The test was failing on Windows because it used Unix-style paths and
relied on platform-specific filesystem behavior.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Restriction on anonymouse read-only volumes is currently preventing
the use of pre-populated volumes that should be accessed in a read-only manner in a container
(e.g. an NFS volume containing data to be processed or served).
According to @neersighted the restriction may have originally been put
in place with the assumption that pre-populated volumes would be
exposed as a named volume by the volume driver.
In practice, NFS volumes are mounted using the docker `local` driver
by supplying driver opts. Example that fails when `readonly` is specified but works without:
```
docker run --rm -it \
--mount 'readonly,type=volume,dst=/data/dest,volume-driver=local,volume-opt=type=nfs,volume-opt=device=:/export/some-share,"volume-opt=o=nfsvers=4,addr=some.server"' \
debian
```
Fixes#45297
Signed-off-by: Shane St Savage <shane@axds.co>
This check was added in 14c5cd377d to prevent
passing `nil` as type (`GenerateFromModel[nil](....)`), however, `nil` is not
a type, so trying to do so won't compile. Even if it would, it would be
theoretical at best, so let's just remove it.
fix linting:
daemon/libnetwork/options/options.go:57:13: SA4023(related information): the lhs of the comparison is the 1st return value of this function call (staticcheck)
modType := reflect.TypeFor[T]()
^
daemon/libnetwork/options/options.go:58:5: SA4023: this comparison is never true (staticcheck)
if modType == nil {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Some false positives from gosec (G602: slice index out of range)
integration-cli/daemon/daemon.go:109:1: deprecatedComment: `Deprecated: ` notices should be in a dedicated paragraph, separated from the rest (gocritic)
// Deprecated: use cli.WaitCmd instead
^
integration-cli/docker_cli_build_test.go:562:3: dupOption: function argument `build.WithFile("test_file3", "test3")` is duplicated (gocritic)
build.WithFile("test_file3", "test3"),
^
integration-cli/docker_utils_test.go:250:1: deprecatedComment: `Deprecated: ` notices should be in a dedicated paragraph, separated from the rest (gocritic)
// Deprecated: use cli.WaitFor
^
daemon/libnetwork/ipams/defaultipam/address_space.go:45:39: G602: slice index out of range (gosec)
if predefined[j].Overlaps(predefined[i].Base) {
^
daemon/libnetwork/ipams/defaultipam/address_space.go:49:29: G602: slice index out of range (gosec)
predefined[j] = predefined[i]
^
daemon/libnetwork/libnetwork_linux_test.go:1492:9: G602: slice index out of range (gosec)
sboxes[thd-1], err = controller.NewSandbox(context.Background(), fmt.Sprintf("%drace", thd))
^
daemon/libnetwork/networkdb/cluster_test.go:111:21: G602: slice index out of range (gosec)
mean, stdev := nf[0], nf[1]
^
daemon/libnetwork/osl/interface_linux.go:586:54: G602: slice index out of range (gosec)
log.G(ctx).WithField("portState", stateFileContent[0]).Debug("waiting for bridge port to be forwarding")
^
daemon/libnetwork/osl/interface_linux.go:594:32: G602: slice index out of range (gosec)
"portState": stateFileContent[0],
^
daemon/libnetwork/portallocator/osallocator_linux_test.go:358:13: G602: slice index out of range (gosec)
if payload[0] != 0x1 {
^
daemon/libnetwork/portallocator/osallocator_linux_test.go:359:68: G602: slice index out of range (gosec)
readCh <- fmt.Errorf("expected payload 0x1, but got %x", payload[0])
^
daemon/logger/gelf/gelf_test.go:197:9: nilness: impossible condition: nil != nil (govet)
if err != nil {
^
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The /grpc and /session endpoints are now deprecated as the Engine has
been upgraded to properly support HTTP/2 and h2c requests, making these
specialized endpoints unnecessary.
These endpoints will be removed in the next major API version to
complete the cleanup.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
When logging an unmarshal failure in the registry error handling code,
the function was incorrectly logging the uninitialized `derrs` variable
instead of the actual JSON unmarshal error `jerr`.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Add cleanup for the init layer directory if any operation fails after
driver.CreateReadWrite() succeeds in initMount(). Previously, failures
in driver.Get(), initFunc(), or driver.Put() would leave an orphaned
overlay2 directory.
Related to moby/moby#45939
Signed-off-by: Jan Scheffler <jan.scheffler@qodev.ai>
Add cleanup for the RW layer directory if saveMount() fails after
driver.CreateReadWrite() succeeds. Previously, this failure path would
leave an orphaned overlay2 directory with no corresponding metadata.
Related to moby/moby#45939
Signed-off-by: Jan Scheffler <jan.scheffler@qodev.ai>
Start the metadata transaction before creating the overlay2 directory.
This ensures that if driver.Create() fails, we can properly cancel the
transaction. Previously, if StartTransaction() failed after driver.Create()
succeeded, the defer cleanup would not run (not registered yet), leaving
an orphaned overlay2 directory.
The fix reorders operations so that:
1. Transaction is started first (no filesystem changes yet)
2. Overlay2 directory is created second (transaction ready for cleanup)
3. Defer is registered after both succeed (tx is guaranteed non-nil)
If driver.Create() fails, the transaction is explicitly cancelled before
returning. The nil check for tx in the defer is no longer needed since
tx is guaranteed to exist when the defer runs.
Related to moby/moby#45939
Signed-off-by: Jan Scheffler <jan.scheffler@qodev.ai>
Stopping the Engine while a container with autoremove set is running may
leave behind dead containers on disk. These containers aren't reclaimed
on next start, appear as "dead" in `docker ps -a` and can't be
inspected or removed by the user.
This bug has existed since a long time but became user visible with
9f5f4f5a42. Prior to that commit,
containers with no rwlayer weren't added to the in-memory viewdb, so
they weren't visible in `docker ps -a`. However, some dangling files
would still live on disk (e.g. folder in /var/lib/docker/containers,
mount points, etc).
The underlying issue is that when the daemon stops, it tries to stop all
running containers and then closes the containerd client. This leaves a
small window of time where the Engine might receive 'task stop' events
from containerd, and trigger autoremove. If the containerd client is
closed in parallel, the Engine is unable to complete the removal,
leaving the container in 'dead' state. In such case, the Engine logs the
following error:
cannot remove container "bcbc98b4f5c2b072eb3c4ca673fa1c222d2a8af00bf58eae0f37085b9724ea46": Canceled: grpc: the client connection is closing: context canceled
Solving the underlying issue would require complex changes to the
shutdown sequence. Moreover, the same issue could also happen if the
daemon crashes while it deletes a container. Thus, add a cleanup step
on daemon startup to remove these dead containers.
Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Replace WithDialOpts with WithExtraDialOpts when creating containerd
clients to preserve the containerd client's default dial options while
adding our custom options.
Previously, using WithDialOpts would overwrite all of containerd's
default dial options, requiring us to sync them.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
