@knqyf263 knqyf263 commented Jun 16, 2025

Summary

This PR updates Docker dependencies from v28.1.1 to v28.2.2 and addresses API compatibility issues that emerged with recent Docker versions, including fixing container cleanup errors in integration tests.

Changes

1. Docker API Updates

  • Replace deprecated ImageInspectWithRaw with ImageInspect API
  • Update Docker dependencies to v28.2.2
  • Update testdocker to v0.0.0-20250616060700-ba6845ac6d17 for Docker v28.2.2 compatibility (see chore(deps): Upgrade Docker to v28.2.2 testdocker#26)
  • Remove usage of removed container configuration fields

2. Fix ArgsEscaped field expectations in containerd tests

  • Files: pkg/fanal/test/integration/containerd_test.go
  • Issue: Docker v28 API changes affected how the ArgsEscaped field is populated in image config
  • Solution: Updated test expectations to expect ArgsEscaped: true instead of false

3. Update testcontainers-go to fix container cleanup error

  • Files: go.mod, go.sum
  • Issue: Docker API changes in moby/moby#50030 affected how errdefs.ErrConflict errors are handled
  • Solution: Updated testcontainers-go to commit 1720acdcb24ef79dd34188da22da05e6cf72773c which includes the fix from testcontainers/testcontainers-go#3194

API Changes Addressed

Recent Docker versions have deprecated ImageInspectWithRaw in favor of ImageInspect. Additionally, certain fields in the image inspection response have been removed or moved to align with OCI specifications:

  • Deprecated fields like Hostname, Domainname, AttachStdin, AttachStdout, AttachStderr, Tty, OpenStdin, StdinOnce, Image, NetworkDisabled, MacAddress

Test Results

Before fixes:

--- FAIL: TestContainerd_LocalImage (7.31s)
    --- FAIL: TestContainerd_LocalImage/alpine_3.10 (0.94s)
    --- FAIL: TestContainerd_LocalImage/vulnimage (4.97s)
=== NAME  TestClientServerWithRedis
    Error: terminate: Error response from daemon: removal of container X is already in progress

After fixes:

--- PASS: TestContainerd_LocalImage (12.26s)
    --- PASS: TestContainerd_LocalImage/alpine_3.10 (2.36s)
    --- PASS: TestContainerd_LocalImage/vulnimage (5.71s)
--- PASS: TestContainerd_LocalImage_Alternative_Namespace (9.44s)
    --- PASS: TestContainerd_LocalImage_Alternative_Namespace/alpine_3.10 (1.35s)
    --- PASS: TestContainerd_LocalImage_Alternative_Namespace/vulnimage (5.63s)
--- PASS: TestClientServerWithRedis (5.01s)
    --- PASS: TestClientServerWithRedis/alpine_3.9 (0.33s)
    --- PASS: TestClientServerWithRedis/sad_path (0.58s)

This commit updates the daemon package to be compatible with Docker v28
by addressing breaking changes introduced in Docker API v1.46.

Changes made:
- Replace deprecated ImageInspectWithRaw with ImageInspect API
- Remove deprecated container configuration fields from image config
- Update dependencies to Docker v28.2.2
- Update testdocker to v0.0.0-20250616060700-ba6845ac6d17 which includes
  Docker v28 compatibility fixes (aquasecurity/testdocker#26)
- Simplify imageConfig function to use only OCI-compliant fields

Breaking changes addressed:
Docker API v1.46 removed the following fields from image inspection Config:
- Hostname, Domainname, AttachStdin, AttachStdout, AttachStderr
- Tty, OpenStdin, StdinOnce, Image, NetworkDisabled, MacAddress

These fields were implementation details and not part of the OCI image
specification. The removal aligns Docker with the OCI standard.

Test updates:
- Update test expectations to match new API behavior
- Remove assertions for deprecated fields that are no longer returned

Fixes: Docker v28 compatibility issues
@knqyf263 knqyf263 changed the title from "fix(daemon): update for Docker v28 compatibility" to "chore(deps): update for Docker v28 compatibility" Jun 16, 2025
@knqyf263 knqyf263 self-assigned this Jun 16, 2025
@knqyf263 knqyf263 changed the title from "chore(deps): update for Docker v28 compatibility" to "chore(deps): update moby to v28.2.2" Jun 16, 2025
- Add nolint comments for gocritic ruleguard warnings about using set instead of map
- Update image tests to match Docker v28 API behavior where deprecated Image field is removed in OCI-compliant scenarios
- Change dockerimage back to dimage to minimize diff changes
- Keep functionality unchanged
Add overrideDockerRemovedFields function to handle image config fields
that were removed from Docker API. This affects only Docker Engine tests
where images are loaded directly into Docker daemon.

Fields cleared in Docker Engine tests only:
- Container (removed in Docker API v1.45)
- Image (removed in Docker API v1.50)
- Hostname (removed in Docker API v1.50)

Other integration tests (TestTar, etc.) continue to compare these fields
as they don't use Docker Engine and retain the original image metadata.

This preserves golden file compatibility while ensuring Docker Engine
tests work with newer Docker versions.
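
The field-clearing step described in the commit message above, as an added Go example (not Trivy's own code). `ImageConfig`, `parseAPI` and `NormalizeExpected` are hypothetical names; the removal versions are the ones the commit message lists, and gating each field on the daemon's API version goes one step beyond what the message describes.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ImageConfig is a hypothetical stand-in for the config compared with golden files.
type ImageConfig struct {
	Container, Image, Hostname string
	Cmd                        []string
}

// parseAPI splits "major.minor" into integers so that 1.9 sorts below 1.45.
func parseAPI(v string) (major, minor int, err error) {
	a, b, ok := strings.Cut(v, ".")
	if !ok {
		return 0, 0, fmt.Errorf("bad API version %q", v)
	}
	if major, err = strconv.Atoi(a); err != nil {
		return 0, 0, err
	}
	minor, err = strconv.Atoi(b)
	return major, minor, err
}

// NormalizeExpected clears golden fields the engine no longer returns at apiVersion.
// Removal versions are the ones listed in the commit message above.
// Non-engine sources (tar archives) keep the golden values untouched.
func NormalizeExpected(golden ImageConfig, fromEngine bool, apiVersion string) (ImageConfig, error) {
	major, minor, err := parseAPI(apiVersion)
	if err != nil || !fromEngine {
		return golden, err
	}
	atLeast := func(m, n int) bool { return major > m || (major == m && minor >= n) }
	if atLeast(1, 45) {
		golden.Container = ""
	}
	if atLeast(1, 50) {
		golden.Image, golden.Hostname = "", ""
	}
	return golden, nil
}

func main() {
	g := ImageConfig{Container: "c0ffee", Image: "sha256:constructed", Hostname: "build-host"} // constructed sample
	for _, v := range []string{"1.44", "1.45", "1.50"} {
		got, _ := NormalizeExpected(g, true, v)
		fmt.Printf("API %s -> %+v\n", v, got)
	}
}
```

Clearing only the listed fields, and only for engine-sourced results, keeps the golden comparison strict for every other field and for the tar-based tests.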
knqyf263 added 4 commits June 18, 2025 14:36
- Update containerd.go to use dockerimage.InspectResponse instead of api.ImageInspect
- Fix Config field to use dockerspec.DockerOCIImageConfig structure
- Update image config handling for Docker API field removals
- Maintain compatibility with new Docker v28.2.2 API changes
…aped field

Update TestContainerd_LocalImage test cases to expect ArgsEscaped: true
instead of false to match Docker v28 API behavior changes.

In Docker v28, the containerd integration now populates the Config field
with dockerspec.DockerOCIImageConfig{ImageConfig: imgConfig.Config},
which preserves the actual ArgsEscaped value from the OCI image manifest
instead of using the default false value.

This change affects:
- alpine 3.10 test case: Add ArgsEscaped: true to Config
- vulnimage test case: Add ArgsEscaped: true to Config
- TestContainerd_PullImage: Change ArgsEscaped from false to true

The change reflects more accurate image metadata representation
where the actual OCI image configuration is preserved rather than
being overridden with default values.
…dition

Update testcontainers-go to commit 1720acdcb24ef79dd34188da22da05e6cf72773c
which includes the fix from testcontainers/testcontainers-go#3194

Background:
Docker API changes in moby/moby#50030 affected how
errdefs.ErrConflict errors are handled, causing testcontainers-go's
isCleanupSafe function to no longer properly detect "already in progress"
container removal errors. This resulted in test failures with messages like:
"terminate: Error response from daemon: removal of container X is already in progress"

The fix in testcontainers-go PR aquasecurity#3194 addresses this issue by updating the
error handling logic to properly catch these Docker API error changes.
Since this fix is not yet released, we use the specific commit hash.

This resolves container cleanup race conditions in integration tests,
particularly affecting TestContainerd_LocalImage and TestClientServerWithRedis.
@knqyf263 knqyf263 changed the title from "chore(deps): update moby to v28.2.2" to "chore(deps): update Docker to v28.2.2 and fix compatibility issues" Jun 18, 2025
@knqyf263 knqyf263 marked this pull request as ready for review June 18, 2025 16:10
@knqyf263 knqyf263 requested a review from DmitriyLewen as a code owner June 18, 2025 16:10
@DmitriyLewen DmitriyLewen left a comment

LGTM

@knqyf263 knqyf263 added this pull request to the merge queue Jun 19, 2025
Merged via the queue into aquasecurity:main with commit 3f41ffa Jun 19, 2025
14 checks passed
@knqyf263 knqyf263 deleted the docker-v28 branch June 19, 2025 08:06