diff --git a/go.mod b/go.mod
index 6947b441cc10..764db7b3c7b6 100644
--- a/go.mod
+++ b/go.mod
@@ -2,8 +2,8 @@ module github.com/moby/buildkit
go 1.22.0
-// FIXME(thaJeztah): testing https://github.com/moby/moby/pull/49087
-replace github.com/docker/docker => github.com/dmcgowan/docker v1.1.3-0.20241219215548-75a8139e6c42
+// FIXME(thaJeztah): testing moby master
+replace github.com/docker/docker => github.com/docker/docker v27.0.2-0.20241219215845-ec0dba002046+incompatible
replace github.com/docker/cli => github.com/docker/cli v27.0.2-0.20241218124108-2f67b2f3ff3a+incompatible
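Review bot: The `replace` on the added line pins `github.com/docker/docker` to an untagged master pseudo-version (`v27.0.2-0.20241219215845-ec0dba002046+incompatible`) under a FIXME that does not say when the pin may be dropped, so a test-only pin could be merged unchanged. I would spell out the exit condition in the comment, e.g. `// FIXME(thaJeztah): testing moby master (ec0dba002046); switch to a tagged release and drop this replace before merging`. The pin also rewrites the vendored `pkg/archive`, which processes tar headers taken from image layers. In this diff `UnpackLayer` in `diff.go` passes `hdr.AccessTime` and `hdr.ModTime` to `chtimes` unclamped, while both call sites in `archive.go` wrap them in `boundTime`. Since `chtimes` itself is not visible here, it is worth confirming upstream that out-of-range timestamps are still bounded on that path before this version is kept.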
diff --git a/go.sum b/go.sum
index 4618ca880ea0..9eb9c26e66a9 100644
--- a/go.sum
+++ b/go.sum
@@ -138,10 +138,10 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/dmcgowan/docker v1.1.3-0.20241219215548-75a8139e6c42 h1:u2GeTGFCfs9QlOS1wmS7g0Q5i2I6WGcWGs501UzIWGI=
-github.com/dmcgowan/docker v1.1.3-0.20241219215548-75a8139e6c42/go.mod h1:AKi7Z6FzccBGsB9PP0AbY4O0g9QR4Y5RmrVhRbN4r3Q=
github.com/docker/cli v27.0.2-0.20241218124108-2f67b2f3ff3a+incompatible h1:XsSN1xr87F/IR/WB7nWhL7qJIb72GLkZKvMSWPYFYrY=
github.com/docker/cli v27.0.2-0.20241218124108-2f67b2f3ff3a+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v27.0.2-0.20241219215845-ec0dba002046+incompatible h1:y5zPikHhd1kWQfhFaQYkBhFNt3SI5oxZfcVQsSFFOvg=
+github.com/docker/docker v27.0.2-0.20241219215845-ec0dba002046+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml
index b9f805a52f73..ee559ff0353a 100644
--- a/vendor/github.com/docker/docker/api/swagger.yaml
+++ b/vendor/github.com/docker/docker/api/swagger.yaml
@@ -1195,6 +1195,7 @@ definitions:
- "default"
- "process"
- "hyperv"
+ - ""
MaskedPaths:
type: "array"
description: |
@@ -4219,6 +4220,7 @@ definitions:
- "default"
- "process"
- "hyperv"
+ - ""
Init:
description: |
Run an init inside the container that forwards signals and reaps
@@ -5546,13 +5548,28 @@ definitions:
type: "boolean"
example: true
BridgeNfIptables:
- description: "Indicates if `bridge-nf-call-iptables` is available on the host."
+ description: |
+ Indicates if `bridge-nf-call-iptables` is available on the host when
+ the daemon was started.
+
+
+
+ > **Deprecated**: netfilter module is now loaded on-demand and no longer
+ > during daemon startup, making this field obsolete. This field is always
+ > `false` and will be removed in a API v1.49.
type: "boolean"
- example: true
+ example: false
BridgeNfIp6tables:
- description: "Indicates if `bridge-nf-call-ip6tables` is available on the host."
+ description: |
+ Indicates if `bridge-nf-call-ip6tables` is available on the host.
+
+
+
+ > **Deprecated**: netfilter module is now loaded on-demand, and no longer
+ > during daemon startup, making this field obsolete. This field is always
+ > `false` and will be removed in a API v1.49.
type: "boolean"
- example: true
+ example: false
Debug:
description: |
Indicates if the daemon is running in debug-mode / with debug-level
@@ -5789,6 +5806,7 @@ definitions:
- "default"
- "hyperv"
- "process"
+ - ""
InitBinary:
description: |
Name and, optional, path of the `docker-init` binary.
@@ -5859,8 +5877,6 @@ definitions:
type: "string"
example:
- "WARNING: No memory limit support"
- - "WARNING: bridge-nf-call-iptables is disabled"
- - "WARNING: bridge-nf-call-ip6tables is disabled"
CDISpecDirs:
description: |
List of directories where (Container Device Interface) CDI
@@ -5983,55 +5999,27 @@ definitions:
List of IP ranges to which nondistributable artifacts can be pushed,
using the CIDR syntax [RFC 4632](https://tools.ietf.org/html/4632).
- Some images (for example, Windows base images) contain artifacts
- whose distribution is restricted by license. When these images are
- pushed to a registry, restricted artifacts are not included.
-
- This configuration override this behavior, and enables the daemon to
- push nondistributable artifacts to all registries whose resolved IP
- address is within the subnet described by the CIDR syntax.
-
- This option is useful when pushing images containing
- nondistributable artifacts to a registry on an air-gapped network so
- hosts on that network can pull the images without connecting to
- another server.
-
- > **Warning**: Nondistributable artifacts typically have restrictions
- > on how and where they can be distributed and shared. Only use this
- > feature to push artifacts to private registries and ensure that you
- > are in compliance with any terms that cover redistributing
- > nondistributable artifacts.
+
+ > **Deprecated**: Pushing nondistributable artifacts is now always enabled
+ > and this field is always `null`. This field will be removed in a API v1.49.
type: "array"
items:
type: "string"
- example: ["::1/128", "127.0.0.0/8"]
+ example: []
AllowNondistributableArtifactsHostnames:
description: |
List of registry hostnames to which nondistributable artifacts can be
pushed, using the format `[:]` or `[:]`.
- Some images (for example, Windows base images) contain artifacts
- whose distribution is restricted by license. When these images are
- pushed to a registry, restricted artifacts are not included.
-
- This configuration override this behavior for the specified
- registries.
-
- This option is useful when pushing images containing
- nondistributable artifacts to a registry on an air-gapped network so
- hosts on that network can pull the images without connecting to
- another server.
+
- > **Warning**: Nondistributable artifacts typically have restrictions
- > on how and where they can be distributed and shared. Only use this
- > feature to push artifacts to private registries and ensure that you
- > are in compliance with any terms that cover redistributing
- > nondistributable artifacts.
+ > **Deprecated**: Pushing nondistributable artifacts is now always enabled
+ > and this field is always `null`. This field will be removed in a API v1.49.
type: "array"
items:
type: "string"
- example: ["registry.internal.corp.example.com:3000", "[2001:db8:a0b:12f0::1]:443"]
+ example: []
InsecureRegistryCIDRs:
description: |
List of IP ranges of insecure registries, using the CIDR syntax
@@ -9626,7 +9614,7 @@ paths:
type: "string"
example: "OK"
headers:
- API-Version:
+ Api-Version:
type: "string"
description: "Max API Version the server supports"
Builder-Version:
@@ -9682,7 +9670,7 @@ paths:
type: "string"
example: "(empty)"
headers:
- API-Version:
+ Api-Version:
type: "string"
description: "Max API Version the server supports"
Builder-Version:
@@ -11726,6 +11714,7 @@ paths:
example:
ListenAddr: "0.0.0.0:2377"
AdvertiseAddr: "192.168.1.1:2377"
+ DataPathAddr: "192.168.1.1"
RemoteAddrs:
- "node1:2377"
JoinToken: "SWMTKN-1-3pu6hszjas19xyp7ghgosyx9k8atbfcr8p2is99znpy26u2lkl-7p73s1dx5in4tatdymyhg9hu2"
diff --git a/vendor/github.com/docker/docker/api/types/registry/registry.go b/vendor/github.com/docker/docker/api/types/registry/registry.go
index 75ee07b15f97..b0a4d604f5f8 100644
--- a/vendor/github.com/docker/docker/api/types/registry/registry.go
+++ b/vendor/github.com/docker/docker/api/types/registry/registry.go
@@ -9,11 +9,29 @@ import (
// ServiceConfig stores daemon registry services configuration.
type ServiceConfig struct {
- AllowNondistributableArtifactsCIDRs []*NetIPNet
- AllowNondistributableArtifactsHostnames []string
- InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
- IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
- Mirrors []string
+ AllowNondistributableArtifactsCIDRs []*NetIPNet `json:"AllowNondistributableArtifactsCIDRs,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+ AllowNondistributableArtifactsHostnames []string `json:"AllowNondistributableArtifactsHostnames,omitempty"` // Deprecated: non-distributable artifacts are deprecated and enabled by default. This field will be removed in the next release.
+
+ InsecureRegistryCIDRs []*NetIPNet `json:"InsecureRegistryCIDRs"`
+ IndexConfigs map[string]*IndexInfo `json:"IndexConfigs"`
+ Mirrors []string
+}
+
+// MarshalJSON implements a custom marshaler to include legacy fields
+// in API responses.
+func (sc ServiceConfig) MarshalJSON() ([]byte, error) {
+ tmp := map[string]interface{}{
+ "InsecureRegistryCIDRs": sc.InsecureRegistryCIDRs,
+ "IndexConfigs": sc.IndexConfigs,
+ "Mirrors": sc.Mirrors,
+ }
+ if sc.AllowNondistributableArtifactsCIDRs != nil {
+ tmp["AllowNondistributableArtifactsCIDRs"] = nil
+ }
+ if sc.AllowNondistributableArtifactsHostnames != nil {
+ tmp["AllowNondistributableArtifactsHostnames"] = nil
+ }
+ return json.Marshal(tmp)
}
// NetIPNet is the net.IPNet type, which can be marshalled and
diff --git a/vendor/github.com/docker/docker/api/types/system/info.go b/vendor/github.com/docker/docker/api/types/system/info.go
index 4704edfba731..8a2444da28a8 100644
--- a/vendor/github.com/docker/docker/api/types/system/info.go
+++ b/vendor/github.com/docker/docker/api/types/system/info.go
@@ -29,8 +29,8 @@ type Info struct {
CPUSet bool
PidsLimit bool
IPv4Forwarding bool
- BridgeNfIptables bool
- BridgeNfIP6tables bool `json:"BridgeNfIp6tables"`
+ BridgeNfIptables bool `json:"BridgeNfIptables"` // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
+ BridgeNfIP6tables bool `json:"BridgeNfIp6tables"` // Deprecated: netfilter module is now loaded on-demand and no longer during daemon startup, making this field obsolete. This field is always false and will be removed in the next release.
Debug bool
NFd int
OomKillDisable bool
diff --git a/vendor/github.com/docker/docker/client/ping.go b/vendor/github.com/docker/docker/client/ping.go
index bf3e9b1cd6d5..7c43268b3a0c 100644
--- a/vendor/github.com/docker/docker/client/ping.go
+++ b/vendor/github.com/docker/docker/client/ping.go
@@ -56,8 +56,8 @@ func parsePingResponse(cli *Client, resp serverResponse) (types.Ping, error) {
err := cli.checkResponseErr(resp)
return ping, errdefs.FromStatusCode(err, resp.statusCode)
}
- ping.APIVersion = resp.header.Get("API-Version")
- ping.OSType = resp.header.Get("OSType")
+ ping.APIVersion = resp.header.Get("Api-Version")
+ ping.OSType = resp.header.Get("Ostype")
if resp.header.Get("Docker-Experimental") == "true" {
ping.Experimental = true
}
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive.go b/vendor/github.com/docker/docker/pkg/archive/archive.go
index 963f865bd1db..365e8f18ed50 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive.go
@@ -1,5 +1,5 @@
// Package archive provides helper functions for dealing with archive files.
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
@@ -9,26 +9,26 @@ import (
"compress/gzip"
"context"
"encoding/binary"
+ "errors"
"fmt"
"io"
"os"
"os/exec"
"path/filepath"
"runtime"
+ "runtime/debug"
"strconv"
"strings"
+ "sync/atomic"
"syscall"
"time"
"github.com/containerd/log"
"github.com/docker/docker/pkg/idtools"
- "github.com/docker/docker/pkg/ioutils"
"github.com/docker/docker/pkg/pools"
- "github.com/docker/docker/pkg/system"
"github.com/klauspost/compress/zstd"
"github.com/moby/patternmatcher"
"github.com/moby/sys/sequential"
- "github.com/pkg/errors"
)
// ImpliedDirectoryMode represents the mode (Unix permissions) applied to directories that are implied by files in a
@@ -215,11 +215,22 @@ func gzDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {
return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)
}
-func wrapReadCloser(readBuf io.ReadCloser, cancel context.CancelFunc) io.ReadCloser {
- return ioutils.NewReadCloserWrapper(readBuf, func() error {
- cancel()
- return readBuf.Close()
- })
+type readCloserWrapper struct {
+ io.Reader
+ closer func() error
+ closed atomic.Bool
+}
+
+func (r *readCloserWrapper) Close() error {
+ if !r.closed.CompareAndSwap(false, true) {
+ log.G(context.TODO()).Error("subsequent attempt to close readCloserWrapper")
+ if log.GetLevel() >= log.DebugLevel {
+ log.G(context.TODO()).Errorf("stack trace: %s", string(debug.Stack()))
+ }
+
+ return nil
+ }
+ return r.closer()
}
// DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.
@@ -237,11 +248,26 @@ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
return nil, err
}
+ wrapReader := func(r io.Reader, cancel context.CancelFunc) io.ReadCloser {
+ return &readCloserWrapper{
+ Reader: r,
+ closer: func() error {
+ if cancel != nil {
+ cancel()
+ }
+ if readCloser, ok := r.(io.ReadCloser); ok {
+ readCloser.Close()
+ }
+ p.Put(buf)
+ return nil
+ },
+ }
+ }
+
compression := DetectCompression(bs)
switch compression {
case Uncompressed:
- readBufWrapper := p.NewReadCloserWrapper(buf, buf)
- return readBufWrapper, nil
+ return wrapReader(buf, nil), nil
case Gzip:
ctx, cancel := context.WithCancel(context.Background())
@@ -250,12 +276,10 @@ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
cancel()
return nil, err
}
- readBufWrapper := p.NewReadCloserWrapper(buf, gzReader)
- return wrapReadCloser(readBufWrapper, cancel), nil
+ return wrapReader(gzReader, cancel), nil
case Bzip2:
bz2Reader := bzip2.NewReader(buf)
- readBufWrapper := p.NewReadCloserWrapper(buf, bz2Reader)
- return readBufWrapper, nil
+ return wrapReader(bz2Reader, nil), nil
case Xz:
ctx, cancel := context.WithCancel(context.Background())
@@ -264,15 +288,13 @@ func DecompressStream(archive io.Reader) (io.ReadCloser, error) {
cancel()
return nil, err
}
- readBufWrapper := p.NewReadCloserWrapper(buf, xzReader)
- return wrapReadCloser(readBufWrapper, cancel), nil
+ return wrapReader(xzReader, cancel), nil
case Zstd:
zstdReader, err := zstd.NewReader(buf)
if err != nil {
return nil, err
}
- readBufWrapper := p.NewReadCloserWrapper(buf, zstdReader)
- return readBufWrapper, nil
+ return wrapReader(zstdReader, nil), nil
default:
return nil, fmt.Errorf("Unsupported compression format %s", (&compression).Extension())
}
@@ -484,7 +506,7 @@ func ReadSecurityXattrToTarHeader(path string, hdr *tar.Header) error {
vfsCapRevision2 = 2
vfsCapRevision3 = 3
)
- capability, _ := system.Lgetxattr(path, "security.capability")
+ capability, _ := lgetxattr(path, "security.capability")
if capability != nil {
if capability[versionOffset] == vfsCapRevision3 {
// Convert VFS_CAP_REVISION_3 to VFS_CAP_REVISION_2 as root UID makes no
@@ -762,11 +784,11 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
chownOpts = &idtools.Identity{UID: hdr.Uid, GID: hdr.Gid}
}
if err := os.Lchown(path, chownOpts.UID, chownOpts.GID); err != nil {
- msg := "failed to Lchown %q for UID %d, GID %d"
+ var msg string
if inUserns && errors.Is(err, syscall.EINVAL) {
- msg += " (try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid)"
+ msg = " (try increasing the number of subordinate IDs in /etc/subuid and /etc/subgid)"
}
- return errors.Wrapf(err, msg, path, hdr.Uid, hdr.Gid)
+ return fmt.Errorf("failed to Lchown %q for UID %d, GID %d%s: %w", path, hdr.Uid, hdr.Gid, msg, err)
}
}
@@ -776,7 +798,7 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
if !ok {
continue
}
- if err := system.Lsetxattr(path, xattr, []byte(value), 0); err != nil {
+ if err := lsetxattr(path, xattr, []byte(value), 0); err != nil {
if bestEffortXattrs && errors.Is(err, syscall.ENOTSUP) || errors.Is(err, syscall.EPERM) {
// EPERM occurs if modifying xattrs is not allowed. This can
// happen when running in userns with restrictions (ChromeOS).
@@ -799,26 +821,22 @@ func createTarFile(path, extractDir string, hdr *tar.Header, reader io.Reader, o
return err
}
- aTime := hdr.AccessTime
- if aTime.Before(hdr.ModTime) {
- // Last access time should never be before last modified time.
- aTime = hdr.ModTime
- }
+ aTime := boundTime(latestTime(hdr.AccessTime, hdr.ModTime))
+ mTime := boundTime(hdr.ModTime)
- // system.Chtimes doesn't support a NOFOLLOW flag atm
+ // chtimes doesn't support a NOFOLLOW flag atm
if hdr.Typeflag == tar.TypeLink {
if fi, err := os.Lstat(hdr.Linkname); err == nil && (fi.Mode()&os.ModeSymlink == 0) {
- if err := system.Chtimes(path, aTime, hdr.ModTime); err != nil {
+ if err := chtimes(path, aTime, mTime); err != nil {
return err
}
}
} else if hdr.Typeflag != tar.TypeSymlink {
- if err := system.Chtimes(path, aTime, hdr.ModTime); err != nil {
+ if err := chtimes(path, aTime, mTime); err != nil {
return err
}
} else {
- ts := []syscall.Timespec{timeToTimespec(aTime), timeToTimespec(hdr.ModTime)}
- if err := system.LUtimesNano(path, ts); err != nil && err != system.ErrNotSupportedPlatform {
+ if err := lchtimes(path, aTime, mTime); err != nil {
return err
}
}
@@ -1178,7 +1196,7 @@ loop:
// #nosec G305 -- The header was checked for path traversal before it was appended to the dirs slice.
path := filepath.Join(dest, hdr.Name)
- if err := system.Chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
+ if err := chtimes(path, boundTime(latestTime(hdr.AccessTime, hdr.ModTime)), boundTime(hdr.ModTime)); err != nil {
return err
}
}
@@ -1327,7 +1345,7 @@ func (archiver *Archiver) CopyFileWithTar(src, dst string) (err error) {
dst = filepath.Join(dst, filepath.Base(src))
}
// Create the holding directory if necessary
- if err := system.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
+ if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
return err
}
@@ -1424,11 +1442,14 @@ func cmdStream(cmd *exec.Cmd, input io.Reader) (io.ReadCloser, error) {
close(done)
}()
- return ioutils.NewReadCloserWrapper(pipeR, func() error {
- // Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
- // cmd.Wait waits for any non-file stdout/stderr/stdin to close.
- err := pipeR.Close()
- <-done
- return err
- }), nil
+ return &readCloserWrapper{
+ Reader: pipeR,
+ closer: func() error {
+ // Close pipeR, and then wait for the command to complete before returning. We have to close pipeR first, as
+ // cmd.Wait waits for any non-file stdout/stderr/stdin to close.
+ err := pipeR.Close()
+ <-done
+ return err
+ },
+ }, nil
}
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
index b9d2a538ab01..631d2e3c5b72 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
@@ -1,14 +1,13 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
+ "fmt"
"os"
"path/filepath"
"strings"
- "github.com/docker/docker/pkg/system"
"github.com/moby/sys/userns"
- "github.com/pkg/errors"
"golang.org/x/sys/unix"
)
@@ -39,7 +38,7 @@ func (overlayWhiteoutConverter) ConvertWrite(hdr *tar.Header, path string, fi os
}
// convert opaque dirs to AUFS format by writing an empty file with the prefix
- opaque, err := system.Lgetxattr(path, opaqueXattrName)
+ opaque, err := lgetxattr(path, opaqueXattrName)
if err != nil {
return nil, err
}
@@ -79,7 +78,7 @@ func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (boo
err := unix.Setxattr(dir, opaqueXattrName, []byte{'y'}, 0)
if err != nil {
- return false, errors.Wrapf(err, "setxattr(%q, %s=y)", dir, opaqueXattrName)
+ return false, fmt.Errorf("setxattr('%s', %s=y): %w", dir, opaqueXattrName, err)
}
// don't write the file itself
return false, err
@@ -91,7 +90,7 @@ func (c overlayWhiteoutConverter) ConvertRead(hdr *tar.Header, path string) (boo
originalPath := filepath.Join(dir, originalBase)
if err := unix.Mknod(originalPath, unix.S_IFCHR, 0); err != nil {
- return false, errors.Wrapf(err, "failed to mknod(%q, S_IFCHR, 0)", originalPath)
+ return false, fmt.Errorf("failed to mknod('%s', S_IFCHR, 0): %w", originalPath, err)
}
if err := os.Chown(originalPath, hdr.Uid, hdr.Gid); err != nil {
return false, err
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_other.go b/vendor/github.com/docker/docker/pkg/archive/archive_other.go
index 7dee1f7a4615..6495549f60e8 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_other.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_other.go
@@ -1,6 +1,6 @@
//go:build !linux
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
func getWhiteoutConverter(format WhiteoutFormat) tarWhiteoutConverter {
return nil
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_unix.go b/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
index f559a30565f3..9c70d1789f12 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_unix.go
@@ -1,6 +1,6 @@
//go:build !windows
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
@@ -12,7 +12,6 @@ import (
"syscall"
"github.com/docker/docker/pkg/idtools"
- "github.com/docker/docker/pkg/system"
"golang.org/x/sys/unix"
)
@@ -109,7 +108,7 @@ func handleTarTypeBlockCharFifo(hdr *tar.Header, path string) error {
mode |= unix.S_IFIFO
}
- return system.Mknod(path, mode, int(system.Mkdev(hdr.Devmajor, hdr.Devminor)))
+ return mknod(path, mode, unix.Mkdev(uint32(hdr.Devmajor), uint32(hdr.Devminor)))
}
func handleLChmod(hdr *tar.Header, path string, hdrInfo os.FileInfo) error {
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_windows.go b/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
index e25c64b415cf..031608162f9f 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_windows.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes.go b/vendor/github.com/docker/docker/pkg/archive/changes.go
index 5f12ca4016a1..423605fbb784 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
@@ -6,17 +6,16 @@ import (
"context"
"fmt"
"io"
+ "io/fs"
"os"
"path/filepath"
"sort"
"strings"
- "syscall"
"time"
"github.com/containerd/log"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/pools"
- "github.com/docker/docker/pkg/system"
)
// ChangeType represents the change type.
@@ -74,11 +73,6 @@ func sameFsTime(a, b time.Time) bool {
(a.Nanosecond() == 0 || b.Nanosecond() == 0))
}
-func sameFsTimeSpec(a, b syscall.Timespec) bool {
- return a.Sec == b.Sec &&
- (a.Nsec == b.Nsec || a.Nsec == 0 || b.Nsec == 0)
-}
-
// Changes walks the path rw and determines changes for the files in the path,
// with respect to the parent layers
func Changes(layers []string, rw string) ([]Change, error) {
@@ -210,7 +204,7 @@ func changes(layers []string, rw string, dc deleteChange, sc skipChange) ([]Chan
type FileInfo struct {
parent *FileInfo
name string
- stat *system.StatT
+ stat fs.FileInfo
children map[string]*FileInfo
capability []byte
added bool
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_linux.go b/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
index 877ec785589c..6bb358486a63 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_linux.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"bytes"
@@ -9,7 +9,6 @@ import (
"syscall"
"unsafe"
- "github.com/docker/docker/pkg/system"
"golang.org/x/sys/unix"
)
@@ -74,12 +73,8 @@ func walkchunk(path string, fi os.FileInfo, dir string, root *FileInfo) error {
parent: parent,
}
cpath := filepath.Join(dir, path)
- stat, err := system.FromStatT(fi.Sys().(*syscall.Stat_t))
- if err != nil {
- return err
- }
- info.stat = stat
- info.capability, _ = system.Lgetxattr(cpath, "security.capability") // lgetxattr(2): fs access
+ info.stat = fi
+ info.capability, _ = lgetxattr(cpath, "security.capability") // lgetxattr(2): fs access
parent.children[info.name] = info
return nil
}
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_other.go b/vendor/github.com/docker/docker/pkg/archive/changes_other.go
index 28f741a25ddb..a8a3a5a6faa8 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_other.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_other.go
@@ -1,6 +1,6 @@
//go:build !linux
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"fmt"
@@ -8,8 +8,6 @@ import (
"path/filepath"
"runtime"
"strings"
-
- "github.com/docker/docker/pkg/system"
)
func collectFileInfoForChanges(oldDir, newDir string) (*FileInfo, *FileInfo, error) {
@@ -72,7 +70,7 @@ func collectFileInfo(sourceDir string) (*FileInfo, error) {
return fmt.Errorf("collectFileInfo: Unexpectedly no parent for %s", relPath)
}
- s, err := system.Lstat(path)
+ s, err := os.Lstat(path)
if err != nil {
return err
}
@@ -84,11 +82,7 @@ func collectFileInfo(sourceDir string) (*FileInfo, error) {
stat: s,
}
- // system.Lgetxattr is only implemented on Linux and produces an error
- // on other platforms. This code is intentionally left commented-out
- // as a reminder to include this code if this would ever be implemented
- // on other platforms.
- // info.capability, _ = system.Lgetxattr(path, "security.capability")
+ info.capability, _ = lgetxattr(path, "security.capability")
parent.children[info.name] = info
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_unix.go b/vendor/github.com/docker/docker/pkg/archive/changes_unix.go
index 853c73ee8c03..4dd98bd2935f 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_unix.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_unix.go
@@ -1,21 +1,21 @@
//go:build !windows
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
+ "io/fs"
"os"
"syscall"
-
- "github.com/docker/docker/pkg/system"
- "golang.org/x/sys/unix"
)
-func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
+func statDifferent(oldStat fs.FileInfo, newStat fs.FileInfo) bool {
+ oldSys := oldStat.Sys().(*syscall.Stat_t)
+ newSys := newStat.Sys().(*syscall.Stat_t)
// Don't look at size for dirs, its not a good measure of change
if oldStat.Mode() != newStat.Mode() ||
- oldStat.UID() != newStat.UID() ||
- oldStat.GID() != newStat.GID() ||
- oldStat.Rdev() != newStat.Rdev() ||
+ oldSys.Uid != newSys.Uid ||
+ oldSys.Gid != newSys.Gid ||
+ oldSys.Rdev != newSys.Rdev ||
// Don't look at size or modification time for dirs, its not a good
// measure of change. See https://github.com/moby/moby/issues/9874
// for a description of the issue with modification time, and
@@ -23,15 +23,15 @@ func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
// (Note that in the Windows implementation of this function,
// modification time IS taken as a change). See
// https://github.com/moby/moby/pull/37982 for more information.
- (oldStat.Mode()&unix.S_IFDIR != unix.S_IFDIR &&
- (!sameFsTimeSpec(oldStat.Mtim(), newStat.Mtim()) || (oldStat.Size() != newStat.Size()))) {
+ (!oldStat.Mode().IsDir() &&
+ (!sameFsTime(oldStat.ModTime(), newStat.ModTime()) || (oldStat.Size() != newStat.Size()))) {
return true
}
return false
}
func (info *FileInfo) isDir() bool {
- return info.parent == nil || info.stat.Mode()&unix.S_IFDIR != 0
+ return info.parent == nil || info.stat.Mode().IsDir()
}
func getIno(fi os.FileInfo) uint64 {
diff --git a/vendor/github.com/docker/docker/pkg/archive/changes_windows.go b/vendor/github.com/docker/docker/pkg/archive/changes_windows.go
index 9906685e4b0e..c89605c78fed 100644
--- a/vendor/github.com/docker/docker/pkg/archive/changes_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/changes_windows.go
@@ -1,19 +1,18 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
+ "io/fs"
"os"
-
- "github.com/docker/docker/pkg/system"
)
-func statDifferent(oldStat *system.StatT, newStat *system.StatT) bool {
+func statDifferent(oldStat fs.FileInfo, newStat fs.FileInfo) bool {
// Note there is slight difference between the Linux and Windows
// implementations here. Due to https://github.com/moby/moby/issues/9874,
// and the fix at https://github.com/moby/moby/pull/11422, Linux does not
// consider a change to the directory time as a change. Windows on NTFS
// does. See https://github.com/moby/moby/pull/37982 for more information.
- if !sameFsTime(oldStat.Mtim(), newStat.Mtim()) ||
+ if !sameFsTime(oldStat.ModTime(), newStat.ModTime()) ||
oldStat.Mode() != newStat.Mode() ||
oldStat.Size() != newStat.Size() && !oldStat.Mode().IsDir() {
return true
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy.go b/vendor/github.com/docker/docker/pkg/archive/copy.go
index 01eadc30d99a..ee4020c2a225 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy.go
+++ b/vendor/github.com/docker/docker/pkg/archive/copy.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
@@ -10,7 +10,6 @@ import (
"strings"
"github.com/containerd/log"
- "github.com/docker/docker/pkg/system"
)
// Errors used or returned by this file.
@@ -203,7 +202,7 @@ func CopyInfoDestinationPath(path string) (info CopyInfo, err error) {
return CopyInfo{}, err
}
- if !system.IsAbs(linkTarget) {
+ if !filepath.IsAbs(linkTarget) {
// Join with the parent directory.
dstParent, _ := SplitPathDirEntry(path)
linkTarget = filepath.Join(dstParent, linkTarget)
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_unix.go b/vendor/github.com/docker/docker/pkg/archive/copy_unix.go
index 065bd4addaea..f579282449af 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy_unix.go
+++ b/vendor/github.com/docker/docker/pkg/archive/copy_unix.go
@@ -1,6 +1,6 @@
//go:build !windows
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"path/filepath"
diff --git a/vendor/github.com/docker/docker/pkg/archive/copy_windows.go b/vendor/github.com/docker/docker/pkg/archive/copy_windows.go
index a878d1bac426..2b775b45c4f1 100644
--- a/vendor/github.com/docker/docker/pkg/archive/copy_windows.go
+++ b/vendor/github.com/docker/docker/pkg/archive/copy_windows.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"path/filepath"
diff --git a/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go b/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go
new file mode 100644
index 000000000000..aa8e29154a2d
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/dev_freebsd.go
@@ -0,0 +1,7 @@
+//go:build freebsd
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+var mknod = unix.Mknod
diff --git a/vendor/github.com/docker/docker/pkg/archive/dev_unix.go b/vendor/github.com/docker/docker/pkg/archive/dev_unix.go
new file mode 100644
index 000000000000..dffc596f93f7
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/dev_unix.go
@@ -0,0 +1,9 @@
+//go:build !windows && !freebsd
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+func mknod(path string, mode uint32, dev uint64) error {
+ return unix.Mknod(path, mode, int(dev))
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/diff.go b/vendor/github.com/docker/docker/pkg/archive/diff.go
index e080e310ac8b..6a05643ab6e1 100644
--- a/vendor/github.com/docker/docker/pkg/archive/diff.go
+++ b/vendor/github.com/docker/docker/pkg/archive/diff.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
@@ -12,7 +12,6 @@ import (
"github.com/containerd/log"
"github.com/docker/docker/pkg/pools"
- "github.com/docker/docker/pkg/system"
)
// UnpackLayer unpack `layer` to a `dest`. The stream `layer` can be
@@ -200,7 +199,7 @@ func UnpackLayer(dest string, layer io.Reader, options *TarOptions) (size int64,
for _, hdr := range dirs {
// #nosec G305 -- The header was checked for path traversal before it was appended to the dirs slice.
path := filepath.Join(dest, hdr.Name)
- if err := system.Chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
+ if err := chtimes(path, hdr.AccessTime, hdr.ModTime); err != nil {
return 0, err
}
}
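Review bot: The directory timestamps passed to `chtimes` here come straight from the tar headers, and the package-local `chtimes` added in time_nonwindows.go is a bare `os.Chtimes` wrapper, even though its doc comment promises a fall-back to the Unix epoch for out-of-range times. If the replaced `system.Chtimes` did that clamping (its body is not part of this diff), the swap drops it for layer-supplied values. The new time.go already provides `boundTime`, so the call could be `chtimes(path, boundTime(hdr.AccessTime), boundTime(hdr.ModTime))`; this also maps a zero access time to the epoch, so confirm that is wanted. UnpackLayer starts and ends outside this hunk, and as vendored code the change belongs upstream.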
diff --git a/vendor/github.com/docker/docker/pkg/archive/time.go b/vendor/github.com/docker/docker/pkg/archive/time.go
new file mode 100644
index 000000000000..4e9ae9508432
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/time.go
@@ -0,0 +1,38 @@
+package archive
+
+import (
+ "syscall"
+ "time"
+ "unsafe"
+)
+
+var (
+ minTime = time.Unix(0, 0)
+ maxTime time.Time
+)
+
+func init() {
+ if unsafe.Sizeof(syscall.Timespec{}.Nsec) == 8 {
+ // This is a 64 bit timespec
+ // os.Chtimes limits time to the following
+ maxTime = time.Unix(0, 1<<63-1)
+ } else {
+ // This is a 32 bit timespec
+ maxTime = time.Unix(1<<31-1, 0)
+ }
+}
+
+func boundTime(t time.Time) time.Time {
+ if t.Before(minTime) || t.After(maxTime) {
+ return minTime
+ }
+
+ return t
+}
+
+func latestTime(t1, t2 time.Time) time.Time {
+ if t1.Before(t2) {
+ return t2
+ }
+ return t1
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_linux.go b/vendor/github.com/docker/docker/pkg/archive/time_linux.go
deleted file mode 100644
index 797143ee84d8..000000000000
--- a/vendor/github.com/docker/docker/pkg/archive/time_linux.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package archive // import "github.com/docker/docker/pkg/archive"
-
-import (
- "syscall"
- "time"
-)
-
-func timeToTimespec(time time.Time) (ts syscall.Timespec) {
- if time.IsZero() {
- // Return UTIME_OMIT special value
- ts.Sec = 0
- ts.Nsec = (1 << 30) - 2
- return
- }
- return syscall.NsecToTimespec(time.UnixNano())
-}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go b/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go
new file mode 100644
index 000000000000..8ce83bd0b50e
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/time_nonwindows.go
@@ -0,0 +1,40 @@
+//go:build !windows
+
+package archive
+
+import (
+ "os"
+ "time"
+
+ "golang.org/x/sys/unix"
+)
+
+// chtimes changes the access time and modified time of a file at the given path.
+// If the modified time is prior to the Unix Epoch (unixMinTime), or after the
+// end of Unix Time (unixEpochTime), os.Chtimes has undefined behavior. In this
+// case, Chtimes defaults to Unix Epoch, just in case.
+func chtimes(name string, atime time.Time, mtime time.Time) error {
+ return os.Chtimes(name, atime, mtime)
+}
+
+func timeToTimespec(time time.Time) (ts unix.Timespec) {
+ if time.IsZero() {
+ // Return UTIME_OMIT special value
+ ts.Sec = 0
+ ts.Nsec = (1 << 30) - 2
+ return
+ }
+ return unix.NsecToTimespec(time.UnixNano())
+}
+
+func lchtimes(name string, atime time.Time, mtime time.Time) error {
+ utimes := [2]unix.Timespec{
+ timeToTimespec(atime),
+ timeToTimespec(mtime),
+ }
+ err := unix.UtimesNanoAt(unix.AT_FDCWD, name, utimes[0:], unix.AT_SYMLINK_NOFOLLOW)
+ if err != nil && err != unix.ENOSYS {
+ return err
+ }
+ return err
+}
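Review bot: In `lchtimes` the `if err != nil && err != unix.ENOSYS` guard has no effect, because both the branch and the fall-through return `err`, so ENOSYS reaches the caller like any other failure. If the intent is to tolerate systems where the call is not implemented, the final statement should be `return nil`; if not, the guard can go and the function can return the `unix.UtimesNanoAt` result directly. The doc comment on `chtimes` in the same file names `unixMinTime` and `unixEpochTime`, which time.go calls `minTime` and `maxTime`, and it describes clamping that the body does not perform.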
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_unsupported.go b/vendor/github.com/docker/docker/pkg/archive/time_unsupported.go
deleted file mode 100644
index 14c4ceb1d8b4..000000000000
--- a/vendor/github.com/docker/docker/pkg/archive/time_unsupported.go
+++ /dev/null
@@ -1,16 +0,0 @@
-//go:build !linux
-
-package archive // import "github.com/docker/docker/pkg/archive"
-
-import (
- "syscall"
- "time"
-)
-
-func timeToTimespec(time time.Time) (ts syscall.Timespec) {
- nsec := int64(0)
- if !time.IsZero() {
- nsec = time.UnixNano()
- }
- return syscall.NsecToTimespec(nsec)
-}
diff --git a/vendor/github.com/docker/docker/pkg/archive/time_windows.go b/vendor/github.com/docker/docker/pkg/archive/time_windows.go
new file mode 100644
index 000000000000..af1f7c8f3a07
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/time_windows.go
@@ -0,0 +1,32 @@
+package archive
+
+import (
+ "os"
+ "time"
+
+ "golang.org/x/sys/windows"
+)
+
+func chtimes(name string, atime time.Time, mtime time.Time) error {
+ if err := os.Chtimes(name, atime, mtime); err != nil {
+ return err
+ }
+
+ pathp, err := windows.UTF16PtrFromString(name)
+ if err != nil {
+ return err
+ }
+ h, err := windows.CreateFile(pathp,
+ windows.FILE_WRITE_ATTRIBUTES, windows.FILE_SHARE_WRITE, nil,
+ windows.OPEN_EXISTING, windows.FILE_FLAG_BACKUP_SEMANTICS, 0)
+ if err != nil {
+ return err
+ }
+ defer windows.Close(h)
+ c := windows.NsecToFiletime(mtime.UnixNano())
+ return windows.SetFileTime(h, &c, nil, nil)
+}
+
+func lchtimes(name string, atime time.Time, mtime time.Time) error {
+ return nil
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/whiteouts.go b/vendor/github.com/docker/docker/pkg/archive/whiteouts.go
index 4c072a87ee53..d20478a10dc1 100644
--- a/vendor/github.com/docker/docker/pkg/archive/whiteouts.go
+++ b/vendor/github.com/docker/docker/pkg/archive/whiteouts.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
// Whiteouts are files with a special meaning for the layered filesystem.
// Docker uses AUFS whiteout files inside exported archives. In other
diff --git a/vendor/github.com/docker/docker/pkg/archive/wrap.go b/vendor/github.com/docker/docker/pkg/archive/wrap.go
index 032db82cea82..903befd76301 100644
--- a/vendor/github.com/docker/docker/pkg/archive/wrap.go
+++ b/vendor/github.com/docker/docker/pkg/archive/wrap.go
@@ -1,4 +1,4 @@
-package archive // import "github.com/docker/docker/pkg/archive"
+package archive
import (
"archive/tar"
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go b/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go
new file mode 100644
index 000000000000..652a1f0f349d
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_supported.go
@@ -0,0 +1,52 @@
+//go:build linux || darwin || freebsd || netbsd
+
+package archive
+
+import (
+ "errors"
+ "fmt"
+ "io/fs"
+
+ "golang.org/x/sys/unix"
+)
+
+// lgetxattr retrieves the value of the extended attribute identified by attr
+// and associated with the given path in the file system.
+// It returns a nil slice and nil error if the xattr is not set.
+func lgetxattr(path string, attr string) ([]byte, error) {
+ // Start with a 128 length byte array
+ dest := make([]byte, 128)
+ sz, err := unix.Lgetxattr(path, attr, dest)
+
+ for errors.Is(err, unix.ERANGE) {
+ // Buffer too small, use zero-sized buffer to get the actual size
+ sz, err = unix.Lgetxattr(path, attr, []byte{})
+ if err != nil {
+ return nil, wrapPathError("lgetxattr", path, attr, err)
+ }
+ dest = make([]byte, sz)
+ sz, err = unix.Lgetxattr(path, attr, dest)
+ }
+
+ if err != nil {
+ if errors.Is(err, noattr) {
+ return nil, nil
+ }
+ return nil, wrapPathError("lgetxattr", path, attr, err)
+ }
+
+ return dest[:sz], nil
+}
+
+// lsetxattr sets the value of the extended attribute identified by attr
+// and associated with the given path in the file system.
+func lsetxattr(path string, attr string, data []byte, flags int) error {
+ return wrapPathError("lsetxattr", path, attr, unix.Lsetxattr(path, attr, data, flags))
+}
+
+func wrapPathError(op, path, attr string, err error) error {
+ if err == nil {
+ return nil
+ }
+ return &fs.PathError{Op: op, Path: path, Err: fmt.Errorf("xattr %q: %w", attr, err)}
+}
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go
new file mode 100644
index 000000000000..f2e76465ae56
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_linux.go
@@ -0,0 +1,5 @@
+package archive
+
+import "golang.org/x/sys/unix"
+
+var noattr = unix.ENODATA
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go
new file mode 100644
index 000000000000..4d8824158ea9
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_supported_unix.go
@@ -0,0 +1,7 @@
+//go:build !linux && !windows
+
+package archive
+
+import "golang.org/x/sys/unix"
+
+var noattr = unix.ENOATTR
diff --git a/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go b/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go
new file mode 100644
index 000000000000..b0d9165cd94f
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/archive/xattr_unsupported.go
@@ -0,0 +1,11 @@
+//go:build !linux && !darwin && !freebsd && !netbsd
+
+package archive
+
+func lgetxattr(path string, attr string) ([]byte, error) {
+ return nil, nil
+}
+
+func lsetxattr(path string, attr string, data []byte, flags int) error {
+ return nil
+}
diff --git a/vendor/github.com/docker/docker/pkg/chrootarchive/archive_unix_nolinux.go b/vendor/github.com/docker/docker/pkg/chrootarchive/archive_unix_nolinux.go
index 13e557b12830..8689573d9406 100644
--- a/vendor/github.com/docker/docker/pkg/chrootarchive/archive_unix_nolinux.go
+++ b/vendor/github.com/docker/docker/pkg/chrootarchive/archive_unix_nolinux.go
@@ -11,7 +11,7 @@ import (
"syscall"
"github.com/docker/docker/pkg/archive"
- "github.com/docker/docker/pkg/reexec"
+ "github.com/moby/sys/reexec"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
diff --git a/vendor/github.com/docker/docker/pkg/idtools/const_windows.go b/vendor/github.com/docker/docker/pkg/idtools/const_windows.go
deleted file mode 100644
index 0120bdf8e661..000000000000
--- a/vendor/github.com/docker/docker/pkg/idtools/const_windows.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package idtools
-
-const (
- // Deprecated: copy value locally
- SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
-)
-
-const (
- // Deprecated: copy value locally
- ContainerAdministratorSidString = "S-1-5-93-2-1"
-
- // Deprecated: copy value locally
- ContainerUserSidString = "S-1-5-93-2-2"
-)
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools.go b/vendor/github.com/docker/docker/pkg/idtools/idtools.go
index d2fbd943a656..82b325a2b72b 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools.go
@@ -1,8 +1,11 @@
-package idtools
+package idtools // import "github.com/docker/docker/pkg/idtools"
import (
+ "bufio"
"fmt"
"os"
+ "strconv"
+ "strings"
)
// IDMap contains a single entry for user namespace range remapping. An array
@@ -14,6 +17,22 @@ type IDMap struct {
Size int `json:"size"`
}
+type subIDRange struct {
+ Start int
+ Length int
+}
+
+type subIDRanges []subIDRange
+
+func (e subIDRanges) Len() int { return len(e) }
+func (e subIDRanges) Swap(i, j int) { e[i], e[j] = e[j], e[i] }
+func (e subIDRanges) Less(i, j int) bool { return e[i].Start < e[j].Start }
+
+const (
+ subuidFileName = "/etc/subuid"
+ subgidFileName = "/etc/subgid"
+)
+
// MkdirAllAndChown creates a directory (include any along the path) and then modifies
// ownership to the requested uid/gid. If the directory already exists, this
// function will still change ownership and permissions.
@@ -143,6 +162,67 @@ func (i IdentityMapping) Empty() bool {
return len(i.UIDMaps) == 0 && len(i.GIDMaps) == 0
}
+func createIDMap(subidRanges subIDRanges) []IDMap {
+ idMap := []IDMap{}
+
+ containerID := 0
+ for _, idrange := range subidRanges {
+ idMap = append(idMap, IDMap{
+ ContainerID: containerID,
+ HostID: idrange.Start,
+ Size: idrange.Length,
+ })
+ containerID = containerID + idrange.Length
+ }
+ return idMap
+}
+
+func parseSubuid(username string) (subIDRanges, error) {
+ return parseSubidFile(subuidFileName, username)
+}
+
+func parseSubgid(username string) (subIDRanges, error) {
+ return parseSubidFile(subgidFileName, username)
+}
+
+// parseSubidFile will read the appropriate file (/etc/subuid or /etc/subgid)
+// and return all found subIDRanges for a specified username. If the special value
+// "ALL" is supplied for username, then all subIDRanges in the file will be returned
+func parseSubidFile(path, username string) (subIDRanges, error) {
+ var rangeList subIDRanges
+
+ subidFile, err := os.Open(path)
+ if err != nil {
+ return rangeList, err
+ }
+ defer subidFile.Close()
+
+ s := bufio.NewScanner(subidFile)
+ for s.Scan() {
+ text := strings.TrimSpace(s.Text())
+ if text == "" || strings.HasPrefix(text, "#") {
+ continue
+ }
+ parts := strings.Split(text, ":")
+ if len(parts) != 3 {
+ return rangeList, fmt.Errorf("Cannot parse subuid/gid information: Format not correct for %s file", path)
+ }
+ if parts[0] == username || username == "ALL" {
+ startid, err := strconv.Atoi(parts[1])
+ if err != nil {
+ return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
+ }
+ length, err := strconv.Atoi(parts[2])
+ if err != nil {
+ return rangeList, fmt.Errorf("String to int conversion failed during subuid/gid parsing of %s: %v", path, err)
+ }
+ rangeList = append(rangeList, subIDRange{startid, length})
+ }
+ }
+
+ return rangeList, s.Err()
+}
+
// CurrentIdentity returns the identity of the current process
func CurrentIdentity() Identity {
return Identity{UID: os.Getuid(), GID: os.Getegid()}
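Review bot: `parseSubidFile` appends whatever `strconv.Atoi` returns for the start and length fields, so a negative start or a zero or negative length in the subuid/subgid file becomes a range, and `createIDMap` then adds that length into the running `ContainerID`. A range check after the two conversions would stop such entries before they turn into ID mappings: `if startid < 0 || length <= 0 { return rangeList, fmt.Errorf("invalid subordinate ID range %q in %s", text, path) }`. These files are normally root-owned, so this is robustness against a malformed entry rather than a trust boundary.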
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go b/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
index 0f8c1dc86c0e..cd621bdcc2ae 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go
@@ -1,11 +1,18 @@
//go:build !windows
-package idtools
+package idtools // import "github.com/docker/docker/pkg/idtools"
import (
+ "bytes"
+ "fmt"
+ "io"
"os"
+ "os/exec"
"path/filepath"
+ "strconv"
"syscall"
+
+ "github.com/moby/sys/user"
)
func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
@@ -65,6 +72,129 @@ func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting
return nil
}
+// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupUser(name string) (user.User, error) {
+ // first try a local system files lookup using existing capabilities
+ usr, err := user.LookupUser(name)
+ if err == nil {
+ return usr, nil
+ }
+ // local files lookup failed; attempt to call `getent` to query configured passwd dbs
+ usr, err = getentUser(name)
+ if err != nil {
+ return user.User{}, err
+ }
+ return usr, nil
+}
+
+// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupUID(uid int) (user.User, error) {
+ // first try a local system files lookup using existing capabilities
+ usr, err := user.LookupUid(uid)
+ if err == nil {
+ return usr, nil
+ }
+ // local files lookup failed; attempt to call `getent` to query configured passwd dbs
+ return getentUser(strconv.Itoa(uid))
+}
+
+func getentUser(name string) (user.User, error) {
+ reader, err := callGetent("passwd", name)
+ if err != nil {
+ return user.User{}, err
+ }
+ users, err := user.ParsePasswd(reader)
+ if err != nil {
+ return user.User{}, err
+ }
+ if len(users) == 0 {
+ return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", name)
+ }
+ return users[0], nil
+}
+
+// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupGroup(name string) (user.Group, error) {
+ // first try a local system files lookup using existing capabilities
+ group, err := user.LookupGroup(name)
+ if err == nil {
+ return group, nil
+ }
+ // local files lookup failed; attempt to call `getent` to query configured group dbs
+ return getentGroup(name)
+}
+
+// LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID,
+// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
+func LookupGID(gid int) (user.Group, error) {
+ // first try a local system files lookup using existing capabilities
+ group, err := user.LookupGid(gid)
+ if err == nil {
+ return group, nil
+ }
+ // local files lookup failed; attempt to call `getent` to query configured group dbs
+ return getentGroup(strconv.Itoa(gid))
+}
+
+func getentGroup(name string) (user.Group, error) {
+ reader, err := callGetent("group", name)
+ if err != nil {
+ return user.Group{}, err
+ }
+ groups, err := user.ParseGroup(reader)
+ if err != nil {
+ return user.Group{}, err
+ }
+ if len(groups) == 0 {
+ return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", name)
+ }
+ return groups[0], nil
+}
+
+func callGetent(database, key string) (io.Reader, error) {
+ getentCmd, err := resolveBinary("getent")
+ // if no `getent` command within the execution environment, can't do anything else
+ if err != nil {
+ return nil, fmt.Errorf("unable to find getent command: %w", err)
+ }
+ command := exec.Command(getentCmd, database, key)
+ // we run getent within container filesystem, but without /dev so /dev/null is not available for exec to mock stdin
+ command.Stdin = io.NopCloser(bytes.NewReader(nil))
+ out, err := command.CombinedOutput()
+ if err != nil {
+ exitCode, errC := getExitCode(err)
+ if errC != nil {
+ return nil, err
+ }
+ switch exitCode {
+ case 1:
+ return nil, fmt.Errorf("getent reported invalid parameters/database unknown")
+ case 2:
+ return nil, fmt.Errorf("getent unable to find entry %q in %s database", key, database)
+ case 3:
+ return nil, fmt.Errorf("getent database doesn't support enumeration")
+ default:
+ return nil, err
+ }
+ }
+ return bytes.NewReader(out), nil
+}
+
+// getExitCode returns the ExitStatus of the specified error if its type is
+// exec.ExitError, returns 0 and an error otherwise.
+func getExitCode(err error) (int, error) {
+ exitCode := 0
+ if exiterr, ok := err.(*exec.ExitError); ok {
+ if procExit, ok := exiterr.Sys().(syscall.WaitStatus); ok {
+ return procExit.ExitStatus(), nil
+ }
+ }
+ return exitCode, fmt.Errorf("failed to get exit code")
+}
+
// setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
// dir is on an NFS share, so don't call chown unless we absolutely must.
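Review bot: `callGetent` returns the bytes from `command.CombinedOutput()`, so anything getent writes to stderr during a successful run is mixed into the data that `getentUser` and `getentGroup` hand to `user.ParsePasswd` and `user.ParseGroup`. Switching to `out, err := command.Output()` feeds the parsers stdout only and keeps the exit-code mapping intact, because a non-zero exit is still reported as an `*exec.ExitError`. `getExitCode` could then use `errors.As` instead of a direct type assertion, so that a wrapped error is still recognised.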
@@ -88,3 +218,61 @@ func setPermissions(p string, mode os.FileMode, owner Identity, stat os.FileInfo
}
return os.Chown(p, owner.UID, owner.GID)
}
+
+// LoadIdentityMapping takes a requested username and
+// using the data from /etc/sub{uid,gid} ranges, creates the
+// proper uid and gid remapping ranges for that user/group pair
+func LoadIdentityMapping(name string) (IdentityMapping, error) {
+ usr, err := LookupUser(name)
+ if err != nil {
+ return IdentityMapping{}, fmt.Errorf("could not get user for username %s: %v", name, err)
+ }
+
+ subuidRanges, err := lookupSubUIDRanges(usr)
+ if err != nil {
+ return IdentityMapping{}, err
+ }
+ subgidRanges, err := lookupSubGIDRanges(usr)
+ if err != nil {
+ return IdentityMapping{}, err
+ }
+
+ return IdentityMapping{
+ UIDMaps: subuidRanges,
+ GIDMaps: subgidRanges,
+ }, nil
+}
+
+func lookupSubUIDRanges(usr user.User) ([]IDMap, error) {
+ rangeList, err := parseSubuid(strconv.Itoa(usr.Uid))
+ if err != nil {
+ return nil, err
+ }
+ if len(rangeList) == 0 {
+ rangeList, err = parseSubuid(usr.Name)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if len(rangeList) == 0 {
+ return nil, fmt.Errorf("no subuid ranges found for user %q", usr.Name)
+ }
+ return createIDMap(rangeList), nil
+}
+
+func lookupSubGIDRanges(usr user.User) ([]IDMap, error) {
+ rangeList, err := parseSubgid(strconv.Itoa(usr.Uid))
+ if err != nil {
+ return nil, err
+ }
+ if len(rangeList) == 0 {
+ rangeList, err = parseSubgid(usr.Name)
+ if err != nil {
+ return nil, err
+ }
+ }
+ if len(rangeList) == 0 {
+ return nil, fmt.Errorf("no subgid ranges found for user %q", usr.Name)
+ }
+ return createIDMap(rangeList), nil
+}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go b/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
index 6ef53cee19ed..32953f4563f2 100644
--- a/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
+++ b/vendor/github.com/docker/docker/pkg/idtools/idtools_windows.go
@@ -1,7 +1,18 @@
-package idtools
+package idtools // import "github.com/docker/docker/pkg/idtools"
import (
"os"
+
+ "github.com/docker/docker/pkg/system"
+)
+
+const (
+ SeTakeOwnershipPrivilege = "SeTakeOwnershipPrivilege"
+)
+
+const (
+ ContainerAdministratorSidString = "S-1-5-93-2-1"
+ ContainerUserSidString = "S-1-5-93-2-2"
)
// This is currently a wrapper around MkdirAll, however, since currently
@@ -9,5 +20,5 @@ import (
// Ownership is handled elsewhere, but in the future could be support here
// too.
func mkdirAs(path string, _ os.FileMode, _ Identity, _, _ bool) error {
- return os.MkdirAll(path, 0)
+ return system.MkdirAll(path, 0)
}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go b/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go
new file mode 100644
index 000000000000..7fd6c413d451
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_linux.go
@@ -0,0 +1,166 @@
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+ "fmt"
+ "os/exec"
+ "regexp"
+ "sort"
+ "strconv"
+ "strings"
+ "sync"
+)
+
+// add a user and/or group to Linux /etc/passwd, /etc/group using standard
+// Linux distribution commands:
+// adduser --system --shell /bin/false --disabled-login --disabled-password --no-create-home --group
+// useradd -r -s /bin/false
+
+var (
+ once sync.Once
+ userCommand string
+ idOutRegexp = regexp.MustCompile(`uid=([0-9]+).*gid=([0-9]+)`)
+)
+
+const (
+ // default length for a UID/GID subordinate range
+ defaultRangeLen = 65536
+ defaultRangeStart = 100000
+)
+
+// AddNamespaceRangesUser takes a username and uses the standard system
+// utility to create a system user/group pair used to hold the
+// /etc/sub{uid,gid} ranges which will be used for user namespace
+// mapping ranges in containers.
+func AddNamespaceRangesUser(name string) (int, int, error) {
+ if err := addUser(name); err != nil {
+ return -1, -1, fmt.Errorf("error adding user %q: %v", name, err)
+ }
+
+ // Query the system for the created uid and gid pair
+ out, err := exec.Command("id", name).CombinedOutput()
+ if err != nil {
+ return -1, -1, fmt.Errorf("error trying to find uid/gid for new user %q: %v", name, err)
+ }
+ matches := idOutRegexp.FindStringSubmatch(strings.TrimSpace(string(out)))
+ if len(matches) != 3 {
+ return -1, -1, fmt.Errorf("can't find uid, gid from `id` output: %q", string(out))
+ }
+ uid, err := strconv.Atoi(matches[1])
+ if err != nil {
+ return -1, -1, fmt.Errorf("can't convert found uid (%s) to int: %v", matches[1], err)
+ }
+ gid, err := strconv.Atoi(matches[2])
+ if err != nil {
+ return -1, -1, fmt.Errorf("Can't convert found gid (%s) to int: %v", matches[2], err)
+ }
+
+ // Now we need to create the subuid/subgid ranges for our new user/group (system users
+ // do not get auto-created ranges in subuid/subgid)
+
+ if err := createSubordinateRanges(name); err != nil {
+ return -1, -1, fmt.Errorf("couldn't create subordinate ID ranges: %v", err)
+ }
+ return uid, gid, nil
+}
+
+func addUser(name string) error {
+ once.Do(func() {
+ // set up which commands are used for adding users/groups dependent on distro
+ if _, err := resolveBinary("adduser"); err == nil {
+ userCommand = "adduser"
+ } else if _, err := resolveBinary("useradd"); err == nil {
+ userCommand = "useradd"
+ }
+ })
+ var args []string
+ switch userCommand {
+ case "adduser":
+ args = []string{"--system", "--shell", "/bin/false", "--no-create-home", "--disabled-login", "--disabled-password", "--group", name}
+ case "useradd":
+ args = []string{"-r", "-s", "/bin/false", name}
+ default:
+ return fmt.Errorf("cannot add user; no useradd/adduser binary found")
+ }
+
+ if out, err := exec.Command(userCommand, args...).CombinedOutput(); err != nil {
+ return fmt.Errorf("failed to add user with error: %v; output: %q", err, string(out))
+ }
+ return nil
+}
+
+func createSubordinateRanges(name string) error {
+ // first, we should verify that ranges weren't automatically created
+ // by the distro tooling
+ ranges, err := parseSubuid(name)
+ if err != nil {
+ return fmt.Errorf("error while looking for subuid ranges for user %q: %v", name, err)
+ }
+ if len(ranges) == 0 {
+ // no UID ranges; let's create one
+ startID, err := findNextUIDRange()
+ if err != nil {
+ return fmt.Errorf("can't find available subuid range: %v", err)
+ }
+ idRange := fmt.Sprintf("%d-%d", startID, startID+defaultRangeLen-1)
+ out, err := exec.Command("usermod", "-v", idRange, name).CombinedOutput()
+ if err != nil {
+ return fmt.Errorf("unable to add subuid range to user: %q; output: %s, err: %v", name, out, err)
+ }
+ }
+
+ ranges, err = parseSubgid(name)
+ if err != nil {
+ return fmt.Errorf("error while looking for subgid ranges for user %q: %v", name, err)
+ }
+ if len(ranges) == 0 {
+ // no GID ranges; let's create one
+ startID, err := findNextGIDRange()
+ if err != nil {
+ return fmt.Errorf("can't find available subgid range: %v", err)
+ }
+ idRange := fmt.Sprintf("%d-%d", startID, startID+defaultRangeLen-1)
+ out, err := exec.Command("usermod", "-w", idRange, name).CombinedOutput()
+ if err != nil {
+ return fmt.Errorf("unable to add subgid range to user: %q; output: %s, err: %v", name, out, err)
+ }
+ }
+ return nil
+}
+
+func findNextUIDRange() (int, error) {
+ ranges, err := parseSubuid("ALL")
+ if err != nil {
+ return -1, fmt.Errorf("couldn't parse all ranges in /etc/subuid file: %v", err)
+ }
+ sort.Sort(ranges)
+ return findNextRangeStart(ranges)
+}
+
+func findNextGIDRange() (int, error) {
+ ranges, err := parseSubgid("ALL")
+ if err != nil {
+ return -1, fmt.Errorf("couldn't parse all ranges in /etc/subgid file: %v", err)
+ }
+ sort.Sort(ranges)
+ return findNextRangeStart(ranges)
+}
+
+func findNextRangeStart(rangeList subIDRanges) (int, error) {
+ startID := defaultRangeStart
+ for _, arange := range rangeList {
+ if wouldOverlap(arange, startID) {
+ startID = arange.Start + arange.Length
+ }
+ }
+ return startID, nil
+}
+
+func wouldOverlap(arange subIDRange, ID int) bool {
+ low := ID
+ high := ID + defaultRangeLen
+ if (low >= arange.Start && low <= arange.Start+arange.Length) ||
+ (high <= arange.Start+arange.Length && high >= arange.Start) {
+ return true
+ }
+ return false
+}
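Review bot: `wouldOverlap` only tests whether one of the candidate's two endpoints lies inside the existing range, so an existing range shorter than `defaultRangeLen` that sits wholly inside the candidate goes undetected. `findNextRangeStart` can then return a start whose 65536 IDs include IDs already delegated to another user. With constructed values, an existing entry starting at 100100 with length 10 does not move a candidate start of 100000. A plain interval test covers every case: `return ID < arange.Start+arange.Length && arange.Start < ID+defaultRangeLen`. Overlapping subordinate ranges mean two user-namespace mappings share host IDs, which weakens the isolation these ranges exist to provide; the file is vendored, so the fix belongs upstream.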
diff --git a/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go b/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go
new file mode 100644
index 000000000000..6a9311c4a750
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/idtools/usergroupadd_unsupported.go
@@ -0,0 +1,12 @@
+//go:build !linux
+
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import "fmt"
+
+// AddNamespaceRangesUser takes a name and finds an unused uid, gid pair
+// and calls the appropriate helper function to add the group and then
+// the user to the group in /etc/group and /etc/passwd respectively.
+func AddNamespaceRangesUser(name string) (int, int, error) {
+ return -1, -1, fmt.Errorf("No support for adding users or groups on this OS")
+}
diff --git a/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go b/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go
new file mode 100644
index 000000000000..517a2f52ca2f
--- /dev/null
+++ b/vendor/github.com/docker/docker/pkg/idtools/utils_unix.go
@@ -0,0 +1,26 @@
+//go:build !windows
+
+package idtools // import "github.com/docker/docker/pkg/idtools"
+
+import (
+ "fmt"
+ "os/exec"
+ "path/filepath"
+)
+
+func resolveBinary(binname string) (string, error) {
+ binaryPath, err := exec.LookPath(binname)
+ if err != nil {
+ return "", err
+ }
+ resolvedPath, err := filepath.EvalSymlinks(binaryPath)
+ if err != nil {
+ return "", err
+ }
+ // only return no error if the final resolved binary basename
+ // matches what was searched for
+ if filepath.Base(resolvedPath) == binname {
+ return resolvedPath, nil
+ }
+ return "", fmt.Errorf("Binary %q does not resolve to a binary of that name in $PATH (%q)", binname, resolvedPath)
+}
diff --git a/vendor/github.com/docker/docker/pkg/reexec/command_linux.go b/vendor/github.com/docker/docker/pkg/reexec/command_linux.go
deleted file mode 100644
index 952633c864e0..000000000000
--- a/vendor/github.com/docker/docker/pkg/reexec/command_linux.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package reexec
-
-import (
- "os/exec"
- "syscall"
-)
-
-// Command returns an [*exec.Cmd] which has Path as current binary which,
-// on Linux, is set to the in-memory version (/proc/self/exe) of the current
-// binary, it is thus safe to delete or replace the on-disk binary (os.Args[0]).
-//
-// On Linux, the Pdeathsig of [*exec.Cmd.SysProcAttr] is set to SIGTERM.
-// This signal will be sent to the process when the OS thread which created
-// the process dies.
-//
-// It is the caller's responsibility to ensure that the creating thread is
-// not terminated prematurely. See https://go.dev/issue/27505 for more details.
-func Command(args ...string) *exec.Cmd {
- return &exec.Cmd{
- Path: Self(),
- Args: args,
- SysProcAttr: &syscall.SysProcAttr{
- Pdeathsig: syscall.SIGTERM,
- },
- }
-}
diff --git a/vendor/github.com/docker/docker/pkg/reexec/command_other.go b/vendor/github.com/docker/docker/pkg/reexec/command_other.go
deleted file mode 100644
index b458ef2d20d6..000000000000
--- a/vendor/github.com/docker/docker/pkg/reexec/command_other.go
+++ /dev/null
@@ -1,19 +0,0 @@
-//go:build freebsd || darwin || windows
-
-package reexec
-
-import (
- "os/exec"
-)
-
-// Command returns *exec.Cmd with its Path set to the path of the current
-// binary using the result of [Self]. For example if current binary is
-// "my-binary" at "/usr/bin/" (or "my-binary.exe" at "C:\" on Windows),
-// then cmd.Path is set to "/usr/bin/my-binary" and "C:\my-binary.exe"
-// respectively.
-func Command(args ...string) *exec.Cmd {
- return &exec.Cmd{
- Path: Self(),
- Args: args,
- }
-}
diff --git a/vendor/github.com/docker/docker/pkg/reexec/command_unsupported.go b/vendor/github.com/docker/docker/pkg/reexec/command_unsupported.go
deleted file mode 100644
index 3e98b989a3c2..000000000000
--- a/vendor/github.com/docker/docker/pkg/reexec/command_unsupported.go
+++ /dev/null
@@ -1,12 +0,0 @@
-//go:build !linux && !windows && !freebsd && !darwin
-
-package reexec
-
-import (
- "os/exec"
-)
-
-// Command is unsupported on operating systems apart from Linux, Windows, and Darwin.
-func Command(args ...string) *exec.Cmd {
- return nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/reexec/reexec.go b/vendor/github.com/docker/docker/pkg/reexec/reexec.go
deleted file mode 100644
index b9d11a2a5870..000000000000
--- a/vendor/github.com/docker/docker/pkg/reexec/reexec.go
+++ /dev/null
@@ -1,64 +0,0 @@
-// Package reexec facilitates the busybox style reexec of a binary.
-//
-// Handlers can be registered with a name and the argv 0 of the exec of
-// the binary will be used to find and execute custom init paths.
-//
-// It is used in dockerd to work around forking limitations when using Go.
-package reexec
-
-import (
- "fmt"
- "os"
- "os/exec"
- "path/filepath"
- "runtime"
-)
-
-var registeredInitializers = make(map[string]func())
-
-// Register adds an initialization func under the specified name. It panics
-// if the given name is already registered.
-func Register(name string, initializer func()) {
- if _, exists := registeredInitializers[name]; exists {
- panic(fmt.Sprintf("reexec func already registered under name %q", name))
- }
-
- registeredInitializers[name] = initializer
-}
-
-// Init is called as the first part of the exec process and returns true if an
-// initialization function was called.
-func Init() bool {
- if initializer, ok := registeredInitializers[os.Args[0]]; ok {
- initializer()
- return true
- }
- return false
-}
-
-// Self returns the path to the current process's binary. On Linux, it
-// returns "/proc/self/exe", which provides the in-memory version of the
-// current binary, whereas on other platforms it attempts to looks up the
-// absolute path for os.Args[0], or otherwise returns os.Args[0] as-is.
-func Self() string {
- if runtime.GOOS == "linux" {
- return "/proc/self/exe"
- }
- return naiveSelf()
-}
-
-func naiveSelf() string {
- name := os.Args[0]
- if filepath.Base(name) == name {
- if lp, err := exec.LookPath(name); err == nil {
- return lp
- }
- }
- // handle conversion of relative paths to absolute
- if absName, err := filepath.Abs(name); err == nil {
- return absName
- }
- // if we couldn't get absolute name, return original
- // (NOTE: Go only errors on Abs() if os.Getwd fails)
- return name
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go b/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
deleted file mode 100644
index 5e29a6b3b8a9..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/lstat_unix.go
+++ /dev/null
@@ -1,20 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
- "os"
- "syscall"
-)
-
-// Lstat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist
-func Lstat(path string) (*StatT, error) {
- s := &syscall.Stat_t{}
- if err := syscall.Lstat(path, s); err != nil {
- return nil, &os.PathError{Op: "Lstat", Path: path, Err: err}
- }
- return fromStatT(s)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go b/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
deleted file mode 100644
index 359c791d9b62..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/lstat_windows.go
+++ /dev/null
@@ -1,14 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "os"
-
-// Lstat calls os.Lstat to get a fileinfo interface back.
-// This is then copied into our own locally defined structure.
-func Lstat(path string) (*StatT, error) {
- fi, err := os.Lstat(path)
- if err != nil {
- return nil, err
- }
-
- return fromStatT(&fi)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod.go b/vendor/github.com/docker/docker/pkg/system/mknod.go
deleted file mode 100644
index 2a62237a45cd..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/mknod.go
+++ /dev/null
@@ -1,16 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
- "golang.org/x/sys/unix"
-)
-
-// Mkdev is used to build the value of linux devices (in /dev/) which specifies major
-// and minor number of the newly created device special file.
-// Linux device nodes are a bit weird due to backwards compat with 16 bit device nodes.
-// They are, from low to high: the lower 8 bits of the minor, then 12 bits of the major,
-// then the top 12 bits of the minor.
-func Mkdev(major int64, minor int64) uint32 {
- return uint32(unix.Mkdev(uint32(major), uint32(minor)))
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go b/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
deleted file mode 100644
index e218e742d495..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/mknod_freebsd.go
+++ /dev/null
@@ -1,13 +0,0 @@
-//go:build freebsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
- "golang.org/x/sys/unix"
-)
-
-// Mknod creates a filesystem node (file, device special file or named pipe) named path
-// with attributes specified by mode and dev.
-func Mknod(path string, mode uint32, dev int) error {
- return unix.Mknod(path, mode, uint64(dev))
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/mknod_unix.go b/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
deleted file mode 100644
index 34df0b9236c8..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/mknod_unix.go
+++ /dev/null
@@ -1,13 +0,0 @@
-//go:build !freebsd && !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
- "golang.org/x/sys/unix"
-)
-
-// Mknod creates a filesystem node (file, device special file or named pipe) named path
-// with attributes specified by mode and dev.
-func Mknod(path string, mode uint32, dev int) error {
- return unix.Mknod(path, mode, dev)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_bsd.go b/vendor/github.com/docker/docker/pkg/system/stat_bsd.go
deleted file mode 100644
index 435b776ee36f..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_bsd.go
+++ /dev/null
@@ -1,17 +0,0 @@
-//go:build freebsd || netbsd
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
- return &StatT{
- size: s.Size,
- mode: uint32(s.Mode),
- uid: s.Uid,
- gid: s.Gid,
- rdev: uint64(s.Rdev),
- mtim: s.Mtimespec,
- }, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_darwin.go b/vendor/github.com/docker/docker/pkg/system/stat_darwin.go
deleted file mode 100644
index e0b629df0e29..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_darwin.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
- return &StatT{
- size: s.Size,
- mode: uint32(s.Mode),
- uid: s.Uid,
- gid: s.Gid,
- rdev: uint64(s.Rdev),
- mtim: s.Mtimespec,
- }, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_illumos.go b/vendor/github.com/docker/docker/pkg/system/stat_illumos.go
deleted file mode 100644
index 851374e5d99e..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_illumos.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
- return &StatT{
- size: s.Size,
- mode: uint32(s.Mode),
- uid: s.Uid,
- gid: s.Gid,
- rdev: uint64(s.Rdev),
- mtim: s.Mtim,
- }, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_linux.go b/vendor/github.com/docker/docker/pkg/system/stat_linux.go
deleted file mode 100644
index 4309d42b9fd5..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_linux.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
- return &StatT{
- size: s.Size,
- mode: s.Mode,
- uid: s.Uid,
- gid: s.Gid,
- // the type is 32bit on mips
- rdev: uint64(s.Rdev), //nolint: unconvert
- mtim: s.Mtim,
- }, nil
-}
-
-// FromStatT converts a syscall.Stat_t type to a system.Stat_t type
-// This is exposed on Linux as pkg/archive/changes uses it.
-func FromStatT(s *syscall.Stat_t) (*StatT, error) {
- return fromStatT(s)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go b/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go
deleted file mode 100644
index 851374e5d99e..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_openbsd.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import "syscall"
-
-// fromStatT converts a syscall.Stat_t type to a system.Stat_t type
-func fromStatT(s *syscall.Stat_t) (*StatT, error) {
- return &StatT{
- size: s.Size,
- mode: uint32(s.Mode),
- uid: s.Uid,
- gid: s.Gid,
- rdev: uint64(s.Rdev),
- mtim: s.Mtim,
- }, nil
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_unix.go b/vendor/github.com/docker/docker/pkg/system/stat_unix.go
deleted file mode 100644
index 205e54677db3..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_unix.go
+++ /dev/null
@@ -1,66 +0,0 @@
-//go:build !windows
-
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
- "os"
- "syscall"
-)
-
-// StatT type contains status of a file. It contains metadata
-// like permission, owner, group, size, etc about a file.
-type StatT struct {
- mode uint32
- uid uint32
- gid uint32
- rdev uint64
- size int64
- mtim syscall.Timespec
-}
-
-// Mode returns file's permission mode.
-func (s StatT) Mode() uint32 {
- return s.mode
-}
-
-// UID returns file's user id of owner.
-func (s StatT) UID() uint32 {
- return s.uid
-}
-
-// GID returns file's group id of owner.
-func (s StatT) GID() uint32 {
- return s.gid
-}
-
-// Rdev returns file's device ID (if it's special file).
-func (s StatT) Rdev() uint64 {
- return s.rdev
-}
-
-// Size returns file's size.
-func (s StatT) Size() int64 {
- return s.size
-}
-
-// Mtim returns file's last modification time.
-func (s StatT) Mtim() syscall.Timespec {
- return s.mtim
-}
-
-// IsDir reports whether s describes a directory.
-func (s StatT) IsDir() bool {
- return s.mode&syscall.S_IFDIR != 0
-}
-
-// Stat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist
-func Stat(path string) (*StatT, error) {
- s := &syscall.Stat_t{}
- if err := syscall.Stat(path, s); err != nil {
- return nil, &os.PathError{Op: "Stat", Path: path, Err: err}
- }
- return fromStatT(s)
-}
diff --git a/vendor/github.com/docker/docker/pkg/system/stat_windows.go b/vendor/github.com/docker/docker/pkg/system/stat_windows.go
deleted file mode 100644
index 10876cd73e28..000000000000
--- a/vendor/github.com/docker/docker/pkg/system/stat_windows.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package system // import "github.com/docker/docker/pkg/system"
-
-import (
- "os"
- "time"
-)
-
-// StatT type contains status of a file. It contains metadata
-// like permission, size, etc about a file.
-type StatT struct {
- mode os.FileMode
- size int64
- mtim time.Time
-}
-
-// Size returns file's size.
-func (s StatT) Size() int64 {
- return s.size
-}
-
-// Mode returns file's permission mode.
-func (s StatT) Mode() os.FileMode {
- return s.mode
-}
-
-// Mtim returns file's last modification time.
-func (s StatT) Mtim() time.Time {
- return s.mtim
-}
-
-// Stat takes a path to a file and returns
-// a system.StatT type pertaining to that file.
-//
-// Throws an error if the file does not exist
-func Stat(path string) (*StatT, error) {
- fi, err := os.Stat(path)
- if err != nil {
- return nil, err
- }
- return fromStatT(&fi)
-}
-
-// fromStatT converts a os.FileInfo type to a system.StatT type
-func fromStatT(fi *os.FileInfo) (*StatT, error) {
- return &StatT{
- size: (*fi).Size(),
- mode: (*fi).Mode(),
- mtim: (*fi).ModTime(),
- }, nil
-}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index fad04ebe362c..86e9d497aa53 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -466,7 +466,7 @@ github.com/docker/cli/cli/config/configfile
github.com/docker/cli/cli/config/credentials
github.com/docker/cli/cli/config/types
github.com/docker/cli/cli/connhelper/commandconn
-# github.com/docker/docker v27.4.0+incompatible => github.com/dmcgowan/docker v1.1.3-0.20241219215548-75a8139e6c42
+# github.com/docker/docker v27.4.0+incompatible => github.com/docker/docker v27.0.2-0.20241219215845-ec0dba002046+incompatible
## explicit
github.com/docker/docker/api
github.com/docker/docker/api/types
@@ -499,7 +499,6 @@ github.com/docker/docker/pkg/chrootarchive
github.com/docker/docker/pkg/idtools
github.com/docker/docker/pkg/ioutils
github.com/docker/docker/pkg/pools
-github.com/docker/docker/pkg/reexec
github.com/docker/docker/pkg/system
github.com/docker/docker/profiles/seccomp
# github.com/docker/docker-credential-helpers v0.8.2
@@ -1106,5 +1105,5 @@ kernel.org/pub/linux/libs/security/libcap/cap
# kernel.org/pub/linux/libs/security/libcap/psx v1.2.70
## explicit; go 1.11
kernel.org/pub/linux/libs/security/libcap/psx
-# github.com/docker/docker => github.com/dmcgowan/docker v1.1.3-0.20241219215548-75a8139e6c42
+# github.com/docker/docker => github.com/docker/docker v27.0.2-0.20241219215845-ec0dba002046+incompatible
# github.com/docker/cli => github.com/docker/cli v27.0.2-0.20241218124108-2f67b2f3ff3a+incompatible