From ee6d320706fa420f7a930a901853d7921b294ed9 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Wed, 7 Mar 2018 09:17:41 +0000 Subject: [PATCH] Update moby tool Also update its notary vendor as that was part of update. Signed-off-by: Justin Cormack --- src/cmd/linuxkit/vendor.conf | 4 +- .../vendor/github.com/moby/tool/README.md | 18 ++++ .../github.com/moby/tool/src/moby/linuxkit.go | 2 +- .../github.com/moby/tool/src/moby/output.go | 12 +++ .../vendor/github.com/moby/tool/vendor.conf | 2 +- .../theupdateframework/notary/README.md | 40 ++++----- .../notary/client/client.go | 86 +------------------ .../notary/trustmanager/keys.go | 10 ++- .../trustmanager/yubikey/pkcs11_linux.go | 2 + .../theupdateframework/notary/tuf/tuf.go | 11 +-- .../theupdateframework/notary/vendor.conf | 12 +-- 11 files changed, 75 insertions(+), 124 deletions(-) create mode 100644 src/cmd/linuxkit/vendor/github.com/moby/tool/README.md diff --git a/src/cmd/linuxkit/vendor.conf b/src/cmd/linuxkit/vendor.conf index e07810a89..8060ac422 100644 --- a/src/cmd/linuxkit/vendor.conf +++ b/src/cmd/linuxkit/vendor.conf @@ -26,7 +26,7 @@ github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86 github.com/moby/hyperkit a285521725f44f3d10ca1042c2c07d3a6e24bed8 # When updating also: # curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/«hash»/cmd/moby/build.go -github.com/moby/tool bd556c86f7b1ea3667990468ab28789e61e6f2f1 +github.com/moby/tool c9d52b57874b36a474206a867d9bc3ea7bacaffe github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448 github.com/opencontainers/image-spec v1.0.0 
@@ -40,7 +40,7 @@ github.com/rn/iso9660wrap baf8d62ad3155152b488d5ff9d4f2b9bb0d6986a github.com/sirupsen/logrus v1.0.3 github.com/stretchr/testify v1.1.4 github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495 -github.com/theupdateframework/notary c3574cbdf09c9b52ffd364451d1c793b129edb0a +github.com/theupdateframework/notary v0.6.0 github.com/vmware/govmomi 6f8ebd89d521d9f9af7a6c2219c4deee511020dd github.com/xeipuuv/gojsonpointer 6fe8760cad3569743d51ddbb243b26f8456742dc github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45 diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/README.md b/src/cmd/linuxkit/vendor/github.com/moby/tool/README.md new file mode 100644 index 000000000..2d5aeff55 --- /dev/null +++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/README.md @@ -0,0 +1,18 @@ +# Moby + +[Moby Project](https://mobyproject.org) + +The Moby Project is an open framework to assemble specialized container systems without reinventing the wheel. + +Moby is an open framework created by Docker to assemble specialized container systems without reinventing the wheel. It provides a “lego set” of dozens of standard components and a framework for assembling them into custom platforms. At the core of Moby is a framework to assemble specialized container systems which provides: + +* Components +* Tools +* Assemblies + +For more information, please visit the [Moby Project home page](https://mobyproject.org). + +## Documentation + +* [Format of moby input yml](./docs/yaml.md) +* [Using private images](./docs/privateimages.md) diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go index 7425be6dd..0d853982c 100644 --- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go +++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/linuxkit.go 
@@ -17,7 +17,7 @@ kernel:
 image: linuxkit/kernel:4.9.39
 cmdline: "console=ttyS0"
 init:
- - linuxkit/init:b212cfeb4bb6330e0a7547d8010fe2e8489b677a
+ - linuxkit/init:00ab58c9681a0bf42b2e35134c1ccf1591ebb64d
 - linuxkit/runc:f5960b83a8766ae083efc744fa63dbf877450e4f
 onboot:
 - name: mkimage
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go
index 19850d362..701fa1a82 100644
--- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go
+++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/output.go
@@ -23,6 +23,7 @@ const (
 vmdk = "linuxkit/mkimage-vmdk:deb9018d06dbb9da29464a4320187ce7e4ae1856"
 dynamicvhd = "linuxkit/mkimage-dynamic-vhd:172fb196713a4aff677b88422026512600b1ca55"
 rpi3 = "linuxkit/mkimage-rpi3:553c6c2d13b7d54f6b73b3b0c1c15f2e47ffb0df"
+ qcow2Efi = "linuxkit/mkimage-qcow2-efi:9bc3de981188da099eaf44cc467f5bbb29c13033"
 )
 var outFuns = map[string]func(string, io.Reader, int) error{
@@ -108,6 +109,17 @@ var outFuns = map[string]func(string, io.Reader, int) error{
 }
 return nil
 },
+ "qcow2-efi": func(base string, image io.Reader, size int) error {
+ kernel, initrd, cmdline, _, err := tarToInitrd(image)
+ if err != nil {
+ return fmt.Errorf("Error converting to initrd: %v", err)
+ }
+ err = outputImg(qcow2Efi, base+"-efi.qcow2", kernel, initrd, cmdline)
+ if err != nil {
+ return fmt.Errorf("Error writing qcow2 EFI output: %v", err)
+ }
+ return nil
+ },
 "qcow2-bios": func(base string, image io.Reader, size int) error {
 filename := base + ".qcow2"
 log.Infof(" %s", filename)
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf b/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf
index 4796d797b..be28bf5b7 100644
--- a/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf
+++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/vendor.conf
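Review bot: The new `"qcow2-efi"` entry in outFuns never reports the file it writes, whereas the neighbouring `"qcow2-bios"` entry announces its target with `log.Infof(" %s", filename)` before producing it; for parity, `log.Infof(" %s", base+"-efi.qcow2")` ahead of the outputImg call would keep build output uniform across formats. The `size` parameter is also unreferenced in the new entry, which may well be intentional since it is not used in the three visible lines of the qcow2-bios entry either, but a one-line comment saying why this format ignores it would save the next reader a search. The outFuns map begins and ends outside this hunk, and this is vendored moby/tool code, so any change belongs upstream.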
@@ -13,7 +13,7 @@ github.com/opencontainers/runtime-spec v1.0.0 github.com/pkg/errors v0.8.0 github.com/sirupsen/logrus v1.0.3 github.com/surma/gocpio fcb68777e7dc4ea43ffce871b552c0d073c17495 -github.com/theupdateframework/notary c3574cbdf09c9b52ffd364451d1c793b129edb0a +github.com/theupdateframework/notary v0.6.0 github.com/xeipuuv/gojsonpointer 6fe8760cad3569743d51ddbb243b26f8456742dc github.com/xeipuuv/gojsonreference e02fc20de94c78484cd5ffb007f8af96be030a45 github.com/xeipuuv/gojsonschema 702b404897d4364af44dc8dcabc9815947942325 diff --git a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/README.md b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/README.md index 652305086..6b955d259 100644 --- a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/README.md +++ b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/README.md @@ -1,5 +1,6 @@ Notary +[![GoDoc](https://godoc.org/github.com/theupdateframework/notary?status.svg)](https://godoc.org/github.com/theupdateframework/notary) [![Circle CI](https://circleci.com/gh/theupdateframework/notary/tree/master.svg?style=shield)](https://circleci.com/gh/theupdateframework/notary/tree/master) [![CodeCov](https://codecov.io/github/theupdateframework/notary/coverage.svg?branch=master)](https://codecov.io/github/theupdateframework/notary) [![GoReportCard](https://goreportcard.com/badge/theupdateframework/notary)](https://goreportcard.com/report/github.com/theupdateframework/notary) [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_shield) 
@@ -15,7 +16,7 @@ location via GitHub's redirect. # Overview The Notary project comprises a [server](cmd/notary-server) and a [client](cmd/notary) for running and interacting -with trusted collections. Please see the [service architecture](docs/service_architecture.md) documentation +with trusted collections. See the [service architecture](docs/service_architecture.md) documentation for more information. Notary aims to make the internet more secure by making it easy for people to 
@@ -45,26 +46,26 @@ Notary is based on [The Update Framework](https://www.theupdateframework.com/), ## Security -Please see our [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations. +See Notary's [service architecture docs](docs/service_architecture.md#threat-model) for more information about our threat model, which details the varying survivability and severities for key compromise as well as mitigations. -Our last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)). +Notary's last security audit was on July 31, 2015 by NCC ([results](docs/resources/ncc_docker_notary_audit_2015_07_31.pdf)). Any security vulnerabilities can be reported to security@docker.com. # Getting started with the Notary CLI -Please get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary). +Get the Notary Client CLI binary from [the official releases page](https://github.com/theupdateframework/notary/releases) or you can [build one yourself](#building-notary). The version of Notary server and signer should be greater than or equal to Notary CLI's version to ensure feature compatibility (ex: CLI version 0.2, server/signer version >= 0.2), and all official releases are associated with GitHub tags. -To use the Notary CLI with Docker hub images, please have a look at our +To use the Notary CLI with Docker hub images, have a look at Notary's [getting started docs](docs/getting_started.md). -For more advanced usage, please see the +For more advanced usage, see the [advanced usage docs](docs/advanced_usage.md). To use the CLI against a local Notary server rather than against Docker Hub: -1. 
Please ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed. +1. Ensure that you have [docker and docker-compose](http://docs.docker.com/compose/install/) installed. 1. `git clone https://github.com/theupdateframework/notary.git` and from the cloned repository path, start up a local Notary server and signer and copy the config file and testing certs to your local notary config directory: 
@@ -90,32 +91,31 @@ to use `notary` with Docker images. ## Building Notary -Note that our [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the +Note that Notary's [latest stable release](https://github.com/theupdateframework/notary/releases) is at the head of the [releases branch](https://github.com/theupdateframework/notary/tree/releases). The master branch is the development branch and contains features for the next release. Prerequisites: - Go >= 1.7.1 -- [godep](https://github.com/tools/godep) installed + - Fedora: `dnf install golang` - libtool development headers installed - Ubuntu: `apt-get install libltdl-dev` - CentOS/RedHat: `yum install libtool-ltdl-devel` + - Fedora: `dnf install libtool-ltdl-devel` - Mac OS ([Homebrew](http://brew.sh/)): `brew install libtool` -Run `make client`, which creates the Notary Client CLI binary at `bin/notary`. -Note that `make client` assumes a standard Go directory structure, in which -Notary is checked out to the `src` directory in your `GOPATH`. For example: -``` -$GOPATH/ - src/ - github.com/ - docker/ - notary/ +Set [```GOPATH```](https://golang.org/doc/code.html#GOPATH). Then, run: + +```bash +$ go get github.com/theupdateframework/notary +# build with pcks11 support by default to support yubikey +$ go install -tags pkcs11 github.com/theupdateframework/notary/cmd/notary +$ notary ``` -To build the server and signer, please run `docker-compose build`. +To build the server and signer, run `docker-compose build`. ## License -[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large) \ No newline at end of file +[![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary.svg?type=large)](https://app.fossa.io/projects/git%2Bgithub.com%2Ftheupdateframework%2Fnotary?ref=badge_large) 
diff --git a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/client/client.go b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/client/client.go index 217e96235..efdc6ce4a 100644 --- a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/client/client.go +++ b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/client/client.go 
@@ -1,88 +1,4 @@ -/* -Package client implements everything required for interacting with a Notary repository. - -Usage - -Use this package by creating a new repository object and calling methods on it. - - package main - - import ( - "encoding/hex" - "fmt" - "net/http" - "os" - "time" - - "github.com/docker/distribution/registry/client/auth" - "github.com/docker/distribution/registry/client/auth/challenge" - "github.com/docker/distribution/registry/client/transport" - notary "github.com/theupdateframework/notary/client" - "github.com/theupdateframework/notary/trustpinning" - "github.com/theupdateframework/notary/tuf/data" - ) - - func main() { - rootDir := ".trust" - if err := os.MkdirAll(rootDir, 0700); err != nil { - panic(err) - } - - server := "https://notary.docker.io" - image := "docker.io/library/alpine" - repo, err := notary.NewFileCachedNotaryRepository( - rootDir, - data.GUN(image), - server, - makeHubTransport(server, image), - nil, - trustpinning.TrustPinConfig{}, - ) - - targets, err := repo.ListTargets() - if err != nil { - panic(err) - } - - for _, tgt := range targets { - fmt.Printf("%s\t%s\n", tgt.Name, hex.EncodeToString(tgt.Hashes["sha256"])) - } - } - - func makeHubTransport(server, image string) http.RoundTripper { - base := http.DefaultTransport - modifiers := []transport.RequestModifier{ - transport.NewHeaderRequestModifier(http.Header{ - "User-Agent": []string{"my-client"}, - }), - } - - authTransport := transport.NewTransport(base, modifiers...) 
- pingClient := &http.Client{ - Transport: authTransport, - Timeout: 5 * time.Second, - } - req, err := http.NewRequest("GET", server+"/v2/", nil) - if err != nil { - panic(err) - } - - challengeManager := challenge.NewSimpleManager() - resp, err := pingClient.Do(req) - if err != nil { - panic(err) - } - defer resp.Body.Close() - if err := challengeManager.AddResponse(resp); err != nil { - panic(err) - } - tokenHandler := auth.NewTokenHandler(base, nil, image, "pull") - modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, auth.NewBasicHandler(nil))) - - return transport.NewTransport(base, modifiers...) - } - -*/ +//Package client implements everything required for interacting with a Notary repository. package client import ( diff --git a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/keys.go b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/keys.go index 8ad77a2fe..89e82a75a 100644 --- a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/keys.go +++ b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/keys.go @@ -3,6 +3,7 @@ package trustmanager import ( "encoding/pem" "errors" + "fmt" "io" "io/ioutil" "path/filepath" @@ -100,8 +101,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN return err } var ( - writeTo string - toWrite []byte + writeTo string + toWrite []byte + errBlocks []string ) for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) { handleLegacyPath(block) @@ -110,6 +112,7 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN loc, err := checkValidity(block) if err != nil { // already logged in checkValidity + errBlocks = append(errBlocks, err.Error()) continue } 
@@ -157,6 +160,9 @@ func ImportKeys(from io.Reader, to []Importer, fallbackRole string, fallbackGUN
 if toWrite != nil { // close out final iteration if there's data left
 return importToStores(to, writeTo, toWrite)
 }
+ if len(errBlocks) > 0 {
+ return fmt.Errorf("failed to import all keys: %s", strings.Join(errBlocks, ", "))
+ }
 return nil
 }
diff --git a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go
index 9967e89e1..836018f00 100644
--- a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go
+++ b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/trustmanager/yubikey/pkcs11_linux.go
@@ -4,7 +4,9 @@ package yubikey
 var possiblePkcs11Libs = []string{
 "/usr/lib/libykcs11.so",
+ "/usr/lib/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
 "/usr/lib64/libykcs11.so",
+ "/usr/lib64/libykcs11.so.1", // yubico-piv-tool on Fedora installs here
 "/usr/lib/x86_64-linux-gnu/libykcs11.so",
 "/usr/local/lib/libykcs11.so",
 }
diff --git a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/tuf/tuf.go b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/tuf/tuf.go
index 74f6ceb59..866403bba 100644
--- a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/tuf/tuf.go
+++ b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/tuf/tuf.go
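Review bot: The new `if len(errBlocks) > 0` check at the end of ImportKeys is unreachable whenever the last PEM block was valid, because the preceding `if toWrite != nil { return importToStores(to, writeTo, toWrite) }` returns first; blocks that failed checkValidity earlier in the file are then dropped from the result and the import reports success. The final write should be performed and checked, and the aggregated error returned afterwards, so a caller learns that some keys were skipped regardless of where in the file the bad block sat. ImportKeys begins before this hunk (its earlier hunks are on the previous diff line), and this is vendored notary code, so the fix belongs upstream rather than in this tree.
```go
	if toWrite != nil { // close out final iteration if there's data left
		if err := importToStores(to, writeTo, toWrite); err != nil {
			return err
		}
	}
	if len(errBlocks) > 0 {
		return fmt.Errorf("failed to import all keys: %s", strings.Join(errBlocks, ", "))
	}
	return nil
```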
@@ -248,17 +248,14 @@ func (tr *Repo) GetDelegationRole(name data.RoleName) (data.DelegationRole, erro
 }
 // Check all public key certificates in the role for expiry
 // Currently we do not reject expired delegation keys but warn if they might expire soon or have already
- for keyID, pubKey := range delgRole.Keys {
+ for _, pubKey := range delgRole.Keys {
 certFromKey, err := utils.LoadCertFromPEM(pubKey.Public())
 if err != nil {
 continue
 }
- if err := utils.ValidateCertificate(certFromKey, true); err != nil {
- if _, ok := err.(data.ErrCertExpired); !ok {
- // do not allow other invalid cert errors
- return err
- }
- logrus.Warnf("error with delegation %s key ID %d: %s", delgRole.Name, keyID, err)
+ //Don't check the delegation certificate expiry once added, use the TUF role expiry instead
+ if err := utils.ValidateCertificate(certFromKey, false); err != nil {
+ return err
 }
 }
 foundRole = &delgRole
diff --git a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/vendor.conf b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/vendor.conf
index 73e12db5d..33e81418d 100644
--- a/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/vendor.conf
+++ b/src/cmd/linuxkit/vendor/github.com/theupdateframework/notary/vendor.conf
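Review bot: The new `utils.ValidateCertificate(certFromKey, false)` call accepts an expired delegation certificate without any diagnostic, and the `logrus.Warnf` that previously surfaced the expiry is removed, so nothing in this hunk tells an operator that a delegation key's certificate has lapsed even though the comment above it defers to the TUF role expiry; the two context comments that still say "warn if they might expire soon or have already" are now stale and should be reworded to match. If the certificate is only a carrier for the public key this is defensible, but the warning was cheap: assuming `certFromKey` is an `*x509.Certificate`, `if time.Now().After(certFromKey.NotAfter) { logrus.Warnf("delegation %s: key certificate expired on %s", delgRole.Name, certFromKey.NotAfter) }` keeps the signal, provided `time` and `logrus` are still imported (the diffstat shows two lines changed outside this hunk, plausibly the logrus import being dropped). The added comment should also read `// Don't check …` with a space after the slashes, as every other comment in this hunk does. GetDelegationRole begins before this hunk, and the change is vendored notary code, so any follow-up belongs upstream.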
@@ -5,8 +5,8 @@ github.com/bugsnag/bugsnag-go 13fd6b8acda029830ef9904df6b63be0a83369d0 github.com/bugsnag/panicwrap e2c28503fcd0675329da73bf48b33404db873782 github.com/bugsnag/osext 0dd3f918b21bec95ace9dc86c7e70266cfc5c702 github.com/docker/distribution edc3ab29cdff8694dd6feb85cfeb4b5f1b38ed9c -github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb -github.com/docker/go-connections 3ede32e2033de7505e6500d6c868c2b9ed9f169d +github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb +github.com/docker/go-connections 7395e3f8aa162843a74ed6d48e79627d9792ac55 github.com/docker/go d30aec9fd63c35133f8f79c3412ad91a3b08be06 github.com/dvsekhvalnov/jose2go 6387d3c1f5abd8443b223577d5a7e0f4e0e5731f # v1.2 github.com/go-sql-driver/mysql a0583e0143b1624142adab07e0e97fe106d99561 # v1.3 
@@ -15,22 +15,22 @@ github.com/jinzhu/gorm 5409931a1bb87e484d68d649af9367c207713ea2 github.com/jinzhu/inflection 1c35d901db3da928c72a72d8458480cc9ade058f github.com/lib/pq 0dad96c0b94f8dee039aa40467f767467392a0af github.com/mattn/go-sqlite3 b4142c444a8941d0d92b0b7103a24df9cd815e42 # v1.0.0 -github.com/miekg/pkcs11 ba39b9c6300b7e0be41b115330145ef8afdff7d6 +github.com/miekg/pkcs11 5f6e0d0dad6f472df908c8e968a98ef00c9224bb github.com/mitchellh/go-homedir df55a15e5ce646808815381b3db47a8c66ea62f4 github.com/prometheus/client_golang 449ccefff16c8e2b7229f6be1921ba22f62461fe github.com/prometheus/client_model fa8ad6fec33561be4280a8f0514318c79d7f6cb6 # model-0.0.2-12-gfa8ad6f github.com/prometheus/procfs b1afdc266f54247f5dc725544f5d351a8661f502 github.com/prometheus/common 4fdc91a58c9d3696b982e8a680f4997403132d44 github.com/golang/protobuf c3cefd437628a0b7d31b34fe44b3a7a540e98527 -github.com/spf13/cobra f368244301305f414206f889b1735a54cfc8bde8 +github.com/spf13/cobra 7b2c5ac9fc04fc5efafb60700713d4fa609b777b # v0.0.1 github.com/spf13/viper be5ff3e4840cf692388bde7a057595a474ef379e golang.org/x/crypto 76eec36fa14229c4b25bb894c2d0e591527af429 golang.org/x/net 6a513affb38dc9788b449d59ffed099b8de18fa0 -golang.org/x/sys 739734461d1c916b6c72a63d7efda2b27edb369f +golang.org/x/sys 314a259e304ff91bd6985da2a7149bbf91237993 google.golang.org/grpc 708a7f9f3283aa2d4f6132d287d78683babe55c8 # v1.0.5 github.com/pkg/errors 839d9e913e063e28dfd0e6c7b7512793e0a48be9 -github.com/spf13/pflag cb88ea77998c3f024757528e3305022ab50b43be +github.com/spf13/pflag e57e3eeb33f795204c1ca35f56c44f83227c6e66 # v1.0.0 github.com/spf13/cast 4d07383ffe94b5e5a6fa3af9211374a4507a0184 gopkg.in/yaml.v2 bef53efd0c76e49e6de55ead051f886bea7e9420 gopkg.in/fatih/pool.v2 cba550ebf9bce999a02e963296d4bc7a486cb715