Add the nri_no_wasm build tag to the BUILDFLAGS for static builds to
disable WASM plugins support in the NRI (Node Resource Interface)
component.
See: 1078130fa0/README.md (webassembly-support)
The NRI support is still minimal and disabling WASM plugins shaves off a
couple of MiB of the binary size.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
This option was added in 9672afa339 in 2016,
at which time tweaking GOGC showed a significant difference when building
the binary (`1m14.221s` vs `0m49.929s`).
Testing this today doesn't show a real difference;
With GOGC=1000:
rm -rf bundles/
time hack/make.sh binary
real 0m15.303s
user 0m26.285s
sys 0m6.383s
real 0m4.931s
user 0m3.103s
sys 0m1.670s
real 0m5.693s
user 0m3.827s
sys 0m2.384s
Without GOGC set;
real 0m5.012s
user 0m3.689s
sys 0m1.549s
real 0m5.298s
user 0m3.997s
sys 0m1.695s
real 0m4.899s
user 0m3.579s
sys 0m1.423s
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove the `replace` rule check as it's not needed because it will also
pass the second check.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
dropreplace now accepts an optional argument that allows manually
specifying a git ref to use for the modules.
It's not required though and if not present it will default to a master
branch from the upstream (preferred) or origin remote.
This is much more reliable than "module@master" which for some reason
tends to not resolve to the actual latest commit on the master branch.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Add a `dev` target which adds a convenient developer loop which
rebuilds and reruns the daemon after a SIGINT is received.
It can be exited by sending SIGINT (Ctrl+C) a couple times.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
The directory was solely used by Dockerfile.simple.
For the "simple" mode, we can just directly apt-get the dependencies.
A part of issue 51637
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
These releases include 2 security fixes following the security policy:
- crypto/x509: excessive resource consumption in printing error string for host certificate validation
Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out.
Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime.
Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.
HostnameError.Error() now limits the number of hosts and utilizes strings.Builder when constructing an error string.
Thanks to Philippe Antoine (Catena cyber) for reporting this issue.
This is CVE-2025-61729 and Go issue https://go.dev/issue/76445.
- crypto/x509: excluded subdomain constraint does not restrict wildcard SANs
An excluded subdomain constraint in a certificate chain does not restrict the
usage of wildcard SANs in the leaf certificate. For example a constraint that
excludes the subdomain test.example.com does not prevent a leaf certificate from
claiming the SAN *.example.com.
This is CVE-2025-61727 and Go issue https://go.dev/issue/76442.
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.5
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
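As an added illustration of the two crypto/x509 issues listed in the release notes above (this is example code written for this page, not Go's or Moby's implementation), the block below shows the shape of the CVE-2025-61729 fix (a bounded host list assembled with strings.Builder next to the unbounded "+=" pattern it replaces) and a conservative name-constraint check for the CVE-2025-61727 case, where a wildcard SAN such as *.example.com is not "within" an excluded subtree test.example.com by the plain suffix test and yet can match a name inside it. The cap of five listed hosts and the policy of rejecting any wildcard whose base domain is an ancestor of the excluded name are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// maxListedHosts caps how many names are echoed back in the error message.
// The value is an assumption for this example, not the cap Go chose.
const maxListedHosts = 5

// hostnameMismatchMessage builds a "certificate is valid for a, b, not c"
// string with a bounded host list and a strings.Builder, so the cost is
// linear in the number of names and an attacker-supplied certificate with
// thousands of SANs cannot blow up the error path.
func hostnameMismatchMessage(requested string, valid []string) string {
	var b strings.Builder
	b.WriteString("certificate is valid for ")
	shown := valid
	if len(shown) > maxListedHosts {
		shown = shown[:maxListedHosts]
	}
	for i, h := range shown {
		if i > 0 {
			b.WriteString(", ")
		}
		b.WriteString(h)
	}
	if extra := len(valid) - len(shown); extra > 0 {
		fmt.Fprintf(&b, ", and %d more", extra)
	}
	b.WriteString(", not ")
	b.WriteString(requested)
	return b.String()
}

// naiveConcatMessage is the pattern the fix replaces: no limit on the
// number of hosts, and every "+=" copies the growing string, which makes
// the whole loop quadratic. Shown only for contrast.
func naiveConcatMessage(requested string, valid []string) string {
	s := "certificate is valid for "
	for i, h := range valid {
		if i > 0 {
			s += ", "
		}
		s += h
	}
	return s + ", not " + requested
}

// withinSubtree is the ordinary dNSName constraint test: name equals the
// constraint or is a subdomain of it.
func withinSubtree(name, constraint string) bool {
	name, constraint = strings.ToLower(name), strings.ToLower(constraint)
	return name == constraint || strings.HasSuffix(name, "."+constraint)
}

// wildcardSANViolatesExclusion decides whether a leaf SAN must be rejected
// under an excluded dNSName subtree. withinSubtree alone misses
// "*.example.com" vs excluded "test.example.com"; so a wildcard is also
// rejected when its base domain is an ancestor of (or equal to) the
// excluded name, because the wildcard could then match a name inside the
// excluded subtree. This is a deliberately conservative policy written for
// this example (it may reject more than strictly necessary).
func wildcardSANViolatesExclusion(san, excluded string) bool {
	if withinSubtree(san, excluded) {
		return true
	}
	if strings.HasPrefix(san, "*.") {
		base := san[2:]
		return withinSubtree(excluded, base)
	}
	return false
}

func main() {
	hosts := []string{"a.example", "b.example", "c.example", "d.example", "e.example", "f.example", "g.example"}
	fmt.Println(hostnameMismatchMessage("x.example", hosts))
	fmt.Println(naiveConcatMessage("x.example", hosts[:2]))
	fmt.Println(wildcardSANViolatesExclusion("*.example.com", "test.example.com")) // true
	fmt.Println(wildcardSANViolatesExclusion("*.other.com", "test.example.com"))   // false
}
```

Both checks are intentionally simple policy functions; a real verifier also has to apply permitted subtrees, handle leading-dot constraints and treat wildcards per RFC 6125, none of which is modelled here.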
Do not require replace rules to be added if there's no code-changes
in the module. Note that changes in api/swagger.yaml may result in
changes in generated code, but this should be checked separately from
the swagger itself.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The bash array usage was wrong - change to a simpler check that just
compares if the diff is empty.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Running sub-package tests from the root module without re-adding the
replace rules wasn't running the tests from the local in-tree versions
of these submodules.
Fix by cd-ing into their directories before running tests.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Update the version of containerd used in CI and for static binaries
to v2.1.5 (linux) and v2.0.7 (windows)
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
This change adds type-specific fields to the `GET /system/df` endpoint with high-level information on disk usage. This change also introduces a `verbose` query to the endpoint so that detailed information is excluded by default unless queried, to reduce memory consumption. The previous top-level `DiskUsage` fields (`Images`, `Containers`, `Volumes` and `BuildCache`) are now deprecated and kept for backwards compatibility.
Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Austin Vazquez <austin.vazquez@docker.com>
Now that we're raising the minimum API version, we can also update
the CLI used in our integration-cli tests.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
commit 081987b647 updated the Dockerfile
to disable go's telemetry in our dev / test-environment; as collecting
this data doesn't serve much purpose.
However, the configuration to disable telemetry is tied to the user's
home-directory (HOME); and disabling telemetry writes a config-file to the
user's home-directory (`~/.config/go/telemetry/mode`). While go provides
env-vars about the mode and location (`GOTELEMETRY` and `GOTELEMETRYDIR`),
those env-vars are read-only and cannot be used to either disable telemetry
or to set the location;
> Information about telemetry configuration is also available via read-only Go environment variables:
>
> go env GOTELEMETRY reports the telemetry mode.
> go env GOTELEMETRYDIR reports the directory holding telemetry configuration and data.
Some steps in our CI set up a different home-directory, which is not configured
to disable telemetry, which means that CI currently leaves behind a bunch of
files related to this;
make TEST_FILTER=TestPruneDontDeleteUsedDangling test-integration
tree -a bundles/test-integration/fake-HOME/
bundles/test-integration/fake-HOME/
└── .config
    └── go
        └── telemetry
            ├── local
            │   ├── asm@go1.25.3-go1.25.3-linux-arm64-2025-10-21.v1.count
            │   ├── compile@go1.25.3-go1.25.3-linux-arm64-2025-10-21.v1.count
            │   ├── go@go1.25.3-go1.25.3-linux-arm64-2025-10-21.v1.count
            │   ├── link@go1.25.3-go1.25.3-linux-arm64-2025-10-21.v1.count
            │   ├── test2json@go1.25.3-go1.25.3-linux-arm64-2025-10-21.v1.count
            │   ├── upload.token
            │   └── weekends
            └── upload

6 directories, 7 files
This patch disables go telemetry also for this home-directory to prevent
those files from being created, and to prevent go from producing the
telemetry.
With this patch, only the file to disable telemetry is produced:
make TEST_FILTER=TestPruneDontDeleteUsedDangling test-integration
tree -a bundles/test-integration/fake-HOME/
bundles/test-integration/fake-HOME/
└── .config
    └── go
        └── telemetry
            └── mode

4 directories, 1 file
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- relates to 96b29f5a1f
- similar to 08e4e88482
The daemon currently provides support for API versions all the way back
to v1.24, which is the version of the API that shipped with docker 1.12.0
(released in 2016).
Such old versions of the client are rare, and supporting older API versions
has accumulated significant amounts of code to remain backward-compatible
(which is largely untested, and a "best-effort" at most).
This patch updates the minimum API version to v1.44, matching the minimum
version of the client, and matching the API version of docker v25.0, which
is the oldest supported version (through Mirantis MCR).
The intent is to start deprecating older API versions when daemons implementing
them reach EOL. This patch does not yet remove backward-compatibility code
for older API versions, and the DOCKER_MIN_API_VERSION environment variable
allows overriding the minimum version (to allow restoring the behavior from
before this patch), however, API versions below v1.44 should be considered
"best effort", and we may remove compatibility code to provide "degraded"
support.
With this patch the daemon defaults to API v1.44 as minimum:
docker version
Client:
 Version:           28.5.0
 API version:       1.51
 Go version:        go1.24.7
 Git commit:        887030f
 Built:             Thu Oct 2 14:54:39 2025
 OS/Arch:           linux/arm64
 Context:           default
Server:
 Engine:
  Version:          dev
  API version:      1.52 (minimum version 1.44)
  ....
Trying to use an older version of the API produces an error:
DOCKER_API_VERSION=1.43 docker version
Client:
 Version:           28.5.0
 API version:       1.43 (downgraded from 1.51)
 Go version:        go1.24.7
 Git commit:        887030f
 Built:             Thu Oct 2 14:54:39 2025
 OS/Arch:           linux/arm64
 Context:           default
Error response from daemon: client version 1.43 is too old. Minimum supported API version is 1.44, please upgrade your client to a newer version
To restore the previous minimum, users can start the daemon with the
DOCKER_MIN_API_VERSION environment variable set:
DOCKER_MIN_API_VERSION=1.24 dockerd
API 1.24 is the oldest supported API version;
docker version
Client:
 Version:           28.5.0
 API version:       1.24 (downgraded from 1.51)
 Go version:        go1.24.7
 Git commit:        887030f
 Built:             Thu Oct 2 14:54:39 2025
 OS/Arch:           linux/arm64
 Context:           default
Server:
 Engine:
  Version:          dev
  API version:      1.52 (minimum version 1.24)
  ....
When using the `DOCKER_MIN_API_VERSION` with a version of the API that
is not supported, an error is produced when starting the daemon;
DOCKER_MIN_API_VERSION=1.23 dockerd --validate
invalid DOCKER_MIN_API_VERSION: minimum supported API version is 1.24: 1.23
DOCKER_MIN_API_VERSION=1.99 dockerd --validate
invalid DOCKER_MIN_API_VERSION: maximum supported API version is 1.52: 1.99
Specifying a malformed API version also produces the same error;
DOCKER_MIN_API_VERSION=hello dockerd --validate
invalid DOCKER_MIN_API_VERSION: minimum supported API version is 1.24: hello
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
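As an added example (written for this page, not the daemon's own code), the block below models the two checks the commit message above describes: validating the DOCKER_MIN_API_VERSION override at daemon start against the supported range, and rejecting a client that negotiates a version below the effective minimum. The range 1.24 to 1.52 and the default of 1.44 are taken from the outputs shown in the commit; that they are plain constants here, and that a malformed value is reported with the same "minimum supported" wording the commit shows for `hello`, are assumptions of this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Supported range, as printed by the daemon in the commit message. The real
// daemon derives these from its API package; constants are an assumption here.
const (
	defaultMinAPIVersion = "1.44"
	lowestAPIVersion     = "1.24"
	highestAPIVersion    = "1.52"
)

// parseAPIVersion accepts only "MAJOR.MINOR" with non-negative integers.
func parseAPIVersion(s string) (major, minor int, ok bool) {
	parts := strings.Split(s, ".")
	if len(parts) != 2 {
		return 0, 0, false
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil || major < 0 || minor < 0 {
		return 0, 0, false
	}
	return major, minor, true
}

// lessThan compares two well-formed versions numerically, so 1.9 < 1.10
// (a plain string comparison would get this wrong).
func lessThan(a, b string) bool {
	am, an, _ := parseAPIVersion(a)
	bm, bn, _ := parseAPIVersion(b)
	if am != bm {
		return am < bm
	}
	return an < bn
}

// minAPIVersion returns the effective minimum for the given value of
// DOCKER_MIN_API_VERSION ("" means unset). Malformed and too-low values
// share the "minimum supported" error; too-high values get "maximum supported".
func minAPIVersion(envValue string) (string, error) {
	if envValue == "" {
		return defaultMinAPIVersion, nil
	}
	if _, _, ok := parseAPIVersion(envValue); !ok || lessThan(envValue, lowestAPIVersion) {
		return "", fmt.Errorf("invalid DOCKER_MIN_API_VERSION: minimum supported API version is %s: %s", lowestAPIVersion, envValue)
	}
	if lessThan(highestAPIVersion, envValue) {
		return "", fmt.Errorf("invalid DOCKER_MIN_API_VERSION: maximum supported API version is %s: %s", highestAPIVersion, envValue)
	}
	return envValue, nil
}

// checkClientVersion is the per-request check: a client below the effective
// minimum is refused with the error shown in the commit message.
func checkClientVersion(client, min string) error {
	if _, _, ok := parseAPIVersion(client); !ok || lessThan(client, min) {
		return fmt.Errorf("client version %s is too old. Minimum supported API version is %s, please upgrade your client to a newer version", client, min)
	}
	return nil
}

func main() {
	for _, v := range []string{"", "1.24", "1.23", "1.99", "hello"} {
		min, err := minAPIVersion(v)
		fmt.Printf("DOCKER_MIN_API_VERSION=%q -> min=%q err=%v\n", v, min, err)
	}
	fmt.Println(checkClientVersion("1.43", "1.44"))
	fmt.Println(checkClientVersion("1.51", "1.44"))
}
```

Note that the override only lowers the floor; versions below 1.44 remain "best effort" as the commit states, so a deployment that sets DOCKER_MIN_API_VERSION=1.24 should treat that as a migration aid rather than a supported configuration.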
This release addresses breakage caused by a security patch included in
Go 1.25.2 and 1.24.8, which enforced overly restrictive validation on
the parsing of X.509 certificates. We've removed those restrictions
while maintaining the security fix that the initial release addressed.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>