app-containers/docker: add 24.0.4-r1 for go 1.20.6

Closes: https://bugs.gentoo.org/910491 Signed-off-by: William Hubbs <williamh@gentoo.org>
author: William Hubbs <williamh@gentoo.org> 2023-07-21 00:16:59 -0500
committer: William Hubbs <williamh@gentoo.org> 2023-07-21 00:16:59 -0500
commit: c2569d6c9edb48538180eb771c2b8a63fab53cf4 (patch)
tree: 6cc520ec20b3d51f14005dd74246616756e88920 /app-containers/docker
parent: app-containers/docker-cli: add 24.0.4-r1 for go 1.20.6 (diff)
download: gentoo-c2569d6c9edb48538180eb771c2b8a63fab53cf4.tar.gz
gentoo-c2569d6c9edb48538180eb771c2b8a63fab53cf4.tar.bz2
gentoo-c2569d6c9edb48538180eb771c2b8a63fab53cf4.zip
2 files changed, 620 insertions, 0 deletions
diff --git a/app-containers/docker/docker-24.0.4-r1.ebuild b/app-containers/docker/docker-24.0.4-r1.ebuild
new file mode 100644
index 000000000000..72c039ef97b9
--- /dev/null
+++ b/app-containers/docker/docker-24.0.4-r1.ebuild
@@ -0,0 +1,330 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+EGO_PN=github.com/docker/docker
+MY_PV=${PV/_/-}
+inherit linux-info systemd udev golang-vcs-snapshot
+GIT_COMMIT=4ffc61430bbe6d3d405bdf357b766bf303ff3cc5
+
+DESCRIPTION="The core functions you need to create Docker images and run Docker containers"
+HOMEPAGE="https://www.docker.com/"
+SRC_URI="https://github.com/moby/moby/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+IUSE="apparmor btrfs +container-init device-mapper overlay seccomp selinux"
+
+DEPEND="
+	acct-group/docker
+	>=dev-db/sqlite-3.7.9:3
+	apparmor? ( sys-libs/libapparmor )
+	btrfs? ( >=sys-fs/btrfs-progs-3.16.1 )
+	device-mapper? ( >=sys-fs/lvm2-2.02.89[thin] )
+	seccomp? ( >=sys-libs/libseccomp-2.2.1 )
+"
+
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#runtime-dependencies
+# https://github.com/moby/moby/blob/master/project/PACKAGERS.md#optional-dependencies
+RDEPEND="
+	${DEPEND}
+	>=net-firewall/iptables-1.4
+	sys-process/procps
+	>=dev-vcs/git-1.7
+	>=app-arch/xz-utils-4.9
+	dev-libs/libltdl
+	>=app-containers/containerd-1.7.1[apparmor?,btrfs?,device-mapper?,seccomp?]
+	!app-containers/docker-proxy
+	container-init? ( >=sys-process/tini-0.19.0[static] )
+	selinux? ( sec-policy/selinux-docker )
+"
+
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#build-dependencies
+BDEPEND="
+	>=dev-lang/go-1.16.12
+	dev-go/go-md2man
+	virtual/pkgconfig
+"
+# tests require running dockerd as root and downloading containers
+RESTRICT="installsources strip test"
+
+S="${WORKDIR}/${P}/src/${EGO_PN}"
+
+# https://bugs.gentoo.org/748984 https://github.com/etcd-io/etcd/pull/12552
+PATCHES=(
+	"${FILESDIR}/0001-Openrc-Depend-on-containerd-init-script.patch"
+	"${FILESDIR}/${P}-client-define-a-dummy-hostname-for-local-connections.patch"
+)
+
+pkg_setup() {
+	# this is based on "contrib/check-config.sh" from upstream's sources
+	# required features.
+	CONFIG_CHECK="
+		~NAMESPACES ~NET_NS ~PID_NS ~IPC_NS ~UTS_NS
+		~CGROUPS ~CGROUP_CPUACCT ~CGROUP_DEVICE ~CGROUP_FREEZER ~CGROUP_SCHED ~CPUSETS ~MEMCG
+		~KEYS
+		~VETH ~BRIDGE ~BRIDGE_NETFILTER
+		~IP_NF_FILTER ~IP_NF_TARGET_MASQUERADE
+		~NETFILTER_XT_MATCH_ADDRTYPE
+		~NETFILTER_XT_MATCH_CONNTRACK
+		~NETFILTER_XT_MATCH_IPVS
+		~NETFILTER_XT_MARK
+		~IP_NF_NAT ~NF_NAT
+		~POSIX_MQUEUE
+	"
+	WARNING_POSIX_MQUEUE="CONFIG_POSIX_MQUEUE: is required for bind-mounting /dev/mqueue into containers"
+
+	if kernel_is lt 4 8; then
+		CONFIG_CHECK+="
+			~DEVPTS_MULTIPLE_INSTANCES
+		"
+	fi
+
+	if kernel_is le 5 1; then
+		CONFIG_CHECK+="
+			~NF_NAT_IPV4
+		"
+	fi
+
+	if kernel_is le 5 2; then
+		CONFIG_CHECK+="
+			~NF_NAT_NEEDED
+		"
+	fi
+
+	if kernel_is ge 4 15; then
+		CONFIG_CHECK+="
+			~CGROUP_BPF
+		"
+	fi
+
+	# optional features
+	CONFIG_CHECK+="
+		~USER_NS
+	"
+
+	if use seccomp; then
+		CONFIG_CHECK+="
+			~SECCOMP ~SECCOMP_FILTER
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~CGROUP_PIDS
+	"
+
+	if kernel_is lt 6 1; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP
+			"
+	fi
+
+	if kernel_is le 5 8; then
+		CONFIG_CHECK+="
+			~MEMCG_SWAP_ENABLED
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~!LEGACY_VSYSCALL_NATIVE
+		"
+	if kernel_is lt 5 19; then
+		CONFIG_CHECK+="
+			~LEGACY_VSYSCALL_EMULATE
+			"
+	fi
+	CONFIG_CHECK+="
+		~!LEGACY_VSYSCALL_NONE
+		"
+	WARNING_LEGACY_VSYSCALL_NONE="CONFIG_LEGACY_VSYSCALL_NONE enabled: \
+		Containers with <=glibc-2.13 will not work"
+
+	if kernel_is le 4 5; then
+		CONFIG_CHECK+="
+			~MEMCG_KMEM
+		"
+	fi
+
+	if kernel_is lt 5; then
+		CONFIG_CHECK+="
+			~IOSCHED_CFQ ~CFQ_GROUP_IOSCHED
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~BLK_CGROUP ~BLK_DEV_THROTTLING
+		~CGROUP_PERF
+		~CGROUP_HUGETLB
+		~NET_CLS_CGROUP ~CGROUP_NET_PRIO
+		~CFS_BANDWIDTH ~FAIR_GROUP_SCHED
+		~IP_NF_TARGET_REDIRECT
+		~IP_VS
+		~IP_VS_NFCT
+		~IP_VS_PROTO_TCP
+		~IP_VS_PROTO_UDP
+		~IP_VS_RR
+		"
+
+	if use selinux; then
+		CONFIG_CHECK+="
+			~SECURITY_SELINUX
+			"
+	fi
+
+	if use apparmor; then
+		CONFIG_CHECK+="
+			~SECURITY_APPARMOR
+			"
+	fi
+
+	# if ! is_set EXT4_USE_FOR_EXT2; then
+	#	check_flags EXT3_FS EXT3_FS_XATTR EXT3_FS_POSIX_ACL EXT3_FS_SECURITY
+	#	if ! is_set EXT3_FS || ! is_set EXT3_FS_XATTR || ! is_set EXT3_FS_POSIX_ACL || ! is_set EXT3_FS_SECURITY; then
+	#		echo "    $(wrap_color '(enable these ext3 configs if you are using ext3 as backing filesystem)' bold black)"
+	#	fi
+	# fi
+
+	CONFIG_CHECK+="
+		~EXT4_FS ~EXT4_FS_POSIX_ACL ~EXT4_FS_SECURITY
+	"
+
+	# if ! is_set EXT4_FS || ! is_set EXT4_FS_POSIX_ACL || ! is_set EXT4_FS_SECURITY; then
+	#	if is_set EXT4_USE_FOR_EXT2; then
+	#		echo "    $(wrap_color 'enable these ext4 configs if you are using ext3 or ext4 as backing filesystem' bold black)"
+	#	else
+	#		echo "    $(wrap_color 'enable these ext4 configs if you are using ext4 as backing filesystem' bold black)"
+	#	fi
+	# fi
+
+	# network drivers
+	CONFIG_CHECK+="
+		~VXLAN ~BRIDGE_VLAN_FILTERING
+		~CRYPTO ~CRYPTO_AEAD ~CRYPTO_GCM ~CRYPTO_SEQIV ~CRYPTO_GHASH
+		~XFRM ~XFRM_USER ~XFRM_ALGO ~INET_ESP
+	"
+	if kernel_is le 5 3; then
+		CONFIG_CHECK+="
+			~INET_XFRM_MODE_TRANSPORT
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~IPVLAN
+		"
+	CONFIG_CHECK+="
+		~MACVLAN ~DUMMY
+		"
+	CONFIG_CHECK+="
+		~NF_NAT_FTP ~NF_CONNTRACK_FTP ~NF_NAT_TFTP ~NF_CONNTRACK_TFTP
+	"
+
+	# storage drivers
+	if use btrfs; then
+		CONFIG_CHECK+="
+			~BTRFS_FS
+			~BTRFS_FS_POSIX_ACL
+		"
+	fi
+
+	if use device-mapper; then
+		CONFIG_CHECK+="
+			~BLK_DEV_DM ~DM_THIN_PROVISIONING
+		"
+	fi
+
+	CONFIG_CHECK+="
+		~OVERLAY_FS
+	"
+
+	linux-info_pkg_setup
+}
+
+src_compile() {
+	export DOCKER_GITCOMMIT="${GIT_COMMIT}"
+	export GOPATH="${WORKDIR}/${P}"
+	export VERSION=${PV}
+
+	# setup CFLAGS and LDFLAGS for separate build target
+	# see https://github.com/tianon/docker-overlay/pull/10
+	export CGO_CFLAGS="-I${ESYSROOT}/usr/include"
+	export CGO_LDFLAGS="-L${ESYSROOT}/usr/$(get_libdir)"
+
+	# let's set up some optional features :)
+	export DOCKER_BUILDTAGS=''
+	for gd in btrfs device-mapper overlay; do
+		if ! use $gd; then
+			DOCKER_BUILDTAGS+=" exclude_graphdriver_${gd//-/}"
+		fi
+	done
+
+	for tag in apparmor seccomp; do
+		if use $tag; then
+			DOCKER_BUILDTAGS+=" $tag"
+		fi
+	done
+
+	# build daemon
+	./hack/make.sh dynbinary || die 'dynbinary failed'
+}
+
+src_install() {
+	dosym containerd /usr/bin/docker-containerd
+	dosym containerd-shim /usr/bin/docker-containerd-shim
+	dosym runc /usr/bin/docker-runc
+	use container-init && dosym tini /usr/bin/docker-init
+	newbin bundles/dynbinary-daemon/dockerd dockerd
+
+	newinitd contrib/init/openrc/docker.initd docker
+	newconfd contrib/init/openrc/docker.confd docker
+
+	systemd_dounit contrib/init/systemd/docker.{service,socket}
+
+	udev_dorules contrib/udev/*.rules
+
+	dodoc AUTHORS CONTRIBUTING.md NOTICE README.md
+	dodoc -r docs/*
+
+	# note: intentionally not using "doins" so that we preserve +x bits
+	dodir /usr/share/${PN}/contrib
+	cp -R contrib/* "${ED}/usr/share/${PN}/contrib"
+}
+
+pkg_postinst() {
+	udev_reload
+
+	elog
+	elog "To use Docker, the Docker daemon must be running as root. To automatically"
+	elog "start the Docker daemon at boot:"
+	if systemd_is_booted || has_version sys-apps/systemd; then
+		elog "  systemctl enable docker.service"
+	else
+		elog "  rc-update add docker default"
+	fi
+	elog
+	elog "To use Docker as a non-root user, add yourself to the 'docker' group:"
+	elog '  usermod -aG docker <youruser>'
+	elog
+
+	if use device-mapper; then
+		elog " Devicemapper storage driver has been deprecated"
+		elog " It will be removed in a future release"
+		elog
+	fi
+
+	if use overlay; then
+		elog " Overlay storage driver/USEflag has been deprecated"
+		elog " in favor of overlay2 (enabled unconditionally)"
+		elog
+	fi
+
+	if has_version sys-fs/zfs; then
+		elog " ZFS storage driver is available"
+		elog " Check https://docs.docker.com/storage/storagedriver/zfs-driver for more info"
+		elog
+	fi
+}
+
+pkg_postrm() {
+	udev_reload
+}
diff --git a/app-containers/docker/files/docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch b/app-containers/docker/files/docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch
new file mode 100644
index 000000000000..91c0f12daae0
--- /dev/null
+++ b/app-containers/docker/files/docker-24.0.4-client-define-a-dummy-hostname-for-local-connections.patch
@@ -0,0 +1,290 @@
+From 18b6066f21dd24671c96c3d9f1b3a7e39da1dabf Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 14:15:38 +0200
+Subject: [PATCH 1/3] client: define a "dummy" hostname to use for local
+ connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the client's `addr` as hostname in some cases, which
+could contain the path for the unix-socket (`/var/run/docker.sock`), which
+gets rejected by go1.20.6 and go1.19.11 because of a security fix for
+[CVE-2023-29406 ][1], which was implemented in  https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+This patch introduces a `DummyHost` const, and uses this dummy host for
+cases where we don't need an actual hostname.
+
+Before this patch (using go1.20.6):
+
+    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+    === RUN   TestAttachWithTTY
+        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+    --- FAIL: TestAttachWithTTY (0.11s)
+    === RUN   TestAttachWithoutTTy
+        attach_test.go:46: assertion failed: error is not nil: http: invalid Host header
+    --- FAIL: TestAttachWithoutTTy (0.02s)
+    FAIL
+
+With this patch applied:
+
+    make GO_VERSION=1.20.6 TEST_FILTER=TestAttach test-integration
+    INFO: Testing against a local daemon
+    === RUN   TestAttachWithTTY
+    --- PASS: TestAttachWithTTY (0.12s)
+    === RUN   TestAttachWithoutTTy
+    --- PASS: TestAttachWithoutTTy (0.02s)
+    PASS
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit 5119e8c98f31f36a9e73884d4132c326cd931c34)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ client/client.go       | 30 ++++++++++++++++++++++++++++++
+ client/hijack.go       |  5 ++++-
+ client/request.go      |  8 ++++----
+ client/request_test.go | 20 ++++++++------------
+ 4 files changed, 46 insertions(+), 17 deletions(-)
+
+diff --git a/client/client.go b/client/client.go
+index 1c081a51ae69..54fa36cca88e 100644
+--- a/client/client.go
++++ b/moby-24.0.4/client/client.go
+@@ -56,6 +56,36 @@ import (
+ 	"github.com/pkg/errors"
+ )
+ 
++// DummyHost is a hostname used for local communication.
++//
++// It acts as a valid formatted hostname for local connections (such as "unix://"
++// or "npipe://") which do not require a hostname. It should never be resolved,
++// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
++// and [RFC 6761, Section 6.3]).
++//
++// [RFC 7230, Section 5.4] defines that an empty header must be used for such
++// cases:
++//
++//	If the authority component is missing or undefined for the target URI,
++//	then a client MUST send a Host header field with an empty field-value.
++//
++// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
++// allow an empty header to be used, and requires req.URL.Scheme to be either
++// "http" or "https".
++//
++// For further details, refer to:
++//
++//   - https://github.com/docker/engine-api/issues/189
++//   - https://github.com/golang/go/issues/13624
++//   - https://github.com/golang/go/issues/61076
++//   - https://github.com/moby/moby/issues/45935
++//
++// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
++// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
++// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
++// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
++const DummyHost = "api.moby.localhost"
++
+ // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
+ var ErrRedirect = errors.New("unexpected redirect in response")
+ 
+diff --git a/client/hijack.go b/client/hijack.go
+index 6bdacab10adb..db9b02e1601f 100644
+--- a/client/hijack.go
++++ b/moby-24.0.4/client/hijack.go
+@@ -64,7 +64,10 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
+ }
+ 
+ func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
+-	req.Host = cli.addr
++	if cli.proto == "unix" || cli.proto == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = DummyHost
++	}
+ 	req.Header.Set("Connection", "Upgrade")
+ 	req.Header.Set("Upgrade", proto)
+ 
+diff --git a/client/request.go b/client/request.go
+index c799095c1227..8f43553fb7c5 100644
+--- a/client/request.go
++++ b/moby-24.0.4/client/request.go
+@@ -98,12 +98,12 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
+ 	req = cli.addHeaders(req, headers)
+ 
+ 	if cli.proto == "unix" || cli.proto == "npipe" {
+-		// For local communications, it doesn't matter what the host is. We just
+-		// need a valid and meaningful host name. (See #189)
+-		req.Host = "docker"
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = DummyHost
++	} else {
++		req.URL.Host = cli.addr
+ 	}
+ 
+-	req.URL.Host = cli.addr
+ 	req.URL.Scheme = cli.scheme
+ 
+ 	if expectedPayload && req.Header.Get("Content-Type") == "" {
+diff --git a/client/request_test.go b/client/request_test.go
+index 6e5a6e81f21c..1a99197ca231 100644
+--- a/client/request_test.go
++++ b/moby-24.0.4/client/request_test.go
+@@ -28,24 +28,20 @@ func TestSetHostHeader(t *testing.T) {
+ 		expectedURLHost string
+ 	}{
+ 		{
+-			"unix:///var/run/docker.sock",
+-			"docker",
+-			"/var/run/docker.sock",
++			host:            "unix:///var/run/docker.sock",
++			expectedURLHost: DummyHost,
+ 		},
+ 		{
+-			"npipe:////./pipe/docker_engine",
+-			"docker",
+-			"//./pipe/docker_engine",
++			host:            "npipe:////./pipe/docker_engine",
++			expectedURLHost: DummyHost,
+ 		},
+ 		{
+-			"tcp://0.0.0.0:4243",
+-			"",
+-			"0.0.0.0:4243",
++			host:            "tcp://0.0.0.0:4243",
++			expectedURLHost: "0.0.0.0:4243",
+ 		},
+ 		{
+-			"tcp://localhost:4243",
+-			"",
+-			"localhost:4243",
++			host:            "tcp://localhost:4243",
++			expectedURLHost: "localhost:4243",
+ 		},
+ 	}
+ 
+
+From d22fa2bb92fd1ea37071487465f58c8bcb58badd Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 15:07:59 +0200
+Subject: [PATCH 2/3] pkg/plugins: use a dummy hostname for local connections
+
+For local communications (npipe://, unix://), the hostname is not used,
+but we need valid and meaningful hostname.
+
+The current code used the socket path as hostname, which gets rejected by
+go1.20.6 and go1.19.11 because of a security fix for [CVE-2023-29406 ][1],
+which was implemented in  https://go.dev/issue/60374.
+
+Prior versions go Go would clean the host header, and strip slashes in the
+process, but go1.20.6 and go1.19.11 no longer do, and reject the host
+header.
+
+Before this patch, tests would fail on go1.20.6:
+
+    === FAIL: pkg/authorization TestAuthZRequestPlugin (15.01s)
+    time="2023-07-12T12:53:45Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 1s"
+    time="2023-07-12T12:53:46Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 2s"
+    time="2023-07-12T12:53:48Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 4s"
+    time="2023-07-12T12:53:52Z" level=warning msg="Unable to connect to plugin: //tmp/authz2422457390/authz-test-plugin.sock/AuthZPlugin.AuthZReq: Post \"http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq\": http: invalid Host header, retrying in 8s"
+        authz_unix_test.go:82: Failed to authorize request Post "http://%2F%2Ftmp%2Fauthz2422457390%2Fauthz-test-plugin.sock/AuthZPlugin.AuthZReq": http: invalid Host header
+
+[1]: https://github.com/advisories/GHSA-f8f7-69v5-w4vx
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit a4a861f9fbdd6293f95ef8d6d35241c6f6c29853)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ pkg/plugins/client.go | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/pkg/plugins/client.go b/pkg/plugins/client.go
+index 752fecd0ae47..a740a8c3dac1 100644
+--- a/pkg/plugins/client.go
++++ b/moby-24.0.4/pkg/plugins/client.go
+@@ -18,6 +18,12 @@ import (
+ 
+ const (
+ 	defaultTimeOut = 30
++
++	// dummyHost is a hostname used for local communication.
++	//
++	// For local communications (npipe://, unix://), the hostname is not used,
++	// but we need valid and meaningful hostname.
++	dummyHost = "plugin.moby.localhost"
+ )
+ 
+ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transport, error) {
+@@ -44,8 +50,12 @@ func newTransport(addr string, tlsConfig *tlsconfig.Options) (transport.Transpor
+ 		return nil, err
+ 	}
+ 	scheme := httpScheme(u)
+-
+-	return transport.NewHTTPTransport(tr, scheme, socket), nil
++	hostName := u.Host
++	if hostName == "" || u.Scheme == "unix" || u.Scheme == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		hostName = dummyHost
++	}
++	return transport.NewHTTPTransport(tr, scheme, hostName), nil
+ }
+ 
+ // NewClient creates a new plugin client (http).
+
+From af1c09666a5c7ea12685fb8b482e64433a58f820 Mon Sep 17 00:00:00 2001
+From: Sebastiaan van Stijn <github@gone.nl>
+Date: Wed, 12 Jul 2023 17:37:01 +0200
+Subject: [PATCH 3/3] testutil: use dummyhost for non-tcp connections
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+(cherry picked from commit 524506a452dab8f67cb2c287c8acacdbe2599906)
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+---
+ integration-cli/docker_api_attach_test.go | 9 ++++++++-
+ testutil/request/request.go               | 9 +++++++--
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/integration-cli/docker_api_attach_test.go b/integration-cli/docker_api_attach_test.go
+index 6d31c51ec344..0064b48bdf7b 100644
+--- a/integration-cli/docker_api_attach_test.go
++++ b/moby-24.0.4/integration-cli/docker_api_attach_test.go
+@@ -234,7 +234,14 @@ func requestHijack(method, endpoint string, data io.Reader, ct, daemon string, m
+ 		return nil, nil, errors.Wrap(err, "could not create new request")
+ 	}
+ 	req.URL.Scheme = "http"
+-	req.URL.Host = hostURL.Host
++
++	// FIXME(thaJeztah): this should really be done by client.ParseHostURL
++	if hostURL.Scheme == "unix" || hostURL.Scheme == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = client.DummyHost
++	} else {
++		req.URL.Host = hostURL.Host
++	}
+ 
+ 	for _, opt := range modifiers {
+ 		opt(req)
+diff --git a/testutil/request/request.go b/testutil/request/request.go
+index d5f559c66637..239e27a8fc1d 100644
+--- a/testutil/request/request.go
++++ b/moby-24.0.4/testutil/request/request.go
+@@ -123,8 +123,13 @@ func newRequest(endpoint string, opts *Options) (*http.Request, error) {
+ 	} else {
+ 		req.URL.Scheme = "http"
+ 	}
+-	req.URL.Host = hostURL.Host
+-
++	// FIXME(thaJeztah): this should really be done by client.ParseHostURL
++	if hostURL.Scheme == "unix" || hostURL.Scheme == "npipe" {
++		// For local communications, it doesn't matter what the host is.
++		req.URL.Host = client.DummyHost
++	} else {
++		req.URL.Host = hostURL.Host
++	}
+ 	for _, config := range opts.requestModifiers {
+ 		if err := config(req); err != nil {
+ 			return nil, err
author	William Hubbs <williamh@gentoo.org>	2023-07-21 00:16:59 -0500
committer	William Hubbs <williamh@gentoo.org>	2023-07-21 00:16:59 -0500
commit	c2569d6c9edb48538180eb771c2b8a63fab53cf4 (patch)
tree	6cc520ec20b3d51f14005dd74246616756e88920 /app-containers/docker
parent	app-containers/docker-cli: add 24.0.4-r1 for go 1.20.6 (diff)
download	gentoo-c2569d6c9edb48538180eb771c2b8a63fab53cf4.tar.gz gentoo-c2569d6c9edb48538180eb771c2b8a63fab53cf4.tar.bz2 gentoo-c2569d6c9edb48538180eb771c2b8a63fab53cf4.zip