- Remove git-core recommends on SLE. Most SLE systems have
installRecommends=yes by default and thus end up installing git with Docker.
bsc#1250508
This feature is mostly intended for developers ("docker build git://") so
most users already have the dependency installed, and the error when git is
missing is fairly straightforward (so they can easily figure out what they
need to install).
- Include historical changelog data from before the docker-stable fork. The
initial changelog entry did technically provide all the necessary
information, but our CVE tracking tools do not understand how the package is
forked and so it seems that this package does not include fixes for ~12 years
of updates. So, include a copy of the original package's changelog up until
the fork point. bsc#1250596
OBS-URL: https://build.opensuse.org/request/show/1307633
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=35
- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
Docker does not have permission to access the host zypper credentials in this
mode (and unprivileged users cannot disable the feature using
/etc/docker/suse-secrets-enable.) bsc#1240150
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Rebase patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
* 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
* 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
* 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
* 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
* 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
* 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
* 0014-TESTS-backport-fixes-for-integration-tests.patch
OBS-URL: https://build.opensuse.org/request/show/1283415
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=27
- Always clear SUSEConnect suse_* secrets when starting containers regardless
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
- 0006-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
+ 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
- 0007-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
+ 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
- 0008-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
+ 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
- 0009-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
+ 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
- 0010-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
+ 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
- 0011-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+ 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0012-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+ 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- 0013-TESTS-backport-fixes-for-integration-tests.patch
+ 0014-TESTS-backport-fixes-for-integration-tests.patch
OBS-URL: https://build.opensuse.org/request/show/1282503
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=25
- Update to docker-buildx v0.22.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
OBS-URL: https://build.opensuse.org/request/show/1268263
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=23
- Update docker-buildx to v0.19.2. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
Some notable changelogs from the last update:
* <https://github.com/docker/buildx/releases/tag/v0.19.0>
* <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
disable the SUSEConnect integration with Docker (which creates special mounts
in /run/secrets to allow container-suseconnect to authenticate containers
with registries on registered hosts). bsc#1231348 bsc#1232999
In order to disable these mounts, just do
echo 0 > /etc/docker/suse-secrets-enable
and restart Docker. In order to re-enable them, just do
echo 1 > /etc/docker/suse-secrets-enable
and restart Docker. Docker will output information on startup to tell you
whether the SUSE secrets feature is enabled or not.
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Add docker-integration-tests-devel subpackage for building and running the
upstream Docker integration tests on machines to test that Docker works
properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
tests package, since it contains a bunch of stuff that wouldn't normally be
allowed.
- Added patches:
+ 0010-TESTS-backport-fixes-for-integration-tests.patch
OBS-URL: https://build.opensuse.org/request/show/1230067
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker-stable?expand=0&rev=11
