Sync from SUSE:SLFO:Main docker revision 943becf65682ef261fe277e0167d9204
This commit is contained in:
parent
061d426151
commit
4e79ef499d
@ -1,7 +1,7 @@
|
||||
From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001
|
||||
From fc318bf73243e653e34252db10d8216fbe0fc17a Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
|
||||
Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
|
||||
|
||||
Since FileMode can have the directory bit set, allow a SecretStore
|
||||
implementation to return secrets that are actually directories. This is
|
||||
@ -14,18 +14,18 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
||||
index 290ec59a34..b7013fb89c 100644
|
||||
index e9be1b4e72e2..bf6af24c303c 100644
|
||||
--- a/daemon/container_operations_unix.go
|
||||
+++ b/daemon/container_operations_unix.go
|
||||
@@ -4,6 +4,7 @@
|
||||
@@ -3,6 +3,7 @@
|
||||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
+ "bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
@@ -14,6 +15,7 @@ import (
|
||||
@@ -16,6 +17,7 @@ import (
|
||||
"github.com/docker/docker/daemon/links"
|
||||
"github.com/docker/docker/errdefs"
|
||||
"github.com/docker/docker/libnetwork"
|
||||
@ -33,7 +33,7 @@ index 290ec59a34..b7013fb89c 100644
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
"github.com/docker/docker/pkg/process"
|
||||
"github.com/docker/docker/pkg/stringid"
|
||||
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
@@ -201,9 +203,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "unable to get secret from secret store")
|
||||
}
|
||||
@ -43,7 +43,7 @@ index 290ec59a34..b7013fb89c 100644
|
||||
|
||||
uid, err := strconv.Atoi(s.File.UID)
|
||||
if err != nil {
|
||||
@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
@@ -214,6 +213,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||
return err
|
||||
}
|
||||
|
||||
@ -69,5 +69,5 @@ index 290ec59a34..b7013fb89c 100644
|
||||
return errors.Wrap(err, "error setting ownership for secret")
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
2.45.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001
|
||||
From 530aa9ea84a85817b747a2cb4ae3c5c029eea48c Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
|
||||
Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
|
||||
|
||||
This allows for us to pass in host credentials to a container, allowing
|
||||
for SUSEConnect to work with containers.
|
||||
@ -19,10 +19,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
create mode 100644 daemon/suse_secrets.go
|
||||
|
||||
diff --git a/daemon/start.go b/daemon/start.go
|
||||
index 2e0b9e6be8..dca0448688 100644
|
||||
index 86321bc5d017..5d4c1280608d 100644
|
||||
--- a/daemon/start.go
|
||||
+++ b/daemon/start.go
|
||||
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
|
||||
@@ -159,6 +159,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
|
||||
return err
|
||||
}
|
||||
|
||||
@ -31,12 +31,12 @@ index 2e0b9e6be8..dca0448688 100644
|
||||
+ return errdefs.System(err)
|
||||
+ }
|
||||
+
|
||||
spec, err := daemon.createSpec(ctx, container)
|
||||
spec, err := daemon.createSpec(ctx, daemonCfg, container)
|
||||
if err != nil {
|
||||
return errdefs.System(err)
|
||||
// Any error that occurs while creating the spec, even if it's the
|
||||
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
||||
new file mode 100644
|
||||
index 0000000000..32b0ece91b
|
||||
index 000000000000..32b0ece91b59
|
||||
--- /dev/null
|
||||
+++ b/daemon/suse_secrets.go
|
||||
@@ -0,0 +1,415 @@
|
||||
@ -456,5 +456,5 @@ index 0000000000..32b0ece91b
|
||||
+ return nil
|
||||
+}
|
||||
--
|
||||
2.43.0
|
||||
2.45.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001
|
||||
From dfa9e392bf1360144c80d62e01c297dc7aa52827 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Mon, 22 May 2023 15:44:54 +1000
|
||||
Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
||||
Subject: [PATCH 3/7] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
||||
headers"
|
||||
|
||||
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
|
||||
@ -16,10 +16,10 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
1 file changed, 4 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
|
||||
index d88efc4be2..4e976aa689 100644
|
||||
index 6aaa33cf7622..7264d4036427 100644
|
||||
--- a/daemon/graphdriver/btrfs/btrfs.go
|
||||
+++ b/daemon/graphdriver/btrfs/btrfs.go
|
||||
@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
|
||||
@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
|
||||
|
||||
/*
|
||||
#include <stdlib.h>
|
||||
@ -42,5 +42,5 @@ index d88efc4be2..4e976aa689 100644
|
||||
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
|
||||
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
|
||||
--
|
||||
2.43.0
|
||||
2.45.2
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001
|
||||
From 208a9ba144d7ab21b9717d669a577e2dbbf7ab2e Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
|
||||
Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
|
||||
start
|
||||
|
||||
In the process of making docker-default reloading far less expensive,
|
||||
@ -22,10 +22,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
3 files changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
|
||||
index 6376001613..5fde21a4af 100644
|
||||
index 81e10b6cbec0..e695667a190f 100644
|
||||
--- a/daemon/apparmor_default.go
|
||||
+++ b/daemon/apparmor_default.go
|
||||
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
|
||||
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
|
||||
return ""
|
||||
}
|
||||
|
||||
@ -41,7 +41,7 @@ index 6376001613..5fde21a4af 100644
|
||||
func ensureDefaultAppArmorProfile() error {
|
||||
if apparmor.HostSupports() {
|
||||
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
|
||||
@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
|
||||
@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
|
||||
}
|
||||
|
||||
// Load the profile.
|
||||
@ -54,10 +54,10 @@ index 6376001613..5fde21a4af 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
|
||||
index e3dc18b32b..9c77230562 100644
|
||||
index be4938f5b61a..2b326fea5829 100644
|
||||
--- a/daemon/apparmor_default_unsupported.go
|
||||
+++ b/daemon/apparmor_default_unsupported.go
|
||||
@@ -3,6 +3,10 @@
|
||||
@@ -2,6 +2,10 @@
|
||||
|
||||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
@ -69,11 +69,11 @@ index e3dc18b32b..9c77230562 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
||||
index 4d76c57988..15c95b50c4 100644
|
||||
index c28e3063d576..c3228a084cb1 100644
|
||||
--- a/daemon/daemon.go
|
||||
+++ b/daemon/daemon.go
|
||||
@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
||||
@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||
log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
|
||||
}
|
||||
|
||||
- // ensureDefaultAppArmorProfile does nothing if apparmor is disabled
|
||||
@ -81,9 +81,9 @@ index 4d76c57988..15c95b50c4 100644
|
||||
+ // Make sure we clobber any pre-existing docker-default profile to ensure
|
||||
+ // that upgrades to the profile actually work smoothly.
|
||||
+ if err := clobberDefaultAppArmorProfile(); err != nil {
|
||||
logrus.Errorf(err.Error())
|
||||
log.G(ctx).Errorf(err.Error())
|
||||
}
|
||||
|
||||
--
|
||||
2.43.0
|
||||
2.45.2
|
||||
|
||||
|
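Review bot: `log.G(ctx).Errorf(err.Error())` on the new side of the daemon.go hunk passes the error text as the format string, so any `%` in the message is interpreted as a verb and `go vet` reports the non-constant format; the rebase carried over the old `logrus.Errorf(err.Error())` shape instead of correcting it. Prefer `log.G(ctx).Errorf("%v", err)` or simply `log.G(ctx).Error(err)`. A failed clobber is only logged, so the daemon keeps running with whatever docker-default profile is already loaded; if that is the intended trade-off, a one-line comment such as `// Non-fatal: a stale docker-default profile is preferable to no daemon.` would make it explicit for the next rebase. The enclosing NewDaemon body continues outside the hunk.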
@ -1,7 +1,7 @@
|
||||
From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001
|
||||
From 3dd554c3bdb8a01c28651b6b8a405a5d735d02d9 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 11 Oct 2023 21:19:12 +1100
|
||||
Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from
|
||||
Subject: [PATCH 5/7] SLE12: revert "apparmor: remove version-conditionals from
|
||||
template"
|
||||
|
||||
This reverts the following commits:
|
||||
@ -17,15 +17,16 @@ apparmor_parser version is quite old.
|
||||
|
||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
---
|
||||
contrib/apparmor/main.go | 16 ++++++++++++++--
|
||||
contrib/apparmor/template.go | 16 ++++++++++++++++
|
||||
pkg/aaparser/aaparser.go | 2 --
|
||||
profiles/apparmor/apparmor.go | 14 ++++++++++++--
|
||||
profiles/apparmor/template.go | 4 ++++
|
||||
5 files changed, 46 insertions(+), 6 deletions(-)
|
||||
contrib/apparmor/main.go | 16 ++++++-
|
||||
contrib/apparmor/template.go | 16 +++++++
|
||||
pkg/aaparser/aaparser.go | 86 +++++++++++++++++++++++++++++++++++
|
||||
profiles/apparmor/apparmor.go | 16 ++++++-
|
||||
profiles/apparmor/template.go | 4 ++
|
||||
5 files changed, 134 insertions(+), 4 deletions(-)
|
||||
create mode 100644 pkg/aaparser/aaparser.go
|
||||
|
||||
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
|
||||
index d67890d265..f4a2978b86 100644
|
||||
index 899d8378edae..93f98cbd20e5 100644
|
||||
--- a/contrib/apparmor/main.go
|
||||
+++ b/contrib/apparmor/main.go
|
||||
@@ -6,9 +6,13 @@ import (
|
||||
@ -68,7 +69,7 @@ index d67890d265..f4a2978b86 100644
|
||||
log.Fatalf("executing template failed: %v", err)
|
||||
}
|
||||
diff --git a/contrib/apparmor/template.go b/contrib/apparmor/template.go
|
||||
index 58afcbe845..e6d0b6d37c 100644
|
||||
index 58afcbe845ee..e6d0b6d37c58 100644
|
||||
--- a/contrib/apparmor/template.go
|
||||
+++ b/contrib/apparmor/template.go
|
||||
@@ -20,9 +20,11 @@ profile /usr/bin/docker (attach_disconnected, complain) {
|
||||
@ -156,24 +157,107 @@ index 58afcbe845..e6d0b6d37c 100644
|
||||
/lib/** rm,
|
||||
/usr/bin/xz rm,
|
||||
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
|
||||
index 3d7c2c5a97..2b5a2605f9 100644
|
||||
--- a/pkg/aaparser/aaparser.go
|
||||
new file mode 100644
|
||||
index 000000000000..89b48b2dba58
|
||||
--- /dev/null
|
||||
+++ b/pkg/aaparser/aaparser.go
|
||||
@@ -13,8 +13,6 @@ const (
|
||||
)
|
||||
|
||||
// GetVersion returns the major and minor version of apparmor_parser.
|
||||
-//
|
||||
-// Deprecated: no longer used, and will be removed in the next release.
|
||||
func GetVersion() (int, error) {
|
||||
output, err := cmd("", "--version")
|
||||
if err != nil {
|
||||
@@ -0,0 +1,86 @@
|
||||
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
|
||||
+package aaparser // import "github.com/docker/docker/pkg/aaparser"
|
||||
+
|
||||
+import (
|
||||
+ "fmt"
|
||||
+ "os/exec"
|
||||
+ "strconv"
|
||||
+ "strings"
|
||||
+)
|
||||
+
|
||||
+const (
|
||||
+ binary = "apparmor_parser"
|
||||
+)
|
||||
+
|
||||
+// GetVersion returns the major and minor version of apparmor_parser.
|
||||
+func GetVersion() (int, error) {
|
||||
+ output, err := cmd("", "--version")
|
||||
+ if err != nil {
|
||||
+ return -1, err
|
||||
+ }
|
||||
+
|
||||
+ return parseVersion(output)
|
||||
+}
|
||||
+
|
||||
+// cmd runs `apparmor_parser` with the passed arguments.
|
||||
+func cmd(dir string, arg ...string) (string, error) {
|
||||
+ c := exec.Command(binary, arg...)
|
||||
+ c.Dir = dir
|
||||
+
|
||||
+ output, err := c.CombinedOutput()
|
||||
+ if err != nil {
|
||||
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
|
||||
+ }
|
||||
+
|
||||
+ return string(output), nil
|
||||
+}
|
||||
+
|
||||
+// parseVersion takes the output from `apparmor_parser --version` and returns
|
||||
+// a representation of the {major, minor, patch} version as a single number of
|
||||
+// the form MMmmPPP {major, minor, patch}.
|
||||
+func parseVersion(output string) (int, error) {
|
||||
+ // output is in the form of the following:
|
||||
+ // AppArmor parser version 2.9.1
|
||||
+ // Copyright (C) 1999-2008 Novell Inc.
|
||||
+ // Copyright 2009-2012 Canonical Ltd.
|
||||
+
|
||||
+ lines := strings.SplitN(output, "\n", 2)
|
||||
+ words := strings.Split(lines[0], " ")
|
||||
+ version := words[len(words)-1]
|
||||
+
|
||||
+ // trim "-beta1" suffix from version="3.0.0-beta1" if exists
|
||||
+ version = strings.SplitN(version, "-", 2)[0]
|
||||
+ // also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10)
|
||||
+ version = strings.SplitN(version, "~", 2)[0]
|
||||
+
|
||||
+ // split by major minor version
|
||||
+ v := strings.Split(version, ".")
|
||||
+ if len(v) == 0 || len(v) > 3 {
|
||||
+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
|
||||
+ }
|
||||
+
|
||||
+ // Default the versions to 0.
|
||||
+ var majorVersion, minorVersion, patchLevel int
|
||||
+
|
||||
+ majorVersion, err := strconv.Atoi(v[0])
|
||||
+ if err != nil {
|
||||
+ return -1, err
|
||||
+ }
|
||||
+
|
||||
+ if len(v) > 1 {
|
||||
+ minorVersion, err = strconv.Atoi(v[1])
|
||||
+ if err != nil {
|
||||
+ return -1, err
|
||||
+ }
|
||||
+ }
|
||||
+ if len(v) > 2 {
|
||||
+ patchLevel, err = strconv.Atoi(v[2])
|
||||
+ if err != nil {
|
||||
+ return -1, err
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ // major*10^5 + minor*10^3 + patch*10^0
|
||||
+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
|
||||
+ return numericVersion, nil
|
||||
+}
|
||||
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
|
||||
index d0f2361605..b3566b2f73 100644
|
||||
index 1edfc5300235..0d23b940bdf4 100644
|
||||
--- a/profiles/apparmor/apparmor.go
|
||||
+++ b/profiles/apparmor/apparmor.go
|
||||
@@ -14,8 +14,10 @@ import (
|
||||
"github.com/docker/docker/pkg/aaparser"
|
||||
@@ -11,10 +11,14 @@ import (
|
||||
"path"
|
||||
"strings"
|
||||
"text/template"
|
||||
+
|
||||
+ "github.com/docker/docker/pkg/aaparser"
|
||||
)
|
||||
|
||||
-// profileDirectory is the file store for apparmor profiles and macros.
|
||||
@ -185,7 +269,7 @@ index d0f2361605..b3566b2f73 100644
|
||||
|
||||
// profileData holds information about the given profile for generation.
|
||||
type profileData struct {
|
||||
@@ -27,6 +29,8 @@ type profileData struct {
|
||||
@@ -26,6 +30,8 @@ type profileData struct {
|
||||
Imports []string
|
||||
// InnerImports defines the apparmor functions to import in the profile.
|
||||
InnerImports []string
|
||||
@ -194,7 +278,7 @@ index d0f2361605..b3566b2f73 100644
|
||||
}
|
||||
|
||||
// generateDefault creates an apparmor profile from ProfileData.
|
||||
@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
|
||||
@@ -45,6 +51,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
|
||||
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
|
||||
}
|
||||
|
||||
@ -208,17 +292,18 @@ index d0f2361605..b3566b2f73 100644
|
||||
}
|
||||
|
||||
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
|
||||
index 9f207e2014..626e5f6789 100644
|
||||
index 8dbc1b610288..2062aab1ac99 100644
|
||||
--- a/profiles/apparmor/template.go
|
||||
+++ b/profiles/apparmor/template.go
|
||||
@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
@@ -23,6 +23,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
capability,
|
||||
file,
|
||||
umount,
|
||||
+{{if ge .Version 208096}}
|
||||
# Host (privileged) processes may send signals to container processes.
|
||||
signal (receive) peer=unconfined,
|
||||
# dockerd may send signals to container processes (for "docker kill").
|
||||
# runc may send signals to container processes (for "docker stop").
|
||||
@@ -33,6 +34,7 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
signal (receive) peer={{.DaemonProfile}},
|
||||
# Container processes may send signals amongst themselves.
|
||||
signal (send,receive) peer={{.Name}},
|
||||
@ -226,7 +311,7 @@ index 9f207e2014..626e5f6789 100644
|
||||
|
||||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
||||
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
||||
@@ -50,7 +52,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
@@ -53,7 +55,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||
deny /sys/devices/virtual/powercap/** rwklx,
|
||||
deny /sys/kernel/security/** rwklx,
|
||||
|
||||
@ -237,5 +322,5 @@ index 9f207e2014..626e5f6789 100644
|
||||
}
|
||||
`
|
||||
--
|
||||
2.43.0
|
||||
2.45.2
|
||||
|
||||
|
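Review bot: In the re-added `parseVersion` (pkg/aaparser/aaparser.go hunk), `numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel` only preserves the documented MMmmPPP ordering while minor < 100 and patch < 1000; nothing rejects larger components, so a minor of 100 would compare as the next major and could wrongly satisfy the `{{if ge .Version 208096}}` guards in profiles/apparmor/template.go. A range check before the arithmetic makes that failure explicit: `if minorVersion > 99 || patchLevel > 999 { return -1, fmt.Errorf("version component out of range in output: %q", output) }`. The `GetVersion` doc comment also says it returns "the major and minor version" while the function returns this combined number; `// GetVersion returns the apparmor_parser version encoded as MMmmPPP (see parseVersion).` would match the code.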
4415
0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
Normal file
4415
0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
Normal file
@ -0,0 +1,53 @@
|
||||
From a60ba6a7cae1bfc679e5a34646ffe1d4702d91e0 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <cyphar@cyphar.com>
|
||||
Date: Wed, 19 Jun 2024 16:30:49 +1000
|
||||
Subject: [PATCH 7/7] bsc1214855: volume: use AtomicWriteFile to save volume
|
||||
options
|
||||
|
||||
If the system (or Docker) crashes while saivng the volume options, on
|
||||
restart the daemon will error out when trying to read the options file
|
||||
because it doesn't contain valid JSON.
|
||||
|
||||
In such a crash scenario, the new volume will be treated as though it
|
||||
has the default options configuration. This is not ideal, but volumes
|
||||
created on very old Docker versions (pre-1.11[1], circa 2016) do not
|
||||
have opts.json and so doing some kind of cleanup when loading the volume
|
||||
store (even if we take care to only delete empty volumes) could delete
|
||||
existing volumes carried over from very old Docker versions that users
|
||||
would not expect to disappear.
|
||||
|
||||
Ultimately, if a user creates a volume and the system crashes, a volume
|
||||
that has the wrong config is better than Docker not being able to start.
|
||||
|
||||
[1]: commit b05b2370757d ("Support mount opts for `local` volume driver")
|
||||
|
||||
SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1214855
|
||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||
---
|
||||
volume/local/local.go | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/volume/local/local.go b/volume/local/local.go
|
||||
index 6e96aeea4189..4412f34a3da9 100644
|
||||
--- a/volume/local/local.go
|
||||
+++ b/volume/local/local.go
|
||||
@@ -17,6 +17,7 @@ import (
|
||||
"github.com/docker/docker/daemon/names"
|
||||
"github.com/docker/docker/errdefs"
|
||||
"github.com/docker/docker/pkg/idtools"
|
||||
+ "github.com/docker/docker/pkg/ioutils"
|
||||
"github.com/docker/docker/quota"
|
||||
"github.com/docker/docker/volume"
|
||||
"github.com/pkg/errors"
|
||||
@@ -388,7 +389,7 @@ func (v *localVolume) saveOpts() error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
- err = os.WriteFile(filepath.Join(v.rootPath, "opts.json"), b, 0o600)
|
||||
+ err = ioutils.AtomicWriteFile(filepath.Join(v.rootPath, "opts.json"), b, 0o600)
|
||||
if err != nil {
|
||||
return errdefs.System(errors.Wrap(err, "error while persisting volume options"))
|
||||
}
|
||||
--
|
||||
2.45.2
|
||||
|
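Review bot: Switching to `ioutils.AtomicWriteFile` removes the torn-write case, but as far as I can tell from the moby helper it syncs and renames the temporary file without fsyncing the containing directory, so a crash immediately after the rename can still leave opts.json missing and the volume silently falls back to default options; if that matters here, a follow-up `Sync()` on an `os.Open(v.rootPath)` handle after the write would close that window — worth confirming against the helper's implementation. The error path is unchanged, so a failed atomic write is still surfaced as a system error. The enclosing saveOpts body starts outside the hunk. The patch description also has a typo, `saivng` → `saving`.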
9
_service
9
_service
@ -3,16 +3,17 @@
|
||||
<param name="url">https://github.com/moby/moby.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">24.0.7_ce_%h</param>
|
||||
<param name="revision">v24.0.7</param>
|
||||
<param name="versionformat">25.0.6_ce_%h</param>
|
||||
<param name="revision">v25.0.6</param>
|
||||
<param name="filename">docker</param>
|
||||
</service>
|
||||
<service name="tar_scm" mode="manual">
|
||||
<param name="url">https://github.com/docker/cli.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">24.0.7_ce</param>
|
||||
<param name="revision">v24.0.7</param>
|
||||
<param name="versionformat">25.0.6_ce</param>
|
||||
<!-- They didn't release a version of docker-cli for this update. -->
|
||||
<param name="revision">v25.0.5</param>
|
||||
<param name="filename">docker-cli</param>
|
||||
</service>
|
||||
<service name="recompress" mode="manual">
|
||||
|
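Review bot: The docker-cli service sets `versionformat` to `25.0.6_ce` while `revision` stays at `v25.0.5`, so the generated docker-cli-25.0.6_ce.tar.xz is labelled with a version its contents do not correspond to; the XML comment explains why, but anyone verifying the source tarball against the upstream tag will be misled. Consider keeping `<param name="versionformat">25.0.5_ce</param>` so the artifact name matches the checked-out tag, or extend the comment to state that the tarball holds v25.0.5 sources relabelled for packaging. The moby service above is consistent (both fields say 25.0.6).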
BIN
docker-24.0.7_ce_311b9ff0aa93.tar.xz
(Stored with Git LFS)
BIN
docker-24.0.7_ce_311b9ff0aa93.tar.xz
(Stored with Git LFS)
BIN
docker-25.0.6_ce_b08a51fe16ee.tar.xz
(Stored with Git LFS)
Normal file
BIN
docker-25.0.6_ce_b08a51fe16ee.tar.xz
(Stored with Git LFS)
Normal file
BIN
docker-cli-24.0.7_ce.tar.xz
(Stored with Git LFS)
BIN
docker-cli-24.0.7_ce.tar.xz
(Stored with Git LFS)
BIN
docker-cli-25.0.6_ce.tar.xz
(Stored with Git LFS)
Normal file
BIN
docker-cli-25.0.6_ce.tar.xz
(Stored with Git LFS)
Normal file
@ -1,8 +1,96 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 31 04:58:15 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
[NOTE: This update was only ever released in SLES and Leap.]
|
||||
|
||||
- Update to Docker 25.0.6-ce. See upstream changelog online at
|
||||
<https://docs.docker.com/engine/release-notes/25.0/#2506>
|
||||
- This update includes a fix for CVE-2024-41110. bsc#1228324
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
* 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
||||
* 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Jun 24 08:15:24 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
- Fix BuildKit's symlink resolution logic to correctly handle non-lexical
|
||||
symlinks. Backport of <https://github.com/moby/buildkit/pull/4896> and
|
||||
<https://github.com/moby/buildkit/pull/5060>. bsc#1221916
|
||||
+ 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
||||
- Write volume options atomically so sudden system crashes won't result in
|
||||
future Docker starts failing due to empty files. Backport of
|
||||
<https://github.com/moby/moby/pull/48034>. bsc#1214855
|
||||
+ 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 25 12:34:56 UTC 2024 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
[NOTE: This update was only ever released in SLES and Leap.]
|
||||
|
||||
- Update to Docker 25.0.5-ce. See upstream changelog online at
|
||||
<https://docs.docker.com/engine/release-notes/25.0/#2505> bsc#1223409
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
* cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||
- Remove upstreamed patches:
|
||||
- 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
|
||||
- Update --add-runtime to point to correct binary path.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Mar 8 07:46:11 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
||||
|
||||
[NOTE: This update was only ever released in SLES and Leap.]
|
||||
|
||||
- Add patch to fix bsc#1220339
|
||||
* 0007-daemon-overlay2-remove-world-writable-permission-fro.patch
|
||||
|
||||
- rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
* 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 22 14:13:42 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
|
||||
|
||||
- Allow to disable apparmor support (ALP supports only SELinux)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 17 12:56:22 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
|
||||
|
||||
- Update to Docker 25.0.3-ce. See upstream changelog online at
|
||||
<https://docs.docker.com/engine/release-notes/25.0/#2503>
|
||||
- Fixes:
|
||||
* bsc#1219267 - CVE-2024-23651
|
||||
* bsc#1219268 - CVE-2024-23652
|
||||
* bsc#1219438 - CVE-2024-23653
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
* cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||
- Remove upstreamed patches:
|
||||
- 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
||||
|
||||
@ -27,12 +115,12 @@ Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 27 21:14:37 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to Docker 24.0.7-ce. See upstream changelong online at
|
||||
- Update to Docker 24.0.7-ce. See upstream changelog online at
|
||||
<https://docs.docker.com/engine/release-notes/24.0/#2407>. bsc#1217513
|
||||
* Deny containers access to /sys/devices/virtual/powercap by default.
|
||||
- CVE-2020-8694 bsc#1170415
|
||||
- CVE-2020-8695 bsc#1170446
|
||||
- CVE-2020-12912 bsc#1178760
|
||||
- CVE-2020-8695 bsc#1170446
|
||||
- CVE-2020-12912 bsc#1178760
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
@ -56,7 +144,7 @@ Wed Oct 11 10:32:43 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||
-------------------------------------------------------------------
|
||||
Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to Docker 24.0.6-ce. See upstream changelong online at
|
||||
- Update to Docker 24.0.6-ce. See upstream changelog online at
|
||||
<https://docs.docker.com/engine/release-notes/24.0/#2406>. bsc#1215323
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
@ -72,7 +160,7 @@ Thu Sep 14 01:46:30 UTC 2023 - Aleksa Sarai <asarai@suse.com>
|
||||
-------------------------------------------------------------------
|
||||
Tue Jul 25 19:40:25 UTC 2023 - Dirk Müller <dmueller@suse.com>
|
||||
|
||||
- Update to Docker 24.0.5-ce. See upstream changelong online at
|
||||
- Update to Docker 24.0.5-ce. See upstream changelog online at
|
||||
<https://docs.docker.com/engine/release-notes/24.0/#2405>. bsc#1213229
|
||||
|
||||
-------------------------------------------------------------------
|
||||
|
@ -16,7 +16,7 @@ EnvironmentFile=/etc/sysconfig/docker
|
||||
# enabled by default because enabling socket activation means that on boot your
|
||||
# containers won't start until someone tries to administer the Docker daemon.
|
||||
Type=notify
|
||||
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/docker-runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
|
||||
ExecStart=/usr/bin/dockerd --add-runtime oci=/usr/sbin/runc $DOCKER_NETWORK_OPTIONS $DOCKER_OPTS
|
||||
ExecReload=/bin/kill -s HUP $MAINPID
|
||||
|
||||
# Having non-zero Limit*s causes performance problems due to accounting overhead
|
||||
|
24
docker.spec
24
docker.spec
@ -32,9 +32,9 @@
|
||||
# helpfully injects into our build environment from the changelog). If you want
|
||||
# to generate a new git_commit_epoch, use this:
|
||||
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
||||
%define real_version 24.0.7
|
||||
%define git_version 311b9ff0aa93
|
||||
%define git_commit_epoch 1698306665
|
||||
%define real_version 25.0.6
|
||||
%define git_version b08a51fe16ee
|
||||
%define git_commit_epoch 1721861837
|
||||
|
||||
Name: docker
|
||||
Version: %{real_version}_ce
|
||||
@ -71,13 +71,13 @@ Patch200: 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||
Patch201: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
# UPSTREAM: Revert of upstream patches to make apparmor work on SLE 12.
|
||||
Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||
# UPSTREAM: Backport of <https://github.com/moby/buildkit/pull/4896> and
|
||||
# <https://github.com/moby/buildkit/pull/5060>.
|
||||
Patch203: 0006-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
|
||||
# UPSTREAM: Backport of <https://github.com/moby/moby/pull/48034>.
|
||||
Patch204: 0007-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
|
||||
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
|
||||
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||
# bugfix for:
|
||||
# bsc#1219438: CVE-2024-23653
|
||||
# bsc#1219268: CVE-2024-23652
|
||||
# bsc#1219267: CVE-2024-23651
|
||||
Patch901: 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
|
||||
BuildRequires: audit
|
||||
BuildRequires: bash-completion
|
||||
BuildRequires: ca-certificates
|
||||
@ -97,7 +97,7 @@ BuildRequires: fish
|
||||
BuildRequires: go-go-md2man
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
BuildRequires: sysuser-tools
|
||||
BuildRequires: golang(API) = 1.20
|
||||
BuildRequires: golang(API) = 1.21
|
||||
%if %{with apparmor}
|
||||
%if 0%{?sle_version} >= 150000
|
||||
# This conditional only works on rpm>=4.13, which SLE 12 doesn't have. But we
|
||||
@ -232,8 +232,10 @@ cp %{SOURCE130} .
|
||||
%patch -P201 -p1
|
||||
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
|
||||
%patch -P202 -p1
|
||||
# temporary buildkit bugfixes
|
||||
%patch -P901 -p1
|
||||
# bsc#1221916
|
||||
%patch -P203 -p1
|
||||
# bsc#1214855
|
||||
%patch -P204 -p1
|
||||
|
||||
%build
|
||||
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
|
||||
|