Merge pull request #51395 from thaJeztah/28.x_backport_rootless_reject

[28.x backport] dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
diff --git a/Dockerfile b/Dockerfile
index 3cc88b5..9ac0ff8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -260,9 +260,8 @@
 RUN git init . && git remote add origin "https://github.com/opencontainers/runc.git"
 # RUNC_VERSION should match the version that is used by the containerd version
 # that is used. If you need to update runc, open a pull request in the containerd
-# project first, and update both after that is merged. When updating RUNC_VERSION,
-# consider updating runc in vendor.mod accordingly.
-ARG RUNC_VERSION=v1.3.0
+# project first, and update both after that is merged.
+ARG RUNC_VERSION=v1.3.3
 RUN git fetch -q --depth 1 origin "${RUNC_VERSION}" +refs/tags/*:refs/tags/* && git checkout -q FETCH_HEAD
 
 FROM base AS runc-build
diff --git a/hack/buildkit-ref b/hack/buildkit-ref
index f51a489..280bb0e 100755
--- a/hack/buildkit-ref
+++ b/hack/buildkit-ref
@@ -19,9 +19,6 @@
 	buildkit_ref=$(curl -s "https://api.github.com/repos/${buildkit_repo}/commits/${buildkit_ref}" | jq -r .sha)
 fi
 
-# https://github.com/moby/buildkit/pull/6278
-buildkit_ref="1030099b27bd3455bf7e5d5fe73b6be5dbec3c1f"
-
 cat << EOF
 BUILDKIT_REPO=$buildkit_repo
 BUILDKIT_REF=$buildkit_ref
diff --git a/hack/dockerfile/install/runc.installer b/hack/dockerfile/install/runc.installer
index 44eea00..01d54aa 100755
--- a/hack/dockerfile/install/runc.installer
+++ b/hack/dockerfile/install/runc.installer
@@ -7,9 +7,7 @@
 # The version of runc should match the version that is used by the containerd
 # version that is used. If you need to update runc, open a pull request in
 # the containerd project first, and update both after that is merged.
-#
-# When updating RUNC_VERSION, consider updating runc in vendor.mod accordingly
-: "${RUNC_VERSION:=v1.3.0}"
+: "${RUNC_VERSION:=v1.3.3}"
 
 install_runc() {
 	RUNC_BUILDTAGS="${RUNC_BUILDTAGS:-"seccomp"}"
diff --git a/integration-cli/docker_cli_build_unix_test.go b/integration-cli/docker_cli_build_unix_test.go
index 3f7a9d0..0be788a 100644
--- a/integration-cli/docker_cli_build_unix_test.go
+++ b/integration-cli/docker_cli_build_unix_test.go
@@ -33,7 +33,18 @@
 	RUN ["/hello"]
 	`))
 	cli.Docker(
-		cli.Args("build", "--no-cache", "--rm=false", "--memory=64m", "--memory-swap=-1", "--cpuset-cpus=0", "--cpuset-mems=0", "--cpu-shares=100", "--cpu-quota=8000", "--ulimit", "nofile=42", "--label="+buildLabel, "-t", name, "."),
+		cli.Args("build",
+			"--no-cache",
+			"--rm=false",
+			"--memory=64m",
+			"--memory-swap=-1",
+			"--cpuset-cpus=0",
+			"--cpuset-mems=0",
+			"--cpu-shares=100",
+			"--cpu-quota=8000",
+			"--ulimit", "nofile=50",
+			"--label="+buildLabel,
+			"-t", name, "."),
 		cli.InDir(ctx.Dir),
 	).Assert(c, icmd.Success)
 
@@ -63,7 +74,7 @@
 	assert.Equal(c, c1.CPUShares, int64(100), "resource constraints not set properly for CPUShares")
 	assert.Equal(c, c1.CPUQuota, int64(8000), "resource constraints not set properly for CPUQuota")
 	assert.Equal(c, c1.Ulimits[0].Name, "nofile", "resource constraints not set properly for Ulimits")
-	assert.Equal(c, c1.Ulimits[0].Hard, int64(42), "resource constraints not set properly for Ulimits")
+	assert.Equal(c, c1.Ulimits[0].Hard, int64(50), "resource constraints not set properly for Ulimits")
 
 	// Make sure constraints aren't saved to image
 	cli.DockerCmd(c, "run", "--name=test", name)
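Review bot: The new limit is an unexplained literal, written once as `int64(50)` in this assertion and once as `"--ulimit", "nofile=50"` in the previous hunk, and nothing records why 42 stopped working. Because the same commit raises RUNC_VERSION, the increase presumably reflects the runtime needing more open file descriptors to start the container, but that is an inference from the diff. A comment above the `cli.Args` call, such as `// nofile must stay high enough for the runtime to start the container; 42 was too low after the runc update`, would stop a later cleanup from lowering it again. The same literal is repeated in the hunks of docker_cli_daemon_test.go and docker_cli_run_test.go, and the enclosing test function starts and ends outside this hunk.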
diff --git a/integration-cli/docker_cli_daemon_test.go b/integration-cli/docker_cli_daemon_test.go
index 41205c0..060e75e 100644
--- a/integration-cli/docker_cli_daemon_test.go
+++ b/integration-cli/docker_cli_daemon_test.go
@@ -391,7 +391,7 @@
 }
 
 func (s *DockerDaemonSuite) TestDaemonUlimitDefaults(c *testing.T) {
-	s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-ulimit", "nofile=42:42", "--default-ulimit", "nproc=1024:1024")
+	s.d.StartWithBusybox(testutil.GetContext(c), c, "--default-ulimit", "nofile=50:50", "--default-ulimit", "nproc=1024:1024")
 
 	out, err := s.d.Cmd("run", "--ulimit", "nproc=2048", "--name=test", "busybox", "/bin/sh", "-c", "echo $(ulimit -n); echo $(ulimit -u)")
 	if err != nil {
@@ -405,15 +405,15 @@
 	nofile := strings.TrimSpace(outArr[0])
 	nproc := strings.TrimSpace(outArr[1])
 
-	if nofile != "42" {
-		c.Fatalf("expected `ulimit -n` to be `42`, got: %s", nofile)
+	if nofile != "50" {
+		c.Fatalf("expected `ulimit -n` to be `50`, got: %s", nofile)
 	}
 	if nproc != "2048" {
 		c.Fatalf("expected `ulimit -u` to be 2048, got: %s", nproc)
 	}
 
 	// Now restart daemon with a new default
-	s.d.Restart(c, "--default-ulimit", "nofile=43")
+	s.d.Restart(c, "--default-ulimit", "nofile=50")
 
 	out, err = s.d.Cmd("start", "-a", "test")
 	if err != nil {
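Review bot: `s.d.Restart(c, "--default-ulimit", "nofile=50")` restarts the daemon with the same default it was started with (`nofile=50:50`), so the `nofile != "50"` check in the following hunk passes even if the restarted container keeps the old default. The removed lines used 42 before the restart and 43 after it, and that difference is what let the second assertion prove the new default is applied. Use a distinct value after the restart, for example `s.d.Restart(c, "--default-ulimit", "nofile=51")`, with `if nofile != "51"` and the matching message in the last hunk. The body of TestDaemonUlimitDefaults continues outside this hunk.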
@@ -427,8 +427,8 @@
 	nofile = strings.TrimSpace(outArr[0])
 	nproc = strings.TrimSpace(outArr[1])
 
-	if nofile != "43" {
-		c.Fatalf("expected `ulimit -n` to be `43`, got: %s", nofile)
+	if nofile != "50" {
+		c.Fatalf("expected `ulimit -n` to be `50`, got: %s", nofile)
 	}
 	if nproc != "2048" {
 		c.Fatalf("expected `ulimit -u` to be 2048, got: %s", nproc)
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index aaa7bfb..6d14404 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -3099,10 +3099,10 @@
 	// Not applicable on Windows as uses Unix specific functionality
 	testRequires(c, DaemonIsLinux)
 
-	out := cli.DockerCmd(c, "run", "--name=testulimits", "--ulimit", "nofile=42", "busybox", "/bin/sh", "-c", "ulimit -n").Combined()
+	out := cli.DockerCmd(c, "run", "--name=testulimits", "--ulimit", "nofile=50", "busybox", "/bin/sh", "-c", "ulimit -n").Combined()
 	ul := strings.TrimSpace(out)
-	if ul != "42" {
-		c.Fatalf("expected `ulimit -n` to be 42, got %s", ul)
+	if ul != "50" {
+		c.Fatalf("expected `ulimit -n` to be 50, got %s", ul)
 	}
 }
 
@@ -3924,13 +3924,13 @@
 	assert.NilError(c, err)
 	assert.Assert(c, is.Contains(out, "[nofile=65535:65535]"))
 	name = "test-B"
-	_, err = d.Cmd("run", "--name", name, "--ulimit=nofile=42", "-d", "busybox", "top")
+	_, err = d.Cmd("run", "--name", name, "--ulimit=nofile=50", "-d", "busybox", "top")
 	assert.NilError(c, err)
 	assert.NilError(c, d.WaitRun(name))
 
 	out, err = d.Cmd("inspect", "--format", "{{.HostConfig.Ulimits}}", name)
 	assert.NilError(c, err)
-	assert.Assert(c, is.Contains(out, "[nofile=42:42]"))
+	assert.Assert(c, is.Contains(out, "[nofile=50:50]"))
 }
 
 func (s *DockerCLIRunSuite) TestRunStoppedLoggingDriverNoLeak(c *testing.T) {
diff --git a/vendor.mod b/vendor.mod
index d1ccaee..ed6e4a1 100644
--- a/vendor.mod
+++ b/vendor.mod
@@ -62,7 +62,7 @@
 	github.com/miekg/dns v1.1.66
 	github.com/mistifyio/go-zfs/v3 v3.0.1
 	github.com/mitchellh/copystructure v1.2.0
-	github.com/moby/buildkit v0.25.1
+	github.com/moby/buildkit v0.25.2
 	github.com/moby/docker-image-spec v1.3.1
 	github.com/moby/go-archive v0.1.0
 	github.com/moby/ipvs v1.1.0
diff --git a/vendor.sum b/vendor.sum
index dff7f36..c8a4081 100644
--- a/vendor.sum
+++ b/vendor.sum
@@ -383,8 +383,8 @@
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs=
-github.com/moby/buildkit v0.25.1 h1:j7IlVkeNbEo+ZLoxdudYCHpmTsbwKvhgc/6UJ/mY/o8=
-github.com/moby/buildkit v0.25.1/go.mod h1:phM8sdqnvgK2y1dPDnbwI6veUCXHOZ6KFSl6E164tkc=
+github.com/moby/buildkit v0.25.2 h1:mReLKDPv05cqk6o/u3ixq2/iTsWGHoUO5Zg3lojrQTk=
+github.com/moby/buildkit v0.25.2/go.mod h1:phM8sdqnvgK2y1dPDnbwI6veUCXHOZ6KFSl6E164tkc=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 6f28e8a..c0677e1 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -757,7 +757,7 @@
 # github.com/mitchellh/reflectwalk v1.0.2
 ## explicit
 github.com/mitchellh/reflectwalk
-# github.com/moby/buildkit v0.25.1
+# github.com/moby/buildkit v0.25.2
 ## explicit; go 1.24.0
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types