Update Moby to 20.10.17; containerd to 1.6.6; runc to 1.1.2

.github/workflows/flowzone.yml

@@ -14,5 +14,5 @@ jobs:
     secrets: inherit
     with:
       # https://github.com/golang/go/blob/master/src/go/build/syslist.go
-      custom_publish_matrix: "linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64,linux/amd64,linux/386"
+      custom_publish_matrix: "linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64,linux/amd64"
       cloudflare_website: "balena-engine"

.versionbot/CHANGELOG.yml

@@ -1,3 +1,16 @@
+- commits:
+  - subject: Merge upstream v20.10.17
+    hash: 013d0279ce25791b87a0a0d77686e2cd74f6462a
+    body: >-
+      For full changelog see:
+      https://github.com/balena-os/balena-engine/blob/20.10.17-balena/CHANGELOG.md#2023-02-07-upstream-release
+    footers:
+      change-type: patch
+      signed-off-by: Leandro Motta Barros <leandro@balena.io>
+    author: Leandro Motta Barros
+    nested: []
+  version: 20.10.27
+  date: 2023-02-07T12:00:00.000Z
 - commits:
     - subject: Cross-build the dynbinary target
       hash: 0240d94e35a43be595cd5e79b0653440c228229f

CHANGELOG.md

@@ -4,6 +4,180 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+# v20.10.27
+## (2023-02-07) [upstream release]
+
+<details>
+<summary>Merge upstream 20.10.17 [Leandro Motta Barros]</summary>
+
+## 20.10.17
+
+2022-06-06
+
+This release of Docker Engine comes with updated versions of Docker Compose and the `containerd`, and `runc` components, as well as some minor bug fixes.
+
+### Client
+
+* Remove asterisk from docker commands in zsh completion script [docker/cli#3648](https://github.com/docker/cli/pull/3648).
+
+### Networking
+
+* Fix Windows port conflict with published ports in host mode for overlay [moby/moby#43644](https://github.com/moby/moby/pull/43644).
+* Ensure performance tuning is always applied to libnetwork sandboxes [moby/moby#43683](https://github.com/moby/moby/pull/43683).
+
+### Packaging
+
+* Update Docker Compose to [v2.6.0](https://github.com/docker/compose/releases/tag/v2.6.0).
+* Update containerd (`containerd.io` package) to [v1.6.6](https://github.com/containerd/containerd/releases/tag/v1.6.6), which contains a fix for [CVE-2022-31030](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31030)
+* Update runc version to [v1.1.2](https://github.com/opencontainers/runc/releases/tag/v1.1.2), which contains a fix for [CVE-2022-29162](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29162).
+* Update Go runtime to [1.17.11](https://go.dev/doc/devel/release#go1.17.minor), which contains fixes for [CVE-2022-30634](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30634), [CVE-2022-30629](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30629), [CVE-2022-30580](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30580) and [CVE-2022-29804](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29804)
+
+## 20.10.16
+
+2022-05-12
+
+This release of Docker Engine fixes a regression in the Docker CLI builds for macOS, fixes an issue with `docker stats` when using containerd 1.5 and up, and updates the Go runtime to include a fix for [CVE-2022-29526](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).
+
+### Client
+
+* Fixed a regression in binaries for macOS introduced in [20.10.15](#201015), which resulted in a panic [docker/cli#43426](https://github.com/docker/cli/pull/3592).
+* Update golang.org/x/sys dependency which contains a fix for [CVE-2022-29526](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).
+
+### Daemon
+
+* Fixed an issue where `docker stats` was showing empty stats when running with containerd 1.5.0 or up [moby/moby#43567](https://github.com/moby/moby/pull/43567).
+* Updated the `golang.org/x/sys` build-time dependency which contains a fix for [CVE-2022-29526](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).
+
+### Packaging
+
+* Updated Go runtime to [1.17.10](https://go.dev/doc/devel/release#go1.17.minor), which contains a fix for [CVE-2022-29526](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29526).
+* Used “weak” dependencies for the `docker scan` CLI plugin, to prevent a “conflicting requests” error when users performed an off-line installation from downloaded RPM packages [docker/docker-ce-packaging#659](https://github.com/docker/docker-ce-packaging/pull/659).
+
+## 20.10.15
+
+2022-05-05
+
+This release of Docker Engine comes with updated versions of the `compose`, `buildx`, `containerd`, and `runc` components, as well as some minor bug fixes.
+
+> **Known issues**
+>
+> We’ve identified an issue with the [macOS CLI binaries](https://download.docker.com/mac/static/stable/) in the 20.10.15 release. This issue has been resolved in the [20.10.16](#201016) release.
+
+### Daemon
+
+* Use a RWMutex for stateCounter to prevent potential locking congestion [moby/moby#43426](https://github.com/moby/moby/pull/43426).
+* Prevent an issue where the daemon was unable to find an available IP-range in some conditions [moby/moby#43360](https://github.com/moby/moby/pull/43360)
+
+### Packaging
+
+* Update Docker Compose to [v2.5.0](https://github.com/docker/compose/releases/tag/v2.5.0).
+* Update Docker Buildx to [v0.8.2](https://github.com/docker/buildx/releases/tag/v0.8.2).
+* Update Go runtime to [1.17.9](https://go.dev/doc/devel/release#go1.17.minor).
+* Update containerd (`containerd.io` package) to [v1.6.4](https://github.com/containerd/containerd/releases/tag/v1.6.4).
+* Update runc version to [v1.1.1](https://github.com/opencontainers/runc/releases/tag/v1.1.1).
+* Add packages for CentOS 9 stream and Fedora 36.
+
+## 20.10.14
+
+2022-03-23
+
+This release of Docker Engine updates the default inheritable capabilities for containers to address [CVE-2022-24769](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24769), a new version of the `containerd.io` runtime is also included to address the same issue.
+
+### Daemon
+
+* Update the default inheritable capabilities.
+
+### Builder
+
+* Update the default inheritable capabilities for containers used during build.
+
+### Packaging
+
+* Update containerd (`containerd.io` package) to [v1.5.11](https://github.com/containerd/containerd/releases/tag/v1.5.11).
+* Update `docker buildx` to [v0.8.1](https://github.com/docker/buildx/releases/tag/v0.8.1).
+
+## 20.10.13
+
+2022-03-10
+
+This release of Docker Engine contains some bug-fixes and packaging changes, updates to the `docker scan` and `docker buildx` commands, an updated version of the Go runtime, and new versions of the `containerd.io` runtime. Together with this release, we now also provide `.deb` and `.rpm` packages of Docker Compose V2, which can be installed using the (optional) `docker-compose-plugin` package.
+
+### Builder
+
+* Updated the bundled version of buildx to [v0.8.0](https://github.com/docker/buildx/releases/tag/v0.8.0).
+
+### Daemon
+
+* Fix a race condition when updating the container’s state [moby/moby#43166](https://github.com/moby/moby/pull/43166).
+* Update the etcd dependency to prevent the daemon from incorrectly holding file locks [moby/moby#43259](https://github.com/moby/moby/pull/43259)
+* Fix detection of user-namespaces when configuring the default `net.ipv4.ping_group_range` sysctl [moby/moby#43084](https://github.com/moby/moby/pull/43084).
+
+### Distribution
+
+* Retry downloading image-manifests if a connection failure happens during image pull [moby/moby#43333](https://github.com/moby/moby/pull/43333).
+
+### Documentation
+
+* Various fixes in command-line reference and API documentation.
+
+### Logging
+
+* Prevent an OOM when using the “local” logging driver with containers that produce a large amount of log messages [moby/moby#43165](https://github.com/moby/moby/pull/43165).
+* Updates the fluentd log driver to prevent a potential daemon crash, and prevent containers from hanging when using the `fluentd-async-connect=true` and the remote server is unreachable [moby/moby#43147](https://github.com/moby/moby/pull/43147).
+
+### Packaging
+
+* Provide `.deb` and `.rpm` packages for Docker Compose V2\. [Docker Compose v2.3.3](https://github.com/docker/compose/releases/tag/v2.3.3) can now be installed on Linux using the `docker-compose-plugin` packages, which provides the `docker compose` subcommand on the Docker CLI. The Docker Compose plugin can also be installed and run standalone to be used as a drop-in replacement for `docker-compose` (Docker Compose V1) [docker/docker-ce-packaging#638](https://github.com/docker/docker-ce-packaging/pull/638). The `compose-cli-plugin` package can also be used on older version of the Docker CLI with support for CLI plugins (Docker CLI 18.09 and up).
+* Provide packages for the upcoming Ubuntu 22.04 “Jammy Jellyfish” LTS release [docker/docker-ce-packaging#645](https://github.com/docker/docker-ce-packaging/pull/645), [docker/containerd-packaging#271](https://github.com/docker/containerd-packaging/pull/271).
+* Update `docker buildx` to [v0.8.0](https://github.com/docker/buildx/releases/tag/v0.8.0).
+* Update `docker scan` (`docker-scan-plugin`) to [v0.17.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.17.0).
+* Update containerd (`containerd.io` package) to [v1.5.10](https://github.com/containerd/containerd/releases/tag/v1.5.10).
+* Update the bundled runc version to [v1.0.3](https://github.com/opencontainers/runc/releases/tag/v1.0.3).
+* Update Golang runtime to Go 1.16.15.
+
+## 20.10.12
+
+2021-12-13
+
+This release of Docker Engine contains changes in packaging only, and provides updates to the `docker scan` and `docker buildx` commands. Versions of `docker scan` before v0.11.0 are not able to detect the [Log4j 2 CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228). We are shipping an updated version of `docker scan` in this release to help you scan your images for this vulnerability.
+
+> **Note**
+>
+> The `docker scan` command on Linux is currently only supported on x86 platforms. We do not yet provide a package for other hardware architectures on Linux.
+
+The `docker scan` feature is provided as a separate package and, depending on your upgrade or installation method, ‘docker scan’ may not be updated automatically to the latest version. Use the instructions below to update `docker scan` to the latest version. You can also use these instructions to install, or upgrade the `docker scan` package without upgrading the Docker Engine:
+
+On `.deb` based distros, such as Ubuntu and Debian:
+
+```
+$ apt-get update && apt-get install docker-scan-plugin
+```
+
+On rpm-based distros, such as CentOS or Fedora:
+
+```
+$ yum install docker-scan-plugin
+```
+
+After upgrading, verify you have the latest version of `docker scan` installed:
+
+```
+$ docker scan --accept-license --version
+Version:    v0.12.0
+Git commit: 1074dd0
+Provider:   Snyk (1.790.0 (standalone))
+```
+
+[Read our blog post on CVE-2021-44228](https://www.docker.com/blog/apache-log4j-2-cve-2021-44228/) to learn how to use the `docker scan` command to check if images are vulnerable.
+
+### Packaging
+
+* Update `docker scan` to [v0.12.0](https://github.com/docker/scan-cli-plugin/releases/tag/v0.12.0).
+* Update `docker buildx` to [v0.7.1](https://github.com/docker/buildx/releases/tag/v0.7.1).
+* Update Golang runtime to Go 1.16.12.
+
+</details>
+
 # v20.10.26
 ## (2023-01-17)
 

Dockerfile

@@ -3,7 +3,7 @@
 ARG CROSS="false"
 ARG SYSTEMD="false"
 # IMPORTANT: When updating this please note that stdlib archive/tar pkg is vendored
-ARG GO_VERSION=1.18.8
+ARG GO_VERSION=1.17.11
 ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_VERSION=0.5.0
 ARG DOCKER_BUILDTAGS="apparmor seccomp no_btrfs no_cri no_devmapper no_zfs exclude_disk_quota exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_zfs"

Dockerfile.e2e

@@ -1,4 +1,4 @@
-ARG GO_VERSION=1.16.10
+ARG GO_VERSION=1.17.11
 
 FROM golang:${GO_VERSION}-alpine AS base
 ENV GO111MODULE=off

Dockerfile.simple

@@ -5,7 +5,7 @@
 
 # This represents the bare minimum required to build and test Docker.
 
-ARG GO_VERSION=1.16.10
+ARG GO_VERSION=1.17.11
 
 FROM golang:${GO_VERSION}-buster
 ENV GO111MODULE=off

Dockerfile.windows

@@ -165,8 +165,8 @@ FROM microsoft/windowsservercore
 # Use PowerShell as the default shell
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ARG GO_VERSION=1.16.10
-ARG GOTESTSUM_COMMIT=v0.5.3
+ARG GO_VERSION=1.17.11
+ARG GOTESTSUM_VERSION=v1.7.0
 
 # Environment variable notes:
 #  - GO_VERSION must be consistent with 'Dockerfile' used by Linux.
@@ -176,7 +176,7 @@ ENV GO_VERSION=${GO_VERSION} `
     GOPATH=C:\gopath `
     GO111MODULE=off `
     FROM_DOCKERFILE=1 `
-    GOTESTSUM_COMMIT=${GOTESTSUM_COMMIT}
+    GOTESTSUM_VERSION=${GOTESTSUM_VERSION}
 
 RUN `
   Function Test-Nano() { `
@@ -261,21 +261,20 @@ RUN `
   C:\git\cmd\git config --global core.autocrlf true;
 
 RUN `
-  Function Build-GoTestSum() { `
-    Write-Host "INFO: Building gotestsum version $Env:GOTESTSUM_COMMIT in $Env:GOPATH"; `
+  Function Install-GoTestSum() { `
     $Env:GO111MODULE = 'on'; `
     $tmpGobin = "${Env:GOBIN_TMP}"; `
     $Env:GOBIN = """${Env:GOPATH}`\bin"""; `
-    &go get -buildmode=exe "gotest.tools/gotestsum@${Env:GOTESTSUM_COMMIT}"; `
+    Write-Host "INFO: Installing gotestsum version $Env:GOTESTSUM_VERSION in $Env:GOBIN"; `
+    &go install "gotest.tools/gotestsum@${Env:GOTESTSUM_VERSION}"; `
     $Env:GOBIN = "${tmpGobin}"; `
     $Env:GO111MODULE = 'off'; `
     if ($LASTEXITCODE -ne 0) {  `
-      Throw '"gotestsum build failed..."'; `
+      Throw '"gotestsum install failed..."'; `
     } `
-    Write-Host "INFO:     Build done for gotestsum..."; `
   } `
   `
-  Build-GoTestSum
+  Install-GoTestSum
 
 # Make PowerShell the default entrypoint
 ENTRYPOINT ["powershell.exe"]

Makefile

@@ -1,5 +1,7 @@
 .PHONY: all binary dynbinary build cross help install manpages run shell test test-docker-py test-integration test-unit validate win
 
+BUILDX_VERSION ?= v0.8.2
+
 ifdef USE_BUILDX
 BUILDX ?= $(shell command -v buildx)
 BUILDX ?= $(shell command -v docker-buildx)
@@ -272,22 +274,6 @@ buildx: bundles/buildx ## build buildx cli tool
 endif
 endif
 
-# This intentionally is not using the `--output` flag from the docker CLI, which
-# is a buildkit option. The idea here being that if buildx is being used, it's
-# because buildkit is not supported natively
 bundles/buildx: bundles ## build buildx CLI tool
-	docker build -f $${BUILDX_DOCKERFILE:-Dockerfile.buildx} -t "moby-buildx:$${BUILDX_COMMIT:-latest}" \
-		--build-arg BUILDX_COMMIT \
-		--build-arg BUILDX_REPO \
-		--build-arg GOOS=$$(if [ -n "$(GOOS)" ]; then echo $(GOOS); else go env GOHOSTOS || uname | awk '{print tolower($$0)}' || true; fi) \
-		--build-arg GOARCH=$$(if [ -n "$(GOARCH)" ]; then echo $(GOARCH); else go env GOHOSTARCH || true; fi) \
-		.
-
-	id=$$(docker create moby-buildx:$${BUILDX_COMMIT:-latest}); \
-	if [ -n "$${id}" ]; then \
-		docker cp $${id}:/usr/bin/buildx $@ \
-		&& touch $@; \
-		docker rm -f $${id}; \
-	fi
-
+	curl -fsSL https://raw.githubusercontent.com/moby/buildkit/70deac12b5857a1aa4da65e90b262368e2f71500/hack/install-buildx | VERSION="$(BUILDX_VERSION)" BINDIR="$(@D)" bash
 	$@ version

api/common_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package api // import "github.com/docker/docker/api"

api/server/errorhandler.go

@@ -0,0 +1,34 @@
+package server
+
+import (
+	"net/http"
+
+	"github.com/docker/docker/api/server/httpstatus"
+	"github.com/docker/docker/api/server/httputils"
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/gorilla/mux"
+	"google.golang.org/grpc/status"
+)
+
+// makeErrorHandler makes an HTTP handler that decodes a Docker error and
+// returns it in the response.
+func makeErrorHandler(err error) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		statusCode := httpstatus.FromError(err)
+		vars := mux.Vars(r)
+		if apiVersionSupportsJSONErrors(vars["version"]) {
+			response := &types.ErrorResponse{
+				Message: err.Error(),
+			}
+			_ = httputils.WriteJSON(w, statusCode, response)
+		} else {
+			http.Error(w, status.Convert(err).Message(), statusCode)
+		}
+	}
+}
+
+func apiVersionSupportsJSONErrors(version string) bool {
+	const firstAPIVersionWithJSONErrors = "1.23"
+	return version == "" || versions.GreaterThan(version, firstAPIVersionWithJSONErrors)
+}