Accepting request 923378 from Virtualization:containers
Needs to be staged with sr#923377. - Update to Docker 20.10.9-ce. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355 CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 - Rebase patches: * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch - Switch to Go 1.16.x compiler, in line with upstream. OBS-URL: https://build.opensuse.org/request/show/923378 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=114
This commit is contained in:
commit
16025f1d73
@ -1,7 +1,7 @@
|
||||
From 5dfd507cf2ab34a99d925eae7fa9a1a062c1930e Mon Sep 17 00:00:00 2001
|
||||
From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
|
||||
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
|
||||
|
||||
Since FileMode can have the directory bit set, allow a SecretStore
|
||||
implementation to return secrets that are actually directories. This is
|
||||
@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||
1 file changed, 21 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
||||
index 5521adbd2749..c103d9349c51 100644
|
||||
index 1647df0ce7ba..4ea2efed241f 100644
|
||||
--- a/daemon/container_operations_unix.go
|
||||
+++ b/daemon/container_operations_unix.go
|
||||
@@ -3,6 +3,7 @@
|
||||
@ -70,5 +70,5 @@ index 5521adbd2749..c103d9349c51 100644
|
||||
return errors.Wrap(err, "error setting ownership for secret")
|
||||
}
|
||||
--
|
||||
2.30.2
|
||||
2.33.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From cb696ab8168b611535c04f8780c4632a2dc0ec2a Mon Sep 17 00:00:00 2001
|
||||
From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
|
||||
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
|
||||
|
||||
This allows for us to pass in host credentials to a container, allowing
|
||||
for SUSEConnect to work with containers.
|
||||
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
|
||||
+ return nil
|
||||
+}
|
||||
--
|
||||
2.30.2
|
||||
2.33.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 759c1b0c2d4a3c89dea396510d2a1518ad2fcb2c Mon Sep 17 00:00:00 2001
|
||||
From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
|
||||
From: Valentin Rothberg <vrothberg@suse.com>
|
||||
Date: Mon, 2 Jul 2018 13:37:34 +0200
|
||||
Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
|
||||
Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
|
||||
|
||||
NOTE: This is a backport/downstream patch of the upstream pull-request
|
||||
for Moby, which is still subject to changes. Please visit
|
||||
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
|
||||
|
||||
endpoints = []APIEndpoint{
|
||||
--
|
||||
2.30.2
|
||||
2.33.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 9f27140b54e30eed9d3428b24c3ca9c340c48394 Mon Sep 17 00:00:00 2001
|
||||
From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
|
||||
From: Aleksa Sarai <asarai@suse.de>
|
||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
|
||||
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
|
||||
start
|
||||
|
||||
In the process of making docker-default reloading far less expensive,
|
||||
@ -69,7 +69,7 @@ index dd581dc7dadb..5b14979cd4a3 100644
|
||||
return nil
|
||||
}
|
||||
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
||||
index 3d8cca288010..62d3859cff8c 100644
|
||||
index 2a2fbbd52e19..0999ac3186b7 100644
|
||||
--- a/daemon/daemon.go
|
||||
+++ b/daemon/daemon.go
|
||||
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||
@ -85,5 +85,5 @@ index 3d8cca288010..62d3859cff8c 100644
|
||||
}
|
||||
|
||||
--
|
||||
2.30.2
|
||||
2.33.0
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
From bb452793d224b00a3700af9fdd9b0f183e1141f1 Mon Sep 17 00:00:00 2001
|
||||
From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
|
||||
From: Michal Rostecki <mrostecki@opensuse.org>
|
||||
Date: Thu, 8 Apr 2021 14:42:02 +0100
|
||||
Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
|
||||
Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
|
||||
|
||||
Before this change, cleanup of the btrfs driver (occuring on each daemon
|
||||
shutdown) resulted in disabling quotas. It was done with an assumption
|
||||
@ -24,10 +24,10 @@ Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
|
||||
1 file changed, 8 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
|
||||
index 0499489d16e6..0720bb571f2e 100644
|
||||
index 8fd2854a2673..32c4f07c620d 100644
|
||||
--- a/daemon/graphdriver/btrfs/btrfs.go
|
||||
+++ b/daemon/graphdriver/btrfs/btrfs.go
|
||||
@@ -96,7 +96,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||
@@ -103,7 +103,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
|
||||
}
|
||||
|
||||
if userDiskQuota {
|
||||
@ -36,7 +36,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
@@ -165,18 +165,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
|
||||
@@ -172,18 +172,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
|
||||
|
||||
// Cleanup unmounts the home directory.
|
||||
func (d *Driver) Cleanup() error {
|
||||
@ -56,7 +56,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -334,7 +326,7 @@ func (d *Driver) updateQuotaStatus() {
|
||||
@@ -341,7 +333,7 @@ func (d *Driver) updateQuotaStatus() {
|
||||
d.once.Do(func() {
|
||||
if !d.quotaEnabled {
|
||||
// In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed
|
||||
@ -65,7 +65,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
// quota is still not enabled
|
||||
return
|
||||
}
|
||||
@@ -343,7 +335,7 @@ func (d *Driver) updateQuotaStatus() {
|
||||
@@ -350,7 +342,7 @@ func (d *Driver) updateQuotaStatus() {
|
||||
})
|
||||
}
|
||||
|
||||
@ -74,7 +74,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
d.updateQuotaStatus()
|
||||
|
||||
if d.quotaEnabled {
|
||||
@@ -369,32 +361,6 @@ func (d *Driver) subvolEnableQuota() error {
|
||||
@@ -376,32 +368,6 @@ func (d *Driver) subvolEnableQuota() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -107,7 +107,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
func (d *Driver) subvolRescanQuota() error {
|
||||
d.updateQuotaStatus()
|
||||
|
||||
@@ -437,11 +403,11 @@ func subvolLimitQgroup(path string, size uint64) error {
|
||||
@@ -444,11 +410,11 @@ func subvolLimitQgroup(path string, size uint64) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -121,7 +121,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
dir, err := openDir(path)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -608,7 +574,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
|
||||
@@ -622,7 +588,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
|
||||
if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
|
||||
return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace)))
|
||||
}
|
||||
@ -130,7 +130,7 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
return err
|
||||
}
|
||||
return subvolLimitQgroup(dir, driver.options.size)
|
||||
@@ -662,7 +628,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
|
||||
@@ -676,7 +642,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
|
||||
|
||||
if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
|
||||
if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace {
|
||||
@ -140,5 +140,5 @@ index 0499489d16e6..0720bb571f2e 100644
|
||||
}
|
||||
if err := subvolLimitQgroup(dir, size); err != nil {
|
||||
--
|
||||
2.30.2
|
||||
2.33.0
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From ec9265210aaf10fe5f810d0ac7f566cf1929283a Mon Sep 17 00:00:00 2001
|
||||
From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
|
||||
From: Tianon Gravi <admwiggin@gmail.com>
|
||||
Date: Thu, 9 Sep 2021 11:31:30 -0700
|
||||
Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
|
||||
|
10
_service
10
_service
@ -3,16 +3,16 @@
|
||||
<param name="url">https://github.com/moby/moby.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">20.10.6_ce_%h</param>
|
||||
<param name="revision">v20.10.6</param>
|
||||
<param name="versionformat">20.10.9_ce_%h</param>
|
||||
<param name="revision">v20.10.9</param>
|
||||
<param name="filename">docker</param>
|
||||
</service>
|
||||
<service name="tar_scm" mode="disabled">
|
||||
<param name="url">https://github.com/docker/cli.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">20.10.6_ce</param>
|
||||
<param name="revision">v20.10.6</param>
|
||||
<param name="versionformat">20.10.9_ce</param>
|
||||
<param name="revision">v20.10.9</param>
|
||||
<param name="filename">docker-cli</param>
|
||||
</service>
|
||||
<service name="tar_scm" mode="disabled">
|
||||
@ -20,7 +20,7 @@
|
||||
<param name="scm">git</param>
|
||||
<param name="exclude">.git</param>
|
||||
<param name="versionformat">%H</param>
|
||||
<param name="revision">b3507428be5b458cb0e2b4086b13531fb0706e46</param>
|
||||
<param name="revision">64b7a4574d1426139437d20e81c0b6d391130ec8</param>
|
||||
<param name="filename">docker-libnetwork</param>
|
||||
</service>
|
||||
<service name="recompress" mode="disabled">
|
||||
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:620a514c43fc9ffa7fbac50d16f3479e576425ef1496c13c6b2c226be1dc54ef
|
||||
size 6486364
|
3
docker-20.10.9_ce_79ea9d308018.tar.xz
Normal file
3
docker-20.10.9_ce_79ea9d308018.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
|
||||
size 6491984
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:22c42e3fb154a00627b6698573fe4b035638cfd5f5dc1d26795e096d73c1da13
|
||||
size 4409500
|
3
docker-cli-20.10.9_ce.tar.xz
Normal file
3
docker-cli-20.10.9_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
|
||||
size 4272556
|
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:437df6f6e33cf527acbcc2117738430f89e43bc57d958557155b3392c3a00ff8
|
||||
size 1983592
|
@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:29bbbfafb284edb07004fdfe2dccc43c7f8e0eb8c17e7370f13e22e6778b7745
|
||||
size 1982240
|
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
- Update to Docker 20.10.9-ce. See upstream changelog in the packaged
|
||||
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355
|
||||
CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103
|
||||
- Rebase patches:
|
||||
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
|
||||
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
|
||||
* 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
|
||||
- Switch to Go 1.16.x compiler, in line with upstream.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Sep 20 23:59:05 UTC 2021 - Aleksa Sarai <asarai@suse.com>
|
||||
|
||||
|
20
docker.spec
20
docker.spec
@ -42,24 +42,24 @@
|
||||
# helpfully injects into our build environment from the changelog). If you want
|
||||
# to generate a new git_commit_epoch, use this:
|
||||
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
||||
%define git_version 8728dd246c3a
|
||||
%define git_commit_epoch 1618005978
|
||||
%define git_version 79ea9d308018
|
||||
%define git_commit_epoch 1632421578
|
||||
|
||||
# We require a specific pin of libnetwork because it doesn't really do
|
||||
# versioning and minor version mismatches in libnetwork can break Docker
|
||||
# networking. All other key runtime dependencies (containerd, runc) are stable
|
||||
# enough that this isn't necessary.
|
||||
%define libnetwork_version b3507428be5b458cb0e2b4086b13531fb0706e46
|
||||
%define libnetwork_version 64b7a4574d1426139437d20e81c0b6d391130ec8
|
||||
|
||||
%define dist_builddir %{_builddir}/dist-suse
|
||||
%define cli_builddir %{dist_builddir}/src/github.com/docker/cli
|
||||
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
|
||||
|
||||
Name: %{realname}%{name_suffix}
|
||||
Version: 20.10.6_ce
|
||||
Version: 20.10.9_ce
|
||||
# This "nice version" is so that docker --version gives a result that can be
|
||||
# parsed by other people. boo#1182476
|
||||
%define nice_version 20.10.6-ce
|
||||
%define nice_version 20.10.9-ce
|
||||
Release: 0
|
||||
Summary: The Moby-project Linux container runtime
|
||||
License: Apache-2.0
|
||||
@ -110,9 +110,7 @@ BuildRequires: sqlite3-devel
|
||||
BuildRequires: zsh
|
||||
BuildRequires: fish
|
||||
BuildRequires: go-go-md2man
|
||||
# We cannot use Go 1.14 because it breaks io.Copy (among other things) by
|
||||
# returning -EINTR from I/O syscalls much more often.
|
||||
BuildRequires: go1.13
|
||||
BuildRequires: go1.16
|
||||
BuildRequires: pkgconfig(libsystemd)
|
||||
Requires: apparmor-parser
|
||||
Requires: ca-certificates-mozilla
|
||||
@ -122,8 +120,8 @@ Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2
|
||||
Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
|
||||
# Required to actually run containers. We require the minimum version that is
|
||||
# pinned by Docker, but in order to avoid headaches we allow for updates.
|
||||
Requires: runc >= 1.0.0~rc93
|
||||
Requires: containerd >= 1.4.3
|
||||
Requires: runc >= 1.0.2
|
||||
Requires: containerd >= 1.4.11
|
||||
# Needed for --init support. We don't use "tini", we use our own implementation
|
||||
# which handles edge-cases better.
|
||||
Requires: catatonit
|
||||
@ -312,6 +310,8 @@ export DOCKER_GITCOMMIT="%{git_version}"
|
||||
export GITCOMMIT="%{git_version}"
|
||||
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
|
||||
export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
|
||||
# NOTE: This will have to be removed with the next major Docker bump.
|
||||
export GO111MODULE=off
|
||||
EOF
|
||||
) > docker_build_env
|
||||
. ./docker_build_env
|
||||
|
Loading…
Reference in New Issue
Block a user