkeNsD44V3QQULXwoY/xD6
-M4xoyQlGal4SIA/Ic8OgyGpA1PbpECm/2PZTOjhK5fMcfpNwB2bX7Mb4Rdj9Rkpf
-2gORJvAgm836AKY3I5EtqUnXaCwZg4KMx3wrSaVcGquaZs5UdVtSb3TraWETvHn0
-ADwMrgOhAgMBAAECggEAUccupZ1ZY4OHTi0PkNk8rpwFwTFGyeFVEf2ofkr24RnA
-NnUAXEllxOUUNlcoFOz9s3kTeavg3qgqgpa0QmdAIb9LMXg+ec6CKkW7trMpGho8
-LxBUWNfSoU4sKEqAvyPT0lWJVo9D/up6/avbAi6TIbOw+Djzel4ZrlHTpabxc3WT
-EilXzn4q54b3MzxCQeQjcnzTieW4Q5semG2kLiXFToHIY2di01P/O8awUjgrD+uW
-/Cb6H49MnHm9VPkqea1iwZeMQd6Gh5FrC7RezsBjdB1JBcfsv6PFt2ySInjB8SF+
-XR5Gr3Cc5sh9s0LfprZ9Dq0rlSWmwasPMI1COK6SswKBgQDczgeWd3erQ1JX9LEI
-wollawqC9y7uJhEsw1hrPqA3uqZYiLUc7Nmi4laZ12mcGoXNDS3R3XmD58qGmGaU
-lxEVTb8KDVWBgw450VoBKzSMQnCP6zn4nZxTYxeqMKjDGf6TRB6TZc843qsG3eRC
-k91yxrCQ/0HV6PT48C+lieDzLwKBgQDF6aNKiyrswr457undBnM1H8q/Y6xC5ZlK
-UtiQdhuyBnicvz0U8WPxBY/8gha0OXWuSnBqq/z77iFVNv/zT6p9K7kM7nBGd8cB
-8KO6FNbyaHWFrhCI5zNzRTH4oha0hfvUOoti09vqavCtWD4L+D/63ba1wNLKPO9o
-4gWbCnUCLwKBgQC/vus372csgrnvR761LLrEJ8BpGt7WUJh5luoht7DKtHvgRleB
-Vu1oVcV+s2Iy/ZVUDC3OIdZ0hcWKPK5YOxfKuEk+IXYvke+4peTTPwHTC59UW6Fs
-FPK8N0FFuhvT0a8RlAY5WiAp8rPysp6WcnHMSl7qi8BQUozp4Sp/RsziYQKBgBXv
-r4mzoy5a53rEYGd/L4XT4EUWZyGDEVqLlDVu4eL5lKTLDZokp08vrqXuRVX0iHap
-CYzJQ2EpI8iuL/BoBB2bmwcz5n3pCMXORld5t9lmeqA2it6hwbIlGUTVsm6P6zm6
-w3hQwy9YaxTLkxUAjxbfPEEo/jQsTNzzMGve3NlBAoGAbgJExpDyMDnaD2Vi5eyr
-63b54BsqeLHqxJmADifyRCj7G1SJMm3zMKkNNOS0vsXgoiId973STFf1XQiojiv8
-Slbxyv5rczcY0n3LOuQYcM5OzsjzpNFZsT2dDnMfNRUF3rx3Geu/FuJ9scF1b00r
-fVMrcL3jSf/W1Xh4TgtyoU8=
------END PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/testdata/mds_root_cert.pem b/vendor/github.com/google/s2a-go/testdata/mds_root_cert.pem
deleted file mode 100644
index 44e436f6ec..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/mds_root_cert.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDcTCCAlmgAwIBAgIUDUkgI+2FZtuUHyUUi0ZBH7JvN00wDQYJKoZIhvcNAQEL
-BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQKDAZHb29nbGUx
-GzAZBgNVBAMMEnRlc3QtczJhLW10bHMtcm9vdDAeFw0yMzA4MjEyMTI5MTVaFw00
-MzA4MjEyMTI5MTVaMEgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEPMA0GA1UE
-CgwGR29vZ2xlMRswGQYDVQQDDBJ0ZXN0LXMyYS1tdGxzLXJvb3QwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbFEQfpvla27bATedrN4BAWsI9GSwSnJLW
-QWzXcnAk6cKxQBAhnaKHRxHY8ttLhNTtxQeub894CLzJvHE/0xDhuMzjtCCCZ7i2
-r08tKZ1KcEzPJCPNlxlzAXPA45XU3LRlbGvju/PBPhm6n1hCEKTNI/KETJ5DEaYg
-Cf2LcXVsl/zW20MwDZ+e2w/9a2a6n6DdpW1ekOR550hXAUOIxvmXRBeYeGLFvp1n
-rQgZBhRaxP03UB+PQD2oMi/4mfsS96uGCXdzzX8qV46O8m132HUbnA/wagIwboEe
-d7Bx237dERDyHw5GFnll7orgA0FOtoEufXdeQxWVvTjO0+PVPgsvAgMBAAGjUzBR
-MB0GA1UdDgQWBBRyMtg/yutV8hw8vOq0i8x0eBQi7DAfBgNVHSMEGDAWgBRyMtg/
-yutV8hw8vOq0i8x0eBQi7DAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
-A4IBAQArN/gdqWMxd5Rvq2eJMTp6I4RepJOT7Go4sMsRsy1caJqqcoS2EvREDZMN
-XNEBcyQBB5kYd6TCcZGoLnEtWYXQ4jjEiXG1g7/+rWxyqw0ZYuP7FWzuHg3Uor/x
-fApbEKwptP5ywVc+33h4qreGcqXkVCCn+sAcstGgrqubdGZW2T5gazUMyammOOuN
-9IWL1PbvXmgEKD+80NUIrk09zanYyrElGdU/zw/kUbZ3Jf6WUBtJGhTzRQ1qZeKa
-VnpCbLoG3vObEB8mxDUAlIzwAtfvw4U32BVIZA8xrocz6OOoAnSW1bTlo3EOIo/G
-MTV7jmY9TBPtfhRuO/cG650+F+cw
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/testdata/mds_server_cert.pem b/vendor/github.com/google/s2a-go/testdata/mds_server_cert.pem
deleted file mode 100644
index 68c6061345..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/mds_server_cert.pem
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDbjCCAlagAwIBAgIUbexZ5sZl86Al9dsI2PkOgtqKnkgwDQYJKoZIhvcNAQEL
-BQAwSDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQ8wDQYDVQQKDAZHb29nbGUx
-GzAZBgNVBAMMEnRlc3QtczJhLW10bHMtcm9vdDAeFw0yMzA4MjIwMDMyMDRaFw00
-MzA4MjIwMDMyMDRaMDkxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEdMBsGA1UE
-AwwUdGVzdC1zMmEtbXRscy1zZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
-ggEKAoIBAQCMEzybsGPqfh92GLwy43mt8kQDF3ztr8y06RwU1hVnY7QqYK4obpvh
-HkJVnTz9gwNBF3n5nUalqRzactlf2PCydN9oSYNCO8svVmo7vw1CleKAKFAiV5Qn
-H76QlqD15oJreh7nSM8R4qj5KukIHvt0cN0gD6CJQzIURDtsKJwkW3yQjYyT/FAK
-GYtFrB6buDn3Eg3Hsw6z7uj7CzLBsSl7BIGrQILbpbI9nFNT3rUTUhXZKY/3UtJA
-Ob66AjTmMbD16RGYZR4JsPx6CstheifJ6YSI79r5KgD37zX0jMXFWimvb2SmZmFe
-LoohtC8K7uTyjm/dROx6nHXdDt5TQYXHAgMBAAGjXzBdMBsGA1UdEQQUMBKHEAAA
-AAAAAAAAAAAAAAAAAAAwHQYDVR0OBBYEFI3i2+tIk6YYn0MIxC0q93jk1VsUMB8G
-A1UdIwQYMBaAFHIy2D/K61XyHDy86rSLzHR4FCLsMA0GCSqGSIb3DQEBCwUAA4IB
-AQAUhk+s/lrIAULBbU7E22C8f93AzTxE1mhyHGNlfPPJP3t1Dl+h4X4WkFpkz5gT
-EcNXB//Vvoq99HbEK5/92sxsIPexKdJBdcggeHXIgLDkOrEZEb0Nnh9eaAuU2QDn
-JW44hMB+aF6mEaJvOHE6DRkQw3hwFYFisFKKHtlQ3TyOhw5CHGzSExPZusdSFNIe
-2E7V/0QzGPJEFnEFUNe9N8nTH2P385Paoi+5+Iizlp/nztVXfzv0Cj/i+qGgtDUs
-HB+gBU2wxMw8eYyuNzACH70wqGR1Parj8/JoyYhx0S4+Gjzy3JH3CcAMaxyfH/dI
-4Wcvfz/isxgmH1UqIt3oc6ad
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/testdata/mds_server_key.pem b/vendor/github.com/google/s2a-go/testdata/mds_server_key.pem
deleted file mode 100644
index b14ad0f724..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/mds_server_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCMEzybsGPqfh92
-GLwy43mt8kQDF3ztr8y06RwU1hVnY7QqYK4obpvhHkJVnTz9gwNBF3n5nUalqRza
-ctlf2PCydN9oSYNCO8svVmo7vw1CleKAKFAiV5QnH76QlqD15oJreh7nSM8R4qj5
-KukIHvt0cN0gD6CJQzIURDtsKJwkW3yQjYyT/FAKGYtFrB6buDn3Eg3Hsw6z7uj7
-CzLBsSl7BIGrQILbpbI9nFNT3rUTUhXZKY/3UtJAOb66AjTmMbD16RGYZR4JsPx6
-CstheifJ6YSI79r5KgD37zX0jMXFWimvb2SmZmFeLoohtC8K7uTyjm/dROx6nHXd
-Dt5TQYXHAgMBAAECggEAIB5zGdIG/yh/Z1GBqfuOFaxFGx5iJ5BVlLAVH9P9IXFz
-yPnVRXEjbinFlSMSbqEBeIX9EpcVMXxHIPIP1RIGEy2IYr3kiqXyT771ahDDZh6/
-Spqz0UQatSPqyvW3H9uE0Uc12dvQm23JSCUmPRX5m7gbhDQBIChXzdzdcU4Yi59V
-4xmJUvbsAcLw5CBM6kwV+1NGVH9+3mUdhrr9M6B6+sVB/xnaqMGEDfQGiwL8U7EY
-QOuc46KXu3Pd/qCdVLn60IrdjSzDJKeC5UZZ+ejNAo+DfbtOovBj3qu3OCUg4XVy
-0CDBJ1sTdLvUfF4Gb+crjPsd+qBbXcjVfqdadwhsoQKBgQDBF1Pys/NitW8okJwp
-2fiDIASP3TiI+MthWHGyuoZGPvmXQ3H6iuLSm8c/iYI2WPTf53Xff1VcFm1GmQms
-GCsYM8Ax94zCeO6Ei1sYYxwcBloEZfOeV37MPA4pjJF4Lt+n5nveNxP+lrsjksJz
-wToSEgWPDT1b/xcdt4/5j9J85wKBgQC5tiLx+33mwH4DoaFRmSl0+VuSNYFw6DTQ
-SQ+kWqWGH4NENc9wf4Dj2VUZQhpXNhXVSxj+aP2d/ck1NrTJAWqYEXCDtFQOGSa2
-cGPRr+Fhy5NIEaEvR7IXcMBZzx3koYmWVBHricyrXs5FvHrT3N14mGDUG8n24U3f
-R799bau0IQKBgQC97UM+lHCPJCWNggiJRgSifcje9VtZp1btjoBvq/bNe74nYkjn
-htsrC91Fiu1Qpdlfr50K1IXSyaB886VG6JLjAGxI+dUzqJ38M9LLvxj0G+9JKjsi
-AbAQFfZcOg8QZxLJZPVsE0MQhZTXndC06VhEVAOxvPUg214Sde8hK61/+wKBgCRw
-O10VhnePT2pw/VEgZ0T/ZFtEylgYB7zSiRIrgwzVBBGPKVueePC8BPmGwdpYz2Hh
-cU8B1Ll6QU+Co2hJMdwSl+wPpup5PuJPHRbYlrV0lzpt0x2OyL/WrLcyb2Ab3f40
-EqwPhqwdVwXR3JvTW1U9OMqFhVQ+kuP7lPQMX8NhAoGBAJOgZ7Tokipc4Mi68Olw
-SCaOPvjjy4sW2rTRuKyjc1wTAzy7SJ3vXHfGkkN99nTLJFwAyJhWUpnRdwAXGi+x
-gyOa95ImsEfRSwEjbluWfF8/P0IU8GR+ZTqT4NnNCOsi8T/xst4Szd1ECJNnnZDe
-1ChfPP1AH+/75MJCvu6wQBQv
------END PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/testdata/self_signed_cert.pem b/vendor/github.com/google/s2a-go/testdata/self_signed_cert.pem
deleted file mode 100644
index ad1bad5984..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/self_signed_cert.pem
+++ /dev/null
@@ -1,19 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDITCCAgkCFBS8mLoytMpMWBwpAtnRaq3eIKnsMA0GCSqGSIb3DQEBCwUAME0x
-CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UECgwEVGVzdDEiMCAGA1UE
-AwwZdGVzdC1zMmEtbXRscy1zZWxmLXNpZ25lZDAeFw0yMzA4MjIyMTE2MDFaFw00
-MzA4MjIyMTE2MDFaME0xCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTENMAsGA1UE
-CgwEVGVzdDEiMCAGA1UEAwwZdGVzdC1zMmEtbXRscy1zZWxmLXNpZ25lZDCCASIw
-DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKFFPsYasKZeCFLEXl3RpE/ZOXFe
-2lhutIalSpZvCmso+mQGoZ4cHK7At+kDjBi5CrnXkYcw7quQAhHgU0frhWdj7tsW
-HUUtq7T8eaGWKBnVD9fl+MjtAl1BmhXwV9qRBbj4EesSKGDSGpKf66dOtzw83JbB
-cU7XlPAH1c1zo2GXC1himcZ+SVGHVrOjn4NmeFs8g94/Dke8dWkHwv5YTMVugFK4
-5KxKgSOKkr4ka7PCBzgxCnW4wYSZNRHcxrqkiArO2HAQq0ACr7u+fVDYH//9mP2Z
-ADo/zch7O5yhkiNbjXJIRrptDWEuVYMRloYDhT773h7bV/Q0Wo0NQGtasJ8CAwEA
-ATANBgkqhkiG9w0BAQsFAAOCAQEAPjbH0TMyegF/MDvglkc0sXr6DqlmTxDCZZmG
-lYPZ5Xy062+rxIHghMARbvO4BxepiG37KsP2agvOldm4TtU8nQ8LyswmSIFm4BQ+
-XQWwdsWyYyd8l0d5sXAdaN6AXwy50fvqCepmEqyreMY6dtLzlwo9gVCBFB7QuAPt
-Nc14phpEUZt/KPNuY6cUlB7bz3tmnFbwxUrWj1p0KBEYsr7+KEVZxR+z0wtlU7S9
-ZBrmUvx0fq5Ef7JWtHW0w4ofg1op742sdYl+53C26GZ76ts4MmqVz2/94DScgRaU
-gT0GLVuuCZXRDVeTXqTb4mditRCfzFPe9cCegYhGhSqBs8yh5A==
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/testdata/self_signed_key.pem b/vendor/github.com/google/s2a-go/testdata/self_signed_key.pem
deleted file mode 100644
index bcf08e4f12..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/self_signed_key.pem
+++ /dev/null
@@ -1,28 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQChRT7GGrCmXghS
-xF5d0aRP2TlxXtpYbrSGpUqWbwprKPpkBqGeHByuwLfpA4wYuQq515GHMO6rkAIR
-4FNH64VnY+7bFh1FLau0/HmhligZ1Q/X5fjI7QJdQZoV8FfakQW4+BHrEihg0hqS
-n+unTrc8PNyWwXFO15TwB9XNc6NhlwtYYpnGfklRh1azo5+DZnhbPIPePw5HvHVp
-B8L+WEzFboBSuOSsSoEjipK+JGuzwgc4MQp1uMGEmTUR3Ma6pIgKzthwEKtAAq+7
-vn1Q2B///Zj9mQA6P83IezucoZIjW41ySEa6bQ1hLlWDEZaGA4U++94e21f0NFqN
-DUBrWrCfAgMBAAECggEAR8e8YwyqJ8KezcgdgIC5M9kp2i4v3UCZFX0or8CI0J2S
-pUbWVLuKgLXCpfIwPyjNf15Vpei/spkMcsx4BQDthdFTFSzIpmvni0z9DlD5VFYj
-ESOJElV7wepbHPy2/c+izmuL/ic81aturGiFyRgeMq+cN3WuaztFTXkPTrzzsZGF
-p/Mx3gqm7Hoc3d2xlv+8L5GjCtEJPlQgZJV+s3ennBjOAd8CC7d9qJetE3Er46pn
-r5jedV3bQRZYBzmooYNHjbAs26++wYac/jTE0/U6nKS17eWq4BQZUtlMXUw5N81B
-7LKn7C03rj2KCn+Nf5uin9ALmoy888LXCDdvL/NZkQKBgQDduv1Heu+tOZuNYUdQ
-Hswmd8sVNAAWGZxdxixHMv58zrgbLFXSX6K89X2l5Sj9XON8TH46MuSFdjSwwWw5
-fBrhVEhA5srcqpvVWIBE05yqPpt0s1NQktMWJKELWlG8jOhVKwM5OYDpdxtwehpz
-1g70XJz+nF/LTV8RdTK+OWDDpQKBgQC6MhdbGHUz/56dY3gZpE5TXnN2hkNbZCgk
-emr6z85VHhQflZbedhCzB9PUnZnCKWOGQHQdxRTtRfd46LVboZqCdYO1ZNQv6toP
-ysS7dTpZZFy7CpQaW0Y6/jS65jW6xIDKR1W40vgltZ3sfpG37JaowpzWdw2WuOnw
-Bg0rcJAf8wKBgQCqE+p/z97UwuF8eufWnyj9QNo382E1koOMspv4KTdnyLETtthF
-vDH6O1wbykG8xmmASLRyM+NyNA+KnXNETNvZh2q8zctBpGRQK8iIAsGjHM7ln0AD
-B/x+ea5GJQuZU4RK/+lDFca6TjBwAFkWDVX/PqL18kDQkxKfM4SuwRhmOQKBgDGh
-eoJIsa0LnP787Z2AI3Srf4F/ZmLs/ppCm1OBotEjdF+64v0nYWonUvqgi8SqfaHi
-elEZIGvis4ViGj1zhRjzNAlc+AZRxpBhDzGcnNIJI4Kj3jhsTfsZmXqcNIQ1LtM8
-Uogyi/yZPaA1WKg7Aym2vlGYaGHdplXZdxc2KOSrAoGABRkD9l2OVcwK7RyNgFxo
-mjxx0tfUdDBhHIi2igih1FiHpeP9E+4/kE/K7PnU9DoDrL1jW1MTpXaYV4seOylk
-k9z/9QfcRa9ePD2N4FqbHWSYp5n3aLoIcGq/9jyjTwayZbbIhWO+vNuHE9wIvecZ
-8x3gNkxJRb4NaLIoNzAhCoo=
------END PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/testdata/server_cert.pem b/vendor/github.com/google/s2a-go/testdata/server_cert.pem
deleted file mode 100644
index 0f98322c72..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/server_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKCoDuLtiZXvhsBY2RoDm0ugizJ8wDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwODI1WhcNNDIwNTI2MjAwODI1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAKK1++PXQ+M3hjYH/v0K4UEYl5ljzpNM1i52eQM+gFooojT87PDSaphT
-fs0PXy/PTAjHBEvPhWpOpmQXfJNYzjwcCvg66hbqkv++/VTZiFLAsHagzkEz+FRJ
-qT5Eq7G5FLyw1izX1uxyPN7tAEWEEg7eqsiaXD3Cq8+TYN9cjirPeF7RZF8yFCYE
-xqvbo+Yc6RL6xw19iXVTfctRgQe581KQuIY5/LXo3dWDEilFdsADAe8XAEcO64es
-Ow0g1UvXLnpXSE151kXBFb3sKH/ZjCecDYMCIMEb4sWLSblkSxJ5sNSmXIG4wtr2
-Qnii7CXZgnVYraQE/Jyh+NMQANuoSdMCAwEAAaNTMFEwHQYDVR0OBBYEFAyQQQuM
-ab+YUQqjK8dVVOoHVFmXMB8GA1UdIwQYMBaAFAyQQQuMab+YUQqjK8dVVOoHVFmX
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBADj0vQ6ykWhicoqR
-e6VZMwlEJV7/DSvWWKBd9MUjfKye0A4565ya5lmnzP3DiD3nqGe3miqmLsXKDs+X
-POqlPXTWIamP7D4MJ32XtSLwZB4ru+I+Ao/P/VngPepoRPQoBnzHe7jww0rokqxl
-AZERjlbTUwUAy/BPWPSzSJZ2j0tcs6ZLDNyYzpK4ao8R9/1VmQ92Tcp3feJs1QTg
-odRQc3om/AkWOwsll+oyX0UbJeHkFHiLanUPXbdh+/BkSvZJ8ynL+feSDdaurPe+
-PSfnqLtQft9/neecGRdEaQzzzSFVQUVQzTdK1Q7hA7b55b2HvIa3ktDiks+sJsYN
-Dhm6uZM=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/testdata/server_key.pem b/vendor/github.com/google/s2a-go/testdata/server_key.pem
deleted file mode 100644
index 81afea783d..0000000000
--- a/vendor/github.com/google/s2a-go/testdata/server_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAorX749dD4zeGNgf+/QrhQRiXmWPOk0zWLnZ5Az6AWiiiNPzs
-8NJqmFN+zQ9fL89MCMcES8+Fak6mZBd8k1jOPBwK+DrqFuqS/779VNmIUsCwdqDO
-QTP4VEmpPkSrsbkUvLDWLNfW7HI83u0ARYQSDt6qyJpcPcKrz5Ng31yOKs94XtFk
-XzIUJgTGq9uj5hzpEvrHDX2JdVN9y1GBB7nzUpC4hjn8tejd1YMSKUV2wAMB7xcA
-Rw7rh6w7DSDVS9cueldITXnWRcEVvewof9mMJ5wNgwIgwRvixYtJuWRLEnmw1KZc
-gbjC2vZCeKLsJdmCdVitpAT8nKH40xAA26hJ0wIDAQABAoIBACaNR+lsD8G+XiZf
-LqN1+HkcAo9tfnyYMAdCOtnx7SdviT9Uzi8hK/B7mAeuJLeHPlS2EuaDfPD7QaFl
-jza6S+MiIdc+3kgfvESsVAnOoOY6kZUJ9NSuI6CU82y1iJjLaYZrv9NQMLRFPPb0
-4KOX709mosB1EnXvshW0rbc+jtDFhrm1SxMt+k9TuzmMxjbOeW4LOLXPgU8X1T3Q
-Xy0hMZZtcgBs9wFIo8yCtmOixax9pnFE8rRltgDxTodn9LLdz1FieyntNgDksZ0P
-nt4kV7Mqly7ELaea+Foaj244mKsesic2e3GhAlMRLun/VSunSf7mOCxfpITB8dp1
-drDhOYECgYEA19151dVxRcviuovN6Dar+QszMTnU8pDJ8BjLFjXjP/hNBBwMTHDE
-duMuWk2qnwZqMooI/shxrF/ufmTgS0CFrh2+ANBZu27vWConJNXcyNtdigI4wt50
-L0Y2qcZn2mg67qFXHwoR3QNwrwnPwEjRXA09at9CSRZzcwDQ0ETXhYsCgYEAwPaG
-06QdK8Zyly7TTzZJwxzv9uGiqzodmGtX6NEKjgij2JaCxHpukqZBJoqa0jKeK1cm
-eNVkOvT5ff9TMzarSHQLr3pZen2/oVLb5gaFkbcJt/klv9Fd+ZRilHY3i6QwS6pD
-uMiPOWS4DrLHDRVoVlAZTDjT1RVwwTs+P2NhJdkCgYEAsriXysbxBYyMp05gqEW7
-lHIFbFgpSrs9th+Q5U6wW6JEgYaHWDJ1NslY80MiZI93FWjbkbZ7BvBWESeL3EIL
-a+EMErht0pVCbIhZ6FF4foPAqia0wAJVx14mm+G80kNBp5jE/NnleEsE3KcO7nBb
-hg8gLn+x7bk81JZ0TDrzBYkCgYEAuQKluv47SeF3tSScTfKLPpvcKCWmxe1uutkQ
-7JShPhVioyOMNb39jnYBOWbjkm4d4QgqRuiytSR0oi3QI+Ziy5EYMyNn713qAk9j
-r2TJZDDPDKnBW+zt4YI4EohWMXk3JRUW4XDKggjjwJQA7bZ812TtHHvP/xoThfG7
-eSNb3eECgYBw6ssgCtMrdvQiEmjKVX/9yI38mvC2kSGyzbrQnGUfgqRGomRpeZuD
-B5E3kysA4td5pT5lvcLgSW0TbOz+YbiriXjwOihPIelCvc9gE2eOUI71/byUWPFz
-7u5F/xQ4NaGr5suLF+lBC6h7pSbM4El9lIHQAQadpuEdzHqrw+hs3g==
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/moby/docker-image-spec/LICENSE b/vendor/github.com/moby/docker-image-spec/LICENSE
new file mode 100644
index 0000000000..261eeb9e9f
--- /dev/null
+++ b/vendor/github.com/moby/docker-image-spec/LICENSE
@@ -0,0 +1,201 @@
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/vendor/github.com/docker/docker/image/spec/specs-go/v1/image.go b/vendor/github.com/moby/docker-image-spec/specs-go/v1/image.go
similarity index 100%
rename from vendor/github.com/docker/docker/image/spec/specs-go/v1/image.go
rename to vendor/github.com/moby/docker-image-spec/specs-go/v1/image.go
diff --git a/vendor/github.com/otiai10/copy/test/data/case18/assets/README.md b/vendor/github.com/otiai10/copy/test/data/case18/assets/README.md
deleted file mode 100644
index 5570c7ff58..0000000000
--- a/vendor/github.com/otiai10/copy/test/data/case18/assets/README.md
+++ /dev/null
@@ -1 +0,0 @@
-# Hello
\ No newline at end of file
diff --git a/vendor/modules.txt b/vendor/modules.txt
index eeb71f871b..4ee7b321a5 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -500,7 +500,7 @@ github.com/docker/distribution
github.com/docker/distribution/digestset
github.com/docker/distribution/reference
github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v25.0.4+incompatible
+# github.com/docker/docker v26.0.0+incompatible
## explicit
github.com/docker/docker/api
github.com/docker/docker/api/types
@@ -543,9 +543,14 @@ github.com/docker/docker/daemon/network
github.com/docker/docker/dockerversion
github.com/docker/docker/errdefs
github.com/docker/docker/image
-github.com/docker/docker/image/spec/specs-go/v1
+github.com/docker/docker/internal/cleanups
+github.com/docker/docker/internal/compatcontext
github.com/docker/docker/internal/mounttree
github.com/docker/docker/internal/multierror
+github.com/docker/docker/internal/rootless/mountopts
+github.com/docker/docker/internal/safepath
+github.com/docker/docker/internal/sliceutil
+github.com/docker/docker/internal/unix_noeintr
github.com/docker/docker/internal/unshare
github.com/docker/docker/layer
github.com/docker/docker/libcontainerd/types
@@ -863,6 +868,9 @@ github.com/moby/buildkit/frontend/dockerfile/parser
github.com/moby/buildkit/frontend/dockerfile/shell
github.com/moby/buildkit/util/stack
github.com/moby/buildkit/util/suggest
+# github.com/moby/docker-image-spec v1.3.1
+## explicit; go 1.18
+github.com/moby/docker-image-spec/specs-go/v1
# github.com/moby/locker v1.0.1
## explicit; go 1.13
github.com/moby/locker