commit 7c09fa25fd and
e8c269843c removed support for schema1, but
we still enabled the schema1 conversion in containerd, causing the error
produced by dockerd to be shadowed by the error from containerd;
Before this patch, we would get an error from containerd;
    docker pull docker:1.0
    Error response from daemon: failed to get converter for "docker.io/library/docker:1.0": Pulling Schema 1 images have been deprecated and disabled by default since containerd v2.0. As a workaround you may set an environment variable `CONTAINERD_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE=1`, but this will be completely removed in containerd v2.1.
After enabling that env-var, it would return the error from dockerd;
    CONTAINERD_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE=1 dockerd --feature containerd-snapshotter
    docker pull docker:1.0
    Error response from daemon: Docker Image Format v1 and Docker Image manifest version 2, schema 1 support has been removed. Suggest the author of docker.io/library/docker:1.0 to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/
With this patch, we immediately return the error from dockerd;
    docker pull docker:1.0
    Error response from daemon: Docker Image Format v1 and Docker Image manifest version 2, schema 1 support has been removed. Suggest the author of docker.io/library/docker:1.0 to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2. More information at https://docs.docker.com/go/deprecated-image-specs/
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
We had some runs timeout after 120 minutes; expected duration is much
lower than that, so let's lower the timeout to make actions fail faster.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Mostly for readability, and to avoid linters suggesting to move the
default condition outside of the if/else.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some linters were complaining about the testing.T not being used; put
it to use to silence the linter.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- scope variables locally to the if/else if
- use if/else if to try to make it more clear it's a "best effort" before
falling through to other ways of resolving the image reference
- remove outdated TODO, now that containerd errdefs can be used for either
moby, or containerd error definitions.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- https://github.com/golang/go/issues?q=milestone%3AGo1.24.4+label%3ACherryPickApproved
- full diff: https://github.com/golang/go/compare/go1.24.3...go1.24.4
This release includes 3 security fixes following the security policy:
- net/http: sensitive headers not cleared on cross-origin redirect
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Thanks to Takeshi Kaneko (GMO Cybersecurity by Ierae, Inc.) for reporting this issue.
This is CVE-2025-4673 and Go issue https://go.dev/issue/73816.
- os: inconsistent handling of O_CREATE|O_EXCL on Unix and Windows
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location.
OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Thanks to Junyoung Park and Dong-uk Kim of KAIST Hacking Lab for discovering this issue.
This is CVE-2025-0913 and Go issue https://go.dev/issue/73702.
- crypto/x509: usage of ExtKeyUsageAny disables policy validation
Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.
Thanks to Krzysztof Skrzętnicki (@Tener) of Teleport for reporting this issue.
This is CVE-2025-22874 and Go issue https://go.dev/issue/73612.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
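A regression check for the O_CREATE|O_EXCL behaviour described in the go1.24.4 notes above, as an added example that is not part of the commit or of the Go project: it plants a dangling symlink and confirms that an exclusive create through it is refused and leaves the target absent. The helper name `CheckExclCreate` and the file names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// CheckExclCreate (hypothetical helper) plants a dangling symlink in dir and
// tries to create a file through it with O_CREATE|O_EXCL. It reports whether
// the open was refused and whether the symlink's target came into existence.
// Note: creating symlinks on Windows may need Developer Mode or elevation.
func CheckExclCreate(dir string) (refused, targetCreated bool, err error) {
	target := filepath.Join(dir, "missing-target") // constructed name, never created here
	link := filepath.Join(dir, "link")
	if err := os.Symlink(target, link); err != nil {
		return false, false, fmt.Errorf("create symlink: %w", err)
	}
	f, openErr := os.OpenFile(link, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if openErr == nil {
		f.Close()
	}
	refused = openErr != nil
	// Lstat the target itself: it must still be absent after the attempt.
	switch _, statErr := os.Lstat(target); {
	case statErr == nil:
		targetCreated = true
	case !errors.Is(statErr, os.ErrNotExist):
		return refused, false, fmt.Errorf("stat target: %w", statErr)
	}
	return refused, targetCreated, nil
}

func main() {
	dir, err := os.MkdirTemp("", "excl-symlink-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	refused, created, err := CheckExclCreate(dir)
	fmt.Printf("open refused=%v target created=%v err=%v\n", refused, created, err)
}
```

Run on each target platform with the toolchain that builds the release binaries; a result of `refused=false` or `target created=true` means that toolchain still follows the dangling symlink.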
Added backend code to support the exact same interface
used today for Nvidia GPUs, allowing customers to use
the same docker commands for both Nvidia and AMD GPUs.
Signed-off-by: Sudheendra Gopinath <sudheendra.gopinath@amd.com>
Reused common functions from nvidia_linux.go.
Removed duplicate code in amd_linux.go by reusing
the init() and countToDevices() functions in
nvidia_linux.go. AMD driver is registered in init().
Signed-off-by: Sudheendra Gopinath <sudheendra.gopinath@amd.com>
Renamed amd-container-runtime constant
Signed-off-by: Sudheendra Gopinath <sudheendra.gopinath@amd.com>
Removed empty branch to keep linter happy.
Also renamed amd_linux.go to gpu_amd_linux.go.
Signed-off-by: Sudheendra Gopinath <sudheendra.gopinath@amd.com>
Renamed nvidia_linux.go and gpu_amd_linux.go.
Signed-off-by: Sudheendra Gopinath <sudheendra.gopinath@amd.com>