BoltDB

- Fix the freelist.allocs isn't rollbacked when a tx is rollbacked.

CMD

- Add -gobench-output option for bench command to adapt to benchstat.

Other

- Bump go version to 1.22.x.
- This patch also added dmflakey package, which can be reused by other projects. See #812.

full diff: etcd-io/bbolt@v1.3.10...v1.3.11

Signed-off-by: Sebastiaan van Stijn <[email protected]>

full diff: golang/sys@v0.24.0...v0.25.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

no changes in vendored code

full diff: golang/text@v0.17.0...v0.18.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

full diff: golang/crypto@v0.26.0...v0.27.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

no changes in vendored code

full diff: golang/net@v0.28.0...v0.29.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

full diff: golang/mod@v0.20.0...v0.21.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

full diff: golang/tools@v0.24.0...v0.25.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

full diff: cespare/xxhash@v2.2.0...v2.3.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

full diff: protocolbuffers/protobuf-go@v1.33.0...v1.34.1

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Signed-off-by: Sebastiaan van Stijn <[email protected]>

vendor assorted dependencies in preparation of BuildKit v0.17

…endency

This test was originally used to test the experimental `--stream` option with
the classic builder. This feature was removed in Docker 20.10 through
6ca3ec8, which also disabled the test
(adding a note to rewrite the test for BuildKit).

The above is 5 years ago, and we now run the BuildKit integration tests
as part of our CI, which (I assume) should cover this functionality.

Removing this test, as it depends on github.com/tonistiigi/fsutil, which
does not have a stable API, and frequently cannot be updated independently
from BuildKit.

Also adding a linter-rule to prevent it from accidentally being imported;

    errdefs/defs.go:3:8: import 'github.com/tonistiigi/fsutil' is not allowed from list 'main': The fsutil module does not have a stable API, so we should not have a direct dependency unless necessary. (depguard)
    import _ "github.com/tonistiigi/fsutil"
           ^

Signed-off-by: Sebastiaan van Stijn <[email protected]>

We had a few "runaway jobs" recently, where the job got stuck, and kept
running for 6 hours (in one case even 24 hours, probably due some github
outage). Some of those jobs could not be terminated.

While running these actions on public repositories doesn't cost us, it's
still not desirable to have jobs running for that long (as they can still
hold up the queue).

This patch adds a blanket "2 hours" time-limit to all jobs that didn't
have a limit set. We should look at tweaking those limits to actually
expected duration, but having a default at least is a start.

Also changed the position of some existing timeouts so that we have a
consistent order in which it's set; making it easier to spot locations
where no limit is defined.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

…WithSession

integration/build: remove TestBuildWithSession, and fsutil direct dependency

gha: add guardrails timeouts on all jobs

Accidentally introduced in 6b7e278

Signed-off-by: Sebastiaan van Stijn <[email protected]>

gha: remove stray double empty line

Without containerd store enabled, we were discarding underlying errors,
and instead informing the user that `--platform` is not suported;

    docker pull --quiet --platform=linux/riscv64 alpine:latest
    docker image push --platform=linux/amd64 alpine:latest
    Error response from daemon: graphdriver backed image store doesn't support multiplatform images

However, that's not the case; platform filtering works, but if the image
is not the right platform, the push fails (which is the same as would
happen with the containerd image store enabled).

    docker image push --platform=linux/amd64 alpine:latest
    Error response from daemon: image with reference docker.io/library/alpine:latest was found but does not match the specified platform: wanted linux/amd64, actual: linux/riscv64

When specifying the platform and that platform matches, it finds the image,
and the push continue;

    docker image push --platform=linux/riscv64 alpine:latest
    The push refers to repository [docker.io/library/alpine]
    3fd4750fd687: Layer already exists
    ...

(The above example obviously fails because I don't have permissions to
push official images).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

Slightly touching up the error message, because the "wanted/actual" output
felt too much like a assertion failure in a test-case.

- Format the image-reference using "familiar" format, which shows the
  image's short name for official images.
- Move the actual and requested platforms to be a part of the sentence,
  but within braces.

Before this patch:

    docker image push --platform=linux/amd64 alpine:latest
    Error response from daemon: image with reference docker.io/library/alpine:latest was found but does not match the specified platform: wanted linux/amd64, actual: linux/riscv64

With this patch:

    docker image push --platform=linux/amd64 alpine:latest
    Error response from daemon: image with reference alpine:latest was found but its platform (linux/riscv64) does not match the specified platform (linux/amd64)

Signed-off-by: Sebastiaan van Stijn <[email protected]>

TestAttachDisconnectLeak starts its own daemon with iptables disabled,
but disabling ip6tables was missed when we enabled ip6tables by default.

TestNetworkStateCleanupOnDaemonStart also starts its own daemon, with
iptables and ip6tables both enabled. It isn't trying to test anything
iptables related.

These tests run in parallel, so they both modify ip6tables in the host
namespace - and could break each other by adding/removing chains at
awkward moments.

Disable iptables and ip6tables in both tests.

Signed-off-by: Rob Murray <[email protected]>

- Changed "match" to "provide", in an attempt to indicate that the image is
  a multi-platform image that doesn't contain the given platform.
- Remove the "wanted" and instead make the requested platforms to be a part
  of the sentence, but within braces.

Before this patch:

    docker pull --quiet --platform=linux/riscv64 alpine:latest
    docker image history --platform=linux/amd64 alpine
    Error response from daemon: image with reference alpine:latest was found but does not match the specified platform: wanted linux/nosuch

With this patch:

    docker pull --quiet --platform=linux/riscv64 alpine:latest
    docker image history --platform=linux/amd64 alpine
    Error response from daemon: image with reference alpine:latest was found but does not provide the specified platform (linux/amd64)

Signed-off-by: Sebastiaan van Stijn <[email protected]>

…rrors

The platform was printed in its raw format, which didn't produce a very
readable output;

Before this change:

    $ docker image save --platform=linux/amd64 -o alpine_amd64.tar alpine:latest
    Error response from daemon: no suitable export target found for platform linux/amd64: no suitable image manifest found for platform {amd64 linux [] }

After this change:

    $ docker image save --platform=linux/amd64 -o alpine_amd64.tar alpine:latest
    Error response from daemon: no suitable export target found: image with reference alpine:latest was found but does not provide the specified platform (linux/amd64)

Signed-off-by: Sebastiaan van Stijn <[email protected]>

…n-tests

Disable iptables/ip6tables in two tests to remove conflict

Use `pools.Copy` for archive file copy operations

full diff:

- moby/buildkit@v0.16.0...v0.17.0-rc1
- tonistiigi/fsutil@91a3fc4...3f140a1
- golang/exp@9b4947d...701f63a

Signed-off-by: Sebastiaan van Stijn <[email protected]>

vendor: github.com/moby/buildkit v0.17.0-rc1

We had a couple of runs where these jobs got stuck and github
actions didn't allow terminating them, so that they were only
terminated after 120 minutes.

These jobs usually complete in 5 minutes, so let's give them
a shorter timeout. 20 minutes should be enough (don't @ me).

Signed-off-by: Sebastiaan van Stijn <[email protected]>

internal/safepath: log some unhandled errors, and remove workaround for ECI / Sysbox

Multiple images with the same repository name but different tag caused
the `RepoDigests` to contain duplicated entries for each of the image.

Deduplicate the slice before setting the `RepoDigests` field.

Signed-off-by: Paweł Gronowski <[email protected]>

Signed-off-by: jinjiadu <[email protected]>

volume/mounts: minor linting issues, touch-ups, and improve test-coverage

remove deprecated pkg/longpath.Prefix, pkg/directory

c8d/inspect: Fix duplicate RepoDigests

volume/service: use local driver as default for anonymous volumes

Temporarily remove firewallds jobs. These are actually not running
firewalld due to a typo in GHA definitions. Moreover, these new jobs
are putting too much load on the CI, causing GHA cache backend to return
429 for many jobs. This slows down build jobs (as they can't use
existing cache), and at least one buildkit test is now failing.

This reverts commit 4e567e1.

Signed-off-by: Albin Kerouanton <[email protected]>

Revert "ci: run integration tests with firewalld enabled"

chore: fix some function names

vendor: go.opentelemetry.io/otel v1.28.0, go.opentelemetry.io/contrib v0.53.0

full diff: kubernetes-sigs/yaml@v1.3.0...v1.4.0

Signed-off-by: Sebastiaan van Stijn <[email protected]>

- full diff: microsoft/hcsshim@v0.12.5...v0.12.7

Signed-off-by: Sebastiaan van Stijn <[email protected]>

commit 77fe35b added a warning if the
"volumeDriver" option was used in combination with --mount.

That change put the warning in the CLI, which should not have to handle
this logic. Let's move it to the daemon as we have a warnings response
in the container create response.

The warning is gated by API version, so that older clients can continue
to produce the warning client-side.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

vendor: github.com/Microsoft/hcsshim v0.12.7

Signed-off-by: Tonis Tiigi <[email protected]>

In 27.x and earlier releases libnetwork's database file was in a
sub-directory "network/files" under the daemon's root data dir.

That part of the path got lost in commit ed08486

So, libnet data ended up in the daemon's main Bolt db. Then, on
upgrade, config in the original file was no longer accessible.

libnet doesn't need access to any data outside its sub-dir, so
change the meaning of its OptionDataDir - it now points at libnet's
sub-dir, so the db will be created in the right place. Also, update
other uses of that data dir to match.

Signed-off-by: Rob Murray <[email protected]>

Restore 27.x path for libnet's Bolt database

The OCI image spec now has the platform as field, so we can just
set it directly now.

Signed-off-by: Sebastiaan van Stijn <[email protected]>

vendor: update buildkit to v0.17.0-rc2

full diff:

- containerd/containerd@v1.7.22...v1.7.23
- microsoft/hcsshim@v0.12.7...v0.12.8

Signed-off-by: Sebastiaan van Stijn <[email protected]>

It only removed the test host's libnet Bolt db file, and didn't
need to do that because the tests use a TempDir for it.

Signed-off-by: Rob Murray <[email protected]>

…rectly

builder-next: exporter: emptyImageConfig: use platform directly

container create: add warning for volumeDriver together with mounts

hack/unit: Rerun failed flaky libnetwork tests

Remove libnetwork_test.TestMain

Registry host configuration cleanup

Signed-off-by: Tonis Tiigi <[email protected]>

vendor: update buildkit to v0.17.0

vendor: github.com/containerd/containerd v1.7.23, hcsshim v0.12.8