Merge pull request #51129 from smerkviladze/25.0-bump-swarmkit-to-v2.1.1
[25.0 backport] vendor: github.com/moby/swarmkit/v2 v2.1.1
diff --git a/.github/workflows/arm64.yml b/.github/workflows/arm64.yml
index 704bdd4..1f8c391 100644
--- a/.github/workflows/arm64.yml
+++ b/.github/workflows/arm64.yml
@@ -86,7 +86,7 @@
targets: dev
set: |
*.cache-from=type=gha,scope=dev-arm64
- *.cache-to=type=gha,scope=dev-arm64,mode=max
+ *.cache-to=type=gha,scope=dev-arm64
*.output=type=cacheonly
test-unit:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8a9b799..da7a31f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -41,6 +41,7 @@
mode:
- ""
- systemd
+ - firewalld
steps:
-
name: Prepare
@@ -58,7 +59,7 @@
targets: dev
set: |
*.cache-from=type=gha,scope=dev${{ matrix.mode }}
- *.cache-to=type=gha,scope=dev${{ matrix.mode }},mode=max
+ *.cache-to=type=gha,scope=dev${{ matrix.mode }}
*.output=type=cacheonly
test:
diff --git a/cmd/dockerd/daemon.go b/cmd/dockerd/daemon.go
index 3704042..b1f2688 100644
--- a/cmd/dockerd/daemon.go
+++ b/cmd/dockerd/daemon.go
@@ -9,7 +9,9 @@
"os"
"path/filepath"
"runtime"
+ "slices"
"sort"
+ "strconv"
"strings"
"sync"
"time"
@@ -67,6 +69,14 @@
"tags.cncf.io/container-device-interface/pkg/cdi"
)
+// strongTLSCiphers defines a secure, modern set of TLS cipher suites for use by the daemon.
+var strongTLSCiphers = []uint16{
+ tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+}
+
// DaemonCli represents the daemon CLI.
type DaemonCli struct {
*config.Config
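Review bot: The doc comment on strongTLSCiphers should say what the list actually controls: in crypto/tls, tls.Config.CipherSuites only governs TLS 1.2 and earlier, and the TLS 1.3 suites are fixed by the library, so this allowlist has no effect on TLS 1.3 handshakes. All four entries are TLS 1.2 ECDHE AEAD suites, which also means that if the config still admits versions below 1.2, those clients can no longer negotiate any suite once the list is applied — that is a deliberate hardening, but it should be stated rather than left implicit. The ChaCha20-Poly1305 ECDHE suites are absent; if that omission is intentional it deserves a word, since they are the AEAD option for clients without AES acceleration. Suggested comment: `// strongTLSCiphers is the TLS 1.2 cipher-suite allowlist applied when DOCKER_DISABLE_WEAK_CIPHERS is enabled; TLS 1.3 suites are fixed by crypto/tls and are not affected by tls.Config.CipherSuites.`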
@@ -779,6 +789,18 @@
if err != nil {
return nil, errors.Wrap(err, "invalid TLS configuration")
}
+ // Optionally enforce strong TLS ciphers via the environment variable DOCKER_DISABLE_WEAK_CIPHERS.
+ // When set to true, weak TLS ciphers are disabled, restricting the daemon to a modern, secure
+ // subset of cipher suites.
+ if disableWeakCiphers := os.Getenv("DOCKER_DISABLE_WEAK_CIPHERS"); disableWeakCiphers != "" {
+ disable, err := strconv.ParseBool(disableWeakCiphers)
+ if err != nil {
+ return nil, errors.Wrap(err, "invalid value for DOCKER_DISABLE_WEAK_CIPHERS")
+ }
+ if disable {
+ tlsConfig.CipherSuites = slices.Clone(strongTLSCiphers)
+ }
+ }
}
return tlsConfig, nil
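Review bot: When `disable` is true the override is applied silently, so an operator has no way to confirm from the daemon's startup output that the restricted suite list is in effect rather than, say, a mistyped variable name leaving the default in place; a single info-level log line at the `tlsConfig.CipherSuites = slices.Clone(strongTLSCiphers)` assignment would make the setting auditable. The assignment also replaces, rather than intersects with, whatever CipherSuites the preceding TLS-config construction may already have populated — if that earlier list is operator-configurable, the comment above the block should say the environment variable takes precedence. The enclosing function begins outside this hunk, so I cannot see whether the config is already logged elsewhere.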
diff --git a/hack/validate/vendor b/hack/validate/vendor
index a0b35d3..b01a45c 100755
--- a/hack/validate/vendor
+++ b/hack/validate/vendor
@@ -5,27 +5,30 @@
SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "${SCRIPTDIR}/.validate"
-tidy_files=('vendor.mod' 'vendor.sum')
+modules_files=('man/go.mod' 'vendor.mod')
+tidy_files=("${modules_files[@]}" 'man/go.sum' 'vendor.sum')
vendor_files=("${tidy_files[@]}" 'vendor/')
-validate_vendor_tidy() {
+validate_tidy_modules() {
+ # check that all go.mod files exist in HEAD; go.sum files are generated by 'go mod tidy'
+ # so we don't need to check for their existence beforehand
+ for f in "${modules_files[@]}"; do
+ if [ ! -f "$f" ]; then
+ echo >&2 "ERROR: missing $f"
+ return 1
+ fi
+ done
# run mod tidy
./hack/vendor.sh tidy
# check if any files have changed
- git diff --quiet HEAD -- "${tidy_files[@]}"
+ git diff --quiet HEAD -- "${tidy_files[@]}" && [ -z "$(git ls-files --others --exclude-standard)" ]
}
validate_vendor_diff() {
- mapfile -t changed_files < <(validate_diff --diff-filter=ACMR --name-only -- "${vendor_files[@]}")
-
- if [ -n "${TEST_FORCE_VALIDATE:-}" ] || [ "${#changed_files[@]}" -gt 0 ]; then
- # recreate vendor/
- ./hack/vendor.sh vendor
- # check if any files have changed
- git diff --quiet HEAD -- "${vendor_files[@]}"
- else
- echo >&2 'INFO: no vendor changes in diff; skipping vendor check.'
- fi
+ # recreate vendor/
+ ./hack/vendor.sh vendor
+ # check if any files have changed
+ git diff --quiet HEAD -- "${vendor_files[@]}" && [ -z "$(git ls-files --others --exclude-standard)" ]
}
validate_vendor_license() {
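Review bot: The new untracked-file check in `git diff --quiet HEAD -- "${tidy_files[@]}" && [ -z "$(git ls-files --others --exclude-standard)" ]` lists untracked files across the whole worktree, so any unrelated untracked file in a checkout (an editor scratch file, a build artifact) fails vendor validation, while the `git diff` beside it is scoped to the vendor files. Scope the listing the same way: `[ -z "$(git ls-files --others --exclude-standard -- "${tidy_files[@]}")" ]` here and `-- "${vendor_files[@]}"` in validate_vendor_diff. The same unscoped call is repeated twice in the failure report in the next hunk (the block that prints 'The following files are missing:'), which should be scoped identically. validate_vendor_license starts on the last line of this hunk and its body is outside it.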
@@ -37,16 +40,22 @@
done < <(awk '/^# /{ print $2 }' vendor/modules.txt)
}
-if validate_vendor_tidy && validate_vendor_diff && validate_vendor_license; then
+if validate_tidy_modules && validate_vendor_diff && validate_vendor_license; then
echo >&2 'PASS: Vendoring has been performed correctly!'
else
{
echo 'FAIL: Vendoring was not performed correctly!'
echo
- echo 'The following files changed during re-vendor:'
- echo
- git diff --name-status HEAD -- "${vendor_files[@]}"
- echo
+ if [ -n "$(git ls-files --others --exclude-standard)" ]; then
+ echo 'The following files are missing:'
+ git ls-files --others --exclude-standard
+ echo
+ fi
+ if [ -n "$(git diff --name-status HEAD -- "${vendor_files[@]}")" ]; then
+ echo 'The following files changed during re-vendor:'
+ git diff --name-status HEAD -- "${vendor_files[@]}"
+ echo
+ fi
echo 'Please revendor with hack/vendor.sh'
echo
git diff --diff-filter=M -- "${vendor_files[@]}"
diff --git a/hack/vendor.sh b/hack/vendor.sh
index 32538a3..8d55056 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -7,15 +7,32 @@
set -e
SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPTDIR/.." && pwd)"
tidy() (
+ (
set -x
"${SCRIPTDIR}"/with-go-mod.sh go mod tidy -modfile vendor.mod -compat 1.18
+ )
+
+ (
+ set -x
+ cd man
+ go mod tidy
+ )
)
vendor() (
+ (
set -x
"${SCRIPTDIR}"/with-go-mod.sh go mod vendor -modfile vendor.mod
+ )
+
+ (
+ set -x
+ cd man
+ go mod vendor
+ )
)
help() {
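Review bot: `cd man` in the two new subshells resolves against the caller's current directory, whereas the rest of the script locates the repo via SCRIPTDIR, and the PROJECT_DIR introduced just above is not used anywhere in this hunk — invoking hack/vendor.sh from outside the repository root will fail to find the man module. Use `cd "${PROJECT_DIR}/man"` in both subshells. The man module is also handled with bare `go mod tidy` / `go mod vendor` rather than through with-go-mod.sh; if the wrapper exists only for the root vendor.mod, a one-line comment saying so would explain the asymmetry. PROJECT_DIR may be used later in the file outside this hunk.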