diff -Nru docker.io-20.10.7/cli/appveyor.yml docker.io-20.10.11/cli/appveyor.yml --- docker.io-20.10.7/cli/appveyor.yml 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/appveyor.yml 2021-11-17 23:49:46.000000000 +0000 @@ -4,7 +4,7 @@ environment: GOPATH: c:\gopath - GOVERSION: 1.13.15 + GOVERSION: 1.16.10 DEPVERSION: v0.4.1 install: diff -Nru docker.io-20.10.7/cli/.circleci/config.yml docker.io-20.10.11/cli/.circleci/config.yml --- docker.io-20.10.7/cli/.circleci/config.yml 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/.circleci/config.yml 2021-11-17 23:49:46.000000000 +0000 @@ -4,13 +4,13 @@ lint: working_directory: /work - docker: [{image: 'docker:19.03-git'}] + docker: [{image: 'docker:20.10-git'}] environment: DOCKER_BUILDKIT: 1 steps: - checkout - setup_remote_docker: - version: 19.03.12 + version: 20.10.6 reusable: true exclusive: false - run: @@ -39,7 +39,7 @@ cross: working_directory: /work - docker: [{image: 'docker:19.03-git'}] + docker: [{image: 'docker:20.10-git'}] environment: DOCKER_BUILDKIT: 1 BUILDX_VERSION: "v0.5.1" @@ -47,7 +47,7 @@ steps: - checkout - setup_remote_docker: - version: 19.03.12 + version: 20.10.6 reusable: true exclusive: false - run: @@ -69,13 +69,13 @@ test: working_directory: /work - docker: [{image: 'docker:19.03-git'}] + docker: [{image: 'docker:20.10-git'}] environment: DOCKER_BUILDKIT: 1 steps: - checkout - setup_remote_docker: - version: 19.03.12 + version: 20.10.6 reusable: true exclusive: false - run: 
@@ -116,13 +116,13 @@ validate: working_directory: /work - docker: [{image: 'docker:19.03-git'}] + docker: [{image: 'docker:20.10-git'}] environment: DOCKER_BUILDKIT: 1 steps: - checkout - setup_remote_docker: - version: 19.03.12 + version: 20.10.6 reusable: true exclusive: false - run: diff -Nru docker.io-20.10.7/cli/cli/command/cli.go docker.io-20.10.11/cli/cli/command/cli.go --- docker.io-20.10.7/cli/cli/command/cli.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/cli.go 2021-11-17 23:49:46.000000000 +0000 @@ -255,7 +255,7 @@ if tlsconfig.IsErrEncryptedKey(err) { passRetriever := passphrase.PromptRetrieverWithInOut(cli.In(), cli.Out(), nil) newClient := func(password string) (client.APIClient, error) { - cli.dockerEndpoint.TLSPassword = password + cli.dockerEndpoint.TLSPassword = password //nolint: staticcheck // SA1019: cli.dockerEndpoint.TLSPassword is deprecated return newAPIClientFromEndpoint(cli.dockerEndpoint, cli.configFile) } cli.client, err = getClientWithPassword(passRetriever, newClient) diff -Nru docker.io-20.10.7/cli/cli/command/cli_test.go docker.io-20.10.11/cli/cli/command/cli_test.go --- docker.io-20.10.7/cli/cli/command/cli_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/cli_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -6,7 +6,6 @@ "crypto/x509" "fmt" "io/ioutil" - "net/http" "os" "runtime" "testing" 
@@ -80,24 +79,6 @@ assert.Check(t, is.Equal(customVersion, apiclient.ClientVersion())) } -func TestNewAPIClientFromFlagsWithHttpProxyEnv(t *testing.T) { - defer env.Patch(t, "HTTP_PROXY", "http://proxy.acme.com:1234")() - defer env.Patch(t, "DOCKER_HOST", "tcp://docker.acme.com:2376")() - - opts := &flags.CommonOptions{} - configFile := &configfile.ConfigFile{} - apiclient, err := NewAPIClientFromFlags(opts, configFile) - assert.NilError(t, err) - transport, ok := apiclient.HTTPClient().Transport.(*http.Transport) - assert.Assert(t, ok) - assert.Assert(t, transport.Proxy != nil) - request, err := http.NewRequest(http.MethodGet, "tcp://docker.acme.com:2376", nil) - assert.NilError(t, err) - url, err := transport.Proxy(request) - assert.NilError(t, err) - assert.Check(t, is.Equal("http://proxy.acme.com:1234", url.String())) -} - type fakeClient struct { client.Client pingFunc func() (types.Ping, error) diff -Nru docker.io-20.10.7/cli/cli/command/container/create_test.go docker.io-20.10.11/cli/cli/command/container/create_test.go --- docker.io-20.10.7/cli/cli/command/container/create_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/container/create_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -133,7 +133,7 @@ return ioutil.NopCloser(strings.NewReader("")), nil }, infoFunc: func() (types.Info, error) { - return types.Info{IndexServerAddress: "http://indexserver"}, nil + return types.Info{IndexServerAddress: "https://indexserver.example.com"}, nil }, } cli := test.NewFakeCli(client) diff -Nru docker.io-20.10.7/cli/cli/command/context/create.go docker.io-20.10.11/cli/cli/command/context/create.go --- docker.io-20.10.7/cli/cli/command/context/create.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/create.go 2021-11-17 23:49:46.000000000 +0000 
@@ -62,8 +62,11 @@ &opts.DefaultStackOrchestrator, "default-stack-orchestrator", "", "Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)") + flags.SetAnnotation("default-stack-orchestrator", "deprecated", nil) flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint") flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint") + flags.SetAnnotation("kubernetes", "kubernetes", nil) + flags.SetAnnotation("kubernetes", "deprecated", nil) flags.StringVar(&opts.From, "from", "", "create context from a named context") return cmd } diff -Nru docker.io-20.10.7/cli/cli/command/context/create_test.go docker.io-20.10.11/cli/cli/command/context/create_test.go --- docker.io-20.10.7/cli/cli/command/context/create_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/create_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -169,7 +169,7 @@ kubeMeta := ctxMetadata.Endpoints[kubernetes.KubernetesEndpoint].(kubernetes.EndpointMeta) kubeEP, err := kubeMeta.WithTLSData(s, name) assert.NilError(t, err) - assert.Equal(t, "https://someserver", kubeEP.Host) + assert.Equal(t, "https://someserver.example.com", kubeEP.Host) assert.Equal(t, "the-ca", string(kubeEP.TLSData.CA)) assert.Equal(t, "the-cert", string(kubeEP.TLSData.Cert)) assert.Equal(t, "the-key", string(kubeEP.TLSData.Key)) @@ -287,7 +287,7 @@ assert.Equal(t, newContextTyped.Description, c.expectedDescription) assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator) assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375") - assert.Equal(t, kubeEndpoint.Host, "https://someserver") + assert.Equal(t, kubeEndpoint.Host, "https://someserver.example.com") }) } } 
@@ -361,7 +361,7 @@ assert.Equal(t, newContextTyped.Description, c.expectedDescription) assert.Equal(t, newContextTyped.StackOrchestrator, c.expectedOrchestrator) assert.Equal(t, dockerEndpoint.Host, "tcp://42.42.42.42:2375") - assert.Equal(t, kubeEndpoint.Host, "https://someserver") + assert.Equal(t, kubeEndpoint.Host, "https://someserver.example.com") }) } } diff -Nru docker.io-20.10.7/cli/cli/command/context/export.go docker.io-20.10.11/cli/cli/command/context/export.go --- docker.io-20.10.7/cli/cli/command/context/export.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/export.go 2021-11-17 23:49:46.000000000 +0000 @@ -46,6 +46,8 @@ flags := cmd.Flags() flags.BoolVar(&opts.Kubeconfig, "kubeconfig", false, "Export as a kubeconfig file") + flags.SetAnnotation("kubeconfig", "kubernetes", nil) + flags.SetAnnotation("kubeconfig", "deprecated", nil) return cmd } diff -Nru docker.io-20.10.7/cli/cli/command/context/list_test.go docker.io-20.10.11/cli/cli/command/context/list_test.go --- docker.io-20.10.7/cli/cli/command/context/list_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/list_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -18,7 +18,7 @@ DefaultStackOrchestrator: orchestrator, Description: "description of " + name, Kubernetes: map[string]string{keyFrom: "default"}, - Docker: map[string]string{keyHost: "https://someswarmserver"}, + Docker: map[string]string{keyHost: "https://someswarmserver.example.com"}, }) assert.NilError(t, err) } diff -Nru docker.io-20.10.7/cli/cli/command/context/testdata/inspect.golden docker.io-20.10.11/cli/cli/command/context/testdata/inspect.golden --- docker.io-20.10.7/cli/cli/command/context/testdata/inspect.golden 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/testdata/inspect.golden 2021-11-17 23:49:46.000000000 +0000 
@@ -7,11 +7,11 @@ }, "Endpoints": { "docker": { - "Host": "https://someswarmserver", + "Host": "https://someswarmserver.example.com", "SkipTLSVerify": false }, "kubernetes": { - "Host": "https://someserver", + "Host": "https://someserver.example.com", "SkipTLSVerify": false, "DefaultNamespace": "default" } diff -Nru docker.io-20.10.7/cli/cli/command/context/testdata/list.golden docker.io-20.10.11/cli/cli/command/context/testdata/list.golden --- docker.io-20.10.7/cli/cli/command/context/testdata/list.golden 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/testdata/list.golden 2021-11-17 23:49:46.000000000 +0000 @@ -1,5 +1,5 @@ -NAME DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR -current * description of current https://someswarmserver https://someserver (default) all -default Current DOCKER_HOST based configuration unix:///var/run/docker.sock swarm -other description of other https://someswarmserver https://someserver (default) all -unset description of unset https://someswarmserver https://someserver (default) +NAME DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR +current * description of current https://someswarmserver.example.com https://someserver.example.com (default) all +default Current DOCKER_HOST based configuration unix:///var/run/docker.sock swarm +other description of other https://someswarmserver.example.com https://someserver.example.com (default) all +unset description of unset https://someswarmserver.example.com https://someserver.example.com (default) diff -Nru docker.io-20.10.7/cli/cli/command/context/testdata/test-kubeconfig docker.io-20.10.11/cli/cli/command/context/testdata/test-kubeconfig --- docker.io-20.10.7/cli/cli/command/context/testdata/test-kubeconfig 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/testdata/test-kubeconfig 2021-11-17 23:49:46.000000000 +0000 
@@ -2,7 +2,7 @@ clusters: - cluster: certificate-authority-data: dGhlLWNh - server: https://someserver + server: https://someserver.example.com name: test-cluster contexts: - context: diff -Nru docker.io-20.10.7/cli/cli/command/context/update.go docker.io-20.10.11/cli/cli/command/context/update.go --- docker.io-20.10.7/cli/cli/command/context/update.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/context/update.go 2021-11-17 23:49:46.000000000 +0000 @@ -61,8 +61,11 @@ &opts.DefaultStackOrchestrator, "default-stack-orchestrator", "", "Default orchestrator for stack operations to use with this context (swarm|kubernetes|all)") + flags.SetAnnotation("default-stack-orchestrator", "deprecated", nil) flags.StringToStringVar(&opts.Docker, "docker", nil, "set the docker endpoint") flags.StringToStringVar(&opts.Kubernetes, "kubernetes", nil, "set the kubernetes endpoint") + flags.SetAnnotation("kubernetes", "kubernetes", nil) + flags.SetAnnotation("kubernetes", "deprecated", nil) return cmd } diff -Nru docker.io-20.10.7/cli/cli/command/image/trust_test.go docker.io-20.10.11/cli/cli/command/image/trust_test.go --- docker.io-20.10.7/cli/cli/command/image/trust_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/image/trust_test.go 2021-11-17 23:49:46.000000000 +0000 
@@ -15,17 +15,17 @@ ) func TestENVTrustServer(t *testing.T) { - defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "https://notary-test.com:5000"})() + defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "https://notary-test.example.com:5000"})() indexInfo := ®istrytypes.IndexInfo{Name: "testserver"} output, err := trust.Server(indexInfo) - expectedStr := "https://notary-test.com:5000" + expectedStr := "https://notary-test.example.com:5000" if err != nil || output != expectedStr { t.Fatalf("Expected server to be %s, got %s", expectedStr, output) } } func TestHTTPENVTrustServer(t *testing.T) { - defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "http://notary-test.com:5000"})() + defer env.PatchAll(t, map[string]string{"DOCKER_CONTENT_TRUST_SERVER": "http://notary-test.example.com:5000"})() indexInfo := ®istrytypes.IndexInfo{Name: "testserver"} _, err := trust.Server(indexInfo) if err == nil { diff -Nru docker.io-20.10.7/cli/cli/command/registry/login.go docker.io-20.10.11/cli/cli/command/registry/login.go --- docker.io-20.10.7/cli/cli/command/registry/login.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/registry/login.go 2021-11-17 23:49:46.000000000 +0000 
@@ -114,22 +114,19 @@ var response registrytypes.AuthenticateOKBody isDefaultRegistry := serverAddress == authServer authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry) - if authConfig == nil { - authConfig = &types.AuthConfig{} - } if err == nil && authConfig.Username != "" && authConfig.Password != "" { - response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig) + response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig) } if err != nil || authConfig.Username == "" || authConfig.Password == "" { - err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry) + err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry) if err != nil { return err } - response, err = clnt.RegistryLogin(ctx, *authConfig) + response, err = clnt.RegistryLogin(ctx, authConfig) if err != nil && client.IsErrConnectionFailed(err) { // If the server isn't responding (yet) attempt to login purely client side - response, err = loginClientSide(ctx, *authConfig) + response, err = loginClientSide(ctx, authConfig) } // If we (still) have an error, give up if err != nil { @@ -152,7 +149,7 @@ } } - if err := creds.Store(configtypes.AuthConfig(*authConfig)); err != nil { + if err := creds.Store(configtypes.AuthConfig(authConfig)); err != nil { return errors.Errorf("Error saving credentials: %v", err) } diff -Nru docker.io-20.10.7/cli/cli/command/registry.go docker.io-20.10.11/cli/cli/command/registry.go --- docker.io-20.10.7/cli/cli/command/registry.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/registry.go 2021-11-17 23:49:46.000000000 +0000 
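Review bot: The error returned by `command.GetDefaultAuthConfig` in the first login.go hunk is never shown to the user: when it is non-nil the second `if` is entered and `err = command.ConfigureAuth(...)` overwrites it, so a failing credential store or helper only shows up as an unexpected credential prompt. The registry.go caller in this diff prints `Unable to retrieve stored credentials for %s, error: %s.` to `cli.Err()` in the same situation. Doing the same here before falling through, e.g. `fmt.Fprintf(dockerCli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", serverAddress, err)`, would make a misconfigured store diagnosable. The enclosing function starts and ends outside the hunk, so check that `fmt` is imported in login.go.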
@@ -63,17 +63,14 @@ indexServer := registry.GetAuthConfigKey(index) isDefaultRegistry := indexServer == ElectAuthServer(context.Background(), cli) authConfig, err := GetDefaultAuthConfig(cli, true, indexServer, isDefaultRegistry) - if authConfig == nil { - authConfig = &types.AuthConfig{} - } if err != nil { fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err) } - err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry) + err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry) if err != nil { return "", err } - return EncodeAuthToBase64(*authConfig) + return EncodeAuthToBase64(authConfig) } } @@ -92,7 +89,7 @@ // GetDefaultAuthConfig gets the default auth config given a serverAddress // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it -func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) { +func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) { if !isDefaultRegistry { serverAddress = registry.ConvertToHostname(serverAddress) } @@ -101,13 +98,15 @@ if checkCredStore { authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress) if err != nil { - return nil, err + return types.AuthConfig{ + ServerAddress: serverAddress, + }, err } } authconfig.ServerAddress = serverAddress authconfig.IdentityToken = "" res := types.AuthConfig(authconfig) - return &res, nil + return res, nil } // ConfigureAuth handles prompting of user's username and password if needed diff -Nru docker.io-20.10.7/cli/cli/command/registry_test.go docker.io-20.10.11/cli/cli/command/registry_test.go --- docker.io-20.10.7/cli/cli/command/registry_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/registry_test.go 2021-11-17 23:49:46.000000000 +0000 
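Review bot: `GetDefaultAuthConfig` now returns a partially populated value together with a non-nil error (`types.AuthConfig{ServerAddress: serverAddress}, err` in the third registry.go hunk), but its doc comment in the second hunk still describes only the success path. Go callers normally treat the value as meaningless when the error is non-nil, and both callers in this diff keep using it after an error, so the contract should be written down: `// If the credential store cannot be read, the returned AuthConfig is empty apart from ServerAddress, and the error is returned alongside it.` Saying why ServerAddress is kept (presumably so later prompting and login stay bound to the requested registry rather than an empty address) would stop a later refactor from returning a zero value again.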
@@ -66,10 +66,10 @@ }, }, { - expectedAuthServer: "https://foo.bar", + expectedAuthServer: "https://foo.example.com", expectedWarning: "", infoFunc: func() (types.Info, error) { - return types.Info{IndexServerAddress: "https://foo.bar"}, nil + return types.Info{IndexServerAddress: "https://foo.example.com"}, nil }, }, { @@ -145,7 +145,21 @@ assert.Check(t, is.Equal(tc.expectedErr, err.Error())) } else { assert.NilError(t, err) - assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig)) + assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig)) } } } + +func TestGetDefaultAuthConfig_HelperError(t *testing.T) { + cli := test.NewFakeCli(&fakeClient{}) + errBuf := new(bytes.Buffer) + cli.SetErr(errBuf) + cli.ConfigFile().CredentialsStore = "fake-does-not-exist" + serverAddress := "test-server-address" + expectedAuthConfig := types.AuthConfig{ + ServerAddress: serverAddress, + } + authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/") + assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig)) + assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist")) +} diff -Nru docker.io-20.10.7/cli/cli/command/stack/cmd.go docker.io-20.10.11/cli/cli/command/stack/cmd.go --- docker.io-20.10.7/cli/cli/command/stack/cmd.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/stack/cmd.go 2021-11-17 23:49:46.000000000 +0000 
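Review bot: In `TestGetDefaultAuthConfig_HelperError` the buffer installed with `cli.SetErr(errBuf)` is never read, so the test checks nothing about what is written to stderr; either drop `errBuf` or assert on its contents. The test also relies on no executable named `docker-credential-fake-does-not-exist` being on PATH. A one-line comment such as `// the helper binary must not exist; the lookup failure is the error under test` would make that precondition explicit.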
@@ -69,7 +69,9 @@ flags := cmd.PersistentFlags() flags.String("kubeconfig", "", "Kubernetes config file") flags.SetAnnotation("kubeconfig", "kubernetes", nil) + flags.SetAnnotation("kubeconfig", "deprecated", nil) flags.String("orchestrator", "", "Orchestrator to use (swarm|kubernetes|all)") + flags.SetAnnotation("orchestrator", "deprecated", nil) return cmd } diff -Nru docker.io-20.10.7/cli/cli/command/stack/kubernetes/cli.go docker.io-20.10.11/cli/cli/command/stack/kubernetes/cli.go --- docker.io-20.10.7/cli/cli/command/stack/kubernetes/cli.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/stack/kubernetes/cli.go 2021-11-17 23:49:46.000000000 +0000 @@ -50,6 +50,7 @@ func AddNamespaceFlag(flags *flag.FlagSet) { flags.String("namespace", "", "Kubernetes namespace to use") flags.SetAnnotation("namespace", "kubernetes", nil) + flags.SetAnnotation("namespace", "deprecated", nil) } // WrapCli wraps command.Cli with kubernetes specifics diff -Nru docker.io-20.10.7/cli/cli/command/stack/list.go docker.io-20.10.11/cli/cli/command/stack/list.go --- docker.io-20.10.7/cli/cli/command/stack/list.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/stack/list.go 2021-11-17 23:49:46.000000000 +0000 
@@ -30,8 +30,10 @@ flags.StringVar(&opts.Format, "format", "", "Pretty-print stacks using a Go template") flags.StringSliceVar(&opts.Namespaces, "namespace", []string{}, "Kubernetes namespaces to use") flags.SetAnnotation("namespace", "kubernetes", nil) + flags.SetAnnotation("namespace", "deprecated", nil) flags.BoolVarP(&opts.AllNamespaces, "all-namespaces", "", false, "List stacks from all Kubernetes namespaces") flags.SetAnnotation("all-namespaces", "kubernetes", nil) + flags.SetAnnotation("all-namespaces", "deprecated", nil) return cmd } diff -Nru docker.io-20.10.7/cli/cli/command/swarm/ca_test.go docker.io-20.10.11/cli/cli/command/swarm/ca_test.go --- docker.io-20.10.7/cli/cli/command/swarm/ca_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/swarm/ca_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -104,20 +104,20 @@ errorMsg: "flag requires the `--rotate` flag to update the CA", }, { - args: []string{"--external-ca=protocol=cfssl,url=https://some.com/https/url"}, + args: []string{"--external-ca=protocol=cfssl,url=https://some.example.com/https/url"}, errorMsg: "flag requires the `--rotate` flag to update the CA", }, { // to make sure we're not erroring because we didn't provide a CA cert and external CA args: []string{ "--ca-cert=" + tmpfile, - "--external-ca=protocol=cfssl,url=https://some.com/https/url", + "--external-ca=protocol=cfssl,url=https://some.example.com/https/url", }, errorMsg: "flag requires the `--rotate` flag to update the CA", }, { args: []string{ "--rotate", - "--external-ca=protocol=cfssl,url=https://some.com/https/url", + "--external-ca=protocol=cfssl,url=https://some.example.com/https/url", }, errorMsg: "rotating to an external CA requires the `--ca-cert` flag to specify the external CA's cert - " + "to add an external CA with the current root CA certificate, use the `update` command instead", 
@@ -243,7 +243,7 @@ "--rotate", "--detach", "--ca-cert=" + certfile, - "--external-ca=protocol=cfssl,url=https://some.external.ca"}) + "--external-ca=protocol=cfssl,url=https://some.external.ca.example.com"}) cmd.SetOut(cli.OutBuffer()) assert.NilError(t, cmd.Execute()) @@ -253,7 +253,7 @@ expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{ { Protocol: swarm.ExternalCAProtocolCFSSL, - URL: "https://some.external.ca", + URL: "https://some.external.ca.example.com", CACert: cert, Options: make(map[string]string), }, @@ -281,7 +281,7 @@ "--detach", "--ca-cert=" + certfile, "--ca-key=" + keyfile, - "--external-ca=protocol=cfssl,url=https://some.external.ca"}) + "--external-ca=protocol=cfssl,url=https://some.external.ca.example.com"}) cmd.SetOut(cli.OutBuffer()) assert.NilError(t, cmd.Execute()) @@ -291,7 +291,7 @@ expected.CAConfig.ExternalCAs = []*swarm.ExternalCA{ { Protocol: swarm.ExternalCAProtocolCFSSL, - URL: "https://some.external.ca", + URL: "https://some.external.ca.example.com", CACert: cert, Options: make(map[string]string), }, diff -Nru docker.io-20.10.7/cli/cli/command/system/info.go docker.io-20.10.11/cli/cli/command/system/info.go --- docker.io-20.10.7/cli/cli/command/system/info.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/system/info.go 2021-11-17 23:49:46.000000000 +0000 @@ -14,6 +14,7 @@ "github.com/docker/cli/templates" "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/swarm" + "github.com/docker/docker/api/types/versions" "github.com/docker/go-units" "github.com/spf13/cobra" ) @@ -211,9 +212,6 @@ for _, o := range so.Options { switch o.Key { case "profile": - if o.Value != "default" { - fmt.Fprintln(dockerCli.Err(), " WARNING: You're not using the default seccomp profile") - } fmt.Fprintln(dockerCli.Out(), " Profile:", o.Value) } } 
@@ -378,6 +376,9 @@ } func printServerWarnings(dockerCli command.Cli, info types.Info) { + if versions.LessThan(dockerCli.Client().ClientVersion(), "1.42") { + printSecurityOptionsWarnings(dockerCli, info) + } if len(info.Warnings) > 0 { fmt.Fprintln(dockerCli.Err(), strings.Join(info.Warnings, "\n")) return @@ -387,6 +388,29 @@ printServerWarningsLegacy(dockerCli, info) } +// printSecurityOptionsWarnings prints warnings based on the security options +// returned by the daemon. +// DEPRECATED: warnings are now generated by the daemon, and returned in +// info.Warnings. This function is used to provide backward compatibility with +// daemons that do not provide these warnings. No new warnings should be added +// here. +func printSecurityOptionsWarnings(dockerCli command.Cli, info types.Info) { + if info.OSType == "windows" { + return + } + kvs, _ := types.DecodeSecurityOptions(info.SecurityOptions) + for _, so := range kvs { + if so.Name != "seccomp" { + continue + } + for _, o := range so.Options { + if o.Key == "profile" && o.Value != "default" && o.Value != "builtin" { + _, _ = fmt.Fprintln(dockerCli.Err(), "WARNING: You're not using the default seccomp profile") + } + } + } +} + // printServerWarningsLegacy generates warnings based on information returned by the daemon. // DEPRECATED: warnings are now generated by the daemon, and returned in // info.Warnings. This function is used to provide backward compatibility with diff -Nru docker.io-20.10.7/cli/cli/command/system/version.go docker.io-20.10.11/cli/cli/command/system/version.go --- docker.io-20.10.7/cli/cli/command/system/version.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/command/system/version.go 2021-11-17 23:49:46.000000000 +0000 
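Review bot: `printSecurityOptionsWarnings` discards the error from `types.DecodeSecurityOptions` (`kvs, _ := types.DecodeSecurityOptions(info.SecurityOptions)`), so if the daemon's security options fail to parse it prints nothing and a non-default seccomp profile goes unreported. If the decode error is already reported elsewhere (not visible in these hunks), say so in a comment on that line, e.g. `// decode errors are reported when the security options are printed; ignored here to avoid duplicates`. Otherwise write it to `dockerCli.Err()`. The literal `"1.42"` in `printServerWarnings` would also benefit from a short comment saying it is the API version from which the daemon is expected to supply this warning itself.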
@@ -114,6 +114,7 @@ flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template") flags.StringVar(&opts.kubeConfig, "kubeconfig", "", "Kubernetes config file") flags.SetAnnotation("kubeconfig", "kubernetes", nil) + flags.SetAnnotation("kubeconfig", "deprecated", nil) return cmd } diff -Nru docker.io-20.10.7/cli/cli/config/configfile/file_test.go docker.io-20.10.11/cli/cli/config/configfile/file_test.go --- docker.io-20.10.7/cli/cli/config/configfile/file_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/config/configfile/file_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -27,16 +27,19 @@ } func TestProxyConfig(t *testing.T) { - httpProxy := "http://proxy.mycorp.com:3128" - httpsProxy := "https://user:password@proxy.mycorp.com:3129" - ftpProxy := "http://ftpproxy.mycorp.com:21" - noProxy := "*.intra.mycorp.com" - defaultProxyConfig := ProxyConfig{ - HTTPProxy: httpProxy, - HTTPSProxy: httpsProxy, - FTPProxy: ftpProxy, - NoProxy: noProxy, - } + var ( + httpProxy = "http://proxy.mycorp.example.com:3128" + httpsProxy = "https://user:password@proxy.mycorp.example.com:3129" + ftpProxy = "http://ftpproxy.mycorp.example.com:21" + noProxy = "*.intra.mycorp.example.com" + + defaultProxyConfig = ProxyConfig{ + HTTPProxy: httpProxy, + HTTPSProxy: httpsProxy, + FTPProxy: ftpProxy, + NoProxy: noProxy, + } + ) cfg := ConfigFile{ Proxies: map[string]ProxyConfig{ 
@@ -59,18 +62,21 @@ } func TestProxyConfigOverride(t *testing.T) { - httpProxy := "http://proxy.mycorp.com:3128" - overrideHTTPProxy := "http://proxy.example.com:3128" - overrideNoProxy := "" - httpsProxy := "https://user:password@proxy.mycorp.com:3129" - ftpProxy := "http://ftpproxy.mycorp.com:21" - noProxy := "*.intra.mycorp.com" - defaultProxyConfig := ProxyConfig{ - HTTPProxy: httpProxy, - HTTPSProxy: httpsProxy, - FTPProxy: ftpProxy, - NoProxy: noProxy, - } + var ( + httpProxy = "http://proxy.mycorp.example.com:3128" + httpProxyOverride = "http://proxy.example.com:3128" + httpsProxy = "https://user:password@proxy.mycorp.example.com:3129" + ftpProxy = "http://ftpproxy.mycorp.example.com:21" + noProxy = "*.intra.mycorp.example.com" + noProxyOverride = "" + + defaultProxyConfig = ProxyConfig{ + HTTPProxy: httpProxy, + HTTPSProxy: httpsProxy, + FTPProxy: ftpProxy, + NoProxy: noProxy, + } + ) cfg := ConfigFile{ Proxies: map[string]ProxyConfig{ 
@@ -84,46 +90,49 @@ } ropts := map[string]*string{ - "HTTP_PROXY": clone(overrideHTTPProxy), - "NO_PROXY": clone(overrideNoProxy), + "HTTP_PROXY": clone(httpProxyOverride), + "NO_PROXY": clone(noProxyOverride), } proxyConfig := cfg.ParseProxyConfig("/var/run/docker.sock", ropts) expected := map[string]*string{ - "HTTP_PROXY": &overrideHTTPProxy, + "HTTP_PROXY": &httpProxyOverride, "http_proxy": &httpProxy, "HTTPS_PROXY": &httpsProxy, "https_proxy": &httpsProxy, "FTP_PROXY": &ftpProxy, "ftp_proxy": &ftpProxy, - "NO_PROXY": &overrideNoProxy, + "NO_PROXY": &noProxyOverride, "no_proxy": &noProxy, } assert.Check(t, is.DeepEqual(expected, proxyConfig)) } func TestProxyConfigPerHost(t *testing.T) { - httpProxy := "http://proxy.mycorp.com:3128" - httpsProxy := "https://user:password@proxy.mycorp.com:3129" - ftpProxy := "http://ftpproxy.mycorp.com:21" - noProxy := "*.intra.mycorp.com" - - extHTTPProxy := "http://proxy.example.com:3128" - extHTTPSProxy := "https://user:password@proxy.example.com:3129" - extFTPProxy := "http://ftpproxy.example.com:21" - extNoProxy := "*.intra.example.com" - - defaultProxyConfig := ProxyConfig{ - HTTPProxy: httpProxy, - HTTPSProxy: httpsProxy, - FTPProxy: ftpProxy, - NoProxy: noProxy, - } - externalProxyConfig := ProxyConfig{ - HTTPProxy: extHTTPProxy, - HTTPSProxy: extHTTPSProxy, - FTPProxy: extFTPProxy, - NoProxy: extNoProxy, - } + var ( + httpProxy = "http://proxy.mycorp.example.com:3128" + httpsProxy = "https://user:password@proxy.mycorp.example.com:3129" + ftpProxy = "http://ftpproxy.mycorp.example.com:21" + noProxy = "*.intra.mycorp.example.com" + + extHTTPProxy = "http://proxy.example.com:3128" + extHTTPSProxy = "https://user:password@proxy.example.com:3129" + extFTPProxy = "http://ftpproxy.example.com:21" + extNoProxy = "*.intra.example.com" + + defaultProxyConfig = ProxyConfig{ + HTTPProxy: httpProxy, + HTTPSProxy: httpsProxy, + FTPProxy: ftpProxy, + NoProxy: noProxy, + } + + externalProxyConfig = ProxyConfig{ + HTTPProxy: 
extHTTPProxy, + HTTPSProxy: extHTTPSProxy, + FTPProxy: extFTPProxy, + NoProxy: extNoProxy, + } + ) cfg := ConfigFile{ Proxies: map[string]ProxyConfig{ @@ -226,9 +235,11 @@ } func TestGetAllCredentialsCredHelper(t *testing.T) { - testCredHelperSuffix := "test_cred_helper" - testCredHelperRegistryHostname := "credhelper.com" - testExtraCredHelperRegistryHostname := "somethingweird.com" + const ( + testCredHelperSuffix = "test_cred_helper" + testCredHelperRegistryHostname = "credhelper.com" + testExtraCredHelperRegistryHostname = "somethingweird.com" + ) unexpectedCredHelperAuth := types.AuthConfig{ Username: "file_store_user", @@ -265,9 +276,11 @@ } func TestGetAllCredentialsFileStoreAndCredHelper(t *testing.T) { - testFileStoreRegistryHostname := "example.com" - testCredHelperSuffix := "test_cred_helper" - testCredHelperRegistryHostname := "credhelper.com" + const ( + testFileStoreRegistryHostname = "example.com" + testCredHelperSuffix = "test_cred_helper" + testCredHelperRegistryHostname = "credhelper.com" + ) expectedFileStoreAuth := types.AuthConfig{ Username: "file_store_user", @@ -301,10 +314,12 @@ } func TestGetAllCredentialsCredStoreAndCredHelper(t *testing.T) { - testCredStoreSuffix := "test_creds_store" - testCredStoreRegistryHostname := "credstore.com" - testCredHelperSuffix := "test_cred_helper" - testCredHelperRegistryHostname := "credhelper.com" + const ( + testCredStoreSuffix = "test_creds_store" + testCredStoreRegistryHostname = "credstore.com" + testCredHelperSuffix = "test_cred_helper" + testCredHelperRegistryHostname = "credhelper.com" + ) configFile := New("filename") configFile.CredentialsStore = testCredStoreSuffix 
@@ -343,9 +358,11 @@ } func TestGetAllCredentialsCredHelperOverridesDefaultStore(t *testing.T) { - testCredStoreSuffix := "test_creds_store" - testCredHelperSuffix := "test_cred_helper" - testRegistryHostname := "example.com" + const ( + testCredStoreSuffix = "test_creds_store" + testCredHelperSuffix = "test_cred_helper" + testRegistryHostname = "example.com" + ) configFile := New("filename") configFile.CredentialsStore = testCredStoreSuffix 
@@ -424,38 +441,36 @@ expectError bool }{ { - "no kubernetes config is valid", - nil, - false, + name: "no kubernetes config is valid", }, { - "enabled is valid", - &KubernetesConfig{AllNamespaces: "enabled"}, - false, + name: "enabled is valid", + config: &KubernetesConfig{AllNamespaces: "enabled"}, }, { - "disabled is valid", - &KubernetesConfig{AllNamespaces: "disabled"}, - false, + name: "disabled is valid", + config: &KubernetesConfig{AllNamespaces: "disabled"}, }, { - "empty string is valid", - &KubernetesConfig{AllNamespaces: ""}, - false, + name: "empty string is valid", + config: &KubernetesConfig{AllNamespaces: ""}, }, { - "other value is invalid", - &KubernetesConfig{AllNamespaces: "unknown"}, - true, + name: "other value is invalid", + config: &KubernetesConfig{AllNamespaces: "unknown"}, + expectError: true, }, } - for _, test := range testCases { - err := checkKubernetesConfiguration(test.config) - if test.expectError { - assert.Assert(t, err != nil, test.name) - } else { - assert.NilError(t, err, test.name) - } + for _, tc := range testCases { + test := tc + t.Run(test.name, func(t *testing.T) { + err := checkKubernetesConfiguration(test.config) + if test.expectError { + assert.Assert(t, err != nil, test.name) + } else { + assert.NilError(t, err, test.name) + } + }) } } diff -Nru docker.io-20.10.7/cli/cli/config/credentials/file_store_test.go docker.io-20.10.11/cli/cli/config/credentials/file_store_test.go --- docker.io-20.10.7/cli/cli/config/credentials/file_store_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/config/credentials/file_store_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -70,7 +70,7 @@ func TestFileStoreGetAll(t *testing.T) { s1 := "https://example.com" - s2 := "https://example2.com" + s2 := "https://example2.example.com" f := newStore(map[string]types.AuthConfig{ s1: { Auth: "super_secret_token", 
@@ -80,7 +80,7 @@ s2: { Auth: "super_secret_token2", Email: "foo@example2.com", - ServerAddress: "https://example2.com", + ServerAddress: "https://example2.example.com", }, }) diff -Nru docker.io-20.10.7/cli/cli/connhelper/connhelper.go docker.io-20.10.11/cli/cli/connhelper/connhelper.go --- docker.io-20.10.7/cli/cli/connhelper/connhelper.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/connhelper/connhelper.go 2021-11-17 23:49:46.000000000 +0000 @@ -49,7 +49,7 @@ Dialer: func(ctx context.Context, network, addr string) (net.Conn, error) { return commandconn.New(ctx, "ssh", append(sshFlags, sp.Args("docker", "system", "dial-stdio")...)...) }, - Host: "http://docker", + Host: "http://docker.example.com", }, nil } // Future version may support plugins via ~/.docker/config.json. e.g. "dind" @@ -63,6 +63,6 @@ Dialer: func(ctx context.Context, network, addr string) (net.Conn, error) { return commandconn.New(ctx, cmd, flags...) }, - Host: "http://docker", + Host: "http://docker.example.com", }, nil } diff -Nru docker.io-20.10.7/cli/cli/context/docker/load.go docker.io-20.10.11/cli/cli/context/docker/load.go --- docker.io-20.10.7/cli/cli/context/docker/load.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/cli/context/docker/load.go 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,12 @@ // a Docker Engine endpoint, with its tls data type Endpoint struct { EndpointMeta - TLSData *context.TLSData + TLSData *context.TLSData + + // Deprecated: Use of encrypted TLS private keys has been deprecated, and + // will be removed in a future release. Golang has deprecated support for + // legacy PEM encryption (as specified in RFC 1423), as it is insecure by + // design (see https://go-review.googlesource.com/c/go/+/264159). TLSPassword string } 
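Review bot: The move to a reserved domain is incomplete in the `@@ -80,7 +80,7 @@` hunk of file_store_test.go. `ServerAddress` now uses `https://example2.example.com`, but the context line `Email: "foo@example2.com"` still names `example2.com`, which is not one of the reserved example domains. If the aim is to keep test fixtures off registrable names, `Email: "foo@example2.example.com"` would finish the job. Any assertion on the email elsewhere in the test (outside this hunk) would need the same value.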
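Review bot: The placeholder `Host: "http://docker.example.com"` is hard-coded twice in connhelper.go (the hunks at `@@ -49,7 +49,7 @@` and `@@ -63,6 +63,6 @@`) with no comment explaining why it needs a reserved domain. In both hunks the `Dialer` ignores `network` and `addr` and always starts the helper command, so the value looks like a dummy that is never dialed. A shared constant would keep the two in sync and record the intent, e.g. `const dummyHost = "http://docker.example.com" // placeholder only; the Dialer never resolves it`. Both enclosing functions start outside the hunks.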
@@ -66,8 +71,9 @@ } var err error - if x509.IsEncryptedPEMBlock(pemBlock) { - keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword)) + // TODO should we follow Golang, and deprecate RFC 1423 encryption, and produce a warning (or just error)? see https://github.com/docker/cli/issues/3212 + if x509.IsEncryptedPEMBlock(pemBlock) { //nolint: staticcheck // SA1019: x509.IsEncryptedPEMBlock is deprecated, and insecure by design + keyBytes, err = x509.DecryptPEMBlock(pemBlock, []byte(c.TLSPassword)) //nolint: staticcheck // SA1019: x509.IsEncryptedPEMBlock is deprecated, and insecure by design if err != nil { return nil, errors.Wrap(err, "private key is encrypted, but could not decrypt it") } diff -Nru docker.io-20.10.7/cli/Dockerfile docker.io-20.10.11/cli/Dockerfile --- docker.io-20.10.7/cli/Dockerfile 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/Dockerfile 2021-11-17 23:49:46.000000000 +0000 
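Review bot: The suppression on the `x509.DecryptPEMBlock` line names the wrong function; its text reads `SA1019: x509.IsEncryptedPEMBlock is deprecated`, copied from the line above. Suggest `//nolint: staticcheck // SA1019: x509.DecryptPEMBlock is deprecated, and insecure by design`, so that a later search for remaining RFC 1423 decryption call sites finds this one. Separately, the TODO leaves encrypted keys accepted silently. Until that is decided, a user whose key relies on legacy PEM encryption gets no runtime signal that the protection is weak, even though the struct field and docs now mark it deprecated. The enclosing function starts and ends outside the hunk.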
@@ -1,20 +1,21 @@ -#syntax=docker/dockerfile:1.2 +# syntax=docker/dockerfile:1.3 ARG BASE_VARIANT=alpine -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 +ARG XX_VERSION=1.0.0-rc.2 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-${BASE_VARIANT} AS gostable -FROM --platform=$BUILDPLATFORM golang:1.16-${BASE_VARIANT} AS golatest +FROM --platform=$BUILDPLATFORM golang:1.17rc1-${BASE_VARIANT} AS golatest -FROM gostable AS go-linux -FROM golatest AS go-darwin -FROM golatest AS go-windows-amd64 -FROM golatest AS go-windows-386 -FROM golatest AS go-windows-arm -FROM --platform=$BUILDPLATFORM tonistiigi/golang:497feff1-${BASE_VARIANT} AS go-windows-arm64 +FROM gostable AS go-linux +FROM gostable AS go-darwin +FROM gostable AS go-windows-amd64 +FROM gostable AS go-windows-386 +FROM gostable AS go-windows-arm +FROM golatest AS go-windows-arm64 FROM go-windows-${TARGETARCH} AS go-windows -FROM --platform=$BUILDPLATFORM tonistiigi/xx@sha256:620d36a9d7f1e3b102a5c7e8eff12081ac363828b3a44390f24fa8da2d49383d AS xx +FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx FROM go-${TARGETOS} AS build-base-alpine COPY --from=xx / / diff -Nru docker.io-20.10.7/cli/dockerfiles/Dockerfile.binary-native docker.io-20.10.11/cli/dockerfiles/Dockerfile.binary-native --- docker.io-20.10.7/cli/dockerfiles/Dockerfile.binary-native 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/dockerfiles/Dockerfile.binary-native 2021-11-17 23:49:46.000000000 +0000 @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 FROM golang:${GO_VERSION}-alpine diff -Nru docker.io-20.10.7/cli/dockerfiles/Dockerfile.dev docker.io-20.10.11/cli/dockerfiles/Dockerfile.dev --- docker.io-20.10.7/cli/dockerfiles/Dockerfile.dev 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/dockerfiles/Dockerfile.dev 2021-11-17 23:49:46.000000000 +0000 
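Review bot: The `xx` stage in cli/Dockerfile loses its content pin: the `tonistiigi/xx@sha256:` digest reference becomes `tonistiigi/xx:${XX_VERSION}`, a mutable tag whose default is a release candidate. The next stage runs `COPY --from=xx / /`, so that image's whole root filesystem lands in the build base. A re-pushed tag would then change the cross-compilation helpers with no change in this repository. Tag plus digest keeps the version readable and the content fixed: `FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION}@sha256:<digest-of-that-release> AS xx`. The same concern applies to `golang:1.17rc1-${BASE_VARIANT}` for `golatest`, which now builds the windows/arm64 binaries.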
@@ -1,5 +1,6 @@ -# syntax=docker/dockerfile:1.1.7-experimental -ARG GO_VERSION=1.13.15 +# syntax=docker/dockerfile:1.3 + +ARG GO_VERSION=1.16.10 FROM golang:${GO_VERSION}-alpine AS golang ENV CGO_ENABLED=0 @@ -9,21 +10,21 @@ RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=tmpfs,target=/go/src/ \ - GO111MODULE=on go get github.com/mjibson/esc@${ESC_VERSION} + GO111MODULE=on go install github.com/mjibson/esc@${ESC_VERSION} FROM golang AS gotestsum ARG GOTESTSUM_VERSION=v0.4.0 RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=tmpfs,target=/go/src/ \ - GO111MODULE=on go get gotest.tools/gotestsum@${GOTESTSUM_VERSION} + GO111MODULE=on go install gotest.tools/gotestsum@${GOTESTSUM_VERSION} FROM golang AS vndr ARG VNDR_VERSION=v0.1.2 RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=tmpfs,target=/go/src/ \ - GO111MODULE=on go get github.com/LK4D4/vndr@${VNDR_VERSION} + GO111MODULE=on go install github.com/LK4D4/vndr@${VNDR_VERSION} FROM golang AS dev RUN apk add --no-cache \ @@ -43,4 +44,5 @@ COPY --from=gotestsum /go/bin/* /go/bin/ WORKDIR /go/src/github.com/docker/cli +ENV GO111MODULE=auto COPY . . diff -Nru docker.io-20.10.7/cli/dockerfiles/Dockerfile.e2e docker.io-20.10.11/cli/dockerfiles/Dockerfile.e2e --- docker.io-20.10.7/cli/dockerfiles/Dockerfile.e2e 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/dockerfiles/Dockerfile.e2e 2021-11-17 23:49:46.000000000 +0000 
@@ -1,4 +1,4 @@ -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 # Use Debian based image as docker-compose requires glibc. FROM golang:${GO_VERSION}-buster diff -Nru docker.io-20.10.7/cli/dockerfiles/Dockerfile.lint docker.io-20.10.11/cli/dockerfiles/Dockerfile.lint --- docker.io-20.10.7/cli/dockerfiles/Dockerfile.lint 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/dockerfiles/Dockerfile.lint 2021-11-17 23:49:46.000000000 +0000 @@ -1,6 +1,6 @@ -# syntax=docker/dockerfile:1.1.3-experimental +# syntax=docker/dockerfile:1.3 -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 ARG GOLANGCI_LINTER_SHA="v1.21.0" FROM golang:${GO_VERSION}-alpine AS build @@ -13,6 +13,7 @@ go get github.com/golangci/golangci-lint/cmd/golangci-lint@${GOLANGCI_LINTER_SHA} FROM golang:${GO_VERSION}-alpine AS lint +ENV GO111MODULE=off ENV CGO_ENABLED=0 ENV DISABLE_WARN_OUTSIDE_CONTAINER=1 COPY --from=build /go/bin/golangci-lint /usr/local/bin diff -Nru docker.io-20.10.7/cli/docs/deprecated.md docker.io-20.10.11/cli/docs/deprecated.md --- docker.io-20.10.7/cli/docs/deprecated.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/deprecated.md 2021-11-17 23:49:46.000000000 +0000 
@@ -50,9 +50,11 @@ Status | Feature | Deprecated | Remove -----------|------------------------------------------------------------------------------------------------------------------------------------|------------|------------ +Deprecated | [Support for encrypted TLS private keys](#support-for-encrypted-tls-private-keys) | v20.10 | - +Deprecated | [Kubernetes stack and context support](#kubernetes-stack-and-context-support) | v20.10 | - Deprecated | [Pulling images from non-compliant image registries](#pulling-images-from-non-compliant-image-registries) | v20.10 | - Deprecated | [Linux containers on Windows (LCOW)](#linux-containers-on-windows-lcow-experimental) | v20.10 | - -Deprecated | [BLKIO weight options with cgroups v1](#blkio-weight-options–with-cgroups-v1) | v20.10 | - +Deprecated | [BLKIO weight options with cgroups v1](#blkio-weight-options-with-cgroups-v1) | v20.10 | - Deprecated | [Kernel memory limit](#kernel-memory-limit) | v20.10 | - Deprecated | [Classic Swarm and overlay networks using external key/value stores](#classic-swarm-and-overlay-networks-using-cluster-store) | v20.10 | - Deprecated | [Support for the legacy `~/.dockercfg` configuration file for authentication](#support-for-legacy-dockercfg-configuration-files) | v20.10 | - 
@@ -97,6 +99,22 @@ Removed | [`--run` flag on `docker commit`](#--run-flag-on-docker-commit) | v0.10 | v1.13 Removed | [Three arguments form in `docker import`](#three-arguments-form-in-docker-import) | v0.6.7 | v1.12 +### Support for encrypted TLS private keys + +**Deprecated in Release: v20.10** + +Use of encrypted TLS private keys has been deprecated, and will be removed in a +future release. Golang has deprecated support for legacy PEM encryption (as +specified in [RFC 1423](https://datatracker.ietf.org/doc/html/rfc1423)), as it +is insecure by design (see [https://go-review.googlesource.com/c/go/+/264159](https://go-review.googlesource.com/c/go/+/264159)). + +### Kubernetes stack and context support + +**Deprecated in Release: v20.10** + +Following the deprecation of [Compose on Kubernetes](https://github.com/docker/compose-on-kubernetes), support for +Kubernetes in the `stack` and `context` commands in the docker CLI is now marked as deprecated as well. + ### Pulling images from non-compliant image registries **Deprecated in Release: v20.10** @@ -570,9 +588,9 @@ Because of which, the driver specific log tag options `syslog-tag`, `gelf-tag` and `fluentd-tag` have been deprecated in favor of the generic `tag` option. -```bash +```console {% raw %} -docker --log-driver=syslog --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}" +$ docker --log-driver=syslog --log-opt tag="{{.ImageName}}/{{.Name}}/{{.ID}}" {% endraw %} ``` diff -Nru docker.io-20.10.7/cli/docs/extend/index.md docker.io-20.10.11/cli/docs/extend/index.md --- docker.io-20.10.7/cli/docs/extend/index.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/index.md 2021-11-17 23:49:46.000000000 +0000 @@ -55,7 +55,7 @@ 1. Install the `sshfs` plugin. - ```bash + ```console $ docker plugin install vieux/sshfs Plugin "vieux/sshfs" is requesting the following privileges: 
@@ -74,7 +74,7 @@ 2. Check that the plugin is enabled in the output of `docker plugin ls`. - ```bash + ```console $ docker plugin ls ID NAME TAG DESCRIPTION ENABLED @@ -87,7 +87,7 @@ This volume can now be mounted into containers. - ```bash + ```console $ docker volume create \ -d vieux/sshfs \ --name sshvolume \ @@ -96,9 +96,10 @@ sshvolume ``` + 4. Verify that the volume was created successfully. - ```bash + ```console $ docker volume ls DRIVER NAME @@ -107,18 +108,19 @@ 5. Start a container that uses the volume `sshvolume`. - ```bash + ```console $ docker run --rm -v sshvolume:/data busybox ls /data ``` 6. Remove the volume `sshvolume` - ```bash - docker volume rm sshvolume + ```console + $ docker volume rm sshvolume sshvolume ``` + To disable a plugin, use the `docker plugin disable` command. To completely remove it, use the `docker plugin remove` command. For other available commands and options, see the @@ -134,7 +136,7 @@ >**Note:** The `/run/docker/plugins` directory is mandatory inside of the plugin's filesystem for docker to communicate with the plugin. -```bash +```console $ git clone https://github.com/vieux/docker-volume-sshfs $ cd docker-volume-sshfs $ docker build -t rootfsimage . @@ -193,13 +195,13 @@ `f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62` and their corresponding log entries in the docker daemon logs. -```bash +```console $ docker plugin install tiborvass/sample-volume-plugin INFO[0036] Starting... Found 0 volumes on startup plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62 ``` -```bash +```console $ docker volume create -d tiborvass/sample-volume-plugin samplevol INFO[0193] Create Called... Ensuring directory /data/samplevol exists on host... plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62 
@@ -208,7 +210,7 @@ INFO[0193] Path Called... Returned path /data/samplevol plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62 ``` -```bash +```console $ docker run -v samplevol:/tmp busybox sh INFO[0421] Get Called... Found samplevol plugin=f52a3df433b9aceee436eaada0752f5797aab1de47e5485f1690a073b860ff62 @@ -223,7 +225,7 @@ plugins. This is specifically useful to collect plugin logs if they are redirected to a file. -```bash +```console $ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins list ID PID STATUS BUNDLE CREATED OWNER @@ -232,13 +234,14 @@ c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d 14984 running /run/docker/containerd/daemon/io.containerd.runtime.v1.linux/moby-plugins/c5bb4b90941efcaccca999439ed06d6a6affdde7081bb34dc84126b57b3e793d 2018-02-08T21:35:12.321288966Z root ``` -```bash +```console $ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 cat /var/log/plugin.log ``` If the plugin has a built-in shell, then exec into the plugin can be done as follows: -```bash + +```console $ sudo docker-runc --root /var/run/docker/plugins/runtime-root/moby-plugins exec -t 93f1e7dbfe11c938782c2993628c895cf28e2274072c4a346a6002446c949b25 sh ``` 
@@ -251,17 +254,18 @@ these basic requests should work. Note that plugin sockets are available on the host under `/var/run/docker/plugins/` -```bash -curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List +```console +$ curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/e8a37ba56fc879c991f7d7921901723c64df6b42b87e6a0b055771ecf8477a6d/plugin.sock http:/VolumeDriver.List {"Mountpoint":"","Err":"","Volumes":[{"Name":"myvol1","Mountpoint":"/data/myvol1"},{"Name":"myvol2","Mountpoint":"/data/myvol2"}],"Volume":null} ``` -```bash -curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/45e00a7ce6185d6e365904c8bcf62eb724b1fe307e0d4e7ecc9f6c1eb7bcdb70/plugin.sock http:/NetworkDriver.GetCapabilities +```console +$ curl -H "Content-Type: application/json" -XPOST -d '{}' --unix-socket /var/run/docker/plugins/45e00a7ce6185d6e365904c8bcf62eb724b1fe307e0d4e7ecc9f6c1eb7bcdb70/plugin.sock http:/NetworkDriver.GetCapabilities {"Scope":"local"} ``` + When using curl 7.5 and above, the URL should be of the form `http://hostname/APICall`, where `hostname` is the valid hostname where the plugin is installed and `APICall` is the call to the plugin API. diff -Nru docker.io-20.10.7/cli/docs/extend/legacy_plugins.md docker.io-20.10.11/cli/docs/extend/legacy_plugins.md --- docker.io-20.10.7/cli/docs/extend/legacy_plugins.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/legacy_plugins.md 2021-11-17 23:49:46.000000000 +0000 
@@ -72,7 +72,7 @@ | [Horcrux Volume Plugin](https://github.com/muthu-r/horcrux) | A volume plugin that allows on-demand, version controlled access to your data. Horcrux is an open-source plugin, written in Go, and supports SCP, [Minio](https://www.minio.io) and Amazon S3. | | [HPE 3Par Volume Plugin](https://github.com/hpe-storage/python-hpedockerplugin/) | A volume plugin that supports HPE 3Par and StoreVirtual iSCSI storage arrays. | | [Infinit volume plugin](https://infinit.sh/documentation/docker/volume-plugin) | A volume plugin that makes it easy to mount and manage Infinit volumes using Docker. | -| [IPFS Volume Plugin](http://github.com/vdemeester/docker-volume-ipfs) | An open source volume plugin that allows using an [ipfs](https://ipfs.io/) filesystem as a volume. | +| [IPFS Volume Plugin](https://github.com/vdemeester/docker-volume-ipfs) | An open source volume plugin that allows using an [ipfs](https://ipfs.io/) filesystem as a volume. | | [Keywhiz plugin](https://github.com/calavera/docker-volume-keywhiz) | A plugin that provides credentials and secret management using Keywhiz as a central repository. | | [Local Persist Plugin](https://github.com/CWSpear/local-persist) | A volume plugin that extends the default `local` driver's functionality by allowing you specify a mountpoint anywhere on the host, which enables the files to *always persist*, even if the volume is removed via `docker volume rm`. | | [NetApp Plugin](https://github.com/NetApp/netappdvp) (nDVP) | A volume plugin that provides direct integration with the Docker ecosystem for the NetApp storage portfolio. The nDVP package supports the provisioning and management of storage resources from the storage platform to Docker hosts, with a robust framework for adding additional platforms in the future. | 
@@ -80,7 +80,7 @@ | [Nimble Storage Volume Plugin](https://connect.nimblestorage.com/community/app-integration/docker) | A volume plug-in that integrates with Nimble Storage Unified Flash Fabric arrays. The plug-in abstracts array volume capabilities to the Docker administrator to allow self-provisioning of secure multi-tenant volumes and clones. | | [OpenStorage Plugin](https://github.com/libopenstorage/openstorage) | A cluster-aware volume plugin that provides volume management for file and block storage solutions. It implements a vendor neutral specification for implementing extensions such as CoS, encryption, and snapshots. It has example drivers based on FUSE, NFS, NBD and EBS to name a few. | | [Portworx Volume Plugin](https://github.com/portworx/px-dev) | A volume plugin that turns any server into a scale-out converged compute/storage node, providing container granular storage and highly available volumes across any node, using a shared-nothing storage backend that works with any docker scheduler. | -| [Quobyte Volume Plugin](https://github.com/quobyte/docker-volume) | A volume plugin that connects Docker to [Quobyte](http://www.quobyte.com/containers)'s data center file system, a general-purpose scalable and fault-tolerant storage platform. | +| [Quobyte Volume Plugin](https://github.com/quobyte/docker-volume) | A volume plugin that connects Docker to [Quobyte](https://www.quobyte.com/containers)'s data center file system, a general-purpose scalable and fault-tolerant storage platform. | | [REX-Ray plugin](https://github.com/emccode/rexray) | A volume plugin which is written in Go and provides advanced storage functionality for many platforms including VirtualBox, EC2, Google Compute Engine, OpenStack, and EMC. | | [Virtuozzo Storage and Ploop plugin](https://github.com/virtuozzo/docker-volume-ploop) | A volume plugin with support for Virtuozzo Storage distributed cloud file system as well as ploop devices. 
| | [VMware vSphere Storage Plugin](https://github.com/vmware/docker-volume-vsphere) | Docker Volume Driver for vSphere enables customers to address persistent storage requirements for Docker containers in vSphere environments. | diff -Nru docker.io-20.10.7/cli/docs/extend/plugin_api.md docker.io-20.10.11/cli/docs/extend/plugin_api.md --- docker.io-20.10.7/cli/docs/extend/plugin_api.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugin_api.md 2021-11-17 23:49:46.000000000 +0000 @@ -90,7 +90,7 @@ Plugins should be started before Docker, and stopped after Docker. For example, when packaging a plugin for a platform which supports `systemd`, you might use [`systemd` dependencies]( -http://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) to +https://www.freedesktop.org/software/systemd/man/systemd.unit.html#Before=) to manage startup and shutdown order. When upgrading a plugin, you should first stop the Docker daemon, upgrade the @@ -114,7 +114,7 @@ The `service` file (for example `/lib/systemd/system/your-plugin.service`): -``` +```systemd [Unit] Description=Your plugin Before=docker.service @@ -127,9 +127,10 @@ [Install] WantedBy=multi-user.target ``` + The `socket` file (for example `/lib/systemd/system/your-plugin.socket`): -``` +```systemd [Unit] Description=Your plugin @@ -166,7 +167,8 @@ **Request:** empty body **Response:** -``` + +```json { "Implements": ["VolumeDriver"] } diff -Nru docker.io-20.10.7/cli/docs/extend/plugins_authorization.md docker.io-20.10.11/cli/docs/extend/plugins_authorization.md --- docker.io-20.10.7/cli/docs/extend/plugins_authorization.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugins_authorization.md 2021-11-17 23:49:46.000000000 +0000 
@@ -114,9 +114,9 @@ `--authorization-plugin=PLUGIN_ID` format. The flag supplies a `PLUGIN_ID` value. This value can be the plugin’s socket or a path to a specification file. Authorization plugins can be loaded without restarting the daemon. Refer -to the [`dockerd` documentation](../reference/commandline/dockerd.md#configuration-reloading) for more information. +to the [`dockerd` documentation](../reference/commandline/dockerd.md#configuration-reload-behavior) for more information. -```bash +```console $ dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,... ``` @@ -124,26 +124,26 @@ ### Calling authorized command (allow) -```bash +```console $ docker pull centos -... +<...> f1b10cd84249: Pull complete -... +<...> ``` ### Calling unauthorized command (deny) -```bash +```console $ docker pull centos -... +<...> docker: Error response from daemon: authorization denied by plugin PLUGIN_NAME: volumes are not allowed. ``` ### Error from plugins -```bash +```console $ docker pull centos -... +<...> docker: Error response from daemon: plugin PLUGIN_NAME failed with error: AuthZPlugin.AuthZReq: Cannot connect to the Docker daemon. Is the docker daemon running on this host?. ``` @@ -180,6 +180,7 @@ "Err": "The error message if things go wrong" } ``` + #### /AuthZPlugin.AuthZRes **Request**: diff -Nru docker.io-20.10.7/cli/docs/extend/plugins_graphdriver.md docker.io-20.10.11/cli/docs/extend/plugins_graphdriver.md --- docker.io-20.10.7/cli/docs/extend/plugins_graphdriver.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugins_graphdriver.md 2021-11-17 23:49:46.000000000 +0000 @@ -31,7 +31,7 @@ before using the plugin. See the following example for the correct ordering of steps. -``` +```console $ docker plugin install cpuguy83/docker-overlay2-graphdriver-plugin # this command also enables the driver $ pkill dockerd 
@@ -309,6 +309,7 @@ and `Parent`. `Parent` may be an empty string, in which case there is no parent. **Response**: + ``` {% raw %} {{ TAR STREAM }} @@ -354,6 +355,7 @@ ### /GraphDriver.ApplyDiff **Request**: + ``` {% raw %} {{ TAR STREAM }} diff -Nru docker.io-20.10.7/cli/docs/extend/plugins_logging.md docker.io-20.10.11/cli/docs/extend/plugins_logging.md --- docker.io-20.10.7/cli/docs/extend/plugins_logging.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugins_logging.md 2021-11-17 23:49:46.000000000 +0000 @@ -211,6 +211,7 @@ to determine what set of logs to read. **Response**: + ``` {% raw %}{{ log stream }}{% endraw %} ``` diff -Nru docker.io-20.10.7/cli/docs/extend/plugins_network.md docker.io-20.10.11/cli/docs/extend/plugins_network.md --- docker.io-20.10.7/cli/docs/extend/plugins_network.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugins_network.md 2021-11-17 23:49:46.000000000 +0000 @@ -42,7 +42,7 @@ network drivers: by being mentioned as a driver in network-oriented Docker commands. For example, -```bash +```console $ docker network create --driver weave mynet ``` @@ -51,7 +51,7 @@ The `mynet` network is now owned by `weave`, so subsequent commands referring to that network will be sent to the plugin, -```bash +```console $ docker run --network=mynet busybox top ``` diff -Nru docker.io-20.10.7/cli/docs/extend/plugins_services.md docker.io-20.10.11/cli/docs/extend/plugins_services.md --- docker.io-20.10.7/cli/docs/extend/plugins_services.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugins_services.md 2021-11-17 23:49:46.000000000 +0000 
@@ -29,20 +29,20 @@ 1. Prepare manager. In node 1: - ```bash + ```console $ docker swarm init Swarm initialized: current node (dxn1zf6l61qsb1josjja83ngz) is now a manager. ``` 2. Join swarm, install plugin and create volume on worker. In node 2: - ```bash + ```console $ docker swarm join \ - --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \ - 192.168.99.100:2377 + --token SWMTKN-1-49nj1cmql0jkz5s954yi3oex3nedyz0fb0xx14ie39trti4wxv-8vxv8rssmk743ojnwacrr2e7c \ + 192.168.99.100:2377 ``` - ```bash + ```console $ docker plugin install tiborvass/sample-volume-plugin latest: Pulling from tiborvass/sample-volume-plugin eb9c16fbdc53: Download complete @@ -51,23 +51,24 @@ Installed plugin tiborvass/sample-volume-plugin ``` - ```bash + ```console $ docker volume create -d tiborvass/sample-volume-plugin --name pluginVol ``` 3. Create a service using the plugin and volume. In node1: - ```bash + ```console $ docker service create --name my-service --mount type=volume,volume-driver=tiborvass/sample-volume-plugin,source=pluginVol,destination=/tmp busybox top $ docker service ls z1sj8bb8jnfn my-service replicated 1/1 busybox:latest ``` - docker service ls shows service 1 instance of service running. + + `docker service ls` shows service 1 instance of service running. 4. Observe the task getting scheduled in node 2: - ```bash + ```console {% raw %} $ docker ps --format '{{.ID}}\t {{.Status}} {{.Names}} {{.Command}}' 83fc1e842599 Up 2 days my-service.1.9jn59qzn7nbc3m0zt1hij12xs "top" @@ -87,7 +88,7 @@ 1. Install a global scoped network plugin on both manager and worker. On node1 and node2: - ```bash + ```console $ docker plugin install bboreham/weave2 Plugin "bboreham/weave2" is requesting the following privileges: - network: [host] @@ -102,7 +103,7 @@ 2. Create a network using plugin on manager. On node1: - ```bash + ```console $ docker network create --driver=bboreham/weave2:latest globalnet $ docker network ls 
@@ -115,12 +116,12 @@ On node 1: - ```bash + ```console $ docker service create --network globalnet --name myservice --replicas=8 mrjana/simpleweb simpleweb w90drnfzw85nygbie9kb89vpa ``` - ```bash + ```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 87520965206a mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4 "simpleweb" 5 seconds ago Up 4 seconds myservice.4.ytdzpktmwor82zjxkh118uf1v @@ -131,7 +132,7 @@ On node 2: - ```bash + ```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 53c0ae7c1dae mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4 "simpleweb" 2 seconds ago Up Less than a second myservice.7.x44tvvdm3iwkt9kif35f7ykz1 @@ -142,14 +143,14 @@ 4. Scale down the number of instances. On node1: - ```bash + ```console $ docker service scale myservice=0 myservice scaled to 0 ``` 5. Disable and uninstall the plugin on the worker. On node2: - ```bash + ```console $ docker plugin rm -f bboreham/weave2 bboreham/weave2 ``` @@ -159,12 +160,12 @@ On node 1: - ```bash + ```console $ docker service scale myservice=8 myservice scaled to 8 ``` - ```bash + ```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES cf4b0ec2415e mrjana/simpleweb@sha256:317d7f221d68c86d503119b0ea12c29de42af0a22ca087d522646ad1069a47a4 "simpleweb" 39 seconds ago Up 36 seconds myservice.3.r7p5o208jmlzpcbm2ytl3q6n1 @@ -179,7 +180,7 @@ On node 2: - ```bash + ```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES ``` diff -Nru docker.io-20.10.7/cli/docs/extend/plugins_volume.md docker.io-20.10.11/cli/docs/extend/plugins_volume.md --- docker.io-20.10.7/cli/docs/extend/plugins_volume.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/extend/plugins_volume.md 2021-11-17 23:49:46.000000000 +0000 
@@ -54,7 +54,7 @@ accepts a volume name and path on the host, and the `--volume-driver` flag accepts a driver type. -```bash +```console $ docker volume create --driver=flocker volumename $ docker container run -it --volume volumename:/data busybox sh diff -Nru docker.io-20.10.7/cli/docs/reference/builder.md docker.io-20.10.11/cli/docs/reference/builder.md --- docker.io-20.10.7/cli/docs/reference/builder.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/builder.md 2021-11-17 23:49:46.000000000 +0000 @@ -179,7 +179,7 @@ begin with a `FROM` instruction**. This may be after [parser directives](#parser-directives), [comments](#format), and globally scoped [ARGs](#arg). The `FROM` instruction specifies the [*Parent -Image*](https://docs.docker.com/glossary/#parent_image) from which you are +Image*](https://docs.docker.com/glossary/#parent-image) from which you are building. `FROM` may only be preceded by one or more `ARG` instructions, which declare arguments that are used in `FROM` lines in the `Dockerfile`. @@ -599,10 +599,10 @@ Matching is done using Go's -[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. A +[filepath.Match](https://golang.org/pkg/path/filepath#Match) rules. A preprocessing step removes leading and trailing whitespace and eliminates `.` and `..` elements using Go's -[filepath.Clean](http://golang.org/pkg/path/filepath/#Clean). Lines +[filepath.Clean](https://golang.org/pkg/path/filepath/#Clean). Lines that are blank after preprocessing are ignored. Beyond Go's filepath.Match rules, Docker also supports a special 
@@ -677,7 +677,7 @@ ``` The `FROM` instruction initializes a new build stage and sets the -[*Base Image*](https://docs.docker.com/glossary/#base_image) for subsequent instructions. As such, a +[*Base Image*](https://docs.docker.com/glossary/#base-image) for subsequent instructions. As such, a valid `Dockerfile` must start with a `FROM` instruction. The image can be any valid image – it is especially easy to start by **pulling an image** from the [*Public Repositories*](https://docs.docker.com/docker-hub/repos/). @@ -759,6 +759,7 @@ RUN /bin/bash -c 'source $HOME/.bashrc; \ echo $HOME' ``` + Together they are equivalent to this single line: ```dockerfile @@ -938,6 +939,7 @@ ```console $ docker image inspect --format='{{json .Config.Labels}}' myimage ``` + ```json { "com.example.vendor": "ACME Incorporated", @@ -1115,7 +1117,7 @@ the context of the build. Each `` may contain wildcards and matching will be done using Go's -[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. For example: +[filepath.Match](https://golang.org/pkg/path/filepath#Match) rules. For example: To add all files starting with "hom": @@ -1291,7 +1293,7 @@ of the build. Each `` may contain wildcards and matching will be done using Go's -[filepath.Match](http://golang.org/pkg/path/filepath#Match) rules. For example: +[filepath.Match](https://golang.org/pkg/path/filepath#Match) rules. For example: To add all files starting with "hom": 
@@ -2171,9 +2173,14 @@ STOPSIGNAL signal ``` -The `STOPSIGNAL` instruction sets the system call signal that will be sent to the container to exit. -This signal can be a valid unsigned number that matches a position in the kernel's syscall table, for instance 9, -or a signal name in the format SIGNAME, for instance SIGKILL. +The `STOPSIGNAL` instruction sets the system call signal that will be sent to the +container to exit. This signal can be a signal name in the format `SIG`, +for instance `SIGKILL`, or an unsigned number that matches a position in the +kernel's syscall table, for instance `9`. The default is `SIGTERM` if not +defined. + +The image's default stopsignal can be overridden per container, using the +`--stop-signal` flag on `docker run` and `docker create`. ## HEALTHCHECK diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/attach.md docker.io-20.10.11/cli/docs/reference/commandline/attach.md --- docker.io-20.10.7/cli/docs/reference/commandline/attach.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/attach.md 2021-11-17 23:49:46.000000000 +0000 @@ -84,7 +84,7 @@ ### Attach to and detach from a running container -```bash +```console $ docker run -d --name topdemo ubuntu /usr/bin/top -b $ docker attach topdemo 
@@ -130,22 +130,19 @@ And in this second example, you can see the exit code returned by the `bash` process is returned by the `docker attach` command to its caller too: -```bash - $ docker run --name test -d -it debian +```console +$ docker run --name test -d -it debian +275c44472aebd77c926d4527885bb09f2f6db21d878c75f0a1c212c03d3bcfab - 275c44472aebd77c926d4527885bb09f2f6db21d878c75f0a1c212c03d3bcfab +$ docker attach test +root@f38c87f2a42d:/# exit 13 - $ docker attach test +exit - root@f38c87f2a42d:/# exit 13 - - exit - - $ echo $? - - 13 +$ echo $? +13 - $ docker ps -a | grep test +$ docker ps -a | grep test - 275c44472aeb debian:7 "/bin/bash" 26 seconds ago Exited (13) 17 seconds ago test +275c44472aeb debian:7 "/bin/bash" 26 seconds ago Exited (13) 17 seconds ago test ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/build.md docker.io-20.10.11/cli/docs/reference/commandline/build.md --- docker.io-20.10.7/cli/docs/reference/commandline/build.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/build.md 2021-11-17 23:49:46.000000000 +0000 @@ -92,7 +92,7 @@ For example, run this command to use a directory called `docker` in the branch `container`: -```bash +```console $ docker build https://github.com/docker/rootfs.git#container:docker ``` @@ -120,7 +120,7 @@ If you pass an URL to a remote tarball, the URL itself is sent to the daemon: -```bash +```console $ docker build http://server/context.tar.gz ``` @@ -136,7 +136,7 @@ Instead of specifying a context, you can pass a single `Dockerfile` in the `URL` or pipe the file in via `STDIN`. To pipe a `Dockerfile` from `STDIN`: -```bash +```console $ docker build - < Dockerfile ``` @@ -176,7 +176,7 @@ There should be informational output of the reason for failure output to `STDERR`: -```bash +```console $ docker build -t fail . Sending build context to Docker daemon 2.048 kB 
@@ -198,7 +198,7 @@ ### Build with PATH -```bash +```console $ docker build . Uploading context 10240 bytes @@ -243,7 +243,7 @@ ### Build with URL -```bash +```console $ docker build github.com/creack/docker-firefox ``` @@ -251,7 +251,7 @@ The Dockerfile at the root of the repository is used as Dockerfile. You can specify an arbitrary Git repository by using the `git://` or `git@` scheme. -```bash +```console $ docker build -f ctx/Dockerfile http://server/ctx.tar.gz Downloading context: http://server/ctx.tar.gz [===================>] 240 B/240 B @@ -277,7 +277,7 @@ ### Build with - -```bash +```console $ docker build - < Dockerfile ``` @@ -286,7 +286,7 @@ Since there is no context, a Dockerfile `ADD` only works if it refers to a remote URL. -```bash +```console $ docker build - < context.tar.gz ``` @@ -295,7 +295,7 @@ ### Use a .dockerignore file -```bash +```console $ docker build . Uploading context 18.829 MB @@ -334,7 +334,7 @@ ### Tag an image (-t) -```bash +```console $ docker build -t vieux/apache:2.0 . ``` @@ -348,27 +348,27 @@ For example, to tag an image both as `whenry/fedora-jboss:latest` and `whenry/fedora-jboss:v2.1`, use the following: -```bash +```console $ docker build -t whenry/fedora-jboss:latest -t whenry/fedora-jboss:v2.1 . ``` ### Specify a Dockerfile (-f) -```bash +```console $ docker build -f Dockerfile.debug . ``` This will use a file called `Dockerfile.debug` for the build instructions instead of `Dockerfile`. -```bash +```console $ curl example.com/remote/Dockerfile | docker build -f - . ``` The above command will use the current directory as the build context and read a Dockerfile from stdin. -```bash +```console $ docker build -f dockerfiles/Dockerfile.debug -t myapp_debug . $ docker build -f dockerfiles/Dockerfile.prod -t myapp_prod . ``` 
@@ -377,7 +377,7 @@ `.`) twice, once using a debug version of a `Dockerfile` and once using a production version. -```bash +```console $ cd /home/me/myapp/some/dir/really/deep $ docker build -f /home/me/myapp/dockerfiles/debug /home/me/myapp $ docker build -f ../../../../dockerfiles/debug /home/me/myapp @@ -420,7 +420,7 @@ files. The `ARG` instruction lets Dockerfile authors define values that users can set at build-time using the `--build-arg` flag: -```bash +```console $ docker build --build-arg HTTP_PROXY=http://10.20.30.2:1234 --build-arg FTP_PROXY=http://40.50.60.5:4567 . ``` @@ -439,7 +439,7 @@ from the local environment will be propagated into the Docker container being built: -```bash +```console $ export HTTP_PROXY=http://10.20.30.2:1234 $ docker build --build-arg HTTP_PROXY . ``` @@ -491,7 +491,7 @@ ... ``` -```bash +```console $ docker build -t mybuildimage --target build-env . ``` @@ -516,7 +516,7 @@ context, and exports the files to a directory named `out` in the current directory. If the directory does not exist, Docker creates the directory automatically: -```bash +```console $ docker build -o out . ``` @@ -525,13 +525,13 @@ using the long-hand CSV syntax, specifying both `type` and `dest` (destination path): -```bash +```console $ docker build --output type=local,dest=out . ``` Use the `tar` type to export the files as a `.tar` archive: -```bash +```console $ docker build --output type=tar,dest=out.tar . ``` @@ -540,8 +540,8 @@ and writes the output tarball to standard output, which is then redirected to the `out.tar` file: -```bash -docker build -o - . > out.tar +```console +$ docker build -o - . > out.tar ``` The `--output` option exports all files from the target stage. A common pattern @@ -562,7 +562,7 @@ When building the Dockerfile with the `-o` option, only the files from the final stage are exported to the `out` directory, in this case, the `vndr` binary: -```bash +```console $ docker build -o out . [+] Building 2.3s (7/7) FINISHED 
@@ -610,7 +610,7 @@ The following example builds an image with inline-cache metadata and pushes it to a registry, then uses the image as a cache source on another machine: -```bash +```console $ docker build -t myname/myapp --build-arg BUILDKIT_INLINE_CACHE=1 . $ docker push myname/myapp ``` @@ -618,8 +618,9 @@ After pushing the image, the image is used as cache source on another machine. BuildKit automatically pulls the image from the registry if needed. -```bash -# on another machine +On another machine: + +```console $ docker build --cache-from myname/myapp . ``` @@ -666,7 +667,7 @@ base image is still supported. - When using this option you may see significantly more space used due to storing two copies of the image, one for the build cache with all the cache - layers in tact, and one for the squashed version. + layers intact, and one for the squashed version. - While squashing layers may produce smaller images, it may have a negative impact on performance, as a single layer takes longer to extract, and downloading a single layer cannot be parallelized. @@ -725,7 +726,7 @@ Then make sure the experimental flag is enabled: -```bash +```console $ docker version -f '{{.Server.Experimental}}' true ``` @@ -745,15 +746,15 @@ An image named `test` is built with `--squash` argument. -```bash +```console $ docker build --squash -t test . -[...] +<...> ``` If everything is right, the history looks like this: -```bash +```console $ docker history test IMAGE CREATED CREATED BY SIZE COMMENT diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/checkpoint.md docker.io-20.10.11/cli/docs/reference/commandline/checkpoint.md --- docker.io-20.10.7/cli/docs/reference/commandline/checkpoint.md 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/checkpoint.md 2021-11-17 23:49:46.000000000 +0000 
@@ -0,0 +1,102 @@
+---
+title: docker checkpoint
+description: "The checkpoint command description and usage"
+keywords: experimental, checkpoint, restore, criu
+experimental: true
+---
+
+## Description
+
+Checkpoint and Restore is an experimental feature that allows you to freeze a running
+container by checkpointing it, which turns its state into a collection of files
+on disk. Later, the container can be restored from the point it was frozen.
+
+This is accomplished using a tool called [CRIU](https://criu.org), which is an
+external dependency of this feature. A good overview of the history of
+checkpoint and restore in Docker is available in this
+[Kubernetes blog post](https://kubernetes.io/blog/2015/07/how-did-quake-demo-from-dockercon-work/).
+
+### Installing CRIU
+
+If you use a Debian system, you can add the CRIU PPA and install with `apt-get`
+[from the criu launchpad](https://launchpad.net/~criu/+archive/ubuntu/ppa).
+
+Alternatively, you can [build CRIU from source](https://criu.org/Installation).
+
+You need at least version 2.0 of CRIU to run checkpoint and restore in Docker.
+
+### Use cases for checkpoint and restore
+
+This feature is currently focused on single-host use cases for checkpoint and
+restore. Here are a few:
+
+- Restarting the host machine without stopping/starting containers
+- Speeding up the start time of slow start applications
+- "Rewinding" processes to an earlier point in time
+- "Forensic debugging" of running processes
+
+Another primary use case of checkpoint and restore outside of Docker is the live
+migration of a server from one machine to another. This is possible with the
+current implementation, but not currently a priority (and so the workflow is
+not optimized for the task).
+
+### Using checkpoint and restore
+
+A new top level command `docker checkpoint` is introduced, with three subcommands:
+
+- `docker checkpoint create` (creates a new checkpoint)
+- `docker checkpoint ls` (lists existing checkpoints)
+- `docker checkpoint rm` (deletes an existing checkpoint)
+
+Additionally, a `--checkpoint` flag is added to the `docker container start` command.
+
+The options for `docker checkpoint create`:
+
+```console
+Usage: docker checkpoint create [OPTIONS] CONTAINER CHECKPOINT
+
+Create a checkpoint from a running container
+
+ --leave-running=false Leave the container running after checkpoint
+ --checkpoint-dir Use a custom checkpoint storage directory
+```
+
+And to restore a container:
+
+```console
+Usage: docker start --checkpoint CHECKPOINT_ID [OTHER OPTIONS] CONTAINER
+```
+
+Example of using checkpoint and restore on a container:
+
+```console
+$ docker run --security-opt=seccomp:unconfined --name cr -d busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done'
+abc0123
+
+$ docker checkpoint create cr checkpoint1
+
+#
+$ docker start --checkpoint checkpoint1 cr
+abc0123
+```
+
+This process just logs an incrementing counter to stdout. If you run `docker logs`
+in between running/checkpoint/restoring you should see that the counter
+increases while the process is running, stops while it's checkpointed, and
+resumes from the point it left off once you restore.
+
+### Known limitations
+
+seccomp is only supported by CRIU in very up to date kernels.
+
+External terminal (i.e. `docker run -t ..`) is not supported at the moment.
+If you try to create a checkpoint for a container with an external terminal, +it would fail: + +```console +$ docker checkpoint create cr checkpoint1 +Error response from daemon: Cannot checkpoint container c1: rpc error: code = 2 desc = exit status 1: "criu failed: type NOTIFY errno 0\nlog file: /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log\n" + +$ cat /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log +Error (mount.c:740): mnt: 126:./dev/console doesn't have a proper root mount +``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/cli.md docker.io-20.10.11/cli/docs/reference/commandline/cli.md --- docker.io-20.10.7/cli/docs/reference/commandline/cli.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/cli.md 2021-11-17 23:49:46.000000000 +0000 @@ -3,7 +3,7 @@ description: "Docker's CLI command description and usage" keywords: "Docker, Docker documentation, CLI, command line, config.json, CLI configuration file" redirect_from: - - /go/experimental/ + - /reference/commandline/cli/ - /engine/reference/commandline/engine/ - /engine/reference/commandline/engine_activate/ - /engine/reference/commandline/engine_check/ @@ -24,7 +24,7 @@ To list available commands, either run `docker` with no parameters or execute `docker help`: -```bash +```console $ docker Usage: docker [OPTIONS] COMMAND [ARG...] docker [ --help | -v | --version ] 
@@ -78,6 +78,7 @@ | `DOCKER_HOST` | Daemon socket to connect to. | | `DOCKER_STACK_ORCHESTRATOR` | Configure the default orchestrator to use when using `docker stack` management commands. | | `DOCKER_TLS_VERIFY` | When set Docker uses TLS and verifies the remote. This variable is used both by the `docker` CLI and the [`dockerd` daemon](dockerd.md) | +| `BUILDKIT_PROGRESS` | Set type of progress output (`auto`, `plain`, `tty`) when [building](build.md) with [BuildKit backend](../builder.md#buildkit). Use plain to show container output (default `auto`). | Because Docker is developed using Go, you can also use any environment variables used by the Go runtime. In particular, you may find these useful: @@ -87,7 +88,7 @@ * `NO_PROXY` These Go environment variables are case-insensitive. See the -[Go specification](http://golang.org/pkg/net/http/) for details on these +[Go specification](https://golang.org/pkg/net/http/) for details on these variables. ## Configuration files @@ -312,6 +313,9 @@ These features are intended for testing and feedback, and they may change between releases without warning or can be removed from a future release. +Starting with Docker 20.10, experimental CLI features are enabled by default, +and require no configuration to enable them. + ### Notary If using your own notary server and a self-signed certificate or an internal diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/commit.md docker.io-20.10.11/cli/docs/reference/commandline/commit.md --- docker.io-20.10.7/cli/docs/reference/commandline/commit.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/commit.md 2021-11-17 23:49:46.000000000 +0000 @@ -43,7 +43,7 @@ ### Commit a container -```bash +```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -62,7 +62,7 @@ ### Commit a container with new configurations -```bash +```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 
@@ -84,7 +84,7 @@ ### Commit a container with new `CMD` and `EXPOSE` instructions -```bash +```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/config_create.md docker.io-20.10.11/cli/docs/reference/commandline/config_create.md --- docker.io-20.10.7/cli/docs/reference/commandline/config_create.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/config_create.md 2021-11-17 23:49:46.000000000 +0000 @@ -33,7 +33,7 @@ ### Create a config -```bash +```console $ printf | docker config create my_config - onakdyv307se2tl7nl20anokv @@ -46,7 +46,7 @@ ### Create a config with a file -```bash +```console $ docker config create my_config ./config.json dg426haahpi5ezmkkj5kyl3sn @@ -59,7 +59,7 @@ ### Create a config with labels -```bash +```console $ docker config create \ --label env=dev \ --label rev=20170324 \ @@ -68,7 +68,7 @@ eo7jnzguqgtpdah3cm5srfb97 ``` -```bash +```console $ docker config inspect my_config [ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/config_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/config_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/config_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/config_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -23,7 +23,7 @@ By default, this renders all results in a JSON array. If a format is specified, the given template will be executed for each result. -Go's [text/template](http://golang.org/pkg/text/template/) package +Go's [text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. For detailed information about using configs, refer to [store configuration data using Docker Configs](https://docs.docker.com/engine/swarm/configs/). 
@@ -43,14 +43,14 @@ For example, given the following config: -```bash +```console $ docker config ls ID NAME CREATED UPDATED eo7jnzguqgtpdah3cm5srfb97 my_config 3 minutes ago 3 minutes ago ``` -```bash +```console $ docker config inspect config.json ``` @@ -83,7 +83,7 @@ config. The following example command outputs the creation time of the config. -```bash +```console $ docker config inspect --format='{{.CreatedAt}}' eo7jnzguqgtpdah3cm5srfb97 2017-03-24 08:15:09.735271783 +0000 UTC diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/config_ls.md docker.io-20.10.11/cli/docs/reference/commandline/config_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/config_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/config_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -36,7 +36,7 @@ ## Examples -```bash +```console $ docker config ls ID NAME CREATED UPDATED @@ -60,7 +60,7 @@ The `id` filter matches all or prefix of a config's id. -```bash +```console $ docker config ls -f "id=6697bflskwj1998km1gnnjr38" ID NAME CREATED UPDATED @@ -75,7 +75,7 @@ The following filter matches all configs with a `project` label regardless of its value: -```bash +```console $ docker config ls --filter label=project ID NAME CREATED UPDATED @@ -85,7 +85,7 @@ The following filter matches only services with the `project` label with the `project-a` value. -```bash +```console $ docker service ls --filter label=project=test ID NAME CREATED UPDATED @@ -98,7 +98,7 @@ The following filter matches config with a name containing a prefix of `test`. -```bash +```console $ docker config ls --filter name=test_config ID NAME CREATED UPDATED @@ -128,7 +128,7 @@ The following example uses a template without headers and outputs the `ID` and `Name` entries separated by a colon (`:`) for all images: -```bash +```console $ docker config ls --format "{{.ID}}: {{.Name}}" 77af4d6b9913: config-1 
@@ -139,7 +139,7 @@ To list all configs with their name and created date in a table format you can use: -```bash +```console $ docker config ls --format "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}" ID NAME CREATED diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/config_rm.md docker.io-20.10.11/cli/docs/reference/commandline/config_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/config_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/config_rm.md 2021-11-17 23:49:46.000000000 +0000 @@ -35,7 +35,7 @@ This example removes a config: -```bash +```console $ docker config rm my_config sapth4csdo5b6wz2p5uimh5xg ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/container_prune.md docker.io-20.10.11/cli/docs/reference/commandline/container_prune.md --- docker.io-20.10.7/cli/docs/reference/commandline/container_prune.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/container_prune.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ ### Prune containers -```bash +```console $ docker container prune WARNING! This will remove all stopped containers. Are you sure you want to continue? [y/N] y @@ -66,7 +66,7 @@ The following removes containers created more than 5 minutes ago: -```bash +```console $ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}' CONTAINER ID IMAGE COMMAND CREATED AT STATUS 
@@ -88,7 +88,7 @@ The following removes containers created before `2017-01-04T13:10:00`: -```bash +```console $ docker ps -a --format 'table {{.ID}}\t{{.Image}}\t{{.Command}}\t{{.CreatedAt}}\t{{.Status}}' CONTAINER ID IMAGE COMMAND CREATED AT STATUS diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/context_create.md docker.io-20.10.11/cli/docs/reference/commandline/context_create.md --- docker.io-20.10.7/cli/docs/reference/commandline/context_create.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/context_create.md 2021-11-17 23:49:46.000000000 +0000 @@ -62,7 +62,7 @@ with a docker endpoint of `/var/run/docker.sock` and a kubernetes configuration sourced from the file `/home/me/my-kube-config`: -```bash +```console $ docker context create \ --docker host=unix:///var/run/docker.sock \ --kubernetes config-file=/home/me/my-kube-config \ @@ -75,19 +75,19 @@ an existing context. The example below creates a new context named `my-context` from the existing context `existing-context`: -```bash +```console $ docker context create --from existing-context my-context ``` If the `--from` option is not set, the `context` is created from the current context: -```bash +```console $ docker context create my-context ``` This can be used to create a context out of an existing `DOCKER_HOST` based script: -```bash +```console $ source my-setup-script.sh $ docker context create my-context ``` @@ -98,7 +98,7 @@ the existing context `existing-context` and a kubernetes configuration sourced from the file `/home/me/my-kube-config`: -```bash +```console $ docker context create \ --docker from=existing-context \ --kubernetes config-file=/home/me/my-kube-config \ 
@@ -110,7 +110,7 @@ context named `my-context` using the kuberentes configuration from the existing context `existing-context` and a docker endpoint of `/var/run/docker.sock`: -```bash +```console $ docker context create \ --docker host=unix:///var/run/docker.sock \ --kubernetes from=existing-context \ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/context_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/context_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/context_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/context_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -23,7 +23,7 @@ ### Inspect a context by name -```bash +```console $ docker context inspect "local+aks" [ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/context_ls.md docker.io-20.10.11/cli/docs/reference/commandline/context_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/context_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/context_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -25,7 +25,9 @@ Use `docker context ls` to print all contexts. The currently active context is indicated with an `*`: -```bash +```console +$ docker context ls + NAME DESCRIPTION DOCKER ENDPOINT KUBERNETES ENDPOINT ORCHESTRATOR default * Current DOCKER_HOST based configuration unix:///var/run/docker.sock swarm production tcp:///prod.corp.example.com:2376 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/context_update.md docker.io-20.10.11/cli/docs/reference/commandline/context_update.md --- docker.io-20.10.7/cli/docs/reference/commandline/context_update.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/context_update.md 2021-11-17 23:49:46.000000000 +0000 
@@ -54,7 +54,7 @@ ### Update an existing context -```bash +```console $ docker context update \ --description "some description" \ --docker "host=tcp://myserver:2376,ca=~/ca-file,cert=~/cert-file,key=~/key-file" \ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/cp.md docker.io-20.10.11/cli/docs/reference/commandline/cp.md --- docker.io-20.10.7/cli/docs/reference/commandline/cp.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/cp.md 2021-11-17 23:49:46.000000000 +0000 @@ -95,11 +95,11 @@ running `tar` in `docker exec`. Both of the following examples do the same thing in different ways (consider `SRC_PATH` and `DEST_PATH` are directories): -```bash +```console $ docker exec CONTAINER tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | tar Cxf DEST_PATH - ``` -```bash +```console $ tar Ccf $(dirname SRC_PATH) - $(basename SRC_PATH) | docker exec -i CONTAINER tar Cxf DEST_PATH - ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/create.md docker.io-20.10.11/cli/docs/reference/commandline/create.md --- docker.io-20.10.7/cli/docs/reference/commandline/create.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/create.md 2021-11-17 23:49:46.000000000 +0000 @@ -109,7 +109,7 @@ Unit is optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g` (gigabytes). If you omit the unit, the system uses bytes. --stop-signal string Signal to stop a container (default "SIGTERM") - --stop-timeout=10 Timeout (in seconds) to stop a container + --stop-timeout int Timeout (in seconds) to stop a container --storage-opt value Storage driver options for the container (default []) --sysctl value Sysctl options (default map[]) --tmpfs value Mount a tmpfs directory (default []) 
@@ -131,6 +131,7 @@ --volumes-from value Mount volumes from the specified container(s) (default []) -w, --workdir string Working directory inside the container ``` + ## Description The `docker create` command creates a writeable container layer over the @@ -149,7 +150,7 @@ ### Create and start a container -```bash +```console $ docker create -t -i fedora bash 6d8af538ec541dd581ebc2a24153a28329acb5268abe5ef868c1f1a261221752 @@ -165,7 +166,7 @@ (i.e., `docker run` too). For example, this allows you to `create` the `data` volume container, and then use it from another container: -```bash +```console $ docker create -v /data --name data ubuntu 240633dfbb98128fa77473d3d9018f6123b99c454b3251427ae190a7d951ad57 @@ -180,7 +181,7 @@ Similarly, `create` a host directory bind mounted volume container, which can then be used from the subsequent container: -```bash +```console $ docker create -v /home/docker:/docker --name docker ubuntu 9aa88c08f319cd1e4515c3c46b0de7cc9aa75e878357b1e96f91e2c773029f03 @@ -202,7 +203,7 @@ Set storage driver options per container. -```bash +```console $ docker create -it --storage-opt size=120G fedora /bin/bash ``` 
@@ -239,14 +240,14 @@ created into the container once it is run. This poses a problem when a new device needs to be added to running container. -One of the solution is to add a more permissive rule to a container +One of the solutions is to add a more permissive rule to a container allowing it access to a wider range of devices. For example, supposing our container needs access to a character device with major `42` and any number of minor number (added as new devices appear), the following rule would be added: -``` -docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image +```console +$ docker create --device-cgroup-rule='c 42:* rmw' -name my-container my-image ``` Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 ` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/diff.md docker.io-20.10.11/cli/docs/reference/commandline/diff.md --- docker.io-20.10.7/cli/docs/reference/commandline/diff.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/diff.md 2021-11-17 23:49:46.000000000 +0000 @@ -33,7 +33,7 @@ Inspect the changes to an `nginx` container: -```bash +```console $ docker diff 1fdfd1f54c1b C /dev diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/dockerd.md docker.io-20.10.11/cli/docs/reference/commandline/dockerd.md --- docker.io-20.10.7/cli/docs/reference/commandline/dockerd.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/dockerd.md 2021-11-17 23:49:46.000000000 +0000 
@@ -164,7 +164,7 @@ > supported anymore for security reasons. On Systemd based systems, you can communicate with the daemon via -[Systemd socket activation](http://0pointer.de/blog/projects/socket-activation.html), +[Systemd socket activation](https://0pointer.de/blog/projects/socket-activation.html), use `dockerd -H fd://`. Using `fd://` will work perfectly for most setups but you can also specify individual sockets: `dockerd -H fd://3`. If the specified socket activated files aren't found, then Docker will exit. You can @@ -174,20 +174,21 @@ You can configure the Docker daemon to listen to multiple sockets at the same time using multiple `-H` options: -```bash -# listen using the default unix socket, and on 2 specific IP addresses on this host. +The example below runs the daemon listenin on the default unix socket, and +on 2 specific IP addresses on this host: +```console $ sudo dockerd -H unix:///var/run/docker.sock -H tcp://192.168.59.106 -H tcp://10.10.10.2 ``` The Docker client will honor the `DOCKER_HOST` environment variable to set the `-H` flag for the client. Use **one** of the following commands: -```bash +```console $ docker -H tcp://0.0.0.0:2375 ps ``` -```bash +```console $ export DOCKER_HOST="tcp://0.0.0.0:2375" $ docker ps @@ -197,7 +198,7 @@ the empty string is equivalent to setting the `--tlsverify` flag. The following are equivalent: -```bash +```console $ docker --tlsverify ps # or $ export DOCKER_TLS_VERIFY=1 @@ -210,7 +211,7 @@ The Docker client supports connecting to a remote daemon via SSH: -``` +```console $ docker -H ssh://me@example.com:22 ps $ docker -H ssh://me@example.com ps $ docker -H ssh://example.com ps 
@@ -267,22 +268,21 @@ Run Docker in daemon mode: -```bash +```console $ sudo /dockerd -H 0.0.0.0:5555 & ``` Download an `ubuntu` image: -```bash +```console $ docker -H :5555 pull ubuntu ``` You can use multiple `-H`, for example, if you want to listen on both TCP and a Unix socket -```bash -# Run docker in daemon mode -$ sudo /dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock & +```console +$ sudo dockerd -H tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock & # Download an ubuntu image, use default Unix socket $ docker pull ubuntu # OR use the TCP port @@ -307,7 +307,7 @@ are created automatically by using loopback mounts of automatically created sparse files. Refer to [Devicemapper options](#devicemapper-options) below for a way how to customize this setup. -[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](http://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/) +[~jpetazzo/Resizing Docker containers with the Device Mapper plugin](https://jpetazzo.github.io/2014/01/29/docker-device-mapper-resize/) article explains how to tune your existing setup without the use of options. The `btrfs` driver is very fast for `docker build` - but like `devicemapper` @@ -395,7 +395,7 @@ ###### Example: -```bash +```console $ sudo dockerd --storage-opt dm.thinpooldev=/dev/mapper/thin-pool ``` @@ -406,7 +406,7 @@ ###### Example: -```bash +```console $ sudo dockerd --storage-opt dm.directlvm_device=/dev/xvdf ``` @@ -416,7 +416,7 @@ ###### Example: -```bash +```console $ sudo dockerd --storage-opt dm.thinp_percent=95 ``` @@ -426,7 +426,7 @@ ###### Example: -```bash +```console $ sudo dockerd --storage-opt dm.thinp_metapercent=1 ``` @@ -437,7 +437,7 @@ ###### Example: -```bash +```console $ sudo dockerd --storage-opt dm.thinp_autoextend_threshold=80 ``` @@ -448,7 +448,7 @@ ###### Example: -```bash +```console $ sudo dockerd --storage-opt dm.thinp_autoextend_percent=20 ``` 
@@ -467,7 +467,7 @@ ###### Examples -```bash +```console $ sudo dockerd --storage-opt dm.basesize=50G ``` @@ -479,7 +479,7 @@ that may already be initialized and inherited by pulled images. Typically, a change to this value requires additional steps to take effect: - ```bash +```console $ sudo service docker stop $ sudo rm -rf /var/lib/docker @@ -502,7 +502,7 @@ ###### Example -```bash +```console $ sudo dockerd --storage-opt dm.loopdatasize=200G ``` @@ -520,7 +520,7 @@ ###### Example -```bash +```console $ sudo dockerd --storage-opt dm.loopmetadatasize=4G ``` @@ -531,7 +531,7 @@ ###### Example -```bash +```console $ sudo dockerd --storage-opt dm.fs=ext4 ``` @@ -541,7 +541,7 @@ ###### Example -```bash +```console $ sudo dockerd --storage-opt "dm.mkfsarg=-O ^has_journal" ``` @@ -551,7 +551,7 @@ ###### Example -```bash +```console $ sudo dockerd --storage-opt dm.mountopt=nodiscard ``` @@ -567,7 +567,7 @@ ###### Example -```bash +```console $ sudo dockerd \ --storage-opt dm.datadev=/dev/sdb1 \ --storage-opt dm.metadatadev=/dev/sdc1 @@ -585,13 +585,13 @@ If setting up a new metadata pool it is required to be valid. This can be achieved by zeroing the first 4k to indicate empty metadata, like this: -```bash +```console $ dd if=/dev/zero of=$metadata_dev bs=4096 count=1 ``` ###### Example -```bash +```console $ sudo dockerd \ --storage-opt dm.datadev=/dev/sdb1 \ --storage-opt dm.metadatadev=/dev/sdc1 @@ -604,7 +604,7 @@ ###### Example -```bash +```console $ sudo dockerd --storage-opt dm.blocksize=512K ``` @@ -620,7 +620,7 @@ ###### Examples -```bash +```console $ sudo dockerd --storage-opt dm.blkdiscard=false ``` @@ -632,11 +632,11 @@ To view the `udev` sync support of a Docker daemon that is using the `devicemapper` driver, run: -```bash +```console $ docker info -[...] +<...> Udev Sync Supported: true -[...] +<...> ``` When `udev` sync support is `true`, then `devicemapper` and udev can 
@@ -650,7 +650,7 @@
 To allow the `docker` daemon to start, regardless of `udev` sync not being supported, set `dm.override_udev_sync_check` to true:
-```bash
+```console
 $ sudo dockerd --storage-opt dm.override_udev_sync_check=true
 ```
@@ -683,7 +683,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd --storage-opt dm.use_deferred_removal=true
 ```
@@ -701,7 +701,7 @@
 To avoid this failure, enable both deferred device deletion and deferred device removal on the daemon.
-```bash
+```console
 $ sudo dockerd \
 --storage-opt dm.use_deferred_deletion=true \
 --storage-opt dm.use_deferred_removal=true
@@ -741,7 +741,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd --storage-opt dm.min_free_space=10%
 ```
@@ -757,7 +757,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd --storage-opt dm.xfs_nospace_max_retries=0
 ```
@@ -783,7 +783,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd \
 --log-level debug \
 --storage-opt dm.libdm_log_level=7
@@ -799,7 +799,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd -s zfs --storage-opt zfs.fsname=zroot/docker
 ```
@@ -814,7 +814,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd -s btrfs --storage-opt btrfs.min_space=10G
 ```
@@ -837,7 +837,7 @@
 ###### Example
-```bash
+```console
 $ sudo dockerd -s overlay2 --storage-opt overlay2.size=1G
 ```
@@ -959,7 +959,7 @@
 control `containerd` startup, manually start `containerd` and pass the path to the `containerd` socket using the `--containerd` flag. For example:
-```bash
+```console
 $ sudo dockerd --containerd /var/run/dev/docker-containerd.sock
 ```
@@ -987,7 +987,7 @@
 This is the same example via the command line:
-```bash
+```console
 $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-runc-replacement
 ```
@@ -1009,7 +1009,7 @@
 This example sets the `cgroupdriver` to `systemd`:
-```bash
+```console
 $ sudo dockerd --exec-opt native.cgroupdriver=systemd
 ```
@@ -1030,13 +1030,13 @@
 To set the DNS server for all Docker containers, use:
-```bash
+```console
 $ sudo dockerd --dns 8.8.8.8
 ```
 To set the DNS search domain for all Docker containers, use:
-```bash
+```console
 $ sudo dockerd --dns-search example.com
 ```
@@ -1162,7 +1162,7 @@
 using the `--cluster-store-opt` flag, specifying the paths to PEM encoded files. For example:
-```bash
+```console
 $ sudo dockerd \
 --cluster-advertise 192.168.1.2:2376 \
 --cluster-store etcd://192.168.1.2:2379 \
@@ -1189,7 +1189,7 @@
 authorization plugins when you start the Docker `daemon` using the `--authorization-plugin=PLUGIN_ID` option.
-```bash
+```console
 $ sudo dockerd --authorization-plugin=plugin1 --authorization-plugin=plugin2,...
 ```
@@ -1210,7 +1210,7 @@
 ### Daemon user namespace options
 The Linux kernel
-[user namespace support](http://man7.org/linux/man-pages/man7/user_namespaces.7.html)
+[user namespace support](https://man7.org/linux/man-pages/man7/user_namespaces.7.html)
 provides additional security by enabling a process, and therefore a container, to have a unique range of user and group IDs which are outside the traditional user and group range utilized by the host system. Potentially the most important
@@ -1360,11 +1360,11 @@
 "debug": true,
 "default-address-pools": [
 {
- "base": "172.80.0.0/16",
+ "base": "172.30.0.0/16",
 "size": 24
 },
 {
- "base": "172.90.0.0/16",
+ "base": "172.31.0.0/16",
 "size": 24
 }
 ],
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/events.md docker.io-20.10.11/cli/docs/reference/commandline/events.md
--- docker.io-20.10.7/cli/docs/reference/commandline/events.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/events.md 2021-11-17 23:49:46.000000000 +0000
@@ -194,11 +194,11 @@
 If a format (`--format`) is specified, the given template will be executed instead of the default
-format. Go's [text/template](http://golang.org/pkg/text/template/) package
+format. Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format. If a format is set to `{{json .}}`, the events are streamed as valid JSON
-Lines. For information about JSON Lines, please refer to http://jsonlines.org/.
+Lines. For information about JSON Lines, please refer to https://jsonlines.org/.
 ## Examples
@@ -208,13 +208,13 @@
 **Shell 1: Listening for events:**
-```bash
+```console
 $ docker events
 ```
 **Shell 2: Start and Stop containers:**
-```bash
+```console
 $ docker create --name test alpine:latest top
 $ docker start test
 $ docker stop test
@@ -239,7 +239,7 @@
 You can filter the output by an absolute timestamp or relative time on the host machine, using the following different time syntaxes:
-```bash
+```console
 $ docker events --since 1483283804
 2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local)
 2017-01-05T00:35:58.859401177+08:00 container create d9cd...4d70 (image=alpine:latest, name=test)
@@ -292,7 +292,7 @@
 The following commands show several different ways to filter the `docker event` output.
-```bash
+```console
 $ docker events --filter 'event=stop'
 2017-01-05T00:40:22.880175420+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test)
@@ -388,7 +388,7 @@
 ### Format the output
-```bash
+```console
 $ docker events --filter 'type=container' --format 'Type={{.Type}} Status={{.Status}} ID={{.ID}}'
 Type=container Status=create ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26
@@ -401,7 +401,7 @@
 #### Format as JSON
-```bash
+```console
 $ docker events --format '{{json .}}'
 {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4..
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/exec.md docker.io-20.10.11/cli/docs/reference/commandline/exec.md
--- docker.io-20.10.7/cli/docs/reference/commandline/exec.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/exec.md 2021-11-17 23:49:46.000000000 +0000
@@ -46,7 +46,7 @@
 First, start a container.
-```bash
+```console
 $ docker run --name ubuntu_bash --rm -i -t ubuntu bash
 ```
@@ -54,7 +54,7 @@
 Next, execute a command on the container.
-```bash
+```console
 $ docker exec -d ubuntu_bash touch /tmp/execWorks
 ```
@@ -63,7 +63,7 @@
 Next, execute an interactive `bash` shell on the container.
-```bash
+```console
 $ docker exec -it ubuntu_bash bash
 ```
@@ -71,7 +71,7 @@
 Next, set an environment variable in the current bash session.
-```bash
+```console
 $ docker exec -it -e VAR=1 ubuntu_bash bash
 ```
@@ -81,14 +81,14 @@
 By default `docker exec` command runs in the same working directory set when container was created.
-```bash
+```console
 $ docker exec -it ubuntu_bash pwd
 /
 ```
 You can select working directory for the command to execute into
-```bash
+```console
 $ docker exec -it -w /root ubuntu_bash pwd
 /root
 ```
@@ -98,7 +98,7 @@
 If the container is paused, then the `docker exec` command will fail with an error:
-```bash
+```console
 $ docker pause test
 test
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/export.md docker.io-20.10.11/cli/docs/reference/commandline/export.md
--- docker.io-20.10.7/cli/docs/reference/commandline/export.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/export.md 2021-11-17 23:49:46.000000000 +0000
@@ -30,10 +30,10 @@
 Each of these commands has the same result.
-```bash
+```console
 $ docker export red_panda > latest.tar
 ```
-```bash
+```console
 $ docker export --output="latest.tar" red_panda
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/history.md docker.io-20.10.11/cli/docs/reference/commandline/history.md
--- docker.io-20.10.7/cli/docs/reference/commandline/history.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/history.md 2021-11-17 23:49:46.000000000 +0000
@@ -24,7 +24,7 @@
 To see how the `docker:latest` image was built:
-```bash
+```console
 $ docker history docker
 IMAGE CREATED CREATED BY SIZE COMMENT
@@ -38,7 +38,7 @@
 To see how the `docker:apache` image was added to a container's base image:
-```bash
+```console
 $ docker history docker:scm
 IMAGE CREATED CREATED BY SIZE COMMENT
 2ac9d1098bf1 3 months ago /bin/bash 241.4 MB Added Apache to Fedora base image
@@ -71,7 +71,7 @@
 `ID` and `CreatedSince` entries separated by a colon (`:`) for the `busybox` image:
-```bash
+```console
 $ docker history --format "{{.ID}}: {{.CreatedSince}}" busybox
 f6e427c148a7: 4 weeks ago
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/image_prune.md docker.io-20.10.11/cli/docs/reference/commandline/image_prune.md
--- docker.io-20.10.7/cli/docs/reference/commandline/image_prune.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/image_prune.md 2021-11-17 23:49:46.000000000 +0000
@@ -26,7 +26,7 @@
 Example output:
-```bash
+```console
 $ docker image prune -a
 WARNING! This will remove all images without at least one container associated to them.
@@ -101,7 +101,7 @@
 The following removes images created before `2017-01-04T00:00:00`:
-```bash
+```console
 $ docker images --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedAt}}\t{{.Size}}'
 REPOSITORY TAG IMAGE ID CREATED AT SIZE
 foo latest 2f287ac753da 2017-01-04 13:42:23 -0800 PST 3.98 MB
@@ -128,7 +128,7 @@
 The following removes images created more than 10 days (`240h`) ago:
-```bash
+```console
 $ docker images
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -168,25 +168,25 @@
 The following example removes images with the label `deprecated`:
-```bash
+```console
 $ docker image prune --filter="label=deprecated"
 ```
 The following example removes images with the label `maintainer` set to `john`:
-```bash
+```console
 $ docker image prune --filter="label=maintainer=john"
 ```
 This example removes images which have no `maintainer` label:
-```bash
+```console
 $ docker image prune --filter="label!=maintainer"
 ```
 This example removes images which have a maintainer label not set to `john`:
-```bash
+```console
 $ docker image prune --filter="label!=maintainer=john"
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/images.md docker.io-20.10.11/cli/docs/reference/commandline/images.md
--- docker.io-20.10.7/cli/docs/reference/commandline/images.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/images.md 2021-11-17 23:49:46.000000000 +0000
@@ -48,7 +48,7 @@
 ### List the most recently created images
-```bash
+```console
 $ docker images
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -72,7 +72,7 @@
 For example, to list all images in the "java" repository, run this command :
-```bash
+```console
 $ docker images java
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -88,7 +88,7 @@
 repository and tag are listed. To find all local images in the "java" repository with tag "8" you can use:
-```bash
+```console
 $ docker images java:8
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -97,7 +97,7 @@
 If nothing matches `REPOSITORY[:TAG]`, the list is empty.
-```bash
+```console
 $ docker images java:0
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -105,7 +105,7 @@
 ### List the full length image IDs
-```bash
+```console
 $ docker images --no-trunc
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -127,7 +127,7 @@
 unchanged, the digest value is predictable. To list image digest values, use the `--digests` flag:
-```bash
+```console
 $ docker images --digests
 REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE
 localhost:5000/test/busybox sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf 4986bf8c1536 9 weeks ago 2.43 MB
@@ -153,7 +153,7 @@
 #### Show untagged images (dangling)
-```bash
+```console
 $ docker images --filter "dangling=true"
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -173,7 +173,7 @@
 You can use this in conjunction with `docker rmi ...`:
-```bash
+```console
 $ docker rmi $(docker images -f "dangling=true" -q)
 8abc22fbb042
@@ -194,7 +194,7 @@
 The following filter matches images with the `com.example.version` label regardless of its value.
-```bash
+```console
 $ docker images --filter "label=com.example.version"
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -204,7 +204,7 @@
 The following filter matches images with the `com.example.version` label with the `1.0` value.
-```bash
+```console
 $ docker images --filter "label=com.example.version=1.0"
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -213,7 +213,7 @@
 In this example, with the `0.1` value, it returns an empty set because no matches were found.
-```bash
+```console
 $ docker images --filter "label=com.example.version=0.1"
 REPOSITORY TAG IMAGE ID CREATED SIZE
 ```
@@ -223,7 +223,7 @@
 The `before` filter shows only images created before the image with given id or reference. For example, having these images:
-```bash
+```console
 $ docker images
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -234,7 +234,7 @@
 Filtering with `before` would give:
-```bash
+```console
 $ docker images --filter "before=image1"
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -244,7 +244,7 @@
 Filtering with `since` would give:
-```bash
+```console
 $ docker images --filter "since=image3"
 REPOSITORY TAG IMAGE ID CREATED SIZE
 image1 latest eeae25ada2aa 4 minutes ago 188.3 MB
@@ -256,7 +256,7 @@
 The `reference` filter shows only images whose reference matches the specified pattern.
-```bash
+```console
 $ docker images
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -268,7 +268,7 @@
 Filtering with `reference` would give:
-```bash
+```console
 $ docker images --filter=reference='busy*:*libc'
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -278,7 +278,7 @@
 Filtering with multiple `reference` would give, either match A or B:
-```bash
+```console
 $ docker images --filter=reference='busy*:uclibc' --filter=reference='busy*:glibc'
 REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -310,7 +310,7 @@
 The following example uses a template without headers and outputs the `ID` and `Repository` entries separated by a colon (`:`) for all images:
-```bash
+```console
 $ docker images --format "{{.ID}}: {{.Repository}}"
 77af4d6b9913:
@@ -327,7 +327,7 @@
 To list all images with their repository and tag in a table format you can use:
-```bash
+```console
 $ docker images --format "table {{.ID}}\t{{.Repository}}\t{{.Tag}}"
 IMAGE ID REPOSITORY TAG
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/import.md docker.io-20.10.11/cli/docs/reference/commandline/import.md
--- docker.io-20.10.7/cli/docs/reference/commandline/import.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/import.md 2021-11-17 23:49:46.000000000 +0000
@@ -39,39 +39,39 @@
 This will create a new untagged image.
-```bash
-$ docker import http://example.com/exampleimage.tgz
+```console
+$ docker import https://example.com/exampleimage.tgz
 ```
 ### Import from a local file
-- Import to docker via pipe and `STDIN`.
+Import to docker via pipe and `STDIN`.
- ```bash
- $ cat exampleimage.tgz | docker import - exampleimagelocal:new
- ```
+```console
+$ cat exampleimage.tgz | docker import - exampleimagelocal:new
+```
-- Import with a commit message.
+Import with a commit message.
- ```bash
- $ cat exampleimage.tgz | docker import --message "New image imported from tarball" - exampleimagelocal:new
- ```
+```console
+$ cat exampleimage.tgz | docker import --message "New image imported from tarball" - exampleimagelocal:new
+```
-- Import to docker from a local archive.
+Import to docker from a local archive.
- ```bash
- $ docker import /path/to/exampleimage.tgz
- ```
+```console
+$ docker import /path/to/exampleimage.tgz
+```
 ### Import from a local directory
-```bash
+```console
 $ sudo tar -c . | docker import - exampleimagedir
 ```
 ### Import from a local directory with new configurations
-```bash
+```console
 $ sudo tar -c . | docker import --change "ENV DEBUG=true" - exampleimagedir
 ```
@@ -87,6 +87,6 @@
 `--platform`. This would be necessary when importing a Linux image into a Windows daemon.
-```bash
+```console
 $ docker import --platform=linux .\linuximage.tar
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/info.md docker.io-20.10.11/cli/docs/reference/commandline/info.md
--- docker.io-20.10.7/cli/docs/reference/commandline/info.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/info.md 2021-11-17 23:49:46.000000000 +0000
@@ -24,7 +24,7 @@
 under different names is counted only once. If a format is specified, the given template will be executed instead of the
-default format. Go's [text/template](http://golang.org/pkg/text/template/) package
+default format. Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format. Depending on the storage driver in use, additional information can be shown, such
@@ -44,8 +44,9 @@
 using the `devicemapper` storage driver. As can be seen in the output, additional information about the `devicemapper` storage driver is shown:
-```bash
+```console
 $ docker info
+
 Client:
 Context: default
 Debug Mode: false
@@ -104,8 +105,9 @@
 Here is a sample output for a daemon running on Ubuntu, using the overlay2 storage driver and a node that is part of a 2-node swarm:
-```bash
-$ docker -D info
+```console
+$ docker --debug info
+
 Client:
 Context: default
 Debug Mode: true
@@ -194,7 +196,7 @@
 You can also specify the output format:
-```bash
+```console
 $ docker info --format '{{json .}}'
 {"ID":"I54V:OLXT:HVMM:TPKO:JPHQ:CQCD:JNLC:O3BZ:4ZVJ:43XJ:PFHZ:6N2S","Containers":14, ...}
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/inspect.md docker.io-20.10.11/cli/docs/reference/commandline/inspect.md
--- docker.io-20.10.7/cli/docs/reference/commandline/inspect.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/inspect.md 2021-11-17 23:49:46.000000000 +0000
@@ -29,7 +29,7 @@
 If a format is specified, the given template will be executed for each result.
-Go's [text/template](http://golang.org/pkg/text/template/) package
+Go's [text/template](https://golang.org/pkg/text/template/) package
 describes all the details of the format.
 ## Specify target type (--type)
@@ -45,7 +45,7 @@
 The following example inspects a _volume_ named "myvolume"
-```bash
+```console
 $ docker inspect --type=volume myvolume
 ```
@@ -56,25 +56,25 @@
 For the most part, you can pick out any field from the JSON in a fairly straightforward manner.
-```bash
+```console
 $ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $INSTANCE_ID
 ```
 ### Get an instance's MAC address
-```bash
+```console
 $ docker inspect --format='{{range .NetworkSettings.Networks}}{{.MacAddress}}{{end}}' $INSTANCE_ID
 ```
 ### Get an instance's log path
-```bash
+```console
 $ docker inspect --format='{{.LogPath}}' $INSTANCE_ID
 ```
 ### Get an instance's image name
-```bash
+```console
 $ docker inspect --format='{{.Config.Image}}' $INSTANCE_ID
 ```
@@ -83,7 +83,7 @@
 You can loop over arrays and maps in the results to produce simple text output:
-```bash
+```console
 $ docker inspect --format='{{range $p, $conf := .NetworkSettings.Ports}} {{$p}} -> {{(index $conf 0).HostPort}} {{end}}' $INSTANCE_ID
 ```
@@ -97,7 +97,7 @@
 then `index` 0 contains the first object inside of that. Then we ask for the `HostPort` field to get the public address.
-```bash
+```console
 $ docker inspect --format='{{(index (index .NetworkSettings.Ports "8787/tcp") 0).HostPort}}' $INSTANCE_ID
 ```
@@ -108,6 +108,6 @@
 Docker adds a template function, `json`, which can be applied to get results in JSON format.
-```bash
+```console
 $ docker inspect --format='{{json .Config}}' $INSTANCE_ID
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/kill.md docker.io-20.10.11/cli/docs/reference/commandline/kill.md
--- docker.io-20.10.7/cli/docs/reference/commandline/kill.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/kill.md 2021-11-17 23:49:46.000000000 +0000
@@ -20,8 +20,18 @@
 The `docker kill` subcommand kills one or more containers. The main process inside the container is sent `SIGKILL` signal (default), or the signal that is
-specified with the `--signal` option. You can kill a container using the
-container's ID, ID-prefix, or name.
+specified with the `--signal` option. You can reference a container by its
+ID, ID-prefix, or name.
+
+The `--signal` (or `-s` shorthand) flag sets the system call signal that is sent
+to the container. This signal can be a signal name in the format `SIG`, for
+instance `SIGINT`, or an unsigned number that matches a position in the kernel's
+syscall table, for instance `2`.
+
+While the default (`SIGKILL`) signal will terminate the container, the signal
+set through `--signal` may be non-terminal, depending on the container's main
+process. For example, the `SIGHUP` signal in most cases will be non-terminal,
+and the container will continue running after receiving the signal.
 > **Note**
 >
@@ -32,21 +42,21 @@
 ## Examples
-### Send a KILL signal to a container
+### Send a KILL signal to a container
-The following example sends the default `KILL` signal to the container named
+The following example sends the default `SIGKILL` signal to the container named
 `my_container`:
-```bash
+```console
 $ docker kill my_container
 ```
-### Send a custom signal to a container
+### Send a custom signal to a container
 The following example sends a `SIGHUP` signal to the container named `my_container`:
-```bash
+```console
 $ docker kill --signal=SIGHUP my_container
 ```
@@ -54,11 +64,11 @@
 You can specify a custom signal either by _name_, or _number_. The `SIG` prefix is optional, so the following examples are equivalent:
-```bash
+```console
 $ docker kill --signal=SIGHUP my_container
 $ docker kill --signal=HUP my_container
 $ docker kill --signal=1 my_container
 ```
-Refer to the [`signal(7)`](http://man7.org/linux/man-pages/man7/signal.7.html)
+Refer to the [`signal(7)`](https://man7.org/linux/man-pages/man7/signal.7.html)
 man-page for a list of standard Linux signals.
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/load.md docker.io-20.10.11/cli/docs/reference/commandline/load.md
--- docker.io-20.10.7/cli/docs/reference/commandline/load.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/load.md 2021-11-17 23:49:46.000000000 +0000
@@ -18,6 +18,7 @@
 The tarball may be compressed with gzip, bzip, or xz
 -q, --quiet Suppress the load output but still outputs the imported images
 ```
+
 ## Description
 Load an image or repository from a tar archive (even if compressed with gzip,
@@ -25,7 +26,7 @@
 ## Examples
-```bash
+```console
 $ docker image ls
 REPOSITORY TAG IMAGE ID CREATED SIZE
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/login.md docker.io-20.10.11/cli/docs/reference/commandline/login.md
--- docker.io-20.10.7/cli/docs/reference/commandline/login.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/login.md 2021-11-17 23:49:46.000000000 +0000
@@ -30,7 +30,7 @@
 If you want to login to a self-hosted registry you can specify this by adding the server name.
-```bash
+```console
 $ docker login localhost:8080
 ```
@@ -44,7 +44,7 @@
 The following example reads a password from a file, and passes it to the `docker login` command using `STDIN`:
-```bash
+```console
 $ cat ~/my_password.txt | docker login --username foo --password-stdin
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/logout.md docker.io-20.10.11/cli/docs/reference/commandline/logout.md
--- docker.io-20.10.7/cli/docs/reference/commandline/logout.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/logout.md 2021-11-17 23:49:46.000000000 +0000
@@ -18,7 +18,7 @@
 ## Examples
-```bash
+```console
 $ docker logout localhost:8080
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/logs.md docker.io-20.10.11/cli/docs/reference/commandline/logs.md
--- docker.io-20.10.7/cli/docs/reference/commandline/logs.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/logs.md 2021-11-17 23:49:46.000000000 +0000
@@ -67,7 +67,7 @@
 In order to retrieve logs before a specific point in time, run:
-```bash
+```console
 $ docker run --name test -d busybox sh -c "while true; do $(echo date); sleep 1; done"
 $ date
 Tue 14 Nov 2017 16:40:00 CET
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/manifest.md docker.io-20.10.11/cli/docs/reference/commandline/manifest.md
--- docker.io-20.10.7/cli/docs/reference/commandline/manifest.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/manifest.md 2021-11-17 23:49:46.000000000 +0000
@@ -40,8 +40,8 @@
 ### manifest inspect
-```bash
-manifest inspect --help
+```console
+$ docker manifest inspect --help
 Usage: docker manifest inspect [OPTIONS] [MANIFEST_LIST] MANIFEST
@@ -55,7 +55,7 @@
 ### manifest create
-```bash
+```console
 Usage: docker manifest create MANIFEST_LIST MANIFEST [MANIFEST...]
 Create a local manifest list for annotating and pushing to a registry
@@ -68,7 +68,7 @@
 ### manifest annotate
-```bash
+```console
 Usage: docker manifest annotate [OPTIONS] MANIFEST_LIST MANIFEST
 Add additional information to a local image manifest
@@ -85,7 +85,7 @@
 ### manifest push
-```bash
+```console
 Usage: docker manifest push [OPTIONS] MANIFEST_LIST
 Push a manifest list to a repository
@@ -113,7 +113,7 @@
 ### Inspect an image's manifest object
-```bash
+```console
 $ docker manifest inspect hello-world
 {
 "schemaVersion": 2,
@@ -143,7 +143,7 @@
 Here is an example of inspecting an image's manifest with the `--verbose` flag:
-```bash
+```console
 $ docker manifest inspect --verbose hello-world
 {
 "Ref": "docker.io/library/hello-world:latest",
@@ -187,7 +187,7 @@
 Finally, you need to `push` your manifest list to the desired registry. Below are descriptions of these three commands, and an example putting them all together.
-```bash
+```console
 $ docker manifest create 45.55.81.106:5000/coolapp:v1 \
 45.55.81.106:5000/coolapp-ppc64le-linux:v1 \
 45.55.81.106:5000/coolapp-arm-linux:v1 \
@@ -197,11 +197,11 @@
 Created manifest list 45.55.81.106:5000/coolapp:v1
 ```
-```bash
+```console
 $ docker manifest annotate 45.55.81.106:5000/coolapp:v1 45.55.81.106:5000/coolapp-arm-linux --arch arm
 ```
-```bash
+```console
 $ docker manifest push 45.55.81.106:5000/coolapp:v1
 Pushed manifest 45.55.81.106:5000/coolapp@sha256:9701edc932223a66e49dd6c894a11db8c2cf4eccd1414f1ec105a623bf16b426 with digest: sha256:f67dcc5fc786f04f0743abfe0ee5dae9bd8caf8efa6c8144f7f2a43889dc513b
 Pushed manifest 45.55.81.106:5000/coolapp@sha256:f3b3b28a45160805bb16542c9531888519430e9e6d6ffc09d72261b0d26ff74f with digest: sha256:b64ca0b60356a30971f098c92200b1271257f100a55b351e6bbe985638352f3a
@@ -213,7 +213,7 @@
 ### Inspect a manifest list
-```bash
+```console
 $ docker manifest inspect coolapp:v1
 {
 "schemaVersion": 2,
@@ -264,7 +264,7 @@
 Here is an example of creating and pushing a manifest list using a known insecure registry.
-```bash
+```console
 $ docker manifest create --insecure myprivateregistry.mycompany.com/repo/image:1.0 \
 myprivateregistry.mycompany.com/repo/image-linux-ppc64le:1.0 \
 myprivateregistry.mycompany.com/repo/image-linux-s390x:1.0 \
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_connect.md docker.io-20.10.11/cli/docs/reference/commandline/network_connect.md
--- docker.io-20.10.7/cli/docs/reference/commandline/network_connect.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/network_connect.md 2021-11-17 23:49:46.000000000 +0000
@@ -30,7 +30,7 @@
 ### Connect a running container to a network
-```bash
+```console
 $ docker network connect multi-host-network container1
 ```
@@ -38,7 +38,7 @@
 You can also use the `docker run --network=` option to start a container and immediately connect it to a network.
-```bash
+```console
 $ docker run -itd --network=multi-host-network busybox
 ```
@@ -46,7 +46,7 @@
 You can specify the IP address you want to be assigned to the container's interface.
-```bash
+```console
 $ docker network connect --ip 10.10.36.122 multi-host-network container2
 ```
@@ -54,7 +54,7 @@
 You can use `--link` option to link another container with a preferred alias
-```bash
+```console
 $ docker network connect --link container1:c1 multi-host-network container2
 ```
@@ -63,7 +63,7 @@
 `--alias` option can be used to resolve the container by another name in the network being connected to.
-```bash
+```console
 $ docker network connect --alias db --alias mysql multi-host-network container2
 ```
@@ -79,11 +79,11 @@
 address(es) from outside that range. This ensures that the IP address is not given to another container while this container is not on the network.
-```bash
+```console
 $ docker network create --subnet 172.20.0.0/16 --ip-range 172.20.240.0/20 multi-host-network
 ```
-```bash
+```console
 $ docker network connect --ip 172.20.128.2 multi-host-network container2
 ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_create.md docker.io-20.10.11/cli/docs/reference/commandline/network_create.md
--- docker.io-20.10.7/cli/docs/reference/commandline/network_create.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/network_create.md 2021-11-17 23:49:46.000000000 +0000
@@ -45,7 +45,7 @@
 this bridge network. You cannot remove this default bridge network, but you can create new ones using the `network create` command.
-```bash
+```console
 $ docker network create -d bridge my-bridge-network
 ```
@@ -75,7 +75,7 @@
 Once you have prepared the `overlay` network prerequisites you simply choose a Docker host in the cluster and issue the following to create the network:
-```bash
+```console
 $ docker network create -d overlay my-multihost-network
 ```
@@ -102,7 +102,7 @@
 When you start a container, use the `--network` flag to connect it to a network. This example adds the `busybox` container to the `mynet` network:
-```bash
+```console
 $ docker run -itd --network=mynet busybox
 ```
@@ -126,14 +126,14 @@
 and specify subnetwork values directly using the `--subnet` option. On a `bridge` network you can only create a single subnet:
-```bash
+```console
 $ docker network create --driver=bridge --subnet=192.168.0.0/16 br0
 ```
 Additionally, you also specify the `--gateway` `--ip-range` and `--aux-address` options.
-```bash
+```console
 $ docker network create \
 --driver=bridge \
 --subnet=172.28.0.0/16 \
@@ -148,7 +148,7 @@
 subnet mask to adhere to the current guidance of not having more than 256 IPs in a single overlay network. Each of the subnetworks has 126 usable addresses.
-```bash
+```console
 $ docker network create -d overlay \
 --subnet=192.168.10.0/25 \
 --subnet=192.168.20.0/25 \
@@ -175,7 +175,7 @@
 | `com.docker.network.bridge.enable_icc` | `--icc` | Enable or Disable Inter Container Connectivity |
 | `com.docker.network.bridge.host_binding_ipv4` | `--ip` | Default IP when binding container ports |
 | `com.docker.network.driver.mtu` | `--mtu` | Set the containers network MTU |
-| `com.docker.network.container_interface_prefix` | - | Set a custom prefix for container interfaces |
+| `com.docker.network.container_iface_prefix` | - | Set a custom prefix for container interfaces |
 The following arguments can be passed to `docker network create` for any network driver, again with their approximate equivalents to `docker daemon`.
@@ -191,7 +191,7 @@
 For example, let's use `-o` or `--opt` options to specify an IP address binding when publishing ports:
-```bash
+```console
 $ docker network create \
 -o "com.docker.network.bridge.host_binding_ipv4"="172.19.0.1" \
 simple-network
@@ -212,7 +212,7 @@
 if no services depend on it. Any option available when creating an overlay network is also available when creating the ingress network, besides the `--attachable` option.
-```bash
+```console
 $ docker network create -d overlay \
 --subnet=10.11.0.0/16 \
 --ingress \
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_disconnect.md docker.io-20.10.11/cli/docs/reference/commandline/network_disconnect.md
--- docker.io-20.10.7/cli/docs/reference/commandline/network_disconnect.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/network_disconnect.md 2021-11-17 23:49:46.000000000 +0000
@@ -23,7 +23,7 @@ ## Examples -```bash +```console $ docker network disconnect multi-host-network container1 ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/network_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/network_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/network_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -27,7 +27,7 @@ Connect two containers to the default `bridge` network: -```bash +```console $ sudo docker run -itd --name=container1 busybox f2870c98fd504370fb86e59f32cd0753b1ac9b69b7d80566ffc7192a82b3ed27 @@ -44,10 +44,10 @@ You can specify an alternate format to execute a given template for each result. Go's -[text/template](http://golang.org/pkg/text/template/) package describes all the +[text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. -```bash +```console $ sudo docker network inspect bridge ``` @@ -104,13 +104,13 @@ Create and inspect a user-defined network: -```bash +```console $ docker network create simple-network 69568e6336d8c96bbf57869030919f7c69524f71183b44d80948bd3927c87f6a ``` -```bash +```console $ docker network inspect simple-network ``` @@ -146,7 +146,7 @@ of the peers. Peers are the nodes in the swarm cluster which have at least one task attached to the network. Node name is of the format `-`. -```bash +```console $ docker network inspect ingress ``` 
@@ -213,7 +213,7 @@ Following is an example output for an overlay network `ov1` that has one service `s1` attached to. service `s1` in this case has three replicas. -```bash +```console $ docker network inspect --verbose ov1 ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_ls.md docker.io-20.10.11/cli/docs/reference/commandline/network_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/network_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/network_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -31,8 +31,8 @@ ### List all networks -```bash -$ sudo docker network ls +```console +$ docker network ls NETWORK ID NAME DRIVER SCOPE 7fca4eb8c647 bridge bridge local 9f904ee27bf5 none null local @@ -42,7 +42,7 @@ Use the `--no-trunc` option to display the full network id: -```bash +```console $ docker network ls --no-trunc NETWORK ID NAME DRIVER SCOPE 18a2866682b85619a026c81b98a5e375bd33e1b0936a26cc497c283d27bae9b3 none null local @@ -74,7 +74,7 @@ The following example matches networks with the `bridge` driver: -```bash +```console $ docker network ls --filter driver=bridge NETWORK ID NAME DRIVER SCOPE db9db329f835 test1 bridge local @@ -88,7 +88,7 @@ The following filter matches all networks with an ID containing the `63d1ff1f77b0...` string. -```bash +```console $ docker network ls --filter id=63d1ff1f77b07ca51070a8c227e962238358bd310bde1529cf62e6c307ade161 NETWORK ID NAME DRIVER SCOPE 63d1ff1f77b0 dev bridge local @@ -96,7 +96,7 @@ You can also filter for a substring in an ID as this shows: -```bash +```console $ docker network ls --filter id=95e74588f40d NETWORK ID NAME DRIVER SCOPE 95e74588f40d foo bridge local @@ -113,7 +113,7 @@ The following filter matches networks with the `usage` label regardless of its value. -```bash +```console $ docker network ls -f "label=usage" NETWORK ID NAME DRIVER SCOPE db9db329f835 test1 bridge local 
@@ -122,7 +122,7 @@ The following filter matches networks with the `usage` label with the `prod` value. -```bash +```console $ docker network ls -f "label=usage=prod" NETWORK ID NAME DRIVER SCOPE f6e212da9dfd test2 bridge local @@ -134,7 +134,7 @@ The following filter matches all networks with a name containing the `foobar` string. -```bash +```console $ docker network ls --filter name=foobar NETWORK ID NAME DRIVER SCOPE 06e7eef0a170 foobar bridge local @@ -142,7 +142,7 @@ You can also filter for a substring in a name as this shows: -```bash +```console $ docker network ls --filter name=foo NETWORK ID NAME DRIVER SCOPE 95e74588f40d foo bridge local @@ -155,7 +155,7 @@ The following example matches networks with the `swarm` scope: -```bash +```console $ docker network ls --filter scope=swarm NETWORK ID NAME DRIVER SCOPE xbtm0v4f1lfh ingress overlay swarm @@ -164,7 +164,7 @@ The following example matches networks with the `local` scope: -```bash +```console $ docker network ls --filter scope=local NETWORK ID NAME DRIVER SCOPE e85227439ac7 bridge bridge local @@ -180,7 +180,7 @@ The following filter matches all user defined networks: -```bash +```console $ docker network ls --filter type=custom NETWORK ID NAME DRIVER SCOPE 95e74588f40d foo bridge local @@ -190,7 +190,7 @@ By having this flag it allows for batch cleanup. For example, use this filter to delete all user defined networks: -```bash +```console $ docker network rm `docker network ls --filter type=custom -q` ``` 
@@ -223,7 +223,7 @@ The following example uses a template without headers and outputs the `ID` and `Driver` entries separated by a colon (`:`) for all networks: -```bash +```console $ docker network ls --format "{{.ID}}: {{.Driver}}" afaaab448eb2: bridge d1584f8dc718: host diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_prune.md docker.io-20.10.11/cli/docs/reference/commandline/network_prune.md --- docker.io-20.10.7/cli/docs/reference/commandline/network_prune.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/network_prune.md 2021-11-17 23:49:46.000000000 +0000 @@ -24,7 +24,7 @@ ## Examples -```bash +```console $ docker network prune WARNING! This will remove all custom networks not used by at least one container. @@ -64,7 +64,7 @@ The following removes networks created more than 5 minutes ago. Note that system networks such as `bridge`, `host`, and `none` will never be pruned: -```bash +```console $ docker network ls NETWORK ID NAME DRIVER SCOPE diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/network_rm.md docker.io-20.10.11/cli/docs/reference/commandline/network_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/network_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/network_rm.md 2021-11-17 23:49:46.000000000 +0000 @@ -29,8 +29,8 @@ To remove the network named 'my-network': -```bash - $ docker network rm my-network +```console +$ docker network rm my-network ``` ### Remove multiple networks 
@@ -39,8 +39,8 @@ multiple network names or ids. The following example deletes a network with id `3695c422697f` and a network named `my-network`: -```bash - $ docker network rm 3695c422697f my-network +```console +$ docker network rm 3695c422697f my-network ``` When you specify multiple networks, the command attempts to delete each in turn. diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_demote.md docker.io-20.10.11/cli/docs/reference/commandline/node_demote.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_demote.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_demote.md 2021-11-17 23:49:46.000000000 +0000 @@ -28,7 +28,7 @@ ## Examples -```bash +```console $ docker node demote ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/node_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -22,7 +22,7 @@ Returns information about a node. By default, this command renders all results in a JSON array. You can specify an alternate format to execute a given template for each result. Go's -[text/template](http://golang.org/pkg/text/template/) package describes all the +[text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. > **Note** @@ -36,7 +36,7 @@ ### Inspect a node -```bash +```console $ docker node inspect swarm-manager ``` @@ -113,7 +113,7 @@ ### Specify an output format -```bash +```console $ docker node inspect --format '{{ .ManagerStatus.Leader }}' self false 
@@ -121,7 +121,7 @@ Use `--format=pretty` or the `--pretty` shorthand to pretty-print the output: -```bash +```console $ docker node inspect --format=pretty self ID: e216jshn25ckzbvmwlnh5jr3g diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_ls.md docker.io-20.10.11/cli/docs/reference/commandline/node_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -36,7 +36,7 @@ ## Examples -```bash +```console $ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS @@ -44,6 +44,7 @@ 38ciaotwjuritcdtn9npbnkuz swarm-worker1 Ready Active e216jshn25ckzbvmwlnh5jr3g * swarm-manager1 Ready Active Leader ``` + > **Note** > > In the above example output, there is a hidden column of `.Self` that indicates @@ -69,7 +70,7 @@ The `id` filter matches all or part of a node's id. -```bash +```console $ docker node ls -f id=1 ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS @@ -85,7 +86,7 @@ The following filter matches nodes with the `foo` label regardless of its value. -```bash +```console $ docker node ls -f "label=foo" ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS @@ -135,7 +136,7 @@ The following filter matches nodes with the `membership` of `accepted`. -```bash +```console $ docker node ls -f "membership=accepted" ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS @@ -149,7 +150,7 @@ The following filter matches the nodes with a name equal to `swarm-master` string. -```bash +```console $ docker node ls -f name=swarm-manager1 ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS @@ -162,7 +163,7 @@ The following filter matches nodes with the `manager` role. -```bash +```console $ docker node ls -f "role=manager" ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS 
@@ -195,8 +196,9 @@ `ID`, `Hostname`, and `TLS Status` entries separated by a colon (`:`) for all nodes: -```bash +```console $ docker node ls --format "{{.ID}}: {{.Hostname}} {{.TLSStatus}}" + e216jshn25ckzbvmwlnh5jr3g: swarm-manager1 Ready 35o6tiywb700jesrt3dmllaza: swarm-worker1 Needs Rotation ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_promote.md docker.io-20.10.11/cli/docs/reference/commandline/node_promote.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_promote.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_promote.md 2021-11-17 23:49:46.000000000 +0000 @@ -28,7 +28,7 @@ ## Examples -```bash +```console $ docker node promote ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_ps.md docker.io-20.10.11/cli/docs/reference/commandline/node_ps.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_ps.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_ps.md 2021-11-17 23:49:46.000000000 +0000 @@ -36,8 +36,9 @@ ## Examples -```bash +```console $ docker node ps swarm-manager1 + NAME IMAGE NODE DESIRED STATE CURRENT STATE redis.1.7q92v0nr1hcgts2amcjyqg3pq redis:3.0.6 swarm-manager1 Running Running 5 hours redis.6.b465edgho06e318egmgjbqo4o redis:3.0.6 swarm-manager1 Running Running 29 seconds @@ -64,7 +65,7 @@ The following filter matches all tasks with a name containing the `redis` string. -```bash +```console $ docker node ps -f name=redis swarm-manager1 NAME IMAGE NODE DESIRED STATE CURRENT STATE @@ -79,7 +80,7 @@ The `id` filter matches a task's id. -```bash +```console $ docker node ps -f id=bg8c07zzg87di2mufeq51a2qp swarm-manager1 NAME IMAGE NODE DESIRED STATE CURRENT STATE @@ -93,7 +94,7 @@ The following filter matches tasks with the `usage` label regardless of its value. -```bash +```console $ docker node ps -f "label=usage" NAME IMAGE NODE DESIRED STATE CURRENT STATE 
@@ -132,8 +133,9 @@ The following example uses a template without headers and outputs the `Name` and `Image` entries separated by a colon (`:`) for all tasks: -```bash +```console $ docker node ps --format "{{.Name}}: {{.Image}}" + top.1: busybox top.2: busybox top.3: busybox diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_rm.md docker.io-20.10.11/cli/docs/reference/commandline/node_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_rm.md 2021-11-17 23:49:46.000000000 +0000 @@ -34,11 +34,12 @@ ### Remove a stopped node from the swarm -```bash +```console $ docker node rm swarm-node-02 Node swarm-node-02 removed from swarm ``` + ### Attempt to remove a running node from a swarm Removes the specified nodes from the swarm, but only if the nodes are in the @@ -58,7 +59,7 @@ This may cause transient errors or interruptions, depending on the type of task being run on the node. -```bash +```console $ docker node rm --force swarm-node-03 Node swarm-node-03 removed from swarm diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/node_update.md docker.io-20.10.11/cli/docs/reference/commandline/node_update.md --- docker.io-20.10.7/cli/docs/reference/commandline/node_update.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/node_update.md 2021-11-17 23:49:46.000000000 +0000 @@ -43,7 +43,7 @@ To add multiple labels to a node, pass the `--label-add` flag for each label: -```bash +```console $ docker node update --label-add foo --label-add bar worker1 ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/pause.md docker.io-20.10.11/cli/docs/reference/commandline/pause.md --- docker.io-20.10.7/cli/docs/reference/commandline/pause.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/pause.md 2021-11-17 23:49:46.000000000 +0000 
@@ -30,7 +30,7 @@ ## Examples -```bash +```console $ docker pause my_container ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_create.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_create.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_create.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_create.md 2021-11-17 23:49:46.000000000 +0000 @@ -25,7 +25,7 @@ The following example shows how to create a sample `plugin`. -```bash +```console $ ls -ls /home/pluginDir total 4 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_disable.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_disable.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_disable.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_disable.md 2021-11-17 23:49:46.000000000 +0000 @@ -27,7 +27,7 @@ The following example shows that the `sample-volume-plugin` plugin is installed and enabled: -```bash +```console $ docker plugin ls ID NAME DESCRIPTION ENABLED @@ -36,7 +36,7 @@ To disable the plugin, use the following command: -```bash +```console $ docker plugin disable tiborvass/sample-volume-plugin tiborvass/sample-volume-plugin diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_enable.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_enable.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_enable.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_enable.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ The following example shows that the `sample-volume-plugin` plugin is installed, but disabled: -```bash +```console $ docker plugin ls ID NAME DESCRIPTION ENABLED 
@@ -35,7 +35,7 @@ To enable the plugin, use the following command: -```bash +```console $ docker plugin enable tiborvass/sample-volume-plugin tiborvass/sample-volume-plugin diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -27,7 +27,7 @@ The following example example inspects the `tiborvass/sample-volume-plugin` plugin: -```bash +```console $ docker plugin inspect tiborvass/sample-volume-plugin:latest ``` @@ -144,7 +144,7 @@ ### Formatting the output -```bash +```console $ docker plugin inspect -f '{{.Id}}' tiborvass/sample-volume-plugin:latest 8c74c978c434745c3ade82f1bc0acf38d04990eaf494fa507c16d9f1daa99c21 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_install.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_install.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_install.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_install.md 2021-11-17 23:49:46.000000000 +0000 @@ -33,7 +33,7 @@ Hub and prompt the user to accept the list of privileges that the plugin needs, set the plugin's parameters and enable the plugin. -```bash +```console $ docker plugin install vieux/sshfs DEBUG=1 Plugin "vieux/sshfs" is requesting the following privileges: 
@@ -46,7 +46,7 @@ After the plugin is installed, it appears in the list of plugins: -```bash +```console $ docker plugin ls ID NAME DESCRIPTION ENABLED diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_ls.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -31,7 +31,7 @@ ## Examples -```bash +```console $ docker plugin ls ID NAME DESCRIPTION ENABLED @@ -58,7 +58,7 @@ might have multiple capabilities. Currently `volumedriver`, `networkdriver`, `ipamdriver`, `logdriver`, `metricscollector`, and `authz` are supported capabilities. -```bash +```console $ docker plugin install --disable vieux/sshfs Installed plugin vieux/sshfs @@ -90,7 +90,7 @@ The following example uses a template without headers and outputs the `ID` and `Name` entries separated by a colon (`:`) for all plugins: -```bash +```console $ docker plugin ls --format "{{.ID}}: {{.Name}}" 4be01827a72e: vieux/sshfs:latest diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_push.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_push.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_push.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_push.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ The following example shows how to push a sample `user/plugin`. -```bash +```console $ docker plugin ls ID NAME DESCRIPTION ENABLED diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_rm.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_rm.md 2021-11-17 23:49:46.000000000 +0000 
@@ -31,7 +31,7 @@ The following example disables and removes the `sample-volume-plugin:latest` plugin: -```bash +```console $ docker plugin disable tiborvass/sample-volume-plugin tiborvass/sample-volume-plugin diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_set.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_set.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_set.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_set.md 2021-11-17 23:49:46.000000000 +0000 @@ -84,7 +84,7 @@ The following example change the env variable `DEBUG` on the `sample-volume-plugin` plugin. -```bash +```console $ docker plugin inspect -f {{.Settings.Env}} tiborvass/sample-volume-plugin [DEBUG=0] @@ -99,7 +99,7 @@ The following example change the source of the `mymount` mount on the `myplugin` plugin. -```bash +```console $ docker plugin inspect -f '{{with $mount := index .Settings.Mounts 0}}{{$mount.Source}}{{end}}' myplugin /foo @@ -119,7 +119,7 @@ The following example change the path of the `mydevice` device on the `myplugin` plugin. -```bash +```console $ docker plugin inspect -f '{{with $device := index .Settings.Devices 0}}{{$device.Path}}{{end}}' myplugin /dev/foo @@ -139,7 +139,7 @@ The following example change the value of the args on the `myplugin` plugin. -```bash +```console $ docker plugin inspect -f '{{.Settings.Args}}' myplugin ["foo", "bar"] diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/plugin_upgrade.md docker.io-20.10.11/cli/docs/reference/commandline/plugin_upgrade.md --- docker.io-20.10.7/cli/docs/reference/commandline/plugin_upgrade.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/plugin_upgrade.md 2021-11-17 23:49:46.000000000 +0000 
@@ -30,7 +30,7 @@ The following example installs `vieus/sshfs` plugin, uses it to create and use a volume, then upgrades the plugin. -```bash +```console $ docker plugin install vieux/sshfs DEBUG=1 Plugin "vieux/sshfs:next" is requesting the following privileges: diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/port.md docker.io-20.10.11/cli/docs/reference/commandline/port.md --- docker.io-20.10.7/cli/docs/reference/commandline/port.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/port.md 2021-11-17 23:49:46.000000000 +0000 @@ -22,7 +22,7 @@ You can find out all the ports mapped by not specifying a `PRIVATE_PORT`, or just a specific mapping: -```bash +```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/ps.md docker.io-20.10.11/cli/docs/reference/commandline/ps.md --- docker.io-20.10.7/cli/docs/reference/commandline/ps.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/ps.md 2021-11-17 23:49:46.000000000 +0000 @@ -45,7 +45,7 @@ Running `docker ps --no-trunc` showing 2 linked containers. -```bash +```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -58,7 +58,7 @@ The `docker ps` command only shows running containers by default. To see all containers, use the `-a` (or `--all`) flag: -```bash +```console $ docker ps -a ``` @@ -70,7 +70,7 @@ The `docker ps -s` command displays two different on-disk-sizes for each container: -```bash +```console $ docker ps -s CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES SIZE SIZE @@ -114,7 +114,7 @@ The following filter matches containers with the `color` label regardless of its value. -```bash +```console $ docker ps --filter "label=color" CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 
@@ -124,7 +124,7 @@ The following filter matches containers with the `color` label with the `blue` value. -```bash +```console $ docker ps --filter "label=color=blue" CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -137,7 +137,7 @@ The following filter matches all containers with a name containing the `nostalgic_stallman` string. -```bash +```console $ docker ps --filter "name=nostalgic_stallman" CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -146,7 +146,7 @@ You can also filter for a substring in a name as this shows: -```bash +```console $ docker ps --filter "name=nostalgic" CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -160,7 +160,7 @@ The `exited` filter matches containers by exist status code. For example, to filter for containers that have exited successfully: -```bash +```console $ docker ps -a --filter 'exited=0' CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -174,7 +174,7 @@ You can use a filter to locate containers that exited with status of `137` meaning a `SIGKILL(9)` killed them. -```bash +```console $ docker ps -a --filter 'exited=137' CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -194,7 +194,7 @@ `created`, `restarting`, `running`, `removing`, `paused`, `exited` and `dead`. For example, to filter for `running` containers: -```bash +```console $ docker ps --filter status=running CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -205,7 +205,7 @@ To filter for `paused` containers: -```bash +```console $ docker ps --filter status=paused CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -226,7 +226,7 @@ If you don't specify a `tag`, the `latest` tag is used. For example, to filter for containers that use the latest `ubuntu` image: -```bash +```console $ docker ps --filter ancestor=ubuntu CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 
@@ -239,7 +239,7 @@ Match containers based on the `ubuntu-c1` image which, in this case, is a child of `ubuntu`: -```bash +```console $ docker ps --filter ancestor=ubuntu-c1 CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -248,7 +248,7 @@ Match containers based on the `ubuntu` version `12.04.5` image: -```bash +```console $ docker ps --filter ancestor=ubuntu:12.04.5 CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -258,7 +258,7 @@ The following matches containers based on the layer `d0e008c6cf02` or an image that have this layer in its layer stack. -```bash +```console $ docker ps --filter ancestor=d0e008c6cf02 CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -272,7 +272,7 @@ The `before` filter shows only containers created before the container with given id or name. For example, having these containers created: -```bash +```console $ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -283,7 +283,7 @@ Filtering with `before` would give: -```bash +```console $ docker ps -f before=9c3527ed70ce CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -296,7 +296,7 @@ The `since` filter shows only containers created since the container with given id or name. For example, with the same containers as in `before` filter: -```bash +```console $ docker ps -f since=6e63f6ff38b0 CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -309,7 +309,7 @@ The `volume` filter shows only containers that mount a specific volume or have a volume mounted in a specific path: -```bash +```console $ docker ps --filter volume=remote-volume --format "table {{.ID}}\t{{.Mounts}}" CONTAINER ID MOUNTS @@ -329,7 +329,7 @@ The following filter matches all containers that are connected to a network with a name containing `net1`. -```bash +```console $ docker run -d --net=net1 --name=test1 ubuntu top $ docker run -d --net=net2 --name=test2 ubuntu top 
@@ -343,7 +343,7 @@ example shows all containers that are attached to the `net1` network, using the network id as a filter; -```bash +```console $ docker network inspect --format "{{.ID}}" net1 8c0b4110ae930dbe26b258de9bc34a03f98056ed6f27f991d32919bfe401d7c5 @@ -361,7 +361,7 @@ The following filter matches all containers that have published port of 80: -```bash +```console $ docker run -d --publish=80 busybox top $ docker run -d --expose=8080 busybox top @@ -378,7 +378,8 @@ ``` The following filter matches all containers that have exposed TCP port in the range of `8000-8080`: -```bash + +```console $ docker ps --filter expose=8000-8080/tcp CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -386,7 +387,8 @@ ``` The following filter matches all containers that have exposed UDP port `80`: -```bash + +```console $ docker ps --filter publish=80/udp CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES @@ -423,7 +425,7 @@ The following example uses a template without headers and outputs the `ID` and `Command` entries separated by a colon (`:`) for all running containers: -```bash +```console $ docker ps --format "{{.ID}}: {{.Command}}" a87ecb4f327c: /bin/sh -c #(nop) MA @@ -434,7 +436,7 @@ To list all running containers with their labels in a table format you can use: -```bash +```console $ docker ps --format "table {{.ID}}\t{{.Labels}}" CONTAINER ID LABELS diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/pull.md docker.io-20.10.11/cli/docs/reference/commandline/pull.md --- docker.io-20.10.7/cli/docs/reference/commandline/pull.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/pull.md 2021-11-17 23:49:46.000000000 +0000 @@ -53,7 +53,7 @@ `docker pull`. If no tag is provided, Docker Engine uses the `:latest` tag as a default. This command pulls the `debian:latest` image: -```bash +```console $ docker pull debian Using default tag: latest 
@@ -72,7 +72,7 @@ only pulls its metadata, but not its layers, because all layers are already present locally: -```bash +```console $ docker pull debian:jessie jessie: Pulling from library/debian @@ -85,7 +85,7 @@ To see which images are present locally, use the [`docker images`](images.md) command: -```bash +```console $ docker images REPOSITORY TAG IMAGE ID CREATED SIZE @@ -121,22 +121,22 @@ To know the digest of an image, pull the image first. Let's pull the latest `ubuntu:14.04` image from Docker Hub: -```bash -$ docker pull ubuntu:14.04 +```console +$ docker pull ubuntu:20.04 -14.04: Pulling from library/ubuntu -5a132a7e7af1: Pull complete -fd2731e4c50c: Pull complete -28a2f68d1120: Pull complete -a3ed95caeb02: Pull complete -Digest: sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 -Status: Downloaded newer image for ubuntu:14.04 +20.04: Pulling from library/ubuntu +16ec32c2132b: Pull complete +Digest: sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 +Status: Downloaded newer image for ubuntu:20.04 +docker.io/library/ubuntu:20.04 ``` Docker prints the digest of the image after the pull has finished. In the example above, the digest of the image is: - sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 +```console +sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 +``` Docker also prints the digest of an image when *pushing* to a registry. This may be useful if you want to pin to a version of the image you just pushed. 
@@ -144,22 +144,19 @@ A digest takes the place of the tag when pulling an image, for example, to pull the above image by digest, run the following command: -```bash -$ docker pull ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 +```console +$ docker pull ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 -sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2: Pulling from library/ubuntu -5a132a7e7af1: Already exists -fd2731e4c50c: Already exists -28a2f68d1120: Already exists -a3ed95caeb02: Already exists -Digest: sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 -Status: Downloaded newer image for ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 +docker.io/library/ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3: Pulling from library/ubuntu +Digest: sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 +Status: Image is up to date for ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 +docker.io/library/ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 ``` Digest can also be used in the `FROM` of a Dockerfile, for example: ```dockerfile -FROM ubuntu@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 +FROM ubuntu@sha256:82becede498899ec668628e7cb0ad87b6e1c371cb8a1e597d83a47fac21d6af3 LABEL org.opencontainers.image.authors="some maintainer " ``` @@ -181,7 +178,7 @@ The following command pulls the `testing/test-image` image from a local registry listening on port 5000 (`myregistry.local:5000`): -```bash +```console $ docker pull myregistry.local:5000/testing/test-image ``` @@ -200,7 +197,7 @@ This command pulls all images from the `fedora` repository: -```bash +```console $ docker pull --all-tags fedora Pulling repository fedora 
@@ -217,7 +214,7 @@
images that were pulled. The example below shows all the `fedora` images that are present locally:
-```bash
+```console
$ docker images fedora REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -232,7 +229,7 @@
Killing the `docker pull` process, for example by pressing `CTRL-c` while it is running in a terminal, will terminate the pull operation.
-```bash
+```console
$ docker pull fedora Using default tag: latest
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/push.md docker.io-20.10.11/cli/docs/reference/commandline/push.md
--- docker.io-20.10.7/cli/docs/reference/commandline/push.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/push.md 2021-11-17 23:49:46.000000000 +0000
@@ -50,7 +50,7 @@
and then committing it to a new image name. Note that only `a-z0-9-_.` are allowed when naming images:
-```bash
+```console
$ docker container commit c16378f943fe rhel-httpd:latest ```
@@ -59,7 +59,7 @@
this, tag the image with the host name or IP address, and the port of the registry:
-```bash
+```console
$ docker image tag rhel-httpd:latest registry-host:5000/myadmin/rhel-httpd:latest $ docker image push registry-host:5000/myadmin/rhel-httpd:latest
@@ -67,7 +67,7 @@
Check that this worked by running:
-```bash
+```console
$ docker image ls ```
@@ -82,7 +82,7 @@
tags to Docker Hub.
-```bash
+```console
$ docker image tag myimage registry-host:5000/myname/myimage:latest $ docker image tag myimage registry-host:5000/myname/myimage:v1.0.1 $ docker image tag myimage registry-host:5000/myname/myimage:v1.0
@@ -91,7 +91,7 @@
The image is now tagged under multiple names:
-```bash
+```console
$ docker image ls REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -106,7 +106,7 @@
image are pushed:
-```bash
+```console
$ docker image push --all-tags registry-host:5000/myname/myimage The push refers to repository [registry-host:5000/myname/myimage]
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/rename.md docker.io-20.10.11/cli/docs/reference/commandline/rename.md
--- docker.io-20.10.7/cli/docs/reference/commandline/rename.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/rename.md 2021-11-17 23:49:46.000000000 +0000
@@ -21,6 +21,6 @@
## Examples
-```bash
+```console
$ docker rename my_container my_new_container ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/restart.md docker.io-20.10.11/cli/docs/reference/commandline/restart.md
--- docker.io-20.10.7/cli/docs/reference/commandline/restart.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/restart.md 2021-11-17 23:49:46.000000000 +0000
@@ -18,6 +18,6 @@
## Examples
-```bash
+```console
$ docker restart my_container ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/rmi.md docker.io-20.10.11/cli/docs/reference/commandline/rmi.md
--- docker.io-20.10.7/cli/docs/reference/commandline/rmi.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/rmi.md 2021-11-17 23:49:46.000000000 +0000
@@ -35,7 +35,7 @@
the image is removed. Digest references are removed automatically when an image is removed by tag.
-```bash
+```console
$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -71,7 +71,7 @@
If you use the `-f` flag and specify the image's short or long ID, then this command untags and removes all images that match the specified ID.
-```bash
+```console
$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE
@@ -89,7 +89,7 @@
An image pulled by digest has no tag associated with it:
-```bash
+```console
$ docker images --digests REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE
@@ -98,7 +98,7 @@
To remove an image using its digest:
-```bash
+```console
$ docker rmi localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf Untagged: localhost:5000/test/busybox@sha256:cbbf2f9a99b47fc460d422812b6a5adff7dfee951d8fa2e4a98caa0382cfbdbf Deleted: 4986bf8c15363d1c5d15512d5266f8777bfba4974ac56e3270e7760f6f0a8125
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/rm.md docker.io-20.10.11/cli/docs/reference/commandline/rm.md
--- docker.io-20.10.7/cli/docs/reference/commandline/rm.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/rm.md 2021-11-17 23:49:46.000000000 +0000
@@ -24,7 +24,7 @@
This removes the container referenced under the link `/redis`.
-```bash
+```console
$ docker rm /redis /redis
@@ -37,7 +37,7 @@
between the two containers. This does not apply when `--link` is used with user-specified networks.
-```bash
+```console
$ docker rm --link /webapp/redis /webapp/redis
@@ -47,7 +47,7 @@
This command force-removes a running container.
-```bash
+```console
$ docker rm --force redis redis
@@ -88,7 +88,7 @@
### Remove a container and its volumes
-```bash
+```console
$ docker rm -v redis redis ```
@@ -98,7 +98,7 @@
### Remove a container and selectively remove volumes
-```bash
+```console
$ docker create -v awesome:/foo -v /bar --name hello redis hello
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/run.md docker.io-20.10.11/cli/docs/reference/commandline/run.md
--- docker.io-20.10.7/cli/docs/reference/commandline/run.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/run.md 2021-11-17 23:49:46.000000000 +0000
@@ -120,7 +120,7 @@ or `g` (gigabytes). If you omit the unit, the system uses bytes. --sig-proxy Proxy received signals to the process (default true) --stop-signal string Signal to stop a container (default "SIGTERM") - --stop-timeout=10 Timeout (in seconds) to stop a container + --stop-timeout int Timeout (in seconds) to stop a container --storage-opt value Storage driver options for the container (default []) --sysctl value Sysctl options (default map[]) --tmpfs value Mount a tmpfs directory (default []) @@ -161,7 +161,7 @@ ### Assign name and allocate pseudo-TTY (--name, -it) -```bash +```console $ docker run --name test -it debian root@d6c0fe130dba:/# exit 13 @@ -180,7 +180,7 @@ ### Capture container ID (--cidfile) -```bash +```console $ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test" ``` @@ -191,7 +191,7 @@ ### Full container capabilities (--privileged) -```bash +```console $ docker run -t -i --rm ubuntu bash root@bc338942ef20:/# mount -t tmpfs none /mnt mount: permission denied @@ -201,7 +201,7 @@ capabilities are dropped; including `cap_sys_admin` (which is required to mount filesystems). However, the `--privileged` flag will allow it to run: -```bash +```console $ docker run -t -i --privileged ubuntu bash root@50e3f57e16e6:/# mount -t tmpfs none /mnt root@50e3f57e16e6:/# df -h @@ -216,7 +216,7 @@ ### Set working directory (-w) -```bash +```console $ docker run -w /path/to/dir/ -i -t ubuntu pwd ``` @@ -225,7 +225,7 @@ ### Set storage driver options per container -```bash +```console $ docker run -it --storage-opt size=120G fedora /bin/bash ``` @@ -240,7 +240,7 @@ ### Mount tmpfs (--tmpfs) -```bash +```console $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image ``` @@ -249,7 +249,7 @@ ### Mount volume (-v, --read-only) -```bash +```console $ docker run -v `pwd`:`pwd` -w `pwd` -i -t ubuntu pwd ``` 
@@ -259,7 +259,7 @@
combination executes the command using the container, but inside the current working directory.
-```bash
+```console
$ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash ```
@@ -268,7 +268,7 @@
example above, Docker will create the `/doesnt/exist` folder before starting your container.
-```bash
+```console
$ docker run --read-only -v /icanwrite busybox touch /icanwrite/here ```
@@ -277,7 +277,7 @@
filesystem as read only prohibiting writes to locations other than the specified volumes for the container.
-```bash
+```console
$ docker run -t -i -v /var/run/docker.sock:/var/run/docker.sock -v /path/to/static-docker-binary:/usr/bin/docker busybox sh ```
@@ -327,17 +327,17 @@
Examples:
-```bash
+```console
$ docker run --read-only --mount type=volume,target=/icanwrite busybox touch /icanwrite/here ```
-```bash
+```console
$ docker run -t -i --mount type=bind,src=/data,dst=/data busybox sh ``` ### Publish or expose port (-p, --expose)
-```bash
+```console
$ docker run -p 127.0.0.1:80:8080/tcp ubuntu bash ```
@@ -351,7 +351,7 @@
you configured UFW to block this specific port, as Docker manages his own iptables rules. [Read more](https://docs.docker.com/network/iptables/)
-```bash
+```console
$ docker run --expose 80 ubuntu bash ```
@@ -360,7 +360,7 @@
### Set environment variables (-e, --env, --env-file)
-```bash
+```console
$ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash ```
@@ -370,7 +370,7 @@
You can define the variable and its value when running the container:
-```bash
+```console
$ docker run --env VAR1=value1 --env VAR2=value2 ubuntu env | grep VAR VAR1=value1 VAR2=value2
@@ -378,7 +378,7 @@
You can also use variables that you've exported to your local environment:
-```bash
+```console
export VAR1=value1 export VAR2=value2
@@ -396,7 +396,7 @@ the syntax `=value` (which sets the variable to the given value) or `` (which takes the value from the local environment), and `#` for comments. -```bash +```console $ cat env.list # This is a comment VAR1=value1 @@ -413,7 +413,7 @@ A label is a `key=value` pair that applies metadata to a container. To label a container with two labels: -```bash +```console $ docker run -l my-label --label com.example.foo=bar ubuntu bash ``` @@ -428,7 +428,7 @@ label in the file with an EOL mark. The example below loads labels from a labels file in the current directory: -```bash +```console $ docker run --label-file ./labels ubuntu bash ``` @@ -456,21 +456,21 @@ When you start a container use the `--network` flag to connect it to a network. This adds the `busybox` container to the `my-net` network. -```bash +```console $ docker run -itd --network=my-net busybox ``` You can also choose the IP addresses for the container with `--ip` and `--ip6` flags when you start the container on a user-defined network. -```bash +```console $ docker run -itd --network=my-net --ip=10.10.9.75 busybox ``` If you want to add a running container to a network use the `docker network connect` subcommand. You can connect multiple containers to the same network. Once connected, the -containers can communicate easily need only another container's IP address +containers can communicate easily using only another container's IP address or name. For `overlay` networks or custom plugins that support multi-host connectivity, containers connected to the same multi-host network but launched from different Engines can also communicate in this way. @@ -486,7 +486,7 @@ ### Mount volumes from container (--volumes-from) -```bash +```console $ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ubuntu pwd ``` 
@@ -516,14 +516,14 @@
or `STDERR`. This makes it possible to manipulate the output and input as needed.
-```bash
+```console
$ echo "test" | docker run -i -a stdin ubuntu cat - ``` This pipes data into a container and prints the container's ID by attaching only to the container's `STDIN`.
-```bash
+```console
$ docker run -a stderr ubuntu echo test ```
@@ -531,7 +531,7 @@
only attached to the `STDERR` of the container. The container's logs still store what's been written to `STDERR` and `STDOUT`.
-```bash
+```console
$ cat somefile | docker run -i -a stdin mybuilder dobuild ```
@@ -543,7 +543,7 @@
### Add host device to container (--device)
-```bash
+```console
$ docker run --device=/dev/sdc:/dev/xvdc \ --device=/dev/sdd --device=/dev/zero:/dev/nulo \ -i -t \
@@ -564,7 +564,7 @@
flag. If the container is running in privileged mode, then the permissions specified will be ignored.
-```bash
+```console
$ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc Command (m for help): q
@@ -620,20 +620,20 @@
To use `--gpus`, specify which GPUs (or all) to use. If no value is provied, all available GPUs are used. The example below exposes all available GPUs.
-```bash
+```console
$ docker run -it --rm --gpus all ubuntu nvidia-smi ``` Use the `device` option to specify GPUs. The example below exposes a specific GPU.
-```bash
+```console
$ docker run -it --rm --gpus device=GPU-3a23c669-1f69-c64e-cf85-44e9b07e7a2a ubuntu nvidia-smi ``` The example below exposes the first and third GPUs.
-```bash
+```console
$ docker run -it --rm --gpus device=0,2 nvidia-smi ```
@@ -650,7 +650,7 @@ | `unless-stopped` | Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted. | | `always` | Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. | -```bash +```console $ docker run --restart=always redis ``` @@ -667,16 +667,18 @@ more `--add-host` flags. This example adds a static address for a host named `docker`: -```bash -$ docker run --add-host=docker:10.180.0.1 --rm -it debian +```console +$ docker run --add-host=docker:93.184.216.34 --rm -it alpine -root@f38c87f2a42d:/# ping docker -PING docker (10.180.0.1): 48 data bytes -56 bytes from 10.180.0.1: icmp_seq=0 ttl=254 time=7.600 ms -56 bytes from 10.180.0.1: icmp_seq=1 ttl=254 time=30.705 ms -^C--- docker ping statistics --- -2 packets transmitted, 2 packets received, 0% packet loss -round-trip min/avg/max/stddev = 7.600/19.152/30.705/11.553 ms +/ # ping docker +PING docker (93.184.216.34): 56 data bytes +64 bytes from 93.184.216.34: seq=0 ttl=37 time=93.052 ms +64 bytes from 93.184.216.34: seq=1 ttl=37 time=92.467 ms +64 bytes from 93.184.216.34: seq=2 ttl=37 time=92.252 ms +^C +--- docker ping statistics --- +4 packets transmitted, 4 packets received, 0% packet loss +round-trip min/avg/max = 92.209/92.495/93.052 ms ``` Sometimes you need to connect to the Docker host from within your @@ -688,7 +690,7 @@ using IPv4 or IPv6 networking in your containers. Use the following flags for IPv4 address retrieval for a network device named `eth0`: -```bash +```console $ HOSTIP=`ip -4 addr show scope global dev eth0 | grep inet | awk '{print $2}' | cut -d / -f 1 | sed -n 1p` $ docker run --add-host=docker:${HOSTIP} --rm -it debian ``` 
@@ -704,7 +706,7 @@ `--ulimit` is specified with a soft and hard limit as such: `=[:]`, for example: -```bash +```console $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n" 1024 ``` @@ -716,7 +718,7 @@ > the default `ulimits` set on the daemon. The `as` option is disabled now. > In other words, the following script is not supported: > -> ```bash +> ```console > $ docker run -it --ulimit as=1024 fedora /bin/bash` > ``` @@ -729,7 +731,7 @@ maximum number of processes available to a user, not to a container. For example, start four containers with `daemon` user: -```bash +```console $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top @@ -745,9 +747,12 @@ ### Stop container with signal (--stop-signal) -The `--stop-signal` flag sets the system call signal that will be sent to the container to exit. -This signal can be a valid unsigned number that matches a position in the kernel's syscall table, for instance 9, -or a signal name in the format SIGNAME, for instance SIGKILL. +The `--stop-signal` flag sets the system call signal that will be sent to the +container to exit. This signal can be a signal name in the format `SIG`, +for instance `SIGKILL`, or an unsigned number that matches a position in the +kernel's syscall table, for instance `9`. + +The default is `SIGTERM` if not specified. ### Optional security options (--security-opt) 
@@ -756,8 +761,16 @@ ### Stop container with timeout (--stop-timeout) -The `--stop-timeout` flag sets the timeout (in seconds) that a pre-defined (see `--stop-signal`) system call -signal that will be sent to the container to exit. After timeout elapses the container will be killed with SIGKILL. +The `--stop-timeout` flag sets the number of seconds to wait for the container +to stop after sending the pre-defined (see `--stop-signal`) system call signal. +If the container does not exit after the timeout elapses, it is forcibly killed +with a `SIGKILL` signal. + +If `--stop-timeout` is set to `-1`, no timeout is applied, and the daemon will +wait indefinitely for the container to exit. + +The default is determined by the daemon, and is 10 seconds for Linux containers, +and 30 seconds for Windows containers. ### Specify isolation technology for container (--isolation) @@ -766,7 +779,7 @@ On Linux, the only supported is the `default` option which uses Linux namespaces. These two commands are equivalent on Linux: -```bash +```console $ docker run -d busybox top $ docker run -d --isolation default busybox top ``` @@ -847,7 +860,7 @@ container. For example, to turn on IP forwarding in the containers network namespace, run this command: -```bash +```console $ docker run --sysctl net.ipv4.ip_forward=1 someimage ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/save.md docker.io-20.10.11/cli/docs/reference/commandline/save.md --- docker.io-20.10.7/cli/docs/reference/commandline/save.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/save.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ ### Create a backup that can then be used with `docker load`. -```bash +```console $ docker save busybox > busybox.tar $ ls -sh busybox.tar 
@@ -48,14 +48,14 @@ You can use gzip to save the image file and make the backup smaller. -```bash -docker save myimage:latest | gzip > myimage_latest.tar.gz +```console +$ docker save myimage:latest | gzip > myimage_latest.tar.gz ``` ### Cherry-pick particular tags You can even cherry-pick particular tags of an image repository. -```bash +```console $ docker save -o ubuntu.tar ubuntu:lucid ubuntu:saucy ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/search.md docker.io-20.10.11/cli/docs/reference/commandline/search.md --- docker.io-20.10.7/cli/docs/reference/commandline/search.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/search.md 2021-11-17 23:49:46.000000000 +0000 @@ -32,7 +32,7 @@ This example displays images with a name containing 'busybox': -```bash +```console $ docker search busybox NAME DESCRIPTION STARS OFFICIAL AUTOMATED @@ -68,8 +68,9 @@ This example displays images with a name containing 'busybox', at least 3 stars and the description isn't truncated in the output: -```bash +```console $ docker search --filter=stars=3 --no-trunc busybox + NAME DESCRIPTION STARS OFFICIAL AUTOMATED busybox Busybox base image. 325 [OK] progrium/busybox 50 [OK] @@ -97,7 +98,7 @@ This example displays images with a name containing 'busybox' and at least 3 stars: -```bash +```console $ docker search --filter stars=3 busybox NAME DESCRIPTION STARS OFFICIAL AUTOMATED @@ -111,7 +112,7 @@ This example displays images with a name containing 'busybox' and are automated builds: -```bash +```console $ docker search --filter is-automated=true busybox NAME DESCRIPTION STARS OFFICIAL AUTOMATED 
@@ -124,12 +125,11 @@ This example displays images with a name containing 'busybox', at least 3 stars and are official builds: -```bash +```console $ docker search --filter is-official=true --filter stars=3 busybox -NAME DESCRIPTION STARS OFFICIAL AUTOMATED -progrium/busybox 50 [OK] -radial/busyboxplus Full-chain, Internet enabled, busybox made... 8 [OK] +NAME DESCRIPTION STARS OFFICIAL AUTOMATED +busybox Busybox base image. 325 [OK] ``` ### Format the output @@ -154,7 +154,7 @@ The following example uses a template without headers and outputs the `Name` and `StarCount` entries separated by a colon (`:`) for all images: -```bash +```console $ docker search --format "{{.Name}}: {{.StarCount}}" nginx nginx: 5441 @@ -171,7 +171,7 @@ This example outputs a table format: -```bash +```console $ docker search --format "table {{.Name}}\t{{.IsAutomated}}\t{{.IsOfficial}}" nginx NAME AUTOMATED OFFICIAL diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/secret_create.md docker.io-20.10.11/cli/docs/reference/commandline/secret_create.md --- docker.io-20.10.7/cli/docs/reference/commandline/secret_create.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/secret_create.md 2021-11-17 23:49:46.000000000 +0000 @@ -33,8 +33,8 @@ ### Create a secret -```bash -$ printf | docker secret create my_secret - +```console +$ printf "my super secret password" | docker secret create my_secret - onakdyv307se2tl7nl20anokv @@ -46,7 +46,7 @@ ### Create a secret with a file -```bash +```console $ docker secret create my_secret ./secret.json dg426haahpi5ezmkkj5kyl3sn 
@@ -59,15 +59,16 @@ ### Create a secret with labels -```bash -$ docker secret create --label env=dev \ - --label rev=20170324 \ - my_secret ./secret.json +```console +$ docker secret create \ + --label env=dev \ + --label rev=20170324 \ + my_secret ./secret.json eo7jnzguqgtpdah3cm5srfb97 ``` -```bash +```console $ docker secret inspect my_secret [ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/secret_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/secret_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/secret_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/secret_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -23,7 +23,7 @@ By default, this renders all results in a JSON array. If a format is specified, the given template will be executed for each result. -Go's [text/template](http://golang.org/pkg/text/template/) package +Go's [text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. For detailed information about using secrets, refer to [manage sensitive data with Docker secrets](https://docs.docker.com/engine/swarm/secrets/). @@ -43,14 +43,14 @@ For example, given the following secret: -```bash +```console $ docker secret ls ID NAME CREATED UPDATED eo7jnzguqgtpdah3cm5srfb97 my_secret 3 minutes ago 3 minutes ago ``` -```bash +```console $ docker secret inspect secret.json ``` 
@@ -82,7 +82,7 @@
secret. The following example command outputs the creation time of the secret.
-```bash
+```console
$ docker secret inspect --format='{{.CreatedAt}}' eo7jnzguqgtpdah3cm5srfb97 2017-03-24 08:15:09.735271783 +0000 UTC
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/secret_ls.md docker.io-20.10.11/cli/docs/reference/commandline/secret_ls.md
--- docker.io-20.10.7/cli/docs/reference/commandline/secret_ls.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/secret_ls.md 2021-11-17 23:49:46.000000000 +0000
@@ -36,7 +36,7 @@
## Examples
-```bash
+```console
$ docker secret ls ID NAME CREATED UPDATED
@@ -60,7 +60,7 @@
The `id` filter matches all or prefix of a secret's id.
-```bash
+```console
$ docker secret ls -f "id=6697bflskwj1998km1gnnjr38" ID NAME CREATED UPDATED
@@ -75,7 +75,7 @@
The following filter matches all secrets with a `project` label regardless of its value:
-```bash
+```console
$ docker secret ls --filter label=project ID NAME CREATED UPDATED
@@ -85,7 +85,7 @@
The following filter matches only services with the `project` label with the `project-a` value.
-```bash
+```console
$ docker service ls --filter label=project=test ID NAME CREATED UPDATED
@@ -98,7 +98,7 @@
The following filter matches secret with a name containing a prefix of `test`.
-```bash
+```console
$ docker secret ls --filter name=test_secret ID NAME CREATED UPDATED
@@ -128,7 +128,7 @@
The following example uses a template without headers and outputs the `ID` and `Name` entries separated by a colon (`:`) for all images:
-```bash
+```console
$ docker secret ls --format "{{.ID}}: {{.Name}}" 77af4d6b9913: secret-1
@@ -139,7 +139,7 @@
To list all secrets with their name and created date in a table format you can use:
-```bash
+```console
$ docker secret ls --format "table {{.ID}}\t{{.Name}}\t{{.CreatedAt}}" ID NAME CREATED
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/secret_rm.md docker.io-20.10.11/cli/docs/reference/commandline/secret_rm.md
--- docker.io-20.10.7/cli/docs/reference/commandline/secret_rm.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/secret_rm.md 2021-11-17 23:49:46.000000000 +0000
@@ -35,7 +35,7 @@
This example removes a secret:
-```bash
+```console
$ docker secret rm secret.json sapth4csdo5b6wz2p5uimh5xg ```
diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_create.md docker.io-20.10.11/cli/docs/reference/commandline/service_create.md
--- docker.io-20.10.7/cli/docs/reference/commandline/service_create.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/docs/reference/commandline/service_create.md 2021-11-17 23:49:46.000000000 +0000
@@ -101,7 +101,7 @@
### Create a service
-```bash
+```console
$ docker service create --name redis redis:3.0.6 dmu1ept4cxcfe8k8lhtux3ro3
@@ -124,7 +124,7 @@
your image is stored on `registry.example.com`, which is a private registry, use a command like the following:
-```bash
+```console
$ docker login registry.example.com $ docker service create \
@@ -142,7 +142,7 @@
Use the `--replicas` flag to set the number of replica tasks for a replicated service. The following command creates a `redis` service with `5` replica tasks:
-```bash
+```console
$ docker service create --name redis --replicas=5 redis:3.0.6 4cdgfyky7ozwh3htjfw0d12qv
@@ -156,7 +156,7 @@
In the following example the desired state is `5` replicas, but the current number of `RUNNING` tasks is `3`:
-```bash
+```console
$ docker service ls ID NAME MODE REPLICAS IMAGE
@@ -166,7 +166,7 @@
Once all the tasks are created and `RUNNING`, the actual number of tasks is equal to the desired number:
-```bash
+```console
$ docker service ls ID NAME MODE REPLICAS IMAGE
@@ -180,7 +180,7 @@
Create a service specifying a secret:
-```bash
+```console
$ docker service create --name redis --secret secret.json redis:3.0.6 4cdgfyky7ozwh3htjfw0d12qv
@@ -188,7 +188,7 @@
Create a service specifying the secret, target, user/group ID, and mode:
-```bash
+```console
$ docker service create --name redis \ --secret source=ssh-key,target=ssh \ --secret source=app-key,target=app,uid=1000,gid=1001,mode=0400 \
@@ -217,13 +217,13 @@
pre-exist in the container. The `mode` is specified as a 4-number sequence such as `0755`.
-```bash
+```console
$ docker service create --name=redis --config redis-conf redis:3.0.6 ``` Create a service with a config and specify the target location and file mode:
-```bash
+```console
$ docker service create --name redis \ --config source=redis-conf,target=/etc/redis/redis.conf,mode=0400 redis:3.0.6 ```
@@ -236,7 +236,7 @@
### Create a service with a rolling update policy
-```bash
+```console
$ docker service create \ --replicas 10 \ --name redis \
@@ -254,7 +254,7 @@
This sets an environment variable for all tasks in a service. For example:
-```bash
+```console
$ docker service create \ --name redis_2 \ --replicas 5 \
@@ -265,7 +265,7 @@
To specify multiple environment variables, specify multiple `--env` flags, each with a separate key-value pair.
-```bash
+```console
$ docker service create \ --name redis_2 \ --replicas 5 \
@@ -279,7 +279,7 @@
This option sets the docker service containers hostname to a specific string. For example:
-```bash
+```console
$ docker service create --name redis --hostname myredis redis:3.0.6 ```
@@ -288,7 +288,7 @@
A label is a `key=value` pair that applies metadata to a service. To label a service with two labels:
-```bash
+```console
$ docker service create \ --name redis_2 \ --label com.example.foo="bar"
@@ -592,7 +592,7 @@
The following example creates a service that uses a named volume:
-```bash
+```console
$ docker service create \ --name my-service \ --replicas 3 \
@@ -622,7 +622,7 @@
The following command creates a service with three replicas with an anonymous volume on `/path/in/container`:
-```bash
+```console
$ docker service create \ --name my-service \ --replicas 3 \
@@ -640,7 +640,7 @@
The following example bind-mounts a host directory at `/path/in/container` in the containers backing the service:
-```bash
+```console
$ docker service create \ --name my-service \ --mount type=bind,source=/path/on/host,destination=/path/in/container \
@@ -655,7 +655,7 @@
The following command creates a global service:
-```bash
+```console
$ docker service create \ --name redis_2 \ --mode global \
@@ -688,7 +688,7 @@
For example, the following limits tasks for the redis service to nodes where the node type label equals queue:
-```bash
+```console
$ docker service create \ --name redis_2 \ --constraint node.platform.os==linux \
@@ -703,7 +703,7 @@
In the example below, no node satisfying the constraint was found, causing the service to not reconcile with the desired state:
-```bash
+```console
$ docker service create \ --name web \ --constraint node.labels.region==east \
@@ -721,7 +721,7 @@
After adding the `region=east` label to a node in the cluster, the service reconciles, and the desired number of replicas are deployed:
-```bash
+```console
$ docker node update --label-add region=east yswe2dm4c5fdgtsrli1e8ya5l yswe2dm4c5fdgtsrli1e8ya5l
@@ -736,7 +736,7 @@
nodes. One example of where this can be useful is to balance tasks over a set of datacenters or availability zones. The example below illustrates this:
-```bash
+```console
$ docker service create \ --replicas 9 \ --name redis_2 \
@@ -787,7 +787,7 @@
Tasks are spread first over the various datacenters, and then over racks (as indicated by the respective labels):
-```bash
+```console
$ docker service create \ --replicas 9 \ --name redis_2 \
@@ -812,7 +812,7 @@
The following example requires that 4GB of memory be available and reservable on a given node before scheduling the service to run on that node.
-```bash
+```console
$ docker service create --reserve-memory=4GB --name=too-big nginx:alpine ```
@@ -825,7 +825,7 @@
by the task to 4GB. The task will be scheduled even if each of your nodes has only 2GB of memory, because `--limit-memory` is an upper limit.
-```bash
+```console
$ docker service create --limit-memory=4GB --name=too-big nginx:alpine ```
@@ -880,7 +880,7 @@
The example below illustrates this:
-```bash
+```console
$ docker service create \ --name nginx \ --replicas 2 \
@@ -896,7 +896,7 @@
First, create an overlay network on a manager node the docker network create command:
-```bash
+```console
$ docker network create --driver overlay my-network etjpu59cykrptrgw0z0hk5snf
@@ -908,7 +908,7 @@
When you create a service and pass the `--network` flag to attach the service to the overlay network:
-```bash
+```console
$ docker service create \ --replicas 3 \ --network my-network \
@@ -933,7 +933,7 @@
of arguments. The short version is positional, and allows you to specify the published port and target port separated by a colon (`:`).
-```bash
+```console
$ docker service create --name my_web --replicas 3 --publish 8080:80 nginx ```
@@ -942,7 +942,7 @@
mode when using the short format. Here is an example of using the long format for the same service as above:
-```bash
+```console
$ docker service create --name my_web --replicas 3 --publish published=8080,target=80 nginx ```
@@ -1018,7 +1018,7 @@
### Create services using templates You can use templates for some flags of `service create`, using the syntax
-provided by the Go's [text/template](http://golang.org/pkg/text/template/) package.
+provided by the Go's [text/template](https://golang.org/pkg/text/template/) package.
The supported flags are the following :
@@ -1074,7 +1074,7 @@
In this example, we are going to set the template of the created containers based on the service's name, the node's ID and hostname where it sits.
-```bash
+```console
$ docker service create \ --name hosttempl \ --hostname="{{.Node.Hostname}}-{{.Node.ID}}-{{.Service.Name}}"\
@@ -1098,7 +1098,7 @@
configured for this particular node. To force a specific isolation mode, you can use the `--isolation` flag:
-```bash
+```console
$ docker service create --name myservice --isolation=process microsoft/nanoserver ```
@@ -1112,7 +1112,7 @@
You can narrow the kind of nodes your task can land on through the using the `--generic-resource` flag (if the nodes advertise these resources):
-```bash
+```console
$ docker service create \ --name cuda \ --generic-resource "NVIDIA-GPU=2" \
@@ -1129,7 +1129,7 @@
Jobs are started by using one of two modes, `replicated-job` or `global-job`
-```bash
+```console
$ docker service create --name myjob \ --mode replicated-job \ bash "true"
@@ -1159,12 +1159,13 @@ the total number of replicas that are executing simultaneously at any one time, the `--max-concurrent` flag can be used: -```bash -$ docker service create --name mythrottledjob \ - --mode replicated-job \ - --replicas 10 \ - --max-concurrent 2 \ - bash "true" +```console +$ docker service create \ + --name mythrottledjob \ + --mode replicated-job \ + --replicas 10 \ + --max-concurrent 2 \ + bash "true" ``` The above command will execute 10 Tasks in total, but only 2 of them will be diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/service_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -24,7 +24,7 @@ By default, this renders all results in a JSON array. If a format is specified, the given template will be executed for each result. -Go's [text/template](http://golang.org/pkg/text/template/) package +Go's [text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. > **Note** @@ -42,7 +42,7 @@ For example, given the following service; -```bash +```console $ docker service ls ID NAME MODE REPLICAS IMAGE dmu1ept4cxcf redis replicated 3/3 redis:3.0.6 @@ -51,7 +51,7 @@ Both `docker service inspect redis`, and `docker service inspect dmu1ept4cxcf` produce the same result: -```bash +```console $ docker service inspect redis ``` @@ -99,7 +99,7 @@ ] ``` -```bash +```console $ docker service inspect dmu1ept4cxcf [ @@ -118,7 +118,7 @@ You can print the inspect output in a human-readable format instead of the default JSON output, by using the `--pretty` option: -```bash +```console $ docker service inspect --pretty frontend ID: c8wgl7q4ndfd52ni6qftkvnnp 
@@ -153,7 +153,7 @@ service. For example, the following command outputs the number of replicas of the "redis" service. -```bash +```console $ docker service inspect --format='{{.Spec.Mode.Replicated.Replicas}}' redis 10 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_ls.md docker.io-20.10.11/cli/docs/reference/commandline/service_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -36,7 +36,7 @@ On a manager node: -```bash +```console $ docker service ls ID NAME MODE REPLICAS IMAGE @@ -67,7 +67,7 @@ The `id` filter matches all or part of a service's id. -```bash +```console $ docker service ls -f "id=0bcjw" ID NAME MODE REPLICAS IMAGE 0bcjwfh8ychr redis replicated 1/1 redis:3.0.6 @@ -81,7 +81,7 @@ The following filter matches all services with a `project` label regardless of its value: -```bash +```console $ docker service ls --filter label=project ID NAME MODE REPLICAS IMAGE 01sl1rp6nj5u frontend2 replicated 1/1 nginx:alpine @@ -92,7 +92,7 @@ The following filter matches only services with the `project` label with the `project-a` value. -```bash +```console $ docker service ls --filter label=project=project-a ID NAME MODE REPLICAS IMAGE 36xvvwwauej0 frontend replicated 5/5 nginx:alpine @@ -105,7 +105,7 @@ The following filter matches only `global` services. -```bash +```console $ docker service ls --filter mode=global ID NAME MODE REPLICAS IMAGE w7y0v2yrn620 top global 1/1 busybox @@ -117,7 +117,7 @@ The following filter matches services with a name containing `redis`. -```bash +```console $ docker service ls --filter name=redis ID NAME MODE REPLICAS IMAGE 0bcjwfh8ychr redis replicated 1/1 redis:3.0.6 
@@ -146,7 +146,7 @@ The following example uses a template without headers and outputs the `ID`, `Mode`, and `Replicas` entries separated by a colon (`:`) for all services: -```bash +```console $ docker service ls --format "{{.ID}}: {{.Mode}} {{.Replicas}}" 0zmvwuiu3vue: replicated 10/10 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_ps.md docker.io-20.10.11/cli/docs/reference/commandline/service_ps.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_ps.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_ps.md 2021-11-17 23:49:46.000000000 +0000 @@ -38,7 +38,7 @@ The following command shows all the tasks that are part of the `redis` service: -```bash +```console $ docker service ps redis ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS @@ -58,7 +58,7 @@ example, after updating the service to use the `redis:3.0.6` image, the output may look like this: -```bash +```console $ docker service ps redis ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS @@ -83,7 +83,7 @@ default, but is printed if `--no-trunc` is used. The `--no-trunc` option also shows the non-truncated task ID, and error-messages, as can be seen below; -```bash +```console $ docker service ps --no-trunc redis ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS @@ -112,7 +112,7 @@ The `id` filter matches on all or a prefix of a task's ID. -```bash +```console $ docker service ps -f "id=8" redis ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS @@ -124,8 +124,9 @@ The `name` filter matches on task names. -```bash +```console $ docker service ps -f "name=redis.1" redis + ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS qihejybwf1x5 redis.1 redis:3.0.6 manager1 Running Running 8 seconds ``` 
@@ -135,8 +136,9 @@ The `node` filter matches on a node name or a node ID. -```bash +```console $ docker service ps -f "node=manager1" redis + ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS 0qihejybwf1x redis.1 redis:3.0.6 manager1 Running Running 8 seconds 1x0v8yomsncd redis.5 redis:3.0.6 manager1 Running Running 8 seconds @@ -173,8 +175,9 @@ The following example uses a template without headers and outputs the `Name` and `Image` entries separated by a colon (`:`) for all tasks: -```bash +```console $ docker service ps --format "{{.Name}}: {{.Image}}" top + top.1: busybox top.2: busybox top.3: busybox diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_rm.md docker.io-20.10.11/cli/docs/reference/commandline/service_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_rm.md 2021-11-17 23:49:46.000000000 +0000 @@ -33,7 +33,7 @@ Remove the `redis` service: -```bash +```console $ docker service rm redis redis diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_rollback.md docker.io-20.10.11/cli/docs/reference/commandline/service_rollback.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_rollback.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_rollback.md 2021-11-17 23:49:46.000000000 +0000 @@ -43,13 +43,13 @@ Create a service with a single replica: -```bash +```console $ docker service create --name my-service -p 8080:80 nginx:alpine ``` Confirm that the service is running with a single replica: -```bash +```console $ docker service ls ID NAME MODE REPLICAS IMAGE PORTS @@ -58,7 +58,7 @@ Update the service to use three replicas: -```bash +```console $ docker service update --replicas=3 my-service $ docker service ls 
@@ -70,7 +70,7 @@ Now roll back the service to its previous version, and confirm it is running a single replica again: -```bash +```console $ docker service rollback my-service $ docker service ls diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_scale.md docker.io-20.10.11/cli/docs/reference/commandline/service_scale.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_scale.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_scale.md 2021-11-17 23:49:46.000000000 +0000 @@ -37,7 +37,7 @@ The following command scales the "frontend" service to 50 tasks. -```bash +```console $ docker service scale frontend=50 frontend scaled to 50 @@ -45,7 +45,7 @@ The following command tries to scale a global service to 10 tasks and returns an error. -```bash +```console $ docker service create --mode global --name backend backend:latest b4g08uwuairexjub6ome6usqh @@ -58,7 +58,7 @@ Directly afterwards, run `docker service ls`, to see the actual number of replicas. -```bash +```console $ docker service ls --filter name=frontend ID NAME MODE REPLICAS IMAGE @@ -68,7 +68,7 @@ You can also scale a service using the [`docker service update`](service_update.md) command. The following commands are equivalent: -```bash +```console $ docker service scale frontend=50 $ docker service update --replicas=50 frontend ``` @@ -79,7 +79,7 @@ tasks for multiple services at once. The following example scales both the backend and frontend services: -```bash +```console $ docker service scale backend=3 frontend=5 backend scaled to 3 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/service_update.md docker.io-20.10.11/cli/docs/reference/commandline/service_update.md --- docker.io-20.10.7/cli/docs/reference/commandline/service_update.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/service_update.md 2021-11-17 23:49:46.000000000 +0000 
@@ -127,13 +127,13 @@ ### Update a service -```bash +```console $ docker service update --limit-cpu 2 redis ``` ### Perform a rolling restart with no parameter changes -```bash +```console $ docker service update --force --update-parallelism 1 --update-delay 30s redis ``` @@ -161,7 +161,7 @@ - The `--mount-rm` flag takes the `target` path of the mount. -```bash +```console $ docker service create \ --name=myservice \ --mount type=volume,source=test-data,target=/somewhere \ @@ -189,7 +189,7 @@ The following example adds a published service port to an existing service. -```bash +```console $ docker service update \ --publish-add published=8080,target=80 \ myservice @@ -204,7 +204,7 @@ The following example adds a new alias name to an existing service already connected to network my-network: -```bash +```console $ docker service update \ --network-rm my-network \ --network-add name=my-network,alias=web1 \ @@ -219,7 +219,7 @@ The following example updates the number of replicas for the service from 4 to 5, and then rolls back to the previous configuration. -```bash +```console $ docker service update --replicas=5 web web @@ -230,9 +230,10 @@ 80bvrzp6vxf3 web replicated 0/5 nginx:alpine ``` + Roll back the `web` service... -```bash +```console $ docker service update --rollback web web @@ -246,7 +247,7 @@ Other options can be combined with `--rollback` as well, for example, `--update-delay 0s` to execute the rollback without a delay between tasks: -```bash +```console $ docker service update \ --rollback \ --update-delay 0s 
@@ -283,7 +284,7 @@ The following example adds a secret named `ssh-2` and removes `ssh-1`: -```bash +```console $ docker service update \ --secret-add source=ssh-2,target=ssh-2 \ --secret-rm ssh-1 \ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stack_deploy.md docker.io-20.10.11/cli/docs/reference/commandline/stack_deploy.md --- docker.io-20.10.7/cli/docs/reference/commandline/stack_deploy.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stack_deploy.md 2021-11-17 23:49:46.000000000 +0000 @@ -43,7 +43,7 @@ The `deploy` command supports compose file version `3.0` and above. -```bash +```console $ docker stack deploy --compose-file docker-compose.yml vossibility Ignoring unsupported options: links @@ -60,7 +60,7 @@ The Compose file can also be provided as standard input with `--compose-file -`: -```bash +```console $ cat docker-compose.yml | docker stack deploy --compose-file - vossibility Ignoring unsupported options: links @@ -79,7 +79,7 @@ configuration and environment-specific overrides, you can provide multiple `--compose-file` flags. -```bash +```console $ docker stack deploy --compose-file docker-compose.yml -c docker-compose.prod.yml vossibility Ignoring unsupported options: links @@ -96,7 +96,7 @@ You can verify that the services were correctly created: -```bash +```console $ docker service ls ID NAME MODE REPLICAS IMAGE diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stack_ls.md docker.io-20.10.11/cli/docs/reference/commandline/stack_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/stack_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stack_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -37,7 +37,7 @@ The following command shows all stacks and some additional information: -```bash +```console $ docker stack ls ID SERVICES ORCHESTRATOR 
@@ -65,7 +65,7 @@ The following example uses a template without headers and outputs the `Name` and `Services` entries separated by a colon (`:`) for all stacks: -```bash +```console $ docker stack ls --format "{{.Name}}: {{.Services}}" web-server: 1 web-cache: 4 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stack_ps.md docker.io-20.10.11/cli/docs/reference/commandline/stack_ps.md --- docker.io-20.10.7/cli/docs/reference/commandline/stack_ps.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stack_ps.md 2021-11-17 23:49:46.000000000 +0000 @@ -40,8 +40,9 @@ The following command shows all the tasks that are part of the `voting` stack: -```bash +```console $ docker stack ps voting + ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS xim5bcqtgk1b voting_worker.1 dockersamples/examplevotingapp_worker:latest node2 Running Running 2 minutes ago q7yik0ks1in6 voting_result.1 dockersamples/examplevotingapp_result:before node1 Running Running 2 minutes ago @@ -71,8 +72,9 @@ The `id` filter matches on all or a prefix of a task's ID. -```bash +```console $ docker stack ps -f "id=t" voting + ID NAME IMAGE NODE DESIRED STATE CURRENTSTATE ERROR PORTS tz6j82jnwrx7 voting_db.1 postgres:9.4 node1 Running Running 14 minutes ago t72q3z038jeh voting_redis.2 redis:alpine node3 Running Running 14 minutes ago @@ -82,8 +84,9 @@ The `name` filter matches on task names. -```bash +```console $ docker stack ps -f "name=voting_redis" voting + ID NAME IMAGE NODE DESIRED STATE CURRENTSTATE ERROR PORTS w48spazhbmxc voting_redis.1 redis:alpine node2 Running Running 17 minutes ago t72q3z038jeh voting_redis.2 redis:alpine node3 Running Running 17 minutes ago 
@@ -93,8 +96,9 @@ The `node` filter matches on a node name or a node ID. -```bash +```console $ docker stack ps -f "node=node1" voting + ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS q7yik0ks1in6 voting_result.1 dockersamples/examplevotingapp_result:before node1 Running Running 18 minutes ago tz6j82jnwrx7 voting_db.1 postgres:9.4 node1 Running Running 18 minutes ago @@ -105,8 +109,9 @@ The `desired-state` filter can take the values `running`, `shutdown`, `ready` or `accepted`. -```bash +```console $ docker stack ps -f "desired-state=running" voting + ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS xim5bcqtgk1b voting_worker.1 dockersamples/examplevotingapp_worker:latest node2 Running Running 21 minutes ago q7yik0ks1in6 voting_result.1 dockersamples/examplevotingapp_result:before node1 Running Running 21 minutes ago @@ -142,8 +147,9 @@ The following example uses a template without headers and outputs the `Name` and `Image` entries separated by a colon (`:`) for all tasks: -```bash +```console $ docker stack ps --format "{{.Name}}: {{.Image}}" voting + voting_worker.1: dockersamples/examplevotingapp_worker:latest voting_result.1: dockersamples/examplevotingapp_result:before voting_vote.1: dockersamples/examplevotingapp_vote:before @@ -158,8 +164,9 @@ The `--no-resolve` option shows IDs for task name, without mapping IDs to Names. -```bash +```console $ docker stack ps --no-resolve voting + ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS xim5bcqtgk1b 10z9fjfqzsxnezo4hb81p8mqg.1 dockersamples/examplevotingapp_worker:latest qaqt4nrzo775jrx6detglho01 Running Running 30 minutes ago q7yik0ks1in6 hbxltua1na7mgqjnidldv5m65.1 dockersamples/examplevotingapp_result:before mxpaef1tlh23s052erw88a4w5 Running Running 30 minutes ago 
@@ -178,8 +185,9 @@ default, but is printed if `--no-trunc` is used. The `--no-trunc` option also shows the non-truncated task IDs, and error-messages, as can be seen below: -```bash +```console $ docker stack ps --no-trunc voting + ID NAME IMAGE NODE DESIRED STATE CURREN STATE ERROR PORTS xim5bcqtgk1bxqz91jzo4a1s5 voting_worker.1 dockersamples/examplevotingapp_worker:latest@sha256:3e4ddf59c15f432280a2c0679c4fc5a2ee5a797023c8ef0d3baf7b1385e9fed node2 Running Runnin 32 minutes ago q7yik0ks1in6kv32gg6y6yjf7 voting_result.1 dockersamples/examplevotingapp_result:before@sha256:83b56996e930c292a6ae5187fda84dd6568a19d97cdb933720be15c757b7463 node1 Running Runnin 32 minutes ago @@ -196,7 +204,7 @@ The `-q ` or `--quiet` option only shows IDs of the tasks in the stack. This example outputs all task IDs of the "voting" stack; -```bash +```console $ docker stack ps -q voting xim5bcqtgk1b q7yik0ks1in6 @@ -212,14 +220,14 @@ the task IDs as input for other commands, such as `docker inspect`. The following example inspects all tasks of the "voting" stack; -```bash +```console $ docker inspect $(docker stack ps -q voting) [ { "ID": "xim5bcqtgk1b1gk0krq1", "Version": { -(...) +<...> ``` ## Related commands diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stack_rm.md docker.io-20.10.11/cli/docs/reference/commandline/stack_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/stack_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stack_rm.md 2021-11-17 23:49:46.000000000 +0000 @@ -38,7 +38,7 @@ This will remove the stack with the name `myapp`. Services, networks, and secrets associated with the stack will be removed. -```bash +```console $ docker stack rm myapp Removing service myapp_redis 
@@ -52,7 +52,7 @@ This will remove all the specified stacks, `myapp` and `vossibility`. Services, networks, and secrets associated with all the specified stacks will be removed. -```bash +```console $ docker stack rm myapp vossibility Removing service myapp_redis diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stack_services.md docker.io-20.10.11/cli/docs/reference/commandline/stack_services.md --- docker.io-20.10.7/cli/docs/reference/commandline/stack_services.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stack_services.md 2021-11-17 23:49:46.000000000 +0000 @@ -36,7 +36,7 @@ The following command shows all services in the `myapp` stack: -```bash +```console $ docker stack services myapp ID NAME REPLICAS IMAGE COMMAND @@ -52,7 +52,7 @@ The following command shows both the `web` and `db` services: -```bash +```console $ docker stack services --filter name=myapp_web --filter name=myapp_db myapp ID NAME REPLICAS IMAGE COMMAND @@ -103,7 +103,7 @@ The following example uses a template without headers and outputs the `ID`, `Mode`, and `Replicas` entries separated by a colon (`:`) for all services: -```bash +```console $ docker stack services --format "{{.ID}}: {{.Mode}} {{.Replicas}}" 0zmvwuiu3vue: replicated 10/10 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/start.md docker.io-20.10.11/cli/docs/reference/commandline/start.md --- docker.io-20.10.7/cli/docs/reference/commandline/start.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/start.md 2021-11-17 23:49:46.000000000 +0000 
@@ -20,6 +20,6 @@ ## Examples -```bash +```console $ docker start my_container ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stats.md docker.io-20.10.11/cli/docs/reference/commandline/stats.md --- docker.io-20.10.7/cli/docs/reference/commandline/stats.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stats.md 2021-11-17 23:49:46.000000000 +0000 @@ -53,7 +53,7 @@ Running `docker stats` on all running containers against a Linux daemon. -```bash +```console $ docker stats CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS @@ -77,7 +77,7 @@ Running `docker stats` on multiple containers by name and id against a Linux daemon. -```bash +```console $ docker stats awesome_brattain 67b2525d8ad1 CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS @@ -87,7 +87,7 @@ Running `docker stats` with customized format on all (Running and Stopped) containers. -```bash +```console $ docker stats --all --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" fervent_panini 5acfcb1b4fd1 drunk_visvesvaraya big_heisenberg CONTAINER CPU % MEM USAGE / LIMIT @@ -151,7 +151,7 @@ The following example uses a template without headers and outputs the `Container` and `CPUPerc` entries separated by a colon (`:`) for all images: -```bash +```console $ docker stats --format "{{.Container}}: {{.CPUPerc}}" 09d3bb5b1604: 6.61% @@ -162,7 +162,7 @@ To list all containers statistics with their name, CPU percentage and memory usage in a table format you can use: -```bash +```console $ docker stats --format "table {{.Container}}\t{{.CPUPerc}}\t{{.MemUsage}}" CONTAINER CPU % PRIV WORKING SET diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/stop.md docker.io-20.10.11/cli/docs/reference/commandline/stop.md --- docker.io-20.10.7/cli/docs/reference/commandline/stop.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/stop.md 2021-11-17 23:49:46.000000000 +0000 
@@ -25,6 +25,6 @@ ## Examples -```bash +```console $ docker stop my_container ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_ca.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_ca.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_ca.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_ca.md 2021-11-17 23:49:46.000000000 +0000 @@ -38,8 +38,9 @@ Run the `docker swarm ca` command without any options to view the current root CA certificate in PEM format. -```bash +```console $ docker swarm ca + -----BEGIN CERTIFICATE----- MIIBazCCARCgAwIBAgIUJPzo67QC7g8Ebg2ansjkZ8CbmaswCgYIKoZIzj0EAwIw EzERMA8GA1UEAxMIc3dhcm0tY2EwHhcNMTcwNTAzMTcxMDAwWhcNMzcwNDI4MTcx @@ -55,7 +56,7 @@ Pass the `--rotate` flag (and optionally a `--ca-cert`, along with a `--ca-key` or `--external-ca` parameter flag), in order to rotate the current swarm root CA. -``` +```console $ docker swarm ca --rotate desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e rotated TLS certificates: [=========================> ] 1/2 nodes @@ -65,7 +66,7 @@ Once the rotation os finished (all the progress bars have completed) the now-current CA certificate will be printed: -``` +```console $ docker swarm ca --rotate desired root digest: sha256:05da740cf2577a25224c53019e2cce99bcc5ba09664ad6bb2a9425d9ebd1b53e rotated TLS certificates: [==================================================>] 2/2 nodes diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_init.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_init.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_init.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_init.md 2021-11-17 23:49:46.000000000 +0000 
@@ -37,8 +37,9 @@ ## Examples -```bash +```console $ docker swarm init --advertise-addr 192.168.99.121 + Swarm initialized: current node (bvz81updecsj6wjz393c09vti) is now a manager. To add a worker to this swarm, run the following command: @@ -132,20 +133,21 @@ The following example initializes a new Swarm, and configures the data path port to UDP port 7777; -```bash -docker swarm init --data-path-port=7777 +```console +$ docker swarm init --data-path-port=7777 ``` + After the swarm is initialized, use the `docker info` command to verify that the port is configured: -```bash -docker info -... +```console +$ docker info +<...> ClusterID: 9vs5ygs0gguyyec4iqf2314c0 Managers: 1 Nodes: 1 Data Path Port: 7777 -... +<...> ``` ### `--default-addr-pool` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_join.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_join.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_join.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_join.md 2021-11-17 23:49:46.000000000 +0000 @@ -32,9 +32,10 @@ The example below demonstrates joining a manager node using a manager token. -```bash +```console $ docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2 192.168.99.121:2377 This node joined a swarm as a manager. + $ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS dkp8vy1dq1kxleu9g4u78tlag * manager2 Ready Active Reachable 
@@ -49,9 +50,10 @@ The example below demonstrates joining a worker node using a worker token. -```bash +```console $ docker swarm join --token SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-1awxwuwd3z9j1z3puu7rcgdbx 192.168.99.121:2377 This node joined a swarm as a worker. + $ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS 7ln70fl22uw2dvjn2ft53m3q5 worker2 Ready Active diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_join-token.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_join-token.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_join-token.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_join-token.md 2021-11-17 23:49:46.000000000 +0000 @@ -40,7 +40,7 @@ `join-token` to print the full `docker swarm join` command to join a new node to the swarm: -```bash +```console $ docker swarm join-token worker To add a worker to this swarm, run the following command: @@ -60,7 +60,7 @@ Use the `--rotate` flag to generate a new join token for the specified role: -```bash +```console $ docker swarm join-token --rotate worker Successfully rotated worker join token. @@ -76,7 +76,7 @@ The `-q` (or `--quiet`) flag only prints the token: -```bash +```console $ docker swarm join-token -q worker SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-b30ljddcqhef9b9v4rs7mel7t diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_leave.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_leave.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_leave.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_leave.md 2021-11-17 23:49:46.000000000 +0000 @@ -31,7 +31,7 @@ Consider the following swarm, as seen from the manager: -```bash +```console $ docker node ls ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS 
@@ -42,7 +42,7 @@ To remove `worker2`, issue the following command from `worker2` itself: -```bash +```console $ docker swarm leave Node left the default swarm. diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_unlock-key.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_unlock-key.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_unlock-key.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_unlock-key.md 2021-11-17 23:49:46.000000000 +0000 @@ -35,7 +35,7 @@ ## Examples -```bash +```console $ docker swarm unlock-key To unlock a swarm manager after it restarts, run the `docker swarm unlock` @@ -50,7 +50,7 @@ Use the `--rotate` flag to rotate the unlock key to a new, randomly-generated key: -```bash +```console $ docker swarm unlock-key --rotate Successfully rotated manager unlock key. @@ -66,7 +66,7 @@ The `-q` (or `--quiet`) flag only prints the key: -```bash +```console $ docker swarm unlock-key -q SWMKEY-1-7c37Cc8654o6p38HnroywCi19pllOnGtbdZEgtKxZu8 diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_unlock.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_unlock.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_unlock.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_unlock.md 2021-11-17 23:49:46.000000000 +0000 @@ -31,7 +31,7 @@ ## Examples -```bash +```console $ docker swarm unlock Please enter unlock key: ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/swarm_update.md docker.io-20.10.11/cli/docs/reference/commandline/swarm_update.md --- docker.io-20.10.7/cli/docs/reference/commandline/swarm_update.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/swarm_update.md 2021-11-17 23:49:46.000000000 +0000 
@@ -35,7 +35,7 @@ ## Examples -```bash +```console $ docker swarm update --cert-expiry 720h ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/system_df.md docker.io-20.10.11/cli/docs/reference/commandline/system_df.md --- docker.io-20.10.7/cli/docs/reference/commandline/system_df.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/system_df.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ By default the command will just show a summary of the data used: -```bash +```console $ docker system df TYPE TOTAL ACTIVE SIZE RECLAIMABLE @@ -37,7 +37,7 @@ A more detailed view can be requested using the `-v, --verbose` flag: -```bash +```console $ docker system df -v Images space usage: @@ -101,7 +101,7 @@ The following example uses a template without headers and outputs the `Type` and `TotalCount` entries separated by a colon (`:`): -```bash +```console $ docker system df --format "{{.Type}}: {{.TotalCount}}" Images: 2 @@ -112,7 +112,7 @@ To list the disk usage with size and reclaimable size in a table format you can use: -```bash +```console $ docker system df --format "table {{.Type}}\t{{.Size}}\t{{.Reclaimable}}" TYPE SIZE RECLAIMABLE diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/system_events.md docker.io-20.10.11/cli/docs/reference/commandline/system_events.md --- docker.io-20.10.7/cli/docs/reference/commandline/system_events.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/system_events.md 2021-11-17 23:49:46.000000000 +0000 
@@ -147,11 +147,11 @@ If a format (`--format`) is specified, the given template will be executed instead of the default -format. Go's [text/template](http://golang.org/pkg/text/template/) package +format. Go's [text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. If a format is set to `{{json .}}`, the events are streamed as valid JSON -Lines. For information about JSON Lines, please refer to http://jsonlines.org/ . +Lines. For information about JSON Lines, please refer to https://jsonlines.org/ . ## Examples @@ -161,13 +161,13 @@ **Shell 1: Listening for events:** -```bash +```console $ docker system events ``` **Shell 2: Start and Stop containers:** -```bash +```console $ docker create --name test alpine:latest top $ docker start test $ docker stop test @@ -192,7 +192,7 @@ You can filter the output by an absolute timestamp or relative time on the host machine, using the following different time syntaxes: -```bash +```console $ docker system events --since 1483283804 2017-01-05T00:35:41.241772953+08:00 volume create testVol (driver=local) @@ -243,7 +243,7 @@ The following commands show several different ways to filter the `docker event` output. -```bash +```console $ docker system events --filter 'event=stop' 2017-01-05T00:40:22.880175420+08:00 container stop 0fdb...ff37 (image=alpine:latest, name=test) @@ -316,7 +316,7 @@ ### Format the output -```bash +```console $ docker system events --filter 'type=container' --format 'Type={{.Type}} Status={{.Status}} ID={{.ID}}' Type=container Status=create ID=2ee349dac409e97974ce8d01b70d250b85e0ba8189299c126a87812311951e26 
@@ -329,7 +329,7 @@ #### Format as JSON -```bash +```console $ docker system events --format '{{json .}}' {"status":"create","id":"196016a57679bf42424484918746a9474cd905dd993c4d0f4.. diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/system_prune.md docker.io-20.10.11/cli/docs/reference/commandline/system_prune.md --- docker.io-20.10.7/cli/docs/reference/commandline/system_prune.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/system_prune.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ ## Examples -```bash +```console $ docker system prune WARNING! This will remove: @@ -56,7 +56,7 @@ deleted if there is currently no container using the volume. Use the `--volumes` flag when running the command to prune volumes as well: -```bash +```console $ docker system prune -a --volumes WARNING! This will remove: diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/tag.md docker.io-20.10.11/cli/docs/reference/commandline/tag.md --- docker.io-20.10.7/cli/docs/reference/commandline/tag.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/tag.md 2021-11-17 23:49:46.000000000 +0000 @@ -40,7 +40,7 @@ To tag a local image with ID "0e5574283393" into the "fedora" repository with "version1.0": -```bash +```console $ docker tag 0e5574283393 fedora/httpd:version1.0 ``` @@ -49,7 +49,7 @@ To tag a local image with name "httpd" into the "fedora" repository with "version1.0": -```bash +```console $ docker tag httpd fedora/httpd:version1.0 ``` @@ -61,7 +61,7 @@ To tag a local image with name "httpd" and tag "test" into the "fedora" repository with "version1.0.test": -```bash +```console $ docker tag httpd:test fedora/httpd:version1.0.test ``` 
@@ -70,6 +70,6 @@ To push an image to a private registry and not the central Docker registry you must tag it with the registry hostname and port (if needed). -```bash +```console $ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0 ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/trust_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -29,7 +29,7 @@ Use the `docker trust inspect` to get trust information about an image. The following example prints trust information for the `alpine:latest` image: -```bash +```console $ docker trust inspect alpine:latest ``` @@ -79,7 +79,7 @@ If signers are set up for the repository via other `docker trust` commands, `docker trust inspect` includes a `Signers` key: -```bash +```console $ docker trust inspect my-image:purple ``` @@ -157,7 +157,7 @@ If the image tag is unsigned or unavailable, `docker trust inspect` does not display any signed tags. -```bash +```console $ docker trust inspect unsigned-img No signatures or cannot access unsigned-img @@ -166,7 +166,7 @@ However, if other tags are signed in the same image repository, `docker trust inspect` reports relevant key information: -```bash +```console $ docker trust inspect alpine:unsigned ``` @@ -204,7 +204,7 @@ If no tag is specified, `docker trust inspect` will report details for all signed tags in the repository: -```bash +```console $ docker trust inspect alpine ``` @@ -273,7 +273,7 @@ `docker trust inspect` can take multiple repositories and images as arguments, and reports the results in an ordered list: -```bash +```console $ docker trust inspect alpine notary ``` 
@@ -388,7 +388,7 @@ ### Get details about signatures for a single image tag -```bash +```console $ docker trust inspect --pretty alpine:latest SIGNED TAG DIGEST SIGNERS @@ -410,7 +410,7 @@ `docker trust inspect --pretty` displays them appropriately as a `SIGNER` and specify their `KEYS`: -```bash +```console $ docker trust inspect --pretty my-image:purple SIGNED TAG DIGEST SIGNERS @@ -431,7 +431,7 @@ However, if other tags are signed in the same image repository, `docker trust inspect` reports relevant key information. -```bash +```console $ docker trust inspect --pretty alpine:unsigned No signatures for alpine:unsigned @@ -444,7 +444,7 @@ ### Get details about signatures for all image tags in a repository -```bash +```console $ docker trust inspect --pretty alpine SIGNED TAG DIGEST SIGNERS @@ -466,7 +466,7 @@ Here's an example with signers that are set up by `docker trust` commands: -```bash +```console $ docker trust inspect --pretty my-image SIGNED TAG DIGEST SIGNERS diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_key_generate.md docker.io-20.10.11/cli/docs/reference/commandline/trust_key_generate.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_key_generate.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_key_generate.md 2021-11-17 23:49:46.000000000 +0000 @@ -25,7 +25,7 @@ ### Generate a key-pair -```bash +```console $ docker trust key generate alice Generating key for alice... 
@@ -44,7 +44,7 @@ Provide the `--dir` argument to specify a directory to generate the key in: -```bash +```console $ docker trust key generate alice --dir /foo Generating key for alice... diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_key_load.md docker.io-20.10.11/cli/docs/reference/commandline/trust_key_load.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_key_load.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_key_load.md 2021-11-17 23:49:46.000000000 +0000 @@ -28,7 +28,7 @@ For a private key `alice.pem` with permissions `-rw-------` -```bash +```console $ docker trust key load alice.pem Loading key from "alice.pem"... @@ -39,7 +39,7 @@ To specify a name use the `--name` flag: -```bash +```console $ docker trust key load --name alice-key alice.pem Loading key from "alice.pem"... diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_revoke.md docker.io-20.10.11/cli/docs/reference/commandline/trust_revoke.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_revoke.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_revoke.md 2021-11-17 23:49:46.000000000 +0000 @@ -27,7 +27,7 @@ Here's an example of a repo with two signed tags: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice @@ -46,7 +46,7 @@ When `alice`, one of the signers, runs `docker trust revoke`: -```bash +```console $ docker trust revoke example/trust-demo:red Enter passphrase for delegation key with ID 27d42a8: Successfully deleted signature for example/trust-demo:red @@ -54,7 +54,7 @@ After revocation, the tag is removed from the list of released tags: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS blue f1c38dbaeeb473c36716f6494d803fbfbe9d8a76916f7c0093f227821e378197 alice, bob 
@@ -74,7 +74,7 @@ When no tag is specified, `docker trust` revokes all signatures that you have a signing key for. -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS red 852cc04935f930a857b630edc4ed6131e91b22073bcc216698842e44f64d2943 alice @@ -93,7 +93,7 @@ When `alice`, one of the signers, runs `docker trust revoke`: -```bash +```console $ docker trust revoke example/trust-demo Please confirm you would like to delete all signature data for example/trust-demo? [y/N] y Enter passphrase for delegation key with ID 27d42a8: @@ -102,7 +102,7 @@ All tags that have `alice`'s signature on them are removed from the list of released tags: -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_signer_add.md docker.io-20.10.11/cli/docs/reference/commandline/trust_signer_add.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_signer_add.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_signer_add.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ To add a new signer, `alice`, to this repository: -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo @@ -44,7 +44,7 @@ Add `alice` with `docker trust signer add`: -```bash +```console $ docker trust signer add alice example/trust-demo --key alice.crt Adding signer "alice" to example/trust-demo... Enter passphrase for repository key with ID 642692c: @@ -53,7 +53,7 @@ `docker trust inspect --pretty` now lists `alice` as a valid signer: -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo 
@@ -74,13 +74,13 @@ When adding a signer on a repo for the first time, `docker trust signer add` sets up a new repo if it doesn't exist. -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures or cannot access example/trust-demo ``` -```bash +```console $ docker trust signer add alice example/trust-demo --key alice.crt Initializing signed repository for example/trust-demo... @@ -93,7 +93,7 @@ Successfully added signer: alice to example/trust-demo ``` -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo @@ -113,7 +113,7 @@ ## Add a signer to multiple repos To add a signer, `alice`, to multiple repositories: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -128,7 +128,8 @@ Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 ``` -```bash + +```console $ docker trust inspect --pretty example/trust-demo2 SIGNED TAG DIGEST SIGNERS @@ -143,9 +144,10 @@ Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268 Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 ``` + Add `alice` to both repositories with a single `docker trust signer add` command: -```bash +```console $ docker trust signer add alice example/trust-demo example/trust-demo2 --key alice.crt Adding signer "alice" to example/trust-demo... @@ -160,7 +162,7 @@ `docker trust inspect --pretty` now lists `alice` as a valid signer of both `example/trust-demo` and `example/trust-demo2`: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -177,7 +179,7 @@ Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 ``` -```bash +```console $ docker trust inspect --pretty example/trust-demo2 SIGNED TAG DIGEST SIGNERS 
@@ -197,7 +199,7 @@ `docker trust signer add` adds signers to repositories on a best effort basis, so it will continue to add the signer to subsequent repositories if one attempt fails: -```bash +```console $ docker trust signer add alice example/unauthorized example/authorized --key alice.crt Adding signer "alice" to example/unauthorized... diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_signer_remove.md docker.io-20.10.11/cli/docs/reference/commandline/trust_signer_remove.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_signer_remove.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_signer_remove.md 2021-11-17 23:49:46.000000000 +0000 @@ -25,7 +25,8 @@ ### Remove a signer from a repo To remove an existing signer, `alice`, from this repository: -```bash + +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo @@ -44,7 +45,7 @@ Remove `alice` with `docker trust signer remove`: -```bash +```console $ docker trust signer remove alice example/trust-demo Removing signer "alice" from image example/trust-demo... @@ -54,7 +55,7 @@ `docker trust inspect --pretty` now does not list `alice` as a valid signer: -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo @@ -74,7 +75,7 @@ To remove an existing signer, `alice`, from multiple repositories: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -91,7 +92,7 @@ Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 ``` -```bash +```console $ docker trust inspect --pretty example/trust-demo2 SIGNED TAG DIGEST SIGNERS @@ -110,7 +111,7 @@ Remove `alice` from both images with a single `docker trust signer remove` command: -```bash +```console $ docker trust signer remove alice example/trust-demo example/trust-demo2 Removing signer "alice" from image example/trust-demo... 
@@ -125,7 +126,7 @@ Run `docker trust inspect --pretty` to confirm that `alice` is no longer listed as a valid signer of either `example/trust-demo` or `example/trust-demo2`: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -141,7 +142,7 @@ Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 ``` -```bash +```console $ docker trust inspect --pretty example/trust-demo2 SIGNED TAG DIGEST SIGNERS @@ -161,7 +162,7 @@ basis, so it will continue to remove the signer from subsequent repositories if one attempt fails: -```bash +```console $ docker trust signer remove alice example/unauthorized example/authorized Removing signer "alice" from image example/unauthorized... diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/trust_sign.md docker.io-20.10.11/cli/docs/reference/commandline/trust_sign.md --- docker.io-20.10.7/cli/docs/reference/commandline/trust_sign.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/trust_sign.md 2021-11-17 23:49:46.000000000 +0000 @@ -27,7 +27,7 @@ Given an image: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -40,7 +40,7 @@ Sign a new tag with `docker trust sign`: -```bash +```console $ docker trust sign example/trust-demo:v2 Signing and pushing trust metadata for example/trust-demo:v2 @@ -60,7 +60,7 @@ Use `docker trust inspect --pretty` to list the new signature: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -76,7 +76,7 @@ Given an image: -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures for example/trust-demo @@ -95,7 +95,7 @@ Sign a new tag with `docker trust sign`: -```bash +```console $ docker trust sign example/trust-demo:v1 Signing and pushing trust metadata for example/trust-demo:v1 
@@ -113,7 +113,7 @@ `docker trust inspect --pretty` lists the new signature: -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS @@ -134,13 +134,13 @@ When signing an image on a repo for the first time, `docker trust sign` sets up new keys before signing the image. -```bash +```console $ docker trust inspect --pretty example/trust-demo No signatures or cannot access example/trust-demo ``` -```bash +```console $ docker trust sign example/trust-demo:v1 Signing and pushing trust metadata for example/trust-demo:v1 @@ -165,7 +165,7 @@ Successfully signed docker.io/example/trust-demo:v1 ``` -```bash +```console $ docker trust inspect --pretty example/trust-demo SIGNED TAG DIGEST SIGNERS diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/unpause.md docker.io-20.10.11/cli/docs/reference/commandline/unpause.md --- docker.io-20.10.7/cli/docs/reference/commandline/unpause.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/unpause.md 2021-11-17 23:49:46.000000000 +0000 @@ -26,7 +26,7 @@ ## Examples -```bash +```console $ docker unpause my_container my_container ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/update.md docker.io-20.10.11/cli/docs/reference/commandline/update.md --- docker.io-20.10.7/cli/docs/reference/commandline/update.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/update.md 2021-11-17 23:49:46.000000000 +0000 @@ -59,7 +59,7 @@ name or ID. You can use `docker ps` to find these values. You can also use the ID returned from the `docker run` command. Then, do the following: -```bash +```console $ docker update --cpu-shares 512 abebf7571666 ``` @@ -67,7 +67,7 @@ To update multiple resource configurations for multiple containers: -```bash +```console $ docker update --cpu-shares 512 -m 300M abebf7571666 hopeful_morse ``` 
@@ -85,19 +85,19 @@ For example, if you started a container with this command: -```bash +```console $ docker run -dit --name test --kernel-memory 50M ubuntu bash ``` You can update kernel memory while the container is running: -```bash +```console $ docker update --kernel-memory 80M test ``` If you started a container *without* kernel memory initialized: -```bash +```console $ docker run -dit --name test2 --memory 300M ubuntu bash ``` @@ -116,7 +116,7 @@ To update restart policy for one or more containers: -```bash +```console $ docker update --restart=on-failure:3 abebf7571666 hopeful_morse ``` diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/version.md docker.io-20.10.11/cli/docs/reference/commandline/version.md --- docker.io-20.10.7/cli/docs/reference/commandline/version.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/version.md 2021-11-17 23:49:46.000000000 +0000 @@ -22,14 +22,14 @@ By default, this will render all version information in an easy to read layout. If a format is specified, the given template will be executed instead. -Go's [text/template](http://golang.org/pkg/text/template/) package +Go's [text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. ## Examples ### Default output -```bash +```console $ docker version Client: @@ -64,7 +64,7 @@ ### Get the server version -```bash +```console $ docker version --format '{{.Server.Version}}' 19.03.8 
@@ -72,7 +72,7 @@ ### Dump raw JSON data -```bash +```console $ docker version --format '{{json .}}' {"Client":{"Platform":{"Name":"Docker Engine - Community"},"Version":"19.03.8","ApiVersion":"1.40","DefaultAPIVersion":"1.40","GitCommit":"afacb8b","GoVersion":"go1.12.17","Os":"darwin","Arch":"amd64","BuildTime":"Wed Mar 11 01:21:11 2020","Experimental":true},"Server":{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"19.03.8","Details":{"ApiVersion":"1.40","Arch":"amd64","BuildTime":"Wed Mar 11 01:29:16 2020","Experimental":"true","GitCommit":"afacb8b","GoVersion":"go1.12.17","KernelVersion":"4.19.76-linuxkit","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.2.13","Details":{"GitCommit":"7ad184331fa3e55e52b890ea95e65ba581ae3429"}},{"Name":"runc","Version":"1.0.0-rc10","Details":{"GitCommit":"dc9208a3303feef5b3839f4323d9beb36df0a9dd"}},{"Name":"docker-init","Version":"0.18.0","Details":{"GitCommit":"fec3683"}}],"Version":"19.03.8","ApiVersion":"1.40","MinAPIVersion":"1.12","GitCommit":"afacb8b","GoVersion":"go1.12.17","Os":"linux","Arch":"amd64","KernelVersion":"4.19.76-linuxkit","Experimental":true,"BuildTime":"2020-03-11T01:29:16.000000000+00:00"}} @@ -82,7 +82,7 @@ The following example prints the currently used [`docker context`](context.md): -```bash +```console $ docker version --format='{{.Client.Context}}' default ``` @@ -94,7 +94,7 @@ Declare a function to obtain the current context in your `~/.bashrc`, and set this command as your `PROMPT_COMMAND` -```bash +```console function docker_context_prompt() { PS1="context: $(docker version --format='{{.Client.Context}}')> " } 
@@ -105,7 +105,7 @@ After reloading the `~/.bashrc`, the prompt now shows the currently selected `docker context`: -```bash +```console $ source ~/.bashrc context: default> docker context create --docker host=unix:///var/run/docker.sock my-context my-context diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/volume_create.md docker.io-20.10.11/cli/docs/reference/commandline/volume_create.md --- docker.io-20.10.7/cli/docs/reference/commandline/volume_create.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/volume_create.md 2021-11-17 23:49:46.000000000 +0000 @@ -27,7 +27,7 @@ Create a volume and then configure the container to use it: -```bash +```console $ docker volume create hello hello @@ -58,7 +58,7 @@ Some volume drivers may take options to customize the volume creation. Use the `-o` or `--opt` flags to pass driver options: -```bash +```console $ docker volume create --driver fake \ --opt tardis=blue \ --opt timey=wimey \ @@ -74,12 +74,12 @@ `mount` command. You can provide multiple options by passing the `--opt` flag multiple times. Some `mount` options (such as the `o` option) can take a comma-separated list of options. Complete list of available mount options can be -found [here](http://man7.org/linux/man-pages/man8/mount.8.html). +found [here](https://man7.org/linux/man-pages/man8/mount.8.html). For example, the following creates a `tmpfs` volume called `foo` with a size of 100 megabyte and `uid` of 1000. -```bash +```console $ docker volume create --driver local \ --opt type=tmpfs \ --opt device=tmpfs \ @@ -89,7 +89,7 @@ Another example that uses `btrfs`: -```bash +```console $ docker volume create --driver local \ --opt type=btrfs \ --opt device=/dev/sda2 \ 
@@ -99,7 +99,7 @@ Another example that uses `nfs` to mount the `/path/to/dir` in `rw` mode from `192.168.1.1`: -```bash +```console $ docker volume create --driver local \ --opt type=nfs \ --opt o=addr=192.168.1.1,rw \ diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/volume_inspect.md docker.io-20.10.11/cli/docs/reference/commandline/volume_inspect.md --- docker.io-20.10.7/cli/docs/reference/commandline/volume_inspect.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/volume_inspect.md 2021-11-17 23:49:46.000000000 +0000 @@ -21,12 +21,12 @@ Returns information about a volume. By default, this command renders all results in a JSON array. You can specify an alternate format to execute a given template for each result. Go's -[text/template](http://golang.org/pkg/text/template/) package describes all the +[text/template](https://golang.org/pkg/text/template/) package describes all the details of the format. ## Examples -```bash +```console $ docker volume create myvolume myvolume @@ -34,7 +34,7 @@ Use the `docker volume inspect` comment to inspect the configuration of the volume: -```bash +```console $ docker volume inspect myvolume ``` @@ -53,10 +53,11 @@ } ] ``` + Use the `--format` flag to format the output using a Go template, for example, to print the `Mountpoint` property: -```bash +```console $ docker volume inspect --format '{{ .Mountpoint }}' myvolume /var/lib/docker/volumes/myvolume/_data diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/volume_ls.md docker.io-20.10.11/cli/docs/reference/commandline/volume_ls.md --- docker.io-20.10.7/cli/docs/reference/commandline/volume_ls.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/volume_ls.md 2021-11-17 23:49:46.000000000 +0000 @@ -34,7 +34,8 @@ ## Examples ### Create a volume -```bash + +```console $ docker volume create rosemary rosemary 
@@ -66,7 +67,7 @@ The `dangling` filter matches on all volumes not referenced by any containers -```bash +```console $ docker run -d -v tyler:/tmpwork busybox f86a7dd02898067079c99ceacd810149060a70528eff3754d0b0f1a93bd0af18 @@ -81,7 +82,7 @@ The following example matches volumes that are created with the `local` driver: -```bash +```console $ docker volume ls -f driver=local DRIVER VOLUME NAME @@ -96,7 +97,7 @@ First, let's create some volumes to illustrate this; -```bash +```console $ docker volume create the-doctor --label is-timelord=yes the-doctor @@ -108,7 +109,7 @@ The following example filter matches volumes with the `is-timelord` label regardless of its value. -```bash +```console $ docker volume ls --filter label=is-timelord DRIVER VOLUME NAME @@ -121,7 +122,7 @@ Filtering on both `key` *and* `value` of the label, produces the expected result: -```bash +```console $ docker volume ls --filter label=is-timelord=yes DRIVER VOLUME NAME @@ -131,7 +132,7 @@ Specifying multiple label filter produces an "and" search; all conditions should be met; -```bash +```console $ docker volume ls --filter label=is-timelord=yes --filter label=is-timelord=no DRIVER VOLUME NAME @@ -143,7 +144,7 @@ The following filter matches all volumes with a name containing the `rose` string. -```bash +```console $ docker volume ls -f name=rose DRIVER VOLUME NAME @@ -173,7 +174,7 @@ The following example uses a template without headers and outputs the `Name` and `Driver` entries separated by a colon (`:`) for all volumes: -```bash +```console $ docker volume ls --format "{{.Name}}: {{.Driver}}" vol1: local diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/volume_prune.md docker.io-20.10.11/cli/docs/reference/commandline/volume_prune.md --- docker.io-20.10.7/cli/docs/reference/commandline/volume_prune.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/volume_prune.md 2021-11-17 23:49:46.000000000 +0000 
@@ -23,7 +23,7 @@ ## Examples -```bash +```console $ docker volume prune WARNING! This will remove all local volumes not used by at least one container. diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/volume_rm.md docker.io-20.10.11/cli/docs/reference/commandline/volume_rm.md --- docker.io-20.10.7/cli/docs/reference/commandline/volume_rm.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/volume_rm.md 2021-11-17 23:49:46.000000000 +0000 @@ -25,7 +25,7 @@ ## Examples -```bash +```console $ docker volume rm hello hello diff -Nru docker.io-20.10.7/cli/docs/reference/commandline/wait.md docker.io-20.10.11/cli/docs/reference/commandline/wait.md --- docker.io-20.10.7/cli/docs/reference/commandline/wait.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/commandline/wait.md 2021-11-17 23:49:46.000000000 +0000 @@ -24,27 +24,27 @@ Start a container in the background. -```bash +```console $ docker run -dit --name=my_container ubuntu bash ``` Run `docker wait`, which should block until the container exits. -```bash +```console $ docker wait my_container ``` In another terminal, stop the first container. The `docker wait` command above returns the exit code. -```bash +```console $ docker stop my_container ``` This is the same `docker wait` command from above, but it now exits, returning `0`. -```bash +```console $ docker wait my_container 0 diff -Nru docker.io-20.10.7/cli/docs/reference/glossary.md docker.io-20.10.11/cli/docs/reference/glossary.md --- docker.io-20.10.7/cli/docs/reference/glossary.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/glossary.md 2021-11-17 23:49:46.000000000 +0000 
@@ -20,7 +20,7 @@ aufs (advanced multi layered unification filesystem) is a Linux [filesystem](#filesystem) that Docker supports as a storage backend. It implements the -[union mount](http://en.wikipedia.org/wiki/Union_mount) for Linux file systems. +[union mount](https://en.wikipedia.org/wiki/Union_mount) for Linux file systems. ## base image @@ -28,7 +28,7 @@ ## boot2docker -[boot2docker](http://boot2docker.io/) is a lightweight Linux distribution made +[boot2docker](https://boot2docker.io/) is a lightweight Linux distribution made specifically to run Docker containers. The boot2docker management tool for Mac and Windows was deprecated and replaced by [`docker-machine`](#machine) which you can install with the Docker Toolbox. ## bridge @@ -56,7 +56,7 @@ ## btrfs btrfs (B-tree file system) is a Linux [filesystem](#filesystem) that Docker -supports as a storage backend. It is a [copy-on-write](http://en.wikipedia.org/wiki/Copy-on-write) +supports as a storage backend. It is a [copy-on-write](https://en.wikipedia.org/wiki/Copy-on-write) filesystem. ## build @@ -241,7 +241,7 @@ ## overlay storage driver OverlayFS is a [filesystem](#filesystem) service for Linux which implements a -[union mount](http://en.wikipedia.org/wiki/Union_mount) for other file systems. +[union mount](https://en.wikipedia.org/wiki/Union_mount) for other file systems. It is supported by the Docker daemon as a storage driver. ## registry diff -Nru docker.io-20.10.7/cli/docs/reference/run.md docker.io-20.10.11/cli/docs/reference/run.md --- docker.io-20.10.7/cli/docs/reference/run.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/reference/run.md 2021-11-17 23:49:46.000000000 +0000 @@ -132,7 +132,7 @@ You can specify to which of the three standard streams (`STDIN`, `STDOUT`, `STDERR`) you'd like to connect instead, as in: -```bash +```console $ docker run -a stdin -a stdout -i -t ubuntu /bin/bash ``` 
@@ -141,7 +141,7 @@ as you'll see in later examples. Specifying `-t` is forbidden when the client is receiving its standard input from a pipe, as in: -```bash +```console $ echo test | docker run -i busybox cat ``` @@ -198,7 +198,7 @@ The following example runs a container from the `alpine` image with the `sha256:9cacb71397b640eca97488cf08582ae4e4068513101088e9f96c9814bfda95e0` digest: -```bash +```console $ docker run alpine@sha256:9cacb71397b640eca97488cf08582ae4e4068513101088e9f96c9814bfda95e0 date ``` @@ -232,13 +232,13 @@ Build the Dockerfile and tag the image as `myhtop`: -```bash +```console $ docker build -t myhtop . ``` Use the following command to run `htop` inside a container: -```bash +```console $ docker run -it --rm --pid=host myhtop ``` @@ -248,13 +248,13 @@ Start a container running a redis server: -```bash +```console $ docker run --name my-redis -d redis ``` Debug the redis container by running another container that has strace in it: -```bash +```console $ docker run -it --pid=container:my-redis my_strace_docker_image bash $ strace -p 1 ``` @@ -440,7 +440,7 @@ running the `redis-cli` command and connecting to the Redis server over the `localhost` interface. -```bash +```console $ docker run -d --name redis example/redis --bind 127.0.0.1 $ # use the redis container's network stack to access localhost $ docker run --rm -it --network container:redis example/redis-cli -h 127.0.0.1 @@ -460,7 +460,7 @@ The following example creates a network using the built-in `bridge` network driver and running a container in the created network -```bash +```console $ docker network create -d bridge my-net $ docker run --network=my-net -itd --name=container3 busybox ``` @@ -471,7 +471,7 @@ container itself as well as `localhost` and a few other common things. The `--add-host` flag can be used to add additional lines to `/etc/hosts`. -```bash +```console $ docker run -it --add-host db-static:86.75.30.9 ubuntu cat /etc/hosts 172.17.0.22 09d03f76bf2c 
@@ -554,22 +554,22 @@ -An ever increasing delay (double the previous delay, starting at 100 -milliseconds) is added before each restart to prevent flooding the server. +An increasing delay (double the previous delay, starting at 100 milliseconds) +is added before each restart to prevent flooding the server. This means the daemon will wait for 100 ms, then 200 ms, 400, 800, 1600, -and so on until either the `on-failure` limit is hit, or when you `docker stop` -or `docker rm -f` the container. +and so on until either the `on-failure` limit, the maximum delay of 1 minute is +hit, or when you `docker stop` or `docker rm -f` the container. If a container is successfully restarted (the container is started and runs for at least 10 seconds), the delay is reset to its default value of 100 ms. You can specify the maximum amount of times Docker will try to restart the -container when using the **on-failure** policy. The default is that Docker +container when using the **on-failure** policy. The default is that Docker will try forever to restart the container. The number of (attempted) restarts for a container can be obtained via [`docker inspect`](commandline/inspect.md). For example, to get the number of restarts for container "my-container"; -```bash +```console {% raw %} $ docker inspect -f "{{ .RestartCount }}" my-container # 2 @@ -578,7 +578,7 @@ Or, to get the last time the container was (re)started; -```bash +```console {% raw %} $ docker inspect -f "{{ .State.StartedAt }}" my-container # 2015-03-04T23:47:07.691840179Z @@ -591,14 +591,14 @@ ### Examples -```bash +```console $ docker run --restart=always redis ``` This will run the `redis` container with a restart policy of **always** so that if the container exits, Docker will restart it. -```bash +```console $ docker run --restart=on-failure:10 redis ``` 
@@ -616,7 +616,7 @@ **_125_** if the error is with Docker daemon **_itself_** -```bash +```console $ docker run --foo busybox; echo $? flag provided but not defined: --foo @@ -626,7 +626,7 @@ **_126_** if the **_contained command_** cannot be invoked -```bash +```console $ docker run busybox /etc; echo $? docker: Error response from daemon: Container command '/etc' could not be invoked. @@ -635,7 +635,7 @@ **_127_** if the **_contained command_** cannot be found -```bash +```console $ docker run busybox foo; echo $? docker: Error response from daemon: Container command 'foo' not found or does not exist. @@ -644,9 +644,9 @@ **_Exit code_** of **_contained command_** otherwise -```bash -$ docker run busybox /bin/sh -c 'exit 3'; echo $? - +```console +$ docker run busybox /bin/sh -c 'exit 3' +$ echo $? 3 ``` @@ -669,8 +669,8 @@ > to running `docker rm -v my-container`. Only volumes that are specified without > a name are removed. For example, when running: > -> ```bash -> docker run --rm -v /foo -v awesome:/bar busybox top +> ```console +> $ docker run --rm -v /foo -v awesome:/bar busybox top > ``` > > the volume for `/foo` will be removed, but the volume for `/bar` will not. @@ -696,7 +696,7 @@ the `--security-opt` flag. Specifying the level in the following command allows you to share the same content between containers. -```bash +```console $ docker run --security-opt label=level:s0:c100,c200 -it fedora bash ``` @@ -707,7 +707,7 @@ To disable the security labeling for this container versus running with the `--privileged` flag, use the following command: -```bash +```console $ docker run --security-opt label=disable -it fedora bash ``` @@ -716,7 +716,7 @@ that is only allowed to listen on Apache ports by executing the following command: -```bash +```console $ docker run --security-opt label=type:svirt_apache_t -it centos bash ``` 
@@ -727,7 +727,7 @@ If you want to prevent your container processes from gaining additional privileges, you can execute the following command: -```bash +```console $ docker run --security-opt no-new-privileges -it centos bash ``` @@ -836,14 +836,14 @@ Examples: -```bash +```console $ docker run -it ubuntu:14.04 /bin/bash ``` We set nothing about memory, this means the processes in the container can use as much memory and swap memory as they need. -```bash +```console $ docker run -it -m 300M --memory-swap -1 ubuntu:14.04 /bin/bash ``` @@ -851,7 +851,7 @@ the container can use 300M memory and as much swap memory as they need (if the host supports swap memory). -```bash +```console $ docker run -it -m 300M ubuntu:14.04 /bin/bash ``` @@ -860,7 +860,7 @@ (--memory-swap) will be set as double of memory, in this case, memory + swap would be 2*300M, so processes can use 300M swap memory as well. -```bash +```console $ docker run -it -m 300M --memory-swap 1G ubuntu:14.04 /bin/bash ``` @@ -886,7 +886,7 @@ The following example limits the memory (`-m`) to 500M and sets the memory reservation to 200M. -```bash +```console $ docker run -it -m 500M --memory-reservation 200M ubuntu:14.04 /bin/bash ``` @@ -896,7 +896,7 @@ The following example set memory reservation to 1G without a hard memory limit. -```bash +```console $ docker run -it --memory-reservation 1G ubuntu:14.04 /bin/bash ``` @@ -914,13 +914,13 @@ The following example limits the memory to 100M and disables the OOM killer for this container: -```bash +```console $ docker run -it -m 100M --oom-kill-disable ubuntu:14.04 /bin/bash ``` The following example, illustrates a dangerous way to use the flag: -```bash +```console $ docker run -it --oom-kill-disable ubuntu:14.04 /bin/bash ``` 
@@ -990,14 +990,14 @@ Examples: -```bash +```console $ docker run -it -m 500M --kernel-memory 50M ubuntu:14.04 /bin/bash ``` We set memory and kernel memory, so the processes in the container can use 500M memory in total, in this 500M memory, it can be 50M kernel memory tops. -```bash +```console $ docker run -it --kernel-memory 50M ubuntu:14.04 /bin/bash ``` @@ -1014,7 +1014,7 @@ For example, you can set: -```bash +```console $ docker run -it --memory-swappiness=0 ubuntu:14.04 /bin/bash ``` @@ -1065,7 +1065,7 @@ Examples: -```bash +```console $ docker run -it --cpu-period=50000 --cpu-quota=25000 ubuntu:14.04 /bin/bash ``` @@ -1086,13 +1086,13 @@ Examples: -```bash +```console $ docker run -it --cpuset-cpus="1,3" ubuntu:14.04 /bin/bash ``` This means processes in container can be executed on cpu 1 and cpu 3. -```bash +```console $ docker run -it --cpuset-cpus="0-2" ubuntu:14.04 /bin/bash ``` @@ -1103,14 +1103,14 @@ Examples: -```bash +```console $ docker run -it --cpuset-mems="1,3" ubuntu:14.04 /bin/bash ``` This example restricts the processes in the container to only use memory from memory nodes 1 and 3. -```bash +```console $ docker run -it --cpuset-mems="0-2" ubuntu:14.04 /bin/bash ``` @@ -1142,14 +1142,14 @@ For example, the commands below create two containers with different blkio weight: -```bash +```console $ docker run -it --name c1 --blkio-weight 300 ubuntu:14.04 /bin/bash $ docker run -it --name c2 --blkio-weight 600 ubuntu:14.04 /bin/bash ``` If you do block IO in the two containers at the same time, by, for example: -```bash +```console $ time dd if=/mnt/zerofile of=test.out bs=1M count=1024 oflag=direct ``` @@ -1160,7 +1160,7 @@ The `DEVICE_NAME:WEIGHT` is a string containing a colon-separated device name and weight. For example, to set `/dev/sda` device weight to `200`: -```bash +```console $ docker run -it \ --blkio-weight-device "/dev/sda:200" \ ubuntu 
@@ -1172,7 +1172,7 @@ The following example uses a default weight of `300` and overrides this default on `/dev/sda` setting that weight to `200`: -```bash +```console $ docker run -it \ --blkio-weight 300 \ --blkio-weight-device "/dev/sda:200" \ @@ -1183,7 +1183,7 @@ For example, this command creates a container and limits the read rate to `1mb` per second from `/dev/sda`: -```bash +```console $ docker run -it --device-read-bps /dev/sda:1mb ubuntu ``` @@ -1191,7 +1191,7 @@ For example, this command creates a container and limits the write rate to `1mb` per second for `/dev/sda`: -```bash +```console $ docker run -it --device-write-bps /dev/sda:1mb ubuntu ``` @@ -1203,7 +1203,7 @@ For example, this command creates a container and limits the read rate to `1000` IO per second from `/dev/sda`: -```bash +```console $ docker run -ti --device-read-iops /dev/sda:1000 ubuntu ``` @@ -1211,7 +1211,7 @@ For example, this command creates a container and limits the write rate to `1000` IO per second to `/dev/sda`: -```bash +```console $ docker run -ti --device-write-iops /dev/sda:1000 ubuntu ``` @@ -1220,7 +1220,7 @@ ## Additional groups -```bash +```console --group-add: Add additional groups to run as ``` @@ -1228,11 +1228,12 @@ up for the specified user. If one wants to add more to that list of groups, then one can use this flag: -```bash +```console $ docker run --rm --group-add audio --group-add nogroup --group-add 777 busybox id uid=0(root) gid=0(root) groups=10(wheel),29(audio),99(nogroup),777 ``` + ## Runtime privilege and Linux capabilities | Option | Description | 
@@ -1253,20 +1254,20 @@ in AppArmor or SELinux to allow the container nearly all the same access to the host as processes running outside containers on the host. Additional information about running with `--privileged` is available on the -[Docker Blog](http://blog.docker.com/2013/09/docker-can-now-run-within-docker/). +[Docker Blog](https://blog.docker.com/2013/09/docker-can-now-run-within-docker/). If you want to limit access to a specific device or devices you can use the `--device` flag. It allows you to specify one or more devices that will be accessible within the container. -```bash +```console $ docker run --device=/dev/snd:/dev/snd ... ``` By default, the container will be able to `read`, `write`, and `mknod` these devices. This can be overridden using a third `:rwm` set of options to each `--device` flag: -```bash +```console $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc Command (m for help): q @@ -1336,20 +1337,20 @@ | SYSLOG | Perform privileged syslog(2) operations. | | WAKE_ALARM | Trigger something that will wake up the system. | -Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html), +Further reference information is available on the [capabilities(7) - Linux man page](https://man7.org/linux/man-pages/man7/capabilities.7.html), and in the [Linux kernel source code](https://github.com/torvalds/linux/blob/124ea650d3072b005457faed69909221c2905a1f/include/uapi/linux/capability.h). Both flags support the value `ALL`, so to allow a container to use all capabilities except for `MKNOD`: -```bash +```console $ docker run --cap-add=ALL --cap-drop=MKNOD ... ``` The `--cap-add` and `--cap-drop` flags accept capabilities to be specified with a `CAP_` prefix. The following examples are therefore equivalent: -```bash +```console $ docker run --cap-add=SYS_ADMIN ... $ docker run --cap-add=CAP_SYS_ADMIN ... ``` 
@@ -1357,7 +1358,7 @@ For interacting with the network stack, instead of using `--privileged` they should use `--cap-add=NET_ADMIN` to modify the network interfaces. -```bash +```console $ docker run -it --rm ubuntu:14.04 ip link add dummy0 type dummy RTNETLINK answers: Operation not permitted @@ -1368,7 +1369,7 @@ To mount a FUSE based filesystem, you need to combine both `--cap-add` and `--device`: -```bash +```console $ docker run --rm -it --cap-add SYS_ADMIN sshfs sshfs sven@10.10.10.20:/home/sven /mnt fuse: failed to open /dev/fuse: Operation not permitted @@ -1448,7 +1449,7 @@ Recall the optional `COMMAND` in the Docker commandline: -```bash +```console $ docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...] ``` @@ -1463,7 +1464,7 @@ ### ENTRYPOINT (default command to execute at runtime) -```bash +```console --entrypoint="": Overwrite the default entrypoint set by the image ``` @@ -1479,20 +1480,20 @@ example of how to run a shell in a container that has been set up to automatically run something else (like `/usr/bin/redis-server`): -```bash +```console $ docker run -it --entrypoint /bin/bash example/redis ``` or two examples of how to pass more parameters to that ENTRYPOINT: -```bash +```console $ docker run -it --entrypoint /bin/bash example/redis -c ls -l $ docker run -it --entrypoint /usr/bin/redis-cli example/redis --help ``` You can reset a containers entrypoint by passing an empty string, for example: -```bash +```console $ docker run -it --entrypoint="" mysql bash ``` @@ -1579,7 +1580,7 @@ operator names an environment variable without specifying a value, then the current value of the named variable is propagated into the container's environment: -```bash +```console $ export today=Wednesday $ docker run -e "deep=purple" -e today --rm alpine env @@ -1640,7 +1641,7 @@ Example: -```bash +```console {% raw %} $ docker run --name=test -d \ --health-cmd='stat /etc/passwd || exit 1' \ 
@@ -1693,7 +1694,7 @@ ### TMPFS (mount tmpfs filesystems) -```bash +```console --tmpfs=[]: Create a tmpfs mount with: container-dir[:], where the options are identical to the Linux 'mount -t tmpfs -o' command. @@ -1702,7 +1703,7 @@ The example below mounts an empty tmpfs into the container with the `rw`, `noexec`, `nosuid`, and `size=65536k` options. -```bash +```console $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image ``` diff -Nru docker.io-20.10.7/cli/docs/yaml/yaml.go docker.io-20.10.11/cli/docs/yaml/yaml.go --- docker.io-20.10.7/cli/docs/yaml/yaml.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/docs/yaml/yaml.go 2021-11-17 23:49:46.000000000 +0000 @@ -199,6 +199,9 @@ if _, ok := flag.Annotations["experimental"]; ok { opt.Experimental = true } + if _, ok := flag.Annotations["deprecated"]; ok { + opt.Deprecated = true + } if v, ok := flag.Annotations["version"]; ok { opt.MinAPIVersion = v[0] } diff -Nru docker.io-20.10.7/cli/e2e/global/cli_test.go docker.io-20.10.11/cli/e2e/global/cli_test.go --- docker.io-20.10.7/cli/e2e/global/cli_test.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/e2e/global/cli_test.go 2021-11-17 23:49:46.000000000 +0000 @@ -1,9 +1,13 @@ package global import ( + "net/http" + "net/http/httptest" + "strings" "testing" "github.com/docker/cli/internal/test/environment" + "gotest.tools/v3/assert" "gotest.tools/v3/icmd" "gotest.tools/v3/skip" ) 
@@ -22,3 +26,42 @@ result = icmd.RunCmd(icmd.Command("docker", "--tlsverify=true", "ps")) result.Assert(t, icmd.Expected{ExitCode: 1, Err: "ca.pem"}) } + +// TestTCPSchemeUsesHTTPProxyEnv verifies that the cli uses HTTP_PROXY if +// DOCKER_HOST is set to use the 'tcp://' scheme. +// +// Prior to go1.16, https:// schemes would use HTTPS_PROXY, and any other +// scheme would use HTTP_PROXY. However, golang/net@7b1cca2 (per a request in +// golang/go#40909) changed this behavior to only use HTTP_PROXY for http:// +// schemes, no longer using a proxy for any other scheme. +// +// Docker uses the tcp:// scheme as a default for API connections, to indicate +// that the API is not "purely" HTTP. Various parts in the code also *require* +// this scheme to be used. While we could change the default and allow http(s) +// schemes to be used, doing so will take time, taking into account that there +// are many installs in existence that have tcp:// configured as DOCKER_HOST. +// +// Note that due to Golang's use of sync.Once for proxy-detection, this test +// cannot be done as a unit-test, hence it being an e2e test. +func TestTCPSchemeUsesHTTPProxyEnv(t *testing.T) { + const responseJSON = `{"Version": "99.99.9", "ApiVersion": "1.41", "MinAPIVersion": "1.12"}` + var received string + proxyServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + received = r.Host + w.Header().Set("Content-Type", "application/json") + _, _ = w.Write([]byte(responseJSON)) + })) + defer proxyServer.Close() + + // Configure the CLI to use our proxyServer. DOCKER_HOST can point to any + // address (as it won't be connected to), but must use tcp:// for this test, + // to verify it's using HTTP_PROXY. 
+ result := icmd.RunCmd( + icmd.Command("docker", "version", "--format", "{{ .Server.Version }}"), + icmd.WithEnv("HTTP_PROXY="+proxyServer.URL, "DOCKER_HOST=tcp://docker.acme.example.com:2376"), + ) + // Verify the command ran successfully, and that it connected to the proxyServer + result.Assert(t, icmd.Success) + assert.Equal(t, strings.TrimSpace(result.Stdout()), "99.99.9") + assert.Equal(t, received, "docker.acme.example.com:2376") +} diff -Nru docker.io-20.10.7/cli/experimental/checkpoint-restore.md docker.io-20.10.11/cli/experimental/checkpoint-restore.md --- docker.io-20.10.7/cli/experimental/checkpoint-restore.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/experimental/checkpoint-restore.md 1970-01-01 00:00:00.000000000 +0000 
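Review bot: `received` is assigned inside the httptest handler, which runs on the server's goroutine, and is read by the final `assert.Equal` on the test goroutine with no synchronisation between them, so `go test -race` may report a data race here. The `docker version` call probably sends more than one request through the proxy, so a mutex fits better than a one-slot channel: declare `var mu sync.Mutex`, write `mu.Lock(); received = r.Host; mu.Unlock()` in the handler, and take the same lock around the read before the last assertion (this needs `sync` added to the import block changed by the earlier hunk). Separately, the test pins only the upper-case `HTTP_PROXY` path; a companion case with `NO_PROXY` set for the DOCKER_HOST name would pin the bypass that operators rely on to keep daemon API traffic off a proxy.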
@@ -1,88 +0,0 @@ -# Docker Checkpoint & Restore - -Checkpoint & Restore is a new feature that allows you to freeze a running -container by checkpointing it, which turns its state into a collection of files -on disk. Later, the container can be restored from the point it was frozen. - -This is accomplished using a tool called [CRIU](http://criu.org), which is an -external dependency of this feature. A good overview of the history of -checkpoint and restore in Docker is available in this -[Kubernetes blog post](https://kubernetes.io/blog/2015/07/how-did-quake-demo-from-dockercon-work/). - -## Installing CRIU - -If you use a Debian system, you can add the CRIU PPA and install with apt-get -[from the criu launchpad](https://launchpad.net/~criu/+archive/ubuntu/ppa). - -Alternatively, you can [build CRIU from source](http://criu.org/Installation). - -You need at least version 2.0 of CRIU to run checkpoint/restore in Docker. - -## Use cases for checkpoint & restore - -This feature is currently focused on single-host use cases for checkpoint and -restore. Here are a few: - -- Restarting the host machine without stopping/starting containers -- Speeding up the start time of slow start applications -- "Rewinding" processes to an earlier point in time -- "Forensic debugging" of running processes - -Another primary use case of checkpoint & restore outside of Docker is the live -migration of a server from one machine to another. This is possible with the -current implementation, but not currently a priority (and so the workflow is -not optimized for the task). - -## Using checkpoint & restore - -A new top level command `docker checkpoint` is introduced, with three subcommands: -- `create` (creates a new checkpoint) -- `ls` (lists existing checkpoints) -- `rm` (deletes an existing checkpoint) - -Additionally, a `--checkpoint` flag is added to the container start command. 
- -The options for checkpoint create: - - Usage: docker checkpoint create [OPTIONS] CONTAINER CHECKPOINT - - Create a checkpoint from a running container - - --leave-running=false Leave the container running after checkpoint - --checkpoint-dir Use a custom checkpoint storage directory - -And to restore a container: - - Usage: docker start --checkpoint CHECKPOINT_ID [OTHER OPTIONS] CONTAINER - - -A simple example of using checkpoint & restore on a container: - - $ docker run --security-opt=seccomp:unconfined --name cr -d busybox /bin/sh -c 'i=0; while true; do echo $i; i=$(expr $i + 1); sleep 1; done' - > abc0123 - - $ docker checkpoint create cr checkpoint1 - - # - $ docker start --checkpoint checkpoint1 cr - > abc0123 - -This process just logs an incrementing counter to stdout. If you `docker logs` -in between running/checkpoint/restoring you should see that the counter -increases while the process is running, stops while it's checkpointed, and -resumes from the point it left off once you restore. - -## Current limitation - -seccomp is only supported by CRIU in very up to date kernels. - -External terminal (i.e. `docker run -t ..`) is not supported at the moment. 
-If you try to create a checkpoint for a container with an external terminal, -it would fail: - - $ docker checkpoint create cr checkpoint1 - Error response from daemon: Cannot checkpoint container c1: rpc error: code = 2 desc = exit status 1: "criu failed: type NOTIFY errno 0\nlog file: /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log\n" - - $ cat /var/lib/docker/containers/eb62ebdbf237ce1a8736d2ae3c7d88601fc0a50235b0ba767b559a1f3c5a600b/checkpoints/checkpoint1/criu.work/dump.log - Error (mount.c:740): mnt: 126:./dev/console doesn't have a proper root mount - diff -Nru docker.io-20.10.7/cli/experimental/README.md docker.io-20.10.11/cli/experimental/README.md --- docker.io-20.10.7/cli/experimental/README.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/experimental/README.md 2021-11-17 23:49:46.000000000 +0000 @@ -11,8 +11,6 @@ ## Use Docker experimental -Experimental features are now included in the standard Docker binaries as of -version 1.13.0. To enable experimental features, start the Docker daemon with the `--experimental` flag or enable the daemon flag in the `/etc/docker/daemon.json` configuration file: @@ -39,5 +37,5 @@ Metrics (Prometheus) output for basic container, image, and daemon operations. * [External graphdriver plugins](../docs/extend/plugins_graphdriver.md) - * [Checkpoint & Restore](checkpoint-restore.md) + * [Checkpoint & Restore](../docs/reference/commandline/checkpoint.md) * [Docker build with --squash argument](../docs/reference/commandline/build.md#squash-an-images-layers---squash-experimental) diff -Nru docker.io-20.10.7/cli/Jenkinsfile docker.io-20.10.11/cli/Jenkinsfile --- docker.io-20.10.7/cli/Jenkinsfile 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/Jenkinsfile 2021-11-17 23:49:46.000000000 +0000 @@ -1,6 +1,6 @@ pipeline { agent { - label "linux && x86_64" + label "amd64 && ubuntu-1804 && overlay2" } options { 
@@ -21,9 +21,9 @@ make -f docker.Makefile test-e2e-non-experimental" } } - stage("e2e (non-experimental) - 18.09 engine") { + stage("e2e (non-experimental) - 19.03 engine") { steps { - sh "E2E_ENGINE_VERSION=18.09-dind \ + sh "E2E_ENGINE_VERSION=19.03-dind \ E2E_UNIQUE_ID=clie2e${BUILD_NUMBER} \ IMAGE_TAG=clie2e${BUILD_NUMBER} \ make -f docker.Makefile test-e2e-non-experimental" diff -Nru docker.io-20.10.7/cli/man/Dockerfile.5.md docker.io-20.10.11/cli/man/Dockerfile.5.md --- docker.io-20.10.7/cli/man/Dockerfile.5.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/man/Dockerfile.5.md 2021-11-17 23:49:46.000000000 +0000 @@ -183,6 +183,18 @@ To display an image's labels, use the `docker inspect` command. +**STOPSIGNAL** + + -- `STOPSIGNAL ` + The **STOPSIGNAL** instruction sets the system call signal that will be sent + to the container to exit. This signal can be a signal name in the format + **SIG**, for instance **SIGKILL**, or an unsigned number that matches a + position in the kernel's syscall table, for instance **9**. The default is + **SIGTERM** if not defined. + + The image's default stopsignal can be overridden per container, using the + **--stop-signal** flag on **docker-run(1)** and **docker-create(1)**. + **EXPOSE** -- `EXPOSE [...]` The **EXPOSE** instruction informs Docker that the container listens on the diff -Nru docker.io-20.10.7/cli/man/docker-run.1.md docker.io-20.10.11/cli/man/docker-run.1.md --- docker.io-20.10.7/cli/man/docker-run.1.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/man/docker-run.1.md 2021-11-17 23:49:46.000000000 +0000 
@@ -622,10 +622,26 @@ Under these conditions, user can pass any size less than the backing fs size. **--stop-signal**=*SIGTERM* - Signal to stop a container. Default is SIGTERM. + Signal to stop the container. Default is SIGTERM. -**--stop-timeout**=*10* - Timeout (in seconds) to stop a container. Default is 10. + The `--stop-signal` flag sets the system call signal that will be sent to the + container to exit. This signal can be a signal name in the format `SIG`, + for instance `SIGKILL`, or an unsigned number that matches a position in the + kernel's syscall table, for instance `9`. + +**--stop-timeout** + Timeout (in seconds) to stop a container, or **-1** to disable timeout. + + The `--stop-timeout` flag sets the number of seconds to wait for the container + to stop after sending the pre-defined (see `--stop-signal`) system call signal. + If the container does not exit after the timeout elapses, it is forcibly killed + with a `SIGKILL` signal. + + If `--stop-timeout` is set to **-1**, no timeout is applied, and the daemon will + wait indefinitely for the container to exit. + + The default is determined by the daemon, and 10 seconds for Linux containers, + and 30 seconds for Windows containers. **--shm-size**="" Size of `/dev/shm`. The format is ``. diff -Nru docker.io-20.10.7/cli/scripts/build/plugins docker.io-20.10.11/cli/scripts/build/plugins --- docker.io-20.10.7/cli/scripts/build/plugins 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/scripts/build/plugins 2021-11-17 23:49:46.000000000 +0000 
@@ -17,5 +17,5 @@ echo "Building statically linked $TARGET" export CGO_ENABLED=0 - go build -o "${TARGET}" --ldflags "${LDFLAGS}" "github.com/docker/cli/${p}" + GO111MODULE=auto go build -o "${TARGET}" --ldflags "${LDFLAGS}" "github.com/docker/cli/${p}" done diff -Nru docker.io-20.10.7/cli/scripts/test/e2e/run docker.io-20.10.11/cli/scripts/test/e2e/run --- docker.io-20.10.7/cli/scripts/test/e2e/run 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/scripts/test/e2e/run 2021-11-17 23:49:46.000000000 +0000 @@ -71,6 +71,7 @@ PATH="$PWD/build/:/usr/bin:/usr/local/bin:/usr/local/go/bin" \ HOME="$HOME" \ DOCKER_CLI_E2E_PLUGINS_EXTRA_DIRS="$PWD/build/plugins-linux-amd64" \ + GO111MODULE=auto \ "$(command -v gotestsum)" -- ${TESTDIRS:-./e2e/...} ${TESTFLAGS-} } diff -Nru docker.io-20.10.7/cli/vendor/github.com/Azure/go-ansiterm/go.mod docker.io-20.10.11/cli/vendor/github.com/Azure/go-ansiterm/go.mod --- docker.io-20.10.7/cli/vendor/github.com/Azure/go-ansiterm/go.mod 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/Azure/go-ansiterm/go.mod 2021-11-17 23:49:46.000000000 +0000 @@ -0,0 +1,5 @@ +module github.com/Azure/go-ansiterm + +go 1.16 + +require golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 diff -Nru docker.io-20.10.7/cli/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go docker.io-20.10.11/cli/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go --- docker.io-20.10.7/cli/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/Azure/go-ansiterm/winterm/ansi.go 2021-11-17 23:49:46.000000000 +0000 @@ -10,6 +10,7 @@ "syscall" "github.com/Azure/go-ansiterm" + windows "golang.org/x/sys/windows" ) // Windows keyboard constants 
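Review bot: `GO111MODULE=auto` on the `go build` line leaves the build mode dependent on directory layout, because with `auto` the go command switches to module mode whenever a `go.mod` exists in the working directory or any parent. The same script can therefore resolve dependencies differently depending on where the tree is unpacked. If the intent is to keep building from the vendored tree in GOPATH mode after the Go 1.16 bump (an assumption; the hunk does not say), `GO111MODULE=off` states that explicitly. Either way, a one-line comment such as `# Go 1.16 defaults to module mode; this tree is built in GOPATH mode from vendor/` would record why the variable is set. The same applies to the `GO111MODULE=auto \` line added in the `scripts/test/e2e/run` hunk.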
@@ -162,15 +163,28 @@ func GetStdFile(nFile int) (*os.File, uintptr) { var file *os.File - switch nFile { - case syscall.STD_INPUT_HANDLE: + + // syscall uses negative numbers + // windows package uses very big uint32 + // Keep these switches split so we don't have to convert ints too much. + switch uint32(nFile) { + case windows.STD_INPUT_HANDLE: file = os.Stdin - case syscall.STD_OUTPUT_HANDLE: + case windows.STD_OUTPUT_HANDLE: file = os.Stdout - case syscall.STD_ERROR_HANDLE: + case windows.STD_ERROR_HANDLE: file = os.Stderr default: - panic(fmt.Errorf("Invalid standard handle identifier: %v", nFile)) + switch nFile { + case syscall.STD_INPUT_HANDLE: + file = os.Stdin + case syscall.STD_OUTPUT_HANDLE: + file = os.Stdout + case syscall.STD_ERROR_HANDLE: + file = os.Stderr + default: + panic(fmt.Errorf("Invalid standard handle identifier: %v", nFile)) + } } fd, err := syscall.GetStdHandle(nFile) diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy.go --- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy.go 1970-01-01 00:00:00.000000000 +0000 
@@ -1,176 +0,0 @@ -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package fs - -import ( - "io/ioutil" - "os" - "path/filepath" - "sync" - - "github.com/pkg/errors" -) - -var bufferPool = &sync.Pool{ - New: func() interface{} { - buffer := make([]byte, 32*1024) - return &buffer - }, -} - -// XAttrErrorHandlers transform a non-nil xattr error. -// Return nil to ignore an error. -// xattrKey can be empty for listxattr operation. -type XAttrErrorHandler func(dst, src, xattrKey string, err error) error - -type copyDirOpts struct { - xeh XAttrErrorHandler -} - -type CopyDirOpt func(*copyDirOpts) error - -// WithXAttrErrorHandler allows specifying XAttrErrorHandler -// If nil XAttrErrorHandler is specified (default), CopyDir stops -// on a non-nil xattr error. -func WithXAttrErrorHandler(xeh XAttrErrorHandler) CopyDirOpt { - return func(o *copyDirOpts) error { - o.xeh = xeh - return nil - } -} - -// WithAllowXAttrErrors allows ignoring xattr errors. -func WithAllowXAttrErrors() CopyDirOpt { - xeh := func(dst, src, xattrKey string, err error) error { - return nil - } - return WithXAttrErrorHandler(xeh) -} - -// CopyDir copies the directory from src to dst. -// Most efficient copy of files is attempted. 
-func CopyDir(dst, src string, opts ...CopyDirOpt) error { - var o copyDirOpts - for _, opt := range opts { - if err := opt(&o); err != nil { - return err - } - } - inodes := map[uint64]string{} - return copyDirectory(dst, src, inodes, &o) -} - -func copyDirectory(dst, src string, inodes map[uint64]string, o *copyDirOpts) error { - stat, err := os.Stat(src) - if err != nil { - return errors.Wrapf(err, "failed to stat %s", src) - } - if !stat.IsDir() { - return errors.Errorf("source %s is not directory", src) - } - - if st, err := os.Stat(dst); err != nil { - if err := os.Mkdir(dst, stat.Mode()); err != nil { - return errors.Wrapf(err, "failed to mkdir %s", dst) - } - } else if !st.IsDir() { - return errors.Errorf("cannot copy to non-directory: %s", dst) - } else { - if err := os.Chmod(dst, stat.Mode()); err != nil { - return errors.Wrapf(err, "failed to chmod on %s", dst) - } - } - - fis, err := ioutil.ReadDir(src) - if err != nil { - return errors.Wrapf(err, "failed to read %s", src) - } - - if err := copyFileInfo(stat, dst); err != nil { - return errors.Wrapf(err, "failed to copy file info for %s", dst) - } - - if err := copyXAttrs(dst, src, o.xeh); err != nil { - return errors.Wrap(err, "failed to copy xattrs") - } - - for _, fi := range fis { - source := filepath.Join(src, fi.Name()) - target := filepath.Join(dst, fi.Name()) - - switch { - case fi.IsDir(): - if err := copyDirectory(target, source, inodes, o); err != nil { - return err - } - continue - case (fi.Mode() & os.ModeType) == 0: - link, err := getLinkSource(target, fi, inodes) - if err != nil { - return errors.Wrap(err, "failed to get hardlink") - } - if link != "" { - if err := os.Link(link, target); err != nil { - return errors.Wrap(err, "failed to create hard link") - } - } else if err := CopyFile(target, source); err != nil { - return errors.Wrap(err, "failed to copy files") - } - case (fi.Mode() & os.ModeSymlink) == os.ModeSymlink: - link, err := os.Readlink(source) - if err != nil { - return 
errors.Wrapf(err, "failed to read link: %s", source) - } - if err := os.Symlink(link, target); err != nil { - return errors.Wrapf(err, "failed to create symlink: %s", target) - } - case (fi.Mode() & os.ModeDevice) == os.ModeDevice: - if err := copyDevice(target, fi); err != nil { - return errors.Wrapf(err, "failed to create device") - } - default: - // TODO: Support pipes and sockets - return errors.Wrapf(err, "unsupported mode %s", fi.Mode()) - } - if err := copyFileInfo(fi, target); err != nil { - return errors.Wrap(err, "failed to copy file info") - } - - if err := copyXAttrs(target, source, o.xeh); err != nil { - return errors.Wrap(err, "failed to copy xattrs") - } - } - - return nil -} - -// CopyFile copies the source file to the target. -// The most efficient means of copying is used for the platform. -func CopyFile(target, source string) error { - src, err := os.Open(source) - if err != nil { - return errors.Wrapf(err, "failed to open source %s", source) - } - defer src.Close() - tgt, err := os.Create(target) - if err != nil { - return errors.Wrapf(err, "failed to open target %s", target) - } - defer tgt.Close() - - return copyFileContent(tgt, src) -} diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy_linux.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy_linux.go --- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy_linux.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy_linux.go 1970-01-01 00:00:00.000000000 +0000 
@@ -1,147 +0,0 @@ -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package fs - -import ( - "io" - "os" - "syscall" - - "github.com/containerd/continuity/sysx" - "github.com/pkg/errors" - "golang.org/x/sys/unix" -) - -func copyFileInfo(fi os.FileInfo, name string) error { - st := fi.Sys().(*syscall.Stat_t) - if err := os.Lchown(name, int(st.Uid), int(st.Gid)); err != nil { - if os.IsPermission(err) { - // Normally if uid/gid are the same this would be a no-op, but some - // filesystems may still return EPERM... for instance NFS does this. - // In such a case, this is not an error. 
- if dstStat, err2 := os.Lstat(name); err2 == nil { - st2 := dstStat.Sys().(*syscall.Stat_t) - if st.Uid == st2.Uid && st.Gid == st2.Gid { - err = nil - } - } - } - if err != nil { - return errors.Wrapf(err, "failed to chown %s", name) - } - } - - if (fi.Mode() & os.ModeSymlink) != os.ModeSymlink { - if err := os.Chmod(name, fi.Mode()); err != nil { - return errors.Wrapf(err, "failed to chmod %s", name) - } - } - - timespec := []unix.Timespec{ - unix.NsecToTimespec(syscall.TimespecToNsec(StatAtime(st))), - unix.NsecToTimespec(syscall.TimespecToNsec(StatMtime(st))), - } - if err := unix.UtimesNanoAt(unix.AT_FDCWD, name, timespec, unix.AT_SYMLINK_NOFOLLOW); err != nil { - return errors.Wrapf(err, "failed to utime %s", name) - } - - return nil -} - -const maxSSizeT = int64(^uint(0) >> 1) - -func copyFileContent(dst, src *os.File) error { - st, err := src.Stat() - if err != nil { - return errors.Wrap(err, "unable to stat source") - } - - size := st.Size() - first := true - srcFd := int(src.Fd()) - dstFd := int(dst.Fd()) - - for size > 0 { - // Ensure that we are never trying to copy more than SSIZE_MAX at a - // time and at the same time avoids overflows when the file is larger - // than 4GB on 32-bit systems. 
- var copySize int - if size > maxSSizeT { - copySize = int(maxSSizeT) - } else { - copySize = int(size) - } - n, err := unix.CopyFileRange(srcFd, nil, dstFd, nil, copySize, 0) - if err != nil { - if (err != unix.ENOSYS && err != unix.EXDEV) || !first { - return errors.Wrap(err, "copy file range failed") - } - - buf := bufferPool.Get().(*[]byte) - _, err = io.CopyBuffer(dst, src, *buf) - bufferPool.Put(buf) - return errors.Wrap(err, "userspace copy failed") - } - - first = false - size -= int64(n) - } - - return nil -} - -func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error { - xattrKeys, err := sysx.LListxattr(src) - if err != nil { - e := errors.Wrapf(err, "failed to list xattrs on %s", src) - if xeh != nil { - e = xeh(dst, src, "", e) - } - return e - } - for _, xattr := range xattrKeys { - data, err := sysx.LGetxattr(src, xattr) - if err != nil { - e := errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src) - if xeh != nil { - if e = xeh(dst, src, xattr, e); e == nil { - continue - } - } - return e - } - if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil { - e := errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst) - if xeh != nil { - if e = xeh(dst, src, xattr, e); e == nil { - continue - } - } - return e - } - } - - return nil -} - -func copyDevice(dst string, fi os.FileInfo) error { - st, ok := fi.Sys().(*syscall.Stat_t) - if !ok { - return errors.New("unsupported stat type") - } - return unix.Mknod(dst, uint32(fi.Mode()), int(st.Rdev)) -} diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy_unix.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy_unix.go --- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy_unix.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy_unix.go 1970-01-01 00:00:00.000000000 +0000 
@@ -1,112 +0,0 @@
-// +build darwin freebsd openbsd solaris
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "io"
- "os"
- "syscall"
-
- "github.com/containerd/continuity/sysx"
- "github.com/pkg/errors"
- "golang.org/x/sys/unix"
-)
-
-func copyFileInfo(fi os.FileInfo, name string) error {
- st := fi.Sys().(*syscall.Stat_t)
- if err := os.Lchown(name, int(st.Uid), int(st.Gid)); err != nil {
- if os.IsPermission(err) {
- // Normally if uid/gid are the same this would be a no-op, but some
- // filesystems may still return EPERM... for instance NFS does this.
- // In such a case, this is not an error.
- if dstStat, err2 := os.Lstat(name); err2 == nil {
- st2 := dstStat.Sys().(*syscall.Stat_t)
- if st.Uid == st2.Uid && st.Gid == st2.Gid {
- err = nil
- }
- }
- }
- if err != nil {
- return errors.Wrapf(err, "failed to chown %s", name)
- }
- }
-
- if (fi.Mode() & os.ModeSymlink) != os.ModeSymlink {
- if err := os.Chmod(name, fi.Mode()); err != nil {
- return errors.Wrapf(err, "failed to chmod %s", name)
- }
- }
-
- timespec := []syscall.Timespec{StatAtime(st), StatMtime(st)}
- if err := syscall.UtimesNano(name, timespec); err != nil {
- return errors.Wrapf(err, "failed to utime %s", name)
- }
-
- return nil
-}
-
-func copyFileContent(dst, src *os.File) error {
- buf := bufferPool.Get().(*[]byte)
- _, err := io.CopyBuffer(dst, src, *buf)
- bufferPool.Put(buf)
-
- return err
-}
-
-func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
- xattrKeys, err := sysx.LListxattr(src)
- if err != nil {
- e := errors.Wrapf(err, "failed to list xattrs on %s", src)
- if xeh != nil {
- e = xeh(dst, src, "", e)
- }
- return e
- }
- for _, xattr := range xattrKeys {
- data, err := sysx.LGetxattr(src, xattr)
- if err != nil {
- e := errors.Wrapf(err, "failed to get xattr %q on %s", xattr, src)
- if xeh != nil {
- if e = xeh(dst, src, xattr, e); e == nil {
- continue
- }
- }
- return e
- }
- if err := sysx.LSetxattr(dst, xattr, data, 0); err != nil {
- e := errors.Wrapf(err, "failed to set xattr %q on %s", xattr, dst)
- if xeh != nil {
- if e = xeh(dst, src, xattr, e); e == nil {
- continue
- }
- }
- return e
- }
- }
-
- return nil
-}
-
-func copyDevice(dst string, fi os.FileInfo) error {
- st, ok := fi.Sys().(*syscall.Stat_t)
- if !ok {
- return errors.New("unsupported stat type")
- }
- return unix.Mknod(dst, uint32(fi.Mode()), int(st.Rdev))
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy_windows.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy_windows.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/copy_windows.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/copy_windows.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,49 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "io"
- "os"
-
- "github.com/pkg/errors"
-)
-
-func copyFileInfo(fi os.FileInfo, name string) error {
- if err := os.Chmod(name, fi.Mode()); err != nil {
- return errors.Wrapf(err, "failed to chmod %s", name)
- }
-
- // TODO: copy windows specific metadata
-
- return nil
-}
-
-func copyFileContent(dst, src *os.File) error {
- buf := bufferPool.Get().(*[]byte)
- _, err := io.CopyBuffer(dst, src, *buf)
- bufferPool.Put(buf)
- return err
-}
-
-func copyXAttrs(dst, src string, xeh XAttrErrorHandler) error {
- return nil
-}
-
-func copyDevice(dst string, fi os.FileInfo) error {
- return errors.New("device copy not supported")
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/diff.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/diff.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/diff.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/diff.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,326 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "context"
- "os"
- "path/filepath"
- "strings"
-
- "golang.org/x/sync/errgroup"
-
- "github.com/sirupsen/logrus"
-)
-
-// ChangeKind is the type of modification that
-// a change is making.
-type ChangeKind int
-
-const (
- // ChangeKindUnmodified represents an unmodified
- // file
- ChangeKindUnmodified = iota
-
- // ChangeKindAdd represents an addition of
- // a file
- ChangeKindAdd
-
- // ChangeKindModify represents a change to
- // an existing file
- ChangeKindModify
-
- // ChangeKindDelete represents a delete of
- // a file
- ChangeKindDelete
-)
-
-func (k ChangeKind) String() string {
- switch k {
- case ChangeKindUnmodified:
- return "unmodified"
- case ChangeKindAdd:
- return "add"
- case ChangeKindModify:
- return "modify"
- case ChangeKindDelete:
- return "delete"
- default:
- return ""
- }
-}
-
-// Change represents single change between a diff and its parent.
-type Change struct {
- Kind ChangeKind
- Path string
-}
-
-// ChangeFunc is the type of function called for each change
-// computed during a directory changes calculation.
-type ChangeFunc func(ChangeKind, string, os.FileInfo, error) error
-
-// Changes computes changes between two directories calling the
-// given change function for each computed change. The first
-// directory is intended to the base directory and second
-// directory the changed directory.
-//
-// The change callback is called by the order of path names and
-// should be appliable in that order.
-// Due to this apply ordering, the following is true
-// - Removed directory trees only create a single change for the root
-// directory removed. Remaining changes are implied.
-// - A directory which is modified to become a file will not have
-// delete entries for sub-path items, their removal is implied
-// by the removal of the parent directory.
-//
-// Opaque directories will not be treated specially and each file
-// removed from the base directory will show up as a removal.
-//
-// File content comparisons will be done on files which have timestamps
-// which may have been truncated. If either of the files being compared
-// has a zero value nanosecond value, each byte will be compared for
-// differences. If 2 files have the same seconds value but different
-// nanosecond values where one of those values is zero, the files will
-// be considered unchanged if the content is the same. This behavior
-// is to account for timestamp truncation during archiving.
-func Changes(ctx context.Context, a, b string, changeFn ChangeFunc) error {
- if a == "" {
- logrus.Debugf("Using single walk diff for %s", b)
- return addDirChanges(ctx, changeFn, b)
- } else if diffOptions := detectDirDiff(b, a); diffOptions != nil {
- logrus.Debugf("Using single walk diff for %s from %s", diffOptions.diffDir, a)
- return diffDirChanges(ctx, changeFn, a, diffOptions)
- }
-
- logrus.Debugf("Using double walk diff for %s from %s", b, a)
- return doubleWalkDiff(ctx, changeFn, a, b)
-}
-
-func addDirChanges(ctx context.Context, changeFn ChangeFunc, root string) error {
- return filepath.Walk(root, func(path string, f os.FileInfo, err error) error {
- if err != nil {
- return err
- }
-
- // Rebase path
- path, err = filepath.Rel(root, path)
- if err != nil {
- return err
- }
-
- path = filepath.Join(string(os.PathSeparator), path)
-
- // Skip root
- if path == string(os.PathSeparator) {
- return nil
- }
-
- return changeFn(ChangeKindAdd, path, f, nil)
- })
-}
-
-// diffDirOptions is used when the diff can be directly calculated from
-// a diff directory to its base, without walking both trees.
-type diffDirOptions struct {
- diffDir string
- skipChange func(string) (bool, error)
- deleteChange func(string, string, os.FileInfo) (string, error)
-}
-
-// diffDirChanges walks the diff directory and compares changes against the base.
-func diffDirChanges(ctx context.Context, changeFn ChangeFunc, base string, o *diffDirOptions) error {
- changedDirs := make(map[string]struct{})
- return filepath.Walk(o.diffDir, func(path string, f os.FileInfo, err error) error {
- if err != nil {
- return err
- }
-
- // Rebase path
- path, err = filepath.Rel(o.diffDir, path)
- if err != nil {
- return err
- }
-
- path = filepath.Join(string(os.PathSeparator), path)
-
- // Skip root
- if path == string(os.PathSeparator) {
- return nil
- }
-
- // TODO: handle opaqueness, start new double walker at this
- // location to get deletes, and skip tree in single walker
-
- if o.skipChange != nil {
- if skip, err := o.skipChange(path); skip {
- return err
- }
- }
-
- var kind ChangeKind
-
- deletedFile, err := o.deleteChange(o.diffDir, path, f)
- if err != nil {
- return err
- }
-
- // Find out what kind of modification happened
- if deletedFile != "" {
- path = deletedFile
- kind = ChangeKindDelete
- f = nil
- } else {
- // Otherwise, the file was added
- kind = ChangeKindAdd
-
- // ...Unless it already existed in a base, in which case, it's a modification
- stat, err := os.Stat(filepath.Join(base, path))
- if err != nil && !os.IsNotExist(err) {
- return err
- }
- if err == nil {
- // The file existed in the base, so that's a modification
-
- // However, if it's a directory, maybe it wasn't actually modified.
- // If you modify /foo/bar/baz, then /foo will be part of the changed files only because it's the parent of bar
- if stat.IsDir() && f.IsDir() {
- if f.Size() == stat.Size() && f.Mode() == stat.Mode() && sameFsTime(f.ModTime(), stat.ModTime()) {
- // Both directories are the same, don't record the change
- return nil
- }
- }
- kind = ChangeKindModify
- }
- }
-
- // If /foo/bar/file.txt is modified, then /foo/bar must be part of the changed files.
- // This block is here to ensure the change is recorded even if the
- // modify time, mode and size of the parent directory in the rw and ro layers are all equal.
- // Check https://github.com/docker/docker/pull/13590 for details.
- if f.IsDir() {
- changedDirs[path] = struct{}{}
- }
- if kind == ChangeKindAdd || kind == ChangeKindDelete {
- parent := filepath.Dir(path)
- if _, ok := changedDirs[parent]; !ok && parent != "/" {
- pi, err := os.Stat(filepath.Join(o.diffDir, parent))
- if err := changeFn(ChangeKindModify, parent, pi, err); err != nil {
- return err
- }
- changedDirs[parent] = struct{}{}
- }
- }
-
- return changeFn(kind, path, f, nil)
- })
-}
-
-// doubleWalkDiff walks both directories to create a diff
-func doubleWalkDiff(ctx context.Context, changeFn ChangeFunc, a, b string) (err error) {
- g, ctx := errgroup.WithContext(ctx)
-
- var (
- c1 = make(chan *currentPath)
- c2 = make(chan *currentPath)
-
- f1, f2 *currentPath
- rmdir string
- )
- g.Go(func() error {
- defer close(c1)
- return pathWalk(ctx, a, c1)
- })
- g.Go(func() error {
- defer close(c2)
- return pathWalk(ctx, b, c2)
- })
- g.Go(func() error {
- for c1 != nil || c2 != nil {
- if f1 == nil && c1 != nil {
- f1, err = nextPath(ctx, c1)
- if err != nil {
- return err
- }
- if f1 == nil {
- c1 = nil
- }
- }
-
- if f2 == nil && c2 != nil {
- f2, err = nextPath(ctx, c2)
- if err != nil {
- return err
- }
- if f2 == nil {
- c2 = nil
- }
- }
- if f1 == nil && f2 == nil {
- continue
- }
-
- var f os.FileInfo
- k, p := pathChange(f1, f2)
- switch k {
- case ChangeKindAdd:
- if rmdir != "" {
- rmdir = ""
- }
- f = f2.f
- f2 = nil
- case ChangeKindDelete:
- // Check if this file is already removed by being
- // under of a removed directory
- if rmdir != "" && strings.HasPrefix(f1.path, rmdir) {
- f1 = nil
- continue
- } else if f1.f.IsDir() {
- rmdir = f1.path + string(os.PathSeparator)
- } else if rmdir != "" {
- rmdir = ""
- }
- f1 = nil
- case ChangeKindModify:
- same, err := sameFile(f1, f2)
- if err != nil {
- return err
- }
- if f1.f.IsDir() && !f2.f.IsDir() {
- rmdir = f1.path + string(os.PathSeparator)
- } else if rmdir != "" {
- rmdir = ""
- }
- f = f2.f
- f1 = nil
- f2 = nil
- if same {
- if !isLinked(f) {
- continue
- }
- k = ChangeKindUnmodified
- }
- }
- if err := changeFn(k, p, f, nil); err != nil {
- return err
- }
- }
- return nil
- })
-
- return g.Wait()
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/diff_unix.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/diff_unix.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/diff_unix.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/diff_unix.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,74 +0,0 @@
-// +build !windows
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "bytes"
- "os"
- "syscall"
-
- "github.com/containerd/continuity/sysx"
- "github.com/pkg/errors"
-)
-
-// detectDirDiff returns diff dir options if a directory could
-// be found in the mount info for upper which is the direct
-// diff with the provided lower directory
-func detectDirDiff(upper, lower string) *diffDirOptions {
- // TODO: get mount options for upper
- // TODO: detect AUFS
- // TODO: detect overlay
- return nil
-}
-
-// compareSysStat returns whether the stats are equivalent,
-// whether the files are considered the same file, and
-// an error
-func compareSysStat(s1, s2 interface{}) (bool, error) {
- ls1, ok := s1.(*syscall.Stat_t)
- if !ok {
- return false, nil
- }
- ls2, ok := s2.(*syscall.Stat_t)
- if !ok {
- return false, nil
- }
-
- return ls1.Mode == ls2.Mode && ls1.Uid == ls2.Uid && ls1.Gid == ls2.Gid && ls1.Rdev == ls2.Rdev, nil
-}
-
-func compareCapabilities(p1, p2 string) (bool, error) {
- c1, err := sysx.LGetxattr(p1, "security.capability")
- if err != nil && err != sysx.ENODATA {
- return false, errors.Wrapf(err, "failed to get xattr for %s", p1)
- }
- c2, err := sysx.LGetxattr(p2, "security.capability")
- if err != nil && err != sysx.ENODATA {
- return false, errors.Wrapf(err, "failed to get xattr for %s", p2)
- }
- return bytes.Equal(c1, c2), nil
-}
-
-func isLinked(f os.FileInfo) bool {
- s, ok := f.Sys().(*syscall.Stat_t)
- if !ok {
- return false
- }
- return !f.IsDir() && s.Nlink > 1
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/diff_windows.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/diff_windows.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/diff_windows.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/diff_windows.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,48 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "os"
-
- "golang.org/x/sys/windows"
-)
-
-func detectDirDiff(upper, lower string) *diffDirOptions {
- return nil
-}
-
-func compareSysStat(s1, s2 interface{}) (bool, error) {
- f1, ok := s1.(windows.Win32FileAttributeData)
- if !ok {
- return false, nil
- }
- f2, ok := s2.(windows.Win32FileAttributeData)
- if !ok {
- return false, nil
- }
- return f1.FileAttributes == f2.FileAttributes, nil
-}
-
-func compareCapabilities(p1, p2 string) (bool, error) {
- // TODO: Use windows equivalent
- return true, nil
-}
-
-func isLinked(os.FileInfo) bool {
- return false
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/dtype_linux.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/dtype_linux.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/dtype_linux.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/dtype_linux.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,103 +0,0 @@
-// +build linux
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "fmt"
- "io/ioutil"
- "os"
- "syscall"
- "unsafe"
-)
-
-func locateDummyIfEmpty(path string) (string, error) {
- children, err := ioutil.ReadDir(path)
- if err != nil {
- return "", err
- }
- if len(children) != 0 {
- return "", nil
- }
- dummyFile, err := ioutil.TempFile(path, "fsutils-dummy")
- if err != nil {
- return "", err
- }
- name := dummyFile.Name()
- err = dummyFile.Close()
- return name, err
-}
-
-// SupportsDType returns whether the filesystem mounted on path supports d_type
-func SupportsDType(path string) (bool, error) {
- // locate dummy so that we have at least one dirent
- dummy, err := locateDummyIfEmpty(path)
- if err != nil {
- return false, err
- }
- if dummy != "" {
- defer os.Remove(dummy)
- }
-
- visited := 0
- supportsDType := true
- fn := func(ent *syscall.Dirent) bool {
- visited++
- if ent.Type == syscall.DT_UNKNOWN {
- supportsDType = false
- // stop iteration
- return true
- }
- // continue iteration
- return false
- }
- if err = iterateReadDir(path, fn); err != nil {
- return false, err
- }
- if visited == 0 {
- return false, fmt.Errorf("did not hit any dirent during iteration %s", path)
- }
- return supportsDType, nil
-}
-
-func iterateReadDir(path string, fn func(*syscall.Dirent) bool) error {
- d, err := os.Open(path)
- if err != nil {
- return err
- }
- defer d.Close()
- fd := int(d.Fd())
- buf := make([]byte, 4096)
- for {
- nbytes, err := syscall.ReadDirent(fd, buf)
- if err != nil {
- return err
- }
- if nbytes == 0 {
- break
- }
- for off := 0; off < nbytes; {
- ent := (*syscall.Dirent)(unsafe.Pointer(&buf[off]))
- if stop := fn(ent); stop {
- return nil
- }
- off += int(ent.Reclen)
- }
- }
- return nil
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/du.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/du.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/du.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/du.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,38 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import "context"
-
-// Usage of disk information
-type Usage struct {
- Inodes int64
- Size int64
-}
-
-// DiskUsage counts the number of inodes and disk usage for the resources under
-// path.
-func DiskUsage(ctx context.Context, roots ...string) (Usage, error) {
- return diskUsage(ctx, roots...)
-}
-
-// DiffUsage counts the numbers of inodes and disk usage in the
-// diff between the 2 directories. The first path is intended
-// as the base directory and the second as the changed directory.
-func DiffUsage(ctx context.Context, a, b string) (Usage, error) {
- return diffUsage(ctx, a, b)
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/du_unix.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/du_unix.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/du_unix.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/du_unix.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,110 +0,0 @@
-// +build !windows
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "context"
- "os"
- "path/filepath"
- "syscall"
-)
-
-type inode struct {
- // TODO(stevvooe): Can probably reduce memory usage by not tracking
- // device, but we can leave this right for now.
- dev, ino uint64
-}
-
-func newInode(stat *syscall.Stat_t) inode {
- return inode{
- // Dev is uint32 on darwin/bsd, uint64 on linux/solaris
- dev: uint64(stat.Dev), // nolint: unconvert
- // Ino is uint32 on bsd, uint64 on darwin/linux/solaris
- ino: uint64(stat.Ino), // nolint: unconvert
- }
-}
-
-func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
-
- var (
- size int64
- inodes = map[inode]struct{}{} // expensive!
- )
-
- for _, root := range roots {
- if err := filepath.Walk(root, func(path string, fi os.FileInfo, err error) error {
- if err != nil {
- return err
- }
-
- select {
- case <-ctx.Done():
- return ctx.Err()
- default:
- }
-
- inoKey := newInode(fi.Sys().(*syscall.Stat_t))
- if _, ok := inodes[inoKey]; !ok {
- inodes[inoKey] = struct{}{}
- size += fi.Size()
- }
-
- return nil
- }); err != nil {
- return Usage{}, err
- }
- }
-
- return Usage{
- Inodes: int64(len(inodes)),
- Size: size,
- }, nil
-}
-
-func diffUsage(ctx context.Context, a, b string) (Usage, error) {
- var (
- size int64
- inodes = map[inode]struct{}{} // expensive!
- )
-
- if err := Changes(ctx, a, b, func(kind ChangeKind, _ string, fi os.FileInfo, err error) error {
- if err != nil {
- return err
- }
-
- if kind == ChangeKindAdd || kind == ChangeKindModify {
- inoKey := newInode(fi.Sys().(*syscall.Stat_t))
- if _, ok := inodes[inoKey]; !ok {
- inodes[inoKey] = struct{}{}
- size += fi.Size()
- }
-
- return nil
-
- }
- return nil
- }); err != nil {
- return Usage{}, err
- }
-
- return Usage{
- Inodes: int64(len(inodes)),
- Size: size,
- }, nil
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/du_windows.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/du_windows.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/du_windows.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/du_windows.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,82 +0,0 @@
-// +build windows
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "context"
- "os"
- "path/filepath"
-)
-
-func diskUsage(ctx context.Context, roots ...string) (Usage, error) {
- var (
- size int64
- )
-
- // TODO(stevvooe): Support inodes (or equivalent) for windows.
-
- for _, root := range roots {
- if err := filepath.Walk(root, func(path string, fi os.FileInfo, err error) error {
- if err != nil {
- return err
- }
-
- select {
- case <-ctx.Done():
- return ctx.Err()
- default:
- }
-
- size += fi.Size()
- return nil
- }); err != nil {
- return Usage{}, err
- }
- }
-
- return Usage{
- Size: size,
- }, nil
-}
-
-func diffUsage(ctx context.Context, a, b string) (Usage, error) {
- var (
- size int64
- )
-
- if err := Changes(ctx, a, b, func(kind ChangeKind, _ string, fi os.FileInfo, err error) error {
- if err != nil {
- return err
- }
-
- if kind == ChangeKindAdd || kind == ChangeKindModify {
- size += fi.Size()
-
- return nil
-
- }
- return nil
- }); err != nil {
- return Usage{}, err
- }
-
- return Usage{
- Size: size,
- }, nil
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/hardlink.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/hardlink.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/hardlink.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/hardlink.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,43 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import "os"
-
-// GetLinkInfo returns an identifier representing the node a hardlink is pointing
-// to. If the file is not hard linked then 0 will be returned.
-func GetLinkInfo(fi os.FileInfo) (uint64, bool) {
- return getLinkInfo(fi)
-}
-
-// getLinkSource returns a path for the given name and
-// file info to its link source in the provided inode
-// map. If the given file name is not in the map and
-// has other links, it is added to the inode map
-// to be a source for other link locations.
-func getLinkSource(name string, fi os.FileInfo, inodes map[uint64]string) (string, error) {
- inode, isHardlink := getLinkInfo(fi)
- if !isHardlink {
- return "", nil
- }
-
- path, ok := inodes[inode]
- if !ok {
- inodes[inode] = name
- }
- return path, nil
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/hardlink_unix.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/hardlink_unix.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/hardlink_unix.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/hardlink_unix.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,34 +0,0 @@
-// +build !windows
-
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import (
- "os"
- "syscall"
-)
-
-func getLinkInfo(fi os.FileInfo) (uint64, bool) {
- s, ok := fi.Sys().(*syscall.Stat_t)
- if !ok {
- return 0, false
- }
-
- // Ino is uint32 on bsd, uint64 on darwin/linux/solaris
- return uint64(s.Ino), !fi.IsDir() && s.Nlink > 1 // nolint: unconvert
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/hardlink_windows.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/hardlink_windows.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/hardlink_windows.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/hardlink_windows.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,23 +0,0 @@
-/*
- Copyright The containerd Authors.
-
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-*/
-
-package fs
-
-import "os"
-
-func getLinkInfo(fi os.FileInfo) (uint64, bool) {
- return 0, false
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/path.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/path.go
--- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/path.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/path.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,311 +0,0 @@ -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package fs - -import ( - "bytes" - "context" - "io" - "os" - "path/filepath" - - "github.com/pkg/errors" -) - -var ( - errTooManyLinks = errors.New("too many links") -) - -type currentPath struct { - path string - f os.FileInfo - fullPath string -} - -func pathChange(lower, upper *currentPath) (ChangeKind, string) { - if lower == nil { - if upper == nil { - panic("cannot compare nil paths") - } - return ChangeKindAdd, upper.path - } - if upper == nil { - return ChangeKindDelete, lower.path - } - - switch i := directoryCompare(lower.path, upper.path); { - case i < 0: - // File in lower that is not in upper - return ChangeKindDelete, lower.path - case i > 0: - // File in upper that is not in lower - return ChangeKindAdd, upper.path - default: - return ChangeKindModify, upper.path - } -} - -func directoryCompare(a, b string) int { - l := len(a) - if len(b) < l { - l = len(b) - } - for i := 0; i < l; i++ { - c1, c2 := a[i], b[i] - if c1 == filepath.Separator { - c1 = byte(0) - } - if c2 == filepath.Separator { - c2 = byte(0) - } - if c1 < c2 { - return -1 - } - if c1 > c2 { - return +1 - } - } - if len(a) < len(b) { - return -1 - } - if len(a) > len(b) { - return +1 - } - return 0 -} - -func sameFile(f1, f2 *currentPath) (bool, error) { - if os.SameFile(f1.f, f2.f) { - return true, nil - } - - equalStat, err := compareSysStat(f1.f.Sys(), f2.f.Sys()) - if err != nil || 
!equalStat { - return equalStat, err - } - - if eq, err := compareCapabilities(f1.fullPath, f2.fullPath); err != nil || !eq { - return eq, err - } - - // If not a directory also check size, modtime, and content - if !f1.f.IsDir() { - if f1.f.Size() != f2.f.Size() { - return false, nil - } - t1 := f1.f.ModTime() - t2 := f2.f.ModTime() - - if t1.Unix() != t2.Unix() { - return false, nil - } - - // If the timestamp may have been truncated in both of the - // files, check content of file to determine difference - if t1.Nanosecond() == 0 && t2.Nanosecond() == 0 { - if (f1.f.Mode() & os.ModeSymlink) == os.ModeSymlink { - return compareSymlinkTarget(f1.fullPath, f2.fullPath) - } - if f1.f.Size() == 0 { // if file sizes are zero length, the files are the same by definition - return true, nil - } - return compareFileContent(f1.fullPath, f2.fullPath) - } else if t1.Nanosecond() != t2.Nanosecond() { - return false, nil - } - } - - return true, nil -} - -func compareSymlinkTarget(p1, p2 string) (bool, error) { - t1, err := os.Readlink(p1) - if err != nil { - return false, err - } - t2, err := os.Readlink(p2) - if err != nil { - return false, err - } - return t1 == t2, nil -} - -const compareChuckSize = 32 * 1024 - -// compareFileContent compares the content of 2 same sized files -// by comparing each byte. 
-func compareFileContent(p1, p2 string) (bool, error) { - f1, err := os.Open(p1) - if err != nil { - return false, err - } - defer f1.Close() - f2, err := os.Open(p2) - if err != nil { - return false, err - } - defer f2.Close() - - b1 := make([]byte, compareChuckSize) - b2 := make([]byte, compareChuckSize) - for { - n1, err1 := f1.Read(b1) - if err1 != nil && err1 != io.EOF { - return false, err1 - } - n2, err2 := f2.Read(b2) - if err2 != nil && err2 != io.EOF { - return false, err2 - } - if n1 != n2 || !bytes.Equal(b1[:n1], b2[:n2]) { - return false, nil - } - if err1 == io.EOF && err2 == io.EOF { - return true, nil - } - } -} - -func pathWalk(ctx context.Context, root string, pathC chan<- *currentPath) error { - return filepath.Walk(root, func(path string, f os.FileInfo, err error) error { - if err != nil { - return err - } - - // Rebase path - path, err = filepath.Rel(root, path) - if err != nil { - return err - } - - path = filepath.Join(string(os.PathSeparator), path) - - // Skip root - if path == string(os.PathSeparator) { - return nil - } - - p := ¤tPath{ - path: path, - f: f, - fullPath: filepath.Join(root, path), - } - - select { - case <-ctx.Done(): - return ctx.Err() - case pathC <- p: - return nil - } - }) -} - -func nextPath(ctx context.Context, pathC <-chan *currentPath) (*currentPath, error) { - select { - case <-ctx.Done(): - return nil, ctx.Err() - case p := <-pathC: - return p, nil - } -} - -// RootPath joins a path with a root, evaluating and bounding any -// symlink to the root directory. 
-func RootPath(root, path string) (string, error) { - if path == "" { - return root, nil - } - var linksWalked int // to protect against cycles - for { - i := linksWalked - newpath, err := walkLinks(root, path, &linksWalked) - if err != nil { - return "", err - } - path = newpath - if i == linksWalked { - newpath = filepath.Join("/", newpath) - if path == newpath { - return filepath.Join(root, newpath), nil - } - path = newpath - } - } -} - -func walkLink(root, path string, linksWalked *int) (newpath string, islink bool, err error) { - if *linksWalked > 255 { - return "", false, errTooManyLinks - } - - path = filepath.Join("/", path) - if path == "/" { - return path, false, nil - } - realPath := filepath.Join(root, path) - - fi, err := os.Lstat(realPath) - if err != nil { - // If path does not yet exist, treat as non-symlink - if os.IsNotExist(err) { - return path, false, nil - } - return "", false, err - } - if fi.Mode()&os.ModeSymlink == 0 { - return path, false, nil - } - newpath, err = os.Readlink(realPath) - if err != nil { - return "", false, err - } - *linksWalked++ - return newpath, true, nil -} - -func walkLinks(root, path string, linksWalked *int) (string, error) { - switch dir, file := filepath.Split(path); { - case dir == "": - newpath, _, err := walkLink(root, file, linksWalked) - return newpath, err - case file == "": - if os.IsPathSeparator(dir[len(dir)-1]) { - if dir == "/" { - return dir, nil - } - return walkLinks(root, dir[:len(dir)-1], linksWalked) - } - newpath, _, err := walkLink(root, dir, linksWalked) - return newpath, err - default: - newdir, err := walkLinks(root, dir, linksWalked) - if err != nil { - return "", err - } - newpath, islink, err := walkLink(root, filepath.Join(newdir, file), linksWalked) - if err != nil { - return "", err - } - if !islink { - return newpath, nil - } - if filepath.IsAbs(newpath) { - return newpath, nil - } - return filepath.Join(newdir, newpath), nil - } -} diff -Nru 
docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/stat_darwinfreebsd.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/stat_darwinfreebsd.go --- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/stat_darwinfreebsd.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/stat_darwinfreebsd.go 1970-01-01 00:00:00.000000000 +0000 
@@ -1,44 +0,0 @@ -// +build darwin freebsd - -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package fs - -import ( - "syscall" - "time" -) - -// StatAtime returns the access time from a stat struct -func StatAtime(st *syscall.Stat_t) syscall.Timespec { - return st.Atimespec -} - -// StatCtime returns the created time from a stat struct -func StatCtime(st *syscall.Stat_t) syscall.Timespec { - return st.Ctimespec -} - -// StatMtime returns the modified time from a stat struct -func StatMtime(st *syscall.Stat_t) syscall.Timespec { - return st.Mtimespec -} - -// StatATimeAsTime returns the access time as a time.Time -func StatATimeAsTime(st *syscall.Stat_t) time.Time { - return time.Unix(int64(st.Atimespec.Sec), int64(st.Atimespec.Nsec)) // nolint: unconvert -} diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/stat_linuxopenbsd.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/stat_linuxopenbsd.go --- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/stat_linuxopenbsd.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/stat_linuxopenbsd.go 1970-01-01 00:00:00.000000000 +0000 
@@ -1,45 +0,0 @@ -// +build linux openbsd - -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package fs - -import ( - "syscall" - "time" -) - -// StatAtime returns the Atim -func StatAtime(st *syscall.Stat_t) syscall.Timespec { - return st.Atim -} - -// StatCtime returns the Ctim -func StatCtime(st *syscall.Stat_t) syscall.Timespec { - return st.Ctim -} - -// StatMtime returns the Mtim -func StatMtime(st *syscall.Stat_t) syscall.Timespec { - return st.Mtim -} - -// StatATimeAsTime returns st.Atim as a time.Time -func StatATimeAsTime(st *syscall.Stat_t) time.Time { - // The int64 conversions ensure the line compiles for 32-bit systems as well. - return time.Unix(int64(st.Atim.Sec), int64(st.Atim.Nsec)) // nolint: unconvert -} diff -Nru docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/time.go docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/time.go --- docker.io-20.10.7/cli/vendor/github.com/containerd/continuity/fs/time.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/containerd/continuity/fs/time.go 1970-01-01 00:00:00.000000000 +0000 
@@ -1,29 +0,0 @@ -/* - Copyright The containerd Authors. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. -*/ - -package fs - -import "time" - -// Gnu tar and the go tar writer don't have sub-second mtime -// precision, which is problematic when we apply changes via tar -// files, we handle this by comparing for exact times, *or* same -// second count and either a or b having exactly 0 nanoseconds -func sameFsTime(a, b time.Time) bool { - return a == b || - (a.Unix() == b.Unix() && - (a.Nanosecond() == 0 || b.Nanosecond() == 0)) -} diff -Nru docker.io-20.10.7/cli/vendor/github.com/cpuguy83/go-md2man/v2/go.mod docker.io-20.10.11/cli/vendor/github.com/cpuguy83/go-md2man/v2/go.mod --- docker.io-20.10.7/cli/vendor/github.com/cpuguy83/go-md2man/v2/go.mod 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/cpuguy83/go-md2man/v2/go.mod 2021-11-17 23:49:46.000000000 +0000 
@@ -1,9 +1,5 @@ module github.com/cpuguy83/go-md2man/v2 -go 1.12 +go 1.11 -require ( - github.com/pmezard/go-difflib v1.0.0 // indirect - github.com/russross/blackfriday/v2 v2.0.1 - github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect -) +require github.com/russross/blackfriday/v2 v2.1.0 diff -Nru docker.io-20.10.7/cli/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go docker.io-20.10.11/cli/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go --- docker.io-20.10.7/cli/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/cpuguy83/go-md2man/v2/md2man/roff.go 2021-11-17 23:49:46.000000000 +0000 @@ -15,7 +15,7 @@ extensions blackfriday.Extensions listCounters []int firstHeader bool - defineTerm bool + firstDD bool listDepth int } @@ -42,7 +42,8 @@ quoteCloseTag = "\n.RE\n" listTag = "\n.RS\n" listCloseTag = "\n.RE\n" - arglistTag = "\n.TP\n" + dtTag = "\n.TP\n" + dd2Tag = "\n" tableStart = "\n.TS\nallbox;\n" tableEnd = ".TE\n" tableCellStart = "T{\n" @@ -90,7 +91,7 @@ switch node.Type { case blackfriday.Text: - r.handleText(w, node, entering) + escapeSpecialChars(w, node.Literal) case blackfriday.Softbreak: out(w, crTag) case blackfriday.Hardbreak: 
@@ -150,40 +151,21 @@ out(w, codeCloseTag) case blackfriday.Table: r.handleTable(w, node, entering) - case blackfriday.TableCell: - r.handleTableCell(w, node, entering) case blackfriday.TableHead: case blackfriday.TableBody: case blackfriday.TableRow: // no action as cell entries do all the nroff formatting return blackfriday.GoToNext + case blackfriday.TableCell: + r.handleTableCell(w, node, entering) + case blackfriday.HTMLSpan: + // ignore other HTML tags default: fmt.Fprintln(os.Stderr, "WARNING: go-md2man does not handle node type "+node.Type.String()) } return walkAction } -func (r *roffRenderer) handleText(w io.Writer, node *blackfriday.Node, entering bool) { - var ( - start, end string - ) - // handle special roff table cell text encapsulation - if node.Parent.Type == blackfriday.TableCell { - if len(node.Literal) > 30 { - start = tableCellStart - end = tableCellEnd - } else { - // end rows that aren't terminated by "tableCellEnd" with a cr if end of row - if node.Parent.Next == nil && !node.Parent.IsHeader { - end = crTag - } - } - } - out(w, start) - escapeSpecialChars(w, node.Literal) - out(w, end) -} - func (r *roffRenderer) handleHeading(w io.Writer, node *blackfriday.Node, entering bool) { if entering { switch node.Level { 
@@ -230,15 +212,20 @@ if node.ListFlags&blackfriday.ListTypeOrdered != 0 { out(w, fmt.Sprintf(".IP \"%3d.\" 5\n", r.listCounters[len(r.listCounters)-1])) r.listCounters[len(r.listCounters)-1]++ + } else if node.ListFlags&blackfriday.ListTypeTerm != 0 { + // DT (definition term): line just before DD (see below). + out(w, dtTag) + r.firstDD = true } else if node.ListFlags&blackfriday.ListTypeDefinition != 0 { - // state machine for handling terms and following definitions - // since blackfriday does not distinguish them properly, nor - // does it seperate them into separate lists as it should - if !r.defineTerm { - out(w, arglistTag) - r.defineTerm = true + // DD (definition description): line that starts with ": ". + // + // We have to distinguish between the first DD and the + // subsequent ones, as there should be no vertical + // whitespace between the DT and the first DD. + if r.firstDD { + r.firstDD = false } else { - r.defineTerm = false + out(w, dd2Tag) } } else { out(w, ".IP \\(bu 2\n") @@ -251,7 +238,7 @@ func (r *roffRenderer) handleTable(w io.Writer, node *blackfriday.Node, entering bool) { if entering { out(w, tableStart) - //call walker to count cells (and rows?) so format section can be produced + // call walker to count cells (and rows?) so format section can be produced columns := countColumns(node) out(w, strings.Repeat("l ", columns)+"\n") out(w, strings.Repeat("l ", columns)+".\n") 
@@ -261,28 +248,41 @@ } func (r *roffRenderer) handleTableCell(w io.Writer, node *blackfriday.Node, entering bool) { - var ( - start, end string - ) - if node.IsHeader { - start = codespanTag - end = codespanCloseTag - } if entering { + var start string if node.Prev != nil && node.Prev.Type == blackfriday.TableCell { - out(w, "\t"+start) - } else { - out(w, start) + start = "\t" + } + if node.IsHeader { + start += codespanTag + } else if nodeLiteralSize(node) > 30 { + start += tableCellStart } + out(w, start) } else { - // need to carriage return if we are at the end of the header row - if node.IsHeader && node.Next == nil { - end = end + crTag + var end string + if node.IsHeader { + end = codespanCloseTag + } else if nodeLiteralSize(node) > 30 { + end = tableCellEnd + } + if node.Next == nil && end != tableCellEnd { + // Last cell: need to carriage return if we are at the end of the + // header row and content isn't wrapped in a "tablecell" + end += crTag } out(w, end) } } +func nodeLiteralSize(node *blackfriday.Node) int { + total := 0 + for n := node.FirstChild; n != nil; n = n.FirstChild { + total += len(n.Literal) + } + return total +} + // because roff format requires knowing the column count before outputting any table // data we need to walk a table tree and count the columns func countColumns(node *blackfriday.Node) int { @@ -309,15 +309,6 @@ io.WriteString(w, output) // nolint: errcheck } -func needsBackslash(c byte) bool { - for _, r := range []byte("-_&\\~") { - if c == r { - return true - } - } - return false -} - func escapeSpecialChars(w io.Writer, text []byte) { for i := 0; i < len(text); i++ { // escape initial apostrophe or period 
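Review bot: nodeLiteralSize advances with `n = n.FirstChild`, so it only follows the chain of first children below the cell and never visits siblings. A cell whose content is split into several inline nodes would be measured by its first node alone, and the `> 30` wrapping decision in handleTableCell could then differ from what the full cell text warrants. If the intent is the total literal length of the cell, iterate the siblings (`n = n.Next`) or use the node's Walk. Both the entering and leaving branches call the same helper, so they at least stay consistent with each other.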
@@ -328,7 +319,7 @@ // directly copy normal characters org := i - for i < len(text) && !needsBackslash(text[i]) { + for i < len(text) && text[i] != '\\' { i++ } if i > org { diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/client/client.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/client/client.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/client/client.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/client/client.go 2021-11-17 23:49:46.000000000 +0000 @@ -2,7 +2,7 @@ Package client is a Go client for the Docker Engine API. For more information about the Engine API, see the documentation: -https://docs.docker.com/engine/reference/api/ +https://docs.docker.com/engine/api/ Usage diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive.go 2021-11-17 23:49:46.000000000 +0000 
@@ -402,10 +402,24 @@ // ReadSecurityXattrToTarHeader reads security.capability xattr from filesystem // to a tar header func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error { + const ( + // Values based on linux/include/uapi/linux/capability.h + xattrCapsSz2 = 20 + versionOffset = 3 + vfsCapRevision2 = 2 + vfsCapRevision3 = 3 + ) capability, _ := system.Lgetxattr(path, "security.capability") if capability != nil { + length := len(capability) + if capability[versionOffset] == vfsCapRevision3 { + // Convert VFS_CAP_REVISION_3 to VFS_CAP_REVISION_2 as root UID makes no + // sense outside the user namespace the archive is built in. + capability[versionOffset] = vfsCapRevision2 + length = xattrCapsSz2 + } hdr.Xattrs = make(map[string]string) - hdr.Xattrs["security.capability"] = string(capability) + hdr.Xattrs["security.capability"] = string(capability[:length]) } return nil } @@ -739,13 +753,18 @@ return nil, err } + whiteoutConverter, err := getWhiteoutConverter(options.WhiteoutFormat, options.InUserNS) + if err != nil { + return nil, err + } + go func() { ta := newTarAppender( idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps), compressWriter, options.ChownOpts, ) - ta.WhiteoutConverter = getWhiteoutConverter(options.WhiteoutFormat, options.InUserNS) + ta.WhiteoutConverter = whiteoutConverter defer func() { // Make sure to check the error on Close. @@ -903,7 +922,10 @@ var dirs []*tar.Header idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps) rootIDs := idMapping.RootPair() - whiteoutConverter := getWhiteoutConverter(options.WhiteoutFormat, options.InUserNS) + whiteoutConverter, err := getWhiteoutConverter(options.WhiteoutFormat, options.InUserNS) + if err != nil { + return err + } // Iterate through the files in the archive. loop: 
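Review bot: In ReadSecurityXattrToTarHeader the new code reads `capability[versionOffset]` and, for revision 3, slices `capability[:length]` with `length = xattrCapsSz2`, after checking only `capability != nil`. An xattr value shorter than 4 bytes, or a revision-3 value shorter than 20, can therefore panic instead of being skipped or reported. The value comes from the filesystem being archived and the Lgetxattr error is discarded, so nothing visible here guarantees its size; the kernel normally validates it, but a corrupted or crafted filesystem presumably remains possible. I would guard the conversion on the length, e.g. `if length >= xattrCapsSz2 && capability[versionOffset] == vfsCapRevision3 {`, and skip values with `length <= versionOffset`.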
@@ -917,6 +939,12 @@ return err } + // ignore XGlobalHeader early to avoid creating parent directories for them + if hdr.Typeflag == tar.TypeXGlobalHeader { + logrus.Debugf("PAX Global Extended Headers found for %s and ignored", hdr.Name) + continue + } + // Normalize name, for safety and for a simple is-root check // This keeps "../" as-is, but normalizes "/../" to "/". Or Windows: // This keeps "..\" as-is, but normalizes "\..\" to "\". @@ -936,7 +964,7 @@ parent := filepath.Dir(hdr.Name) parentPath := filepath.Join(dest, parent) if _, err := os.Lstat(parentPath); err != nil && os.IsNotExist(err) { - err = idtools.MkdirAllAndChownNew(parentPath, 0777, rootIDs) + err = idtools.MkdirAllAndChownNew(parentPath, 0755, rootIDs) if err != nil { return err } diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive_linux.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive_linux.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive_linux.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive_linux.go 2021-11-17 23:49:46.000000000 +0000 
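Review bot: The new debug message in the XGlobalHeader branch formats `hdr.Name` with `%s`, and that name is taken from the archive being extracted, before the normalisation a few lines further down. Quoting it keeps newlines or control characters in an entry name from altering the log line: `logrus.Debugf("PAX Global Extended Headers found for %q and ignored", hdr.Name)`. The enclosing loop starts and ends outside this hunk.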
@@ -2,29 +2,26 @@ import ( "archive/tar" - "fmt" - "io/ioutil" "os" "path/filepath" "strings" - "syscall" - "github.com/containerd/continuity/fs" "github.com/docker/docker/pkg/system" - "github.com/moby/sys/mount" "github.com/pkg/errors" "golang.org/x/sys/unix" ) -func getWhiteoutConverter(format WhiteoutFormat, inUserNS bool) tarWhiteoutConverter { +func getWhiteoutConverter(format WhiteoutFormat, inUserNS bool) (tarWhiteoutConverter, error) { if format == OverlayWhiteoutFormat { - return overlayWhiteoutConverter{inUserNS: inUserNS} + if inUserNS { + return nil, errors.New("specifying OverlayWhiteoutFormat is not allowed in userns") + } + return overlayWhiteoutConverter{}, nil } - return nil + return nil, nil } type overlayWhiteoutConverter struct { - inUserNS bool } func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os.FileInfo) (wo *tar.Header, err error) { @@ -77,13 +74,7 @@ if base == WhiteoutOpaqueDir { err := unix.Setxattr(dir, "trusted.overlay.opaque", []byte{'y'}, 0) if err != nil { - if c.inUserNS { - if err = replaceDirWithOverlayOpaque(dir); err != nil { - return false, errors.Wrapf(err, "replaceDirWithOverlayOpaque(%q) failed", dir) - } - } else { - return false, errors.Wrapf(err, "setxattr(%q, trusted.overlay.opaque=y)", dir) - } + return false, errors.Wrapf(err, "setxattr(%q, trusted.overlay.opaque=y)", dir) } // don't write the file itself return false, err 
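Review bot: getWhiteoutConverter now has three outcomes — a converter, `nil, nil` for other formats, and an error for OverlayWhiteoutFormat inside a user namespace — but it still has no doc comment. Callers have to know that a nil converter with a nil error is a valid result. I would add `// getWhiteoutConverter returns the converter for format, nil when none is needed, or an error when OverlayWhiteoutFormat is requested inside a user namespace.` The now-empty `type overlayWhiteoutConverter struct { }` can also be written as `type overlayWhiteoutConverter struct{}`.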
@@ -95,19 +86,7 @@ originalPath := filepath.Join(dir, originalBase) if err := unix.Mknod(originalPath, unix.S_IFCHR, 0); err != nil { - if c.inUserNS { - // Ubuntu and a few distros support overlayfs in userns. - // - // Although we can't call mknod directly in userns (at least on bionic kernel 4.15), - // we can still create 0,0 char device using mknodChar0Overlay(). - // - // NOTE: we don't need this hack for the containerd snapshotter+unpack model. - if err := mknodChar0Overlay(originalPath); err != nil { - return false, errors.Wrapf(err, "failed to mknodChar0UserNS(%q)", originalPath) - } - } else { - return false, errors.Wrapf(err, "failed to mknod(%q, S_IFCHR, 0)", originalPath) - } + return false, errors.Wrapf(err, "failed to mknod(%q, S_IFCHR, 0)", originalPath) } if err := os.Chown(originalPath, hdr.Uid, hdr.Gid); err != nil { return false, err 
@@ -119,146 +98,3 @@ return true, nil } - -// mknodChar0Overlay creates 0,0 char device by mounting overlayfs and unlinking. -// This function can be used for creating 0,0 char device in userns on Ubuntu. -// -// Steps: -// * Mkdir lower,upper,merged,work -// * Create lower/dummy -// * Mount overlayfs -// * Unlink merged/dummy -// * Unmount overlayfs -// * Make sure a 0,0 char device is created as upper/dummy -// * Rename upper/dummy to cleansedOriginalPath -func mknodChar0Overlay(cleansedOriginalPath string) error { - dir := filepath.Dir(cleansedOriginalPath) - tmp, err := ioutil.TempDir(dir, "mc0o") - if err != nil { - return errors.Wrapf(err, "failed to create a tmp directory under %s", dir) - } - defer os.RemoveAll(tmp) - lower := filepath.Join(tmp, "l") - upper := filepath.Join(tmp, "u") - work := filepath.Join(tmp, "w") - merged := filepath.Join(tmp, "m") - for _, s := range []string{lower, upper, work, merged} { - if err := os.MkdirAll(s, 0700); err != nil { - return errors.Wrapf(err, "failed to mkdir %s", s) - } - } - dummyBase := "d" - lowerDummy := filepath.Join(lower, dummyBase) - if err := ioutil.WriteFile(lowerDummy, []byte{}, 0600); err != nil { - return errors.Wrapf(err, "failed to create a dummy lower file %s", lowerDummy) - } - // lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286 - lowerEscaped := strings.ReplaceAll(lower, ":", "\\:") - mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work) - if err := mount.Mount("overlay", merged, "overlay", mOpts); err != nil { - return err - } - mergedDummy := filepath.Join(merged, dummyBase) - if err := os.Remove(mergedDummy); err != nil { - syscall.Unmount(merged, 0) - return errors.Wrapf(err, "failed to unlink %s", mergedDummy) - } - if err := syscall.Unmount(merged, 0); err != nil { - return errors.Wrapf(err, "failed to unmount %s", merged) - } - upperDummy := filepath.Join(upper, dummyBase) - if err := isChar0(upperDummy); err 
!= nil { - return err - } - if err := os.Rename(upperDummy, cleansedOriginalPath); err != nil { - return errors.Wrapf(err, "failed to rename %s to %s", upperDummy, cleansedOriginalPath) - } - return nil -} - -func isChar0(path string) error { - osStat, err := os.Stat(path) - if err != nil { - return errors.Wrapf(err, "failed to stat %s", path) - } - st, ok := osStat.Sys().(*syscall.Stat_t) - if !ok { - return errors.Errorf("got unsupported stat for %s", path) - } - if os.FileMode(st.Mode)&syscall.S_IFMT != syscall.S_IFCHR { - return errors.Errorf("%s is not a character device, got mode=%d", path, st.Mode) - } - if st.Rdev != 0 { - return errors.Errorf("%s is not a 0,0 character device, got Rdev=%d", path, st.Rdev) - } - return nil -} - -// replaceDirWithOverlayOpaque replaces path with a new directory with trusted.overlay.opaque -// xattr. The contents of the directory are preserved. -func replaceDirWithOverlayOpaque(path string) error { - if path == "/" { - return errors.New("replaceDirWithOverlayOpaque: path must not be \"/\"") - } - dir := filepath.Dir(path) - tmp, err := ioutil.TempDir(dir, "rdwoo") - if err != nil { - return errors.Wrapf(err, "failed to create a tmp directory under %s", dir) - } - defer os.RemoveAll(tmp) - // newPath is a new empty directory crafted with trusted.overlay.opaque xattr. - // we copy the content of path into newPath, remove path, and rename newPath to path. - newPath, err := createDirWithOverlayOpaque(tmp) - if err != nil { - return errors.Wrapf(err, "createDirWithOverlayOpaque(%q) failed", tmp) - } - if err := fs.CopyDir(newPath, path); err != nil { - return errors.Wrapf(err, "CopyDir(%q, %q) failed", newPath, path) - } - if err := os.RemoveAll(path); err != nil { - return err - } - return os.Rename(newPath, path) -} - -// createDirWithOverlayOpaque creates a directory with trusted.overlay.opaque xattr, -// without calling setxattr, so as to allow creating opaque dir in userns on Ubuntu. 
-func createDirWithOverlayOpaque(tmp string) (string, error) { - lower := filepath.Join(tmp, "l") - upper := filepath.Join(tmp, "u") - work := filepath.Join(tmp, "w") - merged := filepath.Join(tmp, "m") - for _, s := range []string{lower, upper, work, merged} { - if err := os.MkdirAll(s, 0700); err != nil { - return "", errors.Wrapf(err, "failed to mkdir %s", s) - } - } - dummyBase := "d" - lowerDummy := filepath.Join(lower, dummyBase) - if err := os.MkdirAll(lowerDummy, 0700); err != nil { - return "", errors.Wrapf(err, "failed to create a dummy lower directory %s", lowerDummy) - } - // lowerdir needs ":" to be escaped: https://github.com/moby/moby/issues/40939#issuecomment-627098286 - lowerEscaped := strings.ReplaceAll(lower, ":", "\\:") - mOpts := fmt.Sprintf("lowerdir=%s,upperdir=%s,workdir=%s", lowerEscaped, upper, work) - if err := mount.Mount("overlay", merged, "overlay", mOpts); err != nil { - return "", err - } - mergedDummy := filepath.Join(merged, dummyBase) - if err := os.Remove(mergedDummy); err != nil { - syscall.Unmount(merged, 0) - return "", errors.Wrapf(err, "failed to rmdir %s", mergedDummy) - } - // upperDummy becomes a 0,0-char device file here - if err := os.Mkdir(mergedDummy, 0700); err != nil { - syscall.Unmount(merged, 0) - return "", errors.Wrapf(err, "failed to mkdir %s", mergedDummy) - } - // upperDummy becomes a directory with trusted.overlay.opaque xattr - // (but can't be verified in userns) - if err := syscall.Unmount(merged, 0); err != nil { - return "", errors.Wrapf(err, "failed to unmount %s", merged) - } - upperDummy := filepath.Join(upper, dummyBase) - return upperDummy, nil -} diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive_other.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive_other.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive_other.go 2021-05-31 09:40:07.000000000 +0000 +++ 
docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive_other.go 2021-11-17 23:49:46.000000000 +0000 @@ -2,6 +2,6 @@ package archive // import "github.com/docker/docker/pkg/archive" -func getWhiteoutConverter(format WhiteoutFormat, inUserNS bool) tarWhiteoutConverter { - return nil +func getWhiteoutConverter(format WhiteoutFormat, inUserNS bool) (tarWhiteoutConverter, error) { + return nil, nil } diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive_unix.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive_unix.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/archive/archive_unix.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/archive/archive_unix.go 2021-11-17 23:49:46.000000000 +0000 @@ -81,11 +81,6 @@ // handleTarTypeBlockCharFifo is an OS-specific helper function used by // createTarFile to handle the following types of header: Block; Char; Fifo func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error { - if sys.RunningInUserNS() { - // cannot create a device if running in user namespace - return nil - } - mode := uint32(hdr.Mode & 07777) switch hdr.Typeflag { case tar.TypeBlock: 
@@ -96,7 +91,12 @@ mode |= unix.S_IFIFO } - return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor))) + err := system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor))) + if errors.Is(err, syscall.EPERM) && sys.RunningInUserNS() { + // In most cases, cannot create a device if running in user namespace + err = nil + } + return err } func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error { diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go 2021-11-17 23:49:46.000000000 +0000 
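Review bot: When Mknod fails with EPERM inside a user namespace the error is cleared and the function returns nil, so the entry is silently absent from the extracted tree. This applies to every type handled here, FIFOs included, not only device nodes. The comment should say so, e.g. `// Best effort in a user namespace: the node is skipped when mknod is not permitted and no error is returned.`, and a debug-level log naming the skipped path would make missing nodes diagnosable. The `errors` and `syscall` imports this relies on are outside the hunk and should be checked; the start of the function is in the preceding hunk.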
@@ -245,38 +245,51 @@ return nil, fmt.Errorf("Could not get user for username %s: %v", name, err) } - uid := strconv.Itoa(usr.Uid) - - subuidRangesWithUserName, err := parseSubuid(name) + subuidRanges, err := lookupSubUIDRanges(usr) if err != nil { return nil, err } - subgidRangesWithUserName, err := parseSubgid(name) + subgidRanges, err := lookupSubGIDRanges(usr) if err != nil { return nil, err } - subuidRangesWithUID, err := parseSubuid(uid) + return &IdentityMapping{ + uids: subuidRanges, + gids: subgidRanges, + }, nil +} + +func lookupSubUIDRanges(usr user.User) ([]IDMap, error) { + rangeList, err := parseSubuid(strconv.Itoa(usr.Uid)) if err != nil { return nil, err } - subgidRangesWithUID, err := parseSubgid(uid) + if len(rangeList) == 0 { + rangeList, err = parseSubuid(usr.Name) + if err != nil { + return nil, err + } + } + if len(rangeList) == 0 { + return nil, errors.Errorf("no subuid ranges found for user %q", usr.Name) + } + return createIDMap(rangeList), nil +} + +func lookupSubGIDRanges(usr user.User) ([]IDMap, error) { + rangeList, err := parseSubgid(strconv.Itoa(usr.Uid)) if err != nil { return nil, err } - - subuidRanges := append(subuidRangesWithUserName, subuidRangesWithUID...) - subgidRanges := append(subgidRangesWithUserName, subgidRangesWithUID...) 
- - if len(subuidRanges) == 0 { - return nil, errors.Errorf("no subuid ranges found for user %q", name) + if len(rangeList) == 0 { + rangeList, err = parseSubgid(usr.Name) + if err != nil { + return nil, err + } } - if len(subgidRanges) == 0 { - return nil, errors.Errorf("no subgid ranges found for user %q", name) + if len(rangeList) == 0 { + return nil, errors.Errorf("no subgid ranges found for user %q", usr.Name) } - - return &IdentityMapping{ - uids: createIDMap(subuidRanges), - gids: createIDMap(subgidRanges), - }, nil + return createIDMap(rangeList), nil } diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/signal/signal.go docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/signal/signal.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/pkg/signal/signal.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/pkg/signal/signal.go 2021-11-17 23:49:46.000000000 +0000 @@ -12,9 +12,16 @@ ) // CatchAll catches all signals and relays them to the specified channel. +// SIGURG is not handled, as it's used by the Go runtime to support +// preemptable system calls. func CatchAll(sigc chan os.Signal) { var handledSigs []os.Signal - for _, s := range SignalMap { + for n, s := range SignalMap { + if n == "URG" { + // Do not handle SIGURG, as in go1.14+, the go runtime issues + // SIGURG as an interrupt to support preemptable system calls on Linux. + continue + } handledSigs = append(handledSigs, s) } signal.Notify(sigc, handledSigs...) diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker/vendor.conf docker.io-20.10.11/cli/vendor/github.com/docker/docker/vendor.conf --- docker.io-20.10.7/cli/vendor/github.com/docker/docker/vendor.conf 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker/vendor.conf 2021-11-17 23:49:46.000000000 +0000 
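Review bot: `lookupSubUIDRanges` and `lookupSubGIDRanges` change which entries win, yet neither helper has a comment stating the new precedence: ranges keyed by the numeric UID are used alone, and the user-name entries are consulted only when the UID lookup returns nothing, where the removed code appended both lists. These ranges become the `uids`/`gids` of the returned `IdentityMapping`, so the rule deserves to be written down, e.g. `// lookupSubUIDRanges returns the subuid ranges for usr, preferring entries keyed by UID and falling back to entries keyed by user name.` The GID helper needs the same comment, with a remark that it also keys on `usr.Uid`. The two bodies differ only in the parse function and one word of the error text, so a single helper taking the parser and a label would keep them from drifting apart. The enclosing function starts above the hunk, so how `usr` is obtained is not visible here.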
@@ -1,5 +1,5 @@ github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109 -github.com/Microsoft/hcsshim 9dcb42f100215f8d375b4a9265e5bba009217a85 # moby branch +github.com/Microsoft/hcsshim 89a9a3b524264d34985f1d48793ab2b2d2e430f6 # moby branch github.com/Microsoft/go-winio 5b44b70ab3ab4d291a7c1d28afe7b4afeced0ed4 # v0.4.15 github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a github.com/golang/gddo 72a348e765d293ed6d1ded7b699591f14d6cd921 @@ -33,7 +33,7 @@ golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb # buildkit -github.com/moby/buildkit 68bb095353c65bc3993fd534c26cf77fe05e61b1 # v0.8 branch +github.com/moby/buildkit 244e8cde639f71a05a1a2e0670bd88e0206ce55c # v0.8.3-3-g244e8cde github.com/tonistiigi/fsutil 0834f99b7b85462efb69b4f571a4fa3ca7da5ac9 github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746 @@ -47,7 +47,7 @@ # libnetwork # When updating, also update LIBNETWORK_COMMIT in hack/dockerfile/install/proxy.installer accordingly -github.com/docker/libnetwork fa125a3512ee0f6187721c88582bf8c4378bd4d7 +github.com/docker/libnetwork 64b7a4574d1426139437d20e81c0b6d391130ec8 github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec @@ -72,7 +72,7 @@ github.com/ugorji/go b4c50a2b199d93b13dc15e78929cfb23bfdf21ab # v1.1.1 github.com/hashicorp/consul 9a9cc9341bb487651a0399e3fc5e1e8a42e62dd9 # v0.5.2 github.com/miekg/dns 6c0c4e6581f8e173cc562c8b3363ab984e4ae071 # v1.1.27 -github.com/ishidawataru/sctp 6e2cb1366111dcf547c13531e3a263a067715847 +github.com/ishidawataru/sctp f2269e66cdee387bd321445d5d300893449805be go.etcd.io/bbolt 232d8fc87f50244f9c808f4745759e08a304c029 # v1.3.5 # get graph and distribution packages 
@@ -142,7 +142,7 @@ github.com/cilium/ebpf 1c8d4c9ef7759622653a1d319284a44652333b28 # cluster -github.com/docker/swarmkit d6592ddefd8a5319aadff74c558b816b1a0b2590 +github.com/docker/swarmkit 17d8d4e4d8bdec33d386e6362d3537fa9493ba00 github.com/gogo/protobuf 5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1 github.com/golang/protobuf 84668698ea25b64748563aa20726db66a6b8d299 # v1.3.5 github.com/cloudflare/cfssl 5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2 diff -Nru docker.io-20.10.7/cli/vendor/github.com/docker/docker-credential-helpers/credentials/version.go docker.io-20.10.11/cli/vendor/github.com/docker/docker-credential-helpers/credentials/version.go --- docker.io-20.10.7/cli/vendor/github.com/docker/docker-credential-helpers/credentials/version.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/docker/docker-credential-helpers/credentials/version.go 2021-11-17 23:49:46.000000000 +0000 @@ -1,4 +1,4 @@ package credentials // Version holds a string describing the current version -const Version = "0.6.3" +const Version = "0.6.4" diff -Nru docker.io-20.10.7/cli/vendor/github.com/moby/term/go.mod docker.io-20.10.11/cli/vendor/github.com/moby/term/go.mod --- docker.io-20.10.7/cli/vendor/github.com/moby/term/go.mod 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/moby/term/go.mod 2021-11-17 23:49:46.000000000 +0000 
@@ -3,10 +3,10 @@ go 1.13 require ( - github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 + github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 github.com/creack/pty v1.1.11 github.com/google/go-cmp v0.4.0 github.com/pkg/errors v0.9.1 // indirect - golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a + golang.org/x/sys v0.0.0-20210616094352-59db8d763f22 gotest.tools/v3 v3.0.2 ) diff -Nru docker.io-20.10.7/cli/vendor/github.com/moby/term/windows/console.go docker.io-20.10.11/cli/vendor/github.com/moby/term/windows/console.go --- docker.io-20.10.7/cli/vendor/github.com/moby/term/windows/console.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/moby/term/windows/console.go 2021-11-17 23:49:46.000000000 +0000 @@ -29,7 +29,7 @@ // IsConsole returns true if the given file descriptor is a Windows Console. // The code assumes that GetConsoleMode will return an error for file descriptors that are not a console. -// Deprecated: use golang.org/x/sys/windows.GetConsoleMode() or golang.org/x/crypto/ssh/terminal.IsTerminal() +// Deprecated: use golang.org/x/sys/windows.GetConsoleMode() or golang.org/x/term.IsTerminal() var IsConsole = isConsole func isConsole(fd uintptr) bool { diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/block.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/block.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/block.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/block.go 2021-11-17 23:49:46.000000000 +0000 @@ -18,8 +18,7 @@ "html" "regexp" "strings" - - "github.com/shurcooL/sanitized_anchor_name" + "unicode" ) const ( @@ -259,7 +258,7 @@ } if end > i { if id == "" && p.extensions&AutoHeadingIDs != 0 { - id = sanitized_anchor_name.Create(string(data[i:end])) + id = SanitizedAnchorName(string(data[i:end])) } block := p.addBlock(Heading, data[i:end]) block.HeadingID = id 
@@ -673,6 +672,7 @@ if beg == 0 || beg >= len(data) { return 0 } + fenceLength := beg - 1 var work bytes.Buffer work.Write([]byte(info)) @@ -706,6 +706,7 @@ if doRender { block := p.addBlock(CodeBlock, work.Bytes()) // TODO: get rid of temp buffer block.IsFenced = true + block.FenceLength = fenceLength finalizeCodeBlock(block) } @@ -1503,7 +1504,7 @@ id := "" if p.extensions&AutoHeadingIDs != 0 { - id = sanitized_anchor_name.Create(string(data[prev:eol])) + id = SanitizedAnchorName(string(data[prev:eol])) } block := p.addBlock(Heading, data[prev:eol]) @@ -1588,3 +1589,24 @@ } return i } + +// SanitizedAnchorName returns a sanitized anchor name for the given text. +// +// It implements the algorithm specified in the package comment. +func SanitizedAnchorName(text string) string { + var anchorName []rune + futureDash := false + for _, r := range text { + switch { + case unicode.IsLetter(r) || unicode.IsNumber(r): + if futureDash && len(anchorName) > 0 { + anchorName = append(anchorName, '-') + } + futureDash = false + anchorName = append(anchorName, unicode.ToLower(r)) + default: + futureDash = true + } + } + return string(anchorName) +} diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/doc.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/doc.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/doc.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/doc.go 2021-11-17 23:49:46.000000000 +0000 
@@ -15,4 +15,32 @@ // // If you're interested in calling Blackfriday from command line, see // https://github.com/russross/blackfriday-tool. +// +// Sanitized Anchor Names +// +// Blackfriday includes an algorithm for creating sanitized anchor names +// corresponding to a given input text. This algorithm is used to create +// anchors for headings when AutoHeadingIDs extension is enabled. The +// algorithm is specified below, so that other packages can create +// compatible anchor names and links to those anchors. +// +// The algorithm iterates over the input text, interpreted as UTF-8, +// one Unicode code point (rune) at a time. All runes that are letters (category L) +// or numbers (category N) are considered valid characters. They are mapped to +// lower case, and included in the output. All other runes are considered +// invalid characters. Invalid characters that precede the first valid character, +// as well as invalid character that follow the last valid character +// are dropped completely. All other sequences of invalid characters +// between two valid characters are replaced with a single dash character '-'. +// +// SanitizedAnchorName exposes this functionality, and can be used to +// create compatible links to the anchor names generated by blackfriday. +// This algorithm is also implemented in a small standalone package at +// github.com/shurcooL/sanitized_anchor_name. It can be useful for clients +// that want a small package and don't need full functionality of blackfriday. package blackfriday + +// NOTE: Keep Sanitized Anchor Name algorithm in sync with package +// github.com/shurcooL/sanitized_anchor_name. +// Otherwise, users of sanitized_anchor_name will get anchor names +// that are incompatible with those generated by blackfriday. 
diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/entities.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/entities.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/entities.go 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/entities.go 2021-11-17 23:49:46.000000000 +0000 
@@ -0,0 +1,2236 @@ +package blackfriday + +// Extracted from https://html.spec.whatwg.org/multipage/entities.json +var entities = map[string]bool{ + "Æ": true, + "Æ": true, + "&": true, + "&": true, + "Á": true, + "Á": true, + "Ă": true, + "Â": true, + "Â": true, + "А": true, + "𝔄": true, + "À": true, + "À": true, + "Α": true, + "Ā": true, + "⩓": true, + "Ą": true, + "𝔸": true, + "⁡": true, + "Å": true, + "Å": true, + "𝒜": true, + "≔": true, + "Ã": true, + "Ã": true, + "Ä": true, + "Ä": true, + "∖": true, + "⫧": true, + "⌆": true, + "Б": true, + "∵": true, + "ℬ": true, + "Β": true, + "𝔅": true, + "𝔹": true, + "˘": true, + "ℬ": true, + "≎": true, + "Ч": true, + "©": true, + "©": true, + "Ć": true, + "⋒": true, + "ⅅ": true, + "ℭ": true, + "Č": true, + "Ç": true, + "Ç": true, + "Ĉ": true, + "∰": true, + "Ċ": true, + "¸": true, + "·": true, + "ℭ": true, + "Χ": true, + "⊙": true, + "⊖": true, + "⊕": true, + "⊗": true, + "∲": true, + "”": true, + "’": true, + "∷": true, + "⩴": true, + "≡": true, + "∯": true, + "∮": true, + "ℂ": true, + "∐": true, + "∳": true, + "⨯": true, + "𝒞": true, + "⋓": true, + "≍": true, + "ⅅ": true, + "⤑": true, + "Ђ": true, + "Ѕ": true, + "Џ": true, + "‡": true, + "↡": true, + "⫤": true, + "Ď": true, + "Д": true, + "∇": true, + "Δ": true, + "𝔇": true, + "´": true, + "˙": true, + "˝": true, + "`": true, + "˜": true, + "⋄": true, + "ⅆ": true, + "𝔻": true, + "¨": true, + "⃜": true, + "≐": true, + "∯": true, + "¨": true, + "⇓": true, + "⇐": true, + "⇔": true, + "⫤": true, + "⟸": true, + "⟺": true, + "⟹": true, + "⇒": true, + "⊨": true, + "⇑": true, + "⇕": true, + "∥": true, + "↓": true, + "⤓": true, + "⇵": true, + "̑": true, + "⥐": true, + "⥞": true, + "↽": true, + "⥖": true, + "⥟": true, + "⇁": true, + "⥗": true, + "⊤": true, + "↧": true, + "⇓": true, + "𝒟": true, + "Đ": true, + "Ŋ": true, + "Ð": true, + "Ð": true, + "É": true, + "É": true, + "Ě": true, + "Ê": true, + "Ê": true, + "Э": true, + "Ė": true, + "𝔈": true, + "È": true, + "È": true, + "∈": 
true, + "Ē": true, + "◻": true, + "▫": true, + "Ę": true, + "𝔼": true, + "Ε": true, + "⩵": true, + "≂": true, + "⇌": true, + "ℰ": true, + "⩳": true, + "Η": true, + "Ë": true, + "Ë": true, + "∃": true, + "ⅇ": true, + "Ф": true, + "𝔉": true, + "◼": true, + "▪": true, + "𝔽": true, + "∀": true, + "ℱ": true, + "ℱ": true, + "Ѓ": true, + ">": true, + ">": true, + "Γ": true, + "Ϝ": true, + "Ğ": true, + "Ģ": true, + "Ĝ": true, + "Г": true, + "Ġ": true, + "𝔊": true, + "⋙": true, + "𝔾": true, + "≥": true, + "⋛": true, + "≧": true, + "⪢": true, + "≷": true, + "⩾": true, + "≳": true, + "𝒢": true, + "≫": true, + "Ъ": true, + "ˇ": true, + "^": true, + "Ĥ": true, + "ℌ": true, + "ℋ": true, + "ℍ": true, + "─": true, + "ℋ": true, + "Ħ": true, + "≎": true, + "≏": true, + "Е": true, + "IJ": true, + "Ё": true, + "Í": true, + "Í": true, + "Î": true, + "Î": true, + "И": true, + "İ": true, + "ℑ": true, + "Ì": true, + "Ì": true, + "ℑ": true, + "Ī": true, + "ⅈ": true, + "⇒": true, + "∬": true, + "∫": true, + "⋂": true, + "⁣": true, + "⁢": true, + "Į": true, + "𝕀": true, + "Ι": true, + "ℐ": true, + "Ĩ": true, + "І": true, + "Ï": true, + "Ï": true, + "Ĵ": true, + "Й": true, + "𝔍": true, + "𝕁": true, + "𝒥": true, + "Ј": true, + "Є": true, + "Х": true, + "Ќ": true, + "Κ": true, + "Ķ": true, + "К": true, + "𝔎": true, + "𝕂": true, + "𝒦": true, + "Љ": true, + "<": true, + "<": true, + "Ĺ": true, + "Λ": true, + "⟪": true, + "ℒ": true, + "↞": true, + "Ľ": true, + "Ļ": true, + "Л": true, + "⟨": true, + "←": true, + "⇤": true, + "⇆": true, + "⌈": true, + "⟦": true, + "⥡": true, + "⇃": true, + "⥙": true, + "⌊": true, + "↔": true, + "⥎": true, + "⊣": true, + "↤": true, + "⥚": true, + "⊲": true, + "⧏": true, + "⊴": true, + "⥑": true, + "⥠": true, + "↿": true, + "⥘": true, + "↼": true, + "⥒": true, + "⇐": true, + "⇔": true, + "⋚": true, + "≦": true, + "≶": true, + "⪡": true, + "⩽": true, + "≲": true, + "𝔏": true, + "⋘": true, + "⇚": true, + "Ŀ": true, + "⟵": true, + "⟷": true, + "⟶": true, + "⟸": true, + 
"⟺": true, + "⟹": true, + "𝕃": true, + "↙": true, + "↘": true, + "ℒ": true, + "↰": true, + "Ł": true, + "≪": true, + "⤅": true, + "М": true, + " ": true, + "ℳ": true, + "𝔐": true, + "∓": true, + "𝕄": true, + "ℳ": true, + "Μ": true, + "Њ": true, + "Ń": true, + "Ň": true, + "Ņ": true, + "Н": true, + "​": true, + "​": true, + "​": true, + "​": true, + "≫": true, + "≪": true, + " ": true, + "𝔑": true, + "⁠": true, + " ": true, + "ℕ": true, + "⫬": true, + "≢": true, + "≭": true, + "∦": true, + "∉": true, + "≠": true, + "≂̸": true, + "∄": true, + "≯": true, + "≱": true, + "≧̸": true, + "≫̸": true, + "≹": true, + "⩾̸": true, + "≵": true, + "≎̸": true, + "≏̸": true, + "⋪": true, + "⧏̸": true, + "⋬": true, + "≮": true, + "≰": true, + "≸": true, + "≪̸": true, + "⩽̸": true, + "≴": true, + "⪢̸": true, + "⪡̸": true, + "⊀": true, + "⪯̸": true, + "⋠": true, + "∌": true, + "⋫": true, + "⧐̸": true, + "⋭": true, + "⊏̸": true, + "⋢": true, + "⊐̸": true, + "⋣": true, + "⊂⃒": true, + "⊈": true, + "⊁": true, + "⪰̸": true, + "⋡": true, + "≿̸": true, + "⊃⃒": true, + "⊉": true, + "≁": true, + "≄": true, + "≇": true, + "≉": true, + "∤": true, + "𝒩": true, + "Ñ": true, + "Ñ": true, + "Ν": true, + "Œ": true, + "Ó": true, + "Ó": true, + "Ô": true, + "Ô": true, + "О": true, + "Ő": true, + "𝔒": true, + "Ò": true, + "Ò": true, + "Ō": true, + "Ω": true, + "Ο": true, + "𝕆": true, + "“": true, + "‘": true, + "⩔": true, + "𝒪": true, + "Ø": true, + "Ø": true, + "Õ": true, + "Õ": true, + "⨷": true, + "Ö": true, + "Ö": true, + "‾": true, + "⏞": true, + "⎴": true, + "⏜": true, + "∂": true, + "П": true, + "𝔓": true, + "Φ": true, + "Π": true, + "±": true, + "ℌ": true, + "ℙ": true, + "⪻": true, + "≺": true, + "⪯": true, + "≼": true, + "≾": true, + "″": true, + "∏": true, + "∷": true, + "∝": true, + "𝒫": true, + "Ψ": true, + """: true, + """: true, + "𝔔": true, + "ℚ": true, + "𝒬": true, + "⤐": true, + "®": true, + "®": true, + "Ŕ": true, + "⟫": true, + "↠": true, + "⤖": true, + "Ř": true, + "Ŗ": true, + "Р": 
true, + "ℜ": true, + "∋": true, + "⇋": true, + "⥯": true, + "ℜ": true, + "Ρ": true, + "⟩": true, + "→": true, + "⇥": true, + "⇄": true, + "⌉": true, + "⟧": true, + "⥝": true, + "⇂": true, + "⥕": true, + "⌋": true, + "⊢": true, + "↦": true, + "⥛": true, + "⊳": true, + "⧐": true, + "⊵": true, + "⥏": true, + "⥜": true, + "↾": true, + "⥔": true, + "⇀": true, + "⥓": true, + "⇒": true, + "ℝ": true, + "⥰": true, + "⇛": true, + "ℛ": true, + "↱": true, + "⧴": true, + "Щ": true, + "Ш": true, + "Ь": true, + "Ś": true, + "⪼": true, + "Š": true, + "Ş": true, + "Ŝ": true, + "С": true, + "𝔖": true, + "↓": true, + "←": true, + "→": true, + "↑": true, + "Σ": true, + "∘": true, + "𝕊": true, + "√": true, + "□": true, + "⊓": true, + "⊏": true, + "⊑": true, + "⊐": true, + "⊒": true, + "⊔": true, + "𝒮": true, + "⋆": true, + "⋐": true, + "⋐": true, + "⊆": true, + "≻": true, + "⪰": true, + "≽": true, + "≿": true, + "∋": true, + "∑": true, + "⋑": true, + "⊃": true, + "⊇": true, + "⋑": true, + "Þ": true, + "Þ": true, + "™": true, + "Ћ": true, + "Ц": true, + " ": true, + "Τ": true, + "Ť": true, + "Ţ": true, + "Т": true, + "𝔗": true, + "∴": true, + "Θ": true, + "  ": true, + " ": true, + "∼": true, + "≃": true, + "≅": true, + "≈": true, + "𝕋": true, + "⃛": true, + "𝒯": true, + "Ŧ": true, + "Ú": true, + "Ú": true, + "↟": true, + "⥉": true, + "Ў": true, + "Ŭ": true, + "Û": true, + "Û": true, + "У": true, + "Ű": true, + "𝔘": true, + "Ù": true, + "Ù": true, + "Ū": true, + "_": true, + "⏟": true, + "⎵": true, + "⏝": true, + "⋃": true, + "⊎": true, + "Ų": true, + "𝕌": true, + "↑": true, + "⤒": true, + "⇅": true, + "↕": true, + "⥮": true, + "⊥": true, + "↥": true, + "⇑": true, + "⇕": true, + "↖": true, + "↗": true, + "ϒ": true, + "Υ": true, + "Ů": true, + "𝒰": true, + "Ũ": true, + "Ü": true, + "Ü": true, + "⊫": true, + "⫫": true, + "В": true, + "⊩": true, + "⫦": true, + "⋁": true, + "‖": true, + "‖": true, + "∣": true, + "|": true, + "❘": true, + "≀": true, + " ": true, + "𝔙": true, + "𝕍": true, + 
"𝒱": true, + "⊪": true, + "Ŵ": true, + "⋀": true, + "𝔚": true, + "𝕎": true, + "𝒲": true, + "𝔛": true, + "Ξ": true, + "𝕏": true, + "𝒳": true, + "Я": true, + "Ї": true, + "Ю": true, + "Ý": true, + "Ý": true, + "Ŷ": true, + "Ы": true, + "𝔜": true, + "𝕐": true, + "𝒴": true, + "Ÿ": true, + "Ж": true, + "Ź": true, + "Ž": true, + "З": true, + "Ż": true, + "​": true, + "Ζ": true, + "ℨ": true, + "ℤ": true, + "𝒵": true, + "á": true, + "á": true, + "ă": true, + "∾": true, + "∾̳": true, + "∿": true, + "â": true, + "â": true, + "´": true, + "´": true, + "а": true, + "æ": true, + "æ": true, + "⁡": true, + "𝔞": true, + "à": true, + "à": true, + "ℵ": true, + "ℵ": true, + "α": true, + "ā": true, + "⨿": true, + "&": true, + "&": true, + "∧": true, + "⩕": true, + "⩜": true, + "⩘": true, + "⩚": true, + "∠": true, + "⦤": true, + "∠": true, + "∡": true, + "⦨": true, + "⦩": true, + "⦪": true, + "⦫": true, + "⦬": true, + "⦭": true, + "⦮": true, + "⦯": true, + "∟": true, + "⊾": true, + "⦝": true, + "∢": true, + "Å": true, + "⍼": true, + "ą": true, + "𝕒": true, + "≈": true, + "⩰": true, + "⩯": true, + "≊": true, + "≋": true, + "'": true, + "≈": true, + "≊": true, + "å": true, + "å": true, + "𝒶": true, + "*": true, + "≈": true, + "≍": true, + "ã": true, + "ã": true, + "ä": true, + "ä": true, + "∳": true, + "⨑": true, + "⫭": true, + "≌": true, + "϶": true, + "‵": true, + "∽": true, + "⋍": true, + "⊽": true, + "⌅": true, + "⌅": true, + "⎵": true, + "⎶": true, + "≌": true, + "б": true, + "„": true, + "∵": true, + "∵": true, + "⦰": true, + "϶": true, + "ℬ": true, + "β": true, + "ℶ": true, + "≬": true, + "𝔟": true, + "⋂": true, + "◯": true, + "⋃": true, + "⨀": true, + "⨁": true, + "⨂": true, + "⨆": true, + "★": true, + "▽": true, + "△": true, + "⨄": true, + "⋁": true, + "⋀": true, + "⤍": true, + "⧫": true, + "▪": true, + "▴": true, + "▾": true, + "◂": true, + "▸": true, + "␣": true, + "▒": true, + "░": true, + "▓": true, + "█": true, + "=⃥": true, + "≡⃥": true, + "⌐": true, + "𝕓": true, + "⊥": 
true, + "⊥": true, + "⋈": true, + "╗": true, + "╔": true, + "╖": true, + "╓": true, + "═": true, + "╦": true, + "╩": true, + "╤": true, + "╧": true, + "╝": true, + "╚": true, + "╜": true, + "╙": true, + "║": true, + "╬": true, + "╣": true, + "╠": true, + "╫": true, + "╢": true, + "╟": true, + "⧉": true, + "╕": true, + "╒": true, + "┐": true, + "┌": true, + "─": true, + "╥": true, + "╨": true, + "┬": true, + "┴": true, + "⊟": true, + "⊞": true, + "⊠": true, + "╛": true, + "╘": true, + "┘": true, + "└": true, + "│": true, + "╪": true, + "╡": true, + "╞": true, + "┼": true, + "┤": true, + "├": true, + "‵": true, + "˘": true, + "¦": true, + "¦": true, + "𝒷": true, + "⁏": true, + "∽": true, + "⋍": true, + "\": true, + "⧅": true, + "⟈": true, + "•": true, + "•": true, + "≎": true, + "⪮": true, + "≏": true, + "≏": true, + "ć": true, + "∩": true, + "⩄": true, + "⩉": true, + "⩋": true, + "⩇": true, + "⩀": true, + "∩︀": true, + "⁁": true, + "ˇ": true, + "⩍": true, + "č": true, + "ç": true, + "ç": true, + "ĉ": true, + "⩌": true, + "⩐": true, + "ċ": true, + "¸": true, + "¸": true, + "⦲": true, + "¢": true, + "¢": true, + "·": true, + "𝔠": true, + "ч": true, + "✓": true, + "✓": true, + "χ": true, + "○": true, + "⧃": true, + "ˆ": true, + "≗": true, + "↺": true, + "↻": true, + "®": true, + "Ⓢ": true, + "⊛": true, + "⊚": true, + "⊝": true, + "≗": true, + "⨐": true, + "⫯": true, + "⧂": true, + "♣": true, + "♣": true, + ":": true, + "≔": true, + "≔": true, + ",": true, + "@": true, + "∁": true, + "∘": true, + "∁": true, + "ℂ": true, + "≅": true, + "⩭": true, + "∮": true, + "𝕔": true, + "∐": true, + "©": true, + "©": true, + "℗": true, + "↵": true, + "✗": true, + "𝒸": true, + "⫏": true, + "⫑": true, + "⫐": true, + "⫒": true, + "⋯": true, + "⤸": true, + "⤵": true, + "⋞": true, + "⋟": true, + "↶": true, + "⤽": true, + "∪": true, + "⩈": true, + "⩆": true, + "⩊": true, + "⊍": true, + "⩅": true, + "∪︀": true, + "↷": true, + "⤼": true, + "⋞": true, + "⋟": true, + "⋎": true, + "⋏": true, + 
"¤": true, + "¤": true, + "↶": true, + "↷": true, + "⋎": true, + "⋏": true, + "∲": true, + "∱": true, + "⌭": true, + "⇓": true, + "⥥": true, + "†": true, + "ℸ": true, + "↓": true, + "‐": true, + "⊣": true, + "⤏": true, + "˝": true, + "ď": true, + "д": true, + "ⅆ": true, + "‡": true, + "⇊": true, + "⩷": true, + "°": true, + "°": true, + "δ": true, + "⦱": true, + "⥿": true, + "𝔡": true, + "⇃": true, + "⇂": true, + "⋄": true, + "⋄": true, + "♦": true, + "♦": true, + "¨": true, + "ϝ": true, + "⋲": true, + "÷": true, + "÷": true, + "÷": true, + "⋇": true, + "⋇": true, + "ђ": true, + "⌞": true, + "⌍": true, + "$": true, + "𝕕": true, + "˙": true, + "≐": true, + "≑": true, + "∸": true, + "∔": true, + "⊡": true, + "⌆": true, + "↓": true, + "⇊": true, + "⇃": true, + "⇂": true, + "⤐": true, + "⌟": true, + "⌌": true, + "𝒹": true, + "ѕ": true, + "⧶": true, + "đ": true, + "⋱": true, + "▿": true, + "▾": true, + "⇵": true, + "⥯": true, + "⦦": true, + "џ": true, + "⟿": true, + "⩷": true, + "≑": true, + "é": true, + "é": true, + "⩮": true, + "ě": true, + "≖": true, + "ê": true, + "ê": true, + "≕": true, + "э": true, + "ė": true, + "ⅇ": true, + "≒": true, + "𝔢": true, + "⪚": true, + "è": true, + "è": true, + "⪖": true, + "⪘": true, + "⪙": true, + "⏧": true, + "ℓ": true, + "⪕": true, + "⪗": true, + "ē": true, + "∅": true, + "∅": true, + "∅": true, + " ": true, + " ": true, + " ": true, + "ŋ": true, + " ": true, + "ę": true, + "𝕖": true, + "⋕": true, + "⧣": true, + "⩱": true, + "ε": true, + "ε": true, + "ϵ": true, + "≖": true, + "≕": true, + "≂": true, + "⪖": true, + "⪕": true, + "=": true, + "≟": true, + "≡": true, + "⩸": true, + "⧥": true, + "≓": true, + "⥱": true, + "ℯ": true, + "≐": true, + "≂": true, + "η": true, + "ð": true, + "ð": true, + "ë": true, + "ë": true, + "€": true, + "!": true, + "∃": true, + "ℰ": true, + "ⅇ": true, + "≒": true, + "ф": true, + "♀": true, + "ffi": true, + "ff": true, + "ffl": true, + "𝔣": true, + "fi": true, + "fj": true, + "♭": true, + "fl": true, + 
"▱": true, + "ƒ": true, + "𝕗": true, + "∀": true, + "⋔": true, + "⫙": true, + "⨍": true, + "½": true, + "½": true, + "⅓": true, + "¼": true, + "¼": true, + "⅕": true, + "⅙": true, + "⅛": true, + "⅔": true, + "⅖": true, + "¾": true, + "¾": true, + "⅗": true, + "⅜": true, + "⅘": true, + "⅚": true, + "⅝": true, + "⅞": true, + "⁄": true, + "⌢": true, + "𝒻": true, + "≧": true, + "⪌": true, + "ǵ": true, + "γ": true, + "ϝ": true, + "⪆": true, + "ğ": true, + "ĝ": true, + "г": true, + "ġ": true, + "≥": true, + "⋛": true, + "≥": true, + "≧": true, + "⩾": true, + "⩾": true, + "⪩": true, + "⪀": true, + "⪂": true, + "⪄": true, + "⋛︀": true, + "⪔": true, + "𝔤": true, + "≫": true, + "⋙": true, + "ℷ": true, + "ѓ": true, + "≷": true, + "⪒": true, + "⪥": true, + "⪤": true, + "≩": true, + "⪊": true, + "⪊": true, + "⪈": true, + "⪈": true, + "≩": true, + "⋧": true, + "𝕘": true, + "`": true, + "ℊ": true, + "≳": true, + "⪎": true, + "⪐": true, + ">": true, + ">": true, + "⪧": true, + "⩺": true, + "⋗": true, + "⦕": true, + "⩼": true, + "⪆": true, + "⥸": true, + "⋗": true, + "⋛": true, + "⪌": true, + "≷": true, + "≳": true, + "≩︀": true, + "≩︀": true, + "⇔": true, + " ": true, + "½": true, + "ℋ": true, + "ъ": true, + "↔": true, + "⥈": true, + "↭": true, + "ℏ": true, + "ĥ": true, + "♥": true, + "♥": true, + "…": true, + "⊹": true, + "𝔥": true, + "⤥": true, + "⤦": true, + "⇿": true, + "∻": true, + "↩": true, + "↪": true, + "𝕙": true, + "―": true, + "𝒽": true, + "ℏ": true, + "ħ": true, + "⁃": true, + "‐": true, + "í": true, + "í": true, + "⁣": true, + "î": true, + "î": true, + "и": true, + "е": true, + "¡": true, + "¡": true, + "⇔": true, + "𝔦": true, + "ì": true, + "ì": true, + "ⅈ": true, + "⨌": true, + "∭": true, + "⧜": true, + "℩": true, + "ij": true, + "ī": true, + "ℑ": true, + "ℐ": true, + "ℑ": true, + "ı": true, + "⊷": true, + "Ƶ": true, + "∈": true, + "℅": true, + "∞": true, + "⧝": true, + "ı": true, + "∫": true, + "⊺": true, + "ℤ": true, + "⊺": true, + "⨗": true, + "⨼": true, + "ё": 
true, + "į": true, + "𝕚": true, + "ι": true, + "⨼": true, + "¿": true, + "¿": true, + "𝒾": true, + "∈": true, + "⋹": true, + "⋵": true, + "⋴": true, + "⋳": true, + "∈": true, + "⁢": true, + "ĩ": true, + "і": true, + "ï": true, + "ï": true, + "ĵ": true, + "й": true, + "𝔧": true, + "ȷ": true, + "𝕛": true, + "𝒿": true, + "ј": true, + "є": true, + "κ": true, + "ϰ": true, + "ķ": true, + "к": true, + "𝔨": true, + "ĸ": true, + "х": true, + "ќ": true, + "𝕜": true, + "𝓀": true, + "⇚": true, + "⇐": true, + "⤛": true, + "⤎": true, + "≦": true, + "⪋": true, + "⥢": true, + "ĺ": true, + "⦴": true, + "ℒ": true, + "λ": true, + "⟨": true, + "⦑": true, + "⟨": true, + "⪅": true, + "«": true, + "«": true, + "←": true, + "⇤": true, + "⤟": true, + "⤝": true, + "↩": true, + "↫": true, + "⤹": true, + "⥳": true, + "↢": true, + "⪫": true, + "⤙": true, + "⪭": true, + "⪭︀": true, + "⤌": true, + "❲": true, + "{": true, + "[": true, + "⦋": true, + "⦏": true, + "⦍": true, + "ľ": true, + "ļ": true, + "⌈": true, + "{": true, + "л": true, + "⤶": true, + "“": true, + "„": true, + "⥧": true, + "⥋": true, + "↲": true, + "≤": true, + "←": true, + "↢": true, + "↽": true, + "↼": true, + "⇇": true, + "↔": true, + "⇆": true, + "⇋": true, + "↭": true, + "⋋": true, + "⋚": true, + "≤": true, + "≦": true, + "⩽": true, + "⩽": true, + "⪨": true, + "⩿": true, + "⪁": true, + "⪃": true, + "⋚︀": true, + "⪓": true, + "⪅": true, + "⋖": true, + "⋚": true, + "⪋": true, + "≶": true, + "≲": true, + "⥼": true, + "⌊": true, + "𝔩": true, + "≶": true, + "⪑": true, + "↽": true, + "↼": true, + "⥪": true, + "▄": true, + "љ": true, + "≪": true, + "⇇": true, + "⌞": true, + "⥫": true, + "◺": true, + "ŀ": true, + "⎰": true, + "⎰": true, + "≨": true, + "⪉": true, + "⪉": true, + "⪇": true, + "⪇": true, + "≨": true, + "⋦": true, + "⟬": true, + "⇽": true, + "⟦": true, + "⟵": true, + "⟷": true, + "⟼": true, + "⟶": true, + "↫": true, + "↬": true, + "⦅": true, + "𝕝": true, + "⨭": true, + "⨴": true, + "∗": true, + "_": true, + "◊": true, + 
"◊": true, + "⧫": true, + "(": true, + "⦓": true, + "⇆": true, + "⌟": true, + "⇋": true, + "⥭": true, + "‎": true, + "⊿": true, + "‹": true, + "𝓁": true, + "↰": true, + "≲": true, + "⪍": true, + "⪏": true, + "[": true, + "‘": true, + "‚": true, + "ł": true, + "<": true, + "<": true, + "⪦": true, + "⩹": true, + "⋖": true, + "⋋": true, + "⋉": true, + "⥶": true, + "⩻": true, + "⦖": true, + "◃": true, + "⊴": true, + "◂": true, + "⥊": true, + "⥦": true, + "≨︀": true, + "≨︀": true, + "∺": true, + "¯": true, + "¯": true, + "♂": true, + "✠": true, + "✠": true, + "↦": true, + "↦": true, + "↧": true, + "↤": true, + "↥": true, + "▮": true, + "⨩": true, + "м": true, + "—": true, + "∡": true, + "𝔪": true, + "℧": true, + "µ": true, + "µ": true, + "∣": true, + "*": true, + "⫰": true, + "·": true, + "·": true, + "−": true, + "⊟": true, + "∸": true, + "⨪": true, + "⫛": true, + "…": true, + "∓": true, + "⊧": true, + "𝕞": true, + "∓": true, + "𝓂": true, + "∾": true, + "μ": true, + "⊸": true, + "⊸": true, + "⋙̸": true, + "≫⃒": true, + "≫̸": true, + "⇍": true, + "⇎": true, + "⋘̸": true, + "≪⃒": true, + "≪̸": true, + "⇏": true, + "⊯": true, + "⊮": true, + "∇": true, + "ń": true, + "∠⃒": true, + "≉": true, + "⩰̸": true, + "≋̸": true, + "ʼn": true, + "≉": true, + "♮": true, + "♮": true, + "ℕ": true, + " ": true, + " ": true, + "≎̸": true, + "≏̸": true, + "⩃": true, + "ň": true, + "ņ": true, + "≇": true, + "⩭̸": true, + "⩂": true, + "н": true, + "–": true, + "≠": true, + "⇗": true, + "⤤": true, + "↗": true, + "↗": true, + "≐̸": true, + "≢": true, + "⤨": true, + "≂̸": true, + "∄": true, + "∄": true, + "𝔫": true, + "≧̸": true, + "≱": true, + "≱": true, + "≧̸": true, + "⩾̸": true, + "⩾̸": true, + "≵": true, + "≯": true, + "≯": true, + "⇎": true, + "↮": true, + "⫲": true, + "∋": true, + "⋼": true, + "⋺": true, + "∋": true, + "њ": true, + "⇍": true, + "≦̸": true, + "↚": true, + "‥": true, + "≰": true, + "↚": true, + "↮": true, + "≰": true, + "≦̸": true, + "⩽̸": true, + "⩽̸": true, + "≮": true, 
+ "≴": true, + "≮": true, + "⋪": true, + "⋬": true, + "∤": true, + "𝕟": true, + "¬": true, + "¬": true, + "∉": true, + "⋹̸": true, + "⋵̸": true, + "∉": true, + "⋷": true, + "⋶": true, + "∌": true, + "∌": true, + "⋾": true, + "⋽": true, + "∦": true, + "∦": true, + "⫽⃥": true, + "∂̸": true, + "⨔": true, + "⊀": true, + "⋠": true, + "⪯̸": true, + "⊀": true, + "⪯̸": true, + "⇏": true, + "↛": true, + "⤳̸": true, + "↝̸": true, + "↛": true, + "⋫": true, + "⋭": true, + "⊁": true, + "⋡": true, + "⪰̸": true, + "𝓃": true, + "∤": true, + "∦": true, + "≁": true, + "≄": true, + "≄": true, + "∤": true, + "∦": true, + "⋢": true, + "⋣": true, + "⊄": true, + "⫅̸": true, + "⊈": true, + "⊂⃒": true, + "⊈": true, + "⫅̸": true, + "⊁": true, + "⪰̸": true, + "⊅": true, + "⫆̸": true, + "⊉": true, + "⊃⃒": true, + "⊉": true, + "⫆̸": true, + "≹": true, + "ñ": true, + "ñ": true, + "≸": true, + "⋪": true, + "⋬": true, + "⋫": true, + "⋭": true, + "ν": true, + "#": true, + "№": true, + " ": true, + "⊭": true, + "⤄": true, + "≍⃒": true, + "⊬": true, + "≥⃒": true, + ">⃒": true, + "⧞": true, + "⤂": true, + "≤⃒": true, + "<⃒": true, + "⊴⃒": true, + "⤃": true, + "⊵⃒": true, + "∼⃒": true, + "⇖": true, + "⤣": true, + "↖": true, + "↖": true, + "⤧": true, + "Ⓢ": true, + "ó": true, + "ó": true, + "⊛": true, + "⊚": true, + "ô": true, + "ô": true, + "о": true, + "⊝": true, + "ő": true, + "⨸": true, + "⊙": true, + "⦼": true, + "œ": true, + "⦿": true, + "𝔬": true, + "˛": true, + "ò": true, + "ò": true, + "⧁": true, + "⦵": true, + "Ω": true, + "∮": true, + "↺": true, + "⦾": true, + "⦻": true, + "‾": true, + "⧀": true, + "ō": true, + "ω": true, + "ο": true, + "⦶": true, + "⊖": true, + "𝕠": true, + "⦷": true, + "⦹": true, + "⊕": true, + "∨": true, + "↻": true, + "⩝": true, + "ℴ": true, + "ℴ": true, + "ª": true, + "ª": true, + "º": true, + "º": true, + "⊶": true, + "⩖": true, + "⩗": true, + "⩛": true, + "ℴ": true, + "ø": true, + "ø": true, + "⊘": true, + "õ": true, + "õ": true, + "⊗": true, + "⨶": true, + "ö": true, 
+ "ö": true, + "⌽": true, + "∥": true, + "¶": true, + "¶": true, + "∥": true, + "⫳": true, + "⫽": true, + "∂": true, + "п": true, + "%": true, + ".": true, + "‰": true, + "⊥": true, + "‱": true, + "𝔭": true, + "φ": true, + "ϕ": true, + "ℳ": true, + "☎": true, + "π": true, + "⋔": true, + "ϖ": true, + "ℏ": true, + "ℎ": true, + "ℏ": true, + "+": true, + "⨣": true, + "⊞": true, + "⨢": true, + "∔": true, + "⨥": true, + "⩲": true, + "±": true, + "±": true, + "⨦": true, + "⨧": true, + "±": true, + "⨕": true, + "𝕡": true, + "£": true, + "£": true, + "≺": true, + "⪳": true, + "⪷": true, + "≼": true, + "⪯": true, + "≺": true, + "⪷": true, + "≼": true, + "⪯": true, + "⪹": true, + "⪵": true, + "⋨": true, + "≾": true, + "′": true, + "ℙ": true, + "⪵": true, + "⪹": true, + "⋨": true, + "∏": true, + "⌮": true, + "⌒": true, + "⌓": true, + "∝": true, + "∝": true, + "≾": true, + "⊰": true, + "𝓅": true, + "ψ": true, + " ": true, + "𝔮": true, + "⨌": true, + "𝕢": true, + "⁗": true, + "𝓆": true, + "ℍ": true, + "⨖": true, + "?": true, + "≟": true, + """: true, + """: true, + "⇛": true, + "⇒": true, + "⤜": true, + "⤏": true, + "⥤": true, + "∽̱": true, + "ŕ": true, + "√": true, + "⦳": true, + "⟩": true, + "⦒": true, + "⦥": true, + "⟩": true, + "»": true, + "»": true, + "→": true, + "⥵": true, + "⇥": true, + "⤠": true, + "⤳": true, + "⤞": true, + "↪": true, + "↬": true, + "⥅": true, + "⥴": true, + "↣": true, + "↝": true, + "⤚": true, + "∶": true, + "ℚ": true, + "⤍": true, + "❳": true, + "}": true, + "]": true, + "⦌": true, + "⦎": true, + "⦐": true, + "ř": true, + "ŗ": true, + "⌉": true, + "}": true, + "р": true, + "⤷": true, + "⥩": true, + "”": true, + "”": true, + "↳": true, + "ℜ": true, + "ℛ": true, + "ℜ": true, + "ℝ": true, + "▭": true, + "®": true, + "®": true, + "⥽": true, + "⌋": true, + "𝔯": true, + "⇁": true, + "⇀": true, + "⥬": true, + "ρ": true, + "ϱ": true, + "→": true, + "↣": true, + "⇁": true, + "⇀": true, + "⇄": true, + "⇌": true, + "⇉": true, + "↝": true, + "⋌": true, + "˚": 
true, + "≓": true, + "⇄": true, + "⇌": true, + "‏": true, + "⎱": true, + "⎱": true, + "⫮": true, + "⟭": true, + "⇾": true, + "⟧": true, + "⦆": true, + "𝕣": true, + "⨮": true, + "⨵": true, + ")": true, + "⦔": true, + "⨒": true, + "⇉": true, + "›": true, + "𝓇": true, + "↱": true, + "]": true, + "’": true, + "’": true, + "⋌": true, + "⋊": true, + "▹": true, + "⊵": true, + "▸": true, + "⧎": true, + "⥨": true, + "℞": true, + "ś": true, + "‚": true, + "≻": true, + "⪴": true, + "⪸": true, + "š": true, + "≽": true, + "⪰": true, + "ş": true, + "ŝ": true, + "⪶": true, + "⪺": true, + "⋩": true, + "⨓": true, + "≿": true, + "с": true, + "⋅": true, + "⊡": true, + "⩦": true, + "⇘": true, + "⤥": true, + "↘": true, + "↘": true, + "§": true, + "§": true, + ";": true, + "⤩": true, + "∖": true, + "∖": true, + "✶": true, + "𝔰": true, + "⌢": true, + "♯": true, + "щ": true, + "ш": true, + "∣": true, + "∥": true, + "­": true, + "­": true, + "σ": true, + "ς": true, + "ς": true, + "∼": true, + "⩪": true, + "≃": true, + "≃": true, + "⪞": true, + "⪠": true, + "⪝": true, + "⪟": true, + "≆": true, + "⨤": true, + "⥲": true, + "←": true, + "∖": true, + "⨳": true, + "⧤": true, + "∣": true, + "⌣": true, + "⪪": true, + "⪬": true, + "⪬︀": true, + "ь": true, + "/": true, + "⧄": true, + "⌿": true, + "𝕤": true, + "♠": true, + "♠": true, + "∥": true, + "⊓": true, + "⊓︀": true, + "⊔": true, + "⊔︀": true, + "⊏": true, + "⊑": true, + "⊏": true, + "⊑": true, + "⊐": true, + "⊒": true, + "⊐": true, + "⊒": true, + "□": true, + "□": true, + "▪": true, + "▪": true, + "→": true, + "𝓈": true, + "∖": true, + "⌣": true, + "⋆": true, + "☆": true, + "★": true, + "ϵ": true, + "ϕ": true, + "¯": true, + "⊂": true, + "⫅": true, + "⪽": true, + "⊆": true, + "⫃": true, + "⫁": true, + "⫋": true, + "⊊": true, + "⪿": true, + "⥹": true, + "⊂": true, + "⊆": true, + "⫅": true, + "⊊": true, + "⫋": true, + "⫇": true, + "⫕": true, + "⫓": true, + "≻": true, + "⪸": true, + "≽": true, + "⪰": true, + "⪺": true, + "⪶": true, + "⋩": true, + 
"≿": true, + "∑": true, + "♪": true, + "¹": true, + "¹": true, + "²": true, + "²": true, + "³": true, + "³": true, + "⊃": true, + "⫆": true, + "⪾": true, + "⫘": true, + "⊇": true, + "⫄": true, + "⟉": true, + "⫗": true, + "⥻": true, + "⫂": true, + "⫌": true, + "⊋": true, + "⫀": true, + "⊃": true, + "⊇": true, + "⫆": true, + "⊋": true, + "⫌": true, + "⫈": true, + "⫔": true, + "⫖": true, + "⇙": true, + "⤦": true, + "↙": true, + "↙": true, + "⤪": true, + "ß": true, + "ß": true, + "⌖": true, + "τ": true, + "⎴": true, + "ť": true, + "ţ": true, + "т": true, + "⃛": true, + "⌕": true, + "𝔱": true, + "∴": true, + "∴": true, + "θ": true, + "ϑ": true, + "ϑ": true, + "≈": true, + "∼": true, + " ": true, + "≈": true, + "∼": true, + "þ": true, + "þ": true, + "˜": true, + "×": true, + "×": true, + "⊠": true, + "⨱": true, + "⨰": true, + "∭": true, + "⤨": true, + "⊤": true, + "⌶": true, + "⫱": true, + "𝕥": true, + "⫚": true, + "⤩": true, + "‴": true, + "™": true, + "▵": true, + "▿": true, + "◃": true, + "⊴": true, + "≜": true, + "▹": true, + "⊵": true, + "◬": true, + "≜": true, + "⨺": true, + "⨹": true, + "⧍": true, + "⨻": true, + "⏢": true, + "𝓉": true, + "ц": true, + "ћ": true, + "ŧ": true, + "≬": true, + "↞": true, + "↠": true, + "⇑": true, + "⥣": true, + "ú": true, + "ú": true, + "↑": true, + "ў": true, + "ŭ": true, + "û": true, + "û": true, + "у": true, + "⇅": true, + "ű": true, + "⥮": true, + "⥾": true, + "𝔲": true, + "ù": true, + "ù": true, + "↿": true, + "↾": true, + "▀": true, + "⌜": true, + "⌜": true, + "⌏": true, + "◸": true, + "ū": true, + "¨": true, + "¨": true, + "ų": true, + "𝕦": true, + "↑": true, + "↕": true, + "↿": true, + "↾": true, + "⊎": true, + "υ": true, + "ϒ": true, + "υ": true, + "⇈": true, + "⌝": true, + "⌝": true, + "⌎": true, + "ů": true, + "◹": true, + "𝓊": true, + "⋰": true, + "ũ": true, + "▵": true, + "▴": true, + "⇈": true, + "ü": true, + "ü": true, + "⦧": true, + "⇕": true, + "⫨": true, + "⫩": true, + "⊨": true, + "⦜": true, + "ϵ": true, + "ϰ": true, 
+ "∅": true, + "ϕ": true, + "ϖ": true, + "∝": true, + "↕": true, + "ϱ": true, + "ς": true, + "⊊︀": true, + "⫋︀": true, + "⊋︀": true, + "⫌︀": true, + "ϑ": true, + "⊲": true, + "⊳": true, + "в": true, + "⊢": true, + "∨": true, + "⊻": true, + "≚": true, + "⋮": true, + "|": true, + "|": true, + "𝔳": true, + "⊲": true, + "⊂⃒": true, + "⊃⃒": true, + "𝕧": true, + "∝": true, + "⊳": true, + "𝓋": true, + "⫋︀": true, + "⊊︀": true, + "⫌︀": true, + "⊋︀": true, + "⦚": true, + "ŵ": true, + "⩟": true, + "∧": true, + "≙": true, + "℘": true, + "𝔴": true, + "𝕨": true, + "℘": true, + "≀": true, + "≀": true, + "𝓌": true, + "⋂": true, + "◯": true, + "⋃": true, + "▽": true, + "𝔵": true, + "⟺": true, + "⟷": true, + "ξ": true, + "⟸": true, + "⟵": true, + "⟼": true, + "⋻": true, + "⨀": true, + "𝕩": true, + "⨁": true, + "⨂": true, + "⟹": true, + "⟶": true, + "𝓍": true, + "⨆": true, + "⨄": true, + "△": true, + "⋁": true, + "⋀": true, + "ý": true, + "ý": true, + "я": true, + "ŷ": true, + "ы": true, + "¥": true, + "¥": true, + "𝔶": true, + "ї": true, + "𝕪": true, + "𝓎": true, + "ю": true, + "ÿ": true, + "ÿ": true, + "ź": true, + "ž": true, + "з": true, + "ż": true, + "ℨ": true, + "ζ": true, + "𝔷": true, + "ж": true, + "⇝": true, + "𝕫": true, + "𝓏": true, + "‍": true, + "‌": true, +} diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/esc.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/esc.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/esc.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/esc.go 2021-11-17 23:49:46.000000000 +0000 
@@ -13,13 +13,27 @@ } func escapeHTML(w io.Writer, s []byte) { + escapeEntities(w, s, false) +} + +func escapeAllHTML(w io.Writer, s []byte) { + escapeEntities(w, s, true) +} + +func escapeEntities(w io.Writer, s []byte, escapeValidEntities bool) { var start, end int for end < len(s) { escSeq := htmlEscaper[s[end]] if escSeq != nil { - w.Write(s[start:end]) - w.Write(escSeq) - start = end + 1 + isEntity, entityEnd := nodeIsEntity(s, end) + if isEntity && !escapeValidEntities { + w.Write(s[start : entityEnd+1]) + start = entityEnd + 1 + } else { + w.Write(s[start:end]) + w.Write(escSeq) + start = end + 1 + } } end++ } @@ -28,6 +42,28 @@ } } +func nodeIsEntity(s []byte, end int) (isEntity bool, endEntityPos int) { + isEntity = false + endEntityPos = end + 1 + + if s[end] == '&' { + for endEntityPos < len(s) { + if s[endEntityPos] == ';' { + if entities[string(s[end:endEntityPos+1])] { + isEntity = true + break + } + } + if !isalnum(s[endEntityPos]) && s[endEntityPos] != '&' && s[endEntityPos] != '#' { + break + } + endEntityPos++ + } + } + + return isEntity, endEntityPos +} + func escLink(w io.Writer, text []byte) { unesc := html.UnescapeString(string(text)) escapeHTML(w, []byte(unesc)) diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/html.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/html.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/html.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/html.go 2021-11-17 23:49:46.000000000 +0000 @@ -132,7 +132,10 @@ } if params.FootnoteReturnLinkContents == "" { - params.FootnoteReturnLinkContents = `[return]` + // U+FE0E is VARIATION SELECTOR-15. + // It suppresses automatic emoji presentation of the preceding + // U+21A9 LEFTWARDS ARROW WITH HOOK on iOS and iPadOS. + params.FootnoteReturnLinkContents = "↩\ufe0e" } return &HTMLRenderer{ 
@@ -616,7 +619,7 @@ } case Code: r.out(w, codeTag) - escapeHTML(w, node.Literal) + escapeAllHTML(w, node.Literal) r.out(w, codeCloseTag) case Document: break @@ -762,7 +765,7 @@ r.cr(w) r.out(w, preTag) r.tag(w, codeTag[:len(codeTag)-1], attrs) - escapeHTML(w, node.Literal) + escapeAllHTML(w, node.Literal) r.out(w, codeCloseTag) r.out(w, preCloseTag) if node.Parent.Type != Item { diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/inline.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/inline.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/inline.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/inline.go 2021-11-17 23:49:46.000000000 +0000 @@ -278,7 +278,7 @@ case data[i] == '\n': textHasNl = true - case data[i-1] == '\\': + case isBackslashEscaped(data, i): continue case data[i] == '[': diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/node.go docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/node.go --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/node.go 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/node.go 2021-11-17 23:49:46.000000000 +0000 @@ -199,7 +199,8 @@ } } -func (n *Node) isContainer() bool { +// IsContainer returns true if 'n' can contain children. +func (n *Node) IsContainer() bool { switch n.Type { case Document: fallthrough @@ -238,6 +239,11 @@ } } +// IsLeaf returns true if 'n' is a leaf node. +func (n *Node) IsLeaf() bool { + return !n.IsContainer() +} + func (n *Node) canContain(t NodeType) bool { if n.Type == List { return t == Item 
@@ -309,11 +315,11 @@ } func (nw *nodeWalker) next() { - if (!nw.current.isContainer() || !nw.entering) && nw.current == nw.root { + if (!nw.current.IsContainer() || !nw.entering) && nw.current == nw.root { nw.current = nil return } - if nw.entering && nw.current.isContainer() { + if nw.entering && nw.current.IsContainer() { if nw.current.FirstChild != nil { nw.current = nw.current.FirstChild nw.entering = true diff -Nru docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/README.md docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/README.md --- docker.io-20.10.7/cli/vendor/github.com/russross/blackfriday/v2/README.md 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/russross/blackfriday/v2/README.md 2021-11-17 23:49:46.000000000 +0000 @@ -1,4 +1,6 @@ -Blackfriday [![Build Status](https://travis-ci.org/russross/blackfriday.svg?branch=master)](https://travis-ci.org/russross/blackfriday) +Blackfriday +[![Build Status][BuildV2SVG]][BuildV2URL] +[![PkgGoDev][PkgGoDevV2SVG]][PkgGoDevV2URL] =========== Blackfriday is a [Markdown][1] processor implemented in [Go][2]. It @@ -16,19 +18,21 @@ Installation ------------ -Blackfriday is compatible with any modern Go release. With Go 1.7 and git -installed: +Blackfriday is compatible with modern Go releases in module mode. +With Go installed: - go get gopkg.in/russross/blackfriday.v2 + go get github.com/russross/blackfriday/v2 -will download, compile, and install the package into your `$GOPATH` -directory hierarchy. Alternatively, you can achieve the same if you -import it into a project: +will resolve and add the package to the current development module, +then build and install it. Alternatively, you can achieve the same +if you import it in a package: - import "gopkg.in/russross/blackfriday.v2" + import "github.com/russross/blackfriday/v2" and `go get` without parameters. +Legacy GOPATH mode is unsupported. + Versions -------- 
@@ -36,13 +40,9 @@ Currently maintained and recommended version of Blackfriday is `v2`. It's being developed on its own branch: https://github.com/russross/blackfriday/tree/v2 and the documentation is available at -https://godoc.org/gopkg.in/russross/blackfriday.v2. +https://pkg.go.dev/github.com/russross/blackfriday/v2. -It is `go get`-able via via [gopkg.in][6] at `gopkg.in/russross/blackfriday.v2`, -but we highly recommend using package management tool like [dep][7] or -[Glide][8] and make use of semantic versioning. With package management you -should import `github.com/russross/blackfriday` and specify that you're using -version 2.0.0. +It is `go get`-able in module mode at `github.com/russross/blackfriday/v2`. Version 2 offers a number of improvements over v1: @@ -62,6 +62,11 @@ v2. See issue [#348](https://github.com/russross/blackfriday/issues/348) for tracking. +If you are still interested in the legacy `v1`, you can import it from +`github.com/russross/blackfriday`. Documentation for the legacy v1 can be found +here: https://pkg.go.dev/github.com/russross/blackfriday. + + Usage ----- @@ -91,7 +96,7 @@ ```go import ( "github.com/microcosm-cc/bluemonday" - "github.com/russross/blackfriday" + "github.com/russross/blackfriday/v2" ) // ... @@ -104,6 +109,8 @@ If you want to customize the set of options, use `blackfriday.WithExtensions`, `blackfriday.WithRenderer` and `blackfriday.WithRefOverride`. +### `blackfriday-tool` + You can also check out `blackfriday-tool` for a more complete example of how to use it. Download and install it using: @@ -114,7 +121,7 @@ source directly on github if you are just looking for some example code: -* +* Note that if you have not already done so, installing `blackfriday-tool` will be sufficient to download and install 
@@ -123,6 +130,22 @@ can be copied to wherever you need it without worrying about dependencies and library versions. +### Sanitized anchor names + +Blackfriday includes an algorithm for creating sanitized anchor names +corresponding to a given input text. This algorithm is used to create +anchors for headings when `AutoHeadingIDs` extension is enabled. The +algorithm has a specification, so that other packages can create +compatible anchor names and links to those anchors. + +The specification is located at https://pkg.go.dev/github.com/russross/blackfriday/v2#hdr-Sanitized_Anchor_Names. + +[`SanitizedAnchorName`](https://pkg.go.dev/github.com/russross/blackfriday/v2#SanitizedAnchorName) exposes this functionality, and can be used to +create compatible links to the anchor names generated by blackfriday. +This algorithm is also implemented in a small standalone package at +[`github.com/shurcooL/sanitized_anchor_name`](https://pkg.go.dev/github.com/shurcooL/sanitized_anchor_name). It can be useful for clients +that want a small package and don't need full functionality of blackfriday. + Features -------- @@ -199,6 +222,15 @@ You can use 3 or more backticks to mark the beginning of the block, and the same number to mark the end of the block. + To preserve classes of fenced code blocks while using the bluemonday + HTML sanitizer, use the following policy: + + ```go + p := bluemonday.UGCPolicy() + p.AllowAttrs("class").Matching(regexp.MustCompile("^language-[a-zA-Z0-9]+$")).OnElements("code") + html := p.SanitizeBytes(unsafe) + ``` + * **Definition lists**. A simple definition list is made of a single-line term followed by a colon and the definition for that term. 
@@ -250,7 +282,7 @@ Blackfriday is structured to allow alternative rendering engines. Here are a few of note: -* [github_flavored_markdown](https://godoc.org/github.com/shurcooL/github_flavored_markdown): +* [github_flavored_markdown](https://pkg.go.dev/github.com/shurcooL/github_flavored_markdown): provides a GitHub Flavored Markdown renderer with fenced code block highlighting, clickable heading anchor links. @@ -261,20 +293,28 @@ * [markdownfmt](https://github.com/shurcooL/markdownfmt): like gofmt, but for markdown. -* [LaTeX output](https://github.com/Ambrevar/Blackfriday-LaTeX): +* [LaTeX output](https://gitlab.com/ambrevar/blackfriday-latex): renders output as LaTeX. +* [bfchroma](https://github.com/Depado/bfchroma/): provides convenience + integration with the [Chroma](https://github.com/alecthomas/chroma) code + highlighting library. bfchroma is only compatible with v2 of Blackfriday and + provides a drop-in renderer ready to use with Blackfriday, as well as + options and means for further customization. + * [Blackfriday-Confluence](https://github.com/kentaro-m/blackfriday-confluence): provides a [Confluence Wiki Markup](https://confluence.atlassian.com/doc/confluence-wiki-markup-251003035.html) renderer. +* [Blackfriday-Slack](https://github.com/karriereat/blackfriday-slack): converts markdown to slack message style + -Todo +TODO ---- * More unit testing -* Improve unicode support. It does not understand all unicode +* Improve Unicode support. It does not understand all Unicode rules (about what constitutes a letter, a punctuation symbol, etc.), so it may fail to detect word boundaries correctly in - some instances. It is safe on all utf-8 input. + some instances. It is safe on all UTF-8 input. License 
@@ -286,6 +326,10 @@ [1]: https://daringfireball.net/projects/markdown/ "Markdown" [2]: https://golang.org/ "Go Language" [3]: https://github.com/vmg/sundown "Sundown" - [4]: https://godoc.org/gopkg.in/russross/blackfriday.v2#Parse "Parse func" + [4]: https://pkg.go.dev/github.com/russross/blackfriday/v2#Parse "Parse func" [5]: https://github.com/microcosm-cc/bluemonday "Bluemonday" - [6]: https://labix.org/gopkg.in "gopkg.in" + + [BuildV2SVG]: https://travis-ci.org/russross/blackfriday.svg?branch=v2 + [BuildV2URL]: https://travis-ci.org/russross/blackfriday + [PkgGoDevV2SVG]: https://pkg.go.dev/badge/github.com/russross/blackfriday/v2 + [PkgGoDevV2URL]: https://pkg.go.dev/github.com/russross/blackfriday/v2 diff -Nru docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/go.mod docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/go.mod --- docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/go.mod 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/go.mod 1970-01-01 00:00:00.000000000 +0000 @@ -1 +0,0 @@ -module github.com/shurcooL/sanitized_anchor_name diff -Nru docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/LICENSE docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/LICENSE --- docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/LICENSE 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/LICENSE 1970-01-01 00:00:00.000000000 +0000 
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2015 Dmitri Shuralyov
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
diff -Nru docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/main.go docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/main.go
--- docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/main.go 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/main.go 1970-01-01 00:00:00.000000000 +0000
@@ -1,29 +0,0 @@
-// Package sanitized_anchor_name provides a func to create sanitized anchor names.
-//
-// Its logic can be reused by multiple packages to create interoperable anchor names
-// and links to those anchors.
-//
-// At this time, it does not try to ensure that generated anchor names
-// are unique, that responsibility falls on the caller.
-package sanitized_anchor_name // import "github.com/shurcooL/sanitized_anchor_name"
-
-import "unicode"
-
-// Create returns a sanitized anchor name for the given text.
-func Create(text string) string {
- var anchorName []rune
- var futureDash = false
- for _, r := range text {
- switch {
- case unicode.IsLetter(r) || unicode.IsNumber(r):
- if futureDash && len(anchorName) > 0 {
- anchorName = append(anchorName, '-')
- }
- futureDash = false
- anchorName = append(anchorName, unicode.ToLower(r))
- default:
- futureDash = true
- }
- }
- return string(anchorName)
-}
diff -Nru docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/README.md docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/README.md
--- docker.io-20.10.7/cli/vendor/github.com/shurcooL/sanitized_anchor_name/README.md 2021-05-31 09:40:07.000000000 +0000
+++ docker.io-20.10.11/cli/vendor/github.com/shurcooL/sanitized_anchor_name/README.md 1970-01-01 00:00:00.000000000 +0000
@@ -1,36 +0,0 @@ -sanitized_anchor_name -===================== - -[![Build Status](https://travis-ci.org/shurcooL/sanitized_anchor_name.svg?branch=master)](https://travis-ci.org/shurcooL/sanitized_anchor_name) [![GoDoc](https://godoc.org/github.com/shurcooL/sanitized_anchor_name?status.svg)](https://godoc.org/github.com/shurcooL/sanitized_anchor_name) - -Package sanitized_anchor_name provides a func to create sanitized anchor names. - -Its logic can be reused by multiple packages to create interoperable anchor names -and links to those anchors. - -At this time, it does not try to ensure that generated anchor names -are unique, that responsibility falls on the caller. - -Installation ------------- - -```bash -go get -u github.com/shurcooL/sanitized_anchor_name -``` - -Example -------- - -```Go -anchorName := sanitized_anchor_name.Create("This is a header") - -fmt.Println(anchorName) - -// Output: -// this-is-a-header -``` - -License -------- - -- [MIT License](LICENSE) diff -Nru docker.io-20.10.7/cli/vendor.conf docker.io-20.10.11/cli/vendor.conf --- docker.io-20.10.7/cli/vendor.conf 2021-05-31 09:40:07.000000000 +0000 +++ docker.io-20.10.11/cli/vendor.conf 2021-11-17 23:49:46.000000000 +0000 @@ -1,5 +1,5 @@ cloud.google.com/go ceeb313ad77b789a7fa5287b36a1d127b69b7093 # v0.44.3 -github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109 +github.com/Azure/go-ansiterm d185dfc1b5a126116ea5a19e148e29d16b4574c9 github.com/beorn7/perks 37c8de3658fcb183f997c4e13e8337516ab753e6 # v1.0.1 github.com/cespare/xxhash/v2 d7df74196a9e781ede915320c11c378c1b2f3a1f # v2.1.1 github.com/containerd/console 5d7e1412f07b502a01029ea20e20e0d2be31fa7c # v1.0.1 
@@ -8,19 +8,19 @@ github.com/containerd/cgroups 0b889c03f102012f1d93a97ddd3ef71cd6f4f510 github.com/containerd/typeurl cd3ce7159eae562a4f60ceff37dada11a939d247 # v1.0.1 github.com/coreos/etcd d57e8b8d97adfc4a6c224fe116714bf1a1f3beb9 # v3.3.12 -github.com/cpuguy83/go-md2man/v2 f79a8a8ca69da163eee19ab442bedad7a35bba5a # v2.0.0 +github.com/cpuguy83/go-md2man/v2 b1ec32e02fe539480dc03e3bf381c20066e7c6cc # v2.0.1 github.com/creack/pty 2a38352e8b4d7ab6c336eef107e42a55e72e7fbc # v1.1.11 github.com/davecgh/go-spew 8991bc29aa16c548c550c7ff78260e27b9ab7c73 # v1.1.1 github.com/docker/compose-on-kubernetes 78e6a00beda64ac8ccb9fec787e601fe2ce0d5bb # v0.5.0-alpha1 github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580 -github.com/docker/docker 46229ca1d815cfd4b50eb377ac75ad8300e13a85 -github.com/docker/docker-credential-helpers 38bea2ce277ad0c9d2a6230692b0606ca5286526 +github.com/docker/docker b0f5bc36fea9dfb9672e1e9b1278ebab797b9ee0 # v20.10.7 +github.com/docker/docker-credential-helpers fc9290adbcf1594e78910e2f0334090eaee0e1ee # v0.6.4 github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06 # Contains a customized version of canonical/json and is used by Notary. The package is periodically rebased on current Go versions. github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 # v0.4.0 github.com/docker/go-events e31b211e4f1cd09aa76fe4ac244571fab96ae47f github.com/docker/go-metrics b619b3592b65de4f087d9f16863a7e6ff905973c # v0.0.1 github.com/docker/go-units 519db1ee28dcc9fd2474ae59fca29a810482bfb1 # v0.4.0 -github.com/docker/swarmkit d6592ddefd8a5319aadff74c558b816b1a0b2590 +github.com/docker/swarmkit 17d8d4e4d8bdec33d386e6362d3537fa9493ba00 github.com/evanphx/json-patch 72bf35d0ff611848c1dc9df0f976c81192392fa5 # v4.1.0 github.com/fvbommel/sortorder 26fad50c6b32a3064c09ed089865c16f2f3615f6 # v1.0.2 github.com/gofrs/flock 6caa7350c26b838538005fae7dbee4e69d9398db # v0.7.3 
@@ -49,7 +49,7 @@ github.com/mitchellh/mapstructure d16e9488127408e67948eb43b6d3fbb9f222da10 # v1.3.2 github.com/moby/buildkit 8142d66b5ebde79846b869fba30d9d30633e74aa # v0.8.1 github.com/moby/sys 1bc8673b57550ddf85262eb0fed0aac651a37dab # symlink/v0.1.0 (latest tag, either mount/vXXX, mountinfo/vXXX or symlink/vXXX) -github.com/moby/term bea5bbe245bf407372d477f1361d2ff042d2f556 +github.com/moby/term 3f7ff695adc6a35abc925370dd0a4dafb48ec64d github.com/modern-go/concurrent bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94 # 1.0.3 github.com/modern-go/reflect2 4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd # 1.0.1 github.com/morikuni/aec 39771216ff4c63d11f5e604076f9c45e8be1067b # v1.0.0 @@ -62,8 +62,7 @@ github.com/prometheus/client_model 7bc5445566f0fe75b15de23e6b93886e982d7bf9 # v0.2.0 github.com/prometheus/common d978bcb1309602d68bb4ba69cf3f8ed900e07308 # v0.9.1 github.com/prometheus/procfs 46159f73e74d1cb8dc223deef9b2d049286f46b1 # v0.0.11 -github.com/russross/blackfriday/v2 d3b5b032dc8e8927d31a5071b56e14c89f045135 # v2.0.1 -github.com/shurcooL/sanitized_anchor_name 7bfe4c7ecddb3666a94b053b422cdd8f5aaa3615 # v1.0.0 +github.com/russross/blackfriday/v2 4c9bf9512682b995722660a4196c0013228e2049 # v2.1.0 github.com/sirupsen/logrus 6699a89a232f3db797f2e280639854bbc4b89725 # v1.7.0 github.com/spf13/cobra 86f8bfd7fef868a174e1b606783bd7f5c82ddf8f # v1.1.1 github.com/spf13/pflag 2e9d26c8c37aae03e3f9d4e90b7116f5accb7cab # v1.0.5 diff -Nru docker.io-20.10.7/debian/changelog docker.io-20.10.11/debian/changelog --- docker.io-20.10.7/debian/changelog 2021-11-12 16:42:06.000000000 +0000 +++ docker.io-20.10.11/debian/changelog 2022-01-13 13:34:48.000000000 +0000 
@@ -1,3 +1,14 @@ +docker.io (20.10.11-0ubuntu0~20.04.1~anthos1) focal; urgency=medium + + * New upstream version, 20.10.11. + * Switch to golang-1.16-go from golang-1.13-go as + the package needs features which are not in Go + 1.13 or before. + * Set GO111MODULE to auto so that it uses the go.mod + files as a consequence of bumping from to Go 1.16. + + -- Utkarsh Gupta Thu, 13 Jan 2022 19:04:48 +0530 + docker.io (20.10.7-0ubuntu5~20.04.2~anthos1) focal; urgency=medium * No-change rebuild w/ containerd 1.5.7. diff -Nru docker.io-20.10.7/debian/control docker.io-20.10.11/debian/control --- docker.io-20.10.7/debian/control 2021-11-12 16:41:14.000000000 +0000 +++ docker.io-20.10.11/debian/control 2022-01-13 13:34:48.000000000 +0000 @@ -15,7 +15,7 @@ dh-exec, dh-golang, git, - golang-1.13-go, + golang-1.16-go, libapparmor-dev, libbtrfs-dev | btrfs-progs (<< 4.16.1~), libdevmapper-dev (>= 2:1.02.68~), diff -Nru docker.io-20.10.7/debian/patches/CVE-2021-41089.patch docker.io-20.10.11/debian/patches/CVE-2021-41089.patch --- docker.io-20.10.7/debian/patches/CVE-2021-41089.patch 2021-11-12 16:41:14.000000000 +0000 +++ docker.io-20.10.11/debian/patches/CVE-2021-41089.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,49 +0,0 @@ -From 0a9c9352b236f12f8de41d1e450fdd95ee086eb0 Mon Sep 17 00:00:00 2001 -From: Tonis Tiigi -Date: Wed, 19 May 2021 16:51:35 -0700 -Subject: [PATCH] chrootarchive: don't create parent dirs outside of chroot - -If chroot is used with a special root directory then create -destination directory within chroot. This works automatically -already due to extractor creating parent paths and is only -used currently with cp where parent paths are actually required -and error will be shown to user before reaching this point. - -Signed-off-by: Tonis Tiigi -(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58) -Signed-off-by: Brian Goff ---- - pkg/chrootarchive/archive.go | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/engine/pkg/chrootarchive/archive.go b/engine/pkg/chrootarchive/archive.go -index 83ed0c6b2f..d11cbdf277 100644 ---- a/engine/pkg/chrootarchive/archive.go -+++ b/engine/pkg/chrootarchive/archive.go -@@ -74,13 +74,17 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions - options.ExcludePatterns = []string{} - } - -- idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps) -- rootIDs := idMapping.RootPair() -+ // If dest is inside a root then directory is created within chroot by extractor. -+ // This case is only currently used by cp. 
-+ if dest == root { -+ idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps) -+ rootIDs := idMapping.RootPair() - -- dest = filepath.Clean(dest) -- if _, err := os.Stat(dest); os.IsNotExist(err) { -- if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil { -- return err -+ dest = filepath.Clean(dest) -+ if _, err := os.Stat(dest); os.IsNotExist(err) { -+ if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil { -+ return err -+ } - } - } - --- -2.33.0 - diff -Nru docker.io-20.10.7/debian/patches/CVE-2021-41091.patch docker.io-20.10.11/debian/patches/CVE-2021-41091.patch --- docker.io-20.10.7/debian/patches/CVE-2021-41091.patch 2021-11-12 16:41:14.000000000 +0000 +++ docker.io-20.10.11/debian/patches/CVE-2021-41091.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,382 +0,0 @@ -From 93ac040bf0c0b51d9a7fedaf994bf5bf1d68ee0e Mon Sep 17 00:00:00 2001 -From: Brian Goff -Date: Fri, 2 Jul 2021 17:27:45 +0000 -Subject: [PATCH] Lock down docker root dir perms. - -Do not use 0701 perms. -0701 dir perms allows anyone to traverse the docker dir. -It happens to allow any user to execute, as an example, suid binaries -from image rootfs dirs because it allows traversal AND critically -container users need to be able to do execute things. - -0701 on lower directories also happens to allow any user to modify - things in, for instance, the overlay upper dir which neccessarily - has 0755 permissions. - -This changes to use 0710 which allows users in the group to traverse. -In userns mode the UID owner is (real) root and the GID is the remapped -root's GID. - -This prevents anyone but the remapped root to traverse our directories -(which is required for userns with runc). - -Signed-off-by: Brian Goff -(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73) -Signed-off-by: Brian Goff ---- - daemon/container_operations_unix.go | 2 +- - daemon/create.go | 5 ++-- - daemon/daemon.go | 5 +++- - daemon/daemon_unix.go | 14 +++++------ - daemon/graphdriver/aufs/aufs.go | 13 ++++++++-- - daemon/graphdriver/btrfs/btrfs.go | 18 ++++++++++++-- - .../fuse-overlayfs/fuseoverlayfs.go | 24 +++++++++++++++---- - daemon/graphdriver/overlay/overlay.go | 20 ++++++++++++---- - daemon/graphdriver/overlay2/overlay.go | 24 +++++++++++++++---- - daemon/graphdriver/vfs/driver.go | 17 +++++++++++-- - daemon/graphdriver/zfs/zfs.go | 11 ++++++++- - 11 files changed, 121 insertions(+), 32 deletions(-) - -diff --git a/engine/daemon/container_operations_unix.go b/engine/daemon/container_operations_unix.go -index 5521adbd27..1647df0ce7 100644 ---- a/engine/daemon/container_operations_unix.go -+++ b/engine/daemon/container_operations_unix.go -@@ -466,5 +466,5 @@ func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error { - if err != nil { - 
return err - } -- return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity()) -+ return idtools.MkdirAllAndChown(p, 0710, idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID}) - } -diff --git a/engine/daemon/create.go b/engine/daemon/create.go -index 57f1eff665..b07851aec9 100644 ---- a/engine/daemon/create.go -+++ b/engine/daemon/create.go -@@ -212,10 +212,11 @@ func (daemon *Daemon) create(opts createOpts) (retC *container.Container, retErr - } - ctr.RWLayer = rwLayer - -- if err := idtools.MkdirAndChown(ctr.Root, 0701, idtools.CurrentIdentity()); err != nil { -+ current := idtools.CurrentIdentity() -+ if err := idtools.MkdirAndChown(ctr.Root, 0710, idtools.Identity{UID: current.UID, GID: daemon.IdentityMapping().RootPair().GID}); err != nil { - return nil, err - } -- if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil { -+ if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0700, current); err != nil { - return nil, err - } - -diff --git a/engine/daemon/daemon.go b/engine/daemon/daemon.go -index 3d8cca2880..2a2fbbd52e 100644 ---- a/engine/daemon/daemon.go -+++ b/engine/daemon/daemon.go -@@ -861,7 +861,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S - } - - daemonRepo := filepath.Join(config.Root, "containers") -- if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil { -+ if err := idtools.MkdirAllAndChown(daemonRepo, 0710, idtools.Identity{ -+ UID: idtools.CurrentIdentity().UID, -+ GID: rootIDs.GID, -+ }); err != nil { - return nil, err - } - -diff --git a/engine/daemon/daemon_unix.go b/engine/daemon/daemon_unix.go -index 8754d4f972..d982018c34 100644 ---- a/engine/daemon/daemon_unix.go -+++ b/engine/daemon/daemon_unix.go -@@ -1216,21 +1216,21 @@ func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools - } - } - -+ id := idtools.Identity{UID: 
idtools.CurrentIdentity().UID, GID: remappedRoot.GID} -+ // First make sure the current root dir has the correct perms. -+ if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil { -+ return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root) -+ } -+ - // if user namespaces are enabled we will create a subtree underneath the specified root - // with any/all specified remapped root uid/gid options on the daemon creating - // a new subdirectory with ownership set to the remapped uid/gid (so as to allow - // `chdir()` to work for containers namespaced to that uid/gid) - if config.RemappedRoot != "" { -- id := idtools.CurrentIdentity() -- // First make sure the current root dir has the correct perms. -- if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil { -- return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root) -- } -- - config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID)) - logrus.Debugf("Creating user namespaced daemon root: %s", config.Root) - // Create the root directory if it doesn't exist -- if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil { -+ if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil { - return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err) - } - // we also need to verify that any pre-existing directories in the path to -diff --git a/engine/daemon/graphdriver/aufs/aufs.go b/engine/daemon/graphdriver/aufs/aufs.go -index b007274e13..cfa18666d9 100644 ---- a/engine/daemon/graphdriver/aufs/aufs.go -+++ b/engine/daemon/graphdriver/aufs/aufs.go -@@ -130,14 +130,23 @@ func Init(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - } - - currentID := idtools.CurrentIdentity() -+ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) -+ if err != nil { -+ return nil, err -+ } -+ dirID := idtools.Identity{ -+ UID: currentID.UID, -+ GID: 
rootGID, -+ } -+ - // Create the root aufs driver dir -- if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil { -+ if err := idtools.MkdirAllAndChown(root, 0710, dirID); err != nil { - return nil, err - } - - // Populate the dir structure - for _, p := range paths { -- if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil { -+ if err := idtools.MkdirAllAndChown(path.Join(root, p), 0710, dirID); err != nil { - return nil, err - } - } -diff --git a/engine/daemon/graphdriver/btrfs/btrfs.go b/engine/daemon/graphdriver/btrfs/btrfs.go -index 0499489d16..8fd2854a26 100644 ---- a/engine/daemon/graphdriver/btrfs/btrfs.go -+++ b/engine/daemon/graphdriver/btrfs/btrfs.go -@@ -70,7 +70,14 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - return nil, graphdriver.ErrPrerequisites - } - -- if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { -+ remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps) -+ currentID := idtools.CurrentIdentity() -+ dirID := idtools.Identity{ -+ UID: currentID.UID, -+ GID: remappedRoot.RootPair().GID, -+ } -+ -+ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { - return nil, err - } - -@@ -521,7 +528,14 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error { - if err != nil { - return err - } -- if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil { -+ -+ currentID := idtools.CurrentIdentity() -+ dirID := idtools.Identity{ -+ UID: currentID.UID, -+ GID: rootGID, -+ } -+ -+ if err := idtools.MkdirAllAndChown(subvolumes, 0710, dirID); err != nil { - return err - } - if parent == "" { -diff --git a/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go b/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go -index 782e8be984..1bf30f4298 100644 ---- a/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go -+++ 
b/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go -@@ -88,7 +88,17 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - return nil, graphdriver.ErrNotSupported - } - -- if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil { -+ remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps) -+ currentID := idtools.CurrentIdentity() -+ dirID := idtools.Identity{ -+ UID: currentID.UID, -+ GID: remappedRoot.RootPair().GID, -+ } -+ -+ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { -+ return nil, err -+ } -+ if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 700, currentID); err != nil { - return nil, err - } - -@@ -173,11 +183,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr - } - root := idtools.Identity{UID: rootUID, GID: rootGID} - -- currentID := idtools.CurrentIdentity() -- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil { -+ dirID := idtools.Identity{ -+ UID: rootUID, -+ GID: rootGID, -+ } -+ -+ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil { - return err - } -- if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil { -+ if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { - return err - } - -@@ -211,7 +225,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr - return nil - } - -- if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0701, currentID); err != nil { -+ if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0710, dirID); err != nil { - return err - } - -diff --git a/engine/daemon/graphdriver/overlay/overlay.go b/engine/daemon/graphdriver/overlay/overlay.go -index 90be0e3d64..6e9897da05 100644 ---- a/engine/daemon/graphdriver/overlay/overlay.go -+++ b/engine/daemon/graphdriver/overlay/overlay.go -@@ -156,11 +156,20 @@ func Init(home string, options []string, 
uidMaps, gidMaps []idtools.IDMap) (grap - logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs)) - } - -- // Create the driver home dir -- if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { -+ currentID := idtools.CurrentIdentity() -+ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) -+ if err != nil { - return nil, err - } -+ dirID := idtools.Identity{ -+ UID: currentID.UID, -+ GID: rootGID, -+ } - -+ // Create the driver home dir -+ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { -+ return nil, err -+ } - d := &Driver{ - home: home, - uidMaps: uidMaps, -@@ -262,10 +271,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr - root := idtools.Identity{UID: rootUID, GID: rootGID} - - currentID := idtools.CurrentIdentity() -- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil { -- return err -+ dirID := idtools.Identity{ -+ UID: currentID.UID, -+ GID: rootGID, - } -- if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil { -+ if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { - return err - } - -diff --git a/engine/daemon/graphdriver/overlay2/overlay.go b/engine/daemon/graphdriver/overlay2/overlay.go -index 36a921a018..562d1e58fd 100644 ---- a/engine/daemon/graphdriver/overlay2/overlay.go -+++ b/engine/daemon/graphdriver/overlay2/overlay.go -@@ -165,7 +165,20 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs)) - } - -- if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil { -+ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) -+ if err != nil { -+ return nil, err -+ } -+ -+ cur := idtools.CurrentIdentity() -+ dirID := idtools.Identity{ -+ UID: cur.UID, -+ GID: rootGID, -+ } -+ if err := 
idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { -+ return nil, err -+ } -+ if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, cur); err != nil { - return nil, err - } - -@@ -344,12 +357,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr - return err - } - root := idtools.Identity{UID: rootUID, GID: rootGID} -- current := idtools.CurrentIdentity() -+ dirID := idtools.Identity{ -+ UID: idtools.CurrentIdentity().UID, -+ GID: rootGID, -+ } - -- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil { -+ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil { - return err - } -- if err := idtools.MkdirAndChown(dir, 0701, current); err != nil { -+ if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { - return err - } - -diff --git a/engine/daemon/graphdriver/vfs/driver.go b/engine/daemon/graphdriver/vfs/driver.go -index af9b107609..f903393da2 100644 ---- a/engine/daemon/graphdriver/vfs/driver.go -+++ b/engine/daemon/graphdriver/vfs/driver.go -@@ -37,8 +37,16 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap - if err := d.parseOptions(options); err != nil { - return nil, err - } -+ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) -+ if err != nil { -+ return nil, err -+ } - -- if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { -+ dirID := idtools.Identity{ -+ UID: idtools.CurrentIdentity().UID, -+ GID: rootGID, -+ } -+ if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { - return nil, err - } - -@@ -140,7 +148,12 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error { - func (d *Driver) create(id, parent string, size uint64) error { - dir := d.dir(id) - rootIDs := d.idMapping.RootPair() -- if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil { -+ -+ dirID := idtools.Identity{ -+ UID: 
idtools.CurrentIdentity().UID, -+ GID: rootIDs.GID, -+ } -+ if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0710, dirID); err != nil { - return err - } - if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil { -diff --git a/engine/daemon/graphdriver/zfs/zfs.go b/engine/daemon/graphdriver/zfs/zfs.go -index f9099a2094..2fbbe9498f 100644 ---- a/engine/daemon/graphdriver/zfs/zfs.go -+++ b/engine/daemon/graphdriver/zfs/zfs.go -@@ -104,7 +104,16 @@ func Init(base string, opt []string, uidMaps, gidMaps []idtools.IDMap) (graphdri - return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName) - } - -- if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil { -+ _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) -+ if err != nil { -+ return nil, err -+ } -+ -+ dirID := idtools.Identity{ -+ UID: idtools.CurrentIdentity().UID, -+ GID: rootGID, -+ } -+ if err := idtools.MkdirAllAndChown(base, 0710, dirID); err != nil { - return nil, fmt.Errorf("Failed to create '%s': %v", base, err) - } - --- -2.25.1 - diff -Nru docker.io-20.10.7/debian/patches/CVE-2021-41092.patch docker.io-20.10.11/debian/patches/CVE-2021-41092.patch --- docker.io-20.10.7/debian/patches/CVE-2021-41092.patch 2021-11-12 16:41:14.000000000 +0000 +++ docker.io-20.10.11/debian/patches/CVE-2021-41092.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,130 +0,0 @@ -From 42d1c02750b3631402da3973e5f36b76c8c934f4 Mon Sep 17 00:00:00 2001 -From: Samuel Karp -Date: Wed, 21 Jul 2021 17:59:42 -0700 -Subject: [PATCH] registry: ensure default auth config has address - -Signed-off-by: Samuel Karp ---- -cli/cli/command/registry.go | 15 +++++++-------- -cli/cli/command/registry/login.go | 13 +++++-------- -cli/cli/command/registry_test.go | 16 +++++++++++++++- - 3 files changed, 27 insertions(+), 17 deletions(-) - -Index: docker.io-20.10.7/cli/cli/command/registry.go -=================================================================== ---- docker.io-20.10.7.orig/cli/cli/command/registry.go -+++ docker.io-20.10.7/cli/cli/command/registry.go -@@ -63,17 +63,14 @@ func RegistryAuthenticationPrivilegedFun - indexServer := registry.GetAuthConfigKey(index) - isDefaultRegistry := indexServer == ElectAuthServer(context.Background(), cli) - authConfig, err := GetDefaultAuthConfig(cli, true, indexServer, isDefaultRegistry) -- if authConfig == nil { -- authConfig = &types.AuthConfig{} -- } - if err != nil { - fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err) - } -- err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry) -+ err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry) - if err != nil { - return "", err - } -- return EncodeAuthToBase64(*authConfig) -+ return EncodeAuthToBase64(authConfig) - } - } - -@@ -92,7 +89,7 @@ func ResolveAuthConfig(ctx context.Conte - - // GetDefaultAuthConfig gets the default auth config given a serverAddress - // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it --func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) { -+func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) { - if !isDefaultRegistry { - 
serverAddress = registry.ConvertToHostname(serverAddress) - } -@@ -101,13 +98,15 @@ func GetDefaultAuthConfig(cli Cli, check - if checkCredStore { - authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress) - if err != nil { -- return nil, err -+ return types.AuthConfig{ -+ ServerAddress: serverAddress, -+ }, err - } - } - authconfig.ServerAddress = serverAddress - authconfig.IdentityToken = "" - res := types.AuthConfig(authconfig) -- return &res, nil -+ return res, nil - } - - // ConfigureAuth handles prompting of user's username and password if needed -Index: docker.io-20.10.7/cli/cli/command/registry/login.go -=================================================================== ---- docker.io-20.10.7.orig/cli/cli/command/registry/login.go -+++ docker.io-20.10.7/cli/cli/command/registry/login.go -@@ -114,22 +114,19 @@ func runLogin(dockerCli command.Cli, opt - var response registrytypes.AuthenticateOKBody - isDefaultRegistry := serverAddress == authServer - authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry) -- if authConfig == nil { -- authConfig = &types.AuthConfig{} -- } - if err == nil && authConfig.Username != "" && authConfig.Password != "" { -- response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig) -+ response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig) - } - if err != nil || authConfig.Username == "" || authConfig.Password == "" { -- err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry) -+ err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry) - if err != nil { - return err - } - -- response, err = clnt.RegistryLogin(ctx, *authConfig) -+ response, err = clnt.RegistryLogin(ctx, authConfig) - if err != nil && client.IsErrConnectionFailed(err) { - // If the server isn't responding (yet) attempt to login purely client side -- response, err = loginClientSide(ctx, 
*authConfig) -+ response, err = loginClientSide(ctx, authConfig) - } - // If we (still) have an error, give up - if err != nil { -@@ -152,7 +149,7 @@ func runLogin(dockerCli command.Cli, opt - } - } - -- if err := creds.Store(configtypes.AuthConfig(*authConfig)); err != nil { -+ if err := creds.Store(configtypes.AuthConfig(authConfig)); err != nil { - return errors.Errorf("Error saving credentials: %v", err) - } - -Index: docker.io-20.10.7/cli/cli/command/registry_test.go -=================================================================== ---- docker.io-20.10.7.orig/cli/cli/command/registry_test.go -+++ docker.io-20.10.7/cli/cli/command/registry_test.go -@@ -145,7 +145,21 @@ func TestGetDefaultAuthConfig(t *testing - assert.Check(t, is.Equal(tc.expectedErr, err.Error())) - } else { - assert.NilError(t, err) -- assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig)) -+ assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig)) - } - } - } -+ -+func TestGetDefaultAuthConfig_HelperError(t *testing.T) { -+ cli := test.NewFakeCli(&fakeClient{}) -+ errBuf := new(bytes.Buffer) -+ cli.SetErr(errBuf) -+ cli.ConfigFile().CredentialsStore = "fake-does-not-exist" -+ serverAddress := "test-server-address" -+ expectedAuthConfig := types.AuthConfig{ -+ ServerAddress: serverAddress, -+ } -+ authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/") -+ assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig)) -+ assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist")) -+} diff -Nru docker.io-20.10.7/debian/patches/seccomp-add-support-for-clone3-syscall-in-default-policy.patch docker.io-20.10.11/debian/patches/seccomp-add-support-for-clone3-syscall-in-default-policy.patch --- docker.io-20.10.7/debian/patches/seccomp-add-support-for-clone3-syscall-in-default-policy.patch 2021-11-12 16:41:14.000000000 +0000 +++ 
docker.io-20.10.11/debian/patches/seccomp-add-support-for-clone3-syscall-in-default-policy.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,193 +0,0 @@ -From 567c01f6d157cf6c1f39d68e9ca62e76d7834558 Mon Sep 17 00:00:00 2001 -From: Tianon Gravi -Date: Thu, 9 Sep 2021 11:31:30 -0700 -Subject: [PATCH] seccomp: add support for "clone3" syscall in default policy -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7. - -Original commit message is as follows: - -> If no seccomp policy is requested, then the built-in default policy in -> dockerd applies. This has no rule for "clone3" defined, nor any default -> errno defined. So when runc receives the config it attempts to determine -> a default errno, using logic defined in its commit: -> -> opencontainers/runc@7a8d716 -> -> As explained in the above commit message, runc uses a heuristic to -> decide which errno to return by default: -> -> [quote] -> The solution applied here is to prepend a "stub" filter which returns -> -ENOSYS if the requested syscall has a larger syscall number than any -> syscall mentioned in the filter. The reason for this specific rule is -> that syscall numbers are (roughly) allocated sequentially and thus newer -> syscalls will (usually) have a larger syscall number -- thus causing our -> filters to produce -ENOSYS if the filter was written before the syscall -> existed. -> [/quote] -> -> Unfortunately clone3 appears to one of the edge cases that does not -> result in use of ENOSYS, instead ending up with the historical EPERM -> errno. -> -> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use -> clone3 by default. If it sees ENOSYS then it will automatically -> fallback to using clone. Any other errno is treated as a fatal -> error. Thus when docker seccomp policy triggers EPERM from clone3, -> no fallback occurs and programs are thus unable to spawn threads. 
-> -> The clone3 syscall is much more complicated than clone, most notably its -> flags are not exposed as a directly argument any more. Instead they are -> hidden inside a struct. This means that seccomp filters are unable to -> apply policy based on values seen in flags. Thus we can't directly -> replicate the current "clone" filtering for "clone3". We can at least -> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone" -> at which point we can filter on flags. - -Signed-off-by: Tianon Gravi -Co-authored-by: Daniel P. BerrangĂ© - -Origin: upstream, https://github.com/moby/moby/pull/42836 -Reviewed-By: Lucas Kanashiro -Last-Updated: 2021-09-14 ---- - engine/profiles/seccomp/default.json | 16 ++++++++++++++++ - engine/profiles/seccomp/default_linux.go | 13 +++++++++++++ - engine/profiles/seccomp/seccomp.go | 1 + - engine/profiles/seccomp/seccomp_linux.go | 28 ++++++++++++---------------- - 4 files changed, 42 insertions(+), 16 deletions(-) - -diff --git a/engine/profiles/seccomp/default.json b/engine/profiles/seccomp/default.json -index 4213799ddb5..ee5e04f781a 100644 ---- a/engine/profiles/seccomp/default.json -+++ b/engine/profiles/seccomp/default.json -@@ -591,6 +591,7 @@ - "names": [ - "bpf", - "clone", -+ "clone3", - "fanotify_init", - "fsconfig", - "fsmount", -@@ -670,6 +671,21 @@ - ] - } - }, -+ { -+ "names": [ -+ "clone3" -+ ], -+ "action": "SCMP_ACT_ERRNO", -+ "errnoRet": 38, -+ "args": [], -+ "comment": "", -+ "includes": {}, -+ "excludes": { -+ "caps": [ -+ "CAP_SYS_ADMIN" -+ ] -+ } -+ }, - { - "names": [ - "reboot" -diff --git a/engine/profiles/seccomp/default_linux.go b/engine/profiles/seccomp/default_linux.go -index 879eb88c64f..fb593f336f7 100644 ---- a/engine/profiles/seccomp/default_linux.go -+++ b/engine/profiles/seccomp/default_linux.go -@@ -42,6 +42,7 @@ func arches() []Architecture { - - // DefaultProfile defines the allowed syscalls for the default seccomp profile. 
- func DefaultProfile() *Seccomp { -+ nosys := uint(unix.ENOSYS) - syscalls := []*Syscall{ - { - Names: []string{ -@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp { - Names: []string{ - "bpf", - "clone", -+ "clone3", - "fanotify_init", - "fsconfig", - "fsmount", -@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp { - Caps: []string{"CAP_SYS_ADMIN"}, - }, - }, -+ { -+ Names: []string{ -+ "clone3", -+ }, -+ Action: specs.ActErrno, -+ ErrnoRet: &nosys, -+ Args: []*specs.LinuxSeccompArg{}, -+ Excludes: Filter{ -+ Caps: []string{"CAP_SYS_ADMIN"}, -+ }, -+ }, - { - Names: []string{ - "reboot", -diff --git a/engine/profiles/seccomp/seccomp.go b/engine/profiles/seccomp/seccomp.go -index d2a21cddc4b..9edec72db54 100644 ---- a/engine/profiles/seccomp/seccomp.go -+++ b/engine/profiles/seccomp/seccomp.go -@@ -45,6 +45,7 @@ type Syscall struct { - Name string `json:"name,omitempty"` - Names []string `json:"names,omitempty"` - Action specs.LinuxSeccompAction `json:"action"` -+ ErrnoRet *uint `json:"errnoRet,omitempty"` - Args []*specs.LinuxSeccompArg `json:"args"` - Comment string `json:"comment"` - Includes Filter `json:"includes"` -diff --git a/engine/profiles/seccomp/seccomp_linux.go b/engine/profiles/seccomp/seccomp_linux.go -index 566f173acd3..e35e242cd50 100644 ---- a/engine/profiles/seccomp/seccomp_linux.go -+++ b/engine/profiles/seccomp/seccomp_linux.go -@@ -150,29 +150,25 @@ Loop: - } - } - -+ newCall := specs.LinuxSyscall{ -+ Action: call.Action, -+ ErrnoRet: call.ErrnoRet, -+ } - if call.Name != "" && len(call.Names) != 0 { - return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") - } -- - if call.Name != "" { -- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args)) -+ newCall.Names = []string{call.Name} - } else { -- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args)) -+ newCall.Names = call.Names 
-+ } -+ // Loop through all the arguments of the syscall and convert them -+ for _, arg := range call.Args { -+ newCall.Args = append(newCall.Args, *arg) - } -- } -- -- return newConfig, nil --} - --func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall { -- newCall := specs.LinuxSyscall{ -- Names: names, -- Action: action, -+ newConfig.Syscalls = append(newConfig.Syscalls, newCall) - } - -- // Loop through all the arguments of the syscall and convert them -- for _, arg := range args { -- newCall.Args = append(newCall.Args, *arg) -- } -- return newCall -+ return newConfig, nil - } diff -Nru docker.io-20.10.7/debian/patches/series docker.io-20.10.11/debian/patches/series --- docker.io-20.10.7/debian/patches/series 2021-11-12 16:41:14.000000000 +0000 +++ docker.io-20.10.11/debian/patches/series 1970-01-01 00:00:00.000000000 +0000 @@ -1,4 +0,0 @@ -seccomp-add-support-for-clone3-syscall-in-default-policy.patch -CVE-2021-41089.patch -CVE-2021-41091.patch -CVE-2021-41092.patch diff -Nru docker.io-20.10.7/debian/rules docker.io-20.10.11/debian/rules --- docker.io-20.10.7/debian/rules 2021-11-12 16:41:14.000000000 +0000 +++ docker.io-20.10.11/debian/rules 2022-01-13 13:34:48.000000000 +0000 
@@ -21,12 +21,9 @@ MAKEFLAGS += -j '$(NUMJOBS)' endif -# build explicitly against Go 1.13 (for now): -# https://github.com/moby/moby/pull/40353 -# https://github.com/containerd/containerd/issues/4509 -# https://github.com/containerd/containerd/pull/4050 -# https://github.com/golang/go/issues/37942 -export PATH := /usr/lib/go-1.13/bin:$(PATH) +# build explicitly against Go 1.16 (for now): +export PATH := /usr/lib/go-1.16/bin:$(PATH) +export GO111MODULE := auto override_dh_gencontrol: # if we're on Ubuntu, we need to Recommends: apparmor diff -Nru docker.io-20.10.7/engine/api/swagger.yaml docker.io-20.10.11/engine/api/swagger.yaml --- docker.io-20.10.7/engine/api/swagger.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/api/swagger.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -5583,12 +5583,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/builder/builder-next/adapters/containerimage/pull.go docker.io-20.10.11/engine/builder/builder-next/adapters/containerimage/pull.go --- docker.io-20.10.7/engine/builder/builder-next/adapters/containerimage/pull.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/builder/builder-next/adapters/containerimage/pull.go 2021-11-18 00:21:59.000000000 +0000 @@ -22,6 +22,7 @@ "github.com/containerd/containerd/remotes/docker" "github.com/containerd/containerd/remotes/docker/schema1" distreference "github.com/docker/distribution/reference" + dimages "github.com/docker/docker/daemon/images" "github.com/docker/docker/distribution" "github.com/docker/docker/distribution/metadata" "github.com/docker/docker/distribution/xfer" 
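Review bot: The rewritten comment in the debian/rules hunk, `# build explicitly against Go 1.16 (for now):`, keeps the trailing colon and "(for now)" but drops the four links that explained the pin, so the reason is no longer recorded. The new `export GO111MODULE := auto` line has no comment either, although the changelog entry in this diff gives the reason (use the go.mod files after the bump to Go 1.16). I would write `# build explicitly against Go 1.16; the package needs features that are not in Go 1.13` above the PATH line and `# auto: use module mode only where a go.mod is present` above the GO111MODULE line. It is also worth confirming that the build still resolves every dependency from the vendored tree with this setting, since nothing in the hunk pins that.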
@@ -854,11 +855,11 @@ } func platformMatches(img *image.Image, p *ocispec.Platform) bool { - if img.Architecture != p.Architecture { - return false - } - if img.Variant != "" && img.Variant != p.Variant { - return false - } - return img.OS == p.OS + return dimages.OnlyPlatformWithFallback(*p).Match(ocispec.Platform{ + Architecture: img.Architecture, + OS: img.OS, + OSVersion: img.OSVersion, + OSFeatures: img.OSFeatures, + Variant: img.Variant, + }) } diff -Nru docker.io-20.10.7/engine/cmd/dockerd/daemon.go docker.io-20.10.11/engine/cmd/dockerd/daemon.go --- docker.io-20.10.7/engine/cmd/dockerd/daemon.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/cmd/dockerd/daemon.go 2021-11-18 00:21:59.000000000 +0000 @@ -114,7 +114,7 @@ // return human-friendly error before creating files if runtime.GOOS == "linux" && os.Geteuid() != 0 { - return fmt.Errorf("dockerd needs to be started with root. To see how to run dockerd in rootless mode with unprivileged user, see the documentation") + return fmt.Errorf("dockerd needs to be started with root privileges. To run dockerd in rootless mode as an unprivileged user, see https://docs.docker.com/go/rootless/") } system.InitLCOW(cli.Config.Experimental) diff -Nru docker.io-20.10.7/engine/cmd/dockerd/service_windows.go docker.io-20.10.11/engine/cmd/dockerd/service_windows.go --- docker.io-20.10.7/engine/cmd/dockerd/service_windows.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/cmd/dockerd/service_windows.go 2021-11-18 00:21:59.000000000 +0000 
@@ -372,7 +372,7 @@ func initPanicFile(path string) error { var err error - panicFile, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0) + panicFile, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0o200) if err != nil { return err } diff -Nru docker.io-20.10.7/engine/contrib/dockerd-rootless.sh docker.io-20.10.11/engine/contrib/dockerd-rootless.sh --- docker.io-20.10.7/engine/contrib/dockerd-rootless.sh 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/contrib/dockerd-rootless.sh 2021-11-18 00:21:59.000000000 +0000 @@ -24,12 +24,12 @@ exit 1 ;; esac -if ! [ -w $XDG_RUNTIME_DIR ]; then +if ! [ -w "$XDG_RUNTIME_DIR" ]; then echo "XDG_RUNTIME_DIR needs to be set and writable" exit 1 fi -if ! [ -w $HOME ]; then - echo "HOME needs to be set and writable" +if ! [ -d "$HOME" ]; then + echo "HOME needs to be set and exist." exit 1 fi @@ -40,7 +40,7 @@ break fi done -if [ -z $rootlesskit ]; then +if [ -z "$rootlesskit" ]; then echo "rootlesskit needs to be installed" exit 1 fi @@ -52,19 +52,19 @@ : "${DOCKERD_ROOTLESS_ROOTLESSKIT_SLIRP4NETNS_SECCOMP:=auto}" net=$DOCKERD_ROOTLESS_ROOTLESSKIT_NET mtu=$DOCKERD_ROOTLESS_ROOTLESSKIT_MTU -if [ -z $net ]; then +if [ -z "$net" ]; then if command -v slirp4netns > /dev/null 2>&1; then # If --netns-type is present in --help, slirp4netns is >= v0.4.0. if slirp4netns --help | grep -qw -- --netns-type; then net=slirp4netns - if [ -z $mtu ]; then + if [ -z "$mtu" ]; then mtu=65520 fi else echo "slirp4netns found but seems older than v0.4.0. Falling back to VPNKit." fi fi - if [ -z $net ]; then + if [ -z "$net" ]; then if command -v vpnkit > /dev/null 2>&1; then net=vpnkit else 
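Review bot: The new mode `0o200` in `initPanicFile` has no comment explaining why the permission argument changed from `0`, and the reason is not obvious from the call. It looks tied to the Go toolchain bump elsewhere in this diff: on Windows, creating a file without the owner-write bit presumably yields a read-only file, which would break the append. That is an inference and should be confirmed. If it holds, add `// 0o200: owner-write bit, so the newly created panic file is not marked read-only on Windows` above the `os.OpenFile` call. The function body continues outside the hunk.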
@@ -73,17 +73,23 @@ fi fi fi -if [ -z $mtu ]; then +if [ -z "$mtu" ]; then mtu=1500 fi -if [ -z $_DOCKERD_ROOTLESS_CHILD ]; then +if [ -z "$_DOCKERD_ROOTLESS_CHILD" ]; then _DOCKERD_ROOTLESS_CHILD=1 export _DOCKERD_ROOTLESS_CHILD if [ "$(id -u)" = "0" ]; then echo "This script must be executed as a non-privileged user" exit 1 fi + # `selinuxenabled` always returns false in RootlessKit child, so we execute `selinuxenabled` in the parent. + # https://github.com/rootless-containers/rootlesskit/issues/94 + if command -v selinuxenabled > /dev/null 2>&1 && selinuxenabled; then + _DOCKERD_ROOTLESS_SELINUX=1 + export _DOCKERD_ROOTLESS_SELINUX + fi # Re-exec the script via RootlessKit, so as to create unprivileged {user,mount,network} namespaces. # # --copy-up allows removing/creating files in the directories by creating tmpfs and symlinks 
@@ -101,9 +107,26 @@ $DOCKERD_ROOTLESS_ROOTLESSKIT_FLAGS \ $0 $@ else - [ $_DOCKERD_ROOTLESS_CHILD = 1 ] + [ "$_DOCKERD_ROOTLESS_CHILD" = 1 ] # remove the symlinks for the existing files in the parent namespace if any, # so that we can create our own files in our mount namespace. rm -f /run/docker /run/containerd /run/xtables.lock + + if [ -n "$_DOCKERD_ROOTLESS_SELINUX" ]; then + # iptables requires /run in the child to be relabeled. The actual /run in the parent is unaffected. + # https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401 + # https://github.com/moby/moby/issues/41230 + chcon system_u:object_r:iptables_var_run_t:s0 /run + fi + + if [ "$(stat -c %T -f /etc)" = "tmpfs" ] && [ -L "/etc/ssl" ]; then + # Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed. + # https://github.com/rootless-containers/rootlesskit/issues/225 + realpath_etc_ssl=$(realpath /etc/ssl) + rm -f /etc/ssl + mkdir /etc/ssl + mount --rbind ${realpath_etc_ssl} /etc/ssl + fi + exec dockerd $@ fi diff -Nru docker.io-20.10.7/engine/daemon/cluster/executor/container/executor.go docker.io-20.10.11/engine/daemon/cluster/executor/container/executor.go --- docker.io-20.10.7/engine/daemon/cluster/executor/container/executor.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/cluster/executor/container/executor.go 2021-11-18 00:21:59.000000000 +0000 
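Review bot: `mount --rbind ${realpath_etc_ssl} /etc/ssl` leaves the expansion unquoted, although every other test this commit touches was changed to quote its variable. A resolved path containing whitespace or glob characters would be split into several arguments to `mount`, so write `mount --rbind "${realpath_etc_ssl}" /etc/ssl`. The block also removes `/etc/ssl` before the bind mount is known to succeed. If `realpath`, `mkdir` or `mount` fails, the child namespace is left without its certificate directory unless the script runs under `set -e`, which is not visible in this hunk.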
@@ -15,12 +15,15 @@ "github.com/docker/docker/daemon/cluster/convert" executorpkg "github.com/docker/docker/daemon/cluster/executor" clustertypes "github.com/docker/docker/daemon/cluster/provider" + "github.com/docker/libnetwork" networktypes "github.com/docker/libnetwork/types" "github.com/docker/swarmkit/agent" "github.com/docker/swarmkit/agent/exec" "github.com/docker/swarmkit/api" "github.com/docker/swarmkit/api/naming" + "github.com/docker/swarmkit/log" "github.com/docker/swarmkit/template" + "github.com/pkg/errors" "github.com/sirupsen/logrus" ) @@ -32,6 +35,14 @@ dependencies exec.DependencyManager mutex sync.Mutex // This mutex protects the following node field node *api.NodeDescription + + // nodeObj holds a copy of the swarmkit Node object from the time of the + // last call to executor.Configure. This allows us to discover which + // network attachments the node previously had, which further allows us to + // determine which, if any, need to be removed. nodeObj is not protected by + // a mutex, because it is only written to in the method (Configure) that it + // is read from. If that changes, it may need to be guarded. + nodeObj *api.Node } // NewExecutor returns an executor from the docker client. 
@@ -157,6 +168,40 @@ attachments[na.Network.ID] = na.Addresses[0] } + // discover which, if any, attachments have been removed. + // + // we aren't responsible directly for creating these networks. that is + // handled indirectly when a container using that network is created. + // however, when it comes time to remove the network, none of the relevant + // tasks may exist anymore. this means we should go ahead and try to remove + // any network we know to no longer be in use. + + // removeAttachments maps the network ID to a boolean. This boolean + // indicates whether the attachment in question is totally removed (true), + // or has just had its IP changed (false) + removeAttachments := make(map[string]bool) + + // the first time we Configure, nodeObj wil be nil, because it will not be + // set yet. in that case, skip this check. + if e.nodeObj != nil { + for _, na := range e.nodeObj.Attachments { + // same thing as above, check sanity of the attachments so we don't + // get a panic. + if na == nil || na.Network == nil || len(na.Addresses) == 0 { + logrus.WithField("NetworkAttachment", fmt.Sprintf("%#v", na)). + Warnf("skipping nil or malformed node network attachment entry") + continue + } + + // now, check if the attachment exists and shares the same IP address. + if ip, ok := attachments[na.Network.ID]; !ok || na.Addresses[0] != ip { + // if the map entry exists, then the network still exists, and the + // IP must be what has changed + removeAttachments[na.Network.ID] = !ok + } + } + } + if (ingressNA == nil) && (node.Attachment != nil) && (len(node.Attachment.Addresses) > 0) { ingressNA = node.Attachment attachments[ingressNA.Network.ID] = ingressNA.Addresses[0] 
@@ -197,6 +242,42 @@ return err } + var ( + activeEndpointsError *libnetwork.ActiveEndpointsError + errNoSuchNetwork libnetwork.ErrNoSuchNetwork + ) + + // now, finally, remove any network LB attachments that we no longer have. + for nw, gone := range removeAttachments { + err := e.backend.DeleteManagedNetwork(nw) + switch { + case err == nil: + continue + case errors.As(err, &activeEndpointsError): + // this is the purpose of the boolean in the map. it's literally + // just to log an appropriate, informative error. i'm unsure if + // this can ever actually occur, but we need to know if it does. + if gone { + log.G(ctx).Warnf("network %s should be removed, but still has active attachments", nw) + } else { + log.G(ctx).Warnf( + "network %s should have its node LB IP changed, but cannot be removed because of active attachments", + nw, + ) + } + continue + case errors.As(err, &errNoSuchNetwork): + // NoSuchNetworkError indicates the network is already gone. + continue + default: + log.G(ctx).Errorf("network %s remove failed: %v", nw, err) + } + } + + // now update our copy of the node object, reset the attachment store, and + // return + e.nodeObj = node + return e.backend.GetAttachmentStore().ResetAttachments(attachments) } diff -Nru docker.io-20.10.7/engine/daemon/container_operations_unix.go docker.io-20.10.11/engine/daemon/container_operations_unix.go --- docker.io-20.10.7/engine/daemon/container_operations_unix.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/container_operations_unix.go 2021-11-18 00:21:59.000000000 +0000 @@ -3,13 +3,11 @@ package daemon // import "github.com/docker/docker/daemon" import ( - "context" "fmt" "io/ioutil" "os" "path/filepath" "strconv" - "time" "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" 
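Review bot: `e.nodeObj = node` runs unconditionally after the removal loop, so a network whose `DeleteManagedNetwork` call ended in the `default` branch or in the `ActiveEndpointsError` branch is forgotten. On the next `Configure` it no longer appears in `e.nodeObj.Attachments`, and the cleanup is never retried. If best-effort is intended, say so next to the assignment, e.g. `// failed removals are not retried; nodeObj always tracks the latest node`; otherwise carry the failed network IDs over to the next pass. The assignment also stores the caller's pointer, while the field comment added in the struct hunk describes a copy, so it is worth confirming that `node` is not mutated after `Configure` returns. The enclosing function starts and ends outside the hunk.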
@@ -336,38 +334,32 @@ } } -func killProcessDirectly(cntr *container.Container) error { - ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) - defer cancel() - - // Block until the container to stops or timeout. - status := <-cntr.Wait(ctx, container.WaitConditionNotRunning) - if status.Err() != nil { - // Ensure that we don't kill ourselves - if pid := cntr.GetPID(); pid != 0 { - logrus.Infof("Container %s failed to exit within 10 seconds of kill - trying direct SIGKILL", stringid.TruncateID(cntr.ID)) - if err := unix.Kill(pid, 9); err != nil { - if err != unix.ESRCH { - return err - } - e := errNoSuchProcess{pid, 9} - logrus.Debug(e) - return e - } +func killProcessDirectly(container *container.Container) error { + pid := container.GetPID() + // Ensure that we don't kill ourselves + if pid == 0 { + return nil + } - // In case there were some exceptions(e.g., state of zombie and D) - if system.IsProcessAlive(pid) { + if err := unix.Kill(pid, 9); err != nil { + if err != unix.ESRCH { + return err + } + e := errNoSuchProcess{pid, 9} + logrus.WithError(e).WithField("container", container.ID).Debug("no such process") + return e + } - // Since we can not kill a zombie pid, add zombie check here - isZombie, err := system.IsProcessZombie(pid) - if err != nil { - logrus.Warnf("Container %s state is invalid", stringid.TruncateID(cntr.ID)) - return err - } - if isZombie { - return errdefs.System(errors.Errorf("container %s PID %d is zombie and can not be killed. 
Use the --init option when creating containers to run an init inside the container that forwards signals and reaps processes", stringid.TruncateID(cntr.ID), pid)) - } - } + // In case there were some exceptions(e.g., state of zombie and D) + if system.IsProcessAlive(pid) { + // Since we can not kill a zombie pid, add zombie check here + isZombie, err := system.IsProcessZombie(pid) + if err != nil { + logrus.WithError(err).WithField("container", container.ID).Warn("Container state is invalid") + return err + } + if isZombie { + return errdefs.System(errors.Errorf("container %s PID %d is zombie and can not be killed. Use the --init option when creating containers to run an init inside the container that forwards signals and reaps processes", stringid.TruncateID(container.ID), pid)) } } return nil @@ -466,5 +458,5 @@ if err != nil { return err } - return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity()) + return idtools.MkdirAllAndChown(p, 0710, idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID}) } diff -Nru docker.io-20.10.7/engine/daemon/create.go docker.io-20.10.11/engine/daemon/create.go --- docker.io-20.10.7/engine/daemon/create.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/create.go 2021-11-18 00:21:59.000000000 +0000 
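Review bot: Renaming the parameter from `cntr` to `container` in `killProcessDirectly` shadows the imported `container` package inside the body. `container.ID` and `container.GetPID()` now resolve to the variable, while the signature still needs the package for `*container.Container`. It compiles, but a later edit that needs a package-level identifier in this function will fail confusingly; keeping `cntr` avoids that. The literal `9` passed to `unix.Kill` and stored in `errNoSuchProcess` would read better as a named signal constant, assuming the struct's field type accepts one.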
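Review bot: The switch from `0701` to `0710`, with the group set to the remapped root GID in the `@@ -466,5 +458,5 @@` hunk, only tightens access on an upgraded host if directories that already exist with the old mode are re-moded. This hunk does not show whether `idtools.MkdirAllAndChown` changes the mode and ownership of an existing path. Please confirm that behaviour or add an explicit chmod/chown step, because the same pattern is repeated in the `create.go`, `daemon.go`, `daemon_unix.go` and graphdriver hunks of this diff. The repeated `idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: ...}` literal would also be easier to audit as one small helper. The enclosing function starts outside the hunk.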
@@ -212,10 +212,11 @@ } ctr.RWLayer = rwLayer - if err := idtools.MkdirAndChown(ctr.Root, 0701, idtools.CurrentIdentity()); err != nil { + current := idtools.CurrentIdentity() + if err := idtools.MkdirAndChown(ctr.Root, 0710, idtools.Identity{UID: current.UID, GID: daemon.IdentityMapping().RootPair().GID}); err != nil { return nil, err } - if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil { + if err := idtools.MkdirAndChown(ctr.CheckpointDir(), 0700, current); err != nil { return nil, err } diff -Nru docker.io-20.10.7/engine/daemon/daemon.go docker.io-20.10.11/engine/daemon/daemon.go --- docker.io-20.10.7/engine/daemon/daemon.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/daemon.go 2021-11-18 00:21:59.000000000 +0000 @@ -861,7 +861,10 @@ } daemonRepo := filepath.Join(config.Root, "containers") - if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil { + if err := idtools.MkdirAllAndChown(daemonRepo, 0710, idtools.Identity{ + UID: idtools.CurrentIdentity().UID, + GID: rootIDs.GID, + }); err != nil { return nil, err } diff -Nru docker.io-20.10.7/engine/daemon/daemon_unix.go docker.io-20.10.11/engine/daemon/daemon_unix.go --- docker.io-20.10.7/engine/daemon/daemon_unix.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/daemon_unix.go 2021-11-18 00:21:59.000000000 +0000 
@@ -1216,21 +1216,21 @@ } } + id := idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: remappedRoot.GID} + // First make sure the current root dir has the correct perms. + if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil { + return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root) + } + // if user namespaces are enabled we will create a subtree underneath the specified root // with any/all specified remapped root uid/gid options on the daemon creating // a new subdirectory with ownership set to the remapped uid/gid (so as to allow // `chdir()` to work for containers namespaced to that uid/gid) if config.RemappedRoot != "" { - id := idtools.CurrentIdentity() - // First make sure the current root dir has the correct perms. - if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil { - return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root) - } - config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID)) logrus.Debugf("Creating user namespaced daemon root: %s", config.Root) // Create the root directory if it doesn't exist - if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil { + if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil { return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err) } // we also need to verify that any pre-existing directories in the path to diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/aufs/aufs.go docker.io-20.10.11/engine/daemon/graphdriver/aufs/aufs.go --- docker.io-20.10.7/engine/daemon/graphdriver/aufs/aufs.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/aufs/aufs.go 2021-11-18 00:21:59.000000000 +0000 
@@ -130,14 +130,23 @@ } currentID := idtools.CurrentIdentity() + _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) + if err != nil { + return nil, err + } + dirID := idtools.Identity{ + UID: currentID.UID, + GID: rootGID, + } + // Create the root aufs driver dir - if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil { + if err := idtools.MkdirAllAndChown(root, 0710, dirID); err != nil { return nil, err } // Populate the dir structure for _, p := range paths { - if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil { + if err := idtools.MkdirAllAndChown(path.Join(root, p), 0710, dirID); err != nil { return nil, err } } diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/btrfs/btrfs.go docker.io-20.10.11/engine/daemon/graphdriver/btrfs/btrfs.go --- docker.io-20.10.7/engine/daemon/graphdriver/btrfs/btrfs.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/btrfs/btrfs.go 2021-11-18 00:21:59.000000000 +0000 @@ -70,7 +70,14 @@ return nil, graphdriver.ErrPrerequisites } - if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { + remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps) + currentID := idtools.CurrentIdentity() + dirID := idtools.Identity{ + UID: currentID.UID, + GID: remappedRoot.RootPair().GID, + } + + if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { return nil, err } 
@@ -521,7 +528,14 @@ if err != nil { return err } - if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil { + + currentID := idtools.CurrentIdentity() + dirID := idtools.Identity{ + UID: currentID.UID, + GID: rootGID, + } + + if err := idtools.MkdirAllAndChown(subvolumes, 0710, dirID); err != nil { return err } if parent == "" { diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go docker.io-20.10.11/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go --- docker.io-20.10.7/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go 2021-11-18 00:21:59.000000000 +0000 @@ -88,7 +88,17 @@ return nil, graphdriver.ErrNotSupported } - if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil { + remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps) + currentID := idtools.CurrentIdentity() + dirID := idtools.Identity{ + UID: currentID.UID, + GID: remappedRoot.RootPair().GID, + } + + if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { + return nil, err + } + if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 700, currentID); err != nil { return nil, err } @@ -173,11 +183,15 @@ } root := idtools.Identity{UID: rootUID, GID: rootGID} - currentID := idtools.CurrentIdentity() - if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil { + dirID := idtools.Identity{ + UID: rootUID, + GID: rootGID, + } + + if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil { return err } - if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil { + if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { return err } 
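Review bot: In the first fuse-overlayfs hunk (`@@ -88,7 +88,17 @@`) the link directory is created with `700`, which is a decimal literal, not octal `0700`. Decimal 700 is `0o1274`, so the permission bits come out as `0274`: the owner gets no read or search access, the group gets read/write/execute, and others get read. That is the opposite of the owner-only directory the overlay2 hunk in this diff creates with `0700`. Change the call to `idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, currentID)`.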
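Review bot: In the `@@ -173,11 +183,15 @@` fuse-overlayfs hunk `dirID` is built from `rootUID` and `rootGID`, which makes it identical to `root` declared on the line above. The overlay, overlay2 and vfs hunks in this diff instead pair `idtools.CurrentIdentity().UID` with the root GID. If the difference is deliberate for this driver, a one-line comment should say why. If not, use `UID: idtools.CurrentIdentity().UID` here too, or drop `dirID` and pass `root`. The same `dirID` feeds the `workDirName` call in the following hunk, and the enclosing function starts outside this one.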
@@ -211,7 +225,7 @@ return nil } - if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0701, currentID); err != nil { + if err := idtools.MkdirAndChown(path.Join(dir, workDirName), 0710, dirID); err != nil { return err } diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/overlay/overlay.go docker.io-20.10.11/engine/daemon/graphdriver/overlay/overlay.go --- docker.io-20.10.7/engine/daemon/graphdriver/overlay/overlay.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/overlay/overlay.go 2021-11-18 00:21:59.000000000 +0000 @@ -156,11 +156,20 @@ logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs)) } - // Create the driver home dir - if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { + currentID := idtools.CurrentIdentity() + _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) + if err != nil { return nil, err } + dirID := idtools.Identity{ + UID: currentID.UID, + GID: rootGID, + } + // Create the driver home dir + if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { + return nil, err + } d := &Driver{ home: home, uidMaps: uidMaps, @@ -262,10 +271,11 @@ root := idtools.Identity{UID: rootUID, GID: rootGID} currentID := idtools.CurrentIdentity() - if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil { - return err + dirID := idtools.Identity{ + UID: currentID.UID, + GID: rootGID, } - if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil { + if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { return err } diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/overlay2/overlay.go docker.io-20.10.11/engine/daemon/graphdriver/overlay2/overlay.go --- docker.io-20.10.7/engine/daemon/graphdriver/overlay2/overlay.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/overlay2/overlay.go 2021-11-18 00:21:59.000000000 +0000 
@@ -165,7 +165,20 @@ logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs)) } - if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil { + _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) + if err != nil { + return nil, err + } + + cur := idtools.CurrentIdentity() + dirID := idtools.Identity{ + UID: cur.UID, + GID: rootGID, + } + if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { + return nil, err + } + if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, cur); err != nil { return nil, err } @@ -344,12 +357,15 @@ return err } root := idtools.Identity{UID: rootUID, GID: rootGID} - current := idtools.CurrentIdentity() + dirID := idtools.Identity{ + UID: idtools.CurrentIdentity().UID, + GID: rootGID, + } - if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil { + if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil { return err } - if err := idtools.MkdirAndChown(dir, 0701, current); err != nil { + if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil { return err } diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/overlayutils/overlayutils.go docker.io-20.10.11/engine/daemon/graphdriver/overlayutils/overlayutils.go --- docker.io-20.10.7/engine/daemon/graphdriver/overlayutils/overlayutils.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/overlayutils/overlayutils.go 2021-11-18 00:21:59.000000000 +0000 
@@ -37,6 +37,16 @@ // checkMultipleLowers parameter enables check for multiple lowerdirs, // which is required for the overlay2 driver. func SupportsOverlay(d string, checkMultipleLowers bool) error { + // We can't rely on go-selinux.GetEnabled() to detect whether SELinux is enabled, + // because RootlessKit doesn't mount /sys/fs/selinux in the child: https://github.com/rootless-containers/rootlesskit/issues/94 + // So we check $_DOCKERD_ROOTLESS_SELINUX, which is set by dockerd-rootless.sh . + if os.Getenv("_DOCKERD_ROOTLESS_SELINUX") == "1" { + // Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux, + // so fallback to fuse-overlayfs. + // https://github.com/moby/moby/issues/42333 + return errors.New("overlay is not supported for Rootless with SELinux") + } + td, err := ioutil.TempDir(d, "check-overlayfs-support") if err != nil { return err diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/vfs/driver.go docker.io-20.10.11/engine/daemon/graphdriver/vfs/driver.go --- docker.io-20.10.7/engine/daemon/graphdriver/vfs/driver.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/vfs/driver.go 2021-11-18 00:21:59.000000000 +0000 @@ -37,8 +37,16 @@ if err := d.parseOptions(options); err != nil { return nil, err } + _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) + if err != nil { + return nil, err + } - if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil { + dirID := idtools.Identity{ + UID: idtools.CurrentIdentity().UID, + GID: rootGID, + } + if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil { return nil, err } 
@@ -140,7 +148,12 @@ func (d *Driver) create(id, parent string, size uint64) error { dir := d.dir(id) rootIDs := d.idMapping.RootPair() - if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil { + + dirID := idtools.Identity{ + UID: idtools.CurrentIdentity().UID, + GID: rootIDs.GID, + } + if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0710, dirID); err != nil { return err } if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil { diff -Nru docker.io-20.10.7/engine/daemon/graphdriver/zfs/zfs.go docker.io-20.10.11/engine/daemon/graphdriver/zfs/zfs.go --- docker.io-20.10.7/engine/daemon/graphdriver/zfs/zfs.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/graphdriver/zfs/zfs.go 2021-11-18 00:21:59.000000000 +0000 @@ -104,7 +104,16 @@ return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName) } - if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil { + _, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps) + if err != nil { + return nil, err + } + + dirID := idtools.Identity{ + UID: idtools.CurrentIdentity().UID, + GID: rootGID, + } + if err := idtools.MkdirAllAndChown(base, 0710, dirID); err != nil { return nil, fmt.Errorf("Failed to create '%s': %v", base, err) } diff -Nru docker.io-20.10.7/engine/daemon/images/image_pull.go docker.io-20.10.11/engine/daemon/images/image_pull.go --- docker.io-20.10.7/engine/daemon/images/image_pull.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/images/image_pull.go 2021-11-18 00:21:59.000000000 +0000 
@@ -15,10 +15,12 @@ progressutils "github.com/docker/docker/distribution/utils" "github.com/docker/docker/errdefs" "github.com/docker/docker/pkg/progress" + "github.com/docker/docker/pkg/streamformatter" "github.com/docker/docker/registry" digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" + "github.com/sirupsen/logrus" ) // PullImage initiates a pull operation. image is the repository name to pull, and 
@@ -51,7 +53,29 @@ err = i.pullImageWithReference(ctx, ref, platform, metaHeaders, authConfig, outStream) imageActions.WithValues("pull").UpdateSince(start) - return err + if err != nil { + return err + } + + if platform != nil { + // If --platform was specified, check that the image we pulled matches + // the expected platform. This check is for situations where the image + // is a single-arch image, in which case (for backward compatibility), + // we allow the image to have a non-matching architecture. The code + // below checks for this situation, and returns a warning to the client, + // as well ass logs it to the daemon logs. + img, err := i.GetImage(image, platform) + + // Note that this is a special case where GetImage returns both an image + // and an error: https://github.com/docker/docker/blob/v20.10.7/daemon/images/image.go#L175-L183 + if errdefs.IsNotFound(err) && img != nil { + po := streamformatter.NewJSONProgressOutput(outStream, false) + progress.Messagef(po, "", `WARNING: %s`, err.Error()) + logrus.WithError(err).WithField("image", image).Warn("ignoring platform mismatch on single-arch image") + } + } + + return nil } func (i *ImageService) pullImageWithReference(ctx context.Context, ref reference.Named, platform *specs.Platform, metaHeaders map[string][]string, authConfig *types.AuthConfig, outStream io.Writer) error { diff -Nru docker.io-20.10.7/engine/daemon/info_unix.go docker.io-20.10.11/engine/daemon/info_unix.go --- docker.io-20.10.7/engine/daemon/info_unix.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/info_unix.go 2021-11-18 00:21:59.000000000 +0000 
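Review bot: The inner `img, err := i.GetImage(image, platform)` shadows the outer `err`, and every outcome other than "not found with a non-nil image" is dropped without a trace. That includes a genuine lookup failure right after a successful pull. If ignoring it is intentional, log it so it can be diagnosed, e.g. an `else if err != nil` branch with `logrus.WithError(err).WithField("image", image).Debug("platform check after pull failed")`. The new comment also has a typo: `as well ass logs it` should read `as well as logs it`. The function starts outside the hunk.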
@@ -25,16 +25,18 @@ v.CgroupVersion = "2" } - v.MemoryLimit = sysInfo.MemoryLimit - v.SwapLimit = sysInfo.SwapLimit - v.KernelMemory = sysInfo.KernelMemory - v.KernelMemoryTCP = sysInfo.KernelMemoryTCP - v.OomKillDisable = sysInfo.OomKillDisable - v.CPUCfsPeriod = sysInfo.CPUCfs - v.CPUCfsQuota = sysInfo.CPUCfs - v.CPUShares = sysInfo.CPUShares - v.CPUSet = sysInfo.Cpuset - v.PidsLimit = sysInfo.PidsLimit + if v.CgroupDriver != cgroupNoneDriver { + v.MemoryLimit = sysInfo.MemoryLimit + v.SwapLimit = sysInfo.SwapLimit + v.KernelMemory = sysInfo.KernelMemory + v.KernelMemoryTCP = sysInfo.KernelMemoryTCP + v.OomKillDisable = sysInfo.OomKillDisable + v.CPUCfsPeriod = sysInfo.CPUCfs + v.CPUCfsQuota = sysInfo.CPUCfs + v.CPUShares = sysInfo.CPUShares + v.CPUSet = sysInfo.Cpuset + v.PidsLimit = sysInfo.PidsLimit + } v.Runtimes = daemon.configStore.GetAllRuntimes() v.DefaultRuntime = daemon.configStore.GetDefaultRuntimeName() v.InitBinary = daemon.configStore.GetInitPath() diff -Nru docker.io-20.10.7/engine/daemon/kill.go docker.io-20.10.11/engine/daemon/kill.go --- docker.io-20.10.7/engine/daemon/kill.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/kill.go 2021-11-18 00:21:59.000000000 +0000 
@@ -139,29 +139,22 @@ // 1. Send SIGKILL if err := daemon.killPossiblyDeadProcess(container, int(syscall.SIGKILL)); err != nil { - // While normally we might "return err" here we're not going to - // because if we can't stop the container by this point then - // it's probably because it's already stopped. Meaning, between - // the time of the IsRunning() call above and now it stopped. - // Also, since the err return will be environment specific we can't - // look for any particular (common) error that would indicate - // that the process is already dead vs something else going wrong. - // So, instead we'll give it up to 2 more seconds to complete and if - // by that time the container is still running, then the error - // we got is probably valid and so we return it to the caller. + // kill failed, check if process is no longer running. if isErrNoSuchProcess(err) { return nil } + } - ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) - defer cancel() + ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second) + defer cancel() - if status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning); status.Err() != nil { - return err - } + status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning) + if status.Err() == nil { + return nil } - // 2. Wait for the process to die, in last resort, try to kill the process directly + logrus.WithError(status.Err()).WithField("container", container.ID).Error("Container failed to exit within 10 seconds of kill - trying direct SIGKILL") + if err := killProcessDirectly(container); err != nil { if isErrNoSuchProcess(err) { return nil 
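Review bot: After this change, a `killPossiblyDeadProcess` error that is not "no such process" is neither returned nor logged. The `if` block ends and `err` goes out of scope before the 10-second wait starts. When the wait times out, the only message is the generic "failed to exit within 10 seconds of kill" line, so the original SIGKILL failure is lost to whoever reads the daemon log. Add a log inside the block, e.g. `logrus.WithError(err).WithField("container", container.ID).Warn("SIGKILL failed, waiting for container exit")`. The function continues outside the hunk.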
@@ -169,10 +162,13 @@ return err } - // Wait for exit with no timeout. - // Ignore returned status. - <-container.Wait(context.Background(), containerpkg.WaitConditionNotRunning) + // wait for container to exit one last time, if it doesn't then kill didnt work, so return error + ctx2, cancel2 := context.WithTimeout(context.Background(), 2*time.Second) + defer cancel2() + if status := <-container.Wait(ctx2, containerpkg.WaitConditionNotRunning); status.Err() != nil { + return errors.New("tried to kill container, but did not receive an exit event") + } return nil } diff -Nru docker.io-20.10.7/engine/daemon/stop.go docker.io-20.10.11/engine/daemon/stop.go --- docker.io-20.10.7/engine/daemon/stop.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/daemon/stop.go 2021-11-18 00:21:59.000000000 +0000 
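Review bot: The final `errors.New("tried to kill container, but did not receive an exit event")` discards `status.Err()` and does not name the container. A caller or log reader cannot tell a timeout from another wait failure, or see which container is stuck. Wrapping keeps both: `return errors.Wrapf(status.Err(), "tried to kill container %s, but did not receive an exit event", container.ID)`. That assumes `errors` in this file is `github.com/pkg/errors`; the import block is outside the hunk. The comment's `didnt` should be `didn't`.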
@@ -38,52 +38,64 @@ // containerStop sends a stop signal, waits, sends a kill signal. func (daemon *Daemon) containerStop(container *containerpkg.Container, seconds int) error { + // TODO propagate a context down to this function + ctx := context.TODO() if !container.IsRunning() { return nil } - + var wait time.Duration + if seconds >= 0 { + wait = time.Duration(seconds) * time.Second + } + success := func() error { + daemon.LogContainerEvent(container, "stop") + return nil + } stopSignal := container.StopSignal() - // 1. Send a stop signal - if err := daemon.killPossiblyDeadProcess(container, stopSignal); err != nil { - // While normally we might "return err" here we're not going to - // because if we can't stop the container by this point then - // it's probably because it's already stopped. Meaning, between - // the time of the IsRunning() call above and now it stopped. - // Also, since the err return will be environment specific we can't - // look for any particular (common) error that would indicate - // that the process is already dead vs something else going wrong. - // So, instead we'll give it up to 2 more seconds to complete and if - // by that time the container is still running, then the error - // we got is probably valid and so we force kill it. - ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second) - defer cancel() - if status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning); status.Err() != nil { - logrus.Infof("Container failed to stop after sending signal %d to the process, force killing", stopSignal) - if err := daemon.killPossiblyDeadProcess(container, 9); err != nil { - return err - } - } + // 1. Send a stop signal + err := daemon.killPossiblyDeadProcess(container, stopSignal) + if err != nil { + wait = 2 * time.Second } - // 2. 
Wait for the process to exit on its own - ctx := context.Background() + var subCtx context.Context + var cancel context.CancelFunc if seconds >= 0 { - var cancel context.CancelFunc - ctx, cancel = context.WithTimeout(ctx, time.Duration(seconds)*time.Second) - defer cancel() + subCtx, cancel = context.WithTimeout(ctx, wait) + } else { + subCtx, cancel = context.WithCancel(ctx) + } + defer cancel() + + if status := <-container.Wait(subCtx, containerpkg.WaitConditionNotRunning); status.Err() == nil { + // container did exit, so ignore any previous errors and return + return success() } - if status := <-container.Wait(ctx, containerpkg.WaitConditionNotRunning); status.Err() != nil { - logrus.Infof("Container %v failed to exit within %d seconds of signal %d - using the force", container.ID, seconds, stopSignal) - // 3. If it doesn't, then send SIGKILL - if err := daemon.Kill(container); err != nil { - // Wait without a timeout, ignore result. - <-container.Wait(context.Background(), containerpkg.WaitConditionNotRunning) - logrus.Warn(err) // Don't return error because we only care that container is stopped, not what function stopped it + if err != nil { + // the container has still not exited, and the kill function errored, so log the error here: + logrus.WithError(err).WithField("container", container.ID).Errorf("Error sending stop (signal %d) to container", stopSignal) + } + if seconds < 0 { + // if the client requested that we never kill / wait forever, but container.Wait was still + // interrupted (parent context cancelled, for example), we should propagate the signal failure + return err + } + + logrus.WithField("container", container.ID).Infof("Container failed to exit within %s of signal %d - using the force", wait, stopSignal) + // Stop either failed or container didnt exit, so fallback to kill. 
+ if err := daemon.Kill(container); err != nil { + // got a kill error, but give container 2 more seconds to exit just in case + subCtx, cancel := context.WithTimeout(ctx, 2*time.Second) + defer cancel() + if status := <-container.Wait(subCtx, containerpkg.WaitConditionNotRunning); status.Err() == nil { + // container did exit, so ignore error and return + return success() } + logrus.WithError(err).WithField("container", container.ID).Error("Error killing the container") + return err } - daemon.LogContainerEvent(container, "stop") - return nil + return success() } diff -Nru docker.io-20.10.7/engine/distribution/manifest.go docker.io-20.10.11/engine/distribution/manifest.go --- docker.io-20.10.7/engine/distribution/manifest.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/distribution/manifest.go 2021-11-18 00:21:59.000000000 +0000 @@ -3,6 +3,7 @@ import ( "context" "encoding/json" + "fmt" "io" "io/ioutil" @@ -11,7 +12,9 @@ "github.com/containerd/containerd/log" "github.com/containerd/containerd/remotes" "github.com/docker/distribution" + "github.com/docker/distribution/manifest/manifestlist" "github.com/docker/distribution/manifest/schema1" + "github.com/docker/distribution/manifest/schema2" digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/image-spec/specs-go/v1" "github.com/pkg/errors" @@ -166,8 +169,10 @@ func detectManifestBlobMediaType(dt []byte) (string, error) { var mfst struct { MediaType string `json:"mediaType"` - Config json.RawMessage `json:"config"` // schema2 Manifest - FSLayers json.RawMessage `json:"fsLayers"` // schema1 Manifest + Manifests json.RawMessage `json:"manifests"` // oci index, manifest list + Config json.RawMessage `json:"config"` // schema2 Manifest + Layers json.RawMessage `json:"layers"` // schema2 Manifest + FSLayers json.RawMessage `json:"fsLayers"` // schema1 Manifest } if err := json.Unmarshal(dt, &mfst); err != nil { 
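Review bot: In `containerStop`, when `seconds < 0` and `killPossiblyDeadProcess` fails, the `wait = 2 * time.Second` fallback is never used: the `else` branch builds `subCtx` with `context.WithCancel(ctx)`, and because `ctx` is `context.TODO()` the `container.Wait` call can block indefinitely on a container that never received the stop signal. Taking the timeout branch whenever the signal failed, `if seconds >= 0 || err != nil {`, bounds that wait, and the existing `seconds < 0` check then returns the signal error as its comment intends. Separately, that `return err` yields nil when the signal was sent successfully but the wait was interrupted, so the caller would see success for a container that is still running. Returning the wait error in that case looks safer, though with the current `context.TODO()` this path may not be reachable yet.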
@@ -178,18 +183,40 @@ // Docker types should generally have a media type set. // OCI (golang) types do not have a `mediaType` defined, and it is optional in the spec. // - // `distrubtion.UnmarshalManifest`, which is used to unmarshal this for real, checks these media type values. + // `distribution.UnmarshalManifest`, which is used to unmarshal this for real, checks these media type values. // If the specified media type does not match it will error, and in some cases (docker media types) it is required. // So pretty much if we don't have a media type we can fall back to OCI. // This does have a special fallback for schema1 manifests just because it is easy to detect. - switch { - case mfst.MediaType != "": + switch mfst.MediaType { + case schema2.MediaTypeManifest, specs.MediaTypeImageManifest: + if mfst.Manifests != nil || mfst.FSLayers != nil { + return "", fmt.Errorf(`media-type: %q should not have "manifests" or "fsLayers"`, mfst.MediaType) + } + return mfst.MediaType, nil + case manifestlist.MediaTypeManifestList, specs.MediaTypeImageIndex: + if mfst.Config != nil || mfst.Layers != nil || mfst.FSLayers != nil { + return "", fmt.Errorf(`media-type: %q should not have "config", "layers", or "fsLayers"`, mfst.MediaType) + } + return mfst.MediaType, nil + case schema1.MediaTypeManifest: + if mfst.Manifests != nil || mfst.Layers != nil { + return "", fmt.Errorf(`media-type: %q should not have "manifests" or "layers"`, mfst.MediaType) + } return mfst.MediaType, nil - case mfst.FSLayers != nil: + default: + if mfst.MediaType != "" { + return mfst.MediaType, nil + } + } + switch { + case mfst.FSLayers != nil && mfst.Manifests == nil && mfst.Layers == nil && mfst.Config == nil: return schema1.MediaTypeManifest, nil - case mfst.Config != nil: + case mfst.Config != nil && mfst.Manifests == nil && mfst.FSLayers == nil, + mfst.Layers != nil && mfst.Manifests == nil && mfst.FSLayers == nil: return specs.MediaTypeImageManifest, nil - default: + case mfst.Config == nil && 
mfst.Layers == nil && mfst.FSLayers == nil: + // fallback to index return specs.MediaTypeImageIndex, nil } + return "", errors.New("media-type: cannot determine") } diff -Nru docker.io-20.10.7/engine/distribution/manifest_test.go docker.io-20.10.11/engine/distribution/manifest_test.go --- docker.io-20.10.7/engine/distribution/manifest_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/distribution/manifest_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -14,8 +14,10 @@ "github.com/containerd/containerd/errdefs" "github.com/containerd/containerd/remotes" "github.com/docker/distribution" + "github.com/docker/distribution/manifest/manifestlist" "github.com/docker/distribution/manifest/ocischema" "github.com/docker/distribution/manifest/schema1" + "github.com/docker/distribution/manifest/schema2" "github.com/google/go-cmp/cmp/cmpopts" digest "github.com/opencontainers/go-digest" specs "github.com/opencontainers/image-spec/specs-go/v1" 
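Review bot: The `schema1.MediaTypeManifest` case in `detectManifestBlobMediaType` rejects `manifests` and `layers` but not `config`, while the untyped fallback below accepts schema1 only when `mfst.Config == nil`, so a blob that declares the schema1 media type and also carries a `config` object is accepted here. These checks appear intended to refuse documents that could be read as more than one manifest type, so the case should probably read `if mfst.Manifests != nil || mfst.Layers != nil || mfst.Config != nil {`, with the error message updated to match and a matching entry added to `TestDetectManifestBlobMediaTypeInvalid`. The `default` branch still returns any other non-empty `mediaType` without field checks; a short comment saying such values are left for `distribution.UnmarshalManifest` to reject would make that intent explicit. The function's opening lines are in the previous hunk.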
@@ -348,4 +350,74 @@ }) } +} + +func TestDetectManifestBlobMediaTypeInvalid(t *testing.T) { + type testCase struct { + json []byte + expected string + } + cases := map[string]testCase{ + "schema 1 mediaType with manifests": { + []byte(`{"mediaType": "` + schema1.MediaTypeManifest + `","manifests":[]}`), + `media-type: "application/vnd.docker.distribution.manifest.v1+json" should not have "manifests" or "layers"`, + }, + "schema 1 mediaType with layers": { + []byte(`{"mediaType": "` + schema1.MediaTypeManifest + `","layers":[]}`), + `media-type: "application/vnd.docker.distribution.manifest.v1+json" should not have "manifests" or "layers"`, + }, + "schema 2 mediaType with manifests": { + []byte(`{"mediaType": "` + schema2.MediaTypeManifest + `","manifests":[]}`), + `media-type: "application/vnd.docker.distribution.manifest.v2+json" should not have "manifests" or "fsLayers"`, + }, + "schema 2 mediaType with fsLayers": { + []byte(`{"mediaType": "` + schema2.MediaTypeManifest + `","fsLayers":[]}`), + `media-type: "application/vnd.docker.distribution.manifest.v2+json" should not have "manifests" or "fsLayers"`, + }, + "oci manifest mediaType with manifests": { + []byte(`{"mediaType": "` + specs.MediaTypeImageManifest + `","manifests":[]}`), + `media-type: "application/vnd.oci.image.manifest.v1+json" should not have "manifests" or "fsLayers"`, + }, + "manifest list mediaType with fsLayers": { + []byte(`{"mediaType": "` + manifestlist.MediaTypeManifestList + `","fsLayers":[]}`), + `media-type: "application/vnd.docker.distribution.manifest.list.v2+json" should not have "config", "layers", or "fsLayers"`, + }, + "index mediaType with layers": { + []byte(`{"mediaType": "` + specs.MediaTypeImageIndex + `","layers":[]}`), + `media-type: "application/vnd.oci.image.index.v1+json" should not have "config", "layers", or "fsLayers"`, + }, + "index mediaType with config": { + []byte(`{"mediaType": "` + specs.MediaTypeImageIndex + `","config":{}}`), + `media-type: 
"application/vnd.oci.image.index.v1+json" should not have "config", "layers", or "fsLayers"`, + }, + "config and manifests": { + []byte(`{"config":{}, "manifests":[]}`), + `media-type: cannot determine`, + }, + "layers and manifests": { + []byte(`{"layers":[], "manifests":[]}`), + `media-type: cannot determine`, + }, + "layers and fsLayers": { + []byte(`{"layers":[], "fsLayers":[]}`), + `media-type: cannot determine`, + }, + "fsLayers and manifests": { + []byte(`{"fsLayers":[], "manifests":[]}`), + `media-type: cannot determine`, + }, + "config and fsLayers": { + []byte(`{"config":{}, "fsLayers":[]}`), + `media-type: cannot determine`, + }, + } + + for name, tc := range cases { + t.Run(name, func(t *testing.T) { + mt, err := detectManifestBlobMediaType(tc.json) + assert.Error(t, err, tc.expected) + assert.Equal(t, mt, "") + }) + } + } diff -Nru docker.io-20.10.7/engine/Dockerfile docker.io-20.10.11/engine/Dockerfile --- docker.io-20.10.7/engine/Dockerfile 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/Dockerfile 2021-11-18 00:21:59.000000000 +0000 @@ -3,7 +3,7 @@ ARG CROSS="false" ARG SYSTEMD="false" # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 ARG DEBIAN_FRONTEND=noninteractive ARG VPNKIT_VERSION=0.5.0 ARG DOCKER_BUILDTAGS="apparmor seccomp" @@ -72,7 +72,7 @@ # Install go-swagger for validating swagger.yaml # This is https://github.com/kolyshkin/go-swagger/tree/golang-1.13-fix # TODO: move to under moby/ or fix upstream go-swagger to work for us. -ENV GO_SWAGGER_COMMIT 5e6cb12f7c82ce78e45ba71fa6cb1928094db050 +ENV GO_SWAGGER_COMMIT c56166c036004ba7a3a321e5951ba472b9ae298c RUN --mount=type=cache,target=/root/.cache/go-build \ --mount=type=cache,target=/go/pkg/mod \ --mount=type=tmpfs,target=/go/src/ \ 
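Review bot: The invalid-input table in `TestDetectManifestBlobMediaTypeInvalid` leaves some rejected combinations untested: there is no manifest-list case carrying `config` or `layers`, and no OCI image manifest case carrying `fsLayers`, although the new checks are written to refuse them. Entries such as `"manifest list mediaType with layers"` and `"oci manifest mediaType with fsLayers"` would pin those branches. The third argument of `assert.Error` is compared against the error message only if this is the gotest.tools assertion package, and the import is not in the hunk. That is worth confirming so the `expected` strings are actually checked.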
@@ -280,6 +280,7 @@ libnl-3-200 \ libprotobuf-c1 \ net-tools \ + patch \ pigz \ python3-pip \ python3-setuptools \ diff -Nru docker.io-20.10.7/engine/Dockerfile.e2e docker.io-20.10.11/engine/Dockerfile.e2e --- docker.io-20.10.7/engine/Dockerfile.e2e 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/Dockerfile.e2e 2021-11-18 00:21:59.000000000 +0000 @@ -1,4 +1,4 @@ -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 FROM golang:${GO_VERSION}-alpine AS base ENV GO111MODULE=off diff -Nru docker.io-20.10.7/engine/Dockerfile.simple docker.io-20.10.11/engine/Dockerfile.simple --- docker.io-20.10.7/engine/Dockerfile.simple 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/Dockerfile.simple 2021-11-18 00:21:59.000000000 +0000 @@ -5,7 +5,7 @@ # This represents the bare minimum required to build and test Docker. -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 FROM golang:${GO_VERSION}-buster ENV GO111MODULE=off diff -Nru docker.io-20.10.7/engine/Dockerfile.windows docker.io-20.10.11/engine/Dockerfile.windows --- docker.io-20.10.7/engine/Dockerfile.windows 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/Dockerfile.windows 2021-11-18 00:21:59.000000000 +0000 @@ -165,7 +165,7 @@ # Use PowerShell as the default shell SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] -ARG GO_VERSION=1.13.15 +ARG GO_VERSION=1.16.10 ARG GOTESTSUM_COMMIT=v0.5.3 # Environment variable notes: diff -Nru docker.io-20.10.7/engine/docs/api/v1.18.md docker.io-20.10.11/engine/docs/api/v1.18.md --- docker.io-20.10.7/engine/docs/api/v1.18.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.18.md 2021-11-18 00:21:59.000000000 +0000 
@@ -317,7 +317,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.19.md docker.io-20.10.11/engine/docs/api/v1.19.md --- docker.io-20.10.7/engine/docs/api/v1.19.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.19.md 2021-11-18 00:21:59.000000000 +0000 @@ -327,7 +327,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.20.md docker.io-20.10.11/engine/docs/api/v1.20.md --- docker.io-20.10.7/engine/docs/api/v1.20.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.20.md 2021-11-18 00:21:59.000000000 +0000 @@ -331,7 +331,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.21.md docker.io-20.10.11/engine/docs/api/v1.21.md --- docker.io-20.10.7/engine/docs/api/v1.21.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.21.md 2021-11-18 00:21:59.000000000 +0000 @@ -352,7 +352,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.22.md docker.io-20.10.11/engine/docs/api/v1.22.md --- docker.io-20.10.7/engine/docs/api/v1.22.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.22.md 2021-11-18 00:21:59.000000000 +0000 
@@ -467,7 +467,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.23.md docker.io-20.10.11/engine/docs/api/v1.23.md --- docker.io-20.10.7/engine/docs/api/v1.23.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.23.md 2021-11-18 00:21:59.000000000 +0000 @@ -493,7 +493,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.24.md docker.io-20.10.11/engine/docs/api/v1.24.md --- docker.io-20.10.7/engine/docs/api/v1.24.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.24.md 2021-11-18 00:21:59.000000000 +0000 @@ -535,7 +535,7 @@ - **201** – no error - **400** – bad parameter -- **404** – no such container +- **404** – no such image - **406** – impossible to attach (container not running) - **409** – conflict - **500** – server error diff -Nru docker.io-20.10.7/engine/docs/api/v1.25.yaml docker.io-20.10.11/engine/docs/api/v1.25.yaml --- docker.io-20.10.7/engine/docs/api/v1.25.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.25.yaml 2021-11-18 00:21:59.000000000 +0000 
@@ -2786,12 +2786,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.26.yaml docker.io-20.10.11/engine/docs/api/v1.26.yaml --- docker.io-20.10.7/engine/docs/api/v1.26.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.26.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -2791,12 +2791,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.27.yaml docker.io-20.10.11/engine/docs/api/v1.27.yaml --- docker.io-20.10.7/engine/docs/api/v1.27.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.27.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -2851,12 +2851,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.28.yaml docker.io-20.10.11/engine/docs/api/v1.28.yaml --- docker.io-20.10.7/engine/docs/api/v1.28.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.28.yaml 2021-11-18 00:21:59.000000000 +0000 
@@ -2941,12 +2941,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.29.yaml docker.io-20.10.11/engine/docs/api/v1.29.yaml --- docker.io-20.10.7/engine/docs/api/v1.29.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.29.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -2975,12 +2975,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.30.yaml docker.io-20.10.11/engine/docs/api/v1.30.yaml --- docker.io-20.10.7/engine/docs/api/v1.30.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.30.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -3181,12 +3181,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.31.yaml docker.io-20.10.11/engine/docs/api/v1.31.yaml --- docker.io-20.10.7/engine/docs/api/v1.31.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.31.yaml 2021-11-18 00:21:59.000000000 +0000 
@@ -3251,12 +3251,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 406: description: "impossible to attach" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.32.yaml docker.io-20.10.11/engine/docs/api/v1.32.yaml --- docker.io-20.10.7/engine/docs/api/v1.32.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.32.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -4494,12 +4494,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.33.yaml docker.io-20.10.11/engine/docs/api/v1.33.yaml --- docker.io-20.10.7/engine/docs/api/v1.33.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.33.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -4499,12 +4499,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.34.yaml docker.io-20.10.11/engine/docs/api/v1.34.yaml --- docker.io-20.10.7/engine/docs/api/v1.34.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.34.yaml 2021-11-18 00:21:59.000000000 +0000 
@@ -4528,12 +4528,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.35.yaml docker.io-20.10.11/engine/docs/api/v1.35.yaml --- docker.io-20.10.7/engine/docs/api/v1.35.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.35.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -4510,12 +4510,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.36.yaml docker.io-20.10.11/engine/docs/api/v1.36.yaml --- docker.io-20.10.7/engine/docs/api/v1.36.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.36.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -4525,12 +4525,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.37.yaml docker.io-20.10.11/engine/docs/api/v1.37.yaml --- docker.io-20.10.7/engine/docs/api/v1.37.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.37.yaml 2021-11-18 00:21:59.000000000 +0000 
@@ -4545,12 +4545,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.38.yaml docker.io-20.10.11/engine/docs/api/v1.38.yaml --- docker.io-20.10.7/engine/docs/api/v1.38.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.38.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -4599,12 +4599,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.39.yaml docker.io-20.10.11/engine/docs/api/v1.39.yaml --- docker.io-20.10.7/engine/docs/api/v1.39.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.39.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -5294,12 +5294,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.40.yaml docker.io-20.10.11/engine/docs/api/v1.40.yaml --- docker.io-20.10.7/engine/docs/api/v1.40.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.40.yaml 2021-11-18 00:21:59.000000000 +0000 
@@ -5425,12 +5425,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/docs/api/v1.41.yaml docker.io-20.10.11/engine/docs/api/v1.41.yaml --- docker.io-20.10.7/engine/docs/api/v1.41.yaml 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/docs/api/v1.41.yaml 2021-11-18 00:21:59.000000000 +0000 @@ -5583,12 +5583,12 @@ schema: $ref: "#/definitions/ErrorResponse" 404: - description: "no such container" + description: "no such image" schema: $ref: "#/definitions/ErrorResponse" examples: application/json: - message: "No such container: c2ada9df5af8" + message: "No such image: c2ada9df5af8" 409: description: "conflict" schema: diff -Nru docker.io-20.10.7/engine/hack/ci/windows.ps1 docker.io-20.10.11/engine/hack/ci/windows.ps1 --- docker.io-20.10.7/engine/hack/ci/windows.ps1 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/hack/ci/windows.ps1 2021-11-18 00:21:59.000000000 +0000 @@ -874,6 +874,7 @@ } else { $env:DOCKER_HOST=$DASHH_CUT $env:PATH="$env:TEMP\binary;$env:PATH;" # Force to use the test binaries, not the host ones. + $env:GO111MODULE="off" Write-Host -ForegroundColor Green "INFO: DOCKER_HOST at $DASHH_CUT" $ErrorActionPreference = "SilentlyContinue" diff -Nru docker.io-20.10.7/engine/hack/dockerfile/install/containerd.installer docker.io-20.10.11/engine/hack/dockerfile/install/containerd.installer --- docker.io-20.10.7/engine/hack/dockerfile/install/containerd.installer 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/hack/dockerfile/install/containerd.installer 2021-11-18 00:21:59.000000000 +0000 
@@ -4,7 +4,7 @@ # containerd is also pinned in vendor.conf. When updating the binary # version you may also need to update the vendor version to pick up bug # fixes or new APIs. -: "${CONTAINERD_COMMIT:=d71fcd7d8303cbf684402823e425e9dd2e99285d}" # v1.4.6 +: "${CONTAINERD_COMMIT:=7b11cfaabd73bb80907dd23182b9347b4245eb5d}" # v1.4.12 install_containerd() ( echo "Install containerd version $CONTAINERD_COMMIT" diff -Nru docker.io-20.10.7/engine/hack/dockerfile/install/rootlesskit.installer docker.io-20.10.11/engine/hack/dockerfile/install/rootlesskit.installer --- docker.io-20.10.7/engine/hack/dockerfile/install/rootlesskit.installer 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/hack/dockerfile/install/rootlesskit.installer 2021-11-18 00:21:59.000000000 +0000 @@ -1,7 +1,7 @@ #!/bin/sh -# v0.14.2 -: "${ROOTLESSKIT_COMMIT:=4cd567642273d369adaadcbadca00880552c1778}" +# v0.14.4 +: "${ROOTLESSKIT_COMMIT:=87d443683ac1e8aba4110b8081f15aaae432aaa2}" install_rootlesskit() { case "$1" in diff -Nru docker.io-20.10.7/engine/hack/dockerfile/install/runc.installer docker.io-20.10.11/engine/hack/dockerfile/install/runc.installer --- docker.io-20.10.7/engine/hack/dockerfile/install/runc.installer 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/hack/dockerfile/install/runc.installer 2021-11-18 00:21:59.000000000 +0000 
@@ -4,7 +4,7 @@ # The version of runc should match the version that is used by the containerd # version that is used. If you need to update runc, open a pull request in # the containerd project first, and update both after that is merged. -: ${RUNC_COMMIT:=b9ee9c6314599f1b4a7f497e1f1f856fe433d3b7} # v1.0.0-rc95 +: ${RUNC_COMMIT:=52b36a2dd837e8462de8e01458bf02cf9eea47dd} # v1.0.2 install_runc() { # If using RHEL7 kernels (3.10.0 el7), disable kmem accounting/limiting diff -Nru docker.io-20.10.7/engine/hack/generate-test-certs.sh docker.io-20.10.11/engine/hack/generate-test-certs.sh --- docker.io-20.10.7/engine/hack/generate-test-certs.sh 1970-01-01 00:00:00.000000000 +0000 +++ docker.io-20.10.11/engine/hack/generate-test-certs.sh 2021-11-18 00:21:59.000000000 +0000 
@@ -0,0 +1,87 @@
+#!/bin/bash
+set -eu
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd -P)"
+
+# integration/testdata/https (and integration-cli/fixtures/https, which has symlinks to these files)
+OUT_DIR="${SCRIPT_DIR}/../integration/testdata/https"
+
+# generate CA
+echo 01 > "${OUT_DIR}/ca.srl"
+openssl genrsa -out "${OUT_DIR}/ca-key.pem"
+
+openssl req \
+ -new \
+ -x509 \
+ -days 3652 \
+ -subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=moby-ci/name=moby/emailAddress=moby@example.org" \
+ -nameopt compat \
+ -text \
+ -key "${OUT_DIR}/ca-key.pem" \
+ -out "${OUT_DIR}/ca.pem"
+
+# Now that we have a CA, create a server key and certificate signing request.
+# Make sure that `"Common Name (e.g. server FQDN or YOUR name)"` matches the hostname you will use
+# to connect or just use '*' for a certificate valid for any hostname:
+
+openssl genrsa -out server-key.pem
+openssl req -new \
+ -subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=server/name=moby/emailAddress=moby@example.org" \
+ -text \
+ -key "${OUT_DIR}/server-key.pem" \
+ -out "${OUT_DIR}/server.csr"
+
+# Options for server certificate
+cat > "${OUT_DIR}/server-options.cfg" << 'EOF'
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+extendedKeyUsage=serverAuth
+subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1
+EOF
+
+# Generate the certificate and sign with our CA
+openssl x509 \
+ -req \
+ -days 3652 \
+ -extfile "${OUT_DIR}/server-options.cfg" \
+ -CA "${OUT_DIR}/ca.pem" \
+ -CAkey "${OUT_DIR}/ca-key.pem" \
+ -nameopt compat \
+ -text \
+ -in "${OUT_DIR}/server.csr" \
+ -out "${OUT_DIR}/server-cert.pem"
+
+# For client authentication, create a client key and certificate signing request
+openssl genrsa -out "${OUT_DIR}/client-key.pem"
+openssl req -new \
+ -subj "/C=US/ST=CA/L=SanFrancisco/O=Moby-project/OU=ci/CN=client/name=moby/emailAddress=moby@example.org" \
+ -text \
+ -key "${OUT_DIR}/client-key.pem" \
+ -out
"${OUT_DIR}/client.csr" + +# Options for client certificate +cat > "${OUT_DIR}/client-options.cfg" << 'EOF' +basicConstraints=CA:FALSE +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid,issuer +extendedKeyUsage=clientAuth +subjectAltName=DNS:*,DNS:localhost,IP:127.0.0.1,IP:::1 +EOF + +# Generate the certificate and sign with our CA: +openssl x509 \ + -req \ + -days 3652 \ + -extfile "${OUT_DIR}/client-options.cfg" \ + -CA "${OUT_DIR}/ca.pem" \ + -CAkey "${OUT_DIR}/ca-key.pem" \ + -nameopt compat \ + -text \ + -in "${OUT_DIR}/client.csr" \ + -out "${OUT_DIR}/client-cert.pem" + +rm "${OUT_DIR}/ca.srl" +rm "${OUT_DIR}/ca-key.pem" +rm "${OUT_DIR}"/*.cfg +rm "${OUT_DIR}"/*.csr diff -Nru docker.io-20.10.7/engine/hack/validate/vendor docker.io-20.10.11/engine/hack/validate/vendor --- docker.io-20.10.7/engine/hack/validate/vendor 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/hack/validate/vendor 2021-11-18 00:21:59.000000000 +0000 @@ -5,12 +5,13 @@ validate_vendor_diff(){ IFS=$'\n' + # shellcheck disable=SC2207 files=( $(validate_diff --diff-filter=ACMR --name-only -- 'vendor.conf' 'vendor/' || true) ) unset IFS if [ -n "${TEST_FORCE_VALIDATE:-}" ] || [ ${#files[@]} -gt 0 ]; then # recreate vendor/ - vndr -whitelist=^archive/tar + ./hack/vendor.sh # check if any files have changed diffs="$(git status --porcelain -- vendor 2>/dev/null)" mfiles="$(echo "$diffs" | awk '/^ M / {print $2}')" diff -Nru docker.io-20.10.7/engine/hack/vendor.sh docker.io-20.10.11/engine/hack/vendor.sh --- docker.io-20.10.7/engine/hack/vendor.sh 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/hack/vendor.sh 2021-11-18 00:21:59.000000000 +0000 
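Review bot: In the new hack/generate-test-certs.sh the server key is written to the current working directory instead of the fixtures directory: `openssl genrsa -out server-key.pem` has no `${OUT_DIR}/` prefix, while the `openssl req` right after it reads `-key "${OUT_DIR}/server-key.pem"`. Run from anywhere but OUT_DIR, the CSR is built from whatever server-key.pem already sits in the fixtures directory (or the script aborts if there is none), and a stray private key is left behind in the caller's directory. The line should read `openssl genrsa -out "${OUT_DIR}/server-key.pem"`. The three `genrsa` calls also rely on the installed OpenSSL's default modulus size; passing it explicitly, e.g. `openssl genrsa -out "${OUT_DIR}/ca-key.pem" 2048`, would keep regenerated fixtures in line with the 2048-bit keys committed in this same diff.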
@@ -12,4 +12,17 @@ exit 1 fi -vndr -whitelist=^archive/tar "$@" +if [ $# -eq 0 ] || [ "$1" = "archive/tar" ]; then + echo "update vendored copy of archive/tar" + : "${GO_VERSION:=$(awk -F '[ =]' '$1 == "ARG" && $2 == "GO_VERSION" { print $3; exit }' ./Dockerfile)}" + rm -rf vendor/archive + mkdir -p ./vendor/archive/tar + echo "downloading: https://golang.org/dl/go${GO_VERSION}.src.tar.gz" + curl -fsSL "https://golang.org/dl/go${GO_VERSION}.src.tar.gz" \ + | tar --extract --gzip --directory=vendor/archive/tar --strip-components=4 go/src/archive/tar + patch --strip=4 --directory=vendor/archive/tar --input="$PWD/patches/0001-archive-tar-do-not-populate-user-group-names.patch" +fi + +if [ $# -eq 0 ] || [ "$1" != "archive/tar" ]; then + vndr -whitelist=^archive/tar "$@" +fi diff -Nru docker.io-20.10.7/engine/integration/build/build_userns_linux_test.go docker.io-20.10.11/engine/integration/build/build_userns_linux_test.go --- docker.io-20.10.7/engine/integration/build/build_userns_linux_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/build/build_userns_linux_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -41,6 +41,7 @@ dUserRemap.Start(t, "--userns-remap", "default") ctx := context.Background() clientUserRemap := dUserRemap.NewClientT(t) + defer clientUserRemap.Close() err = load.FrozenImagesLinux(clientUserRemap, "debian:bullseye") assert.NilError(t, err) @@ -49,6 +50,7 @@ defer func() { if dUserRemapRunning { dUserRemap.Stop(t) + dUserRemap.Cleanup(t) } }() 
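Review bot: In the hack/vendor.sh hunk the Go source tarball is piped from `curl` straight into `tar`, so its contents land in vendor/archive/tar with no integrity check and trust rests entirely on the TLS connection to golang.org. Downloading to a temporary file, checking it against a pinned SHA-256 for go${GO_VERSION}.src.tar.gz and only then extracting would make the vendored copy reproducible and tamper-evident; in the sketch below `GO_SRC_SHA256` is a placeholder for that pinned value. The pipe also hides a failed download behind tar's exit status unless `pipefail` is set, which cannot be confirmed here because the top of the script is outside the hunk.

```shell
	echo "downloading: https://golang.org/dl/go${GO_VERSION}.src.tar.gz"
	# GO_SRC_SHA256 is a placeholder: pin the published checksum for this GO_VERSION.
	src_tarball="$(mktemp)"
	curl -fsSL -o "$src_tarball" "https://golang.org/dl/go${GO_VERSION}.src.tar.gz"
	echo "${GO_SRC_SHA256}  ${src_tarball}" | sha256sum -c -
	tar --extract --gzip --file="$src_tarball" --directory=vendor/archive/tar --strip-components=4 go/src/archive/tar
	rm -f "$src_tarball"
	# … unchanged: patch --strip=4 applying 0001-archive-tar-do-not-populate-user-group-names.patch …
```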
@@ -89,12 +91,17 @@ dNoUserRemap := daemon.New(t) dNoUserRemap.Start(t) - defer dNoUserRemap.Stop(t) + defer func() { + dNoUserRemap.Stop(t) + dNoUserRemap.Cleanup(t) + }() clientNoUserRemap := dNoUserRemap.NewClientT(t) + defer clientNoUserRemap.Close() tarFile, err := os.Open(tmp + "/image.tar") assert.NilError(t, err, "failed to open image tar file") + defer tarFile.Close() tarReader := bufio.NewReader(tarFile) loadResp, err := clientNoUserRemap.ImageLoad(ctx, tarReader, false) @@ -112,6 +119,7 @@ ShowStdout: true, }) assert.NilError(t, err) + defer logReader.Close() actualStdout := new(bytes.Buffer) actualStderr := ioutil.Discard diff -Nru docker.io-20.10.7/engine/integration/container/health_test.go docker.io-20.10.11/engine/integration/container/health_test.go --- docker.io-20.10.7/engine/integration/container/health_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/container/health_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -43,8 +43,32 @@ client := testEnv.APIClient() id := container.Run(ctx, t, client, func(c *container.TestContainerConfig) { + cmd := ` +# Set the initial HEALTH value so the healthcheck passes +HEALTH="1" +echo $HEALTH > /health + +# Any time doHealth is run we flip the value +# This lets us use kill signals to determine when healtchecks have run. +doHealth() { + case "$HEALTH" in + "0") + HEALTH="1" + ;; + "1") + HEALTH="0" + ;; + esac + echo $HEALTH > /health +} + +trap 'doHealth' USR1 + +while true; do sleep 1; done +` + c.Config.Cmd = []string{"/bin/sh", "-c", cmd} c.Config.Healthcheck = &containertypes.HealthConfig{ - Test: []string{"CMD-SHELL", "sleep 1"}, + Test: []string{"CMD-SHELL", `[ "$(cat /health)" = "1" ]`}, Interval: time.Second, Retries: 5, } 
@@ -58,6 +82,13 @@ assert.NilError(t, err) ctxPoll, cancel = context.WithTimeout(ctx, 30*time.Second) + defer cancel() + poll.WaitOn(t, pollForHealthStatus(ctxPoll, client, id, "unhealthy"), poll.WithDelay(100*time.Millisecond)) + + err = client.ContainerKill(ctx, id, "SIGUSR1") + assert.NilError(t, err) + + ctxPoll, cancel = context.WithTimeout(ctx, 30*time.Second) defer cancel() poll.WaitOn(t, pollForHealthStatus(ctxPoll, client, id, "healthy"), poll.WithDelay(100*time.Millisecond)) } diff -Nru docker.io-20.10.7/engine/integration/plugin/common/plugin_test.go docker.io-20.10.11/engine/integration/plugin/common/plugin_test.go --- docker.io-20.10.7/engine/integration/plugin/common/plugin_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/plugin/common/plugin_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -276,11 +276,7 @@ assert.NilError(t, err) defer rdr.Close() - type manifest struct { - MediaType string - v1.Manifest - } - var m manifest + var m v1.Manifest assert.NilError(t, json.NewDecoder(rdr).Decode(&m)) assert.Check(t, cmp.Equal(m.MediaType, images.MediaTypeDockerSchema2Manifest)) assert.Check(t, cmp.Len(m.Layers, 1)) diff -Nru docker.io-20.10.7/engine/integration/plugin/logging/helpers_test.go docker.io-20.10.11/engine/integration/plugin/logging/helpers_test.go --- docker.io-20.10.7/engine/integration/plugin/logging/helpers_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/plugin/logging/helpers_test.go 2021-11-18 00:21:59.000000000 +0000 
@@ -31,7 +31,7 @@ } cmd := exec.Command(goBin, "build", "-o", installPath, "./"+filepath.Join("cmd", name)) - cmd.Env = append(os.Environ(), "CGO_ENABLED=0") + cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GO111MODULE=off") if out, err := cmd.CombinedOutput(); err != nil { t.Fatal(errors.Wrapf(err, "error building basic plugin bin: %s", string(out))) } diff -Nru docker.io-20.10.7/engine/integration/plugin/volumes/helpers_test.go docker.io-20.10.11/engine/integration/plugin/volumes/helpers_test.go --- docker.io-20.10.7/engine/integration/plugin/volumes/helpers_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/plugin/volumes/helpers_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -36,7 +36,7 @@ assert.NilError(t, err) cmd := exec.Command(goBin, "build", "-o", installPath, "./"+filepath.Join("cmd", name)) - cmd.Env = append(os.Environ(), "CGO_ENABLED=0") + cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GO111MODULE=off") if out, err := cmd.CombinedOutput(); err != nil { t.Fatal(errors.Wrapf(err, "error building basic plugin bin: %s", string(out))) } diff -Nru docker.io-20.10.7/engine/integration/service/create_test.go docker.io-20.10.11/engine/integration/service/create_test.go --- docker.io-20.10.7/engine/integration/service/create_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/service/create_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -267,7 +267,7 @@ serviceID := swarm.CreateService(t, d, swarm.ServiceWithReplicas(instances), swarm.ServiceWithName(serviceName), - swarm.ServiceWithCommand([]string{"/bin/sh", "-c", "ls -l /etc/secret || /bin/top"}), + swarm.ServiceWithCommand([]string{"/bin/sh", "-c", "ls -l /etc/secret && sleep inf"}), swarm.ServiceWithSecret(&swarmtypes.SecretReference{ File: &swarmtypes.SecretReferenceFileTarget{ Name: "/etc/secret", 
@@ -282,15 +282,8 @@ poll.WaitOn(t, swarm.RunningTasksCount(client, serviceID, instances), swarm.ServicePoll) - filter := filters.NewArgs() - filter.Add("service", serviceID) - tasks, err := client.TaskList(ctx, types.TaskListOptions{ - Filters: filter, - }) - assert.NilError(t, err) - assert.Check(t, is.Equal(len(tasks), 1)) - - body, err := client.ContainerLogs(ctx, tasks[0].Status.ContainerStatus.ContainerID, types.ContainerLogsOptions{ + body, err := client.ServiceLogs(ctx, serviceID, types.ContainerLogsOptions{ + Tail: "1", ShowStdout: true, }) assert.NilError(t, err) @@ -330,7 +323,7 @@ serviceName := "TestService_" + t.Name() serviceID := swarm.CreateService(t, d, swarm.ServiceWithName(serviceName), - swarm.ServiceWithCommand([]string{"/bin/sh", "-c", "ls -l /etc/config || /bin/top"}), + swarm.ServiceWithCommand([]string{"/bin/sh", "-c", "ls -l /etc/config && sleep inf"}), swarm.ServiceWithReplicas(instances), swarm.ServiceWithConfig(&swarmtypes.ConfigReference{ File: &swarmtypes.ConfigReferenceFileTarget{ @@ -346,15 +339,8 @@ poll.WaitOn(t, swarm.RunningTasksCount(client, serviceID, instances)) - filter := filters.NewArgs() - filter.Add("service", serviceID) - tasks, err := client.TaskList(ctx, types.TaskListOptions{ - Filters: filter, - }) - assert.NilError(t, err) - assert.Check(t, is.Equal(len(tasks), 1)) - - body, err := client.ContainerLogs(ctx, tasks[0].Status.ContainerStatus.ContainerID, types.ContainerLogsOptions{ + body, err := client.ServiceLogs(ctx, serviceID, types.ContainerLogsOptions{ + Tail: "1", ShowStdout: true, }) assert.NilError(t, err) diff -Nru docker.io-20.10.7/engine/integration/testdata/https/ca.pem docker.io-20.10.11/engine/integration/testdata/https/ca.pem --- docker.io-20.10.7/engine/integration/testdata/https/ca.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/testdata/https/ca.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -1,23 +1,82 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 45:9c:ce:13:92:42:39:2e:90:f5:93:05:f1:03:92:17:5d:e4:89:8d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org + Validity + Not Before: May 17 19:49:34 2021 GMT + Not After : May 17 19:49:34 2031 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:5a:af:10:15:fb:c8:46:c4:31:d7:ee:ec:d9: + c4:1e:c3:b3:b6:4c:ec:e1:2b:57:40:a2:74:cd:d5: + 8e:7d:69:b6:22:60:21:05:be:a5:92:40:4c:43:2b: + eb:c9:00:32:5f:59:1c:59:50:e2:98:df:ff:9b:2d: + 16:9f:c6:a0:57:78:bc:ae:a5:8d:b3:7d:98:73:7a: + 6f:d2:05:52:15:89:89:22:ec:9d:9a:e7:c7:35:8f: + 6b:38:a3:33:54:c5:74:2a:05:ad:af:a0:8a:54:7b: + 7d:d4:6a:9b:2b:90:cb:9a:e7:6e:94:bd:a2:f3:5b: + 40:d1:fa:4d:ec:fd:6f:14:1d:89:5b:fc:35:c2:1c: + 98:0b:c4:53:7a:25:16:3f:02:e9:e8:46:20:4d:e8: + 1e:25:0d:0d:10:e9:36:42:2a:88:d9:91:b3:fa:9e: + 07:c0:a9:b1:44:db:2c:e5:cb:85:bf:4a:38:a0:cf: + 7e:2c:20:e5:a9:cf:49:2a:6f:e3:b8:93:fd:38:9b: + 2a:c2:ea:c3:0f:3b:f5:f3:30:c8:f7:51:d5:8b:d0: + 5e:97:75:21:e4:d2:47:ca:1d:66:4a:36:b2:81:13: + d9:13:19:0d:35:04:84:ca:35:f4:47:f9:47:37:21: + 64:95:a1:cb:8a:01:d3:e6:50:e2:01:17:e5:0e:64: + 89:0d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 + X509v3 Authority Key Identifier: + keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 46:73:2d:4b:ce:b0:c2:13:19:85:97:67:95:d9:15:6f:cf:e0: + 89:e4:42:90:4e:a3:5a:64:8c:e9:92:6f:b4:cb:56:e6:ec:6e: + 91:04:18:12:79:ca:70:bb:e5:ba:5d:ed:fe:8c:47:7e:8f:8b: + 
bd:9f:40:5a:63:51:b8:80:6f:b2:7b:ff:c1:43:68:7d:21:0c: + 0a:a4:ea:b7:2d:0a:31:e4:3e:5e:bb:72:bd:63:6b:a1:2d:d3: + ca:6a:e0:af:17:52:12:71:73:77:41:11:f1:24:32:54:b4:67: + c9:5e:b1:f1:cf:bd:95:91:c8:9c:43:4f:3f:c3:f6:3c:0e:41: + 2b:f9:c7:25:3f:17:4d:4a:e7:27:36:bc:9e:d4:30:e6:6e:29: + 95:e4:33:66:b4:2e:11:ac:97:61:df:3f:4d:03:8e:96:04:10: + a5:d8:5f:85:a3:4b:6c:d5:1c:7d:17:8c:4c:8a:cb:9d:27:65: + 2c:ee:dd:2b:19:27:1a:57:3c:68:2d:eb:6e:e8:b2:59:8c:0a: + 17:75:ba:fc:89:d8:fc:c0:45:44:8a:a1:9c:52:b0:f3:b7:6d: + f2:2e:24:ee:50:d9:27:4d:33:89:5c:97:34:b0:47:81:94:4b: + c1:b4:aa:d9:65:b5:4f:98:0b:a9:76:30:a0:ef:f1:71:23:0f: + 04:dc:83:fd -----BEGIN CERTIFICATE----- -MIID0TCCAzqgAwIBAgIJAP2r7GqEJwSnMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD -VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG -A1UEChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMI -Y2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWls -QGhvc3QuZG9tYWluMB4XDTEzMTIwMzE2NTYzMFoXDTIzMTIwMTE2NTYzMFowgaIx -CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2Nv -MRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYD -VQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEW -EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALAn -0xDw+5y7ZptQacq66pUhRu82JP2WU6IDgo5QUtNU6/CX5PwQATe/OnYTZQFbksxp -AU9boG0FCkgxfsgPYXEuZxVEGKI2fxfKHOZZI8mrkWmj6eWU/0cvCjGVc9rTITP5 -sNQvg+hORyVDdNp2IdsbMJayiB3AQYMFx3vSDOMTAgMBAAGjggELMIIBBzAdBgNV -HQ4EFgQUZu7DFz09q0QBa2+ymRm9qgK1NPswgdcGA1UdIwSBzzCBzIAUZu7DFz09 -q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD -QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x -ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI -Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq -hCcEpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF8fJKKM+/oOdnNi -zEd0M1+PmZOyqvjYQn/2ZR8UHH6Imgc/OPQKZXf0bVE1Txc/DaUNn9Isd1SuCuaE -ic3vAIYYU7PmgeNN6vwec48V96T7jr+GAi6AVMhQEc2hHCfVtx11Xx+x6aHDZzJt 
-Zxtf5lL6KSO9Y+EFwM+rju6hm5hW +MIIEETCCAvmgAwIBAgIURZzOE5JCOS6Q9ZMF8QOSF13kiY0wDQYJKoZIhvcNAQEL +BQAwgZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FuRnJh +bmNpc2NvMRUwEwYDVQQKDAxNb2J5LXByb2plY3QxCzAJBgNVBAsMAmNpMRAwDgYD +VQQDDAdtb2J5LWNpMQ0wCwYDVQQpDARtb2J5MR8wHQYJKoZIhvcNAQkBFhBtb2J5 +QGV4YW1wbGUub3JnMB4XDTIxMDUxNzE5NDkzNFoXDTMxMDUxNzE5NDkzNFowgZcx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FuRnJhbmNpc2Nv +MRUwEwYDVQQKDAxNb2J5LXByb2plY3QxCzAJBgNVBAsMAmNpMRAwDgYDVQQDDAdt +b2J5LWNpMQ0wCwYDVQQpDARtb2J5MR8wHQYJKoZIhvcNAQkBFhBtb2J5QGV4YW1w +bGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlqvEBX7yEbE +Mdfu7NnEHsOztkzs4StXQKJ0zdWOfWm2ImAhBb6lkkBMQyvryQAyX1kcWVDimN// +my0Wn8agV3i8rqWNs32Yc3pv0gVSFYmJIuydmufHNY9rOKMzVMV0KgWtr6CKVHt9 +1GqbK5DLmudulL2i81tA0fpN7P1vFB2JW/w1whyYC8RTeiUWPwLp6EYgTegeJQ0N +EOk2QiqI2ZGz+p4HwKmxRNss5cuFv0o4oM9+LCDlqc9JKm/juJP9OJsqwurDDzv1 +8zDI91HVi9Bel3Uh5NJHyh1mSjaygRPZExkNNQSEyjX0R/lHNyFklaHLigHT5lDi +ARflDmSJDQIDAQABo1MwUTAdBgNVHQ4EFgQUhVfQ/6m0Hh+AM/u4NO19BjnNNJgw +HwYDVR0jBBgwFoAUhVfQ/6m0Hh+AM/u4NO19BjnNNJgwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEARnMtS86wwhMZhZdnldkVb8/gieRCkE6jWmSM +6ZJvtMtW5uxukQQYEnnKcLvlul3t/oxHfo+LvZ9AWmNRuIBvsnv/wUNofSEMCqTq +ty0KMeQ+XrtyvWNroS3TymrgrxdSEnFzd0ER8SQyVLRnyV6x8c+9lZHInENPP8P2 +PA5BK/nHJT8XTUrnJza8ntQw5m4pleQzZrQuEayXYd8/TQOOlgQQpdhfhaNLbNUc +fReMTIrLnSdlLO7dKxknGlc8aC3rbuiyWYwKF3W6/InY/MBFRIqhnFKw87dt8i4k +7lDZJ00ziVyXNLBHgZRLwbSq2WW1T5gLqXYwoO/xcSMPBNyD/Q== -----END CERTIFICATE----- diff -Nru docker.io-20.10.7/engine/integration/testdata/https/client-cert.pem docker.io-20.10.11/engine/integration/testdata/https/client-cert.pem --- docker.io-20.10.7/engine/integration/testdata/https/client-cert.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/testdata/https/client-cert.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -2,72 +2,85 @@ Data: Version: 3 (0x2) Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org Validity - Not Before: Dec 4 14:17:54 2013 GMT - Not After : Dec 2 14:17:54 2023 GMT - Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client/name=changeme/emailAddress=mail@host.domain + Not Before: May 17 19:49:34 2021 GMT + Not After : May 17 19:49:34 2031 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=client/name=moby/emailAddress=moby@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + RSA Public-Key: (2048 bit) Modulus: - 00:ca:c9:05:d0:09:4e:3e:a4:fc:d5:14:f4:a5:e8: - 34:d3:6b:51:e3:f3:62:ea:a1:f0:e8:ed:c4:2a:bc: - f0:4f:ca:07:df:e3:88:fa:f4:21:99:35:0e:3d:ea: - b0:86:e7:c4:d2:8a:83:2b:42:b8:ec:a3:99:62:70: - 81:46:cc:fc:a5:1d:d2:63:e8:eb:07:25:9a:e2:25: - 6d:11:56:f2:1a:51:a1:b6:3e:1c:57:32:e9:7b:2c: - aa:1b:cc:97:2d:89:2d:b1:c9:5e:35:28:4d:7c:fa: - 65:31:3e:f7:70:dd:6e:0b:3c:58:af:a8:2e:24:c0: - 7e:4e:78:7d:0a:9e:8f:42:43 + 00:e3:20:9f:c9:63:fe:29:a9:0e:21:e0:4d:4c:42: + cb:cc:9f:29:8c:73:5d:f7:88:bd:81:62:1f:b2:a3: + 95:4d:3a:58:28:af:f0:3e:aa:a7:c2:c6:52:b9:94: + 9f:6b:58:d6:9a:08:b4:5f:60:fb:f1:ea:e7:49:8d: + 46:35:e2:e9:82:9f:20:44:41:82:a7:fa:ab:82:1b: + 03:7f:f0:4e:78:38:37:20:9d:67:43:c0:e2:8f:09: + 07:3f:7f:96:13:7a:64:c5:90:13:87:71:6d:ed:e7: + 28:3a:05:48:eb:d6:e6:27:da:46:f9:a4:5c:66:49: + 56:5f:88:87:4e:0a:8b:fe:ea:05:a6:c1:72:b9:94: + d5:8e:d4:9a:18:58:ac:56:1b:34:3e:c3:50:06:5d: + f3:3d:85:93:2c:8b:3f:33:e6:32:14:92:9e:fd:fc: + 5d:8a:71:1b:20:67:43:e0:72:fc:4e:31:c6:b7:03: + 98:99:e7:95:ef:7c:5a:30:cf:c1:a4:43:42:fb:be: + 
1b:a7:08:d5:e0:b5:b2:10:ff:0f:e1:0d:ee:3e:b2: + 04:05:86:1e:72:a9:d6:16:84:37:73:28:5d:d9:3c: + fd:f3:99:18:dc:90:83:59:23:90:bc:25:33:0f:23: + 48:9d:d2:97:a0:ac:94:4f:8e:31:22:cc:74:83:f7: + 31:9d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE - Netscape Comment: - Easy-RSA Generated Certificate X509v3 Subject Key Identifier: - DE:42:EF:2D:98:A3:6C:A8:AA:E0:8C:71:2C:9D:64:23:A9:E2:7E:81 + 23:1C:5A:99:1A:2B:BC:FD:39:97:8D:1F:5A:49:BF:4F:33:0F:26:C1 X509v3 Authority Key Identifier: - keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB - DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain - serial:FD:AB:EC:6A:84:27:04:A7 + keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 X509v3 Extended Key Usage: TLS Web Client Authentication - X509v3 Key Usage: - Digital Signature - Signature Algorithm: sha1WithRSAEncryption - 1c:44:26:ea:e1:66:25:cb:e4:8e:57:1c:f6:b9:17:22:62:40: - 12:90:8f:3b:b2:61:7a:54:94:8f:b1:20:0b:bf:a3:51:e3:fa: - 1c:a1:be:92:3a:d0:76:44:c0:57:83:ab:6a:e4:1a:45:49:a4: - af:39:0d:60:32:fc:3a:be:d7:fb:5d:99:7a:1f:87:e7:d5:ab: - 84:a2:5e:90:d8:bf:fa:89:6d:32:26:02:5e:31:35:68:7f:31: - f5:6b:51:46:bc:af:70:ed:5a:09:7d:ec:b2:48:4f:fe:c5:2f: - 56:04:ad:f6:c1:d2:2a:e4:6a:c4:87:fe:08:35:c5:38:cb:5e: - 4a:c4 + X509v3 Subject Alternative Name: + DNS:*, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 4d:79:c0:07:ac:13:51:00:5c:4b:70:6d:9f:bf:87:c8:ac:31: + c9:37:5e:4e:4c:9f:c6:cd:a4:e3:df:72:b5:06:28:9d:f6:3e: + 32:b5:01:81:43:78:6d:93:b2:b2:0a:0b:95:64:f2:25:a4:5e: + d1:4b:b1:11:5c:54:17:21:a7:f7:e6:73:af:f2:53:54:b3:69: + 40:8c:26:5b:1b:a7:63:07:26:c4:d2:c4:7a:64:b3:ab:f1:23: + fa:58:9c:b2:b7:17:35:34:91:dd:84:bb:b0:ee:a6:cd:78:cf: + 32:39:d8:5f:23:ad:62:ef:82:38:88:cd:34:1b:7d:3b:02:a8: + 75:70:72:50:33:44:a4:65:01:14:ef:78:46:3b:27:4e:82:e6: + 
01:1b:5c:65:97:2c:08:f7:4f:e6:ee:dd:1c:40:0c:48:59:33: + 5e:c7:da:bf:40:ce:b0:e9:03:95:6f:a8:07:b3:7f:6b:15:cd: + c0:6f:57:e3:73:99:67:aa:fd:90:6c:a7:6f:ff:b9:5f:f6:8a: + 8c:93:f1:c3:75:34:10:c6:6c:0e:ae:0a:22:6b:16:6c:56:41: + 0a:b5:e6:74:52:b8:3e:f2:e4:fc:f1:54:a0:84:90:d5:97:70: + 25:4b:28:2c:8a:ec:46:0a:63:ac:32:c6:cd:96:71:ee:f6:17: + 2c:e9:60:5e -----BEGIN CERTIFICATE----- -MIIEFTCCA36gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv -cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l -MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv -bWFpbjAeFw0xMzEyMDQxNDE3NTRaFw0yMzEyMDIxNDE3NTRaMIGgMQswCQYDVQQG -EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE -ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEPMA0GA1UEAxMGY2xp -ZW50MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0 -LmRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyskF0AlOPqT81RT0 -peg002tR4/Ni6qHw6O3EKrzwT8oH3+OI+vQhmTUOPeqwhufE0oqDK0K47KOZYnCB -Rsz8pR3SY+jrByWa4iVtEVbyGlGhtj4cVzLpeyyqG8yXLYktscleNShNfPplMT73 -cN1uCzxYr6guJMB+Tnh9Cp6PQkMCAwEAAaOCAVkwggFVMAkGA1UdEwQCMAAwLQYJ -YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV -HQ4EFgQU3kLvLZijbKiq4IxxLJ1kI6nifoEwgdcGA1UdIwSBzzCBzIAUZu7DFz09 -q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD -QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x -ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI -Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq -hCcEpzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcN -AQEFBQADgYEAHEQm6uFmJcvkjlcc9rkXImJAEpCPO7JhelSUj7EgC7+jUeP6HKG+ -kjrQdkTAV4OrauQaRUmkrzkNYDL8Or7X+12Zeh+H59WrhKJekNi/+oltMiYCXjE1 -aH8x9WtRRryvcO1aCX3sskhP/sUvVgSt9sHSKuRqxIf+CDXFOMteSsQ= +MIIEPzCCAyegAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +CzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1v 
+YnktcHJvamVjdDELMAkGA1UECwwCY2kxEDAOBgNVBAMMB21vYnktY2kxDTALBgNV +BCkMBG1vYnkxHzAdBgkqhkiG9w0BCQEWEG1vYnlAZXhhbXBsZS5vcmcwHhcNMjEw +NTE3MTk0OTM0WhcNMzEwNTE3MTk0OTM0WjCBljELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1vYnktcHJv +amVjdDELMAkGA1UECwwCY2kxDzANBgNVBAMMBmNsaWVudDENMAsGA1UEKQwEbW9i +eTEfMB0GCSqGSIb3DQEJARYQbW9ieUBleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOMgn8lj/impDiHgTUxCy8yfKYxzXfeIvYFiH7Kj +lU06WCiv8D6qp8LGUrmUn2tY1poItF9g+/Hq50mNRjXi6YKfIERBgqf6q4IbA3/w +Tng4NyCdZ0PA4o8JBz9/lhN6ZMWQE4dxbe3nKDoFSOvW5ifaRvmkXGZJVl+Ih04K +i/7qBabBcrmU1Y7UmhhYrFYbND7DUAZd8z2FkyyLPzPmMhSSnv38XYpxGyBnQ+By +/E4xxrcDmJnnle98WjDPwaRDQvu+G6cI1eC1shD/D+EN7j6yBAWGHnKp1haEN3Mo +Xdk8/fOZGNyQg1kjkLwlMw8jSJ3Sl6CslE+OMSLMdIP3MZ0CAwEAAaOBlDCBkTAJ +BgNVHRMEAjAAMB0GA1UdDgQWBBQjHFqZGiu8/TmXjR9aSb9PMw8mwTAfBgNVHSME +GDAWgBSFV9D/qbQeH4Az+7g07X0GOc00mDATBgNVHSUEDDAKBggrBgEFBQcDAjAv +BgNVHREEKDAmggEqgglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEw +DQYJKoZIhvcNAQELBQADggEBAE15wAesE1EAXEtwbZ+/h8isMck3Xk5Mn8bNpOPf +crUGKJ32PjK1AYFDeG2TsrIKC5Vk8iWkXtFLsRFcVBchp/fmc6/yU1SzaUCMJlsb +p2MHJsTSxHpks6vxI/pYnLK3FzU0kd2Eu7Dups14zzI52F8jrWLvgjiIzTQbfTsC +qHVwclAzRKRlARTveEY7J06C5gEbXGWXLAj3T+bu3RxADEhZM17H2r9AzrDpA5Vv +qAezf2sVzcBvV+NzmWeq/ZBsp2//uV/2ioyT8cN1NBDGbA6uCiJrFmxWQQq15nRS +uD7y5PzxVKCEkNWXcCVLKCyK7EYKY6wyxs2Wce72FyzpYF4= -----END CERTIFICATE----- diff -Nru docker.io-20.10.7/engine/integration/testdata/https/client-key.pem docker.io-20.10.11/engine/integration/testdata/https/client-key.pem --- docker.io-20.10.7/engine/integration/testdata/https/client-key.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/testdata/https/client-key.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -1,16 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMrJBdAJTj6k/NUU -9KXoNNNrUePzYuqh8OjtxCq88E/KB9/jiPr0IZk1Dj3qsIbnxNKKgytCuOyjmWJw -gUbM/KUd0mPo6wclmuIlbRFW8hpRobY+HFcy6XssqhvMly2JLbHJXjUoTXz6ZTE+ -93Ddbgs8WK+oLiTAfk54fQqej0JDAgMBAAECgYBOFEzKp2qbMEexe9ofL2N3rDDh -xkrl8OijpzkLA6i78BxMFn4dsnZlWUpciMrjhsYAExkiRRSS+QMMJimAq1jzQqc3 -FAQV2XGYwkd0cUn7iZGvfNnEPysjsfyYQM+m+sT0ATj4BZjVShC6kkSjTdm1leLN -OSvcHdcu3Xxg9ufF0QJBAPYdnNt5sIndt2WECePuRVi+uF4mlxTobFY0fjn26yhC -4RsnhhD3Vldygo9gvnkwrAZYaALGSPBewes2InxvjA8CQQDS7erKiNXpwoqz5XiU -SVEsIIVTdWzBjGbIqMOu/hUwM5FK4j6JTBks0aTGMyh0YV9L1EzM0X79J29JahCe -iQKNAkBKNMOGqTpBV0hko1sYDk96YobUXG5RL4L6uvkUIQ7mJMQam+AgXXL7Ctuy -v0iu4a38e8tgisiTMP7nHHtpaXihAkAOiN54/lzfMsykANgCP9scE1GcoqbP34Dl -qttxH4kOPT9xzY1JoLjLYdbc4YGUI3GRpBt2sajygNkmUey7P+2xAkBBsVCZFvTw -qHvOpPS2kX5ml5xoc/QAHK9N7kR+X7XFYx82RTVSqJEK4lPb+aEWn+CjiIewO4Q5 -ksDFuNxAzbhl ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEA4yCfyWP+KakOIeBNTELLzJ8pjHNd94i9gWIfsqOVTTpYKK/w +PqqnwsZSuZSfa1jWmgi0X2D78ernSY1GNeLpgp8gREGCp/qrghsDf/BOeDg3IJ1n +Q8DijwkHP3+WE3pkxZATh3Ft7ecoOgVI69bmJ9pG+aRcZklWX4iHTgqL/uoFpsFy +uZTVjtSaGFisVhs0PsNQBl3zPYWTLIs/M+YyFJKe/fxdinEbIGdD4HL8TjHGtwOY +meeV73xaMM/BpENC+74bpwjV4LWyEP8P4Q3uPrIEBYYecqnWFoQ3cyhd2Tz985kY +3JCDWSOQvCUzDyNIndKXoKyUT44xIsx0g/cxnQIDAQABAoIBAQCZ0oGFIlyDGISC +uud+64oc9fpsrcGJIKm/k5YGJTW7jPUh8S4TMv7VMf3aw+ZIDG2i+pw2MHfRepbT +wIM5gYlGNsDimT+ExocbYXI4Vqa+Usw7IX9LarnFx4aKIb2hSXYwOwiO5WpfAfvD +d8rQNsW/XdxNvFv7xlVh9BQ27Xus0sjz7dNBSt+LQ4hSyfZgFwbXh1+E9k6PDhnX +oYFz4/U/1G+HwXKivvKcRIkYZpMyD80H/M4+bB9x6btFvb4+R3K6Ii8wh+VMz5pX +Nm+mN8d3W/7Mhyof8EbbQpJMdwemzI7lM6wf1FPfSEeKXAclJ3+BnjOuh295Jv4Z +u+YWhzDhAoGBAPcRWiVyU7US7K4dhbVo2zyM6mGO3gFBXgeSwFFby8kMsbi8aewt +m90WMdWjvITw/sNsIRye7sCUVXOmGgz+5UfxRKtcFB5JnfLymrmQS7y1+TZ1WRak +T0400U+VEE4Cw3vkd4lFbyu94P4iDmn816Ix6tR8UTt11wMG3NgVoFSFAoGBAOtW +uKYN58BXWA3nU9rPEKq7n1cx7ML/xFvIPPNWp+6Pc1EJ2yX7tnyhPzvPdm3+XdTz 
+PU0oIBVfKNToPqYJRX8kK4hCYPvgOOAccZkSrxe3jBupKW72BwVvl/wN6Yb7ggda +NMbsQ85XyF4K9bvIFxROrR1K/nsowO0UaLvtEOA5AoGBALf2pabIT+e95Zlnxg1j +vAqD6mkl1cwdfgQpkyWBMmXLG/Gv6TbAZxPh2M14k4BxaWDdfHIxLRkb2dy4yyDu +Eo7U6QqnDxvWONOTLP4KoTosTRntmp4vThWvYkLdfTx49lGjthXyK2rogUT42r60 +U2Mjw/TfdCTQA37vdzU2NSF5AoGBAOZQpsEMVsRsNqbUv8IiZ8NPf2+MUpO8T+Ur +IEtdgVf9V/P1W13e7Acon4PfU53uFNJ1gobiQBPqX0GOUNGZvUPimB/wJo4aME9U +RvBx0p25agsgEIahjNmLDwkEbIlH10duxrvvOaTVUCiJPVibR8r9/HnwjQDnL3hW +QvG33o4xAoGBAOsX3ABiBnXzqotDlqgoofgmv7zGkjZByiGQz3d+nL74ucRmZRgX +aeYb14YbJ1I1sGj2u2fPa4P1EJ0RnjgYkaQ7c0ZyTXceS+2/LtJ56RvRepKKs+Yg +fX1EruZYZvoDW+AViWF784CzpIpmedgB7dbXJPahTh0Q76OWQdP3T/uh +-----END RSA PRIVATE KEY----- diff -Nru docker.io-20.10.7/engine/integration/testdata/https/server-cert.pem docker.io-20.10.11/engine/integration/testdata/https/server-cert.pem --- docker.io-20.10.7/engine/integration/testdata/https/server-cert.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/testdata/https/server-cert.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -1,76 +1,86 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 4 (0x4) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org Validity - Not Before: Dec 4 15:01:20 2013 GMT - Not After : Dec 2 15:01:20 2023 GMT - Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=*/name=changeme/emailAddress=mail@host.domain + Not Before: May 17 19:49:34 2021 GMT + Not After : May 17 19:49:34 2031 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=server/name=moby/emailAddress=moby@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + RSA Public-Key: (2048 bit) Modulus: - 00:c1:ff:7d:30:6f:64:4a:b1:92:b1:71:d1:c1:74: - e2:1d:db:2d:11:24:e1:00:d4:00:ae:6f:c8:9e:ae: - 67:b3:4a:bd:f7:e6:9e:57:6d:19:4c:3c:23:94:2d: - 3d:d6:63:84:d8:fa:76:2b:38:12:c1:ed:20:9d:32: - e0:e8:c2:bf:9a:77:70:04:3f:7f:ca:8c:2c:82:d6: - 3d:25:5c:02:1a:4f:64:93:03:dd:9c:42:97:5e:09: - 49:af:f0:c2:e1:30:08:0e:21:46:95:d1:13:59:c0: - c8:76:be:94:0d:8b:43:67:21:33:b2:08:60:9d:76: - a8:05:32:1e:f9:95:09:14:75 + 00:f2:23:b2:a3:22:03:a2:0b:cd:71:de:19:29:14: + 92:7f:e8:9d:30:7f:e3:0e:13:da:de:f9:9b:5a:65: + ec:22:c5:ce:73:e7:2f:c2:ae:c3:04:eb:72:43:77: + 87:46:d2:63:e2:3a:08:85:9f:58:1f:fc:f3:82:4f: + 5e:4e:5a:92:0f:ac:a1:16:a0:7e:92:a3:8e:aa:93: + fd:4c:e0:ed:f0:96:09:43:b8:e6:ec:72:1b:aa:aa: + 76:3f:79:00:89:26:c4:2f:ff:99:01:95:f2:8e:39: + a0:4f:13:63:bf:6b:6c:40:0f:7c:ed:ee:a8:2b:90: + 11:94:d8:a9:15:c1:91:40:89:13:eb:49:ec:0d:fe: + 4f:cd:41:8f:a6:e0:ab:15:db:45:86:28:23:79:98: + 42:bb:52:a8:96:c3:aa:91:df:5a:67:24:09:4b:2e: + ce:9a:ba:fc:97:4e:89:5e:c3:18:08:4e:31:e4:1c: + b6:65:c2:7e:93:ef:52:e7:92:ee:25:88:07:4a:d5: + 
3d:86:44:31:07:e5:1a:f5:63:dc:c3:11:b5:4d:10: + a0:9c:6a:99:7a:d9:b4:22:07:97:e2:f4:0e:5a:10: + bc:90:09:c1:0f:5a:65:e8:f3:9c:e0:e2:04:29:24: + ee:a7:ee:aa:fa:02:7f:80:ac:9d:ca:9f:0f:8d:f5: + c5:b3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE - Netscape Cert Type: - SSL Server - Netscape Comment: - Easy-RSA Generated Server Certificate X509v3 Subject Key Identifier: - 14:02:FD:FD:DD:13:38:E0:71:EA:D1:BE:C0:0E:89:1A:2D:B6:19:06 + 82:DD:B4:72:E4:DB:12:4E:9A:3B:45:75:F0:1B:4E:7F:43:2C:10:BF X509v3 Authority Key Identifier: - keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB - DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain - serial:FD:AB:EC:6A:84:27:04:A7 + keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 X509v3 Extended Key Usage: TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key Encipherment - Signature Algorithm: sha1WithRSAEncryption - 40:0f:10:39:c4:b7:0f:0d:2f:bf:d2:16:cc:8e:d3:9a:fb:8b: - ce:4b:7b:0d:48:77:ce:f1:fe:d5:8f:ea:b1:71:ed:49:1d:9f: - 23:3a:16:d4:70:7c:c5:29:bf:e4:90:34:d0:f0:00:24:f4:e4: - df:2c:c3:83:01:66:61:c9:a8:ab:29:e7:98:6d:27:89:4a:76: - c9:2e:19:8e:fe:6e:d5:f8:99:11:0e:97:67:4b:34:e3:1e:e3: - 9f:35:00:a5:32:f9:b5:2c:f2:e0:c5:2e:cc:81:bd:18:dd:5c: - 12:c8:6b:fa:0c:17:74:30:55:f6:6e:20:9a:6c:1e:09:b4:0c: - 15:42 + X509v3 Subject Alternative Name: + DNS:*, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 1e:a5:f6:ed:f9:8b:a4:c8:1d:11:e3:03:3b:ec:6a:a2:59:44: + 35:d1:28:0a:0e:b5:84:3c:17:3b:38:6f:e5:8c:03:4c:70:13: + b8:cf:40:3c:4a:5d:bf:96:a6:ca:26:9d:ce:00:13:10:a9:eb: + 91:b4:50:98:a2:68:6f:6b:95:54:46:39:97:74:d6:fd:bb:54: + f4:27:91:b7:4e:9f:bc:85:5f:51:69:59:87:86:7e:1d:06:10: + 74:f5:c3:e3:81:09:e6:77:f5:b7:ed:ae:1c:b0:56:2e:8d:31: + 60:ff:ef:f5:ab:03:fb:da:9a:69:d8:8a:ca:e7:00:99:d5:9f: + 
39:f7:d5:19:4c:57:a1:90:23:c8:21:a3:9b:ab:05:d4:b7:a8: + 7c:12:a9:6e:d5:c3:ae:e0:c0:2c:08:95:da:16:c4:35:e0:89: + 3b:01:f1:f7:b2:d8:15:b6:05:7f:ec:09:fd:0a:5f:a9:48:16: + 11:c1:30:0a:fd:98:71:69:03:91:19:5f:02:14:d7:42:75:fb: + b7:01:af:c2:09:08:4c:7b:c9:d2:bc:0f:2d:de:57:84:9d:8e: + a8:f0:22:7e:eb:05:6e:f3:5b:cd:2f:1f:67:b4:3a:2f:b4:b1: + a6:bd:78:0f:c4:65:c5:01:7a:06:b2:63:3e:a0:de:a7:ef:84: + cc:17:4b:22 -----BEGIN CERTIFICATE----- -MIIEKjCCA5OgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv -cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l -MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv -bWFpbjAeFw0xMzEyMDQxNTAxMjBaFw0yMzEyMDIxNTAxMjBaMIGbMQswCQYDVQQG -EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE -ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEKMAgGA1UEAxQBKjER -MA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21h -aW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMH/fTBvZEqxkrFx0cF04h3b -LREk4QDUAK5vyJ6uZ7NKvffmnldtGUw8I5QtPdZjhNj6dis4EsHtIJ0y4OjCv5p3 -cAQ/f8qMLILWPSVcAhpPZJMD3ZxCl14JSa/wwuEwCA4hRpXRE1nAyHa+lA2LQ2ch -M7IIYJ12qAUyHvmVCRR1AgMBAAGjggFzMIIBbzAJBgNVHRMEAjAAMBEGCWCGSAGG -+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNl -cnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUFAL9/d0TOOBx6tG+wA6JGi22GQYw -gdcGA1UdIwSBzzCBzIAUZu7DFz09q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJ -BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUw -EwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQD -EwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1h -aWxAaG9zdC5kb21haW6CCQD9q+xqhCcEpzATBgNVHSUEDDAKBggrBgEFBQcDATAL -BgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQEFBQADgYEAQA8QOcS3Dw0vv9IWzI7TmvuL -zkt7DUh3zvH+1Y/qsXHtSR2fIzoW1HB8xSm/5JA00PAAJPTk3yzDgwFmYcmoqynn -mG0niUp2yS4Zjv5u1fiZEQ6XZ0s04x7jnzUApTL5tSzy4MUuzIG9GN1cEshr+gwX -dDBV9m4gmmweCbQMFUI= +MIIEPzCCAyegAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx 
+CzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1v +YnktcHJvamVjdDELMAkGA1UECwwCY2kxEDAOBgNVBAMMB21vYnktY2kxDTALBgNV +BCkMBG1vYnkxHzAdBgkqhkiG9w0BCQEWEG1vYnlAZXhhbXBsZS5vcmcwHhcNMjEw +NTE3MTk0OTM0WhcNMzEwNTE3MTk0OTM0WjCBljELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1vYnktcHJv +amVjdDELMAkGA1UECwwCY2kxDzANBgNVBAMMBnNlcnZlcjENMAsGA1UEKQwEbW9i +eTEfMB0GCSqGSIb3DQEJARYQbW9ieUBleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAPIjsqMiA6ILzXHeGSkUkn/onTB/4w4T2t75m1pl +7CLFznPnL8KuwwTrckN3h0bSY+I6CIWfWB/884JPXk5akg+soRagfpKjjqqT/Uzg +7fCWCUO45uxyG6qqdj95AIkmxC//mQGV8o45oE8TY79rbEAPfO3uqCuQEZTYqRXB +kUCJE+tJ7A3+T81Bj6bgqxXbRYYoI3mYQrtSqJbDqpHfWmckCUsuzpq6/JdOiV7D +GAhOMeQctmXCfpPvUueS7iWIB0rVPYZEMQflGvVj3MMRtU0QoJxqmXrZtCIHl+L0 +DloQvJAJwQ9aZejznODiBCkk7qfuqvoCf4CsncqfD431xbMCAwEAAaOBlDCBkTAJ +BgNVHRMEAjAAMB0GA1UdDgQWBBSC3bRy5NsSTpo7RXXwG05/QywQvzAfBgNVHSME +GDAWgBSFV9D/qbQeH4Az+7g07X0GOc00mDATBgNVHSUEDDAKBggrBgEFBQcDATAv +BgNVHREEKDAmggEqgglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEw +DQYJKoZIhvcNAQELBQADggEBAB6l9u35i6TIHRHjAzvsaqJZRDXRKAoOtYQ8Fzs4 +b+WMA0xwE7jPQDxKXb+Wpsomnc4AExCp65G0UJiiaG9rlVRGOZd01v27VPQnkbdO +n7yFX1FpWYeGfh0GEHT1w+OBCeZ39bftrhywVi6NMWD/7/WrA/vammnYisrnAJnV +nzn31RlMV6GQI8gho5urBdS3qHwSqW7Vw67gwCwIldoWxDXgiTsB8fey2BW2BX/s +Cf0KX6lIFhHBMAr9mHFpA5EZXwIU10J1+7cBr8IJCEx7ydK8Dy3eV4SdjqjwIn7r +BW7zW80vH2e0Oi+0saa9eA/EZcUBegayYz6g3qfvhMwXSyI= -----END CERTIFICATE----- diff -Nru docker.io-20.10.7/engine/integration/testdata/https/server-key.pem docker.io-20.10.11/engine/integration/testdata/https/server-key.pem --- docker.io-20.10.7/engine/integration/testdata/https/server-key.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration/testdata/https/server-key.pem 2021-11-18 00:21:59.000000000 +0000 
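Review bot: The regenerated server certificate has no `X509v3 Key Usage` extension, whereas the certificate it replaces limited the key to `Digital Signature, Key Encipherment`; only `Extended Key Usage` constrains it now. The same extension is dropped from the `integration-cli/fixtures/https` copies of `server-cert.pem` and `client-cert.pem` later in this diff, and the new `ca.pem` text dump shows none either. If the tests are meant to exercise production-shaped certificates, regenerate with `keyUsage = digitalSignature, keyEncipherment` for the server, `keyUsage = digitalSignature` for the client and `keyUsage = critical, keyCertSign, cRLSign` for the CA. The OpenSSL configuration that produced these files is not part of the diff, so where those lines belong is an assumption.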
@@ -1,16 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMH/fTBvZEqxkrFx -0cF04h3bLREk4QDUAK5vyJ6uZ7NKvffmnldtGUw8I5QtPdZjhNj6dis4EsHtIJ0y -4OjCv5p3cAQ/f8qMLILWPSVcAhpPZJMD3ZxCl14JSa/wwuEwCA4hRpXRE1nAyHa+ -lA2LQ2chM7IIYJ12qAUyHvmVCRR1AgMBAAECgYAmwckb9RUfSwyYgLm8IYLPHiuJ -wkllZfVg5Bo7gXJcQnFjZmJ56uTj8xvUjZlODIHM63TSO5ibv6kFXtXKCqZGd2M+ -wGbhZ0f+2GvKcwMmJERnIQjuoNaYSQLT0tM0VB9Iz0rJlZC+tzPZ+5pPqEumRdsS -IzWNXfF42AhcbwAQYQJBAPVXtMYIJc9EZsz86ZcQiMPWUpCX5vnRmtwL8kKyR8D5 -4KfYeiowyFffSRMMcclwNHq7TgSXN+nIXM9WyzyzwikCQQDKbNA28AgZp9aT54HP -WnbeE2pmt+uk/zl/BtxJSoK6H+69Jec+lf7EgL7HgOWYRSNot4uQWu8IhsHLTiUq -+0FtAkEAqwlRxRy4/x24bP+D+QRV0/D97j93joFJbE4Hved7jlSlAV4xDGilwlyv -HNB4Iu5OJ6Gcaibhm+FKkmD3noHSwQJBAIpu3fokLzX0bS+bDFBU6qO3HXX/47xj -+tsfQvkwZrSI8AkU6c8IX0HdVhsz0FBRQAT2ORDQz1XCarfxykNZrwUCQQCGCBIc -BBCWzhHlswlGidWJg3HqqO6hPPClEr3B5G87oCsdeYwiO23XT6rUnoJXfJHp6oCW -5nCwDu5ZTP+khltg ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA8iOyoyIDogvNcd4ZKRSSf+idMH/jDhPa3vmbWmXsIsXOc+cv +wq7DBOtyQ3eHRtJj4joIhZ9YH/zzgk9eTlqSD6yhFqB+kqOOqpP9TODt8JYJQ7jm +7HIbqqp2P3kAiSbEL/+ZAZXyjjmgTxNjv2tsQA987e6oK5ARlNipFcGRQIkT60ns +Df5PzUGPpuCrFdtFhigjeZhCu1KolsOqkd9aZyQJSy7Omrr8l06JXsMYCE4x5By2 +ZcJ+k+9S55LuJYgHStU9hkQxB+Ua9WPcwxG1TRCgnGqZetm0IgeX4vQOWhC8kAnB +D1pl6POc4OIEKSTup+6q+gJ/gKydyp8PjfXFswIDAQABAoIBAEKIvJVGy2jDhXg8 +Zv16waaT7F1fRqyfmAyc2atFRlVntQr0A5OjIcNATu1q8qjrNrb660yMNFLV1rN/ +y5IMIQZdkQX+o8j3WERW1ctCIx9wmqsZK5rc3+1NWaCnRxZoqI/n08szwKqD+yC/ +WzFF+0C/AL0ATwVpWOtlfVCVF6x7dTkTqtc+65C/nw86ymp6cDq7Fh39d0deD8HB +h4zxGnvTr4jFGkFWg6Vq4XdzKdVeVz/Njw19wJjdi/6Q3aC90APlJ6nuX3OWv6VV +/Xs9rXqIUS4bhYyRrzCQ5Y/vINZCx3ekKynfghul4NDE4zo1GQm3E+7tVYZ6ll+9 ++uHeUwECgYEA81NxVe5ViOWa4NFXucAgiNGl7KkN9/gDh77weXzGPhZDBULTv4OC +yKokQOnn41qF5eq+YRKr+B733fGEhwJRoEyoyXSDpgTxdJHKmohdxGfsRoOEMO4Z +ALm9+XmJYTq11l01M5Jqn36Smz5+iXAD7QVQdZMnA++IaBs2/uTuEQMCgYEA/sBv +GweGKfdM11ZckNG8ocrAhkttq+5V9uFcGcpBmw08vu/Woy+L1dFvyUa7Hc/l6fe1 
+PLdTvNaSK6mP/gfeevwNlS1NUVLtdnOq9cl/1/xfqi8Cj46VUTqRaEQMKHCeXyuA +A3N1k06hMuW/bYstspyWvGyjsWth5QT7MNjkYZECgYEAoWcoNqfxdO1Y3uf+GOio +rBjkxyccbO/G57RwLyXlGioKKuM5MkA58IFrquN9PgI971TXE+0exWdFY6NhFW0k +WACBtZ/j86wzve83RWpPSIjm4Z87gHlvfFu4+FL2Hdij5Z3OPHdS4plDBldd+Cyl +bgOoa1VA/AtXoDbtNAcHI6ECgYB7b6ymMSgd73jpIixp82ZuErrkl2nFlA9NN3cT ++/977JcRgU7D9UbRTNDYexAxasnhaygDCmVlq6ZZx6hAk3mGp9jA/plnHUJ4UaV1 +wLPUaLHF2U9pVdId8L4CAm7NrXvfa0l04p4GyWOsMMxnfLegwuT62b0bO4fMm3RG +/+DxMQKBgQDTz8wKQFRWuDYshcRKJ8GB7Czgb4aFU0iTPFC4ql1HXkiGePDXyWjC ++6JQ3dTadn8HA540nCOWWvpgWeSCec9Q5YslpIdupMKpCx/zUfZZ2Y2/y+yJdQCr +gGDf7LxhxBHQFyCLM9KuTdCzhQPsHVFHFrfr1UdDEe/e9QaJAyUw7Q== +-----END RSA PRIVATE KEY----- diff -Nru docker.io-20.10.7/engine/integration-cli/fixtures/https/ca.pem docker.io-20.10.11/engine/integration-cli/fixtures/https/ca.pem --- docker.io-20.10.7/engine/integration-cli/fixtures/https/ca.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration-cli/fixtures/https/ca.pem 2021-11-18 00:21:59.000000000 +0000 
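Review bot: This file is an unencrypted RSA private key committed beside its certificate, and nothing in the visible hunks records that the key pair is test-only or how it was produced. The same key appears to be added again as `integration-cli/fixtures/https/server-key.pem`, so two directories carry the same published key. A short README beside each fixture set would cover it, for example `Test fixtures only: these keys are public, never add ca.pem to a trust store outside the test suite.`, together with the command used to generate the set, since the certificates expire on May 17 2031. The PEM label also changes from `BEGIN PRIVATE KEY` to `BEGIN RSA PRIVATE KEY` (PKCS#8 to PKCS#1), which is worth confirming against every loader that reads these files. Listing the two fixture directories in the secret-scanner allowlist keeps these known test keys from hiding a real leak among the findings.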
@@ -1,23 +1,82 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 45:9c:ce:13:92:42:39:2e:90:f5:93:05:f1:03:92:17:5d:e4:89:8d + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org + Validity + Not Before: May 17 19:49:34 2021 GMT + Not After : May 17 19:49:34 2031 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c2:5a:af:10:15:fb:c8:46:c4:31:d7:ee:ec:d9: + c4:1e:c3:b3:b6:4c:ec:e1:2b:57:40:a2:74:cd:d5: + 8e:7d:69:b6:22:60:21:05:be:a5:92:40:4c:43:2b: + eb:c9:00:32:5f:59:1c:59:50:e2:98:df:ff:9b:2d: + 16:9f:c6:a0:57:78:bc:ae:a5:8d:b3:7d:98:73:7a: + 6f:d2:05:52:15:89:89:22:ec:9d:9a:e7:c7:35:8f: + 6b:38:a3:33:54:c5:74:2a:05:ad:af:a0:8a:54:7b: + 7d:d4:6a:9b:2b:90:cb:9a:e7:6e:94:bd:a2:f3:5b: + 40:d1:fa:4d:ec:fd:6f:14:1d:89:5b:fc:35:c2:1c: + 98:0b:c4:53:7a:25:16:3f:02:e9:e8:46:20:4d:e8: + 1e:25:0d:0d:10:e9:36:42:2a:88:d9:91:b3:fa:9e: + 07:c0:a9:b1:44:db:2c:e5:cb:85:bf:4a:38:a0:cf: + 7e:2c:20:e5:a9:cf:49:2a:6f:e3:b8:93:fd:38:9b: + 2a:c2:ea:c3:0f:3b:f5:f3:30:c8:f7:51:d5:8b:d0: + 5e:97:75:21:e4:d2:47:ca:1d:66:4a:36:b2:81:13: + d9:13:19:0d:35:04:84:ca:35:f4:47:f9:47:37:21: + 64:95:a1:cb:8a:01:d3:e6:50:e2:01:17:e5:0e:64: + 89:0d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 + X509v3 Authority Key Identifier: + keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + 46:73:2d:4b:ce:b0:c2:13:19:85:97:67:95:d9:15:6f:cf:e0: + 89:e4:42:90:4e:a3:5a:64:8c:e9:92:6f:b4:cb:56:e6:ec:6e: + 91:04:18:12:79:ca:70:bb:e5:ba:5d:ed:fe:8c:47:7e:8f:8b: + 
bd:9f:40:5a:63:51:b8:80:6f:b2:7b:ff:c1:43:68:7d:21:0c: + 0a:a4:ea:b7:2d:0a:31:e4:3e:5e:bb:72:bd:63:6b:a1:2d:d3: + ca:6a:e0:af:17:52:12:71:73:77:41:11:f1:24:32:54:b4:67: + c9:5e:b1:f1:cf:bd:95:91:c8:9c:43:4f:3f:c3:f6:3c:0e:41: + 2b:f9:c7:25:3f:17:4d:4a:e7:27:36:bc:9e:d4:30:e6:6e:29: + 95:e4:33:66:b4:2e:11:ac:97:61:df:3f:4d:03:8e:96:04:10: + a5:d8:5f:85:a3:4b:6c:d5:1c:7d:17:8c:4c:8a:cb:9d:27:65: + 2c:ee:dd:2b:19:27:1a:57:3c:68:2d:eb:6e:e8:b2:59:8c:0a: + 17:75:ba:fc:89:d8:fc:c0:45:44:8a:a1:9c:52:b0:f3:b7:6d: + f2:2e:24:ee:50:d9:27:4d:33:89:5c:97:34:b0:47:81:94:4b: + c1:b4:aa:d9:65:b5:4f:98:0b:a9:76:30:a0:ef:f1:71:23:0f: + 04:dc:83:fd -----BEGIN CERTIFICATE----- -MIID0TCCAzqgAwIBAgIJAP2r7GqEJwSnMA0GCSqGSIb3DQEBBQUAMIGiMQswCQYD -VQQGEwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMG -A1UEChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTERMA8GA1UEAxMI -Y2hhbmdlbWUxETAPBgNVBCkTCGNoYW5nZW1lMR8wHQYJKoZIhvcNAQkBFhBtYWls -QGhvc3QuZG9tYWluMB4XDTEzMTIwMzE2NTYzMFoXDTIzMTIwMTE2NTYzMFowgaIx -CzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2Nv -MRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYD -VQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEW -EG1haWxAaG9zdC5kb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALAn -0xDw+5y7ZptQacq66pUhRu82JP2WU6IDgo5QUtNU6/CX5PwQATe/OnYTZQFbksxp -AU9boG0FCkgxfsgPYXEuZxVEGKI2fxfKHOZZI8mrkWmj6eWU/0cvCjGVc9rTITP5 -sNQvg+hORyVDdNp2IdsbMJayiB3AQYMFx3vSDOMTAgMBAAGjggELMIIBBzAdBgNV -HQ4EFgQUZu7DFz09q0QBa2+ymRm9qgK1NPswgdcGA1UdIwSBzzCBzIAUZu7DFz09 -q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD -QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x -ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI -Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq -hCcEpzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAF8fJKKM+/oOdnNi -zEd0M1+PmZOyqvjYQn/2ZR8UHH6Imgc/OPQKZXf0bVE1Txc/DaUNn9Isd1SuCuaE -ic3vAIYYU7PmgeNN6vwec48V96T7jr+GAi6AVMhQEc2hHCfVtx11Xx+x6aHDZzJt 
-Zxtf5lL6KSO9Y+EFwM+rju6hm5hW +MIIEETCCAvmgAwIBAgIURZzOE5JCOS6Q9ZMF8QOSF13kiY0wDQYJKoZIhvcNAQEL +BQAwgZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FuRnJh +bmNpc2NvMRUwEwYDVQQKDAxNb2J5LXByb2plY3QxCzAJBgNVBAsMAmNpMRAwDgYD +VQQDDAdtb2J5LWNpMQ0wCwYDVQQpDARtb2J5MR8wHQYJKoZIhvcNAQkBFhBtb2J5 +QGV4YW1wbGUub3JnMB4XDTIxMDUxNzE5NDkzNFoXDTMxMDUxNzE5NDkzNFowgZcx +CzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEVMBMGA1UEBwwMU2FuRnJhbmNpc2Nv +MRUwEwYDVQQKDAxNb2J5LXByb2plY3QxCzAJBgNVBAsMAmNpMRAwDgYDVQQDDAdt +b2J5LWNpMQ0wCwYDVQQpDARtb2J5MR8wHQYJKoZIhvcNAQkBFhBtb2J5QGV4YW1w +bGUub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwlqvEBX7yEbE +Mdfu7NnEHsOztkzs4StXQKJ0zdWOfWm2ImAhBb6lkkBMQyvryQAyX1kcWVDimN// +my0Wn8agV3i8rqWNs32Yc3pv0gVSFYmJIuydmufHNY9rOKMzVMV0KgWtr6CKVHt9 +1GqbK5DLmudulL2i81tA0fpN7P1vFB2JW/w1whyYC8RTeiUWPwLp6EYgTegeJQ0N +EOk2QiqI2ZGz+p4HwKmxRNss5cuFv0o4oM9+LCDlqc9JKm/juJP9OJsqwurDDzv1 +8zDI91HVi9Bel3Uh5NJHyh1mSjaygRPZExkNNQSEyjX0R/lHNyFklaHLigHT5lDi +ARflDmSJDQIDAQABo1MwUTAdBgNVHQ4EFgQUhVfQ/6m0Hh+AM/u4NO19BjnNNJgw +HwYDVR0jBBgwFoAUhVfQ/6m0Hh+AM/u4NO19BjnNNJgwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAAOCAQEARnMtS86wwhMZhZdnldkVb8/gieRCkE6jWmSM +6ZJvtMtW5uxukQQYEnnKcLvlul3t/oxHfo+LvZ9AWmNRuIBvsnv/wUNofSEMCqTq +ty0KMeQ+XrtyvWNroS3TymrgrxdSEnFzd0ER8SQyVLRnyV6x8c+9lZHInENPP8P2 +PA5BK/nHJT8XTUrnJza8ntQw5m4pleQzZrQuEayXYd8/TQOOlgQQpdhfhaNLbNUc +fReMTIrLnSdlLO7dKxknGlc8aC3rbuiyWYwKF3W6/InY/MBFRIqhnFKw87dt8i4k +7lDZJ00ziVyXNLBHgZRLwbSq2WW1T5gLqXYwoO/xcSMPBNyD/Q== -----END CERTIFICATE----- diff -Nru docker.io-20.10.7/engine/integration-cli/fixtures/https/client-cert.pem docker.io-20.10.11/engine/integration-cli/fixtures/https/client-cert.pem --- docker.io-20.10.7/engine/integration-cli/fixtures/https/client-cert.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration-cli/fixtures/https/client-cert.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -2,72 +2,85 @@ Data: Version: 3 (0x2) Serial Number: 3 (0x3) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org Validity - Not Before: Dec 4 14:17:54 2013 GMT - Not After : Dec 2 14:17:54 2023 GMT - Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client/name=changeme/emailAddress=mail@host.domain + Not Before: May 17 19:49:34 2021 GMT + Not After : May 17 19:49:34 2031 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=client/name=moby/emailAddress=moby@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + RSA Public-Key: (2048 bit) Modulus: - 00:ca:c9:05:d0:09:4e:3e:a4:fc:d5:14:f4:a5:e8: - 34:d3:6b:51:e3:f3:62:ea:a1:f0:e8:ed:c4:2a:bc: - f0:4f:ca:07:df:e3:88:fa:f4:21:99:35:0e:3d:ea: - b0:86:e7:c4:d2:8a:83:2b:42:b8:ec:a3:99:62:70: - 81:46:cc:fc:a5:1d:d2:63:e8:eb:07:25:9a:e2:25: - 6d:11:56:f2:1a:51:a1:b6:3e:1c:57:32:e9:7b:2c: - aa:1b:cc:97:2d:89:2d:b1:c9:5e:35:28:4d:7c:fa: - 65:31:3e:f7:70:dd:6e:0b:3c:58:af:a8:2e:24:c0: - 7e:4e:78:7d:0a:9e:8f:42:43 + 00:e3:20:9f:c9:63:fe:29:a9:0e:21:e0:4d:4c:42: + cb:cc:9f:29:8c:73:5d:f7:88:bd:81:62:1f:b2:a3: + 95:4d:3a:58:28:af:f0:3e:aa:a7:c2:c6:52:b9:94: + 9f:6b:58:d6:9a:08:b4:5f:60:fb:f1:ea:e7:49:8d: + 46:35:e2:e9:82:9f:20:44:41:82:a7:fa:ab:82:1b: + 03:7f:f0:4e:78:38:37:20:9d:67:43:c0:e2:8f:09: + 07:3f:7f:96:13:7a:64:c5:90:13:87:71:6d:ed:e7: + 28:3a:05:48:eb:d6:e6:27:da:46:f9:a4:5c:66:49: + 56:5f:88:87:4e:0a:8b:fe:ea:05:a6:c1:72:b9:94: + d5:8e:d4:9a:18:58:ac:56:1b:34:3e:c3:50:06:5d: + f3:3d:85:93:2c:8b:3f:33:e6:32:14:92:9e:fd:fc: + 5d:8a:71:1b:20:67:43:e0:72:fc:4e:31:c6:b7:03: + 98:99:e7:95:ef:7c:5a:30:cf:c1:a4:43:42:fb:be: + 
1b:a7:08:d5:e0:b5:b2:10:ff:0f:e1:0d:ee:3e:b2: + 04:05:86:1e:72:a9:d6:16:84:37:73:28:5d:d9:3c: + fd:f3:99:18:dc:90:83:59:23:90:bc:25:33:0f:23: + 48:9d:d2:97:a0:ac:94:4f:8e:31:22:cc:74:83:f7: + 31:9d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE - Netscape Comment: - Easy-RSA Generated Certificate X509v3 Subject Key Identifier: - DE:42:EF:2D:98:A3:6C:A8:AA:E0:8C:71:2C:9D:64:23:A9:E2:7E:81 + 23:1C:5A:99:1A:2B:BC:FD:39:97:8D:1F:5A:49:BF:4F:33:0F:26:C1 X509v3 Authority Key Identifier: - keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB - DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain - serial:FD:AB:EC:6A:84:27:04:A7 + keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 X509v3 Extended Key Usage: TLS Web Client Authentication - X509v3 Key Usage: - Digital Signature - Signature Algorithm: sha1WithRSAEncryption - 1c:44:26:ea:e1:66:25:cb:e4:8e:57:1c:f6:b9:17:22:62:40: - 12:90:8f:3b:b2:61:7a:54:94:8f:b1:20:0b:bf:a3:51:e3:fa: - 1c:a1:be:92:3a:d0:76:44:c0:57:83:ab:6a:e4:1a:45:49:a4: - af:39:0d:60:32:fc:3a:be:d7:fb:5d:99:7a:1f:87:e7:d5:ab: - 84:a2:5e:90:d8:bf:fa:89:6d:32:26:02:5e:31:35:68:7f:31: - f5:6b:51:46:bc:af:70:ed:5a:09:7d:ec:b2:48:4f:fe:c5:2f: - 56:04:ad:f6:c1:d2:2a:e4:6a:c4:87:fe:08:35:c5:38:cb:5e: - 4a:c4 + X509v3 Subject Alternative Name: + DNS:*, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 4d:79:c0:07:ac:13:51:00:5c:4b:70:6d:9f:bf:87:c8:ac:31: + c9:37:5e:4e:4c:9f:c6:cd:a4:e3:df:72:b5:06:28:9d:f6:3e: + 32:b5:01:81:43:78:6d:93:b2:b2:0a:0b:95:64:f2:25:a4:5e: + d1:4b:b1:11:5c:54:17:21:a7:f7:e6:73:af:f2:53:54:b3:69: + 40:8c:26:5b:1b:a7:63:07:26:c4:d2:c4:7a:64:b3:ab:f1:23: + fa:58:9c:b2:b7:17:35:34:91:dd:84:bb:b0:ee:a6:cd:78:cf: + 32:39:d8:5f:23:ad:62:ef:82:38:88:cd:34:1b:7d:3b:02:a8: + 75:70:72:50:33:44:a4:65:01:14:ef:78:46:3b:27:4e:82:e6: + 
01:1b:5c:65:97:2c:08:f7:4f:e6:ee:dd:1c:40:0c:48:59:33: + 5e:c7:da:bf:40:ce:b0:e9:03:95:6f:a8:07:b3:7f:6b:15:cd: + c0:6f:57:e3:73:99:67:aa:fd:90:6c:a7:6f:ff:b9:5f:f6:8a: + 8c:93:f1:c3:75:34:10:c6:6c:0e:ae:0a:22:6b:16:6c:56:41: + 0a:b5:e6:74:52:b8:3e:f2:e4:fc:f1:54:a0:84:90:d5:97:70: + 25:4b:28:2c:8a:ec:46:0a:63:ac:32:c6:cd:96:71:ee:f6:17: + 2c:e9:60:5e -----BEGIN CERTIFICATE----- -MIIEFTCCA36gAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv -cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l -MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv -bWFpbjAeFw0xMzEyMDQxNDE3NTRaFw0yMzEyMDIxNDE3NTRaMIGgMQswCQYDVQQG -EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE -ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEPMA0GA1UEAxMGY2xp -ZW50MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0 -LmRvbWFpbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyskF0AlOPqT81RT0 -peg002tR4/Ni6qHw6O3EKrzwT8oH3+OI+vQhmTUOPeqwhufE0oqDK0K47KOZYnCB -Rsz8pR3SY+jrByWa4iVtEVbyGlGhtj4cVzLpeyyqG8yXLYktscleNShNfPplMT73 -cN1uCzxYr6guJMB+Tnh9Cp6PQkMCAwEAAaOCAVkwggFVMAkGA1UdEwQCMAAwLQYJ -YIZIAYb4QgENBCAWHkVhc3ktUlNBIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNV -HQ4EFgQU3kLvLZijbKiq4IxxLJ1kI6nifoEwgdcGA1UdIwSBzzCBzIAUZu7DFz09 -q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJD -QTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUwEwYDVQQKEwxGb3J0LUZ1bnN0b24x -ETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQDEwhjaGFuZ2VtZTERMA8GA1UEKRMI -Y2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21haW6CCQD9q+xq -hCcEpzATBgNVHSUEDDAKBggrBgEFBQcDAjALBgNVHQ8EBAMCB4AwDQYJKoZIhvcN -AQEFBQADgYEAHEQm6uFmJcvkjlcc9rkXImJAEpCPO7JhelSUj7EgC7+jUeP6HKG+ -kjrQdkTAV4OrauQaRUmkrzkNYDL8Or7X+12Zeh+H59WrhKJekNi/+oltMiYCXjE1 -aH8x9WtRRryvcO1aCX3sskhP/sUvVgSt9sHSKuRqxIf+CDXFOMteSsQ= +MIIEPzCCAyegAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +CzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1v 
+YnktcHJvamVjdDELMAkGA1UECwwCY2kxEDAOBgNVBAMMB21vYnktY2kxDTALBgNV +BCkMBG1vYnkxHzAdBgkqhkiG9w0BCQEWEG1vYnlAZXhhbXBsZS5vcmcwHhcNMjEw +NTE3MTk0OTM0WhcNMzEwNTE3MTk0OTM0WjCBljELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1vYnktcHJv +amVjdDELMAkGA1UECwwCY2kxDzANBgNVBAMMBmNsaWVudDENMAsGA1UEKQwEbW9i +eTEfMB0GCSqGSIb3DQEJARYQbW9ieUBleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAOMgn8lj/impDiHgTUxCy8yfKYxzXfeIvYFiH7Kj +lU06WCiv8D6qp8LGUrmUn2tY1poItF9g+/Hq50mNRjXi6YKfIERBgqf6q4IbA3/w +Tng4NyCdZ0PA4o8JBz9/lhN6ZMWQE4dxbe3nKDoFSOvW5ifaRvmkXGZJVl+Ih04K +i/7qBabBcrmU1Y7UmhhYrFYbND7DUAZd8z2FkyyLPzPmMhSSnv38XYpxGyBnQ+By +/E4xxrcDmJnnle98WjDPwaRDQvu+G6cI1eC1shD/D+EN7j6yBAWGHnKp1haEN3Mo +Xdk8/fOZGNyQg1kjkLwlMw8jSJ3Sl6CslE+OMSLMdIP3MZ0CAwEAAaOBlDCBkTAJ +BgNVHRMEAjAAMB0GA1UdDgQWBBQjHFqZGiu8/TmXjR9aSb9PMw8mwTAfBgNVHSME +GDAWgBSFV9D/qbQeH4Az+7g07X0GOc00mDATBgNVHSUEDDAKBggrBgEFBQcDAjAv +BgNVHREEKDAmggEqgglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEw +DQYJKoZIhvcNAQELBQADggEBAE15wAesE1EAXEtwbZ+/h8isMck3Xk5Mn8bNpOPf +crUGKJ32PjK1AYFDeG2TsrIKC5Vk8iWkXtFLsRFcVBchp/fmc6/yU1SzaUCMJlsb +p2MHJsTSxHpks6vxI/pYnLK3FzU0kd2Eu7Dups14zzI52F8jrWLvgjiIzTQbfTsC +qHVwclAzRKRlARTveEY7J06C5gEbXGWXLAj3T+bu3RxADEhZM17H2r9AzrDpA5Vv +qAezf2sVzcBvV+NzmWeq/ZBsp2//uV/2ioyT8cN1NBDGbA6uCiJrFmxWQQq15nRS +uD7y5PzxVKCEkNWXcCVLKCyK7EYKY6wyxs2Wce72FyzpYF4= -----END CERTIFICATE----- diff -Nru docker.io-20.10.7/engine/integration-cli/fixtures/https/client-key.pem docker.io-20.10.11/engine/integration-cli/fixtures/https/client-key.pem --- docker.io-20.10.7/engine/integration-cli/fixtures/https/client-key.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration-cli/fixtures/https/client-key.pem 2021-11-18 00:21:59.000000000 +0000 
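Review bot: The new client certificate carries the same `X509v3 Subject Alternative Name` list as the server certificate (`DNS:*, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1`), which client authentication does not need. Only `TLS Web Client Authentication` in the Extended Key Usage separates it from a server certificate, so a verifier that skips the EKU check would accept it for `localhost`. Presumably one extension section was reused for both leaves; generating the client certificate from a section without `subjectAltName` would keep the two roles distinct. The generation config is not visible in the diff, so this is inferred from the text dump alone.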
@@ -1,16 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAMrJBdAJTj6k/NUU -9KXoNNNrUePzYuqh8OjtxCq88E/KB9/jiPr0IZk1Dj3qsIbnxNKKgytCuOyjmWJw -gUbM/KUd0mPo6wclmuIlbRFW8hpRobY+HFcy6XssqhvMly2JLbHJXjUoTXz6ZTE+ -93Ddbgs8WK+oLiTAfk54fQqej0JDAgMBAAECgYBOFEzKp2qbMEexe9ofL2N3rDDh -xkrl8OijpzkLA6i78BxMFn4dsnZlWUpciMrjhsYAExkiRRSS+QMMJimAq1jzQqc3 -FAQV2XGYwkd0cUn7iZGvfNnEPysjsfyYQM+m+sT0ATj4BZjVShC6kkSjTdm1leLN -OSvcHdcu3Xxg9ufF0QJBAPYdnNt5sIndt2WECePuRVi+uF4mlxTobFY0fjn26yhC -4RsnhhD3Vldygo9gvnkwrAZYaALGSPBewes2InxvjA8CQQDS7erKiNXpwoqz5XiU -SVEsIIVTdWzBjGbIqMOu/hUwM5FK4j6JTBks0aTGMyh0YV9L1EzM0X79J29JahCe -iQKNAkBKNMOGqTpBV0hko1sYDk96YobUXG5RL4L6uvkUIQ7mJMQam+AgXXL7Ctuy -v0iu4a38e8tgisiTMP7nHHtpaXihAkAOiN54/lzfMsykANgCP9scE1GcoqbP34Dl -qttxH4kOPT9xzY1JoLjLYdbc4YGUI3GRpBt2sajygNkmUey7P+2xAkBBsVCZFvTw -qHvOpPS2kX5ml5xoc/QAHK9N7kR+X7XFYx82RTVSqJEK4lPb+aEWn+CjiIewO4Q5 -ksDFuNxAzbhl ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpgIBAAKCAQEA4yCfyWP+KakOIeBNTELLzJ8pjHNd94i9gWIfsqOVTTpYKK/w +PqqnwsZSuZSfa1jWmgi0X2D78ernSY1GNeLpgp8gREGCp/qrghsDf/BOeDg3IJ1n +Q8DijwkHP3+WE3pkxZATh3Ft7ecoOgVI69bmJ9pG+aRcZklWX4iHTgqL/uoFpsFy +uZTVjtSaGFisVhs0PsNQBl3zPYWTLIs/M+YyFJKe/fxdinEbIGdD4HL8TjHGtwOY +meeV73xaMM/BpENC+74bpwjV4LWyEP8P4Q3uPrIEBYYecqnWFoQ3cyhd2Tz985kY +3JCDWSOQvCUzDyNIndKXoKyUT44xIsx0g/cxnQIDAQABAoIBAQCZ0oGFIlyDGISC +uud+64oc9fpsrcGJIKm/k5YGJTW7jPUh8S4TMv7VMf3aw+ZIDG2i+pw2MHfRepbT +wIM5gYlGNsDimT+ExocbYXI4Vqa+Usw7IX9LarnFx4aKIb2hSXYwOwiO5WpfAfvD +d8rQNsW/XdxNvFv7xlVh9BQ27Xus0sjz7dNBSt+LQ4hSyfZgFwbXh1+E9k6PDhnX +oYFz4/U/1G+HwXKivvKcRIkYZpMyD80H/M4+bB9x6btFvb4+R3K6Ii8wh+VMz5pX +Nm+mN8d3W/7Mhyof8EbbQpJMdwemzI7lM6wf1FPfSEeKXAclJ3+BnjOuh295Jv4Z +u+YWhzDhAoGBAPcRWiVyU7US7K4dhbVo2zyM6mGO3gFBXgeSwFFby8kMsbi8aewt +m90WMdWjvITw/sNsIRye7sCUVXOmGgz+5UfxRKtcFB5JnfLymrmQS7y1+TZ1WRak +T0400U+VEE4Cw3vkd4lFbyu94P4iDmn816Ix6tR8UTt11wMG3NgVoFSFAoGBAOtW +uKYN58BXWA3nU9rPEKq7n1cx7ML/xFvIPPNWp+6Pc1EJ2yX7tnyhPzvPdm3+XdTz 
+PU0oIBVfKNToPqYJRX8kK4hCYPvgOOAccZkSrxe3jBupKW72BwVvl/wN6Yb7ggda +NMbsQ85XyF4K9bvIFxROrR1K/nsowO0UaLvtEOA5AoGBALf2pabIT+e95Zlnxg1j +vAqD6mkl1cwdfgQpkyWBMmXLG/Gv6TbAZxPh2M14k4BxaWDdfHIxLRkb2dy4yyDu +Eo7U6QqnDxvWONOTLP4KoTosTRntmp4vThWvYkLdfTx49lGjthXyK2rogUT42r60 +U2Mjw/TfdCTQA37vdzU2NSF5AoGBAOZQpsEMVsRsNqbUv8IiZ8NPf2+MUpO8T+Ur +IEtdgVf9V/P1W13e7Acon4PfU53uFNJ1gobiQBPqX0GOUNGZvUPimB/wJo4aME9U +RvBx0p25agsgEIahjNmLDwkEbIlH10duxrvvOaTVUCiJPVibR8r9/HnwjQDnL3hW +QvG33o4xAoGBAOsX3ABiBnXzqotDlqgoofgmv7zGkjZByiGQz3d+nL74ucRmZRgX +aeYb14YbJ1I1sGj2u2fPa4P1EJ0RnjgYkaQ7c0ZyTXceS+2/LtJ56RvRepKKs+Yg +fX1EruZYZvoDW+AViWF784CzpIpmedgB7dbXJPahTh0Q76OWQdP3T/uh +-----END RSA PRIVATE KEY----- diff -Nru docker.io-20.10.7/engine/integration-cli/fixtures/https/server-cert.pem docker.io-20.10.11/engine/integration-cli/fixtures/https/server-cert.pem --- docker.io-20.10.7/engine/integration-cli/fixtures/https/server-cert.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration-cli/fixtures/https/server-cert.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -1,76 +1,86 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 4 (0x4) - Signature Algorithm: sha1WithRSAEncryption - Issuer: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=moby-ci/name=moby/emailAddress=moby@example.org Validity - Not Before: Dec 4 15:01:20 2013 GMT - Not After : Dec 2 15:01:20 2023 GMT - Subject: C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=*/name=changeme/emailAddress=mail@host.domain + Not Before: May 17 19:49:34 2021 GMT + Not After : May 17 19:49:34 2031 GMT + Subject: C=US, ST=CA, L=SanFrancisco, O=Moby-project, OU=ci, CN=server/name=moby/emailAddress=moby@example.org Subject Public Key Info: Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit) + RSA Public-Key: (2048 bit) Modulus: - 00:c1:ff:7d:30:6f:64:4a:b1:92:b1:71:d1:c1:74: - e2:1d:db:2d:11:24:e1:00:d4:00:ae:6f:c8:9e:ae: - 67:b3:4a:bd:f7:e6:9e:57:6d:19:4c:3c:23:94:2d: - 3d:d6:63:84:d8:fa:76:2b:38:12:c1:ed:20:9d:32: - e0:e8:c2:bf:9a:77:70:04:3f:7f:ca:8c:2c:82:d6: - 3d:25:5c:02:1a:4f:64:93:03:dd:9c:42:97:5e:09: - 49:af:f0:c2:e1:30:08:0e:21:46:95:d1:13:59:c0: - c8:76:be:94:0d:8b:43:67:21:33:b2:08:60:9d:76: - a8:05:32:1e:f9:95:09:14:75 + 00:f2:23:b2:a3:22:03:a2:0b:cd:71:de:19:29:14: + 92:7f:e8:9d:30:7f:e3:0e:13:da:de:f9:9b:5a:65: + ec:22:c5:ce:73:e7:2f:c2:ae:c3:04:eb:72:43:77: + 87:46:d2:63:e2:3a:08:85:9f:58:1f:fc:f3:82:4f: + 5e:4e:5a:92:0f:ac:a1:16:a0:7e:92:a3:8e:aa:93: + fd:4c:e0:ed:f0:96:09:43:b8:e6:ec:72:1b:aa:aa: + 76:3f:79:00:89:26:c4:2f:ff:99:01:95:f2:8e:39: + a0:4f:13:63:bf:6b:6c:40:0f:7c:ed:ee:a8:2b:90: + 11:94:d8:a9:15:c1:91:40:89:13:eb:49:ec:0d:fe: + 4f:cd:41:8f:a6:e0:ab:15:db:45:86:28:23:79:98: + 42:bb:52:a8:96:c3:aa:91:df:5a:67:24:09:4b:2e: + ce:9a:ba:fc:97:4e:89:5e:c3:18:08:4e:31:e4:1c: + b6:65:c2:7e:93:ef:52:e7:92:ee:25:88:07:4a:d5: + 
3d:86:44:31:07:e5:1a:f5:63:dc:c3:11:b5:4d:10: + a0:9c:6a:99:7a:d9:b4:22:07:97:e2:f4:0e:5a:10: + bc:90:09:c1:0f:5a:65:e8:f3:9c:e0:e2:04:29:24: + ee:a7:ee:aa:fa:02:7f:80:ac:9d:ca:9f:0f:8d:f5: + c5:b3 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE - Netscape Cert Type: - SSL Server - Netscape Comment: - Easy-RSA Generated Server Certificate X509v3 Subject Key Identifier: - 14:02:FD:FD:DD:13:38:E0:71:EA:D1:BE:C0:0E:89:1A:2D:B6:19:06 + 82:DD:B4:72:E4:DB:12:4E:9A:3B:45:75:F0:1B:4E:7F:43:2C:10:BF X509v3 Authority Key Identifier: - keyid:66:EE:C3:17:3D:3D:AB:44:01:6B:6F:B2:99:19:BD:AA:02:B5:34:FB - DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain - serial:FD:AB:EC:6A:84:27:04:A7 + keyid:85:57:D0:FF:A9:B4:1E:1F:80:33:FB:B8:34:ED:7D:06:39:CD:34:98 X509v3 Extended Key Usage: TLS Web Server Authentication - X509v3 Key Usage: - Digital Signature, Key Encipherment - Signature Algorithm: sha1WithRSAEncryption - 40:0f:10:39:c4:b7:0f:0d:2f:bf:d2:16:cc:8e:d3:9a:fb:8b: - ce:4b:7b:0d:48:77:ce:f1:fe:d5:8f:ea:b1:71:ed:49:1d:9f: - 23:3a:16:d4:70:7c:c5:29:bf:e4:90:34:d0:f0:00:24:f4:e4: - df:2c:c3:83:01:66:61:c9:a8:ab:29:e7:98:6d:27:89:4a:76: - c9:2e:19:8e:fe:6e:d5:f8:99:11:0e:97:67:4b:34:e3:1e:e3: - 9f:35:00:a5:32:f9:b5:2c:f2:e0:c5:2e:cc:81:bd:18:dd:5c: - 12:c8:6b:fa:0c:17:74:30:55:f6:6e:20:9a:6c:1e:09:b4:0c: - 15:42 + X509v3 Subject Alternative Name: + DNS:*, DNS:localhost, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1 + Signature Algorithm: sha256WithRSAEncryption + 1e:a5:f6:ed:f9:8b:a4:c8:1d:11:e3:03:3b:ec:6a:a2:59:44: + 35:d1:28:0a:0e:b5:84:3c:17:3b:38:6f:e5:8c:03:4c:70:13: + b8:cf:40:3c:4a:5d:bf:96:a6:ca:26:9d:ce:00:13:10:a9:eb: + 91:b4:50:98:a2:68:6f:6b:95:54:46:39:97:74:d6:fd:bb:54: + f4:27:91:b7:4e:9f:bc:85:5f:51:69:59:87:86:7e:1d:06:10: + 74:f5:c3:e3:81:09:e6:77:f5:b7:ed:ae:1c:b0:56:2e:8d:31: + 60:ff:ef:f5:ab:03:fb:da:9a:69:d8:8a:ca:e7:00:99:d5:9f: + 
39:f7:d5:19:4c:57:a1:90:23:c8:21:a3:9b:ab:05:d4:b7:a8: + 7c:12:a9:6e:d5:c3:ae:e0:c0:2c:08:95:da:16:c4:35:e0:89: + 3b:01:f1:f7:b2:d8:15:b6:05:7f:ec:09:fd:0a:5f:a9:48:16: + 11:c1:30:0a:fd:98:71:69:03:91:19:5f:02:14:d7:42:75:fb: + b7:01:af:c2:09:08:4c:7b:c9:d2:bc:0f:2d:de:57:84:9d:8e: + a8:f0:22:7e:eb:05:6e:f3:5b:cd:2f:1f:67:b4:3a:2f:b4:b1: + a6:bd:78:0f:c4:65:c5:01:7a:06:b2:63:3e:a0:de:a7:ef:84: + cc:17:4b:22 -----BEGIN CERTIFICATE----- -MIIEKjCCA5OgAwIBAgIBBDANBgkqhkiG9w0BAQUFADCBojELMAkGA1UEBhMCVVMx -CzAJBgNVBAgTAkNBMRUwEwYDVQQHEwxTYW5GcmFuY2lzY28xFTATBgNVBAoTDEZv -cnQtRnVuc3RvbjERMA8GA1UECxMIY2hhbmdlbWUxETAPBgNVBAMTCGNoYW5nZW1l -MREwDwYDVQQpEwhjaGFuZ2VtZTEfMB0GCSqGSIb3DQEJARYQbWFpbEBob3N0LmRv -bWFpbjAeFw0xMzEyMDQxNTAxMjBaFw0yMzEyMDIxNTAxMjBaMIGbMQswCQYDVQQG -EwJVUzELMAkGA1UECBMCQ0ExFTATBgNVBAcTDFNhbkZyYW5jaXNjbzEVMBMGA1UE -ChMMRm9ydC1GdW5zdG9uMREwDwYDVQQLEwhjaGFuZ2VtZTEKMAgGA1UEAxQBKjER -MA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1haWxAaG9zdC5kb21h -aW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMH/fTBvZEqxkrFx0cF04h3b -LREk4QDUAK5vyJ6uZ7NKvffmnldtGUw8I5QtPdZjhNj6dis4EsHtIJ0y4OjCv5p3 -cAQ/f8qMLILWPSVcAhpPZJMD3ZxCl14JSa/wwuEwCA4hRpXRE1nAyHa+lA2LQ2ch -M7IIYJ12qAUyHvmVCRR1AgMBAAGjggFzMIIBbzAJBgNVHRMEAjAAMBEGCWCGSAGG -+EIBAQQEAwIGQDA0BglghkgBhvhCAQ0EJxYlRWFzeS1SU0EgR2VuZXJhdGVkIFNl -cnZlciBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUFAL9/d0TOOBx6tG+wA6JGi22GQYw -gdcGA1UdIwSBzzCBzIAUZu7DFz09q0QBa2+ymRm9qgK1NPuhgaikgaUwgaIxCzAJ -BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEVMBMGA1UEBxMMU2FuRnJhbmNpc2NvMRUw -EwYDVQQKEwxGb3J0LUZ1bnN0b24xETAPBgNVBAsTCGNoYW5nZW1lMREwDwYDVQQD -EwhjaGFuZ2VtZTERMA8GA1UEKRMIY2hhbmdlbWUxHzAdBgkqhkiG9w0BCQEWEG1h -aWxAaG9zdC5kb21haW6CCQD9q+xqhCcEpzATBgNVHSUEDDAKBggrBgEFBQcDATAL -BgNVHQ8EBAMCBaAwDQYJKoZIhvcNAQEFBQADgYEAQA8QOcS3Dw0vv9IWzI7TmvuL -zkt7DUh3zvH+1Y/qsXHtSR2fIzoW1HB8xSm/5JA00PAAJPTk3yzDgwFmYcmoqynn -mG0niUp2yS4Zjv5u1fiZEQ6XZ0s04x7jnzUApTL5tSzy4MUuzIG9GN1cEshr+gwX -dDBV9m4gmmweCbQMFUI= +MIIEPzCCAyegAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx 
+CzAJBgNVBAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1v +YnktcHJvamVjdDELMAkGA1UECwwCY2kxEDAOBgNVBAMMB21vYnktY2kxDTALBgNV +BCkMBG1vYnkxHzAdBgkqhkiG9w0BCQEWEG1vYnlAZXhhbXBsZS5vcmcwHhcNMjEw +NTE3MTk0OTM0WhcNMzEwNTE3MTk0OTM0WjCBljELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMRUwEwYDVQQHDAxTYW5GcmFuY2lzY28xFTATBgNVBAoMDE1vYnktcHJv +amVjdDELMAkGA1UECwwCY2kxDzANBgNVBAMMBnNlcnZlcjENMAsGA1UEKQwEbW9i +eTEfMB0GCSqGSIb3DQEJARYQbW9ieUBleGFtcGxlLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAPIjsqMiA6ILzXHeGSkUkn/onTB/4w4T2t75m1pl +7CLFznPnL8KuwwTrckN3h0bSY+I6CIWfWB/884JPXk5akg+soRagfpKjjqqT/Uzg +7fCWCUO45uxyG6qqdj95AIkmxC//mQGV8o45oE8TY79rbEAPfO3uqCuQEZTYqRXB +kUCJE+tJ7A3+T81Bj6bgqxXbRYYoI3mYQrtSqJbDqpHfWmckCUsuzpq6/JdOiV7D +GAhOMeQctmXCfpPvUueS7iWIB0rVPYZEMQflGvVj3MMRtU0QoJxqmXrZtCIHl+L0 +DloQvJAJwQ9aZejznODiBCkk7qfuqvoCf4CsncqfD431xbMCAwEAAaOBlDCBkTAJ +BgNVHRMEAjAAMB0GA1UdDgQWBBSC3bRy5NsSTpo7RXXwG05/QywQvzAfBgNVHSME +GDAWgBSFV9D/qbQeH4Az+7g07X0GOc00mDATBgNVHSUEDDAKBggrBgEFBQcDATAv +BgNVHREEKDAmggEqgglsb2NhbGhvc3SHBH8AAAGHEAAAAAAAAAAAAAAAAAAAAAEw +DQYJKoZIhvcNAQELBQADggEBAB6l9u35i6TIHRHjAzvsaqJZRDXRKAoOtYQ8Fzs4 +b+WMA0xwE7jPQDxKXb+Wpsomnc4AExCp65G0UJiiaG9rlVRGOZd01v27VPQnkbdO +n7yFX1FpWYeGfh0GEHT1w+OBCeZ39bftrhywVi6NMWD/7/WrA/vammnYisrnAJnV +nzn31RlMV6GQI8gho5urBdS3qHwSqW7Vw67gwCwIldoWxDXgiTsB8fey2BW2BX/s +Cf0KX6lIFhHBMAr9mHFpA5EZXwIU10J1+7cBr8IJCEx7ydK8Dy3eV4SdjqjwIn7r +BW7zW80vH2e0Oi+0saa9eA/EZcUBegayYz6g3qfvhMwXSyI= -----END CERTIFICATE----- diff -Nru docker.io-20.10.7/engine/integration-cli/fixtures/https/server-key.pem docker.io-20.10.11/engine/integration-cli/fixtures/https/server-key.pem --- docker.io-20.10.7/engine/integration-cli/fixtures/https/server-key.pem 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/integration-cli/fixtures/https/server-key.pem 2021-11-18 00:21:59.000000000 +0000 
@@ -1,16 +1,27 @@ ------BEGIN PRIVATE KEY----- -MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMH/fTBvZEqxkrFx -0cF04h3bLREk4QDUAK5vyJ6uZ7NKvffmnldtGUw8I5QtPdZjhNj6dis4EsHtIJ0y -4OjCv5p3cAQ/f8qMLILWPSVcAhpPZJMD3ZxCl14JSa/wwuEwCA4hRpXRE1nAyHa+ -lA2LQ2chM7IIYJ12qAUyHvmVCRR1AgMBAAECgYAmwckb9RUfSwyYgLm8IYLPHiuJ -wkllZfVg5Bo7gXJcQnFjZmJ56uTj8xvUjZlODIHM63TSO5ibv6kFXtXKCqZGd2M+ -wGbhZ0f+2GvKcwMmJERnIQjuoNaYSQLT0tM0VB9Iz0rJlZC+tzPZ+5pPqEumRdsS -IzWNXfF42AhcbwAQYQJBAPVXtMYIJc9EZsz86ZcQiMPWUpCX5vnRmtwL8kKyR8D5 -4KfYeiowyFffSRMMcclwNHq7TgSXN+nIXM9WyzyzwikCQQDKbNA28AgZp9aT54HP -WnbeE2pmt+uk/zl/BtxJSoK6H+69Jec+lf7EgL7HgOWYRSNot4uQWu8IhsHLTiUq -+0FtAkEAqwlRxRy4/x24bP+D+QRV0/D97j93joFJbE4Hved7jlSlAV4xDGilwlyv -HNB4Iu5OJ6Gcaibhm+FKkmD3noHSwQJBAIpu3fokLzX0bS+bDFBU6qO3HXX/47xj -+tsfQvkwZrSI8AkU6c8IX0HdVhsz0FBRQAT2ORDQz1XCarfxykNZrwUCQQCGCBIc -BBCWzhHlswlGidWJg3HqqO6hPPClEr3B5G87oCsdeYwiO23XT6rUnoJXfJHp6oCW -5nCwDu5ZTP+khltg ------END PRIVATE KEY----- +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA8iOyoyIDogvNcd4ZKRSSf+idMH/jDhPa3vmbWmXsIsXOc+cv +wq7DBOtyQ3eHRtJj4joIhZ9YH/zzgk9eTlqSD6yhFqB+kqOOqpP9TODt8JYJQ7jm +7HIbqqp2P3kAiSbEL/+ZAZXyjjmgTxNjv2tsQA987e6oK5ARlNipFcGRQIkT60ns +Df5PzUGPpuCrFdtFhigjeZhCu1KolsOqkd9aZyQJSy7Omrr8l06JXsMYCE4x5By2 +ZcJ+k+9S55LuJYgHStU9hkQxB+Ua9WPcwxG1TRCgnGqZetm0IgeX4vQOWhC8kAnB +D1pl6POc4OIEKSTup+6q+gJ/gKydyp8PjfXFswIDAQABAoIBAEKIvJVGy2jDhXg8 +Zv16waaT7F1fRqyfmAyc2atFRlVntQr0A5OjIcNATu1q8qjrNrb660yMNFLV1rN/ +y5IMIQZdkQX+o8j3WERW1ctCIx9wmqsZK5rc3+1NWaCnRxZoqI/n08szwKqD+yC/ +WzFF+0C/AL0ATwVpWOtlfVCVF6x7dTkTqtc+65C/nw86ymp6cDq7Fh39d0deD8HB +h4zxGnvTr4jFGkFWg6Vq4XdzKdVeVz/Njw19wJjdi/6Q3aC90APlJ6nuX3OWv6VV +/Xs9rXqIUS4bhYyRrzCQ5Y/vINZCx3ekKynfghul4NDE4zo1GQm3E+7tVYZ6ll+9 ++uHeUwECgYEA81NxVe5ViOWa4NFXucAgiNGl7KkN9/gDh77weXzGPhZDBULTv4OC +yKokQOnn41qF5eq+YRKr+B733fGEhwJRoEyoyXSDpgTxdJHKmohdxGfsRoOEMO4Z +ALm9+XmJYTq11l01M5Jqn36Smz5+iXAD7QVQdZMnA++IaBs2/uTuEQMCgYEA/sBv +GweGKfdM11ZckNG8ocrAhkttq+5V9uFcGcpBmw08vu/Woy+L1dFvyUa7Hc/l6fe1 
+PLdTvNaSK6mP/gfeevwNlS1NUVLtdnOq9cl/1/xfqi8Cj46VUTqRaEQMKHCeXyuA +A3N1k06hMuW/bYstspyWvGyjsWth5QT7MNjkYZECgYEAoWcoNqfxdO1Y3uf+GOio +rBjkxyccbO/G57RwLyXlGioKKuM5MkA58IFrquN9PgI971TXE+0exWdFY6NhFW0k +WACBtZ/j86wzve83RWpPSIjm4Z87gHlvfFu4+FL2Hdij5Z3OPHdS4plDBldd+Cyl +bgOoa1VA/AtXoDbtNAcHI6ECgYB7b6ymMSgd73jpIixp82ZuErrkl2nFlA9NN3cT ++/977JcRgU7D9UbRTNDYexAxasnhaygDCmVlq6ZZx6hAk3mGp9jA/plnHUJ4UaV1 +wLPUaLHF2U9pVdId8L4CAm7NrXvfa0l04p4GyWOsMMxnfLegwuT62b0bO4fMm3RG +/+DxMQKBgQDTz8wKQFRWuDYshcRKJ8GB7Czgb4aFU0iTPFC4ql1HXkiGePDXyWjC ++6JQ3dTadn8HA540nCOWWvpgWeSCec9Q5YslpIdupMKpCx/zUfZZ2Y2/y+yJdQCr +gGDf7LxhxBHQFyCLM9KuTdCzhQPsHVFHFrfr1UdDEe/e9QaJAyUw7Q== +-----END RSA PRIVATE KEY----- diff -Nru docker.io-20.10.7/engine/Jenkinsfile docker.io-20.10.11/engine/Jenkinsfile --- docker.io-20.10.7/engine/Jenkinsfile 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/Jenkinsfile 2021-11-18 00:21:59.000000000 +0000 @@ -14,8 +14,8 @@ booleanParam(name: 'rootless', defaultValue: true, description: 'amd64 (x86_64) Build/Test (Rootless mode)') booleanParam(name: 'cgroup2', defaultValue: true, description: 'amd64 (x86_64) Build/Test (cgroup v2)') booleanParam(name: 'arm64', defaultValue: true, description: 'ARM (arm64) Build/Test') - booleanParam(name: 's390x', defaultValue: true, description: 'IBM Z (s390x) Build/Test') - booleanParam(name: 'ppc64le', defaultValue: true, description: 'PowerPC (ppc64le) Build/Test') + booleanParam(name: 's390x', defaultValue: false, description: 'IBM Z (s390x) Build/Test') + booleanParam(name: 'ppc64le', defaultValue: false, description: 'PowerPC (ppc64le) Build/Test') booleanParam(name: 'windowsRS1', defaultValue: false, description: 'Windows 2016 (RS1) Build/Test') booleanParam(name: 'windowsRS5', defaultValue: true, description: 'Windows 2019 (RS5) Build/Test') booleanParam(name: 'dco', defaultValue: true, description: 'Run the DCO check') 
@@ -547,9 +547,13 @@ stage('s390x') { when { beforeAgent true - expression { params.s390x } + // Skip this stage on PRs unless the checkbox is selected + anyOf { + not { changeRequest() } + expression { params.s390x } + } } - agent { label 's390x-ubuntu-1804' } + agent { label 's390x-ubuntu-2004' } stages { stage("Print info") { @@ -655,7 +659,7 @@ not { changeRequest() } expression { params.s390x } } - agent { label 's390x-ubuntu-1804' } + agent { label 's390x-ubuntu-2004' } stages { stage("Print info") { @@ -735,7 +739,11 @@ stage('ppc64le') { when { beforeAgent true - expression { params.ppc64le } + // Skip this stage on PRs unless the checkbox is selected + anyOf { + not { changeRequest() } + expression { params.ppc64le } + } } agent { label 'ppc64le-ubuntu-1604' } // ppc64le machines run on Docker 18.06, and buildkit has some diff -Nru docker.io-20.10.7/engine/patches/0001-archive-tar-do-not-populate-user-group-names.patch docker.io-20.10.11/engine/patches/0001-archive-tar-do-not-populate-user-group-names.patch --- docker.io-20.10.7/engine/patches/0001-archive-tar-do-not-populate-user-group-names.patch 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/patches/0001-archive-tar-do-not-populate-user-group-names.patch 2021-11-18 00:21:59.000000000 +0000 @@ -23,7 +23,7 @@ @@ -8,10 +8,7 @@ package tar import ( - "os" + "io/fs" - "os/user" "runtime" - "strconv" @@ -39,7 +39,7 @@ -// The downside is that renaming uname or gname by the OS never takes effect. -var userMap, groupMap sync.Map // map[int]string - - func statUnix(fi os.FileInfo, h *Header) error { + func statUnix(fi fs.FileInfo, h *Header) error { sys, ok := fi.Sys().(*syscall.Stat_t) if !ok { 
@@ -31,22 +24,9 @@ func statUnix(fi os.FileInfo, h *Header) error { diff -Nru docker.io-20.10.7/engine/pkg/chrootarchive/archive.go docker.io-20.10.11/engine/pkg/chrootarchive/archive.go --- docker.io-20.10.7/engine/pkg/chrootarchive/archive.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/pkg/chrootarchive/archive.go 2021-11-18 00:21:59.000000000 +0000 @@ -74,13 +74,17 @@ options.ExcludePatterns = []string{} } - idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps) - rootIDs := idMapping.RootPair() + // If dest is inside a root then directory is created within chroot by extractor. + // This case is only currently used by cp. + if dest == root { + idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps) + rootIDs := idMapping.RootPair() - dest = filepath.Clean(dest) - if _, err := os.Stat(dest); os.IsNotExist(err) { - if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil { - return err + dest = filepath.Clean(dest) + if _, err := os.Stat(dest); os.IsNotExist(err) { + if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil { + return err + } } } diff -Nru docker.io-20.10.7/engine/pkg/fileutils/fileutils_test.go docker.io-20.10.11/engine/pkg/fileutils/fileutils_test.go --- docker.io-20.10.7/engine/pkg/fileutils/fileutils_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/pkg/fileutils/fileutils_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -377,8 +377,6 @@ if runtime.GOOS != "windows" { tests = append(tests, []matchesTestCase{ {"a\\*b", "a*b", true}, - {"a\\", "a", false}, - {"a\\", "a\\", false}, }...) } diff -Nru docker.io-20.10.7/engine/pkg/sysinfo/cgroup2_linux.go docker.io-20.10.11/engine/pkg/sysinfo/cgroup2_linux.go --- docker.io-20.10.7/engine/pkg/sysinfo/cgroup2_linux.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/pkg/sysinfo/cgroup2_linux.go 2021-11-18 00:21:59.000000000 +0000 
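Review bot: In the `chrootarchive/archive.go` hunk, `dest = filepath.Clean(dest)` now runs only inside the `if dest == root` branch, and the `dest == root` test compares the two strings before either is normalised. A trailing slash on one side would therefore send an equal path down the extractor route, and on that route `dest` reaches the code after the hunk uncleaned, where it used to be cleaned on every path. Moving `dest = filepath.Clean(dest)` above the `if` would keep the old guarantee, provided `root` arrives cleaned, which the hunk does not show. The new comment describes the case the branch skips; `// dest == root: create it on the host here; otherwise the extractor creates it inside the chroot (currently only cp).` says what the branch actually handles. The enclosing function starts and ends outside the hunk.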
@@ -2,11 +2,13 @@ import ( "io/ioutil" + "os" "path" "strings" cgroupsV2 "github.com/containerd/cgroups/v2" "github.com/containerd/containerd/sys" + "github.com/opencontainers/runc/libcontainer/cgroups" "github.com/sirupsen/logrus" ) @@ -66,6 +68,24 @@ return sysInfo } +func getSwapLimitV2() bool { + groups, err := cgroups.ParseCgroupFile("/proc/self/cgroup") + if err != nil { + return false + } + + g := groups[""] + if g == "" { + return false + } + + cGroupPath := path.Join("/sys/fs/cgroup", g, "memory.swap.max") + if _, err = os.Stat(cGroupPath); os.IsNotExist(err) { + return false + } + return true +} + func applyMemoryCgroupInfoV2(info *SysInfo, controllers map[string]struct{}, _ string) []string { var warnings []string if _, ok := controllers["memory"]; !ok { @@ -74,7 +94,7 @@ } info.MemoryLimit = true - info.SwapLimit = true + info.SwapLimit = getSwapLimitV2() info.MemoryReservation = true info.OomKillDisable = false info.MemorySwappiness = false diff -Nru docker.io-20.10.7/engine/profiles/seccomp/default.json docker.io-20.10.11/engine/profiles/seccomp/default.json --- docker.io-20.10.7/engine/profiles/seccomp/default.json 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/profiles/seccomp/default.json 2021-11-18 00:21:59.000000000 +0000 @@ -591,6 +591,7 @@ "names": [ "bpf", "clone", + "clone3", "fanotify_init", "fsconfig", "fsmount", @@ -667,6 +668,21 @@ "excludes": { "caps": [ "CAP_SYS_ADMIN" + ] + } + }, + { + "names": [ + "clone3" + ], + "action": "SCMP_ACT_ERRNO", + "errnoRet": 38, + "args": [], + "comment": "", + "includes": {}, + "excludes": { + "caps": [ + "CAP_SYS_ADMIN" ] } }, diff -Nru docker.io-20.10.7/engine/profiles/seccomp/default_linux.go docker.io-20.10.11/engine/profiles/seccomp/default_linux.go --- docker.io-20.10.7/engine/profiles/seccomp/default_linux.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/profiles/seccomp/default_linux.go 2021-11-18 00:21:59.000000000 +0000 
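Review bot: `getSwapLimitV2` returns `true` for every `os.Stat` failure other than not-exist, for example a permission or I/O error on `memory.swap.max`, so `info.SwapLimit` can report support that was never confirmed. Ending the function with `_, err = os.Stat(cGroupPath)` and `return err == nil` puts the unknown case on the conservative side. The function also has no doc comment; `// getSwapLimitV2 reports whether memory.swap.max exists in this process's own cgroup v2 group, as listed in /proc/self/cgroup.` would do. A short why-comment on `groups[""]` would help too, since the unified hierarchy's entry has an empty controller name.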
@@ -42,6 +42,7 @@ // DefaultProfile defines the allowed syscalls for the default seccomp profile. func DefaultProfile() *Seccomp { + nosys := uint(unix.ENOSYS) syscalls := []*Syscall{ { Names: []string{ @@ -522,6 +523,7 @@ Names: []string{ "bpf", "clone", + "clone3", "fanotify_init", "fsconfig", "fsmount", @@ -586,6 +588,17 @@ Excludes: Filter{ Caps: []string{"CAP_SYS_ADMIN"}, }, + }, + { + Names: []string{ + "clone3", + }, + Action: specs.ActErrno, + ErrnoRet: &nosys, + Args: []*specs.LinuxSeccompArg{}, + Excludes: Filter{ + Caps: []string{"CAP_SYS_ADMIN"}, + }, }, { Names: []string{ diff -Nru docker.io-20.10.7/engine/profiles/seccomp/seccomp.go docker.io-20.10.11/engine/profiles/seccomp/seccomp.go --- docker.io-20.10.7/engine/profiles/seccomp/seccomp.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/profiles/seccomp/seccomp.go 2021-11-18 00:21:59.000000000 +0000 @@ -45,6 +45,7 @@ Name string `json:"name,omitempty"` Names []string `json:"names,omitempty"` Action specs.LinuxSeccompAction `json:"action"` + ErrnoRet *uint `json:"errnoRet,omitempty"` Args []*specs.LinuxSeccompArg `json:"args"` Comment string `json:"comment"` Includes Filter `json:"includes"` diff -Nru docker.io-20.10.7/engine/profiles/seccomp/seccomp_linux.go docker.io-20.10.11/engine/profiles/seccomp/seccomp_linux.go --- docker.io-20.10.7/engine/profiles/seccomp/seccomp_linux.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/profiles/seccomp/seccomp_linux.go 2021-11-18 00:21:59.000000000 +0000 
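Review bot: The new `clone3` rule in `default_linux.go` returns `ENOSYS` where the neighbouring deny rules rely on the profile default, and nothing in the hunk records why, so it reads like a mistake. If the intent is what I take it to be, a comment on the rule such as `// clone3 takes its flags in a struct seccomp cannot inspect; return ENOSYS without CAP_SYS_ADMIN so libc falls back to clone, which the profile can filter` would document it. Setting the rule's `Comment:` field to the same text would also replace the empty `"comment": ""` that sits next to the bare `"errnoRet": 38` in `default.json`. Declaring `nosys` beside the rule, rather than at the top of `DefaultProfile`, would keep the value and its only use together. `DefaultProfile`'s body continues outside these hunks.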
@@ -150,29 +150,25 @@ } } + newCall := specs.LinuxSyscall{ + Action: call.Action, + ErrnoRet: call.ErrnoRet, + } if call.Name != "" && len(call.Names) != 0 { return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'") } - if call.Name != "" { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args)) + newCall.Names = []string{call.Name} } else { - newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args)) + newCall.Names = call.Names + } + // Loop through all the arguments of the syscall and convert them + for _, arg := range call.Args { + newCall.Args = append(newCall.Args, *arg) } - } - - return newConfig, nil -} -func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall { - newCall := specs.LinuxSyscall{ - Names: names, - Action: action, + newConfig.Syscalls = append(newConfig.Syscalls, newCall) } - // Loop through all the arguments of the syscall and convert them - for _, arg := range args { - newCall.Args = append(newCall.Args, *arg) - } - return newCall + return newConfig, nil } diff -Nru docker.io-20.10.7/engine/quota/projectquota.go docker.io-20.10.11/engine/quota/projectquota.go --- docker.io-20.10.7/engine/quota/projectquota.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/quota/projectquota.go 2021-11-18 00:21:59.000000000 +0000 
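Review bot: The inlined loop `newCall.Args = append(newCall.Args, *arg)` dereferences each entry of `call.Args` without a nil check, so a profile whose `args` array contains `null` would panic here instead of being rejected like the `name`/`names` conflict a few lines up. A guard inside the loop keeps malformed profiles on the error path: `if arg == nil { return nil, errors.New("seccomp profile contains a null syscall argument") }`. `ErrnoRet: call.ErrnoRet` also stores the input profile's pointer rather than a copy of the value, which is safe only while neither side mutates it. The enclosing function starts outside the hunk.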
@@ -396,9 +396,9 @@ return uintptr(C.dirfd(dir)) } -// Get the backing block device of the driver home directory -// and create a block device node under the home directory -// to be used by quotactl commands +// makeBackingFsDev gets the backing block device of the driver home directory +// and creates a block device node under the home directory to be used by +// quotactl commands. func makeBackingFsDev(home string) (string, error) { var stat unix.Stat_t if err := unix.Stat(home, &stat); err != nil { diff -Nru docker.io-20.10.7/engine/quota/testhelpers.go docker.io-20.10.11/engine/quota/testhelpers.go --- docker.io-20.10.7/engine/quota/testhelpers.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/quota/testhelpers.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,4 +1,4 @@ -// +build linux +// +build linux,!exclude_disk_quota,cgo package quota // import "github.com/docker/docker/quota" diff -Nru docker.io-20.10.7/engine/testutil/daemon/daemon.go docker.io-20.10.11/engine/testutil/daemon/daemon.go --- docker.io-20.10.7/engine/testutil/daemon/daemon.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/testutil/daemon/daemon.go 2021-11-18 00:21:59.000000000 +0000 @@ -281,6 +281,7 @@ t.Helper() cleanupMount(t, d) cleanupRaftDir(t, d) + cleanupDaemonStorage(t, d) cleanupNetworkNamespace(t, d) } 
@@ -820,5 +821,38 @@ if err := os.RemoveAll(dir); err != nil { t.Logf("[%s] error removing %v: %v", d.id, dir, err) } + } +} + +// cleanupDaemonStorage removes the daemon's storage directory. +// +// Note that we don't delete the whole directory, as some files (e.g. daemon +// logs) are collected for inclusion in the "bundles" that are stored as Jenkins +// artifacts. +// +// We currently do not include container logs in the bundles, so this also +// removes the "containers" sub-directory. +func cleanupDaemonStorage(t testing.TB, d *Daemon) { + t.Helper() + dirs := []string{ + "builder", + "buildkit", + "containers", + "image", + "network", + "plugins", + "tmp", + "trust", + "volumes", + // note: this assumes storage-driver name matches the subdirectory, + // which is currently true, but not guaranteed. + d.storageDriver, + } + + for _, p := range dirs { + dir := filepath.Join(d.Root, p) + if err := os.RemoveAll(dir); err != nil { + t.Logf("[%s] error removing %v: %v", d.id, dir, err) + } } } diff -Nru docker.io-20.10.7/engine/testutil/fixtures/plugin/plugin.go docker.io-20.10.11/engine/testutil/fixtures/plugin/plugin.go --- docker.io-20.10.7/engine/testutil/fixtures/plugin/plugin.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/testutil/fixtures/plugin/plugin.go 2021-11-18 00:21:59.000000000 +0000 
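Review bot: In `cleanupDaemonStorage`, `d.storageDriver` goes into `dirs` unchecked, and `filepath.Join(d.Root, "")` is `d.Root` itself. An empty driver name would therefore make `os.RemoveAll` delete the whole root, including the daemon logs the doc comment says are kept for the bundles. Skipping empty entries at the top of the loop closes that case: `if p == "" { continue }`. Whether `storageDriver` can be empty at cleanup time is not visible in this hunk.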
@@ -222,7 +222,7 @@ installPath := filepath.Join(os.Getenv("GOPATH"), "bin", name) sourcePath := filepath.Join("github.com", "docker", "docker", "testutil", "fixtures", "plugin", "basic") cmd := exec.Command(goBin, "build", "-o", installPath, sourcePath) - cmd.Env = append(os.Environ(), "CGO_ENABLED=0") + cmd.Env = append(os.Environ(), "CGO_ENABLED=0", "GO111MODULE=off") if out, err := cmd.CombinedOutput(); err != nil { return "", errors.Wrapf(err, "error building basic plugin bin: %s", string(out)) } diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/common.go docker.io-20.10.11/engine/vendor/archive/tar/common.go --- docker.io-20.10.7/engine/vendor/archive/tar/common.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/common.go 2021-11-18 00:21:59.000000000 +0000 @@ -13,8 +13,8 @@ import ( "errors" "fmt" + "io/fs" "math" - "os" "path" "reflect" "strconv" @@ -525,12 +525,12 @@ return format, paxHdrs, err } -// FileInfo returns an os.FileInfo for the Header. -func (h *Header) FileInfo() os.FileInfo { +// FileInfo returns an fs.FileInfo for the Header. +func (h *Header) FileInfo() fs.FileInfo { return headerFileInfo{h} } -// headerFileInfo implements os.FileInfo. +// headerFileInfo implements fs.FileInfo. type headerFileInfo struct { h *Header } 
@@ -549,57 +549,57 @@ } // Mode returns the permission and mode bits for the headerFileInfo. -func (fi headerFileInfo) Mode() (mode os.FileMode) { +func (fi headerFileInfo) Mode() (mode fs.FileMode) { // Set file permission bits. - mode = os.FileMode(fi.h.Mode).Perm() + mode = fs.FileMode(fi.h.Mode).Perm() // Set setuid, setgid and sticky bits. if fi.h.Mode&c_ISUID != 0 { - mode |= os.ModeSetuid + mode |= fs.ModeSetuid } if fi.h.Mode&c_ISGID != 0 { - mode |= os.ModeSetgid + mode |= fs.ModeSetgid } if fi.h.Mode&c_ISVTX != 0 { - mode |= os.ModeSticky + mode |= fs.ModeSticky } // Set file mode bits; clear perm, setuid, setgid, and sticky bits. - switch m := os.FileMode(fi.h.Mode) &^ 07777; m { + switch m := fs.FileMode(fi.h.Mode) &^ 07777; m { case c_ISDIR: - mode |= os.ModeDir + mode |= fs.ModeDir case c_ISFIFO: - mode |= os.ModeNamedPipe + mode |= fs.ModeNamedPipe case c_ISLNK: - mode |= os.ModeSymlink + mode |= fs.ModeSymlink case c_ISBLK: - mode |= os.ModeDevice + mode |= fs.ModeDevice case c_ISCHR: - mode |= os.ModeDevice - mode |= os.ModeCharDevice + mode |= fs.ModeDevice + mode |= fs.ModeCharDevice case c_ISSOCK: - mode |= os.ModeSocket + mode |= fs.ModeSocket } switch fi.h.Typeflag { case TypeSymlink: - mode |= os.ModeSymlink + mode |= fs.ModeSymlink case TypeChar: - mode |= os.ModeDevice - mode |= os.ModeCharDevice + mode |= fs.ModeDevice + mode |= fs.ModeCharDevice case TypeBlock: - mode |= os.ModeDevice + mode |= fs.ModeDevice case TypeDir: - mode |= os.ModeDir + mode |= fs.ModeDir case TypeFifo: - mode |= os.ModeNamedPipe + mode |= fs.ModeNamedPipe } return mode } // sysStat, if non-nil, populates h from system-dependent fields of fi. -var sysStat func(fi os.FileInfo, h *Header) error +var sysStat func(fi fs.FileInfo, h *Header) error const ( // Mode constants from the USTAR spec: 
@@ -623,10 +623,10 @@ // If fi describes a symlink, FileInfoHeader records link as the link target. // If fi describes a directory, a slash is appended to the name. // -// Since os.FileInfo's Name method only returns the base name of +// Since fs.FileInfo's Name method only returns the base name of // the file it describes, it may be necessary to modify Header.Name // to provide the full path name of the file. -func FileInfoHeader(fi os.FileInfo, link string) (*Header, error) { +func FileInfoHeader(fi fs.FileInfo, link string) (*Header, error) { if fi == nil { return nil, errors.New("archive/tar: FileInfo is nil") } @@ -643,29 +643,29 @@ case fi.IsDir(): h.Typeflag = TypeDir h.Name += "/" - case fm&os.ModeSymlink != 0: + case fm&fs.ModeSymlink != 0: h.Typeflag = TypeSymlink h.Linkname = link - case fm&os.ModeDevice != 0: - if fm&os.ModeCharDevice != 0 { + case fm&fs.ModeDevice != 0: + if fm&fs.ModeCharDevice != 0 { h.Typeflag = TypeChar } else { h.Typeflag = TypeBlock } - case fm&os.ModeNamedPipe != 0: + case fm&fs.ModeNamedPipe != 0: h.Typeflag = TypeFifo - case fm&os.ModeSocket != 0: + case fm&fs.ModeSocket != 0: return nil, fmt.Errorf("archive/tar: sockets not supported") default: return nil, fmt.Errorf("archive/tar: unknown file mode %v", fm) } - if fm&os.ModeSetuid != 0 { + if fm&fs.ModeSetuid != 0 { h.Mode |= c_ISUID } - if fm&os.ModeSetgid != 0 { + if fm&fs.ModeSetgid != 0 { h.Mode |= c_ISGID } - if fm&os.ModeSticky != 0 { + if fm&fs.ModeSticky != 0 { h.Mode |= c_ISVTX } // If possible, populate additional fields from OS-specific diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/reader.go docker.io-20.10.11/engine/vendor/archive/tar/reader.go --- docker.io-20.10.7/engine/vendor/archive/tar/reader.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/reader.go 2021-11-18 00:21:59.000000000 +0000 @@ -7,7 +7,6 @@ import ( "bytes" "io" - "io/ioutil" "strconv" "strings" "time" 
@@ -104,7 +103,7 @@ continue // This is a meta header affecting the next header case TypeGNULongName, TypeGNULongLink: format.mayOnlyBe(FormatGNU) - realname, err := ioutil.ReadAll(tr) + realname, err := io.ReadAll(tr) if err != nil { return nil, err } @@ -294,7 +293,7 @@ // parsePAX parses PAX headers. // If an extended header (type 'x') is invalid, ErrHeader is returned func parsePAX(r io.Reader) (map[string]string, error) { - buf, err := ioutil.ReadAll(r) + buf, err := io.ReadAll(r) if err != nil { return nil, err } @@ -433,7 +432,7 @@ // files generated by a pre-Go1.8 toolchain. If the generated file // happened to have a prefix field that parses as valid // atime and ctime fields (e.g., when they are valid octal strings), - // then it is impossible to distinguish between an valid GNU file + // then it is impossible to distinguish between a valid GNU file // and an invalid pre-Go1.8 file. // // See https://golang.org/issues/12594 @@ -850,7 +849,7 @@ } } - copySkipped, err := io.CopyN(ioutil.Discard, r, n-seekSkipped) + copySkipped, err := io.CopyN(io.Discard, r, n-seekSkipped) if err == io.EOF && seekSkipped+copySkipped < n { err = io.ErrUnexpectedEOF } diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/reader_test.go docker.io-20.10.11/engine/vendor/archive/tar/reader_test.go --- docker.io-20.10.7/engine/vendor/archive/tar/reader_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/reader_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -10,7 +10,6 @@ "errors" "fmt" "io" - "io/ioutil" "math" "os" "path" @@ -773,7 +772,7 @@ "testdata/pax-path-hdr.tar", "testdata/sparse-formats.tar", } { - buf, err := ioutil.ReadFile(p) + buf, err := os.ReadFile(p) if err != nil { t.Fatalf("unexpected error: %v", err) } 
@@ -865,7 +864,7 @@ } cnt++ if s2 == "manual" { - if _, err = tr.writeTo(ioutil.Discard); err != nil { + if _, err = tr.writeTo(io.Discard); err != nil { break } } diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/stat_unix.go docker.io-20.10.11/engine/vendor/archive/tar/stat_unix.go --- docker.io-20.10.7/engine/vendor/archive/tar/stat_unix.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/stat_unix.go 2021-11-18 00:21:59.000000000 +0000 @@ -7,7 +7,7 @@ package tar import ( - "os" + "io/fs" "runtime" "syscall" ) @@ -16,7 +16,7 @@ sysStat = statUnix } -func statUnix(fi os.FileInfo, h *Header) error { +func statUnix(fi fs.FileInfo, h *Header) error { sys, ok := fi.Sys().(*syscall.Stat_t) if !ok { return nil @@ -46,7 +46,7 @@ minor := uint32((dev & 0x00000000000000ff) >> 0) minor |= uint32((dev & 0x00000ffffff00000) >> 12) h.Devmajor, h.Devminor = int64(major), int64(minor) - case "darwin": + case "darwin", "ios": // Copied from golang.org/x/sys/unix/dev_darwin.go. major := uint32((dev >> 24) & 0xff) minor := uint32(dev & 0xffffff) diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/strconv.go docker.io-20.10.11/engine/vendor/archive/tar/strconv.go --- docker.io-20.10.7/engine/vendor/archive/tar/strconv.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/strconv.go 2021-11-18 00:21:59.000000000 +0000 @@ -28,7 +28,7 @@ } // toASCII converts the input to an ASCII C-style string. -// This a best effort conversion, so invalid characters are dropped. +// This is a best effort conversion, so invalid characters are dropped. func toASCII(s string) string { if isASCII(s) { return s 
@@ -265,8 +265,27 @@ return "", "", s, ErrHeader } + afterSpace := int64(sp + 1) + beforeLastNewLine := n - 1 + // In some cases, "length" was perhaps padded/malformed, and + // trying to index past where the space supposedly is goes past + // the end of the actual record. + // For example: + // "0000000000000000000000000000000030 mtime=1432668921.098285006\n30 ctime=2147483649.15163319" + // ^ ^ + // | | + // | afterSpace=35 + // | + // beforeLastNewLine=29 + // yet indexOf(firstSpace) MUST BE before endOfRecord. + // + // See https://golang.org/issues/40196. + if afterSpace >= beforeLastNewLine { + return "", "", s, ErrHeader + } + // Extract everything between the space and the final newline. - rec, nl, rem := s[sp+1:n-1], s[n-1:n], s[n:] + rec, nl, rem := s[afterSpace:beforeLastNewLine], s[beforeLastNewLine:n], s[n:] if nl != "\n" { return "", "", s, ErrHeader } diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/strconv_test.go docker.io-20.10.11/engine/vendor/archive/tar/strconv_test.go --- docker.io-20.10.7/engine/vendor/archive/tar/strconv_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/strconv_test.go 2021-11-18 00:21:59.000000000 +0000 
@@ -368,6 +368,13 @@ {"16 longkeyname=hahaha\n", "16 longkeyname=hahaha\n", "", "", false}, {"3 somelongkey=\n", "3 somelongkey=\n", "", "", false}, {"50 tooshort=\n", "50 tooshort=\n", "", "", false}, + {"0000000000000000000000000000000030 mtime=1432668921.098285006\n30 ctime=2147483649.15163319", "0000000000000000000000000000000030 mtime=1432668921.098285006\n30 ctime=2147483649.15163319", "mtime", "1432668921.098285006", false}, + {"06 k=v\n", "06 k=v\n", "", "", false}, + {"00006 k=v\n", "00006 k=v\n", "", "", false}, + {"000006 k=v\n", "000006 k=v\n", "", "", false}, + {"000000 k=v\n", "000000 k=v\n", "", "", false}, + {"0 k=v\n", "0 k=v\n", "", "", false}, + {"+0000005 x=\n", "+0000005 x=\n", "", "", false}, } for _, v := range vectors { diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/tar_test.go docker.io-20.10.11/engine/vendor/archive/tar/tar_test.go --- docker.io-20.10.7/engine/vendor/archive/tar/tar_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/tar_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -10,7 +10,7 @@ "fmt" "internal/testenv" "io" - "io/ioutil" + "io/fs" "math" "os" "path" @@ -262,7 +262,7 @@ func TestFileInfoHeaderSymlink(t *testing.T) { testenv.MustHaveSymlink(t) - tmpdir, err := ioutil.TempDir("", "TestFileInfoHeaderSymlink") + tmpdir, err := os.MkdirTemp("", "TestFileInfoHeaderSymlink") if err != nil { t.Fatal(err) } @@ -327,7 +327,7 @@ if !reflect.DeepEqual(rHdr, hdr) { t.Errorf("Header mismatch.\n got %+v\nwant %+v", rHdr, hdr) } - rData, err := ioutil.ReadAll(tr) + rData, err := io.ReadAll(tr) if err != nil { t.Fatalf("Read: %v", err) } @@ -338,7 +338,7 @@ type headerRoundTripTest struct { h *Header - fm os.FileMode + fm fs.FileMode } func TestHeaderRoundTrip(t *testing.T) { @@ -361,7 +361,7 @@ ModTime: time.Unix(1360600852, 0), Typeflag: TypeSymlink, }, - fm: 0777 | os.ModeSymlink, + fm: 0777 | fs.ModeSymlink, }, { // character device node. h: &Header{ 
@@ -371,7 +371,7 @@ ModTime: time.Unix(1360578951, 0), Typeflag: TypeChar, }, - fm: 0666 | os.ModeDevice | os.ModeCharDevice, + fm: 0666 | fs.ModeDevice | fs.ModeCharDevice, }, { // block device node. h: &Header{ @@ -381,7 +381,7 @@ ModTime: time.Unix(1360578954, 0), Typeflag: TypeBlock, }, - fm: 0660 | os.ModeDevice, + fm: 0660 | fs.ModeDevice, }, { // directory. h: &Header{ @@ -391,7 +391,7 @@ ModTime: time.Unix(1360601116, 0), Typeflag: TypeDir, }, - fm: 0755 | os.ModeDir, + fm: 0755 | fs.ModeDir, }, { // fifo node. h: &Header{ @@ -401,7 +401,7 @@ ModTime: time.Unix(1360578949, 0), Typeflag: TypeFifo, }, - fm: 0600 | os.ModeNamedPipe, + fm: 0600 | fs.ModeNamedPipe, }, { // setuid. h: &Header{ @@ -411,7 +411,7 @@ ModTime: time.Unix(1355405093, 0), Typeflag: TypeReg, }, - fm: 0755 | os.ModeSetuid, + fm: 0755 | fs.ModeSetuid, }, { // setguid. h: &Header{ @@ -421,7 +421,7 @@ ModTime: time.Unix(1360602346, 0), Typeflag: TypeReg, }, - fm: 0750 | os.ModeSetgid, + fm: 0750 | fs.ModeSetgid, }, { // sticky. h: &Header{ @@ -431,7 +431,7 @@ ModTime: time.Unix(1360602540, 0), Typeflag: TypeReg, }, - fm: 0600 | os.ModeSticky, + fm: 0600 | fs.ModeSticky, }, { // hard link. h: &Header{ @@ -804,9 +804,9 @@ b.Run(v.label, func(b *testing.B) { b.ReportAllocs() for i := 0; i < b.N; i++ { - // Writing to ioutil.Discard because we want to + // Writing to io.Discard because we want to // test purely the writer code and not bring in disk performance into this. - tw := NewWriter(ioutil.Discard) + tw := NewWriter(io.Discard) for _, file := range v.files { if err := tw.WriteHeader(file.hdr); err != nil { b.Errorf("unexpected WriteHeader error: %v", err) 
@@ -844,7 +844,7 @@ if _, err := tr.Next(); err != nil { b.Errorf("unexpected Next error: %v", err) } - if _, err := io.Copy(ioutil.Discard, tr); err != nil { + if _, err := io.Copy(io.Discard, tr); err != nil { b.Errorf("unexpected Copy error : %v", err) } } diff -Nru docker.io-20.10.7/engine/vendor/archive/tar/writer_test.go docker.io-20.10.11/engine/vendor/archive/tar/writer_test.go --- docker.io-20.10.7/engine/vendor/archive/tar/writer_test.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/archive/tar/writer_test.go 2021-11-18 00:21:59.000000000 +0000 @@ -9,7 +9,6 @@ "encoding/hex" "errors" "io" - "io/ioutil" "os" "path" "reflect" @@ -520,7 +519,7 @@ } if v.file != "" { - want, err := ioutil.ReadFile(v.file) + want, err := os.ReadFile(v.file) if err != nil { t.Fatalf("ReadFile() = %v, want nil", err) } diff -Nru docker.io-20.10.7/engine/vendor/github.com/containerd/containerd/images/image.go docker.io-20.10.11/engine/vendor/github.com/containerd/containerd/images/image.go --- docker.io-20.10.7/engine/vendor/github.com/containerd/containerd/images/image.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/containerd/containerd/images/image.go 2021-11-18 00:21:59.000000000 +0000 @@ -19,6 +19,7 @@ import ( "context" "encoding/json" + "fmt" "sort" "time" @@ -154,6 +155,10 @@ return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) + } + var manifest ocispec.Manifest if err := json.Unmarshal(p, &manifest); err != nil { return nil, err @@ -194,6 +199,10 @@ return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "manifest: invalid desc %s", desc.Digest) + } + var idx ocispec.Index if err := json.Unmarshal(p, &idx); err != nil { return nil, err 
@@ -336,6 +345,10 @@ return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) + } + // TODO(stevvooe): We just assume oci manifest, for now. There may be // subtle differences from the docker version. var manifest ocispec.Manifest @@ -351,6 +364,10 @@ return nil, err } + if err := validateMediaType(p, desc.MediaType); err != nil { + return nil, errors.Wrapf(err, "children: invalid desc %s", desc.Digest) + } + var index ocispec.Index if err := json.Unmarshal(p, &index); err != nil { return nil, err 
@@ -368,6 +385,44 @@ return descs, nil } +// unknownDocument represents a manifest, manifest list, or index that has not +// yet been validated. +type unknownDocument struct { + MediaType string `json:"mediaType,omitempty"` + Config json.RawMessage `json:"config,omitempty"` + Layers json.RawMessage `json:"layers,omitempty"` + Manifests json.RawMessage `json:"manifests,omitempty"` + FSLayers json.RawMessage `json:"fsLayers,omitempty"` // schema 1 +} + +// validateMediaType returns an error if the byte slice is invalid JSON or if +// the media type identifies the blob as one format but it contains elements of +// another format. +func validateMediaType(b []byte, mt string) error { + var doc unknownDocument + if err := json.Unmarshal(b, &doc); err != nil { + return err + } + if len(doc.FSLayers) != 0 { + return fmt.Errorf("media-type: schema 1 not supported") + } + switch mt { + case MediaTypeDockerSchema2Manifest, ocispec.MediaTypeImageManifest: + if len(doc.Manifests) != 0 || + doc.MediaType == MediaTypeDockerSchema2ManifestList || + doc.MediaType == ocispec.MediaTypeImageIndex { + return fmt.Errorf("media-type: expected manifest but found index (%s)", mt) + } + case MediaTypeDockerSchema2ManifestList, ocispec.MediaTypeImageIndex: + if len(doc.Config) != 0 || len(doc.Layers) != 0 || + doc.MediaType == MediaTypeDockerSchema2Manifest || + doc.MediaType == ocispec.MediaTypeImageManifest { + return fmt.Errorf("media-type: expected index but found manifest (%s)", mt) + } + } + return nil +} + // RootFS returns the unpacked diffids that make up and images rootfs. 
// // These are used to verify that a set of layers unpacked to the expected diff -Nru docker.io-20.10.7/engine/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go docker.io-20.10.11/engine/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go --- docker.io-20.10.7/engine/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/containerd/containerd/remotes/docker/schema1/converter.go 2021-11-18 00:21:59.000000000 +0000 @@ -256,6 +256,9 @@ if err := json.Unmarshal(b, &m); err != nil { return err } + if len(m.Manifests) != 0 || len(m.Layers) != 0 { + return errors.New("converter: expected schema1 document but found extra keys") + } c.pulledManifest = &m return nil @@ -472,8 +475,10 @@ } type manifest struct { - FSLayers []fsLayer `json:"fsLayers"` - History []history `json:"history"` + FSLayers []fsLayer `json:"fsLayers"` + History []history `json:"history"` + Layers json.RawMessage `json:"layers,omitempty"` // OCI manifest + Manifests json.RawMessage `json:"manifests,omitempty"` // OCI index } type v1History struct { diff -Nru docker.io-20.10.7/engine/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go docker.io-20.10.11/engine/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go --- docker.io-20.10.7/engine/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/docker/distribution/manifest/manifestlist/manifestlist.go 2021-11-18 00:21:59.000000000 +0000 @@ -54,6 +54,9 @@ } imageIndexFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) { + if err := validateIndex(b); err != nil { + return nil, distribution.Descriptor{}, err + } m := new(DeserializedManifestList) err := m.UnmarshalJSON(b) if err != nil { 
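Review bot: Both mismatch errors in `validateMediaType` print `mt`, the media type the descriptor declared, in a position that reads as the type that was found, so a rejected document is reported as "expected manifest but found index" followed by the manifest media type. When triaging a rejected or tampered document it helps to see the declared and the embedded value separately, for example `return fmt.Errorf("media-type: expected manifest (%s) but found index fields (mediaType %q)", mt, doc.MediaType)`, with the mirrored wording in the index case. The `switch` also has no `default`, so any other `mt` receives only the schema 1 check; a short comment such as `// other media types are not cross-checked here` would make it clear that this is intentional. The file header for this hunk lies outside the visible part of the diff.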
@@ -214,3 +217,23 @@ return mediaType, m.canonical, nil } + +// unknownDocument represents a manifest, manifest list, or index that has not +// yet been validated +type unknownDocument struct { + Config interface{} `json:"config,omitempty"` + Layers interface{} `json:"layers,omitempty"` +} + +// validateIndex returns an error if the byte slice is invalid JSON or if it +// contains fields that belong to a manifest +func validateIndex(b []byte) error { + var doc unknownDocument + if err := json.Unmarshal(b, &doc); err != nil { + return err + } + if doc.Config != nil || doc.Layers != nil { + return errors.New("index: expected index but found manifest") + } + return nil +} diff -Nru docker.io-20.10.7/engine/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go docker.io-20.10.11/engine/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go --- docker.io-20.10.7/engine/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/docker/distribution/manifest/ocischema/manifest.go 2021-11-18 00:21:59.000000000 +0000 @@ -22,6 +22,9 @@ func init() { ocischemaFunc := func(b []byte) (distribution.Manifest, distribution.Descriptor, error) { + if err := validateManifest(b); err != nil { + return nil, distribution.Descriptor{}, err + } m := new(DeserializedManifest) err := m.UnmarshalJSON(b) if err != nil { 
@@ -122,3 +125,22 @@ func (m DeserializedManifest) Payload() (string, []byte, error) { return v1.MediaTypeImageManifest, m.canonical, nil } + +// unknownDocument represents a manifest, manifest list, or index that has not +// yet been validated +type unknownDocument struct { + Manifests interface{} `json:"manifests,omitempty"` +} + +// validateManifest returns an error if the byte slice is invalid JSON or if it +// contains fields that belong to a index +func validateManifest(b []byte) error { + var doc unknownDocument + if err := json.Unmarshal(b, &doc); err != nil { + return err + } + if doc.Manifests != nil { + return errors.New("ocimanifest: expected manifest but found index") + } + return nil +} diff -Nru docker.io-20.10.7/engine/vendor/github.com/docker/swarmkit/manager/logbroker/subscription.go docker.io-20.10.11/engine/vendor/github.com/docker/swarmkit/manager/logbroker/subscription.go --- docker.io-20.10.7/engine/vendor/github.com/docker/swarmkit/manager/logbroker/subscription.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/docker/swarmkit/manager/logbroker/subscription.go 2021-11-18 00:21:59.000000000 +0000 
@@ -204,20 +204,31 @@ } add := func(t *api.Task) { + // this mutex does not have a deferred unlock, because there is work + // we need to do after we release it. s.mu.Lock() - defer s.mu.Unlock() // Un-allocated task. if t.NodeID == "" { s.pendingTasks[t.ID] = struct{}{} + s.mu.Unlock() return } delete(s.pendingTasks, t.ID) if _, ok := s.nodes[t.NodeID]; !ok { s.nodes[t.NodeID] = struct{}{} + + s.mu.Unlock() + + // if we try to call Publish before we release the lock, we can end + // up in a situation where the receiver is trying to acquire a read + // lock on it. it's hard to explain. s.changed.Publish(s) + return } + + s.mu.Unlock() } for { diff -Nru docker.io-20.10.7/engine/vendor/github.com/docker/swarmkit/manager/orchestrator/update/updater.go docker.io-20.10.11/engine/vendor/github.com/docker/swarmkit/manager/orchestrator/update/updater.go --- docker.io-20.10.7/engine/vendor/github.com/docker/swarmkit/manager/orchestrator/update/updater.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/docker/swarmkit/manager/orchestrator/update/updater.go 2021-11-18 00:21:59.000000000 +0000 
@@ -280,6 +280,11 @@ wg.Wait() if !stopped { + // if a delay is set we need to monitor for a period longer than the delay + // otherwise we will leave the monitorLoop before the task is done delaying + if updateConfig.Delay >= monitoringPeriod { + monitoringPeriod = updateConfig.Delay + 1*time.Second + } // Keep watching for task failures for one more monitoringPeriod, // before declaring the update complete. doneMonitoring := time.After(monitoringPeriod) diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/backuptar/tar.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/backuptar/tar.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/backuptar/tar.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/backuptar/tar.go 2021-11-18 00:21:59.000000000 +0000 @@ -5,7 +5,6 @@ import ( "archive/tar" "encoding/base64" - "errors" "fmt" "io" "io/ioutil" @@ -41,19 +40,14 @@ hdrCreationTime = "LIBARCHIVE.creationtime" ) -func writeZeroes(w io.Writer, count int64) error { - buf := make([]byte, 8192) - c := len(buf) - for i := int64(0); i < count; i += int64(c) { - if int64(c) > count-i { - c = int(count - i) - } - _, err := w.Write(buf[:c]) - if err != nil { - return err - } +// zeroReader is an io.Reader that always returns 0s. +type zeroReader struct{} + +func (zr zeroReader) Read(b []byte) (int, error) { + for i := range b { + b[i] = 0 } - return nil + return len(b), nil } func copySparse(t *tar.Writer, br *winio.BackupStreamReader) error { 
@@ -70,16 +64,26 @@ return fmt.Errorf("unexpected stream %d", bhdr.Id) } + // We can't seek backwards, since we have already written that data to the tar.Writer. + if bhdr.Offset < curOffset { + return fmt.Errorf("cannot seek back from %d to %d", curOffset, bhdr.Offset) + } // archive/tar does not support writing sparse files // so just write zeroes to catch up to the current offset. - err = writeZeroes(t, bhdr.Offset-curOffset) + if _, err := io.CopyN(t, zeroReader{}, bhdr.Offset-curOffset); err != nil { + return fmt.Errorf("seek to offset %d: %s", bhdr.Offset, err) + } if bhdr.Size == 0 { + // A sparse block with size = 0 is used to mark the end of the sparse blocks. break } n, err := io.Copy(t, br) if err != nil { return err } + if n != bhdr.Size { + return fmt.Errorf("copied %d bytes instead of %d at offset %d", n, bhdr.Size, bhdr.Offset) + } curOffset = bhdr.Offset + n } return nil 
@@ -220,20 +224,44 @@ } } + // The logic for copying file contents is fairly complicated due to the need for handling sparse files, + // and the weird ways they are represented by BackupRead. A normal file will always either have a data stream + // with size and content, or no data stream at all (if empty). However, for a sparse file, the content can also + // be represented using a series of sparse block streams following the data stream. Additionally, the way sparse + // files are handled by BackupRead has changed in the OS recently. The specifics of the representation are described + // in the list at the bottom of this block comment. + // + // Sparse files can be represented in four different ways, based on the specifics of the file. + // - Size = 0: + // Previously: BackupRead yields no data stream and no sparse block streams. + // Recently: BackupRead yields a data stream with size = 0. There are no following sparse block streams. + // - Size > 0, no allocated ranges: + // BackupRead yields a data stream with size = 0. Following is a single sparse block stream with + // size = 0 and offset = . + // - Size > 0, one allocated range: + // BackupRead yields a data stream with size = containing the file contents. There are no + // sparse block streams. This is the case if you take a normal file with contents and simply set the + // sparse flag on it. + // - Size > 0, multiple allocated ranges: + // BackupRead yields a data stream with size = 0. Following are sparse block streams for each allocated + // range of the file containing the range contents. Finally there is a sparse block stream with + // size = 0 and offset = . + if dataHdr != nil { // A data stream was found. Copy the data. - if (dataHdr.Attributes & winio.StreamSparseAttributes) == 0 { + // We assume that we will either have a data stream size > 0 XOR have sparse block streams. 
+ if dataHdr.Size > 0 || (dataHdr.Attributes&winio.StreamSparseAttributes) == 0 { if size != dataHdr.Size { return fmt.Errorf("%s: mismatch between file size %d and header size %d", name, size, dataHdr.Size) } - _, err = io.Copy(t, br) - if err != nil { - return err + if _, err = io.Copy(t, br); err != nil { + return fmt.Errorf("%s: copying contents from data stream: %s", name, err) } - } else { - err = copySparse(t, br) - if err != nil { - return err + } else if size > 0 { + // As of a recent OS change, BackupRead now returns a data stream for empty sparse files. + // These files have no sparse block streams, so skip the copySparse call if file size = 0. + if err = copySparse(t, br); err != nil { + return fmt.Errorf("%s: copying contents from sparse block stream: %s", name, err) } } } @@ -278,7 +306,7 @@ } else { // Unsupported for now, since the size of the alternate stream is not present // in the backup stream until after the data has been read. - return errors.New("tar of sparse alternate data streams is unsupported") + return fmt.Errorf("%s: tar of sparse alternate data streams is unsupported", name) } case winio.BackupEaData, winio.BackupLink, winio.BackupPropertyData, winio.BackupObjectId, winio.BackupTxfsData: // ignore these streams diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/go.mod docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/go.mod --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/go.mod 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/go.mod 2021-11-18 00:21:59.000000000 +0000 
@@ -3,7 +3,7 @@ go 1.12 require ( - github.com/pkg/errors v0.8.1 - github.com/sirupsen/logrus v1.4.1 - golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3 + github.com/pkg/errors v0.9.1 + github.com/sirupsen/logrus v1.7.0 + golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c ) diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/hvsock.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/hvsock.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/hvsock.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/hvsock.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + package winio import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pipe.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pipe.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pipe.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pipe.go 2021-11-18 00:21:59.000000000 +0000 @@ -429,10 +429,10 @@ // when the pipe is in message mode. MessageMode bool - // InputBufferSize specifies the size the input buffer, in bytes. + // InputBufferSize specifies the size of the input buffer, in bytes. InputBufferSize int32 - // OutputBufferSize specifies the size the input buffer, in bytes. + // OutputBufferSize specifies the size of the output buffer, in bytes. OutputBufferSize int32 } diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventdata.go 2021-11-18 00:21:59.000000000 +0000 
@@ -1,3 +1,5 @@ +// +build windows + package etw import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventopt.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventopt.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventopt.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/eventopt.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + package etw import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/fieldopt.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + package etw import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,4 @@ +// +build windows // +build amd64 arm64 386 package etw 
@@ -11,11 +12,20 @@ "golang.org/x/sys/windows" ) -// NewProviderWithID creates and registers a new ETW provider, allowing the -// provider ID to be manually specified. This is most useful when there is an -// existing provider ID that must be used to conform to existing diagnostic -// infrastructure. -func NewProviderWithID(name string, id guid.GUID, callback EnableCallback) (provider *Provider, err error) { +// NewProviderWithOptions creates and registers a new ETW provider, allowing +// the provider ID and Group to be manually specified. This is most useful when +// there is an existing provider ID that must be used to conform to existing +// diagnostic infrastructure. +func NewProviderWithOptions(name string, options ...ProviderOpt) (provider *Provider, err error) { + var opts providerOpts + for _, opt := range options { + opt(&opts) + } + + if opts.id == (guid.GUID{}) { + opts.id = providerIDFromName(name) + } + providerCallbackOnce.Do(func() { globalProviderCallback = windows.NewCallback(providerCallbackAdapter) }) 
@@ -26,17 +36,27 @@ providers.removeProvider(provider) } }(provider) - provider.ID = id - provider.callback = callback + provider.ID = opts.id + provider.callback = opts.callback if err := eventRegister((*windows.GUID)(&provider.ID), globalProviderCallback, uintptr(provider.index), &provider.handle); err != nil { return nil, err } + trait := &bytes.Buffer{} + if opts.group != (guid.GUID{}) { + binary.Write(trait, binary.LittleEndian, uint16(0)) // Write empty size for buffer (update later) + binary.Write(trait, binary.LittleEndian, uint8(1)) // EtwProviderTraitTypeGroup + traitArray := opts.group.ToWindowsArray() // Append group guid + trait.Write(traitArray[:]) + binary.LittleEndian.PutUint16(trait.Bytes(), uint16(trait.Len())) // Update size + } + metadata := &bytes.Buffer{} binary.Write(metadata, binary.LittleEndian, uint16(0)) // Write empty size for buffer (to update later) metadata.WriteString(name) metadata.WriteByte(0) // Null terminator for name + trait.WriteTo(metadata) // Add traits if applicable binary.LittleEndian.PutUint16(metadata.Bytes(), uint16(metadata.Len())) // Update the size at the beginning of the buffer provider.metadata = metadata.Bytes() diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider_unsupported.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider_unsupported.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider_unsupported.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/newprovider_unsupported.go 2021-11-18 00:21:59.000000000 +0000 
@@ -1,12 +1,9 @@ +// +build windows // +build arm package etw -import ( - "github.com/Microsoft/go-winio/pkg/guid" -) - // NewProviderWithID returns a nil provider on unsupported platforms. -func NewProviderWithID(name string, id guid.GUID, callback EnableCallback) (provider *Provider, err error) { +func NewProviderWithOptions(name string, options ...ProviderOpt) (provider *Provider, err error) { return nil, nil } diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/providerglobal.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/providerglobal.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/providerglobal.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/providerglobal.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + package etw import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/provider.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/provider.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/provider.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/provider.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + package etw import ( 
@@ -81,15 +83,6 @@ } } -// providerCallbackAdapter acts as the first-level callback from the C/ETW side -// for provider notifications. Because Go has trouble with callback arguments of -// different size, it has only pointer-sized arguments, which are then cast to -// the appropriate types when calling providerCallback. -func providerCallbackAdapter(sourceID *guid.GUID, state uintptr, level uintptr, matchAnyKeyword uintptr, matchAllKeyword uintptr, filterData uintptr, i uintptr) uintptr { - providerCallback(*sourceID, ProviderState(state), Level(level), uint64(matchAnyKeyword), uint64(matchAllKeyword), filterData, i) - return 0 -} - // providerIDFromName generates a provider ID based on the provider name. It // uses the same algorithm as used by .NET's EventSource class, which is based // on RFC 4122. More information on the algorithm can be found here: 
@@ -117,10 +110,50 @@ return guid.FromWindowsArray(a) } +type providerOpts struct { + callback EnableCallback + id guid.GUID + group guid.GUID +} + +// ProviderOpt allows the caller to specify provider options to +// NewProviderWithOptions +type ProviderOpt func(*providerOpts) + +// WithCallback is used to provide a callback option to NewProviderWithOptions +func WithCallback(callback EnableCallback) ProviderOpt { + return func(opts *providerOpts) { + opts.callback = callback + } +} + +// WithID is used to provide a provider ID option to NewProviderWithOptions +func WithID(id guid.GUID) ProviderOpt { + return func(opts *providerOpts) { + opts.id = id + } +} + +// WithGroup is used to provide a provider group option to +// NewProviderWithOptions +func WithGroup(group guid.GUID) ProviderOpt { + return func(opts *providerOpts) { + opts.group = group + } +} + +// NewProviderWithID creates and registers a new ETW provider, allowing the +// provider ID to be manually specified. This is most useful when there is an +// existing provider ID that must be used to conform to existing diagnostic +// infrastructure. +func NewProviderWithID(name string, id guid.GUID, callback EnableCallback) (provider *Provider, err error) { + return NewProviderWithOptions(name, WithID(id), WithCallback(callback)) +} + // NewProvider creates and registers a new ETW provider. The provider ID is // generated based on the provider name. func NewProvider(name string, callback EnableCallback) (provider *Provider, err error) { - return NewProviderWithID(name, providerIDFromName(name), callback) + return NewProviderWithOptions(name, WithCallback(callback)) } // Close unregisters the provider. 
diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_32.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_32.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_32.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_32.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,8 +1,10 @@ +// +build windows // +build 386 arm package etw import ( + "github.com/Microsoft/go-winio/pkg/guid" "golang.org/x/sys/windows" ) 
@@ -49,3 +51,17 @@ information, length) } + +// providerCallbackAdapter acts as the first-level callback from the C/ETW side +// for provider notifications. Because Go has trouble with callback arguments of +// different size, it has only pointer-sized arguments, which are then cast to +// the appropriate types when calling providerCallback. +// For x86, the matchAny and matchAll keywords need to be assembled from two +// 32-bit integers, because the max size of an argument is uintptr, but those +// two arguments are actually 64-bit integers. +func providerCallbackAdapter(sourceID *guid.GUID, state uint32, level uint32, matchAnyKeyword_low uint32, matchAnyKeyword_high uint32, matchAllKeyword_low uint32, matchAllKeyword_high uint32, filterData uintptr, i uintptr) uintptr { + matchAnyKeyword := uint64(matchAnyKeyword_high)<<32 | uint64(matchAnyKeyword_low) + matchAllKeyword := uint64(matchAllKeyword_high)<<32 | uint64(matchAllKeyword_low) + providerCallback(*sourceID, ProviderState(state), Level(level), uint64(matchAnyKeyword), uint64(matchAllKeyword), filterData, i) + return 0 +} diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_64.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_64.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_64.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/wrapper_64.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,8 +1,10 @@ +// +build windows // +build amd64 arm64 package etw import ( + "github.com/Microsoft/go-winio/pkg/guid" "golang.org/x/sys/windows" ) 
@@ -39,3 +41,12 @@ information, length) } + +// providerCallbackAdapter acts as the first-level callback from the C/ETW side +// for provider notifications. Because Go has trouble with callback arguments of +// different size, it has only pointer-sized arguments, which are then cast to +// the appropriate types when calling providerCallback. +func providerCallbackAdapter(sourceID *guid.GUID, state uintptr, level uintptr, matchAnyKeyword uintptr, matchAllKeyword uintptr, filterData uintptr, i uintptr) uintptr { + providerCallback(*sourceID, ProviderState(state), Level(level), uint64(matchAnyKeyword), uint64(matchAllKeyword), filterData, i) + return 0 +} diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etw/zsyscall_windows.go 2021-11-18 00:21:59.000000000 +0000 @@ -19,6 +19,7 @@ var ( errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING) + errERROR_EINVAL error = syscall.EINVAL ) // errnoErr returns common boxed Errno values, to prevent @@ -26,7 +27,7 @@ func errnoErr(e syscall.Errno) error { switch e { case 0: - return nil + return errERROR_EINVAL case errnoERROR_IO_PENDING: return errERROR_IO_PENDING } 
@@ -40,9 +41,9 @@ modadvapi32 = windows.NewLazySystemDLL("advapi32.dll") procEventRegister = modadvapi32.NewProc("EventRegister") + procEventSetInformation = modadvapi32.NewProc("EventSetInformation") procEventUnregister = modadvapi32.NewProc("EventUnregister") procEventWriteTransfer = modadvapi32.NewProc("EventWriteTransfer") - procEventSetInformation = modadvapi32.NewProc("EventSetInformation") ) func eventRegister(providerId *windows.GUID, callback uintptr, callbackContext uintptr, providerHandle *providerHandle) (win32err error) { 
@@ -53,24 +54,24 @@ return } -func eventUnregister_64(providerHandle providerHandle) (win32err error) { - r0, _, _ := syscall.Syscall(procEventUnregister.Addr(), 1, uintptr(providerHandle), 0, 0) +func eventSetInformation_64(providerHandle providerHandle, class eventInfoClass, information uintptr, length uint32) (win32err error) { + r0, _, _ := syscall.Syscall6(procEventSetInformation.Addr(), 4, uintptr(providerHandle), uintptr(class), uintptr(information), uintptr(length), 0, 0) if r0 != 0 { win32err = syscall.Errno(r0) } return } -func eventWriteTransfer_64(providerHandle providerHandle, descriptor *eventDescriptor, activityID *windows.GUID, relatedActivityID *windows.GUID, dataDescriptorCount uint32, dataDescriptors *eventDataDescriptor) (win32err error) { - r0, _, _ := syscall.Syscall6(procEventWriteTransfer.Addr(), 6, uintptr(providerHandle), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors))) +func eventSetInformation_32(providerHandle_low uint32, providerHandle_high uint32, class eventInfoClass, information uintptr, length uint32) (win32err error) { + r0, _, _ := syscall.Syscall6(procEventSetInformation.Addr(), 5, uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(class), uintptr(information), uintptr(length), 0) if r0 != 0 { win32err = syscall.Errno(r0) } return } -func eventSetInformation_64(providerHandle providerHandle, class eventInfoClass, information uintptr, length uint32) (win32err error) { - r0, _, _ := syscall.Syscall6(procEventSetInformation.Addr(), 4, uintptr(providerHandle), uintptr(class), uintptr(information), uintptr(length), 0, 0) +func eventUnregister_64(providerHandle providerHandle) (win32err error) { + r0, _, _ := syscall.Syscall(procEventUnregister.Addr(), 1, uintptr(providerHandle), 0, 0) if r0 != 0 { win32err = syscall.Errno(r0) } 
@@ -85,16 +86,16 @@ return } -func eventWriteTransfer_32(providerHandle_low uint32, providerHandle_high uint32, descriptor *eventDescriptor, activityID *windows.GUID, relatedActivityID *windows.GUID, dataDescriptorCount uint32, dataDescriptors *eventDataDescriptor) (win32err error) { - r0, _, _ := syscall.Syscall9(procEventWriteTransfer.Addr(), 7, uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors)), 0, 0) +func eventWriteTransfer_64(providerHandle providerHandle, descriptor *eventDescriptor, activityID *windows.GUID, relatedActivityID *windows.GUID, dataDescriptorCount uint32, dataDescriptors *eventDataDescriptor) (win32err error) { + r0, _, _ := syscall.Syscall6(procEventWriteTransfer.Addr(), 6, uintptr(providerHandle), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors))) if r0 != 0 { win32err = syscall.Errno(r0) } return } -func eventSetInformation_32(providerHandle_low uint32, providerHandle_high uint32, class eventInfoClass, information uintptr, length uint32) (win32err error) { - r0, _, _ := syscall.Syscall6(procEventSetInformation.Addr(), 5, uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(class), uintptr(information), uintptr(length), 0) +func eventWriteTransfer_32(providerHandle_low uint32, providerHandle_high uint32, descriptor *eventDescriptor, activityID *windows.GUID, relatedActivityID *windows.GUID, dataDescriptorCount uint32, dataDescriptors *eventDataDescriptor) (win32err error) { + r0, _, _ := syscall.Syscall9(procEventWriteTransfer.Addr(), 7, uintptr(providerHandle_low), uintptr(providerHandle_high), uintptr(unsafe.Pointer(descriptor)), uintptr(unsafe.Pointer(activityID)), 
uintptr(unsafe.Pointer(relatedActivityID)), uintptr(dataDescriptorCount), uintptr(unsafe.Pointer(dataDescriptors)), 0, 0) if r0 != 0 { win32err = syscall.Errno(r0) } diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etwlogrus/hook.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etwlogrus/hook.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/etwlogrus/hook.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/etwlogrus/hook.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + package etwlogrus import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/guid/guid.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,3 +1,5 @@ +// +build windows + // Package guid provides a GUID type. The backing structure for a GUID is // identical to that used by the golang.org/x/sys/windows GUID type. // There are two main binary encodings used for a GUID, the big-endian encoding, diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/security/grantvmgroupaccess.go 2021-11-18 00:21:59.000000000 +0000 
@@ -1,3 +1,5 @@ +// +build windows + package security import ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/security/syscall_windows.go 2021-11-18 00:21:59.000000000 +0000 
@@ -2,6 +2,6 @@ //go:generate go run mksyscall_windows.go -output zsyscall_windows.go syscall_windows.go -//sys getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (err error) [failretval!=0] = advapi32.GetSecurityInfo -//sys setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (err error) [failretval!=0] = advapi32.SetSecurityInfo -//sys setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (err error) [failretval!=0] = advapi32.SetEntriesInAclW +//sys getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (win32err error) = advapi32.GetSecurityInfo +//sys setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (win32err error) = advapi32.SetSecurityInfo +//sys setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (win32err error) = advapi32.SetEntriesInAclW diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/pkg/security/zsyscall_windows.go 2021-11-18 00:21:59.000000000 +0000 @@ -1,4 +1,4 @@ -// Code generated mksyscall_windows.exe DO NOT EDIT +// Code generated by 'go generate'; DO NOT EDIT. package security 
@@ -19,6 +19,7 @@ var ( errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING) + errERROR_EINVAL error = syscall.EINVAL ) // errnoErr returns common boxed Errno values, to prevent @@ -26,7 +27,7 @@ func errnoErr(e syscall.Errno) error { switch e { case 0: - return nil + return errERROR_EINVAL case errnoERROR_IO_PENDING: return errERROR_IO_PENDING } 
@@ -40,42 +41,30 @@ modadvapi32 = windows.NewLazySystemDLL("advapi32.dll") procGetSecurityInfo = modadvapi32.NewProc("GetSecurityInfo") - procSetSecurityInfo = modadvapi32.NewProc("SetSecurityInfo") procSetEntriesInAclW = modadvapi32.NewProc("SetEntriesInAclW") + procSetSecurityInfo = modadvapi32.NewProc("SetSecurityInfo") ) -func getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (err error) { - r1, _, e1 := syscall.Syscall9(procGetSecurityInfo.Addr(), 8, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(unsafe.Pointer(ppsidOwner)), uintptr(unsafe.Pointer(ppsidGroup)), uintptr(unsafe.Pointer(ppDacl)), uintptr(unsafe.Pointer(ppSacl)), uintptr(unsafe.Pointer(ppSecurityDescriptor)), 0) - if r1 != 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func getSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, ppsidOwner **uintptr, ppsidGroup **uintptr, ppDacl *uintptr, ppSacl *uintptr, ppSecurityDescriptor *uintptr) (win32err error) { + r0, _, _ := syscall.Syscall9(procGetSecurityInfo.Addr(), 8, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(unsafe.Pointer(ppsidOwner)), uintptr(unsafe.Pointer(ppsidGroup)), uintptr(unsafe.Pointer(ppDacl)), uintptr(unsafe.Pointer(ppSacl)), uintptr(unsafe.Pointer(ppSecurityDescriptor)), 0) + if r0 != 0 { + win32err = syscall.Errno(r0) } return } -func setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (err error) { - r1, _, e1 := syscall.Syscall9(procSetSecurityInfo.Addr(), 7, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(psidOwner), uintptr(psidGroup), uintptr(pDacl), uintptr(pSacl), 0, 0) - if r1 != 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl 
*uintptr) (win32err error) { + r0, _, _ := syscall.Syscall6(procSetEntriesInAclW.Addr(), 4, uintptr(count), uintptr(pListOfEEs), uintptr(oldAcl), uintptr(unsafe.Pointer(newAcl)), 0, 0) + if r0 != 0 { + win32err = syscall.Errno(r0) } return } -func setEntriesInAcl(count uintptr, pListOfEEs uintptr, oldAcl uintptr, newAcl *uintptr) (err error) { - r1, _, e1 := syscall.Syscall6(procSetEntriesInAclW.Addr(), 4, uintptr(count), uintptr(pListOfEEs), uintptr(oldAcl), uintptr(unsafe.Pointer(newAcl)), 0, 0) - if r1 != 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func setSecurityInfo(handle syscall.Handle, objectType uint32, si uint32, psidOwner uintptr, psidGroup uintptr, pDacl uintptr, pSacl uintptr) (win32err error) { + r0, _, _ := syscall.Syscall9(procSetSecurityInfo.Addr(), 7, uintptr(handle), uintptr(objectType), uintptr(si), uintptr(psidOwner), uintptr(psidGroup), uintptr(pDacl), uintptr(pSacl), 0, 0) + if r0 != 0 { + win32err = syscall.Errno(r0) } return } diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/privilege.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/privilege.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/privilege.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/privilege.go 2021-11-18 00:21:59.000000000 +0000 
@@ -28,8 +28,9 @@ ERROR_NOT_ALL_ASSIGNED syscall.Errno = 1300 - SeBackupPrivilege = "SeBackupPrivilege" - SeRestorePrivilege = "SeRestorePrivilege" + SeBackupPrivilege = "SeBackupPrivilege" + SeRestorePrivilege = "SeRestorePrivilege" + SeSecurityPrivilege = "SeSecurityPrivilege" ) const ( diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/README.md docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/README.md --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/README.md 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/README.md 2021-11-18 00:21:59.000000000 +0000 @@ -1,4 +1,4 @@ -# go-winio +# go-winio [![Build Status](https://github.com/microsoft/go-winio/actions/workflows/ci.yml/badge.svg)](https://github.com/microsoft/go-winio/actions/workflows/ci.yml) This repository contains utilities for efficiently performing Win32 IO operations in Go. Currently, this is focused on accessing named pipes and other file handles, and diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/syscall.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/syscall.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/syscall.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/syscall.go 2021-11-18 00:21:59.000000000 +0000 
@@ -1,3 +1,3 @@ package winio -//go:generate go run $GOROOT/src/syscall/mksyscall_windows.go -output zsyscall_windows.go file.go pipe.go sd.go fileinfo.go privilege.go backup.go hvsock.go +//go:generate go run golang.org/x/sys/windows/mkwinsyscall -output zsyscall_windows.go file.go pipe.go sd.go fileinfo.go privilege.go backup.go hvsock.go diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/vhd/vhd.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/vhd/vhd.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/vhd/vhd.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/vhd/vhd.go 2021-11-18 00:21:59.000000000 +0000 
@@ -2,150 +2,322 @@ package vhd -import "syscall" - -//go:generate go run mksyscall_windows.go -output zvhd.go vhd.go +import ( + "fmt" + "syscall" + + "github.com/Microsoft/go-winio/pkg/guid" + "github.com/pkg/errors" + "golang.org/x/sys/windows" +) -//sys createVirtualDisk(virtualStorageType *virtualStorageType, path string, virtualDiskAccessMask uint32, securityDescriptor *uintptr, flags uint32, providerSpecificFlags uint32, parameters *createVirtualDiskParameters, o *syscall.Overlapped, handle *syscall.Handle) (err error) [failretval != 0] = VirtDisk.CreateVirtualDisk -//sys openVirtualDisk(virtualStorageType *virtualStorageType, path string, virtualDiskAccessMask uint32, flags uint32, parameters *openVirtualDiskParameters, handle *syscall.Handle) (err error) [failretval != 0] = VirtDisk.OpenVirtualDisk -//sys detachVirtualDisk(handle syscall.Handle, flags uint32, providerSpecificFlags uint32) (err error) [failretval != 0] = VirtDisk.DetachVirtualDisk +//go:generate go run mksyscall_windows.go -output zvhd_windows.go vhd.go -type virtualStorageType struct { - DeviceID uint32 - VendorID [16]byte -} +//sys createVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters *CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (win32err error) = virtdisk.CreateVirtualDisk +//sys openVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters *OpenVirtualDiskParameters, handle *syscall.Handle) (win32err error) = virtdisk.OpenVirtualDisk +//sys attachVirtualDisk(handle syscall.Handle, securityDescriptor *uintptr, attachVirtualDiskFlag uint32, providerSpecificFlags uint32, parameters *AttachVirtualDiskParameters, overlapped *syscall.Overlapped) (win32err error) = virtdisk.AttachVirtualDisk +//sys detachVirtualDisk(handle 
syscall.Handle, detachVirtualDiskFlags uint32, providerSpecificFlags uint32) (win32err error) = virtdisk.DetachVirtualDisk +//sys getVirtualDiskPhysicalPath(handle syscall.Handle, diskPathSizeInBytes *uint32, buffer *uint16) (win32err error) = virtdisk.GetVirtualDiskPhysicalPath type ( - createVirtualDiskFlag uint32 - VirtualDiskAccessMask uint32 + CreateVirtualDiskFlag uint32 VirtualDiskFlag uint32 + AttachVirtualDiskFlag uint32 + DetachVirtualDiskFlag uint32 + VirtualDiskAccessMask uint32 ) -const ( - // Flags for creating a VHD (not exported) - createVirtualDiskFlagNone createVirtualDiskFlag = 0 - createVirtualDiskFlagFullPhysicalAllocation createVirtualDiskFlag = 1 - createVirtualDiskFlagPreventWritesToSourceDisk createVirtualDiskFlag = 2 - createVirtualDiskFlagDoNotCopyMetadataFromParent createVirtualDiskFlag = 4 - - // Access Mask for opening a VHD - VirtualDiskAccessNone VirtualDiskAccessMask = 0 - VirtualDiskAccessAttachRO VirtualDiskAccessMask = 65536 - VirtualDiskAccessAttachRW VirtualDiskAccessMask = 131072 - VirtualDiskAccessDetach VirtualDiskAccessMask = 262144 - VirtualDiskAccessGetInfo VirtualDiskAccessMask = 524288 - VirtualDiskAccessCreate VirtualDiskAccessMask = 1048576 - VirtualDiskAccessMetaOps VirtualDiskAccessMask = 2097152 - VirtualDiskAccessRead VirtualDiskAccessMask = 851968 - VirtualDiskAccessAll VirtualDiskAccessMask = 4128768 - VirtualDiskAccessWritable VirtualDiskAccessMask = 3276800 - - // Flags for opening a VHD - OpenVirtualDiskFlagNone VirtualDiskFlag = 0 - OpenVirtualDiskFlagNoParents VirtualDiskFlag = 0x1 - OpenVirtualDiskFlagBlankFile VirtualDiskFlag = 0x2 - OpenVirtualDiskFlagBootDrive VirtualDiskFlag = 0x4 - OpenVirtualDiskFlagCachedIO VirtualDiskFlag = 0x8 - OpenVirtualDiskFlagCustomDiffChain VirtualDiskFlag = 0x10 - OpenVirtualDiskFlagParentCachedIO VirtualDiskFlag = 0x20 - OpenVirtualDiskFlagVhdSetFileOnly VirtualDiskFlag = 0x40 - OpenVirtualDiskFlagIgnoreRelativeParentLocator VirtualDiskFlag = 0x80 - 
OpenVirtualDiskFlagNoWriteHardening VirtualDiskFlag = 0x100 -) +type VirtualStorageType struct { + DeviceID uint32 + VendorID guid.GUID +} -type createVersion2 struct { - UniqueID [16]byte // GUID +type CreateVersion2 struct { + UniqueID guid.GUID MaximumSize uint64 BlockSizeInBytes uint32 SectorSizeInBytes uint32 + PhysicalSectorSizeInByte uint32 ParentPath *uint16 // string SourcePath *uint16 // string OpenFlags uint32 - ParentVirtualStorageType virtualStorageType - SourceVirtualStorageType virtualStorageType - ResiliencyGUID [16]byte // GUID + ParentVirtualStorageType VirtualStorageType + SourceVirtualStorageType VirtualStorageType + ResiliencyGUID guid.GUID } -type createVirtualDiskParameters struct { +type CreateVirtualDiskParameters struct { Version uint32 // Must always be set to 2 - Version2 createVersion2 + Version2 CreateVersion2 } -type openVersion2 struct { - GetInfoOnly int32 // bool but 4-byte aligned - ReadOnly int32 // bool but 4-byte aligned - ResiliencyGUID [16]byte // GUID +type OpenVersion2 struct { + GetInfoOnly bool + ReadOnly bool + ResiliencyGUID guid.GUID } -type openVirtualDiskParameters struct { +type OpenVirtualDiskParameters struct { Version uint32 // Must always be set to 2 - Version2 openVersion2 + Version2 OpenVersion2 } -// CreateVhdx will create a simple vhdx file at the given path using default values. 
-func CreateVhdx(path string, maxSizeInGb, blockSizeInMb uint32) error { - var ( - defaultType virtualStorageType - handle syscall.Handle - ) +type AttachVersion2 struct { + RestrictedOffset uint64 + RestrictedLength uint64 +} + +type AttachVirtualDiskParameters struct { + Version uint32 // Must always be set to 2 + Version2 AttachVersion2 +} + +const ( + VIRTUAL_STORAGE_TYPE_DEVICE_VHDX = 0x3 + + // Access Mask for opening a VHD + VirtualDiskAccessNone VirtualDiskAccessMask = 0x00000000 + VirtualDiskAccessAttachRO VirtualDiskAccessMask = 0x00010000 + VirtualDiskAccessAttachRW VirtualDiskAccessMask = 0x00020000 + VirtualDiskAccessDetach VirtualDiskAccessMask = 0x00040000 + VirtualDiskAccessGetInfo VirtualDiskAccessMask = 0x00080000 + VirtualDiskAccessCreate VirtualDiskAccessMask = 0x00100000 + VirtualDiskAccessMetaOps VirtualDiskAccessMask = 0x00200000 + VirtualDiskAccessRead VirtualDiskAccessMask = 0x000d0000 + VirtualDiskAccessAll VirtualDiskAccessMask = 0x003f0000 + VirtualDiskAccessWritable VirtualDiskAccessMask = 0x00320000 + + // Flags for creating a VHD + CreateVirtualDiskFlagNone CreateVirtualDiskFlag = 0x0 + CreateVirtualDiskFlagFullPhysicalAllocation CreateVirtualDiskFlag = 0x1 + CreateVirtualDiskFlagPreventWritesToSourceDisk CreateVirtualDiskFlag = 0x2 + CreateVirtualDiskFlagDoNotCopyMetadataFromParent CreateVirtualDiskFlag = 0x4 + CreateVirtualDiskFlagCreateBackingStorage CreateVirtualDiskFlag = 0x8 + CreateVirtualDiskFlagUseChangeTrackingSourceLimit CreateVirtualDiskFlag = 0x10 + CreateVirtualDiskFlagPreserveParentChangeTrackingState CreateVirtualDiskFlag = 0x20 + CreateVirtualDiskFlagVhdSetUseOriginalBackingStorage CreateVirtualDiskFlag = 0x40 + CreateVirtualDiskFlagSparseFile CreateVirtualDiskFlag = 0x80 + CreateVirtualDiskFlagPmemCompatible CreateVirtualDiskFlag = 0x100 + CreateVirtualDiskFlagSupportCompressedVolumes CreateVirtualDiskFlag = 0x200 - parameters := createVirtualDiskParameters{ + // Flags for opening a VHD + OpenVirtualDiskFlagNone 
VirtualDiskFlag = 0x00000000 + OpenVirtualDiskFlagNoParents VirtualDiskFlag = 0x00000001 + OpenVirtualDiskFlagBlankFile VirtualDiskFlag = 0x00000002 + OpenVirtualDiskFlagBootDrive VirtualDiskFlag = 0x00000004 + OpenVirtualDiskFlagCachedIO VirtualDiskFlag = 0x00000008 + OpenVirtualDiskFlagCustomDiffChain VirtualDiskFlag = 0x00000010 + OpenVirtualDiskFlagParentCachedIO VirtualDiskFlag = 0x00000020 + OpenVirtualDiskFlagVhdsetFileOnly VirtualDiskFlag = 0x00000040 + OpenVirtualDiskFlagIgnoreRelativeParentLocator VirtualDiskFlag = 0x00000080 + OpenVirtualDiskFlagNoWriteHardening VirtualDiskFlag = 0x00000100 + OpenVirtualDiskFlagSupportCompressedVolumes VirtualDiskFlag = 0x00000200 + + // Flags for attaching a VHD + AttachVirtualDiskFlagNone AttachVirtualDiskFlag = 0x00000000 + AttachVirtualDiskFlagReadOnly AttachVirtualDiskFlag = 0x00000001 + AttachVirtualDiskFlagNoDriveLetter AttachVirtualDiskFlag = 0x00000002 + AttachVirtualDiskFlagPermanentLifetime AttachVirtualDiskFlag = 0x00000004 + AttachVirtualDiskFlagNoLocalHost AttachVirtualDiskFlag = 0x00000008 + AttachVirtualDiskFlagNoSecurityDescriptor AttachVirtualDiskFlag = 0x00000010 + AttachVirtualDiskFlagBypassDefaultEncryptionPolicy AttachVirtualDiskFlag = 0x00000020 + AttachVirtualDiskFlagNonPnp AttachVirtualDiskFlag = 0x00000040 + AttachVirtualDiskFlagRestrictedRange AttachVirtualDiskFlag = 0x00000080 + AttachVirtualDiskFlagSinglePartition AttachVirtualDiskFlag = 0x00000100 + AttachVirtualDiskFlagRegisterVolume AttachVirtualDiskFlag = 0x00000200 + + // Flags for detaching a VHD + DetachVirtualDiskFlagNone DetachVirtualDiskFlag = 0x0 +) + +// CreateVhdx is a helper function to create a simple vhdx file at the given path using +// default values. 
+func CreateVhdx(path string, maxSizeInGb, blockSizeInMb uint32) error { + params := CreateVirtualDiskParameters{ Version: 2, - Version2: createVersion2{ + Version2: CreateVersion2{ MaximumSize: uint64(maxSizeInGb) * 1024 * 1024 * 1024, BlockSizeInBytes: blockSizeInMb * 1024 * 1024, }, } - if err := createVirtualDisk( - &defaultType, - path, - uint32(VirtualDiskAccessNone), - nil, - uint32(createVirtualDiskFlagNone), - 0, - ¶meters, - nil, - &handle); err != nil { + handle, err := CreateVirtualDisk(path, VirtualDiskAccessNone, CreateVirtualDiskFlagNone, ¶ms) + if err != nil { return err } if err := syscall.CloseHandle(handle); err != nil { return err } + return nil +} +// DetachVirtualDisk detaches a virtual hard disk by handle. +func DetachVirtualDisk(handle syscall.Handle) (err error) { + if err := detachVirtualDisk(handle, 0, 0); err != nil { + return errors.Wrap(err, "failed to detach virtual disk") + } return nil } -// DetachVhd detaches a mounted container layer vhd found at `path`. +// DetachVhd detaches a vhd found at `path`. func DetachVhd(path string) error { handle, err := OpenVirtualDisk( path, VirtualDiskAccessNone, - OpenVirtualDiskFlagCachedIO|OpenVirtualDiskFlagIgnoreRelativeParentLocator) + OpenVirtualDiskFlagCachedIO|OpenVirtualDiskFlagIgnoreRelativeParentLocator, + ) + if err != nil { + return err + } + defer syscall.CloseHandle(handle) + return DetachVirtualDisk(handle) +} + +// AttachVirtualDisk attaches a virtual hard disk for use. +func AttachVirtualDisk(handle syscall.Handle, attachVirtualDiskFlag AttachVirtualDiskFlag, parameters *AttachVirtualDiskParameters) (err error) { + // Supports both version 1 and 2 of the attach parameters as version 2 wasn't present in RS5. + if err := attachVirtualDisk( + handle, + nil, + uint32(attachVirtualDiskFlag), + 0, + parameters, + nil, + ); err != nil { + return errors.Wrap(err, "failed to attach virtual disk") + } + return nil +} +// AttachVhd attaches a virtual hard disk at `path` for use. 
Attaches using version 2 +// of the ATTACH_VIRTUAL_DISK_PARAMETERS. +func AttachVhd(path string) (err error) { + handle, err := OpenVirtualDisk( + path, + VirtualDiskAccessNone, + OpenVirtualDiskFlagCachedIO|OpenVirtualDiskFlagIgnoreRelativeParentLocator, + ) if err != nil { return err } + defer syscall.CloseHandle(handle) - return detachVirtualDisk(handle, 0, 0) + params := AttachVirtualDiskParameters{Version: 2} + if err := AttachVirtualDisk( + handle, + AttachVirtualDiskFlagNone, + ¶ms, + ); err != nil { + return errors.Wrap(err, "failed to attach virtual disk") + } + return nil } // OpenVirtualDisk obtains a handle to a VHD opened with supplied access mask and flags. -func OpenVirtualDisk(path string, accessMask VirtualDiskAccessMask, flag VirtualDiskFlag) (syscall.Handle, error) { +func OpenVirtualDisk(vhdPath string, virtualDiskAccessMask VirtualDiskAccessMask, openVirtualDiskFlags VirtualDiskFlag) (syscall.Handle, error) { + parameters := OpenVirtualDiskParameters{Version: 2} + handle, err := OpenVirtualDiskWithParameters( + vhdPath, + virtualDiskAccessMask, + openVirtualDiskFlags, + ¶meters, + ) + if err != nil { + return 0, err + } + return handle, nil +} + +// OpenVirtualDiskWithParameters obtains a handle to a VHD opened with supplied access mask, flags and parameters. 
+func OpenVirtualDiskWithParameters(vhdPath string, virtualDiskAccessMask VirtualDiskAccessMask, openVirtualDiskFlags VirtualDiskFlag, parameters *OpenVirtualDiskParameters) (syscall.Handle, error) { var ( - defaultType virtualStorageType handle syscall.Handle + defaultType VirtualStorageType ) - parameters := openVirtualDiskParameters{Version: 2} + if parameters.Version != 2 { + return handle, fmt.Errorf("only version 2 VHDs are supported, found version: %d", parameters.Version) + } if err := openVirtualDisk( &defaultType, + vhdPath, + uint32(virtualDiskAccessMask), + uint32(openVirtualDiskFlags), + parameters, + &handle, + ); err != nil { + return 0, errors.Wrap(err, "failed to open virtual disk") + } + return handle, nil +} + +// CreateVirtualDisk creates a virtual harddisk and returns a handle to the disk. +func CreateVirtualDisk(path string, virtualDiskAccessMask VirtualDiskAccessMask, createVirtualDiskFlags CreateVirtualDiskFlag, parameters *CreateVirtualDiskParameters) (syscall.Handle, error) { + var ( + handle syscall.Handle + defaultType VirtualStorageType + ) + if parameters.Version != 2 { + return handle, fmt.Errorf("only version 2 VHDs are supported, found version: %d", parameters.Version) + } + + if err := createVirtualDisk( + &defaultType, path, - uint32(accessMask), - uint32(flag), - ¶meters, - &handle); err != nil { - return 0, err + uint32(virtualDiskAccessMask), + nil, + uint32(createVirtualDiskFlags), + 0, + parameters, + nil, + &handle, + ); err != nil { + return handle, errors.Wrap(err, "failed to create virtual disk") } return handle, nil } + +// GetVirtualDiskPhysicalPath takes a handle to a virtual hard disk and returns the physical +// path of the disk on the machine. This path is in the form \\.\PhysicalDriveX where X is an integer +// that represents the particular enumeration of the physical disk on the caller's system. 
+func GetVirtualDiskPhysicalPath(handle syscall.Handle) (_ string, err error) { + var ( + diskPathSizeInBytes uint32 = 256 * 2 // max path length 256 wide chars + diskPhysicalPathBuf [256]uint16 + ) + if err := getVirtualDiskPhysicalPath( + handle, + &diskPathSizeInBytes, + &diskPhysicalPathBuf[0], + ); err != nil { + return "", errors.Wrap(err, "failed to get disk physical path") + } + return windows.UTF16ToString(diskPhysicalPathBuf[:]), nil +} + +// CreateDiffVhd is a helper function to create a differencing virtual disk. +func CreateDiffVhd(diffVhdPath, baseVhdPath string, blockSizeInMB uint32) error { + // Setting `ParentPath` is how to signal to create a differencing disk. + createParams := &CreateVirtualDiskParameters{ + Version: 2, + Version2: CreateVersion2{ + ParentPath: windows.StringToUTF16Ptr(baseVhdPath), + BlockSizeInBytes: blockSizeInMB * 1024 * 1024, + OpenFlags: uint32(OpenVirtualDiskFlagCachedIO), + }, + } + + vhdHandle, err := CreateVirtualDisk( + diffVhdPath, + VirtualDiskAccessNone, + CreateVirtualDiskFlagNone, + createParams, + ) + if err != nil { + return fmt.Errorf("failed to create differencing vhd: %s", err) + } + if err := syscall.CloseHandle(vhdHandle); err != nil { + return fmt.Errorf("failed to close differencing vhd handle: %s", err) + } + return nil +} diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd.go 1970-01-01 00:00:00.000000000 +0000 
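Review bot: In `OpenVersion2` the two flags become Go `bool` (`GetInfoOnly bool`, `ReadOnly bool`), yet the struct is still passed to `virtdisk.OpenVirtualDisk` by raw pointer, and the removed lines declared them as `int32 // bool but 4-byte aligned`. A Go `bool` is one byte, so `ReadOnly` lands at offset 1 instead of 4 and `ResiliencyGUID` presumably at offset 4 instead of 8 (assuming `guid.GUID` is 4-byte aligned like the x/sys/windows type). A caller's `ReadOnly: true` would then not reach the API as a read-only request, and the API would read a few bytes past the end of the Go struct. The all-zero parameters that `OpenVirtualDisk` builds hide the first effect, so it would only show up for callers of `OpenVirtualDiskWithParameters` that set a flag. I would keep the wire layout explicit with `GetInfoOnly int32 // Win32 BOOL, 4 bytes` and `ReadOnly int32 // Win32 BOOL, 4 bytes`, or copy the exported bools into a private fixed-layout struct inside `OpenVirtualDiskWithParameters` before the syscall.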
@@ -1,99 +0,0 @@ -// MACHINE GENERATED BY 'go generate' COMMAND; DO NOT EDIT - -package vhd - -import ( - "syscall" - "unsafe" - - "golang.org/x/sys/windows" -) - -var _ unsafe.Pointer - -// Do the interface allocations only once for common -// Errno values. -const ( - errnoERROR_IO_PENDING = 997 -) - -var ( - errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING) -) - -// errnoErr returns common boxed Errno values, to prevent -// allocations at runtime. -func errnoErr(e syscall.Errno) error { - switch e { - case 0: - return nil - case errnoERROR_IO_PENDING: - return errERROR_IO_PENDING - } - // TODO: add more here, after collecting data on the common - // error values see on Windows. (perhaps when running - // all.bat?) - return e -} - -var ( - modVirtDisk = windows.NewLazySystemDLL("VirtDisk.dll") - - procCreateVirtualDisk = modVirtDisk.NewProc("CreateVirtualDisk") - procOpenVirtualDisk = modVirtDisk.NewProc("OpenVirtualDisk") - procDetachVirtualDisk = modVirtDisk.NewProc("DetachVirtualDisk") -) - -func createVirtualDisk(virtualStorageType *virtualStorageType, path string, virtualDiskAccessMask uint32, securityDescriptor *uintptr, flags uint32, providerSpecificFlags uint32, parameters *createVirtualDiskParameters, o *syscall.Overlapped, handle *syscall.Handle) (err error) { - var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(path) - if err != nil { - return - } - return _createVirtualDisk(virtualStorageType, _p0, virtualDiskAccessMask, securityDescriptor, flags, providerSpecificFlags, parameters, o, handle) -} - -func _createVirtualDisk(virtualStorageType *virtualStorageType, path *uint16, virtualDiskAccessMask uint32, securityDescriptor *uintptr, flags uint32, providerSpecificFlags uint32, parameters *createVirtualDiskParameters, o *syscall.Overlapped, handle *syscall.Handle) (err error) { - r1, _, e1 := syscall.Syscall9(procCreateVirtualDisk.Addr(), 9, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), 
uintptr(virtualDiskAccessMask), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(flags), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(handle))) - if r1 != 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } - return -} - -func openVirtualDisk(virtualStorageType *virtualStorageType, path string, virtualDiskAccessMask uint32, flags uint32, parameters *openVirtualDiskParameters, handle *syscall.Handle) (err error) { - var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(path) - if err != nil { - return - } - return _openVirtualDisk(virtualStorageType, _p0, virtualDiskAccessMask, flags, parameters, handle) -} - -func _openVirtualDisk(virtualStorageType *virtualStorageType, path *uint16, virtualDiskAccessMask uint32, flags uint32, parameters *openVirtualDiskParameters, handle *syscall.Handle) (err error) { - r1, _, e1 := syscall.Syscall6(procOpenVirtualDisk.Addr(), 6, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(flags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(handle))) - if r1 != 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } - return -} - -func detachVirtualDisk(handle syscall.Handle, flags uint32, providerSpecificFlags uint32) (err error) { - r1, _, e1 := syscall.Syscall(procDetachVirtualDisk.Addr(), 3, uintptr(handle), uintptr(flags), uintptr(providerSpecificFlags)) - if r1 != 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } - return -} diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go 1970-01-01 00:00:00.000000000 +0000 +++ 
docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/vhd/zvhd_windows.go 2021-11-18 00:21:59.000000000 +0000 
@@ -0,0 +1,106 @@ +// Code generated by 'go generate'; DO NOT EDIT. + +package vhd + +import ( + "syscall" + "unsafe" + + "golang.org/x/sys/windows" +) + +var _ unsafe.Pointer + +// Do the interface allocations only once for common +// Errno values. +const ( + errnoERROR_IO_PENDING = 997 +) + +var ( + errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING) + errERROR_EINVAL error = syscall.EINVAL +) + +// errnoErr returns common boxed Errno values, to prevent +// allocations at runtime. +func errnoErr(e syscall.Errno) error { + switch e { + case 0: + return errERROR_EINVAL + case errnoERROR_IO_PENDING: + return errERROR_IO_PENDING + } + // TODO: add more here, after collecting data on the common + // error values see on Windows. (perhaps when running + // all.bat?) + return e +} + +var ( + modvirtdisk = windows.NewLazySystemDLL("virtdisk.dll") + + procAttachVirtualDisk = modvirtdisk.NewProc("AttachVirtualDisk") + procCreateVirtualDisk = modvirtdisk.NewProc("CreateVirtualDisk") + procDetachVirtualDisk = modvirtdisk.NewProc("DetachVirtualDisk") + procGetVirtualDiskPhysicalPath = modvirtdisk.NewProc("GetVirtualDiskPhysicalPath") + procOpenVirtualDisk = modvirtdisk.NewProc("OpenVirtualDisk") +) + +func attachVirtualDisk(handle syscall.Handle, securityDescriptor *uintptr, attachVirtualDiskFlag uint32, providerSpecificFlags uint32, parameters *AttachVirtualDiskParameters, overlapped *syscall.Overlapped) (win32err error) { + r0, _, _ := syscall.Syscall6(procAttachVirtualDisk.Addr(), 6, uintptr(handle), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(attachVirtualDiskFlag), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped))) + if r0 != 0 { + win32err = syscall.Errno(r0) + } + return +} + +func createVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters 
*CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (win32err error) { + var _p0 *uint16 + _p0, win32err = syscall.UTF16PtrFromString(path) + if win32err != nil { + return + } + return _createVirtualDisk(virtualStorageType, _p0, virtualDiskAccessMask, securityDescriptor, createVirtualDiskFlags, providerSpecificFlags, parameters, overlapped, handle) +} + +func _createVirtualDisk(virtualStorageType *VirtualStorageType, path *uint16, virtualDiskAccessMask uint32, securityDescriptor *uintptr, createVirtualDiskFlags uint32, providerSpecificFlags uint32, parameters *CreateVirtualDiskParameters, overlapped *syscall.Overlapped, handle *syscall.Handle) (win32err error) { + r0, _, _ := syscall.Syscall9(procCreateVirtualDisk.Addr(), 9, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(unsafe.Pointer(securityDescriptor)), uintptr(createVirtualDiskFlags), uintptr(providerSpecificFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(overlapped)), uintptr(unsafe.Pointer(handle))) + if r0 != 0 { + win32err = syscall.Errno(r0) + } + return +} + +func detachVirtualDisk(handle syscall.Handle, detachVirtualDiskFlags uint32, providerSpecificFlags uint32) (win32err error) { + r0, _, _ := syscall.Syscall(procDetachVirtualDisk.Addr(), 3, uintptr(handle), uintptr(detachVirtualDiskFlags), uintptr(providerSpecificFlags)) + if r0 != 0 { + win32err = syscall.Errno(r0) + } + return +} + +func getVirtualDiskPhysicalPath(handle syscall.Handle, diskPathSizeInBytes *uint32, buffer *uint16) (win32err error) { + r0, _, _ := syscall.Syscall(procGetVirtualDiskPhysicalPath.Addr(), 3, uintptr(handle), uintptr(unsafe.Pointer(diskPathSizeInBytes)), uintptr(unsafe.Pointer(buffer))) + if r0 != 0 { + win32err = syscall.Errno(r0) + } + return +} + +func openVirtualDisk(virtualStorageType *VirtualStorageType, path string, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters 
*OpenVirtualDiskParameters, handle *syscall.Handle) (win32err error) { + var _p0 *uint16 + _p0, win32err = syscall.UTF16PtrFromString(path) + if win32err != nil { + return + } + return _openVirtualDisk(virtualStorageType, _p0, virtualDiskAccessMask, openVirtualDiskFlags, parameters, handle) +} + +func _openVirtualDisk(virtualStorageType *VirtualStorageType, path *uint16, virtualDiskAccessMask uint32, openVirtualDiskFlags uint32, parameters *OpenVirtualDiskParameters, handle *syscall.Handle) (win32err error) { + r0, _, _ := syscall.Syscall6(procOpenVirtualDisk.Addr(), 6, uintptr(unsafe.Pointer(virtualStorageType)), uintptr(unsafe.Pointer(path)), uintptr(virtualDiskAccessMask), uintptr(openVirtualDiskFlags), uintptr(unsafe.Pointer(parameters)), uintptr(unsafe.Pointer(handle))) + if r0 != 0 { + win32err = syscall.Errno(r0) + } + return +} diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/go-winio/zsyscall_windows.go 2021-11-18 00:21:59.000000000 +0000 @@ -19,6 +19,7 @@ var ( errERROR_IO_PENDING error = syscall.Errno(errnoERROR_IO_PENDING) + errERROR_EINVAL error = syscall.EINVAL ) // errnoErr returns common boxed Errno values, to prevent @@ -26,7 +27,7 @@ func errnoErr(e syscall.Errno) error { switch e { case 0: - return nil + return errERROR_EINVAL case errnoERROR_IO_PENDING: return errERROR_IO_PENDING } 
@@ -37,514 +38,400 @@ } var ( + modadvapi32 = windows.NewLazySystemDLL("advapi32.dll") modkernel32 = windows.NewLazySystemDLL("kernel32.dll") - modws2_32 = windows.NewLazySystemDLL("ws2_32.dll") modntdll = windows.NewLazySystemDLL("ntdll.dll") - modadvapi32 = windows.NewLazySystemDLL("advapi32.dll") + modws2_32 = windows.NewLazySystemDLL("ws2_32.dll") - procCancelIoEx = modkernel32.NewProc("CancelIoEx") - procCreateIoCompletionPort = modkernel32.NewProc("CreateIoCompletionPort") - procGetQueuedCompletionStatus = modkernel32.NewProc("GetQueuedCompletionStatus") - procSetFileCompletionNotificationModes = modkernel32.NewProc("SetFileCompletionNotificationModes") - procWSAGetOverlappedResult = modws2_32.NewProc("WSAGetOverlappedResult") - procConnectNamedPipe = modkernel32.NewProc("ConnectNamedPipe") - procCreateNamedPipeW = modkernel32.NewProc("CreateNamedPipeW") - procCreateFileW = modkernel32.NewProc("CreateFileW") - procGetNamedPipeInfo = modkernel32.NewProc("GetNamedPipeInfo") - procGetNamedPipeHandleStateW = modkernel32.NewProc("GetNamedPipeHandleStateW") - procLocalAlloc = modkernel32.NewProc("LocalAlloc") - procNtCreateNamedPipeFile = modntdll.NewProc("NtCreateNamedPipeFile") - procRtlNtStatusToDosErrorNoTeb = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb") - procRtlDosPathNameToNtPathName_U = modntdll.NewProc("RtlDosPathNameToNtPathName_U") - procRtlDefaultNpAcl = modntdll.NewProc("RtlDefaultNpAcl") - procLookupAccountNameW = modadvapi32.NewProc("LookupAccountNameW") + procAdjustTokenPrivileges = modadvapi32.NewProc("AdjustTokenPrivileges") + procConvertSecurityDescriptorToStringSecurityDescriptorW = modadvapi32.NewProc("ConvertSecurityDescriptorToStringSecurityDescriptorW") procConvertSidToStringSidW = modadvapi32.NewProc("ConvertSidToStringSidW") procConvertStringSecurityDescriptorToSecurityDescriptorW = modadvapi32.NewProc("ConvertStringSecurityDescriptorToSecurityDescriptorW") - procConvertSecurityDescriptorToStringSecurityDescriptorW = 
modadvapi32.NewProc("ConvertSecurityDescriptorToStringSecurityDescriptorW") - procLocalFree = modkernel32.NewProc("LocalFree") procGetSecurityDescriptorLength = modadvapi32.NewProc("GetSecurityDescriptorLength") - procGetFileInformationByHandleEx = modkernel32.NewProc("GetFileInformationByHandleEx") - procSetFileInformationByHandle = modkernel32.NewProc("SetFileInformationByHandle") - procAdjustTokenPrivileges = modadvapi32.NewProc("AdjustTokenPrivileges") procImpersonateSelf = modadvapi32.NewProc("ImpersonateSelf") - procRevertToSelf = modadvapi32.NewProc("RevertToSelf") - procOpenThreadToken = modadvapi32.NewProc("OpenThreadToken") - procGetCurrentThread = modkernel32.NewProc("GetCurrentThread") - procLookupPrivilegeValueW = modadvapi32.NewProc("LookupPrivilegeValueW") - procLookupPrivilegeNameW = modadvapi32.NewProc("LookupPrivilegeNameW") + procLookupAccountNameW = modadvapi32.NewProc("LookupAccountNameW") procLookupPrivilegeDisplayNameW = modadvapi32.NewProc("LookupPrivilegeDisplayNameW") + procLookupPrivilegeNameW = modadvapi32.NewProc("LookupPrivilegeNameW") + procLookupPrivilegeValueW = modadvapi32.NewProc("LookupPrivilegeValueW") + procOpenThreadToken = modadvapi32.NewProc("OpenThreadToken") + procRevertToSelf = modadvapi32.NewProc("RevertToSelf") procBackupRead = modkernel32.NewProc("BackupRead") procBackupWrite = modkernel32.NewProc("BackupWrite") + procCancelIoEx = modkernel32.NewProc("CancelIoEx") + procConnectNamedPipe = modkernel32.NewProc("ConnectNamedPipe") + procCreateFileW = modkernel32.NewProc("CreateFileW") + procCreateIoCompletionPort = modkernel32.NewProc("CreateIoCompletionPort") + procCreateNamedPipeW = modkernel32.NewProc("CreateNamedPipeW") + procGetCurrentThread = modkernel32.NewProc("GetCurrentThread") + procGetFileInformationByHandleEx = modkernel32.NewProc("GetFileInformationByHandleEx") + procGetNamedPipeHandleStateW = modkernel32.NewProc("GetNamedPipeHandleStateW") + procGetNamedPipeInfo = modkernel32.NewProc("GetNamedPipeInfo") + 
procGetQueuedCompletionStatus = modkernel32.NewProc("GetQueuedCompletionStatus") + procLocalAlloc = modkernel32.NewProc("LocalAlloc") + procLocalFree = modkernel32.NewProc("LocalFree") + procSetFileCompletionNotificationModes = modkernel32.NewProc("SetFileCompletionNotificationModes") + procSetFileInformationByHandle = modkernel32.NewProc("SetFileInformationByHandle") + procNtCreateNamedPipeFile = modntdll.NewProc("NtCreateNamedPipeFile") + procRtlDefaultNpAcl = modntdll.NewProc("RtlDefaultNpAcl") + procRtlDosPathNameToNtPathName_U = modntdll.NewProc("RtlDosPathNameToNtPathName_U") + procRtlNtStatusToDosErrorNoTeb = modntdll.NewProc("RtlNtStatusToDosErrorNoTeb") + procWSAGetOverlappedResult = modws2_32.NewProc("WSAGetOverlappedResult") procbind = modws2_32.NewProc("bind") ) -func cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) { - r1, _, e1 := syscall.Syscall(procCancelIoEx.Addr(), 2, uintptr(file), uintptr(unsafe.Pointer(o)), 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) { + var _p0 uint32 + if releaseAll { + _p0 = 1 } - return -} - -func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount uint32) (newport syscall.Handle, err error) { - r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0) - newport = syscall.Handle(r0) - if newport == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize))) + success = r0 != 0 + if true { + err = errnoErr(e1) } return } -func 
getQueuedCompletionStatus(port syscall.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procGetQueuedCompletionStatus.Addr(), 5, uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout), 0) +func convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) { + r1, _, e1 := syscall.Syscall6(procConvertSecurityDescriptorToStringSecurityDescriptorW.Addr(), 5, uintptr(unsafe.Pointer(sd)), uintptr(revision), uintptr(secInfo), uintptr(unsafe.Pointer(sddl)), uintptr(unsafe.Pointer(sddlSize)), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err error) { - r1, _, e1 := syscall.Syscall(procSetFileCompletionNotificationModes.Addr(), 2, uintptr(h), uintptr(flags), 0) +func convertSidToStringSid(sid *byte, str **uint16) (err error) { + r1, _, e1 := syscall.Syscall(procConvertSidToStringSidW.Addr(), 2, uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(str)), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) { - var _p0 uint32 - if wait { - _p0 = 1 - } else { - _p0 = 0 +func convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd *uintptr, size *uint32) (err error) { + var _p0 *uint16 + _p0, err = syscall.UTF16PtrFromString(str) + if err != nil { + return } - r1, _, e1 := syscall.Syscall6(procWSAGetOverlappedResult.Addr(), 5, uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)), 0) + return 
_convertStringSecurityDescriptorToSecurityDescriptor(_p0, revision, sd, size) +} + +func _convertStringSecurityDescriptorToSecurityDescriptor(str *uint16, revision uint32, sd *uintptr, size *uint32) (err error) { + r1, _, e1 := syscall.Syscall6(procConvertStringSecurityDescriptorToSecurityDescriptorW.Addr(), 4, uintptr(unsafe.Pointer(str)), uintptr(revision), uintptr(unsafe.Pointer(sd)), uintptr(unsafe.Pointer(size)), 0, 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) { - r1, _, e1 := syscall.Syscall(procConnectNamedPipe.Addr(), 2, uintptr(pipe), uintptr(unsafe.Pointer(o)), 0) +func getSecurityDescriptorLength(sd uintptr) (len uint32) { + r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(sd), 0, 0) + len = uint32(r0) + return +} + +func impersonateSelf(level uint32) (err error) { + r1, _, e1 := syscall.Syscall(procImpersonateSelf.Addr(), 1, uintptr(level), 0, 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) { +func lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) { var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(name) + _p0, err = syscall.UTF16PtrFromString(accountName) if err != nil { return } - return _createNamedPipe(_p0, flags, pipeMode, maxInstances, outSize, inSize, defaultTimeout, sa) + return _lookupAccountName(systemName, _p0, sid, sidSize, refDomain, refDomainSize, sidNameUse) } -func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, 
inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) { - r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0) - handle = syscall.Handle(r0) - if handle == syscall.InvalidHandle { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) { + r1, _, e1 := syscall.Syscall9(procLookupAccountNameW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(accountName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(sidSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0) + if r1 == 0 { + err = errnoErr(e1) } return } -func createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) { +func lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) { var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(name) + _p0, err = syscall.UTF16PtrFromString(systemName) if err != nil { return } - return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile) + return _lookupPrivilegeDisplayName(_p0, name, buffer, size, languageId) } -func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) { - r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), 
uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0) - handle = syscall.Handle(r0) - if handle == syscall.InvalidHandle { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func _lookupPrivilegeDisplayName(systemName *uint16, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) { + r1, _, e1 := syscall.Syscall6(procLookupPrivilegeDisplayNameW.Addr(), 5, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(languageId)), 0) + if r1 == 0 { + err = errnoErr(e1) } return } -func getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), uintptr(unsafe.Pointer(maxInstances)), 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) { + var _p0 *uint16 + _p0, err = syscall.UTF16PtrFromString(systemName) + if err != nil { + return } - return + return _lookupPrivilegeName(_p0, luid, buffer, size) } -func getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) { - r1, _, e1 := syscall.Syscall9(procGetNamedPipeHandleStateW.Addr(), 7, uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize), 0, 0) +func _lookupPrivilegeName(systemName *uint16, luid *uint64, buffer *uint16, size *uint32) (err error) { + r1, _, e1 := 
syscall.Syscall6(procLookupPrivilegeNameW.Addr(), 4, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(luid)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), 0, 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func localAlloc(uFlags uint32, length uint32) (ptr uintptr) { - r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(uFlags), uintptr(length), 0) - ptr = uintptr(r0) - return +func lookupPrivilegeValue(systemName string, name string, luid *uint64) (err error) { + var _p0 *uint16 + _p0, err = syscall.UTF16PtrFromString(systemName) + if err != nil { + return + } + var _p1 *uint16 + _p1, err = syscall.UTF16PtrFromString(name) + if err != nil { + return + } + return _lookupPrivilegeValue(_p0, _p1, luid) } -func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) { - r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0) - status = ntstatus(r0) +func _lookupPrivilegeValue(systemName *uint16, name *uint16, luid *uint64) (err error) { + r1, _, e1 := syscall.Syscall(procLookupPrivilegeValueW.Addr(), 3, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid))) + if r1 == 0 { + err = errnoErr(e1) + } return } -func rtlNtStatusToDosError(status ntstatus) (winerr error) { - r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, 
uintptr(status), 0, 0) - if r0 != 0 { - winerr = syscall.Errno(r0) +func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) { + var _p0 uint32 + if openAsSelf { + _p0 = 1 + } + r1, _, e1 := syscall.Syscall6(procOpenThreadToken.Addr(), 4, uintptr(thread), uintptr(accessMask), uintptr(_p0), uintptr(unsafe.Pointer(token)), 0, 0) + if r1 == 0 { + err = errnoErr(e1) } return } -func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) { - r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0) - status = ntstatus(r0) +func revertToSelf() (err error) { + r1, _, e1 := syscall.Syscall(procRevertToSelf.Addr(), 0, 0, 0, 0) + if r1 == 0 { + err = errnoErr(e1) + } return } -func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) { - r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0) - status = ntstatus(r0) +func backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) { + var _p0 *byte + if len(b) > 0 { + _p0 = &b[0] + } + var _p1 uint32 + if abort { + _p1 = 1 + } + var _p2 uint32 + if processSecurity { + _p2 = 1 + } + r1, _, e1 := syscall.Syscall9(procBackupRead.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesRead)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0) + if r1 == 0 { + err = errnoErr(e1) + } return } -func lookupAccountName(systemName *uint16, accountName string, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) { - var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(accountName) - if err != nil { - return +func backupWrite(h syscall.Handle, b []byte, bytesWritten *uint32, abort bool, 
processSecurity bool, context *uintptr) (err error) { + var _p0 *byte + if len(b) > 0 { + _p0 = &b[0] } - return _lookupAccountName(systemName, _p0, sid, sidSize, refDomain, refDomainSize, sidNameUse) + var _p1 uint32 + if abort { + _p1 = 1 + } + var _p2 uint32 + if processSecurity { + _p2 = 1 + } + r1, _, e1 := syscall.Syscall9(procBackupWrite.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesWritten)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0) + if r1 == 0 { + err = errnoErr(e1) + } + return } -func _lookupAccountName(systemName *uint16, accountName *uint16, sid *byte, sidSize *uint32, refDomain *uint16, refDomainSize *uint32, sidNameUse *uint32) (err error) { - r1, _, e1 := syscall.Syscall9(procLookupAccountNameW.Addr(), 7, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(accountName)), uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(sidSize)), uintptr(unsafe.Pointer(refDomain)), uintptr(unsafe.Pointer(refDomainSize)), uintptr(unsafe.Pointer(sidNameUse)), 0, 0) +func cancelIoEx(file syscall.Handle, o *syscall.Overlapped) (err error) { + r1, _, e1 := syscall.Syscall(procCancelIoEx.Addr(), 2, uintptr(file), uintptr(unsafe.Pointer(o)), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func convertSidToStringSid(sid *byte, str **uint16) (err error) { - r1, _, e1 := syscall.Syscall(procConvertSidToStringSidW.Addr(), 2, uintptr(unsafe.Pointer(sid)), uintptr(unsafe.Pointer(str)), 0) +func connectNamedPipe(pipe syscall.Handle, o *syscall.Overlapped) (err error) { + r1, _, e1 := syscall.Syscall(procConnectNamedPipe.Addr(), 2, uintptr(pipe), uintptr(unsafe.Pointer(o)), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func convertStringSecurityDescriptorToSecurityDescriptor(str string, revision uint32, sd *uintptr, size *uint32) (err error) 
{ +func createFile(name string, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) { var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(str) + _p0, err = syscall.UTF16PtrFromString(name) if err != nil { return } - return _convertStringSecurityDescriptorToSecurityDescriptor(_p0, revision, sd, size) + return _createFile(_p0, access, mode, sa, createmode, attrs, templatefile) } -func _convertStringSecurityDescriptorToSecurityDescriptor(str *uint16, revision uint32, sd *uintptr, size *uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procConvertStringSecurityDescriptorToSecurityDescriptorW.Addr(), 4, uintptr(unsafe.Pointer(str)), uintptr(revision), uintptr(unsafe.Pointer(sd)), uintptr(unsafe.Pointer(size)), 0, 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func _createFile(name *uint16, access uint32, mode uint32, sa *syscall.SecurityAttributes, createmode uint32, attrs uint32, templatefile syscall.Handle) (handle syscall.Handle, err error) { + r0, _, e1 := syscall.Syscall9(procCreateFileW.Addr(), 7, uintptr(unsafe.Pointer(name)), uintptr(access), uintptr(mode), uintptr(unsafe.Pointer(sa)), uintptr(createmode), uintptr(attrs), uintptr(templatefile), 0, 0) + handle = syscall.Handle(r0) + if handle == syscall.InvalidHandle { + err = errnoErr(e1) } return } -func convertSecurityDescriptorToStringSecurityDescriptor(sd *byte, revision uint32, secInfo uint32, sddl **uint16, sddlSize *uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procConvertSecurityDescriptorToStringSecurityDescriptorW.Addr(), 5, uintptr(unsafe.Pointer(sd)), uintptr(revision), uintptr(secInfo), uintptr(unsafe.Pointer(sddl)), uintptr(unsafe.Pointer(sddlSize)), 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func createIoCompletionPort(file syscall.Handle, port syscall.Handle, key uintptr, threadCount 
uint32) (newport syscall.Handle, err error) { + r0, _, e1 := syscall.Syscall6(procCreateIoCompletionPort.Addr(), 4, uintptr(file), uintptr(port), uintptr(key), uintptr(threadCount), 0, 0) + newport = syscall.Handle(r0) + if newport == 0 { + err = errnoErr(e1) } return } -func localFree(mem uintptr) { - syscall.Syscall(procLocalFree.Addr(), 1, uintptr(mem), 0, 0) +func createNamedPipe(name string, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) { + var _p0 *uint16 + _p0, err = syscall.UTF16PtrFromString(name) + if err != nil { + return + } + return _createNamedPipe(_p0, flags, pipeMode, maxInstances, outSize, inSize, defaultTimeout, sa) +} + +func _createNamedPipe(name *uint16, flags uint32, pipeMode uint32, maxInstances uint32, outSize uint32, inSize uint32, defaultTimeout uint32, sa *syscall.SecurityAttributes) (handle syscall.Handle, err error) { + r0, _, e1 := syscall.Syscall9(procCreateNamedPipeW.Addr(), 8, uintptr(unsafe.Pointer(name)), uintptr(flags), uintptr(pipeMode), uintptr(maxInstances), uintptr(outSize), uintptr(inSize), uintptr(defaultTimeout), uintptr(unsafe.Pointer(sa)), 0) + handle = syscall.Handle(r0) + if handle == syscall.InvalidHandle { + err = errnoErr(e1) + } return } -func getSecurityDescriptorLength(sd uintptr) (len uint32) { - r0, _, _ := syscall.Syscall(procGetSecurityDescriptorLength.Addr(), 1, uintptr(sd), 0, 0) - len = uint32(r0) +func getCurrentThread() (h syscall.Handle) { + r0, _, _ := syscall.Syscall(procGetCurrentThread.Addr(), 0, 0, 0, 0) + h = syscall.Handle(r0) return } func getFileInformationByHandleEx(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) { r1, _, e1 := syscall.Syscall6(procGetFileInformationByHandleEx.Addr(), 4, uintptr(h), uintptr(class), uintptr(unsafe.Pointer(buffer)), uintptr(size), 0, 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = 
syscall.EINVAL - } + err = errnoErr(e1) } return } -func setFileInformationByHandle(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procSetFileInformationByHandle.Addr(), 4, uintptr(h), uintptr(class), uintptr(unsafe.Pointer(buffer)), uintptr(size), 0, 0) +func getNamedPipeHandleState(pipe syscall.Handle, state *uint32, curInstances *uint32, maxCollectionCount *uint32, collectDataTimeout *uint32, userName *uint16, maxUserNameSize uint32) (err error) { + r1, _, e1 := syscall.Syscall9(procGetNamedPipeHandleStateW.Addr(), 7, uintptr(pipe), uintptr(unsafe.Pointer(state)), uintptr(unsafe.Pointer(curInstances)), uintptr(unsafe.Pointer(maxCollectionCount)), uintptr(unsafe.Pointer(collectDataTimeout)), uintptr(unsafe.Pointer(userName)), uintptr(maxUserNameSize), 0, 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } - return -} - -func adjustTokenPrivileges(token windows.Token, releaseAll bool, input *byte, outputSize uint32, output *byte, requiredSize *uint32) (success bool, err error) { - var _p0 uint32 - if releaseAll { - _p0 = 1 - } else { - _p0 = 0 - } - r0, _, e1 := syscall.Syscall6(procAdjustTokenPrivileges.Addr(), 6, uintptr(token), uintptr(_p0), uintptr(unsafe.Pointer(input)), uintptr(outputSize), uintptr(unsafe.Pointer(output)), uintptr(unsafe.Pointer(requiredSize))) - success = r0 != 0 - if true { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func impersonateSelf(level uint32) (err error) { - r1, _, e1 := syscall.Syscall(procImpersonateSelf.Addr(), 1, uintptr(level), 0, 0) +func getNamedPipeInfo(pipe syscall.Handle, flags *uint32, outSize *uint32, inSize *uint32, maxInstances *uint32) (err error) { + r1, _, e1 := syscall.Syscall6(procGetNamedPipeInfo.Addr(), 5, uintptr(pipe), uintptr(unsafe.Pointer(flags)), uintptr(unsafe.Pointer(outSize)), uintptr(unsafe.Pointer(inSize)), 
uintptr(unsafe.Pointer(maxInstances)), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func revertToSelf() (err error) { - r1, _, e1 := syscall.Syscall(procRevertToSelf.Addr(), 0, 0, 0, 0) +func getQueuedCompletionStatus(port syscall.Handle, bytes *uint32, key *uintptr, o **ioOperation, timeout uint32) (err error) { + r1, _, e1 := syscall.Syscall6(procGetQueuedCompletionStatus.Addr(), 5, uintptr(port), uintptr(unsafe.Pointer(bytes)), uintptr(unsafe.Pointer(key)), uintptr(unsafe.Pointer(o)), uintptr(timeout), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func openThreadToken(thread syscall.Handle, accessMask uint32, openAsSelf bool, token *windows.Token) (err error) { - var _p0 uint32 - if openAsSelf { - _p0 = 1 - } else { - _p0 = 0 - } - r1, _, e1 := syscall.Syscall6(procOpenThreadToken.Addr(), 4, uintptr(thread), uintptr(accessMask), uintptr(_p0), uintptr(unsafe.Pointer(token)), 0, 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } +func localAlloc(uFlags uint32, length uint32) (ptr uintptr) { + r0, _, _ := syscall.Syscall(procLocalAlloc.Addr(), 2, uintptr(uFlags), uintptr(length), 0) + ptr = uintptr(r0) return } -func getCurrentThread() (h syscall.Handle) { - r0, _, _ := syscall.Syscall(procGetCurrentThread.Addr(), 0, 0, 0, 0) - h = syscall.Handle(r0) +func localFree(mem uintptr) { + syscall.Syscall(procLocalFree.Addr(), 1, uintptr(mem), 0, 0) return } -func lookupPrivilegeValue(systemName string, name string, luid *uint64) (err error) { - var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(systemName) - if err != nil { - return - } - var _p1 *uint16 - _p1, err = syscall.UTF16PtrFromString(name) - if err != nil { - return - } - return _lookupPrivilegeValue(_p0, _p1, luid) -} - -func _lookupPrivilegeValue(systemName *uint16, name *uint16, luid *uint64) (err error) { 
- r1, _, e1 := syscall.Syscall(procLookupPrivilegeValueW.Addr(), 3, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(luid))) +func setFileCompletionNotificationModes(h syscall.Handle, flags uint8) (err error) { + r1, _, e1 := syscall.Syscall(procSetFileCompletionNotificationModes.Addr(), 2, uintptr(h), uintptr(flags), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } -func lookupPrivilegeName(systemName string, luid *uint64, buffer *uint16, size *uint32) (err error) { - var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(systemName) - if err != nil { - return +func setFileInformationByHandle(h syscall.Handle, class uint32, buffer *byte, size uint32) (err error) { + r1, _, e1 := syscall.Syscall6(procSetFileInformationByHandle.Addr(), 4, uintptr(h), uintptr(class), uintptr(unsafe.Pointer(buffer)), uintptr(size), 0, 0) + if r1 == 0 { + err = errnoErr(e1) } - return _lookupPrivilegeName(_p0, luid, buffer, size) + return } -func _lookupPrivilegeName(systemName *uint16, luid *uint64, buffer *uint16, size *uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procLookupPrivilegeNameW.Addr(), 4, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(luid)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), 0, 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } +func ntCreateNamedPipeFile(pipe *syscall.Handle, access uint32, oa *objectAttributes, iosb *ioStatusBlock, share uint32, disposition uint32, options uint32, typ uint32, readMode uint32, completionMode uint32, maxInstances uint32, inboundQuota uint32, outputQuota uint32, timeout *int64) (status ntstatus) { + r0, _, _ := syscall.Syscall15(procNtCreateNamedPipeFile.Addr(), 14, uintptr(unsafe.Pointer(pipe)), uintptr(access), uintptr(unsafe.Pointer(oa)), uintptr(unsafe.Pointer(iosb)), uintptr(share), uintptr(disposition), uintptr(options), 
uintptr(typ), uintptr(readMode), uintptr(completionMode), uintptr(maxInstances), uintptr(inboundQuota), uintptr(outputQuota), uintptr(unsafe.Pointer(timeout)), 0) + status = ntstatus(r0) return } -func lookupPrivilegeDisplayName(systemName string, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) { - var _p0 *uint16 - _p0, err = syscall.UTF16PtrFromString(systemName) - if err != nil { - return - } - return _lookupPrivilegeDisplayName(_p0, name, buffer, size, languageId) +func rtlDefaultNpAcl(dacl *uintptr) (status ntstatus) { + r0, _, _ := syscall.Syscall(procRtlDefaultNpAcl.Addr(), 1, uintptr(unsafe.Pointer(dacl)), 0, 0) + status = ntstatus(r0) + return } -func _lookupPrivilegeDisplayName(systemName *uint16, name *uint16, buffer *uint16, size *uint32, languageId *uint32) (err error) { - r1, _, e1 := syscall.Syscall6(procLookupPrivilegeDisplayNameW.Addr(), 5, uintptr(unsafe.Pointer(systemName)), uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(buffer)), uintptr(unsafe.Pointer(size)), uintptr(unsafe.Pointer(languageId)), 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } - } +func rtlDosPathNameToNtPathName(name *uint16, ntName *unicodeString, filePart uintptr, reserved uintptr) (status ntstatus) { + r0, _, _ := syscall.Syscall6(procRtlDosPathNameToNtPathName_U.Addr(), 4, uintptr(unsafe.Pointer(name)), uintptr(unsafe.Pointer(ntName)), uintptr(filePart), uintptr(reserved), 0, 0) + status = ntstatus(r0) return } -func backupRead(h syscall.Handle, b []byte, bytesRead *uint32, abort bool, processSecurity bool, context *uintptr) (err error) { - var _p0 *byte - if len(b) > 0 { - _p0 = &b[0] - } - var _p1 uint32 - if abort { - _p1 = 1 - } else { - _p1 = 0 - } - var _p2 uint32 - if processSecurity { - _p2 = 1 - } else { - _p2 = 0 - } - r1, _, e1 := syscall.Syscall9(procBackupRead.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesRead)), uintptr(_p1), 
uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0) - if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } +func rtlNtStatusToDosError(status ntstatus) (winerr error) { + r0, _, _ := syscall.Syscall(procRtlNtStatusToDosErrorNoTeb.Addr(), 1, uintptr(status), 0, 0) + if r0 != 0 { + winerr = syscall.Errno(r0) } return } -func backupWrite(h syscall.Handle, b []byte, bytesWritten *uint32, abort bool, processSecurity bool, context *uintptr) (err error) { - var _p0 *byte - if len(b) > 0 { - _p0 = &b[0] - } - var _p1 uint32 - if abort { - _p1 = 1 - } else { - _p1 = 0 - } - var _p2 uint32 - if processSecurity { - _p2 = 1 - } else { - _p2 = 0 +func wsaGetOverlappedResult(h syscall.Handle, o *syscall.Overlapped, bytes *uint32, wait bool, flags *uint32) (err error) { + var _p0 uint32 + if wait { + _p0 = 1 } - r1, _, e1 := syscall.Syscall9(procBackupWrite.Addr(), 7, uintptr(h), uintptr(unsafe.Pointer(_p0)), uintptr(len(b)), uintptr(unsafe.Pointer(bytesWritten)), uintptr(_p1), uintptr(_p2), uintptr(unsafe.Pointer(context)), 0, 0) + r1, _, e1 := syscall.Syscall6(procWSAGetOverlappedResult.Addr(), 5, uintptr(h), uintptr(unsafe.Pointer(o)), uintptr(unsafe.Pointer(bytes)), uintptr(_p0), uintptr(unsafe.Pointer(flags)), 0) if r1 == 0 { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } 
@@ -552,11 +439,7 @@ func bind(s syscall.Handle, name unsafe.Pointer, namelen int32) (err error) { r1, _, e1 := syscall.Syscall(procbind.Addr(), 3, uintptr(s), uintptr(name), uintptr(namelen)) if r1 == socketError { - if e1 != 0 { - err = errnoErr(e1) - } else { - err = syscall.EINVAL - } + err = errnoErr(e1) } return } diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/hcsshim/errors.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/hcsshim/errors.go --- docker.io-20.10.7/engine/vendor/github.com/Microsoft/hcsshim/errors.go 2021-06-01 22:34:42.000000000 +0000 +++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/hcsshim/errors.go 2021-11-18 00:21:59.000000000 +0000 @@ -59,7 +59,7 @@ // ErrVmcomputeOperationInvalidState is an error encountered when the compute system is not in a valid state for the requested operation ErrVmcomputeOperationInvalidState = hcs.ErrVmcomputeOperationInvalidState - // ErrProcNotFound is an error encountered when the the process cannot be found + // ErrProcNotFound is an error encountered when a procedure look up fails. ErrProcNotFound = hcs.ErrProcNotFound // ErrVmcomputeOperationAccessIsDenied is an error which can be encountered when enumerating compute systems in RS1/RS2 @@ -177,7 +177,7 @@ // IsNotExist checks if an error is caused by the Container or Process not existing. // Note: Currently, ErrElementNotFound can mean that a Process has either // already exited, or does not exist. Both IsAlreadyStopped and IsNotExist -// will currently return true when the error is ErrElementNotFound or ErrProcNotFound. +// will currently return true when the error is ErrElementNotFound. func IsNotExist(err error) bool { if _, ok := err.(EndpointNotFoundError); ok { return true 
@@ -210,7 +210,7 @@
 // a Container or Process being already stopped.
 // Note: Currently, ErrElementNotFound can mean that a Process has either
 // already exited, or does not exist. Both IsAlreadyStopped and IsNotExist
-// will currently return true when the error is ErrElementNotFound or ErrProcNotFound.
+// will currently return true when the error is ErrElementNotFound.
 func IsAlreadyStopped(err error) bool {
 return hcs.IsAlreadyStopped(getInnerError(err))
 }
diff -Nru docker.io-20.10.7/engine/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go docker.io-20.10.11/engine/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go
--- docker.io-20.10.7/engine/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go 2021-06-01 22:34:42.000000000 +0000
+++ docker.io-20.10.11/engine/vendor/github.com/Microsoft/hcsshim/internal/hcs/errors.go 2021-11-18 00:21:59.000000000 +0000
@@ -60,7 +60,7 @@
 // ErrVmcomputeOperationInvalidState is an error encountered when the compute system is not in a valid state for the requested operation
 ErrVmcomputeOperationInvalidState = syscall.Errno(0xc0370105)
- // ErrProcNotFound is an error encountered when the the process cannot be found
+ // ErrProcNotFound is an error encountered when a procedure look up fails.
 ErrProcNotFound = syscall.Errno(0x7f)
 // ErrVmcomputeOperationAccessIsDenied is an error which can be encountered when enumerating compute systems in RS1/RS2
@@ -242,12 +242,11 @@
 // IsNotExist checks if an error is caused by the Container or Process not existing.
 // Note: Currently, ErrElementNotFound can mean that a Process has either
 // already exited, or does not exist. Both IsAlreadyStopped and IsNotExist
-// will currently return true when the error is ErrElementNotFound or ErrProcNotFound.
+// will currently return true when the error is ErrElementNotFound.
 func IsNotExist(err error) bool {
 err = getInnerError(err)
 return err == ErrComputeSystemDoesNotExist ||
- err == ErrElementNotFound ||
- err == ErrProcNotFound
+ err == ErrElementNotFound
 }
 // IsAlreadyClosed checks if an error is caused by the Container or Process having been
@@ -278,12 +277,11 @@
 // a Container or Process being already stopped.
 // Note: Currently, ErrElementNotFound can mean that a Process has either
 // already exited, or does not exist. Both IsAlreadyStopped and IsNotExist
-// will currently return true when the error is ErrElementNotFound or ErrProcNotFound.
+// will currently return true when the error is ErrElementNotFound.
 func IsAlreadyStopped(err error) bool {
 err = getInnerError(err)
 return err == ErrVmcomputeAlreadyStopped ||
- err == ErrElementNotFound ||
- err == ErrProcNotFound
+ err == ErrElementNotFound
 }
 // IsNotSupported returns a boolean indicating whether the error is caused by
diff -Nru docker.io-20.10.7/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go docker.io-20.10.11/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go
--- docker.io-20.10.7/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go 2021-06-01 22:34:42.000000000 +0000
+++ docker.io-20.10.11/engine/vendor/github.com/moby/buildkit/util/imageutil/config.go 2021-11-18 00:21:59.000000000 +0000
@@ -183,19 +183,39 @@
 func DetectManifestBlobMediaType(dt []byte) (string, error) {
 var mfst struct {
- MediaType string `json:"mediaType"`
+ MediaType *string `json:"mediaType"`
 Config json.RawMessage `json:"config"`
+ Manifests json.RawMessage `json:"manifests"`
+ Layers json.RawMessage `json:"layers"`
 }
 if err := json.Unmarshal(dt, &mfst); err != nil {
 return "", err
 }
- if mfst.MediaType != "" {
- return mfst.MediaType, nil
+ mt := images.MediaTypeDockerSchema2ManifestList
+
+ if mfst.Config != nil || mfst.Layers != nil {
+ mt = images.MediaTypeDockerSchema2Manifest
+
+ if mfst.Manifests != nil {
+ return "", errors.Errorf("invalid ambiguous manifest and manifest list")
+ }
 }
- if mfst.Config != nil {
- return images.MediaTypeDockerSchema2Manifest, nil
+
+ if mfst.MediaType != nil {
+ switch *mfst.MediaType {
+ case images.MediaTypeDockerSchema2ManifestList, specs.MediaTypeImageIndex:
+ if mt != images.MediaTypeDockerSchema2ManifestList {
+ return "", errors.Errorf("mediaType in manifest does not match manifest contents")
+ }
+ mt = *mfst.MediaType
+ case images.MediaTypeDockerSchema2Manifest, specs.MediaTypeImageManifest:
+ if mt != images.MediaTypeDockerSchema2Manifest {
+ return "", errors.Errorf("mediaType in manifest does not match manifest contents")
+ }
+ mt = *mfst.MediaType
+ }
 }
- return images.MediaTypeDockerSchema2ManifestList, nil
+ return mt, nil
 }
diff -Nru docker.io-20.10.7/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go docker.io-20.10.11/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go
--- docker.io-20.10.7/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go 2021-06-01 22:34:42.000000000 +0000
+++ docker.io-20.10.11/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/index.go 2021-11-18 00:21:59.000000000 +0000
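Review bot: The `switch *mfst.MediaType` added to `DetectManifestBlobMediaType` (the `@@ -183,19 +183,39 @@` hunk of imageutil/config.go) has no `default` branch, so a blob that declares a `mediaType` outside the four listed values is not rejected. The function then returns the type inferred from `config`/`layers`/`manifests` as if the field were absent. The old code returned any non-empty declared value verbatim, so this is a behaviour change the hunk does not document. If callers only expect the four listed types, add `default: return "", errors.Errorf("unsupported mediaType %q in manifest", *mfst.MediaType)`. If other declared types must keep working (the callers are outside this hunk), record that above the switch, e.g. `// any other declared mediaType is ignored; the type is inferred from the document's fields`.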
@@ -21,6 +21,9 @@
 type Index struct {
 specs.Versioned
+ // MediaType specificies the type of this document data structure e.g. `application/vnd.oci.image.index.v1+json`
+ MediaType string `json:"mediaType,omitempty"`
+
 // Manifests references platform specific manifests.
 Manifests []Descriptor `json:"manifests"`
diff -Nru docker.io-20.10.7/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go docker.io-20.10.11/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go
--- docker.io-20.10.7/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go 2021-06-01 22:34:42.000000000 +0000
+++ docker.io-20.10.11/engine/vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go 2021-11-18 00:21:59.000000000 +0000
@@ -20,6 +20,9 @@
 type Manifest struct {
 specs.Versioned
+ // MediaType specificies the type of this document data structure e.g. `application/vnd.oci.image.manifest.v1+json`
+ MediaType string `json:"mediaType,omitempty"`
+
 // Config references a configuration object for a container, by digest.
 // The referenced configuration object is a JSON blob that the runtime uses to set up the container.
 Config Descriptor `json:"config"`
diff -Nru docker.io-20.10.7/engine/vendor/github.com/opencontainers/image-spec/specs-go/version.go docker.io-20.10.11/engine/vendor/github.com/opencontainers/image-spec/specs-go/version.go
--- docker.io-20.10.7/engine/vendor/github.com/opencontainers/image-spec/specs-go/version.go 2021-06-01 22:34:42.000000000 +0000
+++ docker.io-20.10.11/engine/vendor/github.com/opencontainers/image-spec/specs-go/version.go 2021-11-18 00:21:59.000000000 +0000
@@ -22,7 +22,7 @@
 // VersionMinor is for functionality in a backwards-compatible manner
 VersionMinor = 0
 // VersionPatch is for backwards-compatible bug fixes
- VersionPatch = 1
+ VersionPatch = 2
 // VersionDev indicates development branch. Releases will be empty string.
 VersionDev = ""
diff -Nru docker.io-20.10.7/engine/vendor.conf docker.io-20.10.11/engine/vendor.conf
--- docker.io-20.10.7/engine/vendor.conf 2021-06-01 22:34:42.000000000 +0000
+++ docker.io-20.10.11/engine/vendor.conf 2021-11-18 00:21:59.000000000 +0000
@@ -1,6 +1,6 @@
 github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109
-github.com/Microsoft/hcsshim 89a9a3b524264d34985f1d48793ab2b2d2e430f6 # moby branch
-github.com/Microsoft/go-winio 5b44b70ab3ab4d291a7c1d28afe7b4afeced0ed4 # v0.4.15
+github.com/Microsoft/hcsshim 64a2b71405dacf76c95600f4c756a991ad09cf7c # moby branch
+github.com/Microsoft/go-winio 7e149e8c70409f36773c1b2cf3447a7ab7697368 # v0.4.20
 github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a
 github.com/golang/gddo 72a348e765d293ed6d1ded7b699591f14d6cd921
 github.com/google/uuid 0cd6bf5da1e1c83f8b45653022c74f71af0538a4 # v1.1.1
@@ -33,7 +33,7 @@
 golang.org/x/sync cd5d95a43a6e21273425c7ae415d3df9ea832eeb
 # buildkit
-github.com/moby/buildkit 244e8cde639f71a05a1a2e0670bd88e0206ce55c # v0.8.3-3-g244e8cde
+github.com/moby/buildkit bc07b2b81b1c6a62d29981ac564b16a15ce2bfa7 # v0.8.3-4-gbc07b2b8
 github.com/tonistiigi/fsutil 0834f99b7b85462efb69b4f571a4fa3ca7da5ac9
 github.com/tonistiigi/units 6950e57a87eaf136bbe44ef2ec8e75b9e3569de2
 github.com/grpc-ecosystem/grpc-opentracing 8e809c8a86450a29b90dcc9efbf062d0fe6d9746
@@ -76,7 +76,7 @@
 go.etcd.io/bbolt 232d8fc87f50244f9c808f4745759e08a304c029 # v1.3.5
 # get graph and distribution packages
-github.com/docker/distribution 0d3efadf0154c2b8a4e7b6621fff9809655cc580
+github.com/docker/distribution 58f99e93b767ebacbf8e62a9074844712d31a177 https://github.com/samuelkarp/docker-distribution.git
 github.com/vbatts/tar-split 620714a4c508c880ac1bdda9c8370a2b19af1a55 # v0.11.1
 github.com/opencontainers/go-digest ea51bea511f75cfa3ef6098cc253c5c3609b037a # v1.0.0
@@ -92,7 +92,7 @@
 # packages but should be newer or equal.
 github.com/opencontainers/runc ff819c7e9184c13b7c2607fe6c30ae19403a7aff # v1.0.0-rc92
 github.com/opencontainers/runtime-spec 4d89ac9fbff6c455f46a5bb59c6b1bb7184a5e43 # v1.0.3-0.20200728170252-4d89ac9fbff6
-github.com/opencontainers/image-spec d60099175f88c47cd379c4738d158884749ed235 # v1.0.1
+github.com/opencontainers/image-spec 67d2d5658fe0476ab9bf414cec164077ebff3920 # v1.0.2
 github.com/cyphar/filepath-securejoin a261ee33d7a517f054effbf451841abaafe3e0fd # v0.2.2
 # go-systemd v17 is required by github.com/coreos/pkg/capnslog/journald_formatter.go
@@ -130,7 +130,7 @@
 google.golang.org/genproto 3f1135a288c9a07e340ae8ba4cc6c7065a3160e8
 # containerd
-github.com/containerd/containerd 0edc412565dcc6e3d6125ff9e4b009ad4b89c638 # master (v1.5.0-dev)
+github.com/containerd/containerd e048c115a3a89caf63941d363858e207c28bccd6 https://github.com/moby/containerd.git # master (v1.5.0-dev) + patch for CVE-2021-41190
 github.com/containerd/fifo 0724c46b320cf96bb172a0550c19a4b1fca4dacb
 github.com/containerd/continuity efbc4488d8fe1bdc16bde3b2d2990d9b3a899165
 github.com/containerd/cgroups 0b889c03f102012f1d93a97ddd3ef71cd6f4f510
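Review bot: The `github.com/docker/distribution` pin in the `@@ -76,7 +76,7 @@` hunk of vendor.conf now fetches from `https://github.com/samuelkarp/docker-distribution.git`, with no comment saying what that fork commit carries over upstream. The containerd line in the `@@ -130,7 +130,7 @@` hunk records its reason (`+ patch for CVE-2021-41190`); this line should do the same. A redirect to a fork needs its upstream base and purpose written down so the pinned commit can be audited against upstream and the redirect dropped once upstream has the change. A trailing comment such as `# upstream <BASE_COMMIT> + <reason for fork>` would do (both are placeholders; the real values are not visible on this page).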
@@ -142,7 +142,7 @@
 github.com/cilium/ebpf 1c8d4c9ef7759622653a1d319284a44652333b28
 # cluster
-github.com/docker/swarmkit 17d8d4e4d8bdec33d386e6362d3537fa9493ba00
+github.com/docker/swarmkit 286f4575a2d2853c1574e1be10eb1a2450692dfc # bump_20.10
 github.com/gogo/protobuf 5628607bb4c51c3157aacc3a50f0ab707582b805 # v1.3.1
 github.com/golang/protobuf 84668698ea25b64748563aa20726db66a6b8d299 # v1.3.5
 github.com/cloudflare/cfssl 5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2
@@ -151,7 +151,7 @@
 golang.org/x/crypto c1f2f97bffc9c53fc40a1a28a5b460094c0050d9
 golang.org/x/time 555d28b269f0569763d25dbe1a237ae74c6bcc82
 github.com/hashicorp/go-memdb cb9a474f84cc5e41b273b20c6927680b2a8776ad
-github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 git://github.com/tonistiigi/go-immutable-radix.git
+github.com/hashicorp/go-immutable-radix 826af9ccf0feeee615d546d69b11f8e98da8c8f1 https://github.com/tonistiigi/go-immutable-radix.git
 github.com/hashicorp/golang-lru 7f827b33c0f158ec5dfbba01bb0b14a4541fd81d # v0.5.3
 github.com/coreos/pkg 3ac0863d7acf3bc44daf49afef8919af12f704ef # v3
 code.cloudfoundry.org/clock 02e53af36e6c978af692887ed449b74026d76fec # v1.0.0