diff --git a/cli/command/container/opts.go b/cli/command/container/opts.go index a68bbe4833a8..d3da512dc730 100644 --- a/cli/command/container/opts.go +++ b/cli/command/container/opts.go @@ -13,13 +13,13 @@ import ( "strings" "time" + "github.com/docker/cli/cli/command" "github.com/docker/cli/cli/compose/loader" "github.com/docker/cli/opts" "github.com/docker/docker/api/types/container" mounttypes "github.com/docker/docker/api/types/mount" networktypes "github.com/docker/docker/api/types/network" "github.com/docker/docker/api/types/strslice" - "github.com/docker/docker/api/types/versions" "github.com/docker/docker/errdefs" "github.com/docker/go-connections/nat" "github.com/pkg/errors" @@ -1061,8 +1061,8 @@ func validateAttach(val string) (string, error) { func validateAPIVersion(c *containerConfig, serverAPIVersion string) error { for _, m := range c.HostConfig.Mounts { - if m.BindOptions != nil && m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") { - return errors.Errorf("bind-nonrecursive requires API v1.40 or later") + if err := command.ValidateMountWithAPIVersion(m, serverAPIVersion); err != nil { + return err } } return nil diff --git a/cli/command/service/opts.go b/cli/command/service/opts.go index 97201fd432de..51ea651edfd0 100644 --- a/cli/command/service/opts.go +++ b/cli/command/service/opts.go @@ -8,11 +8,11 @@ import ( "strings" "time" + "github.com/docker/cli/cli/command" "github.com/docker/cli/opts" "github.com/docker/docker/api/types" "github.com/docker/docker/api/types/container" "github.com/docker/docker/api/types/swarm" - "github.com/docker/docker/api/types/versions" "github.com/docker/docker/client" gogotypes "github.com/gogo/protobuf/types" "github.com/google/shlex" @@ -1033,8 +1033,8 @@ const ( func validateAPIVersion(c swarm.ServiceSpec, serverAPIVersion string) error { for _, m := range c.TaskTemplate.ContainerSpec.Mounts { - if m.BindOptions != nil && m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") { - return errors.Errorf("bind-nonrecursive requires API v1.40 or later") + if err := command.ValidateMountWithAPIVersion(m, serverAPIVersion); err != nil { + return err } } return nil diff --git a/cli/command/utils.go b/cli/command/utils.go index 753f428aa089..d85650d7fbec 100644 --- a/cli/command/utils.go +++ b/cli/command/utils.go @@ -11,6 +11,8 @@ import ( "github.com/docker/cli/cli/streams" "github.com/docker/docker/api/types/filters" + mounttypes "github.com/docker/docker/api/types/mount" + "github.com/docker/docker/api/types/versions" "github.com/moby/sys/sequential" "github.com/pkg/errors" "github.com/spf13/pflag" @@ -195,3 +197,17 @@ func StringSliceReplaceAt(s, old, new []string, requireIndex int) ([]string, boo out = append(out, s[idx+len(old):]...) return out, true } + +// ValidateMountWithAPIVersion validates a mount with the server API version. +func ValidateMountWithAPIVersion(m mounttypes.Mount, serverAPIVersion string) error { + if m.BindOptions != nil { + if m.BindOptions.NonRecursive && versions.LessThan(serverAPIVersion, "1.40") { + return errors.Errorf("bind-nonrecursive requires API v1.40 or later") + } + // bind-readonly-nonrecursive can be safely ignored when API < 1.44 + if m.BindOptions.ReadOnlyForceRecursive && versions.LessThan(serverAPIVersion, "1.44") { + return errors.Errorf("bind-readonly-forcerecursive requires API v1.44 or later") + } + } + return nil +} diff --git a/docs/reference/commandline/service_create.md b/docs/reference/commandline/service_create.md index ee9981687afa..60b5ca4d285b 100644 --- a/docs/reference/commandline/service_create.md +++ b/docs/reference/commandline/service_create.md @@ -393,7 +393,8 @@ volumes in a service:

The Engine mounts binds and volumes read-write unless readonly option is given when mounting the bind or volume. Note that setting readonly for a - bind-mount does not make its submounts readonly on the current Linux implementation. See also bind-nonrecursive.

+ bind-mount does not make its submounts readonly if Docker Engine is older than v25.0, + or Linux kernel is older than v5.12. See also Options for Bind Mounts.

+ + bind-readonly-nonrecursive or bind-ro-nonrecursive + + If set to true, submounts are recursively bind-mounted + (unless bind-nonrecursive is set to true in conjunction), + but they are not recursively made read-only. This corresponds to the default behavior of Docker v24 and older. + A false value is ignored when the Docker daemon is running on Linux kernel older than v5.12.
+
+ A value is optional:
+
+ + + + + bind-readonly-forcerecursive or bind-ro-forcerecursive + + If set to true, and submounts cannot be made recursively read-only, the Docker daemon raises an error.
+ This option should be used in conjunction with bind-propagation=rprivate. +
+ A value is optional:
+
+ + + ##### Bind propagation diff --git a/docs/reference/run.md b/docs/reference/run.md index e9a671c279e8..47873a0ac1b7 100644 --- a/docs/reference/run.md +++ b/docs/reference/run.md @@ -1714,13 +1714,21 @@ $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image ### VOLUME (shared filesystems) -v, --volume=[host-src:]container-dest[:]: Bind mount a volume. - The comma-delimited `options` are [rw|ro], [z|Z], + The comma-delimited `options` are [rw|ro|ro-non-recursive|ro-force-recursive|rro], [z|Z], [[r]shared|[r]slave|[r]private], and [nocopy]. The 'host-src' is an absolute path or a name value. If neither 'rw' or 'ro' is specified then the volume is mounted in read-write mode. + Starting with Docker Engine v25, the `ro` mode makes its submounts read-only when running on + Linux kernel v5.12 or newer. + To fall back to the behavior of Docker v24, specify `ro-non-recursive`. + To explicitly make the mount recursively read-only, specify `ro-force-recursive` + or `rro`. + The `ro-force-recursive` (`rro`) mode should be used in conjunction with `bind-propagation=rprivate`. + The `ro-force-recursive` (`rro`) mode fails when running on Linux kernel older than v5.12. + The `nocopy` mode is used to disable automatically copying the requested volume path in the container to the volume storage location. For named volumes, `copy` is the default mode. Copy modes are not supported diff --git a/man/docker-run.1.md b/man/docker-run.1.md index 13d42984f02a..56329faa7cec 100644 --- a/man/docker-run.1.md +++ b/man/docker-run.1.md @@ -468,7 +468,7 @@ according to RFC4862. * `ro`, `readonly`: `true` or `false` (default). **Note**: setting `readonly` for a bind mount does not make its submounts - read-only on the current Linux implementation. See also `bind-nonrecursive`. + read-only if Docker Engine is older than v25, or Linux kernel is older than v5.12. See also `bind` options below. Options specific to `bind`: @@ -476,7 +476,14 @@ according to RFC4862. * `consistency`: `consistent`(default), `cached`, or `delegated`. Currently, only effective for Docker for Mac. * `bind-nonrecursive`: `true` or `false` (default). If set to `true`, submounts are not recursively bind-mounted. This option is useful for - `readonly` bind mount. + `readonly` bind mount when running on Linux kernel older than v5.12, which leaves submounts writable. + * `bind-ro-nonrecursive`, `bind-readonly-nonrecursive`: `true` or `false` (default). If set to `true`, + submounts are recursively bind-mounted (unless `bind-nonrecursive` is set to `true` in conjunction), + but they are not recursively made read-only. This corresponds to the default behavior of Docker Engine v24 and older. + A `false` value is ignored when the Docker daemon is running on Linux kernel older than v5.12. + * `bind-ro-forcerecursive`,`bind-readonly-forcerecursive`: `true` or `false` (default). If set to `true`, + and submounts cannot be made recursively read-only, the Docker daemon raises an error. + This option should be used in conjunction with `bind-propagation=rprivate`. Options specific to `volume`: @@ -719,7 +726,7 @@ any options, the systems uses the following options: container. If 'HOST-DIR' is omitted, Docker automatically creates the new volume on the host. The `OPTIONS` are a comma delimited list and can be: - * [rw|ro] + * [rw|ro|ro-non-recursive|ro-force-recursive|rro] * [z|Z] * [`[r]shared`|`[r]slave`|`[r]private`] * [`delegated`|`cached`|`consistent`] @@ -747,6 +754,14 @@ You can also specify the consistency requirement for the mount, either `:consistent` (the default), `:cached`, or `:delegated`. Multiple options are separated by commas, e.g. `:ro,cached`. +Starting with Docker Engine v25, the `:ro` mode makes its submounts read-only when running on +Linux kernel v5.12 or newer. +To fall back to the behavior of Docker Engine v24, specify `:ro-non-recursive`. +To explicitly make the mount recursively read-only, specify `:ro-force-recursive` +or `:rro`. +The `:ro-force-recursive` (`:rro`) mode should be used in conjunction with `bind-propagation=rprivate`. +The `:ro-force-recursive` (`:rro`) mode fails when running on Linux kernel older than v5.12. + Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. By diff --git a/opts/mount.go b/opts/mount.go index 2b531127ebdb..ce952a71f971 100644 --- a/opts/mount.go +++ b/opts/mount.go @@ -81,6 +81,18 @@ func (m *MountOpt) Set(value string) error { case "bind-nonrecursive": bindOptions().NonRecursive = true continue + case "bind-readonly-nonrecursive", "bind-ro-nonrecursive": + // ReadOnlyNonRecursive makes the mount non-recursively read-only, but still leaves the mount recursive + // (unless NonRecursive is set to true in conjunction). + bindOptions().ReadOnlyNonRecursive = true + // Implies ReadOnly = true + mount.ReadOnly = true + continue + case "bind-readonly-forcerecursive", "bind-ro-forcerecursive": + bindOptions().ReadOnlyForceRecursive = true + // Implies ReadOnly = true + mount.ReadOnly = true + continue default: return fmt.Errorf("invalid field '%s' must be a key=value pair", field) } diff --git a/opts/mount_test.go b/opts/mount_test.go index cdb04aa1d2f9..c84beedb0ece 100644 --- a/opts/mount_test.go +++ b/opts/mount_test.go @@ -217,3 +217,72 @@ func TestMountOptSetTmpfsError(t *testing.T) { assert.ErrorContains(t, m.Set("type=tmpfs,target=/foo,tmpfs-mode=foo"), "invalid value for tmpfs-mode") assert.ErrorContains(t, m.Set("type=tmpfs"), "target is required") } + +func TestMountOptSetBindNonRecursive(t *testing.T) { + // Makes the mount itself non-recursive + t.Run("bind-nonrecursive", func(t *testing.T) { + var mount MountOpt + assert.NilError(t, mount.Set("type=bind,source=/foo,target=/bar,bind-nonrecursive")) + assert.Check(t, is.DeepEqual([]mounttypes.Mount{ + { + Type: mounttypes.TypeBind, + Source: "/foo", + Target: "/bar", + BindOptions: &mounttypes.BindOptions{ + NonRecursive: true, + }, + }, + }, mount.Value())) + }) + + // The mount itself is still recursive, but it is made read-only non-recursively + t.Run("bind-readonly-nonrecursive", func(t *testing.T) { + var mount MountOpt + assert.NilError(t, mount.Set("type=bind,source=/foo,target=/bar,bind-readonly-nonrecursive")) + assert.Check(t, is.DeepEqual([]mounttypes.Mount{ + { + Type: mounttypes.TypeBind, + Source: "/foo", + Target: "/bar", + ReadOnly: true, + BindOptions: &mounttypes.BindOptions{ + ReadOnlyNonRecursive: true, + }, + }, + }, mount.Value())) + }) + + t.Run("bind-readonly-forcerecursive", func(t *testing.T) { + var mount MountOpt + assert.NilError(t, mount.Set("type=bind,source=/foo,target=/bar,bind-readonly-forcerecursive")) + assert.Check(t, is.DeepEqual([]mounttypes.Mount{ + { + Type: mounttypes.TypeBind, + Source: "/foo", + Target: "/bar", + ReadOnly: true, + BindOptions: &mounttypes.BindOptions{ + ReadOnlyForceRecursive: true, + }, + }, + }, mount.Value())) + }) + + // Valid combination, but not really useful + t.Run("bind-nonrecursive,bind-readonly-nonrecursive", func(t *testing.T) { + var mount MountOpt + assert.NilError(t, mount.Set("type=bind,source=/foo,target=/bar,bind-nonrecursive,bind-readonly-nonrecursive")) + assert.Check(t, is.DeepEqual([]mounttypes.Mount{ + { + Type: mounttypes.TypeBind, + Source: "/foo", + Target: "/bar", + ReadOnly: true, + BindOptions: &mounttypes.BindOptions{ + NonRecursive: true, + ReadOnlyNonRecursive: true, + }, + }, + }, mount.Value())) + }) +} diff --git a/vendor.mod b/vendor.mod index 2f80772c13b1..a7a16c64add5 100644 --- a/vendor.mod +++ b/vendor.mod @@ -10,7 +10,7 @@ require ( github.com/containerd/containerd v1.6.21 github.com/creack/pty v1.1.18 github.com/docker/distribution v2.8.2+incompatible - github.com/docker/docker v24.0.0-rc.2.0.20230523155306-cf4df9d8ae4c+incompatible // master (v25.0.0-dev) + github.com/docker/docker v24.0.0-rc.2.0.20230528104423-2ebd97dec1a2+incompatible // master (v25.0.0-dev) github.com/docker/docker-credential-helpers v0.7.0 github.com/docker/go-connections v0.4.0 github.com/docker/go-units v0.5.0 @@ -62,6 +62,7 @@ require ( github.com/miekg/pkcs11 v1.1.1 // indirect github.com/moby/sys/symlink v0.2.0 // indirect github.com/opencontainers/runc v1.1.7 // indirect + github.com/opencontainers/runtime-spec v1.1.0-rc.2 // indirect github.com/prometheus/client_golang v1.14.0 // indirect github.com/prometheus/client_model v0.3.0 // indirect github.com/prometheus/common v0.37.0 // indirect diff --git a/vendor.sum b/vendor.sum index abb6f5c354f6..e9211da14b64 100644 --- a/vendor.sum +++ b/vendor.sum @@ -96,8 +96,8 @@ github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xb github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8= github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= -github.com/docker/docker v24.0.0-rc.2.0.20230523155306-cf4df9d8ae4c+incompatible h1:stJU/EC2yJHujjvqyEAHeNxsIXtwuCvvYwImyaJ0wtI= -github.com/docker/docker v24.0.0-rc.2.0.20230523155306-cf4df9d8ae4c+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v24.0.0-rc.2.0.20230528104423-2ebd97dec1a2+incompatible h1:N7Y6lZFkcPXwoNXTImu92izjoh5o9VU8NVApLdFIHe8= +github.com/docker/docker v24.0.0-rc.2.0.20230528104423-2ebd97dec1a2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0= @@ -305,6 +305,8 @@ github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1 github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ= github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk= github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50= +github.com/opencontainers/runtime-spec v1.1.0-rc.2 h1:ucBtEms2tamYYW/SvGpvq9yUN0NEVL6oyLEwDcTSrk8= +github.com/opencontainers/runtime-spec v1.1.0-rc.2/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0= github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU= github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml index 8364e7bf4b70..f761a307083d 100644 --- a/vendor/github.com/docker/docker/api/swagger.yaml +++ b/vendor/github.com/docker/docker/api/swagger.yaml @@ -388,6 +388,16 @@ definitions: description: "Create mount point on host if missing" type: "boolean" default: false + ReadOnlyNonRecursive: + description: | + Make the mount non-recursively read-only, but still leave the mount recursive + (unless NonRecursive is set to true in conjunction). + type: "boolean" + default: false + ReadOnlyForceRecursive: + description: "Raise an error if the mount cannot be made recursively read-only." + type: "boolean" + default: false VolumeOptions: description: "Optional configuration for the `volume` type." type: "object" diff --git a/vendor/github.com/docker/docker/api/types/mount/mount.go b/vendor/github.com/docker/docker/api/types/mount/mount.go index ac4ce622310d..57edf2ef1830 100644 --- a/vendor/github.com/docker/docker/api/types/mount/mount.go +++ b/vendor/github.com/docker/docker/api/types/mount/mount.go @@ -29,7 +29,7 @@ type Mount struct { // Source is not supported for tmpfs (must be an empty value) Source string `json:",omitempty"` Target string `json:",omitempty"` - ReadOnly bool `json:",omitempty"` + ReadOnly bool `json:",omitempty"` // attempts recursive read-only if possible Consistency Consistency `json:",omitempty"` BindOptions *BindOptions `json:",omitempty"` @@ -85,6 +85,11 @@ type BindOptions struct { Propagation Propagation `json:",omitempty"` NonRecursive bool `json:",omitempty"` CreateMountpoint bool `json:",omitempty"` + // ReadOnlyNonRecursive makes the mount non-recursively read-only, but still leaves the mount recursive + // (unless NonRecursive is set to true in conjunction). + ReadOnlyNonRecursive bool `json:",omitempty"` + // ReadOnlyForceRecursive raises an error if the mount cannot be made recursively read-only. + ReadOnlyForceRecursive bool `json:",omitempty"` } // VolumeOptions represents the options for a mount of type volume. diff --git a/vendor/github.com/docker/docker/api/types/types.go b/vendor/github.com/docker/docker/api/types/types.go index d6aa3d63851e..04be8e513bfa 100644 --- a/vendor/github.com/docker/docker/api/types/types.go +++ b/vendor/github.com/docker/docker/api/types/types.go @@ -16,6 +16,7 @@ import ( "github.com/docker/docker/api/types/swarm" "github.com/docker/docker/api/types/volume" "github.com/docker/go-connections/nat" + "github.com/opencontainers/runtime-spec/specs-go/features" ) const ( @@ -658,7 +659,8 @@ type Runtime struct { Options map[string]interface{} `json:"options,omitempty"` // This is exposed here only for internal use - ShimConfig *ShimConfig `json:"-"` + ShimConfig *ShimConfig `json:"-"` + Features *features.Features `json:"-"` } // ShimConfig is used by runtime to configure containerd shims diff --git a/vendor/github.com/opencontainers/runtime-spec/LICENSE b/vendor/github.com/opencontainers/runtime-spec/LICENSE new file mode 100644 index 000000000000..bdc403653e0a --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-spec/LICENSE @@ -0,0 +1,191 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2015 The Linux Foundation. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go new file mode 100644 index 000000000000..230e88f568e9 --- /dev/null +++ b/vendor/github.com/opencontainers/runtime-spec/specs-go/features/features.go @@ -0,0 +1,125 @@ +// Package features provides the Features struct. +package features + +// Features represents the supported features of the runtime. +type Features struct { + // OCIVersionMin is the minimum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.0". + OCIVersionMin string `json:"ociVersionMin,omitempty"` + + // OCIVersionMax is the maximum OCI Runtime Spec version recognized by the runtime, e.g., "1.0.2-dev". + OCIVersionMax string `json:"ociVersionMax,omitempty"` + + // Hooks is the list of the recognized hook names, e.g., "createRuntime". + // Nil value means "unknown", not "no support for any hook". + Hooks []string `json:"hooks,omitempty"` + + // MountOptions is the list of the recognized mount options, e.g., "ro". + // Nil value means "unknown", not "no support for any mount option". + // This list does not contain filesystem-specific options passed to mount(2) syscall as (const void *). + MountOptions []string `json:"mountOptions,omitempty"` + + // Linux is specific to Linux. + Linux *Linux `json:"linux,omitempty"` + + // Annotations contains implementation-specific annotation strings, + // such as the implementation version, and third-party extensions. + Annotations map[string]string `json:"annotations,omitempty"` +} + +// Linux is specific to Linux. +type Linux struct { + // Namespaces is the list of the recognized namespaces, e.g., "mount". + // Nil value means "unknown", not "no support for any namespace". + Namespaces []string `json:"namespaces,omitempty"` + + // Capabilities is the list of the recognized capabilities , e.g., "CAP_SYS_ADMIN". + // Nil value means "unknown", not "no support for any capability". + Capabilities []string `json:"capabilities,omitempty"` + + Cgroup *Cgroup `json:"cgroup,omitempty"` + Seccomp *Seccomp `json:"seccomp,omitempty"` + Apparmor *Apparmor `json:"apparmor,omitempty"` + Selinux *Selinux `json:"selinux,omitempty"` + IntelRdt *IntelRdt `json:"intelRdt,omitempty"` +} + +// Cgroup represents the "cgroup" field. +type Cgroup struct { + // V1 represents whether Cgroup v1 support is compiled in. + // Unrelated to whether the host uses cgroup v1 or not. + // Nil value means "unknown", not "false". + V1 *bool `json:"v1,omitempty"` + + // V2 represents whether Cgroup v2 support is compiled in. + // Unrelated to whether the host uses cgroup v2 or not. + // Nil value means "unknown", not "false". + V2 *bool `json:"v2,omitempty"` + + // Systemd represents whether systemd-cgroup support is compiled in. + // Unrelated to whether the host uses systemd or not. + // Nil value means "unknown", not "false". + Systemd *bool `json:"systemd,omitempty"` + + // SystemdUser represents whether user-scoped systemd-cgroup support is compiled in. + // Unrelated to whether the host uses systemd or not. + // Nil value means "unknown", not "false". + SystemdUser *bool `json:"systemdUser,omitempty"` + + // Rdma represents whether RDMA cgroup support is compiled in. + // Unrelated to whether the host supports RDMA or not. + // Nil value means "unknown", not "false". + Rdma *bool `json:"rdma,omitempty"` +} + +// Seccomp represents the "seccomp" field. +type Seccomp struct { + // Enabled is true if seccomp support is compiled in. + // Nil value means "unknown", not "false". + Enabled *bool `json:"enabled,omitempty"` + + // Actions is the list of the recognized actions, e.g., "SCMP_ACT_NOTIFY". + // Nil value means "unknown", not "no support for any action". + Actions []string `json:"actions,omitempty"` + + // Operators is the list of the recognized operators, e.g., "SCMP_CMP_NE". + // Nil value means "unknown", not "no support for any operator". + Operators []string `json:"operators,omitempty"` + + // Archs is the list of the recognized archs, e.g., "SCMP_ARCH_X86_64". + // Nil value means "unknown", not "no support for any arch". + Archs []string `json:"archs,omitempty"` + + // KnownFlags is the list of the recognized filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG". + // Nil value means "unknown", not "no flags are recognized". + KnownFlags []string `json:"knownFlags,omitempty"` + + // SupportedFlags is the list of the supported filter flags, e.g., "SECCOMP_FILTER_FLAG_LOG". + // This list may be a subset of KnownFlags due to some flags + // not supported by the current kernel and/or libseccomp. + // Nil value means "unknown", not "no flags are supported". + SupportedFlags []string `json:"supportedFlags,omitempty"` +} + +// Apparmor represents the "apparmor" field. +type Apparmor struct { + // Enabled is true if AppArmor support is compiled in. + // Unrelated to whether the host supports AppArmor or not. + // Nil value means "unknown", not "false". + Enabled *bool `json:"enabled,omitempty"` +} + +// Selinux represents the "selinux" field. +type Selinux struct { + // Enabled is true if SELinux support is compiled in. + // Unrelated to whether the host supports SELinux or not. + // Nil value means "unknown", not "false". + Enabled *bool `json:"enabled,omitempty"` +} + +// IntelRdt represents the "intelRdt" field. +type IntelRdt struct { + // Enabled is true if Intel RDT support is compiled in. + // Unrelated to whether the host supports Intel RDT or not. + // Nil value means "unknown", not "false". + Enabled *bool `json:"enabled,omitempty"` +} diff --git a/vendor/modules.txt b/vendor/modules.txt index 6047a1a7fb54..d18410104753 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -40,7 +40,7 @@ github.com/docker/distribution/registry/client/transport github.com/docker/distribution/registry/storage/cache github.com/docker/distribution/registry/storage/cache/memory github.com/docker/distribution/uuid -# github.com/docker/docker v24.0.0-rc.2.0.20230523155306-cf4df9d8ae4c+incompatible +# github.com/docker/docker v24.0.0-rc.2.0.20230528104423-2ebd97dec1a2+incompatible ## explicit github.com/docker/docker/api github.com/docker/docker/api/types @@ -198,6 +198,9 @@ github.com/opencontainers/image-spec/specs-go/v1 # github.com/opencontainers/runc v1.1.7 ## explicit; go 1.17 github.com/opencontainers/runc/libcontainer/user +# github.com/opencontainers/runtime-spec v1.1.0-rc.2 +## explicit +github.com/opencontainers/runtime-spec/specs-go/features # github.com/pkg/errors v0.9.1 ## explicit github.com/pkg/errors