Accepting request 1147713 from Virtualization:containers
OBS-URL: https://build.opensuse.org/request/show/1147713 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=143
commit
af5f657805
@ -1,7 +1,7 @@
|
|||||||
From 678e0f470c01dcf849d42d4f3f38e97b8d7ba841 Mon Sep 17 00:00:00 2001
|
From 4a5c4ff94d466dcd5d7c986478ee3c12d056208a Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
Date: Wed, 8 Mar 2017 12:41:54 +1100
|
||||||
Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
|
Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
|
||||||
|
|
||||||
Since FileMode can have the directory bit set, allow a SecretStore
|
Since FileMode can have the directory bit set, allow a SecretStore
|
||||||
implementation to return secrets that are actually directories. This is
|
implementation to return secrets that are actually directories. This is
|
||||||
@ -14,18 +14,18 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|||||||
1 file changed, 20 insertions(+), 3 deletions(-)
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
|
||||||
index 290ec59a34..b7013fb89c 100644
|
index 6a23a4ca92..4f2a611bbc 100644
|
||||||
--- a/daemon/container_operations_unix.go
|
--- a/daemon/container_operations_unix.go
|
||||||
+++ b/daemon/container_operations_unix.go
|
+++ b/daemon/container_operations_unix.go
|
||||||
@@ -4,6 +4,7 @@
|
@@ -3,6 +3,7 @@
|
||||||
package daemon // import "github.com/docker/docker/daemon"
|
package daemon // import "github.com/docker/docker/daemon"
|
||||||
|
|
||||||
import (
|
import (
|
||||||
+ "bytes"
|
+ "bytes"
|
||||||
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
@@ -16,6 +17,7 @@ import (
|
||||||
@@ -14,6 +15,7 @@ import (
|
|
||||||
"github.com/docker/docker/daemon/links"
|
"github.com/docker/docker/daemon/links"
|
||||||
"github.com/docker/docker/errdefs"
|
"github.com/docker/docker/errdefs"
|
||||||
"github.com/docker/docker/libnetwork"
|
"github.com/docker/docker/libnetwork"
|
||||||
@ -33,7 +33,7 @@ index 290ec59a34..b7013fb89c 100644
|
|||||||
"github.com/docker/docker/pkg/idtools"
|
"github.com/docker/docker/pkg/idtools"
|
||||||
"github.com/docker/docker/pkg/process"
|
"github.com/docker/docker/pkg/process"
|
||||||
"github.com/docker/docker/pkg/stringid"
|
"github.com/docker/docker/pkg/stringid"
|
||||||
@@ -206,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
@@ -201,9 +203,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "unable to get secret from secret store")
|
return errors.Wrap(err, "unable to get secret from secret store")
|
||||||
}
|
}
|
||||||
@ -43,7 +43,7 @@ index 290ec59a34..b7013fb89c 100644
|
|||||||
|
|
||||||
uid, err := strconv.Atoi(s.File.UID)
|
uid, err := strconv.Atoi(s.File.UID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -219,6 +218,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
@@ -214,6 +213,24 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -69,5 +69,5 @@ index 290ec59a34..b7013fb89c 100644
|
|||||||
return errors.Wrap(err, "error setting ownership for secret")
|
return errors.Wrap(err, "error setting ownership for secret")
|
||||||
}
|
}
|
||||||
--
|
--
|
||||||
2.43.0
|
2.39.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 4f2462c67f8aa24d08648c2494a83a10e1578079 Mon Sep 17 00:00:00 2001
|
From 0b91e46d6f1515461d28d768557b63eacbcc68af Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
Date: Wed, 8 Mar 2017 11:43:29 +1100
|
||||||
Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
|
Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
|
||||||
|
|
||||||
This allows for us to pass in host credentials to a container, allowing
|
This allows for us to pass in host credentials to a container, allowing
|
||||||
for SUSEConnect to work with containers.
|
for SUSEConnect to work with containers.
|
||||||
@ -19,10 +19,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|||||||
create mode 100644 daemon/suse_secrets.go
|
create mode 100644 daemon/suse_secrets.go
|
||||||
|
|
||||||
diff --git a/daemon/start.go b/daemon/start.go
|
diff --git a/daemon/start.go b/daemon/start.go
|
||||||
index 2e0b9e6be8..dca0448688 100644
|
index 24e72e2248..9bce0c6dff 100644
|
||||||
--- a/daemon/start.go
|
--- a/daemon/start.go
|
||||||
+++ b/daemon/start.go
|
+++ b/daemon/start.go
|
||||||
@@ -151,6 +151,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, container *container.C
|
@@ -159,6 +159,11 @@ func (daemon *Daemon) containerStart(ctx context.Context, daemonCfg *configStore
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -31,9 +31,9 @@ index 2e0b9e6be8..dca0448688 100644
|
|||||||
+ return errdefs.System(err)
|
+ return errdefs.System(err)
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
spec, err := daemon.createSpec(ctx, container)
|
spec, err := daemon.createSpec(ctx, daemonCfg, container)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errdefs.System(err)
|
// Any error that occurs while creating the spec, even if it's the
|
||||||
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
diff --git a/daemon/suse_secrets.go b/daemon/suse_secrets.go
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 0000000000..32b0ece91b
|
index 0000000000..32b0ece91b
|
||||||
@ -456,5 +456,5 @@ index 0000000000..32b0ece91b
|
|||||||
+ return nil
|
+ return nil
|
||||||
+}
|
+}
|
||||||
--
|
--
|
||||||
2.43.0
|
2.39.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From 4b6edb887a878a9637e9b3f434fa3f905543e1d1 Mon Sep 17 00:00:00 2001
|
From cee586793de12fc029897e897aacdf18933f8ba6 Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Mon, 22 May 2023 15:44:54 +1000
|
Date: Mon, 22 May 2023 15:44:54 +1000
|
||||||
Subject: [PATCH 3/6] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
Subject: [PATCH 3/5] BUILD: SLE12: revert "graphdriver/btrfs: use kernel UAPI
|
||||||
headers"
|
headers"
|
||||||
|
|
||||||
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
|
This reverts commit 3208dcabdc8997340b255f5b880fef4e3f54580d.
|
||||||
@ -16,10 +16,10 @@ Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
|||||||
1 file changed, 4 insertions(+), 9 deletions(-)
|
1 file changed, 4 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
|
diff --git a/daemon/graphdriver/btrfs/btrfs.go b/daemon/graphdriver/btrfs/btrfs.go
|
||||||
index d88efc4be2..4e976aa689 100644
|
index 6aaa33cf76..7264d40364 100644
|
||||||
--- a/daemon/graphdriver/btrfs/btrfs.go
|
--- a/daemon/graphdriver/btrfs/btrfs.go
|
||||||
+++ b/daemon/graphdriver/btrfs/btrfs.go
|
+++ b/daemon/graphdriver/btrfs/btrfs.go
|
||||||
@@ -5,17 +5,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
|
@@ -4,17 +4,12 @@ package btrfs // import "github.com/docker/docker/daemon/graphdriver/btrfs"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
@ -42,5 +42,5 @@ index d88efc4be2..4e976aa689 100644
|
|||||||
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
|
static void set_name_btrfs_ioctl_vol_args_v2(struct btrfs_ioctl_vol_args_v2* btrfs_struct, const char* value) {
|
||||||
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
|
snprintf(btrfs_struct->name, BTRFS_SUBVOL_NAME_MAX, "%s", value);
|
||||||
--
|
--
|
||||||
2.43.0
|
2.39.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From a309d7e57c351a5f81a0cf9a342205ab790f60ba Mon Sep 17 00:00:00 2001
|
From 99fb19fd177d211063394a56348ecd9987fd17aa Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
Date: Fri, 29 Jun 2018 17:59:30 +1000
|
||||||
Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
|
Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
|
||||||
start
|
start
|
||||||
|
|
||||||
In the process of making docker-default reloading far less expensive,
|
In the process of making docker-default reloading far less expensive,
|
||||||
@ -22,10 +22,10 @@ Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
|||||||
3 files changed, 17 insertions(+), 6 deletions(-)
|
3 files changed, 17 insertions(+), 6 deletions(-)
|
||||||
|
|
||||||
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
|
diff --git a/daemon/apparmor_default.go b/daemon/apparmor_default.go
|
||||||
index 6376001613..5fde21a4af 100644
|
index 81e10b6cbe..e695667a19 100644
|
||||||
--- a/daemon/apparmor_default.go
|
--- a/daemon/apparmor_default.go
|
||||||
+++ b/daemon/apparmor_default.go
|
+++ b/daemon/apparmor_default.go
|
||||||
@@ -24,6 +24,15 @@ func DefaultApparmorProfile() string {
|
@@ -23,6 +23,15 @@ func DefaultApparmorProfile() string {
|
||||||
return ""
|
return ""
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -41,7 +41,7 @@ index 6376001613..5fde21a4af 100644
|
|||||||
func ensureDefaultAppArmorProfile() error {
|
func ensureDefaultAppArmorProfile() error {
|
||||||
if apparmor.HostSupports() {
|
if apparmor.HostSupports() {
|
||||||
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
|
loaded, err := aaprofile.IsLoaded(defaultAppArmorProfile)
|
||||||
@@ -37,10 +46,7 @@ func ensureDefaultAppArmorProfile() error {
|
@@ -36,10 +45,7 @@ func ensureDefaultAppArmorProfile() error {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Load the profile.
|
// Load the profile.
|
||||||
@ -54,10 +54,10 @@ index 6376001613..5fde21a4af 100644
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
|
diff --git a/daemon/apparmor_default_unsupported.go b/daemon/apparmor_default_unsupported.go
|
||||||
index e3dc18b32b..9c77230562 100644
|
index be4938f5b6..2b326fea58 100644
|
||||||
--- a/daemon/apparmor_default_unsupported.go
|
--- a/daemon/apparmor_default_unsupported.go
|
||||||
+++ b/daemon/apparmor_default_unsupported.go
|
+++ b/daemon/apparmor_default_unsupported.go
|
||||||
@@ -3,6 +3,10 @@
|
@@ -2,6 +2,10 @@
|
||||||
|
|
||||||
package daemon // import "github.com/docker/docker/daemon"
|
package daemon // import "github.com/docker/docker/daemon"
|
||||||
|
|
||||||
@ -69,11 +69,11 @@ index e3dc18b32b..9c77230562 100644
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
diff --git a/daemon/daemon.go b/daemon/daemon.go
|
||||||
index 4d76c57988..15c95b50c4 100644
|
index 05b933ca86..cced9c9a8d 100644
|
||||||
--- a/daemon/daemon.go
|
--- a/daemon/daemon.go
|
||||||
+++ b/daemon/daemon.go
|
+++ b/daemon/daemon.go
|
||||||
@@ -839,8 +839,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
@@ -900,8 +900,9 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
||||||
logrus.Warnf("Failed to configure golang's threads limit: %v", err)
|
log.G(ctx).Warnf("Failed to configure golang's threads limit: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
- // ensureDefaultAppArmorProfile does nothing if apparmor is disabled
|
- // ensureDefaultAppArmorProfile does nothing if apparmor is disabled
|
||||||
@ -81,9 +81,9 @@ index 4d76c57988..15c95b50c4 100644
|
|||||||
+ // Make sure we clobber any pre-existing docker-default profile to ensure
|
+ // Make sure we clobber any pre-existing docker-default profile to ensure
|
||||||
+ // that upgrades to the profile actually work smoothly.
|
+ // that upgrades to the profile actually work smoothly.
|
||||||
+ if err := clobberDefaultAppArmorProfile(); err != nil {
|
+ if err := clobberDefaultAppArmorProfile(); err != nil {
|
||||||
logrus.Errorf(err.Error())
|
log.G(ctx).Errorf(err.Error())
|
||||||
}
|
}
|
||||||
|
|
||||||
--
|
--
|
||||||
2.43.0
|
2.39.0
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
From e4c2b3e6b168e815ec7248aea696afe807153cb6 Mon Sep 17 00:00:00 2001
|
From 079e8a9eefc639772d8849cea26727ea0918a74b Mon Sep 17 00:00:00 2001
|
||||||
From: Aleksa Sarai <asarai@suse.de>
|
From: Aleksa Sarai <asarai@suse.de>
|
||||||
Date: Wed, 11 Oct 2023 21:19:12 +1100
|
Date: Wed, 11 Oct 2023 21:19:12 +1100
|
||||||
Subject: [PATCH 5/6] SLE12: revert "apparmor: remove version-conditionals from
|
Subject: [PATCH 5/5] SLE12: revert "apparmor: remove version-conditionals from
|
||||||
template"
|
template"
|
||||||
|
|
||||||
This reverts the following commits:
|
This reverts the following commits:
|
||||||
@ -17,15 +17,16 @@ apparmor_parser version is quite old.
|
|||||||
|
|
||||||
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
|
||||||
---
|
---
|
||||||
contrib/apparmor/main.go | 16 ++++++++++++++--
|
contrib/apparmor/main.go | 16 ++++++-
|
||||||
contrib/apparmor/template.go | 16 ++++++++++++++++
|
contrib/apparmor/template.go | 16 +++++++
|
||||||
pkg/aaparser/aaparser.go | 2 --
|
pkg/aaparser/aaparser.go | 86 +++++++++++++++++++++++++++++++++++
|
||||||
profiles/apparmor/apparmor.go | 14 ++++++++++++--
|
profiles/apparmor/apparmor.go | 16 ++++++-
|
||||||
profiles/apparmor/template.go | 4 ++++
|
profiles/apparmor/template.go | 4 ++
|
||||||
5 files changed, 46 insertions(+), 6 deletions(-)
|
5 files changed, 134 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 pkg/aaparser/aaparser.go
|
||||||
|
|
||||||
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
|
diff --git a/contrib/apparmor/main.go b/contrib/apparmor/main.go
|
||||||
index d67890d265..f4a2978b86 100644
|
index 899d8378ed..93f98cbd20 100644
|
||||||
--- a/contrib/apparmor/main.go
|
--- a/contrib/apparmor/main.go
|
||||||
+++ b/contrib/apparmor/main.go
|
+++ b/contrib/apparmor/main.go
|
||||||
@@ -6,9 +6,13 @@ import (
|
@@ -6,9 +6,13 @@ import (
|
||||||
@ -156,24 +157,107 @@ index 58afcbe845..e6d0b6d37c 100644
|
|||||||
/lib/** rm,
|
/lib/** rm,
|
||||||
/usr/bin/xz rm,
|
/usr/bin/xz rm,
|
||||||
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
|
diff --git a/pkg/aaparser/aaparser.go b/pkg/aaparser/aaparser.go
|
||||||
index 3d7c2c5a97..2b5a2605f9 100644
|
new file mode 100644
|
||||||
--- a/pkg/aaparser/aaparser.go
|
index 0000000000..89b48b2dba
|
||||||
|
--- /dev/null
|
||||||
+++ b/pkg/aaparser/aaparser.go
|
+++ b/pkg/aaparser/aaparser.go
|
||||||
@@ -13,8 +13,6 @@ const (
|
@@ -0,0 +1,86 @@
|
||||||
)
|
+// Package aaparser is a convenience package interacting with `apparmor_parser`.
|
||||||
|
+package aaparser // import "github.com/docker/docker/pkg/aaparser"
|
||||||
// GetVersion returns the major and minor version of apparmor_parser.
|
+
|
||||||
-//
|
+import (
|
||||||
-// Deprecated: no longer used, and will be removed in the next release.
|
+ "fmt"
|
||||||
func GetVersion() (int, error) {
|
+ "os/exec"
|
||||||
output, err := cmd("", "--version")
|
+ "strconv"
|
||||||
if err != nil {
|
+ "strings"
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+const (
|
||||||
|
+ binary = "apparmor_parser"
|
||||||
|
+)
|
||||||
|
+
|
||||||
|
+// GetVersion returns the major and minor version of apparmor_parser.
|
||||||
|
+func GetVersion() (int, error) {
|
||||||
|
+ output, err := cmd("", "--version")
|
||||||
|
+ if err != nil {
|
||||||
|
+ return -1, err
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return parseVersion(output)
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// cmd runs `apparmor_parser` with the passed arguments.
|
||||||
|
+func cmd(dir string, arg ...string) (string, error) {
|
||||||
|
+ c := exec.Command(binary, arg...)
|
||||||
|
+ c.Dir = dir
|
||||||
|
+
|
||||||
|
+ output, err := c.CombinedOutput()
|
||||||
|
+ if err != nil {
|
||||||
|
+ return "", fmt.Errorf("running `%s %s` failed with output: %s\nerror: %v", c.Path, strings.Join(c.Args, " "), output, err)
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return string(output), nil
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+// parseVersion takes the output from `apparmor_parser --version` and returns
|
||||||
|
+// a representation of the {major, minor, patch} version as a single number of
|
||||||
|
+// the form MMmmPPP {major, minor, patch}.
|
||||||
|
+func parseVersion(output string) (int, error) {
|
||||||
|
+ // output is in the form of the following:
|
||||||
|
+ // AppArmor parser version 2.9.1
|
||||||
|
+ // Copyright (C) 1999-2008 Novell Inc.
|
||||||
|
+ // Copyright 2009-2012 Canonical Ltd.
|
||||||
|
+
|
||||||
|
+ lines := strings.SplitN(output, "\n", 2)
|
||||||
|
+ words := strings.Split(lines[0], " ")
|
||||||
|
+ version := words[len(words)-1]
|
||||||
|
+
|
||||||
|
+ // trim "-beta1" suffix from version="3.0.0-beta1" if exists
|
||||||
|
+ version = strings.SplitN(version, "-", 2)[0]
|
||||||
|
+ // also trim "~..." suffix used historically (https://gitlab.com/apparmor/apparmor/-/commit/bca67d3d27d219d11ce8c9cc70612bd637f88c10)
|
||||||
|
+ version = strings.SplitN(version, "~", 2)[0]
|
||||||
|
+
|
||||||
|
+ // split by major minor version
|
||||||
|
+ v := strings.Split(version, ".")
|
||||||
|
+ if len(v) == 0 || len(v) > 3 {
|
||||||
|
+ return -1, fmt.Errorf("parsing version failed for output: `%s`", output)
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // Default the versions to 0.
|
||||||
|
+ var majorVersion, minorVersion, patchLevel int
|
||||||
|
+
|
||||||
|
+ majorVersion, err := strconv.Atoi(v[0])
|
||||||
|
+ if err != nil {
|
||||||
|
+ return -1, err
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if len(v) > 1 {
|
||||||
|
+ minorVersion, err = strconv.Atoi(v[1])
|
||||||
|
+ if err != nil {
|
||||||
|
+ return -1, err
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ if len(v) > 2 {
|
||||||
|
+ patchLevel, err = strconv.Atoi(v[2])
|
||||||
|
+ if err != nil {
|
||||||
|
+ return -1, err
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ // major*10^5 + minor*10^3 + patch*10^0
|
||||||
|
+ numericVersion := majorVersion*1e5 + minorVersion*1e3 + patchLevel
|
||||||
|
+ return numericVersion, nil
|
||||||
|
+}
|
||||||
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
|
diff --git a/profiles/apparmor/apparmor.go b/profiles/apparmor/apparmor.go
|
||||||
index d0f2361605..b3566b2f73 100644
|
index 1edfc53002..0d23b940bd 100644
|
||||||
--- a/profiles/apparmor/apparmor.go
|
--- a/profiles/apparmor/apparmor.go
|
||||||
+++ b/profiles/apparmor/apparmor.go
|
+++ b/profiles/apparmor/apparmor.go
|
||||||
@@ -14,8 +14,10 @@ import (
|
@@ -11,10 +11,14 @@ import (
|
||||||
"github.com/docker/docker/pkg/aaparser"
|
"path"
|
||||||
|
"strings"
|
||||||
|
"text/template"
|
||||||
|
+
|
||||||
|
+ "github.com/docker/docker/pkg/aaparser"
|
||||||
)
|
)
|
||||||
|
|
||||||
-// profileDirectory is the file store for apparmor profiles and macros.
|
-// profileDirectory is the file store for apparmor profiles and macros.
|
||||||
@ -185,7 +269,7 @@ index d0f2361605..b3566b2f73 100644
|
|||||||
|
|
||||||
// profileData holds information about the given profile for generation.
|
// profileData holds information about the given profile for generation.
|
||||||
type profileData struct {
|
type profileData struct {
|
||||||
@@ -27,6 +29,8 @@ type profileData struct {
|
@@ -26,6 +30,8 @@ type profileData struct {
|
||||||
Imports []string
|
Imports []string
|
||||||
// InnerImports defines the apparmor functions to import in the profile.
|
// InnerImports defines the apparmor functions to import in the profile.
|
||||||
InnerImports []string
|
InnerImports []string
|
||||||
@ -194,7 +278,7 @@ index d0f2361605..b3566b2f73 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
// generateDefault creates an apparmor profile from ProfileData.
|
// generateDefault creates an apparmor profile from ProfileData.
|
||||||
@@ -46,6 +50,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
|
@@ -45,6 +51,12 @@ func (p *profileData) generateDefault(out io.Writer) error {
|
||||||
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
|
p.InnerImports = append(p.InnerImports, "#include <abstractions/base>")
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -208,10 +292,10 @@ index d0f2361605..b3566b2f73 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
|
diff --git a/profiles/apparmor/template.go b/profiles/apparmor/template.go
|
||||||
index 9f207e2014..626e5f6789 100644
|
index cf8c34ce8a..4ebd647e14 100644
|
||||||
--- a/profiles/apparmor/template.go
|
--- a/profiles/apparmor/template.go
|
||||||
+++ b/profiles/apparmor/template.go
|
+++ b/profiles/apparmor/template.go
|
||||||
@@ -24,12 +24,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
@@ -23,12 +23,14 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||||
capability,
|
capability,
|
||||||
file,
|
file,
|
||||||
umount,
|
umount,
|
||||||
@ -226,7 +310,7 @@ index 9f207e2014..626e5f6789 100644
|
|||||||
|
|
||||||
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
deny @{PROC}/* w, # deny write for all files directly in /proc (not in a subdir)
|
||||||
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
# deny write to files not in /proc/<number>/** or /proc/sys/**
|
||||||
@@ -50,7 +52,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
@@ -49,7 +51,9 @@ profile {{.Name}} flags=(attach_disconnected,mediate_deleted) {
|
||||||
deny /sys/devices/virtual/powercap/** rwklx,
|
deny /sys/devices/virtual/powercap/** rwklx,
|
||||||
deny /sys/kernel/security/** rwklx,
|
deny /sys/kernel/security/** rwklx,
|
||||||
|
|
||||||
@ -237,5 +321,5 @@ index 9f207e2014..626e5f6789 100644
|
|||||||
}
|
}
|
||||||
`
|
`
|
||||||
--
|
--
|
||||||
2.43.0
|
2.39.0
|
||||||
|
|
||||||
|
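Review bot: In the re-added `parseVersion` in pkg/aaparser/aaparser.go, the `len(v) == 0` half of the length check can never be true, because `strings.Split` always returns at least one element; empty or unexpected `apparmor_parser --version` output is therefore only caught by `strconv.Atoi`, whose bare error drops the output that the length-check error includes. If this number drives the version conditionals restored in the profile template (those template lines are not visible on this page), a misparse changes which rules are generated, so I would wrap the three Atoi failures with context, e.g. `return -1, fmt.Errorf("parsing apparmor_parser version %q: %w", version, err)`. The `MMmmPPP` encoding also assumes minor < 100 and patch < 1000, which deserves a line in the doc comment. `cmd` runs the bare name `apparmor_parser` through `exec.Command`, so the binary is resolved via the daemon's PATH; a comment stating that assumption would help packagers.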
File diff suppressed because it is too large
8
_service
8
_service
@ -3,16 +3,16 @@
|
|||||||
<param name="url">https://github.com/moby/moby.git</param>
|
<param name="url">https://github.com/moby/moby.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">24.0.7_ce_%h</param>
|
<param name="versionformat">25.0.3_ce_%h</param>
|
||||||
<param name="revision">v24.0.7</param>
|
<param name="revision">v25.0.3</param>
|
||||||
<param name="filename">docker</param>
|
<param name="filename">docker</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="tar_scm" mode="manual">
|
<service name="tar_scm" mode="manual">
|
||||||
<param name="url">https://github.com/docker/cli.git</param>
|
<param name="url">https://github.com/docker/cli.git</param>
|
||||||
<param name="scm">git</param>
|
<param name="scm">git</param>
|
||||||
<param name="exclude">.git</param>
|
<param name="exclude">.git</param>
|
||||||
<param name="versionformat">24.0.7_ce</param>
|
<param name="versionformat">25.0.3_ce</param>
|
||||||
<param name="revision">v24.0.7</param>
|
<param name="revision">v25.0.3</param>
|
||||||
<param name="filename">docker-cli</param>
|
<param name="filename">docker-cli</param>
|
||||||
</service>
|
</service>
|
||||||
<service name="recompress" mode="manual">
|
<service name="recompress" mode="manual">
|
||||||
|
File diff suppressed because it is too large
BIN
docker-24.0.7_ce_311b9ff0aa93.tar.xz
(Stored with Git LFS)
BIN
docker-24.0.7_ce_311b9ff0aa93.tar.xz
(Stored with Git LFS)
Binary file not shown.
3
docker-25.0.3_ce_f417435e5.tar.xz
Normal file
3
docker-25.0.3_ce_f417435e5.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:4fbef23923d6949cb83b1f2374adfd3cb1a10b9a4dc9586062d5d1d8fa46b1f0
|
||||||
|
size 11864752
|
BIN
docker-cli-24.0.7_ce.tar.xz
(Stored with Git LFS)
BIN
docker-cli-24.0.7_ce.tar.xz
(Stored with Git LFS)
Binary file not shown.
3
docker-cli-25.0.3_ce.tar.xz
Normal file
3
docker-cli-25.0.3_ce.tar.xz
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:f7e2be457177315bce7f31db577329812da085b5d63064bf3220b188e69fdd1d
|
||||||
|
size 3856520
|
@ -1,3 +1,22 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Feb 17 12:56:22 UTC 2024 - Danish Prakash <danish.prakash@suse.com>
|
||||||
|
|
||||||
|
- Update to Docker 25.0.3-ce. See upstream changelong online at
|
||||||
|
<https://docs.docker.com/engine/release-notes/25.0/#2503>
|
||||||
|
- Fixes:
|
||||||
|
* bsc#1219267 - CVE-2024-23651
|
||||||
|
* bsc#1219268 - CVE-2024-23652
|
||||||
|
* bsc#1219438 - CVE-2024-23653
|
||||||
|
- Rebase patches:
|
||||||
|
* 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
|
||||||
|
* 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
|
||||||
|
* 0003-BUILD-SLE12-revert-graphdriver-btrfs-use-kernel-UAPI.patch
|
||||||
|
* 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
||||||
|
* 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||||
|
* cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||||
|
- Remove upstreamed patches:
|
||||||
|
- 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
Wed Feb 14 08:40:36 UTC 2024 - Dan Čermák <dcermak@suse.com>
|
||||||
|
|
||||||
|
13
docker.spec
13
docker.spec
@ -31,9 +31,9 @@
|
|||||||
# helpfully injects into our build environment from the changelog). If you want
|
# helpfully injects into our build environment from the changelog). If you want
|
||||||
# to generate a new git_commit_epoch, use this:
|
# to generate a new git_commit_epoch, use this:
|
||||||
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
# $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
|
||||||
%define real_version 24.0.7
|
%define real_version 25.0.3
|
||||||
%define git_version 311b9ff0aa93
|
%define git_version f417435e5
|
||||||
%define git_commit_epoch 1698306665
|
%define git_commit_epoch 1706746344
|
||||||
|
|
||||||
Name: docker
|
Name: docker
|
||||||
Version: %{real_version}_ce
|
Version: %{real_version}_ce
|
||||||
@ -72,11 +72,6 @@ Patch201: 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
|
|||||||
Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
Patch202: 0005-SLE12-revert-apparmor-remove-version-conditionals-fr.patch
|
||||||
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
|
# UPSTREAM: Backport of <https://github.com/docker/cli/pull/4228>.
|
||||||
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
|
Patch900: cli-0001-docs-include-required-tools-in-source-tree.patch
|
||||||
# bugfix for:
|
|
||||||
# bsc#1219438: CVE-2024-23653
|
|
||||||
# bsc#1219268: CVE-2024-23652
|
|
||||||
# bsc#1219267: CVE-2024-23651
|
|
||||||
Patch901: 0006-Vendor-in-latest-buildkit-v0.11-branch-including-CVE.patch
|
|
||||||
BuildRequires: audit
|
BuildRequires: audit
|
||||||
BuildRequires: bash-completion
|
BuildRequires: bash-completion
|
||||||
BuildRequires: ca-certificates
|
BuildRequires: ca-certificates
|
||||||
@ -225,8 +220,6 @@ cp %{SOURCE130} .
|
|||||||
%patch -P201 -p1
|
%patch -P201 -p1
|
||||||
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
|
# Solves apparmor issues on SLE-12, but okay for newer SLE versions too.
|
||||||
%patch -P202 -p1
|
%patch -P202 -p1
|
||||||
# temporary buildkit bugfixes
|
|
||||||
%patch -P901 -p1
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
|
%sysusers_generate_pre %{SOURCE160} %{name} %{name}.conf
|
||||||
|