Accepting request 558281 from Virtualization:containers

Docker v17.09.1_ce upgrade.

OBS-URL: https://build.opensuse.org/request/show/558281
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=67

_service

@@ -3,8 +3,8 @@
     <param name="url">https://github.com/docker/docker-ce.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">17.07.0_ce</param>
+    <param name="versionformat">17.09.1_ce</param>
-    <param name="revision">v17.07.0-ce</param>
+    <param name="revision">v17.09.1-ce</param>
     <param name="filename">docker</param>
   </service>
   <service name="recompress" mode="disabled">

bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch

@@ -0,0 +1,243 @@
+From b492588a54b8efa1fba1de700cb3e0ad3fe665d9 Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Thu, 16 Nov 2017 17:09:16 +1100
+Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove
+
+dm_task_deferred_remove is not supported by all distributions, due to
+out-dated versions of devicemapper. However, in the case where the
+devicemapper library was updated without rebuilding Docker (which can
+happen in some distributions) then we should attempt to dynamically load
+the relevant object rather than try to link to it.
+
+This can only be done if Docker was built dynamically, for obvious
+reasons.
+
+In order to avoid having issues arise when dlsym(3) was unnecessary,
+gate the whole dlsym(3) logic behind a buildflag that we disable by
+default (libdm_dlsym_deferred_remove).
+
+SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ hack/make.sh                                       |  12 +-
+ ...> devmapper_wrapper_dynamic_deferred_remove.go} |  10 +-
+ ...mapper_wrapper_dynamic_dlsym_deferred_remove.go | 128 +++++++++++++++++++++
+ .../devmapper_wrapper_no_deferred_remove.go        |   6 +-
+ 4 files changed, 149 insertions(+), 7 deletions(-)
+ rename pkg/devicemapper/{devmapper_wrapper_deferred_remove.go => devmapper_wrapper_dynamic_deferred_remove.go} (78%)
+ create mode 100644 pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
+
+diff --git a/hack/make.sh b/hack/make.sh
+index bc18c066b66c..6e94824ad557 100755
+--- a/hack/make.sh
++++ b/hack/make.sh
+@@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then
+ 	exit 1
+ fi
+ 
++# Adds $1_$2 to DOCKER_BUILDTAGS unless it already
++# contains a word starting from $1_
++add_buildtag() {
++	[[ " $DOCKER_BUILDTAGS" == *" $1_"* ]] || DOCKER_BUILDTAGS+=" $1_$2"
++}
++
+ if ${PKG_CONFIG} 'libsystemd >= 209' 2> /dev/null ; then
+ 	DOCKER_BUILDTAGS+=" journald"
+ elif ${PKG_CONFIG} 'libsystemd-journal' 2> /dev/null ; then
+@@ -127,12 +133,14 @@ if \
+ fi
+ 
+ # test whether "libdevmapper.h" is new enough to support deferred remove
+-# functionality.
++# functionality. We favour libdm_dlsym_deferred_remove over
++# libdm_no_deferred_remove in dynamic cases because the binary could be shipped
++# with a newer libdevmapper than the one it was built wih.
+ if \
+ 	command -v gcc &> /dev/null \
+ 	&& ! ( echo -e  '#include <libdevmapper.h>\nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \
+ ; then
+-	DOCKER_BUILDTAGS+=' libdm_no_deferred_remove'
++	add_buildtag libdm dlsym_deferred_remove
+ fi
+ 
+ # Use these flags when compiling the tests and final binary
+diff --git a/pkg/devicemapper/devmapper_wrapper_deferred_remove.go b/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
+similarity index 78%
+rename from pkg/devicemapper/devmapper_wrapper_deferred_remove.go
+rename to pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
+index 7f793c270868..bf57371ff4cf 100644
+--- a/pkg/devicemapper/devmapper_wrapper_deferred_remove.go
++++ b/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go
+@@ -1,11 +1,15 @@
+-// +build linux,cgo,!libdm_no_deferred_remove
++// +build linux,cgo,!static_build
++// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
+ 
+ package devicemapper
+ 
+-// #include <libdevmapper.h>
++/*
++#include <libdevmapper.h>
++*/
+ import "C"
+ 
+-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
++// LibraryDeferredRemovalSupport tells if the feature is supported by the
++// current Docker invocation.
+ const LibraryDeferredRemovalSupport = true
+ 
+ func dmTaskDeferredRemoveFct(task *cdmTask) int {
+diff --git a/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go b/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
+new file mode 100644
+index 000000000000..5dfb369f1ff8
+--- /dev/null
++++ b/pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go
+@@ -0,0 +1,128 @@
++// +build linux,cgo,!static_build
++// +build libdm_dlsym_deferred_remove,!libdm_no_deferred_remove
++
++package devicemapper
++
++/*
++#cgo LDFLAGS: -ldl
++#include <stdlib.h>
++#include <dlfcn.h>
++#include <libdevmapper.h>
++
++// Yes, I know this looks scary. In order to be able to fill our own internal
++// dm_info with deferred_remove we need to have a struct definition that is
++// correct (regardless of the version of libdm that was used to compile it). To
++// this end, we define struct_backport_dm_info. This code comes from lvm2, and
++// I have verified that the structure has only ever had elements *appended* to
++// it (since 2001).
++//
++// It is also important that this structure be _larger_ than the dm_info that
++// libdevmapper expected. Otherwise libdm might try to write to memory it
++// shouldn't (they don't have a "known size" API).
++struct backport_dm_info {
++	int exists;
++	int suspended;
++	int live_table;
++	int inactive_table;
++	int32_t open_count;
++	uint32_t event_nr;
++	uint32_t major;
++	uint32_t minor;
++	int read_only;
++
++	int32_t target_count;
++
++	int deferred_remove;
++	int internal_suspend;
++
++	// Padding, purely for our own safety. This is to avoid cases where libdm
++	// was updated underneath us and we call into dm_task_get_info() with too
++	// small of a buffer.
++	char _[512];
++};
++
++// We have to wrap this in CGo, because Go really doesn't like function pointers.
++int call_dm_task_deferred_remove(void *fn, struct dm_task *task)
++{
++	int (*_dm_task_deferred_remove)(struct dm_task *task) = fn;
++	return _dm_task_deferred_remove(task);
++}
++*/
++import "C"
++
++import (
++	"unsafe"
++
++	"github.com/sirupsen/logrus"
++)
++
++// dm_task_deferred_remove is not supported by all distributions, due to
++// out-dated versions of devicemapper. However, in the case where the
++// devicemapper library was updated without rebuilding Docker (which can happen
++// in some distributions) then we should attempt to dynamically load the
++// relevant object rather than try to link to it.
++
++// dmTaskDeferredRemoveFct is a "bound" version of dm_task_deferred_remove.
++// It is nil if dm_task_deferred_remove was not found in the libdevmapper that
++// is currently loaded.
++var dmTaskDeferredRemovePtr unsafe.Pointer
++
++// LibraryDeferredRemovalSupport tells if the feature is supported by the
++// current Docker invocation. This value is fixed during init.
++var LibraryDeferredRemovalSupport bool
++
++func init() {
++	// Clear any errors.
++	var err *C.char
++	C.dlerror()
++
++	// The symbol we want to fetch.
++	symName := C.CString("dm_task_deferred_remove")
++	defer C.free(unsafe.Pointer(symName))
++
++	// See if we can find dm_task_deferred_remove. Since we already are linked
++	// to libdevmapper, we can search our own address space (rather than trying
++	// to guess what libdevmapper is called). We use NULL here, as RTLD_DEFAULT
++	// is not available in CGO (even if you set _GNU_SOURCE for some reason).
++	// The semantics are identical on glibc.
++	sym := C.dlsym(nil, symName)
++	err = C.dlerror()
++	if err != nil {
++		logrus.Debugf("devmapper: could not load dm_task_deferred_remove: %s", C.GoString(err))
++		return
++	}
++
++	logrus.Debugf("devmapper: found dm_task_deferred_remove at %x", uintptr(sym))
++	dmTaskDeferredRemovePtr = sym
++	LibraryDeferredRemovalSupport = true
++}
++
++func dmTaskDeferredRemoveFct(task *cdmTask) int {
++	sym := dmTaskDeferredRemovePtr
++	if sym == nil || !LibraryDeferredRemovalSupport {
++		return -1
++	}
++	return int(C.call_dm_task_deferred_remove(sym, (*C.struct_dm_task)(task)))
++}
++
++func dmTaskGetInfoWithDeferredFct(task *cdmTask, info *Info) int {
++	if !LibraryDeferredRemovalSupport {
++		return -1
++	}
++
++	Cinfo := C.struct_backport_dm_info{}
++	defer func() {
++		info.Exists = int(Cinfo.exists)
++		info.Suspended = int(Cinfo.suspended)
++		info.LiveTable = int(Cinfo.live_table)
++		info.InactiveTable = int(Cinfo.inactive_table)
++		info.OpenCount = int32(Cinfo.open_count)
++		info.EventNr = uint32(Cinfo.event_nr)
++		info.Major = uint32(Cinfo.major)
++		info.Minor = uint32(Cinfo.minor)
++		info.ReadOnly = int(Cinfo.read_only)
++		info.TargetCount = int32(Cinfo.target_count)
++		info.DeferredRemove = int(Cinfo.deferred_remove)
++	}()
++	return int(C.dm_task_get_info((*C.struct_dm_task)(task), (*C.struct_dm_info)(unsafe.Pointer(&Cinfo))))
++}
+diff --git a/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go b/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
+index a880fec8c499..80b034b3ff17 100644
+--- a/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
++++ b/pkg/devicemapper/devmapper_wrapper_no_deferred_remove.go
+@@ -1,8 +1,10 @@
+-// +build linux,cgo,libdm_no_deferred_remove
++// +build linux,cgo
++// +build !libdm_dlsym_deferred_remove,libdm_no_deferred_remove
+ 
+ package devicemapper
+ 
+-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build
++// LibraryDeferredRemovalSupport tells if the feature is supported by the
++// current Docker invocation.
+ const LibraryDeferredRemovalSupport = false
+ 
+ func dmTaskDeferredRemoveFct(task *cdmTask) int {
+-- 
+2.15.1
+

bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch

@@ -1,72 +0,0 @@
-From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Sun, 20 Aug 2017 13:50:52 +1000
-Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount
-
-libdm currently has a fairly substantial DoS bug that makes certain
-operations fail on a libdm device if the device has active references
-through mountpoints. This is a significant problem with the advent of
-mount namespaces and MS_PRIVATE, and can cause certain --volume mounts
-to cause libdm to no longer be able to remove containers:
-
-  % docker run -d --name testA busybox top
-  % docker run -d --name testB -v /var/lib/docker:/docker busybox top
-  % docker rm -f testA
-  [fails on libdm with dm_task_run errors.]
-
-This also solves the problem of unprivileged users being able to DoS
-docker by using unprivileged mount namespaces to preseve mounts that
-Docker has dropped.
-
-SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628
-SUSE-Backport: https://github.com/moby/moby/pull/34573
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++
- daemon/graphdriver/devmapper/driver.go    |  4 +++-
- 2 files changed, 15 insertions(+), 1 deletion(-)
-
-diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go
-index ba845d4d01d4..fe8103683b9b 100644
---- a/daemon/graphdriver/devmapper/deviceset.go
-+++ b/daemon/graphdriver/devmapper/deviceset.go
-@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error {
- 	}
- 	logrus.Debug("devmapper: Unmount done")
- 
-+	// Remove the mountpoint here. Removing the mountpoint (in newer kernels)
-+	// will cause all other instances of this mount in other mount namespaces
-+	// to be killed (this is an anti-DoS measure that is necessary for things
-+	// like devicemapper). This is necessary to avoid cases where a libdm mount
-+	// that is present in another namespace will cause subsequent RemoveDevice
-+	// operations to fail. We ignore any errors here because this may fail on
-+	// older kernels which don't have
-+	// torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
-+	if err := os.Remove(mountPath); err != nil {
-+		logrus.Debugf("devmapper: error doing a remove on unmounted device %s: %v", mountPath, err)
-+	}
-+
- 	return devices.deactivateDevice(info)
- }
- 
-diff --git a/daemon/graphdriver/devmapper/driver.go b/daemon/graphdriver/devmapper/driver.go
-index 91de5cd12a0f..69a3b3184933 100644
---- a/daemon/graphdriver/devmapper/driver.go
-+++ b/daemon/graphdriver/devmapper/driver.go
-@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error {
- 	if count := d.ctr.Decrement(mp); count > 0 {
- 		return nil
- 	}
-+
- 	err := d.DeviceSet.UnmountDevice(id, mp)
- 	if err != nil {
--		logrus.Errorf("devmapper: Error unmounting device %s: %s", id, err)
-+		logrus.Errorf("devmapper: Error unmounting device %s: %v", id, err)
- 	}
-+
- 	return err
- }
- 
--- 
-2.14.1
-

bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch

@@ -1,4 +1,4 @@
-From 6f18798a72d330f282ff7beb554d298f30531c8f Mon Sep 17 00:00:00 2001
+From a24b98c0fc45d640b4eed8105033b313b8145e35 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Sun, 15 Oct 2017 17:06:20 +1100
 Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon
@@ -21,13 +21,13 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 46 insertions(+)
 
 diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
-index 9cf6674dfe11..0f1dabc31100 100644
+index 0f8a392c2621..89ac627ff090 100644
 --- a/daemon/oci_linux.go
 +++ b/daemon/oci_linux.go
-@@ -27,6 +27,7 @@ import (
+@@ -26,6 +26,7 @@ import (
-	"github.com/opencontainers/runc/libcontainer/devices"
  	"github.com/opencontainers/runc/libcontainer/user"
  	specs "github.com/opencontainers/runtime-spec/specs-go"
+ 	"github.com/sirupsen/logrus"
 +	"golang.org/x/sys/unix"
  )
  
@@ -71,7 +71,7 @@ index 9cf6674dfe11..0f1dabc31100 100644
  var (
  	mountPropagationMap = map[string]int{
  		"private":  mount.PRIVATE,
-@@ -573,6 +606,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
+@@ -575,6 +608,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c
  			opts = append(opts, mountPropagationReverseMap[pFlag])
  		}
  
@@ -92,5 +92,5 @@ index 9cf6674dfe11..0f1dabc31100 100644
  		s.Mounts = append(s.Mounts, mt)
  	}
 -- 
-2.14.2
+2.15.0
 

bsc1064781-0001-Allow-to-override-build-date.patch

@@ -1,33 +0,0 @@
-From 760763e9957840f1983a5006f4e66d6920ec496e Mon Sep 17 00:00:00 2001
-From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
-Date: Wed, 19 Jul 2017 06:17:19 +0200
-Subject: [PATCH] Allow to override build date
-
-in order to make builds reproducible.
-See https://reproducible-builds.org/ for why this is good
-and https://reproducible-builds.org/specs/source-date-epoch/
-for the definition of this variable.
-
-SUSE-Bugfix: https://bugzilla.suse.com/show_bug.cgi?id=1064781
-Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- hack/make.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/hack/make.sh b/hack/make.sh
-index b7d59ba94a00..7d18d649b540 100755
---- a/hack/make.sh
-+++ b/hack/make.sh
-@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=(
- )
-
- VERSION=$(< ./VERSION)
--! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
-+! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/')
- if [ "$DOCKER_GITCOMMIT" ]; then
-	GITCOMMIT="$DOCKER_GITCOMMIT"
- elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then
--- 
-2.14.2
-

bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch

@@ -1,118 +0,0 @@
-From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Wed, 8 Nov 2017 02:50:52 +1100
-Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2
-
-Update to the latest version of tar-split, which includes a change to
-fix a memory exhaustion issue where a malformed image could cause the
-Docker daemon to crash.
-
-  * tar: asm: store padding in chunks to avoid memory exhaustion
-
-Fixes: CVE-2017-14992
-SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- vendor.conf                                        |  2 +-
- vendor/github.com/vbatts/tar-split/README.md       |  3 +-
- .../vbatts/tar-split/tar/asm/disassemble.go        | 43 ++++++++++++++--------
- 3 files changed, 31 insertions(+), 17 deletions(-)
-
-diff --git a/vendor.conf b/vendor.conf
-index 535adad38728..ea4f75bbea10 100644
---- a/vendor.conf
-+++ b/vendor.conf
-@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7
- 
- # get graph and distribution packages
- github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621
--github.com/vbatts/tar-split v0.10.1
-+github.com/vbatts/tar-split v0.10.2
- github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb
- 
- # get go-zfs packages
-diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md
-index 4c544d823fbc..03e3ec4308b7 100644
---- a/vendor/github.com/vbatts/tar-split/README.md
-+++ b/vendor/github.com/vbatts/tar-split/README.md
-@@ -1,6 +1,7 @@
- # tar-split
- 
- [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split)
-+[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split)
- 
- Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive.
- 
-@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a
- contiguous file, though the archive contents may be recorded in sparse format.
- Therefore when adding the file payload to a reassembled tar, to achieve
- identical output, the file payload would need be precisely re-sparsified. This
--is not something I seek to fix imediately, but would rather have an alert that
-+is not something I seek to fix immediately, but would rather have an alert that
- precise reassembly is not possible.
- (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html)
- 
-diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
-index 54ef23aed366..009b3f5d8124 100644
---- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
-+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go
-@@ -2,7 +2,6 @@ package asm
- 
- import (
- 	"io"
--	"io/ioutil"
- 
- 	"github.com/vbatts/tar-split/archive/tar"
- 	"github.com/vbatts/tar-split/tar/storage"
-@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io
- 			}
- 		}
- 
--		// it is allowable, and not uncommon that there is further padding on the
--		// end of an archive, apart from the expected 1024 null bytes.
--		remainder, err := ioutil.ReadAll(outputRdr)
--		if err != nil && err != io.EOF {
--			pW.CloseWithError(err)
--			return
--		}
--		_, err = p.AddEntry(storage.Entry{
--			Type:    storage.SegmentType,
--			Payload: remainder,
--		})
--		if err != nil {
--			pW.CloseWithError(err)
--			return
-+		// It is allowable, and not uncommon that there is further padding on
-+		// the end of an archive, apart from the expected 1024 null bytes. We
-+		// do this in chunks rather than in one go to avoid cases where a
-+		// maliciously crafted tar file tries to trick us into reading many GBs
-+		// into memory.
-+		const paddingChunkSize = 1024 * 1024
-+		var paddingChunk [paddingChunkSize]byte
-+		for {
-+			var isEOF bool
-+			n, err := outputRdr.Read(paddingChunk[:])
-+			if err != nil {
-+				if err != io.EOF {
-+					pW.CloseWithError(err)
-+					return
-+				}
-+				isEOF = true
-+			}
-+			_, err = p.AddEntry(storage.Entry{
-+				Type:    storage.SegmentType,
-+				Payload: paddingChunk[:n],
-+			})
-+			if err != nil {
-+				pW.CloseWithError(err)
-+				return
-+			}
-+			if isEOF {
-+				break
-+			}
- 		}
- 		pW.Close()
- 	}()
--- 
-2.14.3
-

bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch

@@ -1,31 +0,0 @@
-From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001
-From: Aleksa Sarai <asarai@suse.de>
-Date: Tue, 7 Nov 2017 18:32:41 +1100
-Subject: [PATCH] oci: add /proc/scsi to masked paths
-
-This is writeable, and can be used to remove devices. Containers do
-not need to know about scsi devices.
-
-Fixes: CVE-2017-16539
-SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801
-Signed-off-by: Justin Cormack <justin.cormack@docker.com>
-Signed-off-by: Aleksa Sarai <asarai@suse.de>
----
- oci/defaults.go | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/oci/defaults.go b/oci/defaults.go
-index d706fafcc021..a7fd285060c2 100644
---- a/oci/defaults.go
-+++ b/oci/defaults.go
-@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec {
- 			"/proc/timer_list",
- 			"/proc/timer_stats",
- 			"/proc/sched_debug",
-+			"/proc/scsi",
- 		},
- 		ReadonlyPaths: []string{
- 			"/proc/asound",
--- 
-2.14.3
-

docker-17.07.0_ce.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:50c6b7f10e313ffe906b2fd72a6844f14d23458e2881a862c630c37c1c87f4b8
-size 6142992

docker-17.09.1_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9
+size 6237800

docker.changes

@@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com
+
+- Update to Docker v17.09.1_ce. Upstream changelog:
+  https://github.com/docker/docker-ce/releases/tag/v17.09.1-ce
+- Removed patches (merged upstream):
+  - bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+  - bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
+  - bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
+
+-------------------------------------------------------------------
+Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com
+
+- Update to Docker v17.09.0_ce. Upstream changelog:
+  https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce
+- Rebased patches:
+  * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+  * bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+  * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
+  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+- Removed patches (merged upstream):
+  - bsc1064781-0001-Allow-to-override-build-date.patch
+
+-------------------------------------------------------------------
+Tue Dec  5 10:58:07 UTC 2017 - asarai@suse.com
+
+- Add a patch to dynamically probe whether libdevmapper supports
+  dm_task_deferred_remove. This is necessary because we build the containers
+  module on a SLE12 base, but later SLE versions have libdevmapper support.
+  This should not affect openSUSE, as all openSUSE versions have a new enough
+  libdevmapper. Backport of https://github.com/moby/moby/pull/35518.
+  bsc#1021227 bsc#1029320 bsc#1058173
+  + bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
+
 -------------------------------------------------------------------
 Mon Dec  4 12:22:29 UTC 2017 - asarai@suse.com
 
@@ -67,7 +102,7 @@ Mon Oct 16 11:06:22 UTC 2017 - asarai@suse.com
 -------------------------------------------------------------------
 Mon Oct  9 11:36:59 UTC 2017 - asarai@suse.com
 
-- Update to Docker v17.07-ce (bsc#1069758). Upstream changelog:
+- Update to Docker v17.07.0_ce (bsc#1069758). Upstream changelog:
   https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce
   https://github.com/docker/docker-ce/releases/tag/v17.07.0-ce
 - Removed no-longer needed patches.

docker.spec

@@ -31,11 +31,17 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_version 87847530f717
+%define git_version f4ffd2511ce9
-%define git_commit_epoch 1508266293
+%define git_commit_epoch 1508606827
+
+# These are the git commits required. We verify them against the source to make
+# sure we didn't miss anything important when doing upgrades.
+%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0
+%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64
+%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e
 
 Name:           docker
-Version:        17.07.0_ce
+Version:        17.09.1_ce
 Release:        0
 Summary:        The Linux container runtime
 License:        Apache-2.0
@@ -57,15 +63,9 @@ Source9:        tests.sh
 Patch200:       secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
 Patch201:       secrets-0002-SUSE-implement-SUSE-container-secrets.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676
-Patch401:       bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
+Patch400:       bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34573. bsc#1045628
+# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173
-Patch402:       bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+Patch401:       bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781
-Patch403:       bsc1064781-0001-Allow-to-override-build-date.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539
-Patch404:       bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992
-Patch405:       bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -99,14 +99,14 @@ Requires:       ca-certificates-mozilla
 # Required in order for networking to work. fix_bsc_1057743 is a work-around
 # for some old packaging issues (where rpm would delete a binary that was
 # installed by docker-libnetwork). See bsc#1057743 for more details.
-Requires:       docker-libnetwork = 0.7.0+gitr2322_4a242dba7739
+Requires:       docker-libnetwork-git = %{required_libnetwork}
 Requires:       fix_bsc_1057743
 # Containerd and runC are required as they are the only currently supported
 # execdrivers of Docker. NOTE: The version pinning here matches upstream's
 # vendor.conf to ensure that we don't use a slightly incompatible version of
 # runC or containerd (which would be bad).
-Requires:       containerd = 0.2.8+gitr671_3addd8406531
+Requires:       containerd-git  = %{required_containerd}
-Requires:       docker-runc = 1.0.0rc3+gitr3201_2d41c04
+Requires:       docker-runc-git = %{required_dockerrunc}
 # Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used
 Requires:       e2fsprogs
 Requires:       git-core >= 1.7
@@ -124,7 +124,7 @@ Requires(post): shadow
 Recommends:     lvm2 >= 2.2.89
 Conflicts:      lxc < 1.0
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-ExcludeArch:    %ix86 s390 ppc
+ExcludeArch:    s390 ppc
 # Make sure we build with go 1.8
 BuildRequires:  go-go-md2man
 BuildRequires:  golang(API) = 1.8
@@ -181,19 +181,14 @@ Test package for docker. It contains the source code and the tests.
 %if 0%{?is_opensuse}
 # nothing
 %else
+# PATCH-SUSE: Secrets patches.
 %patch200 -p1 -d components/engine
 %patch201 -p1 -d components/engine
 %endif
 # bsc#1055676
+%patch400 -p1 -d components/engine
+# bsc#1021227 bsc#1029320 bsc#1058173
 %patch401 -p1 -d components/engine
-# bsc#1045628
-%patch402 -p1 -d components/engine
-# boo#1064781
-%patch403 -p1 -d components/engine
-# boo#1066801 CVE-2017-16539
-%patch404 -p1 -d components/engine
-# boo#1066210 CVE-2017-14992
-%patch405 -p1 -d components/engine
 
 cp %{SOURCE7} .
 cp %{SOURCE9} .
@@ -203,10 +198,11 @@ BUILDTAGS="exclude_graphdriver_aufs apparmor selinux pkcs11"
 %if 0%{?with_libseccomp}
 BUILDTAGS="seccomp $BUILDTAGS"
 %endif
-# For SLE12 libdevmapper.h is not recent enough to define
-# dm_task_deferred_remove().
 %if 0%{?sle_version} == 120000
-	BUILDTAGS="libdm_no_deferred_remove $BUILDTAGS"
+	# Provided by patch406, to allow us to build with older distros but still
+	# have deferred removal support at runtime. We only use this when building
+	# on SLE12.
+	BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
 %endif
 
 (cat <<EOF
@@ -272,6 +268,12 @@ cp -ar %{buildroot}/usr/src/docker/engine $HOME/go/src/github.com/docker/docker
 
 cd $HOME/go/src/github.com/docker/docker
 
+# We verify that all of our -git requires are correct. This is done on-build to
+# make sure that someone doing an update didn't miss anything.
+grep 'RUNC_COMMIT=%{required_dockerrunc}'       hack/dockerfile/binaries-commits
+grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits
+grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits
+
 # The command is taken from hack/make/test-unit and various test runs.
 # Everything that follows github.com/docker/pkg/integration-cli are packages
 # containing tests that cannot run in an obs build context. Some tests must be
@@ -289,9 +291,13 @@ PKG_LIST=$(go list -e \
 		| grep -v 'github.com/docker/docker/builder/dockerfile/parser$' \
 		| grep -v 'github.com/docker/docker/builder/remotecontext' \
 		| grep -v 'github.com/docker/docker/cmd/dockerd$' \
+%ifarch s390x
+		| grep -v 'github.com/docker/docker/container' \
+%endif
 		| grep -v 'github.com/docker/docker/daemon$' \
 		| grep -v 'github.com/docker/docker/daemon/graphdriver' \
 		| grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \
+		| grep -v 'github.com/docker/docker/integration' \
 		| grep -v 'github.com/docker/docker/integration-cli' \
 		| grep -v 'github.com/docker/docker/man$' \
 		| grep -v 'github.com/docker/docker/pkg/archive$' \
@@ -314,22 +320,33 @@ PKG_LIST=$(go list -e \
 		)
 # PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
 rm ./pkg/system/rm_test.go
-
 go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
 
 # DOCKER CLIENT
+find $(go env GOROOT) -type d
+
 cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli
 cd $HOME/go/src/github.com/docker/cli
 PKG_LIST=$(go list ./... \
 		| grep    'github.com/docker/cli' \
 		| grep -v 'github.com/docker/cli/vendor' \
+		| grep -Ev 'vendor/(.+/)?github.com/docker/cli' \
 		| grep -v 'github.com/docker/cli/cli/command/idresolver' \
 		| grep -v 'github.com/docker/cli/cli/command/image' \
 		| grep -v 'github.com/docker/cli/cli/image' \
+		| grep -v 'github.com/docker/cli/cmd/docker' \
+		| grep -v 'github.com/docker/cli/e2e' \
+		| grep -v 'github.com/docker/cli/cli/image' \
 		)
 # PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER!
 
-go test -buildmode=pie -cover -ldflags -w -tags daemon -a -test.timeout=10m $PKG_LIST
+# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will
+# produce really odd errors about packages missing (this only happens if we
+# have a lot of packages in the cmdline). So just avoid running these tests if
+# we're on ppc64le (which requires -buildmode=pie).
+%ifnarch ppc64le
+go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST
+%endif
 
 %install
 install -d %{buildroot}%{go_contribdir}

secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch

@@ -1,4 +1,4 @@
-From 102c28e548a544d672163300334d01240cfc965b Mon Sep 17 00:00:00 2001
+From 5022c3554723040682444e324cd26ec8e2500131 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets
@@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  1 file changed, 21 insertions(+), 3 deletions(-)
 
 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 84b7eb352f1a..dc3a48bfe47a 100644
+index 954c194ea836..3ef1e0262edc 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
 @@ -3,6 +3,7 @@
@@ -26,7 +26,7 @@ index 84b7eb352f1a..dc3a48bfe47a 100644
  	"fmt"
  	"io/ioutil"
 @@ -13,6 +14,7 @@ import (
- 	"github.com/Sirupsen/logrus"
+ 
  	"github.com/docker/docker/container"
  	"github.com/docker/docker/daemon/links"
 +	"github.com/docker/docker/pkg/archive"
@@ -70,5 +70,5 @@ index 84b7eb352f1a..dc3a48bfe47a 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.15.0
+2.15.1
 

secrets-0002-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From c62fb8fa766b6917839987b7e1323f0523166d32 Mon Sep 17 00:00:00 2001
+From a84aa9152b50ea1fd73a7d09246ac056534d0e48 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@@ -19,7 +19,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  create mode 100644 daemon/suse_secrets.go
 
 diff --git a/daemon/start.go b/daemon/start.go
-index 55438cf2c45f..7dfa6cd1d055 100644
+index de32a649d7ed..2b6137d315e9 100644
 --- a/daemon/start.go
 +++ b/daemon/start.go
 @@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
@@ -33,7 +33,7 @@ index 55438cf2c45f..7dfa6cd1d055 100644
 +
  	spec, err := daemon.createSpec(container)
  	if err != nil {
- 		return err
+ 		return systemError{err}
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
 index 000000000000..9d0788f0410d
@@ -74,7 +74,7 @@ index 000000000000..9d0788f0410d
 +	"github.com/docker/docker/pkg/archive"
 +	"github.com/docker/docker/pkg/idtools"
 +	"github.com/opencontainers/go-digest"
-+	"github.com/Sirupsen/logrus"
++	"github.com/sirupsen/logrus"
 +
 +	swarmtypes "github.com/docker/docker/api/types/swarm"
 +	swarmexec "github.com/docker/swarmkit/agent/exec"
@@ -432,5 +432,5 @@ index 000000000000..9d0788f0410d
 +	return nil
 +}
 -- 
-2.15.0
+2.15.1