From d39a556288d7efbb495da544e3bff831628a8269 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Sat, 15 Jul 2023 20:25:29 +0200
Subject: [PATCH] [0.11] vendor: github.com/docker/docker 0cae31c7dd6e08b96994e22c059c132a70119f7c (v23.0.7-dev)
relevant changes:
- remove name_to_handle_at(2) from filtered syscalls and add it to allow-list
- client: define a "dummy" hostname to use for local connections fixed compatibility with go1.19.11 and go1.20.6
full diff: https://github.com/docker/docke/rcompare/v23.0.6...0cae31c7dd6e08b96994e22c059c132a70119f7c
Signed-off-by: Sebastiaan van Stijn
---
 go.mod | 2 +-
 go.sum | 4 +--
 .../github.com/docker/docker/client/client.go | 30 +++++++++++++++++++
 .../github.com/docker/docker/client/hijack.go | 6 +++-
 .../docker/docker/client/request.go | 10 +++----
 .../docker/profiles/seccomp/default.json | 2 +-
 .../docker/profiles/seccomp/default_linux.go | 2 +-
 vendor/modules.txt | 2 +-
 8 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/go.mod b/go.mod
index fabf3286d671f..a57074b5ab223 100644
--- a/go.mod
+++ b/go.mod
@@ -27,7 +27,7 @@ require (
 github.com/coreos/go-systemd/v22 v22.4.0
 github.com/docker/cli v23.0.6+incompatible
 github.com/docker/distribution v2.8.2+incompatible
- github.com/docker/docker v23.0.6+incompatible
+ github.com/docker/docker v23.0.7-0.20230720050051-0cae31c7dd6e+incompatible // v23.0.7-dev
 github.com/docker/go-connections v0.4.0
 github.com/docker/go-units v0.5.0
 github.com/gofrs/flock v0.8.1
diff --git a/go.sum b/go.sum
index d1c62afd73dc2..7b98b2bcab4b3 100644
--- a/go.sum
+++ b/go.sum
@@ -523,8 +523,8 @@ github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r
 github.com/docker/docker v17.12.0-ce-rc1.0.20200730172259-9f28837c1d93+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.0-beta1.0.20201110211921-af34b94a78a1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker v23.0.6+incompatible h1:aBD4np894vatVX99UTx/GyOUOK4uEcROwA3+bQhEcoU=
-github.com/docker/docker v23.0.6+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v23.0.7-0.20230720050051-0cae31c7dd6e+incompatible h1:3GGzs7NaqbBVPzDJZsJ6j/d2cij35mH9AyOQj28Pg84=
+github.com/docker/docker v23.0.7-0.20230720050051-0cae31c7dd6e+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y=
 github.com/docker/docker-credential-helpers v0.6.4/go.mod h1:ofX3UI0Gz1TteYBjtgs07O36Pyasyp66D2uKT7H8W1c=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
diff --git a/vendor/github.com/docker/docker/client/client.go b/vendor/github.com/docker/docker/client/client.go
index 09ea4851ff5d5..ca9ceee43dd37 100644
--- a/vendor/github.com/docker/docker/client/client.go
+++ b/vendor/github.com/docker/docker/client/client.go
@@ -56,6 +56,36 @@ import (
 "github.com/pkg/errors"
 )
+// DummyHost is a hostname used for local communication.
+//
+// It acts as a valid formatted hostname for local connections (such as "unix://"
+// or "npipe://") which do not require a hostname. It should never be resolved,
+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
+// and [RFC 6761, Section 6.3]).
+//
+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
+// cases:
+//
+// If the authority component is missing or undefined for the target URI,
+// then a client MUST send a Host header field with an empty field-value.
+//
+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
+// allow an empty header to be used, and requires req.URL.Scheme to be either
+// "http" or "https".
+//
+// For further details, refer to:
+//
+// - https://github.com/docker/engine-api/issues/189
+// - https://github.com/golang/go/issues/13624
+// - https://github.com/golang/go/issues/61076
+// - https://github.com/moby/moby/issues/45935
+//
+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
+const DummyHost = "api.moby.localhost"
+
 // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
 var ErrRedirect = errors.New("unexpected redirect in response")
diff --git a/vendor/github.com/docker/docker/client/hijack.go b/vendor/github.com/docker/docker/client/hijack.go
index 6bdacab10adbe..4dcaaca4c58f5 100644
--- a/vendor/github.com/docker/docker/client/hijack.go
+++ b/vendor/github.com/docker/docker/client/hijack.go
@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
 }
 func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
- req.Host = cli.addr
+ req.URL.Host = cli.addr
+ if cli.proto == "unix" || cli.proto == "npipe" {
+ // Override host header for non-tcp connections.
+ req.Host = DummyHost
+ }
 req.Header.Set("Connection", "Upgrade")
 req.Header.Set("Upgrade", proto)
diff --git a/vendor/github.com/docker/docker/client/request.go b/vendor/github.com/docker/docker/client/request.go
index c799095c12272..bcedcf3bd9d44 100644
--- a/vendor/github.com/docker/docker/client/request.go
+++ b/vendor/github.com/docker/docker/client/request.go
@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
 return nil, err
 }
 req = cli.addHeaders(req, headers)
+ req.URL.Scheme = cli.scheme
+ req.URL.Host = cli.addr
 if cli.proto == "unix" || cli.proto == "npipe" {
- // For local communications, it doesn't matter what the host is. We just
- // need a valid and meaningful host name. (See #189)
- req.Host = "docker"
+ // Override host header for non-tcp connections.
+ req.Host = DummyHost
 }
- req.URL.Host = cli.addr
- req.URL.Scheme = cli.scheme
-
 if expectedPayload && req.Header.Get("Content-Type") == "" {
 req.Header.Set("Content-Type", "text/plain")
 }
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/default.json b/vendor/github.com/docker/docker/profiles/seccomp/default.json
index f361066a2f7ae..cf785ef2c0ddb 100644
--- a/vendor/github.com/docker/docker/profiles/seccomp/default.json
+++ b/vendor/github.com/docker/docker/profiles/seccomp/default.json
@@ -237,6 +237,7 @@
 "munlock",
 "munlockall",
 "munmap",
+ "name_to_handle_at",
 "nanosleep",
 "newfstatat",
 "_newselect",
@@ -601,7 +602,6 @@
 "mount",
 "mount_setattr",
 "move_mount",
- "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
diff --git a/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go b/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go
index 1ee7d7a808b08..c9ee04167789d 100644
--- a/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go
+++ b/vendor/github.com/docker/docker/profiles/seccomp/default_linux.go
@@ -229,6 +229,7 @@ func DefaultProfile() *Seccomp {
 "munlock",
 "munlockall",
 "munmap",
+ "name_to_handle_at",
 "nanosleep",
 "newfstatat",
 "_newselect",
@@ -592,7 +593,6 @@ func DefaultProfile() *Seccomp {
 "mount",
 "mount_setattr",
 "move_mount",
- "name_to_handle_at",
 "open_tree",
 "perf_event_open",
 "quotactl",
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 4f95af50d91c9..1724eb4b2c50c 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -384,7 +384,7 @@ github.com/docker/cli/cli/connhelper/commandconn
 ## explicit
 github.com/docker/distribution/digestset
 github.com/docker/distribution/reference
-# github.com/docker/docker v23.0.6+incompatible
+# github.com/docker/docker v23.0.7-0.20230720050051-0cae31c7dd6e+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types