fix(deps): update module github.com/docker/docker to v20.10.24+incompatible [security] #456
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Codecov Report
@@ Coverage Diff @@
## main #456 +/- ##
=======================================
Coverage ? 83.39%
=======================================
Files ? 68
Lines ? 5367
Branches ? 0
=======================================
Hits ? 4476
Misses ? 746
Partials ? 145 |
renovate
bot
force-pushed
the
renovate/go-github.jparrowsec.cn/docker/docker-vulnerability
branch
from
b837692 to
4b44461
Compare
renovate
bot
force-pushed
the
renovate/go-github.jparrowsec.cn/docker/docker-vulnerability
branch
3 times, most recently
from
1052b3f to
e85f010
Compare
renovate
bot
force-pushed
the
renovate/go-github.jparrowsec.cn/docker/docker-vulnerability
branch
from
e85f010 to
9432825
Compare
wass3rw3rk
approved these changes
Apr 18, 2023
ecrupper
approved these changes
Apr 18, 2023
timhuynh94
approved these changes
Apr 18, 2023
ecrupper
deleted the
renovate/go-github.jparrowsec.cn/docker/docker-vulnerability
branch
plyr4
added a commit
that referenced
this pull request
Aug 31, 2023
* chore: update go version to 1.16 (#202) * chore: upgrade dependencies for v0.9.0-rc2 (#203) * chore: upgrade dependencies for v0.9.0-rc3 (#204) * chore: upgrade dependencies for v0.9.0 (#207) * fix(deps): update module github.com/gin-gonic/gin to v1.7.4 (#205) Co-authored-by: Renovate Bot <[email protected]> * docs - remove use at your own risk language (#208) * fix(deps): update module github.com/joho/godotenv to v1.4.0 (#209) Co-authored-by: Renovate Bot <[email protected]> * feat(log streaming): add ability to stream step and service logs (#211) * chore: release v0.10.0-rc1 (#212) * chore: release v0.10.0-rc2 (#213) * chore: release v0.10.0-rc3 (#214) * chore: release v0.10.0 (#216) * fix(register): handle nil response (#217) * chore(deps): update postgres docker tag to v14 (#210) Co-authored-by: Renovate Bot <[email protected]> * remove/fix broken links (#218) * feat(internal): add internal logic from pkg-executor (#219) * feat(internal): add logic from pkg-executor * chore: clean go dependencies * chore: address linter feedback * feat(executor): add executor logic from pkg-executor (#220) * feat(executor): add logic from pkg-executor * chore: clean go dependencies * feat(internal): add logic from pkg-runtime (#221) * feat(runtime): add logic from pkg-runtime (#222) * fix(deps): update module github.com/docker/docker to v20.10.10 (#226) Co-authored-by: Renovate Bot <[email protected]> * refactor: update queue packge to get from server (#225) Co-authored-by: Neal Coleman <[email protected]> * fix(deps): update deps (patch) (#227) Co-authored-by: Renovate Bot <[email protected]> * refactor: update compiler package to get from server (#228) * feat(mock): add logic from go-vela/mock (#229) Co-authored-by: Kelly Merrick <[email protected]> * refactor: pull server mock package from server (#230) * feat: enable streaming logs for container (#233) * revert: stream container logs * feat: add flag to enable streaming logs * feat(executor): add logic to stream logs if enabled * enhance: make log publishing method configurable * enhance: use configurable log publishing method * chore: configure time log publish method for local * chore: address linter feedback * chore: fix tests for code changes * chore: address linter feedback v2 * chore: release v0.11.0-rc1 (#234) * fix: compare time chunks against zero (#235) * chore: release v0.11.0-rc3 (#236) * chore(v0.11.0): update dependencies for v0.11.0 (#238) * fix(deps): update module github.com/opencontainers/image-spec to v1.0.2 (#237) Co-authored-by: Renovate Bot <[email protected]> * enhance: setting version information (#240) * enhance(version): add fallback for empty tag * enhance(version): use go version from runtime library * chore: clean go code * fix(deps): update deps (patch) to v0.22.4 (#241) * fix: move Step init logic to library (#239) * StepFromContainer -> StepFromContainerEnvironment * Use library.StepFromBuildContainer to create new Steps * update go-vela/types * go mod tidy Co-authored-by: David May <[email protected]> * fix(deps): update module github.com/gin-gonic/gin to v1.7.6 (#242) Co-authored-by: Renovate Bot <[email protected]> Co-authored-by: Jordan Brockopp <[email protected]> * fix(deps): update module github.com/gin-gonic/gin to v1.7.7 (#243) Co-authored-by: Renovate Bot <[email protected]> * fix: local setup with server (#245) * feat(logs): allow setting max log size (#244) * chore: update go-vela/server dependency (#252) * enhance: use application logger (#246) * fix(docker): pulling images without output (#253) * chore(deps): update go to 1.17 (#255) * fix(deps): update kubernetes packages to v0.23.1 (#250) * feat(secrets): mask secrets in logs (#254) * initial changes * add some replace logic for secret masking * bringing in new types * fix go mod validate * multi line compatibility and initial testing work * added testing for internal secret masking * add back accidental deletion of error checking Co-authored-by: Jordan Brockopp <[email protected]> * fix(deps): update module gotest.tools/v3 to v3.1.0 (#256) Co-authored-by: Renovate Bot <[email protected]> * chore: update copyright year to 2022 (#257) * update copyright year to 2022 * fix quotes * fix(deps): update module github.com/prometheus/client_golang to v1.12.0 (#259) Co-authored-by: Renovate Bot <[email protected]> * fix(deps): update module github.com/google/go-cmp to v0.5.7 (#260) Co-authored-by: Renovate Bot <[email protected]> * fix(deps): update deps (patch) to v0.23.2 (#262) Co-authored-by: Renovate Bot <[email protected]> * chore(step): clean up masking routine due to types change (#261) * first commit * adding new name due to types change * enhance(spec): automate worker api spec generation (#258) * chore(release): v0.12.0-rc1 (#264) * fix(deps): update deps (patch) (#265) Co-authored-by: Renovate Bot <[email protected]> * fix(deps): update module github.com/prometheus/client_golang to v1.12.1 (#266) Co-authored-by: Renovate Bot <[email protected]> * chore(deps): bump server and sdk to latest rc (#268) * chore(release): v0.12.0 (#269) * fix(deps): update module github.com/docker/distribution to v2.8.0 (#270) Co-authored-by: Renovate Bot <[email protected]> * fix(step): add catch block for disallowed secrets (#272) * add catch block for unallowed secrets * adding test case * fix(deps): update deps (patch) to v0.23.4 (#273) Co-authored-by: Renovate Bot <[email protected]> * fix(deps): update module github.com/go-vela/server to v0.12.1 (#276) Co-authored-by: Renovate Bot <[email protected]> * chore(dep): update containerd to 1.4.8 (#278) * refactor: docs for local setup (#275) * chore(deps): update actions/checkout action to v3 (#281) Co-authored-by: Renovate Bot <[email protected]> * chore: update Golangci config & clean repo (#282) * add new yml config * lint wsl * replace golint fals pos with revive false pos * remove nolintlints * lint funlen * noctx * govet -> goheader * errorlint * remove lll false pos, lint contextcheck * lint dupl * lint nilerr * remove false positives * clean * remove changelog code * chore(dep): update containerd to 1.4.13 (#283) * fix(deps): update module github.com/docker/distribution to v2.8.1 (#284) Co-authored-by: Renovate Bot <[email protected]> * chore: release v0.13.0-rc1 (#285) * refactor(logs): Replace "Pulling" with "Preparing" in init step logs (#287) * refactor(kubernetes): Refactor watch related code (#288) * test(kubernetes): Test TailContainer happy path (#289) * fix(deps): update module github.com/urfave/cli/v2 to v2.4.0 (#290) * chore: update contributing (#291) * chore(release): updates for v0.13.0-rc2 (#292) * fix(deps): update deps (patch) to v0.23.5 (#293) Co-authored-by: Renovate Bot <[email protected]> * chore: Add tests for runtime WithLogger opt (#295) * chore(release): dependency updates for v0.13.0 (#297) * feat(kubernetes): Add PipelinePodsTemplate CRD to define worker-specific Pod defaults for Kubernetes Runtime (#294) * chore(deps): update codecov/codecov-action action to v3 (#298) Co-authored-by: Renovate Bot <[email protected]> Co-authored-by: David May <[email protected]> * fix(deps): update module sigs.k8s.io/yaml to v1.3.0 (#301) * refactor: silence lint issues (#307) * bugfix(k8s): add newline to init step output (#309) * revert(k8s): Revert go-vela/pkg-runtime#151 (#306) * bugfix(k8s): avoid InspectContainer panic where container is not Terminated (#308) * tests: Convert runtime tests to subtests (#312) * refactor: drop duplicate executor.DestroyBuild call (#313) * bugfix(k8s): avoid "index out of range" panic by replacing magic indexes with containerLookup map (#311) * refactor: cleanup context passing in kubernetes runtime (#314) * tests: Convert executor tests to subtests (#315) * tests: Convert internal/ tests to subtests (#316) * fix(ci): Fix silent failures in GHA reviewdog workflow (#319) * fix(deps): update deps (patch) (#310) Co-authored-by: Renovate Bot <[email protected]> * fix(deps): update module gotest.tools/v3 to v3.2.0 (#321) * fix(deps): update module github.com/urfave/cli/v2 to v2.4.8 (#320) * enhancement: Make context handling for log streaming more explicit (#317) * bugfix(k8s): skip false error in logs correctly (#323) * chore(deps): update dependency redis to v7 (#328) * chore(deps): update github/codeql-action action to v2 (#322) * fix(deps): update module github.com/urfave/cli/v2 to v2.5.1 (#325) * fix(deps): update module github.com/google/go-cmp to v0.5.8 (#327) * bugfix: make sure kubernetes log streaming gets canceled with build (#329) * refactor(executor): clarify why use different contexts (#304) * feat(internal/skip): add event action handling for skip method (#326) * fix(deps): update deps (patch) (#330) * enhance(kubernetes): Add podTracker and containerTracker to use k8s API more like a k8s controller (#302) * fix(executor): tests from compiler changes (#332) * chore(release): dependency updates for v0.14.0-rc1 (#333) * fix(deps): update kubernetes packages to v0.24.0 (#334) Co-authored-by: Renovate Bot <[email protected]> * fix(deps): update module github.com/urfave/cli/v2 to v2.6.0 (#335) * bugfix(k8s): Drop TailContainer's logsContext to avoid early cancel (#337) * fix(deps): update module github.com/prometheus/client_golang to v1.12.2 (#341) * fix(deps): update golang.org/x/sync digest to 0976fa6 (#342) * fix(deps): update module github.com/urfave/cli/v2 to v2.8.1 (#343) * fix(deps): update deps (patch) to v0.24.1 (#344) * test: add API mock for Vela Worker (#338) * fix(deps): update module github.com/gin-gonic/gin to v1.8.0 (#345) * fix(deps): update golang.org/x/sync digest to 0de741c (#346) * add tag to ruleset for deployment event, if it is from a tag #606 (#347) * chore(release): v0.14.0-rc2 (#348) * fix(deps): update module github.com/gin-gonic/gin to v1.8.1 (#349) * chore(release): v0.14.0-rc3 (#350) * fix(deps): update module gotest.tools/v3 to v3.3.0 (#352) * fix(deps): update deps (patch) to v0.24.2 (#351) * chore(release): dependency updates for v0.14.0 (#353) * enhance(local executor): print to stdout via client field (#339) * fix(deps): update module github.com/sirupsen/logrus to v1.9.0 (#356) * fix(deps): update module github.com/urfave/cli/v2 to v2.11.1 (#354) * fix(deps): update golang.org/x/sync digest to 886fb93 (#358) * fix(deps): update module github.com/prometheus/client_golang to v1.13.0 (#362) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update deps (patch) to v0.14.3 (#355) * Allow creating mocks via `runtime.New()` (#340) * fix(deps): update module github.com/google/go-cmp to v0.5.9 (#369) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(go): update to 1.19 (#370) * fix(deps): update golang.org/x/sync digest to f12130a (#364) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(lint): fix linter errors in worker codebase (#371) * chore(lint): fix linter errors in worker codebase * go mod tidy * fixing struct check Co-authored-by: David May <[email protected]> Co-authored-by: dave vader <[email protected]> * feat(start/server): add minimum TLS version of 1.2 with option to set it differently (#368) * fix(deps): update kubernetes packages to v0.25.0 (#365) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/docker/go-units to v0.5.0 (#366) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/docker/docker to v20.10.18+incompatible (#373) * fix(deps): update module github.com/docker/docker to v20.10.18+incompatible * fix it Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: wass3r <[email protected]> * chore: change default branch to main (#378) * fix(deps): update deps (patch) to v0.25.1 (#377) * fix(deps): update deps (patch) to v0.25.2 (#379) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update golang.org/x/sync digest to 7f9b162 (#380) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore: v0.15.0-rc1 prep (#381) * fix(deps): update module github.com/urfave/cli/v2 to v2.17.1 (#383) * fix(deps): update golang.org/x/sync digest to 8fcdb60 (#382) * chore: v0.15.0-rc2 (#384) * chore: v0.15.0 release prep (#385) * fix(actions): make sure to use latest Go version (#386) * chore: update deps for v0.15.1 (#387) * wip: queue public key for opening signed items * revert: changes for testing * fix: tidy * refactor: move kubernetes runtime mock code to separate file (#389) * Merge pull request from GHSA-2w78-ffv6-p46w * feat!: gate privileged images behind trusted repos (#391) * chore(release): v0.16.0 prep (#399) * fix(deps): update module gotest.tools/v3 to v3.4.0 (#388) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update deps (patch) (#392) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update postgres docker tag to v15 (#393) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module golang.org/x/sync to v0.1.0 (#394) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(release): v0.16.1 prep (#400) * chore(release): 0.16.2 prep (#402) * refactor(k8s): move test logic to MockKubernetesRuntime interface (#395) * refactor(executor tests): cleanup test names and errors (#396) * fix: Allow log streaming to take longer than build execution (#390) * fix(deps): update module github.com/urfave/cli/v2 to v2.23.6 (#401) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/masterminds/semver/v3 to v3.2.0 (#404) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(deps): update elgohr/publish-docker-github-action action to v5 (#406) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update kubernetes packages to v0.26.0 (#407) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix: revert log streaming commit (#409) * feat(stage): stages fail independently when continue is set to true (#318) * first draft * changing dependent to continue and ditching print statements * changing continue to independent and linter work * adding new types in go mod * go mod tidy * adding additional stop check in stage loop and more comments Co-authored-by: David May <[email protected]> * fix: move trusted repos check to handle dynamic images (#405) * chore: remove code of conduct in favor of global version (#403) Co-authored-by: dave vader <[email protected]> * chore(release): dependency updates for v0.17.0-rc1 (#412) * fix: improve streaming coordination so it does not hang (#410) * fix(deps): update deps (patch) (#413) * chore(release): update dependencies for v0.17.0 (#415) * refactor(executor tests): Make runtime a test arg (#418) * enhance(executor tests): test StreamBuild logging during build tests (#419) * enhance(executor tests): Sanitize pipelines to handle runtime specific differences (#422) * enhance(executor tests): Add test helpers to generate test Pods (#424) * test: add kubernetes baseline for Create funcs * test: add kubernetes runtime for stages * test: prepare for test specific pod in executor test * test: add testPod helper method * test: add testPodFor(pipeline) helper method * test: mark secret containers terminated in test Pods * test: use pipeline-specific runtime instances * test: Create runtime for each executor build test * test: Adds several new test helpers. --------- Co-authored-by: JordanBrockopp <[email protected]> * enhance(executor tests): Call k8s SetupMock method after CreateBuild in tests (#425) * enhance: extract kubernetes runtime mock setup In order to run the PodTracker mock setup in executor tests, we need to export something * Call k8s SetupMock in executor Build test * test: Add kubernetes SetupMock to executor StreamBuild test * mark exported k8s Mock functions as test-only functions * fix(tests): accommodate clone image change in server (#417) * feat(build_token): worker changes for build token implementation (#427) * enhance(executor tests): Manage k8s mocks for Executor exec tests (#431) * enhance(executor tests): Manage k8s mocks for Executor AssembleBuild test (#432) * test: Fix kubernetes tests for executor AssembleBuild Adds some new WaitForPod* test helpers. * sort imports in runtime/kubernetes/kubernetes.go * test: add pause to simulate step execution * AssembleBuild test does not need to mark steps running * fix(deps): update deps (patch) (#414) * Update spec.yml (#416) Co-authored-by: David May <[email protected]> Co-authored-by: Kelly Merrick <[email protected]> * fix(deps): update module github.com/gin-gonic/gin to v1.9.0 (#426) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/joho/godotenv to v1.5.1 (#423) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/urfave/cli/v2 to v2.24.4 (#420) * chore: upgrade to docker v23 and add new mocked funcs (#433) * Revert "chore: upgrade to docker v23 and add new mocked funcs (#433)" (#435) This reverts commit 3a4c3a2. * chore(release): v0.18.0-rc1 prep (#436) * chore(release): v0.18.0-rc1 prep * tidy up * chore(release): v0.18.0-rc2 prep (#444) * chore(release): upgrade server, types, sdk to v0.18.0 (#445) * chore: v0.18.1 (#446) * chore(log): remove byte-chunks log method (#447) * enhance(executor tests): Add kubernetes runtime test cases for Build tests (#438) * test(executor): add kubernetes runtime to CreateBuild test * test: Use kubernetes runtime in executor build tests The kubernetes Mock does not support some of the failure modes simulated by the docker Mock. So, those test cases are commented out with a FIXME. * cleanup commented blocks * test(executor): add remaining StreamBuild k8s test cases --------- Co-authored-by: JordanBrockopp <[email protected]> Co-authored-by: Easton Crupper <[email protected]> Co-authored-by: David May <[email protected]> * enhance(executor tests): Add kubernetes runtime test cases for Opts and Secrets tests (#439) * enhance(executor tests): Add kubernetes runtime test cases for Step tests (#440) * enhance(executor tests): Add kubernetes runtime test cases for Stage tests (#441) * enhance(executor tests): Add kubernetes runtime test cases for Service tests (#442) * feat: use validate-token endpoint in MustServer (#449) * enhance(auth): implement registration flow (#452) * initial work * more work * backwards compatibility with comments * adjust middleware to only use validate-token for server tokens * more work * rename auth token channel to RegisterToken * rename token channel and update api comments * updating some comments and not loggin token * fix docker compose * fix local replace * token expiration func has two return vals * docker compose no register * name register token middleware file correctly * update swagger for register * feat(mock): add support for register endpoint (#457) * feat(runtime/docker): add drop kernel capabilities option to runtime flags (#454) * capabilities * docker compose revert + opencontainers version * revert lots of go mod stuff * fix copy pasta and add a test in opts * enhance: operate/exec logging (#461) * chore(deps): update actions/setup-go action to v4 (#448) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update deps (patch) (#443) * fix(deps): update module github.com/urfave/cli/v2 to v2.25.1 (#453) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/docker/docker to v20.10.24+incompatible [security] (#456) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update module github.com/prometheus/client_golang to v1.15.0 (#460) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * fix(deps): update kubernetes packages to v0.27.1 (#459) * fix(deps): update kubernetes packages to v0.27.1 * fix(deps): update kubernetes packages to v0.27.1 * update runtime k8s container to use proper type for log func * gosimple lint fix --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: ecrupper <[email protected]> * chore(release): upgrade types, server, sdk to v19 rc1 (#463) * fix: err shadowing (#464) * fix(register): verify hostname (#465) * chore(release): upgrade server and sdk to rc2 (#466) * chore(release): upgrade sdk, server, types to v0.19.0 for release (#467) * chore(release): upgrade types, server, worker to v0.19.1 (#468) * chore(release): upgrade server, types, sdk to v0.19.2 (#470) * enhance(exec): do not kill worker if build has been canceled and build token minting fails (#472) * enhance(exec): do not kill worker if build has been canceled and build token minting fails * change status code to 409 conflict * upgrade server * chore: add vscode project files to gitignore (#469) Co-authored-by: Easton Crupper <[email protected]> * fix: generate example keys * tweak: env var naming * feat!: Use queue Item.ItemVersion field to fail stale builds (#478) * feat: add support for schedules (#479) * feat: add support for schedules * chore: update go dependencies * chore: update go deps * chore: vscode gitignore from toptal (#476) * enhance(log): no library log return for update calls (#485) * chore(deps): bulk update (#487) * feat(worker-visibility): allow update to worker table with status and build info (#482) * feat(register-and-operate): add ability for worker to update status to idle and error * docs(README): showing off commitizen cli * feat: update worker status and runningBuildIDs * feat: worker can update runningBuildIDs and status * chore(exec): clean up logging for worker database updates * feat(worker): update last_build_ timestamps in the database * fix(worker-visibility): update error to make logrus happy * chore(worker_visibility): update deps for types and server * Update cmd/vela-worker/register.go Co-authored-by: David May <[email protected]> * add res nil check * move res nil above err * add res nil check * more accurate logging * make clean --------- Co-authored-by: Tim Huynh <[email protected]> Co-authored-by: David May <[email protected]> * chore(release): upgrade types, server, sdk to v0.20.0-rc1 (#489) * fix(compose): use hashicorp/vault docker repo (#490) * fix(deps): update module gotest.tools/v3 to v3.5.0 (#491) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> * chore(release): bump server and sdk to v0.20.0-rc3 (#492) * chore(release): upgrade types, server, sdk-go to v0.20.0 (#494) * chore(release): ugprade types, server, sdk to v0.20.1 + other deps (#496) * chore(release): ugprade types, server, sdk to v0.20.1 + other deps * pin to alpine version * chore: go mod tidy * chore: reorganize compose vars * chore: simplify queue env variable names * chore: bump server * chore: tweak var naming * todo: build executables types change * chore: go mod tidy --------- Co-authored-by: Kelly Merrick <[email protected]> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Renovate Bot <[email protected]> Co-authored-by: David May <[email protected]> Co-authored-by: Jordan Sussman <[email protected]> Co-authored-by: kaymckay <[email protected]> Co-authored-by: Jordan Brockopp <[email protected]> Co-authored-by: Neal <[email protected]> Co-authored-by: Neal Coleman <[email protected]> Co-authored-by: David Vader <[email protected]> Co-authored-by: Jacob Floyd <[email protected]> Co-authored-by: Easton Crupper <[email protected]> Co-authored-by: DaxJohnson <[email protected]> Co-authored-by: DaxJohnson <[email protected]> Co-authored-by: JayCeeJr <[email protected]> Co-authored-by: wass3r <[email protected]> Co-authored-by: JordanBrockopp <[email protected]> Co-authored-by: David May <[email protected]> Co-authored-by: ecrupper <[email protected]> Co-authored-by: Tim Huynh <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v20.10.23+incompatible->v20.10.24+incompatibleGitHub Vulnerability Alerts
CVE-2023-28842
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (
dockerd), which is developed as moby/moby is commonly referred to as Docker.Swarm Mode, which is compiled in and delivered by default in
dockerdand is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.The
overlaynetwork driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the
u32iptables extension provided by thext_u32kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.The
overlaydriver dynamically and lazily defines the kernel configuration for the VXLAN network on each node as containers are attached and detached. Routes and encryption parameters are only defined for destination nodes that participate in the network. The iptables rules that prevent encrypted overlay networks from accepting unencrypted packets are not created until a peer is available with which to communicate.Impact
Encrypted overlay networks silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams. The implications of this can be quite dire, and GHSA-vwm3-crmr-xfxw should be referenced for a deeper exploration.
Patches
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Workarounds
registry.k8s.io/pauseimage and a--mode globalservice.The Swarm ingress feature is implemented using an overlay network, but can be disabled by publishing ports in
hostmode instead ofingressmode (allowing the use of an external load balancer), and removing theingressnetwork.iptables -A INPUT -m udp —-dport 4789 -m policy --dir in --pol none -j DROP.Background
Related
CVE-2023-28841
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (
dockerd), which is developed as moby/moby is commonly referred to as Docker.Swarm Mode, which is compiled in and delivered by default in
dockerdand is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.The
overlaynetwork driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the
u32iptables extension provided by thext_u32kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.An iptables rule designates outgoing VXLAN datagrams with a VNI that corresponds to an encrypted overlay network for IPsec encapsulation.
On Red Hat Enterprise Linux and derivatives such as CentOS and Rocky, the
xt_u32module has been:This rule is not created when
xt_u32is unavailable, even though the container is still attached to the network.Impact
Encrypted overlay networks on affected platforms silently transmit unencrypted data. As a result,
overlaynetworks may appear to be functional, passing traffic as expected, but without any of the expected confidentiality or data integrity guarantees.It is possible for an attacker sitting in a trusted position on the network to read all of the application traffic that is moving across the overlay network, resulting in unexpected secrets or user data disclosure. Thus, because many database protocols, internal APIs, etc. are not protected by a second layer of encryption, a user may rely on Swarm encrypted overlay networks to provide confidentiality, which due to this vulnerability is no longer guaranteed.
Patches
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Workarounds
xt_u32kernel module is available on all nodes of the Swarm cluster.Background
Related
CVE-2023-28840
Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component (
dockerd), which is developed as moby/moby is commonly referred to as Docker.Swarm Mode, which is compiled in and delivered by default in
dockerdand is thus present in most major Moby downstreams, is a simple, built-in container orchestrator that is implemented through a combination of SwarmKit and supporting network code.The
overlaynetwork driver is a core feature of Swarm Mode, providing isolated virtual LANs that allow communication between containers and services across the cluster. This driver is an implementation/user of VXLAN, which encapsulates link-layer (Ethernet) frames in UDP datagrams that tag the frame with a VXLAN Network ID (VNI) that identifies the originating overlay network. In addition, the overlay network driver supports an optional, off-by-default encrypted mode, which is especially useful when VXLAN packets traverses an untrusted network between nodes.Encrypted overlay networks function by encapsulating the VXLAN datagrams through the use of the IPsec Encapsulating Security Payload protocol in Transport mode. By deploying IPSec encapsulation, encrypted overlay networks gain the additional properties of source authentication through cryptographic proof, data integrity through check-summing, and confidentiality through encryption.
When setting an endpoint up on an encrypted overlay network, Moby installs three iptables (Linux kernel firewall) rules that enforce both incoming and outgoing IPSec. These rules rely on the
u32iptables extension provided by thext_u32kernel module to directly filter on a VXLAN packet's VNI field, so that IPSec guarantees can be enforced on encrypted overlay networks without interfering with other overlay networks or other users of VXLAN.Two iptables rules serve to filter incoming VXLAN datagrams with a VNI that corresponds to an encrypted network and discards unencrypted datagrams. The rules are appended to the end of the
INPUTfilter chain, following any rules that have been previously set by the system administrator. Administrator-set rules take precedence over the rules Moby sets to discard unencrypted VXLAN datagrams, which can potentially admit unencrypted datagrams that should have been discarded.On Red Hat Enterprise Linux and derivatives such as CentOS and Rocky, the
xt_u32module has been:These rules are not created when
xt_u32is unavailable, even though the container is still attached to the network.Impact
Encrypted overlay networks on affected configurations silently accept cleartext VXLAN datagrams that are tagged with the VNI of an encrypted overlay network. As a result, it is possible to inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
The injection of arbitrary Ethernet frames can enable a Denial of Service attack. A sophisticated attacker may be able to establish a UDP or TCP connection by way of the container’s outbound gateway that would otherwise be blocked by a stateful firewall, or carry out other escalations beyond simple injection by smuggling packets into the overlay network.
Patches
Patches are available in Moby releases 23.0.3, and 20.10.24. As Mirantis Container Runtime's 20.10 releases are numbered differently, users of that platform should update to 20.10.16.
Workarounds
xt_u32kernel module is available on all nodes of the Swarm cluster.Background
Related
Release Notes
docker/docker
v20.10.24+incompatibleCompare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.