Accepting request 923378 from Virtualization:containers

Needs to be staged with sr#923377. - Update to Docker 20.10.9-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355 CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch - Switch to Go 1.16.x compiler, in line with upstream. OBS-URL: https://build.opensuse.org/request/show/923378 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=114
2021-10-11 13:30:18 +00:00 · 2021-10-11 13:30:18 +00:00 · 16025f1d73
commit 16025f1d73
parent 4479960a16 c3815d76b8
15 changed files with 66 additions and 51 deletions
--- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
@ -1,7 +1,7 @@
-From 5dfd507cf2ab34a99d925eae7fa9a1a062c1930e Mon Sep 17 00:00:00 2001
+From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets

 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
 1 file changed, 21 insertions(+), 3 deletions(-)

 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 5521adbd2749..c103d9349c51 100644
+index 1647df0ce7ba..4ea2efed241f 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
@ -70,5 +70,5 @@ index 5521adbd2749..c103d9349c51 100644
 			return errors.Wrap(err, "error setting ownership for secret")
 		}
 -- 
-2.30.2
+2.33.0

--- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
@ -1,7 +1,7 @@
-From cb696ab8168b611535c04f8780c4632a2dc0ec2a Mon Sep 17 00:00:00 2001
+From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets

 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
 +	return nil
 +}
 -- 
-2.30.2
+2.33.0

--- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
@ -1,7 +1,7 @@
-From 759c1b0c2d4a3c89dea396510d2a1518ad2fcb2c Mon Sep 17 00:00:00 2001
+From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothberg@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
+Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support

 NOTE: This is a backport/downstream patch of the upstream pull-request
      for Moby, which is still subject to changes.  Please visit
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
 
 	endpoints = []APIEndpoint{
 -- 
-2.30.2
+2.33.0

--- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
@ -1,7 +1,7 @@
-From 9f27140b54e30eed9d3428b24c3ca9c340c48394 Mon Sep 17 00:00:00 2001
+From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
 start

 In the process of making docker-default reloading far less expensive,
@ -69,7 +69,7 @@ index dd581dc7dadb..5b14979cd4a3 100644
 	return nil
 }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index 3d8cca288010..62d3859cff8c 100644
+index 2a2fbbd52e19..0999ac3186b7 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
@ -85,5 +85,5 @@ index 3d8cca288010..62d3859cff8c 100644
 	}
 
 -- 
-2.30.2
+2.33.0

--- a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+++ b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
@ -1,7 +1,7 @@
-From bb452793d224b00a3700af9fdd9b0f183e1141f1 Mon Sep 17 00:00:00 2001
+From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
 From: Michal Rostecki <mrostecki@opensuse.org>
 Date: Thu, 8 Apr 2021 14:42:02 +0100
-Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
+Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup

 Before this change, cleanup of the btrfs driver (occuring on each daemon
 shutdown) resulted in disabling quotas. It was done with an assumption
@ -24,10 +24,10 @@ Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
 1 file changed, 8 insertions(+), 42 deletions(-)

 diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
-index 0499489d16e6..0720bb571f2e 100644
+index 8fd2854a2673..32c4f07c620d 100644
 --- a/daemon/graphdriver/btrfs/btrfs.go
 +++ b/daemon/graphdriver/btrfs/btrfs.go
-@@ -96,7 +96,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+@@ -103,7 +103,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
 	}
 
 	if userDiskQuota {
@ -36,7 +36,7 @@ index 0499489d16e6..0720bb571f2e 100644
 			return nil, err
 		}
 	}
-@@ -165,18 +165,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
+@@ -172,18 +172,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
 
 // Cleanup unmounts the home directory.
 func (d *Driver) Cleanup() error {
@ -56,7 +56,7 @@ index 0499489d16e6..0720bb571f2e 100644
 	return nil
 }
 
-@@ -334,7 +326,7 @@ func (d *Driver) updateQuotaStatus() {
+@@ -341,7 +333,7 @@ func (d *Driver) updateQuotaStatus() {
 	d.once.Do(func() {
 		if !d.quotaEnabled {
 			// In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed
@ -65,7 +65,7 @@ index 0499489d16e6..0720bb571f2e 100644
 				// quota is still not enabled
 				return
 			}
-@@ -343,7 +335,7 @@ func (d *Driver) updateQuotaStatus() {
+@@ -350,7 +342,7 @@ func (d *Driver) updateQuotaStatus() {
 	})
 }
 
@ -74,7 +74,7 @@ index 0499489d16e6..0720bb571f2e 100644
 	d.updateQuotaStatus()
 
 	if d.quotaEnabled {
-@@ -369,32 +361,6 @@ func (d *Driver) subvolEnableQuota() error {
+@@ -376,32 +368,6 @@ func (d *Driver) subvolEnableQuota() error {
 	return nil
 }
 
@ -107,7 +107,7 @@ index 0499489d16e6..0720bb571f2e 100644
 func (d *Driver) subvolRescanQuota() error {
 	d.updateQuotaStatus()
 
-@@ -437,11 +403,11 @@ func subvolLimitQgroup(path string, size uint64) error {
+@@ -444,11 +410,11 @@ func subvolLimitQgroup(path string, size uint64) error {
 	return nil
 }
 
@ -121,7 +121,7 @@ index 0499489d16e6..0720bb571f2e 100644
 	dir, err := openDir(path)
 	if err != nil {
 		return err
-@@ -608,7 +574,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
+@@ -622,7 +588,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
 	if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
 		return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace)))
 	}
@ -130,7 +130,7 @@ index 0499489d16e6..0720bb571f2e 100644
 		return err
 	}
 	return subvolLimitQgroup(dir, driver.options.size)
-@@ -662,7 +628,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
+@@ -676,7 +642,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
 
 	if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
 		if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace {
@ -140,5 +140,5 @@ index 0499489d16e6..0720bb571f2e 100644
 			}
 			if err := subvolLimitQgroup(dir, size); err != nil {
 -- 
-2.30.2
+2.33.0

--- a/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
+++ b/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
@ -1,4 +1,4 @@
-From ec9265210aaf10fe5f810d0ac7f566cf1929283a Mon Sep 17 00:00:00 2001
+From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
 From: Tianon Gravi <admwiggin@gmail.com>
 Date: Thu, 9 Sep 2021 11:31:30 -0700
 Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
--- a/10
+++ b/10
@ -3,16 +3,16 @@
    <param name="url">https://github.com/moby/moby.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20.10.6_ce_%h</param>
-    <param name="revision">v20.10.6</param>
+    <param name="versionformat">20.10.9_ce_%h</param>
+    <param name="revision">v20.10.9</param>
    <param name="filename">docker</param>
  </service>
  <service name="tar_scm" mode="disabled">
    <param name="url">https://github.com/docker/cli.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
-    <param name="versionformat">20.10.6_ce</param>
-    <param name="revision">v20.10.6</param>
+    <param name="versionformat">20.10.9_ce</param>
+    <param name="revision">v20.10.9</param>
    <param name="filename">docker-cli</param>
  </service>
  <service name="tar_scm" mode="disabled">
@ -20,7 +20,7 @@
    <param name="scm">git</param>
    <param name="exclude">.git</param>
    <param name="versionformat">%H</param>
-    <param name="revision">b3507428be5b458cb0e2b4086b13531fb0706e46</param>
+    <param name="revision">64b7a4574d1426139437d20e81c0b6d391130ec8</param>
    <param name="filename">docker-libnetwork</param>
  </service>
  <service name="recompress" mode="disabled">
--- a/docker-20.10.6_ce_8728dd246c3a.tar.xz
+++ b/docker-20.10.6_ce_8728dd246c3a.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:620a514c43fc9ffa7fbac50d16f3479e576425ef1496c13c6b2c226be1dc54ef
-size 6486364
--- a/docker-20.10.9_ce_79ea9d308018.tar.xz
+++ b/docker-20.10.9_ce_79ea9d308018.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
+size 6491984
--- a/docker-cli-20.10.6_ce.tar.xz
+++ b/docker-cli-20.10.6_ce.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:22c42e3fb154a00627b6698573fe4b035638cfd5f5dc1d26795e096d73c1da13
-size 4409500
--- a/docker-cli-20.10.9_ce.tar.xz
+++ b/docker-cli-20.10.9_ce.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
+size 4272556
--- a/docker-libnetwork-64b7a4574d1426139437d20e81c0b6d391130ec8.tar.xz
+++ b/docker-libnetwork-64b7a4574d1426139437d20e81c0b6d391130ec8.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:437df6f6e33cf527acbcc2117738430f89e43bc57d958557155b3392c3a00ff8
+size 1983592
--- a/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz
+++ b/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:29bbbfafb284edb07004fdfe2dccc43c7f8e0eb8c17e7370f13e22e6778b7745
-size 1982240
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Oct  6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 20.10.9-ce. See upstream changelog in the packaged
+  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355
+  CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+  * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
+- Switch to Go 1.16.x compiler, in line with upstream.
+
 -------------------------------------------------------------------
 Mon Sep 20 23:59:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>

--- a/docker.spec
+++ b/docker.spec
@ -42,24 +42,24 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_version 8728dd246c3a
-%define git_commit_epoch 1618005978
+%define git_version 79ea9d308018
+%define git_commit_epoch 1632421578

 # We require a specific pin of libnetwork because it doesn't really do
 # versioning and minor version mismatches in libnetwork can break Docker
 # networking. All other key runtime dependencies (containerd, runc) are stable
 # enough that this isn't necessary.
-%define libnetwork_version b3507428be5b458cb0e2b4086b13531fb0706e46
+%define libnetwork_version 64b7a4574d1426139437d20e81c0b6d391130ec8

 %define dist_builddir  %{_builddir}/dist-suse
 %define cli_builddir   %{dist_builddir}/src/github.com/docker/cli
 %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork

 Name:           %{realname}%{name_suffix}
-Version:        20.10.6_ce
+Version:        20.10.9_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
-%define nice_version 20.10.6-ce
+%define nice_version 20.10.9-ce
 Release:        0
 Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
@ -110,9 +110,7 @@ BuildRequires:  sqlite3-devel
 BuildRequires:  zsh
 BuildRequires:  fish
 BuildRequires:  go-go-md2man
-# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
-# returning -EINTR from I/O syscalls much more often.
-BuildRequires:  go1.13
+BuildRequires:  go1.16
 BuildRequires:  pkgconfig(libsystemd)
 Requires:       apparmor-parser
 Requires:       ca-certificates-mozilla
@ -122,8 +120,8 @@ Obsoletes:      docker-libnetwork%{name_suffix} < 0.7.0.2
 Provides:       docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
 # Required to actually run containers. We require the minimum version that is
 # pinned by Docker, but in order to avoid headaches we allow for updates.
-Requires:       runc >= 1.0.0~rc93
-Requires:       containerd >= 1.4.3
+Requires:       runc >= 1.0.2
+Requires:       containerd >= 1.4.11
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@ -312,6 +310,8 @@ export DOCKER_GITCOMMIT="%{git_version}"
 export GITCOMMIT="%{git_version}"
 export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
 export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
+# NOTE: This will have to be removed with the next major Docker bump.
+export GO111MODULE=off
 EOF
 ) > docker_build_env
 . ./docker_build_env