Accepting request 1083276 from Virtualization:containers

OBS-URL: https://build.opensuse.org/request/show/1083276
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=130

0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -1,7 +1,7 @@
-From 823bedd07fac6778a3d94b6f949ac16e6bd12638 Mon Sep 17 00:00:00 2001
+From 5c6812a104e161599fc8569d0b4af04224ef3b5a Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/3] SECRETS: daemon: allow directory creation in /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@@ -10,11 +10,11 @@ useful for creating directories and subdirectories of secrets.
 Signed-off-by: Antonio Murdaca <runcom@redhat.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
- daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
+ daemon/container_operations_unix.go | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
 
 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 75b4b09b8dc4..583db20aa459 100644
+index 561077b66b60..0b70825dd2ff 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
 @@ -4,6 +4,7 @@
@@ -23,12 +23,12 @@ index 75b4b09b8dc4..583db20aa459 100644
  import (
 +	"bytes"
  	"fmt"
- 	"io/ioutil"
  	"os"
-@@ -13,6 +14,7 @@ import (
- 	"github.com/docker/docker/container"
+ 	"path/filepath"
+@@ -14,6 +15,7 @@ import (
  	"github.com/docker/docker/daemon/links"
  	"github.com/docker/docker/errdefs"
+ 	"github.com/docker/docker/libnetwork"
 +	"github.com/docker/docker/pkg/archive"
  	"github.com/docker/docker/pkg/idtools"
  	"github.com/docker/docker/pkg/stringid"
@@ -37,13 +37,13 @@ index 75b4b09b8dc4..583db20aa459 100644
  		if err != nil {
  			return errors.Wrap(err, "unable to get secret from secret store")
  		}
--		if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
+-		if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
 -			return errors.Wrap(err, "error injecting secret")
 -		}
  
  		uid, err := strconv.Atoi(s.File.UID)
  		if err != nil {
-@@ -219,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
  			return err
  		}
  
@@ -55,14 +55,13 @@ index 75b4b09b8dc4..583db20aa459 100644
 +				// If the "file" is a directory, then s.File.Data is actually a tar
 +				// archive of the directory. So we just do a tar extraction here.
 +				if err := archive.UntarUncompressed(bytes.NewBuffer(secret.Spec.Data), fPath, &archive.TarOptions{
-+					UIDMaps: daemon.idMapping.UIDs(),
-+					GIDMaps: daemon.idMapping.GIDs(),
++					IDMap: daemon.idMapping,
 +				}); err != nil {
 +					return errors.Wrap(err, "error injecting secretdir")
 +				}
 +			}
 +		} else {
-+			if err := ioutil.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
++			if err := os.WriteFile(fPath, secret.Spec.Data, s.File.Mode); err != nil {
 +				return errors.Wrap(err, "error injecting secret")
 +			}
 +		}
@@ -70,5 +69,5 @@ index 75b4b09b8dc4..583db20aa459 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.38.1
+2.40.0
 

0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,7 +1,7 @@
-From fa24396cbecbb6cdc7c734559389486849c2268c Mon Sep 17 00:00:00 2001
+From 4138c02a19fbd3d3ff50f0b364bf4b99adc47298 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/3] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@@ -14,12 +14,12 @@ SUSE-Bugs: bsc#1065609 bsc#1057743 bsc#1055676 bsc#1030702
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 410 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 415 insertions(+)
+ daemon/suse_secrets.go | 415 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 420 insertions(+)
  create mode 100644 daemon/suse_secrets.go
 
 diff --git a/daemon/start.go b/daemon/start.go
-index d9bc082b1078..091dae2ae65e 100644
+index 9d6f7812b67c..53c42082c5bf 100644
 --- a/daemon/start.go
 +++ b/daemon/start.go
 @@ -150,6 +150,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint
@@ -36,10 +36,10 @@ index d9bc082b1078..091dae2ae65e 100644
  		return errdefs.System(err)
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..9ee33adf7497
+index 000000000000..32b0ece91b59
 --- /dev/null
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,410 @@
+@@ -0,0 +1,415 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017-2021 SUSE LLC.
@@ -75,8 +75,8 @@ index 000000000000..9ee33adf7497
 +	"github.com/docker/docker/pkg/idtools"
 +
 +	swarmtypes "github.com/docker/docker/api/types/swarm"
-+	swarmexec "github.com/docker/swarmkit/agent/exec"
-+	swarmapi "github.com/docker/swarmkit/api"
++	swarmexec "github.com/moby/swarmkit/v2/agent/exec"
++	swarmapi "github.com/moby/swarmkit/v2/api"
 +
 +	"github.com/opencontainers/go-digest"
 +	"github.com/sirupsen/logrus"
@@ -113,7 +113,7 @@ index 000000000000..9ee33adf7497
 +	}
 +}
 +
-+func (s SuseFakeFile) toSecretReference(idMaps *idtools.IdentityMapping) *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(idMaps idtools.IdentityMapping) *swarmtypes.SecretReference {
 +	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
 +	// back to root if the UID/GID don't match (we are guaranteed that root is
 +	// mapped).
@@ -345,6 +345,7 @@ index 000000000000..9ee33adf7497
 +	suseEmptyStore  struct{}
 +	suseEmptySecret struct{}
 +	suseEmptyConfig struct{}
++	suseEmptyVolume struct{}
 +)
 +
 +// In order to reduce the amount of code touched outside of this file, we
@@ -356,14 +357,17 @@ index 000000000000..9ee33adf7497
 +	emptyStore  swarmexec.DependencyGetter = suseEmptyStore{}
 +	emptySecret swarmexec.SecretGetter     = suseEmptySecret{}
 +	emptyConfig swarmexec.ConfigGetter     = suseEmptyConfig{}
++	emptyVolume swarmexec.VolumeGetter     = suseEmptyVolume{}
 +)
 +
 +var errSuseEmptyStore = fmt.Errorf("SUSE:secrets :: tried to get a resource from empty store [this is a bug]")
 +
 +func (_ suseEmptyConfig) Get(_ string) (*swarmapi.Config, error) { return nil, errSuseEmptyStore }
 +func (_ suseEmptySecret) Get(_ string) (*swarmapi.Secret, error) { return nil, errSuseEmptyStore }
++func (_ suseEmptyVolume) Get(_ string) (string, error)           { return "", errSuseEmptyStore }
 +func (_ suseEmptyStore) Secrets() swarmexec.SecretGetter         { return emptySecret }
 +func (_ suseEmptyStore) Configs() swarmexec.ConfigGetter         { return emptyConfig }
++func (_ suseEmptyStore) Volumes() swarmexec.VolumeGetter         { return emptyVolume }
 +
 +type suseDependencyStore struct {
 +	dfl     swarmexec.DependencyGetter
@@ -373,6 +377,7 @@ index 000000000000..9ee33adf7497
 +// The following are effectively dumb wrappers that return ourselves, or the
 +// default.
 +func (s *suseDependencyStore) Secrets() swarmexec.SecretGetter { return s }
++func (s *suseDependencyStore) Volumes() swarmexec.VolumeGetter { return emptyVolume }
 +func (s *suseDependencyStore) Configs() swarmexec.ConfigGetter { return s.dfl.Configs() }
 +
 +// Get overrides the underlying DependencyGetter with our own secrets (falling
@@ -451,5 +456,5 @@ index 000000000000..9ee33adf7497
 +	return nil
 +}
 -- 
-2.38.1
+2.40.0
 

0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,7 +1,7 @@
-From bc52d15141402d94eeaee618f1df0b540f527b98 Mon Sep 17 00:00:00 2001
+From 3e37bbad6f0a0c2576ad0b9dfe7a4a9290aa2aa0 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 3/3] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,
@@ -22,7 +22,7 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
  3 files changed, 17 insertions(+), 6 deletions(-)
 
 diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
-index 21813ec14f8f..0de75b32b7fa 100644
+index 6376001613f7..5fde21a4af8a 100644
 --- a/daemon/apparmor_default.go
 +++ b/daemon/apparmor_default.go
 @@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
@@ -30,7 +30,7 @@ index 21813ec14f8f..0de75b32b7fa 100644
  }
  
 +func clobberDefaultAppArmorProfile() error {
-+	if apparmor.IsEnabled() {
++	if apparmor.HostSupports() {
 +		if err := aaprofile.InstallDefault(defaultAppArmorProfile); err != nil {
 +			return fmt.Errorf("AppArmor enabled on system but the %s profile could not be loaded: %s", defaultAppArmorProfile, err)
 +		}
@@ -39,7 +39,7 @@ index 21813ec14f8f..0de75b32b7fa 100644
 +}
 +
  func ensureDefaultAppArmorProfile() error {
- 	if apparmor.IsEnabled() {
+ 	if apparmor.HostSupports() {
  		loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
 @@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
  		}
@@ -69,10 +69,10 @@ index e3dc18b32b5e..9c7723056268 100644
  	return nil
  }
 diff --git a/daemon/daemon.go b/daemon/daemon.go
-index f15a4b038498..2f0c23bc62c9 100644
+index 40abbe8cc19c..05c6db818c30 100644
 --- a/daemon/daemon.go
 +++ b/daemon/daemon.go
-@@ -857,8 +857,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+@@ -807,8 +807,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
  		logrus.Warnf("Failed to configure golang's threads limit: %v", err)
  	}
  
@@ -85,5 +85,5 @@ index f15a4b038498..2f0c23bc62c9 100644
  	}
  
 -- 
-2.38.1
+2.40.0
 

0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch

@@ -1,144 +0,0 @@
-From 57673ad5455b1b27e41716e33b67c9cd8099b580 Mon Sep 17 00:00:00 2001
-From: Michal Rostecki <mrostecki@opensuse.org>
-Date: Thu, 8 Apr 2021 14:42:02 +0100
-Subject: [PATCH 5/7] bsc1183855: btrfs: Do not disable quota on cleanup
-
-Before this change, cleanup of the btrfs driver (occuring on each daemon
-shutdown) resulted in disabling quotas. It was done with an assumption
-that quotas can be enabled or disabled on a subvolume level, which is
-not true - enabling or disabling quota is always done on a filesystem
-level.
-
-That was leading to disabling quota on btrfs filesystems on each daemon
-shutdown.
-
-This change fixes that behavior and removes misleading `subvol` prefix
-from functions and methods which set up quota (on a filesystem level).
-
-SUSE-Bugs: bsc#1175081 bsc#1183855
-SUSE-Upstream-Commit: 1ec689c4c2ecda24ed8495451c53072bb0497871
-Fixes: 401c8d176743 ("Add disk quota support for btrfs")
-Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
----
- daemon/graphdriver/btrfs/btrfs.go | 50 +++++--------------------------
- 1 file changed, 8 insertions(+), 42 deletions(-)
-
-diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
-index fa0cdf8666b1..02bbb5da1088 100644
---- a/daemon/graphdriver/btrfs/btrfs.go
-+++ b/daemon/graphdriver/btrfs/btrfs.go
-@@ -104,7 +104,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
- 	}
- 
- 	if userDiskQuota {
--		if err := driver.subvolEnableQuota(); err != nil {
-+		if err := driver.enableQuota(); err != nil {
- 			return nil, err
- 		}
- 	}
-@@ -173,18 +173,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) {
- 
- // Cleanup unmounts the home directory.
- func (d *Driver) Cleanup() error {
--	err := d.subvolDisableQuota()
--	umountErr := mount.Unmount(d.home)
--
--	// in case we have two errors, prefer the one from disableQuota()
--	if err != nil {
-+	if err := mount.Unmount(d.home); err != nil {
- 		return err
- 	}
- 
--	if umountErr != nil {
--		return umountErr
--	}
--
- 	return nil
- }
- 
-@@ -342,7 +334,7 @@ func (d *Driver) updateQuotaStatus() {
- 	d.once.Do(func() {
- 		if !d.quotaEnabled {
- 			// In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed
--			if err := subvolQgroupStatus(d.home); err != nil {
-+			if err := qgroupStatus(d.home); err != nil {
- 				// quota is still not enabled
- 				return
- 			}
-@@ -351,7 +343,7 @@ func (d *Driver) updateQuotaStatus() {
- 	})
- }
- 
--func (d *Driver) subvolEnableQuota() error {
-+func (d *Driver) enableQuota() error {
- 	d.updateQuotaStatus()
- 
- 	if d.quotaEnabled {
-@@ -377,32 +369,6 @@ func (d *Driver) subvolEnableQuota() error {
- 	return nil
- }
- 
--func (d *Driver) subvolDisableQuota() error {
--	d.updateQuotaStatus()
--
--	if !d.quotaEnabled {
--		return nil
--	}
--
--	dir, err := openDir(d.home)
--	if err != nil {
--		return err
--	}
--	defer closeDir(dir)
--
--	var args C.struct_btrfs_ioctl_quota_ctl_args
--	args.cmd = C.BTRFS_QUOTA_CTL_DISABLE
--	_, _, errno := unix.Syscall(unix.SYS_IOCTL, getDirFd(dir), C.BTRFS_IOC_QUOTA_CTL,
--		uintptr(unsafe.Pointer(&args)))
--	if errno != 0 {
--		return fmt.Errorf("Failed to disable btrfs quota for %s: %v", dir, errno.Error())
--	}
--
--	d.quotaEnabled = false
--
--	return nil
--}
--
- func (d *Driver) subvolRescanQuota() error {
- 	d.updateQuotaStatus()
- 
-@@ -445,11 +411,11 @@ func subvolLimitQgroup(path string, size uint64) error {
- 	return nil
- }
- 
--// subvolQgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
-+// qgroupStatus performs a BTRFS_IOC_TREE_SEARCH on the root path
- // with search key of BTRFS_QGROUP_STATUS_KEY.
- // In case qgroup is enabled, the retuned key type will match BTRFS_QGROUP_STATUS_KEY.
- // For more details please see https://github.com/kdave/btrfs-progs/blob/v4.9/qgroup.c#L1035
--func subvolQgroupStatus(path string) error {
-+func qgroupStatus(path string) error {
- 	dir, err := openDir(path)
- 	if err != nil {
- 		return err
-@@ -623,7 +589,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error {
- 	if d.options.minSpace > 0 && driver.options.size < d.options.minSpace {
- 		return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace)))
- 	}
--	if err := d.subvolEnableQuota(); err != nil {
-+	if err := d.enableQuota(); err != nil {
- 		return err
- 	}
- 	return subvolLimitQgroup(dir, driver.options.size)
-@@ -677,7 +643,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) {
- 
- 	if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil {
- 		if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace {
--			if err := d.subvolEnableQuota(); err != nil {
-+			if err := d.enableQuota(); err != nil {
- 				return nil, err
- 			}
- 			if err := subvolLimitQgroup(dir, size); err != nil {
--- 
-2.38.1
-

0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch

@@ -1,56 +0,0 @@
-From 6451aa1559ce5a135f599682ab33721e116925bd Mon Sep 17 00:00:00 2001
-From: Sebastiaan van Stijn <github@gone.nl>
-Date: Fri, 29 Jan 2021 14:55:08 +0100
-Subject: [PATCH 7/7] bsc1200022: fifo.Close(): prevent possible panic if fifo
- is nil
-
-I'm not sure if this is the right approach, and synchronisation should probably
-be added elsewhere to fix the underlying issue.
-
-Trying to prevent a panic that was seen on container restore in th docker daemon:
-
-    panic: runtime error: invalid memory address or nil pointer dereference
-    [signal SIGSEGV: segmentation violation code=0x1 addr=0x10 pc=0x5586c892a7a4]
-
-    goroutine 420 [running]:
-    github.com/docker/docker/vendor/github.com/containerd/fifo.(*fifo).Close(0x0, 0x0, 0x0)
-            /go/src/github.com/docker/docker/vendor/github.com/containerd/fifo/fifo.go:208 +0x44
-    github.com/docker/docker/vendor/github.com/containerd/containerd/cio.(*cio).Close(0xc000d06f60, 0x5586cb5654d0, 0xc000d8e9e8)
-            /go/src/github.com/docker/docker/vendor/github.com/containerd/containerd/cio/io.go:203 +0x90
-    github.com/docker/docker/libcontainerd/remote.(*client).Restore.func1(0xc0008bf820, 0xc0008a2040)
-            /go/src/github.com/docker/docker/libcontainerd/remote/client.go:86 +0x5a
-    github.com/docker/docker/libcontainerd/remote.(*client).Restore(0xc00098e5b0, 0x5586cb61c7c0, 0xc000052088, 0xc0011b6500, 0x40, 0xc0008bf810, 0x5586cb05cf00, 0xffffffffffffffff, 0x0, 0x0, ...)
-            /go/src/github.com/docker/docker/libcontainerd/remote/client.go:107 +0x923
-    github.com/docker/docker/daemon.(*Daemon).restore.func3(0xc00079d9e0, 0xc000a38230, 0xc00000c1e0, 0xc00079d9a8, 0xc000d84f00, 0xc000d84ed0, 0xc000d84ea0, 0xc00128a280)
-            /go/src/github.com/docker/docker/daemon/daemon.go:351 +0x48a
-    created by github.com/docker/docker/daemon.(*Daemon).restore
-            /go/src/github.com/docker/docker/daemon/daemon.go:319 +0x4b3
-
-If the fifo is nil, there's nothing to be done in Close(), so returning early
-in that situation.
-
-Backport: <https://github.com/containerd/fifo/pull/32>
-SUSE-Bugs: bsc#1200022
-Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
----
- vendor/github.com/containerd/fifo/fifo.go | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/vendor/github.com/containerd/fifo/fifo.go b/vendor/github.com/containerd/fifo/fifo.go
-index 96c214f270bf..c3eec295b578 100644
---- a/vendor/github.com/containerd/fifo/fifo.go
-+++ b/vendor/github.com/containerd/fifo/fifo.go
-@@ -204,6 +204,10 @@ func (f *fifo) Write(b []byte) (int, error) {
- // before open(2) has returned and fifo was never opened.
- func (f *fifo) Close() (retErr error) {
- 	for {
-+		if f == nil {
-+			return
-+		}
-+
- 		select {
- 		case <-f.closed:
- 			f.handle.Close()
--- 
-2.38.1
-

_service

@@ -3,26 +3,18 @@
     <param name="url">https://github.com/moby/moby.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20.10.23_ce_%h</param>
-    <param name="revision">v20.10.23</param>
+    <param name="versionformat">23.0.5_ce_%h</param>
+    <param name="revision">v23.0.5</param>
     <param name="filename">docker</param>
   </service>
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/docker/cli.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20.10.23_ce</param>
-    <param name="revision">v20.10.23</param>
+    <param name="versionformat">23.0.5_ce</param>
+    <param name="revision">v23.0.5</param>
     <param name="filename">docker-cli</param>
   </service>
-  <service name="tar_scm" mode="disabled">
-    <param name="url">https://github.com/docker/libnetwork.git</param>
-    <param name="scm">git</param>
-    <param name="exclude">.git</param>
-    <param name="versionformat">%H</param>
-    <param name="revision">05b93e0d3a95952f70c113b0bc5bdb538d7afdd7</param>
-    <param name="filename">docker-libnetwork</param>
-  </service>
   <service name="recompress" mode="disabled">
     <param name="file">docker-*.tar</param>
     <param name="compression">xz</param>

docker-20.10.23_ce_6051f1429.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0d6b832806f3144a4b917657f615d9388081e7c7b3f77db3b4b7c6c01b931686
-size 6589992

docker-23.0.5_ce_94d3ad69cc59.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84d3a48cfbeeece15ad367eb03834a97b0c57d195d889e5191c138cd6e06579a
+size 8262024

docker-cli-20.10.23_ce.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c2a96dd55814fc22ccfe054b78438963fc139b292696bc3ba7667abd399d7c70
-size 4320480

docker-cli-23.0.5_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b93219b6b5c781031c1ed35fb3174c59e3572e3437218ca3646361259acb77e8
+size 3498104

docker-libnetwork-05b93e0d3a95952f70c113b0bc5bdb538d7afdd7.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:44fa1530b22f18434174b03895c8933b356f254b718855fd7487888afbb10e91
-size 1983112

docker.changes

@@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Thu Apr 27 14:09:05 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 23.0.5-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/23.0/#2305>.
+- Rebase patches:
+  * cli-0001-docs-include-required-tools-in-source-tree.patch
+
+-------------------------------------------------------------------
+Wed Apr 26 00:31:54 UTC 2023 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 23.0.4-ce. See upstream changelog online at
+  <https://docs.docker.com/engine/release-notes/23.0/#2304>. bsc#1208074
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+- Renumbered patches:
+  - 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+- Remove upstreamed patches:
+  - 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+  - 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
+  - 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
+- Backport <https://github.com/docker/cli/pull/4228> to allow man pages to be
+  built without internet access in OBS.
+  + cli-0001-docs-include-required-tools-in-source-tree.patch
+
 -------------------------------------------------------------------
 Wed Feb  1 14:33:19 UTC 2023 - Dirk Müller <dmueller@suse.com>
 

docker.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package docker
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,37 +26,16 @@
   %define _fillupdir /var/adm/fillup-templates
 %endif
 
-# Handle _multibuild magic.
-%define flavour @BUILD_FLAVOR@%{nil}
-
-# We split the Name: into "realname" and "name_suffix".
-%define realname docker
-%if "%flavour" == ""
-%define name_suffix %{nil}
-%else
-%define name_suffix -%{flavour}
-%endif
-
 # Used when generating the "build" information for Docker version. The value of
 # git_commit_epoch is unused here (we use SOURCE_DATE_EPOCH, which rpm
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define real_version 20.10.23
-%define git_version 6051f1429
-%define git_commit_epoch 1674059068
+%define real_version 23.0.5
+%define git_version 94d3ad69cc59
+%define git_commit_epoch 1682522945
 
-# We require a specific pin of libnetwork because it doesn't really do
-# versioning and minor version mismatches in libnetwork can break Docker
-# networking. All other key runtime dependencies (containerd, runc) are stable
-# enough that this isn't necessary.
-%define libnetwork_version 05b93e0d3a95952f70c113b0bc5bdb538d7afdd7
-
-%define dist_builddir  %{_builddir}/dist-suse
-%define cli_builddir   %{dist_builddir}/src/github.com/docker/cli
-%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
-
-Name:           %{realname}%{name_suffix}
+Name:           docker
 Version:        %{real_version}_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
@@ -66,9 +45,8 @@ Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
 Group:          System/Management
 URL:            http://www.docker.io
-Source:         %{realname}-%{version}_%{git_version}.tar.xz
-Source1:        %{realname}-cli-%{version}.tar.xz
-Source2:        %{realname}-libnetwork-%{libnetwork_version}.tar.xz
+Source:         %{name}-%{version}_%{git_version}.tar.xz
+Source1:        %{name}-cli-%{version}.tar.xz
 Source3:        docker-rpmlintrc
 # TODO: Move these source files to somewhere nicer.
 Source100:      docker.service
@@ -87,14 +65,9 @@ Patch100:       0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
 Patch101:       0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
 # SUSE-FEATURE: Add support to mirror unofficial/private registries
 #               <https://github.com/docker/docker/pull/34319>.
-Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
-Patch301:       0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
-# SUSE-BACKPORT: Backport of several golang.org/x/crypto updates.
-#                bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191
-Patch302:       0006-bsc1193930-vendor-update-golang.org-x-crypto.patch
-# SUSE-BACKPORT: Backport of <https://github.com/containerd/fifo/pull/32>. bsc#1200022
-Patch303:       0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch
+Patch300:       0003-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
+Patch900:       cli-0001-docs-include-required-tools-in-source-tree.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -111,17 +84,17 @@ BuildRequires:  fish
 BuildRequires:  go-go-md2man
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  sysuser-tools
-BuildRequires:  golang(API) = 1.18
+BuildRequires:  golang(API) = 1.19
 Requires:       (apparmor-parser or container-selinux)
 Requires:       ca-certificates-mozilla
 # The docker-proxy binary used to be in a separate package. We obsolete it,
 # since now docker-proxy is maintained as part of this package.
-Obsoletes:      docker-libnetwork%{name_suffix} < 0.7.0.2
-Provides:       docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
+Obsoletes:      docker-libnetwork < 0.7.0.2
+Provides:       docker-libnetwork = 0.7.0.2.%{version}
 # Required to actually run containers. We require the minimum version that is
 # pinned by Docker, but in order to avoid headaches we allow for updates.
-Requires:       runc >= 1.1.2
-Requires:       containerd >= 1.6.9
+Requires:       runc >= 1.1.5
+Requires:       containerd >= 1.6.20
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@@ -149,7 +122,6 @@ Recommends:     lvm2 >= 2.2.89
 Recommends:     git-core >= 1.7
 ExcludeArch:    s390 ppc
 
-
 %description
 Docker complements LXC with a high-level API which operates at the process
 level. It runs unix processes with strong guarantees of isolation and
@@ -193,38 +165,27 @@ BuildArch:      noarch
 Fish command line completion support for %{name}.
 
 %prep
-%setup -q -n %{realname}-%{version}_%{git_version}
+# docker-cli
+%define cli_builddir %{_builddir}/%{name}-cli-%{version}
+%setup -q -T -b 1 -n %{name}-cli-%{version}
+[ "%{cli_builddir}" = "$PWD" ]
+# offline manpages
+%patch900 -p1
 
-%if 0%{?is_opensuse}
-# nothing
-%else
+# docker
+%define docker_builddir %{_builddir}/%{name}-%{version}_%{git_version}
+%setup -q -n %{name}-%{version}_%{git_version}
+[ "%{docker_builddir}" = "$PWD" ]
+# README_SUSE.md for documentation.
+cp %{SOURCE103} .
+
+%if 0%{?is_opensuse} == 0
 # PATCH-SUSE: Secrets patches.
 %patch100 -p1
 %patch101 -p1
 %endif
 # bsc#1099277
 %patch300 -p1
-# bsc#1183855 bsc#1175081
-%patch301 -p1
-# bsc#1193930 CVE-2021-43565 bsc#1197284 CVE-2022-27191
-%patch302 -p1
-# bsc#1200022
-%patch303 -p1
-
-# README_SUSE.md for documentation.
-cp %{SOURCE103} .
-
-# Extract the docker-cli source in a subdir.
-mkdir -p %{cli_builddir}
-pushd %{cli_builddir}
-xz -dc %{SOURCE1} | tar -xof - --strip-components=1
-popd
-
-# Extract the docker-libnetwork source in a subdir.
-mkdir -p %{proxy_builddir}
-pushd %{proxy_builddir}
-xz -dc %{SOURCE2} | tar -xof - --strip-components=1
-popd
 
 %build
 %sysusers_generate_pre %{SOURCE106} %{name} %{name}.conf
@@ -239,12 +200,7 @@ BUILDTAGS="exclude_graphdriver_aufs apparmor selinux seccomp pkcs11"
 	BUILDTAGS="libdm_dlsym_deferred_remove $BUILDTAGS"
 %endif
 
-(cat <<EOF
 export AUTO_GOPATH=1
-export DOCKER_BUILDTAGS="$BUILDTAGS"
-# Until boo#1038493 is fixed properly we need to do this hack to get the
-# compiled-into-the-binary GOROOT.
-export GOROOT="$(GOROOT= go env GOROOT)"
 # Make sure we always build PIC code. bsc#1048046
 export BUILDFLAGS="-buildmode=pie"
 # Specify all of the versioning information. We use SOURCE_DATE_EPOCH if it's
@@ -255,50 +211,29 @@ export DOCKER_GITCOMMIT="%{git_version}"
 export GITCOMMIT="%{git_version}"
 export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}"
 export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')"
-# NOTE: This will have to be removed with the next major Docker bump.
-export GO111MODULE=off
-EOF
-) > docker_build_env
-. ./docker_build_env
-
-# Preparing GOPATH so that the client is visible to the compiler
-mkdir -p src/github.com/docker/
-ln -s "%{cli_builddir}" "$PWD/src/github.com/docker/cli"
-export GOPATH="$GOPATH:$PWD"
 
 ###################
 ## DOCKER ENGINE ##
 ###################
 
-# Ignore the warning that we compile outside a Docker container.
+pushd "%{docker_builddir}"
+# use go module for build
+ln -s {vendor,go}.mod
+ln -s {vendor,go}.sum
 ./hack/make.sh dynbinary
+popd
 
 ###################
 ## DOCKER CLIENT ##
 ###################
 
-pushd %{cli_builddir}
-make dynbinary
-
-mkdir -p ./man/man1
-go build -buildmode=pie -o gen-manpages github.com/docker/cli/man
-./gen-manpages --root "$PWD" --target "$PWD/man/man1"
-./man/md2man-all.sh
+pushd "%{cli_builddir}"
+# use go module for build
+ln -s {vendor,go}.mod
+ln -s {vendor,go}.sum
+make DISABLE_WARN_OUTSIDE_CONTAINER=1 dynbinary manpages
 popd
 
-##################
-## DOCKER PROXY ##
-##################
-
-pushd %{proxy_builddir}
-GOPATH="%{dist_builddir}" \
-	go build -buildmode=pie -o docker-proxy github.com/docker/libnetwork/cmd/proxy
-popd
-
-# We verify that our libnetwork source is the correct version. This is done
-# on-build to make sure that someone doing an update didn't miss anything.
-grep 'LIBNETWORK_COMMIT:=%{libnetwork_version}' hack/dockerfile/install/proxy.installer
-
 %install
 install -Dd -m0755 \
 	%{buildroot}%{_sysconfdir}/init.d \
@@ -306,30 +241,31 @@ install -Dd -m0755 \
 	%{buildroot}%{_sbindir}
 
 # docker daemon
-install -D -m0755 bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
+install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/dockerd %{buildroot}/%{_bindir}/dockerd
+# docker proxy
+install -D -m0755 %{docker_builddir}/bundles/dynbinary-daemon/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
+
+# /var/lib/docker
 install -d %{buildroot}/%{_localstatedir}/lib/docker
 # daemon.json config file
 install -D -m0644 %{SOURCE105} %{buildroot}%{_sysconfdir}/docker/daemon.json
 
 # docker cli
 install -D -m0755 %{cli_builddir}/build/docker %{buildroot}/%{_bindir}/docker
-install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{realname}"
-install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{realname}"
-install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{realname}.fish"
-
-# docker proxy
-install -D -m0755 %{proxy_builddir}/docker-proxy %{buildroot}/%{_bindir}/docker-proxy
+install -D -m0644 %{cli_builddir}/contrib/completion/bash/docker "%{buildroot}%{_datarootdir}/bash-completion/completions/%{name}"
+install -D -m0644 %{cli_builddir}/contrib/completion/zsh/_docker "%{buildroot}%{_sysconfdir}/zsh_completion.d/_%{name}"
+install -D -m0644 %{cli_builddir}/contrib/completion/fish/docker.fish "%{buildroot}/%{_datadir}/fish/vendor_completions.d/%{name}.fish"
 
 # systemd service
-install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{realname}.service
+install -D -m0644 %{SOURCE100} %{buildroot}%{_unitdir}/%{name}.service
 ln -sf service %{buildroot}%{_sbindir}/rcdocker
 
 # udev rules that prevents dolphin to show all docker devices and slows down
 # upstream report https://bugs.kde.org/show_bug.cgi?id=329930
-install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{realname}.rules
+install -D -m0644 %{SOURCE101} %{buildroot}%{_udevrulesdir}/80-%{name}.rules
 
 # audit rules
-install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{realname}.rules
+install -D -m0640 %{SOURCE104} %{buildroot}%{_sysconfdir}/audit/rules.d/%{name}.rules
 
 # sysconfig file
 install -D -m0644 %{SOURCE102} %{buildroot}%{_fillupdir}/sysconfig.docker
@@ -363,17 +299,17 @@ grep -q '^dockremap:' /etc/subgid || \
 	usermod -w 100000000-200000000 dockremap &>/dev/null || \
 	echo "dockremap:100000000:100000001" >>/etc/subgid ||:
 
-%service_add_pre %{realname}.service
+%service_add_pre %{name}.service
 
 %post
-%service_add_post %{realname}.service
+%service_add_post %{name}.service
 %{fillup_only -n docker}
 
 %preun
-%service_del_preun %{realname}.service
+%service_del_preun %{name}.service
 
 %postun
-%service_del_postun %{realname}.service
+%service_del_postun %{name}.service
 
 %files
 %defattr(-,root,root)
@@ -385,15 +321,15 @@ grep -q '^dockremap:' /etc/subgid || \
 %{_sbindir}/rcdocker
 %dir %{_localstatedir}/lib/docker/
 
-%{_unitdir}/%{realname}.service
+%{_unitdir}/%{name}.service
 %{_sysusersdir}/%{name}.conf
 
 %dir %{_sysconfdir}/docker
 %config(noreplace) %{_sysconfdir}/docker/daemon.json
 %{_fillupdir}/sysconfig.docker
 
-%config %{_sysconfdir}/audit/rules.d/%{realname}.rules
-%{_udevrulesdir}/80-%{realname}.rules
+%config %{_sysconfdir}/audit/rules.d/%{name}.rules
+%{_udevrulesdir}/80-%{name}.rules
 
 %{_mandir}/man1/docker-*.1%{ext_man}
 %{_mandir}/man1/docker.1%{ext_man}
@@ -402,14 +338,14 @@ grep -q '^dockremap:' /etc/subgid || \
 
 %files bash-completion
 %defattr(-,root,root)
-%{_datarootdir}/bash-completion/completions/%{realname}
+%{_datarootdir}/bash-completion/completions/%{name}
 
 %files zsh-completion
 %defattr(-,root,root)
-%{_sysconfdir}/zsh_completion.d/_%{realname}
+%{_sysconfdir}/zsh_completion.d/_%{name}
 
 %files fish-completion
 %defattr(-,root,root)
-%{_datadir}/fish/vendor_completions.d/%{realname}.fish
+%{_datadir}/fish/vendor_completions.d/%{name}.fish
 
 %changelog