- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190 OBS-URL: https://build.opensuse.org/package/show/Virtualization:containers/docker?expand=0&rev=365
This commit is contained in:
parent
a222574549
commit
97daa986c4
@ -1,7 +1,7 @@
|
|||||||
From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
|
From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||||
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
|
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
|
||||||
|
|
||||||
Since FileMode can have the directory bit set, allow a SecretStore
|
Since FileMode can have the directory bit set, allow a SecretStore
|
||||||
implementation to return secrets that are actually directories. This is
|
implementation to return secrets that are actually directories. This is
|
||||||
@ -10,22 +10,25 @@ useful for creating directories and subdirectories of secrets.
|
|||||||
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
Signed-off-by: Antonio Murdaca <runcom@redhat.com>
|
||||||
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
||||||
---
|
---
|
||||||
daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
|
daemon/container_operations_unix.go | 25 ++++++++++++++++++++++---
|
||||||
1 file changed, 21 insertions(+), 3 deletions(-)
|
1 file changed, 22 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
||||||
index 1647df0ce7ba..4ea2efed241f 100644
|
index 6a50b99bd29e..583db20aa459 100644
|
||||||
--- a/daemon/container_operations_unix.go
|
--- a/daemon/container_operations_unix.go
|
||||||
+++ b/daemon/container_operations_unix.go
|
+++ b/daemon/container_operations_unix.go
|
||||||
@@ -3,6 +3,7 @@
|
@@ -1,8 +1,10 @@
|
||||||
|
+//go:build linux || freebsd
|
||||||
|
// +build linux freebsd
|
||||||
|
|
||||||
package daemon // import "github.com/docker/docker/daemon"
|
package daemon // import "github.com/docker/docker/daemon"
|
||||||
|
|
||||||
import (
|
import (
|
||||||
+ "bytes"
|
+ "bytes"
|
||||||
"context"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
@@ -14,6 +15,7 @@ import (
|
"os"
|
||||||
|
@@ -12,6 +14,7 @@ import (
|
||||||
"github.com/docker/docker/container"
|
"github.com/docker/docker/container"
|
||||||
"github.com/docker/docker/daemon/links"
|
"github.com/docker/docker/daemon/links"
|
||||||
"github.com/docker/docker/errdefs"
|
"github.com/docker/docker/errdefs"
|
||||||
@ -33,7 +36,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
|
|||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
"github.com/docker/docker/pkg/stringid"
|
"github.com/docker/docker/pkg/stringid"
|
||||||
"github.com/docker/docker/pkg/system"
|
"github.com/docker/docker/pkg/system"
|
||||||
@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
@@ -205,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "unable to get secret from secret store")
|
return errors.Wrap(err, "unable to get secret from secret store")
|
||||||
}
|
}
|
||||||
@ -43,7 +46,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
|
|||||||
|
|
||||||
uid, err := strconv.Atoi(s.File.UID)
|
uid, err := strconv.Atoi(s.File.UID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
@@ -218,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -70,5 +73,5 @@ index 1647df0ce7ba..4ea2efed241f 100644
|
|||||||
return errors.Wrap(err, "error setting ownership for secret")
|
return errors.Wrap(err, "error setting ownership for secret")
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.33.0
|
2.33.1
|
||||||
|
|
||||||
|
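Review bot: The rebased 0001 patch now inserts `+//go:build linux || freebsd` at the top of daemon/container_operations_unix.go (new hunk header `@@ -1,8 +1,10 @@`, diffstat growing from 21 to 22 insertions), which is unrelated to the secrets-directory change the patch description covers. This looks like gofmt on Go 1.17+ rewriting the build constraint when the file was touched during the rebase, so it is harmless, but it leaves the patch carrying an undocumented build-tag hunk that the next rebase will have to reason about. Either drop that line from the hunk so the patch only touches the `"bytes"` import and setupSecretDir, or add a sentence to the patch description such as `Also carries the //go:build line gofmt adds for this file on Go 1.17+.` The setupSecretDir hunks themselves only shift line numbers and their enclosing function body continues outside the shown context.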
@ -1,7 +1,7 @@
|
|||||||
From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
|
From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||||
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
|
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
|
||||||
|
|
||||||
This allows for us to pass in host credentials to a container, allowing
|
This allows for us to pass in host credentials to a container, allowing
|
||||||
for SUSEConnect to work with containers.
|
for SUSEConnect to work with containers.
|
||||||
@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
|
|||||||
+ return nil
|
+ return nil
|
||||||
+}
|
+}
|
||||||
--
|
--
|
||||||
2.33.0
|
2.33.1
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
|
From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001
|
||||||
From: Valentin Rothberg <vrothberg@suse.com>
|
From: Valentin Rothberg <vrothberg@suse.com>
|
||||||
Date: Mon, 2 Jul 2018 13:37:34 +0200
|
Date: Mon, 2 Jul 2018 13:37:34 +0200
|
||||||
Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
|
Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
|
||||||
|
|
||||||
NOTE: This is a backport/downstream patch of the upstream pull-request
|
NOTE: This is a backport/downstream patch of the upstream pull-request
|
||||||
for Moby, which is still subject to changes. Please visit
|
for Moby, which is still subject to changes. Please visit
|
||||||
@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
|
|||||||
|
|
||||||
endpoints = []APIEndpoint{
|
endpoints = []APIEndpoint{
|
||||||
--
|
--
|
||||||
2.33.0
|
2.33.1
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
|
From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||||
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
|
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
|
||||||
start
|
start
|
||||||
|
|
||||||
In the process of making docker-default reloading far less expensive,
|
In the process of making docker-default reloading far less expensive,
|
||||||
@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
--
|
--
|
||||||
2.33.0
|
2.33.1
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
|
From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001
|
||||||
From: Michal Rostecki <mrostecki@opensuse.org>
|
From: Michal Rostecki <mrostecki@opensuse.org>
|
||||||
Date: Thu, 8 Apr 2021 14:42:02 +0100
|
Date: Thu, 8 Apr 2021 14:42:02 +0100
|
||||||
Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
|
Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
|
||||||
|
|
||||||
Before this change, cleanup of the btrfs driver (occuring on each daemon
|
Before this change, cleanup of the btrfs driver (occuring on each daemon
|
||||||
shutdown) resulted in disabling quotas. It was done with an assumption
|
shutdown) resulted in disabling quotas. It was done with an assumption
|
||||||
@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644
|
|||||||
}
|
}
|
||||||
if err := subvolLimitQgroup(dir, size); err != nil {
|
if err := subvolLimitQgroup(dir, size); err != nil {
|
||||||
--
|
--
|
||||||
2.33.0
|
2.33.1
|
||||||
|
|
||||||
|
@ -1,195 +0,0 @@
|
|||||||
From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Tianon Gravi <admwiggin@gmail.com>
|
|
||||||
Date: Thu, 9 Sep 2021 11:31:30 -0700
|
|
||||||
Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
|
|
||||||
default policy
|
|
||||||
MIME-Version: 1.0
|
|
||||||
Content-Type: text/plain; charset=UTF-8
|
|
||||||
Content-Transfer-Encoding: 8bit
|
|
||||||
|
|
||||||
This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7.
|
|
||||||
|
|
||||||
Original commit message is as follows:
|
|
||||||
|
|
||||||
> If no seccomp policy is requested, then the built-in default policy in
|
|
||||||
> dockerd applies. This has no rule for "clone3" defined, nor any default
|
|
||||||
> errno defined. So when runc receives the config it attempts to determine
|
|
||||||
> a default errno, using logic defined in its commit:
|
|
||||||
>
|
|
||||||
> opencontainers/runc@7a8d716
|
|
||||||
>
|
|
||||||
> As explained in the above commit message, runc uses a heuristic to
|
|
||||||
> decide which errno to return by default:
|
|
||||||
>
|
|
||||||
> [quote]
|
|
||||||
> The solution applied here is to prepend a "stub" filter which returns
|
|
||||||
> -ENOSYS if the requested syscall has a larger syscall number than any
|
|
||||||
> syscall mentioned in the filter. The reason for this specific rule is
|
|
||||||
> that syscall numbers are (roughly) allocated sequentially and thus newer
|
|
||||||
> syscalls will (usually) have a larger syscall number -- thus causing our
|
|
||||||
> filters to produce -ENOSYS if the filter was written before the syscall
|
|
||||||
> existed.
|
|
||||||
> [/quote]
|
|
||||||
>
|
|
||||||
> Unfortunately clone3 appears to one of the edge cases that does not
|
|
||||||
> result in use of ENOSYS, instead ending up with the historical EPERM
|
|
||||||
> errno.
|
|
||||||
>
|
|
||||||
> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
|
|
||||||
> clone3 by default. If it sees ENOSYS then it will automatically
|
|
||||||
> fallback to using clone. Any other errno is treated as a fatal
|
|
||||||
> error. Thus when docker seccomp policy triggers EPERM from clone3,
|
|
||||||
> no fallback occurs and programs are thus unable to spawn threads.
|
|
||||||
>
|
|
||||||
> The clone3 syscall is much more complicated than clone, most notably its
|
|
||||||
> flags are not exposed as a directly argument any more. Instead they are
|
|
||||||
> hidden inside a struct. This means that seccomp filters are unable to
|
|
||||||
> apply policy based on values seen in flags. Thus we can't directly
|
|
||||||
> replicate the current "clone" filtering for "clone3". We can at least
|
|
||||||
> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
|
|
||||||
> at which point we can filter on flags.
|
|
||||||
|
|
||||||
SUSE-Bugs: bsc#1190670
|
|
||||||
Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
|
|
||||||
Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
||||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
|
||||||
---
|
|
||||||
profiles/seccomp/default.json | 16 ++++++++++++++++
|
|
||||||
profiles/seccomp/default_linux.go | 13 +++++++++++++
|
|
||||||
profiles/seccomp/seccomp.go | 1 +
|
|
||||||
profiles/seccomp/seccomp_linux.go | 28 ++++++++++++----------------
|
|
||||||
4 files changed, 42 insertions(+), 16 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
|
|
||||||
index 4213799ddb5c..ee5e04f781a8 100644
|
|
||||||
--- a/profiles/seccomp/default.json
|
|
||||||
+++ b/profiles/seccomp/default.json
|
|
||||||
@@ -591,6 +591,7 @@
|
|
||||||
"names": [
|
|
||||||
"bpf",
|
|
||||||
"clone",
|
|
||||||
+ "clone3",
|
|
||||||
"fanotify_init",
|
|
||||||
"fsconfig",
|
|
||||||
"fsmount",
|
|
||||||
@@ -670,6 +671,21 @@
|
|
||||||
]
|
|
||||||
}
|
|
||||||
},
|
|
||||||
+ {
|
|
||||||
+ "names": [
|
|
||||||
+ "clone3"
|
|
||||||
+ ],
|
|
||||||
+ "action": "SCMP_ACT_ERRNO",
|
|
||||||
+ "errnoRet": 38,
|
|
||||||
+ "args": [],
|
|
||||||
+ "comment": "",
|
|
||||||
+ "includes": {},
|
|
||||||
+ "excludes": {
|
|
||||||
+ "caps": [
|
|
||||||
+ "CAP_SYS_ADMIN"
|
|
||||||
+ ]
|
|
||||||
+ }
|
|
||||||
+ },
|
|
||||||
{
|
|
||||||
"names": [
|
|
||||||
"reboot"
|
|
||||||
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
|
|
||||||
index 879eb88c64f1..fb593f336f7a 100644
|
|
||||||
--- a/profiles/seccomp/default_linux.go
|
|
||||||
+++ b/profiles/seccomp/default_linux.go
|
|
||||||
@@ -42,6 +42,7 @@ func arches() []Architecture {
|
|
||||||
|
|
||||||
// DefaultProfile defines the allowed syscalls for the default seccomp profile.
|
|
||||||
func DefaultProfile() *Seccomp {
|
|
||||||
+ nosys := uint(unix.ENOSYS)
|
|
||||||
syscalls := []*Syscall{
|
|
||||||
{
|
|
||||||
Names: []string{
|
|
||||||
@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {
|
|
||||||
Names: []string{
|
|
||||||
"bpf",
|
|
||||||
"clone",
|
|
||||||
+ "clone3",
|
|
||||||
"fanotify_init",
|
|
||||||
"fsconfig",
|
|
||||||
"fsmount",
|
|
||||||
@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp {
|
|
||||||
Caps: []string{"CAP_SYS_ADMIN"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
+ {
|
|
||||||
+ Names: []string{
|
|
||||||
+ "clone3",
|
|
||||||
+ },
|
|
||||||
+ Action: specs.ActErrno,
|
|
||||||
+ ErrnoRet: &nosys,
|
|
||||||
+ Args: []*specs.LinuxSeccompArg{},
|
|
||||||
+ Excludes: Filter{
|
|
||||||
+ Caps: []string{"CAP_SYS_ADMIN"},
|
|
||||||
+ },
|
|
||||||
+ },
|
|
||||||
{
|
|
||||||
Names: []string{
|
|
||||||
"reboot",
|
|
||||||
diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
|
|
||||||
index d2a21cddc4b2..9edec72db546 100644
|
|
||||||
--- a/profiles/seccomp/seccomp.go
|
|
||||||
+++ b/profiles/seccomp/seccomp.go
|
|
||||||
@@ -45,6 +45,7 @@ type Syscall struct {
|
|
||||||
Name string `json:"name,omitempty"`
|
|
||||||
Names []string `json:"names,omitempty"`
|
|
||||||
Action specs.LinuxSeccompAction `json:"action"`
|
|
||||||
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
|
|
||||||
Args []*specs.LinuxSeccompArg `json:"args"`
|
|
||||||
Comment string `json:"comment"`
|
|
||||||
Includes Filter `json:"includes"`
|
|
||||||
diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
|
|
||||||
index 566f173acd3a..e35e242cd500 100644
|
|
||||||
--- a/profiles/seccomp/seccomp_linux.go
|
|
||||||
+++ b/profiles/seccomp/seccomp_linux.go
|
|
||||||
@@ -150,29 +150,25 @@ Loop:
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ newCall := specs.LinuxSyscall{
|
|
||||||
+ Action: call.Action,
|
|
||||||
+ ErrnoRet: call.ErrnoRet,
|
|
||||||
+ }
|
|
||||||
if call.Name != "" && len(call.Names) != 0 {
|
|
||||||
return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
|
|
||||||
}
|
|
||||||
-
|
|
||||||
if call.Name != "" {
|
|
||||||
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))
|
|
||||||
+ newCall.Names = []string{call.Name}
|
|
||||||
} else {
|
|
||||||
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))
|
|
||||||
+ newCall.Names = call.Names
|
|
||||||
+ }
|
|
||||||
+ // Loop through all the arguments of the syscall and convert them
|
|
||||||
+ for _, arg := range call.Args {
|
|
||||||
+ newCall.Args = append(newCall.Args, *arg)
|
|
||||||
}
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return newConfig, nil
|
|
||||||
-}
|
|
||||||
|
|
||||||
-func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
|
|
||||||
- newCall := specs.LinuxSyscall{
|
|
||||||
- Names: names,
|
|
||||||
- Action: action,
|
|
||||||
+ newConfig.Syscalls = append(newConfig.Syscalls, newCall)
|
|
||||||
}
|
|
||||||
|
|
||||||
- // Loop through all the arguments of the syscall and convert them
|
|
||||||
- for _, arg := range args {
|
|
||||||
- newCall.Args = append(newCall.Args, *arg)
|
|
||||||
- }
|
|
||||||
- return newCall
|
|
||||||
+ return newConfig, nil
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.33.0
|
|
||||||
|
|
8
_service
8
_service
@ -3,16 +3,16 @@
|
|||||||
<param name="url">https://github.com/moby/moby.git</param>
|
<param name="url">https://github.com/moby/moby.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">20.10.9_ce_%h</param>
|
<param name="versionformat">20.10.11_ce_%h</param>
|
||||||
<param name="revision">v20.10.9</param>
|
<param name="revision">v20.10.11</param>
|
||||||
<param name="filename">docker</param>
|
<param name="filename">docker</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="tar_scm" mode="disabled">
|
<service name="tar_scm" mode="disabled">
|
||||||
<param name="url">https://github.com/docker/cli.git</param>
|
<param name="url">https://github.com/docker/cli.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">20.10.9_ce</param>
|
<param name="versionformat">20.10.11_ce</param>
|
||||||
<param name="revision">v20.10.9</param>
|
<param name="revision">v20.10.11</param>
|
||||||
<param name="filename">docker-cli</param>
|
<param name="filename">docker-cli</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="tar_scm" mode="disabled">
|
<service name="tar_scm" mode="disabled">
|
||||||
|
3
docker-20.10.11_ce_847da184ad50.tar.xz
Normal file
3
docker-20.10.11_ce_847da184ad50.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:cf82151ca8fff00a1b4bea55ae44022faf2f8eab518ef979a9c6d6cffd9fb450
|
||||||
|
size 6497200
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
|
|
||||||
size 6491984
|
|
3
docker-cli-20.10.11_ce.tar.xz
Normal file
3
docker-cli-20.10.11_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:7820570e1249dc498ef2580c6bf647bd720de27938c82acdcec0bcf90c6af4f8
|
||||||
|
size 4272896
|
@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
|
|
||||||
size 4272556
|
|
@ -1,3 +1,17 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Nov 18 08:35:37 UTC 2021 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
|
||||||
|
/usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
|
||||||
|
- Rebase patches:
|
||||||
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||||
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||||
|
* 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
|
||||||
|
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
|
* 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
|
Wed Oct 6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
|
||||||
|
|
||||||
|
14
docker.spec
14
docker.spec
@ -42,8 +42,8 @@
|
|||||||
# helpfully injects into our build environment from the changelog). If you want
|
# helpfully injects into our build environment from the changelog). If you want
|
||||||
# to generate a new git_commit_epoch, use this:
|
# to generate a new git_commit_epoch, use this:
|
||||||
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
||||||
%define git_version 79ea9d308018
|
%define git_version 847da184ad50
|
||||||
%define git_commit_epoch 1632421578
|
%define git_commit_epoch 1637194919
|
||||||
|
|
||||||
# We require a specific pin of libnetwork because it doesn't really do
|
# We require a specific pin of libnetwork because it doesn't really do
|
||||||
# versioning and minor version mismatches in libnetwork can break Docker
|
# versioning and minor version mismatches in libnetwork can break Docker
|
||||||
@ -56,10 +56,10 @@
|
|||||||
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
|
%define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
|
||||||
|
|
||||||
Name: %{realname}%{name_suffix}
|
Name: %{realname}%{name_suffix}
|
||||||
Version: 20.10.9_ce
|
Version: 20.10.11_ce
|
||||||
# This "nice version" is so that docker --version gives a result that can be
|
# This "nice version" is so that docker --version gives a result that can be
|
||||||
# parsed by other people. boo#1182476
|
# parsed by other people. boo#1182476
|
||||||
%define nice_version 20.10.9-ce
|
%define nice_version 20.10.11-ce
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: The Moby-project Linux container runtime
|
Summary: The Moby-project Linux container runtime
|
||||||
License: Apache-2.0
|
License: Apache-2.0
|
||||||
@ -94,8 +94,6 @@ Patch200: 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
|
|||||||
Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
Patch300: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
|
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
|
||||||
Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
|
Patch301: 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
|
||||||
# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42836. bsc#1190670
|
|
||||||
Patch302: 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
|
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: ca-certificates
|
BuildRequires: ca-certificates
|
||||||
@ -121,7 +119,7 @@ Provides: docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
|
|||||||
# Required to actually run containers. We require the minimum version that is
|
# Required to actually run containers. We require the minimum version that is
|
||||||
# pinned by Docker, but in order to avoid headaches we allow for updates.
|
# pinned by Docker, but in order to avoid headaches we allow for updates.
|
||||||
Requires: runc >= 1.0.2
|
Requires: runc >= 1.0.2
|
||||||
Requires: containerd >= 1.4.11
|
Requires: containerd >= 1.4.12
|
||||||
# Needed for --init support. We don't use "tini", we use our own implementation
|
# Needed for --init support. We don't use "tini", we use our own implementation
|
||||||
# which handles edge-cases better.
|
# which handles edge-cases better.
|
||||||
Requires: catatonit
|
Requires: catatonit
|
||||||
@ -264,8 +262,6 @@ docker container runtime configuration for kubeadm
|
|||||||
%patch300 -p1
|
%patch300 -p1
|
||||||
# bsc#1183855 bsc#1175081
|
# bsc#1183855 bsc#1175081
|
||||||
%patch301 -p1
|
%patch301 -p1
|
||||||
# bsc#1190670
|
|
||||||
%patch302 -p1
|
|
||||||
|
|
||||||
# README_SUSE.md for documentation.
|
# README_SUSE.md for documentation.
|
||||||
cp %{SOURCE103} .
|
cp %{SOURCE103} .
|
||||||
|
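Review bot: The dependency floor moves from `Requires: containerd >= 1.4.11` to `Requires: containerd >= 1.4.12` without a comment, while the comment block above it only explains the general "minimum pinned by Docker, updates allowed" rule. The commit message cites CVE-2021-41190, and if the containerd bump is part of that fix (as the pairing with the 20.10.11 update suggests, though the spec does not say so) it should be traceable from the spec itself, e.g. `# containerd >= 1.4.12 is the minimum pinned by Docker 20.10.11 (see CVE-2021-41190 in the changelog)`. The removal of Patch302 and `%patch302 -p1` is consistent with the changelog's "Remove upstreamed patches" entry and needs no further change.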