forked from moby/moby
[pull] master from moby:master #1404
Open: pull wants to merge 8,550 commits into next-stack:master from moby:master
[Service.ResolveRepository] is a shallow wrapper around [newRepositoryInfo], from which we only consume the `Name` field. That field is a direct result of `reference.TrimNamed`, so we can replace this with that.
[Service.ResolveRepository]: https://github.com/moby/moby/blob/ecb03c4cdae6f323150fc11b303dcc5dc4d82416/registry/service.go#L106-L111
[newRepositoryInfo]: https://github.com/moby/moby/blob/ecb03c4cdae6f323150fc11b303dcc5dc4d82416/registry/config.go#L392-L408
Signed-off-by: Sebastiaan van Stijn <[email protected]>
It's not called anywhere, so we can remove it from this interface. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Simplify how we look up auth-config, as we don't need the additional information provided by RepositoryInfo. There are still more layers to peel off, which will be done in follow-ups. Signed-off-by: Sebastiaan van Stijn <[email protected]>
inline a simplified version of "newIndexInfo" without handling of insecure registries and mirrors, as we don't need that information to resolve the auth-config. Signed-off-by: Sebastiaan van Stijn <[email protected]>
While it's generally better to define interfaces locally, this one now duplicated distribution.RegistryResolver, and it's passed on to other types which expect that interface. Remove this (un-exported) interface to make it easier to discover what's used where. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
refactor and simplify various code-paths related to distribution / authentication
registry: deprecate APIEndpoint.Official field
Create an iptablesNetwork containing all the info needed to set up per-network iptables rules, give it methods to create the rules, and use it instead of per-rule-type calls from driver.createNetwork(). Signed-off-by: Rob Murray <[email protected]>
The github action running bake expected FIREWALLD to be set, but DOCKER_FIREWALLD was set instead, so firewalld wasn't installed in the dev image. The dind-systemd script expected DOCKER_FIREWALLD to be set if it needed to run firewalld, and it was. But it had no effect. In CI, bake builds the image then make runs it - and they use the same env. So, align on FIREWALLD (as it's not a docker feature). Signed-off-by: Rob Murray <[email protected]>
Run firewalld in CI
- use gotest.tools for assertions
- remove some debug-logs
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Unlike the equivalent for pulling images, [Service.LookupPushEndpoints] never returns mirror endpoints, as it calls [Service.lookupV2Endpoints] with "includeMirrors=false", so we should not use this field, and unconditionally handle errors without the additional fallbacks that we consider for pulling images from a mirror.
[Service.LookupPushEndpoints]: https://github.com/moby/moby/blob/cea56c1d9c2fae5831f38ae88fba593206985b2b/registry/service.go#L134-L139
[Service.lookupV2Endpoints]: https://github.com/moby/moby/blob/cea56c1d9c2fae5831f38ae88fba593206985b2b/registry/service_v2.go#L10-L40
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Test actual error returned, and test normalized value. Signed-off-by: Sebastiaan van Stijn <[email protected]>
Bridge: factor out creation of network-level iptables rules
Include legacy link setup in IptablesNetwork, with the other per-network rules. Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
registry: session.searchRepositories: pass through context
registry: ValidateMirror: touch-up GoDoc and improve test-coverage
Signed-off-by: Paweł Gronowski <[email protected]>
Simplify bridge legacy links
Signed-off-by: Rob Murray <[email protected]>
pkg/atomicwriter: use sequential file access on Windows
client: keep image refs in canonical format where possible
Signed-off-by: Kristian Heljas <[email protected]>
archive/tar: fix for CVE-2022-2879 full diff: vbatts/tar-split@v0.11.6...v0.12.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
gotest.tools v3.0.1 and up support Go's native test.Cleanup(), which means that manually calling the cleanup functions in a defer is no longer needed. Some of these could probably be replaced by Go's native `t.TempDir()`, but keeping that for a follow-up exercise. Signed-off-by: Sebastiaan van Stijn <[email protected]>
vendor: github.com/vbatts/tar-split v0.12.1
Dockerfile: update cli to v28.1.1, buildx v0.33.0, compose v0.35.1, syntax: docker/dockerfile:1
builder/remotecontext: MakeGitContext: use "WithFields" for logs
testing: remove some defer cleanup in favor of test.Cleanup()
Signed-off-by: Sebastiaan van Stijn <[email protected]>
CI: deduplicate execution of unit tests
Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
It's now shouldInsertMirroredWSL2Rule, because it's a test and doesn't do the insertion. Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
fix duplicate import, and force consistent alias for bolt
Move bridge driver iptables code into its own package
Reset default bridge addresses after integration tests
builder/remotecontext: Deprecate Rel()
Commit 27adcd5 ("libnet/d/bridge: drop connections to lo mappings, and direct remote connections") introduced an iptables rule to drop 'direct' remote connections made to the container's IP address - for each published port on the container. The normal filter-FORWARD rules would then drop packets sent directly to unpublished ports. This rule was only created along with the rest of port publishing (when a container's endpoint was selected as its gateway). Until then, all packets addressed directly to the container's ports were dropped by the filter-FORWARD rules. But, the rule doesn't need to be per-port. Just drop packets sent directly to a container's address unless they originate on the host. That means fewer rules, that can be created along with the endpoint (then directly-routed get dropped at the same point whether or not the endpoint is currently the gateway - very slightly earlier than when it's not the gateway). Signed-off-by: Rob Murray <[email protected]>
The issue is now fixed. Signed-off-by: Paweł Gronowski <[email protected]>
`moby/vpnkit` now officially pushes a binary image to `moby/vpnkit-bin` repository on Docker Hub. Use it to fetch the vpnkit binary. Signed-off-by: Paweł Gronowski <[email protected]>
iptables: Direct routing DROP rules per-container, not per-port
Dockerfile: Fetch vpnkit from moby org
Signed-off-by: Rob Murray <[email protected]>
integration/build: Unskip TestBuildEmitsImageCreateEvent for c8d
When a network is created with "-o com.docker.network.enable_ipv4" (including via "default-network-opts" in daemon config), and EnableIPv4 is present in the API request (including when CLI option "--ipv4" is used) - the top-level API value is used and the "-o" is ignored. But, the "-o" still shows up in Options in inspect output, which is confusing if the values are different. So, drop the "-o" if the top-level API option is set. Ditto IPv6. Signed-off-by: Rob Murray <[email protected]>
Add TestLegacyLink
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Sebastiaan van Stijn <[email protected]>
Drop "-o com.docker.network.enable_ipv[46]" if overridden
builder: use t.TempDir() in tests
See Commits and Changes for more details.
Created by
pull[bot]