diff --git a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch index 0cc4766..28f2252 100644 --- a/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch +++ b/0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch @@ -1,7 +1,7 @@ -From 37dfb97c0016300dd6453fc718805ccdf341bfd6 Mon Sep 17 00:00:00 2001 +From 823bedd07fac6778a3d94b6f949ac16e6bd12638 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 -Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets +Subject: [PATCH 1/7] SECRETS: daemon: allow directory creation in /run/secrets Since FileMode can have the directory bit set, allow a SecretStore implementation to return secrets that are actually directories. This is @@ -70,5 +70,5 @@ index 75b4b09b8dc4..583db20aa459 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.36.1 +2.38.1 diff --git a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch index 565b413..a5680ba 100644 --- a/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch +++ b/0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch @@ -1,7 +1,7 @@ -From 11ac23e5620ee53c9527334d2222b32ca5098876 Mon Sep 17 00:00:00 2001 +From fa24396cbecbb6cdc7c734559389486849c2268c Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 -Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets +Subject: [PATCH 2/7] SECRETS: SUSE: implement SUSE container secrets This allows for us to pass in host credentials to a container, allowing for SUSEConnect to work with containers. @@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497 + return nil +} -- -2.36.1 +2.38.1 diff --git a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch index efe684e..a26bbd8 100644 --- a/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch +++ b/0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch @@ -1,7 +1,7 @@ -From cf3c6ccefda39c60dc656404674628ac48b55de9 Mon Sep 17 00:00:00 2001 +From 0fe6aba9612d2b483b29192c0605b1311b77a92b Mon Sep 17 00:00:00 2001 From: Valentin Rothberg Date: Mon, 2 Jul 2018 13:37:34 +0200 -Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support +Subject: [PATCH 3/7] PRIVATE-REGISTRY: add private-registry mirror support NOTE: This is a backport/downstream patch of the upstream pull-request for Moby, which is still subject to changes. Please visit @@ -72,12 +72,12 @@ Signed-off-by: Aleksa Sarai distribution/pull.go | 2 +- distribution/pull_v2.go | 2 +- distribution/push.go | 2 +- - registry/config.go | 126 ++++++++++++++++++++++++++++- + registry/config.go | 133 +++++++++++++++++++++++++++++- registry/config_test.go | 142 ++++++++++++++++++++++++++++++++ registry/registry_test.go | 99 ++++++++++++++++++++--- registry/service.go | 43 +++++++--- - registry/service_v2.go | 64 +++++++++++---- - 12 files changed, 710 insertions(+), 46 deletions(-) + registry/service_v2.go | 63 +++++++++++---- + 12 files changed, 716 insertions(+), 46 deletions(-) diff --git a/api/types/registry/registry.go b/api/types/registry/registry.go index 53e47084c8d5..b4bb9ef805d3 100644 @@ -444,10 +444,10 @@ index c8ddd4c5cfcd..b17e9d25d6c2 100644 return err } diff --git a/distribution/pull_v2.go b/distribution/pull_v2.go -index 123abf6b497a..097ead45d0fd 100644 +index 5abd18b6cf7c..0796e7ea1d52 100644 --- a/distribution/pull_v2.go +++ b/distribution/pull_v2.go -@@ -432,7 +432,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform +@@ -433,7 +433,7 @@ func (p *v2Puller) pullV2Tag(ctx context.Context, ref reference.Named, platform // the other side speaks the v2 protocol. p.confirmedV2 = true @@ -470,7 +470,7 @@ index 5617a4c95f49..0a24aebed968 100644 return err } diff --git a/registry/config.go b/registry/config.go -index 54b83fa40aab..e1ba24b83bdd 100644 +index 54b83fa40aab..5adc913e4344 100644 --- a/registry/config.go +++ b/registry/config.go @@ -14,11 +14,12 @@ import ( @@ -512,7 +512,7 @@ index 54b83fa40aab..e1ba24b83bdd 100644 config := &serviceConfig{ ServiceConfig: registrytypes.ServiceConfig{ InsecureRegistryCIDRs: make([]*registrytypes.NetIPNet, 0), -@@ -78,10 +92,106 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { +@@ -78,10 +92,113 @@ func newServiceConfig(options ServiceOptions) (*serviceConfig, error) { if err := config.LoadInsecureRegistries(options.InsecureRegistries); err != nil { return nil, err } @@ -531,6 +531,13 @@ index 54b83fa40aab..e1ba24b83bdd 100644 +func (config *serviceConfig) checkRegistries() error { + inUse := make(map[string]string) // key: host, value: user + ++ if len(config.Registries) > 0 { ++ logrus.Errorf("[SUSE] You are currently using an unsupported and out-of-tree Docker feature intended for internal SUSE only.") ++ logrus.Errorf("[SUSE] If you see this warning (and you are not using CaaSP) please open a SUSE bug report to alert us of this.") ++ logrus.Errorf("[SUSE] This feature (registry mirrors) will be removed in a future Docker release on SUSE.") ++ logrus.Errorf("[SUSE] Please DO NOT submit an upstream bug report about this warning!") ++ } ++ + // make sure that each mirror serves only one registry + for _, reg := range config.Registries { + for _, mirror := range reg.Mirrors { @@ -619,7 +626,7 @@ index 54b83fa40aab..e1ba24b83bdd 100644 // LoadAllowNondistributableArtifacts loads allow-nondistributable-artifacts registries into config. func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []string) error { cidrs := map[string]*registrytypes.NetIPNet{} -@@ -122,6 +232,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str +@@ -122,6 +239,10 @@ func (config *serviceConfig) LoadAllowNondistributableArtifacts(registries []str // LoadMirrors loads mirrors to config, after removing duplicates. // Returns an error if mirrors contains an invalid mirror. func (config *serviceConfig) LoadMirrors(mirrors []string) error { @@ -630,7 +637,7 @@ index 54b83fa40aab..e1ba24b83bdd 100644 mMap := map[string]struct{}{} unique := []string{} -@@ -151,6 +265,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error { +@@ -151,6 +272,10 @@ func (config *serviceConfig) LoadMirrors(mirrors []string) error { // LoadInsecureRegistries loads insecure registries to config func (config *serviceConfig) LoadInsecureRegistries(registries []string) error { @@ -1042,10 +1049,10 @@ index 3b08e39da2c2..62556ba1ba70 100644 for _, endpoint := range allEndpoints { if !endpoint.Mirror { diff --git a/registry/service_v2.go b/registry/service_v2.go -index 3e3a5b41ffbd..451a6f874bc1 100644 +index 154ac7c93e80..06f7d20de8f9 100644 --- a/registry/service_v2.go +++ b/registry/service_v2.go -@@ -1,39 +1,71 @@ +@@ -1,42 +1,73 @@ package registry // import "github.com/docker/docker/registry" import ( @@ -1060,17 +1067,7 @@ index 3e3a5b41ffbd..451a6f874bc1 100644 -func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndpoint, err error) { +func (s *DefaultService) lookupV2Endpoints(reference string) (endpoints []APIEndpoint, err error) { tlsConfig := tlsconfig.ServerDefault() -- if hostname == DefaultNamespace || hostname == IndexHostname { -- for _, mirror := range s.config.Mirrors { -- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { -- mirror = "https://" + mirror -- } -- mirrorURL, err := url.Parse(mirror) -- if err != nil { -- return nil, err -- } -- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL) -+ + + // extraxt the hostname from the reference + refURL := reference + if !strings.HasPrefix(refURL, "http://") && !strings.HasPrefix(refURL, "https://") { @@ -1085,6 +1082,18 @@ index 3e3a5b41ffbd..451a6f874bc1 100644 + return nil, fmt.Errorf("SUSE PATCH [lookupV2Endpoints]: cannot determine hostname of reference %s", reference) + } + + ana := allowNondistributableArtifacts(s.config, hostname) + +- if hostname == DefaultNamespace || hostname == IndexHostname { +- for _, mirror := range s.config.Mirrors { +- if !strings.HasPrefix(mirror, "http://") && !strings.HasPrefix(mirror, "https://") { +- mirror = "https://" + mirror +- } +- mirrorURL, err := url.Parse(mirror) +- if err != nil { +- return nil, err +- } +- mirrorTLSConfig, err := s.tlsConfigForMirror(mirrorURL) + // create endpoints for official and configured registries + official := false + if hostname == "docker.io" { @@ -1131,8 +1140,8 @@ index 3e3a5b41ffbd..451a6f874bc1 100644 + Official: official, TrimHostname: true, TLSConfig: tlsConfig, - }) -@@ -45,7 +77,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp + +@@ -48,7 +79,7 @@ func (s *DefaultService) lookupV2Endpoints(hostname string) (endpoints []APIEndp tlsConfig, err = s.tlsConfig(hostname) if err != nil { @@ -1142,5 +1151,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644 endpoints = []APIEndpoint{ -- -2.36.1 +2.38.1 diff --git a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch index 61930ec..ceef77c 100644 --- a/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch +++ b/0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch @@ -1,7 +1,7 @@ -From 5d2f7a37a37547663aae1538b2d3fd48dd7277c8 Mon Sep 17 00:00:00 2001 +From bc52d15141402d94eeaee618f1df0b540f527b98 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Jun 2018 17:59:30 +1000 -Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on +Subject: [PATCH 4/7] bsc1073877: apparmor: clobber docker-default profile on start In the process of making docker-default reloading far less expensive, @@ -69,10 +69,10 @@ index e3dc18b32b5e..9c7723056268 100644 return nil } diff --git a/daemon/daemon.go b/daemon/daemon.go -index 2a2fbbd52e19..0999ac3186b7 100644 +index f15a4b038498..2f0c23bc62c9 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go -@@ -855,8 +855,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S +@@ -857,8 +857,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S logrus.Warnf("Failed to configure golang's threads limit: %v", err) } @@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644 } -- -2.36.1 +2.38.1 diff --git a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch index bd92ee3..f76db42 100644 --- a/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch +++ b/0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch @@ -1,7 +1,7 @@ -From b54c6c7addcb163ddcef5e37fc7ed1c0afd0dbfa Mon Sep 17 00:00:00 2001 +From 57673ad5455b1b27e41716e33b67c9cd8099b580 Mon Sep 17 00:00:00 2001 From: Michal Rostecki Date: Thu, 8 Apr 2021 14:42:02 +0100 -Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup +Subject: [PATCH 5/7] bsc1183855: btrfs: Do not disable quota on cleanup Before this change, cleanup of the btrfs driver (occuring on each daemon shutdown) resulted in disabling quotas. It was done with an assumption @@ -140,5 +140,5 @@ index fa0cdf8666b1..02bbb5da1088 100644 } if err := subvolLimitQgroup(dir, size); err != nil { -- -2.36.1 +2.38.1 diff --git a/0006-bsc1193930-vendor-update-golang.org-x-crypto.patch b/0006-bsc1193930-vendor-update-golang.org-x-crypto.patch index 653d689..5248319 100644 --- a/0006-bsc1193930-vendor-update-golang.org-x-crypto.patch +++ b/0006-bsc1193930-vendor-update-golang.org-x-crypto.patch @@ -1,7 +1,7 @@ -From bb67252dfccb18dacc9e0c3463e7c52f32fb2900 Mon Sep 17 00:00:00 2001 +From dd265ac6cbe070f80a0c607ba147af35858ae5e9 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Fri, 29 Apr 2022 12:44:21 +1000 -Subject: [PATCH 6/6] bsc1193930: vendor: update golang.org/x/crypto +Subject: [PATCH 6/7] bsc1193930: vendor: update golang.org/x/crypto This is necessary to fix several security issues that Docker hasn't backported to their CE branch: @@ -354,10 +354,10 @@ Signed-off-by: Aleksa Sarai create mode 100644 vendor/golang.org/x/crypto/xts/xts.go diff --git a/vendor.conf b/vendor.conf -index 54e97e4562d8..9ff95d499ef8 100644 +index a41471b57b71..2965c71c3709 100644 --- a/vendor.conf +++ b/vendor.conf -@@ -150,7 +150,7 @@ github.com/golang/protobuf 84668698ea25b64748563aa20726 +@@ -152,7 +152,7 @@ github.com/golang/protobuf 84668698ea25b64748563aa20726 github.com/cloudflare/cfssl 5d63dbd981b5c408effbb58c442d54761ff94fbd # 1.3.2 github.com/fernet/fernet-go 9eac43b88a5efb8651d24de9b68e87567e029736 github.com/google/certificate-transparency-go 37a384cd035e722ea46e55029093e26687138edf # v1.0.20 @@ -41068,5 +41068,5 @@ index 000000000000..b51308e95e52 + } +} -- -2.36.1 +2.38.1 diff --git a/0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch b/0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch index 206c746..a6b7acb 100644 --- a/0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch +++ b/0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch @@ -1,4 +1,4 @@ -From 078fbd36b8fecab42ac7faad973a16aed10ab28c Mon Sep 17 00:00:00 2001 +From 6451aa1559ce5a135f599682ab33721e116925bd Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Fri, 29 Jan 2021 14:55:08 +0100 Subject: [PATCH 7/7] bsc1200022: fifo.Close(): prevent possible panic if fifo @@ -52,5 +52,5 @@ index 96c214f270bf..c3eec295b578 100644 case <-f.closed: f.handle.Close() -- -2.36.1 +2.38.1 diff --git a/_service b/_service index 5626a21..f239518 100644 --- a/_service +++ b/_service @@ -3,16 +3,16 @@ https://github.com/moby/moby.git git .git - 20.10.17_ce_%h - v20.10.17 + 20.10.21_ce_%h + v20.10.21 docker https://github.com/docker/cli.git git .git - 20.10.17_ce - v20.10.17 + 20.10.21_ce + v20.10.21 docker-cli @@ -20,7 +20,7 @@ git .git %H - f6ccccb1c082a432c2a5814aaedaca56af33d9ea + 0dde5c895075df6e3630e76f750a447cf63f4789 docker-libnetwork diff --git a/docker-20.10.17_ce_a89b84221c85.tar.xz b/docker-20.10.17_ce_a89b84221c85.tar.xz deleted file mode 100644 index 60379b3..0000000 --- a/docker-20.10.17_ce_a89b84221c85.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:9464d19aa358c19089672a03b13572b9c512c8c19ad098b594caca864052c426 -size 6557740 diff --git a/docker-20.10.21_ce_3056208812eb.tar.xz b/docker-20.10.21_ce_3056208812eb.tar.xz new file mode 100644 index 0000000..10fc677 --- /dev/null +++ b/docker-20.10.21_ce_3056208812eb.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:2696414f3d39bb862d2e60e614a4fe2e6a655c65c30742a4a28b776fbbd59bc5 +size 6590696 diff --git a/docker-cli-20.10.17_ce.tar.xz b/docker-cli-20.10.17_ce.tar.xz deleted file mode 100644 index 1286b18..0000000 --- a/docker-cli-20.10.17_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:1eeb771ad69ec70e206d69bdb649d05f438d0fa4193bbb6f4c7fd276258a08a9 -size 4357440 diff --git a/docker-cli-20.10.21_ce.tar.xz b/docker-cli-20.10.21_ce.tar.xz new file mode 100644 index 0000000..ab727e4 --- /dev/null +++ b/docker-cli-20.10.21_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cfa23215b99aed9c85a401fd1aeb961a5a3f8b3095fb6815ba8eb83cf182481f +size 4358052 diff --git a/docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz b/docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz new file mode 100644 index 0000000..acaa518 --- /dev/null +++ b/docker-libnetwork-0dde5c895075df6e3630e76f750a447cf63f4789.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:24a4b6aeb1391b2ab9f99fad7343913ecc7191a10669a056e0a2cdf449e3733e +size 1983868 diff --git a/docker-libnetwork-f6ccccb1c082a432c2a5814aaedaca56af33d9ea.tar.xz b/docker-libnetwork-f6ccccb1c082a432c2a5814aaedaca56af33d9ea.tar.xz deleted file mode 100644 index dbe226f..0000000 --- a/docker-libnetwork-f6ccccb1c082a432c2a5814aaedaca56af33d9ea.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:a676901b2676dedd147e70b2e6c5b9869e8d2fad99605de20cc1b42830097d3b -size 1983552 diff --git a/docker.changes b/docker.changes index 48b2dfc..a19b064 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Tue Dec 6 11:49:32 UTC 2022 - Aleksa Sarai + +- Update to Docker 20.10.21-ce. See upstream changelog online at + . bsc#1206065 +- Rebase patches: + * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch + * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch + * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch + * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch + * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch + * 0006-bsc1193930-vendor-update-golang.org-x-crypto.patch + * 0007-bsc1200022-fifo.Close-prevent-possible-panic-if-fifo.patch +- The PRIVATE-REGISTRY patch will now output a warning if it is being used (in + preparation for removing the feature). This feature was never meant to be + used by users directly (and is only available in the -kubic/CaaSP version of + the package anyway) and thus should not affect any users. + ------------------------------------------------------------------- Mon Oct 24 09:45:20 UTC 2022 - Dan Čermák diff --git a/docker.spec b/docker.spec index d189e2d..381e1b1 100644 --- a/docker.spec +++ b/docker.spec @@ -42,24 +42,25 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version a89b84221c85 -%define git_commit_epoch 1654554758 +%define real_version 20.10.21 +%define git_version 3056208812eb +%define git_commit_epoch 1666698255 # We require a specific pin of libnetwork because it doesn't really do # versioning and minor version mismatches in libnetwork can break Docker # networking. All other key runtime dependencies (containerd, runc) are stable # enough that this isn't necessary. -%define libnetwork_version f6ccccb1c082a432c2a5814aaedaca56af33d9ea +%define libnetwork_version 0dde5c895075df6e3630e76f750a447cf63f4789 %define dist_builddir %{_builddir}/dist-suse %define cli_builddir %{dist_builddir}/src/github.com/docker/cli %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork Name: %{realname}%{name_suffix} -Version: 20.10.17_ce +Version: %{real_version}_ce # This "nice version" is so that docker --version gives a result that can be # parsed by other people. boo#1182476 -%define nice_version 20.10.17-ce +%define nice_version %{real_version}-ce Release: 0 Summary: The Moby-project Linux container runtime License: Apache-2.0 @@ -117,8 +118,8 @@ BuildRequires: go-go-md2man BuildRequires: pkgconfig(libsystemd) BuildRequires: sysuser-tools # Due to a limitation in openSUSE's Go packaging we cannot have a BuildRequires -# for 'golang(API) >= 1.17' here, so just require 1.17 exactly. bsc#1172608 -BuildRequires: go1.17 +# for 'golang(API) >= 1.18' here, so just require 1.18 exactly. bsc#1172608 +BuildRequires: go1.18 Requires: (apparmor-parser or container-selinux) Requires: ca-certificates-mozilla # The docker-proxy binary used to be in a separate package. We obsolete it, @@ -128,7 +129,7 @@ Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version} # Required to actually run containers. We require the minimum version that is # pinned by Docker, but in order to avoid headaches we allow for updates. Requires: runc >= 1.1.2 -Requires: containerd >= 1.6.6 +Requires: containerd >= 1.6.9 # Needed for --init support. We don't use "tini", we use our own implementation # which handles edge-cases better. Requires: catatonit