Derek McGowan dmcgowan Docker San Francisco

issue comment containerd/containerd

containerd can't pull image from Github Docker Package Registry

@pathcl We outlined the problem very clearly with what is not working with the Github registry, please read above before commenting. They are not implementing the distribution specification, so clients are having trouble.

csantanapr

comment created time in 7 hours

issue comment docker/distribution

HTTP API Tags Paginated not work

This is the last pending issue for full conformance with OCI distribution specification

cloverstd

comment created time in 6 days

push event containerd/containerd

Shengjing Zhu

commit sha 1189cc40f2bea63d2d381a4c95617c869c5c99cc

snapshots: fix flaky TestMetastore https://logs.openlabtesting.org/logs/62/3962/35a8e6e589eb37a73f94cdbd5c8d7938b2b04140/check/containerd-build-arm64/de237af/logs/make_test.txt --- FAIL: TestMetastore (18.27s) --- FAIL: TestMetastore/GetInfo (13.91s) metastore_test.go:242: assertion failed: --- expected +++ info {snapshots.Info}.Created: -: s"0001-01-01 00:00:00 +0000 UTC" +: s"2020-01-15 14:15:38.71882571 +0000 UTC" {snapshots.Info}.Updated: -: s"0001-01-01 00:00:00 +0000 UTC" +: s"2020-01-15 14:15:38.71882571 +0000 UTC" : on key committed-1 Signed-off-by: Shengjing Zhu <zhsj@debian.org>

Derek McGowan

commit sha b8797016bb34650f4c6dbec36e8407cc650147ec

Merge pull request #3964 from zhsj/flaky-metastore-test snapshots: fix flaky TestMetastore

push time in 6 days

PR merged containerd/containerd

snapshots: fix flaky TestMetastore

Today in my two PRs (#3962, #3963), the openlab-ci bot sometimes reports failure...

For example,

https://logs.openlabtesting.org/logs/62/3962/35a8e6e589eb37a73f94cdbd5c8d7938b2b04140/check/containerd-build-arm64/de237af/logs/make_test.txt

--- FAIL: TestMetastore (18.27s)
    --- FAIL: TestMetastore/GetInfo (13.91s)
        metastore_test.go:242: assertion failed:
            --- expected
            +++ info
            {snapshots.Info}.Created:
            	-: s"0001-01-01 00:00:00 +0000 UTC"
            	+: s"2020-01-15 14:15:38.71882571 +0000 UTC"
            {snapshots.Info}.Updated:
            	-: s"0001-01-01 00:00:00 +0000 UTC"
            	+: s"2020-01-15 14:15:38.71882571 +0000 UTC"
            : on key committed-1

It seems the test runs 13.91s...

+1 -1

2 comments

1 changed file

zhsj

pr closed time in 6 days

Pull request review comment notaryproject/requirements

Notary v2 initial scenarios

+# Notary Signing - Scenarios++As containers and cloud native artifacts become the common unit of deployment, users want to know the artifacts in their private registries and the artifacts deployed are the same artifacts that were initially published.++The [OCI TOB][oci-tob] has adopted [OCI Artifacts][artifacts-repo], generalizing container images as one of many types of artifacts that may be stored in a registry. Other artifact types currently include:++* [Helm Charts][helm-registry]+* [Singularity][singularity]+* Car firmware updates, deployed from OCI Artifact registries++## The Need for a Generalized Signing Solution++This document serves as the requirements and constraints of a generalized signing solution. It focuses on the scenarios and needs, and very specifically avoids any reference to other projects or implementations. As our working group forms a consensus on the requirements, the group will then transition to a spec.+++## Key Stake Holders & Contributors++As we identify the requirements and constraints, a number of key contributors will be asked to represent their requirements and constraints.++> Please add companies, projects, products that you believe should be included.++* Registry Cloud Operators+  * [Azure Container Registry (acr)][acr] - Steve Lasker <steve.lasker@microsoft.com> (@stevelasker)+  * [AWS Container Registry (ecr)][ecr] - Omar Paul <omarpaul@amazon.com>+  * [Docker Hub][docker-hub]+  * [Google Container Registry (gcr)][gcr]+  * [GitHub Package Registry (gpr)][gpr]+  * [Quay][quay]+  * [IBM Cloud Container Registry (icr)][icr]+* Registry Vendors, Projects & Products+  * [Docker Trusted Registry][docker-dtr]+  * [Harbor][harbor]+  * [JFrog Artifactory][jfrog]+* Artifact Types+  * Container Images - OCI Org+  * Helm Charts+  * Singularity+  * Operator Bundles++## Scenarios++### Scenario #1: Local Build, Sign, Validate++Prior to doing any deployment, a developer can test the: build, sign, validate scenario.++1. 
Locally build a container image using a non-registry specific `name:tag`, such as:  
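
Review bot: In Scenario #1, step 1, "a non-registry specific `name:tag`" is not defined anywhere in the added text, so a reader cannot tell whether such a name means an artifact with no registry association or shorthand that a client expands to a default registry. Define the term before the first scenario, or use fully qualified names in the examples. Smaller points: "Key Stake Holders" should read "Key Stakeholders", and "a developer can test the: build, sign, validate scenario" has a stray colon.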

So, we just need to agree that an Artifact that doesn't have a domain, isn't associated with any registry. Which isn't an error, it's just a state.

I think we should be careful here though. I have come to the conclusion that partial names are actually worse than no name at all. For example, in the OCI index specification it tried to define the reference name as only a tag component of a name (such as say "v1.0.0"), however, this made these images unable to be imported by clients without specifying the rest of the name and making a decision (which allows for opinionated interpretation) of how the full name would get reconstructed. Without a name, it is clear that a name should be provided and it can be anything. With a full name, also clear with assigning a new name a common and understood mechanism.

I would suggest either recommending full names which include the registry or using a label which represents the "partial name". Just avoid having an ambiguous field that requires the client to figure out how to interpret the string, even just identifying domain/no domain isn't always straightforward to implement.

SteveLasker

comment created time in 6 days

issue comment containerd/typeurl

Create release tag

I propose a simple v1.0.0

Any reason to do 1.x.x instead of 0.x.x? For our libraries and non-release repositories, it seems better to avoid the headaches associated with the "guarantees" around the Go interfaces when doing 1.0 and avoid confusion related to the containerd release numbers. Just a feeling though, I don't feel super strong about it but am curious if anyone else has any opinions.

estesp

comment created time in 6 days

push event containerd/typeurl

徐敏才

commit sha a1e455d55b64d818790940929bc5055f65f81096

fix 404 link Signed-off-by: 徐敏才 <hmilym@gmail.com> Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Derek McGowan

commit sha fe1d0d650e42c1cfb43c8ba9e22e9f1470c9102b

Merge pull request #16 from estesp/carry-10 fix 404 link

push time in 6 days

PR merged containerd/typeurl

fix 404 link

Carry #10 from @xumc

Closes: #7

Signed-off-by: 徐敏才 <hmilym@gmail.com>
Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

+1 -1

0 comment

1 changed file

estesp

pr closed time in 6 days

issue closed containerd/typeurl

Broken link in Readme

The Readme links to protobuf.Any which does not exist. A bit more explanation in the Readme would be welcome :)

closed time in 6 days

elboulangero

Pull request review comment notaryproject/requirements

Notary v2 initial scenarios

+# Notary Signing - Scenarios++As containers and cloud native artifacts become the common unit of deployment, users want to know the artifacts in their private registries and the artifacts deployed are the same artifacts that were initially published.++The [OCI TOB][oci-tob] has adopted [OCI Artifacts][artifacts-repo], generalizing container images as one of many types of artifacts that may be stored in a registry. Other artifact types currently include:++* [Helm Charts][helm-registry]+* [Singularity][singularity]+* Car firmware updates, deployed from OCI Artifact registries++## The Need for a Generalized Signing Solution++This document serves as the requirements and constraints of a generalized signing solution. It focuses on the scenarios and needs, and very specifically avoids any reference to other projects or implementations. As our working group forms a consensus on the requirements, the group will then transition to a spec.+++## Key Stake Holders & Contributors++As we identify the requirements and constraints, a number of key contributors will be asked to represent their requirements and constraints.++> Please add companies, projects, products that you believe should be included.++* Registry Cloud Operators+  * [Azure Container Registry (acr)][acr] - Steve Lasker <steve.lasker@microsoft.com> (@stevelasker)+  * [AWS Container Registry (ecr)][ecr] - Omar Paul <omarpaul@amazon.com>+  * [Docker Hub][docker-hub]+  * [Google Container Registry (gcr)][gcr]+  * [GitHub Package Registry (gpr)][gpr]+  * [Quay][quay]+  * [IBM Cloud Container Registry (icr)][icr]+* Registry Vendors, Projects & Products+  * [Docker Trusted Registry][docker-dtr]+  * [Harbor][harbor]+  * [JFrog Artifactory][jfrog]+* Artifact Types+  * Container Images - OCI Org+  * Helm Charts+  * Singularity+  * Operator Bundles++## Scenarios++### Scenario #1: Local Build, Sign, Validate++Prior to doing any deployment, a developer can test the: build, sign, validate scenario.++1. 
Locally build a container image using a non-registry specific `name:tag`, such as:  

Not sure what you mean by "the default registry issue". If you try to push an image called hello-world:1 with the containerd client (or ctr) it will spit it back out at you for not defining a registry. If you put hello-world:1 into Docker or Kubernetes (CRI), it will interpret it as docker.io/library/hello-world:1. This won't ever change in Docker and likely never will in Kubernetes (CRI) either since it would just break everyone for no real usability gain. From a notary perspective, it should only ever see docker.io/library/hello-world:1 and leave it to the clients to take care of interpreting short names according to their own UX experience. I wouldn't really categorize it as the dreaded default registry though, each client is free to make their own opinionated UX. Notary should have no opinions at its core, in its tool, or in its documentation. I would suggest just using examples which include a full registry name except where you are explicitly giving an example of an official image in the Docker UX.

SteveLasker

comment created time in 7 days

pull request comment containerd/containerd

Use utf8.RuneCountInString instead of len to handle certain characters like "─"

Right now I think we should stick to ASCII and the format used by Docker, at least in terms of what is supported by ctr. While handling UTF8 makes sense, this function is trying to estimate based on a fixed width, which neither rune count nor byte count can reliably give us when non-ASCII. Consider this case...

package main

import (
	"fmt"
	"unicode/utf8"
)

func main() {
	str := "中文"
	length := len(str)                   // number of bytes
	count := utf8.RuneCountInString(str) // number of runes
	fmt.Println(length, count)
	fmt.Println("123456")
	fmt.Println(str)
}

Gives an output of

6 2
123456
中文

Here byte count gives 6, rune count gives 2, but the actual width on the console is 4.

You might know a better solution to this, in which case having better UTF-8 support on the terminal is very welcome. I don't think this change gets us there though.

yeahdongcn

comment created time in 8 days

push event containerd/containerd

Sebastiaan van Stijn

commit sha 77a3780c25735901928284496efc4b6349de328c

vendor: bump beorn7/perks v1.0.1 full diff: https://github.com/beorn7/perks/compare/4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9...v1.0.1 - beorn7/perks#3 Avoid iterating on maps - Speed up InsertTargeted* functions by at least 2x by avoiding iterating on maps. - beorn7/perks#4 Fixed format error - Use 1000000 instead of 1e6 for int constant - Add go module support Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha c02dc24ecfa6b46f8575a170f90498d89115e492

vendor: bump prometheus/client_model v0.1.0 full diff: https://github.com/prometheus/client_model/compare/99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c...v0.1.0 - prometheus/client_model#22 add `go_package`, regenerate Go binding file - prometheus/client_model#31 Support Go Modules - prometheus/client_model#38 Remove all languages but Go and add a deprecation note Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha ed6ae818612b8f08dfa319eb40aea1aab286c979

vendor: bump prometheus/common v0.7.0 full diff: https://github.com/prometheus/common/compare/89604d197083d4781071d3c65855d24ecfb0a563...v0.7.0 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 99911ea668437cb0dcd30d67fcf3d7fb86238a95

vendor: bump prometheus/procfs v0.0.8 full diff: https://github.com/prometheus/procfs/compare/cb4147076ac75738c9a7d279075a253c0cc5acbd...v0.0.8 Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 04506b87d65a3390656de6f9e5de8d84d0270567

vendor: bump docker/go-metrics v0.0.1: full diff: https://github.com/docker/go-metrics/compare/4ea375f7759c82740c893fc030bc37088d2ec098...v0.0.1 - docker/go-metrics#15 Add functions that instruments http handler using promhttp - docker/go-metrics#20 Rename LICENSE.code → LICENSE - docker/go-metrics#22 Support Go Modules Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 845b91d6b5431433cf2b33a21bd921d5b23ec432

vendor: bump prometheus/client_golang v0.9.4 full diff: https://github.com/prometheus/client_golang/compare/f4fb1b73fb099f396a7f0036bf86aa8def4ed823...v0.9.4 version v0.9.0 is the minimum tagged version to work with go-metrics v0.0.1, as it depends on `prometheus.Observer`: vendor/github.com/docker/go-metrics/timer.go:39:4: undefined: prometheus.Observer Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha e10c911876614cef082e988f7b14c4d008370165

vendor: bump prometheus/client_golang v1.1.0 full diff: https://github.com/prometheus/client_golang/compare/v0.9.4...v1.1.0 Using v1.1.0, because version v1.2.0 and up use versioned import paths for the github.com/cespare/xxhash/v2 dependency (prometheus/client_golang#657), which causes vendoring with vndr to break due to the v2 in the import-path. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 2f0db8e2a81319b3e48bc6e3d433b10090bd5f50

vendor: bump prometheus/client_golang v1.3.0 full diff: https://github.com/prometheus/client_golang/compare/v1.1.0...v1.3.0 This requires LK4D/vndr v0.1.0 or newer for vendoring; also adds a new dependency: github.com/cespare/xxhash Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Derek McGowan

commit sha bb9d4e8bf22e802301ffab4d3bc247659b9f5dbe

Merge pull request #3959 from thaJeztah/bump_prometheus Bump prometheus/client_golang and dependencies v1.3.0

push time in 8 days

PR merged containerd/containerd

Bump prometheus/client_golang and dependencies v1.3.0

Updates prometheus to v1.3.0; given that this dependency wasn't updated for a while, doing so in some steps;

vendor: bump beorn7/perks v1.0.1

full diff: https://github.com/beorn7/perks/compare/4c0e84591b9aa9e6dcfdf3e020114cd81f89d5f9...v1.0.1

  • beorn7/perks#3 Avoid iterating on maps
    • Speed up InsertTargeted* functions by at least 2x by avoiding iterating on maps.
  • beorn7/perks#4 Fixed format error
  • Use 1000000 instead of 1e6 for int constant
  • Add go module support

vendor: bump prometheus/client_model v0.1.0

full diff: https://github.com/prometheus/client_model/compare/99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c...v0.1.0

  • prometheus/client_model#22 add go_package, regenerate Go binding file
  • prometheus/client_model#31 Support Go Modules
  • prometheus/client_model#38 Remove all languages but Go and add a deprecation note

vendor: bump prometheus/common v0.7.0

full diff: https://github.com/prometheus/common/compare/89604d197083d4781071d3c65855d24ecfb0a563...v0.7.0

vendor: bump prometheus/procfs v0.0.8

full diff: https://github.com/prometheus/procfs/compare/cb4147076ac75738c9a7d279075a253c0cc5acbd...v0.0.8

vendor: bump docker/go-metrics v0.0.1:

full diff: https://github.com/docker/go-metrics/compare/4ea375f7759c82740c893fc030bc37088d2ec098...v0.0.1

  • docker/go-metrics#15 Add functions that instruments http handler using promhttp
  • docker/go-metrics#20 Rename LICENSE.code → LICENSE
  • docker/go-metrics#22 Support Go Modules

vendor: bump prometheus/client_golang v0.9.4

full diff: https://github.com/prometheus/client_golang/compare/f4fb1b73fb099f396a7f0036bf86aa8def4ed823...v0.9.4

version v0.9.0 is the minimum tagged version to work with go-metrics v0.0.1, as it depends on prometheus.Observer:

vendor/github.com/docker/go-metrics/timer.go:39:4: undefined: prometheus.Observer

vendor: bump prometheus/client_golang v1.1.0

full diff: https://github.com/prometheus/client_golang/compare/v0.9.4...v1.1.0

Using v1.1.0, because version v1.2.0 and up use versioned import paths for the github.com/cespare/xxhash/v2 dependency (prometheus/client_golang#657), which causes vendoring with vndr to break due to the v2 in the import-path.

vendor: bump prometheus/client_golang v1.3.0

full diff: https://github.com/prometheus/client_golang/compare/v1.1.0...v1.3.0

This requires LK4D/vndr v0.1.0 or newer for vendoring; also adds a new dependency: github.com/cespare/xxhash

+7703 -2599

2 comments

102 changed files

thaJeztah

pr closed time in 8 days

pull request comment containerd/containerd

always try the next host for any non-OK response on manifest resolve

The last rebase/merge seems to have gone bad. Try to rebase your commits into a single commit, then rebase that commit on master. For a change of this size, there should not be multiple commits and never any merge commits in your dev branch.

fahedouch

comment created time in 8 days

PR opened containerd/project

Add Boris Popovschi as reviewer

Boris has been making significant and meaningful contributions to containerd, especially with cgroups, and should be recognized as a reviewer.

5 maintainer LGTM required (1/3) + new reviewer

  • [ ] @Zyqsempai (required)
  • [ ] @estesp
  • [ ] @mxpv
  • [ ] @AkihiroSuda
  • [ ] @crosbymichael
  • [x] @dmcgowan
  • [ ] @jterry75
  • [ ] @mlaventure
  • [ ] @stevvooe
  • [ ] @dchen1107
  • [ ] @Random-Liu
  • [ ] @mikebrow
  • [ ] @yujuhong
  • [ ] @fuweid
+1 -0

0 comment

1 changed file

pr created time in 8 days

create branch dmcgowan/project

branch : add-boris-reviewer

created branch time in 8 days

pull request comment containerd/containerd.io

Added aria-label tags for twitter image in home page

ping @surya474

please update the wording

surya474

comment created time in 8 days

PR opened containerd/containerd

[release/1.3] Fix filter errors

Prevent error messages from being output to stderr. Return illegal token when a quoted string is invalid and capture the error.

This issue occurs on the daemon and is a good candidate to backport.

+103 -20

0 comment

5 changed files

pr created time in 12 days

create branch dmcgowan/containerd

branch : backport-1.3-filters-fix

created branch time in 12 days

pull request comment containerd/containerd.io

Create GitHub Action to sync RELEASES.md

Let's try it out, LGTM

estesp

comment created time in 12 days

PR opened containerd/containerd

Fix filter errors

Prevent error messages from being output to stderr. Return illegal token when a quoted string is invalid and capture the error.

+103 -20

0 comment

5 changed files

pr created time in 13 days

create branch dmcgowan/containerd

branch : fix-printf-scanner-error

created branch time in 13 days

push event dmcgowan/containerd

Derek McGowan

commit sha 4d9162c68f692463948fd662e1264e2e4ba08c66

Skip failing root tests in user namespace The archive test requires a user id space larger than the 65k commonly used for user namespaces. Devices cannot be created in user namespace, skip tests which fail in the user namespace context. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 13 days

push event dmcgowan/containerd

Derek McGowan

commit sha a3fea8db868c90ac812c852500a14b89fc376969

Skip archive issue test in user namespace The archive test requires a user id space larger than the 65k commonly used for user namespaces. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 13 days

push event dmcgowan/containerd

Derek McGowan

commit sha 122382640d6e75c6f244e67a18f4133c237644f3

Skip integration tests on arm64 Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 13 days

pull request comment containerd/containerd

bump microsoft/hcsshim to 0.8.7

DCO is still required on vendor commits

wawa0210

comment created time in 13 days

push event dmcgowan/containerd

Derek McGowan

commit sha 4d7a10e6cbeded3d771f0ad8624233a72f660178

Skip integration tests on arm64 Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 13 days

PR opened containerd/containerd

[release/1.3] Add Makefile variable to skip test packages

Backport for 1.3 importers

+5 -0

0 comment

1 changed file

pr created time in 13 days

create branch dmcgowan/containerd

branch : backport-1.3-skip-tests

created branch time in 13 days

push event containerd/containerd

Shengjing Zhu

commit sha 054ce5844fa061759231528ba8fd761723d31449

platforms: fill default arm variant when parse platform specifier arm has been supported, but something is missing, causes test failure --- FAIL: TestParseSelector/linux (0.00s) platforms_test.go:292: arm support not fully implemented: not implemented --- FAIL: TestParseSelector/macOS (0.00s) platforms_test.go:292: arm support not fully implemented: not implemented Signed-off-by: Shengjing Zhu <zhsj@debian.org> (cherry picked from commit 90cd777a6c8c92c105625ba086e2e67a0c32d7ed) Signed-off-by: Shengjing Zhu <zhsj@debian.org>

Derek McGowan

commit sha bc7c9547b1453434e580a64039336fcd89a7d454

Merge pull request #3945 from zhsj/bpo-3939 [release/1.3 backport] platforms: fill default arm variant when parse platform specifier

push time in 13 days

push event opencontainers/go-digest

Jonathan Boulle

commit sha b74b8405fa6465d2ddf6a648999c8f08c5fccb2b

*: clarify we only deal with hex-encoded digests Also fixes a typo and adds one clarifying link in the README. Fixes #31 Signed-off-by: Jonathan Boulle <jonathanboulle@gmail.com>

Jonathan Boulle

commit sha d1caf2031586d7b12ff6d6a4dfca9ebfdb2722aa

doc: tweak wording around algorithms Signed-off-by: Jonathan Boulle <jonathanboulle@gmail.com>

Derek McGowan

commit sha 998894bda92c78ec6b32ae48b1ea3d9828513e96

Merge pull request #32 from jonboulle/master *: clarify we only deal with hex-encoded digests

push time in 13 days

PR merged opencontainers/go-digest

*: clarify we only deal with hex-encoded digests

Also fixes a typo and adds one clarifying link in the README.

Fixes #31

+13 -5

4 comments

2 changed files

jonboulle

pr closed time in 13 days

issue closed opencontainers/go-digest

Hardcoded assumptions that the hash will be encoded in hex

The docs for Algorithm (now algorithm) made it clear that the algorithm identifier was intended to cover both the hash and encoding algorithms. @stevvooe confirmed this interpretation in recent comments as well. The idea is that a future algorithm may choose a non-hex encoding like base 64.

The current implementation, on the other hand, bakes the hex encoding into key locations (e.g. in NewDigestFromBytes and Digest.Validate). I suggest:

  • Defining an Encoding interface.
  • Adding an Algorithm.Encoding() Encoding method.
  • Adding an Algorithm.HashSize() int method.
  • Updating go-descriptor to use those instead of the currently-hard-coded hex assumptions.

I've floated an implementation in #30 if folks want to see how that works out.

Alternative solutions include giving up on alternatives and just requiring all hashes to be hex-encoded. Or some other API for pushing encoding information into the Algorithm instances.

Thoughts?

closed time in 13 days

wking

pull request comment opencontainers/go-digest

*: clarify we only deal with hex-encoded digests

LGTM

jonboulle

comment created time in 13 days

push event opencontainers/go-digest

Sebastiaan van Stijn

commit sha 232efbd85dd967e2700cc4f938c43d48ad4c6c30

travis: update list of go versions removes go 1.11 and lower as they are now obsolete, and adds go 1.12 and 1.13, which are the currently supported versions. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Derek McGowan

commit sha 76a4f527f297dedbcf34bc901aacac258074e12f

Merge pull request #49 from thaJeztah/update_go_versions travis: update list of go versions

push time in 13 days

PR merged opencontainers/go-digest

travis: update list of go versions

removes go 1.11 and lower as they are now obsolete, and adds go 1.12 and 1.13, which are the currently supported versions.

+2 -5

2 comments

1 changed file

thaJeztah

pr closed time in 13 days

pull request comment opencontainers/go-digest

travis: update list of go versions

LGTM

thaJeztah

comment created time in 13 days

PR opened opencontainers/go-digest

Update pull approve configuration

The current configuration does not work with approvals, this configuration is mirrored from the distribution spec which does work correctly.

+27 -11

0 comment

1 changed file

pr created time in 13 days

create branch dmcgowan/go-digest

branch : update-pull-approve

created branch time in 13 days

fork dmcgowan/go-digest

Common digest package used across the container ecosystem

https://www.opencontainers.org/

fork in 13 days

push event opencontainers/go-digest

Sebastiaan van Stijn

commit sha ac2cd61e1685a3cd084abfadd111bfe569cf02bc

Update Aaron's e-mail address Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Derek McGowan

commit sha f67466bad37558eda50c8ebf3581eb04aeff9490

Merge pull request #50 from thaJeztah/update_aaron_email Update Aaron's e-mail address

push time in 13 days

PR merged opencontainers/go-digest

Update Aaron's e-mail address

fixes https://github.com/opencontainers/go-digest/issues/41

+2 -1

3 comments

2 changed files

thaJeztah

pr closed time in 13 days

issue closed opencontainers/go-digest

Update @aaronlehmann contact

It looks like @aaronlehmann is a maintainer but the email is bad.

Are they still interested in being a maintainer and do they have a new email to use?

cc: @dmcgowan @opencontainers/go-digest-maintainers

closed time in 13 days

caniszczyk

pull request comment opencontainers/go-digest

Update Aaron's e-mail address

LGTM

thaJeztah

comment created time in 13 days

push event dmcgowan/containerd

Akihiro Suda

commit sha e739314ed421ecf10d52a47dcdf27859022fa124

mount: support FUSE helper When m.Type starts with either `fuse.` or `fuse3`, the mount helper binary `mount.fuse` or `mount.fuse3` is executed. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Kathryn Baldauf

commit sha a18f77bea0a7193b6594af3ca22cd2734d6dfb14

create local version of introspection service Signed-off-by: Kathryn Baldauf <kabaldau@microsoft.com>

Wei Fu

commit sha 5fc0f30167216f7b11de904df4df8b1c96290104

Merge pull request #3903 from katiewasnothere/local_introspection create local version of introspection service

Li Yuxuan

commit sha 1fb1d93212af763bd481b476293040b1566ae00b

v2: Fix missing ns when openShimLog on windows Related to https://github.com/containerd/containerd/pull/3921#discussion_r363046745 Signed-off-by: Li Yuxuan <liyuxuan04@baidu.com>

Wei Fu

commit sha 7c856d19804fa9516e793c055d16fa22d010c857

Merge pull request #3929 from darfux/v2_fix_win_ctx_ns v2: Fix missing ns when openShimLog on windows

Derek McGowan

commit sha b9fad5e310fafb453def5f1e7094f4c36a9806d2

Merge pull request #3765 from AkihiroSuda/mount-fuse mount: support FUSE helper

Akihiro Suda

commit sha 067a66b90a3bf0915ff34d5fa5bbc790ff625d77

.travis.yml: run test with crun Relates to #3727 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Wei Fu

commit sha d5714702d1f78ad1149e78e204db0b53611ddb3c

Merge pull request #3883 from AkihiroSuda/ci-crun .travis.yml: run test with crun

Akihiro Suda

commit sha a4b423b19b0b3f18bd4827afcd4a9c7ca4a6645a

overlay: test actual Opts AsynchronousRemove opt was untested while it is specified by default in the plugin init. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha b127b666aa679ab0ac50025e0741b54acd743496

ctr: support $CONTAINERD_ADDRESS env var `$CONTAINERD_ADDRESS` can be specified instead of the `ctr --address` flag. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Hu Shuai

commit sha 52e477f947434989e93d0a9c22a7389d08b9b056

Fix outdated comments Signed-off-by: Hu Shuai <hus.fnst@cn.fujitsu.com>

Shengjing Zhu

commit sha 465c11dc8736d3e2a9a3b76ece6abdeb63a2f676

Fix build with gccgo + archive: don't convert syscall.Timespec to unix.Timespec archive/tar_unix.go:179:76: error: invalid type conversion (cannot use type syscall.Timespec as type unix.Timespec) 179 | timespec := []unix.Timespec{unix.Timespec(fs.StatAtime(st)), unix.Timespec(fs.StatMtime(st))} + gccgo has no plugin support https://github.com/golang/go/issues/36403 + update github.com/containerd/continuity to include same fix for Timespec Signed-off-by: Shengjing Zhu <zhsj@debian.org>

Phil Estes

commit sha 82fdac1cd602fa3f1800d9fa82a9d3b90a0cf024

Merge pull request #3935 from zhsj/fix-gccgo Fix build with gccgo

Phil Estes

commit sha da2890a90826458c0573cdbc4e3e3768d69197b8

Merge pull request #3934 from AkihiroSuda/ctr-address-env ctr: support $CONTAINERD_ADDRESS env var

Michael Crosby

commit sha fda9cebc813b035be137d4d61f203e625623692c

Merge pull request #3936 from hs0210/work Fix outdated comments

Michael Crosby

commit sha 0d276ece0e280812297f20be5110800db6614c03

Merge pull request #3932 from AkihiroSuda/ovl-test-opts overlay: test actual Opts

Derek McGowan

commit sha 322d89b5b346ec851a013cb07698119459d60c14

Add arm64 build to Travis Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Derek McGowan

commit sha 29afb0dd41be047f29cc918e77b58cbd361300a1

Add sysinfo script Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Derek McGowan

commit sha d96e291d417c2773e53f8de4d06dcdf088aa340b

Update tar test to show chown error log Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 14 days

push event dmcgowan/containerd

Derek McGowan

commit sha e6aa5718475922d5d181393c87d6c4a2b07c477e

Add arm64 build to Travis Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Derek McGowan

commit sha 7cdf843c69ceb766d653044a59a40ca32b2af231

Add sysinfo script Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Derek McGowan

commit sha 5a3fcd5f877bc0c200fecdec43dc33cd65b0f624

Update tar test to show chown error log Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 14 days

PR opened containerd/containerd

Add Makefile variable to skip test packages

The package lists for testing/build are currently auto generated with no way to explicitly skip packages for test. This adds a variable which can be set to filter out packages.

Fixes #3940

+5 -0

0 comment

1 changed file

pr created time in 14 days

create branch dmcgowan/containerd

branch : skip_tests

created branch time in 14 days

issue comment containerd/containerd

Unable to disable devmapper tests

We normally try to avoid putting the build tags into the go packages themselves, but I can add a way to filter out specific tests run through the makefile.

rn

comment created time in 14 days

push event dmcgowan/containerd

Derek McGowan

commit sha 123af61c0bd897c0892d7a0fb51574a78698de8a

Add Cleanup to snapshot API Cleanup is an optional method a snapshotter may implement. Cleanup can be used to cleanup resources after a snapshot has been removed. This function allows a snapshotter to defer longer resource cleanup until after snapshot removals are completed. Adding this to the API allows proxy snapshotters to leverage this enhancement. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 14 days

issue opened cncf/devstats

Affiliation not showing up as expected

From the containerd devstats, one of our maintainers' contributions don't seem to be reflected for their company.

See company contributions from the last year https://containerd.devstats.cncf.io/d/5/companies-table?orgId=1&var-period_name=Last%20year&var-metric=contributions . Alibaba is listed with 3 contributions.

See PR authors in the same time period https://containerd.devstats.cncf.io/d/22/prs-authors-table?orgId=1&var-period_name=Last%20year&var-repogroup_name=All and fuweid shows up with 58 PRs. The comments also show 400+ in the same time period.

I checked the github json and see

...
    "login": "fuweid",
    "email": "fuweid89!gmail.com",
    "affiliation": "Cheetah Mobile < 2015-11-01, Alibaba",
...

I have made updates to the cncf/gitdm for some other contributors, but not sure how to correct this one since the affiliation already seems correct.

created time in 14 days

issue comment containerd/project

Add non-core project "remote-snapshotter" to containerd organization

I am fine pulling this in, but I think it needs to be scoped a little tighter and named accordingly. This is an implementation of an overlayfs snapshotter with remotely managed lower directories and currently backed by CRFS (with a plugin interface). There are many other ways we have discussed being able to do remote snapshotters, so we should avoid keeping the name so generic. I think it is best to focus on having a configurable snapshotter which can define a backend rather than having a single instance snapshotter with pluggable backends. That can be discussed as part of the project, but I think it is relevant here for scoping and naming the project in the containerd namespace.

ktock

comment created time in 14 days

Pull request review comment AkihiroSuda/containerd-fuse-overlayfs

add user namespace remapping through Labels

 func (o *snapshotter) mounts(s storage.Snapshot) []mount.Mount { 	}  	options = append(options, fmt.Sprintf("lowerdir=%s", strings.Join(parentPaths, ":")))+	if mapping, ok := info.Labels["containerd.io/snapshot/uidmapping"]; ok {+		options = append(options, fmt.Sprintf("uidmapping=%s", mapping))+	}+	if mapping, ok := info.Labels["containerd.io/snapshot/gidmapping"]; ok {+		options = append(options, fmt.Sprintf("gidmapping=%s", mapping))+	}
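
Review bot: The values of the `containerd.io/snapshot/uidmapping` and `containerd.io/snapshot/gidmapping` labels are formatted straight into the mount options with no validation. Labels are set by whoever creates the snapshot, so check each value before appending it, for example by rejecting one that contains a comma: mount options are comma-separated, and an unchecked value could add options of its own. Log and skip a malformed value rather than passing it through to the mount helper.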

Label looks good

liaojh1998

comment created time in 14 days

push event opencontainers/distribution-spec

Vincent Batts

commit sha 828fb626bfe4fbd1c7d65331450803c6a7165fc0

spec: JSON formating staggering amount of copy-pasta, and a little bit of indentations Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

Derek McGowan

commit sha 24a74a020dd6856f32f01bd08ecac4f79ead7919

Merge pull request #78 from vbatts/json_format spec: JSON formating

push time in 14 days

PR merged opencontainers/distribution-spec

spec: JSON formating

staggering amount of copy-pasta, and a little bit of indentations

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

+210 -200

2 comments

1 changed file

vbatts

pr closed time in 14 days

PR opened cncf/gitdm

Update containerd contributor affiliations

Updates for containerd reviewers and maintainers which are incorrectly altering our company dev stats output.

+6 -5

0 comment

2 changed files

pr created time in 14 days

create branch dmcgowan/gitdm

branch : update-containerd

created branch time in 14 days

fork dmcgowan/gitdm

📜Fork for tracking CNCF projects

https://cncf.io

fork in 14 days

pull request comment containerd/containerd

.travis.yml: run test with crun

All green now! Thanks @giuseppe

LGTM

AkihiroSuda

comment created time in 15 days

Pull request review comment opencontainers/distribution-spec

spec: `Location` can be absolute or relative

 Uploads are started with a POST request which returns a url that can be used to  The `Location` header will be used to communicate the upload location after each request. While it won't change in the this specification, clients SHOULD use the most recent value returned by the API.+Note that the `Location` header value returned may either be absolute or relative as described in

The "Note that" doesn't seem necessary, try "The Location header value MAY be either an absolute or relative URI as described in"

rchincha

comment created time in 15 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 067a66b90a3bf0915ff34d5fa5bbc790ff625d77

.travis.yml: run test with crun Relates to #3727 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 15 days

push event AkihiroSuda/containerd

Akihiro Suda

commit sha 2d23984e6b8883dfb7a0fdab31a0783213971f7e

.travis.yml: run test with crun Relates to #3727 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

push time in 15 days

push event AkihiroSuda/containerd

Derek McGowan

commit sha 30d92eff1c61d012be0053467f619974ad841698

Defer layer download until unpack Moves the content fetching into the unpack process and defers the download until the snapshot needs it and is ready to apply. As soon as a layer is reached which requires fetching, all remaining layers are fetched. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Jie Hao Liao

commit sha 51a6813c06030ae2b3fcf9ec068e4b39cd2d1e69

Split uid and gid user ns remapping in oci Signed-off-by: Jie Hao Liao <liaojh1998@gmail.com>

Daniel Bevenius

commit sha caeacfce34a9a5a042e8ef6d713defb9c5abe437

Correct grammar/typo in BUILDING.MD Signed-off-by: Daniel Bevenius <daniel.bevenius@gmail.com>

Michael Crosby

commit sha f0c6684ef1c4c111be5fa09079d128d3782d2211

Merge pull request #3884 from danbev/building-correction Correct grammar/typo in BUILDING.MD

Akihiro Suda

commit sha f01665aa02d8b26c581fdfcc93d837ce3b275edd

Merge pull request #3881 from liaojh1998/idmap Split uid and gid user ns remapping in oci

Akihiro Suda

commit sha 8f870c233f14fe9df47ef9defa42cf8517fb64e0

support cgroup2 * only shim v2 runc v2 ("io.containerd.runc.v2") is supported * only PID metrics is implemented. Others should be implemented in separate PRs. * lots of code duplication in v1 metrics and v2 metrics. Dedupe should be separate PR. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Akihiro Suda

commit sha b02e20f12e4faa07d4fba741337921968d901e9d

cgroup2: enable controllers automatically Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Jie Hao Liao

commit sha 9862cb8f8544a3069add9a3b90e87e695d14b313

support user remapping in ctr * --uidmap support for one remapping * --gidmap support for one remapping * create IoUid and IoGid options for getNewTaskOpts Signed-off-by: Jie Hao Liao <liaojh1998@gmail.com>

Joakim Roubert

commit sha e0011978fff03d6f7061ad709bbfffaf992a77ae

start.go: Improve help text Change-Id: I9adfc27868b246fb85823d18c65f95668e3fbc58 Signed-off-by: Joakim Roubert <joakimr@axis.com>

Akihiro Suda

commit sha 55698e69428896661f288f031d1492f8fb2c4c92

Merge pull request #3886 from joakimr-axis/joakimr-axis_helptext start.go: Improve help text

Joakim Roubert

commit sha 499fbb0337c9138b5360117e0b25a7a1428f9667

Improve install scripts * Only use bash where needed (scripts with pipes that use -o pipefail) * Make string comparisons POSIX compatible * Handle whitespace(s) in GOPATH * Remove superfluous quotes in variable assignments Change-Id: If1ea55f06f402ded646b5085d4837c0996f90fab Signed-off-by: Joakim Roubert <joakimr@axis.com>

Derek McGowan

commit sha 08517e586485ef3b977b641c7dcc3ea33f6a6148

Allow empty scope authorization Registries may allow using token authorization without explicitly setting the scope. This may cover use cases where no scope is required for an endpoint or the registry is only covering authentication using the token. This aligns with the oauth2 spec which specifies the scope as optional. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Michael Crosby

commit sha 1649e8e43b2bede35b8cc56d2bd41e59e1e97469

Merge pull request #3848 from liaojh1998/master support user remapping in ctr

Michael Crosby

commit sha 5d93ece75875c030b6b9dd76a7facfc9c3bf7a29

Merge pull request #3799 from AkihiroSuda/cgroup2 support cgroup2

Phil Estes

commit sha ff91f225fa0e3c795b7365af7cefad22ca845d4b

Merge pull request #3889 from dmcgowan/allow-empty-scope Allow empty scope authorization

Phil Estes

commit sha fa62b6d2380817f9baef36944289d826398a0999

Use logrus instead of printf for warning Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Alex Price

commit sha a022c218194c05449ad69b69c48fc6cac9d6f0b3

Improve host fallback behaviour in docker remote This commit improves the fallback behaviour when resolving and fetching images with multiple hosts. If an error is encountered when resolving and fetching images, and more than one host is being used, we will try the same operation on the next host. The error from the first host is preserved so that if all hosts fail, we can display the error from the first host. fixes #3850 Signed-off-by: Alex Price <aprice@atlassian.com>

Michael Crosby

commit sha 082f7e3aed57ae0a3cec3cd82e41d3bf4e553428

Merge pull request #3890 from estesp/printf-to-log Use logrus instead of printf for warning

Akihiro Suda

commit sha 43fca9eba242e3f019369bcc4a0b4243899e319a

metrics: rename pids_v2 to pids discussed in #3726 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Joakim Roubert

commit sha 9eef69e3ae145e0e442d9107cabcfa569029bbdd

Update after review comments Change-Id: Ic566e4857436409cdf1cdd7a635dfeee809b91a9 Signed-off-by: Joakim Roubert <joakimr@axis.com>

push time in 15 days

pull request comment containerd/containerd

Deal with 403 for POST in OAuth2 for private image pulls using Harbor

I would like to get some acknowledgement of the issue from the Harbor folks before adding this exception.

belegent

comment created time in 15 days

Pull request review comment containerd/containerd

Deal with 403 for POST in OAuth2 for private image pulls using Harbor

 func (ah *authHandler) fetchTokenWithOAuth(ctx context.Context, to tokenOptions) 	// Registries without support for POST may return 404 for POST /v2/token. 	// As of September 2017, GCR is known to return 404. 	// As of February 2018, JFrog Artifactory is known to return 401.-	if (resp.StatusCode == 405 && to.username != "") || resp.StatusCode == 404 || resp.StatusCode == 401 {+	// As of December 2019, for private image pulls, Harbor is known to return 403.
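
Review bot: 403 is also what a registry returns when it understood the POST and refused it, so treating it as "POST not supported" in the status-code condition would let a real denial trigger the fallback. If 403 is added there, scope it as narrowly as the 405 case is (`resp.StatusCode == 405 && to.username != ""`), and have the new comment say which Harbor versions were observed returning it, as the GCR and Artifactory lines above it give dates.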

You can remove the for private image pulls statement

belegent

comment created time in 15 days

push event containerd/containerd

Akihiro Suda

commit sha e739314ed421ecf10d52a47dcdf27859022fa124

mount: support FUSE helper When m.Type starts with either `fuse.` or `fuse3`, the mount helper binary `mount.fuse` or `mount.fuse3` is executed. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Derek McGowan

commit sha b9fad5e310fafb453def5f1e7094f4c36a9806d2

Merge pull request #3765 from AkihiroSuda/mount-fuse mount: support FUSE helper

push time in 15 days

PR merged containerd/containerd

mount: support FUSE helper

When m.Type starts with either `fuse.` or `fuse3`, the mount helper binary `mount.fuse` or `mount.fuse3` is executed.

This is expected to be used by fuse-overlayfs plugin: https://github.com/AkihiroSuda/containerd-fuse-overlayfs

Motivation

The purpose of the containerd fuse-overlayfs snapshotter plugin is to provide OverlayFS functionality for rootless mode without depending on the Ubuntu/Debian kernel patch. Although fuse-overlayfs provides shiftfs functionality and supports CRFS plugin, these functionalities are not planned to be supported by the containerd fuse-overlayfs snapshotter plugin. (EDIT: shiftfs functionality using fuse-overlayfs snapshotter is being covered in https://github.com/containerd/containerd/pull/3885)

+100 -2

24 comments

2 changed files

AkihiroSuda

pr closed time in 15 days

Pull request review comment containerd/containerd

Add Cleanup to snapshot API

 func (s *service) Usage(ctx context.Context, ur *snapshotsapi.UsageRequest) (*sn 	return fromUsage(usage), nil } +type cleaner interface {

I was following the principle of define where it is used, but with it in the API and used in multiple places, probably best to add it and document in snapshots/snapshotter.go

dmcgowan

comment created time in 15 days

Pull request review comment containerd/containerd

Add Cleanup to snapshot API

 func (s *service) Usage(ctx context.Context, ur *snapshotsapi.UsageRequest) (*sn 	return fromUsage(usage), nil } +type cleaner interface {+	Cleanup(ctx context.Context) error+}++func (s *service) Cleanup(ctx context.Context, cr *snapshotsapi.CleanupRequest) (*ptypes.Empty, error) {+	sn, err := s.getSnapshotter(cr.Snapshotter)+	if err != nil {+		return nil, err+	}++	c, ok := sn.(cleaner)+	if !ok {+		return nil, errdefs.ToGRPCf(errdefs.ErrNotImplemented, "snapshotter does not implement Cleanup method")+	}++	err = c.Cleanup(ctx)
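
Review bot: The not-implemented error returned from `Cleanup` does not say which snapshotter was asked; include `cr.Snapshotter` in the message so a caller using several snapshotters can tell which backend lacks the method. The `cleaner` interface also has no doc comment: state there that `Cleanup` is optional and what a snapshotter is expected to do in it.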

As a pass-through?

dmcgowan

comment created time in 15 days

Pull request review comment containerd/containerd

allow user namespace remapping using snapshotters

 func withRemappedSnapshotBase(id string, i Image, uid, gid uint32, readonly bool 		if err != nil { 			return err 		}+		if remapper == remapperSnapshotter {+			opts = append(opts,+				snapshots.WithLabels(map[string]string{+					"containerd.io/snapshot/uidmapping": fmt.Sprintf("%d:%d:%d", 0, uid, 65535),+					"containerd.io/snapshot/gidmapping": fmt.Sprintf("%d:%d:%d", 0, gid, 65535),+				}))+		} 		if _, err := snapshotter.Stat(ctx, usernsID); err == nil {-			if _, err := snapshotter.Prepare(ctx, id, usernsID); err == nil {+			if _, err := snapshotter.Prepare(ctx, id, usernsID, opts...); err == nil { 				c.SnapshotKey = id 				c.Image = i.Name() 				return nil 			} else if !errdefs.IsNotFound(err) { 				return err 			} 		}-		mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent)+		mounts, err := snapshotter.Prepare(ctx, usernsID+"-remap", parent, opts...)
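
Review bot: The range length 65535 and both label keys are hard-coded inline in the `snapshots.WithLabels` map, so the code that writes these labels and the snapshotter that reads them can drift apart. Define the keys and the range as named constants and document the `%d:%d:%d` value format next to them. The same `opts` is also passed to both `Prepare` calls, including the one for `usernsID+"-remap"`; confirm the mapping labels are wanted on that intermediate snapshot as well as on the final one.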

This doesn't seem necessary if the snapshotter is supporting the mapping. I think a better approach would be to leave the remapping functions alone and just provide a helper which can set the labels and just use WithNewSnapshot

liaojh1998

comment created time in 15 days

push event dmcgowan/containerd

Wei Fu

commit sha 074b453ac66797ab93d9570e826ef9c35b079b13

vendor: call vndr to remove useless pkgs and update vendor Signed-off-by: Wei Fu <fuweid89@gmail.com>

Sebastiaan van Stijn

commit sha 6356e55be002df80b98ba59ec98dfd0ece7ec80c

Update Golang 1.12.12 (CVE-2019-17596) Golang 1.12.12 ------------------------------- go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime, syscall and net packages. See the Go 1.12.12 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.12.12 Golang 1.12.11 (CVE-2019-17596) ------------------------------- go1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa package. See the Go 1.12.11 milestone on our issue tracker for details. https://github.com/golang/go/issues?q=milestone%3AGo1.12.11 [security] Go 1.13.2 and Go 1.12.11 are released Hi gophers, We have just released Go 1.13.2 and Go 1.12.11 to address a recently reported security issue. We recommend that all affected users update to one of these releases (if you're not sure which, choose Go 1.13.2). Invalid DSA public keys can cause a panic in dsa.Verify. In particular, using crypto/x509.Verify on a crafted X.509 certificate chain can lead to a panic, even if the certificates don't chain to a trusted root. The chain can be delivered via a crypto/tls connection to a client, or to a server that accepts and verifies client certificates. net/http clients can be made to crash by an HTTPS server, while net/http servers that accept client certificates will recover the panic and are unaffected. Moreover, an application might crash invoking crypto/x509.(*CertificateRequest).CheckSignature on an X.509 certificate request, parsing a golang.org/x/crypto/openpgp Entity, or during a golang.org/x/crypto/otr conversation. Finally, a golang.org/x/crypto/ssh client can panic due to a malformed host key, while a server could panic if either PublicKeyCallback accepts a malformed public key, or if IsUserAuthority accepts a certificate with a malformed public key. The issue is CVE-2019-17596 and Go issue golang.org/issue/34960. Thanks to Daniel Mandragona for discovering and reporting this issue. 
We'd also like to thank regilero for a previous disclosure of CVE-2019-16276. The Go 1.13.2 release also includes a fix to the compiler that prevents improper access to negative slice indexes in rare cases. Affected code, in which the compiler can prove that the index is zero or negative, would have resulted in a panic in Go 1.12, but could have led to arbitrary memory read and writes in Go 1.13 and Go 1.13.1. This is Go issue golang.org/issue/34802. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Maksym Pavlenko

commit sha 36c4260e6fa15cb20012cfe95f322ef85cf771ca

Merge pull request #3760 from thaJeztah/bump_golang_1.12.x Update Golang 1.12.12 (CVE-2019-17596)

Phil Estes

commit sha 3e3c5fe129e4d25e5ec215439bc7a0986e49f995

Merge pull request #3759 from fuweid/me-update-vendor vendor: call vndr to remove useless pkgs and update vendor

Sebastiaan van Stijn

commit sha 885232b72f0b7ead6ffec76fe0adfda384572b6f

bump google.golang.org/grpc v1.23.1 full diff: https://github.com/grpc/grpc-go/compare/v1.23.0...v1.23.1 - grpc/grpc-go#3018 server: set and advertise max frame size of 16KB - grpc/grpc-go#3017 grpclb: fix deadlock in grpclb connection cache - Before the fix, if the timer to remove a SubConn fires at the same time NewSubConn cancels the timer, it caused a mutex leak and deadlock. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Phil Estes

commit sha 3bf461ae8ebec194e333a54ec0dfc562b741112c

Move autocomplete files to contrib/ Since recent versions of `vndr` are going to remove the autocomplete scripts from the urfave vendored content, we will just move them into `contrib/` and reference them in the documentation from that location. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>

Akihiro Suda

commit sha 0d8fc0a487f82b922122ca0280fe1ba3d19b3803

Merge pull request #3767 from thaJeztah/bump_grpc bump google.golang.org/grpc v1.23.1

Phil Estes

commit sha 4523ab734aff7fd4abc0b676b767b1026b826278

Merge pull request #3766 from estesp/move-autocomplete Move autocomplete files to contrib/

Justin Terry (VM)

commit sha 178469e2ae5b7edd9e55601415fe9f494ab22b9a

Update Microsoft/hcsshim vendor Updates Microsoft/hcsshim vendor commit hash to a recent version that now: 1. Supports container stats via the Stats RuntimeV2 gRPC call. 2. Fixes a regression when issuing a resize of the pty after the container has exited which previously in Docker was expected to be a non-error case. 3. Puts in a workaround when using a non-default sandbox size for Windows containers due to a platform bug. This expansion now happens in the go library itself. Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>

Justin Terry (VM)

commit sha 37b56cafc63445721c4475eea4e0994de3ed5118

Add ctr metrics support for Windows/LCOW containers Signed-off-by: Justin Terry (VM) <juterry@microsoft.com>

Akihiro Suda

commit sha 966b1b8e30c9ccf7e0f3127da08d4db30133e3bc

Merge pull request #3775 from jterry75/vendor_hcsshim Update Microsoft/hcsshim vendor

Akihiro Suda

commit sha c224edc5c6350026a7d35a09dce638b0f09e6d44

apply: use naive applier when running in UserNS `OverlayConvertWhiteout` calls `mknod c 0 0` which is not allowed when running in a user namespace, even in Ubuntu kernel. Although there is an alternative hacky way to create whiteouts without calling mknod as Moby `overlay2` actually does(see #3762), let's use naive applier when running in UserNS and call it a day. Close #3762 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Lantao Liu

commit sha aaccfcbe2b8792e5fa3711811f3025562485e8bb

Fix `containerd config dump`. Signed-off-by: Lantao Liu <lantaol@google.com>

Akihiro Suda

commit sha f593efdf0c160037c9f831983f62537285739b03

RELEASES.md: 1.1 EOL v1.1 reached EOL on October 23, 2019 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Phil Estes

commit sha f05e19c5c6fa330753b84fe200f887cb3d62df41

Merge pull request #3777 from Random-Liu/fix-containerd-config Fix `containerd config dump`.

Phil Estes

commit sha c59561a08ec1936d4632a6b4868110681216d160

Merge pull request #3763 from AkihiroSuda/disable-mknod00-in-userns apply: use naive applier when running in UserNS

bpopovschi

commit sha e8c14c07c6d9c33df7484bdde4df166627b6b44a

Added filters to snapshots API Signed-off-by: bpopovschi <zyqsempai@mail.ru>

Derek McGowan

commit sha 66aa1d3ef6f69be075f6acf10123f7e8db9112c2

Add snapshot walk implementations Temporarily remove zfs and aufs until interface update Signed-off-by: Derek McGowan <derek@mcgstyle.net>

Akihiro Suda

commit sha 0c01992f9c8cc2794b3d2b4f2ed0b55a4b91ed9e

Merge pull request #3709 from Zyqsempai/3708-added-filters-to-shapsotters-api Added filters to snapshots API

Lantao Liu

commit sha 20e844a227950952e110cf751a8efeb7dfcbf167

Use logrus trace support. Signed-off-by: Lantao Liu <lantaol@google.com>

push time in 19 days

push event dmcgowan/containerd

Derek McGowan

commit sha 5b12b3a85fe4c74bc64e889479f038763f030943

Add Cleanup to snapshot API Cleanup is an optional method a snapshotter may implement. Cleanup can be used to cleanup resources after a snapshot has been removed. This function allows a snapshotter to defer longer resource cleanup until after snapshot removals are completed. Adding this to the API allows proxy snapshotters to leverage this enhancement. Signed-off-by: Derek McGowan <derek@mcgstyle.net>

push time in 19 days

PR opened containerd/containerd

Add Cleanup to snapshot API

Cleanup is an optional method a snapshotter may implement. Cleanup can be used to cleanup resources after a snapshot (or multiple snapshots) has been removed. Adding this to the API allows proxy snapshotters to leverage this enhancement.

+333 -65

0 comment

6 changed files

pr created time in 19 days

create branch dmcgowan/containerd

branch : snapshot-cleanup-api

created branch time in 19 days

pull request comment containerd/containerd

snapshots/devmapper: do not stop snapshot GC when one snapshot removing fails

Try to Remove as usual, but mark it as needToClean internally in snapshotter;

The Remove should be reliable and fast. Normally this would involve updating the database and marking any resources as unused. The Cleanup method itself runs after GC outside the snapshotter's gc lock, giving the snapshotter the chance to perform longer running removals without keeping the snapshotter database locked or holding the garbage collection lock. When the cleanup of a resource fails, the snapshotter should be able to attempt to cleanup that resource the next time Cleanup is called.

renzhengeek

comment created time in 20 days

pull request comment containerd/containerd

snapshots/devmapper: do not stop snapshot GC when one snapshot removing fails

It might be useful to implement the Cleanup method. When running behind the garbage collector, the Remove should be done as quickly as possible and defer resource cleanup. Resource cleanup errors are better returned on Cleanup. After Remove has been called, the key should be available again and the resources to be cleaned up should be tracked. For overlay we did this and just added an option so the driver could still be used standalone.

renzhengeek

comment created time in 20 days

push event containerd/containerd

Xiaodong Ye

commit sha c4ed3ff1edf383512789746419a28431bd4e256a

Replace ocispec.MediaTypeImageManifest with manifest.MediaType Signed-off-by: Xiaodong Ye <xiaodongy@vmware.com>

Xiaodong Ye

commit sha 05d192929b1e9d34d74386ecc6e6472b1f496a86

Update checkImages to accept images.MediaTypeDockerSchema2Manifest Signed-off-by: Xiaodong Ye <xiaodongy@vmware.com>

Xiaodong Ye

commit sha facedf8980daa7296c4b56782ee695f1dba96457

Remove an empty line Signed-off-by: Xiaodong Ye <xiaodongy@vmware.com>

Derek McGowan

commit sha f823c377086bccc8c35a0ddfe12a02a0c6c112af

Merge pull request #3904 from yeahdongcn/manifest Replace ocispec.MediaTypeImageManifest with manifest.MediaType

push time in 25 days

PR merged containerd/containerd

Replace ocispec.MediaTypeImageManifest with manifest.MediaType

Signed-off-by: Xiaodong Ye <xiaodongy@vmware.com>

Import a tar with manifest.json, ctr image ls returns incorrect TYPE.

REF                              TYPE                                       DIGEST                                                                  SIZE      PLATFORMS   LABELS 
docker.io/library/myimage:latest application/vnd.oci.image.manifest.v1+json sha256:663a45ec27ca42bd4ad37eab55a7ad96db3ee5d7ad5c6dc5bbec958b9e63ad53 745.9 KiB linux/amd64 -   
+3 -3

8 comments

2 changed files

yeahdongcn

pr closed time in 25 days

Pull request review comment moby/moby

distribution: http.Transport use keep alive

 func NewV2Repository( 		DualStack: true, 	} -	// TODO(dmcgowan): Call close idle connections when complete, use keep alive 	base := &http.Transport{ 		Proxy:               http.ProxyFromEnvironment, 		DialContext:         direct.DialContext, 		TLSHandshakeTimeout: 10 * time.Second, 		TLSClientConfig:     endpoint.TLSConfig,-		// TODO(dmcgowan): Call close idle connections when complete and use keep alive

What are these values set to though? Has this changed in Go since this was originally added, originally we had to add this because of memory leaks. In general, after a pull/push operations there should be no remaining connections open to the host, would that still be the case here?

yedamao

comment created time in a month

Pull request review comment opencontainers/distribution-spec

spec: clarify digest algorithm

 Some examples of _digests_ include the following:  | digest                                                                  | description                | |-------------------------------------------------------------------------|----------------------------|-| sha256:6c3c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b | Common sha256 based digest |+| `sha256:6c3c624b58dbbcd3c0dd82b4c53f04194d1247c6eebdaab7c610cf7d66709b3b` | Common sha256 based digest format | -While the _algorithm_ does allow one to implement a wide variety of algorithms, compliant implementations SHOULD use sha256.+Compliant implementations SHOULD use _algorithm_ of sha256 (until the ruled sufficiently broken).

reword or remove the parenthetical statement

vbatts

comment created time in a month

Pull request review comment opencontainers/distribution-spec

spec: session_id is clearer than UUID

 The following parameters SHOULD be specified on the request: | `Content-Range`  | header | Range of bytes identifying the desired block of content represented by the body.Start MUST the end offset retrieved via status check plus one.Note that this is a non-standard use of the `Content-Range` header. | | `Content-Length` | header | Length of the chunk being uploaded, corresponding the length of the request body.                                                                                                                                 | | `name`           | path   | Name of the target repository.                                                                                                                                                                                    |-| `uuid`           | path   | A uuid identifying the upload.This field can accept characters that match `[a-zA-Z0-9-_.=]+`.                                                                                                                     |+| `session_id`           | path   | A unique string identifying session of the partiuclar upload.This field can accept characters that match `[a-zA-Z0-9-_.=]+`.                                                                                                                     |

particular*

vbatts

comment created time in a month

Pull request review comment opencontainers/distribution-spec

spec: session_id is clearer than UUID

 The following parameters SHOULD be specified on the request: | `Host`          | header | Standard HTTP Host Header.SHOULD be set to the registry host.                                 | | `Authorization` | header | An RFC7235 compliant authorization header.                                                    | | `name`          | path   | Name of the target repository.                                                                |-| `uuid`          | path   | A uuid identifying the upload.This field can accept characters that match `[a-zA-Z0-9-_.=]+`. |+| `session_id`          | path   | A unique string identifying session of the partiuclar upload.This field can accept characters that match `[a-zA-Z0-9-_.=]+`. |

particular*

vbatts

comment created time in a month

Pull request review comment opencontainers/distribution-spec

Add registry mirroring section

 The following parameters SHOULD be specified on the request: | `name` | path  | Name of the target repository.                                                              | | `n`    | query | Limit the number of entries in each response. It not present, all entries will be returned. | | `last` | query | Result set will include values lexically after last.                                        |+| `ns`   | query | (OPTIONAL) Namespace of repository. SHOULD be set to mirrored host.                         |

Yes, the word "namespace" is quite unspecific and its usage here partially conflicts with other appearances of that word within the spec. Particularly, under "Starting an upload", the request POST /v2/<name>/blobs/uploads/ has a description reading:

The word "namespace" is intentionally unspecific since it is highly contextual. As pointed out elsewhere, we specify the <name> component in the URL path, the ns parameter is further information related to that <name>, hence the full name being <namespace>/<name>. We should clarify any part of the documentation that suggests that full names are <host>/<namespace>/<repository> as that is only referring to a single registry interpretation and this specification is intended to be less opinionated.

would it make sense to rename it e.g. upstream and explicitly define it as containing the domain name of the upstream registry

It would be better to clarify how it is applied rather than rename it. The namespace could be the upstream registry, and should be used by mirrors to resolve the host. However, just because this normally represents a domain, does not mean it represents the upstream host. For example, with docker.io the upstream host is resolved differently. The intent of this change is to provide the full name used by the client, not to tell the registry host how to use the name. Mirroring is just the use case here, the specification itself is more generic.

dmcgowan

comment created time in a month
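One way a mirror could apply the `ns` parameter discussed in this thread, written as an added example (it is not code from the distribution-spec or from any registry). The `upstreams` table, the function name and the sample values are assumptions; the table treats `ns` as a lookup key so that a namespace such as docker.io can resolve to a different upstream host, and unconfigured values are refused.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// upstreams maps a client-supplied namespace to the host the mirror contacts.
// Entries are assumptions for this example; docker.io shows a namespace that
// is not itself the upstream host.
var upstreams = map[string]string{
	"docker.io": "registry-1.docker.io",
	"quay.io":   "quay.io",
}

var ErrUnknownNamespace = errors.New("namespace not configured for mirroring")

// ResolveTagsList maps a mirror request GET /v2/<name>/tags/list?ns=<ns> to the
// full name the client used and the upstream URL to fetch. An empty upstream
// URL means ns was absent and the repository is served locally.
func ResolveTagsList(name string, q url.Values) (fullName, upstream string, err error) {
	ns := strings.ToLower(q.Get("ns"))
	if ns == "" {
		return name, "", nil
	}
	host, ok := upstreams[ns]
	if !ok {
		// ns is a lookup key, never a hostname to dial: unknown values are refused.
		return "", "", fmt.Errorf("%w: %q", ErrUnknownNamespace, ns)
	}
	fwd := url.Values{}
	for _, k := range []string{"n", "last"} { // pagination is forwarded, ns is not
		if v := q.Get(k); v != "" {
			fwd.Set(k, v)
		}
	}
	u := url.URL{Scheme: "https", Host: host, Path: "/v2/" + name + "/tags/list", RawQuery: fwd.Encode()}
	return ns + "/" + name, u.String(), nil
}

func main() {
	q := url.Values{"ns": {"docker.io"}, "n": {"50"}, "last": {"v1.2"}}
	fmt.Println(ResolveTagsList("library/alpine", q))
	fmt.Println(ResolveTagsList("library/alpine", url.Values{"ns": {"unknown.example"}}))
}
```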

Pull request review comment opencontainers/distribution-spec

Add registry mirroring section

 If the image had already been deleted or did not exist, a `404 Not Found` respon  > for more details, see: [compatibility.md](https://github.com/docker/distribution/blob/master/docs/spec/manifest-v2-2.md#backward-compatibility) +### Registry Mirroring++A registry MAY operate as a mirror for an upstream registry to support pull-through caching or proxying of pull operations (such as fetching tags, manifests, or blobs).
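Review bot: in the paragraph added under "### Registry Mirroring", "proxying of pull operations" does not say which kind of proxying is meant, so a reader cannot tell whether the mirror is expected to choose the upstream itself or be told it by the client. Name the model in that sentence, and say explicitly whether push operations are out of scope for a mirror, since the parenthetical only lists fetching tags, manifests, or blobs.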

The intent is to highlight it can be used for pull-through caching or forward proxying. I don't understand what you mean by docker/distribution behavior being a reverse-proxy strategy though, can you clarify so I can understand how to make this more clear. I ask because I never saw that implementation in docker/distribution as a reverse proxy, it was intended more as a forward proxy but without the capability specified here, that can't be easily done.

dmcgowan

comment created time in a month

issue comment opencontainers/distribution-spec

add "feature flags", and API to expose

I like the extension proposal idea, I think that is a good way to separate the core of the spec from additional features in the future. As I have stated before, I think the specification needs to stay focused on the distribution of images (push and pull) rather than on registry operation. Just as we wouldn't expect the git protocol to continuously be added to with Github API features, we wouldn't expect this protocol to expand for all the needs of operating a registry. However, there are many different registry operators and agreeing on common APIs is good, I am fine with defining those here.

As for the /v2/features endpoint itself. We have discussed adding an endpoint like this for a while but were never sure of what the scope of it might be. Simple is nice, but I might advocate for having a single endpoint which could fulfil requirements about getting the API version as well as more contextual metadata such as mirrors. So in that case, it might look like {"extensions":[]} rather than [].

Lastly, I think we need to consider that the extensions may need to define some configuration. Adding new endpoints via extensions may be easy, but that may end up putting a burden on the operators as well as the extension authors when it comes to defining the path. From an operational perspective, the service which implements the extension may be (and in some cases should be) different from the service handling the core specification API. For example today the authorization server and "distribution" server (such as a docker/distribution instance) would always run separately since they have different security profiles and scale requirements. An authorization server handles a smaller volume of requests and requires both a private key to sign tokens and user database access. While the "distribution" server only needs to be configured with storage backend access (which may be configured through something like IAM) and a public key for the authorization server. For a search extension, access to a completely different search backend would be necessary with a lower volume of requests. For pub sub, there was discussion about being able to send authorization keys, something a "distribution" server mentioned earlier should never have access to do. All that is to say that we should be flexible in how we let the registries configure their service extensions and not make an assumption they will be at the same URL prefix.

vbatts

comment created time in a month
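The key split described in the comment above, as an added example (not code from docker/distribution or from any authorization server): the authorization service signs with a private key, and the distribution service verifies with the public key only. The `Claims` layout, the two-part token encoding and all function names are assumptions made for this sketch, and Ed25519 is chosen here for brevity.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed token body for this example, not the registry's token format.
type Claims struct {
	Subject string `json:"sub"`
	Scope   string `json:"scope"`
	Expiry  int64  `json:"exp"`
}
var enc = base64.RawURLEncoding

// NewKeyPair is run once by the operator; only pub is copied to the distribution server.
func NewKeyPair() (pub ed25519.PublicKey, priv ed25519.PrivateKey) {
	pub, priv, _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
	return
}

// Issue runs on the authorization server, the only service holding the private key.
func Issue(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body))
}

// Verify runs on the distribution server, which is configured with the public key only.
func Verify(pub ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	head, tail, ok := strings.Cut(token, ".")
	body, err1 := enc.DecodeString(head)
	sig, err2 := enc.DecodeString(tail)
	if !ok || err1 != nil || err2 != nil || !ed25519.Verify(pub, body, sig) {
		return c, errors.New("malformed token or bad signature")
	}
	if err := json.Unmarshal(body, &c); err != nil || now.Unix() >= c.Expiry {
		return Claims{}, errors.New("invalid or expired claims")
	}
	return c, nil
}

func main() {
	pub, priv := NewKeyPair()
	c := Claims{"alice", "repository:library/alpine:pull", time.Now().Add(time.Minute).Unix()}
	fmt.Println(Verify(pub, Issue(priv, c), time.Now()))
}
```

A distribution server built this way can reject tokens but cannot mint them, so compromising it does not yield signing capability.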


issue closed docker/distribution

After updating everything got deleted

Docker version 19.03.5, build 633a0ea838. This is the build I have updated to, but everything from the last Docker got deleted, including images, volumes and containers.

Any way to restore ??

closed time in a month

xalekx

issue comment docker/distribution

After updating everything got deleted

This project is related to the open source registry, try maybe https://github.com/docker/for-linux

xalekx

comment created time in a month

issue closed docker/distribution

Memory leak? Nonpaged pool grows on docker ee on windows server 2019

I'm running a few .net core services on my small docker swarm. Some of those services crash because of a missing db. Swarm then tries to start them until the db is back online. I have noticed that the windows nonpaged pool memory grows every time while we are updating our development environment.

It seems that if I run the service as a container, with restart: always, it behaves in a similar way, growing the nonpaged pool.

image

Visible in the graph, a boot, and then the issue. As I removed service from swarm and turned it to container, issue only affects the red computer in the end. Green computer is the node and red manager and node.

used image for the service: mcr.microsoft.com/dotnet/core/aspnet:2.1

container listing looks like this:

CONTAINER ID   NAMES                                                              STATUS                               PORTS
7809f8673fec   PICR_service.41fxd8uz0dw8vw6013bri1vw8.iv5le28mtbay0pijjb0g4cazh   Created
2b61182ee001   PICR_service.41fxd8uz0dw8vw6013bri1vw8.0xv0p3uzo0w9n6d1lhsijx6q7   Exited (3762504530) 5 seconds ago
46583e1cc3ab   PICR_service.41fxd8uz0dw8vw6013bri1vw8.pmgr4a5vd2q2yxn402wwak6ft   Exited (3762504530) 22 seconds ago
42c4b87c7dc8   PICR_service.41fxd8uz0dw8vw6013bri1vw8.r99g30m5jtz3z2eor2tt6a2mg   Exited (3762504530) 37 seconds ago
73d8754f6d98   PICR_service.41fxd8uz0dw8vw6013bri1vw8.judriyy00udn88b7h8m4jlak8   Exited (3762504530) 51 seconds ago

compose:

version: '3.6'

services:
  xxx_service:
    image: xxx:6000/xxxservice:latest
    isolation: process
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
    deploy:
      mode: global

PS C:\Docker\CustomerImportService> docker version
Client: Docker Engine - Enterprise
 Version:           19.03.5
 API version:       1.40
 Go version:        go1.12.12
 Git commit:        2ee0c57608
 Built:             11/13/2019 08:00:16
 OS/Arch:           windows/amd64
 Experimental:      false

Server: Docker Engine - Enterprise
 Engine:
  Version:          19.03.5
  API version:      1.40 (minimum version 1.24)
  Go version:       go1.12.12
  Git commit:       2ee0c57608
  Built:            11/13/2019 07:58:51
  OS/Arch:          windows/amd64
  Experimental:     false

PS C:\Docker\CustomerImportService> docker info
Client:
 Debug Mode: false
 Plugins:
  cluster: Manage Docker clusters (Docker Inc., v1.2.0)

Server:
 Containers: 23
  Running: 16
  Paused: 0
  Stopped: 7
 Images: 53
 Server Version: 19.03.5
 Storage Driver: windowsfilter
  Windows:
 Logging Driver: json-file
 Plugins:
  Volume: local
  Network: ics internal l2bridge l2tunnel nat null overlay private transparent
  Log: awslogs etwlogs fluentd gcplogs gelf json-file local logentries splunk syslog
 Swarm: active
  NodeID: 41fxd8uz0dw8vw6013bri1vw8
  Is Manager: true
  ClusterID: j5fpxcb32aq3ywgxd6k2p85j6
  Managers: 1
  Nodes: 2
  Default Address Pool: 10.0.0.0/8
  SubnetSize: 24
  Data Path Port: 4789
  Orchestration:
   Task History Retention Limit: 5
  Raft:
   Snapshot Interval: 10000
   Number of Old Snapshots to Retain: 0
   Heartbeat Tick: 1
   Election Tick: 10
  Dispatcher:
   Heartbeat Period: 5 seconds
  CA Configuration:
   Expiry Duration: 3 months
   Force Rotate: 0
  Autolock Managers: false
  Root Rotation In Progress: false
  Node Address: 192.168.21.124
  Manager Addresses:
   192.168.21.124:2377
 Default Isolation: process
 Kernel Version: 10.0 17763 (17763.1.amd64fre.rs5_release.180914-1434)
 Operating System: Windows Server 2019 Datacenter Version 1809 (OS Build 17763.914)
 OSType: windows
 Architecture: x86_64
 CPUs: 4
 Total Memory: 8GiB
 Name: MDEVDOCKERW2
 ID: X3RG:T54V:DNA7:UUVE:7JJY:CC43:35F4:XL3K:2WBM:3JPU:GMLL:SB4X
 Docker Root Dir: C:\ProgramData\docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  xxx:6000
  xxx:5000
  127.0.0.0/8
 Live Restore Enabled: false

WARNING: API is accessible on http://0.0.0.0:2375 without encryption. Access to the remote API is equivalent to root access on the host. Refer to the 'Docker daemon attack surface' section in the documentation for more information: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface

closed time in a month

veepee78

issue comment docker/distribution

Memory leak? Nonpaged pool grows on docker ee on windows server 2019

This project is related to the open source registry. If you are having problems with Docker EE you should file a ticket with them.

veepee78

comment created time in a month

push event docker/distribution

Vishesh Jindal

commit sha c636ed788ae3d2cf2c355ba77bd5f7c18b3a70e7

Fix cloudfront documentation formatting Signed-off-by: Vishesh Jindal <vishesh92@gmail.com> (cherry picked from commit e1e72e9563743afc1649b23a2f651a7c3caaf369) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Adrian Plata

commit sha f999f540d32d55561ff3f5f88a991be15ece4bd3

Fixing broken table Signed-off-by: Adrian Plata <adrian.plata@docker.com> (cherry picked from commit b4694b0d2d3ce79e70143a50920a9e629e85c536) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>


Derek McGowan

commit sha cfd1309845b351acdb46dd299c4fd2901c11cb10

Merge pull request #3073 from thaJeztah/2.7_backport_table_fix [release/2.7 backport] fix markdown issues on configuration page


push time in a month

PR merged docker/distribution

[release/2.7 backport] fix markdown issues on configuration page documentation

Backports of:

  • commit e1e72e9563743afc1649b23a2f651a7c3caaf369 (documentation fixes taken from https://github.com/docker/distribution/pull/2837)
  • https://github.com/docker/distribution/pull/3053 Fixing broken table
    • fixes https://github.com/docker/docker.github.io/issues/9935 Docker Registry: CloudFront requirements table broken
    • fixes https://github.com/docker/docker.github.io/issues/9945 "Cloudfront" section is garbled
+14 -9

2 comments

1 changed file

thaJeztah

pr closed time in a month

PR closed docker/distribution

add alicdn support impact/changelog status/2-code-review

sample config:

version: 0.1
log:
  level: info
  formatter: text
  fields:
    service: registry
    environment: staging
storage:
  oss:
    accesskeyid: access-key-id
    accesskeysecret: access-key-secret
    region: region
    bucket: bucket
middleware:
  storage:
    - name: alicdn
      options:
        baseurl: http://my-cdn-domain
http:
  addr: 0.0.0.0:5000

Signed-off-by: Jizhong Jiang jizhong.jiangjz@alibaba-inc.com

+212 -0

6 comments

4 changed files

jzwlqx

pr closed time in a month

pull request comment docker/distribution

add alicdn support

another PR got support for this in

jzwlqx

comment created time in a month

pull request comment docker/distribution

Update OAuth spec to add support for authorization code

@TheJayMann the original proposal is kind of old. The part that was intended to be solved by the HEAD is the zero-knowledge problem we have from Docker clients today. There may be a better way to solve it now, but that was the original proposal. Normally oauth is performed by clients who are configured to know they are talking to an oauth server, as such they would know the various URLs and IDs needed to complete the process. The problem from Docker clients is the client may only start out knowing a host and not whether it is oauth2. This is a basic discovery problem and there have been various suggestions for getting that to work, there is probably a better solution than using HEAD here.

dmcgowan

comment created time in a month

push event docker/distribution

Derek McGowan

commit sha 5883e2d9358b4761ab733e96915271397e8781f6

Fix vndr and check Signed-off-by: Derek McGowan <derek@mcgstyle.net>


Derek McGowan

commit sha a85caead04527c43c3b69c83ea23fd8ec0e5f671

Merge pull request #3001 from dmcgowan/2.7-fix-vndr-checks [release/2.7] Fix vndr and check


push time in a month

PR merged docker/distribution

[release/2.7] Fix vndr and check

Signed-off-by: Derek McGowan derek@mcgstyle.net

+11 -1

3 comments

3 changed files

dmcgowan

pr closed time in a month

push event containerd/containerd

Alex Price

commit sha a022c218194c05449ad69b69c48fc6cac9d6f0b3

Improve host fallback behaviour in docker remote This commit improves the fallback behaviour when resolving and fetching images with multiple hosts. If an error is encountered when resolving and fetching images, and more than one host is being used, we will try the same operation on the next host. The error from the first host is preserved so that if all hosts fail, we can display the error from the first host. fixes #3850 Signed-off-by: Alex Price <aprice@atlassian.com>


Derek McGowan

commit sha 566121485bc9ef4c2b59ba7725f55491bc8795cd

Merge pull request #3868 from awprice/issue-3850 Improve host fallback behaviour in docker remote


push time in a month
