* [PATCH v2 1/4] Revert "docker-moby: Security fix for CVE-2024-41110"
2026-02-23 16:35 [PATCH v2 0/4] Update docker-moby to v25.0.9 felix
@ 2026-02-23 16:35 ` felix
2026-02-23 16:35 ` [PATCH v2 2/4] docker-moby: Update libnetwork felix
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: felix @ 2026-02-23 16:35 UTC (permalink / raw)
To: meta-virtualization; +Cc: Félix Piédallu, pascal.eberhard
From: Félix Piédallu <felix.piedallu@non.se.com>
This reverts commit 78abd77b8695705e6e55266745c838bb665486de.
Security fixes are backported in v25.0.9.
---
recipes-containers/docker/docker-moby_git.bb | 2 -
.../docker/files/CVE-2024-41110_1.patch | 177 ---------------------
.../docker/files/CVE-2024-41110_2.patch | 99 ------------
3 files changed, 278 deletions(-)
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index b1b2cbb5..1331930e 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -59,8 +59,6 @@ SRC_URI = "\
file://CVE-2024-36620.patch;patchdir=src/import \
file://CVE-2024-36621.patch;patchdir=src/import \
file://CVE-2024-29018.patch;patchdir=src/import \
- file://CVE-2024-41110_1.patch;patchdir=src/import \
- file://CVE-2024-41110_2.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
diff --git a/recipes-containers/docker/files/CVE-2024-41110_1.patch b/recipes-containers/docker/files/CVE-2024-41110_1.patch
deleted file mode 100644
index 7f74348a..00000000
--- a/recipes-containers/docker/files/CVE-2024-41110_1.patch
+++ /dev/null
@@ -1,177 +0,0 @@
-From 88c4b7690840044ce15489699294ec7c5dadf5dd Mon Sep 17 00:00:00 2001
-From: Jameson Hyde <jameson.hyde@docker.com>
-Date: Mon, 26 Nov 2018 14:15:22 -0500
-Subject: [PATCH] Authz plugin security fixes for 0-length content and path
- validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-fix comments
-
-(cherry picked from commit 9659c3a52bac57e615b5fb49b0652baca448643e)
-Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
-(cherry picked from commit 2ac8a479c53d9b8e67c55f1e283da9d85d2b3415)
-Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
-
-Upstream-Status: Backport from [https://github.com/moby/moby/commit/88c4b7690840044ce15489699294ec7c5dadf5dd]
-CVE: CVE-2024-41110
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- pkg/authorization/authz.go | 38 ++++++++++++++++++---
- pkg/authorization/authz_unix_test.go | 49 ++++++++++++++++++++++++++--
- 2 files changed, 80 insertions(+), 7 deletions(-)
-
-diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
-index 1eb44315dd..4c2e90b251 100644
---- a/pkg/authorization/authz.go
-+++ b/pkg/authorization/authz.go
-@@ -8,6 +8,8 @@ import (
- "io"
- "mime"
- "net/http"
-+ "net/url"
-+ "regexp"
- "strings"
-
- "github.com/containerd/log"
-@@ -53,10 +55,23 @@ type Ctx struct {
- authReq *Request
- }
-
-+func isChunked(r *http.Request) bool {
-+ // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
-+ if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
-+ return true
-+ }
-+ for _, v := range r.TransferEncoding {
-+ if 0 == strings.Compare(strings.ToLower(v), "chunked") {
-+ return true
-+ }
-+ }
-+ return false
-+}
-+
- // AuthZRequest authorized the request to the docker daemon using authZ plugins
- func (ctx *Ctx) AuthZRequest(w http.ResponseWriter, r *http.Request) error {
- var body []byte
-- if sendBody(ctx.requestURI, r.Header) && r.ContentLength > 0 && r.ContentLength < maxBodySize {
-+ if sendBody(ctx.requestURI, r.Header) && (r.ContentLength > 0 || isChunked(r)) && r.ContentLength < maxBodySize {
- var err error
- body, r.Body, err = drainBody(r.Body)
- if err != nil {
-@@ -109,7 +124,6 @@ func (ctx *Ctx) AuthZResponse(rm ResponseModifier, r *http.Request) error {
- if sendBody(ctx.requestURI, rm.Header()) {
- ctx.authReq.ResponseBody = rm.RawBody()
- }
--
- for _, plugin := range ctx.plugins {
- log.G(context.TODO()).Debugf("AuthZ response using plugin %s", plugin.Name())
-
-@@ -147,10 +161,26 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
- return nil, newBody, err
- }
-
-+func isAuthEndpoint(urlPath string) (bool, error) {
-+ // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
-+ matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
-+ if err != nil {
-+ return false, err
-+ }
-+ return matched, nil
-+}
-+
- // sendBody returns true when request/response body should be sent to AuthZPlugin
--func sendBody(url string, header http.Header) bool {
-+func sendBody(inURL string, header http.Header) bool {
-+ u, err := url.Parse(inURL)
-+ // Assume no if the URL cannot be parsed - an empty request will still be forwarded to the plugin and should be rejected
-+ if err != nil {
-+ return false
-+ }
-+
- // Skip body for auth endpoint
-- if strings.HasSuffix(url, "/auth") {
-+ isAuth, err := isAuthEndpoint(u.Path)
-+ if isAuth || err != nil {
- return false
- }
-
-diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
-index c9b18d96e9..275f1dd3d0 100644
---- a/pkg/authorization/authz_unix_test.go
-+++ b/pkg/authorization/authz_unix_test.go
-@@ -174,8 +174,8 @@ func TestDrainBody(t *testing.T) {
-
- func TestSendBody(t *testing.T) {
- var (
-- url = "nothing.com"
- testcases = []struct {
-+ url string
- contentType string
- expected bool
- }{
-@@ -219,15 +219,58 @@ func TestSendBody(t *testing.T) {
- contentType: "",
- expected: false,
- },
-+ {
-+ url: "nothing.com/auth",
-+ contentType: "",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/auth?p1=test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/test?p1=/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "nothing.com/something/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "nothing.com/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/v1.24/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "nothing.com/v1/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
- }
- )
-
- for _, testcase := range testcases {
- header := http.Header{}
- header.Set("Content-Type", testcase.contentType)
-+ if testcase.url == "" {
-+ testcase.url = "nothing.com"
-+ }
-
-- if b := sendBody(url, header); b != testcase.expected {
-- t.Fatalf("Unexpected Content-Type; Expected: %t, Actual: %t", testcase.expected, b)
-+ if b := sendBody(testcase.url, header); b != testcase.expected {
-+ t.Fatalf("sendBody failed: url: %s, content-type: %s; Expected: %t, Actual: %t", testcase.url, testcase.contentType, testcase.expected, b)
- }
- }
- }
---
-2.44.4
-
diff --git a/recipes-containers/docker/files/CVE-2024-41110_2.patch b/recipes-containers/docker/files/CVE-2024-41110_2.patch
deleted file mode 100644
index 48f21b52..00000000
--- a/recipes-containers/docker/files/CVE-2024-41110_2.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From 8fc313c00169d14f1712d5661306d9e0c8838257 Mon Sep 17 00:00:00 2001
-From: Jameson Hyde <jameson.hyde@docker.com>
-Date: Sat, 1 Dec 2018 11:25:49 -0500
-Subject: [PATCH 2/2] If url includes scheme, urlPath will drop hostname, which
- would not match the auth check
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
-(cherry picked from commit 754fb8d9d03895ae3ab60d2ad778152b0d835206)
-Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
-(cherry picked from commit 5282cb25d09db924fa92fdb8fb7a9bd20bb845b7)
-Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
-
-Upstream-Status: Backport from [https://github.com/moby/moby/commit/7ff423cc1c991d8dc0a7b5d1d93e1cf3efaac169]
-CVE: CVE-2024-41110
-Signed-off-by: Siddharth Doshi <sdoshi@mvista.com>
----
- pkg/authorization/authz.go | 6 ++---
- pkg/authorization/authz_unix_test.go | 35 ++++++++++++++++++++++++++++
- 2 files changed, 38 insertions(+), 3 deletions(-)
-
-diff --git a/pkg/authorization/authz.go b/pkg/authorization/authz.go
-index 4c2e90b251..d568a2b597 100644
---- a/pkg/authorization/authz.go
-+++ b/pkg/authorization/authz.go
-@@ -57,11 +57,11 @@ type Ctx struct {
-
- func isChunked(r *http.Request) bool {
- // RFC 7230 specifies that content length is to be ignored if Transfer-Encoding is chunked
-- if strings.ToLower(r.Header.Get("Transfer-Encoding")) == "chunked" {
-+ if strings.EqualFold(r.Header.Get("Transfer-Encoding"), "chunked") {
- return true
- }
- for _, v := range r.TransferEncoding {
-- if 0 == strings.Compare(strings.ToLower(v), "chunked") {
-+ if strings.EqualFold(v, "chunked") {
- return true
- }
- }
-@@ -163,7 +163,7 @@ func drainBody(body io.ReadCloser) ([]byte, io.ReadCloser, error) {
-
- func isAuthEndpoint(urlPath string) (bool, error) {
- // eg www.test.com/v1.24/auth/optional?optional1=something&optional2=something (version optional)
-- matched, err := regexp.MatchString(`^[^\/]+\/(v\d[\d\.]*\/)?auth.*`, urlPath)
-+ matched, err := regexp.MatchString(`^[^\/]*\/(v\d[\d\.]*\/)?auth.*`, urlPath)
- if err != nil {
- return false, err
- }
-diff --git a/pkg/authorization/authz_unix_test.go b/pkg/authorization/authz_unix_test.go
-index 275f1dd3d0..66b4d20452 100644
---- a/pkg/authorization/authz_unix_test.go
-+++ b/pkg/authorization/authz_unix_test.go
-@@ -259,6 +259,41 @@ func TestSendBody(t *testing.T) {
- contentType: "application/json;charset=UTF8",
- expected: false,
- },
-+ {
-+ url: "www.nothing.com/v1.24/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "https://www.nothing.com/v1.24/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "http://nothing.com/v1.24/auth/test",
-+ contentType: "application/json;charset=UTF8",
-+ expected: false,
-+ },
-+ {
-+ url: "www.nothing.com/test?p1=/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "http://www.nothing.com/test?p1=/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "www.nothing.com/something/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
-+ {
-+ url: "https://www.nothing.com/something/auth",
-+ contentType: "application/json;charset=UTF8",
-+ expected: true,
-+ },
- }
- )
-
---
-2.44.4
-
--
2.52.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* [PATCH v2 4/4] docker-moby: Update to v25.0.9
2026-02-23 16:35 [PATCH v2 0/4] Update docker-moby to v25.0.9 felix
` (2 preceding siblings ...)
2026-02-23 16:35 ` [PATCH v2 3/4] docker-moby: Update docker cli felix
@ 2026-02-23 16:35 ` felix
2026-02-26 18:21 ` [meta-virtualization] [PATCH v2 0/4] Update docker-moby " Bruce Ashfield
4 siblings, 0 replies; 6+ messages in thread
From: felix @ 2026-02-23 16:35 UTC (permalink / raw)
To: meta-virtualization; +Cc: Félix Piédallu, pascal.eberhard
From: Félix Piédallu <felix.piedallu@non.se.com>
This is the latest point release of v25.0 that supports Go v1.22
Bumping moby to version v25.0.14, which comprises the following commits:
89a48b65fc Dockerfile: update runc binary to v1.2.5
aae4029600 update to go1.22.12
a2802d0746 update to go1.22.11 (fix CVE-2024-45341, CVE-2024-45336)
9281aea6ce ci: update base container to alpine20 for buildkit workflow
b1d6fd957d gha: set arm64 GO_VERSION to 1.22.10
7540f88434 ci: switch from jenkins to gha for arm64 build and tests
f8d9617c43 ci(bin-image): fix bake build
bec5e8eed1 ci: update bake-action to v6
fcb50183e4 Dockerfile: update runc binary to v1.2.4
20af9f77a6 Dockerfile: update containerd to v1.7.25
7d20eee4fd Dockerfile: update runc binary to v1.2.3
eacc3610f9 libnetwork/drivers/bridge: setupIPChains: fix defer checking wrong err
842024e721 update xx to v1.6.1 for compatibility with alpine 3.21
96b8a34d2b Dockerfile: update xx to v1.5.0
5ed63409a2 Dockerfile: update xx to v1.4.0
03885ae2c0 update to go1.22.10
ddc8a15eb5 Dockerd rootless: make {/etc,/var/run}/cdi available
6648f3a10e c8d/tag: Don't log a warning if the source image is not dangling
6f497b2d51 Dockerfile: update to runc v1.2.2
01c163d4ee Dockerfile: update containerd to v1.7.24
708c8dc304 gha: shorter time limits for smoke, validate
f6bcbab7a1 gha: use "ubuntu-24.04" instead of "ubuntu-latest"
2de8143fa6 gha: dco: small tweaks to running the container
e0857ef530 gha: dco: update ALPINE_VERSION to 3.20
1b7b596513 gha: build (binary), build (dynbinary): limit to 20 minutes
2e43cd5450 gha: dco: limit to 10 minutes
bdb21cd779 integration: add wait
911478fb28 Jenkinsfile: modprobe br_netfilter
2278d180a7 daemon: use OwnCgroupPath in withCgroups
a6d1d0693f vendor: github.com/golang-jwt/jwt/v4@v4.5.1
0ed4861f9c update to go1.22.9
2df019330c update runc binary to 1.1.14
e6de0b8f3b update runc binary to v1.1.13
cb56070132 volume: VolumesService.Create: fix log-level for debug logs
480b01a532 volume/mounts: fix anonymous volume not being labeled
f7b7ec14b8 volume/service: change some logs to use structured logs
60eece38cd Fix: setup user chains even if there are running containers
54ac8bbe37 cmd/dockerd: Add workaround for OTEL meter leak
6e1af3d5d8 gha: remove stray double empty line
0eae0850ac gha: restrict cross and bin-image to 20 minutes
e6a2c9bebb gha: add guardrails timeouts on all jobs
4b98bfd07d gha: buildkit: make sure expected Go version is installed
ae548176dc update to go1.22.8
122682205f Dockerfile: update containerd binary to v1.7.22
9f102b3b5b Dockerfile: update containerd binary to v1.7.21 (static binaries and CI only)
75891766e4 man: dockerd: add description for --log-format option
3ec9003a14 Update dlv in the dev-env
caef5cc70c Explicitly disable nvidia device injection for --gpus=0
34471d3259 seccomp: add riscv64 mapping to seccomp_linux.go
bec84c9c31 update to go1.22.7
d0315c9824 golangci-lint: temporarily disable G115: integer overflow conversion
ff546aff14 update golangci-lint to v1.60.2
15db81eeaa update to go1.22.6
23af4b75e9 hack/make/.binary: set CGO_LDFLAGS=-latomic for arm/v5
da8bfd963e hack/make/.binary: set CCGO_CFLAGS=-Wno-atomic-alignment for arm/v5
0ce4415ff2 daemon: fix non-constant format string in call (govet)
14a48ac308 api/types: fix non-constant format string in call (govet)
c50e7e6ca2 api/server/router: fix non-constant format string in call (govet)
2a4ea4749d container/stream: fix non-constant format string in call (govet)
b536253047 libnetwork/drivers/bridge: fix non-constant format string in call (govet)
3216abd8db volume/testutils: fix non-constant format string in call (govet)
dd5a6fdbac builder/dockerfile: parseChownFlag: fix non-constant format string in call (govet)
0c5e131330 layer: ignore G602: slice index out of range (gosec)
b50a85d0ed cmd/dockerd: fix non-constant format string in call (govet)
8105391708 libnetwork: fix non-constant format string in call (govet)
6209d5bd68 integration-cli: fix non-constant format string in call (govet)
25cffb9dec integration-cli: DockerSwarmSuite: rm redundant Fprintf, handle errors
21279f652e integration-cli: DockerNetworkSuite: rm redundant Fprintf, handle errors
a27066d1ca integration-cli: use erors.New() instead of fmt.Errorf
e88d4ea298 libnetwork: TestDNSOptions: remove redundant skip check
613d955d38 integration-cli: remove redundant platform checks
e962b3e06e update to go1.21.13
33dbea3c37 vendor: github.com/Microsoft/go-winio v0.6.2
5e46424b29 vendor: golang.org/x/tools v0.16.0
5ca50f5c24 vendor: golang.org/x/mod v0.17.0
a599caf7e9 update golangci-lint to v1.59.1
89903672a7 pkg/archive: reformat code to make #nosec comment work again
dbf6db9306 builder/remotecontext: reformat code to make #nosec comment work again
55a4cadaa5 man: create parent directories in install recipe
042dad56d0 man: support bringing your own go-md2man
553d915ef4 man: build dockerd man pages using make
c70f626351 Removed all mentions of "please" from docs and messages
5966382473 docs: add default-network-opt daemon option
3edc25412a docs: remove devicemapper
65906e44b0 man/dockerd.8: assorted formatting fixes
a298720e8f man/dockerd.8: escape asterisks and underscores
88a3e540c9 docs: update dockerd usage output for new proxy-options
90fc11f69a Fix styling of arguments
182df40d13 Fix the max-concurrent-downloads and max-concurrent-uploads configs documentation
2544c68655 docs: remove documentation about deprecated cluster-store
be77069539 Document `--validate` daemon option
0299ca1d73 Update man-page source MarkDown to work with go-md2man v2
aff4659c67 docs: update for cgroup v2 and rootless
c47231e5cf docker run: specify cgroup namespace mode with --cgroupns
962f331e76 daemon: document --max-download-attempts option
71f9bfe47f Update document links and title.
017213c2b0 Allow user to specify default address pools for docker networks This is separate commit for CLI files to address PR 36054
210f03082b Update docs and completion-scripts for deprecated features
2f78133a0a Added docs for dockerd
675593bb4f fix a number of minor typos
9c291b1745 Introduce/document new IPC modes
a23ff1bb1a docs: add documentation for dm.libdm_log_level
c78cecd77f Restore dockerd man page
f14cf10618 gha: set permissions to read-only by default
0cd951e4dd api: adjust health start interval on swarm update
d151b0f87f vendor: OTEL v0.46.1 / v1.21.0
30f8908102 github/ci: Check if backport is opened against the expected branch
7454d6a2e6 ci: update workflow artifacts retention
e8ecb9c76d update containerd binary to v1.7.20
e6cae1f237 update containerd binary to v1.7.19
8ec448db6b update containerd binary to v1.7.18
274310807e integration/TestDiskUsage: Make 4096 also a 'empty' value
886e726984 Dockerfile: update containerd binary to v1.7.17 (static binaries and CI only)
a0f0f7e77e update containerd binary to v1.7.15
91903e81ca If url includes scheme, urlPath will drop hostname, which would not match the auth check
ccfe0a41d4 Authz plugin security fixes for 0-length content and path validation Signed-off-by: Jameson Hyde <jameson.hyde@docker.com>
d046451b34 update to go1.21.12 [part 2]
e16a25e442 update to go1.21.12
b1aac1b134 update to go1.21.11
fffbe84ded Makefile: Pass PAGER/GIT_PAGER variable
9f6600deed builder/mobyexporter: Add missing nil check
70fe516b46 don't depend on containerd platform.Parse to return a typed error
f7ce828e9e Fix issue where node promotion could fail
98ddccbbfe apparmor: Allow confined runc to kill containers
637205391b update to go1.21.10
3d56d734db vendor: google.golang.org/protobuf v1.33.0, github.com/golang/protobuf v1.5.4
0a2f5085ee vendor: cloud.google.com/go/logging v1.8.1
3141ea5c8b vendor: golang.org/x/mod v0.13.0, golang.org/x/tools v0.13.0
4f25076181 vendor: golang.org/x/sync v0.5.0
d93cc7edc0 nil dereference fix on image history Created value
ee5909c2d0 vendor: golang.org/x/net v0.23.0
f37d6f5f48 vendor: golang.org/x/net v0.22.0, golang.org/x/crypto v0.21.0
fd828b6766 go.mod: golang.org/x/sys v0.18.0
584a30c772 awslogs: Replace depreacted WithEndpointResolver usage
60605eb1da vendor: bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs to v1.32.0
71b8e0339c vendor: bump github.com/aws/aws-sdk-go-v2 to v1.24.1
08e8912d7c ci/validate-pr: Use `::error::` command to print errors
e2e670299f Fix cases where we are wrapping a nil error
935787c19c save: Remove platform from config descriptor
bd19301d9e ci: Require changelog description
50bd133ad3 update to go1.21.9
a987bc5ad0 libnet: Don't forward to upstream resolvers on internal nw
20c205fd3a Environment variable to override resolv.conf path.
4be97233cc daemon: move getUnprivilegedMountFlags to internal package
7ed7e6caf6 plugin: fix mounting /etc/hosts when running in UserNS
81ad7062f0 rootless: fix `open /etc/docker/plugins: permission denied`
02d4ee3f9a Makefile: generate-files: fix check for empty TMP_OUT
478f6b097d volume: Don't decrement refcount below 0
d250e13945 builder-next: fix missing lock in ensurelayer
d0d85f6438 daemon: overlay2: remove world writable permission from the lower file
0451b287dc Don't create endpoint config for MAC addr config migration
d27fe2558d dockerd-rootless-setuptool.sh: check RootlessKit functionality
77de535364 Dockerfile: update RootlessKit to v2.0.2
2d347024d1 update to go1.21.8
f66b5f642e Test DNS on Windows 'nat' networks
fa4ea308f0 c8d/windows: Temporarily skip two failing tests
d66e0fb7b1 Set up DNS names for Windows default network
7a4abb8c77 ci: set codecov token
81a83f0544 Simplify macvlan/ipvlan integration test structure
abcd6f8a46 Run the macvlan/ipvlan integration tests
f7be6dcba6 integration: Reset `OTEL_EXPORTER_OTLP_ENDPOINT` for sub-daemons
10609544e5 update to go1.21.7
be59afce2d c8d/pull: Output truncated id for `Pulling fs layer`
97951c39fb c8d/pull: Don't emit `Downloading` with 0 progress
2001813571 c8d/pull: Emit `Pulling fs layer`
8e3bcf1974 pkg/streamformatter: Make `progressOutput` concurrency safe
27f36f42a4 builder/dockerfile: ADD with best-effort xattrs
1ae019fca2 Don't enforce new validation rules for existing networks
c761353e7c Make 'internal' bridge networks accessible from host
10bc347b03 ci: Update `teststat` to v0.1.25
94137f6df5 client: fix connection-errors being shadowed by API version mismatch errors
dd5faa9d4f ci: Make `find` for test reports more specific
012bfd33e5 client: doRequest: make sure we return a connection-error
3ec1946ce1 client: NegotiateAPIVersion: do not ignore (connection) errors from Ping
200a2c3576 client: fix TestPingWithError
70c05fe10c libcontainerd: change the digest used when restoring
e85cef89fa api/pre-1.44: Default `ReadOnlyNonRecursive` to true
a72294a668 mounts/validate: Don't check source exists with CreateMountpoint
9ee331235a integration: Add container.Output utility
5d9e13bc84 api: omit missing Created field from ImageInspect response
bb66c3ca04 api/history: Mention empty `Created`
fa3a64f2bc Set `Created` to `0001-01-01T00:00:00Z` on older API versions
Signed-off-by: Félix Piédallu <felix.piedallu@non.se.com>
---
recipes-containers/docker/docker-moby_git.bb | 7 +-
.../docker/files/CVE-2024-29018.patch | 344 ---------------------
.../docker/files/CVE-2024-36620.patch | 39 ---
.../docker/files/CVE-2024-36621.patch | 82 -----
4 files changed, 2 insertions(+), 470 deletions(-)
diff --git a/recipes-containers/docker/docker-moby_git.bb b/recipes-containers/docker/docker-moby_git.bb
index dd6dac05..e66416db 100644
--- a/recipes-containers/docker/docker-moby_git.bb
+++ b/recipes-containers/docker/docker-moby_git.bb
@@ -44,7 +44,7 @@ DESCRIPTION = "Linux container runtime \
# so we get that tag, and make it our SRCREVS:
#
-SRCREV_moby = "f417435e5f6216828dec57958c490c4f8bae4f98"
+SRCREV_moby = "a926bec8fc91332410133b24f3e9e3f5add13b48"
SRCREV_libnetwork = "3797618f9a38372e8107d8c06f6ae199e1133ae8"
SRCREV_cli = "43987fca488a535d810c429f75743d8c7b63bf4f"
SRCREV_FORMAT = "moby_libnetwork"
@@ -56,9 +56,6 @@ SRC_URI = "\
file://0001-libnetwork-use-GO-instead-of-go.patch \
file://0001-cli-use-external-GO111MODULE-and-cross-compiler.patch \
file://0001-dynbinary-use-go-cross-compiler.patch;patchdir=src/import \
- file://CVE-2024-36620.patch;patchdir=src/import \
- file://CVE-2024-36621.patch;patchdir=src/import \
- file://CVE-2024-29018.patch;patchdir=src/import \
"
DOCKER_COMMIT = "${SRCREV_moby}"
@@ -69,7 +66,7 @@ require docker.inc
LICENSE = "Apache-2.0"
LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=4859e97a9c7780e77972d989f0823f28"
-DOCKER_VERSION = "25.0.3"
+DOCKER_VERSION = "25.0.9"
PV = "${DOCKER_VERSION}+git${SRCREV_moby}"
CVE_PRODUCT = "docker mobyproject:moby"
diff --git a/recipes-containers/docker/files/CVE-2024-29018.patch b/recipes-containers/docker/files/CVE-2024-29018.patch
deleted file mode 100644
index f3c800ff..00000000
--- a/recipes-containers/docker/files/CVE-2024-29018.patch
+++ /dev/null
@@ -1,344 +0,0 @@
-From 20c205fd3a0081d005958eff690e2b34df1c5e5e Mon Sep 17 00:00:00 2001
-From: Rob Murray <rob.murray@docker.com>
-Date: Tue, 19 Mar 2024 11:19:30 +0000
-Subject: [PATCH 1/2] Environment variable to override resolv.conf path.
-
-If env var DOCKER_TEST_RESOLV_CONF_PATH is set, treat it as an override
-for the 'resolv.conf' path.
-
-Added as part of resolv.conf refactoring, but needed by back-ported test
-TestInternalNetworkDNS.
-
-Signed-off-by: Rob Murray <rob.murray@docker.com>
-
-CVE: CVE-2024-29018
-Upstream-Status: Backport [https://github.com/moby/moby/commit/e63daec8672d77ac0b2b5c262ef525c7cf17fd20]
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- daemon/container_operations_unix.go | 20 +--
- integration/networking/resolvconf_test.go | 142 ++++++++++++++++++++++
- libnetwork/endpoint.go | 12 +-
- libnetwork/resolver.go | 17 ++-
- libnetwork/sandbox_dns_unix.go | 9 +-
- 5 files changed, 182 insertions(+), 18 deletions(-)
- create mode 100644 integration/networking/resolvconf_test.go
-
-diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 6a23a4ca92..e9be1b4e72 100644
---- a/daemon/container_operations_unix.go
-+++ b/daemon/container_operations_unix.go
-@@ -380,6 +380,7 @@ func serviceDiscoveryOnDefaultNetwork() bool {
-
- func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Config, sboxOptions *[]libnetwork.SandboxOption) error {
- var err error
-+ var originResolvConfPath string
-
- // Set the correct paths for /etc/hosts and /etc/resolv.conf, based on the
- // networking-mode of the container. Note that containers with "container"
-@@ -393,8 +394,8 @@ func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Con
- *sboxOptions = append(
- *sboxOptions,
- libnetwork.OptionOriginHostsPath("/etc/hosts"),
-- libnetwork.OptionOriginResolvConfPath("/etc/resolv.conf"),
- )
-+ originResolvConfPath = "/etc/resolv.conf"
- case container.HostConfig.NetworkMode.IsUserDefined():
- // The container uses a user-defined network. We use the embedded DNS
- // server for container name resolution and to act as a DNS forwarder
-@@ -407,10 +408,7 @@ func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Con
- // If systemd-resolvd is used, the "upstream" DNS servers can be found in
- // /run/systemd/resolve/resolv.conf. We do not query those DNS servers
- // directly, as they can be dynamically reconfigured.
-- *sboxOptions = append(
-- *sboxOptions,
-- libnetwork.OptionOriginResolvConfPath("/etc/resolv.conf"),
-- )
-+ originResolvConfPath = "/etc/resolv.conf"
- default:
- // For other situations, such as the default bridge network, container
- // discovery / name resolution is handled through /etc/hosts, and no
-@@ -423,11 +421,15 @@ func setupPathsAndSandboxOptions(container *container.Container, cfg *config.Con
- // DNS servers on the host can be dynamically updated.
- //
- // Copy the host's resolv.conf for the container (/run/systemd/resolve/resolv.conf or /etc/resolv.conf)
-- *sboxOptions = append(
-- *sboxOptions,
-- libnetwork.OptionOriginResolvConfPath(cfg.GetResolvConf()),
-- )
-+ originResolvConfPath = cfg.GetResolvConf()
-+ }
-+
-+ // Allow tests to point at their own resolv.conf file.
-+ if envPath := os.Getenv("DOCKER_TEST_RESOLV_CONF_PATH"); envPath != "" {
-+ log.G(context.TODO()).Infof("Using OriginResolvConfPath from env: %s", envPath)
-+ originResolvConfPath = envPath
- }
-+ *sboxOptions = append(*sboxOptions, libnetwork.OptionOriginResolvConfPath(originResolvConfPath))
-
- container.HostsPath, err = container.GetRootResourcePath("hosts")
- if err != nil {
-diff --git a/integration/networking/resolvconf_test.go b/integration/networking/resolvconf_test.go
-new file mode 100644
-index 0000000000..60c8b1bc9a
---- /dev/null
-+++ b/integration/networking/resolvconf_test.go
-@@ -0,0 +1,142 @@
-+package networking
-+
-+import (
-+ "net"
-+ "os"
-+ "testing"
-+
-+ containertypes "github.com/docker/docker/api/types/container"
-+ "github.com/docker/docker/integration/internal/container"
-+ "github.com/docker/docker/integration/internal/network"
-+ "github.com/docker/docker/testutil/daemon"
-+ "github.com/miekg/dns"
-+ "gotest.tools/v3/assert"
-+ is "gotest.tools/v3/assert/cmp"
-+ "gotest.tools/v3/skip"
-+)
-+
-+// writeTempResolvConf writes a resolv.conf that only contains a single
-+// nameserver line, with address addr.
-+// It returns the name of the temp file.
-+func writeTempResolvConf(t *testing.T, addr string) string {
-+ t.Helper()
-+ // Not using t.TempDir() here because in rootless mode, while the temporary
-+ // directory gets mode 0777, it's a subdir of an 0700 directory owned by root.
-+ // So, it's not accessible by the daemon.
-+ f, err := os.CreateTemp("", "resolv.conf")
-+ assert.NilError(t, err)
-+ t.Cleanup(func() { os.Remove(f.Name()) })
-+ err = f.Chmod(0644)
-+ assert.NilError(t, err)
-+ f.Write([]byte("nameserver " + addr + "\n"))
-+ return f.Name()
-+}
-+
-+const dnsRespAddr = "10.11.12.13"
-+
-+// startDaftDNS starts and returns a really, really daft DNS server that only
-+// responds to type-A requests, and always with address dnsRespAddr.
-+func startDaftDNS(t *testing.T, addr string) *dns.Server {
-+ serveDNS := func(w dns.ResponseWriter, query *dns.Msg) {
-+ if query.Question[0].Qtype == dns.TypeA {
-+ resp := &dns.Msg{}
-+ resp.SetReply(query)
-+ answer := &dns.A{
-+ Hdr: dns.RR_Header{
-+ Name: query.Question[0].Name,
-+ Rrtype: dns.TypeA,
-+ Class: dns.ClassINET,
-+ Ttl: 600,
-+ },
-+ }
-+ answer.A = net.ParseIP(dnsRespAddr)
-+ resp.Answer = append(resp.Answer, answer)
-+ _ = w.WriteMsg(resp)
-+ }
-+ }
-+
-+ conn, err := net.ListenUDP("udp", &net.UDPAddr{
-+ IP: net.ParseIP(addr),
-+ Port: 53,
-+ })
-+ assert.NilError(t, err)
-+
-+ server := &dns.Server{Handler: dns.HandlerFunc(serveDNS), PacketConn: conn}
-+ go func() {
-+ _ = server.ActivateAndServe()
-+ }()
-+
-+ return server
-+}
-+
-+// Check that when a container is connected to an internal network, DNS
-+// requests sent to daemon's internal DNS resolver are not forwarded to
-+// an upstream resolver listening on a localhost address.
-+// (Assumes the host does not already have a DNS server on 127.0.0.1.)
-+func TestInternalNetworkDNS(t *testing.T) {
-+ skip.If(t, testEnv.DaemonInfo.OSType == "windows", "No resolv.conf on Windows")
-+ skip.If(t, testEnv.IsRootless, "Can't use resolver on host in rootless mode")
-+ ctx := setupTest(t)
-+
-+ // Start a DNS server on the loopback interface.
-+ server := startDaftDNS(t, "127.0.0.1")
-+ defer server.Shutdown()
-+
-+ // Set up a temp resolv.conf pointing at that DNS server, and a daemon using it.
-+ tmpFileName := writeTempResolvConf(t, "127.0.0.1")
-+ d := daemon.New(t, daemon.WithEnvVars("DOCKER_TEST_RESOLV_CONF_PATH="+tmpFileName))
-+ d.StartWithBusybox(ctx, t, "--experimental", "--ip6tables")
-+ defer d.Stop(t)
-+
-+ c := d.NewClientT(t)
-+ defer c.Close()
-+
-+ intNetName := "intnet"
-+ network.CreateNoError(ctx, t, c, intNetName,
-+ network.WithDriver("bridge"),
-+ network.WithInternal(),
-+ )
-+ defer network.RemoveNoError(ctx, t, c, intNetName)
-+
-+ extNetName := "extnet"
-+ network.CreateNoError(ctx, t, c, extNetName,
-+ network.WithDriver("bridge"),
-+ )
-+ defer network.RemoveNoError(ctx, t, c, extNetName)
-+
-+ // Create a container, initially with external connectivity.
-+ // Expect the external DNS server to respond to a request from the container.
-+ ctrId := container.Run(ctx, t, c, container.WithNetworkMode(extNetName))
-+ defer c.ContainerRemove(ctx, ctrId, containertypes.RemoveOptions{Force: true})
-+ res, err := container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+ assert.NilError(t, err)
-+ assert.Check(t, is.Equal(res.ExitCode, 0))
-+ assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
-+
-+ // Connect the container to the internal network as well.
-+ // External DNS should still be used.
-+ err = c.NetworkConnect(ctx, intNetName, ctrId, nil)
-+ assert.NilError(t, err)
-+ res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+ assert.NilError(t, err)
-+ assert.Check(t, is.Equal(res.ExitCode, 0))
-+ assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
-+
-+ // Disconnect from the external network.
-+ // Expect no access to the external DNS.
-+ err = c.NetworkDisconnect(ctx, extNetName, ctrId, true)
-+ assert.NilError(t, err)
-+ res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+ assert.NilError(t, err)
-+ assert.Check(t, is.Equal(res.ExitCode, 1))
-+ assert.Check(t, is.Contains(res.Stdout(), "SERVFAIL"))
-+
-+ // Reconnect the external network.
-+ // Check that the external DNS server is used again.
-+ err = c.NetworkConnect(ctx, extNetName, ctrId, nil)
-+ assert.NilError(t, err)
-+ res, err = container.Exec(ctx, c, ctrId, []string{"nslookup", "test.example"})
-+ assert.NilError(t, err)
-+ assert.Check(t, is.Equal(res.ExitCode, 0))
-+ assert.Check(t, is.Contains(res.Stdout(), dnsRespAddr))
-+}
-diff --git a/libnetwork/endpoint.go b/libnetwork/endpoint.go
-index d9c257dc68..3ca546a4ac 100644
---- a/libnetwork/endpoint.go
-+++ b/libnetwork/endpoint.go
-@@ -538,8 +538,13 @@ func (ep *Endpoint) sbJoin(sb *Sandbox, options ...EndpointOption) (err error) {
- return sb.setupDefaultGW()
- }
-
-- moveExtConn := sb.getGatewayEndpoint() != extEp
-+ currentExtEp := sb.getGatewayEndpoint()
-+ // Enable upstream forwarding if the sandbox gained external connectivity.
-+ if sb.resolver != nil {
-+ sb.resolver.SetForwardingPolicy(currentExtEp != nil)
-+ }
-
-+ moveExtConn := currentExtEp != extEp
- if moveExtConn {
- if extEp != nil {
- log.G(context.TODO()).Debugf("Revoking external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
-@@ -735,6 +740,11 @@ func (ep *Endpoint) sbLeave(sb *Sandbox, force bool, options ...EndpointOption)
-
- // New endpoint providing external connectivity for the sandbox
- extEp = sb.getGatewayEndpoint()
-+ // Disable upstream forwarding if the sandbox lost external connectivity.
-+ if sb.resolver != nil {
-+ sb.resolver.SetForwardingPolicy(extEp != nil)
-+ }
-+
- if moveExtConn && extEp != nil {
- log.G(context.TODO()).Debugf("Programming external connectivity on endpoint %s (%s)", extEp.Name(), extEp.ID())
- extN, err := extEp.getNetworkFromStore()
-diff --git a/libnetwork/resolver.go b/libnetwork/resolver.go
-index 9df2154499..5d5686fc86 100644
---- a/libnetwork/resolver.go
-+++ b/libnetwork/resolver.go
-@@ -9,6 +9,7 @@ import (
- "strconv"
- "strings"
- "sync"
-+ "sync/atomic"
- "time"
-
- "github.com/containerd/log"
-@@ -75,7 +76,7 @@ type Resolver struct {
- tcpListen *net.TCPListener
- err error
- listenAddress string
-- proxyDNS bool
-+ proxyDNS atomic.Bool
- startCh chan struct{}
- logger *log.Entry
-
-@@ -85,15 +86,17 @@ type Resolver struct {
-
- // NewResolver creates a new instance of the Resolver
- func NewResolver(address string, proxyDNS bool, backend DNSBackend) *Resolver {
-- return &Resolver{
-+ r := &Resolver{
- backend: backend,
-- proxyDNS: proxyDNS,
- listenAddress: address,
- err: fmt.Errorf("setup not done yet"),
- startCh: make(chan struct{}, 1),
- fwdSem: semaphore.NewWeighted(maxConcurrent),
- logInverval: rate.Sometimes{Interval: logInterval},
- }
-+ r.proxyDNS.Store(proxyDNS)
-+
-+ return r
- }
-
- func (r *Resolver) log(ctx context.Context) *log.Entry {
-@@ -194,6 +197,12 @@ func (r *Resolver) SetExtServers(extDNS []extDNSEntry) {
- }
- }
-
-+// SetForwardingPolicy re-configures the embedded DNS resolver to either enable or disable forwarding DNS queries to
-+// external servers.
-+func (r *Resolver) SetForwardingPolicy(policy bool) {
-+ r.proxyDNS.Store(policy)
-+}
-+
- // NameServer returns the IP of the DNS resolver for the containers.
- func (r *Resolver) NameServer() string {
- return r.listenAddress
-@@ -421,7 +430,7 @@ func (r *Resolver) serveDNS(w dns.ResponseWriter, query *dns.Msg) {
- return
- }
-
-- if r.proxyDNS {
-+ if r.proxyDNS.Load() {
- // If the user sets ndots > 0 explicitly and the query is
- // in the root domain don't forward it out. We will return
- // failure and let the client retry with the search domain
-diff --git a/libnetwork/sandbox_dns_unix.go b/libnetwork/sandbox_dns_unix.go
-index e30f394057..9f7a1c4671 100644
---- a/libnetwork/sandbox_dns_unix.go
-+++ b/libnetwork/sandbox_dns_unix.go
-@@ -30,10 +30,11 @@ const (
- func (sb *Sandbox) startResolver(restore bool) {
- sb.resolverOnce.Do(func() {
- var err error
-- // The embedded resolver is always started with proxyDNS set as true, even when the sandbox is only attached to
-- // an internal network. This way, it's the driver responsibility to make sure `connect` syscall fails fast when
-- // no external connectivity is available (eg. by not setting a default gateway).
-- sb.resolver = NewResolver(resolverIPSandbox, true, sb)
-+ // The resolver is started with proxyDNS=false if the sandbox does not currently
-+ // have a gateway. So, if the Sandbox is only connected to an 'internal' network,
-+ // it will not forward DNS requests to external resolvers. The resolver's
-+ // proxyDNS setting is then updated as network Endpoints are added/removed.
-+ sb.resolver = NewResolver(resolverIPSandbox, sb.getGatewayEndpoint() != nil, sb)
- defer func() {
- if err != nil {
- sb.resolver = nil
---
-2.50.1
-
diff --git a/recipes-containers/docker/files/CVE-2024-36620.patch b/recipes-containers/docker/files/CVE-2024-36620.patch
deleted file mode 100644
index 03628fb3..00000000
--- a/recipes-containers/docker/files/CVE-2024-36620.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From ab570ab3d62038b3d26f96a9bb585d0b6095b9b4 Mon Sep 17 00:00:00 2001
-From: Christopher Petito <47751006+krissetto@users.noreply.github.com>
-Date: Fri, 19 Apr 2024 10:44:30 +0000
-Subject: [PATCH] nil dereference fix on image history Created value
-
-Issue was caused by the changes here https://github.com/moby/moby/pull/45504
-First released in v25.0.0-beta.1
-
-CVE: CVE-2024-36620
-
-Upstream-Status: Backport [https://github.com/moby/moby/commit/ab570ab3d62038b3d26f96a9bb585d0b6095b9b4]
-
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
----
- daemon/images/image_history.go | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/daemon/images/image_history.go b/daemon/images/image_history.go
-index dcf7a906aa..e5adda8639 100644
---- a/daemon/images/image_history.go
-+++ b/daemon/images/image_history.go
-@@ -41,10 +41,14 @@ func (i *ImageService) ImageHistory(ctx context.Context, name string) ([]*image.
- layer.ReleaseAndLog(i.layerStore, l)
- layerCounter++
- }
-+ var created int64
-+ if h.Created != nil {
-+ created = h.Created.Unix()
-+ }
-
- history = append([]*image.HistoryResponseItem{{
- ID: "<missing>",
-- Created: h.Created.Unix(),
-+ Created: created,
- CreatedBy: h.CreatedBy,
- Comment: h.Comment,
- Size: layerSize,
---
-2.40.0
diff --git a/recipes-containers/docker/files/CVE-2024-36621.patch b/recipes-containers/docker/files/CVE-2024-36621.patch
deleted file mode 100644
index 6560f46a..00000000
--- a/recipes-containers/docker/files/CVE-2024-36621.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 37545cc644344dcb576cba67eb7b6f51a463d31e Mon Sep 17 00:00:00 2001
-From: Tonis Tiigi <tonistiigi@gmail.com>
-Date: Wed, 6 Mar 2024 23:11:32 -0800
-Subject: [PATCH] builder-next: fix missing lock in ensurelayer
-
-When this was called concurrently from the moby image
-exporter there could be a data race where a layer was
-written to the refs map when it was already there.
-
-In that case the reference count got mixed up and on
-release only one of these layers was actually released.
-
-CVE: CVE-2024-36621
-
-Upstream-Status: Backport [https://github.com/moby/moby/commit/37545cc644344dcb576cba67eb7b6f51a463d31e]
-
-Signed-off-by: Praveen Kumar <praveen.kumar@windriver.com>
----
- .../builder-next/adapters/snapshot/layer.go | 3 +++
- .../adapters/snapshot/snapshot.go | 19 +++++++++++--------
- 2 files changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/builder/builder-next/adapters/snapshot/layer.go b/builder/builder-next/adapters/snapshot/layer.go
-index 73120ea70b..fc83058339 100644
---- a/builder/builder-next/adapters/snapshot/layer.go
-+++ b/builder/builder-next/adapters/snapshot/layer.go
-@@ -22,6 +22,9 @@ func (s *snapshotter) GetDiffIDs(ctx context.Context, key string) ([]layer.DiffI
- }
-
- func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
-+ s.layerCreateLocker.Lock(key)
-+ defer s.layerCreateLocker.Unlock(key)
-+
- diffIDs, err := s.GetDiffIDs(ctx, key)
- if err != nil {
- return nil, err
-diff --git a/builder/builder-next/adapters/snapshot/snapshot.go b/builder/builder-next/adapters/snapshot/snapshot.go
-index a0d28ad984..510ffefb49 100644
---- a/builder/builder-next/adapters/snapshot/snapshot.go
-+++ b/builder/builder-next/adapters/snapshot/snapshot.go
-@@ -17,6 +17,7 @@ import (
- "github.com/moby/buildkit/identity"
- "github.com/moby/buildkit/snapshot"
- "github.com/moby/buildkit/util/leaseutil"
-+ "github.com/moby/locker"
- "github.com/opencontainers/go-digest"
- "github.com/pkg/errors"
- bolt "go.etcd.io/bbolt"
-@@ -51,10 +52,11 @@ type checksumCalculator interface {
- type snapshotter struct {
- opt Opt
-
-- refs map[string]layer.Layer
-- db *bolt.DB
-- mu sync.Mutex
-- reg graphIDRegistrar
-+ refs map[string]layer.Layer
-+ db *bolt.DB
-+ mu sync.Mutex
-+ reg graphIDRegistrar
-+ layerCreateLocker *locker.Locker
- }
-
- // NewSnapshotter creates a new snapshotter
-@@ -71,10 +73,11 @@ func NewSnapshotter(opt Opt, prevLM leases.Manager, ns string) (snapshot.Snapsho
- }
-
- s := &snapshotter{
-- opt: opt,
-- db: db,
-- refs: map[string]layer.Layer{},
-- reg: reg,
-+ opt: opt,
-+ db: db,
-+ refs: map[string]layer.Layer{},
-+ reg: reg,
-+ layerCreateLocker: locker.New(),
- }
-
- slm := newLeaseManager(s, prevLM)
---
-2.40.0
--
2.52.0
^ permalink raw reply related [flat|nested] 6+ messages in thread