Use the tagged version instead of the v2.0.0-20250613170222-a45be3cac15c
pseudo-version. The referenced commit has not changed.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Add a mention to stdcopy.StdCopy to the documentation, as the stream returned in the HijackedResponse is multiplexed when tty is disabled.
Signed-off-by: Medhy DOHOU <52136144+PowerPixel@users.noreply.github.com>
The IdentityMapping and Identity types are still used internally, but
should be considered transitional.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The Inter-Network Communication rules in the iptables chains
DOCKER-ISOLATION-STAGE-1 / DOCKER-ISOLATION-STAGE-2 (which are
called from filter-FORWARD) currently:
- Block access from containers in one bridge network, to ports
published to host addresses by containers in other bridge
networks, when the userland-proxy is disabled.
- But, that access is allowed when the proxy is enabled.
- Block access to all ports on container addresses in gateway
mode "nat-unprotected" networks.
- But, those ports can be accessed from anywhere else, including
other hosts. Just not other bridge networks.
- Allow access from containers in "nat" bridge networks to published
ports on container addresses in "routed" networks. But, to do that,
extra INC rules are added for the routed network.
The INC rules are no longer needed to block access from containers
in one network to unpublished ports on container addresses in
other networks. Direct routing to containers in NAT networks is
blocked by the "raw-PREROUTING" rules that block access from
untrusted interfaces (all interfaces apart from the network's
own bridge).
Drop these INC rules to resolve the inconsistencies listed above,
with this change:
- Published ports on host addresses can be accessed from containers
in other networks (even without the userland-proxy).
- The rules for direct routing between bridge networks are the same
as the rules for direct routing from outside the Docker host
(allowed for gw modes "routed" and "nat-unprotected", disallowed
for "nat").
Fewer rules, so it's simpler, and perhaps slightly faster.
Internal networks (with no access to networks outside the host)
are also implemented using rules in the DOCKER-ISOLATION chains.
This change moves those rules to a new chain, DOCKER-INTERNAL,
and drops the DOCKER-ISOLATION chains.
Signed-off-by: Rob Murray <rob.murray@docker.com>
A network node is responsible for both broadcasting table events for
entries it owns and for rebroadcasting table events from other nodes it
has received. Table events to be broadcast are added to a single queue
per network, including events for rebroadcasting. As the memberlist
TransmitLimitedQueue is (to a first approximation) LIFO, a flood of
events from other nodes could delay the broadcasting of
locally-generated events indefinitely. Prioritize broadcasting local
events by splitting up the queues and only pulling from the rebroadcast
queue if there is free space in the gossip packet after draining the
local-broadcast queue.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Log more details when assertions fail to provide a more complete picture
of what went wrong when TestCRUDTableEntries fails. Log the state of
each NetworkDB instance at various points in TestCRUDTableEntries to
provide an even more complete picture.
Increase the global logger verbosity in tests so warnings and debug logs
are printed to the test log.
Signed-off-by: Cory Snider <csnider@mirantis.com>
NetworkDB uses a muli-dimensional map of struct network to keep track of
network attachments for both remote nodes and the local node. Only a
subset of the struct fields are used for remote nodes' network
attachments. The tableBroadcasts pointer field in particular is
always initialized for network values representing local attachments
(read: nDB.networks[nDB.config.NodeID]) and always nil for remote
attachments. Consequently, unnecessary defensive nil-pointer checks are
peppered throughout the code despite the aforementioned invariant.
Enshrine the invariant that tableBroadcasts is initialized iff the
network attachment is for the local node in the type system. Pare down
struct network to only the fields needed for remote network attachments
and move the local-only fields into a new struct thisNodeNetwork. Elide
the unnecessary nil-checks.
Signed-off-by: Cory Snider <csnider@mirantis.com>
When joining a network that was previously joined but not yet reaped,
NetworkDB replaces the network struct value with a zeroed-out one with
the entries count copied over. This is also the case when joining a
network that is currently joined! Consequently, joining a network has
the side effect of clearing the broadcast queue. If the queue is cleared
while messages are still pending broadcast, convergence may be delayed
until the next bulk sync cycle.
Make it an error to join a network twice without leaving. Retain the
existing broadcast queue when rejoining a network that has not yet been
reaped.
Signed-off-by: Cory Snider <csnider@mirantis.com>
The map key for nDB.networks is the network ID. The struct field is not
actually used anywhere in practice.
Signed-off-by: Cory Snider <csnider@mirantis.com>
After pushing the multi-platform index fails due to missing content, we
retry with the single-platform manifest. While the target descriptor was
changed for the second push, the actual target digested reference still
pointed to the original multi-platform index. Obviously, with the
fallback that didn't really work correctly, because the multi-platform
index is not pushed.
This commit fixes the issue by updating the target reference to point to
the single-platform manifest.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
It checked for "Bind for 0.0.0.0:80 failed: port is already
allocated". But, since commit d662091 ("portallocator: always
check for ports allocated for 0.0.0.0/::"), the message is
sometimes about ":::80".
Signed-off-by: Rob Murray <rob.murray@docker.com>
This parameter was already supported for some time in the backend (for
purposes related to docker system prune). It was also already present in
the imagetypes.ListOptions but was never actually handled by the client.
Make it available by default in the response.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
It looks like the error returned by Windows changed in Windows 2025; before
Windows 2025, this produced a `ERROR_INVALID_NAME`;
The filename, directory name, or volume label syntax is incorrect.
But Windows 2025 produces a `ERROR_DIRECTORY` ("The directory name is invalid."):
CreateFile \\\\?\\Volume{d9f06b05-0405-418b-b3e5-4fede64f3cdc}\\windows\\system32\\drivers\\etc\\hosts\\: The directory name is invalid.
Docs; https://learn.microsoft.com/en-us/windows/win32/debug/system-error-codes--0-499-
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
