!102 fix CVES and issue

From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234, @duguhaotian 
Signed-off-by: @duguhaotian

VERSION-openeuler

@@ -1 +1 @@
-18.09.0.301
+18.09.0.306

docker.spec

@@ -1,6 +1,6 @@
 Name: docker-engine
 Version: 18.09.0
-Release: 301
+Release: 306
 Summary: The open-source application container engine
 Group: Tools/Docker
 
@@ -212,6 +212,36 @@ fi
 %endif
 
 %changelog
+* Wed Jun 29 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-306
+- Type:CVE
+- CVE:CVE-2021-41092
+- SUG:NA
+- DESC:fix CVE-2021-41092
+
+* Wed Jun 29 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-305
+- Type:CVE
+- CVE:CVE-2021-41091
+- SUG:NA
+- DESC:fix CVE-2021-41091
+
+* Wed Jun 29 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-304
+- Type:CVE
+- CVE:CVE-2021-41089
+- SUG:NA
+- DESC:fix CVE-2021-41089
+
+* Wed Jun 29 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-303
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:close channel in write side to avoid panic in docker stats
+
+* Tue Jun 28 2022 zjw<zhongjiawei1@huawei.com> - 18.09.0-302
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:fix status inconsistent after restart container
+
 * Thu Jun 16 2022 duyiwei <duyiwei@kylinos.cn> - 18.09.0-301
 - Type:bugfix
 - CVE:CVE-2022-24769

git-commit

@@ -1 +1 @@
-aa1eee89dbf55f1be74beab946d39bd5308554f6
+1d79dce8b3c1b71f07ef5ad31adfe8026080311f

patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch

@@ -1,33 +1,34 @@
-From a7c1bbed0aed4c9a5c67871f7506646c07c34574 Mon Sep 17 00:00:00 2001
+From ba62de1350b25ec1d85eff67bd3c8c5be98d02a7 Mon Sep 17 00:00:00 2001
 From: chenjiankun <chenjiankun1@huawei.com>
-Date: Thu, 9 Dec 2021 20:58:32 +0800
+Date: Thu, 17 Mar 2022 20:18:30 +0800
 Subject: [PATCH] docker: fix "endpoint with name container_xx already exists
  in network none" error
 
 ---
- components/engine/daemon/kill.go | 9 +++++++++
- 1 file changed, 9 insertions(+)
+ components/engine/daemon/kill.go | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
 
 diff --git a/components/engine/daemon/kill.go b/components/engine/daemon/kill.go
-index 2652f7ad2..0388b16c9 100644
+index 2652f7ad2..cb0ec61d1 100644
 --- a/components/engine/daemon/kill.go
 +++ b/components/engine/daemon/kill.go
-@@ -163,6 +163,15 @@ func (daemon *Daemon) Kill(container *containerpkg.Container) error {
+@@ -162,7 +162,16 @@ func (daemon *Daemon) Kill(container *containerpkg.Container) error {
+ 		if isErrNoSuchProcess(err) {
  			// there is a case where we hit here before the exit event is processed
  			//  So let's wait the container's stop timeout amount of time to see if the event is eventually processed
- 			container.WaitForState(containerpkg.WaitConditionNotRunning, container.StopTimeout())
-+			// using mock exit event to handle container exit
-+			ei := libcontainerd.EventInfo{
-+				ContainerID: container.ID,
-+				ProcessID:   container.ID,
-+				Pid:         uint32(container.GetPID()),
-+				ExitCode:    137,
-+				ExitedAt:    time.Now(),
+-			container.WaitForState(containerpkg.WaitConditionNotRunning, container.StopTimeout())
++			if err := container.WaitForState(containerpkg.WaitConditionNotRunning, container.StopTimeout()); err != nil {
++				ei := libcontainerd.EventInfo{
++					ContainerID: container.ID,
++					ProcessID:   container.ID,
++					Pid:         uint32(container.GetPID()),
++					ExitCode:    137,
++					ExitedAt:    time.Now(),
++				}
++				daemon.ProcessEvent(container.ID, libcontainerd.EventExit, ei)
 +			}
-+			daemon.ProcessEvent(container.ID, libcontainerd.EventExit, ei)
  			return nil
  		}
  		return err
 -- 
-2.27.0
-
+2.23.0

patch/0224-fix-rwlayer-umountd-after-container-restart.patch

@@ -0,0 +1,36 @@
+From e37f4e4f738b605fe5ea1030e39da8d723260007 Mon Sep 17 00:00:00 2001
+From: chenjiankun <chenjiankun1@huawei.com>
+Date: Fri, 18 Mar 2022 11:19:28 +0800
+Subject: [PATCH] docker: fix rwlayer umountd after container restart
+
+if exit event be handled to slow, then the exit event maybe handled again.
+we need to add a check after the container lock acquired.
+---
+ components/engine/daemon/monitor.go | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/components/engine/daemon/monitor.go b/components/engine/daemon/monitor.go
+index 0aadf33fd..0bf7f0379 100644
+--- a/components/engine/daemon/monitor.go
++++ b/components/engine/daemon/monitor.go
+@@ -60,6 +60,17 @@ func (daemon *Daemon) ProcessEvent(id string, e libcontainerd.EventType, ei libc
+ 		if int(ei.Pid) == c.Pid {
+ 			logrus.Infof("handle container %s exit event pid=%d", c.ID, c.Pid)
+ 			c.Lock()
++
++			// ProcessEvent could be called concurrently, and will execute serial
++			// for c.Lock(), but int(ei.Pid) == c.Pid has already pass. It will cause
++			// daemon.Cleanup be called twice. This will make rwlayer umount in docker
++			// restart, get "fork/exec /proc/self/exe: no such file or directory" err.
++			// Adding this under c.Lock(), could avaid daemon.Cleanup be called again.
++			if c.Pid == 0 || int(ei.Pid) != c.Pid {
++				c.Unlock()
++				return nil
++			}
++
+ 			_, _, err := daemon.containerd.DeleteTask(context.Background(), c.ID)
+ 			if err != nil {
+ 				logrus.WithError(err).Warnf("failed to delete container %s from containerd", c.ID)
+-- 
+2.23.0
+

patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch

@@ -0,0 +1,38 @@
+From 548078b9e76e34c6994830ce35bee1c15e3c091f Mon Sep 17 00:00:00 2001
+From: chenjiankun <chenjiankun1@huawei.com>
+Date: Mon, 21 Mar 2022 11:05:43 +0800
+Subject: [PATCH] docker: close channel in write side to avoid panic in docker
+ stats
+
+there is a situation when write event to chan c, chan c is close,
+and that will cause a panic. Close chan c in write side can avaid
+panic.
+---
+ components/cli/cli/command/container/stats.go | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/components/cli/cli/command/container/stats.go b/components/cli/cli/command/container/stats.go
+index 8387fc988..daab91627 100644
+--- a/components/cli/cli/command/container/stats.go
++++ b/components/cli/cli/command/container/stats.go
+@@ -60,6 +60,9 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
+ 	// monitorContainerEvents watches for container creation and removal (only
+ 	// used when calling `docker stats` without arguments).
+ 	monitorContainerEvents := func(started chan<- struct{}, c chan events.Message) {
++		// close channel in write side to avoid panic
++		defer close(c)
++
+ 		f := filters.NewArgs()
+ 		f.Add("type", "container")
+ 		options := types.EventsOptions{
+@@ -150,7 +153,6 @@ func runStats(dockerCli command.Cli, opts *statsOptions) error {
+ 		eventChan := make(chan events.Message)
+ 		go eh.Watch(eventChan)
+ 		go monitorContainerEvents(started, eventChan)
+-		defer close(eventChan)
+ 		<-started
+ 
+ 		// Start a short-lived goroutine to retrieve the initial list of
+-- 
+2.23.0
+

patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch

@@ -0,0 +1,53 @@
+From 80f1169eca587305759829e626cebd2a434664f6 Mon Sep 17 00:00:00 2001 
+From: Tonis Tiigi <tonistiigi@gmail.com>
+Date: Wed, 19 May 2021 16:51:35 -0700
+Subject: [PATCH] chrootarchive: don't create parent dirsoutside of chroot
+
+If chroot is used with a special root directory then create
+destination directory within chroot. This works automatically
+already due to extractor creating parent paths and is only
+used currently with cp where parent paths are actually required
+and error will be shown to user before reaching this point.
+
+Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
+(cherry picked from commit 52d285184068998c22632bfb869f6294b5613a58)
+Signed-off-by: Brian Goff <cpuguy83@gmail.com>
+
+Conflict:NA
+Reference:https://github.com/moby/moby/commit/bce32e5c93be4caf1a592582155b9cb837fc129a
+
+---
+ components/engine/pkg/chrootarchive/archive.go | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+diff --git a/components/engine/pkg/chrootarchive/archive.go b/components/engine/pkg/chrootarchive/archive.go
+index 6ff61e6a7..9926b63b8 100644
+--- a/components/engine/pkg/chrootarchive/archive.go
++++ b/components/engine/pkg/chrootarchive/archive.go
+@@ -65,13 +65,17 @@ func untarHandler(tarArchive io.Reader, dest string, options *archive.TarOptions
+ 		options.ExcludePatterns = []string{}
+ 	}
+ 
+-	idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
+-	rootIDs := idMapping.RootPair()
++	// If dest is inside a root then directory is created within chroot by extractor.
++	// This case is only currently used by cp.
++	if dest == root {
++		idMapping := idtools.NewIDMappingsFromMaps(options.UIDMaps, options.GIDMaps)
++		rootIDs := idMapping.RootPair()
+ 
+-	dest = filepath.Clean(dest)
+-	if _, err := os.Stat(dest); os.IsNotExist(err) {
+-		if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
+-			return err
++		dest = filepath.Clean(dest)
++		if _, err := os.Stat(dest); os.IsNotExist(err) {
++			if err := idtools.MkdirAllAndChownNew(dest, 0755, rootIDs); err != nil {
++				return err
++			}
+ 		}
+ 	}
+ 
+-- 
+2.30.0
+

patch/0227-docker-Lock-down-docker-root-dir-perms.patch

@@ -0,0 +1,323 @@
+From 4d3147906307befb5055d668bb4d55c1f3c03286 Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 9 Jun 2022 10:48:26 +0800
+Subject: [PATCH] docker: Lock down docker root dir perms.
+
+Do not use 0701 perms.
+0701 dir perms allows anyone to traverse the docker dir.
+It happens to allow any user to execute, as an example, suid binaries
+from image rootfs dirs because it allows traversal AND critically
+container users need to be able to do execute things.
+
+0701 on lower directories also happens to allow any user to modify
+     things in, for instance, the overlay upper dir which neccessarily
+     has 0755 permissions.
+
+This changes to use 0710 which allows users in the group to traverse.
+In userns mode the UID owner is (real) root and the GID is the remapped
+root's GID.
+
+This prevents anyone but the remapped root to traverse our directories
+(which is required for userns with runc).
+
+Conflict:daemon/graphdriver/fuse-overlayfs/fuseoverlayfs.go
+Reference:https://github.com/moby/moby/commit/f0ab919f518c47240ea0e72d0999576bb8008e64
+---
+ .../daemon/container_operations_unix.go       |  2 +-
+ components/engine/daemon/create.go            |  5 ++--
+ components/engine/daemon/daemon.go            |  5 +++-
+ components/engine/daemon/daemon_unix.go       | 13 +++++-----
+ .../engine/daemon/graphdriver/aufs/aufs.go    | 13 ++++++++--
+ .../engine/daemon/graphdriver/btrfs/btrfs.go  | 18 ++++++++++++--
+ .../daemon/graphdriver/overlay/overlay.go     | 19 +++++++++++----
+ .../daemon/graphdriver/overlay2/overlay.go    | 24 +++++++++++++++----
+ .../engine/daemon/graphdriver/vfs/driver.go   | 16 +++++++++++--
+ .../engine/daemon/graphdriver/zfs/zfs.go      | 11 ++++++++-
+ 10 files changed, 101 insertions(+), 25 deletions(-)
+
+diff --git a/components/engine/daemon/container_operations_unix.go b/components/engine/daemon/container_operations_unix.go
+index e238366c1..5c6a09ce4 100644
+--- a/components/engine/daemon/container_operations_unix.go
++++ b/components/engine/daemon/container_operations_unix.go
+@@ -425,5 +425,5 @@ func (daemon *Daemon) setupContainerMountsRoot(c *container.Container) error {
+ 	if err != nil {
+ 		return err
+ 	}
+-	return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity())
++	return idtools.MkdirAllAndChown(p, 0710, idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: daemon.IdentityMapping().RootPair().GID})
+ }
+diff --git a/components/engine/daemon/create.go b/components/engine/daemon/create.go
+index 4d083e703..e3dd598d4 100644
+--- a/components/engine/daemon/create.go
++++ b/components/engine/daemon/create.go
+@@ -190,10 +190,11 @@ func (daemon *Daemon) create(params types.ContainerCreateConfig, managed bool) (
+ 		return nil, err
+ 	}
+ 
+-	if err := idtools.MkdirAndChown(container.Root, 0701, idtools.CurrentIdentity()); err != nil {
++	current := idtools.CurrentIdentity()
++	if err := idtools.MkdirAndChown(container.Root, 0710, idtools.Identity{UID: current.UID, GID: daemon.IdentityMapping().RootPair().GID}); err != nil {
+ 		return nil, err
+ 	}
+-	if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil {
++	if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, current); err != nil {
+ 		return nil, err
+ 	}
+ 
+diff --git a/components/engine/daemon/daemon.go b/components/engine/daemon/daemon.go
+index b3039abf3..5c6be8e45 100644
+--- a/components/engine/daemon/daemon.go
++++ b/components/engine/daemon/daemon.go
+@@ -913,7 +913,10 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
+ 	}
+ 
+ 	daemonRepo := filepath.Join(config.Root, "containers")
+-	if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil {
++	if err := idtools.MkdirAllAndChown(daemonRepo, 0710, idtools.Identity{
++		UID: idtools.CurrentIdentity().UID,
++		GID: rootIDs.GID,
++	}); err != nil {
+ 		return nil, err
+ 	}
+ 
+diff --git a/components/engine/daemon/daemon_unix.go b/components/engine/daemon/daemon_unix.go
+index 07a0aa0d5..8c21807df 100644
+--- a/components/engine/daemon/daemon_unix.go
++++ b/components/engine/daemon/daemon_unix.go
+@@ -1291,21 +1291,22 @@ func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools
+ 		}
+ 	}
+ 
++	id := idtools.Identity{UID: idtools.CurrentIdentity().UID, GID: remappedRoot.GID}
++	// First make sure the current root dir has the correct perms.
++	if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil {
++		return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
++	}
++
+ 	// if user namespaces are enabled we will create a subtree underneath the specified root
+ 	// with any/all specified remapped root uid/gid options on the daemon creating
+ 	// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
+ 	// `chdir()` to work for containers namespaced to that uid/gid)
+ 	if config.RemappedRoot != "" {
+-		id := idtools.CurrentIdentity()
+-		// First make sure the current root dir has the correct perms.
+-		if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
+-			return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
+-		}
+ 
+ 		config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
+ 		logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
+ 		// Create the root directory if it doesn't exist
+-		if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
++		if err := idtools.MkdirAllAndChown(config.Root, 0710, id); err != nil {
+ 			return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
+ 		}
+ 		// we also need to verify that any pre-existing directories in the path to
+diff --git a/components/engine/daemon/graphdriver/aufs/aufs.go b/components/engine/daemon/graphdriver/aufs/aufs.go
+index 4ee3682cb..f0e8e0b23 100644
+--- a/components/engine/daemon/graphdriver/aufs/aufs.go
++++ b/components/engine/daemon/graphdriver/aufs/aufs.go
+@@ -131,14 +131,23 @@ func Init(root string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 	}
+ 
+ 	currentID := idtools.CurrentIdentity()
++	_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++	if err != nil {
++		return nil, err
++	}
++	dirID := idtools.Identity{
++		UID: currentID.UID,
++		GID: rootGID,
++	}
++
+ 	// Create the root aufs driver dir
+-	if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil {
++	if err := idtools.MkdirAllAndChown(root, 0710, dirID); err != nil {
+ 		return nil, err
+ 	}
+ 
+ 	// Populate the dir structure
+ 	for _, p := range paths {
+-		if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil {
++		if err := idtools.MkdirAllAndChown(path.Join(root, p), 0710, dirID); err != nil {
+ 			return nil, err
+ 		}
+ 	}
+diff --git a/components/engine/daemon/graphdriver/btrfs/btrfs.go b/components/engine/daemon/graphdriver/btrfs/btrfs.go
+index d76e14490..35e14db0f 100644
+--- a/components/engine/daemon/graphdriver/btrfs/btrfs.go
++++ b/components/engine/daemon/graphdriver/btrfs/btrfs.go
+@@ -70,7 +70,14 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 		return nil, graphdriver.ErrPrerequisites
+ 	}
+ 
+-	if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
++	remappedRoot := idtools.NewIDMappingsFromMaps(uidMaps, gidMaps)
++	currentID := idtools.CurrentIdentity()
++	dirID := idtools.Identity{
++		UID: currentID.UID,
++		GID: remappedRoot.RootPair().GID,
++	}
++
++	if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
+ 		return nil, err
+ 	}
+ 
+@@ -531,7 +538,14 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+ 	if err != nil {
+ 		return err
+ 	}
+-	if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil {
++
++	currentID := idtools.CurrentIdentity()
++	dirID := idtools.Identity{
++		UID: currentID.UID,
++		GID: rootGID,
++	}
++
++	if err := idtools.MkdirAllAndChown(subvolumes, 0710, dirID); err != nil {
+ 		return err
+ 	}
+ 	if parent == "" {
+diff --git a/components/engine/daemon/graphdriver/overlay/overlay.go b/components/engine/daemon/graphdriver/overlay/overlay.go
+index a9e65a35c..566c4cc9f 100644
+--- a/components/engine/daemon/graphdriver/overlay/overlay.go
++++ b/components/engine/daemon/graphdriver/overlay/overlay.go
+@@ -163,8 +163,18 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 		logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
+ 	}
+ 
++	currentID := idtools.CurrentIdentity()
++	_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++	if err != nil {
++		return nil, err
++	}
++	dirID := idtools.Identity{
++		UID: currentID.UID,
++		GID: rootGID,
++	}
++
+ 	// Create the driver home dir
+-	if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
++	if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
+ 		return nil, err
+ 	}
+ 
+@@ -300,10 +310,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) (retErr
+ 	root := idtools.Identity{UID: rootUID, GID: rootGID}
+ 
+ 	currentID := idtools.CurrentIdentity()
+-	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil {
+-		return err
++	dirID := idtools.Identity{
++		UID: currentID.UID,
++		GID: rootGID,
+ 	}
+-	if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil {
++	if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
+ 		return err
+ 	}
+ 
+diff --git a/components/engine/daemon/graphdriver/overlay2/overlay.go b/components/engine/daemon/graphdriver/overlay2/overlay.go
+index 7576320ad..3a9f5ce6e 100644
+--- a/components/engine/daemon/graphdriver/overlay2/overlay.go
++++ b/components/engine/daemon/graphdriver/overlay2/overlay.go
+@@ -197,7 +197,20 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 		logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
+ 	}
+ 
+-	if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil {
++	_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++	if err != nil {
++		return nil, err
++	}
++
++	cur := idtools.CurrentIdentity()
++	dirID := idtools.Identity{
++		UID: cur.UID,
++		GID: rootGID,
++	}
++	if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
++		return nil, err
++	}
++	if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, cur); err != nil {
+ 		return nil, err
+ 	}
+ 
+@@ -424,12 +437,15 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
+ 		return err
+ 	}
+ 	root := idtools.Identity{UID: rootUID, GID: rootGID}
+-	current := idtools.CurrentIdentity()
++	dirID := idtools.Identity{
++		UID: idtools.CurrentIdentity().UID,
++		GID: rootGID,
++	}
+ 
+-	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil {
++	if err := idtools.MkdirAllAndChown(path.Dir(dir), 0710, dirID); err != nil {
+ 		return err
+ 	}
+-	if err := idtools.MkdirAndChown(dir, 0701, current); err != nil {
++	if err := idtools.MkdirAndChown(dir, 0710, dirID); err != nil {
+ 		return err
+ 	}
+ 
+diff --git a/components/engine/daemon/graphdriver/vfs/driver.go b/components/engine/daemon/graphdriver/vfs/driver.go
+index 15ac25199..3ced5d7a1 100644
+--- a/components/engine/daemon/graphdriver/vfs/driver.go
++++ b/components/engine/daemon/graphdriver/vfs/driver.go
+@@ -30,7 +30,15 @@ func Init(home string, options []string, uidMaps, gidMaps []idtools.IDMap) (grap
+ 		home:      home,
+ 		idMapping: idtools.NewIDMappingsFromMaps(uidMaps, gidMaps),
+ 	}
+-	if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
++	_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++	if err != nil {
++		return nil, err
++	}
++	dirID := idtools.Identity{
++		UID: idtools.CurrentIdentity().UID,
++		GID: rootGID,
++	}
++	if err := idtools.MkdirAllAndChown(home, 0710, dirID); err != nil {
+ 		return nil, err
+ 	}
+ 
+@@ -115,7 +123,11 @@ func (d *Driver) Create(id, parent string, opts *graphdriver.CreateOpts) error {
+ func (d *Driver) create(id, parent string, size uint64) error {
+ 	dir := d.dir(id)
+ 	rootIDs := d.idMapping.RootPair()
+-	if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil {
++	dirID := idtools.Identity{
++		UID: idtools.CurrentIdentity().UID,
++		GID: rootIDs.GID,
++	}
++	if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0710, dirID); err != nil {
+ 		return err
+ 	}
+ 	if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
+diff --git a/components/engine/daemon/graphdriver/zfs/zfs.go b/components/engine/daemon/graphdriver/zfs/zfs.go
+index 4484c517a..944f902f6 100644
+--- a/components/engine/daemon/graphdriver/zfs/zfs.go
++++ b/components/engine/daemon/graphdriver/zfs/zfs.go
+@@ -102,7 +102,16 @@ func Init(base string, opt []string, uidMaps, gidMaps []idtools.IDMap) (graphdri
+ 		return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
+ 	}
+ 
+-	if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil {
++	_, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
++	if err != nil {
++		return nil, err
++	}
++
++	dirID := idtools.Identity{
++		UID: idtools.CurrentIdentity().UID,
++		GID: rootGID,
++	}
++	if err := idtools.MkdirAllAndChown(base, 0710, dirID); err != nil {
+ 		return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
+ 	}
+ 
+-- 
+2.30.0

patch/0228-docker-registry-ensure-default-auth-config-has-address.patch

@@ -0,0 +1,130 @@
+From 47b9fb37236351afc0c2e58c109a70c1432096ff Mon Sep 17 00:00:00 2001
+From: zhongjiawei <zhongjiawei1@huawei.com>
+Date: Thu, 9 Jun 2022 10:50:43 +0800
+Subject: [PATCH]  docker: registry: ensure default auth config has address
+
+Conflict:cli/command/registry.go,cli/command/registry/login.go
+Reference:https://github.com/docker/cli/commit/893e52cf4ba4b048d72e99748e0f86b2767c6c6b
+---
+ components/cli/cli/command/registry.go       | 12 ++++++++----
+ components/cli/cli/command/registry/login.go | 13 ++++++-------
+ components/cli/cli/command/registry_test.go  | 16 +++++++++++++++-
+ 3 files changed, 29 insertions(+), 12 deletions(-)
+
+diff --git a/components/cli/cli/command/registry.go b/components/cli/cli/command/registry.go
+index c12843693..74abbfc5f 100644
+--- a/components/cli/cli/command/registry.go
++++ b/components/cli/cli/command/registry.go
+@@ -58,11 +58,11 @@ func RegistryAuthenticationPrivilegedFunc(cli Cli, index *registrytypes.IndexInf
+ 		if err != nil {
+ 			fmt.Fprintf(cli.Err(), "Unable to retrieve stored credentials for %s, error: %s.\n", indexServer, err)
+ 		}
+-		err = ConfigureAuth(cli, "", "", authConfig, isDefaultRegistry)
++		err = ConfigureAuth(cli, "", "", &authConfig, isDefaultRegistry)
+ 		if err != nil {
+ 			return "", err
+ 		}
+-		return EncodeAuthToBase64(*authConfig)
++		return EncodeAuthToBase64(authConfig)
+ 	}
+ }
+ 
+@@ -81,7 +81,7 @@ func ResolveAuthConfig(ctx context.Context, cli Cli, index *registrytypes.IndexI
+ 
+ // GetDefaultAuthConfig gets the default auth config given a serverAddress
+ // If credentials for given serverAddress exists in the credential store, the configuration will be populated with values in it
+-func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (*types.AuthConfig, error) {
++func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, isDefaultRegistry bool) (types.AuthConfig, error) {
+ 	if !isDefaultRegistry {
+ 		serverAddress = registry.ConvertToHostname(serverAddress)
+ 	}
+@@ -89,12 +89,16 @@ func GetDefaultAuthConfig(cli Cli, checkCredStore bool, serverAddress string, is
+ 	var err error
+ 	if checkCredStore {
+ 		authconfig, err = cli.ConfigFile().GetAuthConfig(serverAddress)
++		if err != nil {
++			return types.AuthConfig{ServerAddress: serverAddress,}, err
++		}
+ 	} else {
+ 		authconfig = types.AuthConfig{}
+ 	}
+ 	authconfig.ServerAddress = serverAddress
+ 	authconfig.IdentityToken = ""
+-	return &authconfig, err
++	res := types.AuthConfig(authconfig)
++	return res, err
+ }
+ 
+ // ConfigureAuth handles prompting of user's username and password if needed
+diff --git a/components/cli/cli/command/registry/login.go b/components/cli/cli/command/registry/login.go
+index f4f57398b..f86076c5e 100644
+--- a/components/cli/cli/command/registry/login.go
++++ b/components/cli/cli/command/registry/login.go
+@@ -111,23 +111,22 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ 	}
+ 
+ 	var err error
+-	var authConfig *types.AuthConfig
+ 	var response registrytypes.AuthenticateOKBody
+ 	isDefaultRegistry := serverAddress == authServer
+-	authConfig, err = command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
++	authConfig, err := command.GetDefaultAuthConfig(dockerCli, opts.user == "" && opts.password == "", serverAddress, isDefaultRegistry)
+ 	if err == nil && authConfig.Username != "" && authConfig.Password != "" {
+-		response, err = loginWithCredStoreCreds(ctx, dockerCli, authConfig)
++		response, err = loginWithCredStoreCreds(ctx, dockerCli, &authConfig)
+ 	}
+ 	if err != nil || authConfig.Username == "" || authConfig.Password == "" {
+-		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, authConfig, isDefaultRegistry)
++		err = command.ConfigureAuth(dockerCli, opts.user, opts.password, &authConfig, isDefaultRegistry)
+ 		if err != nil {
+ 			return err
+ 		}
+ 
+-		response, err = clnt.RegistryLogin(ctx, *authConfig)
++		response, err = clnt.RegistryLogin(ctx, authConfig)
+ 		if err != nil && client.IsErrConnectionFailed(err) {
+ 			// If the server isn't responding (yet) attempt to login purely client side
+-			response, err = loginClientSide(ctx, *authConfig)
++			response, err = loginClientSide(ctx, authConfig)
+ 		}
+ 		// If we (still) have an error, give up
+ 		if err != nil {
+@@ -149,7 +148,7 @@ func runLogin(dockerCli command.Cli, opts loginOptions) error { //nolint: gocycl
+ 		}
+ 	}
+ 
+-	if err := creds.Store(*authConfig); err != nil {
++	if err := creds.Store(types.AuthConfig(authConfig)); err != nil {
+ 		return errors.Errorf("Error saving credentials: %v", err)
+ 	}
+ 
+diff --git a/components/cli/cli/command/registry_test.go b/components/cli/cli/command/registry_test.go
+index 966db86b9..a4a7fe184 100644
+--- a/components/cli/cli/command/registry_test.go
++++ b/components/cli/cli/command/registry_test.go
+@@ -144,7 +144,21 @@ func TestGetDefaultAuthConfig(t *testing.T) {
+ 			assert.Check(t, is.Equal(tc.expectedErr, err.Error()))
+ 		} else {
+ 			assert.NilError(t, err)
+-			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, *authconfig))
++			assert.Check(t, is.DeepEqual(tc.expectedAuthConfig, authconfig))
+ 		}
+ 	}
+ }
++
++func TestGetDefaultAuthConfig_HelperError(t *testing.T) {
++	cli := test.NewFakeCli(&fakeClient{})
++	errBuf := new(bytes.Buffer)
++	cli.SetErr(errBuf)
++	cli.ConfigFile().CredentialsStore = "fake-does-not-exist"
++	serverAddress := "test-server-address"
++	expectedAuthConfig := types.AuthConfig{
++		ServerAddress: serverAddress,
++	}
++	authconfig, err := GetDefaultAuthConfig(cli, true, serverAddress, serverAddress == "https://index.docker.io/v1/")
++	assert.Check(t, is.DeepEqual(expectedAuthConfig, authconfig))
++	assert.Check(t, is.ErrorContains(err, "docker-credential-fake-does-not-exist"))
++}
+-- 
+2.30.0
+

series.conf

@@ -221,4 +221,9 @@ patch/0220-docker-fix-endpoint-with-name-container_xx-already-e.patch
 patch/0221-docker-fix-Up-292-years-in-status-in-docker-ps-a.patch
 patch/0222-docker-Use-original-process-spec-for-execs.patch
 patch/0223-docker-fix-CVE-2022-24769.patch
+patch/0224-fix-rwlayer-umountd-after-container-restart.patch
+patch/0225-docker-close-channel-in-write-side-to-avoid-panic-in.patch
+patch/0226-docker-chrootarchive-don-t-create-parent-dirs-outside-of-ch.patch
+patch/0227-docker-Lock-down-docker-root-dir-perms.patch
+patch/0228-docker-registry-ensure-default-auth-config-has-address.patch
 #end