Accepting request 521899 from Virtualization:containers

1

OBS-URL: https://build.opensuse.org/request/show/521899
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=59

bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch

@@ -0,0 +1,72 @@
+From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Sun, 20 Aug 2017 13:50:52 +1000
+Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount
+
+libdm currently has a fairly substantial DoS bug that makes certain
+operations fail on a libdm device if the device has active references
+through mountpoints. This is a significant problem with the advent of
+mount namespaces and MS_PRIVATE, and can cause certain --volume mounts
+to cause libdm to no longer be able to remove containers:
+
+  % docker run -d --name testA busybox top
+  % docker run -d --name testB -v /var/lib/docker:/docker busybox top
+  % docker rm -f testA
+  [fails on libdm with dm_task_run errors.]
+
+This also solves the problem of unprivileged users being able to DoS
+docker by using unprivileged mount namespaces to preseve mounts that
+Docker has dropped.
+
+SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628
+SUSE-Backport: https://github.com/moby/moby/pull/34573
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++
+ daemon/graphdriver/devmapper/driver.go    |  4 +++-
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go
+index ba845d4d01d4..fe8103683b9b 100644
+--- a/daemon/graphdriver/devmapper/deviceset.go
++++ b/daemon/graphdriver/devmapper/deviceset.go
+@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error {
+ 	}
+ 	logrus.Debug("devmapper: Unmount done")
+ 
++	// Remove the mountpoint here. Removing the mountpoint (in newer kernels)
++	// will cause all other instances of this mount in other mount namespaces
++	// to be killed (this is an anti-DoS measure that is necessary for things
++	// like devicemapper). This is necessary to avoid cases where a libdm mount
++	// that is present in another namespace will cause subsequent RemoveDevice
++	// operations to fail. We ignore any errors here because this may fail on
++	// older kernels which don't have
++	// torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied.
++	if err := os.Remove(mountPath); err != nil {
++		logrus.Debugf("devmapper: error doing a remove on unmounted device %s: %v", mountPath, err)
++	}
++
+ 	return devices.deactivateDevice(info)
+ }
+ 
+diff --git a/daemon/graphdriver/devmapper/driver.go b/daemon/graphdriver/devmapper/driver.go
+index 91de5cd12a0f..69a3b3184933 100644
+--- a/daemon/graphdriver/devmapper/driver.go
++++ b/daemon/graphdriver/devmapper/driver.go
+@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error {
+ 	if count := d.ctr.Decrement(mp); count > 0 {
+ 		return nil
+ 	}
++
+ 	err := d.DeviceSet.UnmountDevice(id, mp)
+ 	if err != nil {
+-		logrus.Errorf("devmapper: Error unmounting device %s: %s", id, err)
++		logrus.Errorf("devmapper: Error unmounting device %s: %v", id, err)
+ 	}
++
+ 	return err
+ }
+ 
+-- 
+2.14.1
+

docker.changes

@@ -1,3 +1,23 @@
+-------------------------------------------------------------------
+Wed Sep  6 11:42:31 UTC 2017 - asarai@suse.com
+
+- devicemapper: add patch to make the dm storage driver remove a container's
+  rootfs mountpoint before attempting to do libdm operations on it. This helps
+  avoid complications when live mounts will leak into containers. Backport of
+  https://github.com/moby/moby/pull/34573. bsc#1045628
+  + bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
+
+-------------------------------------------------------------------
+Wed Aug 30 14:58:52 UTC 2017 - asarai@suse.com
+
+- Fix a regression in our SUSE secrets patches, which caused the copied files
+  to not carry the correct {uid,gid} mapping when using user namespaces. This
+  would not cause any bugs (SUSEConnect does the right thing anyway) but it's
+  possible some programs would not treat the files correctly. This is
+  tangentially related to bsc#1055676.
+  * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch
+  * secrets-0002-SUSE-implement-SUSE-container-secrets.patch
+
 -------------------------------------------------------------------
 Wed Aug  2 13:37:16 UTC 2017 - asarai@suse.com
 

docker.spec

@@ -58,6 +58,8 @@ Patch300:       integration-cli-fix-TestInfoEnsureSucceeds.patch
 Patch400:       bsc1037436-0001-client-check-tty-before-creating-exec-job.patch
 # PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/33250 (bsc#1037607).
 Patch401:       bsc1037607-0001-apparmor-make-pkg-aaparser-work-on-read-only-root.patch
+# PATCH-FIX-UPSTREAM: Backport of https://github.com/moby/moby/pull/34573 (bsc#1045628)
+Patch402:       bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -176,8 +178,12 @@ Test package for docker. It contains the source code and the tests.
 %patch201 -p1
 %endif
 %patch300 -p1
+# bsc#1037436
 %patch400 -p1
+# bsc#1037607
 %patch401 -p1
+# bsc#1045628
+%patch402 -p1
 cp %{SOURCE7} .
 cp %{SOURCE10} .
 

secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch

@@ -58,5 +58,5 @@ index 67b3ee38c0ab..a538ba4e73e8 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.13.0
+2.14.1
 

secrets-0002-SUSE-implement-SUSE-container-secrets.patch

@@ -1,4 +1,4 @@
-From a6d2f9f43ea02d93534867271f7fa7cf0f77e70c Mon Sep 17 00:00:00 2001
+From 9b33a267ec637d7d8a29259246033bfe1b5f47bc Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets
@@ -13,8 +13,8 @@ MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
  daemon/start.go        |   5 +
- daemon/suse_secrets.go | 246 +++++++++++++++++++++++++++++++++++++++++++++++++
+ daemon/suse_secrets.go | 260 +++++++++++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 251 insertions(+)
+ 2 files changed, 265 insertions(+)
  create mode 100644 daemon/suse_secrets.go
 
 diff --git a/daemon/start.go b/daemon/start.go
@@ -35,10 +35,10 @@ index eddb5d3d5060..eb74e2ab1096 100644
  		return err
 diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
 new file mode 100644
-index 000000000000..99bdbefdebcc
+index 000000000000..b577b7081976
 --- /dev/null
 +++ b/daemon/suse_secrets.go
-@@ -0,0 +1,246 @@
+@@ -0,0 +1,260 @@
 +/*
 + * suse-secrets: patch for Docker to implement SUSE secrets
 + * Copyright (C) 2017 SUSE LLC.
@@ -67,6 +67,7 @@ index 000000000000..99bdbefdebcc
 +
 +	"github.com/Sirupsen/logrus"
 +	"github.com/docker/docker/container"
++	"github.com/docker/docker/pkg/idtools"
 +	"github.com/opencontainers/go-digest"
 +
 +	swarmtypes "github.com/docker/docker/api/types/swarm"
@@ -102,14 +103,26 @@ index 000000000000..99bdbefdebcc
 +	}
 +}
 +
-+func (s SuseFakeFile) toSecretReference() *swarmtypes.SecretReference {
++func (s SuseFakeFile) toSecretReference(uidMaps, gidMaps []idtools.IDMap) *swarmtypes.SecretReference {
++	// Figure out the host-facing {uid,gid} based on the provided maps. Fall
++	// back to root if the UID/GID don't match (we are guaranteed that root is
++	// mapped).
++	hostUid, hostGid, _ := idtools.GetRootUIDGID(uidMaps, gidMaps)
++	if uid, err := idtools.ToHost(s.Uid, uidMaps); err == nil {
++		hostUid = uid
++	}
++	if gid, err := idtools.ToHost(s.Gid, gidMaps); err == nil {
++		hostGid = gid
++	}
++
++	// Return the secret reference as a file target.
 +	return &swarmtypes.SecretReference{
 +		SecretID:   s.id(),
 +		SecretName: s.id(),
 +		File: &swarmtypes.SecretReferenceFileTarget{
 +			Name: s.Path,
-+			UID:  fmt.Sprintf("%d", s.Uid),
++			UID:  fmt.Sprintf("%d", hostUid),
-+			GID:  fmt.Sprintf("%d", s.Gid),
++			GID:  fmt.Sprintf("%d", hostGid),
 +			Mode: s.Mode,
 +		},
 +	}
@@ -277,14 +290,15 @@ index 000000000000..99bdbefdebcc
 +		return err
 +	}
 +
++	uidMaps, gidMaps := daemon.GetUIDGIDMaps()
 +	for _, secret := range secrets {
 +		newSecretStore.secrets[secret.id()] = secret.toSecret()
-+		c.SecretReferences = append(c.SecretReferences, secret.toSecretReference())
++		c.SecretReferences = append(c.SecretReferences, secret.toSecretReference(uidMaps, gidMaps))
 +	}
 +
 +	c.SecretStore = newSecretStore
 +	return nil
 +}
 -- 
-2.13.0
+2.14.1