diff --git a/go.mod b/go.mod
index d38d66d997..9217047c46 100644
--- a/go.mod
+++ b/go.mod
@@ -12,7 +12,7 @@ require (
github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240419161514-af205d85bb44
github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
github.com/containerd/cgroups v1.1.0 // indirect
- github.com/docker/docker v27.0.3+incompatible
+ github.com/docker/docker v27.3.1+incompatible
github.com/go-git/go-billy/v5 v5.5.0
github.com/go-git/go-git/v5 v5.12.0
github.com/golang/mock v1.6.0
@@ -171,6 +171,7 @@ require (
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83 // indirect
github.com/moby/sys/user v0.1.0 // indirect
+ github.com/moby/sys/userns v0.1.0 // indirect
github.com/pelletier/go-toml/v2 v2.2.1 // indirect
github.com/pjbgf/sha1cd v0.3.0 // indirect
github.com/sagikazarmark/locafero v0.4.0 // indirect
diff --git a/go.sum b/go.sum
index 8755d68981..b80191f4cb 100644
--- a/go.sum
+++ b/go.sum
@@ -184,8 +184,8 @@ github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwen
github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.0.3+incompatible h1:aBGI9TeQ4MPlhquTQKq9XbK79rKFVwXNUAYz9aXyEBE=
-github.com/docker/docker v27.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v27.3.1+incompatible h1:KttF0XoteNTicmUtBO0L2tP+J7FGRFTjaEF4k6WdhfI=
+github.com/docker/docker v27.3.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
github.com/docker/docker-credential-helpers v0.8.1 h1:j/eKUktUltBtMzKqmfLB0PAgqYyMHOp5vfsD1807oKo=
github.com/docker/docker-credential-helpers v0.8.1/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
@@ -375,6 +375,8 @@ github.com/moby/sys/symlink v0.2.0 h1:tk1rOM+Ljp0nFmfOIBtlV3rTDlWOwFRhjEeAhZB0nZ
github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs=
github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
+github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
+github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
diff --git a/vendor/github.com/docker/docker/api/common.go b/vendor/github.com/docker/docker/api/common.go
index f831735f84..93d64cd8d5 100644
--- a/vendor/github.com/docker/docker/api/common.go
+++ b/vendor/github.com/docker/docker/api/common.go
@@ -3,7 +3,7 @@ package api // import "github.com/docker/docker/api"
// Common constants for daemon and client.
const (
// DefaultVersion of the current REST API.
- DefaultVersion = "1.46"
+ DefaultVersion = "1.47"
// MinSupportedAPIVersion is the minimum API version that can be supported
// by the API server, specified as "major.minor". Note that the daemon
diff --git a/vendor/github.com/docker/docker/api/swagger.yaml b/vendor/github.com/docker/docker/api/swagger.yaml
index cc754bf1fd..7164e1eba5 100644
--- a/vendor/github.com/docker/docker/api/swagger.yaml
+++ b/vendor/github.com/docker/docker/api/swagger.yaml
@@ -19,10 +19,10 @@ produces:
consumes:
- "application/json"
- "text/plain"
-basePath: "/v1.46"
+basePath: "/v1.47"
info:
title: "Docker Engine API"
- version: "1.46"
+ version: "1.47"
x-logo:
url: "https://docs.docker.com/assets/images/logo-docker-main.png"
description: |
@@ -55,8 +55,8 @@ info:
the URL is not supported by the daemon, a HTTP `400 Bad Request` error message
is returned.
- If you omit the version-prefix, the current version of the API (v1.46) is used.
- For example, calling `/info` is the same as calling `/v1.46/info`. Using the
+ If you omit the version-prefix, the current version of the API (v1.47) is used.
+ For example, calling `/info` is the same as calling `/v1.47/info`. Using the
API without a version-prefix is deprecated and will be removed in a future release.
Engine releases in the near future should support this version of the API,
@@ -393,7 +393,7 @@ definitions:
Make the mount non-recursively read-only, but still leave the mount recursive
(unless NonRecursive is set to `true` in conjunction).
- Addded in v1.44, before that version all read-only mounts were
+ Added in v1.44, before that version all read-only mounts were
non-recursive by default. To match the previous behaviour this
will default to `true` for clients on versions prior to v1.44.
type: "boolean"
@@ -1384,7 +1384,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always empty. It must not be used, and will be removed in API v1.47.
+ > always empty. It must not be used, and will be removed in API v1.48.
type: "string"
example: ""
Domainname:
@@ -1394,7 +1394,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always empty. It must not be used, and will be removed in API v1.47.
+ > always empty. It must not be used, and will be removed in API v1.48.
type: "string"
example: ""
User:
@@ -1408,7 +1408,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always false. It must not be used, and will be removed in API v1.47.
+ > always false. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1419,7 +1419,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always false. It must not be used, and will be removed in API v1.47.
+ > always false. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1430,7 +1430,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always false. It must not be used, and will be removed in API v1.47.
+ > always false. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1457,7 +1457,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always false. It must not be used, and will be removed in API v1.47.
+ > always false. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1468,7 +1468,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always false. It must not be used, and will be removed in API v1.47.
+ > always false. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1479,7 +1479,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always false. It must not be used, and will be removed in API v1.47.
+ > always false. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1516,7 +1516,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always empty. It must not be used, and will be removed in API v1.47.
+ > always empty. It must not be used, and will be removed in API v1.48.
type: "string"
default: ""
example: ""
@@ -1555,7 +1555,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always omitted. It must not be used, and will be removed in API v1.47.
+ > always omitted. It must not be used, and will be removed in API v1.48.
type: "boolean"
default: false
example: false
@@ -1567,7 +1567,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always omitted. It must not be used, and will be removed in API v1.47.
+ > always omitted. It must not be used, and will be removed in API v1.48.
type: "string"
default: ""
example: ""
@@ -1601,7 +1601,7 @@ definitions:
> **Deprecated**: this field is not part of the image specification and is
- > always omitted. It must not be used, and will be removed in API v1.47.
+ > always omitted. It must not be used, and will be removed in API v1.48.
type: "integer"
default: 10
x-nullable: true
@@ -2216,7 +2216,7 @@ definitions:
Created:
description: |
Date and time at which the image was created as a Unix timestamp
- (number of seconds sinds EPOCH).
+ (number of seconds since EPOCH).
type: "integer"
x-nullable: false
example: "1644009612"
@@ -2265,6 +2265,19 @@ definitions:
x-nullable: false
type: "integer"
example: 2
+ Manifests:
+ description: |
+ Manifests is a list of manifests available in this image.
+ It provides a more detailed view of the platform-specific image manifests
+ or other image-attached data like build attestations.
+
+ WARNING: This is experimental and may change at any time without any backward
+ compatibility.
+ type: "array"
+ x-nullable: false
+ x-omitempty: true
+ items:
+ $ref: "#/definitions/ImageManifestSummary"
AuthConfig:
type: "object"
@@ -2500,7 +2513,7 @@ definitions:
example: false
Attachable:
description: |
- Wheter a global / swarm scope network is manually attachable by regular
+ Whether a global / swarm scope network is manually attachable by regular
containers from workers in swarm mode.
type: "boolean"
default: false
@@ -3723,7 +3736,7 @@ definitions:
example: "json-file"
Options:
description: |
- Driver-specific options for the selectd log driver, specified
+ Driver-specific options for the selected log driver, specified
as key/value pairs.
type: "object"
additionalProperties:
@@ -5318,7 +5331,7 @@ definitions:
description: |
The default (and highest) API version that is supported by the daemon
type: "string"
- example: "1.46"
+ example: "1.47"
MinAPIVersion:
description: |
The minimum API version that is supported by the daemon
@@ -5334,7 +5347,7 @@ definitions:
The version Go used to compile the daemon, and the version of the Go
runtime in use.
type: "string"
- example: "go1.21.11"
+ example: "go1.22.7"
Os:
description: |
The operating system that the daemon is running on ("linux" or "windows")
@@ -5830,13 +5843,13 @@ definitions:
- "/var/run/cdi"
Containerd:
$ref: "#/definitions/ContainerdInfo"
- x-nullable: true
ContainerdInfo:
description: |
Information for connecting to the containerd instance that is used by the daemon.
This is included for debugging purposes only.
type: "object"
+ x-nullable: true
properties:
Address:
description: "The address of the containerd socket."
@@ -6644,6 +6657,120 @@ definitions:
additionalProperties:
type: "string"
+ ImageManifestSummary:
+ x-go-name: "ManifestSummary"
+ description: |
+ ImageManifestSummary represents a summary of an image manifest.
+ type: "object"
+ required: ["ID", "Descriptor", "Available", "Size", "Kind"]
+ properties:
+ ID:
+ description: |
+ ID is the content-addressable ID of an image and is the same as the
+ digest of the image manifest.
+ type: "string"
+ example: "sha256:95869fbcf224d947ace8d61d0e931d49e31bb7fc67fffbbe9c3198c33aa8e93f"
+ Descriptor:
+ $ref: "#/definitions/OCIDescriptor"
+ Available:
+ description: Indicates whether all the child content (image config, layers) is fully available locally.
+ type: "boolean"
+ example: true
+ Size:
+ type: "object"
+ x-nullable: false
+ required: ["Content", "Total"]
+ properties:
+ Total:
+ type: "integer"
+ format: "int64"
+ example: 8213251
+ description: |
+ Total is the total size (in bytes) of all the locally present
+ data (both distributable and non-distributable) that's related to
+ this manifest and its children.
+ This equal to the sum of [Content] size AND all the sizes in the
+ [Size] struct present in the Kind-specific data struct.
+ For example, for an image kind (Kind == "image")
+ this would include the size of the image content and unpacked
+ image snapshots ([Size.Content] + [ImageData.Size.Unpacked]).
+ Content:
+ description: |
+ Content is the size (in bytes) of all the locally present
+ content in the content store (e.g. image config, layers)
+ referenced by this manifest and its children.
+ This only includes blobs in the content store.
+ type: "integer"
+ format: "int64"
+ example: 3987495
+ Kind:
+ type: "string"
+ example: "image"
+ enum:
+ - "image"
+ - "attestation"
+ - "unknown"
+ description: |
+ The kind of the manifest.
+
+ kind | description
+ -------------|-----------------------------------------------------------
+ image | Image manifest that can be used to start a container.
+ attestation | Attestation manifest produced by the Buildkit builder for a specific image manifest.
+ ImageData:
+ description: |
+ The image data for the image manifest.
+ This field is only populated when Kind is "image".
+ type: "object"
+ x-nullable: true
+ x-omitempty: true
+ required: ["Platform", "Containers", "Size", "UnpackedSize"]
+ properties:
+ Platform:
+ $ref: "#/definitions/OCIPlatform"
+ description: |
+ OCI platform of the image. This will be the platform specified in the
+ manifest descriptor from the index/manifest list.
+ If it's not available, it will be obtained from the image config.
+ Containers:
+ description: |
+ The IDs of the containers that are using this image.
+ type: "array"
+ items:
+ type: "string"
+ example: ["ede54ee1fda366ab42f824e8a5ffd195155d853ceaec74a927f249ea270c7430", "abadbce344c096744d8d6071a90d474d28af8f1034b5ea9fb03c3f4bfc6d005e"]
+ Size:
+ type: "object"
+ x-nullable: false
+ required: ["Unpacked"]
+ properties:
+ Unpacked:
+ type: "integer"
+ format: "int64"
+ example: 3987495
+ description: |
+ Unpacked is the size (in bytes) of the locally unpacked
+ (uncompressed) image content that's directly usable by the containers
+ running this image.
+ It's independent of the distributable content - e.g.
+ the image might still have an unpacked data that's still used by
+ some container even when the distributable/compressed content is
+ already gone.
+ AttestationData:
+ description: |
+ The image data for the attestation manifest.
+ This field is only populated when Kind is "attestation".
+ type: "object"
+ x-nullable: true
+ x-omitempty: true
+ required: ["For"]
+ properties:
+ For:
+ description: |
+ The digest of the image manifest that this attestation is for.
+ type: "string"
+ example: "sha256:95869fbcf224d947ace8d61d0e931d49e31bb7fc67fffbbe9c3198c33aa8e93f"
+
paths:
/containers/json:
get:
@@ -7585,7 +7712,7 @@ paths:
* Memory usage % = `(used_memory / available_memory) * 100.0`
* cpu_delta = `cpu_stats.cpu_usage.total_usage - precpu_stats.cpu_usage.total_usage`
* system_cpu_delta = `cpu_stats.system_cpu_usage - precpu_stats.system_cpu_usage`
- * number_cpus = `lenght(cpu_stats.cpu_usage.percpu_usage)` or `cpu_stats.online_cpus`
+ * number_cpus = `length(cpu_stats.cpu_usage.percpu_usage)` or `cpu_stats.online_cpus`
* CPU usage % = `(cpu_delta / system_cpu_delta) * number_cpus * 100.0`
operationId: "ContainerStats"
produces: ["application/json"]
@@ -8622,6 +8749,11 @@ paths:
description: "Show digest information as a `RepoDigests` field on each image."
type: "boolean"
default: false
+ - name: "manifests"
+ in: "query"
+ description: "Include `Manifests` in the image summary."
+ type: "boolean"
+ default: false
tags: ["Image"]
/build:
post:
@@ -9094,12 +9226,23 @@ paths:
parameters:
- name: "name"
in: "path"
- description: "Image name or ID."
+ description: |
+ Name of the image to push. For example, `registry.example.com/myimage`.
+ The image must be present in the local image store with the same name.
+
+ The name should be provided without tag; if a tag is provided, it
+ is ignored. For example, `registry.example.com/myimage:latest` is
+ considered equivalent to `registry.example.com/myimage`.
+
+ Use the `tag` parameter to specify the tag to push.
type: "string"
required: true
- name: "tag"
in: "query"
- description: "The tag to associate with the image on the registry."
+ description: |
+ Tag of the image to push. For example, `latest`. If no tag is provided,
+ all tags of the given image that are present in the local image store
+ are pushed.
type: "string"
- name: "X-Registry-Auth"
in: "header"
@@ -9563,7 +9706,7 @@ paths:
Containers report these events: `attach`, `commit`, `copy`, `create`, `destroy`, `detach`, `die`, `exec_create`, `exec_detach`, `exec_start`, `exec_die`, `export`, `health_status`, `kill`, `oom`, `pause`, `rename`, `resize`, `restart`, `start`, `stop`, `top`, `unpause`, `update`, and `prune`
- Images report these events: `create, `delete`, `import`, `load`, `pull`, `push`, `save`, `tag`, `untag`, and `prune`
+ Images report these events: `create`, `delete`, `import`, `load`, `pull`, `push`, `save`, `tag`, `untag`, and `prune`
Volumes report these events: `create`, `mount`, `unmount`, `destroy`, and `prune`
diff --git a/vendor/github.com/docker/docker/api/types/container/hostconfig.go b/vendor/github.com/docker/docker/api/types/container/hostconfig.go
index 727da8839c..03648fb7b5 100644
--- a/vendor/github.com/docker/docker/api/types/container/hostconfig.go
+++ b/vendor/github.com/docker/docker/api/types/container/hostconfig.go
@@ -1,6 +1,7 @@
package container // import "github.com/docker/docker/api/types/container"
import (
+ "errors"
"fmt"
"strings"
@@ -325,12 +326,12 @@ func ValidateRestartPolicy(policy RestartPolicy) error {
if policy.MaximumRetryCount < 0 {
msg += " and cannot be negative"
}
- return &errInvalidParameter{fmt.Errorf(msg)}
+ return &errInvalidParameter{errors.New(msg)}
}
return nil
case RestartPolicyOnFailure:
if policy.MaximumRetryCount < 0 {
- return &errInvalidParameter{fmt.Errorf("invalid restart policy: maximum retry count cannot be negative")}
+ return &errInvalidParameter{errors.New("invalid restart policy: maximum retry count cannot be negative")}
}
return nil
case "":
diff --git a/vendor/github.com/docker/docker/api/types/filters/parse.go b/vendor/github.com/docker/docker/api/types/filters/parse.go
index 0c39ab5f18..0914b2a441 100644
--- a/vendor/github.com/docker/docker/api/types/filters/parse.go
+++ b/vendor/github.com/docker/docker/api/types/filters/parse.go
@@ -196,7 +196,7 @@ func (args Args) Match(field, source string) bool {
}
// GetBoolOrDefault returns a boolean value of the key if the key is present
-// and is intepretable as a boolean value. Otherwise the default value is returned.
+// and is interpretable as a boolean value. Otherwise the default value is returned.
// Error is not nil only if the filter values are not valid boolean or are conflicting.
func (args Args) GetBoolOrDefault(key string, defaultValue bool) (bool, error) {
fieldValues, ok := args.fields[key]
diff --git a/vendor/github.com/docker/docker/api/types/image/manifest.go b/vendor/github.com/docker/docker/api/types/image/manifest.go
new file mode 100644
index 0000000000..db8a00830e
--- /dev/null
+++ b/vendor/github.com/docker/docker/api/types/image/manifest.go
@@ -0,0 +1,99 @@
+package image
+
+import (
+ "github.com/opencontainers/go-digest"
+ ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+)
+
+type ManifestKind string
+
+const (
+ ManifestKindImage ManifestKind = "image"
+ ManifestKindAttestation ManifestKind = "attestation"
+ ManifestKindUnknown ManifestKind = "unknown"
+)
+
+type ManifestSummary struct {
+ // ID is the content-addressable ID of an image and is the same as the
+ // digest of the image manifest.
+ //
+ // Required: true
+ ID string `json:"ID"`
+
+ // Descriptor is the OCI descriptor of the image.
+ //
+ // Required: true
+ Descriptor ocispec.Descriptor `json:"Descriptor"`
+
+ // Indicates whether all the child content (image config, layers) is
+ // fully available locally
+ //
+ // Required: true
+ Available bool `json:"Available"`
+
+ // Size is the size information of the content related to this manifest.
+ // Note: These sizes only take the locally available content into account.
+ //
+ // Required: true
+ Size struct {
+ // Content is the size (in bytes) of all the locally present
+ // content in the content store (e.g. image config, layers)
+ // referenced by this manifest and its children.
+ // This only includes blobs in the content store.
+ Content int64 `json:"Content"`
+
+ // Total is the total size (in bytes) of all the locally present
+ // data (both distributable and non-distributable) that's related to
+ // this manifest and its children.
+ // This equal to the sum of [Content] size AND all the sizes in the
+ // [Size] struct present in the Kind-specific data struct.
+ // For example, for an image kind (Kind == ManifestKindImage),
+ // this would include the size of the image content and unpacked
+ // image snapshots ([Size.Content] + [ImageData.Size.Unpacked]).
+ Total int64 `json:"Total"`
+ } `json:"Size"`
+
+ // Kind is the kind of the image manifest.
+ //
+ // Required: true
+ Kind ManifestKind `json:"Kind"`
+
+ // Fields below are specific to the kind of the image manifest.
+
+ // Present only if Kind == ManifestKindImage.
+ ImageData *ImageProperties `json:"ImageData,omitempty"`
+
+ // Present only if Kind == ManifestKindAttestation.
+ AttestationData *AttestationProperties `json:"AttestationData,omitempty"`
+}
+
+type ImageProperties struct {
+ // Platform is the OCI platform object describing the platform of the image.
+ //
+ // Required: true
+ Platform ocispec.Platform `json:"Platform"`
+
+ Size struct {
+ // Unpacked is the size (in bytes) of the locally unpacked
+ // (uncompressed) image content that's directly usable by the containers
+ // running this image.
+ // It's independent of the distributable content - e.g.
+ // the image might still have an unpacked data that's still used by
+ // some container even when the distributable/compressed content is
+ // already gone.
+ //
+ // Required: true
+ Unpacked int64 `json:"Unpacked"`
+ }
+
+ // Containers is an array containing the IDs of the containers that are
+ // using this image.
+ //
+ // Required: true
+ Containers []string `json:"Containers"`
+}
+
+type AttestationProperties struct {
+ // For is the digest of the image manifest that this attestation is for.
+ For digest.Digest `json:"For"`
+}
diff --git a/vendor/github.com/docker/docker/api/types/image/opts.go b/vendor/github.com/docker/docker/api/types/image/opts.go
index 8e32c9af86..923ebe5a06 100644
--- a/vendor/github.com/docker/docker/api/types/image/opts.go
+++ b/vendor/github.com/docker/docker/api/types/image/opts.go
@@ -76,6 +76,9 @@ type ListOptions struct {
// ContainerCount indicates whether container count should be computed.
ContainerCount bool
+
+ // Manifests indicates whether the image manifests should be returned.
+ Manifests bool
}
// RemoveOptions holds parameters to remove images.
diff --git a/vendor/github.com/docker/docker/api/types/image/summary.go b/vendor/github.com/docker/docker/api/types/image/summary.go
index f1e3e2ef01..e87e216a28 100644
--- a/vendor/github.com/docker/docker/api/types/image/summary.go
+++ b/vendor/github.com/docker/docker/api/types/image/summary.go
@@ -1,10 +1,5 @@
package image
-// This file was generated by the swagger tool.
-// Editing this file might prove futile when you re-run the swagger generate command
-
-// Summary summary
-// swagger:model Summary
type Summary struct {
// Number of containers using this image. Includes both stopped and running
@@ -17,7 +12,7 @@ type Summary struct {
Containers int64 `json:"Containers"`
// Date and time at which the image was created as a Unix timestamp
- // (number of seconds sinds EPOCH).
+ // (number of seconds since EPOCH).
//
// Required: true
Created int64 `json:"Created"`
@@ -47,6 +42,14 @@ type Summary struct {
// Required: true
ParentID string `json:"ParentId"`
+ // Manifests is a list of image manifests available in this image. It
+ // provides a more detailed view of the platform-specific image manifests or
+ // other image-attached data like build attestations.
+ //
+ // WARNING: This is experimental and may change at any time without any backward
+ // compatibility.
+ Manifests []ManifestSummary `json:"Manifests,omitempty"`
+
// List of content-addressable digests of locally available image manifests
// that the image is referenced from. Multiple manifests can refer to the
// same image.
diff --git a/vendor/github.com/docker/docker/api/types/registry/authconfig.go b/vendor/github.com/docker/docker/api/types/registry/authconfig.go
index 97a924e374..8e383f6e60 100644
--- a/vendor/github.com/docker/docker/api/types/registry/authconfig.go
+++ b/vendor/github.com/docker/docker/api/types/registry/authconfig.go
@@ -34,10 +34,9 @@ type AuthConfig struct {
}
// EncodeAuthConfig serializes the auth configuration as a base64url encoded
-// RFC4648, section 5) JSON string for sending through the X-Registry-Auth header.
+// ([RFC4648, section 5]) JSON string for sending through the X-Registry-Auth header.
//
-// For details on base64url encoding, see:
-// - RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
buf, err := json.Marshal(authConfig)
if err != nil {
@@ -46,15 +45,14 @@ func EncodeAuthConfig(authConfig AuthConfig) (string, error) {
return base64.URLEncoding.EncodeToString(buf), nil
}
-// DecodeAuthConfig decodes base64url encoded (RFC4648, section 5) JSON
+// DecodeAuthConfig decodes base64url encoded ([RFC4648, section 5]) JSON
// authentication information as sent through the X-Registry-Auth header.
//
-// This function always returns an AuthConfig, even if an error occurs. It is up
+// This function always returns an [AuthConfig], even if an error occurs. It is up
// to the caller to decide if authentication is required, and if the error can
// be ignored.
//
-// For details on base64url encoding, see:
-// - RFC4648, section 5: https://tools.ietf.org/html/rfc4648#section-5
+// [RFC4648, section 5]: https://tools.ietf.org/html/rfc4648#section-5
func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
if authEncoded == "" {
return &AuthConfig{}, nil
@@ -69,7 +67,7 @@ func DecodeAuthConfig(authEncoded string) (*AuthConfig, error) {
// clients and API versions. Current clients and API versions expect authentication
// to be provided through the X-Registry-Auth header.
//
-// Like DecodeAuthConfig, this function always returns an AuthConfig, even if an
+// Like [DecodeAuthConfig], this function always returns an [AuthConfig], even if an
// error occurs. It is up to the caller to decide if authentication is required,
// and if the error can be ignored.
func DecodeAuthConfigBody(rdr io.ReadCloser) (*AuthConfig, error) {
diff --git a/vendor/github.com/docker/docker/api/types/swarm/swarm.go b/vendor/github.com/docker/docker/api/types/swarm/swarm.go
index 3eae4b9b29..1b4be6fffb 100644
--- a/vendor/github.com/docker/docker/api/types/swarm/swarm.go
+++ b/vendor/github.com/docker/docker/api/types/swarm/swarm.go
@@ -122,7 +122,7 @@ type CAConfig struct {
SigningCAKey string `json:",omitempty"`
// If this value changes, and there is no specified signing cert and key,
- // then the swarm is forced to generate a new root certificate ane key.
+ // then the swarm is forced to generate a new root certificate and key.
ForceRotate uint64 `json:",omitempty"`
}
diff --git a/vendor/github.com/docker/docker/api/types/system/info.go b/vendor/github.com/docker/docker/api/types/system/info.go
index 6791cf3284..c66a2afb8b 100644
--- a/vendor/github.com/docker/docker/api/types/system/info.go
+++ b/vendor/github.com/docker/docker/api/types/system/info.go
@@ -77,9 +77,6 @@ type Info struct {
Containerd *ContainerdInfo `json:",omitempty"`
- // Legacy API fields for older API versions.
- legacyFields
-
// Warnings contains a slice of warnings that occurred while collecting
// system information. These warnings are intended to be informational
// messages for the user, and are not intended to be parsed / used for
@@ -124,10 +121,6 @@ type ContainerdNamespaces struct {
Plugins string
}
-type legacyFields struct {
- ExecutionDriver string `json:",omitempty"` // Deprecated: deprecated since API v1.25, but returned for older versions.
-}
-
// PluginsInfo is a temp struct holding Plugins name
// registered with docker daemon. It is used by [Info] struct
type PluginsInfo struct {
diff --git a/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go b/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
index bbd9ff0b8f..618a481620 100644
--- a/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
+++ b/vendor/github.com/docker/docker/api/types/volume/cluster_volume.go
@@ -414,7 +414,7 @@ type Info struct {
// the Volume has not been successfully created yet.
VolumeID string `json:",omitempty"`
- // AccessibleTopolgoy is the topology this volume is actually accessible
+ // AccessibleTopology is the topology this volume is actually accessible
// from.
AccessibleTopology []Topology `json:",omitempty"`
}
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/builder.go b/vendor/github.com/docker/docker/builder/dockerfile/builder.go
index be03511a3f..9ad139b1f2 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/builder.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/builder.go
@@ -8,8 +8,8 @@ import (
"sort"
"strings"
- "github.com/containerd/containerd/platforms"
"github.com/containerd/log"
+ "github.com/containerd/platforms"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/api/types/container"
@@ -228,7 +228,7 @@ func emitImageID(aux *streamformatter.AuxFormatter, state *dispatchState) error
func processMetaArg(meta instructions.ArgCommand, shlex *shell.Lex, args *BuildArgs) error {
// shell.Lex currently only support the concatenated string format
- envs := convertMapToEnvList(args.GetAllAllowed())
+ envs := shell.EnvsFromSlice(convertMapToEnvList(args.GetAllAllowed()))
if err := meta.Expand(func(word string) (string, error) {
newword, _, err := shlex.ProcessWord(word, envs)
return newword, err
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go b/vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go
index c302eeebd5..fe35dd206a 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/dispatchers.go
@@ -15,7 +15,7 @@ import (
"sort"
"strings"
- "github.com/containerd/containerd/platforms"
+ "github.com/containerd/platforms"
"github.com/docker/docker/api"
"github.com/docker/docker/api/types/strslice"
"github.com/docker/docker/builder"
@@ -224,7 +224,7 @@ func (d *dispatchRequest) getExpandedString(shlex *shell.Lex, str string) (strin
substitutionArgs = append(substitutionArgs, key+"="+value)
}
- name, _, err := shlex.ProcessWord(str, substitutionArgs)
+ name, _, err := shlex.ProcessWord(str, shell.EnvsFromSlice(substitutionArgs))
if err != nil {
return "", err
}
@@ -508,7 +508,7 @@ func dispatchEntrypoint(ctx context.Context, d dispatchRequest, c *instructions.
//
// Expose ports for links and port mappings. This all ends up in
// req.runConfig.ExposedPorts for runconfig.
-func dispatchExpose(ctx context.Context, d dispatchRequest, c *instructions.ExposeCommand, envs []string) error {
+func dispatchExpose(ctx context.Context, d dispatchRequest, c *instructions.ExposeCommand, envs shell.EnvGetter) error {
// custom multi word expansion
// expose $FOO with FOO="80 443" is expanded as EXPOSE [80,443]. This is the only command supporting word to words expansion
// so the word processing has been de-generalized
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/evaluator.go b/vendor/github.com/docker/docker/builder/dockerfile/evaluator.go
index 2bf74ed07f..cc23bf0a52 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/evaluator.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/evaluator.go
@@ -43,7 +43,7 @@ func dispatch(ctx context.Context, d dispatchRequest, cmd instructions.Command)
}
}
runConfigEnv := d.state.runConfig.Env
- envs := append(runConfigEnv, d.state.buildArgs.FilterAllowed(runConfigEnv)...)
+ envs := shell.EnvsFromSlice(append(runConfigEnv, d.state.buildArgs.FilterAllowed(runConfigEnv)...))
if ex, ok := cmd.(instructions.SupportsSingleWordExpansion); ok {
err := ex.Expand(func(word string) (string, error) {
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/imagecontext.go b/vendor/github.com/docker/docker/builder/dockerfile/imagecontext.go
index e943c22951..97e1146a7a 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/imagecontext.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/imagecontext.go
@@ -4,8 +4,8 @@ import (
"context"
"runtime"
- "github.com/containerd/containerd/platforms"
"github.com/containerd/log"
+ "github.com/containerd/platforms"
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/builder"
dockerimage "github.com/docker/docker/image"
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/internals.go b/vendor/github.com/docker/docker/builder/dockerfile/internals.go
index 2439efe37b..fada8a65f2 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/internals.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/internals.go
@@ -10,8 +10,8 @@ import (
"fmt"
"strings"
- "github.com/containerd/containerd/platforms"
"github.com/containerd/log"
+ "github.com/containerd/platforms"
"github.com/docker/docker/api/types"
"github.com/docker/docker/api/types/backend"
"github.com/docker/docker/api/types/container"
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/internals_linux.go b/vendor/github.com/docker/docker/builder/dockerfile/internals_linux.go
index 4af7376264..694e129f75 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/internals_linux.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/internals_linux.go
@@ -27,25 +27,25 @@ func parseChownFlag(ctx context.Context, builder *Builder, state *dispatchState,
passwdPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "passwd"), ctrRootPath)
if err != nil {
- return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/passwd path in container rootfs")
+ return idtools.Identity{}, errors.Wrap(err, "can't resolve /etc/passwd path in container rootfs")
}
groupPath, err := symlink.FollowSymlinkInScope(filepath.Join(ctrRootPath, "etc", "group"), ctrRootPath)
if err != nil {
- return idtools.Identity{}, errors.Wrapf(err, "can't resolve /etc/group path in container rootfs")
+ return idtools.Identity{}, errors.Wrap(err, "can't resolve /etc/group path in container rootfs")
}
uid, err := lookupUser(userStr, passwdPath)
if err != nil {
- return idtools.Identity{}, errors.Wrapf(err, "can't find uid for user "+userStr)
+ return idtools.Identity{}, errors.Wrap(err, "can't find uid for user "+userStr)
}
gid, err := lookupGroup(grpStr, groupPath)
if err != nil {
- return idtools.Identity{}, errors.Wrapf(err, "can't find gid for group "+grpStr)
+ return idtools.Identity{}, errors.Wrap(err, "can't find gid for group "+grpStr)
}
// convert as necessary because of user namespaces
chownPair, err := identityMapping.ToHost(idtools.Identity{UID: uid, GID: gid})
if err != nil {
- return idtools.Identity{}, errors.Wrapf(err, "unable to convert uid/gid to host mapping")
+ return idtools.Identity{}, errors.Wrap(err, "unable to convert uid/gid to host mapping")
}
return chownPair, nil
}
diff --git a/vendor/github.com/docker/docker/builder/dockerfile/internals_windows.go b/vendor/github.com/docker/docker/builder/dockerfile/internals_windows.go
index f79f8e16e1..9be0868312 100644
--- a/vendor/github.com/docker/docker/builder/dockerfile/internals_windows.go
+++ b/vendor/github.com/docker/docker/builder/dockerfile/internals_windows.go
@@ -7,7 +7,7 @@ import (
"path/filepath"
"strings"
- "github.com/containerd/containerd/platforms"
+ "github.com/containerd/platforms"
"github.com/docker/docker/api/types/container"
"github.com/docker/docker/api/types/mount"
"github.com/docker/docker/errdefs"
diff --git a/vendor/github.com/docker/docker/client/image_list.go b/vendor/github.com/docker/docker/client/image_list.go
index a9cc1e21e5..bef679431d 100644
--- a/vendor/github.com/docker/docker/client/image_list.go
+++ b/vendor/github.com/docker/docker/client/image_list.go
@@ -11,6 +11,11 @@ import (
)
// ImageList returns a list of images in the docker host.
+//
+// Experimental: Setting the [options.Manifest] will populate
+// [image.Summary.Manifests] with information about image manifests.
+// This is experimental and might change in the future without any backward
+// compatibility.
func (cli *Client) ImageList(ctx context.Context, options image.ListOptions) ([]image.Summary, error) {
var images []image.Summary
@@ -47,6 +52,9 @@ func (cli *Client) ImageList(ctx context.Context, options image.ListOptions) ([]
if options.SharedSize && versions.GreaterThanOrEqualTo(cli.version, "1.42") {
query.Set("shared-size", "1")
}
+ if options.Manifests && versions.GreaterThanOrEqualTo(cli.version, "1.47") {
+ query.Set("manifests", "1")
+ }
serverResp, err := cli.get(ctx, "/images/json", query, nil)
defer ensureReaderClosed(serverResp)
diff --git a/vendor/github.com/docker/docker/container/container.go b/vendor/github.com/docker/docker/container/container.go
index dfc056a427..d9c5bb736c 100644
--- a/vendor/github.com/docker/docker/container/container.go
+++ b/vendor/github.com/docker/docker/container/container.go
@@ -30,7 +30,6 @@ import (
"github.com/docker/docker/layer"
libcontainerdtypes "github.com/docker/docker/libcontainerd/types"
"github.com/docker/docker/oci"
- "github.com/docker/docker/pkg/containerfs"
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/ioutils"
"github.com/docker/docker/restartmanager"
@@ -326,7 +325,7 @@ func (container *Container) SetupWorkingDirectory(rootIdentity idtools.Identity)
}
// GetResourcePath evaluates `path` in the scope of the container's BaseFS, with proper path
-// sanitisation. Symlinks are all scoped to the BaseFS of the container, as
+// sanitization. Symlinks are all scoped to the BaseFS of the container, as
// though the container's BaseFS was `/`.
//
// The BaseFS of a container is the host-facing path which is bind-mounted as
@@ -345,7 +344,7 @@ func (container *Container) GetResourcePath(path string) (string, error) {
}
// IMPORTANT - These are paths on the OS where the daemon is running, hence
// any filepath operations must be done in an OS-agnostic way.
- r, e := symlink.FollowSymlinkInScope(filepath.Join(container.BaseFS, containerfs.CleanScopedPath(path)), container.BaseFS)
+ r, e := symlink.FollowSymlinkInScope(filepath.Join(container.BaseFS, cleanScopedPath(path)), container.BaseFS)
// Log this here on the daemon side as there's otherwise no indication apart
// from the error being propagated all the way back to the client. This makes
@@ -356,8 +355,20 @@ func (container *Container) GetResourcePath(path string) (string, error) {
return r, e
}
+// cleanScopedPath prepares the given path to be combined with a mount path or
+// a drive-letter. On Windows, it removes any existing driveletter (e.g. "C:").
+// The returned path is always prefixed with a [filepath.Separator].
+func cleanScopedPath(path string) string {
+ if len(path) >= 2 {
+ if v := filepath.VolumeName(path); len(v) > 0 {
+ path = path[len(v):]
+ }
+ }
+ return filepath.Join(string(filepath.Separator), path)
+}
+
// GetRootResourcePath evaluates `path` in the scope of the container's root, with proper path
-// sanitisation. Symlinks are all scoped to the root of the container, as
+// sanitization. Symlinks are all scoped to the root of the container, as
// though the container's root was `/`.
//
// The root of a container is the host-facing configuration metadata directory.
diff --git a/vendor/github.com/docker/docker/container/stream/streams.go b/vendor/github.com/docker/docker/container/stream/streams.go
index 78ec048396..b64e3a3969 100644
--- a/vendor/github.com/docker/docker/container/stream/streams.go
+++ b/vendor/github.com/docker/docker/container/stream/streams.go
@@ -2,6 +2,7 @@ package stream // import "github.com/docker/docker/container/stream"
import (
"context"
+ "errors"
"fmt"
"io"
"strings"
@@ -91,24 +92,24 @@ func (c *Config) NewNopInputPipe() {
// CloseStreams ensures that the configured streams are properly closed.
func (c *Config) CloseStreams() error {
- var errors []string
+ var errs []string
if c.stdin != nil {
if err := c.stdin.Close(); err != nil {
- errors = append(errors, fmt.Sprintf("error close stdin: %s", err))
+ errs = append(errs, fmt.Sprintf("error close stdin: %s", err))
}
}
if err := c.stdout.Clean(); err != nil {
- errors = append(errors, fmt.Sprintf("error close stdout: %s", err))
+ errs = append(errs, fmt.Sprintf("error close stdout: %s", err))
}
if err := c.stderr.Clean(); err != nil {
- errors = append(errors, fmt.Sprintf("error close stderr: %s", err))
+ errs = append(errs, fmt.Sprintf("error close stderr: %s", err))
}
- if len(errors) > 0 {
- return fmt.Errorf(strings.Join(errors, "\n"))
+ if len(errs) > 0 {
+ return errors.New(strings.Join(errs, "\n"))
}
return nil
diff --git a/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go b/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go
index 61490c8d1a..17704366dc 100644
--- a/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go
+++ b/vendor/github.com/docker/docker/daemon/logger/loggerutils/logfile.go
@@ -93,7 +93,7 @@ type Decoder interface {
// Reset resets the decoder
// Reset is called for certain events, such as log rotations
Reset(io.Reader)
- // Decode decodes the next log messeage from the stream
+ // Decode decodes the next log message from the stream
Decode() (*logger.Message, error)
// Close signals to the decoder that it can release whatever resources it was using.
Close()
diff --git a/vendor/github.com/docker/docker/daemon/logger/plugin_unix.go b/vendor/github.com/docker/docker/daemon/logger/plugin_unix.go
index 7a8c6aebd6..1951ca88bd 100644
--- a/vendor/github.com/docker/docker/daemon/logger/plugin_unix.go
+++ b/vendor/github.com/docker/docker/daemon/logger/plugin_unix.go
@@ -12,7 +12,7 @@ import (
)
func openPluginStream(a *pluginAdapter) (io.WriteCloser, error) {
- // Make sure to also open with read (in addition to write) to avoid borken pipe errors on plugin failure.
+ // Make sure to also open with read (in addition to write) to avoid broken pipe errors on plugin failure.
// It is up to the plugin to keep track of pipes that it should re-attach to, however.
// If the plugin doesn't open for reads, then the container will block once the pipe is full.
f, err := fifo.OpenFifo(context.Background(), a.fifoPath, unix.O_RDWR|unix.O_CREAT|unix.O_NONBLOCK, 0o700)
diff --git a/vendor/github.com/docker/docker/layer/filestore.go b/vendor/github.com/docker/docker/layer/filestore.go
index 96ede8711b..7870f6ee33 100644
--- a/vendor/github.com/docker/docker/layer/filestore.go
+++ b/vendor/github.com/docker/docker/layer/filestore.go
@@ -7,7 +7,6 @@ import (
"io"
"os"
"path/filepath"
- "regexp"
"strconv"
"strings"
@@ -18,14 +17,11 @@ import (
"github.com/pkg/errors"
)
-var (
- stringIDRegexp = regexp.MustCompile(`^[a-f0-9]{64}(-init)?$`)
- supportedAlgorithms = []digest.Algorithm{
- digest.SHA256,
- // digest.SHA384, // Currently not used
- // digest.SHA512, // Currently not used
- }
-)
+var supportedAlgorithms = []digest.Algorithm{
+ digest.SHA256,
+ // digest.SHA384, // Currently not used
+ // digest.SHA512, // Currently not used
+}
type fileMetadataStore struct {
root string
@@ -262,7 +258,7 @@ func (fms *fileMetadataStore) GetMountID(mount string) (string, error) {
}
content := strings.TrimSpace(string(contentBytes))
- if !stringIDRegexp.MatchString(content) {
+ if !isValidID(content) {
return "", errors.New("invalid mount id value")
}
@@ -279,7 +275,7 @@ func (fms *fileMetadataStore) GetInitID(mount string) (string, error) {
}
content := strings.TrimSpace(string(contentBytes))
- if !stringIDRegexp.MatchString(content) {
+ if !isValidID(content) {
return "", errors.New("invalid init id value")
}
@@ -431,3 +427,18 @@ func (fms *fileMetadataStore) Remove(layer ChainID, cache string) error {
func (fms *fileMetadataStore) RemoveMount(mount string) error {
return os.RemoveAll(fms.getMountDirectory(mount))
}
+
+// isValidID checks if mount/init id is valid. It is similar to
+// regexp.MustCompile(`^[a-f0-9]{64}(-init)?$`).MatchString(id).
+func isValidID(id string) bool {
+ id = strings.TrimSuffix(id, "-init")
+ if len(id) != 64 {
+ return false
+ }
+ for _, c := range id {
+ if (c < '0' || c > '9') && (c < 'a' || c > 'f') {
+ return false
+ }
+ }
+ return true
+}
diff --git a/vendor/github.com/docker/docker/layer/layer.go b/vendor/github.com/docker/docker/layer/layer.go
index 28ad0fc9c7..3f2d3adcaa 100644
--- a/vendor/github.com/docker/docker/layer/layer.go
+++ b/vendor/github.com/docker/docker/layer/layer.go
@@ -199,11 +199,11 @@ func createChainIDFromParent(parent ChainID, dgsts ...DiffID) ChainID {
return parent
}
if parent == "" {
- return createChainIDFromParent(ChainID(dgsts[0]), dgsts[1:]...)
+ return createChainIDFromParent(ChainID(dgsts[0]), dgsts[1:]...) // #nosec G602 -- slice index out of range, which is a false positive
}
// H = "H(n-1) SHA256(n)"
- dgst := digest.FromBytes([]byte(string(parent) + " " + string(dgsts[0])))
- return createChainIDFromParent(ChainID(dgst), dgsts[1:]...)
+ dgst := digest.FromBytes([]byte(string(parent) + " " + string(dgsts[0]))) // #nosec G602 -- slice index out of range, which is a false positive
+ return createChainIDFromParent(ChainID(dgst), dgsts[1:]...) // #nosec G602 -- slice index out of range, which is a false positive
}
// ReleaseAndLog releases the provided layer from the given layer
diff --git a/vendor/github.com/docker/docker/oci/caps/utils.go b/vendor/github.com/docker/docker/oci/caps/utils.go
index c61f6b49e9..1cdcf5b7b3 100644
--- a/vendor/github.com/docker/docker/oci/caps/utils.go
+++ b/vendor/github.com/docker/docker/oci/caps/utils.go
@@ -21,7 +21,7 @@ var (
knownCaps map[string]*struct{}
)
-// GetAllCapabilities returns all capabilities that are availeble in the current
+// GetAllCapabilities returns all capabilities that are available in the current
// environment.
func GetAllCapabilities() []string {
initCaps()
diff --git a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
index 45ac2aa6ce..b9d2a538ab 100644
--- a/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
+++ b/vendor/github.com/docker/docker/pkg/archive/archive_linux.go
@@ -6,8 +6,8 @@ import (
"path/filepath"
"strings"
- "github.com/containerd/containerd/pkg/userns"
"github.com/docker/docker/pkg/system"
+ "github.com/moby/sys/userns"
"github.com/pkg/errors"
"golang.org/x/sys/unix"
)
diff --git a/vendor/github.com/docker/docker/pkg/chrootarchive/archive.go b/vendor/github.com/docker/docker/pkg/chrootarchive/archive.go
index 3b6d8a77aa..07739462e0 100644
--- a/vendor/github.com/docker/docker/pkg/chrootarchive/archive.go
+++ b/vendor/github.com/docker/docker/pkg/chrootarchive/archive.go
@@ -36,7 +36,7 @@ func Untar(tarArchive io.Reader, dest string, options *archive.TarOptions) error
// This should be used to prevent a potential attacker from manipulating `dest`
// such that it would provide access to files outside of `dest` through things
// like symlinks. Normally `ResolveSymlinksInScope` would handle this, however
-// sanitizing symlinks in this manner is inherrently racey:
+// sanitizing symlinks in this manner is inherently racey:
// ref: CVE-2018-15664
func UntarWithRoot(tarArchive io.Reader, dest string, options *archive.TarOptions, root string) error {
return untarHandler(tarArchive, dest, options, true, root)
diff --git a/vendor/github.com/docker/docker/pkg/chrootarchive/diff_unix.go b/vendor/github.com/docker/docker/pkg/chrootarchive/diff_unix.go
index d9f26074a5..e12ba86aca 100644
--- a/vendor/github.com/docker/docker/pkg/chrootarchive/diff_unix.go
+++ b/vendor/github.com/docker/docker/pkg/chrootarchive/diff_unix.go
@@ -6,8 +6,8 @@ import (
"io"
"path/filepath"
- "github.com/containerd/containerd/pkg/userns"
"github.com/docker/docker/pkg/archive"
+ "github.com/moby/sys/userns"
)
// applyLayerHandler parses a diff in the standard layer format from `layer`, and
diff --git a/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go b/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go
deleted file mode 100644
index 3b7fd80f28..0000000000
--- a/vendor/github.com/docker/docker/pkg/containerfs/containerfs.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package containerfs // import "github.com/docker/docker/pkg/containerfs"
-
-import "path/filepath"
-
-// CleanScopedPath prepares the given path to be combined with a mount path or
-// a drive-letter. On Windows, it removes any existing driveletter (e.g. "C:").
-// The returned path is always prefixed with a [filepath.Separator].
-func CleanScopedPath(path string) string {
- if len(path) >= 2 {
- if v := filepath.VolumeName(path); len(v) > 0 {
- path = path[len(v):]
- }
- }
- return filepath.Join(string(filepath.Separator), path)
-}
diff --git a/vendor/github.com/docker/docker/pkg/containerfs/rm.go b/vendor/github.com/docker/docker/pkg/containerfs/rm.go
deleted file mode 100644
index 303714a180..0000000000
--- a/vendor/github.com/docker/docker/pkg/containerfs/rm.go
+++ /dev/null
@@ -1,78 +0,0 @@
-//go:build !darwin && !windows
-
-package containerfs // import "github.com/docker/docker/pkg/containerfs"
-
-import (
- "os"
- "syscall"
- "time"
-
- "github.com/moby/sys/mount"
- "github.com/pkg/errors"
-)
-
-// EnsureRemoveAll wraps `os.RemoveAll` to check for specific errors that can
-// often be remedied.
-// Only use `EnsureRemoveAll` if you really want to make every effort to remove
-// a directory.
-//
-// Because of the way `os.Remove` (and by extension `os.RemoveAll`) works, there
-// can be a race between reading directory entries and then actually attempting
-// to remove everything in the directory.
-// These types of errors do not need to be returned since it's ok for the dir to
-// be gone we can just retry the remove operation.
-//
-// This should not return a `os.ErrNotExist` kind of error under any circumstances
-func EnsureRemoveAll(dir string) error {
- notExistErr := make(map[string]bool)
-
- // track retries
- exitOnErr := make(map[string]int)
- maxRetry := 50
-
- // Attempt to unmount anything beneath this dir first
- mount.RecursiveUnmount(dir)
-
- for {
- err := os.RemoveAll(dir)
- if err == nil {
- return nil
- }
-
- pe, ok := err.(*os.PathError)
- if !ok {
- return err
- }
-
- if os.IsNotExist(err) {
- if notExistErr[pe.Path] {
- return err
- }
- notExistErr[pe.Path] = true
-
- // There is a race where some subdir can be removed but after the parent
- // dir entries have been read.
- // So the path could be from `os.Remove(subdir)`
- // If the reported non-existent path is not the passed in `dir` we
- // should just retry, but otherwise return with no error.
- if pe.Path == dir {
- return nil
- }
- continue
- }
-
- if pe.Err != syscall.EBUSY {
- return err
- }
-
- if e := mount.Unmount(pe.Path); e != nil {
- return errors.Wrapf(e, "error while removing %s", dir)
- }
-
- if exitOnErr[pe.Path] == maxRetry {
- return err
- }
- exitOnErr[pe.Path]++
- time.Sleep(100 * time.Millisecond)
- }
-}
diff --git a/vendor/github.com/docker/docker/pkg/containerfs/rm_windows.go b/vendor/github.com/docker/docker/pkg/containerfs/rm_windows.go
deleted file mode 100644
index 779979ed3d..0000000000
--- a/vendor/github.com/docker/docker/pkg/containerfs/rm_windows.go
+++ /dev/null
@@ -1,6 +0,0 @@
-package containerfs // import "github.com/docker/docker/pkg/containerfs"
-
-import "os"
-
-// EnsureRemoveAll is an alias to os.RemoveAll on Windows
-var EnsureRemoveAll = os.RemoveAll
diff --git a/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go b/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
index 035160c834..8d2c8857fb 100644
--- a/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
+++ b/vendor/github.com/docker/docker/pkg/jsonmessage/jsonmessage.go
@@ -290,7 +290,7 @@ func DisplayJSONMessagesStream(in io.Reader, out io.Writer, terminalFd uintptr,
}
// Stream is an io.Writer for output with utilities to get the output's file
-// descriptor and to detect wether it's a terminal.
+// descriptor and to detect whether it's a terminal.
//
// it is subset of the streams.Out type in
// https://pkg.go.dev/github.com/docker/cli@v20.10.17+incompatible/cli/streams#Out
diff --git a/vendor/github.com/docker/docker/pkg/plugins/discovery.go b/vendor/github.com/docker/docker/pkg/plugins/discovery.go
index 503ac574a9..baa39ccccf 100644
--- a/vendor/github.com/docker/docker/pkg/plugins/discovery.go
+++ b/vendor/github.com/docker/docker/pkg/plugins/discovery.go
@@ -10,8 +10,8 @@ import (
"strings"
"sync"
- "github.com/containerd/containerd/pkg/userns"
"github.com/containerd/log"
+ "github.com/moby/sys/userns"
"github.com/pkg/errors"
)
diff --git a/vendor/github.com/docker/docker/pkg/plugins/plugins.go b/vendor/github.com/docker/docker/pkg/plugins/plugins.go
index 2efd8508bf..96c8e2b7fd 100644
--- a/vendor/github.com/docker/docker/pkg/plugins/plugins.go
+++ b/vendor/github.com/docker/docker/pkg/plugins/plugins.go
@@ -236,7 +236,6 @@ func loadWithRetry(name string, retry bool) (*Plugin, error) {
storage.Unlock()
err = pl.activate()
-
if err != nil {
storage.Lock()
delete(storage.plugins, name)
diff --git a/vendor/github.com/docker/docker/pkg/pools/pools.go b/vendor/github.com/docker/docker/pkg/pools/pools.go
index 3792c67a9e..3ea3012b18 100644
--- a/vendor/github.com/docker/docker/pkg/pools/pools.go
+++ b/vendor/github.com/docker/docker/pkg/pools/pools.go
@@ -124,7 +124,7 @@ func (bufPool *BufioWriterPool) Put(b *bufio.Writer) {
}
// NewWriteCloserWrapper returns a wrapper which puts the bufio.Writer back
-// into the pool and closes the writer if it's an io.Writecloser.
+// into the pool and closes the writer if it's an io.WriteCloser.
func (bufPool *BufioWriterPool) NewWriteCloserWrapper(buf *bufio.Writer, w io.Writer) io.WriteCloser {
return ioutils.NewWriteCloserWrapper(w, func() error {
buf.Flush()
diff --git a/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go b/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
index facfbb3126..b877ecc5a9 100644
--- a/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
+++ b/vendor/github.com/docker/docker/pkg/system/xattrs_linux.go
@@ -6,7 +6,7 @@ import (
// Lgetxattr retrieves the value of the extended attribute identified by attr
// and associated with the given path in the file system.
-// It will returns a nil slice and nil error if the xattr is not set.
+// It returns a nil slice and nil error if the xattr is not set.
func Lgetxattr(path string, attr string) ([]byte, error) {
sysErr := func(err error) ([]byte, error) {
return nil, &XattrError{Op: "lgetxattr", Attr: attr, Path: path, Err: err}
diff --git a/vendor/github.com/docker/docker/plugin/v2/plugin.go b/vendor/github.com/docker/docker/plugin/v2/plugin.go
index 522adeb4de..5712a94847 100644
--- a/vendor/github.com/docker/docker/plugin/v2/plugin.go
+++ b/vendor/github.com/docker/docker/plugin/v2/plugin.go
@@ -55,6 +55,7 @@ func (p *Plugin) ScopedPath(s string) string {
}
// Client returns the plugin client.
+//
// Deprecated: use p.Addr() and manually create the client
func (p *Plugin) Client() *plugins.Client {
p.mu.RLock()
@@ -64,6 +65,7 @@ func (p *Plugin) Client() *plugins.Client {
}
// SetPClient set the plugin client.
+//
// Deprecated: Hardcoded plugin client is deprecated
func (p *Plugin) SetPClient(client *plugins.Client) {
p.mu.Lock()
diff --git a/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go b/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go
index 3c4e143138..bdd8891498 100644
--- a/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go
+++ b/vendor/github.com/docker/docker/plugin/v2/plugin_linux.go
@@ -9,11 +9,11 @@ import (
"runtime"
"strings"
- "github.com/containerd/containerd/pkg/userns"
"github.com/docker/docker/api/types"
"github.com/docker/docker/internal/rootless/mountopts"
"github.com/docker/docker/internal/sliceutil"
"github.com/docker/docker/oci"
+ "github.com/moby/sys/userns"
specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/pkg/errors"
)
diff --git a/vendor/github.com/moby/sys/userns/LICENSE b/vendor/github.com/moby/sys/userns/LICENSE
new file mode 100644
index 0000000000..d645695673
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/LICENSE
@@ -0,0 +1,202 @@
+
+ Apache License
+ Version 2.0, January 2004
+ http://www.apache.org/licenses/
+
+ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+ 1. Definitions.
+
+ "License" shall mean the terms and conditions for use, reproduction,
+ and distribution as defined by Sections 1 through 9 of this document.
+
+ "Licensor" shall mean the copyright owner or entity authorized by
+ the copyright owner that is granting the License.
+
+ "Legal Entity" shall mean the union of the acting entity and all
+ other entities that control, are controlled by, or are under common
+ control with that entity. For the purposes of this definition,
+ "control" means (i) the power, direct or indirect, to cause the
+ direction or management of such entity, whether by contract or
+ otherwise, or (ii) ownership of fifty percent (50%) or more of the
+ outstanding shares, or (iii) beneficial ownership of such entity.
+
+ "You" (or "Your") shall mean an individual or Legal Entity
+ exercising permissions granted by this License.
+
+ "Source" form shall mean the preferred form for making modifications,
+ including but not limited to software source code, documentation
+ source, and configuration files.
+
+ "Object" form shall mean any form resulting from mechanical
+ transformation or translation of a Source form, including but
+ not limited to compiled object code, generated documentation,
+ and conversions to other media types.
+
+ "Work" shall mean the work of authorship, whether in Source or
+ Object form, made available under the License, as indicated by a
+ copyright notice that is included in or attached to the work
+ (an example is provided in the Appendix below).
+
+ "Derivative Works" shall mean any work, whether in Source or Object
+ form, that is based on (or derived from) the Work and for which the
+ editorial revisions, annotations, elaborations, or other modifications
+ represent, as a whole, an original work of authorship. For the purposes
+ of this License, Derivative Works shall not include works that remain
+ separable from, or merely link (or bind by name) to the interfaces of,
+ the Work and Derivative Works thereof.
+
+ "Contribution" shall mean any work of authorship, including
+ the original version of the Work and any modifications or additions
+ to that Work or Derivative Works thereof, that is intentionally
+ submitted to Licensor for inclusion in the Work by the copyright owner
+ or by an individual or Legal Entity authorized to submit on behalf of
+ the copyright owner. For the purposes of this definition, "submitted"
+ means any form of electronic, verbal, or written communication sent
+ to the Licensor or its representatives, including but not limited to
+ communication on electronic mailing lists, source code control systems,
+ and issue tracking systems that are managed by, or on behalf of, the
+ Licensor for the purpose of discussing and improving the Work, but
+ excluding communication that is conspicuously marked or otherwise
+ designated in writing by the copyright owner as "Not a Contribution."
+
+ "Contributor" shall mean Licensor and any individual or Legal Entity
+ on behalf of whom a Contribution has been received by Licensor and
+ subsequently incorporated within the Work.
+
+ 2. Grant of Copyright License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ copyright license to reproduce, prepare Derivative Works of,
+ publicly display, publicly perform, sublicense, and distribute the
+ Work and such Derivative Works in Source or Object form.
+
+ 3. Grant of Patent License. Subject to the terms and conditions of
+ this License, each Contributor hereby grants to You a perpetual,
+ worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+ (except as stated in this section) patent license to make, have made,
+ use, offer to sell, sell, import, and otherwise transfer the Work,
+ where such license applies only to those patent claims licensable
+ by such Contributor that are necessarily infringed by their
+ Contribution(s) alone or by combination of their Contribution(s)
+ with the Work to which such Contribution(s) was submitted. If You
+ institute patent litigation against any entity (including a
+ cross-claim or counterclaim in a lawsuit) alleging that the Work
+ or a Contribution incorporated within the Work constitutes direct
+ or contributory patent infringement, then any patent licenses
+ granted to You under this License for that Work shall terminate
+ as of the date such litigation is filed.
+
+ 4. Redistribution. You may reproduce and distribute copies of the
+ Work or Derivative Works thereof in any medium, with or without
+ modifications, and in Source or Object form, provided that You
+ meet the following conditions:
+
+ (a) You must give any other recipients of the Work or
+ Derivative Works a copy of this License; and
+
+ (b) You must cause any modified files to carry prominent notices
+ stating that You changed the files; and
+
+ (c) You must retain, in the Source form of any Derivative Works
+ that You distribute, all copyright, patent, trademark, and
+ attribution notices from the Source form of the Work,
+ excluding those notices that do not pertain to any part of
+ the Derivative Works; and
+
+ (d) If the Work includes a "NOTICE" text file as part of its
+ distribution, then any Derivative Works that You distribute must
+ include a readable copy of the attribution notices contained
+ within such NOTICE file, excluding those notices that do not
+ pertain to any part of the Derivative Works, in at least one
+ of the following places: within a NOTICE text file distributed
+ as part of the Derivative Works; within the Source form or
+ documentation, if provided along with the Derivative Works; or,
+ within a display generated by the Derivative Works, if and
+ wherever such third-party notices normally appear. The contents
+ of the NOTICE file are for informational purposes only and
+ do not modify the License. You may add Your own attribution
+ notices within Derivative Works that You distribute, alongside
+ or as an addendum to the NOTICE text from the Work, provided
+ that such additional attribution notices cannot be construed
+ as modifying the License.
+
+ You may add Your own copyright statement to Your modifications and
+ may provide additional or different license terms and conditions
+ for use, reproduction, or distribution of Your modifications, or
+ for any such Derivative Works as a whole, provided Your use,
+ reproduction, and distribution of the Work otherwise complies with
+ the conditions stated in this License.
+
+ 5. Submission of Contributions. Unless You explicitly state otherwise,
+ any Contribution intentionally submitted for inclusion in the Work
+ by You to the Licensor shall be under the terms and conditions of
+ this License, without any additional terms or conditions.
+ Notwithstanding the above, nothing herein shall supersede or modify
+ the terms of any separate license agreement you may have executed
+ with Licensor regarding such Contributions.
+
+ 6. Trademarks. This License does not grant permission to use the trade
+ names, trademarks, service marks, or product names of the Licensor,
+ except as required for reasonable and customary use in describing the
+ origin of the Work and reproducing the content of the NOTICE file.
+
+ 7. Disclaimer of Warranty. Unless required by applicable law or
+ agreed to in writing, Licensor provides the Work (and each
+ Contributor provides its Contributions) on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+ implied, including, without limitation, any warranties or conditions
+ of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+ PARTICULAR PURPOSE. You are solely responsible for determining the
+ appropriateness of using or redistributing the Work and assume any
+ risks associated with Your exercise of permissions under this License.
+
+ 8. Limitation of Liability. In no event and under no legal theory,
+ whether in tort (including negligence), contract, or otherwise,
+ unless required by applicable law (such as deliberate and grossly
+ negligent acts) or agreed to in writing, shall any Contributor be
+ liable to You for damages, including any direct, indirect, special,
+ incidental, or consequential damages of any character arising as a
+ result of this License or out of the use or inability to use the
+ Work (including but not limited to damages for loss of goodwill,
+ work stoppage, computer failure or malfunction, or any and all
+ other commercial damages or losses), even if such Contributor
+ has been advised of the possibility of such damages.
+
+ 9. Accepting Warranty or Additional Liability. While redistributing
+ the Work or Derivative Works thereof, You may choose to offer,
+ and charge a fee for, acceptance of support, warranty, indemnity,
+ or other liability obligations and/or rights consistent with this
+ License. However, in accepting such obligations, You may act only
+ on Your own behalf and on Your sole responsibility, not on behalf
+ of any other Contributor, and only if You agree to indemnify,
+ defend, and hold each Contributor harmless for any liability
+ incurred by, or claims asserted against, such Contributor by reason
+ of your accepting any such warranty or additional liability.
+
+ END OF TERMS AND CONDITIONS
+
+ APPENDIX: How to apply the Apache License to your work.
+
+ To apply the Apache License to your work, attach the following
+ boilerplate notice, with the fields enclosed by brackets "[]"
+ replaced with your own identifying information. (Don't include
+ the brackets!) The text should be enclosed in the appropriate
+ comment syntax for the file format. We also recommend that a
+ file or class name and description of purpose be included on the
+ same "printed page" as the copyright notice for easier
+ identification within third-party archives.
+
+ Copyright [yyyy] [name of copyright owner]
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
diff --git a/vendor/github.com/moby/sys/userns/userns.go b/vendor/github.com/moby/sys/userns/userns.go
new file mode 100644
index 0000000000..56b24c44ad
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns.go
@@ -0,0 +1,16 @@
+// Package userns provides utilities to detect whether we are currently running
+// in a Linux user namespace.
+//
+// This code was migrated from [libcontainer/runc], which based its implementation
+// on code from [lcx/incus].
+//
+// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
+// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
+package userns
+
+// RunningInUserNS detects whether we are currently running in a Linux
+// user namespace and memoizes the result. It returns false on non-Linux
+// platforms.
+func RunningInUserNS() bool {
+ return inUserNS()
+}
diff --git a/vendor/github.com/moby/sys/userns/userns_linux.go b/vendor/github.com/moby/sys/userns/userns_linux.go
new file mode 100644
index 0000000000..87c1c38eec
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns_linux.go
@@ -0,0 +1,53 @@
+package userns
+
+import (
+ "bufio"
+ "fmt"
+ "os"
+ "sync"
+)
+
+var inUserNS = sync.OnceValue(runningInUserNS)
+
+// runningInUserNS detects whether we are currently running in a user namespace.
+//
+// This code was migrated from [libcontainer/runc] and based on an implementation
+// from [lcx/incus].
+//
+// [libcontainer/runc]: https://github.com/opencontainers/runc/blob/3778ae603c706494fd1e2c2faf83b406e38d687d/libcontainer/userns/userns_linux.go#L12-L49
+// [lcx/incus]: https://github.com/lxc/incus/blob/e45085dd42f826b3c8c3228e9733c0b6f998eafe/shared/util.go#L678-L700
+func runningInUserNS() bool {
+ file, err := os.Open("/proc/self/uid_map")
+ if err != nil {
+ // This kernel-provided file only exists if user namespaces are supported.
+ return false
+ }
+ defer file.Close()
+
+ buf := bufio.NewReader(file)
+ l, _, err := buf.ReadLine()
+ if err != nil {
+ return false
+ }
+
+ return uidMapInUserNS(string(l))
+}
+
+func uidMapInUserNS(uidMap string) bool {
+ if uidMap == "" {
+ // File exist but empty (the initial state when userns is created,
+ // see user_namespaces(7)).
+ return true
+ }
+
+ var a, b, c int64
+ if _, err := fmt.Sscanf(uidMap, "%d %d %d", &a, &b, &c); err != nil {
+ // Assume we are in a regular, non user namespace.
+ return false
+ }
+
+ // As per user_namespaces(7), /proc/self/uid_map of
+ // the initial user namespace shows 0 0 4294967295.
+ initNS := a == 0 && b == 0 && c == 4294967295
+ return !initNS
+}
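Review bot: In `runningInUserNS`, an empty `/proc/self/uid_map` never reaches the `uidMap == ""` branch of `uidMapInUserNS`. On a file with no data, `buf.ReadLine()` returns `io.EOF`, so the `if err != nil { return false }` guard reports "not in a user namespace" for exactly the state that the later comment says should return true. Because `inUserNS` is wrapped in `sync.OnceValue`, a call made before the mapping is written would keep that false answer for the life of the process, which matters if callers use it to decide whether privileged operations are attempted. Treating EOF as an empty map would line the two functions up, e.g. `if err != nil && !errors.Is(err, io.EOF) { return false }` with `errors` and `io` added to the imports. This file is vendored, so the change belongs upstream rather than in this tree.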
diff --git a/vendor/github.com/moby/sys/userns/userns_linux_fuzzer.go b/vendor/github.com/moby/sys/userns/userns_linux_fuzzer.go
new file mode 100644
index 0000000000..26ba2e16ec
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns_linux_fuzzer.go
@@ -0,0 +1,8 @@
+//go:build linux && gofuzz
+
+package userns
+
+func FuzzUIDMap(uidmap []byte) int {
+ _ = uidMapInUserNS(string(uidmap))
+ return 1
+}
diff --git a/vendor/github.com/moby/sys/userns/userns_unsupported.go b/vendor/github.com/moby/sys/userns/userns_unsupported.go
new file mode 100644
index 0000000000..8ed83072c2
--- /dev/null
+++ b/vendor/github.com/moby/sys/userns/userns_unsupported.go
@@ -0,0 +1,6 @@
+//go:build !linux
+
+package userns
+
+// inUserNS is a stub for non-Linux systems. Always returns false.
+func inUserNS() bool { return false }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 1f3ab8ce7a..9f579133ac 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -503,7 +503,7 @@ github.com/docker/distribution
github.com/docker/distribution/digestset
github.com/docker/distribution/reference
github.com/docker/distribution/registry/client/auth/challenge
-# github.com/docker/docker v27.0.3+incompatible
+# github.com/docker/docker v27.3.1+incompatible
## explicit
github.com/docker/docker/api
github.com/docker/docker/api/types
@@ -561,7 +561,6 @@ github.com/docker/docker/oci/caps
github.com/docker/docker/pkg/archive
github.com/docker/docker/pkg/broadcaster
github.com/docker/docker/pkg/chrootarchive
-github.com/docker/docker/pkg/containerfs
github.com/docker/docker/pkg/homedir
github.com/docker/docker/pkg/idtools
github.com/docker/docker/pkg/ioutils
@@ -902,6 +901,9 @@ github.com/moby/sys/symlink
# github.com/moby/sys/user v0.1.0
## explicit; go 1.17
github.com/moby/sys/user
+# github.com/moby/sys/userns v0.1.0
+## explicit; go 1.21
+github.com/moby/sys/userns
# github.com/moby/term v0.5.0
## explicit; go 1.18
github.com/moby/term