If you are wondering where the data of this site comes from, please visit https://api.github.com/users/thaJeztah/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
Sebastiaan van Stijn thaJeztah thaJeztah Netherlands @docker, @moby, @containerd, and runc maintainer, member of the Moby TSC. Staff Software Engineer @ Docker, Inc. Feeds @GordonTheTurtle with PRs

sirupsen/logrus 18728

Structured, pluggable logging for Go.

distribution/distribution 6316

The toolkit to pack, ship, store, and deliver container content

moby/buildkit 4234

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit

docker/for-mac 2029

Bug reports for Docker Desktop for Mac

docker/for-win 1458

Bug reports for Docker Desktop for Windows

docker/go-plugins-helpers 289

Go helper packages to extend the Docker Engine

docker/hub-feedback 201

Feedback and bug reports for the Docker Hub

issue comment containerd/containerd

Support parsing signals based on container's platform

runc is a reference implementation and there are other implementations which are written by other languages (crun in C, youki in Rust). They have to know moby/sys's signal parsing logic.

I think with the proposed change, they'd still be able to pass the signal as it is today (numeric value) and things continue to work.

runc and other implementations which runs on Linux don't have to deal with the cross-platform signal handling.

Afaics, runc is already dealing with conversion of signal names to numbers (it gets the signal passed as a string (command line arguments are always strings), and accepts both names and numbers). The only difference would be that using "moby/signal" extends the list of known signals to add the SIGRTMIN signals (alternatively, we should consider having those added to golang.org/x/sys).

katiewasnothere

comment created time in 2 days

Pull request review comment opencontainers/runc

support changing of lsm mount context on restore

 daemon. See [criu --lazy-pages option](https://criu.org/CLI/opt/--lazy-pages). : Specify an LSM profile to be used during restore. Here _type_ can either be **apparamor** or **selinux**, and _label_ is a valid LSM label. For example, **--lsm-profile "selinux:system_u:system_r:container_t:s0:c82,c137"**.+By default, the checkpointed LSM profile is used upon restore.++**--lsm-mount-context** _context_
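
Review bot: in the --lsm-profile context line directly above the added sentence, the LSM type is spelled **apparamor**; since this hunk edits the same paragraph, correct it to **apparmor** so the documented value is one a user can actually type. Everything else in that sentence can stay as it is.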

Since it looks like we've copied the CRIU argument names in the past we should probably just stick with it...

Fair point. Adding --lsm-mount-label to the list of possible names (naming is hard!)

adrianreber

comment created time in 2 days

push event opencontainers/runc

Akihiro Suda

commit sha cbb5ef5c6aa7b3ba7f872802c7edeb59f489f54e

improve error message when dbus-user-session is not installed

Before:
```console
$ docker --context=rootless run -it --rm alpine
docker: Error response from daemon: OCI runtime create failed: unable to start container process: unable to apply cgroup configuration: unable to start unit "docker-7ef2c29ccafc1ed9c7fd9859337e5b79870d8ccb282f560e43060a847a6c5310.scope" (properties [{Name:Description Value:"libcontainer container 7ef2c29ccafc1ed9c7fd9859337e5b79870d8ccb282f560e43060a847a6c5310"} {Name:Slice Value:"user.slice"} {Name:PIDs Value:@au [6286]} {Name:Delegate Value:true} {Name:MemoryAccounting Value:true} {Name:CPUAccounting Value:true} {Name:IOAccounting Value:true} {Name:TasksAccounting Value:true} {Name:DefaultDependencies Value:false}]): read unix @->/run/systemd/private: read: connection reset by peer: unknown.
```

After:
```console
$ docker --context=rootless run -it --rm alpine
docker: Error response from daemon: OCI runtime create failed: unable to start container process: unable to apply cgroup configuration: unable to start unit "docker-8527d83e046da46d1b56b1c6a89324e687da1c365e044b8dde52cfbf1c461c5a.scope" (properties [{Name:Description Value:"libcontainer container 8527d83e046da46d1b56b1c6a89324e687da1c365e044b8dde52cfbf1c461c5a"} {Name:Slice Value:"user.slice"} {Name:PIDs Value:@au [10012]} {Name:Delegate Value:true} {Name:MemoryAccounting Value:true} {Name:CPUAccounting Value:true} {Name:IOAccounting Value:true} {Name:TasksAccounting Value:true} {Name:DefaultDependencies Value:false}]): failed to connect to dbus (hint: for rootless containers, maybe you need to install dbus-user-session package, see https://github.com/opencontainers/runc/blob/master/docs/cgroup-v2.md): read unix @->/run/systemd/private: read: connection reset by peer: unknown.
```

For moby/moby issue 42793

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(cherry picked from commit 1f5798f784afc09c07c71e8a8e35b36a5e524837)
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Sebastiaan van Stijn

commit sha 23c6e4f54f10930c6ce8822b4790de2e5b30b60f

Merge pull request #3212 from AkihiroSuda/cherrypick-3186 [1.0] rootless+cgroup2+systemd: improve error message when dbus-user-session is not installed #3186

push time in 2 days

PR merged opencontainers/runc

[1.0] rootless+cgroup2+systemd: improve error message when dbus-user-session is not installed #3186 area/cgroupv2 area/rootless area/systemd backport/1.0-pr

Cherry-pick https://github.com/opencontainers/runc/pull/3186 (clean)

+5 -1

1 comment

1 changed file

AkihiroSuda

pr closed time in 2 days

Pull request review comment containerd/containerd

Split apart runc shim into plugin components

 package v2  import ( 	"context"-	"encoding/json"-	"io/ioutil" 	"os"-	"path/filepath" 	"sync"-	"syscall"-	"time"  	"github.com/containerd/cgroups" 	cgroupsv2 "github.com/containerd/cgroups/v2" 	eventstypes "github.com/containerd/containerd/api/events" 	"github.com/containerd/containerd/api/types/task" 	"github.com/containerd/containerd/errdefs"-	"github.com/containerd/containerd/mount" 	"github.com/containerd/containerd/namespaces" 	"github.com/containerd/containerd/pkg/oom" 	oomv1 "github.com/containerd/containerd/pkg/oom/v1" 	oomv2 "github.com/containerd/containerd/pkg/oom/v2" 	"github.com/containerd/containerd/pkg/process"+	"github.com/containerd/containerd/pkg/shutdown" 	"github.com/containerd/containerd/pkg/stdio" 	"github.com/containerd/containerd/pkg/userns"+	"github.com/containerd/containerd/plugin" 	"github.com/containerd/containerd/runtime/v2/runc" 	"github.com/containerd/containerd/runtime/v2/runc/options"+	runcservice "github.com/containerd/containerd/runtime/v2/runc/service" 	"github.com/containerd/containerd/runtime/v2/shim"+	shimapi "github.com/containerd/containerd/runtime/v2/task" 	taskAPI "github.com/containerd/containerd/runtime/v2/task" 	"github.com/containerd/containerd/sys/reaper" 	runcC "github.com/containerd/go-runc"+	"github.com/containerd/ttrpc" 	"github.com/containerd/typeurl"-	"github.com/gogo/protobuf/proto" 	ptypes "github.com/gogo/protobuf/types" 	"github.com/pkg/errors" 	"github.com/sirupsen/logrus"-	exec "golang.org/x/sys/execabs"-	"golang.org/x/sys/unix" )  var ( 	_     = (taskAPI.TaskService)(&service{}) 	empty = &ptypes.Empty{} ) -// group labels specifies how the shim groups services.-// currently supports a runc.v2 specific .group label and the-// standard k8s pod label.  
Order matters in this list-var groupLabels = []string{-	"io.containerd.runc.v2.group",-	"io.kubernetes.cri.sandbox-id",-}+// New returns a new shim service that can be used via GRPC+// TODO(2.0): Remove this function, rely on plugin registration+func New(_ context.Context, id string, _ shim.Publisher, _ func()) (shim.Shim, error) {
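
Review bot: the import block ends up with github.com/containerd/containerd/runtime/v2/task imported twice, once under the added shimapi alias and once under the existing taskAPI alias; pick one alias and use it throughout the file. On the new New function, the signature blanks every parameter except id, so its doc comment should state that the context, the shim.Publisher and the func() argument are ignored, otherwise existing callers have no way to tell that what they pass no longer has an effect.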

Just glancing over the changes, and I'm a bit confused; is this backward compatible (as in; all arguments are now ignored, whereas previously they did something).

If the change is non-backward compatible from that perspective (even without the signature changing), I'm wondering if instead we should explicitly break it, and remove the arguments?

It doesn't look to be widely used (https://grep.app/search?q=github.com/containerd/containerd/runtime/v2/runc/v2), so mostly commenting (wondering if we want to stick with SemVer for these), but I see at least firecracker is using this; (cc @kzys) https://github.com/firecracker-microvm/firecracker-containerd/blob/568c84051caf61c1fc77a0b62171c22c40219b6a/agent/service.go#L99

dmcgowan

comment created time in 2 days

pull request comment containerd/containerd

refactor: move from io/ioutil to io and os package

oh! I see you opened that PR as well 🤦 😂

Juneezee

comment created time in 2 days

pull request comment containerd/containerd

refactor: move from io/ioutil to io and os package

I think @cpuguy83 may be referring to a similar change we had in moby, what broke in moby was the use of io.FileInfoToDirEntry(), which is available only in Go 1.17 (haven't checked yet if this PR uses that); see https://github.com/moby/moby/pull/42797

Juneezee

comment created time in 2 days

pull request comment moby/moby

Add http(s) proxy properties to daemon configuration (carry 42647)

Added a warning if we're overriding the "system" value (environment variables);

HTTPS_PROXY="https://user:pass@example.com" \
https_proxy="https://user:pass@example.com" \
HTTP_PROXY="http://user:pass@example.com" \
http_proxy="http://user:pass@example.com" \
NO_PROXY="*" \
no_proxy="*" \
dockerd --https-proxy="https://user:secret@foo.example.com" --http-proxy="http://user:secret@foo.example.com" --no-proxy="hello"

WARN[2021-09-17T14:55:36.554465385Z] overriding existing proxy variable with value from configuration  name=HTTP_PROXY new-value="http://xxxxx:xxxxx@foo.example.com" old-value="http://xxxxx:xxxxx@example.com"
WARN[2021-09-17T14:55:36.554547154Z] overriding existing proxy variable with value from configuration  name=http_proxy new-value="http://xxxxx:xxxxx@foo.example.com" old-value="http://xxxxx:xxxxx@example.com"
WARN[2021-09-17T14:55:36.554572109Z] overriding existing proxy variable with value from configuration  name=HTTPS_PROXY new-value="https://xxxxx:xxxxx@foo.example.com" old-value="https://xxxxx:xxxxx@example.com"
WARN[2021-09-17T14:55:36.554617061Z] overriding existing proxy variable with value from configuration  name=https_proxy new-value="https://xxxxx:xxxxx@foo.example.com" old-value="https://xxxxx:xxxxx@example.com"
WARN[2021-09-17T14:55:36.554627868Z] overriding existing proxy variable with value from configuration  name=NO_PROXY new-value=hello old-value="*"
WARN[2021-09-17T14:55:36.554683409Z] overriding existing proxy variable with value from configuration  name=no_proxy new-value=hello old-value="*"

@tianon PTAL

thaJeztah

comment created time in 2 days
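
The masking visible in the warnings above (`user:pass` logged as `xxxxx:xxxxx`), as an added Go example that is not moby's code. `maskCredentials` and `overrideProxyEnv` are hypothetical names; the fallback for scheme-less values such as `user:pass@host:port` is an assumption of this example and goes beyond what the comment shows.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

const mask = "xxxxx"

// maskCredentials replaces the userinfo part of a proxy value before it is
// written to a log. It prefers over-redaction to leaking a password.
func maskCredentials(raw string) string {
	u, err := url.Parse(raw)
	if err == nil && u.User != nil {
		u.User = url.UserPassword(mask, mask)
		return u.String()
	}
	// A scheme-less "user:pass@host:port" parses as an opaque URL with
	// u.User == nil ("user" is taken for the scheme), and a malformed URL
	// fails to parse. In both cases redact everything before the last '@'.
	if i := strings.LastIndex(raw, "@"); i >= 0 {
		return mask + ":" + mask + raw[i:]
	}
	// Values without userinfo, e.g. NO_PROXY="*", are logged unchanged.
	return raw
}

// overrideProxyEnv sets one proxy variable from configuration. It returns a
// warning text (credentials masked) when an existing value is replaced, and
// the os.Setenv error instead of discarding it.
func overrideProxyEnv(name, value string) (warning string, err error) {
	if value == "" {
		return "", nil
	}
	if old, ok := os.LookupEnv(name); ok && old != value {
		warning = fmt.Sprintf(
			"overriding existing proxy variable with value from configuration name=%s new-value=%q old-value=%q",
			name, maskCredentials(value), maskCredentials(old))
	}
	return warning, os.Setenv(name, value)
}

func main() {
	// Constructed environment, mirroring the command line quoted above.
	os.Setenv("HTTPS_PROXY", "https://user:pass@example.com")
	os.Setenv("HTTP_PROXY", "http://user:pass@example.com")
	os.Setenv("NO_PROXY", "*")

	for _, kv := range [][2]string{
		{"HTTPS_PROXY", "https://user:secret@foo.example.com"},
		{"HTTP_PROXY", "user:secret@foo.example.com:3128"}, // scheme-less value
		{"NO_PROXY", "hello"},
	} {
		warn, err := overrideProxyEnv(kv[0], kv[1])
		if err != nil {
			// Log the variable name only; the value may hold a password.
			fmt.Printf("ERRO cannot set %s: %v\n", kv[0], err)
			continue
		}
		if warn != "" {
			fmt.Println("WARN " + warn)
		}
	}
}
```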

Pull request review comment moby/moby

compression: support zstd with skippable frame

 func IsArchivePath(path string) bool { 	return err == nil } +const (+	ZstdMagicSkippableStart = 0x184D2A50+	ZstdMagicSkippableMask  = 0xFFFFFFF0+)++var (+	Bzip2Magic = []byte{0x42, 0x5A, 0x68}+	GzipMagic  = []byte{0x1F, 0x8B, 0x08}+	XzMagic    = []byte{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}+	ZstdMagic  = []byte{0x28, 0xb5, 0x2f, 0xfd}+)++type matcher = func([]byte) bool++func magicNumberMatcher(m []byte) matcher {+	return func(source []byte) bool {+		return bytes.HasPrefix(source, m)+	}+}++// ZstDetector detects zstd compression algorithm.+// Zstandard compressed data is made of one or more frames.+// There are two frame formats defined by Zstandard: Zstandard frames and Skippable frames.+// See https://tools.ietf.org/id/draft-kucherawy-dispatch-zstd-00.html#rfc.section.2 for more details.+func ZstDetector(buf []byte) bool {
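
Review bot: Bzip2Magic, GzipMagic, XzMagic and ZstdMagic are exported package-level []byte variables, so any importer can overwrite their elements and silently change what every matcher built by magicNumberMatcher accepts. Unless other packages need them, keep these (and the two ZstdMagicSkippable constants) unexported, or expose them through functions that return copies.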

Yeah, my train of thought here is that;

  • I know at least multiple runtimes / container-related projects that will likely (?) have to implement this detection (buildkit, containerd, moby, cri-o?)
  • Afaik, most (if not all) of those currently use the klauspost module
  • The klauspost module also has definitions for these magic numbers, and (from a quick look) looks to have an implementation to detect;

https://github.com/klauspost/compress/blob/f118b5f6f7e720b1f1c1464bb11904261c06f2f3/zstd/framedec.go#L57-L60 https://github.com/klauspost/compress/blob/baa1f1e42d738c71ea4a18b673ebacee0ce520b8/zstd/decodeheader.go#L79

So perhaps it could be within scope of that project to have each compression export a "detection" function (and possibly a utility package that allows to detect compression for all, but that could be left to consumers)

Of course, an alternative could be to have a small module somewhere that can be used by the other projects mentioned, but having it in the klauspost project would help making sure the detection doesn't diverge.

@klauspost @giuseppe @tonistiigi any thoughts? (it's just an idea; not a show-stopper)

dkkb

comment created time in 2 days
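
Added example (not code from the pull request or from klauspost/compress): a detector built on the magic values quoted in the hunk that walks past leading skippable frames before deciding, with bounds checks for truncated or hostile headers. `classifyZstd`, the `verdict` type and the frame limit are assumptions of this example; it goes beyond a prefix check because LZ4 frames use the same skippable magic range, so a skippable frame alone does not prove the stream is zstd.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Magic values as listed in the hunk under review.
const (
	zstdMagicSkippableStart = 0x184D2A50
	zstdMagicSkippableMask  = 0xFFFFFFF0
	// maxSkippableFrames bounds the walk over untrusted input
	// (limit chosen for this example).
	maxSkippableFrames = 16
)

var zstdMagic = []byte{0x28, 0xb5, 0x2f, 0xfd}

type verdict int

const (
	notZstd       verdict = iota // next frame is neither zstd nor skippable
	isZstd                       // a Zstandard frame magic was found
	skippableOnly                // only skippable frames fit in buf: undecided
)

func (v verdict) String() string {
	return [...]string{"not zstd", "zstd", "skippable frames only"}[v]
}

// classifyZstd skips leading skippable frames (4-byte little-endian magic
// 0x184D2A50..0x184D2A5F, 4-byte little-endian size, payload) and reports
// whether a Zstandard frame follows them.
func classifyZstd(buf []byte) verdict {
	off := uint64(0)
	for i := 0; i < maxSkippableFrames; i++ {
		rest := buf[off:]
		if bytes.HasPrefix(rest, zstdMagic) {
			return isZstd
		}
		if len(rest) < 4 {
			break // not enough bytes left to read a magic number
		}
		if binary.LittleEndian.Uint32(rest)&zstdMagicSkippableMask != zstdMagicSkippableStart {
			return notZstd
		}
		if len(rest) < 8 {
			return skippableOnly // size field truncated
		}
		// Computed in 64 bits so a declared size of 0xFFFFFFFF cannot wrap.
		next := off + 8 + uint64(binary.LittleEndian.Uint32(rest[4:]))
		if next > uint64(len(buf)) {
			return skippableOnly // payload runs past the bytes we were given
		}
		off = next
	}
	if off > 0 {
		return skippableOnly
	}
	return notZstd
}

// skippableFrame builds a skippable frame for the constructed samples below.
func skippableFrame(variant uint32, payload []byte) []byte {
	hdr := make([]byte, 8)
	binary.LittleEndian.PutUint32(hdr, zstdMagicSkippableStart|(variant&0xF))
	binary.LittleEndian.PutUint32(hdr[4:], uint32(len(payload)))
	return append(hdr, payload...)
}

func main() {
	lz4Magic := []byte{0x04, 0x22, 0x4D, 0x18}
	samples := []struct {
		name string
		data []byte
	}{
		{"plain zstd", append([]byte{}, zstdMagic...)},
		{"skippable + zstd", append(skippableFrame(0xA, []byte("idx")), zstdMagic...)},
		{"skippable + lz4", append(skippableFrame(0, []byte("meta")), lz4Magic...)},
		{"oversized skippable", []byte{0x50, 0x2A, 0x4D, 0x18, 0xFF, 0xFF, 0xFF, 0xFF}},
		{"gzip", []byte{0x1F, 0x8B, 0x08, 0x00}},
	}
	for _, s := range samples {
		fmt.Printf("%-20s -> %s\n", s.name, classifyZstd(s.data))
	}
}
```

A caller that only peeks at the first few bytes of a layer will often get `skippableOnly`; treating that as "try zstd, fall back on decode error" keeps the decision with the decoder rather than the header sniff.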

issue comment docker/docker.github.io

404 at /desktop/mac/previous-versions/undefined

Thanks for reporting; we received a couple of reports for this URL, but so far I haven't been able to find the broken link itself; do you know what link you clicked on that page?

baz974

comment created time in 2 days

push event thaJeztah/docker

Sebastiaan van Stijn

commit sha f586a473cf8dc9ac1edf893f70ccf37c2e217035

pkg/namesgenerator: replace uses of fmt.Sprintf()

Looks like we don't need sprintf for how it's used. Replacing sprintf makes it more performant (~2.4x as fast), and less memory, allocations:

    BenchmarkGetRandomName-8       8203230    142.4 ns/op    37 B/op    2 allocs/op
    BenchmarkGetRandomNameOld-8    3499509    342.9 ns/op    85 B/op    5 allocs/op

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Sebastiaan van Stijn

commit sha 0050ddd43b7fab951a378bf1bb4ef31c9c411c4c

Update Go to 1.17.1

This includes additional fixes for CVE-2021-39293.

go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip package, as well as bug fixes to the compiler, linker, the go command, and to the crypto/rand, embed, go/types, html/template, and net/http packages. See the Go 1.17.1 milestone on the issue tracker for details: https://github.com/golang/go/issues?q=milestone%3AGo1.17.1+label%3ACherryPickApproved

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>

Giuseppe Scrivano

commit sha e187eb2bb5f0c3f899fe643e95d1af8c57e89a73

compression: add support for the zstd algorithm

zstd is a compression algorithm that has a very fast decoder, while providing also good compression ratios. The fast decoder makes it suitable for container images, as decompressing the tarballs is a very expensive operation.

https://github.com/opencontainers/image-spec/pull/788 added support for zstd to the OCI image specs.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

Sebastiaan van Stijn

commit sha 0d654d103cfcd3e5be87dfc8451c3cd8a455f3cb

Merge pull request #42855 from thaJeztah/bump_go_1.17.1 Update Go to 1.17.1

Sebastiaan van Stijn

commit sha e952346c9976d365b74588daf2cb886fdbd1b8ce

Merge pull request #42851 from thaJeztah/namesgenerator_nosprintf pkg/namesgenerator: replace uses of fmt.Sprintf()

Akihiro Suda

commit sha 6014c1e29dc34dffa77fb5749cc3281c1b4854ac

Merge pull request #41759 from giuseppe/zstd-compression compression: add support for the zstd algorithm

push time in 2 days

Pull request review comment moby/moby

Add http(s) proxy properties to daemon configuration (carry 42647)

 func configureDaemonLogs(conf *config.Config) error { 	}) 	return nil }++func configureProxyEnv(conf *config.Config) {+	if p := conf.HTTPProxy; p != "" {+		_ = os.Setenv("HTTP_PROXY", p)+		_ = os.Setenv("http_proxy", p)+	}+	if p := conf.HTTPSProxy; p != "" {+		_ = os.Setenv("HTTPS_PROXY", p)+		_ = os.Setenv("https_proxy", p)+	}+	if p := conf.NoProxy; p != "" {+		_ = os.Setenv("NO_PROXY", p)+		_ = os.Setenv("no_proxy", p)+	}
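
Review bot: all six os.Setenv calls in configureProxyEnv discard their error with `_ =`, so a value that cannot be set (os.Setenv rejects a value containing a NUL byte, for example) leaves the daemon running with the previous proxy setting and nothing in the log. Return the error from configureProxyEnv, or at least log it with the variable name and without the value, since these proxy URLs can carry credentials.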

^^ discussing the above in the maintainers meeting, and we'll keep the current implementation (allow both --flag and daemon.json to override the "system" configuration), but if we find that a proxy env-var is present, we'll print a warning in the daemon logs.

thaJeztah

comment created time in 2 days

pull request comment moby/moby

compression: support zstd with skippable frame

Left a quick thought above.

Also, would it be possible to amend the commit message to use your (quite informative) PR description in the commit message itself?

dkkb

comment created time in 2 days

Pull request review comment moby/moby

compression: support zstd with skippable frame

 func IsArchivePath(path string) bool { 	return err == nil } +const (+	ZstdMagicSkippableStart = 0x184D2A50+	ZstdMagicSkippableMask  = 0xFFFFFFF0+)++var (+	Bzip2Magic = []byte{0x42, 0x5A, 0x68}+	GzipMagic  = []byte{0x1F, 0x8B, 0x08}+	XzMagic    = []byte{0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00}+	ZstdMagic  = []byte{0x28, 0xb5, 0x2f, 0xfd}+)++type matcher = func([]byte) bool++func magicNumberMatcher(m []byte) matcher {+	return func(source []byte) bool {+		return bytes.HasPrefix(source, m)+	}+}++// ZstDetector detects zstd compression algorithm.+// Zstandard compressed data is made of one or more frames.+// There are two frame formats defined by Zstandard: Zstandard frames and Skippable frames.+// See https://tools.ietf.org/id/draft-kucherawy-dispatch-zstd-00.html#rfc.section.2 for more details.+func ZstDetector(buf []byte) bool {
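
Review bot: the doc comment on ZstDetector links an Internet-Draft (draft-kucherawy-dispatch-zstd-00) for the frame formats; cite the published RFC 8878 instead, since a draft URL is not a stable reference for a format definition. The function name also drops the "d" that ZstdMagic and ZstdMagicSkippableStart keep, so ZstdDetector would be consistent with the rest of the hunk.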

Wondering if this is something to contribute to github.com/klauspost/compress/zstd (so that other consumers of that package can also implement the same detection)

dkkb

comment created time in 2 days

issue comment moby/moby

BUG: Requested host port bindings are nondeterministically missing after creating a container in the Go SDK

. I therefore need to inspect the container after it's created to figure out what host ports the container got. Approximately 10% of the time, I'll inspect the container after creation

Do you have a minimal code example?

If I'm not mistaken, networking will be attached on container start (not create), and I think it should be synchronous (so after container start, the ephemeral ports should be assigned); https://github.com/moby/moby/blob/9674540ccff358c3cd84cc2f33c3503e0dab7fb7/daemon/start.go#L149-L151

I see you are running on Docker Desktop; I know there's some rewriting happening on container inspect responses when using Docker Desktop (to make the inspect response match the networking setup needed for Docker Desktop);

Would it be possible for you to test your code in a container, and in that container, bind-mount /var/run/docker.sock.raw as the socket to connect with the docker daemon? /var/run/docker.sock.raw allows connecting to the docker engine running in Docker Desktop but without the Docker Desktop proxy (which does the rewriting) in between, so something like;

# mount `/var/run/docker.sock.raw` as `/var/run/docker.sock` inside the container;
docker run -it --rm -v /var/run/docker.sock.raw:/var/run/docker.sock <your container image>

mieubrisse

comment created time in 2 days

Pull request review comment docker/compose

waitForContainer to ensure stopped before remove

 func (s *composeService) runInteractive(ctx context.Context, containerID string, 	} } -func (s *composeService) terminateRun(ctx context.Context, containerID string, opts api.RunOptions, err error) (int, error) {-	if err != nil {-		return 0, err-	}-	inspect, err := s.apiClient.ContainerInspect(ctx, containerID)-	if err != nil {-		return 0, err-	}-	exitCode := 0-	if inspect.State != nil {-		exitCode = inspect.State.ExitCode+func (s *composeService) terminateRun(ctx context.Context, containerID string, opts api.RunOptions) (exitCode int, err error) {+	exitCh, errCh := s.apiClient.ContainerWait(ctx, containerID, container.WaitConditionNotRunning)+	select {+	case exit := <-exitCh:+		exitCode = int(exit.StatusCode)+	case err = <-errCh:+		return 	} 	if opts.AutoRemove { 		err = s.apiClient.ContainerRemove(ctx, containerID, moby.ContainerRemoveOptions{}) 	}
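
Review bot: in the exitCh case of the new terminateRun only exit.StatusCode is read; the wait response also has an Error field that the daemon fills in when the wait itself failed, and ignoring it reports such a failure as an ordinary exit code. Check exit.Error before using the status code and return it as err. The bare return in the errCh case also depends on the named results; an explicit return 0, err is easier to read.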

Note that the AutoRemove option in API v1.30 and up (Docker 17.06 and up) is handled by the daemon (it will remove the container when it exits) (assuming the AutoRemove option is passed to the daemon when compose creates the container)

While it's of course possible for the client to also (manually) remove the container, there may be a race condition in that case (container no longer exists because it's already removed, or an error that the container is "already in the process of being removed").

See https://github.com/docker/cli/blob/135ffd205791001337d283310b286261242444e4/cli/command/container/run.go#L165-L183

And https://github.com/docker/cli/blob/135ffd205791001337d283310b286261242444e4/cli/command/container/utils.go#L16

ndeloof

comment created time in 2 days

push event thaJeztah/buildkit

Aaron Lehmann

commit sha 56c0981f1ecabc129e78a970a06e487b3a9b7a28

Follow links in includedPaths to resolve incorrect caching when source path is behind symlink

As discussed in #2300, includedPaths does not resolve symlinks when looking up the source path in the prefix tree. If the user requests a path that involves symlinks (for example, /a/foo when a symlink /a -> /b exists), includedPaths will not find it, and will expect nothing to be copied. This does not match the actual copy behavior implemented in fsutil, which will follow symlinks in prefix components of a given path, so it can end up caching an empty result even though the copy will produce a non-empty result, which is quite bad.

To fix this, use getFollowLinks to resolve the path before walking it. In the wildcard case, this is done to the non-wildcard prefix of the path (if any), which matches the behavior in fsutil.

Fixes the repro case here: https://gist.github.com/aaronlehmann/64054c9a2cff0d27e200cc107bba3d69

Fixes #2300

Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

Tonis Tiigi

commit sha 8b5c4d74ef40a47f8fb3a341c9048df6fa26f6b9

exporter: support creating blobs with zstd compression Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Tonis Tiigi

commit sha a5e0b865f803e3226f985103f8b8f74b38e54ab2

update getremote test for zstd

Estargz support has been removed from this test as implementation does not guarantee digest stability and only reason it passed were the exceptions in the test via variant map that ignored cases where timing resulted the digest to go wrong. This needs to be addressed in the follow up if we want to keep estargz support.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Akihiro Suda

commit sha ea773f6a9baf032890d2a803f7e2cdbfbb689b1d

Merge pull request #2344 from tonistiigi/zstd exporter: support creating blobs with zstd compression

Aaron Lehmann

commit sha ddd18de18ea4cb6fb340db334bda83aabffa02e2

Add test case for symlink which is not final path component before wildcard Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

Tonis Tiigi

commit sha 9c672574e55a51aed0793bf51f65de767de4e250

hack: allow mounting in workdir in shell Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Aaron Lehmann

commit sha 98f54ff22c03d5f861f81125e2e48b1eb39ddbc1

Handle the case of multiple path component symlinks (including last component) in wildcard prefix Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

Akihiro Suda

commit sha 91d2f2dc170a1dbcd1b5cc085e440353b138959e

Merge pull request #2349 from tonistiigi/shell-workdir hack: allow mounting in workdir in shell

Aaron Lehmann

commit sha e9e6cec838963ba2a47f4fd9ea27d0be976801e2

Use getFollowLinksWalked Signed-off-by: Aaron Lehmann <alehmann@netflix.com>

Tõnis Tiigi

commit sha f5eb400a857e5e5a74323bfdeae70875fe2755c6

Merge pull request #2318 from aaronlehmann/follow-links-includedpaths Follow links in includedPaths to resolve incorrect caching when source path is behind symlink

Morlay

commit sha 0f52917bf3bff26834f1f101847bd29acbc8c717

bklog: only log tracing ids when span exporter not nil Signed-off-by: Morlay <morlay.null@gmail.com>

Tõnis Tiigi

commit sha e07f3883e343ab311ca96be8ca9be3619ed27db7

Merge pull request #2351 from morlay/log-fix bklog: only log tracing ids when span exporter not nil

CrazyMax

commit sha 8bb242e7aca0b3b2414a1b11e9ff0e5a1f23a37e

Refactor url redacting util Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

Tõnis Tiigi

commit sha 252d7cac94cf5c69c4b7d23142a4650927846b89

Merge pull request #2363 from crazy-max/urlutil Refactor url redacting util

Tonis Tiigi

commit sha 35fcb28a009d6454b2915a5c8084b25ad851cf38

Clean up old TODOs Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Akihiro Suda

commit sha 8f2e691b19969f3bc2737d98054d26f8e7c37619

Merge pull request #2364 from tonistiigi/todo-clean Clean up old TODOs

push time in 2 days

pull request comment containerd/go-runc

Update runc kill wrapper to take a string for signal

Checking the signal conversion would require that the tests actually run runc which appears to not be done today.

Sorry, I should probably have been more clear; full integration tests would be good, but I think that should be mostly covered in the containerd repository, and (as you mentioned) not in place here (yet).

I was thinking of a test to verify that the right order of preference is taken, which can end with checking that the expected value is passed as the command-line arguments for "runc".

This should probably be written as a test-table, but something like below (stubbing out runc for /bin/true, which looks to be used for some other tests), as we're only interested in this code passing the command-line arguments that we hand it; I'm not sure if the code needs handling of the 0 case (no signal given at all)? If we consider that a responsibility for the caller, that of course can be skipped;

	ctx := context.Background()
	okRunc := &Runc{
		Command: "/bin/true",
	}

	// Should produce an error?? (no signal given?)
	_ = okRunc.Kill(ctx, "fake-id", 0, &KillOpts{})

	// Should exec `/bin/true kill fake-id 123`
	_ = okRunc.Kill(ctx, "fake-id", 123, &KillOpts{})

	// Should also exec `/bin/true kill fake-id 123`
	_ = okRunc.Kill(ctx, "fake-id", 123, &KillOpts{RawSignal: ""})

	// Should also exec `/bin/true kill fake-id 123` ???
	_ = okRunc.Kill(ctx, "fake-id", 123, &KillOpts{RawSignal: "0"})


	// Should exec `/bin/true kill fake-id 456`
	_ = okRunc.Kill(ctx, "fake-id", 0, &KillOpts{RawSignal: "456"})

	// Should also exec `/bin/true kill fake-id 456`
	_ = okRunc.Kill(ctx, "fake-id", 123, &KillOpts{RawSignal: "456"})

	// Should exec `/bin/true kill fake-id SIGFOOBAR`
	_ = okRunc.Kill(ctx, "fake-id", 123, &KillOpts{RawSignal: "SIGFOOBAR"})

	// Should exec `/bin/true kill fake-id SIGFOOBAR`
	_ = okRunc.Kill(ctx, "fake-id", 123, &KillOpts{RawSignal: "SIGFOOBAR"})

katiewasnothere

comment created time in 3 days

issue comment docker/for-linux

high system cpu usage when streaming container stats

I've encountered an issue may be relevant.

@Windrow14 I think your issue is different; the original issue reported is about CPU consumption to collect stats, not CPU consumption for processes running inside a container. If you suspect there's a bug, it's better to open a new ticket with details (at least docker version, docker info, and exact steps to reproduce). In general, processes "inside" a container should perform the same as "outside" (container processes are just sandboxed processes; all of those are constructs provided by the kernel), but (e.g.) if the process does a lot of disk operations (especially write) to the container's CoW filesystem, this can affect performance. That really depends on the process / use-case, and setup though, and may be out of scope for this issue tracker.

drscre

comment created time in 3 days

issue comment docker/cli

Windows binary cannot be built

It seems to be a different issue here, I had a different error message.

🤦 I didn't read carefully, and shouldn't do these things from my phone. I now see it's because of the "version" bit (building from a state with uncommitted changes).

I guess the script was anticipating to be used for releases (and at least, from a "clean" state)

ionash

comment created time in 3 days

PR closed moby/moby

Added pride month to namegenerator 🏳️‍🌈 status/2-code-review kind/enhancement

- What I did Added a few LGBTQI+ orientations to pkg/namegenerator https://github.com/SharkyRawr/moby/commit/0fad8b215cf3add6bba7d615a3b472ad46f04232

- How I did it Wrote a bit of code that shouldn't be problematic.

- How to verify it For testing, change the following line in file https://github.com/SharkyRawr/moby/blob/pridemonth/pkg/namesgenerator/names-generator.go:

if time.Now().Month() == 6 {
		// It's pride month! 🏳️‍🌈

to your current month and then go run pkg/namesgenerator/cmd/names-generator/main.go

- Description for the changelog Added easter egg to the namegenerator which creates container names with LGBTQI+ terms every year on June for Pride Month.

- A picture of a cute animal (not mandatory but encouraged)

IMG_2642 (sharks are cute! 🦈))

+34 -3

2 comments

1 changed file

SharkyRawr

pr closed time in 3 days

pull request comment moby/moby

Added pride month to namegenerator 🏳️‍🌈

We discussed this pull request in the maintainers meeting, and decided not to merge this change for reasons above, but thanks again for contributing, it's appreciated!

SharkyRawr

comment created time in 3 days

issue closed moby/moby

net.ipv4.tcp_challenge_ack_limit parameter is not added in container network namespace /proc/sys/net/ipv4

Hi,

I am trying to set net.ipv4.tcp_challenge_ack_limit inside docker container using sysctl command but I'm getting the error as file not found. "write sysctl key net.ipv4.tcp_challenge_ack_limit: open /proc/sys/net/ipv4/tcp_challenge_ack_limit: no such file or directory"

I am able to set this parameter on host but not inside container. I have some questions:

  1. Am I not able to set this parameter due to any security concern in docker container?
  2. Is it cause due to any limitation in the kernel version that I am using?
  3. can setting of this parameter on host will be inherited to all containers?
  4. Is it like it is system wide parameter and can not be set at container level?
  5. is it due to any limitation in docker?

kernel version: uname -a Linux controller 4.14.240-pc64 #1 SMP Mon Aug 23 09:53:06 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

docker version: Docker version 20.10.4, build 20.10.4

adding parameter using sysctl: sysctl net.ipv4.tcp_challenge_ack_limit=100

result of above command on host:

sysctl net.ipv4.tcp_challenge_ack_limit=1000

net.ipv4.tcp_challenge_ack_limit = 1000

sysctl net.ipv4.tcp_challenge_ack_limit

net.ipv4.tcp_challenge_ack_limit = 1000

result of above command inside container:

sysctl net.ipv4.tcp_challenge_ack_limit=1000

/proc/sys/net/ipv4/tcp_challenge_ack_limit: no such file or directory

closed time in 3 days

zain4681