diff --git a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index 15cbd34..ffbad23 100644 --- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,7 @@ -From 5dfd507cf2ab34a99d925eae7fa9a1a062c1930e Mon Sep 17 00:00:00 2001 +From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 5521adbd2749..c103d9349c51 100644 +index 1647df0ce7ba..4ea2efed241f 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ @@ -70,5 +70,5 @@ index 5521adbd2749..c103d9349c51 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.30.2 +2.33.0 diff --git a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch index 190a682..c3ebcec 100644 --- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch +++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch @@ -1,7 +1,7 @@ -From cb696ab8168b611535c04f8780c4632a2dc0ec2a Mon Sep 17 00:00:00 2001 +From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. @@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497 + return nil +} -- -2.30.2 +2.33.0 diff --git a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch index 6142fe0..8ddab30 100644 --- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch +++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch @@ -1,7 +1,7 @@ -From 759c1b0c2d4a3c89dea396510d2a1518ad2fcb2c Mon Sep 17 00:00:00 2001 +From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Mon, 2 Jul 2018 13:37:34 +0200 -Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support +Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support NOTE: This is a backport/downstream patch of the upstream pull-request for Moby, which is still subject to changes. Please visit @@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644 endpoints = []APIEndpoint{ -- -2.30.2 +2.33.0 diff --git a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index 0ba5e8d..986b605 100644 --- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch @@ -1,7 +1,7 @@ -From 9f27140b54e30eed9d3428b24c3ca9c340c48394 Mon Sep 17 00:00:00 2001 +From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001 
From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -69,7 +69,7 @@ index dd581dc7dadb..5b14979cd4a3 100644 return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go -index 3d8cca288010..62d3859cff8c 100644 +index 2a2fbbd52e19..0999ac3186b7 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S @@ -85,5 +85,5 @@ index 3d8cca288010..62d3859cff8c 100644 } -- -2.30.2 +2.33.0 diff --git a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch index cd2a429..a43d5b9 100644 --- a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch +++ b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch @@ -1,7 +1,7 @@ -From bb452793d224b00a3700af9fdd9b0f183e1141f1 Mon Sep 17 00:00:00 2001 +From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001 From: Michal Rostecki Date: Thu, 8 Apr 2021 14:42:02 +0100 -Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup +Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup Before this change, cleanup of the btrfs driver (occuring on each daemon shutdown) resulted in disabling quotas. It was done with an assumption @@ -24,10 +24,10 @@ Signed-off-by: Michal Rostecki 1 file changed, 8 insertions(+), 42 deletions(-) diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go -index 0499489d16e6..0720bb571f2e 100644 +index 8fd2854a2673..32c4f07c620d 100644 --- a/daemon/graphdriver/btrfs/btrfs.go 
+++ b/daemon/graphdriver/btrfs/btrfs.go -@@ -96,7 +96,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap +@@ -103,7 +103,7 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap } if userDiskQuota { @@ -36,7 +36,7 @@ index 0499489d16e6..0720bb571f2e 100644 return nil, err } } -@@ -165,18 +165,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) { +@@ -172,18 +172,10 @@ func (d *Driver) GetMetadata(id string) (map[string]string, error) { // Cleanup unmounts the home directory. func (d *Driver) Cleanup() error { @@ -56,7 +56,7 @@ index 0499489d16e6..0720bb571f2e 100644 return nil } -@@ -334,7 +326,7 @@ func (d *Driver) updateQuotaStatus() { +@@ -341,7 +333,7 @@ func (d *Driver) updateQuotaStatus() { d.once.Do(func() { if !d.quotaEnabled { // In case quotaEnabled is not set, check qgroup and update quotaEnabled as needed @@ -65,7 +65,7 @@ index 0499489d16e6..0720bb571f2e 100644 // quota is still not enabled return } -@@ -343,7 +335,7 @@ func (d *Driver) updateQuotaStatus() { +@@ -350,7 +342,7 @@ func (d *Driver) updateQuotaStatus() { }) } @@ -74,7 +74,7 @@ index 0499489d16e6..0720bb571f2e 100644 d.updateQuotaStatus() if d.quotaEnabled { -@@ -369,32 +361,6 @@ func (d *Driver) subvolEnableQuota() error { +@@ -376,32 +368,6 @@ func (d *Driver) subvolEnableQuota() error { return nil } @@ -107,7 +107,7 @@ index 0499489d16e6..0720bb571f2e 100644 func (d *Driver) subvolRescanQuota() error { d.updateQuotaStatus() -@@ -437,11 +403,11 @@ func subvolLimitQgroup(path string, size uint64) error { +@@ -444,11 +410,11 @@ func subvolLimitQgroup(path string, size uint64) error { return nil } 
@@ -121,7 +121,7 @@ index 0499489d16e6..0720bb571f2e 100644 dir, err := openDir(path) if err != nil { return err -@@ -608,7 +574,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error { +@@ -622,7 +588,7 @@ func (d *Driver) setStorageSize(dir string, driver *Driver) error { if d.options.minSpace > 0 && driver.options.size < d.options.minSpace { return fmt.Errorf("btrfs: storage size cannot be less than %s", units.HumanSize(float64(d.options.minSpace))) } @@ -130,7 +130,7 @@ index 0499489d16e6..0720bb571f2e 100644 return err } return subvolLimitQgroup(dir, driver.options.size) -@@ -662,7 +628,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) { +@@ -676,7 +642,7 @@ func (d *Driver) Get(id, mountLabel string) (containerfs.ContainerFS, error) { if quota, err := ioutil.ReadFile(d.quotasDirID(id)); err == nil { if size, err := strconv.ParseUint(string(quota), 10, 64); err == nil && size >= d.options.minSpace { @@ -140,5 +140,5 @@ index 0499489d16e6..0720bb571f2e 100644 } if err := subvolLimitQgroup(dir, size); err != nil { -- -2.30.2 +2.33.0 diff --git a/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch b/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch index 99b36e3..dff5182 100644 --- a/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch +++ b/0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch @@ -1,4 +1,4 @@ -From ec9265210aaf10fe5f810d0ac7f566cf1929283a Mon Sep 17 00:00:00 2001 +From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 9 Sep 2021 11:31:30 -0700 Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in diff --git a/_service b/_service index 29776d4..e581df4 100644 --- a/_service +++ b/_service 
@@ -3,16 +3,16 @@ https://github.com/moby/moby.git git .git - 20.10.6_ce_%h - v20.10.6 + 20.10.9_ce_%h + v20.10.9 docker https://github.com/docker/cli.git git .git - 20.10.6_ce - v20.10.6 + 20.10.9_ce + v20.10.9 docker-cli @@ -20,7 +20,7 @@ git .git %H - b3507428be5b458cb0e2b4086b13531fb0706e46 + 64b7a4574d1426139437d20e81c0b6d391130ec8 docker-libnetwork diff --git a/docker-20.10.6_ce_8728dd246c3a.tar.xz b/docker-20.10.6_ce_8728dd246c3a.tar.xz deleted file mode 100644 index ec628c7..0000000 --- a/docker-20.10.6_ce_8728dd246c3a.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:620a514c43fc9ffa7fbac50d16f3479e576425ef1496c13c6b2c226be1dc54ef -size 6486364 diff --git a/docker-20.10.9_ce_79ea9d308018.tar.xz b/docker-20.10.9_ce_79ea9d308018.tar.xz new file mode 100644 index 0000000..ec9d404 --- /dev/null +++ b/docker-20.10.9_ce_79ea9d308018.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1 +size 6491984 diff --git a/docker-cli-20.10.6_ce.tar.xz b/docker-cli-20.10.6_ce.tar.xz deleted file mode 100644 index 4d8cbef..0000000 --- a/docker-cli-20.10.6_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:22c42e3fb154a00627b6698573fe4b035638cfd5f5dc1d26795e096d73c1da13 -size 4409500 diff --git a/docker-cli-20.10.9_ce.tar.xz b/docker-cli-20.10.9_ce.tar.xz new file mode 100644 index 0000000..e485731 --- /dev/null +++ b/docker-cli-20.10.9_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0 +size 4272556 diff --git a/docker-libnetwork-64b7a4574d1426139437d20e81c0b6d391130ec8.tar.xz b/docker-libnetwork-64b7a4574d1426139437d20e81c0b6d391130ec8.tar.xz new file mode 100644 index 0000000..6811745 --- /dev/null +++ b/docker-libnetwork-64b7a4574d1426139437d20e81c0b6d391130ec8.tar.xz 
@@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:437df6f6e33cf527acbcc2117738430f89e43bc57d958557155b3392c3a00ff8 +size 1983592 diff --git a/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz b/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz deleted file mode 100644 index 93d7a9a..0000000 --- a/docker-libnetwork-b3507428be5b458cb0e2b4086b13531fb0706e46.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:29bbbfafb284edb07004fdfe2dccc43c7f8e0eb8c17e7370f13e22e6778b7745 -size 1982240 diff --git a/docker.changes b/docker.changes index c76db62..37b49a0 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai + +- Update to Docker 20.10.9-ce. See upstream changelog in the packaged + /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1191355 + CVE-2021-41092 CVE-2021-41089 CVE-2021-41091 CVE-2021-41103 +- Rebase patches: + * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch + * 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch +- Switch to Go 1.16.x compiler, in line with upstream. + ------------------------------------------------------------------- Mon Sep 20 23:59:05 UTC 2021 - Aleksa Sarai diff --git a/docker.spec b/docker.spec index c92af45..cf60bd2 100644 --- a/docker.spec +++ b/docker.spec 
@@ -42,24 +42,24 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 8728dd246c3a -%define git_commit_epoch 1618005978 +%define git_version 79ea9d308018 +%define git_commit_epoch 1632421578 # We require a specific pin of libnetwork because it doesn't really do # versioning and minor version mismatches in libnetwork can break Docker # networking. All other key runtime dependencies (containerd, runc) are stable # enough that this isn't necessary. -%define libnetwork_version b3507428be5b458cb0e2b4086b13531fb0706e46 +%define libnetwork_version 64b7a4574d1426139437d20e81c0b6d391130ec8 %define dist_builddir %{_builddir}/dist-suse %define cli_builddir %{dist_builddir}/src/github.com/docker/cli %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork Name: %{realname}%{name_suffix} -Version: 20.10.6_ce +Version: 20.10.9_ce # This "nice version" is so that docker --version gives a result that can be # parsed by other people. boo#1182476 -%define nice_version 20.10.6-ce +%define nice_version 20.10.9-ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 @@ -110,9 +110,7 @@ BuildRequires: sqlite3-devel BuildRequires: zsh BuildRequires: fish BuildRequires: go-go-md2man -# We cannot use Go 1.14 because it breaks io.Copy (among other things) by -# returning -EINTR from I/O syscalls much more often. -BuildRequires: go1.13 +BuildRequires: go1.16 BuildRequires: pkgconfig(libsystemd) Requires: apparmor-parser Requires: ca-certificates-mozilla 
@@ -122,8 +120,8 @@ Obsoletes: docker-libnetwork%{name_suffix} < 0.7.0.2 Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version} # Required to actually run containers. We require the minimum version that is # pinned by Docker, but in order to avoid headaches we allow for updates. -Requires: runc >= 1.0.0~rc93 -Requires: containerd >= 1.4.3 +Requires: runc >= 1.0.2 +Requires: containerd >= 1.4.11 # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit @@ -312,6 +310,8 @@ export DOCKER_GITCOMMIT="%{git_version}" export GITCOMMIT="%{git_version}" export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-%{git_commit_epoch}}" export BUILDTIME="$(date -u -d "@$SOURCE_DATE_EPOCH" --rfc-3339 ns 2>/dev/null | sed -e 's/ /T/')" +# NOTE: This will have to be removed with the next major Docker bump. +export GO111MODULE=off EOF ) > docker_build_env . ./docker_build_env
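Review bot: The NOTE above the added `export GO111MODULE=off` says when the line has to go but not why it is needed, so a later maintainer cannot tell whether it is still required after a minor bump. The reason appears to be the switch from go1.13 to go1.16 in the `@@ -110,9 +110,7 @@` hunk earlier in this file (which also dropped the only comment explaining the compiler pin): Go 1.16 defaults to module mode, while this build lays the sources out GOPATH-style under `%{dist_builddir}/src/github.com/...`, so module mode would presumably not resolve the vendored tree as intended. Suggest replacing the comment with `# Go 1.16 defaults to module mode, but this tree is built GOPATH-style from the vendored sources (no go.mod in 20.10), so force it off. Remove with the next major Docker bump.` — the "no go.mod" part should be confirmed against the unpacked tarball. Since GOPATH mode performs no go.sum verification, dependency provenance for this CVE-driven update rests entirely on the packaged tarball checksums and the pinned libnetwork commit, which is worth a sentence in that comment as well.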