diff --git a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index 1804931..a2d2645 100644 --- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,8 @@ -From 947743a263df2f482db763db568f39aab2970b2d Mon Sep 17 00:00:00 2001 +From a94378d92f7ef523b17aa399ce83b27f7986980f Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/9] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 01/13] SECRETS: daemon: allow directory creation in + /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -69,5 +70,5 @@ index 290ec59a34a7..b7013fb89c83 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.46.0 +2.47.0 diff --git a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch index fd5f51e..f108416 100644 --- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch +++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch @@ -1,7 +1,7 @@ -From 24afdcdb967fbb6e108b452d2e05e917d29cb184 Mon Sep 17 00:00:00 2001 +From 009cad241857541779baa2a9fae8291597dc85f8 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/9] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 02/10] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. 
@@ -14,12 +14,12 @@ THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT MAKES BUILDS NOT ENTIRELY REPRODUCIBLE. -SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 +SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348 Signed-off-by: Aleksa Sarai --- daemon/start.go | 5 + - daemon/suse_secrets.go | 439 +++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 444 insertions(+) + daemon/suse_secrets.go | 461 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 466 insertions(+) create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go @@ -40,10 +40,10 @@ index 2e0b9e6be847..dca04486888f 100644 return errdefs.System(err) diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 -index 000000000000..f003299522df +index 000000000000..85b37bf46544 --- /dev/null +++ b/daemon/suse_secrets.go -@@ -0,0 +1,439 @@ +@@ -0,0 +1,461 @@ +/* + * suse-secrets: patch for Docker to implement SUSE secrets + * Copyright (C) 2017-2021 SUSE LLC. 
@@ -86,12 +86,46 @@ index 000000000000..f003299522df + "github.com/sirupsen/logrus" +) + ++const suseSecretsTogglePath = "/etc/docker/suse-secrets-enable" ++ ++// parseEnableFile parses a file that can only contain "0" or "1" (with some ++// whitespace). ++func parseEnableFile(path string) (bool, error) { ++ data, err := os.ReadFile(path) ++ if err != nil { ++ return false, err ++ } ++ data = bytes.TrimSpace(data) ++ ++ switch value := string(data); value { ++ case "1": ++ return true, nil ++ case "0", "": ++ return false, nil ++ default: ++ return false, fmt.Errorf("invalid value %q (must be 0 to disable or 1 to enable)", value) ++ } ++} ++ ++func isSuseSecretsEnabled() bool { ++ value, err := parseEnableFile(suseSecretsTogglePath) ++ if err != nil { ++ logrus.Warnf("SUSE:secrets :: error parsing %s: %v -- disabling SUSE secrets", suseSecretsTogglePath, err) ++ value = false ++ } ++ return value ++} ++ ++var suseSecretsEnabled = true ++ +func init() { -+ // Output to tell us in logs that SUSE:secrets is enabled. -+ if isSuseSecretEnabled() { -+ logrus.Infof("SUSE:secrets :: enabled") ++ // Make this entire feature toggle-able so that users can disable it if ++ // they run into issues like bsc#1231348. ++ suseSecretsEnabled = isSuseSecretsEnabled() ++ if suseSecretsEnabled { ++ logrus.Infof("SUSE:secrets :: SUSEConnect support enabled (set %s to 0 to disable)", suseSecretsTogglePath) + } else { -+ logrus.Infof("SUSE:secrets :: disabled by DOCKER_SUSE_SECRETS_ENABLE=0") ++ logrus.Infof("SUSE:secrets :: SUSEConnect support disabled by %s", suseSecretsTogglePath) + } +} + 
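Review bot: `parseEnableFile` hands the raw `os.ReadFile` error back for a missing toggle file, so a host without /etc/docker/suse-secrets-enable logs `error parsing ... -- disabling SUSE secrets` at Warn level in `isSuseSecretsEnabled` and the feature is switched off. Failing closed is the right default for something that mounts host credentials into every container, but nothing in the code states that an absent file is a supported "disabled" state rather than a misconfiguration, and `var suseSecretsEnabled = true` reads as if enabled were the fallback even though `init` always overwrites it. I would pin the contract in a doc comment, `// isSuseSecretsEnabled reports whether the toggle file contains "1"; a missing, unreadable or malformed file disables the feature (fail closed).`, and log the absent-file case on its own, `if errors.Is(err, os.ErrNotExist) { logrus.Infof("SUSE:secrets :: %s not present -- disabling SUSE secrets", suseSecretsTogglePath); return false }`, ahead of the existing warning (the import block is outside this hunk, so `errors` may need adding there). The comment on `parseEnableFile` should also say that an empty file is treated as "0", which the `case "0", "":` arm does.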
@@ -408,7 +442,7 @@ index 000000000000..f003299522df + var without []*swarmtypes.SecretReference + for _, secret := range c.SecretReferences { + if strings.HasPrefix(secret.SecretID, "suse") { -+ logrus.Warnf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID) ++ logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID) + continue + } + without = append(without, secret) @@ -416,24 +450,18 @@ index 000000000000..f003299522df + c.SecretReferences = without +} + -+func isSuseSecretEnabled() bool { -+ env := os.Getenv("DOCKER_SUSE_SECRETS_ENABLE") -+ switch env { -+ case "0", "no": -+ return false -+ default: -+ logrus.Errorf("SUSE:secrets :: DOCKER_SUSE_SECRETS_ENABLE=%q is an invalid value, keeping SUSE secrets enabled", env) -+ fallthrough -+ case "", "1", "yes": -+ return true -+ } -+} -+ +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error { -+ // Allow users to disable SUSE secrets in cases where they don't need it -+ // (in principle you only really need containers-suseconnect when you're -+ // building images). bsc#1231348 -+ if !isSuseSecretEnabled() { ++ // We drop any "old" SUSE secrets, as it appears that old containers (when ++ // restarted) could still have references to old secrets. The .id() of all ++ // secrets have a prefix of "suse" so this is much easier. See bsc#1057743 ++ // for details on why this could cause issues. ++ removeSuseSecrets(c) ++ ++ // Don't inject anything if the administrator has disabled suse secrets. ++ // However, for previous existing containers we need to remove old secrets ++ // (see above), otherwise they will still have old secret data. ++ if !suseSecretsEnabled { ++ logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath) + return nil + } + 
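Review bot: Deleting `isSuseSecretEnabled` removes the `DOCKER_SUSE_SECRETS_ENABLE` environment knob with no transition: an administrator who disabled credential injection through it (the removed Oct 15 changelog entry documented setting it in /etc/sysconfig/docker) silently gets secrets re-enabled after this update, because `suseSecretsEnabled` is now driven only by the toggle file, which the package installs with `1`. A one-time check next to the new file lookup that reports the stale setting, e.g. `if v := os.Getenv("DOCKER_SUSE_SECRETS_ENABLE"); v != "" { logrus.Warnf("SUSE:secrets :: DOCKER_SUSE_SECRETS_ENABLE=%q is no longer honoured; use %s instead", v, suseSecretsTogglePath) }`, would make the change visible on exactly the hosts that relied on it. Calling `removeSuseSecrets(c)` before the enabled check is the right order, but together with the Warnf→Debugf downgrade in `removeSuseSecrets` the removal of stale secret references from existing containers is now invisible at the default log level, which is worth a sentence in the comment above the call. `injectSuseSecretStore` continues past the end of this hunk.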
@@ -446,12 +474,6 @@ index 000000000000..f003299522df + newDependencyStore.dfl = emptyStore + } + -+ // We drop any "old" SUSE secrets, as it appears that old containers (when -+ // restarted) could still have references to old secrets. The .id() of all -+ // secrets have a prefix of "suse" so this is much easier. See bsc#1057743 -+ // for details on why this could cause issues. -+ removeSuseSecrets(c) -+ + secrets, err := getHostSuseSecretData() + if err != nil { + return err @@ -484,5 +506,5 @@ index 000000000000..f003299522df + return nil +} -- -2.47.0 +2.47.1 diff --git a/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch b/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch index 6735d39..4fb3626 100644 --- a/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch +++ b/0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch @@ -1,8 +1,8 @@ -From c1889321c8c598a177f076d52319c6fbd2fe8e1b Mon Sep 17 00:00:00 2001 +From 7824330a0012e6b1d9b00db40a7c58b42d6adbfd Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Mon, 22 May 2023 15:44:54 +1000 -Subject: [PATCH 3/9] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI - headers" +Subject: [PATCH 03/13] BUILD: SLE12: revert "graphdriver/btrfs: use kernel + UAPI headers" This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d. @@ -42,5 +42,5 @@ index d88efc4be2bb..4e976aa689cd 100644 static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) { snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value); -- -2.46.0 +2.47.0 diff --git a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index c56949a..37100ce 100644 --- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch 
@@ -1,7 +1,7 @@ -From d653a55bf541f5a12927a981c59c4134614e8bc0 Mon Sep 17 00:00:00 2001 +From 5deaa3fad88f7a6d8d5d342e23d3e2027571b9e2 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 4/9] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 04/13] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -85,5 +85,5 @@ index 585d85086f8d..6e4c6ad1ac01 100644 } -- -2.46.0 +2.47.0 diff --git a/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch b/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch index 1a7f0ef..ab647d2 100644 --- a/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch +++ b/0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch @@ -1,8 +1,8 @@ -From 700e0e1fb127504d2524bbea962b07430dab2df2 Mon Sep 17 00:00:00 2001 +From 6e3d78c8d9f569ed7142994a802e2bce988b59bf Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 11 Oct 2023 21:19:12 +1100 -Subject: [PATCH 5/9] SLE12: revert "apparmor: remove version-conditionals from - template" +Subject: [PATCH 05/13] SLE12: revert "apparmor: remove version-conditionals + from template" This reverts the following commits: @@ -237,5 +237,5 @@ index 9f207e2014a8..626e5f6789a3 100644 } ` -- -2.46.0 +2.47.0 diff --git a/0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch b/0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch index d45c124..94433ce 100644 --- a/0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch +++ b/0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch @@ -1,7 +1,7 @@ -From fe759bf0da0b91a65aeb7e11fd86ee087a7d23d5 Mon Sep 17 00:00:00 2001 +From d3d04b94a209b056c30bec37ce9dd42f646ebd54 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= Date: Tue, 13 Feb 2024 16:57:32 +0100 -Subject: [PATCH 6/9] CVE-2024-23653: update buildkit to include CVE patches +Subject: [PATCH 06/13] CVE-2024-23653: update buildkit to include CVE patches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -3146,5 +3146,5 @@ index dd3fb54fefd2..2a3b597c5858 100644 resenje.org/singleflight +# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 -- -2.46.0 +2.47.0 diff --git a/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch b/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch index cd78b97..ad22444 100644 --- a/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch +++ b/0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch @@ -1,7 +1,7 @@ -From 9c6101a7e554d6e09983ec59d631390568c664d1 Mon Sep 17 00:00:00 2001 +From 7719675180f785c4e92df7efc25df9adc882b289 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 2 May 2024 22:50:23 +1000 -Subject: [PATCH 7/9] bsc1221916: update to patched buildkit version to fix +Subject: [PATCH 07/13] bsc1221916: update to patched buildkit version to fix symlink resolution SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1221916 @@ -894,5 +894,5 @@ index 2a3b597c5858..335c85392288 100644 -# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814025459-5d3afed3f7b4 +# github.com/moby/buildkit => github.com/cyphar/buildkit v0.0.0-20240814030244-ea1ca9670261 -- -2.46.0 +2.47.0 diff --git a/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch b/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch index a5c0b29..4ee4b9c 100644 --- a/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch +++ b/0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch 
@@ -1,7 +1,7 @@ -From b50a8d343af0323ad2e615b652d8a653a14b2232 Mon Sep 17 00:00:00 2001 +From b6213c77313f15ac74a551b9a03670fce06280fb Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 19 Jun 2024 16:30:49 +1000 -Subject: [PATCH 8/9] bsc1214855: volume: use AtomicWriteFile to save volume +Subject: [PATCH 08/13] bsc1214855: volume: use AtomicWriteFile to save volume options If the system (or Docker) crashes while saivng the volume options, on @@ -49,5 +49,5 @@ index b4f3a3669a84..077b26f1b813 100644 return errdefs.System(errors.Wrap(err, "error while persisting volume options")) } -- -2.46.0 +2.47.0 diff --git a/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch b/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch index 684f596..9fd13be 100644 --- a/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch +++ b/0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch @@ -1,7 +1,7 @@ -From c005f7c2a1ec8061d15ba0e3d4db23c3fa9838e5 Mon Sep 17 00:00:00 2001 +From 989f5ae4dea1619b7e1d7ec7f9cac8d64b3a2209 Mon Sep 17 00:00:00 2001 From: Jameson Hyde Date: Mon, 26 Nov 2018 14:15:22 -0500 -Subject: [PATCH 9/9] CVE-2024-41110: AuthZ plugin securty fixes +Subject: [PATCH 09/13] CVE-2024-41110: AuthZ plugin securty fixes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -205,5 +205,5 @@ index 835cb703839b..8bfe44e1a840 100644 } } -- -2.46.0 +2.47.0 diff --git a/0010-TESTS-backport-fixes-for-integration-tests.patch b/0010-TESTS-backport-fixes-for-integration-tests.patch new file mode 100644 index 0000000..601888f --- /dev/null +++ b/0010-TESTS-backport-fixes-for-integration-tests.patch 
@@ -0,0 +1,65 @@
+From 971d5a3b8431c9263060b12c6b131ebb8158a389 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai
+Date: Thu, 21 Nov 2024 20:00:07 +1100
+Subject: [PATCH 10/10] TESTS: backport fixes for integration tests
+
+We need a couple of patches to make the tests work on SLES:
+
+ * 143b3b2ef3d0 ("test: update registry version to latest")
+ * 1a453abfb172 ("integration-cli: don't skip AppArmor tests on SLES")
+
+Signed-off-by: Aleksa Sarai
+---
+ Dockerfile | 2 +-
+ integration-cli/requirements_test.go | 3 ---
+ testutil/registry/registry.go | 4 +++-
+ 3 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Dockerfile b/Dockerfile
+index 463d5cfc1a86..7a23962af09b 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -59,7 +59,7 @@ WORKDIR /go/src/github.com/docker/distribution
+ # from the https://github.com/docker/distribution repository. This version of
+ # the registry is used to test both schema 1 and schema 2 manifests. Generally,
+ # the version specified here should match a current release.
+-ARG REGISTRY_VERSION=v2.3.0
++ARG REGISTRY_VERSION=v2.8.2
+ # REGISTRY_VERSION_SCHEMA1 specifies the version of the registry to build and
+ # install from the https://github.com/docker/distribution repository.
This is + # an older (pre v2.3.0) version of the registry that only supports schema1 +diff --git a/integration-cli/requirements_test.go b/integration-cli/requirements_test.go +index 2313272d7704..e5f72397e1bc 100644 +--- a/integration-cli/requirements_test.go ++++ b/integration-cli/requirements_test.go +@@ -85,9 +85,6 @@ func Network() bool { + } + + func Apparmor() bool { +- if strings.HasPrefix(testEnv.DaemonInfo.OperatingSystem, "SUSE Linux Enterprise Server ") { +- return false +- } + buf, err := os.ReadFile("/sys/module/apparmor/parameters/enabled") + return err == nil && len(buf) > 1 && buf[0] == 'Y' + } +diff --git a/testutil/registry/registry.go b/testutil/registry/registry.go +index 9213db2ba21a..d8bfe17678a4 100644 +--- a/testutil/registry/registry.go ++++ b/testutil/registry/registry.go +@@ -107,10 +107,12 @@ http: + } + + binary := V2binary ++ args := []string{"serve", confPath} + if c.schema1 { + binary = V2binarySchema1 ++ args = []string{confPath} + } +- cmd := exec.Command(binary, confPath) ++ cmd := exec.Command(binary, args...) + cmd.Stdout = c.stdout + cmd.Stderr = c.stderr + if err := cmd.Start(); err != nil { +-- +2.47.1 + diff --git a/_service b/_service index bf34287..401d30b 100644 --- a/_service +++ b/_service @@ -19,8 +19,8 @@ https://github.com/docker/buildx.git git .git - 0.17.1 - v0.17.1 + 0.19.2 + v0.19.2 docker-buildx diff --git a/docker-buildx-0.17.1.tar.xz b/docker-buildx-0.17.1.tar.xz deleted file mode 100644 index a0ad0be..0000000 --- a/docker-buildx-0.17.1.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fd0f81752a02e20b611f95a35718bdc44eb1e203e0fd80d7afb87dfd8135c300 -size 6445376 diff --git a/docker-buildx-0.19.2.tar.xz b/docker-buildx-0.19.2.tar.xz new file mode 100644 index 0000000..d69b8f4 --- /dev/null +++ b/docker-buildx-0.19.2.tar.xz 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d915e0d1a81e1ec04bd2d37223e46d8e0438d326d713cde9d059ff2e809bf5b2
+size 6479440
diff --git a/docker-integration.sh b/docker-integration.sh
new file mode 100644
index 0000000..07282d8
--- /dev/null
+++ b/docker-integration.sh
@@ -0,0 +1,294 @@
+#!/bin/bash
+# docker-integration: run Docker's integration tests
+# Copyright (C) 2024 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -Eeuo pipefail
+
+TESTDIR=/usr/src/docker-test
+TEST_SRCDIR="$TESTDIR/src"
+TEST_BINDIR="$TESTDIR/bin"
+
+TMPROOT="$(mktemp --tmpdir -d docker-integration-tmpdir.XXXXXX)"
+TMPDIR="$TMPROOT/tmp"
+DEST="$TMPROOT/dest"
+
+mkdir -p "$TMPDIR" "$TEST_BINDIR" "$DEST"
+chmod 1777 "$TMPDIR"
+chmod 777 "$TMPROOT"
+
+function usage() {
+ cat >&2 <<-EOF
+ docker-integration.sh [-Av] [-r TestName] [-t timeout] [...]
+
+ Arguments:
+ -A
+ Run all tests (do not fail on first suite failure).
+ -v
+ Run tests in verbose mode (go test -v).
+ -r
+ Only run tests that match the given regular expression (go test -run).
+ -t
+ Set the per-suite timeout to (go test -timeout).
+ ...
+ Only run the given test suites in /usr/src/docker-test. The
+ default is to run all test suites
+
+ Examples:
+
+ Run the build and network integration tests with a 60 minute timeout:
+
+ ./docker-integration.sh -t 60m integration/build integration/network
+
+ Run all of the tests in verbose mode with a 6 hour timeout:
+
+ ./docker-integration.sh -Av -t 360m
+
+ This script is maintained by openSUSE in the Virtualization:containers
+ project, and is only intended to be used by openSUSE developers.
+ EOF
+ exit "${1:-1}"
+}
+
+fail_fast=1
+verbose=
+filter=
+timeout=20m
+while getopts "Ahr:t:v" opt; do
+ case "$opt" in
+ A)
+ fail_fast=
+ ;;
+ v)
+ verbose=1
+ ;;
+ r)
+ filter="$OPTARG"
+ ;;
+ t)
+ timeout="$OPTARG"
+ ;;
+ h)
+ usage 0
+ ;;
+ :)
+ echo "Missing argument: -$OPTARG" >&2
+ usage 1
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ usage 1
+ ;;
+ esac
+done
+
+pushd "$TEST_SRCDIR"
+
+if [ "$OPTIND" -le "$#" ]; then
+ SUITES=("${@:$OPTIND:$(($#+1))}")
+else
+ readarray -t SUITES <<<"$(find . -type f -name test.main -printf "%h\n")"
+fi
+echo "Planning to run suites {${SUITES[*]}}."
+
+# Download the frozen images.
+if ! [ -d /docker-frozen-images ]; then
+ # TODO: Get the hashes from /usr/src/docker-test/Dockerfile...
+ contrib/download-frozen-image-v2.sh "$TMPDIR/docker-frozen-images" \
+ busybox:latest@sha256:95cf004f559831017cdf4628aaf1bb30133677be8702a8c5f2994629f637a209 \
+ busybox:glibc@sha256:1f81263701cddf6402afe9f33fca0266d9fff379e59b1748f33d3072da71ee85 \
+ debian:bookworm-slim@sha256:2bc5c236e9b262645a323e9088dfa3bb1ecb16cc75811daf40a23a824d665be9 \
+ hello-world:latest@sha256:d58e752213a51785838f9eed2b7a498ffa1cb3aa7f946dda11af39286c3db9a9 \
+ arm32v7/hello-world:latest@sha256:50b8560ad574c779908da71f7ce370c0a2471c098d44d1c8f6b513c5a55eeeb1
+ sudo cp -r "$TMPDIR/docker-frozen-images" /
+fi
+
+# Create binaries in $TEST_BINDIR.
+if ! [ -e "$TEST_BINDIR/docker-basic-plugin" ]; then
+ (
+ pushd "$TEST_SRCDIR/testutil/fixtures/plugin/basic"
+
+ [ -f go.mod ] || go mod init docker-basic-plugin
+ go build -o "$TEST_BINDIR/docker-basic-plugin" .
+ )
+fi
+if ! [ -e "$TEST_BINDIR/registry-v2" ]; then
+ # The v2.x tags of Docker registry don't use go.mod, and pre-date the move
+ # to github.com/distribution, so we need to create a fake GOPATH with the
+ # old github.com/docker/distribution import path.
+ (
+ # shellcheck disable=SC2030
+ GOPATH="$(mktemp -d -p "$TMPROOT" distribution-build-gopath.XXXXXX)"
+ export GOPATH
+ pushd "$GOPATH"
+
+ git clone \
+ --depth=1 --branch=v2.8.3 \
+ https://github.com/distribution/distribution.git \
+ src/github.com/docker/distribution
+
+ pushd src/github.com/docker/distribution
+
+ GO111MODULE=off go build -o "$TEST_BINDIR/registry-v2" ./cmd/registry
+ )
+fi
+if ! [ -e "$TEST_BINDIR/ctr" ]; then
+ containerd-ctr --help >/dev/null
+ ln -sf "$(which containerd-ctr)" "$TEST_BINDIR/ctr"
+fi
+if ! [ -e "$TEST_BINDIR/docker" ]; then
+ # The integration-cli tests require a Docker 17.06.2 client (from 2017).
+ # This is mainly because the tests are all based on the specific output the
+ # client gives, and some tests fail on modern client versions.
+ (
+ # shellcheck disable=SC2030
+ GOPATH="$(mktemp -d -p "$TMPROOT" docker-cli-build-gopath.XXXXXX)"
+ export GOPATH
+ pushd "$GOPATH"
+
+ # This tag also comes from the time when this was called
+ # github.com/docker/docker-ce-packaging, so we need to work around this
+ # by moving the cli component into the right path...
+ git clone \
+ --depth=1 --branch=v17.06.2-ce \
+ https://github.com/docker/cli.git \
+ src/github.com/docker/docker-ce-packaging
+ mv \
+ src/github.com/docker/docker-ce-packaging/components/cli \
+ src/github.com/docker/cli
+
+ pushd src/github.com/docker/cli
+ GO111MODULE=off go build -o "$TEST_BINDIR/docker" ./cmd/docker
+ )
+fi
+
+# Create an unprivilegeduser account for tests.
+if ! ( grep unprivilegeduser /etc/passwd &>/dev/null ); then
+ useradd --create-home --gid docker unprivilegeduser
+fi
+
+# Disable SUSE secrets for tests, as some tests (TestDiff from
+# integration/container) will fail if we have secrets injected.
+[ -e /etc/docker/suse-secrets-enable ] && \
+ mv -nv /etc/docker/suse-secrets-enable{,-DISABLED}
+sudo systemctl restart docker
+
+# Make sure docker-buildx is disabled.
+[ -e /usr/lib/docker/cli-plugins/docker-buildx ] && \
+ mv -nv /usr/lib/docker/cli-plugins/docker-buildx{,-DISABLED}
+
+# Disable any daemon configurations.
+[ -e /etc/docker/daemon.json ] && \
+ mv -nv /etc/docker/daemon.json{,.DISABLED}
+
+set -x
+
+# In order for< gotest.tools/v3/assert> to parse the source and give us useful
+# error messages, we have to create a fake source directory that points at
+# $TEST_SRCDIR. This path is replaced with %{docker_builddir} during the
+# docker.spec build.
+__DOCKER_BUILDIR="@@docker_builddir@@"
+DOCKER_BUILDDIR="${DOCKER_BUILDDIR:-$__DOCKER_BUILDIR}"
+sudo rm -rvf "$DOCKER_BUILDDIR"
+sudo mkdir -p "$(dirname "$DOCKER_BUILDDIR")"
+sudo ln -svf "$TEST_SRCDIR" "$DOCKER_BUILDDIR"
+
+# Clean up any old containers/images/networks/volumes before running the tests.
+# We need to do this *BEFORE* we set PATH, as the outdated $TEST_BINDIR/docker
+# doesn't support some of these commands.
+docker container prune -f
+docker image prune -af
+#docker buildx prune -af
+docker network prune -f
+docker volume prune -af
+[ -z "$(docker plugin ls -q)" ] || docker plugin ls -q | xargs docker plugin rm -f
+docker system prune -af
+
+export DOCKERFILE="$TEST_SRCDIR/Dockerfile"
+export TMPDIR="$TMPDIR"
+export TEMP="$TMPDIR"
+export HOME="$TMPDIR/fake-home"
+export DEST="$TEST_SRCDIR/bundles/dummy-dir"
+export ABS_DEST="$DEST"
+export PATH="$TEST_BINDIR:$PATH"
+
+export TZ=UTC
+export DOCKER_INTEGRATION_DAEMON_DEST="$ABS_DEST"
+export DOCKER_HOST=unix:///run/docker.sock
+export DOCKER_GRAPHDRIVER=overlay2
+export DOCKER_USERLANDPROXY=true
+export DOCKER_REMAP_ROOT="${DOCKER_REMAP_ROOT:-}"
+export DOCKER_TMPDIR="$TMPDIR"
+
+set +x
+
+# Make sure that we have a dummy "destination" directory for tests.
+rm -rf "$DOCKER_INTEGRATION_DAEMON_DEST"
+mkdir -p "$DOCKER_INTEGRATION_DAEMON_DEST"
+
+# Install the emptyfs images.
+sh ./hack/make/.build-empty-images
+
+ls -la "$TMPROOT"
+
+success=0
+failed_suites=()
+for suite_name in "${SUITES[@]}"; do
+ suite_name="${suite_name#*./}"
+ pushd "$TEST_SRCDIR/$suite_name"
+
+ test_flags=()
+ [ -n "$verbose" ] && test_flags+=("-test.v")
+ [ -n "$filter" ] && test_flags+=("-test.run" "$filter")
+
+ if [[ "$suite_name" == "integration-cli" ]]; then
+ # We need to disable docker-buildx for the integration-cli tests
+ # because otherwise the "docker build" command will use the wrong
+ # builder and the output won't match what the tests expect.
+ timeout=360m
+ fi
+ test_flags+=("-test.timeout" "$timeout")
+
+ echo "Running suite $suite_name (${test_flags[*]}) [success=$success fail=${#failed_suites[@]}]"
+
+ set -x +e
+ sudo -E HOME="$HOME" TMPDIR="$TMPDIR" PATH="$PATH" \
+ ./test.main "${test_flags[@]}"
+ err="$?"
+ if (( err != 0 )); then
+ [ -z "$fail_fast" ] || exit "$err"
+ failed_suites+=("$suite_name")
+ else
+ (( success++ ))
+ fi
+ set +x -e
+
+ popd
+done
+
+[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
+ mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
+
+[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
+ mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
+
+[ -e /etc/docker/daemon.json.DISABLED ] && \
+ mv -nv /etc/docker/daemon.json{.DISABLED,}
+
+echo "Suite results: $success success(es) ${#failed_suites[*]} failure(s)."
+if (( ${#failed_suites[@]} > 0 )); then
+ echo "Failed suites:"
+ printf " - %s\n" "${failed_suites[@]}"
+ exit 1
+fi
diff --git a/docker-rpmlintrc b/docker-rpmlintrc
index 8d783dc..65d137c 100644
--- a/docker-rpmlintrc
+++ b/docker-rpmlintrc
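Review bot: The host configuration moved aside before the tests (`/etc/docker/suse-secrets-enable`, the docker-buildx CLI plugin and `/etc/docker/daemon.json`) is put back only by the three `mv` lines after the suite loop, which are never reached when the script aborts under `set -Eeuo pipefail` or takes the fail-fast `exit "$err"` branch, and the restore is not followed by a daemon restart, so a failed run leaves the host with credential injection disabled and, once the admin restarts dockerd, still without its daemon.json; the one `sudo systemctl restart docker` also runs before `daemon.json` is moved, so the daemon under test keeps the administrator's settings and moving the file changes nothing for the run. Since daemon.json and the secrets toggle are the hardening and credential-injection settings of the host, the restore belongs in an EXIT trap that also restarts docker, as below, with the restart moved after the last move-aside and the three trailing `mv` lines deleted. Two smaller points: the `if [[ "$suite_name" == "integration-cli" ]]` branch silently overrides a user-supplied `-t` and its comment talks about disabling docker-buildx, which happens elsewhere — `# integration-cli is far larger than the other suites, so give it a longer timeout regardless of -t` would match the code; and `registry-v2` and the 17.06 `docker` client are built from `git clone --branch=<tag>` while the frozen images are pinned by digest, so recording the expected commit and checking `git rev-parse HEAD` against it would make the test binaries equally reproducible.
```shell
# Put the administrator's configuration back, and restart the daemon so it
# takes effect, however the script exits: suite failure, fail-fast exit, or
# an error caught by `set -e`.
function restore_host_config() {
	[ -e /usr/lib/docker/cli-plugins/docker-buildx-DISABLED ] && \
		mv -nv /usr/lib/docker/cli-plugins/docker-buildx{-DISABLED,}
	[ -e /etc/docker/suse-secrets-enable-DISABLED ] && \
		mv -nv /etc/docker/suse-secrets-enable{-DISABLED,}
	[ -e /etc/docker/daemon.json.DISABLED ] && \
		mv -nv /etc/docker/daemon.json{.DISABLED,}
	sudo systemctl restart docker || true
}
trap restore_host_config EXIT

# … unchanged: the three move-aside blocks for suse-secrets-enable, docker-buildx and daemon.json …

# Restart only once all three have been moved aside.
sudo systemctl restart docker
```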
@@ -1,6 +1,7 @@ -# The #! comes from upstream. -addFilter ("^docker-bash-completion.noarch: W: sourced-script-with-shebang /etc/bash_completion.d/docker bash") -addFilter ("^docker-zsh-completion.noarch: W: sourced-script-with-shebang /etc/zsh_completion.d/docker zsh") +addFilter("^docker-(stable-)?bash-completion.noarch: (E|W): non-executable-script /usr/share/bash-completion/completions/docker") +addFilter("^docker-(stable-)?zsh-completion.noarch: W: non-conffile-in-etc /etc/zsh_completion.d/_docker") -# -test is something that is used internally and isn't actually shipped -- it's a pseduo-source package. -addFilter ("^docker-test.*") +# The docker-integration-tests-devel package contains all of the source code of +# Docker, which causes a bunch of warnings. Note that +# docker-integration-tests-devel is used internally and isn't actually shipped. +addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*") diff --git a/docker-stable.changes b/docker-stable.changes index 11a95cf..9f86081 100644 --- a/docker-stable.changes +++ b/docker-stable.changes 
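Review bot: `addFilter("^docker-(stable-)?integration-tests-devel\..*: (E|W): .*")` suppresses every rpmlint error and warning for the subpackage, so a permission, setuid or packaging finding on a package that ships the whole Docker source tree plus PIE test binaries would never surface. Even for a devel-only package it is worth naming the checks the tree actually trips, as the two new completion filters do, instead of `.*`, so that a new class of finding still fails the build.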
@@ -1,13 +1,65 @@ +------------------------------------------------------------------- +Wed Dec 11 10:14:56 UTC 2024 - Aleksa Sarai + +- Update docker-buildx to v0.19.2. See upstream changelog online at + . + + Some notable changelogs from the last update: + * + * +- Update to Go 1.22. + +------------------------------------------------------------------- +Wed Dec 11 05:39:42 UTC 2024 - Aleksa Sarai + +- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to + disable the SUSEConnect integration with Docker (which creates special mounts + in /run/secrets to allow container-suseconnect to authenticate containers + with registries on registered hosts). bsc#1231348 bsc#1232999 + + In order to disable these mounts, just do + + echo 0 > /etc/docker/suse-secrets-enable + + and restart Docker. In order to re-enable them, just do + + echo 1 > /etc/docker/suse-secrets-enable + + and restart Docker. Docker will output information on startup to tell you + whether the SUSE secrets feature is enabled or not. + + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + ------------------------------------------------------------------- Wed Nov 27 12:10:42 UTC 2024 - Aleksa Sarai -[NOTE: This update was only ever released in SLES and Leap.] - - Disable docker-buildx builds for SLES. It turns out that build containers with docker-buildx don't currently get the SUSE secrets mounts applied, meaning that container-suseconnect doesn't work when building images. bsc#1233819 +------------------------------------------------------------------- +Wed Nov 20 05:34:38 UTC 2024 - Aleksa Sarai + +- Add docker-integration-tests-devel subpackage for building and running the + upstream Docker integration tests on machines to test that Docker works + properly. Users should not install this package. +- docker-rpmlintrc updated to include allow-list for all of the integration + tests package, since it contains a bunch of stuff that wouldn't normally be + allowed. 
+- Rebased patches: + * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch + * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch + * 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch + * 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch + * 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch + * 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch +- Added patches: + + 0010-TESTS-backport-fixes-for-integration-tests.patch + ------------------------------------------------------------------- Tue Nov 12 06:34:28 UTC 2024 - Aleksa Sarai @@ -30,12 +82,6 @@ Wed Oct 16 05:37:14 UTC 2024 - Aleksa Sarai are replacing. See upstream changelog online at -------------------------------------------------------------------- -Tue Oct 15 04:58:46 UTC 2024 - Aleksa Sarai - -- Allow users to disable SUSE secrets support by setting - DOCKER_SUSE_SECRETS_ENABLE=0 in /etc/sysconfig/docker. bsc#1231348 - ------------------------------------------------------------------- Sat Sep 7 13:10:30 UTC 2024 - Aleksa Sarai diff --git a/docker-stable.spec b/docker-stable.spec index f4bcf85..96e9073 100644 --- a/docker-stable.spec +++ b/docker-stable.spec @@ -19,11 +19,18 @@ %bcond_without apparmor +# This subpackage is only used for testing by developers, and shouldn't be +# built for actual users. +%bcond_with integration_tests + +%if 0%{?is_opensuse} == 0 +# SUSEConnect support ("SUSE secrets") only makes sense for SLES hosts. +%bcond_without suseconnect # There is currently a known bug between buildx and SUSE secrets, so we don't # package docker-buildx for SLES. bsc#1233819 -%if 0%{?is_opensuse} == 0 %bcond_with buildx %else +%bcond_with suseconnect %bcond_without buildx %endif 
@@ -35,6 +42,9 @@ # is guaranteed to see the relevant warning. %define update_messages %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release} +# Test binaries. +%define testdir /usr/src/docker-test + #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates @@ -50,7 +60,7 @@ %if %{with buildx} # MANUAL: This needs to be updated with every docker-buildx update. -%define buildx_version 0.17.1 +%define buildx_version 0.19.2 %endif # Used when generating the "build" information for Docker version. The value of @@ -87,6 +97,8 @@ Source130: README_SUSE.md Source140: docker-audit.rules Source150: docker-daemon.json Source160: docker.sysusers +# docker-integration-tests-devel +Source900: docker-integration.sh # NOTE: All of these patches are maintained in # in the suse-v branch. Make sure you update the patches in that # branch and then git-format-patch the patch here. @@ -113,6 +125,9 @@ Patch205: 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch # UPSTREAM: Backport of # fix. CVE-2024-41110 Patch206: 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch +# UPSTREAM: Backport of and +# . +Patch299: 0010-TESTS-backport-fixes-for-integration-tests.patch # UPSTREAM: Backport of . Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch BuildRequires: audit @@ -133,7 +148,7 @@ BuildRequires: procps BuildRequires: sqlite3-devel BuildRequires: sysuser-tools BuildRequires: zsh -BuildRequires: golang(API) = 1.21 +BuildRequires: golang(API) = 1.22 BuildRequires: pkgconfig(libsystemd) %if %{with apparmor} %if 0%{?sle_version} >= 150000 
@@ -258,6 +273,27 @@ Rootless support for Docker. Use dockerd-rootless.sh to run the daemon. Use dockerd-rootless-setuptool.sh to setup systemd for dockerd-rootless.sh. +%if %{with integration_tests} +%package integration-tests-devel +Summary: Rootless support for Docker +Group: TestSuite +Requires: %{name} = %{docker_version} +Requires: containerd-ctr +Requires: curl +Requires: gcc +Requires: git +Requires: glibc-devel-static +Requires: go +Requires: jq +Requires: libcap-progs + +%description integration-tests-devel +Integration testing binaries for Docker. + +THIS PACKAGE SHOULD NOT BE INSTALLED BY END-USERS, IT IS ONLY INTENDED FOR +INTERNAL DEVELOPMENT OF THE DOCKER PACKAGE FOR (OPEN)SUSE. +%endif + %package bash-completion Summary: Bash Completion for %{name} Group: System/Shells @@ -337,7 +373,7 @@ Fish command line completion support for %{name}. # README_SUSE.md for documentation. cp %{SOURCE130} . -%if 0%{?is_opensuse} == 0 +%if %{with suseconnect} # PATCH-SUSE: Secrets patches. %patch -P100 -p1 %patch -P101 -p1 @@ -358,6 +394,10 @@ cp %{SOURCE130} . %patch -P205 -p1 # CVE-2024-41110 %patch -P206 -p1 +%if %{with integration_tests} +# integration-tests patches +%patch -P299 -p1 +%endif %build %sysusers_generate_pre %{SOURCE160} %{name} docker.conf @@ -392,6 +432,21 @@ pushd "%{docker_builddir}" ln -s {vendor,go}.mod ln -s {vendor,go}.sum ./hack/make.sh dynbinary + +%if %{with integration_tests} +# build test binaries for integration tests +readarray -t integration_dirs \ + <<<"$(go list -test -f '{{- if ne .ForTest "" -}}{{- .Dir -}}{{- end -}}' ./integration/... ./integration-cli/...)" +for dir in "${integration_dirs[@]}" +do + pushd "$dir" + go test -c -buildmode=pie -tags "$BUILDTAGS" -o test.main . + popd +done +# Update __DOCKER_BUILDIR in the integration testing script. +sed -i 's|^__DOCKER_BUILDIR=.*|__DOCKER_BUILDIR=%{docker_builddir}|g' "%{SOURCE900}" +%endif + popd ################### 
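Review bot: `Summary: Rootless support for Docker` in the new `%package integration-tests-devel` stanza is copied from the rootless subpackage whose description forms this hunk's leading context, so the test package will advertise itself as rootless support in package listings; it should read something like `Summary: Integration test binaries for %{name}`. The `%description` below it already says what the package is and who it is for, so only the Summary line needs the change.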
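Review bot: The `go list -test` template prints an empty line for every listed package whose `.ForTest` is empty (the plain, non-test variant is always listed), and the two test variants of one package both carry a non-empty `.ForTest` with the same `.Dir`, so `integration_dirs` likely contains blank entries that reach `pushd ""` as well as duplicate directories that are compiled twice; piping the list through `| grep -v '^$' | sort -u` before `readarray` avoids both. The `sed -i` on `"%{SOURCE900}"` rewrites the packaged source file in place rather than a copy in the build tree; the usual pattern is `cp %{SOURCE900} docker-integration.sh`, run `sed -i` on that copy, and install the copy (the install line in `@@ -479,6 +538,16 @@` would then reference it), which also keeps the value of `__DOCKER_BUILDIR` obviously a build artifact. `$BUILDTAGS` and the enclosing `pushd "%{docker_builddir}"` block are defined outside this hunk, so I take them as given.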
@@ -442,6 +497,10 @@ install -D -m0755 %{buildx_builddir}/bin/build/docker-buildx %{buildroot}/usr/li install -d %{buildroot}/%{_localstatedir}/lib/docker # daemon.json config file install -D -m0644 %{SOURCE150} %{buildroot}%{_sysconfdir}/docker/daemon.json +%if %{with suseconnect} +# SUSE-specific config file +echo 1 > %{buildroot}%{_sysconfdir}/docker/suse-secrets-enable +%endif # docker cli install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker @@ -479,6 +538,16 @@ install -D -m0644 %{SOURCE160} %{buildroot}%{_sysusersdir}/docker.conf install -D -p -m 0755 contrib/dockerd-rootless.sh %{buildroot}/%{_bindir}/dockerd-rootless.sh install -D -p -m 0755 contrib/dockerd-rootless-setuptool.sh %{buildroot}/%{_bindir}/dockerd-rootless-setuptool.sh +%if %{with integration_tests} +# integration tests +install -d %{buildroot}%{testdir} +cp -ar %{docker_builddir} %{buildroot}%{testdir}/src +install -d %{buildroot}%{testdir}/bin +install -D -p -m 0755 %{SOURCE900} %{buildroot}%{testdir}/docker-integration.sh +# remove all of the non-test binaries in bundles/ +rm -rfv %{buildroot}%{testdir}/src/bundles/ +%endif + %fdupes %{buildroot} %pre -f %{name}.pre @@ -528,6 +597,9 @@ grep -q '^dockremap:' /etc/subgid || \ %dir %{_sysconfdir}/docker %config(noreplace) %{_sysconfdir}/docker/daemon.json +%if %{with suseconnect} +%config(noreplace) %{_sysconfdir}/docker/suse-secrets-enable +%endif %{_fillupdir}/sysconfig.docker %dir %attr(750,root,root) %{_sysconfdir}/audit/rules.d @@ -550,6 +622,12 @@ grep -q '^dockremap:' /etc/subgid || \ %{_bindir}/dockerd-rootless.sh %{_bindir}/dockerd-rootless-setuptool.sh +%if %{with integration_tests} +%files integration-tests-devel +%defattr(-,root,root) +%{testdir} +%endif + %files bash-completion %defattr(-,root,root) %{_datarootdir}/bash-completion/completions/docker
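Review bot: `echo 1 > %{buildroot}%{_sysconfdir}/docker/suse-secrets-enable` creates the file with whatever mode the build umask yields, and the matching `%files` entry added in `@@ -528,6 +597,9 @@` does not pin it either, so the mode of what is presumably the on/off switch for the SUSE secrets feature (bsc#1231348 in the changelog hunk above) is left to the build environment. The `daemon.json` line just above uses `install -D -m0644`, so the flag should get an explicit mode as well, e.g. `%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/docker/suse-secrets-enable` in the `%files` hunk. `%config(noreplace)` is the right choice here because it preserves an administrator's `0` across upgrades; a short comment next to the `%files` entry, e.g. `# Feature flag read by the daemon; admins set it to 0 to disable SUSE secrets (bsc#1231348)`, would help the next maintainer, assuming the daemon-side check reads this path.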
