packages/docker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:94af3078782fa1a7d0faaf8398e3a3e776d223b4
Branches Tags
packages:main
...
compare: packages:b511bc5c6875fd2ba5e75bf68b4df8a2ca26bc30
Branches Tags
packages:main

10 Commits
94af307878 ... b511bc5c68

Author SHA1 Message Date
openeuler-ci-bot
b511bc5c68
!378 [sync] PR-377: docker:sync some patches 
From: @openeuler-sync-bot 
Reviewed-by: @xuxuepeng 
Signed-off-by: @xuxuepeng
 2025-02-24 02:36:33 +00:00
zhongjiawei
a8f31ed0bf docker:sync some patches 
(cherry picked from commit d4cbc6b9cb46f6932e34abf7dfa15257379f762a)
 2025-02-24 09:32:52 +08:00
openeuler-ci-bot
56bf09d198
!370 [sync] PR-366: fix CVE-2024-36623 
From: @openeuler-sync-bot 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234
 2024-12-09 01:41:07 +00:00
zhongjiawei
96638540d5 docker:fix CVE-2024-36623 
(cherry picked from commit bac17d509e0e29a47e18ba9950b23a4069b3713b)
 2024-12-06 14:49:35 +08:00
openeuler-ci-bot
dcaac72b52
!362 [sync] PR-358: docker:fix missing lock in ensurelayer 
From: @openeuler-sync-bot 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234
 2024-12-04 03:31:10 +00:00
zhongjiawei
0bb947b3e4 docker:fix missing lock in ensurelayer 
(cherry picked from commit 7d79bc05c62531d7ffcc2caaf89c29e33440171e)
 2024-12-02 16:03:49 +08:00
openeuler-ci-bot
50b310391f
!356 [sync] PR-352: add requires for docker-proxy rather than installing it manually 
From: @openeuler-sync-bot 
Reviewed-by: @jianminw 
Signed-off-by: @jianminw
 2024-12-02 06:31:33 +00:00
Funda Wang
ed264fb299 add requires for docker-proxy rather than installing it manually 
(cherry picked from commit d24f1ae5d41a4498770851e3d4e2559911fdf0a5)
 2024-11-29 17:41:33 +08:00
openeuler-ci-bot
d0616f8c6c
!349 docker:support calling clone when clone3 is not support 
From: @zhong-jiawei-1 
Reviewed-by: @zhangsong234 
Signed-off-by: @zhangsong234
 2024-10-25 08:11:23 +00:00
zhongjiawei
aa51a103f3 docker:support calling clone when clone3 is not support 2024-10-25 15:59:11 +08:00
11 changed files with 374 additions and 11 deletions
Show Stats Expand all files Collapse all files

2
VERSION-vendor
View File

@ -1 +1 @@
18.09.0.341 18.09.0.346

41
docker.spec
View File

@ -1,12 +1,12 @@
Name: docker-engine Name: docker-engine
Version: 18.09.0 Version: 18.09.0
Release: 341 Release: 346
Epoch: 2 Epoch: 2
Summary: The open-source application container engine Summary: The open-source application container engine
Group: Tools/Docker Group: Tools/Docker
License: ASL 2.0 License: Apache-2.0
Source0: https://github.com/docker/docker-ce/archive/v18.09.0.tar.gz Source0: https://github.com/docker/docker-ce/archive/v%{version}.tar.gz
Source1: patch.tar.gz Source1: patch.tar.gz
Source2: apply-patches Source2: apply-patches
Source3: git-commit Source3: git-commit
@ -24,15 +24,17 @@ URL: https://mobyproject.org
# most are already in the container (see contrib/builder/rpm/ARCH/generate.sh) # most are already in the container (see contrib/builder/rpm/ARCH/generate.sh)
BuildRequires: pkgconfig(systemd) golang >= 1.8.3 btrfs-progs-devel device-mapper-devel glibc-static libseccomp-devel BuildRequires: pkgconfig(systemd) golang >= 1.8.3 btrfs-progs-devel device-mapper-devel glibc-static libseccomp-devel
BuildRequires: libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel systemd-devel BuildRequires: libselinux-devel libtool-ltdl-devel pkgconfig selinux-policy selinux-policy-devel sqlite-devel systemd-devel
BuildRequires: tar containerd runc docker-proxy git BuildRequires: tar containerd runc git
# required packages on install # required packages on install
Requires: /bin/sh iptables tar xz device-mapper-libs >= 1.02.90-1 systemd-units Requires: /bin/sh iptables tar xz device-mapper-libs >= 1.02.90-1 systemd-units
Requires: /usr/bin/docker-proxy
# conflicting packages # conflicting packages
Provides: docker Provides: docker
Conflicts: docker-io Conflicts: docker-io
Conflicts: docker-engine-cs Conflicts: docker-engine-cs
%{systemd_requires}
%description %description
Docker is an open source project to build, ship and run any application as a Docker is an open source project to build, ship and run any application as a
@ -111,9 +113,6 @@ install -p -m 755 components/engine/bundles/dynbinary-daemon/dockerd $RPM_BUILD_
# install cli # install cli
install -p -m 755 components/cli/build/docker $RPM_BUILD_ROOT/%{_bindir}/docker install -p -m 755 components/cli/build/docker $RPM_BUILD_ROOT/%{_bindir}/docker
# install proxy
install -p -m 755 /usr/bin/docker-proxy $RPM_BUILD_ROOT/%{_bindir}/docker-proxy
# install containerd # install containerd
install -p -m 755 /usr/bin/containerd $RPM_BUILD_ROOT/%{_bindir}/containerd install -p -m 755 /usr/bin/containerd $RPM_BUILD_ROOT/%{_bindir}/containerd
install -p -m 755 /usr/bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim install -p -m 755 /usr/bin/containerd-shim $RPM_BUILD_ROOT/%{_bindir}/containerd-shim
@ -168,7 +167,6 @@ install -p -m 644 components/engine/contrib/syntax/nano/Dockerfile.nanorc $RPM_B
/%{_bindir}/docker /%{_bindir}/docker
/%{_bindir}/dockerd /%{_bindir}/dockerd
/%{_bindir}/containerd /%{_bindir}/containerd
/%{_bindir}/docker-proxy
/%{_bindir}/containerd-shim /%{_bindir}/containerd-shim
/%{_bindir}/runc /%{_bindir}/runc
/%{_sysconfdir}/udev/rules.d/80-docker.rules /%{_sysconfdir}/udev/rules.d/80-docker.rules
@ -227,6 +225,33 @@ fi
%endif %endif
%changelog %changelog
* Sat Feb 22 2025 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-346
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:sync some patches
* Fri Dec 06 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-345
- Type:CVE
- CVE:CVE-2024-36623
- SUG:NA
- DESC:fix CVE-2024-36623
* Mon Dec 02 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-344
- Type:CVE
- CVE:CVE-2024-36621
- SUG:NA
- DESC:fix missing lock in ensurelayer
* Sat Nov 23 2024 Funda Wang <fundawang@yeah.net> - 2:18.09.0-343
- add requires for docker-proxy rather than installing it manually
* Fri Oct 25 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-342
- Type:bugfix
- CVE:NA
- SUG:NA
- DESC:support calling clone when clone3 is not support
* Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-341 * Sat Aug 31 2024 zhongjiawei<zhongjiawei1@huawei.com> - 2:18.09.0-341
- Type:bugfix - Type:bugfix
- CVE:NA - CVE:NA

3
gen-commit.sh
View File

@ -18,9 +18,10 @@ echo 18.09.0.$new_version > VERSION-vendor
author=$(git config user.name) author=$(git config user.name)
email=$(git config user.email) email=$(git config user.email)
epoch=$(head -10 docker.spec | grep Epoch | awk '{print $NF}')
version=$(head -10 docker.spec | grep Version | awk '{print $NF}') version=$(head -10 docker.spec | grep Version | awk '{print $NF}')
release=$(head -10 docker.spec | grep Release | awk '{print $2}' | awk -F% '{print $1}') release=$(head -10 docker.spec | grep Release | awk '{print $2}' | awk -F% '{print $1}')
new_all=$version-$release new_all=$epoch:$version-$release
new_changelog=$(cat << EOF new_changelog=$(cat << EOF
* $(LC_ALL="C" date '+%a %b %d %Y') $author<$email> - $new_all\n- Type:\n- CVE:\n- SUG:\n- DESC:\n * $(LC_ALL="C" date '+%a %b %d %Y') $author<$email> - $new_all\n- Type:\n- CVE:\n- SUG:\n- DESC:\n
EOF EOF

2
git-commit
View File

@ -1 +1 @@
678fb4d2b2fbf91642358d82e5680aec01a15d56 270f89013d2ad9993ff863c5b5636cc1c9e17ae1

123
patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch Normal file
View File

@ -0,0 +1,123 @@
From 28a8f3016bfba8aab5cf0495519ca41f4c43f7a3 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Fri, 25 Oct 2024 15:00:22 +0800
Subject: [PATCH] docker:support calling clone when clone3 is not support
---
components/engine/api/types/seccomp.go | 1 +
components/engine/profiles/seccomp/seccomp.go | 7 +++---
.../profiles/seccomp/seccomp_default.go | 22 ++++++++++---------
.../runtime-spec/specs-go/config.go | 1 +
4 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/components/engine/api/types/seccomp.go b/components/engine/api/types/seccomp.go
index 67a41e1a..0ed7d6ee 100644
--- a/components/engine/api/types/seccomp.go
+++ b/components/engine/api/types/seccomp.go
@@ -86,6 +86,7 @@ type Syscall struct {
Name string `json:"name,omitempty"`
Names []string `json:"names,omitempty"`
Action Action `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Args []*Arg `json:"args"`
Comment string `json:"comment"`
Includes Filter `json:"includes"`
diff --git a/components/engine/profiles/seccomp/seccomp.go b/components/engine/profiles/seccomp/seccomp.go
index 4438670a..993e8d87 100644
--- a/components/engine/profiles/seccomp/seccomp.go
+++ b/components/engine/profiles/seccomp/seccomp.go
@@ -128,21 +128,22 @@ Loop:
}
if call.Name != "" {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(call.Name, call.Action, call.Args, call.ErrnoRet))
}
for _, n := range call.Names {
- newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args))
+ newConfig.Syscalls = append(newConfig.Syscalls, createSpecsSyscall(n, call.Action, call.Args, call.ErrnoRet))
}
}
return newConfig, nil
}
-func createSpecsSyscall(name string, action types.Action, args []*types.Arg) specs.LinuxSyscall {
+func createSpecsSyscall(name string, action types.Action, args []*types.Arg, errnoRet *uint) specs.LinuxSyscall {
newCall := specs.LinuxSyscall{
Names: []string{name},
Action: specs.LinuxSeccompAction(action),
+ ErrnoRet: errnoRet,
}
// Loop through all the arguments of the syscall and convert them
diff --git a/components/engine/profiles/seccomp/seccomp_default.go b/components/engine/profiles/seccomp/seccomp_default.go
index a90e441c..0b96de5f 100644
--- a/components/engine/profiles/seccomp/seccomp_default.go
+++ b/components/engine/profiles/seccomp/seccomp_default.go
@@ -42,6 +42,7 @@ func arches() []types.Architecture {
// DefaultProfile defines the whitelist for the default seccomp profile.
func DefaultProfile() *types.Seccomp {
+ nosys := uint(unix.ENOSYS)
syscalls := []*types.Syscall{
{
Names: []string{
@@ -489,16 +490,6 @@ func DefaultProfile() *types.Seccomp {
Arches: []string{"amd64", "x32", "x86"},
},
},
- {
- Names: []string{
- "clone3",
- },
- Action: types.ActAllow,
- Args: []*types.Arg{},
- Includes: types.Filter{
- Arches: []string{"arm64", "amd64", "x32", "x86"},
- },
- },
{
Names: []string{
"s390_pci_mmio_read",
@@ -525,6 +516,7 @@ func DefaultProfile() *types.Seccomp {
Names: []string{
"bpf",
"clone",
+ "clone3",
"fanotify_init",
"lookup_dcookie",
"mount",
@@ -584,6 +576,16 @@ func DefaultProfile() *types.Seccomp {
Caps: []string{"CAP_SYS_ADMIN"},
},
},
+ {
+ Names: []string{
+ "clone3",
+ },
+ Action: types.ActErrno,
+ ErrnoRet: &nosys,
+ Excludes: types.Filter{
+ Caps: []string{"CAP_SYS_ADMIN"},
+ },
+ },
{
Names: []string{
"reboot",
diff --git a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
index 46049b3b..8b17fd1e 100644
--- a/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
+++ b/components/engine/vendor/github.com/opencontainers/runtime-spec/specs-go/config.go
@@ -628,6 +628,7 @@ type LinuxSeccompArg struct {
type LinuxSyscall struct {
Names []string `json:"names"`
Action LinuxSeccompAction `json:"action"`
+ ErrnoRet *uint `json:"errnoRet,omitempty"`
Args []LinuxSeccompArg `json:"args,omitempty"`
}
--
2.33.0

79
patch/0281-backport-fix-CVE-2024-36621.patch Normal file
View File

@ -0,0 +1,79 @@
From 5aa1ff9afad56ef0cf4acd983ff441c8048c0ba3 Mon Sep 17 00:00:00 2001
From: Tonis Tiigi <tonistiigi@gmail.com>
Date: Wed, 6 Mar 2024 23:11:32 -0800
Subject: [PATCH] builder-next: fix missing lock in ensurelayer
When this was called concurrently from the moby image
exporter there could be a data race where a layer was
written to the refs map when it was already there.
In that case the reference count got mixed up and on
release only one of these layers was actually released.
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
---
.../builder-next/adapters/snapshot/layer.go | 3 +++
.../adapters/snapshot/snapshot.go | 19 +++++++++++--------
2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/components/engine/builder/builder-next/adapters/snapshot/layer.go b/components/engine/builder/builder-next/adapters/snapshot/layer.go
index ffde5eec..13847d5a 100644
--- a/components/engine/builder/builder-next/adapters/snapshot/layer.go
+++ b/components/engine/builder/builder-next/adapters/snapshot/layer.go
@@ -13,6 +13,9 @@ import (
)
func (s *snapshotter) EnsureLayer(ctx context.Context, key string) ([]layer.DiffID, error) {
+ s.layerCreateLocker.Lock(key)
+ defer s.layerCreateLocker.Unlock(key)
+
if l, err := s.getLayer(key, true); err != nil {
return nil, err
} else if l != nil {
diff --git a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
index c1388da7..2b1d33d7 100644
--- a/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
+++ b/components/engine/builder/builder-next/adapters/snapshot/snapshot.go
@@ -11,6 +11,7 @@ import (
"github.com/containerd/containerd/snapshots"
"github.com/docker/docker/daemon/graphdriver"
"github.com/docker/docker/layer"
+ "github.com/docker/docker/pkg/locker"
"github.com/moby/buildkit/identity"
"github.com/moby/buildkit/snapshot"
digest "github.com/opencontainers/go-digest"
@@ -43,10 +44,11 @@ type checksumCalculator interface {
type snapshotter struct {
opt Opt
- refs map[string]layer.Layer
- db *bolt.DB
- mu sync.Mutex
- reg graphIDRegistrar
+ refs map[string]layer.Layer
+ db *bolt.DB
+ mu sync.Mutex
+ reg graphIDRegistrar
+ layerCreateLocker *locker.Locker
}
var _ snapshot.SnapshotterBase = &snapshotter{}
@@ -65,10 +67,11 @@ func NewSnapshotter(opt Opt) (snapshot.SnapshotterBase, error) {
}
s := &snapshotter{
- opt: opt,
- db: db,
- refs: map[string]layer.Layer{},
- reg: reg,
+ opt: opt,
+ db: db,
+ refs: map[string]layer.Layer{},
+ reg: reg,
+ layerCreateLocker: locker.New(),
}
return s, nil
}
--
2.33.0

48
patch/0282-backport-fix-CVE-2024-36623.patch Normal file
View File

@ -0,0 +1,48 @@
From 5e02d7625ef0472e0be29acb30e47255546ced58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Thu, 22 Feb 2024 18:01:40 +0100
Subject: [PATCH] pkg/streamformatter: Make `progressOutput` concurrency safe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sync access to the underlying `io.Writer` with a mutex.
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
components/engine/pkg/streamformatter/streamformatter.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/components/engine/pkg/streamformatter/streamformatter.go b/components/engine/pkg/streamformatter/streamformatter.go
index 04917d49ab..eaa82e1010 100644
--- a/components/engine/pkg/streamformatter/streamformatter.go
+++ b/components/engine/pkg/streamformatter/streamformatter.go
@@ -5,6 +5,7 @@ import (
"encoding/json"
"fmt"
"io"
+ "sync"
"github.com/docker/docker/pkg/jsonmessage"
"github.com/docker/docker/pkg/progress"
@@ -109,6 +110,7 @@ type progressOutput struct {
sf formatProgress
out io.Writer
newLines bool
+ mu sync.Mutex
}
// WriteProgress formats progress information from a ProgressReader.
@@ -120,6 +122,9 @@ func (out *progressOutput) WriteProgress(prog progress.Progress) error {
jsonProgress := jsonmessage.JSONProgress{Current: prog.Current, Total: prog.Total, HideCounts: prog.HideCounts, Units: prog.Units}
formatted = out.sf.formatProgress(prog.ID, prog.Action, &jsonProgress, prog.Aux)
}
+
+ out.mu.Lock()
+ defer out.mu.Unlock()
_, err := out.out.Write(formatted)
if err != nil {
return err
--
2.33.0

30
patch/0283-docker-check-containerd-sock-legality.patch Normal file
View File

@ -0,0 +1,30 @@
From 66f64ce2f18d1051f19f342c8fcf98c5066f00a6 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Mon, 13 Jan 2025 16:35:53 +0800
Subject: [PATCH] docker:check containerd.sock legality
---
components/engine/cmd/dockerd/daemon.go | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/components/engine/cmd/dockerd/daemon.go b/components/engine/cmd/dockerd/daemon.go
index 89fa9245a..f703765be 100644
--- a/components/engine/cmd/dockerd/daemon.go
+++ b/components/engine/cmd/dockerd/daemon.go
@@ -759,8 +759,11 @@ func validateAuthzPlugins(requestedPlugins []string, pg plugingetter.PluginGette
}
func systemContainerdRunning() bool {
- _, err := os.Lstat(containerddefaults.DefaultAddress)
- return err == nil
+ fileInfo, err := os.Stat(containerddefaults.DefaultAddress)
+ if err != nil {
+ return false
+ }
+ return fileInfo.Mode()&os.ModeSocket == os.ModeSocket
}
func (cli *DaemonCli) setRuntimeStartTimeout() error {
--
2.33.0

25
patch/0284-docker-modify-hostconfig.json-perm-640.patch Normal file
View File

@ -0,0 +1,25 @@
From 432ab009827f6bc84fb07d424d95d10328b4b185 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Fri, 21 Feb 2025 11:00:10 +0800
Subject: [PATCH] docker:modify hostconfig.json perm to 640
---
components/engine/container/container.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/engine/container/container.go b/components/engine/container/container.go
index 3dcfdaefa..6eaee714e 100644
--- a/components/engine/container/container.go
+++ b/components/engine/container/container.go
@@ -262,7 +262,7 @@ func (container *Container) WriteHostConfig() (*containertypes.HostConfig, error
return nil, err
}
- f, err := ioutils.NewAtomicFileWriter(pth, 0644)
+ f, err := ioutils.NewAtomicFileWriter(pth, 0640)
if err != nil {
return nil, err
}
--
2.33.0

26
patch/0285-docker-change-rand-random-number-library-to-generate.patch Normal file
View File

@ -0,0 +1,26 @@
From a002e6e5309209cd7aa90cde3c1168328fc654d7 Mon Sep 17 00:00:00 2001
From: zhongjiawei <zhongjiawei1@huawei.com>
Date: Sat, 22 Feb 2025 09:58:59 +0800
Subject: [PATCH] docker:change rand random number library to generate seeds
using Nano time
---
.../engine/vendor/github.com/docker/libnetwork/resolver.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/components/engine/vendor/github.com/docker/libnetwork/resolver.go b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
index 0e44352d7..b898c38f9 100644
--- a/components/engine/vendor/github.com/docker/libnetwork/resolver.go
+++ b/components/engine/vendor/github.com/docker/libnetwork/resolver.go
@@ -98,7 +98,7 @@ type resolver struct {
}
func init() {
- rand.Seed(time.Now().Unix())
+ rand.Seed(time.Now().UnixNano())
}
// NewResolver creates a new instance of the Resolver
--
2.33.0

6
series.conf
View File

@ -277,4 +277,10 @@ patch/0276-docker-Ignore-SIGURG-on-Linux.patch
patch/0277-backport-fix-CVE-2024-41110.patch patch/0277-backport-fix-CVE-2024-41110.patch
patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch patch/0278-docker-add-clone3-seccomp-whitelist-for-arm64.patch
patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch patch/0279-docker-try-to-reconnect-when-containerd-grpc-return-.patch
patch/0280-docker-support-calling-clone-when-clone3-is-not-supp.patch
patch/0281-backport-fix-CVE-2024-36621.patch
patch/0282-backport-fix-CVE-2024-36623.patch
patch/0283-docker-check-containerd-sock-legality.patch
patch/0284-docker-modify-hostconfig.json-perm-640.patch
patch/0285-docker-change-rand-random-number-library-to-generate.patch
#end #end