Accepting request 923378 from Virtualization:containers

Needs to be staged with sr#923377.

- Update to Docker 20.10.9-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355
  CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Switch to Go 1.16.x compiler, in line with upstream.

OBS-URL: https://build.opensuse.org/request/show/923378
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=114
This commit is contained in:
Dominique Leuenberger 2021-10-11 13:30:18 +00:00 committed by Git OBS Bridge
commit 16025f1d73
15 changed files with 66 additions and 51 deletions

View File

@ -1,7 +1,7 @@
From 5dfd507cf2ab34a99d925eae7fa9a1a062c1930e Mon Sep 17 00:00:00 2001
From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
index 5521adbd2749..c103d9349c51 100644
index 1647df0ce7ba..4ea2efed241f 100644
--- a/daemon/container_operations_unix.go
+++ b/daemon/container_operations_unix.go
@@ -3,6 +3,7 @@
@ -70,5 +70,5 @@ index 5521adbd2749..c103d9349c51 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.30.2
2.33.0

View File

@ -1,7 +1,7 @@
From cb696ab8168b611535c04f8780c4632a2dc0ec2a Mon Sep 17 00:00:00 2001
From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
+ return nil
+}
--
2.30.2
2.33.0

View File

@ -1,7 +1,7 @@
From 759c1b0c2d4a3c89dea396510d2a1518ad2fcb2c Mon Sep 17 00:00:00 2001
From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
NOTE: This is a backport/downstream patch of the upstream pull-request
for Moby, which is still subject to changes. Please visit
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
endpoints = []APIEndpoint{
--
2.30.2
2.33.0

View File

@ -1,7 +1,7 @@
From 9f27140b54e30eed9d3428b24c3ca9c340c48394 Mon Sep 17 00:00:00 2001
From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
start
In the process of making docker-default reloading far less expensive,
@ -69,7 +69,7 @@ index dd581dc7dadb..5b14979cd4a3 100644
return nil
}
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 3d8cca288010..62d3859cff8c 100644
index 2a2fbbd52e19..0999ac3186b7 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
@ -85,5 +85,5 @@ index 3d8cca288010..62d3859cff8c 100644
}
--
2.30.2
2.33.0

View File

@ -1,7 +1,7 @@
From bb452793d224b00a3700af9fdd9b0f183e1141f1 Mon Sep 17 00:00:00 2001
From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mrostecki@opensuse.org>
Date: Thu, 8 Apr 2021 14:42:02 +0100
Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
Before this change, cleanup of the btrfs driver (occuring on each daemon
shutdown) resulted in disabling quotas. It was done with an assumption
@ -24,10 +24,10 @@ Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
1 file changed, 8 insertions(+), 42 deletions(-)
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
index 0499489d16e6..0720bb571f2e 100644
index 8fd2854a2673..32c4f07c620d 100644
--- a/daemon/graphdriver/btrfs/btrfs.go
+++ b/daemon/graphdriver/btrfs/btrfs.go
@@ -96,7 +96,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
@@ -103,7 +103,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
}
if userDiskQuota {
@ -36,7 +36,7 @@ index 0499489d16e6..0720bb571f2e 100644
return nil, err
}
}
@@ -165,18 +165,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
@@ -172,18 +172,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
// Cleanup unmounts the home directory.
func (d *Driver) Cleanup() error {
@ -56,7 +56,7 @@ index 0499489d16e6..0720bb571f2e 100644
return nil
}
@@ -334,7 +326,7 @@ func (d *Driver) updateQuotaStatus() {
@@ -341,7 +333,7 @@ func (d *Driver) updateQuotaStatus() {
d.once.Do(func() {
if !d.quotaEnabled {
// In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed
@ -65,7 +65,7 @@ index 0499489d16e6..0720bb571f2e 100644
// quota is still not enabled
return
}
@@ -343,7 +335,7 @@ func (d *Driver) updateQuotaStatus() {
@@ -350,7 +342,7 @@ func (d *Driver) updateQuotaStatus() {
})
}
@ -74,7 +74,7 @@ index 0499489d16e6..0720bb571f2e 100644
d.updateQuotaStatus()
if d.quotaEnabled {
@@ -369,32 +361,6 @@ func (d *Driver) subvolEnableQuota() error {
@@ -376,32 +368,6 @@ func (d *Driver) subvolEnableQuota() error {
return nil
}
@ -107,7 +107,7 @@ index 0499489d16e6..0720bb571f2e 100644
func (d *Driver) subvolRescanQuota() error {
d.updateQuotaStatus()
@@ -437,11 +403,11 @@ func subvolLimitQgroup(path string, size uint64) error {
@@ -444,11 +410,11 @@ func subvolLimitQgroup(path string, size uint64) error {
return nil
}
@ -121,7 +121,7 @@ index 0499489d16e6..0720bb571f2e 100644
dir, err := openDir(path)
if err != nil {
return err
@@ -608,7 +574,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
@@ -622,7 +588,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace)))
}
@ -130,7 +130,7 @@ index 0499489d16e6..0720bb571f2e 100644
return err
}
return subvolLimitQgroup(dir, driver.options.size)
@@ -662,7 +628,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
@@ -676,7 +642,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace {
@ -140,5 +140,5 @@ index 0499489d16e6..0720bb571f2e 100644
}
if err := subvolLimitQgroup(dir, size); err != nil {
--
2.30.2
2.33.0

View File

@ -1,4 +1,4 @@
From ec9265210aaf10fe5f810d0ac7f566cf1929283a Mon Sep 17 00:00:00 2001
From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
From: Tianon Gravi <admwiggin@gmail.com>
Date: Thu, 9 Sep 2021 11:31:30 -0700
Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in

View File

@ -3,16 +3,16 @@
<param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.6_ce_%h</param>
<param name="revision">v20.10.6</param>
<param name="versionformat">20.10.9_ce_%h</param>
<param name="revision">v20.10.9</param>
<param name="filename">docker</param>
</service>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.6_ce</param>
<param name="revision">v20.10.6</param>
<param name="versionformat">20.10.9_ce</param>
<param name="revision">v20.10.9</param>
<param name="filename">docker-cli</param>
</service>
<service name="tar_scm" mode="disabled">
@ -20,7 +20,7 @@
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">%H</param>
<param name="revision">b3507428be5b458cb0e2b4086b13531fb0706e46</param>
<param name="revision">64b7a4574d1426139437d20e81c0b6d391130ec8</param>
<param name="filename">docker-libnetwork</param>
</service>
<service name="recompress" mode="disabled">

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:620a514c43fc9ffa7fbac50d16f3479e576425ef1496c13c6b2c226be1dc54ef
size 6486364

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
size 6491984

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:22c42e3fb154a00627b6698573fe4b035638cfd5f5dc1d26795e096d73c1da13
size 4409500

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
size 4272556

View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:437df6f6e33cf527acbcc2117738430f89e43bc57d958557155b3392c3a00ff8
size 1983592

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:29bbbfafb284edb07004fdfe2dccc43c7f8e0eb8c17e7370f13e22e6778b7745
size 1982240

View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.9-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
- Switch to Go 1.16.x compiler, in line with upstream.
-------------------------------------------------------------------
Mon Sep 20 23:59:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>

View File

@ -42,24 +42,24 @@
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version 8728dd246c3a
%define git_commit_epoch 1618005978
%define git_version 79ea9d308018
%define git_commit_epoch 1632421578
# We require a specific pin of libnetwork because it doesn't really do
# versioning and minor version mismatches in libnetwork can break Docker
# networking. All other key runtime dependencies (containerd, runc) are stable
# enough that this isn't necessary.
%define libnetwork_version b3507428be5b458cb0e2b4086b13531fb0706e46
%define libnetwork_version 64b7a4574d1426139437d20e81c0b6d391130ec8
%define dist_builddir %{_builddir}/dist-suse
%define cli_builddir %{dist_builddir}/src/github.com/docker/cli
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
Name: %{realname}%{name_suffix}
Version: 20.10.6_ce
Version: 20.10.9_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define nice_version 20.10.6-ce
%define nice_version 20.10.9-ce
Release: 0
Summary: The Moby-project Linux container runtime
License: Apache-2.0
@ -110,9 +110,7 @@ BuildRequires: sqlite3-devel
BuildRequires: zsh
BuildRequires: fish
BuildRequires: go-go-md2man
# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
# returning -EINTR from I/O syscalls much more often.
BuildRequires: go1.13
BuildRequires: go1.16
BuildRequires: pkgconfig(libsystemd)
Requires: apparmor-parser
Requires: ca-certificates-mozilla
@ -122,8 +120,8 @@ Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2
Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
# Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.0.0~rc93
Requires: containerd >= 1.4.3
Requires: runc >= 1.0.2
Requires: containerd >= 1.4.11
# Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better.
Requires: catatonit
@ -312,6 +310,8 @@ export DOCKER_GITCOMMIT="%{git_version}"
export GITCOMMIT="%{git_version}"
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
# NOTE: This will have to be removed with the next major Docker bump.
export GO111MODULE=off
EOF
) > docker_build_env
. ./docker_build_env