notable changes
- oauth2.go: use a more straightforward return value
- oauth2: Deep copy context client in NewClient
- jws: improve fix for CVE-2025-22868
full diff: https://github.com/golang/oauth2/compare/v0.27.0...v0.29.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- We now only use winresources for the dockerd binary, so we can
reduce some uses of wildcards
- Use explicit ("/") to indicate these should only be ignored
relative to the root of the repository and build-context
- Remove remnant ignore for rpm builds
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Fix a logical error in the rootless setup tool where the iptables error
handling was incorrectly placed. The code was setting
`faced_iptables_error=1` even when iptables was available, causing
unnecessary error messages and setup suggestions.
This patch correctly moves the error handling into the `else` branch so
that we only report iptables errors when the command is actually
unavailable.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Go maintainers started to unconditionally update the minimum go version
for golang.org/x/ dependencies to go1.23, which means that we'll no longer
be able to support any version below that when updating those dependencies;
> all: upgrade go directive to at least 1.23.0 [generated]
>
> By now Go 1.24.0 has been released, and Go 1.22 is no longer supported
> per the Go Release Policy (https://go.dev/doc/devel/release#policy).
>
> For golang/go#69095.
This updates our minimum version to go1.23, as we won't be able to maintain
compatibility with older versions because of the above.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since commit 925b484 ("No fallback nameservers for internal
resolver"), if the host's resolv.conf has no nameservers and
no servers are supplied via config, the internal resolver will
not use Google's DNS - so the container will not be able to
resolve external DNS requests.
That can happen when containers are "restart-always" and the
docker daemon starts before the host's DNS is configured.
So, to highlight the issue (which may not be an error, but
probably is), include a warning in the container's resolv.conf
file.
Also, log a warning - logs currently say "No non-localhost DNS
nameservers are left in resolv.conf. Using default external
servers". But, that's misleading because it's from an initial
resolv.conf setup, before the internal resolver is configured without
those fallbacks (we'll drop the fallbacks completely once the
default bridge has an internal resolver).
Signed-off-by: Rob Murray <rob.murray@docker.com>
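The "no usable nameserver" condition described above, as an added Go example that is not moby's own code: it parses a host resolv.conf, discards loopback nameservers (a container cannot reach the host's loopback, so 127.0.0.53 or ::1 entries are as good as none) and, when nothing is left, writes a warning comment into the container's file instead of substituting a public resolver. The function names, the wording of the warning and the sample input are assumptions for this example; the real daemon additionally points the container at its internal resolver, which is left out here.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// noNameserversWarning is a hypothetical warning comment; the project's own
// wording is not given in the commit message.
const noNameserversWarning = "# Warning: no usable nameservers on the host; external names will not resolve\n"

// hostNameservers returns the "nameserver" entries of a resolv.conf, in order.
// Lines beginning with '#' or ';' are comments and are skipped.
func hostNameservers(resolvConf string) []string {
	var servers []string
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) >= 2 && fields[0] == "nameserver" {
			servers = append(servers, fields[1])
		}
	}
	return servers
}

// usableNameservers drops loopback addresses such as 127.0.0.53 (a
// systemd-resolved stub) or ::1: they refer to the host's own loopback, which
// is unreachable from inside the container's network namespace. Entries that
// do not parse as an IP address are dropped as well.
func usableNameservers(servers []string) []string {
	var out []string
	for _, s := range servers {
		ip := net.ParseIP(s)
		if ip == nil || ip.IsLoopback() {
			continue
		}
		out = append(out, s)
	}
	return out
}

// containerResolvConf builds the nameserver section of a container's
// resolv.conf from the host's file. Instead of silently substituting a public
// resolver when nothing usable is left, it writes the warning comment and
// reports (second return value) that it did so, so the caller can log it.
func containerResolvConf(hostResolvConf string) (string, bool) {
	servers := usableNameservers(hostNameservers(hostResolvConf))
	var b strings.Builder
	if len(servers) == 0 {
		b.WriteString(noNameserversWarning)
		return b.String(), true
	}
	for _, s := range servers {
		fmt.Fprintf(&b, "nameserver %s\n", s)
	}
	return b.String(), false
}

func main() {
	// Constructed sample: a host whose only nameserver is a loopback stub, as
	// can happen when the daemon starts before the host's DNS is configured.
	const hostConf = "# constructed for this example\nnameserver 127.0.0.53\nsearch example.test\n"
	out, warned := containerResolvConf(hostConf)
	fmt.Printf("warned=%v\n%s", warned, out)
}
```

The second return value is what the daemon-side log warning would key on; a container whose resolv.conf starts with the warning comment is the signal to check the host's DNS configuration and restart the container once it is in place.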
Since commit 51d7f95 ("libnet: remove struct endpointCnt") an
endpoint count for networks has not been persisted.
But, on downgrade to a version older than that commit, the
missing field caused daemon startup to fail.
So, create the count in the store - it only needs to exist, it's
no longer maintained as a count of endpoints. On downgrade, the
count is probably zero anyway (the daemon is stopped), but the
older daemon fixes it up on startup if necessary.
Signed-off-by: Rob Murray <rob.murray@docker.com>
The existing code was more complicated than needed. By default, the daemon
runs "unconfined", but we try to detect the current profile that's set.
When failing to do so (error, or detected profile is empty), we assume
the default ("unconfined").
This patch simplifies the logic:
- Set the default ("unconfined")
- Only update the default when we successfully found the current profile
(no error occurred, and the profile is not empty).
While updating, also:
- Replaced use of `strings.SplitN` with `strings.Cut`, which is more
efficient, and doesn't allocate.
- Move constructing the profileData closer to where it's used.
- Remove intermediate var.
- Combine defers and change the order (close file first, before removing),
and suppress errors to keep linters happy.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
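The profile-detection rule described above, as an added Go example rather than the project's own code: start from the default "unconfined", and only replace it when the current profile was read without error and the name is non-empty. The kernel exposes a process's AppArmor confinement in /proc/self/attr/current as "<profile> (<mode>)" or "unconfined"; since profile names cannot contain spaces, `strings.Cut` on the first space yields the name. The function names are assumptions for this example.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// defaultDaemonProfile is assumed whenever the current profile cannot be
// determined.
const defaultDaemonProfile = "unconfined"

// parseProfile extracts the profile name from the content of
// /proc/self/attr/current, e.g. "docker-default (enforce)\n" -> "docker-default"
// and "unconfined\n" -> "unconfined". Everything from the first space on is the
// mode, which is dropped; an empty or whitespace-only value yields "".
func parseProfile(attr []byte) string {
	name, _, _ := strings.Cut(strings.TrimSpace(string(attr)), " ")
	return name
}

// daemonProfile applies the rule from the commit message: the default is set
// first and is only overridden when the read succeeded AND produced a
// non-empty name. A read error with stale bytes still yields the default.
func daemonProfile(attr []byte, readErr error) string {
	profile := defaultDaemonProfile
	if readErr == nil {
		if p := parseProfile(attr); p != "" {
			profile = p
		}
	}
	return profile
}

// currentDaemonProfile reads the live value for this process. On a host
// without AppArmor the file is missing, and the default is returned.
func currentDaemonProfile() string {
	attr, err := os.ReadFile("/proc/self/attr/current")
	return daemonProfile(attr, err)
}

func main() {
	fmt.Println("daemon profile:", currentDaemonProfile())
}
```

Keeping the parse step separate from the read step is what makes the error handling easy to get right: the decision "did we find a profile" is made on two inputs (error, parsed name) in one place, instead of being spread over a SplitN result whose length must be checked.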
`exec.Cmd.Path` already contains the command that was executed, so we
were printing the command twice. However, `exec.Cmd` implements a stringer
interface, which provides a readable version of the command that was
executed, so use that instead. While updating, also change backticks in
the error for regular quotes.
Before:
running `/usr/sbin/apparmor_parser apparmor_parser -Kr /no/such/file` failed with output: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
error: exit status 1
After:
running '/usr/sbin/apparmor_parser -Kr /no/such/file' failed with output: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
error: exit status 1
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We are considering moving the apparmor profile to a separate module,
so removing these comments in preparation. These comments are ignored
already when building in go module mode, so have little benefit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We are considering moving the seccomp profile to a separate module,
so removing these comments in preparation. These comments are ignored
already when building in go module mode, so have little benefit.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We are considering moving the seccomp profile to a separate module,
so reducing the list of dependencies for this package.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This reverts commit 5d2006256f15f7252c11bd72d632de26a8b2ff06, which
caused some issues in the docker/cli formatting code that needs some
investigating.
Let's (temporarily) revert this while we look at what's wrong.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Copy the swagger / OpenAPI file to the documentation. This is the API
version used by the upcoming v28.1.0 release.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>