For local communications (npipe://, unix://), the hostname is not used,
but we need valid and meaningful hostname.
The current code used the client's `addr` as hostname in some cases, which
could contain the path for the unix-socket (`/var/run/docker.sock`), which
gets rejected by go1.20.6 and go1.19.11 because of a security fix for
[CVE-2023-29406 ][1], which was implemented in https://go.dev/issue/60374.
Prior versions go Go would clean the host header, and strip slashes in the
process, but go1.20.6 and go1.19.11 no longer do, and reject the host
header.
This patch introduces a `DummyHost` const, and uses this dummy host for
cases where we don't need an actual hostname.
docker pause/unpause with parallel docker exec can lead to freezing
state, set freezer.state to Thawed to increase freeze chances
(cherry picked from commit b78a50c378d2ccef2254cf694991f4d52eec1fe9)
If image pull fails of context canceled, image layer will perform a
rollback operation. When image layer is released, the diff folder of layer
will be removed first, and then the digest folder will be removed.
If the diff folder fails to be removed, such as operation not permitted or
interrupted by others, both the digest folder and diff folder will remain
on the disk, this will cause image not be complete and not repairable.
So we should remove the digest folder first for image layers rollback
and ensure image can be re-pulled completely.
(cherry picked from commit 54c9d1260f3b7756794a8b8c13e0080831c29203)
After kernel upgrade to 5.10, clone3 is defined. But if clone3 is not
added to docker seccomp whitelist, clone3 calling will be rejected in
container, which causes some commands like curl returns error.
Signed-off-by: xiadanni <xiadanni1@huawei.com>
reason: when mirror is matched, only matched mirror endpoint is added to endpoint list, but the hostname itself is not in the list, which is not compatible with the case of docker.io, docker.io will be appended to the last of the endpoint list.
kill process directly should check whether exit file is exist already,
for avoid kill the new process which reused this pid
Signed-off-by: liuzekun <liuzekun@huawei.com>
containerd has two objects with regard to containers.
This is a "container" object which is metadata and a "task" which is
manging the actual runtime state.
When docker starts a container, it creates both the container metadata
and the task at the same time. So when a container exists, docker deletes
both of these objects as well.
This ensures that if, on start, when we go to create the container metadata object
in containerd, if there is an error due to a name conflict taht we go
ahead and clean that up and try again.
backport from upstream: https://github.com/moby/moby/pull/38364
Signed-off-by: Grooooot <isula@huawei.com>
