Signed-off-by: Jakub Guzik <jakubmguzik@gmail.com>
(cherry picked from commit 7ef6ece)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

This changes CI to skip these platforms by default. The ppc64le and s390x
machines are "pet machines", configuration may be outdated, and these
machines are known to be flaky.

Building and verifying packages for these platforms is being handed
over to the IBM team.

We can still run these platforms for specific pull requests by selecting
the checkboxes.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 82c7e90)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

[20.10 backport] Jenkinsfile: skip ppc64le and s390x by default on pull requests

A node is no longer using its load balancer IP address when it no longer
has tasks that use the network that requires that load balancer. When
this occurs, the swarmkit manager will free that IP in IPAM, and may
reaassign it.

When a task shuts down cleanly, it attempts removal of the networks it
uses, and if it is the last task using those networks, this removal
succeeds, and the load balancer IP is freed.

However, this behavior is absent if the container fails. Removal of the
networks is never attempted.

To address this issue, I amend the executor. Whenever a node load
balancer IP is removed or changed, that information is passedd to the
executor by way of the Configure method. By keeping track of the set of
node NetworkAttachments from the previous call to Configure, we can
determine which, if any, have been removed or changed.

At first, this seems to create a race, by which a task can be attempting
to start and the network is removed right out from under it. However,
this is already addressed in the controller. The controller will attempt
to recreate missing networks before starting a task.

Signed-off-by: Drew Erny <derny@mirantis.com>
(cherry picked from commit 0d9b0ed)
Signed-off-by: Ameya Gawde <agawde@mirantis.com>

[20.10 backport] Fix possible overlapping IPs

Signed-off-by: Ameya Gawde <agawde@mirantis.com>

[20.10] vendor: swarmkit to fix deadlock in log broker (bump_20.10)

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 64badfc)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Stefan Scherer <stefan.scherer@docker.com>
(cherry picked from commit 7a6cac2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 42d2048)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Previously, running dockerd-rootless.sh on SELinux-enabled hosts
was failing with "can't open lock file /run/xtables.lock: Permission denied" error.
(issue 41230).

This commit avoids hitting the error by relabeling /run in the RootlessKit child.
The actual /run on the parent is unaffected.

https://github.com/containers/podman/blob/e6fc34b71aa9d876b1218efe90e14f8b912b0603/libpod/networking_linux.go#L396-L401

Tested on Fedora 34

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit cdaf82b)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Kernel 5.11 introduced support for rootless overlayfs, but incompatible with SELinux.

On the other hand, fuse-overlayfs is compatible.

Close issue 42333

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 4300a52)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

…SUSE Tumbleweed

openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error,
as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`,
which was not supported by `rootlesskit --copy-up=/etc` .

See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 8610d8c)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

fix containers/create 404 response description

Signed-off-by: Matt Morrison <3241034+Emdot@users.noreply.github.com>
(cherry picked from commit ff1d9a3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This updates the current swagger file, and all docs versions
with the same fix as ff1d9a3

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 68b095d)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

…756a991ad09cf7c (moby branch)

Brings in microsoft/hcsshim#1065, which fixes #42610.

full diff: microsoft/hcsshim@89a9a3b...64a2b71

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

…form

This takes the same approach as was implemented on `docker build`, where a warning
is printed if `FROM --platform=...` is used (added in 3996953)

Before:

    docker rmi armhf/busybox
    docker pull --platform=linux/s390x armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    docker.io/armhf/busybox:latest

With this change:

    docker rmi armhf/busybox
    docker pull --platform=linux/s390x armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    WARNING: image with reference armhf/busybox was found but does not match the specified platform: wanted linux/s390x, actual: linux/arm64
    docker.io/armhf/busybox:latest

And daemon logs print:

   WARN[2021-04-26T11:19:37.153572667Z] ignoring platform mismatch on single-arch image  error="image with reference armhf/busybox was found but does not match the specified platform: wanted linux/s390x, actual: linux/arm64" image=armhf/busybox

When pulling without specifying `--platform, no warning is currently printed (but we can add a warning in future);

    docker rmi armhf/busybox
    docker pull armhf/busybox

    Using default tag: latest
    latest: Pulling from armhf/busybox
    d34a655120f5: Pull complete
    Digest: sha256:8e51389cdda2158935f2b231cd158790c33ae13288c3106909324b061d24d6d1
    Status: Downloaded newer image for armhf/busybox:latest
    docker.io/armhf/busybox:latest

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 424c0eb)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

full diff: containerd/containerd@v1.4.6...v1.4.7

Welcome to the v1.4.7 release of containerd!

The seventh patch release for containerd 1.4 updates runc to 1.0.0 and contains
various other fixes.

Notable Updates

- Update runc binary to 1.0.0
- Fix invalid validation error checking
- Fix error on image pull resume
- Fix symlink resolution for disk mounts on Windows

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

…r_fork

[20.10 backport] Dockerfile: update go-swagger to fix validation on Go1.16

[20.10] update containerd binary to v1.4.7

[20.10 backport] update runc binary to v1.0.0 GA

[20.10 backport] API: fix 404 status description on container create

[20.10] vendor github.com/Microsoft/hcsshim 64a2b71405dacf76c95600f4c756a991ad09cf7c (moby branch)

…ubuntu_2004

[20.10 backport] Run s390x tests on Ubuntu 20.04

[20.10 backport] Fix setting swaplimit=true without checking

…x-42334

[20.10 backport] rootless:  avoid /run/xtables.lock EACCES on SELinux hosts  ; disable overlay2 if running with SELinux ; fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed

…atching_platform

[20.10 backport] docker pull: warn when pulled single-arch image does not match --platform

Also allow re-vendoring using `./hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 31b2c3b)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Certificates were originally added in c000cb6,
but did not include a script to generate them. Current versions of Go expect
certificates to use SAN instead of Common Name fields, so updating the script
to include those;

    x509: certificate relies on legacy Common Name field, use SANs or temporarily
    enable Common Name matching with GODEBUG=x509ignoreCN=0

Some fields were updated to be a bit more descriptive (instead of "replaceme"),
and the `-text` option was used to include a human-readable variant of the
content.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2fea30f)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Updates the certificates to account for current versions of Go expecting
SANs to be used instead of the Common Name field:

    FAIL: s390x.integration.plugin.authz TestAuthZPluginTLS (0.53s)
    [2020-07-26T09:36:58.638Z]     authz_plugin_test.go:132: assertion failed:
        error is not nil: error during connect: Get "https://localhost:4271/v1.41/version":
        x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe54215)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

These tests were no longer valid on Go 1.16; related to https://tip.golang.org/doc/go1.16#path/filepath

> The Match and Glob functions now return an error if the unmatched part of
> the pattern has a syntax error. Previously, the functions returned early on
> a failed match, and thus did not report any later syntax error in the pattern.

Causing the test to fail:

    === RUN   TestMatches
        fileutils_test.go:388: assertion failed: error is not nil: syntax error in pattern: pattern="a\\" text="a"
    --- FAIL: TestMatches (0.00s)

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 2842639)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

    INFO: Running integration tests at 05/17/2021 12:54:50...
    INFO: DOCKER_HOST at tcp://127.0.0.1:2357
    INFO: Integration API tests being run from the host:
    INFO: make.ps1 starting at 05/17/2021 12:54:50
    powershell.exe : go: cannot find main module, but found vendor.conf in D:\gopath\src\github.com\docker\docker
    At D:\gopath\src\github.com\docker\docker@tmp\durable-1ed00396\powershellWrapper.ps1:3 char:1
    + & powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -Comm ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (go: cannot find...m\docker\docker:String) [], RemoteException
        + FullyQualifiedErrorId : NativeCommandError

    	to create a module there, run:
    	go mod init
    INFO: make.ps1 ended at 05/17/2021 12:54:51

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8bae227)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

    === RUN   TestServicePlugin
        plugin_test.go:42: assertion failed: error is not nil: error building basic plugin bin: no required module provides package github.com/docker/docker/testutil/fixtures/plugin/basic: go.mod file not found in current directory or any parent directory; see 'go help modules'
            : exit status 1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 7070df3)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

…for_go116

[20.10 backport] various test-changes for Go 1.16

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit ae5ddd2)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit f400e84)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

result of: `hack/vendor.sh archive/tar`

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 3ed804a)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

This addresses CVE-2021-34558: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34558

go1.16.6 (released 2021-07-12) includes a security fix to the crypto/tls package,
as well as bug fixes to the compiler, and the net and net/http packages. See the
Go 1.16.6 milestone on the issue tracker for details:

https://github.com/golang/go/issues?q=milestone%3AGo1.16.6+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit fe6f1a4)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Update to containerd 1.4.8 to address [CVE-2021-32760][1].

[1]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32760

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit f50c764)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Welcome to the v1.4.9 release of containerd!

The ninth patch release for containerd 1.4 updates runc to 1.0.1 and contains
other minor updates.

Notable Updates

- Update runc binary to 1.0.1
- Update pull authorization logic on redirect
- Fix user agent used for fetching registry authentication tokens

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

[20.10 backport] update runc binary to v1.0.1

[20.10] update containerd binary to v1.4.9