Accepting request 1040668 from home:cyphar:docker

- Update to Docker 20.10.21-ce. See upstream changelog online at
  <https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
  * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
  * 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch now logs a warning whenever the feature is in use
  (in preparation for removing it). This feature was never meant to be used by
  users directly (and is only available in the -kubic/CaaSP flavour of the
  package anyway), so no users should be affected.

OBS-URL: https://build.opensuse.org/request/show/1040668
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=378
This commit is contained in:
Aleksa Sarai 2022-12-06 13:40:50 +00:00 committed by Git OBS Bridge
parent 2d5b72554e
commit 8d13290266
16 changed files with 98 additions and 70 deletions


@ -1,7 +1,7 @@
From 37dfb97c0016300dd6453fc718805ccdf341bfd6 Mon Sep 17 00:00:00 2001
From 823bedd07fac6778a3d94b6f949ac16e6bd12638 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 12:41:54 +1100
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
Since FileMode can have the directory bit set, allow a SecretStore
implementation to return secrets that are actually directories. This is
@ -70,5 +70,5 @@ index 75b4b09b8dc4..583db20aa459 100644
return errors.Wrap(err, "error setting ownership for secret")
}
--
2.36.1
2.38.1


@ -1,7 +1,7 @@
From 11ac23e5620ee53c9527334d2222b32ca5098876 Mon Sep 17 00:00:00 2001
From fa24396cbecbb6cdc7c734559389486849c2268c Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Wed, 8 Mar 2017 11:43:29 +1100
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
This allows for us to pass in host credentials to a container, allowing
for SUSEConnect to work with containers.
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
+ return nil
+}
--
2.36.1
2.38.1


@ -1,7 +1,7 @@
From cf3c6ccefda39c60dc656404674628ac48b55de9 Mon Sep 17 00:00:00 2001
From 0fe6aba9612d2b483b29192c0605b1311b77a92b Mon Sep 17 00:00:00 2001
From: Valentin Rothberg <vrothberg@suse.com>
Date: Mon, 2 Jul 2018 13:37:34 +0200
Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
Subject: [PATCH 3/7] PRIVATE-REGISTRY: add private-registry mirror support
NOTE: This is a backport/downstream patch of the upstream pull-request
for Moby, which is still subject to changes. Please visit
@ -72,12 +72,12 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
distribution/pull.go | 2 +-
distribution/pull_v2.go | 2 +-
distribution/push.go | 2 +-
registry/config.go | 126 ++++++++++++++++++++++++++++-
registry/config.go | 133 +++++++++++++++++++++++++++++-
registry/config_test.go | 142 ++++++++++++++++++++++++++++++++
registry/registry_test.go | 99 ++++++++++++++++++++---
registry/service.go | 43 +++++++---
registry/service_v2.go | 64 +++++++++++----
12 files changed, 710 insertions(+), 46 deletions(-)
registry/service_v2.go | 63 +++++++++++----
12 files changed, 716 insertions(+), 46 deletions(-)
diff --git a/api/types/registry/registry.go b/api/types/registry/registry.go
index 53e47084c8d5..b4bb9ef805d3 100644
@ -444,10 +444,10 @@ index c8ddd4c5cfcd..b17e9d25d6c2 100644
return err
}
diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go
index 123abf6b497a..097ead45d0fd 100644
index 5abd18b6cf7c..0796e7ea1d52 100644
--- a/distribution/pull_v2.go
+++ b/distribution/pull_v2.go
@@ -432,7 +432,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
@@ -433,7 +433,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform
// the other side speaks the v2 protocol.
p.confirmedV2 = true
@ -470,7 +470,7 @@ index 5617a4c95f49..0a24aebed968 100644
return err
}
diff --git a/registry/config.go b/registry/config.go
index 54b83fa40aab..e1ba24b83bdd 100644
index 54b83fa40aab..5adc913e4344 100644
--- a/registry/config.go
+++ b/registry/config.go
@@ -14,11 +14,12 @@ import (
@ -512,7 +512,7 @@ index 54b83fa40aab..e1ba24b83bdd 100644
config := &serviceConfig{
ServiceConfig: registrytypes.ServiceConfig{
InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0),
@@ -78,10 +92,106 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
@@ -78,10 +92,113 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) {
if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil {
return nil, err
}
@ -531,6 +531,13 @@ index 54b83fa40aab..e1ba24b83bdd 100644
+func (config *serviceConfig) checkRegistries() error {
+ inUse := make(map[string]string) // key: host, value: user
+
+ if len(config.Registries) > 0 {
+ logrus.Errorf("[SUSE] You are currently using an unsupported and out-of-tree Docker feature intended for internal SUSE only.")
+ logrus.Errorf("[SUSE] If you see this warning (and you are not using CaaSP) please open a SUSE bug report to alert us of this.")
+ logrus.Errorf("[SUSE] This feature (registry mirrors) will be removed in a future Docker release on SUSE.")
+ logrus.Errorf("[SUSE] Please DO NOT submit an upstream bug report about this warning!")
+ }
+
+ // make sure that each mirror serves only one registry
+ for _, reg := range config.Registries {
+ for _, mirror := range reg.Mirrors {
@ -619,7 +626,7 @@ index 54b83fa40aab..e1ba24b83bdd 100644
// LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config.
func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error {
cidrs := map[string]*registrytypes.NetIPNet{}
@@ -122,6 +232,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str
@@ -122,6 +239,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str
// LoadMirrors loads mirrors to config, after removing duplicates.
// Returns an error if mirrors contains an invalid mirror.
func (config *serviceConfig) LoadMirrors(mirrors []string) error {
@ -630,7 +637,7 @@ index 54b83fa40aab..e1ba24b83bdd 100644
mMap := map[string]struct{}{}
unique := []string{}
@@ -151,6 +265,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error {
@@ -151,6 +272,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error {
// LoadInsecureRegistries loads insecure registries to config
func (config *serviceConfig) LoadInsecureRegistries(registries []string) error {
@ -1042,10 +1049,10 @@ index 3b08e39da2c2..62556ba1ba70 100644
for _, endpoint := range allEndpoints {
if !endpoint.Mirror {
diff --git a/registry/service_v2.go b/registry/service_v2.go
index 3e3a5b41ffbd..451a6f874bc1 100644
index 154ac7c93e80..06f7d20de8f9 100644
--- a/registry/service_v2.go
+++ b/registry/service_v2.go
@@ -1,39 +1,71 @@
@@ -1,42 +1,73 @@
package registry // import "github.com/docker/docker/registry"
import (
@ -1060,17 +1067,7 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
-func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) {
+func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) {
tlsConfig := tlsconfig.ServerDefault()
- if hostname == DefaultNamespace || hostname == IndexHostname {
- for _, mirror := range s.config.Mirrors {
- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
- mirror = "https://" + mirror
- }
- mirrorURL, err := url.Parse(mirror)
- if err != nil {
- return nil, err
- }
- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
+
+ // extraxt the hostname from the reference
+ refURL := reference
+ if !strings.HasPrefix(refURL, "http://") && !strings.HasPrefix(refURL, "https://") {
@ -1085,6 +1082,18 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
+ return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: cannot determine hostname of reference %s", reference)
+ }
+
ana := allowNondistributableArtifacts(s.config, hostname)
- if hostname == DefaultNamespace || hostname == IndexHostname {
- for _, mirror := range s.config.Mirrors {
- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") {
- mirror = "https://" + mirror
- }
- mirrorURL, err := url.Parse(mirror)
- if err != nil {
- return nil, err
- }
- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL)
+ // create endpoints for official and configured registries
+ official := false
+ if hostname == "docker.io" {
@ -1131,8 +1140,8 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
+ Official: official,
TrimHostname: true,
TLSConfig: tlsConfig,
})
@@ -45,7 +77,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
@@ -48,7 +79,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp
tlsConfig, err = s.tlsConfig(hostname)
if err != nil {
@ -1142,5 +1151,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
endpoints = []APIEndpoint{
--
2.36.1
2.38.1
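Review bot: The deprecation notice added at the top of checkRegistries is emitted with `logrus.Errorf` although the commit message and the text itself call it a warning, so every daemon with a non-empty `Registries` list will produce four ERROR-level lines on each start that anyone alerting on daemon error logs will treat as a fault. `logrus.Warnf` (or a single `logrus.Warn`, since none of the format strings carry verbs) matches the intent and keeps the notice from being filtered out together with real errors. The text also says "This feature (registry mirrors) will be removed", but the guard keys on `config.Registries`, i.e. the private-registry list this patch adds, not upstream's `registry-mirrors`; naming it "private registries" would avoid confusing CaaSP operators who use the upstream option as well. Because this patch appears to redirect pulls to configured mirrors per registry, a visible notice is a useful signal for operators auditing image provenance, which is another reason not to bury it at error level. checkRegistries continues past the end of this hunk.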


@ -1,7 +1,7 @@
From 5d2f7a37a37547663aae1538b2d3fd48dd7277c8 Mon Sep 17 00:00:00 2001
From bc52d15141402d94eeaee618f1df0b540f527b98 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Jun 2018 17:59:30 +1000
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
start
In the process of making docker-default reloading far less expensive,
@ -69,10 +69,10 @@ index e3dc18b32b5e..9c7723056268 100644
return nil
}
diff --git a/daemon/daemon.go b/daemon/daemon.go
index 2a2fbbd52e19..0999ac3186b7 100644
index f15a4b038498..2f0c23bc62c9 100644
--- a/daemon/daemon.go
+++ b/daemon/daemon.go
@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
@@ -857,8 +857,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
}
@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
}
--
2.36.1
2.38.1


@ -1,7 +1,7 @@
From b54c6c7addcb163ddcef5e37fc7ed1c0afd0dbfa Mon Sep 17 00:00:00 2001
From 57673ad5455b1b27e41716e33b67c9cd8099b580 Mon Sep 17 00:00:00 2001
From: Michal Rostecki <mrostecki@opensuse.org>
Date: Thu, 8 Apr 2021 14:42:02 +0100
Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
Subject: [PATCH 5/7] bsc1183855: btrfs: Do not disable quota on cleanup
Before this change, cleanup of the btrfs driver (occuring on each daemon
shutdown) resulted in disabling quotas. It was done with an assumption
@ -140,5 +140,5 @@ index fa0cdf8666b1..02bbb5da1088 100644
}
if err := subvolLimitQgroup(dir, size); err != nil {
--
2.36.1
2.38.1


@ -1,7 +1,7 @@
From bb67252dfccb18dacc9e0c3463e7c52f32fb2900 Mon Sep 17 00:00:00 2001
From dd265ac6cbe070f80a0c607ba147af35858ae5e9 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <asarai@suse.de>
Date: Fri, 29 Apr 2022 12:44:21 +1000
Subject: [PATCH 6/6] bsc1193930: vendor: update golang.org/x/crypto
Subject: [PATCH 6/7] bsc1193930: vendor: update golang.org/x/crypto
This is necessary to fix several security issues that Docker hasn't
backported to their CE branch:
@ -354,10 +354,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
create mode 100644 vendor/golang.org/x/crypto/xts/xts.go
diff --git a/vendor.conf b/vendor.conf
index 54e97e4562d8..9ff95d499ef8 100644
index a41471b57b71..2965c71c3709 100644
--- a/vendor.conf
+++ b/vendor.conf
@@ -150,7 +150,7 @@ github.com/golang/protobuf 84668698ea25b64748563aa20726
@@ -152,7 +152,7 @@ github.com/golang/protobuf 84668698ea25b64748563aa20726
github.com/cloudflare/cfssl 5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2
github.com/fernet/fernet-go 9eac43b88a5efb8651d24de9b68e87567e029736
github.com/google/certificate-transparency-go 37a384cd035e722ea46e55029093e26687138edf # v1.0.20
@ -41068,5 +41068,5 @@ index 000000000000..b51308e95e52
+ }
+}
--
2.36.1
2.38.1


@ -1,4 +1,4 @@
From 078fbd36b8fecab42ac7faad973a16aed10ab28c Mon Sep 17 00:00:00 2001
From 6451aa1559ce5a135f599682ab33721e116925bd Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Fri, 29 Jan 2021 14:55:08 +0100
Subject: [PATCH 7/7] bsc1200022: fifo.Close(): prevent possible panic if fifo
@ -52,5 +52,5 @@ index 96c214f270bf..c3eec295b578 100644
case <-f.closed:
f.handle.Close()
--
2.36.1
2.38.1


@ -3,16 +3,16 @@
<param name="url">https://github.com/moby/moby.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.17_ce_%h</param>
<param name="revision">v20.10.17</param>
<param name="versionformat">20.10.21_ce_%h</param>
<param name="revision">v20.10.21</param>
<param name="filename">docker</param>
</service>
<service name="tar_scm" mode="disabled">
<param name="url">https://github.com/docker/cli.git</param>
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">20.10.17_ce</param>
<param name="revision">v20.10.17</param>
<param name="versionformat">20.10.21_ce</param>
<param name="revision">v20.10.21</param>
<param name="filename">docker-cli</param>
</service>
<service name="tar_scm" mode="disabled">
@ -20,7 +20,7 @@
<param name="scm">git</param>
<param name="exclude">.git</param>
<param name="versionformat">%H</param>
<param name="revision">f6ccccb1c082a432c2a5814aaedaca56af33d9ea</param>
<param name="revision">0dde5c895075df6e3630e76f750a447cf63f4789</param>
<param name="filename">docker-libnetwork</param>
</service>
<service name="recompress" mode="disabled">


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:9464d19aa358c19089672a03b13572b9c512c8c19ad098b594caca864052c426
size 6557740


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2696414f3d39bb862d2e60e614a4fe2e6a655c65c30742a4a28b776fbbd59bc5
size 6590696


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1eeb771ad69ec70e206d69bdb649d05f438d0fa4193bbb6f4c7fd276258a08a9
size 4357440


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cfa23215b99aed9c85a401fd1aeb961a5a3f8b3095fb6815ba8eb83cf182481f
size 4358052


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:24a4b6aeb1391b2ab9f99fad7343913ecc7191a10669a056e0a2cdf449e3733e
size 1983868


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a676901b2676dedd147e70b2e6c5b9869e8d2fad99605de20cc1b42830097d3b
size 1983552


@ -1,3 +1,21 @@
-------------------------------------------------------------------
Tue Dec 6 11:49:32 UTC 2022 - Aleksa Sarai <asarai@suse.com>
- Update to Docker 20.10.21-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/#201021>. bsc#1206065
- Rebase patches:
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
* 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
* 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in
preparation for removing the feature). This feature was never meant to be
used by users directly (and is only available in the -kubic/CaaSP version of
the package anyway) and thus should not affect any users.
-------------------------------------------------------------------
Mon Oct 24 09:45:20 UTC 2022 - Dan Čermák <dcermak@suse.com>


@ -42,24 +42,25 @@
# helpfully injects into our build environment from the changelog). If you want
# to generate a new git_commit_epoch, use this:
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
%define git_version a89b84221c85
%define git_commit_epoch 1654554758
%define real_version 20.10.21
%define git_version 3056208812eb
%define git_commit_epoch 1666698255
# We require a specific pin of libnetwork because it doesn't really do
# versioning and minor version mismatches in libnetwork can break Docker
# networking. All other key runtime dependencies (containerd, runc) are stable
# enough that this isn't necessary.
%define libnetwork_version f6ccccb1c082a432c2a5814aaedaca56af33d9ea
%define libnetwork_version 0dde5c895075df6e3630e76f750a447cf63f4789
%define dist_builddir %{_builddir}/dist-suse
%define cli_builddir %{dist_builddir}/src/github.com/docker/cli
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
Name: %{realname}%{name_suffix}
Version: 20.10.17_ce
Version: %{real_version}_ce
# This "nice version" is so that docker --version gives a result that can be
# parsed by other people. boo#1182476
%define nice_version 20.10.17-ce
%define nice_version %{real_version}-ce
Release: 0
Summary: The Moby-project Linux container runtime
License: Apache-2.0
@ -117,8 +118,8 @@ BuildRequires: go-go-md2man
BuildRequires: pkgconfig(libsystemd)
BuildRequires: sysuser-tools
# Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires
# for 'golang(API) >= 1.17' here, so just require 1.17 exactly. bsc#1172608
BuildRequires: go1.17
# for 'golang(API) >= 1.18' here, so just require 1.18 exactly. bsc#1172608
BuildRequires: go1.18
Requires: (apparmor-parser or container-selinux)
Requires: ca-certificates-mozilla
# The docker-proxy binary used to be in a separate package. We obsolete it,
@ -128,7 +129,7 @@ Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
# Required to actually run containers. We require the minimum version that is
# pinned by Docker, but in order to avoid headaches we allow for updates.
Requires: runc >= 1.1.2
Requires: containerd >= 1.6.6
Requires: containerd >= 1.6.9
# Needed for --init support. We don't use "tini", we use our own implementation
# which handles edge-cases better.
Requires: catatonit