251 lines
12 KiB
Plaintext
251 lines
12 KiB
Plaintext
-------------------------------------------------------------------
|
|
Wed Jun 4 05:21:19 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Always clear SUSEConnect suse_* secrets when starting containers regardless
|
|
of whether the daemon was built with SUSEConnect support. Not doing this
|
|
causes containers from SUSEConnect-enabled daemons to fail to start when
|
|
running with SUSEConnect-disabled (i.e. upstream) daemons.
|
|
|
|
This was a long-standing issue with our secrets support but until recently
|
|
this would've required migrating from SLE packages to openSUSE packages
|
|
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
|
|
away from in-built SUSEConnect support, this is now a practical issue users
|
|
will run into. bsc#1244035
|
|
|
|
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
|
|
|
|
- Rearrange patches:
|
|
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
|
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
|
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
|
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
|
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
|
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
|
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
|
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
|
- 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
|
|
+ 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
|
|
- 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
|
+ 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
|
- 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
|
+ 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
|
- 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
|
|
+ 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
|
|
- 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
|
|
+ 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
|
|
- 0011-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
|
|
+ 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
|
|
- 0012-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
|
|
+ 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
|
|
- 0013-TESTS-backport-fixes-for-integration-tests.patch
|
|
+ 0014-TESTS-backport-fixes-for-integration-tests.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 10 03:18:42 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Update to docker-buildx v0.22.0. Upstream changelog:
|
|
<https://github.com/docker/buildx/releases/tag/v0.22.0>
|
|
* Includes fixes for CVE-2025-0495. bsc#1239765
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Apr 10 03:09:38 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Disable transparent SUSEConnect support for SLE-16. PED-12534
|
|
|
|
When this patchset was first added in 2013 (and rewritten over the years),
|
|
there was no upstream way to easily provide SLE customers with a way to build
|
|
container images based on SLE using the host subscription. However, with
|
|
docker-buildx you can now define secrets for builds (this is not entirely
|
|
transparent, but we can easily document this new requirement for SLE-16).
|
|
|
|
Users should use
|
|
|
|
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
|
|
|
|
in their Dockerfiles, and
|
|
|
|
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
|
|
|
|
when doing their builds.
|
|
|
|
- Now that the only blocker for docker-buildx support was removed for SLE-16,
|
|
enable docker-buildx for SLE-16 as well. PED-8905
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Mar 26 02:36:16 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Don't use the new container-selinux conditional requires on SLE-12, as the
|
|
RPM version there doesn't support it. Arguably the change itself is a bit
|
|
suspect but we can fix that later. bsc#1237367
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Mar 25 01:11:54 UTC 2025 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Add backport for golang.org/x/oauth2 CVE-2025-22868 fix. bsc#1239185
|
|
+ 0011-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
|
|
- Add backport for golang.org/x/crypto CVE-2025-22869 fix. bsc#1239322
|
|
+ 0012-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
|
|
- Refresh patches:
|
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
|
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
|
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
|
* 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
|
|
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
|
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
|
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
|
|
* 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
|
|
- Move test-related patch to the end of the patch stack:
|
|
- 0011-TESTS-backport-fixes-for-integration-tests.patch
|
|
+ 0013-TESTS-backport-fixes-for-integration-tests.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Thu Mar 20 16:09:49 UTC 2025 - Fabian Vogt <fvogt@suse.com>
|
|
|
|
- Make container-selinux requirement conditional on selinux-policy
|
|
(bsc#1237367)
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 18 05:53:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Add backport for CVE-2024-29018 fix. bsc#1234089
|
|
+ 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
|
|
- Add backport for CVE-2024-23650 fix and rename patch filename. bsc#1219437
|
|
- 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
|
|
+ 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
|
|
- Reorder and rebase patches:
|
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
|
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
|
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
|
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
|
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
|
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
|
|
- 0010-TESTS-backport-fixes-for-integration-tests.patch
|
|
+ 0011-TESTS-backport-fixes-for-integration-tests.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Dec 17 13:20:39 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Update to docker-buildx 0.19.3. See upstream changelog online at
|
|
<https://github.com/docker/buildx/releases/tag/v0.19.3>
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Update docker-buildx to v0.19.2. See upstream changelog online at
|
|
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
|
|
|
|
Some notable changelogs from the last update:
|
|
* <https://github.com/docker/buildx/releases/tag/v0.19.0>
|
|
* <https://github.com/docker/buildx/releases/tag/v0.18.0>
|
|
- Update to Go 1.22.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
|
|
disable the SUSEConnect integration with Docker (which creates special mounts
|
|
in /run/secrets to allow container-suseconnect to authenticate containers
|
|
with registries on registered hosts). bsc#1231348 bsc#1232999
|
|
|
|
In order to disable these mounts, just do
|
|
|
|
echo 0 > /etc/docker/suse-secrets-enable
|
|
|
|
and restart Docker. In order to re-enable them, just do
|
|
|
|
echo 1 > /etc/docker/suse-secrets-enable
|
|
|
|
and restart Docker. Docker will output information on startup to tell you
|
|
whether the SUSE secrets feature is enabled or not.
|
|
|
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Disable docker-buildx builds for SLES. It turns out that build containers
|
|
with docker-buildx don't currently get the SUSE secrets mounts applied,
|
|
meaning that container-suseconnect doesn't work when building images.
|
|
bsc#1233819
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Add docker-integration-tests-devel subpackage for building and running the
|
|
upstream Docker integration tests on machines to test that Docker works
|
|
properly. Users should not install this package.
|
|
- docker-rpmlintrc updated to include allow-list for all of the integration
|
|
tests package, since it contains a bunch of stuff that wouldn't normally be
|
|
allowed.
|
|
- Rebased patches:
|
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
|
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
|
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
|
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
|
* 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
|
|
* 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
|
* 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
|
* 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
|
|
- Added patches:
|
|
+ 0010-TESTS-backport-fixes-for-integration-tests.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Remove DOCKER_NETWORK_OPTS from docker.service. This was removed from
|
|
sysconfig a long time ago, and apparently this causes issues with systemd in
|
|
some cases.
|
|
- Update --add-runtime to point to correct binary path.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 16 22:24:52 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Further merge docker and docker-stable specfiles to minimise the differences.
|
|
The main thing is that we now include both halves of the
|
|
Conflicts/Provides/Obsoletes dance in both specfiles.
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Update to docker-buildx v0.17.1 to match standalone docker-buildx package we
|
|
are replacing. See upstream changelog online at
|
|
<https://github.com/docker/buildx/releases/tag/v0.17.1>
|
|
|
|
-------------------------------------------------------------------
|
|
Sat Sep 7 13:10:30 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Import specfile changes for docker-buildx as well as the changes to help
|
|
reduce specfile differences between docker-stable and docker. bsc#1230331
|
|
bsc#1230333
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Aug 14 03:21:00 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Backport patch for CVE-2024-41110. bsc#1228324
|
|
+ 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
|
|
|
|
-------------------------------------------------------------------
|
|
Wed Jun 16 04:18:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
|
|
|
- Initial docker-stable release, forked from Docker 24.0.6-ce release
|
|
(packaged on 2023-10-11).
|
|
- Update to Docker 24.0.9-ce, which is the latest version of the 24.0.x branch.
|
|
It seems likely this will be the last upstream version of the 24.0.x branch
|
|
(it seems Mirantis is going to do LTS for 23.0.x, not 24.0.x).
|
|
<https://docs.docker.com/engine/release-notes/24.0/#2409>
|
|
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
|
|
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
|
|
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
|
|
+ 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
|
- Write volume options atomically so sudden system crashes won't result in
|
|
future Docker starts failing due to empty files. Backport of
|
|
<https://github.com/moby/moby/pull/48034>. bsc#1214855
|
|
+ 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|