[pull] master from moby:master #1404
Open
+1,895,595
−628,209
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes warning: ``` time="2025-11-06T11:22:30Z" level=warning msg="Template locator \"template://oraclelinux-8\" should be written \"template:oraclelinux-8\" since Lima v2.0" ``` Signed-off-by: Paweł Gronowski <[email protected]>
Replace WithDialOpts with WithExtraDialOpts when creating containerd clients to preserve the containerd client's default dial options while adding our custom options. Previously, using WithDialOpts would overwrite all of containerd's default dial options, requiring us to sync them. Signed-off-by: Paweł Gronowski <[email protected]>
Stopping the Engine while a container with autoremove set is running may leave behind dead containers on disk. These containers aren't reclaimed on next start, appear as "dead" in `docker ps -a` and can't be inspected or removed by the user. This bug has existed since a long time but became user visible with 9f5f4f5. Prior to that commit, containers with no rwlayer weren't added to the in-memory viewdb, so they weren't visible in `docker ps -a`. However, some dangling files would still live on disk (e.g. folder in /var/lib/docker/containers, mount points, etc). The underlying issue is that when the daemon stops, it tries to stop all running containers and then closes the containerd client. This leaves a small window of time where the Engine might receive 'task stop' events from containerd, and trigger autoremove. If the containerd client is closed in parallel, the Engine is unable to complete the removal, leaving the container in 'dead' state. In such case, the Engine logs the following error: cannot remove container "bcbc98b4f5c2b072eb3c4ca673fa1c222d2a8af00bf58eae0f37085b9724ea46": Canceled: grpc: the client connection is closing: context canceled Solving the underlying issue would require complex changes to the shutdown sequence. Moreover, the same issue could also happen if the daemon crashes while it deletes a container. Thus, add a cleanup step on daemon startup to remove these dead containers. Signed-off-by: Albin Kerouanton <[email protected]>
project: add End-of-maintenance date for 25.0
gha/vm: Adjust lima template locators
rm -r hack/dockerfile/install
api: move scripts to generate and validate swagger to api module
daemon: use WithExtraDialOpts for containerd client connection
daemon: clean up dead containers on start
Signed-off-by: Nicolas De Loof <[email protected]>
Natively support gRPC on the docker socket
no changes in vendored code includes a fix for CVE-2025-67499 full diff: containernetworking/plugins@v1.8.0...v1.9.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: wazero/wazero@v0.9.0...v1.10.1 Signed-off-by: Sebastiaan van Stijn <[email protected]>
vendor: github.com/containernetworking/plugins v1.9.0
Start the metadata transaction before creating the overlay2 directory. This ensures that if driver.Create() fails, we can properly cancel the transaction. Previously, if StartTransaction() failed after driver.Create() succeeded, the defer cleanup would not run (not registered yet), leaving an orphaned overlay2 directory. The fix reorders operations so that: 1. Transaction is started first (no filesystem changes yet) 2. Overlay2 directory is created second (transaction ready for cleanup) 3. Defer is registered after both succeed (tx is guaranteed non-nil) If driver.Create() fails, the transaction is explicitly cancelled before returning. The nil check for tx in the defer is no longer needed since tx is guaranteed to exist when the defer runs. Related to #45939 Signed-off-by: Jan Scheffler <[email protected]>
layer: Fix orphan creation in registerWithDescriptor
vendor: github.com/tetratelabs/wazero v1.10.1
…45-e5b454202754 last commit before it updated to runtime-spec v1.3.0 full diff: opencontainers/runtime-tools@0ea5ed0...e5b4542 Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
vendor: github.com/opencontainers/runtime-tools v0.9.1-0.20251111083745-e5b454202754
NRI: allow plugins to add mounts
Add cleanup for the RW layer directory if saveMount() fails after driver.CreateReadWrite() succeeds. Previously, this failure path would leave an orphaned overlay2 directory with no corresponding metadata. Related to #45939 Signed-off-by: Jan Scheffler <[email protected]>
Signed-off-by: Aditya Mishra <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
Signed-off-by: Rob Murray <[email protected]>
Add cleanup for the init layer directory if any operation fails after driver.CreateReadWrite() succeeds in initMount(). Previously, failures in driver.Get(), initFunc(), or driver.Put() would leave an orphaned overlay2 directory. Related to #45939 Signed-off-by: Jan Scheffler <[email protected]>
Signed-off-by: Paweł Gronowski <[email protected]>
vendor: github.com/sirupsen/logrus v1.9.4
Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: aws/smithy-go@v1.23.1...v1.23.2 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: aws/aws-sdk-go-v2@v1.39.4...v1.39.6 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: aws/aws-sdk-go-v2@credentials/v1.18.19...credentials/v1.18.24 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: aws/aws-sdk-go-v2@config/v1.31.15...config/v1.31.20 Signed-off-by: Sebastiaan van Stijn <[email protected]>
vendor: update buildkit dependencies
full diff: googleapis/google-cloud-go@auth/v0.16.5...auth/v0.17.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: Azure/azure-sdk-for-go@sdk/azcore/v1.18.2...sdk/azcore/v1.20.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
no changes; same commit, but tagged full diff: anchore/go-struct-converter@c68fdcf...v0.1.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: containerd/nydus-snapshotter@v0.15.4...v0.15.10 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: googleapis/enterprise-certificate-proxy@v0.3.6...v0.3.7 Signed-off-by: Sebastiaan van Stijn <[email protected]>
…b101 full diff: googleapis/go-genproto@c5933d9...f26f940 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: hashicorp/go-sockaddr@v1.0.2...v1.0.7 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: prometheus/procfs@v0.16.1...v0.17.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: spdx/tools-golang@v0.5.5...v0.5.7 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: jmoiron/sqlx@v1.3.3...v1.4.0 Signed-off-by: Sebastiaan van Stijn <[email protected]>
full diff: grpc-ecosystem/grpc-gateway@v2.27.2...v2.27.3 Signed-off-by: Sebastiaan van Stijn <[email protected]>
vendor: update buildkit dependencies (indirects)
This releases includes 6 security fixes following the security policy:
- archive/zip: denial of service when parsing arbitrary ZIP archives
archive/zip used a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Thanks to Thanks to Jakub Ciolek for reporting this issue.
This is CVE-2025-61728 and Go issue https://go.dev/issue/77102.
- net/http: memory exhaustion in Request.ParseForm
When parsing a URL-encoded form net/http may allocate an unexpected amount of
memory when provided a large number of key-value pairs. This can result in a
denial of service due to memory exhaustion.
Thanks to jub0bs for reporting this issue.
This is CVE-2025-61726 and Go issue https://go.dev/issue/77101.
- crypto/tls: Config.Clone copies automatically generated session ticket keys, session resumption does not account for the expiration of full certificate chain
The Config.Clone methods allows cloning a Config which has already been passed
to a TLS function, allowing it to be mutated and reused.
If Config.SessionTicketKey has not been set, and Config.SetSessionTicketKeys has
not been called, crypto/tls will generate random session ticket keys and
automatically rotate them. Config.Clone would copy these automatically generated
keys into the returned Config, meaning that the two Configs would share session
ticket keys, allowing sessions created using one Config could be used to resume
sessions with the other Config. This can allow clients to resume sessions even
though the Config may be configured such that they should not be able to do so.
Config.Clone no longer copies the automatically generated session ticket keys.
Config.Clone still copies keys which are explicitly provided, either by setting
Config.SessionTicketKey or by calling Config.SetSessionTicketKeys.
This issue was discoverd by the Go Security team while investigating another
issue reported by Coia Prant (github.com/rbqvq).
Additionally, on the server side only the expiration of the leaf certificate, if
one was provided during the initial handshake, was checked when considering if a
session could be resumed. This allowed sessions to be resumed if an intermediate
or root certificate in the chain had expired.
Session resumption now takes into account of the full chain when determining if
the session can be resumed.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2025-68121 and Go issue https://go.dev/issue/77113.
- cmd/go: bypass of flag sanitization can lead to arbitrary code execution
Usage of 'CgoPkgConfig' allowed execution of the pkg-config
binary with flags that are not explicitly safe-listed.
To prevent this behavior, compiler flags resulting from usage
of 'CgoPkgConfig' are sanitized prior to invoking pkg-config.
Thank you to RyotaK (https://ryotak.net) of GMO Flatt Security Inc.
for reporting this issue.
This is CVE-2025-61731 and go.dev/issue/77100.
- cmd/go: unexpected code execution when invoking toolchain
The Go toolchain supports multiple VCS which are used retrieving modules and
embedding build information into binaries.
On systems with Mercurial installed (hg) downloading modules (e.g. via go get or
go mod download) from non-standard sources (e.g. custom domains) can cause
unexpected code execution due to how external VCS commands are constructed.
On systems with Git installed, downloading and building modules with malicious
version strings could allow an attacker to write to arbitrary files on the
system the user has access to. This can only be triggered by explicitly
providing the malicious version strings to the toolchain, and does not affect
usage of @latest or bare module paths.
The toolchain now uses safer VCS options to prevent misinterpretation of
untrusted inputs. In addition, the toolchain now disallows module version
strings prefixed with a "-" or "/" character.
Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this
issue.
This is CVE-2025-68119 and Go issue https://go.dev/issue/77099.
- crypto/tls: handshake messages may be processed at the incorrect encryption level
During the TLS 1.3 handshake if multiple messages are sent in records that span
encryption level boundaries (for instance the Client Hello and Encrypted
Extensions messages), the subsequent messages may be processed before the
encryption level changes. This can cause some minor information disclosure if a
network-local attacker can inject messages during the handshake.
Thanks to Coia Prant (github.com/rbqvq) for reporting this issue.
This is CVE-2025-61730 and Go issue https://go.dev/issue/76443
View the release notes for more information:
https://go.dev/doc/devel/release#go1.25.6
Signed-off-by: Paweł Gronowski <[email protected]>
full diff: moby/buildkit@d1e5d1a...v0.27.0-rc1 Signed-off-by: Paweł Gronowski <[email protected]>
full diff: moby/buildkit@v0.27.0-rc1...faed462 Signed-off-by: Paweł Gronowski <[email protected]>
update to go1.25.6
vendor: github.com/moby/buildkit v0.27.0-rc1
Signed-off-by: Tonis Tiigi <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
Signed-off-by: Tonis Tiigi <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
Enable inspect endpoint to verify image signatures and expose signature information for inspection. Signed-off-by: Tonis Tiigi <[email protected]> Signed-off-by: Sebastiaan van Stijn <[email protected]>
Add trusted identity to images
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
19 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )