From cb4247c2dfef64f21c824a0e9c896f5702cb13e9 Mon Sep 17 00:00:00 2001 
From: Aaron Prindle Date: Tue, 26 Mar 2024 00:47:15 +0000 Subject: [PATCH] chore(deps): bump github.com/docker/docker from 25.0.4+incompatible to 26.0.0+incompatible --- .github/workflows/integration-tests.yaml | 2 +- .github/workflows/unit-tests.yaml | 3 +- go.mod | 5 +- go.sum | 6 +- scripts/test.sh | 3 +- vendor/github.com/docker/docker/api/common.go | 13 +- .../github.com/docker/docker/api/swagger.yaml | 20 +- .../docker/api/types/backend/backend.go | 9 +- .../docker/docker/api/types/client.go | 47 ---- .../docker/api/types/container/config.go | 2 +- .../docker/docker/api/types/image/opts.go | 58 ++++- .../docker/docker/api/types/mount/mount.go | 1 + .../docker/api/types/registry/registry.go | 2 +- .../docker/docker/api/types/types.go | 4 +- .../docker/api/types/types_deprecated.go | 139 ++---------- .../docker/api/types/versions/README.md | 14 -- .../docker/api/types/volume/cluster_volume.go | 10 +- .../docker/docker/builder/builder.go | 2 +- .../builder/dockerfile/containerbackend.go | 2 +- .../docker/client/distribution_inspect.go | 8 +- .../docker/docker/client/image_create.go | 4 +- .../docker/docker/client/image_import.go | 3 +- .../docker/docker/client/image_list.go | 3 +- .../docker/docker/client/image_pull.go | 4 +- .../docker/docker/client/image_push.go | 4 +- .../docker/docker/client/image_remove.go | 3 +- .../docker/docker/client/interface.go | 12 +- .../docker/docker/container/attach_context.go | 2 +- .../docker/docker/container/container.go | 4 +- .../docker/docker/container/container_unix.go | 39 +--- .../docker/container/container_windows.go | 3 +- .../daemon/logger/loggerutils/follow.go | 2 +- .../daemon/logger/loggerutils/logfile.go | 2 +- .../docker/docker/daemon/logger/ring.go | 2 +- .../github.com/docker/docker/image/image.go | 7 - .../docker/internal/cleanups/composite.go | 44 ++++ .../docker/internal/compatcontext/cancel.go | 89 ++++++++ .../internal/compatcontext/cancel_go121.go | 9 + .../rootless/mountopts/mountopts_linux.go | 39 ++++ 
.../docker/docker/internal/safepath/common.go | 66 ++++++ .../docker/docker/internal/safepath/errors.go | 42 ++++ .../docker/internal/safepath/join_linux.go | 150 +++++++++++++ .../docker/internal/safepath/join_windows.go | 93 ++++++++ .../internal/safepath/k8s_safeopen_linux.go | 112 ++++++++++ .../docker/internal/safepath/safepath.go | 63 ++++++ .../docker/internal/sliceutil/sliceutil.go | 34 +++ .../docker/internal/unix_noeintr/fs_unix.go | 85 ++++++++ .../docker/docker/oci/namespaces.go | 11 + .../docker/pkg/containerfs/containerfs.go | 14 +- .../docker/docker/pkg/homedir/homedir.go | 16 -- .../docker/docker/pkg/homedir/homedir_unix.go | 8 - .../docker/pkg/homedir/homedir_windows.go | 6 - .../docker/docker/pkg/plugins/discovery.go | 12 +- .../docker/pkg/system/image_os_deprecated.go | 19 -- .../docker/docker/plugin/v2/plugin_linux.go | 36 ++++ .../docker/restartmanager/restartmanager.go | 2 +- .../docker/docker/runconfig/config.go | 5 - .../docker/docker/runconfig/hostconfig.go | 11 - .../docker/volume/mounts/linux_parser.go | 12 +- .../docker/docker/volume/mounts/mounts.go | 108 ++++++++-- .../docker/docker/volume/mounts/parser.go | 8 + .../docker/volume/mounts/windows_parser.go | 15 +- .../protobuf/ptypes/timestamp/timestamp.pb.go | 64 ------ .../testdata/client_intermediate_cert.der | Bin 998 -> 0 bytes .../testdata/client_leaf_cert.der | Bin 1147 -> 0 bytes .../testdata/client_root_cert.der | Bin 1013 -> 0 bytes .../testdata/server_intermediate_cert.der | Bin 998 -> 0 bytes .../testdata/server_leaf_cert.der | Bin 1147 -> 0 bytes .../testdata/server_root_cert.der | Bin 1013 -> 0 bytes .../v2/remotesigner/testdata/client_cert.der | Bin 1013 -> 0 bytes .../v2/remotesigner/testdata/client_cert.pem | 24 --- .../v2/remotesigner/testdata/client_key.pem | 27 --- .../v2/remotesigner/testdata/server_cert.der | Bin 1013 -> 0 bytes .../v2/remotesigner/testdata/server_cert.pem | 24 --- .../v2/remotesigner/testdata/server_key.pem | 27 --- 
.../internal/v2/testdata/client_cert.pem | 24 --- .../internal/v2/testdata/client_key.pem | 27 --- .../internal/v2/testdata/server_cert.pem | 24 --- .../internal/v2/testdata/server_key.pem | 27 --- .../tlsconfigstore/testdata/client_cert.pem | 24 --- .../v2/tlsconfigstore/testdata/client_key.pem | 27 --- .../tlsconfigstore/testdata/server_cert.pem | 24 --- .../v2/tlsconfigstore/testdata/server_key.pem | 27 --- .../google/s2a-go/testdata/client_cert.pem | 24 --- .../google/s2a-go/testdata/client_key.pem | 27 --- .../s2a-go/testdata/mds_client_cert.pem | 19 -- .../google/s2a-go/testdata/mds_client_key.pem | 28 --- .../google/s2a-go/testdata/mds_root_cert.pem | 21 -- .../s2a-go/testdata/mds_server_cert.pem | 21 -- .../google/s2a-go/testdata/mds_server_key.pem | 28 --- .../s2a-go/testdata/self_signed_cert.pem | 19 -- .../s2a-go/testdata/self_signed_key.pem | 28 --- .../google/s2a-go/testdata/server_cert.pem | 24 --- .../google/s2a-go/testdata/server_key.pem | 27 --- .../github.com/moby/docker-image-spec/LICENSE | 201 ++++++++++++++++++ .../docker-image-spec}/specs-go/v1/image.go | 0 .../copy/test/data/case18/assets/README.md | 1 - vendor/modules.txt | 13 +- 98 files changed, 1374 insertions(+), 1030 deletions(-) delete mode 100644 vendor/github.com/docker/docker/api/types/versions/README.md create mode 100644 vendor/github.com/docker/docker/internal/cleanups/composite.go create mode 100644 vendor/github.com/docker/docker/internal/compatcontext/cancel.go create mode 100644 vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go create mode 100644 vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go create mode 100644 vendor/github.com/docker/docker/internal/safepath/common.go create mode 100644 vendor/github.com/docker/docker/internal/safepath/errors.go create mode 100644 vendor/github.com/docker/docker/internal/safepath/join_linux.go create mode 100644 vendor/github.com/docker/docker/internal/safepath/join_windows.go create mode 
100644 vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go create mode 100644 vendor/github.com/docker/docker/internal/safepath/safepath.go create mode 100644 vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go create mode 100644 vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go delete mode 100644 vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go delete mode 100644 vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go delete mode 100644 vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go delete mode 100644 vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_key.pem delete mode 100644 
vendor/github.com/google/s2a-go/internal/v2/testdata/client_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/testdata/client_key.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/testdata/server_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/testdata/server_key.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/client_key.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/internal/v2/tlsconfigstore/testdata/server_key.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/client_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/client_key.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/mds_client_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/mds_client_key.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/mds_root_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/mds_server_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/mds_server_key.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/self_signed_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/self_signed_key.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/server_cert.pem delete mode 100644 vendor/github.com/google/s2a-go/testdata/server_key.pem create mode 100644 vendor/github.com/moby/docker-image-spec/LICENSE rename vendor/github.com/{docker/docker/image/spec => moby/docker-image-spec}/specs-go/v1/image.go (100%) delete mode 100644 vendor/github.com/otiai10/copy/test/data/case18/assets/README.md diff --git a/.github/workflows/integration-tests.yaml b/.github/workflows/integration-tests.yaml index dc74b54aa4..e71882917e 100644 
--- a/.github/workflows/integration-tests.yaml +++ b/.github/workflows/integration-tests.yaml @@ -34,7 +34,7 @@ jobs: remove-haskell: 'true' - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: - go-version: '1.20' + go-version: '1.22' - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3 - uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v1 diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml index 10ec7e6950..be87b68356 100644 --- a/.github/workflows/unit-tests.yaml +++ b/.github/workflows/unit-tests.yaml @@ -15,7 +15,6 @@ jobs: steps: - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4.01 with: - go-version: '1.20' + go-version: '1.22' - uses: actions/checkout@b0e28b5ac45a892f91e7d036f8200cf5ed489415 # v3 - - run: make test diff --git a/go.mod b/go.mod index 30d9f843d8..bb5243bbd9 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/GoogleContainerTools/kaniko -go 1.21 +go 1.22 require ( cloud.google.com/go/storage v1.39.1 @@ -12,7 +12,7 @@ require ( github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 github.com/containerd/cgroups v1.1.0 // indirect - github.com/docker/docker v25.0.4+incompatible + github.com/docker/docker v26.0.0+incompatible github.com/go-git/go-billy/v5 v5.5.0 github.com/go-git/go-git/v5 v5.11.0 github.com/golang/mock v1.6.0 @@ -174,6 +174,7 @@ require ( github.com/hashicorp/hcl v1.0.0 // indirect github.com/magiconair/properties v1.8.7 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/moby/docker-image-spec v1.3.1 // indirect github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83 // indirect github.com/moby/sys/user v0.1.0 // indirect github.com/pelletier/go-toml/v2 v2.1.1 // indirect diff --git a/go.sum b/go.sum index fee2521515..886fff6e96 100644 
--- a/go.sum
+++ b/go.sum
@@ -182,8 +182,8 @@ github.com/docker/cli v25.0.3+incompatible h1:KLeNs7zws74oFuVhgZQ5ONGZiXUUdgsdy6
 github.com/docker/cli v25.0.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v25.0.4+incompatible h1:XITZTrq+52tZyZxUOtFIahUf3aH367FLxJzt9vZeAF8=
-github.com/docker/docker v25.0.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.0.0+incompatible h1:Ng2qi+gdKADUa/VM+6b6YaY2nlZhk/lVJiKR/2bMudU=
+github.com/docker/docker v26.0.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
 github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -358,6 +358,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/buildkit v0.13.0 h1:reVR1Y+rbNIUQ9jf0Q1YZVH5a/nhOixZsl+HJ9qQEGI=
 github.com/moby/buildkit v0.13.0/go.mod h1:aNmNQKLBFYAOFuzQjR3VA27/FijlvtBD1pjNwTSN37k=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
diff --git a/scripts/test.sh b/scripts/test.sh index c097453c34..d2eaa58f9a 100755 --- a/scripts/test.sh +++ b/scripts/test.sh @@ -23,7 +23,7 @@ GREEN='\033[0;32m' RESET='\033[0m' echo "Running go tests..." -go test -cover -coverprofile=out/coverage.out -v -timeout 60s `go list ./... | grep -v vendor | grep -v integration` | sed ''/PASS/s//$(printf "${GREEN}PASS${RESET}")/'' | sed ''/FAIL/s//$(printf "${RED}FAIL${RESET}")/'' +go test -cover -coverprofile=out/coverage.out -v -timeout 120s `go list ./... | grep -v vendor | grep -v integration` | sed ''/PASS/s//$(printf "${GREEN}PASS${RESET}")/'' | sed ''/FAIL/s//$(printf "${RED}FAIL${RESET}")/'' GO_TEST_EXIT_CODE=${PIPESTATUS[0]} if [[ $GO_TEST_EXIT_CODE -ne 0 ]]; then exit $GO_TEST_EXIT_CODE @@ -33,7 +33,6 @@ echo "Running validation scripts..." scripts=( "$DIR/../hack/boilerplate.sh" "$DIR/../hack/gofmt.sh" - "$DIR/../hack/linter.sh" ) fail=0 for s in "${scripts[@]}" diff --git a/vendor/github.com/docker/docker/api/common.go b/vendor/github.com/docker/docker/api/common.go index 37e553d418..b11c2fe02b 100644 --- a/vendor/github.com/docker/docker/api/common.go +++ b/vendor/github.com/docker/docker/api/common.go @@ -2,8 +2,17 @@ package api // import "github.com/docker/docker/api" // Common constants for daemon and client. const ( - // DefaultVersion of Current REST API - DefaultVersion = "1.44" + // DefaultVersion of the current REST API. + DefaultVersion = "1.45" + + // MinSupportedAPIVersion is the minimum API version that can be supported + // by the API server, specified as "major.minor". Note that the daemon + // may be configured with a different minimum API version, as returned + // in [github.com/docker/docker/api/types.Version.MinAPIVersion]. + // + // API requests for API versions lower than the configured version produce + // an error. + MinSupportedAPIVersion = "1.24" // NoBaseImageSpecifier is the symbol used by the FROM // command to specify that no base image is to be used. 
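Review bot: The second hunk of scripts/test.sh drops `"$DIR/../hack/linter.sh"` from the `scripts` array, so the validation pass now runs only the boilerplate and gofmt checks, and nothing in the commit subject (a dependency bump) records why that gate went away. If the linter was removed because it does not yet run under the Go 1.22 toolchain (an inference; the diff does not say), I would keep the entry and update the linter instead, or at minimum leave a marker at the array such as `# TODO: restore hack/linter.sh once it runs under Go 1.22`. A bump that renames vendored API types and re-vendors this many files is the kind of change where static checks on the project's own callers are most useful. The first hunk's `-timeout 60s` to `-timeout 120s` change is likewise unexplained and would be easier to audit later with a short comment above the `go test` line; both hunks cut through script-level code that continues outside them.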
diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml index 201b549064..5677340dbd 100644 --- a/vendor/github.com/docker/docker/api/swagger.yaml +++ b/vendor/github.com/docker/docker/api/swagger.yaml @@ -19,10 +19,10 @@ produces: consumes: - "application/json" - "text/plain" -basePath: "/v1.44" +basePath: "/v1.45" info: title: "Docker Engine API" - version: "1.44" + version: "1.45" x-logo: url: "https://docs.docker.com/assets/images/logo-docker-main.png" description: | @@ -55,8 +55,8 @@ info: the URL is not supported by the daemon, a HTTP `400 Bad Request` error message is returned. - If you omit the version-prefix, the current version of the API (v1.44) is used. - For example, calling `/info` is the same as calling `/v1.44/info`. Using the + If you omit the version-prefix, the current version of the API (v1.45) is used. + For example, calling `/info` is the same as calling `/v1.45/info`. Using the API without a version-prefix is deprecated and will be removed in a future release. Engine releases in the near future should support this version of the API, @@ -427,6 +427,10 @@ definitions: type: "object" additionalProperties: type: "string" + Subpath: + description: "Source path inside the volume. Must be relative without any back traversals." + type: "string" + example: "dir-inside-volume/subdirectory" TmpfsOptions: description: "Optional configuration for the `tmpfs` type." type: "object" @@ -8770,8 +8774,7 @@ paths:


- > **Deprecated**: This field is deprecated and will always - > be "false" in future. + > **Deprecated**: This field is deprecated and will always be "false". type: "boolean" example: false name: @@ -8814,13 +8817,8 @@ paths: description: | A JSON encoded value of the filters (a `map[string][]string`) to process on the images list. Available filters: - - `is-automated=(true|false)` (deprecated, see below) - `is-official=(true|false)` - `stars=` Matches images that has at least 'number' stars. - - The `is-automated` filter is deprecated. The `is_automated` field has - been deprecated by Docker Hub's search API. Consequently, searching - for `is-automated=true` will yield no results. type: "string" tags: ["Image"] /images/prune: diff --git a/vendor/github.com/docker/docker/api/types/backend/backend.go b/vendor/github.com/docker/docker/api/types/backend/backend.go index ee913d247e..e4e760905d 100644 --- a/vendor/github.com/docker/docker/api/types/backend/backend.go +++ b/vendor/github.com/docker/docker/api/types/backend/backend.go @@ -18,7 +18,6 @@ type ContainerCreateConfig struct { HostConfig *container.HostConfig NetworkingConfig *network.NetworkingConfig Platform *ocispec.Platform - AdjustCPUShares bool DefaultReadOnlyNonRecursive bool } @@ -91,7 +90,6 @@ type ContainerStatsConfig struct { Stream bool OneShot bool OutStream io.Writer - Version string } // ExecInspect holds information about a running process started @@ -131,6 +129,13 @@ type CreateImageConfig struct { Changes []string } +// GetImageOpts holds parameters to retrieve image information +// from the backend. +type GetImageOpts struct { + Platform *ocispec.Platform + Details bool +} + // CommitConfig is the configuration for creating an image as part of a build. type CommitConfig struct { Author string diff --git a/vendor/github.com/docker/docker/api/types/client.go b/vendor/github.com/docker/docker/api/types/client.go index 24b00a2759..882201f0ea 100644 
--- a/vendor/github.com/docker/docker/api/types/client.go +++ b/vendor/github.com/docker/docker/api/types/client.go @@ -157,42 +157,12 @@ type ImageBuildResponse struct { OSType string } -// ImageCreateOptions holds information to create images. -type ImageCreateOptions struct { - RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry. - Platform string // Platform is the target platform of the image if it needs to be pulled from the registry. -} - // ImageImportSource holds source information for ImageImport type ImageImportSource struct { Source io.Reader // Source is the data to send to the server to create this image from. You must set SourceName to "-" to leverage this. SourceName string // SourceName is the name of the image to pull. Set to "-" to leverage the Source attribute. } -// ImageImportOptions holds information to import images from the client host. -type ImageImportOptions struct { - Tag string // Tag is the name to tag this image with. This attribute is deprecated. - Message string // Message is the message to tag the image with - Changes []string // Changes are the raw changes to apply to this image - Platform string // Platform is the target platform of the image -} - -// ImageListOptions holds parameters to list images with. -type ImageListOptions struct { - // All controls whether all images in the graph are filtered, or just - // the heads. - All bool - - // Filters is a JSON-encoded set of filter arguments. - Filters filters.Args - - // SharedSize indicates whether the shared size of images should be computed. - SharedSize bool - - // ContainerCount indicates whether container count should be computed. - ContainerCount bool -} - // ImageLoadResponse returns information to the client about a load process. type ImageLoadResponse struct { // Body must be closed to avoid a resource leak 
@@ -200,14 +170,6 @@ type ImageLoadResponse struct { JSON bool } -// ImagePullOptions holds information to pull images. -type ImagePullOptions struct { - All bool - RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry - PrivilegeFunc RequestPrivilegeFunc - Platform string -} - // RequestPrivilegeFunc is a function interface that // clients can supply to retry operations after // getting an authorization error. @@ -216,15 +178,6 @@ type ImagePullOptions struct { // if the privilege request fails. type RequestPrivilegeFunc func() (string, error) -// ImagePushOptions holds information to push images. -type ImagePushOptions ImagePullOptions - -// ImageRemoveOptions holds parameters to remove images. -type ImageRemoveOptions struct { - Force bool - PruneChildren bool -} - // ImageSearchOptions holds parameters to search images with. type ImageSearchOptions struct { RegistryAuth string diff --git a/vendor/github.com/docker/docker/api/types/container/config.go b/vendor/github.com/docker/docker/api/types/container/config.go index be41d6315e..86f46b74af 100644 --- a/vendor/github.com/docker/docker/api/types/container/config.go +++ b/vendor/github.com/docker/docker/api/types/container/config.go @@ -5,8 +5,8 @@ import ( "time" "github.com/docker/docker/api/types/strslice" - dockerspec "github.com/docker/docker/image/spec/specs-go/v1" "github.com/docker/go-connections/nat" + dockerspec "github.com/moby/docker-image-spec/specs-go/v1" ) // MinimumDuration puts a minimum on user configured duration. diff --git a/vendor/github.com/docker/docker/api/types/image/opts.go b/vendor/github.com/docker/docker/api/types/image/opts.go index 3cefecb0da..c6b1f351b4 100644 --- a/vendor/github.com/docker/docker/api/types/image/opts.go +++ b/vendor/github.com/docker/docker/api/types/image/opts.go 
@@ -1,9 +1,57 @@ package image -import ocispec "github.com/opencontainers/image-spec/specs-go/v1" +import "github.com/docker/docker/api/types/filters" -// GetImageOpts holds parameters to inspect an image. -type GetImageOpts struct { - Platform *ocispec.Platform - Details bool +// ImportOptions holds information to import images from the client host. +type ImportOptions struct { + Tag string // Tag is the name to tag this image with. This attribute is deprecated. + Message string // Message is the message to tag the image with + Changes []string // Changes are the raw changes to apply to this image + Platform string // Platform is the target platform of the image +} + +// CreateOptions holds information to create images. +type CreateOptions struct { + RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry. + Platform string // Platform is the target platform of the image if it needs to be pulled from the registry. +} + +// PullOptions holds information to pull images. +type PullOptions struct { + All bool + RegistryAuth string // RegistryAuth is the base64 encoded credentials for the registry + + // PrivilegeFunc is a function that clients can supply to retry operations + // after getting an authorization error. This function returns the registry + // authentication header value in base64 encoded format, or an error if the + // privilege request fails. + // + // Also see [github.com/docker/docker/api/types.RequestPrivilegeFunc]. + PrivilegeFunc func() (string, error) + Platform string +} + +// PushOptions holds information to push images. +type PushOptions PullOptions + +// ListOptions holds parameters to list images with. +type ListOptions struct { + // All controls whether all images in the graph are filtered, or just + // the heads. + All bool + + // Filters is a JSON-encoded set of filter arguments. + Filters filters.Args + + // SharedSize indicates whether the shared size of images should be computed. 
+ SharedSize bool + + // ContainerCount indicates whether container count should be computed. + ContainerCount bool +} + +// RemoveOptions holds parameters to remove images. +type RemoveOptions struct { + Force bool + PruneChildren bool } diff --git a/vendor/github.com/docker/docker/api/types/mount/mount.go b/vendor/github.com/docker/docker/api/types/mount/mount.go index 57edf2ef18..6fe04da257 100644 --- a/vendor/github.com/docker/docker/api/types/mount/mount.go +++ b/vendor/github.com/docker/docker/api/types/mount/mount.go @@ -96,6 +96,7 @@ type BindOptions struct { type VolumeOptions struct { NoCopy bool `json:",omitempty"` Labels map[string]string `json:",omitempty"` + Subpath string `json:",omitempty"` DriverConfig *Driver `json:",omitempty"` } diff --git a/vendor/github.com/docker/docker/api/types/registry/registry.go b/vendor/github.com/docker/docker/api/types/registry/registry.go index 05cb31075f..6bbae93ef2 100644 --- a/vendor/github.com/docker/docker/api/types/registry/registry.go +++ b/vendor/github.com/docker/docker/api/types/registry/registry.go @@ -94,7 +94,7 @@ type SearchResult struct { Name string `json:"name"` // IsAutomated indicates whether the result is automated. // - // Deprecated: the "is_automated" field is deprecated and will always be "false" in the future. + // Deprecated: the "is_automated" field is deprecated and will always be "false". IsAutomated bool `json:"is_automated"` // Description is a textual description of the repository Description string `json:"description"` diff --git a/vendor/github.com/docker/docker/api/types/types.go b/vendor/github.com/docker/docker/api/types/types.go index 56a8b77d45..ca07162a20 100644 --- a/vendor/github.com/docker/docker/api/types/types.go +++ b/vendor/github.com/docker/docker/api/types/types.go 
@@ -82,7 +82,7 @@ type ImageInspect struct { // Depending on how the image was created, this field may be empty. // // Deprecated: this field is omitted in API v1.45, but kept for backward compatibility. - Container string + Container string `json:",omitempty"` // ContainerConfig is an optional field containing the configuration of the // container that was last committed when creating the image. @@ -91,7 +91,7 @@ type ImageInspect struct { // and it is not in active use anymore. // // Deprecated: this field is omitted in API v1.45, but kept for backward compatibility. - ContainerConfig *container.Config + ContainerConfig *container.Config `json:",omitempty"` // DockerVersion is the version of Docker that was used to build the image. // diff --git a/vendor/github.com/docker/docker/api/types/types_deprecated.go b/vendor/github.com/docker/docker/api/types/types_deprecated.go index e332a7bb6d..231a5cca46 100644 --- a/vendor/github.com/docker/docker/api/types/types_deprecated.go +++ b/vendor/github.com/docker/docker/api/types/types_deprecated.go 
@@ -1,138 +1,35 @@ package types import ( - "github.com/docker/docker/api/types/checkpoint" - "github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/image" - "github.com/docker/docker/api/types/swarm" - "github.com/docker/docker/api/types/system" ) -// CheckpointCreateOptions holds parameters to create a checkpoint from a container. +// ImageImportOptions holds information to import images from the client host. // -// Deprecated: use [checkpoint.CreateOptions]. -type CheckpointCreateOptions = checkpoint.CreateOptions +// Deprecated: use [image.ImportOptions]. +type ImageImportOptions = image.ImportOptions -// CheckpointListOptions holds parameters to list checkpoints for a container +// ImageCreateOptions holds information to create images. // -// Deprecated: use [checkpoint.ListOptions]. -type CheckpointListOptions = checkpoint.ListOptions +// Deprecated: use [image.CreateOptions]. +type ImageCreateOptions = image.CreateOptions -// CheckpointDeleteOptions holds parameters to delete a checkpoint from a container +// ImagePullOptions holds information to pull images. // -// Deprecated: use [checkpoint.DeleteOptions]. -type CheckpointDeleteOptions = checkpoint.DeleteOptions +// Deprecated: use [image.PullOptions]. +type ImagePullOptions = image.PullOptions -// Checkpoint represents the details of a checkpoint when listing endpoints. +// ImagePushOptions holds information to push images. // -// Deprecated: use [checkpoint.Summary]. -type Checkpoint = checkpoint.Summary +// Deprecated: use [image.PushOptions]. +type ImagePushOptions = image.PushOptions -// Info contains response of Engine API: -// GET "/info" +// ImageListOptions holds parameters to list images with. // -// Deprecated: use [system.Info]. -type Info = system.Info +// Deprecated: use [image.ListOptions]. 
+type ImageListOptions = image.ListOptions -// Commit holds the Git-commit (SHA1) that a binary was built from, as reported -// in the version-string of external tools, such as containerd, or runC. +// ImageRemoveOptions holds parameters to remove images. // -// Deprecated: use [system.Commit]. -type Commit = system.Commit - -// PluginsInfo is a temp struct holding Plugins name -// registered with docker daemon. It is used by [system.Info] struct -// -// Deprecated: use [system.PluginsInfo]. -type PluginsInfo = system.PluginsInfo - -// NetworkAddressPool is a temp struct used by [system.Info] struct. -// -// Deprecated: use [system.NetworkAddressPool]. -type NetworkAddressPool = system.NetworkAddressPool - -// Runtime describes an OCI runtime. -// -// Deprecated: use [system.Runtime]. -type Runtime = system.Runtime - -// SecurityOpt contains the name and options of a security option. -// -// Deprecated: use [system.SecurityOpt]. -type SecurityOpt = system.SecurityOpt - -// KeyValue holds a key/value pair. -// -// Deprecated: use [system.KeyValue]. -type KeyValue = system.KeyValue - -// ImageDeleteResponseItem image delete response item. -// -// Deprecated: use [image.DeleteResponse]. -type ImageDeleteResponseItem = image.DeleteResponse - -// ImageSummary image summary. -// -// Deprecated: use [image.Summary]. -type ImageSummary = image.Summary - -// ImageMetadata contains engine-local data about the image. -// -// Deprecated: use [image.Metadata]. -type ImageMetadata = image.Metadata - -// ServiceCreateResponse contains the information returned to a client -// on the creation of a new service. -// -// Deprecated: use [swarm.ServiceCreateResponse]. -type ServiceCreateResponse = swarm.ServiceCreateResponse - -// ServiceUpdateResponse service update response. -// -// Deprecated: use [swarm.ServiceUpdateResponse]. -type ServiceUpdateResponse = swarm.ServiceUpdateResponse - -// ContainerStartOptions holds parameters to start containers. 
-// -// Deprecated: use [container.StartOptions]. -type ContainerStartOptions = container.StartOptions - -// ResizeOptions holds parameters to resize a TTY. -// It can be used to resize container TTYs and -// exec process TTYs too. -// -// Deprecated: use [container.ResizeOptions]. -type ResizeOptions = container.ResizeOptions - -// ContainerAttachOptions holds parameters to attach to a container. -// -// Deprecated: use [container.AttachOptions]. -type ContainerAttachOptions = container.AttachOptions - -// ContainerCommitOptions holds parameters to commit changes into a container. -// -// Deprecated: use [container.CommitOptions]. -type ContainerCommitOptions = container.CommitOptions - -// ContainerListOptions holds parameters to list containers with. -// -// Deprecated: use [container.ListOptions]. -type ContainerListOptions = container.ListOptions - -// ContainerLogsOptions holds parameters to filter logs with. -// -// Deprecated: use [container.LogsOptions]. -type ContainerLogsOptions = container.LogsOptions - -// ContainerRemoveOptions holds parameters to remove containers. -// -// Deprecated: use [container.RemoveOptions]. -type ContainerRemoveOptions = container.RemoveOptions - -// DecodeSecurityOptions decodes a security options string slice to a type safe -// [system.SecurityOpt]. -// -// Deprecated: use [system.DecodeSecurityOptions]. -func DecodeSecurityOptions(opts []string) ([]system.SecurityOpt, error) { - return system.DecodeSecurityOptions(opts) -} +// Deprecated: use [image.RemoveOptions]. +type ImageRemoveOptions = image.RemoveOptions diff --git a/vendor/github.com/docker/docker/api/types/versions/README.md b/vendor/github.com/docker/docker/api/types/versions/README.md deleted file mode 100644 index 1ef911edb0..0000000000 --- a/vendor/github.com/docker/docker/api/types/versions/README.md +++ /dev/null 
@@ -1,14 +0,0 @@
-# Legacy API type versions
-
-This package includes types for legacy API versions. The stable version of the API types live in `api/types/*.go`.
-
-Consider moving a type here when you need to keep backwards compatibility in the API. This legacy types are organized by the latest API version they appear in. For instance, types in the `v1p19` package are valid for API versions below or equal `1.19`. Types in the `v1p20` package are valid for the API version `1.20`, since the versions below that will use the legacy types in `v1p19`.
-
-## Package name conventions
-
-The package name convention is to use `v` as a prefix for the version number and `p`(patch) as a separator. We use this nomenclature due to a few restrictions in the Go package name convention:
-
-1. We cannot use `.` because it's interpreted by the language, think of `v1.20.CallFunction`.
-2. We cannot use `_` because golint complains about it. The code is actually valid, but it looks probably more weird: `v1_20.CallFunction`.
-
-For instance, if you want to modify a type that was available in the version `1.21` of the API but it will have different fields in the version `1.22`, you want to create a new package under `api/types/versions/v1p21`.
diff --git a/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go b/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
index 55fc5d3899..bbd9ff0b8f 100644
--- a/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
+++ b/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
@@ -238,13 +238,13 @@ type TopologyRequirement struct {
 // If requisite is specified, all topologies in preferred list MUST
 // also be present in the list of requisite topologies.
 //
- // If the SP is unable to to make the provisioned volume available
+ // If the SP is unable to make the provisioned volume available
 // from any of the preferred topologies, the SP MAY choose a topology
 // from the list of requisite topologies.
 // If the list of requisite topologies is not specified, then the SP
 // MAY choose from the list of all possible topologies.
 // If the list of requisite topologies is specified and the SP is
- // unable to to make the provisioned volume available from any of the
+ // unable to make the provisioned volume available from any of the
 // requisite topologies it MUST fail the CreateVolume call.
 //
 // Example 1:
@@ -254,7 +254,7 @@ type TopologyRequirement struct {
 // {"region": "R1", "zone": "Z3"}
 // preferred =
 // {"region": "R1", "zone": "Z3"}
- // then the the SP SHOULD first attempt to make the provisioned volume
+ // then the SP SHOULD first attempt to make the provisioned volume
 // available from "zone" "Z3" in the "region" "R1" and fall back to
 // "zone" "Z2" in the "region" "R1" if that is not possible.
 //
@@ -268,7 +268,7 @@ type TopologyRequirement struct {
 // preferred =
 // {"region": "R1", "zone": "Z4"},
 // {"region": "R1", "zone": "Z2"}
- // then the the SP SHOULD first attempt to make the provisioned volume
+ // then the SP SHOULD first attempt to make the provisioned volume
 // accessible from "zone" "Z4" in the "region" "R1" and fall back to
 // "zone" "Z2" in the "region" "R1" if that is not possible. If that
 // is not possible, the SP may choose between either the "zone"
@@ -287,7 +287,7 @@ type TopologyRequirement struct {
 // preferred =
 // {"region": "R1", "zone": "Z5"},
 // {"region": "R1", "zone": "Z3"}
- // then the the SP SHOULD first attempt to make the provisioned volume
+ // then the SP SHOULD first attempt to make the provisioned volume
 // accessible from the combination of the two "zones" "Z5" and "Z3" in
 // the "region" "R1". If that's not possible, it should fall back to
 // a combination of "Z5" and other possibilities from the list of
diff --git a/vendor/github.com/docker/docker/builder/builder.go b/vendor/github.com/docker/docker/builder/builder.go
index fc855f133d..dff93cfac7 100644
--- a/vendor/github.com/docker/docker/builder/builder.go
+++ b/vendor/github.com/docker/docker/builder/builder.go
@@ -64,7 +64,7 @@ type ExecBackend interface {
 // ContainerRm removes a container specified by `id`.
 ContainerRm(name string, config *backend.ContainerRmConfig) error
 // ContainerStart starts a new container
- ContainerStart(ctx context.Context, containerID string, hostConfig *container.HostConfig, checkpoint string, checkpointDir string) error
+ ContainerStart(ctx context.Context, containerID string, checkpoint string, checkpointDir string) error
 // ContainerWait stops processing until the given container is stopped.
 ContainerWait(ctx context.Context, name string, condition containerpkg.WaitCondition) (<-chan containerpkg.StateStatus, error)
 }
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go b/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go
index 8986c1277a..c81923cbc6 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/containerbackend.go
@@ -72,7 +72,7 @@ func (c *containerManager) Run(ctx context.Context, cID string, stdout, stderr i } }() - if err := c.backend.ContainerStart(ctx, cID, nil, "", ""); err != nil { + if err := c.backend.ContainerStart(ctx, cID, "", ""); err != nil { close(finished) logCancellationError(cancelErrCh, "error from ContainerStart: "+err.Error()) return err diff --git a/vendor/github.com/docker/docker/client/distribution_inspect.go b/vendor/github.com/docker/docker/client/distribution_inspect.go index 68ef31b78b..68e6ec5ed6 100644 --- a/vendor/github.com/docker/docker/client/distribution_inspect.go +++ b/vendor/github.com/docker/docker/client/distribution_inspect.go @@ -10,11 +10,11 @@ import ( ) // DistributionInspect returns the image digest with the full manifest. -func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegistryAuth string) (registry.DistributionInspect, error) { +func (cli *Client) DistributionInspect(ctx context.Context, imageRef, encodedRegistryAuth string) (registry.DistributionInspect, error) { // Contact the registry to retrieve digest and platform information var distributionInspect registry.DistributionInspect - if image == "" { - return distributionInspect, objectNotFoundError{object: "distribution", id: image} + if imageRef == "" { + return distributionInspect, objectNotFoundError{object: "distribution", id: imageRef} } if err := cli.NewVersionError(ctx, "1.30", "distribution inspect"); err != nil { @@ -28,7 +28,7 @@ func (cli *Client) DistributionInspect(ctx context.Context, image, encodedRegist } } - resp, err := cli.get(ctx, "/distribution/"+image+"/json", url.Values{}, headers) + resp, err := cli.get(ctx, "/distribution/"+imageRef+"/json", url.Values{}, headers) defer ensureReaderClosed(resp) if err != nil { return distributionInspect, err diff --git a/vendor/github.com/docker/docker/client/image_create.go b/vendor/github.com/docker/docker/client/image_create.go index 29cd0b4373..7c7873dca5 100644 
--- a/vendor/github.com/docker/docker/client/image_create.go +++ b/vendor/github.com/docker/docker/client/image_create.go @@ -8,13 +8,13 @@ import ( "strings" "github.com/distribution/reference" - "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/image" "github.com/docker/docker/api/types/registry" ) // ImageCreate creates a new image based on the parent options. // It returns the JSON content in the response body. -func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) { +func (cli *Client) ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error) { ref, err := reference.ParseNormalizedNamed(parentReference) if err != nil { return nil, err diff --git a/vendor/github.com/docker/docker/client/image_import.go b/vendor/github.com/docker/docker/client/image_import.go index cd376a14e5..5a890b0c59 100644 --- a/vendor/github.com/docker/docker/client/image_import.go +++ b/vendor/github.com/docker/docker/client/image_import.go @@ -8,11 +8,12 @@ import ( "github.com/distribution/reference" "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/image" ) // ImageImport creates a new image based on the source options. // It returns the JSON content in the response body. -func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error) { +func (cli *Client) ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error) { if ref != "" { // Check if the given image name can be resolved if _, err := reference.ParseNormalizedNamed(ref); err != nil { diff --git a/vendor/github.com/docker/docker/client/image_list.go b/vendor/github.com/docker/docker/client/image_list.go index fa6aecfc6e..a9cc1e21e5 100644 --- a/vendor/github.com/docker/docker/client/image_list.go 
+++ b/vendor/github.com/docker/docker/client/image_list.go @@ -5,14 +5,13 @@ import ( "encoding/json" "net/url" - "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/filters" "github.com/docker/docker/api/types/image" "github.com/docker/docker/api/types/versions" ) // ImageList returns a list of images in the docker host. -func (cli *Client) ImageList(ctx context.Context, options types.ImageListOptions) ([]image.Summary, error) { +func (cli *Client) ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error) { var images []image.Summary // Make sure we negotiated (if the client is configured to do so), diff --git a/vendor/github.com/docker/docker/client/image_pull.go b/vendor/github.com/docker/docker/client/image_pull.go index d92049d588..6438cf6a96 100644 --- a/vendor/github.com/docker/docker/client/image_pull.go +++ b/vendor/github.com/docker/docker/client/image_pull.go @@ -7,7 +7,7 @@ import ( "strings" "github.com/distribution/reference" - "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/image" "github.com/docker/docker/errdefs" ) @@ -19,7 +19,7 @@ import ( // FIXME(vdemeester): there is currently used in a few way in docker/docker // - if not in trusted content, ref is used to pass the whole reference, and tag is empty // - if in trusted content, ref is used to pass the reference name, and tag for the digest -func (cli *Client) ImagePull(ctx context.Context, refStr string, options types.ImagePullOptions) (io.ReadCloser, error) { +func (cli *Client) ImagePull(ctx context.Context, refStr string, options image.PullOptions) (io.ReadCloser, error) { ref, err := reference.ParseNormalizedNamed(refStr) if err != nil { return nil, err diff --git a/vendor/github.com/docker/docker/client/image_push.go b/vendor/github.com/docker/docker/client/image_push.go index 6839a89e07..e6a6b11eea 100644 --- a/vendor/github.com/docker/docker/client/image_push.go 
+++ b/vendor/github.com/docker/docker/client/image_push.go @@ -8,7 +8,7 @@ import ( "net/url" "github.com/distribution/reference" - "github.com/docker/docker/api/types" + "github.com/docker/docker/api/types/image" "github.com/docker/docker/api/types/registry" "github.com/docker/docker/errdefs" ) @@ -17,7 +17,7 @@ import ( // It executes the privileged function if the operation is unauthorized // and it tries one more time. // It's up to the caller to handle the io.ReadCloser and close it properly. -func (cli *Client) ImagePush(ctx context.Context, image string, options types.ImagePushOptions) (io.ReadCloser, error) { +func (cli *Client) ImagePush(ctx context.Context, image string, options image.PushOptions) (io.ReadCloser, error) { ref, err := reference.ParseNormalizedNamed(image) if err != nil { return nil, err diff --git a/vendor/github.com/docker/docker/client/image_remove.go b/vendor/github.com/docker/docker/client/image_remove.go index b936d20830..652d1bfa3e 100644 --- a/vendor/github.com/docker/docker/client/image_remove.go +++ b/vendor/github.com/docker/docker/client/image_remove.go @@ -5,12 +5,11 @@ import ( "encoding/json" "net/url" - "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/image" ) // ImageRemove removes an image from the docker host. -func (cli *Client) ImageRemove(ctx context.Context, imageID string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error) { +func (cli *Client) ImageRemove(ctx context.Context, imageID string, options image.RemoveOptions) ([]image.DeleteResponse, error) { query := url.Values{} if options.Force { diff --git a/vendor/github.com/docker/docker/client/interface.go b/vendor/github.com/docker/docker/client/interface.go index 302f5fb13e..45d233f253 100644 --- a/vendor/github.com/docker/docker/client/interface.go +++ b/vendor/github.com/docker/docker/client/interface.go 
@@ -90,15 +90,15 @@ type ImageAPIClient interface {
 ImageBuild(ctx context.Context, context io.Reader, options types.ImageBuildOptions) (types.ImageBuildResponse, error)
 BuildCachePrune(ctx context.Context, opts types.BuildCachePruneOptions) (*types.BuildCachePruneReport, error)
 BuildCancel(ctx context.Context, id string) error
- ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error)
+ ImageCreate(ctx context.Context, parentReference string, options image.CreateOptions) (io.ReadCloser, error)
 ImageHistory(ctx context.Context, image string) ([]image.HistoryResponseItem, error)
- ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options types.ImageImportOptions) (io.ReadCloser, error)
+ ImageImport(ctx context.Context, source types.ImageImportSource, ref string, options image.ImportOptions) (io.ReadCloser, error)
 ImageInspectWithRaw(ctx context.Context, image string) (types.ImageInspect, []byte, error)
- ImageList(ctx context.Context, options types.ImageListOptions) ([]image.Summary, error)
+ ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error)
 ImageLoad(ctx context.Context, input io.Reader, quiet bool) (types.ImageLoadResponse, error)
- ImagePull(ctx context.Context, ref string, options types.ImagePullOptions) (io.ReadCloser, error)
- ImagePush(ctx context.Context, ref string, options types.ImagePushOptions) (io.ReadCloser, error)
- ImageRemove(ctx context.Context, image string, options types.ImageRemoveOptions) ([]image.DeleteResponse, error)
+ ImagePull(ctx context.Context, ref string, options image.PullOptions) (io.ReadCloser, error)
+ ImagePush(ctx context.Context, ref string, options image.PushOptions) (io.ReadCloser, error)
+ ImageRemove(ctx context.Context, image string, options image.RemoveOptions) ([]image.DeleteResponse, error)
 ImageSearch(ctx context.Context, term string, options types.ImageSearchOptions) ([]registry.SearchResult, error)
ImageSave(ctx context.Context, images []string) (io.ReadCloser, error) ImageTag(ctx context.Context, image, ref string) error diff --git a/vendor/github.com/docker/docker/container/attach_context.go b/vendor/github.com/docker/docker/container/attach_context.go index 5a7d0748f0..9dd8e9da41 100644 --- a/vendor/github.com/docker/docker/container/attach_context.go +++ b/vendor/github.com/docker/docker/container/attach_context.go @@ -5,7 +5,7 @@ import ( "sync" ) -// attachContext is the context used for for attach calls. +// attachContext is the context used for attach calls. type attachContext struct { mu sync.Mutex ctx context.Context diff --git a/vendor/github.com/docker/docker/container/container.go b/vendor/github.com/docker/docker/container/container.go index e73f05654f..018300350d 100644 --- a/vendor/github.com/docker/docker/container/container.go +++ b/vendor/github.com/docker/docker/container/container.go @@ -514,14 +514,14 @@ func (container *Container) AddMountPointWithVolume(destination string, vol volu } // UnmountVolumes unmounts all volumes -func (container *Container) UnmountVolumes(volumeEventLog func(name string, action events.Action, attributes map[string]string)) error { +func (container *Container) UnmountVolumes(ctx context.Context, volumeEventLog func(name string, action events.Action, attributes map[string]string)) error { var errs []string for _, volumeMount := range container.MountPoints { if volumeMount.Volume == nil { continue } - if err := volumeMount.Cleanup(); err != nil { + if err := volumeMount.Cleanup(ctx); err != nil { errs = append(errs, err.Error()) continue } diff --git a/vendor/github.com/docker/docker/container/container_unix.go b/vendor/github.com/docker/docker/container/container_unix.go index 80cf5e58dd..66bcacd963 100644 --- a/vendor/github.com/docker/docker/container/container_unix.go +++ b/vendor/github.com/docker/docker/container/container_unix.go 
@@ -15,8 +15,6 @@ import ( "github.com/docker/docker/api/types/events" mounttypes "github.com/docker/docker/api/types/mount" swarmtypes "github.com/docker/docker/api/types/swarm" - "github.com/docker/docker/pkg/stringid" - "github.com/docker/docker/volume" volumemounts "github.com/docker/docker/volume/mounts" "github.com/moby/sys/mount" "github.com/opencontainers/selinux/go-selinux/label" @@ -129,34 +127,11 @@ func (container *Container) NetworkMounts() []Mount { } // CopyImagePathContent copies files in destination to the volume. -func (container *Container) CopyImagePathContent(v volume.Volume, destination string) error { - rootfs, err := container.GetResourcePath(destination) - if err != nil { - return err - } - - if _, err := os.Stat(rootfs); err != nil { - if os.IsNotExist(err) { - return nil - } - return err - } - - id := stringid.GenerateRandomID() - path, err := v.Mount(id) - if err != nil { - return err - } - - defer func() { - if err := v.Unmount(id); err != nil { - log.G(context.TODO()).Warnf("error while unmounting volume %s: %v", v.Name(), err) - } - }() - if err := label.Relabel(path, container.MountLabel, true); err != nil && !errors.Is(err, syscall.ENOTSUP) { +func (container *Container) CopyImagePathContent(volumePath, destination string) error { + if err := label.Relabel(volumePath, container.MountLabel, true); err != nil && !errors.Is(err, syscall.ENOTSUP) { return err } - return copyExistingContents(rootfs, path) + return copyExistingContents(destination, volumePath) } // ShmResourcePath returns path to shm @@ -396,7 +371,7 @@ func (container *Container) DetachAndUnmount(volumeEventLog func(name string, ac Warn("Unable to unmount") } } - return container.UnmountVolumes(volumeEventLog) + return container.UnmountVolumes(ctx, volumeEventLog) } // ignoreUnsupportedXAttrs ignores errors when extended attributes 
@@ -419,9 +394,13 @@ func copyExistingContents(source, destination string) error { return err } if len(dstList) != 0 { - // destination is not empty, do not copy + log.G(context.TODO()).WithFields(log.Fields{ + "source": source, + "destination": destination, + }).Debug("destination is not empty, do not copy") return nil } + return fs.CopyDir(destination, source, ignoreUnsupportedXAttrs()) } diff --git a/vendor/github.com/docker/docker/container/container_windows.go b/vendor/github.com/docker/docker/container/container_windows.go index bceedcb637..bfebdbad18 100644 --- a/vendor/github.com/docker/docker/container/container_windows.go +++ b/vendor/github.com/docker/docker/container/container_windows.go @@ -1,6 +1,7 @@ package container // import "github.com/docker/docker/container" import ( + "context" "fmt" "os" "path/filepath" @@ -128,7 +129,7 @@ func (container *Container) ConfigMounts() []Mount { // On Windows it only delegates to `UnmountVolumes` since there is nothing to // force unmount. func (container *Container) DetachAndUnmount(volumeEventLog func(name string, action events.Action, attributes map[string]string)) error { - return container.UnmountVolumes(volumeEventLog) + return container.UnmountVolumes(context.TODO(), volumeEventLog) } // TmpfsMounts returns the list of tmpfs mounts diff --git a/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go b/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go index 106101937a..6131bcea7c 100644 --- a/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go +++ b/vendor/github.com/docker/docker/daemon/logger/loggerutils/follow.go @@ -108,7 +108,7 @@ func (fl *follow) nextPos(current logPos) (next logPos, ok bool) { case st = <-fl.LogFile.read: } - // Have any any logs been written since we last checked? + // Have any logs been written since we last checked? if st.pos == current { // Nope. // Add ourself to the notify list. st.wait = append(st.wait, fl.c) 
diff --git a/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go b/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go index 572a3a7952..61490c8d1a 100644 --- a/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go +++ b/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go @@ -59,7 +59,7 @@ type LogFile struct { // passing along ownership is expressed with function argument types. // Methods which take a pointer *logReadState argument borrow the state, // analogous to functions which require a lock to be held when calling. - // The caller retains ownership. Calling a method which which takes a + // The caller retains ownership. Calling a method which takes a // value logFileState argument gives ownership to the callee. read chan logReadState diff --git a/vendor/github.com/docker/docker/daemon/logger/ring.go b/vendor/github.com/docker/docker/daemon/logger/ring.go index ff43baac2f..8c19b543d6 100644 --- a/vendor/github.com/docker/docker/daemon/logger/ring.go +++ b/vendor/github.com/docker/docker/daemon/logger/ring.go @@ -138,7 +138,7 @@ type messageRing struct { wait *sync.Cond sizeBytes int64 // current buffer size - maxBytes int64 // max buffer size size + maxBytes int64 // max buffer size queue []*Message closed bool } diff --git a/vendor/github.com/docker/docker/image/image.go b/vendor/github.com/docker/docker/image/image.go index c955cbcb68..9bfa8602f2 100644 --- a/vendor/github.com/docker/docker/image/image.go +++ b/vendor/github.com/docker/docker/image/image.go @@ -28,13 +28,6 @@ func (id ID) Digest() digest.Digest { return digest.Digest(id) } -// IDFromDigest creates an ID from a digest -// -// Deprecated: cast to an ID using ID(digest). -func IDFromDigest(digest digest.Digest) ID { - return ID(digest) -} - // V1Image stores the V1 image configuration. type V1Image struct { // ID is a unique 64 character identifier of the image 
diff --git a/vendor/github.com/docker/docker/internal/cleanups/composite.go b/vendor/github.com/docker/docker/internal/cleanups/composite.go
new file mode 100644
index 0000000000..3c00cd6d75
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/cleanups/composite.go
@@ -0,0 +1,44 @@
+package cleanups
+
+import (
+ "context"
+
+ "github.com/docker/docker/internal/multierror"
+)
+
+type Composite struct {
+ cleanups []func(context.Context) error
+}
+
+// Add adds a cleanup to be called.
+func (c *Composite) Add(f func(context.Context) error) {
+ c.cleanups = append(c.cleanups, f)
+}
+
+// Call calls all cleanups in reverse order and returns an error combining all
+// non-nil errors.
+func (c *Composite) Call(ctx context.Context) error {
+ err := call(ctx, c.cleanups)
+ c.cleanups = nil
+ return err
+}
+
+// Release removes all cleanups, turning Call into a no-op.
+// Caller still can call the cleanups by calling the returned function
+// which is equivalent to calling the Call before Release was called.
+func (c *Composite) Release() func(context.Context) error {
+ cleanups := c.cleanups
+ c.cleanups = nil
+ return func(ctx context.Context) error {
+ return call(ctx, cleanups)
+ }
+}
+
+func call(ctx context.Context, cleanups []func(context.Context) error) error {
+ var errs []error
+ for idx := len(cleanups) - 1; idx >= 0; idx-- {
+ c := cleanups[idx]
+ errs = append(errs, c(ctx))
+ }
+ return multierror.Join(errs...)
+}
diff --git a/vendor/github.com/docker/docker/internal/compatcontext/cancel.go b/vendor/github.com/docker/docker/internal/compatcontext/cancel.go
new file mode 100644
index 0000000000..3c29794b47
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/compatcontext/cancel.go
@@ -0,0 +1,89 @@
+//go:build !go1.21
+
+// Copyright (c) 2009 The Go Authors. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+// - Redistributions of source code must retain the above copyright
+//
+// notice, this list of conditions and the following disclaimer.
+// - Redistributions in binary form must reproduce the above
+//
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+// - Neither the name of Google Inc. nor the names of its
+//
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+//
+// Source: https://cs.opensource.google/go/go/+/refs/tags/go1.21.1:src/context/context.go
+// The only modifications to the original source were:
+// - replacing the usage of internal reflectlite with reflect
+// - replacing the usage of private value function with Value method call
+package compatcontext // import "github.com/docker/docker/internal/compatcontext"
+
+import (
+ "context"
+ "reflect"
+ "time"
+)
+
+// WithoutCancel returns a copy of parent that is not canceled when parent is canceled.
+// The returned context returns no Deadline or Err, and its Done channel is nil.
+// Calling [Cause] on the returned context returns nil.
+func WithoutCancel(parent context.Context) context.Context {
+ if parent == nil {
+ panic("cannot create context from nil parent")
+ }
+ return withoutCancelCtx{parent}
+}
+
+type withoutCancelCtx struct {
+ c context.Context
+}
+
+func (withoutCancelCtx) Deadline() (deadline time.Time, ok bool) {
+ return
+}
+
+func (withoutCancelCtx) Done() <-chan struct{} {
+ return nil
+}
+
+func (withoutCancelCtx) Err() error {
+ return nil
+}
+
+func (c withoutCancelCtx) Value(key any) any {
+ return c.c.Value(key)
+}
+
+func (c withoutCancelCtx) String() string {
+ return contextName(c.c) + ".WithoutCancel"
+}
+
+type stringer interface {
+ String() string
+}
+
+func contextName(c context.Context) string {
+ if s, ok := c.(stringer); ok {
+ return s.String()
+ }
+ return reflect.TypeOf(c).String()
+}
diff --git a/vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go b/vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go
new file mode 100644
index 0000000000..e43555b292
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/compatcontext/cancel_go121.go
@@ -0,0 +1,9 @@
+//go:build go1.21
+
+package compatcontext // import "github.com/docker/docker/internal/compatcontext"
+
+import "context"
+
+func WithoutCancel(ctx context.Context) context.Context {
+ return context.WithoutCancel(ctx)
+}
diff --git a/vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go b/vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go
new file mode 100644
index 0000000000..f4ecf710c8
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/rootless/mountopts/mountopts_linux.go
@@ -0,0 +1,39 @@
+package mountopts
+
+import (
+ "golang.org/x/sys/unix"
+)
+
+// UnprivilegedMountFlags gets the set of mount flags that are set on the mount that contains the given
+// path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that
+// bind-mounting "with options" will not fail with user namespaces, due to
+// kernel restrictions that require user namespace mounts to preserve
+// CL_UNPRIVILEGED locked flags.
+//
+// TODO: Move to github.com/moby/sys/mount, and update BuildKit copy of this code as well (https://github.com/moby/buildkit/blob/v0.13.0/util/rootless/mountopts/mountopts_linux.go#L11-L18)
+func UnprivilegedMountFlags(path string) ([]string, error) {
+ var statfs unix.Statfs_t
+ if err := unix.Statfs(path, &statfs); err != nil {
+ return nil, err
+ }
+
+ // The set of keys come from https://github.com/torvalds/linux/blob/v4.13/fs/namespace.c#L1034-L1048.
+ unprivilegedFlags := map[uint64]string{
+ unix.MS_RDONLY: "ro",
+ unix.MS_NODEV: "nodev",
+ unix.MS_NOEXEC: "noexec",
+ unix.MS_NOSUID: "nosuid",
+ unix.MS_NOATIME: "noatime",
+ unix.MS_RELATIME: "relatime",
+ unix.MS_NODIRATIME: "nodiratime",
+ }
+
+ var flags []string
+ for mask, flag := range unprivilegedFlags {
+ if uint64(statfs.Flags)&mask == mask {
+ flags = append(flags, flag)
+ }
+ }
+
+ return flags, nil
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/common.go b/vendor/github.com/docker/docker/internal/safepath/common.go
new file mode 100644
index 0000000000..5beb2e6e43
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/common.go
@@ -0,0 +1,66 @@
+package safepath
+
+import (
+ "os"
+ "path/filepath"
+
+ "github.com/pkg/errors"
+)
+
+// evaluatePath evaluates symlinks in the concatenation of path and subpath. If
+// err is nil, resolvedBasePath will contain result of resolving all symlinks
+// in the given path, and resolvedSubpath will contain a relative path rooted
+// at the resolvedBasePath pointing to the concatenation after resolving all
+// symlinks.
+func evaluatePath(path, subpath string) (resolvedBasePath string, resolvedSubpath string, err error) {
+ baseResolved, err := filepath.EvalSymlinks(path)
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return "", "", &ErrNotAccessible{Path: path, Cause: err}
+ }
+ return "", "", errors.Wrapf(err, "error while resolving symlinks in base directory %q", path)
+ }
+
+ combinedPath := filepath.Join(baseResolved, subpath)
+ combinedResolved, err := filepath.EvalSymlinks(combinedPath)
+ if err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ return "", "", &ErrNotAccessible{Path: combinedPath, Cause: err}
+ }
+ return "", "", errors.Wrapf(err, "error while resolving symlinks in combined path %q", combinedPath)
+ }
+
+ subpart, err := filepath.Rel(baseResolved, combinedResolved)
+ if err != nil {
+ return "", "", &ErrEscapesBase{Base: baseResolved, Subpath: subpath}
+ }
+
+ if !filepath.IsLocal(subpart) {
+ return "", "", &ErrEscapesBase{Base: baseResolved, Subpath: subpath}
+ }
+
+ return baseResolved, subpart, nil
+}
+
+// isLocalTo reports whether path, using lexical analysis only, has all of these properties:
+// - is within the subtree rooted at basepath
+// - is not empty
+// - on Windows, is not a reserved name such as "NUL"
+//
+// If isLocalTo(path, basepath) returns true, then
+//
+// filepath.Rel(basepath, path)
+//
+// will always produce an unrooted path with no `..` elements.
+//
+// isLocalTo is a purely lexical operation. In particular, it does not account for the effect of any symbolic links that may exist in the filesystem.
+//
+// Both path and basepath are expected to be absolute paths.
+func isLocalTo(path, basepath string) bool {
+ rel, err := filepath.Rel(basepath, path)
+ if err != nil {
+ return false
+ }
+
+ return filepath.IsLocal(rel)
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/errors.go b/vendor/github.com/docker/docker/internal/safepath/errors.go
new file mode 100644
index 0000000000..8fcfe262ee
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/errors.go
@@ -0,0 +1,42 @@
+package safepath
+
+// ErrNotAccessible is returned by Join when the resulting path doesn't exist,
+// is not accessible, or any of the path components was replaced with a symlink
+// during the path traversal.
+type ErrNotAccessible struct {
+ Path string
+ Cause error
+}
+
+func (*ErrNotAccessible) NotFound() {}
+
+func (e *ErrNotAccessible) Unwrap() error {
+ return e.Cause
+}
+
+func (e *ErrNotAccessible) Error() string {
+ msg := "cannot access path " + e.Path
+ if e.Cause != nil {
+ msg += ": " + e.Cause.Error()
+ }
+ return msg
+}
+
+// ErrEscapesBase is returned by Join when the resulting concatenation would
+// point outside of the specified base directory.
+type ErrEscapesBase struct {
+ Base, Subpath string
+}
+
+func (*ErrEscapesBase) InvalidParameter() {}
+
+func (e *ErrEscapesBase) Error() string {
+ msg := "path concatenation escapes the base directory"
+ if e.Base != "" {
+ msg += ", base: " + e.Base
+ }
+ if e.Subpath != "" {
+ msg += ", subpath: " + e.Subpath
+ }
+ return msg
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/join_linux.go b/vendor/github.com/docker/docker/internal/safepath/join_linux.go
new file mode 100644
index 0000000000..68cb0d7abe
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/join_linux.go
@@ -0,0 +1,150 @@
+package safepath
+
+import (
+ "context"
+ "os"
+ "path/filepath"
+ "runtime"
+ "strconv"
+
+ "github.com/containerd/log"
+ "github.com/docker/docker/internal/unix_noeintr"
+ "github.com/pkg/errors"
+ "golang.org/x/sys/unix"
+)
+
+// Join makes sure that the concatenation of path and subpath doesn't
+// resolve to a path outside of path and returns a path to a temporary file that is
+// a bind mount to the exact same file/directory that was validated.
+//
+// After use, it is the caller's responsibility to call Close on the returned
+// SafePath object, which will unmount the temporary file/directory
+// and remove it.
+func Join(_ context.Context, path, subpath string) (*SafePath, error) {
+ base, subpart, err := evaluatePath(path, subpath)
+ if err != nil {
+ return nil, err
+ }
+
+ runtime.LockOSThread()
+ defer runtime.UnlockOSThread()
+ fd, err := safeOpenFd(base, subpart)
+ if err != nil {
+ return nil, err
+ }
+
+ defer unix_noeintr.Close(fd)
+
+ tmpMount, err := tempMountPoint(fd)
+ if err != nil {
+ return nil, errors.Wrap(err, "failed to create temporary file for safe mount")
+ }
+
+ pid := strconv.Itoa(unix.Gettid())
+ // Using explicit pid path, because /proc/self/fd/ fails with EACCES
+ // when running under "Enhanced Container Isolation" in Docker Desktop
+ // which uses sysbox runtime under the hood.
+ // TODO(vvoland): Investigate.
+ mountSource := "/proc/" + pid + "/fd/" + strconv.Itoa(fd)
+
+ if err := unix_noeintr.Mount(mountSource, tmpMount, "none", unix.MS_BIND, ""); err != nil {
+ os.Remove(tmpMount)
+ return nil, errors.Wrap(err, "failed to mount resolved path")
+ }
+
+ return &SafePath{
+ path: tmpMount,
+ sourceBase: base,
+ sourceSubpath: subpart,
+ cleanup: cleanupSafePath(tmpMount),
+ }, nil
+}
+
+// safeOpenFd opens the file at filepath.Join(path, subpath) in O_PATH
+// mode and returns the file descriptor if subpath is within the subtree
+// rooted at path. It is an error if any of components of path or subpath
+// are symbolic links.
+//
+// It is a caller's responsibility to close the returned file descriptor, if no
+// error was returned.
+func safeOpenFd(path, subpath string) (int, error) {
+ // Open base volume path (_data directory).
+ prevFd, err := unix_noeintr.Open(path, unix.O_PATH|unix.O_DIRECTORY|unix.O_CLOEXEC|unix.O_NOFOLLOW, 0)
+ if err != nil {
+ return -1, &ErrNotAccessible{Path: path, Cause: err}
+ }
+ defer unix_noeintr.Close(prevFd)
+
+ // Try to use the Openat2 syscall first (available on Linux 5.6+).
+ fd, err := unix_noeintr.Openat2(prevFd, subpath, &unix.OpenHow{
+ Flags: unix.O_PATH | unix.O_CLOEXEC,
+ Mode: 0,
+ Resolve: unix.RESOLVE_BENEATH | unix.RESOLVE_NO_MAGICLINKS | unix.RESOLVE_NO_SYMLINKS,
+ })
+
+ switch {
+ case errors.Is(err, unix.ENOSYS):
+ // Openat2 is not available, fallback to Openat loop.
+ return kubernetesSafeOpen(path, subpath)
+ case errors.Is(err, unix.EXDEV):
+ return -1, &ErrEscapesBase{Base: path, Subpath: subpath}
+ case errors.Is(err, unix.ENOENT), errors.Is(err, unix.ELOOP):
+ return -1, &ErrNotAccessible{Path: filepath.Join(path, subpath), Cause: err}
+ case err != nil:
+ return -1, &os.PathError{Op: "openat2", Path: subpath, Err: err}
+ }
+
+ // Openat2 is available and succeeded.
+ return fd, nil
+}
+
+// tempMountPoint creates a temporary file/directory to act as mount
+// point for the file descriptor.
+func tempMountPoint(sourceFd int) (string, error) {
+ var stat unix.Stat_t
+ err := unix_noeintr.Fstat(sourceFd, &stat)
+ if err != nil {
+ return "", errors.Wrap(err, "failed to Fstat mount source fd")
+ }
+
+ isDir := (stat.Mode & unix.S_IFMT) == unix.S_IFDIR
+ if isDir {
+ return os.MkdirTemp("", "safe-mount")
+ }
+
+ f, err := os.CreateTemp("", "safe-mount")
+ if err != nil {
+ return "", err
+ }
+
+ p := f.Name()
+ if err := f.Close(); err != nil {
+ return "", err
+ }
+ return p, nil
+}
+
+// cleanupSafePaths returns a function that unmounts the path and removes the
+// mountpoint.
+func cleanupSafePath(path string) func(context.Context) error {
+ return func(ctx context.Context) error {
+ log.G(ctx).WithField("path", path).Debug("removing safe temp mount")
+
+ if err := unix_noeintr.Unmount(path, unix.MNT_DETACH); err != nil {
+ if errors.Is(err, unix.EINVAL) {
+ log.G(ctx).WithField("path", path).Warn("safe temp mount no longer exists?")
+ return nil
+ }
+ return errors.Wrapf(err, "error unmounting safe mount %s", path)
+ }
+ if err := os.Remove(path); err != nil {
+ if errors.Is(err, os.ErrNotExist) {
+ log.G(ctx).WithField("path", path).Warn("safe temp mount no longer exists?")
+ return nil
+ }
+ return errors.Wrapf(err, "failed to delete temporary safe mount")
+ }
+
+ return nil
+ }
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/join_windows.go b/vendor/github.com/docker/docker/internal/safepath/join_windows.go
new file mode 100644
index 0000000000..63c646a682
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/join_windows.go
@@ -0,0 +1,93 @@
+package safepath
+
+import (
+ "context"
+ "os"
+ "path/filepath"
+ "strings"
+
+ "github.com/containerd/log"
+ "github.com/docker/docker/internal/cleanups"
+ "github.com/docker/docker/internal/compatcontext"
+ "github.com/pkg/errors"
+ "golang.org/x/sys/windows"
+)
+
+// Join locks all individual components of the path which is the concatenation
+// of provided path and its subpath, checks that it doesn't escape the base path
+// and returns the concatenated path.
+//
+// The path is safe (the path target won't change) until the returned SafePath
+// is Closed.
+// Caller is responsible for calling the Close function which unlocks the path.
+func Join(ctx context.Context, path, subpath string) (*SafePath, error) {
+ base, subpart, err := evaluatePath(path, subpath)
+ if err != nil {
+ return nil, err
+ }
+ parts := strings.Split(subpart, string(os.PathSeparator))
+
+ cleanups := cleanups.Composite{}
+ defer func() {
+ if cErr := cleanups.Call(compatcontext.WithoutCancel(ctx)); cErr != nil {
+ log.G(ctx).WithError(cErr).Warn("failed to close handles after error")
+ }
+ }()
+
+ fullPath := base
+ for _, part := range parts {
+ fullPath = filepath.Join(fullPath, part)
+
+ handle, err := lockFile(fullPath)
+ if err != nil {
+ if errors.Is(err, windows.ERROR_FILE_NOT_FOUND) {
+ return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
+ }
+ return nil, errors.Wrapf(err, "failed to lock file %s", fullPath)
+ }
+ cleanups.Add(func(context.Context) error {
+ if err := windows.CloseHandle(handle); err != nil {
+ return &os.PathError{Op: "CloseHandle", Path: fullPath, Err: err}
+ }
+ return err
+ })
+
+ realPath, err := filepath.EvalSymlinks(fullPath)
+ if err != nil {
+ return nil, errors.Wrapf(err, "failed to eval symlinks of %s", fullPath)
+ }
+
+ if realPath != fullPath && !isLocalTo(realPath, base) {
+ return nil, &ErrEscapesBase{Base: base, Subpath: subpart}
+ }
+
+ var info windows.ByHandleFileInformation
+ if err := windows.GetFileInformationByHandle(handle, &info); err != nil {
+ return nil, errors.WithStack(&os.PathError{Op: "GetFileInformationByHandle", Path: fullPath, Err: err})
+ }
+
+ if (info.FileAttributes & windows.FILE_ATTRIBUTE_REPARSE_POINT) != 0 {
+ return nil, &ErrNotAccessible{Path: fullPath, Cause: err}
+ }
+ }
+
+ return &SafePath{
+ path: fullPath,
+ sourceBase: base,
+ sourceSubpath: subpart,
+ cleanup: cleanups.Release(),
+ }, nil
+}
+
+func lockFile(path string) (windows.Handle, error) {
+ p, err := windows.UTF16PtrFromString(path)
+ if err != nil {
+ return windows.InvalidHandle, &os.PathError{Op: "UTF16PtrFromString", Path: path, Err: err}
+ }
+ const flags = windows.FILE_FLAG_BACKUP_SEMANTICS | windows.FILE_FLAG_OPEN_REPARSE_POINT
+ handle, err := windows.CreateFile(p, windows.GENERIC_READ, windows.FILE_SHARE_READ, nil, windows.OPEN_EXISTING, flags, 0)
+ if err != nil {
+ return handle, &os.PathError{Op: "CreateFile", Path: path, Err: err}
+ }
+ return handle, nil
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go b/vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go
new file mode 100644
index 0000000000..ebbe7e17a5
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/k8s_safeopen_linux.go
@@ -0,0 +1,112 @@
+package safepath
+
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+import (
+ "context"
+ "fmt"
+ "path/filepath"
+ "strings"
+
+ "github.com/containerd/log"
+ "github.com/docker/docker/internal/unix_noeintr"
+ "golang.org/x/sys/unix"
+)
+
+// kubernetesSafeOpen open path formed by concatenation of the base directory
+// and its subpath and return its fd.
+// Symlinks are disallowed (pathname must already resolve symlinks) and the
+// path must be within the base directory.
+// This is minimally modified code from https://github.com/kubernetes/kubernetes/blob/55fb1805a1217b91b36fa8fe8f2bf3a28af2454d/pkg/volume/util/subpath/subpath_linux.go#L530
+func kubernetesSafeOpen(base, subpath string) (int, error) {
+ // syscall.Openat flags used to traverse directories not following symlinks
+ const nofollowFlags = unix.O_RDONLY | unix.O_NOFOLLOW
+ // flags for getting file descriptor without following the symlink
+ const openFDFlags = unix.O_NOFOLLOW | unix.O_PATH
+
+ pathname := filepath.Join(base, subpath)
+ segments := strings.Split(subpath, string(filepath.Separator))
+
+ // Assumption: base is the only directory that we have under control.
+ // Base dir is not allowed to be a symlink.
+ parentFD, err := unix_noeintr.Open(base, nofollowFlags|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return -1, &ErrNotAccessible{Path: base, Cause: err}
+ }
+ defer func() {
+ if parentFD != -1 {
+ if err = unix_noeintr.Close(parentFD); err != nil {
+ log.G(context.TODO()).Errorf("Closing FD %v failed for safeopen(%v): %v", parentFD, pathname, err)
+ }
+ }
+ }()
+
+ childFD := -1
+ defer func() {
+ if childFD != -1 {
+ if err = unix_noeintr.Close(childFD); err != nil {
+ log.G(context.TODO()).Errorf("Closing FD %v failed for safeopen(%v): %v", childFD, pathname, err)
+ }
+ }
+ }()
+
+ currentPath := base
+
+ // Follow the segments one by one using openat() to make
+ // sure the user cannot change already existing directories into symlinks.
+ for _, seg := range segments {
+ var deviceStat unix.Stat_t
+
+ currentPath = filepath.Join(currentPath, seg)
+ if !isLocalTo(currentPath, base) {
+ return -1, &ErrEscapesBase{Base: currentPath, Subpath: seg}
+ }
+
+ // Trigger auto mount if it's an auto-mounted directory, ignore error if not a directory.
+ // Notice the trailing slash is mandatory, see "automount" in openat(2) and open_by_handle_at(2).
+ unix_noeintr.Fstatat(parentFD, seg+"/", &deviceStat, unix.AT_SYMLINK_NOFOLLOW)
+
+ log.G(context.TODO()).Debugf("Opening path %s", currentPath)
+ childFD, err = unix_noeintr.Openat(parentFD, seg, openFDFlags|unix.O_CLOEXEC, 0)
+ if err != nil {
+ return -1, &ErrNotAccessible{Path: currentPath, Cause: err}
+ }
+
+ err := unix_noeintr.Fstat(childFD, &deviceStat)
+ if err != nil {
+ return -1, fmt.Errorf("error running fstat on %s with %v", currentPath, err)
+ }
+ fileFmt := deviceStat.Mode & unix.S_IFMT
+ if fileFmt == unix.S_IFLNK {
+ return -1, fmt.Errorf("unexpected symlink found %s", currentPath)
+ }
+
+ // Close parentFD
+ if err = unix_noeintr.Close(parentFD); err != nil {
+ return -1, fmt.Errorf("closing fd for %q failed: %v", filepath.Dir(currentPath), err)
+ }
+ // Set child to new parent
+ parentFD = childFD
+ childFD = -1
+ }
+
+ // We made it to the end, return this fd, don't close it
+ finalFD := parentFD
+ parentFD = -1
+
+ return finalFD, nil
+}
diff --git a/vendor/github.com/docker/docker/internal/safepath/safepath.go b/vendor/github.com/docker/docker/internal/safepath/safepath.go
new file mode 100644
index 0000000000..c43e06fd22
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/safepath/safepath.go
@@ -0,0 +1,63 @@
+package safepath
+
+import (
+ "context"
+ "fmt"
+ "sync"
+
+ "github.com/containerd/log"
+)
+
+type SafePath struct {
+ path string
+ cleanup func(ctx context.Context) error
+ mutex sync.Mutex
+
+ // Immutable fields
+ sourceBase, sourceSubpath string
+}
+
+// Close releases the resources used by the path.
+func (s *SafePath) Close(ctx context.Context) error {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+
+ if s.path == "" {
+ base, sub := s.SourcePath()
+ log.G(ctx).WithFields(log.Fields{
+ "path": s.Path(),
+ "sourceBase": base,
+ "sourceSubpath": sub,
+ }).Warn("an attempt to close an already closed SafePath")
+ return nil
+ }
+
+ s.path = ""
+ if s.cleanup != nil {
+ return s.cleanup(ctx)
+ }
+ return nil
+}
+
+// IsValid return true when path can still be used and wasn't cleaned up by Close.
+func (s *SafePath) IsValid() bool {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ return s.path != ""
+}
+
+// Path returns a safe, temporary path that can be used to access the original path.
+func (s *SafePath) Path() string {
+ s.mutex.Lock()
+ defer s.mutex.Unlock()
+ if s.path == "" {
+ panic(fmt.Sprintf("use-after-close attempted for safepath with source [%s, %s]", s.sourceBase, s.sourceSubpath))
+ }
+ return s.path
+}
+
+// SourcePath returns the source path the safepath points to.
+func (s *SafePath) SourcePath() (string, string) {
+ // No mutex lock because these are immutable.
+ return s.sourceBase, s.sourceSubpath
+}
diff --git a/vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go b/vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go
new file mode 100644
index 0000000000..0cb8ea7d68
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/sliceutil/sliceutil.go
@@ -0,0 +1,34 @@
+// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16:
+//go:build go1.19
+
+package sliceutil
+
+func Dedup[T comparable](slice []T) []T {
+ keys := make(map[T]struct{})
+ out := make([]T, 0, len(slice))
+ for _, s := range slice {
+ if _, ok := keys[s]; !ok {
+ out = append(out, s)
+ keys[s] = struct{}{}
+ }
+ }
+ return out
+}
+
+func Map[S ~[]In, In, Out any](s S, fn func(In) Out) []Out {
+ res := make([]Out, len(s))
+ for i, v := range s {
+ res[i] = fn(v)
+ }
+ return res
+}
+
+func Mapper[In, Out any](fn func(In) Out) func([]In) []Out {
+ return func(s []In) []Out {
+ res := make([]Out, len(s))
+ for i, v := range s {
+ res[i] = fn(v)
+ }
+ return res
+ }
+}
diff --git a/vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go b/vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go
new file mode 100644
index 0000000000..32c72d0041
--- /dev/null
+++ b/vendor/github.com/docker/docker/internal/unix_noeintr/fs_unix.go
@@ -0,0 +1,85 @@
+//go:build !windows
+
+// Wrappers for unix syscalls that retry on EINTR
+// TODO: Consider moving (for example to moby/sys) and making the wrappers
+// auto-generated.
+package unix_noeintr
+
+import (
+ "errors"
+
+ "golang.org/x/sys/unix"
+)
+
+func Retry(f func() error) {
+ for {
+ err := f()
+ if !errors.Is(err, unix.EINTR) {
+ return
+ }
+ }
+}
+
+func Mount(source string, target string, fstype string, flags uintptr, data string) (err error) {
+ Retry(func() error {
+ err = unix.Mount(source, target, fstype, flags, data)
+ return err
+ })
+ return
+}
+
+func Unmount(target string, flags int) (err error) {
+ Retry(func() error {
+ err = unix.Unmount(target, flags)
+ return err
+ })
+ return
+}
+
+func Open(path string, mode int, perm uint32) (fd int, err error) {
+ Retry(func() error {
+ fd, err = unix.Open(path, mode, perm)
+ return err
+ })
+ return
+}
+
+func Close(fd int) (err error) {
+ Retry(func() error {
+ err = unix.Close(fd)
+ return err
+ })
+ return
+}
+
+func Openat(dirfd int, path string, mode int, perms uint32) (fd int, err error) {
+ Retry(func() error {
+ fd, err = unix.Openat(dirfd, path, mode, perms)
+ return err
+ })
+ return
+}
+
+func Openat2(dirfd int, path string, how *unix.OpenHow) (fd int, err error) {
+ Retry(func() error {
+ fd, err = unix.Openat2(dirfd, path, how)
+ return err
+ })
+ return
+}
+
+func Fstat(fd int, stat *unix.Stat_t) (err error) {
+ Retry(func() error {
+ err = unix.Fstat(fd, stat)
+ return err
+ })
+ return
+}
+
+func Fstatat(fd int, path string, stat *unix.Stat_t, flags int) (err error) {
+ Retry(func() error {
+ err = unix.Fstatat(fd, path, stat, flags)
+ return err
+ })
+ return
+}
diff --git a/vendor/github.com/docker/docker/oci/namespaces.go b/vendor/github.com/docker/docker/oci/namespaces.go
index 851edd61ef..befcefcc40 100644
--- a/vendor/github.com/docker/docker/oci/namespaces.go
+++ b/vendor/github.com/docker/docker/oci/namespaces.go
@@ -14,3 +14,14 @@ func RemoveNamespace(s *specs.Spec, nsType specs.LinuxNamespaceType) { } } } + +// NamespacePath returns the configured Path of the first namespace in +// s.Linux.Namespaces of type nsType. +func NamespacePath(s *specs.Spec, nsType specs.LinuxNamespaceType) (path string, ok bool) { + for _, n := range s.Linux.Namespaces { + if n.Type == nsType { + return n.Path, true + } + } + return "", false +} diff --git a/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go b/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go index f71bb036c7..3b7fd80f28 100644 --- a/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go +++ b/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go @@ -1,10 +1,6 @@ package containerfs // import "github.com/docker/docker/pkg/containerfs" -import ( - "path/filepath" - - "github.com/moby/sys/symlink" -) +import "path/filepath" // CleanScopedPath prepares the given path to be combined with a mount path or // a drive-letter. On Windows, it removes any existing driveletter (e.g. "C:"). @@ -17,11 +13,3 @@ func CleanScopedPath(path string) string { } return filepath.Join(string(filepath.Separator), path) } - -// ResolveScopedPath evaluates the given path scoped to the root. -// For example, if root=/a, and path=/b/c, then this function would return /a/b/c. -// -// Deprecated: use [symlink.FollowSymlinkInScope]. -func ResolveScopedPath(root, path string) (string, error) { - return symlink.FollowSymlinkInScope(filepath.Join(root, path), root) -} diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir.go b/vendor/github.com/docker/docker/pkg/homedir/homedir.go index 590683206c..c0ab3f5bf3 100644 --- a/vendor/github.com/docker/docker/pkg/homedir/homedir.go +++ b/vendor/github.com/docker/docker/pkg/homedir/homedir.go 
@@ -6,14 +6,6 @@ import ( "runtime" ) -// Key returns the env var name for the user's home dir based on -// the platform being run on. -// -// Deprecated: this function is no longer used, and will be removed in the next release. -func Key() string { - return envKeyName -} - // Get returns the home directory of the current user with the help of // environment variables depending on the target operating system. // Returned path should be used with "path/filepath" to form new paths. @@ -34,11 +26,3 @@ func Get() string { } return home } - -// GetShortcutString returns the string that is shortcut to user's home directory -// in the native shell of the platform running on. -// -// Deprecated: this function is no longer used, and will be removed in the next release. -func GetShortcutString() string { - return homeShortCut -} diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go deleted file mode 100644 index feae4d736c..0000000000 --- a/vendor/github.com/docker/docker/pkg/homedir/homedir_unix.go +++ /dev/null @@ -1,8 +0,0 @@ -//go:build !windows - -package homedir // import "github.com/docker/docker/pkg/homedir" - -const ( - envKeyName = "HOME" - homeShortCut = "~" -) diff --git a/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go b/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go deleted file mode 100644 index 37f4ee6701..0000000000 --- a/vendor/github.com/docker/docker/pkg/homedir/homedir_windows.go +++ /dev/null @@ -1,6 +0,0 @@ -package homedir // import "github.com/docker/docker/pkg/homedir" - -const ( - envKeyName = "USERPROFILE" - homeShortCut = "%USERPROFILE%" // be careful while using in format functions -) diff --git a/vendor/github.com/docker/docker/pkg/plugins/discovery.go b/vendor/github.com/docker/docker/pkg/plugins/discovery.go index 37316ed482..503ac574a9 100644 --- a/vendor/github.com/docker/docker/pkg/plugins/discovery.go 
+++ b/vendor/github.com/docker/docker/pkg/plugins/discovery.go @@ -10,6 +10,8 @@ import ( "strings" "sync" + "github.com/containerd/containerd/pkg/userns" + "github.com/containerd/log" "github.com/pkg/errors" ) @@ -56,10 +58,16 @@ func (l *LocalRegistry) Scan() ([]string, error) { for _, p := range l.specsPaths { dirEntries, err = os.ReadDir(p) - if err != nil && !os.IsNotExist(err) { + if err != nil { + if os.IsNotExist(err) { + continue + } + if os.IsPermission(err) && userns.RunningInUserNS() { + log.L.Debug(err.Error()) + continue + } return nil, errors.Wrap(err, "error reading dir entries") } - for _, entry := range dirEntries { if entry.IsDir() { infos, err := os.ReadDir(filepath.Join(p, entry.Name())) diff --git a/vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go b/vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go deleted file mode 100644 index afb57dae6a..0000000000 --- a/vendor/github.com/docker/docker/pkg/system/image_os_deprecated.go +++ /dev/null @@ -1,19 +0,0 @@ -package system - -import ( - "errors" - "runtime" - "strings" -) - -// ErrNotSupportedOperatingSystem means the operating system is not supported. -// -// Deprecated: use [github.com/docker/docker/image.CheckOS] and check the error returned. -var ErrNotSupportedOperatingSystem = errors.New("operating system is not supported") - -// IsOSSupported determines if an operating system is supported by the host. -// -// Deprecated: use [github.com/docker/docker/image.CheckOS] and check the error returned. -func IsOSSupported(os string) bool { - return strings.EqualFold(runtime.GOOS, os) -} diff --git a/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go b/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go index 82f973ffc9..746afde8d5 100644 --- a/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go +++ b/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go 
@@ -1,3 +1,6 @@ +// FIXME(thaJeztah): remove once we are a module; the go:build directive prevents go from downgrading language version to go1.16: +//go:build go1.19 + package v2 // import "github.com/docker/docker/plugin/v2" import ( @@ -6,7 +9,10 @@ import ( "runtime" "strings" + "github.com/containerd/containerd/pkg/userns" "github.com/docker/docker/api/types" + "github.com/docker/docker/internal/rootless/mountopts" + "github.com/docker/docker/internal/sliceutil" "github.com/docker/docker/oci" specs "github.com/opencontainers/runtime-spec/specs-go" "github.com/pkg/errors" @@ -136,5 +142,35 @@ func (p *Plugin) InitSpec(execRoot string) (*specs.Spec, error) { p.modifyRuntimeSpec(&s) } + // Rootless mode requires modifying the mount flags + // https://github.com/moby/moby/issues/47248#issuecomment-1927776700 + // https://github.com/moby/moby/pull/47558 + if userns.RunningInUserNS() { + for i := range s.Mounts { + m := &s.Mounts[i] + for _, o := range m.Options { + switch o { + case "bind", "rbind": + if _, err := os.Lstat(m.Source); err != nil { + if errors.Is(err, os.ErrNotExist) { + continue + } + return nil, err + } + // UnprivilegedMountFlags gets the set of mount flags that are set on the mount that contains the given + // path and are locked by CL_UNPRIVILEGED. This is necessary to ensure that + // bind-mounting "with options" will not fail with user namespaces, due to + // kernel restrictions that require user namespace mounts to preserve + // CL_UNPRIVILEGED locked flags. + unpriv, err := mountopts.UnprivilegedMountFlags(m.Source) + if err != nil { + return nil, errors.Wrapf(err, "failed to get unprivileged mount flags for %+v", m) + } + m.Options = sliceutil.Dedup(append(m.Options, unpriv...)) + } + } + } + } + return &s, nil } diff --git a/vendor/github.com/docker/docker/restartmanager/restartmanager.go b/vendor/github.com/docker/docker/restartmanager/restartmanager.go index e1337662c1..16a85077f8 100644 
--- a/vendor/github.com/docker/docker/restartmanager/restartmanager.go +++ b/vendor/github.com/docker/docker/restartmanager/restartmanager.go @@ -63,7 +63,7 @@ func (rm *RestartManager) ShouldRestart(exitCode uint32, hasBeenManuallyStopped if rm.active { return false, nil, fmt.Errorf("invalid call on an active restart manager") } - // if the container ran for more than 10s, regardless of status and policy reset the + // if the container ran for more than 10s, regardless of status and policy reset // the timeout back to the default. if executionDuration.Seconds() >= 10 { rm.timeout = 0 diff --git a/vendor/github.com/docker/docker/runconfig/config.go b/vendor/github.com/docker/docker/runconfig/config.go index 3ba1609e91..81047ea6d1 100644 --- a/vendor/github.com/docker/docker/runconfig/config.go +++ b/vendor/github.com/docker/docker/runconfig/config.go @@ -27,11 +27,6 @@ func (r ContainerDecoder) DecodeConfig(src io.Reader) (*container.Config, *conta return decodeContainerConfig(src, si) } -// DecodeHostConfig makes ContainerDecoder to implement httputils.ContainerDecoder -func (r ContainerDecoder) DecodeHostConfig(src io.Reader) (*container.HostConfig, error) { - return decodeHostConfig(src) -} - // decodeContainerConfig decodes a json encoded config into a ContainerConfigWrapper // struct and returns both a Config and a HostConfig struct, and performs some // validation. Certain parameters need daemon-side validation that cannot be done diff --git a/vendor/github.com/docker/docker/runconfig/hostconfig.go b/vendor/github.com/docker/docker/runconfig/hostconfig.go index 8a9e65f1a2..84a4ae0b6f 100644 --- a/vendor/github.com/docker/docker/runconfig/hostconfig.go +++ b/vendor/github.com/docker/docker/runconfig/hostconfig.go 
@@ -1,23 +1,12 @@ package runconfig // import "github.com/docker/docker/runconfig" import ( - "io" "strings" "github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/network" ) -// DecodeHostConfig creates a HostConfig based on the specified Reader. -// It assumes the content of the reader will be JSON, and decodes it. -func decodeHostConfig(src io.Reader) (*container.HostConfig, error) { - var w ContainerConfigWrapper - if err := loadJSON(src, &w); err != nil { - return nil, err - } - return w.getHostConfig(), nil -} - // SetDefaultNetModeIfBlank changes the NetworkMode in a HostConfig structure // to default if it is not populated. This ensures backwards compatibility after // the validation of the network mode was moved from the docker CLI to the diff --git a/vendor/github.com/docker/docker/volume/mounts/linux_parser.go b/vendor/github.com/docker/docker/volume/mounts/linux_parser.go index e7e8ad80f3..1532187c77 100644 --- a/vendor/github.com/docker/docker/volume/mounts/linux_parser.go +++ b/vendor/github.com/docker/docker/volume/mounts/linux_parser.go @@ -96,8 +96,18 @@ func (p *linuxParser) validateMountConfigImpl(mnt *mount.Mount, validateBindSour if mnt.BindOptions != nil { return &errMountConfig{mnt, errExtraField("BindOptions")} } + anonymousVolume := len(mnt.Source) == 0 - if len(mnt.Source) == 0 && mnt.ReadOnly { + if mnt.VolumeOptions != nil && mnt.VolumeOptions.Subpath != "" { + if anonymousVolume { + return &errMountConfig{mnt, errAnonymousVolumeWithSubpath} + } + + if !filepath.IsLocal(mnt.VolumeOptions.Subpath) { + return &errMountConfig{mnt, errInvalidSubpath} + } + } + if mnt.ReadOnly && anonymousVolume { return &errMountConfig{mnt, fmt.Errorf("must not set ReadOnly mode when using anonymous volumes")} } case mount.TypeTmpfs: diff --git a/vendor/github.com/docker/docker/volume/mounts/mounts.go b/vendor/github.com/docker/docker/volume/mounts/mounts.go index 74caf015ff..7a518a046f 100644 
--- a/vendor/github.com/docker/docker/volume/mounts/mounts.go +++ b/vendor/github.com/docker/docker/volume/mounts/mounts.go @@ -5,10 +5,12 @@ import ( "fmt" "os" "path/filepath" + "runtime/debug" "syscall" "github.com/containerd/log" mounttypes "github.com/docker/docker/api/types/mount" + "github.com/docker/docker/internal/safepath" "github.com/docker/docker/pkg/idtools" "github.com/docker/docker/pkg/stringid" "github.com/docker/docker/volume" @@ -74,19 +76,50 @@ type MountPoint struct { // Specifically needed for containers which are running and calls to `docker cp` // because both these actions require mounting the volumes. active int + + // SafePaths created by Setup that should be cleaned up before unmounting + // the volume. + safePaths []*safepath.SafePath } -// Cleanup frees resources used by the mountpoint -func (m *MountPoint) Cleanup() error { +// Cleanup frees resources used by the mountpoint and cleans up all the paths +// returned by Setup that hasn't been cleaned up by the caller. +func (m *MountPoint) Cleanup(ctx context.Context) error { if m.Volume == nil || m.ID == "" { return nil } + logger := log.G(ctx).WithFields(log.Fields{"active": m.active, "id": m.ID}) + + // TODO: Remove once the real bug is fixed: https://github.com/moby/moby/issues/46508 + if m.active == 0 { + logger.Error("An attempt to decrement a zero mount count") + logger.Error(string(debug.Stack())) + return nil + } + + for _, p := range m.safePaths { + if !p.IsValid() { + continue + } + + err := p.Close(ctx) + base, sub := p.SourcePath() + log.G(ctx).WithFields(log.Fields{ + "error": err, + "path": p.Path(), + "sourceBase": base, + "sourceSubpath": sub, + }).Warn("cleaning up SafePath that hasn't been cleaned up by the caller") + } + if err := m.Volume.Unmount(m.ID); err != nil { return errors.Wrapf(err, "error unmounting volume %s", m.Volume.Name()) } m.active-- + logger.Debug("MountPoint.Cleanup Decrement active count") + if m.active == 0 { m.ID = "" } 
@@ -97,30 +130,42 @@ func (m *MountPoint) Cleanup() error { // configured, or creating the source directory if supplied. // The, optional, checkFun parameter allows doing additional checking // before creating the source directory on the host. -func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun func(m *MountPoint) error) (path string, err error) { +// +// The returned path can be a temporary path, caller is responsible to +// call the returned cleanup function as soon as the path is not needed. +// Cleanup doesn't unmount the underlying volumes (if any), it only +// frees up the resources that were needed to guarantee that the path +// still points to the same target (to avoid TOCTOU attack). +// +// Cleanup function doesn't need to be called when error is returned. +func (m *MountPoint) Setup(ctx context.Context, mountLabel string, rootIDs idtools.Identity, checkFun func(m *MountPoint) error) (path string, cleanup func(context.Context) error, retErr error) { if m.SkipMountpointCreation { - return m.Source, nil + return m.Source, noCleanup, nil } defer func() { - if err != nil || !label.RelabelNeeded(m.Mode) { + if retErr != nil || !label.RelabelNeeded(m.Mode) { return } - var sourcePath string - sourcePath, err = filepath.EvalSymlinks(m.Source) + sourcePath, err := filepath.EvalSymlinks(path) if err != nil { path = "" - err = errors.Wrapf(err, "error evaluating symlinks from mount source %q", m.Source) + retErr = errors.Wrapf(err, "error evaluating symlinks from mount source %q", m.Source) + if cleanupErr := cleanup(ctx); cleanupErr != nil { + log.G(ctx).WithError(cleanupErr).Warn("failed to cleanup after error") + } + cleanup = noCleanup return } err = label.Relabel(sourcePath, mountLabel, label.IsShared(m.Mode)) - if errors.Is(err, syscall.ENOTSUP) { - err = nil - } - if err != nil { + if err != nil && !errors.Is(err, syscall.ENOTSUP) { path = "" - err = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath) + 
retErr = errors.Wrapf(err, "error setting label on mount source '%s'", sourcePath) + if cleanupErr := cleanup(ctx); cleanupErr != nil { + log.G(ctx).WithError(cleanupErr).Warn("failed to cleanup after error") + } + cleanup = noCleanup } }() @@ -129,18 +174,36 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun if id == "" { id = stringid.GenerateRandomID() } - path, err := m.Volume.Mount(id) + volumePath, err := m.Volume.Mount(id) if err != nil { - return "", errors.Wrapf(err, "error while mounting volume '%s'", m.Source) + return "", noCleanup, errors.Wrapf(err, "error while mounting volume '%s'", m.Source) } m.ID = id + clean := noCleanup + if m.Spec.VolumeOptions != nil && m.Spec.VolumeOptions.Subpath != "" { + subpath := m.Spec.VolumeOptions.Subpath + + safePath, err := safepath.Join(ctx, volumePath, subpath) + if err != nil { + if err := m.Volume.Unmount(id); err != nil { + log.G(ctx).WithError(err).Error("failed to unmount after safepath.Join failed") + } + return "", noCleanup, err + } + m.safePaths = append(m.safePaths, safePath) + log.G(ctx).Debugf("mounting (%s|%s) via %s", volumePath, subpath, safePath.Path()) + + clean = safePath.Close + volumePath = safePath.Path() + } + m.active++ - return path, nil + return volumePath, clean, nil } if len(m.Source) == 0 { - return "", fmt.Errorf("Unable to setup mount point, neither source nor volume defined") + return "", noCleanup, fmt.Errorf("Unable to setup mount point, neither source nor volume defined") } if m.Type == mounttypes.TypeBind { @@ -149,7 +212,7 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun // the process of shutting down. if checkFun != nil { if err := checkFun(m); err != nil { - return "", err + return "", noCleanup, err } } 
@@ -158,12 +221,12 @@ func (m *MountPoint) Setup(mountLabel string, rootIDs idtools.Identity, checkFun if err := idtools.MkdirAllAndChownNew(m.Source, 0o755, rootIDs); err != nil { if perr, ok := err.(*os.PathError); ok { if perr.Err != syscall.ENOTDIR { - return "", errors.Wrapf(err, "error while creating mount source path '%s'", m.Source) + return "", noCleanup, errors.Wrapf(err, "error while creating mount source path '%s'", m.Source) } } } } - return m.Source, nil + return m.Source, noCleanup, nil } func (m *MountPoint) LiveRestore(ctx context.Context) error { @@ -207,3 +270,8 @@ func errInvalidMode(mode string) error { func errInvalidSpec(spec string) error { return errors.Errorf("invalid volume specification: '%s'", spec) } + +// noCleanup is a no-op cleanup function. +func noCleanup(_ context.Context) error { + return nil +} diff --git a/vendor/github.com/docker/docker/volume/mounts/parser.go b/vendor/github.com/docker/docker/volume/mounts/parser.go index 2bcf9ab053..c4ff6c8c7e 100644 --- a/vendor/github.com/docker/docker/volume/mounts/parser.go +++ b/vendor/github.com/docker/docker/volume/mounts/parser.go @@ -11,6 +11,14 @@ import ( // It's used by both LCOW and Linux parsers. var ErrVolumeTargetIsRoot = errors.New("invalid specification: destination can't be '/'") +// errAnonymousVolumeWithSubpath is returned when Subpath is specified for +// anonymous volume. +var errAnonymousVolumeWithSubpath = errors.New("must not set Subpath when using anonymous volumes") + +// errInvalidSubpath is returned when the provided Subpath is not lexically an +// relative path within volume. +var errInvalidSubpath = errors.New("subpath must be a relative path within the volume") + // read-write modes var rwModes = map[string]bool{ "rw": true, diff --git a/vendor/github.com/docker/docker/volume/mounts/windows_parser.go b/vendor/github.com/docker/docker/volume/mounts/windows_parser.go index f9f0f08f44..c3a6c6bb69 100644 
--- a/vendor/github.com/docker/docker/volume/mounts/windows_parser.go +++ b/vendor/github.com/docker/docker/volume/mounts/windows_parser.go @@ -4,6 +4,7 @@ import ( "errors" "fmt" "os" + "path/filepath" "regexp" "runtime" "strings" @@ -258,7 +259,19 @@ func (p *windowsParser) validateMountConfigReg(mnt *mount.Mount, additionalValid return &errMountConfig{mnt, errExtraField("BindOptions")} } - if len(mnt.Source) == 0 && mnt.ReadOnly { + anonymousVolume := len(mnt.Source) == 0 + if mnt.VolumeOptions != nil && mnt.VolumeOptions.Subpath != "" { + if anonymousVolume { + return errAnonymousVolumeWithSubpath + } + + // Check if path is relative but without any back traversals + if !filepath.IsLocal(mnt.VolumeOptions.Subpath) { + return &errMountConfig{mnt, errInvalidSubpath} + } + } + + if anonymousVolume && mnt.ReadOnly { return &errMountConfig{mnt, fmt.Errorf("must not set ReadOnly mode when using anonymous volumes")} } diff --git a/vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go b/vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go deleted file mode 100644 index a76f807600..0000000000 --- a/vendor/github.com/golang/protobuf/ptypes/timestamp/timestamp.pb.go +++ /dev/null 
@@ -1,64 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// source: github.com/golang/protobuf/ptypes/timestamp/timestamp.proto - -package timestamp - -import ( - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - timestamppb "google.golang.org/protobuf/types/known/timestamppb" - reflect "reflect" -) - -// Symbols defined in public import of google/protobuf/timestamp.proto. - -type Timestamp = timestamppb.Timestamp - -var File_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto protoreflect.FileDescriptor - -var file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_rawDesc = []byte{ - 0x0a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6c, - 0x61, 0x6e, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x70, 0x74, 0x79, - 0x70, 0x65, 0x73, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2f, 0x74, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, - 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x42, 0x37, - 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x67, 0x6f, 0x6c, - 0x61, 0x6e, 0x67, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x70, 0x74, 0x79, - 0x70, 0x65, 0x73, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x3b, 0x74, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x50, 0x00, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, -} - -var file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_goTypes = []interface{}{} -var file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_depIdxs = []int32{ - 0, // [0:0] is the sub-list for method output_type - 0, // [0:0] is the sub-list for method input_type - 0, // [0:0] is the 
sub-list for extension type_name - 0, // [0:0] is the sub-list for extension extendee - 0, // [0:0] is the sub-list for field type_name -} - -func init() { file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_init() } -func file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_init() { - if File_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto != nil { - return - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_rawDesc, - NumEnums: 0, - NumMessages: 0, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_goTypes, - DependencyIndexes: file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_depIdxs, - }.Build() - File_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto = out.File - file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_rawDesc = nil - file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_goTypes = nil - file_github_com_golang_protobuf_ptypes_timestamp_timestamp_proto_depIdxs = nil -} 
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_intermediate_cert.der deleted file mode 100644 index 958f3cfaddf3645fa6c0578b5b6955d65ac4c172..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 998 zcmXqLVt!=M#B^!_GZP~dlZfxTkgMw#Mx5CteAhsdS=K*t&xAY!UN%mxHjlRNyo`+8 ztPBQ??S|Y2oNUaYENsF|p}{Z?2M?38qoI(207!`V#>K<# zoS$2em{(~iXuuB=;pX9R$t=q(&dkp<6f+P32{H5V78@nTm!uY##3!c~l^9AHNWiV< zWEA7BsH}1TV!h=2Tmw0AULzv|Gec7&Lt`^z^C)p%6J+ina%mHz5^^vyvNA9?G4eAQ zG%<29H8CnfQWlH+MyjTjz z2Bjk+Ub9TzT(Z$!`+w1f9a{SYn?h^$U$mDJKK^KOurlxGlhf8coXvjW^}bgt-rFjD znHJ|Xo9Wew;}%JlW_Kjsthc+chb^XXpU3LOdy_KCS4OTntgUFd?YsGkV{8gPCrIUU z7xZ1<|6Oe5g44&3J$ODp>G5YKW=00a#V!U;2J*mEAgjzGVIbBZvce&_^W7!+r|T*d zavIkkZ(n>dQ`LY6q(GR3)qt6i@xOr}h$qOxWx&zImXe>Fn2DZTf#J-^uui3sYst!# z{ImS~I{#0uS#WDz%!i-3yIxOGkACKhN$DyM2L{LbrkL@xJCpY3crHP)J~LHEx;nsZlX$z1Na++S~*x&F8L zSHsIX`Pf;-7fz4f$yxWfRV}c$Te2$X#22gkrUlwjtNp9{IiD}~zjo}z)1J=iJoj~z zPFk$n)~eK8B%5+0@w1g$N8H(l+-H4!LOMmyS_+%b`$^TD`}g=z?!9=Gts-l=GE2@y HTP6bly#{pd 
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_leaf_cert.der deleted file mode 100644 index d2817641bafb022339926786ab85b545f40ac665..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1147 zcmXqLVktLhVvb+H%*4pVB*OPMYW498DSV5WgVNVW|Jr8oCgimNFB_*;n@8JsUPeZ4 zRtAH{c0+ChPB!LH7B*p~&|nycgNMo4(NM@h03^fC!x>zfmseSqn3HNKV890w6yxnyM_06xZQcZ?W@M4y!->Y40>Qzg1y0 z&gNQpqF{|c>D+ZZ(rFIKEL_n{%!~|-iyLnkG+s4m+z3nvvdS!tD-9Z#Eo|&v(%3b4 zVzNoZ_g%=<^$R1;>=M3fAjvH2AGv2jo&gWY$-*qG2F#3%{|y8|JV6#N1CA!Pl>FSp z%sk}C2j(GQ()!XwH^ngbB~t_{rh@w&h5|n>_#Tt3odjy zuPCdY_u)fF^#8=jc^^+Q{aqN5`$@Gm({I-q6VU_LtQOD6naL>j(`V|D&;QI6%^$Dc z@$uH$=blqSKTV1FFaEpmVP=>@vvi*Y`l|mqO|ORNA0oIS8nOI z?NiA8%5=ljL@D29-OKpueEYz|zv5rHb554&taa#n7142tpUKWU?R-O_r^0)6j>G3Y aOB;Xxy<$H9NT-Uzt(mu6i*GEf3IzZ)c%0q< 
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/client_root_cert.der deleted file mode 100644 index d8c3710c85f9ff41ddfc709924c866350a727a4f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1013 zcmXqLV*Y5*#B_53GZP~dlZa+?pWMd9xVH0Kw4Tf@Xyh=ks1AdSQHxGwPW?5!&W`3Tbn1KjLh?$4C*eEf+B(=CCJ~_3h#8ApW0&YDg zqZoHZWt9UE>m}#s8pw(B8W|aw8XFoJ7#JIxMv3#90J%nHQ0^ddX%nLoaxgNoGB7tW z@-rATF>*0AF)}hdZr#y6M}F(|x(>G^%gcAlKWcTb*S((Se#vIyuMojqJ6T@W9G$-N zZ|C3aC}V-ru$PA$a>||`V5!;WvLO9;#Z4xLTYkS~Q%%)mH+DGbsA<2rr@8F$Psyk! zC02_czBy5RY)XCG=Yl1DX=(>VSrdJ-C#|hK7^zn?b35awX)f$Ntvf$$ zcUg9sL1fPSDbXqWt6$VVZu~MYZrj`2y}fI?80UuXsujC8ao09pzReSEFH3&Hjk;!&j?yPw^7|NHlfMLseyY=TyHB}&&4U!T;kt&%Ic z-@@f=`1w!pGyVU%zJI$PWGYXZ;?Bg($iTQb*dWkA7MKcT`B=nQL{>NicfPwM|8!l2 zLQdoQtUFt($qvv(cdI=i6tz3tUW`|a0C z&5N-8^H(H$?psgMz!}^;s& z=?+d?)Hkg%emvc~QLj+DwRvTMu)Tl4_m}{_7kTC1{xNsF-p9krsM-B)Ge_#Kiu#~{ zd67^5U(N6lVcaug+5}Tw2V+f_-BCNQyG;7WAZ_<^`6QjCrOhu7&ztq4tdo7t^%&>) zTR0VF*I2Sr HHQW{e5x{wf 
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_intermediate_cert.der deleted file mode 100644 index dae619c097512f20d09d2054c63fc0f715d7be24..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 998 zcmXqLVt!=M#B^!_GZP~dlZZk6mxvepr#-!NVoqOL*`yn*LOZ7#@Un4gwRyCC=VfH% zW@RvFY&YaK;ACSCWnmL$3Jr#FICz+x9SwyH1VA$EJeHTH8JZfJT11KSnjmurkxQExm5_sxk(GhDiIJbd zpox)-sfm%1VO{t`EzVyWX$3+}`kJnrGQY>^=jnZyz4d%;|IQeuB_Gcfo1a{_>B5Fg zXYbI=4K*7QZdjc*51-)~EjRzyir2SPA5Z@zcTLeXV*g^*2f0P(7p>c z?c<>#uh>H(ryKBq6bQ4h8Za|5{x=W=@dR183^XGxLzc8JJvw;mpWjp+5Pu z!*lq#5Sb^i@`a>klJNjzx%iu)2*?h3yy-gEL(;p^g~mZo#n!wzh9Qua5C+wfRd ztarh_l9E{Oro7&WNVTl@3-~vy&EDU;)-f|r-8<&mQ>C=;``&D2+5V0(pW(g3o1}Sj z^gY793Mi&+ntK1`1tm%ENt=U{rb%k1PtbRHEhYTylqR?8HqOeuvA1fBY>pc~NUFTR KZE!sDzAgX``fm0B diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_leaf_cert.der deleted file mode 100644 index ce7f8d31d6802c7e68c188af8797c3a063894857..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1147 zcmXqLVktLhVvb+H%*4pVB%&$)xidhT`$ARBi)~L`p2_`@+!*`b5acj4ER7|Ts-W~ z`MCv&d6kBO2K*oqZXOPo%(Bel%=|nTUzhK>3dC_Z(le%bCn$9moio9jI@8{ zd;5%c{XT!(ig$;5K+$bpwI6ChVmse+UV1r`!RY5*U#A%ppFJxS>PX#w$sz7*X_R~A zg!|$g&z66XI$)aW-TrxDio@fp!U^sS#+*GdHMB|H?BTf!^g~J_=D$Y-Ot{~xpTg~G+{k6 Zdr{DieczoQDL-a%Ib3(Tsv+bGCjf+Ap-TV& 
diff --git a/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der b/vendor/github.com/google/s2a-go/internal/v2/certverifier/testdata/server_root_cert.der deleted file mode 100644 index 04b0d73600b72f80a03943d41973b279db9e8b32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1013 zcmXqLV*Y5*#B_53GZP~dlZb{E^N!s~snriRh?%)HJiGKl>CAisUN%mxHjlRNyo`+8 ztPBQ??S|Y2oNUaYENsF|p}{Z?2M?38qoI(207!`V#>K<# zoS$2em{(~iXuuB=;pX9R$t=q(&dkp<6f+P32{H5V78@nTm!uY##3!c~l^9AHNWiV< zWEA7BsH}1TV!h=2Tmw0AULzv|Q)5FT0|N^q(aL-(RkWjuO*nCZC(^b4{cp%V+e53*PfoZW)2DU5BJN^Jypf0+ z%dyqB7eAAEDfH_&Z*6C3aP8^9M)sYbgC^`~v;4F5#oepTLYl5+2bdY(i!-?My>4G) z&8u+L`?_9LxQB1$HP?fpd*5i(-|SJJ!`sZHa8UZu(QeP3Dc(Yr8?G#iY20z>);Fh$ zMQ>DZHkC%KUBdEb&cYv;1sHCx@Vv~#%*epFIM^W2Ko*z^WcgUcSVVXxICA%7?w=9J zwOIRjXviz}kjUu<@*rtt76}8f2J8wz2}@R(k?}tZs{u2RLJoFd>IDWnBZI}4y?mP{ zW+WALO{`uTY0T-O8uy=9`&z_;*e^$wYu3!Wz-Re-&a7vV%g_8h++q8CMf&zxTFdl~ zp5i+{-R9L&+mdUFEBoKr@u=5M->UQ>MNWJ7BRi)4^M4~B*uKhe`J%yAbG&-Thr?bk zCap+`USuL4V}qf=6kBV_EFAN zmIn*31Qb`P{oxd|=2o5l$|&AdTJ_-*k&5oDQvTTOiN8OjczyHyta?pWMd9xVH0Kw4Tf@Xyh=ks1AdSQHxGwPW?5!&W`3Tbn1KjLh?$4C*eEf+B(=CCJ~_3h#8ApW0&YDg zqZoHZWt9UE>m}#s8pw(B8W|aw8XFoJ7#JIxMv3#90J%nHQ0^ddX%nLoaxgNoGB7tW z@-rATF>*0AF)}hdZr#y6M}F(|x(>G^%gcAlKWcTb*S((Se#vIyuMojqJ6T@W9G$-N zZ|C3aC}V-ru$PA$a>||`V5!;WvLO9;#Z4xLTYkS~Q%%)mH+DGbsA<2rr@8F$Psyk! zC02_czBy5RY)XCG=Yl1DX=(>VSrdJ-C#|hK7^zn?b35awX)f$Ntvf$$ zcUg9sL1fPSDbXqWt6$VVZu~MYZrj`2y}fI?80UuXsujC8ao09pzReSEFH3&Hjk;!&j?yPw^7|NHlfMLseyY=TyHB}&&4U!T;kt&%Ic z-@@f=`1w!pGyVU%zJI$PWGYXZ;?Bg($iTQb*dWkA7MKcT`B=nQL{>NicfPwM|8!l2 zLQdoQtUFt($qvv(cdI=i6tz3tUW`|a0C z&5N-8^H(H$?psgMz!}^;s& z=?+d?)Hkg%emvc~QLj+DwRvTMu)Tl4_m}{_7kTC1{xNsF-p9krsM-B)Ge_#Kiu#~{ zd67^5U(N6lVcaug+5}Tw2V+f_-BCNQyG;7WAZ_<^`6QjCrOhu7&ztq4tdo7t^%&>) zTR0VF*I2Sr HHQW{e5x{wf 
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem
deleted file mode 100644
index 493a5a2648..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_cert.pem
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID8TCCAtmgAwIBAgIUKXNlBRVe6UepjQUijIFPZBd/4qYwDQYJKoZIhvcNAQEL
-BQAwgYcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTESMBAGA1UEBwwJU3Vubnl2
-YWxlMRAwDgYDVQQKDAdDb21wYW55MREwDwYDVQQLDAhEaXZpc2lvbjEWMBQGA1UE
-AwwNczJhX3Rlc3RfY2VydDEaMBgGCSqGSIb3DQEJARYLeHl6QHh5ei5jb20wHhcN
-MjIwNTMxMjAwMzE1WhcNNDIwNTI2MjAwMzE1WjCBhzELMAkGA1UEBhMCVVMxCzAJ
-BgNVBAgMAkNBMRIwEAYDVQQHDAlTdW5ueXZhbGUxEDAOBgNVBAoMB0NvbXBhbnkx
-ETAPBgNVBAsMCERpdmlzaW9uMRYwFAYDVQQDDA1zMmFfdGVzdF9jZXJ0MRowGAYJ
-KoZIhvcNAQkBFgt4eXpAeHl6LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOOFuIucH7XXfohGxKd3uR/ihUA/LdduR9I8kfpUEbq5BOt8xZe5/Yn9
-a1ozEHVW6cOAbHbnwAR8tkSgZ/t42QIA2k77HWU1Jh2xiEIsJivo3imm4/kZWuR0
-OqPh7MhzxpR/hvNwpI5mJsAVBWFMa5KtecFZLnyZtwHylrRN1QXzuLrOxuKFufK3
-RKbTABScn5RbZL976H/jgfSeXrbt242NrIoBnVe6fRbekbq2DQ6zFArbQMUgHjHK
-P0UqBgdr1QmHfi9KytFyx9BTP3gXWnWIu+bY7/v7qKJMHFwGETo+dCLWYevJL316
-HnLfhApDMfP8U+Yv/y1N/YvgaSOSlEcCAwEAAaNTMFEwHQYDVR0OBBYEFKhAU4nu
-0h/lrnggbIGvx4ej0WklMB8GA1UdIwQYMBaAFKhAU4nu0h/lrnggbIGvx4ej0Wkl
-MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAE/6NghzQ5fu6yR6
-EHKbj/YMrFdT7aGn5n2sAf7wJ33LIhiFHkpWBsVlm7rDtZtwhe891ZK/P60anlg9
-/P0Ua53tSRVRmCvTnEbXWOVMN4is6MsR7BlmzUxl4AtIn7jbeifEwRL7B4xDYmdA
-QrQnsqoz45dLgS5xK4WDqXATP09Q91xQDuhud/b+A4jrvgwFASmL7rMIZbp4f1JQ
-nlnl/9VoTBQBvJiWkDUtQDMpRLtauddEkv4AGz75p5IspXWD6cOemuh2iQec11xD
-X20rs2WZbAcAiUa3nmy8OKYw435vmpj8gp39WYbX/Yx9TymrFFbVY92wYn+quTco
-pKklVz0=
------END CERTIFICATE-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem
deleted file mode 100644
index 55a7f10c74..0000000000
--- a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/client_key.pem
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEA44W4i5wftdd+iEbEp3e5H+KFQD8t125H0jyR+lQRurkE63zF
-l7n9if1rWjMQdVbpw4BsdufABHy2RKBn+3jZAgDaTvsdZTUmHbGIQiwmK+jeKabj
-+Rla5HQ6o+HsyHPGlH+G83CkjmYmwBUFYUxrkq15wVkufJm3AfKWtE3VBfO4us7G
-4oW58rdEptMAFJyflFtkv3vof+OB9J5etu3bjY2sigGdV7p9Ft6RurYNDrMUCttA
-xSAeMco/RSoGB2vVCYd+L0rK0XLH0FM/eBdadYi75tjv+/uookwcXAYROj50ItZh
-68kvfXoect+ECkMx8/xT5i//LU39i+BpI5KURwIDAQABAoIBABgyjo/6iLzUMFbZ
-/+w3pW6orrdIgN2akvTfED9pVYFgUA+jc3hRhY95bkNnjuaL2cy7Cc4Tk65mfRQL
-Y0OxdJLr+EvSFSxAXM9npDA1ddHRsF8JqtFBSxNk8R+g1Yf0GDiO35Fgd3/ViWWA
-VtQkRoSRApP3oiQKTRZd8H04keFR+PvmDk/Lq11l3Kc24A1PevKIPX1oI990ggw9
-9i4uSV+cnuMxmcI9xxJtgwdDFdjr39l2arLOHr4s6LGoV2IOdXHNlv5xRqWUZ0FH
-MDHowkLgwDrdSTnNeaVNkce14Gqx+bd4hNaLCdKXMpedBTEmrut3f3hdV1kKjaKt
-aqRYr8ECgYEA/YDGZY2jvFoHHBywlqmEMFrrCvQGH51m5R1Ntpkzr+Rh3YCmrpvq
-xgwJXING0PUw3dz+xrH5lJICrfNE5Kt3fPu1rAEy+13mYsNowghtUq2Rtu0Hsjjx
-2E3Bf8vEB6RNBMmGkUpTTIAroGF5tpJoRvfnWax+k4pFdrKYFtyZdNcCgYEA5cNv
-EPltvOobjTXlUmtVP3n27KZN2aXexTcagLzRxE9CV4cYySENl3KuOMmccaZpIl6z
-aHk6BT4X+M0LqElNUczrInfVqI+SGAFLGy7W6CJaqSr6cpyFUP/fosKpm6wKGgLq
-udHfpvz5rckhKd8kJxFLvhGOK9yN5qpzih0gfhECgYAJfwRvk3G5wYmYpP58dlcs
-VIuPenqsPoI3PPTHTU/hW+XKnWIhElgmGRdUrto9Q6IT/Y5RtSMLTLjq+Tzwb/fm
-56rziYv2XJsfwgAvnI8z1Kqrto9ePsHYf3krJ1/thVsZPc9bq/QY3ohD1sLvcuaT
-GgBBnLOVJU3a12/ZE2RwOwKBgF0csWMAoj8/5IB6if+3ral2xOGsl7oPZVMo/J2V
-Z7EVqb4M6rd/pKFugTpUQgkwtkSOekhpcGD1hAN5HTNK2YG/+L5UMAsKe9sskwJm
-HgOfAHy0BSDzW3ey6i9skg2bT9Cww+0gJ3Hl7U1HSCBO5LjMYpSZSrNtwzfqdb5Q
-BX3xAoGARZdR28Ej3+/+0+fz47Yu2h4z0EI/EbrudLOWY936jIeAVwHckI3+BuqH
-qR4poj1gfbnMxNuI9UzIXzjEmGewx9kDZ7IYnvloZKqoVQODO5GlKF2ja6IcMNlh
-GCNdD6PSAS6HcmalmWo9sj+1YMkrl+GJikKZqVBHrHNwMGAG67w=
------END RSA PRIVATE KEY-----
diff --git a/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der b/vendor/github.com/google/s2a-go/internal/v2/remotesigner/testdata/server_cert.der deleted file mode 100644 index 04b0d73600b72f80a03943d41973b279db9e8b32..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1013 zcmXqLV*Y5*#B_53GZP~dlZb{E^N!s~snriRh?%)HJiGKl>CAisUN%mxHjlRNyo`+8 ztPBQ??S|Y2oNUaYENsF|p}{Z?2M?38qoI(207!`V#>K<# zoS$2em{(~iXuuB=;pX9R$t=q(&dkp<6f+P32{H5V78@nTm!uY##3!c~l^9AHNWiV< zWEA7BsH}1TV!h=2Tmw0AULzv|Q)5FT0|N^q(aL-(RkWjuO*nCZC(^b4{cp%V+e53*PfoZW)2DU5BJN^Jypf0+ z%dyqB7eAAEDfH_&Z*6C3aP8^9M)sYbgC^`~v;4F5#oepTLYl5+2bdY(i!-?My>4G) z&8u+L`?_9LxQB1$HP?fpd*5i(-|SJJ!`sZHa8UZu(QeP3Dc(Yr8?G#iY20z>);Fh$ zMQ>DZHkC%KUBdEb&cYv;1sHCx@Vv~#%*epFIM^W2Ko*z^WcgUcSVVXxICA%7?w=9J zwOIRjXviz}kjUu<@*rtt76}8f2J8wz2}@R(k?}tZs{u2RLJoFd>IDWnBZI}4y?mP{ zW+WALO{`uTY0T-O8uy=9`&z_;*e^$wYu3!Wz-Re-&a7vV%g_8h++q8CMf&zxTFdl~ zp5i+{-R9L&+mdUFEBoKr@u=5M->UQ>MNWJ7BRi)4^M4~B*uKhe`J%yAbG&-Thr?bk zCap+`USuL4V}qf=6kBV_EFAN zmIn*31Qb`P{oxd|=2o5l$|&AdTJ_-*k&5oDQvTTOiN8OjczyHyta