Accepting request 1297601 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1297601
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker-stable?expand=0&rev=14

0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From e643d35b32d7f6219dc65919c8ecc8860e7f2846 Mon Sep 17 00:00:00 2001
+From a102adce24c2b15ad3db0fa39cff2a336781923e Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 03/14] SECRETS: SUSE: implement SUSE container secrets
@@ -18,8 +18,8 @@ SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702 bsc#1231348
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 418 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 423 insertions(+)
+ daemon/suse_secrets.go | 438 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 443 insertions(+)
 
 diff --git a/daemon/start.go b/daemon/start.go
 index 9fb77b5cfe17..90557aeee15a 100644
@@ -38,15 +38,16 @@ index 9fb77b5cfe17..90557aeee15a 100644
  	if err != nil {
  		return errdefs.System(err)
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
-index b8f3d9f9c094..3f77185fa5e5 100644
+index b8f3d9f9c094..9ff3fa6d31e4 100644
 --- a/daemon/suse_secrets.go
 +++ b/daemon/suse_secrets.go
-@@ -18,15 +18,377 @@
+@@ -18,15 +18,379 @@
  package daemon
  
  import (
 +	"archive/tar"
 +	"bytes"
++	"errors"
 +	"fmt"
 +	"io"
 +	"io/ioutil"
@@ -58,6 +59,7 @@ index b8f3d9f9c094..3f77185fa5e5 100644
  	"github.com/docker/docker/container"
 +	"github.com/docker/docker/pkg/archive"
 +	"github.com/docker/docker/pkg/idtools"
++	"github.com/docker/docker/pkg/rootless"
  
  	swarmtypes "github.com/docker/docker/api/types/swarm"
 +	swarmexec "github.com/moby/swarmkit/v2/agent/exec"
@@ -198,11 +200,11 @@ index b8f3d9f9c094..3f77185fa5e5 100644
 +		IncludeSourceDir: true,
 +	})
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %v", path, err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to tar source directory %q: %w", path, err)
 +	}
 +	tarStreamBytes, err := ioutil.ReadAll(tarStream)
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %v", err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read full tar archive: %w", err)
 +	}
 +
 +	// Get a list of the symlinks in the tar archive.
@@ -214,7 +216,7 @@ index b8f3d9f9c094..3f77185fa5e5 100644
 +			break
 +		}
 +		if err != nil {
-+			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %v", err)
++			return nil, fmt.Errorf("SUSE:secrets :: failed to read through tar reader: %w", err)
 +		}
 +		if hdr.Typeflag == tar.TypeSymlink {
 +			symlinks = append(symlinks, hdr.Name)
@@ -235,7 +237,7 @@ index b8f3d9f9c094..3f77185fa5e5 100644
 +			// Get a copy of the original byte stream.
 +			oldContent, err := ioutil.ReadAll(r)
 +			if err != nil {
-+				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %v", tarPath, err)
++				return nil, nil, fmt.Errorf("suse_rewrite: failed to read archive entry %q: %w", tarPath, err)
 +			}
 +
 +			// Check that the file actually exists.
@@ -273,7 +275,7 @@ index b8f3d9f9c094..3f77185fa5e5 100644
 +	tarStream = archive.ReplaceFileTarWrapper(ioutil.NopCloser(bytes.NewBuffer(tarStreamBytes)), symlinkModifyMap)
 +	tarStreamBytes, err = ioutil.ReadAll(tarStream)
 +	if err != nil {
-+		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %v", err)
++		return nil, fmt.Errorf("SUSE:secrets :: failed to read rewritten archive: %w", err)
 +	}
 +
 +	// Add the tar stream as a "file".
@@ -419,11 +421,15 @@ index b8f3d9f9c094..3f77185fa5e5 100644
  // clearSuseSecrets removes any SecretReferences which were added by us
  // explicitly (this is detected by checking that the prefix has a 'suse_'
  // prefix, which is a prefix that cannot exist for normal swarm secrets). See
-@@ -42,3 +404,59 @@ func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
+@@ -42,3 +406,77 @@ func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
  	}
  	c.SecretReferences = without
  }
 +
++func (daemon *Daemon) isRootless() bool {
++	return os.Geteuid() != 0 || daemon.Rootless() || rootless.RunningWithRootlessKit()
++}
++
 +func (daemon *Daemon) injectSuseSecretStore(c *container.Container) error {
 +	// We drop any "old" SUSE secrets, as it appears that old containers (when
 +	// restarted) could still have references to old secrets. The .id() of all
@@ -438,6 +444,13 @@ index b8f3d9f9c094..3f77185fa5e5 100644
 +		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container %q because of %s", c.ID, suseSecretsTogglePath)
 +		return nil
 +	}
++	// Unprivileged users (or Docker in rootless mode, in a user namespace)
++	// cannot access host zypper credentials so there is no real point even
++	// trying to inject them into the container. bsc#1240150
++	if daemon.isRootless() {
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container in rootless mode")
++		return nil
++	}
 +
 +	newDependencyStore := &suseDependencyStore{
 +		dfl:     c.DependencyStore,
@@ -449,6 +462,13 @@ index b8f3d9f9c094..3f77185fa5e5 100644
 +	}
 +
 +	secrets, err := getHostSuseSecretData()
++	if errors.Is(err, os.ErrPermission) {
++		// This should only ever really happen for rootless Docker (which we
++		// already handled above), but ignore permission errors here just in
++		// case. bsc#1240150
++		logrus.Debugf("SUSE:secrets :: skipping injection of secrets into container because of permission error while loading host data")
++		return nil
++	}
 +	if err != nil {
 +		return err
 +	}

0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch

@@ -1,4 +1,4 @@
-From 0d214508ce09867edfd3cf05404a094db5a0cf49 Mon Sep 17 00:00:00 2001
+From ba2fbfac1b3001d2e4e874b30456546f07039f2b Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Mon, 22 May 2023 15:44:54 +1000
 Subject: [PATCH 04/14] BUILD: SLE12: revert "graphdriver/btrfs: use kernel

0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,4 +1,4 @@
-From f138435366fc18a7f9997354f5610b66486807fd Mon Sep 17 00:00:00 2001
+From d89fec1bef20bcc76c07ef886e033bb69fdd6f32 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
 Subject: [PATCH 05/14] bsc1073877: apparmor: clobber docker-default profile on

0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch

@@ -1,4 +1,4 @@
-From 5f61104373e445e97da680264e8ba7b2cb8cbc02 Mon Sep 17 00:00:00 2001
+From 35f1693d5585b742a6749964c9bd05859c33f64b Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 11 Oct 2023 21:19:12 +1100
 Subject: [PATCH 06/14] SLE12: revert "apparmor: remove version-conditionals

0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch

@@ -1,4 +1,4 @@
-From d7777b97391aa6018b7ae8548ccaa361d4901c02 Mon Sep 17 00:00:00 2001
+From e7445110df38791ba94bb4e47c80a22607b3dd9d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20=C4=8Cerm=C3=A1k?= <dcermak@suse.com>
 Date: Tue, 13 Feb 2024 16:57:32 +0100
 Subject: [PATCH 07/14] CVE-2024-2365x: update buildkit to include CVE patches

0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch

@@ -1,4 +1,4 @@
-From 926b2dfab891d47f72fbc44d685cba31bd68b521 Mon Sep 17 00:00:00 2001
+From d5e7d0a4de49083955ecfcb26ddc62e2ba15abb8 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Thu, 2 May 2024 22:50:23 +1000
 Subject: [PATCH 08/14] bsc1221916: update to patched buildkit version to fix

0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch

@@ -1,4 +1,4 @@
-From 976f563db60fda5a991302ed4adff2d2957e5da2 Mon Sep 17 00:00:00 2001
+From 5ada2078fb4c4a0433578fdff1ccff028293117a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Wed, 19 Jun 2024 16:30:49 +1000
 Subject: [PATCH 09/14] bsc1214855: volume: use AtomicWriteFile to save volume

0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch

@@ -1,4 +1,4 @@
-From 2121972b26958c9428e044018aa798eb9418ecf9 Mon Sep 17 00:00:00 2001
+From 1957d4002bf0cc4854d12e4fd1e0a324b973ae18 Mon Sep 17 00:00:00 2001
 From: Jameson Hyde <jameson.hyde@docker.com>
 Date: Mon, 26 Nov 2018 14:15:22 -0500
 Subject: [PATCH 10/14] CVE-2024-41110: AuthZ plugin securty fixes

0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch

@@ -1,4 +1,4 @@
-From d0f85de1cd0fd00165796f30e0e2fa7b88cc9c33 Mon Sep 17 00:00:00 2001
+From 46690092b2a9ae46cc25ef04d3f5417fb8f715dc Mon Sep 17 00:00:00 2001
 From: Albin Kerouanton <albinker@gmail.com>
 Date: Tue, 10 Oct 2023 01:13:25 +0200
 Subject: [PATCH 11/14] CVE-2024-29018: libnet: Don't forward to upstream

0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch

@@ -1,4 +1,4 @@
-From 182046dcf8d27e57bcb71c9d284cc2422726fde5 Mon Sep 17 00:00:00 2001
+From 4b86dca1e44964483c4587dbca1aa1fac42571d9 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Tue, 25 Mar 2025 12:02:42 +1100
 Subject: [PATCH 12/14] CVE-2025-22868: vendor: jws: split token into fixed

0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch

@@ -1,4 +1,4 @@
-From fa2ac6ef56502198f08872dffc20a5edb8b98eb8 Mon Sep 17 00:00:00 2001
+From 0f1bec6ecc1b769c80d02a59f683c4cd634cc5f0 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Tue, 25 Mar 2025 12:05:38 +1100
 Subject: [PATCH 13/14] CVE-2025-22869: vendor: ssh: limit the size of the

0014-TESTS-backport-fixes-for-integration-tests.patch

@@ -1,4 +1,4 @@
-From 884bc2111b6601696dadab203506ff7ca5fd2953 Mon Sep 17 00:00:00 2001
+From 7ba7a35a844985c3599e18bfc4e2ede8f1087bc2 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <cyphar@cyphar.com>
 Date: Thu, 21 Nov 2024 20:00:07 +1100
 Subject: [PATCH 14/14] TESTS: backport fixes for integration tests

0015-bsc1247362-release-container-layer-on-export.patch

@@ -0,0 +1,55 @@
+From 8e736eda0c047c572564e95d97da19fd372f4d33 Mon Sep 17 00:00:00 2001
+From: Joan Grau <grautxo.dev@proton.me>
+Date: Tue, 17 Sep 2024 12:49:02 +0200
+Subject: [PATCH 15/15] bsc1247362: release container layer on export
+
+When running docker export command the container layer is only released
+in case there is an error.
+
+This makes the daemon not being able to remove them when using docker
+rmi or docker system prune leaving the container layer and the image
+used in an orphaned state on the docker file system.
+
+After applying this patch, the layer is always released allowing dockerd
+to remove/prune it.
+
+SUSE-Bugs: https://bugzilla.suse.com/show_bug.cgi?id=1247362
+Signed-off-by: Joan Grau <grautxo.dev@proton.me>
+(Cherry-picked from commit 1aba291cd4ad9d9d1172a72fb6371e67a1403e83.)
+Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
+---
+ daemon/images/image_exporter.go | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/daemon/images/image_exporter.go b/daemon/images/image_exporter.go
+index 88877b01c6b2..ac93b00174c5 100644
+--- a/daemon/images/image_exporter.go
++++ b/daemon/images/image_exporter.go
+@@ -24,12 +24,11 @@ func (i *ImageService) PerformWithBaseFS(ctx context.Context, c *container.Conta
+ 	if err != nil {
+ 		return err
+ 	}
++
+ 	defer func() {
++		err := i.ReleaseLayer(rwlayer)
+ 		if err != nil {
+-			err2 := i.ReleaseLayer(rwlayer)
+-			if err2 != nil {
+-				logrus.WithError(err2).WithField("container", c.ID).Warn("Failed to release layer")
+-			}
++			logrus.WithError(err).WithField("container", c.ID).Warn("Failed to release layer")
+ 		}
+ 	}()
+ 
+@@ -38,6 +37,8 @@ func (i *ImageService) PerformWithBaseFS(ctx context.Context, c *container.Conta
+ 		return err
+ 	}
+ 
++	defer rwlayer.Unmount()
++
+ 	return fn(basefs)
+ }
+ 
+-- 
+2.50.1
+

_service

@@ -19,8 +19,8 @@
     <param name="url">https://github.com/docker/buildx.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">0.22.0</param>
-    <param name="revision">v0.22.0</param>
+    <param name="versionformat">0.25.0</param>
+    <param name="revision">v0.25.0</param>
     <param name="filename">docker-buildx</param>
   </service>
   <service name="recompress" mode="manual">

docker-stable.changes

@@ -1,3 +1,42 @@
+-------------------------------------------------------------------
+Tue Aug  5 05:26:44 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Backport <https://github.com/moby/moby/pull/48517>. bsc#1247362
+  + 0015-bsc1247362-release-container-layer-on-export.patch
+
+-------------------------------------------------------------------
+Thu Jul 17 04:27:33 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Update to docker-buildx v0.25.0. Upstream changelog:
+  <https://github.com/docker/buildx/releases/tag/v0.25.0>
+- Update to Go 1.23 for building now that upstream has switched their 23.0.x
+  LTSS to use Go 1.23.
+
+-------------------------------------------------------------------
+Thu Jun  5 16:12:14 UTC 2025 - Aleksa Sarai <asarai@suse.com>
+
+- Do not try to inject SUSEConnect secrets when in Rootless Docker mode, as
+  Docker does not have permission to access the host zypper credentials in this
+  mode (and unprivileged users cannot disable the feature using
+  /etc/docker/suse-secrets-enable.) bsc#1240150
+
+  * 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+
+- Rebase patches:
+  * 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
+  * 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  * 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  * 0007-CVE-2024-2365x-update-buildkit-to-include-CVE-patche.patch
+  * 0008-bsc1221916-update-to-patched-buildkit-version-to-fix.patch
+  * 0009-bsc1214855-volume-use-AtomicWriteFile-to-save-volume.patch
+  * 0010-CVE-2024-41110-AuthZ-plugin-securty-fixes.patch
+  * 0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
+  * 0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
+  * 0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+  * 0014-TESTS-backport-fixes-for-integration-tests.patch
+
 -------------------------------------------------------------------
 Wed Jun  4 05:21:19 UTC 2025 - Aleksa Sarai <asarai@suse.com>
 
@@ -236,6 +275,14 @@ Wed Jun 16 04:18:11 UTC 2024 - Aleksa Sarai <asarai@suse.com>
 
 - Initial docker-stable release, forked from Docker 24.0.6-ce release
   (packaged on 2023-10-11).
+- Patches included from snapshot:
+  + 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  + 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  + 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+  + 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  + 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+  + 0006-CVE-2024-23653-update-buildkit-to-include-CVE-patche.patch
+  + cli-0001-docs-include-required-tools-in-source-tree.patch
 - Update to Docker 24.0.9-ce, which is the latest version of the 24.0.x branch.
   It seems likely this will be the last upstream version of the 24.0.x branch
   (it seems Mirantis is going to do LTS for 23.0.x, not 24.0.x).

docker-stable.spec

@@ -60,7 +60,7 @@
 
 %if %{with buildx}
 # MANUAL: This needs to be updated with every docker-buildx update.
-%define buildx_version 0.22.0
+%define buildx_version 0.25.0
 %endif
 
 # Used when generating the "build" information for Docker version. The value of
@@ -133,6 +133,8 @@ Patch207:       0011-CVE-2024-29018-libnet-Don-t-forward-to-upstream-reso.patch
 Patch208:       0012-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
 # UPSTREAM: Backport of <https://go-review.googlesource.com/c/crypto/+/652135>. CVE-2025-22869
 Patch209:       0013-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
+# UPSTREAM: Backport of <https://github.com/moby/moby/pull/48517>. bsc#1247362
+Patch210:       0015-bsc1247362-release-container-layer-on-export.patch
 # UPSTREAM: Backport of <https://github.com/moby/moby/pull/46307> and
 #                       <https://github.com/moby/moby/pull/49061>.
 Patch299:       0014-TESTS-backport-fixes-for-integration-tests.patch
@@ -156,7 +158,7 @@ BuildRequires:  procps
 BuildRequires:  sqlite3-devel
 BuildRequires:  sysuser-tools
 BuildRequires:  zsh
-BuildRequires:  golang(API) = 1.22
+BuildRequires:  golang(API) = 1.23
 BuildRequires:  pkgconfig(libsystemd)
 %if %{with apparmor}
 %if 0%{?suse_version} >= 1500
@@ -416,6 +418,8 @@ cp %{SOURCE130} .
 %patch -P208 -p1
 # CVE-2025-22869
 %patch -P209 -p1
+# bsc#1247362
+%patch -P210 -p1
 %if %{with integration_tests}
 # integration-tests patches
 %patch -P299 -p1