Accepting request 932375 from Virtualization:containers

- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
- Rebase patches:
  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
- Remove upstreamed patches:
  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch

OBS-URL: https://build.opensuse.org/request/show/932375
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/docker?expand=0&rev=116

0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch

@@ -1,7 +1,7 @@
-From 44214e643a578dfec9f5898f9225ccf3ccbec419 Mon Sep 17 00:00:00 2001
+From f6170a9d05df85cc61f3e5373eceed61ef3d741e Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 12:41:54 +1100
-Subject: [PATCH 1/6] SECRETS: daemon: allow directory creation in /run/secrets
+Subject: [PATCH 1/5] SECRETS: daemon: allow directory creation in /run/secrets
 
 Since FileMode can have the directory bit set, allow a SecretStore
 implementation to return secrets that are actually directories. This is
@@ -10,22 +10,25 @@ useful for creating directories and subdirectories of secrets.
 Signed-off-by: Antonio Murdaca <runcom@redhat.com>
 Signed-off-by: Aleksa Sarai <asarai@suse.de>
 ---
- daemon/container_operations_unix.go | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
+ daemon/container_operations_unix.go | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
 
 diff --git a/daemon/container_operations_unix.go b/daemon/container_operations_unix.go
-index 1647df0ce7ba..4ea2efed241f 100644
+index 6a50b99bd29e..583db20aa459 100644
 --- a/daemon/container_operations_unix.go
 +++ b/daemon/container_operations_unix.go
-@@ -3,6 +3,7 @@
+@@ -1,8 +1,10 @@
++//go:build linux || freebsd
+ // +build linux freebsd
+ 
  package daemon // import "github.com/docker/docker/daemon"
  
  import (
 +	"bytes"
- 	"context"
  	"fmt"
  	"io/ioutil"
-@@ -14,6 +15,7 @@ import (
+ 	"os"
+@@ -12,6 +14,7 @@ import (
  	"github.com/docker/docker/container"
  	"github.com/docker/docker/daemon/links"
  	"github.com/docker/docker/errdefs"
@@ -33,7 +36,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
  	"github.com/docker/docker/pkg/idtools"
  	"github.com/docker/docker/pkg/stringid"
  	"github.com/docker/docker/pkg/system"
-@@ -207,9 +209,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -205,9 +208,6 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
  		if err != nil {
  			return errors.Wrap(err, "unable to get secret from secret store")
  		}
@@ -43,7 +46,7 @@ index 1647df0ce7ba..4ea2efed241f 100644
  
  		uid, err := strconv.Atoi(s.File.UID)
  		if err != nil {
-@@ -220,6 +219,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
+@@ -218,6 +218,25 @@ func (daemon *Daemon) setupSecretDir(c *container.Container) (setupErr error) {
  			return err
  		}
  
@@ -70,5 +73,5 @@ index 1647df0ce7ba..4ea2efed241f 100644
  			return errors.Wrap(err, "error setting ownership for secret")
  		}
 -- 
-2.33.0
+2.33.1
 

0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch

@@ -1,7 +1,7 @@
-From 7202e34c5cf8e5c0816bfc610689e2f9d246d131 Mon Sep 17 00:00:00 2001
+From a28715c97b87152c41538b137f8ad49003db1756 Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Wed, 8 Mar 2017 11:43:29 +1100
-Subject: [PATCH 2/6] SECRETS: SUSE: implement SUSE container secrets
+Subject: [PATCH 2/5] SECRETS: SUSE: implement SUSE container secrets
 
 This allows for us to pass in host credentials to a container, allowing
 for SUSEConnect to work with containers.
@@ -451,5 +451,5 @@ index 000000000000..9ee33adf7497
 +	return nil
 +}
 -- 
-2.33.0
+2.33.1
 

0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch

@@ -1,7 +1,7 @@
-From 0bb32212d07d21b0704ef3b3197fad118ae87e7f Mon Sep 17 00:00:00 2001
+From 4914111dcaf1257a9dd3f9f7a089de17c7dc6752 Mon Sep 17 00:00:00 2001
 From: Valentin Rothberg <vrothberg@suse.com>
 Date: Mon, 2 Jul 2018 13:37:34 +0200
-Subject: [PATCH 3/6] PRIVATE-REGISTRY: add private-registry mirror support
+Subject: [PATCH 3/5] PRIVATE-REGISTRY: add private-registry mirror support
 
 NOTE: This is a backport/downstream patch of the upstream pull-request
       for Moby, which is still subject to changes.  Please visit
@@ -1142,5 +1142,5 @@ index 3e3a5b41ffbd..451a6f874bc1 100644
  
  	endpoints = []APIEndpoint{
 -- 
-2.33.0
+2.33.1
 

0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch

@@ -1,7 +1,7 @@
-From 41a72d2a2d835de1e806a5b316067ea933f665e2 Mon Sep 17 00:00:00 2001
+From 29779c3e010e387ef037e5ef9a33cf05a14c79ea Mon Sep 17 00:00:00 2001
 From: Aleksa Sarai <asarai@suse.de>
 Date: Fri, 29 Jun 2018 17:59:30 +1000
-Subject: [PATCH 4/6] bsc1073877: apparmor: clobber docker-default profile on
+Subject: [PATCH 4/5] bsc1073877: apparmor: clobber docker-default profile on
  start
 
 In the process of making docker-default reloading far less expensive,
@@ -85,5 +85,5 @@ index 2a2fbbd52e19..0999ac3186b7 100644
  	}
  
 -- 
-2.33.0
+2.33.1
 

0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch

@@ -1,7 +1,7 @@
-From db0df8889ebc1aad3613cf95803e4672dc8ce96a Mon Sep 17 00:00:00 2001
+From a6aa2a591d31f43e01ba29abdf73658b34fded49 Mon Sep 17 00:00:00 2001
 From: Michal Rostecki <mrostecki@opensuse.org>
 Date: Thu, 8 Apr 2021 14:42:02 +0100
-Subject: [PATCH 5/6] bsc1183855: btrfs: Do not disable quota on cleanup
+Subject: [PATCH 5/5] bsc1183855: btrfs: Do not disable quota on cleanup
 
 Before this change, cleanup of the btrfs driver (occuring on each daemon
 shutdown) resulted in disabling quotas. It was done with an assumption
@@ -140,5 +140,5 @@ index 8fd2854a2673..32c4f07c620d 100644
  			}
  			if err := subvolLimitQgroup(dir, size); err != nil {
 -- 
-2.33.0
+2.33.1
 

0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch

@@ -1,195 +0,0 @@
-From 9cc9665d00293bdff2420a4db49278bc7bb9ed72 Mon Sep 17 00:00:00 2001
-From: Tianon Gravi <admwiggin@gmail.com>
-Date: Thu, 9 Sep 2021 11:31:30 -0700
-Subject: [PATCH 6/6] bsc1190670: seccomp: add support for "clone3" syscall in
- default policy
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a backport of 9f6b562dd12ef7b1f9e2f8e6f2ab6477790a6594, adapted to avoid the refactoring that happened in d92739713c633c155c0f3d8065c8278b1d8a44e7.
-
-Original commit message is as follows:
-
-> If no seccomp policy is requested, then the built-in default policy in
-> dockerd applies. This has no rule for "clone3" defined, nor any default
-> errno defined. So when runc receives the config it attempts to determine
-> a default errno, using logic defined in its commit:
->
->   opencontainers/runc@7a8d716
->
-> As explained in the above commit message, runc uses a heuristic to
-> decide which errno to return by default:
->
-> [quote]
->   The solution applied here is to prepend a "stub" filter which returns
->   -ENOSYS if the requested syscall has a larger syscall number than any
->   syscall mentioned in the filter. The reason for this specific rule is
->   that syscall numbers are (roughly) allocated sequentially and thus newer
->   syscalls will (usually) have a larger syscall number -- thus causing our
->   filters to produce -ENOSYS if the filter was written before the syscall
->   existed.
-> [/quote]
->
-> Unfortunately clone3 appears to one of the edge cases that does not
-> result in use of ENOSYS, instead ending up with the historical EPERM
-> errno.
->
-> Latest glibc (2.33.9000, in Fedora 35 rawhide) will attempt to use
-> clone3 by default. If it sees ENOSYS then it will automatically
-> fallback to using clone. Any other errno is treated as a fatal
-> error. Thus when docker seccomp policy triggers EPERM from clone3,
-> no fallback occurs and programs are thus unable to spawn threads.
->
-> The clone3 syscall is much more complicated than clone, most notably its
-> flags are not exposed as a directly argument any more. Instead they are
-> hidden inside a struct. This means that seccomp filters are unable to
-> apply policy based on values seen in flags. Thus we can't directly
-> replicate the current "clone" filtering for "clone3". We can at least
-> ensure "clone3" returns ENOSYS errno, to trigger fallback to "clone"
-> at which point we can filter on flags.
-
-SUSE-Bugs: bsc#1190670
-Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
-Co-authored-by: Daniel P. Berrangé <berrange@redhat.com>
-Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
----
- profiles/seccomp/default.json     | 16 ++++++++++++++++
- profiles/seccomp/default_linux.go | 13 +++++++++++++
- profiles/seccomp/seccomp.go       |  1 +
- profiles/seccomp/seccomp_linux.go | 28 ++++++++++++----------------
- 4 files changed, 42 insertions(+), 16 deletions(-)
-
-diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
-index 4213799ddb5c..ee5e04f781a8 100644
---- a/profiles/seccomp/default.json
-+++ b/profiles/seccomp/default.json
-@@ -591,6 +591,7 @@
- 			"names": [
- 				"bpf",
- 				"clone",
-+				"clone3",
- 				"fanotify_init",
- 				"fsconfig",
- 				"fsmount",
-@@ -670,6 +671,21 @@
- 				]
- 			}
- 		},
-+		{
-+			"names": [
-+				"clone3"
-+			],
-+			"action": "SCMP_ACT_ERRNO",
-+			"errnoRet": 38,
-+			"args": [],
-+			"comment": "",
-+			"includes": {},
-+			"excludes": {
-+				"caps": [
-+					"CAP_SYS_ADMIN"
-+				]
-+			}
-+		},
- 		{
- 			"names": [
- 				"reboot"
-diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
-index 879eb88c64f1..fb593f336f7a 100644
---- a/profiles/seccomp/default_linux.go
-+++ b/profiles/seccomp/default_linux.go
-@@ -42,6 +42,7 @@ func arches() []Architecture {
- 
- // DefaultProfile defines the allowed syscalls for the default seccomp profile.
- func DefaultProfile() *Seccomp {
-+	nosys := uint(unix.ENOSYS)
- 	syscalls := []*Syscall{
- 		{
- 			Names: []string{
-@@ -522,6 +523,7 @@ func DefaultProfile() *Seccomp {
- 			Names: []string{
- 				"bpf",
- 				"clone",
-+				"clone3",
- 				"fanotify_init",
- 				"fsconfig",
- 				"fsmount",
-@@ -587,6 +589,17 @@ func DefaultProfile() *Seccomp {
- 				Caps: []string{"CAP_SYS_ADMIN"},
- 			},
- 		},
-+		{
-+			Names: []string{
-+				"clone3",
-+			},
-+			Action:   specs.ActErrno,
-+			ErrnoRet: &nosys,
-+			Args:     []*specs.LinuxSeccompArg{},
-+			Excludes: Filter{
-+				Caps: []string{"CAP_SYS_ADMIN"},
-+			},
-+		},
- 		{
- 			Names: []string{
- 				"reboot",
-diff --git a/profiles/seccomp/seccomp.go b/profiles/seccomp/seccomp.go
-index d2a21cddc4b2..9edec72db546 100644
---- a/profiles/seccomp/seccomp.go
-+++ b/profiles/seccomp/seccomp.go
-@@ -45,6 +45,7 @@ type Syscall struct {
- 	Name     string                   `json:"name,omitempty"`
- 	Names    []string                 `json:"names,omitempty"`
- 	Action   specs.LinuxSeccompAction `json:"action"`
-+	ErrnoRet *uint                    `json:"errnoRet,omitempty"`
- 	Args     []*specs.LinuxSeccompArg `json:"args"`
- 	Comment  string                   `json:"comment"`
- 	Includes Filter                   `json:"includes"`
-diff --git a/profiles/seccomp/seccomp_linux.go b/profiles/seccomp/seccomp_linux.go
-index 566f173acd3a..e35e242cd500 100644
---- a/profiles/seccomp/seccomp_linux.go
-+++ b/profiles/seccomp/seccomp_linux.go
-@@ -150,29 +150,25 @@ Loop:
- 			}
- 		}
- 
-+		newCall := specs.LinuxSyscall{
-+			Action:   call.Action,
-+			ErrnoRet: call.ErrnoRet,
-+		}
- 		if call.Name != "" && len(call.Names) != 0 {
- 			return nil, errors.New("'name' and 'names' were specified in the seccomp profile, use either 'name' or 'names'")
- 		}
--
- 		if call.Name != "" {
--			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall([]string{call.Name}, call.Action, call.Args))
-+			newCall.Names = []string{call.Name}
- 		} else {
--			newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Names, call.Action, call.Args))
-+			newCall.Names = call.Names
-+		}
-+		// Loop through all the arguments of the syscall and convert them
-+		for _, arg := range call.Args {
-+			newCall.Args = append(newCall.Args, *arg)
- 		}
--	}
--
--	return newConfig, nil
--}
- 
--func createSpecsSyscall(names []string, action specs.LinuxSeccompAction, args []*specs.LinuxSeccompArg) specs.LinuxSyscall {
--	newCall := specs.LinuxSyscall{
--		Names:  names,
--		Action: action,
-+		newConfig.Syscalls = append(newConfig.Syscalls, newCall)
- 	}
- 
--	// Loop through all the arguments of the syscall and convert them
--	for _, arg := range args {
--		newCall.Args = append(newCall.Args, *arg)
--	}
--	return newCall
-+	return newConfig, nil
- }
--- 
-2.33.0
-

_service

@@ -3,16 +3,16 @@
     <param name="url">https://github.com/moby/moby.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20.10.9_ce_%h</param>
-    <param name="revision">v20.10.9</param>
+    <param name="versionformat">20.10.11_ce_%h</param>
+    <param name="revision">v20.10.11</param>
     <param name="filename">docker</param>
   </service>
   <service name="tar_scm" mode="disabled">
     <param name="url">https://github.com/docker/cli.git</param>
     <param name="scm">git</param>
     <param name="exclude">.git</param>
-    <param name="versionformat">20.10.9_ce</param>
-    <param name="revision">v20.10.9</param>
+    <param name="versionformat">20.10.11_ce</param>
+    <param name="revision">v20.10.11</param>
     <param name="filename">docker-cli</param>
   </service>
   <service name="tar_scm" mode="disabled">

docker-20.10.11_ce_847da184ad50.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf82151ca8fff00a1b4bea55ae44022faf2f8eab518ef979a9c6d6cffd9fb450
+size 6497200

docker-20.10.9_ce_79ea9d308018.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1428dd0f94fa001b1e4c46c3db89dbd66d209c678fc6f5d21d2f7799b4701a1
-size 6491984

docker-cli-20.10.11_ce.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7820570e1249dc498ef2580c6bf647bd720de27938c82acdcec0bcf90c6af4f8
+size 4272896

docker-cli-20.10.9_ce.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1090b7ade21e0b7d717fc2d6c08882ec14c8ac12b54ff51f407262588555e7a0
-size 4272556

docker.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Nov 18 08:35:37 UTC 2021 - Aleksa Sarai <asarai@suse.com>
+
+- Update to Docker 20.10.11-ce. See upstream changelog in the packaged
+  /usr/share/doc/packages/docker/CHANGELOG.md. bsc#1192814 CVE-2021-41190
+- Rebase patches:
+  * 0001-SECRETS-daemon-allow-directory-creation-in-run-secre.patch
+  * 0002-SECRETS-SUSE-implement-SUSE-container-secrets.patch
+  * 0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
+  * 0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
+  * 0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
+- Remove upstreamed patches:
+  - 0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
+
 -------------------------------------------------------------------
 Wed Oct  6 02:51:16 UTC 2021 - Aleksa Sarai <asarai@suse.com>
 

docker.spec

@@ -42,8 +42,8 @@
 # helpfully injects into our build environment from the changelog). If you want
 # to generate a new git_commit_epoch, use this:
 #  $ date --date="$(git show --format=fuller --date=iso $COMMIT_ID | grep -oP '(?<=^CommitDate: ).*')" '+%s'
-%define git_version 79ea9d308018
-%define git_commit_epoch 1632421578
+%define git_version 847da184ad50
+%define git_commit_epoch 1637194919
 
 # We require a specific pin of libnetwork because it doesn't really do
 # versioning and minor version mismatches in libnetwork can break Docker
@@ -56,10 +56,10 @@
 %define proxy_builddir %{dist_builddir}/src/github.com/docker/libnetwork
 
 Name:           %{realname}%{name_suffix}
-Version:        20.10.9_ce
+Version:        20.10.11_ce
 # This "nice version" is so that docker --version gives a result that can be
 # parsed by other people. boo#1182476
-%define nice_version 20.10.9-ce
+%define nice_version 20.10.11-ce
 Release:        0
 Summary:        The Moby-project Linux container runtime
 License:        Apache-2.0
@@ -94,8 +94,6 @@ Patch200:       0003-PRIVATE-REGISTRY-add-private-registry-mirror-support.patch
 Patch300:       0004-bsc1073877-apparmor-clobber-docker-default-profile-o.patch
 # SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42273. bsc#1183855 bsc#1175081
 Patch301:       0005-bsc1183855-btrfs-Do-not-disable-quota-on-cleanup.patch
-# SUSE-BACKPORT: Backport of https://github.com/moby/moby/pull/42836. bsc#1190670
-Patch302:       0006-bsc1190670-seccomp-add-support-for-clone3-syscall-in.patch
 BuildRequires:  audit
 BuildRequires:  bash-completion
 BuildRequires:  ca-certificates
@@ -121,7 +119,7 @@ Provides:       docker-libnetwork%{name_suffix} = 0.7.0.2.%{version}
 # Required to actually run containers. We require the minimum version that is
 # pinned by Docker, but in order to avoid headaches we allow for updates.
 Requires:       runc >= 1.0.2
-Requires:       containerd >= 1.4.11
+Requires:       containerd >= 1.4.12
 # Needed for --init support. We don't use "tini", we use our own implementation
 # which handles edge-cases better.
 Requires:       catatonit
@@ -264,8 +262,6 @@ docker container runtime configuration for kubeadm
 %patch300 -p1
 # bsc#1183855 bsc#1175081
 %patch301 -p1
-# bsc#1190670
-%patch302 -p1
 
 # README_SUSE.md for documentation.
 cp %{SOURCE103} .