[CONTINT-5217][CONTINT-5218][CONTINT-5219][CONTINT-5220] Upgrade Docker SDK from docker/docker v28 to moby/moby v29#48777
Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 11 commits intomainfrom Apr 10, 2026
Conversation
L3n41c
added
changelog/no-changelog
Contributor
Go Package Import DifferencesBaseline: 61fdef4
|
Contributor
Files inventory check summaryFile checks results against ancestor 61fdef49: Results for datadog-agent_7.79.0~devel.git.464.c1e5bcd.pipeline.106591804-1_amd64.deb:No change detected |
Contributor
Static quality checks✅ Please find below the results from static quality gates Successful checksInfo
7 successful checks with minimal change (< 2 KiB)
On-wire sizes (compressed)
|
Regression DetectorRegression Detector ResultsMetrics dashboard Baseline: fd8f08b Optimization Goals: ✅ No significant changes detected
|
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | +3.16 | [+0.10, +6.21] | 1 | Logs |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ➖ | docker_containers_cpu | % cpu utilization | +3.16 | [+0.10, +6.21] | 1 | Logs |
| ➖ | quality_gate_logs | % cpu utilization | +2.71 | [+1.03, +4.40] | 1 | Logs bounds checks dashboard |
| ➖ | file_tree | memory utilization | +0.93 | [+0.87, +0.99] | 1 | Logs |
| ➖ | quality_gate_idle | memory utilization | +0.85 | [+0.80, +0.91] | 1 | Logs bounds checks dashboard |
| ➖ | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | +0.76 | [+0.69, +0.82] | 1 | Logs |
| ➖ | otlp_ingest_metrics | memory utilization | +0.55 | [+0.39, +0.71] | 1 | Logs |
| ➖ | ddot_logs | memory utilization | +0.40 | [+0.34, +0.47] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulative | memory utilization | +0.34 | [+0.20, +0.49] | 1 | Logs |
| ➖ | docker_containers_memory | memory utilization | +0.24 | [+0.16, +0.32] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | +0.17 | [+0.14, +0.21] | 1 | Logs bounds checks dashboard |
| ➖ | tcp_syslog_to_blackhole | ingress throughput | +0.15 | [-0.03, +0.33] | 1 | Logs |
| ➖ | otlp_ingest_logs | memory utilization | +0.05 | [-0.05, +0.15] | 1 | Logs |
| ➖ | ddot_metrics | memory utilization | +0.04 | [-0.15, +0.23] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | +0.02 | [-0.42, +0.46] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | +0.02 | [-0.55, +0.59] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | +0.02 | [-0.38, +0.42] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | +0.01 | [-0.10, +0.12] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_v3 | ingress throughput | +0.01 | [-0.19, +0.21] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | +0.01 | [-0.11, +0.12] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.00 | [-0.21, +0.22] | 1 | Logs |
| ➖ | ddot_metrics_sum_delta | memory utilization | -0.07 | [-0.25, +0.10] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | -0.10 | [-0.32, +0.13] | 1 | Logs |
| ➖ | quality_gate_metrics_logs | memory utilization | -0.29 | [-0.53, -0.06] | 1 | Logs bounds checks dashboard |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | docker_containers_cpu | simple_check_run | 10/10 | 674 ≥ 26 | |
| ✅ | docker_containers_memory | memory_usage | 10/10 | 275.44MiB ≤ 370MiB | |
| ✅ | docker_containers_memory | simple_check_run | 10/10 | 697 ≥ 26 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_0ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | 0.23GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_1000ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | 0.20GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_100ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | 0.22GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_500ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | 3 = 3 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | 177.54MiB ≤ 181MiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | 3 = 3 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | 498.90MiB ≤ 550MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | 3 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | 206.16MiB ≤ 220MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | 353.23 ≤ 2000 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | 423.94MiB ≤ 475MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
-
Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
-
Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
-
Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
dd-octo-sts
bot
added
internal
dd-octo-sts
bot
added
team/container-platform
L3n41c
changed the title
docker/docker v28 to moby/moby v29
Member
Author
|
@codex review |
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 51fa32cde4
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
This was referenced Apr 2, 2026
…er SDK from docker/docker v28 to moby/moby v29 Migrate from github.com/docker/docker v28.5.2+incompatible to github.com/moby/moby/api v1.54.1 and github.com/moby/moby/client v0.4.0 to fix CVE-2026-34040 (High, CVSS 7.8) and CVE-2026-33997 (Medium, CVSS 8.1). This is a major SDK migration: Docker Engine v29 restructured its Go modules into separate sub-modules (moby/moby/api for types, moby/moby/client for the client) with a new Options/Result pattern for all API methods. Key changes: - Update all 55 files importing from github.com/docker/docker - Adapt to v29 Options/Result method signatures in DockerUtil wrapper - Migrate filters from api/types/filters to client.Filters - Handle removed types: ContainerJSONBase (flattened into InspectResponse), image.Summary.VirtualSize, image.InspectResponse.DockerVersion/ContainerConfig - Handle type changes: IPAddress (string -> netip.Addr), Port (nat.Port -> network.Port), ContainerState (string -> typed) - Replace libnetwork/resolvconf with inline implementation (removed in v29) - Update ContainerExec* -> Exec* method names in e2e framework Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
L3n41c
force-pushed
the
lenaic/CONTINT-5217-CONTINT-5218-CONTINT-5219-CONTINT-5220-upgrade-docker-sdk-v29
branch
from
51fa32c to
27747ca
Compare
Member
Author
|
Here is how I validated that this PR actually fixes the CVEs it was intended to address:
$ docker run aquasec/trivy:0.69.3 image --scanners vuln datadog/agent:7.78.0-rc.7
[…]
opt/datadog-agent/bin/agent/agent (gobinary)
============================================
Total: 9 (UNKNOWN: 6, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)
┌──────────────────────────┬────────────────┬──────────┬──────────┬──────────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ github.com/docker/docker │ CVE-2026-34040 │ HIGH │ fixed │ v28.5.2+incompatible │ 29.3.1 │ Moby: Moby: Authorization bypass vulnerability │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-34040 │
│ ├────────────────┼──────────┤ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-33997 │ MEDIUM │ │ │ │ moby: docker: github.com/moby/moby: Moby: Privilege │
│ │ │ │ │ │ │ validation bypass during plugin installation │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-33997 │
├──────────────────────────┼────────────────┤ ├──────────┼──────────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.etcd.io/bbolt │ CVE-2026-33817 │ │ affected │ v1.4.3 │ │ go.etcd.io/bbolt: go.etcd.io/bbolt: Denial of Service via │
│ │ │ │ │ │ │ index out-of-range error │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-33817 │
├──────────────────────────┼────────────────┼──────────┼──────────┼──────────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2026-32280 │ UNKNOWN │ fixed │ v1.25.8 │ 1.25.9, 1.26.2 │ Unexpected work during chain building in crypto/x509 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32280 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32281 │ │ │ │ │ Inefficient policy validation in crypto/x509 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32281 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32282 │ │ │ │ │ TOCTOU permits root escape on Linux via Root.Chmod in os in │
│ │ │ │ │ │ │ internal/syscall/unix... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32282 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32283 │ │ │ │ │ Unauthenticated TLS 1.3 KeyUpdate record can cause │
│ │ │ │ │ │ │ persistent connection retention and DoS... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32283 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32288 │ │ │ │ │ Unbounded allocation for old GNU sparse in archive/tar │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32288 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32289 │ │ │ │ │ JsBraceDepth Context Tracking Bugs (XSS) in html/template │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32289 │
└──────────────────────────┴────────────────┴──────────┴──────────┴──────────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘
$ docker run aquasec/trivy:0.69.3 image --scanners vuln datadog/agent-dev:lenaic-contint-5217-contint-5218-contint-5219-contint-5220-upgr-c1e5bcdd-full
[…]
opt/datadog-agent/bin/agent/agent (gobinary)
============================================
Total: 7 (UNKNOWN: 6, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)
┌──────────────────┬────────────────┬──────────┬──────────┬───────────────────┬────────────────┬─────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├──────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ go.etcd.io/bbolt │ CVE-2026-33817 │ MEDIUM │ affected │ v1.4.3 │ │ go.etcd.io/bbolt: go.etcd.io/bbolt: Denial of Service via │
│ │ │ │ │ │ │ index out-of-range error │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-33817 │
├──────────────────┼────────────────┼──────────┼──────────┼───────────────────┼────────────────┼─────────────────────────────────────────────────────────────┤
│ stdlib │ CVE-2026-32280 │ UNKNOWN │ fixed │ v1.25.8 │ 1.25.9, 1.26.2 │ Unexpected work during chain building in crypto/x509 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32280 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32281 │ │ │ │ │ Inefficient policy validation in crypto/x509 │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32281 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32282 │ │ │ │ │ TOCTOU permits root escape on Linux via Root.Chmod in os in │
│ │ │ │ │ │ │ internal/syscall/unix... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32282 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32283 │ │ │ │ │ Unauthenticated TLS 1.3 KeyUpdate record can cause │
│ │ │ │ │ │ │ persistent connection retention and DoS... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32283 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32288 │ │ │ │ │ Unbounded allocation for old GNU sparse in archive/tar │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32288 │
│ ├────────────────┤ │ │ │ ├─────────────────────────────────────────────────────────────┤
│ │ CVE-2026-32289 │ │ │ │ │ JsBraceDepth Context Tracking Bugs (XSS) in html/template │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2026-32289 │
└──────────────────┴────────────────┴──────────┴──────────┴───────────────────┴────────────────┴─────────────────────────────────────────────────────────────┘ |
YoannGh
approved these changes
Apr 8, 2026
Contributor
YoannGh
left a comment
YoannGh
left a comment
There was a problem hiding this comment.
Thanks for taking care of this!
spikat
approved these changes
Apr 8, 2026
s-alad
approved these changes
Apr 8, 2026
gabedos
approved these changes
Apr 8, 2026
aiuto
approved these changes
Apr 8, 2026
ddrthall
approved these changes
Apr 8, 2026
lavigne958
approved these changes
Apr 9, 2026
stzou
approved these changes
Apr 9, 2026
chouetz
approved these changes
Apr 10, 2026
Member
Author
|
/merge |
|
View all feedbacks in Devflow UI.
The expected merge time in
|
gh-worker-dd-mergequeue-cf854d
bot
deleted the
lenaic/CONTINT-5217-CONTINT-5218-CONTINT-5219-CONTINT-5220-upgrade-docker-sdk-v29
branch
dd-octo-sts-4aefcb bot
pushed a commit
that referenced
this pull request
Apr 10, 2026
…grade Docker SDK from `docker/docker` v28 to `moby/moby` v29 (#48777) ### What does this PR do? Migrates the Docker SDK dependency from `github.com/docker/docker` v28.5.2+incompatible to `github.com/moby/moby` v29 sub-modules (`moby/moby/api` v1.54.1, `moby/moby/client` v0.4.0) to fix two security vulnerabilities: - **CVE-2026-34040** (High, CVSS 7.8) - **CVE-2026-33997** (Medium, CVSS 8.1) Docker Engine v29 restructured its Go modules into separate sub-modules with a new Options/Result API pattern. This PR updates all 55 affected files across the codebase: - All `github.com/docker/docker/*` imports replaced with `github.com/moby/moby/*` equivalents - `DockerUtil` wrapper adapted to v29 Options/Result method signatures - Filters migrated from `api/types/filters.Args` to `client.Filters` - Removed types handled: `ContainerJSONBase` (flattened), `image.Summary.VirtualSize`, `image.InspectResponse.DockerVersion`/`ContainerConfig` - Type changes adapted: `IPAddress` (`string` → `netip.Addr`), `Port` (`nat.Port` → `network.Port`), `ContainerState` (`string` → typed) - `libnetwork/resolvconf` replaced with inline implementation (removed from moby/moby in v29) - `ContainerExec*` → `Exec*` method renames applied in e2e framework - DataDog/trivy fork updated to [PR #32](DataDog/trivy#32) which reduces docker/docker usage - `replace` directive added to pin the remaining **indirect** `docker/docker` dependency (from otel-collector-contrib) to the `28.x` branch head which includes backported security fixes ### Motivation Fix CVE-2026-34040 and CVE-2026-33997 affecting both the agent and cluster-agent binaries. Jira: [CONTINT-5217](https://datadoghq.atlassian.net/browse/CONTINT-5217), [CONTINT-5218](https://datadoghq.atlassian.net/browse/CONTINT-5218), [CONTINT-5219](https://datadoghq.atlassian.net/browse/CONTINT-5219), [CONTINT-5220](https://datadoghq.atlassian.net/browse/CONTINT-5220), [VULN-59766](https://datadoghq.atlassian.net/browse/VULN-59766), [VULN-59767](https://datadoghq.atlassian.net/browse/VULN-59767), [VULN-59774](https://datadoghq.atlassian.net/browse/VULN-59774), [VULN-59775](https://datadoghq.atlassian.net/browse/VULN-59775) ### Describe how you validated your changes - `dda inv agent.build --build-exclude=systemd` — PASS - `dda inv cluster-agent.build` — PASS - `dda inv test --targets=./pkg/util/docker/...` — ALL PASSED - `dda inv test --targets=./pkg/collector/corechecks/containers/docker/...` — 15/15 PASSED - `dda inv test --targets=./pkg/util/containers/metrics/docker/...` — ALL PASSED - `dda inv test --targets=./comp/core/workloadmeta/collectors/internal/docker/...` — 13/13 PASSED ### Additional Notes **Indirect `docker/docker` dependency:** `github.com/docker/docker` remains as an indirect dependency pulled in transitively by `opentelemetry-collector-contrib/dockerobserver` and other third-party modules. A `replace` directive pins it to the `28.x` branch head (`31a1689cb0a1`) which includes the same security fixes backported from v29.3.1 (not yet released as a tagged v28.x version). No datadog-agent code directly imports from `docker/docker` anymore. **`docker.image.virtual_size` metric:** This metric now reports `image.Size` instead of the removed `image.VirtualSize` field. These values have been identical since Docker API v1.44 (`VirtualSize` was already deprecated). [CONTINT-5217]: https://datadoghq.atlassian.net/browse/CONTINT-5217?atlOrigin=eyJpIjoiNWRkNTljNzYxNjVmNDY3MDlhMDU5Y2ZhYzA5YTRkZjUiLCJwIjoiZ2l0aHViLWNvbS1KU1cifQ Co-authored-by: lenaic.huard <lenaic.huard@datadoghq.com>
Contributor
|
We're having some pipeline failures, often around container building. Pipeline failure analysisThis PR appears to be the cause of pipeline failures starting around 2026-04-10. What fails: The OTel agent build pipeline fails at Root cause: The In Go workspace mode, replace directives from individual This PR updated the root
In workspace mode, Recommended fix: From the repo root, run: go work syncThis will update |
Contributor
|
TBH. I think the claude analysis is wrong here. I'm still leaving the comment because we are getting random docker container build failures, and this seems like a likely culprit. |
chouetz
pushed a commit
that referenced
this pull request
Apr 13, 2026
…49233) ### What does this PR do? Adds `KUBERNETES_MEMORY_REQUEST` and `KUBERNETES_MEMORY_LIMIT` (32Gi) to the `docker_image_build_otel` CI job, which was the only OTel integration test job without Kubernetes memory limits. ### Motivation The `docker_image_build_otel` job has a **~12% flaky failure rate** on `main`, caused by OOM kills during `go mod download` of 40+ OTel modules inside a Docker-in-Docker build (see [Slack thread](https://dd.slack.com/archives/CR5TV8QBY/p1775901945411339)). **Root cause analysis** ([posted in thread](https://dd.slack.com/archives/CR5TV8QBY/p1775979407970919?thread_ts=1775901945.411339&cid=CR5TV8QBY)): - Datadog CI data shows **64 failures / 469 successes over 7 days** (~12%), with failures pre-dating the initially suspected PR #48777 (one failure on Apr 9, a day before the PR merged) - **60%** of failures are Kubernetes pod scheduling failures (insufficient memory, unmatched node affinity) - **25%** are silent process kills (exit code 255) during `go mod download` — classic OOM pattern - The two sibling OTel jobs already have memory limits: - `integration_tests_otel`: 16Gi - `datadog_otel_components_ocb_build`: 32Gi + 16 CPU - `docker_image_build_otel` had **none**, relying on runner defaults Setting REQUEST = LIMIT = 32Gi gives the pod a Guaranteed QoS class in Kubernetes, matching the OCB build job which performs the same workload (OCB generation + Go compilation). ### Describe how you validated your changes - The YAML structure matches the existing pattern used by all other jobs in this file - The 32Gi value matches `datadog_otel_components_ocb_build` which does the same work - Validation will come from observing the failure rate drop after merge ### Additional Notes The `.ddot_byoc_oci_build_test` template and `ddot_byoc_binary_build_test_ubuntu2004` job in the same file also lack memory limits and perform similar Docker builds. They may benefit from the same treatment as a follow-up. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
10 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Migrates the Docker SDK dependency from
github.com/docker/dockerv28.5.2+incompatible togithub.com/moby/mobyv29 sub-modules (moby/moby/apiv1.54.1,moby/moby/clientv0.4.0) to fix two security vulnerabilities:Docker Engine v29 restructured its Go modules into separate sub-modules with a new Options/Result API pattern. This PR updates all 55 affected files across the codebase:
github.com/docker/docker/*imports replaced withgithub.com/moby/moby/*equivalentsDockerUtilwrapper adapted to v29 Options/Result method signaturesapi/types/filters.Argstoclient.FiltersContainerJSONBase(flattened),image.Summary.VirtualSize,image.InspectResponse.DockerVersion/ContainerConfigIPAddress(string→netip.Addr),Port(nat.Port→network.Port),ContainerState(string→ typed)libnetwork/resolvconfreplaced with inline implementation (removed from moby/moby in v29)ContainerExec*→Exec*method renames applied in e2e frameworkreplacedirective added to pin the remaining indirectdocker/dockerdependency (from otel-collector-contrib) to the28.xbranch head which includes backported security fixesMotivation
Fix CVE-2026-34040 and CVE-2026-33997 affecting both the agent and cluster-agent binaries.
Jira: CONTINT-5217, CONTINT-5218, CONTINT-5219, CONTINT-5220, VULN-59766, VULN-59767, VULN-59774, VULN-59775
Describe how you validated your changes
dda inv agent.build --build-exclude=systemd— PASSdda inv cluster-agent.build— PASSdda inv test --targets=./pkg/util/docker/...— ALL PASSEDdda inv test --targets=./pkg/collector/corechecks/containers/docker/...— 15/15 PASSEDdda inv test --targets=./pkg/util/containers/metrics/docker/...— ALL PASSEDdda inv test --targets=./comp/core/workloadmeta/collectors/internal/docker/...— 13/13 PASSEDAdditional Notes
Indirect
docker/dockerdependency:github.com/docker/dockerremains as an indirect dependency pulled in transitively byopentelemetry-collector-contrib/dockerobserverand other third-party modules. Areplacedirective pins it to the28.xbranch head (31a1689cb0a1) which includes the same security fixes backported from v29.3.1 (not yet released as a tagged v28.x version). No datadog-agent code directly imports fromdocker/dockeranymore.docker.image.virtual_sizemetric: This metric now reportsimage.Sizeinstead of the removedimage.VirtualSizefield. These values have been identical since Docker API v1.44 (VirtualSizewas already deprecated).