Sync from SUSE:SLFO:Main docker revision 943becf65682ef261fe277e0167d9204

Adrian Schröter 2024-09-13 16:13:54 +02:00
parent 061d426151
commit 4e79ef499d
17 changed files with 4815 additions and 11893 deletions


@ -1,7 +1,7 @@
From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001
From fc318bf73243e653e34252db10d8216fbe0fc17a Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
@ -14,18 +14,18 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 290ec59a34..b7013fb89c 100644
index e9be1b4e72e2..bf6af24c303c 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -4,6 +4,7 @@
@@ -3,6 +3,7 @@
package daemon // import "github.com/docker/docker/daemon"
import (
+ "bytes"
"context"
"fmt"
"os"
"path/filepath"
@@ -14,6 +15,7 @@ import (
@@ -16,6 +17,7 @@ import (
"github.com/docker/docker/daemon/links"
"github.com/docker/docker/errdefs"
"github.com/docker/docker/libnetwork"
@ -33,7 +33,7 @@ index 290ec59a34..b7013fb89c 100644
"github.com/docker/docker/pkg/idtools"
"github.com/docker/docker/pkg/process"
"github.com/docker/docker/pkg/stringid"
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -201,9 +203,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
if err != nil {
return errors.Wrap(err, "unable to get secret from secret store")
}
@ -43,7 +43,7 @@ index 290ec59a34..b7013fb89c 100644
uid, err := strconv.Atoi(s.File.UID)
if err != nil {
@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
@@ -214,6 +213,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
return err
}
@ -69,5 +69,5 @@ index 290ec59a34..b7013fb89c 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.43.0
2.45.2


@ -1,7 +1,7 @@
From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001
From 530aa9ea84a85817b747a2cb4ae3c5c029eea48c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
@ -19,10 +19,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
create mode 100644 daemon/suse_secrets.go
diff --git a/daemon/start.go b/daemon/start.go
index 2e0b9e6be8..dca0448688 100644
index 86321bc5d017..5d4c1280608d 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
@@ -159,6 +159,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
return err
}
@ -31,12 +31,12 @@ index 2e0b9e6be8..dca0448688 100644
+ return errdefs.System(err)
+ }
+
spec, err := daemon.createSpec(ctx, container)
spec, err := daemon.createSpec(ctx, daemonCfg, container)
if err != nil {
return errdefs.System(err)
// Any error that occurs while creating the spec, even if it's the
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644
index 0000000000..32b0ece91b
index 000000000000..32b0ece91b59
--- /dev/null
+++ b/daemon/suse_secrets.go
@@ -0,0 +1,415 @@
@ -456,5 +456,5 @@ index 0000000000..32b0ece91b
+ return nil
+}
--
2.43.0
2.45.2


@ -1,7 +1,7 @@
From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001
From dfa9e392bf1360144c80d62e01c297dc7aa52827 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Mon, 22 May 2023 15:44:54 +1000
Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
Subject: [PATCH 3/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
headers"
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
@ -16,10 +16,10 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
index d88efc4be2..4e976aa689 100644
index 6aaa33cf7622..7264d4036427 100644
--- a/daemon/graphdriver/btrfs/btrfs.go
+++ b/daemon/graphdriver/btrfs/btrfs.go
@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
/*
#include <stdlib.h>
@ -42,5 +42,5 @@ index d88efc4be2..4e976aa689 100644
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
--
2.43.0
2.45.2


@ -1,7 +1,7 @@
From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001
From 208a9ba144d7ab21b9717d669a577e2dbbf7ab2e Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
start
In the process of making docker-default reloading far less expensive,
@ -22,10 +22,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
index 6376001613..5fde21a4af 100644
index 81e10b6cbec0..e695667a190f 100644
--- a/daemon/apparmor_default.go
+++ b/daemon/apparmor_default.go
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
return ""
}
@ -41,7 +41,7 @@ index 6376001613..5fde21a4af 100644
func ensureDefaultAppArmorProfile() error {
if apparmor.HostSupports() {
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
}
// Load the profile.
@ -54,10 +54,10 @@ index 6376001613..5fde21a4af 100644
return nil
}
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
index e3dc18b32b..9c77230562 100644
index be4938f5b61a..2b326fea5829 100644
--- a/daemon/apparmor_default_unsupported.go
+++ b/daemon/apparmor_default_unsupported.go
@@ -3,6 +3,10 @@
@@ -2,6 +2,10 @@
package daemon // import "github.com/docker/docker/daemon"
@ -69,11 +69,11 @@ index e3dc18b32b..9c77230562 100644
return nil
}
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 4d76c57988..15c95b50c4 100644
index c28e3063d576..c3228a084cb1 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
}
- // ensureDefaultAppArmorProfile does nothing if apparmor is disabled
@ -81,9 +81,9 @@ index 4d76c57988..15c95b50c4 100644
+ // Make sure we clobber any pre-existing docker-default profile to ensure
+ // that upgrades to the profile actually work smoothly.
+ if err := clobberDefaultAppArmorProfile(); err != nil {
logrus.Errorf(err.Error())
log.G(ctx).Errorf(err.Error())
}
--
2.43.0
2.45.2
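Review bot: `log.G(ctx).Errorf(err.Error())`, the line right after the new `clobberDefaultAppArmorProfile()` call in the daemon.go hunk, passes the error text as a printf format string, so any `%` in apparmor_parser's output (which aaparser embeds in its error, see the `running ... failed with output: %s` wrapper) is interpreted as a verb and go vet's printf check flags it; `log.G(ctx).Error(err)` logs it verbatim. That line is upstream context carried into the patch rather than something this rebase writes, so fixing it means widening the patch's hunk. It is also visible here that a failed profile load is logged and NewDaemon carries on, exactly as with ensureDefaultAppArmorProfile before it; since the point of this patch is to force a profile upgrade, a comment such as `// Non-fatal: a stale or missing docker-default profile is only reported here.` would make that trade-off explicit for the next rebase. The enclosing NewDaemon body starts and ends outside the hunk.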


@ -1,7 +1,7 @@
From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001
From 3dd554c3bdb8a01c28651b6b8a405a5d735d02d9 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 11 Oct 2023 21:19:12 +1100
Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from
Subject: [PATCH 5/7] SLE12: revert "apparmor: remove version-conditionals from
template"
This reverts the following commits:
@ -17,15 +17,16 @@ apparmor_parser version is quite old.
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
contrib/apparmor/main.go | 16 ++++++++++++++--
contrib/apparmor/template.go | 16 ++++++++++++++++
pkg/aaparser/aaparser.go | 2 --
profiles/apparmor/apparmor.go | 14 ++++++++++++--
profiles/apparmor/template.go | 4 ++++
5 files changed, 46 insertions(+), 6 deletions(-)
contrib/apparmor/main.go | 16 ++++++-
contrib/apparmor/template.go | 16 +++++++
pkg/aaparser/aaparser.go | 86 +++++++++++++++++++++++++++++++++++
profiles/apparmor/apparmor.go | 16 ++++++-
profiles/apparmor/template.go | 4 ++
5 files changed, 134 insertions(+), 4 deletions(-)
create mode 100644 pkg/aaparser/aaparser.go
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
index d67890d265..f4a2978b86 100644
index 899d8378edae..93f98cbd20e5 100644
--- a/contrib/apparmor/main.go
+++ b/contrib/apparmor/main.go
@@ -6,9 +6,13 @@ import (
@ -68,7 +69,7 @@ index d67890d265..f4a2978b86 100644
log.Fatalf("executing template failed: %v", err)
}
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
index 58afcbe845..e6d0b6d37c 100644
index 58afcbe845ee..e6d0b6d37c58 100644
--- a/contrib/apparmor/template.go
+++ b/contrib/apparmor/template.go
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
@ -156,24 +157,107 @@ index 58afcbe845..e6d0b6d37c 100644
/lib/** rm,
/usr/bin/xz rm,
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
index 3d7c2c5a97..2b5a2605f9 100644
--- a/pkg/aaparser/aaparser.go
new file mode 100644
index 000000000000..89b48b2dba58
--- /dev/null
+++ b/pkg/aaparser/aaparser.go
@@ -13,8 +13,6 @@ const (
)
// GetVersion returns the major and minor version of apparmor_parser.
-//
-// Deprecated: no longer used, and will be removed in the next release.
func GetVersion() (int, error) {
output, err := cmd("", "--version")
if err != nil {
@@ -0,0 +1,86 @@
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
+package aaparser // import "github.com/docker/docker/pkg/aaparser"
+
+import (
+ "fmt"
+ "os/exec"
+ "strconv"
+ "strings"
+)
+
+const (
+ binary = "apparmor_parser"
+)
+
+// GetVersion returns the major and minor version of apparmor_parser.
+func GetVersion() (int, error) {
+ output, err := cmd("", "--version")
+ if err != nil {
+ return -1, err
+ }
+
+ return parseVersion(output)
+}
+
+// cmd runs `apparmor_parser` with the passed arguments.
+func cmd(dir string, arg ...string) (string, error) {
+ c := exec.Command(binary, arg...)
+ c.Dir = dir
+
+ output, err := c.CombinedOutput()
+ if err != nil {
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
+ }
+
+ return string(output), nil
+}
+
+// parseVersion takes the output from `apparmor_parser --version` and returns
+// a representation of the {major, minor, patch} version as a single number of
+// the form MMmmPPP {major, minor, patch}.
+func parseVersion(output string) (int, error) {
+ // output is in the form of the following:
+ // AppArmor parser version 2.9.1
+ // Copyright (C) 1999-2008 Novell Inc.
+ // Copyright 2009-2012 Canonical Ltd.
+
+ lines := strings.SplitN(output, "\n", 2)
+ words := strings.Split(lines[0], " ")
+ version := words[len(words)-1]
+
+ // trim "-beta1" suffix from version="3.0.0-beta1" if exists
+ version = strings.SplitN(version, "-", 2)[0]
+ // also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10)
+ version = strings.SplitN(version, "~", 2)[0]
+
+ // split by major minor version
+ v := strings.Split(version, ".")
+ if len(v) == 0 || len(v) > 3 {
+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
+ }
+
+ // Default the versions to 0.
+ var majorVersion, minorVersion, patchLevel int
+
+ majorVersion, err := strconv.Atoi(v[0])
+ if err != nil {
+ return -1, err
+ }
+
+ if len(v) > 1 {
+ minorVersion, err = strconv.Atoi(v[1])
+ if err != nil {
+ return -1, err
+ }
+ }
+ if len(v) > 2 {
+ patchLevel, err = strconv.Atoi(v[2])
+ if err != nil {
+ return -1, err
+ }
+ }
+
+ // major*10^5 + minor*10^3 + patch*10^0
+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
+ return numericVersion, nil
+}
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
index d0f2361605..b3566b2f73 100644
index 1edfc5300235..0d23b940bdf4 100644
--- a/profiles/apparmor/apparmor.go
+++ b/profiles/apparmor/apparmor.go
@@ -14,8 +14,10 @@ import (
"github.com/docker/docker/pkg/aaparser"
@@ -11,10 +11,14 @@ import (
"path"
"strings"
"text/template"
+
+ "github.com/docker/docker/pkg/aaparser"
)
-// profileDirectory is the file store for apparmor profiles and macros.
@ -185,7 +269,7 @@ index d0f2361605..b3566b2f73 100644
// profileData holds information about the given profile for generation.
type profileData struct {
@@ -27,6 +29,8 @@ type profileData struct {
@@ -26,6 +30,8 @@ type profileData struct {
Imports []string
// InnerImports defines the apparmor functions to import in the profile.
InnerImports []string
@ -194,7 +278,7 @@ index d0f2361605..b3566b2f73 100644
}
// generateDefault creates an apparmor profile from ProfileData.
@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
@@ -45,6 +51,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
}
@ -208,17 +292,18 @@ index d0f2361605..b3566b2f73 100644
}
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
index 9f207e2014..626e5f6789 100644
index 8dbc1b610288..2062aab1ac99 100644
--- a/profiles/apparmor/template.go
+++ b/profiles/apparmor/template.go
@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -23,6 +23,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
capability,
file,
umount,
+{{if ge .Version 208096}}
# Host (privileged) processes may send signals to container processes.
signal (receive) peer=unconfined,
# dockerd may send signals to container processes (for "docker kill").
# runc may send signals to container processes (for "docker stop").
@@ -33,6 +34,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
signal (receive) peer={{.DaemonProfile}},
# Container processes may send signals amongst themselves.
signal (send,receive) peer={{.Name}},
@ -226,7 +311,7 @@ index 9f207e2014..626e5f6789 100644
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
# deny write to files not in /proc/<number>/** or /proc/sys/**
@@ -50,7 +52,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
@@ -53,7 +55,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
deny /sys/devices/virtual/powercap/** rwklx,
deny /sys/kernel/security/** rwklx,
@ -237,5 +322,5 @@ index 9f207e2014..626e5f6789 100644
}
`
--
2.43.0
2.45.2
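Review bot: In parseVersion the `len(v) == 0` guard is unreachable, because strings.Split always returns at least one element, so an empty or trailing-space first line of `apparmor_parser --version` makes `version` the empty string and falls through to `strconv.Atoi("")`, yielding strconv's generic error instead of the one that quotes the parser output. Changing the guard to `if version == "" || len(v) > 3 {` routes both malformed cases to the descriptive error. This rebase now adds pkg/aaparser/aaparser.go from scratch (the diffstat shows `create mode 100644`), since the package no longer exists upstream between 24.0.7 and 25.0.6, so the file is SUSE-maintained from here on; a header comment along the lines of `// Re-added for SLE12: upstream removed pkg/aaparser; keep the MMmmPPP encoding in sync with the .Version gates in profiles/apparmor/template.go.` would record why it exists and what depends on its number format.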




@ -0,0 +1,53 @@
From a60ba6a7cae1bfc679e5a34646ffe1d4702d91e0 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 19 Jun 2024 16:30:49 +1000
Subject: [PATCH 7/7] bsc1214855: volume: use AtomicWriteFile to save volume
options
If the system (or Docker) crashes while saivng the volume options, on
restart the daemon will error out when trying to read the options file
because it doesn't contain valid JSON.
In such a crash scenario, the new volume will be treated as though it
has the default options configuration. This is not ideal, but volumes
created on very old Docker versions (pre-1.11[1], circa 2016) do not
have opts.json and so doing some kind of cleanup when loading the volume
store (even if we take care to only delete empty volumes) could delete
existing volumes carried over from very old Docker versions that users
would not expect to disappear.
Ultimately, if a user creates a volume and the system crashes, a volume
that has the wrong config is better than Docker not being able to start.
[1]: commit b05b2370757d ("Support mount opts for `local` volume driver")
SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1214855
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
volume/local/local.go | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/volume/local/local.go b/volume/local/local.go
index 6e96aeea4189..4412f34a3da9 100644
--- a/volume/local/local.go
+++ b/volume/local/local.go
@@ -17,6 +17,7 @@ import (
"github.com/docker/docker/daemon/names"
"github.com/docker/docker/errdefs"
"github.com/docker/docker/pkg/idtools"
+ "github.com/docker/docker/pkg/ioutils"
"github.com/docker/docker/quota"
"github.com/docker/docker/volume"
"github.com/pkg/errors"
@@ -388,7 +389,7 @@ func (v *localVolume) saveOpts() error {
if err != nil {
return err
}
- err = os.WriteFile(filepath.Join(v.rootPath, "opts.json"), b, 0o600)
+ err = ioutils.AtomicWriteFile(filepath.Join(v.rootPath, "opts.json"), b, 0o600)
if err != nil {
return errdefs.System(errors.Wrap(err, "error while persisting volume options"))
}
--
2.45.2
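Review bot: The crash-safety this backport claims depends on two properties of ioutils.AtomicWriteFile that are outside the hunk: that it fsyncs the temporary file before the rename (otherwise a crash after the rename is persisted can still leave an empty opts.json) and that it creates the temporary file under v.rootPath rather than the system temp dir, so the rename cannot fail with EXDEV on a volume root that is a separate mount. Both are worth confirming against the vendored pkg/ioutils at v25.0.6 before relying on this for bsc#1214855. A short comment on the new line, e.g. `// Write via temp file + rename so a crash never leaves a truncated opts.json (bsc#1214855).`, would tie the call to its rationale for future rebases. The enclosing saveOpts body starts outside the hunk.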


@ -3,16 +3,17 @@
<param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">24.0.7_ce_%h</param>
<param name="revision">v24.0.7</param>
<param name="versionformat">25.0.6_ce_%h</param>
<param name="revision">v25.0.6</param>
<param name="filename">docker</param>
</service>
<service name="tar_scm" mode="manual">
<param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">24.0.7_ce</param>
<param name="revision">v24.0.7</param>
<param name="versionformat">25.0.6_ce</param>
<!-- They didn't release a version of docker-cli for this update. -->
<param name="revision">v25.0.5</param>
<param name="filename">docker-cli</param>
</service>
<service name="recompress" mode="manual">


docker-24.0.7_ce_311b9ff0aa93.tar.xz (Stored with Git LFS)


docker-25.0.6_ce_b08a51fe16ee.tar.xz (Stored with Git LFS) Normal file


docker-cli-24.0.7_ce.tar.xz (Stored with Git LFS)


docker-cli-25.0.6_ce.tar.xz (Stored with Git LFS) Normal file



@ -1,8 +1,96 @@
-------------------------------------------------------------------
Wed Jul 31 04:58:15 UTC 2024 - Aleksa Sarai <asarai@suse.com>
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2506>
- This update includes a fix for CVE-2024-41110. bsc#1228324
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
-------------------------------------------------------------------
Mon Jun 24 08:15:24 UTC 2024 - Aleksa Sarai <asarai@suse.com>
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
+ 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- Write volume options atomically so sudden system crashes won't result in
future Docker starts failing due to empty files. Backport of
<https://github.com/moby/moby/pull/48034>. bsc#1214855
+ 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
-------------------------------------------------------------------
Mon Mar 25 12:34:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
[NOTE: This update was only ever released in SLES and Leap.]
- Update to Docker 25.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- Update --add-runtime to point to correct binary path.
-------------------------------------------------------------------
Fri Mar 8 07:46:11 UTC 2024 - Dan Čermák <dcermak@suse.com>
[NOTE: This update was only ever released in SLES and Leap.]
- Add patch to fix bsc#1220339
* 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
- rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
-------------------------------------------------------------------
Thu Feb 22 14:13:42 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
- Allow to disable apparmor support (ALP supports only SELinux)
-------------------------------------------------------------------
Wed Feb 17 12:56:22 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
- Update to Docker 25.0.3-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/25.0/#2503>
- Fixes:
* bsc#1219267 - CVE-2024-23651
* bsc#1219268 - CVE-2024-23652
* bsc#1219438 - CVE-2024-23653
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-docs-include-required-tools-in-source-tree.patch
- Remove upstreamed patches:
- 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
-------------------------------------------------------------------
Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
@ -27,12 +115,12 @@ Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
-------------------------------------------------------------------
Fri Oct 27 21:14:37 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 24.0.7-ce. See upstream changelong online at
- Update to Docker 24.0.7-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
* Deny containers access to /sys/devices/virtual/powercap by default.
- CVE-2020-8694 bsc#1170415
- CVE-2020-8695 bsc#1170446
- CVE-2020-12912 bsc#1178760
- CVE-2020-8695 bsc#1170446
- CVE-2020-12912 bsc#1178760
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -56,7 +144,7 @@ Wed Oct 11 10:32:43 UTC 2023 - Aleksa Sarai <asarai@suse.com>
-------------------------------------------------------------------
Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 24.0.6-ce. See upstream changelong online at
- Update to Docker 24.0.6-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -72,7 +160,7 @@ Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
-------------------------------------------------------------------
Tue Jul 25 19:40:25 UTC 2023 - Dirk Müller <dmueller@suse.com>
- Update to Docker 24.0.5-ce. See upstream changelong online at
- Update to Docker 24.0.5-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
-------------------------------------------------------------------


@ -16,7 +16,7 @@ EnvironmentFile=/etc/sysconfig/docker
# enabled by default because enabling socket activation means that on boot your
# containers won't start until someone tries to administer the Docker daemon.
Type=notify
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
# Having non-zero Limit*s causes performance problems due to accounting overhead


@ -32,9 +32,9 @@
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define real_version 24.0.7
%define git_version 311b9ff0aa93
%define git_commit_epoch 1698306665
%define real_version 25.0.6
%define git_version b08a51fe16ee
%define git_commit_epoch 1721861837
Name: docker
Version: %{real_version}_ce
@ -71,13 +71,13 @@ Patch200: 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
Patch201: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
# UPSTREAM: Backport of <https://github.com/moby/buildkit/pull/4896> and
# <https://github.com/moby/buildkit/pull/5060>.
Patch203: 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/48034>.
Patch204: 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
# bugfix for:
# bsc#1219438: CVE-2024-23653
# bsc#1219268: CVE-2024-23652
# bsc#1219267: CVE-2024-23651
Patch901: 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
BuildRequires: audit
BuildRequires: bash-completion
BuildRequires: ca-certificates
@ -97,7 +97,7 @@ BuildRequires: fish
BuildRequires: go-go-md2man
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-tools
BuildRequires: golang(API) = 1.20
BuildRequires: golang(API) = 1.21
%if %{with apparmor}
%if 0%{?sle_version} >= 150000
# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
@ -232,8 +232,10 @@ cp %{SOURCE130} .
%patch -P201 -p1
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
%patch -P202 -p1
# temporary buildkit bugfixes
%patch -P901 -p1
# bsc#1221916
%patch -P203 -p1
# bsc#1214855
%patch -P204 -p1
%build
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf