While the target-file does not have to exist, its parent must, and must
be a directory. This adds a test-case to verify the behavior if the
parent is not a directory.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Previously, we were silently discarding this situation and hoping that
it would work; let's produce an error instead (we can add additional
filemodes when they arrive and if we need them)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The implementation uses "os.Rename" to move the temporary file to
the destination, which does not follow symlinks, and because of this
would replace a symlink with a file.
We can consider adding support for symlinked files in future, so that
WriteFile can be used as a drop-in replacement for `os.WriteFile()`
but in the meantime, let's produce an error so that nobody can depend
on this.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
CentOS 10 uses iptables-nft by default, and doesn't have
kernel module ip_tables - so dockerd-rootless-setuptool.sh
reports that the module is missing. It suggests installing
it (which isn't needed), or using --skip-iptables (which
disables iptables in daemon config).
So, unless "iptables --version" command reports "legacy",
check for kernel module "nf_tables" instead of "ip_tables".
Signed-off-by: Rob Murray <rob.murray@docker.com>
`GET /image/{name}/json` now supports `platform` parameter allowing to
specify which platform variant of a multi-platform image to inspect.
For servers that do not use containerd image store integration, this
option will cause an error if the requested platform doesn't match the
image's actual platform
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
full diff: https://github.com/golang/go/compare/go1.23.7...go1.23.8
release notes: https://go.dev/doc/devel/release#go1.24.2
go1.23.8 (released 2025-04-01) includes security fixes to the net/http package,
as well as bug fixes to the runtime and the go command. See the Go 1.23.8
milestone on our issue tracker for details;
https://github.com/golang/go/issues?q=milestone%3AGo1.23.8+label%3ACherryPickApproved
From the mailing list:
Hello gophers,
We have just released Go versions 1.24.2 and 1.23.8, minor point releases.
These minor releases include 1 security fixes following the security policy:
- net/http: request smuggling through invalid chunked data
The net/http package accepted data in the chunked transfer encoding
containing an invalid chunk-size line terminated by a bare LF.
When used in conjunction with a server or proxy which incorrectly
interprets a bare LF in a chunk extension as part of the extension,
this could permit request smuggling.
The net/http package now rejects chunk-size lines containing a bare LF.
Thanks to Jeppe Bonde Weikop for reporting this issue.
This is CVE-2025-22871 and Go issue https://go.dev/issue/71988.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Since commit f2a183a99, `getEndpointPortMapInfo` is called for all the
endpoints of a container to get its complete list of port mappings. This
is required as multiple endpoints might publish different ports (e.g.
IPv4-only and IPv6-only endpoints mapping an IPv4 and an IPv6 port).
`getEndpointPortMapInfo` calls `(*Endpoint).DriverInfo()` which has a
dodgy behavior: if the endpoint is part of a sandbox that also has an
endpoint for the `docker_gwbridge` network, then `(*Endpoint).DriverInfo()`
returns the DriverInfo of that `docker_gwbridge` endpoint in place of
the current Endpoint's DriverInfo.
On overlay networks, host port-mappings are made through the
`docker_gwbridge` network (which is automatically attached to all Swarm
tasks). This results in duplicated port mappings reported for all Swarm
containers.
Since `getEndpointPortMapInfo` is the only place where
`(*Endpoint).DriverInfo()` is called, just remove that dodgy behavior.
`(*Endpoint).DriverInfo()` has an OS-specific implementation. Unlike the
Linux implementation, on Windows, `DriverInfo()` returns the DriverInfo
of the gateway endpoint _in addition_ to the current Endpoint's
DriverInfo. So it shouldn't be affected by this bug -- don't touch it.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Tests will run in the host's namspace not the rootlesskit
namespace. So, just duplicating the non-rootless unit tests.
Signed-off-by: Rob Murray <rob.murray@docker.com>
Unlike the equivalent for pulling images, [Service.LookupPushEndpoints]
never returns mirror endpoints, as it calls [Service.lookupV2Endpoints]
with "includeMirrors=false", so we should not use this field, and
unconditionally handle errors without the additional fallbacks that
we consider for pulling images from a mirror.
[Service.LookupPushEndpoints]: cea56c1d9c/registry/service.go (L134-L139)
[Service.lookupV2Endpoints]: cea56c1d9c/registry/service_v2.go (L10-L40)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
The github action running bake expected FIREWALLD to be set, but
DOCKER_FIREWALLD was set instead, so firewalld wasn't installed
in the dev image.
The dind-systemd script expected DOCKER_FIREWALLD to be set if it
needed to run firewalld, and it was. But it had no effect.
In CI, bake builds the image then make runs it - and the use the
same env. So, align on FIREWALLD (as it's not a docker feature).
Signed-off-by: Rob Murray <rob.murray@docker.com>
Create an iptablesNetwork containing all the info needed to
set up per-network iptables rules, give it methods to do
create the rules, and use it instead of per-rule-type calls
from driver.createNetwork().
Signed-off-by: Rob Murray <rob.murray@docker.com>
While it's generally better to define interfaces locally, this one
now duplicated distribution.RegistryResolver, and it's passed on
to other types which expect that interface.
Remove this (un-exported) interface to make it easier to discover
what's used where.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
inline a simplified version of "newIndexInfo" without handling of
insecure registries and mirrors, as we don't need that information
to resolve the auth-config.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Simplify how we lookup auth-config, as we don't need the
additional information provided by RepositoryInfo. There's
still more layers to peel off, which will be done in follow-ups.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
