diff --git a/_service b/_service index 475a71d..6c5b887 100644 --- a/_service +++ b/_service @@ -3,8 +3,8 @@ https://github.com/docker/docker-ce.git git .git - 17.07.0_ce - v17.07.0-ce + 17.09.1_ce + v17.09.1-ce docker diff --git a/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch b/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch index ffc4153..28cd85f 100644 --- a/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch +++ b/bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch @@ -1,4 +1,4 @@ -From 69d2f2339e43e44ea23bb9b9f699b093046568fe Mon Sep 17 00:00:00 2001 +From b492588a54b8efa1fba1de700cb3e0ad3fe665d9 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Thu, 16 Nov 2017 17:09:16 +1100 Subject: [PATCH] pkg: devmapper: dynamically load dm_task_deferred_remove @@ -17,7 +17,6 @@ gate the whole dlsym(3) logic behind a buildflag that we disable by default (libdm_dlsym_deferred_remove). SUSE-Bugs: bsc#1021227 bsc#1029320 bsc#1058173 -SUSE-Backport: https://github.com/moby/moby/pull/35518 Signed-off-by: Aleksa Sarai --- hack/make.sh | 12 +- @@ -29,7 +28,7 @@ Signed-off-by: Aleksa Sarai create mode 100644 pkg/devicemapper/devmapper_wrapper_dynamic_dlsym_deferred_remove.go diff --git a/hack/make.sh b/hack/make.sh -index 58e0d8cd628a..3b78ddef30b0 100755 +index bc18c066b66c..6e94824ad557 100755 --- a/hack/make.sh +++ b/hack/make.sh @@ -112,6 +112,12 @@ if [ ! "$GOPATH" ]; then 
@@ -55,9 +54,9 @@ index 58e0d8cd628a..3b78ddef30b0 100755 +# with a newer libdevmapper than the one it was built wih. if \ command -v gcc &> /dev/null \ - && ! ( echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null -ldevmapper &> /dev/null ) \ + && ! ( echo -e '#include \nint main() { dm_task_deferred_remove(NULL); }'| gcc -xc - -o /dev/null $(pkg-config --libs devmapper) &> /dev/null ) \ ; then -- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove' +- DOCKER_BUILDTAGS+=' libdm_no_deferred_remove' + add_buildtag libdm dlsym_deferred_remove fi @@ -69,20 +68,20 @@ rename to pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go index 7f793c270868..bf57371ff4cf 100644 --- a/pkg/devicemapper/devmapper_wrapper_deferred_remove.go +++ b/pkg/devicemapper/devmapper_wrapper_dynamic_deferred_remove.go -@@ -1,14 +1,15 @@ +@@ -1,11 +1,15 @@ -// +build linux,cgo,!libdm_no_deferred_remove +// +build linux,cgo,!static_build +// +build !libdm_dlsym_deferred_remove,!libdm_no_deferred_remove package devicemapper - /* --#cgo LDFLAGS: -L. -ldevmapper - #include - */ +-// #include ++/* ++#include ++*/ import "C" --// LibraryDeferredRemovalSupport is supported when statically linked. +-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build +// LibraryDeferredRemovalSupport tells if the feature is supported by the +// current Docker invocation. const LibraryDeferredRemovalSupport = true @@ -149,7 +148,7 @@ index 000000000000..5dfb369f1ff8 +import ( + "unsafe" + -+ "github.com/Sirupsen/logrus" ++ "github.com/sirupsen/logrus" +) + +// dm_task_deferred_remove is not supported by all distributions, due to 
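Review bot: The rebased hack/make.sh probe now links the test program with `$(pkg-config --libs devmapper)` instead of `-ldevmapper`, so if pkg-config or the devmapper .pc file is missing the expansion is empty, the link fails, and the negated test silently selects the `dlsym_deferred_remove` build tag instead of reporting a missing build dependency. Since the whole subshell is redirected with `&> /dev/null`, pkg-config's own error is swallowed too. Consider gating the probe on `command -v pkg-config &> /dev/null` next to the existing gcc check, or capturing the flags first and failing loudly, e.g. `libs=$(pkg-config --libs devmapper) || { echo 'devmapper pkg-config data missing' >&2; exit 1; }`, unless docker.spec already guarantees pkg-config and the devmapper development files (not visible in this diff). The `if` block containing this probe continues outside the hunk.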
@@ -233,7 +232,7 @@ index a880fec8c499..80b034b3ff17 100644 package devicemapper --// LibraryDeferredRemovalSupport is not supported when statically linked. +-// LibraryDeferredRemovalSupport tells if the feature is enabled in the build +// LibraryDeferredRemovalSupport tells if the feature is supported by the +// current Docker invocation. const LibraryDeferredRemovalSupport = false diff --git a/bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch b/bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch deleted file mode 100644 index 2122b3f..0000000 --- a/bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From be9eaee9e25e6b389fcfacd8829bc1235269527b Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Sun, 20 Aug 2017 13:50:52 +1000 -Subject: [PATCH] devicemapper: remove container rootfs mountPath after umount - -libdm currently has a fairly substantial DoS bug that makes certain -operations fail on a libdm device if the device has active references -through mountpoints. This is a significant problem with the advent of -mount namespaces and MS_PRIVATE, and can cause certain --volume mounts -to cause libdm to no longer be able to remove containers: - - % docker run -d --name testA busybox top - % docker run -d --name testB -v /var/lib/docker:/docker busybox top - % docker rm -f testA - [fails on libdm with dm_task_run errors.] - -This also solves the problem of unprivileged users being able to DoS -docker by using unprivileged mount namespaces to preseve mounts that -Docker has dropped. - -SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1045628 -SUSE-Backport: https://github.com/moby/moby/pull/34573 -Signed-off-by: Aleksa Sarai ---- - daemon/graphdriver/devmapper/deviceset.go | 12 ++++++++++++ - daemon/graphdriver/devmapper/driver.go | 4 +++- - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/daemon/graphdriver/devmapper/deviceset.go b/daemon/graphdriver/devmapper/deviceset.go -index ba845d4d01d4..fe8103683b9b 100644 ---- a/daemon/graphdriver/devmapper/deviceset.go -+++ b/daemon/graphdriver/devmapper/deviceset.go -@@ -2402,6 +2402,18 @@ func (devices *DeviceSet) UnmountDevice(hash, mountPath string) error { - } - logrus.Debug("devmapper: Unmount done") - -+ // Remove the mountpoint here. Removing the mountpoint (in newer kernels) -+ // will cause all other instances of this mount in other mount namespaces -+ // to be killed (this is an anti-DoS measure that is necessary for things -+ // like devicemapper). 
This is necessary to avoid cases where a libdm mount -+ // that is present in another namespace will cause subsequent RemoveDevice -+ // operations to fail. We ignore any errors here because this may fail on -+ // older kernels which don't have -+ // torvalds/linux@8ed936b5671bfb33d89bc60bdcc7cf0470ba52fe applied. -+ if err := os.Remove(mountPath); err != nil { -+ logrus.Debugf("devmapper: error doing a remove on unmounted device %s: %v", mountPath, err) -+ } -+ - return devices.deactivateDevice(info) - } - -diff --git a/daemon/graphdriver/devmapper/driver.go b/daemon/graphdriver/devmapper/driver.go -index 91de5cd12a0f..69a3b3184933 100644 ---- a/daemon/graphdriver/devmapper/driver.go -+++ b/daemon/graphdriver/devmapper/driver.go -@@ -227,10 +227,12 @@ func (d *Driver) Put(id string) error { - if count := d.ctr.Decrement(mp); count > 0 { - return nil - } -+ - err := d.DeviceSet.UnmountDevice(id, mp) - if err != nil { -- logrus.Errorf("devmapper: Error unmounting device %s: %s", id, err) -+ logrus.Errorf("devmapper: Error unmounting device %s: %v", id, err) - } -+ - return err - } - --- -2.14.1 - diff --git a/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch b/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch index 50546b3..88b70c2 100644 --- a/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch +++ b/bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch @@ -1,4 +1,4 @@ -From 6f18798a72d330f282ff7beb554d298f30531c8f Mon Sep 17 00:00:00 2001 +From a24b98c0fc45d640b4eed8105033b313b8145e35 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Sun, 15 Oct 2017 17:06:20 +1100 Subject: [PATCH] daemon: oci: obey CL_UNPRIVILEGED for user namespaced daemon @@ -21,13 +21,13 @@ Signed-off-by: Aleksa Sarai 1 file changed, 46 insertions(+) diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go -index 9cf6674dfe11..0f1dabc31100 100644 +index 0f8a392c2621..89ac627ff090 100644 
--- a/daemon/oci_linux.go +++ b/daemon/oci_linux.go -@@ -27,6 +27,7 @@ import ( - "github.com/opencontainers/runc/libcontainer/devices" - "github.com/opencontainers/runc/libcontainer/user" - specs "github.com/opencontainers/runtime-spec/specs-go" +@@ -26,6 +26,7 @@ import ( + "github.com/opencontainers/runc/libcontainer/user" + specs "github.com/opencontainers/runtime-spec/specs-go" + "github.com/sirupsen/logrus" + "golang.org/x/sys/unix" ) @@ -71,7 +71,7 @@ index 9cf6674dfe11..0f1dabc31100 100644 var ( mountPropagationMap = map[string]int{ "private": mount.PRIVATE, -@@ -573,6 +606,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c +@@ -575,6 +608,19 @@ func setMounts(daemon *Daemon, s *specs.Spec, c *container.Container, mounts []c opts = append(opts, mountPropagationReverseMap[pFlag]) } @@ -92,5 +92,5 @@ index 9cf6674dfe11..0f1dabc31100 100644 s.Mounts = append(s.Mounts, mt) } -- -2.14.2 +2.15.0 diff --git a/bsc1064781-0001-Allow-to-override-build-date.patch b/bsc1064781-0001-Allow-to-override-build-date.patch deleted file mode 100644 index f62090d..0000000 --- a/bsc1064781-0001-Allow-to-override-build-date.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 760763e9957840f1983a5006f4e66d6920ec496e Mon Sep 17 00:00:00 2001 -From: "Bernhard M. Wiedemann" -Date: Wed, 19 Jul 2017 06:17:19 +0200 -Subject: [PATCH] Allow to override build date - -in order to make builds reproducible. -See https://reproducible-builds.org/ for why this is good -and https://reproducible-builds.org/specs/source-date-epoch/ -for the definition of this variable. - -SUSE-Bugfix: https://bugzilla.suse.com/show_bug.cgi?id=1064781 -Signed-off-by: Bernhard M. Wiedemann -Signed-off-by: Aleksa Sarai ---- - hack/make.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/hack/make.sh b/hack/make.sh -index b7d59ba94a00..7d18d649b540 100755 ---- a/hack/make.sh -+++ b/hack/make.sh -@@ -68,7 +68,7 @@ DEFAULT_BUNDLES=( - ) - - VERSION=$(< ./VERSION) --! BUILDTIME=$(date --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') -+! BUILDTIME=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" --rfc-3339 ns 2> /dev/null | sed -e 's/ /T/') - if [ "$DOCKER_GITCOMMIT" ]; then - GITCOMMIT="$DOCKER_GITCOMMIT" - elif command -v git &> /dev/null && [ -d .git ] && git rev-parse &> /dev/null; then --- -2.14.2 - diff --git a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch b/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch deleted file mode 100644 index b3dca29..0000000 --- a/bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch +++ /dev/null 
@@ -1,118 +0,0 @@ -From b5cf56bc7f734ed8bfad4119fb817261e541a609 Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Wed, 8 Nov 2017 02:50:52 +1100 -Subject: [PATCH] vendor: update to github.com/vbatts/tar-split@v0.10.2 - -Update to the latest version of tar-split, which includes a change to -fix a memory exhaustion issue where a malformed image could cause the -Docker daemon to crash. - - * tar: asm: store padding in chunks to avoid memory exhaustion - -Fixes: CVE-2017-14992 -SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066210 -Signed-off-by: Aleksa Sarai ---- - vendor.conf | 2 +- - vendor/github.com/vbatts/tar-split/README.md | 3 +- - .../vbatts/tar-split/tar/asm/disassemble.go | 43 ++++++++++++++-------- - 3 files changed, 31 insertions(+), 17 deletions(-) - -diff --git a/vendor.conf b/vendor.conf -index 535adad38728..ea4f75bbea10 100644 ---- a/vendor.conf -+++ b/vendor.conf -@@ -53,7 +53,7 @@ github.com/miekg/dns 75e6e86cc601825c5dbcd4e0c209eab180997cd7 - - # get graph and distribution packages - github.com/docker/distribution b38e5838b7b2f2ad48e06ec4b500011976080621 --github.com/vbatts/tar-split v0.10.1 -+github.com/vbatts/tar-split v0.10.2 - github.com/opencontainers/go-digest a6d0ee40d4207ea02364bd3b9e8e77b9159ba1eb - - # get go-zfs packages -diff --git a/vendor/github.com/vbatts/tar-split/README.md b/vendor/github.com/vbatts/tar-split/README.md -index 4c544d823fbc..03e3ec4308b7 100644 ---- a/vendor/github.com/vbatts/tar-split/README.md -+++ b/vendor/github.com/vbatts/tar-split/README.md -@@ -1,6 +1,7 @@ - # tar-split - - [![Build Status](https://travis-ci.org/vbatts/tar-split.svg?branch=master)](https://travis-ci.org/vbatts/tar-split) -+[![Go Report Card](https://goreportcard.com/badge/github.com/vbatts/tar-split)](https://goreportcard.com/report/github.com/vbatts/tar-split) - - Pristinely disassembling a tar archive, and stashing needed raw bytes and offsets to reassemble a validating original archive. 
- -@@ -50,7 +51,7 @@ For example stored sparse files that have "holes" in them, will be read as a - contiguous file, though the archive contents may be recorded in sparse format. - Therefore when adding the file payload to a reassembled tar, to achieve - identical output, the file payload would need be precisely re-sparsified. This --is not something I seek to fix imediately, but would rather have an alert that -+is not something I seek to fix immediately, but would rather have an alert that - precise reassembly is not possible. - (see more http://www.gnu.org/software/tar/manual/html_node/Sparse-Formats.html) - -diff --git a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go -index 54ef23aed366..009b3f5d8124 100644 ---- a/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go -+++ b/vendor/github.com/vbatts/tar-split/tar/asm/disassemble.go -@@ -2,7 +2,6 @@ package asm - - import ( - "io" -- "io/ioutil" - - "github.com/vbatts/tar-split/archive/tar" - "github.com/vbatts/tar-split/tar/storage" -@@ -119,20 +118,34 @@ func NewInputTarStream(r io.Reader, p storage.Packer, fp storage.FilePutter) (io - } - } - -- // it is allowable, and not uncommon that there is further padding on the -- // end of an archive, apart from the expected 1024 null bytes. -- remainder, err := ioutil.ReadAll(outputRdr) -- if err != nil && err != io.EOF { -- pW.CloseWithError(err) -- return -- } -- _, err = p.AddEntry(storage.Entry{ -- Type: storage.SegmentType, -- Payload: remainder, -- }) -- if err != nil { -- pW.CloseWithError(err) -- return -+ // It is allowable, and not uncommon that there is further padding on -+ // the end of an archive, apart from the expected 1024 null bytes. We -+ // do this in chunks rather than in one go to avoid cases where a -+ // maliciously crafted tar file tries to trick us into reading many GBs -+ // into memory. 
-+ const paddingChunkSize = 1024 * 1024 -+ var paddingChunk [paddingChunkSize]byte -+ for { -+ var isEOF bool -+ n, err := outputRdr.Read(paddingChunk[:]) -+ if err != nil { -+ if err != io.EOF { -+ pW.CloseWithError(err) -+ return -+ } -+ isEOF = true -+ } -+ _, err = p.AddEntry(storage.Entry{ -+ Type: storage.SegmentType, -+ Payload: paddingChunk[:n], -+ }) -+ if err != nil { -+ pW.CloseWithError(err) -+ return -+ } -+ if isEOF { -+ break -+ } - } - pW.Close() - }() --- -2.14.3 - diff --git a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch b/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch deleted file mode 100644 index 315cd5b..0000000 --- a/bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch +++ /dev/null @@ -1,31 +0,0 @@ -From d0194d04255e8121d67c1f55d7dce8f5ba67fccc Mon Sep 17 00:00:00 2001 -From: Aleksa Sarai -Date: Tue, 7 Nov 2017 18:32:41 +1100 -Subject: [PATCH] oci: add /proc/scsi to masked paths - -This is writeable, and can be used to remove devices. Containers do -not need to know about scsi devices. - -Fixes: CVE-2017-16539 -SUSE-Bug: https://bugzilla.suse.com/show_bug.cgi?id=1066801 -Signed-off-by: Justin Cormack -Signed-off-by: Aleksa Sarai ---- - oci/defaults.go | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/oci/defaults.go b/oci/defaults.go -index d706fafcc021..a7fd285060c2 100644 ---- a/oci/defaults.go -+++ b/oci/defaults.go -@@ -132,6 +132,7 @@ func DefaultLinuxSpec() specs.Spec { - "/proc/timer_list", - "/proc/timer_stats", - "/proc/sched_debug", -+ "/proc/scsi", - }, - ReadonlyPaths: []string{ - "/proc/asound", --- -2.14.3 - diff --git a/docker-17.07.0_ce.tar.xz b/docker-17.07.0_ce.tar.xz deleted file mode 100644 index c7a52da..0000000 --- a/docker-17.07.0_ce.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:50c6b7f10e313ffe906b2fd72a6844f14d23458e2881a862c630c37c1c87f4b8 -size 6142992 
diff --git a/docker-17.09.1_ce.tar.xz b/docker-17.09.1_ce.tar.xz new file mode 100644 index 0000000..a659615 --- /dev/null +++ b/docker-17.09.1_ce.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dd19ad9900aaabb9eb5870be6271262aebbd4f86fa12f7c59677d47876492bf9 +size 6237800 diff --git a/docker.changes b/docker.changes index 379427e..ae73ac8 100644 --- a/docker.changes +++ b/docker.changes @@ -1,3 +1,27 @@ +------------------------------------------------------------------- +Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com + +- Update to Docker v17.09.1_ce. Upstream changelog: + https://github.com/docker/docker-ce/releases/tag/v17.09.1-ce +- Removed patches (merged upstream): + - bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch + - bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch + - bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch + +------------------------------------------------------------------- +Mon Dec 18 12:32:35 UTC 2017 - asarai@suse.com + +- Update to Docker v17.09.0_ce. Upstream changelog: + https://github.com/docker/docker-ce/releases/tag/v17.09.0-ce +- Rebased patches: + * bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch + * bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch + * bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch + * secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch + * secrets-0002-SUSE-implement-SUSE-container-secrets.patch +- Removed patches (merged upstream): + - bsc1064781-0001-Allow-to-override-build-date.patch + ------------------------------------------------------------------- Tue Dec 5 10:58:07 UTC 2017 - asarai@suse.com 
@@ -78,7 +102,7 @@ Mon Oct 16 11:06:22 UTC 2017 - asarai@suse.com ------------------------------------------------------------------- Mon Oct 9 11:36:59 UTC 2017 - asarai@suse.com -- Update to Docker v17.07-ce (bsc#1069758). Upstream changelog: +- Update to Docker v17.07.0_ce (bsc#1069758). Upstream changelog: https://github.com/docker/docker-ce/releases/tag/v17.06.0-ce https://github.com/docker/docker-ce/releases/tag/v17.07.0-ce - Removed no-longer needed patches. diff --git a/docker.spec b/docker.spec index 204c739..0dce5ce 100644 --- a/docker.spec +++ b/docker.spec @@ -31,11 +31,17 @@ # helpfully injects into our build environment from the changelog). If you want # to generate a new git_commit_epoch, use this: # $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s' -%define git_version 87847530f717 -%define git_commit_epoch 1508266293 +%define git_version f4ffd2511ce9 +%define git_commit_epoch 1508606827 + +# These are the git commits required. We verify them against the source to make +# sure we didn't miss anything important when doing upgrades. +%define required_containerd 06b9cb35161009dcb7123345749fef02f7cea8e0 +%define required_dockerrunc 3f2f8b84a77f73d38244dd690525642a72156c64 +%define required_libnetwork 7b2b1feb1de4817d522cc372af149ff48d25028e Name: docker -Version: 17.07.0_ce +Version: 17.09.1_ce Release: 0 Summary: The Linux container runtime License: Apache-2.0 
@@ -57,17 +63,9 @@ Source9: tests.sh Patch200: secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch Patch201: secrets-0002-SUSE-implement-SUSE-container-secrets.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35205. bsc#1055676 -Patch401: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34573. bsc#1045628 -Patch402: bsc1045628-0001-devicemapper-remove-container-rootfs-mountPath-after.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/34176. boo#1064781 -Patch403: bsc1064781-0001-Allow-to-override-build-date.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35399. boo#1066801 CVE-2017-16539 -Patch404: bsc1066801-0001-oci-add-proc-scsi-to-masked-paths.patch -# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35424. boo#1066210 CVE-2017-14992 -Patch405: bsc1066210-0001-vendor-update-to-github.com-vbatts-tar-split-v0.10.2.patch +Patch400: bsc1055676-0001-daemon-oci-obey-CL_UNPRIVILEGED-for-user-namespaced-.patch # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/35518. bsc#1021227 bsc#1029320 bsc#1058173 -Patch406: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch +Patch401: bsc1021227-0001-pkg-devmapper-dynamically-load-dm_task_deferred_remo.patch BuildRequires: audit BuildRequires: bash-completion BuildRequires: ca-certificates 
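Review bot: Dropping Patch404 and Patch405 also drops the only mentions of CVE-2017-16539 and CVE-2017-14992 from the spec, and the accompanying docker.changes entry lists the removed patch names without the CVE ids, so the security audit trail for this package loses the fact that the 17.09.1_ce bump is what now carries those fixes. A one-line comment near the Patch4xx block such as `# CVE-2017-16539 (bsc#1066801) and CVE-2017-14992 (bsc#1066210) are fixed upstream as of 17.09.1_ce.` keeps that traceable. Separately, the comment for the renumbered Patch401 still reads "Backport of https://github.com/moby/moby/pull/35518" while the rebased patch header in bsc1021227-0001 removes its `SUSE-Backport:` trailer; if the upstream PR was not merged in that form, the spec comment should be reconciled with the patch.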
@@ -101,14 +99,14 @@ Requires: ca-certificates-mozilla # Required in order for networking to work. fix_bsc_1057743 is a work-around # for some old packaging issues (where rpm would delete a binary that was # installed by docker-libnetwork). See bsc#1057743 for more details. -Requires: docker-libnetwork = 0.7.0+gitr2322_4a242dba7739 +Requires: docker-libnetwork-git = %{required_libnetwork} Requires: fix_bsc_1057743 # Containerd and runC are required as they are the only currently supported # execdrivers of Docker. NOTE: The version pinning here matches upstream's # vendor.conf to ensure that we don't use a slightly incompatible version of # runC or containerd (which would be bad). -Requires: containerd = 0.2.8+gitr671_3addd8406531 -Requires: docker-runc = 1.0.0rc3+gitr3201_2d41c04 +Requires: containerd-git = %{required_containerd} +Requires: docker-runc-git = %{required_dockerrunc} # Provides mkfs.ext4 - used by Docker when devicemapper storage driver is used Requires: e2fsprogs Requires: git-core >= 1.7 @@ -126,7 +124,7 @@ Requires(post): shadow Recommends: lvm2 >= 2.2.89 Conflicts: lxc < 1.0 BuildRoot: %{_tmppath}/%{name}-%{version}-build -ExcludeArch: %ix86 s390 ppc +ExcludeArch: s390 ppc # Make sure we build with go 1.8 BuildRequires: go-go-md2man BuildRequires: golang(API) = 1.8 
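Review bot: The comment above the containerd/runC Requires still says the pinning "matches upstream's vendor.conf", but the new `%{required_containerd}` / `%{required_dockerrunc}` / `%{required_libnetwork}` values are verified later in this spec against `hack/dockerfile/binaries-commits`, not vendor.conf, so the comment now points readers at the wrong file. Suggest `# vendor.conf` → `# hack/dockerfile/binaries-commits` in that comment so the pin's source of truth is named correctly. Pinning by exact commit via the `-git` provides is a welcome tightening over the previous version strings.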
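Review bot: Removing `%ix86` from `ExcludeArch` re-enables 32-bit x86 builds of the daemon, which is a behavioural change that neither a spec comment nor the new docker.changes entries mention. If this is intentional, record it (e.g. `- Re-enable %ix86 builds.` in the changes entry, or a short comment on the ExcludeArch line); if it is a side effect of the rebase, it should be reverted, since a previously excluded architecture may not have been tested with the devmapper and seccomp paths this package carries.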
@@ -183,21 +181,14 @@ Test package for docker. It contains the source code and the tests. %if 0%{?is_opensuse} # nothing %else +# PATCH-SUSE: Secrets patches. %patch200 -p1 -d components/engine %patch201 -p1 -d components/engine %endif # bsc#1055676 -%patch401 -p1 -d components/engine -# bsc#1045628 -%patch402 -p1 -d components/engine -# boo#1064781 -%patch403 -p1 -d components/engine -# boo#1066801 CVE-2017-16539 -%patch404 -p1 -d components/engine -# boo#1066210 CVE-2017-14992 -%patch405 -p1 -d components/engine +%patch400 -p1 -d components/engine # bsc#1021227 bsc#1029320 bsc#1058173 -%patch406 -p1 -d components/engine +%patch401 -p1 -d components/engine cp %{SOURCE7} . cp %{SOURCE9} . @@ -277,6 +268,12 @@ cp -ar %{buildroot}/usr/src/docker/engine $HOME/go/src/github.com/docker/docker cd $HOME/go/src/github.com/docker/docker +# We verify that all of our -git requires are correct. This is done on-build to +# make sure that someone doing an update didn't miss anything. +grep 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits +grep 'CONTAINERD_COMMIT=%{required_containerd}' hack/dockerfile/binaries-commits +grep 'LIBNETWORK_COMMIT=%{required_libnetwork}' hack/dockerfile/binaries-commits + # The command is taken from hack/make/test-unit and various test runs. # Everything that follows github.com/docker/pkg/integration-cli are packages # containing tests that cannot run in an obs build context. Some tests must be @@ -300,6 +297,7 @@ PKG_LIST=$(go list -e \ | grep -v 'github.com/docker/docker/daemon$' \ | grep -v 'github.com/docker/docker/daemon/graphdriver' \ | grep -Pv 'github.com/docker/docker/daemon/logger(?!/gelf)' \ + | grep -v 'github.com/docker/docker/integration' \ | grep -v 'github.com/docker/docker/integration-cli' \ | grep -v 'github.com/docker/docker/man$' \ | grep -v 'github.com/docker/docker/pkg/archive$' \ 
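Review bot: The three `grep '..._COMMIT=%{required_...}' hack/dockerfile/binaries-commits` checks appear to sit in the test section (they are followed by the `hack/make/test-unit` commentary), so the commit verification only runs when %check runs; a build with checks disabled would still produce a package whose `-git` Requires were never validated against the source. Moving the three lines to %prep or %build, right after the sources are unpacked, makes the supply-chain check unconditional. While there, `grep -qx` would make each check an exact-line match rather than a substring one, e.g. `grep -qx 'RUNC_COMMIT=%{required_dockerrunc}' hack/dockerfile/binaries-commits`. This is inferred from the surrounding context; the section header itself is outside the hunk.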
@@ -322,22 +320,33 @@ PKG_LIST=$(go list -e \ ) # PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER! rm ./pkg/system/rm_test.go - go test -buildmode=pie -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST # DOCKER CLIENT +find $(go env GOROOT) -type d + cp -ar %{buildroot}/usr/src/docker/cli $HOME/go/src/github.com/docker/cli cd $HOME/go/src/github.com/docker/cli PKG_LIST=$(go list ./... \ | grep 'github.com/docker/cli' \ | grep -v 'github.com/docker/cli/vendor' \ + | grep -Ev 'vendor/(.+/)?github.com/docker/cli' \ | grep -v 'github.com/docker/cli/cli/command/idresolver' \ | grep -v 'github.com/docker/cli/cli/command/image' \ | grep -v 'github.com/docker/cli/cli/image' \ + | grep -v 'github.com/docker/cli/cmd/docker' \ + | grep -v 'github.com/docker/cli/e2e' \ + | grep -v 'github.com/docker/cli/cli/image' \ ) # PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER! -go test -buildmode=pie -cover -ldflags -w -tags daemon -a -test.timeout=10m $PKG_LIST +# We cannot use -buildmode=pie here becaue (for some reason) 'go test' will +# produce really odd errors about packages missing (this only happens if we +# have a lot of packages in the cmdline). So just avoid running these tests if +# we're on ppc64le (which requires -buildmode=pie). +%ifnarch ppc64le +go test -cover -ldflags -w -tags "$DOCKER_BUILDTAGS" -a -test.timeout=10m $PKG_LIST +%endif %install install -d %{buildroot}%{go_contribdir} diff --git a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch index 66d1782..c0e06a8 100644 --- a/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch +++ b/secrets-0001-daemon-allow-directory-creation-in-run-secrets.patch @@ -1,4 +1,4 @@ -From 102c28e548a544d672163300334d01240cfc965b Mon Sep 17 00:00:00 2001 +From 5022c3554723040682444e324cd26ec8e2500131 Mon Sep 17 00:00:00 2001 
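Review bot: `find $(go env GOROOT) -type d` at the top of the client test section looks like a leftover debugging command; it only dumps the Go tree listing into the build log and should be removed. In the client PKG_LIST filter, `| grep -v 'github.com/docker/cli/cli/image'` is now present twice and the new `cmd/docker` and `e2e` entries are not in the order the "PLEASE KEEP THIS LIST IN ALPHABETICAL ORDER" comment asks for, so drop the duplicate and reorder. The client `go test` also switches from `-tags daemon` to `-tags "$DOCKER_BUILDTAGS"`, which is the engine's tag set; if the cli tree still relies on the `daemon` tag this silently drops it, so confirm which tags the cli tests expect. The new comment has a typo: `becaue` → `because`.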
From: Aleksa Sarai Date: Wed, 8 Mar 2017 12:41:54 +1100 Subject: [PATCH 1/2] daemon: allow directory creation in /run/secrets @@ -14,7 +14,7 @@ Signed-off-by: Aleksa Sarai 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go -index 84b7eb352f1a..dc3a48bfe47a 100644 +index 954c194ea836..3ef1e0262edc 100644 --- a/daemon/container_operations_unix.go +++ b/daemon/container_operations_unix.go @@ -3,6 +3,7 @@ @@ -26,7 +26,7 @@ index 84b7eb352f1a..dc3a48bfe47a 100644 "fmt" "io/ioutil" @@ -13,6 +14,7 @@ import ( - "github.com/Sirupsen/logrus" + "github.com/docker/docker/container" "github.com/docker/docker/daemon/links" + "github.com/docker/docker/pkg/archive" @@ -70,5 +70,5 @@ index 84b7eb352f1a..dc3a48bfe47a 100644 return errors.Wrap(err, "error setting ownership for secret") } -- -2.15.0 +2.15.1 diff --git a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch index d30b6de..e85be85 100644 --- a/secrets-0002-SUSE-implement-SUSE-container-secrets.patch +++ b/secrets-0002-SUSE-implement-SUSE-container-secrets.patch @@ -1,4 +1,4 @@ -From c62fb8fa766b6917839987b7e1323f0523166d32 Mon Sep 17 00:00:00 2001 +From a84aa9152b50ea1fd73a7d09246ac056534d0e48 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 8 Mar 2017 11:43:29 +1100 Subject: [PATCH 2/2] SUSE: implement SUSE container secrets @@ -19,7 +19,7 @@ Signed-off-by: Aleksa Sarai create mode 100644 daemon/suse_secrets.go diff --git a/daemon/start.go b/daemon/start.go -index 55438cf2c45f..7dfa6cd1d055 100644 +index de32a649d7ed..2b6137d315e9 100644 --- a/daemon/start.go +++ b/daemon/start.go @@ -147,6 +147,11 @@ func (daemon *Daemon) containerStart(container *container.Container, checkpoint @@ -33,7 +33,7 @@ index 55438cf2c45f..7dfa6cd1d055 100644 + spec, err := daemon.createSpec(container) if err != nil { - return err + return systemError{err} 
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go new file mode 100644 index 000000000000..9d0788f0410d @@ -74,7 +74,7 @@ index 000000000000..9d0788f0410d + "github.com/docker/docker/pkg/archive" + "github.com/docker/docker/pkg/idtools" + "github.com/opencontainers/go-digest" -+ "github.com/Sirupsen/logrus" ++ "github.com/sirupsen/logrus" + + swarmtypes "github.com/docker/docker/api/types/swarm" + swarmexec "github.com/docker/swarmkit/agent/exec" @@ -432,5 +432,5 @@ index 000000000000..9d0788f0410d + return nil +} -- -2.15.0 +2.15.1