Slightly touch up the security policy in this repository to describe
the process in more detail.
- Describe process around reporting, triage, and review.
- Describe timelines for acknowledging reports.
- Refer to supported versions / branches.
Some of this wording was adopted from containerd's policy, adjusting
where needed (e.g. the project currently does not have an embargoed
security announce list, and no formal definition of security advisors).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Similar to EnableIPv6:
- Set it if EnableIPv4 is specified in a create request.
- Otherwise, set it if included in `default-network-opts`.
- Apart from in a config-from network, so that it doesn't look
like the API request set the field.
- Include the new field in Network marshalling/unmarshalling test.
Signed-off-by: Rob Murray <rob.murray@docker.com>
The "not mounted" error from .integration-daemon-stop is not an error,
so let's suppress that one (this is the only effect of -q option, at
least according to its man page).
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
In docker versions before v24.0, the dockerd daemon allowed adjusting
its own oom-score; in that case we would forward the configuration to
containerd (when running as child process) for it to do the same.
This feature was deprecated in 5a922dc162,
and removed in fb96b94ed0, but some fields
were left behind in the supervisor package.
This patch removes the oomScore field and adjustOOMScore method from
the remote type.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The `shim.BinaryName()` function used from containerd is part of the
"github.com/containerd/containerd/runtime/v2/shim" package, which comes
with a large number of dependencies.
This patch implements a local variant of the check so that we can remove
the dependency.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Most tests in integration/networking/bridge_test.go are
skipped on Windows - and I want to add a test that uses
helpers that aren't implemented on Windows.
So, move it to bridge_linux_test.go, remove the skips
and put the couple of Windows/nat tests in their own file.
(TestPortMappedHairpin was the only dual-platform test,
it's now got two versions.)
Signed-off-by: Rob Murray <rob.murray@docker.com>
Commit 4b9dc647 (from 2016) added this in response to a
review comment, but I don't think it can ever have worked
because n.enableIPv6 = netMap["enableIPv6"].(bool), added
in 2015, would already have panic'd if the field wasn't
stored.
In any case, it's no longer needed.
Signed-off-by: Rob Murray <rob.murray@docker.com>
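The failure mode described in the commit message above, as an added Go example that is not code from the repository: a single-value type assertion on a missing map key panics, so a fallback written after it can never run. The `network` type, the function names and the JSON record are hypothetical and constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// network is a hypothetical stand-in for a stored network record.
type network struct{ enableIPv6 bool }

// decodeUnchecked uses the single-value assertion; recover exposes the panic as an error.
func decodeUnchecked(data []byte) (n network, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	var netMap map[string]interface{}
	if err = json.Unmarshal(data, &netMap); err != nil {
		return n, err
	}
	n.enableIPv6 = netMap["enableIPv6"].(bool) // panics when the key is absent
	return n, nil
}

// decodeChecked uses the default for an absent field and errors on a wrong type.
func decodeChecked(data []byte, def bool) (network, error) {
	var netMap map[string]interface{}
	if err := json.Unmarshal(data, &netMap); err != nil {
		return network{}, err
	}
	v, present := netMap["enableIPv6"]
	if !present {
		return network{enableIPv6: def}, nil
	}
	b, ok := v.(bool)
	if !ok {
		return network{}, fmt.Errorf("enableIPv6: want bool, got %T", v)
	}
	return network{enableIPv6: b}, nil
}

func main() {
	old := []byte(`{"name":"br0"}`) // constructed record without the field
	_, err := decodeUnchecked(old)
	fmt.Println("unchecked:", err)
	n, err := decodeChecked(old, false)
	fmt.Println("checked:", n.enableIPv6, err)
}
```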
The cleanups var collided with the cleanups import; rename it to use
the same name as is used in the Windows implementation.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Use a more distinct name, so that local variables can use it. While
at it, also added GoDoc to describe its functionality.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The same code was used both on Linux and Windows; move it to a platform-
agnostic file so that both can use this function, which contains GoDoc
describing the functionality.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
[buildkit@29b4b1a537][1] applied changes to `buildkitd` to set the correct
defaults, which should be 16MB, but used the library defaults. Without that
change, builds using large Dockerfiles would fail with a `ResourceExhausted`
error;
    => [internal] load build definition from Dockerfile
    => => transferring dockerfile: 896.44kB
    ERROR: failed to receive status: rpc error: code = ResourceExhausted desc = grpc: received message larger than max (44865299 vs. 16777216)
However those changes were applied to the `buildkitd` code, which is the
daemon when running BuildKit standalone (or in a container through the
`container` driver). When running a build with the BuildKit builder compiled
into the Docker Engine, that code is not used, so the BuildKit changes did
not fix the issue.
This patch applies the same changes as were made in [buildkit@29b4b1a537][1]
to the gRPC endpoint provided by the dockerd daemon.
[1]: 29b4b1a537
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Remove a special `Details` parameter from the `GetImage` options and
extract its behavior to an `ImageInspect` method as it was only used by
the `/images/{name}/json` endpoint (`docker image inspect`).
This makes it easier for the containerd image service to output an image
inspect output without having to use the same data structures as the
graphdrivers.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>