Unfortunately, this check was missing in the original version. It could
cause a positive match to be overwritten by checking parent dirs.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Upstream-commit: 55da5245ded6228afc5cf40e6cf18dc50d8cf0ff
Component: engine
pkg/fileutils: Track incremental pattern match results against each pattern
Upstream-commit: 93d560d5b3b0249f798243b52310128b7e1d163c
Component: engine
The existing code does not correctly handle the case where a file
matches one of the patterns, but should not match overall because of an
exclude pattern that applied to a parent directory (see
https://github.com/docker/buildx/issues/850).
Fix this by independently tracking the results of matching against each
pattern. A file should be considered to match any pattern that matched a
parent dir.
Signed-off-by: Aaron Lehmann <alehmann@netflix.com>
Upstream-commit: 4555d3aa543ad54f0f0658337022632a26d7dd9a
Component: engine
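The parent-directory case from the commit message above, as an added Go example (not the pkg/fileutils code). It assumes "exclude pattern" means a `!`-prefixed exception and uses `path.Match` as a stand-in glob matcher. The names `rule`, `prefixes`, `ignoredPerPattern` and `ignoredSingleFlag` are hypothetical, the sample patterns are constructed, and `ignoredSingleFlag` is a simplified model of the failure rather than the previous implementation.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// rule is one ignore pattern; negate marks a "!" exception (assumed syntax).
type rule struct{ glob string; negate bool }

// prefixes returns "a", "a/b", "a/b/c.txt" for "a/b/c.txt".
func prefixes(p string) (out []string) {
	parts := strings.Split(path.Clean(p), "/")
	for i := range parts {
		out = append(out, strings.Join(parts[:i+1], "/"))
	}
	return out
}

// ignoredPerPattern checks each pattern against the file and every parent dir.
// The last pattern that matched any of them decides the result.
func ignoredPerPattern(rules []rule, p string) bool {
	ignored := false
	for _, r := range rules {
		for _, pre := range prefixes(p) {
			if ok, _ := path.Match(r.glob, pre); ok {
				ignored = !r.negate
			}
		}
	}
	return ignored
}

// ignoredSingleFlag carries one boolean down the tree (simplified model), so a
// "!" match on a parent is overwritten by an earlier pattern matching the file.
func ignoredSingleFlag(rules []rule, p string) bool {
	ignored := false
	for _, pre := range prefixes(p) {
		for _, r := range rules {
			if ok, _ := path.Match(r.glob, pre); ok {
				ignored = !r.negate
			}
		}
	}
	return ignored
}

func main() {
	rules := []rule{{"a/*/c.txt", false}, {"a/b", true}} // constructed sample
	fmt.Println(ignoredPerPattern(rules, "a/b/c.txt"), ignoredSingleFlag(rules, "a/b/c.txt"))
}
```

With the constructed patterns `a/*/c.txt` followed by `!a/b`, the file `a/b/c.txt` matches the first pattern directly, but the later exception on its parent `a/b` is what decides the outcome once each pattern is evaluated on its own.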
full diff: https://github.com/containerd/ttrpc/compare/v1.0.2...v1.1.0
- client: Handle sending/receiving in separate goroutines
- Return Unimplemented when services or methods are not implemented
- go.mod: sirupsen/logrus v1.7.0
- go.mod: update dependencies
- go.mod: github.com/gogo/protobuf v1.3.2
- go.mod: google.golang.org/grpc v1.27.1
- go.mod: google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63
- go.mod: github.com/prometheus/procfs v0.6.0
- replace pkg/errors
- Rename branch from master to main
- Use GitHub Actions for CI
- Make "go test" and "go build" work on macOS
- Add protoc-gen-go-ttrpc
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: cbb4aed0b4e5769ac9a91003670f8e5183b239be
Component: engine
The appropriate/nc image was last built over 6 years ago, and uses the
deprecated v2 schema 1 format.
https://github.com/appropriate/docker-nc/tree/master/latest
The image is just a plain "apk install" of netbsd-netcat, but was added
in 1c4286bcffcdc6668f84570a2754c78cccbbf7e1, because at the time the
busybox nc had some bugs.
These appear to be resolved, so we can use the busybox nc, from the
frozen images.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 6d92d2c7c4e32e840d86cfdfafa0b9bb980ba62c
Component: engine
This was accidentally forgotten in aef782f34844e70c79481cbecd35b01c9bb25ffa
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: c3537ec24ca67171f57ba0d5e4c182685ba5e4ad
Component: engine
Pushing manifest v2, schema 1 images has been deprecated in commit
6302dbbf46dd40d824238487a5afece551d53293 (docker 20.10). It's still used in
some tests to provision a legacy registry to test _pulling_ legacy images
(which is still "supported"), but we should no longer have to validate pushing
for other scenarios.
This patch removes the schema 1 push tests, and inlines the code that was
extracted in non-exported functions (for them to be shared between schema 2 and
schema 1 tests).
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 238180d292a27a4b7b7bb669867e04236b4acc43
Component: engine
- Bring mediaType out of reserved status
- specs-go: adding mediaType to the index and manifest structures
full diff: https://github.com/opencontainers/image-spec/compare/v1.0.1...v1.0.2
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: cef0a7c14efdef430b1e84140bb68dc3e4c4f8e7
Component: engine
contains a mitigation for CVE-2021-41190 as well as several fixes and updates.
full diff: https://github.com/containerd/containerd/compare/v1.5.7...v1.5.8
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: 458b4aae197aee829075c4f0a883ae689f966f29
Component: engine
The eighth patch release for containerd 1.5 contains a mitigation for CVE-2021-41190
as well as several fixes and updates.
Notable Updates
* Handle ambiguous OCI manifest parsing
* Filter selinux xattr for image volumes in CRI plugin
* Use DeactiveLayer to unlock layers that cannot be renamed in Windows snapshotter
* Fix pull failure on unexpected EOF
* Close task IO before waiting on delete
* Log a warning for ignored invalid image labels rather than erroring
* Update pull to handle non-https urls in descriptors
See the changelog for complete list of changes
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Upstream-commit: aef782f34844e70c79481cbecd35b01c9bb25ffa
Component: engine
Since moby/libnetwork#2635 has been merged, allocatePortsInternal()
checks if IPv6 is enabled by calling IsV6Listenable(). This function
calls `net.Listen("tcp6", "[::1]:0")` and returns false when
net.Listen() fails.
TestPortMappingV6Config() starts by setting up a new net ns to run into
it. The loopback interface is not brought up in this net ns, thus
net.Listen() fails and IsV6Listenable() returns false. This change takes
care of bringing loopback iface up right after moving to the new net ns.
This test has been reported as flaky on s390x in #42468. For some
reason, this test seems to be consistently green on the CI (on amd64
arch) and when running `hack/test/unit` locally. However it consistently
fails when running `TESTFLAGS='-shuffle on' hack/test/unit` locally.
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Upstream-commit: c721bad8ccddeb353e71d4b4b26ad878d1ae8bee
Component: engine