Accepting request 630750 from home:cyphar:containers:docker_18.06_security_bugfix

- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce upgrade. This is a potential security issue (the CRI plugin was enabled by default, which listens on a TCP port bound to 0.0.0.0) that will be fixed upstream in the 18.06.1-ce upgrade. bsc#1102522 + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch OBS-URL: https://build.opensuse.org/request/show/630750 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=261
2018-08-21 11:26:57 +00:00 · 2018-08-21 11:26:57 +00:00 · 060769c15c
commit 060769c15c
parent b184f95d9f
3 changed files with 49 additions and 0 deletions
--- a/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
+++ b/bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
@ -0,0 +1,36 @@
+From 7ed2f5078916c4addd321d12bce49f40bf32680e Mon Sep 17 00:00:00 2001
+From: Aleksa Sarai <asarai@suse.de>
+Date: Tue, 21 Aug 2018 19:42:53 +1000
+Subject: [PATCH] 18.06: disable containerd CRI plugin
+
+Docker 18.06 does not have a configuration option to disable the CRI
+plugin, and this plugin is not very useful if containerd is not running
+standalone.
+
+This patch disables the plugin if containerd is running as child-process
+of dockerd.
+
+Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
+Signed-off-by: Aleksa Sarai <asarai@suse.de>
+---
+ components/engine/libcontainerd/remote_daemon_linux.go | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/components/engine/libcontainerd/remote_daemon_linux.go b/components/engine/libcontainerd/remote_daemon_linux.go
+index dc59eb8c14f0..34b04e299acd 100644
+--- a/components/engine/libcontainerd/remote_daemon_linux.go
+++ b/components/engine/libcontainerd/remote_daemon_linux.go
+@@ -37,6 +37,10 @@ func (r *remote) setDefaults() {
+ 	if r.snapshotter == "" {
+ 		r.snapshotter = "overlay"
+ 	}
+	// Disable CRI plugin by default if containerd is managed as child-process
+	// of dockerd. See https://github.com/moby/moby/issues/37507
+	r.DisabledPlugins = append(r.DisabledPlugins, "cri")
+	delete(r.pluginConfs.Plugins, "cri")
+ }
+ 
+ func (r *remote) stopDaemon() {
+-- 
+2.18.0
+
--- a/docker.changes
+++ b/docker.changes
@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Aug 21 09:50:01 UTC 2018 - asarai@suse.com
+
+- Add a backport of https://github.com/docker/engine/pull/29 for the 18.06.0-ce
+  upgrade. This is a potential security issue (the CRI plugin was enabled by
+  default, which listens on a TCP port bound to 0.0.0.0) that will be fixed
+  upstream in the 18.06.1-ce upgrade. bsc#1102522
+  + bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
+
 -------------------------------------------------------------------
 Tue Aug 21 09:39:57 UTC 2018 - rbrown@suse.com

--- a/docker.spec
+++ b/docker.spec
@ -82,6 +82,8 @@ Patch400:       bsc1073877-0001-apparmor-allow-receiving-of-signals-from-docker-
 Patch401:       bsc1073877-0002-apparmor-clobber-docker-default-profile-on-start.patch
 # SUSE-BACKPORT: Backport of https://github.com/docker/cli/pull/1242. bsc#1100727
 Patch402:       bsc1100727-0001-build-add-buildmode-pie.patch
+# SUSE-BACKPORT: Backport of https://github.com/docker/engine/pull/29. bsc#1102522
+Patch403:       bsc1102522-0001-18.06-disable-containerd-CRI-plugin.patch
 # SUSE-FEATURE: Add support to mirror inofficial/private registries
 #               (https://github.com/moby/moby/pull/34319)
 Patch500:       private-registry-0001-Add-private-registry-mirror-support.patch
@ -261,6 +263,8 @@ docker container runtime configuration for kubeadm
 %patch401 -p1
 # bsc#1100727
 %patch402 -p1
+# bsc#1102522
+%patch403 -p1
 %if "%flavour" == "kubic"
 # PATCH-SUSE: Mirror patch.
 %patch500 -p1