Brian Goff cpuguy83 @Microsoft Seattle, WA

delete branch cpuguy83/buildx

delete branch : bake_args_from_env

delete time in 17 hours

PR closed moby/moby

Titel

<!-- Please make sure you've read and understood our contributing guidelines; https://github.com/moby/moby/blob/master/CONTRIBUTING.md

** Make sure all your commits include a signature generated with git commit -s **

For additional information on our contributing process, read our contributing guide https://docs.docker.com/opensource/code/

If this is a bug fix, make sure your description includes "fixes #xxxx", or "closes #xxxx"

Please provide the following information: -->

- What I did

- How I did it

- How to verify it

- Description for the changelog <!-- Write a short (one line) summary that describes the changes in this pull request for inclusion in the changelog: -->

- A picture of a cute animal (not mandatory but encouraged)

+30 -2

1 comment

3 changed files

Michaelmichaeljensen

pr closed time in 2 days

PR closed moby/moby

Os llv 2

0s uplas mecanics

<!-- Please make sure you've read and understood our contributing guidelines; https://github.com/moby/moby/blob/master/CONTRIBUTING.md

** Make sure all your commits include a signature generated with git commit -s **

For additional information on our contributing process, read our contributing guide https://docs.docker.com/opensource/code/

If this is a bug fix, make sure your description includes "fixes #xxxx", or "closes #xxxx"

Please provide the following information: -->

- What I did

- How I did it

- How to verify it

- Description for the changelog <!-- Write a short (one line) summary that describes the changes in this pull request for inclusion in the changelog: -->

- A picture of a cute animal (not mandatory but encouraged)

+1 -1

1 comment

1 changed file

Michaelmichaeljensen

pr closed time in 2 days

pull request comment moby/moby

Os llv 2

Not sure what this is but it doesn't look like this was intentional, so closing. Feel free to ping back.

Thanks.

Michaelmichaeljensen

comment created time in 2 days

issue comment moby/moby

Docker Network bypasses Firewall, no option to disable

@dentonmwood That sounds exactly like what you should do. As I mentioned above, you can even set up the service to run using macvlan or ipvlan which will give it an IP directly on your normal network.

@BenjamenMeyer @jest @jacoscaz

Thanks for the extra feedback.

I agree the knowledge we are asking users to possess in this regard is not great. We currently put the onus on the user (be it a sysadmin or a developer) to understand what -p does and to take appropriate precautions to ensure the service is only exposed to who they think it is exposed to. We take that a step further even by expecting developers who often don't have any reason to know iptables to step in and fix it for their own environment (via DOCKER-USER). We are basically in this situation due to fears of breaking compatibility.

I have some ideas that I haven't had time to fully think through yet, but it would basically be changing the behavior of -p based on API version of the client and handling ingress separately. Still a breaking change which worries me but at least old behavior is preserved in older API versions.

I did have a thought that we could do a local proxy (à la kubectl proxy) for the use-case of local access, however this again puts the onus on the developer to know and understand more than they really should need to.

Thoughts?

BenjamenMeyer

comment created time in 3 days

issue comment moby/moby

Docker Network bypasses Firewall, no option to disable

Let's assess the situation as it is today:

By default, no ports are exposed. You have to tell Docker to expose a port. In the past Docker would set up iptables such that anything that knew how to route to the bridge network could access the container IPs (by setting the forward policy to "accept"), but this is no longer true.

I have seen some people saying they are using -p to expose services to each other, which should not be required. On the default network you can use --link to wire up services together, the container is available over DNS. On non-default networks (user defined networks), containers can access each other by DNS as well, including setting up aliases via --link, or even to a network with a specified alias.

It seems like in many cases really you just want to connect to the service from the client, in which case it is recommended to use another container with access to the service you want to connect to rather than exposing a port.

-p is specifically designed for ingress, as in let external things access this service. The default for -p is indeed to allow traffic from anywhere. You can change this by manually specifying the address to allow from either per -p or as a daemon wide setting. Since -p does use iptables, the DOCKER-USER chain was created so users can add their own filter rules before it hits the container.

Since -p is designed for ingress, I think it is reasonable for this to expose traffic as it does. I do feel like it is unfortunate that the Docker rules are inserted at the top of the filter table, however changing this would very much be a breaking change to a large group of users who DO want this behavior.

There are a couple of other alternatives to -p:

  1. Don't use -p, connect to the container IP directly. This requires a little extra work since you have to look up the IP, but this data is available from the API. You'll also need to make sure the forward policy on the firewall allows this (assuming you are connecting from a different host, same host should be fine)
  2. Use macvlan or ipvlan networking for services you want to be accessible from the host's network (i.e. ingress). These networking options give the container an IP directly from the host's network interface (you choose which interface it is bound to).
  3. Use --net=host, this runs the service on the host network namespace giving the service access to network infra that already exists on the host.

You say "make this secure by default", but exposing a port is by definition a potentially insecure action. There also seems to be some idea that exposing to localhost only is secure, but it is not as anything running on the host can access localhost (including javascript in a browser if it is a desktop).

What use case are you trying to solve by using -p? Do you have some thoughts on the actual change you'd like to see?

I'm fine changing something to make this better for your workflow, but there are a lot of different use cases here and one size never fits all (see complaints about -p).

BenjamenMeyer

comment created time in 3 days

issue closed moby/moby

--version

<!-- If you are reporting a new issue, make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.

If you suspect your issue is a bug, please edit your issue description to include the BUG REPORT INFORMATION shown below. If you fail to provide this information within 7 days, we cannot debug your issue and will close it. We will, however, reopen it if you later provide the information.

For more information about reporting issues, see https://github.com/moby/moby/blob/master/CONTRIBUTING.md#reporting-other-issues


GENERAL SUPPORT INFORMATION

The GitHub issue tracker is for bug reports and feature requests. General support for docker can be found at the following locations:

  • Docker Support Forums - https://forums.docker.com
  • Slack - community.docker.com #general channel
  • Post a question on StackOverflow, using the Docker tag

General support for moby can be found at the following locations:

  • Moby Project Forums - https://forums.mobyproject.org
  • Slack - community.docker.com #moby-project channel
  • Post a question on StackOverflow, using the Moby tag

BUG REPORT INFORMATION

Use the commands below to provide key information from your environment: You do NOT have to include this information if this is a FEATURE REQUEST -->

Description

<!-- Briefly describe the problem you are having in a few paragraphs. -->

Steps to reproduce the issue: 1. 2. 3.

Describe the results you received:

Describe the results you expected:

Additional information you deem important (e.g. issue happens only occasionally):

Output of docker version:

(paste your output here)

Output of docker info:

(paste your output here)

Additional environment details (AWS, VirtualBox, physical, etc.):

closed time in 4 days

xxxkrogoth

pull request comment virtual-kubelet/azure-aci

Add support for test config from env

@ibabou Still getting 409's with eastus.

cpuguy83

comment created time in 5 days

push event cpuguy83/azure-aci

Brian Goff

commit sha d6ad451964a461fa36dd9c02d11082eefd68d47c

Add support for test config from env This sets some defaults like before but adds the option to configure from env, pretty much for CI.


push time in 5 days

push event cpuguy83/azure-aci

Brian Goff

commit sha 44684eed4cdfcb0b5b7046ef17838df54ac70f74

Add support for test config from env This sets some defaults like before but adds the option to configure from env, pretty much for CI.


push time in 5 days

push event cpuguy83/azure-aci

Brian Goff

commit sha 0ab7da0898996058ad66ebb546030bdf0f60aad5

Add support for test config from env This sets some defaults like before but adds the option to configure from env, pretty much for CI.


push time in 5 days

pull request comment virtual-kubelet/azure-aci

Add support for test config from env

I expect this to fail just because the network profile seems like it might be tied to the region and I added a var to circleci for just the region.

cpuguy83

comment created time in 5 days

PR opened virtual-kubelet/azure-aci

Add support for test config from env

This sets some defaults like before but adds the option to configure from env, pretty much for CI.

+64 -16

0 comment

3 changed files

pr created time in 5 days

create branch cpuguy83/azure-aci

branch : add_configurable_test_region

created branch time in 5 days

pull request comment virtual-kubelet/azure-aci

Add tracing flags to CLI.

Sadly this seems to be hardcoded into the tests.

cpuguy83

comment created time in 5 days

PR opened docker/engine

[19.03] Windows: Only set VERSION_QUAD if unset

When trying to build with some pretty typical version strings this was causing failures trying to generate the windows resource file.

The resource file is already gated by an ifdef for this var, so instead of blindly setting based on "VERSION", which can contain some characters which are incompatible (e.g. 1.2.3.rc.0 will fail due to the ".rc").

Signed-off-by: Brian Goff cpuguy83@gmail.com (cherry picked from commit ce931f28ea8768baa7ca2725d9030fbf8a40d3ba) Signed-off-by: Brian Goff cpuguy83@gmail.com

Backports moby/moby#40169

+3 -1

0 comment

1 changed file

pr created time in 5 days

create branch cpuguy83/docker

branch : backport_40169_windows_version_quad

created branch time in 5 days

pull request comment docker/cli

Stack: Support cap_add, cap_drop and privileged on services

I'm conflicted on having default caps here.... or even if we reference them from moby it doesn't quite seem right because it is not necessarily in sync with the engine.

olljanat

comment created time in 6 days

pull request comment virtual-kubelet/azure-aci

Add tracing flags to CLI.

Is there a better region to run tests against?

cpuguy83

comment created time in 6 days

pull request comment virtual-kubelet/azure-aci

Add tracing flags to CLI.

Failed again with 409 in westus.

cpuguy83

comment created time in 6 days

created tag virtual-kubelet/virtual-kubelet

tag v1.2.1

Virtual Kubelet is an open source Kubernetes kubelet implementation.

created time in 6 days

release virtual-kubelet/virtual-kubelet

v1.2.1

released time in 6 days

delete branch cpuguy83/virtual-kubelet

delete branch : cherry_picks_1.2.1

delete time in 6 days

push event virtual-kubelet/virtual-kubelet

Brian Goff

commit sha 7585e1154200b741ff63b663f54f2516a8cb2b8d

[Sync Provider] Fix panic on not found pod status (cherry picked from commit 6e33b0f084ffd48d7cd76f2336b0df6caddc1e93)


Thomas Hartland

commit sha df16317a891b24c86b511be7c3988d680c5a84b7

After handling status update, reset update timer with correct duration If the ping timer is being used, it should be reset with the ping update interval. If the status update interval is used then Ping stops being called for long enough to cause kubernetes to mark the node as NotReady. (cherry picked from commit c258614d8f7139ea7c03f685bab9fb3b9f88bc8c)


Thomas Hartland

commit sha eb9498cddeb390c92d0258c7341030bcdb613a04

Add test for node ping interval (cherry picked from commit 3783a39b262353a2588a649993af6c047ee0207a)


Brian Goff

commit sha e6e1dbed870de9c9716ac8309eeec11b9ea67ebd

Merge pull request #794 from cpuguy83/cherry_picks_1.2.1 Cherry picks 1.2.1


push time in 6 days

pull request comment virtual-kubelet/virtual-kubelet

Cherry picks 1.2.1

This is the same as master, so merging.

cpuguy83

comment created time in 6 days

issue comment moby/moby

Docker Network bypasses Firewall, no option to disable

Let's be clear, Docker is secure by default. You have to tell Docker to do port forwarding.

As for services that need to communicate with each other, you should be using networks (docker network) to limit access, not port forwarding.

BenjamenMeyer

comment created time in 6 days

PR opened virtual-kubelet/virtual-kubelet

Cherry picks 1.2.1
+125 -22

0 comment

3 changed files

pr created time in 6 days

create branch cpuguy83/virtual-kubelet

branch : cherry_picks_1.1.1

created branch time in 6 days

create branch virtual-kubelet/virtual-kubelet

branch : release-1.2

created branch time in 6 days

create branch cpuguy83/virtual-kubelet

branch : cherry_picks_1.2.1

created branch time in 6 days

push event virtual-kubelet/virtual-kubelet

Brian Goff

commit sha 6e33b0f084ffd48d7cd76f2336b0df6caddc1e93

[Sync Provider] Fix panic on not found pod status


Brian Goff

commit sha 7f2a02291530d2df14905702e6d51500dd57640a

Merge pull request #793 from cpuguy83/fix_pod_status_panic [Sync Provider] Fix panic on not found pod status


push time in 6 days

pull request comment virtual-kubelet/azure-aci

Add tracing flags to CLI.

Tests are getting 409 service unavailable in westus.

cpuguy83

comment created time in 6 days

PR opened virtual-kubelet/azure-aci

Add tracing flags to CLI.

Adds support for using ocagent to export tracing data.

+44 -0

0 comment

3 changed files

pr created time in 6 days

create branch cpuguy83/azure-aci

branch : add_tracing_flags

created branch time in 6 days

push event virtual-kubelet/cri

Brian Goff

commit sha 5dec3cbdcba22c93bce91bf845d1d798c8cc2aa4

Add support for oc agent tracing exporter


push time in 6 days

issue comment virtual-kubelet/cri

example

https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/09-bootstrapping-kubernetes-workers.md

chechuironman

comment created time in 6 days

push event virtual-kubelet/cri

Brian Goff

commit sha e6fad542857bcd4d5a214db15f3f6a3389b0059d

Bump vk to 1.2.0 + other deps.


push time in 6 days

push event virtual-kubelet/cri

Brian Goff

commit sha cf465abb58c9b5a2bbfd16b91b45d1f0bda80a2e

Use vk logger and tracer


push time in 6 days

push event virtual-kubelet/cri

Brian Goff

commit sha 24f253e370945b243873743c422864c52c57d9b3

Use node-cli


push time in 6 days

issue comment Azure/aks-engine

VMSS disk attach/detach issues w/ v1.13.12, v1.14.8, v1.15.5, v1.16.2

If you have already been hit by this issue, you'll need to manually detach disks from the vmss nodes. You can use https://gist.github.com/cpuguy83/75f2f1c6556aa99118eef2830952c844 to help with that.

It is difficult to (safely) automate detection of which disks need to be detached, however a good indicator may be if you have PVs you are trying to delete and they are stuck in "Terminating" state.

The other option is to compare the list of running pods on a node with the disks attached to the vmss instance (using azure cli).

While performing these actions it is best to cordon the node so that k8s will not schedule new workloads on it while you are working on it.

jackfrancis

comment created time in 6 days

push event cpuguy83/virtual-kubelet

Brian Goff

commit sha 6e33b0f084ffd48d7cd76f2336b0df6caddc1e93

[Sync Provider] Fix panic on not found pod status


push time in 6 days

pull request comment virtual-kubelet/virtual-kubelet

[Sync Provider] Fix panic on not found pod status

Yeah. In this case at least it's an error that's returned with the nil status I just messed up here.

cpuguy83

comment created time in 6 days

Pull request review comment virtual-kubelet/virtual-kubelet

[Sync Provider] Fix panic on not found pod status

 func (p *syncProviderWrapper) updatePodStatus(ctx context.Context, podFromKubern 		return nil 	} +	if podFromKubernetes.Status.Phase != corev1.PodRunning && time.Since(podFromKubernetes.ObjectMeta.CreationTimestamp.Time) <= time.Minute {+		span.SetStatus(err)
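Review bot: the added branch calls `span.SetStatus(err)`, but its condition (`Phase != corev1.PodRunning && time.Since(CreationTimestamp) <= time.Minute`) says nothing about `err`, and the context just above it ends in `return nil`, so `err` is very likely nil at this point and the span would record no failure at all; set the span status from a value that actually describes why the update is being skipped (the status lookup error, or an explicit "pod not yet running" error) rather than from a possibly-nil `err`.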

:( Yes. Thanks

cpuguy83

comment created time in 6 days

Pull request review comment virtual-kubelet/virtual-kubelet

[Sync Provider] Fix panic on not found pod status

 func (p *syncProviderWrapper) updatePodStatus(ctx context.Context, podFromKubern 		log.G(ctx).Debug("Setting pod not found on pod status") 	} +	if podStatus == nil {+		log.G(ctx).WithError(statusErr).Debug("Skipping pod status update due to missing pod status")
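Review bot: the added `if podStatus == nil` branch only logs `statusErr` at debug level and skips the update, so the caller never learns that the status lookup failed and a nil status was silently dropped; return `statusErr` (wrapped with the pod name for context) instead of swallowing it, so the failure is visible to the control loop and not just in debug logs.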

Sure, I updated this to actually return the error.

cpuguy83

comment created time in 6 days

issue comment moby/moby

How to map 127.0.0.1 of container to IP of physical machine

The only way to do this is to create a container with --net=container:<name>. Otherwise the only way to access 127.0.0.1 is from inside that container.

I would recommend listening on all addresses, you can choose to allow access using docker networks. https://docs.docker.com/network/network-tutorial-standalone/

Ruilkyu

comment created time in 6 days

issue closed moby/moby

How to map 127.0.0.1 of container to IP of physical machine

Question: Now I have a problem. I have run a program in the container that only listens to 127.0.0.1. How to map it so that other machines can access the container

closed time in 6 days

Ruilkyu

issue comment moby/moby

Set a default max size for the json-file log driver.

Unfortunately Kubernetes consumes json logs.

thomas15v

comment created time in 6 days

issue comment virtual-kubelet/cri

example

You need to setup CNI on the node.

chechuironman

comment created time in 6 days

push event cpuguy83/virtual-kubelet

Brian Goff

commit sha 43d0ecf433e5d44516fec603d32d076f21d34c8d

[Sync Provider] Fix panic on not found pod status


push time in 7 days

push event cpuguy83/virtual-kubelet

Brian Goff

commit sha c9d5eeecd0fa4bda0df1c08587976bc7caf5655f

[Sync Provider] Fix panic on not found pod status


push time in 7 days

push event cpuguy83/virtual-kubelet

Brian Goff

commit sha f2b721182fc2f2bf4c269fcecb17f2a51f5c6d0c

[Sync Provider] Fix panic on not found pod status


push time in 7 days

create branch cpuguy83/virtual-kubelet

branch : fix_pod_status_panic

created branch time in 7 days

issue comment golang/go

proposal: syscall: define Windows O_ALLOW_DELETE for use in os.OpenFile

IMO we need to be able to os.OpenFile(..., syscall.O_ALLOW_DELETE, ...).

I honestly find the duplicated flags in os confusing, particularly for non cross-platform concepts, but do not care if it is added to os or not.

rsc

comment created time in 8 days

pull request comment moby/moby

Fix misspellings of "successfully" in error msgs

Ok, thanks anyway.

Closing since we can't merge this as is.

dnnr

comment created time in 8 days

PR closed moby/moby

Fix misspellings of "successfully" in error msgs status/needs-vendoring


+6 -6

3 comments

1 changed file

dnnr

pr closed time in 8 days

push event docker/cli

Justyn Temme

commit sha 756ab2fb92998047d072a81ef432851411819030

Add support for docker push --quiet Signed-off-by: Justyn Temme <justyntemme@gmail.com> Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Brian Goff

commit sha 6c12a82f330675d4e2cfff4f8b89a353bcb1fecd

Merge pull request #2197 from thaJeztah/carry_1221_push_quiet Add support for docker push --quiet


push time in 8 days

PR merged docker/cli

Add support for docker push --quiet area/distribution impact/changelog status/2-code-review
  • carries https://github.com/docker/cli/pull/1221 Added support for docker push --quiet
    • continues https://github.com/docker/cli/pull/1220 Added support for docker push --quiet
  • closes https://github.com/docker/cli/pull/1221 Added support for docker push --quiet
  • fixes https://github.com/docker/cli/issues/958 docker push should support --quiet flag
  • fixes https://github.com/docker/cli/issues/1930 docker push no progress/quiet
  • fixes https://github.com/moby/moby/issues/37417 docker push quiet option
  • fixes https://github.com/moby/moby/issues/36655 docker push should support --quiet flag
  • addresses the workaround in https://github.com/moby/moby/issues/13588#issuecomment-242694121

- Description for the changelog <!-- Write a short (one line) summary that describes the changes in this pull request for inclusion in the changelog: -->

+ Add support for docker push --quiet

- A picture of a cute animal (not mandatory but encouraged)


+34 -14

1 comment

4 changed files

thaJeztah

pr closed time in 8 days

PR closed docker/cli

Added support for docker push --quiet status/1-design-review

Signed-off-by: Justyn Temme justyntemme@gmail.com

<!-- Please make sure you've read and understood our contributing guidelines; https://github.com/docker/cli/blob/master/CONTRIBUTING.md

** Make sure all your commits include a signature generated with git commit -s **

For additional information on our contributing process, read our contributing guide https://docs.docker.com/opensource/code/

If this is a bug fix, make sure your description includes "fixes #xxxx", or "closes #xxxx"

Please provide the following information: -->

- What I did

Added --quiet flag for docker push Fix for https://github.com/docker/cli/issues/958

- How I did it

Passing a flag to either write out the content body of the response, or simply output nothing

- How to verify it

docker push --quiet tagged/image

- Description for the changelog <!-- Write a short (one line) summary that describes the changes in this pull request for inclusion in the changelog: -->

Added a --quiet flag for docker push

- A picture of a cute animal (not mandatory but encouraged)

cute bunny

+41 -2

7 comments

3 changed files

justyntemme

pr closed time in 8 days

issue closed docker/cli

docker push should support --quiet flag

See https://github.com/moby/moby/issues/36655

closed time in 8 days

nathanleclaire

pull request comment kubernetes/kubernetes

fix vmss dirty cache issue

Oh nevermind I see it was changed in 1.15.5

andyzhangx

comment created time in 9 days

pull request comment kubernetes/kubernetes

fix vmss dirty cache issue

Note that this was changed already between 1.15 and 1.16.

andyzhangx

comment created time in 9 days

issue comment jruby/jruby

Official Docker image

@lopex Definitely let's discuss. When are you usually online? I can certainly start by giving you push access to the existing repo and we can go from there.

cpuguy83

comment created time in 9 days

push event virtual-kubelet/virtual-kubelet

Thomas Hartland

commit sha 3783a39b262353a2588a649993af6c047ee0207a

Add test for node ping interval


Thomas Hartland

commit sha c258614d8f7139ea7c03f685bab9fb3b9f88bc8c

After handling status update, reset update timer with correct duration If the ping timer is being used, it should be reset with the ping update interval. If the status update interval is used then Ping stops being called for long enough to cause kubernetes to mark the node as NotReady.


Brian Goff

commit sha 1a9c4bfb24484a58eb779223f374d51302c37b95

Merge pull request #789 from tghartland/fix-notify-status-788 After handling status update, reset update timer with correct duration


push time in 9 days

PR merged virtual-kubelet/virtual-kubelet

After handling status update, reset update timer with correct duration

If the ping timer is being used, it should be reset with the ping update interval. If the status update interval is used then Ping stops being called for long enough to cause kubernetes to mark the node as NotReady.

Fixes #788

+98 -1

1 comment

2 changed files

tghartland

pr closed time in 9 days

issue closed virtual-kubelet/virtual-kubelet

Node goes to NotReady status a short time after using NotifyNodeStatus callback

After causing the NotifyNodeStatus callback to be used, the node goes into NotReady status after ~30 seconds and then recovers soon after.

The reason: after updating the node status the periodic update timer is reset, but it is always set to the statusInterval duration (1 minute) even when the periodic update is using Ping, which should be called every 10 seconds.

https://github.com/virtual-kubelet/virtual-kubelet/blob/ba940a9739fe0c661f9edfa3192ad84a412e23a3/node/node.go#L279

Since Ping stops being called for 1 minute the virtual kubelet stops posting status in this time, and kubernetes marks the node as NotReady.

closed time in 9 days

tghartland

delete branch cpuguy83/docker

delete branch : windows_version_quad_err

delete time in 9 days

issue closed moby/moby

docker exec does not obey --security-opt no-new-privileges

Description

docker run supports starting a container with no new privileges enabled, however this does not seem to apply to processes started with docker exec

Steps to reproduce the issue:

  1. Set up a test (suid root id)
$ sudo cp `which id` .
$ sudo chmod +s id
  2. Check that it is working (elevate privs inside container)
$ docker run --rm -ti -v `pwd`:/test -u 1000:1000 centos:7 /test/id
uid=1000 gid=1000 euid=0(root) egid=0(root) groups=0(root)
  3. Check that no-new-privs is working
$ docker run --rm -ti -v `pwd`:/test -u 1000:1000 --name nnp-test --security-opt no-new-privileges centos:7
bash-4.2$ /test/id
uid=1000 gid=1000 groups=1000
  4. Check that no-new-privs is working with docker exec (in another terminal, leaving the container from previous step running)
$ docker exec -ti -u 1000:1000 nnp-test /test/id
uid=1000 gid=1000 euid=0(root) egid=0(root) groups=0(root)

Describe the results you received: Even though the container was started with --security-opt no-new-privileges, privilege elevation was possible through docker exec

Describe the results you expected: No privilege elevation.

Output of docker version:

Client:
 Version:           18.06.0-ce
 API version:       1.38
 Go version:        go1.10.3
 Git commit:        0ffa825
 Built:             Wed Jul 18 19:11:45 2018
 OS/Arch:           linux/amd64
 Experimental:      false

Server:
 Engine:
  Version:          18.06.0-ce
  API version:      1.38 (minimum version 1.12)
  Go version:       go1.10.3
  Git commit:       0ffa825
  Built:            Wed Jul 18 19:14:07 2018
  OS/Arch:          linux/amd64
  Experimental:     false

Output of docker info:

Server Version: 18.06.0-ce
Storage Driver: overlay2
 Backing Filesystem: xfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: d64c661f1d51c48782c9cec8fda7604785f93587
runc version: 69663f0bd4b60df09991c08812a60108003fa340
init version: fec3683
Security Options:
 seccomp
  Profile: default
Kernel Version: 4.17.14-202.fc28.x86_64
Operating System: Fedora 28 (Twenty Eight)
OSType: linux
Architecture: x86_64
CPUs: 8
Total Memory: 15.53GiB
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

closed time in 10 days

margana

issue comment moby/moby

docker exec does not obey --security-opt no-new-privileges

Thanks for pointing this out @pjbgf

Going to close this since it seems like this is resolved, but feel free to discuss. Let me know if that's incorrect.

margana

comment created time in 10 days

pull request comment moby/moby

Add Thomas H. Cormen to names generator

Thanks. Can you also add a female to the list?

https://github.com/moby/moby/blob/9363db2c7e4fa7cb04a84aa821a1d0e2f4168c36/pkg/namesgenerator/names-generator.go#L121

francoraphael

comment created time in 10 days

issue comment virtual-kubelet/virtual-kubelet

kubectl exec api conn idleTimeout 30s too short.

If the Kubelet API has a param for this we could add support for it. Otherwise, the design of this package is such that you can bring your own handlers.

lauly

comment created time in 10 days

Pull request review comment virtual-kubelet/virtual-kubelet

After handling status update, reset update timer with correct duration

 func (n *NodeController) controlLoop(ctx context.Context) error { 			return nil 		case updated := <-n.chStatusUpdate: 			var t *time.Timer+			var resetDuration time.Duration
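Review bot: `var t *time.Timer` and the added `var resetDuration time.Duration` are both declared inside the `case updated := <-n.chStatusUpdate:` arm, so they are re-zeroed on every status update and the chosen reset duration has to be recomputed each time; declare both once before the loop and have the case body only assign to them, which also keeps the timer/interval selection in one place.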

Maybe we can set this before we start the loop?

tghartland

comment created time in 11 days

issue comment docker/for-linux

Ubuntu become too slow after i upgraded from 19.04 to 19.10

Do you have more details? Please fill out all the bug report information. "Ubuntu became slow" doesn't even look like a bug report for docker.

Closing for now but feel free to ping back and we can open it back up.

Thanks!

dracesh

comment created time in 14 days

issue closed docker/for-linux

Ubuntu become too slow after i upgraded from 19.04 to 19.10

<!-- This issue tracker is for bug reports and feature requests. For questions, and getting help on using docker:

  • Docker documentation - https://docs.docker.com
  • Docker Forums - https://forums.docker.com
  • Docker community Slack - https://dockercommunity.slack.com/ (register here: http://dockr.ly/community)
  • Post a question on StackOverflow, using the Docker tag -->
  • [x] This is a bug report
  • [ ] This is a feature request
  • [ ] I searched existing issues before opening this one

<!-- DO NOT report security issues publicly! If you suspect you discovered a security issue, send your report privately to security@docker.com. -->

Expected behavior

Actual behavior

Steps to reproduce the behavior

<!-- Describe the exact steps to reproduce. If possible, provide a minimum reproduction example; take into account that others do not have access to your private images, source code, and environment.

REMOVE SENSITIVE DATA BEFORE POSTING (replace those parts with "REDACTED") -->

Output of docker version:

(paste your output here)

Output of docker info:

(paste your output here)

Additional environment details (AWS, VirtualBox, physical, etc.)

closed time in 14 days

dracesh

issue comment virtual-kubelet/virtual-kubelet

VK v1.1.0 crash when provider returns nil, nil from GetPodStatus() during new creations

FYI we released 1.2.0. We re-added support for synchronous providers. The crash should be fixed in the new implementation.

ibabou

comment created time in 14 days

issue comment moby/moby

COPY with excluded files is not possible

I can't speak for every maintainer, but I have spoken to @tonistiigi a month or so ago about this and IIRC the biggest hurdle is how this relates to dockerignore, the syntax, etc. (and the fact that dockerignore is insufficient syntactically).

The change would need to go into buildkit.

bronger

comment created time in 14 days

issue comment moby/moby

COPY with excluded files is not possible

It's not controversial, it requires work.

bronger

comment created time in 14 days

issue comment moby/moby

COPY with excluded files is not possible

With buildkit the cache is not dependent on the parent image like it is pre-buildkit. So yes with the mentioned rsync solution you will take a hit in that you'll need to sync every time there is some change, but subsequent stages will be cached based on content, and if the content of what is transferred is not changed then... at least in my complete on the spot theory those stages should use the cache.

bronger

comment created time in 15 days

delete branch cpuguy83/virtual-kubelet

delete branch : add_sync_provider_support

delete time in 15 days

created tag virtual-kubelet/virtual-kubelet

tag v1.2.0

Virtual Kubelet is an open source Kubernetes kubelet implementation.

created time in 15 days

release virtual-kubelet/virtual-kubelet

v1.2.0

released time in 15 days

pull request comment moby/moby

Update Resources struct to support hugepages

Can we consolidate these PR's? I think the commits could even be squashed.

Also need to update swagger definition.

bg-chun

comment created time in 15 days

Pull request review comment virtual-kubelet/virtual-kubelet

Add flags to tune GC behaviour

 type PodControllerConfig struct { 	ConfigMapInformer corev1informers.ConfigMapInformer 	SecretInformer    corev1informers.SecretInformer 	ServiceInformer   corev1informers.ServiceInformer++	PodDeletionPolicy PodDeletionPolicy
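Review bot: the new exported `PodDeletionPolicy` field on `PodControllerConfig` has no doc comment, and nothing in the hunk states what its zero value means for existing callers that build the struct without setting it; add a comment above the field that names the default behaviour (for example that the zero value preserves the current deletion behaviour) so that adding the field is not a silent behaviour change.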

My worry is this can't possibly handle all cases just the common ones and I can see needing to scrap this in the future.

We should also avoid requiring changes in the core in order to support an edge case.

sargun

comment created time in 15 days

Pull request review comment moby/moby

No more dev tools

 ARG PRODUCT ENV PRODUCT=${PRODUCT} ARG DEFAULT_PRODUCT_LICENSE ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}+ARG DOCKER_BUILDTAGS+ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"+ENV PREFIX=/build+# TODO: This is here because hack/make.sh binary copies these extras binaries+# from $PATH into the bundles dir.+# It would be nice to handle this in a different way.+COPY --from=tini /build/ /usr/local/bin/+COPY --from=runc /build/ /usr/local/bin/+COPY --from=containerd /build/ /usr/local/bin/+COPY --from=rootlesskit /build/ /usr/local/bin/+COPY --from=proxy /build/ /usr/local/bin/
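Review bot: the five `COPY --from=<stage> /build/ /usr/local/bin/` lines copy each stage's entire `/build/` directory onto `PATH`, so anything those stages leave in `/build/` besides the intended binary lands in the image and becomes executable from the build environment; copying the specific binaries by name (e.g. `COPY --from=tini /build/docker-init /usr/local/bin/`, path assumed) would both bound what ends up on `PATH` and make the list the TODO comment refers to explicit in one place. Minor: `ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"` is quoted while the neighbouring `ENV PRODUCT=${PRODUCT}` and `ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}` are not; pick one style.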

Fixed

cpuguy83

comment created time in 16 days

push event cpuguy83/docker

Brian Goff

commit sha 615f2fe60cbe1cde129c2433d40e744cdae583ef

binary targets do not need the dev environment

This makes the binary build targets use a minimal build env instead of having to build all the stuff needed for the full dev environment.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


Brian Goff

commit sha 2774e590023f31f1a48a3321f7263a20dde6f3a3

Use -X ldflags to set dockerversion package vars

This eliminates the need to lay down an auto-generated file. IIRC this was originally added for gccgo which we no longer support.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


Brian Goff

commit sha 7fe342dce308c482506e5d9e79f354d7f554938c

Add support for outputting binaries to custom dir

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


Brian Goff

commit sha 2b8c638083e96568d9340df275ccd04c6627dd0d

Bind-mount context for Dockerfile build targets

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


Brian Goff

commit sha 1499b27e82771c3ed6d8320fb06f4b5531c809e9

Add Dockerfile to .dockerignore

The Dockerfile is not needed in any of the build targets. The one exception may be the dev image, however in most cases the docker source will be bind mounted into the container anyway.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


push time in 16 days

Pull request review comment moby/moby

No more dev tools

 ARG PRODUCT ENV PRODUCT=${PRODUCT} ARG DEFAULT_PRODUCT_LICENSE ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}+ARG DOCKER_BUILDTAGS+ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"+ENV PREFIX=/build+# TODO: This is here because hack/make.sh binary copies these extras binaries+# from $PATH into the bundles dir.+# It would be nice to handle this in a different way.

Basically my worry here is we have this list of commands that need to be copied as part of a build and different lists get out of sync.

cpuguy83

comment created time in 16 days

Pull request review comment moby/moby

No more dev tools

 ARG PRODUCT ENV PRODUCT=${PRODUCT} ARG DEFAULT_PRODUCT_LICENSE ENV DEFAULT_PRODUCT_LICENSE=${DEFAULT_PRODUCT_LICENSE}+ARG DOCKER_BUILDTAGS+ENV DOCKER_BUILDTAGS="${DOCKER_BUILDTAGS}"+ENV PREFIX=/build+# TODO: This is here because hack/make.sh binary copies these extras binaries+# from $PATH into the bundles dir.+# It would be nice to handle this in a different way.

Here is the logic: https://github.com/moby/moby/blob/c36460c437c8c515c543dd31afcbb5c2a9f5dd48/hack/make/binary-daemon#L4-L31

So we can add them anywhere into PATH, or add anywhere to PATH, or just copy them manually. I wanted to reduce redundant code as much as possible here. The other thing that makes it kinda tricky is each build target builds in a subdir, like bundles/binary-daemon and bundles/dynbinary-daemon, so I'd have to do this copy twice.

I could bind-mount the files in and update PATH to include each one, but this would only reduce the amount of copying we are doing.

cpuguy83

comment created time in 16 days

push event cpuguy83/docker

Brian Goff

commit sha a75768fa276e03f5cab83c94ff85df6eb9669040

Add support for outputting binaries to custom dir

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


Brian Goff

commit sha 228d4162fffdb97bd854c3c2803adcc6411ec0cb

Bind-mount context for Dockerfile build targets

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


Brian Goff

commit sha 8f477f26c94bdae68905809e8900294885169b0d

Add Dockerfile to .dockerignore

The Dockerfile is not needed in any of the build targets. The one exception may be the dev image, however in most cases the docker source will be bind mounted into the container anyway.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>


push time in 16 days

PR opened moby/moby

No more dev tools

More optimizations for the Dockerfile

  1. Do not use the dev target for building binaries since we don't need all that stuff. This is much faster since we don't need to compile things like CRIU.
  2. Do not use autoversion
  3. Allow bind-mounting the build context to the binary target stages instead of copying.
  4. Do not include Dockerfile or .gitignore in build context (maybe controversial):
     i. Prevents rebuilding things just because there is some change in either of these files.
     ii. Is not needed since we don't do nested build.

+56 -64

0 comment

5 changed files

pr created time in 16 days

create branch cpuguy83/docker

branch : no_more_dev_tools

created branch time in 16 days

push event moby/moby

Justen Martin

commit sha 3b49bd1d840d64ec603333eae28655b9ff5edc0c

replaced call to deprecated grpc method WithDialer with WithContextDialer

Signed-off-by: Justen Martin <jmart@the-coder.com>


Brian Goff

commit sha 47c5c67ed825589b0d88d98d05d81c5d22b3e9a9

Merge pull request #40032 from jmartin84/fix-grpc-withdialer-deprecation-warning

Fix grpc withdialer deprecation warning


push time in 16 days

PR merged moby/moby

Fix grpc withdialer deprecation warning

Labels: area/testing, kind/refactor, process/cherry-pick, status/2-code-review

closes #39928

- What I did: Removed deprecation warning for grpc.WithDialer

- How I did it: Replaced WithDialer with WithContextDialer; that change required me to pull in a newer version of containerd, which ended up requiring a newer version of buildkit

- How to verify it: Ran unit tests

- Description for the changelog: Bumped buildkit and containerd, fixed deprecation warning for WithDialer

- A picture of a cute animal (not mandatory but encouraged)


+1 -5

7 comments

2 changed files

jmartin84

pr closed time in 16 days

issue closed moby/moby

Fixme: SA1019: grpc.WithDialer is deprecated

Tracking issue for some remaining linting issues to be fixed after https://github.com/moby/moby/pull/39668 is merged.

daemon/daemon.go:885:3:                               SA1019: grpc.WithDialer is deprecated: use WithContextDialer instead.  Will be supported throughout 1.x.  (staticcheck)

These warnings are currently suppressed in hack/validate/golangci-lint.yml (after https://github.com/moby/moby/pull/39668 is merged), so when this is fixed, those lines should be removed

closed time in 16 days

thaJeztah

create branch cpuguy83/docker

branch : autoversion

created branch time in 16 days

issue comment docker/cli

Docker log rotation is not working the container log keeps on growing

This looks like compose is not passing down the options for some reason. I'm not intimately familiar with the compose schema here.

Doing a docker run manually with log options works just fine.

avi-kalar

comment created time in 16 days

pull request comment moby/moby

Header to explicit raw-stream implementation being used

That sounds about right to me.

ndeloof

comment created time in 16 days
