Vendored Docker SDK for Python updates #434
Conversation
|
Current state contains commits up to docker/docker-py@dff849f. (Not yet there: https://github.com/docker/docker-py/compare/dff849f6bb7d6805f52dd2112b8666c86d3f3235..main) |
| bugfixes: | ||
| - "modules and plugins communicating directly with the Docker daemon - fix parsing of IPv6 addresses with a port in ``docker_host``. This is only a change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." | ||
| - "modules and plugins communicating directly with the Docker daemon - fix ``ProxyCommand`` handling for SSH connections when not using ``use_ssh_client=true``. This is only a change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." | ||
| - "modules and plugins communicating directly with the Docker daemon - do not create a subshell for SSH connections when using ``use_ssh_client=true``. This is only a change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." | ||
| - "docker_image - when composing the build context, trim trailing whitespace from ``.dockerignore`` entries. This is only a change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." | ||
| minor_changes: | ||
| - "modules and plugins communicating directly with the Docker daemon - improve default TLS version selection for Python 3.6 and newer. This is only a change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." | ||
| security_fixes: | ||
| - "modules and plugins communicating directly with the Docker daemon - when connecting by SSH and not using ``use_ssh_client=true``, reject unknown host keys instead of accepting them. This is only a change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." | ||
| breaking_changes: | ||
| - "modules and plugins communicating directly with the Docker daemon - when connecting by SSH and not using ``use_ssh_client=true``, reject unknown host keys instead of accepting them. This is only a breaking change relatively to older community.docker 3.0.0 pre-releases, or with respect to Docker SDK for Python < 6.0.0. Docker SDK for Python 6.0.0 will also include this change (https://github.com/ansible-collections/community.docker/pull/434)." |
There was a problem hiding this comment.
Grammar nitpick: s/relatively/relative/. I like adverbs (my name is Maxwell, after all), but this is not the correct place to use them. Perhaps it also makes sense to shorten modules and plugins communicating directly with the Docker daemon to just plugins communicating directly with the Docker daemon, as modules are a type of plugin, but meh.
Also you don't need a comma in , or with respect to Docker SDK for Python < 6.0.0.
There was a problem hiding this comment.
I changed everything except the "modules and plugins ...". That because a) that formulation has been used in earlier changelog fragments, and b) many users do not know that modules are a special kind of plugin. Since the changelog is mainly for users, I think it's important to also mention modules here.
There was a problem hiding this comment.
I meant to submit that other comment as part of the review, but instead, I clicked the wrong button and got side tracked. All of the Python code looks good to me, and if we wanted to change it more, it would be nice to submit it upstream first. I would suggest preserving the entire commit messages from upstream in the future, instead of just the subjects, but I won't hold up the review on that.
This was using a deprecated function (`urllib.splitnport`), ostensibly to work around issues with brackets on IPv6 addresses. Ironically, its usage was broken, and would result in mangled IPv6 addresses if they had a port specified in some instances. Usage of the deprecated function has been eliminated and extra test cases added where missing. All existing cases pass as-is. (The only other change to the test was to improve assertion messages.) Cherry-picked from docker/docker-py@f16c4e1 Co-authored-by: Milas Bowman <[email protected]>
We want "The above exception was the direct cause of the following exception:" instead of "During handling of the above exception, another exception occurred:" Cherry-picked from docker/docker-py@bb11197 Co-authored-by: Maor Kleinberger <[email protected]>
Specific TLS versions are deprecated in latest Python, which causes test failures due to treating deprecation errors as warnings. Luckily, the fix here is straightforward: we can eliminate some custom version selection logic by using `PROTOCOL_TLS_CLIENT`, which is the recommended method and will select the highest TLS version supported by both client and server. Cherry-picked from docker/docker-py@56dd6de Co-authored-by: Milas Bowman <[email protected]>
Cherry-picked from docker/docker-py@4e19cc4 Co-authored-by: Guy Lichtman <[email protected]>
Cherry-picked from docker/docker-py@bb40ba0 Co-authored-by: liubo <[email protected]>
In the Secure Shell (SSH) protocol, host keys are used to verify the identity of remote hosts. Accepting unknown host keys may leave the connection open to man-in-the-middle attacks. Do not accept unknown host keys. In particular, do not set the default missing host key policy for the Paramiko library to either AutoAddPolicy or WarningPolicy. Both of these policies continue even when the host key is unknown. The default setting of RejectPolicy is secure because it throws an exception when it encounters an unknown host key. Reference: https://cwe.mitre.org/data/definitions/295.html NOTE: This only affects SSH connections using the native Python SSH implementation (Paramiko), when `use_ssh_client=False` (default). If using the system SSH client (`use_ssh_client=True`), the host configuration (e.g. `~/.ssh/config`) will apply. Cherry-picked from docker/docker-py@d929864 Co-authored-by: Audun Nes <[email protected]>
Set `daemon` attribute instead of using `setDaemon` method that was deprecated in Python 3.10. Cherry-picked from docker/docker-py@adf5a97 Co-authored-by: Karthikeyan Singaravelan <[email protected]>
Use `from e` to ensure that the error context is propagated correctly. Cherry-picked from docker/docker-py@05e1434 Co-authored-by: Milas Bowman <[email protected]>
Cherry-picked from docker/docker-py@3ee3a24 Co-authored-by: Clément Loiselet <[email protected]>
felixfontein
force-pushed
the
docker-py-updates
branch
from
fd8fbe2 to
3e62d2c
Compare
Upstream is Python 3.6+, while we also support Python 3.5 and Python 2.7. So I cannot copy the upstream changes literally, and they will not want the things we have to change for compatibility :-)
Good idea, I've included the entire messages for all commits (except the signed-off part, which I converted to |
|
@gotmax23 thanks for reviewing this! |
ghost
mentioned this pull request
SUMMARY
Incorporates new commits that apply from https://github.com/docker/docker-py/commits/main.
ISSUE TYPE
COMPONENT NAME
vendored Docker SDK for Python components