docker/0001-SECRETS-SUSE-always-clear-our-internal-secrets.patch

From 6984023c043bec71b44665a55ab4abec6f549ed5 Mon Sep 17 00:00:00 2001
From: Aleksa Sarai <cyphar@cyphar.com>
Date: Wed, 4 Jun 2025 15:01:37 +1000
Subject: [PATCH 1/6] SECRETS: SUSE: always clear our internal secrets

In the future SUSEConnect support patch, we will add swarm secrets with
the ID suse_* containing credentials pertinent to SUSEConnect.
Unfortunately, secret references (but not the secrets themselves) are
persisted in the container configuration.

Our secrets patch would clear old secrets to avoid having duplicates
(see bsc#1057743) but now that SLE16 will no longer use this patch,
containers migrated to the new system will fail to start because the
secret store is not initialised (and the secret reference IDs don't
exist anyway).

The solution is to always clear any secrets with the suse_* prefix, and
this patch will be applied to all builds (even those with SUSEConnect
support disabled).

THIS PATCH IS NOT TO BE UPSTREAMED, DUE TO THE FACT THAT IT IS
SUSE-SPECIFIC, AND UPSTREAM DOES NOT APPROVE OF THIS CONCEPT BECAUSE IT
MAKES BUILDS NOT ENTIRELY REPRODUCIBLE.

SUSE-Bugs: bsc#1244035 bsc#1057743
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
---
 daemon/start.go        | 10 ++++++++++
 daemon/suse_secrets.go | 44 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 daemon/suse_secrets.go

diff --git a/daemon/start.go b/daemon/start.go
index a914a0fe3145..0930ff91d1a2 100644
--- a/daemon/start.go
+++ b/daemon/start.go
@@ -146,6 +146,16 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
 		}
 	}()
 
+	// SUSE:secrets -- Drop any "old" SUSE secrets referenced by this container
+	// (even if this daemon is not compiled with injectSuseSecretStore
+	// enabled). This is necessary because containers secret references are
+	// somewhat permanently associated with containers, so if you were to
+	// restart the container with a different Docker daemon you may end up with
+	// duplicate secrets causing errors (bsc#1057743) or the secret reference
+	// might not be resolveable if you switched to a Docker without the
+	// SUSEConnect patch enabled (bsc#1244035).
+	daemon.clearSuseSecrets(container)
+
 	mnts, err := daemon.setupContainerDirs(container)
 	if err != nil {
 		return err
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
new file mode 100644
index 000000000000..b8f3d9f9c094
--- /dev/null
+++ b/daemon/suse_secrets.go
@@ -0,0 +1,44 @@
+/*
+ * suse-secrets: patch for Docker to implement SUSE secrets
+ * Copyright (C) 2017-2021 SUSE LLC.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package daemon
+
+import (
+	"strings"
+
+	"github.com/docker/docker/container"
+
+	swarmtypes "github.com/docker/docker/api/types/swarm"
+
+	"github.com/sirupsen/logrus"
+)
+
+// clearSuseSecrets removes any SecretReferences which were added by us
+// explicitly (this is detected by checking that the prefix has a 'suse_'
+// prefix, which is a prefix that cannot exist for normal swarm secrets). See
+// bsc#1057743 and bsc#1244035.
+func (daemon *Daemon) clearSuseSecrets(c *container.Container) {
+	var without []*swarmtypes.SecretReference
+	for _, secret := range c.SecretReferences {
+		if strings.HasPrefix(secret.SecretID, "suse_") {
+			logrus.Debugf("SUSE:secrets :: removing 'old' suse secret %q from container %q", secret.SecretID, c.ID)
+			continue
+		}
+		without = append(without, secret)
+	}
+	c.SecretReferences = without
+}
-- 
2.50.0