- Places a hard cap on the amount of mechanisms that can be specified and
encoded in the payload. (bcs#1253904, CVE-2025-58181)
* 0007-CVE-2025-58181-fix-vendor-crypto-ssh.patch
- Update to Docker 28.5.1-ce. See upstream changelog online at
<https://docs.docker.com/engine/release-notes/28/#2851>
- Rebased patches:
* 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
* 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
* 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
* 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
* 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
* 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
* cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
* cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
- Update to docker-buildx v0.29.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.29.0>
- Remove git-core recommends also on openSUSE: the below argument
is valid for those users too.
- Remove git-core recommends on SLE. Most SLE systems have
installRecommends=yes by default and thus end up installing git with Docker.
bsc#1250508
This feature is mostly intended for developers ("docker build git://") so
most users already have the dependency installed, and the error when git is
missing is fairly straightforward (so they can easily figure out what they
need to install).
- Update warnings and errors related to "docker buildx ..." so that they
reference our openSUSE docker-buildx packages.
+ cli-0001-openSUSE-point-users-to-docker-buildx-package.patch
- Enable building docker-buildx for SLE15 systems with SUSEConnect secret
injection enabled. PED-12534 PED-8905 bsc#1247594
As docker-buildx does not support our SUSEConnect secret injection (and some
users depend "docker build" working transparently), patch the docker CLI so
that "docker build" will no longer automatically call "docker buildx build",
effectively making DOCKER_BUILDKIT=0 the default configuration. Users can
manually use "docker buildx ..." commands or set DOCKER_BUILDKIT=1 in order
to opt-in to using docker-buildx.
Users can silence the "docker build" warning by setting DOCKER_BUILDKIT=0
explicitly.
In order to inject SCC credentials with docker-buildx, users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
+ cli-0002-SECRETS-SUSE-default-to-DOCKER_BUILDKIT-0-for-docker.patch
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
packaging script behaviour on SLES. ]
- The following patches were removed in openSUSE in the Docker 28.1.1-ce
update, but the patch names were later renamed in a SLES-only update before
Docker 28.1.1-ce was submitted to SLES.
This causes the SLES build scripts to refuse the update because the patches
are not referenced in the changelog. There is no obvious place to put the
patch removals (the 28.1.1-ce update removing the patches chronologically
predates their renaming in SLES), so they are included here a dummy changelog
entry to work around the issue.
- 0007-CVE-2025-22868-vendor-jws-split-token-into-fixed-num.patch
- 0008-CVE-2025-22869-vendor-ssh-limit-the-size-of-the-inte.patch
- Update to docker-buildx v0.25.0. Upstream changelog:
<https://github.com/docker/buildx/releases/tag/v0.25.0>
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=438
of whether the daemon was built with SUSEConnect support. Not doing this
causes containers from SUSEConnect-enabled daemons to fail to start when
running with SUSEConnect-disabled (i.e. upstream) daemons.
This was a long-standing issue with our secrets support but until recently
this would've required migrating from SLE packages to openSUSE packages
(which wasn't supported). However, as SLE Micro 6.x and SLES 16 will move
away from in-built SUSEConnect support, this is now a practical issue users
will run into. bsc#1244035
+ 0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch
- Rearrange patches:
- 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+ 0002-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
- 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+ 0003-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
+ 0004-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
- 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+ 0005-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
- 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
+ 0006-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=434
<https://github.com/docker/buildx/releases/tag/v0.22.0>
* Includes fixes for CVE-2025-0495. bsc#1239765
- Disable transparent SUSEConnect support for SLE-16. PED-12534
When this patchset was first added in 2013 (and rewritten over the years),
there was no upstream way to easily provide SLE customers with a way to build
container images based on SLE using the host subscription. However, with
docker-buildx you can now define secrets for builds (this is not entirely
transparent, but we can easily document this new requirement for SLE-16).
Users should use
RUN --mount=type=secret,id=SCCcredentials zypper -n ...
in their Dockerfiles, and
docker buildx build --secret id=SCCcredentials,src=/etc/zypp/credentials.d/SCCcredentials,type=file .
when doing their builds.
- Now that the only blocker for docker-buildx support was removed for SLE-16,
enable docker-buildx for SLE-16 as well. PED-8905
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=430
- Update docker-buildx to v0.19.2. See upstream changelog online at
<https://github.com/docker/buildx/releases/tag/v0.19.2>.
Some notable changelogs from the last update:
* <https://github.com/docker/buildx/releases/tag/v0.19.0>
* <https://github.com/docker/buildx/releases/tag/v0.18.0>
- Update to Go 1.22.
- Add a new toggle file /etc/docker/suse-secrets-enable which allows users to
disable the SUSEConnect integration with Docker (which creates special mounts
in /run/secrets to allow container-suseconnect to authenticate containers
with registries on registered hosts). bsc#1231348 bsc#1232999
In order to disable these mounts, just do
echo 0 > /etc/docker/suse-secrets-enable
and restart Docker. In order to re-enable them, just do
echo 1 > /etc/docker/suse-secrets-enable
and restart Docker. Docker will output information on startup to tell you
whether the SUSE secrets feature is enabled or not.
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
- Add docker-integration-tests-devel subpackage for building and running the
upstream Docker integration tests on machines to test that Docker works
properly. Users should not install this package.
- docker-rpmlintrc updated to include allow-list for all of the integration
tests package, since it contains a bunch of stuff that wouldn't normally be
allowed.
OBS-URL: https://build.opensuse.org/request/show/1230066
OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=420
